A penetration tester has been contracted to conduct a physical assessment of a site. Which of the following is the MOST plausible method of social engineering to be conducted during this engagement? - Randomly calling customer employees and posing as a help desk technician requiring user password to resolve issues - Posing as a copier service technician and indicating the equipment had “phoned home” to alert the technician for a service call - Simulating an illness while at a client location for a sales call and then recovering once listening devices are installed - Obtaining fake government credentials and impersonating law enforcement to gain access to a company facility

- Posing as a copier service technician and indicating the equipment had “phoned home” to alert the technician for a service call

A penetration tester is conducting an assessment on Comptia.org and runs the following command from a coffee shop while connected to the public Internet: -- image of nslookup of comptia.org's mail exchange -- Which of the following should the penetration tester conclude about the command output? - The public/private views on the Comptia.org DNS servers are misconfigured - Comptia.org is running an older mail server, which may be vulnerable to exploits - The DNS SPF records have not been updated for Comptia.org - 192.168.102.67 is a backup mail server that may be more vulnerable to attack

- Comptia.org is running an older mail server, which may be vulnerable to exploits

Two new technical SMB security settings have been enforced and have also become policies that increase secure communications. Network Client: Digitally sign communication Network Server: Digitally sign communication A storage administrator in a remote location with a legacy storage array, which contains time-sensitive data, reports employees can no longer connect to their department shares. Which of the following mitigation strategies should an information security manager recommend to the data owner? - Accept the risk, reverse the settings for the remote location, and have the remote location file a risk exception until the legacy storage device can be upgraded - Accept the risk for the remote location, and reverse the settings indefinitely since the legacy storage device will not be upgraded - Mitigate the risk for the remote location by suggesting a move to a cloud service provider. Have the remote location request an indefinite risk exception for the use of cloud storage - Avoid the risk, leave the settings alone, and decommission the legacy storage device

- Accept the risk, reverse the settings for the remote location, and have the remote location file a risk exception until the legacy storage device can be upgraded

A systems security engineer is assisting an organization’s market survey team in reviewing requirements for an upcoming acquisition of mobile devices. The engineer expresses concerns to the survey team about a particular class of devices that uses a separate SoC for baseband radio I/O. For which of the following reasons is the engineer concerned? - These devices can communicate over networks older than HSPA+ and LTE standards, exposing device communications to poor encryptions routines - The organization will be unable to restrict the use of NFC, electromagnetic induction, and Bluetooth technologies - The associated firmware is more likely to remain out of date and potentially vulnerable - The manufacturers of the baseband radios are unable to enforce mandatory access controls within their driver set

- The organization will be unable to restrict the use of NFC, electromagnetic induction, and Bluetooth technologies

A security administrator was informed that a server unexpectedly rebooted. The administrator received an export of syslog entries for analysis: --- image of syslog --- Which of the following does the log sample indicate? (Choose two.) - A root user performed an injection attack via kernel module - Encrypted payroll data was successfully decrypted by the attacker - Jsmith successfully used a privilege escalation attack - Payroll data was exfiltrated to an attacker-controlled host - Buffer overflow in memory paging caused a kernel panic - Syslog entries were lost due to the host being rebooted

- Jsmith successfully used a privilege escalation attack - Buffer overflow in memory paging caused a kernel panic

A Chief Information Officer (CIO) publicly announces the implementation of a new financial system. As part of a security assessment that includes a social engineering task, which of the following tasks should be conducted to demonstrate the BEST means to gain information to use for a report on social vulnerability details about the financial system? - Call the CIO and ask for an interview, posing as a job seeker interested in an open position - Compromise the email server to obtain a list of attendees who responded to the invitation who is on the IT staff - Notify the CIO that, through observation at events, malicious actors can identify individuals to befriend - Understand the CIO is a social drinker, and find the means to befriend the CIO at establishments the CIO frequents

- Understand the CIO is a social drinker, and find the means to befriend the CIO at establishments the CIO frequents

The Chief Information Security Officer (CISO) has asked the security team to determine whether the organization is susceptible to a zero-day exploit utilized in the banking industry and whether attribution is possible. The CISO has asked what process would be utilized to gather the information, and then wants to apply signatureless controls to stop these kinds of attacks in the future. Which of the following are the MOST appropriate ordered steps to take to meet the CISO’s request? A. 1. Perform the ongoing research of the best practices 2. Determine current vulnerabilities and threats 3. Apply Big Data techniques 4. Use antivirus control B. 1. Apply artificial intelligence algorithms for detection 2. Inform the CERT team 3. Research threat intelligence and potential adversaries 4. Utilize threat intelligence to apply Big Data techniques C. 1. Obtain the latest IOCs from the open source repositories 2. Perform a sweep across the network to identify positive matches 3. Sandbox any suspicious files 4. Notify the CERT team to apply a future proof threat model D. 1. Analyze the current threat intelligence 2. Utilize information sharing to obtain the latest industry IOCs 3. Perform a sweep across the network to identify positive matches 4. Apply machine learning algorithms

D. 1. Analyze the current threat intelligence 2. Utilize information sharing to obtain the latest industry IOCs 3. Perform a sweep across the network to identify positive matches 4. Apply machine learning algorithms

Self-Test CASP Questions Flashcards by Christopher Mayhew

An infrastructure team is at the end of a procurement process and has selected a vendor. As part of the final negotiations, there are a number of outstanding issues, including:

Indemnity clauses have identified the maximum liability
The data will be hosted and managed outside of the company’s geographical location

The number of users accessing the system will be small, and no sensitive data will be hosted in the solution. As the security consultant on the project, which of the following should the project’s security consultant recommend as the NEXT step?

Develop a security exemption, as it does not meet the security policies
Mitigate the risk by asking the vendor to accept the in-country privacy principles
Require the solution owner to accept the identified risks and consequences
Review the entire procurement process to determine the lessons learned

Require the solution owner to accept the identified risks and consequences

How well did you know this?

Not at all

Perfectly

An SQL database is no longer accessible online due to a recent security breach. An investigation reveals that unauthorized access to the database was possible due to an SQL injection vulnerability. To prevent this type of breach in the future, which of the following security controls should be put in place before bringing the database
back online? (Choose two.)

Secure storage policies
Browser security updates
Input validation
Web application firewall
Secure coding standards
Database activity monitoring

Input validation

- Database activity monitoring

How well did you know this?

Not at all

Perfectly

Given the following output from a local PC:

— image of ipconfig —

Which of the following ACLs on a stateful host-based firewall would allow the PC to serve an intranet website?

Allow 172.30.0.28:80 -> ANY
Allow 172.30.0.28:80 -> 172.30.0.0/16
Allow 172.30.0.28:80 -> 172.30.0.28:443
Allow 172.30.0.28:80 -> 172.30.0.28:53

Allow 172.30.0.28:80 -> 172.30.0.0/16

How well did you know this?

Not at all

Perfectly

A penetration tester has been contracted to conduct a physical assessment of a site. Which of the following is the MOST plausible method of social engineering to be conducted during this engagement?

Randomly calling customer employees and posing as a help desk technician requiring user password to resolve issues
Posing as a copier service technician and indicating the equipment had “phoned home” to alert the technician for a service call
Simulating an illness while at a client location for a sales call and then recovering once listening devices are installed
Obtaining fake government credentials and impersonating law enforcement to gain access to a company facility

Posing as a copier service technician and indicating the equipment had “phoned home” to alert the technician for a service call

How well did you know this?

Not at all

Perfectly

A penetration tester is conducting an assessment on Comptia.org and runs the following command from a coffee shop while connected to the public Internet:

– image of nslookup of comptia.org’s mail exchange –

Which of the following should the penetration tester conclude about the command output?

The public/private views on the Comptia.org DNS servers are misconfigured
Comptia.org is running an older mail server, which may be vulnerable to exploits
The DNS SPF records have not been updated for Comptia.org
192.168.102.67 is a backup mail server that may be more vulnerable to attack

Comptia.org is running an older mail server, which may be vulnerable to exploits

How well did you know this?

Not at all

Perfectly

Two new technical SMB security settings have been enforced and have also become policies that increase secure communications.

Network Client: Digitally sign communication
Network Server: Digitally sign communication

A storage administrator in a remote location with a legacy storage array, which contains time-sensitive data, reports employees can no longer connect to their department shares. Which of the following mitigation strategies should an information security manager recommend to the data owner?

Accept the risk, reverse the settings for the remote location, and have the remote location file a risk exception until the legacy storage device can be upgraded
Accept the risk for the remote location, and reverse the settings indefinitely since the legacy storage device will not be upgraded
Mitigate the risk for the remote location by suggesting a move to a cloud service provider. Have the remote location request an indefinite risk exception for the use of cloud storage
Avoid the risk, leave the settings alone, and decommission the legacy storage device

Accept the risk, reverse the settings for the remote location, and have the remote location file a risk exception until the legacy storage device can be upgraded

How well did you know this?

