
22 ) SY EX. 6 | COMPLETE
91 questions • 5 months ago
  • The R.S.S.H Delivery Company

    Question list

  • 1

    Mike's development team wants to expand the use of the software to the whole company, but they are concerned about its performance. What type of testing should they conduct to ensure that the software will not fail under load?

    - Stress testing

  • 2

    Two years after deployment, Mike's team is ready to roll out a major upgrade to their web application. They have pulled code from the repository that it was checked into but are worried that old bugs may have been reintroduced because they restored additional functionality based on older code that had been removed in a release a year ago. What type of testing does Mike's team need to perform?

    - Regression testing

  • 3

    She would like to assess the application's security by supplying it with invalid inputs. What technique is Padma planning to use?

    - Fuzz testing

  • 4

    Which software development life cycle model is illustrated in the image?

    - Agile

  • 5

    The Open Worldwide Application Security Project (OWASP) maintains an application called Orizon. This application reviews Java classes and identifies potential security flaws. What type of tool is Orizon?

    - Static code analyzer

  • 6

    Barney's organization mandates fuzz testing for all applications before deploying them into production. Which one of the following issues is this testing methodology most likely to detect?

    - Unvalidated input

  • 7

    Mia would like to ensure that her organization's cybersecurity team reviews the architecture of a new ERP application that is under development. During which SDLC phase should Mia expect the security architecture to be completed?

    - Design

  • 8

    Which one of the following security activities is not normally a component of the Operations and Maintenance phase of the SDLC?

    - Disposition

  • 9

    Use the following scenario for questions 208-210. Olivia has been put in charge of performing code reviews for her organization and needs to determine which code analysis models make the most sense based on specific needs her organization has. Use your knowledge of code analysis techniques to answer the following questions. Olivia's security team has identified potential malicious code that has been uploaded to a webserver. If she wants to review the code without running it, what technique should she use?

    - Static analysis

  • 10

    Olivia's next task is to test the code for a new mobile application. She needs to test it by executing the code and intends to provide the application with input based on testing scenarios created by the development team as part of their design work. What type of testing will Olivia conduct?

    - Dynamic analysis

  • 11

    After completing the first round of tests for her organization's mobile application, Olivia has discovered indications that the application may not handle unexpected data well. What type of testing should she conduct if she wants to test it using an automated tool that will check for this issue?

    - Fuzzing

  • 12

    Which one of the following characters would not signal a potential security issue during the validation of user input to a web application?

    - $

  • 13

    The Open Worldwide Application Security Project (OWASP) maintains a listing of the most important web application security controls. Which one of these items is least likely to appear on that list?

    - Obscure web interface locations.

  • 14

    Kyle is developing a web application that uses a database back end. He is concerned about the possibility of an SQL injection attack against his application and is consulting the OWASP proactive security controls list to identify appropriate controls. Which one of the following OWASP controls is least likely to prevent a SQL injection attack?

    - Implement logging and intrusion detection.

  • 15

    Jill's organization has adopted an asset management tool. If she wants to identify systems on the network based on a unique identifier per machine that will not normally change over time, which of the following options can she use for network-based discovery?

    - MAC address

  • 16

    Which software development methodology is illustrated in the diagram?

    - Waterfall

  • 17

    Claire knows that a web application that her organization needs to have in production has vulnerabilities due to a recent scan using a web application security scanner. What is her best protection option if she knows that the vulnerability is a known SQL injection flaw?

    - A WAF

  • 18

    Use the following scenario to answer questions 217-219. Donna has been assigned as the security lead for a DevSecOps team building a new web application. As part of the effort, she has to oversee the security practices that the team will use to protect the application. Use your knowledge of secure coding practices to help Donna guide her team through this process. 217. A member of Donna's team recommends building a blocklist to avoid dangerous characters like < and <script> tags. How could attackers bypass a blocklist that individually identified those characters?

    - They can use alternate encodings.

