400-550 Flashcards
An organization does not have visibility into when company-owned assets are off network or not connected via a VPN. The lack of visibility prevents the organization from meeting security and operational objectives.
Which of the following cloud-hosted solutions should the organization implement to help mitigate the risk?
A. Antivirus
B. UEBA
C. EDR
D. HIDS
C. EDR
A company has retained the services of a consultant to perform a security assessment. As part of the assessment, the consultant recommends engaging with others in the industry to collaborate in regards to emerging attacks.
Which of the following would BEST enable this activity?
A. ISAC
B. OSINT
C. CVSS
D. Threat modeling
A. ISAC
A law firm experienced a breach in which access was gained to a secure server. During an investigation to determine how the breach occurred, an employee admitted to clicking on a spear phishing link.
A security analyst reviewed the event logs and found the following:
- PAM had not been bypassed.
- DLP did not trigger any alerts.
- The antivirus was updated to the most current signatures.
Which of the following MOST likely occurred?
A. Exploitation
B. Exfiltration
C. Privilege escalation
D. Lateral movement
A. Exploitation
A company processes sensitive cardholder information that is stored in an internal production database and accessed by internet-facing web servers. The company’s Chief Information Security Officer (CISO) is concerned with the risks related to sensitive data exposure and wants to implement tokenization of sensitive information at the record level. The company implements a one-to-many mapping of primary credit card numbers to temporary credit card numbers.
Which of the following should the CISO consider in a tokenization system?
A. Data field watermarking
B. Field tagging
C. Single-use translation
D. Salted hashing
C. Single-use translation
A network administrator receives a ticket regarding an error from a remote worker who is trying to reboot a laptop. The laptop has not yet loaded the operating system, and the user is unable to continue the boot process. The administrator is able to provide the user with a recovery PIN, and the user is able to reboot the system and access the device as needed. Which of the following is the MOST likely cause of the error?
A. Lockout of privileged access account
B. Duration of the BitLocker lockout period
C. Failure of the Kerberos time drift sync
D. Failure of TPM authentication
D. Failure of TPM authentication
A security engineer is concerned about the threat of side-channel attacks. The company experienced a past attack that degraded parts of a SCADA system, causing a fluctuation to 20,000rpm from its normal operating range. As a result, the part deteriorated more quickly than the mean time to failure. A further investigation revealed the attacker was able to determine the acceptable rpm range, and the malware would then fluctuate the rpm until the part failed.
Which of the following solutions would be BEST to prevent a side-channel attack in the future?
A. Installing online hardware sensors
B. Air gapping important ICS and machines
C. Implementing a HIDS
D. Installing a SIEM agent on the endpoint
B. Air gapping important ICS and machines
Which of the following is the primary reason that a risk practitioner determines the security boundary prior to conducting a risk assessment?
A. To determine the scope of the risk assessment
B. To determine the business owner(s) of the system
C. To decide between conducting a quantitative or qualitative analysis
D. To determine which laws and regulations apply
A. To determine the scope of the risk assessment
A security architect must mitigate the risks from what is suspected to be an exposed, private cryptographic key.
Which of the following is the BEST step to take?
A. Revoke the certificate.
B. Inform all the users of the certificate.
C. Contact the company’s Chief Information Security Officer.
D. Disable the website using the suspected certificate.
E. Alert the root CA.
A. Revoke the certificate.
An employee’s device was missing for 96 hours before being reported. The employee called the help desk to ask for another device. Which of the following phases of the incident response cycle needs improvement?
A. Containment
B. Preparation
C. Resolution
D. Investigation
B. Preparation
A security consultant has been asked to recommend a secure network design that would:
- Permit an existing OPC server to communicate with a new Modbus server that is controlling electrical relays.
- Limit operational disruptions.
Due to the limitations within the Modbus protocol, which of the following configurations should the security engineer recommend as part of the solution?
A. Restrict inbound traffic so that only the OPC server is permitted to reach the Modbus server on port 135.
B. Restrict outbound traffic so that only the OPC server is permitted to reach the Modbus server on port 102.
C. Restrict outbound traffic so that only the OPC server is permitted to reach the Modbus server on port 5000.
D. Restrict inbound traffic so that only the OPC server is permitted to reach the Modbus server on port 502.
D. Restrict inbound traffic so that only the OPC server is permitted to reach the Modbus server on port 502.
A forensic investigator started the process of gathering evidence on a laptop in response to an incident. The investigator took a snapshot of the hard drive, copied relevant log files, and then performed a memory dump.
Which of the following steps in the process should have occurred FIRST?
A. Preserve secure storage.
B. Clone the disk.
C. Collect the most volatile data.
D. Copy the relevant log files.
C. Collect the most volatile data.
A company is designing a new system that must have high security. This new system has the following requirements:
- Permissions must be assigned based on role.
- Fraud from a single person must be prevented.
- A single entity must not have full access control.
Which of the following can the company use to meet these requirements?
A. Dual responsibility
B. Separation of duties
C. Need to know
D. Least privilege
B. Separation of duties
A Chief Security Officer (CSO) is concerned about the number of successful ransomware attacks that have hit the company. The data indicates most of the attacks came through a fake email. The company has added training, and the CSO now wants to evaluate whether the training has been successful.
Which of the following should the CSO implement?
A. Simulating a spam campaign
B. Conducting a sanctioned vishing attack
C. Performing a risk assessment
D. Executing a penetration test
A. Simulating a spam campaign
A company hosts a large amount of data in blob storage for its customers. The company recently had a number of issues with this data being prematurely deleted before the scheduled backup processes could be completed. The management team has asked the security architect for a recommendation that allows blobs to be deleted occasionally, but only after a successful backup.
Which of the following solutions will BEST meet this requirement?
A. Mirror the blobs at a local data center.
B. Enable fast recovery on the storage account.
C. Implement soft delete for blobs.
D. Make the blob immutable.
C. Implement soft delete for blobs.
To save time, a company that is developing a new VPN solution has decided to use the OpenSSL library within its proprietary software.
Which of the following should the company consider to maximize risk reduction from vulnerabilities introduced by OpenSSL?
A. Include stable, long-term releases of third-party libraries instead of using newer versions.
B. Ensure the third-party library implements the TLS and disable weak ciphers.
C. Compile third-party libraries into the main code statically instead of using dynamic loading.
D. Implement an ongoing, third-party software and library review and regression testing.
D. Implement an ongoing, third-party software and library review and regression testing.