Exam 3

Exam 3 Questions.

Enter email to receive results:

Security and Risk Management

Identity and Access Management (IAM)

Asset Security

Security Architecture and Engineering

Security Operations

Security Assessment and Testing

Page 1 of 6

Security and Risk Management

1. In a Bell-LaPadula system, which user cannot write to File 3?

User D

User A

User B

2. The security program can be considered effective when

risk is lowered to an acceptable level

vulnerabilities are proactively identified

audits are regularly performed and reviewed

3. A large bank deploys hardware tokens to all customers that use their online banking system. The token generates and displays a six-digit numeric password every 60 seconds. This is an example of

synchronous token

asynchronous token

Single Sign-On (SSO) token

4. Which of the following is a critical factor for implementing a successful data classification program?

Executive sponsorship

Information security sponsorship

End-user acceptance

5. What is the MOST effective method for gaining unauthorized access to a file protected with a long complex password?

Social engineering

Brute force attack

Frequency analysis

6. What is the BEST reason for the organization to pursue a plan to mitigate client-based attacks?

Client-based attacks are more common and easier to exploit than server and network-based attacks

Client privilege administration is inherently weaker than server privilege administration

Client hardening and management is easier on clients than on servers

7. In a Multilevel Security (MLS) system, the following sensitivity labels are used in increasing levels of sensitivity: restricted, confidential, secret, top secret. Table A lists the clearance levels for four users, while Table B lists the security classes of four different files. Which of the following is true according to the star property (*property)?

User A can write to File 1

User D can write to File 1

User B can write to File 1

8. Which of the following is the BEST way to determine if a particular system is able to identify malicious software without executing it?

Testing with an EICAR file

Testing with a Botnet

Executing a binary shellcode

9. In the plan, what is the BEST approach to mitigate future internal client-based attacks?

Harden the client image before deployment

Block all client side web exploits at the perimeter

Remove all non-essential client-side web services from the network

10. What additional considerations are there if the third party is located in a different country?

The effects of transborder data flows and customer expectations regarding the storage or processing of their data

The organizational structure of the third party and how it may impact timelines within the organization

The ability of the third party to respond to the organization in a timely manner and with accurate information

11. During an audit, the auditor finds evidence of potentially illegal activity. Which of the following is the MOST appropriate action to take?

Work with the client to report the activity to the appropriate authority

Immediately call the police

Work with the client to resolve the issue internally

12. Which of the following provides effective management assurance for a Wireless Local Area Network (WLAN)?

Establishing a Virtual Private Network (VPN) tunnel between the WLAN client device and a VPN concentrator

Maintaining an inventory of authorized Access Points (AP) and connecting devices

Setting the radio frequency to the minimum range required

13. A risk assessment report recommends upgrading all perimeter firewalls to mitigate a particular finding. Which of the following BEST supports this recommendation?

The expected loss from the risk exceeds mitigation costs

The inherent risk is greater than the residual risk

The Annualized Loss Expectancy (ALE) approaches zero

14. When dealing with compliance with the Payment Card Industry-Data Security Standard (PCI-DSS), an organization that shares card holder information with a service provider MUST do which of the following?

Validate the service provider's PCI-DSS compliance status on a regular basis

Perform a service provider PCI-DSS assessment on a yearly basis

Validate that the service providers' security policies align with those of the organization

15. What is the MOST LIKELY security issue with degaussing a magnetic drive?

Degausser products may not be properly maintained and operated

Commercial products often have serious weaknesses of the magnetic force available in the degausser product

The inability to turn the drive around in the chamber for the second pass due to human error

16. Which of the following actions MUST be taken if a vulnerability is discovered during the maintenance stage in a System Development Life Cycle (SDLC)?

Make changes following principle and design guidelines

Stop the application until the vulnerability is fixed

Report the vulnerability to product owner

17. Where should the permitted access for each department and job classification combination be specified?

Security standards

Security procedures

Human resource policy

18. What is the PRIMARY concern regarding database information after unauthorized access?

Unauthorized database changes

Integrity of security logs

Availability of the database

19. When using third-party software developers, which of the following is the MOST effective method of providing software development Quality Assurance (QA)?

