CASPER


Wireless users are reporting issues with the company's video conferencing and VoIP systems. The security administrator notices internal DoS attacks from infected PCs on the network causing the VoIP system to drop calls. The security administrator also notices that the SIP servers are unavailable during these attacks. Which of the following security controls will MOST likely mitigate the VoIP DoS attacks on the network? (Select TWO). A. Install a HIPS on the SIP servers B. Configure 802.1X on the network C. Update the corporate firewall to block attacking addresses D. Configure 802.11e on the network E. Configure 802.1q on the network

A. Install a HIPS on the SIP servers E. Configure 802.1q on the network

The following has been discovered in an internally developed application: Error - Memory allocated but not freed: char *myBuffer = malloc(BUFFER_SIZE); if (myBuffer != NULL) { *myBuffer = STRING_WELCOME_MESSAGE; printf("Welcome to: %s\n", myBuffer); } exit(0); Which of the following security assessment methods are likely to reveal this security weakness? (Select TWO). A. Static code analysis B. Memory dumping C. Manual code review D. Application sandboxing E. Penetration testing F. Black box testing

A. Static code analysis C. Manual code review

An IT manager is concerned about the cost of implementing a web filtering solution in an effort to mitigate the risks associated with malware and resulting data leakage. Given that the ARO is twice per year, the ALE resulting from a data leak is $25,000 and the ALE after implementing the web filter is $15,000. The web filtering solution will cost the organization $10,000 per year. Which of the following values is the single loss expectancy of a data leakage event after implementing the web filtering solution? A. $0 B. $7,500 C. $10,000 D. $12,500 E. $15,000

B. $7,500

A system worth $100,000 has an exposure factor of eight percent and an ARO of four. Which of the following figures is the system's SLE? A. $2,000 B. $8,000 C. $12,000 D. $32,000

B. $8,000

A security engineer on a large enterprise network needs to schedule maintenance within a fixed window of time. A total outage period of four hours is permitted for servers. Workstations can undergo maintenance from 8:00 pm to 6:00 am daily. Which of the following can specify parameters for the maintenance work? (Select TWO). A. Managed security service B. Memorandum of understanding C. Quality of service D. Network service provider E. Operating level agreement

B. Memorandum of understanding E. Operating level agreement

An investigator wants to collect the most volatile data first in an incident to preserve the data that runs the highest risk of being lost. After memory, which of the following BEST represents the remaining order of volatility that the investigator should follow? A. File system information, swap files, network processes, system processes and raw disk blocks. B. Raw disk blocks, network processes, system processes, swap files and file system information. C. System processes, network processes, file system information, swap files and raw disk blocks. D. Raw disk blocks, swap files, network processes, system processes, and file system information.

C. System processes, network processes, file system information, swap files and raw disk blocks.

A forensics analyst suspects that a buffer overflow exists in a kernel module. The analyst executes the following command: dd if=/dev/ram of=/tmp/mem.dmp The analyst then reviews the associated output: ^34^`AAAAAAAAAAAAAAAAAAAAAAAAAAAAA/bin/bash^21^03`45 However, the analyst is unable to find any evidence of the running shell. Which of the following is the MOST likely reason the analyst cannot find a process ID for the shell? A. The NX bit is enabled. B. The system uses ASLR. C. The shell is obfuscated. D. The code uses dynamic libraries

C. The shell is obfuscated.

An administrator wishes to replace a legacy clinical software product as it has become a security risk. The legacy product generates $10,000 in revenue a month. The new software product has an initial cost of $180,000 and a yearly maintenance of $2,000 after the first year. However, it will generate $15,000 in revenue per month and be more secure. How many years until there is a return on investment for this new package? A. 1 B. 2 C. 3 D. 4

D. 4

A security administrator wants to calculate the ROI of a security design which includes the purchase of new equipment. The equipment costs $50,000 and it will take 50 hours to install and configure the equipment. The administrator plans to hire a contractor at a rate of $100/hour to do the installation. Given that the new design and equipment will allow the company to increase revenue and make an additional $100,000 on the first year, which of the following is the ROI expressed as a percentage for the first year? A. -45 percent B. 5.5 percent C. 45 percent D. 82 percent

D. 82 percent

The helpdesk is receiving multiple calls about slow and intermittent Internet access from the finance department. The following information is compiled: Caller 1, IP 172.16.35.217, NETMASK 255.255.254.0 Caller 2, IP 172.16.35.53, NETMASK 255.255.254.0 Caller 3, IP 172.16.35.173, NETMASK 255.255.254.0 All callers are connected to the same switch and are routed by a router with five built-in interfaces. The upstream router interface's MAC is 00-01-42-32-ab-1a A packet capture shows the following: 09:05:15.934840 arp reply 172.16.34.1 is-at 00:01:42:32:ab:1a (00:01:42:32:ab:1a) 09:06:16.124850 arp reply 172.16.34.1 is-at 00:01:42:32:ab:1a (00:01:42:32:ab:1a) 09:07:25.439811 arp reply 172.16.34.1 is-at 00:01:42:32:ab:1a (00:01:42:32:ab:1a) 09:08:10.937590 IP 172.16.35.1 > 172.16.35.255: ICMP echo request, id 2305, seq 1, length 65534 09:08:10.937591 IP 172.16.35.1 > 172.16.35.255: ICMP echo request, id 2306, seq 2, length 65534 09:08:10.937592 IP 172.16.35.1 > 172.16.35.255: ICMP echo request, id 2307, seq 3, length 65534 Which of the following is occurring on the network? A. A man-in-the-middle attack is underway on the network. B. An ARP flood attack is targeting at the router. C. The default gateway is being spoofed on the network. D. A denial of service attack is targeting at the router.

D. A denial of service attack is targeting at the router.

A company is facing penalties for failing to effectively comply with e-discovery requests. Which of the following could reduce the overall risk to the company from this issue? A. Establish a policy that only allows filesystem encryption and disallows the use of individual file encryption. B. Require each user to log passwords used for file encryption to a decentralized repository. C. Permit users to only encrypt individual files using their domain password and archive all old user passwords. D. Allow encryption only by tools that use public keys from the existing escrowed corporate PKI.

D. Allow encryption only by tools that use public keys from the existing escrowed corporate PKI.

Given the following output from a security tool in Kali: [12:17:41] dumping options: filename: </usr/share/sectools/scans> State: <8> lineo: <56> literals: <74> sequences: [34} symbols: [0} req_del: <200> mseq_len: <1024> plugin: <none> s_syms: <0> literal [1] =[jf2d43kaj4i9eahfh8fbiud8sd8sdhfdfdfhj9] Which of the following types of tools is being used? A. Log reduction B. Network enumerator C. Fuzzer D. SCAP scanner

D. SCAP scanner

A newly hired systems administrator is trying to connect a new and fully updated, but very customized, Android device to access corporate resources. However, the MDM enrollment process continually fails. The administrator asks a security team member to look into the issue. Which of the following is the MOST likely reason the MDM is not allowing enrollment? A. The OS version is not compatible B. The OEM is prohibited C. The device does not support FDE D. The device is rooted

D. The device is rooted

After the install process, a software application executed an online activation process. After a few months, the system experienced a hardware failure. A backup image of the system was restored on a newer revision of the same brand and model device. After the restore, the specialized application no longer works. Which of the following is the MOST likely cause of the problem? A. The binary files used by the application have been modified by malware. B. The application is unable to perform remote attestation due to blocked ports. C. The restored image backup was encrypted with the wrong key. D. The hash key summary of hardware and installed software no longer match.

D. The hash key summary of hardware and installed software no longer match.

The risk manager at a small bank wants to use quantitative analysis to determine the ALE of running a business system at a location which is subject to fires during the year. A risk analyst reports to the risk manager that the asset value of the business system is $120,000 and, based on industry data, the exposure factor to fires is only 20% due to the fire suppression system installed at the site. Fires occur in the area on average every four years. Which of the following is the ALE? A. $6,000 B. $24,000 C. $30,000 D. $96,000

A. $6,000

An engineer is configuring a web server that will host sensitive web applications for users. During configuration, the engineer is prompted to select the cipher suite components for TLS. The combination of which of the following component algorithms is necessary to implement the MOST secure cipher suite secrecy? (Select THREE). A. AES-256-GCM B. ECDSA-384 C. 3DES D. SHA-1 E. ECDHE F. AES-CBC G. DES-CBC3

A. AES-256-GCM B. ECDSA-384 E. ECDHE

A security firm is writing a response to an RFP from a customer that is building a new network based software product. The firm's expertise is in penetration testing corporate networks. The RFP explicitly calls for all possible behaviors of the product to be tested; however, it does not specify any particular method to achieve this goal. Which of the following should be used to ensure the security and functionality of the product? (Select TWO) A. Code review B. Penetration testing C. Grey box testing D. Code signing E. White box testing

A. Code review E. White box testing

A security manager is looking into the following vendor proposal for a cloud-based SIEM solution. The intention is that the cost of the SIEM solution will be justified by having reduced the number of incidents and therefore saving on the amount spent investigating incidents. Proposal: External cloud-based software as a service subscription costing $5,000 per month. Expected to reduce the number of current incidents per annum by 50%. The company currently has ten security incidents per annum at an average cost of $10,000 per incident. Which of the following is the ROI for this proposal after three years? A. -$30,000 B. $120,000 C. $150,000 D. $180,000

A. -$30,000

The senior security administrator wants to redesign the company DMZ to minimize the risks associated with both external and internal threats. The DMZ design must support security in depth, change management and configuration processes, and support incident reconstruction. Which of the following designs BEST supports the given requirements? A. A dual firewall DMZ with remote logging where each firewall is managed by a separate administrator. B. A single firewall DMZ where each firewall interface is managed by a separate administrator and logging to the cloud. C. A SaaS based firewall which logs to the company's local storage via SSL, and is managed by the change control team. D. A virtualized firewall, where each virtual instance is managed by a separate administrator and logging to the same hardware.

