CASP Flashcards
1
Q
Company ABCs SAN is nearing capacity and will cause costly downtime if servers run out of disk space. What is a more cost effective alternative to buying a new SAN?
A
Enable deduplication on the storage pools.
2
Q
A system administrator establishes a CIFS share on a UNIX device to share data to Windows systems. The security authentication on the windows domain is set to the highest level. Window domain users are stating that they cannot authenticate to the UNIX share. Which settings on the UNIX server would correct this problem?
A
Refuse LM and only accept NTLMv2.
3
Q
Two universities are making their 802.11n wireless networks available to the other university students. The infrastructure will pass the students credentials back the home school for authentication via the internet. Requirements are no passwords should be sent unencrypted, authentication must be delegated to the home school, design should not limit connect speeds and mutual authentication of clients and authentication server. WPA2 Enterprise using EAP-PEAP-MSCHAPv2 will be used for wireless security. Radius proxy servers will be used to forward authentication requests to the home school. The Radius server will have certifications from a common public certificate authority. A strong shared secret key will be used for RADIUS server authentication. What additional security consideration should be added to the design?
A
Transport layer between the RADIUS servers should be secured.
4
Q
A large organization has recently suffered a massive credit card breach. During the months of incident response there were multiple attempts to assign blame for whose fault it was that the incident occurred. In which part of the incident response phase would this be addressed in a controlled and productive manner?
A
During the lessons learned phase.
5
Q
Three companies want to allow their employees to seamlessly connect to each others wireless corporate networks while keeping one consistent wireless client configuration. Each company wants to maintain its own authentication infrastructure and wants to ensure that an employee who is visiting the other two companies is authenticated by the home office when connecting to the other companies wireless networks. All three companies have agreed to standardize on 802.1v EAP-PEAP-MSCHAP for client configuration. What should the also be implemented in this situation?
A
The three companies should agree on a single SSID and a hierarchical RADIUS system which implements trust delegation.
6
Q
A university requires a significant increase in web and database server resources for one week, twice a year, to handle student registration. The web servers remain idle for the rest of the year. What is the most cost effective way for the university to securely handle student registration?
A
Move the web server to an elastic public cloud while keeping the database server local.
7
Q
A security administrator wants to prevent sensitive data residing on corporate laptops and desktops from leaking outside of the corporate network. The company has already implemented full-disk encryption and has disabled all peripheral devices on its desktops and laptops. What additional controls must be implemented to minimize the risk of data leakage?
A
- A DLP gateway should be installed at the company border
2. Full tunnel VPN should be required for all network communication
8
Q
The Risk Manager has requested a security solution that is centrally managed, can easily be updated and protects end users work stations from both known and unknown malicious attacks when connected to either office or home network. What would be meet this requirement?
A
HIPS
9
Q
A source workstation image for new accounting PCs has begun blue-screening. A technician notices that the date/time stamp of the image source appears to have changed. The desktop support director has asked the Information Security department to determine if any changes were made to the source image. What methods would best help with this process?
A
- Retrieve source system image from backup and run file comparison analysis on the two images.
- Calculate a new hash and compare it with the previously captured image hash.
10
Q
A security administrator notices a recent increase in workstations becoming compromised by malware. Often the malware is delivered via drive-by and is not being detected by the corporate antivirus. Which solutions would BEST provide the protection for the company?
A
Deploy a cloud based content filter and enable the appropriate category to prevent further infections.
11
Q
A security consultant is conducting a network assessment and wishes to discover any legacy backup internet connections the network may have. Where would the consultant find this information and why would it be valuable?
A
This information can be found in global routing tables because backup connections typically do not have perimeter protection as strong as the primary connection.
12
Q
Helpdesk department desires to roll out a remote support application for internal use on all company computers. This tool should allow remote desktop sharing, system log gathering, chat, hardware logging, inventory management, and remote registry access. The risk management team has been asked to review vendor responses to the RFQ. Which of the following is MOST important?
A
What accountability is built into the remote support application.
13
Q
The helpdesk manager wants to find a solution that will enable the helpdesk staff to better serve company employees who call for computer related problems. The helpdesk staff is currently unable to perform effective troubleshooting and relies on callers to describe their technology problems. Given that the helpdesk staff is located within the company headquarters and 90% of the callers are telecommuters, which of the following tools should the helpdesk manager use to make the staff more effective at troubleshooting while at the same time reducing company costs?
A
Instant messaging and Desktop sharing.
14
Q
A new internal network segmentation solution will be implemented into the enterprise that consists of 200 internal firewalls. As part of a running pilot exercise, it was determined that it takes three changes to deploy a new application onto the network before it is operational. Security not has a significant effect on overall availability. Which of the following would be the FIRST process to perform as a result of these findings?
A
Review to determine if control effectiveness is in line with the complexity of the solution. Determine if the requirements can be met with a simpler solution.
15
Q
A company is in the process of implementing a new front end user interface for its customers, the goal is to provide them with more self service functionality. The application has been written by developers over the last six months and the project is currently in the test phase. Which of the following security activities should be implemented as part of the SDL in order to provide the most security coverage over the solution.
A
- Perform grey box penetration testing over the solution.
2. Perform static code review over the front end source code.
16
Q
Security analyst has been asked to develop a quantitive risk analysis and risk assessment for the company’s online shopping application. Based on heuristic information from the Security Operations Center, a Denial of Service attack has been successfully executed 5 times a year. The Business Operations Department has determined the loss associated to each attack is $40000. After implementing application caching the number of DoS attacks was reduced to one time a year. What is the monetary value earned during the first year of operation.
A
$60000
17
Q
At 9:00 am each morning all the virtual desktops in a VDI implementation become extremely slow and/or unresponsive. The outage lasts for 10 minutes after which every thing runs properly again. The administrator has traced the problem to a lab of thin clients that are all booted at 9:00 am each morning. What is the most likely cause of the problem and the BEST solution to fit it.
A
Booting all the lab desktops at the same time is creating excessive I/O.
Install a faster SSD drives in the storage system used in the infrastructure.
18
Q
In order to reduce the costs and improve employee satisfaction, a large corporation is creating a BYOD policy. It will allow access to email and remote connections to the corporate enterprise from personal devices, provided they are on an approved list. What security measure is will be the MOST effective in securing the enterprise under the new policy?
A
- Encrypt data in transit for remote access.
2. Implement NAC to limit insecure device access.
19
Q
There have been some failures of the company’s internal facing website. A security engineer has found the WAF to be the root cause of the failure. System logs show that the WAF has been unavailable for 14 hours over the past month in four separate situations. One of these situations was a two hour scheduled maintenance time aimed at improving the stability of the WAF. Using the MTTR based on the last months performance figures, which of the following calculations is the percentage of uptime assuming there were 722 hours in a month?
A
98.34 percent.
20
Q
A system administrator needs to meet the maximum amount of security goals for a new DNS infrastructure. The administrator deploys DNSSEC extensions to the domain names and infrastructure. Which of the following security goals does this meet?
A
Authentication and Integrity.
21
Q
A security administrator wants to deploy a dedicated storage solution which is inexpensive, can natively integrate with AD, allow files to be selectively encrypted and is suitable for a small number of users at a satellite office. What would be the BEST meet this requirement?
A
NAS
22
Q
The Chief Information Officer is reviewing the IT centric BIA and RA documentation. The document shows that a single 24 hours downtime in a critical business function will cost the business $2.3 million. Additionally, the business unit which depends on the critical business function has determined that there is a high probably that a threat will materialize based on historical data. The CIOs budget does not allow for full system hardware replacement in case of catastrophic failure nor does it allow for purchase of additional compensating controls. What should the CIO recommend to the finance director to minimize loss.
A
Company should transfer the risk.
23
Q
The Human Resource manager at a software development company has been tasked with recruiting personnel for a new cyber defensive division at the company. This division will require personnel to have high technology skills and industry certifications. Which is the best method for this manager to gain insight into this industry to execute the task?
A
Attend conferences, webinars and training to remain current with the industry and job requirements.
24
Q
The Chief Executive Officer of a company that allows telecommuting has challenged the Chief Security Officer request to hardened the corporation’s network perimeter. The CEO argues that the company cannot protect its employee at home so the risk at work is no different. Which of the following BEST explains why the company should proceed with protecting its corporate boundary?
A
The aggregation of employees a corporate network makes it more valuable target for attackers.
25
A popular commercial virtualization platform allows for the creation of virtual hardware. By implementing virtualized TPMs which of the following trusted systems concepts can be implemented?
Chain of trust with a hardware root of trust.
26
A security manager received the following email from the Chief Financial Officer "While I am concerned about the security of the proprietary financial data in our ERP application, we have had a lot of turnover in the accounting group and I am having a difficult time meeting our monthly performance targets. As things currently stand we do not allow employees to work from home but this is something I am willing to allow so we can get back on track. What should we do first to securely enable this capability for my group? Based on the information provided what is the most appropriate response to the CEO?