Not at all

Perfectly

A systems security engineer is assisting an organization’s market survey team in reviewing requirements for an upcoming acquisition of mobile devices. The engineer expresses concerns to the survey team about a particular class of devices that uses a separate SoC for baseband radio I/O. For which of the following reasons is the engineer concerned?

These devices can communicate over networks older than HSPA+ and LTE standards, exposing device communications to poor encryptions routines
The organization will be unable to restrict the use of NFC, electromagnetic induction, and Bluetooth technologies
The associated firmware is more likely to remain out of date and potentially vulnerable
The manufacturers of the baseband radios are unable to enforce mandatory access controls within their
driver set

The organization will be unable to restrict the use of NFC, electromagnetic induction, and Bluetooth technologies

How well did you know this?

Not at all

Perfectly

During a security assessment, an organization is advised of inadequate control over network segmentation. The assessor explains that the organization’s reliance on VLANs to segment traffic is insufficient to provide segmentation based on regulatory standards. Which of the following should the organization consider implementing along with VLANs to provide a greater level of segmentation?

Air gaps
Access control lists
Spanning tree protocol
Network virtualization
Elastic load balancing

Air gaps

How well did you know this?

Not at all

Perfectly

A security administrator was informed that a server unexpectedly rebooted. The administrator received an export of syslog entries for analysis:

— image of syslog —

Which of the following does the log sample indicate? (Choose two.)

A root user performed an injection attack via kernel module
Encrypted payroll data was successfully decrypted by the attacker
Jsmith successfully used a privilege escalation attack
Payroll data was exfiltrated to an attacker-controlled host
Buffer overflow in memory paging caused a kernel panic
Syslog entries were lost due to the host being rebooted

Jsmith successfully used a privilege escalation attack

- Buffer overflow in memory paging caused a kernel panic

How well did you know this?

Not at all

Perfectly

An organization has employed the services of an auditing firm to perform a gap assessment in preparation for an upcoming audit. As part of the gap assessment, the auditor supporting the assessment recommends the organization engage with other industry partners to share information about emerging attacks to organizations in the industry in which the organization functions. Which of the following types of information could be drawn
from such participation?

Threat modeling
Risk assessment
Vulnerability data
Threat intelligence
Risk metrics
Exploit frameworks

Threat intelligence

How well did you know this?

Not at all

Perfectly

A security analyst is reviewing the corporate MDM settings and notices some disabled settings, which consequently permit users to download programs from untrusted developers and manually install them. After some conversations, it is confirmed that these settings were disabled to support the internal development of mobile applications. The security analyst is now recommending that developers and testers have a separate device profile allowing this, and that the rest of the organization’s users do not have the ability to manually download and install untrusted applications. Which of the following settings should be toggled to achieve the goal? (Choose two.)

OTA updates
Remote wiping
Side loading
Sandboxing
Containerization
Signed applications

Containerization

- Signed applications

How well did you know this?

Not at all

Perfectly

A security incident responder discovers an attacker has gained access to a network and has overwritten key system files with backdoor software. The server was reimaged and patched offline. Which of the following tools should be implemented to detect similar attacks?

Vulnerability scanner
TPM
Host-based firewall
File integrity monitor
NIPS

File integrity monitor

How well did you know this?

Not at all

Perfectly

An organization is in the process of integrating its operational technology and information technology areas. As part of the integration, some of the cultural aspects it would like to see include more efficient use of resources during change windows, better protection of critical infrastructure, and the ability to respond to incidents. The following observations have been identified:

The ICS supplier has specified that any software installed will result in lack of support.
There is no documented trust boundary defined between the SCADA and corporate networks.
Operational technology staff have to manage the SCADA equipment via the engineering workstation.
There is a lack of understanding of what is within the SCADA network.

Which of the following capabilities would BEST improve the security position?

VNC, router, and HIPS
SIEM, VPN, and firewall
Proxy, VPN, and WAF
IDS, NAC, and log monitoring

VNC, router, and HIPS

How well did you know this?

Not at all

Perfectly

After embracing a BYOD policy, a company is faced with new security challenges from unmanaged mobile devices and laptops. The company’s IT department has seen a large number of the following incidents:

Duplicate IP addresses
Rogue network devices
Infected systems probing the company’s network

Which of the following should be implemented to remediate the above issues? (Choose two.)

Port security
Route protection
NAC
HIPS
NIDS

- HIPS

How well did you know this?

Not at all

Perfectly

Following a security assessment, the Chief Information Security Officer (CISO) is reviewing the results of the assessment and evaluating potential risk treatment strategies. As part of the CISO’s evaluation, a judgment of potential impact based on the identified risk is performed. To prioritize response actions, the CISO uses past experience to take into account the exposure factor as well as the external accessibility of the weakness identified. Which of the following is the CISO performing?

Documentation of lessons learned
Quantitative risk assessment
Qualitative assessment of risk
Business impact scoring
Threat modeling

Qualitative assessment of risk

How well did you know this?

Not at all

Perfectly

A Chief Information Officer (CIO) publicly announces the implementation of a new financial system. As part of a security assessment that includes a social engineering task, which of the following tasks should be conducted to demonstrate the BEST means to gain information to use for a report on social vulnerability details about the financial system?

Call the CIO and ask for an interview, posing as a job seeker interested in an open position
Compromise the email server to obtain a list of attendees who responded to the invitation who is on the IT staff
Notify the CIO that, through observation at events, malicious actors can identify individuals to befriend
Understand the CIO is a social drinker, and find the means to befriend the CIO at establishments the CIO frequents

Understand the CIO is a social drinker, and find the means to befriend the CIO at establishments the CIO frequents

How well did you know this?

Not at all

Perfectly

A recent assessment identified that several users’ mobile devices are running outdated versions of endpoint security software that do not meet the company’s security policy. Which of the following should be performed to ensure the users can access the network and meet the company’s security requirements?

Vulnerability assessment
Risk assessment
Patch management
Device quarantine
Incident management

Patch management

How well did you know this?

Not at all

Perfectly

The Chief Information Security Officer (CISO) has asked the security team to determine whether the organization is susceptible to a zero-day exploit utilized in the banking industry and whether attribution is possible. The CISO has asked what process would be utilized to gather the information, and then wants to apply signatureless controls to stop these kinds of attacks in the future. Which of the following are the MOST appropriate ordered steps to take to meet the CISO’s request?

A. 1. Perform the ongoing research of the best practices

Determine current vulnerabilities and threats
Apply Big Data techniques
Use antivirus control

B. 1. Apply artificial intelligence algorithms for detection

Inform the CERT team
Research threat intelligence and potential adversaries
Utilize threat intelligence to apply Big Data techniques

C. 1. Obtain the latest IOCs from the open source repositories

Perform a sweep across the network to identify positive matches
Sandbox any suspicious files
Notify the CERT team to apply a future proof threat model

D. 1. Analyze the current threat intelligence

Utilize information sharing to obtain the latest industry IOCs
Perform a sweep across the network to identify positive matches
Apply machine learning algorithms

D. 1. Analyze the current threat intelligence

Utilize information sharing to obtain the latest industry IOCs
Perform a sweep across the network to identify positive matches
Apply machine learning algorithms

How well did you know this?

Not at all

Perfectly

A software development team is conducting functional and user acceptance testing of internally developed web applications using a COTS solution. For automated testing, the solution uses valid user credentials from the enterprise directory to authenticate to each application. The solution stores the username in plain text and the corresponding password as an encoded string in a script within a file, located on a globally accessible network share. The account credentials used belong to the development team lead. To reduce the risks associated with this scenario while minimizing disruption to ongoing testing, which of the following are the BEST actions to take? (Choose two.)

Restrict access to the network share by adding a group only for developers to the share’s ACL
Implement a new COTS solution that does not use hard-coded credentials and integrates with directory services
Obfuscate the username within the script file with encoding to prevent easy identification and the account used
Provision a new user account within the enterprise directory and enable its use for authentication to the target applications. Share the username and password with all developers for use in their individual scripts
Redesign the web applications to accept single-use, local account credentials for authentication

Restrict access to the network share by adding a group only for developers to the share’s ACL
Implement a new COTS solution that does not use hard-coded credentials and integrates with directory services

How well did you know this?

Not at all

Perfectly

A security consultant is attempting to discover if the company is utilizing databases on client machines to store the customer data. The consultant reviews the following information:

— image of protocol, local/foreign IP address, and connection status —

Which of the following commands would have provided this output?

arp -s
netstat -a
ifconfig -arp
sqlmap -w

netstat -a

How well did you know this?

Not at all

Perfectly

Management is reviewing the results of a recent risk assessment of the organization’s policies and procedures. During the risk assessment it is determined that procedures associated with background checks have not been effectively implemented. In response to this risk, the organization elects to revise policies and procedures related to background checks and use a third-party to perform background checks on all new employees.

Which of the following risk management strategies has the organization employed?

Transfer
Mitigate
Accept
Avoid
Reject

Mitigate

How well did you know this?

