CISSP 8 (3rd Study)

Description: CISSP 8

Creation Date: 2025/03/30

Category: Others

Number of questions: 151

Content:

In supervisory control and data acquisition (SCADA) systems, which of the following controls can be used to reduce device exposure to malware?
a) Disallow untested code in the execution space of the SCADA device.
b) Disable all command line interfaces.
c) Disable Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) port 138 and 139 on the SCADA device.
d) Prohibit the use of unsecure scripting languages.

Which of the following secure transport protocols is often used to secure Voice over Internet Protocol (VoIP) communications on a network from end to end?
a) Secure File Transfer Protocol (SFTP).
b) Secure Real-time Transport Protocol (SRTP).
c) Generic Routing Encapsulation (GRE).
d) Internet Protocol Security (IPSec).

A healthcare insurance organization chose a vendor to develop a software application. Upon review of the draft contract, the information security professional notices that software security is not addressed. What is the BEST approach to address the issue?
a) Update the contract to require the vendor to perform security code reviews.
b) Update the service level agreement (SLA) to provide the organization the right vendor.
c) Update the contract so that the vendor is obligated to provide security capabilities.
d) Update the service level agreement (SLA) to require the vendor to provide security capabilities.

Which of the following security tools will ensure authorized data is sent to the application when implementing a cloud-based application?
a) Host-based intrusion prevention system (HIPS).
b) Access control list (ACL).
c) Data loss prevention (DLP).
d) File integrity monitoring (FIM).

A client server infrastructure that provides user-to-server authentication describes which one of the following?
a) Secure Sockets Layer (SSL).
b) User-based authorization.
c) Kerberos.
d) X.509.

A system developer has a requirement for an application to check for a secure digital signature before the application is accessed on a user's laptop. Which security mechanism addresses this requirement?
a) Trusted Platform Module (TPM).
b) Certificate revocation list (CRL) policy.
c) Key exchange.
d) Hardware encryption.

Which of the following is a term used to describe maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions?
a) Information Security Continuous Monitoring (ISCM).
b) Risk Management Framework (RMF).
c) Information Sharing & Analysis Centers (ISAC).
d) Information Security Management System (ISMS).

Which of the following types of firewall only examines the "handshaking" between packets before forwarding traffic?
a) Proxy firewalls.
b) Circuit-level firewalls.
c) Network Address Translation (NAT) firewalls.
d) Host-based firewalls.

What is a use for mandatory access control (MAC)?
a) Allows for mandatory user identity and passwords based on sensitivity.
b) Allows for mandatory system administrator access control over objects.
c) Allows for labeling of sensitive user accounts for access control.
d) Allows for object security based on sensitivity represented by a label.

An organization has developed a way for customers to share information from their wearable devices with each other. Unfortunately, the users were not informed as to what information collected would be shared. What technical controls should be put in place to remedy the privacy issue while still trying to accomplish the organization's business goals?
a) Share only what the organization decides is best.
b) Stop sharing data with the other users.
c) Default the user to not share any information.
d) Inform the user of the sharing feature changes after implemented.

Which of the following system components enforces access controls on an object?
a) Security perimeter.
b) Access control matrix.
c) Trusted domain.
d) Reference monitor.

In setting expectations when reviewing the results of a security test, which of the following statements is MOST important to convey to reviewers?
a) The accuracy of testing results can be greatly improved if the target(s) are properly hardened.
b) The results of the tests represent a point-in-time assessment of the target(s).
c) The deficiencies identified can be corrected immediately.
d) The target's security posture cannot be further compromised.

What is the benefit of an operating system (OS) feature that is designed to prevent an application from executing code from a non-executable memory region?
a) Identifies which security patches still need to be installed on the system.
b) Reduces the risk of polymorphic viruses from encrypting their payload.
c) Stops memory resident viruses from propagating their payload.
d) Helps prevent certain exploits that store code in buffers.

What is the overall goal of software security testing?
a) Identifying the key security features of the software.
b) Ensuring all software functions perform as specified.
c) Reducing vulnerabilities within a software system.
d) Making software development more agile.

Which of the following implementations will achieve high availability in a website?
a) Disk mirroring of the web server with redundant disk drives in a hardened data center.
b) Disk striping of the web server hard drives and large amounts of bandwidth.
c) Multiple geographically dispersed web servers that are configured for failover.
d) Multiple Domain Name System (DNS) entries resolving to the same web server and large amounts of bandwidth.

Which of the following is an important design feature for the outer door of a mantrap?
a) Allow it to be opened by an alarmed emergency button.
b) Do not allow anyone to enter it alone.
c) Do not allow it to be observed by closed-circuit television (CCTV) cameras.
d) Allow it to be opened when the inner door of the mantrap is also open.

Which of the following is the MOST important rule for digital investigations?
a) Ensure original data is never modified.
b) Ensure systems are powered on.
c) Ensure event logs are rotated.
d) Ensure individual privacy is protected.

An information security professional is reviewing user access controls on a customer-facing application. The application must have multi-factor authentication (MFA) in place. The application currently requires a username and password to log in. Which of the following options would BEST implement MFA?
a) Geolocate the user and compare to previous logins.
b) Require a pre-selected number as part of the login.
c) Have the user answer a secret question that is known to them.
d) Enter an automatically generated number from a hardware token.

Which of the following is a MAJOR consideration in implementing a Voice over Internet Protocol (VoIP) network?
a) Use of Request for Comments (RFC) 1918 addressing.
b) Use of Network Access Control (NAC) on switches.
c) Use of separation for the voice network.
d) Use of unified messaging.

