Questions and Answers
Which of the following management processes allots ONLY those services required for users to accomplish their tasks, change default user passwords, and set servers to retrieve antivirus updates?
Which of the following practices provides the development team with a definition of security and identification of threats in designing software?
Which of the following is a peer entity authentication method for Point-to-Point Protocol (PPP)?
A system with Internet Protocol (IP) address 10.102.10.2 has a physical address of 00:00:08:00:12:13:14:2f. The following static entry is added to its Address Resolution Protocol (ARP) table: 10.102.10.6: 00:00:08:00:12:13:14:2f. What form of attack could this represent?
Which of the following value comparisons MOST accurately reflects the agile development approach?
Which of the following needs to be included in order for High Availability (HA) to continue operations during planned system outages?
Which of the following is the MOST effective countermeasure against Man-in-the-Middle (MITM) attacks while using online banking?
According to the Capability Maturity Model Integration (CMMI), which of the following levels is identified by a managed process that is tailored from the organization's set of standard processes according to the organization's tailoring guidelines?
Point-to-Point Protocol (PPP) was designed to specifically address what issue?
Which of the following is an advantage of Secure Shell (SSH)?
A security engineer is designing a Customer Relationship Management (CRM) application for a third-party vendor. In which phase of the System Development Life Cycle (SDLC) will it be MOST beneficial to conduct a data sensitivity assessment?
Which of the following is a PRIMARY challenge when running a penetration test?
Which one of the following would cause an immediate review and possible change to the security policies of an organization?
An audit of an application reveals that the current configuration does not match the configuration of the originally implemented application. Which of the following is the FIRST action to be taken?
What is the BEST method if an investigator wishes to analyze a hard drive which may be used as evidence?
Which of the following provides the GREATEST level of data security for a Virtual Private Network (VPN) connection?
What is the purpose of code signing?
What is the PRIMARY objective for conducting an internal security audit?
What is the PRIMARY purpose for an organization to conduct a security audit?
Which testing method requires very limited or no information about the network infrastructure?
Which of the following is a MAJOR concern when there is a need to preserve or retain information for future retrieval?
Which of the following types of data would be MOST difficult to detect by a forensic examiner?
Following a penetration test, what should an organization do FIRST?
An Intrusion Detection System (IDS) is based on the general hypothesis that a security violation is associated with a pattern of system usage which can be
Which of the following models uses unique groups contained in unique conflict classes?
When developing the entitlement review process, which of the following roles is responsible for determining who has a need for the information?
What should an auditor do when conducting a periodic audit on media retention?
Which of the following factors is a PRIMARY reason to drive changes in an Information Security Continuous Monitoring (ISCM) strategy?
Digital non-repudiation requires which of the following?
Data remanence is the biggest threat in which of the following scenarios?
Which of the following is the MOST secure password technique?
Which of the following is a Key Performance Indicator (KPI) for a security training and awareness program?
When are security requirements the LEAST expensive to implement?
What type of attack sends Internet Control Message Protocol (ICMP) echo requests to the target machine with a larger payload than the target can handle?
What is the HIGHEST priority in agile development?
Which of the following is included in the Global System for Mobile Communications (GSM) security framework?
Which of the following is the reason that transposition ciphers are easily recognizable?
How is it possible to extract private keys securely stored on a cryptographic smartcard?
Which of the following is an important requirement when designing a secure remote access system?
Which of the following is the BEST way to mitigate circumvention of access controls?
Which one of the following can be used to detect an anomaly in a system by keeping track of the state of files that do not normally change?
Which of the following is the MOST effective preventative method to identify security flaws in software?
Which of the following BEST describes botnets?
An organization seeks to use a cloud Identity and Access Management (IAM) provider whose protocols and data formats are incompatible with existing systems. Which of the following techniques addresses the compatibility issue?
Which of the following BEST describes the objectives of the Business Impact Analysis (BIA)?
The application owner of a system that handles confidential data leaves an organization. It is anticipated that a replacement will be hired in approximately six months. During that time, which of the following should the organization do?
Which Redundant Array of Independent Disks (RAID) Level does the following diagram represent?
Which of the following is used to ensure that data mining activities will NOT reveal sensitive data?
Why are packet filtering routers used in low-risk environments?
Which of the following protocols will allow the encrypted transfer of content on the Internet?
What requirement MUST be met during internal security audits to ensure that all information provided is expressed as an objective assessment without risk of retaliation?
