NEW QUESTION 1
The helpdesk department desires to roll out a remote support application for internal use on all company computers. This tool should allow remote desktop sharing, system log gathering, chat, hardware logging, inventory management, and remote registry access. The risk management team has been asked to review vendor responses to the RFQ. Which of the following questions is the MOST important?

• A. What are the protections against MITM?
• B. What accountability is built into the remote support application?
• C. What encryption standards are used in tracking database?
• D. What snapshot or “undo” features are present in the application?
• E. What encryption standards are used in remote desktop and file transfer functionality?

Answer: B

NEW QUESTION 2
A security administrator at a Lab Company is required to implement a solution which will provide the highest level of confidentiality possible to all data on the lab network.
The current infrastructure design includes:
The network is protected with a firewall implementing ACLs, a NIPS device, and secured wireless access points.
Which of the following cryptographic improvements should be made to the current architecture to achieve the stated goals?

• A. PKI based authorization
• B. Transport encryption
• C. Data at rest encryption
• D. Code signing

Answer: B

NEW QUESTION 3
The risk manager has requested a security solution that is centrally managed, can easily be updated, and protects end users' workstations from both known and unknown malicious attacks when connected to either the office or home network. Which of the following would BEST meet this requirement?

• A. HIPS
• B. UTM
• C. Antivirus
• D. NIPS
• E. DLP

Answer: A

NEW QUESTION 4
select id, firstname, lastname from authors User input= firstname= Hack;man lastname=Johnson
Which of the following types of attacks is the user attempting?

• A. XML injection
• B. Command injection
• C. Cross-site scripting
• D. SQL injection

Answer: D

NEW QUESTION 5
A security consultant is called into a small advertising business to recommend which security policies and procedures would be most helpful to the business. The business is comprised of 20 employees, operating off of two shared servers. One server houses employee data and the other houses client data. All machines are on the same local network. Often these employees must work remotely from client sites, but do not access either of the servers remotely. Assuming no security policies or procedures are in place right now, which of the following would be the MOST applicable for implementation? (Select TWO).

• A. Password Policy
• B. Data Classification Policy
• C. Wireless Access Procedure
• D. VPN Policy
• E. Database Administrative Procedure

Answer: AB

NEW QUESTION 6
Company XYZ is in negotiations to acquire Company ABC for $1.2millon. Due diligence activities have uncovered systemic security issues in the flagship product of Company ABC. It has been established that a complete product rewrite would be needed with average estimates indicating a cost of $1.6millon. Which of the following approaches should the risk manager of Company XYZ recommend?

• A. Transfer the risk
• B. Accept the risk
• C. Mitigate the risk
• D. Avoid the risk

Answer: D

NEW QUESTION 7
A system administrator needs to meet the maximum amount of security goals for a new DNS infrastructure. The administrator deploys DNSSEC extensions to the domain names
and infrastructure. Which of the following security goals does this meet? (Select TWO).

• A. Availability
• B. Authentication
• C. Integrity
• D. Confidentiality
• E. Encryption

Answer: BC

NEW QUESTION 8
A security firm is writing a response to an RFP from a customer that is building a new network based software product. The firm’s expertise is in penetration testing corporate networks. The RFP explicitly calls for all possible behaviors of the product to be tested, however, it does not specify any particular method to achieve this goal. Which of the following should be used to ensure the security and functionality of the product? (Select TWO).

• A. Code review
• B. Penetration testing
• C. Grey box testing
• D. Code signing
• E. White box testing

Answer: AE

NEW QUESTION 9
The audit department at a company requires proof of exploitation when conducting internal network penetration tests. Which of the following provides the MOST conclusive proof of compromise without further compromising the integrity of the system?

• A. Provide a list of grabbed service banners.
• B. Modify a file on the system and include the path in the test’s report.
• C. Take a packet capture of the test activity.
• D. Add a new test user account on the system.

Answer: C

NEW QUESTION 10
An organization would like to allow employees to use their network username and password to access a third-party service. The company is using Active Directory Federated Services for their directory service. Which of the following should the company ensure is supported by the third-party? (Select TWO).

• A. LDAP/S
• B. SAML
• C. NTLM
• D. OAUTH
• E. Kerberos

Answer: BE

NEW QUESTION 11
Company XYZ has purchased and is now deploying a new HTML5 application. The company wants to hire a penetration tester to evaluate the security of the client and server components of the proprietary web application before launch. Which of the following is the penetration tester MOST likely to use while performing black box testing of the security of the company’s purchased application? (Select TWO).

• A. Code review
• B. Sandbox
• C. Local proxy
• D. Fuzzer
• E. Web vulnerability scanner

Answer: CD

NEW QUESTION 12
The Information Security Officer (ISO) is reviewing new policies that have been recently made effective and now apply to the company. Upon review, the ISO identifies a new requirement to implement two-factor authentication on the company’s wireless system. Due to budget constraints, the company will be unable to implement the requirement for the next two years. The ISO is required to submit a policy exception form to the Chief Information Officer (CIO). Which of the following are MOST important to include when submitting the exception form? (Select THREE).

• A. Business or technical justification for not implementing the requirements.
• B. Risks associated with the inability to implement the requirements.
• C. Industry best practices with respect to the technical implementation of the current
• D. controls.
• E. All sections of the policy that may justify non-implementation of the requirements.
• F. A revised DRP and COOP plan to the exception form.
• G. Internal procedures that may justify a budget submission to implement the new requirement.
• H. Current and planned controls to mitigate the risks.