During testing, where are the requirements to inform parent organizations, law enforcement, and a computer incident response team documented?
a) Security Assessment Report (SAR).
b) Security assessment plan.
c) Unit test results.
d) System integration plan.

The security architect has been mandated to assess the security of various brands of mobile devices. At what phase of the product lifecycle would this be MOST likely to occur?
a) Implementation.
b) Operations and maintenance.
c) Disposal.
d) Development.

Which of the following statements is MOST accurate regarding information assets?
a) International Organization for Standardization (ISO) 27001 compliance specifies which information assets must be included in asset inventory.
b) Information assets include any information that is valuable to the organization.
c) Building an information assets register is a resource-intensive job.
d) Information assets inventory is not required for risk assessment.

Which of the following attack types can be used to compromise the integrity of data during transmission?
a) Synchronization flooding.
b) Session hijacking.
c) Keylogging.
d) Packet sniffing.

A malicious user gains access to unprotected directories on a web server. Which of the following is MOST likely the cause for this information disclosure?
a) Broken authentication management.
b) Security misconfiguration.
c) Cross-site request forgery (CSRF).
d) Structured Query Language injection (SQLi).

When reviewing the security logs, the password shown for an administrative login event was ' OR ' '1'='1' --. This is an example of which of the following kinds of attack?
a) Structured Query Language (SQL) Injection.
b) Brute Force Attack.
c) Rainbow Table Attack.
d) Cross-Site Scripting (XSS).

Which is the BEST control to meet the Statement on Standards for Attestation Engagements 18 (SSAE-18) confidentiality category?
a) File hashing.
b) Storage encryption.
c) Data retention policy.
d) Data processing.

Which of the following BEST describes why software assurance is critical in helping prevent an increase in business and mission risk for an organization?
a) Request for proposals (RFP) avoid purchasing software that does not meet business needs.
b) Contracting processes eliminate liability for security vulnerabilities for the purchaser.
c) Decommissioning of old software reduces long-term costs related to technical debt.
d) Software that does not perform as intended may be exploitable which makes it vulnerable to attack.

An employee's home address should be categorized according to which of the following references?
a) The consent form terms and conditions signed by employees.
b) An organization security plan for human resources.
c) Existing employee data classifications.
d) The organization's data classification model.

Which of the following activities should a forensic examiner perform FIRST when determining the priority of digital evidence collection at a crime scene?
a) Gather physical evidence.
b) Assign responsibilities to personnel on the scene.
c) Establish a list of files to examine.
d) Establish order of volatility.

Which software defined networking (SDN) architectural component is responsible for translating network requirements?
a) SDN Controller.
b) SDN Datapath.
c) SDN Northbound Interfaces.
d) SDN Application.

An internal audit for an organization recently identified malicious actions by a user account. Upon further investigation, it was determined the offending user account was used by multiple people at multiple locations simultaneously for various services and applications. What is the BEST method to prevent this problem in the future?
a) Ensure each user has their own unique account.
b) Allow several users to share a generic account.
c) Ensure the security information and event management (SIEM) is set to alert.
d) Inform users only one user should be using the account at a time.

Who should perform the design review to uncover security design flaws as part of the Software Development Life Cycle (SDLC)?
a) A security subject matter expert (SME).
b) A developer subject matter expert (SME).
c) The business owner.
d) The application owner.

The initial security categorization should be done early in the system life cycle and should be reviewed periodically. Why is it important for this to be done correctly?
a) It determines the functional and operational requirements.
b) It determines the security requirements.
c) It affects other steps in the certification and accreditation process.
d) The system engineering process works with selected security controls.

When designing a Cyber-Physical System (CPS), which of the following should be a security practitioner's first consideration?
a) Detection of sophisticated attackers.
b) Topology of the network used for the system.
c) Risk assessment of the system.
d) Resiliency of the system.

Which of the following events prompts a review of the disaster recovery plan (DRP)?
a) Change in senior management.
b) Completion of the security policy review.
c) Organizational merger.
d) New members added to the steering committee.

A user is allowed to access the file labeled "Financial Forecast," but only between 9:00 a.m. and 5:00 p.m., Monday through Friday. Which type of access mechanism should be used to accomplish this?
a) Minimum access control.
b) Limited role-based access control (RBAC).
c) Access control list (ACL).
d) Rule-based access control.

What is the benefit of using Network Admission Control (NAC)?
a) NAC only supports Windows operating systems (OS).
b) NAC supports validation of the endpoint's security posture prior to allowing the session to go into an authorized state.
c) NAC can require the use of certificates, passwords, or a combination of both before allowing network admission.
d) Operating system (OS) versions can be validated prior to allowing network access.

When MUST an organization's information security strategic plan be reviewed?
a) Whenever there are major changes to the business.
b) Quarterly, when the organization's strategic plan is updated.
c) Every three years, when the organization's strategic plan is updated.
d) Whenever there are significant changes to a major application.

An established information technology (IT) consulting firm is considering acquiring a successful local startup. To gain a comprehensive understanding of the startup's security posture, which type of assessment provides the BEST information?
a) A security audit.
b) A tabletop exercise.
c) A penetration test.
d) A security threat model.

An organization plans to acquire a commercial off-the-shelf (COTS) system to replace their aging home-built reporting system. When should the organization's security team FIRST get involved in this acquisition's life cycle?
a) When the system is verified and validated.
b) When the need for a system is expressed and the purpose of the system is documented.
c) When the system is deployed into production.
d) When the system is being designed, purchased, programmed, developed, or otherwise constructed.

