Dump - 13

FondNarwhal

100 Questions

A company needs to provide shared access of sensitive data on a cloud storage to external business partners. Which of the following identity models is the BEST to blind identity providers (IdP) and relying parties (RP) so that subscriber lists of other parties are not disclosed?

Answer hidden

Which algorithm gets its security from the difficulty of calculating discrete logarithms in a finite field and is used to distribute keys, but cannot be used to encrypt or decrypt messages?

Answer hidden

Which Wide Area Network (WAN) technology requires the first router in the path to determine the full path the packet will travel, removing the need for other routers in the path to make independent determinations?

Answer hidden

An organization recently suffered from a web-application attack that resulted in stolen user session cookie information. The attacker was able to obtain the information when a user's browser executed a script upon visiting a compromised website. What type of attack MOST likely occurred?

Answer hidden

An organization recently upgraded to a Voice over Internet Protocol (VoIP) phone system. Management is concerned with unauthorized phone usage. A security consultant is responsible for putting together a plan to secure these phones. Administrators have assigned unique personal identification number codes for each person in the organization. What is the BEST solution?

Answer hidden

Which of the following regulations dictates how data breaches are handled?

Answer hidden

Which of the following is fundamentally required to address potential security issues when initiating software development?

Answer hidden

Which of the following is the BEST method a security practitioner can use to ensure that systems and sub-systems gracefully handle invalid input?

Answer hidden

An information security administrator wishes to block peer-to-peer (P2P) traffic over Hypertext Transfer Protocol (HTTP) tunnels. Which of the following layers of the Open Systems Interconnection (OSI) model requires inspection?

Answer hidden

An organization has requested storage area network (SAN) disks for a new project. What Redundant Array of Independent Disks (RAID) level provides the BEST redundancy and fault tolerance?

Answer hidden

An organization has implemented a password complexity policy and an account lockout policy enforcing a limit of five incorrect login attempts within ten minutes. Network users have reported significantly increased account lockouts. Which of the following security principles is this company affecting?

Answer hidden

In the last 15 years a company has experienced three electrical failures. The cost associated with each failure is listed below. Which of the following would be a reasonable annual loss expectation?

Availability: 60000
Integrity: 10000
Confidentiality: 0
Total: 70000

Answer hidden

Which of the following addresses requirements of security assessments during software acquisition?

Answer hidden

Which of the following BEST obtains an objective audit of security controls?

Answer hidden

Which of the following is established to collect information in accordance with pre-established metrics, utilizing information readily available in part through implemented security controls?

Answer hidden

In order to provide dual assurance in a digital signature system, the design MUST include which of the following?

Answer hidden

Which of the following attacks, if successful, could give an intruder complete control of a software-defined networking (SDN) architecture?

Answer hidden

What type of investigation applies when malicious behavior is suspected between two organizations?

Answer hidden

The Chief Information Security Officer (CISO) of a small organization is making a case for building a security operations center (SOC). While debating between an in-house, fully outsourced, or a hybrid capability, which of the following would be the MAIN consideration, regardless of the model?

Answer hidden

What are the three key benefits that application developers should derive from the northbound application programming interface (API) of software defined networking (SDN)?

Answer hidden

What security principle addresses the issue of "Security by Obscurity"?

Answer hidden

In Federated Identity Management (FIM), which of the following represents the concept of federation?

Answer hidden

A software engineer uses automated tools to review application code and search for application flaws, back doors, or other malicious code. Which of the following is the FIRST Software Development Life Cycle (SDLC) phase where this takes place?

Answer hidden

Which of the following vulnerability assessment activities BEST exemplifies the Examine method of assessment?

Answer hidden

Which of the following is the MOST appropriate control for asset data labeling procedures?

Answer hidden

What BEST describes the confidentiality, integrity, availability triad?

Answer hidden

When developing an external facing web-based system, which of the following would be the MAIN focus of the security assessment prior to implementation and production?

Answer hidden

What type of risk is related to the sequences of value-adding and managerial activities undertaken in an organization?

Answer hidden

In an environment where there is not full administrative control over all network connected endpoints, such as a university where non-corporate devices are used, what is the BEST way to restrict access to the network?

Answer hidden

Which of the following threats would be MOST likely mitigated by monitoring assets containing open source libraries for vulnerabilities?

Answer hidden

Which of the following is the BEST way to determine the success of a patch management process?

Answer hidden

A company needs to provide employee access to travel services, which are hosted by a third-party service provider. Employee experience is important, and when users are already authenticated, access to the travel portal is seamless. Which of the following methods is used to share information and grant user access to the travel portal?

Answer hidden

Why is data classification control important to an organization?

