
Question # 4

When considering the disposal of confidential data, equipment and storage devices, what social engineering technique SHOULD always be taken into consideration?

A.

Spear Phishing.

B.

Shoulder Surfing.

C.

Dumpster Diving.

D.

Tailgating.

Question # 5

Why should a loading bay NEVER be used as a staff entrance?

A.

Loading bays are intrinsically vulnerable, so minimising the people traffic makes securing the areas easier and more effective.

B.

Loading bays are often dirty places, and staff could find their clothing damaged or made less appropriate for the office.

C.

Most countries have specific legislation covering loading bays and breaching this could impact on insurance status.

D.

Staff should always enter a facility via a dedicated entrance to ensure smooth access and egress.

Question # 6

A system administrator has created the following "array" as an access control for an organisation.

Developers: create files, update files.

Reviewers: upload files, update files.

Administrators: upload files, delete files, update files.

What type of access control has just been created?

A.

Task based access control.

B.

Role based access control.

C.

Rule based access control.

D.

Mandatory access control.

Question # 7

What type of attack attempts to exploit the trust relationship between a user's client-based browser and server-based websites, forcing the submission of an authenticated request to a third-party site?

A.

XSS.

B.

Parameter Tampering.

C.

SQL Injection.

D.

CSRF.

Question # 8

How might the effectiveness of a security awareness program be measured?

1) Employees are required to take an online multiple choice exam on security principles.

2) Employees are tested with social engineering techniques by an approved penetration tester.

3) Employees practice ethical hacking techniques on organisation systems.

4) No security vulnerabilities are reported during an audit.

5) Open source intelligence gathering is undertaken on staff social media profiles.

A.

3, 4 and 5.

B.

2, 4 and 5.

C.

1, 2 and 3.

D.

1, 2 and 5.

Question # 9

What is the name of the method used to illicitly target a senior person in an organisation so as to try to coerce them into taking an unwanted action such as a misdirected high-value payment?

A.

Whaling.

B.

Spear-phishing.

C.

C-suite spamming.

D.

Trawling.

Question # 10

Which security framework impacts on organisations that accept credit cards, process credit card transactions, store relevant data or transmit credit card data?

A.

PCI DSS.

B.

TOGAF.

C.

ENISA NIS.

D.

Sarbanes-Oxley.

Question # 11

Ensuring the correctness of data inputted to a system is an example of which facet of information security?

A.

Confidentiality.

B.

Integrity.

C.

Availability.

D.

Authenticity.

Question # 12

What is the root cause as to why SMS messages are open to attackers and abuse?

A.

The store and forward nature of SMS means it is considered a 'fire and forget service'.

B.

SMS technology was never intended to be used to transmit high risk content such as One-time payment codes.

C.

The vast majority of mobile phones globally support the SMS protocol inexpensively.

D.

There are only two mobile phone platforms - Android and iOS - reducing the number of target environments.

Question # 13

What are the different methods that can be used as access controls?

1. Detective.

2. Physical.

3. Reactive.

4. Virtual.

5. Preventive.

A.

1, 2 and 4.

B.

1, 2 and 3.

C.

1, 2 and 5.

D.

3, 4 and 5.

Question # 14

How does the use of a "single sign-on" access control policy improve the security for an organisation implementing the policy?

A.

Password is better encrypted for system authentication.

B.

Access control logs are centrally located.

C.

Helps prevent the likelihood of users writing down passwords.

D.

Decreases the complexity of passwords users have to remember.

Question # 15

What is the PRIMARY reason for organisations obtaining outsourced managed security services?

A.

Managed security services permit organisations to absolve themselves of responsibility for security.

B.

Managed security services are a de facto requirement for certification to core security standards such as ISO/IEC 27001.

C.

Managed security services provide access to specialist security tools and expertise on a shared, cost-effective basis.

D.

Managed security services are a powerful defence against litigation in the event of a security breach or incident.

Question # 16

A penetration tester undertaking a port scan of a client's network discovers a host which responds to requests on TCP ports 22, 80, 443, 3306 and 8080.

What type of device has MOST LIKELY been discovered?

A.

File server.

B.

Printer.

C.

Firewall.

D.

Web server.

Question # 17

Which of the following describes a qualitative risk assessment approach?

A.

A subjective assessment of risk occurrence likelihood against the potential impact that determines the overall severity of a risk.

B.

The use of verifiable data to predict the risk occurrence likelihood and the potential impact so as to determine the overall severity of a risk.

C.

The use of Monte-Carlo Analysis and Layers of Protection Analysis (LOPA) to determine the overall severity of a risk.

