CASP - V14.35 & V14.75


A company wants to confirm sufficient executable space protection is in place for scenarios in which malware may be attempting buffer overflow attacks. Which of the following should the security engineer check? A. NX/XN B. ASLR C. strcpy D. ECC

ASLR

A cybersecurity analyst has received an alert that well-known "call home" messages are continuously observed by network sensors at the network boundary. The proxy firewall successfully drops the messages. After determining the alert was a true positive, which of the following represents the MOST likely cause? A. Attackers are running reconnaissance on company resources. B. An outside command and control system is attempting to reach an infected system. C. An insider is trying to exfiltrate information to a remote network. D. Malware is running on a company system.

An outside command and control system is attempting to reach an infected system.

A security engineer is working with a software development team. The engineer is tasked with ensuring all security requirements are adhered to by the developers. Which of the following BEST describes the contents of the supporting document the engineer is creating? A. A series of ad-hoc tests that each verify security control functionality of the entire system at once. B. A series of discrete tasks that, when viewed in total, can be used to verify and document each individual constraint from the SRTM. C. A set of formal methods that apply to one or more of the programming languages used on the development project. D. A methodology to verify each security control in each unit of developed code prior to committing the code.

A methodology to verify each security control in each unit of developed code prior to committing the code.

A security incident responder discovers an attacker has gained access to a network and has overwritten key system files with backdoor software. The server was reimaged and patched offline. Which of the following tools should be implemented to detect similar attacks? A. Vulnerability scanner B. TPM C. Host-based firewall D. File integrity monitor E. NIPS

- Host-based firewall
- File integrity monitor

An attacker attempts to create a DoS event against the VoIP system of a company. The attacker uses a tool to flood the network with a large volume of SIP INVITE traffic. Which of the following would be LEAST likely to thwart such an attack? A. Install IDS/IPS systems on the network B. Force all SIP communication to be encrypted C. Create separate VLANs for voice and data traffic D. Implement QoS parameters on the switches

Implement QoS parameters on the switches

During a routine network scan, a security administrator discovered an unidentified service running on a new embedded and unmanaged HVAC controller, which is used to monitor the company's datacenter:
Port state
161/UDP open
162/UDP open
163/TCP open
The enterprise monitoring service requires SNMP and SNMPTRAP connectivity to operate. Which of the following should the security administrator implement to harden the system? A. Patch and restart the unknown services. B. Segment and firewall the controller's network. C. Disable the unidentified service on the controller. D. Implement SNMPv3 to secure communication. E. Disable TCP/UDP ports 161 through 163.

Implement SNMPv3 to secure communication.

An organization, which handles large volumes of PII, allows mobile devices that can process, store, and transmit PII and other sensitive data to be issued to employees. Security assessors can demonstrate recovery and decryption of remnant sensitive data from device storage after MDM issues a successful wipe command. Assuming availability of the controls, which of the following would BEST protect against the loss of sensitive data in the future? A. Implement a container that wraps PII data and stores keying material directly in the container's encrypted application space. B. Use encryption keys for sensitive data stored in an eFuse-backed memory space that is blown during remote wipe. C. Issue devices that employ a stronger algorithm for the authentication of sensitive data stored on them. D. Procure devices that remove the bootloader binaries upon receipt of an MDM-issued remote wipe command.

Implement a container that wraps PII data and stores keying material directly in the container's encrypted application space.

The Chief Information Security Officer (CISO) at a large organization has been reviewing some security-related incidents at the organization and comparing them to current industry trends. The desktop security engineer feels that the use of USB storage devices on office computers has contributed to the frequency of security incidents. The CISO knows the acceptable use policy prohibits the use of USB storage devices. Every user receives a popup warning about this policy upon login. The SIEM system produces a report of USB violations on a monthly basis; yet violations continue to occur. Which of the following preventative controls would MOST effectively mitigate the logical risks associated with the use of USB storage devices? A. Revise the corporate policy to include possible termination as a result of violations B. Increase the frequency and distribution of the USB violations report C. Deploy PKI to add non-repudiation to login sessions so offenders cannot deny the offense D. Implement group policy objects

Implement group policy objects

An enterprise must ensure that all devices that connect to its networks have been previously approved. The solution must support dual-factor mutual authentication with strong identity assurance. In order to reduce costs and administrative overhead, the security architect wants to outsource identity proofing and second-factor digital delivery to a third party. Which of the following solutions will address the enterprise requirements? A. Implementing federated network access with the third party. B. Using an HSM at the network perimeter to handle network device access. C. Using a VPN concentrator which supports dual factor via hardware tokens. D. Implementing 802.1x with EAP-TTLS across the infrastructure.

Implementing 802.1x with EAP-TTLS across the infrastructure.

An organization just merged with an organization in another legal jurisdiction and must improve its network security posture in ways that do not require additional resources to implement data isolation. One recommendation is to block communication between endpoint PCs. Which of the following would be the BEST solution?

Implementing network segmentation

The Chief Executive Officer (CEO) of a large prestigious enterprise has decided to reduce business costs by outsourcing to a third party company in another country. Functions to be outsourced include: business analysts, testing, software development and back office functions that deal with the processing of customer data. The Chief Risk Officer (CRO) is concerned about the outsourcing plans. Which of the following risks are MOST likely to occur if adequate controls are not implemented?

Improper handling of customer data, loss of intellectual property and reputation damage

An SQL database is no longer accessible online due to a recent security breach. An investigation reveals that unauthorized access to the database was possible due to an SQL injection vulnerability. To prevent this type of breach in the future, which of the following security controls should be put in place before bringing the database back online? (Choose two.) A. Secure storage policies B. Browser security updates C. Input validation D. Web application firewall E. Secure coding standards F. Database activity monitoring

Input validation Database activity monitoring

A company monitors the performance of all web servers using WMI. A network administrator informs the security engineer that web servers hosting the company's client-facing portal are running slowly today. After some investigation, the security engineer notices a large number of attempts at enumerating host information via SNMP from multiple IP addresses. Which of the following would be the BEST technique for the security engineer to employ in an attempt to prevent reconnaissance activity? A. Install a HIPS on the web servers B. Disable inbound traffic from offending sources C. Disable SNMP on the web servers D. Install anti-DDoS protection in the DMZ

Install a HIPS on the web servers

A user asks a security practitioner for recommendations on securing a home network. The user recently purchased a connected home assistant and multiple IoT devices in an effort to automate the home. Some of the IoT devices are wearables, and others are installed in the user's automobiles. The current home network is configured as a single flat network behind an ISP-supplied router. The router has a single IP address, and the router performs NAT on incoming traffic to route it to individual devices. Which of the following security controls would address the user's privacy concerns and provide the BEST level of security for the home network? A. Ensure all IoT devices are configured in a geofencing mode so the devices do not work when removed from the home network. Disable the home assistant unless actively using it, and segment the network so each IoT device has its own segment. B. Install a firewall capable of cryptographically separating network traffic, require strong authentication to access all IoT devices, and restrict network access for the home assistant based on time-of-day restrictions. C. Segment the home network to separate network traffic from users and the IoT devices, ensure security settings on the home assistant support no or limited recording capability, and install firewall rules on the router to restrict traffic to the home assistant as much as possible. D. Change all default passwords on the IoT devices, disable Internet access for the IoT devices and the home assistant, obtain routable IP addresses for all devices, and implement IPv6 and IPSec protections on all network traffic.

Install a firewall capable of cryptographically separating network traffic, require strong authentication to access all IoT devices, and restrict network access for the home assistant based on time-of-day restrictions.

After a large organization has completed the acquisition of a smaller company, the smaller company must implement new host-based security controls to connect its employees' devices to the network. Given that the network requires 802.1X EAP-PEAP to identify and authenticate devices, which of the following should the security administrator do to integrate the new employees' devices into the network securely? A. Distribute a NAC client and use the client to push the company's private key to all the new devices. B. Distribute the device connection policy and a unique public/private key pair to each new employee's device. C. Install a self-signed SSL certificate on the company's RADIUS server and distribute the certificate's public key to all new client devices. D. Install an 802.1X supplicant on all new devices and let each device generate a self-signed certificate to use for network access.

Install an 802.1X supplicant on all new devices and let each device generate a self-signed certificate to use for network access.

An administrator is working with management to develop policies related to the use of the cloud-based resources that contain corporate data. Management plans to require some control over organizational data stored on personal devices, such as tablets. Which of the following controls would BEST support management's policy? A. MDM B. Sandboxing C. Mobile tokenization D. FDE E. MFA

MDM

A security technician is incorporating the following requirements in an RFP for a new SIEM:
* New security notifications must be dynamically implemented by the SIEM engine
* The SIEM must be able to identify traffic baseline anomalies
* Anonymous attack data from all customers must augment attack detection and risk scoring
Based on the above requirements, which of the following should the SIEM support? (Choose two.) A. Autoscaling search capability B. Machine learning C. Multisensor deployment D. Big Data analytics E. Cloud-based management F. Centralized log aggregation

- Machine learning
- Big Data analytics

Which of the following BEST represents a risk associated with merging two enterprises during an acquisition?

Merging two enterprise networks could result in an expanded attack surface and could cause outages if trust and permission issues are not handled carefully.

A security consultant is improving the physical security of a sensitive site and takes pictures of the unbranded building to include in the report. Two weeks later, the security consultant misplaces the phone, which only has one hour of charge left on it. The person who finds the phone removes the MicroSD card in an attempt to discover the owner to return it. The person extracts the following data from the phone and EXIF data from some files:
DCIM Images folder
Audio books folder
Torrentz
My TAX.xls
Consultancy HR Manual.doc
Camera: SM-G950F
Exposure time: 1/60s
Location: 3500 Lacey Road USA
Which of the following BEST describes the security problem? A. MicroSD is not encrypted and also contains personal data. B. MicroSD contains a mixture of personal and work data. C. MicroSD is not encrypted and contains geotagging information. D. MicroSD contains pirated software and is not encrypted.

MicroSD is not encrypted and also contains personal data.

In the past, the risk committee at Company A has shown an aversion to even minimal amounts of risk acceptance. A security engineer is preparing recommendations regarding the risk of a proposed introduction of legacy ICS equipment. The project will introduce a minor vulnerability into the enterprise. This vulnerability does not significantly expose the enterprise to risk and would be expensive to mitigate against. Which of the following strategies should the engineer recommend be approved FIRST? A. Avoid B. Mitigate C. Transfer D. Accept

Mitigate

A recent assessment identified that several users' mobile devices are running outdated versions of endpoint security software that do not meet the company's security policy. Which of the following should be performed to ensure the users can access the network and meet the company's security requirements? A. Vulnerability assessment B. Risk assessment C. Patch management D. Device quarantine E. Incident management

Patch management

A threat advisory alert was just emailed to the IT security staff. The alert references specific types of host operating systems that can allow an unauthorized person to access files on a system remotely. A fix was recently published, but it requires a recent endpoint protection engine to be installed prior to running the fix. Which of the following MOST likely need to be configured to ensure the systems are mitigated accordingly? (Select two.) A. Antivirus B. HIPS C. Application whitelisting D. Patch management E. Group policy implementation F. Firmware updates

- Patch management
- Firmware updates

A company contracts a security engineer to perform a penetration test of its client-facing web portal. Which of the following activities would be MOST appropriate? A. Use a protocol analyzer against the site to see if data input can be replayed from the browser B. Scan the website through an interception proxy and identify areas for the code injection C. Scan the site with a port scanner to identify vulnerable services running on the web server D. Use network enumeration tools to identify if the server is running behind a load balancer

Scan the site with a port scanner to identify vulnerable services running on the web server

During an incident involving the company main database, a team of forensics experts is hired to respond to the breach. The team is in charge of collecting forensics evidence from the company's database server. Which of the following is the correct order in which the forensics team should engage? A. Notify senior management, secure the scene, capture volatile storage, capture non-volatile storage, implement chain of custody, and analyze original media. B. Take inventory, secure the scene, capture RAM, capture hard drive, implement chain of custody, document, and analyze the data. C. Implement chain of custody, take inventory, secure the scene, capture volatile and non-volatile storage, and document the findings. D. Secure the scene, take inventory, capture volatile storage, capture non-volatile storage, document, and implement chain of custody.

