
CompTIA CASP+ 2023 Questions and Answers - Part 13

Mary Smith

Sat, 18 Apr 2026


1. Regulatory compliance requires a company to perform an annual penetration test. The Chief Information Security Officer (CISO) has requested that it be done using a black box methodology. Which of the following would be the advantage of performing this kind of penetration test?

A) The results should reflect what attackers are able to learn about the company.
B) Using the documentation provided to them, the pen-testing organization can quickly establish areas to focus on.
C) The results will demonstrate a thorough understanding of the network and should help pinpoint areas of internal weakness.
D) None
E) The risk of unplanned server downtime is reduced.


2. A Chief Financial Officer (CFO) has expressed concern to the Chief Information Security Officer (CISO) because money is being spent on IT security infrastructure, yet assets are still found to be vulnerable. The company recently funded a patch management product and an SOE hardening initiative. A third-party audit reported findings to the company because some systems are missing patches. Which of the following statements best describes this situation?

A) None
B) Security measures are generally not 100% effective, and differences must be explained to the stakeholders and managed accordingly.
C) The CFO is at fault because they are responsible for patching systems and have been given patch management and SOE hardening products.
D) The audit findings are invalid because corrective action has already been taken to patch servers and remediation takes time.
E) The CISO has not selected the right controls, and the audit findings should be assigned to them instead of the CFO.


3. The Chief Information Security Officer (CISO) asks for ways to protect against zero-day exploits. The CISO is concerned that an unknown threat could put the business at risk and result in regulatory fines and bad publicity. The network is mostly flat, with split staff/guest wireless functionality. Which of the following equipment should be used to guard against unknown threats?

A) None
B) Implementing an offsite data center hosting all business data, as well as deploying VDI clients for all computing needs.
C) Cloud-based antivirus solution, running as a local admin, with push technology for definition updates.
D) Behavior-based IPS with a communication link to a cloud-based vulnerability and threat feed.
E) Host-based heuristic IPS, separated on a management VLAN, with direct control of the perimeter firewall ACLs.


4. A security engineer is working on a large software development project. As part of the design of the project, various stakeholder requirements were collected and broken down to an executable and testable level. Several security requirements were documented. Organize the following security requirements into the correct hierarchy required for the SRTM. Requirement 1: The system must provide confidentiality for data at rest and data in transit. Requirement 2: The system must use SSL, SSH, or SCP for all data transport. Requirement 3: The system must implement a file-encryption scheme. Requirement 4: The system must provide integrity for all data at rest. Requirement 5: The system must perform CRC checks on all files.

A) Level 1: Requirements 1, 2 and 3; Level 2: Requirements 4 and 5
B) None
C) Level 1: Requirements 1 and 4; Level 2: Requirements 2, 3 and 5
D) Level 1: Requirements 1 and 4; Level 2: Requirement 2 under 1, Requirement 5 under 4; Level 3: Requirement 3 under 2
E) Level 1: Requirements 1 and 4; Level 2: Requirements 2 and 3 under 1, Requirement 5 under 4


5. An external penetration tester compromised a client organization's authentication servers and exfiltrated the password database. Which of the following methods should the penetration tester use to make use of any resulting administrative credentials on other systems of the client organization as efficiently as possible, without impacting the integrity of those systems?

A) Use the pass-the-hash technique
B) Use the existing access to change the passwords
C) None
D) Use rainbow tables to crack the passwords
E) Use social engineering to obtain the actual passwords


1. Right Answer: A
Explanation:

2. Right Answer: B
Explanation:

3. Right Answer: D
Explanation:

4. Right Answer: E
Explanation:

5. Right Answer: A
Explanation:
