The Chief Executive Officer (CEO) of an Internet service provider (ISP) has decided to limit the company’s
contribution to worldwide Distributed Denial of Service (DDoS) attacks. Which
of the following should the ISP implement? (Select TWO).
A web services company is planning a one-time high-profile event to be hosted on the corporate website. An outage, due to an attack, would be publicly embarrassing, so Joe, the Chief Executive Officer (CEO), has
requested that his security engineers put temporary preventive controls in place. Which of the following would
MOST appropriately address Joe's concerns?
Which of the following describes a risk and mitigation associated with cloud data storage?
Due to compliance regulations, a company requires a yearly penetration test. The Chief Information Security
Officer (CISO) has asked that it be done under a black box methodology. Which of the following would be the
advantage of conducting this kind of penetration test?
A security administrator is tasked with implementing two-factor authentication for the company VPN. The VPN
is currently configured to authenticate VPN users against a backend RADIUS server. New company policies
require a second factor of authentication, and the Information Security Officer has selected PKI as the second factor. Which of the following should the security administrator configure and implement on the VPN
concentrator to implement the second factor and ensure that no error messages are displayed to the user
during the VPN connection? (Select TWO).
A company has issued a new mobile device policy permitting BYOD and company-issued devices. The
company-issued device has a managed middleware client that restricts the applications allowed on company
devices and provides those that are approved. The middleware client provides configuration standardization for
both company owned and BYOD to secure data and communication to the device according to industry best
practices. The policy states that, “BYOD clients must meet the company’s infrastructure requirements to permit
a connection.” The company also issues a memorandum separate from the policy, which provides instructions
for the purchase, installation, and use of the middleware client on BYOD.
Which of the following is being described?
A security engineer is working on a large software development project. As part of the design of the project,
various stakeholder requirements were gathered and decomposed to an implementable and testable level.
Various security requirements were also documented. Organize the following security requirements into the
correct hierarchy required for an SRTM.
Requirement 1: The system shall provide confidentiality for data in transit and data at rest.
Requirement 2: The system shall use SSL, SSH, or SCP for all data transport.
Requirement 3: The system shall implement a file-level encryption scheme.
Requirement 4: The system shall provide integrity for all data at rest.
Requirement 5: The system shall perform CRC checks on all files.
The Information Security Officer (ISO) believes that the company has been targeted by cybercriminals and it is
under a cyber attack. Internal services that are normally available to the public via the Internet are inaccessible,
and employees in the office are unable to browse the Internet. The senior security engineer starts by reviewing
the bandwidth at the border router, and notices that the incoming bandwidth on the router's external interface is maxed out. The security engineer then inspects the following piece of log to try and determine the reason for
the downtime, focusing on the company's external router's IP, which is 128.20.176.19:
11:16:22.110343 IP 90.237.31.27.19 > 128.20.176.19.19: UDP, length 1400
11:16:22.110351 IP 23.27.112.200.19 > 128.20.176.19.19: UDP, length 1400
11:16:22.110358 IP 192.200.132.213.19 > 128.20.176.19.19: UDP, length 1400
11:16:22.110402 IP 70.192.2.55.19 > 128.20.176.19.19: UDP, length 1400
11:16:22.110406 IP 112.201.7.39.19 > 128.20.176.19.19: UDP, length 1400
Which of the following describes the findings the senior security engineer should report to the ISO and the BEST solution for service restoration?
A developer has implemented a piece of client-side JavaScript code to sanitize a user’s provided input to a web
page login screen. The code ensures that only the upper case and lower case letters are entered in the
username field, and that only a 6-digit PIN is entered in the password field. A security administrator is
concerned with the following web server log:
10.235.62.11 – [02/Mar/2014:06:13:04] "GET /site/script.php?user=admin&pass=pass%20or%201=1 HTTP/1.1" 200 5724
Given this log, which of the following is the security administrator concerned with and which fix should be implemented by the developer?