Advanced Security Practitioner 2


Q12. The security administrator is tasked with finding a security product to replace the current anti-spam system in the company. After reading through NIST documents and the OWASP top ten protection guide, the security administrator is now ready to approach vendors. Which of the following types of research documents should the administrator look for? (Select THREE). A. ROI B. RFI C. TCO D. RFQ E. RFC F. RFP

--> B. RFI, D. RFQ, F. RFP

Q7. A security architect has the following requirements for a system:
1. Must be developed with an object-oriented programming language
2. Must encrypt data at rest
3. Must comply with corporate PII policies
4. Must support multi-factor authentication
5. Should be built on a trusted OS
Which of the following contractual documents is the correct place to list these requirements when initially surveying the vendor space? A. RFC B. RFT C. RFQ D. RFP

--> B. RFT - A request for tenders (RFT) is a formal, structured invitation to suppliers to submit a bid to supply products or services. - Request for Contract

Q3. An organization is developing a new web application that can provide the ability for customers to retrieve fast quotes on products and services. After going live with the web application, the organization is seeing system outages and delays in presenting quotes to customers. Further investigation reveals the logs are seeing SQL queries with $username = '1' or '1' = '1' that give results. Which of the following could prevent this query from being successful? A. Ad hoc queries B. ACLs C. Stored procedures D. Web content filtering E. DLP solution

--> C. Stored procedures

Q5. An online gaming company receives two DoS attacks per year. Losses are estimated to be $200,000 per incident. Executives have decided to invest $75,000 annually in performance and security services, which reduced the annual loss by 30 percent. Which of the following is the return on investment? A. $45,000 B. $75,000 C. $120,000 D. $280,000

--> A. $45,000

XX Q47. XX A penetration tester exploits a bug in the web services of a UNIX server as part of a penetration test. The penetration tester is dropped to the following prompt: nobody@server$ After executing a local command in the /var/www directory while trying to exploit the database, the prompt changes to: Which of the following attacks was successfully utilized? A. SQL injection B. Privilege escalation C. Directory traversal D. Session hijacking

--> B. Privilege escalation

Q20. A new system that will share sensitive information is in the process of being implemented. Two users have shared ownership of the sensitive data stored within the system and they are performing separate data classification exercises. Joe's data classification matrix is shown below:

RECORD TYPE          CONFIDENTIALITY   INTEGRITY   AVAILABILITY
User health record   HIGH              HIGH        MEDIUM
User address         HIGH              MEDIUM      LOW

Ann's data classification matrix is also shown below:

RECORD TYPE          CONFIDENTIALITY   INTEGRITY   AVAILABILITY
User department      LOW               LOW         LOW
User budget          MEDIUM            HIGH        MEDIUM
User's supervisor    LOW               LOW         LOW

Given the above information, which of the following is the appropriate individual sensitivity level with respect to CIA and aggregate CIA score which will be applied to the system storing such data? A. Confidentiality=HIGH, Integrity=HIGH, Availability=MEDIUM, Aggregate=HIGH B. Confidentiality=HIGH, Integrity=HIGH, Availability=LOW, Aggregate=HIGH C. Confidentiality=HIGH, Integrity=MEDIUM, Availability=MEDIUM, Aggregate=MEDIUM D. Confidentiality=HIGH, Integrity=MEDIUM, Availability=LOW, Aggregate=MEDIUM

--> A. Confidentiality=HIGH, Integrity=HIGH, Availability=MEDIUM, Aggregate=HIGH

Q34. While analyzing network traffic, a security engineer discovers that confidential emails were passing between two users who should not have had this information. The two users deny sending confidential emails to each other. Which of the following security practices would allow for non-repudiation and prevent the users from removing emails such as these from their accounts? (Select TWO). A. Digital Signature B. TSIG code signing C. Legal hold D. Authentication hashing E. Transport encryption

--> A. Digital Signature, C. Legal hold

Q15. The company's communications department is taking photos of employees at multiple locations to showcase the corporate culture. Some of the pictures include datacenter facilities. Which of the following sensitive information should be removed prior to the posting pictures? (Select TWO). A. Employee badges B. Geotags C. Company logos D. Watermarking E. Timestamp

--> A. Employee badges, B. Geotags

Q60. The Human Resources administrator has initiated a forensics investigation about a user who was recently terminated. The subsequent forensics investigation found that the terminated user had downloaded a series of files that contained sensitive information about current employees. That file had been overwritten with a file of the same size and name of the original file. This security incident could have been prevented with a combination of which of the following security controls? (Select TWO). A. FIM B. HIDS C. HIPS D. AV E. DLP F. Anti-spam

--> A. FIM, E. DLP

Q67. A penetration tester is able to obtain the /etc/shadow file from an important Linux server. The penetration tester considers many different password cracking tools and techniques to use on the file before deciding to try a rainbow tables attack. Which of the following BEST describes the results the penetration tester might see using this type of attack? A. Hashed passwords on a Linux system are salted, which makes precomputed rainbow tables attack ineffective. B. Modern Linux systems use the crypt() function on passwords, which is not compatible with rainbow tables. C. To be most effective, the penetration tester should use rainbow tables generated for Linux hashes, not LAN manager hashes. D. If the penetration tester can reduce the key space in use, rainbow tables will be very effective.

--> A. Hashed passwords on a Linux system are salted, which makes precomputed rainbow tables attack ineffective.