  • 19

    The design of the application calls for client-side validation of input. What type of tool could an attacker use to bypass this?

    - A web proxy

  • 20

    A member of Donna's security team suggests that output encoding should also be considered. What type of attack is the team member most likely attempting to prevent?

    - Cross-site scripting

  • 21

    Nathan downloads a BIOS/UEFI update from Dell's website, and when he attempts to install it on the PC, he receives an error that the hash of the download does not match the hash stored on Dell's servers. What type of protection is this?

    - Firmware protection

  • 22

    What practice is typical in a DevSecOps organization as part of a CI/CD pipeline?

    - Automating some security gates

  • 23

    Valerie wants to prevent potential cross-site scripting attacks from being executed when previously entered information is displayed in users' browsers. What technique should she use to prevent this?

    - Output encoding

  • 24

    While developing a web application, Chris sets his session ID length to 128 bits based on OWASP's recommended session management standards. What reason would he have for needing such a long session ID?

    - To prevent brute-forcing

  • 25

    Robert is reviewing a web application, and the developers have offered four different responses to incorrect logins. Which of the following four responses is the most secure option?

    - Login failed; invalid user ID or password

  • 26

    Nathan is reviewing PHP code for his organization and finds the following code in the application he is assessing. What technique is the developer using?: $stmt = $dbh->prepare("INSERT INTO REGISTRY (var1, var2) VALUES (:var1, :var2)"); $stmt->bindParam(':var1', $var1); $stmt->bindParam(':var2', $var2);

    - Parameterized queries

  • 27

    Christina wants to check the firmware she has been provided to ensure that it is the same firmware that the manufacturer provides. What process should she follow to validate that the firmware is trusted firmware?

    - Compare a hash of the file to a hash provided by the manufacturer.

  • 28

    What type of attack is the use of query parameterization intended to prevent?

    - SQL injection

  • 29

    What type of attack is output encoding typically used against?

    - XSS

  • 30

    Use the following scenario for questions 229-231. Scott has been asked to select a software development model for his organization and knows that there are a number of models that may make sense for what he has been asked to accomplish. Use your knowledge of SDLC models to identify an appropriate model for each of the following requirements. 229. Scott's organization needs basic functionality of the effort to become available as soon as possible and wants to involve the teams that will use it heavily to ensure that their needs are met. What model should Scott recommend?

    - Agile

  • 31

    Use the following scenario for questions 229-231. Scott has been asked to select a software development model for his organization and knows that there are a number of models that may make sense for what he has been asked to accomplish. Use your knowledge of SDLC models to identify an appropriate model for each of the following requirements. A parallel coding effort needs to occur; however, this effort involves a very complex system and errors could endanger human lives. The system involves medical records and drug dosages, and the organization values stability and accuracy over speed. Scott knows the organization often adds design constraints throughout the process and that the model he selects must also deal with that need. What model should he choose?

    - Spiral

  • 32

    Use the following scenario for questions 229-231. Scott has been asked to select a software development model for his organization and knows that there are a number of models that may make sense for what he has been asked to accomplish. Use your knowledge of SDLC models to identify an appropriate model for each of the following requirements. 231. At the end of his development cycle, what SDLC phase will Scott enter as the new application is installed and replaces the old code?

    - Disposition

  • 33

    The OWASP Session Management Cheatsheet advises that session IDs are meaningless and recommends that they should be used only as an identifier on the client side. Why should a session ID not have additional information encoded in it like the IP address of the client, their username, or other information?

    - Session IDs could be decoded, resulting in data leakage.

  • 34

    Bounds checking, removing special characters, and forcing strings to match a limited set of options are all examples of what web application security technique?

