Employees are receiving certificate errors when visiting secure internet websites. A help desk technician reviews a sample of the certificates from various external websites and determines that an internal certificate with the name of the company’s proxy is present in the middle of the certificate chain. The help desk technician escalates the issue to the security team. Which of the following should the security team do next to resolve this issue?
- A. Renew and redeploy the intermediate CA certificate.
- B. Contact the external websites about updating their certificates.
- C. Use Wireshark to analyze network traffic for potential malicious activities.
- D. Add the affected websites to the proxy’s allow list.

A PKI engineer is defining certificate templates for an organization’s CA and would like to ensure at least two of the possible SAN certificate extension fields populate for documentation purposes. Which of the following are explicit options within this extension? (Choose two.)
- A. Type
- B. Email
- C. OCSP responder
- D. Registration authority
- E. Common Name
- F. DNS name

An organization needs to disable TLS 1.0 on a retail website. Which of the following best explains the reason for this action?
- A. Payment card industry compliance requires the change.
- B. Digital certificates are dependent on a newer protocol.
- C. Most browser manufacturers are ending legacy support.
- D. The application software no longer supports TLS 1.0.

A security review of the architecture for an application migration was recently completed. The following observations were made:

- External inbound access is blocked.
- A large amount of storage is available.
- Memory and CPU usage are low.
- The load balancer has only a single server assigned.
- Multiple APIs are integrated.

Which of the following needs to be addressed?
- A. Scalability
- B. Automation
- C. Availability
- D. Performance

A security technician is trying to connect a remote site to the central office over a site-to-site VPN. The technician has verified the source and destination IP addresses are correct, but the technician is unable to get the remote site to connect. The following error message keeps repeating:

An error has occurred during Phase 1 handshake. Deleting keys and retrying…

Which of the following is most likely the reason the connection is failing?
- A. The IKE hashing algorithm uses different key lengths on each VPN device.
- B. The IPSec settings allow more than one cipher suite on both devices.
- C. The Diffie-Hellman group on both sides matches but is a legacy group.
- D. The remote VPN is attempting to connect with a protocol other than SSL/TLS.

A company uses a CSP to provide a front end for its new payment system offering. The new offering is currently certified as PCI compliant. In order for the integrated solution to be compliant, the customer:
- A. must also be PCI compliant, because the risk is transferred to the provider.
- B. still needs to perform its own PCI assessment of the provider’s managed serverless service.
- C. needs to perform a penetration test of the cloud provider’s environment.
- D. must ensure in-scope systems for the new offering are also PCI compliant.

A company would like to move its payment card data to a cloud provider. Which of the following solutions will best protect account numbers from unauthorized disclosure?
- A. Storing the data in an encoded file
- B. Implementing database encryption at rest
- C. Only storing tokenized card data
- D. Implementing data field masking

A company recently migrated its critical web application to a cloud provider’s environment. As part of the company’s risk management program, the company intends to conduct an external penetration test. According to the scope of work and the rules of engagement, the penetration tester will validate the web application’s security and check for opportunities to expose sensitive company information in the newly migrated cloud environment. Which of the following should be the first consideration prior to engaging in the test?
- A. Prepare a redundant server to ensure the critical web application’s availability during the test.
- B. Obtain agreement between the company and the cloud provider to conduct penetration testing.
- C. Ensure the latest patches and signatures are deployed on the web server.
- D. Create an NDA between the external penetration tester and the company.

A threat hunting team receives a report about possible APT activity in the network. Which of the following threat management frameworks should the team implement?
- A. NIST SP 800-53
- B. MITRE ATT&CK
- C. OWASP
- D. The Diamond Model of Intrusion Analysis

IoCs were missed during a recent security incident due to the reliance on a signature-based detection platform. A security engineer must recommend a solution that can be implemented to address this shortcoming. Which of the following would be the most appropriate recommendation?
- A. FIM
- B. SASE
- C. UEBA
- D. CSPM
- E. EAP