Perform overlapping code reviews by both parties

Retain intellectual property rights through contractual wording

Verify that the contractors attend development planning meetings

20. Host-Based Intrusion Protection (HIPS) systems are often deployed in monitoring or learning mode during their initial implementation. What is the objective of starting in this mode?

Automatically create exceptions for specific actions or files

Determine which files are unsafe to access and blacklist them

Automatically whitelist actions or files known to the system

21. Which of the following are required components for implementing software configuration management systems?

Audit control and signoff

User training and acceptance

Rollback and recovery processes

22. A new employee is given a laptop computer with full administrator access. This employee does not have a personal computer at home and has a child that uses the computer to send and receive e-mail, search the web, and use instant messaging. The organization’s IT department discovers that a peer-to-peer program has been installed on the computer using the employee's access. Which of the following methods is the MOST effective way of removing the Peer-to-Peer (P2P) program from the computer?

Re-image the computer

Run software uninstall

Find and remove all installation files

23. Which of the following is a process within a Systems Engineering Life Cycle (SELC) stage?

Requirements Analysis

Development and Deployment

Production Operations

24. During the investigation of a security incident, it is determined that an unauthorized individual accessed a system which hosts a database containing financial information. If it is discovered that large quantities of information have been copied by the unauthorized individual, what attribute of the data has been compromised?

Confidentiality

Integrity

Availability

25. An organization experiencing a negative financial impact is forced to reduce budgets and the number of IT operations staff performing basic logical access security administration functions. Security processes have been tightly integrated into normal IT operations and are not separate and distinct roles. Which of the following will be the PRIMARY security concern as staff is released from the organization?

Loss of data and separation of duties

Inadequate IT support

Undocumented security controls

26. Which of the following secure startup mechanisms are PRIMARILY designed to thwart attacks?

Side channel

Timing

Cold boot

27. Which of the following is required to determine classification and ownership?

System and data resources are properly identified

Access violations are logged and audited

Data file references are identified and linked

28. From a security perspective, which of the following is a best practice to configure a Domain Name Service (DNS) system?

Limit zone transfers to authorized devices

Configure secondary servers to use the primary server as a zone forwarder

Block all Transmission Control Protocol (TCP) connections

29. What is the MOST critical factor to achieve the goals of a security program?

Executive management support

Capabilities of security resources

Effectiveness of security management

30. Desktop computers in an organization were sanitized for re-use in an equivalent security environment. Organizational policy requires the deletion of user data from Personal Digital Assistant (PDA) devices before disposal. It may not be possible to delete the user data if the device is malfunctioning. Which destruction method below provides the BEST assurance that the data has been removed?

Shredding

Knurling

Grinding

31. The amount of data that will be collected during an audit is PRIMARILY determined by the

audit scope

auditor's experience level

availability of the data

32. During an investigation of database theft from an organization's website, it was determined that the SQL injection technique was used despite input validation with client-side scripting. Which of the following provides the GREATEST protection against the same attack occurring again?

Implement server-side filtering

Encrypt communications between the servers

Encrypt the web server traffic

33. Without proper signal protection, embedded systems may be prone to which type of attack?

Information disclosure

Brute force

Tampering

34. An organization publishes and periodically updates its employee policies in a file on their intranet. Which of the following is a PRIMARY security concern?

Integrity

Availability

Confidentiality

35. In a Multilevel Security (MLS) system with increasing sensitivity labels (restricted, confidential, secret, top secret), and following the Bell-LaPadula model, which user has the MOST restrictions when writing data?

User A

User B

User C

36. What security risk does the role-based access approach mitigate MOST effectively?

Excessive access rights to systems and data

Segregation of duties conflicts within business applications

Lack of system administrator activity monitoring

37. What type of test assesses a Disaster Recovery (DR) plan using realistic disaster scenarios while maintaining minimal impact to business operations?

Parallel

Walkthrough

Simulation

38. Which type of test assesses a Disaster Recovery (DR) plan using realistic disaster scenarios while maintaining minimal impact to business operations?

Simulation

Tabletop

Checklist

39. The implementation of which feature in an identity management system reduces costs and administration overhead while improving audit and accountability?