In order to support the least privilege security principle when a resource is transferring within the organization from a production support system administration role to a developer role, what changes should be made to that resource's access to the production Operating System (OS) directory structure?
What is the FINAL step in the waterfall method for contingency planning?
Which of the following is a security weakness in the evaluation of Common Criteria (CC) products?
What is the second phase of Public Key Infrastructure (PKI) key/certificate life-cycle management?
Which of the following BEST describes the standard used to exchange authorization information between different identity management systems?
What is the PRIMARY objective of an application security assessment?
The security team has been tasked with performing an interface test against a frontend external facing application and needs to verify that all input fields protect against invalid input. Which of the following BEST assists this process?
Which of the following is the FIRST step during digital identity provisioning?
Physical Access Control Systems (PACS) allow authorized security personnel to manage and monitor access control for subjects through which function?
In a large company, a system administrator needs to assign users access to files using Role Based Access Control (RBAC). Which option is an example of RBAC?
During a Disaster Recovery (DR) simulation, it is discovered that the shared recovery site lacks adequate data restoration capabilities to support the implementation of multiple plans simultaneously. What would be impacted by this fact if left unchanged?
What is the MAIN objective of risk analysis in Disaster Recovery (DR) planning?
The adoption of an enterprise-wide Business Continuity (BC) program requires which of the following?
A security professional is assessing the risk in an application and does not take into account any mitigating or compensating controls. This type of risk rating is an example of which of the following?
Which of the following is the BEST way to protect against Structured Query Language (SQL) injection?
When defining a set of security controls to mitigate a risk, which of the following actions MUST occur?
A company-wide penetration test result shows customers could access and read files through a web browser. Which of the following can be used to mitigate this vulnerability?
Which of the following provides the MOST secure method for Network Access Control (NAC)?
What does the result of Cost-Benefit Analysis (CBA) on new security initiatives provide?
Which of the following is considered the PRIMARY security issue associated with encrypted e-mail messages?
Which media sanitization methods should be used for data with a high security categorization?
Which of the following is the MOST secure protocol for remote command access to the firewall?
A minimal implementation of endpoint security includes which of the following?
How should the retention period for an organization's social media content be defined?
In Identity Management (IdM), when is the verification stage performed?
What is the PRIMARY purpose of auditing, as it relates to the security review cycle?
Which of the following access control models is MOST restrictive?
Which of the following is a canon of the (ISC)2 Code of Ethics?
Which of the following will an organization's network vulnerability testing process BEST enhance?
Which of the following is the MOST effective countermeasure against data remanence?
A security professional has been requested by the Board of Directors and Chief Information Security Officer (CISO) to perform an internal and external penetration test. What is the BEST course of action?
The Rivest-Shamir-Adleman (RSA) algorithm is BEST suited for which of the following operations?
Configuring a Wireless Access Point (WAP) with the same Service Set Identifier (SSID) as another WAP in order to have users unknowingly connect is referred to as which of the following?
Which of the following actions should be taken by a security professional when a mission critical computer network attack is suspected?
In what phase of the System Development Life Cycle (SDLC) should security training for the development team begin?
Of the following, which BEST provides non-repudiation with regards to access to a server room?
The personal laptop of an organization executive is stolen from the office, complete with personnel and project records. Which of the following should be done FIRST to mitigate future occurrences?
Which of the following is a standard Access Control List (ACL) element that enables a router to filter Internet traffic?
Which of the following will accomplish Multi-Factor Authentication (MFA)?
Which of the following is the PRIMARY issue when analyzing detailed log information?
How does security in a distributed file system using mutual authentication differ from file security in a multi-user host?
Which of the following explains why classifying data is an important step in performing a risk assessment?
How is Remote Authentication Dial-In User Service (RADIUS) authentication accomplished?
A security professional should ensure that clients support which secondary algorithm for digital signatures when a Secure Multipurpose Internet Mail Extension (S/MIME) is used?
What documentation is produced FIRST when performing an effective physical loss control process?
Who should formulate conclusions from a particular digital fore Ball, Submit a Toper Of Tags, and the results?
A manager identified two conflicting sensitive user functions that were assigned to a single user account that had the potential to result in financial and regulatory risk to the company. The manager MOST likely discovered this during which of the following?
When assessing the audit capability of an application, which of the following activities is MOST important?
A web-based application known to be susceptible to attacks is now under review by a senior developer. The organization would like to ensure this application is less susceptible to injection attacks specifically. What strategy will work BEST for the organization's situation?