[[Block: Domain 1: Security and Risk Management]]
1.What is the final step of a quantitative risk analysis?
Conduct a cost/benefit analysis.
Assess the annualized rate of occurrence.
Derive the annualized loss expectancy.
Determine asset value.
2.Which one of the following is appropriate for multifactor authentication?
Fingerprint scan
Personal identification number (PIN)
Security question
3.You are completing your business continuity planning effort and have decided that you wish to accept one of the risks. What should you do next?
Document your decision-making process.
Design a disaster recovery plan.
Repeat the business impact assessment.
Implement new security controls to reduce the risk level.
4.Which one of the following individuals is normally responsible for fulfilling the operational data protection responsibilities delegated by senior management, such as validating data integrity, testing backups, and managing security policies?
Data custodian
Data owner
5.Which information security goal is impacted when an organization experiences a DoS or DDoS attack?
Availability
Independence
Profitability
6._____, also known as defense in depth, is simply the use of multiple controls in a series. No one control can protect against all possible threats.
Abstraction
Data Hiding
Encryption
7._____ is the primary means by which data is protected based on its need for secrecy, sensitivity, or confidentiality and value.
Data classification
Data allocation
Data management
Data laundry
[[Block: Domain 2: Asset Security]]
8.Angela is an information security architect at a bank and has been assigned to ensure that transactions are secure as they traverse the network. She recommends that all transactions use TLS. What threat is she most likely attempting to stop, and what method is she using to protect against it?
Sniffing, encryption
Packet injection, encryption
Man-in-the-middle, VPN
Sniffing, TEMPEST
9.What scenario describes data at rest?
Data stored on a system drive (HDD or SSD)
Data in an e-commerce transaction
Data in an IPSec tunnel
Data stored in RAM
10.What is the primary purpose of data classification?
It identifies the value of the data to the organization.
It helps prioritize IT expenditures.
It allows compliance with breach notification laws.
It quantifies the cost of a data breach.
11.AES is an example of
Block cipher algorithms
Public key cryptography algorithms
Stream cipher algorithms
SSL encryption algorithms
12.Public key cryptography is so-named because:
The key that is used to encrypt a message does not need to be kept a secret, but can be made public
Its use is not restricted by patents
It utilizes an open source encryption algorithm
It is highly popular
13.Full disk encryption like Microsoft’s BitLocker is used to protect data in what state?
Data at rest
Data in transit
Unlabeled data
Labeled data
[[Block: Domain 3: Security Architecture and Engineering]]
14.What concept describes the degree of confidence that an organization has that its controls satisfy security requirements?
Credentialing
Verification
15.What type of security vulnerability are developers most likely to introduce into code when they seek to facilitate their own access, for testing purposes, to software they developed?
Maintenance hook
Cross-site scripting
SQL injection
Buffer overflow
16.What name is given to the random value added to a password in an attempt to defeat rainbow table attacks?
17.You would like to implement application control technology in your organization. Users often need to install new applications for research and testing purposes, and you don’t want to interfere with that process. At the same time, you would like to block the use of known malicious software. What type of application control would be appropriate in this situation?
Blacklisting
Graylisting
Whitelisting
Bluelisting
18.What action can you take to prevent accidental data disclosure due to wear leveling on an SSD device before reusing the drive?
Disk encryption
Reformatting
Degaussing
Physical destruction
[[Block: Domain 4: Communication and Network Security]]
19.What network tool can be used to protect the identity of clients while providing Internet access by accepting client requests, altering the source addresses of the requests, mapping requests to clients, and sending the modified requests out to their destination?
20.A remote access tool that copies what is displayed on a desktop PC to a remote computer is an example of what type of technology?
Screen scraping
Remote node operation
Remote control
21.Peter is receiving reports from end users that their internet connections are extremely slow. He looks at the firewall and determines that there are thousands of unexpected inbound connections per second arriving from all over the world. What type of attack is most likely occurring?
A distributed denial of service attack
A smurf attack
22.You are designing a Wi-Fi network and have been asked to choose the most secure option for the network. Which wireless security standard will you choose?
23.A denial of service (DoS) attack that sends fragmented TCP packets is known as what kind of attack?