Work with the executive management team to revise policies before allowing any remote access.
27
A Penetration tester is accessing a mobile bank application. Man-in-the-middle attack via a HTTP intercepting proxy are failing with SSL errors. Which of the following controls has likely been implemented by the developer?
SSL certificate pinning.
28
Company XYZ provides hosting services for hundreds of companies across multiple industries including healthcare education and manufacturing. The security architect for company XYZ is reviewing a vendor's proposal to reduce the company's hardware cost by combining multiple physical hosts through the use of virtualization technologies. The security architect notes concern about data separation confidentiality regulatory requirements concerning PII and administrative complexity on the proposal. Which BEST describes the core concerns of the security architect?
Company XYZ could be liable for disclosure of sensitive data from one hosted customer when accessed by a malicious user who has gained access to the virtual machine of another hosted customer.
29
Company A needs to export sensitive data from its financial system to Company's B database using company's Bs API in an automated manner. Company A's policy prohibits the use of any intermediary external system to transfer or store its sensitive data therefore the transfer must occur directly between company's A legacy financial system and company B's destination server using the supplied API. Additional company A's legacy financial software does not support encryption while company B API supports encryption. Which of the following will support end to end encryption for the data transfer while adhering to these requirements?
Company A must install an SSL tunneling software on the finance system.
30
Member of the software development team has requested advice from the security team to implement a new secure lab for testing malware. Which of the following is the net step that the security team should take?
Create a proposal and present it to management for approval.
31
A developer is determining the best way to improve security within the code being developed. The developer is focusing on input fields where customers enter their credit card details. Which of the following techniques, if implemented in the code would be the most effective in protecting the fields from malformed input?
Regular expression matching.
32
An organization would like to allow employees to use their network username and password to access third party service. The company is using Active Directory Federated Services for their directory service. Which of the following should the company ensure is supported by the third party?
SAML and Kerberos
33
Which of the following activities is deemed Out of Scope when undertaking a penetration test?
Undertaking network based denial of service attacks in production environment.
34
An organization has decided to reduce labor costs by outsourcing back office processing of credit applications to a provider located in another country. Data sovereignty and privacy concerns raised by the security team resulted in the data via remote desktops sessions. To facilitate communications and improve productivity staff the third party company has been provided with corporate email accounts that are only accessible via remote desktop sessions. Email forwarding is blocked and staff at the third part can only communicate with staff within the organization. What additional controls should be implemented to prevent data loss?
1. Disable cross session cut and paste.
| 2. Source IP white listing.
35
CEO of a large prestigious enterprise has decided to reduce business cost by out sourcing to a third party company in another country. Functions to be outsourced include business analysts, testing, software development and back office functions that deal with the processing of customer data. The CRO is concerned about the outsourcing plans. Which of the following risks are MOST likely to occur if adequate controls are not implemented?
Improper handling of customer data, loss of intellectual property and reputation damage.
36
Application present on the majority of an organizations 1000 systems is vulnerable to buffer overflow attack. What is the most comprehensive way to resolve the issue?
Validate and deploy the appropriate patch.
37
An intruder was recently discovered inside the data center, a highly sensitive area. To gain access the intruder circumvented numerous layers of physical and electronic security measures. Company leadership has asked for a through review of physical security controls to prevent this from happening again. Which of the following departments are most heavily invested in rectifying the problem?
Facilities Management
Data Center Operations
Information Technology
38
After being notified of an issue with the online shopping cart where customers are able by to arbitrarily change the price of listed items a programmer analyzes the following piece of code used by the web based shopping cart:
SELECT ITEM CART WHERE ITEM=ADDSLASHES($userinput$)
The programmer found that every time a user adds an item to the cart, a temporary file is created on the web server /tmp directory. The temp file has a name which is generated by canating the content of $userinput$ variable and a timestamp in the form of MM-DD-YY containing the price of the item being purchased. Which of the following is most likely being exploited to manipulate the price of a shopping carts item?
TOC/TOU
39
A security firm is writing a response to an RFP from a customer that is building a new network based software product. The firms expertise is in penetration testing corporate networks. The RFP explicitly calls for all possible behaviors of the product to be tested, however it does not specify any particular method to achieve this goal. What should be used to ensure the security and functionality of the product?
Code Review
| White box testing
40
An organization is concerned with the possible data loss in the event of a disaster and created a backup data center as a mitigation strategy. The current storage method is a single NAS used by all servers in both datacenters. Which of the following options increases data availability in the event of a datacenter failure?
Establish a SAN that replicates between datacenters.
41
Due to compliance regulations, a company requires a yearly penetration test. The Chief Information Security Officer has asked that it be done under a Black Box methodology. Which of the following would be the advantage of conducting this kind of penetration test?
The results should reflect what attackers may be able to learn about the company.
42
A security architect is designing a new infrastructure using both type 1 and type 2 virtual machines. In addition to the normal compliment of security controls the security architect needs to implement a mechanism to securely store cryptographic keys used to sign code and code modules on the VMS. Which of the following will meet this goal without requiring any hardware pass through implementations?
vTPM
43
Due to a new regulatory requirement ABC company must now encrypt all WAN transmissions. When speaking with the network administrator the security administrator learns that the existing routers have the minimum processing power to do the required level of encryption. Which of the following solutions minimizes the performance impact on the router?
Deploy inline network encryption devices.
44
An extensible commercial software system upgraded t the next minor release version to patch a security vulnerability. After the upgrade an unauthorized intrusion into the system is detected. The software vendor is called to troubleshoot the issue and reports that all the components were updated properly. Which of the following has been overlooked?
1. The company's custom code was not patched.
| 2. Third party plug-ins were not patched.
45
Security administrator was doing a packet capture and noticed a system communicating with an unauthorized address within the 2001:/32 prefix. The network administrator confirms there is no IPv6 routing into or out of the network. Which of the following is the best course of action?
Investigate the network traffic and block UDP port 3544 at the firewall.
46
Anna, a system engineer, is working to identify an unknown node in the corporate network. To begin her
investigative work she runs the following nmap command string:
user@hostname:~$sudu nmap 0 192.168.1.54
Based on the output nmap is unable to identify the os running on the node, but the following ports are open on the device: TCP/22, TCP/111, TCP/512-514, TCP/2049, TCP/32778 Based on this information which of the following operating systems is MOST likely running on the unknown node?
Solaris
47
Company XYZ has purchased and is now developing a new HTMLS application. The company wants to hire a penetration tester to evaluate the security of the client and server components of the proprietary web application before launch. Which of the following is the penetration tester most likely to use while performing black box testing of the security of the company's purchased application
Local proxy
| Fuzzer
48
The technology steering committee is struggling with increased requirements stemming from an increase in telecommuting. The organization has not addressed telecommuting in the past. The implementation of a new SSL VPN and a Voip phone solution enables a person to work from remote locations with corporate assets. Which of the following steps must the committee take first to outline senior management directives?
Publish a policy that addresses the security requirements for working remotely with corporate equipment.
49
A network administrator with a company SNSP has received a CERT alert for targeted adversarial behavior at the company. In addition to the company's physical security which of the following can the network administrator used to detect the presence of a malicious actor physically accessing the company's network or information systems from within?
HIDS
| Protocol Analyzer
50
An attacker attempts to create a DoS event against the Voip system of a company. The attacker uses a tool to flood the network with a large number of SIP invite traffic. Which of the following would be least likely to thwart such an attack?
Implement QoS parameters on the switches.
51
A forensic analyst works for an ediscovery firm where several gigabytes of data are processed daily. While the business is lucrative they do not have the resources or the scalability to adequately serve their clients. Since it is an ediscovery firm where chain of custody is important which of the following scenarios should they consider?
Using a community cloud with adequate controls.
52
An analyst connects to a company's web conference hosted on www.webconference.com/meeting id#01234 and observers that numerous guests have been allowed to join without providing identifying information. The topics covered during the web conference are considered proprietary to the company. Which of the following security concerns does the analyst present to management?
Unauthorized users could present a risk to the confidentiality of the company's information.
53
Security administrator is tasked with implementing two factor authentication for the company's VPN. VPN is currently configured authenticate VPN users against a backend RADIUS server. New company policies requires a second factor of authentication and the Information Security Officer has selected PKI as the second factor. Which of the following should the security administrator configure and implement on the VPN concentrator to implement the second factor and ensure that no error messages are displayed to the user during the VPN connection?
The VPN concentrators certificate private key must be installed on the VPN concentrator.
The CA’s certificate public key must be installed on the VPN concentrator.
54
An analyst connects to a company web conference hosted on www.webconference.com/meetingID#01234 and observes that numerous guests have
been allowed to join, without providing identifying information. The topics covered during the web conference are considered proprietary to the company. Which of the following security concerns does the analyst present to management?