Which of the following is a PRIMARY security weakness in the design of Domain Name System (DNS)?
a) Each DNS server must hold the address of the root servers.
b) A DNS server can be disabled in a denial-of-service (DoS) attack.
c) A DNS server does not authenticate source of information.
d) A DNS server database can be injected with falsified checksums.

To minimize the vulnerabilities of a web-based application, which of the following FIRST actions will lock down the system and minimize the risk of an attack?
a) Apply the latest vendor patches and updates.
b) Run a vulnerability scanner.
c) Review access controls.
d) Install an antivirus on the server.

An organization has implemented a password complexity and an account lockout policy enforcing five incorrect login attempts within ten minutes. Network users have reported significantly increased account lockouts. Which of the following security principles is this company affecting?
a) Confidentiality.
b) Integrity.
c) Availability.
d) Authentication.

In the last 15 years a company has experienced three electrical failures. The cost associated with each failure is listed below. Which of the following would be a reasonable annual loss expectation?
a) 3500.
b) 140000.
c) 14000.
d) 350000.

A security practitioner has been asked to model best practices for disaster recovery (DR) and business continuity. The practitioner has decided that a formal committee is needed to establish a business continuity policy. Which of the following BEST describes this stage of business continuity development?
a) Developing and Implementing business continuity plans (BCP).
b) Project Initiation and Management.
c) Risk Evaluation and Control.
d) Business impact analysis (BIA).

What physical characteristic does a retinal scan biometric device measure?
a) The amount of light reflected by the retina.
b) The pattern of blood vessels at the back of the eye.
c) The size, curvature, and shape of the retina.
d) The pattern of light receptors at the back of the eye.

Which of the following BEST represents a defense in depth concept?
a) Network-based data loss prevention (DLP), Network Access Control (NAC), network-based Intrusion prevention system (NIPS), Port security on core switches.
b) Host-based data loss prevention (DLP), Endpoint anti-malware solution, Host-based integrity checker, Laptop locks, hard disk drive (HDD) encryption.
c) Endpoint security management, network intrusion detection system (NIDS), Network Access Control (NAC), Privileged Access Management (PAM), security information and event management (SIEM).
d) Web application firewall (WAF), Gateway network device tuning, Database firewall, Next-Generation Firewall (NGFW), Tier-2 demilitarized zone (DMZ) tuning.

Which of the following is required to verify the authenticity of a digitally signed document?
a) Agreed upon shared secret.
b) Digital hash of the signed document.
c) Recipient's public key.
d) Sender's private key.

Which of the following contributes MOST to the effectiveness of a security officer?
a) Developing precise and practical security plans.
b) Integrating security into the business strategies.
c) Understanding the regulatory environment.
d) Analyzing the strengths and weaknesses of the organization.

Where can the Open Web Application Security Project (OWASP) list of associated vulnerabilities be found?
a) OWASP Mobile Project.
b) OWASP Software Assurance Maturity Model (SAMM) Project.
c) OWASP Guide Project.
d) OWASP Top 10 Project.

Employee training, risk management, and data handling procedures and policies could be characterized as which type of security measure?
a) Preventative.
b) Management.
c) Non-essential.
d) Administrative.

A hospital's building controls system monitors and operates the environmental equipment to maintain a safe and comfortable environment. Which of the following could be used to minimize the risk of utility supply interruption?
a) Digital protection and control devices capable of minimizing the adverse impact to critical utility.
b) Standardized building controls system software with high connectivity to hospital networks.
c) Lock out maintenance personnel from the building controls system access that can impact critical utility supplies.
d) Digital devices that can turn equipment off and continuously cycle rapidly in order to increase supplies and conceal activity on the hospital network.

Which of the following statements BEST distinguishes a stateful packet inspection firewall from a stateless packet filter firewall?
a) The SPI inspects traffic on a packet-by-packet basis.
b) The SPI inspects the flags on Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) packets.
c) The SPI is capable of dropping packets based on a pre-defined rule set.
d) The SPI inspects the traffic in the context of a session.

What is the MAIN purpose of conducting a business impact analysis (BIA)?
a) To determine the cost for restoration of damaged information system.
b) To determine the controls required to return to business critical operations.
c) To determine the critical resources required to recover from an incident within a specified time period.
d) To determine the effect of mission-critical information system failures on core business processes.

Which algorithm gets its security from the difficulty of calculating discrete logarithms in a finite field and is used to distribute keys, but cannot be used to encrypt or decrypt messages?
a) Kerberos.
b) Digital Signature Algorithm (DSA).
c) Diffie-Hellman.
d) Rivest-Shamir-Adleman (RSA).

Which of the following is established to collect information in accordance with pre-established metrics, utilizing information readily available in part through implemented security controls?
a) Security Assessment Report (SAR).
b) Organizational risk tolerance.
c) Risk assessment report.
d) Information Security Continuous Monitoring (ISCM).

When conducting a remote access session using Internet Protocol Security (IPSec), which Open Systems Interconnection (OSI) model layer does this connection use?
a) Presentation.
b) Transport.
c) Network.
d) Data link.

Which of the following is the MOST effective corrective control to minimize the effects of a physical intrusion?
a) Rapid response by guards or police to apprehend a possible intruder.
b) Sounding a loud alarm to frighten away a possible intruder.
c) Automatic videotaping of a possible intrusion.
d) Activating bright lighting to frighten away a possible intruder.