Not at all

Perfectly

An advanced threat emulation engineer is conducting testing against a client’s network. The engineer conducts the testing in as realistic a manner as possible. Consequently, the engineer has been gradually ramping up the volume of attacks over a long period of time. Which of the following combinations of techniques would the engineer MOST likely use in this testing? (Choose three.)

Black box testing
Gray box testing
Code review
Social engineering
Vulnerability assessment
Pivoting
Self-assessment
White teaming
External auditing

Black box testing
Vulnerability assessment
Pivoting

How well did you know this?

Not at all

Perfectly

A newly hired systems administrator is trying to connect a new and fully updated, but very customized, Android device to access corporate resources. However, the MDM enrollment process continually fails. The administrator asks a security team member to look into the issue. Which of the following is the MOST likely reason the MDM is not allowing enrollment?

The OS version is not compatible
The OEM is prohibited
The device does not support FDE
The device is rooted

The device is rooted

How well did you know this?

Not at all

Perfectly

A security administrator wants to allow external organizations to cryptographically validate the company’s domain name in email messages sent by employees. Which of the following should the security administrator implement?

SPF
S/MIME
TLS
DKIM

https: //en.wikipedia.org/wiki/DMARC

How well did you know this?

Not at all

Perfectly

An organization is preparing to develop a business continuity plan. The organization is required to meet regulatory requirements relating to confidentiality and availability, which are well-defined. Management has expressed concern following initial meetings that the organization is not fully aware of the requirements associated with the regulations. Which of the following would be MOST appropriate for the project manager to solicit additional resources for during this phase of the project? - After-action reports - Gap assessment - Security requirements traceability matrix - Business impact assessment - Risk analysis

- Gap assessment

An agency has implemented a data retention policy that requires tagging data according to type before storing it in the data repository. The policy requires all business emails be automatically deleted after two years. During an open records investigation, information was found on an employee’s work computer concerning a conversation that occurred three years prior and proved damaging to the agency’s reputation. Which of the following MOST likely caused the data leak? - The employee manually changed the email client retention settings to prevent deletion of emails - The file that contained the damaging information was mistagged and retained on the server for longer than it should have been - The email was encrypted and an exception was put in place via the data classification application - The employee saved a file on the computer’s hard drive that contained archives of emails, which were more than two years old

- The employee saved a file on the computer’s hard drive that contained archives of emails, which were more than two years old

A company is acquiring incident response and forensic assistance from a managed security service provider in the event of a data breach. The company has selected a partner and must now provide required documents to be reviewed and evaluated. Which of the following documents would BEST protect the company and ensure timely assistance? (Choose two.) - RA - BIA - NDA - RFI - RFQ - MSA

- NDA | - MSA

A security architect is implementing security measures in response to an external audit that found vulnerabilities in the corporate collaboration tool suite. The report identified the lack of any mechanism to provide confidentiality for electronic correspondence between users and between users and group mailboxes. Which of the following controls would BEST mitigate the identified vulnerability? - Issue digital certificates to all users, including owners of group mailboxes, and enable S/MIME - Federate with an existing PKI provider, and reject all non-signed emails - Implement two-factor email authentication, and require users to hash all email messages upon receipt - Provide digital certificates to all systems, and eliminate the user group or shared mailboxes

- Issue digital certificates to all users, including owners of group mailboxes, and enable S/MIME

Which of the following BEST represents a risk associated with merging two enterprises during an acquisition? - The consolidation of two different IT enterprises increases the likelihood of the data loss because there are now two backup systems - Integrating two different IT systems might result in a successful data breach if threat intelligence is not shared between the two enterprises - Merging two enterprise networks could result in an expanded attack surface and could cause outages if trust and permission issues are not handled carefully - Expanding the set of data owners requires an in-depth review of all data classification decisions, impacting availability during the review

- Merging two enterprise networks could result in an expanded attack surface and could cause outages if trust and permission issues are not handled carefully

Two competing companies experienced similar attacks on their networks from various threat actors. To improve response times, the companies wish to share some threat intelligence about the sources and methods of attack. Which of the following business documents would be BEST to document this engagement? - Business partnership agreement - Memorandum of understanding - Service-level agreement - Interconnection security agreement

- Interconnection security agreement | https: //nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-47.pdf

A software development team has spent the last 18 months developing a new web-based front-end that will allow clients to check the status of their orders as they proceed through manufacturing. The marketing team schedules a launch party to present the new application to the client base in two weeks. Before the launch, the security team discovers numerous flaws that may introduce dangerous vulnerabilities, allowing direct access to a database used by manufacturing. The development team did not plan to remediate these vulnerabilities during development. Which of the following SDLC best practices should the development team have followed? - Implementing regression testing - Completing user acceptance testing - Verifying system design documentation - Using a SRTM

- Using a SRTM

Legal authorities notify a company that its network has been compromised for the second time in two years. The investigation shows the attackers were able to use the same vulnerability on different systems in both attacks. Which of the following would have allowed the security team to use historical information to protect against the second attack? - Key risk indicators - Lessons learned - Recovery point objectives - Tabletop exercise

- Lessons learned

A team is at the beginning stages of designing a new enterprise-wide application. The new application will have a large database and require a capital investment in hardware. The Chief Information Officer (СIO) has directed the team to save money and reduce the reliance on the datacenter, and the vendor must specialize in hosting large databases in the cloud. Which of the following cloud-hosting options would BEST meet these needs? - Multi-tenancy SaaS - Hybrid IaaS - Single-tenancy PaaS - Community IaaS

- Single-tenancy PaaS

A company wants to extend its help desk availability beyond business hours. The Chief Information Officer (CIO) decides to augment the help desk with a third-party service that will answer calls and provide Tier 1 problem resolution, such as password resets and remote assistance. The security administrator implements the following firewall change: PERMIT TCP FROM 74.23.2.4 TO 192.168.20.20 PORT 80 PERMIT TCP FROM 74.23.2.4 TO 192.168.20.20 PORT 636 PERMIT TCP FROM 74.23.2.4 TO 192.168.20.20 PORT 5800 PERMIT TCP FROM 74.23.2.4 TO 192.168.20.20 PORT 1433 The administrator provides the appropriate path and credentials to the third-party company. Which of the following technologies is MOST likely being used to provide access to the third company? - LDAP - WAYF - OpenID - RADIUS - SAML

- LDAP

An architect was recently hired by a power utility to increase the security posture of the company’s power generation and distribution sites. Upon review, the architect identifies legacy hardware with highly vulnerable and unsupported software driving critical operations. These systems must exchange data with each other, be highly synchronized, and pull from the Internet time sources. Which of the following architectural decisions would BEST reduce the likelihood of a successful attack without harming operational capability? (Choose two.) - Isolate the systems on their own network - Install a firewall and IDS between systems and the LAN - Employ own stratum-0 and stratum-1 NTP servers - Upgrade the software on critical systems - Configure the systems to use government-hosted NTP servers

- Install a firewall and IDS between systems and the LAN | - Configure the systems to use government-hosted NTP servers

An organization is currently working with a client to migrate data between a legacy ERP system and a cloud-based ERP tool using a global PaaS provider. As part of the engagement, the organization is performing data deduplication and sanitization of client data to ensure compliance with regulatory requirements. Which of the following is the MOST likely reason for the need to sanitize the client data? - Data aggregation - Data sovereignty - Data isolation - Data volume - Data analytics

- Data sovereignty

Given the code snippet below: --- image of C++ code --- Which of the following vulnerability types in the MOST concerning? - Only short usernames are supported, which could result in brute forcing of credentials. - Buffer overflow in the username parameter could lead to a memory corruption vulnerability. - Hardcoded usernames with different code paths taken depend on which user is entered. - Format string vulnerability is present for admin users but not for standard users.

- Buffer overflow in the username parameter could lead to a memory corruption vulnerability.

To meet a SLA, which of the following document should be drafted, defining the company’s internal interdependent unit responsibilities and delivery timelines. - BPA - OLA - MSA - MOU

- OLA OLA is an agreement between the internal support groups of an institution that supports SLA. According to the Operational Level Agreement, each internal support group has certain responsibilities to the other group. The OLA clearly depicts the performance and relationship of the internal service groups. The main objective of OLA is to ensure that all the support groups provide the intended Service Level Agreement.

A security analyst sees some suspicious entries in a log file from a web server website, which has a form that allows customers to leave feedback on the company’s products. The analyst believes a malicious actor is scanning the web form. To know which security controls to put in place, the analyst first needs to determine the type of activity occurring to design a control. Given the log below: --- image of log --- Which of the following is the MOST likely type of activity occurring? - SQL injection - XSS scanning - Fuzzing - Brute forcing

- Brute forcing

An organization has established the following controls matrix: --- image --- The following control sets have been defined by the organization and are applied in aggregate fashion: - Systems containing PII are protected with the minimum control set. - Systems containing medical data are protected at the moderate level. - Systems containing cardholder data are protected at the high level. The organization is preparing to deploy a system that protects the confidentially of a database containing PII and medical data from clients. Based on the controls classification, which of the following controls would BEST meet these requirements? - Proximity card access to the server room, context-based authentication, UPS, and full-disk encryption for the database server. - Cipher lock on the server room door, FDE, surge protector, and static analysis of all application code. - Peer review of all application changes, static analysis of application code, UPS, and penetration testing of the complete system. - Intrusion detection capabilities, network-based IPS, generator, and context-based authentication.

