CASP 003 3


368. A security technician receives a copy of a report that was originally sent to the board of directors by the Chief Information Security Officer (CISO). The report outlines the following KPI/KRI data for the last 12 months: Which of the following BEST describes what could be interpreted from the above data? A. 1. AV coverage across the fleet improved. 2. There is no correlation between infected systems and AV coverage. 3. There is no correlation between detected phishing attempts and infected systems. 4. A correlation between threat landscape rating and infected systems appears to exist. 5. Effectiveness and performance of the security team appears to be degrading. B. 1. AV signature coverage has remained consistently high. 2. AV coverage across the fleet improved. 3. A correlation between phishing attempts and infected systems appears to exist. 4. There is a correlation between the threat landscape rating and the security team's performance. 5. There is no correlation between detected phishing attempts and infected systems. C. 1. There is no correlation between infected systems and AV coverage. 2. AV coverage across the fleet improved. 3. A correlation between phishing attempts and infected systems appears to exist. 4. There is no correlation between the threat landscape rating and the security team's performance. 5. There is a correlation between detected phishing attempts and infected systems. D. 1. AV coverage across the fleet declined. 2. There is no correlation between infected systems and AV coverage. 3. A correlation between phishing attempts and infected systems appears to exist. 4. There is no correlation between the threat landscape rating and the security team's performance. 5. Effectiveness and performance of the security team appears to be degrading.

A. 1. AV coverage across the fleet improved. 2. There is no correlation between infected systems and AV coverage. 3. There is no correlation between detected phishing attempts and infected systems. 4. A correlation between threat landscape rating and infected systems appears to exist. 5. Effectiveness and performance of the security team appears to be degrading.

341. A newly hired Chief Information Security Officer (CISO) is reviewing the organization's security budget from the previous year. The CISO notices $100,000 worth of fines were paid for not properly encrypting outbound email messages. The CISO expects next year's costs associated with fines to double and the volume of messages to increase by 100%. The organization sent out approximately 25,000 messages per year over the last three years. Given the table below: Which of the following would be BEST for the CISO to include in this year's budget? A. A budget line for DLP Vendor A B. A budget line for DLP Vendor B C. A budget line for DLP Vendor C D. A budget line for DLP Vendor D E. A budget line for paying future fines

A. A budget line for DLP Vendor A

406. Two new technical SMB security settings have been enforced and have also become policies that increase secure communications: Network Client: Digitally sign communication; Network Server: Digitally sign communication. A storage administrator in a remote location with a legacy storage array, which contains time-sensitive data, reports employees can no longer connect to their department shares. Which of the following mitigation strategies should an information security manager recommend to the data owner? A. Accept the risk, reverse the settings for the remote location, and have the remote location file a risk exception until the legacy storage device can be upgraded B. Accept the risk for the remote location, and reverse the settings indefinitely since the legacy storage device will not be upgraded C. Mitigate the risk for the remote location by suggesting a move to a cloud service provider. Have the remote location request an indefinite risk exception for the use of cloud storage D. Avoid the risk, leave the settings alone, and decommission the legacy storage device

A. Accept the risk, reverse the settings for the remote location, and have the remote location file a risk exception until the legacy storage device can be upgraded

381. A security manager recently categorized an information system. During the categorization effort, the manager determined the loss of integrity of a specific information type would impact business significantly. Based on this, the security manager recommends the implementation of several solutions. Which of the following, when combined, would BEST mitigate this risk? (Select TWO.) A. Access control B. Whitelisting C. Signing D. Validation E. Boot attestation

A. Access control D. Validation

310. An administrator wants to ensure hard drives cannot be removed from hosts and then installed into and read by unauthorized hosts. Which of the following techniques would BEST support this? A. Access control lists B. TACACS+ server for AAA C. File-level encryption D. TPM with sealed storage

A. Access control lists

369. A company has gone through a round of phishing attacks. More than 200 users have had their workstation infected because they clicked on a link in an email. An incident analysis has determined an executable ran and compromised the administrator account on each workstation. Management is demanding the information security team prevent this from happening again. Which of the following would BEST prevent this from happening again? A. Antivirus B. Patch management C. Log monitoring D. Application whitelisting E. Awareness training

A. Antivirus

346. A security administrator wants to stand up a NIPS that is multilayered and can incorporate many security technologies into a single platform. The product should have diverse capabilities, such as antivirus, VPN, and firewall services, and be able to be updated in a timely manner to meet evolving threats. Which of the following network prevention system types can be used to satisfy the requirements? A. Application firewall B. Unified threat management C. Enterprise firewall D. Content-based IPS

A. Application firewall

314. A corporation with a BYOD policy is very concerned about issues that may arise from data ownership. The corporation is investigating a new MDM solution and has gathered the following requirements as part of the requirements-gathering phase. * Each device must be issued a secure token of trust from the corporate PKI. * All corporate application and local data must be able to be deleted from a central console. * Cloud storage and backup applications must be restricted from the device. * Devices must be on the latest OS version within three weeks of an OS release. Which of the following should be features in the new MDM solution to meet these requirements? (Select TWO.) A. Application-based containerization B. Enforced full-device encryption C. Mandatory acceptance of SCEP system D. Side-loaded application prevention E. Biometric requirement to unlock device F. Over-the-air restriction

A. Application-based containerization

390. An advanced threat emulation engineer is conducting testing against a client's network. The engineer conducts the testing in as realistic a manner as possible. Consequently, the engineer has been gradually ramping up the volume of attacks over a long period of time. Which of the following combinations of techniques would the engineer MOST likely use in this testing? (Choose three.) A. Black box testing B. Gray box testing C. Code review D. Social engineering E. Vulnerability assessment F. Pivoting G. Self-assessment H. White teaming I. External auditing

A. Black box testing E. Vulnerability assessment F. Pivoting

404. A software development company lost customers recently because of a large number of software issues. These issues were related to integrity and availability defects, including buffer overflows, pointer dereferences, and others. Which of the following should the company implement to improve code quality? (Select TWO.) A. Development environment access controls B. Continuous integration C. Code comments and documentation D. Static analysis tools E. Application containerization F. Code obfuscation

A. Development environment access controls E. Application containerization

312. A company has created a policy to allow employees to use their personally owned devices. The Chief Information Officer (CISO) is getting reports of company data appearing on unapproved forums and an increase in theft of personal electronic devices. Which of the following security controls would BEST reduce the risk of exposure? A. Disk encryption on the local drive B. Group policy to enforce failed login lockout C. Multifactor authentication D. Implementation of email digital signatures

A. Disk encryption on the local drive

322. The Chief Information Officer (CIO) of a large bank, which uses multiple third-party organizations to deliver a service, is concerned about the handling and security of customer data by the parties. Which of the following should be implemented to BEST manage the risk? A. Establish a review committee that assesses the importance of suppliers and ranks them according to contract renewals. At the time of contract renewal, incorporate designs and operational controls into the contracts and a right-to-audit clause. Regularly assess the supplier's post-contract renewal with a dedicated risk management team. B. Establish a team using members from first line risk, the business unit, and vendor management to assess only design security controls of all suppliers. Store findings from the reviews in a database for all other business units and risk teams to reference. C. Establish an audit program that regularly reviews all suppliers regardless of the data they access, how they access the data, and the type of data. Review all design and operational controls based on best practice standards and report the findings back to upper management. D. Establish a governance program that rates suppliers based on their access to data, the type of data, and how they access the data. Assign key controls that are reviewed and managed based on the supplier's rating. Report findings to the business units that rely on the suppliers and to the various risk teams.

A. Establish a review committee that assesses the importance of suppliers and ranks them according to contract renewals. At the time of contract renewal, incorporate designs and operational controls into the contracts and a right-to-audit clause. Regularly assess the supplier's post-contract renewal with a dedicated risk management team.

410. During an audit, it was determined from a sample that four out of 20 former employees were still accessing their email accounts. An information security analyst is reviewing the access to determine if the audit was valid. Which of the following would assist with the validation and provide the necessary documentation to audit? A. Examining the termination notification process from human resources and employee account access logs B. Checking social media platforms for disclosure of company sensitive and proprietary information C. Sending a test email to the former employees to document an undeliverable email and review the ERP access D. Reviewing the email global account list and the collaboration platform for recent activity

A. Examining the termination notification process from human resources and employee account access logs

373. During the migration of a company's human resources application to a PaaS provider, the Chief Privacy Officer (CPO) expresses concern the vendor's staff may be able to access data within the migrating applications. The application stack includes a multitier architecture and uses commercially available, vendor-supported software packages. Which of the following BEST addresses the CPO's concerns? A. Execute non-disclosure agreements and background checks on vendor staff. B. Ensure the platform vendor implements data-at-rest encryption on its storage. C. Enable MFA to the vendor's tier of the architecture. D. Implement a CASB that tokenizes company data in transit to the migrated applications.

A. Execute non-disclosure agreements and background checks on vendor staff.

327. A company is transitioning to a new VDI environment, and a system engineer is responsible for developing a sustainable security strategy for the VDIs. Which of the following is the MOST appropriate order of steps to be taken? A. Firmware update, OS patching, HIDS, antivirus, baseline, monitoring agent B. OS patching, baseline, HIDS, antivirus, monitoring agent, firmware update C. Firmware update, OS patching, HIDS, antivirus, monitoring agent, baseline D. Baseline, antivirus, OS patching, monitoring agent, HIDS, firmware update

A. Firmware update, OS patching, HIDS, antivirus, baseline, monitoring agent

352. During a criminal investigation, the prosecutor submitted the original hard drive from the suspect's computer as evidence. The defense objected during the trial proceedings, and the evidence was rejected. Which of the following practices should the prosecutor's forensics team have used to ensure the suspect's data would be admissible as evidence? (Select TWO.) A. Follow chain of custody best practices B. Create an identical image of the original hard drive, store the original securely, and then perform forensics only on the imaged drive. C. Use forensics software on the original hard drive and present generated reports as evidence D. Create a tape backup of the original hard drive and present the backup as evidence E. Create an exact image of the original hard drive for forensics purposes, and then place the original back in service

A. Follow chain of custody best practices B. Create an identical image of the original hard drive, store the original securely, and then perform forensics only on the imaged drive.

355. An application has been through a peer review and regression testing and is prepared for release. A security engineer is asked to analyze an application binary to look for potential vulnerabilities prior to wide release. After thoroughly analyzing the application, the engineer informs the developer it should include additional input sanitation in the application to prevent overflows. Which of the following tools did the security engineer MOST likely use to determine this recommendation? A. Fuzzer B. HTTP interceptor C. Vulnerability scanner D. SCAP scanner

A. Fuzzer

374. An enterprise is configuring an SSL client-based VPN for certificate authentication. The trusted root certificate from the CA is imported into the firewall, and the VPN configuration in the firewall is configured for certificate authentication. Signed certificates from the trusted CA are distributed to user devices. The CA certificate is set as trusted on the end-user devices, and the VPN client is configured on the end-user devices. When the end users attempt to connect, however, the firewall rejects the connection after a brief period. Which of the following is the MOST likely reason the firewall rejects the connection? A. In the firewall, compatible cipher suites must be enabled B. In the VPN client, the CA CRL address needs to be specified manually C. In the router, IPSec traffic needs to be allowed in bridged mode D. In the CA, the SAN field must be set for the root CA certificate and then reissued

A. In the firewall, compatible cipher suites must be enabled

398. A company monitors the performance of all web servers using WMI. A network administrator informs the security engineer that web servers hosting the company's client-facing portal are running slowly today. After some investigation, the security engineer notices a large number of attempts at enumerating host information via SNMP from multiple IP addresses. Which of the following would be the BEST technique for the security engineer to employ in an attempt to prevent reconnaissance activity? A. Install a HIPS on the web servers B. Disable inbound traffic from offending sources C. Disable SNMP on the web servers D. Install anti-DDoS protection in the DMZ

A. Install a HIPS on the web servers

347. A company has adopted and established a continuous-monitoring capability, which has proven to be effective in vulnerability management, diagnostics, and mitigation. The company wants to increase the likelihood that it is able to discover and therefore respond to emerging threats earlier in the life cycle. Which of the following methodologies would BEST help the company to meet this objective? (Choose two.) A. Install and configure an IPS. B. Enforce routine GPO reviews. C. Form and deploy a hunt team. D. Institute heuristic anomaly detection. E. Use a protocol analyzer with appropriate connectors.

A. Install and configure an IPS. D. Institute heuristic anomaly detection.

399. Ann, a security administrator, is conducting an assessment on a new firewall, which was placed at the perimeter of a network containing PII. Ann runs the following commands on a server (10.0.1.19) behind the firewall: From her own workstation (192.168.2.45) outside the firewall, Ann then runs a port scan against the server and records the following packet capture of the port scan: Connectivity to the server from outside the firewall worked as expected prior to executing these commands. Which of the following can be said about the new firewall? A. It is correctly dropping all packets destined for the server. B. It is not blocking or filtering any traffic to the server. C. Iptables needs to be restarted. D. The IDS functionality of the firewall is currently disabled.

A. It is correctly dropping all packets destined for the server.

386. Which of the following is the BEST reason to implement a separation of duties policy? A. It minimizes the risk of DoS due to continuous monitoring. B. It eliminates the need to enforce least privilege by logging all actions. C. It increases the level of difficulty for a single employee to perpetrate fraud. D. It removes barriers to collusion and collaboration between business units.

A. It minimizes the risk of DoS due to continuous monitoring.

340. A government entity is developing requirements for an RFP to acquire a biometric authentication system. When developing these requirements, which of the following considerations is MOST critical to the verification and validation of the SRTM? A. Local and national laws and regulations B. Secure software development requirements C. Environmental constraint requirements D. Testability of requirements

A. Local and national laws and regulations

383. An organization is implementing a virtualized thin-client solution for normal user computing and access. During a review of the architecture, concerns were raised that an attacker could gain access to multiple user environments by simply gaining a foothold on a single one with malware. Which of the following reasons BEST explains this? A. Malware on one virtual environment could enable pivoting to others by leveraging vulnerabilities in the hypervisor. B. A worm on one virtual environment could spread to others by taking advantage of guest OS networking services vulnerabilities. C. One virtual environment may have one or more application-layer vulnerabilities, which could allow an attacker to escape that environment. D. Malware on one virtual user environment could be copied to all others by the attached network storage controller.

A. Malware on one virtual environment could enable pivoting to others by leveraging vulnerabilities in the hypervisor.

370. A company wants to confirm sufficient executable space protection is in place for scenarios in which malware may be attempting buffer overflow attacks. Which of the following should the security engineer check? A. NX/XN B. ASLR C. strcpy D. ECC

A. NX/XN

353. A Chief Information Security Officer (CISO) is running a test to evaluate the security of the corporate network and attached devices. Which of the following components should be executed by an outside vendor? A. Penetration tests B. Vulnerability assessment C. Tabletop exercises D. Blue-team operations

A. Penetration tests

378. An enterprise's Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) are meeting to discuss ongoing capacity and resource planning issues. The enterprise has experienced rapid, massive growth over the last 12 months, and the technology department is stretched thin for resources. A new accounting service is required to support the enterprise's growth, but the only available compute resources that meet the accounting service requirements are on the virtual platform, which is hosting the enterprise's website. Which of the following should the CISO be MOST concerned about? A. Poor capacity planning could cause an oversubscribed host, leading to poor performance on the company's website. B. A security vulnerability that is exploited on the website could expose the accounting service. C. Transferring as many services as possible to a CSP could free up resources. D. The CTO does not have the budget available to purchase required resources and manage growth.

A. Poor capacity planning could cause an oversubscribed host, leading to poor performance on the company's website.

307. At a meeting, the systems administrator states the security controls a company wishes to implement seem excessive, since all of the information on the company's web servers can be obtained publicly and is not proprietary in any way. The next day the company's website is defaced as part of an SQL injection attack, and the company receives press inquiries about the message the attackers displayed on the website. Which of the following is the FIRST action the company should take? A. Refer to and follow procedures from the company's incident response plan. B. Call a press conference to explain that the company has been hacked. C. Establish chain of custody for all systems to which the systems administrator has access. D. Conduct a detailed forensic analysis of the compromised system. E. Inform the communications and marketing department of the attack details.

A. Refer to and follow procedures from the company's incident response plan.

358. An organization wants to allow its employees to receive corporate email on their own smartphones. A security analyst is reviewing the following information contained within the file system of an employee's smartphone: FamilyPix.jpg Taxreturn.tax paystub.pdf employeesinfo.xls SoccerSchedule.doc RecruitmentPlan.xls Based on the above findings, which of the following should the organization implement to prevent further exposure? (Select two). A. Remote wiping B. Side loading C. VPN D. Containerization E. Rooting F. Geofencing G. Jailbreaking

A. Remote wiping C. VPN

372. Which of the following is a feature of virtualization that can potentially create a single point of failure? A. Server consolidation B. Load balancing hypervisors C. Faster server provisioning D. Running multiple OS instances

A. Server consolidation

343. A security architect has been assigned to a new digital transformation program. The objectives are to provide better capabilities to customers and reduce costs. The program has highlighted the following requirements: Long-lived sessions are required, as users do not log in very often. The solution has multiple SPs, which include mobile and web applications. A centralized IdP is utilized for all customer digital channels. The applications provide different functionality types such as forums and customer portals. The user experience needs to be the same across both mobile and web-based applications. Which of the following would BEST improve security while meeting these requirements? A. Social login to IdP, securely store the session cookies, and implement one-time passwords sent to the mobile device B. Certificate-based authentication to IdP, securely store access tokens, and implement secure push notifications. C. Username and password authentication to IdP, securely store refresh tokens, and implement context-aware authentication. D. Username and password authentication to SP, securely store JSON web tokens, and implement SMS OTPs.

A. Social login to IdP, securely store the session cookies, and implement one-time passwords sent to the mobile device

402. A video-game developer has received reports of players who are cheating. All game players each have five capabilities that are ranked on a scale of 1 to 10 points, with 10 total points available for balance. Players can move these points between capabilities at any time. The programming logic is as follows: • A player asks to move points from one capability to another • The source capability must have enough points to allow the move • The destination capability must not exceed 10 after the move • The move from source capability to destination capability is then completed The time stamps of the game logs show each step of the transfer process takes about 900 ms. However, the time stamps of the cheating players show capability transfers at the exact same time. The cheating players have 10 points in multiple capabilities. Which of the following is MOST likely being exploited to allow these capability transfers? A. TOC/TOU B. CSRF C. Memory leak D. XSS E. SQL injection F. Integer overflow

A. TOC/TOU

336. A security engineer is deploying an IdP to broker authentication between applications. These applications all utilize SAML 2.0 for authentication. Users log into the IdP with their credentials and are given a list of applications they may access. One of the application's authentications is not functional when a user initiates an authentication attempt from the IdP. The engineer modifies the configuration so users browse to the application first, which corrects the issue. Which of the following BEST describes the root cause? A. The application only supports SP-initiated authentication. B. The IdP only supports SAML 1.0 C. There is an SSL certificate mismatch between the IdP and the SaaS application. D. The user is not provisioned correctly on the IdP.

A. The application only supports SP-initiated authentication.

409. During a recent incident, sensitive data was disclosed and subsequently destroyed through a properly secured, cloud-based storage platform. An incident response technician is working with management to develop an after-action report that conveys critical metrics regarding the incident. Which of the following would be MOST important to senior leadership to determine the impact of the breach? A. The likely per-record cost of the breach to the organization B. The legal or regulatory exposure that exists due to the breach C. The amount of downtime required to restore the data D. The number of records compromised

A. The likely per-record cost of the breach to the organization

356. A manufacturing company recently recovered from an attack on its ICS devices. It has since reduced the attack surface by isolating the affected components. The company now wants to implement detection capabilities. It is considering a system that is based on machine learning. Which of the following features would BEST describe the driver to adopt such nascent technology over mainstream commercial IDSs? A. Trains on normal behavior and identifies deviations therefrom B. Identifies and triggers upon known bad signatures and behaviors C. Classifies traffic based on logical protocols and messaging formats D. Automatically reconfigures ICS devices based on observed behavior

A. Trains on normal behavior and identifies deviations therefrom

313. A financial institution's information security officer is working with the risk management officer to determine what to do with the institution's residual risk after all security controls have been implemented. Considering the institution's very low risk tolerance, which of the following strategies would be BEST? A. Transfer the risk. B. Avoid the risk C. Mitigate the risk. D. Accept the risk.

A. Transfer the risk.

306. A company's Chief Information Security Officer (CISO) is working with the product owners to perform a business impact assessment. The product owners provide feedback related to the criticality of various business processes, personnel, and technologies. Transitioning into risk assessment activities, which of the following types of information should the CISO require to determine the proper risk ranking? (Select TWO.) A. Trend analysis B. Likelihood C. TCO D. Compensating controls E. Magnitude F. ROI

A. Trend analysis C. TCO

367. A researcher is working to identify what appears to be a new variant of an existing piece of malware commonly used in ransomware attacks. While it is not identical to the malware previously evaluated, it has a number of similarities, including language, payload, and algorithms. Which of the following would help the researcher safely compare the code base of the two variants? A. Virtualized sandbox B. Vulnerability scanner C. Software-defined network D. HTTP interceptor

A. Virtualized sandbox

329. The Chief Information Security Officer (CISO) of a new company is looking for a comprehensive assessment of the company's application services. Which of the following would provide the MOST accurate number of weaknesses? A. White-box penetration test B. Internal vulnerability scanning C. Internal controls audit D. Third-party red-team engagement

A. White-box penetration test

376. The code snippet below controls all electronic door locks to a secure facility in which the doors should only fail open in an emergency. In the code, "criticalValue" indicates if an emergency is underway: Which of the following is the BEST course of action for a security analyst to recommend to the software developer? A. Rewrite the software to implement fine-grained, conditions-based testing B. Add additional exception handling logic to the main program to prevent doors from being opened C. Apply for a life-safety-based risk exception allowing secure doors to fail open D. Rewrite the software's exception handling routine to fail in a secure state

B. Add additional exception handling logic to the main program to prevent doors from being opened

389. Developers are working on a new feature to add to a social media platform. The new feature involves users uploading pictures of what they are currently doing. The data privacy officer (DPO) is concerned about various types of abuse that might occur due to this new feature. The DPO states the new feature cannot be released without addressing the physical safety concerns of the platform's users. Which of the following controls would BEST address the DPO's concerns? A. Increasing blocking options available to the uploader B. Adding a one-hour delay of all uploaded photos C. Removing all metadata in the uploaded photo file D. Not displaying to the public who uploaded the photo E. Forcing TLS for all connections on the platform

B. Adding a one-hour delay of all uploaded photos

308. A cybersecurity analyst has received an alert that well-known "call home" messages are continuously observed by network sensors at the network boundary. The proxy firewall successfully drops the messages. After determining the alert was a true positive, which of the following represents the MOST likely cause? A. Attackers are running reconnaissance on company resources. B. An outside command and control system is attempting to reach an infected system. C. An insider is trying to exfiltrate information to a remote network. D. Malware is running on a company system.

B. An outside command and control system is attempting to reach an infected system.

379. Given the code snippet below: Which of the following vulnerability types is the MOST concerning? A. Only short usernames are supported, which could result in brute forcing of credentials. B. Buffer overflow in the username parameter could lead to a memory corruption vulnerability. C. Hardcoded usernames with different code paths taken depend on which user is entered. D. Format string vulnerability is present for admin users but not for standard users.

B. Buffer overflow in the username parameter could lead to a memory corruption vulnerability.

332. An external red team member conducts a penetration test, attempting to gain physical access to a large organization's server room in a branch office. During reconnaissance, the red team member sees a clearly marked door to the server room, located next to the lobby, with a tumbler lock. Which of the following is BEST for the red team member to bring on site to open the locked door as quickly as possible without causing significant damage? A. Screwdriver set B. Bump key C. RFID duplicator D. Rake picking

B. Bump key

331. The email administrator must reduce the number of phishing emails by utilizing more appropriate security controls. The following configurations are already in place: • Keyword blocking based on word lists • URL rewriting and protection • Stopping executable files from messages. Which of the following is the BEST configuration change for the administrator to make? A. Configure more robust word lists for blocking suspicious emails B. Configure appropriate regular expression rules per suspicious email received C. Configure Bayesian filtering to block suspicious inbound email D. Configure the mail gateway to strip any attachments

B. Configure appropriate regular expression rules per suspicious email received

380. A technician is reviewing the following log: Which of the following tools should the organization implement to reduce the highest risk identified in this log? A. NIPS B. DLP C. NGFW D. SIEM

B. DLP

326. Security policies that are in place at an organization prohibit USB drives from being utilized across the entire enterprise, with adequate technical controls in place to block them. As a way to still be able to work from various locations on different computing resources, several sales staff members have signed up for a web-based storage solution without the consent of the IT department. However, the operations department is required to use the same service to transmit certain business partner documents. Which of the following would BEST allow the IT department to monitor and control this behavior? A. Enabling AAA B. Deploying a CASB C. Configuring an NGFW D. Installing a WAF E. Utilizing a vTPM

B. Deploying a CASB

311. A company that has been breached multiple times is looking to protect cardholder data. The previous undetected attacks all mimicked normal administrative-type behavior. The company must deploy a host solution to meet the following requirements: detect administrative actions; block unwanted MD5 hashes; provide alerts; stop exfiltration of cardholder data. Which of the following solutions would BEST meet these requirements? (Choose two.) A. AV B. EDR C. HIDS D. DLP E. HIPS F. EFS

B. EDR F. EFS

335. A security administrator wants to implement controls to harden company-owned mobile devices. Company policy specifies the following requirements: Mandatory access control must be enforced by the OS. Devices must only use the mobile carrier data transport. Which of the following controls should the security administrator implement? (Select three). A. Enable DLP B. Enable SEAndroid C. Enable EDR D. Enable secure boot E. Enable remote wipe F. Disable Bluetooth G. Disable 802.11 H. Disable geotagging

B. Enable SEAndroid F. Disable Bluetooth G. Disable 802.11

385. A network engineer is upgrading the network perimeter and installing a new firewall, IDS, and external edge router. The IDS is reporting elevated UDP traffic, and the internal routers are reporting high utilization. Which of the following is the BEST solution? A. Reconfigure the firewall to block external UDP traffic. B. Establish a security baseline on the IDS. C. Block echo reply traffic at the firewall. D. Modify the edge router to not forward broadcast traffic.

B. Establish a security baseline on the IDS.

337. A company's IT department currently performs traditional patching, and the servers have a significant longevity that may span over five years. A security architect is moving the company toward an immutable server architecture in which servers are replaced rather than patched. Instead of having static servers for development, test, and production, the servers will move from environment to environment dynamically. Which of the following are required to move to this type of architecture? (Select Two.) A. Network segmentation B. Forward proxy C. Netflow D. Load balancers E. Automated deployments

B. Forward proxy D. Load balancers

325. A penetration testing manager is contributing to an RFP for the purchase of a new platform. The manager has provided the following requirements: must be able to MITM web-based protocols; must be able to find common misconfigurations and security holes. Which of the following types of testing should be included in the testing platform? (Choose two.) A. Reverse engineering tool B. HTTP intercepting proxy C. Vulnerability scanner D. File integrity monitor E. Password cracker F. Fuzzer

B. HTTP intercepting proxy C. Vulnerability scanner

400. A penetration test is being scoped for a set of web services with API endpoints. The APIs will be hosted on existing web application servers. Some of the new APIs will be available to unauthenticated users, but some will only be available to authenticated users. Which of the following tools or activities would the penetration tester MOST likely use or do during the engagement? (Select TWO.) A. Static code analyzer B. Intercepting proxy C. Port scanner D. Reverse engineering E. Reconnaissance gathering F. User acceptance testing

B. Intercepting proxy E. Reconnaissance gathering

321. Legal counsel has notified the information security manager of a legal matter that will require the preservation of electronic records for 2000 sales force employees. Source records will be email, PC, network shares, and applications. After all restrictions have been lifted, which of the following should the information security manager review? A. Data retention policy B. Legal hold C. Chain of custody D. Scope statement

B. Legal hold

387. A recent overview of the network's security and storage applications reveals a large amount of data that needs to be isolated for security reasons. Below are the critical applications and devices configured on the network: firewall; core switches; RM server; virtual environment; NAC solution. The security manager also wants data from all critical applications to be aggregated to correlate events from multiple sources. Which of the following must be configured in certain applications to help ensure data aggregation and data isolation are implemented on the critical applications and devices? (Select TWO.) A. Routing tables B. Log forwarding C. Data remnants D. Port aggregation E. NIC teaming F. Zones

B. Log forwarding F. Zones

354. Ann, a CIRT member, is conducting incident response activities on a network that consists of several hundred virtual servers and thousands of endpoints and users. The network generates more than 10,000 log messages per second. The enterprise belongs to a large, web-based cryptocurrency startup. Ann has distilled the relevant information into an easily digestible report for executive management. However, she still needs to collect evidence of the intrusion that caused the incident. Which of the following should Ann use to gather the required information? A. Traffic interceptor log analysis B. Log reduction and visualization tools C. Proof of work analysis D. Ledger analysis software

B. Log reduction and visualization tools

407. A security analyst receives an email from a peer that includes a sample of code from a piece of malware found in an application running in the organization's staging environment. During the incident response process, it is determined the code was introduced into the environment as a result of a compromised laptop being used to harvest credentials and access the organization's code repository. While the laptop itself was not used to access the code repository, an attacker was able to leverage the harvested credentials from another system in the development environment to bypass the ACLs limiting access to the repositories. Which of the following controls MOST likely would have interrupted the kill chain in this attack? A. IP whitelisting on the perimeter firewall B. MFA for developer access C. Dynamic analysis scans in the production environment D. Blue team engagement in peer-review activities E. Time-based restrictions on developer access to code repositories

B. MFA for developer access

388. Management is reviewing the results of a recent risk assessment of the organization's policies and procedures. During the risk assessment, it is determined that procedures associated with background checks have not been effectively implemented. In response to this risk, the organization elects to revise policies and procedures related to background checks and use a third party to perform background checks on all new employees. Which of the following risk management strategies has the organization employed? A. Transfer B. Mitigate C. Accept D. Avoid E. Reject

B. Mitigate

392. An electric car company hires an IT consulting company to improve the cybersecurity of its vehicles. Which of the following should achieve the BEST long-term result for the company? A. Designing and developing add-on security components for fielded vehicles B. Reviewing proposed designs and prototypes for cybersecurity vulnerabilities C. Performing a cyber-risk assessment on production vehicles D. Reviewing and influencing requirements for an early development vehicle

B. Reviewing proposed designs and prototypes for cybersecurity vulnerabilities

363. A server (10.0.0.2) on the corporate network is experiencing a DoS from a number of marketing desktops that have been compromised and are connected to a separate network segment. The security engineer implements the following configuration on the management router: Which of the following is the engineer implementing? A. Remotely triggered black hole B. Route protection C. Port security D. Transport security E. Address space layout randomization

B. Route protection

345. After embracing a BYOD policy, a company is faced with new security challenges from unmanaged mobile devices and laptops. The company's IT department has seen a large number of the following incidents: duplicate IP addresses; rogue network devices; infected systems probing the company's network. Which of the following should be implemented to remediate the above issues? (Choose two.) A. Port security B. Route protection C. NAC D. HIPS E. NIDS

B. Route protection C. NAC

344. A security engineer is performing an assessment again for a company. The security engineer examines the following output from the review: Which of the following tools is the engineer utilizing to perform this assessment? A. Vulnerability scanner B. SCAP scanner C. Port scanner D. Interception proxy

B. SCAP scanner

375. An organization is in the process of integrating its operational technology and information technology areas. As part of the integration, some of the cultural aspects it would like to see include more efficient use of resources during change windows, better protection of critical infrastructure, and the ability to respond to incidents. The following observations have been identified: The ICS supplier has specified that any software installed will result in lack of support. There is no documented trust boundary defined between the SCADA and corporate networks. Operational technology staff have to manage the SCADA equipment via the engineering workstation. There is a lack of understanding of what is within the SCADA network. Which of the following capabilities would BEST improve the security position? A. VNC, router, and HIPS B. SIEM, VPN, and firewall C. Proxy, VPN, and WAF D. IDS, NAC, and log monitoring

B. SIEM, VPN, and firewall

333. A security administrator is updating corporate policies to respond to an incident involving collusion between two systems administrators that went undetected for more than six months. Which of the following policies would have MOST likely uncovered the collusion sooner? (Choose two.) A. Mandatory vacation B. Separation of duties C. Continuous monitoring D. Incident response E. Time-of-day restrictions F. Job rotation

B. Separation of duties F. Job rotation

362. An attacker wants to gain information about a company's database structure by probing the database listener. The attacker tries to manipulate the company's database to see if it has any vulnerabilities that can be exploited to help carry out an attack. To prevent this type of attack, which of the following should the company do to secure its database? A. Mask the database banner B. Tighten database authentication and limit table access C. Harden web and Internet resources D. Implement challenge-based authentication

B. Tighten database authentication and limit table access

371. An incident responder wants to capture volatile memory comprehensively from a running machine for forensic purposes. The machine is running a very recent release of the Linux OS. Which of the following technical approaches would be the MOST feasible way to accomplish this capture? A. Run the memdump utility with the -k flag. B. Use a loadable kernel module capture utility, such as LiME. C. Run dd on /dev/mem. D. Employ a stand-alone utility, such as FTK Imager.

B. Use a loadable kernel module capture utility, such as LiME.

394. Within the past six months, a company has experienced a series of attacks directed at various collaboration tools. Additionally, sensitive information was compromised during a recent security breach of a remote access session from an unsecure site. As a result, the company is requiring all collaboration tools to comply with the following: secure messaging between internal users using digital signatures; secure sites for video-conferencing sessions; presence information for all office employees; restriction of certain types of messages to be allowed into the network. Which of the following applications must be configured to meet the new requirements? (Select TWO.) A. Remote desktop B. VoIP C. Remote assistance D. Email E. Instant messaging F. Social media websites

B. VoIP E. Instant messaging

323. A technician receives the following security alert from the firewall's automated system: Match_Time: 10/10/16 16:20:43 Serial: 002301028176 Device_name: COMPSEC1 Type: CORRELATION Scrusex: domain\samjones Scr: 10.50.50.150 Object_name: beacon detection Object_id: 6005 Category: compromised-host Severity: medium Evidence: host repeatedly visited a dynamic DNS domain (17 time) After reviewing the alert, which of the following is the BEST analysis? A. The alert is a false positive because DNS is a normal network function. B. This alert indicates a user was attempting to bypass security measures using dynamic DNS. C. This alert was generated by the SIEM because the user attempted too many invalid login attempts. D. This alert indicates an endpoint may be infected and is potentially contacting a suspect host.

B. This alert indicates a user was attempting to bypass security measures using dynamic DNS.

360. A new security policy states all wireless and wired authentication must include the use of certificates when connecting to internal resources within the enterprise LAN by all employees. Which of the following should be configured to comply with the new security policy? (Select TWO.) A. SSO B. New pre-shared key C. 802.1X D. OAuth E. Push-based authentication F. PKI

C. 802.1X F. PKI

309. To prepare for an upcoming audit, the Chief Information Security Officer (CISO) asks for all 1200 vulnerabilities on production servers to be remediated. The security engineer must determine which vulnerabilities represent real threats that can be exploited so resources can be prioritized to mitigate the most dangerous risks. The CISO wants the security engineer to act in the same manner as would an external threat, while using vulnerability scan results to prioritize any actions. Which of the following approaches is described? A. Blue team B. Red team C. Black box D. White team

C. Black box

357. An information security officer reviews a report and notices a steady increase in outbound network traffic over the past ten months. There is no clear explanation for the increase. The security officer interviews several business units and discovers an unsanctioned cloud storage provider was used to share marketing materials with potential customers. Which of the following services would be BEST for the security officer to recommend to the company? A. NIDS B. HIPS C. CASB D. SFTP

C. CASB

366. A company's chief cybersecurity architect wants to configure mutual authentication to access an internal payroll website. The architect has asked the administration team to determine the configuration that would provide the best defense against MITM attacks. Which of the following implementation approaches would BEST support the architect's goals? A. Utilize a challenge-response prompt as required input at username/password entry. B. Implement TLS and require the client to use its own certificate during handshake. C. Configure a web application proxy and institute monitoring of HTTPS transactions. D. Install a reverse proxy in the corporate DMZ configured to decrypt TLS sessions.

C. Configure a web application proxy and institute monitoring of HTTPS transactions.

328. The security configuration management policy states that all patches must undergo testing procedures before being moved into production. The sec... analyst notices a single web application server has been downloading and applying patches during non-business hours without testing. There are no apparent adverse reactions, server functionality does not seem to be affected, and no malware was found after a scan. Which of the following actions should the analyst take? A. Reschedule the automated patching to occur during business hours. B. Monitor the web application service for abnormal bandwidth consumption. C. Create an incident ticket for anomalous activity. D. Monitor the web application for service interruptions caused by the patching.

C. Create an incident ticket for anomalous activity.

365. A security engineer is embedded with a development team to ensure security is built into products being developed. The security engineer wants to ensure developers are not blocked by a large number of security requirements applied at specific schedule points. Which of the following solutions BEST meets the engineer's goal? A. Schedule weekly reviews of all unit test results with the entire development team and follow up between meetings with surprise code inspections. B. Develop and implement a set of automated security tests to be installed on each development team leader's workstation. C. Enforce code quality and reuse standards into the requirements definition phase of the waterfall development process. D. Deploy an integrated software tool that builds and tests each portion of code committed by developers and provides feedback.

C. Enforce code quality and reuse standards into the requirements definition phase of the waterfall development process.

348. A cybersecurity analyst created the following tables to help determine the maximum budget amount the business can justify spending on an improved email filtering system: Which of the following meets the budget needs of the business? A. Filter ABC B. Filter XYZ C. Filter GHI D. Filter TUV

C. Filter GHI

403. A consulting firm was hired to conduct an assessment for a company. During the first stage, a penetration tester used a tool that provided the following output: TCP 80 open TCP 443 open TCP 1434 filtered The penetration tester then used a different tool to make the following requests: GET / script/login.php?token=45$MHT000MND876 GET / script/login.php?token=@#984DCSPQ%091DF Which of the following tools did the penetration tester use? A. Protocol analyzer B. Port scanner C. Fuzzer D. Brute forcer E. Log analyzer F. HTTP interceptor

C. Fuzzer

319. A security engineer is analyzing an application during a security assessment to ensure it is configured to protect against common threats. Given the output below: Which of the following tools did the security engineer MOST likely use to generate this output? A. Application fingerprinter B. Fuzzer C. HTTP interceptor D. Vulnerability scanner

C. HTTP interceptor

382. A company wants to secure a newly developed application that is used to access sensitive information and data from corporate resources. The application was developed by a third-party organization, and it is now being used heavily despite lacking the following controls: • Certificate pinning • Tokenization • Biometric authentication. The company has already implemented the following controls: • Full device encryption • Screen lock • Device password • Remote wipe. The company wants to defend against interception of data attacks. Which of the following compensating controls should the company implement NEXT? A. Enforce the use of a VPN when using the newly developed application. B. Implement a geofencing solution that disables the application according to company requirements. C. Implement an out-of-band second factor to authenticate authorized users. D. Install the application in a secure container requiring additional authentication controls.

C. Implement an out-of-band second factor to authenticate authorized users

351. As part of the development process for a new system, the organization plans to perform requirements analysis and risk assessment. The new system will replace a legacy system, which the organization has used to perform data analytics. Which of the following is MOST likely to be part of the activities conducted by management during this phase of the project? A. Static code analysis and peer review of all application code B. Validation of expectations relating to system performance and security C. Load testing the system to ensure response times are acceptable to stakeholders D. Design reviews and user acceptance testing to ensure the system has been deployed properly E. Regression testing to evaluate interoperability with the legacy system during the deployment

C. Load testing the system to ensure response times are acceptable to stakeholders

411. As part of a systems modernization program, the use of a weak encryption algorithm is identified in a web services API. The client using the API is unable to upgrade the system on its end, which would support the use of a secure algorithm set. As a temporary workaround, the client provides its IP space and the network administrator limits access to the API via an ACL to only the IP space held by the client. Which of the following is the use of the ACL in this situation an example of? A. Avoidance B. Transference C. Mitigation D. Acceptance E. Assessment

C. Mitigation

401. An organization is currently performing a market scan for managed security services and EDR capability. Which of the following business documents should be released to the prospective vendors in the first step of the process? (Select TWO). A. MSA B. RFP C. NDA D. RFI E. MOU F. RFQ

C. NDA D. RFI

350. A security consultant was hired to audit a company's password and account policy. The company implements the following controls: Minimum password length: 16; Maximum password age: 0; Minimum password age: 0; Password complexity: disabled; Store passwords in plain text: disabled; Failed attempts lockout: 3; Lockout timeout: 1 hour. The password database uses salted hashes and PBKDF2. Which of the following is MOST likely to yield the greatest number of plain text passwords in the shortest amount of time? A. Offline hybrid dictionary attack B. Offline brute-force attack C. Online hybrid dictionary password spraying attack D. Rainbow table attack E. Online brute-force attack F. Pass-the-hash attack

C. Online hybrid dictionary password spraying attack

338. During a security event investigation, a junior analyst fails to create an image of a server's hard drive before removing the drive and sending it to the forensics analyst. Later, the evidence from the analysis is not usable in the prosecution of the attackers due to the uncertainty of tampering. Which of the following should the junior analyst have followed? A. Continuity of operations B. Chain of custody C. Order of volatility D. Data recovery

C. Order of volatility

359. Ann, a retiring employee, cleaned out her desk. The next day, Ann's manager notices company equipment that was supposed to remain at her desk is now missing. Which of the following would reduce the risk of this occurring in the future? A. Regular auditing of the clean desk policy B. Employee awareness and training policies C. Proper employee separation procedures D. Implementation of an acceptable use policy

C. Proper employee separation procedures

342. An insurance company has two million customers and is researching the top transactions on its customer portal. It identifies that the top transaction is currently password reset. Due to users not remembering their secret questions, a large number of calls are consequently routed to the contact center for manual password resets. The business wants to develop a mobile application to improve customer engagement in the future, continue with a single factor of authentication, minimize management overhead of the solution, remove passwords, and eliminate calls to the contact center. Which of the following techniques would BEST meet the requirements? (Choose two.) A. Magic link sent to an email address B. Customer ID sent via push notification C. SMS with OTP sent to a mobile number D. Third-party social login E. Certificate sent to be installed on a device F. Hardware tokens sent to customers

C. SMS with OTP sent to a mobile number E. Certificate sent to be installed on a device

317. Due to a recent acquisition, the security team must find a way to secure several legacy applications. During a review of the applications, the following issues are documented: The applications are considered mission-critical. The applications are written in code languages not currently supported by the development staff. Security updates and patches will not be made available for the applications. Username and passwords do not meet corporate standards. The data contained within the applications includes both PII and PHI. The applications communicate using TLS 1.0. Only internal users access the applications. Which of the following should be utilized to reduce the risk associated with these applications and their current architecture? A. Update the company policies to reflect the current state of the applications so they are not out of compliance. B. Create a group policy to enforce password complexity and username requirements. C. Use network segmentation to isolate the applications and control access. D. Move the applications to virtual servers that meet the password and account standards.

C. Use network segmentation to isolate the applications and control access.

318. An online bank has contracted with a consultant to perform a security assessment of the bank's web portal. The consultant notices the login page is linked from the main page with HTTPS, but when the URL is changed to HTTP, the browser is automatically redirected back to the HTTPS site. Which of the following is a concern for the consultant, and how can it be mitigated? A. XSS could be used to inject code into the login page during the redirect to the HTTPS site. The consultant should implement a WAF to prevent this. B. The consultant is concerned the site is using an older version of the SSL 3.0 protocol that is vulnerable to a variety of attacks. Upgrading the site to TLS 1.0 would mitigate this issue. C. The HTTP traffic is vulnerable to network sniffing, which could disclose usernames and passwords to an attacker. The consultant should recommend disabling HTTP on the web server. D. A successful MITM attack could intercept the redirect and use sslstrip to decrypt further HTTPS traffic. Implementing HSTS on the web server would prevent this.

D. A successful MITM attack could intercept the redirect and use sslstrip to decrypt further HTTPS traffic. Implementing HSTS on the web server would prevent this.

324. After multiple service interruptions caused by an older datacenter design, a company decided to migrate away from its datacenter. The company has successfully completed the migration of all datacenter servers and services to a cloud provider. The migration project includes the following phases: selection of a cloud provider; architectural design; microservice segmentation; virtual private cloud; geographic service redundancy; service migration. The Chief Information Security Officer (CISO) is still concerned with the availability requirements of critical company applications. Which of the following should the company implement NEXT? A. Multicloud solution B. Single-tenancy private cloud C. Hybrid cloud solution D. Cloud access security broker

D. Cloud access security broker

349. A security analyst has been asked to create a list of external IT security concerns, which are applicable to the organization. The intent is to show the different types of external actors, their attack vectors, and the types of vulnerabilities that would cause business impact. The Chief Information Security Officer (CISO) will then present this list to the board to request funding for controls in areas that have insufficient coverage. Which of the following exercise types should the analyst perform? A. Summarize the most recently disclosed vulnerabilities. B. Research industry best practices and latest RFCs. C. Undertake an external vulnerability scan and penetration test. D. Conduct a threat modeling exercise.

D. Conduct a threat modeling exercise.

315. Following a complete outage of the electronic medical record system for more than 18 hours, the hospital's Chief Executive Officer (CEO) has requested that the Chief Information Security Officer (CISO) perform an investigation into the possibility of a disgruntled employee causing the outage maliciously. To begin the investigation, the CISO pulls all event logs and device configurations from the time of the outage. The CISO immediately notices the configuration of a top-of-rack switch from one day prior to the outage does not match the configuration that was in place at the time of the outage. However, none of the event logs show who changed the switch configuration, and seven people have the ability to change it. Because of this, the investigation is inconclusive. Which of the following processes should be implemented to ensure this information is available for future investigations? A. Asset inventory management B. Incident response plan C. Test and evaluation D. Configuration and change management

D. Configuration and change management

397. A security administrator receives reports that several workstations are unable to access resources within one network segment. A packet capture shows the segment is flooded with ICMPv6 traffic from the source fe80::21ae:4571:42ab:1fdd to the destination ff02::1. Which of the following should the security administrator integrate into the network to help prevent this from occurring? A. Raise the dead peer detection interval to prevent the additional network chatter. B. Deploy honeypots on the network segment to identify the sending machine. C. Ensure routers will use router advertisement guards. D. Deploy ARP spoofing prevention on routers and switches.

D. Deploy ARP spoofing prevention on routers and switches.

396. A company is not familiar with the risks associated with IPv6. The systems administrator wants to isolate IPv4 from IPv6 traffic between two different network segments. Which of the following should the company implement? (Select TWO) A. Use an internal firewall to block UDP port 3544. B. Disable network discovery protocol on all company routers. C. Block IP protocol 41 using Layer 3 switches. D. Disable the DHCPv6 service from all routers. E. Drop traffic for ::/0 at the edge firewall. F. Implement a 6in4 proxy server.

A. Use an internal firewall to block UDP port 3544. C. Block IP protocol 41 using Layer 3 switches.
Teredo carries IPv6 inside UDP port 3544 and 6to4/6in4 carry IPv6 as IP protocol 41, so blocking both stops IPv6 from riding over the IPv4 segment. Dropping ::/0 would block all IPv6 rather than isolate it, disabling DHCPv6 does not stop SLAAC, and a 6in4 proxy would create a tunnel rather than prevent one.

408. An organization is facing budget constraints. The Chief Technology Officer (CTO) wants to add a new marketing platform, but the organization does not have the resources to obtain separate servers to run the new platform. The CTO recommends running the new marketing platform on a virtualized video-conferencing server because video conferencing is rarely used. The Chief Information Security Officer (CISO) denies this request. Which of the following BEST explains the reason why the CISO has not approved the request? A. Privilege escalation attacks B. Performance and availability C. Weak DAR encryption D. Disparate security requirements

D. Disparate security requirements

330. With which of the following departments should an engineer for a consulting firm coordinate when determining the control and reporting requirements for storage of sensitive, proprietary customer information? A. Human resources B. Financial C. Sales D. Legal counsel

D. Legal counsel

334. A company is concerned about disgruntled employees transferring its intellectual property data through covert channels. Which of the following tools would allow employees to write data into ICMP echo response packets? A. Thor B. Jack the Ripper C. Burp Suite D. Loki

D. Loki
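The technique the question describes (writing data into the payload of ICMP echo replies) is detectable because RFC 792 requires an echo reply to mirror the request's data. As an added example, not code from the original page or from any of the tools named, the Python below builds raw ICMP echo messages with a valid checksum, pairs replies to requests by identifier and sequence number, and flags replies whose payload does not match the request or that have no request at all. The packets, identifier and payloads are constructed for illustration.

```python
import struct

ECHO_REPLY, ECHO_REQUEST = 0, 8


def icmp_checksum(data):
    """RFC 1071 ones'-complement checksum over 16-bit words (odd length padded with a zero byte)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(msg_type, ident, seq, payload):
    """Serialize an ICMP echo request/reply: type, code, checksum, identifier, sequence, data."""
    header = struct.pack("!BBHHH", msg_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", msg_type, 0, csum, ident, seq) + payload


def parse_echo(raw):
    msg_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", raw[:8])
    return {"type": msg_type, "id": ident, "seq": seq, "payload": raw[8:]}


def verify_checksum(raw):
    # summing a correctly checksummed message, checksum field included, folds to zero
    return icmp_checksum(raw) == 0


def find_tampered_replies(packets):
    """Return (id, seq) of echo replies whose data does not mirror the matching request,
    or that arrive with no matching request: both are signs of data smuggled in the reply."""
    requests, tampered = {}, []
    for raw in packets:
        if not verify_checksum(raw):
            continue  # corrupt on the wire, not a covert-channel indicator by itself
        p = parse_echo(raw)
        if p["type"] == ECHO_REQUEST:
            requests[(p["id"], p["seq"])] = p["payload"]
        elif p["type"] == ECHO_REPLY:
            expected = requests.get((p["id"], p["seq"]))
            if expected is None or expected != p["payload"]:
                tampered.append((p["id"], p["seq"]))
    return tampered


def build_sample_packets():
    """Constructed traffic: one honest exchange, one reply carrying exfiltrated data,
    and one reply that nobody asked for."""
    normal = b"\x00" * 32  # typical zero-filled ping payload
    smuggled = b"secret-doc.pdf part 1".ljust(32, b"\x00")
    return [
        build_echo(ECHO_REQUEST, 0x1234, 1, normal),
        build_echo(ECHO_REPLY, 0x1234, 1, normal),      # mirrors the request: benign
        build_echo(ECHO_REQUEST, 0x1234, 2, normal),
        build_echo(ECHO_REPLY, 0x1234, 2, smuggled),    # data written into the reply
        build_echo(ECHO_REPLY, 0x1234, 9, b"unsolicited"),  # no request with seq 9
    ]


if __name__ == "__main__":
    print("tampered replies:", find_tampered_replies(build_sample_packets()))
```

A stricter variant would also alert on echo payload sizes or rates that differ from the host's normal ping behaviour, since a tunnel that copies the request payload into the reply and hides data only in the request would pass this check.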

391. The Chief Financial Officer (CFO) of a major hospital system has received a ransom letter that demands a large sum of cryptocurrency be transferred to an anonymous account. If the transfer does not take place within ten hours, the letter states that patient information will be released on the dark web. A partial listing of recent patients is included in the letter. This is the first indication that a breach took place. Which of the following steps should be done FIRST? A. Review audit logs to determine the extent of the breach B. Pay the hacker under the condition that all information is destroyed C. Engage a counter-hacking team to retrieve the data D. Notify the appropriate legal authorities and legal counsel

D. Notify the appropriate legal authorities and legal counsel

320. After the departure of a developer under unpleasant circumstances, the company is concerned about the security of the software to which the developer has access. Which of the following is the BEST way to ensure security of the code following the incident? A. Hire an external red team to conduct black box testing B. Conduct a peer review and cross reference the SRTM C. Perform white-box testing on all impacted finished products D. Perform regression testing and search for suspicious code

D. Perform regression testing and search for suspicious code

405. Given the following output from a security tool in Kali: A. Log reduction B. Network enumerator C. Fuzzer D. SCAP scanner

D. SCAP scanner

377. Following a recent network intrusion, a company wants to determine the current security awareness of all of its employees. Which of the following is the BEST way to test awareness? A. Conduct a series of security training events with comprehensive tests at the end B. Hire an external company to provide an independent audit of the network security posture C. Review the social media of all employees to see how much proprietary information is shared D. Send an email from a corporate account, requesting users to log onto a website with their enterprise account

D. Send an email from a corporate account, requesting users to log onto a website with their enterprise account

395. Which of the following is the GREATEST security concern with respect to BYOD? A. The filtering of sensitive data out of data flows at geographic boundaries. B. Removing potential bottlenecks in data transmission paths. C. The transfer of corporate data onto mobile corporate devices. D. The migration of data into and out of the network in an uncontrolled manner.

D. The migration of data into and out of the network in an uncontrolled manner.

361. A financial consulting firm recently recovered from some damaging incidents that were associated with malware installed via rootkit. Post-incident analysis is ongoing, and the incident responders and systems administrators are working to determine a strategy to reduce the risk of recurrence. The firm's systems are running modern operating systems and feature UEFI and TPMs. Which of the following technical options would provide the MOST preventive value? A. Update and deploy GPOs B. Configure and use measured boot C. Strengthen the password complexity requirements D. Update the antivirus software and definitions

B. Configure and use measured boot
A rootkit loads before user-mode antivirus and can hide from it, so updated definitions (D) add little. With UEFI and a TPM present, measured boot hashes each boot stage into TPM PCRs before handing control to it, so a modified boot loader or kernel produces a different measurement that remote attestation or sealed secrets can refuse, stopping the compromised chain from being trusted.
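As an added example, not code from the original page, the Python below models what measured boot gives the responders here: each component is hashed and extended into a PCR (new = H(old || digest)), the verifier replays the event log, compares against golden values, and names the first stage that diverged. The firmware, loader and kernel "images" are constructed byte strings standing in for real binaries; the function and variable names are this example's own.

```python
import hashlib

PCR_INIT = b"\x00" * 32  # a SHA-256 PCR bank starts zeroed at reset


def sha256(data):
    return hashlib.sha256(data).digest()


def pcr_extend(pcr, digest):
    """TPM2_PCR_Extend semantics: new = H(old || digest).
    A PCR can only be extended, never set, so a later stage cannot erase an earlier measurement."""
    return sha256(pcr + digest)


def measure_boot_chain(components):
    """Model of measured boot: each stage hashes the next before transferring control,
    extends the PCR and appends the digest to the event log.
    Returns (final_pcr, log) with log entries of (stage_name, digest_hex)."""
    pcr, log = PCR_INIT, []
    for name, image in components:
        digest = sha256(image)
        pcr = pcr_extend(pcr, digest)
        log.append((name, digest.hex()))
    return pcr, log


def replay_log(log):
    """Verifier side: recompute the PCR from the event log alone."""
    pcr = PCR_INIT
    for _name, digest_hex in log:
        pcr = pcr_extend(pcr, bytes.fromhex(digest_hex))
    return pcr


def first_divergence(expected_log, actual_log):
    """Name of the first boot stage whose measurement differs from the golden log, or None."""
    for (name, good), (_n, seen) in zip(expected_log, actual_log):
        if good != seen:
            return name
    return None


def attest(golden_pcr, reported_pcr, log):
    """Return (ok, reason). reported_pcr is what the TPM reports; log is what the OS supplies."""
    if replay_log(log) != reported_pcr:
        return False, "event log does not replay to the reported PCR (log tampered or truncated)"
    if reported_pcr != golden_pcr:
        return False, "PCR does not match golden value: a boot component changed"
    return True, "boot chain matches golden measurements"


# Constructed stand-ins for firmware images; a real deployment hashes the actual binaries.
GOOD_CHAIN = [
    ("firmware", b"UEFI firmware v1.0"),
    ("bootloader", b"shim+grub 2.06"),
    ("kernel", b"vmlinuz-6.1"),
]
ROOTKITTED_CHAIN = [
    ("firmware", b"UEFI firmware v1.0"),
    ("bootloader", b"shim+grub 2.06 with bootkit stub"),  # modified loader
    ("kernel", b"vmlinuz-6.1"),
]


if __name__ == "__main__":
    golden_pcr, golden_log = measure_boot_chain(GOOD_CHAIN)
    bad_pcr, bad_log = measure_boot_chain(ROOTKITTED_CHAIN)
    print("clean boot:", attest(golden_pcr, golden_pcr, golden_log))
    print("rootkitted boot:", attest(golden_pcr, bad_pcr, bad_log),
          "first divergence:", first_divergence(golden_log, bad_log))
    # an attacker who hands the verifier the clean log cannot make it replay to the TPM's PCR
    print("forged log:", attest(golden_pcr, bad_pcr, golden_log))
```

The last case is the reason the TPM matters: the log lives on disk and can be rewritten by a rootkit, but the PCR value is held in hardware and only ever extended, so a forged log fails the replay check.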

393. The results of an external penetration test for a software development company show a small number of applications account for the largest number of findings. While analyzing the content and purpose of the applications, the following matrix is created. The findings are then categorized according to the following chart: Which of the following would BEST reduce the amount of immediate risk incurred by the organization from a compliance and legal standpoint? (Select TWO) A. Place a WAF in line with Application 2 B. Move Application 3 to a secure VLAN and require employees to use a jump server for access. C. Apply the missing OS and software patches to the server hosting Application 4 D. Use network segmentation and ACLs to control access to Application 5. E. Implement an IDS/IPS on the same network segment as Application 3 F. Install a FIM on the server hosting Application 4

D. Use network segmentation and ACLs to control access to Application 5. E. Implement an IDS/IPS on the same network segment as Application 3

384. A Chief Information Security Officer (CISO) is working with a consultant to perform a gap assessment prior to an upcoming audit. It is determined during the assessment that the organization lacks controls to effectively assess regulatory compliance by third-party service providers. Which of the following should be revised to address this gap? A. Privacy policy B. Work breakdown structure C. Interconnection security agreement D. Vendor management plan E. Audit report

D. Vendor management plan

412. A security analyst is reviewing the corporate MDM settings and notices some disabled settings, which consequently permit users to download programs from untrusted developers and manually install them. After some conversations, it is confirmed that these settings were disabled to support the internal development of mobile applications. The security analyst is now recommending that developers and testers have a separate device profile allowing this, and that the rest of the organization's users do not have the ability to manually download and install untrusted applications. Which of the following settings should be toggled to achieve the goal? (Choose two.) A. OTA updates B. Remote wiping C. Side loading D. Sandboxing E. Containerization F. Signed applications

C. Side loading F. Signed applications
Side loading is the setting that permits installing applications from outside the store, and requiring signed applications restricts installs to code signed by trusted developers. Disabling side loading and enforcing signing in the general profile, while leaving both relaxed in a separate developer and tester profile, meets the goal.
