Which of the following describes a risk and mitigation …
Which of the following describes a risk and mitigation associated with cloud data storage?
Which of the following would be the advantage of conduc…
Due to compliance regulations, a company requires a yearly penetration test. The Chief Information Security
Officer (CISO) has asked that it be done under a black box methodology. Which of the following would be the
advantage of conducting this kind of penetration test?
Which of the following should the security administrato…
A security administrator is tasked with implementing two-factor authentication for the company VPN. The VPN
is currently configured to authenticate VPN users against a backend RADIUS server. New company policies
require a second factor of authentication, and the Information Security Officer has selected PKI as the second
factor. Which of the following should the security administrator configure and implement on the VPN
concentrator to implement the second factor and ensure that no error messages are displayed to the user
during the VPN connection? (Select TWO).
Which of the following is being described?
A company has issued a new mobile device policy permitting BYOD and company-issued devices. The
company-issued device has a managed middleware client that restricts the applications allowed on company
devices and provides those that are approved. The middleware client provides configuration standardization for
both company owned and BYOD to secure data and communication to the device according to industry best
practices. The policy states that, “BYOD clients must meet the company’s infrastructure requirements to permit
a connection.” The company also issues a memorandum separate from the policy, which provides instructions
for the purchase, installation, and use of the middleware client on BYOD.
Which of the following is being described?
Requirement 5: The system shall perform CRC checks on a…
A security engineer is working on a large software development project. As part of the design of the project,
various stakeholder requirements were gathered and decomposed to an implementable and testable level.
Various security requirements were also documented. Organize the following security requirements into the
correct hierarchy required for an SRTM.
Requirement 1: The system shall provide confidentiality for data in transit and data at rest.
Requirement 2: The system shall use SSL, SSH, or SCP for all data transport.
Requirement 3: The system shall implement a file-level encryption scheme.
Requirement 4: The system shall provide integrity for all data at rest.
Requirement 5: The system shall perform CRC checks on all files.
Which of the following describes the findings the senio…
The Information Security Officer (ISO) believes that the company has been targeted by cybercriminals and it is
under a cyber attack. Internal services that are normally available to the public via the Internet are inaccessible,
and employees in the office are unable to browse the Internet. The senior security engineer starts by reviewing
the bandwidth at the border router, and notices that the incoming bandwidth on the router's external interface is
maxed out. The security engineer then inspects the following piece of log to try and determine the reason for
the downtime, focusing on the company's external router's IP which is 128.20.176.19:
11:16:22.110343 IP 90.237.31.27.19 > 128.20.176.19.19: UDP, length 1400
11:16:22.110351 IP 23.27.112.200.19 > 128.20.176.19.19: UDP, length 1400
11:16:22.110358 IP 192.200.132.213.19 > 128.20.176.19.19: UDP, length 1400
11:16:22.110402 IP 70.192.2.55.19 > 128.20.176.19.19: UDP, length 1400
11:16:22.110406 IP 112.201.7.39.19 > 128.20.176.19.19: UDP, length 1400
Which of the following describes the findings the senior security engineer should report to the ISO and the
BEST solution for service restoration?
which fix should be implemented by the developer?
A developer has implemented a piece of client-side JavaScript code to sanitize a user’s provided input to a web
page login screen. The code ensures that only the upper case and lower case letters are entered in the
username field, and that only a 6-digit PIN is entered in the password field. A security administrator is
concerned with the following web server log:
10.235.62.11 - [02/Mar/2014:06:13:04] "GET /site/script.php?user=admin&pass=pass%20or%201=1 HTTP/1.1" 200 5724
Given this log, which of the following is the security administrator concerned with and which fix should be
implemented by the developer?
Which of the following is MOST likely being exploited t…
After being notified of an issue with the online shopping cart, where customers are able to arbitrarily change the
price of listed items, a programmer analyzes the following piece of code used by a web based shopping cart.
SELECT ITEM FROM CART WHERE ITEM=ADDSLASHES($USERINPUT);
The programmer found that every time a user adds an item to the cart, a temporary file is created on the web
server /tmp directory. The temporary file has a name which is generated by concatenating the content of the
$USERINPUT variable and a timestamp in the form of MM-DD-YYYY (e.g. smartphone-12-25-2013.tmp),
containing the price of the item being purchased. Which of the following is MOST likely being exploited to
manipulate the price of a shopping cart's items?
Which of the following denotes the BEST way to mitigate…
A small retail company recently deployed a new point of sale (POS) system to all 67 stores. The core of the
POS is an extranet site, accessible only from retail stores and the corporate office over a split-tunnel VPN. An
additional split-tunnel VPN provides bi-directional connectivity back to the main office, which provides voice
connectivity for store VoIP phones. Each store offers guest wireless functionality, as well as employee wireless.
Only the staff wireless network has access to the POS VPN. Recently, stores are reporting poor response times
when accessing the POS application from store computers as well as degraded voice quality when making
phone calls. Upon investigation, it is determined that three store PCs are hosting malware, which is generating
excessive network traffic. After malware removal, the information security department is asked to review the
configuration and suggest changes to prevent this from happening again. Which of the following denotes the
BEST way to mitigate future malware risk?
Which of the following controls should be implemented t…
An industry organization has implemented a system to allow trusted authentication between all of its partners.
The system consists of a web of trusted RADIUS servers communicating over the Internet. An attacker was
able to set up a malicious server and conduct a successful man-in-the-middle attack. Which of the following
controls should be implemented to mitigate the attack in the future?