CompTIA CySA+ Practice Tests. Mike Chapple
Read online: CompTIA CySA+ Practice Tests by Mike Chapple, page 24
25. Huan is hiring a third-party consultant who will have remote access to the organization's datacenter, but he would like to approve that access each time it occurs. Which one of the following solutions would meet Huan's needs in a practical manner?
A. Huan should keep the consultant's password himself and provide it to the consultant when needed, and then immediately change the password after each use.
B. Huan should provide the consultant with the password but configure his own device to approve logins via multifactor authentication.
C. Huan should provide the consultant with the password but advise the consultant that she must notify him before using the account, and then audit those attempts against access logs.
D. Huan should create a new account for the consultant each time she needs to access the datacenter.

26. Ian is reviewing the security architecture shown here. This architecture is designed to connect his local datacenter with an IaaS service provider that his company is using to provide overflow services. What component can be used at the points marked by the question marks (?s) to provide a secure encrypted network connection?
A. Firewall
B. VPN
C. IPS
D. DLP

27. Which one of the following technologies is not typically used to implement network segmentation?
A. Host firewall
B. Network firewall
C. VLAN tagging
D. Routers and switches

28. Which one of the following approaches is an example of a formal code review process?
A. Pair programming
B. Over-the-shoulder
C. Fagan inspection
D. Pass-around code review

29. The Open Web Application Security Project (OWASP) maintains an application called Orizon. This application reviews Java classes and identifies potential security flaws. What type of tool is Orizon?
A. Fuzzer
B. Static code analyzer
C. Web application assessor
D. Fault injector

30. Barney's organization mandates fuzz testing for all applications before deploying them into production. Which one of the following issues is this testing methodology most likely to detect?
A. Incorrect firewall rules
B. Unvalidated input
C. Missing operating system patches
D. Unencrypted data transmission

31. Kobe wants to provide access to a jump box in a secured network. What technology should he deploy to allow a secure connection to the system through untrusted intermediary networks?
A. VPC
B. An air gap
C. A VPN
D. Physical segmentation

32. Mia would like to ensure that her organization's cybersecurity team reviews the architecture of a new ERP application that is under development. During which SDLC phase should Mia expect the security architecture to be completed?
A. Analysis and Requirements Definition
B. Design
C. Development
D. Testing and Integration

33. Which one of the following security activities is not normally a component of the Operations and Maintenance phase of the SDLC?
A. Vulnerability scans
B. Disposition
C. Patching
D. Regression testing

34. Which hardware device is used on endpoint devices to store RSA encryption keys specific to that device to allow hardware authentication?
A. An SSD
B. A hard drive
C. An MFA token
D. A TPM

35. Which one of the following testing techniques is typically the final testing done before code is released to production?
A. Unit testing
B. Integration testing
C. User acceptance testing
D. Security testing

Use the following scenario for questions 36–38.

Olivia has been put in charge of performing code reviews for her organization and needs to determine which code analysis models make the most sense based on specific needs her organization has. Use your knowledge of code analysis techniques to answer the following questions.

36. Olivia's security team has identified potential malicious code that has been uploaded to a web server. If she wants to review the code without running it, what technique should she use?
A. Dynamic analysis
B. Fagan analysis
C. Regression analysis
D. Static analysis

37. Olivia's next task is to test the code for a new mobile application. She needs to test it by executing the code and intends to provide the application with input based on testing scenarios created by the development team as part of their design work. What type of testing will Olivia conduct?
A. Dynamic analysis
B. Fagan analysis
C. Regression analysis
D. Static analysis

38. After completing the first round of tests for her organization's mobile application, Olivia has discovered indications that the application may not handle unexpected data well. What type of testing should she conduct if she wants to test it using an automated tool that will check for this issue?
A. Fault injection
B. Fagan testing
C. Fuzzing
D. Failure injection

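Worked example added by the editor (it is not part of the book): what "automated testing for unexpected data" looks like in practice, as asked about in questions 30 and 38. A small mutation fuzzer feeds corrupted copies of one valid input to a constructed target parser and records any failure that is not the parser's own graceful rejection. The record format, the parse_record target, the mutate operations and the seed value are all assumptions made for this illustration; nothing here describes a real application.

```python
"""Added example (not from the book): a minimal mutation fuzzer run against a
constructed, deliberately fragile record parser."""
import random


def build_record(payload: bytes) -> bytes:
    """Constructed format: 2-digit decimal length, payload, 1-byte checksum."""
    return b"%02d" % len(payload) + payload + bytes([sum(payload) % 256])


def parse_record(data: bytes) -> bytes:
    """Target under test. It raises ValueError for malformed input it
    anticipates, but it trusts the length field, so a truncated or
    oversized record reaches data[2 + length] and raises IndexError."""
    length = int(data[:2])                 # ValueError if not two digits
    payload = data[2:2 + length]
    checksum = data[2 + length]            # IndexError: unvalidated length
    if sum(payload) % 256 != checksum:
        raise ValueError("bad checksum")   # expected, graceful rejection
    return payload


def mutate(rng: random.Random, data: bytes) -> bytes:
    """One random mutation: overwrite a byte, truncate, or insert a byte."""
    buf = bytearray(data)
    op = rng.randrange(3)
    if op == 0 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 1 and buf:
        del buf[rng.randrange(len(buf)):]
    else:
        pos = rng.randrange(len(buf) + 1)
        buf[pos:pos] = bytes([rng.randrange(256)])
    return bytes(buf)


def fuzz(target, seed_input: bytes, iterations: int = 500, seed: int = 1) -> dict:
    """Feed mutated inputs to target. ValueError counts as a clean rejection;
    any other exception is a finding, keyed by exception type and holding
    the first input that triggered it so the crash can be reproduced."""
    rng = random.Random(seed)          # fixed seed keeps the run repeatable
    findings = {}
    for _ in range(iterations):
        case = mutate(rng, seed_input)
        try:
            target(case)
        except ValueError:
            continue
        except Exception as exc:       # a failure the parser did not anticipate
            findings.setdefault(type(exc).__name__, case)
    return findings


if __name__ == "__main__":
    for name, case in fuzz(parse_record, build_record(b"hello")).items():
        print(name, case)
```

The fuzzer never inspects the parser's source; it only needs a valid seed input and a way to tell an expected rejection from a crash, which is why fuzzing is a dynamic technique and why it is good at surfacing unvalidated input rather than configuration or patching problems.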
39. Which one of the following characters would not signal a potential security issue during the validation of user input to a web application?
A. <
B. `
C. >
D. $

40. The Open Web Application Security Project (OWASP) maintains a listing of the most important web application security controls. Which one of these items is least likely to appear on that list?
A. Implement identity and authentication controls
B. Implement appropriate access controls
C. Obscure web interface locations
D. Leverage security frameworks and libraries

41. Kyle is developing a web application that uses a database backend. He is concerned about the possibility of an SQL injection attack against his application and is consulting the OWASP proactive security controls list to identify appropriate controls. Which one of the following OWASP controls is least likely to prevent a SQL injection attack?
A. Parameterize queries
B. Validate all input
C. Encode data
D. Implement logging and intrusion detection

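Worked example added by the editor (it is not part of the book): the login query from the situation in question 41 built two ways against an in-memory sqlite3 database, plus a logging hook that shows the difference between a preventive and a detective control. The sample accounts, the SUSPICIOUS pattern and both login functions are assumptions made for this illustration. The same tautology payload also shows why the quote character matters in question 39's input-validation scenario.

```python
"""Added example (not from the book): SQL injection against a string-built
query versus a parameterized query, using sqlite3 and constructed data."""
import re
import sqlite3

# Constructed sample accounts for the illustration; not real credentials.
SAMPLE_USERS = [("kyle", "s3cret"), ("admin", "hunter2")]

# Crude injection signature, used only to illustrate a detective control.
SUSPICIOUS = re.compile(r"['\";]|--|\bOR\b", re.IGNORECASE)
ALERTS = []


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def log_suspicious(field, value):
    """Logging is detective: it records the attempt but does not stop it."""
    if SUSPICIOUS.search(value):
        ALERTS.append(f"possible injection in {field}: {value!r}")


def vulnerable_login(conn, username, password):
    """BAD: untrusted input is spliced into the statement text, so a quote
    in the input changes the structure of the query."""
    log_suspicious("username", username)
    log_suspicious("password", password)
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return [row[0] for row in conn.execute(sql)]


def safe_login(conn, username, password):
    """GOOD: placeholders. Values travel separately from the statement and
    are never parsed as SQL, whatever characters they contain."""
    log_suspicious("username", username)
    log_suspicious("password", password)
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def demo():
    """Run the classic tautology payload through both versions."""
    ALERTS.clear()
    conn = build_db()
    payload = "' OR '1'='1"
    return {
        "vulnerable": vulnerable_login(conn, payload, payload),  # every user
        "safe": safe_login(conn, payload, payload),              # no match
        "legit": safe_login(conn, "kyle", "s3cret"),             # ['kyle']
        "alerts": len(ALERTS),                                   # 4 logged, 0 blocked
    }


if __name__ == "__main__":
    print(demo())
```

With the payload in both fields the concatenated statement becomes `... WHERE username = '' OR '1'='1' AND password = '' OR '1'='1'`, which is true for every row, so the vulnerable version returns both accounts while the parameterized version returns nothing. The alert list fills up either way: logging tells you the attack happened, and only parameterization (or strict validation of the input before it reaches the query) keeps it from succeeding.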
42. Jill's organization has adopted an asset management tool. If she wants to identify systems on the network based on a unique identifier per machine that will not normally change over time, which of the following options can she use for network-based discovery?
A. IP address
B. Hostname
C. MAC address
D. None of the above

43. Barcodes and RFID tags are both frequently used for what asset management practice?
A. Asset disposition
B. Asset tagging
C. Asset acquisition
D. Asset lifespan estimation

44. What type of secure boot process is shown in the following image?
A. Remote attestation
B. Measured boot
C. Logged loader
D. UEFI

45. Ian has been asked to deploy a secure wireless network in parallel with a public wireless network inside his organization's buildings. What type of segmentation should he implement to do so without adding additional costs and complexity?
A. SSID segmentation
B. Logical segmentation
C. Physical segmentation
D. WPA segmentation

46. Barbara has segmented her virtualized servers using VMware to ensure that the networks remain secure and isolated. What type of attack could defeat her security design?
A. VLAN hopping
B. 802.1q trunking vulnerabilities
C. Compromise of the underlying VMware host
D. BGP route spoofing

47. What major issue would Charles face if he relied on hashing malware packages to identify malware packages?
A. Hashing can be spoofed.
B. Collisions can result in false positives.
C. Hashing cannot identify unknown malware.
D. Hashing relies on unencrypted malware samples.

48. Noriko wants to ensure that attackers cannot access his organization's building automation control network. Which of the following segmentation options provides the strongest level of assurance that this will not happen?
A. Air gap
B. VLANs
C. Network firewalls
D. Host firewalls

49. What type of network device is most commonly used to connect two or more networks to forward traffic between them?
A. A switch
B. A firewall
C. A router
D. An IPS

Use the following scenario for questions 50–53.

Angela is a security practitioner at a mid-sized company that recently experienced a serious breach due to a successful phishing attack. The company has committed to changing its security practices across the organization and has assigned Angela to determine the best strategy to make major changes that will have a significant impact right away.

50. Angela's company has relied on passwords as their authentication factor for years. The current organizational standard is to require an eight-character, complex password, and to require a password change every 12 months. What recommendation should Angela make to significantly decrease the likelihood of a similar phishing attack and breach