Answer hidden

Which of the following is the strongest physical access control?

Answer hidden

While dealing with the consequences of a security incident, which of the following security controls are MOST appropriate?

Answer hidden

A Chief Information Security Officer (CISO) of a firm which decided to migrate to cloud has been tasked with ensuring an optimal level of security. Which of the following would be the FIRST consideration?

Answer hidden

Which technique helps system designers consider potential security concerns of their systems and applications?

Answer hidden

What is the MOST important goal of conducting security assessments?

Answer hidden

A hospital's building controls system monitors and operates the environmental equipment to maintain a safe and comfortable environment. Which of the following could be used to minimize the risk of utility supply interruption?

Answer hidden

To monitor the security of buried data lines inside the perimeter of a facility, which of the following is the MOST effective control?

Answer hidden

What is the BEST method to use for assessing the security impact of acquired software?

Answer hidden

Which of the following is the MOST effective way to ensure the endpoint devices used by remote users are compliant with an organization's approved policies before being allowed on the network?

Answer hidden

Which of the following factors should be considered characteristics of Attribute Based Access Control (ABAC) in terms of the attributes used?

Answer hidden

A security architect is developing an information system for a client. One of the requirements is to deliver a platform that mitigates against common vulnerabilities and attacks. What is the MOST efficient option used to prevent buffer overflow attacks?

Answer hidden

A security engineer is assigned to work with the patch and vulnerability management group. The deployment of a new patch has been approved and needs to be applied. The research is complete, and the security engineer has provided recommendations. Where should the patch be applied FIRST?

Answer hidden

When telephones in a city are connected by a single exchange, the caller can only connect with the switchboard operator. The operator then manually connects the call. This is an example of which type of network topology?

Answer hidden

Which of the following departments initiates the request, approval, and provisioning business process?

Answer hidden

Which of the following should be done at a disaster site before any item is removed, repaired, or replaced?

Answer hidden

Which organizational department is ultimately responsible for information governance related to email and other e-records?

Answer hidden

What is the FIRST step in risk management?

Answer hidden

Which element of software supply chain management has the GREATEST security risk to organizations?

Answer hidden

A colleague who recently left the organization asked a security professional for a copy of the organization's confidential incident management policy. Which of the following is the BEST response to this request?

Answer hidden

Within a large organization, what business unit is BEST positioned to initiate provisioning and deprovisioning of user accounts?

Answer hidden

An enterprise is developing a baseline cybersecurity standard its suppliers must meet before being awarded a contract. Which of the following statements is TRUE about the baseline cybersecurity standard?

Answer hidden

Which of the following is the MOST effective strategy to prevent an attacker from disabling a network?

Answer hidden

Which of the following features is MOST effective in mitigating against theft of data on a corporate mobile device which has been stolen?

Answer hidden

An organization is implementing data encryption using symmetric ciphers and the Chief Information Officer (CIO) is concerned about the risk of using one key to protect all sensitive data. The security practitioner has been tasked with recommending a solution to address the CIO's concerns. Which of the following is the BEST approach to achieving the objective by encrypting all sensitive data?

Answer hidden

International bodies established a regulatory scheme that defines how weapons are exchanged between the signatories. It also addresses cyber weapons, including malicious software, Command and Control (C2) software, and internet surveillance software. This is a description of which of the following?

Answer hidden

In software development, developers should use which type of queries to prevent a Structured Query Language (SQL) injection?

Answer hidden

Which of the following BEST describes when an organization should conduct a black box security audit on a new software product?

Answer hidden

The Chief Information Officer (CIO) has decided that as part of business modernization efforts the organization will move towards a cloud architecture. All business-critical data will be migrated to either internal or external cloud services within the next two years. The CIO has a PRIMARY obligation to work with personnel in which role in order to ensure proper protection of data during and after the cloud migration?

Answer hidden

When reviewing vendor certifications for handling and processing of company data, which of the following is the BEST Service Organization Controls (SOC) certification for the vendor to possess?

Answer hidden

Which of the following is a covert channel type?

Answer hidden

Which change management role is responsible for the overall success of the project and supporting the change throughout the organization?

Answer hidden

Which of the following is a unique feature of attribute-based access control (ABAC)?

Answer hidden

When auditing the Software Development Life Cycle (SDLC), which of the following is one of the high-level audit phases?

Answer hidden

Which of the following BEST describes the purpose of Border Gateway Protocol (BGP)?

Answer hidden

Which of the following is the PRIMARY purpose of installing a mantrap within a facility?

Answer hidden

A security professional can BEST mitigate the risk of using a Commercial Off-The-Shelf (COTS) solution by deploying the application with which of the following controls in ?