Which of the following are the three MAIN categories of security controls?
a) Preventative, corrective, detective.
b) Administrative, technical, physical.
c) Corrective, detective, recovery.
d) Confidentiality, integrity, availability.

Which is the PRIMARY mechanism for providing the workforce with the information needed to protect an agency's vital information resources?
a) Implementation of access provisioning process for coordinating the creation of user accounts.
b) Incorporating security awareness and training as part of the overall information security program.
c) An information technology (IT) security policy to preserve the confidentiality, integrity, and availability of systems.
d) Execution of periodic security and privacy assessments to the organization.

Which of the following is considered the FIRST step when designing an internal security control assessment?
a) Create a plan based on comprehensive knowledge of known breaches.
b) Create a plan based on reconnaissance of the organization's infrastructure.
c) Create a plan based on a recognized framework of known controls.
d) Create a plan based on recent vulnerability scans of the systems in question.

The Open Web Application Security Project's (OWASP) Software Assurance Maturity Model (SAMM) allows organizations to implement a flexible software security strategy to measure organizational impact based on what risk management aspect?
a) Risk exception.
b) Risk tolerance.
c) Risk treatment.
d) Risk response.

Match the roles for an external audit to the appropriate responsibilities. Drag each role on the left to its corresponding responsibility on the right. Select and Place:

What is the PRIMARY reason that a bit-level copy is more desirable than a file-level copy when replicating a hard drive's contents for an e-discovery investigation?
a) The corruption of files is less likely.
b) Files that have been deleted will be transferred.
c) The file and directory structure is retained.
d) File-level security settings will be preserved.

An organization outgrew its internal data center and is evaluating third-party hosting facilities. In this evaluation, which of the following is a PRIMARY factor for selection?
a) Facility provides an acceptable level of risk.
b) Facility provides disaster recovery (DR) services.
c) Facility has physical access protection measures.
d) Facility provides the most cost-effective solution.

A large manufacturing organization arranges to buy an industrial machine system to produce a new line of products. The system includes software provided to the vendor by a third-party organization. The financial risk to the manufacturing organization starting production is high. What step should the manufacturing organization take to minimize its financial risk in the new venture prior to the purchase?
a) Require that the software be thoroughly tested by an accredited independent software testing company.
b) Hire a performance tester to execute offline tests on a system.
c) Calculate the possible loss in revenue to the organization due to software bugs and vulnerabilities, and compare that to the system's overall price.
d) Place the machine behind a Layer 3 firewall.

Which of the following is the BEST method a security practitioner can use to ensure that systems and sub-systems gracefully handle invalid input?
a) Unit testing.
b) Acceptance testing.
c) Integration testing.
d) Negative testing.

Commercial off-the-shelf (COTS) software presents which of the following additional security concerns?
a) Vendors take on the liability for COTS software vulnerabilities.
b) In-house developed software is inherently less secure.
c) COTS software is inherently less secure.
d) Exploits for COTS software are well documented and publicly available.

When conducting a third-party risk assessment of a new supplier, which of the following reports should be reviewed to confirm the operating effectiveness of the security, availability, confidentiality, and privacy trust principles?
a) Service Organization Control (SOC) 1, Type 2.
b) Service Organization Control (SOC) 2, Type 2.
c) International Organization for Standardization (ISO) 27001.
d) International Organization for Standardization (ISO) 27002.

Which of the following would be the BEST mitigation practice for man-in-the-middle (MITM) Voice over Internet Protocol (VoIP) attacks?
a) Use Secure Shell (SSH) protocol.
b) Use File Transfer Protocol (FTP).
c) Use Transport Layer Security (TLS) protocol.
d) Use Media Gateway Control Protocol (MGCP).

The Chief Information Security Officer (CISO) is concerned about business application availability. The organization was recently subject to a ransomware attack that resulted in the unavailability of applications and services for 10 working days that required paper-based running of all main business processes. There are now aggressive plans to enhance the Recovery Time Objective (RTO) and cater for more frequent data captures. Which of the following solutions should be implemented to fully comply with the new business requirements?
a) Virtualization.
b) Antivirus.
c) Host-based intrusion prevention system (HIPS).
d) Process isolation.

What is the MOST appropriate hierarchy of documents when implementing a security program?
a) Policy, organization principle, standard, guideline.
b) Standard, policy, organization principle, guideline.
c) Organization principle, policy, standard, guideline.
d) Organization principle, guideline, policy, standard.

Which of the following is the MOST important consideration in selecting a security testing method based on different Radio-Frequency Identification (RFID) vulnerability types?
a) An understanding of the attack surface.
b) Adaptability of testing tools to multiple technologies.
c) The quality of results and usability of tools.
d) The performance and resource utilization of tools.

An organization's internal audit team performed a security audit on the company's system and reported that the manufacturing application is rarely updated along with other issues categorized as minor. Six months later, an external audit team reviewed the same system with the same scope, but identified severe weaknesses in the manufacturing application's security controls. What is MOST likely to be the root cause of the internal audit team's failure in detecting these security issues?
a) Inadequate security patch testing.
b) Inadequate test coverage analysis.
c) Inadequate log reviews.
d) Inadequate change control procedures.

Which of the following is a limitation of the Bell-LaPadula model?
a) Segregation of duties (SoD) is difficult to implement as the "no read-up" rule limits the ability of an object to access information with a higher classification.
b) Mandatory access control (MAC) is enforced at all levels making discretionary access control (DAC) impossible to implement.
c) It contains no provision or policy for changing data access control and works well only with access systems that are static in nature.
d) It prioritizes integrity over confidentiality which can lead to inadvertent information disclosure.

