Questions and Answers
Which of the following management processes allots ONLY those services required for users to accomplish their tasks, change default user passwords, and set servers to retrieve antivirus updates?
Answer hidden
Which of the following practices provides the development team with a definition of security and identification of threats in designing software?
Answer hidden
Which of the following is a peer entity authentication method for Point-to-Point Protocol (PPP)?
Answer hidden
A system with Internet Protocol (IP) address 10.102.10.2 has a physical address of 00:00:08:00:12:13:14:2f. The following static entry is added to its Address Resolution Protocol (ARP) table: 10.102.10.6: 00:00:08:00:12:13:14:2f. What form of attack could this represent?
Answer hidden
Which of the following value comparisons MOST accurately reflects the agile development approach?
Answer hidden
Which of the following needs to be included in order for High Availability (HA) to continue operations during planned system outages?
Answer hidden
Which of the following is the MOST effective countermeasure against Man-in-the-Middle (MITM) attacks while using online banking?
Answer hidden
According to the Capability Maturity Model Integration (CMMI), which of the following levels is identified by a managed process that is tailored from the organization's set of standard processes according to the organization's tailoring guidelines?
Answer hidden
Point-to-Point Protocol (PPP) was designed to specifically address what issue?
Answer hidden
Which of the following is an advantage of Secure Shell (SSH)?
Answer hidden
A security engineer is designing a Customer Relationship Management (CRM) application for a third-party vendor. In which phase of the System Development Life Cycle (SDLC) will it be MOST beneficial to conduct a data sensitivity assessment?
Answer hidden
Which of the following is a PRIMARY challenge when running a penetration test?
Answer hidden
Which one of the following would cause an immediate review and possible change to the security policies of an organization?
Answer hidden
An audit of an application reveals that the current configuration does not match the configuration of the originally implemented application. Which of the following is the FIRST action to be taken?
Answer hidden
What is the BEST method if an investigator wishes to analyze a hard drive which may be used as evidence?
Answer hidden
Which of the following provides the GREATEST level of data security for a Virtual Private Network (VPN) connection?
Answer hidden
What is the purpose of code signing?
Answer hidden
What is the PRIMARY objective for conducting an internal security audit?
Answer hidden
What is the PRIMARY purpose for an organization to conduct a security audit?
Answer hidden
Which testing method requires very limited or no information about the network infrastructure?
Answer hidden
Which of the following is a MAJOR concern when there is a need to preserve or retain information for future retrieval?
Answer hidden
Which of the following types of data would be MOST difficult to detect by a forensic examiner?
Answer hidden
Following a penetration test, what should an organization do FIRST?
Answer hidden
An Intrusion Detection System (IDS) is based on the general hypothesis that a security violation is associated with a pattern of system usage which can be
Answer hidden
Which of the following models uses unique groups contained in unique conflict classes?
Answer hidden
When developing the entitlement review process, which of the following roles is responsible for determining who has a need for the information?
Answer hidden
What should an auditor do when conducting a periodic audit on media retention?
Answer hidden
Which of the following factors is a PRIMARY reason to drive changes in an Information Security Continuous Monitoring (ISCM) strategy?
Answer hidden
Digital non-repudiation requires which of the following?
Answer hidden
Data remanence is the biggest threat in which of the following scenarios?
Answer hidden
Which of the following is the MOST secure password technique?
Answer hidden
Which of the following is a Key Performance Indicator (KPI) for a security training and awareness program?
Answer hidden
When are security requirements the LEAST expensive to implement?
Answer hidden
What type of attack sends Internet Control Message Protocol (ICMP) echo requests to the target machine with a larger payload than the target can handle?
Answer hidden
What is the HIGHEST priority in agile development?
Answer hidden
Which of the following is included in the Global System for Mobile Communications (GSM) security framework?
Answer hidden
Which of the following is the reason that transposition ciphers are easily recognizable?
Answer hidden
How is it possible to extract private keys securely stored on a cryptographic smartcard?
Answer hidden
Which of the following is an important requirement when designing a secure remote access system?
Answer hidden
Which of the following is the BEST way to mitigate circumvention of access controls?
Answer hidden
Which one of the following can be used to detect an anomaly in a system by keeping track of the state of files that do not normally change?
Answer hidden
Which of the following is the MOST effective preventative method to identify security flaws in software?
Answer hidden
Which of the following BEST describes botnets?
Answer hidden
An organization seeks to use a cloud Identity and Access Management (IAM) provider whose protocols and data formats are incompatible with existing systems. Which of the following techniques addresses the compatibility issue?
Answer hidden
Which of the following BEST describes the objectives of the Business Impact Analysis (BIA)?
Answer hidden
The application owner of a system that handles confidential data leaves an organization. It is anticipated that a replacement will be hired in approximately six months. During that time, which of the following should the organization do?
Answer hidden
Which Redundant Array of Independent Disks (RAID) Level does the following diagram represent?
Answer hidden
Which of the following is used to ensure that data mining activities will NOT reveal sensitive data?
Answer hidden
Why are packet filtering routers used in low-risk environments?
Answer hidden
Which of the following protocols will allow the encrypted transfer of content on the Internet?
Answer hidden
What requirement MUST be met during internal security audits to ensure that all information provided is expressed as an objective assessment without risk of retaliation?
Answer hidden
In order to support the least privilege security principle when a resource is transferring within the organization from a production support system administration role to a developer role, what changes should be made to that resource's access to the production Operating System (OS) directory structure?
Answer hidden
What is the FINAL step in the waterfall method for contingency planning?
Answer hidden
Which of the following is a security weakness in the evaluation of Common Criteria (CC) products?
Answer hidden
What is the second phase of public key infrastructure (PKI) key/certificate life-cycle management?
Answer hidden
Which of the following BEST describes the standard used to exchange authorization information between different identity management systems?
Answer hidden
What is the PRIMARY objective of an application security assessment?
Answer hidden
The security team has been tasked with performing an interface test against a frontend external facing application and needs to verify that all input fields protect against invalid input. Which of the following BEST assists this process?
Answer hidden
Which of the following is the FIRST step during digital identity provisioning?
Answer hidden
Physical Access Control Systems (PACS) allow authorized security personnel to manage and monitor access control for subjects through which function?
Answer hidden
In a large company, a system administrator needs to assign users access to files using Role Based Access Control (RBAC). Which option is an example of RBAC?
Answer hidden
During a Disaster Recovery (DR) simulation, it is discovered that the shared recovery site lacks adequate data restoration capabilities to support the implementation of multiple plans simultaneously. What would be impacted by this fact if left unchanged?
Answer hidden
What is the MAIN objective of risk analysis in Disaster Recovery (DR) planning?
Answer hidden
The adoption of an enterprise-wide Business Continuity (BC) program requires which of the following?
Answer hidden
A security professional is assessing the risk in an application and does not take into account any mitigating or compensating controls. This type of risk rating is an example of which of the following?
Answer hidden
Which of the following is the BEST way to protect against Structured Query Language (SQL) injection?
Answer hidden
When defining a set of security controls to mitigate a risk, which of the following actions MUST occur?
Answer hidden
A company-wide penetration test result shows customers could access and read files through a web browser. Which of the following can be used to mitigate this vulnerability?
Answer hidden
Which of the following provides the MOST secure method for Network Access Control (NAC)?
Answer hidden
What does the result of Cost-Benefit Analysis (CBA) on new security initiatives provide?
Answer hidden
Which of the following is considered the PRIMARY security issue associated with encrypted e-mail messages?
Answer hidden
Which media sanitization methods should be used for data with a high security categorization?
Answer hidden
Which of the following is the MOST secure protocol for remote command access to the firewall?
Answer hidden
A minimal implementation of endpoint security includes which of the following?
Answer hidden
How should the retention period for an organization's social media content be defined?
Answer hidden
In Identity Management (IdM), when is the verification stage performed?
Answer hidden
What is the PRIMARY purpose of auditing, as it relates to the security review cycle?
Answer hidden
Which of the following access control models is MOST restrictive?
Answer hidden
Which of the following is a canon of the (ISC)2 Code of Ethics?
Answer hidden
Which of the following will an organization's network vulnerability testing process BEST enhance?
Answer hidden
Which of the following is the MOST effective countermeasure against data remanence?
Answer hidden
A security professional has been requested by the Board of Directors and Chief Information Security Officer (CISO) to perform an internal and external penetration test. What is the BEST course of action?
Answer hidden
The Rivest-Shamir-Adleman (RSA) algorithm is BEST suited for which of the following operations?
Answer hidden
Configuring a Wireless Access Point (WAP) with the same Service Set Identifier (SSID) as another WAP in order to have users unknowingly connect is referred to as which of the following?
Answer hidden
Which of the following actions should be taken by a security professional when a mission critical computer network attack is suspected?
Answer hidden
In what phase of the System Development Life Cycle (SDLC) should security training for the development team begin?
Answer hidden
Of the following, which BEST provides non-repudiation with regards to access to a server room?
Answer hidden
The personal laptop of an organization executive is stolen from the office, complete with personnel and project records. Which of the following should be done FIRST to mitigate future occurrences?
Answer hidden
Which of the following is a standard Access Control List (ACL) element that enables a router to filter Internet traffic?
Answer hidden
Which of the following will accomplish Multi-Factor Authentication (MFA)?
Answer hidden
Which of the following is the PRIMARY issue when analyzing detailed log information?
Answer hidden
How does security in a distributed file system using mutual authentication differ from file security in a multi-user host?
Answer hidden
Which of the following explains why classifying data is an important step in performing a risk assessment?
Answer hidden
How is Remote Authentication Dial-In User Service (RADIUS) authentication accomplished?
Answer hidden
A security professional should ensure that clients support which secondary algorithm for digital signatures when a Secure Multipurpose Internet Mail Extension (S/MIME) is used?
Answer hidden
What documentation is produced FIRST when performing an effective physical loss control process?
Answer hidden
Who should formulate conclusions from a particular digital fore Ball, Submit a Toper Of Tags, and the results?
Answer hidden
A manager identified two conflicting sensitive user functions that were assigned to a single user account that had the potential to result in financial and regulatory risk to the company. The manager MOST likely discovered this during which of the following?
Answer hidden
When assessing the audit capability of an application, which of the following activities is MOST important?
Answer hidden
A web-based application known to be susceptible to attacks is now under review by a senior developer. The organization would like to ensure this application is less susceptible to injection attacks specifically. What strategy will work BEST for the organization's situation?
Answer hidden