Secure the scene, take inventory, capture volatile storage, capture non-volatile storage, document, and implement chain of custody.

The Chief Information Security Officer (CISO) suspects that a database administrator has been tampering with financial data to the administrator's advantage. Which of the following would allow a third-party consultant to conduct an on-site review of the administrator's activity? A. Separation of duties B. Job rotation C. Continuous monitoring D. Mandatory vacation

Separation of Duties

Which of the following is a feature of virtualization that can potentially create a single point of failure? A. Server consolidation B. Load balancing hypervisors C. Faster server provisioning D. Running multiple OS instances

Server consolidation

A forensic analyst receives a hard drive containing malware quarantined by the antivirus application. After creating an image and determining the directory location of the malware file, which of the following helps to determine when the system became infected? A. The malware file's modify, access, change time properties. B. The timeline analysis of the file system. C. The time stamp of the malware in the swap file. D. The date/time stamp of the malware detection in the antivirus logs.

The timeline analysis of the file system.

The risk manager at a small bank wants to use quantitative analysis to determine the ALE of running a business system at a location which is subject to fires during the year. A risk analyst reports to the risk manager that the asset value of the business system is $120,000 and, based on industry data, the exposure factor to fires is only 20% due to the fire suppression system installed at the site. Fires occur in the area on average every four years. Which of the following is the ALE? A. $6,000 B. $24,000 C. $30,000 D. $96,000

$6,000

A security analyst has been asked to develop a quantitative risk analysis and risk assessment for the company's online shopping application. Based on heuristic information from the Security Operations Center (SOC), a Denial of Service Attack (DoS) has been successfully executed 5 times a year. The Business Operations department has determined the loss associated to each attack is $40,000. After implementing application caching, the number of DoS attacks was reduced to one time a year. The cost of the countermeasures was $100,000. Which of the following is the monetary value earned during the first year of operation? A. $60,000 B. $100,000 C. $140,000 D. $200,000

$60,000

An IT manager is concerned about the cost of implementing a web filtering solution in an effort to mitigate the risks associated with malware and resulting data leakage. Given that the ARO is twice per year, the ALE resulting from a data leak is $25,000 and the ALE after implementing the web filter is $15,000. The web filtering solution will cost the organization $10,000 per year. Which of the following values is the single loss expectancy of a data leakage event after implementing the web filtering solution? A. $0 B. $7,500 C. $10,000 D. $12,500 E. $15,000

$7,500

An accountant at a small business is trying to understand the value of a server to determine if the business can afford to buy another server for DR. The risk manager only provided the accountant with the SLE of $24,000, ARO of 20% and the exposure factor of 25%. Which of the following is the correct asset value calculated by the accountant? A. $4,800 B. $24,000 C. $96,000 D. $120,000

$96,000

A security administrator is shown the following log excerpt from a Unix system:
2013 Oct 10 07:14:57 web14 sshd[1632]: Failed password for root from 198.51.100.23 port 37914 ssh2
2013 Oct 10 07:14:57 web14 sshd[1635]: Failed password for root from 198.51.100.23 port 37915 ssh2
2013 Oct 10 07:14:58 web14 sshd[1638]: Failed password for root from 198.51.100.23 port 37916 ssh2
2013 Oct 10 07:15:59 web14 sshd[1640]: Failed password for root from 198.51.100.23 port 37918 ssh2
2013 Oct 10 07:16:00 web14 sshd[1641]: Failed password for root from 198.51.100.23 port 37920 ssh2
2013 Oct 10 07:16:00 web14 sshd[1642]: Successful login for root from 198.51.100.23 port 37924 ssh2
Which of the following is the MOST likely explanation of what is occurring and the BEST immediate response? (Select TWO). A. An authorized administrator has logged into the root account remotely. B. The administrator should disable remote root logins. C. Isolate the system immediately and begin forensic analysis on the host. D. A remote attacker has compromised the root account using a buffer overflow in sshd. E. A remote attacker has guessed the root password using a dictionary attack. F. Use iptables to immediately DROP connections from the IP 198.51.100.23. G. A remote attacker has compromised the private key of the root account. H. Change the root password immediately to a password not found in a dictionary.

- Isolate the system immediately and begin forensic analysis on the host.
- A remote attacker has guessed the root password using a dictionary attack.

A security administrator wants to prevent sensitive data residing on corporate laptops and desktops from leaking outside of the corporate network. The company has already implemented full-disk encryption and has disabled all peripheral devices on its desktops and laptops. Which of the following additional controls MUST be implemented to minimize the risk of data leakage? (Select TWO). A. A full-system backup should be implemented to a third-party provider with strong encryption for data in transit. B. A DLP gateway should be installed at the company border. C. Strong authentication should be implemented via external biometric devices. D. Full-tunnel VPN should be required for all network communication. E. Full-drive file hashing should be implemented with hashes stored on separate storage. F. Split-tunnel VPN should be enforced when transferring sensitive data.

- A DLP gateway should be installed at the company border.
- Full-tunnel VPN should be required for all network communication.

A large enterprise with thousands of users is experiencing a relatively high frequency of malicious activity from insider threats. Much of the activity appears to involve internal reconnaissance that results in targeted attacks against privileged users and network file shares. Given this scenario, which of the following would MOST likely prevent or deter these attacks? (Choose two.) A. Conduct role-based training for privileged users that highlights common threats against them and covers best practices to thwart attacks B. Increase the frequency at which host operating systems are scanned for vulnerabilities, and decrease the amount of time permitted between vulnerability identification and the application of corresponding patches C. Enforce command shell restrictions via group policies for all workstations by default to limit which native operating system tools are available for use D. Modify the existing rules of behavior to include an explicit statement prohibiting users from enumerating user and file directories using available tools and/or accessing visible resources that do not directly pertain to their job functions E. For all workstations, implement full-disk encryption and configure UEFI instances to require complex passwords for authentication F. Implement application blacklisting enforced by the operating systems of all machines in the enterprise

- Enforce command shell restrictions via group policies for all workstations by default to limit which native operating system tools are available for use
- Modify the existing rules of behavior to include an explicit statement prohibiting users from enumerating user and file directories using available tools and/or accessing visible resources that do not directly pertain to their job functions

During a criminal investigation, the prosecutor submitted the original hard drive from the suspect's computer as evidence. The defense objected during the trial proceedings, and the evidence was rejected. Which of the following practices should the prosecutor's forensics team have used to ensure the suspect's data would be admissible as evidence? (Select TWO.) A. Follow chain of custody best practices B. Create an identical image of the original hard drive, store the original securely, and then perform forensics only on the imaged drive. C. Use forensics software on the original hard drive and present generated reports as evidence D. Create a tape backup of the original hard drive and present the backup as evidence E. Create an exact image of the original hard drive for forensics purposes, and then place the original back in service

- Follow chain of custody best practices
- Create an identical image of the original hard drive, store the original securely, and then perform forensics only on the imaged drive.

An organization has recently deployed an EDR solution across its laptops, desktops, and server infrastructure. The organization's server infrastructure is deployed in an IaaS environment. A database within the non-production environment has been misconfigured with a routable IP and is communicating with a command and control server. Which of the following procedures should the security responder apply to the situation? (Choose two.) A. Contain the server. B. Initiate a legal hold. C. Perform a risk assessment. D. Determine the data handling standard. E. Disclose the breach to customers. F. Perform an IOC sweep to determine the impact.

- Initiate a legal hold.
- Perform an IOC sweep to determine the impact.

An architect was recently hired by a power utility to increase the security posture of the company's power generation and distribution sites. Upon review, the architect identifies legacy hardware with highly vulnerable and unsupported software driving critical operations. These systems must exchange data with each other, be highly synchronized, and pull time from Internet time sources. Which of the following architectural decisions would BEST reduce the likelihood of a successful attack without harming operational capability? (Choose two.) A. Isolate the systems on their own network B. Install a firewall and IDS between the systems and the LAN C. Employ their own stratum-0 and stratum-1 NTP servers D. Upgrade the software on critical systems E. Configure the systems to use government-hosted NTP servers

- Install a firewall and IDS between systems and the LAN
- Configure the systems to use government-hosted NTP servers

The Chief Executive Officer (CEO) of an Internet service provider (ISP) has decided to limit the company's contribution to worldwide Distributed Denial of Service (DDoS) attacks. Which of the following should the ISP implement? (Select TWO). A. Block traffic from the ISP's networks destined for blacklisted IPs. B. Prevent the ISP's customers from querying DNS servers other than those hosted by the ISP. C. Scan the ISP's customer networks using an up-to-date vulnerability scanner. D. Notify customers when services they run are involved in an attack. E. Block traffic with an IP source not allocated to customers from exiting the ISP's network.

- Notify customers when services they run are involved in an attack.
- Block traffic with an IP source not allocated to customers from exiting the ISP's network.

Company policy requires that all unsupported operating systems be removed from the network. The security administrator is using a combination of network-based tools to identify such systems for the purpose of disconnecting them from the network. Which of the following tools, or outputs from the tools in use, can be used to help the security administrator make an approximate determination of the operating system in use on the local company network? (Select THREE). A. Passive banner grabbing B. Password cracker C. http://www.company.org/documents_private/index.php?search=string# &topic=windows&tcp=packet%20capture&cookie=wokdjwalkjcnie61lkasdf2aliser4 D. 443/tcp open http E. dig host.company.com F. 09:18:16.262743 IP (tos 0x0, ttl 64, id 9870, offset 0, flags [none], proto TCP (6), length 40) 192.168.1.3.1051 > 10.46.3.7.80: Flags [none], cksum 0x1800 (correct), win 512, length 0 G. Nmap

- Passive banner grabbing
- 09:18:16.262743 IP (tos 0x0, ttl 64, id 9870, offset 0, flags [none], proto TCP (6), length 40) 192.168.1.3.1051 > 10.46.3.7.80: Flags [none], cksum 0x1800 (correct), win 512, length 0
- Nmap

A security administrator wants to calculate the ROI of a security design which includes the purchase of new equipment. The equipment costs $50,000 and it will take 50 hours to install and configure the equipment. The administrator plans to hire a contractor at a rate of $100/hour to do the installation. Given that the new design and equipment will allow the company to increase revenue and make an additional $100,000 on the first year, which of the following is the ROI expressed as a percentage for the first year? A. -45 percent B. 5.5 percent C. 45 percent D. 82 percent

82 percent

A software development team is conducting functional and user acceptance testing of internally developed web applications using a COTS solution. For automated testing, the solution uses valid user credentials from the enterprise directory to authenticate to each application. The solution stores the username in plain text and the corresponding password as an encoded string in a script within a file, located on a globally accessible network share. The account credentials used belong to the development team lead. To reduce the risks associated with this scenario while minimizing disruption to ongoing testing, which of the following are the BEST actions to take? (Choose two.) A. Restrict access to the network share by adding a group only for developers to the share's ACL B. Implement a new COTS solution that does not use hard-coded credentials and integrates with directory services C. Obfuscate the username within the script file with encoding to prevent easy identification and the account used D. Provision a new user account within the enterprise directory and enable its use for authentication to the target applications. Share the username and password with all developers for use in their individual scripts E. Redesign the web applications to accept single-use, local account credentials for authentication

