Exam 9

Exam 9 Questions.

Enter email to receive results:

Security and Risk Management

Communication and Network Security

Security Assessment and Testing

Identity and Access Management (IAM)

Asset Security

134

General Security Principles

134

Security Operations

Software Development Security

Security Architecture and Engineering

Page 1 of 9

Security and Risk Management

1. When developing an organization's information security budget, which of the following is the MOST important consideration?{

The requested funds are shared with other areas

The expected risk to the organization does not exceed the funds allocated

The requested funds match the expected cost of breaches

The expected risk can be managed appropriately with the funds allocated

2. An organization operates a legacy Industrial Control System (ICS) that must be managed remotely via outdated software. How can this risk be BEST managed?{

Isolate the ICS by moving it onto its own network segment

Convince management to decommission the ICS and migrate to modern technology

Deploy a restrictive proxy between all clients and the vulnerable management station

Air-gap and harden the host used for management purposes

3. What is the PRIMARY purpose of creating and reporting metrics for a security awareness, training, and education program?{

Facilitate supervision of periodic training events

Measure the effect of the program on the organization's workforce

Make all stakeholders aware of the program's progress

Comply with legal regulations and document due diligence

4. Which of the following BEST describes why software assurance is critical in helping prevent an increase in business and mission risk for an organization?{

Request for proposals (RFP) avoid purchasing software that does not meet business needs

Software that does not perform as intended may be exploitable which makes it vulnerable to attack

Decommissioning of old software reduces long-term costs related to technical debt

Contracting processes eliminate liability for security vulnerabilities for the purchaser

5. What is a risk of using commercial off-the-shelf (COTS) products?{

COTS products are typically more expensive than developing software in-house

Vendors are often hesitant to share their source code

COTS products may not map directly to an organization’s security requirements

Cost to implement COTS products is difficult to predict

6. Which of the following poses the GREATEST privacy risk to personally identifiable information (PII) when disposing of an office printer or copier?{

The device transfer roller could contain imprints of PII

A hard disk drive (HDD) in the device could contain PII

Organizational network configuration information could still be present within the device

The device could contain a document with PII on the platen glass

7. Which of the following poses the GREATEST privacy risk to personally identifiable information (PII) when disposing of an office printer or copier?{

Organizational network configuration information could still be present within the device

The device could contain a document with PII on the platen glass

The device transfer roller could contain imprints of PII

A hard disk drive (HDD) in the device could contain PII

8. What should be used to determine the risks associated with using Software as a Service (SaaS) for collaboration and email?{

Process for Attack Simulation and Threat Analysis (PASTA)

Cloud access security broker (CASB)

Common Security Framework (CSF)

Open Web Application Security Project (OWASP)

9. The European Union (EU) General Data Protection Regulation (GDPR) requires organizations to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. The Data Owner should therefore consider which of the following requirements?{

Data masking and encryption of personal data

Only to use encryption protocols approved by the EU

Never to store personal data of EU citizens outside the EU

Anonymization of personal data when transmitted to sources outside the EU

10. An organization is preparing to achieve General Data Protection Regulation (GDPR) compliance. The Chief Information Security Officer (CISO) is reviewing data protection methods. Which of the following is the BEST data protection method?{

Encryption

Data obfuscation

Backups

Strong authentication

11. The threat modeling identifies a man-in-the-middle (MITM) exposure. Which countermeasure should the information system security officer (ISSO) select to mitigate the risk of a protected health information (PHI) data leak?{

Privacy monitoring

Anonymization

Auditing

Data retention

12. Which of the following findings would MOST likely indicate a high risk in a vulnerability assessment report?{

End of life system detected

Unlicensed software installed

Non-standard system naming convention used

Transmission Control Protocol (TCP) port 443 open

13. During which phase of a criminal legal proceeding does the lack of a formal data destruction policy have the MOST impact?{

Trial

Discovery

Arraignment

Sentencing

14. A large manufacturing organization arranges to buy an industrial machine system to produce a new line of products. The system includes software provided to the vendor by a third-party organization. The financial risk to the manufacturing organization starting production is high. What step should the manufacturing organization take to minimize its financial risk in the new venture prior to the purchase?{

Require that the software be thoroughly tested by an accredited independent software testing company

