Free CISSP Dump

Question #350

Which of the following is the BEST method a security practitioner can use to ensure that systems and sub-systems gracefully handle invalid input?

  • A. Unit testing
  • B. Acceptance testing
  • C. Integration testing
  • D. Negative testing

Correct Answer: D (negative testing deliberately submits invalid, malformed or out-of-range input to confirm that the system rejects it gracefully; unit, integration and acceptance testing do not specifically target invalid input)

Community vote distribution

D (95%)

5%

Question #351

Commercial off-the-shelf (COTS) software presents which of the following additional security concerns?

  • A. Vendors take on the liability for COTS software vulnerabilities.
  • B. In-house developed software is inherently less secure.
  • C. COTS software is inherently less secure.
  • D. Exploits for COTS software are well documented and publicly available.

Correct Answer: D

Community vote distribution

D (77%)

C (23%)

Question #352

When conducting a third-party risk assessment of a new supplier, which of the following reports should be reviewed to confirm the operating effectiveness of the security, availability, confidentiality, and privacy trust principles?

  • A. Service Organization Control (SOC) 1, Type 2
  • B. Service Organization Control (SOC) 2, Type 2
  • C. International Organization for Standardization (ISO) 27001
  • D. International Organization for Standardization (ISO) 27002

Correct Answer: B

Community vote distribution

B (100%)

Question #353

Which of the following would be the BEST mitigation practice for man-in-the-middle (MITM) Voice over Internet Protocol (VoIP) attacks?

  • A. Use Secure Shell (SSH) protocol
  • B. Use File Transfer Protocol (FTP)
  • C. Use Transport Layer Security (TLS) protocol
  • D. Use Media Gateway Control Protocol (MGCP)

Correct Answer: C

Community vote distribution

C (100%)

Question #354

The Chief Information Security Officer (CISO) is concerned about business application availability. The organization was recently subject to a ransomware attack that resulted in the unavailability of applications and services for 10 working days and required paper-based running of all main business processes. There are now aggressive plans to enhance the Recovery Time Objective (RTO) and cater for more frequent data captures. Which of the following solutions should be implemented to fully comply with the new business requirements?

  • A. Virtualization
  • B. Antivirus
  • C. Host-based intrusion prevention system (HIPS)
  • D. Process isolation

Correct Answer: A

Community vote distribution

A (100%)

Question #355

What is the MOST appropriate hierarchy of documents when implementing a security program?

  • A. Policy, organization principle, standard, guideline
  • B. Standard, policy, organization principle, guideline
  • C. Organization principle, policy, standard, guideline
  • D. Organization principle, guideline, policy, standard

Correct Answer: C (organizational principles such as mission and values come first; policy is derived from them, standards make policy specific and mandatory, and guidelines are the non-mandatory advice at the bottom of the hierarchy)

Community vote distribution

C (92%)

8%

Question #356

Which of the following is the MOST important consideration in selecting a security testing method based on different Radio-Frequency Identification (RFID) vulnerability types?

  • A. An understanding of the attack surface
  • B. Adaptability of testing tools to multiple technologies
  • C. The quality of results and usability of tools
  • D. The performance and resource utilization of tools

Correct Answer: A

Community vote distribution

A (100%)

Question #357

An organization’s internal audit team performed a security audit on the company’s system and reported that the manufacturing application is rarely updated along with other issues categorized as minor. Six months later, an external audit team reviewed the same system with the same scope, but identified severe weaknesses in the manufacturing application’s security controls. What is MOST likely to be the root cause of the internal audit team’s failure in detecting these security issues?

  • A. Inadequate security patch testing
  • B. Inadequate test coverage analysis
  • C. Inadequate log reviews
  • D. Inadequate change control procedures

Correct Answer: B

Community vote distribution

B (75%)

D (25%)

Question #358

Which of the following is a limitation of the Bell-LaPadula model?

  • A. Segregation of duties (SoD) is difficult to implement as the “no read-up” rule limits the ability of an object to access information with a higher classification.
  • B. Mandatory access control (MAC) is enforced at all levels making discretionary access control (DAC) impossible to implement.
  • C. It contains no provision or policy for changing data access control and works well only with access systems that are static in nature.
  • D. It prioritizes integrity over confidentiality which can lead to inadvertent information disclosure.

Correct Answer: C

Community vote distribution

C (80%)

A (20%)
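The two rules the question turns on are easy to state but worth seeing enforced. The following is an added Python rendering of the Bell-LaPadula rules (it is not code from the page): a linear clearance lattice is assumed, compartments are left out, and the point to notice is that the model offers read and write checks but no operation that changes a level, which is the limitation in option C.

```python
from itertools import product

# Linear classification lattice assumed for this example; real BLP lattices also
# carry need-to-know compartments, which are omitted here.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


def dominates(higher, lower):
    return LEVELS[higher] >= LEVELS[lower]


def may_read(subject_level, object_level):
    """Simple security property: read only at or below the clearance (no read up)."""
    return dominates(subject_level, object_level)


def may_write(subject_level, object_level):
    """*-property: write only at or above the clearance (no write down)."""
    return dominates(object_level, subject_level)


def access_matrix():
    """Permitted operations for every (subject level, object level) pair."""
    matrix = {}
    for s, o in product(LEVELS, LEVELS):
        ops = set()
        if may_read(s, o):
            ops.add("read")
        if may_write(s, o):
            ops.add("write")
        matrix[(s, o)] = ops
    return matrix


def check_sequence(subject_level, operations):
    """Evaluate (op, object_level) requests for one subject; return those BLP denies.

    Note what the model does NOT offer: there is no operation that changes an
    object's or a subject's level. Levels are treated as fixed (the tranquility
    assumption), so declassification or a clearance change must be performed by
    a trusted process outside the model.
    """
    denied = []
    for op, level in operations:
        allowed = {"read": may_read, "write": may_write}[op](subject_level, level)
        if not allowed:
            denied.append((op, level))
    return denied


if __name__ == "__main__":
    for (s, o), ops in sorted(access_matrix().items(),
                              key=lambda kv: (LEVELS[kv[0][0]], LEVELS[kv[0][1]])):
        print(f"{s:13} -> {o:13}: {sorted(ops) or '-'}")
    # A SECRET subject may append to a TOP_SECRET object it cannot read (a blind
    # write): confidentiality holds, but the integrity of that object is not the
    # model's concern, which is why Biba or Clark-Wilson is paired with it.
    print(check_sequence("SECRET", [("write", "TOP_SECRET"),
                                    ("read", "TOP_SECRET"),
                                    ("write", "CONFIDENTIAL")]))
```

Running the block prints the full access matrix; the last line shows the blind write being permitted while the read-up and write-down are denied.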

Question #359

Which of the following vulnerability assessment activities BEST exemplifies the Examine method of assessment?

  • A. Asking the Information System Security Officer (ISSO) to describe the organization’s patch management processes
  • B. Ensuring that system audit logs capture all relevant data fields required by the security controls baseline
  • C. Logging into a web server using the default administrator account and a default password
  • D. Performing Port Scans of selected network hosts to enumerate active services

Correct Answer: B

Community vote distribution

B (50%)

D (33%)

A (17%)

Question #360

Which of the following BEST ensures the integrity of transactions to intended recipients?

  • A. Public key infrastructure (PKI)
  • B. Blockchain technology
  • C. Pre-shared key (PSK)
  • D. Web of trust

Correct Answer: A

Community vote distribution

A (55%)

B (45%)

Question #361

Recently, an unknown event has disrupted a single Layer-2 network that spans between two geographically diverse data centers. The network engineers have asked for assistance in identifying the root cause of the event. Which of the following is the MOST likely cause?

  • A. Smurf attack
  • B. Misconfigured routing protocol
  • C. Broadcast domain too large
  • D. Address spoofing

Correct Answer: C (a Layer-2 domain stretched between data centers is one broadcast domain; a broadcast storm or spanning-tree event in an oversized broadcast domain takes the whole segment down, which is the most likely cause of an otherwise unexplained outage)

Community vote distribution

C (65%)

D (30%)

4%

Question #362

A company is moving from the V model to Agile development. How can the information security department BEST ensure that secure design principles are implemented in the new methodology?

  • A. Information security requirements are captured in mandatory user stories.
  • B. All developers receive a mandatory targeted information security training.
  • C. The information security department performs an information security assessment after each sprint.
  • D. The non-financial information security requirements remain mandatory for the new model.

Correct Answer: A

Community vote distribution

A (82%)

C (18%)

Question #363

Which of the (ISC)² Code of Ethics canons is MOST reflected when preserving the value of systems, applications, and entrusted information while avoiding conflicts of interest?

  • A. Provide diligent and competent service to principals.
  • B. Act honorably, honestly, justly, responsibly, and legally.
  • C. Advance and protect the profession.
  • D. Protect society, the commonwealth, and the infrastructure.

Correct Answer: A (preserving the value of systems, applications and information and avoiding conflicts of interest are both listed under the canon to provide diligent and competent service to principals)

Community vote distribution

A (74%)

B (16%)

11%

Question #364

Which of the following should exist in order to perform a security audit?

  • A. Neutrality of the auditor
  • B. Industry framework to audit against
  • C. External (third-party) auditor
  • D. Internal certified auditor

Correct Answer: B

Community vote distribution

B (68%)

A (32%)

Question #365

When telephones in a city are connected by a single exchange, the caller can only connect with the switchboard operator. The operator then manually connects the call. This is an example of which type of network topology?

  • A. Point-to-Point Protocol (PPP)
  • B. Bus
  • C. Star
  • D. Tree

Correct Answer: C (every telephone connects only to the central exchange, which is a hub-and-spoke, or star, topology)

Community vote distribution

C (100%)

Question #366

A firm within the defense industry has been directed to comply with contractual requirements for encryption of a government client’s Controlled Unclassified Information (CUI). What encryption strategy represents how to protect data at rest in the MOST efficient and cost-effective manner?

  • A. Perform logical separation of program information, using virtualized storage solutions with encryption management in the back-end disk systems
  • B. Perform logical separation of program information, using virtualized storage solutions with built-in encryption at the virtualization layer
  • C. Perform physical separation of program information and encrypt only information deemed critical by the defense client
  • D. Implement data at rest encryption across the entire storage area network (SAN)

Correct Answer: D

Community vote distribution

D (50%)

B (38%)

13%

Question #367

Which audit type is MOST appropriate for evaluating the effectiveness of a security program?

  • A. Analysis
  • B. Threat
  • C. Assessment
  • D. Validation

Correct Answer: C

Community vote distribution

C (100%)

Question #368

Before allowing a web application into the production environment, the security practitioner performs multiple types of tests to confirm that the web application performs as expected. To test the username field, the security practitioner creates a test that enters more characters into the field than is allowed. Which of the following BEST describes the type of test performed?

  • A. Misuse case testing
  • B. Interface testing
  • C. Web session testing
  • D. Penetration testing

Correct Answer: A

Community vote distribution

A (88%)

13%
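Questions #350 and #368 both describe the same practice: a test that feeds a field input it is not supposed to accept and checks that the application fails closed. The following added example (not code from the page) implements a username validator and a negative-test corpus against it in Python. The field limit of 32 characters, the permitted alphabet and the sample inputs are assumptions made for the example.

```python
import re
import unicodedata

# Assumed rules for a hypothetical username field: 3..32 characters, must start
# with an ASCII letter, then letters, digits, '.', '_' or '-'.
USERNAME_MAX = 32
USERNAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9._-]{2,31}$")


class ValidationError(ValueError):
    pass


def validate_username(raw):
    """Reject invalid input explicitly rather than letting it propagate downstream."""
    if not isinstance(raw, str):
        raise ValidationError("username must be a string")
    if "\x00" in raw:
        raise ValidationError("NUL byte in username")
    # Normalise before measuring and matching, so look-alike Unicode forms
    # (fullwidth letters, compatibility characters) cannot slip past the regex
    # or the length limit.
    value = unicodedata.normalize("NFKC", raw).strip()
    if len(value) > USERNAME_MAX:
        raise ValidationError("username longer than %d characters" % USERNAME_MAX)
    if not USERNAME_RE.fullmatch(value):
        raise ValidationError("username contains disallowed characters")
    return value


# Negative (misuse-case) corpus, constructed for the example: the "more characters
# than allowed" case from #368 plus the wrong-type, control-character and
# injection-style inputs a tester sends on purpose. Each entry is (label, input, why).
NEGATIVE_CASES = [
    ("overlong", "a" * 33, "exceeds maximum length"),
    ("overlong-after-normalise", "a" * 31 + "\uff41\uff41", "fullwidth letters count after NFKC"),
    ("empty", "", "below minimum length"),
    ("nul", "admin\x00", "embedded NUL"),
    ("sql-meta", "admin' OR 1=1--", "quote and spaces"),
    ("html", "<script>alert(1)</script>", "angle brackets"),
    ("leading-digit", "1admin", "must start with a letter"),
    ("wrong-type", None, "not a string"),
    ("newline", "user\nname", "control character"),
]

# Positive cases, so the validator is also checked for rejecting too much.
POSITIVE_CASES = ["alice", "bob.smith", "j_doe-2", "a" * 32]


def run_negative_tests():
    """Labels of negative cases that were NOT rejected; graceful handling means an empty list."""
    accepted = []
    for label, raw, _reason in NEGATIVE_CASES:
        try:
            validate_username(raw)
            accepted.append(label)
        except ValidationError:
            pass
    return accepted


def run_positive_tests():
    """Valid inputs that were wrongly rejected; should also be an empty list."""
    rejected = []
    for raw in POSITIVE_CASES:
        try:
            validate_username(raw)
        except ValidationError:
            rejected.append(raw)
    return rejected


if __name__ == "__main__":
    print("negative cases wrongly accepted:", run_negative_tests())
    print("positive cases wrongly rejected:", run_positive_tests())
```

The negative corpus is the part that distinguishes this from ordinary unit testing: the unit tests say what the validator does with good input, the negative cases assert what it does with input the specification never anticipated, and the positive corpus keeps the validator from being "hardened" into rejecting legitimate users.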

Question #369

If the wide area network (WAN) is supporting converged applications like Voice over Internet Protocol (VoIP), which of the following becomes even MORE essential to the assurance of the network?

  • A. Boundary routing
  • B. Classless Inter-Domain Routing (CIDR)
  • C. Internet Protocol (IP) routing lookups
  • D. Deterministic routing

Correct Answer: D (converged voice traffic is latency- and jitter-sensitive, so deterministic routing with predictable paths and delay becomes essential)

Community vote distribution

D (100%)

Question #370

Why would a system be structured to isolate different classes of information from one another and segregate them by user jurisdiction?

  • A. The organization is required to provide different services to various third-party organizations.
  • B. The organization can avoid e-discovery processes in the event of litigation.
  • C. The organization’s infrastructure is clearly arranged and scope of responsibility is simplified.
  • D. The organization can vary its system policies to comply with conflicting national laws.

Correct Answer: D

Community vote distribution

D (60%)

C (40%)

Question #371

An organization implements Network Access Control (NAC) using Institute of Electrical and Electronics Engineers (IEEE) 802.1x and discovers the printers do not support the IEEE 802.1x standard. Which of the following is the BEST resolution?

  • A. Implement port security on the switch ports for the printers.
  • B. Do nothing; IEEE 802.1x is irrelevant to printers.
  • C. Install an IEEE 802.1x bridge for the printers.
  • D. Implement a virtual local area network (VLAN) for the printers.

Correct Answer: D

Community vote distribution

D (71%)

A (29%)

Question #372

Which of the following goals represents a modern shift in risk management according to National Institute of Standards and Technology (NIST)?

  • A. Provide an improved mission accomplishment approach.
  • B. Focus on operating environments that are changing, evolving, and full of emerging threats.
  • C. Enable management to make well-informed risk-based decisions justifying security expenditure.
  • D. Secure information technology (IT) systems that store, process, or transmit organizational information.

Correct Answer: B

Community vote distribution

B (83%)

C (17%)

Question #373

Which of the following security tools monitors devices and records the information in a central database for further analysis?

  • A. Antivirus
  • B. Host-based intrusion detection system (HIDS)
  • C. Security orchestration automation and response
  • D. Endpoint detection and response (EDR)

Correct Answer: D (EDR agents continuously monitor endpoints and record their telemetry to a central database for analysis; SOAR orchestrates and automates responses and does not itself monitor devices)

Community vote distribution

D (73%)

B (18%)

9%

Question #374

In addition to life, protection of which of the following elements is MOST important when planning a data center site?

  • A. Data and hardware
  • B. Property and operations
  • C. Resources and reputation
  • D. Profits and assets

Correct Answer: A

Community vote distribution

A (56%)

C (22%)

D (17%)

6%

Question #375

Which of the following documents specifies services from the client’s viewpoint?

  • A. Business Impact analysis (BIA)
  • B. Service level agreement (SLA)
  • C. Service Level Requirement (SLR)
  • D. Service level report

Correct Answer: C (the SLR captures the client’s requirements for a service; the SLA is the negotiated agreement and the service level report measures delivery against it)

Community vote distribution

C (80%)

B (20%)

Question #376

Which of the following should be included in a good defense-in-depth strategy provided by object-oriented programming for software development?

  • A. Polymorphism
  • B. Inheritance
  • C. Polyinstantiation
  • D. Encapsulation

Correct Answer: C

Community vote distribution

D (50%)

C (50%)

Question #377

Which of the following is a key responsibility for a data steward assigned to manage an enterprise data lake?

  • A. Ensure proper business definition, value, and usage of data collected and stored within the enterprise data lake.
  • B. Ensure adequate security controls applied to the enterprise data lake.
  • C. Ensure proper and identifiable data owners for each data element stored within an enterprise data lake.
  • D. Ensure that any data passing within remit is being used in accordance with the rules and regulations of the business.

Correct Answer: A

Community vote distribution

A (50%)

B (50%)

Question #378

What is the FIRST step prior to executing a test of an organization’s disaster recovery (DR) or business continuity plan (BCP)?

  • A. Develop clear evaluation criteria.
  • B. Identify key stakeholders.
  • C. Develop recommendations for disaster scenarios.
  • D. Identify potential failure points.

Correct Answer: A

Community vote distribution

B (57%)

A (43%)

Question #379

A breach investigation found a website was exploited through an open source component. What is the FIRST step in the process that could have prevented this breach?

  • A. Application whitelisting
  • B. Vulnerability remediation
  • C. Web application firewall (WAF)
  • D. Software inventory

Correct Answer: D (you cannot remediate or whitelist what you do not know you are running; an accurate inventory of software components is the first step, with vulnerability remediation following from it)

Community vote distribution

D (47%)

B (29%)

C (24%)

Question #380

What security principle addresses the issue of “Security by Obscurity”?

  • A. Open design
  • B. Role Based Access Control (RBAC)
  • C. Segregation of duties (SoD)
  • D. Least privilege

Correct Answer: A (the open design principle holds that security must not depend on the secrecy of the design or implementation, which is exactly what security by obscurity relies on)

Community vote distribution

A (92%)

8%

Question #381

What is the MOST important goal of conducting security assessments?

  • A. To align the security program with organizational risk appetite
  • B. To demonstrate proper function of security controls and processes to senior management
  • C. To prepare the organization for an external audit, particularly by a regulatory entity
  • D. To discover unmitigated security vulnerabilities, and propose paths for mitigating them

Correct Answer: D

Community vote distribution

D (58%)

B (42%)

Question #382

Which of the following virtual network configuration options is BEST to protect virtual machines (VM)?

  • A. Data segmentation
  • B. Data encryption
  • C. Traffic filtering
  • D. Traffic throttling

Correct Answer: A (segmenting the virtual network isolates VMs of different trust levels from one another, with traffic filtering enforcing the boundaries; throttling is a performance control, not a protection)

Community vote distribution

A (52%)

C (46%)

2%

Question #383

Which of the following features is MOST effective in mitigating against theft of data on a corporate mobile device which has been stolen?

  • A. Mobile Device Management (MDM) with device wipe
  • B. Mobile device tracking with geolocation
  • C. Virtual private network (VPN) with traffic encryption
  • D. Whole device encryption with key escrow

Correct Answer: A

Community vote distribution

A (58%)

D (42%)

Question #384

An organization is implementing data encryption using symmetric ciphers and the Chief Information Officer (CIO) is concerned about the risk of using one key to protect all sensitive data. The security practitioner has been tasked with recommending a solution to address the CIO’s concerns. Which of the following is the BEST approach to achieving the objective by encrypting all sensitive data?

  • A. Use a Secure Hash Algorithm 256 (SHA-256).
  • B. Use Rivest-Shamir-Adleman (RSA) keys.
  • C. Use a hierarchy of encryption keys.
  • D. Use Hash Message Authentication Code (HMAC) keys.

Correct Answer: C (a hierarchy of keys, with a master key wrapping key-encryption keys that in turn wrap per-data-set or per-record data-encryption keys, limits the blast radius of any single key and allows rotation without re-encrypting all data; SHA-256 and HMAC do not encrypt, and RSA is not suited to bulk data encryption)

Community vote distribution

C (64%)

B (36%)
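What a key hierarchy buys the CIO is easiest to see in code. The following added Python example (not from the page) builds a three-tier hierarchy, master key over per-tenant key-encryption keys over per-record data-encryption keys, and then measures the two properties that matter: how many items a master-key rotation has to re-wrap, and how many records a single leaked key exposes. To stay on the standard library it uses an HMAC-SHA256 keystream with an encrypt-then-MAC tag as a stand-in for a real AEAD; that primitive, the tenant names and the record contents are assumptions for the example, and a production system would use AES-GCM from a vetted library and keep the master key in an HSM or KMS.

```python
import hashlib
import hmac
import os

# Demonstration cipher (stand-in for AES-GCM): HMAC-SHA256 keystream plus an
# encrypt-then-MAC tag, using two subkeys derived from the caller's key.
def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(key, plaintext):
    nonce = os.urandom(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: ciphertext or wrapped key was altered")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, ks))


class KeyHierarchy:
    """Master key -> per-tenant KEKs -> per-record DEKs. Only wrapped keys are stored."""

    def __init__(self, master_key):
        self.master = master_key     # would live in an HSM/KMS and never leave it
        self.wrapped_keks = {}       # tenant -> KEK sealed under the master key
        self.records = {}            # record id -> (tenant, DEK sealed under KEK, ciphertext)

    def add_tenant(self, tenant):
        self.wrapped_keks[tenant] = seal(self.master, os.urandom(32))

    def _kek(self, tenant):
        return unseal(self.master, self.wrapped_keks[tenant])

    def put(self, tenant, rid, data):
        dek = os.urandom(32)         # a fresh key for every record
        self.records[rid] = (tenant, seal(self._kek(tenant), dek), seal(dek, data))

    def get(self, rid):
        tenant, wrapped_dek, ct = self.records[rid]
        return unseal(unseal(self._kek(tenant), wrapped_dek), ct)

    def rotate_master(self, new_master):
        """Re-wrap only the KEKs; record ciphertexts are untouched. Returns the count re-wrapped."""
        keks = {t: self._kek(t) for t in self.wrapped_keks}
        self.master = new_master
        self.wrapped_keks = {t: seal(new_master, k) for t, k in keks.items()}
        return len(keks)

    def exposure(self, rid=None, tenant=None):
        """Record ids readable by someone who learns one DEK (rid) or one tenant's KEK."""
        if rid is not None:
            return {rid}
        return {r for r, (t, _, _) in self.records.items() if t == tenant}


def demo():
    """Exercise the hierarchy on constructed data; returns the observations to check."""
    h = KeyHierarchy(os.urandom(32))
    for tenant in ("hr", "finance"):
        h.add_tenant(tenant)
    h.put("hr", "emp-1", b"salary=100000")
    h.put("hr", "emp-2", b"salary=120000")
    h.put("finance", "inv-1", b"amount=5000")
    rewrapped = h.rotate_master(os.urandom(32))
    # Flip one ciphertext bit of a record: the tag must catch it.
    tenant, wrapped_dek, ct = h.records["inv-1"]
    h.records["inv-1"] = (tenant, wrapped_dek, ct[:20] + bytes([ct[20] ^ 1]) + ct[21:])
    try:
        h.get("inv-1")
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {
        "roundtrip_after_rotation": h.get("emp-2") == b"salary=120000",
        "items_rewrapped_on_rotation": rewrapped,       # 2 tenants, not 3 records
        "records_exposed_by_one_dek": h.exposure(rid="emp-1"),
        "records_exposed_by_hr_kek": h.exposure(tenant="hr"),
        "tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Compare this with the single-key design the CIO objected to: there, rotating the key means re-encrypting every record, and losing it exposes every record. Here rotation touches one wrapped KEK per tenant, a leaked DEK exposes one record, and a leaked KEK exposes one tenant.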

Question #385

Which of the following is a MUST for creating a new custom-built, cloud-native application designed to be horizontally scalable?

  • A. Network as a Service (NaaS)
  • B. Platform as a Service (PaaS)
  • C. Infrastructure as a Service (IaaS)
  • D. Software as a Service (SaaS)

Correct Answer: C

Community vote distribution

B (50%)

C (38%)

13%

Question #386

Which of the following access control mechanisms characterizes subjects and objects using a set of encoded security-relevant properties?

  • A. Mandatory access control (MAC)
  • B. Role-based access control (RBAC)
  • C. Attribute-based access control (ABAC)
  • D. Discretionary access control (DAC)

Correct Answer: C

Community vote distribution

C (50%)

A (50%)

Question #387

Which kind of dependencies should be avoided when implementing secure design principles in software-defined networking (SDN)?

  • A. Hybrid
  • B. Circular
  • C. Dynamic
  • D. Static

Correct Answer: B

Question #388

Which mechanism provides the BEST protection against buffer overflow attacks in memory?

  • A. Address Space Layout Randomization (ASLR)
  • B. Memory management unit
  • C. Stack and heap allocation
  • D. Dynamic random access memory (DRAM)

Correct Answer: A

Community vote distribution

A (75%)

B (25%)

Question #389

Which of the following terms is used for online service providers operating within a federation?

  • A. Active Directory Federation Services (ADFS)
  • B. Relying party (RP)
  • C. Single sign-on (SSO)
  • D. Identity and access management (IAM)

Correct Answer: B (in a federation the identity provider asserts identity and the service providers that consume those assertions are the relying parties; ADFS is one vendor’s product, not the generic term)

Community vote distribution

B (100%)

Question #390

The Chief Information Security Officer (CISO) of a large financial institution is responsible for implementing the security controls to protect the confidentiality and integrity of the organization’s Information Systems. Which of the controls below is prioritized FIRST?

  • A. Firewall and reverse proxy
  • B. Web application firewall (WAF) and HyperText Transfer Protocol Secure (HTTPS)
  • C. Encryption of data in transit and data at rest
  • D. Firewall and intrusion prevention system (IPS)

Correct Answer: C

Community vote distribution

C (67%)

D (33%)

Question #391

Who is the BEST person to review developed application code to ensure it has been tested and verified?

  • A. A developer who knows what is expected of the application, but not the same one who developed it.
  • B. A member of quality assurance (QA) should review the developer’s code.
  • C. A developer who understands the application requirements document, and who also developed the code.
  • D. The manager should review the developer’s application code.

Correct Answer: B

Community vote distribution

A (63%)

B (38%)

Question #392

A bank failed to meet service-level agreements (SLA) with customers after suffering from a database failure of the transaction processing system (TPS) that resulted in delayed financial deposits. A regulatory agency overseeing the bank would like to determine if the cause of the delay was a material weakness. Which of the following documents is MOST relevant for the regulatory agency to review?

  • A. Business continuity plan (BCP)
  • B. Business impact analysis (BIA)
  • C. Continuity of Operations Plan (COOP)
  • D. Enterprise resource planning (ERP)

Correct Answer: B

Community vote distribution

A (60%)

B (40%)

Question #393

What is the MOST effective way to ensure that a cloud service provider does not access a customer’s data stored within its infrastructure?

  • A. Use the organization’s encryption tools and data management controls.
  • B. Ensure that the cloud service provider will contractually not access data unless given explicit authority.
  • C. Request audit logs on a regular basis.
  • D. Utilize the cloud provider’s key management and elastic hardware security module (HSM) support.

Correct Answer: A (encryption performed with keys the customer generates and controls outside the provider’s infrastructure is a technical guarantee; a contractual promise, audit logs or provider-held keys still leave the provider able to read the data)

Community vote distribution

A (86%)

14%

Question #394

Prohibiting which of the following techniques is MOST helpful in preventing users from obtaining confidential data by using statistical queries?

  • A. Sequences of queries that refer repeatedly to the same population
  • B. Repeated queries that access multiple databases
  • C. Selecting all records from a table and displaying all columns
  • D. Running queries that access sensitive data

Correct Answer: A (an inference, or tracker, attack combines aggregate queries over nearly the same population and subtracts them to isolate one individual’s value; refusing such query sequences is the classic statistical-database control)

Community vote distribution

A (100%)
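The attack behind this question is short enough to run. The following added Python example (not from the page) builds a small statistical interface over a constructed employee table that only releases sums, refuses result sets smaller than k rows, and is still defeated by two queries that each pass that check. The second half adds the overlap control that option A describes. The table, the threshold k = 3 and the query set are assumptions for the example.

```python
# Constructed sample table; the interface is only supposed to release aggregates.
EMPLOYEES = [
    {"id": 1, "dept": "security", "role": "manager", "salary": 150000},
    {"id": 2, "dept": "security", "role": "analyst", "salary": 90000},
    {"id": 3, "dept": "security", "role": "analyst", "salary": 95000},
    {"id": 4, "dept": "security", "role": "analyst", "salary": 88000},
    {"id": 5, "dept": "finance", "role": "manager", "salary": 140000},
    {"id": 6, "dept": "finance", "role": "clerk", "salary": 60000},
    {"id": 7, "dept": "finance", "role": "clerk", "salary": 62000},
    {"id": 8, "dept": "finance", "role": "clerk", "salary": 61000},
]

K = 3  # assumed minimum (and N-K maximum) result-set size


class QueryRefused(Exception):
    pass


class StatisticalDB:
    """Aggregate-only interface with the two classic inference controls.

    Query-set-size control: refuse answers computed over fewer than K rows, or
    over more than N-K rows (the complement would leak the same way).
    Overlap control: refuse a query whose population differs from an already
    answered one by fewer than K individuals, i.e. the sequence of queries that
    refer repeatedly to the same population.
    """

    def __init__(self, rows, k=K, overlap_control=False):
        self.rows = rows
        self.k = k
        self.overlap_control = overlap_control
        self.answered = []   # populations (sets of ids) of queries already answered

    def sum_salary(self, predicate):
        matched = [r for r in self.rows if predicate(r)]
        ids = {r["id"] for r in matched}
        if len(ids) < self.k or len(ids) > len(self.rows) - self.k:
            raise QueryRefused("result set too small or too large")
        if self.overlap_control:
            for prev in self.answered:
                if 0 < len(ids ^ prev) < self.k:
                    raise QueryRefused("population overlaps an answered query too closely")
        self.answered.append(ids)
        return sum(r["salary"] for r in matched)


def tracker_attack(db):
    """Two aggregates that each satisfy the size control; their difference is one salary."""
    whole_team = db.sum_salary(lambda r: r["dept"] == "security")
    all_but_manager = db.sum_salary(
        lambda r: r["dept"] == "security" and r["role"] != "manager")
    return whole_team - all_but_manager


def attack_blocked():
    """True if the overlap control stops the same two-query sequence."""
    try:
        tracker_attack(StatisticalDB(EMPLOYEES, overlap_control=True))
    except QueryRefused:
        return True
    return False


def single_row_refused():
    """True if the size control alone already refuses a query that isolates one row."""
    try:
        StatisticalDB(EMPLOYEES).sum_salary(lambda r: r["id"] == 1)
    except QueryRefused:
        return True
    return False


if __name__ == "__main__":
    print("direct single-row query refused:", single_row_refused())
    print("manager salary recovered via two aggregates:",
          tracker_attack(StatisticalDB(EMPLOYEES)))
    print("same attack blocked by overlap control:", attack_blocked())
```

The pairwise overlap check shown here stops the textbook two-query tracker but not every variant: an adversary can pad both queries with the same unrelated rows, or build a general tracker from several queries, so size and overlap controls are defence in depth, and modern statistical releases add noise (differential privacy) rather than relying on query restriction alone.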

Question #395

Which of the following is a major component of the federated identity management (FIM) implementation model and used to establish a network between dozens of organizations?

  • A. Identity as a Service (IDaaS)
  • B. Attribute-based access control (ABAC)
  • C. Cross-certification
  • D. Trusted third party (TTP)

Correct Answer: C

Community vote distribution

A (50%)

D (25%)

C (25%)

Question #396

A Chief Information Security Officer (CISO) is considering various proposals for evaluating security weaknesses and vulnerabilities at the source code level. Which of the following items BEST equips the CISO to make smart decisions for the organization?

  • A. The Common Weakness Risk Analysis Framework (CWRAF)
  • B. The Common Vulnerabilities and Exposures (CVE)
  • C. The Common Weakness Enumeration (CWE)
  • D. The Open Web Application Security Project (OWASP) Top Ten

Correct Answer: C

Community vote distribution

A (100%)

Question #397

Which of the following methods is MOST effective in mitigating Cross-Site Scripting (XSS) vulnerabilities within HyperText Markup Language (HTML) websites?

  • A. Use antivirus and endpoint protection on the server to secure the web-based application
  • B. Place the web-based system in a defined Demilitarized Zone (DMZ)
  • C. Use .NET framework with .aspx extension to provide a higher level of security to the web application so that the web server display can be locked down
  • D. Not returning any HTML tags to the browser client

Correct Answer: D

Community vote distribution

C (50%)

A (50%)
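Option D is a blunt statement of the real control: encode untrusted data for the context it is written into, so nothing the user supplied can become markup. The following added Python example (not from the page) renders the same template unsafely and safely and shows why the href context needs a scheme check on top of encoding. The template, the attacker inputs and the allowed schemes are assumptions for the example.

```python
import html
from urllib.parse import urlsplit

# Constructed attacker-controlled inputs, assumed for the example.
PAYLOAD_NAME = '<img src=x onerror="alert(1)">'
PAYLOAD_LINK = "javascript:alert(document.cookie)"
TEMPLATE = '<p>Hello {name}</p><a href="{link}">profile</a>'


def render_unsafe(name, link):
    """Reflects user input straight into markup: both payloads become live HTML."""
    return TEMPLATE.format(name=name, link=link)


def encode_text(value):
    """Element-content context: '<', '>' and '&' become entities, so no tag can open."""
    return html.escape(value, quote=False)


def encode_attr(value):
    """Quoted-attribute context: also encode quotes so the attribute cannot be closed."""
    return html.escape(value, quote=True)


def safe_href(value):
    """URL context: entity encoding does not neutralise a javascript: URL, so allow only http(s)."""
    value = value.strip()
    if urlsplit(value).scheme.lower() not in ("http", "https"):
        return "#"
    return encode_attr(value)


def render_safe(name, link):
    """Each placeholder is encoded for the context it lands in."""
    return TEMPLATE.format(name=encode_text(name), link=safe_href(link))


def contains_live_tag(markup, tag="img"):
    """Crude check used to compare the two renderings: does an opening <tag appear?"""
    return ("<" + tag) in markup.lower()


if __name__ == "__main__":
    print("unsafe:", render_unsafe(PAYLOAD_NAME, PAYLOAD_LINK))
    print("safe:  ", render_safe(PAYLOAD_NAME, PAYLOAD_LINK))
    print("benign:", render_safe("Alice", "https://example.com/?a=1&b=2"))
```

Note that encoding is applied at output time, per context, rather than by stripping tags from the stored input: the same stored string may later be written into an attribute, a URL or a script block, and each needs a different encoder. Pairing this with a Content-Security-Policy header limits the damage if one sink is missed.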

Question #398

Which of the following MOST accurately describes the Security Target (ST) in the Common Criteria framework?

  • A. The set of rules that define how resources or assets are managed and protected
  • B. A product independent set of security criteria for a class of products
  • C. The product and documentation to be evaluated
  • D. A document that includes a product specific set of security criteria

Correct Answer: D

Community vote distribution

D (100%)

Question #399

An organization has approved deployment of a virtual environment for the development servers and has established controls for restricting access to resources. In order to implement best security practices for the virtual environment, the security team MUST also implement which of the following steps?

  • A. Implement a dedicated management network for the hypervisor.
  • B. Deploy Terminal Access Controller Access Control System Plus (TACACS+) for authentication.
  • C. Implement complex passwords using Privileged Access Management (PAM).
  • D. Capture network traffic for the network interface.

Correct Answer: A

Community vote distribution

A (100%)
