A security program manager wants to actively test the security posture of a system. The system is not yet in production and has no uptime requirement or active user base. Which of the following methods will produce a report which shows vulnerabilities that were actually exploited?
A. Peer review B. Component testing C. Penetration testing D. Vulnerability testing
A security administrator is tasked with conducting an assessment made to establish the baseline security posture of the corporate IT infrastructure. The assessment must report actual flaws and weaknesses in the infrastructure. Due to the expense of hiring outside consultants, the testing must be performed using in-house or cheaply available resources. There cannot be a possibility of any requirement being damaged in the test. Which of the following has the administrator been tasked to perform?
A. Risk transference B. Penetration test C. Threat assessment D. Vulnerability assessment
A company hires a penetration testing team to test its overall security posture. The organization has not disclosed any information to the penetration testing team and has allocated five days for testing. Which of the following types of testing will the penetration testing team have to conduct?
A. Static analysis B. Gray Box C. White box D. Black box
A company wants to improve its overall security posture by deploying environmental controls in its datacenter. Which of the following is considered an environmental control that can be deployed to meet this goal?
A. Full-disk encryption B. Proximity readers C. Hardware locks D. Fire suppression
A security manager is discussing the change in the security posture of the network if a proposed application is approved for deployment. Which of the following is the MOST important item the security manager must rely upon to help make this determination?
A. Ports used by new application B. Protocols/services used by new application C. Approved configuration items D. Current baseline configuration
A recent audit has revealed weaknesses in the process of deploying new servers and network devices. Which of the following practices could be used to increase the security posture during deployment? (Select TWO).
A. Deploy a honeypot B. Disable unnecessary services C. Change default password D. Implement an application firewall E. Penetration testing
The information security technician wants to ensure security controls are deployed and functioning as intended to be able to maintain an appropriate security posture. Which of the following security techniques is MOST appropriate to do this?
A. Log audits B. System hardening C. Use IPS/IDS D. Continuous security monitoring
Correct Answer: D Section: Application, Data and Host Security
A security baseline is the security setting of a system that is known to be secure. This is the initial security setting of a system. Once the baseline has been applied, it must be
maintained or improved. Maintaining the security baseline requires continuous monitoring.
A: Auditing logs is good practice. However, it is only one aspect of maintaining security posture. This question asks for the MOST appropriate answer. Continuous security monitoring
covers all aspects of maintaining security posture so it is a more appropriate answer.
B: Hardening is the process of securing a system by reducing its surface of vulnerability. Reducing the surface of vulnerability typically includes removing or disabling unnecessary
functions and features, removing or disabling unnecessary user accounts, disabling unnecessary protocols and ports, and disabling unnecessary services.
C: An IPS/IDS (intrusion prevention system/intrusion detection system) is used to detect and prevent malicious activity on a network or a host. However, there is more to maintaining
security posture than this one aspect; the IPS/IDS should itself be one input to continuous security monitoring.
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp. 12, 61, 130
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 208, 215-217, 222
A company is looking to improve their security posture by addressing risks uncovered by a recent penetration test. Which of the following risks is MOST likely to affect the business on a day-to-day basis?
A. Insufficient encryption methods B. Large scale natural disasters C. Corporate espionage D. Lack of antivirus software
Correct Answer: D Section: Threats and Vulnerabilities
The most common threat to computers is computer viruses. A computer can become infected with a virus through day-to-day activities such as browsing web sites or emails. As
browsing and opening emails are the most common activities performed by all users, computer viruses represent the most likely risk to a business.
A: Insufficient encryption methods do not represent the most likely risk to a business. While some weaker encryption methods are still used today, it still takes some determined effort
to decrypt the data. This is not something that would happen on a day-to-day basis.
B: Large scale natural disasters obviously are bad for computer networks. However, they’re pretty rare. They certainly don’t happen on a day-to-day basis. Computers becoming
infected with a virus are much more common.
C: Corporate espionage is a risk to any business. However, it doesn’t happen on a day-to-day basis. Computers becoming infected with a virus are much more common.
Which of the following BEST represents the goal of a vulnerability assessment?
A. To test how a system reacts to known threats B. To reduce the likelihood of exploitation C. To determine the system’s security posture D. To analyze risk mitigation strategies
Correct Answer: C Section: Threats and Vulnerabilities
A vulnerability scan is the process of scanning the network and/or IT infrastructure for threats and vulnerabilities. The threats and vulnerabilities are then evaluated in a risk
assessment and the necessary actions taken to resolve any vulnerabilities. A vulnerability scan scans for known weaknesses such as missing patches or security updates.
A vulnerability scan is the automated process of proactively identifying security vulnerabilities of computing systems in a network in order to determine if and where a system can be
exploited and/or threatened. While public servers are important for communication and data transfer over the Internet, they open the door to potential security breaches by threat
agents, such as malicious hackers.
Vulnerability scanning employs software that seeks out security flaws based on a database of known flaws, testing systems for the occurrence of these flaws and generating a report of
the findings that an individual or an enterprise can use to tighten the network’s security.
A: A vulnerability scan is used to determine whether a system is vulnerable to known threats. It is not used to test how a system reacts to the known threats.
B: A vulnerability scan is used to determine whether a system is vulnerable to known threats. By determining the existence of vulnerabilities, we can reduce the likelihood of the system
being exploited. However, we first need to determine the existence of the vulnerabilities.
D: A vulnerability scan is used to determine whether a system is at risk from known threats. After determining the risk, we can develop a risk mitigation strategy. However, it is not the
purpose of the vulnerability scan to analyze the risk mitigation strategies.
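The explanation above describes a vulnerability scanner as software that matches what it observes on a system against a database of known flaws and produces a report. The following added example (written for this page, not code from any scanner or from the cited guides) shows that matching step in miniature: it parses constructed service banners, compares the observed version against a constructed flaw database keyed on the first fixed version, and emits findings. The product names, flaw IDs and hosts are all made up for illustration; they are not real advisories.

```python
"""Minimal banner-based vulnerability scan (added example, constructed data).

Matches observed service versions against a database of known flaws and
produces a findings report, the way the text describes a vulnerability scan.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class KnownFlaw:
    flaw_id: str        # placeholder identifier, not a real advisory
    product: str        # product name as it appears in the banner
    fixed_in: tuple     # first version that carries the fix
    description: str


# Constructed flaw database: placeholder IDs and products, for illustration only.
FLAW_DB = [
    KnownFlaw("FLAW-0001", "exampled", (2, 4, 1), "remote code execution before 2.4.1"),
    KnownFlaw("FLAW-0002", "exampled", (2, 6, 0), "information disclosure before 2.6.0"),
    KnownFlaw("FLAW-0003", "mailsvc", (1, 10, 0), "authentication bypass before 1.10.0"),
]

# Constructed scan results as a scanner would record them: (host, port, banner).
OBSERVED = [
    ("10.0.0.5", 80, "exampled/2.3.9"),
    ("10.0.0.5", 25, "mailsvc 1.10.2 ready"),
    ("10.0.0.7", 80, "exampled/2.4.1"),
    ("10.0.0.9", 22, "unknownd 0.1"),
]


def parse_banner(banner):
    """Split 'product/1.2.3' or 'product 1.2.3 ...' into (product, version tuple).

    Returns (None, None) when no product/version pair is recognisable, so the
    caller can skip the host rather than misreport it.
    """
    m = re.match(r"([A-Za-z][\w-]*)[/ ]v?(\d+(?:\.\d+)*)", banner)
    if not m:
        return None, None
    return m.group(1).lower(), tuple(int(p) for p in m.group(2).split("."))


def scan(observed, flaw_db):
    """Compare each observed service against the flaw database.

    Returns a list of (host, port, flaw_id, observed_version). Versions are
    compared tuple-wise; a service is flagged when its version is older than
    the first fixed version. Only *known* flaws can be matched, and a banner
    alone does not prove exploitability (vendors backport fixes without
    changing the version string), which is why the text separates scanning
    from penetration testing.
    """
    findings = []
    for host, port, banner in observed:
        product, version = parse_banner(banner)
        if product is None:
            continue
        for flaw in flaw_db:
            if flaw.product == product and version < flaw.fixed_in:
                findings.append((host, port, flaw.flaw_id, version))
    return findings


def report(findings):
    """Render findings as one line per (host, port, flaw)."""
    return "\n".join(
        f"{host}:{port} {flaw_id} (observed {'.'.join(map(str, version))})"
        for host, port, flaw_id, version in findings
    )


if __name__ == "__main__":
    print(report(scan(OBSERVED, FLAW_DB)))
```

The output lists only hosts whose banner version predates the fix, so 10.0.0.5 on port 25 is not reported (1.10.2 is newer than the 1.10.0 fix) while 10.0.0.7 still has the second flaw even though the first is fixed.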
A security manager must remain aware of the security posture of each system. Which of the following supports this requirement?
A. Training staff on security policies B. Establishing baseline reporting C. Installing anti-malware software D. Disabling unnecessary accounts/services
Correct Answer: B Section: Threats and Vulnerabilities
The IT baseline protection approach is a methodology to identify and implement computer security measures in an organization. The aim is the achievement of an adequate and appropriate level of security for IT systems. This is known as a baseline.
A baseline report compares the current status of network systems in terms of security updates, performance or other metrics to a predefined set of standards (the baseline).
A: Training staff on security policies is always a good idea. However, this will not provide a mechanism for making the security manager aware of the security posture of each system.
C: Anti-malware is required to remove any existing malware and prevent malware being installed in the future. However, anti-malware does not provide a mechanism for making the security manager aware of the security posture of each system.
D: Disabling unnecessary accounts/services is a good practice for reducing the attack surface of a computer system. However, it does not provide a mechanism for making the security manager aware of the security posture of each system.