CAS-002_247
QUESTION 12 The management at an organization is being investigated by an industry regulator. As a consequence of the investigation, the regulator has requested copies of all management emails for the last seven years as per current regulations. Current company policies state that all emails must be retained for only five years. The IT department has advised that most company emails going back ten years have been archived to a now obsolete tape format. Which of the following is the BEST course of action? A. Classify who in the organization is a manager based on title, supply five years of emails plus copies of tapes containing the additional two years, update the corporate data retention policy and advise data owners. B. Ask the regulator to define which manager emails are required, if technically possible supply emails for the last seven years, update the corporate data retention policies and advise data owners / data handlers of the policy changes. C. Satisfy regulator requirements by supplying all company emails for the last five years plus copies of the archive tapes, update the electronic inventory and asset control system to show that the data has been provided to the regulator. D. Classify who in the organization is a manager based on title, supply only five years of emails, update the corporate data recovery and storage policy and advise all data owners / data handlers of the policy changes. Purge all obsolete tapes that exceed corporate policy.
Answer: A
QUESTION 16 When performing mobile device forensics, which of the following is the MOST critical reason for performing device isolation before commencing examination? A. It prevents the destruction of data through remote wiping. B. It limits overreach and access to personal data on the device. C. It requires the maintenance of chain of custody for asset management. D. It reduces the potential for physical contamination of the device.
Answer: A
QUESTION 20 Company XYZ finds itself using more cloud-based business tools, and password management is becoming onerous. Security is important to the company; as a result, password replication and shared accounts are not acceptable. Which of the following implementations addresses the distributed login with centralized authentication and has wide compatibility among SaaS vendors? A. Establish a cloud-based authentication service that supports SAML. B. Implement a new Diameter authentication server with read-only attestation. C. Install a read-only Active Directory server in the corporate DMZ for federation. D. Allow external connections to the existing corporate RADIUS server.
Answer: A
QUESTION 21 During a routine audit of the organization's information systems, the auditing team notified the organization of a new requirement in another country which requires all financial transaction data to be encrypted in transit as well as at rest. The organization does business in this country, but the data is hosted at a set of redundant data centers which are outside of the country in question. Based on the scenario provided, which of the following is the MOST appropriate course of action for the Chief Information Security Officer (CISO) to take in addressing this new requirement? A. Conduct further research to determine the scope and details of the new requirement. B. Request that the auditor provide a set of requirements to the IT project manager. C. Task the Information Security Project Manager to encrypt all data at rest within the organization. D. Elevate the issue to the Chief Finance Officer for discussion at the next executive council briefing.
Answer: A
QUESTION 28 Servers on a network are experiencing an NTP amplification attack. In which of the following ways would a security engineer provide protection from this attack on a perimeter firewall? A. Create a strict ACL for NTP sources. B. Set the time on the perimeter firewall manually. C. Route NTP traffic over port 123. D. Disable NTP on the network domain controller.
Answer: A
QUESTION 31 An administrator wishes to allow users to use scp and sftp to copy files to a Unix server, but does not want to grant shell access to the users. Which of the following should the administrator use? A. rssh B. ksh C. rbash D. sudo
Answer: A
QUESTION 35 A developer is able to quickly create applications for clients by reusing several modules of code developed from other clients. The developer creates separate signed modules for all security-sensitive code and unsigned modules for non-security sensitive code. Recently, a client discovered that an attacker was able to use the developer's code to launch a mix-and-match attack to execute privileged code on the client's systems. Which of the following should the developer do to BEST continue rapid application development while keeping products secure? A. Sign both the sensitive and non-sensitive modules. B. Leave all modules unsigned. C. Maintain all code in a single signed module. D. Avoid reusing code from other projects.
Answer: A
QUESTION 40 A security administrator has moved several confidential servers into a new data center that is completely virtualized. The administrator is concerned that if the virtual machine is compromised, an attacker may be able to attack other hosted virtual machines. Which of the following should the administrator do to help mitigate this type of virtualization attack? A. Isolate virtual machines from each other into specific security zones B. Dedicate a NIC to virtual machines that is different from the host machine's management NIC C. Implement host-based intrusion detection software on each virtual machine D. Use type 2 hypervisors, as they are more modern and have less attack surface
Answer: A
QUESTION 45 The Chief Executive Officer of a corporation purchased the latest mobile device and wants to connect it to the company's internal network. The Chief Information Security Officer was told to research and recommend how to secure this device. Which of the following recommendations would be BEST to implement in order to keep the device from posing a security risk to the company? A. A corporate policy should be drafted and technical controls implemented to prohibit sensitive information from residing on a mobile device and require mobile device management. B. A GPS based mobile device location application to recover a lost or stolen device and encryption of the nonvolatile memory to protect sensitive data that may be stored on the removable memory. C. Encryption of the volatile memory and a corporate policy should be drafted to prevent sensitive information from residing on a mobile device and require mobile device management. D. Encryption of the volatile memory and a password or PIN to access the device with a five-minute screen lockout should be enforced, and remote wipe capabilities enabled.
Answer: A
QUESTION 55 Company A agrees to provide perimeter protection, power, and environmental support for Company B, but will not be responsible for user authentication nor patching of operating systems within the perimeter. Which of the following is being described? A. Service Level Agreement B. Memorandum of Understanding C. Business Partner Agreement D. Interoperability Agreement
Answer: A
QUESTION 67 A routine internal vulnerability scan locates a rogue device in the finance VLAN. Upon further investigation, it is determined that a user has deployed a network attached storage device for local file sharing. Which of the following would BEST describe the concerns of an information security professional? A. Breaking of default IPSec policies B. Duplicate IP assignments C. Lack of appropriate backup functionality D. Finance VLAN network saturation
Answer: A
QUESTION 7 A large company has recently merged with a smaller company. The smaller company primarily uses certificate-based authentication for connecting its users to its web-based services and back-end applications. The larger company has mainly terminal service-based applications that rely on Active Directory for a Single Sign-On solution. The security administrator for the merged organization has decided to federate the companies to support the delegated administration, authorization, and authentication. Which of the following solutions will the administrator MOST likely select? A. The administrator will need to reconfigure one of the company's servers to support the other's authentication type. Then the administrator can use SAML to meet the goals of federation. B. The administrator can federate the Active Directory into the smaller company's systems using SPML. The certificate-based systems will receive security tokens from the AD service provider. C. The administrator will need to add a domain to the existing Active Directory forest and merge the smaller company's servers into it. The smaller company's PKI can be extended to meet the needs of the federated companies. D. The administrator can implement a PKI-based Shibboleth solution and can make assertions based on any LDAP-style authentication service. Certificate-based users will need to be issued user accounts.
Answer: A
QUESTION 71 Corporate policy prohibits employees from connecting SOHO routers to their office. Using a network analyzer, a security administrator is conducting an assessment to verify if SOHO routers are connected to the enterprise network. The security administrator is analyzing the following PCAP file:
01:04:23.001265 10.234.7.22.50212 >www.comptia.org.80:P 23939443:23939443 (0) ack 23939442 win 4128<mss 556> (ttl 62, id 5433)
01:04:23.091265 10.234.7.22.4033 >www.comptia.org.80:P 39438485:39438485 (0) ack 39438484 win 4128<mss 556> (ttl 126, id 20110)
01:04:23.301265 10.234.7.22.403350212 >www.comptia.org.80:P 39438495:3943848539438495 (0) ack 39438494 win 4128<mss 556> (ttl 126, id 20110)
Which of the following can the security administrator infer from the above network capture? A. An employee has installed a wireless SOHO router and is allowing other employees onto the network through the SOHO wireless. B. An employee has installed a wired SOHO router but has locked it down to only allow one computer to connect to it. C. The corporate IDS has detected the presence of a SOHO router and has disabled it by dropping the network traffic coming from it. D. Corporate policy is being followed by all employees and there is no evidence of SOHO routers being connected to the network.
Answer: A
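How an analyst would automate the inference behind this question, as an added example that is not part of the original page: the script below parses tcpdump-style lines like the capture above and profiles the TTL field per source address. Two TTL values from one address that belong to different operating-system defaults (62 is 64 minus two hops, 126 is 128 minus two hops) mean at least two hosts, a Unix-like one and a Windows one, share 10.234.7.22 through a NAT device. The sample capture is constructed here: its first two lines reuse the values shown in the question, the remaining lines are made up, and the 64/128/255 defaults are an assumption about the hosts' operating systems.

```python
import re
from collections import defaultdict

# tcpdump-style line: "<ts> <src>.<sport> ><dst>.<dport>:<flags> ... (ttl N, id M)"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s*>"
    r"(?P<dst>[^:\s]+):.*\(ttl (?P<ttl>\d+), id (?P<id>\d+)\)"
)

# Assumed OS defaults: 64 (Linux/BSD/macOS), 128 (Windows), 255 (many network OSes).
COMMON_INITIAL_TTLS = (64, 128, 255)

# Constructed sample capture. Lines 1-2 reuse the question's values; the rest are
# made up, including a second address (10.234.7.50) that is a single Windows host.
SAMPLE_CAPTURE = """\
01:04:23.001265 10.234.7.22.50212 >www.comptia.org.80:P 23939443:23939443 (0) ack 23939442 win 4128<mss 556> (ttl 62, id 5433)
01:04:23.091265 10.234.7.22.4033 >www.comptia.org.80:P 39438485:39438485 (0) ack 39438484 win 4128<mss 556> (ttl 126, id 20110)
01:04:23.301265 10.234.7.22.4034 >www.comptia.org.80:P 39438495:39438495 (0) ack 39438494 win 4128<mss 556> (ttl 126, id 20111)
01:04:24.000000 10.234.7.50.49321 >www.comptia.org.80:P 11111111:11111111 (0) ack 11111110 win 8192<mss 1460> (ttl 127, id 7001)
01:04:24.500000 10.234.7.50.49322 >www.comptia.org.80:P 11111211:11111211 (0) ack 11111210 win 8192<mss 1460> (ttl 127, id 7002)
"""


def infer_initial_ttl(ttl):
    """Smallest common OS default TTL that is >= the observed value."""
    for initial in COMMON_INITIAL_TTLS:
        if ttl <= initial:
            return initial
    raise ValueError("TTL out of range: %d" % ttl)


def parse_capture(text):
    """Extract source IP, source port, TTL and IP-ID from each parseable line."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            packets.append({"src": m["src"], "sport": int(m["sport"]),
                            "ttl": int(m["ttl"]), "ip_id": int(m["id"])})
    return packets


def ttl_profiles(packets):
    """{src_ip: {(initial_ttl, hop_count), ...}} observed for that address."""
    profiles = defaultdict(set)
    for p in packets:
        initial = infer_initial_ttl(p["ttl"])
        profiles[p["src"]].add((initial, initial - p["ttl"]))
    return profiles


def find_nat_sources(packets):
    """Addresses whose packets imply more than one (OS default, distance) profile,
    i.e. more than one host is sending from behind that single IP."""
    return {ip: sorted(prof) for ip, prof in ttl_profiles(packets).items()
            if len(prof) > 1}


if __name__ == "__main__":
    for ip, profiles in find_nat_sources(parse_capture(SAMPLE_CAPTURE)).items():
        print(ip, "looks like NAT; (initial TTL, hops) profiles:", profiles)
```

The equal hop count in both profiles (two hops for the 64-based and the 128-based packets) is consistent with one router sitting between the capture point and both hosts. The source ports corroborate it: 4033 falls in the 1025-5000 range older Windows versions used for ephemeral ports, while 50212 is typical of the 32768-60999 range Linux uses.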
QUESTION 72 An education institution is partnering with service providers to allow students access to various services and research information. Students must be authenticated before the third-party authorizes the access. Some of the services require the institution to provide information about the student that must be protected by privacy laws. Which of the following technologies is MOST appropriate for this scenario? A. WAYF for consent attributes B. RADIUS for proxy attributes C. OpenID for distributed attributes D. SAML for federation attributes
Answer: A
QUESTION 79 A company wants to allow employees to bring in their own devices to access company resources. Which of the following can be implemented to ensure the company can control the resources that are being accessed from personal devices? A. VDI B. VPN C. RDP D. VNC E. RADIUS
Answer: A
QUESTION 87 A solution architect attempts to make an update to a server and is prevented from changing the application. Additionally, the server would not allow the architect to see application errors related to the issue. The security log reports that file attributes can only be changed by the web server application and not the solution architect's custom application. The architect verifies that all file system permissions are correct and all application services are running properly. Which of the following is MOST likely being used on the server and is causing this issue? A. A trusted operating system B. A misconfigured access control list C. A hardware trust anchor and auditing D. A software chain of trust
Answer: A
QUESTION 90 A storage as a service company implements both encryption at rest as well as encryption in transit of customers' data. The security administrator is concerned with the overall security of the encrypted customer data stored by the company servers and wants the development team to implement a solution that will strengthen the customer's encryption key. Which of the following, if implemented, will MOST increase the time an offline password attack against the customers' data would take? A. key = NULL ; for (int i=0;i<5000;i++) { key = sha(key + password) } B. password = NULL ; for (int i=0; i<10000;i++) { password = sha256(key) } C. password = password + sha(password+salt) + aes256(password+salt) D. key = aes128(sha256(password) , password))
Answer: A
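Why option A has the right shape and what it still lacks, as an added example not taken from the page: the code below writes out the iterated hash from option A, puts a salted PBKDF2-HMAC-SHA256 derivation from Python's standard library next to it, and runs the attacker's offline loop against a stolen record, counting the iterations each candidate costs. The passwords, salts and iteration counts are chosen here for illustration; the 600,000 default is an assumption about an acceptable login delay, not a figure from the question.

```python
import hashlib
import hmac
import os
import time


def stretch_naive(password, iterations=5000):
    """Option A from the question: key = sha(key + password), iterated.
    Each guess costs `iterations` hashes, but there is no salt, so the same
    password yields the same key for every customer and can be precomputed."""
    key = b""
    for _ in range(iterations):
        key = hashlib.sha256(key + password).digest()
    return key


def derive_key(password, salt, iterations):
    """Salted, iterated derivation: PBKDF2-HMAC-SHA256 (hashlib, stdlib)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)


def enroll(password, iterations=600_000):
    """What the service stores per customer: per-customer salt, work factor, key.
    600_000 is an assumed work factor; measure with seconds_per_guess() and tune."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations,
            "key": derive_key(password, salt, iterations)}


def offline_attack(record, candidates):
    """The attacker's loop against a stolen record.
    Returns (matching candidate or None, PBKDF2 iterations spent): every
    candidate costs the full iteration count, so work grows linearly with it."""
    work = 0
    for cand in candidates:
        work += record["iterations"]
        guess = derive_key(cand, record["salt"], record["iterations"])
        if hmac.compare_digest(guess, record["key"]):
            return cand, work
    return None, work


def seconds_per_guess(iterations):
    """Time one derivation so the defender can size the work factor."""
    start = time.perf_counter()
    derive_key(b"benchmark-only", b"\x00" * 16, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    for n in (1_000, 100_000, 600_000):
        print(f"{n:>7} iterations: {seconds_per_guess(n) * 1000:.1f} ms per guess")
```

Option B hashes `key` rather than the password and never involves the secret at all; C and D run the hash once, so a guess costs one hash. Only A multiplies the attacker's work by the iteration count, but because it has no salt, one precomputed table covers every customer; the PBKDF2 record above fixes that by storing a per-customer salt alongside the work factor. Run the module directly to see the per-guess cost at each iteration count on your own hardware and size the work factor from that.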
QUESTION 93 A company provides on-demand cloud computing resources for a sensitive project. The company implements a fully virtualized datacenter and terminal server access with two-factor authentication for customer access to the administrative website. The security administrator at the company has uncovered a breach in data confidentiality. Sensitive data from customer A was found on a hidden directory within the VM of company B. Company B is not in the same industry as company A and the two are not competitors. Which of the following has MOST likely occurred? A. Both VMs were left unsecured and an attacker was able to exploit network vulnerabilities to access each and move the data. B. A stolen two factor token was used to move data from one virtual guest to another host on the same network segment. C. A hypervisor server was left un-patched and an attacker was able to use a resource exhaustion attack to gain unauthorized access. D. An employee with administrative access to the virtual guests was able to dump the guest memory onto a mapped disk.
Answer: A
QUESTION 94 A security analyst has been asked to perform a risk assessment on a human resources workflow and give a recommendation to improve the security. While performing the analysis, the security analyst finds the human resources department needs to quickly share employee information with a third-party vendor in an ongoing fashion. The human resources manager is concerned that any modification to the workflow will prevent the data from being received in time. At the end of the assessment, which of the following is the BEST solution? A. Implement a secure email gateway solution B. Recommend a cloud storage service for collaboration C. Provide removable media for employees to send encrypted data D. Make employees aware of a centralized external file transfer service
Answer: A
QUESTION 95 Which of the following encryption methodologies should be implemented in an environment where all users need access to bulk storage, but not all users have authorized access to each individual database entry? A. Row-level encryption B. Block-level encryption C. File-level encryption D. Table-level encryption E. Full disk encryption
Answer: A
QUESTION 38 While analyzing network traffic, a security engineer discovers that confidential emails were passing between two users who should not have had this information. The two users deny sending confidential emails to each other. Which of the following security practices would allow for non-repudiation and prevent the users from removing emails such as these from their accounts? (Select TWO). A. Digital Signature B. TSIG code signing C. Legal hold D. Authentication hashing E. Transport encryption
Answer: A, C
QUESTION 41 A security manager is not satisfied with the documented mitigations that the team has been submitting. Mitigations for host-based applications specify that boundary defenses are in place to mitigate the threat of vulnerabilities, without specifying host controls or procedures. Which of the following examples of mitigations would the security manager believe to be valid? (Select TWO). A. A zero-day router OS vulnerability which could allow traffic to pass and has not been filtered by an ACL, would be mitigated by a NIPS on the same network segment as the router's interfaces, and a boundary firewall at the ingress/egress points in the network. B. A zero-day router OS vulnerability which could allow traffic to pass and has not been filtered by an ACL, would be mitigated by a NIDS on the same network segment as the router's interfaces, and a boundary firewall at a hop before egress traffic gets to the router. C. A zero-day OS kernel vulnerability would be mitigated by the presence of integrity checking software on the host, a HIPS client, and antivirus / malware detection software. D. A zero-day OS kernel vulnerability would be mitigated by data-at-rest encryption software on the host, a HIPS client, and a restrictive mobile device policy preventing the use of USB devices. E. A zero-day OS kernel vulnerability would be mitigated by the presence of host integrity checking, two-factor authentication, and hard disk encryption.
Answer: A, C
QUESTION 63 Two competing IT manufacturing companies decide to create a partnership to enter the IT services industry. Since both companies share suppliers, the companies agree to use the supplier's regulated network to support hosting of data for customers with regulatory requirements. Which of the following does each company need from the supplier in order to use the supplier's network? (Select TWO). A. Non-disclosure agreement B. Certificate authority C. Service level agreement D. Acceptable use policy E. Registered agent F. Memorandum of understanding
Answer: A, C
QUESTION 81 A security administrator is scheduling an internal network vulnerability scan for the first time. The administrator has scheduled a one-week scanning window, but it is not known how long the scan will take. Which of the following BEST explains what the administrator should do to reduce the risk of causing unknown impacts to the environment? (Select TWO) A. Commence the scan at the start of the scanning window and ensure DoS signatures are disabled. B. During the scanning window, send a daily progress email to the Chief Information Security Officer (CISO). C. Update the plugins to the latest versions and disable time-consuming or resource-consuming plugins. D. Routinely check the scan progress and manually stop the scan before the end of the scanning window. E. Disable UDP scanning and reduce the number of ports being scanned during the window to a list of common TCP ports.
Answer: A, C
QUESTION 77 A generator upgrade is scheduled for the building hosting a company's datacenter. The current building generator is scheduled to be taken offline at 8:00 am and the new building generator is projected to be online at 8:10 am on the same day. The current datacenter's UPS battery backup displays a runtime of 15 minutes. The Information Security Officer is concerned with possible issues that may delay the generator's cut-over time beyond the battery backup runtime. Which of the following business units are MOST critical, and should be on standby in case the generator's cut-over time exceeds the UPS battery backup runtime? (Select TWO) A. Facilities management B. Emergency response team C. Forensics team D. Technical service owner E. Physical security group
Answer: A, D
QUESTION 10 An audit report against a sensitive database system lists a number of vulnerabilities that must be addressed by the system administrator. More specifically, the system administrator must address specific operating system configuration lockdown to ensure the confidentiality, integrity, and availability of the information stored within the system. Which of the following should the administrator address to secure the operating system? (Select THREE). A. Configuring IPv4 and IPv6 dual stack B. Implementing a NIDS C. Disabling unneeded services D. Disabling the guest account E. Changing the database administrator password F. Requiring N-tier system architecture G. Monitoring file permissions H. Enabling database record encryption
Answer: A, G, H
QUESTION 15 Company XYZ and Company ABC are merging into one company and consolidating IT assets and systems. The systems of each company are at different security levels, built-on different operating systems, and contain customized applications. The new security administrator for the merged company must use caution when planning the consolidation so that confidentiality, integrity, and availability are maintained and uninterrupted. Which of the following BEST describes the possible security related impacts the administrator could face when connecting two corporate domains together? A. Unintentional data disclosures, loss of legacy capability, and increased use of network bandwidth. B. Disruptions of service, data loss, unintentional data disclosures, and lost system capability. C. Loss of maintainability, loss of corporate historical knowledge, and intentional data disclosures. D. Disruptions of service, decreased market share, increased system capabilities, and data loss.
Answer: B
QUESTION 17 Company XYZ maintains a number of legacy SCADA systems that only support local username and password authentication. The systems are only accessible from the corporate network or a VPN connection into the corporate network. As the company is migrating to more cloud-based business applications, they are considering deploying a next-generation authentication system. Which of the following implementations will ensure that employees will be able to access legacy systems? A. Configure all users' keys to be encrypted with the password used on the legacy systems. B. Configure the authentication server to support OAUTH between itself and the legacy systems. C. Configure username and password replication from the company's Active Directory server. D. Configure the legacy systems as SPs to accept attestation from a cloud-based IdP.
Answer: B
QUESTION 18 The IT department is charged with developing a solution that will enable all employees to quickly reach other employees and communicate securely amongst them in real time. The solution must implement encrypted file transfer and voice communication and must integrate with the existing email and calendaring system. Which of the following MUST the solution implement to ensure employees can make educated decisions about when to contact other employees? A. Messaging B. Presence C. Peer-to-peer D. Social media
Answer: B
QUESTION 19 A more granular approach to determine which groups can access which resources, even down to the exact command that can be run on supported devices, is developed using custom Attribute Value Pairs (AVP). The requirements are: 1. Eliminate non-engineer AD OUs from running the "clear" or "delete" command on firewalls. 2. Allow non-engineer AD OUs to run the command "no shut", but not "shut", on routers. 3. Allow authentication from a mobile device where the function of specific users is unknown until they access a resource on the network. 4. Have the ability to allow proxy server support. Given the above requirements, which of the following AAA protocols is BEST suited and should be set up by the security administrator? A. Kerberos B. TACACS+ C. SLDAP D. Diameter
Answer: B
QUESTION 22 Which of the following technologies is the MOST appropriate to deploy to specifically protect an application from attacks, while delivering information from a backend database? A. HIDS with application signatures B. Web application firewall C. Web content filter D. Router with an ACL
Answer: B
QUESTION 29 A security engineer is faced with competing requirements from the networking group and database administrators. The database administrators would like ten application servers on the same subnet for ease of administration, whereas the networking group would like to segment all applications from one another. Which of the following should the security administrator do to rectify this issue? A. Recommend performing a security assessment on each application, and only segment the applications with the most vulnerability. B. Recommend classifying each application into like security groups and segmenting the groups from one another. C. Recommend segmenting each application, as it is the most secure approach. D. Recommend that only applications with minimal security features should be segmented to protect them.
Answer: B
QUESTION 30 A system administrator clones an unpatched guest VM in an effort to meet a backlog of project requests for new servers to be used as database servers and public facing web servers. Once the servers are online, an attack exploits an application on the web server by crafting a stack frame which is executed by the host kernel after a general protection fault. Which of the following BEST explains the issue and type of vulnerability exploited by the attacker? A. Only the guest system running the application is compromised due to the unpatched operating system. A privilege elevation occurred as the fault was handled after a stack switch. B. The unpatched guest was used to compromise the hypervisor thus providing the attacker with ring-0 access to multiple VM hosts at once. A VMEscape occurred due to the guest's stack data being executed by the hypervisor. C. The compromised hypervisor now provides the attacker with access to hosts with different security requirements. A VMEscape occurred as the fault was handled before a stack switch. D. Only the hypervisor is compromised as the attacker does not have access to the guest operating system administrator account. A privilege elevation occurred due to data remnants from the cloning process resulting in the general protection fault.
Answer: B
QUESTION 36 Which of the following is MOST likely to occur when debug output settings are not properly configured? A. Attacks on newly discovered zero-day vulnerabilities result in system compromises B. Attacks targeted against specific vulnerable software versions C. Attacks resulting in session hijacking D. Attacks caused by browser "drive-by-download"
Answer: B
QUESTION 48 The IT Department at a company permits 20% of its annual staff to attend remote training sites and conferences. At this year's conference, a new client-side exploit is revealed to the conference attendees, which affects a previously upgraded version of a web browser deployed on the enterprise. No patch is currently available for the browser, but the IT department believes it is critical to take immediate action due to the ease of exploitation and the high likelihood of compromise. Which of the following is the BEST action the IT department should take now to protect the enterprise? A. Disable the use of the web browser to reduce the likelihood of the vulnerability being exploited. B. Install a new web browser and issue a group policy to prevent the use of the vulnerable web browser. C. Setup a HIDS on all workstations to detect suspicious traffic. D. Patch the web browser to the latest available release.
Answer: B
QUESTION 51 A system administrator is parsing through the log files from the web server. The administrator notices a large number of 403 error response codes originating from the same IP address. Which of the following is the MOST likely explanation? A. The web browser is incorrectly configured. B. A hacker is attempting to access the web server. C. A person incorrectly typed the web address. D. A search engine is redirecting users to the wrong URL.
Answer: B
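Detection logic for the pattern in this question, as an added example that is not from the page: the script parses common-format web server access log lines, counts 403 responses per source address and reports how many distinct paths each address was refused on. The log lines are constructed here (addresses from the documentation ranges, a scanner-style wordlist of paths), and the threshold of ten is an assumption to tune per site.

```python
import re
from collections import defaultdict

# Common/combined log format prefix as written by Apache and nginx by default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log: one address walking a wordlist of paths the server
# refuses, plus ordinary traffic from a second address with a single 403.
PROBED_PATHS = ["/admin/", "/.git/config", "/.env", "/wp-login.php", "/phpmyadmin/",
                "/backup.zip", "/config.php.bak", "/.htpasswd", "/server-status",
                "/cgi-bin/", "/.svn/entries", "/private/"]
SAMPLE_LOG = "\n".join(
    [f'203.0.113.45 - - [10/Oct/2023:13:55:{i:02d} +0000] "GET {p} HTTP/1.1" 403 199'
     for i, p in enumerate(PROBED_PATHS)]
    + ['198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 5120',
       '198.51.100.7 - - [10/Oct/2023:13:56:09 +0000] "GET /private/report.pdf HTTP/1.1" 403 199',
       '198.51.100.7 - - [10/Oct/2023:13:56:15 +0000] "GET /about.html HTTP/1.1" 200 2310']
)


def parse_access_log(text):
    """Return one dict per parseable line with the fields the analysis needs."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append({"ip": m["ip"], "path": m["path"], "status": int(m["status"])})
    return entries


def forbidden_summary(entries):
    """Per source IP: number of 403s, distinct paths that drew a 403, total requests."""
    summary = defaultdict(lambda: {"forbidden": 0, "paths": set(), "total": 0})
    for e in entries:
        s = summary[e["ip"]]
        s["total"] += 1
        if e["status"] == 403:
            s["forbidden"] += 1
            s["paths"].add(e["path"])
    return summary


def suspicious_sources(entries, threshold=10):
    """Addresses with at least `threshold` 403s, most first. Breadth (distinct
    paths) separates a scanner walking a wordlist from a user retrying one page."""
    out = []
    for ip, s in forbidden_summary(entries).items():
        if s["forbidden"] >= threshold:
            out.append({"ip": ip, "forbidden": s["forbidden"],
                        "distinct_paths": len(s["paths"]), "total": s["total"]})
    return sorted(out, key=lambda r: r["forbidden"], reverse=True)


if __name__ == "__main__":
    for r in suspicious_sources(parse_access_log(SAMPLE_LOG), threshold=5):
        print(r)
```

A user who keeps reloading one page they are not allowed to see produces many 403s on a single path; a scanner produces 403s across many paths it was never linked to, which is the profile of an attacker probing for admin interfaces and leaked files. Feeding the addresses this returns to the WAF or a tool such as fail2ban is the usual next step.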
QUESTION 52 A security administrator needs an external vendor to correct an urgent issue with an organization's physical access control system (PACS). The PACS does not currently have internet access because it is running a legacy operating system. Which of the following methods should the security administrator select that BEST balances security and efficiency? A. Temporarily permit outbound Internet access for the PACS so desktop sharing can be set up. B. Have the external vendor come onsite and provide access to the PACS directly. C. Set up a new VPN concentrator for the vendor and restrict access to the PACS using desktop sharing. D. Set up a web conference on the administrator's PC; then, remotely connect to the PACS.
Answer: B
QUESTION 57 A customer of a cloud provider has requested the security engineering team to open ports 21 and 22 to a legacy FTP server from their public IP address space. The customer has indicated this should be a good control since only their IP address can access the legacy FTP server from the Internet. The security engineering team requires a VPN tunnel to be established between the cloud provider and the customer in order to provide the most secure implementation for a protocol that has many known vulnerabilities. Which of the following has occurred in the risk management process? A. The customer has inherently accepted the risk once they made the request to the security engineering team. B. The proposed solution mitigates the risk of the request from the customer. C. The customer has avoided the risk by using the cloud provider. D. The proposed solution forces the customer to use FTPS or SFTP exclusively.
Answer: B
QUESTION 58 A hacker is actively targeting a database server that runs a command line operating system. The hacker notices that twice each hour, a script is run that uses elevated privileges to send data to a secure backup. Utilizing a small piece of code executed during the scheduled task, the hacker notices that he is able to temporarily gain administrative privileges. Which of the following describes how the hacker was able to exploit the server? A. The hacker produced a resource exhaustion fail-open condition. B. The hacker took advantage of a TOCTOU race condition. C. The hacker created a buffer overflow in the kernel. D. The hacker exploited an input validation flaw.
Answer: B
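The race in this question reproduced, as an added example that is not part of the page: backup_racy checks a path with the usual stat-based tests and then opens the same path again, so anything that changes what the path resolves to in between is followed; backup_safe opens first with O_NOFOLLOW and checks the open descriptor with fstat, so the check and the use refer to the same object. The attacker hook stands in for the small piece of code the hacker runs inside the window (in practice it races the scheduled task on a timer); the file names and contents are constructed here, and the code assumes a POSIX system with symlinks and O_NOFOLLOW.

```python
import os
import stat
import tempfile

# Scenario: a privileged backup task reads a file in a directory an unprivileged
# user controls. The user cannot read secret.txt directly, but can swap what the
# checked path points to between the task's check and its use.


def backup_racy(path, attacker=None):
    """Vulnerable: checks the path, then resolves the same path again to open it."""
    if os.path.islink(path) or not os.path.isfile(path):   # time of check
        raise PermissionError("refusing %s" % path)
    if attacker:
        attacker()                                          # the window
    with open(path, "rb") as f:                             # time of use
        return f.read()


def backup_safe(path, attacker=None):
    """Fixed: open once without following symlinks, then check and read the
    descriptor. Changing the path afterwards cannot change what fd refers to."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)   # raises ELOOP on a symlink
    with os.fdopen(fd, "rb") as f:
        if attacker:
            attacker()                                 # same window, now harmless
        st = os.fstat(f.fileno())                      # check the object we opened
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("not a regular file")
        return f.read()


def run_demo():
    """Returns what each version of the task ends up reading."""
    with tempfile.TemporaryDirectory() as d:
        public = os.path.join(d, "upload.txt")
        secret = os.path.join(d, "secret.txt")
        with open(public, "wb") as f:
            f.write(b"public data")
        with open(secret, "wb") as f:
            f.write(b"SECRET")

        def swap():  # attacker: replace the checked file with a symlink to the secret
            os.remove(public)
            os.symlink(secret, public)

        racy = backup_racy(public, attacker=swap)
        os.remove(public)                      # restore the file for the second run
        with open(public, "wb") as f:
            f.write(b"public data")
        safe = backup_safe(public, attacker=swap)
        return {"racy": racy, "safe": safe}


if __name__ == "__main__":
    print(run_demo())
```

Running the module prints {'racy': b'SECRET', 'safe': b'public data'}: the racy task hands the attacker the contents of a file it was never meant to read. A real scheduled task should also drop to the least privilege the copy needs and, where it must stay privileged, check st_uid on the descriptor rather than trusting a directory another user can write to.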
QUESTION 6 A penetration tester is preparing for a client engagement in which the tester must provide data that proves and validates the scanning tools' results. Which of the following is the BEST method for collecting this information? A. Set up the scanning system's firewall to permit and log all outbound connections. B. Use a protocol analyzer to log all pertinent network traffic. C. Configure network flow data logging on all scanning systems. D. Enable debug level logging on the scanning systems and all scanning tools used.
Answer: B
QUESTION 70 One of the items discussed in a risk assessment is the concern about the finance department's process for originating wire transfers and other similar online banking processes. The processes are being performed on the same computers employees use to do their daily work, and they are not utilizing the extra security measures that the bank offers. Which of the following is the MOST appropriate response to the finding? A. Report the findings to the audit committee of the board of directors. Also, submit a proposal for a plan of action. Follow up with them after the next board meeting and support the implementation that is chosen. B. Work with the leadership in the finance department to list the control gaps and opportunities for improvement and to plan and prioritize the implementation plan, including training employees on any changes. C. Develop a plan in conjunction with IT support to train the finance department on how to secure their browser session during online banking. Periodically assess their workstation configuration using automated scanning. Follow up with the leadership in finance if employees are not following procedures. D. Contact the bank to enable the strongest security controls available. Block access from the finance department's subnet to the bank's online services. Deploy one or more workstations on a secure subnet. Train employees on the changes.
Answer: B Section: (none) Explanation
QUESTION 73 A security administrator wants to implement a shared storage system for sensitive company data. The data owner has rated the data as being highly sensitive with respect to confidentiality and availability. Business users must be able to securely access such data from remote locations using employee BYOD technologies. Which of the following solutions will BEST address the data owner requirements? A. Cloud based storage, where the data is encrypted prior to being stored. B. A local SAN where data is accessed via VPN and encrypted while in transit via IPSec policies. C. An offsite backup storage facility which also serves as a recovery site. D. A virtual SAN which implements network segmentation for data access and system management.
Answer: B Section: (none) Explanation
QUESTION 74 A forensic investigator has run into difficulty recovering usable files from a SAN drive. Which of the following SAN features might have caused the problem? A. Storage multipaths B. Deduplication C. LUN masking D. Data snapshots
Answer: B Section: (none) Explanation
QUESTION 76 A company is investigating a data compromise where data exfiltration occurred. Prior to the investigation, the supervisor terminates an employee as a result of the suspected data loss. During the investigation, the supervisor is absent for the interview, and little evidence can be provided from the role-based authentication system in use by the company. This situation can be identified for future mitigation as which of the following? A. Job rotation B. Log failure C. Lack of training D. Insider threat
Answer: B Section: (none) Explanation
QUESTION 84 An administrator is installing an enterprise Human Resources Management (HRM) system. The HRM system will integrate with the existing LDAP directory and will use LDAP for both authentication and authorization. The HRM system requires a secure connection for authentication and several custom attributes in the user object class to store role data for authorization. Which of the following are the BEST options for the administrator to complete this integration? A. Use a TLS connection on port 389 for authentication, and extend the LDAP schema to store authorization data. B. Use an SSL connection on port 636 for authentication, and extend the LDAP schema to store authorization data. C. Use a TLS connection on port 389 for authentication, and utilize unused LDAP attributes to store authorization data. D. Use an SSL connection on port 636 for authentication, and utilize unused LDAP attributes to store authorization data.
Answer: B Section: (none) Explanation
QUESTION 85 A security architect receives a 42-page document of project specifications from the lead developer. According to corporate policy, the message is sent using the PKI system. While the architect is able to read the document, the digital signature has failed validation. The architect calls the developer to see if the document can be sent again. The developer says this happens all the time and the document is probably fine. Which of the following should the architect be concerned about? A. The integrity of the document is maintained, and the confidentiality of the document and non-repudiation of the recipient are lost. B. The integrity of the document and non-repudiation of the sender are lost without a valid digital signature. C. The root of trust has been broken and the CA has been compromised. D. The integrity of the document is maintained, and the digital signature hash algorithm is susceptible to collisions.
Answer: B Section: (none) Explanation
QUESTION 96 In an effort to minimize costs, the management of a small candy company wishes to explore a cloud service option for the development of its online applications. The company does not wish to invest heavily in IT infrastructure. Which of the following solutions should be recommended? A. A public IaaS B. A public PaaS C. A public SaaS D. A private SaaS E. A private IaaS F. A private PaaS
Answer: B Section: (none) Explanation
QUESTION 98 A security analyst is inspecting the results of a recent internal vulnerability scan that was performed against intranet services. The scan report includes the following critical-rated vulnerability:
Title: Remote Command Execution vulnerability in web server
Rating: Critical (CVSS 10.0)
Threat actor: any remote user of the web server
Confidence: certain
Recommendation: apply vendor patches
Which of the following actions should the security analyst perform FIRST? A. Escalate the issue to senior management. B. Apply organizational context to the risk rating. C. Organize for urgent out-of-cycle patching. D. Exploit the server to check whether it is a false positive.
Answer: B Section: (none) Explanation
QUESTION 99 Senior management wants to prevent sensitive data from being leaked onto the web; however, they cannot afford a mature DLP solution. A security administrator has been tasked with finding an alternative solution. After researching multiple products, the security administrator recommends implementing a: A. CASB. B. WAF. C. WIPS. D. DEP.
Answer: B Section: (none) Explanation
QUESTION 61 The Chief Executive Officer has requested a report on the disadvantages or limitations of implementing a comprehensive DLP solution. Which of the following should be included in the report? (Select TWO) A. A content-neutral approach applies controls without regard for the type of data involved in a transaction. B. Growing adoption of cloud computing will be a challenge for the control of data. C. Endpoint monitoring and management of agents is more complex than web and email monitoring. D. Identity and access management solutions degrade the effectiveness of secure data handling. E. DLP solutions can only monitor data in use and in transit.
Answer: BC Section: (none) Explanation
QUESTION 69 The Chief Information Security Officer (CISO) wants to implement a solution to measure IT performance and ensure that IT goals are in line with business goals. The CISO decides to implement company-wide policies to ensure the IT department provides input on new company projects and approval for IT-related purchases. Which of the following is the CISO implementing within the company? (Select TWO). A. Risk analysis B. IT governance C. Portfolio management D. Project execution E. Configuration management
Answer: BC Section: (none) Explanation
QUESTION 8 An organization has configured a set of hosts in such a way that only authorized programs and tools are allowed to execute for all accounts. After an intrusion was detected on one of the fully patched hosts, it was discovered that malware was able to execute in spite of this configuration being active. Which of the following may have occurred? (Select TWO). A. A man-in-the-middle attack was used to steal credentials and launch the malware B. The malware was injected into the running process of an allowed application C. The whitelist used only executable names for enforcement D. The host's file system does not implement full disk encryption E. An unexpired and valid Kerberos token was refused by the malware
Answer: BC Section: (none) Explanation
QUESTION 97 A company has contracted with a public SaaS cloud provider to utilize an open source web application that is shared with other tenants. A security architect at the company has been tasked with performing a risk assessment of the solution. Which of the following are MOST likely to be residual risks in this scenario? (Select TWO). A. Ongoing vulnerability scanning cannot be performed by the customer. B. Compliance breaches may occur due to lack of data sovereignty. C. Penetration testing by the customer is not allowed by the cloud provider. D. Web application code review by the customer is not allowed by the cloud provider. E. Intrusion attempts cannot be investigated by the cloud provider.
Answer: BC Section: (none) Explanation
QUESTION 32 A system administrator has the responsibility to manage the company's contracts with the cloud service provider as a result of outsourcing. The administrator knows that previous applications in use at the company seemed to lifecycle every three years due to the nature of the business. Which of the following should be the administrator's long-term concerns? (Select TWO). A. Scalability of platform and service based systems B. Portability and lock-in to proprietary systems C. Reliability of applications with hardware dependencies D. Loss of control over the use of technologies E. Transition support costs
Answer: BD Section: (none) Explanation
QUESTION 100 A developer has implemented a piece of client-side JavaScript code to sanitize a user's provided input to a web page login screen. The code ensures that only the upper case and lower case letters are entered in the username field, and that only a 6-digit PIN is entered in the password field. A security administrator is concerned with the following web server log: 10.235.62.11 - - (02/Mar/2014:06:13:04) "GET /site/script.php?user=admin&pass=pass%20or%201=1 HTTP/1.1" 200 5724 Given this log, which of the following is the security administrator concerned with and which fix should be implemented by the developer? A. The security administrator is concerned with nonprintable characters being used to gain administrative access, and the developer should strip all nonprintable characters. B. The security administrator is concerned with XSS, and the developer should normalize Unicode characters on the browser side. C. The security administrator is concerned with SQL injection, and the developer should implement server side input validation. D. The security administrator is concerned that someone may log on as the administrator, and the developer should ensure strong passwords are enforced.
Answer: C Section: (none) Explanation
QUESTION 13 An administrator is reviewing the pluggable authentication modules configuration on a Linux-based server.
auth sufficient otp_generator_authentication.so
auth sufficient pam_unix.so
auth required pam_env.so
account required pam_unix.so
password required pam_cracklib.so retry=3
password required pam_unix.so shadow use_authtok
session required pam_unix.so
Given the output above, how should users of this system provide the proper authentication to log in? A. Users will need a username and either a password OR a one-time use certificate. B. Users will need to authenticate with a username, a one-time PIN, AND a password. C. Users will need a username and either a password OR a one-time PIN. D. Users will need to authenticate with a username, a one-time PIN, AND a certificate.
Answer: C Section: (none) Explanation
QUESTION 14 A shipping company will be upgrading their wireless infrastructure to support the new COTS forklift-mounted PCs and warehouse management system they just purchased. The solution must also be compatible with the existing employee laptops. Which of the following should the security administrator recommend to BEST protect the warehouse management system communications? A. Configure a wireless controller to ensure that rogue devices cannot intercept the warehouse management system communications. B. Configure wireless isolation so the forklift-mounted PCs can only communicate with the warehouse management system. C. Move the wireless VLAN behind a firewall to restrict access to only permit communications with the warehouse management system. D. Use a 5-GHz spectrum to reduce the likelihood of someone capturing warehouse management system communications.
Answer: C Section: (none) Explanation
QUESTION 2 A project manager needs to decide between options to proceed with implementation. The three options are outlined as:
Option 1: Cost to implement: $2,000. SLE: $4,000. Likelihood of occurrence: once per quarter
Option 2: Cost to implement: $5,000. SLE: $4,000. Likelihood of occurrence: once every two years
Option 3: Cost to implement: $1,000. SLE: $1,000. Likelihood of occurrence: once every 6 months
Which of the following options gives the LOWEST TCO? A. Option 1 B. Option 2 C. Option 3 D. Option 1 AND Option 2 E. Option 1 AND Option 3 F. Option 2 AND Option 3
Answer: C Section: (none) Explanation
QUESTION 24 Which of the following delineates why it is important to perform egress filtering and monitoring on Internet connected security zones or interfaces on the firewall? A. Egress traffic is more important than ingress traffic for malware prevention. B. To rebalance the amount of outbound traffic and inbound traffic. C. Outbound traffic could be communicating to known botnet sources. D. To prevent DDoS attacks originating from external networks.
Answer: C Section: (none) Explanation
QUESTION 34 A company Chief Information Officer (CIO) is unsure which set of standards should govern the company's IT policy. The CIO has hired consultants to develop use cases to test against various government and industry security standards. The CIO is convinced that there is large overlap between the configuration checks and security controls governing each set of standards. Which of the following selections represents the BEST option for the CIO? A. Issue an RFQ for vendors to quote a complete vulnerability and risk management solution to the company. B. Issue a policy that requires only the most stringent security standards be implemented throughout the company. C. Issue a policy specifying best practice security standards and a baseline to be implemented across the company. D. Issue an RFI for vendors to determine which set of security standards is best for the company.
Answer: C Section: (none) Explanation
QUESTION 37 Which of the following BEST describes the initial processing phase used in mobile device forensics? A. The phone should be powered down and the battery removed to preserve the state of data on any internal or removable storage utilized by the mobile device. B. The removable data storage cards should be processed first to prevent data alteration when examining the mobile device. C. The mobile device should be examined first, then removable storage and lastly the phone without removable storage should be examined again. D. The phone and storage cards should be examined as a complete unit after examining the removable storage cards separately.
Answer: C Section: (none) Explanation
QUESTION 39 During an audit of firewall rules, an auditor noted that there was no way to find out who had allowed port 3389 to be available to the Internet. The auditor gave the company a negative mark on their audit, and requested that within 30 days the company produce a written plan to deal with such items in the future. Given the scenario, which of the following will be MOST effective in securing the firewall? A. Implement an identity management system. B. Utilize PAT on the firewall for well-known ports. C. Implement a detailed change management system. D. Implement role-based access control on the firewall.
Answer: C Section: (none) Explanation
QUESTION 4 The online banking credentials of the Chief Executive Officer (CEO) of a research company were recently compromised. Despite the fact that banks no longer require frequent password changes, the CEO frequently changed this password. Now, because of the experience, the CEO questions the value of routine password changes at the company. Which of the following communicates the BEST approach for the company's security policies? A. The company should review customer input to determine if there is a clear need to perform regular password changes. B. The company should conduct a survey of others in the same industry and follow the most commonly implemented policy, fulfilling due diligence and due care obligations. C. The nature of the research company's threat may be different from banks, so the company should consider the specific threats it needs to address. D. Regular password resets are a common practice and should be continued because the policy put auditors and customers at ease.
Answer: C Section: (none) Explanation
QUESTION 42 A risk assessor is calculating the required escrow a company should keep to ensure that the company's new SAN meets availability requirements. The vendor documentation indicates the expected lifespan of each hard drive is four years and the expense of each hard drive is $100. The SAN contains 50 1 TB hard drives. Which of the following is the ALE for the SAN? A. $25 B. $100 C. $1250 D. $5000
Answer: C Section: (none) Explanation
QUESTION 60 A security architect has convened a meeting to discuss an organization's key management policy. The organization has a reliable internal key management system, and some argue that it would be best to manage the cryptographic keys internally as opposed to using a solution from a third party. The company should use: A. the current internal key management system. B. a third party key management system that will reduce operating costs. C. risk benefits analysis results to make a determination. D. a software solution including secure key escrow capabilities.
Answer: C Section: (none) Explanation
QUESTION 62 A user at a company frequently receives desktop notifications from the remote access software installed by the helpdesk. The notifications appear to be random, so the user checks to see if a connection can be established from the user's computer to someone else. The user is successful in the attempt without escalating privileges for the account. Which of the following is the BEST solution for the issue? A. Reissue the user's PKI certificate. B. Enforce UAC restrictions. C. Secure the RDP client. D. Enable host intrusion detection.
Answer: C Section: (none) Explanation
QUESTION 66 A software developer firm has outsourced a large development project to an organization that utilizes waterfall software development models. The developers have estimated a 12 month time frame to completion and are currently 6 months into the project. Prior to testing the current progress on the application, the developers have requested that the security architect review their progress and make recommendations on how to secure the application. Which of the following is true about the current project status? A. The project is being run in quick development phases that often stop development to test the current process and recommend changes to the application requirements. This gives the security architect adequate time to make appropriate recommendations. B. The development should have involved the security architect early on in the project. However, changes can be implemented incrementally over the next few project phase iterations at a lower cost. C. The development should have involved the security architect early on in the project. At this point in the project, any security recommendations that require major changes will have large impacts on project times, resources and costs. D. The waterfall method is a static approach to software development. At the current point in the project, the security architect's recommendations will not be able to be implemented until after the final release and the next version of the software development begins.
Answer: C Section: (none) Explanation
QUESTION 82 An SLA between a company and a public cloud hosting provider will MOST likely influence which of the following security areas? A. Integrity B. Confidentiality C. Availability D. Authentication
Answer: C Section: (none) Explanation
QUESTION 9 Company XYZ has a large sales force that works from home. To increase sales effectiveness and reduce travel costs, the company purchased video conferencing equipment for all home offices. Since using the video conferencing equipment, some customers have begun to demand lower prices. The company's senior officers suspect these customers know the company's margins, because members of the sales force keep printed proprietary information in their home offices. Which of the following represents the BEST immediate response action while the security team develops a more complete response? A. Force remote employees to connect to the corporate VPN before using the teleconference equipment. B. Do not provide access to cost and margin information to the sales force. C. Enforce a clear field of view policy during customer teleconferences. D. Purchase and deploy a Data Loss Prevention tool, and install it on server infrastructure.
Answer: C Section: (none) Explanation
QUESTION 91 A company has recently discovered the integrity of its data was compromised 7 days ago. The logs indicate the changes were occurring from an account with privileged access. Further analysis has determined the account is associated with a former employee who left 4 weeks ago. Which of the following could have prevented this compromise? A. SIEM tool B. Two-factor authentication C. Deprovisioning process D. Periodic user account review
Answer: C Section: (none) Explanation
QUESTION 11 A security assurance officer is preparing a plan to measure the technical state of a customer's enterprise. The testers employed to perform the audit will be given access to the customer facility and network. The testers will not be given access to the details of custom developed software used by the customer. However, the testers will have access to the source code for several open source applications and pieces of networking equipment used at the facility; but these items will not be within the scope of the audit. Which of the following BEST describes the appropriate method of testing or technique to use in this scenario? (Select TWO). A. Social engineering B. All-source C. Black box D. Memory dumping E. Penetration
Answer: CD Section: (none) Explanation
QUESTION 26 A facility's security manager has observed that an executive officer within the company is seldom absent and fails to meet the compliance of organization security and training events due to business demands. To complicate the issue, the security manager is a direct report to that executive officer. Which of the following are the methods to ensure that the conflict of interest is mitigated in the future? (Select TWO). A. Distribute a list of users who have not complied with policy throughout the organization B. Redirect the enforcement policy to a peer of the executive officer C. Enforce organizational policy by requiring the most senior executive in the organization to authorize IT policy D. Link policy compliance activities to computer/network use account E. Suspend the account of the executive officer regardless of existing policy
Answer: CD Section: (none) Explanation
QUESTION 49 A reduction in business growth forced a large business to adopt cloud services to reduce the number of IT staff employed. The Chief Financial Officer (CFO) is very happy with the changes as they have driven down capital expenditure, making the company more attractive for acquisition by a large hedge fund. Six months after the adoption of the cloud services the risk manager is concerned by the move as a recent audit of the provider revealed a mixture of findings:
- The main software repository used by developers appears well maintained and has the latest security patches integrated.
- A number of security intrusions were detected by the provider, but not reported to the business in a timely manner.
- Application log management and application alerting have not been occurring as agreed with the provider.
Based on the findings, which of the following services were purchased by the business? (Select TWO). A. IaaS B. CaaS C. PaaS D. SaaS E. MaaS
Answer: CE Section: (none) Explanation
QUESTION 44 Company ABC is looking to use an application that company XYZ owns. The application queries the billing information of company ABC's clients. Company ABC would like to establish a site-to-site VPN with company XYZ to allow its users to access the application. Which of the following documents are BEST to use during this process to determine if it is feasible to establish the connection without any security concerns? (Select THREE). A. RFC B. SLA C. NDA D. BPA E. ISA F. RA G. ROI H. MOU
Answer: CEF Section: (none) Explanation
Blind SQL Injection is a form of SQL Injection that overcomes the lack of error messages. Without the error messages that facilitate SQL Injection, the attacker constructs input strings that probe the target through simple Boolean SQL expressions.
QUESTION 89 A major healthcare provider was recently fined for not following regulatory compliance. The Chief Information Security Officer is concerned that the organization is not trained and aware of cybersecurity related issues. Which of the following is the MOST effective method of gaining access to the organization's sensitive information? A. Installing ransomware B. Penetration testing C. Vulnerability scanners D. Social engineering
Answer: D Section: (none) Explanation
QUESTION 23 A security administrator is assisting law enforcement in collecting evidence of a computer crime. The administrator has access to the latest forensics tools. The computer system being examined is still running and has not been tampered with since law enforcement arrived. The security administrator needs to collect as much information as possible before transporting the computer to a laboratory. Which of the following is the BEST order in which to proceed? A. Remove power to the system, image NVRAM, image the HDD/SSD, reboot the machine, image RAM, transport the system. B. Image NVRAM, copy system RAM, image the BIOS/UEFI memory registers, shutdown the system for transport. C. Image the HDD/SSD, copy BIOS/UEFI settings, image RAM, shutdown the system, prepare the system for transport. D. Image RAM, image the HDD/SSD while running the OS, copy system NVRAM, shutdown the system for transport.
Answer: D Section: (none) Explanation
QUESTION 25 An employee from finance was dismissed when it was discovered that the employee had been committing financial fraud for several years. The most trusted senior manager in finance has been reassigned the duty of performing wire transfers. The Chief Financial Officer (CFO) is asking the Chief Information Security Officer (CISO) to implement stronger controls to secure how the transfers are performed. Which of the following responses should the CISO deliver? A. Deploy a standalone workstation for performing wire transfers. Isolate it on a secure network. Monitor the network. B. Recommend using the bank's more secure wire transfer service where keys are exchanged and all transfer files are digitally signed and verified. C. Implement DLP at the gateway, and implement two-factor authentication on the workstation where the transactions are performed. D. Suggest detective controls and separation of duties and explain why they may be more effective mitigation strategies.
Answer: D Section: (none) Explanation
QUESTION 27 Joe, a system administrator, submits a brief helpdesk request to the information security team about implementing a site-to-site VPN from his home to the office in order to get more done at home. After analyzing the risks of doing the task, the information security team should take which of the following actions? A. Approve the request. A trusted employee with a company laptop is secure enough. B. Deny the request but implement remote assistance software at the home office. C. Approve the request. Traffic is encrypted between the two sites, making it safe to work. D. Deny the request but implement a popular remote desktop application over HTTPS.
Answer: D Section: (none) Explanation
QUESTION 3 When reviewing the various logs on a mission-critical application server, the server administrator first reviews the system log and determines that everything appears normal. Next, the administrator reviews the security log and finds a period of eight hours where no events have been recorded. What is the MOST likely explanation? A. The server is logging to a remote location. B. An intrusion activity has occurred. C. No critical events occurred during the time frame. D. Audit logging has been turned off.
Answer: D Section: (none) Explanation
QUESTION 33 Several critical servers are unresponsive after an update was installed. Other computers that have not yet received the same update are operational, but are vulnerable against the vulnerability being patched. The security administrator is required to ensure all systems have the right updates while minimizing any downtime. The BEST risk mitigation strategy is to use a centrally controlled patch management system where all updates are tested in a lab environment and then: A. sequentially distributed according to their service relevance. B. sequentially distributed to system owners for installation approval. C. distributed to a set percentage of systems per week. D. distributed to all systems so as to mitigate the exposure.
Answer: D Section: (none) Explanation
QUESTION 43 Six months into development, the core team assigned to implement a new internal piece of software must convene to discuss a new requirement with the stakeholders. A stakeholder identified a missing feature critical to the organization, which must be implemented. The team needs to validate the feasibility of the newly introduced requirement and ensure it does not introduce new vulnerabilities to the software and other applications that will integrate with it. Which of the following BEST describes what the company is implementing at this time? A. The system integration phase of the SDLC B. The system analysis phase of SSDLC C. The system design phase of the SDLC D. The system development phase of the SDLC
Answer: D Section: (none) Explanation
QUESTION 47 A number of organizations are collaborating on a common project and are using federation for access to a subset of their applications. One organization is taking the lead role in provisioning sponsored guest accounts on behalf of the other organizations. Which of the following should ALL organizations support to ensure that the organization provisioning the guest accounts on behalf of the requester is able to do so by provisioning and updating credentials and account information? A. Shibboleth B. Single Sign-On C. OpenID D. SPML E. WAYF
Answer: D Section: (none) Explanation
QUESTION 5 The company develops a wide array of proprietary software for its clients utilizing an agile development methodology. Many of the company's prominent products use various open source libraries. Recently, a vulnerability in an open source security library allowed malicious attackers to bypass certificate revocation lists to compromise secure data. Which of the following is BEST implemented to help prevent this in the future? A. The company should fork the open source code and maintain its own static version so future flaws upstream cannot be introduced into the code. B. The company should remove the open source libraries from its code and develop the libraries in-house. C. The company should match patching schedules with the open source vendors that are upstream to help prevent future attacks. D. The company should include the open source libraries in its code review process at regular intervals during the SDLC.
Answer: D Section: (none) Explanation
QUESTION 50 During a new desktop refresh, all hosts are hardened at the OS level before deployment to comply with policy. Six months later, the company is audited for compliance to regulations. The audit discovers that 30 percent of the desktops do not meet regulations because the devices are consistently being changed to override settings that do not meet policy. Which of the following is the BEST solution to correct the issue and prevent future noncompliance? A. Use a compliance tool to identify baseline changes B. Establish a deployment plan to refresh the image every six months C. Enable OS-level auditing to notify when changes occur on devices D. Implement group policy to enforce configuration settings
Answer: D Section: (none) Explanation
QUESTION 53 After installing a new Linux 'sudo' application, the security administrator runs the following command:
Linux-box:~$ ldd /user/bin/sudo
linux-gate.so.1 => (0xb7792000)
libpam.so.0 => /tmp/limpam.so.0 (0xb776d000)
libdl.so.2 => /tmp/libdl.so.2 (0xb7769000)
libc.so.6 => /tmp/libc.so.6 (0xb760b000)
libcrypt.so.1 => /tmp/libcrypt.so.1 (0xb75d9000)
/lib/ld-linus.so.2 (0xb7793000)
Which of the following can be deduced about the security of the system and application based on the above output? A. The application runs in a chroot tmp shell so that user data can be wiped. B. The application uses a secure crypto routine to ensure data confidentiality. C. The application uses temporary files to protect execution and memory access. D. The application is prone to exploitation by any user with access to the system.
Answer: D Section: (none) Explanation: sudo is a setuid-root executable, yet ldd shows its PAM, libc, libdl and libcrypt dependencies resolving from /tmp, a directory every local user can write to. Any user who drops a crafted library there gets code execution as root the next time sudo runs.
QUESTION 54 After solely reviewing the below output:
user@linux:/usr/local/bin$ ls -al
total 376
drwxr-xr-x 2 user user 4096 2010-09-29 11:35 .
drwxrwxrwt 20 root root 348160 2010-09-29 11:35 ..
-rwsr-xr-x 1 root user 26188 2010-09-29 11:23 newprog
Which of the following can the administrator conclude about the program? A. The program can only connect to local resources. B. The program may be used to launch SQL injection attacks. C. The program is running in a restricted user shell. D. The program may lead to a privilege escalation.
Answer: D Section: (none) Explanation: the 's' in the owner-execute position of -rwsr-xr-x marks newprog as setuid, and it is owned by root, so it runs with uid 0 for anyone who can execute it. Any flaw in the program is therefore a route to root.
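The ldd listing in Question 53 and the ls -al listing in Question 54 are the two halves of one audit: is the program setuid root, and does it load anything an unprivileged user controls? The following is an added example, not part of the original exam material, that parses cleaned-up copies of both listings (embedded here as constructed samples) and reports those indicators. The trusted and world-writable directory lists and all function names are my own choices.

```python
"""Audit helpers for a setuid executable (ls -l entry) and the shared libraries
it loads (ldd output). Added example; all samples are constructed."""
import re

# Constructed sample: cleaned-up copy of the ldd output from Question 53.
LDD_OUTPUT = """\
linux-gate.so.1 => (0xb7792000)
libpam.so.0 => /tmp/libpam.so.0 (0xb776d000)
libdl.so.2 => /tmp/libdl.so.2 (0xb7769000)
libc.so.6 => /tmp/libc.so.6 (0xb760b000)
libcrypt.so.1 => /tmp/libcrypt.so.1 (0xb75d9000)
/lib/ld-linux.so.2 (0xb7793000)
"""

# Constructed sample: how the same binary should resolve on a healthy host.
LDD_OUTPUT_HEALTHY = """\
linux-gate.so.1 => (0xb7792000)
libpam.so.0 => /lib/libpam.so.0 (0xb776d000)
libc.so.6 => /lib/libc.so.6 (0xb760b000)
/lib/ld-linux.so.2 (0xb7793000)
"""

# Constructed sample: the newprog entry from Question 54.
LS_LINE = "-rwsr-xr-x 1 root user 26188 2010-09-29 11:23 newprog"

# Assumed: where the loader should resolve libraries from on a stock system.
# Extend for multiarch layouts such as /usr/lib/x86_64-linux-gnu (matched by prefix).
TRUSTED_LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64", "/usr/local/lib")
# Assumed: directories every local user can write to.
WORLD_WRITABLE_DIRS = ("/tmp", "/var/tmp", "/dev/shm")

# "soname => /path (0xaddr)". The vdso line has an empty path; the loader line
# (/lib/ld-linux.so.2) has no "=>" and is deliberately not matched.
LDD_RE = re.compile(r"^\s*(\S+)\s+=>\s*(\S*?)\s*\((0x[0-9a-f]+)\)\s*$")


def in_dirs(path, dirs):
    """True if path lies under any directory in dirs (directory-boundary aware)."""
    return any(path == d or path.startswith(d + "/") for d in dirs)


def resolved_libraries(ldd_text):
    """Yield (soname, path) for every ldd line that resolved to a file on disk."""
    for line in ldd_text.splitlines():
        m = LDD_RE.match(line)
        if m and m.group(2):
            yield m.group(1), m.group(2)


def untrusted_libraries(ldd_text):
    """Libraries resolved outside the trusted dirs, tagged 'hijackable' when the
    directory is world-writable: that is what makes the sudo case exploitable."""
    findings = []
    for soname, path in resolved_libraries(ldd_text):
        if in_dirs(path, TRUSTED_LIB_DIRS):
            continue
        severity = "hijackable" if in_dirs(path, WORLD_WRITABLE_DIRS) else "suspicious"
        findings.append((soname, path, severity))
    return findings


def setuid_status(ls_line):
    """Parse one `ls -l` entry. Index 3 of the mode string is the owner-execute
    slot: 's' means setuid and executable, 'S' setuid without execute. Index 6
    is the same slot for the group (setgid)."""
    fields = ls_line.split(None, 7)  # mode links owner group size date time name
    mode, owner, name = fields[0], fields[2], fields[7]
    setuid = mode[3] in "sS"
    setgid = mode[6] in "sS"
    return {"name": name, "owner": owner, "setuid": setuid, "setgid": setgid,
            "setuid_root": setuid and owner == "root"}


def audit(ls_line, ldd_text):
    """Combine both checks into the findings an auditor would report."""
    report = []
    st = setuid_status(ls_line)
    if st["setuid_root"]:
        report.append(f"{st['name']}: setuid root, runs as uid 0 for any invoking user")
    for soname, path, severity in untrusted_libraries(ldd_text):
        report.append(f"{soname} resolves to {path} ({severity})")
    return report


if __name__ == "__main__":
    for finding in audit(LS_LINE, LDD_OUTPUT):
        print(finding)
```

One caveat before acting on a live host: ldd runs the dynamic loader unprivileged, so it honours LD_LIBRARY_PATH from the caller's shell, whereas a setuid program at run time ignores it. A persistent /tmp resolution for a setuid binary therefore has to come from an RPATH/RUNPATH baked into the executable or from the ld.so.conf cache; confirm with `readelf -d` and `ldconfig -p` before concluding the binary itself is trojaned or misconfigured.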
QUESTION 59 A hacker has targeted a health care conglomerate, and has gained access to their internal network. The hacker has disabled various security controls and has now located the patient database. Which of the following is the NEXT step that a hacker might take? A. Change the firewall to allow all inbound traffic. B. Remove evidence by deleting the log files. C. Insert malware into the company network. D. Package the patient data and FTP it to a remote site.
Answer: D Section: (none) Explanation
QUESTION 65 Company XYZ has decided to make use of a cloud-based service that requires mutual, certificate-based authentication with its users. The company uses SSL-inspecting IDS at its network boundary and is concerned about the confidentiality of the mutual authentication. Which of the following models prevents the IDS from capturing credentials used to authenticate users to the new service or keys to decrypt that communication? A. Use of OATH between the user and the service and attestation from the company domain B. Use of Active Directory federation between the company and the cloud-based service C. Use of smartcards that store X.509 keys, signed by a global CA D. Use of a third-party, SAML-based authentication service for attestation
Answer: D Section: (none) Explanation
QUESTION 68 The data backup window has expanded into the morning hours and has begun to affect production users. The main bottleneck in the process is the time it takes to replicate the backups to separate servers at the offsite data center. Which of the following uses of deduplication could be implemented to reduce the backup window? A. Implement deduplication at the network level between the two locations B. Implement deduplication on the storage array to reduce the amount of drive space needed C. Implement deduplication on the server storage to reduce the data backed up D. Implement deduplication on both the local and remote servers
Answer: D Section: (none) Explanation
QUESTION 75 A security architect is looking into the following vendor proposal for implementing a secure code scanning platform. Proposal Software purchase with license fee of $40,000 and a 30% support fee per annum from year 2 onwards. Requires internal hardware hosting which is $5,000 Which of the following is the TCO for this proposal after five years? A. $75,000 B. $81,000 C. $88,000 D. $93,000
Answer: D Section: (none) Explanation: license $40,000 + hosting hardware $5,000 + support for years 2 through 5 at 30% of $40,000 ($12,000 x 4 = $48,000) = $93,000.
QUESTION 78 The security administrator is compiling the incident timeline of a security breach which occurred on a virtualized payment gateway server running on shared hardware and shared iSCSI storage. The company implements data deduplication on the back-end storage and uses snapshots taken every Sunday at 2:00 a.m.
Incident timeline:
Tuesday, 10:00 p.m. - Security patches are downloaded and installed on all servers.
Thursday, 4:00 a.m. - The network IDS detects possible payment gateway server compromise.
Thursday, 9:00 a.m. - The helpdesk receives multiple calls to report payment issues.
Thursday, 2:00 p.m. - The security administrator returns the payment server to the last snapshot.
Friday, 10:00 a.m. - The security administrator submits the report to the external forensic team.
Which of the following should be the response of the forensic team? A. The cause for the server's compromise can only be found after taking a new memory and file system snapshot. B. Forensic analysis of the server's current memory and file system state can lead to the cause of the compromise. C. The cause for the server compromise can be found by reverting the data deduplication process on the backend storage. D. Forensic analysis of the payment gateway server cannot be conducted to determine the cause of the compromise.
Answer: D Section: (none) Explanation: rolling the server back to Sunday's snapshot on Thursday afternoon discarded the compromised memory and file system state before any image was taken, so the evidence of how the compromise occurred no longer exists on the server.
QUESTION 80 A parent company consists of multiple independent companies and has several business partners. Board members of each of these enterprises should be able to securely log in to the company's extranet site with personal credentials or company credentials. Each of the independent companies has made its own technology decisions and uses its chosen IT partners. The parent company does not offer a centralized authentication scheme and wants to enable access with minimal investment to its system. Which of the following is the MOST suitable solution for the extranet? A. Identity federation with a social media service provider B. Identity federation with one-to-one approach with the parent company C. Identity federation with mesh approach between all companies D. Identity federation with a trusted third-party service provider
Answer: D Section: (none) Explanation
QUESTION 83 A systems administrator inherits an older fibre channel SAN for use in the testing lab. The administrator would like to test the performance of file-level versus block-level encryption over the network. While there are ten servers in the testing lab, only one server has an HBA. How would the administrator use the SAN in the testing lab? A. Use LUN mapping on the SAN to map all servers to the HBA. B. Install fibre channel software on the server with an HBA. C. Purchase a fibre channel switch to connect each server in the lab. D. Install NAS server software on the server with an HBA.
Answer: D Section: (none) Explanation
QUESTION 86 An existing financial system has identified vulnerabilities and the vendor has recommended an upgrade. The company, however, has planned to replace the system with a competing product costing $200,000 within 3 years. The security engineer has estimated that a breach of the existing system would have an ARO of 2 and a SLE of $40,000. The Chief Information Officer (CIO) continues with the plan to upgrade in 3 years. Which of the following BEST describes how the CIO addressed the risk of the existing product? A. The CIO mitigated the risk. B. The CIO transferred the risk. C. The CIO avoided the risk. D. The CIO accepted the risk.
Answer: D Section: (none) Explanation: the ALE of the existing system is SLE x ARO = $40,000 x 2 = $80,000 per year. By leaving the system in place unchanged until the planned replacement, the CIO neither reduced, transferred nor avoided that exposure; the risk was accepted.
QUESTION 88 A security analyst finds the following web logs after a breach of sensitive information:
http://www.data.com/gender.php?val=male
http://www.data.com/gender.php?val=female
http://www.data.com/gender.php?val=ABC female
http://www.data.com/gender.php?val=GHI
http://www.data.com/gender.php?val=ORSfemale
Which of the following describes the attack being performed? A. URL browser parameter manipulation B. Cross-site scripting C. Network protocol fuzzing D. Blind SQL injection
Answer: D Section: (none) Explanation: the val parameter should only ever carry male or female, yet the later requests append arbitrary strings to it. The attacker is sending variations of the same parameter and inferring the back-end query's result from differences in the page's response, rather than reading data back directly, which is blind SQL injection.
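Detecting the pattern in Question 88 comes down to knowing what a parameter is allowed to carry and treating everything else as tampering; the hardening is the same whitelist applied server-side, followed by a bound query parameter. The following is an added example, not part of the original exam material. The sample URLs are constructed in the shape of the log excerpt above, with representative boolean-based and time-based blind SQL injection payloads substituted for the garbled values; the whitelist, marker patterns, table and function names are my assumptions.

```python
"""Log-side detection and server-side hardening for a constrained query
parameter. Added example; every sample below is constructed."""
import re
import sqlite3
from urllib.parse import urlsplit, parse_qs

# Assumed policy: which scripts take which parameters, and the only legal values.
ALLOWED = {"gender.php": {"val": {"male", "female"}}}

# Markers of blind SQL injection: the attacker never reads data back directly but
# flips the query's truth value or delays the response and observes the difference.
SQLI_MARKERS = (
    (re.compile(r"'\s*(or|and)\s+[\w']+\s*=\s*[\w']+", re.I), "boolean tautology"),
    (re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor\s+delay)\b", re.I), "time-based delay"),
    (re.compile(r"\b(substring|substr|ascii|mid)\s*\(", re.I), "character-by-character extraction"),
    (re.compile(r"(--|#|/\*)\s*$"), "trailing SQL comment"),
)

# Constructed sample log excerpt (URL-encoded as a server would record it).
SAMPLE_URLS = (
    "http://www.data.com/gender.php?val=male",
    "http://www.data.com/gender.php?val=female",
    "http://www.data.com/gender.php?val=female%27+AND+%271%27%3D%271",
    "http://www.data.com/gender.php?val=female%27+AND+%271%27%3D%272",
    "http://www.data.com/gender.php?val=female%27+AND+SLEEP%285%29--",
    "http://www.data.com/gender.php?val=female%27+AND+ASCII%28SUBSTRING%28%28SELECT+user%28%29%29%2C1%2C1%29%29%3E64--",
)


def classify(url):
    """None for an in-policy request; otherwise (param, decoded value, reasons)."""
    parts = urlsplit(url)
    rules = ALLOWED.get(parts.path.rsplit("/", 1)[-1])
    if rules is None:
        return None
    query = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes, '+' -> space
    for param, allowed in rules.items():
        for value in query.get(param, []):
            if value in allowed:
                continue
            reasons = [label for rx, label in SQLI_MARKERS if rx.search(value)]
            return param, value, reasons or ["value outside allowed set"]
    return None


def scan(urls):
    """Run classify over a log excerpt. A run of hits on one parameter, each
    differing by a single token, is the signature of a blind probe."""
    hits = []
    for url in urls:
        finding = classify(url)
        if finding is not None:
            hits.append((url, finding))
    return hits


def demo_db():
    """Constructed in-memory table standing in for the real back end."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (name TEXT, gender TEXT)")
    conn.executemany("INSERT INTO people VALUES (?, ?)",
                     [("ann", "female"), ("bob", "male"), ("cat", "female")])
    return conn


def lookup(conn, val):
    """Hardened handler: reject anything outside the whitelist, then bind the
    value as a parameter so it can never alter the statement's structure."""
    if val not in ALLOWED["gender.php"]["val"]:
        raise ValueError("val outside allowed set")
    rows = conn.execute("SELECT name FROM people WHERE gender = ? ORDER BY name", (val,))
    return [row[0] for row in rows]


def accepts(conn, val):
    """True if the hardened handler serves the value, False if it rejects it."""
    try:
        lookup(conn, val)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for url, (param, value, reasons) in scan(SAMPLE_URLS):
        print(f"{url}\n    {param}={value!r}: {', '.join(reasons)}")
```

The detector is deliberately whitelist-first: the SQL markers only add a label to a request that has already failed the allowed-value check, so an attacker who finds a payload the patterns miss is still flagged. Note that the ordering in the log matters as much as any single line; a true/false pair such as `'1'='1` followed by `'1'='2` is the attacker calibrating the two responses before extracting data one character at a time.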
QUESTION 92 Security architects often have to design systems for environments where different stakeholders have competing requirements. In addition to internal influences and competitors, which of the following often has a major effect on mandatory system design features? A. Top-level management B. Investors and shareholders C. Risk assessments D. Regulatory entities
Answer: D Section: (none) Explanation
QUESTION 46 A company has a security policy that specifies all endpoint computing devices should be assigned a unique identifier that can be tracked via an inventory management system. Recent changes to airline security regulations have caused many executives in the company to travel with mini tablet devices instead of laptops. These mini tablet devices are difficult to tag and track. An RDP application is used from the tablet to connect into the company network. Which of the following should be implemented in order to meet the security policy requirements? (Select TWO). A. Virtual Desktop Infrastructure (VDI) B. WS-security and geo-fencing C. A hardware security module (HSM) D. RFID tagging system E. MDM software F. Security Requirements Traceability Matrix (SRTM)
Answer: DE Section: (none) Explanation
QUESTION 56 A developer has just released into production a new financial application. This application is web based, uses REST web services and transmits information in the JSON format. The security engineer is worried that this web service could be easily manipulated by an attacker. Which of the following should the security engineer recommend the developer do to secure the web service? (Select TWO). A. Require client side input validation B. Require the use of XML rather than JSON C. Require that the POST, GET, PUT, and DELETE methods be denied D. Require the web application to maintain a secure session state E. Require the use of SOAP rather than REST F. Require REST traffic to use TLS
Answer: DF Section: (none) Explanation
QUESTION 64 While in the process of investigating unusually high bandwidth usage on corporate WAN connections, the network administrator identifies an application server which appears to be sending and receiving large amounts of data during overnight hours when few users are on the network. Which of the following would be the MOST appropriate action for the network administrator to take to address this finding? A. Perform a packet capture on the server's LAN connection and send the data to the server team for analysis. B. Create a firewall rule blocking the suspected traffic and notify the system owner. C. Create a service request for the help desk to work on when they are in the office. D. Use bandwidth shaping to reduce the bandwidth available to that particular server in an effort to improve QoS for other applications. E. Notify the incident response team using the process identified in the incident response plan.
Answer: E Section: (none) Explanation
QUESTION 1 A company has hired a new Chief Financial Officer (CFO) who has requested to be shown the ALE for a project implemented 4 years ago. The project had implemented a clustered pair of high end firewalls that cost $164,000 each at the beginning of the project. 2 years after the project was implemented, two line cards were added to each firewall that cost $3,000 each. The ARO of a fire in the area is 0.1, and the EF for a fire is 50%. Given that no fire has occurred since implementation, which of the following is the ALE? A. The ALE is 8,200 B. The ALE is 8,275 C. The ALE is 8,350 D. The ALE is 8,500
Answer: D Section: (none) Explanation