An internal employee has sold a copy of the production customer database that was being used for upgrade testing to outside parties via HTTP file upload. The Chief Information Officer (CIO) has resigned and the Chief Executive Officer (CEO) has tasked the incoming CIO with putting effective controls in place to help prevent this from occurring again in the future. Which of the following controls is the MOST effective in preventing this threat from re-occurring?

A. Network-based intrusion prevention system

B. Data loss prevention

C. Host-based intrusion detection system

D. Web application firewall


Answer: B




A security manager has provided a Statement of Work (SOW) to an external penetration testing firm for a web application security test. The web application starts with a very simple HTML survey form with two components: a country selection dropdown list and a submit button. The penetration testers are required to provide their test cases for this survey form in advance. In order to adequately test the input validation of the survey form, which of the following tools would be the BEST tool for the technician to use?

A. HTTP interceptor

B. Vulnerability scanner

C. Port scanner

D. Fuzzer


Answer: A




An online banking application has had its source code updated and is soon to be re-launched. The underlying infrastructure has not been changed. In order to ensure that the application has an appropriate security posture, several security-related activities are required.

Which of the following security activities should be performed to provide an appropriate level of security testing coverage? (Select TWO).

A. Penetration test across the application with accounts of varying access levels (i.e. non-authenticated, authenticated, and administrative users).

B. Code review across critical modules to ensure that security defects, Trojans, and backdoors are not present.

C. Vulnerability assessment across all of the online banking servers to ascertain host and container configuration lock-down and patch levels.

D. Fingerprinting across all of the online banking servers to ascertain open ports and services.

E. Black box code review across the entire code base to ensure that there are no security defects present.


Answer: A,B




Within a large organization, the corporate security policy states that personal electronic devices are not allowed to be placed on the company network. There is considerable pressure from the company board to allow smartphones to connect and synchronize email and calendar items of board members and company executives. Which of the following options BEST balances the security and usability requirements of the executive management team?

A. Allow only the executive management team the ability to use personal devices on the company network, as they have important responsibilities and need convenient access.

B. Review the security policy. Perform a risk evaluation of allowing devices that can be centrally managed, remotely disabled, and have device-level encryption of sensitive data.

C. Stand firm on disallowing non-company assets from connecting to the network as the assets may lead to undesirable security consequences, such as sensitive emails being leaked outside the company.

D. Allow only certain devices that are known to have the ability of being centrally managed. Do not allow any other smartphones until the device is proven to be centrally managed.


Answer: B




A replacement CRM has had its business case approved. In preparation for a requirements workshop, an architect is working with a business analyst to ensure that appropriate security requirements have been captured. Which of the following documents BEST captures the security requirements?

A. Business requirements document

B. Requirements traceability matrix document

C. Use case and viewpoints document

D. Solution overview document


Answer: A




Which of the following BEST defines the term e-discovery?

A. A product that provides IT-specific governance, risk management, and compliance.

B. A form of reconnaissance used by penetration testers to discover listening hosts.

C. A synonymous term for computer emergency response and incident handling.

D. A process of producing electronically stored information for use as evidence.


Answer: D




A new project initiative involves replacing a legacy core HR system, and is expected to touch many major operational systems in the company. A security administrator is engaged in the project to provide security consulting advice. In addition, there are database, network, application, HR, and transformation management consultants engaged on the project as well. The administrator has established the security requirements. Which of the following is the NEXT logical step?

A. Document the security requirements in an email and move on to the next most urgent task.

B. Organize for a requirements workshop with the non-technical project members, being the HR and transformation management consultants.

C. Communicate the security requirements with all stakeholders for discussion and buy-in.

D. Organize for a requirements workshop with the technical project members, being the database, network, and application consultants.


Answer: C





SDLC is being used for the commissioning of a new platform. To provide an appropriate level of assurance, the security requirements that were specified at the project origin need to be carried through to implementation. Which of the following would BEST help to determine if this occurred?

A. Requirements workshop

B. Security development lifecycle (SDL)

C. Security requirements traceability matrix (SRTM)

D. Secure code review and penetration test


Answer: C




An IT administrator has installed new DNS name servers (Primary and Secondary), which are used to host the company MX records and resolve the web server’s public address. In order to secure the zone transfer between the primary and secondary server, the administrator uses only server ACLs. Which of the following attacks could the secondary DNS server still be susceptible to?

A. Email spamming

B. IP spoofing

C. Clickjacking

D. DNS replication


Answer: B




The Chief Executive Officer (CEO) has decided to outsource systems which are not core business functions; however, a recent review by the risk officer has indicated that core business functions are dependent on the outsourced systems. The risk officer has requested that the IT department calculates the priority of restoration for all systems and applications under the new business model. Which of the following is the BEST tool to achieve this?

A. Business impact analysis

B. Annualized loss expectancy analysis

C. TCO analysis

D. Residual risk and gap analysis


Answer: A