    - Input validation

  • 35

    Abigail is performing input validation against an input field and uses the following regular expression: ^(AA|AE|AP|AL|AK|AS|AZ|AR|CA|CO|CT|DE|DC|FM|FL|GA|GU|HI|ID|IL|IN|IA|KS|KY|LA|ME|MH|MD|MA|MI|MN|MS|MO|MT|NE|NV|NH|NJ|NM|NY|NC|ND|MP|OH|OK|OR|PW|PA|PR|RI|SC|SD|TN|TX|UT|VT|VI|VA|WA|WV|WI|WY)$ What is she checking with the regular expression?

    - She is checking for all U.S. state name abbreviations.

  • 36

    Jennifer uses an application to send randomized data to her application to determine how it responds to unexpected input. What type of tool is she using?

    - A fuzzer

  • 37

    Greg wants to prevent SQL injection in a web application he is responsible for. Which of the following is not a common defense against SQL injection?

    - Output validation

  • 38

    While reviewing code that generates a SQL query, Aarav notices that the "address" field is appended to the query without input validation or other techniques applied. What type of attack is most likely to be successful against code like this?

    - SQL injection

  • 39

    Use the following diagram and scenario for questions 238-240. Amanda has been assigned to lead the development of a new web application for her organization. She is following a standard SDLC model as shown here. Use the model and your knowledge of the software development life cycle to answer the following questions. 238. Amanda's first task is to determine if there are alternative solutions that are more cost effective than in-house development. What phase is she in?

    - Feasibility

  • 40

    Use the following diagram and scenario for questions 238-240. Amanda has been assigned to lead the development of a new web application for her organization. She is following a standard SDLC model as shown here. Use the model and your knowledge of the software development life cycle to answer the following questions. 239. What phase of the SDLC typically includes the first code analysis and unit testing in the process?

    - Coding

  • 41

    Use the following diagram and scenario for questions 238-240. Amanda has been assigned to lead the development of a new web application for her organization. She is following a standard SDLC model as shown here. Use the model and your knowledge of the software development life cycle to answer the following questions. After making it through most of the SDLC process, Amanda has reached point E on the diagram. What occurs at point E?

    - Training and transition

  • 42

    Angela wants to prevent buffer overflow attacks on a Windows system. What two built-in technologies should she consider?

    - ASLR and DEP

  • 43

    Amanda has been assigned to reduce the attack surface area for her organization, and she knows that the current network design relies on allowing systems throughout her organization to access the Internet directly via public IP addresses they are assigned. What should her first step be to reduce her organization's attack surface quickly and without large amounts of time invested?

    - Move to a NAT environment.

  • 44

    Matt believes that developers in his organization deployed code that did not implement cookies in a secure way. What type of attack would be aided by this security issue?

    - Session hijacking

  • 45

    Chris operates the point-of-sale (POS) network for a company that accepts credit cards and is thus required to be compliant with PCI DSS. During his regular assessment of the POS terminals, he discovers that a recent Windows operating system vulnerability exists on all of them. Since they are all embedded systems that require a manufacturer update, he knows that he cannot install the available patch. What is Chris's best option to stay compliant with PCI DSS and protect his vulnerable systems?

    - Identify, implement, and document compensating controls.

  • 46

    Tracy is validating the web application security controls used by her organization. She wants to ensure that the organization is prepared to conduct forensic investigations of future security incidents. Which one of the following OWASP control categories is most likely to contribute to this effort?

    - Implement logging.

  • 47

    While reviewing his Apache logs, Oscar discovers the following entry. What has occurred? 10.1.1.1 - - [27/Jun/2023:11:42:22 -0500] "GET /query.php?searchterm=stuff%20id=1%20UNION%20SELECT%200,username,user_id,password,name,%20email,%20FROM%20users HTTP/1.1" 200 9918 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

    - A SQL injection attack

  • 48

    Joan is working as a security consultant to a company that runs a critical web application. She discovered that the application has a serious SQL injection vulnerability, but the company cannot take the system offline during the two weeks required to revise the code. Which one of the following technologies would serve as the best compensating control?