Hire a performance tester to execute offline tests on a system

Calculate the possible loss in revenue due to software bugs and vulnerabilities

Place the machine behind a Layer 3 firewall

15. A recent information security risk assessment identified weak system access controls on mobile devices as a high risk. To address this and ensure only authorized staff access company information, which of the following should the organization implement?{

Multi-factor authentication (MFA)

Data at rest encryption

Data loss protection (DLP)

Intrusion prevention system (IPS)

16. A recent information security risk assessment identified weak system access controls on mobile devices as a high risk. In order to address this risk and ensure only authorized staff access company information, which of the following should the organization implement?{

Data at rest encryption

Data loss protection (DLP)

Intrusion prevention system (IPS)

Multi-factor authentication (MFA)

17. To mitigate the risk of unauthorized access to a cloud-based Identity and Access Management (IAM) service provider, what is the BEST solution?{

Apply Transport Layer Security (TLS) to the cloud-based authentication checks

Require the cloud IAM provider to use declarative security

Integrate a Web-Application Firewall (WAF) in reverse-proxy mode

Install an on-premise Authentication Gateway Service (AGS)

18. What is the MOST effective way to protect privacy?{

Apply tokenization to all personal information records

Encrypt all collected personal information

Eliminate or reduce collection of personal information

Classify all personal information at the highest information classification level

Page 2 of 9

Communication and Network Security

19. The security team is notified that a device on the network is infected with malware. Which tool would be MOST effective in quickly locating and remediating the device?{

Intrusion detection

Information Technology Asset Management (ITAM)

Vulnerability scanner

Data loss protection (DLP)

20. Point-to-Point Protocol (PPP) was designed to specifically address what issue?{

A common design flaw in telephone modems

Compatibility issues with personal computers and web browsers

The security of dial-up connections to remote networks

Speed and reliability issues between dial-up users and ISPs

21. An organization recently suffered from a web-application attack that resulted in stolen user session cookie information. The attacker was able to obtain the information when a user’s browser executed a script upon visiting a compromised website. What type of attack MOST likely occurred?{

Cross-Site Scripting (XSS)

SQL injection (SQLI)

Cross-Site Request Forgery (CSRF)

Extensible Markup Language (XML) external entities

22. When deploying an Intrusion Detection System (IDS) on a high-volume network, the need to distribute the load across multiple sensors would create which technical problem?{

Proxy authentication failure

Sensor overload

Session continuity

Synchronized sensor updates

23. Which of the following will an organization's network vulnerability testing process BEST enhance?{

Code review procedures

Server hardening processes

Firewall log review processes

Asset management procedures

24. Additional padding may be added to the Encapsulating Security Protocol (ESP) trailer to provide which of the following?{

Data origin authentication

Access control

Partial traffic flow confidentiality

Protection against replay attack

25. Which of the following BEST ensures the integrity of transactions to intended recipients?{

Pre-shared key (PSK)

Blockchain technology

Web of trust

Public key infrastructure (PKI)

26. Which Open Systems Interconnection (OSI) layer(s) BEST corresponds to the network access layer in the Transmission Control Protocol/Internet Protocol (TCP/IP) model?{

Application, Presentation, and Session Layers

Transport Layer

Session and Network Layers

Data Link and Physical Layers

27. Which of the following will help identify the source IP address of malware being executed on a computer?{

List of open network connections

Display the ARP table

Display TCP/IP network configuration information

List of running processes

28. Which of the following protocols will allow the encrypted transfer of content on the Internet?{

Hypertext Transfer Protocol (HTTP)

Secure Copy (SCP)

Remote Copy (RCP)

Server Message Block (SMB)

29. Which inherent network challenge does a dispersed network without central control face, and what should be the PRIMARY course of action to mitigate exposure?{

Implement security policies and standards, access controls, and access limitations

Implement management policies, audit control, and data backups

Implement remote access policies, shared workstations, and log management

Implement security policies and standards, data backups, and audit controls

30. Which software-defined networking (SDN) architectural component is responsible for translating network requirements?{

SDN Northbound Interfaces

SDN Data Path

SDN Application

SDN Controller

31. Which of the following BEST represents a defense-in-depth concept?{

Web application firewall (WAF), Gateway network device tuning, Database firewall, Next-Generation Firewall (NGFW), Tier-2 demilitarized zone (DMZ) tuning

Host-based data loss prevention (DLP), Endpoint anti-malware solution, Host-based integrity checker, Laptop locks, hard disk drive (HDD) encryption

