A Chief Financial Officer (CFO) has asked the Chief Information Security Officer (CISO) to provide responses to a recent audit report detailing deficiencies in the organization's security controls. The CFO would like to know ways in which the organization can improve its authorization controls. Given the request by the CFO, which of the following controls should the CISO focus on in the report? (Select three)
A. Password complexity policies
B. Hardware tokens
C. Biometric systems
D. Role-based permissions
E. One-time passwords
F. Separation of duties
G. Multifactor authentication
H. Single sign-on
I. Least privilege

While reviewing the security controls in place for a web-based application, a security controls assessor notices that there are no password strength requirements in place. Because of this vulnerability, passwords might be easily discovered using a brute-force attack. Which of the following password requirements will MOST effectively improve the security posture of the application against these attacks? (Select two)
A. Minimum complexity
B. Maximum age limit
C. Maximum length
D. Minimum length
E. Minimum age limit
F. Minimum re-use limit

Joe, a security analyst, is attempting to determine if a new server meets the security requirements of his organization. As a step in this process, he attempts to identify a lack of security controls and to identify common misconfigurations on the server. Which of the following is Joe attempting to complete?
A. Black hat testing
B. Vulnerability scanning
C. Black box testing
D. Penetration testing

A bank Chief Information Security Officer (CISO) is responsible for a mobile banking platform that operates natively on iOS and Android. Which of the following security controls helps protect the associated publicly accessible API endpoints?
A. Mobile device management
B. Jailbreak detection
C. Network segmentation
D. Application firewalls

A security technician wants to implement stringent security controls over web traffic by restricting the client source TCP ports allowed through the corporate firewall. Which of the following should the technician implement?
A. Deny ports 80 and 443 but allow proxies
B. Only allow ports 80 and 443
C. Only allow ports above 1024
D. Deny port 80 and allow port 443

A company's application is hosted at a data center. The data center provides security controls for the infrastructure. The data center provides a report identifying several vulnerabilities regarding out-of-date OS patches. The company recommends that the data center assume the risk associated with the OS vulnerabilities. Which of the following concepts is being implemented?
A. Risk transference
B. Risk acceptance
C. Risk avoidance
D. Risk deterrence

Ann, the security administrator, has been reviewing logs and has found that several overnight sales personnel are accessing the finance department's network shares. Which of the following security controls should be implemented to BEST remediate this?
A. Mandatory access
B. Separation of duties
C. Time-of-day restrictions
D. Role-based access

Joe, the new Chief Information Officer (CIO) of company ABC, has noticed that company XWY is always one step ahead with similar products. He tasked his Chief Security Officer with implementing new security controls to ensure confidentiality of company ABC's proprietary data and complete accountability for all data transfers. Which of the following security controls did the Chief Security Officer implement to BEST meet these requirements? (Select two)
A. Redundancy
B. Hashing
C. DRP
D. Digital signatures
E. Encryption