Practice Exam 2

Item number: 1

Item type: Multiple Choice

Question: Your company performs a security audit. This audit uncovers that some of the encryption keys that secure the company business-to-business (B2B) financial transactions with its partners may be too weak. The security administrator needs to ensure that financial transactions will not be compromised if a weak encryption key is found. What should the security administrator do?

Options:

A. Implement PFS on all VPN tunnels.

B. Implement PFS on all SSH connections.

C. Enable entropy on all SSLv2 transactions.

D. Implement AES256-CBC for all encrypted data.

Answer: A

Explanation: The security administrator should implement PFS on all VPN tunnels. This will ensure that the B2B financial transactions will not be compromised if a weak encryption key is found. Perfect forward secrecy (PFS) ensures that a session key derived from a set of long-term keys cannot be compromised if one of the long-term keys is compromised in the future.

Chapter 1: Cryptographic Concepts and Techniques

Objective: 1.1 Given a scenario, select appropriate cryptographic concepts and techniques

Item number: 2

Item type: Multiple Choice

Question: Users report that they are having trouble with certificates. After researching the issue, you discover that workstations on Network B are unable to validate certificates, while workstations on Network A are having no issues. You need to ensure that each certificate is validated by a single server that returns the validity of that certificate. What should you use?

Options:

A. XACML

B. OCSP

C. DRM

D. S/MIME

Answer: B

Explanation: Online Certificate Status Protocol (OCSP) allows a certificate to be validated by a single server that returns the validity of that certificate.

Chapter 1: Cryptographic Concepts and Techniques

Objective: 1.1 Given a scenario, select appropriate cryptographic concepts and techniques

Item number: 3

Item type: Multiple Choice

Question: After a security incident, you revoke the SSL certificate for your company’s web server, www.pearson.com. Later, you discover that a few other servers are generating certificate errors: ftp.pearson.com, mail.pearson.com, and partners.pearson.com. Which of the following is MOST likely the reason for this?

Options:

A. Certificates should be revoked at the domain level.

B. The CRL has not been updated yet.

C. The servers used a wildcard certificate.

D. The web server is the CA for the PKI.

Answer: C

Explanation: The most likely reason for a few other servers generating certificate errors is that the servers used a wildcard certificate.

Chapter 1: Cryptographic Concepts and Techniques

Objective: 1.1 Given a scenario, select appropriate cryptographic concepts and techniques

Item number: 4

Item type: Multiple Choice

Question: An employee of your company files a complaint with a security administrator. While sniffing network traffic, the employee discovers that financially confidential emails were passing between two warehouse users. The two users deny having sent confidential emails to each other. You need to allow for non-repudiation and prevent network sniffers from reading the confidential mail. What should you do?

Options:

A. Implement transport encryption and authentication hashing.

B. Implement transport encryption and legal mail hold.

C. Implement legal mail hold and authentication hashing.

D. Implement transport encryption and digital signatures.

Answer: D

Explanation: To allow for non-repudiation and prevent network sniffers from reading the confidential mail, you should implement transport encryption and digital signatures. Transport encryption protects all information transmitted over the network. Digital signatures ensure that the source of the email can be verified.

Chapter 1: Cryptographic Concepts and Techniques

Objective: 1.1 Given a scenario, select appropriate cryptographic concepts and techniques

Item number: 5

Item type: Multiple Choice

Question: You need to install a patch for a human resources application. When you access the vendor’s website, it shows that the patch is located on four different servers. A hash value is given. What should you do to ensure that you obtain the appropriate, unchanged patch?

Options:

A. Download and install any version of the patch. The patch is valid and unchanged if it is located on the vendor’s servers.

B. Download all the versions of the patch, use MD5 to calculate the hash value of each version you downloaded, and compare the hash value obtained to the hash value given by the vendor. Install the patch that has a hash value that matches the hash value given by the vendor.

C. Download the first version of the patch, use MD5 to calculate the hash value of the version you downloaded, and compare the hash value obtained to the hash value given by the vendor. If the hash value is the same, install that patch. If the hash value is different, try the next version of the patch and follow the same procedure.

D. Contact the vendor to find out which patch is valid.

Answer: C

Explanation: You should download the first version of the patch, use MD5 to calculate the hash value of the version you downloaded, and compare the hash value obtained to the hash value given by the vendor. If the hash value is the same, install that patch. If the hash value is different, try the next version of the patch and follow the same procedure.

Chapter 1: Cryptographic Concepts and Techniques

Objective: 1.1 Given a scenario, select appropriate cryptographic concepts and techniques

Item number: 6

Item type: Multiple Choice

Question: Your company has invested an increasing amount in security due to the changing threat landscape. The company is trying to reduce costs, and the CFO has queried the security budget. At the same time, you as a security practitioner are actively requesting additional funding to support new initiatives. These initiatives will mitigate security incidents such as several that have occurred due to ineffective controls.

You assess the current controls framework and provide recommendations on whether preventive, detective, or corrective controls should be implemented. How should you explain which controls to implement?

Options:

A. While corrective controls are more costly to implement, they are needed only for real attacks on high-value assets. Put controls in place after a real attack has occurred.

B. Detective controls are less costly to implement than preventive controls and should be encouraged wherever possible; corrective controls are used during an event or a security incident; and preventive controls are hard to achieve in practice with current market offerings.

C. Use preventive controls as this will prevent security incidents from occurring in the first place. Detective and corrective controls are redundant compensating controls and are not required if preventive controls are implemented.

D. Use preventive controls before an event occurs; use detective controls during an event; and use corrective controls after an event has occurred. Use a combination of controls.

Answer: D

Explanation: You should explain that the company should use preventive controls before an event occurs, use detective controls during an event, and use corrective controls after an event has occurred. Therefore, you should use a combination of controls.

Chapter 7: Risk Mitigation Planning, Strategies, and Controls

Objective: 2.2 Given a scenario, execute risk mitigation planning, strategies and controls

Item number: 7

Item type: Multiple Choice

Question: The customer support department in a large organization purchased mobile devices for all 150 remote technicians to improve efficiency. In addition, a new help desk application will be developed to work with the mobile devices. The IT department manager attempted to stop the deployment because the equipment and application are nonstandard and unsupported within the organization. However, upper management decided to continue the deployment. Which of the following provides the BEST method for evaluating the potential threats?

Options:

A. Conduct a vulnerability assessment for the new devices and the application.

B. Deploy a small portion of the mobile devices to obtain a benchmark on how the devices will affect the organization.

C. Perform a risk assessment for the new devices and the application and classify the risk associated with the full life cycle of the hardware and software deployment.

D. Develop a standard image for the new devices and migrate to a web application to eliminate locally resident data.

Answer: C

Explanation: You should perform a risk assessment for the new devices and the application and classify the risk associated with the full life cycle of the hardware and software deployment. This option will identify and analyze potential threats for the mobile device deployment.

Chapter 7: Risk Mitigation Planning, Strategies, and Controls

Objective: 2.2 Given a scenario, execute risk mitigation planning, strategies and controls

Item number: 8

Item type: Multiple Choice

Question: A newly appointed risk management director for the IT department at your company, a major automobile parts manufacturer, needs to conduct a risk analysis for a new system that the developers plan to bring online in three weeks. The director begins by reviewing a thorough and well-written security assessment of the system. The report lists a manageable volume of infrequently exploited security vulnerabilities. The likelihood of a malicious attacker exploiting one of the vulnerabilities is low; however, the director still has some reservations about approving the system. What is a valid reason for his reservations?

Options:

A. Government regulations prevent the director from approving a system that has vulnerabilities.

B. The resulting impact of even one attack being realized might cripple the company financially.

C. The director is being rushed to approve a project before an adequate assessment has been performed.

D. The director should be uncomfortable accepting any security vulnerabilities and should find time to correct them before the system is deployed.

Answer: B

Explanation: A valid reason for the risk management director’s reservations is that even one attack being realized might have a big enough impact to cripple the company financially.

Chapter 7: Risk Mitigation Planning, Strategies, and Controls

Objective: 2.2 Given a scenario, execute risk mitigation planning, strategies and controls

Item number: 9

Item type: Multiple Choice

Question: A business is upgrading its network infrastructure to accommodate a personnel growth of over 50% within the next six months. All preliminary planning has been completed, and a risk assessment plan is being adopted to decide which security controls to put in place throughout each phase. As part of this project, upper management is negotiating an SLA with a third party. Which of the following risk responses is being used?

Options:

A. avoidance

B. mitigation

C. acceptance

D. transference

Answer: D

Explanation: When upper management is negotiating an SLA with a third party, the organization is using a risk response of transference: At least some of the risk of the project is being transferred to the third party.

Chapter 7: Risk Mitigation Planning, Strategies, and Controls

Objective: 2.2 Given a scenario, execute risk mitigation planning, strategies and controls

Item number: 10

Item type: Multiple Choice

Question: Several high-level employees have recently requested remote access to corporate email and shared drives. Your company has never offered remote access. However, the company wants to improve productivity. Rapidly responding to customer demands means staff now requires remote access. Which of the following controls will BEST protect the corporate network?

Options:

A. Plan and develop security policies based on the assumption that external environments have active hostile threats.

B. Implement a DLP program to log data accessed by users connecting via remote access.

C. Secure remote access systems to ensure that shared drives are read only and access is provided through an SSL portal.

D. Implement a VLAN to allow users to remotely access internal resources.

Answer: A

Explanation: The best control to protect the corporate network is to plan and develop security policies based on the assumption that external environments have active hostile threats.

Chapter 8: Security, Privacy Policies, and Procedures

Objective: 2.3 Compare and contrast security, privacy policies and procedures based on organizational requirements

Item number: 11

Item type: Multiple Choice

Question: A company’s research department needs to provide more real-time interaction with its partners and consumers. After holding several meetings, the department decides to develop a presence on multiple social networking sites for sharing information. Which of the following minimizes the potential exposure of proprietary information?

Options:

A. Require that a confidential statement be attached to all information released to the social networking sites.

B. Establish a specific set of trained people who can release information on the company’s behalf.

C. Require each person joining the company’s social networking initiative to sign an NDA.

D. Establish a social media usage policy and provide training to all research department employees.

Answer: B

Explanation: To minimize the potential exposure of proprietary information, the company should establish a specific set of trained people who can release information on the company’s behalf.

Chapter 8: Security, Privacy Policies, and Procedures

Objective: 2.3 Compare and contrast security, privacy policies and procedures based on organizational requirements

Item number: 12

Item type: Multiple Choice

Question: Your company has recently completed the connection of its network to a national high-speed private cloud network. Local businesses in the area are seeking to connect to the high-speed cloud network by directly connecting through your company’s network. Your company’s chief information officer (CIO) believes that this is an opportunity to increase revenues and visibility for the company. However, the chief security officer (CSO) has expressed concerns regarding the security issues such a proposition introduces. As the security analyst, you have been asked to document the technical security requirements of the connection.

Which document are you creating?

Options:

A. NDA

B. OLA

C. ISA

D. SLA

Answer: C

Explanation: You are creating an interconnection security agreement (ISA), which will document all the technical security requirements of the connection.

Chapter 8: Security, Privacy Policies, and Procedures

Objective: 2.3 Compare and contrast security, privacy policies and procedures based on organizational requirements

Item number: 13

Item type: Multiple Choice

Question: Your company hired a third-party auditor to complete the annual audit of the company’s financial system. The audit report indicates that the accounts payable department did not follow proper record disposal procedures during a business continuity plan (BCP) tabletop exercise involving manual processing of financial transactions.

Which of the following should be your recommendations? (Choose all that apply.)

Options:

A. Wait for the internal audit results.

B. Compare the manual processing to the automated processing of financial transactions.

C. Review company procedures.

D. Implement mandatory training.

E. Perform another BCP exercise.

Answer: C, D

Explanation: You should recommend that the company review its procedures and implement mandatory training.

Chapter 8: Security, Privacy Policies, and Procedures

Objective: 2.3 Compare and contrast security, privacy policies and procedures based on organizational requirements

Item number: 14

Item type: Multiple Choice

Question: Your company is working on setting up the procedures that will be used for e-discovery. Which of the following must be taken into consideration for when a legal case is first presented to a company?

Options:

A. data recovery and storage

B. data retention policies on only web servers

C. data loss prevention (DLP) for the company

D. data ownership on all files

Answer: A

Explanation: When setting up e-discovery procedures, data recovery and storage must be taken into consideration for when a legal case is first presented to a company.

Chapter 9: Incident Response and Recovery Procedures

Objective: 2.4 Given a scenario, conduct incident response and recovery procedures

Item number: 15

Item type: Multiple Choice

Question: Your company has an intrusion detection system (IDS) monitoring traffic between the Internet and the company’s internal network. The IDS logged an attack attempt from a remote IP address. Two months later, the attacker successfully compromised the network. Which of the following most likely occurred?

Options:

A. The IDS generated too many false negatives.

B. No one was reviewing the IDS event logs.

C. The IDS generated too many false positives.

D. The attack occurred during off-hours or a holiday.

Answer: B

Explanation: It is most likely that no one was reviewing the IDS event logs. If those logs were reviewed on a regular basis, someone would have noticed the attack attempt and would have taken measures to prevent the attack in the future.

Chapter 9: Incident Response and Recovery Procedures

Objective: 2.4 Given a scenario, conduct incident response and recovery procedures

Item number: 16

Item type: Multiple Choice

Question: You have been asked to revise the current security awareness and training program based on attacks that have recently occurred. One of the attacks occurred when a workstation’s pointer operated on its own to move and open files. You need to address this attack in the revised program and provide procedures that users must follow.

Which of the following should you instruct users to do if such an attack occurs?

Options:

A. Unplug the network cable.

B. Reboot the workstation.

C. Take a screen shot and email it to the IT department.

D. Contact the incident response team for direction.

Answer: D

Explanation: Users should contact the incident response team for direction when a workstation’s pointer is operating on its own and opening files. This occurs when remote users connect to your computer using Remote Desktop, Telnet, or a similar program. It is also advisable that Remote Desktop Protocol (RDP) be disabled on all workstations and enabled only when the user needs help from a remote member of the IT department. The incident response team should be contacted to attempt to investigate the attack so that the attacker can be identified.

Chapter 9: Incident Response and Recovery Procedures

Objective: 2.4 Given a scenario, conduct incident response and recovery procedures

Item number: 17

Item type: Multiple Choice

Question: A file server has been compromised. You need to ensure that nonvolatile data is preserved as part of the investigation. Which of the following is the BEST way to do this?

Options:

A. Image the hard drive.

B. Copy the hard drive’s data to DVD.

C. Complete an incremental backup of the hard drive’s data.

D. Complete a differential backup of the hard drive’s data.

Answer: A

Explanation: You should image the hard drive to ensure that all nonvolatile data is preserved.

Chapter 9: Incident Response and Recovery Procedures

Objective: 2.4 Given a scenario, conduct incident response and recovery procedures

Item number: 18

Item type: Multiple Choice

Question: You have been trying to convince the information security officer (ISO) to purchase a new intrusion prevention system (IPS) capable of analyzing encrypted web transactions. What should you provide to the ISO to BEST support the request?

Options:

A. best practices and new technologies report

B. best practices and emerging threats report

C. emerging threats report and company attack trends

D. new technologies report and company attack trends

Answer: C

Explanation: You should provide an emerging threats report and company attack trends to prove to company management that the company needs the IPS.

Chapter 10: Industry Trends

Objective: 3.1 Apply research methods to determine industry trends and impact to the enterprise

Item number: 19

Item type: Multiple Choice

Question: Your company has recently adopted a new social media policy that allows members of the marketing department to post important company news, product updates, and special promotions on social websites. The initial pilot period is over, and the project is considered a success across the organization.

Now the human resources department wants to use social media websites to provide updates as well, including job listings, benefits changes, and so on. The CSO has asked you to document negative security impacts of allowing the human resources staff to post updates as well.

Which of the following are the major risks you should report to the CSO?

Options:

A. brute-force attacks, DDoS attacks, and SQL injection attacks

B. malware infection, phishing attacks, and social engineering attacks

C. DoS attacks, dictionary attacks, and buffer overflow attacks

D. wardriving attacks, spoofing attacks, and shoulder surfing

Answer: B

Explanation: The major risks of allowing human resources staff (or any other staff) to post updates include malware infection, phishing attacks, and social engineering attacks.

Chapter 10: Industry Trends

Objective: 3.1 Apply research methods to determine industry trends and impact to the enterprise

Item number: 20

Item type: Multiple Choice

Question: You have been hired as the security administrator of a private company. You have been asked to research and put together a proposal to purchase an IPS to replace an existing IDS. Management has selected a specific brand and model, but you need to gather cost information for that product. Which document provides a cost analysis report and includes information such as payment terms?

Options:

A. RFC

B. RFP

C. RFQ

D. NDA

Answer: C

Explanation: A request for quotation (RFQ) is a document that provides a cost analysis report and includes information such as payment terms.

Chapter 10: Industry Trends

Objective: 3.1 Apply research methods to determine industry trends and impact to the enterprise

Item number: 21

Item type: Multiple Choice

Question: Your company has solicited bids for a series of HIPS and NIPS products for a major installation in the company’s new Chicago office. After reviewing RFQs received from three vendors, your company has not gained any real data regarding the specifications of the proposed solutions. You have been asked to obtain that data before the procurement continues. What should you do at this point to get back on track in this procurement process?

Options:

A. Contact the three vendors and request that they submit RFIs to provide more detailed information about their product solutions.

B. Inform the three vendors that their quotes are null and void at this time and that they are disqualified based upon their RFQs.

C. Send the three vendors a full-blown RFP so that your company can move on to the next step.

D. Provide a personalized summary from what you know about these three vendors.

Answer: A

Explanation: You should contact the three vendors and request that they submit requests for information (RFIs) to provide more detailed information about their product solutions.

Chapter 10: Industry Trends

Objective: 3.1 Apply research methods to determine industry trends and impact to the enterprise

Item number: 22

Item type: Multiple Choice

Question: After three vendors submit their requested documentation, the purchasing department manager can better understand what each vendor does and what solutions the vendors can provide. But now she wants to see how these solutions match the requirements needed by the firm. Which of the following should be submitted to the three vendors?

Options:

A. an RFQ

B. a T&M agreement

C. an RFP

D. an SRTM

Answer: C

Explanation: A request for proposal (RFP) should be submitted to the three vendors, requesting that the vendor match the solutions they suggest to the firm’s requirements.

Chapter 10: Industry Trends

Objective: 3.1 Apply research methods to determine industry trends and impact to the enterprise

Item number: 23

Item type: Multiple Choice

Question: Your company’s software development team is currently engaged in the development of a new application. Management has adopted the following policy regarding any new systems or applications: “Administrators must be notified prior to a security incident occurring.”

Which of the following BEST restates the above statement to allow it to be implemented by a team of software developers?

Options:

A. The application will halt on error until an administrator resolves the error.

B. The application will throw an error when specified incidents pass a configurable threshold.

C. The application will cease processing data when certain configurable events occur.

D. The application will continue processing in the event of an error and email the administrator the error logs.

Answer: B

Explanation: To allow the statement to be implemented by a team of software developers, the application should throw an error when specified incidents pass a configurable threshold.

Chapter 11: Securing the Enterprise

Objective: 3.2 Analyze scenarios to secure the enterprise

Item number: 24

Item type: Multiple Choice

Question: A project manager needs to provide a cost/benefit analysis to support a software security initiative business case. The project manager has asked you to perform an ROI study. It has been estimated that by spending $300,000 on the software security initiative, a 30% savings in cost will be realized for each project. Based on an average of eight software projects at a current cost of $50,000 each, how many years will it take to see a positive ROI?

Options:

A. two to three years

B. three years

C. three to four years

D. four years

Answer: C

Explanation: Each project will realize a savings of 30%, meaning each project will save $15,000. With eight projects, that is $120,000 annually. It will take three to four years to see a positive ROI.

Chapter 11: Securing the Enterprise

Objective: 3.2 Analyze scenarios to secure the enterprise

Item number: 25

Item type: Multiple Choice

Question: You are a security administrator for your company. You need to develop a body of knowledge to enable heuristic- and behavior-based security event monitoring on a geographically distributed network. Instrumentation is chosen to allow for monitoring and measuring the network. What is the BEST methodology to use in establishing this baseline?

Options:

A. Schedule testing on operational systems when users are not present. Instrument the systems to log all network traffic. Monitor the network for at least eight hours. Analyze the results. Document the established baseline.

B. Model the network in a series of VMs. Instrument the systems to record comprehensive metrics. Run a large volume of simulated data through the model. Record and analyze the results. Document expected future behavior.

C. Instrument the operational network. Simulate extra traffic on the network. Analyze network flow information from all network devices. Document the baseline volume of traffic.

D. Completely duplicate the network on VMs. Replay eight hours of captured corporate network traffic through the duplicate network. Instrument the network. Analyze the results. Document the baseline.

Answer: B

Explanation: You should model the network in a series of VMs, instrument the systems to record comprehensive metrics, run a large volume of simulated data through the model, record and analyze results, and document expected future behavior.

Chapter 11: Securing the Enterprise

Objective: 3.2 Analyze scenarios to secure the enterprise

Item number: 26

Item type: Multiple Choice

Question: Your company hosts multiple virtualized client computers on a single host. Management is considering adding a new host to create a cluster. The new host hardware and operating system will be different from those of the first host, but the underlying virtualization technology will be compatible. Both hosts will be connected to a shared iSCSI storage solution. What is your company MOST likely trying to achieve?

Options:

A. increased customer data confidentiality

B. increased customer data availability

C. increased customer data integrity

D. increased security through provisioning

Answer: B

Explanation: Your company is most likely trying to achieve increased customer data availability. Clusters paired with iSCSI storage solutions improve availability.

Chapter 11: Securing the Enterprise

Objective: 3.2 Analyze scenarios to secure the enterprise

Item number: 27

Item type: Multiple Choice

Question: Yesterday, an employee was terminated and promptly escorted to his exit interview. Immediately following the exit interview, the employee left the building. It has been discovered that this employee had accepted a position with a competitor and had given to the competitor screen shots of his work at the company that included live customer data. The employee removed this information from the company through the use of a USB device. After this incident, it is determined that a process review must be conducted to ensure that this issue will not recur.

Which of the following business areas should primarily be involved in this discussion?

Options:

A. IT management and the network administrator

B. human resources and the network administrator

C. human resources and IT management

D. human resources, the network administrator, and IT management

Answer: C

Explanation: Human resources and IT management should be primarily involved in the process review to ensure that private or confidential data is not removed through the use of a USB device.

Chapter 13: Business Unit Collaboration

Objective: 4.1 Given a scenario, facilitate collaboration across diverse business units to achieve security goals

Item number: 28

Item type: Multiple Choice

Question: You have been asked to provide recommendations on the breakout of tasks for the development of a new product. Management thinks that by assigning areas of work appropriately, the overall security of the product will be increased because staff will focus on their areas of expertise.

You have been given a list of the groups and tasks. You must select the best assignments for each group.

These are the groups:

- Networks

- Development

- Project management

- Security

- Systems engineering

- Testing

These are the tasks:

- Decomposing requirements

- Secure coding standards

- Code stability

- Functional validation

- Stakeholder engagement

- Secure transport

Which task should you assign to the networks group?

Options:

A. functional validation

B. secure transport

C. code stability

D. decomposing requirements

Answer: B

Explanation: You should assign secure transport to the networks group.

Chapter 13: Business Unit Collaboration

Objective: 4.1 Given a scenario, facilitate collaboration across diverse business units to achieve security goals

Item number: 29

Item type: Multiple Choice

Question: You have been asked to provide recommendations on the breakout of tasks for the development of a new product. Management thinks that by assigning areas of work appropriately, the overall security of the product will be increased because staff will focus on their areas of expertise.

You have been given a list of the groups and tasks. You must select the best assignments for each group.

These are the groups:

- Networks

- Development

- Project management

- Security

- Systems engineering

- Testing

These are the tasks:

- Decomposing requirements

- Secure coding standards

- Code stability

- Functional validation

- Stakeholder engagement

- Secure transport

Which task should you assign to the security group?

Options:

A. secure coding standards

B. secure transport

C. code stability

D. stakeholder engagement

Answer: A

Explanation: You should assign the secure coding standards task to the security group, which defines the standards that development must follow. Of the other options, secure transport belongs to the networks group, code stability to development, and stakeholder engagement to project management.

Chapter 13: Business Unit Collaboration

Objective: 4.1 Given a scenario, facilitate collaboration across diverse business units to achieve security goals

Item number: 30

Item type: Multiple Choice

Question: You have recently been hired by your company as a security analyst. As part of your first job tasks, you meet with management regarding the lack of governance for solution designs. As a result of this lack of governance, there are inconsistencies and varying levels of quality for the artifacts that are produced. Which of the following will help BEST improve this situation?

Options:

A. Ensure that appropriate representation from each relevant discipline approves of the solution documents before official approval.

B. Introduce a peer review and presentation process that includes a review board with representation from relevant disciplines.

C. Ensure that management must provide official approval of all documents.

D. Ensure that personnel producing solution artifacts are reminded that quality is important.

Answer: B

Explanation: To improve this situation, you should introduce a peer review and presentation process that includes a review board with representation from relevant disciplines. This will ensure that the quality of the artifacts will be improved.

Chapter 13: Business Unit Collaboration

Objective: 4.1 Given a scenario, facilitate collaboration across diverse business units to achieve security goals

Item number: 31

Item type: Multiple Choice

Question: You are the security administrator for your company. Your company’s network contains more than 20,000 desktop computers and 1,000 servers that all run some version of Windows.

You have received numerous alerts from the internal IDS of a possible malware infection spreading through the network via the Windows file sharing services. This is an emergency situation that could lead to widespread data compromise. A security analyst believes that the best course of action is to block the file sharing service across the organization by placing ACLs on the internal routers.

Which of the following should you do before applying the ACLs?

Options:

A. Call an emergency change management meeting to ensure that the ACLs will not impact core business functions.

B. Apply changes to the ACLs immediately.

C. Meet with the entire security team to obtain approval on the solution.

D. Implement the solution immediately if it is considered a best practice.

Answer: A

Explanation: Before applying the ACLs, you should call an emergency change management meeting to ensure that the ACLs will not impact core business functions. Blocking Windows file sharing (SMB, TCP port 445) on the internal routers also cuts off legitimate file servers, print services, and other dependencies, so even an emergency change needs an abbreviated review and a rollback plan rather than an unapproved, immediate change.

Chapter 15: Security Across the Technology Life Cycle

Objective: 4.3 Implement security activities across the technology life cycle

Item number: 32

Item type: Multiple Choice

Question: Your company stores a lot of sensitive data on DVDs for archiving purposes. You discover that there is no stated policy on the disposal of these DVDs. You must ensure that DVDs that contain sensitive information are sanitized in the most cost-effective manner possible. Which policy should you recommend?

Options:

A. Incinerate the DVDs.

B. Write over the data on the DVDs.

C. Shred the DVDs.

D. Purge the data on the DVDs.

Answer: C

Explanation: You should recommend that the company adopt a policy of shredding the DVDs that contain sensitive information. Write-once optical media cannot be overwritten or purged, so options B and D are not practical, and incineration is more costly and harder to perform in-house. Shredding is the cost-effective form of physical destruction that still renders the data unrecoverable.

Chapter 15: Security Across the Technology Life Cycle

Objective: 4.3 Implement security activities across the technology life cycle

Item number: 33

Item type: Multiple Choice

Question: Your company has decided to use the SDLC to create and produce a new information system. You are training all users on how to protect company information while using the new system, along with being able to recognize social engineering attacks. Senior management must also formally approve of the system prior to it going live. In which of the following phases would these security controls take place?

Options:

A. operations and maintenance

B. initiation

C. acquisition and development

D. implementation

Answer: D

Explanation: These security controls take place during the implementation phase of the SDLC. The steps in the Systems Development Life Cycle (SDLC) are as follows:

1. Initiate

2. Acquire/develop

3. Implement

4. Operate/maintain

5. Dispose

Chapter 15: Security Across the Technology Life Cycle

Objective: 4.3 Implement security activities across the technology life cycle

Item number: 34

Item type: Multiple Choice

Question: A replacement application has had its business case approved. In preparation for a requirements workshop, an architect is working with you to ensure that appropriate security requirements have been captured. Which of the following documents BEST captures the security requirements?

Options:

A. solution overview document

B. use case document

C. security requirements traceability matrix

D. business requirements document

Answer: D

Explanation: The business requirements document best captures the security requirements at this stage, because the requirements workshop has not yet taken place and requirements are still being gathered. A security requirements traceability matrix is built later to map the captured requirements to design elements and test cases; use cases and the solution overview describe the solution rather than the requirements.

Chapter 15: Security Across the Technology Life Cycle

Objective: 4.3 Implement security activities across the technology life cycle

Item number: 35

Item type: Multiple Choice

Question: Your company has implemented a new authentication system for the server room. To be given access to the room, a user must provide his username and password. Once those factors are authenticated, the user must then provide his smart card. Which type of authentication is being used?

Options:

A. one-factor authentication

B. two-factor authentication

C. three-factor authentication

D. four-factor authentication

Answer: B

Explanation: Two-factor authentication is being used. The username only identifies the account; it is not an authentication factor. The password is a knowledge factor (something you know) and the smart card is a possession factor (something you have), so two distinct factor types are in use. Supplying two items of the same type, such as a password and a PIN, would still be single-factor authentication.

Chapter 16: Host, Storage, Network, and Application Integration Into a Secure Enterprise Architecture

Objective: 5.1 Given a scenario, integrate hosts, storage, networks and applications into a secure enterprise architecture

Item number: 36

Item type: Multiple Choice

Question: Your company announces that it will implement a new authentication method that will use an ownership factor. Which authentication factor could you use as the new authentication method?

Options:

A. password

B. date of birth

C. Social Security number

D. smart card

Answer: D

Explanation: Of the options listed, the smart card is an ownership (possession) factor: something the user has, such as a smart card, hardware token, or identification badge. A password, a date of birth, and a Social Security number are all knowledge factors.

Chapter 16: Host, Storage, Network, and Application Integration Into a Secure Enterprise Architecture

Objective: 5.1 Given a scenario, integrate hosts, storage, networks and applications into a secure enterprise architecture

Item number: 37

Item type: Multiple Choice

Question: Your company has recently adopted several new account policies that will be enforced for all user accounts. One of the policies is an account lockout policy. What is the purpose of this policy?

Options:

A. It configures the number of unique new passwords that must be associated with a user account before an old password can be reused.

B. It configures the maximum number of days a password can be used before the user must change it.

C. It ensures that an account can no longer be used after a certain number of unsuccessful login attempts.

D. It configures the fewest number of characters that can make up a password for a user account.

Answer: C

Explanation: An account lockout policy ensures that an account can no longer be used after a certain number of unsuccessful login attempts, which slows online password guessing. The other options describe password history, maximum password age, and minimum password length policies.
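
The lockout logic described above, written out as an added example (this is not code from the exam or its publisher). It assumes a threshold of failed attempts inside an observation window and a temporary lockout duration; the clock is injected through a constructed FakeClock so the behaviour can be exercised without waiting.

```python
import time
from collections import defaultdict, deque


class FakeClock:
    """Test aid: a clock the example can move forward without sleeping."""

    def __init__(self, start=1000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class AccountLockoutPolicy:
    """Lock an account after `threshold` failed logins within `window_seconds`.

    The lock expires after `lockout_seconds` (a temporary lockout). That is the
    usual practitioner choice: a permanent lockout turns the policy into a
    denial-of-service tool, since anyone can lock a victim's account by
    deliberately failing `threshold` times.
    """

    def __init__(self, threshold=5, window_seconds=900, lockout_seconds=900, clock=time.time):
        self.threshold = threshold
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.clock = clock
        self._failures = defaultdict(deque)  # user -> timestamps of recent failures
        self._locked_until = {}              # user -> time the lock expires

    def is_locked(self, user):
        until = self._locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:
            # Lock expired: forget it and the failures that caused it.
            del self._locked_until[user]
            self._failures[user].clear()
            return False
        return True

    def attempt(self, user, password_ok):
        """Record one login attempt; returns 'locked', 'ok' or 'failed'."""
        now = self.clock()
        if self.is_locked(user):
            return "locked"  # refused without evaluating the password
        if password_ok:
            self._failures[user].clear()  # success resets the counter
            return "ok"
        recent = self._failures[user]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()  # failures older than the window no longer count
        if len(recent) >= self.threshold:
            self._locked_until[user] = now + self.lockout
            return "locked"
        return "failed"


def demo():
    """Three bad passwords lock 'alice'; the right password is refused until the lock expires."""
    clock = FakeClock()
    policy = AccountLockoutPolicy(threshold=3, window_seconds=60, lockout_seconds=120, clock=clock)
    results = [policy.attempt("alice", False) for _ in range(3)]
    results.append(policy.attempt("alice", True))
    clock.advance(121)
    results.append(policy.attempt("alice", True))
    return results


if __name__ == "__main__":
    print(demo())  # ['failed', 'failed', 'locked', 'locked', 'ok']
```

Note that while the account is locked the correct password is refused as well; that is the point of the control, and also why the lockout should expire on its own.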

Chapter 16: Host, Storage, Network, and Application Integration Into a Secure Enterprise Architecture

Objective: 5.1 Given a scenario, integrate hosts, storage, networks and applications into a secure enterprise architecture

Item number: 38

Item type: Multiple Choice

Question: You have recently been hired as a security analyst. You have been given a copy of all organizational security policies. One of the policies stipulates that users will be issued login credentials that include a username and password. The password will be the same for each login. Which type of password is being used?

Options:

A. static password

B. one-time password

C. complex password

D. cognitive password

Answer: A

Explanation: A static password is the same for each login.

Chapter 16: Host, Storage, Network, and Application Integration Into a Secure Enterprise Architecture

Objective: 5.1 Given a scenario, integrate hosts, storage, networks and applications into a secure enterprise architecture

Item number: 39

Item type: Multiple Choice

Question: Your company has recently decided to implement a new biometric system to secure access to your company’s data center. Management has decided to implement a biometric system in which the colored portion of the eye, including all rifts, coronas, and furrows, is measured. Which biometric system does management want?

Options:

A. iris scan

B. retina scan

C. eigenfeatures facial scan

D. eigenfaces facial scan

Answer: A

Explanation: In an iris scan, the colored portion of the eye, including all rifts, coronas, and furrows, is scanned. A retina scan instead maps the blood-vessel pattern at the back of the eye.

Chapter 16: Host, Storage, Network, and Application Integration Into a Secure Enterprise Architecture

Objective: 5.1 Given a scenario, integrate hosts, storage, networks and applications into a secure enterprise architecture

Item number: 40

Item type: Multiple Choice

Question: You have been hired as a security analyst by your company. Currently, your company deploys two DNS servers: one that acts as an internal DNS server and one that acts as an external DNS server. Which is the BEST location to deploy the external DNS server?

Options:

A. in a VLAN

B. in a DMZ

C. in a VPN

D. on a SAN

Answer: B

Explanation: The best location to deploy the external DNS server is in a demilitarized zone (DMZ). External clients can then resolve the company’s public names without any connection reaching the internal network, and the internal DNS server, which holds the internal host records, is never exposed to the Internet (a split DNS design).

Chapter 16: Host, Storage, Network, and Application Integration Into a Secure Enterprise Architecture

Objective: 5.1 Given a scenario, integrate hosts, storage, networks and applications into a secure enterprise architecture

Item number: 1

Item type: Multiple Choice

Question: Which of the following measures satisfies the CIA requirement of availability in a SAN?

Options:

A. multipathing

B. additional CPU cores

C. using FCoE

D. dynamic memory allocation

Answer: A

Explanation: While the other options may improve performance, multipathing is the only one that provides fault tolerance and therefore increased availability.

Chapter 2: Enterprise Storage

Objective: 1.2 Explain the security implications associated with enterprise storage

Item number: 2

Item type: Multiple Choice

Question: The storage team is discussing the implementation of shared storage to support a business-critical, high-volume database application. Which of the following techniques can be used to make some of the storage solutions available to some hosts and unavailable to others?

Options:

A. multipathing

B. LUN masking

C. VLANs

D. port security

Answer: B

Explanation: LUN masking hides a logical unit number (LUN), or a group of LUNs, from every host except those explicitly granted access, so a LUN is visible only to the hosts that are supposed to use it.

Chapter 2: Enterprise Storage

Objective: 1.2 Explain the security implications associated with enterprise storage

Item number: 3

Item type: Multiple Choice

Question: As storage administrator, you are implementing the storage solution for a customer. His concern is that the data must be immediately usable if he has an availability issue and needs to restore the raw data to different hardware. Which of the following features, if implemented, could cause a problem with the usability of the raw data after a restoration to new hardware?

Options:

A. multipathing

B. data deduplication

C. LUN masking

D. zoning

Answer: B

Explanation: The algorithms used to perform deduplication will alter the way the data is stored on the old hardware. When this raw data is restored to new hardware, there is the chance that the data may not be in a usable format.

Chapter 2: Enterprise Storage

Objective: 1.2 Explain the security implications associated with enterprise storage

Item number: 4

Item type: Multiple Choice

Question: You have taken the following steps to connect a server to the SAN:

1. Install a dual-port HBA on the server.

2. Create a LUN on the SAN for the server.

3. Enable LUN masking and multipath.

Which of the following objectives have you NOT achieved?

Options:

A. increased availability

B. access control

C. increased performance

D. decreased space occupied on the SAN

Answer: D

Explanation: Decreasing the space occupied on the SAN would require data deduplication or a similar technique.

Chapter 2: Enterprise Storage

Objective: 1.2 Explain the security implications associated with enterprise storage

Item number: 1

Item type: Multiple Choice

Question: The company that you work for has implemented the following security controls:

- End-to-end encryption in the DMZ using SSL

- IPsec in transport mode in the internal network with AH enabled and ESP disabled

- NIPS in the internal network

- HIPS in the DMZ

Which of the following would improve the security of the implementation without seriously impacting performance?

Options:

A. Enable ESP in the internal network.

B. Switch to HIDS in the internal network.

C. Switch to NIDS in the DMZ.

D. Switch to TLS in the DMZ.

Answer: D

Explanation: TLS is the successor to SSL; SSL 2.0 and 3.0 have known protocol weaknesses and are deprecated, and switching to TLS costs little in performance. Enabling ESP in the internal network would add confidentiality (AH provides only integrity and authentication) but at the cost of encrypting all internal traffic.

Chapter 3: Network and Security Components, Concepts, and Architectures

Objective: 1.3 Given a scenario, analyze network and security components, concepts and architectures

Item number: 2

Item type: Multiple Choice

Question: You need to ensure that when you connect from your Mac laptop to a Linux server to access an application on the server that the connection is secured from sniffing. The IP address of the Mac is 192.168.5.5 /24, and the IP address of the server is 192.168.5.4 /24. You take the following actions:

1. Establish an SSH tunnel from the Mac to the Linux server.

2. Connect the VNC to 192.168.5.5.

The connection is not working. What should you change?

Options:

A. Use SSL instead.

B. Connect the VNC to 192.168.5.6.

C. Connect the VNC to 127.0.0.1.

D. Use IPsec instead.

Answer: C

Explanation: The VNC client should connect to the localhost address, 127.0.0.1, on the local port that the SSH tunnel is forwarding. With a local port forward (ssh -L local_port:localhost:5900 user@192.168.5.4), SSH listens on the Mac’s loopback interface; traffic sent to 127.0.0.1 on that port is carried through the encrypted tunnel to the VNC service on the server. Connecting to 192.168.5.5 bypasses the tunnel and sends the VNC session in the clear, which is exactly what you are trying to prevent.
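
To make the loopback point concrete, here is an added example (not part of the exam) that models a local port forward in Python: a constructed stand-in for the VNC service, a constructed stand-in for the listener that `ssh -L` opens on the client’s loopback interface, and a client that connects the way the viewer should. Every port is ephemeral and everything stays on 127.0.0.1, so it runs offline.

```python
import socket
import threading


def _read_line(sock):
    """Read up to and including the first newline (TCP may split short messages)."""
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = sock.recv(1024)
        if not chunk:
            break
        buf += chunk
    return buf


def start_fake_vnc_server():
    """Stands in for the VNC service on the Linux server. Returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(b"RFB 003.008\n")          # a real RFB server greets with its version
            conn.sendall(b"echo:" + _read_line(conn))
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def start_local_forward(target_host, target_port):
    """Stands in for `ssh -L <local_port>:localhost:<target_port> user@server`.

    Like ssh, it listens only on the client's loopback interface, so the viewer
    has to connect to 127.0.0.1:<local_port>; anything written there is relayed
    to the target. Returns the local port.
    """
    lst = socket.socket()
    lst.bind(("127.0.0.1", 0))
    lst.listen(1)

    def pump(src, dst):
        try:
            while chunk := src.recv(4096):
                dst.sendall(chunk)
        except OSError:
            pass
        finally:
            try:
                dst.shutdown(socket.SHUT_WR)  # pass the EOF along
            except OSError:
                pass

    def relay():
        client, _ = lst.accept()
        lst.close()
        upstream = socket.create_connection((target_host, target_port))
        threading.Thread(target=pump, args=(client, upstream), daemon=True).start()
        pump(upstream, client)

    threading.Thread(target=relay, daemon=True).start()
    return lst.getsockname()[1]


def vnc_client(host, port, line=b"hello\n", timeout=5.0):
    """Connects the way a VNC viewer would; returns (banner, reply)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = _read_line(s)
        s.sendall(line)
        reply = _read_line(s)
    return banner, reply


def demo():
    vnc_port = start_fake_vnc_server()
    local_port = start_local_forward("127.0.0.1", vnc_port)
    # The viewer talks to the near end of the tunnel on loopback, not to the
    # Mac's LAN address and not directly to the server.
    return vnc_client("127.0.0.1", local_port)


if __name__ == "__main__":
    banner, reply = demo()
    print(banner, reply)  # b'RFB 003.008\n' b'echo:hello\n'
```

The relay here is plaintext; in the real setup the encryption is what ssh adds between the two ends, which is why the viewer must enter the tunnel at 127.0.0.1 rather than reach the server on its own.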

Chapter 3: Network and Security Components, Concepts, and Architectures

Objective: 1.3 Given a scenario, analyze network and security components, concepts and architectures

Item number: 3

Item type: Multiple Choice

Question: Your network requires the highest degree of security. The security team implements the following:

- port security on all switches

- point-to-point VPN tunnels for user server connections

- cryptographic two-factor authentication

- physical locks

- a warm site

Which of the following actions would elevate the level of availability the MOST?

Options:

A. Switch to a standby hot site.

B. Switch to IPv6 networking.

C. Implement full disk compression.

D. Place the server in a cloud.

Answer: A

Explanation: While it is more expensive than a warm site, a standby hot site also provides more availability.

Chapter 3: Network and Security Components, Concepts, and Architectures

Objective: 1.3 Given a scenario, analyze network and security components, concepts and architectures

Item number: 4

Item type: Multiple Choice

Question: While attending a security conference, you notice that almost all attendees are using smartphones, with only a very small number using laptops. Which of the following is the biggest security issue at the conference?

Options:

A. physical theft of smartphones

B. open Ethernet jacks

C. physical theft of laptops

D. Bluejacking attacks

Answer: A

Explanation: With so many small, easily stolen devices, theft of smartphones is the biggest issue listed.

Chapter 3: Network and Security Components, Concepts, and Architectures

Objective: 1.3 Given a scenario, analyze network and security components, concepts and architectures

Item number: 5

Item type: Multiple Choice

Question: The company security policy led to the installation of a VPN concentrator and a RADIUS server. With only these devices installed, which of the following goals cannot be achieved?

Options:

A. All data must be encrypted.

B. All connections must be authenticated.

C. Only certain external networks can be the source of a connection.

D. All connections must be authorized.

Answer: C

Explanation: A firewall would be required to ensure that only certain external networks can be the source of a connection.

Chapter 3: Network and Security Components, Concepts, and Architectures

Objective: 1.3 Given a scenario, analyze network and security components, concepts and architectures

Item number: 1

Item type: Multiple Choice

Question: The CIO of the company wants to mitigate the effects of zero-day attacks by applying third-party patches. If the company decides to go that route, which of the following would be the most important addition to the network?

Options:

A. a secure version of DNS

B. creating a test network

C. stateful firewalls

D. HIDS

Answer: B

Explanation: All patches, especially ones that do not come directly from the vendor, should be tested before they are used in the production network. Therefore, you should create a separate test network.

Chapter 4: Security Controls for Hosts

Objective: 1.4 Given a scenario, select and troubleshoot security controls for hosts

Item number: 2

Item type: Multiple Choice

Question: The company you work for has decided to outsource its email system to a SaaS provider. Which of the following should be implemented to help prevent the disclosure of intellectual property in the new system?

Options:

A. DNSSEC

B. DLP

C. IPsec

D. NIDS

Answer: B

Explanation: A data loss prevention (DLP) system could be deployed to prevent disclosure of both PII and intellectual property.

Chapter 4: Security Controls for Hosts

Objective: 1.4 Given a scenario, select and troubleshoot security controls for hosts

Item number: 3

Item type: Multiple Choice

Question: You are reviewing the work of an associate. He has added the following rule to an ACL on the HIPS on a mission-critical server:

Deny TCP any any 445

What does this rule do?

Options:

A. prevents any data using TCP for a system named 445

B. prevents data arriving from anywhere destined for anywhere using port TCP 445

C. prevents data from a system named 445 going anywhere using TCP

D. prevents data from anywhere using TCP destined for a system named 445

Answer: B

Explanation: This rule prevents data arriving from anywhere destined for anywhere using TCP port 445. In this syntax the fields are action, protocol, source, destination, and destination port; "any" in both address positions means the rule applies regardless of source or destination. TCP 445 is the port Windows file sharing (SMB) uses, so on the mission-critical server the rule blocks all inbound SMB and, because the destination is also "any", the server’s own outbound SMB connections as well.
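
An added example (not from the exam) that parses rules in the form shown above and evaluates packets against them, with the implicit deny a real ACL ends with. The constructed ACL pairs the associate’s rule with a catch-all permit; the sample packets show that the rule also catches the server’s own outbound SMB and does nothing for UDP.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    proto: str            # "tcp", "udp" or "ip" (any protocol)
    src: str              # "any" or one address
    dst: str              # "any" or one address
    dport: Optional[int]  # None means any destination port


def parse_rule(line):
    """Parse '<action> <proto> <src> <dst> [dport]', e.g. 'Deny TCP any any 445'."""
    parts = line.split()
    if len(parts) not in (4, 5):
        raise ValueError(f"malformed rule: {line!r}")
    action, proto, src, dst = (p.lower() for p in parts[:4])
    if action not in ("permit", "deny") or proto not in ("tcp", "udp", "ip"):
        raise ValueError(f"malformed rule: {line!r}")
    dport = int(parts[4]) if len(parts) == 5 else None
    return Rule(action, proto, src, dst, dport)


def build_acl(lines):
    return [parse_rule(line) for line in lines]


def matches(rule, pkt):
    return (
        rule.proto in ("ip", pkt.proto.lower())
        and rule.src in ("any", pkt.src)
        and rule.dst in ("any", pkt.dst)
        and (rule.dport is None or rule.dport == pkt.dport)
    )


def evaluate(acl, pkt):
    """First matching rule wins; an ACL with no match denies (implicit deny)."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return "deny"


# Constructed ACL: the associate's rule followed by a catch-all permit.
ACL = build_acl(["Deny TCP any any 445", "Permit IP any any"])

if __name__ == "__main__":
    for pkt in (
        Packet("tcp", "10.0.0.7", "10.0.0.10", 445),   # inbound SMB to the server: deny
        Packet("tcp", "10.0.0.10", "10.0.0.20", 445),  # the server's own outbound SMB: also deny
        Packet("tcp", "10.0.0.7", "10.0.0.10", 443),   # HTTPS: permit
        Packet("udp", "10.0.0.7", "10.0.0.10", 445),   # UDP 445 is not covered by a TCP rule
    ):
        print(pkt, "->", evaluate(ACL, pkt))
```

Before approving the rule, check whether the server itself needs to reach port 445 on file servers or domain controllers; if it does, the destination field should be narrowed from "any" to the server’s own address.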

Chapter 4: Security Controls for Hosts

Objective: 1.4 Given a scenario, select and troubleshoot security controls for hosts

Item number: 4

Item type: Multiple Choice

Question: You work for a chain of small medical clinics. Your company has decided to move all systems to a cloud-hosting provider. The security team of the cloud provider has identified the following issues with the servers.

- Old unpatched version of a server operating system on several machines

- Logging disabled in several servers

- PII stored in the cloud in an encrypted format

- DNS server allowing open relay

Which of these issues should be addressed first?

Options:

A. Old unpatched versions of a server operating system on several machines

B. Logging disabled in several servers

C. PII stored in the cloud in an encrypted format

D. DNS server allowing open relay

Answer: A

Explanation: The first issue to address is updating and patching the server operating systems. They present the biggest current attack surface.

Chapter 4: Security Controls for Hosts

Objective: 1.4 Given a scenario, select and troubleshoot security controls for hosts

Item number: 5

Item type: Multiple Choice

Question: Recent changes have been made to your network to address certain issues. These changes include virtualizing all servers and implementing host firewalls on all servers. Which of the following issues has NOT been addressed?

Options:

A. Network access is only allowed to certain services.

B. All systems use similar hardware.

C. Unauthorized application configuration changes are prevented.

D. All VPN connections are encrypted.

Answer: D

Explanation: Virtualizing the servers and installing host firewalls will have no effect on VPN connections.

Chapter 4: Security Controls for Hosts

Objective: 1.4 Given a scenario, select and troubleshoot security controls for hosts

Item number: 1

Item type: Multiple Choice

Question: It has been discovered that when customers enter a certain set of characters in a web form, the server locks up. Which of the following identifies the issue and describes the correct mitigation?

Options:

A. memory leak/input validation

B. buffer overflow/secure coding standards

C. cross-site scripting/HIDS

D. SQL injection/disabling DNS relay

Answer: B

Explanation: This is a buffer overflow: input longer than the buffer allocated for it overwrites adjacent memory and crashes or hangs the server. It is mitigated with secure coding standards that require bounds checking and length validation on all input, enforced through code review.

Chapter 5: Application Vulnerabilities and Security Controls

Objective: 1.5 Differentiate application vulnerabilities and select appropriate security controls

Item number: 2

Item type: Multiple Choice

Question: Which of the following components would benefit from input validation?

Options:

A. web form

B. trunk links

C. router interfaces

D. switch ports

Answer: A

Explanation: Web forms accept untrusted user input and should undergo input validation to prevent buffer overflows and injection attacks. The other options are network devices and links that carry traffic rather than accept user-supplied data.

Chapter 5: Application Vulnerabilities and Security Controls

Objective: 1.5 Differentiate application vulnerabilities and select appropriate security controls

Item number: 3

Item type: Multiple Choice

Question: During the development of a new web application, a new member of the team relates how his old job used a piece of software called a fuzzer. What issue could a fuzzer help identify?

Options:

A. unknown vulnerabilities

B. performance issues

C. inefficient code

D. code inconsistencies

Answer: A

Explanation: Fuzzers are used to discover previously unknown vulnerabilities by feeding the application large volumes of random or malformed input and watching for crashes, hangs, and other unexpected behavior.
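
An added example (not from the exam) of what a fuzzer does in practice: a small mutation fuzzer run against a constructed, deliberately buggy parser for a length-prefixed record. The parser is supposed to reject bad input with ValueError; the fuzzer mutates a valid seed record until some other exception escapes, which is the unknown vulnerability. A fixed parser is included to show that the same fuzzing run finds nothing once the bounds check is in place.

```python
import random


def parse_record(data):
    """Toy length-prefixed record: [name_len][name][payload_len][payload].

    Malformed input is meant to raise ValueError. Anything else escaping is a
    bug, and that is what the fuzzer hunts for.
    """
    if len(data) < 2:
        raise ValueError("too short")
    name_len = data[0]
    name = data[1:1 + name_len]
    payload_len = data[1 + name_len]   # BUG: index is not checked against len(data)
    payload = data[2 + name_len:2 + name_len + payload_len]
    if len(name) != name_len or len(payload) != payload_len:
        raise ValueError("length mismatch")
    return name.decode("ascii", "replace"), bytes(payload)


def parse_record_fixed(data):
    """Same format with the bounds check the original lacks."""
    if len(data) < 2:
        raise ValueError("too short")
    name_len = data[0]
    if 1 + name_len >= len(data):
        raise ValueError("name length runs past end of record")
    name = data[1:1 + name_len]
    payload_len = data[1 + name_len]
    payload = data[2 + name_len:2 + name_len + payload_len]
    if len(payload) != payload_len:
        raise ValueError("length mismatch")
    return name.decode("ascii", "replace"), bytes(payload)


SEED_INPUT = b"\x05hello\x03abc"   # constructed valid record


def mutate(data, rng):
    """One random mutation of the kind a simple mutation fuzzer applies."""
    buf = bytearray(data)
    choice = rng.randrange(4)
    if choice == 0 and buf:                      # flip one bit
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif choice == 1 and buf:                    # boundary values, nasty for length fields
        buf[rng.randrange(len(buf))] = rng.choice([0, 1, 0x7F, 0x80, 0xFF])
    elif choice == 2 and buf:                    # drop a byte
        del buf[rng.randrange(len(buf))]
    else:                                        # insert a random byte
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    return bytes(buf)


def fuzz(target, seed_input, iterations=2000, seed=0):
    """Return (crashing_input, exception) for the first unexpected exception, else None."""
    rng = random.Random(seed)
    corpus = [seed_input]
    for _ in range(iterations):
        candidate = mutate(rng.choice(corpus), rng)
        try:
            target(candidate)
        except ValueError:
            continue                  # the parser rejected it cleanly, as designed
        except Exception as exc:      # anything else is the "crash" we want
            return candidate, exc
        corpus.append(candidate)      # inputs that still parse make good parents
    return None


if __name__ == "__main__":
    print(fuzz(parse_record, SEED_INPUT))        # a (crashing_input, IndexError) pair
    print(fuzz(parse_record_fixed, SEED_INPUT))  # None
```

In a native-code target the equivalent escape would be a memory read past the end of the buffer rather than a Python exception, which is why fuzzers are paired with sanitizers or crash monitoring in real testing.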

Chapter 5: Application Vulnerabilities and Security Controls

Objective: 1.5 Differentiate application vulnerabilities and select appropriate security controls

Item number: 4

Item type: Multiple Choice

Question: Which of the following is an example of privilege escalation?

Options:

A. A hacker accesses a printer from the Internet, then the print server, and then the domain controller.

B. A hacker sends many oversized ping packets.

C. A hacker convinces a user to reveal a password.

D. A hacker follows a user into the facility.

Answer: A

Explanation: Privilege escalation is gaining higher levels of access than were originally obtained. Here the attacker uses a low-value foothold (the printer) to reach the print server and then the domain controller, each step yielding more privilege. The other options describe a ping-of-death style denial of service, social engineering, and tailgating.

Chapter 5: Application Vulnerabilities and Security Controls

Objective: 1.5 Differentiate application vulnerabilities and select appropriate security controls

Item number: 5

Item type: Multiple Choice

Question: Which of the following is NOT a form of a DoS attack?

Options:

A. SYN flood

B. smurf

C. DNS reflection

D. tailgating

Answer: D

Explanation: Tailgating is a social engineering attack, not a DoS attack.

Chapter 5: Application Vulnerabilities and Security Controls

Objective: 1.5 Differentiate application vulnerabilities and select appropriate security controls

Item number: 1

Item type: Multiple Choice

Question: Your company has selected a new vendor to provide a CRM solution. The CIO wants to include a source code escrow clause in the contract. From what specific issue does this clause shield the company?

Options:

A. software flaws

B. the vendor going out of business

C. SLA disagreements

D. performance issues with the solution

Answer: B

Explanation: Source code escrow clauses protect the company from the vendor going out of business by holding the source code in escrow and providing it to the company in the event that the vendor does go out of business.

Chapter 6: Business Influences and Associated Security Risks

Objective: 2.1 Interpret business and industry influences and explain associated security risks

Item number: 2

Item type: Multiple Choice

Question: A banking firm is considering moving some large computing jobs to a cloud provider and is considering a number of issues that accompany doing so. Which of the following characteristics of cloud and virtual computing could potentially allow sensitive data to be scraped from the hardware platform?

Options:

A. elastic resource allocation

B. shared storage

C. LUN masking

D. asynchronous replication

Answer: A

Explanation: When elastic resource allocation is used, virtual resources are created and destroyed on the fly as needed. At any point in time, data that a tenant “deleted” but that was not overwritten could still reside on the underlying hardware, where the next tenant allocated that storage or memory might recover it.

Chapter 6: Business Influences and Associated Security Risks

Objective: 2.1 Interpret business and industry influences and explain associated security risks

Item number: 3

Item type: Multiple Choice

Question: An organization is considering several alternative actions to take. One of the initiatives has generated the following concerns:

- Fragmentation of the strategic architecture over time

- Increase in cost of managing vendor relationships

- Decrease in knowledge of the internal IT systems over time

- Increase in the time it takes to implement security initiatives

Which of the following initiatives would generate these concerns?

Options:

A. outsourcing desktop support to one vendor, network management to another, security to a third vendor, and day-to-day business processing to a fourth vendor

B. creating separate departments internally for desktop support, security, network management, and day-to-day business processing

C. the creation of autonomous IT teams for each location

D. the centralization of all IT support services in the main office

Answer: A

Explanation: Outsourcing all these various functions to different vendors causes the company to lose knowledge of its own systems over time and makes controlling all the vendors a costly endeavor. It also slows every initiative the company might want to implement.

Chapter 6: Business Influences and Associated Security Risks

Objective: 2.1 Interpret business and industry influences and explain associated security risks

Item number: 4

Item type: Multiple Choice

Question: In which of the following scenarios should your company consider developing an interconnection policy?

Options:

A. when connecting two company offices with a VPN

B. when integrating a purchased business’s network into the corporate network

C. when signing a contract with a new hardware provider

D. when configuring synchronous replication between your data center and your hot site

Answer: B

Explanation: An interconnection policy sets the security requirements a foreign network must meet before it is joined to the corporate network and is used to verify that the network being integrated is safe before the integration occurs.

Chapter 6: Business Influences and Associated Security Risks

Objective: 2.1 Interpret business and industry influences and explain associated security risks

Item number: 1

Item type: Multiple Choice

Question: A new vendor has asked your permission to use a protocol analyzer on your network. Which of the following would NOT be a potential use of this software?

Options:

A. Verify that a specific traffic type is encrypted on the network.

B. Identify the computers currently connected to the network.

C. Identify the potential for a web application to suffer a buffer overflow.

D. Identify the manufacturer of the wireless devices on the network.

Answer: C

Explanation: Protocol analyzers capture and decode raw packets from the network. They can show whether a given traffic type is encrypted, which hosts are connected, and (from the MAC address prefix) who manufactured a device, but they cannot examine the inner workings of an application, web or otherwise, so they cannot tell you whether it is susceptible to a buffer overflow.

Chapter 12: Assessment Tools and Methods

Objective: 3.3 Given a scenario, select methods or tools appropriate to conduct an assessment and analyze results

Item number: 2

Item type: Multiple Choice

Question: The university you work for allows students to purchase items over the intranet, using student ID cards that can be loaded with credits. Recently some students got the system to put unearned credits on their cards. The security team wants to use a protocol analyzer to address this issue. How could such software be useful in this scenario?

Options:

A. to fuzz the application for errors

B. to reverse engineer the transaction system’s protocol

C. to block transactions from specific students

D. to create a honeypot to lure and identify the guilty students

Answer: B

Explanation: Protocol analyzers can be used to capture raw packets from the network and analyze those packets offline. Studying the operation of the transaction system’s protocol could help identify the flaw that has allowed this to occur.

Chapter 12: Assessment Tools and Methods

Objective: 3.3 Given a scenario, select methods or tools appropriate to conduct an assessment and analyze results

Item number: 3

Item type: Multiple Choice

Question: The web development team has discovered that the shopping cart application on the website is allowing certain customers to give themselves a discount on purchases. The newest member of the team, who recently came from a job working as an auditor for a large security consulting firm, suggests using two tools: a fuzzer and an HTTP interceptor. What issues could be checked with this software?

Options:

A. open ports that the application does not use

B. validation of all input in drop-down boxes and free-form text field

C. access control to the critical modules

D. performance under stress

Answer: B

Explanation: HTTP interceptors sit between the browser and the server and let the tester modify requests, including values the browser would never send, to see whether the application performs proper server-side input validation. Fuzzers feed random or malformed input to the application and observe its reaction. Together they can be used to validate all input in drop-down boxes and free-form text fields, which is where a customer could be tampering with the discount.
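
An added example (not from the exam) of the server-side validation that these tools test, covering both this item and the earlier web-form item: drop-down values are checked against an allow-list because an interceptor can send any value regardless of what the page offered, free-form fields are matched against a strict pattern, and the total is recomputed from server-side data so an injected price field has no effect. The catalogue, discount table and sample requests are constructed for the example.

```python
import re
from decimal import Decimal

# Constructed server-side data. Prices and discount percentages live here,
# never in the form, so a tampered request cannot change them.
PRICES = {"SKU-100": Decimal("40.00"), "SKU-200": Decimal("15.50")}
DISCOUNT_CODES = {"NONE": Decimal("0"), "STUDENT10": Decimal("10"), "LOYALTY15": Decimal("15")}
QTY_RE = re.compile(r"[1-9][0-9]{0,2}")   # free-form quantity field: 1..999, digits only


class ValidationError(Exception):
    pass


def validate_order(form):
    """Validate the raw string fields of a submitted order and price it server-side.

    Drop-down fields are checked against an allow-list (the page's option list
    proves nothing: an interceptor can send any value). Free-form fields are
    matched against a strict pattern before conversion.
    """
    sku = form.get("sku", "")
    if sku not in PRICES:
        raise ValidationError(f"unknown sku {sku!r}")
    code = form.get("discount", "NONE")
    if code not in DISCOUNT_CODES:
        raise ValidationError(f"unknown discount code {code!r}")
    qty_raw = form.get("qty", "")
    if not QTY_RE.fullmatch(qty_raw):
        raise ValidationError(f"bad quantity {qty_raw!r}")
    qty = int(qty_raw)
    pct = DISCOUNT_CODES[code]
    # Any extra fields the client added ('price', 'percent', ...) are ignored.
    total = PRICES[sku] * qty * (Decimal(100) - pct) / Decimal(100)
    return {"sku": sku, "qty": qty, "discount_pct": pct, "total": total.quantize(Decimal("0.01"))}


def check_order(form):
    """Convenience wrapper: the priced order, or {'error': reason} if rejected."""
    try:
        return validate_order(form)
    except ValidationError as exc:
        return {"error": str(exc)}


if __name__ == "__main__":
    # A normal submission, then three requests of the kind an HTTP interceptor
    # or fuzzer would produce.
    for form in (
        {"sku": "SKU-100", "qty": "2", "discount": "STUDENT10"},
        {"sku": "SKU-100", "qty": "2", "discount": "STAFF100"},                # code never offered
        {"sku": "SKU-200", "qty": "1", "discount": "NONE", "price": "0.01"},  # injected price
        {"sku": "SKU-200", "qty": "-1"},                                      # fuzzed free-form field
    ):
        print(form, "->", check_order(form))
```

The discount code is the field to watch in the scenario: if the original application trusted the percentage or the price sent by the browser, an interceptor would have been enough to give any customer any discount.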

Chapter 12: Assessment Tools and Methods

Objective: 3.3 Given a scenario, select methods or tools appropriate to conduct an assessment and analyze results

Item number: 4

Item type: Multiple Choice

Question: Your organization produces a proprietary piece of hardware for which confidentiality of the software code is critical. Considering this, what type of vulnerability testing should a third-party vulnerability team be allowed to perform?

Options:

A. white box

B. black box

C. regression

D. integration

Answer: B

Explanation: Black-box testing is testing in which no information about the inner workings of the source code is shared with the tester. In this case, that type of testing would maintain the confidentiality of the software code.

Chapter 12: Assessment Tools and Methods

Objective: 3.3 Given a scenario, select methods or tools appropriate to conduct an assessment and analyze results

Item number: 5

Item type: Multiple Choice

Question: Your boss just returned from a security conference, and his head is filled with security concerns of all types. With a background as a developer, he was particularity interested in a process called code review. Which of the following issues would this process NOT mitigate?

Options:

A. integer overflows

B. buffer overflow

C. race conditions

D. performance issues

Answer: D

Explanation: Performance issues are not the focus of a security code review. Its purpose is to identify defects in the code that can lead to exploitable conditions such as integer overflows, buffer overflows, and race conditions; performance is assessed with profiling and load testing instead.

Chapter 12: Assessment Tools and Methods

Objective: 3.3 Given a scenario, select methods or tools appropriate to conduct an assessment and analyze results

Item number: 1

Item type: Multiple Choice

Question: Which of the following services or protocols can be made more secure by implementing H.235 extensions with DES?

Options:

A. DNS

B. H.323

C. SIP

D. STP

Answer: B

Explanation: H.323 is an ITU-T protocol suite for voice and video conferencing over packet networks. H.235 defines security and privacy extensions for H.323, covering authentication, integrity, and media encryption. The H.235 media encryption is applied at the RTP layer and supports algorithms ranging from DES through Triple DES to AES; DES is no longer considered secure, so AES should be selected where the endpoints support it.

Chapter 14: Secure Communication and Collaboration

Objective: 4.2 Given a scenario, select the appropriate control to secure communications and collaboration solutions

Item number: 2

Item type: Multiple Choice

Question: Your company is considering allowing personal smartphones to be given access to the network. Which of the following functions is NOT a key requirement that should be imposed on the allowed smartphones?

Options:

A. remote wipe

B. encryption

C. geotagging

D. DLP

Answer: C

Explanation: Geotagging embeds location metadata in photos and other files the device creates; it is a privacy exposure to control rather than a protective requirement. Remote wipe, device encryption, and DLP directly protect company data if a phone is lost, stolen, or misused, so those are the key requirements to impose.

Chapter 14: Secure Communication and Collaboration

Objective: 4.2 Given a scenario, select the appropriate control to secure communications and collaboration solutions

Item number: 3

Item type: Multiple Choice

Question: Your company is assessing vendors of collaboration software. The only remaining issues that need to be discussed are the relative merits of the competing systems with regard to security. Which of the following features creates the biggest issue?

Options:

A. user registration codes

B. read/write desktop sharing

C. read-only desktop sharing

D. buffer overflows

Answer: B

Explanation: Read/write desktop sharing lets a remote participant control the local desktop rather than merely view it, so it should be prevented or, where it is required, tightly restricted and strongly audited. Read-only sharing and registration codes carry far less risk, and buffer overflows are an implementation defect rather than a product feature to compare.

Chapter 14: Secure Communication and Collaboration

Objective: 4.2 Given a scenario, select the appropriate control to secure communications and collaboration solutions

Item number: 4

Item type: Multiple Choice

Question: Remote users connect to a VPN concentrator for video conferences. Because all email, voice mail, telephony, presence, and messaging has been integrated, a list of security measures has been developed. Which of the following measures does NOT address unified communications security?

Options:

A. creating presence groups

B. restricting IM protocols to the internal network

C. implementing single sign-on

D. restricting access to services to local users and VPN users

Answer: C

Explanation: While single sign-on simplifies password management for users, it does not specifically address unified communications security. Presence groups, keeping IM protocols on the internal network, and limiting services to local and VPN users all restrict who can reach the integrated communications services.

Chapter 14: Secure Communication and Collaboration

Objective: 4.2 Given a scenario, select the appropriate control to secure communications and collaboration solutions

Item number: 5

Item type: Multiple Choice

Question: The security team is assessing the relative security of four IM products. Which of the following sets of features provides the most secure solution?

Options:

A. protocol used is IRC over TLS; uses FTP for file exchange and video provided by Flash

B. protocol used is Jabber; uses FTP for file exchange and video provided by Flash

C. protocol used is XMPP over TLS; uses SCP for file exchange and video provided by H.323 over TLS

D. protocol used is SIP; uses RCP for file exchange and video provided by H.323

Answer: C

Explanation: This is the only option in which all three features are protected by encryption: XMPP over TLS for messaging, SCP (which runs over SSH) for file exchange, and H.323 over TLS for video. The other options rely on at least one cleartext protocol, such as FTP or rcp for file exchange, Jabber/XMPP or SIP without TLS, or Flash video.

Chapter 14: Secure Communication and Collaboration

Objective: 4.2 Given a scenario, select the appropriate control to secure communications and collaboration solutions

Item number: 1

Item type: Multiple Choice

Question: In an SPML exchange, which of the following roles responds to provisioning requests?

Options:

A. RA

B. PSP

C. PST

D. RP

Answer: B

Explanation: In SPML, the requesting authority (RA) issues the provisioning request, the provisioning service provider (PSP) receives and responds to the RA's requests, and the provisioning service target (PST) is the system on which the provisioning is actually performed. RP (relying party) is a SAML and federation term; there is no such role in an SPML transaction.

Chapter 17: Authentication and Authorization Technologies

Objective: 5.2 Given a scenario, integrate advanced authentication and authorization technologies to support enterprise objectives

Item number: 2

Item type: Multiple Choice

Question: A trust relationship has been established between two organizations with web-based services. Which of the following statements is true with regard to the use of SPML between the two organizations?

Options:

A. The trust relationship uses SAML in the SOAP header.

B. The trust relationship uses XACML in the SAML header.

C. The SOAP body transports the SAML requests/responses.

D. The SAML body transports the SOAP requests/responses.

Answer: A

Explanation: The SAML assertion that establishes the trust relationship is carried in the SOAP header, while the SOAP body transports the SPML provisioning requests and responses. Option C is wrong because it places SAML, rather than SPML, in the body; XACML is a separate access control language and is not carried in a SAML header.

Chapter 17: Authentication and Authorization Technologies

Objective: 5.2 Given a scenario, integrate advanced authentication and authorization technologies to support enterprise objectives

Item number: 3

Item type: Multiple Choice

Question: Which of the following is the only function facilitated by XACML?

Options:

A. authentication

B. access control

C. confidentiality

D. integrity

Answer: B

Explanation: XACML (eXtensible Access Control Markup Language) addresses only access control: it defines a policy language and a request/response language for authorization decisions. It does not authenticate users, and it provides neither confidentiality nor integrity; those come from other mechanisms such as SAML for authentication assertions and TLS for transport protection.

Chapter 17: Authentication and Authorization Technologies

Objective: 5.2 Given a scenario, integrate advanced authentication and authorization technologies to support enterprise objectives

Item number: 4

Item type: Multiple Choice

Question: Which of the following statements is true with regard to a SOAP packet?

Options:

A. The header is encrypted.

B. The body cannot be encrypted.

C. The header is not encrypted.

D. The body is always encrypted.

Answer: C

Explanation: One of the security issues with SOAP is that the SOAP header is transmitted in the clear, which allows intermediaries to read the header data (it is there for routing and processing instructions). The body can be partially or completely encrypted, for example with WS-Security using XML Encryption, so options B and D are wrong and option A is wrong as well.

Chapter 17: Authentication and Authorization Technologies

Objective: 5.2 Given a scenario, integrate advanced authentication and authorization technologies to support enterprise objectives
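The following is an added example, not part of the exam text, tying together items 2 and 4 above: it builds the SOAP envelope described there (a SAML assertion in the Header, an SPML request in the Body) with the standard library, then shows what an intermediary can read from the cleartext header and how the PSP uses the header to decide whether to act on the body. The issuer URL, user, target ID and account name are constructed, and the assertion is unsigned for brevity; a real PSP must verify the assertion's XML signature before trusting its issuer.

```python
"""Added example (constructed SOAP/SAML/SPML message); not code from the exam or any product."""
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "spml": "urn:oasis:names:tc:SPML:2:0",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)


def q(prefix, local):
    """Clark-notation tag name for ElementTree."""
    return "{%s}%s" % (NS[prefix], local)


def build_envelope(issuer, subject, target_id, account):
    """RA side: SAML assertion (trust) in the Header, SPML addRequest in the Body."""
    env = ET.Element(q("soap", "Envelope"))
    header = ET.SubElement(env, q("soap", "Header"))
    assertion = ET.SubElement(header, q("saml", "Assertion"), {"Version": "2.0", "ID": "_a1"})
    ET.SubElement(assertion, q("saml", "Issuer")).text = issuer
    subj = ET.SubElement(assertion, q("saml", "Subject"))
    ET.SubElement(subj, q("saml", "NameID")).text = subject
    body = ET.SubElement(env, q("soap", "Body"))
    add = ET.SubElement(body, q("spml", "addRequest"), {"targetID": target_id})
    data = ET.SubElement(add, q("spml", "data"))
    ET.SubElement(data, "account").text = account  # hypothetical PST schema
    return ET.tostring(env, encoding="unicode")


def intermediary_view(xml_text):
    """What any SOAP intermediary sees without touching the Body: because the
    header is in the clear it learns who is asserting what, even if the body
    were encrypted."""
    root = ET.fromstring(xml_text)
    assertion = root.find(q("soap", "Header")).find(q("saml", "Assertion"))
    return {
        "issuer": assertion.findtext(q("saml", "Issuer")),
        "subject": assertion.find(q("saml", "Subject")).findtext(q("saml", "NameID")),
    }


def psp_dispatch(xml_text, trusted_issuers):
    """PSP side: act on the SPML body only if the SAML issuer in the header is a
    trusted partner; returns (operation, targetID) for hand-off to the PST."""
    root = ET.fromstring(xml_text)
    assertion = root.find(q("soap", "Header")).find(q("saml", "Assertion"))
    issuer = assertion.findtext(q("saml", "Issuer"))
    if issuer not in trusted_issuers:
        raise PermissionError("untrusted issuer: %s" % issuer)
    op = root.find(q("soap", "Body"))[0]
    return op.tag.split("}", 1)[1], op.get("targetID")


def psp_accepts(xml_text, trusted_issuers):
    """Convenience wrapper returning True/False instead of raising."""
    try:
        psp_dispatch(xml_text, trusted_issuers)
        return True
    except PermissionError:
        return False
```

The namespace URIs are the real SOAP 1.1, SAML 2.0 assertion and SPML 2.0 namespaces; everything else in the message is constructed.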

Item number: 5

Item type: Multiple Choice

Question: Which of the following is an example of coarse-grained access control?

Options:

A. Employees can open the door.

B. Employees based in the United States can open or close the door during office hours.

C. Employees in the engineering department and based in the United States can open or close the door during office hours if they are assigned to an active project.

D. Employees with passwords can open the door.

Answer: A

Explanation: Coarse-grained access control describes a method with little or no specificity in its rule set. Option A grants access on a single broad attribute (being an employee); options B and C add conditions on location, time of day, department, and project assignment and are therefore progressively more fine-grained. Option D describes an authentication requirement, not the granularity of an access rule.

Chapter 17: Authentication and Authorization Technologies

Objective: 5.2 Given a scenario, integrate advanced authentication and authorization technologies to support enterprise objectives
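The following is an added example, not part of the exam text, covering items 3 and 5 above: a small attribute-based policy evaluator in the spirit of an XACML policy decision point (PDP) that encodes options A, B and C as rules of increasing granularity and combines them with a simplified deny-overrides algorithm. The rule format is a plain Python dict, a deliberate simplification of XACML's XML policy language, and the attribute names, values and rule names are constructed.

```python
"""Added example (simplified XACML-style PDP); not code from the exam or any product."""


def make_rule(name, effect, conditions):
    """conditions maps an attribute name to a predicate; all must hold."""
    return {"name": name, "effect": effect, "conditions": conditions}


# Option A: one attribute, so any employee is permitted (coarse-grained).
RULE_A = make_rule("any-employee", "Permit", {"role": lambda v: v == "employee"})

# Option B: adds location and office hours.
RULE_B = make_rule("us-office-hours", "Permit", {
    "role": lambda v: v == "employee",
    "country": lambda v: v == "US",
    "hour": lambda v: 9 <= v < 17,
})

# Option C: adds department and project assignment, the finest of the three.
RULE_C = make_rule("us-engineering-active-project", "Permit", dict(
    RULE_B["conditions"],
    department=lambda v: v == "engineering",
    active_project=lambda v: v is True,
))


def granularity(rule):
    """Number of attributes the rule constrains: 1 for A, 3 for B, 5 for C."""
    return len(rule["conditions"])


def evaluate_rule(rule, attrs):
    """XACML-style rule result: the rule's Effect when every condition holds,
    NotApplicable when a condition is false, and Indeterminate when an attribute
    the rule needs is missing from the request (an error, not a silent deny)."""
    for attr, pred in rule["conditions"].items():
        if attr not in attrs:
            return "Indeterminate"
        if not pred(attrs[attr]):
            return "NotApplicable"
    return rule["effect"]


def deny_overrides(results):
    """Simplified deny-overrides combining algorithm (XACML 3.0 additionally
    qualifies Indeterminate by the effect that might have applied)."""
    if "Deny" in results:
        return "Deny"
    if "Indeterminate" in results:
        return "Indeterminate"
    if "Permit" in results:
        return "Permit"
    return "NotApplicable"


def decide(policy, attrs):
    """The PDP: evaluate every rule in the policy and combine the results."""
    return deny_overrides([evaluate_rule(r, attrs) for r in policy])


# A policy that permits per option C but denies contractors outright.
RULE_NO_CONTRACTORS = make_rule("no-contractors", "Deny",
                                {"role": lambda v: v == "contractor"})
POLICY = [RULE_C, RULE_NO_CONTRACTORS]
```

The Indeterminate result is the practical point: a fine-grained rule needs every attribute it names to be present in the request, so a policy enforcement point that cannot supply, say, the project assignment must treat the decision as an error rather than quietly falling back to a coarser rule.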

Item number: 6

Item type: Multiple Choice

Question: What type of transaction is described by the following series of steps?

1. The browser asks the service provider (SP) for a resource.

2. The SP provides the browser with an XHTML form.

3. The browser asks the identity provider to validate the user.

4. The browser provides the XHTML back to the SP for access.

Options:

A. authenticated SAMLv2

B. unauthenticated SAMLv2

C. authenticated SAMLv1

D. unauthenticated SAMLv1

Answer: B

Explanation: The steps describe an unauthenticated SAMLv2 transaction: the browser arrives at the SP with no existing session, so the SP hands it an XHTML form (the HTTP POST binding) that carries an authentication request to the identity provider, and only after the identity provider validates the user does the browser return the resulting assertion to the SP to obtain access.

Chapter 17: Authentication and Authorization Technologies

Objective: 5.2 Given a scenario, integrate advanced authentication and authorization technologies to support enterprise objectives

Item number: 7

Item type: Multiple Choice

Question: Which process is being described by the following steps?

1. A user logs into domain A using a PKI certificate on a smartcard protected by an eight-digit PIN.

2. The credential is cached by the authenticating server in Domain A.

3. Later, the user attempts to access a resource in Domain B.

4. A request to the original authenticating server is initiated to somehow attest to the resource server in the second domain that the user is in fact who he claims to be.

Options:

A. HTML

B. SAML

C. SOAP

D. IPsec

Answer: B

Explanation: The steps provided describe the operation of SAML.
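The following is an added example, not part of the exam text, that simulates in one process the SP-initiated browser SSO exchange from items 6 and 7: the SP issues an authentication request inside an auto-posting XHTML form, the identity provider validates the user and answers with a Response carrying an assertion, and the SP performs the checks it must make before trusting it (request ID matches an outstanding request and is consumed once, expected issuer, validity window, audience). The entity IDs, user name, PIN and form URL are constructed, and the messages are unsigned for brevity; a real SP must verify the IdP's XML signature on the Response before any of these checks mean anything.

```python
"""Added example (simulated SAML 2.0 SP-initiated SSO); not code from the exam or any product."""
import base64
import re
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
SP_ENTITY = "https://sp.example.com/metadata"      # constructed entity IDs
IDP_ENTITY = "https://idp.example.org/metadata"


def iso(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_iso(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class ServiceProvider:
    def __init__(self):
        self.pending = {}  # AuthnRequest ID -> requested resource (consumed once)

    def request_resource(self, resource):
        """Steps 1-2: no session, so the SP issues an AuthnRequest wrapped in an
        XHTML form that the browser auto-posts to the IdP (HTTP POST binding)."""
        req_id = "_" + uuid.uuid4().hex
        self.pending[req_id] = resource
        req = ET.Element("{%s}AuthnRequest" % SAMLP, {"ID": req_id, "Version": "2.0",
                         "IssueInstant": iso(datetime.now(timezone.utc))})
        ET.SubElement(req, "{%s}Issuer" % SAML).text = SP_ENTITY
        b64 = base64.b64encode(ET.tostring(req)).decode()
        return ('<form method="post" action="https://idp.example.org/sso">'
                '<input type="hidden" name="SAMLRequest" value="%s"/></form>' % b64)

    def consume_response(self, response_b64, now=None):
        """Step 4: checks the SP must make before treating the user as logged in."""
        now = now or datetime.now(timezone.utc)
        resp = ET.fromstring(base64.b64decode(response_b64))
        resource = self.pending.pop(resp.get("InResponseTo"), None)  # one-shot
        if resource is None:
            raise ValueError("unsolicited or replayed response")
        a = resp.find("{%s}Assertion" % SAML)
        if a.findtext("{%s}Issuer" % SAML) != IDP_ENTITY:
            raise ValueError("unexpected issuer")
        cond = a.find("{%s}Conditions" % SAML)
        if not parse_iso(cond.get("NotBefore")) <= now < parse_iso(cond.get("NotOnOrAfter")):
            raise ValueError("assertion outside its validity window")
        if cond.find("{%s}AudienceRestriction/{%s}Audience" % (SAML, SAML)).text != SP_ENTITY:
            raise ValueError("assertion not intended for this SP")
        return a.find("{%s}Subject/{%s}NameID" % (SAML, SAML)).text, resource


class IdentityProvider:
    def __init__(self, users):
        self.users = users  # constructed credential store: user -> PIN

    def authenticate(self, xhtml_form, user, pin, now=None):
        """Step 3: validate the user, then answer the AuthnRequest with a Response
        whose assertion names the user and is bound to that request and SP."""
        if self.users.get(user) != pin:
            raise PermissionError("authentication failed")
        now = now or datetime.now(timezone.utc)
        b64 = re.search(r'name="SAMLRequest" value="([^"]+)"', xhtml_form).group(1)
        req = ET.fromstring(base64.b64decode(b64))
        resp = ET.Element("{%s}Response" % SAMLP, {"ID": "_" + uuid.uuid4().hex, "Version": "2.0",
                          "InResponseTo": req.get("ID"), "IssueInstant": iso(now)})
        a = ET.SubElement(resp, "{%s}Assertion" % SAML, {"ID": "_" + uuid.uuid4().hex, "Version": "2.0"})
        ET.SubElement(a, "{%s}Issuer" % SAML).text = IDP_ENTITY
        subj = ET.SubElement(a, "{%s}Subject" % SAML)
        ET.SubElement(subj, "{%s}NameID" % SAML).text = user
        cond = ET.SubElement(a, "{%s}Conditions" % SAML, {"NotBefore": iso(now),
                             "NotOnOrAfter": iso(now + timedelta(minutes=5))})
        ar = ET.SubElement(cond, "{%s}AudienceRestriction" % SAML)
        ET.SubElement(ar, "{%s}Audience" % SAML).text = req.findtext("{%s}Issuer" % SAML)
        return base64.b64encode(ET.tostring(resp)).decode()


def sso(sp, idp, resource, user, pin):
    """Run the four steps end to end; returns (user, resource) or ("rejected", reason)."""
    try:
        return sp.consume_response(idp.authenticate(sp.request_resource(resource), user, pin))
    except (ValueError, PermissionError) as e:
        return ("rejected", str(e))


def try_consume(sp, response_b64):
    try:
        return sp.consume_response(response_b64)
    except ValueError as e:
        return ("rejected", str(e))
```

Popping the request ID in `consume_response` is what makes a captured Response useless a second time; the audience check is what stops an assertion issued for one SP from being presented to another.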