Endpoint security management, network intrusion detection system (NIDS), Network Access Control (NAC), Privileged Access Management (PAM), security information and event management (SIEM)

Network-based data loss prevention (DLP), Network Access Control (NAC), network-based Intrusion prevention system (NIPS), Port security on core switches

32. Which of the following BEST represents a defense-in-depth concept?{

Network-based data loss prevention (DLP), Network Access Control (NAC), network-based Intrusion prevention system (NIPS), Port security on core switches

Web application firewall (WAF), Gateway network device tuning, Database firewall, Next-Generation Firewall (NGFW), Tier-2 demilitarized zone (DMZ) tuning

Endpoint security management, network intrusion detection system (NIDS), Network Access Control (NAC), Privileged Access Management (PAM), security information and event management (SIEM)

Host-based data loss prevention (DLP), Endpoint anti-malware solution, Host-based integrity checker, Laptop locks, hard disk drive (HDD) encryption

33. Which solution is BEST for verifying endpoint security protections and operating system (OS) versions before granting network access?{

Network Access Control (NAC)

A firewall

An intrusion detection system (IDS)

An intrusion prevention system (IPS)

34. Which network device uses the destination IP address to forward packets?{

A bridge

A router

A Layer 2 switch

A repeater

35. Which Wide Area Network (WAN) technology requires the first router to determine the full path the packet will travel?{

Fiber Channel Over Ethernet (FCoE)

Session Initiation Protocol (SIP)

Synchronous Optical Networking (SONET)

Multiprotocol Label Switching (MPLS)

Page 3 of 9

Security Assessment and Testing

36. Which of the following is TRUE regarding equivalence class testing?{

An entire partition can be covered by considering only one representative value from that partition

It is useful for testing communications protocols and graphical user interfaces

Test inputs are obtained from derived boundaries of the functional specifications

It is characterized by the stateless behavior of a process implemented in a function

37. Functional security testing is MOST critical during which phase of the system development life cycle (SDLC)?{

Acquisition / Development

Operations / Maintenance

Initiation

Implementation

38. Which of the following is the BEST method a security practitioner can use to ensure that systems and sub-systems gracefully handle invalid input?{

Acceptance testing

Integration testing

Unit testing

Negative testing

39. An authentication system that uses challenge and response was recently implemented because penetration testing revealed lateral movement using authenticated credentials. Which attack method was MOST likely used?{

Hash collision

Pass the ticket

Cross-Site Scripting (XSS)

Brute force

40. What is the PRIMARY purpose of auditing, as it relates to the security review cycle?{

To ensure the organization meets contractual requirements

To ensure the organization's executive team won't be sued

To ensure the organization's controls and policies are working as intended

To ensure the organization can still be publicly traded

41. Which audit type is MOST appropriate for evaluating the effectiveness of a security program?{

Assessment

Threat

Analysis

Validation

42. When can a security program be considered effective?{

Risk is lowered to an acceptable level

Vulnerabilities are proactively identified

Audits are regularly performed and reviewed

Badges are regularly performed and validated

43. Which of the following needs to be taken into account when assessing vulnerability?{

Risk identification and validation

Risk acceptance criteria

Threat mapping

Safeguard selection

44. Which of the following is included in change management?{

Technical review by business owner

User Acceptance Testing (UAT) before implementation

Business continuity testing

Cost-benefit analysis (CBA) after implementation

Page 4 of 9

Identity and Access Management (IAM)

45. A company is attempting to enhance the security of its user authentication processes. After evaluating several options, the company decides to utilize Identity as a Service (IDaaS). Which factor likely led to this decision?{

Third-party solutions are inherently more secure

In-house team lacks resources to support an on-premise solution

In-house development provides more control

Third-party solutions are known for transferring risk to the vendor

46. A large human resources organization wants to integrate their identity management with a trusted partner organization. The human resources organization wants to maintain the creation and management of the identities and may want to share with other partners in the future. Which of the following options BEST serves their needs?{

Single sign-on (SSO)

Security Assertion Markup Language (SAML)

Federated identity

Cloud Active Directory (AD)