Unauthenticated users could present a risk to the confidentiality of the company's information.
55
A web services company is planning a one-time high-profile event to be hosted on the corporate website. An outage, due to an attack, would be publicly embarrassing, so Joe, the Chief Executive Officer (CEO), has requested that his security engineers put temporary
preventive controls in place. Which of the following would MOST appropriately address Joe's concerns?
Contract and configure scrubbing services with third-party DDoS mitigation providers.
56
The security engineer receives an incident ticket from the helpdesk stating that DNS lookup requests are no longer working from the office. The network team has ensured that Layer 2 and Layer 3 connectivity are working. Which of the following tools would a security
engineer use to make sure the DNS server is listening on port 53?
NMAP
57
The Information Security Officer (ISO) is reviewing a summary of the findings from the last COOP tabletop exercise. The Chief Information Officer (CIO) wants to determine which additional controls must be implemented to reduce the risk of an extended customer
service outage due to the VoIP system being unavailable. Which of the following BEST describes the scenario presented and the document the ISO is reviewing?
The ISO is assessing the effect of a simulated downtime involving the telecommunication system within the AAR.
58
The Information Security Officer (ISO) believes that the company has been targeted by cybercriminals and it is under a cyber attack. Internal services that are normally available to the public via the Internet are inaccessible, and employees in the office are unable to browse the Internet. The senior security engineer starts by reviewing the bandwidth at the border router, and notices that the incoming bandwidth on the routers external interface is
maxed out. The security engineer then inspects the following piece of log to try and determine the reason for the downtime, focusing on the companys external routers IP which is 128.20.176.19: 11:16:22.110343 IP 90.237.31.27.19 > 128.20.176.19.19:
UDP, length 1400 11:16:22.110351 IP 23.27.112.200.19 > 128.20.176.19.19: UDP, length 1400
11:16:22.110358 IP 192.200.132.213.19 > 128.20.176.19.19: UDP, length 1400 11:16:22.110402 IP 70.192.2.55.19 > 128.20.176.19.19: UDP, length 1400
11:16:22.110406 IP 112.201.7.39.19 > 128.20.176.19.19: UDP, length 1400
Which of the following describes the findings the senior security engineer should report to the ISO and the BEST solution for service restoration?
After the senior engineer used a network analyzer to identify an active Fraggle attack, the companys ISP should be contacted and instructed to block the malicious packets.
59
The security administrator finds unauthorized tables and records, which were not present before, on a Linux database server. The database server communicates only with one web server, which connects to the database server via an account with SELECT only privileges. Web server logs show the following:
90.76.165.40 - [08/Mar/2014:10:54:04] GET calendar.php?create%20table%20hidden HTTP/1.1 200 5724
90.76.165.40 - [08/Mar/2014:10:54:05] GET ../../../root/.bash_history HTTP/1.1 200
5724 90.76.165.40 - [08/Mar/2014:10:54:04] GET index.php?user=Create
HTTP/1.1 200 5724
The security administrator also inspects the following file system locations on the database
server using the command ls -al /root
drwxrwxrwx 11 root root 4096 Sep 28 22:45 .
drwxr-xr-x 25 root root 4096 Mar 8 09:30 ..
-rws------ 25 root root 4096 Mar 8 09:30 .bash_history
-rw------- 25 root root 4096 Mar 8 09:30 .bash_history
-rw------- 25 root root 4096 Mar 8 09:30 .profile
-rw------- 25 root root 4096 Mar 8 09:30 .ssh
Which of the following attacks was used to compromise the database server and what can the security administrator implement to detect such attacks in the future? (Select TWO).
Privilege escalation
| Update crontab with: find / \( -perm -4000 \) –type f –print0 | xargs -0 ls –l | email.sh
60
Which of the following provides the BEST risk calculation methodology?
Potential Loss x Event Probability x Control Failure Probability
61
The Chief Information Security Officer (CISO) is asking for ways to protect against zero-day exploits. The CISO is concerned that an unrecognized threat could compromise corporate data and result in regulatory fines as well as poor corporate publicity. The network is mostly
flat, with split staff/guest wireless functionality. Which of the following equipment MUST be deployed to guard against unknown threats?
Behavior based IPS with a communication link to a cloud based vulnerability and threat feed.
62
Joe, a hacker, has discovered he can specifically craft a webpage that when viewed in a browser crashes the browser and then allows him to gain remote code execution in the context of the victims privilege level. The browser crashes due to an exception error when
a heap memory that is unused is accessed. Which of the following BEST describes the application issue?
Use after free
63
A security engineer on a large enterprise network needs to schedule maintenance within a fixed window of time. A total outage period of four hours is permitted for servers. Workstations can undergo maintenance from 8:00 pm to 6:00 am daily. Which of the following can specify parameters for the maintenance work? (Select TWO).
Memorandum of understanding
| Operating level agreement
64
A security engineer is responsible for monitoring company applications for known vulnerabilities. Which of the following is a way to stay current on exploits and information security news?
Subscribe to security mailing lists
65
A security engineer is working on a large software development project. As part of the design of the project, various stakeholder requirements were gathered and decomposed to an implementable and testable level. Various security requirements were also documented. Organize the following security requirements into the correct hierarchy required for an
SRTM.
Requirement 1: The system shall provide confidentiality for data in transit and data at rest.
Requirement 2: The system shall use SSL, SSH, or SCP for all data transport.
Requirement 3: The system shall implement a file-level encryption scheme.
Requirement 4: The system shall provide integrity for all data at rest.
Requirement 5: The system shall perform CRC checks on all files.
Level 1: Requirements 1 and 4;
Level 2: Requirements 2 and 3 under 1,
Requirement 5 under 4
66
An organization is selecting a SaaS provider to replace its legacy, in house Customer Resource Management (CRM) application. Which of the following ensures the organization mitigates the risk of managing separate user credentials?
Ensure the SaaS provider supports directory services federation.
67
A company has received the contract to begin developing a new suite of software tools to replace an aging collaboration solution. The original collaboration solution has been in place for nine years, contains over a million lines of code, and took over two years to
develop originally. The SDLC has been broken up into eight primary stages, with each stage requiring an in-depth risk analysis before moving on to the next phase. Which of the following software development methods is MOST applicable?
Waterfall model
68
A security officer is leading a lessons learned meeting. Which of the following should be components of that meeting? (Select TWO).
Discussion of event timeline
| Assigning of follow up items
69
A company is in the process of outsourcing its customer relationship management system to a cloud provider. It will host the entire organizations customer database. The database will be accessed by both the companys users and its customers. The procurement
department has asked what security activities must be performed for the deal to proceed. Which of the following are the MOST appropriate security activities to be performed as part of due diligence? (Select TWO).
Security clauses are implemented into the contract such as the right to audit.
Review of the organizations security policies, procedures and relevant hosting certifications.
70
Which of the following describes a risk and mitigation associated with cloud data storage?
Risk: Shared hardware caused data leakage Mitigation: Strong encryption at rest
71
An industry organization has implemented a system to allow trusted authentication between all of its partners. The system consists of a web of trusted RADIUS servers
communicating over the Internet. An attacker was able to set up a malicious server and conduct a successful man-in-the-middle attack. Which of the following controls should be implemented to mitigate the attack in the future?
Enforce TLS connections between RADIUS servers
72
The risk manager is reviewing a report which identifies a requirement to keep a business critical legacy system operational for the next two years. The legacy system is out of support because the vendor and security patches are no longer released. Additionally, this is a proprietary embedded system and little is documented and known about it. Which of the following should the Information Technology department implement to reduce the
security risk from a compromise of this system?
Segment the device on its own secure network.
73
A large hospital has implemented BYOD to allow doctors and specialists the ability to access patient medical records on their tablets. The doctors and specialists access patient records over the hospitals guest WiFi network which is isolated from the internal network
with appropriate security controls. The patient records management system can be accessed from the guest network and requires two factor authentication. Using a remote desktop type interface, the doctors and specialists can interact with the hospitals system.
Cut and paste and printing functions are disabled to prevent the copying of data to BYOD devices. Which of the following are of MOST concern? (Select TWO).
Privacy could be compromised as patient records can be viewed in uncontrolled areas.
Malware may be on BYOD devices which can extract data via key logging and screen scrapes.
74
Ann, a software developer, wants to publish her newly developed software to an online store. Ann wants to ensure that the software will not be modified by a third party or end users before being installed on mobile devices. Which of the following should Ann implement to stop modified copies of her software from running on mobile devices?
Remote attestation
75
Which of the following BEST constitutes the basis for protecting VMs from attacks from other VMs hosted on the same physical platform?
Aggressive patch management on the host and guest OSs.