Answer hidden

Which of the following would an information security professional use to recognize changes to content, particularly unauthorized changes?

Answer hidden

An organization with divisions in the United States (US) and the United Kingdom (UK) processes data comprised of personal information belonging to subjects living in the European Union (EU) and in the US. Which data MUST be handled according to the privacy protections of General Data Protection Regulation (GDPR)?

Answer hidden

Which of the following has the responsibility of information technology (IT) governance?

Answer hidden

Dumpster diving is a technique used in which stage of penetration testing methodology?

Answer hidden

What is the MOST common cause of Remote Desktop Protocol (RDP) compromise?

Answer hidden

An organization is looking to include mobile devices in its asset management system for better tracking. In which system tier of the reference architecture would mobile devices be tracked?

Answer hidden

Which is MOST important when negotiating an Internet service provider (ISP) service-level agreement (SLA) by an organization that solely provides Voice over Internet Protocol (VoIP) services?

Answer hidden

A company developed a web application which is sold as a Software as a Service (SaaS) solution to the customer. The application is hosted by a web server running on a specific operating system (OS) on a virtual machine (VM). During the transition phase of the service, it is determined that the support team will need access to the application logs. Which of the following privileges would be the MOST suitable?

Answer hidden

A systems engineer is designing a wide area network (WAN) environment for a new organization. The WAN will connect sites holding information at various levels of sensitivity, from publicly available to highly confidential. The organization requires a high degree of interconnectedness to support existing business processes. What is the BEST design approach to securing this environment?

Answer hidden

Which event magnitude is defined as deadly, destructive, and disruptive when a hazard interacts with human vulnerability?

Answer hidden

Which of the following goals represents a modern shift in risk management according to National Institute of Standards and Technology (NIST)?

Answer hidden

A web developer is completing a new web application security checklist before releasing the application to production. The task of disabling unnecessary services is on the checklist. Which web application threat is being mitigated by this action?

Answer hidden

Which of the following is a limitation of the Bell-LaPadula model?

Answer hidden

Which of the following is the BEST option to reduce the network attack surface of a system?

Answer hidden

Which of the following is the PRIMARY reason for selecting the appropriate level of detail for audit record generation?

Answer hidden

A financial organization that works according to agile principles has developed a new application for their external customer base to request a line of credit. A security analyst has been asked to assess the security risk of the minimum viable product (MVP). Which is the MOST important activity the analyst should assess?

Answer hidden

When configuring Extensible Authentication Protocol (EAP) in a Voice over Internet Protocol (VoIP) network, which of the following authentication types is the MOST secure?

Answer hidden

An organization would like to ensure that all new users have a predefined departmental access template applied upon creation. The organization would also like additional access for users to be granted on a per-project basis. What type of user access administration is BEST suited to meet the organization's needs?

Answer hidden

A firm within the defense industry has been directed to comply with contractual requirements for encryption of a government client's Controlled Unclassified Information (CUI). What encryption strategy represents how to protect data at rest in the MOST efficient and cost-effective manner?

Answer hidden

A software developer installs a game on their organization-provided smartphone. Upon installing the game, the software developer is prompted to allow the game access to call logs, Short Message Service (SMS) messaging, and Global Positioning System (GPS) location data. What has the game MOST likely introduced to the smartphone?

Answer hidden

A developer is creating an application that requires secure logging of all user activity. What is the BEST permission the developer should assign to the log file to ensure requirements are met?

Answer hidden

What industry-recognized document could be used as a baseline reference that is related to data security and business operations for conducting a security assessment?

Answer hidden

A scan report returned multiple vulnerabilities affecting several production servers that are mission critical. Attempts to apply the patches in the development environment have caused the servers to crash. What is the BEST course of action?

Answer hidden

Which of the following would be the BEST guideline to follow when attempting to avoid the exposure of sensitive data?

Answer hidden

Which application type is considered high risk and provides a common way for malware and viruses to enter a network?

Answer hidden

In a disaster recovery (DR) test, which of the following would be a trait of crisis management?

Answer hidden

The existence of physical barriers, card and personal identification number (PIN) access systems, cameras, alarms, and security guards BEST describes this security approach?

Answer hidden

A software architect has been asked to build a platform to distribute music to thousands of users on a global scale. The architect has been reading about content delivery networks (CDN). Which of the following is a principal task to undertake?

Answer hidden

Which of the following BEST describes centralized identity management?

Answer hidden

A database server for a financial application is scheduled for production deployment. Which of the following controls will BEST prevent tampering?

Answer hidden

What is the FIRST step that should be considered in a Data Loss Prevention (DLP) program?

Answer hidden