- Restrict access to the network share by adding a group only for developers to the share's ACL
- Implement a new COTS solution that does not use hard-coded credentials and integrates with directory services

An organization has implemented an Agile development process for front-end web application development. A new security architect has just joined the company and wants to integrate security activities into the SDLC. Which of the following activities MUST be mandated to ensure code quality from a security perspective? (Select TWO). A. Static and dynamic analysis is run as part of integration B. Security standards and training are performed as part of the project C. Daily stand-up meetings are held to ensure security requirements are understood D. For each major iteration penetration testing is performed E. Security requirements are story boarded and make it into the build F. A security design is performed at the end of the requirements phase

-Static and dynamic analysis is run as part of integration -For each major iteration penetration testing is performed

The Chief Information Security Officer (CISO) has asked the security team to determine whether the organization is susceptible to a zero-day exploit utilized in the banking industry and whether attribution is possible. The CISO has asked what process would be utilized to gather the information, and then wants to apply signatureless controls to stop these kinds of attacks in the future. Which of the following are the MOST appropriate ordered steps to take to meet the CISO's request? A. 1. Perform the ongoing research of the best practices 2. Determine current vulnerabilities and threats 3. Apply Big Data techniques 4. Use antivirus control B. 1. Apply artificial intelligence algorithms for detection 2. Inform the CERT team 3. Research threat intelligence and potential adversaries 4. Utilize threat intelligence to apply Big Data techniques C. 1. Obtain the latest IOCs from the open source repositories 2. Perform a sweep across the network to identify positive matches 3. Sandbox any suspicious files 4. Notify the CERT team to apply a future proof threat model D. 1. Analyze the current threat intelligence 2. Utilize information sharing to obtain the latest industry IOCs 3. Perform a sweep across the network to identify positive matches 4. Apply machine learning algorithms

1. Obtain the latest IOCs from the open source repositories 2. Perform a sweep across the network to identify positive matches 3. Sandbox any suspicious files 4. Notify the CERT team to apply a future proof threat model

An administrator wishes to replace a legacy clinical software product as it has become a security risk. The legacy product generates $10,000 in revenue a month. The new software product has an initial cost of $180,000 and a yearly maintenance of $2,000 after the first year. However, it will generate $15,000 in revenue per month and be more secure. How many years until there is a return on investment for this new package? A. 1 B. 2 C. 3 D. 4

4

There have been some failures of the company's internal facing website. A security engineer has found the WAF to be the root cause of the failures. System logs show that the WAF has been unavailable for 14 hours over the past month, in four separate situations. One of these situations was a two hour scheduled maintenance time, aimed at improving the stability of the WAF. Using the MTTR based on the last month's performance figures, which of the following calculations is the percentage of uptime assuming there were 722 hours in the month? A. 92.24 percent B. 98.06 percent C. 98.34 percent D. 99.72 percent

98.06 percent

The senior security administrator wants to redesign the company DMZ to minimize the risks associated with both external and internal threats. The DMZ design must support security in depth, change management and configuration processes, and support incident reconstruction. Which of the following designs BEST supports the given requirements? A. A dual firewall DMZ with remote logging where each firewall is managed by a separate administrator. B. A single firewall DMZ where each firewall interface is managed by a separate administrator and logging to the cloud. C. A SaaS based firewall which logs to the company's local storage via SSL, and is managed by the change control team. D. A virtualized firewall, where each virtual instance is managed by a separate administrator and logging to the same hardware.

A dual firewall DMZ with remote logging where each firewall is managed by a separate administrator.

A large company is preparing to merge with a smaller company. The smaller company has been very profitable, but the smaller company's main applications were created in-house. Which of the following actions should the large company's security administrator take in preparation for the merger? A. A review of the mitigations implemented from the most recent audit findings of the smaller company should be performed. B. An ROI calculation should be performed to determine which company's application should be used. C. A security assessment should be performed to establish the risks of integration or co-existence. D. A regression test should be performed on the in-house software to determine security risks associated with the software.

A security assessment should be performed to establish the risks of integration or co-existence.

Two new technical SMB security settings have been enforced and have also become policies that increase secure communications. Network Client: Digitally sign communication Network Server: Digitally sign communication A storage administrator in a remote location with a legacy storage array, which contains time-sensitive data, reports employees can no longer connect to their department shares. Which of the following mitigation strategies should an information security manager recommend to the data owner? A. Accept the risk, reverse the settings for the remote location, and have the remote location file a risk exception until the legacy storage device can be upgraded B. Accept the risk for the remote location, and reverse the settings indefinitely since the legacy storage device will not be upgraded C. Mitigate the risk for the remote location by suggesting a move to a cloud service provider. Have the remote location request an indefinite risk exception for the use of cloud storage D. Avoid the risk, leave the settings alone, and decommission the legacy storage device

Accept the risk, reverse the settings for the remote location, and have the remote location file a risk exception until the legacy storage device can be upgraded

A mature organization with legacy information systems has incorporated numerous new processes and dependencies to manage security as its networks and infrastructure are modernized. The Chief Information Officer has become increasingly frustrated with frequent releases, stating that the organization needs everything to work completely, and the vendor should already have those desires built into the software product. The vendor has been in constant communication with personnel and groups within the organization to understand its business process and capture new software requirements from users. Which of the following methods of software development is this organization's configuration management process using? A. Agile B. SDL C. Waterfall D. Joint application development

Agile

A cybersecurity analyst is hired to review the security posture of a company. The cybersecurity analyst notices very high network bandwidth consumption due to SYN floods from a small number of IP addresses. Which of the following would be the BEST action to take to support incident response? A. Increase the company's bandwidth. B. Apply ingress filters at the routers. C. Install a packet capturing tool. D. Block all SYN packets.

Apply ingress filters at the routers.

A completely new class of web-based vulnerabilities has been discovered. Claims have been made that all common web-based development frameworks are susceptible to attack. Proof-of-concept details have emerged on the Internet. A security advisor within a company has been asked to provide recommendations on how to respond quickly to these vulnerabilities. Which of the following BEST describes how the security advisor should respond? A. Assess the reliability of the information source, likelihood of exploitability, and impact to hosted data. Attempt to exploit via the proof-of-concept code. Consider remediation options. B. Hire an independent security consulting agency to perform a penetration test of the web servers. Advise management of any 'high' or 'critical' penetration test findings and put forward recommendations for mitigation. C. Review vulnerability write-ups posted on the Internet. Respond to management with a recommendation to wait until the news has been independently verified by software vendors providing the web application software. D. Notify all customers about the threat to their hosted data. Bring the web servers down into "maintenance mode" until the vulnerability can be reliably mitigated through a vendor patch.

Assess the reliability of the information source, likelihood of exploitability, and impact to hosted data. Attempt to exploit via the proof-of-concept code. Consider remediation options.

A human resources manager at a software development company has been tasked with recruiting personnel for a new cyber defense division in the company. This division will require personnel to have high technology skills and industry certifications. Which of the following is the BEST method for this manager to gain insight into this industry to execute the task? A. Interview candidates, attend training, and hire a staffing company that specializes in technology jobs B. Interview employees and managers to discover the industry hot topics and trends C. Attend meetings with staff, internal training, and become certified in software management D. Attend conferences, webinars, and training to remain current with the industry and job requirements

Attend conferences, webinars, and training to remain current with the industry and job requirements

A bank is in the process of developing a new mobile application. The mobile client renders content and communicates back to the company servers via REST/JSON calls. The bank wants to ensure that the communication is stateless between the mobile application and the web services gateway. Which of the following controls MUST be implemented to enable stateless communication? A. Generate a one-time key as part of the device registration process. B. Require SSL between the mobile application and the web services gateway. C. The jsession cookie should be stored securely after authentication. D. Authentication assertion should be stored securely on the client.

Authentication assertion should be stored securely on the client.

A security analyst has requested network engineers integrate sFlow into the SOC's overall monitoring picture. For this to be a useful addition to the monitoring capabilities, which of the following must be considered by the engineering team? A. Effective deployment of network taps B. Overall bandwidth available at Internet PoP C. Optimal placement of log aggregators D. Availability of application layer visualizers

Availability of application layer visualizers

A security analyst is reviewing the following company requirements prior to selecting the appropriate technical control configuration and parameter: RTO: 2 days, RPO: 36 hours, MTTR: 24 hours, MTBF: 60 days. Which of the following solutions will address the RPO requirements? A. Remote Syslog facility collecting real-time events B. Server farm behind a load balancer delivering five-nines uptime C. Backup solution that implements daily snapshots D. Cloud environment distributed across geographic regions

Backup solution that implements daily snapshots

A Chief Information Security Officer (CISO) has requested that a SIEM solution be implemented. The CISO wants to know upfront what the projected TCO would be before looking further into this concern. Two vendor proposals have been received: Vendor A: product-based solution which can be purchased by the pharmaceutical company. Capital expenses to cover central log collectors, correlators, storage and management consoles expected to be $150,000. Operational expenses are expected to be a 0.5 full time employee (FTE) to manage the solution, and 1 full time employee to respond to incidents per year. Vendor B: managed service-based solution which can be the outsourcer for the pharmaceutical company's needs. Bundled offering expected to be $100,000 per year. Operational expenses for the pharmaceutical company to partner with the vendor are expected to be a 0.5 FTE per year. Internal employee costs are averaged to be $80,000 per year per FTE. Based on calculating TCO of the two vendor proposals over a 5 year period, which of the following options is MOST accurate?

Based on cost alone, having an outsourced solution appears cheaper.

At 9:00 am each morning, all of the virtual desktops in a VDI implementation become extremely slow and/or unresponsive. The outage lasts for around 10 minutes, after which everything runs properly again. The administrator has traced the problem to a lab of thin clients that are all booted at 9:00 am each morning. Which of the following is the MOST likely cause of the problem and the BEST solution? (Select TWO). A. Add guests with more memory to increase capacity of the infrastructure. B. A backup is running on the thin clients at 9am every morning. C. Install more memory in the thin clients to handle the increased load while booting. D. Booting all the lab desktops at the same time is creating excessive I/O. E. Install 10-Gb uplinks between the hosts and the lab to increase network capacity. F. Install faster SSD drives in the storage system used in the infrastructure. G. The lab desktops are saturating the network while booting. H. The lab desktops are using more memory than is available to the host systems.

Booting all the lab desktops at the same time is creating excessive I/O. Install faster SSD drives in the storage system used in the infrastructure.

A Chief Information Security Officer (CISO) requests the following externally hosted services be scanned for malware, unsecured PII, and healthcare data: * Corporate intranet site * Online storage application * Email and collaboration suite Security policy is also updated to allow the security team to scan and detect any bulk downloads of corporate data from the company's intranet and online storage site. Which of the following is needed to comply with the corporate security policy and the CISO's request?

CASB

A pharmacy gives its clients online access to their records and the ability to review bills and make payments. A new SSL vulnerability on a specific platform was discovered, allowing an attacker to capture the data between the end user and the web server providing these services. After the new vulnerability, it was determined that the web services provided are being impacted by this new threat. Which of the following data types are MOST likely at risk of exposure based on this new threat? (Select Two) A. Cardholder data B. Intellectual property C. Personal health information D. Employee records E. Corporate financial data

Cardholder data Personal health information

Which of the following would be used in forensic analysis of a compromised Linux system? (Select THREE). A. Check log files for logins from unauthorized IPs. B. Check /proc/kmem for fragmented memory segments. C. Check for unencrypted passwords in /etc/shadow. D. Check timestamps for files modified around time of compromise. E. Use lsof to determine files with future timestamps. F. Use gpg to encrypt compromised data files. G. Verify the MD5 checksum of system binaries. H. Use vmstat to look for excessive disk I/O.

