Following a recent network intrusion, a company wants to determine the current security awareness of all its employees. Which of the following is the BEST way to test awareness? - Conduct a series of security training events with comprehensive tests at the end. - Hire an external company to provide an independent audit of network security posture. - Review the social media of all employees to see how much proprietary information is shared. - Send an email from a corporate account requesting users to log into a site with their enterprise account.

- Hire an external company to provide an independent audit of network security posture.

A company's chief cybersecurity architect wants to configure mutual authentication to access an internal payroll website. The architect has asked the administration team to determine the configuration that would provide the best defense against MITM attacks. Which of the following implementation approaches would BEST support the architect's goals? - Utilize a challenge-response prompt as required input at username/password entry. - Implement TLS and require the clients to use its own certificate during handshake. - Configure a web application proxy and institute monitoring of HTTPS transactions. - Install a reverse proxy in the corporate DMZ configured to decrypt TLS session.

- Implement TLS and require the clients to use its own certificate during handshake.

While investigating suspicious activity on a server a security administrator runs the following report. ``` File system integrity check report Total numbers of files: 3321 Added files: 12 Removed files: 0 Changed Files: 1 Changed files: changed: /etc/passwd --------------------------------------------------------- Detailed information about changes: File: /etc/ Perm: -rw-r--r-- , -rw-r---rw- Hash: md5:ab0e9acb928dfac35de2ac2bef918cae, md5:def9a24cdbeaf4cb15acfed93eedb ``` In addition, the administrator notices changes to the /etc/shadow file that were not listed in the report. Which of the following BEST describe this scenerio? (Select TWO) - An attacker compromised the server and may have used a collision hash in the MD5 algorithm to hand the changes to the /etc/shadow file. - An attacker compromised the server and may have also compromised the file integrity database to hide changes in the /etc/shadow file. - An attacker compromised the server and may have installed a rootkit to always generate valid MD5 hashes to hide the changes to the /etc/shadow file. - An attacker compromised the server and may have used MD5 collision hashes to generate valid passwords, allowing further access to administrator accounts on the server. - An attacker compromised the server and may have used SELinux mandatory access controls to hide the changes to the /etc/shadow file.

- An attacker compromised the server and may have used a collision hash in the MD5 algorithm to hand the changes to the /etc/shadow file. - An attacker compromised the server and may have used MD5 collision hashes to generate valid passwords, allowing further access to administrator accounts on the server.

The Chief Executive Officer (CEO) of a small startup company has a need for a security policy and assessment to address governance, risk management, and compliance. The company has a resource-constrained IT department, but has no information security staff. The CEO has asked for this to be completed in three months. Which o the following would be the MOST cost-effective solution to meet the company's needs? - Select one of the IT personnel to obtain information security training, and then develop all necessary policies and documents in house. - Accept all risks associated with information security, and bring up the issue again at next years' annual board meeting. - Release an RFP to consultancy firms, and then select the most appropriate consultant who can fulfill the requirements. - Hire an experienced, full-time information security team to run the startup company's information security department.

- Release an RFP to consultancy firms, and then select the most appropriate consultant who can fulfill the requirements.

Which of the following is the GREATEST security concern with respect to BYOD? - The filtering of sensitive data out of data flows a geographic boundaries. - Removing potential bottlenecks in data transmissions paths. - The transfer of corporate data onto mobil corporate devices. - The migration of data into and out of the network in an uncontrolled manner.

- The migration of data into and out of the network in an uncontrolled manner.

Ann, a terminated employee, left personal photos on a company-issued laptop and no longer has access to them. Ann emails her previous manager and asks to get her personal photos back. Which of the following BEST describes how the manager should respond? - Determine if the data still exists by inspecting to ascertain if the laptop has already been wiped and if the storage team has recent backups. - Inform Ann that the laptop was for company data only and she should not have stored personal photos on a company asset. - Report the email because it may have been a spoofed request coming from an attacker who is trying to exfiltrate data from the company's laptop. - Consult with the legal and/or human resources departments and check company policies around employment and termination procedures.

- Consult with the legal and/or human resources departments and check company policies around employment and termination procedures.

Latest CASP Questions Flashcards by Christopher Mayhew

Users have been reporting unusual automated phone calls, including names and phone numbers, that appear
to come from devices internal to the company. Which of the following should the systems administrator do to
BEST address this problem?

Add ACL to firewall to block VoIP.
Change the settings on the phone system to use SIP-TLS,
Have the phones download new configurations over TFTP.
Enable QoS configuration on the phone VLAN.

Change the settings on the phone system to use SIP-TLS

How well did you know this?

Not at all

Perfectly

The Chief Information Security Officer (CISO) is concerned that certain system administrators with privileged access may be reading others users’ emails. Review of a tool’s output shows the administrators have used webmail to log into other users’ inboxes. Which of the followings tools would show this type of output?

Log analysis tool
Password cracker
Command-line tool
File integrity monitoring tool

Log analysis tool

How well did you know this?

Not at all

Perfectly

While attending a meeting with the human resources department, an organization’s information security officer sees an employee using a username and password written on a memo pad to log into a specific service. When the information security office inquires further as to why passwords are being written down, the response is that there are too many passwords to remember for all the services the human resources department is required to use. Additionally, each password has specific complexity requirements and different expiration time frames. Which of the following would be the BEST solution for the information security officer to recommend?

Utilize MFA
Implementing SSO
Deploying 802.1X
Pushing SAML adoption
Implementing TACACS

Implementing SSO

How well did you know this?

Not at all

Perfectly

A firewall specialist has been newly assigned to participate in red team exercises and needs to ensure the skills represent real-world threats. Which of the following would be the BEST choice to help the new team member learn bleeding-edge techniques?

Attend hacking conventions.
Research methods using TOR.
Interviewing current read team members .
Attend web-based training.

Attend hacking conventions.

How well did you know this?

Not at all

Perfectly

Following a recent network intrusion, a company wants to determine the current security awareness of all its employees. Which of the following is the BEST way to test awareness?

Conduct a series of security training events with comprehensive tests at the end.
Hire an external company to provide an independent audit of network security posture.
Review the social media of all employees to see how much proprietary information is shared.
Send an email from a corporate account requesting users to log into a site with their enterprise account.

Hire an external company to provide an independent audit of network security posture.

How well did you know this?

Not at all

Perfectly

A company’s chief cybersecurity architect wants to configure mutual authentication to access an internal payroll website. The architect has asked the administration team to determine the configuration that would provide the best defense against MITM attacks. Which of the following implementation approaches would BEST support the architect’s goals?

Utilize a challenge-response prompt as required input at username/password entry.
Implement TLS and require the clients to use its own certificate during handshake.
Configure a web application proxy and institute monitoring of HTTPS transactions.
Install a reverse proxy in the corporate DMZ configured to decrypt TLS session.

Implement TLS and require the clients to use its own certificate during handshake.

How well did you know this?

Not at all

Perfectly

While investigating suspicious activity on a server a security administrator runs the following report.

File system integrity check report
Total numbers of files: 3321
Added files: 12
Removed files: 0
Changed Files: 1
Changed files:
changed: /etc/passwd
---------------------------------------------------------
Detailed information about changes:
File: /etc/
Perm: -rw-r--r-- , -rw-r---rw-
Hash: md5:ab0e9acb928dfac35de2ac2bef918cae, md5:def9a24cdbeaf4cb15acfed93eedb

In addition, the administrator notices changes to the /etc/shadow file that were not listed in the report. Which of the following BEST describe this scenerio? (Select TWO)

An attacker compromised the server and may have used a collision hash in the MD5 algorithm to hand the changes to the /etc/shadow file.
An attacker compromised the server and may have also compromised the file integrity database to hide changes in the /etc/shadow file.
An attacker compromised the server and may have installed a rootkit to always generate valid MD5 hashes to hide the changes to the /etc/shadow file.
An attacker compromised the server and may have used MD5 collision hashes to generate valid passwords, allowing further access to administrator accounts on the server.
An attacker compromised the server and may have used SELinux mandatory access controls to hide the changes to the /etc/shadow file.

An attacker compromised the server and may have used a collision hash in the MD5 algorithm to hand the
changes to the /etc/shadow file.
An attacker compromised the server and may have used MD5 collision hashes to generate valid
passwords, allowing further access to administrator accounts on the server.

How well did you know this?

Not at all

Perfectly

A security engineer is attempting to convey the importance of including job rotation in a company’s standard security policies. Which of the following would be the BEST justification?

Making employees rotate through jobs ensures succession plans can be implemented and prevents single points of failure.
Forcing different people to perform the same job minimizes the amount of time malicious actions go
undetected by forcing malicious actors to attempt collusion between two or more people.
Administrators and engineers who perform multiple job functions throughout the day benefit from being
cross-trained in new job areas.
It eliminates the new to share administrative account passwords because employees gain administrative
rights as they rotate into new job areas.

Forcing different people to perform the same job minimizes the amount of time malicious actions go
undetected by forcing malicious actors to attempt collusion between two or more people.

How well did you know this?

Not at all

Perfectly

The Chief Financial Officer (CFO) of a major hospital system has received a ransom letter that demands a
large sum of cryptocurrency be transferred to an anonymous account. If the transfer does not take place within ten hours, the letter states that patient information will be released on the dark web. A partial listing of recent patients is included in the letter. This is the first indication that a breach took place. Which of the following steps should be done FIRST?

Review audit logs to determine the extent of the breach.
Pay the hacker under the condition that all information is destroyed.
Engage a counter-hacking team to retrieve the data.
Notify the appropriate legal authorities and legal counsel.

Notify the appropriate legal authorities and legal counsel.

How well did you know this?

Not at all

Perfectly

A security administrator is updating a company’s SCADA authentication system with a new application. To ensure interoperability between the legacy system and the new application, which of the following stakeholders should be involved in the configuration process before deployment? (Select TWO)

Network engineer
Service desk personnel
Human resources administrator
Incident response coordinator
Facilities manager
Compliance manager

Network engineer

- Compliance manager

How well did you know this?

Not at all

Perfectly

Given the code snippet below
#include 
#include 
int main(void) {
char username[8];
printf("Enter your username" ");
gets(username)
printf("/n");
if (username == NULL){
printf("you did not enter a username\n");
}
if strcmp(username, "admin") {
printf("%s". "Admin user, enter your physical token value: ");
// rest of conditional logic here has been snipped for brevity
} else {
printf("Standard user, enter your password" ");
// rest of conditional logic here has been snipped for brevity
}
}
Which of the following vulnerability types is MOST concerning?

Only short names are supported, which could result in brute forcing of credentials.
Buffer overflow in the username parameter could lead to a memory corruption vulnerability.
Hardcoding usernames with different code paths taken depend on which user is entered.
Format string vulnerability is present for admin users but not for standard users.

Buffer overflow in the username parameter could lead to a memory corruption vulnerability.

How well did you know this?

Not at all

Perfectly

During the decommissioning phase of a hardware project, a security administrator is tasked with insuring no sensitive data is released inadvertently. All paper records are scheduled to be shredded in a crosscut shedder, and the waste will be burned. The system drives and removable media have been removed prior to e-cycling the hardware. Which of the following would ensure that no data is recovered from the system drives once they are disposed of?

Overwriting all HDD blocks with an alternating series of data.
Physically disabling the HDDs by removing the drive head.
Demagnetizing the hard drive using a degausser,
Deleting the UEFI boot loaders from each HDD.

Demagnetizing the hard drive using a degausser,

How well did you know this?

Not at all

Perfectly

The Chief Executive Officer (CEO) of a small startup company has a need for a security policy and assessment to address governance, risk management, and compliance. The company has a resource-constrained IT department, but has no information security staff. The CEO has asked for this to be completed in three months. Which o the following would be the MOST cost-effective solution to meet the company’s needs?

Select one of the IT personnel to obtain information security training, and then develop all necessary
policies and documents in house.
Accept all risks associated with information security, and bring up the issue again at next years’ annual
board meeting.
Release an RFP to consultancy firms, and then select the most appropriate consultant who can fulfill the
requirements.
Hire an experienced, full-time information security team to run the startup company’s information security
department.

Release an RFP to consultancy firms, and then select the most appropriate consultant who can fulfill the
requirements.

How well did you know this?

Not at all

Perfectly

An engineer needs to provide access to company resources for several offshore contractors. The contractors require:

Access to a number of applications, including internal websites.
Access to database data and the ability to manipulate it.
The ability to log into Linux and Windows servers remotely,

Which of the following remote access technologies are the BEST choices to provide all of this access securely?
(Select TWO)

VTC
VRRP
VLAN
VDI
VPN
Telnet

- VPN

How well did you know this?

Not at all

Perfectly

Which of the following is the GREATEST security concern with respect to BYOD?

The filtering of sensitive data out of data flows a geographic boundaries.
Removing potential bottlenecks in data transmissions paths.
The transfer of corporate data onto mobil corporate devices.
The migration of data into and out of the network in an uncontrolled manner.

The migration of data into and out of the network in an uncontrolled manner.