Which of the following vulnerability assessment activities BEST exemplifies the Examine method of assessment?
a) Asking the Information System Security Officer (ISSO) to describe the organization's patch management processes.
b) Ensuring that system audit logs capture all relevant data fields required by the security controls baseline.
c) Logging into a web server using the default administrator account and a default password.
d) Performing Port Scans of selected network hosts to enumerate active services.

Which of the following BEST ensures the integrity of transactions to intended recipients?
a) Public key infrastructure (PKI).
b) Blockchain technology.
c) Pre-shared key (PSK).
d) Web of trust.

Recently, an unknown event has disrupted a single Layer-2 network that spans between two geographically diverse data centers. The network engineers have asked for assistance in identifying the root cause of the event. Which of the following is the MOST likely cause?
a) Smurf attack.
b) Misconfigured routing protocol.
c) Broadcast domain too large.
d) Address spoofing.

A company is moving from the V model to Agile development. How can the information security department BEST ensure that secure design principles are implemented in the new methodology?
a) Information security requirements are captured in mandatory user stories.
b) All developers receive a mandatory targeted information security training.
c) The information security department performs an information security assessment after each sprint.
d) The non-financial information security requirements remain mandatory for the new model.

Which of the (ISC)² Code of Ethics canons is MOST reflected when preserving the value of systems, applications, and entrusted information while avoiding conflicts of interest?
a) Provide diligent and competent service to principals.
b) Act honorably, honestly, justly, responsibly, and legally.
c) Advance and protect the profession.
d) Protect society, the commonwealth, and the infrastructure.

Which of the following should exist in order to perform a security audit?
a) Neutrality of the auditor.
b) Industry framework to audit against.
c) External (third-party) auditor.
d) Internal certified auditor.

When telephones in a city are connected by a single exchange, the caller can only connect with the switchboard operator. The operator then manually connects the call. This is an example of which type of network topology?
a) Point-to-Point Protocol (PPP).
b) Bus.
c) Star.
d) Tree.

A firm within the defense industry has been directed to comply with contractual requirements for encryption of a government client's Controlled Unclassified Information (CUI). What encryption strategy represents how to protect data at rest in the MOST efficient and cost-effective manner?
a) Perform logical separation of program information, using virtualized storage solutions with encryption management in the back-end disk systems.
b) Perform logical separation of program information, using virtualized storage solutions with built-in encryption at the virtualization layer.
c) Perform physical separation of program information and encrypt only information deemed critical by the defense client.
d) Implement data at rest encryption across the entire storage area network.

Which audit type is MOST appropriate for evaluating the effectiveness of a security program?
a) Analysis.
b) Threat.
c) Assessment.
d) Validation.

Before allowing a web application into the production environment, the security practitioner performs multiple types of tests to confirm that the web application performs as expected. To test the username field, the security practitioner creates a test that enters more characters into the field than is allowed. Which of the following BEST describes the type of test performed?
a) Misuse case testing.
b) Interface testing.
c) Web session testing.
d) Penetration testing.

If the wide area network (WAN) is supporting converged applications like Voice over Internet Protocol (VoIP), which of the following becomes even MORE essential to the assurance of the network?
a) Boundary routing.
b) Classless Inter-Domain Routing (CIDR).
c) Internet Protocol (IP) routing lookups.
d) Deterministic routing.

Why would a system be structured to isolate different classes of information from one another and segregate them by user jurisdiction?
a) The organization is required to provide different services to various third-party organizations.
b) The organization can avoid e-discovery processes in the event of litigation.
c) The organization's infrastructure is clearly arranged and scope of responsibility is simplified.
d) The organization can vary its system policies to comply with conflicting national laws.

An organization implements Network Access Control (NAC) using Institute of Electrical and Electronics Engineers (IEEE) 802.1x and discovers the printers do not support the IEEE 802.1x standard. Which of the following is the BEST resolution?
a) Implement port security on the switch ports for the printers.
b) Do nothing; IEEE 802.1x is irrelevant to printers.
c) Install an IEEE 802.1x bridge for the printers.
d) Install an IEEE 802.1x bridge for the printers.

Which of the following goals represents a modern shift in risk management according to National Institute of Standards and Technology (NIST)?. Provide an improved mission accomplishment approach. Focus on operating environments that are changing, evolving, and full of emerging threats. Enable management to make well-informed risk-based decisions justifying security expenditure. Secure information technology (IT) systems that store, process, or transmit organizational information.

Which of the following security tools monitors devices and records the information in a central database for further analysis?. Antivirus. Host-based intrusion detection system (HIDS). Security orchestration automation and response. Endpoint detection and response (EDR).

In addition to life, protection of which of the following elements is MOST important when planning a data center site?. Data and hardware. Property and operations. Resources and reputation. Profits and assets.

Which of the following documents specifies services from the client's viewpoint?. Business Impact analysis (BIA). Service level agreement (SLA). Service Level Requirement (SLR). Service level report.

Which of the following should be included in a good defense-in-depth strategy provided by object-oriented programming for software development?. Polymorphism. Inheritance. Polyinstantiation. Encapsulation.

Which of the following is a key responsibility for a data steward assigned to manage an enterprise data lake?. Ensure proper business definition, value, and usage of data collected in the enterprise data lake. Ensure adequate security controls are applied to the enterprise data lake. Ensure proper and identifiable data owners for each data element stored within an enterprise data lake. Ensure that any data passing within remit is being used in accordance with the rules and regulations of the business.