- Intrusion detection capabilities, network-based IPS, generator, and context-based authentication.

A company’s existing forward proxies support software-based TLS decryption, but are currently at 60% load just dealing with AV scanning and content analysis for HTTP traffic. More than 70% outbound web traffic is currently encrypted. The switching and routing network infrastructure precludes adding capacity, preventing the installation of a dedicated TLS decryption system. The network firewall infrastructure is currently at 30% load and has software decryption modules that can be activated by purchasing additional license keys. An existing project is rolling out agent updates to end-user desktops as part of an endpoint security refresh. Which of the following is the BEST way to address these issues and mitigate risks to the organization? - Purchase the SSL decryption license for the firewalls and route traffic back to the proxies for end-user categorization and malware analysis. - Roll out application whitelisting to end-user desktops and decommission the existing proxies, freeing up network ports. - Use an EDP solution to address the malware issue and accept the diminishing role of the proxy for URL categorization in the short team. - Accept the current risk and seek possible funding approval in the next budget cycle to replace the existing proxies with ones with more capacity.

- Purchase the SSL decryption license for the firewalls and route traffic back to the proxies for end-user categorization and malware analysis.

A recent CRM upgrade at a branch office was completed after the desired deadline. Several technical issues were found during the upgrade and need to be discussed in depth before the next branch office is upgraded. Which of the following should be used to identify weak processes and other vulnerabilities? - Gap analysis - Benchmarks and baseline results - Risk assessment - Lessons learned report

- Lessons learned report

A threat advisory alert was just emailed to the IT security staff. The alert references specific types of host operating systems that can allow an unauthorized person to access files on a system remotely. A fix was recently published, but it requires a recent endpoint protection engine to be installed prior to running the fix. Which of the following MOST likely need to be configured to ensure the system are mitigated accordingly? (Select two.) - Antivirus - HIPS - Application whitelisting - Patch management - Group policy implementation - Firmware updates

- Antivirus | - Patch management

A network engineer is attempting to design-in resiliency characteristics for an enterprise network’s VPN services. If the engineer wants to help ensure some resilience against zero-day vulnerabilities exploited against the VPN implementation, which of the following decisions would BEST support this objective? - Implement a reverse proxy for VPN traffic that is defended and monitored by the organization’s SOC with near-real-time alerting to administrators. - Subscribe to a managed service provider capable of supporting the mitigation of advanced DDoS attacks on the enterprise’s pool of VPN concentrators. - Distribute the VPN concentrators across multiple systems at different physical sites to ensure some backup services are available in the event of primary site loss. - Employ a second VPN layer concurrently where the other layer’s cryptographic implementation is sourced from a different vendor.

- Employ a second VPN layer concurrently where the other layer’s cryptographic implementation is sourced from a different vendor.

An information security officer is responsible for one secure network and one office network. Recent intelligence suggests there is an opportunity for attackers to gain access to the secure network due to similar login credentials across networks. To determine the users who should change their information, the information security officer uses a tool to scan a file with hashed values on both networks and receives the following data: --- image --- Which of the following tools was used to gather this information from the hashed values in the file? - Vulnerability scanner - Fuzzer - MD5 generator - Password cracker - Protocol analyzer

- Protocol analyzer

A Chief Information Security Officer (CISO) is reviewing and revising system configuration and hardening guides that were developed internally and have been used several years to secure the organization’s systems. The CISO knows improvements can be made to the guides. Which of the following would be the BEST source of reference during the revision process? - CVE database - Internal security assessment reports - Industry-accepted standards - External vulnerability scan reports - Vendor-specific implementation guides

- Vendor-specific implementation guides

Legal counsel has notified the information security manager of a legal matter that will require the preservation of electronic records for 2000 sales force employees. Source records will be email, PC, network shares, and applications. After all restrictions have been lifted, which of the following should the information manager review? - Data retention policy - Legal hold - Chain of custody - Scope statement

- Data retention policy

The legal department has required that all traffic to and from a company’s cloud-based word processing and email system is logged. To meet this requirement, the Chief Information Security Officer (CISO) has implemented a next-generation firewall to perform inspection of the secure traffic and has decided to use a cloud-based log aggregation solution for all traffic that is logged. Which of the following presents a long-term risk to user privacy in this scenario? - Confidential or sensitive documents are inspected by the firewall before being logged. - Latency when viewing videos and other online content may increase. - Reports generated from the firewall will take longer to produce due to more information from inspected traffic. - Stored logs may contain non-encrypted usernames and passwords for personal websites.

- Confidential or sensitive documents are inspected by the firewall before being logged.

A breach was caused by an insider threat in which customer PII was compromised. Following the breach, a lead security analyst is asked to determine which vulnerabilities the attacker used to access company resources. Which of the following should the analyst use to remediate the vulnerabilities? - Protocol analyzer - Root cause analysis - Behavioral analytics - Data leak prevention

- Data leak prevention

A security analyst has requested network engineers integrate sFlow into the SOC’s overall monitoring picture. For this to be a useful addition to the monitoring capabilities, which of the following must be considered by the engineering team? - Effective deployment of network taps - Overall bandwidth available at Internet PoP - Optimal placement of log aggregators - Availability of application layer visualizers

- Availability of application layer visualizers

Ann, a member of the finance department at a large corporation, has submitted a suspicious email she received to the information security team. The team was not expecting an email from Ann, and it contains a PDF file inside a ZIP compressed archive. The information security learn is not sure which files were opened. A security team member uses an air-gapped PC to open the ZIP and PDF, and it appears to be a social engineering attempt to deliver an exploit. Which of the following would provide greater insight on the potential impact of this attempted attack? - Run an antivirus scan on the finance PC. - Use a protocol analyzer on the air-gapped PC. - Perform reverse engineering on the document. - Analyze network logs for unusual traffic. - Run a baseline analyzer against the user’s computer.

- Use a protocol analyzer on the air-gapped PC.

A new cluster of virtual servers has been set up in a lab environment and must be audited before being allowed on the production network. The security manager needs to ensure unnecessary services are disabled and all system accounts are using strong credentials. Which of the following tools should be used? (Choose two.) - Fuzzer - SCAP scanner - Packet analyzer - Password cracker - Network enumerator - SIEM

- SCAP scanner | - SIEM

A security technician is incorporating the following requirements in an RFP for a new SIEM: - New security notifications must be dynamically implemented by the SIEM engine - The SIEM must be able to identify traffic baseline anomalies - Anonymous attack data from all customers must augment attack detection and risk scoring Based on the above requirements, which of the following should the SIEM support? (Choose two.) - Autoscaling search capability - Machine learning - Multisensor deployment - Big Data analytics - Cloud-based management - Centralized log aggregation

- Machine learning | - Centralized log aggregation

Given the following information about a company’s internal network: User IP space: 192.168.1.0/24 Server IP space: 192.168.192.0/25 A security engineer has been told that there are rogue websites hosted outside of the proper server space, and those websites need to be identified. Which of the following should the engineer do? - Use a protocol analyzer on 192.168.1.0/24 - Use a port scanner on 192.168.1.0/24 - Use an HTTP interceptor on 192.168.1.0/24 - Use a port scanner on 192.168.192.0/25 - Use a protocol analyzer on 192.168.192.0/25 - Use an HTTP interceptor on 192.168.192.0/25

- Use a port scanner on 192.168.1.0/24

While attending a meeting with the human resources department, an organization’s information security officer sees an employee using a username and password written on a memo pad to log into a specific service. When the information security officer inquires further as to why passwords are being written down, the response is that there are too many passwords to remember for all the different services the human resources department is required to use. Additionally, each password has specific complexity requirements and different expiration time frames. Which of the following would be the BEST solution for the information security officer to recommend? - Utilizing MFA - Implementing SSO - Deploying 802.1X - Pushing SAML adoption - Implementing TACACS

- Implementing SSO

Which of the following is the GREATEST security concern with respect to BYOD? - The filtering of sensitive data out of data flows at geographic boundaries. - Removing potential bottlenecks in data transmission paths. - The transfer of corporate data onto mobile corporate devices. - The migration of data into and out of the network in an uncontrolled manner.

- The migration of data into and out of the network in an uncontrolled manner.