Christmas tree
Stack killer
Frag grenade
24.What type of attack is most likely to occur after a successful ARP spoofing attempt?
A man-in-the-middle attack
A replay attack
A DoS attack
[[Block: Domain 5: Identity and Access Management]]
25.Fingerprint is what type of authentication factor?
Something you are
Something you have
Something you know
Somewhere you are
26.What type of access controls allow the owner of a file to grant other users access to it using an access control list?
Discretionary
Nondiscretionary
Rule based
Role based
27.When an application or system allows a logged-in user to perform specific actions, it is an example of what?
Authorization
Group management
28.When you input a user ID and password, you are performing what important identity and access management activity?
Validation
Authorization
Authentication
29.What authentication protocol does Windows use by default for Active Directory systems?
30.The purpose of a background verification is to:
Obtain independent verification of claims on an employment application
Determine if the applicant should be hired
Determine if the applicant is suitable for the job description
Determine the applicant’s honesty
31.CIA refers to:
Confidentiality, integrity, and availability of information and systems
Confidentiality, integrity, and assessment of information and systems
Confidence, integrity, and audit of information and systems
Cryptography, integrity, and audit of information and systems
[[Block: Domain 6: Security Assessment and Testing]]
32.You want to use an automated tool to fill web application forms to test for format string vulnerabilities. What type of tool should you use?
A brute-force tool
A black box
A static analysis tool
33.You have been contracted to perform a penetration test of a bank’s primary branch. In order to make the test as realistic as possible, you haven’t been given any information about the bank other than its name and address. What type of penetration test have you agreed to perform?
A black box penetration test
A gray box penetration test
A crystal box penetration test
A white box penetration test
34.Which of the following vulnerabilities is unlikely to be found by a web vulnerability scanner?
Race condition
Local file inclusion
Path disclosure
Buffer overflow
35.What is the first step that should occur before a penetration test is performed?
Getting permission
Port scanning
Data gathering
36.What type of vulnerability is most likely not to be found by a vulnerability scanner?
Zero-day vulnerabilities
Service vulnerabilities
Local vulnerabilities
Vulnerabilities that require authentication
37.What term describes software testing that is intended to uncover new bugs introduced by patches or configuration changes?
Regression testing
Evolution testing
Smoke testing
Nonregression testing
[[Block: Domain 7: Security Operations]]
38.Lily is processing access control requests for her organization. She comes across a request where the user does have the required security clearance, but there is no business justification for the access. Lily denies this request. What security principle is she following?
Need to know
Least privilege
Separation of duties
Two-person control
39.An organization runs the majority of its services on a virtualization platform located in its own data center, but also leverages an IaaS provider for hosting its web services and a SaaS email system. What term best describes the type of cloud environment this organization uses?
Hybrid cloud
Dedicated cloud
Private cloud
Public cloud
40.In which cloud computing model does a customer share computing infrastructure with other customers of the cloud vendor, where one customer may not know the other’s identity?
Public cloud
Private cloud
Community cloud
Shared cloud
41.Which one of the following is an example of a manmade disaster?
Transformer failure
42.During what phase of the incident response process do administrators take action to limit the effect or scope of an incident?
Mitigation
43.What type of trust relationship extends beyond the two domains participating in the trust to one or more of their subdomains?
Transitive trust
Inheritable trust
Nontransitive trust
Noninheritable trust
44.What documentation is typically prepared after a postmortem review of an incident has been completed?
A lessons learned document
A risk assessment
A remediation list
A mitigation checklist
[[Block: Domain 8: Software Development]]
45.Which one of the following testing methodologies typically works without access to source code?
Dynamic testing
Static testing
White box testing
Code review
46.Which one of the following files is a target for a macro virus?
projections.doc
command.com
command.exe
loopmaster.exe
47.Which one of the following is an effective control against SQL injection attacks?
Client-side input validation
Parameterization
Limiting database permissions
48.Which one of the following approaches to failure management is the most conservative from a security perspective?
Fail closed
Fail mitigation
Fail clear
49.Rootkits can be difficult to discover because:
They subvert the operating system
They install themselves in master boot records (MBRs)
They install themselves in flash memory
They use hidden processes
50.When using the SDLC, which one of these steps should you take before the others?
Functional requirements determination
Control specifications development
Code review
Design review