How well did you know this?

Not at all

Perfectly

Ann, a terminated employee, left personal photos on a company-issued laptop and no longer has access to
them. Ann emails her previous manager and asks to get her personal photos back. Which of the following
BEST describes how the manager should respond?

Determine if the data still exists by inspecting to ascertain if the laptop has already been wiped and if the storage team has recent backups.
Inform Ann that the laptop was for company data only and she should not have stored personal photos on a company asset.
Report the email because it may have been a spoofed request coming from an attacker who is trying to exfiltrate data from the company’s laptop.
Consult with the legal and/or human resources departments and check company policies around employment and termination procedures.

Consult with the legal and/or human resources departments and check company policies around employment and termination procedures.

How well did you know this?

Not at all

Perfectly

A security engineer has been hired to design a device that will enable the exfiltration of data from within a well-defended network perimeter during an authorized test. The device must bypass all firewalls and NIDS in place, as well as allow for upload of commands from a centralized command and control server. The total cost of the device must be kept to a minimum in case the device is discovered during an assessment. Which of the following tools should the engineer load onto the device being designed?

Custom firmware with rotating key generation.
Automatic MITM proxy.
TCP beacon broadcast software.
Reverse shell endpoint listener.

Reverse shell endpoint listener.

How well did you know this?

Not at all

Perfectly

An enterprise is trying to secure a specific web-based application by forcing the use of multifactor authentication. Currently, the enterprise cannot change the application’s sign-in page to include an extra field. However, the web-based application supports SAML. Which of the following would BEST secure the application?

Using a SSO application that supports multifactor authentication.
Enabling the web application to support LDAP integration.
Forcing higher-complexity passwords, and frequent changes.
Deploying Shibboleth to all web-based application in the enterprise.

Using a SSO application that supports multifactor authentication.

How well did you know this?

Not at all

Perfectly

A Chief Information Security Officer (CISO) is reviewing the controls in place to support the organization’s
vulnerability management program. The CISO finds patching and vulnerability scanning policies and
procedures are in place. However, the CISO is concerned the organization is siloed and is not maintaining awareness of new risks to the organization. The CISO determines systems administrators need to participate in industry security events. Which of the following is the CISO looking to improve.

Vendor diversification
System hardening standards
Bounty programs
Threat awareness
Vulnerability signatures

Threat awareness

How well did you know this?

Not at all

Perfectly

A large company with a very complex IT environment is considering a move from an on-premises, internally
managed proxy to a cloud-based proxy solution managed by an external vendor. The current proxy provides caching, content filtering, malware analysis, and URL categorization for all staff connected behind the proxy. Staff members connect directly to the Internet outside of the corporate network. The cloud-based version of the solution would provide content filtering, TLS decryption, malware analysis, and URL categorization. After migrating to the cloud solution, all internal proxies would be decommissioned. Which of the following would MOST likely change the company’s RISK profile?

A. 1. There would be a loss of internal intellectual knowledge regarding proxy configurations and application
data flows.
2. There would be a greater likelihood of Internet outages due to lower resilience of cloud gateways.
3. There would be data sovereignty concerns due to changes required in routing and proxy PAC files.

B. 1. The external vendor would have access to inbound and outbound gateway traffic.

The service would provide some level of protection for staff working from home.
Outages would be likely to occur for systems or applications with hard-coded proxy information.

C. 1. The loss of local caching would dramatically increase ISP charges and impact existing bandwidth.

There would be greater likelihood of Internet access outages due to lower resilience of cloud gateways.
There would be a loss of internal intellectual knowledge regarding proxy configurations an application data flows.

D. 1. Outages would likely occur for systems ad applications with hard-coded proxy information.

The service would provide some level of protection for staff members working from home.
Malware detection times would decrease due to third-party management of the service.

B. 1. The external vendor would have access to inbound and outbound gateway traffic.

The service would provide some level of protection for staff working from home.
Outages would be likely to occur for systems or applications with hard-coded proxy information.

How well did you know this?

Not at all

Perfectly

A security incident responder discovers an attacker has gained access to a network and has overwritten key system files with backdoor software. The server was reimaged and patched offline. Which of the following tools should be implemented to detect similar attacks?

Vulnerability scanner
TPM
Host-based firewall
File integrity monitor
NIPS

File integrity monitor

How well did you know this?

Not at all

Perfectly

While reviewing KPIs of the email security appliance with the Chief Information Security Officer (CISO) of an
insurance company, the security engineer notices the following:

Month Encrypted Email Unencrypted Email Contains PII
1 200 0 0
2 230 10 5
3 185 15 10
4 198 60 40
5 204 75 45

Which of the following measures should the security engineer take to ensure PII is not intercepted in transit
while also preventing interruption to business?

Quarantine emails sent to external domains containing PII and release after inspection.
Prevent PII from being sent to domains that allow users to sign up for free webmail.
Enable transport layer security on all outbound email communications and attachments.
Provide security awareness training regarding transmission of PII.

Provide security awareness training regarding transmission of PII.

How well did you know this?

Not at all

Perfectly

A Chief Security Officer (CISO) recently changed jobs into a new industry. The CISO’s first task is to write a new, relevant risk assessment for the organization. Which of the following would BEST help the CISO find relevant risks to the organization. (Select TWO)

A. Perform a penetration test
B. Conduct a regulatory audit
C. Hire a third-party consultant
D. Define a threat model
E. Review the existing BIA
F. Perform an attack path analysis

Define a threat model

- Review the existing BIA

How well did you know this?

Not at all

Perfectly

A penetration tester noticed special characters in a database table. The penetration tester configured the browser to use an HTTP interceptor to verify that the front-end user registration web form accepts invalid input in the user’s age field. The developer was notified and asked to fix the issue. Which of the following is the MOST secure solution for developer to implement?

IF $AGE == “!@#$%^&*()_+<>?”:{}[]” THEN ERROR
IF $AGE ==[123456790] {1,3} THEN CONTINUE
IF $AGE != “a-bA-Z!@#$%^&*()_+<>?{}[]” THEN CONTINUE
IF $AGE == [1-0] {0,2} THEN CONTINUE

IF $AGE ==[123456790] {1,3} THEN CONTINUE

How well did you know this?

Not at all

Perfectly

A security analyst is inspecting pseudocode of the following multithreaded application 1. perform daily ETL of data 1. 1 validate that yesterday's data model file exists 1. 2 validate that today's data model does not exist 1. 2 extract yesterday's data model 1. 3 transform the format 1. 4 load the transformed data into today's data model file 1. 5 exit Which of the following security concerns is evident in the above pseudocode? - Time of check/time of use - Resource exhaustion - Improper storage of sensitive data - Privilege escalation

- Time of check/time of use

A penetration test is being scoped for a set of web services with API endpoints. The APIs will be hosted on existing web application servers. Some of the new APIs will be available to unauthenticated users, but some will only be available to authenticated users. Which of the following tools or activities would the penetration tester MOST likely use or do during the engagement? (Select TWO) - Static code analyzer - Intercepting proxy - Port scanner - Reverse engineering - Reconnaissance gathering - User acceptance testing

- Intercepting proxy | - Reconnaissance gathering

A technician is configuring security options on the mobile device manager for users who often utilize public Internet connections while traveling. After ensuring that full disk encryption is enabled, which of the following security measures should the technician take? (Select TWO) - Require all mobile device backups to be encrypted - Ensure all mobile devices back up using USB OTG - Issue a remote wipe of corporate and personal partitions - Restrict devices from making long-distance calls during business hours - Implement an always-on VPN

- Require all mobile device backups to be encrypted | - Implement an always-on VPN

An organization, which handles large volumes of PII, allows mobile devices that can process, store, and transmit PII and other sensitive data to be issued to employees. Security assessors can demonstrate recovery and decryption of remnant sensitive data from device storage after MDM issues a successful wipe command. Assuming availability of the controls, which of the following would BEST protect against loss of sensitive data in the future? - Implement a container that wraps PII data and stores keying material directly in the container's encrypted application space, - Use encryption keys for sensitive data stored in an eFuse-backed memory space that is blown during a remote wipe. - Issue devices that employ a stronger algorithm for the authentication od sensitive data stored on them. - Procure devices that remove the bootloader binaries upon reciept of an MDM-issue remote wipe command.

- Implement a container that wraps PII data and stores keying material directly in the container's encrypted application space,

A software development company lost customers recently because of a large number of software issues. These issues were related to integrity and availability defects, including buffer overflows, pointer dereferences, and others. Which of the following should the company implement to improve code quality? (Select TWO) - Development environment access controls - Continuous integration - Code comments and documentation - Static analysis tools - Application containerization - Code obfuscation

- Code comments and documentation | - Static analysis tools

Legal counsel has notified the information security manager of a legal matter that will require the preservation of electronic records for 2000 sales force employees. Source records will be email, PC, network shares, and applications. After all restrictions have been lifted, which of the following should the information manager review? - Data retention policy - Legal hold - Chain of custody - Scope statement

- Data retention policy

Company leadership believes employees are experiencing an increased number of cyber attacks, however, the metrics so not show this. Currently the company uses "Number of successful phishing attacks" as a KPI, but it does not show an increase. Which of the following additional information should the Chief Information Security Officer (CISO) include in the report? - The rate of phishing emails to non-phishing emails - The number of phishing attacks per employee - The number of unsuccessful phishing attacks - The percentage of successful phishing attacks

- The number of unsuccessful phishing attacks

Security policies that are in place at an organization prohibit USB drives from being utilized across the entire enterprise, with adequate technical control in place to block them. As a way to be able to work from various locations on different computing resources, several sales staff members have signed up for a web-based storage solution without the consent of the IT department. However, the operations department is required to use the same service to transmit certain business partner documents. Which of the following would BEST allow the IT department to monitor and control this behavior? - Enabling AAA - Deploy a CASB - Configuring an NGFW - Installing a WAF - Using a vTPM

- Deploy a CASB

A company uses an application in its warehouse that works with several commercially available tablets and can only be accesses inside the warehouse. The support department would like the selection of tablets to be limited to three models to provide better support and ensure spares are on hand. Users often keep the tablets after they leave the department, as many of them store personal media items. Which of the following should the security engineer recommend to meet these requirements? - COPE with geofencing - MDM with remote wipe - BYOD with containerization - CYOD with VPN

- COPE with geofencing

A security engineer is performing an assessment again for a company. The security engineer examines the following output from the review: - Password complexity: Disabled - Require authentication from a domain controller before sign-in: Enabled - Allow guest user access: Enabled - Allow anonymous enumeration of groups: Disabled Which of the following tools is the engineer utilizing to perform this assessment? - Vulnerability scanner - SCAP scanner - Port scanner - Interception proxy

- SCAP scanner

While conducting a BIA for a proposed acquisition, the IT integration team found that both companies outsource CRM services to competing and incompatible third-party cloud services. The decision has been made to bring the CRM service in-house, and the IT team has choosen a future solution. With which of the following should the Chief Information Security Officer (CISO) be the MOST concerned? (Select TWO) - Data remnants - Sovereignty - Compatible services - Storage encryption - Data migration - Chain of custody

- Data remnants | - Data migration

To meet an SLA, which of the following documents should be drafted, defining the company's internal interdependent unit responsibilities and delivery timelines? - BPA - OLA - MSA - MOU

- OLA

A government organization operates and maintains several ICS environments. The categorization of one of these environments led to a moderate baseline. The organization has compiled a set of applicable security controls based on this categorization. Given that this is a unique environment which of the following should the organization do NEXT to determine if other security controls should be considered? - Check for any relevant or required overlays. - Review enhancements with in the current control set. - Modify to a high-baseline set of controls. - Perform continuous monitoring.

- Modify to a high-baseline set of controls.

