A tarpit, or a system that looks vulnerable but actually is intended to slow down attackers, is an example of what type of technique?
A. A passive defense
B. A sticky defense
C. An active defense
D. A reaction-based defense

Manesh downloads a new security tool and checks its MD5. What does she know about the software she downloaded if she receives the following message:
root@demo:~# md5sum -c demo.md5
demo.txt: FAILED
md5sum: WARNING: 1 computed checksum did NOT match
A. The file has been corrupted.
B. Attackers have modified the file.
C. The files do not match.
D. The test failed and provided no answer.

9. A. Measured boot B. TPM C. Remote attestation D. Signed BIOS.

An access control system that relies on the operating system to constrain the ability of a subject to perform operations is an example of what type of access control system?
A. A discretionary access control system
B. A role-based access control system
C. A mandatory access control system
D. A level-based access control system

Carol wants to analyze a malware sample that she has discovered. She wants to run the sample safely while capturing information about its behavior and impact on the system it infects. What type of tool should she use?
A. A static code analysis tool
B. A dynamic analysis sandbox tool
C. A Fagan sandbox
D. A decompiler running on an isolated VM

Susan is reviewing files on a Windows workstation and believes that cmd.exe has been replaced with a malware package. Which of the following is the best way to validate her theory?
A. Submit cmd.exe to VirusTotal.
B. Compare the hash of cmd.exe to a known good version.
C. Check the file using the National Software Reference Library.
D. Run cmd.exe to make sure its behavior is normal.

Padma is evaluating the security of an application developed within her organization. She would like to assess the application's security by supplying it with invalid inputs. What technique is Padma planning to use?
A. Fault injection
B. Stress testing
C. Mutation testing
D. Fuzz testing

22. A. Waterfall B. Spiral C. Agile D. RAD.

Which one of the following technologies is not typically used to implement network segmentation?
A. Host firewall
B. Network firewall
C. VLAN tagging
D. Routers and switches

Which one of the following approaches is an example of a formal code review process?
A. Pair programming
B. Over-the-shoulder
C. Fagan inspection
D. Pass-around code review

Mia would like to ensure that her organization's cybersecurity team reviews the architecture of a new ERP application that is under development. During which SDLC phase should Mia expect the security architecture to be completed?
A. Analysis and Requirements Definition
B. Design
C. Development
D. Testing and Integration

Olivia's next task is to test the code for a new mobile application. She needs to test it by executing the code and intends to provide the application with input based on testing scenarios created by the development team as part of their design work. What type of testing will Olivia conduct?
A. Dynamic analysis
B. Fagan analysis
C. Regression analysis
D. Static analysis

After completing the first round of tests for her organization's mobile application, Olivia has discovered indications that the application may not handle unexpected data well. What type of testing should she conduct if she wants to test it using an automated tool that will check for this issue?
A. Fault injection
B. Fagan testing
C. Fuzzing
D. Failure injection

The Open Web Application Security Project (OWASP) maintains a listing of the most important web application security controls. Which one of these items is least likely to appear on that list?
A. Implement identity and authentication controls
B. Implement appropriate access controls
C. Obscure web interface locations
D. Leverage security frameworks and libraries

What type of network device is most commonly used to connect two or more networks to forward traffic between them?
A. A switch
B. A firewall
C. A router
D. An IPS

Angela's multifactor deployment includes the ability to use text (SMS) messages to send the second factor for authentication. What issues should she point to?
A. VoIP hacks and SIM swapping
B. SMS messages are logged on the recipient's phones
C. PIN hacks and SIM swapping
D. VoIP hacks and PIN hacks

Keith needs to manage digital keys, and he wants to implement a hardware security module in his organization. What U.S. government standard are hardware security modules often certified against?
A. PCI-DSS
B. HSM-2015
C. FIPS 140-2
D. CA-Check

What type of access control system relies on the operating system to control the ability of subjects to perform actions on objects through a set of policies controlled by a policy administrator?
A. RBAC
B. MAC
C. DAC
D. ABAC

Kalea wants to prevent DoS attacks against her serverless application from driving up her costs when using a cloud service. What technique is not an appropriate solution for her need?
A. Horizontal scaling
B. API keys
C. Setting a cap on API invocations for a given timeframe
D. Using timeouts