Check log files for logins from unauthorized IPs. Check timestamps for files modified around time of compromise. Verify the MD5 checksum of system binaries.

A company decides to purchase commercially available software packages. This can introduce new security risks to the network. Which of the following is the BEST description of why this is true? A. Commercially available software packages are typically well known and widely available. Information concerning vulnerabilities and viable attack patterns are never revealed by the developer to avoid lawsuits. B. Commercially available software packages are often widely available. Information concerning vulnerabilities is often kept internal to the company that developed the software. C. Commercially available software packages are not widespread and are only available in limited areas. Information concerning vulnerabilities is often ignored by business managers. D. Commercially available software packages are well known and widely available. Information concerning vulnerabilities and viable attack patterns are always shared within the IT community.

Commercially available software packages are often widely available. Information concerning vulnerabilities is often kept internal to the company that developed the software.

A team is at the beginning stages of designing a new enterprise-wide application. The new application will have a large database and require a capital investment in hardware. The Chief Information Officer (CIO) has directed the team to save money and reduce the reliance on the datacenter, and the vendor must specialize in hosting large databases in the cloud. Which of the following cloud-hosting options would BEST meet these needs? A. Multi-tenancy SaaS B. Hybrid IaaS C. Single-tenancy PaaS D. Community IaaS

Community IaaS

The marketing department has developed a new marketing campaign involving significant social media outreach. The campaign includes allowing employees and customers to submit blog posts and pictures of their day-to-day experiences at the company. The information security manager has been asked to provide an informative letter to all participants regarding the security risks and how to avoid privacy and operational security issues. Which of the following is the MOST important information to reference in the letter? A. After-action reports from prior incidents. B. Social engineering techniques C. Company policies and employee NDAs D. Data classification processes

Company policies and employee NDAs

A security analyst, Ann, states that she believes Internet facing file transfer servers are being attacked. Which of the following is evidence that would aid Ann in making a case to management that action needs to be taken to safeguard these servers? A. Provide a report of all the IP addresses that are connecting to the systems and their locations B. Establish alerts at a certain threshold to notify the analyst of high activity C. Provide a report showing the file transfer logs of the servers D. Compare the current activity to the baseline of normal activity

Compare the current activity to the baseline of normal activity

While conducting a BIA for a proposed acquisition, the IT integration team found that both companies outsource CRM services to competing and incompatible third-party cloud services. The decision has been made to bring the CRM service in-house, and the IT team has chosen a future solution. With which of the following should the Chief Information Security Officer (CISO) be MOST concerned? (Choose Two) A. Data remnants B. Sovereignty C. Compatible services D. Storage encryption E. Data migration F. Chain of custody

Compatible Services & Data Migration

A security analyst has been asked to create a list of external IT security concerns, which are applicable to the organization. The intent is to show the different types of external actors, their attack vectors, and the types of vulnerabilities that would cause business impact. The Chief Information Security Officer (CISO) will then present this list to the board to request funding for controls in areas that have insufficient coverage. Which of the following exercise types should the analyst perform? A. Summarize the most recently disclosed vulnerabilities. B. Research industry best practices and latest RFCs. C. Undertake an external vulnerability scan and penetration test. D. Conduct a threat modeling exercise.

Conduct a threat modeling exercise.

A security administrator wants to implement two-factor authentication for network switches and routers. The solution should integrate with the company's RADIUS server, which is used for authentication to the network infrastructure devices. The security administrator implements the following: * An HOTP service is installed on the RADIUS server. * The RADIUS server is configured to require the HOTP service for authentication. The configuration is successfully tested using a software supplicant and enforced across all network devices. Network administrators report they are unable to log onto the network devices because they are not being prompted for the second factor. Which of the following should be implemented to BEST resolve the issue? A. Replace the password requirement with the second factor. Network administrators will enter their username and then enter the token in place of their password in the password field. B. Configure the RADIUS server to accept the second factor appended to the password. Network administrators will enter a password followed by their token in the password field. C. Reconfigure network devices to prompt for username, password, and a token. Network administrators will enter their username and password, and then they will enter the token. D. Install a TOTP service on the RADIUS server in addition to the HOTP service. Use the HOTP on older devices that do not support two-factor authentication. Network administrators will use a web portal to log onto these devices.

Configure the RADIUS server to accept the second factor appended to the password. Network administrators will enter a password followed by their token in the password field.

A company sales manager received a memo from the company's financial department which stated that the company would not be putting its software products through the same security testing as previous years to reduce the research and development cost by 20 percent for the upcoming year. The memo also stated that the marketing material and service level agreement for each product would remain unchanged. The sales manager has reviewed the sales goals for the upcoming year and identified an increased target across the software products that will be affected by the financial department's change. All software products will continue to go through new development in the coming year. Which of the following should the sales manager do to ensure the company stays out of trouble? A. Discuss the issue with the software product's user groups B. Consult the company's legal department on practices and law C. Contact senior finance management and provide background information D. Seek industry outreach for software practices and law

Consult the company's legal department on practices and law

A security analyst is reviewing the corporate MDM settings and notices some disabled settings, which consequently permit users to download programs from untrusted developers and manually install them. After some conversations, it is confirmed that these settings were disabled to support the internal development of mobile applications. The security analyst is now recommending that developers and testers have a separate device profile allowing this, and that the rest of the organization's users do not have the ability to manually download and install untrusted applications. Which of the following settings should be toggled to achieve the goal? (Choose two.)

Containerization & Signed Applications

A web services company is planning a one-time high-profile event to be hosted on the corporate website. An outage, due to an attack, would be publicly embarrassing, so Joe, the Chief Executive Officer (CEO), has requested that his security engineers put temporary preventive controls in place. Which of the following would MOST appropriately address Joe's concerns? A. Ensure web services hosting the event use TCP cookies and deny_hosts. B. Configure an intrusion prevention system that blocks IPs after detecting too many incomplete sessions. C. Contract and configure scrubbing services with third-party DDoS mitigation providers. D. Purchase additional bandwidth from the company's Internet service provider.

Contract and configure scrubbing services with third-party DDoS mitigation providers.

A security analyst is reviewing logs and discovers that a company-owned computer issued to an employee is generating many alerts. The analyst continues to review the log events and discovers that a non-company-owned device from a different, unknown IP address is generating the same events. The analyst informs the manager of these findings, and the manager explains that these activities are already known and . . . ongoing simulation. Given this scenario, which of the following roles are the analyst, the employee, and the manager filling? A. The analyst is red team The employee is blue team The manager is white team B. The analyst is white team The employee is red team The manager is blue team C. The analyst is red team The employee is white team The manager is blue team D. The analyst is blue team The employee is red team The manager is white team

D??

An analyst has noticed unusual activities in the SIEM to a .cn domain name. Which of the following should the analyst use to identify the content of the traffic? A. Log review B. Service discovery C. Packet capture D. DNS harvesting

DNS harvesting

A database administrator is required to adhere to and implement privacy principles when executing daily tasks. A manager directs the administrator to reduce the number of unique instances of PII stored within an organization's systems to the greatest extent possible. Which of the following principles is being demonstrated? A. Administrator accountability B. PII security C. Record transparency D. Data minimization

Data minimization

A recent overview of the network's security and storage applications reveals a large amount of data that needs to be isolated for security reasons. Below are the critical applications and devices configured on the network: * Firewall * Core switches * RM server * Virtual environment * NAC solution The security manager also wants data from all critical applications to be aggregated to correlate events from multiple sources. Which of the following must be configured in certain applications to help ensure data aggregation and data isolation are implemented on the critical applications and devices? (Select TWO). A. Routing tables B. Log forwarding C. Data remnants D. Port aggregation E. NIC teaming F. Zones

Data remnants Zones

A business is growing and starting to branch out into other locations. In anticipation of opening an office in a different country, the Chief Information Security Officer (CISO) and legal team agree they need to meet the following criteria regarding data to open the new office: * Store taxation-related documents for five years * Store customer addresses in an encrypted format * Destroy customer information after one year * Keep data only in the customer's home country Which of the following should the CISO implement to BEST meet these requirements? (Choose three.) A. Capacity planning policy B. Data retention policy C. Data classification standard D. Legal compliance policy E. Data sovereignty policy F. Backup policy G. Acceptable use policy H. Encryption standard

Data retention policy Data classification standard Encryption standard

During the decommissioning phase of a hardware project, a security administrator is tasked with ensuring no sensitive data is released inadvertently. All paper records are scheduled to be shredded in a crosscut shredder, and the waste will be burned. The system drives and removable media have been removed prior to e-cycling the hardware. Which of the following would ensure no data is recovered from the system drives once they are disposed of? A. Overwriting all HDD blocks with an alternating series of data. B. Physically disabling the HDDs by removing the drive head. C. Demagnetizing the hard drive using a degausser. D. Deleting the UEFI boot loaders from each HDD.

Demagnetizing the hard drive using a degausser.

After several industry competitors suffered data loss as a result of cyberattacks, the Chief Operating Officer (COO) of a company reached out to the information security manager to review the organization's security stance. As a result of the discussion, the COO wants the organization to meet the following criteria: * Blocking of suspicious websites * Prevention of attacks based on threat intelligence * Reduction in spam * Identity-based reporting to meet regulatory compliance * Prevention of viruses based on signature * Protect applications from web-based threats Which of the following would be the BEST recommendation the information security manager could make? A. Reconfigure existing IPS resources B. Implement a WAF C. Deploy a SIEM solution D. Deploy a UTM solution E. Implement an EDR platform

Deploy a UTM solution

An engineer is assisting with the design of a new virtualized environment that will house critical company services and reduce the datacenter's physical footprint. The company has expressed concern about the integrity of operating systems and wants to ensure a vulnerability exploited in one datacenter segment would not lead to the compromise of all others. Which of the following design objectives should the engineer complete to BEST mitigate the company's concerns? (Choose two.) A. Deploy virtual desktop infrastructure with an OOB management network B. Employ the use of vTPM with boot attestation C. Leverage separate physical hardware for sensitive services and data D. Use a community CSP with independently managed security services E. Deploy to a private cloud with hosted hypervisors on each physical machine

Deploy virtual desktop infrastructure with an OOB management network Leverage separate physical hardware for sensitive services and data

A forensics analyst suspects that a breach has occurred. Security logs show the company's OS patch system may be compromised, and it is serving patches that contain a zero-day exploit and backdoor. The analyst extracts an executable file from a packet capture of communication between a client computer and the patch server. Which of the following should the analyst use to confirm this suspicion? A. File size B. Digital signature C. Checksums D. Anti-malware software E. Sandboxing

Digital signature

An organization has decided to reduce labor costs by outsourcing back office processing of credit applications to a provider located in another country. Data sovereignty and privacy concerns raised by the security team resulted in the third-party provider only accessing and processing the data via remote desktop sessions. To facilitate communications and improve productivity, staff at the third party has been provided with corporate email accounts that are only accessible via the remote desktop sessions. Email forwarding is blocked and staff at the third party can only communicate with staff within the organization. Which of the following additional controls should be implemented to prevent data loss? (Select THREE). A. Implement hashing of data in transit B. Session recording and capture C. Disable cross session cut and paste D. Monitor approved credit accounts E. User access audit reviews F. Source IP whitelisting