A. A dual firewall DMZ with remote logging where each firewall is managed by a separate administrator.

The Information Security Officer (ISO) believes that the company has been targeted by cybercriminals and it is under a cyber-attack. Internal services that are normally available to the public via the Internet are inaccessible, and employees in the office are unable to browse the Internet. The senior security engineer starts by reviewing the bandwidth at the border router, and notices that the incoming bandwidth on the router's external interface is maxed out. The security engineer then inspects the following piece of log to try and determine the reason for the downtime, focusing on the company's external router's IP which is 128.20.176.19: 11:16:22.110343 IP 90.237.31.27.19 > 128.20.176.19.19: UDP, length 1400 11:16:22.110351 IP 23.27.112.200.19 > 128.20.176.19.19: UDP, length 1400 11:16:22.110358 IP 192.200.132.213.19 > 128.20.176.19.19: UDP, length 1400 11:16:22.110402 IP 70.192.2.55.19 > 128.20.176.19.19: UDP, length 1400 11:16:22.110406 IP 112.201.7.39.19 > 128.20.176.19.19: UDP, length 1400 Which of the following describes the findings the senior security engineer should report to the ISO and the BEST solution for service restoration? A. After the senior engineer used a network analyzer to identify an active Fraggle attack, the company's ISP should be contacted and instructed to block the malicious packets. B. After the senior engineer used the above IPS logs to detect the ongoing DDOS attack, an IPS filter should be enabled to block the attack and restore communication. C. After the senior engineer used a mirror port to capture the ongoing amplification attack, a BGP sinkhole should be configured to drop traffic at the source networks. D. After the senior engineer used a packet capture to identify an active Smurf attack, an ACL should be placed on the company's external router to block incoming UDP port 19 traffic.

A. After the senior engineer used a network analyzer to identify an active Fraggle attack, the company's ISP should be contacted and instructed to block the malicious packets.

A completely new class of web-based vulnerabilities has been discovered. Claims have been made that all common web-based development frameworks are susceptible to attack. Proof-of-concept details have emerged on the Internet. A security advisor within a company has been asked to provide recommendations on how to respond quickly to these vulnerabilities. Which of the following BEST describes how the security advisor should respond? A. Assess the reliability of the information source, likelihood of exploitability, and impact to hosted data. Attempt to exploit via the proof-of-concept code. Consider remediation options. B. Hire an independent security consulting agency to perform a penetration test of the web servers. Advise management of any 'high' or 'critical' penetration test findings and put forward recommendations for mitigation. C. Review vulnerability write-ups posted on the Internet. Respond to management with a recommendation to wait until the news has been independently verified by software vendors providing the web application software. D. Notify all customers about the threat to their hosted data. Bring the web servers down into "maintenance mode" until the vulnerability can be reliably mitigated through a vendor patch.

A. Assess the reliability of the information source, likelihood of exploitability, and impact to hosted data. Attempt to exploit via the proof-of-concept code. Consider remediation options.

A Chief Information Security Officer (CISO) has requested that a SIEM solution be implemented. The CISO wants to know upfront what the projected TCO would be before looking further into this concern. Two vendor proposals have been received: Vendor A: product-based solution which can be purchased by the pharmaceutical company. Capital expenses to cover central log collectors, correlators, storage and management consoles expected to be $150,000. Operational expenses are expected to be a 0.5 full time employee (FTE) to manage the solution, and 1 full time employee to respond to incidents per year. Vendor B: managed service-based solution which can be the outsourcer for the pharmaceutical company's needs. Bundled offering expected to be $100,000 per year. Operational expenses for the pharmaceutical company to partner with the vendor are expected to be a 0.5 FTE per year. Internal employee costs are averaged to be $80,000 per year per FTE. Based on calculating TCO of the two vendor proposals over a 5 year period, which of the following options is MOST accurate? A. Based on cost alone, having an outsourced solution appears cheaper. B. Based on cost alone, having an outsourced solution appears to be more expensive. C. Based on cost alone, both outsourced and in-sourced solutions appear to be the same. D. Based on cost alone, having a purchased product solution appears cheaper.

A. Based on cost alone, having an outsourced solution appears cheaper.

To prepare for an upcoming audit, the Chief Information Security Officer (CISO) asks for all 1200 vulnerabilities of production servers to be remediated. The security engineer must determine which vulnerabilities represent real threats that can be exploited so resources can be prioritized to mitigate the most dangerous risks. The CISO wants the security engineer to act in the same manner as would an external threat, while using vulnerability scan results to prioritize any actions. Which of the following approaches is being described? A. Blue team B. Red team C. Black box D. White team

A. Blue team

Red Teams are external entities brought in to test the effectiveness of a security program. Blue Teams refer to the internal security team that defends against both real attackers and Red Teams. Purple Teams are ideally superfluous groups that exist to ensure and maximize the effectiveness of the Red and Blue teams.

Which of the following would be used in forensic analysis of a compromised Linux system? (Select THREE). A. Check log files for logins from unauthorized IPs. B. Check /proc/kmem for fragmented memory segments. C. Check for unencrypted passwords in /etc/shadow. D. Check timestamps for files modified around time of compromise. E. Use lsof to determine files with future timestamps. F. Use gpg to encrypt compromised data files. G. Verify the MD5 checksum of system binaries. H. Use vmstat to look for excessive disk I/O.

A. Check log files for logins from unauthorized IPs. D. Check timestamps for files modified around time of compromise. G. Verify the MD5 checksum of system binaries.

An organization has recently deployed an EDR solution across its laptops, desktops, and server infrastructure. The organization's server infrastructure is deployed in an IaaS environment. A database within the nonproduction environment has been misconfigured with a routable IP and is communicating with a command and control server. Which of the following procedures should the security responder apply to the situation? (Select TWO). A. Contain the server B. Initiate a legal hold C. Perform a risk assessment D. Determine the data handling standard E. Disclose the breach to customers F. Perform an IOC sweep to determine impact

A. Contain the server F. Perform an IOC (Indicators of Compromise) sweep to determine impact

Legal counsel has notified the information security manager of a legal matter that will require the preservation of electronic records for 2000 sales force employees. Source records will be email, PC, network shares, and applications. After all restrictions have been lifted, which of the following should the information manager review? A. Data retention policy B. Legal hold C. Chain of custody D. Scope statement

A. Data retention policy

A small retail company recently deployed a new point of sale (POS) system to all 67 stores. The core of the POS is an extranet site, accessible only from retail stores and the corporate office over a split-tunnel VPN. An additional split-tunnel VPN provides bi-directional connectivity back to the main office, which provides voice connectivity for store VoIP phones. Each store offers guest wireless functionality, as well as employee wireless. Only the staff wireless network has access to the POS VPN. Recently, stores are reporting poor response times when accessing the POS application from store computers as well as degraded voice quality when making phone calls. Upon investigation, it is determined that three store PCs are hosting malware, which is generating excessive network traffic. After malware removal, the information security department is asked to review the configuration and suggest changes to prevent this from happening again. Which of the following denotes the BEST way to mitigate future malware risk? A. Deploy new perimeter firewalls at all stores with UTM functionality. B. Change antivirus vendors at the store and the corporate office. C. Move to a VDI solution that runs offsite from the same data center that hosts the new POS solution. D. Deploy a proxy server with content filtering at the corporate office and route all traffic through it.