76
A developer has implemented a piece of client-side JavaScript code to sanitize a users provided input to a web page login screen. The code ensures that only the upper case and lower case letters are entered in the username field, and that only a 6-digit PIN is entered
in the password field. A security administrator is concerned with the following web server log:
10.235.62.11 - [02/Mar/2014:06:13:04] GET/site/script.php?user=admin&pass=pass%20or%201=1 HTTP/1.1 200 5724
Given this log, which of the following is the security administrator concerned with and which fix should be implemented by the developer?
The security administrator is concerned with SQL injection, and the developer should implement server side input validation.
77
An assessor identifies automated methods for identifying security control compliance through validating sensors at the endpoint and at Tier 2. Which of the following practices satisfy continuous monitoring of authorized information systems?
Ongoing authorization
78
The administrator is troubleshooting availability issues on an FCoE-based storage array that uses deduplication. The single controller in the storage array has failed, so the administrator wants to move the drives to a storage array from a different manufacturer in order to access the data. Which of the following issues may potentially occur?
The data may not be in a usable format
79
The Chief Executive Officer (CEO) of a small start-up company wants to set up offices around the country for the sales staff to generate business. The company needs an effective communication solution to remain in constant contact with each other, while maintaining a secure business environment. A junior-level administrator suggests that the company and the sales staff stay connected via free social media. Which of the following decisions is BEST for the CEO to make?
Social media is an ineffective solution because the policy may not align with the business.
80
During a recent audit of servers, a company discovered that a network administrator, who required remote access, had deployed an unauthorized remote access application that communicated over common ports already allowed through the firewall. A network scan
showed that this remote access application had already been installed on one third of the servers in the company. Which of the following is the MOST appropriate action that the company should take to provide a more appropriate solution?
Implement SSL VPN with SAML standards for federation
81
A completely new class of web-based vulnerabilities has been discovered. Claims have been made that all common web-based development frameworks are susceptible to attack. Proof-of-concept details have emerged on the Internet. A security advisor within a company has been asked to provide recommendations on how to respond quickly to these vulnerabilities. Which of the following BEST describes how the security advisor should respond?
Assess the reliability of the information source, likelihood of exploitability, and impact to hosted data. Attempt to exploit via the proof-of-concept code. Consider remediation options.
82
News outlets are beginning to report on a number of retail establishments that are experiencing payment card data breaches. The data exfiltration is enabled by malware on a compromised computer. After the initial exploit, network mapping and fingerprinting is
conducted to prepare for further exploitation. Which of the following is the MOST effective solution to protect against unrecognized malware infections?
Implement an application whitelist at all levels of the organization.
83
A company is deploying a new iSCSI-based SAN. The requirements are as follows:
✑ SAN nodes must authenticate each other.
✑ Shared keys must NOT be used.
✑ Do NOT use encryption in order to gain performance.
Which of the following design specifications meet all the requirements? (Select TWO).
IPSec using AH with PKI certificates for authentication.
| Initiators and targets use CHAP authentication
84
A software project manager has been provided with a requirement from the customer to place limits on the types of transactions a given user can initiate without external interaction from another user with elevated privileges. This requirement is BEST described as an
implementation of:
separation of duties
85
A small company's Chief Executive Officer (CEO) has asked its Chief Security Officer (CSO) to improve the company's security posture quickly with regard to targeted attacks. Which of the following should the CSO conduct FIRST?
Survey threat feeds from services inside the same industry.
86
A large enterprise acquires another company which uses antivirus from a different vendor. The CISO has requested that data feeds from the two different antivirus platforms be combined in a way that allows management to assess and rate the overall effectiveness of antivirus across the entire organization. Which of the following tools can BEST meet the
CISOs requirement?
GRC
87
A new piece of ransomware got installed on a company's backup server which encrypted the hard drives containing the OS and backup application configuration but did not affect the deduplication data hard drives. During the incident response, the company finds that all backup tapes for this server are also corrupt. Which of the following is the PRIMARY
concern?
Restoring the data will be difficult without the application configuration
88
A company has issued a new mobile device policy permitting BYOD and company-issued devices. The company-issued device has a managed middleware client that restricts the applications allowed on company devices and provides those that are approved. The
middleware client provides configuration standardization for both company owned and BYOD to secure data and communication to the device according to industry best
practices. The policy states that, BYOD clients must meet the company's infrastructure requirements to permit a connection. The company also issues a memorandum separate from the policy, which provides instructions for the purchase, installation, and use of the
middleware client on BYOD. Which of the following is being described?
IT governance
89
A Chief Financial Officer (CFO) has raised concerns with the Chief Information Security Officer (CISO) because money has been spent on IT security infrastructure, but corporate assets are still found to be vulnerable. The business recently funded a patch management
product and SOE hardening initiative. A third party auditor reported findings against the business because some systems were missing patches. Which of the following statements BEST describes this situation?
Security controls are generally never 100% effective and gaps should be explained to stakeholders and managed accordingly.
90
An administrator wants to enable policy based flexible mandatory access controls on an
open source OS to prevent abnormal application modifications or executions. Which of the
following would BEST accomplish this?
SELinux
91
security manager for a service provider has approved two vendors for connections to the service provider backbone. One vendor will be providing authentication services for its payment card service, and the other vendor will be providing maintenance to the service
provider infrastructure sites. Which of the following business agreements is MOST relevant to the vendors and service providers relationship?
Interconnection Security Agreement
92
Company XYZ provides cable television service to several regional areas. They are currently installing fiber-to-the-home in many areas with hopes of also providing telephone and Internet services. The telephone and Internet services portions of the company will
each be separate subsidiaries of the parent company. The board of directors wishes to keep the subsidiaries separate from the parent company. However all three companies must share customer data for the purposes of accounting, billing, and customer authentication. The solution must use open standards, and be simple and seamless for customers, while only sharing minimal data between the companies. Which of the following
solutions is BEST suited for this scenario?
The companies should federate, with the parent becoming the IdP, and the subsidiaries becoming an SP.
93
```
The Information Security Officer (ISO) is reviewing new policies that have been recently made effective and now apply to the company. Upon review, the ISO identifies a new requirement to implement two-factor authentication on the company's wireless system. Due to budget constraints, the company will be unable to implement the requirement for the next two years. The ISO is required to submit a policy exception form to the Chief
Information Officer (CIO). Which of the following are MOST important to include when submitting the exception form? (Select THREE).
```
- Business or technical justification for not implementing the requirements.
- Risks associated with the inability to implement the requirements.
- Current and planned controls to mitigate the risks.
94
A software development manager is taking over an existing software development project. The team currently suffers from poor communication due to a long delay between requirements documentation and feature delivery. This gap is resulting in an above average number of security-related bugs making it into production. Which of the following development methodologies is the team MOST likely using now?
Waterfall
95
A company sales manager received a memo from the company's financial department which stated that the company would not be putting its software products through the same security testing as previous years to reduce the research and development cost by 20
percent for the upcoming year. The memo also stated that the marketing material and service level agreement for each product would remain unchanged. The sales manager has reviewed the sales goals for the upcoming year and identified an increased target across the software products that will be affected by the financial departments change. All software products will continue to go through new development in the coming year. Which of the following should the sales manager do to ensure the company stays out of trouble?
Consult the company’s legal department on practices and law
96
The Chief Executive Officer (CEO) of an Internet service provider (ISP) has decided to limit the company's contribution to worldwide Distributed Denial of Service (DDoS) attacks.Which of the following should the ISP implement? (Select TWO).
- Notify customers when services they run are involved in an attack.
- Block traffic with an IP source not allocated to customers from exiting the ISP's network
97
A security engineer is a new member to a configuration board at the request of management. The company has two new major IT projects starting this year and wants to
plan security into the application deployment. The board is primarily concerned with the applications compliance with federal assessment and authorization standards. The security engineer asks for a timeline to determine when a security assessment of bothapplications should occur and does not attend subsequent configuration board meetings. If the security engineer is only going to perform a security assessment, which of the following
steps in system authorization has the security engineer omitted?
Establish the security control baseline
98
After a security incident, an administrator would like to implement policies that would help reduce fraud and the potential for collusion between employees. Which of the following would help meet these goals by having coworkers occasionally audit another worker's position?
Job rotation
99
Joe, the Chief Executive Officer (CEO), was an Information security professor and a Subject Matter Expert for over 20 years. He has designed a network defense method which he says is significantly better than prominent international standards. He has
recommended that the company use his cryptographic method. Which of the following methodologies should be adopted?
The company should use the method recommended by other respected information security organizations
100
The Chief Information Security Officer (CISO) at a company knows that many users store business documents on public cloud-based storage, and realizes this is a risk to the company. In response, the CISO implements a mandatory training course in which all
employees are instructed on the proper use of cloud-based storage. Which of the following risk strategies did the CISO implement?
