1 / 40

Which of the following mechanisms will BEST prevent a Cross-Site Request Forgery (CSRF) attack?

2 / 40

What MUST each information owner do when a system contains data from multiple information owners?

3 / 40

Which of the following is a direct monetary cost of a security incident?

4 / 40

An organization adopts a new firewall hardening standard. How can the security professional verify that the technical staff correctly implemented the new standard?

5 / 40

A security analyst for a large financial institution is reviewing network traffic related to an incident. The analyst determines the traffic is irrelevant to the investigation, but in the process of the review, the analyst also finds that an application's data, which included full credit card cardholder data, is transferred in clear text between the server and the user’s desktop. The analyst knows this violates the Payment Card Industry Data Security Standard (PCI-DSS).
Which of the following is the analyst’s next step?

6 / 40

Which of the following are important criteria when designing procedures and acceptance criteria for acquired software?

7 / 40

A security compliance manager of a large enterprise wants to reduce the time it takes to perform network, system, and application security compliance audits while increasing quality and effectiveness of the results.
What should be implemented to BEST achieve the desired results?

8 / 40

As part of the security assessment plan, the security professional has been asked to use a negative testing strategy on a new website. Which of the following actions would be performed?

9 / 40

A security practitioner is tasked with securing the organization’s Wireless Access Points (WAP). Which of these is the MOST effective way of restricting this environment to authorized users?

10 / 40

Which one of the following considerations has the LEAST impact when considering transmission security?

11 / 40

As part of an application penetration testing process, session hijacking can BEST be achieved by which of the following?

12 / 40

Which of the following is BEST achieved through the use of eXtensible Access Markup Language (XACML)?

13 / 40

An international medical organization with headquarters in the United States (US) and branches in France wants to test a drug in both countries.
What is the organization allowed to do with the test subject’s data?

14 / 40

When developing a business case for updating a security program, the security program owner MUST do which of the following?

15 / 40

The MAIN use of Layer 2 Tunneling Protocol (L2TP) is to tunnel data

16 / 40

Attack trees are MOST useful for which of the following?

17 / 40

What is the MAIN reason for testing a Disaster Recovery Plan (DRP)?

18 / 40

An organization’s security policy delegates to the data owner the ability to assign which user roles have access to a particular resource. What type of authorization mechanism is being used?

19 / 40

What is the second step in the identity and access provisioning lifecycle?

20 / 40

Which of the following management processes allows ONLY those services required for users to accomplish their tasks, changes default user passwords, and sets servers to retrieve antivirus updates?

21 / 40

Which of the following is a benefit in implementing an enterprise Identity and Access Management (IAM) solution?

22 / 40

A Security Operations Center (SOC) receives an incident response notification on a server with an active intruder who has planted a backdoor. Initial notifications are sent and communications are established.
What MUST be considered or evaluated before performing the next step?

23 / 40

Who is responsible for the protection of information when it is shared with or provided to other

24 / 40

The design review for an application has been completed and is ready for release. What technique should an organization use to assure application integrity?

25 / 40

Which of the following is a weakness of Wired Equivalent Privacy (WEP)?

26 / 40

When writing security assessment procedures, what is the MAIN purpose of the test outputs and reports?

27 / 40

Which of the following command line tools can be used in the reconnaissance phase of a network vulnerability assessment?

28 / 40

Which type of security testing is being performed when an ethical hacker has no knowledge about the target system but the testing target is notified before the test?

29 / 40

Which of the following BEST describes Recovery Time Objective (RTO)?

30 / 40

In order to assure authenticity, which of the following are required?

31 / 40

An application developer is deciding on the amount of idle session time that the application allows before a timeout. The BEST reason for determining the session timeout requirement is

32 / 40

An organization’s information security strategic plan MUST be reviewed

33 / 40

Which of the following is a remote access protocol that uses a static authentication?

34 / 40

During which of the following processes is least privilege implemented for a user account?

35 / 40

An employee of a retail company has been granted an extended leave of absence by Human Resources (HR). This information has been formally communicated to the access provisioning team. Which of the following is the BEST action to take?

36 / 40

Which Radio Frequency Interference (RFI) phenomenon associated with bundled cable runs can create information leakage?

37 / 40

What is an advantage of Elliptic Curve Cryptography (ECC)?

38 / 40

For network-based evidence, which of the following contains traffic details of all network sessions in order to detect anomalies?

39 / 40

What does the Maximum Tolerable Downtime (MTD) determine?

40 / 40

Which of the following BEST represents the concept of least privilege?
