CompTIA CySA+ Practice Tests. Mike Chapple
2.2 Explain software assurance best practices.
    Platforms
    Software development lifecycle (SDLC) integration
    DevSecOps
    Software assessment methods
    Secure coding best practices
    Static analysis tools
    Dynamic analysis tools
    Formal methods for verification of critical software
    Service-oriented architecture

2.3 Explain hardware assurance best practices.
    Hardware root of trust
    eFuse
    Unified Extensible Firmware Interface (UEFI)
    Trusted Foundry
    Secure processing
    Anti-tamper
    Self-encrypting drive
    Trusted firmware updates
    Measured boot and attestation
    Bus encryption
1. What purpose does a honeypot system serve when placed on a network as shown in the following diagram?
    A. It prevents attackers from targeting production servers.
    B. It provides information about the techniques attackers are using.
    C. It slows down attackers like sticky honey.
    D. It provides real-time input to IDSs and IPSs.

2. A tarpit, or a system that looks vulnerable but actually is intended to slow down attackers, is an example of what type of technique?
    A. A passive defense
    B. A sticky defense
    C. An active defense
    D. A reaction-based defense

3. As part of a government acquisitions program for the U.S. Department of Defense, Sean is required to ensure that the chips and other hardware-level components used in the switches, routers, and servers that he purchases do not include malware or other potential attack vectors. What type of supplier should Sean seek out?
    A. A TPM
    B. An OEM provider
    C. A trusted foundry
    D. A gray-market provider

4. Susan needs to test thousands of submitted binaries. She needs to ensure that the applications do not contain malicious code. What technique is best suited to this need?
    A. Sandboxing
    B. Implementing a honeypot
    C. Decompiling and analyzing the application code
    D. Fagan testing

5. Manesh downloads a new security tool and checks its MD5. What does she know about the software she downloaded if she receives the following message?

    root@demo:~# md5sum -c demo.md5
    demo.txt: FAILED
    md5sum: WARNING: 1 computed checksum did NOT match

    A. The file has been corrupted.
    B. Attackers have modified the file.
    C. The files do not match.
    D. The test failed and provided no answer.

6. Tracy is designing a cloud infrastructure for her company and wants to generate and store encryption keys in a secure way. What type of technology should she look for as part of her infrastructure as a service vendor's portfolio?
    A. TPM
    B. HSM
    C. UEFI
    D. VPC

7. Aziz needs to provide SSH access to systems behind his datacenter firewall. If Aziz's organization uses the system architecture shown here, what is the system at point A called?
    A. A firewall-hopper
    B. An isolated system
    C. A moat-protected host
    D. A jump box
8. Charles wants to provide additional security for his web application, which currently stores passwords in plaintext in a database. Which of the following options will best prevent theft of the database resulting in exposed passwords?
    A. Encrypt the database of plaintext passwords
    B. Use MD5 and a salt
    C. Use SHA-1 and a salt
    D. Use bcrypt

9. What type of protected boot process is illustrated in the following diagram?
    A. Measured boot
    B. TPM
    C. Remote attestation
    D. Signed BIOS

10. An access control system that relies on the operating system to constrain the ability of a subject to perform operations is an example of what type of access control system?
    A. A discretionary access control system
    B. A role-based access control system
    C. A mandatory access control system
    D. A level-based access control system

11. During his analysis of a malware sample, Sahib reviews the malware files and binaries without running them. What type of analysis is this?
    A. Automated analysis
    B. Dynamic analysis
    C. Static analysis
    D. Heuristic analysis

12. Carol wants to analyze a malware sample that she has discovered. She wants to run the sample safely while capturing information about its behavior and impact on the system it infects. What type of tool should she use?
    A. A static code analysis tool
    B. A dynamic analysis sandbox tool
    C. A Fagan sandbox
    D. A decompiler running on an isolated VM

Use the following scenario for questions 13–15.

Mike is in charge of the software testing process for his company. They perform a complete set of tests for each product throughout its lifespan. Use your knowledge of software assessment methods to answer the following questions.
13. A new web application has been written by the development team in Mike's company. They used an Agile process and have built a tool that fits all of the user stories that the participants from the division that asked for the application outlined. If they want to ensure that the functionality is appropriate for all users in the division, what type of testing should Mike perform?
    A. Stress testing
    B. Regression testing
    C. Static testing
    D. User acceptance testing

14. Mike's development team wants to expand the use of the software to the whole company, but they are concerned about its performance. What type of testing should they conduct to ensure that the software will not fail under load?
    A. Stress testing
    B. Regression testing
    C. Static testing
    D. User acceptance testing

15. Two years after deployment, Mike's team is ready to roll out a major upgrade to their web application. They have pulled code from the repository that it was checked into but are worried that old bugs may have been reintroduced because they restored additional functionality based on older code that had been removed in a release a year ago. What type of testing does Mike's team need to perform?
    A. Stress testing
    B. Regression testing
    C. Static testing
    D. User acceptance testing

16. Susan is reviewing files on a Windows workstation and believes that cmd.exe has been replaced with a malware package. Which of the following is the best way to validate her theory?
    A. Submit cmd.exe to VirusTotal.
    B. Compare the hash of cmd.exe to a known good version.
    C. Check the file using the National Software Reference Library.
    D. Run cmd.exe to make sure its behavior is normal.

17. As part of her malware analysis process, Caitlyn diagrams the high-level functions and processes that the malware uses to accomplish its goals. What is this process known as?
    A. Static analysis
    B. Composition
    C. Dynamic analysis
    D. Decomposition

18. As a U.S. government employee, Michael is required to ensure that the network devices that he procures have a verified chain of custody for every chip and component that goes into them. What is this program known as?
    A. Gray-market procurement
    B. Trusted foundry
    C. White-market procurement
    D. Chain of procurement
19. Padma is evaluating the security of an application developed within her organization. She would like to assess the application's security by supplying it with invalid inputs. What technique is Padma planning to use?
    A. Fault injection
    B. Stress testing
    C. Mutation testing
    D. Fuzz testing

20. Nishi is deploying a new application that will process sensitive health information about her organization's clients. In order to protect this information, the organization is building a new network that does not share any hardware or logical access credentials with the organization's existing network. What approach is Nishi adopting?
    A. Network interconnection
    B. Network segmentation
    C. Virtual LAN (VLAN) isolation
    D. Virtual private network (VPN)

21. Bobbi is deploying a single system that will be used to manage a very sensitive industrial control process. This system will operate in a standalone fashion and not have any connection to other networks. What strategy is Bobbi deploying to protect this SCADA system?
    A. Network segmentation
    B. VLAN isolation
    C. Airgapping
    D. Logical isolation

22. Which software development life cycle model is illustrated in the image?
    A. Waterfall
    B. Spiral
    C. Agile
    D. RAD

23. Geoff has been asked to identify a technical solution that will reduce the risk of captured or stolen passwords being used to allow access to his organization's systems. Which of the following technologies should he recommend?
    A. Captive portals
    B. Multifactor authentication
    C. VPNs
    D. OAuth
24. The company that Amanda works for is making significant investments in infrastructure as a service hosting to replace their traditional datacenter. Members of her organization's management have expressed concerns