CASP+ Practice Tests. Nadean H. Tanner
Read the book CASP+ Practice Tests by Nadean H. Tanner online, page 9
1. One of the biggest tasks as a security professional is identifying vulnerabilities. What is the difference between a vulnerability and a threat?
   A. A vulnerability is a weakness in system design, procedure, or code. A threat is the circumstance or likelihood of a vulnerability being exploited.
   B. A vulnerability is the driving force behind the activity. A threat is the probability of an attack.
   C. A vulnerability is the value to an institution, whereas a threat is the source of the risk, internal or external.
   D. A vulnerability is the probability of the realization of a threat. A threat is the driving force behind the activity.
2. Which of the following BEST defines risk in IT?
   A. You have a vulnerability with a known active threat.
   B. You have a threat with a known vulnerability.
   C. You have a risk with a known threat.
   D. You have a threat with a known exploit.
3. A situation that affects the CIA triad of an IT asset can have an internal or an external risk source. A breach of physical security can be instigated by _________________.
   A. untrusted insiders or trusted outsiders
   B. trusted insiders or untrusted outsiders
   C. hidden costs
   D. service deterioration
4. Your organization provides cloud computing for a highly classified project. You implemented a virtual data center with multifactor authentication. Using the SIEM, you discovered a breach affecting confidential data. Sensitive information was found within the hypervisor. What has most probably occurred?
   A. You found a token and a RAM exploit that was used to move data.
   B. You found a local admin who could move data to their hard drive.
   C. A vulnerable server was unpatched, and the attacker was able to use a VM escape to gain access.
   D. A guest account used privilege escalation to move data from one virtual token to another.
5. An internal auditor has completed the annual audit of the company's financial records. The report found several lapses in security policies and procedures, including the proper disposal and sanitization of financial transaction records. What would be their recommendation?
   A. You should wait for an external audit.
   B. You should recommend a separation of duties.
   C. You should institute job rotation.
   D. You should implement mandatory training.
6. An analyst has been attempting to acquire a budget for a new security tool. Which of the following should the analyst give to management to support the request?
   A. Threat reports and a trend analysis
   B. Interconnection security agreement (ISA)
   C. Master service agreement (MSA)
   D. Request for information (RFI)
7. An audit found a lack of security controls regarding employee termination. The current company policy states that the terminated employee's account is disabled within one hour of termination. The audit found that more than 10 percent of terminated employees still have active accounts. What is the BEST course of action?
   A. Review the termination requirements.
   B. Implement a monthly review of terminated employees.
   C. Update the policy to accommodate the delay.
   D. Review the termination policy with managers.
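The control in question 7 (disable within one hour of termination) is something an auditor can test mechanically rather than by sampling. The following is an added example, not from the book, that reconciles constructed HR termination records against constructed directory account states, reports every account that missed the one-hour deadline, and computes the violation rate the audit quoted. The data, the field names and the `SLA` value are all assumptions for illustration.

```python
from datetime import datetime, timedelta, timezone

SLA = timedelta(hours=1)  # policy: account disabled within one hour of termination


def _t(*args):
    """Helper: build a UTC timestamp from (year, month, day, hour, minute)."""
    return datetime(*args, tzinfo=timezone.utc)


# Constructed sample data (hypothetical, not from any real HR system or directory).
TERMINATIONS = {  # user -> time HR recorded the termination
    "jdoe":   _t(2024, 3, 1, 9, 0),
    "asmith": _t(2024, 3, 1, 10, 30),
    "bwong":  _t(2024, 3, 2, 14, 0),
    "cdiaz":  _t(2024, 3, 3, 8, 15),
}
ACCOUNTS = {  # user -> directory account state at audit time
    "jdoe":   {"enabled": False, "disabled_at": _t(2024, 3, 1, 9, 20)},   # 20 min: within SLA
    "asmith": {"enabled": True,  "disabled_at": None},                     # never disabled
    "bwong":  {"enabled": False, "disabled_at": _t(2024, 3, 2, 17, 45)},  # disabled, but hours late
    "cdiaz":  {"enabled": False, "disabled_at": _t(2024, 3, 3, 8, 40)},   # 25 min: within SLA
}
NOW = _t(2024, 3, 4, 12, 0)  # time the audit query is run


def audit_terminations(terminations, accounts, now, sla=SLA):
    """Return {user: finding} for every terminated user whose account was not
    disabled within `sla` of the termination time."""
    findings = {}
    for user, terminated_at in terminations.items():
        deadline = terminated_at + sla
        acct = accounts.get(user)
        if acct is None:
            # No directory object matched the HR record; cannot prove the control ran.
            findings[user] = "no directory account matched; verify manually"
        elif acct["enabled"]:
            findings[user] = f"still enabled, {now - deadline} past the deadline"
        elif acct["disabled_at"] is None:
            # Disabled, but with no timestamp there is no evidence the SLA was met.
            findings[user] = "disabled, but no timestamp to show it was within SLA"
        elif acct["disabled_at"] > deadline:
            findings[user] = f"disabled {acct['disabled_at'] - deadline} late"
    return findings


def violation_rate(terminations, accounts, now, sla=SLA):
    """Fraction of terminated users whose account missed the SLA (0.0 to 1.0)."""
    if not terminations:
        return 0.0
    return len(audit_terminations(terminations, accounts, now, sla)) / len(terminations)


if __name__ == "__main__":
    for user, finding in sorted(audit_terminations(TERMINATIONS, ACCOUNTS, NOW).items()):
        print(f"{user}: {finding}")
    print(f"violation rate: {violation_rate(TERMINATIONS, ACCOUNTS, NOW):.0%}")
```

Note that an account that is disabled today but was disabled late still counts as a finding: the control is the one-hour deadline, not the current state, which is why the check needs the disable timestamp and not just the enabled flag.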
8. Several servers went offline after an update was pushed out. Other servers without that patch are still operational but vulnerable to attack. As the security administrator, you must ensure that critical servers are patched while minimizing downtime. What is the best strategy to minimize risk?
   A. All updates are tested in a lab before deployment.
   B. All systems in production are patched automatically.
   C. Production servers are patched only when updates are released.
   D. All updates are tested after being installed in a live environment.
9. Your organization is in the middle of a risk assessment for a new network infrastructure upgrade. All planning is complete, and your plan must include which security controls are to be put in place during each stage of the upgrade. What risk response is most likely being considered while creating an SLA contract with a third party?
   A. Accepting risk
   B. Identifying risk
   C. Transferring risk
   D. Mitigating risk
10. Your company hired a new CISO, and the first order of business is to perform a risk assessment on a new mobile device that is to be given to all employees. The device is commercially available and runs a popular operating system. What are the most important security factors that you should consider while conducting this risk assessment?
   A. Remote wipe and controls, encryption, and vendor track record
   B. Encryption, IPv6, cost, and color
   C. Remote wipe, maintenance, and inventory management
   D. Remote monitoring, cost, SSD, and vendor track record
11. Your CISO wants you to conduct a risk assessment for a vital new healthcare system that needs to be in place in a month. As you conduct the assessment, you find a vulnerability report that details the low likelihood of exploitation. Why does your CISO still have reservations about making an exemption for this risk?
   A. The CISO has concerns about government regulations and compliance.
   B. The CISO feels rushed to make a decision.
   C. Competitors have elected not to use this system.
   D. Even one attack would be devastating to the organization, both financially and to its reputation.
12. Your company is looking at a new strategy to reach customers that includes social media. The marketing director would like to share news, updates, and promotions on all social websites. What are the major security risks to be aware of when this new program goes into effect?
   A. Malware, phishing, and social engineering
   B. DDoS, brute force, and SQLi
   C. Mergers and data ownership
   D. Regulatory requirements and environmental changes
13. Your CEO purchased the latest and greatest mobile device (BYOD) and now wants you to connect it to the company's intranet. You have been told to research this process. Which security recommendation would make the biggest impact on risk?
   A. Making this a new corporate policy available for everyone
   B. Adding a PIN to access the device
   C. Encrypting nonvolatile memory
   D. Auditing requirements
14. Your organization wants to move a vital company process to the cloud. You are tasked with conducting a risk analysis to minimize the risk of hosting email in the cloud. What is the best path forward?
   A. Require all logins to be done over an encrypted channel, and obtain an NDA and an SLA from the cloud provider.
   B. Remind all users not to write down their passwords.
   C. Make sure that the OLA covers more than just operations.
   D. Require data classification.
15. A web developer builds a web form for customers to fill out and respond to the company via a web page. What is the first thing that a developer should do to avoid this page becoming a security risk?
   A. SQLi
   B. Input validation
   C. Cross-site request forgery
   D. Fuzzing
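Question 15 names input validation as the first control on a customer-facing form. The following is an added example, not from the book, of what server-side allowlist validation looks like in practice: every field has an explicit format and maximum length, unexpected fields are rejected, and free-text fields that cannot be allowlisted are still bounded and then escaped at output. The field names, the rules and the two sample submissions are constructed for illustration.

```python
import html
import re

# Allowlist rules per field: a pattern the whole value must match, plus a maximum length.
# (Hypothetical contact-form fields, chosen for illustration.)
FIELD_RULES = {
    "name":    (re.compile(r"[A-Za-z][A-Za-z .'-]{0,79}"), 80),
    "email":   (re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"), 254),
    "phone":   (re.compile(r"\+?[0-9]{7,15}"), 16),
    # Free text cannot be allowlisted by content, so bound its length and reject
    # control characters (tab, newline and carriage return are allowed).
    "message": (re.compile(r"[^\x00-\x08\x0b\x0c\x0e-\x1f]{1,2000}", re.S), 2000),
}
REQUIRED = {"name", "email", "message"}


def validate_form(form):
    """Validate a submitted form (dict of field -> value).

    Returns (clean, errors): `clean` holds only fields that passed every check,
    `errors` maps each rejected field to a reason. Validation rejects rather than
    "fixes" bad input; there is no attempt to strip dangerous characters.
    """
    errors, clean = {}, {}
    for field in form:
        if field not in FIELD_RULES:
            errors[field] = "unexpected field"          # reject, never silently ignore
    for field in REQUIRED:
        if not form.get(field):
            errors[field] = "required"
    for field, (pattern, max_len) in FIELD_RULES.items():
        if field in errors or field not in form:
            continue
        value = form[field]
        if not isinstance(value, str):
            errors[field] = "must be a string"
        elif len(value) > max_len:                      # check length before the regex
            errors[field] = f"longer than {max_len} characters"
        elif not pattern.fullmatch(value.strip()):
            errors[field] = "does not match the allowed format"
        else:
            clean[field] = value.strip()
    return clean, errors


def render_field(value):
    """Output encoding for HTML context. Validation does not make free text safe
    to reflect into a page; escaping at output (and parameterized queries at the
    database) are separate controls."""
    return html.escape(value)


# Constructed sample submissions.
GOOD_SUBMISSION = {"name": "Ada Lovelace", "email": "ada@example.com",
                   "message": "Please call me about my order."}
BAD_SUBMISSION = {"name": "' OR 1=1 --",                 # fails the name allowlist
                  "email": "x",                          # not an address
                  "message": "<script>alert(1)</script>",  # passes validation, so must be escaped
                  "admin": "1"}                          # field the form never defined

if __name__ == "__main__":
    for submission in (GOOD_SUBMISSION, BAD_SUBMISSION):
        clean, errors = validate_form(submission)
        print("errors:", errors)
        if "message" in clean:
            print("rendered message:", render_field(clean["message"]))
```

The `message` case is the one worth noticing: a free-text field passes validation by design, so the SQLi and XSS answers in the question are not made irrelevant by input validation. Validation is the first control, not the only one.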
16. Your organization is pressured by both the company board and employees to allow personal devices on the network. They asked for email and calendar items to be synced between the company ecosystem and their BYOD. Which of the following BEST balances security and usability?
   A. Allowing access for the management team only, because they have a need for convenient access
   B. Not allowing any access between a BYOD device and the corporate network, only cloud applications
   C. Only allowing certain types of devices that can be centrally managed
   D. Reviewing security policy and performing a risk evaluation focused on central management, including the remote wipe and encryption of sensitive data
17. Your organization decided to outsource systems that are not mission critical. You have been tasked with calculating the risk of outsourcing these systems because a recent review indicates that core business functions are dependent on these outsourced systems. What is the BEST tool to use?
   A. Business impact analysis
   B. Annual loss expectancy
   C. Total cost of ownership
   D. Gap analysis
18. The retail division of your organization purchased touchscreen tablets and wireless mice and keyboards for all their representatives to increase productivity. You communicated the risk of nonstandard devices and wireless devices, but the deployment continued. What is the BEST method for evaluating and presenting potential threats to upper management?
   A. Conducting a vulnerability assessment
   B. Developing a standard image for these assets
   C. Making new recommendations for security policies
   D. Working with the management team to understand the processes these devices will interface with, and to classify the risk connected with the hardware/software deployment life cycle
19. Your organization experiences a security incident that costs $20,000 in downtime each time it occurs. It's happened twice this fiscal year. The device causing the issue is scheduled to be upgraded next year. The cost of implementing a fix is more than $250,000 and also