A security architect is determining the best solution for a new project. The project is developing a new intranet with advanced authentication capabilities, SSO for users, and automated provisioning to streamline Day 1 access to systems. The security architect has identified the following requirements. 1. Information should be sourced from the trusted master data source. 2. There must be future requirements for identity proofing of devices and users. 3. A generic identity connector than can be reused must be developed. 4. The current project scope is for internally hosted applications only. Which of the following solution building blocks should the security architect use to BEST meet the requirements? - LDAP, multifactor authentication, OAuth, XACML - AD, certificate-based authentication, Kerberos, SPML - SAML, context-aware authentication, OAuth, WAYF - NAC, radius, 802.1X, centralized active directory

- LDAP, multifactor authentication, OAuth, XACML

The finance department has started to use a new payment system that requires strict PII security restrictions on various network devices. The company decides to enforce the restrictions and configure all devices appropriately. Which of the following risk response strategies is being used? - Avoid - Mitigate - Transfer - Accept

- Mitigate

Following the successful response to a data-leakage incident, the incident team lead facilitates an exercise that focuses on continuous improvement of the organization's incident response capabilities. Which of the following activities has the incident team lead executed? - Lessons learned review - Root cause analysis - Incident audit - Corrective action exercise

- Lessons learned review

A project manager is working with a software development group to collect and evaluate user stories related to the organization's internally designed CRM tool. After defining requirements, the project manager would like to validate the developer's interpretation and understanding of the user's request. Which of the following would BEST support this objective? - Peer review - Design review - Scrum - User acceptance testing - Unit testing

- Scrum

A system administrator receives an advisory email that a recently discovered exploit is being used in another country and the financial institutions have ceased operations while they find a way to respond to the attack. Which of the following BEST describes where the administrator should look to find information on the attack to determine if a response must be prepared for the systems? (Select TWO) - Bug bounty websites - Hacker forums - Antivirus vendor websites - Trade industry association websites - CVE database - Company's legal department

- CVE database | - Company's legal department

Company.org has requested a black-box security assessment be performed on key cyber terrain. One area of concern is DNS services. The security assessor wants to run reconnaissance before taking any additional action and wishes to determine which DNS servers a Internet-facing. Which of the following commands should the assessor use to determine this information? - dnsrecon -d company - t SOA - dig company.org mx - nc -v company.org - whois company.org

- dnsrecon -d company - t SOA

A user asks a security practitioner for recommendation on securing a home network. The user recently purchased a connected home assistant and multiple IoT devices in an effort to automate the home. Some of the IoT devices are wearables, and others are installed in the user's automobiles. The current home network is configure as a single flat network behind an ISP-supplied router, The router has a single IP address, and the router performs NAT on incoming traffic to route it to individual devices. Which of the following security controls would address the user's privacy concerns and provide the BEST level of security for the home network? - Ensuring all IoT devices are configured in geofencing mode so that the devices do not work when removed from the home network. Disable the home assistant unless actively using it, segment the network so each IoT device has its own segment. - Install a firewall capable of cryptographically separating network traffic, require strong authentication to access all IoT devices, and restrict network access for the home assistant based on time-of-day restrictions. - Segment the home network to separate network traffic from users and the IoT devices, ensure security settings on the home assistant support no or limited recording capability, and install firewall rules on the router to restrict traffic to the home assistant as much as possible. - Change all default passwords on the IoT devices, disable Internet access for the IoT devices and the home assistant, obtain routable IP addresses for all devices, and implement IPv6 and IPSec protections on all network traffic.

- Segment the home network to separate network traffic from users and the IoT devices, ensure security settings on the home assistant support no or limited recording capability, and install firewall rules on the router to restrict traffic to the home assistant as much as possible.

A government contractor was a victim of a malicious attack that resulted in the theft of sensitive information. An analyst's subsequent investigation of sensitive systems led to the following discoveries. - There was no indication of the data owner's or user's account being compromised - No database activity outside of previous baselines was discovered. - All workstations and servers were fully patched for all known vulnerabilities at the time of the attack. - It was likely not an insider threat, as all employees passed polygraph tests. Given the scenario, which of the following is the MOST likely attack that occurred? - The attacker harvested the hash credentials of an account within the database administrators group after dumping memory of a compromised machine. With these credentials, the attacker was able to access the database containing sensitive information directly. - An account, which belongs to a administrator of virtualization infrastructure, was compromised with a successful phishing attack. The attacker used these credentials to access the virtual machine manager and made a copy of the target virtual machine image. The attacker later accessed the image offline to obtain sensitive information. - A shared workstation was physically accessible in a common area of the contractor's office space and was compromised by an attacker using a USB exploit, which later resulted in gaining a local administrator account. Using the local administrator credentials, the attacker was able to move laterally to the server hosting the database with sensitive information. - After successfully using a watering hole attack to deliver an exploit to a machine, which belongs to an employee of the contractor, an attacker gained access to a corporate laptop. With this access, the attacker the establish a remote session over a VPN connection with the server hosting the database of sensitive information.

- An account, which belongs to a administrator of virtualization infrastructure, was compromised with a successful phishing attack. The attacker used these credentials to access the virtual machine manager and made a copy of the target virtual machine image. The attacker later accessed the image offline to obtain sensitive information.

A security engineer is analyzing an application during a security assessment to ensure it is configured to protect against common threats. Given the output below: ``` Response Headers Cache-Control:no-cache Content-Type:text/event-stream Date:Mon, 17 Sep 2018 15:58:37 GMT Expires:-1 Pragma:no-cache Transfer-Encoding:chunked X-Content-Type-Options:nosniff X-Frame-Options:SAMEORIGIN Request Headers Host: secure.comptia.org Connection: keep-alive Accept: text/event-stream Cache-Control: no-cache Accept-Encoding: gzip, deflate, br Accept-Language: en-US, en;q=0.9 ``` Which of the following tools did the security engineer MOST likely use to generate this output? - Application fingerprinter - Fuzzer - HTTP interceptor - Vulnerability scanner

- HTTP interceptor

An organization is implementing a virtualized thin-client solution for normal user computing and access. During a review of the architecture, concerns were raised than an attacker could gain access to multiple user environments by simply gaining a foothold on a single one with malware. Which of the following reasons BEST explains this? - Malware on one virtual environment could enable pivoting to others by leveraging vulnerabilities in the hypervisor. - A worm on one virtual environment could spread to others by taking advantage of guest OS networking services vulnerabilities. - One virtual environment may have one of more application-layer vulnerabilities, which would allow an attacker to escape that environment. - Malware on one virtual user environment could be copied to all others by the attached network storage controller.

- Malware on one virtual environment could enable pivoting to others by leveraging vulnerabilities in the hypervisor.

An information security officer is responsible for one secure network and one office network. Recent intelligence suggests there is an opportunity for attackers to gain access to the secure network due to similar login credentials across networks. To determine the users which should change their password information, the information security officer uses a tool to scan a file with hashed values on both networks and receives the following information. Corporate Network Secure Network james. bond asHU8$1bg jbond asHU8$1bg tom. jones wit4njyt%! tom.jones wit4njyt% dade. murphy mUrpHTIME7 d,murph3 t%w38T9)n herbie. handcock hh2016!/# hhanco hh2016!/# suzy. smith iLI*#HFadf ssmith iLI*#HFadf Which of the following tools was used to gather this information from the hashed values in this file? - Vulnerability scanner - Fuzzer - MD5 generator - Password cracker - Protocol analyzer

- password cracker Listed answer is - Protocol analyzer, but makes no sense...

The chief Information Security Officer (CISO) suspects that a database administrator has been tampering with financial data to the administrators advantage. Which of the following would allow a third-part consultant to conduct an on-site review of the administrator's activity? - Separation of duties - Job rotation - Continuous monitoring - Mandatory vacation

- Separation of duties

A system administrator at a medical imaging company discovers protected health information (PHI) on a general-purpose file server. Which of the following steps should the administrator take NEXT? - Isolate all the PHI on its own VLAN and keep it segregated at Layer 2. - Immediately encrypt the PHI with AES-256 - Delete all PHI from the network until the legal department is consulted. - Consult the legal department to determine legal requirements.

- Immediately encrypt the PHI with AES-256

The Chief Executive Officers (CEOs) from two different companies are discussing the highly sensitive prospect of merging their respective companies together, Both have invited their Chief Information Officers (CIOs) to discern how they can securely and digitally communicate, and the following criteria are collectedly determined: - Must be encrypted on the email servers and clients - Must be OK to transmit over unsecured Internet connections Which of the following communication methods would be BEST to recommend? - Force TLS between domains. - Enable STARTTLS on both domains. - Use PGP-encrypted emails. - Switch both domains to utilize DNSSEC

- Use PGP-encrypted emails.

A security analyst is reviewing the corporate MDM settings and notices some disabled settings, which consequently permit users to download programs from untrusted developers and manually install them. After some conversations, it is confirmed that these settings were disabled to support the internal development of mobile applications. The security analyst is now recommending that developers and testers have a sperate device profile allowing this, and that the rest of the organization's users do not have the ability to manually download and install untrusted application. Which of the following settings should be toggled to achieve the goal? (Select TWO) - OTA updates - Remote wiping - Side loading - Sandboxing - Containerization - Signed applications

- Containerization | - Signed applications

A security analyst is classifying data based on input from data owners and other stakeholders. The analyst has identified three data types: 1. Financially sensitive data 2. Project data 3. Sensitive project data The analyst proposes that data be protected in two major groups, with further access control separating the financial sensitive data from the sensitive project data. The normal project data will be stored in a separate, less secure location. Some stakeholders are concerned about the recommended approach and insist that commingling the data from different sensitive project would leave them vulnerable to industrial espionage. Which of the following is the BEST course of action for the analyst to recommend? - Conduct a quantitative evaluation of the risks associated with commingling the data and reject or accept the concerns raised by the stakeholders. - Meet with the affected stakeholders and determine which security controls would be sufficient to address the newly raised risks. - Use qualitative methods to determine aggregate risk scores for each project and use the derived scores to more finely segregate the data. - Increase the number of available data storage devices to provide enough capacity for physical separation of non-sensitive project data.

- Meet with the affected stakeholders and determine which security controls would be sufficient to address the newly raised risks.

A security analyst has requested network engineers integrate sFlow into SOC's overall monitoring picture. For this to be a useful addition to the monitoring capabilities, which of the following must be considered by the engineering team? - Effective deployment of network taps. - Overall bandwidth available at Internet PoP. - Optimal placement of log aggregators. - Availability of application layer visualizers

- Availability of application layer visualizers

A security analyst has been asked to create a list of external IT security concerns, which are applicable to the organization. The intent is to show the different types of external actors, their attack vectors, and the types of vulnerabilities that would cause business impact. The Chief Information Security Officer (CISO) will then present this list to the board to request funding for controls in areas that have insufficient coverage. Which of the following exercise types should the analyst perform? - Summarize the most recent disclosed vulnerabilities. - Research industry best practices and the latest RFCs. - Undertake an external vulnerability scan and penetration test. - Conduct a threat modeling exercise,

- Conduct a threat modeling exercise,

A company has decided to lower costs by conducting an internal assessment on specific devices and various internal and external subnets. The assessment will be done during regular office hours, but it must not affect any production servers. Which of the following would MOST likely be used to complete the assessment? (Select TWO) - Agent-based vulnerability scan - Black-box penetration testing - Configuration review - Social engineering - Malware sandboxing - Tabletop exercise

- Configuration review | - Tabletop exercise

A business is growing and starting to branch out into other locations. In anticipation of opening an office in a different country, the Chief Information Security Officer (CISO) and legal team agree they need the following criteria regarding data to open the new office. - Store taxation-related documents for five years. - Store customer addresses in an encrypted format. - Destroy customer information after one year. - Keep data only in the customer's home country. Which of the following should the CISO implement to BEST meet these requirements? (Select THREE) - Capacity planning policy - Data retention policy - Data classification policy - Legal compliance policy - Data sovereignty policy - Backup policy - Acceptable use policy - Encryption standard

- Data retention policy - Data sovereignty policy - Encryption standard

A company has decided to replace all its T-1 uplinks at each regional office and move away from using the existing MPLS network. All regional sites will use high-speed connections and VPNs to connect back to the main campus. Which of the following devices would most likely be added at each location? - SIEM - IDS/IPS - Proxy server - Firewall - Router

- Firewall

Given the following code snippet ❮FORM ACTION="http://192.168.51.10/cgi-bin/order.pl" method="post"❯ ❮input type="hidden name="price" value="199.99"❯ ❮input type=hidden name="prd_id" value="X190"❯ QUANTITY:

- Improper field usage

An advanced threat emulation engineer is conducting testing against a client's network. The engineer conducts the testing in as realistic manner as possible. Consequently, the engineer has been gradually ramping up the volume of attacks over a long period of time. Which of the following combinations of techniques would the engineer MOST likely use in testing? (Select THREE) - Black box testing - Gray box testing - Code review - Social engineering - Vulnerability assessment - Pivoting - Self-assessment - White teaming - External auditing

- Black box testing - Vulnerability assessment - Pivoting

The Chief Information Security Officer (CISO) of an e-retailer, which has an established security department, identifies a customer using a fraudulent credit card. The CISO calls the local authorities, and when they arrive on-site, the authorities ask a security engineer to create a point-in-time copy of the running database in their presence. This is an example of: - Creating a forensic image - Deploying fraud monitoring - Following a chain of custody - analyzing the order of volatility

- Following a chain of custody

An organization is in the process of integrating its operational technology and informational technology areas. As part of the integration, some of the cultural aspects it would like to see include more efficient use of resources during change windows, better protection of critical infrastructure, and ability to respond to incidents. The following observations have been identified: 1. The ICS supplier has specified that any software installed will result in lack of support. 2. There is not documented trust boundary defined between the SCADA and corporate networks. 3. Operational technology staff have to manage the SCADA equipment via the engineering workstation, 4. There is a lack of understanding of what is within the SCADA network. Which of the following capabilities would BEST improve the security position? - VNC, router, HIPS - SIEM, VPN, firewall - Proxy, VPN, WAF - IDS, NAC, and log monitoring

- VNC, router, HIPS

A regional business is expecting a severe winter storm next week. The IT staff has been reviewing corporate policies on how to handle various situations and found some are missing or incomplete. After reporting this gap in documentation to the information security manage, a document is immediately drafted to move various personnel to other locations to avoid downtime in operations. This is an example of - a disaster recovery plan - an incident response plan - a business continuity plan - a risk avoidance plan

- a business continuity plan

Providers at a healthcare system with many geographically dispersed clinics have been fined five times this year after an auditor received notice of the following SMS messages: ---image--- Which of the following represents the BEST solution for preventing future fines? - Implement a secure text-messaging application for mobile devices and workstations. - Write a policy requiring this information to be given over the phone only. - Provide a courier service to deliver sealed documents containing public health informatics. - Implement FTP services between clinics to transmit text documents with the information. - Implement a system that will tokenize patient numbers.