D.

The use of Risk Tolerance and Risk Appetite values to determine the overall severity of a risk.

Question # 18

Which of the following compliance legal requirements are covered by the ISO/IEC 27000 series?

1. Intellectual Property Rights.

2. Protection of Organisational Records.

3. Forensic recovery of data.

4. Data Deduplication.

5. Data Protection & Privacy.

A.

1, 2 and 3.

B.

3, 4 and 5.

C.

2, 3 and 4.

D.

1, 2 and 5.

Question # 19

Why might the reporting of security incidents that involve personal data differ from other types of security incident?

A.

Personal data is not highly transient so its investigation rarely involves the preservation of volatile memory and full forensic digital investigation.

B.

Personal data is normally handled on both IT and non-IT systems so such incidents need to be managed in two streams.

C.

Data Protection legislation normally requires the reporting of incidents involving personal data to a Supervisory Authority.

D.

Data Protection legislation is process-oriented and focuses on quality assurance of procedures and governance rather than data-focused event investigation.

Question # 20

For which security-related reason SHOULD staff monitoring critical CCTV systems be rotated regularly during each work session?

A.

To reduce the chance of collusion between security staff and those being monitored.

B.

To give experience to monitoring staff across a range of activities for training purposes.

C.

Health and Safety regulations demand that staff are rotated to prevent posture and vision related harm.

D.

The human attention span during intense monitoring sessions is about 20 minutes.

Question # 21

Which of the following testing methodologies TYPICALLY involves code analysis in an offline environment without ever actually executing the code?

A.

Dynamic Testing.

B.

Static Testing.

C.

User Testing.

D.

Penetration Testing.

Question # 22

What is the PRIMARY difference between DevOps and DevSecOps?

A.

Within DevSecOps security is introduced at the end of development immediately prior to deployment.

B.

DevSecOps focuses solely on iterative development cycles.

C.

DevSecOps includes security on the same level as continuous integration and delivery.

D.

DevOps mandates that security is integrated at the beginning of the development lifecycle.

Question # 23

In order to maintain the currency of risk countermeasures, how often SHOULD an organisation review these risks?

A.

Once defined, they do not need reviewing.

B.

A maximum of once every other month.

C.

When the next risk audit is due.

D.

Risks remain under constant review.

Question # 24

Which cryptographic protocol preceded Transport Layer Security (TLS)?

A.

Public Key Infrastructure (PKI).

B.

Simple Network Management Protocol (SNMP).

C.

Secure Sockets Layer (SSL).

D.

Hypertext Transfer Protocol Secure (HTTPS).

Question # 25

Which of the following is NOT an information security specific vulnerability?

A.

Use of HTTP based Apache web server.

B.

Unpatched Windows operating system.

C.

Confidential data stored in a fire safe.

D.

Use of an unlocked filing cabinet.

Question # 26

Select the document that is MOST LIKELY to contain direction covering the security and utilisation of all an organisation's information and IT equipment, as well as email, internet and telephony.

A.

Cryptographic Statement.

B.

Security Policy Framework.

C.

Acceptable Usage Policy.

D.

Business Continuity Plan.

Question # 27

Which of the following is NOT a valid statement to include in an organisation's security policy?

A.

The policy has the support of Board and the Chief Executive.

B.

The policy has been agreed and amended to suit all third party contractors.

C.

How the organisation will manage information assurance.

D.

The compliance with legal and regulatory obligations.

Question # 28

What is the PRIMARY security concern associated with the practice known as Bring Your Own Device (BYOD) that might affect a large organisation?

A.

Most BYOD involves the use of non-Windows hardware which is intrinsically insecure and open to abuse.

B.

The organisation has significantly less control over the device than over a corporately provided and managed device.

C.

Privately owned end user devices are not provided with the same volume nor frequency of security patch updates as a corporation.

D.

Under GDPR it is illegal for an individual to use a personal device when handling personal information under corporate control.

Question # 29

By what means SHOULD a cloud service provider prevent one client accessing data belonging to another in a shared server environment?

A.

By ensuring appropriate data isolation and logical storage segregation.

B.

By using a hypervisor in all shared servers.

C.

By increasing deterrent controls through warning messages.

D.

By employing intrusion detection systems in VMs.

Question # 30

Which of the following is considered to be the GREATEST risk to information systems that results from deploying end-to-end Internet of Things (IoT) solutions?

A.

Use of 'cheap' microcontroller based sensors.

B.

Much larger attack surface than traditional IT systems.

C.

Use of proprietary networking protocols between nodes.

D.

Use of cloud based systems to collect IoT data.