Following a merger, the number of remote sites for a company has doubled to 52. The company has decided to secure each remote site with an NGFW to provide web filtering, NIDS/NIPS, and network antivirus. The Chief Information Officer (CIO) has requested that the security engineer provide recommendations on sizing for the firewall with the requirements that it be easy to manage and provide capacity for growth. The tables below provide information on a subset of remote sites and the firewall options: --- images --- Which of the following would be the BEST option to recommend to the CIO? - Vendor C for small remote sites, and Vendor B for large sites. - Vendor B for all remote sites - Vendor C for all remote sites - Vendor A for all remote sites - Vendor D for all remote sites

- Vendor D for all remote sites

Due to a recent breach, the Chief Executive Officer (CEO) has requested the following activities be conducted during incident response planning: - Involve business owners and stakeholders - Create an applicable scenario - Conduct a biannual verbal review of the incident response plan - Report on the lessons learned and gaps identified Which of the following exercises has the CEO requested? - Parallel operations - Full transition - Internal review - Tabletop - Partial simulation

- Tabletop

A government organization operates and maintains several ICS environments. The categorization of one of the ICS environments led to a moderate baseline. The organization has complied a set of applicable security controls based on this categorization. Given that this is a unique environment, which of the following should the organization do NEXT to determine if other security controls should be considered? - Check for any relevant or required overlays. - Review enhancements within the current control set. - Modify to a high-baseline set of controls. - Perform continuous monitoring.

- Modify to a high-baseline set of controls.

A security analyst is inspecting pseudocode of the following multithreaded application: 1. perform daily ETL of data 1. 1 validate that yesterday’s data model file exists 1. 2 validate that today’s data model file does not exist 1. 2 extract yesterday’s data model 1. 3 transform the format 1. 4 load the transformed data into today’s data model file 1. 5 exit Which of the following security concerns is evident in the above pseudocode? - Time of check/time of use - Resource exhaustion - Improper storage of sensitive data - Privilege escalation

- Time of check/time of use

Which of the following is an external pressure that causes companies to hire security assessors and penetration testers? - Lack of adequate in-house testing skills. - Requirements for geographically based assessments - Cost reduction measures - Regulatory insistence on independent reviews.

- Regulatory insistence on independent reviews.

Engineers at a company believe a certain type of data should be protected from competitors, but the data owner insists the information is not sensitive. An information security engineer is implementing controls to secure the corporate SAN. The controls require dividing data into four groups: non-sensitive, sensitive but accessible, sensitive but export-controlled, and extremely sensitive. Which of the following actions should the engineer take regarding the data? - Label the data as extremely sensitive. - Label the data as sensitive but accessible. - Label the data as non-sensitive. - Label the data as sensitive but export-controlled.

- Label the data as non-sensitive.

A database administrator is required to adhere to and implement privacy principles when executing daily tasks. A manager directs the administrator to reduce the number of unique instances of PII stored within an organization’s systems to the greatest extent possible. Which of the following principles is being demonstrated? - Administrator accountability - PII security - Record transparency - Data minimization

- Data minimization

A newly hired security analyst has joined an established SOC team. Not long after going through corporate orientation, a new attack method on web-based applications was publicly revealed. The security analyst immediately brings this new information to the team lead, but the team lead is not concerned about it. Which of the following is the MOST likely reason for the team lead’s position? - The organization has accepted the risks associated with web-based threats. - The attack type does not meet the organization’s threat model. - Web-based applications are on isolated network segments. - Corporate policy states that NIPS signatures must be updated every hour.

- The organization has accepted the risks associated with web-based threats.

The Chief Information Officer (CISO) is concerned that certain systems administrators will privileged access may be reading other users’ emails. Review of a tool’s output shows the administrators have used web mail to log into other users’ inboxes. Which of the following tools would show this type of output? - Log analysis tool - Password cracker - Command-line tool - File integrity monitoring tool

- Log analysis tool

A security analyst is troubleshooting a scenario in which an operator should only be allowed to reboot remote hosts but not perform other activities. The analyst inspects the following portions of different configuration files: Configuration file 1: Operator ALL=/sbin/reboot Configuration file 2: Command=”/sbin/shutdown now”, no-x11-forwarding, no-pty, ssh-dss Configuration file 3: Operator:x:1000:1000::/home/operator:/bin/bash Which of the following explains why an intended operator cannot perform the intended action? - The sudoers file is locked down to an incorrect command - SSH command shell restrictions are misconfigured - The passwd file is misconfigured - The SSH command is not allowing a pty session

- The SSH command is not allowing a pty session

The director of sales asked the development team for some small changes to increase the usability of an application used by the sales team. Prior security reviews of the code showed no significant vulnerabilities, and since the changes were small, they were given a peer review and then pushed to the live environment. Subsequent vulnerability scans now show numerous flaws that were not present in the previous versions of the code. Which of the following is an SDLC best practice that should have been followed? - Versioning - Regression testing - Continuous integration - Integration testing

- Regression testing

A company has gone through a round of phishing attacks. More than 200 users have had their workstation infected because they clicked on a link in an email. An incident analysis has determined an executable ran and compromised the administrator account on each workstation. Management is demanding the information security team prevent this from happening again. Which of the following would BEST prevent this from happening again? - Antivirus - Patch management - Log monitoring - Application whitelisting - Awareness training

- Antivirus

An internal staff member logs into an ERP platform and clicks on a record. The browser URL changes to: URL: http://192.168.0.100/ERP/accountId=5&action=SELECT Which of the following is the MOST likely vulnerability in this ERP platform? - Brute forcing of account credentials - Plan-text credentials transmitted over the Internet - Insecure direct object reference - SQL injection of ERP back end

- Plan-text credentials transmitted over the Internet

Providers at a healthcare system with many geographically dispersed clinics have been fined five times this year after an auditor received notice of the following SMS messages: --- image --- Which of the following represents the BEST solution for preventing future fines? - Implement a secure text-messaging application for mobile devices and workstations. - Write a policy requiring this information to be given over the phone only. - Provide a courier service to deliver sealed documents containing public health informatics. - Implement FTP services between clinics to transmit text documents with the information. - Implement a system that will tokenize patient numbers.

- Implement a secure text-messaging application for mobile devices and workstations.

A penetration tester noticed special characters in a database table. The penetration tester configured the browser to use an HTTP interceptor to verify that the front-end user registration web form accepts invalid input in the user’s age field. The developer was notified and asked to fix the issue. Which of the following is the MOST secure solution for the developer to implement? - IF $AGE == “!@#%^&*()_+❮❯?”:{}[]” THEN ERROR - IF $AGE == [1234567890] {1,3} THEN CONTINUE - IF $AGE != “a-bA-Z!@#$%^&*()_+❮❯?”{}[]”THEN CONTINUE - IF $AGE == [1-0] {0,2} THEN CONTINUE

- IF $AGE == [1234567890] {1,3} THEN CONTINUE

A managed service provider is designing a log aggregation service for customers who no longer want to manage an internal SIEM infrastructure. The provider expects that customers will send all types of logs to them, and that log files could contain very sensitive entries. Customers have indicated they want on-premises and cloud-based infrastructure logs to be stored in this new service. An engineer, who is designing the new service, is deciding how to segment customers. Which of the following is the BEST statement for the engineer to take into consideration? - Single-tenancy is often more expensive and has less efficient resource utilization. Multi-tenancy may increase the risk of cross-customer exposure in the event of service vulnerabilities. - The managed service provider should outsource security of the platform to an existing cloud company. This will allow the new log service to be launched faster and with well-tested security controls. - Due to the likelihood of large log volumes, the service provider should use a multi-tenancy model for the data storage tier, enable data deduplication for storage cost efficiencies, and encrypt data at rest. - The most secure design approach would be to give customers on-premises appliances, install agents on endpoints, and then remotely manage the service via a VPN.

- Single-tenancy is often more expensive and has less efficient resource utilization. Multi-tenancy may increase the risk of cross-customer exposure in the event of service vulnerabilities.

Click on the exhibit buttons to view the four messages. --- images --- A security architect is working with a project team to deliver an important service that stores and processes customer banking details. The project, internally known as ProjectX, is due to launch its first set of features publicly within a week, but the team has not been able to implement encryption-at-rest of the customer records. The security architect is drafting an escalation email to senior leadership. Which of the following BEST conveys the business impact for senior leadership? - Message 1 - Message 2 - Message 3 - Message 4

- Message 4

As a result of an acquisition, a new development team is being integrated into the company. The development team has BYOD laptops with IDEs installed, build servers, and code repositories that utilize SaaS. To have the team up and running effectively, a separate Internet connection has been procured. A stand up has identified the following additional requirements: 1. Reuse of the existing network infrastructure 2. Acceptable use policies to be enforced 3. Protection of sensitive files 4. Access to the corporate applications Which of the following solution components should be deployed to BEST meet the requirements? (Select three.) - IPSec VPN - HIDS - Wireless controller - Rights management - SSL VPN - NAC - WAF - Load balancer

- HIDS - SSL VPN - NAC

An enterprise with global sites processes and exchanges highly sensitive information that is protected under several countries’ arms trafficking laws. There is new information that malicious nation-state-sponsored activities are targeting the use of encryption between the geographically disparate sites. The organization currently employs ECDSA and ECDH with P-384, SHA-384, and AES-256-GCM on VPNs between sites. Which of the following techniques would MOST likely improve the resilience of the enterprise to attack on cryptographic implementation? - Add a second-layer VPN from a different vendor between sites. - Upgrade the cipher suite to use an authenticated AES mode of operation. - Use a stronger elliptic curve cryptography algorithm. - Implement an IDS with sensors inside (clear-text) and outside (cipher-text) of each tunnel between sites. - Ensure cryptography modules are kept up to date from vendor supplying them.