    - WAF

  • 49

    After conducting an nmap scan of his network from outside of his network, James notes that a large number of devices are showing three TCP ports open on public IP addresses: 9100, 515, and 631. What type of devices has he found, and how could he reduce his organization's attack surface?

    - Printers, move the printers to an internal-only IP address range

  • 50

    Alex is working to understand his organization's attack surface. Services, input fields in a web application, and communication protocols are all examples of what component of an attack surface evaluation?

    - Attack vectors

  • 51

    Michelle wants to implement a static application security testing (SAST) tool into her continuous integration pipeline. What challenge could she run into if her organization uses multiple programming languages for components of their application stack that will be tested?

    - They will have to ensure the scanner works with all of the languages chosen.

  • 52

    Ken learns that an APT group is targeting his organization. What term best describes this situation?

    - Threat

  • 53

    Which one of the following activities is least likely to occur during the risk identification process?

    - Network segmentation

  • 54

    What two factors are weighted most heavily when determining the severity of a risk?

    - Probability and magnitude

  • 55

    Preemployment background screening is an example of what type of security control?

    - Preventive

  • 56

    Roland received a security assessment report from a third-party assessor, and it indicated that one of the organization's web applications is susceptible to an Auth redirect attack. What type of attack would this vulnerability allow an attacker to wage?

    - Impersonation

  • 57

    Questions 256-258 refer to the following scenario. Gary recently conducted a comprehensive security review of his organization. He identified the 25 top risks to the organization and is pursuing different risk management strategies for each of these risks. In some cases, he is using multiple strategies to address a single risk. His goal is to reduce the overall level of risk so that it lies within his organization's risk tolerance. 256. Gary decides that the organization should integrate a threat intelligence feed with the firewall. What type of risk management strategy is this?

    - Risk mitigation

  • 58

    Gary discovers that his organization is storing some old files in a cloud service that are exposed to the world. He deletes those files. What type of risk management strategy is this?

    - Risk avoidance

  • 59

    Gary is working with his financial team to purchase a cyber-liability insurance policy to cover the financial impact of a data breach. What type of risk management strategy is he using?

    - Risk transference

  • 60

    Which one of the following risk management strategies is most likely to limit the probability of a risk occurring?

    - Risk avoidance

  • 61

    Saanvi would like to reduce the probability of a data breach that affects sensitive personal information. Which one of the following compensating controls is most likely to achieve that objective?

    - Minimizing the amount of data retained and the number of places where it is stored

  • 62

    Kwame recently completed a risk assessment and is concerned that the level of residual risk exceeds his organization's risk tolerance. What should he do next?

    - Have a discussion with his manager.

  • 63

    Questions 262-267 refer to the following scenario. Alan is a risk manager for Acme University, a higher education institution located in the western United States. He is concerned about the threat that an earthquake will damage his organization's primary datacenter. He recently undertook a replacement cost analysis and determined that the datacenter is valued at $10 million. After consulting with seismologists, Alan determined that an earthquake is expected in the area of the datacenter once every 200 years. Datacenter specialists and architects helped him determine that an earthquake would likely cause $5 million in damage to the facility. Based on the information in this scenario, what is the exposure factor (EF) for the effect of an earthquake on Acme University's datacenter?

    - 50 percent

  • 64

    Questions 262-267 refer to the following scenario. Alan is a risk manager for Acme University, a higher education institution located in the western United States. He is concerned about the threat that an earthquake will damage his organization's primary datacenter. He recently undertook a replacement cost analysis and determined that the datacenter is valued at $10 million. After consulting with seismologists, Alan determined that an earthquake is expected in the area of the datacenter once every 200 years. Datacenter specialists and architects helped him determine that an earthquake would likely cause $5 million in damage to the facility. Based on the information in this scenario, what is the annualized rate of occurrence (ARO) for an earthquake at the datacenter?