- Implement a secure text-messaging application for mobile devices and workstations.

An organization is considering the use of a thin client architecture as it moves to a cloud-hosted environment. A security analyst is asked to provide thoughts on the security advantages of using thin clients and virtual workstations. Which of the following are security advantages of the use of this combination of thin clients and virtual workstations? - Malicious insiders will not have the opportunity to tamper with data at rest and affect the integrity of the system. - Thin client workstations require much less security because they lack storage and peripherals that can be easily compromised, and the virtual workstations are protected in the cloud where security is outsourced. - All thin clients use TPM for core protection, and virtual workstations use vTPM for core protection with both equally ensuring a greater security advantage for a cloud-hosted environment. - Malicious users will have reduced opportunities for data extractions from their physical thin client workstations, this reducing the effectiveness of local attacks.

- Thin client workstations require much less security because they lack storage and peripherals that can be easily compromised, and the virtual workstations are protected in the cloud where security is outsourced.

A security engineer is assisting a developer with input validation, they are studying the following code block: ``` String accountIdRegexp = "TODO, help!"; private static final Pattern accountIdPattern = Pattern.compile ("accountIdRegexp"); String accountId = request.getParameter("accountNumber"); if (!accountIdPattern.matcher(accountId).matches() { System.out.println("account ID format incorrect"); } else { //continue } ``` The security engineer wants to ensure strong input validation is in place for customer-provided account identifiers. These identifiers are ten-digit numbers. The developer wants to ensure input validation is fast because a large number of people use the system. Which of the following would be the BEST advise for the security engineer to give the developer? - Replace code with Java-based type checks - Parse input into an array - Use regular expressions - Canonicalize input into string objects before validation

- Use regular expressions

Due to a breach, the Chief Executive Officer (CEO) has requested the following activities be conducted during incident response planning: - Involve business owners and stakeholders - Create an applicable scenario - Conduct a biannual verbal review of the incident response plan - Report on the lessons learned and gaps identified Which of the following exercises has the CEO requested? - Parallel operations - Full transition - Internal review - Tabletop - Partial simulation

- Internal review

A security researches is gathering information about a recent spoke in the number of targeted attacks against multinational banks. The spike is on top of already sustained attacks against the banks. Some of the previous attacks have resulted in the loss of sensitive data, but as of yet the attackers have not successfully stolen any funds. Based on the information available to the researcher, which of the following is the MOST likely threat profile? - Nation-state-sponsored attackers conducting espionage for strategic gain. - Insiders seeking to gain access to funds for illicit purposes. - Opportunists seeking notoriety and fame for personal gain. - Hacktivists seeking to make a political statement because of socio-economic factors.

- Hacktivists seeking to make a political statement because of socio-economic factors.

A systems administrator has installed a disk wiping utility on all computers across the organization and configured it to perform a seven-pass wipe and an additional pass to overwrite the disk with zeros. The company has also instituted a policy that requires users to erase files containing sensitive information when they are no longer needed. To ensure the process provides the intended results, an auditor reviews the following content from a randomly selected decommissioned hard disk: - 0000000000000000 - 0000000000000000 - 0000000000000000 - 00000000000qjkehd Which of the following should be included in the auditor's report based in the above findings? - The hard disk contains bad sectors - The disk has been degaussed. - The data represents part of the disk BIOS. - Sensitive data might still be present on the hard drives.

- The hard disk contains bad sectors

Security technician receives a copy of a report that was originally sent to the board of directors by the Chief Information security Officer (CISO). The report outlines the following KPI/KRI data for last 12 months. ``` Month AV Fleet AV Signature Detected Phishing Infected Threat Landscape Number of Open Coverage Updated Attempts Systems Rating Security Incidents -------------------------------------------------------------------------------------------------------------------------------------------------- --------------------- January 30% 100% 40 26 High 40 February 20% 100% 8 4 Low 40 March 40% 100% 2 3 Low 30 April 50% 98% 17 12 Medium 30 May 90% 98% 40 5 Low 20 June 95% 98% 10 13 Medium 30 July 95% 98% 25 13 Medium 30 August 95% 96% 8 15 Medium 40 Sept 95% 90% 9 10 Medium 50 Oct 95% 90% 20 4 Low 65 Nov 95% 98% 17 7 Low 75 Dec 95% 100% 5 22 High 85 ``` Which of the following BEST describes what could be interpreted from the above data? A. 1. AV coverage across the fleet improved. 2. There is no correlation between infected systems and AV coverage. 3. There is no correlation between phishing attempts attempts and infected systems. 4. A correlation between threat landscape rating and infected systems appears to exist. 5. Effectiveness and performance of the security team appears to be degrading. B. 1. AV signature coverage has remained consistently high. 2. AV coverage across the fleet improved. 3. A correlation between phishing attempts and infected systems to exist. 4. There is a correlation between the threat landscape rating and security team's performance. 5. There is no correlation between detected phishing attempts and infected systems. C. 1. AV coverage across the fleet declined. 2. There is no correlation between infected systems and AV coverage. 3. A correlation between phishing attempts and infected system appears to exist. 4. There is no correlation between the threat landscape rating and the security team's performance. 5. There is a correlation between detected phishing attempts and infected systems. D. 1. AV coverage across the fleet declined. 2. There is no correlation between infected systems and AV coverage. 3. A correlation between phishing attempts and infected systems appears to exist. 4. There is no correlation between the threat landscape rating and the security team's performance. 5. Effectiveness and performance of the security team appears to be degraded.

A. 1. AV coverage across the fleet improved. 2. There is no correlation between infected systems and AV coverage. 3. There is no correlation between phishing attempts attempts and infected systems.

A security engineer is attempting to convey the importance of including job rotation in a company's standard security policies. Which of the following would be the BEST justification? - Making employees rotate through jobs ensures succession plans can be implemented and prevents single point of failure. - Forcing different people to perform the same job minimizes the amount of time malicious actions go undetected by forcing malicious actors to attempt collusion between two or more people. - Administrators and engineers who perform multiple job functions throughout the day benefit from being cross-trained in new job areas. - It eliminates the need to share administrative account passwords because employees gain administrative rights as they rotate into a new job area.

- Forcing different people to perform the same job minimizes the amount of time malicious actions go undetected by forcing malicious actors to attempt collusion between two or more people.

The Chief Information Officer (CIO) wants to increase security and accessibility among the organization's cloud SaaS applications. The applications are configured to use passwords, and two-factor authentication is not provided natively. Which of the following would BEST address the CIO's concerns? - Procure a password manager for the employees to use with the cloud applications. - Create a VPN tunnel between the on-premises environment and the cloud providers. - Deploy applications internally and migrate away from SaaS applications. - Implement an IdP that supports SAML and time-based, one-time passwords.

- Implement an IdP that supports SAML and time-based, one-time passwords.

Which of the following is an external pressure that causes companies to hire security assessors and penetrations testers? - Lack of adequate in house testing skills. - Requirements for geographically based assessments. - Cost reduction measures. - Regulatory insistence on independent reviews.

- Regulatory insistence on independent reviews.

After significant vulnerabilities and misconfigurations were found in numerous production web applications, a security manager identified the need to implement better development controls. Which of the following controls should be verified? (Select TWO) - Input validation routines are enforced on the server side. - Operating systems do not permit null sessions. - System administrator receive application security training. - VPN connections are terminated after a defined period of time - Error-handling logic fails securely. - OCSP calls are handled effectively.

- Input validation routines are enforced on the server side. | - Error-handling logic fails securely.

An organization has established the following controls matrix: ---image--- The following control sets have been defined by the organization and are applied in aggregate fashion: - Systems containing PII are protected with the minimum control set. - Systems containing medical data are protected at the moderate level. - Systems containing cardholder data are protected at the high level. The organization is preparing to deploy a system that protects the confidentially of a database containing PII and medical data from clients. Based on the controls classification, which of the following controls would BEST meet these requirements? - Proximity card access to the server room, context-based authentication, UPS, and full-disk encryption for the database server. - Cipher lock on the server room door, FDE, surge protector, and static analysis of all application code. - Peer review of all application changes, static analysis of application code, UPS, and penetration testing of the complete system. - Intrusion detection capabilities, network-based IPS, generator, and context-based authentication.

- Intrusion detection capabilities, network-based IPS, generator, and context-based authentication.