What is the FIRST step prior to executing a test of an organization's disaster recovery (DR) or business continuity plan (BCP)?. Develop clear evaluation criteria. Identify key stakeholders. Develop recommendations for disaster scenarios. Identify potential failure points.

A breach investigation found a website was exploited through an open source component. What is the FIRST step in the process that could have prevented this breach?. Application whitelisting. Vulnerability remediation. Web application firewall (WAF). Software inventory.

What security principle addresses the issue of "Security by Obscurity"?. Open design. Role Based Access Control (RBAC). Segregation of duties (SoD). Least privilege.

What is the MOST important goal of conducting security assessments?. To align the security program with organizational risk appetite. To demonstrate proper function of security controls and processes to senior management. To prepare the organization for an external audit, particularly by a regulatory entity. To discover unmitigated security vulnerabilities, and propose paths for mitigating them.

Which of the following virtual network configuration options is BEST to protect virtual machines (VM)?. Data segmentation. Data encryption. Traffic filtering. Traffic throttling.

Which of the following features is MOST effective in mitigating against theft of data on a corporate mobile device which has been stolen?. Mobile Device Management (MDM) with device wipe. Mobile device tracking with geolocation. Virtual private network (VPN) with traffic encryption. Whole device encryption with key escrow.

An organization is implementing data encryption using symmetric ciphers and the Chief Information Officer (CIO) is concerned about the risk of using one key to protect all sensitive data. The security practitioner has been tasked with recommending a solution to address the CIO's concerns. Which of the following is the BEST approach to achieving the objective by encrypting all sensitive data?. Use a Secure Hash Algorithm 256 (SHA-256). Use Rivest-Shamir-Adleman (RSA) keys. Use a hierarchy of encryption keys. Use Hash Message Authentication Code (HMAC) keys.

Which of the following is a MUST for creating a new custom-built, cloud-native application designed to be horizontally scalable?. Network as a Service (NaaS). Platform as a Service (PaaS). Infrastructure as a Service (IaaS). Software as a Service (SaaS).

Which of the following access control mechanisms characterizes subjects and objects using a set of encoded security-relevant properties?. Mandatory access control (MAC). Role-based access control (RBAC). Attribute-based access control (ABAC). Discretionary access control (DAC).

Which kind of dependencies should be avoided when implementing secure design principles in software-defined networking (SDN)?. Hybrid. Circular. Dynamic. Static.

Which mechanism provides the BEST protection against buffer overflow attacks in memory?. Address Space Layout Randomization (ASLR). Memory management unit. Stack and heap allocation. Dynamic random access memory (DRAM).

Which of the following terms is used for online service providers operating within a federation?. Active Directory Federation Services (ADFS). Relying party (RP). Single sign-on (SSO). Identity and access management (IAM).

The Chief Information Security Officer (CISO) of a large financial institution is responsible for implementing the security controls to protect the confidentiality and integrity of the organization’s Information Systems. Which of the controls below is prioritized FIRST?. Firewall and reverse proxy. Web application firewall (WAF) and HyperText Transfer Protocol Secure (HTTPS). Encryption of data in transit and data at rest. Firewall and intrusion prevention system (IPS).

Who is the BEST person to review developed application code to ensure it has been tested and verified?. A developer who knows what is expected of the application, but not the same one who developed it. A member of quality assurance (QA) should review the developer’s code. A developer who understands the application requirements document, and who also developed the code. The manager should review the developer’s application code.

A bank failed to meet service-level agreements (SLA) with customers after suffering from a database failure of the transaction processing system (TPS) that resulted in delayed financial deposits. A regulatory agency overseeing the bank would like to determine if the cause of the delay was a material weakness. Which of the following documents is MOST relevant for the regulatory agency to review?. Business continuity plan (BCP). Business impact analysis (BIA). Continuity of Operations Plan (COOP). Enterprise resource planning (ERP).

What is the MOST effective way to ensure that a cloud service provider does not access a customer’s data stored within its infrastructure?. Use the organization’s encryption tools and data management controls. Ensure that the cloud service provider will contractually not access data unless given explicit authority. Request audit logs on a regular basis. Utilize the cloud provider’s key management and elastic hardware security module (HSM) support.

Prohibiting which of the following techniques is MOST helpful in preventing users from obtaining confidential data by using statistical queries?. Sequences of queries that refer repeatedly to the same population. Repeated queries that access multiple databases. Selecting all records from a table and displaying all columns. Running queries that access sensitive data.

Which of the following is a major component of the federated identity management (FIM) implementation model and used to establish a network between dozens of organizations?. Identity as a Service (IDaaS). Attribute-based access control (ABAC). Cross-certification. Trusted third party (TTP).

A Chief Information Security Officer (CISO) is considering various proposals for evaluating security weaknesses and vulnerabilities at the source code level. Which of the following items BEST equips the CISO to make smart decisions for the organization?. The Common Weakness Risk Analysis Framework (CWRAF). The Common Vulnerabilities and Exposures (CVE). The Common Weakness Enumeration (CWE). The Open Web Application Security Project (OWASP) Top Ten.

Which of the following methods is MOST effective in mitigating Cross-Site Scripting (XSS) vulnerabilities within HyperText Markup Language (HTML) websites?. Use antivirus and endpoint protection on the server to secure the web-based application. Place the web-based system in a defined Demilitarized Zone (DMZ). Use .NET framework with .aspx extension to provide a higher level of security to the web application so that the web server display can be locked down. Not returning any HTML tags to the browser client.