    - .005

  • 65

    Questions 262-267 refer to the following scenario. Alan is a risk manager for Acme University, a higher education institution located in the western United States. He is concerned about the threat that an earthquake will damage his organization's primary datacenter. He recently undertook a replacement cost analysis and determined that the datacenter is valued at $10 million. After consulting with seismologists, Alan determined that an earthquake is expected in the area of the datacenter once every 200 years. Datacenter specialists and architects helped him determine that an earthquake would likely cause $5 million in damage to the facility. Based on the information in this scenario, what is the annualized loss expectancy (ALE) for an earthquake at the datacenter?

    - $25,000

  • 66

    Questions 262-267 refer to the following scenario. Alan is a risk manager for Acme University, a higher education institution located in the western United States. He is concerned about the threat that an earthquake will damage his organization's primary datacenter. He recently undertook a replacement cost analysis and determined that the datacenter is valued at $10 million. After consulting with seismologists, Alan determined that an earthquake is expected in the area of the datacenter once every 200 years. Datacenter specialists and architects helped him determine that an earthquake would likely cause $5 million in damage to the facility. 265. Referring to the previous scenario, if Alan's organization decides to move the datacenter to a location where earthquakes are not a risk, what risk management strategy are they using?

    - Risk avoidance

  • 67

    Questions 262-267 refer to the following scenario. Alan is a risk manager for Acme University, a higher education institution located in the western United States. He is concerned about the threat that an earthquake will damage his organization's primary datacenter. He recently undertook a replacement cost analysis and determined that the datacenter is valued at $10 million. After consulting with seismologists, Alan determined that an earthquake is expected in the area of the datacenter once every 200 years. Datacenter specialists and architects helped him determine that an earthquake would likely cause $5 million in damage to the facility. 266. Referring to the previous scenario, if the organization decides not to relocate the datacenter but instead purchases an insurance policy to cover the replacement cost of the datacenter, what risk management strategy are they using?

    - Risk transference

  • 68

    Questions 262-267 refer to the following scenario. Alan is a risk manager for Acme University, a higher education institution located in the western United States. He is concerned about the threat that an earthquake will damage his organization's primary datacenter. He recently undertook a replacement cost analysis and determined that the datacenter is valued at $10 million. After consulting with seismologists, Alan determined that an earthquake is expected in the area of the datacenter once every 200 years. Datacenter specialists and architects helped him determine that an earthquake would likely cause $5 million in damage to the facility. Referring to the previous scenario, assume that the organization decides that relocation is too difficult and the insurance is too expensive. They instead decide that they will carry on despite the risk of earthquake and handle the impact if it occurs. What risk management strategy are they using?

    - Risk acceptance

  • 69

    Colin would like to implement a detective security control in his accounting department, which is specifically designed to identify cases of fraud that are able to occur despite the presence of other security controls. Which one of the following controls is best suited to meet Colin's need?

    - Mandatory vacations

  • 70

    Rob is an auditor reviewing the managerial controls used in an organization. He is examining the payment process used by the company to issue checks to vendors. He notices that Helen, a staff accountant, is the person responsible for creating new vendors. Norm, another accountant, is responsible for issuing payments to vendors. Helen and Norm are cross-trained to provide backup for each other. What security issue, if any, exists in this situation?

    - Separation of duties violation

  • 71

    Mei recently completed a risk management review and identified that the organization is susceptible to an on-path (also known as man-in-the-middle) attack. After review with her manager, they jointly decided that accepting the risk is the most appropriate strategy. What should Mei do next?

    - Document the decision.

  • 72

    Robin is planning to conduct a risk assessment in her organization. She is concerned that it will be difficult to perform the assessment because she needs to include information about both tangible and intangible assets. What would be the most effective risk assessment strategy for her to use?

    - Combination of quantitative and qualitative risk assessment

  • 73

    Barry's organization is running a security exercise and Barry was assigned to conduct offensive operations. What term best describes Barry's role in the process?

