CASP 5

A security company is developing a new cloud-based log analytics platform. Its purpose is to
allow:
Customers to upload their log files to the “big data” platform
Customers to perform remote log search
Customers to integrate into the platform using an API so that third party business intelligence tools
can be used for the purpose of trending, insights, and/or discovery
Which of the following are the BEST security considerations to protect data from one customer
being disclosed to other customers? (Select THREE).

A. Secure storage and transmission of API keys
B. Secure protocols for transmission of log files and search results
C. At least two years retention of log files in case of e-discovery requests
D. Multi-tenancy with RBAC support
E. Sanitizing filters to prevent upload of sensitive log file contents
F. Encrypted storage of all customer log files

A. Secure storage and transmission of API keys
B. Secure protocols for transmission of log files and search results
D. Multi-tenancy with RBAC support
A penetration tester is assessing a mobile banking application. Man-in-the-middle attempts via an
HTTP intercepting proxy are failing with SSL errors. Which of the following controls has likely been
implemented by the developers?

A. SSL certificate revocation
B. SSL certificate pinning
C. Mobile device root-kit detection
D. Extended Validation certificates

B. SSL certificate pinning
During a software development project review, the cryptographic engineer advises the project
manager that security can be greatly improved by significantly slowing down the runtime of a
hashing algorithm and increasing the entropy by passing the input and salt back during each
iteration. Which of the following BEST describes what the engineer is trying to achieve?

A. Monoalphabetic cipher
B. Confusion
C. Root of trust
D. Key stretching
E. Diffusion

D. Key stretching
The threat abatement program manager tasked the software engineer with identifying the fastest
implementation of a hash function to protect passwords with the least number of collisions. Which
of the following should the software engineer implement to best meet the requirements?

A. hash = sha512(password + salt);
   for (k = 0; k < 4000; k++) { hash = sha512 (hash); }
B. hash = md5(password + salt);
   for (k = 0; k < 5000; k++) { hash = md5 (hash); }
C. hash = sha512(password + salt);
   for (k = 0; k < 3000; k++) { hash = sha512 (hash + password + salt);}
D. hash1 = sha1(password + salt);
   hash = sha1 (hash1);

C. hash = sha512(password + salt);
   for (k = 0; k < 3000; k++) { hash = sha512 (hash + password + salt);}
A security engineer at a bank has detected a Zeus variant, which relies on covert communication
channels to receive new instructions and updates from the malware developers. As a result, NIPS
and AV systems did not detect the configuration files received by staff in emails that appeared as
normal files. Which of the following BEST describes the technique used by the malware
developers?

A. Perfect forward secrecy
B. Steganography
C. Diffusion
D. Confusion
E. Transport encryption

B. Steganography
A security engineer wants to implement forward secrecy but still wants to ensure the number of
requests handled by the web server is not drastically reduced due to the larger computational
overheads. Browser compatibility is not a concern; however system performance is. Which of the
following, when implemented, would BEST meet the engineer’s requirements?

A. DHE
B. ECDHE
C. AES128-SHA
D. DH

B. ECDHE
An IT administrator has been tasked by the Chief Executive Officer with implementing security
using a single device based on the following requirements:
1. Selective sandboxing of suspicious code to determine malicious intent.
2. VoIP handling for SIP and H.323 connections.
3. Block potentially unwanted applications.
Which of the following devices would BEST meet all of these requirements?

A. UTM
B. HIDS
C. NIDS
D. WAF
E. HSM

A. UTM
The Chief Executive Officer (CEO) has asked the IT administrator to protect the externally facing
web server from SQL injection attacks and ensure the backend database server is monitored for
unusual behavior while enforcing rules to terminate unusual behavior. Which of the following
would BEST meet the CEO’s requirements?

A. WAF and DAM
B. UTM and NIDS
C. DAM and SIEM
D. UTM and HSM
E. WAF and SIEM

A. WAF and DAM
The risk manager has requested a security solution that is centrally managed, can easily be updated,
and protects end users’ workstations from both known and unknown malicious attacks when
connected to either the office or home network. Which of the following would BEST meet
this requirement?

A. HIPS
B. UTM
C. Antivirus
D. NIPS
E. DLP

A. HIPS
An IT administrator has been tasked with implementing an appliance-based web proxy server to
control external content accessed by internal staff. Concerned with the threat of corporate data
leakage via web-based email, the IT administrator wants to decrypt all outbound HTTPS sessions
and pass the decrypted content to an ICAP server for inspection by the corporate DLP software.
Which of the following is BEST at protecting the internal certificates used in the decryption
process?

A. NIPS
B. HSM
C. UTM
D. HIDS
E. WAF
F. SIEM

B. HSM
A security manager is concerned about performance and patch management, and, as a result,
wants to implement a virtualization strategy to avoid potential future OS vulnerabilities in the host
system. The IT manager wants a strategy that would provide the hypervisor with direct
communications with the underlying physical hardware allowing the hardware resources to be
paravirtualized and delivered to the guest machines. Which of the following recommendations
from the server administrator BEST meets the IT and security managers’ requirements? (Select
TWO).

A. Nested virtualized hypervisors
B. Type 1 hypervisor
C. Hosted hypervisor with a three layer software stack
D. Type 2 hypervisor
E. Bare metal hypervisor with a software stack of two layers

B. Type 1 hypervisor
E. Bare metal hypervisor with a software stack of two layers
Joe, a hacker, has discovered he can specifically craft a webpage that when viewed in a browser
crashes the browser and then allows him to gain remote code execution in the context of the
victim’s privilege level. The browser crashes due to an exception error when a heap memory that
is unused is accessed. Which of the following BEST describes the application issue?

A. Integer overflow
B. Click-jacking
C. Race condition
D. SQL injection
E. Use after free
F. Input validation

E. Use after free
A large hospital has implemented BYOD to allow doctors and specialists the ability to access
patient medical records on their tablets. The doctors and specialists access patient records over
the hospital’s guest WiFi network which is isolated from the internal network with appropriate
security controls. The patient records management system can be accessed from the guest
network and requires two factor authentication. Using a remote desktop type interface, the doctors
and specialists can interact with the hospital’s system. Cut and paste and printing functions are
disabled to prevent the copying of data to BYOD devices. Which of the following are of MOST
concern? (Select TWO).

A. Privacy could be compromised as patient records can be viewed in uncontrolled areas.
B. Device encryption has not been enabled and will result in a greater likelihood of data loss.
C. The guest WiFi may be exploited allowing non-authorized individuals access to confidential
patient data.
D. Malware may be on BYOD devices which can extract data via key logging and screen scrapes.
E. Remote wiping of devices should be enabled to ensure any lost device is rendered inoperable.

A. Privacy could be compromised as patient records can be viewed in uncontrolled areas.
D. Malware may be on BYOD devices which can extract data via key logging and screen scrapes.
A high-tech company dealing with sensitive data seized the mobile device of an employee
suspected of leaking company secrets to a competitive organization. Which of the following is the
BEST order for mobile phone evidence extraction?

A. Device isolation, evidence intake, device identification, data processing, verification of data
accuracy, documentation, reporting, presentation and archival.
B. Evidence intake, device identification, preparation to identify the necessary tools, device
isolation, data processing, verification of data accuracy, documentation, reporting, presentation
and archival.
C. Evidence log, device isolation, device identification, preparation to identify the necessary tools,
data processing, verification of data accuracy, presentation and archival.
D. Device identification, evidence log, preparation to identify the necessary tools, data processing,
verification of data accuracy, device isolation, documentation, reporting, presentation and archival.

B. Evidence intake, device identification, preparation to identify the necessary tools, device
isolation, data processing, verification of data accuracy, documentation, reporting, presentation
and archival.
A company is in the process of implementing a new front end user interface for its customers; the
goal is to provide them with more self service functionality. The application has been written by
developers over the last six months and the project is currently in the test phase.
Which of the following security activities should be implemented as part of the SDL in order to
provide the MOST security coverage over the solution? (Select TWO).

A. Perform unit testing of the binary code
B. Perform code review over a sampling of the front end source code
C. Perform black box penetration testing over the solution
D. Perform grey box penetration testing over the solution
E. Perform static code review over the front end source code

D. Perform grey box penetration testing over the solution
E. Perform static code review over the front end source code
A company is in the process of outsourcing its customer relationship management system to a
cloud provider. It will host the entire organization’s customer database. The database will be
accessed by both the company’s users and its customers. The procurement department has
asked what security activities must be performed for the deal to proceed. Which of the following
are the MOST appropriate security activities to be performed as part of due diligence? (Select
TWO).

A. Physical penetration test of the datacenter to ensure there are appropriate controls.
B. Penetration testing of the solution to ensure that the customer data is well protected.
C. Security clauses are implemented into the contract such as the right to audit.
D. Review of the organization’s security policies, procedures and relevant hosting certifications.
E. Code review of the solution to ensure that there are no back doors located in the software.

C. Security clauses are implemented into the contract such as the right to audit.
D. Review of the organization’s security policies, procedures and relevant hosting certifications.
A developer is determining the best way to improve security within the code being developed. The
developer is focusing on input fields where customers enter their credit card details. Which of the
following techniques, if implemented in the code, would be the MOST effective in protecting the
fields from malformed input?

A. Client side input validation
B. Stored procedure
C. Encrypting credit card details
D. Regular expression matching

D. Regular expression matching
The audit department at a company requires proof of exploitation when conducting internal network penetration tests. Which of the following provides the MOST conclusive proof of compromise without further compromising the integrity of the system?

A. Provide a list of grabbed service banners.
B. Modify a file on the system and include the path in the test’s report.
C. Take a packet capture of the test activity.
D. Add a new test user account on the system.

C. Take a packet capture of the test activity.
A security administrator was doing a packet capture and noticed a system communicating with an
address within the 2001::/32 prefix. The network administrator confirms there is no IPv6 routing
into or out of the network. Which of the following is the BEST course of action?

A. Investigate the network traffic and block UDP port 3544 at the firewall
B. Remove the system from the network and disable IPv6 at the router
C. Locate and remove the unauthorized 6to4 relay from the network
D. Disable the switch port and block the 2001::/32 traffic at the firewall

A. Investigate the network traffic and block UDP port 3544 at the firewall
An organization is finalizing a contract with a managed security services provider (MSSP) that is
responsible for primary support of all security technologies. Which of the following should the
organization require as part of the contract to ensure the protection of the organization’s
technology?

A. An operational level agreement
B. An interconnection security agreement
C. A non-disclosure agreement
D. A service level agreement

B. An interconnection security agreement
An administrator is trying to categorize the security impact of a database server in the case of a
security event. There are three databases on the server.
Current Financial Data = High level of damage if data is disclosed. Moderate damage if the system
goes offline
Archived Financial Data = No need for the database to be online. Low damage for integrity loss
Public Website Data = Low damage if the site goes down. Moderate damage if the data is
corrupted
Given these security categorizations of each database, which of the following is the aggregate
security categorization of the database server?

A. Database server = {(Confidentiality HIGH),(Integrity High),(Availability High)}
B. Database server = {(Confidentiality HIGH),(Integrity Moderate),(Availability Moderate)}
C. Database server = {(Confidentiality HIGH),(Integrity Moderate),(Availability Low)}
D. Database server = {(Confidentiality Moderate),(Integrity Moderate),(Availability Moderate)}

B. Database server = {(Confidentiality HIGH),(Integrity Moderate),(Availability Moderate)}
Every year, the accounts payable employee, Ann, takes a week off work for a vacation. She
typically completes her responsibilities remotely during this week. Which of the following policies,
when implemented, would allow the company to audit this employee’s work and potentially
discover improprieties?

A. Job rotation
B. Mandatory vacations
C. Least privilege
D. Separation of duties

A. Job rotation
A new web based application has been developed and deployed in production. A security
engineer decides to use an HTTP interceptor for testing the application. Which of the following
problems would MOST likely be uncovered by this tool?

A. The tool could show that input validation was only enabled on the client side
B. The tool could enumerate backend SQL database table and column names
C. The tool could force HTTP methods such as DELETE that the server has denied
D. The tool could fuzz the application to determine where memory leaks occur

A. The tool could show that input validation was only enabled on the client side
A security consultant is investigating acts of corporate espionage within an organization. Each
time the organization releases confidential information to high-ranking engineers, the information
is soon leaked to competing companies. Which of the following techniques should the consultant
use to discover the source of the information leaks?

A. Digital watermarking
B. Steganography
C. Enforce non-disclosure agreements
D. Digital rights management

A. Digital watermarking
A security administrator is investigating the compromise of a SCADA network that is not physically
connected to any other network. Which of the following is the MOST likely cause of the
compromise?

A. Outdated antivirus definitions
B. Insecure wireless
C. Infected USB device
D. SQL injection

C. Infected USB device
The Chief Information Security Officer (CISO) at a company knows that many users store
business documents on public cloud-based storage, and realizes this is a risk to the company. In
response, the CISO implements a mandatory training course in which all employees are instructed
on the proper use of cloud-based storage. Which of the following risk strategies did the CISO
implement?

A. Avoid
B. Accept
C. Mitigate
D. Transfer

C. Mitigate
A security administrator is investigating the compromise of a software distribution website.
Forensic analysis shows that several popular files are infected with malicious code. However,
comparing a hash of the infected files with the original, non-infected files which were restored from
backup, shows that the hash is the same. Which of the following explains this?

A. The infected files were using obfuscation techniques to evade detection by antivirus software.
B. The infected files were specially crafted to exploit a collision in the hash function.
C. The infected files were using heuristic techniques to evade detection by antivirus software.
D. The infected files were specially crafted to exploit diffusion in the hash function.

B. The infected files were specially crafted to exploit a collision in the hash function.
A court order has ruled that your company must surrender all the email sent and received by a
certain employee for the past five years. After reviewing the backup systems, the IT administrator
concludes that email backups are not kept that long. Which of the following policies MUST be reviewed to address future compliance?

A. Tape backup policies
B. Offsite backup policies
C. Data retention policies
D. Data loss prevention policies

C. Data retention policies
A system administrator needs to meet the maximum amount of security goals for a new DNS
infrastructure. The administrator deploys DNSSEC extensions to the domain names and
infrastructure. Which of the following security goals does this meet? (Select TWO).

A. Availability
B. Authentication
C. Integrity
D. Confidentiality
E. Encryption

B. Authentication
C. Integrity
The risk manager is reviewing a report which identifies a requirement to keep a business critical
legacy system operational for the next two years. The legacy system is out of support because
vendor support and security patches are no longer released. Additionally, this is a proprietary embedded
system and little is documented and known about it. Which of the following should the Information
Technology department implement to reduce the security risk from a compromise of this system?

A. Virtualize the system and migrate it to a cloud provider.
B. Segment the device on its own secure network.
C. Install an antivirus and HIDS on the system.
D. Hire developers to reduce vulnerabilities in the code.

B. Segment the device on its own secure network.
Two separate companies are in the process of integrating their authentication infrastructure into a
unified single sign-on system. Currently, both companies use an AD backend and two factor
authentication using TOTP. The system administrators have configured a trust relationship
between the authentication backend to ensure proper process flow. How should the employees
request access to shared resources before the authentication integration is complete?

A. They should log on to the system using the username concatenated with the 6-digit code and
their original password.
B. They should log on to the system using the newly assigned global username: first.lastname####
where #### is the second factor code.
C. They should use the username format: LANfirst.lastname together with their original password
and the next 6-digit code displayed when the token button is depressed.
D. They should use the username format: [email protected], together with a password
and their 6-digit code.

D. They should use the username format: [email protected], together with a password
and their 6-digit code.
The Chief Risk Officer (CRO) has requested that the MTD, RTO and RPO for key business
applications be identified and documented. Which of the following business documents would
MOST likely contain the required values?

A. MOU
B. BPA
C. RA
D. SLA
E. BIA

E. BIA
An organization is selecting a SaaS provider to replace its legacy, in house Customer Resource Management (CRM) application. Which of the following ensures the organization mitigates the risk of managing separate user credentials?

A. Ensure the SaaS provider supports dual factor authentication.
B. Ensure the SaaS provider supports encrypted password transmission and storage.
C. Ensure the SaaS provider supports secure hash file exchange.
D. Ensure the SaaS provider supports role-based access control.
E. Ensure the SaaS provider supports directory services federation.

E. Ensure the SaaS provider supports directory services federation.
A forensic analyst receives a hard drive containing malware quarantined by the antivirus
application. After creating an image and determining the directory location of the malware file,
which of the following helps to determine when the system became infected?

A. The malware file’s modify, access, change time properties.
B. The timeline analysis of the file system.
C. The time stamp of the malware in the swap file.
D. The date/time stamp of the malware detection in the antivirus logs.

B. The timeline analysis of the file system.
After a security incident, an administrator would like to implement policies that would help reduce
fraud and the potential for collusion between employees. Which of the following would help meet
these goals by having co-workers occasionally audit another worker’s position?

A. Least privilege
B. Job rotation
C. Mandatory vacation
D. Separation of duties

B. Job rotation
A security engineer at a software development company has identified several vulnerabilities in a
product late in the development cycle. This causes a huge delay for the release of the product.
Which of the following should the administrator do to prevent these issues from occurring in the
future?

A. Recommend switching to an SDLC methodology and perform security testing during
each maintenance iteration
B. Recommend switching to a spiral software development model and perform security testing
during the requirements gathering
C. Recommend switching to a waterfall development methodology and perform security testing
during the testing phase
D. Recommend switching to an agile development methodology and perform security testing
during iterations

D. Recommend switching to an agile development methodology and perform security testing
during iterations
Company XYZ is building a new customer facing website which must access some corporate
resources. The company already has an internal facing web server and a separate server
supporting an extranet to which suppliers have access. The extranet web server is located in a
network DMZ. The internal website is hosted on a laptop on the internal corporate network. The
internal network does not restrict traffic between any internal hosts. Which of the following
locations will BEST secure both the intranet and the customer facing website?

A. The existing internal network segment
B. Dedicated DMZ network segments
C. The existing extranet network segment
D. A third-party web hosting company

B. Dedicated DMZ network segments
A security architect is locked into a given cryptographic design based on the allowable software at the company. The key length for applications is already fixed as is the cipher and algorithm in use.
The security architect advocates for the use of well-randomized keys as a mitigation to brute force
and rainbow attacks. Which of the following is the security architect trying to increase in the
design?

A. Key stretching
B. Availability
C. Entropy
D. Root of trust
E. Integrity

C. Entropy
Noticing latency issues at its connection to the Internet, a company suspects that it is being
targeted in a Distributed Denial of Service attack. A security analyst discovers numerous inbound
monlist requests coming to the company’s NTP servers. Which of the following mitigates this
activity with the LEAST impact to existing operations?

A. Block in-bound connections to the company’s NTP servers.
B. Block IPs making monlist requests.
C. Disable the company’s NTP servers.
D. Disable monlist on the company’s NTP servers.

D. Disable monlist on the company’s NTP servers.
The Chief Executive Officer (CEO) of an Internet service provider (ISP) has decided to limit the
company’s contribution to worldwide Distributed Denial of Service (DDoS) attacks. Which of the
following should the ISP implement? (Select TWO).

A. Block traffic from the ISP’s networks destined for blacklisted IPs.
B. Prevent the ISP’s customers from querying DNS servers other than those hosted by the ISP.
C. Block traffic with a source IP not allocated to the ISP from exiting the ISP’s network.
D. Scan the ISP’s customer networks using an up-to-date vulnerability scanner.
E. Notify customers when services they run are involved in an attack.

C. Block traffic with a source IP not allocated to the ISP from exiting the ISP’s network.
E. Notify customers when services they run are involved in an attack.
For companies seeking to move to cloud services, variances in regulation between jurisdictions
can be addressed in which of the following ways?

A. Ensuring the cloud service provides high availability spanning multiple regions.
B. Using an international private cloud model as opposed to public IaaS.
C. Encrypting all data moved to or processed in a cloud-based service.
D. Tagging VMs to ensure they are only run in certain geographic regions.

D. Tagging VMs to ensure they are only run in certain geographic regions.
A large organization that builds and configures every data center against distinct requirements
loses efficiency, which results in slow response time to resolve issues. However, total uniformity
presents other problems. Which of the following presents the GREATEST risk when consolidating
to a single vendor or design solution?

A. Competitors gain an advantage by increasing their service offerings.
B. Vendor lock in may prevent negotiation of lower rates or prices.
C. Design constraints violate the principle of open design.
D. Lack of diversity increases the impact of specific events or attacks.

D. Lack of diversity increases the impact of specific events or attacks.
The Chief Executive Officer (CEO) of a company that allows telecommuting has challenged the
Chief Security Officer’s (CSO) request to harden the corporate network’s perimeter. The CEO
argues that the company cannot protect its employees at home, so the risk at work is no different.
Which of the following BEST explains why this company should proceed with protecting its
corporate network boundary?

A. The corporate network is the only network that is audited by regulators and customers.
B. The aggregation of employees on a corporate network makes it a more valuable target for
attackers.
C. Home networks are unknown to attackers and less likely to be targeted directly.
D. Employees are more likely to be using personal computers for general web browsing when they
are at home.

B. The aggregation of employees on a corporate network makes it a more valuable target for
attackers.
An industry organization has implemented a system to allow trusted authentication between all of
its partners. The system consists of a web of trusted RADIUS servers communicating over the
Internet. An attacker was able to set up a malicious server and conduct a successful man-in-the-middle
attack. Which of the following controls should be implemented to mitigate the attack in the
future?

A. Use PAP for secondary authentication on each RADIUS server
B. Disable unused EAP methods on each RADIUS server
C. Enforce TLS connections between RADIUS servers
D. Use a shared secret for each pair of RADIUS servers

C. Enforce TLS connections between RADIUS servers
An organization would like to allow employees to use their network username and password to
access a third-party service. The company is using Active Directory Federated Services for their
directory service. Which of the following should the company ensure is supported by the third-party?
(Select TWO).

A. LDAP/S
B. SAML
C. NTLM
D. OAUTH
E. Kerberos

B. SAML
E. Kerberos
An extensible commercial software system was upgraded to the next minor release version to
patch a security vulnerability. After the upgrade, an unauthorized intrusion into the system was
detected. The software vendor is called in to troubleshoot the issue and reports that all core
components were updated properly. Which of the following has been overlooked in securing the
system? (Select TWO).

A. The company’s IDS signatures were not updated.
B. The company’s custom code was not patched.
C. The patch caused the system to revert to http.
D. The software patch was not cryptographically signed.
E. The wrong version of the patch was used.
F. Third-party plug-ins were not patched.

B. The company’s custom code was not patched.
F. Third-party plug-ins were not patched.
A security officer is leading a lessons learned meeting. Which of the following should be
components of that meeting? (Select TWO).

A. Demonstration of IPS system
B. Review vendor selection process
C. Calculate the ALE for the event
D. Discussion of event timeline
E. Assigning of follow up items

D. Discussion of event timeline
E. Assigning of follow up items
A network administrator with a company’s NSP has received a CERT alert for targeted adversarial
behavior at the company. In addition to the company’s physical security, which of the following can
the network administrator use to scan and detect the presence of a malicious actor physically
accessing the company’s network or information systems from within? (Select TWO).

A. RAS
B. Vulnerability scanner
C. HTTP intercept
D. HIDS
E. Port scanner
F. Protocol analyzer

D. HIDS
E. Port scanner
An administrator’s company has recently had to reduce the number of Tier 3 help desk technicians
available to support enterprise service requests. As a result, configuration standards have
declined as administrators develop scripts to troubleshoot and fix customer issues. The
administrator has observed that several default configurations have not been fixed through applied
group policy or configured in the baseline. Which of the following are controls the administrator
should recommend to the organization’s security manager to prevent an authorized user from
conducting internal reconnaissance on the organization’s network? (Select THREE).

A. Network file system
B. Disable command execution
C. Port security
D. TLS
E. Search engine reconnaissance
F. NIDS
G. BIOS security
H. HIDS
I. IdM

B. Disable command execution
G. BIOS security
I. IdM
A mature organization with legacy information systems has incorporated numerous new processes
and dependencies to manage security as its networks and infrastructure are modernized. The
Chief Information Officer has become increasingly frustrated with frequent releases, stating that the
organization needs everything to work completely, and the vendor should already have those
desires built into the software product. The vendor has been in constant communication with
personnel and groups within the organization to understand its business process and capture new
software requirements from users. Which of the following methods of software development is this
organization’s configuration management process using?

A. Agile
B. SDL
C. Waterfall
D. Joint application development

A. Agile
Joe, the Chief Executive Officer (CEO), was an Information security professor and a Subject
Matter Expert for over 20 years. He has designed a network defense method which he says is
significantly better than prominent international standards. He has recommended that the
company use his cryptographic method. Which of the following methodologies should be adopted?

A. The company should develop an in-house solution and keep the algorithm a secret.
B. The company should use the CEO’s encryption scheme.
C. The company should use a mixture of both systems to meet minimum standards.
D. The company should use the method recommended by other respected information security
organizations.

D. The company should use the method recommended by other respected information security
organizations.
The security engineer receives an incident ticket from the helpdesk stating that DNS lookup
requests are no longer working from the office. The network team has ensured that Layer 2 and
Layer 3 connectivity are working. Which of the following tools would a security engineer use to
make sure the DNS server is listening on port 53?

A. PING
B. NESSUS
C. NSLOOKUP
D. NMAP

D. NMAP
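Added worked example (not part of the original question bank): the check the engineer would run against the DNS server, written in Python rather than as an nmap command line so it can be exercised offline. It does a plain TCP connect to the port (what an nmap -sT connect scan does) and sends a real RFC 1035 query over UDP, because a UDP port only reveals itself when a service answers; nmap's UDP scan carries a DNS payload for port 53 for the same reason. The resolver in the demo is a constructed local stand-in that echoes each query back with the QR bit set, and the address 10.0.0.53 in the comment is a placeholder, not anything from the page.

```python
import random
import socket
import struct
import threading


def build_dns_query(name, txn_id=None):
    """Minimal DNS A query: 12-byte header (RD=1, QDCOUNT=1) + one question.

    Returns (txn_id, packet). The transaction ID is random unless given, so a
    reply can be matched to the request that produced it.
    """
    if txn_id is None:
        txn_id = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return txn_id, header + question


def tcp_port_open(host, port, timeout=2.0):
    """TCP connect check, the equivalent of an nmap connect scan of one port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def udp_dns_responds(host, port=53, name="example.com.", timeout=2.0):
    """Send a DNS query over UDP and accept a reply whose ID matches and whose
    QR bit is set. A closed UDP port answers with ICMP unreachable (seen here as
    an OSError) or with silence, so a timeout also means 'not listening'."""
    txn_id, packet = build_dns_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(packet, (host, port))
            data, _ = s.recvfrom(512)
        except OSError:
            return False
    if len(data) < 12:
        return False
    reply_id, flags = struct.unpack("!HH", data[:4])
    return reply_id == txn_id and bool(flags & 0x8000)


def check_dns_server(host, port=53):
    """The two facts the ticket needs: is 53/tcp open, and does 53/udp answer DNS?"""
    return {"tcp": tcp_port_open(host, port), "udp": udp_dns_responds(host, port)}


def start_fake_dns_server(host="127.0.0.1"):
    """Constructed stand-in for a resolver, for offline demonstration only: a UDP
    listener that echoes each query back with QR=1 and no answers. Returns
    (port, stop_function)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, 0))
    sock.settimeout(0.2)
    port = sock.getsockname()[1]
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                data, addr = sock.recvfrom(512)
            except socket.timeout:
                continue
            if len(data) >= 12:
                flags = struct.unpack("!H", data[2:4])[0] | 0x8000  # set QR
                sock.sendto(data[:2] + struct.pack("!H", flags) + data[4:], addr)
        sock.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stop.set


def start_tcp_listener(host="127.0.0.1"):
    """Constructed TCP listener used only to show the connect check succeeding."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind((host, 0))
    sock.listen(5)
    return sock.getsockname()[1], sock.close


if __name__ == "__main__":
    port, stop = start_fake_dns_server()
    print("constructed resolver on 127.0.0.1:%d ->" % port, check_dns_server("127.0.0.1", port))
    stop()
    # Against the real server (placeholder address): check_dns_server("10.0.0.53")
```

The demo resolver only listens on UDP, so the result shows tcp=False, udp=True: exactly the split a connect-only check would miss, and the reason to test both transports (zone transfers and large answers use 53/tcp).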
A large organization has recently suffered a massive credit card breach. During the months of
Incident Response, there were multiple attempts to assign blame as to whose fault it was that the
incident occurred. In which part of the incident response phase would this be addressed in a
controlled and productive manner?

A. During the Identification Phase
B. During the Lessons Learned phase
C. During the Containment Phase
D. During the Preparation Phase

B. During the Lessons Learned phase
A security administrator needs to deploy a remote access solution for both staff and contractors.
Management favors remote desktop due to ease of use. The current risk assessment suggests
protecting Windows as much as possible from direct ingress traffic exposure. Which of the
following solutions should be selected?

A. Deploy a remote desktop server on your internal LAN, and require an active directory integrated
SSL connection for access.
B. Change remote desktop to a non-standard port, and implement password complexity for the
entire active directory domain.
C. Distribute new IPSec VPN client software to applicable parties. Virtualize remote desktop
services functionality.
D. Place the remote desktop server(s) on a screened subnet, and implement two-factor
authentication.

D. Place the remote desktop server(s) on a screened subnet, and implement two-factor
authentication.
Due to compliance regulations, a company requires a yearly penetration test. The Chief
Information Security Officer (CISO) has asked that it be done under a black box methodology.
Which of the following would be the advantage of conducting this kind of penetration test?

A. The risk of unplanned server outages is reduced.
B. Using documentation provided to them, the pen-test organization can quickly determine areas
to focus on.
C. The results will show an in-depth view of the network and should help pin-point areas of internal
weakness.
D. The results should reflect what attackers may be able to learn about the company.

D. The results should reflect what attackers may be able to learn about the company.
The IT manager is evaluating IPS products to determine which would be most effective at stopping
network traffic that contains anomalous content on networks that carry very specific types of traffic.
Based on the IT manager’s requirements, which of the following types of IPS products would be
BEST suited for use in this situation?

A. Signature-based
B. Rate-based
C. Anomaly-based
D. Host-based

A. Signature-based
A software project manager has been provided with a requirement from the customer to place
limits on the types of transactions a given user can initiate without external interaction from
another user with elevated privileges. This requirement is BEST described as an implementation
of:

A. An administrative control
B. Dual control
C. Separation of duties
D. Least privilege
E. Collusion

C. Separation of duties
Which of the following is the information owner responsible for?

A. Developing policies, standards, and baselines.
B. Determining the proper classification levels for data within the system.
C. Integrating security considerations into application and system purchasing decisions.
D. Implementing and evaluating security controls by validating the integrity of the data.

B. Determining the proper classification levels for data within the system.
A Chief Information Security Officer (CISO) is approached by a business unit manager who heard
a report on the radio this morning about an employee at a competing firm who shipped a VPN
token overseas so a fake employee could log into the corporate VPN. The CISO asks what can be
done to mitigate the risk of such an incident occurring within the organization. Which of the
following is the MOST cost effective way to mitigate such a risk?

A. Require hardware tokens to be replaced on a yearly basis.
B. Implement a biometric factor into the token response process.
C. Force passwords to be changed every 90 days.
D. Use PKI certificates as part of the VPN authentication process.

B. Implement a biometric factor into the token response process.
Two universities are making their 802.11n wireless networks available to the other university’s
students. The infrastructure will pass the student’s credentials back to the home school for
authentication via the Internet.
The requirements are:
Mutual authentication of clients and authentication server
The design should not limit connection speeds
Authentication must be delegated to the home school
No passwords should be sent unencrypted
The following design was implemented:
WPA2 Enterprise using EAP-PEAP-MSCHAPv2 will be used for wireless security
RADIUS proxy servers will be used to forward authentication requests to the home school
The RADIUS servers will have certificates from a common public certificate authority
A strong shared secret will be used for RADIUS server authentication
Which of the following security considerations should be added to the design?

A. The transport layer between the RADIUS servers should be secured
B. WPA Enterprise should be used to decrease the network overhead
C. The RADIUS servers should have local accounts for the visiting students
D. Students should be given certificates to use for authentication to the network

A. The transport layer between the RADIUS servers should be secured
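Added worked example (not part of the original question bank) of why the inter-RADIUS transport needs its own protection even with a strong shared secret. RADIUS hides sensitive attributes with an MD5 keystream derived from the shared secret and the 16-octet Request Authenticator, which is sent in the clear in the same packet (RFC 2865 section 5.2 for User-Password; RFC 2548 uses the same construction plus a salt for the MS-MPPE session keys that the home server returns through the proxies to the visiting school's access point). The code below implements the RFC 2865 hiding, its inverse, and the offline dictionary attack it permits once an attacker knows one password in a captured Access-Request (a visitor's own account is enough). The shared secret, authenticator and wordlist are constructed values. Running the hop between the two universities over TLS (RadSec, RFC 6614) or IPsec removes the exposure.

```python
import hashlib


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password, secret, request_authenticator):
    """RFC 2865 section 5.2 User-Password hiding.

    Pads the password with NULs to a multiple of 16 octets, then XORs each
    16-octet block with MD5(secret || previous ciphertext block). The chain is
    seeded with the Request Authenticator, which travels unencrypted in the
    same Access-Request, so the secret is the only thing keeping this private.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:
        padded = b"\x00" * 16
    hidden = b""
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = _xor(padded[i:i + 16], keystream)
        hidden += block
        prev = block
    return hidden


def reveal_user_password(hidden, secret, request_authenticator):
    """Inverse of hide_user_password: every proxy hop that holds the secret for
    its leg, or anyone who has guessed it, reads the attribute in clear."""
    plain = b""
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        plain += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return plain.rstrip(b"\x00")


def recover_secret_by_dictionary(hidden, request_authenticator, known_password, candidates):
    """Offline attack on a captured Access-Request whose password is known:
    C1 XOR P1 = MD5(secret || RA), so each candidate secret costs one MD5."""
    first_plain = (known_password + b"\x00" * 16)[:16]
    target = _xor(hidden[:16], first_plain)
    for candidate in candidates:
        if hashlib.md5(candidate + request_authenticator).digest() == target:
            return candidate
    return None


if __name__ == "__main__":
    secret = b"correct horse"          # constructed shared secret
    ra = bytes(range(16))              # constructed Request Authenticator
    hidden = hide_user_password(b"S3cret-pass!", secret, ra)
    print("on the wire:", hidden.hex())
    print("proxy with the secret sees:", reveal_user_password(hidden, secret, ra))
    wordlist = [b"radius", b"testing123", b"correct horse", b"hunter2"]  # constructed
    print("recovered secret:", recover_secret_by_dictionary(hidden, ra, b"S3cret-pass!", wordlist))
```

A weak or reused secret on the Internet-facing leg therefore exposes not just one attribute but, after recovery, every key material the home server returns over that leg; that is what the missing transport-layer protection addresses.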
A company has decided to move to an agile software development methodology. The company
gives all of its developers security training. After a year of agile, a management review finds that
the number of items on a vulnerability scan has actually increased since the methodology change.
Which of the following best practices has MOST likely been overlooked in the agile
implementation?

A. Penetration tests should be performed after each sprint.
B. A security engineer should be paired with a developer during each cycle.
C. The security requirements should be introduced during the implementation phase.
D. The security requirements definition phase should be added to each sprint.

D. The security requirements definition phase should be added to each sprint.
A system administrator has a responsibility to maintain the security of the video teleconferencing
system. During a self-audit of the video teleconferencing room, the administrator notices that
speakers and microphones are hard-wired and wireless enabled. Which of the following security
concerns should the system administrator have about the existing technology in the room?

A. Wired transmissions could be intercepted by remote users.
B. Bluetooth speakers could cause RF emanation concerns.
C. Bluetooth is an unsecure communication channel.
D. Wireless transmission causes interference with the video signal.

C. Bluetooth is an unsecure communication channel.
A security engineer is a new member to a configuration board at the request of management. The
company has two new major IT projects starting this year and wants to plan security into the
application deployment. The board is primarily concerned with the applications’ compliance with
federal assessment and authorization standards. The security engineer asks for a timeline to
determine when a security assessment of both applications should occur and does not attend
subsequent configuration board meetings. If the security engineer is only going to perform a
security assessment, which of the following steps in system authorization has the security
engineer omitted? (Select TWO).

A. Establish the security control baseline to be assessed
B. Build the application according to software development security standards
C. Write the systems functionality requirements into the security requirements traceability matrix
D. Review the results of user acceptance testing
E. Categorize the applications according to use
F. Consult with the stakeholders to determine which standards can be omitted

A. Establish the security control baseline to be assessed
E. Categorize the applications according to use
A security manager is collecting RFQ, RFP, and RFI publications to help identify the technology
trends which a government will be moving towards in the future. This information is available to the
public. By consolidating the information, the security manager will be able to combine several
perspectives into a broader view of technology trends. This is an example of which of the
following? (Select TWO).

A. Supervisory control and data acquisition
B. Espionage
C. Hacktivism
D. Data aggregation
E. Universal description discovery and integration
F. Open source intelligence gathering

D. Data aggregation
F. Open source intelligence gathering
As a cost saving measure, a company has instructed the security engineering team to allow all
consumer devices to be able to access the network. They have asked for recommendations on
what is needed to secure the enterprise, yet offer the most flexibility in terms of controlling
applications, and stolen devices. Which of the following is BEST suited for the requirements?

A. MEAP with Enterprise Appstore
B. Enterprise Appstore with client-side VPN software
C. MEAP with TLS
D. MEAP with MDM

D. MEAP with MDM
A company uses a custom Line of Business (LOB) application to facilitate all back-end
manufacturing control. Upon investigation, it has been determined that the database used by the
LOB application uses a proprietary data format. The risk management group has flagged this as a
potential weakness in the company’s operational robustness. Which of the following would be the
GREATEST concern when analyzing the manufacturing control application?

A. Difficulty backing up the custom database
B. Difficulty migrating to new hardware
C. Difficulty training new admin personnel
D. Difficulty extracting data from the database

D. Difficulty extracting data from the database
An asset manager is struggling with the best way to reduce the time required to perform asset
location activities in a large warehouse. A project manager indicated that RFID might be a valid
solution if the asset manager’s requirements were supported by current RFID capabilities. Which
of the following requirements would be MOST difficult for the asset manager to implement?

A. The ability to encrypt RFID data in transmission
B. The ability to integrate environmental sensors into the RFID tag
C. The ability to track assets in real time as they move throughout the facility
D. The ability to assign RFID tags a unique identifier

A. The ability to encrypt RFID data in transmission
Ann, a systems engineer, is working to identify an unknown node on the corporate network. To
begin her investigative work, she runs the following nmap command string:
$ sudo nmap -O 192.168.1.54
Based on the output, nmap is unable to identify the OS running on the node, but the following
ports are open on the device:
TCP/22
TCP/111
TCP/512-514
TCP/2049
TCP/32778
Based on this information, which of the following operating systems is MOST likely running on the unknown node?

A. Linux
B. Windows
C. Solaris
D. OSX

C. Solaris
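Added worked example (not from the original question bank) of the reasoning behind that answer, as code: a parser for nmap's normal-output port table and a port-based platform scoring pass. The sample output is constructed in nmap's style from the scenario's port list, not captured from a real host, and the scoring weights are an analyst's rule of thumb (rpcbind on 111, the BSD r-services on 512-514, NFS on 2049 and a Sun RPC dynamic service in the 32771-32780 range together point at classic Solaris), not an nmap feature; nmap -O itself fingerprints TCP/IP stack behaviour and stays silent when, as here, it has no confident match.

```python
import re

# Constructed sample in nmap normal-output style, built from the scenario's
# port list; not a capture from a real host.
SAMPLE_OUTPUT = """\
Nmap scan report for 192.168.1.54
Host is up (0.0021s latency).
Not shown: 993 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
111/tcp   open  rpcbind
512/tcp   open  exec
513/tcp   open  login
514/tcp   open  shell
2049/tcp  open  nfs
32778/tcp open  sometimes-rpc19
No exact OS matches for host
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", re.MULTILINE)


def parse_open_ports(output):
    """Return {(port, proto): service} for every line nmap reports as open."""
    return {
        (int(port), proto): service
        for port, proto, state, service in PORT_LINE.findall(output)
        if state == "open"
    }


# Platform hints as (label, predicate on port number). Heuristic only: an
# analyst's rule of thumb, not a fingerprint database.
HINTS = {
    "Solaris": [
        ("rpcbind/sunrpc on 111", lambda p: p == 111),
        ("BSD r-service 512-514 (rexec/rlogin/rsh), on by default on classic Solaris",
         lambda p: 512 <= p <= 514),
        ("NFS on 2049", lambda p: p == 2049),
        ("Sun RPC dynamic service in 32771-32780", lambda p: 32771 <= p <= 32780),
    ],
    "Linux": [
        ("rpcbind on 111", lambda p: p == 111),
        ("NFS on 2049", lambda p: p == 2049),
        ("OpenSSH on 22", lambda p: p == 22),
    ],
    "Windows": [
        ("MS-RPC endpoint mapper 135", lambda p: p == 135),
        ("NetBIOS session 139", lambda p: p == 139),
        ("SMB 445", lambda p: p == 445),
        ("RDP 3389", lambda p: p == 3389),
    ],
    "OSX": [
        ("OpenSSH on 22", lambda p: p == 22),
        ("AFP on 548", lambda p: p == 548),
        ("Screen sharing (VNC) on 5900", lambda p: p == 5900),
    ],
}


def guess_os(open_ports):
    """Score each platform by the open TCP ports matching its hints.
    Returns [(os, score, evidence), ...] best first; score counts matched ports."""
    results = []
    for os_name, hints in HINTS.items():
        evidence = []
        for port, proto in sorted(open_ports):
            if proto != "tcp":
                continue
            for label, matches in hints:
                if matches(port):
                    evidence.append(f"{port}/tcp: {label}")
        results.append((os_name, len(evidence), evidence))
    results.sort(key=lambda r: r[1], reverse=True)
    return results


def best_guess(output):
    """Top-scoring platform for an nmap output blob, or None with no evidence."""
    ranked = guess_os(parse_open_ports(output))
    return ranked[0][0] if ranked and ranked[0][1] > 0 else None


if __name__ == "__main__":
    for os_name, score, evidence in guess_os(parse_open_ports(SAMPLE_OUTPUT)):
        print(f"{os_name}: {score}")
        for line in evidence:
            print("   ", line)
```

Linux also scores on 111 and 2049, which is why the r-services and the Sun RPC high port are the discriminating evidence; a follow-up with nmap -sV against 111 and 32778 (rpcinfo-style enumeration) would confirm or refute the guess before anyone acts on it.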
A security analyst is tasked to create an executive briefing, which explains the activity and
motivation of a cyber adversary. Which of the following is the MOST important content for the brief
for management personnel to understand?

A. Threat actor types, threat actor motivation, and attack tools
B. Unsophisticated agents, organized groups, and nation states
C. Threat actor types, attack sophistication, and the anatomy of an attack
D. Threat actor types, threat actor motivation, and the attack impact

D. Threat actor types, threat actor motivation, and the attack impact
A security engineer has inherited an authentication project which integrates 1024-bit PKI
certificates into the company infrastructure and now has a new requirement to integrate 2048-bit
PKI certificates so that the entire company will be interoperable with its vendors when the project
is completed. The project is now 25% complete, with 15% of the company staff being issued 1024-
bit certificates. The provisioning of network based accounts has not occurred yet due to other
project delays. The project is now expected to be over budget and behind its original schedule.
Termination of the existing project and beginning a new project is a consideration because of the
change in scope. Which of the following is the security engineer’s MOST serious concern with
implementing this solution?

A. Succession planning
B. Performance
C. Maintainability
D. Availability

C. Maintainability
A company has migrated its data and application hosting to a cloud service provider (CSP). To
meet its future needs, the company considers an IdP. Why might the company want to select an
IdP that is separate from its CSP? (Select TWO).

A. A circle of trust can be formed with all domains authorized to delegate trust to an IdP
B. Identity verification can occur outside the circle of trust if specified or delegated
C. Replication of data occurs between the CSP and IdP before a verification occurs
D. Greater security can be provided if the circle of trust is formed within multiple CSP domains
E. Faster connections can occur between the CSP and IdP without the use of SAML

A. A circle of trust can be formed with all domains authorized to delegate trust to an IdP
D. Greater security can be provided if the circle of trust is formed within multiple CSP domains
An internal committee comprised of the facilities manager, the physical security manager, the
network administrator, and a member of the executive team has been formed to address a recent
breach at a company’s data center. It was discovered that during the breach, an HVAC specialist
had gained entry to an area that contained server farms holding sensitive financial data. Although
the HVAC specialist was there to fix a legitimate issue, the investigation concluded security be
provided for the two entry and exit points for the server farm. Which of the following should be
implemented to accomplish the recommendations of the investigation?

A. Implement a policy that all non-employees should be escorted in the data center.
B. Place a mantrap at the points with biometric security.
C. Hire an HVAC person for the company, eliminating the need for external HVAC people.
D. Implement CCTV cameras at both points.

B. Place a mantrap at the points with biometric security.
During a recent audit of servers, a company discovered that a network administrator, who required
remote access, had deployed an unauthorized remote access application that communicated over
common ports already allowed through the firewall. A network scan showed that this remote
access application had already been installed on one third of the servers in the company. Which of
the following is the MOST appropriate action that the company should take to provide a more
appropriate solution?

A. Implement an IPS to block the application on the network
B. Implement the remote application out to the rest of the servers
C. Implement SSL VPN with SAML standards for federation
D. Implement an ACL on the firewall with NAT for remote access

C. Implement SSL VPN with SAML standards for federation
A company wishes to purchase a new security appliance. A security administrator has extensively
researched the appliances, and after presenting security choices to the company’s management
team, they approve of the proposed solution. Which of the following documents should be
constructed to acquire the security appliance?

A. SLA
B. RFQ
C. RFP
D. RFI

B. RFQ
A small retail company recently deployed a new point of sale (POS) system to all 67 stores. The
core of the POS is an extranet site, accessible only from retail stores and the corporate office over
a split-tunnel VPN. An additional split-tunnel VPN provides bi-directional connectivity back to the
main office, which provides voice connectivity for store VoIP phones. Each store offers guest
wireless functionality, as well as employee wireless. Only the staff wireless network has access to
the POS VPN. Recently, stores are reporting poor response times when accessing the POS
application from store computers as well as degraded voice quality when making phone calls.
Upon investigation, it is determined that three store PCs are hosting malware, which is generating
excessive network traffic. After malware removal, the information security department is asked to review the configuration and suggest changes to prevent this from happening again. Which of the
following denotes the BEST way to mitigate future malware risk?

A. Deploy new perimeter firewalls at all stores with UTM functionality.
B. Change antivirus vendors at the store and the corporate office.
C. Move to a VDI solution that runs offsite from the same data center that hosts the new POS
solution.
D. Deploy a proxy server with content filtering at the corporate office and route all traffic through it.

A. Deploy new perimeter firewalls at all stores with UTM functionality.
Executive management is asking for a new manufacturing control and workflow automation
solution. This application will facilitate management of proprietary information and closely guarded
corporate trade secrets.
The information security team has been a part of the department meetings and come away with
the following notes:
-Human resources would like complete access to employee data stored in the application. They
would like automated data interchange with the employee management application, a cloud-based
SaaS application.
-Sales is asking for easy order tracking to facilitate feedback to customers.
-Legal is asking for adequate safeguards to protect trade secrets. They are also concerned with
data ownership questions and legal jurisdiction.
-Manufacturing is asking for ease of use. Employees working the assembly line cannot be
bothered with additional steps or overhead. System interaction needs to be quick and easy.
-Quality assurance is concerned about managing the end product and tracking overall
performance of the product being produced. They would like read-only access to the entire
workflow process for monitoring and baselining.
The favored solution is a user friendly software application that would be hosted onsite. It has
extensive ACL functionality, but also has readily available APIs for extensibility. It supports read-only
access, kiosk automation, custom fields, and data encryption.
Which of the following departments’ request is in contrast to the favored solution?

A. Manufacturing
B. Legal
C. Sales
D. Quality assurance
E. Human resources

E. Human resources
News outlets are beginning to report on a number of retail establishments that are experiencing
payment card data breaches. The data exfiltration is enabled by malware on a compromised
computer. After the initial exploit network mapping and fingerprinting occurs in preparation for
further exploitation. Which of the following is the MOST effective solution to protect against
unrecognized malware infections, reduce detection time, and minimize any damage that might be
done?

A. Remove local admin permissions from all users and change anti-virus to a cloud aware, push
technology.
B. Implement an application whitelist at all levels of the organization.
C. Deploy a network based heuristic IDS, configure all layer 3 switches to feed data to the IDS for
more effective monitoring.
D. Update router configuration to pass all network traffic through a new proxy server with
advanced malware detection.

B. Implement an application whitelist at all levels of the organization.
The Chief Information Security Officer (CISO) is asking for ways to protect against zero-day
exploits. The CISO is concerned that an unrecognized threat could compromise corporate data
and result in regulatory fines as well as poor corporate publicity. The network is mostly flat, with
split staff/guest wireless functionality. Which of the following equipment MUST be deployed to
guard against unknown threats?

A. Cloud-based antivirus solution, running as local admin, with push technology for definition
updates.
B. Implementation of an offsite data center hosting all company data, as well as deployment of
VDI for all client computing needs.
C. Host based heuristic IPS, segregated on a management VLAN, with direct control of the
perimeter firewall ACLs.
D. Behavior based IPS with a communication link to a cloud based vulnerability and threat feed.

D. Behavior based IPS with a communication link to a cloud based vulnerability and threat feed.
A small company’s Chief Executive Officer (CEO) has asked its Chief Security Officer (CSO) to
improve the company’s security posture with regard to targeted attacks. Which of the following
should the CSO conduct FIRST?

A. Survey threat feeds from analysts inside the same industry.
B. Purchase multiple threat feeds to ensure diversity and implement blocks for malicious traffic.
C. Conduct an internal audit against industry best practices to perform a gap analysis.
D. Deploy a UTM solution that receives frequent updates from a trusted industry vendor.

A. Survey threat feeds from analysts inside the same industry.
The sales team is considering the deployment of a new CRM solution within the enterprise. The IT
and Security teams are members of the project; however, neither team has expertise or
experience with the proposed system. Which of the following activities should be performed
FIRST?

A. Visit a company who already has the technology, sign an NDA, and read their latest risk
assessment.
B. Contact the top vendor, assign IT and Security to work together to implement a demo and pen
test the system.
C. Work with Finance to do a second ROI calculation before continuing further with the project.
D. Research the market, select the top vendors and solicit RFPs from those vendors.

D. Research the market, select the top vendors and solicit RFPs from those vendors.
A security administrator notices a recent increase in workstations becoming compromised by
malware. Often, the malware is delivered via drive-by downloads, from malware hosting websites,
and is not being detected by the corporate antivirus. Which of the following solutions would
provide the BEST protection for the company?

A. Increase the frequency of antivirus downloads and install updates to all workstations.
B. Deploy a cloud-based content filter and enable the appropriate category to prevent further
infections.
C. Deploy a NIPS to inspect and block all web traffic which may contain malware and exploits.
D. Deploy a web based gateway antivirus server to intercept viruses before they enter the
network.

B. Deploy a cloud-based content filter and enable the appropriate category to prevent further
infections.
The helpdesk manager wants to find a solution that will enable the helpdesk staff to better serve
company employees who call with computer-related problems. The helpdesk staff is currently
unable to perform effective troubleshooting and relies on callers to describe their technology
problems. Given that the helpdesk staff is located within the company headquarters and 90% of
the callers are telecommuters, which of the following tools should the helpdesk manager use to
make the staff more effective at troubleshooting while at the same time reducing company costs?
(Select TWO).

A. Web cameras
B. Email
C. Instant messaging
D. BYOD
E. Desktop sharing
F. Presence

C. Instant messaging
E. Desktop sharing
A security manager has started a new job and has identified that a key application for a new client
does not have an accreditation status and is currently not meeting the compliance requirement for the contract’s SOW. The security manager has competing priorities and wants to resolve this issue
quickly with a system determination and risk assessment. Which of the following approaches
presents the MOST risk to the security assessment?

A. The security manager reviews the system description for the previous accreditation, but does
not review application change records.
B. The security manager decides to use the previous SRTM without reviewing the system
description.
C. The security manager hires an administrator from the previous contract to complete the
assessment.
D. The security manager does not interview the vendor to determine if the system description is
accurate.

B. The security manager decides to use the previous SRTM without reviewing the system
description.
A security administrator was recently hired in a start-up company to represent the interest of
security and to assist the network team in improving security in the company. The sales team is
continuously contacting the security administrator to answer security questions posed by potential
customers/clients. Which of the following is the BEST strategy to minimize the frequency of these
requests?

A. Request the major stakeholder hire a security liaison to assist the sales team with security-related
questions.
B. Train the sales team about basic security, and make them aware of the security policies and
procedures of the company.
C. The job description of the security administrator is to assist the sales team; thus the process
should not be changed.
D. Compile a list of the questions, develop an FAQ on the website, and train the sales team about
basic security concepts.

D. Compile a list of the questions, develop an FAQ on the website, and train the sales team about
basic security concepts.
The Chief Information Officer (CIO) is focused on improving IT governance within the organization
to reduce system downtime. The CIO has mandated that the following improvements be
implemented:
-All business units must now identify IT risks and include them in their business risk profiles.
-Key controls must be identified and monitored.
-Incidents and events must be recorded and reported with management oversight.
-Exemptions to the information security policy must be formally recorded, approved, and
managed.
-IT strategy will be reviewed to ensure it is aligned with the businesses strategy and objectives.
In addition to the above, which of the following would BEST help the CIO meet the requirements?

A. Establish a register of core systems and identify technical service owners
B. Establish a formal change management process
C. Develop a security requirement traceability matrix
D. Document legacy systems to be decommissioned and the disposal process

An organization has decided to reduce labor costs by outsourcing back office processing of credit
applications to a provider located in another country. Data sovereignty and privacy concerns
raised by the security team resulted in the third-party provider only accessing and processing the
data via remote desktop sessions. To facilitate communications and improve productivity, staff at
the third party has been provided with corporate email accounts that are only accessible via the
remote desktop sessions. Email forwarding is blocked and staff at the third party can only
communicate with staff within the organization. Which of the following additional controls should
be implemented to prevent data loss? (Select THREE).

A. Implement hashing of data in transit
B. Session recording and capture
C. Disable cross session cut and paste
D. Monitor approved credit accounts
E. User access audit reviews
F. Source IP whitelisting

C. Disable cross session cut and paste
E. User access audit reviews
F. Source IP whitelisting
A company has received the contract to begin developing a new suite of software tools to replace
an aging collaboration solution. The original collaboration solution has been in place for nine
years, contains over a million lines of code, and took over two years to develop originally. The
SDLC has broken the primary delivery stages into eight different deliverables, with each section
requiring an in-depth risk analysis before moving on to the next phase. Which of the following
software development methods is MOST applicable?

A. Spiral model
B. Incremental model
C. Waterfall model
D. Agile model

A. Spiral model
The manager of the firewall team is getting complaints from various IT teams that firewall changes
are causing issues. Which of the following should the manager recommend to BEST address
these issues?

A. Set up a weekly review for relevant teams to discuss upcoming changes likely to have a broad
impact.
B. Update the change request form so that requesting teams can provide additional details about
the requested changes.
C. Require every new firewall rule go through a secondary firewall administrator for review before
pushing the firewall policy.
D. Require the firewall team to verify the change with the requesting team before pushing the
updated firewall policy.

A. Set up a weekly review for relevant teams to discuss upcoming changes likely to have a broad
impact.
An intruder was recently discovered inside the data center, a highly sensitive area. To gain
access, the intruder circumvented numerous layers of physical and electronic security measures.
Company leadership has asked for a thorough review of physical security controls to prevent this
from happening again. Which of the following departments are the MOST heavily invested in rectifying the problem? (Select THREE).

A. Facilities management
B. Human resources
C. Research and development
D. Programming
E. Data center operations
F. Marketing
G. Information technology

A. Facilities management
E. Data center operations
G. Information technology
The helpdesk department desires to roll out a remote support application for internal use on all
company computers. This tool should allow remote desktop sharing, system log gathering, chat,
hardware logging, inventory management, and remote registry access. The risk management
team has been asked to review vendor responses to the RFQ. Which of the following questions is
the MOST important?

A. What are the protections against MITM?
B. What accountability is built into the remote support application?
C. What encryption standards are used in tracking database?
D. What snapshot or “undo” features are present in the application?
E. What encryption standards are used in remote desktop and file transfer functionality?

B. What accountability is built into the remote support application?
A software development manager is taking over an existing software development project. The
team currently suffers from poor communication, and this gap is resulting in an above average
number of security-related bugs making it into production. Which of the following development
methodologies involves daily stand-ups designed to improve communication?

A. Spiral
B. Agile
C. Waterfall
D. Rapid

B. Agile
A software development manager is taking over an existing software development project. The
team currently suffers from poor communication due to a long delay between requirements
documentation and feature delivery. This gap is resulting in an above average number of security-related
bugs making it into production. Which of the following development methodologies is the
team MOST likely using now?

A. Agile
B. Waterfall
C. Scrum
D. Spiral

B. Waterfall
A security manager has received the following email from the Chief Financial Officer (CFO):
“While I am concerned about the security of the proprietary financial data in our ERP application,
we have had a lot of turnover in the accounting group and I am having a difficult time meeting our
monthly performance targets. As things currently stand, we do not allow employees to work from
home but this is something I am willing to allow so we can get back on track. What should we do
first to securely enable this capability for my group?”
Based on the information provided, which of the following would be the MOST appropriate
response to the CFO?

A. Remote access to the ERP tool introduces additional security vulnerabilities and should not be
allowed.
B. Allow VNC access to corporate desktops from personal computers for the users working from
home.
C. Allow terminal services access from personal computers after the CFO provides a list of the
users working from home.
D. Work with the executive management team to revise policies before allowing any remote access.

D. Work with the executive management team to revise policies before allowing any remote access.