CISSP Practice Test Questions

1487 Questions


Topic 12: NEW QUESTIONS A

An organization regularly conducts its own penetration tests. Which of the following scenarios MUST be covered for the test to be effective?

A. Third-party vendor with access to the system
B. System administrator access compromised
C. Internal attacker with access to the system
D. Internal user accidentally accessing data

Answer: B. System administrator access compromised



How should an organization determine the priority of its remediation efforts after a vulnerability assessment has been conducted?

A. Use an impact-based approach.
B. Use a risk-based approach.
C. Use a criticality-based approach.
D. Use a threat-based approach.

Answer: D. Use a threat-based approach.



In the Software Development Life Cycle (SDLC), maintaining accurate hardware and software inventories is a critical part of

A. systems integration.
B. risk management.
C. quality assurance.
D. change management.

Answer: D. change management.



Although code using a specific program language may not be susceptible to a buffer overflow attack,

A. most calls to plug-in programs are susceptible.
B. most supporting application code is susceptible.
C. the graphical images used by the application could be susceptible.
D. the supporting virtual machine could be susceptible.

Answer: C. the graphical images used by the application could be susceptible.



At which layer of the Open Systems Interconnect (OSI) model are the source and destination address for a datagram handled?

A. Transport Layer
B. Data-Link Layer
C. Network Layer
D. Application Layer

Answer: C. Network Layer



Which of the following countermeasures is the MOST effective in defending against a social engineering attack?

A. clear-text attack.
B. known cipher attack.
C. frequency analysis.
D. stochastic assessment

Answer: C. frequency analysis.



A company has decided that they need to begin maintaining assets deployed in the enterprise. What approach should be followed to determine and maintain ownership information to bring the company into compliance?

A. Enterprise asset management framework
B. Asset baseline using commercial off the shelf software
C. Asset ownership database using domain login records
D. A script to report active user logins on assets

Answer: A. Enterprise asset management framework



The application of a security patch to a product previously validated at Common Criteria (CC) Evaluation Assurance Level (EAL) 4 would

A. require an update of the Protection Profile (PP).
B. require recertification.
C. retain its current EAL rating.
D. reduce the product to EAL 3.

Answer: B. require recertification.



The goal of a Business Impact Analysis (BIA) is to determine which of the following?

A. Cost effectiveness of business recovery
B. Cost effectiveness of installing software security patches
C. Resource priorities for recovery and Maximum Tolerable Downtime (MTD)
D. Which security measures should be implemented

Answer: C. Resource priorities for recovery and Maximum Tolerable Downtime (MTD)



What is the difference between media marking and media labeling?

A. Media marking refers to the use of human-readable security attributes, while media labeling refers to the use of security attributes in internal data structures.
B. Media labeling refers to the use of human-readable security attributes, while media marking refers to the use of security attributes in internal data structures.
C. Media labeling refers to security attributes required by public policy/law, while media marking refers to security required by internal organizational policy.
D. Media marking refers to security attributes required by public policy/law, while media labeling refers to security attributes required by internal organizational policy.

Answer: D. Media marking refers to security attributes required by public policy/law, while media labeling refers to security attributes required by internal organizational policy.



Match the name of access control model with its associated restriction. Drag each access control model to its appropriate restriction access on the right.






What is a characteristic of Secure Socket Layer (SSL) and Transport Layer Security (TLS)?

A. SSL and TLS provide a generic channel security mechanism on top of Transmission Control Protocol (TCP).
B. SSL and TLS provide nonrepudiation by default.
C. SSL and TLS do not provide security for most routed protocols.
D. SSL and TLS provide header encapsulation over HyperText Transfer Protocol (HTTP).

Answer: A. SSL and TLS provide a generic channel security mechanism on top of Transmission Control Protocol (TCP).