Q6. A company is evaluating an investment of $1.5 million in IT infrastructure upgrades. The upgrades will take three years to be fully implemented but will be 80% implemented within 60 days. The remaining upgrades will be completed on an evenly distributed schedule. The board of directors is only willing to make the infrastructure investment if the cost of the upgrades can be recouped within 12 months. It is estimated that for every 10% of the infrastructure that is upgraded, an additional $200,000 in profit will be realized. Which of the following describes the length of time it will take for the investment to be fully paid for? A. Less than two months B. Between two and three months C. Between nine and 12 months D. After 12 months

--> A. Less than two months

Q71. An organization has identified a compromised workstation on its network. The organization wants to learn as much as it can about the attack behavior while minimizing impact to the business. Which of the following is the organization's BEST course of action? A. Logically move the infected system to an isolated network that still allows outbound connections, create an image of the system's memory, and capture and inspect all network traffic. B. Remove the system from the network and create an image of the system's memory. Perform antivirus and anti-malware scans against the system to identify the infection. C. Power off the system, collect an image of the system's memory, capture and inspect inbound network traffic, and conduct a thorough forensics analysis of the hard disk. D. Unplug the system's physical network connection and move it to an isolated network that still allows it to make outbound connections. Perform antivirus and anti-malware scans against the system to identify the infection.

--> A. Logically move the infected system to an isolated network that still allows outbound connections, create an image of the system's memory, and capture and inspect all network traffic.

Q46. A security administrator is reviewing the company RA to ensure all required components are being addressed. Which of the following are required components of an RA that are used by the business to evaluate the plan for continued service? (Select THREE). A. Loss expectancy B. Threat factor identification C. Data ownership identification D. Mean time between failures E. Threat occurrence F. Recovery time objective

--> A. Loss expectancy, B. Threat factor identification, D. Mean time between failures

Q66. The Chief Information Security Officer (CISO) for a passenger airline is responding to a cybersecurity risk assessment for an aircraft mission system. One of the many findings showed the aircraft's mission computer performs automatic flight control, and attackers can impact the integrity of this localization technology to cause loss of life and property. Insufficient data is available to determine the probability of occurrence, but the assessment revealed the attack could be easily executed within the aircraft's line of sight. The vulnerabilities enabling the attack can be corrected, but the fix requires all aircraft to be returned to depot for major component upgrades by the manufacturer. Given this scenario, which of the following BEST represents an appropriate response strategy? A. Mitigate the risk by returning all aircraft to the manufacturer depot for appropriate fixes B. Transfer the risk by purchasing the appropriate levels of insurance C. Adopt a risk avoidance strategy by replacing the impacted aircraft D. Accept the risk since this type of attack has never been demonstrated

--> A. Mitigate the risk by returning all aircraft to the manufacturer depot for appropriate fixes

Q53. A security engineer is analyzing security differences between commercial products. The engineer is implementing one-time password authentication schemes that are based on software or hardware tokens where the secret key is shared between the server and the token. Which of the following BEST describes the main design differences? A. On a hardware token device, the secret key is not transferred during the authentication process so it only needs to be secured at rest B. Software token devices must implement encryption techniques to emulate an equivalent security level as hardware tokens C. On both token devices, the secret key must be transferred for provisioning, putting it at risk for replay attacks D. The secret key on both token devices must be transferred for token provisioning using asymmetric cryptography

--> A. On a hardware token device, the secret key is not transferred during the authentication process so it only needs to be secured at rest

Q37. The network administrator at an enterprise reported a large data leak. One compromised server was used to aggregate data from several critical application servers and send it out to the Internet using HTTPS. Upon investigation, there have been no user logins over the previous week and the endpoint protection software is not reporting any issues. Which of the following BEST provides insight into where the compromised server collected the information? A. Review the flow data against each server's baseline communications profile B. Configure data loss prevention logs for anomalous communications from the server C. Correlate data loss prevention logs for anomalous communications from the server D. Set up a packet capture on the firewall to collect all of the server communications

--> A. Review the flow data against each server's baseline communications profile

Q1. Which of the following encryption methodologies should be implemented in an environment where all users need access to bulk storage, but not all users have authorized access to each individual database entry? A. Row-level encryption B. Block-level encryption C. File-level encryption D. Table-level encryption E. Full disk encryption

--> A. Row-level encryption - Row-Level Security enables customers to control access to rows in a database table based on the characteristics of the user executing a query (for example, group membership or execution context). Row-Level Security (RLS) simplifies the design and coding of security in your application. - Block-based encryption systems operate below the file system level, encrypting one disk block at a time. This is advantageous because they do not require knowledge of the file system that resides on top of them, and can even be used for swap partitions or applications that require access to raw partitions (such as database servers). Also, they do not reveal information about individual files (such as sizes and owners) or directory structure, e.g. BestCrypt (loopback driver). Stackable file systems are a compromise between kernel-level disk-based file systems and loopback network file systems.

Q59. In reviewing the budget proposal by the Chief Information Officer (CIO), the Chief Financial Officer (CFO) finds a significant portion of the budget is allocated for upgrades to unsupported hardware and software, which are long past their end-of-life. The CFO sees the year-to-year fluctuation as a problem. From the CFO's perspective, which of the following BEST describes the CIO's budgetary obstacle? A. The CIO should consider vendor-hosted services rather than simply replacing systems B. The CIO should have planned for a slower deployment of replacement hardware and software C. The CIO has not clearly articulated the current budget's return on investment D. The CIO did not adequately plan for the total cost of ownership in past budgets

--> A. The CIO should consider vendor-hosted services rather than simply replacing systems

Q56. While diagnosing a multipath problem with a SAN, the administrator notices Fibre Channel logins on the SAN from an unknown host with a WWN 00:50:78:3f:ab:3c:15:9e. Since the host is not defined, the storage system has named it Host_0050783fab3c169e. Which of the following is the MOST likely cause of the issue? A. The host is zoned incorrectly. B. The switch has the incorrect domain C. The host HBA is connected to two switches D. The iSCSI initiator on the host is incorrect

--> A. The host is zoned incorrectly.

