PM SG 9-10 Flashcards
A security researcher has discovered a malicious script hosted on a bank website. This script runs each time a customer logs in. Which of the following would best describe this attack type?
1.Vishing
2.Supply chain attack
3.Race condition
4.SQL injection
5.Watering hole attack
Correct Answer: 5.Watering hole attack
Watering hole attack: The attacker compromises a commonly visited website to infect its visitors.
Incorrect options:
4.SQL injection: Targets databases, not scripts running on a website.
1.Vishing: Uses phone-based social engineering, not web-based attacks.
A company is configuring their systems for 802.1X. Which of the following would best describe this configuration?
1.Loop prevention
2.Wireless encryption
3.Server redundancy
4.Authentication requirement
5.File integrity monitoring
Correct Answer: 4.Authentication requirement
802.1X: A network access control protocol that requires authentication before granting access.
Incorrect options:
2.Wireless encryption: 802.1X is about access control, not encryption like WPA2.
A development team has tested a new application in a lab containing an exact replica of the production VMs. Which of the following would describe this testing?
1.Static code analysis
2.Input validation
3.Sandboxing
4.Secure cookies
5.Code signing
Correct Answer: 3.Sandboxing
Sandboxing: Isolates a system or app in a controlled environment for testing.
Incorrect options:
1.Static code analysis: Reviews source code but doesn’t execute it.
Each time a company laptop is lost or stolen, the total loss is approximately $4,000. Which of the following would describe this value?
1.SLE
2.EF
3.ALE
4.AV
5.ARO
Correct Answer: 1.SLE (Single Loss Expectancy)
SLE: The financial loss from a single security incident.
Incorrect options:
2.EF (Exposure Factor): A percentage of loss, not the total cost.
3.ALE (Annualized Loss Expectancy): Predicts loss over a year, not per incident.
Which of the following is responsible for allowing, monitoring, and terminating connections?
1.Policy enforcement point
2.Policy engine
3.Control plane
4.Policy administrator
5.Operational control
Correct Answer: 1.Policy enforcement point
Policy enforcement point (PEP): Implements security decisions and controls access.
Incorrect options:
2.Policy engine: Makes policy decisions but doesn’t enforce them.
Two companies have been working together for a number of months, and they would now like to qualify their partnership with a broad formal agreement between both organizations. Which of the following would describe this agreement?
1.SLA
2.SOW
3.MOA
4.NDA
Correct Answer: 3.MOA (Memorandum of Agreement)
MOA: Formal agreement outlining mutual responsibilities and goals.
Incorrect options:
1.SLA: Defines service level expectations but isn’t a partnership agreement.
A company has discovered JavaScript embedded within the text of their public message board. Which of the following would be the most likely description of this attack?
1.Brute force
2.Buffer overflow
3.XSS
4.Race condition
5.Sideloading
Correct Answer: 3.XSS (Cross-Site Scripting)
XSS: Injects malicious scripts into web pages viewed by other users.
Incorrect options:
2.Buffer overflow: Overwrites memory; it does not inject scripts into web pages.
A company uses a system that uses a deterministic processing schedule during operation. Which of the following would best describe this system?
1.IoT
2.RTOS
3.SCADA
4.Embedded
5.ICS
Correct Answer: 2.RTOS (Real-Time Operating System)
RTOS: Executes tasks with strict timing constraints.
Incorrect options:
5.ICS (Industrial Control System): Used in manufacturing, but not always real-time.
A user is assigning share permissions on their spreadsheet for other users to access and edit. Which of the following access controls would best describe this process?
1.Role-based
2.Mandatory
3.Attribute-based
4.Rule-based
5.Discretionary
Correct Answer: 5.Discretionary Access Control (DAC)
DAC: The data owner decides who gets access.
Incorrect options:
1.Role-based (RBAC): Assigns permissions based on job roles, not user discretion.
An employee would like to use their company laptop on nights and weekends to write a book about their life. Which of the following should the employee use to determine if this would be allowed?
1.AUP
2.EULA
3.NDA
4.SDLC
5.SLA
Correct Answer: 1.AUP (Acceptable Use Policy)
AUP: Defines acceptable and prohibited activities for company resources.
Incorrect options:
2.EULA (End User License Agreement): Covers software, not company hardware usage.
A company would like to examine the credentials of each individual entering the data center building. Which of the following would BEST facilitate this requirement?
1.Access control vestibule
2.Video surveillance
3.Pressure sensors
4.Bollards
Correct Answer: 1.Access control vestibule
Access control vestibule (mantrap): A secure entry that verifies identity before access.
Incorrect options:
2.Video surveillance: Records events but doesn’t control access in real-time.