Disable cross session cut and paste, User access audit reviews, and Source IP whitelisting

A company has created a policy to allow employees to use their personally owned devices. The Chief Information Officer (CISO) is getting reports of company data appearing on unapproved forums and an increase in theft of personal electronic devices. Which of the following security controls would BEST reduce the risk of exposure? A. Disk encryption on the local drive B. Group policy to enforce failed login lockout C. Multifactor authentication D. Implementation of email digital signatures

Disk encryption on the local drive

A large organization has recently suffered a massive credit card breach. During the months of Incident Response, there were multiple attempts to assign blame for whose fault it was that the incident occurred. In which part of the incident response phase would this be addressed in a controlled and productive manner? A. During the Identification Phase B. During the Lessons Learned phase C. During the Containment Phase D. During the Preparation Phase

During the Lessons Learned phase

A recent penetration test identified that a web server has a major vulnerability. The web server hosts a critical shipping application for the company and requires 99.99% availability. Attempts to fix the vulnerability would likely break the application. The shipping application is due to be replaced in the next three months. Which of the following would BEST secure the web server until the replacement web server is ready? A. Patch management B. Antivirus C. Application firewall D. Spam filters E. HIDS

HIDS

The Chief Information Security Officer (CISO) for an organization wants to develop custom IDS rulesets faster, prior to new rules being released by IDS vendors. Which of the following BEST meets this objective? A. Identify a third-party source for IDS rules and change the configuration on the applicable IDSs to pull in the new rulesets B. Encourage cybersecurity analysts to review open-source intelligence products and threat database to generate new IDS rules based on those sources C. Leverage the latest TCP- and UDP-related RFCs to arm sensors and IDSs with appropriate heuristics for anomaly detection D. Use annual hacking conventions to document the latest attacks and threats, and then develop IDS rules to counter those threats

Encourage cybersecurity analysts to review open-source intelligence products and threat database to generate new IDS rules based on those sources

Company XYZ finds itself using more cloud-based business tools, and password management is becoming onerous. Security is important to the company; as a result, password replication and shared accounts are not acceptable. Which of the following implementations addresses the distributed login with centralized authentication and has wide compatibility among SaaS vendors? A. Establish a cloud-based authentication service that supports SAML. B. Implement a new Diameter authentication server with read-only attestation. C. Install a read-only Active Directory server in the corporate DMZ for federation. D. Allow external connections to the existing corporate RADIUS server.

Establish a cloud-based authentication service that supports SAML.

A SaaS-based email service provider often receives reports from legitimate customers that their IP netblocks are on blacklists and they cannot send email. The SaaS has confirmed that affected customers typically have IP addresses within broader network ranges and some abusive customers within the same IP ranges may have performed spam campaigns. Which of the following actions should the SaaS provider perform to minimize legitimate customer impact? A. Inform the customer that the service provider does not have any control over third-party blacklist entries. The customer should reach out to the blacklist operator directly B. Perform a takedown of any customer accounts that have entries on email blacklists because this is a strong indicator of hostile behavior C. Work with the legal department and threaten legal action against the blacklist operator if the netblocks are not removed because this is affecting legitimate traffic D. Establish relationships with blacklist operators so broad entries can be replaced with more granular entries and incorrect entries can be quickly pruned

Establish relationships with blacklist operators so broad entries can be replaced with more granular entries and incorrect entries can be quickly pruned

A security administrator is hardening a TrustedSolaris server that processes sensitive data. The data owner has established the following security requirements: * The data is for internal consumption only and shall not be distributed to outside individuals * The systems administrator should not have access to the data processed by the server * The integrity of the kernel image is maintained Which of the following host-based security controls BEST enforce the data owner's requirements? (Choose three.) A. SELinux B. DLP C. HIDS D. Host-based firewall E. Measured boot F. Data encryption G. Watermarking

HIDS, Measured boot, and Data encryption

A security engineer is a new member to a configuration board at the request of management. The company has two new major IT projects starting this year and wants to plan security into the application deployment. The board is primarily concerned with the applications' compliance with federal assessment and authorization standards. The security engineer asks for a timeline to determine when a security assessment of both applications should occur and does not attend subsequent configuration board meetings. If the security engineer is only going to perform a security assessment, which of the following steps in system authorization has the security engineer omitted? A. Establish the security control baseline B. Build the application according to software development security standards C. Review the results of user acceptance testing D. Consult with the stakeholders to determine which standards can be omitted

Establish the security control baseline

An intruder was recently discovered inside the data center, a highly sensitive area. To gain access, the intruder circumvented numerous layers of physical and electronic security measures. Company leadership has asked for a thorough review of physical security controls to prevent this from happening again. Which of the following departments are the MOST heavily invested in rectifying the problem? (Select THREE). A. Facilities management B. Human resources C. Research and development D. Programming E. Data center operations F. Marketing G. Information technology

Facilities management, Data center operations, and Information technology

It has come to the IT administrator's attention that the "post your comment" field on the company blog page has been exploited, resulting in cross-site scripting attacks against customers reading the blog. Which of the following would be the MOST effective at preventing the "post your comment" field from being exploited? A. Update the blog page to HTTPS B. Filter metacharacters C. Install HIDS on the server D. Patch the web application E. Perform client side input validation

Filter metacharacters

A consulting firm was hired to conduct assessment for a company. During the first stage, a penetration tester used a tool that provided the following output: TCP 80 open TCP 443 open TCP 1434 filtered The penetration tester then used a different tool to make the following requests: GET / script/login.php?token=45$MHT000MND876 GET / script/login.php?token=@#984DCSPQ%091DF Which of the following tools did the penetration tester use? A. Protocol analyzer B. Port scanner C. Fuzzer D. Brute forcer E. Log analyzer F. HTTP interceptor

Fuzzer

An administrator has noticed mobile devices from an adjacent company on the corporate wireless network. Malicious activity is being reported from those devices. To add another layer of security in an enterprise environment, an administrator wants to add contextual authentication to allow users to access enterprise resources only while present in corporate buildings. Which of the following technologies would accomplish this? A. Port security B. Rogue device detection C. Bluetooth D. GPS

GPS

An organization is preparing to develop a business continuity plan. The organization is required to meet regulatory requirements relating to confidentiality and availability, which are well-defined. Management has expressed concern following initial meetings that the organization is not fully aware of the requirements associated with the regulations. Which of the following would be MOST appropriate for the project manager to solicit additional resources for during this phase of the project?

Gap assessment

Executive management is asking for a new manufacturing control and workflow automation solution. This application will facilitate management of proprietary information and closely guarded corporate trade secrets. The information security team has been a part of the department meetings and came away with the following notes: Human resources would like complete access to employee data stored in the application. They would like automated data interchange with the employee management application, a cloud-based SaaS application. Sales is asking for easy order tracking to facilitate feedback to customers. Legal is asking for adequate safeguards to protect trade secrets. They are also concerned with data ownership questions and legal jurisdiction. Manufacturing is asking for ease of use. Employees working the assembly line cannot be bothered with additional steps or overhead. System interaction needs to be quick and easy. Quality assurance is concerned about managing the end product and tracking overall performance of the product being produced. They would like read-only access to the entire workflow process for monitoring and baselining. The favored solution is a user-friendly software application that would be hosted onsite. It has extensive ACL functionality, but also has readily available APIs for extensibility. It supports read-only access, kiosk automation, custom fields, and data encryption. Which of the following departments' request is in contrast to the favored solution? A. Manufacturing B. Legal C. Sales D. Quality assurance E. Human resources

Human resources

A penetration tester noticed special characters in a database table. The penetration tester configured the browser to use an HTTP interceptor to verify that the front-end user registration web form accepts invalid input in the user's age field. The developer was notified and asked to fix the issue. Which of the following is the MOST secure solution for the developer to implement? A. IF $AGE == "!@#%^&*()_+<>?":{}[]" THEN ERROR B. IF $AGE == [1234567890] {1,3} THEN CONTINUE C. IF $AGE != "a-bA-Z!@#$%^&*()_+<>?"{}[]"THEN CONTINUE D. IF $AGE == [1-0] {0,2} THEN CONTINUE

IF $AGE == [1234567890] {1,3} THEN CONTINUE

An organization uses IP address block 203.0.113.0/24 on its internal network. At the border router, the network administrator sets up rules to deny packets with a source address in this subnet from entering the network, and to deny packets with a destination address in this subnet from leaving the network. Which of the following is the administrator attempting to prevent? A. BGP route hijacking attacks B. Bogon IP network traffic C. IP spoofing attacks D. Man-in-the-middle attacks E. Amplified DDoS attacks

IP spoofing attacks

An educational institution would like to make computer labs available to remote students. The labs are used for various IT networking, security, and programming courses. The requirements are: Each lab must be on a separate network segment. Labs must have access to the Internet, but not other lab networks. Student devices must have network access, not simple access to hosts on the lab networks. Students must have a private certificate installed before gaining access. Servers must have a private certificate installed locally to provide assurance to the students. All students must use the same VPN connection profile. Which of the following components should be used to achieve the design in conjunction with directory services?

IPSec VPN with mutual authentication for remote connectivity, RADIUS for authentication, ACLs on network equipment

The risk subcommittee of a corporate board typically maintains a master register of the most prominent risks to the company. A centralized holistic view of risk is particularly important to the corporate Chief Information Security Officer (CISO) because: A. IT systems are maintained in silos to minimize interconnected risks and provide clear risk boundaries used to implement compensating controls B. risks introduced by a system in one business unit can affect other business units in ways in which the individual business units have no awareness C. corporate general counsel requires a single system boundary to determine overall corporate risk exposure D. major risks identified by the subcommittee merit the prioritized allocation of scare funding to address cybersecurity concerns

IT systems are maintained in silos to minimize interconnected risks and provide clear risk boundaries used to implement compensating controls

The helpdesk manager wants to find a solution that will enable the helpdesk staff to better serve company employees who call with computer-related problems. The helpdesk staff is currently unable to perform effective troubleshooting and relies on callers to describe their technology problems. Given that the helpdesk staff is located within the company headquarters and 90% of the callers are telecommuters, which of the following tools should the helpdesk manager use to make the staff more effective at troubleshooting while at the same time reducing company costs? (Select TWO). A. Web cameras B. Email C. Instant messaging D. BYOD E. Desktop sharing F. Presence

Instant messaging & Desktop sharing

A security architect is implementing security measures in response to an external audit that found vulnerabilities in the corporate collaboration tool suite. The report identified the lack of any mechanism to provide confidentiality for electronic correspondence between users and between users and group mailboxes. Which of the following controls would BEST mitigate the identified vulnerability? A. Issue digital certificates to all users, including owners of group mailboxes, and enable S/MIME B. Federate with an existing PKI provider, and reject all non-signed emails C. Implement two-factor email authentication, and require users to hash all email messages upon receipt D. Provide digital certificates to all systems, and eliminate the user group or shared mailboxes

Issue digital certificates to all users, including owners of group mailboxes, and enable S/MIME

After a security incident, an administrator would like to implement policies that would help reduce fraud and the potential for collusion between employees. Which of the following would help meet these goals by having co-workers occasionally audit another worker's position? A. Least privilege B. Job rotation C. Mandatory vacation D. Separation of duties

Job rotation

Legal authorities notify a company that its network has been compromised for the second time in two years. The investigation shows the attackers were able to use the same vulnerability on different systems in both attacks. Which of the following would have allowed the security team to use historical information to protect against the second attack? A. Key risk indicators B. Lessons learned C. Recovery point objectives D. Tabletop exercise