Q36. A security administrator has uncovered an unknown executable file named UNKOWNFILE.EXE on the company's web server. Although the executable is not triggering the host-based antivirus system, it appears it has been loaded into memory and initiated a TCP connection with a remote host. The security administrator uploads the file to a cloud-based antivirus system and reviews the following information:

SAMPLE FILE       RESULTS          SIMILARITY SCORE (%)
UNKOWNFILE.EXE    TROJ.GEN.39133   90%

Which of the following findings should the security administrator include in the web server security report based on the above information? (Select TWO). A. The sample binary code is a variant of TROJ.GEN.39133 B. The cloud-based antivirus system found 90 similar pieces of malware C. Fuzzy hashing analysis was used to determine if the sample was malware D. TROJ.GEN.39133 was found loaded in web server memory E. UNKNOWNFILE.EXE uses HTTPS to connect to 90 hardcoded remote hosts

--> A. The sample binary code is a variant of TROJ.GEN.39133, C. Fuzzy hashing analysis was used to determine if the sample was malware

XX Q48. XX A security administrator receives an advisory from the video conference vendor. The advisory states that if not secured, video streams are susceptible to a session hijacking attack that would allow the video stream to be intercepted and recorded for later playback. In attempting to test this attack on the corporate network, the administrator receives the following output from a video stream: Which of the following can the security administrator conclude from the network trace? A. The video stream is secured with IPSec and is not vulnerable to the vulnerability in this advisory B. The video stream is using PPTP connection and is vulnerable to an MS-CHAPv2 authentication attack C. The video stream is using AH-ESP tunnel through GRE and is not susceptible to the vulnerability in the advisory D. The video stream is secured with IPv6 6-to-4 tunnel and is not susceptible to the vulnerability in the advisory

--> A. The video stream is secured with IPSec and is not vulnerable to the vulnerability in this advisory

Q22. A company has reported several web applications are experiencing errors related to unsecure certificates from the web browser. A security consultant discovers Internet-facing web servers, as well as intranet and internal servers, are configured with 1024-bit key lengths. Which of the following will resolve the web browser errors? A. The local workstations key store will need to be cleared B. New certificates will need to be issued to support 2048-bit RSA key lengths C. Internet-facing web applications must be configured to work with 2048-bit RSA key lengths D. Browsers will need to be updated with new trusted root authorities

--> B. New certificates will need to be issued to support 2048-bit RSA key lengths

Q33. The sales staff wants to use a cloud-based customer relationship management (CRM) solution. Customer databases are highly prized and a closely guarded secret. The information security group is raising concerns about data privacy while reviewing the cloud CRM solution. The following are critical needs of the sales department:
- Lightweight user interfaces for interaction with CRM
- Minimal learning curves for staff
- Consolidated software updates and feature rollouts
- Accessible from anywhere
To mitigate information security concerns, the following need to be in place:
- Strong authentication
- Encrypted data transfer to/from CRM
- Not publicly accessible
Which of the following BEST meets the identified needs? A. Use a SaaS CRM solution hosted in a local datacenter, accessed via a HTTPS-enabled interface B. Locally deploy an extranet running CRM that is accessible via SSL VPN with token-based authentication C. Develop an in-house solution built on a distributed PaaS that requires token-based authentication via a TLS interface D. Develop an in-house client-server application behind a secondary firewall with a complex password policy

--> A. Use a SaaS CRM solution hosted in a local datacenter, accessed via a HTTPS-enabled interface

Q40. The lead software developer wishes to distribute a company's application along with MD5 hashes of the files. The security administrator argues that this method of distribution is not sufficient, and the software should be digitally signed. Which of the following further explains the security administrator's argument? A. While the MD5 hash ensures the integrity of the files, it does not ensure authentication or non-repudiation. B. While the MD5 hash ensures the authentication of the files, it does not ensure integrity or non-repudiation. C. While the MD5 hash ensures integrity and authentication, it does not ensure non-repudiation. D. While the MD5 hash ensures integrity and non-repudiation, it does not ensure authentication. E. While the MD5 hash ensures non-repudiation and authentication, it does not ensure integrity.

--> A. While the MD5 hash ensures the integrity of the files, it does not ensure authentication or non-repudiation.

Q49. The increased usage of BYOD policies has introduced a shifting risk environment for corporate IT security staff due to the now-porous nature of the network boundary and devices comprising the network. This risk is often accepted or mitigated due to: A. user demand for faster technology deployments than those traditionally supported in a corporate environment. B. the increasingly complex nature of boundary security devices and the frequent updates required to maintain them. C. requirements from users for social media and other networking software for work use. D. management's desire to lower sunk costs of technology that must be replaced every few years with faster models.

--> A. user demand for faster technology deployments than those traditionally supported in a corporate environment.

Q2. A security bulletin describes a vulnerability in a common blogging platform due to XML HTTP Request (XHR) processing of state information. Which of the following technologies would this be a part of? A. JavaScript B. CSS C. AJAX D. XML DOM

--> B. CSS

Q70. A company is trying to decide how to manage hosts in a branch location connected via a slow WAN link. The company desires to provide the same level of performance and functionality to the branch office as it provides to the main campus. The company uses Active Directory for its directory service and host configuration management. The branch location does not have a datacenter, and the physical security posture of the building is weak. Which of the following designs is MOST appropriate for this scenario? A. Deploy a branch location Read-Only Domain Controller in the DMZ at the main campus with a two-way trust. B. Deploy a corporate Read-Only Domain Controller to the branch location. C. Deploy a corporate Domain Controller in the DMZ at the main campus. D. Deploy a branch location Read-Only Domain Controller to the branch office location with a one-way trust. E. Deploy a corporate Domain Controller to the branch location. F. Deploy a branch location Domain Controller to the branch location with a one-way trust.

