A Chief Information Security Officer (CISO) has been trying to eliminate some IT security risks for several months. These risks are not high profile but still exist. Furthermore, many of these risks have been mitigated with innovative solutions. However, at this point in time, the budget is insufficient to deal with the risks. Which of the following risk strategies should be used?
A. Transfer the risks
B. Avoid the risks
C. Accept the risks
D. Mitigate the risks
The firm’s CISO has been working with the Chief Procurement Officer (CPO) and the Senior Project Manager (SPM) on soliciting bids for a series of HIPS and NIPS products for a major installation in the firm’s new Hong Kong office. After reviewing RFQs received from three vendors, the CPO and the SPM have not gained any real data regarding the specifications about any of the solutions and want that data before the procurement continues. Which of the following will the CPO and SPM have the CISO do at this point to get back on track in this procurement process?
A. Ask the three submitting vendors for a full-blown RFP so that the CPO and SPM can move to the next step.
B. Contact the three submitting vendor firms and have them submit supporting RFIs to provide more detailed information about their product solutions.
C. Provide the CPO and the SPM a personalized summary from what the CISO knows about these three submitting vendors.
D. Inform the three submitting vendors that their quotes are null and void at this time and that they are disqualified based upon their RFQs.
To prevent a third party from identifying a specific user as having previously accessed a service provider through an SSO operation, SAML uses which of the following?
A. Transient identifiers
B. SOAP calls
C. Discovery profiles
D. Security bindings
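The mechanism behind this question, as an added example (not part of the question bank): a SAML transient NameID is a one-time opaque handle that the identity provider mints per session, so a service provider (or a third party that sees two assertions) cannot tell that they belong to the same principal; a persistent NameID is stable for one user at one service provider, which is what makes it linkable. The assertion skeletons below are constructed and unsigned, and the IdP secret and the HMAC derivation of persistent identifiers are illustrative assumptions, not something the SAML specification prescribes.

```python
"""SAML NameID formats: transient vs persistent, and what a relying party can link.

Added example, not from the question bank. Assertion skeletons are constructed
and unsigned; the IdP secret and the HMAC derivation of persistent IDs are
illustrative assumptions, not something the SAML spec prescribes.
"""
import hashlib
import hmac
import uuid
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


class IdentityProvider:
    def __init__(self, entity_id, secret):
        self.entity_id = entity_id
        self._secret = secret
        # Mapping from transient handle to real user. It exists only at the IdP,
        # for the lifetime of the session; the SP never sees the real user.
        self._sessions = {}

    def _assertion(self, fmt, value, audience):
        return (f'<saml:Assertion xmlns:saml="{NS["saml"]}" ID="_{uuid.uuid4().hex}" Version="2.0">'
                f'<saml:Issuer>{self.entity_id}</saml:Issuer>'
                f'<saml:Subject><saml:NameID Format="{fmt}">{value}</saml:NameID></saml:Subject>'
                f'<saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
                f'</saml:AudienceRestriction></saml:Conditions></saml:Assertion>')

    def issue_transient(self, user, sp_entity_id):
        # Fresh random handle every time: two logins by the same user are unrelated.
        handle = "_" + uuid.uuid4().hex
        self._sessions[handle] = user
        return self._assertion(TRANSIENT, handle, sp_entity_id)

    def issue_persistent(self, user, sp_entity_id):
        # Assumption for illustration: a pairwise id derived with HMAC so the same
        # user gets a stable value at one SP but an unrelated value at another SP.
        msg = f"{user}|{sp_entity_id}".encode()
        digest = hmac.new(self._secret, msg, hashlib.sha256).hexdigest()
        return self._assertion(PERSISTENT, digest[:32], sp_entity_id)


def parse_nameid(assertion_xml):
    """Return (format, value) of the assertion's Subject/NameID."""
    root = ET.fromstring(assertion_xml)
    nid = root.find("saml:Subject/saml:NameID", NS)
    return nid.get("Format"), nid.text


def can_link(assertion_a, assertion_b):
    """Can a party holding both assertions tell they describe the same user?

    Linking is only possible when the NameID format and value both match.
    """
    fmt_a, val_a = parse_nameid(assertion_a)
    fmt_b, val_b = parse_nameid(assertion_b)
    return fmt_a == fmt_b and val_a == val_b


if __name__ == "__main__":
    idp = IdentityProvider("https://idp.example.org", b"constructed-secret")
    sp = "https://sp.example.com"
    t1, t2 = idp.issue_transient("alice", sp), idp.issue_transient("alice", sp)
    p1, p2 = idp.issue_persistent("alice", sp), idp.issue_persistent("alice", sp)
    print("transient, same user twice, linkable:", can_link(t1, t2))
    print("persistent, same user twice, linkable:", can_link(p1, p2))
```

Only the IdP can turn a transient handle back into a user, and only while the session table entry exists; a service provider that wants to recognise a returning user must ask for a persistent (or other stable) format instead, which is precisely the linkage the transient format is designed to prevent.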
SAML entities can operate in a variety of different roles. Valid SAML roles include which of the following?
A. Attribute authority and certificate authority
B. Certificate authority and attribute requestor
C. Identity provider and service provider
D. Service provider and administrator
A financial institution has decided to purchase a very expensive resource management system and has selected the product and vendor. The vendor is experiencing some minor, but public, legal issues. Senior management has some concerns on maintaining this system should the vendor go out of business. Which of the following should the Chief Information Security Officer (CISO) recommend to BEST limit exposure?
A. Include a source code escrow clause in the contract for this system.
B. Require proof-of-insurance by the vendor in the RFP for this system.
C. Include a penalty clause in the contract for this system.
D. Require on-going maintenance as part of the SLA for this system.
A company decides to purchase COTS software. This can introduce new security risks to the network. Which of the following is the BEST description of why this is true?
A. COTS software is typically well known and widely available. Information concerning vulnerabilities and viable attack patterns are never revealed by the developer to avoid a lawsuit.
B. COTS software is not well known and is only available in limited quantities. Information concerning vulnerabilities is kept internal to the company that developed the software.
C. COTS software is well known and widely available. Information concerning vulnerabilities and viable attack patterns is typically ignored within the IT community.
D. COTS software is well known and widely available. Information concerning vulnerabilities and viable attack patterns is typically shared within the IT community.
Which of the following is a security concern with deploying COTS products within the network?
A. It is difficult to verify the security of COTS code because the source is available to the customer and it takes significant man hours to sort through it.
B. COTS software often provides the source code as part of the licensing agreement and it becomes the company’s responsibility to verify the security.
C. It is difficult to verify the security of COTS code because the source is not available to the customer in many cases.
D. COTS source code is readily available to the customer in many cases which opens the customer’s network to both internal and external attacks.
The database team has suggested deploying a SOA based system across the enterprise. The Chief Information Officer (CIO) has decided to consult the security manager about the risk implications for adopting this architecture. Which of the following are concerns that the security manager should present to the CIO concerning the SOA system? (Select TWO).
A. Users and services are centralized and only available within the enterprise.
B. Users and services are distributed, often times over the Internet.
C. SOA centrally manages legacy systems, and opens the internal network to vulnerabilities.
D. SOA abstracts legacy systems as a virtual device and is susceptible to VMEscape.
E. SOA abstracts legacy systems as web services, which are often exposed to outside threats.
The security team for Company XYZ has determined that someone from outside the organization has obtained sensitive information about the internal organization by querying the external DNS server of the company. The security manager is tasked with making sure this problem does not occur in the future. How would the security manager address this problem?
A. Implement a split DNS, only allowing the external DNS server to contain information about domains that only the outside world should be aware, and an internal DNS server to maintain authoritative records for internal systems.
B. Implement a split DNS, only allowing the external DNS server to contain information about internal domain resources that the outside world would be interested in, and an internal DNS server to maintain authoritative records for internal systems.
C. Implement a split DNS, only allowing the external DNS server to contain information about domains that only the outside world should be aware, and an internal DNS server to maintain non-authoritative records for external systems.
D. Implement a split DNS, only allowing the internal DNS server to contain information about domains the outside world should be aware of, and an external DNS server to maintain authoritative records for internal systems.
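The scenario in this question modelled in code, as an added example (not part of the question bank): a split-horizon DNS serves a different zone depending on whether the client is inside or outside the organisation. The external view carries only the names the outside world needs; the internal view is authoritative for internal hosts. The model also keeps the misconfiguration being asked about, a single flat zone served to everyone, so the two can be compared by running a hostname brute-force against each. Zone contents, address ranges and the wordlist are constructed for illustration.

```python
"""Split-horizon DNS model: why the external server must carry only public records.

Added example, not from the question bank. Zone data, network ranges and the
wordlist are constructed for illustration.
"""
import ipaddress

# Constructed: address ranges treated as "inside" the organisation.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed zone data. The external zone holds only names the outside world
# needs; the internal zone is authoritative for everything inside.
EXTERNAL_ZONE = {
    "www.example.com.":  ("A", "203.0.113.10"),
    "mail.example.com.": ("A", "203.0.113.25"),
    "example.com.":      ("MX", "10 mail.example.com."),
}
INTERNAL_ZONE = {
    "www.example.com.":         ("A", "10.0.0.10"),   # internal address of the same host
    "mail.example.com.":        ("A", "10.0.0.25"),
    "example.com.":             ("MX", "10 mail.example.com."),
    "intranet.example.com.":    ("A", "10.1.2.3"),
    "db01.corp.example.com.":   ("A", "10.1.5.7"),
    "backup.corp.example.com.": ("A", "10.1.5.9"),
}
# The misconfiguration in the question: one zone, internal records included,
# answered to anyone who asks.
FLAT_ZONE = {**EXTERNAL_ZONE, **INTERNAL_ZONE}


def canonical(name):
    """Normalise a query name to a lower-case fully qualified form."""
    return name.lower().rstrip(".") + "."


def select_view(client_ip):
    """Pick the view from the source address, as BIND-style views do."""
    ip = ipaddress.ip_address(client_ip)
    return "internal" if any(ip in net for net in INTERNAL_NETS) else "external"


def resolve_split(client_ip, name):
    """Answer from the zone that matches the client's view."""
    zone = INTERNAL_ZONE if select_view(client_ip) == "internal" else EXTERNAL_ZONE
    return zone.get(canonical(name), "NXDOMAIN")


def resolve_flat(client_ip, name):
    """Answer from the single merged zone regardless of who asks."""
    return FLAT_ZONE.get(canonical(name), "NXDOMAIN")


def enumerate_hosts(resolver, client_ip, wordlist, domain="example.com"):
    """What a client learns by brute-forcing hostnames against a resolver.

    Returns {fqdn: record} for every guess that did not come back NXDOMAIN.
    """
    found = {}
    for label in wordlist:
        for candidate in (f"{label}.{domain}", f"{label}.corp.{domain}"):
            answer = resolver(client_ip, candidate)
            if answer != "NXDOMAIN":
                found[canonical(candidate)] = answer
    return found


WORDLIST = ["www", "mail", "intranet", "db01", "backup", "vpn"]  # constructed

if __name__ == "__main__":
    outsider, insider = "198.51.100.7", "10.5.5.5"
    print("flat zone, outsider learns: ", sorted(enumerate_hosts(resolve_flat, outsider, WORDLIST)))
    print("split DNS, outsider learns: ", sorted(enumerate_hosts(resolve_split, outsider, WORDLIST)))
    print("split DNS, insider learns:  ", sorted(enumerate_hosts(resolve_split, insider, WORDLIST)))
```

With the flat zone the outsider's brute force recovers the intranet and corp hostnames and their RFC 1918 addresses; with the split configuration the same brute force yields only the public hosts, while an internal client still receives the full, authoritative internal answers. The view selection here keys on source address, which is the usual approach, but in practice the two views are normally separate servers (or separate listeners) so that a misconfigured ACL cannot collapse them back into one zone.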
Unit testing for security functionality and resiliency to attack, as well as developing secure code and exploit mitigation, occur in which of the following phases of the Secure Software Development Lifecycle?
A. Secure Software Requirements
B. Secure Software Implementation
C. Secure Software Design
D. Software Acceptance