A security administrator is conducting network forensic analysis of a recent defacement of the company's secure web payment server (HTTPS). The server was compromised around the New Year's holiday when all the company employees were off. The company's network diagram is summarized below:
The security administrator discovers that all the local web server logs have been deleted. Additionally, the Internal Firewall logs are intact but show no activity from the internal network to the web server farm during the holiday.
Which of the following is true?
A. The security administrator must correlate the external firewall logs with the intrusion detection system logs to determine what specific attack led to the web server compromise.
B. The security administrator must reconfigure the network and place the IDS between the SSL accelerator and the server farm to be able to determine the cause of future attacks.
C. The security administrator must correlate logs from all the devices in the network diagram to determine what specific attack led to the web server compromise.
D. The security administrator should review the IDS logs to determine the source of the attack and the attack vector used to compromise the web server.
Correct answer: B
Question 2:
A small company's Chief Executive Officer (CEO) has asked its Chief Security Officer (CSO) to improve the company's security posture quickly with regard to targeted attacks.
Which of the following should the CSO conduct FIRST?
A. Purchase multiple threat feeds to ensure diversity and implement blocks for malicious traffic.
B. Conduct an internal audit against industry best practices to perform a qualitative analysis.
C. Deploy a UTM solution that receives frequent updates from a trusted industry vendor.
D. Survey threat feeds from services inside the same industry.
Correct answer: D
Question 3:
A forensic analyst works for an e-discovery firm where several gigabytes of data are processed daily. While the business is lucrative, they do not have the resources or the scalability to adequately serve their clients. Since it is an e-discovery firm where chain of custody is important, which of the following scenarios should they consider?
A. Outsourcing the service to a third party cloud provider
B. Offload some data processing to a public cloud
C. Using a community cloud with adequate controls
D. Aligning their client intake with the resources available
Correct answer: C
Question 4:
The Chief Information Security Officer (CISO) of a small bank wants to embed a monthly testing regimen into the security management plan, specifically for the development area.
The CISO's requirements are that the testing must have a low risk of impacting system stability, must be scriptable, and must be very thorough. The development team claims that this will lead to a higher degree of test script maintenance and that it would be preferable if the testing were outsourced to a third party. The CISO maintains that third-party testing would not be as thorough, because a third party lacks the development team's inside knowledge of the code. Which of the following will satisfy the CISO's requirements?
A. Grey box testing performed by the development and security assurance teams.
B. Black box testing performed by a major external consulting firm who have signed a NDA.
C.
D. White box testing performed by the development and security assurance teams.
Correct answer: D
Question 5:
A web developer is responsible for a simple web application that books holiday accommodations. The front-facing web server offers an HTML form, which asks for a user's age. This input gets placed into a signed integer variable and is then checked to ensure that the user is in the adult age range.
Users have reported that the website is not functioning correctly. The web developer has inspected log files and sees that a very large number (in the billions) was submitted just before the issue started occurring. Which of the following is the MOST likely situation that has occurred?
A. Computers are able to store numbers well above "billions" in size. Therefore, the website issues are not related to the large number being input.
B. The age variable stored the large number and filled up disk space which stopped the application from continuing to function. Improper error handling prevented the application from recovering.
C. The age variable has had an integer overflow and was assigned a very small negative number which led to unpredictable application behavior. Improper error handling prevented the application from recovering.
D. The application has crashed because a very large integer has led to a "divide by zero". Improper error handling prevented the application from recovering.
Correct answer: C
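The failure behind the correct answer, shown as an added C example that is not part of the original question set: a "billions"-sized value is read from the form, stored in a 32-bit signed variable, and wraps, beside a parser that rejects the input before the narrowing store. The sample inputs are constructed, and the upper age limit MAX_AGE is an assumed application policy.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/*
 * Naive pattern from the scenario: the submitted digits are read as a wide
 * integer and then stored in a 32-bit signed variable.  Converting an
 * out-of-range value to a signed type is implementation-defined in C; every
 * mainstream two's-complement compiler reduces it modulo 2^32, so the
 * constructed input "4294967250" (2^32 - 46) becomes -46 and "2147483648"
 * (2^31) becomes INT32_MIN.  The value is already wrong before any age check
 * runs, so every later decision or calculation based on it is unpredictable.
 */
int32_t age_naive(const char *input)
{
    long long wide = strtoll(input, NULL, 10); /* holds the full "billions" value */
    int32_t age = wide;                        /* implicit narrowing store: wraps */
    return age;
}

/* Naive adult check: operates on whatever the wrapped variable holds. */
int is_adult_naive(const char *input)
{
    return age_naive(input) >= 18;
}

/*
 * Hardened parse.  Returns the age, or -1 if the input is rejected.
 *  - only plain decimal digits are accepted: no sign, no leading whitespace,
 *    no trailing junk, so strtoll cannot be steered by the attacker;
 *  - errno == ERANGE catches overflow of long long itself;
 *  - the domain check is done on the wide value BEFORE the narrowing store,
 *    so nothing out of range ever reaches the int32_t.
 * MAX_AGE is an assumed application policy, not from the original question.
 */
#define MAX_AGE 150

int32_t parse_age_checked(const char *input)
{
    if (input == NULL || input[0] < '0' || input[0] > '9')
        return -1;                            /* empty, signed, or whitespace-led */

    char *end = NULL;
    errno = 0;
    long long wide = strtoll(input, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return -1;                            /* overflow of long long, or trailing characters */
    if (wide > MAX_AGE)
        return -1;                            /* out of domain, including 2^32 - 46 */
    return (int32_t)wide;                     /* safe: 0 <= wide <= MAX_AGE */
}

/* 1 = adult, 0 = minor, -1 = input rejected (the caller must handle -1 explicitly). */
int is_adult_checked(const char *input)
{
    int32_t age = parse_age_checked(input);
    if (age < 0)
        return -1;
    return age >= 18;
}
```

Compiling with `-Wconversion` (GCC or Clang) flags the implicit narrowing assignment in `age_naive`; the hardened version never narrows an unchecked value, which is why that warning does not fire on it.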
Question 6:
A health service provider is considering the impact of allowing doctors and nurses access to the internal email system from their personal smartphones. The Information Security Officer (ISO) has received a technical document from the security administrator explaining that the current email system is capable of enforcing security policies on personal smartphones, including screen lockout and mandatory PINs. Additionally, the system is able to remotely wipe a phone if it is reported lost or stolen. Which of the following should the Information Security Officer be MOST concerned with based on this scenario? (Select THREE).
A. Smartphones may be used as rogue access points.
B. Not all smartphones natively support encryption.
C. Compliance may not be supported by all smartphones.
D. Smartphone radios can interfere with health equipment.
E. The email system may become unavailable due to overload.
F. Equipment loss, theft, and data leakage.
G. Data usage cost could significantly increase.
Correct answer: B, C, F
Question 7:
A security administrator is tasked with securing the move of a company's headquarters and branch offices to unified communications. The Chief Information Officer (CIO) wants to integrate the corporate users' email, voice mail, telephony, presence and corporate messaging across internal computers, mobile users, and devices. Which of the following actions would BEST meet the CIO's goals while providing maximum unified communications security?
A. Create presence groups, restrict IM protocols to the internal networks, encrypt remote devices, and restrict access to services to local network and VPN clients.
B. Establish presence privacy groups, restrict all IM protocols, allow secure RTP on session border gateways, enable full disk encryptions, and transport encryption for email security.
C. Enable discretionary email forwarding restrictions, utilize QoS and Secure RTP, allow external IM protocols only over TLS, and allow port 2000 incoming to the internal firewall interface for secure SIP.
D. Set presence to invisible by default, restrict IM to invite only, implement QoS on SIP and RTP traffic, discretionary email forwarding, and full disk encryption.
Correct answer: A