47. What is the MOST significant benefit of role-based access control (RBAC)?{

Management of least privilege

Reduces inappropriate access

Reduction in authorization administration overhead

Most granular form of access control

48. Which of the following is the FIRST step during digital identity provisioning?{

Authorizing the entity for resource access

Issuing an initial random password

Creating the entity record with the correct attributes

Synchronizing directories

49. A company needs to provide employee access to travel services, which are hosted by a third-party service provider. Employee experience is important, and when users are already authenticated, access to the travel portal is seamless. Which of the following methods is used to share information and grant user access to the travel portal?{

Open Authorization (OAuth) access

Single sign-on (SSO) access

Federated access

Security Assertion Markup Language (SAML) access

50. Which of the following is the FIRST step during digital identity provisioning?{

Creating the entity record with the correct attributes

Synchronizing directories

Authorizing the entity for resource access

Issuing an initial random password

51. Individuals have been identified and determined as having a need-to-know for the information. Which of the following access control methods MUST include a consistent set of rules for controlling and limiting access?{

Role-Based Access Control (RBAC)

Mandatory Access Control (MAC)

Discretionary Access Control (DAC)

Attribute Based Access Control (ABAC)

52. What type of access control determines the authorization to resources based on predefined job titles within an organization?{

}

Discretionary Access Control (DAC)

Non-discretionary access control

Role-Based Access Control (RBAC)

53. A technician wants to install a WAP (Wireless Access Point) in the center of a room that provides service in a radius surrounding the radio. Which of the following antenna types should the AP utilize?{

Yagi

Omni

Directional

Parabolic

54. Which access control method is based on users issuing access requests on system resources, features assigned to those resources, the operational or situational context, and a set of policies specified in terms of those features and context?{

Discretionary Access Control (DAC)

Role-Based Access Control (RBAC)

Attribute-Based Access Control (ABAC)

Mandatory Access Control (MAC)

55. Before allowing personnel to access social media from a corporate device, what is the FIRST step an organization should take?{

Deliver security awareness training

Document a procedure for accessing social media sites

Publish a social media guidelines document

Publish an acceptable usage policy

56. In Identity Management (IdM), when is the verification stage performed?{

During authorization of the identity

After revocation of the identity

As part of system sign-on

Before creation of the identity

57. Which of the following is the BEST way to mitigate circumvention of access controls?{

Multi-vendor approach to technology implementation

Multi-layer access controls working in isolation

Multi-layer firewall architecture with Internet Protocol (IP) filtering enabled

Multi-layer access controls with diversification of technologies

Page 5 of 9

Asset Security

58. Which of the following media is least problematic with data remanence?{

Flash memory

Magnetic disk

Electrically Erasable Programming read-only Memory (EEPROM)

Dynamic Random Access Memory (DRAM)

59. A company wants to store data related to users on an offsite server. What method can be deployed to protect the privacy of the user’s information while maintaining the field-level configuration of the database?{

Hashing

Encryption

Encoding

Tokenization

60. Which of the following steps is performed during the forensic data analysis phase?{

Recover deleted data

Collect known system files

Create file lists

Search for relevant strings

61. An organization is considering outsourcing applications and data to a Cloud Service Provider (CSP). Which of the following is the MOST important concern regarding privacy?{

The CSP determines data criticality

The CSP provides end-to-end encryption services

The CSP’s privacy policy may be developed by the organization

The CSP may not be subject to the organization’s country legislation

62. An employee's home address should be categorized according to which of the following references?{

Existing employee data classifications

The organization's data classification model

The consent form terms and conditions signed by employees

An organization security plan for human resources

63. Which of the following is the MOST effective countermeasure against data remanence?{

Clearing

Encryption

Purging

Destruction

64. Which of the following needs to be tested to achieve a Cat 6a certification for a company's data cabling?{

Patch panel

F-type connector

LC ports

RJ11

65. Which technique is MOST appropriate for destroying magnetic platter hard disk drives (HDDs) containing data with a "HIGH" security categorization?{

Mechanically shred the entire HDD

Remove the control electronics

Drill through the device and platters

Process the HDD through a degaussing device

66. A hospital enforces the Code of Fair Information Practices. What practice applies to a patient requesting their medical records from a web portal?{

Individual participation

Purpose specification

Collection limitation

Use limitation

67. A vehicle of a private courier company that transports backup data for offsite storage was robbed while in transit. The incident management team is now responsible to estimate the robbery's impact. Which of the following would help the team MOST effectively analyze the business impact?{

Log of backup administrative actions

Log of backed up data and their respective data custodians

Log of the transported media and its classification marking

Log of the transported media and its detailed contents

68. Which type of database attack would allow a customer service employee to determine quarterly sales results before they are publicly announced?{