Which of the following MOST accurately describes the Security Target (ST) in the Common Criteria framework?. The set of rules that define how resources or assets are managed and protected. A product independent set of security criteria for a class of products. The product and documentation to be evaluated. The product and documentation to be evaluated.

An organization has approved deployment of a virtual environment for the development servers and has established controls for restricting access to resources. In order to implement best security practices for the virtual environment, the security team MUST also implement which of the following steps?. Implement a dedicated management network for the hypervisor. Deploy Terminal Access Controller Access Control System Plus (TACACS+) for authentication. Implement complex passwords using Privileged Access Management (PAM). Capture network traffic for the network interface.

Which of the following is a weakness of the Data Encryption Standard (DES)?. Block encryption scheme. Use of same key for encryption and decryption. Publicly disclosed algorithm. Inadequate key length.

What are facets of trustworthy software in supply chain operations?. Functionality, safety, reliability, integrity, and accuracy. Confidentiality, integrity, availability, authenticity, and possession. Safety, reliability, availability, resilience, and security. Reparability, security, upgradability, functionality, and accuracy.

In order to meet the project delivery deadline, a web application developer used readily available software components. Which is the BEST method for reducing the risk associated with this practice?. Ensure developers are using approved software development frameworks. Obtain components from official sources over secured link. Ensure encryption of all sensitive data in a manner that protects and defends against threats. Implement a process to verify the effectiveness of the software components and settings.

To ensure proper governance of information throughout the lifecycle, which of the following should be assigned FIRST?. Owner. Classification. Custodian. Retention.

An effective information security strategy is PRIMARILY based upon which of the following?. Risk management practices. Security budget constraints. Security control implementation. Industry and regulatory standards.

One of Canada’s leading pharmaceutical firms recently hired a Chief Data Officer (CDO) to oversee its data privacy program. The CDO has discovered the firm’s marketing department has been collecting information from individuals without their knowledge and consent via the company website. Which of the following privacy regulations should concern the CDO regarding this practice?. The Health Insurance Portability and Accountability Act (HIPAA). The Privacy Act of 1974. The Fair Information Practice Principles (FIPPs). The Personal Information Protection and Electronic Documents Act.

An organization is attempting to strengthen the configuration of its enterprise resource planning (ERP) software in order to enforce sufficient segregation of duties (SoD). Which of the following approaches would BEST improve SoD effectiveness?. Implementation of frequent audits of access and activity in the ERP by a separate team with no operational duties. Implementation of strengthened authentication measures including mandatory second-factor authentication. Review of ERP access profiles to enforce the least-privilege principle based on existing employee responsibilities. Review of employee responsibilities and ERP access profiles to differentiate mission activities from system support activities.

Which type of log collection is focused on detecting and responding to attacks, malware infection, and data theft?. Intrusion detection. Operational. Security. Compliance.

If a medical analyst independently provides protected health information (PHI) to an external marketing organization, which ethical principle is this a violation of?. Higher ethic in the worst case. Informed consent. Change of scale test. Privacy regulations.

Which of the following measures is the MOST critical in order to safeguard from a malware attack on a smartphone?. Enable strong password. Install anti-virus for mobile. Enable biometric authentication. Prevent jailbreaking or rooting.

Which of the following Secure Shell (SSH) remote access practices is MOST suited for scripted functions?. Restricting authentication by Internet Protocol (IP) address. Requiring multi-factor authentication (MFA). Implementing access credentials management tools. Using public key-based authentication method.

Which stage in the identity management (IdM) lifecycle constitutes the GREATEST risk for an enterprise if performed incorrectly?. Propagating. Deprovisioning. Provisioning. Maintaining.

Which of the following reports provides the BEST attestation of detailed controls when evaluating an Identity as a Service (IDaaS) solution?. Service Organization Control (SOC) 1. Service Organization Control (SOC) 2. Service Organization Control (SOC) 3. Statement on Auditing Standards (SAS) 70.

Single sign-on (SSO) for federated identity management (FIM) must be implemented and managed so that authorization mechanisms protect access to privileged information using OpenID Connect (OIDC) token or Security Assertion Markup Language (SAML) assertion. What is the BEST method to use to protect them?. Pass data in a bearer assertion, only signed by the identity provider. Tokens and assertion should use base64 encoding to assure confidentiality. Use a challenge and response mechanism such as Challenge Handshake Authentication Protocol (CHAP). The access token or assertion should be encrypted to ensure privacy.

The client of a security firm reviewed a vulnerability assessment report and claims the report is inaccurate. The client states that the vulnerabilities listed are not valid because the host’s operating system (OS) was not properly detected. Where in the vulnerability assessment process did the error MOST likely occur?. Report writing. Detection. Enumeration. Scanning.

For a victim of a security breach to prevail in a negligence claim, what MUST the victim establish?. Concern. Breach of contract. Proximate cause. Hardship.

A large international organization that collects information from its consumers has contracted with a Software as a Service (SaaS) cloud provider to process this data. The SaaS cloud provider uses additional data processing to demonstrate other capabilities it wishes to offer to the data owner. This vendor believes additional data processing activity is allowed since they are not disclosing to other organizations. Which of the following BEST supports this rationale?. The data was encrypted at all times and only a few cloud provider employees had access. As the data owner, the cloud provider has the authority to direct how the data will be processed. As the data processor, the cloud provider has the authority to direct how the data will be processed. The agreement between the two parties is vague and does not detail how the data can be used.