- Ensure cryptography modules are kept up to date from vendor supplying them.

The government is concerned with remote military missions being negatively being impacted by the use of technology that may fail to protect operational security. To remediate this concern, a number of solutions have been implemented, including the following: - End-to-end encryption of all inbound and outbound communication, including personal email and chat sessions that allow soldiers to securely communicate with families. - Layer 7 inspection and TCP/UDP port restriction, including firewall rules to only allow TCP port 80 and 443 and approved applications - A host-based whitelist of approved websites and applications that only allow mission-related tools and sites - The use of satellite communication to include multiple proxy servers to scramble the source IP address Which of the following is of MOST concern in this scenario? - Malicious actors intercepting inbound and outbound communication to determine the scope of the mission - Family members posting geotagged images on social media that were received via email from soldiers - The effect of communication latency that may negatively impact real-time communication with mission control - The use of centrally managed military network and computers by soldiers when communicating with external parties

- The use of centrally managed military network and computers by soldiers when communicating with external parties

Given the following code snippet: 〈form action='http://192.168.51.10/cgi-bin/order.pl' method='post'〉 〈input type='hidden' name='price' value='199.99〉 〈input type='hidden' name='prd_id' value='X190〉 Quantity: 〈input type='text' name='quant' value-1〉 〈/form〉 Of which of the following is this snippet an example? - Data execution prevention - Buffer overflow - Failure to use standard libraries - Improper field usage - Input validation

- Improper field usage

A company has created a policy to allow employees to use their personally owned devices. The Chief Information Officer (CISO) is getting reports of company data appearing on unapproved forums and an increase in theft of personal electronic devices. Which of the following security controls would BEST reduce the risk of exposure? - Disk encryption on the local drive - Group policy to enforce failed login lockout - Multifactor authentication - Implementation of email digital signatures

- Disk encryption on the local drive

After a large organization has completed the acquisition of a smaller company, the smaller company must implement new host-based security controls to connect its employees’ devices to the network. Given that the network requires 802.1X EAP-PEAP to identify and authenticate devices, which of the following should the security administrator do to integrate the new employees’ devices into the network securely? - Distribute a NAC client and use the client to push the company’s private key to all the new devices. - Distribute the device connection policy and a unique public/private key pair to each new employee’s device. - Install a self-signed SSL certificate on the company’s RADIUS server and distribute the certificate’s public key to all new client devices. - Install an 802.1X supplicant on all new devices and let each device generate a self-signed certificate to use for network access.

- Install an 802.1X supplicant on all new devices and let each device generate a self-signed certificate to use for network access.

Ann, a terminated employee, left personal photos on a company-issued laptop and no longer has access to them. Ann emails her previous manager and asks to get her personal photos back. Which of the following BEST describes how the manager should respond? - Determine if the data still exists by inspecting to ascertain if the laptop has already been wiped and if the storage team has recent backups. - Inform Ann that the laptop was for company data only and she should not have stored personal photos on a company asset. - Report the email because it may have been a spoofed request coming from an attacker who is trying to exfiltrate data from the company laptop. - Consult with the legal and/or human resources department and check company policies around employment and termination procedures.

- Consult with the legal and/or human resources department and check company policies around employment and termination procedures.

A company is transitioning to a new VDI environment, and a system engineer is responsible for developing a sustainable security strategy for the VDIs. Which of the following is the MOST appropriate order of steps to be taken? - Firmware update, OS patching, HIDS, antivirus, baseline, monitoring agent - OS patching, baseline, HIDS, antivirus, monitoring agent, firmware update - Firmware update, OS patching, HIDS, antivirus, monitoring agent, baseline - Baseline, antivirus, OS patching, monitoring agent, HIDS, firmware update

- Firmware update, OS patching, HIDS, antivirus, baseline, monitoring agent

The Chief Information Officer (CIO) has been asked to develop a security dashboard with the relevant metrics. The board of directors will use the dashboard to monitor and track the overall security posture of the organization. The CIO produces a basic report containing both KPI and KRI data in two separate sections for the board to review. Which of the following BEST meets the needs of the board? A. KRI: - Compliance with regulations - Backlog of unresolved security investigations - Severity of threats and vulnerabilities reported by sensors - Time to patch critical issues on a monthly basis KPI: - Time to resolve open security items - % of suppliers with approved security control frameworks - EDR coverage across the fleet - Threat landscape rating B. KRI: - EDR coverage across the fleet - Backlog of unresolved security investigations - Time to patch critical issues on a monthly basis - Threat landscape rating KPI: - Time to resolve open security items - Compliance with regulations - % of suppliers with approved security control frameworks - Severity of threats and vulnerabilities reported by sensors C. KRI: - EDR coverage across the fleet - % of suppliers with approved security control framework - Backlog of unresolved security investigations - Threat landscape rating KPI: - Time to resolve open security items - Compliance with regulations - Time to patch critical issues on a monthly basis - Severity of threats and vulnerabilities reported by sensors D. KPI: - Compliance with regulations - % of suppliers with approved security control frameworks - Severity of threats and vulnerabilities reported by sensors - Threat landscape rating KRI: - Time to resolve open security items - Backlog of unresolved security investigations - EDR coverage across the fleet - Time to patch critical issues on a monthly basis

A. KRI: - Compliance with regulations - Backlog of unresolved security investigations - Severity of threats and vulnerabilities reported by sensors - Time to patch critical issues on a monthly basis KPI: - Time to resolve open security items - % of suppliers with approved security control frameworks - EDR coverage across the fleet - Threat landscape rating

The Chief Executive Officer (CEO) of a small startup company has an urgent need for a security policy and assessment to address governance, risk management, and compliance. The company has a resource-constrained IT department, but has no information security staff. The CEO has asked for this to be completed in three months. Which of the following would be the MOST cost-effective solution to meet the company’s needs? - Select one of the IT personnel to obtain information security training, and then develop all necessary policies and documents in-house. - Accept all risks associated with information security, and then bring up the issue again at next year’s annual board meeting. - Release an RFP to consultancy firms, and then select the most appropriate consultant who can fulfill the requirements. - Hire an experienced, full-time information security team to run the startup company’s information security department.

- Release an RFP to consultancy firms, and then select the most appropriate consultant who can fulfill the requirements.

A project manager is working with a team that is tasked to develop software applications in a structured environment and host them in a vendor’s cloud-based infrastructure. The organization will maintain responsibility for the software but will not manage the underlying server applications. Which of the following does the organization plan to leverage? - SaaS - PaaS - IaaS - Hybrid cloud - Network virtualization

- PaaS

During the deployment of a new system, the implementation team determines that APIs used to integrate the new system with a legacy system are not functioning properly. Further investigation shows there is a misconfigured encryption algorithm used to secure data transfers between systems. Which of the following should the project manager use to determine the source of the defined algorithm in use? - Code repositories - Security requirements traceability matrix - Software development lifecycle - Data design diagram - Roles matrix - Implementation guide

- Implementation guide

An administrator has noticed mobile devices from an adjacent company on the corporate wireless network. Malicious activity is being reported from those devices. To add another layer of security in an enterprise environment, an administrator wants to add contextual authentication to allow users to access enterprise resources only while present in corporate buildings. Which of the following technologies would accomplish this? - Port security - Rogue device detection - Bluetooth - GPS

- GPS

An administrator is working with management to develop policies related to the use of the cloud-based resources that contain corporate data. Management plans to require some control over organizational data stored on personal devices, such as tablets. Which of the following controls would BEST support management’s policy? - MDM - Sandboxing - Mobile tokenization - FDE - MFA

- MDM

Users have been reporting unusual automated phone calls, including names and phone numbers, that appear to come from devices internal to the company. Which of the following should the systems administrator do to BEST address this problem? - Add an ACL to the firewall to block VoIP. - Change the settings on the phone system to use SIP-TLS. - Have the phones download new configurations over TFTP. - Enable QoS configuration on the phone VLAN.

- Change the settings on the phone system to use SIP-TLS.

A company has adopted and established a continuous-monitoring capability, which has proven to be effective in vulnerability management, diagnostics, and mitigation. The company wants to increase the likelihood that it is able to discover and therefore respond to emerging threats earlier in the life cycle. Which of the following methodologies would BEST help the company to meet this objective? (Choose two.) - Install and configure an IPS. - Enforce routine GPO reviews. - Form and deploy a hunt team. - Institute heuristic anomaly detection. - Use a protocol analyzer with appropriate connectors.