Which of the following is not a common identity protocol for federation?
A. SAML
B. OpenID
C. OAuth
D. Kerberos

Donna has been assigned as the security lead for a DevSecOps team building a new web application. As part of the effort, she has to oversee the security practices that the team will use to protect the application. Use your knowledge of secure coding practices to help Donna guide her team through this process.
A member of Donna's security team suggests that output encoding should also be considered. What type of attack is the team member most likely attempting to prevent?
A. Cross-site scripting
B. SQL injection
C. Cross-site request forgery
D. All of the above

Alex has deployed a new model of network-connected Internet of Things (IoT) devices throughout his organization's facilities to track environmental data. The devices use a system on a chip (SOC) and Alex is concerned about potential attacks. What is the most likely exploit channel for SOCs in this environment?
A. Physical attacks
B. Attacks via an untrusted foundry
C. Attacks against the operating system and software
D. Side channel attacks

What practice is typical in a DevSecOps organization as part of a CI/CD pipeline?
A. Automating some security gates
B. Programmatic implementation of zero-day vulnerabilities
C. Using security practitioners to control the flow of the CI/CD pipeline
D. Removing security features from the IDE

Nathan is reviewing PHP code for his organization and finds the following code in the application he is assessing. What technique is the developer using?
$stmt = $dbh->prepare("INSERT INTO REGISTRY (var1, var2) VALUES (:var1, :var2)");
$stmt->bindParam(':var1', $var1);
$stmt->bindParam(':var2', $var2);
A. Dynamic binding
B. Parameterized queries
C. Variable limitation
D. None of the above

Anja is assessing the security of a SOAP-based web service implementation. Which of the following web service security requirements should she recommend to reduce the likelihood of a successful man-in-the-middle attack?
A. Use TLS.
B. Use XML input validation.
C. Use XML output validation.
D. Virus-scan files received by the web service.

Which of the following components is not part of a typical SOAP message?
A. The envelope
B. The header
C. The stamp
D. The body

How are requests in REST-based web services typically structured?
A. As XML
B. As a URL
C. As a SQL query
D. As a SOAP statement

Dev wants to use Secure Boot on a workstation. What technology must his workstation use to support Secure Boot?
A. BIOS
B. ROM
C. UEFI
D. TPM

What requirements must be met for a trusted execution environment to exist?
A. All trusted execution environment assets must have been installed and started securely.
B. The trusted execution environment must be verified and certified by a third party.
C. The trusted execution environment must be verified and approved by the end user.
D. Only trusted components built into the operating system can be run in a trusted execution environment.

Which one of the following websites would not be covered by this certificate?
A. nd.edu
B. www.nd.edu
C. www.business.nd.edu
D. All of these sites would be covered by the certificate.

After Tom initiates a connection to the website, what key is used to encrypt future communications from the web server to Tom?
A. The website's public key
B. The website's private key
C. Tom's public key
D. The session key

What is the key difference between a secured boot chain and a measured boot chain?
A. A secured boot chain depends on a root of trust.
B. A measured boot chain computes the hash of the next object in the chain and stores it securely.
C. A secured boot chain computes the hash of the next object in the chain and stores it securely.
D. A measured boot chain depends on a root of trust.

Encrypted data transmission from a CPU to a GPU is an example of what type of technology?
A. Secure Enclave
B. Bus encryption
C. Hardware security module
D. Software security module

Saeed wants to ensure that devices procured by his company are captured in inventory and tracked throughout their lifespan via physical inventory tracking methods. What can he do to make sure that the assets are easier to quickly identify against an asset inventory?
A. Record them in a database
B. Record them via paper forms
C. Use asset tagging
D. Use hardware address-based tagging

Micro-probing, applying unexpected or out-of-specification voltages or clock signals, and freezing a device are all examples of types of attacks prevented by what type of technique?
A. DRM
B. Anti-theft
C. Anti-tamper
D. Fault tolerance

Patricia wants to protect updated firmware for her organization's proprietary hardware when it is installed and is concerned about third parties capturing the information as it is transferred between the host system and the hardware device. What type of solution should she use to protect the data in transit if the device is a PCIe internal card?
A. Bus encryption
B. CPU encryption
C. Full-disk encryption
D. DRM

Piper wants to delete the contents of a self-encrypting drive (SED). What is the fastest way to securely do so?
A. Use a full-drive wipe following DoD standards.
B. Delete the encryption key for the drive.
C. Use a degausser.
D. Format the drive.

