A security architect was asked to modify an existing internal network design to accommodate the following requirements for RDP:
– Enforce MFA for RDP.
– Ensure RDP connections are only allowed with secure ciphers.
The existing network is extremely complex and not well segmented. Because of these limitations, the company has requested that the connections not be restricted by network-level firewalls or ACLs.
Which of the following should the security architect recommend to meet these requirements?
- A. Implement a reverse proxy for remote desktop with a secure cipher configuration enforced.
- B. Implement a bastion host with a secure cipher configuration enforced.
- C. Implement a remote desktop gateway server, enforce secure ciphers, and configure it to use OTP.
- D. Implement a GPO that enforces TLS cipher suites and limits remote desktop access to only VPN users.
An organization is deploying a new, online digital bank and needs to ensure availability and performance. The cloud-based architecture is deployed using PaaS and SaaS solutions, and it was designed with the following considerations:
– Protection from DoS attacks against its infrastructure and web applications is in place.
– Highly available and distributed DNS is implemented.
– Static content is cached in the CDN.
– A WAF is deployed inline and is in block mode.
– Multiple public clouds are utilized in an active-passive architecture.
With the above controls in place, the bank is experiencing a slowdown on the unauthenticated payments page. Which of the following is the MOST likely cause?
- A. The public cloud provider is applying QoS to the inbound customer traffic.
- B. The API gateway endpoints are being directly targeted.
- C. The site is experiencing a brute-force credential attack.
- D. A DDoS attack is targeted at the CDN.
A healthcare system recently suffered from a ransomware incident. As a result, the board of directors decided to hire a security consultant to improve existing network security. The security consultant found that the healthcare network was completely flat, had no privileged access limits, and had open RDP access to servers with personal health information. As the consultant builds the remediation plan, which of the following solutions would BEST solve these challenges? (Choose three.)
- A. SD-WAN
- B. PAM
- C. Remote access VPN
- D. MFA
- E. Network segmentation
- F. BGP
- G. NAC
A Chief Information Security Officer (CISO) is concerned that a company’s current data disposal procedures could result in data remanence. The company uses only SSDs. Which of the following would be the MOST secure way to dispose of the SSDs given the CISO’s concern?
- A. Degaussing
- B. Overwriting
- C. Shredding
- D. Formatting
- E. Incinerating
The CI/CD pipeline requires code to have close to zero defects and zero vulnerabilities. The current process for any code releases into production uses two-week Agile sprints. Which of the following would BEST meet the requirement?
- A. An open-source automation server
- B. A static code analyzer
- C. Trusted open-source libraries
- D. A single code repository for all developers
A security analyst wants to keep track of all outbound web connections from workstations. The analyst’s company uses an on-premises web filtering solution that forwards the outbound traffic to a perimeter firewall. When the security analyst gets the connection events from the firewall, the source IP of the outbound web traffic is the translated IP of the web filtering solution. Considering this scenario involving source NAT, which of the following would be the BEST option to inject in the HTTP header to include the real source IP from workstations?
- A. X-Forwarded-Proto
- B. X-Forwarded-For
- C. Cache-Control
- D. Strict-Transport-Security
- E. Content-Security-Policy
An HVAC contractor requested network connectivity permission to remotely support/troubleshoot equipment issues at a company location. Currently, the company does not have a process that allows vendors remote access to the corporate network. Which of the following solutions represents the BEST course of action to allow the contractor access?
- A. Add the vendor’s equipment to the existing network. Give the vendor access through the standard corporate VPN.
- B. Give the vendor a standard desktop PC to attach the equipment to. Give the vendor access through the standard corporate VPN.
- C. Establish a certification process for the vendor. Allow certified vendors access to the VDI to monitor and maintain the HVAC equipment.
- D. Create a dedicated segment with no access to the corporate network. Implement dedicated VPN hardware for vendor access.
An attacker infiltrated the code base of a hardware manufacturer and inserted malware before the code was compiled. The malicious code is now running at the hardware level across a number of industries and sectors. Which of the following categories BEST describes this type of vendor risk?
- A. SDLC attack
- B. Side-load attack
- C. Remote code signing
- D. Supply chain attack
A company is adopting a new artificial-intelligence-based analytics SaaS solution. This is the company’s first attempt at using a SaaS solution, and a security architect has been asked to determine any future risks. Which of the following would be the GREATEST risk in adopting this solution?
- A. The inability to assign access controls to comply with company policy
- B. The inability to require the service provider to process data in a specific country
- C. The inability to obtain company data when migrating to another service
- D. The inability to conduct security assessments against a service provider
A BIA of a popular online retailer identified several mission-essential functions that would take more than seven days to recover in the event of an outage. Which of the following should be considered when setting priorities for the restoration of these functions?
- A. Supply chain issues
- B. Revenue generation
- C. Warm-site operations
- D. Scheduled impacts to future projects