- Install and configure an IPS. | - Institute heuristic anomaly detection.

An organization has recently deployed an EDR solution across its laptops, desktops, and server infrastructure. The organization’s server infrastructure is deployed in an IaaS environment. A database within the nonproduction environment has been misconfigured with a routable IP and is communicating with a command and control server. Which of the following procedures should the security responder apply to the situation? (Choose two.) - Contain the server. - Initiate a legal hold. - Perform a risk assessment. - Determine the data handling standard. - Disclose the breach to customers. - Perform an IOC sweep to determine the impact.

- Initiate a legal hold. | - Perform an IOC sweep to determine the impact.

An organization, which handles large volumes of PII, allows mobile devices that can process, store, and transmit PII and other sensitive data to be issued to employees. Security assessors can demonstrate recovery and decryption of remnant sensitive data from device storage after MDM issues a successful wipe command. Assuming availability of the controls, which of the following would BEST protect against the loss of sensitive data in the future? - Implement a container that wraps PII data and stores keying material directly in the container’s encrypted application space. - Use encryption keys for sensitive data stored in an eF use-backed memory space that is blown during remote wipe. - Issue devices that employ a stronger algorithm for the authentication of sensitive data stored on them. - Procure devices that remove the bootloader binaries upon receipt of an MDM-issued remote wipe command.

- Implement a container that wraps PII data and stores keying material directly in the container’s encrypted application space. B. Use encryption keys for sensitive data

A large company with a very complex IT environment is considering a move from an on-premises, internally managed proxy to a cloud-based proxy solution managed by an external vendor. The current proxy provides caching, content filtering, malware analysis, and URL categorization for all staff connected behind the proxy. Staff members connect directly to the Internet outside of the corporate network. The cloud-based version of the solution would provide content filtering, TLS decryption, malware analysis, and URL categorization. After migrating to the cloud solution, all internal proxies would be decommissioned. Which of the following would MOST likely change the company’s risk profile? A. 1. There would be a loss of internal intellectual knowledge regarding proxy configurations and application data flows. 2. There would be a greater likelihood of Internet access outages due to lower resilience of cloud gateways. 3. There would be data sovereignty concerns due to changes required in routing and proxy PAC files. B. 1. The external vendor would have access to inbound and outbound gateway traffic. 2. The service would provide some level of protection for staff working from home. 3. Outages would be likely to occur for systems or applications with hard-coded proxy information. C. 1. The loss of local caching would dramatically increase ISP changes and impact existing bandwidth. 2. There would be a greater likelihood of Internet access outages due to lower resilience of cloud gateways. 3. There would be a loss of internal intellectual knowledge regarding proxy configurations and application data flows. D. 1. Outages would be likely to occur for systems or applications with hard-coded proxy information. 2. The service would provide some level of protection for staff members working from home. 3. Malware detection times would decrease due to third-party management of the service.

B. 1. The external vendor would have access to inbound and outbound gateway traffic. 2. The service would provide some level of protection for staff working from home. 3. Outages would be likely to occur for systems or applications with hard-coded proxy information.

A security engineer is deploying an IdP to broker authentication between applications. These applications all utilize SAML 2.0 for authentication. Users log into the IdP with their credentials and are given a list of applications they may access. One of the application’s authentications is not functional when a user initiates an authentication attempt from the IdP. The engineer modifies the configuration so users browse to the application first, which corrects the issue. Which of the following BEST describes the root cause? - The application only supports SP-initiated authentication. - The IdP only supports SAML 1.0 - There is an SSL certificate mismatch between the IdP and the SaaS application. - The user is not provisioned correctly on the IdP.

- The application only supports SP-initiated authentication.

As part of the development process for a new system, the organization plans to perform requirements analysis and risk assessment. The new system will replace a legacy system, which the organization has used to perform data analytics. Which of the following is MOST likely to be part of the activities conducted by management during this phase of the project? - Static code analysis and peer review of all application code - Validation of expectations relating to system performance and security - Load testing the system to ensure response times is acceptable to stakeholders - Design reviews and user acceptance testing to ensure the system has been deployed properly - Regression testing to evaluate interoperability with the legacy system during the deployment

- Validation of expectations relating to system performance and security The below is the listed answer for this test bank, but a different bank indicates the above. I think the above is better. - Design reviews and user acceptance testing to ensure the system has been deployed properly

A company is not familiar with the risks associated with IPv6. The systems administrator wants to isolate IPv4 from IPv6 traffic between two different network segments. Which of the following should the company implement? (Select TWO) - Use an internal firewall to block UDP port 3544. - Disable network discovery protocol on all company routers. - Block IP protocol 41 using Layer 3 switches. - Disable the DHCPv6 service from all routers. - Drop traffic for ::/0 at the edge firewall. - Implement a 6in4 proxy server.

- Use an internal firewall to block UDP port 3544. | - Drop traffic for ::/0 at the edge firewall.

A company wants to confirm sufficient executable space protection is in place for scenarios in which malware may be attempting buffer overflow attacks. Which of the following should the security engineer check? - NX/XN - ASLR - strcpy - ECC

- ASLR

Developers are working on anew feature to add to a social media platform. The new feature involves users uploading pictures of what they are currently doing. The data privacy officer (DPO) is concerned about various types of abuse that might occur due to this new feature. The DPO state the new feature cannot be released without addressing the physical safety concerns of the platform’s users. Which of the following controls would BEST address the DPO’s concerns? - Increasing blocking options available to the uploader - Adding a one-hour delay of all uploaded photos - Removing all metadata in the uploaded photo file - Not displaying to the public who uploaded the photo - Forcing TLS for all connections on the platform

- Removing all metadata in the uploaded photo file

Within the past six months, a company has experienced a series of attacks directed at various collaboration tools. Additionally, sensitive information was compromised during a recent security breach of a remote access session from an unsecure site. As a result, the company is requiring all collaboration tools to comply with the following: - Secure messaging between internal users using digital signatures - Secure sites for video-conferencing sessions - Presence information for all office employees - Restriction of certain types of messages to be allowed into the network. Which of the following applications must be configured to meet the new requirements? (Select TWO.) - Remote desktop - VoIP - Remote assistance - Email - Instant messaging - Social media websites

- VoIP | - Email

A Chief Information Securiy Officer (CISO) is reviewing technical documentation from various regional offices and notices some key differences between these groups. The CISO has not discovered any governance documentation. The CISO creates the following chart to visualize the differences among the networking used. --- image --- Which of the following would be the CISO’s MOST immediate concern? - There are open standards in use on the network. - Network engineers have ignored defacto standards. - Network engineers are not following SOPs. - The network has competing standards in use.

- Network engineers have ignored defacto standards.

Given the following: ``` // TDO - should this be odbc or jdbc? var odbcString = getParameterByName('queryString, 'dbConnector'); doc.innerHTML = 'DB connector: ❮b❯" + odbcString + '❮/b❯'; document.body.appendChild(doc); ``` Which of the following vulnerabilities is present in the above code snippet? - Disclosure of database credential - SQL-based string concatenation - DOM-based injection - Information disclosure in comments

- Disclosure of database credential

An organization is currently performing a market scan for managed security services and EDR capability. Which of the following business documents should be released to the prospective vendors in the first step of the process? (Select TWO). - MSA - RFP - NDA - RFI - MOU - RFQ

- NDA | - RFI

A security analyst, who is working in a Windows environment, has noticed a significant amount of IPv6 traffic originating from a client, even though IPv6 is not currently in use. The client is a stand-alone device, not connected to the AD that manages a series of SCADA devices used for manufacturing. Which of the following is the appropriate command to disable the client’s IPv6 stack? - c:\〉netag ipsec static set policy name=MYIPPolicy /v Disable TCPIP6 - c:\〉reg add 'HRCU\Software\Microsoft\Windows\CurrentVersion\Policies\IPV6 /v disallowRun /t REG_DWORD /d '0000001' /f - c:\〉reg add HRLM\system\CurrentControlSet\services\TCPIP6\Parameters /v DisabledComponents /t REG_DWORD /d 255 /f - c:\〉reg add HRLM\SYSTEM\CurrentControlSet\IPV6 /f /v fDenyIPV6Connection /t

- c:\〉reg add HRLM\system\CurrentControlSet\services\TCPIP6\Parameters /v DisabledComponents /t REG_DWORD /d 255 /f

An organization is improving its web services to enable better customer engagement and self-service. The organization has a native mobile application and a rewards portal provided by a third party. The business wants to provide customers with the ability to log in once and have SSO between each of the applications. The integrity of the identity is important so it can be propagated through to back-end systems to maintain a consistent audit trail. Which of the following authentication and authorization types BEST meet the requirements? (Choose two.) - SAML - Social login - OpenID connect - XACML - SPML - OAuth