User self-service

Two-factor authentication

Single Sign-On (SSO)

40. Which of the following explains why record destruction requirements are included in a data retention policy?

To comply with legal and business requirements

To save cost for storage and backup

To meet destruction guidelines

41. When writing security assessment procedures, what is the MAIN purpose of the test outputs and reports?

To find areas of compromise in confidentiality and integrity

To force the software to fail and document the process

To allow for objective pass or fail decisions

42. The restoration priorities of a Disaster Recovery Plan (DRP) are based on which of the following documents?

Business Impact Analysis (BIA)

Service Level Agreement (SLA)

Business Continuity Plan (BCP)

43. Network-based logging has which advantage over host-based logging when reviewing malicious activity on a victim machine?

Properly handled network-based logs may be more reliable and valid

Addresses and protocols of network-based logs are analyzed

Host-based system logging has files stored in multiple locations

44. Which of the following could elicit a Denial of Service (DoS) attack against a credential management system?

Modification of Certificate Revocation List

Delayed revocation or destruction of credentials

Unauthorized renewal or re-issuance

45. From a cryptographic perspective, the service of non-repudiation includes which of the following features?

Proof of integrity of the message

Validity of digital certificates

Validity of the authorization rules

46. The application of which of the following standards would BEST reduce the potential for data breaches?

ISO 27001

ISO 9000

ISO 20121

47. What is the MOST effective method of testing custom application code?

White box testing

Negative testing

Penetration testing

48. The PRIMARY purpose of accreditation is to

allow senior management to make an informed decision regarding whether to accept the risk of operating the system

comply with applicable laws and regulations

protect an organization’s sensitive data

49. Sensitive customer data is going to be added to a database. What is the MOST effective implementation for ensuring data privacy?

Data link encryption

Discretionary Access Control (DAC) procedures

Mandatory Access Control (MAC) procedures

50. Reciprocal backup site agreements are considered to be

easy to implement for similar types of organizations

a better alternative than the use of warm sites

difficult to test for complex systems

51. A vulnerability in which of the following components would be MOST difficult to detect?

Hardware

Kernel

Shared libraries

52. What does an organization FIRST review to assure compliance with privacy requirements?

Legal and regulatory mandates

Best practices

Business objectives

53. Which of the following is the BEST example of weak management commitment to the protection of security assets and resources?

Poor governance over security processes and procedures

Immature security controls and procedures

Variances against regulatory requirements

54. Which of the following is the PRIMARY security concern associated with the implementation of smart cards?

Vendor application compatibility

The cards have limited memory

Complexity of card reader installation

55. How should an organization determine the priority of its remediation efforts after a vulnerability assessment has been conducted?

Use a risk-based approach

Use an impact-based approach

Use a criticality-based approach

56. The MAIN reason an organization conducts a security authorization process is to

force the organization to make conscious risk decisions

assure the effectiveness of security controls

assure the correct security organization exists

57. Which of the following is the MOST effective method of mitigating data theft from an active user workstation?

Disable use of portable devices

Implement full-disk encryption

Enable multifactor authentication

58. Which of the following information MUST be provided for user account provisioning?

Unique identifier

Full name

Security question

59. To protect auditable information, which of the following MUST be configured to only allow read access?

Transaction log files

Logging configurations

User account configurations

60. Which of the following countermeasures is the MOST effective in defending against a social engineering attack?

Changing individual behavior

Mandating security policy acceptance

Evaluating security awareness training

61. Data remanence refers to which of the following?

The residual information left on magnetic storage media after a deletion or erasure

The remaining photons left in a fiber optic cable after a secure transmission

The retention period required by law or regulation

62. Which one of the following activities would present a significant security risk to organizations when employing a Virtual Private Network (VPN) solution?

Simultaneous connection to other networks

VPN bandwidth

Users with Internet Protocol (IP) addressing conflicts

63. Which of the following is the BEST approach to take in order to effectively incorporate the concepts of business continuity into the organization?

Develop training and awareness programs that involve all stakeholders

Ensure end users are aware of the planning activities

Validate all regulatory requirements are known and fully documented

64. An organization lacks a data retention policy. Of the following, who is the BEST person to consult for such a requirement?

Privacy Officer

Application Manager

Database Administrator

65. Who is ultimately responsible to ensure that information assets are categorized and adequate measures are taken to protect them?