A. Deploy new perimeter firewalls at all stores with UTM functionality.

A security administrator is helping to troubleshoot a developer's testing environment. The developer has a local copy of a website, but testing always gives 403 errors. A directory listing of the admin's directory shows: ls -l /home/admin -rwxr-x--- 23 admin admin 235 index.html -rwxr-x--- 5 admin admin 125 style.css -rwxr-x--- 7 admin admin 412 form.php A review of the audit log shows: avc:denied { read write search } for pid 37024 comm="httpd" name="admin" dev=sdal ino=1377215 scontext=system_d:system_r:httpd:t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 Which of the following should the security administrator do to correct the developer's local environment? (Select TWO). A. Enable the http_enable_homedirs boolean security setting B. Enable the write permission for the admin group on the files C. Restart the httpd service with mod_security enabled D. Change the file ownership to the web service service account E. Run the command and then perform a reboot F. Set the document root directive to http to /home/admin

A. Enable the http_enable_homedirs boolean security setting E. Run the command and then perform a reboot

A security engineer is a new member to a configuration board at the request of management. The company has two new major IT projects starting this year and wants to plan security into the application deployment. The board is primarily concerned with the applications' compliance with federal assessment and authorization standards. The security engineer asks for a timeline to determine when a security assessment of both applications should occur and does not attend subsequent configuration board meetings. If the security engineer is only going to perform a security assessment, which of the following steps in system authorization has the security engineer omitted? A. Establish the security control baseline B. Build the application according to software development security standards C. Review the results of user acceptance testing D. Consult with the stakeholders to determine which standards can be omitted

A. Establish the security control baseline

An intruder was recently discovered inside the data center, a highly sensitive area. To gain access, the intruder circumvented numerous layers of physical and electronic security measures. Company leadership has asked for a thorough review of physical security controls to prevent this from happening again. Which of the following departments are the MOST heavily invested in rectifying the problem? (Select THREE). A. Facilities management B. Human resources C. Research and development D. Programming E. Data center operations F. Marketing G. Information technology

A. Facilities management E. Data center operations G. Information technology

A large enterprise acquires another company which uses antivirus from a different vendor. The CISO has requested that data feeds from the two different antivirus platforms be combined in a way that allows management to assess and rate the overall effectiveness of antivirus across the entire organization. Which of the following tools can BEST meet the CISO's requirement? A. GRC B. IPS C. CMDB D. Syslog-ng E. IDS

A. GRC

An administrator believes that the web servers are being flooded with excessive traffic from time to time. The administrator suspects that these traffic floods correspond to when a competitor makes major announcements. Which of the following should the administrator do to prove this theory? A. Implement data analytics to try and correlate the occurrence times. B. Implement a honey pot to capture traffic during the next attack. C. Configure the servers for high availability to handle the additional bandwidth. D. Log all traffic coming from the competitor's public IP addresses.

A. Implement data analytics to try and correlate the occurrence times.

A security researcher is gathering information about a recent spike in the number of targeted attacks against multinational banks. The spike is on top of already sustained attacks against the banks. Some of the previous attacks have resulted in the loss of sensitive data, but as of yet the attackers have not successfully stolen any funds. Based on the information available to the researcher, which of the following is the MOST likely threat profile? A. Nation-state-sponsored attackers conducting espionage for strategic gain B. Insiders seeking to gain access to funds for illicit purposes C. Opportunists seeking notoriety and fame for personal gain D. Hacktivists seeking to make a political statement because of socio-economic factors

A. Nation-state-sponsored attackers conducting espionage for strategic gain

Company policy requires that all unsupported operating systems be removed from the network. The security administrator is using a combination of network based tools to identify such systems for the purpose of disconnecting them from the network. Which of the following tools, or outputs from the tools in use, can be used to help the security administrator make an approximate determination of the operating system in use on the local company network? (Select THREE). A. Passive banner grabbing B. Password cracker C.http://www.company.org/documents_private/index.php?#search=string#&topic=windows&tcp=packet%20 capture&cookie=wokdjwalkjcnie61lkasdf2aliser4 D. 443/tcp open http E. dig host.company.com F. 09:18:16.262743 IP (tos 0x0, ttl 64, id 9870, offset 0, flags [none], proto TCP (6), length 40) 192.168.1.3.1051 > 10.46.3.7.80: Flags [none], cksum 0x1800 (correct), win 512, length 0 G. Nmap

A. Passive banner grabbing F. 09:18:16.262743 IP (tos 0x0, ttl 64, id 9870, offset 0, flags [none], proto TCP (6), length 40) 192.168.1.3.1051 > 10.46.3.7.80: Flags [none], cksum 0x1800 (correct), win 512, length 0 G. Nmap

An organization's Chief Financial Officer (CFO) was the target of several different social engineering attacks recently. The CFO has subsequently worked closely with the Chief Information Security Officer (CISO) to increase awareness of what attacks may look like. An unexpected email arrives in the CFO's inbox from a familiar name with an attachment. Which of the following should the CISO task a security analyst with to determine whether or not the attachment is safe? A. Place it in a malware sandbox. B. Perform a code review of the attachment. C. Conduct a memory dump of the CFO's PC. D. Run a vulnerability scan on the email server.

A. Place it in a malware sandbox.

A large hospital has implemented BYOD to allow doctors and specialists the ability to access patient medical records on their tablets. The doctors and specialists access patient records over the hospital's guest WiFi network which is isolated from the internal network with appropriate security controls. The patient records management system can be accessed from the guest network and requires two-factor authentication. Using a remote desktop type interface, the doctors and specialists can interact with the hospital's system. Cut and paste and printing functions are disabled to prevent the copying of data to BYOD devices. Which of the following are of MOST concern? (Select TWO). A. Privacy could be compromised as patient records can be viewed in uncontrolled areas. B. Device encryption has not been enabled and will result in a greater likelihood of data loss. C. The guest WiFi may be exploited allowing non-authorized individuals access to confidential patient data. D. Malware may be on BYOD devices which can extract data via key logging and screen scrapes. E. Remote wiping of devices should be enabled to ensure any lost device is rendered inoperable.

A. Privacy could be compromised as patient records can be viewed in uncontrolled areas. D. Malware may be on BYOD devices which can extract data via key logging and screen scrapes.

Joe is a security architect who is tasked with choosing a new NIPS platform that has the ability to perform SSL inspection, analyze up to 10Gbps of traffic, can be centrally managed and only reveals inspected application payload data to specified internal security employees. Which of the following steps should Joe take to reach the desired outcome? A. Research new technology vendors to look for potential products. Contribute to an RFP and then evaluate RFP responses to ensure that the vendor product meets all mandatory requirements. Test the product and make a product recommendation. B. Evaluate relevant RFC and ISO standards to choose an appropriate vendor product. Research industry surveys, interview existing customers of the product and then recommend that the product be purchased. C. Consider outsourcing the product evaluation and ongoing management to an outsourced provider on the basis that each of the requirements are met and a lower total cost of ownership (TCO) is achieved. D. Choose a popular NIPS product and then consider outsourcing the ongoing device management to a cloud provider. Give access to internal security employees so that they can inspect the application payload data. E. Ensure that the NIPS platform can also deal with recent technological advancements, such as threats emerging from social media, BYOD and cloud storage prior to purchasing the product.

A. Research new technology vendors to look for potential products. Contribute to an RFP and then evaluate RFP responses to ensure that the vendor product meets all mandatory requirements. Test the product and make a product recommendation.

The source workstation image for new accounting PCs has begun blue-screening. A technician notices that the date/time stamp of the image source appears to have changed. The desktop support director has asked the Information Security department to determine if any changes were made to the source image. Which of the following methods would BEST help with this process? (Select TWO). A. Retrieve source system image from backup and run file comparison analysis on the two images. B. Parse all images to determine if extra data is hidden using steganography. C. Calculate a new hash and compare it with the previously captured image hash. D. Ask desktop support if any changes to the images were made. E. Check key system files to see if date/time stamp is in the past six months.

A. Retrieve source system image from backup and run file comparison analysis on the two images. C. Calculate a new hash and compare it with the previously captured image hash.

The network administrator at an enterprise reported a large data leak. One compromised server was used to aggregate data from several critical application servers and send it out to the Internet using HTTPS. Upon investigation, there have been no user logins over the previous week and the endpoint protection software is not reporting any issues. Which of the following BEST provides insight into where the compromised server collected the information? A. Review the flow data against each server's baseline communications profile. B. Configure the server logs to collect unusual activity including failed logins and restarted services. C. Correlate data loss prevention logs for anomalous communications from the server. D. Setup a packet capture on the firewall to collect all of the server communications.

A. Review the flow data against each server's baseline communications profile.

A risk manager has decided to use likelihood and consequence to determine the risk of an event occurring to a company asset. Which of the following is a limitation of this approach to risk management? A. Subjective and based on an individual's experience. B. Requires a high degree of upfront work to gather environment details. C. Difficult to differentiate between high, medium, and low risks. D. Allows for cost and benefit analysis. E. Calculations can be extremely complex to manage.

A. Subjective and based on an individual's experience.

A small company's Chief Executive Officer (CEO) has asked its Chief Security Officer (CSO) to improve the company's security posture quickly with regard to targeted attacks. Which of the following should the CSO conduct FIRST? A. Survey threat feeds from services inside the same industry. B. Purchase multiple threat feeds to ensure diversity and implement blocks for malicious traffic. C. Conduct an internal audit against industry best practices to perform a qualitative analysis. D. Deploy a UTM solution that receives frequent updates from a trusted industry vendor.

A. Survey threat feeds from services inside the same industry.

A new web based application has been developed and deployed in production. A security engineer decides to use an HTTP interceptor for testing the application. Which of the following problems would MOST likely be uncovered by this tool? A. The tool could show that input validation was only enabled on the client side B. The tool could enumerate backend SQL database table and column names C. The tool could force HTTP methods such as DELETE that the server has denied D. The tool could fuzz the application to determine where memory leaks occur

A. The tool could show that input validation was only enabled on the client side

A security consultant is conducting a network assessment and wishes to discover any legacy backup Internet connections the network may have. Where would the consultant find this information and why would it be valuable? A. This information can be found in global routing tables, and is valuable because backup connections typically do not have perimeter protection as strong as the primary connection. B. This information can be found by calling the regional Internet registry, and is valuable because backup connections typically do not require VPN access to the network. C. This information can be found by accessing telecom billing records, and is valuable because backup connections typically have much lower latency than primary connections. D. This information can be found by querying the network's DNS servers, and is valuable because backup DNS servers typically allow recursive queries from Internet hosts.