A security engineer is assessing the controls that are in place to secure the corporate-Internet-facing DNS server. The engineer notices that security ACLs exist but are not being used properly. The DNS server should respond to any source but only provide information about domains it has authority over. Additionally , the DNS administrators have identified some problematic IP addresses that should not not be able to make DNS requests. Given the ACLs below: ``` acl secondary-dns { 192.168.1.54; }; acl internal-nets { 192.168.1.0/24; }; acl blacklist-ips { 224.0.22.39; 12.122.1.0/24; 122.64.8.80; }; ``` Which of the following should the security administrator configure to meet the DNS security needs? ``` - zone "company.com" in { type "master"; allow-query { any;}; allow-transfer { !blacklist-ips;}; }; - zone "company.com" in { type = "master"; file "company.hosts"; allow-query { secondary-dns; internal-nets; !blacklist-ips; ;}; allow-transfer {none}; }; - zone "company.com" in { type = "master"; file "company.hosts"; allow-query { internal-nets; !blacklist-ips; }; allow-transfer {none}; }; - zone "company.com" in { type = "master"; file "company.hosts"; allow-query { any; !blacklist-ips; }; allow-transfer { secondary-dns}; }; ```

``` - zone "company.com" in { type = "master"; file "company.hosts"; allow-query { any; !blacklist-ips; }; allow-transfer { secondary-dns}; }; ```

A legacy web application, which is being used by a hospital, cannot be upgraded for 12 months. A new vulnerability is found in the legacy application and the networking team is tasked with mitigation. Middleware for mitigation will cost $100,000 per year. Which of the following must be calculated to determine ROI? (Select TWO) - ALE - RTO - MTBF - ARO - RPO

- ALE - ARO These are the only options that have a monetary metric.

A company is not familiar with the risks associated with IPv6. The systems administrator wants to isolate IPv4 from IPv6 traffic between two different network segments. Which of the following should the company implement? (Select TWO) A. Use an internal firewall to block UDP port 3544. B. Disable network discovery protocol on all company routers. C. Block IP protocol 41 using layer 3 switches D. Disable the DHCPv6 service from all routers E. Drop traffic for ::/0 at the edge firewall. F. Implement a 6in4 proxy server

- Disable the DHCPv6 service from all routers | - Drop traffic for ::/0 at the edge firewall.

Ann, a security administrator is conducting an assessment on a new firewall, which is placed at the perimeter of a network containing PII. Ann runs the following commands on a server (10.2.1.19) behind the firewall. service iptables stop service sshd stop From her own workstation (192.168.2.45) outside the firewall. Ann then runs a port scan against the server and records the following packet capture of the port scan. 0.872299 192.168.2.45 -> 10.1.1.19 TCP 62 49188 > 22 [SYN] Seq=0 Len=0 MSS=1460 0.872899 10.0.1.19 -> 192.168.2.45 TCP 62 22 > 49188 [RST] Seq=0 Len=0 MSS=1460 0.892308 192.168.2.45 -> 10.1.1.19 TCP 62 49188 > 23 [SYN] Seq=0 Len=0 MSS=1460 0.892309 10.0.1.19 -> 192.168.2.45 TCP 62 23 > 49189 [RST] Seq=0 Len=0 MSS=1460 0.901234 192.168.2.45 -> 10.1.1.19 TCP 62 49189 > 24 [SYN] Seq=0 Len=0 MSS=1460 0.901454 10.0.1.19 -> 192.168.2.45 TCP 62 24 > 49188 [RST] Seq=0 Len=0 MSS=1460 0.925657 192.168.2.45 -> 10.1.1.19 TCP 62 49188 > 25 [SYN] Seq=0 Len=0 MSS=1460 0.929872 10.0.1.19 -> 192.168.2.45 TCP 62 25 > 49188 [RST] Seq=0 Len=0 MSS=1460 Connectivity to the server from outside the firewall worked as expected prior to executing these commands. Which of the following can be said about the new firewall? - It is correctly dropping all packets destined for the server. - It is not blocking or filtering any traffic to the server. - iptables needs to be restarted - The IDS functionality of the firewall is currently disabled

- It is correctly dropping all packets destined for the server. Note: iptables is the linux service for a firewall. sshd is the Secure Shell (SSH) service.

A security analyst is reviewing the following company requirements prior to selecting the appropriate technical control configuration parameter. RTO 2 days RPO 36 hours MTTR 24 hours MFBF 60 days Which of the following solutions will address the RPO requirements? - Remote Syslog facility collection real-time events - Server farm behind the load balancer delivering five-nines uptime - Backup solution that implements daily snapshots - Cloud environment distributed across geographic regions

- Backup solution that implements daily snapshots Note: RPO defines how much data you can afford to lose. This is what defines how often you make backups.

A security consultant is improving the physical security of a sensitive site and takes pictures of the unbranded building to include in the report. Two weeks later the security consultant misplaces the phone, which only has one hour of charge left on it. The person who finds the phone removes the MicroSD card in an attempt to discover the owner to return it. The person extracts the following from the phone and EXIF data from some files. ``` DCM images folder Audio books folder Torrentz My TAX.xls Consultancy HR Manual.doc Camera: SM-G950F Exposure time: 1/60 s Location: 3500 Lacey Road USA ``` Which of the following BEST describes the security problem? - MicroSD is not encrypted and also contains personal data - MicroSD contains a mixture of personal and work data - MicroSD is not encrypted and contains geotagging information - MicroSD contains pirated software and is not encrypted

- MicroSD is not encrypted and contains geotagging information

An organization is deploying IoT locks, sensors and cameras, which operate over 802.11 to replace legacy building access control systems. These devices are capable of triggering physical changes access changes, including locking and unlocking doors and gates. Unfortunately, the devices have known vulnerabilities for which the vendor has yet to provide firmware updates. Which of the following would BEST mitigate this risk? - Direct wire the IoT devices into the physical switches and place them on an exclusive VLAN - Require sensors to sign all transmitted unlock control messages digitally - Associate the devices with an isolated wireless network configured for WPA2 and EAP-TLS - Implement an out-of-band monitoring solution to detect message injections and attempts.

- Associate the devices with an isolated wireless network configured for WPA2 and EAP-TLS

A company decides to implement a BYOD policy and is concerned about how to implement the proper controls to secure its mobile device. Which of the following security approaches can the company implement to ensure its mobile devices are secure? - Use FDE with key escrow - Allow the use of the camera, the microphone, and removable media - Deploy a custom SEAndroid policy - Implement security awareness training - Configure a custom MAC policy

- Use FDE with key escrow

A security analyst sees some suspicious entries in a log file from a web server website, which has a form that allows customers to leave feedback on the company's projects. The analyst believes a malicious actor is scanning the web form. To know which security controls to put in place, the analyst first needs to determine the type of activity occurring to design a control. Given the log below: Timestamp SourceIP CustName PreferredContact ProdName Comments --------------------------------------------------------------------------------- ---------- Monday 10:00:04 10.14.34.55 aaaaa Phone Widget1 None left Monday 10:00:04 10.14.34.55 bbbbb Phone Widget1 None left Monday 10:00:05 10.14.34.55 ccccc Phone Widget1 ../../etc/ passwd Monday 10:01:03 10.14.34.55 ddddd Phone Widget1 None left Monday 10:01:04 10.14.34.55 eeeee Phone Widget1 None left Monday 10:01:05 10.14.34.55 fffff Phone Widget1 1=1 Monday 10:03:05 172.16.34.20 Joe Phone Widget30 Love the Widget! Monday 10:04:01 10.14.34.55 ggggg Phone Widget1 Monday 10:05:05 10.14.34.55 hhhhh Phone Widget1 wget cookie Monday 10:05:05 10.14.34.55 iiiii Phone Widget1 None left Monday 10:05:06 10.14.34.55 jjjjj Phone Widget1 None left Which of the following is the MOST likely type of activity occurring? - SQL Injection - XSS scanning - Fuzzing - Brute force

- Brute force

A Chief Information Security Office (CISO) is reviewing technical documentation from various regional offices and notices some key differences between these groups. The CISO has not discovered an governance documentation. The CISO creates the following chart to visualize the differences amount the networking used. ``` Switch Vendor Trunking Protocal Minimum Cabling Requirements Active Support --------------------------------------------------------------------------------- ---------- Group A Vendor 1 802.1q Cat 5E YES Group B Vendor 2 ISL Cat 5E YES Group C Vendor 3 802.1q Cat 5 NO Group D Vendor 4 802.1q Cat 5 YES ``` Which of the following would be the CISO's MOST immediate concern? - There are open standards in use on the network - Network engineers have ignored defacto standards - Network engineers are not following SOPs - The network has competing standards in use

- Network engineers have ignored defacto standards

A Chief Security Officer (CSO) is reviewing the organization's incident respose report form a recent incident. The details of the event indicate: 1. A user received a phishing email that appears to be a report from the organization's CRM tool 2. The user attempted to access the CRM tool via a fraudulent web page but was unable to access the tool. 3. The user, unaware of the compromised account, did not report the incident and continued to use the CRM tool with the original credentials. 4. Several weeks later, the user reported anomalous activity within the CRM tool. 5. Following an investigation, it was determined the account was compromised and an attacker in another country gained access to the CRM tool. 6. Following identification of the corrupted data and successful recovery from the incident, a lessons learned activity was to be led by the CSO. Which of the following would MOST likely have allowed the user to more quickly identify the unauthorized use of credentials by the attacker? ``` A. Security awareness training B. Last logon verification C. Log correlation D. Time of check controls E. Time-of-use controls F. WAYF-based authentication ```

- Last logon verification

Company.com uses a trusted internal PKI to issue x.509 certificates for securing internal web application servers. After a security engineer issued a new certificate for Webserver17, employees begin receiving browser errors when connecting to the web server. ``` Webserver17 certificate properties" Issuer internalpki.company.com Signature algorithm sha256 RSA Subject Webserver17.company.com Public key RSA (2048 bits) Enhanced key usage Client authentication Subject alternative name Erpapp.company.com Thumbprint algorithm sha1 ``` - The enhanced key usage field is missing server authentication OID - The thumbprint algorithm does not match the signature algorithm - The thumbprint algorithm is being flagged by the browser as insecure - The issuer is not a trusted CA by the web browser. - The subject alternative name is incorrect

- The enhanced key usage field is missing server authentication OID

One of the objectives of a bank is to instill a security awareness culture. Which of the following are techniques that could help to achieve this? (Choose TWO.) - Blue teaming - Phishing simulations - Lunch-and-learn - Random audits - Continuous monitoring - Separation of duties

- Phishing simulations | - Lunch-and-learn

An online bank has contracted with a consultant to perform a security assessment of the bank's web portal. The consultant notices the login page is linked from the main page with HTTP, but when the URL is changed to HTTP, the browser is automatically redirected back to the HTTPS site. Which of the following is a concern for the consultant and how can it be mitigated? - XSS could be used to inject code into the login page during the redirect to the HTTPS site. The consultant should implement a WAF to prevent this. - The consultant is concerned the site is using n older version of SSL 3.0 protocol that is vulnerable to a variety of attacks. Upgrading the site to TLS 1.0 would mitigate is issue. - The HTTP is is vulnerable to network sniffing, which could disclose usernames and passwords to an attacker. The consultant should recommend disabling HTTP on the web server. - A successful MITM attack could intercept the redirect and use sslstrip to decrypt further HTTPS traffic. Implementing HSTS on the web server would prevent this.

- A successful MITM attack could intercept the redirect and use sslstrip to decrypt further HTTPS traffic. Implementing HSTS on the web server would prevent this.

A university's help desk is receiving reports than Internet access on campus is not functioning. The network administrator looks at the management tools and sees the 1 Gbps Internet connection is completely saturated with ingress traffic. The administrator sees the following output on the Internet router: 13:45.12857 156.34.99.54.2343 > 192.168.3.78.443 s 37486928:37483928 (0) win 16384 13:45.12890 145.24.78.34.2343 > 192.168.3.78.443 s 58457854:58457854 (0) win 36638 13:45.12890 89.25.68.12.2343 > 192.168.3.78.443 s 3297488:32987488 (0) win 25411 13:45.12902 178.78.189.1.2343 > 192.168.3.78.443 s 36214896:36214869 (0) win 12225 13:45.12934 147.22.98.156.2343 > 192.168.3.78.443 s 21558745:21558745 (0) win 32633 13:45.12956 121.45.56.79.2343 > 192.168.3.78.443 s 86441289:86441289 (0) win 33225 13:45.12989 126.88.125.117.2343 > 192.168.3.78.443 s 47841688:48741688 (0) win 18412 The administrator calls the university's ISP for assistance, but it takes more than four hours to speak to a network engineer who can resolve the problem. Based on the information above, which of the following should the ISP engineer do to resolve the issue? - The ISP engineer should null route traffic to the web server immediately to restore Internet connectivity. The university should implement a remotely triggered black hole with the ISP to restore this more quickly. - A university web server is under increased load during enrollment. The ISP engineer should immediately increase to 2 Gbps to restore Internet connectivity. In the future, the university should pay more for bandwidth to handle spikes in web server traffic. - The ISP engineer should immediately begin blocking IP addresses that are attacking the web server to restore Internet connectivity. In the future, the university should install a WAF to prevent this attack from happening again. - The ISP engineer should begin refusing network connections to the web server immediately to restore Internet connectivity on campus. The university should purchase an IPS device to stop DDoS attacks in the future.

- The ISP engineer should begin refusing network connections to the web server immediately to restore Internet connectivity on campus. The university should purchase an IPS device to stop DDoS attacks in the future.

A recent overview of the network's security and storage applications reveals a large amount of data that needs to be isolated for security reasons. Below are the critical applications and devices configured for the network. - Firewall - Core switches - RM server - Virtual environment - NAC solution The security manager also wants data from all critical applications to be aggregated to correlate events from multiple sources. Which of the following must be configured in certain applications to help ensure data aggregation and data isolation are implemented on the critical applications and devices? (Select TWO) - Routing tables - Log forwarding - Data remnants - Port aggregation - NIC teaming - Zones

- Log forwarding | - Zones

A security administrator is troubleshooting RADIUS authentication for a newly implemented controller-based wireless deployment. The RADIUS server contains the following information in its logs: - A RADIUS message was received from the invalid RADIUS client IP address 10. 35.55.10 Based on this information, the administrator reconfigures the RADIUS server, which results in the following log data. - An Access-Request was received from RADIUS client 10.35.55.10 with a Message- Authenticator attribute that is not valid To correct this error message, the administrator makes an additional change to the RADIUS server. Which of the following did the administrator reconfigure on the RADIUS server? (Select TWO) - Added the controller address as an authorized client - Registered the RADIUS server to the wireless controller - Corrected a mismatched shared secret - Renewed the expired client certificate - Reassigned the RADIUS policy to the controller - Modified the client authentication method

- Added the controller address as an authorized client | - Corrected a mismatched shared secret

After investigating virus outbreaks that have cost the company $1,000 per incident, the company's Chief Information Security Officer (CISO) has been researching new antivirus software solutions to use and be fully supported for the next two years. The CISO has narrowed down the potential solutions to four candidates that meet all the company's performance and capability requirements: --- image --- Using the table above, which of the following would be the BEST business-driven choice among five possible solutions? - Product A - Product B - Product C - Product D - Product E

- Product D