Data/Information/Business Owners

Data Custodian

Executive Management

66. What type of wireless network attack BEST describes an Electromagnetic Pulse (EMP) attack?

Denial of Service (DoS) attack

Radio Frequency (RF) attack

Data modification attack

67. Which one of the following operates at the session, transport, or network layer of the Open Systems Interconnection (OSI) model?

Cyclic redundancy check (CRC)

Data at rest encryption

Configuration Management

68. An organization’s information security strategic plan MUST be reviewed

whenever there are major changes to the business

quarterly, when the organization’s strategic plan is updated

whenever there are significant changes to a major application

69. The BEST method to mitigate the risk of a dictionary attack on a system is to

use complex passphrases

use a hardware token

implement password history

70. Which of the following approaches is the MOST effective way to dispose of data on multiple hard drives?

Perform multiple passes on each drive using approved formatting methods

Delete every file on each drive

Destroy the partition table for each drive using the command line

71. Application of which of the following Institute of Electrical and Electronics Engineers (IEEE) standards will prevent an unauthorized wireless device from being attached to a network?

IEEE 802.1X

IEEE 802.1F

IEEE 802.1H

72. Which of the following describes the BEST configuration management practice?

A baseline configuration is created and maintained for all relevant systems

After installing a new system, the configuration files are copied to a separate backup system and hashed to detect tampering

After installing a new system, the configuration files are copied to an air-gapped system and hashed to detect tampering

73. Which of the following primarily contributes to security incidents in web-based applications?

Improper stress testing and application interfaces

Systems administration and operating systems

System incompatibility and patch management

74. While inventorying storage equipment, it is found that there are unlabeled, disconnected, and powered-off devices. What is the correct procedure for handling such equipment?

They should be inspected and sanitized following the organizational policy

They should be recycled to save energy

They should be recycled according to NIST SP 800-88

75. Which of the following is the best method to assess the effectiveness of an organization's vulnerability management program?

Periodic third-party vulnerability assessment

Review automated patch deployment reports

Automated vulnerability scanning

76. Which of the following questions can be answered using user and group entitlement reporting?

Where does a particular user have access within the network

When a particular file was last accessed by a user

Change control activities for a particular group of users

77. The goal of a Business Continuity Plan (BCP) training and awareness program is to

enhance the skills required to create, maintain, and execute the plan

provide for a high level of recovery in case of disaster

describe the recovery organization to new employees

78. How can lessons learned from business continuity training and actual recovery incidents BEST be used?

As a means for improvement

As alternative options for awareness and training

As indicators of a need for policy

79. The World Trade Organization's (WTO) agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS) requires authors of computer software to be given the

right to refuse or permit commercial rentals

right to disguise the software's geographic origin

ability to tailor security parameters based on location

80. An organization regularly conducts its own penetration tests. Which of the following scenarios MUST be covered for the test to be effective?

Third-party vendor with access to the system

System administrator access compromised

Internal attacker with access to the system

81. Which of the following restricts the ability of an individual to carry out all the steps of a particular process?

Separation of duties

Job rotation

Least privilege

82. When planning a penetration test, the tester will be MOST interested in which information?

Exploits that can attack weaknesses

Places to install back doors

The main network access points

83. Which of the following BEST describes a rogue Access Point (AP)?

An AP connected to the wired infrastructure but not under the management of authorized network administrators

An AP that is not protected by a firewall

An AP not configured to use Wired Equivalent Privacy (WEP) with Triple Data Encryption Algorithm (3DES)

84. Which of the following is the MOST important output from a mobile application threat modeling exercise according to Open Web Application Security Project (OWASP)?

A data flow diagram for the application and attack surface analysis

Application interface entry and endpoints

The likelihood and impact of a vulnerability

85. Which Radio Frequency Interference (RFI) phenomenon associated with bundled cable runs can create information leakage?

Cross-talk

Transference

Covert channel

86. Knowing the language in which an encrypted message was originally produced might help a cryptanalyst to perform

frequency analysis

clear-text attack

known cipher attack

87. A mobile device application that restricts the storage of user information to just that which is needed to accomplish lawful business goals adheres to what privacy principle?