--> B. Deploy a corporate Read-Only Domain Controller to the branch location.

Q28. A hacker wants to target a local electronics distributor. The hacker goes to the distributor's website and displays the HTML code on the current page. Within the HTML, the hacker finds a snapshot of the code:

<FORM ACTION="http://localelectronicsdistributor.com/cgi-bin/order.pl" method="post">
<input type=hidden name="price" value="999.99">
<input type=hidden name="prd_id" value="X190">
QUANTITY: <input type=text name="quant" size=3 maxlength=3 value=1>
</FORM>

The hacker recognizes the vulnerability and modifies the line of HTML code to read:

<input type=hidden name="price" value="1.99">

Which of the following vulnerabilities has the hacker taken advantage of? A. Click-jacking B. Field manipulation C. Cross-site request forgery D. Input validation E. SQL injection

--> B. Field manipulation

Q57. During a penetration test, it is requested that the tester perform client-side testing of a web application that is only available internally. This web application has no SSL and is available for all employees to use. The goal of the client-side test is to evaluate the server-side validation of all inputs going into the web application that is available on the network. Which of the following is the BEST tool to use in this scenario? A. Port scanner B. HTTP interceptor C. Vulnerability scanner D. Password cracker

--> B. HTTP interceptor

Q72. The SOC has received several reports about the organization's financial site. The reports state the site has been shutting down for no apparent reason. The security analyst has attempted to troubleshoot the issue and found the following code after performing an internal web application assessment:

Username: aaaaaaaaaaaaaa '
Password: '; exec xp_cmdshell 'shutdown' --

Which of the following is the vulnerability and what is the appropriate security control to mitigate this? (Select TWO). A. Script verification B. Input validation C. Cross-site scripting D. Code verification E. Cross-site request forgery F. SQL injection G. Click-jacking

--> B. Input validation, F. SQL injection

Q25. A security administrator has discovered a user may be sending sensitive data communications to external parties. Law enforcement is not ready to prosecute the case against the user but has asked the administrator to protect any current and future evidence that may assist in the case. The user must be allowed to continue working until a change is formally issued. Which of the following should the administrator implement to meet these requirements? A. COOP B. Legal hold C. Data recovery D. Chain of custody E. Data retention

--> B. Legal hold

Q69. A security engineer is faced with competing requirements from the networking group and database administrators. The database administrators would like ten application servers on the same subnet for ease of administration, whereas the networking group would like to segment all applications from one another. Which of the following should the security administrator do to rectify this issue? A. Recommend performing a security assessment on each application, and only segment the applications with the most vulnerability. B. Recommend classifying each application into like security groups and segmenting the groups from one another. C. Recommend segmenting each application, as it is the most secure approach. D. Recommend that only applications with minimal security features should be segmented to protect them.

--> B. Recommend classifying each application into like security groups and segmenting the groups from one another.

Q65. Company A had an existing nightly batch transfer of data. This process was based on AES-256 Zip encryption of multiple files from the staging directory of Company B's SFTP server. Company B is now required to send files to Company A in real time. This new data transfer must be encrypted, may contain PII, and must implement integrity checking. Which of the following modifications will meet these requirements? A. Reduce the key size to increase performance B. Replace AES-256 Zip with SSH C. Install a VPN between the companies D. Update processes to be automated E. Introduce message integrity checking

--> B. Replace AES-256 Zip with SSH

Q21. A security architect is designing a series of technical protect, detect, and respond security capabilities with significant automation potential. One of the objectives is to ensure tools from various vendors can be implemented and support standardized data exchange. The architect would like to initially select a solution that supports automated configuration checklists. Which of the following solutions should be selected? A. CVS B. SCAP C. SAML D. OCSP

--> B. SCAP

Q32. A new application written in C++ has been completed in the development environment and has been promoted into the testing environment. To test this application from a security perspective, which of the following activities should occur? A. SSL encryption testing B. Static code scan C. Code object reusability D. Web application testing

--> B. Static code scan

Q9. A vulnerability scanner report shows that a client-server host monitoring solution operating in the credit card corporate environment is managing SSL sessions with a weak algorithm which does not meet corporate policy. Which of the following are true statements? (Select TWO). A. The X509 V3 certificate was issued by a non-trusted public CA. B. The client-server handshake could not negotiate strong ciphers. C. The client-server handshake is configured with a wrong priority. D. The client-server handshake is based on TLS authentication. E. The X509 V3 certificate is expired. F. The client-server implements client-server mutual authentication with different certificates.

--> B. The client-server handshake could not negotiate strong ciphers, C. The client-server handshake is configured with a wrong priority.

Q24. A security architect receives a 42-page document of project specifications from the lead developer. According to corporate policy, the message is sent using the PKI system. While the architect is able to read the document, the digital signature has failed validation. The architect calls the developer to see if the document can be sent again. The developer says this happens all the time and the document is probably fine. Which of the following should the architect be concerned about? A. The integrity of the document is maintained, and the confidentiality of the document and non-repudiation of the recipient are lost. B. The integrity of the document and non-repudiation of the sender are lost without a valid digital signature. C. The root of trust has been broken and the CA has been compromised. D. The integrity of the document is maintained, and the digital signature hash algorithm is susceptible to collisions.

--> B. The integrity of the document and non-repudiation of the sender are lost without a valid digital signature.