A. This information can be found in global routing tables, and is valuable because backup connections typically do not have perimeter protection as strong as the primary connection.

An external penetration tester compromised one of the client organization's authentication servers and retrieved the password database. Which of the following methods allows the penetration tester to MOST efficiently use any obtained administrative credentials on the client organization's other systems, without impacting the integrity of any of the systems? A. Use the pass the hash technique B. Use rainbow tables to crack the passwords C. Use the existing access to change the password D. Use social engineering to obtain the actual password

A. Use the pass the hash technique

A red team leader is performing OSINT activities on a target asset before attempting to socially engineer an administrator working at the target. Which of the following should the tester check FIRST to determine the target's upstream network providers and network prefixes? A. Social media profiles B. BGP looking glass C. Whois records D. DNS entries E. Search engine results F. Online technical forums

B. BGP looking glass

Customers are receiving emails containing a link to malicious software. These emails are subverting spam filters. The email reads as follows:
Delivered-To: [email protected]
Received: by 10.14.120.205 Mon, 1 Nov 2010 11:15:24 -0700 (PDT)
Received: by 10.231.31.193 Mon, 01 Nov 2010 11:15:23 -0700 (PDT)
Return-Path: <[email protected]>
Received: from 127.0.0.1 for <[email protected]>; Mon, 1 Nov 2010 13:15:14 -0500 (envelopefrom <[email protected]>)
Received: by smtpex.example.com (SMTP READY) with ESMTP (AIO); Mon, 01 Nov 2010 13:15:14 -0500
Received: from 172.18.45.122 by 192.168.2.55; Mon, 1 Nov 2010 13:15:14 -0500
From: Company <[email protected]>
To: "[email protected]" <[email protected]>
Date: Mon, 1 Nov 2010 13:15:11 -0500
Subject: New Insurance Application
Thread-Topic: New Insurance Application
Please download and install software from the site below to maintain full access to your account. www.examplesite.com
Additional information: The authorized mail servers' IPs are 192.168.2.10 and 192.168.2.11. The network's subnet is 192.168.2.0/25. Which of the following are the MOST appropriate courses of action a security administrator could take to eliminate this risk? (Select TWO). A. Identify the origination point for malicious activity on the unauthorized mail server. B. Block port 25 on the firewall for all unauthorized mail servers. C. Disable open relay functionality. D. Shut down the SMTP service on the unauthorized mail server. E. Enable STARTTLS on the spam filter.

B. Block port 25 on the firewall for all unauthorized mail servers. D. Shut down the SMTP service on the unauthorized mail server.

An organization has established the following controls matrix:
                        Minimum                       Moderate         High
Physical Security       Cylinder Lock                 Cipher Lock      Proximity Access Card
Environmental Security  Surge Protector               UPS              Generator
Data Security           Context-Based Authentication  MFA              FDE
Application Security    Peer Review                   Static Analysis  Penetration Testing
Logical Security        HIDS                          NIDS             NIPS
The following control sets have been defined by the organization and are applied in aggregate fashion: Systems containing PII are protected with the minimum control set. Systems containing medical data are protected at the moderate level. Systems containing cardholder data are protected at the high level. The organization is preparing to deploy a system that protects the confidentiality of a database containing PII and medical data from clients. Based on the controls classification, which of the following controls would BEST meet these requirements? A. Proximity card access to the server room, context-based authentication, UPS, and full-disk encryption for the database server B. Cipher lock on the server room door, FDE, surge protector, and static analysis of all application code C. Peer review of all application changes, static analysis of application code, UPS, and penetration testing of the complete system D. Intrusion detection capabilities, network-based IPS, generator, and context-based authentication.

B. Cipher lock on the server room door, FDE, surge protector, and static analysis of all application code

A company sales manager received a memo from the company's financial department which stated that the company would not be putting its software products through the same security testing as previous years to reduce the research and development cost by 20 percent for the upcoming year. The memo also stated that the marketing material and service level agreement for each product would remain unchanged. The sales manager has reviewed the sales goals for the upcoming year and identified an increased target across the software products that will be affected by the financial department's change. All software products will continue to go through new development in the coming year. Which of the following should the sales manager do to ensure the company stays out of trouble? A. Discuss the issue with the software product's user groups B. Consult the company's legal department on practices and law C. Contact senior finance management and provide background information D. Seek industry outreach for software practices and law

B. Consult the company's legal department on practices and law

A security administrator notices a recent increase in workstations becoming compromised by malware. Often, the malware is delivered via drive-by downloads, from malware hosting websites, and is not being detected by the corporate antivirus. Which of the following solutions would provide the BEST protection for the company? A. Increase the frequency of antivirus downloads and install updates to all workstations. B. Deploy a cloud-based content filter and enable the appropriate category to prevent further infections. C. Deploy a WAF to inspect and block all web traffic which may contain malware and exploits. D. Deploy a web based gateway antivirus server to intercept viruses before they enter the network.

B. Deploy a cloud-based content filter and enable the appropriate category to prevent further infections.

It has come to the IT administrator's attention that the "post your comment" field on the company blog page has been exploited, resulting in cross-site scripting attacks against customers reading the blog. Which of the following would be the MOST effective at preventing the "post your comment" field from being exploited? A. Update the blog page to HTTPS B. Filter metacharacters C. Install HIDS on the server D. Patch the web application E. Perform client side input validation

B. Filter metacharacters

A company has issued a new mobile device policy permitting BYOD and company-issued devices. The company-issued device has a managed middleware client that restricts the applications allowed on company devices and provides those that are approved. The middleware client provides configuration standardization for both company owned and BYOD to secure data and communication to the device according to industry best practices. The policy states that, "BYOD clients must meet the company's infrastructure requirements to permit a connection." The company also issues a memorandum separate from the policy, which provides instructions for the purchase, installation, and use of the middleware client on BYOD. Which of the following is being described? A. Asset management B. IT governance C. Change management D. Transference of risk

B. IT governance

A critical system audit shows that the payroll system is not meeting security policy due to missing OS security patches. Upon further review, it appears that the system is not being patched at all. The vendor states that the system is only supported on the current OS patch level. Which of the following compensating controls should be used to mitigate the vulnerability of missing OS patches on this system? A. Isolate the system on a secure network to limit its contact with other systems B. Implement an application layer firewall to protect the payroll system interface C. Monitor the system's security log for unauthorized access to the payroll application D. Perform reconciliation of all payroll transactions on a daily basis

B. Implement an application layer firewall to protect the payroll system interface

News outlets are beginning to report on a number of retail establishments that are experiencing payment card data breaches. The data exfiltration is enabled by malware on a compromised computer. After the initial exploit, network mapping and fingerprinting are conducted to prepare for further exploitation. Which of the following is the MOST effective solution to protect against unrecognized malware infections? A. Remove local admin permissions from all users and change anti-virus to a cloud aware, push technology. B. Implement an application whitelist at all levels of the organization. C. Deploy a network based heuristic IDS, configure all layer 3 switches to feed data to the IDS for more effective monitoring. D. Update router configuration to pass all network traffic through a new proxy server with advanced malware detection.

B. Implement an application whitelist at all levels of the organization.

A security auditor suspects two employees of having devised a scheme to steal money from the company. While one employee submits purchase orders for personal items, the other employee approves these purchase orders. The auditor has contacted the human resources director with suggestions on how to detect such illegal activities. Which of the following should the human resources director implement to identify the employees involved in these activities and reduce the risk of this activity occurring in the future? A. Background checks B. Job rotation C. Least privilege D. Employee termination procedures

B. Job rotation

A security engineer is working on a large software development project. As part of the design of the project, various stakeholder requirements were gathered and decomposed to an implementable and testable level. Various security requirements were also documented. Organize the following security requirements into the correct hierarchy required for an SRTM. Requirement 1: The system shall provide confidentiality for data in transit and data at rest. Requirement 2: The system shall use SSL, SSH, or SCP for all data transport. Requirement 3: The system shall implement a file-level encryption scheme. Requirement 4: The system shall provide integrity for all data at rest. Requirement 5: The system shall perform CRC checks on all files. A. Level 1: Requirements 1 and 4; Level 2: Requirements 2, 3, and 5 B. Level 1: Requirements 1 and 4; Level 2: Requirements 2 and 3 under 1, Requirement 5 under 4 C. Level 1: Requirements 1 and 4; Level 2: Requirement 2 under 1, Requirement 5 under 4; Level 3: Requirement 3 under 2 D. Level 1: Requirements 1, 2, and 3; Level 2: Requirements 4 and 5

B. Level 1: Requirements 1 and 4; Level 2: Requirements 2 and 3 under 1, Requirement 5 under 4

The Chief Executive Officer (CEO) of a small start-up company wants to set up offices around the country for the sales staff to generate business. The company needs an effective communication solution to remain in constant contact with each other, while maintaining a secure business environment. A junior-level administrator suggests that the company and the sales staff stay connected via free social media. Which of the following decisions is BEST for the CEO to make? A. Social media is an effective solution because it is easily adaptable to new situations. B. Social media is an ineffective solution because the policy may not align with the business. C. Social media is an effective solution because it implements SSL encryption. D. Social media is an ineffective solution because it is not primarily intended for business applications.