Mitigate
101
A small retail company recently deployed a new point of sale (POS) system to all 67 stores. The core of the POS is an extranet site, accessible only from retail stores and the corporate office over a split-tunnel VPN. An additional split-tunnel VPN provides bi-directional
connectivity back to the main office, which provides voice connectivity for store VoIP phones. Each store offers guest wireless functionality, as well as employee wireless. Only the staff wireless network has access to the POS VPN. Recently, stores are reporting poor
response times when accessing the POS application from store computers as well as degraded voice quality when making phone calls. Upon investigation, it is determined that three store PCs are hosting malware, which is generating excessive network traffic. After
malware removal, the information security department is asked to review the configuration and suggest changes to prevent this from happening again. Which of the following denotes the BEST way to mitigate future malware risk?
Deploy new perimeter firewalls at all stores with UTM functionality
102
A new web based application has been developed and deployed in production. A security engineer decides to use an HTTP interceptor for testing the application. Which of the following problems would MOST likely be uncovered by this tool?
The tool could show that input validation was only enabled on the client side
103
Executive management is asking for a new manufacturing control and workflow automation
solution. This application will facilitate management of proprietary information and closely guarded corporate trade secrets. The information security team has been a part of the department meetings and come away
with the following notes:
-Human resources would like complete access to employee data stored in the application. They would like automated data interchange with the employee management application, a cloud-based SaaS application.
-Sales is asking for easy order tracking to facilitate feedback to customers.
-Legal is asking for adequate safeguards to protect trade secrets. They are also concerned with data ownership questions and legal jurisdiction.
-Manufacturing is asking for ease of use. Employees working the assembly line cannot be bothered with additional steps or overhead. System interaction needs to be quick and easy.
-Quality assurance is concerned about managing the end product and tracking overall performance of the product being produced. They would like read-only access to the entire workflow process for monitoring and baselining. The favored solution is a user friendly software application that would be hosted onsite. It
has extensive ACL functionality, but also has readily available APIs for extensibility. It supports read-only access, kiosk automation, custom fields, and data encryption. Which of the following departments request is in contrast to the favored solution?
Human resources
104
A mature organization with legacy information systems has incorporated numerous new processes and dependencies to manage security as its networks and infrastructure are modernized. The Chief Information Office has become increasingly frustrated with frequent
releases, stating that the organization needs everything to work completely, and the vendor should already have those desires built into the software product. The vendor has been in constant communication with personnel and groups within the organization to understand
its business process and capture new software requirements from users. Which of the following methods of software development is this organizations configuration management process using?
Agile
105
A forensic analyst receives a hard drive containing malware quarantined by the antivirus application. After creating an image and determining the directory location of the malware file, which of the following helps to determine when the system became infected?
The timeline analysis of the file system.
106
An external penetration tester compromised one of the client organizations authentication servers and retrieved the password database. Which of the following methods allows the penetration tester to MOST efficiently use any obtained administrative credentials on the client organizations other systems, without impacting the integrity of any of the systems?
Use the pass the hash technique
107
A security policy states that all applications on the network must have a password length of eight characters. There are three legacy applications on the network that cannot meet this policy. One system will be upgraded in six months, and two are not expected to be upgraded or removed from the network. Which of the following processes should be followed?
Provide a business justification for a risk exception
108
A user has a laptop configured with multiple operating system installations. The operating systems are all installed on a single SSD, but each has its own partition and logical volume. Which of the following is the BEST way to ensure confidentiality of individual operating system data?
Encryption of each individual partition
109
A security administrator wants to calculate the ROI of a security design which includes the purchase of new equipment. The equipment costs $50,000 and it will take 50 hours to install and configure the equipment. The administrator plans to hire a contractor at a rate of
$100/hour to do the installation. Given that the new design and equipment will allow the company to increase revenue and make an additional $100,000 on the first year, which of the following is the ROI expressed as a percentage for the first year?
82 percent
110
A government agency considers confidentiality to be of utmost importance and availability issues to be of least importance. Knowing this, which of the following correctly orders various vulnerabilities in the order of MOST important to LEAST important?
Insecure direct object references, CSRF, Smurf
111
The senior security administrator wants to redesign the company DMZ to minimize the risks associated with both external and internal threats. The DMZ design must support security in depth, change management and configuration processes, and support incident reconstruction. Which of the following designs BEST supports the given requirements?
A dual firewall DMZ with remote logging where each firewall is managed by a separate administrator
112
A security company is developing a new cloud-based log analytics platform. Its purpose is to allow:
✑ Customers to upload their log files to the “big data” platform
✑ Customers to perform remote log search
✑ Customers to integrate into the platform using an API so that third party business intelligence tools can be used for the purpose of trending, insights, and/or
discovery. Which of the following are the BEST security considerations to protect data from one customer being disclosed to other customers? (Select THREE).
- Secure storage and transmission of API keys
- Secure protocols for transmission of log files and search results
- Multi-tenancy with RBAC support
113
A company is facing penalties for failing to effectively comply with e-discovery requests. Which of the following could reduce the overall risk to the company from this issue?
Allow encryption only by tools that use public keys from the existing escrowed corporate PKI.
114
An insurance company is looking to purchase a smaller company in another country. Which of the following tasks would the security administrator perform as part of the security due diligence?
Review the security policies and standards
115
select id, firstname, lastname from authors
User input= firstname= Hack;man
lastname=Johnson
Which of the following types of attacks is the user attempting?
SQL injection
116
Two separate companies are in the process of integrating their authentication infrastructure into a unified single sign-on system. Currently, both companies use an AD backend and two factor authentication using TOTP. The system administrators have configured a trust
relationship between the authentication backend to ensure proper process flow. How should the employees request access to shared resources before the authentication integration is complete?
They should use the username format: first.lastname@company.com, together with a
password and their 6-digit code.
117
A system administrator has just installed a new Linux distribution. The distribution is configured to be secure out of the box. The system administrator cannot make updates to certain system files and services. Each time changes are attempted, they are denied and a
system error is generated. Which of the following troubleshooting steps should the security
administrator suggest?
Review settings in the SELinux configuration files
118
The network administrator at an enterprise reported a large data leak. One compromised server was used to aggregate data from several critical application servers and send it out to the Internet using HTTPS. Upon investigation, there have been no user logins over the
previous week and the endpoint protection software is not reporting any issues. Which of the following BEST provides insight into where the compromised server collected the information?
Review the flow data against each server’s baseline communications profile.
119
It has come to the IT administrators attention that the post your comment field on the company blog page has been exploited, resulting in cross-site scripting attacks against customers reading the blog. Which of the following would be the MOST effective at preventing the post your comment field from being exploited?
Filter metacharacters
120
Joe is a security architect who is tasked with choosing a new NIPS platform that has the ability to perform SSL inspection, analyze up to 10Gbps of traffic, can be centrally managed and only reveals inspected application payload data to specified internal security
employees. Which of the following steps should Joe take to reach the desired outcome?
Research new technology vendors to look for potential products. Contribute to an RFP and then evaluate RFP responses to ensure that the vendor product meets all mandatory requirements. Test the product and make a product recommendation.
121
The risk manager at a small bank wants to use quantitative analysis to determine the ALE of running a business system at a location which is subject to fires during the year. A risk analyst reports to the risk manager that the asset value of the business system is $120,000 and, based on industry data, the exposure factor to fires is only 20% due to the fire suppression system installed at the site. Fires occur in the area on average every four years. Which of the following is the ALE?
$6,000
122
An internal development team has migrated away from Waterfall development to use Agile development. Overall, this has been viewed as a successful initiative by the stakeholders as it has improved time-to-market. However, some staff within the security team have
contended that Agile development is not secure. Which of the following is the MOST accurate statement?
Agile development has different phases and timings compared to Waterfall. Security activities need to be adapted and performed within relevant Agile phases.
123
A bank has decided to outsource some existing IT functions and systems to a third party service provider. The third party service provider will manage the outsourced systems on their own premises and will continue to directly interface with the banks other systems through dedicated encrypted links. Which of the following is critical to ensure the successful management of system security concerns between the two organizations?
ISA
124
Which of the following represents important technical controls for securing a SAN storage infrastructure? (Select TWO).
- LUN masking/mapping
| - Port mapping
125
A finance manager says that the company needs to ensure that the new system can replay data, up to the minute, for every exchange being tracked by the investment departments. The finance manager also states that the companys transactions need to be
tracked against this data for a period of five years for compliance. How would a security engineer BEST interpret the finance managers needs?
User requirements
126
During an incident involving the company main database, a team of forensics experts is hired to respond to the breach. The team is in charge of collecting forensics evidence from the company's database server. Which of the following is the correct order in which the
forensics team should engage?
Secure the scene, take inventory, capture volatile storage, capture non-volatile storage, document, and implement chain of custody
127
An organization has several production critical SCADA supervisory systems that cannot follow the normal 30-day patching policy. Which of the following BEST maximizes the protection of these systems from malicious software?
