A security administrator configured the account policies per security implementation guidelines. However, the accounts still appear to be susceptible to brute-force attacks. The following settings meet the existing compliance guidelines:
– Must have a minimum of 15 characters
– Must use one number
– Must use one capital letter
– Must not be one of the last 12 passwords used
Which of the following policies should be added to provide additional security?
- A. Shared accounts
- B. Password complexity
- C. Account lockout
- D. Password history
- E. Time-based logins
A cybersecurity analyst discovered a private key that could have been exposed.
Which of the following is the BEST way for the analyst to determine if the key has been compromised?
- A. HSTS
- B. CRL
- C. CSRs
- D. OCSP
Which of the following technologies allows CSPs to add encryption across multiple data storages?
- A. Symmetric encryption
- B. Homomorphic encryption
- C. Data dispersion
- D. Bit splitting
A vulnerability scanner detected an obsolete version of an open-source file-sharing application on one of a company’s Linux servers. While the software version is no longer supported by the OSS community, the company’s Linux vendor backported fixes, applied them for all current vulnerabilities, and agrees to support the software in the future.
Based on this agreement, this finding is BEST categorized as a:
- A. true positive.
- B. true negative.
- C. false positive.
- D. false negative.
A company’s Chief Information Security Officer is concerned that the company’s proposed move to the cloud could lead to a lack of visibility into network traffic flow logs within the VPC.
Which of the following compensating controls would be BEST to implement in this situation?
- A. EDR
- B. SIEM
- C. HIDS
- D. UEBA
A security team received a regulatory notice asking for information regarding collusion and pricing from staff members who are no longer with the organization.
The legal department provided the security team with a list of search terms to investigate.
This is an example of:
- A. due diligence.
- B. e-discovery.
- C. due care.
- D. legal hold.
Which of the following is a low-power, low-data-rate protocol that allows for the creation of PAN networks?
- A. Zigbee
- B. CAN
- C. DNP3
- D. Modbus
An organization’s assessment of a third-party, non-critical vendor reveals that the vendor does not have cybersecurity insurance and IT staff turnover is high. The organization uses the vendor to move customer office equipment from one service location to another. The vendor acquires customer data and access to the business via an API.
Given this information, which of the following is a noted risk?
- A. Feature delay due to extended software development cycles
- B. Financial liability from a vendor data breach
- C. Technical impact to the API configuration
- D. The possibility of the vendor’s business ceasing operations
A company wants to quantify and communicate the effectiveness of its security controls but must establish measures. Which of the following is MOST likely to be included in an effective assessment roadmap for these controls?
- A. Create a change management process.
- B. Establish key performance indicators.
- C. Create an integrated master schedule.
- D. Develop a communication plan.
- E. Perform a security control assessment.
A bank is working with a security architect to find the BEST solution to detect database management system compromises. The solution should meet the following requirements:
– Work at the application layer
– Send alerts on attacks from both privileged and malicious users
– Have a very low false-positive rate
Which of the following should the architect recommend?
- A. FIM
- B. WAF
- C. NIPS
- D. DAM
- E. UTM