Q43. After recently failing a security audit, a company has been tasked with making sure that all sources of logs are being analyzed by SIEM for event correlation. The Chief Security Officer (CSO) has tasked the security architect with discovery of all sources of logs within the company, and solutions for how to get logs to the SIEM. Given the task, which of the following would have to occur FIRST in order to get started? A. Enumerate the network and find all sources of traffic B. Validate the source types that SIEM can handle C. Meet with database administrators for flat file logging D. Meet with the Chief Financial Officer (CFO) for funding

--> B. Validate the source types that SIEM can handle

Q54. A company recently hired a risk and vulnerability assessment team to assess the IT infrastructure. The team will be conducting several engagements required by the company's statement of work. The team has the following requirements:
1. Analyze for known open ports that are used during exploitation
2. Leverage public data to discover sensitive information
3. Detect external vulnerabilities
4. Determine missing patches
5. Avoid disruption to running services
6. Use automated tools where possible to contain costs
Which of the following tools are BEST to use to perform the above tasks? (Select THREE). A. OS scanner B. Vulnerability scanner C. Port scanner D. Malware scanner E. Protocol analyzer F. Fuzzer G. Whoami H. Whois I. HTTP interceptor

--> B. Vulnerability scanner, C. Port scanner, H. Whois

Q51. A Chief Security Officer (CSO) wants to test the company network for vulnerabilities. The test must be performed in the shortest amount of time with provable results and include unannounced testing of incident response procedures. Which of the following testing methodologies should be used? A. Social engineering B. White box C. Black box D. Fingerprinting E. Gray box

--> B. White box

Q50. A penetration tester has been contracted by a company to conduct brute force attempts against SSH that is available to the Internet. The penetration tester must show the commands and tools used. Given the conditions, which of the following would MOST likely be the command used to brute force SSH? A. "nmap -S 1.1.1.1 -p 22" B. "pwdump -u admin -p password -s SSH" C. "hydra -L users.txt -P passwords.txt 1.1.1.1 ssh" D. "john --format=NTLM passwords.txt > sshpass.txt"

--> C. "hydra -L users.txt -P passwords.txt 1.1.1.1 ssh"

Q16. A company is seeking to reduce communications costs by implementing BYOD. The security administrator is concerned that the existing security acceptable use policies will be ignored or ineffective on users' personal devices. Corporate data on the personal devices must be protected from theft and should only be accessible through certain applications. The BYOD policy, however, allows users to still utilize devices for personal pictures, videos, or games. Which of the following should the security administrator implement to meet the security goals as well as the BYOD policy? A. An application whitelist B. A standard device deployment template C. A managed sandbox D. A compliance auditing agent

--> C. A managed sandbox

Q39. An organization is in the process of reviewing its DRP to ensure that critical systems are identified and to determine the maximum amount of time those systems can be down. Which of the following will the business need to perform? A. Security controls assessment B. Disaster recovery exercise C. Business impact analysis D. Continuity of operations plan

--> C. Business impact analysis

Q58. An organization recently upgraded its wireless infrastructure to support 802.1x and requires all clients to use this method. After the upgrade, several critical wireless clients fail to connect because they are only pre-shared key compliant. For the foreseeable future, none of the affected clients have an upgrade path to put them in compliance with the 802.1x requirement. Which of the following provides the MOST secure method of integrating the non-compliant clients into the network? A. Create a separate SSID and require the use of dynamic encryption keys B. Create a separate SSID with a pre-shared key to support the legacy clients and rotate the key at random intervals C. Create a separate SSID and pre-shared WPA2 key on a new network segment and only allow required communications paths D. Create a separate SSID and require the legacy clients to connect to the wireless network using certificate based 802.1x

--> C. Create a separate SSID and pre-shared WPA2 key on a new network segment and only allow required communications paths

Q63. A system administrator notices a large amount of data being transmitted from an internal resource to an unidentified external IP. After performing a traffic capture of the outgoing packets, it was determined that a Diffie-Hellman key exchange is occurring. Which of the following would be needed to perform an impact analysis? A. Destination IP B. Firewall logs C. Data content D. User access audit

--> C. Data content

Q38. A company has recently discovered the integrity of its data was compromised 7 days ago. The logs indicate the changes were occurring from an account with privileged access. Further analysis has determined the account is associated with a former employee who left 4 weeks ago. Which of the following could have prevented this compromise? A. SIEM tool B. Two-factor authentication C. Deprovisioning process D. Periodic user account review

--> C. Deprovisioning process

Q18. Routine review of new releases of content for specifications defined within SCAP can assist organizations in gathering and applying intelligence on which of the following types of information? (Select TWO). A. OS configurations B. Change management database C. Emerging attacks D. Malware attributes E. Software vulnerabilities F. Hardware specifications

--> C. Emerging attacks, E. Software vulnerabilities

Q10. A security manager has received the following email from the disaster recovery project manager: During part of the recent COOP exercise, I determined that we do not have sufficient network performance at our hot site to support production-level operations. We found that if we scaled down the sensitivity on the WAF, we achieved the requisite level of performance required to support the productivity needs of the organization. Based on the information provided, which of the following would be the MOST appropriate response to this inquiry from the project manager? A. As long as the WAF settings are scaled back at the primary site, the same can be done at the hot site. B. Leave the WAF settings the same and consider a bandwidth upgrade at the hot site. C. If the current configuration at the primary site is working correctly, there may be other issues at the hot site. D. Bypass the web application firewall when performing future COOP exercises.

--> C. If the current configuration at the primary site is working correctly, there may be other issues at the hot site.

Q30. During an audit of firewall rules, an auditor noted that there was no way to find out who had allowed port 3389 to be available to the Internet. The auditor gave the company a negative mark on their audit, and requested that within 30 days the company produce a written plan to deal with such items in the future. Given the scenario, which of the following will be MOST effective in securing the firewall? A. Implement an identity management system. B. Utilize PAT on the firewall for well-known ports. C. Implement a detailed change management system. D. Implement role-based access control on the firewall.