Although both Secure Boot and Measured Boot processes rely on a chain of trust, only one validates the objects in the chain. Which technology does this and what process does it follow?
A. A Secured Boot chain validates the boot objects using private keys to check against public keys already in the BIOS.
B. A Measured Boot chain computes the hash of the next object in the chain and compares it to the hash of the previous object.
C. A Secured Boot chain computes the hash of the next object in the chain and compares it to the hash of the previous object.
D. A Measured Boot chain validates the boot objects using private keys to check against public keys already in the BIOS.

Support for AES, 3DES, ECC, and SHA-256 are all examples of what?
A. Encryption algorithms
B. Hashing algorithms
C. Processor security extensions
D. Bus encryption modules

What types of attacks can API keys help prevent when used to limit access to a REST-based service?
A. Brute-force attacks
B. Time-of-access/time-of-use attacks
C. Man-in-the-middle attacks
D. Denial-of-service attacks

Scott has been asked to review his infrastructure for any other critical points of failure. If point E is an edge router and individual workstations are not considered mission critical, what issue should he identify?
A. Point D
B. Point E
C. Point F
D. None of the above

Which of the following is not a common use case for network segmentation?
A. Creating a VoIP network
B. Creating a shared network
C. Creating a guest wireless network
D. Creating trust zones

Kwame discovers that secrets for a microservice have been set as environment variables on the Linux host that he is reviewing using the following command:
docker run -it -e "DBUSER=appsrv" -e "DBPASSWD=secure11" dbappsrv
Which processes can read the environment variables?
A. The dbuser
B. The Docker user
C. All processes on the system
D. Root and other administrative users

What three layers make up a software-defined network?
A. Application, Datagram, and Physical layers
B. Application, Control, and Infrastructure layers
C. Control, Infrastructure, and Session layers
D. Data link, Presentation, and Transport layers

Micah is designing a containerized application security environment and wants to ensure that the container images he is deploying do not introduce security issues due to vulnerable applications. What can he integrate into the CI/CD pipeline to help prevent this?
A. Automated checking of application hashes against known good versions
B. Automated vulnerability scanning
C. Automated fuzz testing
D. Automated updates

Camille wants to integrate with a federation. What will she need to authenticate her users to the federation?
A. An IDP
B. An SP
C. An API gateway
D. An SSO server

What key functionality do enterprise privileged account management tools provide?
A. Password creation
B. Access control to individual systems
C. Entitlement management across multiple systems
D. Account expiration tools

Nathaniel wants to use an access control system that takes into account information about resources like the resource owner, filename, and data sensitivity. What type of access control system should he use?
A. ABAC
B. DAC
C. MAC
D. RBAC

Bob wants to deploy a VPN technology with granular access controls for applications that are enforced at the gateway. Which VPN technology is best suited to this requirement?
A. IKE VPNs
B. TLS VPNs
C. X.509 VPNs
D. IPsec VPNs

Alaina wants to identify only severe kernel issues on a Linux system, and she knows that log levels for the kernel range from level 0 to level 7. Which of the following levels is the most severe?
A. Level 1, KERN_ALERT
B. Level 2, KERN_CRIT
C. Level 4, KERN_WARNING
D. Level 7, KERN_DEBUG

Scott has been asked to select a software development model for his organization and knows that there are a number of models that may make sense for what he has been asked to accomplish. Use your knowledge of SDLC models to identify an appropriate model for each of the following requirements.
Scott's organization needs basic functionality of the effort to become available as soon as possible and wants to involve the teams that will use it heavily to ensure that their needs are met. What model should Scott recommend?
A. Waterfall
B. Spiral
C. Agile
D. Rapid Application Development

At the end of his development cycle, what SDLC phase will Scott enter as the new application is installed and replaces the old code?
A. User acceptance testing
B. Testing and integration
C. Disposition
D. Redesign

Sofía wants to ensure that the ICs in the new device that her commercial consumer products company is releasing cannot be easily reverse engineered. Which technique is not an appropriate means of meeting her requirement?
A. Use a trusted foundry.
B. Encase the IC in epoxy.
C. Design the chip to zeroize sensitive data if its security encapsulation fails.
D. Design the chip to handle out-of-spec voltages and clock signals.