Configure the systems to ensure only necessary applications are able to run
128
A security services company is scoping a proposal with a client. They want to perform a general security audit of their environment within a two week period and consequently have the following requirements:
Requirement 1 Ensure their server infrastructure operating systems are at their latest patch levels
Requirement 2 Test the behavior between the application and database
Requirement 3 Ensure that customer data can not be exfiltrated
Which of the following is the BEST solution to meet the above requirements?
Perform dynamic code analysis, penetration test and run a vulnerability scanner
129
An IT auditor is reviewing the data classification for a sensitive system. The company has
classified the data stored in the sensitive system according to the following matrix:
DATA TYPECONFIDENTIALITYINTEGRITYAVAILABILITY
----------------------------------------------------------------------------------------------------------------
FinancialHIGHHIGHLOW
Client nameMEDIUMMEDIUMHIGH
Client addressLOWMEDIUMLOW
-----------------------------------------------------------------------------------------------------------------
AGGREGATEMEDIUMMEDIUMMEDIUM
The auditor is advising the company to review the aggregate score and submit it to senior
management. Which of the following should be the revised aggregate score?
HIGH, HIGH, HIGH
130
A security solutions architect has argued consistently to implement the most secure
method of encrypting corporate messages. The solution has been derided as not being
cost effective by other members of the IT department. The proposed solution uses
symmetric keys to encrypt all messages and is very resistant to unauthorized decryption.
The method also requires special handling and security for all key material that goes above
and beyond most encryption systems.
Which of the following is the solutions architect MOST likely trying to implement?
One time pads
131
Since the implementation of IPv6 on the company network, the security administrator has been unable to identify the users associated with certain devices utilizing IPv6 addresses, even when the devices are centrally managed.
en1: flags=8863 mtu 1500
ether f8:1e:af:ab:10:a3
inet6 fw80::fa1e:dfff:fee6:9d8%en1 prefixlen 64 scopeid 0x5
inet 192.168.1.14 netmask 0xffffff00 broadcast 192.168.1.255
inet6 2001:200:5:922:1035:dfff:fee6:9dfe prefixlen 64 autoconf
inet6 2001:200:5:922:10ab:5e21:aa9a:6393 prefixlen 64 autoconf temporary
nd6 options=1
media: autoselect
status: active
Given this output, which of the following protocols is in use by the company and what can the system administrator do to positively map users with IPv6 addresses in the future?
(Select TWO).
- The routers implement NDP
| - The administrator must disable the IPv6 privacy extensions
132
Customers have recently reported incomplete purchase history and other anomalies while
accessing their account history on the web server farm. Upon investigation, it has been
determined that there are version mismatches of key e-commerce applications on the
production web servers. The development team has direct access to the production servers
and is most likely the cause of the different release versions. Which of the following
process level solutions would address this problem?
Implement change control practices at the organization level.
133
Ann is testing the robustness of a marketing website through an intercepting proxy. She
has intercepted the following HTTP request:
POST /login.aspx HTTP/1.1
Host: comptia.org
Content-type: text/html
txtUsername=ann&txtPassword=ann&alreadyLoggedIn=false&submit=true
Which of the following should Ann perform to test whether the website is susceptible to a
simple authentication bypass?
Remove the txtPassword post data and change alreadyLoggedIn from false to true
134
In an effort to minimize costs, the management of a small candy company wishes to
explore a cloud service option for the development of its online applications. The company
does not wish to invest heavily in IT infrastructure. Which of the following solutions should
be recommended?
A public PaaS
135
A large company is preparing to merge with a smaller company. The smaller company has
been very profitable, but the smaller companys main applications were created in-house.
Which of the following actions should the large companys security administrator take in
preparation for the merger?
A security assessment should be performed to establish the risks of integration or co- existence
136
A business unit of a large enterprise has outsourced the hosting and development of a new
external website which will be accessed by premium customers, in order to speed up the
time to market timeline. Which of the following is the MOST appropriate?
The external party providing the hosting and website development should be obligated under contract to provide a secure service which is regularly tested (vulnerability and penetration). SLAs should be in place for the resolution of newly identified vulnerabilities and a guaranteed uptime.
137
A software developer and IT administrator are focused on implementing security in the
organization to protect OSI layer 7. Which of the following security technologies would
BEST meet their requirements? (Select TWO).
HIPS
| WAF
138
A recently hired security administrator is advising developers about the secure integration
of a legacy in-house application with a new cloud based processing system. The systems
must exchange large amounts of fixed format data such as names, addresses, and phone
numbers, as well as occasional chunks of data in unpredictable formats. The developers
want to construct a new data format and create custom tools to parse and process the
data. The security administrator instead suggests that the developers:
Use well formed standard compliant XML and strict schemas
139
The helpdesk is receiving multiple calls about slow and intermittent Internet access from
the finance department. The following information is compiled:
Caller 1, IP 172.16.35.217, NETMASK 255.255.254.0
Caller 2, IP 172.16.35.53, NETMASK 255.255.254.0
Caller 3, IP 172.16.35.173, NETMASK 255.255.254.0
All callers are connected to the same switch and are routed by a router with five built-in
interfaces. The upstream router interfaces MAC is 00-01-42-32-ab-1a
A packet capture shows the following:
09:05:15.934840 arp reply 172.16.34.1 is-at 00:01:42:32:ab:1a (00:01:42:32:ab:1a)
09:06:16.124850 arp reply 172.16.34.1 is-at 00:01:42:32:ab:1a (00:01:42:32:ab:1a)
09:07:25.439811 arp reply 172.16.34.1 is-at 00:01:42:32:ab:1a (00:01:42:32:ab:1a)
09:08:10.937590 IP 172.16.35.1 > 172.16.35.255: ICMP echo request, id 2305, seq 1,
length 65534
09:08:10.937591 IP 172.16.35.1 > 172.16.35.255: ICMP echo request, id 2306, seq 2,
length 65534
09:08:10.937592 IP 172.16.35.1 > 172.16.35.255: ICMP echo request, id 2307, seq 3,
length 65534
Which of the following is occurring on the network?
A denial of service attack is targeting at the router.
140
During a new desktop refresh, all hosts are hardened at the OS level before deployment to
comply with policy. Six months later, the company is audited for compliance to regulations.
The audit discovers that 40 percent of the desktops do not meet requirements. Which of
the following is the MOST likely cause of the noncompliance?
The devices are being modified and settings are being overridden in production.
141
An IT manager is concerned about the cost of implementing a web filtering solution in an
effort to mitigate the risks associated with malware and resulting data leakage. Given that
the ARO is twice per year, the ALE resulting from a data leak is $25,000 and the ALE after
implementing the web filter is $15,000. The web filtering solution will cost the organization
$10,000 per year. Which of the following values is the single loss expectancy of a data
leakage event after implementing the web filtering solution?
$7,500
142
A company is trying to decide how to manage hosts in a branch location connected via a
slow WAN link. The company desires to provide the same level of performance and
functionality to the branch office as it provides to the main campus. The company uses
Active Directory for its directory service and host configuration management. The branch
location does not have a datacenter, and the physical security posture of the building is
weak. Which of the following designs is MOST appropriate for this scenario?
Deploy a corporate Read-Only Domain Controller to the branch location.
143
A security manager looked at various logs while investigating a recent security breach in
the data center from an external source. Each log below was collected from various
security devices compiled from a report through the companys security information and
event management server.
Logs:
Log 1:
Feb 5 23:55:37.743: %SEC-6-IPACCESSLOGS: list 10 denied 10.2.5.81 3 packets
Log 2:
HTTP://www.company.com/index.php?user=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Log 3:
Security Error Alert
Event ID 50: The RDP protocol component X.224 detected an error in the protocol stream
and has disconnected the client
Log 4:
Encoder oe = new OracleEncoder ();
String query = Select user_id FROM user_data WHERE user_name =
+ oe.encode ( req.getParameter(userID) ) + and user_password =
+ oe.encode ( req.getParameter(pwd) ) + ;
Vulnerabilities
Buffer overflow
SQL injection
ACL
XSS
Which of the following logs and vulnerabilities would MOST likely be related to the security
breach? (Select TWO).
Log 2
| Buffer overflow
144
A company decides to purchase commercially available software packages. This can
introduce new security risks to the network. Which of the following is the BEST description
of why this is true?
Commercially available software packages are often widely available. Information concerning vulnerabilities is often kept internal to the company that developed the software.
145
Which of the following would be used in forensic analysis of a compromised Linux system?
(Select THREE).
- Check log files for logins from unauthorized IPs.
- Check timestamps for files modified around time of compromise.
- Verify the MD5 checksum of system binaries.
146
A storage as a service company implements both encryption at rest as well as encryption in
transit of customers data. The security administrator is concerned with the overall security
of the encrypted customer data stored by the company servers and wants the development
team to implement a solution that will strengthen the customers encryption key. Which of
the following, if implemented, will MOST increase the time an offline password attack
against the customers data would take?
key = NULL ; for (int i=0; i<5000; i++) { key = sha(key + password) }
147
A pentester must attempt to crack passwords on a windows domain that enforces strong
complex passwords. Which of the following would crack the MOST passwords in the
shortest time period?
