NEW QUESTION 1
Which of the following is a web application control that should be put into place to prevent exploitation of Operating System (OS) bugs?

• A. Check arguments in function calls
• B. Test for the security patch level of the environment
• C. Include logging functions
• D. Digitally sign each application module

Answer: B

NEW QUESTION 2
Which of the following is an effective control in preventing electronic cloning of Radio Frequency Identification (RFID) based access cards?

• A. Personal Identity Verification (PIV)
• B. Cardholder Unique Identifier (CHUID) authentication
• C. Physical Access Control System (PACS) repeated attempt detection
• D. Asymmetric Card Authentication Key (CAK) challenge-response

Answer: C

NEW QUESTION 3
Which of the following is the MAIN reason that system re-certification and re-accreditation are needed?

• A. To assist data owners in making future sensitivity and criticality determinations
• B. To assure the software development team that all security issues have been addressed
• C. To verify that security protection remains acceptable to the organizational security policy
• D. To help the security team accept or reject new systems for implementation and production

Answer: C

NEW QUESTION 4
What is the PRIMARY difference between security policies and security procedures?

• A. Policies are used to enforce violations, and procedures create penalties
• B. Policies point to guidelines, and procedures are more contractual in nature
• C. Policies are included in awareness training, and procedures give guidance
• D. Policies are generic in nature, and procedures contain operational details

Answer: D

NEW QUESTION 5
Refer to the information below to answer the question.
During the investigation of a security incident, it is determined that an unauthorized individual accessed a system which hosts a database containing financial information.
Aside from the potential records which may have been viewed, which of the following should be the PRIMARY concern regarding the database information?

• A. Unauthorized database changes
• B. Integrity of security logs
• C. Availability of the database
• D. Confidentiality of the incident

Answer: A

NEW QUESTION 6
What is a characteristic of Secure Socket Layer (SSL) and Transport Layer Security (TLS)?

• A. SSL and TLS provide a generic channel security mechanism on top of Transmission Control Protocol (TCP).
• B. SSL and TLS provide nonrepudiation by default.
• C. SSL and TLS do not provide security for most routed protocols.
• D. SSL and TLS provide header encapsulation over HyperText Transfer Protocol (HTTP).

Answer: A

Explanation: Topic 13, New Questions B

NEW QUESTION 7
Although code using a specific program language may not be susceptible to a buffer overflow attack,

• A. most calls to plug-in programs are susceptible.
• B. most supporting application code is susceptible.
• C. the graphical images used by the application could be susceptible.
• D. the supporting virtual machine could be susceptible.

Answer: C

NEW QUESTION 8
During the Security Assessment and Authorization process, what is the PRIMARY purpose for conducting a hardware and software inventory?

• A. Calculate the value of assets being accredited.
• B. Create a list to include in the Security Assessment and Authorization package.
• C. Identify obsolete hardware and software.
• D. Define the boundaries of the information system.

Answer: A

NEW QUESTION 9
Which of the following is a critical factor for implementing a successful data classification program?

• A. Executive sponsorship
• B. Information security sponsorship
• C. End-user acceptance
• D. Internal audit acceptance

Answer: A

NEW QUESTION 10
When designing a networked Information System (IS) where there will be several different types of individual access, what is the FIRST step that should be taken to ensure all access control requirements are addressed?

• A. Create a user profile.
• B. Create a user access matrix.
• C. Develop an Access Control List (ACL).
• D. Develop a Role Based Access Control (RBAC) list.

Answer: B

NEW QUESTION 11
Which of the following would an attacker BEST be able to accomplish through the use of Remote Access
Tools (RAT)?

• A. Reduce the probability of identification
• B. Detect further compromise of the target
• C. Destabilize the operation of the host
• D. Maintain and expand control

Answer: D

NEW QUESTION 12
When transmitting information over public networks, the decision to encrypt it should be based on

• A. the estimated monetary value of the information.
• B. whether there are transient nodes relaying the transmission.
• C. the level of confidentiality of the information.
• D. the volume of the information.

Answer: C

NEW QUESTION 13
As part of the security assessment plan, the security professional has been asked to use a negative testing strategy on a new website. Which of the following actions would be performed?

• A. Use a web scanner to scan for vulnerabilities within the website.
• B. Perform a code review to ensure that the database references are properly addressed.
• C. Establish a secure connection to the web server to validate that only the approved ports are open.
• D. Enter only numbers in the web form and verify that the website prompts the user to enter a valid input.

Answer: D

NEW QUESTION 14
When designing a vulnerability test, which one of the following is likely to give the BEST indication of what components currently operate on the network?

• A. Topology diagrams
• B. Mapping tools
• C. Asset register
• D. Ping testing

Answer: B

NEW QUESTION 15
What is the BEST way to encrypt web application communications?

• A. Secure Hash Algorithm 1 (SHA-1)
• B. Secure Sockets Layer (SSL)
• C. Cipher Block Chaining Message Authentication Code (CBC-MAC)
• D. Transport Layer Security (TLS)

Answer: D

NEW QUESTION 16
Which of the following combinations would MOST negatively affect availability?

• A. Denial of Service (DoS) attacks and outdated hardware
• B. Unauthorized transactions and outdated hardware
• C. Fire and accidental changes to data
• D. Unauthorized transactions and denial of service attacks

Answer: A

NEW QUESTION 17
What does electronic vaulting accomplish?

• A. It protects critical files.
• B. It ensures the fault tolerance of Redundant Array of Independent Disks (RAID) systems
• C. It stripes all database records
• D. It automates the Disaster Recovery Process (DRP)

Answer: A

Explanation: Section: Security Operations