31. Kobe wants to provide access to a jump box in a secured network. What technology should he deploy to allow a secure connection to the system through untrusted intermediary networks?
A. VPC
B. An air gap
C. A VPN
D. Physical segmentation
32. Mia would like to ensure that her organization's cybersecurity team reviews the architecture of a new ERP application that is under development. During which SDLC phase should Mia expect the security architecture to be completed?
A. Analysis and Requirements Definition
B. Design
C. Development
D. Testing and Integration
33. Which one of the following security activities is not normally a component of the Operations and Maintenance phase of the SDLC?
A. Vulnerability scans
B. Disposition
C. Patching
D. Regression testing
34. Which hardware device is used on endpoint devices to store RSA encryption keys specific to that device to allow hardware authentication?
A. An SSD
B. A hard drive
C. An MFA token
D. A TPM
35. Which one of the following testing techniques is typically the final testing done before code is released to production?
A. Unit testing
B. Integration testing
C. User acceptance testing
D. Security testing

Use the following scenario for questions 36–38.

Olivia has been put in charge of performing code reviews for her organization and needs to determine which code analysis models make the most sense based on specific needs her organization has. Use your knowledge of code analysis techniques to answer the following questions.
36. Olivia's security team has identified potential malicious code that has been uploaded to a web server. If she wants to review the code without running it, what technique should she use?
A. Dynamic analysis
B. Fagan analysis
C. Regression analysis
D. Static analysis
37. Olivia's next task is to test the code for a new mobile application. She needs to test it by executing the code and intends to provide the application with input based on testing scenarios created by the development team as part of their design work. What type of testing will Olivia conduct?
A. Dynamic analysis
B. Fagan analysis
C. Regression analysis
D. Static analysis
38. After completing the first round of tests for her organization's mobile application, Olivia has discovered indications that the application may not handle unexpected data well. What type of testing should she conduct if she wants to test it using an automated tool that will check for this issue?
A. Fault injection
B. Fagan testing
C. Fuzzing
D. Failure injection
39. Which one of the following characters would not signal a potential security issue during the validation of user input to a web application?
A. <
B. `
C. >
D. $
40. The Open Web Application Security Project (OWASP) maintains a listing of the most important web application security controls. Which one of these items is least likely to appear on that list?
A. Implement identity and authentication controls
B. Implement appropriate access controls
C. Obscure web interface locations
D. Leverage security frameworks and libraries
41. Kyle is developing a web application that uses a database backend. He is concerned about the possibility of a SQL injection attack against his application and is consulting the OWASP proactive security controls list to identify appropriate controls. Which one of the following OWASP controls is least likely to prevent a SQL injection attack?
A. Parameterize queries
B. Validate all input
C. Encode data
D. Implement logging and intrusion detection
42. Jill's organization has adopted an asset management tool. If she wants to identify systems on the network based on a unique identifier per machine that will not normally change over time, which of the following options can she use for network-based discovery?
A. IP address
B. Hostname
C. MAC address
D. None of the above
43. Barcodes and RFID tags are both frequently used for what asset management practice?
A. Asset disposition
B. Asset tagging
C. Asset acquisition
D. Asset lifespan estimation
44. What type of secure boot process is shown in the following image?
A. Remote attestation
B. Measured boot
C. Logged loader
D. UEFI
45. Ian has been asked to deploy a secure wireless network in parallel with a public wireless network inside his organization's buildings. What type of segmentation should he implement to do so without adding cost and complexity?
A. SSID segmentation
B. Logical segmentation
C. Physical segmentation
D. WPA segmentation
46. Barbara has segmented her virtualized servers using VMware to ensure that the networks remain secure and isolated. What type of attack could defeat her security design?
A. VLAN hopping
B. 802.1q trunking vulnerabilities
C. Compromise of the underlying VMware host
D. BGP route spoofing
47. What major issue would Charles face if he relied on hashes to identify malware packages?
A. Hashing can be spoofed.
B. Collisions can result in false positives.
C. Hashing cannot identify unknown malware.
D. Hashing relies on unencrypted malware samples.
48. Noriko wants to ensure that attackers cannot access his organization's building automation control network. Which of the following segmentation options provides the strongest level of assurance that this will not happen?
A. Air gap
B. VLANs
C. Network firewalls
D. Host firewalls
49. What type of network device is most commonly used to connect two or more networks to forward traffic between them?
A. A switch
B. A firewall
C. A router
D. An IPS

Use the following scenario for questions 50–53.

Angela is a security practitioner at a mid-sized company that recently experienced a serious breach due to a successful phishing attack. The company has committed to changing its security practices across the organization and has assigned Angela to determine the best strategy to make major changes that will have a significant impact right away.
50. Angela's company has relied on passwords as their authentication factor for years. The current organizational standard is to require an eight-character, complex password, and to require a password change every 12 months. What recommendation should Angela make to significantly decrease the likelihood of a similar phishing attack and breach in the future?
A. Increase the password length.
B. Shorten the password lifespan.
C. Deploy multifactor authentication.
D. Add a PIN to all logins.
51. Angela has decided to roll out a multifactor authentication system. What are the two most common factors used in MFA systems?
A. Location and knowledge
B. Knowledge and possession
C. Knowledge and biometric
D. Knowledge and location
52. As part of the investigation after the breach, Angela's team noticed that some staff were using organizational resources after hours when they weren't supposed to be logged in. What type of authentication model could she deploy to use information about an employee's role and work hours to manage when they can be logged in?
A. Location factors
B. Biometric factors
C. Context-based authentication
D. Multifactor authentication
53. Angela's multifactor deployment includes the ability to use text (SMS) messages to send the second factor for authentication. What issues should she point to?
A. VoIP hacks and SIM swapping
B. SMS messages are logged on the recipient's phones
C. PIN hacks and SIM swapping
D. VoIP hacks and PIN hacks
54. Keith needs to manage digital keys, and he wants to implement a hardware security module in his organization. What U.S. government standard are hardware security modules often certified against?
A. PCI-DSS
B. HSM-2015
C. FIPS 140-2
D. CA-Check
55. What purpose does the OpenFlow protocol serve in software-defined networks?
A. It captures flow logs from devices.
B. It allows software-defined network controllers to push changes to devices to manage the network.
C. It sends flow logs to flow controllers.
D. It allows devices to push changes to SDN controllers to manage the network.
56. What type of access control system relies on the operating system to control the ability of subjects to perform actions on objects through a set of policies controlled by a policy administrator?
A. RBAC
B. MAC
C. DAC
D. ABAC
57. What term is used to describe an isolated pool of cloud resources for a specific organization or user allocated inside of a public cloud environment?
A. VPN
B. VPC
C. CDA
D. CCA
58. Rick's security research company wants to gather data about current attacks and sets up a number of intentionally vulnerable systems that allow his team to log and analyze exploits and attack tools. What type of environment has Rick set up?
A. A tarpit
B. A honeypot
C. A honeynet
D. A blackhole
59. Kalea wants to prevent DoS attacks against her serverless application from driving up her costs when using a cloud service. What technique is not an appropriate solution for her need?
A. Horizontal scaling
B. API keys
C. Setting a cap on API invocations for a given timeframe
D. Using timeouts
60. What is the purpose of change management in an organization?
A. Ensuring changes are scheduled
B. Ensuring