Rainbow tables attack
148
A project manager working for a large city government is required to plan and build a WAN,
which will be required to host official business and public access. It is also anticipated that
the citys emergency and first response communication systems will be required to operate
across the same network. The project manager has experience with enterprise IT projects,
but feels this project has an increased complexity as a result of the mixed business / public
use and the critical infrastructure it will provide. Which of the following should the project
manager release to the public, academia, and private industry to ensure the city provides
due care in considering all project factors prior to building its new WAN?
RFI
149
A penetration tester is inspecting traffic on a new mobile banking application and sends the
following web request:
POST http://www.example.com/resources/NewBankAccount HTTP/1.1
Content-type: application/json
account:
{ creditAccount:Credit Card Rewards account} {
salesLeadRef:www.example.com/badcontent/exploitme.exe}
],
customer:
{ name:Joe Citizen} { custRef:3153151}
The banking website responds with:
HTTP/1.1 200 OK
newAccountDetails:
{ cardNumber:1234123412341234} { cardExpiry:2020-12-31}
{ cardCVV:909}
],
marketingCookieTracker:JSESSIONID=000000001
returnCode:Account added successfully
Which of the following are security weaknesses in this example? (Select TWO).
Missing input validation on some fields
| Sensitive details communicated in clear-text
150
A web developer is responsible for a simple web application that books holiday
accommodations. The front-facing web server offers an HTML form, which asks for a users
age. This input gets placed into a signed integer variable and is then checked to ensure
that the user is in the adult age range.
Users have reported that the website is not functioning correctly. The web developer has
inspected log files and sees that a very large number (in the billions) was submitted just
before the issue started occurring. Which of the following is the MOST likely situation that
has occurred?
The age variable has had an integer overflow and was assigned a very small negative number which led to unpredictable application behavior. Improper error handling prevented the application from recovering.
151
A security administrator is performing VDI traffic data collection on a virtual server which
migrates from one host to another. While reviewing the data collected by the protocol
analyzer, the security administrator notices that sensitive data is present in the packet
capture. Which of the following should the security administrator recommend to ensure the
confidentiality of sensitive information during live VM migration, while minimizing latency
issues?
A separate physical interface placed on a private VLAN should be configured for live host operations.
152
A medical device manufacturer has decided to work with another international organization
to develop the software for a new robotic surgical platform to be introduced into hospitals
within the next 12 months. In order to ensure a competitor does not become aware,
management at the medical device manufacturer has decided to keep it secret until formal
contracts are signed. Which of the following documents is MOST likely to contain a
description of the initial terms and arrangement and is not legally enforceable?
MOU
153
An IT manager is working with a project manager from another subsidiary of the same
multinational organization. The project manager is responsible for a new software
development effort that is being outsourced overseas, while customer acceptance testing
will be performed in house. Which of the following capabilities is MOST likely to cause
issues with network availability?
Time-based access control lists
154
An information security assessor for an organization finished an assessment that identified
critical issues with the human resource new employee management software application.
The assessor submitted the report to senior management but nothing has happened.
Which of the following would be a logical next step?
Schedule a meeting with key human resource application stakeholders.
155
Wireless users are reporting issues with the companys video conferencing and VoIP systems. The security administrator notices internal DoS attacks from infected PCs on the network causing the VoIP system to drop calls. The security administrator also notices that
the SIP servers are unavailable during these attacks. Which of the following securitycontrols will MOST likely mitigate the VoIP DoS attacks on the network? (Select TWO).
- Install a HIPS on the SIP servers
| - Configure 802.11e on the network
156
A critical system audit shows that the payroll system is not meeting security policy due to missing OS security patches. Upon further review, it appears that the system is not being patched at all. The vendor states that the system is only supported on the current OS patch
level. Which of the following compensating controls should be used to mitigate the vulnerability of missing OS patches on this system?
Isolate the system on a secure network to limit its contact with other systems
157
An administrator believes that the web servers are being flooded with excessive traffic from time to time. The administrator suspects that these traffic floods correspond to when a competitor makes major announcements. Which of the following should the administrator do to prove this theory?
Implement data analytics to try and correlate the occurrence times.
158
A security administrator was recently hired in a start-up company to represent the interest of security and to assist the network team in improving security in the company. The programmers are not on good terms with the security team and do not want to be distracted with security issues while they are working on a major project. Which of the following is the BEST time to make them address security issues in the project?
At the inception of the project
159
An investigator wants to collect the most volatile data first in an incident to preserve the
data that runs the highest risk of being lost. After memory, which of the following BEST
represents the remaining order of volatility that the investigator should follow?
System processes, network processes, file system information, swap files and raw disk blocks.
160
An administrator is tasked with securing several website domains on a web server. The
administrator elects to secure www.example.com, mail.example.org, archive.example.com,
and www.example.org with the same certificate. Which of the following would allow the
administrator to secure those domains with a single issued certificate?
Subject Alternative Names Certificate
161
```
The following has been discovered in an internally developed application:
Error - Memory allocated but not freed:
char *myBuffer = malloc(BUFFER_SIZE);
if (myBuffer != NULL) {
*myBuffer = STRING_WELCOME_MESSAGE;
printf(Welcome to: %s\n, myBuffer);
exit(0);
Which of the following security assessment methods are likely to reveal this security
weakness? (Select TWO).
```
- Static code analysis
| - Manual code review
162
A company Chief Information Officer (CIO) is unsure which set of standards should govern
the companys IT policy. The CIO has hired consultants to develop use cases to test
against various government and industry security standards. The CIO is convinced that
there is large overlap between the configuration checks and security controls governing
each set of standards. Which of the following selections represent the BEST option for the
CIO?
Issue a policy specifying best practice security standards and a baseline to be implemented across the company.
163
The finance department for an online shopping website has discovered that a number of
customers were able to purchase goods and services without any payments. Further
analysis conducted by the security investigations team indicated that the website allowed
customers to update a payment amount for shipping. A specially crafted value could be
entered and cause a roll over, resulting in the shipping cost being subtracted from the
balance and in some instances resulted in a negative balance. As a result, the system
processed the negative balance as zero dollars. Which of the following BEST describes the
application issue?
Integer overflow
164
```
VPN users cannot access the active FTP server through the router but can access any
server in the data center.
Additional network information:
DMZ network 192.168.5.0/24 (FTP server is 192.168.5.11)
VPN network 192.168.1.0/24
Datacenter 192.168.2.0/24
User network - 192.168.3.0/24
HR network 192.168.4.0/24\
Traffic shaper configuration:
VLAN Bandwidth Limit (Mbps)
VPN50
User175
HR250
Finance250
Guest0
Router ACL:
ActionSourceDestination
Permit192.168.1.0/24192.168.2.0/24
Permit192.168.1.0/24192.168.3.0/24
Permit192.168.1.0/24192.168.5.0/24
Permit192.168.2.0/24192.168.1.0/24
Permit192.168.3.0/24192.168.1.0/24
Permit192.168.5.1/32192.168.1.0/24
Deny192.168.4.0/24192.168.1.0/24
Deny192.168.1.0/24192.168.4.0/24
Denyanyany
Which of the following solutions would allow the users to access the active FTP server?
```
Add a permit statement to allow traffic from 192.168.5.0/24 to the VPN network
165
A company with 2000 workstations is considering purchasing a HIPS to minimize the
impact of a system compromise from malware. Currently, the company projects a total cost
of $50,000 for the next three years responding to and eradicating workstation malware. The
Information Security Officer (ISO) has received three quotes from different companies that
provide HIPS.
✑ The first quote requires a $10,000 one-time fee, annual cost of $6 per workstation,
and a 10% annual support fee based on the number of workstations.
✑ The second quote requires a $15,000 one-time fee, an annual cost of $5 per
workstation, and a 12% annual fee based on the number of workstations.
✑ The third quote has no one-time fee, an annual cost of $8 per workstation, and a
15% annual fee based on the number of workstations.
Which solution should the company select if the contract is only valid for three years?
Second quote
166
A user is suspected of engaging in potentially illegal activities. Law enforcement has
requested that the user continue to operate on the network as normal. However, they
would like to have a copy of any communications from the user involving certain key terms.
Additionally, the law enforcement agency has requested that the user's ongoing
communication be retained in the user's account for future investigations. Which of the
following will BEST meet the goals of law enforcement?
Place a legal hold on the user's email account. Next, perform e-discovery searches to collect applicable emails.
167
A well-known retailer has experienced a massive credit card breach. The retailer had gone
through an audit and had been presented with a potential problem on their network.
Vendors were authenticating directly to the retailers AD servers, and an improper firewall
rule allowed pivoting from the AD server to the DMZ where credit card servers were kept.