Key risk indicators

Which of the following technologies prevents an unauthorized HBA from viewing iSCSI target information? A. Deduplication B. Data snapshots C. LUN masking D. Storage multipaths

LUN masking

A security engineer has implemented an internal user access review tool so service teams can baseline user accounts and group memberships. However, the tool has not been built to cater to a broader set of internal teams yet. The engineer has sought feedback from internal stakeholders, and a list of summarized requirements is as follows: * The tool needs to be responsive so service teams can query it, and then perform an automated response action. * The tool needs to be resilient to outages so service teams can perform the user access review at any point in time and meet their own SLAs. * The tool will become the system-of-record for approval, reapproval, and removal life cycles of group memberships and must allow for data retrieval after failure. Which of the following need specific attention to meet the requirements listed above? (Choose three.) A. Scalability B. Latency C. Availability D. Usability E. Recoverability F. Maintainability

Latency, Availability, and Recoverability

With which of the following departments should an engineer for a consulting firm coordinate when determining the control and reporting requirements for storage of sensitive, proprietary customer information? A. Human resources B. Financial C. Sales D. Legal counsel

Legal counsel

Legal counsel has notified the information security manager of a legal matter that will require the preservation of electronic records for 2000 sales force employees. Source records will be email, PC, network shares, and applications. After all restrictions have been lifted, which of the following should the information manager review? A. Data retention policy B. Legal hold C. Chain of custody D. Scope statement

Legal hold

A recent CRM upgrade at a branch office was completed after the desired deadline. Several technical issues were found during the upgrade and need to be discussed in depth before the next branch office is upgraded. Which of the following should be used to identify weak processes and other vulnerabilities? A. Gap analysis B. Benchmarks and baseline results C. Risk assessment D. Lessons learned report

Lessons learned report

A security engineer is working on a large software development project. As part of the design of the project, various stakeholder requirements were gathered and decomposed to an implementable and testable level. Various security requirements were also documented. Organize the following security requirements into the correct hierarchy required for an SRTM. Requirement 1: The system shall provide confidentiality for data in transit and data at rest. Requirement 2: The system shall use SSL, SSH, or SCP for all data transport. Requirement 3: The system shall implement a file-level encryption scheme. Requirement 4: The system shall provide integrity for all data at rest. Requirement 5: The system shall perform CRC checks on all files. A. Level 1: Requirements 1 and 4; Level 2: Requirements 2, 3, and 5 B. Level 1: Requirements 1 and 4; Level 2: Requirements 2 and 3 under 1, Requirement 5 under 4 C. Level 1: Requirements 1 and 4; Level 2: Requirement 2 under 1, Requirement 5 under 4; Level 3: Requirement 3 under 2 D. Level 1: Requirements 1, 2, and 3; Level 2: Requirements 4 and 5

Level 1: Requirements 1 and 4; Level 2: Requirements 2 and 3 under 1, Requirement 5 under 4

As part of the development process for a new system, the organization plans to perform requirements analysis and risk assessment. The new system will replace a legacy system, which the organization has used to perform data analytics. Which of the following is MOST likely to be part of the activities conducted by management during this phase of the project? A. Static code analysis and peer review of all application code B. Validation of expectations relating to system performance and security C. Load testing the system to ensure response times are acceptable to stakeholders D. Design reviews and user acceptance testing to ensure the system has been deployed properly E. Regression testing to evaluate interoperability with the legacy system during the deployment

Load testing the system to ensure response times are acceptable to stakeholders

A security manager looked at various logs while investigating a recent security breach in the data center from an external source. Each log below was collected from various security devices compiled from a report through the company's security information and event management server. Logs: Log 1: Feb 5 23:55:37.743: %SEC-6-IPACCESSLOGS: list 10 denied 10.2.5.81 3 packets Log 2: HTTP://www.company.com/index.php?user=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa Log 3: Security Error Alert Event ID 50: The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client Log 4: Encoder oe = new OracleEncoder (); String query = "Select user_id FROM user_data WHERE user_name = ' " + oe.encode ( req.getParameter("userID") ) + " ' and user_password = ' " + oe.encode ( req.getParameter("pwd") ) +" ' "; Vulnerabilities Buffer overflow SQL injection ACL XSS Which of the following logs and vulnerabilities would MOST likely be related to the security breach? (Select TWO). A. Log 1 B. Log 2 C. Log 3 D. Log 4 E. Buffer overflow F. ACL G. XSS H. SQL injection

Log 2 & Buffer overflow

The Chief Information Officer (CISO) is concerned that certain systems administrators with privileged access may be reading other user's emails. Review of a tool's output shows the administrators have used web mail to log into other users' inboxes. Which of the following tools would show this type of output?

Log analysis tool

A security administrator wants to deploy a dedicated storage solution which is inexpensive, can natively integrate with AD, allows files to be selectively encrypted and is suitable for a small number of users at a satellite office. Which of the following would BEST meet the requirement? A. SAN B. NAS C. Virtual SAN D. Virtual storage

NAS

To meet an SLA, which of the following documents should be drafted, defining the company's internal interdependent unit responsibilities and delivery timelines? A. BPA B. OLA C. MSA D. MOU

OLA

During a security event investigation, a junior analyst fails to create an image of a server's hard drive before removing the drive and sending it to the forensics analyst. Later, the evidence from the analysis is not usable in the prosecution of the attackers due to the uncertainty of tampering. Which of the following should the junior analyst have followed? A. Continuity of operations B. Chain of custody C. Order of volatility D. Data recovery

Order of volatility

ABC Corporation uses multiple security zones to protect systems and information, and all of the VM hosts are part of a consolidated VM infrastructure. Each zone has different VM administrators. Which of the following restricts different zone administrators from directly accessing the console of a VM host from another zone? A. Ensure hypervisor layer firewalling between all VM hosts regardless of security zone. B. Maintain a separate virtual switch for each security zone and ensure VM hosts bind to only the correct virtual NIC(s). C. Organize VM hosts into containers based on security zone and restrict access using an ACL. D. Require multi-factor authentication when accessing the console at the physical VM host.

Organize VM hosts into containers based on security zone and restrict access using an ACL.

A company is in the process of implementing a new front end user interface for its customers; the goal is to provide them with more self-service functionality. The application has been written by developers over the last six months and the project is currently in the test phase. Which of the following security activities should be implemented as part of the SDL in order to provide the MOST security coverage over the solution? (Select TWO). A. Perform unit testing of the binary code B. Perform code review over a sampling of the front end source code C. Perform black box penetration testing over the solution D. Perform grey box penetration testing over the solution E. Perform static code review over the front end source code

Perform grey box penetration testing over the solution & Perform static code review over the front end source code

A user is suspected of engaging in potentially illegal activities. Law enforcement has requested that the user continue to operate on the network as normal. However, they would like to have a copy of any communications from the user involving certain key terms. Additionally, the law enforcement agency has requested that the user's ongoing communication be retained in the user's account for future investigations. Which of the following will BEST meet the goals of law enforcement? A. Begin a chain of custody for the user's communication. Next, place a legal hold on the user's email account. B. Perform an e-discovery using the applicable search terms. Next, back up the user's email for a future investigation. C. Place a legal hold on the user's email account. Next, perform e-discovery searches to collect applicable emails. D. Perform a backup of the user's email account. Next, export the applicable emails that match the search terms.

Place a legal hold on the user's email account. Next, perform e-discovery searches to collect applicable emails.

A security policy states that all applications on the network must have a password length of eight characters. There are three legacy applications on the network that cannot meet this policy. One system will be upgraded in six months, and two are not expected to be upgraded or removed from the network. Which of the following processes should be followed? A. Establish a risk matrix B. Inherit the risk for six months C. Provide a business justification to avoid the risk D. Provide a business justification for a risk exception

Provide a business justification for a risk exception

A well-known retailer has experienced a massive credit card breach. The retailer had gone through an audit and had been presented with a potential problem on their network. Vendors were authenticating directly to the retailer's AD servers, and an improper firewall rule allowed pivoting from the AD server to the DMZ where credit card servers were kept. The firewall rule was needed for an internal application that was developed, which presents risk. The retailer determined that because the vendors were required to have site-to-site VPNs, no other security action was taken. To prove to the retailer the monetary value of this risk, which of the following types of calculation is needed? A. Residual Risk calculation B. A cost/benefit analysis C. Quantitative Risk Analysis D. Qualitative Risk Analysis

Quantitative Risk Analysis

The IT Security Analyst for a small organization is working on a customer's system and identifies a possible intrusion in a database that contains PII. Since PII is involved, the analyst wants to get the issue addressed as soon as possible. Which of the following is the FIRST step the analyst should take in mitigating the impact of the potential intrusion? A. Contact the local authorities so an investigation can be started as quickly as possible. B. Shut down the production network interfaces on the server and change all of the DBMS account passwords. C. Disable the front-end web server and notify the customer by email to determine how the customer would like to proceed. D. Refer the issue to management for handling according to the incident response process.

Refer the issue to management for handling according to the incident response process.

At a meeting, the systems administrator states the security controls a company wishes to implement seem excessive, since all of the information on the company's web servers can be obtained publicly and is not proprietary in any way. The next day the company's website is defaced as part of an SQL injection attack, and the company receives press inquiries about the message the attackers displayed on the website. Which of the following is the FIRST action the company should take? A. Refer to and follow procedures from the company's incident response plan. B. Call a press conference to explain that the company has been hacked. C. Establish chain of custody for all systems to which the systems administrator has access. D. Conduct a detailed forensic analysis of the compromised system. E. Inform the communications and marketing department of the attack details.

Refer to and follow procedures from the company's incident response plan.

A systems administrator establishes a CIFS share on a UNIX device to share data to Windows systems. The security authentication on the Windows domain is set to the highest level. Windows users are stating that they cannot authenticate to the UNIX share. Which of the following settings on the UNIX server would correct this problem? A. Refuse LM and only accept NTLMv2 B. Accept only LM C. Refuse NTLMv2 and accept LM D. Accept only NTLM

Refuse LM and only accept NTLMv2

The director of sales asked the development team for some small changes to increase the usability of an application used by the sales team. Prior security reviews of the code showed no significant vulnerabilities, and since the changes were small, they were given a peer review and then pushed to the live environment. Subsequent vulnerability scans now show numerous flaws that were not present in the previous versions of the code. Which of the following is an SDLC best practice that should have been followed? A. Versioning B. Regression testing C. Continuous integration D. Integration testing

Regression testing

Which of the following is an external pressure that causes companies to hire security assessors and penetration testers? A. Lack of adequate in-house testing skills. B. Requirements for geographically based assessments C. Cost reduction measures D. Regulatory insistence on independent reviews.

Regulatory insistence on independent reviews.