B. Social media is an ineffective solution because the policy may not align with the business.

A new cluster of virtual servers has been set up in a lab environment and must be audited before being allowed on the production network. The security manager needs to ensure unnecessary services are disabled and all system accounts are using strong credentials. Which of the following tools should be used? (Select TWO). A. Fuzzer B. SCAP scanner C. Packet analyzer D. Password cracker E. Network enumerator F. SIEM

B. SCAP scanner D. Password cracker

An organization is in the process of integrating its operational technology and information technology areas. As part of the integration, some of the cultural aspects it would like to see include more efficient use of resources during change windows, better protection of critical infrastructure, and the ability to respond to incidents. The following observations have been identified:
1. The ICS supplier has specified that any software installed will result in lack of support.
2. There is no documented trust boundary defined between the SCADA and corporate networks.
3. Operational technology staff have to manage the SCADA equipment via the engineering workstation.
4. There is a lack of understanding of what is within the SCADA network.
Which of the following capabilities would BEST improve the security position? A. VNC, router, and HIPS B. SIEM, VPN, firewall C. Proxy, VPN, WAF D. IDS, NAC, and log monitoring

B. SIEM, VPN, firewall

The latest independent research shows that cyber attacks involving SCADA systems grew an average of 15% per year in each of the last four years, but that this year's growth has slowed to around 7%. Over the same time period, the number of attacks against applications has decreased or stayed flat each year. At the start of the measure period, the incidence of PC boot loader or BIOS based attacks was negligible. Starting two years ago, the growth in the number of PC boot loader attacks has grown exponentially. Analysis of these trends would seem to suggest which of the following strategies should be employed? A. Spending on SCADA protections should stay steady; application control spending should increase substantially and spending on PC boot loader controls should increase substantially. B. Spending on SCADA security controls should stay steady; application control spending should decrease slightly and spending on PC boot loader protections should increase substantially. C. Spending on all controls should increase by 15% to start; spending on application controls should be suspended, and PC boot loader protection research should increase by 100%. D. Spending on SCADA security controls should increase by 15%; application control spending should increase slightly, and spending on PC boot loader protections should remain steady.

B. Spending on SCADA security controls should stay steady; application control spending should decrease slightly and spending on PC boot loader protections should increase substantially.

A security engineer is responsible for monitoring company applications for known vulnerabilities. Which of the following is a way to stay current on exploits and information security news? A. Update company policies and procedures B. Subscribe to security mailing lists C. Implement security awareness training D. Ensure that the organization vulnerability management plan is up-to-date

B. Subscribe to security mailing lists

The Chief Executive Officer (CEO) of a company that allows telecommuting has challenged the Chief Security Officer's (CSO) request to harden the corporate network's perimeter. The CEO argues that the company cannot protect its employees at home, so the risk at work is no different. Which of the following BEST explains why this company should proceed with protecting its corporate network boundary? A. The corporate network is the only network that is audited by regulators and customers. B. The aggregation of employees on a corporate network makes it a more valuable target for attackers. C. Home networks are unknown to attackers and less likely to be targeted directly. D. Employees are more likely to be using personal computers for general web browsing when they are at home.

B. The aggregation of employees on a corporate network makes it a more valuable target for attackers.

Since the implementation of IPv6 on the company network, the security administrator has been unable to identify the users associated with certain devices utilizing IPv6 addresses, even when the devices are centrally managed.
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	ether f8:1e:af:ab:10:a3
	inet6 fw80::fa1e:dfff:fee6:9d8%en1 prefixlen 64 scopeid 0x5
	inet 192.168.1.14 netmask 0xffffff00 broadcast 192.168.1.255
	inet6 2001:200:5:922:1035:dfff:fee6:9dfe prefixlen 64 autoconf
	inet6 2001:200:5:922:10ab:5e21:aa9a:6393 prefixlen 64 autoconf temporary
	nd6 options=1<PERFORMNUD>
	media: autoselect
	status: active
Given this output, which of the following protocols is in use by the company and what can the system administrator do to positively map users with IPv6 addresses in the future? (Select TWO). A. The devices use EUI-64 format B. The routers implement NDP C. The network implements 6to4 tunneling D. The router IPv6 advertisement has been disabled E. The administrator must disable IPv6 tunneling F. The administrator must disable the mobile IPv6 router flag G. The administrator must disable the IPv6 privacy extensions H. The administrator must disable DHCPv6 option code 1

B. The routers implement NDP G. The administrator must disable the IPv6 privacy extensions

The helpdesk department desires to roll out a remote support application for internal use on all company computers. This tool should allow remote desktop sharing, system log gathering, chat, hardware logging, inventory management, and remote registry access. The risk management team has been asked to review vendor responses to the RFQ. Which of the following questions is the MOST important? A. What are the protections against MITM? B. What accountability is built into the remote support application? C. What encryption standards are used in tracking database? D. What snapshot or "undo" features are present in the application? E. What encryption standards are used in remote desktop and file transfer functionality?

B. What accountability is built into the remote support application?

A security officer is attempting to discover if the company is utilizing databases on client machines to store customer data. The consultant reviews the following information:
Protocol  Local Address      Foreign Address    Status
TCP       127.0.0.1          172.16.10.101:25   Connection established
TCP       127.0.0.1          172.16.20.45:443   Connection established
UDP       127.0.0.1          172.16.20.80:53    Waiting listening
TCP       172.16.10.10:1433  172.16.10.34       Connection established
Which of the following commands would have provided this output? A. arp -s B. netstat -a C. ifconfig -arp D. sqlmap -w

B. netstat -a

An accountant at a small business is trying to understand the value of a server to determine if the business can afford to buy another server for DR. The risk manager only provided the accountant with the SLE of $24,000, ARO of 20% and the exposure factor of 25%. Which of the following is the correct asset value calculated by the accountant? A. $4,800 B. $24,000 C. $96,000 D. $120,000

C. $96,000

There have been some failures of the company's internal facing website. A security engineer has found the WAF to be the root cause of the failures. System logs show that the WAF has been unavailable for 14 hours over the past month, in four separate situations. One of these situations was a two hour scheduled maintenance time, aimed at improving the stability of the WAF. Using the MTTR based on the last month's performance figures, which of the following calculations is the percentage of uptime assuming there were 722 hours in the month? A. 92.24 percent B. 98.06 percent C. 98.34 percent D. 99.72 percent

C. 98.34 percent

A large company is preparing to merge with a smaller company. The smaller company has been very profitable, but the smaller company's main applications were created in-house. Which of the following actions should the large company's security administrator take in preparation for the merger? A. A review of the mitigations implemented from the most recent audit findings of the smaller company should be performed. B. An ROI calculation should be performed to determine which company's application should be used. C. A security assessment should be performed to establish the risks of integration or co-existence. D. A regression test should be performed on the in-house software to determine security risks associated with the software.

C. A security assessment should be performed to establish the risks of integration or co-existence.

A threat advisory alert was just emailed to the IT security staff. The alert references specific types of host operating systems that can allow an unauthorized person to access files on a system remotely. A fix was recently published, but it requires a recent endpoint protection engine to be installed prior to running the fix. Which of the following MOST likely need to be configured to ensure the systems are mitigated accordingly? (Select TWO). A. Antivirus B. HIPS C. Application whitelisting D. Patch Management E. Group policy implementation F. Firmware updates

C. Application whitelisting D. Patch Management

Following a recent data breach, a company has hired a new Chief Information Security Officer (CISO). The CISO is very concerned about the response time to the previous breach and wishes to know how the security team expects to react to a future attack. Which of the following is the BEST method to achieve this goal while minimizing disruption? A. Perform a black box assessment. B. Hire an external red team audit. C. Conduct a tabletop exercise. D. Recreate the previous breach. E. Conduct an external vulnerability assessment.

C. Conduct a tabletop exercise.

A web services company is planning a one-time high-profile event to be hosted on the corporate website. An outage, due to an attack, would be publicly embarrassing, so Joe, the Chief Executive Officer (CEO), has requested that his security engineers put temporary preventive controls in place. Which of the following would MOST appropriately address Joe's concerns? A. Ensure web services hosting the event use TCP cookies and deny_hosts. B. Configure an intrusion prevention system that blocks IPs after detecting too many incomplete sessions. C. Contract and configure scrubbing services with third-party DDoS mitigation providers. D. Purchase additional bandwidth from the company's Internet service provider.