A security analyst, who is working in a Windows environment, has noticed a significant amount of IPv6 traffic originating from a client, even though IPv6 is not currently in use. The client is a stand-alone device, not connected to the AD, that manages a series of SCADA device used for manufacturing. Which of the following is the appropriate command to disable the client's IPv6 stack? - c:\❯netsh ipsec static set policy name=MyIPPolicy /v Disable TCPIP6 - c:\❯reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\IPV6" /v disallowRun /t REG_DWORD /d "0000001" /t - c:\❯reg add "HKCU\system\CurrentControlSet\services\TCPIP6\Parameters /v DisabledComponets /t REG_DWORD /d 255 /t - c:\❯reg add "HKLM\SYSTEM\CurrentControllSet\IPV6" /f /v fDenyIPV6Connections /t

- c:\❯reg add "HKCU\system\CurrentControlSet\services\TCPIP6\Parameters /v DisabledComponets /t REG_DWORD /d 255 /t

An internal staff member logs into an ERP platform and clicks on a record. The browser URL changes to - http://192.168.0.11/ERP/accountID=5&action=SELECT Which of the following is the MOST likely vulnerability in this ERP platform - Brute forcing of the account credentials - Plain-text credentials transmitted over the Internet - Insecure direct object reference - SQL injection of ERP back end

- Plain-text credentials transmitted over the Internet

A security analyst has been asked to create a list of external IT security concerns, which are applicable to the organization. The intent is to show the different types of external actors, their attack vectors, and the types of vulnerabilities that would cause business impact. The Chief Information Security Officer (CISO) will then present this list to the board to request funding for controls in areas that have insufficient coverage. Which of the following exercise types should the analyst perform? - Summarize the most recently disclosed vulnerabilities - Research industry best practices and the latest RFC's - Undertake an external vulnerability scan and penetration test - Conduct a threat modeling exercise

- Conduct a threat modeling exercise

An organization is currently working with a client to mitigate data between a legacy ERP system and a cloud based ERP tool using a global PasS provider. As part of the engagement, the organization is performing data deduplication and sanitization of client data to ensure compliance with regulatory requirements. Which of the following is the MOST likely reason for the need to sanitize the client data? (Select TWO) - Data aggregation - Data volume - Data isolation - Data sovereignty - Data analytics - Data precision

- Data aggregation | - Data sovereignty

A medical device company is implementing a new COTS antivirus solution in its manufacturing plant. All validated machines and instruments must be retested for interoperability with the new software. Which of the following would BEST ensure the software and instruments are working as designed? - System design documentation - User acceptance testing - Peer Review - Static code analysis testing - Change control documentation

- Change control documentation

A security administrator wants to implement controls to harden company-owned mobile devices. Company policy specifies the following requirements: - Mandatory access control must be enforced by the OS - Devices must use the mobile carrier data transport Which of the following controls should the security administrator implement? (Select THREE) ``` A. Enable DLP B. Enable SEAndroid C. Enable EDR D. Enable secure boot E. Enable secure wipe F. Disable Bluetooth G. Disable 802.11 H. Disable geotagging ```

- Enable SEAndroid - Disable Bluetooth - Disable 802.11

Several recent ransomware outbreaks at a company have cost a significant amount of lost revenue. The security team needs to find a technical control mechanism that will meet the following requirements and aid in preventing these outbreaks. - Stop malicious software that does not match a signature - Report on instances of suspicious behavior - Protect from previously unknown threats - Augment existing security capabilities Which of the following tools would BEST meet thee requirements? - Host-based firewall - EDR - HIPS - Patch management

- HIPS

A penetration tester is trying to gain access to a remote system. The tester is able to see the secure login page and knows one user account and email address, but has not yet discovered a password. Which of the following would be the EASIEST method of obtaining a password for the known account? - Man In The Middle - Reverse engineering - Social engineering - Hash cracking

- Social engineering

A security engineer successfully exploits an application during a penetration test. As proof of the exploit, the security engineer takes screenshots of how the data was compromised in the application. Given the information below from the screenshot 2019-11-21 13:11:45 POST http://company.com/store

- The engineer queried the server and edited the data using an HTTP proxy interceptor

Click on the exhibit buttons to view the four messages. --- images and stuff --- A security architect is working with a project team to deliver an important service that stores and processes customer banking details. The project, internally known as ProjectX, is due to launch its first set of features publicly within a week, but the team has not been able to implement encryption-at-rest of the customer records. The security architect is drafting an escalation email to senior leadership. Which of the following BEST conveys the business impact for senior leadership? - Message 1 - Message 2 - Message 3 - Message 4

- Message 4

The director of sales asked the development team for some small changes to increase the usability of an application used by the sales team. Prior security reviews of the code showed no significant vulnerabilities, and since the changes were small, they were given a peer review and then pushed to the live environment. Subsequent vulnerability scans now show numerous flaws that were not present in the previous versions of the code. Which of the following is an SDLC best practice that should have been followed? - Versioning - Regression testing - Continuous integration - Integration testing

- Regression testing

ODBC access to a database on a network-connected host is required. The host does not have a security mechanism to authenticate the incoming ODBC connection, and the application requires that the connection have read/write permissions. In order to further secure the data, anon standard configuration would need to be implemented. The information in the database is not sensitive, but was not readily accessible prior to the implementation of the ODBC connection. Which of the following actions should be taken by the security analyst? - Accept the risk in order to keep the system within the company’s standard security configuration. - Explain the risks to the data owner and aid in the decision to accept the risk versus choosing a nonstandard solution. - Secure the data despite the need to use a security control or solution that is not within company standards. - Do not allow the connection to be made to avoid unnecessary risk and avoid deviating from the standard security configuration.

- Explain the risks to the data owner and aid in the decision to accept the risk versus choosing a nonstandard solution.

The government is concerned with remote military missions being negatively being impacted by the use of technology that may fail to protect operational security. To remediate this concern, a number of solutions have been implemented, including the following: - End-to-end encryption of all inbound and outbound communication, including personal email and chat sessions that allow soldiers to securely communicate with families. - Layer 7 inspection and TCP/UDP port restriction, including firewall rules to only allow TCP port 80 and 443 and approved applications - A host-based whitelist of approved websites and applications that only allow mission-related tools and sites - The use of satellite communication to include multiple proxy servers to scramble the source IP address Which of the following is of MOST concern in this scenario? - Malicious actors intercepting inbound and outbound communication to determine the scope of the mission - Family members posting geotagged images on social media that were received via email from soldiers - The effect of communication latency that may negatively impact real-time communication with mission control - The use of centrally managed military network and computers by soldiers when communicating with external parties

- Malicious actors intercepting inbound and outbound communication to determine the scope of the mission

Following a complete outage of the electronic medical record system for more than 18 hours, the hospital's CEO has requested that the CISO perform an investigation into the possibility of a disgruntled employee causing the outage maliciously. To begin the investigation, the CISO pulls all event logs and device configurations from the time of the outage. The CISO immediately notices the configuration of a top-of-rack switch from one day prior to the outage does not match the configuration that was in place at the time of the outage. However, none of the event logs show who changed the switch configuration, and seven people have the ability to change it. Because of this, the investigation is inconclusive. Which of the following processes should be implemented to ensure this information is available for future investigations? - Asset inventory management - Incident response plan - Test and evaluation - Configuration and change management

- Configuration and change management

A laptop is recovered a few days after it was stolen. Which of the following should be verified during incident response activities to determine the possible impact of the incident? - Full disk encryption status - TPM PCR values - File system integrity - Presence of UEFI vulnerabilities

- Full disk encryption status

An incident responder wants to capture volatile memory comprehensively from a running machine for forensic purposes. The machine is running a very recent release of the LINUX os, which of the following technical approaches would be the MOST feasible way to accomplish this capture? - Run the memdump utility with the -k flag - Use a loadable kernel module capture utility, such a LiME - Run dd on /dev/mem - Employ a stand-alone utility, such as FTK Imager

- Use a loadable kernel module capture utility, such a LiME

Given the following: ``` // TODO - should this be odbc or jdbc? var oddcString = getaParameterByName("queryString", "dbConnector"); doc.interHTML = "DB connector: ❮b❯ + odbcString + "❮/b❯"; document.body.appendChild(doc); ``` Which of the following vulnerabilities is present in the above code snippet? - Disclosure of database credential - SQL-based string concatenation - DOM-based injection - Information disclosure in comments

- Disclosure of database credential

A financial institution's information security officer is working with the risk management officer to determine what to do with the institution's residual risk after all security controls have been implemented. Considering the institution's very low risk tolerance, which of the following strategies would be best? - Transfer the risk - Avoid the risk - Mitigate the risk - Accept the risk

- Transfer the risk

First responders, who are part of a core incident response team, have been working to contain an outbreak of ransomware that also led to data loss. In the rush to isolate the three hosts that were calling out to the NAS to encrypt whole directories, the hosts were shut down immediately and then isolated. Which of the following were missed? (Select TWO) - CPU, process state tables, and main memory dumps - Essential information needed to perform data restoration to a known clean state - Temporary file system and swap space - Indicators of compromise to determine ransomware encryption - Chain of custody information needed for investigation

- CPU, process state tables, and main memory dumps | - Temporary file system and swap space

A software company is releasing a new mobile application to a broad set of external customers. Because the software company is rapidly releasing new features, it has built in an over-the-air software update process that can automatically update the application at launch time. Which of the following security controls should be recommended by the company's security architect to protect the integrity of the update process? (Select TWO) - Validate cryptographic signatures applied to software updates - Perform certificate pinning of the associated code signing key - Require HTTPS connections for downloads of software updates - Ensure there are multiple download mirrors for availability - Enforce a click-through process with user opt-in for new features

- Validate cryptographic signatures applied to software updates - Require HTTPS connections for downloads of software updates

A company that has been breached multiple times is looking to protect cardholder data. The previous undetected attacks all mirrored normal administrator behavior. The company must deploy a host solution to meet the following requirements: 1. Detect administrative actions 2. Block unwanted MD5 hashes 3. Provide alerts 4. Stop exfiltration of cardholder data Which of the following solutions would BEST meet these requirements? (Select TWO) - AV - EDR - HIDS - DLP - HIPS - EFS

- EDR | - HIPS

An organization wants to arm its cybersecurity defense suite automatically with intelligence on zero-day threats shortly after they emerge. Acquiring tools and services which support the following data standards would BEST enable the organization to meet this objective? - XCCDF - OVAL - STIX - CWE - CVE

- STIX

A technician is validating compliance with organizational policies. The user and machine accounts in the AD are not yet to expire, which is non-compliant. Which of the following network tools would provide this type of information? - SIEM server - IDS appliance - SCAP scanner - HTTP interceptor

- SCAP scanner

During a criminal investigation, the prosecutor submitted the original hard drive from the suspect's computer as evidence. The defense objected during the trial proceedings, and the evidence was rejected. Which of the following practices should the prosecutor' forensics team have used to ensure the subject's data would be admissible as evidence? (Select TWO) - Follow chain of custody best practices - Create an identical image of the original hard drive, store the original securely, and then perform forensics only on the imaged drive - Use forensics software on the original hard drive and present generated reports as evidence - Create a tape backup of the original hard drive and present the backup as evidence - Create an exact image of the original hard drive for forensics purposes, and then place the original back in service.

- Follow chain of custody best practices - Create an identical image of the original hard drive, store the original securely, and then perform forensics only on the imaged drive

Within the past six months, a company has experienced a series of attacks directed a various collaboration tools. Additionally, sensitive information was compromised during a recent security breach of a remote access session from an unsecured site. As a result, the company is requiring all collaboration tools to comply with the following: - Secure messaging between internal users using digital signatures - Secure sites for video conferencing sessions - Presence information for all office employees - Restriction of certain types of messages to be allowed into the network Which of the following applications must be configured to the meet the requirements? (Select TWO) - Remote desktop - VoIP - Remote assistance - Email - Instant messaging - Social media websites

- Email | - Instant messaging

A security analyst is reviewing the following packet capture of communication between a host and company's router: 1 192.168.1.10 -> 10.5.10.1 icmp echo request 33 bytes sent ABCDEFGHIJKLMNOPQRSTUVWXYZ 2 10.5.10.1 -> 192.168.1.10 icmp echo reply 34 bytes sent ABCDEFGHIJKLMNOPQRSTUVWXYZ%MDKF8 Which of the following actions should the security analyst take to remove this vulnerability? - Update the router code - Implement a router ACL - Disconnect the host from the network - Install the latest the latest antivirus definitions - Deploy a network based IPS

- Implement a router ACL

A security analyst is reviewing the following pseudo-output snippet after running the command less /temp/file.tmp. ``` JFIF 40 42.8562N 74 0.3582W DLLA;SSKFAKFSFAJFSUTHWNVUNVNUVNUVWVN RWEIMVMIOWEMVWVMMVVMVMOWMVOMMIOMVMMM ELRWIOURITU8U4DFVUR9W8UVOFW9JVKVWOVN ``` The information above was obtained from a public-facing website and used to identify military assets. Which of the following should be reduced the risk of a similar compromised? - Deploy a solution to sanitize geotagging information - Install software to wipe data remnants on servers - Enforce proper input validation on mission-critical software - Implement a digital watermarking solution

- Deploy a solution to sanitize geotagging information

A security engineer is managing operational, excess, and available equipment for a customer. Three pieces of expensive leased equipment, which are supporting a highly confidential portion of the customer network, have recently been taken out of operation. The engineer determines the equipment lease runs for another 18 months. Which of the following is the BEST course of action for the engineer to take to decommission the equipment properly? - Remove any labeling indicating the equipment was used to process confidential date and mark it as available for reuse - Return the equipment to the leasing company and seek a refund for the unused time - Redeploy the equipment to a less sensitive part of the network until the lease expires - Securely wipe all device memory and store the equipment in a secure location until the end of the lease

- Securely wipe all device memory and store the equipment in a secure location until the end of the lease

