Q1. - (Topic 5) 

A security manager has received the following email from the Chief Financial Officer (CFO): 

“While I am concerned about the security of the proprietary financial data in our ERP application, we have had a lot of turnover in the accounting group and I am having a difficult time meeting our monthly performance targets. As things currently stand, we do not allow employees to work from home but this is something I am willing to allow so we can get back on track. What should we do first to securely enable this capability for my group?” 

Based on the information provided, which of the following would be the MOST appropriate response to the CFO? 

A. Remote access to the ERP tool introduces additional security vulnerabilities and should not be allowed. 

B. Allow VNC access to corporate desktops from personal computers for the users working from home. 

C. Allow terminal services access from personal computers after the CFO provides a list of the users working from home. 

D. Work with the executive management team to revise policies before allowing any remote access. 

View Answer

Q2. - (Topic 3) 

The VoIP administrator starts receiving reports that users are having problems placing phone calls. The VoIP administrator cannot determine the issue, and asks the security administrator for help. The security administrator reviews the switch interfaces and does not see an excessive amount of network traffic on the voice network. Using a protocol analyzer, the security administrator does see an excessive number of SIP INVITE packets destined for the SIP proxy. Based on the information given, which of the following types of attacks is underway and how can it be remediated? 

A. Man in the middle attack; install an IPS in front of SIP proxy. 

B. Man in the middle attack; use 802.1x to secure voice VLAN. 

C. Denial of Service; switch to more secure H.323 protocol. 

D. Denial of Service; use rate limiting to limit traffic. 

View Answer

Q3. - (Topic 1) 

An extensible commercial software system was upgraded to the next minor release version to patch a security vulnerability. After the upgrade, an unauthorized intrusion into the system was detected. The software vendor is called in to troubleshoot the issue and reports that all core components were updated properly. Which of the following has been overlooked in securing the system? (Select TWO). 

A. The company’s IDS signatures were not updated. 

B. The company’s custom code was not patched. 

C. The patch caused the system to revert to http. 

D. The software patch was not cryptographically signed. 

E. The wrong version of the patch was used. 

F. Third-party plug-ins were not patched. 

View Answer

Q4. - (Topic 4) 

The Chief Executive Officer (CEO) of a large prestigious enterprise has decided to reduce business costs by outsourcing to a third party company in another country. Functions to be outsourced include: business analysts, testing, software development and back office functions that deal with the processing of customer data. The Chief Risk Officer (CRO) is concerned about the outsourcing plans. Which of the following risks are MOST likely to occur if adequate controls are not implemented? 

A. Geographical regulation issues, loss of intellectual property and interoperability agreement issues 

B. Improper handling of client data, interoperability agreement issues and regulatory issues 

C. Cultural differences, increased cost of doing business and divestiture issues 

D. Improper handling of customer data, loss of intellectual property and reputation damage 

View Answer

Q5. - (Topic 3) 

A database administrator comes across the below records in one of the databases during an internal audit of the payment system: 

UserIDAddressCredit Card No.Password 

jsmith123 fake street55XX-XXX-XXXX-1397Password100 

jqdoe234 fake street42XX-XXX-XXXX-202717DEC12 

From a security perspective, which of the following should be the administrator’s GREATEST concern, and what will correct the concern? 

A. Concern: Passwords are stored in plain text. Correction: Require a minimum of 8 alphanumeric characters and hash the password. 

B. Concern: User IDs are also usernames, and could be enumerated, thereby disclosing sensitive account information. Correction: Require user IDs to be more complex by using alphanumeric characters and hash the UserIDs. 

C. Concern: User IDs are confidential private information. Correction: Require encryption of user IDs. 

D. Concern: More than four digits within a credit card number are stored. Correction: Only store the last four digits of a credit card to protect sensitive financial information. 

View Answer

Q6. - (Topic 3) 

New zero-day attacks are announced on a regular basis against a broad range of technology systems. Which of the following best practices should a security manager do to manage the risks of these attack vectors? (Select TWO). 

A. Establish an emergency response call tree. 

B. Create an inventory of applications. 

C. Backup the router and firewall configurations. 

D. Maintain a list of critical systems. 

E. Update all network diagrams. 

View Answer

Q7. - (Topic 5) 

A Chief Information Security Officer (CISO) is approached by a business unit manager who heard a report on the radio this morning about an employee at a competing firm who shipped a VPN token overseas so a fake employee could log into the corporate VPN. The CISO asks what can be done to mitigate the risk of such an incident occurring within the organization. Which of the following is the MOST cost effective way to mitigate such a risk? 

A. Require hardware tokens to be replaced on a yearly basis. 

B. Implement a biometric factor into the token response process. 

C. Force passwords to be changed every 90 days. 

D. Use PKI certificates as part of the VPN authentication process. 

View Answer

Q8. - (Topic 2) 

A penetration tester is inspecting traffic on a new mobile banking application and sends the following web request: 

POST http://www.example.com/resources/NewBankAccount HTTP/1.1 

Content-type: application/json 

{ 

“account”: 

[ 

{ “creditAccount”:”Credit Card Rewards account”} { 

 “salesLeadRef”:”www.example.com/badcontent/exploitme.exe”} 

], 

“customer”: 

[ 

{ “name”:”Joe Citizen”} { “custRef”:”3153151”} 

] 

} 

The banking website responds with: 

HTTP/1.1 200 OK 

{ 

“newAccountDetails”: 

[ 

{ “cardNumber”:”1234123412341234”} { “cardExpiry”:”2021-12-31”} 

{ “cardCVV”:”909”} 

], 

“marketingCookieTracker”:“JSESSIONID=000000001” 

“returnCode”:“Account added successfully” 

} 

Which of the following are security weaknesses in this example? (Select TWO). 

A. Missing input validation on some fields 

B. Vulnerable to SQL injection 

C. Sensitive details communicated in clear-text 

D. Vulnerable to XSS 

E. Vulnerable to malware file uploads 

F. JSON/REST is not as secure as XML 

View Answer