C. Contract and configure scrubbing services with third-party DDoS mitigation providers.

An organization has decided to reduce labor costs by outsourcing back office processing of credit applications to a provider located in another country. Data sovereignty and privacy concerns raised by the security team resulted in the third-party provider only accessing and processing the data via remote desktop sessions. To facilitate communications and improve productivity, staff at the third party has been provided with corporate email accounts that are only accessible via the remote desktop sessions. Email forwarding is blocked and staff at the third party can only communicate with staff within the organization. Which of the following additional controls should be implemented to prevent data loss? (Select THREE) A. Implement hashing of data in transit B. Session recording and capture C. Disable cross session cut and paste D. Monitor approved credit accounts E. User access audit reviews F. Source IP whitelisting

C. Disable cross session cut and paste E. User access audit reviews F. Source IP whitelisting

During a recent audit of servers, a company discovered that a network administrator, who required remote access, had deployed an unauthorized remote access application that communicated over common ports already allowed through the firewall. A network scan showed that this remote access application had already been installed on one third of the servers in the company. Which of the following is the MOST appropriate action that the company should take to provide a more appropriate solution? A. Implement an IPS to block the application on the network B. Implement the remote application out to the rest of the servers C. Implement SSL VPN with SAML standards for federation D. Implement an ACL on the firewall with NAT for remote access

C. Implement SSL VPN with SAML standards for federation

An internal staff member logs into an ERP platform and clicks on a record. The browser URL changes to: URL: http//192.168.0.100/ERP/accountId=5&action=SELECT Which of the following is the MOST likely vulnerability in this ERP platform? A. Brute forcing of account credentials B. Plain-text credentials transmitted over the Internet C. Insecure direct object reference D. SQL injection of ERP back end

C. Insecure direct object reference

The helpdesk manager wants to find a solution that will enable the helpdesk staff to better serve company employees who call with computer-related problems. The helpdesk staff is currently unable to perform effective troubleshooting and relies on callers to describe their technology problems. Given that the helpdesk staff is located within the company headquarters and 90% of the callers are telecommuters, which of the following tools should the helpdesk manager use to make the staff more effective at troubleshooting while at the same time reducing company costs? (Select TWO) A. Web cameras B. Email C. Instant messaging D. BYOD E. Desktop sharing F. Presence

C. Instant messaging E. Desktop sharing

The finance department for an online shopping website has discovered that a number of customers were able to purchase goods and services without any payments. Further analysis conducted by the security investigations team indicated that the website allowed customers to update a payment amount for shipping. A specially crafted value could be entered and cause a rollover, resulting in the shipping cost being subtracted from the balance and in some instances resulting in a negative balance. As a result, the system processed the negative balance as zero dollars. Which of the following BEST describes the application issue? A. Race condition B. Click-jacking C. Integer overflow D. Use after free E. SQL injection

C. Integer overflow

Company XYZ has purchased and is now deploying a new HTML5 application. The company wants to hire a penetration tester to evaluate the security of the client and server components of the proprietary web application before launch. Which of the following is the penetration tester MOST likely to use while performing black box testing of the security of the company's purchased application? (Select TWO) A. Code review B. Sandbox C. Local proxy D. Fuzzer E. Port scanner

C. Local proxy D. Fuzzer

The Chief Information Security Officer (CISO) at a company knows that many users store business documents on public cloud-based storage, and realizes this is a risk to the company. In response, the CISO implements a mandatory training course in which all employees are instructed on the proper use of cloud-based storage. Which of the following risk strategies did the CISO implement? A. Avoid B. Accept C. Mitigate D. Transfer

C. Mitigate

A user is suspected of engaging in potentially illegal activities. Law enforcement has requested that the user continue to operate on the network as normal. However, they would like to have a copy of any communications from the user involving certain key terms. Additionally, the law enforcement agency has requested that the user's ongoing communication be retained in the user's account for future investigations. Which of the following will BEST meet the goals of law enforcement? A. Begin a chain of custody for the user's communication. Next, place a legal hold on the user's email account. B. Perform an e-discovery search using the applicable search terms. Next, back up the user's email for a future investigation. C. Place a legal hold on the user's email account. Next, perform e-discovery searches to collect applicable emails. D. Perform a backup of the user's email account. Next, export the applicable emails that match the search terms.

C. Place a legal hold on the user's email account. Next, perform e-discovery searches to collect applicable emails.

The technology steering committee is struggling with increased requirements stemming from an increase in telecommuting. The organization has not addressed telecommuting in the past. The implementation of a new SSL-VPN and a VOIP phone solution enables personnel to work from remote locations with corporate assets. Which of the following steps must the committee take FIRST to outline senior management's directives? A. Develop an information classification scheme that will properly secure data on corporate systems. B. Implement database views and constrained interfaces so remote users will be unable to access PII from personal equipment. C. Publish a policy that addresses the security requirements for working remotely with company equipment. D. Work with mid-level managers to identify and document the proper procedures for telecommuting.

C. Publish a policy that addresses the security requirements for working remotely with company equipment.

A well-known retailer has experienced a massive credit card breach. The retailer had gone through an audit and had been presented with a potential problem on their network. Vendors were authenticating directly to the retailer's AD servers, and an improper firewall rule allowed pivoting from the AD server to the DMZ where credit card servers were kept. The firewall rule was needed for an internal application that was developed, which presents risk. The retailer determined that because the vendors were required to have site-to-site VPNs, no other security action was taken. To prove to the retailer the monetary value of this risk, which of the following types of calculations is needed? A. Residual Risk calculation B. A cost/benefit analysis C. Quantitative Risk Analysis D. Qualitative Risk Analysis

C. Quantitative Risk Analysis

Ann, a systems engineer, is working to identify an unknown node on the corporate network. To begin her investigative work, she runs the following nmap command string: user@hostname:~$ sudo nmap -O 192.168.1.54. Based on the output, nmap is unable to identify the OS running on the node, but the following ports are open on the device: TCP/22, TCP/111, TCP/512-514, TCP/2049, TCP/32778. Based on this information, which of the following operating systems is MOST likely running on the unknown node? A. Linux B. Windows C. Solaris D. OSX

C. Solaris

An insurance company has an online quoting system for insurance premiums. It allows potential customers to fill in certain details about their car and obtain a quote. During an investigation, the following patterns were detected: Pattern 1 - Analysis of the logs identifies that insurance premium forms are being filled in but only single fields are incrementally being updated. Pattern 2 - For every quote completed, a new customer number is created; due to legacy systems, customer numbers are running out. Which of the following is the attack type the system is susceptible to, and what is the BEST way to defend against it? (Select TWO). A. Apply a hidden field that triggers a SIEM alert B. Cross site scripting attack C. Resource exhaustion attack D. Input a blacklist of all known BOT malware IPs into the firewall E. SQL injection F. Implement an inline WAF and integrate into SIEM G. Distributed denial of service H. Implement firewall rules to block the attacking IP addresses

C. Resource exhaustion attack F. Implement an inline WAF and integrate into SIEM

A firm's Chief Executive Officer (CEO) is concerned that IT staff lacks the knowledge to identify complex vulnerabilities that may exist in a payment system being internally developed. The payment system being developed will be sold to a number of organizations and is in direct competition with another leading product. The CEO highlighted that code base confidentiality is of critical importance to allow the company to exceed the competition in terms of the product's reliability, stability, and performance. Which of the following would provide the MOST thorough testing and satisfy the CEO's requirements? A. Sign a MOU with a marketing firm to preserve the company reputation and use in-house resources for random testing. B. Sign a BPA with a small software consulting firm and use the firm to perform Black box testing and address all findings. C. Sign a NDA with a large security consulting firm and use the firm to perform Grey box testing and address all findings. D. Use the most qualified and senior developers on the project to perform a variety of White box testing and code reviews.

C. Sign a NDA with a large security consulting firm and use the firm to perform Grey box testing and address all findings.

In a situation where data is to be recovered from an attacker's location, which of the following are the FIRST things to capture? (Select TWO). A. Removable media B. Passwords written on scrap paper C. Snapshots of data on the monitor D. Documents on the printer E. Volatile system memory F. System hard drive

C. Snapshots of data on the monitor E. Volatile system memory

An analyst connects to a company web conference hosted on www.webconference.com/meetingID`01234 and observes that numerous guests have been allowed to join, without providing identifying information. The topics covered during the web conference are considered proprietary to the company. Which of the following security concerns does the analyst present to management? A. Guest users could present a risk to the integrity of the company's information. B. Authenticated users could sponsor guest access that was previously approved by management. C. Unauthenticated users could present a risk to the confidentiality of the company's information. D. Meeting owners could sponsor guest access if they have passed a background check.

C. Unauthenticated users could present a risk to the confidentiality of the company's information.

Which of the following activities is commonly deemed "OUT OF SCOPE" when undertaking a penetration test? A. Test password complexity of all login fields and input validation of form fields B. Reverse engineering any thick client software that has been provided for the test C. Undertaking network-based denial of service attacks in production environment D. Attempting to perform blind SQL injection and reflected cross-site scripting attacks E. Running a vulnerability scanning tool to assess network and host weaknesses

C. Undertaking network-based denial of service attacks in production environment

A company has received the contract to begin developing a new suite of software tools to replace an aging collaboration solution. The original collaboration solution has been in place for nine years, contains over a million lines of code, and took over two years to develop originally. The SDLC has been broken up into eight primary stages, with each stage requiring an in-depth risk analysis before moving on to the next phase. Which of the following software development methods is MOST applicable? A. Spiral model B. Incremental model C. Waterfall model D. Agile model

C. Waterfall model

A regional business is expecting a severe winter storm next week. The IT staff has been reviewing corporate policies on how to handle various situations and found some are missing or incomplete. After reporting this gap in documentation to the information security manager, a document is immediately drafted to move various personnel to other locations to avoid downtime in operations. This is an example of: A. a disaster recovery plan. B. an incident response plan. C. a business continuity plan. D. a risk avoidance plan.