--> C. Implement a detailed change management system.

Q41. A network engineer wants to deploy user-based authentication across the company's wired and wireless infrastructure at layer 2 of the OSI model. Company policies require that users be centrally managed and authenticated and that each user's network access be controlled based on the user's role within the company. Additionally, the central authentication system must support hierarchical trust and the ability to natively authenticate mobile devices and workstations. Which of the following are needed to implement these requirements? (Select TWO). A. SAML B. WAYF C. LDAP D. RADIUS E. Shibboleth F. PKI

--> C. LDAP, D. RADIUS

Q8. A company is deploying smartphones for the mobile workforce. The devices will be used for personal and business use, but are owned by the organization. Sales personnel will save new customer data via a custom application developed by the company. This information will integrate with the phones' contact information application storage and populate new records into it. The custom application's data is encrypted at rest and the connection to the back office is considered secure. The Chief Information Security Officer (CISO) has concerns that the customer contact information might accidentally leak due to the devices' limited security capabilities and controls planned. What is the MOST effective security control to implement to lower the risk? A. Implement a mobile data loss agent on the devices to prevent any user manipulation with the contact information B. Restrict screen capture features on the device when using the custom application and the contact information C. Restrict contact information storage dataflow so that it is only shared with the custom application D. Require complex passwords for authentication when accessing the contact information

--> C. Restrict contact information storage dataflow so that it is only shared with the custom application

Q31. A security administrator must ensure two-factor authentication is enforced when system administrators log in via SSH to sensitive systems. The company already implements certificate-based authentication on sensitive systems, but a recent audit uncovered that some systems can be logged on to without the second factor. Which of the following has the security administrator overlooked when implementing certificate-based authentication? A. The system administrator is not enforcing password-based system-level authentication. B. Sensitive systems are not enforcing key encryption when the key is stored on the system C. System administrators have the ability to issue self-signed certificates to themselves D. The security administrator has mistakenly signed the private key with the wrong CA

--> C. System administrators have the ability to issue self-signed certificates to themselves

Q29. A security architect is evaluating new UTM appliances for a large streaming video provider company. The field of potential devices has been narrowed to the three leading products based on a market survey where the main criterion was the total number of endpoints protected. During evaluation of the three UTMs, each was further tested for throughput under normal conditions and attack conditions, amount of latency between attacks, and administrative usability (scored from 1 to 5 with 5 being perfect usability). The results of the testing are shown in the table below:

    UTM                    1         2         3
    Normal throughput      1Gbps     5Gbps     1Gbps
    Attacked throughput    .1Gbps    1Gbps     .5Gbps
    Latency                50ms      60ms      150ms
    Usability              4         2         3

Which of the following three UTMs should be recommended and why? A. UTM 1 because it has the highest usability score B. UTM 1 because it has the lowest reporting latency C. UTM 2 because it has the highest throughput in both conditions D. UTM 3 because it has the lowest differential between throughput volumes

--> C. UTM 2 because it has the highest throughput in both conditions

Q68. An OLA relates to an SLA in that it: A. codifies the metrics used to determine the company's effectiveness of meeting SLA-defined uptime objectives B. documents employee staffing and renouncing requirements to deliver the SLA C. determines internal organizational relationships and requirements to execute the SLA D. supports the SLA by describing third-party company coordination

--> C. determines internal organizational relationships and requirements to execute the SLA

Q62. The incident response team has completed an exercise that involved keeping the business's essential functions operational during an incident. The team has analysed strengths and weaknesses, and has compiled a document that summarizes the findings. The Chief Security Officer (CSO) approved the document and sent it to the company's president. Which of the following will the president receive from the CSO? A. BCP B. PIR C. DRP D. AAR

--> D. AAR

Q61. A company is purchasing a SaaS CRM solution. While conducting due diligence, it was identified that the SaaS provider would be hosting customers' health-identifiable information in a country that is beyond the regulators' risk appetite. The solution has the following requirements: - End users need to view all customer data in the CRM - No sensitive data is to be hosted outside the country - Performance is not a concern Which of the following controls should the security architect recommend as an option to the business owner to meet the above requirements? A. Masked sensitive fields B. Encrypted SaaS database C. Hashed sensitive fields D. Encryption gateway E. Updated privacy policy

--> D. Encryption gateway

Q14. Company A is attempting to acquire competitor Company M. Both companies are publicly traded and must adhere to merger and acquisition regulations. The two companies are currently awaiting approval from Company M's board of directors. During this decision process both companies have new products that are soon to be released. With the news of these impending events, Company A's security team is seeing an increase in whaling attacks targeting senior executives. Which of the following can be used to mitigate the risk? A. Contract a third party to provide a network vulnerability assessment B. Consolidate email systems between two companies C. Implement digital signatures for email integrity D. Follow the communications policy for acquisitions

--> D. Follow the communications policy for acquisitions (could very well be wrong)

Q4. An information systems manager has been asked to manage the consolidation of two merging companies' IT infrastructures. As part of the project the manager will need to evaluate the impact of regulatory requirements relating to storage of data in datacenters. Which of the following is a regulatory consideration the manager should evaluate? A. Encryption of data in transit B. Compatibility of datacenter providers C. Outsourcing of security operations and auditing D. Geographical location of datacenters