A company has created a policy to allow employees to use their personally owned devices. The CISO is getting reports of company data appearing on unapproved forums and an increase in theft of personal electronic devices. Which of the following security controls would BEST reduce the risk of exposure? - Disk encryption on the local drive - Group policy to enforce failed login lockout - Multifactor authentication - Implementation of email digital signatures

- Multifactor authentication

Staff members are reporting an unusual number of device thefts associated with time out of the office. Thefts increased soon after the company deployed a new social networking app. Which of the following should the CISO recommend implementing? - Automatic location check-ins - Geolocated presence privacy - Integrity controls - NAC checks to quarantine devices

- Automatic location check-ins

A project manager is working with system owners to develop maintenance windows for system patching and upgrades in a cloud-based PaaS environment. Management has indicated one maintenance window will be authorized per month, but clients have stated they require quarterly maintenance windows to meet their obligations. Which of the following documents should the project manager review? - MOU - SOW - SRTM - SLA

- SLA

A newly hired CISO wants to understand how the organization's CIRT handles issues brought to their attention, but needs to be very cautious about impacting any systems. The MOST appropriate method to use would be: - an internal vulnerability assessment - a red team threat hunt exercise - a white-box penetration test - a guided tabletop exercise

- a guided tabletop exercise

A CISO is developing a new BIA for the organization. The CISO wants to gather requirements to determine the appropriate RTO and RPO for the organization's ERP. Which of the following should the CISO interview as MOST qualified to provide RTO/RPO metrics? - Data custodian - Data owner - Security analyst - Business unit director - Chief Executive Office

- Business unit director

An external red team member conducts a penetration test, attempting to gain physical access to a large organization's server room in a branch office. During reconnaissance, the red team member sees a clearly marked door to the server room, located next to the lobby, with a tumbler lock. Which of the following is BEST for the red team member to bring on site to open the locked door as quickly as possible without causing significant damage? - Screwdriver set - Bump key - RFID duplicator - Rake picking

- Bump key

A company relies on the ICS to perform equipment monitoring functions that are federally mandated for operation of the facility. Fines for non-compliance could be costly. The ICS has known vulnerabilities and can no longer be patched or updated . Cyber-liability insurance cannot be obtained because insurance companies will not insure this equipment. Which of the following would be the BEST option to manage this risk to the company's production environment? - Avoid the risk by removing the ICS from production - Transfer the risk associated with the ICS vulnerabilities - Mitigate the risk by restricting access to the ICS - Accept the risk and upgrade the ICS when possible.

- Mitigate the risk by restricting access to the ICS

A medical facility wants to purchase mobile devices for doctors and nurses. To ensure accountabilities, each individual will be assigned a separate mobile device. Additionally, to protect patient health information, management has identified the following requirements: - Data must be encrypted at rest - The device must be disabled if it leaves the facility - The device must be disabled when tampered with Which of the following technologies would BEST support these requirements? (Select TWO) - eFuse - NFC - GPS - Biometric - USB 4.1 - MicroSD

- eFuse | - GPS

An organization is improving its web services to enable better customer engagement and self-service. The organization has a mobile application and a rewards portal provided by a third party. The business wants to provide customers with the ability to log in once and have SSO between each of the applications. The integrity of the identity is important so it can be propagated through to back-end systems to maintain a consistent audit trail. Which of the following authentication and authorization types BEST meet the requirements? (Select TWO) - SAML - Social login - OpenID connect - XACML - SPML - OAuth

- Social login | - OpenID connect

A security administrator is concerned with the security of data processed and stored by a secure Linux system. The administrator executes the bash script shown below: while i; do echo $RANDOM%10; done; The administrator then reviews the following output generated by the bash script. 3 9 2 7 3 9 2 3 8 4 7 5 7 4 6 4 5 Additionally, the administrator needs to consider the classification of the data stored. Which of the following action is MOST appropriate? - Use an external source of entropy - Implement perfect forward secrecy - Use a cryptographic service provider - Implement a key stretching algorithm

- Use a cryptographic service provider

A penetration testing manager is contributing to an RFP for the purchase of a new testing platform. The manager has provided the following requirements: - Must be able to MITM web-based protocols - MUST be able to find common misconfigurations and security holes Which of the following types of testing tools should be included in the testing platform? (Select TWO) - Reverse engineering tool - HTTP intercepting proxy - Vulnerability scanner - File integrity monitor - Password cracker - Fuzzer

- HTTP intercepting proxy | - Vulnerability scanner

A recent security assessment revealed a web application may be vulnerable to clickjacking. According to the application developers, a fix may be months away. Which of the following should a security engineer configure on the web server to help mitigate the issue? - File upload size limits - HttpOnly cookie field - X-Frame-Options header - Input validation

- X-Frame-Options header

A security engineer is designing a system in which offshore, outsourced staff can push code from the development environment to the production environment securely. The security engineer is concerned with data loss, while the business does not want to slow down its development process. Which of the following solutions BEST balances security requirements with business need? - Set up a VDI environment that prevents copying and pasting to the local workstations of the outsourced staff members - Install a client-side VPN on the staff laptops and limit access to the developments - Create an IPSec VPN tunnel from the development network to the office of the outsourced staff - Use online collaboration tool to initiate workstation-sharing sessions with local staff who have access to the development network.

- Set up a VDI environment that prevents copying and pasting to the local workstations of the outsourced staff members

A security architect is reviewing the code for company's finance HTML element, along with a server-side function, to generate a random number on the page used to initiate a funds transfer: ❮input type="hidden" name="token" value=generateRandomNumber()❯ Which of the following attacks is the security architect attempting to prevent? - SQL Injection - XSRF - XSS - Clickjacking

- XSRF

Following a security assessment, the CISO is reviewing the results of the assessment and evaluation potential risk treatment strategies. As part of the CISO's evaluation, a judgment of potential impact based on the identified risk is performed. To prioritize response actions, the CISO uses past experience to take into account the exposure factor as well as the external accessibility of the weakness identified. Which of the following is the CISO performing? - Documentation of lessons learned - Quantitative risk assessment - Qualitative assessment of risk - Business impact scoring - Threat modeling

- Qualitative assessment of risk

The marketing department has developing a new marketing campaign involving significant social media outreach. The campaign includes allowing employee and customers to submit blog posts and pictures of their of their day to day experiences at the company. The information security manager has been asked to provide an informative letter to all participants regarding the security risks and how to avoid privacy and operational security issues. Which of the following is the MOST important information to reference in the letter? - After-action reports from prior incidents - Social engineering techniques - Company policies and employee NDAs - Data Classification processes

- Company policies and employee NDAs

A security administrator is reviewing the following output from an offline password audit: Username Password Crack Time User1 Teleportation1 4s User2 Amphitheater1 2s User3 Undetermined4u. 10s Which of the following should the systems administrator implement to BEST address this audit finding? (Select TWO) - Cryptoprocessor - Bcrypt - SHA-256 - PBKDF2 - Message authentication

- Bcrypt | - PBKDF2

A security architect has been assigned to a new digital transformation program. The objectives are to provide better capabilities to customers and reduce costs. The program has highlighted the following requirements: 1. Long live sessions are required, as users do on log in very often 2. The solution has multiple SPs, which include mobile and web applications 3. A centralized IdP is utilized for all customer digital channels 4. The applications provide different functionality types such as forums and customer portals 5. The user experience needs to be the same across both mobile and web-based applications ----- - Social login to IdP, securely store session cookies, and implement one-time passwords sent to the mobile device - Certificate-based authentication to IdP, securely store access tokens, and implement secure push notifications - Username and password authentication to IdP, securely store refresh tokens, and implement context-aware authentication - Username and password authentication to SP, securely store Java web tokens, and implement SMS OTPs

- Username and password authentication to SP, securely store Java web tokens, and implement SMS OTPs

During a security assessment, activities were divided into two phases: internal and external exploitation. The security assessment team set a hard time limit on external activities before moving to a compromised box within the enterprise perimeter. Which of the following methods is the assessment team most likely to employ NEXT? - Pivoting from the compromised, moving laterally through the enterprise, and trying to exfiltrate data and compromise devices - Conducting a social engineering attack attempt with the goal of accessing the compromised box physically - Exfiltrating network scans from the compromised box as a precursor to social media reconnaissance - Open-source intelligence gathering to identify the network perimeter and scope to enable further system compromised

- Pivoting from the compromised, moving laterally through the enterprise, and trying to exfiltrate data and compromise devices

Ann, a member of the finance department at a large corporation, has submitted a suspicious email she received to the information security team. The team was not expecting an email from Ann, and it contains a PDF file inside a ZIP compressed archive. The information security team is not sure which files were opened. A security team members uses an air-gapped PC to open the ZIP and PDF, and it appears to be a social engineering attempt to deliver an exploit. Which of the following would provide greater insight on the potential impact of the attempting attack? - Run an antivirus scan on the finance PC - Use a protocol analyzer on the air-gapped PC - Perform reverse engineering on the document - Analyze network logs for unusual traffic - Run a baseline analyzer against the user's computer

- Use a protocol analyzer on the air-gapped PC

An organization has recently deployed an EDR solution across its laptops, desktops, and server infrastructure. The organization's server infrastructure is deployed in an IaaS environment. A database within the nonproduction environment has been misconfigured with a routable IP and is communicating with a command and control server. Which of the following procedures should the security responder apply to the situation? (Select TWO) - Contain the server - Initiate a legal hold - Perform a risk assessment - Determine the data handling standard - Disclose the breach to customers - Perform an IOC sweep to determine the impact

- Initiate a legal hold | - Perform an IOC sweep to determine the impact

A managed service provider is designing a log aggregation service for customers who no longer want to manage an internal SIEM infrastructure. The provider expects that customers will send all types of logs to them, and that log files could contain very sensitive entries. Customers have indicated that they want on-premises and cloud-based infrastructure logs to be stored in this new service. An engineer, who is designing the new service is deciding how to segment customers. Which of the following is the BEST statement for the engineer to take into consideration? - Single-tenancy is often more expensive and has less efficient resource utilization. Multi tenancy may increase the risk of cross-customer exposure in the event of service vulnerabilities. - The managed service provider should outsource security of the platform to an existing cloud company. This will allow the new log service to be launched faster and with well-tested security controls. - Due to the likelihood of large log volumes, the service provider should use a multi tenancy model for the data storage tier, enable data deduplication for storage for storage cost efficiency, and encrypt data at rest. - The most secure design approach would be to give customers on-premises appliances, install agents on endpoints, and then remotely manage the service via a VPN.

- Single-tenancy is often more expensive and has less efficient resource utilization. Multi tenancy may increase the risk of cross-customer exposure in the event of service vulnerabilities.

An administrator is working with management to develop policies related to the use of cloud-base resources that contain corporate data. Management plans to require some control over organizational data stored on personal devices, such as tablets. Which of the following controls would BEST support management's policy? - MDM - Sandboxing - Mobile tokenization - FDE - MFA

- MDM

An infrastructure team is at the end of a procurement process and has selected a vendor. As part of the final negotiations, there are a number of outstanding issues, including: 1. Indemnity clauses have identified the maximum liability 2. The data will be hosted and managed outside of the company's geographical location. The number of users accessing the system will be small, and no sensitive data will be hosted in the solution. As the security consultant on the project, which of the following should the project's security consultant recommend as the NEXT step? - Develop a security exemption, as it does not meet the security - Mitigate the risk by asking the vendor to accept the in-country privacy principles - Require the solution owner to accept the identified risks and consequences - Review the entire procurement process to determine the lessons learned.

- Require the solution owner to accept the identified risks and consequences

A security engineer is working with a software development team. The engineer is tasked with ensuring all security requirements are adhered to by the developers. Which of the following BEST describes the contents of the supporting document the engineer is creating? - A series of ad-hoc tests that each verify security control functionality of the entire system at once. - A series of discrete tasks that, when viewed in total, can be used to verify and document each individual constraint from the SRTM - A set of formal methods that apply to one or more of the programming languages used on the development project - A methodology to verify each security control in each unit of developed code prior to committing the code.

- A methodology to verify each security control in each unit of developed code prior to committing the code.

A system owner has requested support from data owners to data owners to evaluate options for the disposal of equipment containing sensitive data. Regulatory requirements state the data must be rendered unrecoverable via logical means or physically destroyed. Which of the following facts is the regulation intended to address? - Sovereignty - E-waste - Remanence - Deduplication

- E-waste

Following a recent data breach, a company has hired a new CISO. The CISO is very concerned with the response time to the previous breach and wishes to know how the security team expects to react to future attacks. Which of the following is the BEST method to achieve this goal while minimizing disruption? - Perform a black box assessment - Hire an external red team audit - Conduct a tabletop exercise - Recreate the previous breach - Conduct an external vulnerability assessment

- Conduct a tabletop exercise

An administrator has noticed mobile devices from an adjacent company on the corporate wireless network. Malicious activity is being reported from those devices. To add another layer of security in an enterprise environment, an administrator wants to add contextual authentication to allow users to access enterprise resources only while present in corporate buildings. Which of the following technologies would accomplish this? - Port security - Rogue device detection - Bluetooth - GPS