}

Aggregation

Inference

Data mining

69. Which type of database attack would allow a customer service employee to determine quarterly sales results before they are publicly announced?{

Inference

}

Data mining

Aggregation

70. The Chief Information Officer (CIO) has decided to move towards a cloud architecture. Which role must the CIO primarily work with to ensure proper protection of data during and after the migration?{

Chief Information Security Officer (CISO)

Information owner

Chief Security Officer (CSO)

General Counsel

71. Which process is established to collect security information available through implemented controls?{

Information Security Continuous Monitoring (ISCM)

Organizational risk tolerance

Risk assessment report

Security Assessment Report (SAR)

72. What is the BEST approach to minimize the attack surface for a customer's private information?{

Obfuscation

Collection limitation

Authentication

Data masking

Page 6 of 9

General Security Principles

73. Which attack defines a piece of code that is inserted into software to trigger a malicious function?{

Phishing

Salami

Logic bomb

Back door

74. Which of the following is security control volatility?{

A reference to the impact of the security control

A reference to how unpredictable the security control is

A reference to the likelihood of change in the security control

A reference to the stability of the security control

75. Which of the following BEST describes the security role filled by the head of the IT department when they are responsible for technical implementation?{

System custodian

System security officer

System processor

System analyst

76. Which technique is effective to detect taps in fiber optic cables?{

Outlining electromagnetic field strength

Performing network vulnerability scanning

Taking baseline signal level of the cable

Measuring signal through external oscillator solution devices

77. What is the value called when a biometric system adjusts its threshold so that the false rejection rate (FRR) and false acceptance rate (FAR) are the same?{

False Rejection Rate (FRR)

Accuracy acceptance threshold

False Acceptance Rate (FAR)

Equal error rate

78. A company wants to implement two-factor authentication (2FA) to protect their computers from unauthorized users. Which solution provides the MOST secure means of authentication and meets the criteria they have set?{

Username and personal identification number (PIN)

Hardware token and password

Fingerprint and retinal scanners

Short Message Services (SMS) and smartphone authenticator

79. Which of the following attributes could be used to describe a protection mechanism of an open design methodology?{

It can facilitate blackbox penetration testing

It exposes the design to vulnerabilities and malicious attacks

It must be tamperproof to protect it from malicious attacks

It can facilitate independent confirmation of the design security

80. Which of the following is a formal document that expresses an implementation-independent set of security requirements in the common criteria?{

Protection Profile (PP)

Target of Evaluation (TOE)

Organizational Security Policy

Security Target (ST)

81. A company wants to implement two-factor authentication (2FA) to protect their computers from unauthorized users. Which solution provides the MOST secure means of authentication and meets the criteria they have set?{

Hardware token and password

Fingerprint and retinal scanners

Short Message Services (SMS) and smartphone authenticator

Username and personal identification number (PIN)

82. Which of the following attributes could be used to describe a protection mechanism of an open design methodology?{

It can facilitate independent confirmation of the design security

It can facilitate blackbox penetration testing

It must be tamperproof to protect it from malicious attacks

It exposes the design to vulnerabilities and malicious attacks

83. Which of the following System and Organization Controls (SOC) report types should an organization request if they require a period of time report covering security and availability for a particular system?{

SOC 1 Type 1

SOC 2 Type 2

SOC 1 Type 2

SOC 2 Type 1

84. Compared with hardware cryptography, software cryptography is generally:{

Less expensive and slower

Less expensive and faster

More expensive and faster

More expensive and slower

85. Which of the following statements is MOST accurate regarding information assets?{

Information assets include any information that is valuable to the organization

Building an information assets register is a resource-intensive job

ISO 27001 compliance specifies which information assets must be included in asset inventory

Information assets inventory is not required for risk assessment

86. Which is the second phase of public key infrastructure (PKI) key/certificate lifecycle management?{

Cancellation phase

Implementation phase

Initialization phase

Issued phase

87. A security professional was tasked with rebuilding a company's wireless infrastructure. Which of the following are the MOST important factors to consider while making a decision on which wireless spectrum to deploy?{

