CISSP Practice Test Questions

1487 Questions


Topic 14: NEW Questions C

Which of the following is the BEST definition of Cross-Site Request Forgery (CSRF)?


A.

An attack which forces an end user to execute unwanted actions on a web application in
which they are currently authenticated


B.

An attack that injects a script into a web page to execute a privileged command


C.

An attack that makes an illegal request across security zones and thereby forges itself
into the security database of the system


D.

An attack that forges a false Structured Query Language (SQL) command across systems





A.
  

An attack which forces an end user to execute unwanted actions on a web application in
which they are currently authenticated
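The definition in option A is easiest to see in code. The following Go program is an added example, not part of the practice test: a hypothetical bank's transfer handler is shown twice, once trusting the session cookie alone and once also requiring a per-session synchronizer token and a matching Origin header. The origins bank.example and evil.example, the users and the ledger are all constructed for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
	"strconv"
)

const siteOrigin = "https://bank.example" // the hypothetical bank's own origin

type Session struct {
	User      string
	CSRFToken string // synchronizer token: per-session secret embedded in the forms the site renders
}

type Request struct {
	SessionCookie string // attached by the browser to every request for the site, whoever triggered it
	Origin        string // set by the browser from the page that submitted the form
	Form          url.Values
}

var sessions = map[string]*Session{}

func randomHex(n int) string {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // only fails when the system RNG is unavailable
	}
	return hex.EncodeToString(b)
}

func Login(user string) string {
	cookie := randomHex(16)
	sessions[cookie] = &Session{User: user, CSRFToken: randomHex(32)}
	return cookie
}

func transfer(ledger map[string]int, from, to string, amount int) error {
	if amount <= 0 || ledger[from] < amount {
		return errors.New("400 bad amount")
	}
	ledger[from] -= amount
	ledger[to] += amount
	return nil
}

// TransferVulnerable authenticates with the cookie alone. A page on any origin can submit this
// form from the victim's browser; the browser attaches the cookie, so the forged request succeeds.
func TransferVulnerable(ledger map[string]int, r Request) error {
	s, ok := sessions[r.SessionCookie]
	if !ok {
		return errors.New("401 not authenticated")
	}
	amount, _ := strconv.Atoi(r.Form.Get("amount"))
	return transfer(ledger, s.User, r.Form.Get("to"), amount)
}

// TransferHardened adds two checks an attacker's page cannot satisfy: the session's synchronizer
// token (readable only by pages served to that session) and the site's own Origin (fails closed).
func TransferHardened(ledger map[string]int, r Request) error {
	s, ok := sessions[r.SessionCookie]
	if !ok {
		return errors.New("401 not authenticated")
	}
	if r.Origin != siteOrigin {
		return fmt.Errorf("403 cross-origin request from %q rejected", r.Origin)
	}
	// Constant-time comparison so the token cannot be recovered byte by byte through timing.
	if !hmac.Equal([]byte(r.Form.Get("csrf_token")), []byte(s.CSRFToken)) {
		return errors.New("403 CSRF token missing or invalid")
	}
	amount, _ := strconv.Atoi(r.Form.Get("amount"))
	return transfer(ledger, s.User, r.Form.Get("to"), amount)
}

// Demo sends one forged request through both handlers, then a genuine one through the hardened one.
func Demo() (forgedVulnerable, forgedHardened, genuine error, ledger map[string]int) {
	ledger = map[string]int{"alice": 100, "mallory": 0, "bob": 0}
	cookie := Login("alice")
	// Auto-submitted by a page on evil.example: the browser adds alice's cookie, but not her token.
	forged := Request{SessionCookie: cookie, Origin: "https://evil.example",
		Form: url.Values{"to": {"mallory"}, "amount": {"40"}}}
	forgedVulnerable = TransferVulnerable(ledger, forged)
	forgedHardened = TransferHardened(ledger, forged)
	// The site's own form, submitted from the site's origin with the hidden token filled in.
	own := Request{SessionCookie: cookie, Origin: siteOrigin,
		Form: url.Values{"to": {"bob"}, "amount": {"10"}, "csrf_token": {sessions[cookie].CSRFToken}}}
	genuine = TransferHardened(ledger, own)
	return
}

func main() {
	v, h, g, ledger := Demo()
	fmt.Printf("forged via vulnerable: %v\nforged via hardened: %v\ngenuine via hardened: %v\n%v\n", v, h, g, ledger)
}
```

The point of the two checks is that neither depends on anything the browser sends automatically: the attacker's page can make the victim's browser send the cookie, but it cannot read the token out of a page served to the victim, and it cannot change the Origin the browser reports.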



As a security manager, which of the following is the MOST effective practice for providing value to an organization?


A.

Assess business risk and apply security resources accordingly


B.

Coordinate security implementations with internal audit


C.

Achieve compliance regardless of related technical issues


D.

Identify confidential information and protect it





A.
  

Assess business risk and apply security resources accordingly

A security program delivers value when spending follows the organization's own risk assessment; identifying and protecting confidential data, coordinating with audit and meeting compliance obligations are activities that this prioritization directs, not substitutes for it.



Why are mobile devices sometimes difficult to investigate in a forensic examination?


A.

There are no forensic tools available for examination.


B.

They may have proprietary software installed to protect them.


C.

They have password-based security at logon.


D.

They may contain cryptographic protection.





B.
  

They may have proprietary software installed to protect them.



Which of the following is considered the last line of defense in regard to a Governance, Risk Management, and Compliance (GRC) program?


A.

Internal audit


B.

Internal controls


C.

Board review


D.

Risk management





A.
  

Internal audit

In the three-lines-of-defense model used for GRC programs, operational management and its internal controls are the first line, the risk management and compliance functions are the second, and internal audit, which independently checks the other two, is the last.



What is the best way for mutual authentication of devices belonging to the same
organization?


A.

Token


B.

Certificates


C.

User ID and passwords


D.

Biometric





B.
  

Certificates

Devices cannot type a password or present a biometric, and a token only authenticates one party. Certificates issued by the organization's own certificate authority let each device prove its identity to the other, for example with TLS configured to require a client certificate.



Reference:
https://books.google.com.pk/books?id=bb0re6h8JPAC&pg=PA637&lpg=PA637&dq=CISSP+for+mutual+authentication+of+devices+belonging+to+the+same+organization&source=bl&ots=7VyomeF8Fj&sig=ACfU3U3ZoosKA_v0zOaW67NSffzcCR7sA&hl=en&sa=X&ved=2ahUKEwjq4o2TgKrpAhUQ9IUKHbGlAhwQ6AEwAHoECBEQAQ#v=onepage&q=CISSP-for-mutual-authentication-of-devices-belonging-to-the-same-organization&f=false

Which of the following open source software issues pose the MOST risk to an application?


A.

The software is beyond end of life and the vendor is out of business.


B.

The software is not used or popular in the development community.


C.

The software has multiple Common Vulnerabilities and Exposures (CVE) and only some
are remediated.


D.

The software has multiple Common Vulnerabilities and Exposures (CVE) but the CVEs
are classified as low risks.





A.
  

The software is beyond end of life and the vendor is out of business.

Software that has reached end of life with nobody maintaining it will never receive a fix for the next vulnerability found in it, so every future CVE against it is unpatchable. Known CVEs that are rated low, or that are being remediated, are a smaller and bounded exposure.



Which of the following is TRUE regarding equivalence class testing?


A.

It is characterized by the stateless behavior of a process implemented in a function.


B.

An entire partition can be covered by considering only one representative value from
that partition.


C.

Test inputs are obtained from the derived boundaries of the given functional
specifications.


D.

It is useful for testing communications protocols and graphical user interfaces.





B.
  

An entire partition can be covered by considering only one representative value from
that partition.

Equivalence class (partition) testing assumes that every value in a partition is handled the same way, so one representative per partition suffices. Option C describes boundary value analysis, which targets the edges of those partitions.
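The difference between option B (equivalence class testing) and option C (boundary value analysis) is which inputs get tested. As an added example that is not from the practice test, the Go program below derives both kinds of test cases from a constructed specification (ages 18 to 65 inclusive are accepted) and runs them against a correct implementation and a deliberately off-by-one one; the one-representative-per-partition cases let the bug through, the boundary cases catch it.

```go
package main

import (
	"fmt"
	"math"
	"sort"
)

// Partition is one equivalence class of the input domain: every value in [Lo, Hi] should get
// the same verdict from the function under test.
type Partition struct {
	Name   string
	Lo, Hi int
	Valid  bool
}

// agePolicy is a constructed specification: an age is accepted when it lies in 18..65 inclusive.
var agePolicy = []Partition{
	{"below minimum", math.MinInt32, 17, false},
	{"allowed range", 18, 65, true},
	{"above maximum", 66, math.MaxInt32, false},
}

// allowedAge implements agePolicy correctly.
func allowedAge(a int) bool { return a >= 18 && a <= 65 }

// allowedAgeBuggy has an off-by-one at the lower edge (a constructed defect).
func allowedAgeBuggy(a int) bool { return a > 18 && a <= 65 }

// expected returns the verdict the specification assigns to v; ok is false for values that
// fall outside every partition.
func expected(parts []Partition, v int) (verdict, ok bool) {
	for _, p := range parts {
		if v >= p.Lo && v <= p.Hi {
			return p.Valid, true
		}
	}
	return false, false
}

// EquivalenceClassCases is the technique in the correct answer: one representative value per
// partition is taken to cover the whole partition. The midpoint serves as the representative.
func EquivalenceClassCases(parts []Partition) map[int]bool {
	cases := map[int]bool{}
	for _, p := range parts {
		cases[p.Lo/2+p.Hi/2] = p.Valid // split division avoids overflow on the extreme ranges
	}
	return cases
}

// BoundaryCases is boundary value analysis, the technique option C actually describes: each
// partition edge and its immediate neighbours, keeping only values the specification covers.
func BoundaryCases(parts []Partition) map[int]bool {
	cases := map[int]bool{}
	for _, p := range parts {
		for _, v := range []int{p.Lo - 1, p.Lo, p.Lo + 1, p.Hi - 1, p.Hi, p.Hi + 1} {
			if verdict, ok := expected(parts, v); ok {
				cases[v] = verdict
			}
		}
	}
	return cases
}

// Run returns, in ascending order, the inputs on which f disagrees with the expected verdict.
func Run(cases map[int]bool, f func(int) bool) []int {
	var failures []int
	for v, want := range cases {
		if f(v) != want {
			failures = append(failures, v)
		}
	}
	sort.Ints(failures)
	return failures
}

func main() {
	fmt.Println("equivalence classes vs buggy:", Run(EquivalenceClassCases(agePolicy), allowedAgeBuggy))
	fmt.Println("boundary values vs buggy:    ", Run(BoundaryCases(agePolicy), allowedAgeBuggy))
	fmt.Println("boundary values vs correct:  ", Run(BoundaryCases(agePolicy), allowedAge))
}
```

The midpoint of the allowed range is 41, which both implementations accept, so the equivalence class run reports nothing; the boundary run includes 18 itself, which the buggy implementation rejects. In practice the two techniques are used together for exactly this reason.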



Which of the following steps is performed during the forensic data analysis phase?


A.

Collect known system files


B.

Search for relevant strings


C.

Create file lists


D.

Recover deleted data





B.
  

Search for relevant strings



Digital certificates used in Transport Layer Security (TLS) support which of the following?


A.

Server identity and data confidentiality


B.

Information input validation


C.

Multi-Factor Authentication (MFA)


D.

Non-repudiation controls and data encryption





A.
  

Server identity and data confidentiality
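This question and the earlier one on mutual authentication of devices belonging to the same organization come down to the same mechanism, so one example serves both. The Go program below is an added example, not from the practice test or the cited book: it mints an organization CA, a gateway certificate and a device certificate in memory (all names constructed), starts a TLS listener on loopback that requires a CA-issued client certificate, and connects twice, once as the enrolled device and once with no certificate. The device gets the gateway's identity and an encrypted channel from the server certificate (this question); the gateway gets the device's identity from the client certificate (the mutual-authentication question).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue creates a short-lived certificate for cn, self-signed when isCA is set (it then acts as the
// organisation's device CA), otherwise signed by parent/parentKey. All names are constructed.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // only fails when the system RNG is unavailable
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{Organization: []string{"Example Org"}, CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)}, // the demo gateway listens on loopback
	}
	if isCA {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// hello dials the gateway (its certificate is verified against the CA, the channel is encrypted) and reads the greeting.
func hello(addr string, cfg *tls.Config) (name string, err error) {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	_, err = fmt.Fscanln(conn, &name)
	return name, err
}

// MutualAuthDemo starts a gateway requiring a CA-issued client certificate, then connects with and without one.
func MutualAuthDemo() (greeting string, rejected error, err error) {
	ca, caKey := issue("Example Org Device CA", true, nil, nil)
	gw, gwKey := issue("gateway", false, ca, caKey)
	dev, devKey := issue("device-a", false, ca, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{gw.Raw}, PrivateKey: gwKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the mutual part: no CA-issued client cert, no service
		ClientCAs:    pool,
	})
	if err != nil {
		return "", nil, err
	}
	defer ln.Close()
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			tc := c.(*tls.Conn)
			if tc.Handshake() == nil { // fails for a peer without a certificate the CA issued
				// The peer's identity comes from its verified certificate, not from anything it sends.
				fmt.Fprintln(tc, tc.ConnectionState().PeerCertificates[0].Subject.CommonName)
			}
			tc.Close()
		}
	}()
	device := &tls.Config{RootCAs: pool, Certificates: []tls.Certificate{{Certificate: [][]byte{dev.Raw}, PrivateKey: devKey}}}
	if greeting, err = hello(ln.Addr().String(), device); err != nil {
		return "", nil, err
	}
	_, rejected = hello(ln.Addr().String(), &tls.Config{RootCAs: pool}) // trusts the CA but holds no certificate
	return greeting, rejected, nil
}

func main() {
	greeting, rejected, err := MutualAuthDemo()
	fmt.Println("enrolled device:", greeting, "| no certificate:", rejected, "| setup error:", err)
}
```

Note that the second connection may complete the TLS 1.3 handshake from the client's point of view and only fail on the first read, when the gateway's "certificate required" alert arrives; a client that treats a successful Dial as proof of authentication would be wrong, which is why hello reads before reporting success.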



Functional security testing is MOST critical during which phase of the System Development Life Cycle (SDLC)?


A.

Acquisition / Development


B.

Operations / Maintenance


C.

Implementation


D.

Initiation





C.
  

Implementation



Which of the below strategies would MOST comprehensively address the risk of malicious insiders leaking sensitive information?


A.

Data Loss Prevention (DLP), firewalls, data classification


B.

Least privilege access, Data Loss Prevention (DLP), physical access controls


C.

Staff vetting, least privilege access, Data Loss Prevention (DLP)


D.

Background checks, data encryption, web proxies





B.
  

Least privilege access, Data Loss Prevention (DLP), physical access controls



Which of the following is applicable to a publicly held company concerned about information handling and storage requirements specific to financial reporting?


A.

Privacy Act of 1974


B.

Clinger-Cohen Act of 1996


C.

Sarbanes-Oxley (SOX) Act of 2002


D.

International Organization for Standardization (ISO) 27001





C.
  

Sarbanes-Oxley (SOX) Act of 2002



