The Chief Information Security Officer (CISO) regularly receives reports of a single department repeatedly violating the corporate security policy. The head of the department in question informs the CISO that the offending behaviors are a result of necessary business activities. The CISO assigns a junior security administrator to solve the issue. Which of the following is the BEST course of action for the junior security administrator to take?
A. Work with the department head to find an acceptable way to change the business needs so the department no longer violates the corporate security policy.
B. Draft an RFP for the purchase of a COTS product or consulting services to solve the problem through implementation of technical controls.
C. Work with the CISO and department head to create an SLA specifying the response times of the IT security department when incidents are reported.
D. Draft an MOU for the department head and CISO to approve, documenting the limits of the necessary behavior, and actions to be taken by both teams.
A security administrator at Company XYZ is trying to develop a body of knowledge to enable heuristic and behavior-based security event monitoring of activities on a geographically distributed network. Instrumentation has been chosen to allow the network to be monitored and measured. Which of the following is the BEST methodology to use in establishing this baseline?
A. Model the network in a series of VMs; instrument the systems to record comprehensive metrics; run a large volume of simulated data through the model; record and analyze results; document expected future behavior.
B. Completely duplicate the network on virtual machines; replay eight hours of captured corporate network traffic through the duplicate network; instrument the network; analyze the results; document the baseline.
C. Instrument the operational network; simulate extra traffic on the network; analyze NetFlow information from all network devices; document the baseline volume of traffic.
D. Schedule testing on operational systems when users are not present; instrument the systems to log all network traffic; monitor the network for at least eight hours; analyze the results; document the established baseline.
A new IDS device is generating a very large number of irrelevant events. Which of the following would BEST remedy this problem?
A. Change the IDS to use a heuristic anomaly filter.
B. Adjust IDS filters to decrease the number of false positives.
C. Change the IDS filter to data mine the false positives for statistical trending data.
D. Adjust IDS filters to increase the number of false negatives.
The Chief Information Security Officer (CISO) at a software development company is concerned about the lack of introspection during a testing cycle of the company's flagship product. Testing was conducted by a small offshore consulting firm, and the report by the consulting firm clearly indicates that limited test cases were used and many of the code paths remained untested.
The CISO raised concerns about the testing results at the monthly risk committee meeting, highlighting the need to get to the bottom of the product behaving unexpectedly in only some large enterprise deployments.
The Security Assurance and Development teams highlighted their availability to redo the testing if required.
Which of the following will provide the MOST thorough testing?
A. Have the small consulting firm redo the black box testing.
B. Use the internal teams to perform grey box testing.
C. Use the internal teams to perform black box testing.
D. Use the internal teams to perform white box testing.
E. Use a larger consulting firm to perform black box testing.
A security code reviewer has been engaged to manually review a legacy application. A number of systemic issues have been uncovered relating to buffer overflows and format string vulnerabilities.
The reviewer has advised that future software projects utilize managed code platforms if at all possible.
Which of the following languages would suit this recommendation? (Select TWO).
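As an added illustration that is not part of the original question, the two defect classes the reviewer found are shown below in C, each in a vulnerable form beside a hardened form, together with a small helper a reviewer can script to flag strings that contain conversion specifiers. The function names (log_unsafe, log_safe, copy_unsafe, copy_safe, count_format_specs, copy_safe_len) and the sample inputs are illustrative assumptions, not code from the page or any product.

```c
#include <stdio.h>
#include <string.h>

/* Added example: buffer overflow and format string defects, vulnerable vs hardened.
 * All function names and inputs here are illustrative (assumed for this example). */

/* Vulnerable: attacker-controlled text becomes the format argument, so %x leaks
 * stack contents and %n writes to memory. Shown for contrast; main() never calls it. */
void log_unsafe(const char *user) {
    printf(user);
}

/* Hardened: user data is always passed as a %s argument, never as the format. */
void log_safe(const char *user) {
    printf("%s\n", user);
}

/* Vulnerable: unbounded copy into a caller's fixed-size buffer. */
void copy_unsafe(char *dst, const char *src) {
    strcpy(dst, src);
}

/* Hardened: bounded copy that always NUL-terminates and reports truncation.
 * Returns 1 if the whole input fit, 0 if it was truncated (or dst_len is 0). */
int copy_safe(char *dst, size_t dst_len, const char *src) {
    if (dst_len == 0) return 0;
    size_t n = strlen(src);
    if (n >= dst_len) {
        memcpy(dst, src, dst_len - 1);
        dst[dst_len - 1] = '\0';
        return 0;
    }
    memcpy(dst, src, n + 1);
    return 1;
}

/* Review helper: count conversion specifiers ('%' not followed by another '%').
 * Any count above zero in data that reaches a format parameter deserves a look. */
size_t count_format_specs(const char *s) {
    size_t n = 0;
    for (; *s; s++) {
        if (*s == '%') {
            if (s[1] == '%') { s++; continue; }   /* "%%" is a literal percent */
            n++;
        }
    }
    return n;
}

/* Convenience wrapper: copy src into a cap-byte local buffer (cap <= 64) with
 * copy_safe and return the stored length, to demonstrate truncation behaviour. */
size_t copy_safe_len(const char *src, size_t cap) {
    char buf[64];
    if (cap > sizeof buf) cap = sizeof buf;
    copy_safe(buf, cap, src);
    return strlen(buf);
}

int main(void) {
    /* Constructed inputs: an over-long name and a string carrying format specifiers. */
    const char *long_name = "AAAAAAAAAAAAAAAA";   /* 16 bytes, buffer holds 8 */
    const char *hostile  = "%x %x %n";
    char name[8];

    int fit = copy_safe(name, sizeof name, long_name);
    printf("fit=%d stored=\"%s\" len=%zu\n", fit, name, strlen(name));

    printf("format specifiers in hostile input: %zu\n", count_format_specs(hostile));
    log_safe(hostile);   /* prints the specifiers literally; log_unsafe would interpret them */
    return 0;
}
```

Managed platforms remove the unbounded strcpy class entirely, but the format string lesson still applies to any API that accepts a template (logging frameworks, string formatters): keep user input out of the template position.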
A bank now has a major initiative to virtualize as many servers as possible, due to power and rack space constraints at both data centers. The bank has prioritized virtualizing older servers first, as their hardware is nearing end-of-life.
The two initial migrations include:
– Windows 2000 hosts: domain controllers and front-facing web servers
– RHEL3 hosts: front-facing web servers
Which of the following should the security consultant recommend based on best practices?
A. One data center should host virtualized web servers and the second data center should host the virtualized domain controllers.
B. One virtual environment should be present at each data center, each housing a combination of the converted Windows 2000 and RHEL3 virtual machines.
C. Each data center should contain one virtual environment for the web servers and another virtual environment for the domain controllers.
D. Each data center should contain one virtual environment housing converted Windows 2000 virtual machines and converted RHEL3 virtual machines.
After being informed that the company DNS is unresponsive, the system administrator issues the following command from a Linux workstation:
– ssh -p 2020 -l user dnsserver.company.com
Once at the command prompt, the administrator issues the below command:
– service bind restart
The system returns the below response:
– Unable to restart BIND
Which of the following is true about the above situation?
A. The administrator must use the sudo command in order to restart the service.
B. The administrator used the wrong SSH port to restart the DNS server.
C. The service was restarted correctly, but it failed to bind to the network interface.
D. The service did not restart because the bind command is privileged.
Which of the following is an example of single sign-on?
A. An administrator manages multiple platforms with the same username and hardware token. The same username and token are used across all the platforms.
B. Multiple applications have been integrated with a centralized LDAP directory for authentication and authorization. A user has to authenticate each time the user accesses an application.
C. A password is synchronized between multiple platforms and the user is required to authenticate with the same password across each platform.
D. A web access control infrastructure performs authentication and passes attributes in an HTTP header to multiple applications.
Company XYZ has just purchased Company ABC through a new acquisition. A business decision has been made to integrate the two companies' networks, applications, and several basic services.
The initial integration of the two companies has specified the following requirements:
– Company XYZ requires access to the web intranet, file, print, secure FTP server, and authentication domain resources
– Company XYZ is being onboarded into Company ABC's authentication domain
– Company XYZ is considered partially trusted
– Company XYZ does not want performance issues when accessing ABC’s systems
Which of the following network security solutions will BEST meet the above requirements?
A. Place a Company ABC managed firewall in Company XYZ’s hub site; then place Company ABC’s file, print, authentication, and secure FTP servers in a zone off the firewall. Ensure that Company ABC’s business partner firewalls are opened up for web intranet access and other required services.
B. Require Company XYZ to manage the router ACLs, controlling access to Company ABC resources, but with Company ABC approving the change control to the ACLs. Open up Company ABC's business partner firewall to permit access to Company ABC's file, print, secure FTP server, authentication servers and web intranet access.
C. Place no restrictions on internal network connectivity between Company XYZ and Company ABC. Open up Company ABC’s business partner firewall to permit access to Company ABC’s file, print, secure FTP server, authentication servers and web intranet access.
D. Place file, print, secure FTP server and authentication domain servers at Company XYZ’s hub site. Open up Company ABC’s business partner firewall to permit access to ABC’s web intranet access and other required services.
In developing a new computing lifecycle process for a large corporation, the security team is developing the process for decommissioning computing equipment. In order to reduce the potential for data leakage, which of the following should the team consider? (Select TWO).
A. Erase all files on the drive
B. Install a standard image
C. Remove and hold all drives
D. Physical destruction
E. Drive wipe