An organization has hired a penetration tester to test the security of its ten web servers. The penetration
tester is able to gain root/administrative access in several servers by exploiting vulnerabilities associated
with the implementation of SMTP, POP, DNS, FTP, Telnet, and IMAP. Which of the following
recommendations should the penetration tester provide to the organization to better protect their web
servers in the future?

A security engineer is faced with competing requirements from the networking group and database
administrators. The database administrators would like ten application servers on the same subnet for
ease of administration, whereas the networking group would like to segment all applications from one
another. Which of the following should the security administrator do to rectify this issue?

A security analyst has been asked to perform a review of an organization’s software development
lifecycle. The analyst reports that the lifecycle does not contain a phase in which team members evaluate
and provide critical feedback of another developer’s code. Which of the following assessment techniques
is BEST described in the analyst’s report?

An attacker wearing a building maintenance uniform approached a company’s receptionist asking for
access to a secure area. The receptionist asks for identification, a building access badge and checks the
company’s list approved maintenance personnel prior to granting physical access to the secure are. The
controls used by the receptionist are in place to prevent which of the following types of attacks?

A security administrator is tasked with conducting an assessment made to establish the baseline security
posture of the corporate IT infrastructure. The assessment must report actual flaws and weaknesses in
the infrastructure. Due to the expense of hiring outside consultants, the testing must be performed using
in-house or cheaply available resource. There cannot be a possibility of any requirement being damaged
in the test. Which of the following has the administrator been tasked to perform?

A network administrator is attempting to troubleshoot an issue regarding certificates on a secure
website. During the troubleshooting process, the network administrator notices that the web gateway
proxy on the local network has signed all of the certificates on the local machine. Which of the following
describes the type of attack the proxy has been legitimately programmed to perform?

Which of the following use the SSH protocol?

A security administrator is developing training for corporate users on basic security principles for personal
email accounts. Which of the following should be mentioned as the MOST secure way for password
recovery?

A company researched the root cause of a recent vulnerability in its software. It was determined that the
vulnerability was the result of two updates made in the last release. Each update alone would not have
resulted in the vulnerability. In order to prevent similar situations in the future, the company should
improve which of the following?

A computer on a company network was infected with a zero-day exploit after an employee accidently
opened an email that contained malicious content. The employee recognized the email as malicious and
was attempting to delete it, but accidently opened it. Which of the following should be done to prevent
this scenario from occurring again in the future?