Collection Limitation

Onward transfer

Collector Accountability

88. Which of the following secures web transactions at the Transport Layer?

Secure Sockets Layer (SSL)

Secure HyperText Transfer Protocol (S-HTTP)

Socket Security (SOCKS)

89. What balance MUST be considered when web application developers determine how informative application error messages should be constructed?

Risk versus benefit

Availability versus auditability

Confidentiality versus integrity

90. During the Security Assessment and Authorization process, what is the PRIMARY purpose for conducting a hardware and software inventory?

Define the boundaries of the information system

Calculate the value of assets being accredited

Create a list to include in the Security Assessment and Authorization package

91. What is a characteristic of Secure Socket Layer (SSL) and Transport Layer Security (TLS)?

SSL and TLS provide a generic channel security mechanism on top of Transmission Control Protocol (TCP)

SSL and TLS provide nonrepudiation by default

SSL and TLS do not provide security for most routed protocols

92. After acquiring the latest security updates, what must be done before deploying to production systems?

Install the patches on a test system

Use tools to detect missing system patches

Subscribe to notifications for vulnerabilities

93. Which of the following roles has the obligation to ensure that a third-party provider is capable of processing and handling data in a secure manner and meeting the standards set by the organization?

Data Owner

Data Custodian

Data Creator

94. If compromised, which of the following would lead to the exploitation of multiple virtual machines?

Virtual machine monitor

Virtual device drivers

Virtual machine instance

95. Data leakage of sensitive information is MOST often concealed by which of the following?

Secure Sockets Layer (SSL)

Secure Hash Algorithm (SHA)

Wired Equivalent Privacy (WEP)

96. When using Generic Routing Encapsulation (GRE) tunneling over Internet Protocol version 4 (IPv4), where is the GRE header inserted?

Between the delivery header and payload

Into the options field

Between the source and destination addresses

97. Which of the following statements is TRUE regarding value boundary analysis as a functional software testing technique?

Test inputs are obtained from the derived threshold of the given functional specifications

It is useful for testing communications protocols and graphical user interfaces

It is characterized by the stateless behavior of a process implemented in a function

98. A Simple Power Analysis (SPA) attack against a device directly observes which of the following?

Consumption

Static discharge

Generation

99. What operations role is responsible for protecting the enterprise from corrupt or contaminated media?

Information librarian

Information security practitioner

Computer operator

100. In general, servers that are facing the Internet should be placed in a demilitarized zone (DMZ). What is the MAIN purpose of the DMZ?

Reduced risk to internal systems

Prepare the server for potential attacks

Mitigate the risk associated with the exposed server

101. Retaining system logs for six months or longer can be valuable for what activities?

Forensics and incident response

Disaster recovery and business continuity

Identity and authorization management

102. The 802.1x standard provides a framework for what?

Network authentication for wired and wireless networks

Network authentication for only wireless networks

Wireless encryption using the Advanced Encryption Standard (AES)

103. When building a data classification scheme, which of the following is the PRIMARY concern?

Purpose

Cost effectiveness

Availability

104. Which of the following analyses is performed to protect information assets?

Cost benefit analysis

Business impact analysis

Feasibility analysis

105. What is the process called when impact values are assigned to the security objectives for information types?

System security categorization

Qualitative analysis

Quantitative analysis

106. Backup information that is critical to the organization is identified through a

Business Impact Analysis (BIA)

Vulnerability Assessment (VA)

Business Continuity Plan (BCP)

107. An organization has developed a major application that has undergone accreditation testing. After receiving the results of the evaluation, what is the final step before the application can be accredited?

Acceptance of risk by the authorizing official

Remediation of vulnerabilities

Adoption of standardized policies and procedures

108. During which of the following processes is least privilege implemented for a user account?

Provision

Approve

Request

109. At which layer of the Open Systems Interconnect (OSI) model are the source and destination addresses for a datagram handled?

Network Layer

Transport Layer

Data-Link Layer

110. By carefully aligning the pins in the lock, which of the following defines the opening of a mechanical lock without the proper key?

Lock picking

Lock pinging

Lock bumping

Security and Risk Management

Identity and Access Management (IAM)

Asset Security

Security Architecture and Engineering

Security Operations

Security Assessment and Testing

Submit a Comment Cancel reply

Latest Posts

stay connected

Quick links

Guaranteed by