Q1. - (Topic 4) 

A medium-sized company has recently launched an online product catalog. It has decided to keep the credit card purchasing in-house as a secondary potential income stream has been identified in relation to sales leads. The company has decided to undertake a PCI assessment in order to determine the amount of effort required to meet the business objectives. Which compliance category would this task be part of? 

A. Government regulation 

B. Industry standard 

C. Company guideline 

D. Company policy 

View Answer

Q2. - (Topic 1) 

A security firm is writing a response to an RFP from a customer that is building a new network based software product. The firm’s expertise is in penetration testing corporate networks. The RFP explicitly calls for all possible behaviors of the product to be tested, however, it does not specify any particular method to achieve this goal. Which of the following should be used to ensure the security and functionality of the product? (Select TWO). 

A. Code review 

B. Penetration testing 

C. Grey box testing 

D. Code signing 

E. White box testing 

View Answer

Q3. - (Topic 2) 

A web developer is responsible for a simple web application that books holiday accommodations. The front-facing web server offers an HTML form, which asks for a user’s age. This input gets placed into a signed integer variable and is then checked to ensure that the user is in the adult age range. 

Users have reported that the website is not functioning correctly. The web developer has inspected log files and sees that a very large number (in the billions) was submitted just before the issue started occurring. Which of the following is the MOST likely situation that has occurred? 

A. The age variable stored the large number and filled up disk space which stopped the application from continuing to function. Improper error handling prevented the application from recovering. 

B. The age variable has had an integer overflow and was assigned a very small negative number which led to unpredictable application behavior. Improper error handling prevented the application from recovering. 

C. Computers are able to store numbers well above “billions” in size. Therefore, the website issues are not related to the large number being input. 

D. The application has crashed because a very large integer has lead to a “divide by zero”. Improper error handling prevented the application from recovering. 

View Answer

Q4. - (Topic 3) 

Which of the following is the BEST place to contractually document security priorities, responsibilities, guarantees, and warranties when dealing with outsourcing providers? 

A. NDA 

B. OLA 

C. MOU 

D. SLA 

View Answer

Q5. - (Topic 5) 

News outlets are beginning to report on a number of retail establishments that are experiencing payment card data breaches. The data exfiltration is enabled by malware on a compromised computer. After the initial exploit network mapping and fingerprinting occurs in preparation for further exploitation. Which of the following is the MOST effective solution to protect against unrecognized malware infections, reduce detection time, and minimize any damage that might be done? 

A. Remove local admin permissions from all users and change anti-virus to a cloud aware, push technology. 

B. Implement an application whitelist at all levels of the organization. 

C. Deploy a network based heuristic IDS, configure all layer 3 switches to feed data to the IDS for more effective monitoring. 

D. Update router configuration to pass all network traffic through a new proxy server with advanced malware detection. 

View Answer

Q6. - (Topic 1) 

A large organization has recently suffered a massive credit card breach. During the months of Incident Response, there were multiple attempts to assign blame for whose fault it was that the incident occurred. In which part of the incident response phase would this be addressed in a controlled and productive manner? 

A. During the Identification Phase 

B. During the Lessons Learned phase 

C. During the Containment Phase 

D. During the Preparation Phase 

View Answer

Q7. - (Topic 4) 

Company A needs to export sensitive data from its financial system to company B’s database, using company B’s API in an automated manner. Company A’s policy prohibits the use of any intermediary external systems to transfer or store its sensitive data, therefore the transfer must occur directly between company A’s financial system and company B’s destination server using the supplied API. Additionally, company A’s legacy financial software does not support encryption, while company B’s API supports encryption. Which of the following will provide end-to-end encryption for the data transfer while adhering to these requirements? 

A. Company A must install an SSL tunneling service on the financial system. 

B. Company A’s security administrator should use an HTTPS capable browser to transfer the data. 

C. Company A should use a dedicated MPLS circuit to transfer the sensitive data to company B. 

D. Company A and B must create a site-to-site IPSec VPN on their respective firewalls. 

View Answer

Q8. - (Topic 3) 

As part of the ongoing information security plan in a large software development company, the Chief Information officer (CIO) has decided to review and update the company’s privacy policies and procedures to reflect the changing business environment and business requirements. 

Training and awareness of the new policies and procedures has been incorporated into the security awareness program which should be: 

A. presented by top level management to only data handling staff. 

B. customized for the various departments and staff roles. 

C. technical in nature to ensure all development staff understand the procedures. 

D. used to promote the importance of the security department. 

View Answer

Q9. - (Topic 1) 

In order to reduce costs and improve employee satisfaction, a large corporation is creating a BYOD policy. It will allow access to email and remote connections to the corporate enterprise from personal devices; provided they are on an approved device list. Which of the following security measures would be MOST effective in securing the enterprise under the new policy? (Select TWO). 

A. Provide free email software for personal devices. 

B. Encrypt data in transit for remote access. 

C. Require smart card authentication for all devices. 

D. Implement NAC to limit insecure devices access. 

E. Enable time of day restrictions for personal devices. 

View Answer

Q10. - (Topic 5) 

A software development manager is taking over an existing software development project. The team currently suffers from poor communication due to a long delay between requirements documentation and feature delivery. This gap is resulting in an above average number of security-related bugs making it into production. Which of the following development methodologies is the team MOST likely using now? 

A. Agile 

B. Waterfall 

C. Scrum 

D. Spiral 

View Answer