A security engineer is conducting an audit of an organization’s Voice over Internet Protocol (VoIP) phone network due to a large increase in charges from their phone provider. The engineer discovers unauthorized endpoints have connected to the phone server from the public internet and placed hundreds of unauthorized calls to parties around the globe. Which type of attack occurred?. Control eavesdropping. Toll fraud. Call hijacking. Address spoofing.

An organization is looking to improve threat detection on their wireless network. The company goal is to automate alerts to improve response efforts. Which of the following best practices should be implemented FIRST?. Deploy a standalone guest Wi-Fi network. Implement multi-factor authentication (MFA) on all domain accounts. Deploy a wireless intrusion detection system (IDS). Implement 802.1x authentication.

Security personnel should be trained by emergency management personnel in what to do before and during a disaster, as well as their role in recovery efforts. Personnel should take required training for emergency response procedures and protocols. Which part of physical security design does this fall under?. Legal concerns. Loss prevention. Emergency preparedness. Liability for employee conduct.

How is protection for hypervisor host and software administration functions BEST achieved?. Enforce network controls using a host-based firewall. Deploy the management interface in a dedicated virtual network segment. The management traffic pathway should have separate physical network interface cards (NIC) and network. Deny permissions to specific virtual machines (VM) groups and objects.

To ensure compliance with the General Data Protection Regulation (GDPR), who in the organization should the help desk manager confer with before selecting a Software as a Service (SaaS) solution?. Data owner. Database administrator (DBA). Data center manager. Data Protection Officer (DPO).

An Information System Security Officer (ISSO) employed by a large corporation, while also freelancing in a similar role for a competitor, violates what canon of the (ISC)2 Code of Professional Ethics?. Advance and protect the profession. Provide diligent and competent service to principals. Act honorably, honestly, justly, responsibly, and legally. Protect society, the commonwealth, and the infrastructure.

Which is the FIRST action the Incident Response team should take when an incident is suspected?. Choose a containment strategy. Record all facts regarding the incident. Attempt to identify the attacker. Notify management of the incident.

A hospital has three data classification levels: shareable without restrictions, shareable with restrictions, and internal use only. Which of the following BEST demonstrates adhering to principles of good enterprise data classification?. A printout of the employee code of conduct marked “shareable with restrictions” is posted in the hallway where patients have access. A printout of the employee code of conduct marked “internal use only” is posted in the waiting room. A memo regarding a newly discovered data breach marked as “internal use only” is posted on the wall in the employee lunchroom. An electronic health record (EHR) with personally identifiable information (PII) marked as “shareable with restrictions” is found in the employee lunchroom.

A web application requires users to register before they can use its services. Users must choose a unique username and a password that contains a minimum of eight characters. Which method MUST be used to store these passwords to ensure offline attacks are difficult?. Use an encryption algorithm that is fast with a random per-user encryption key. Use a hash function that is fast with a per-user random salt. Use a hash function with a cost factor and a per-user random salt. Use an encryption algorithm with a random master key.

Which of the following is the PRIMARY objective of performing scans with an active discovery tool?. Discovering virus and malware activity. Discovering changes for security configuration management (CM). Asset identification (ID) and inventory management. Vulnerability management and remediation.

A large law firm would like to enable employees to participate in a bring your own device (BYOD) program. Only devices with up-to-date antivirus and operating system (OS) patches will be allowed on the network. Which solution will BEST enforce the security requirements?. Endpoint Detection and Response. Next-Generation Firewall. Intrusion detection and prevention system (IDPS). Network Access Control (NAC).

A security operations center (SOC) discovers a recently deployed router beaconing to a malicious website. Replacing the router fixes the issue. What is the MOST likely cause of the router’s behavior?. The network administrator failed to reconfigure the router’s access control list (ACL). The router was damaged during shipping or installed incorrectly. The router was counterfeit and acquired through unauthorized channels. The network administrator failed to update the router’s firmware.

The principle that personally identifiable information (PII) should be kept up-to-date and relevant to the purposes for which it is to be used is attributed to which fair information practice per the United States (US) Organization for Economic Cooperation and Development (OECD)?. Purpose Specification. Security Safeguards. Collection Limitation. Data Quality.

Which of the following are common components of a Security Assertion Markup Language (SAML) based federation system?. Client, Service Provider, identity provider (IdP), Token. Client, Service Provider, Resource Server, Grant. Client, Authorization Server, identity provider (IdP), Claim. Client, Authorization Server, Resource Server, Assertion.

Which of the following is the MOST effective way to ensure hardware and software remain updated throughout an organization?. Performance of frequent security configuration audits. Performance of regular vulnerability scans. Use an inventory management tool. Use an automated configuration monitoring system.

When developing an electronic health record (EHR) in the United States (US), which of the following would be the BEST source of information for any compliance requirements?. World Health Organization (WHO). International Organization for Standardization (ISO). Health and Human Services (HHS). American Public Health Association (APHA).

An organization suspects it is receiving spoofed e-mails from a foreign-hosted web e-mail service. Where can the MOST relevant information be found to begin the process of identifying the perpetrator?. E-mail logs from foreign-hosted web server. Message header of received e-mails. Traffic logs from the corporate firewall. Log files of the corporate Simple Mail Transfer Protocol (SMTP) server.

A new internal auditor is tasked with auditing the supply chain. The system owner stated that the last internal auditor was terminated because the auditor discovered too many deficient controls. The auditor reports this conversation to their manager. Which of the following audit integrity principles BEST applies to this situation?. Demonstrate competence while performing professional duties. Perform professional duties with honesty, diligence, and responsibility. Perform professional duties in accordance with company policy. Be aware of any influences that may be exerted on professional judgement.