C. a business continuity plan.

A software project manager has been provided with a requirement from the customer to place limits on the types of transactions a given user can initiate without external interaction from another user with elevated privileges. This requirement is BEST described as an implementation of: A. an administrative control B. dual control C. separation of duties D. least privilege E. collusion

C. separation of duties

A human resources manager at a software development company has been tasked with recruiting personnel for a new cyber defense division in the company. This division will require personnel to have high technology skills and industry certifications. Which of the following is the BEST method for this manager to gain insight into this industry to execute the task? A. Interview candidates, attend training, and hire a staffing company that specializes in technology jobs B. Interview employees and managers to discover the industry hot topics and trends C. Attend meetings with staff, internal training, and become certified in software management D. Attend conferences, webinars, and training to remain current with the industry and job requirements

D. Attend conferences, webinars, and training to remain current with the industry and job requirements

The Chief Information Security Officer (CISO) is asking for ways to protect against zero-day exploits. The CISO is concerned that an unrecognized threat could compromise corporate data and result in regulatory fines as well as poor corporate publicity. The network is mostly flat, with split staff/guest wireless functionality. Which of the following equipment MUST be deployed to guard against unknown threats? A. Cloud-based antivirus solution, running as local admin, with push technology for definition updates. B. Implementation of an offsite data center hosting all company data, as well as deployment of VDI for all client computing needs. C. Host based heuristic IPS, segregated on a management VLAN, with direct control of the perimeter firewall ACLs. D. Behavior based IPS with a communication link to a cloud based vulnerability and threat feed.

D. Behavior based IPS with a communication link to a cloud based vulnerability and threat feed.

A security analyst, Ann, states that she believes Internet facing file transfer servers are being attacked. Which of the following is evidence that would aid Ann in making a case to management that action needs to be taken to safeguard these servers? A. Provide a report of all the IP addresses that are connecting to the systems and their locations B. Establish alerts at a certain threshold to notify the analyst of high activity C. Provide a report showing the file transfer logs of the servers D. Compare the current activity to the baseline of normal activity

D. Compare the current activity to the baseline of normal activity

A member of the software development team has requested advice from the security team to implement a new secure lab for testing malware. Which of the following is the NEXT step that the security team should take? A. Purchase new hardware to keep the malware isolated. B. Develop a policy to outline what will be required in the secure lab. C. Construct a series of VMs to host the malware environment. D. Create a proposal and present it to management for approval.

D. Create a proposal and present it to management for approval.

A security officer is leading a lessons learned meeting. Which of the following should be components of that meeting? (Select TWO) A. Demonstration of IPS system B. Review vendor selection process C. Calculate the ALE for the event D. Discussion of event timeline E. Assigning of follow up items

D. Discussion of event timeline. E. Assigning of follow up items.

A network administrator with a company's NSP has received a CERT alert for targeted adversarial behavior at the company. In addition to the company's physical security, which of the following can the network administrator use to detect the presence of a malicious actor physically accessing the company's network or information systems from within? (Select TWO) A. RAS B. Vulnerability scanner C. HTTP intercept D. HIDS E. Port scanner F. Protocol analyzer

D. HIDS F. Protocol analyzer

An attacker attempts to create a DoS event against the VoIP system of a company. The attacker uses a tool to flood the network with a large number of SIP INVITE traffic. Which of the following would be LEAST likely to thwart such an attack? A. Install IDS/IPS systems on the network B. Force all SIP communication to be encrypted C. Create separate VLANs for voice and data traffic D. Implement QoS parameters on the switches

D. Implement QoS parameters on the switches

A software development manager is running a project using agile development methods. The company cybersecurity engineer has noticed a high number of vulnerabilities have been making it into production code on the project. Which of the following methods could be used in addition to an integrated development environment to reduce the severity of the issue? A. Conduct a penetration test on each function as it is developed. B. Develop a set of basic checks for common coding errors. C. Adopt a waterfall method of software development. D. Implement unit tests that incorporate static code analyzers.

D. Implement unit tests that incorporate static code analyzers.

A security administrator is assessing a new application. The application uses an API that is supposed to encrypt text strings that are stored in memory. How might the administrator test that the strings are indeed encrypted in memory? A. Use fuzzing techniques to examine application inputs B. Run nmap to attach to application memory C. Use a packet analyzer to inspect the strings D. Initiate a core dump of the application E. Use an HTTP interceptor to capture the text strings

D. Initiate a core dump of the application

A mature organization with legacy information systems has incorporated numerous new processes and dependencies to manage security as its networks and infrastructure are modernized. The Chief Information Officer has become increasingly frustrated with frequent releases, stating that the organization needs everything to work completely, and the vendor should already have those desires built into the software product. The vendor has been in constant communication with personnel and groups within the organization to understand its business process and capture new software requirements from users. Which of the following methods of software development is this organization's configuration management process using? A. Agile B. SDL C. Waterfall D. JAD (Joint Application Development)

D. JAD (Joint Application Development)

A security manager looked at various logs while investigating a recent security breach in the data center from an external source. Each log below was collected from various security devices compiled from a report through the company's security information and event management server. Log 1: Feb 5 23:55:37.743: %SEC-6-IPACCESSLOGS: list 10 denied 10.2.5.81 3 packets Log 2: HTTP://www.company.com/index.php?user=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa Log 3: Security Error Alert Event ID 50: The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client Log 4: Encoder oe = new OracleEncoder(); String query = "Select user_id FROM user_data WHERE user_name = ' " + oe.encode(req.getParameter("userID")) + " ' and user_password = ' " + oe.encode(req.getParameter("pwd")) + " ' "; Vulnerabilities: Buffer overflow, SQL injection, ACL. Which of the following logs and vulnerabilities would MOST likely be related to the security breach? (Select TWO). A. Log 1 B. Log 2 C. Log 3 D. Log 4 E. Buffer overflow F. ACL G. XSS H. SQL injection

D. Log 4 H. SQL injection

A security architect is determining the best solution for a new project. The project is developing a new intranet with advanced authentication capabilities, SSO for users, and automated provisioning to streamline Day 1 access to systems. The security architect has identified the following requirements: 1. Information should be sourced from the trusted master data source. 2. There must be future requirements for identity proofing of devices and users. 3. A generic identity connector that can be reused must be developed. 4. The current project scope is for internally hosted applications only. Which of the following solution building blocks should the security architect use to BEST meet the requirement? A. LDAP, multifactor authentication, oAuth, XACML B. AD, certificate-based authentication, Kerberos, SPML C. SAML, context-aware authentication, oAuth, WAYF D. NAC, radius, 802.1x, centralized active directory

D. NAC, radius, 802.1x, centralized active directory

A bank is initiating the process of acquiring another smaller bank. Before negotiations happen between the organizations, which of the following business documents would be used as the FIRST step in the process? A. MOU B. OLA C. BPA D. NDA

D. NDA

The security engineer receives an incident ticket from the helpdesk stating that DNS lookup requests are no longer working from the office. The network team has ensured that Layer 2 and Layer 3 connectivity are working. Which of the following tools would a security engineer use to make sure the DNS server is listening on port 53? A. PING B. NESSUS C. NSLOOKUP D. NMAP

D. NMAP

The Chief Executive Officer (CEO) of an Internet service provider (ISP) has decided to limit the company's contribution to worldwide Distributed Denial of Service (DDoS) attacks. Which of the following should the ISP implement? (Select TWO) A. Block traffic from the ISP's networks destined for blacklisted IPs. B. Prevent the ISP's customers from querying DNS servers other than those hosted by the ISP. C. Scan the ISP's customer networks using an up-to-date vulnerability scanner. D. Notify customers when services they run are involved in an attack. E. Block traffic with an IP source not allocated to customers from exiting the ISP's network.

D. Notify customers when services they run are involved in an attack. E. Block traffic with an IP source not allocated to customers from exiting the ISP's network.

An assessor identifies automated methods for identifying security control compliance through validating sensors at the endpoint and at Tier 2. Which of the following practices satisfy continuous monitoring of authorized information systems? A. Independent verification and validation B. Security test and evaluation C. Risk assessment D. Ongoing authorization

D. Ongoing authorization

A company's goal is to provide them with more self-service functionality. The application has been written by developers over the last six months and the project is currently in the test phase. Which of the following security activities should be implemented as part of the SDL in order to provide the MOST security coverage over the solution? (Select TWO) A. Perform unit testing of the binary code B. Perform code review over a sampling of the front end source code C. Perform black box penetration testing over the solution D. Perform grey box penetration testing over the solution E. Perform static code review over the front end source code

D. Perform grey box penetration testing over the solution E. Perform static code review over the front end source code

A security policy states that all applications on the network must have a password length of eight characters. There are three legacy applications on the network that cannot meet this policy. One system will be upgraded in six months, and two are not expected to be upgraded or removed from the network. Which of the following processes should be followed? A. Establish a risk matrix B. Inherit the risk for six months C. Provide a business justification to avoid the risk D. Provide a business justification for a risk exception

D. Provide a business justification for a risk exception

The IT Security Analyst for a small organization is working on a customer's system and identifies a possible intrusion in a database that contains PII. Since PII is involved, the analyst wants to get the issue addressed as soon as possible. Which of the following is the FIRST step the analyst should take in mitigating the impact of the potential intrusion? A. Contact the local authorities so an investigation can be started as quickly as possible. B. Shut down the production network interfaces on the server and change all of the DBMS account passwords. C. Disable the front-end web server and notify the customer by email to determine how the customer would like to proceed. D. Refer the issue to management for handling according to the incident response process.