The firewall rule was needed for an internal application that was developed, which presents
risk. The retailer determined that because the vendors were required to have site to site
VPNs no other security action was taken.
To prove to the retailer the monetary value of this risk, which of the following type of
calculations is needed?
Quantitative Risk Analysis
168
ODBC access to a database on a network-connected host is required. The host does not
have a security mechanism to authenticate the incoming ODBC connection, and the
application requires that the connection have read/write permissions. In order to further
secure the data, a nonstandard configuration would need to be implemented. The
information in the database is not sensitive, but was not readily accessible prior to the
implementation of the ODBC connection. Which of the following actions should be taken by
the security analyst?
Explain the risks to the data owner and aid in the decision to accept the risk versus choosing a nonstandard solution.
169
Using SSL, an administrator wishes to secure public facing server farms in three
subdomains: dc1.east.company.com, dc2.central.company.com, and
dc3.west.company.com. Which of the following is the number of wildcard SSL certificates
that should be purchased?
3
170
A new IT company has hired a security consultant to implement a remote access system,
which will enable employees to telecommute from home using both company issued as
well as personal computing devices, including mobile devices. The company wants a
flexible system to provide confidentiality and integrity for data in transit to the companys
internally developed application GUI. Company policy prohibits employees from having
administrative rights to company issued devices. Which of the following remote access
solutions has the lowest technical complexity?
RDP server
171
A security tester is testing a website and performs the following manual query:
https://www.comptia.com/cookies.jsp?products=5%20and%201=1
The following response is received in the payload:
ORA-000001: SQL command not properly ended
Which of the following is the response an example of?
Fingerprinting
172
A bank is in the process of developing a new mobile application. The mobile client renders
content and communicates back to the company servers via REST/JSON calls. The bank
wants to ensure that the communication is stateless between the mobile application and
the web services gateway. Which of the following controls MUST be implemented to enable
stateless communication?
Authentication assertion should be stored securely on the client.
173
A multi-national company has a highly mobile workforce and minimal IT infrastructure. The
company utilizes a BYOD and social media policy to integrate presence technology into
global collaboration tools by individuals and teams. As a result of the dispersed employees
and frequent international travel, the company is concerned about the safety of employees
and their families when moving in and out of certain countries. Which of the following could
the company view as a downside of using presence technology?
Physical security
174
An organization has implemented an Agile development process for front end web
application development. A new security architect has just joined the company and wants
to integrate security activities into the SDLC.
Which of the following activities MUST be mandated to ensure code quality from a security
perspective? (Select TWO).
- Static and dynamic analysis is run as part of integration
| - For each major iteration penetration testing is performed
175
An organization is implementing a project to simplify the management of its firewall network flows and implement security controls. The following requirements exist. Drag and drop the BEST security solution to meet the given requirements. Options may be used once or not at all. All placeholders must be filled.
1. Permit staff to securely work from home
2. Permit customers to access their account only from certain countries
3. Detect credit cards leaving the organization
4, Deploy infrastructure to permit users to access the Internet
5. Deploy infrastructure to permit customers to access their account balance
1. Implement a VPN with appropriate authentication and authorization
2. Implement risk profiling of any connecting device
3. Implement a DLP solution
4. Implement forward proxies with the appropriate authentication and authorization
5. Implement infrastructure reverse proxies with the appropriate authentication and authorization
176
A security administrator is assessing a new application. The application uses an API that is supposed to encrypt text strings that are stored in memory. How might the administrator test that the strings are indeed encrypted in memory?
Initiate a core dump of the application
177
Which of the following technologies prevents an unauthorized HBA from viewing iSCSI target information?
LUN masking
178
The IT Security Analyst for a small organization is working on a customers system and identifies a possible intrusion in a database that contains PII. Since PII is involved, the analyst wants to get the issue addressed as soon as possible. Which of the following is the
FIRST step the analyst should take in mitigating the impact of the potential intrusion?
Refer the issue to management for handling according to the incident response process.
179
An employee is performing a review of the organizations security functions and noticed that there is some cross over responsibility between the IT security team and the financial fraud team. Which of the following security documents should be used to clarify the roles
and responsibilities between the teams?
MOU
180
Joe, a penetration tester, is tasked with testing the security robustness of the protocol between a mobile web application and a RESTful application server. Which of the following security tools would be required to assess the security between the mobile web application
and the RESTful application server? (Select TWO).
- HTTP interceptor
| - Vulnerability scanner
181
A company provides on-demand cloud computing resources for a sensitive project. The company implements a fully virtualized datacenter and terminal server access with two-factor authentication for customer access to the administrative website. The security administrator at the company has uncovered a breach in data confidentiality. Sensitive data from customer A was found on a hidden directory within the VM of company B. Company B is not in the same industry as company A and the two are not competitors. Which of the following has MOST likely occurred?
Both VMs were left unsecured and an attacker was able to exploit network vulnerabilities to access each and move the data.
182
A system worth $100,000 has an exposure factor of eight percent and an ARO of four. Which of the following figures is the systems SLE?
$8,000
183
A facilities manager has observed varying electric use on the companys metered service lines. The facility management rarely interacts with the IT department unless new equipment is being delivered. However, the facility manager thinks that there is a correlation between spikes in electric use and IT department activity. Which of the following business processes and/or practices would provide better management of organizational resources with the IT departments needs? (Select TWO).
- Facility management participation on a change control board
- Implementation of change management best practices
184
A security administrator has noticed that an increased number of employees workstations are becoming infected with malware. The company deploys an enterprise antivirus system as well as a web content filter, which blocks access to malicious web sites where malware files can be downloaded. Additionally, the company implements technical measures to
disable external storage. Which of the following is a technical control that the security administrator should implement next to reduce malware infection?
Block cloud-based storage software on the company network.
185
An administrator wishes to replace a legacy clinical software product as it has become a security risk. The legacy product generates $10,000 in revenue a month. The new software product has an initial cost of $180,000 and a yearly maintenance of $2,000 after the first
year. However, it will generate $15,000 in revenue per month and be more secure. How many years until there is a return on investment for this new package?
4
186
The DLP solution has been showing some unidentified encrypted data being sent using FTP to a remote server. A vulnerability scan found a collection of Linux servers that are missing OS level patches. Upon further investigation, a technician notices that there are a
few unidentified processes running on a number of the servers. What would be a key FIRST step for the data security team to undertake at this point?
Conduct a bit level image, including RAM, of one or more of the Linux servers
187
A security analyst, Ann, states that she believes Internet facing file transfer servers are being attacked. Which of the following is evidence that would aid Ann in making a case to management that action needs to be taken to safeguard these servers?
Compare the current activity to the baseline of normal activity
188
A security manager is looking into the following vendor proposal for a cloud-based SIEM
solution. The intention is that the cost of the SIEM solution will be justified by having
reduced the number of incidents and therefore saving on the amount spent investigating
incidents.
Proposal:
External cloud-based software as a service subscription costing $5,000 per month.
Expected to reduce the number of current incidents per annum by 50%.
The company currently has ten security incidents per annum at an average cost of $10,000
per incident. Which of the following is the ROI for this proposal after three years?
-$30,000
189
An enterprise must ensure that all devices that connect to its networks have been previously approved. The solution must support dual factor mutual authentication with strong identity assurance. In order to reduce costs and administrative overhead, the security architect wants to outsource identity proofing and second factor digital delivery to the third party. Which of the following solutions will address the enterprise requirements?
Implementing 802.1x with EAP-TTLS across the infrastructure.
190
Company policy requires that all unsupported operating systems be removed from the
network. The security administrator is using a combination of network based tools to
identify such systems for the purpose of disconnecting them from the network. Which of the
following tools, or outputs from the tools in use, can be used to help the security
administrator make an approximate determination of the operating system in use on the
local company network? (Select THREE).
- Passive banner grabbing
- 09:18:16.262743 IP (tos 0x0, ttl 64, id 9870, offset 0, flags [none], proto TCP (6), length 40) 192.168.1.3.1051 > 10.46.3.7.80: Flags [none], cksum 0x1800 (correct), win 512, length 0
- Nmap
191
A company has a difficult time communicating between the security engineers, application
developers, and sales staff. The sales staff tends to overpromise the application
deliverables. The security engineers and application developers are falling behind
schedule. Which of the following should be done to solve this?
Allow the sales staff to shadow the developers and engineers to see how their sales impact the deliverables.
192
A small company is developing a new Internet-facing web application. The security
requirements are:
1. Users of the web application must be uniquely identified and authenticated.
2. Users of the web application will not be added to the companys directory services.
3. Passwords must not be stored in the code.
Which of the following meets these requirements?
Use OpenID and allow a third party to authenticate users.
193
In a situation where data is to be recovered from an attackers location, which of the
following are the FIRST things to capture? (Select TWO).
- Snapshots of data on the monitor
| - Volatile system memory