Existing client devices, manufacturer reputation, and electrical interference

Facility size, intermodulation, and direct satellite service

Performance, geographic location, and radio signal interference

Hybrid frequency band, service set identifier (SSID), and interpolation

88. Which of the following is required to verify the authenticity of a digitally signed document?{

Recipient's public key

Sender's private key

Agreed upon shared secret

Digital hash of the signed document

89. Which of the following is the MOST significant key management problem due to the number of keys created?{

Exponential growth when using asymmetric keys

Exponential growth when using symmetric keys

Storage of the keys requires increased security

Keys are more difficult to provision

90. A client-server infrastructure that provides user-to-server authentication describes which one of the following?{

Secure Sockets Layer (SSL)

User-based authorization

X.509

Kerberos

91. Which of the following techniques is MOST useful when dealing with Advanced Persistent Threat (APT) intrusions on live virtualized environments?{

Memory forensics

Antivirus operations

Reverse engineering

Logfile analysis

92. Which of the following protects personally identifiable information (PII) used by financial services organizations?{

Gramm-Leach-Bliley Act (GLBA)

Health Insurance Portability and Accountability Act (HIPAA)

Payment Card Industry Data Security Standard (PCI-DSS)

National Institute of Standards and Technology (NIST) SP 800-53

93. Which inherent password weakness does a One-Time Password (OTP) generator overcome?{

Static passwords are too predictable

Static passwords are difficult to generate

Static passwords are easily disclosed

Static passwords must be changed frequently

94. Who should an information security practitioner work with to ensure that information is properly categorized?{

System Administrator

Chief Information Officer (CIO)

Information Owner (IO)

Business Continuity (BC) Manager

95. Why is it important for initial security categorization to be done correctly?{

It determines the security requirements

It determines the functional and operational requirements

It affects other steps in the certification and accreditation process

The system engineering process works with selected security controls

96. What is the MAIN purpose of a security assessment plan?{

Provide education to employees on security and privacy

Provide technical information to executives for securing funding

Provide the objectives for the security and privacy control assessments and a detailed roadmap

Provide guidance on security requirements to ensure risks are addressed

97. The Chief Information Security Officer (CISO) has requested a Service Organization Control (SOC) report for the security and availability of a system over a 12-month period. Which type of SOC report should be used?{

SOC 3 Type 1

}

SOC 2 Type 2

SOC 1 Type 1

98. Within a large organization, what business unit is BEST positioned to initiate provisioning and deprovisioning of user accounts?{

Information technology (IT)

Human resources

Internal audit

Training department

99. Which layer handles packet fragmentation and reassembly in the Open Systems Interconnection (OSI) Reference model?{

Network

Data Link

Session

Transport

100. Which of the following is the MOST comprehensive Business Continuity (BC) test?{

Full interruption

Full simulation

Full table-top

Full functional drill

101. When performing an investigation with the potential for legal action, what should be the analyst's FIRST consideration?{

Data decryption

Court admissibility

Authorization to collect

Chain-of-custody

102. Copyright provides protection for which of the following?{

Ideas expressed in literary works

Discoveries of natural phenomena

New and non-obvious invention

A particular expression of an idea

103. Which of the following is included in the Global System for Mobile Communications (GSM) security framework?{

Digital signatures

Biometric authentication

Symmetric key cryptography

Public-Key Infrastructure (PKI)

104. When performing an investigation with the potential for legal action, what should be the analyst's FIRST consideration?{

Authorization to collect

Data decryption

Chain-of-custody

Court admissibility

105. Copyright provides protection for which of the following?{

Discoveries of natural phenomena

A particular expression of an idea

New and non-obvious inventions

Ideas expressed in literary works

106. Which of the following is included in the Global System for Mobile Communications (GSM) security framework?{

Biometric authentication

Digital signatures

Public-Key Infrastructure (PKI)

Symmetric key cryptography

107. What subsection of the change management process involves developing and verifying proposed changes before implementation?{

Select security controls

Categorize Information System (IS)

Build and test

Implement security controls

108. What additional security concern is presented by Commercial off-the-shelf (COTS) software?{

In-house developed software is inherently less secure

Exploits for COTS software are well documented and publicly available

Vendors take on the liability for COTS software vulnerabilities

}

109. Which part of an operating system (OS) is responsible for providing security interfaces among the hardware, OS, and other parts of the computing system?{

Time separation

Trusted Computing Base (TCB)

Reference monitor

Security kernel

110. A user downloads a file from the internet and applies the Secure Hash Algorithm 3 (SHA-3). What is the purpose of this action?{