Alaina wants to implement a modern service-oriented architecture (SOA) that relies on HTTP-based commands, works well in limited bandwidth environments, and can handle multiple data formats beyond XML. What should she build her SOA in?
A. SOAP
B. Waterfall
C. REST
D. CAVE

Abigail is performing input validation against an input field and uses the following regular expression:
^(AA|AE|AP|AL|AK|AS|AZ|AR|CA|CO|CT|DE|DC|FM|FL|GA|GU|HI|ID|IL|IN|IA|KS|KY|LA|ME|MH|MD|MA|MI|MN|MS|MO|MT|NE|NV|NH|NJ|NM|NY|NC|ND|MP|OH|OK|OR|PW|PA|PR|RI|SC|SD|TN|TX|UT|VT|VI|VA|WA|WV|WI|WY)$
What is she checking with the regular expression?
A. She is removing all typical special characters found in SQL injection.
B. She is checking for all U.S. state names.
C. She is removing all typical special characters for cross-site scripting attacks.
D. She is checking for all U.S. state name abbreviations.

Lara has been assigned to assess likely issues with an embedded system used for building automation and control. Which of the following software assurance issues is least likely to be of concern for her organization?
A. Lack of updates and difficulty deploying them
B. Long life cycle for the embedded devices
C. Assumptions of network security where deployed
D. Use of proprietary protocols

Kristen wants to securely store passwords and knows that a modern password hashing algorithm is her best option. Which of the following should she choose?
A. SHA-256
B. bcrypt
C. MD5
D. SHA-512

Liam wants to protect data at rest in a SaaS service. He knows that he needs to consider his requirements differently in his cloud environment than in an on-premises environment. What option can he use to ensure that the data is encrypted when it is stored?
A. Install a full-disk encryption tool.
B. Install column-level encryption.
C. Select a SaaS service that supports encryption at rest.
D. Hire an independent auditor to validate the encryption.

Greg wants to prevent SQL injection in a web application he is responsible for. Which of the following is not a common defense against SQL injection?
A. Prepared statements with parameterized queries
B. Output validation
C. Stored procedures
D. Escaping all user-supplied input

What type of assertion is made to an SP in a SAML authentication process?
A. The user's password
B. Who the user is
C. Who the SP is
D. What rights the user has

Michelle wants to acquire data from a self-encrypting drive. When is the data on the drive unencrypted and accessible?
A. Data is unencrypted before the system boots.
B. Data is unencrypted after the OS boots.
C. Data is unencrypted only when it is read from the drive.
D. Data is never unencrypted.

What term describes hardware security features built into a CPU?
A. Atomic execution
B. Processor security extensions
C. Processor control architecture
D. Trusted execution

Angela wants to provide her users with a VPN service and does not want them to need to use client software. What type of VPN should she set up?
A. IPsec
B. Air gap
C. VPC
D. SSL/TLS

Nathan is designing the logging infrastructure for his company and wants to ensure that a compromise of a system will not result in the loss of that system's logs. What should he do to protect the logs?
A. Limit log access to administrators.
B. Encrypt the logs.
C. Rename the log files from their common name.
D. Send the logs to a remote server.

What type of software testing most frequently happens during the development phase?
A. Unit testing
B. User acceptance testing
C. Fuzzing
D. Stress testing

Amanda's first task is to determine if there are alternative solutions that are more cost effective than in-house development. What phase is she in?
A. Design
B. Operations and maintenance
C. Feasibility
D. Analysis and requirements definition

What phase of the SDLC typically includes the first code analysis and unit testing in the process?
A. Analysis and requirements definition
B. Design
C. Coding
D. Testing and integration

After making it through most of the SDLC process, Amanda has reached point E on the diagram. What occurs at point E?
A. Disposition
B. Training and transition
C. Unit testing
D. Testing and integration