Due to compliance regulations, a company requires a yearly penetration test. The Chief Information Security
Officer (CISO) has asked that it be done under a black box methodology.
Which of the following would be the advantage of conducting this kind of penetration test?
A. The risk of unplanned server outages is reduced.
An external penetration tester compromised one of the client organization’s authentication servers and retrieved
the password database. Which of the following methods allows the penetration tester to MOST efficiently use
any obtained administrative credentials on the client organization’s other systems, without impacting the
integrity of any of the systems?
The Information Security Officer (ISO) believes that the company has been targeted by cybercriminals and it is
under a cyber attack. Internal services that are normally available to the public via the Internet are inaccessible,
and employees in the office are unable to browse the Internet. The senior security engineer starts by reviewing
the bandwidth at the border router, and notices that the incoming bandwidth on the router’s external interface is
maxed out. The security engineer then inspects the following piece of log to try and determine the reason for
the downtime, focusing on the company’s external router’s IP which is 128.20.176.19:
11:16:22.110343 IP 90.237.31.27.19 > 128.20.176.19.19: UDP, length 1400
11:16:22.110351 IP 23.27.112.200.19 > 128.20.176.19.19: UDP, length 1400
11:16:22.110358 IP 192.200.132.213.19 > 128.20.176.19.19: UDP, length 1400
11:16:22.110402 IP 70.192.2.55.19 > 128.20.176.19.19: UDP, length 1400
11:16:22.110406 IP 112.201.7.39.19 > 128.20.176.19.19: UDP, length 1400
Which of the following describes the findings the senior security engineer should report to the ISO and the
BEST solution for service restoration?
Which of the following provides the BEST risk calculation methodology?
The Chief Executive Officer (CEO) of a large prestigious enterprise has decided to reduce business costs by
outsourcing to a third party company in another country. Functions to be outsourced include: business analysts,
testing, software development and back office functions that deal with the processing of customer data. The
Chief Risk Officer (CRO) is concerned about the outsourcing plans.
Which of the following risks are MOST likely to occur if adequate controls are not implemented?
Which of the following describes a risk and mitigation associated with cloud data storage?
A security administrator is shown the following log excerpt from a Unix system:
2013 Oct 10 07:14:57 web14 sshd[1632]: Failed password for root from 198.51.100.23 port 37914 ssh2
2013 Oct 10 07:14:57 web14 sshd[1635]: Failed password for root from 198.51.100.23 port 37915 ssh2
2013 Oct 10 07:14:58 web14 sshd[1638]: Failed password for root from 198.51.100.23 port 37916 ssh2
2013 Oct 10 07:15:59 web14 sshd[1640]: Failed password for root from 198.51.100.23 port 37918 ssh2
2013 Oct 10 07:16:00 web14 sshd[1641]: Failed password for root from 198.51.100.23 port 37920 ssh2
2013 Oct 10 07:16:00 web14 sshd[1642]: Successful login for root from 198.51.100.23 port 37924 ssh2
Which of the following is the MOST likely explanation of what is occurring and the BEST immediate response?
(Select TWO).
select id, firstname, lastname from authors
User input: firstname=Hack;man
lastname=Johnson
Which of the following types of attacks is the user attempting?
Which of the following provides the HIGHEST level of security for an integrated network providing services to
authenticated corporate users?
A security administrator wants to verify and improve the security of a business process which is tied to proven
company workflow. The security administrator was able to improve security by applying controls that were
defined by the newly released company security standard. Such controls included code improvement, transport
encryption, and interface restrictions. Which of the following can the security administrator do to further
increase security after having exhausted all the technical controls dictated by the company’s security standard?