D. Refer the issue to management for handling according to the incident response process.

Which of the following is an external pressure that causes companies to hire security assessors and penetration testers? A. Lack of adequate in-house testing skills B. Requirements for geographically based assessments C. Cost reduction measures D. Regulatory insistence on independent reviews

D. Regulatory insistence on independent reviews

Company policy requires that all company laptops meet the following baseline requirements: Software requirements: Antivirus, Anti-malware, Anti-spyware, Log monitoring, Full-disk encryption, Terminal services enabled for RDP, Administrative access for local users. Hardware restrictions: Bluetooth, FireWire, WiFi adapter disabled. Ann, a web developer, reports performance issues with her laptop and is not able to access any network resources. After further investigation, a bootkit was discovered and it was trying to access external websites. Which of the following hardening techniques should be applied to mitigate this specific issue from reoccurring? (Select TWO). A. Group policy to limit web access B. Restrict VPN access for all mobile users C. Remove full-disk encryption D. Remove administrative access to local users E. Restrict/disable TELNET access to network resources F. Perform vulnerability scanning on a daily basis G. Restrict/disable USB access

D. Remove administrative access to local users G. Restrict/disable USB access

A new internal network segmentation solution will be implemented into the enterprise that consists of 200 internal firewalls. As part of running a pilot exercise, it was determined that it takes three changes to deploy a new application onto the network before it is operational. Security now has a significant effect on overall availability. Which of the following would be the FIRST process to perform as a result of these findings? A. Lower the SLA to a more tolerable level and perform a risk assessment to see if the solution could be met by another solution. Reuse the firewall infrastructure on other projects. B. Perform a cost benefit analysis and implement the solution as it stands as long as the risks are understood by the business owners around the availability issues. Decrease the current SLA expectations to match the new solution. C. Engage internal auditors to perform a review of the project to determine why and how the project did not meet the security requirements. As part of the review ask them to review the control effectiveness. D. Review to determine if control effectiveness is in line with the complexity of the solution. Determine if the requirements can be met with a simpler solution.

D. Review to determine if control effectiveness is in line with the complexity of the solution. Determine if the requirements can be met with a simpler solution.

A Chief Financial Officer (CFO) has raised concerns with the Chief Information Security Officer (CISO) because money has been spent on IT security infrastructure, but corporate assets are still found to be vulnerable. The business recently funded a patch management product and SOE hardening initiative. A third party auditor reported findings against the business because some systems were missing patches. Which of the following statements BEST describes this situation? A. The CFO is at fault because they are responsible for patching the systems and have already been given patch management and SOE hardening products. B. The audit findings are invalid because remedial steps have already been applied to patch servers and the remediation takes time to complete. C. The CISO has not selected the correct controls and the audit findings should be assigned to them instead of the CFO. D. Security controls are generally never 100% effective and gaps should be explained to stakeholders and managed accordingly.

D. Security controls are generally never 100% effective and gaps should be explained to stakeholders and managed accordingly.

The Information Security Officer (ISO) is reviewing a summary of the findings from the last COOP tabletop exercise. The Chief Information Officer (CIO) wants to determine which additional controls must be implemented to reduce the risk of an extended customer service outage due to the VoIP system being unavailable. Which of the following BEST describes the scenario presented and the document the ISO is reviewing? A. The ISO is evaluating the business implications of a recent telephone system failure within the BIA. B. The ISO is investigating the impact of a possible downtime of the messaging system within the RA. C. The ISO is calculating the budget adjustment needed to ensure audio/video system redundancy within the RFQ. D. The ISO is assessing the effect of a simulated downtime involving the telecommunication system within the AAR.

D. The ISO is assessing the effect of a simulated downtime involving the telecommunication system within the AAR.

A security analyst is troubleshooting a scenario in which an operator should only be allowed to reboot remote hosts but not perform other activities. The analyst inspects the following portions of different configuration files: Configuration file 1 (sudoers): operator ALL=/sbin/reboot Configuration file 2 (authorized_keys): command="/sbin/shutdown now",no-X11-forwarding,no-pty ssh-dss Configuration file 3 (passwd): operator:x:1000:1000::/home/operator:/bin/bash Which of the following explains why an intended operator cannot perform the intended action? A. The sudoers file is locked down to an innocent command. B. SSH command shell restrictions are misconfigured. C. The passwd file is misconfigured. D. The SSH command is not allowing a pty session.

D. The SSH command is not allowing a pty session.

Due to compliance regulations, a company requires a yearly penetration test. The Chief Information Security Officer (CISO) has asked that it be done under a black box methodology. Which of the following would be the advantage of conducting this kind of penetration test? A. The risk of unplanned server outages is reduced. B. Using documentation provided to them, the pen-test organization can quickly determine areas to focus on. C. The results will show an in-depth view of the network and should help pin-point areas of internal weakness. D. The results should reflect what attackers may be able to learn about the company.

D. The results should reflect what attackers may be able to learn about the company.

The DLP solution has been showing some unidentified encrypted data being sent using FTP to a remote server. A vulnerability scan found a collection of Linux servers that are missing OS level patches. Upon further investigation, a technician notices that there are a few unidentified processes running on a number of the servers. What would be a key FIRST step for the data security team to undertake at this point? A. Capture process ID data and submit to anti-virus vendor for review. B. Reboot the Linux servers, check running processes, and install needed patches. C. Remove a single Linux server from production and place in quarantine. D. Notify upper management of a security breach. E. Conduct a bit level image, including RAM, of one or more of the Linux servers.

E. Conduct a bit level image, including RAM, of one or more of the Linux servers.

Executive management is asking for a new manufacturing control and workflow automation solution. This application will facilitate management of proprietary information and closely guarded corporate trade secrets. The information security team has been a part of the department meetings and come away with the following notes: Human resources would like complete access to employee data stored in the application. They would like automated data interchange with the employee management application, a cloud-based SaaS application. Sales is asking for easy order tracking to facilitate feedback to customers. Legal is asking for adequate safeguards to protect trade secrets. They are also concerned with data ownership questions and legal jurisdiction. Manufacturing is asking for ease of use. Employees working the assembly line cannot be bothered with additional steps or overhead. System interaction needs to be quick and easy. Quality assurance is concerned about managing the end product and tracking overall performance of the product being produced. They would like read-only access to the entire workflow process for monitoring and baselining. The favored solution is a user friendly software application that would be hosted onsite. It has extensive ACL functionality, but also has readily available APIs for extensibility. It supports read-only access, kiosk automation, custom fields, and data encryption. Which of the following departments' request is in contrast to the favored solution? A. Manufacturing B. Legal C. Sales D. Quality assurance E. Human resources

E. Human resources

After several industry competitors suffered data loss as a recent result of cyberattacks, the Chief Operating Officer (COO) of a company reached out to the information security manager to review the organization's security stance. As a result of the discussion, the COO wants the organization to meet the following criteria: Blocking of suspicious websites; Prevention of attacks based on threat intelligence; Reduction in spam; Identity-based reporting to meet regulatory compliance; Prevention of viruses based on signature; Protect applications from web-based threats. Which of the following would be the BEST recommendation the information security manager could make? A. Reconfigure existing IPS resources. B. Implement a WAF. C. Deploy a SIEM solution. D. Deploy a UTM solution. E. Implement an EDR platform

E. Implement an EDR platform

Ann, a member of the finance department at a large corporation, has submitted a suspicious email she received to the information security team. The team was not expecting an email from Ann, and it contains a PDF file inside a ZIP compressed archive. The information security team is not sure which files were opened. A security team member uses an air-gapped PC to open the ZIP and PDF, and it appears to be a social engineering attempt to deliver an exploit. Which of the following would provide greater insight on the potential impact of this attempted attack? A. Run an antivirus scan on the finance PC. B. Use a protocol analyzer on the air-gapped PC. C. Perform reverse engineering on the document. D. Analyze network logs for unusual traffic. E. Run a baseline analyzer against the user's computer.

E. Run a baseline analyzer against the user's computer.

A Chief Information Security Officer (CISO) is reviewing and revising system configuration and hardening guides that were developed internally and have been used for several years to secure the organization's systems. The CISO knows improvements can be made to the guides. Which of the following would be the BEST source of reference during the revision process? A. CVE database B. Internal security assessment reports C. Industry-accepted standards D. External vulnerability scan reports E. Vendor-specific implementation guides

E. Vendor-specific implementation guides