Company policy requires that all company laptops meet the following baseline requirements: Software requirements: Antivirus Anti-malware Anti-spyware Log monitoring Full-disk encryption Terminal services enabled for RDP Administrative access for local users Hardware restrictions: Bluetooth disabled FireWire disabled WiFi adapter disabled Ann, a web developer, reports performance issues with her laptop and is not able to access any network resources. After further investigation, a bootkit was discovered and it was trying to access external websites. Which of the following hardening techniques should be applied to mitigate this specific issue from reoccurring? (Select TWO). A. Group policy to limit web access B. Restrict VPN access for all mobile users C. Remove full-disk encryption D. Remove administrative access to local users E. Restrict/disable TELNET access to network resources F. Perform vulnerability scanning on a daily basis G. Restrict/disable USB access

Remove administrative access to local users; Restrict/disable USB access

Company ABC is hiring customer service representatives from Company XYZ. The representatives reside at Company XYZ's headquarters. Which of the following BEST prevents Company XYZ representatives from gaining access to unauthorized Company ABC systems? A. Require each Company XYZ employee to use an IPSec connection to the required systems B. Require Company XYZ employees to establish an encrypted VDI session to the required systems C. Require Company ABC employees to use two-factor authentication on the required systems D. Require a site-to-site VPN for intercompany communications

Require Company XYZ employees to establish an encrypted VDI session to the required systems

Joe is a security architect who is tasked with choosing a new NIPS platform that has the ability to perform SSL inspection, analyze up to 10Gbps of traffic, can be centrally managed and only reveals inspected application payload data to specified internal security employees. Which of the following steps should Joe take to reach the desired outcome? A. Research new technology vendors to look for potential products. Contribute to an RFP and then evaluate RFP responses to ensure that the vendor product meets all mandatory requirements. Test the product and make a product recommendation. B. Evaluate relevant RFC and ISO standards to choose an appropriate vendor product. Research industry surveys, interview existing customers of the product and then recommend that the product be purchased. C. Consider outsourcing the product evaluation and ongoing management to an outsourced provider on the basis that each of the requirements are met and a lower total cost of ownership (TCO) is achieved. D. Choose a popular NIPS product and then consider outsourcing the ongoing device management to a cloud provider. Give access to internal security employees so that they can inspect the application payload data. E. Ensure that the NIPS platform can also deal with recent technological advancements, such as threats emerging from social media, BYOD and cloud storage prior to purchasing the product.

Research new technology vendors to look for potential products. Contribute to an RFP and then evaluate RFP responses to ensure that the vendor product meets all mandatory requirements. Test the product and make a product recommendation.

An insurance company has an online quoting system for insurance premiums. It allows potential customers to fill in certain details about their car and obtain a quote. During an investigation, the following patterns were detected: Pattern 1 - Analysis of the logs identifies that insurance premium forms are being filled in but only single fields are incrementally being updated. Pattern 2 - For every quote completed, a new customer number is created; due to legacy systems, customer numbers are running out. Which of the following is the attack type the system is susceptible to, and what is the BEST way to defend against it? (Select TWO). A. Apply a hidden field that triggers a SIEM alert B. Cross site scripting attack C. Resource exhaustion attack D. Input a blacklist of all known BOT malware IPs into the firewall E. SQL injection F. Implement an inline WAF and integrate into SIEM G. Distributed denial of service H. Implement firewall rules to block the attacking IP addresses

Resource exhaustion attack; Implement an inline WAF and integrate into SIEM

A new piece of ransomware was installed on a company's backup server. It encrypted the hard drives containing the OS and backup application configuration but did not affect the deduplication data hard drives. During the incident response, the company finds that all backup tapes for this server are also corrupt. Which of the following is the PRIMARY concern? A. Determining how to install HIPS across all server platforms to prevent future incidents B. Preventing the ransomware from re-infecting the server upon restore C. Validating the integrity of the deduplicated data D. Restoring the data will be difficult without the application configuration

Restoring the data will be difficult without the application configuration

The network administrator at an enterprise reported a large data leak. One compromised server was used to aggregate data from several critical application servers and send it out to the Internet using HTTPS. Upon investigation, there have been no user logins over the previous week and the endpoint protection software is not reporting any issues. Which of the following BEST provides insight into where the compromised server collected the information? A. Review the flow data against each server's baseline communications profile. B. Configure the server logs to collect unusual activity including failed logins and restarted services. C. Correlate data loss prevention logs for anomalous communications from the server. D. Set up a packet capture on the firewall to collect all of the server communications.

Review the flow data against each server's baseline communications profile.

A new internal network segmentation solution will be implemented into the enterprise that consists of 200 internal firewalls. As part of running a pilot exercise, it was determined that it takes three changes to deploy a new application onto the network before it is operational. Security now has a significant effect on overall availability. Which of the following would be the FIRST process to perform as a result of these findings? A. Lower the SLA to a more tolerable level and perform a risk assessment to see if the solution could be met by another solution. Reuse the firewall infrastructure on other projects. B. Perform a cost benefit analysis and implement the solution as it stands as long as the risks are understood by the business owners around the availability issues. Decrease the current SLA expectations to match the new solution. C. Engage internal auditors to perform a review of the project to determine why and how the project did not meet the security requirements. As part of the review ask them to review the control effectiveness. D. Review to determine if control effectiveness is in line with the complexity of the solution. Determine if the requirements can be met with a simpler solution.

Review to determine if control effectiveness is in line with the complexity of the solution. Determine if the requirements can be met with a simpler solution.

As a result of an acquisition, a new development team is being integrated into the company. The development team has BYOD laptops with IDEs installed, build servers, and code repositories that utilize SaaS. To have the team up and running effectively, a separate Internet connection has been procured. A stand-up has identified the following additional requirements: 1. Reuse of the existing network infrastructure 2. Acceptable use policies to be enforced 3. Protection of sensitive files 4. Access to the corporate applications Which of the following solution components should be deployed to BEST meet the requirements? (Select three.) A. IPSec VPN B. HIDS C. Wireless controller D. Rights management E. SSL VPN F. NAC G. WAF H. Load balancer

Rights management; SSL VPN; NAC

A systems administrator recently joined an organization and has been asked to perform a security assessment of controls on the organization's file servers, which contain client data from a number of sensitive systems. The administrator needs to compare documented access requirements to the access implemented within the file system. Which of the following is MOST likely to be reviewed during the assessment? (Select two.) A. Access control list B. Security requirements traceability matrix C. Data owner matrix D. Roles matrix E. Data design document F. Data access policies

Roles matrix; Data access policies

An external red team is brought into an organization to perform a penetration test of a new network-based application. The organization deploying the network application wants the red team to act like remote, external attackers, and instructs the team to use a black-box approach. Which of the following is the BEST methodology for the red team to follow? A. Run a protocol analyzer to determine what traffic is flowing in and out of the server, and look for ways to alter the data stream that will result in information leakage or a system failure. B. Send out spear-phishing emails against users who are known to have access to the network-based application, so the red team can go on-site with valid credentials and use the software. C. Examine the application using a port scanner, then run a vulnerability scanner against open ports looking for known, exploitable weaknesses the application and related services may have. D. Ask for more details regarding the engagement using social engineering tactics in an attempt to get the organization to disclose more information about the network application to make attacks easier.

Run a protocol analyzer to determine what traffic is flowing in and out of the server, and look for ways to alter the data stream that will result in information leakage or a system failure.

A new cluster of virtual servers has been set up in a lab environment and must be audited before being allowed on the production network. The security manager needs to ensure unnecessary services are disabled and all system accounts are using strong credentials. Which of the following tools should be used? (Choose two.) A. Fuzzer B. SCAP scanner C. Packet analyzer D. Password cracker E. Network enumerator F. SIEM

SCAP scanner; SIEM

An insurance company has two million customers and is researching the top transactions on its customer portal. It identifies that the top transaction is currently password reset. Because users do not remember their secret questions, a large number of calls are consequently routed to the contact center for manual password resets. The business wants to develop a mobile application to improve customer engagement in the future, continue with a single factor of authentication, minimize management overhead of the solution, remove passwords, and eliminate calls to the contact center. Which of the following techniques would BEST meet the requirements? (Choose two.) A. Magic link sent to an email address B. Customer ID sent via push notification C. SMS with OTP sent to a mobile number D. Third-party social login E. Certificate sent to be installed on a device F. Hardware tokens sent to customers

SMS with OTP sent to a mobile number; Certificate sent to be installed on a device

A managed service provider is designing a log aggregation service for customers who no longer want to manage an internal SIEM infrastructure. The provider expects that customers will send all types of logs to them, and that log files could contain very sensitive entries. Customers have indicated they want on-premises and cloud-based infrastructure logs to be stored in this new service. An engineer, who is designing the new service, is deciding how to segment customers. Which of the following is the BEST statement for the engineer to take into consideration? A. Single-tenancy is often more expensive and has less efficient resource utilization. Multi-tenancy may increase the risk of cross-customer exposure in the event of service vulnerabilities. B. The managed service provider should outsource security of the platform to an existing cloud company. This will allow the new log service to be launched faster and with well-tested security controls. C. Due to the likelihood of large log volumes, the service provider should use a multi-tenancy model for the data storage tier, enable data deduplication for storage cost efficiencies, and encrypt data at rest. D. The most secure design approach would be to give customers on-premises appliances, install agents on endpoints, and then remotely manage the service via a VPN.

Single-tenancy is often more expensive and has less efficient resource utilization. Multi-tenancy may increase the risk of cross-customer exposure in the event of service vulnerabilities.

A security architect has been assigned to a new digital transformation program. The objectives are to provide better capabilities to customers and reduce costs. The program has highlighted the following requirements: * Long-lived sessions are required, as users do not log in very often. * The solution has multiple SPs, which include mobile and web applications. * A centralized IdP is utilized for all customer digital channels. * The applications provide different functionality types such as forums and customer portals. * The user experience needs to be the same across both mobile and web-based applications. Which of the following would BEST improve security while meeting these requirements? A. Social login to IdP, securely store the session cookies, and implement one-time passwords sent to the mobile device B. Certificate-based authentication to IdP, securely store access tokens, and implement secure push notifications. C. Username and password authentication to IdP, securely store refresh tokens, and implement context-aware authentication. D. Username and password authentication to SP, securely store Java web tokens, and implement SMS OTPs.

Social login to IdP, securely store the session cookies, and implement one-time passwords sent to the mobile device

The Chief Executive Officer (CEO) of a small start-up company wants to set up offices around the country for the sales staff to generate business. The company needs an effective communication solution to remain in constant contact with each other, while maintaining a secure business environment. A junior-level administrator suggests that the company and the sales staff stay connected via free social media. Which of the following decisions is BEST for the CEO to make? A. Social media is an effective solution because it is easily adaptable to new situations. B. Social media is an ineffective solution because the policy may not align with the business. C. Social media is an effective solution because it implements SSL encryption. D. Social media is an ineffective solution because it is not primarily intended for business applications.

Social media is an ineffective solution because the policy may not align with the business.

Ann, a systems engineer, is working to identify an unknown node on the corporate network. To begin her investigative work, she runs the following nmap command string: user@hostname:~$ sudo nmap -O 192.168.1.54 Based on the output, nmap is unable to identify the OS running on the node, but the following ports are open on the device: TCP/22 TCP/111 TCP/512-514 TCP/2049 TCP/32778 Based on this information, which of the following operating systems is MOST likely running on the unknown node? A. Linux B. Windows C. Solaris D. OSX

Solaris

A risk manager has decided to use likelihood and consequence to determine the risk of an event occurring to a company asset. Which of the following is a limitation of this approach to risk management? A. Subjective and based on an individual's experience. B. Requires a high degree of upfront work to gather environment details. C. Difficult to differentiate between high, medium, and low risks. D. Allows for cost and benefit analysis. E. Calculations can be extremely complex to manage.

Subjective and based on an individual's experience.

A security engineer is responsible for monitoring company applications for known vulnerabilities. Which of the following is a way to stay current on exploits and information security news? A. Update company policies and procedures B. Subscribe to security mailing lists C. Implement security awareness training D. Ensure that the organization vulnerability management plan is up-to-date

Subscribe to security mailing lists

A small company's Chief Executive Officer (CEO) has asked its Chief Security Officer (CSO) to improve the company's security posture quickly with regard to targeted attacks. Which of the following should the CSO conduct FIRST? A. Survey threat feeds from services inside the same industry. B. Purchase multiple threat feeds to ensure diversity and implement blocks for malicious traffic. C. Conduct an internal audit against industry best practices to perform a qualitative analysis. D. Deploy a UTM solution that receives frequent updates from a trusted industry vendor.

