New Questions 6

A new web based application has been developed and deployed in production. A security engineer decides to use an HTTP interceptor for testing the application. Which of the following problems would MOST likely be uncovered by this tool?

A. The tool could show that input validation was only enabled on the client side

B. The tool could enumerate backend SQL database table and column names

C. The tool could force HTTP methods such as DELETE that the server has denied

D. The tool could fuzz the application to determine where memory leaks occur

View Answer

New Questions 7

A developer has implemented a piece of client-side JavaScript code to sanitize a useru2021s

provided input to a web page login screen. The code ensures that only the upper case and lower case letters are entered in the username field, and that only a 6-digit PIN is entered in the password field. A security administrator is concerned with the following web server log:

10.235.62.11 u2013 - [02/Mar/2014:06:13:04] u201cGET

/site/script.php?user=admin&pass=pass%20or%201=1 HTTP/1.1u201d 200 5724

Given this log, which of the following is the security administrator concerned with and which fix should be implemented by the developer?

A. The security administrator is concerned with nonprintable characters being used to gain administrative access, and the developer should strip all nonprintable characters.

B. The security administrator is concerned with XSS, and the developer should normalize Unicode characters on the browser side.

C. The security administrator is concerned with SQL injection, and the developer should implement server side input validation.

D. The security administrator is concerned that someone may log on as the administrator, and the developer should ensure strong passwords are enforced.

View Answer

New Questions 8

An external auditor has found that IT security policies in the organization are not maintained and in some cases are nonexistent. As a result of the audit findings, the CISO has been tasked with the objective of establishing a mechanism to manage the lifecycle of IT security policies. Which of the following can be used to BEST achieve the CISOu2021s objectives?

A. CoBIT

B. UCF

C. ISO 27002

D. eGRC

View Answer

New Questions 9

The Chief Information Security Officer (CISO) at a company knows that many users store business documents on public cloud-based storage; and realizes this is a risk to the company. In response, the CISO implements a mandatory training course in which all employees are instructed on the proper use of cloud-based storage. Which of the following risk strategies did the CISO implement?

A. Avoid

B. Accept

C. Mitigate

D. Transfer

View Answer

New Questions 10

An industry organization has implemented a system to allow trusted authentication between all of its partners. The system consists of a web of trusted RADIUS servers communicating over the Internet. An attacker was able to set up a malicious server and conduct a successful man-in-the-middle attack. Which of the following controls should be implemented to mitigate the attack in the future?

A. Use PAP for secondary authentication on each RADIUS server

B. Disable unused EAP methods on each RADIUS server

C. Enforce TLS connections between RADIUS servers

D. Use a shared secret for each pair of RADIUS servers

View Answer

New Questions 11

The sales team is considering the deployment of a new CRM solution within the enterprise. The IT and Security teams are members of the project; however, neither team has expertise or experience with the proposed system. Which of the following activities should be performed FIRST?

A. Visit a company who already has the technology, sign an NDA, and read their latest risk assessment.

B. Contact the top vendor, assign IT and Security to work together to implement a demo and pen test the system.

C. Work with Finance to do a second ROI calculation before continuing further with the project.

D. Research the market, select the top vendors and solicit RFPs from those vendors.

View Answer

New Questions 12

The organization has an IT driver on cloud computing to improve delivery times for IT solution provisioning. Separate to this initiative, a business case has been approved for replacing the existing banking platform for credit card processing with a newer offering. It is the security practitioneru2021s responsibility to evaluate whether the new credit card processing platform can be hosted within a cloud environment. Which of the following BEST balances the security risk and IT drivers for cloud computing?

A. A third-party cloud computing platform makes sense for new IT solutions. This should be endorsed going forward so as to align with the IT strategy. However, the security practitioner will need to ensure that the third-party cloud provider does regular penetration tests to ensure that all data is secure.

B. Using a third-party cloud computing environment should be endorsed going forward. This aligns with the organizationu2021s strategic direction. It also helps to shift any risk and regulatory compliance concerns away from the companyu2021s internal IT department. The next step will be to evaluate each of the cloud computing vendors, so that a vendor can then be selected for hosting the new credit card processing platform.

C. There may be regulatory restrictions with credit cards being processed out of country or processed by shared hosting providers. A private cloud within the company should be considered. An options paper should be created which outlines the risks, advantages, disadvantages of relevant choices and it should recommended a way forward.

D. Cloud computing should rarely be considered an option for any processes that need to be significantly secured. The security practitioner needs to convince the stakeholders that the new platform can only be delivered internally on physical infrastructure.

View Answer

New Questions 13

Joe, the Chief Executive Officer (CEO), was an Information security professor and a Subject Matter Expert for over 20 years. He has designed a network defense method which he says is significantly better than prominent international standards. He has recommended that the company use his cryptographic method. Which of the following methodologies should be adopted?

A. The company should develop an in-house solution and keep the algorithm a secret.

B. The company should use the CEOu2021s encryption scheme.

C. The company should use a mixture of both systems to meet minimum standards.

D. The company should use the method recommended by other respected information security organizations.

View Answer

New Questions 14

An organization would like to allow employees to use their network username and password to access a third-party service. The company is using Active Directory Federated Services for their directory service. Which of the following should the company ensure is supported by the third-party? (Select TWO).

A. LDAP/S

B. SAML

C. NTLM

D. OAUTH

E. Kerberos

View Answer

New Questions 15

A security administrator is investigating the compromise of a SCADA network that is not physically connected to any other network. Which of the following is the MOST likely cause of the compromise?

A. Outdated antivirus definitions

B. Insecure wireless

C. Infected USB device

D. SQL injection

View Answer