--> D. Geographical location of datacenters

Q45. The Chief Information Security Officer (CISO) at a large organization has been reviewing some security related incidents and comparing them to current industry trends. The desktop security engineer feels that the use of USB storage devices on office computers has contributed to the frequency of security incidents. The CISO knows the acceptable use policy prohibits the use of USB storage devices. Every user receives a pop-up warning about the policy upon login. The SIEM system produces a report of USB violations on a monthly basis, yet violations continue to occur. Which of the following preventative controls would MOST effectively mitigate the logical risks associated with the USB storage devices? A. Revise the corporate policy to include possible termination as a result of violations B. Increase the frequency and distribution of USB violations report C. Deploy PKI to add non-repudiation to login sessions so offenders cannot deny the offense D. Implement group policy objects

--> D. Implement group policy objects

Q27. During a new desktop refresh, all hosts are hardened at the OS level before deployment to comply with policy. Six months later, the company is audited for compliance to regulations. The audit discovers that 30 percent of the desktops do not meet regulations because the devices are consistently being changed to override settings that do not meet policy. Which of the following is the BEST solution to correct the issue and prevent future noncompliance? A. Use a compliance tool to identify baseline changes B. Establish a deployment plan to refresh the image every six months C. Enable OS-level auditing to notify when changes occur on devices D. Implement group policy to enforce configuration settings

--> D. Implement group policy to enforce configuration settings

Q64. A security architect wants to install a new sandboxing appliance on the network. Which of the following controls should be implemented to inspect covert and suspicious Internet traffic? A. Wire speed application awareness B. Real-time passive inspection C. Out-of-band HTTP inspection D. In-line with SSL inspection

--> D. In-line with SSL inspection

Q19. A technician is hardening a host that is going to be used as a web application server. The technician is making several registry setting changes to ensure all security events are being logged for review. Two weeks later, the technician gets a report that users are unable to log in to the web server. Analyze the following group policies set by the technician:
- Set maximum security log file size to 512KB
- Retain security logs is set to 90 days
- Retention method for security logs is set to not overwrite events
- Retain application logs is set to 14 days
- Set maximum application log size to 1024KB
- Prevent local guest group from accessing application logs is enabled
Which of the following is causing the users' inability to log in to the web server? A. Application log retention is misconfigured B. The retention period is set too long C. Access logs are world writable D. Log file size is too small

--> D. Log file size is too small

Q11. An organization is in the process of implementing a SaaS customer relationship system for its bankers. The SaaS provider supports standards-based authentication integration mechanisms. There are a number of requirements that need to be met as part of the deployment, including:
- The bankers will not need to enter a password to access the system once logged onto the network.
- The access provisioning process into the SaaS system will be part of the authentication request.
- Authorization to the system will be based on existing groups and permissions.
Which of the following MUST be implemented to meet all the above requirements? A. OAUTH1.0 provider B. OAUTH2.0 provider C. SAML2.0 provider D. OpenID provider

--> D. OpenID provider - OpenID is an open standard and decentralized authentication protocol. Promoted by the non-profit OpenID Foundation, it allows users to be authenticated by co-operating sites (known as relying parties, or RP) using a third-party service, eliminating the need for webmasters to provide their own ad hoc login systems, and allowing users to log into multiple unrelated websites without having to have a separate identity and password for each. Users create accounts by selecting an OpenID identity provider, and then use those accounts to sign onto any website that accepts OpenID authentication. Several large organizations either issue or accept OpenIDs on their websites according to the OpenID Foundation. The OpenID standard provides a framework for the communication that must take place between the identity provider and the OpenID acceptor (the "relying party"). An extension to the standard (the OpenID Attribute Exchange) facilitates the transfer of user attributes, such as name and gender, from the OpenID identity provider to the relying party (each relying party may request a different set of attributes, depending on its requirements). The OpenID protocol does not rely on a central authority to authenticate a user's identity. Moreover, neither services nor the OpenID standard may mandate a specific means by which to authenticate users, allowing for approaches ranging from the common (such as passwords) to the novel (such as smart cards or biometrics). The term OpenID may also refer to an identifier as specified in the OpenID standard; these identifiers take the form of a unique Uniform Resource Identifier (URI), and are managed by some "OpenID provider" that handles authentication. The current version of OpenID is OpenID Connect 1.0, finalized and published in February 2014, and updated with corrections in November 2014.

Q42. A public utility company has recently seen an increase in spear phishing attacks that have occurred against targeted employees. The company is relatively small and uses manual processes to monitor such attacks. The company then receives a report that the public website has been defaced with hacktivist comments. The company cannot isolate the server, as certain components are used to process payments via the public website, but quickly remediates the defacement. Which of the following MOST likely occurred in addition to the defacement? A. The SCADA network was compromised. B. The email system was compromised. C. The website was redirected to a malicious website. D. Payment card information was stolen.

--> D. Payment card information was stolen.

Q17. Security architects often have to design systems for environments where different stakeholders have competing requirements. In addition to internal influences and competitors, which of the following often has a major effect on mandatory system design features? A. Top-level management B. Investors and shareholders C. Risk assessments D. Regulatory entities

--> D. Regulatory entities

Q35. A penetration test discovers a server that is potentially vulnerable to a specific exploit. If the exploit is successful, the penetration tester would like to establish a remote administrator session to the server. The server uses a host-based firewall which blocks all incoming connections. Which of the following payloads should be delivered with the exploit to establish a remote administrator session? A. SSH server B. VNC server C. /usr/bin/bash D. Reverse TCP shell E. Keystroke logger

--> D. Reverse TCP shell

Q52. The finance department has purchased a cloud SaaS solution without consulting the IT department. As a result, the IT department has to manage the ongoing life cycle of 40,000 employees and their passwords. The department wants to remove the administration of password resets and the creation of user identities. The user experience should be like other internal applications where the authentication process is seamless after the user has logged into a desktop. Which of the following solutions should be recommended? A. A login page is presented, which makes an LDAP call back to active directory. B. OAuth is implemented with user profile information passed through. C. XACML is utilized for the provisioning of the authentication and provisioning. D. SAML is implemented with extended attributes for identity provisioning.