Survey threat feeds from services inside the same industry.

Which of the following is the GREATEST security concern with respect to BYOD? A. The filtering of sensitive data out of data flows at geographic boundaries. B. Removing potential bottlenecks in data transmission paths. C. The transfer of corporate data onto mobile corporate devices. D. The migration of data into and out of the network in an uncontrolled manner.

The migration of data into and out of the network in an uncontrolled manner.

The Chief Executive Officers (CEOs) from two different companies are discussing the highly sensitive prospect of merging their respective companies together. Both have invited their Chief Information Officers (CIOs) to discern how they can securely and digitally communicate, and the following criteria are collectively determined: * Must be encrypted on the email servers and clients * Must be OK to transmit over unsecure Internet connections Which of the following communication methods would be BEST to recommend? A. Force TLS between domains. B. Enable STARTTLS on both domains. C. Use PGP-encrypted emails. D. Switch both domains to utilize DNSSEC.

Switch both domains to utilize DNSSEC.

A medical device company is implementing a new COTS antivirus solution in its manufacturing plant. All validated machines and instruments must be retested for interoperability with the new software. Which of the following would BEST ensure the software and instruments are working as designed? A. System design documentation B. User acceptance testing C. Peer review D. Static code analysis testing E. Change control documentation

System design documentation

After being notified of an issue with the online shopping cart, where customers are able to arbitrarily change the price of listed items, a programmer analyzes the following piece of code used by a web based shopping cart. SELECT ITEM FROM CART WHERE ITEM=ADDSLASHES($USERINPUT); The programmer found that every time a user adds an item to the cart, a temporary file is created on the web server /tmp directory. The temporary file has a name which is generated by concatenating the content of the $USERINPUT variable and a timestamp in the form of MM-DD-YYYY, (e.g. smartphone-12-25-2013.tmp) containing the price of the item being purchased. Which of the following is MOST likely being exploited to manipulate the price of a shopping cart's items? A. Input validation B. SQL injection C. TOCTOU D. Session hijacking

TOCTOU

During a new desktop refresh, all hosts are hardened at the OS level before deployment to comply with policy. Six months later, the company is audited for compliance to regulations. The audit discovers that 40 percent of the desktops do not meet requirements. Which of the following is the MOST likely cause of the noncompliance? A. The devices are being modified and settings are being overridden in production. B. The patch management system is causing the devices to be noncompliant after issuing the latest patches. C. The desktop applications were configured with the default username and password. D. 40 percent of the devices use full disk encryption.

The devices are being modified and settings are being overridden in production.

An agency has implemented a data retention policy that requires tagging data according to type before storing it in the data repository. The policy requires all business emails be automatically deleted after two years. During an open records investigation, information was found on an employee's work computer concerning a conversation that occurred three years prior and proved damaging to the agency's reputation. Which of the following MOST likely caused the data leak? A. The employee manually changed the email client retention settings to prevent deletion of emails B. The file that contained the damaging information was mistagged and retained on the server for longer than it should have been C. The email was encrypted and an exception was put in place via the data classification application D. The employee saved a file on the computer's hard drive that contained archives of emails, which were more than two years old

The employee saved a file on the computer's hard drive that contained archives of emails, which were more than two years old

The administrator is troubleshooting availability issues on an FCoE-based storage array that uses deduplication. The single controller in the storage array has failed, so the administrator wants to move the drives to a storage array from a different manufacturer in order to access the data. Which of the following issues may potentially occur? A. The data may not be in a usable format. B. The new storage array is not FCoE based. C. The data may need a file system check. D. The new storage array also only has a single controller.

The new storage array is not FCoE based.

A newly hired security analyst has joined an established SOC team. Not long after going through corporate orientation, a new attack method on web-based applications was publicly revealed. The security analyst immediately brings this new information to the team lead, but the team lead is not concerned about it. Which of the following is the MOST likely reason for the team lead's position? A. The organization has accepted the risks associated with web-based threats. B. The attack type does not meet the organization's threat model. C. Web-based applications are on isolated network segments. D. Corporate policy states that NIPS signatures must be updated every hour.

The organization has accepted the risks associated with web-based threats.

A new web based application has been developed and deployed in production. A security engineer decides to use an HTTP interceptor for testing the application. Which of the following problems would MOST likely be uncovered by this tool? A. The tool could show that input validation was only enabled on the client side B. The tool could enumerate backend SQL database table and column names C. The tool could force HTTP methods such as DELETE that the server has denied D. The tool could fuzz the application to determine where memory leaks occur

The tool could show that input validation was only enabled on the client side

A malware infection spread to numerous workstations within the marketing department. The workstations were quarantined and replaced with machines. Which of the following represents a FINAL step in the prediction of the malware? A. The workstations should be isolated from the network. B. The workstations should be donated for refuse. C. The workstations should be reimaged D. The workstations should be patched and scanned.

The workstations should be reimaged

A security analyst is inspecting pseudocode of the following multithreaded application: 1. perform daily ETL of data 1.1 validate that yesterday's data model file exists 1.2 validate that today's data model file does not exist 1.2 extract yesterday's data model 1.3 transform the format 1.4 load the transformed data into today's data model file 1.5 exit Which of the following security concerns is evident in the above pseudocode? A. Time of check/time of use B. Resource exhaustion C. Improper storage of sensitive data D. Privilege escalation

Time of check/time of use

A Chief Information Officer (CIO) publicly announces the implementation of a new financial system. As part of a security assessment that includes a social engineering task, which of the following tasks should be conducted to demonstrate the BEST means to gain information to use for a report on social vulnerability details about the financial system?

Understand the CIO is a social drinker, and find the means to befriend the CIO at establishments the CIO frequents

A financial consulting firm recently recovered from some damaging incidents that were associated with malware installed via rootkit. Post-incident analysis is ongoing, and the incident responders and systems administrators are working to determine a strategy to reduce the risk of recurrence. The firm's systems are running modern operating systems and feature UEFI and TPMs. Which of the following technical options would provide the MOST preventive value? A. Update and deploy GPOs B. Configure and use measured boot C. Strengthen the password complexity requirements D. Update the antivirus software and definitions

Update the antivirus software and definitions

A small company is developing a new Internet-facing web application. The security requirements are: Users of the web application must be uniquely identified and authenticated. Users of the web application will not be added to the company's directory services. Passwords must not be stored in the code. Which of the following meets these requirements? A. Use OpenID and allow a third party to authenticate users. B. Use TLS with a shared client certificate for all users. C. Use SAML with federated directory services. D. Use Kerberos and browsers that support SAML.

Use OpenID and allow a third party to authenticate users.

An enterprise with global sites processes and exchanges highly sensitive information that is protected under several countries' arms trafficking laws. There is new information that malicious nation-state-sponsored activities are targeting the use of encryption between the geographically disparate sites. The organization currently employs ECDSA and ECDH with P-384, SHA-384, and AES-256-GCM on VPNs between sites. Which of the following techniques would MOST likely improve the resilience of the enterprise to attack on cryptographic implementation? A. Add a second-layer VPN from a different vendor between sites. B. Upgrade the cipher suite to use an authenticated AES mode of operation. C. Use a stronger elliptic curve cryptography algorithm. D. Implement an IDS with sensors inside (clear-text) and outside (cipher-text) of each tunnel between sites. E. Ensure cryptography modules are kept up to date from vendor supplying them.

Use a stronger elliptic curve cryptography algorithm.

A security engineer is designing a system in which offshore, outsourced staff can push code from the development environment to the production environment securely. The security engineer is concerned with data loss, while the business does not want to slow down its development process. Which of the following solutions BEST balances security requirements with business need? A. Set up a VDI environment that prevents copying and pasting to the local workstations of outsourced staff members B. Install a client-side VPN on the staff laptops and limit access to the development network C. Create an IPSec VPN tunnel from the development network to the office of the outsourced staff D. Use online collaboration tools to initiate workstation-sharing sessions with local staff who have access to the development network

Use online collaboration tools to initiate workstation-sharing sessions with local staff who have access to the development network

An external penetration tester compromised one of the client organization's authentication servers and retrieved the password database. Which of the following methods allows the penetration tester to MOST efficiently use any obtained administrative credentials on the client organization's other systems, without impacting the integrity of any of the systems? A. Use the pass the hash technique B. Use rainbow tables to crack the passwords C. Use the existing access to change the password D. Use social engineering to obtain the actual password

Use the pass the hash technique

A software development team has spent the last 18 months developing a new web-based front-end that will allow clients to check the status of their orders as they proceed through manufacturing. The marketing team schedules a launch party to present the new application to the client base in two weeks. Before the launch, the security team discovers numerous flaws that may introduce dangerous vulnerabilities, allowing direct access to a database used by manufacturing. The development team did not plan to remediate these vulnerabilities during development. Which of the following SDLC best practices should the development team have followed? A. Implementing regression testing B. Completing user acceptance testing C. Verifying system design documentation D. Using a SRTM

Using a SRTM

An engineer needs to provide access to company resources for several offshore contractors. The contractors require: * Access to a number of applications, including internal websites * Access to database data and the ability to manipulate it * The ability to log into Linux and Windows servers remotely Which of the following remote access technologies are the BEST choices to provide all of this access securely? (Choose two.) A. VTC B. VRRP C. VLAN D. VDI E. VPN F. Telnet

VDI, VPN

Which of the following system would be at the GREATEST risk of compromise if found to have an open vulnerability associated with perfect ... secrecy? A. Endpoints B. VPN concentrators C. Virtual hosts D. SIEM E. Layer 2 switches

VPN concentrators

There have been several exploits of critical devices within the network. However, there is currently no process to perform vulnerability analysis. Which of the following should the security analyst implement during production hours to identify critical threats and vulnerabilities? A. Asset inventory of all critical devices B. Vulnerability scanning frequency that does not interrupt workflow C. Daily automated reports of exploited devices D. Scanning of all types of data regardless of sensitivity levels

Vulnerability scanning frequency that does not interrupt workflow

The helpdesk department wants to roll out a remote support application for internal use on all company computers. This tool should allow remote desktop sharing, system log gathering, chat, hardware logging, inventory management, and remote registry access. The risk management team has been asked to review vendor responses to the RFQ. Which of the following questions is the MOST important? A. What are the protections against MITM? B. What accountability is built into the remote support application? C. What encryption standards are used in the tracking database? D. What snapshot or "undo" features are present in the application? E. What encryption standards are used in remote desktop and file transfer functionality?

What accountability is built into the remote support application?

A security analyst is attempting to break into a client's secure network. The analyst was not given prior information about the client, except for a block of public IP addresses that are currently in use. After network enumeration, the analyst's NEXT step is to perform: A. a gray-box penetration test B. a risk analysis C. a vulnerability assessment D. an external security audit E. a red team exercise

a gray-box penetration test

As part of an organization's compliance program, administrators must complete a hardening checklist and note any potential improvements. The process of noting improvements in the checklist is MOST likely driven by: A. the collection of data as part of the continuous monitoring program. B. adherence to policies associated with incident response. C. the organization's software development life cycle. D. changes in operating systems or industry trends.

the collection of data as part of the continuous monitoring program.

A security architect is designing a new infrastructure using both type 1 and type 2 virtual machines. In addition to the normal complement of security controls (e.g. antivirus, host hardening, HIPS/NIDS) the security architect needs to implement a mechanism to securely store cryptographic keys used to sign code and code modules on the VMs. Which of the following will meet this goal without requiring any hardware pass-through implementations? A. vTPM B. HSM C. TPM D. INE

vTPM