It ensures the entire file downloaded

It encrypts the entire file

It verifies the integrity of the file

It checks the file for malware

111. Which of the following is applicable to a publicly held company concerned about financial reporting requirements?{

Privacy Act of 1974

International Organization for Standardization (ISO) 27001

Sarbanes-Oxley (SOX) Act of 2002

Clinger-Cohan Act of 1996

112. Which of the following is used to detect steganography?{

Audio analysis

Statistical analysis

Reverse engineering

Cryptanalysis

Page 7 of 9

Security Operations

113. Which of the following is a characteristic of a challenge/response authentication process?{

Requiring the use of non-consecutive numeric characters

Transmitting a hash based on the user's password

Using a password history blacklist

Presenting distorted graphics of text for authentication

114. Which of the following events prompts a review of the disaster recovery plan (DRP)?{

Completion of the security policy review

Change in senior management

Organizational merger

New members added to the steering committee

115. Which of the following activities should a forensic examiner perform FIRST when determining the priority of digital evidence collection at a crime scene?{

Establish a list of files to examine

Establish the order of volatility

Assign responsibilities to personnel on the scene

Gather physical evidence

116. Which of the following initiates the system recovery phase of a disaster recovery plan?{

Assessing the extent of damage following the disaster

Evacuating the disaster site

Issuing a formal disaster declaration

Activating the organization's hot site

117. What is the PRIMARY objective of the post-incident phase of the incident response process in the security operations center (SOC)?{

Finalize the IR

Communicate the IR details to the stakeholders

Validate the integrity of the IR

Improve the incident response (IR) process

Page 8 of 9

Software Development Security

118. Which type of test suite should be run for fast feedback during application development?{

Specific functionality

Full regression

Smoke

End-to-end

119. An organization is implementing security review as part of system development. Which of the following is the BEST technique to follow?{

Perform incremental assessments

Engage a third-party auditing firm

Conduct penetration testing

Review security architecture

120. Which of the following is the BEST method to validate secure coding techniques against injection and overflow attacks?{

Ensure code editing tools are updated against known vulnerability patterns

Using automated programs to test for the latest known vulnerability patterns

The regular use of production code routines from similar applications already in use

Scheduled team review of coding style and techniques for vulnerability patterns

121. Why should Open Web Application Security Project (OWASP) Application Security Verification Standards (ASVS) Level 1 be considered a MINIMUM level of protection for any web application?{

Securing applications at ASVS Level 1 provides adequate protection for sensitive data

Opportunistic attackers will look for any easily exploitable vulnerable applications

Most regulatory bodies consider ASVS Level 1 as a baseline set of controls for applications

ASVS Level 1 ensures that applications are invulnerable to OWASP top 10 threats

122. A security professional has been assigned to assess a web application. The assessment report recommends switching to Security Assertion Markup Language (SAML). What is the PRIMARY security benefit in switching to SAML?{

It limits unnecessary data entry on web forms

It enables single sign-on (SSO) for web applications

The users' password is not passed during authentication

It uses Transport Layer Security (TLS) to address confidentiality

123. Which of the (ISC)² Code of Ethics canons is MOST reflected when preserving the value of systems, applications, and entrusted information while avoiding conflicts of interest?{

Advance and protect the profession

Protect society, the commonwealth, and the infrastructure

Provide diligent and competent service to principles

Act honorably, honestly, justly, responsibly, and legally

124. Which of the (ISC)² Code of Ethics canons is MOST reflected when preserving the value of systems, applications, and entrusted information while avoiding conflicts of interest?{

Provide diligent and competent service to principles

Act honorably, honestly, justly, responsibly, and legally

Advance and protect the profession

Protect society, the commonwealth, and the infrastructure

Page 9 of 9

Security Architecture and Engineering

125. Which algorithm gets its security from the difficulty of calculating discrete logarithms in a finite field and is used to distribute keys but cannot be used to encrypt or decrypt messages?{

Diffie-Hellman

Kerberos

Digital Signature Algorithm (DSA)

Rivest-Shamir-Adleman (RSA)

Security and Risk Management

Communication and Network Security

Security Assessment and Testing

Identity and Access Management (IAM)

Asset Security

General Security Principles

Security Operations

Software Development Security

Security Architecture and Engineering

Submit a Comment Cancel reply

Latest Posts

stay connected

Quick links

Guaranteed by