--> D. SAML is implemented with extended attributes for identity provisioning.

Q13. An IT security architect is defining the technology roadmap for a company. In particular, the security architect is researching and analyzing industry trends in automated transmission of security content. Which of the following would help to evaluate products in this area? A. CVE B. EAL C. OVAL D. SCAP

--> D. SCAP - The Common Vulnerabilities and Exposures (CVE) system provides a reference method for publicly known information-security vulnerabilities and exposures. The National Cybersecurity FFRDC, operated by the Mitre Corporation, maintains the system, with funding from the National Cyber Security Division of the United States Department of Homeland Security. The Security Content Automation Protocol uses CVE, and CVE IDs are listed on MITRE's system as well as in the US National Vulnerability Database. - An Evaluation Assurance Level (EAL) is a category ranking assigned to an IT product or system after a Common Criteria security evaluation. The level indicates to what extent the product or system was tested. A product or system must meet specific assurance requirements to achieve a particular EAL. Requirements involve design documentation, analysis and functional or penetration testing. The highest level provides the highest guarantee that the system's principal security features are reliably applied. - Open Vulnerability and Assessment Language (OVAL) is an international, information security, community standard to promote open and publicly available security content, and to standardize the transfer of this information across the entire spectrum of security tools and services. OVAL includes a language used to encode system details, and an assortment of content repositories held throughout the community. The language standardizes the three main steps of the assessment process: representing configuration information of systems for testing; analyzing the system for the presence of the specified machine state (vulnerability, configuration, patch state, etc.); and reporting the results of this assessment. The repositories are collections of publicly available and open content that utilize the language.
- The Security Content Automation Protocol (SCAP) is a method for using specific standards to enable the automated vulnerability management, measurement, and policy compliance evaluation of systems deployed in an organization, including e.g. FISMA compliance. The National Vulnerability Database (NVD) is the U.S. government content repository for SCAP. To guard against security threats, organizations need to continuously monitor the computer systems and applications they have deployed, incorporate security upgrades to software and deploy updates to configurations. SCAP, pronounced "ess-cap", comprises a number of open standards that are widely used to enumerate software flaws and configuration issues related to security. Applications which conduct security monitoring use the standards when measuring systems to find vulnerabilities, and offer methods to score those findings in order to evaluate the possible impact. The SCAP suite of specifications standardizes the nomenclature and formats used by these automated vulnerability management, measurement, and policy compliance products. A vendor of a computer system configuration scanner can get their product validated against SCAP, demonstrating that it will interoperate with other scanners and express the scan results in a standardized way.

Q23. After a recent breach, a company discovers a web server could not be updated due to incompatibilities with the local legacy database. The chief information officer has decided to implement a design that allows for easier updating of discrete components of the company's IT infrastructure. Which of the following principles BEST achieves the CIO's objective? (Select TWO). A. Document all configurations and store in a shared repository B. Develop communications protocols using open source tools C. Encourage use of multi-tier server architecture D. Select products developed by established companies E. Leverage protocols from RFC documents F. Ensure all servers operate in isolation from each other

--> D. Select products developed by established companies, E. Leverage protocols from RFC documents

Q26. An employee from finance was dismissed when it was discovered that the employee had been committing financial fraud for several years. The most trusted senior manager in finance has been reassigned the duty of performing wire transfers. The Chief Financial Officer (CFO) is asking the Chief Information Security Officer (CISO) to implement stronger controls to secure how the transfers are performed. Which of the following responses should the CISO deliver? A. Deploy a standalone workstation for performing wire transfers. Isolate it on a secure network. Monitor the network. B. Recommend using the bank's more secure wire transfer service where keys are exchanged and all transfer files are digitally signed and verified. C. Implement DLP at the gateway, and implement two-factor authentication on the workstation where the transactions are performed. D. Suggest detective controls and separation of duties and explain why they may be more effective mitigation strategies.

--> D. Suggest detective controls and separation of duties and explain why they may be more effective mitigation strategies.

Q44. The administrator is attempting to secure an iSCSI-based storage array that uses deduplication. The administrator captures several datastreams between the storage array and the users' PCs to determine if confidential data can be collected. Which of the following would MOST likely result from the administrator's packet captures? A. The capture is insecure, as iSCSI traffic can be reassembled into the files or storage blocks that are transmitted B. The capture is secure, as iSCSI uses block-level data transfers which cannot be assembled C. The capture is secure, as the SAN's deduplication feature obfuscates the data until it is assembled at the client D. The capture is insecure, as it can be reassembled, but to use the data the administrator would need to know the deduplication method

--> D. The capture is insecure, as it can be reassembled, but to use the data the administrator would need to know the deduplication method

Q55. A university has experienced an unusually high number of cyberbullying incidents, which are occurring through a new mobile social application. The mobile application provides a venue for users to publish temporary anonymous messages to a public bulletin board. Students who live in the residence halls, which are located on the southeast side of the campus, are being targeted by other students who live in the same residence halls. The security administrator, whose office is located on the northwest side of the campus, is unable to verify the cyberbullying claims while reviewing the content of the public bulletin board. Which of the following should the security administrator do to validate the cyberbullying claims? A. The security administrator should review the bulletin board while in the same residence hall room as the targeted students B. The security administrator should implement a MDM solution to scan all students' mobile devices for signs of malware C. The security administrator should use mobile location services to identify the source IP address of the cyberbullying D. The security administrator should post messages to the bulletin boards from a university-provided phone and wait for a reply

--> D. The security administrator should post messages to the bulletin boards from a university-provided phone and wait for a reply