Answer: ABG

NEW QUESTION 13
An enterprise must ensure that all devices that connect to its networks have been previously approved. The solution must support dual factor mutual authentication with strong identity assurance. In order to reduce costs and administrative overhead, the security architect wants to outsource identity proofing and second factor digital delivery to the third party. Which of the following solutions will address the enterprise requirements?

• A. Implementing federated network access with the third party.
• B. Using a HSM at the network perimeter to handle network device access.
• C. Using a VPN concentrator which supports dual factor via hardware tokens.
• D. Implementing 802.1x with EAP-TTLS across the infrastructure.

Answer: D

NEW QUESTION 14
The Chief Information Security Officer (CISO) regularly receives reports of a single department repeatedly violating the corporate security policy. The head of the department in question informs the CISO that the offending behaviors are a result of necessary business activities. The CISO assigns a junior security administrator to solve the issue. Which of the following is the BEST course of action for the junior security administrator to take?

• A. Work with the department head to find an acceptable way to change the business needs so the department no longer violates the corporate security policy.
• B. Draft an RFP for the purchase of a COTS product or consulting services to solve the problem through implementation of technical controls.
• C. Work with the CISO and department head to create an SLA specifying the response times of the IT security department when incidents are reported.
• D. Draft an MOU for the department head and CISO to approve, documenting the limits of the necessary behavior, and actions to be taken by both teams.

Answer: D

NEW QUESTION 15
A security administrator is tasked with implementing two-factor authentication for the company VPN. The VPN is currently configured to authenticate VPN users against a backend RADIUS server. New company policies require a second factor of authentication, and the Information Security Officer has selected PKI as the second factor. Which of the following should the security administrator configure and implement on the VPN concentrator to implement the second factor and ensure that no error messages are displayed to the user during the VPN connection? (Select TWO).

• A. The user’s certificate private key must be installed on the VPN concentrator.
• B. The CA’s certificate private key must be installed on the VPN concentrator.
• C. The user certificate private key must be signed by the CA.
• D. The VPN concentrator’s certificate private key must be signed by the CA and installed on the VPN concentrator.
• E. The VPN concentrator’s certificate private key must be installed on the VPN concentrator.
• F. The CA’s certificate public key must be installed on the VPN concentrator.

Answer: EF

NEW QUESTION 16
A security consultant is hired by a company to determine if an internally developed web application is vulnerable to attacks. The consultant spent two weeks testing the application, and determines that no vulnerabilities are present. Based on the results of the tools and tests available, which of the following statements BEST reflects the security status of the application?

• A. The company’s software lifecycle management improved the security of the application.
• B. There are no vulnerabilities in the application.
• C. The company should deploy a web application firewall to ensure extra security.
• D. There are no known vulnerabilities at this time.

Answer: D

NEW QUESTION 17
Wireless users are reporting issues with the company’s video conferencing and VoIP systems. The security administrator notices internal DoS attacks from infected PCs on the network causing the VoIP system to drop calls. The security administrator also notices that the SIP servers are unavailable during these attacks. Which of the following security controls will MOST likely mitigate the VoIP DoS attacks on the network? (Select TWO).

• A. Install a HIPS on the SIP servers
• B. Configure 802.1X on the network
• C. Update the corporate firewall to block attacking addresses
• D. Configure 802.11e on the network
• E. Configure 802.1q on the network

Answer: AD

NEW QUESTION 18
Ann is testing the robustness of a marketing website through an intercepting proxy. She has intercepted the following HTTP request:
POST /login.aspx HTTP/1.1 Host: comptia.org
Content-type: text/html txtUsername=ann&txtPassword=ann&alreadyLoggedIn=false&submit=true
Which of the following should Ann perform to test whether the website is susceptible to a simple authentication bypass?

• A. Remove all of the post data and change the request to /login.aspx from POST to GET
• B. Attempt to brute force all usernames and passwords using a password cracker
• C. Remove the txtPassword post data and change alreadyLoggedIn from false to true
• D. Remove the txtUsername and txtPassword post data and toggle submit from true to false

Answer: C

NEW QUESTION 19
A sensitive database needs its cryptographic integrity upheld. Which of the following controls meets this goal? (Select TWO).

• A. Data signing
• B. Encryption
• C. Perfect forward secrecy
• D. Steganography
• E. Data vaulting
• F. RBAC
• G. Lock and key

Answer: AF

NEW QUESTION 20
The Chief Information Security Officer (CISO) at a software development company is concerned about the lack of introspection during a testing cycle of the company’s flagship product. Testing was conducted by a small offshore consulting firm and the report by the consulting firm clearly indicates that limited test cases were used and many of the code paths remained untested.
The CISO raised concerns about the testing results at the monthly risk committee meeting, highlighting the need to get to the bottom of the product behaving unexpectedly in only some large enterprise deployments.
The Security Assurance and Development teams highlighted their availability to redo the testing if required.
Which of the following will provide the MOST thorough testing?

• A. Have the small consulting firm redo the Black box testing.
• B. Use the internal teams to perform Grey box testing.
• C. Use the internal team to perform Black box testing.
• D. Use the internal teams to perform White box testing.
• E. Use a larger consulting firm to perform Black box testing.

Answer: D