- Social login | - OpenID connect

After the departure of a developer under unpleasant circumstances, the company is concerned about the security of the software to which the developer has access. Which of the following is the BEST way to ensure security of the code following the incident? - Hire an external red team to conduct black box testing - Conduct a peer review and cross reference the SRTM - Perform white-box testing on all impacted finished products - Perform regression testing and search for suspicious code

- Perform white-box testing on all impacted finished products

A software company is releasing a new mobile application to a broad set of external customers. Because the software company is rapidly releasing new features, it has built in an over-the-air software update process that can automatically update the application at launch time. Which of the following security controls should be recommended by the company’s security architect to protect the integrity of the update process? (Choose two.) - Validate cryptographic signatures applied to software updates - Perform certificate pinning of the associated code signing key - Require HTTPS connections for downloads of software updates - Ensure there are multiple download mirrors for availability - Enforce a click-through process with user opt-in for new features

- Validate cryptographic signatures applied to software updates - Perform certificate pinning of the associated code signing key

A Chief Information Security Officer (CISO) is developing a new BIA for the organization. The CISO wants to gather requirements to determine the appropriate RTO and RPO for the organization’s ERP. Which of the following should the CISO interview as MOST qualified to provide RTO/RPO metrics? - Data custodian - Data owner - Security analyst - Business unit director - Chief Executive Officer (CEO)

- Business unit director

Several recent ransomware outbreaks at a company have cost a significant amount of lost revenue. The security team needs to find a technical control mechanism that will meet the following requirements and aid in preventing these outbreaks: - Stop malicious software that does not match a signature - Report on instances of suspicious behavior - Protect from previously unknown threats - Augment existing security capabilities Which of the following tools would BEST meet these requirements? - Host-based firewall - EDR - HIPS - Patch management

- HIPS

An information security manager conducted a gap analysis, which revealed a 75% implementation of security controls for high-risk vulnerabilities, 90% for medium vulnerabilities, and 10% for low-risk vulnerabilities. To create a road map to close the identified gaps, the assurance team reviewed the likelihood of exploitation of each vulnerability and the business impact of each associated control. To determine which controls to implement, which of the following is the MOST important to consider? - KPI - KRI - GRC - BIA

- GRC

A security engineer is assisting a developer with input validation, and they are studying the following code block: ``` String accountIdRegexp = "TODO, help!"; private static final Pattern accountIdPattern = Pattern.compile ("accountIdRegexp"); String accountId = request.getParameter("accountNumber"); if (!accountIdPattern.matcher(accountId).matches() { System.out.println("account ID format incorrect"); } else { //continue } ``` The security engineer wants to ensure strong input validation is in place for customer-provided account identifiers. These identifiers are ten-digit numbers. The developer wants to ensure input validation is fast because a large number of people use the system. Which of the following would be the BEST advice for the security engineer to give to the developer? - Replace code with Java-based type checks - Parse input into an array - Use regular expressions - Canonicalize input into string objects before validation

- Use regular expressions

A network printer needs Internet access to function. Corporate policy states all devices allowed on the network must be authenticated. Which of the following is the MOST secure method to allow the printer on the network without violating policy? - Request an exception to the corporate policy from the risk management committee - Require anyone trying to use the printer to enter their username and password - Have a help desk employee sign in to the printer every morning - Issue a certificate to the printer and use certificate-based authentication

- Issue a certificate to the printer and use certificate-based authentication

The Chief Information Security Officer (CISO) of an established security department, identifies a customer who has been using a fraudulent credit card. The CISO calls the local authorities, and when they arrive on-site, the authorities ask a security engineer to create a point-in-time copy of the running database in their presence. This is an example of: - creating a forensic image - deploying fraud monitoring - following a chain of custody - analyzing the order of volatility

- following a chain of custody

A systems administrator receives an advisory email that a recently discovered exploit is being used in another country and the financial institutions have ceased operations while they find a way to respond to the attack. Which of the following BEST describes where the administrator should look to find information on the attack to determine if a response must be prepared for the systems? (Choose two.) - Bug bounty websites - Hacker forums - Antivirus vendor websites - Trade industry association websites - CVE database - Company’s legal department

- CVE database | - Company’s legal department

While conducting a BIA for a proposed acquisition, the IT integration team found that both companies outsource CRM services to competing and incompatible third-party cloud services. The decision has been made to bring the CRM service in-house, and the IT team has chosen a future solution. With which of the following should the Chief Information Security Officer (CISO) be MOST concerned? (Choose two.) - Data remnants - Sovereignty - Compatible services - Storage encryption - Data migration - Chain of custody

- Data remnants | - Data migration

A company’s security policy states any remote connections must be validated using two forms of network-based authentication. It also states local administrative accounts should not be used for any remote access. PKI currently is not configured within the network. RSA tokens have been provided to all employees, as well as a mobile application that can be used for 2FA authentication. A new NGFW has been installed within the network to provide security for external connections, and the company has decided to use it for VPN connections as well. Which of the following should be configured? (Choose two.) - Certificate-based authentication - TACACS+ - 802.1X - RADIUS - LDAP - Local user database

- RADIUS | - LDAP

A security administrator is updating a company’s SCADA authentication system with a new application. To ensure interoperability between the legacy system and the new application, which of the following stakeholders should be involved in the configuration process before deployment? (Choose two.) - Network engineer - Service desk personnel - Human resources administrator - Incident response coordinator - Facilities manager - Compliance manager

- Network engineer | - Facilities manager

A security analyst is classifying data based on input from data owners and other stakeholders. The analyst has identified three data types: - Financially sensitive data - Project data - Sensitive project data The analyst proposes that the data be protected in two major groups, with further access control separating the financially sensitive data from the sensitive project data. The normal project data will be stored in a separate, less secure location. Some stakeholders are concerned about the recommended approach and insist that commingling data from different sensitive projects would leave them vulnerable to industrial espionage. Which of the following is the BEST course of action for the analyst to recommend? - Conduct a quantitative evaluation of the risks associated with commingling the data and reject or accept the concerns raised by the stakeholders. - Meet with the affected stakeholders and determine which security controls would be sufficient to address the newly raised risks. - Use qualitative methods to determine aggregate risk scores for each project and use the derived scores to more finely segregate the data. - Increase the number of available data storage devices to provide enough capacity for physical separation of non-sensitive project data.

- Meet with the affected stakeholders and determine which security controls would be sufficient to address the newly raised risks.

A government contractor was the victim of a malicious attack that resulted in the theft of sensitive information. An analyst’s subsequent investigation of sensitive systems led to the following discoveries: - There was no indication of the data owner’s or user’s accounts being compromised. - No database activity outside of previous baselines was discovered. - All workstations and servers were fully patched for all known vulnerabilities at the time of the attack. - It was likely not an insider threat, as all employees passed polygraph tests. Given this scenario, which of the following is the MOST likely attack that occurred? - The attacker harvested the hashed credentials of an account within the database administrators group after dumping the memory of a compromised machine. With these credentials, the attacker was able to access the database containing sensitive information directly. - An account, which belongs to an administrator of virtualization infrastructure, was compromised with a successful phishing attack. The attacker used these credentials to access the virtual machine manager and made a copy of the target virtual machine image. The attacker later accessed the image offline to obtain sensitive information. - A shared workstation was physically accessible in a common area of the contractor’s office space and was compromised by an attacker using a USB exploit, which resulted in gaining a local administrator account. Using the local administrator credentials, the attacker was able to move laterally to the server hosting the database with sensitive information. - After successfully using a watering hole attack to deliver an exploit to a machine, which belongs to an employee of the contractor, an attacker gained access to a corporate laptop. With this access, the attacker then established a remote session over a VPN connection with the server hosting the database of sensitive information.

- After successfully using a watering hole attack to deliver an exploit to a machine, which belongs to an employee of the contractor, an attacker gained access to a corporate laptop. With this access, the attacker then established a remote session over a VPN connection with the server hosting the database of sensitive information.

A networking administrator was recently promoted to security administrator in an organization that handles highly sensitive data. The Chief Information Security Officer (CISO) has just asked for all IT security personnel to review a zero-day vulnerability and exploit for specific application servers to help mitigate the organization’s exposure to that risk. Which of the following should the new security administrator review to gain more information? (Choose three.) - CVE database - Recent security industry conferences - Security vendor pages - Known vendor threat models - Secure routing metrics - Server’s vendor documentation - Verified security forums - NetFlow analytics

- CVE database - Security vendor pages - Verified security forums

First responders, who are part of a core incident response team, have been working to contain an outbreak of ransomware that also led to data loss in a rush to isolate the three hosts that were calling out to the NAS to encrypt whole directories, the hosts were shut down immediately without investigation and then isolated. Which of the following were missed? (Choose two.) - CPU, process state tables, and main memory dumps - Essential information needed to perform data restoration to a known clean state - Temporary file system and swap space - Indicators of compromise to determine ransomware encryption - Chain of custody information needed for investigation

- CPU, process state tables, and main memory dumps | - Temporary file system and swap space