    - Red team

  • 74

    Vlad's organization recently underwent a security audit that resulted in a finding that the organization fails to promptly remove the accounts associated with users who have left the organization. This resulted in at least one security incident where a terminated user logged into a corporate system and took sensitive information. What identity and access management control would best protect against this risk?

    - Automated deprovisioning

  • 75

    Jay is the CISO for his organization and is responsible for conducting periodic reviews of the organization's information security policy. The policy was written three years ago and has undergone several minor revisions after audits and assessments. Which one of the following would be the most reasonable frequency to conduct formal reviews of the policy?

    - Annually

  • 76

    Terri is undertaking a risk assessment for her organization. Which one of the following activities would normally occur first?

    - Risk identification

  • 77

    Kai is attempting to determine whether he can destroy a cache of old records that he discovered. What type of policy would most directly answer his question?

    - Data retention

  • 78

    Fences are a widely used security control that can be described by several different control types. Which one of the following control types would least describe a fence?

    - Corrective

  • 79

    Ian is designing an authorization scheme for his organization's deployment of a new accounting system. He is considering putting a control in place that would require that two accountants approve any payment request over $100,000. What security principle is Ian seeking to enforce?

    - Dual control

  • 80

    Carmen is working with a new vendor on the design of a penetration test. She would like to ensure that the vendor does not conduct any physical intrusions as part of their testing. Where should Carmen document this requirement?

    - Rules of engagement

  • 81

    Gavin is drafting a document that provides a detailed step-by-step process that users may follow to connect to the VPN from remote locations. Alternatively, users may ask IT to help them configure the connection. What term best describes this document?

    - Procedure

  • 82

    Which one of the following security controls is designed to help provide continuity for security responsibilities?

    - Succession planning

  • 83

    After conducting a security review, Oskar determined that his organization is not conducting regular backups of critical data. What term best describes the type of control gap that exists in Oskar's organization?

    - Corrective

  • 84

    Carla is reviewing the cybersecurity policies used by her organization. What policy might she put in place as a failsafe to cover employee behavior situations where no other policy directly applies?

    - Code of conduct

  • 85

    Which one of the following items is not normally included in a request for an exception to security policy?

    - Proposed revision to the security policy

  • 86

    What policy should contain provisions for removing user access upon termination?

    - Account management policy

  • 87

    Questions 286-288 refer to the following scenario: Karen is the CISO of a major manufacturer of industrial parts. She is currently performing an assessment of the firm's financial controls, with an emphasis on implementing security practices that will reduce the likelihood of theft from the firm. 286. Karen would like to ensure that the same individual is not able to both create a new vendor in the system and authorize a payment to that vendor. She is concerned that an individual who could perform both of these actions would be able to send payments to false vendors. What type of control should Karen implement?

    - Separation of duties

  • 88

    Questions 286-288 refer to the following scenario: Karen is the CISO of a major manufacturer of industrial parts. She is currently performing an assessment of the firm's financial controls, with an emphasis on implementing security practices that will reduce the likelihood of theft from the firm. 287. The accounting department has a policy that requires the signatures of two individuals on checks valued over $5,000. What type of control do they have in place?

    - Two-person control

  • 89

    Questions 286-288 refer to the following scenario: Karen is the CISO of a major manufacturer of industrial parts. She is currently performing an assessment of the firm's financial controls, with an emphasis on implementing security practices that will reduce the likelihood of theft from the firm. 288. Karen would also like to implement controls that would help detect potential malfeasance by existing employees. Which one of the following controls is least likely to detect malfeasance?

    - Background investigations

  • 90

    Kevin is conducting a security exercise for his organization that uses both offensive and defensive operations. His role is to serve as the moderator of the exercise and to arbitrate disputes. What role is Kevin playing?

    - White team

  • 91

    Bohai is concerned about access to the main account for a cloud service that his company uses to manage payment transactions. He decides to implement a new process for multifactor authentication to that account where an individual on the IT team has the password to the account, while an individual in the accounting group has the token. What security principle is Bohai using?

    - Dual control
