Question 1
Question
The Chief Information Security Officer (CISO) at a company knows that many users store business documents on public cloud-based storage, and realizes this is a risk to the company. In response, the CISO implements a mandatory training course in which all employees are instructed on the proper use of cloud-based storage. Which of the following risk strategies did the CISO implement?
Answer
-
Avoid
-
Accept
-
Mitigate
-
Transfer
Question 2
Question
A forensic analyst receives a hard drive containing malware quarantined by the antivirus application. After creating an image and determining the directory location of the malware file, which of the following helps to determine when the system became infected?
Answer
-
The malware file’s modify, access, change time properties.
-
The timeline analysis of the file system.
-
The time stamp of the malware in the swap file.
-
The date/time stamp of the malware detection in the antivirus logs.
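The file's own MAC times and the antivirus log each give one timestamp that can be wrong or late (the sample's times can be forged, the AV log only records when the engine caught it). A filesystem timeline puts every file's modified/accessed/changed (and, where the OS exposes it, birth) timestamps into one chronological sequence, so the analyst can see what else was written around the moment the sample appeared. The following is an added example, not code from the page: it builds such a timeline over a mounted image or extracted tree and pulls out the events clustered around the quarantined file. The directory layout, file names and timestamps in `demo()` are a constructed fixture.

```python
import os
import tempfile
from dataclasses import dataclass
from datetime import datetime, timezone
from pathlib import Path


@dataclass(frozen=True)
class TimelineEvent:
    timestamp: float  # seconds since the Unix epoch
    kind: str         # "m" modified, "a" accessed, "c" inode/metadata changed, "b" born (only where the OS exposes it)
    path: str


def collect_events(root):
    """Walk a mounted image (or any directory tree) and emit one event per MAC(B) timestamp per file."""
    events = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath, name)
            try:
                st = p.lstat()  # lstat: do not follow symlinks, the link's own metadata is what matters
            except OSError:
                continue
            events.append(TimelineEvent(st.st_mtime, "m", str(p)))
            events.append(TimelineEvent(st.st_atime, "a", str(p)))
            events.append(TimelineEvent(st.st_ctime, "c", str(p)))
            birth = getattr(st, "st_birthtime", None)  # macOS/BSD/Windows only; absent on most Linux builds
            if birth is not None:
                events.append(TimelineEvent(birth, "b", str(p)))
    return events


def build_timeline(root):
    """Sort every event chronologically so activity across many files reads as one sequence."""
    return sorted(collect_events(root), key=lambda e: (e.timestamp, e.path, e.kind))


def events_around(timeline, anchor_path, window_seconds=300):
    """Events within +/- window of the anchor file's earliest timestamp: what else was touched when it appeared?"""
    anchor_times = [e.timestamp for e in timeline if e.path == anchor_path]
    if not anchor_times:
        return []
    t0 = min(anchor_times)
    return [e for e in timeline if abs(e.timestamp - t0) <= window_seconds]


def short(events):
    """(basename, kind) pairs, for reading or asserting on a timeline without the directory prefix."""
    return [(os.path.basename(e.path), e.kind) for e in events]


def format_event(e):
    return f"{datetime.fromtimestamp(e.timestamp, timezone.utc):%Y-%m-%d %H:%M:%S}Z {e.kind} {e.path}"


def demo():
    """Constructed fixture (not from the page): a fake image tree with a quarantined dropper and two other files."""
    root = tempfile.mkdtemp(prefix="image_")
    files = {
        "Windows/Temp/dropper.exe": 1_600_000_000,        # the quarantined sample
        "Users/ann/Documents/notes.txt": 1_600_000_045,   # written 45 s later
        "ProgramData/vendor/readme.txt": 1_500_000_000,   # old, unrelated
    }
    for rel, ts in files.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"constructed sample content")
        os.utime(p, (ts, ts))  # sets atime and mtime; ctime stays "now", as it would after a copy or a timestomp
    timeline = build_timeline(root)
    anchor = str(Path(root, "Windows/Temp/dropper.exe"))
    return timeline, events_around(timeline, anchor, window_seconds=120)


if __name__ == "__main__":
    _, window = demo()
    for ev in window:
        print(format_event(ev))
```

In the fixture the "c" (inode change) times are the wall clock of the copy and fall far outside the window, while the forged-looking mtimes of the dropper and the notes file cluster together; that discrepancy between a file's own stamps and the surrounding timeline is exactly what the analyst is looking for.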
Question 3
Question
The Chief Executive Officer (CEO) of a company that allows telecommuting has challenged the Chief Security Officer’s (CSO) request to harden the corporate network’s perimeter. The CEO argues that the company cannot protect its employees at home, so the risk at work is no different. Which of the following BEST explains why this company should proceed with protecting its corporate network boundary?
Answer
-
The corporate network is the only network that is audited by regulators and customers.
-
The aggregation of employees on a corporate network makes it a more valuable target for attackers.
-
Home networks are unknown to attackers and less likely to be targeted directly.
-
Employees are more likely to be using personal computers for general web browsing when they are at home.
Question 4
Question
A security officer is leading a lessons learned meeting. Which of the following should be components of that meeting? (Select TWO).
Answer
-
Demonstration of IPS system
-
Review vendor selection process
-
Calculate the ALE for the event
-
Discussion of event timeline
-
Assignment of follow-up items
Question 5
Question
An assessor identifies automated methods for identifying security control compliance through validating sensors at the endpoint and at Tier 2. Which of the following practices satisfy continuous monitoring of authorized information systems?
Question 6
Question
The source workstation image for new accounting PCs has begun blue-screening. A technician notices that the date/time stamp of the image source appears to have changed. The desktop support director has asked the Information Security department to determine if any changes were made to the source image. Which of the following methods would BEST help with this process? (Select TWO).
Answer
-
Retrieve source system image from backup and run file comparison analysis on the two images.
-
Parse all images to determine if extra data is hidden using steganography.
-
Calculate a new hash and compare it with the previously captured image hash.
-
Ask desktop support if any changes to the images were made.
-
Check key system files to see if date/time stamp is in the past six months.
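Two of the options above are a procedure: first recompute the image's hash and compare it with the value recorded at capture time, and if they differ, compare the current image against a copy restored from backup to find exactly which files changed. The following is an added example, not code from the page, showing both steps: a chunked SHA-256 over a large image file, then a per-file manifest diff of two extracted trees. The paths and contents in `demo()` are a constructed fixture.

```python
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # hash in 1 MiB pieces so a multi-GB image never has to fit in memory


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def image_matches_baseline(image_path, recorded_hex):
    """Step 1: does the whole image still hash to the value recorded when it was captured?"""
    return sha256_file(image_path) == recorded_hex.lower()


def build_manifest(root):
    """Relative path -> sha256 for every regular file under root (an extracted or mounted image)."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath, name)
            if p.is_symlink() or not p.is_file():
                continue
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def diff_manifests(baseline, current):
    """Step 2: when the image hash differs, name exactly which files were added, removed or altered."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(k for k in set(baseline) & set(current) if baseline[k] != current[k])
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Constructed fixture (not from the page): a whole-image check plus a file-level diff of two image trees."""
    scratch = Path(tempfile.mkdtemp(prefix="images_"))
    # (1) Whole-image hash: value recorded at capture time vs. the image on disk today.
    golden = scratch / "golden.img"
    golden.write_bytes(b"\x00" * 4096 + b"constructed image body")
    recorded = sha256_file(golden)
    current_img = scratch / "current.img"
    current_img.write_bytes(b"\x00" * 4096 + b"constructed image body!")  # one trailing byte differs
    # (2) Two extracted trees: the copy restored from backup and the current source tree.
    backup, current = scratch / "backup_tree", scratch / "current_tree"
    for root in (backup, current):
        (root / "Windows/System32/drivers").mkdir(parents=True)
        (root / "Windows/System32/ntoskrnl.exe").write_bytes(b"kernel bytes (constructed)")
        (root / "Windows/System32/drivers/disk.sys").write_bytes(b"driver bytes (constructed)")
    (current / "Windows/System32/drivers/disk.sys").write_bytes(b"driver bytes (constructed), patched")
    (current / "Windows/System32/drivers/extra.sys").write_bytes(b"unknown driver (constructed)")
    return {
        "golden_matches": image_matches_baseline(golden, recorded),
        "current_matches": image_matches_baseline(current_img, recorded),
        "diff": diff_manifests(build_manifest(backup), build_manifest(current)),
    }


if __name__ == "__main__":
    print(demo())
```

The recorded hash has to come from a trustworthy place (a write-once record made when the image was approved), otherwise whoever altered the image could have updated the stored hash as well; the manifest diff then turns "the image changed" into a list of specific files to hand back to desktop support.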
Question 7
Question
A software project manager has been provided with a requirement from the customer to place limits on the types of transactions a given user can initiate without external interaction from another user with elevated privileges. This requirement is BEST described as an implementation of:
Question 8
Question
The technology steering committee is struggling with increased requirements stemming from an increase in telecommuting. The organization has not addressed telecommuting in the past. The implementation of a new SSL VPN and a VoIP phone solution enables personnel to work from remote locations with corporate assets. Which of the following steps must the committee take FIRST to outline senior management’s directives?
Answer
-
Develop an information classification scheme that will properly secure data on corporate systems.
-
Implement database views and constrained interfaces so remote users will be unable to access PII from personal equipment.
-
Publish a policy that addresses the security requirements for working remotely with company equipment.
-
Work with mid-level managers to identify and document the proper procedures for telecommuting.
Question 9
Question
A company is facing penalties for failing to effectively comply with e-discovery requests. Which of the following could reduce the overall risk to the company from this issue?
Answer
-
Establish a policy that only allows filesystem encryption and disallows the use of individual file encryption.
-
Require each user to log passwords used for file encryption to a decentralized repository.
-
Permit users to only encrypt individual files using their domain password and archive all old user passwords.
-
Allow encryption only by tools that use public keys from the existing escrowed corporate PKI.
Question 10
Question
There have been some failures of the company’s internal facing website. A security engineer has found the WAF to be the root cause of the failures. System logs show that the WAF has been unavailable for 14 hours over the past month, in four separate situations. One of these situations was a two hour scheduled maintenance time, aimed at improving the stability of the WAF. Using the MTTR based on the last month’s performance figures, which of the following calculations is the percentage of uptime assuming there were 722 hours in the month?
Answer
-
92.24 percent
-
98.06 percent
-
98.34 percent
-
99.72 percent
Question 11
Question
A security firm is writing a response to an RFP from a customer that is building a new network-based software product. The firm’s expertise is in penetration testing corporate networks. The RFP explicitly calls for all possible behaviors of the product to be tested; however, it does not specify any particular method to achieve this goal. Which of the following should be used to ensure the security and functionality of the product? (Select TWO).
Answer
-
Code review
-
Penetration testing
-
Grey box testing
-
Code signing
-
White box testing
Question 12
Question
Company XYZ has purchased and is now deploying a new HTML5 application. The company wants to hire a penetration tester to evaluate the security of the client and server components of the proprietary web application before launch. Which of the following is the penetration tester MOST likely to use while performing black box testing of the security of the company’s purchased application? (Select TWO).
Answer
-
Code review
-
Sandbox
-
Local proxy
-
Fuzzer
-
Port scanner
Question 13
Question
The Information Security Officer (ISO) believes that the company has been targeted by cybercriminals and it is under a cyber attack. Internal services that are normally available to the public via the Internet are inaccessible, and employees in the office are unable to browse the Internet. The senior security engineer starts by reviewing the bandwidth at the border router, and notices that the incoming bandwidth on the router’s external interface is maxed out. The security engineer then inspects the following piece of log to try and determine the reason for the downtime, focusing on the company’s external router’s IP which is 128.20.176.19:
11:16:22.110343 IP 90.237.31.27.19 > 128.20.176.19.19: UDP, length 1400
11:16:22.110351 IP 23.27.112.200.19 > 128.20.176.19.19: UDP, length 1400
11:16:22.110358 IP 192.200.132.213.19 > 128.20.176.19.19: UDP, length 1400
11:16:22.110402 IP 70.192.2.55.19 > 128.20.176.19.19: UDP, length 1400
11:16:22.110406 IP 112.201.7.39.19 > 128.20.176.19.19: UDP, length 1400
Which of the following describes the findings the senior security engineer should report to the ISO and the BEST solution for service restoration?
Answer
-
After the senior engineer used a network analyzer to identify an active Fraggle attack, the company’s ISP should be contacted and instructed to block the malicious packets.
-
After the senior engineer used the above IPS logs to detect the ongoing DDoS attack, an IPS filter should be enabled to block the attack and restore communication.
-
After the senior engineer used a mirror port to capture the ongoing amplification attack, a BGP sinkhole should be configured to drop traffic at the source networks.
-
After the senior engineer used a packet capture to identify an active Smurf attack, an ACL should be placed on the company’s external router to block incoming UDP port 19 traffic.
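The log above has the shape of a reflection attack: many unrelated sources, all UDP, all from and to port 19 (chargen), all full-size 1400-byte payloads, aimed at one address. Chargen and echo (UDP 7) reflection is the Fraggle pattern; the ICMP echo-reply equivalent is Smurf. The following is an added example, not code from the page, that parses tcpdump-style one-line packet summaries and classifies the traffic to a victim by that shape. The regular expression assumes tcpdump's default output format; the five sample lines are the ones the question shows.

```python
import re
from collections import defaultdict

# tcpdump default one-line summary: "HH:MM:SS.usec IP src.sport > dst.dport: UDP, length N".
# ICMP lines carry no ports, so both port groups are optional.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: "
    r"(?P<proto>UDP|TCP|ICMP)\b.*?length (?P<length>\d+)"
)

# UDP services whose replies exceed the request, so spoofed requests flood the victim with answers.
UDP_AMPLIFIERS = {7: "echo", 19: "chargen", 53: "dns", 123: "ntp", 161: "snmp", 1900: "ssdp", 11211: "memcached"}

# The five packet summaries from the question's router log.
SAMPLE_LOG = [
    "11:16:22.110343 IP 90.237.31.27.19 > 128.20.176.19.19: UDP, length 1400",
    "11:16:22.110351 IP 23.27.112.200.19 > 128.20.176.19.19: UDP, length 1400",
    "11:16:22.110358 IP 192.200.132.213.19 > 128.20.176.19.19: UDP, length 1400",
    "11:16:22.110402 IP 70.192.2.55.19 > 128.20.176.19.19: UDP, length 1400",
    "11:16:22.110406 IP 112.201.7.39.19 > 128.20.176.19.19: UDP, length 1400",
]


def parse_tcpdump(lines):
    packets = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a one-line packet summary
        d = m.groupdict()
        packets.append({
            "ts": d["ts"], "src": d["src"], "dst": d["dst"], "proto": d["proto"],
            "sport": int(d["sport"]) if d["sport"] else None,
            "dport": int(d["dport"]) if d["dport"] else None,
            "length": int(d["length"]),
        })
    return packets


def flows_to(packets, victim):
    """Aggregate everything aimed at the victim by (proto, dport): distinct sources, packets, bytes."""
    flows = defaultdict(lambda: {"sources": set(), "packets": 0, "bytes": 0})
    for p in packets:
        if p["dst"] != victim:
            continue
        f = flows[(p["proto"], p["dport"])]
        f["sources"].add(p["src"])
        f["packets"] += 1
        f["bytes"] += p["length"]
    return flows


def classify(flows, min_sources=3):
    """Name the attack from the traffic shape; many distinct sources hitting one port is the reflection signature."""
    findings = []
    for (proto, dport), f in sorted(flows.items(), key=lambda kv: -kv[1]["bytes"]):
        if len(f["sources"]) < min_sources:
            continue
        if proto == "UDP" and dport in (7, 19):
            name = "Fraggle (UDP echo/chargen reflection)"
        elif proto == "UDP" and dport in UDP_AMPLIFIERS:
            name = f"{UDP_AMPLIFIERS[dport].upper()} reflection/amplification"
        elif proto == "ICMP":
            name = "Smurf (ICMP echo reflection)"
        else:
            name = f"volumetric {proto} flood"
        findings.append({"attack": name, "proto": proto, "dport": dport,
                         "sources": len(f["sources"]), "packets": f["packets"], "bytes": f["bytes"]})
    return findings


def demo(victim="128.20.176.19"):
    return classify(flows_to(parse_tcpdump(SAMPLE_LOG), victim))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Where the filter sits matters more than what it matches: the question states the router's inbound link is already saturated, so an ACL on the company's own external router discards the packets only after they have consumed the bandwidth. Restoring service needs the upstream provider to drop UDP/19 toward the victim before it reaches the link, which is why the ISP is the right party to call.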
Question 14
Question
An external penetration tester compromised one of the client organization’s authentication servers and retrieved the password database. Which of the following methods allows the penetration tester to MOST efficiently use any obtained administrative credentials on the client organization’s other systems, without impacting the integrity of any of the systems?
Answer
-
Use the pass the hash technique
-
Use rainbow tables to crack the passwords
-
Use the existing access to change the password
-
Use social engineering to obtain the actual password
Question 15
Question
A web services company is planning a one-time high-profile event to be hosted on the corporate website. An outage, due to an attack, would be publicly embarrassing, so Joe, the Chief Executive Officer (CEO), has requested that his security engineers put temporary preventive controls in place. Which of the following would MOST appropriately address Joe's concerns?
Answer
-
Ensure web services hosting the event use TCP cookies and DenyHosts.
-
Configure an intrusion prevention system that blocks IPs after detecting too many incomplete sessions.
-
Contract and configure scrubbing services with third-party DDoS mitigation providers.
-
Purchase additional bandwidth from the company’s Internet service provider.
Question 16
Question
The Chief Executive Officer (CEO) of an Internet service provider (ISP) has decided to limit the company’s contribution to worldwide Distributed Denial of Service (DDoS) attacks. Which of the following should the ISP implement? (Select TWO).
Answer
-
Block traffic from the ISP’s networks destined for blacklisted IPs.
-
Prevent the ISP’s customers from querying DNS servers other than those hosted by the ISP.
-
Scan the ISP’s customer networks using an up-to-date vulnerability scanner.
-
Notify customers when services they run are involved in an attack.
-
Block traffic with an IP source not allocated to customers from exiting the ISP's network.
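The last option is source-address validation at the provider edge (BCP 38): a packet may leave the ISP only if its source address is one the ISP actually delegated to a customer, which is what stops a customer host from spoofing a victim's address toward reflectors. The following is an added example, not code from the page, that applies that rule to a batch of egress packets. The customer allocation table, the bogon list and the sample traffic are constructed assumptions; the spoofed victim address and reflector IP are borrowed from the earlier Fraggle question to connect the two.

```python
import ipaddress

# Constructed allocation table (assumption, not from the page): prefixes this ISP has delegated to customers.
CUSTOMER_ALLOCATIONS = [ipaddress.ip_network(p) for p in (
    "203.0.113.0/24", "198.51.100.0/25", "2001:db8:1000::/48")]

# Address space that never legitimately originates from a customer, whatever the allocation table says.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8")]


def allowed_to_exit(src, allocations=CUSTOMER_ALLOCATIONS):
    """BCP 38 egress rule: forward only if the source is an address the ISP handed out."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False, "unparseable source"
    if any(addr in net for net in BOGONS):
        return False, "bogon source"
    for net in allocations:  # membership across IPv4/IPv6 is simply False, so mixed tables are fine
        if addr in net:
            return True, f"allocated ({net})"
    return False, "source not allocated to any customer"


def filter_egress(packets, allocations=CUSTOMER_ALLOCATIONS):
    """Apply the rule to (src, dst) pairs; returns the forwarded list and the dropped list with reasons."""
    forwarded, dropped = [], []
    for src, dst in packets:
        ok, why = allowed_to_exit(src, allocations)
        (forwarded if ok else dropped).append((src, dst, why))
    return forwarded, dropped


# Constructed traffic leaving the ISP's border.
SAMPLE_EGRESS = [
    ("203.0.113.25", "93.184.216.34"),      # legitimate customer traffic
    ("128.20.176.19", "90.237.31.27"),      # spoofed: the Fraggle victim's address toward a chargen reflector
    ("10.0.0.7", "8.8.8.8"),                # RFC 1918 leak
    ("198.51.100.200", "1.1.1.1"),          # inside the /24 but outside the /25 actually allocated
    ("2001:db8:1000::42", "2606:4700::1"),  # legitimate IPv6 customer
]


if __name__ == "__main__":
    fwd, drp = filter_egress(SAMPLE_EGRESS)
    for src, dst, why in fwd + drp:
        print(f"{src:>20} -> {dst:<16} {why}")
```

On real edge routers the same table is enforced as an egress ACL per customer port or, more commonly, as strict-mode unicast RPF, which drops a packet when its source would not be routed back out the interface it arrived on. Either way the check has to live on the access side, since once a spoofed packet is in the core nothing downstream can tell it from a legitimate one.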
Question 17
Question
Due to compliance regulations, a company requires a yearly penetration test. The Chief Information Security Officer (CISO) has asked that it be done under a black box methodology.
Which of the following would be the advantage of conducting this kind of penetration test?
Answer
-
The risk of unplanned server outages is reduced.
-
Using documentation provided to them, the pen-test organization can quickly determine areas to focus on.
-
The results will show an in-depth view of the network and should help pinpoint areas of internal weakness.
-
The results should reflect what attackers may be able to learn about the company.
Question 18
Question
Ann, a systems engineer, is working to identify an unknown node on the corporate network. To begin her investigative work, she runs the following nmap command string:
user@hostname:~$ sudo nmap -O 192.168.1.54
Based on the output, nmap is unable to identify the OS running on the node, but the following ports are open on the device:
TCP/22, TCP/111, TCP/512-514, TCP/2049, TCP/32778
Based on this information, which of the following operating systems is MOST likely running on the unknown node?
Answer
-
Linux
-
Windows
-
Solaris
-
OS X
Question 19
Question
A security engineer is responsible for monitoring company applications for known vulnerabilities. Which of the following is a way to stay current on exploits and information security news?
Answer
-
Update company policies and procedures
-
Subscribe to security mailing lists
-
Implement security awareness training
-
Ensure that the organization vulnerability management plan is up-to-date
Question 20
Question
The Chief Executive Officer (CEO) of a small start-up company wants to set up offices around the country for the sales staff to generate business. The company needs an effective communication solution to remain in constant contact with each other, while maintaining a secure business environment. A junior-level administrator suggests that the company and the sales staff stay connected via free social media. Which of the following decisions is BEST for the CEO to make?
Answer
-
Social media is an effective solution because it is easily adaptable to new situations.
-
Social media is an ineffective solution because the policy may not align with the business.
-
Social media is an effective solution because it implements SSL encryption.
-
Social media is an ineffective solution because it is not primarily intended for business applications.