- Rogue device detection

After several industry competitors suffered data loss as a result of cyberattacks, the COO of a company reaches out to the information security manager to review the organization's security stance. As a result of the discussion, the COO wants the organization to meet the following criteria: - Blocking of suspicious websites - Prevention of attacks based on threat intelligence - Reduction in spam - Identity-based reporting to meet regulatory compliance - Prevention of viruses based on signature - Protect applications from web-based threats Which of the following would be the BEST recommendation the information security manager can make? - Reconfigure existing IPS resources - Implement a WAF - Deploy a SIEM solution - Deploy a UTM solution - Implement a EDR platform

- Deploy a UTM solution

A security administrator is concerned about the increasing number of users who click on malicious links contained within phishing emails. Although the company has implemented a process to block these links at the network perimeter, many accounts become compromised. Which of the following should be implemented to further reduce the account compromises caused by remote users who click these links? - Anti-spam gateways - Security awareness training - URL rewriting - Internal phishing campaign

- Internal phishing campaign

After a large organization has completed the acquisition of a smaller company, the smaller company must implement a new host-based security controls to connect its employees' devices to the network. Given that the network requires 802.1X EAP-PEAP to identify and authenticate devices, which of the following should the security administrator do to integrate the new employees' devices to the network securely? - Distribute a NAC client and use the client to push the company's private key to the new device - Distribute the device connection policy and use a unique public/private key pair to each new employee's device - Install a self-signed SSL certificate on the company;s RADIUS server and distribute the certificate's public key to all new client devices - Install an 802.1X supplicant on all new devices and let each device generate a self-signed certificate to use for network access

- Distribute the device connection policy and use a unique public/private key pair to each new employee's device

A request has been approved for a vendor to access a new internal server using HTTPS and SSH to manage the backend system for the portal. Internal users just need HTTP and HTTPS access to all the internal webservers. All other external access to the new server and its subnet is not allowed. The security manager must ensure proper access us configured: ``` New internal server IP: 10.1.50.150 Vendor IP: 208.206.109.249 External development subnet: 108.109.110.0/28 Internal subnet: 10.1.10.0/24 Web team subnet: 10.1.40.0/24 Web server subnet: 10.1.50.0/24 ``` Below is a snippet from the firewall related to that server (access is provided in a top-down model): Line # Source address Destination address Port Access type 1 10.1.40.0/24 10.1.50.0/24 Any Permit 2 10.1.10.0/24 10.1.50.0/24 80 Permit 3 Any 10.1.50.0/24 Any Deny 4 208.206.109.249 10.1.50.150 80, 22 Permit 5 10.1.40.0/24 108.109.110.0/28 80, 8080 Permit Which of the following lines should be configured to allow proper access? (Select TWO). A. Move line 3 below line 4 and change port 80 to 443 on line 4 B. Move line 3 below line 4 and add port 443 to line C. Move line 4 below line 5 and change port 80 to 8080 on line 2 D. Add port 22 to line 2 E. Add port 22 to line 5 F. Add port 443 to line 2 G. Add port 443 to line 5

- Move line 3 below line 4 and change port 80 to 443 on line 4 - Add port 443 to line 2

Following a merger, the number of remote sites for a company has doubled to 52. The company has decided to secure each remote site with an NGFW to provide web filtering, NIDS/NIPS and network antivirus. The CIO has requested that the security engineer provide recommendations on sizing for the firewall with the requirements that it be easy to manage and provide capacity for growth. The tables below provide information on a subset of remote sites and the firewall options ``` Location # of Users Connectivity Bandwidth Utilization St. Louis 18 50Mbps 20Mbps Des Moines 12 25Mbps 19Mbps Chicago 27 100Mbps 41Mbps Rapid City 6 10Mbps 8Mbps Indianapolis 7 12Mbps 8Mbps ``` ``` Vendor Maximum Recommended Firewall Full UTM? Centralized Management Devices Throughput Available? A 40 150Mbps Y Y B 60 400Mbps N Y C 25 200Mbps N N D 25 100Mbps Y Y ``` Which of the following would be the BEST option to recommend to the CIO? - Vendor A for all remote sites - Vendor B for all remote sites - Vendor C for small remote sites, and Vendor B for larger sites - Vendor C for all remote sites - Vendor D for all remote sites

- Vendor A for all remote sites

A new database application was added to a company's hosted VM environment. Firewall ACLs were modified to allow database users to access the server remotely. The company's IdTrust security broker then identified abnormal behavior from a database user on-site. Upon further investigation, the security team noticed a user ran code on the VM that provided access to the hypervisor directly and access to other sensitive data. Which of the following should the security team do to help mitigate future attacks within the VM environment? (Select TWO) - Install the appropriate patches - Install perimeter NGFW - Configure VM isolation - Deprovision database VM - Change the user's access privileges - Update virus definitions on all endpoints

- Configure VM isolation | - Change the user's access privileges

A newly hired CISO is reviewing the organization's security budget from the previous year. The CISO notices $120,000 worth of fines were paid for not properly encrypting outbound email messages. The CISO expects next year's cost associated with the fines to be double and the volume of messages to increase by 100%. The organization sent out approximately 25,000 messages per year over the last three years. Given the table below: ``` Security product Hardware price Installation fee Cost per message Throughput MTBF DLP Vendor A $50,000 $25,000 $1 100Mbps 10000 hours DLP Vendor B $38,000 $10,000 $2 50Mbps 8000 hours DLP Vendor C $45,000 $30,000 $1 70Mbps 7000 hours DLP Vendor D $40,000 $60,000 $0.50 100Mbps 7000 hours ``` Which of the following would be the BEST for the CISO to include in this year's budget? - A budget for DLP Vendor A - A budget for DLP Vendor B - A budget for DLP Vendor C - A budget for DLP Vendor D - A budget line for paying future fines

- A budget for DLP Vendor A

An organization just merged with an organization in another legal jurisdiction and must improve its security posture in ways that do not require additional resources to implement data isolation. One recommendation is to block communication between endpoint PC's. Which of the following would be the BEST solution? - Installing HIDS - Configuring a host-based firewall - Configuring EDR - Implementing network segmentation

- Configuring a host-based firewall

An organization is currently performing a market scan for managed security services and EDR capability. Which of the following business documents should be released to the prospective vendors in the first step of the process? (Select TWO) - MSA - RFP - NDA - RFI - MOU - RFQ

- RFP | - RFI

A penetration tester has been contracted to conduct a physical assessment of a site. Which of the following is the MOST plausible method of social engineering to be conducted during this engagement? - Randomly calling customer employees and posing as a help desk technician requesting user password to resolve issues - Posing as a copier service technician and indicating the equipment had "phone home" to alert the technician for a service call - Simulating an illness while at a client location for a sales call and then recovering once listening devices are installed - Obtaining fake government credentials and impersonating law enforcement to gain access to a company facility

- Posing as a copier service technician and indicating the equipment had "phone home" to alert the technician for a service call

Developers are working on a new feature to add to a social media platform. The new feature involves users uploading pictures of what they are currently doing. The data privacy officer (DPO) is concerned about various types of abuse that might occur due to this new feature. The DPO states the new feature cannot be released with addressing the physical safety concerns of the platform's users. Which of the following controls would BEST address the DPO's concerns? - Increasing blocking options available to the unloader - Adding a one-hour delay of all uploaded photos - Removing all metadata in the uploaded photo file - Not displaying to the public who uploaded the photo - Forcing TLS for all connections on the platform

- Removing all metadata in the uploaded photo file

A security administrator is updating corporate policies to respond to an incident involving collusion between two system administrators that went undetected for more than six months. Which of the following policies would have MOST likely uncovered the collusion sooner? (Select TWO) - Mandatory vacation - Separation of duties - Continue monitoring - Incident response - Time-of-day restrictions - Job rotation

- Mandatory vacation | - Job rotation

A consultant is hired to perform a passive vulnerability assessment of a company to determine what information might be collected about the company and its employees. The assessment will be considered successful if the consultant can discover the name of one of the IT administrators. Which of the following is MOST likely to produce the needed information? - Whois - DNA enumeration - Vulnerability scanner - Fingerprinting

- Whois

Following a recent audit, an in-house software solution is found to have multiple security holes and vulnerabilities. The application is hosted on a public-facing legacy server that has access to an internal database containing sensitive information. The security manager must find a secure solution to protect the data without outsourcing the application. External access is still required for this application. The following was fully implemented recently within the enterprise network. - NGFW on the perimeter network - Internal VM environment within the datacenter - New storage solution - SSO integration for all new applications Which of the following would BEST protect the data? - Virtualize the server, patch the host infrastructure, and disable unnecessary services - Use secure commercial software to process the data and integrate SSO - Place the server in a DMZ and configure appropriate NAT and security rules - Harden the server, configure SSO, and disable the inbound connection on the NGFW to the database - Connect the server to the new storage solution and secure external access to the database

- Place the server in a DMZ and configure appropriate NAT and security rules

Due to a recent acquisition, the security team must find a way to secure several legacy application, During the review of the applications, the following issues are documented: - The applications are considered mission-critical - The applications are written in code languages not currently supported by the development staff - Security updates and patches will not be paid available for the applications - Username and passwords do not meet corporate standards - The data contained within the applications include both PII and PHI - The applications communicate using TLS 1.0 - Only internal users access the applications Which of the following should be utilized to reduce the risk associated with these application and their current architecture? - Update the company policies to reflect the current state of the applications so they are not out of compliance - Create a group policy to enforce password complexity and username requirements - Use network segmentation to isolate the applications and control access - Move the applications to virtual server that meet the password and account standards

- Use network segmentation to isolate the applications and control access

A corporate forensic investigator has been asked to acquire five forensic images of an employee database application. There are three images to capture in the US, one in the UK and one in Germany. Upon completion of the work, the forensic investigator saves the images to a local workstation. Which of the following types of concerns should the forensic investigator have about this work assignment? - Environmental - Privacy - Ethical - Criminal

- Privacy

A large, public university has recently been experiencing an increase in ransomware attacks against computers connected to its network. Security engineers have discovered various staff members receiving seemingly innocuous files in their email that are being run. Which of the following would BEST mitigate the attack method? - Improving organizational email filtering - Conducting user awareness training - Upgrading endpoint anti-malware software - Enabling application whitelisting

- Enabling application whitelisting

An organization is evaluating options related to moving organizational assets to a cloud-based environment using an IaaS provider. One engineer has suggested connecting a second cloud environment within the organization's existing facilities to capitalize on available datacenter space and resources. Other project members are concerned about such a commitment of organizational assets and ask the Chief Security Office (CSO) for input. The CSO explains that the project team should work with the engineer to evaluate the risks associated with using the datacenter to implement... - a hybrid cloud - an on-premised private cloud - a hosted hybrid cloud - a private cloud

- a hybrid cloud

A company recently implemented a new cloud storage storage solution and installed the required synchronization client on all company devices. A few months later. a breach of sensitive data was discovered. Root cause analysis shows the data breach happened from a lost personal mobile device. Which of the following controls can the organization implement to reduce the risk of similar breaches? - Biometric authentication - Cloud storage encryption - Application containerization - Hardware anti-tamper

- Biometric authentication

A company is migrating systems from an on-premises facility to a third-party managed datacenter. For continuity of operations and business agility, remote access to all hardware platforms must be available at all times. Access controls need to be very robust and provide an audit trail. Which of the following security controls will meet the company's objectives? (Select TWO) - Integrated platform management interfaces are configured to allow access only via SSH - Access to hardware platforms is restricted to the system administrator's IP address - Access is captured in event logs that include source address, time stamp, and outcome - The IP addresses of server management interfaces are located within the company's extranet - Access is limited to interactive logins on the VDI - Application logs are hashed cryptographically and sent to a SIEM

- Integrated platform management interfaces are configured to allow access only via SSH - Access is captured in event logs that include source address, time stamp, and outcome

The CISO accompanies the CIO to purchase a small piece of office equipment that is needed for an upcoming project. When paying for the item, the CIO is asked to use the EMV chip reader instead of swiping. The CIO asks the CISO what is difference, and the CISO explains it is part of the store's risk management. The chip reader allows the store to: - avoid fraudulent card risk - transfer fraudulent card risk - mitigate fraudulent card risk - accept fraudulent card risk

- mitigate fraudulent card risk

A security architect has designated that a server segment of an enterprise network will require each server to have secure and measured boot capabilities. The architect now wishes to ensure service consumers and peers can verify the hosted services. Which of the following capabilities must the architect consider for enabling the verification? - Centralized attestation server - Enterprise HSM - vTPM - SIEM

- Centralized attestation server

A vendor develops a mobile application for global customers. The mobile application supports advanced encryption of data between the source (the mobile device) and the destination (the organization's ERP system). As part of the vendor's compliance program, which of the following would be important to take into account? - Mobile tokenization - Export controls - Device containerization - Privacy policies

- Export controls

A security manager recently categorized an information system. During the categorization effort, the manager determined the loss of integrity of a specific information type would impact business significantly. Based on this, the security manager recommends the implementation of several solutions. Which of the following, when combined, would BEST mitigate this risk? (Select TWO) - Access control - Whitelisting - Signing - Validation - Boot attestation

- Access control | - Validation

An internal penetration tester was assessing a recruiting page for potential issues before it was pushed to the production website. The penetration tester discovers an issue that must be corrected before the page goes live. The web host administrator collects the log files below and gives them to the development team so improvements can made to the security design of the website. --- image --- Which of the following types of attack vectors did the penetration tester use? - SQL injection - CSRF - Brute force - XSS - TOC/TOU

- CSRF