Its About Company Quiz

The risk of unplanned seiver outages is reduced

Using documentation provided to them, the pen-test organization can quickly determine areas to focus on.

The results will show an in-depth view of the network and should help pin-point areas of internal weakness.

The results should reflect what attackers may be able to learn about the company.

Spiral model

Incremental model

Waterfall model

Agile model

Meet the two key VPs and request a signature on the original assessment.

Include specific case studies from other organizations in an updated report.

Schedule a meeting with key human resource application stakeholders.

Craft an RFP to begin finding a new human resource application.

Cloud-based ant ivirus solut ion, running as local admin. with push technology for definition updates.

Implementation of an offsite data center hosting all company data, as well as deployment of VOi for all client computing needs.

Host based heuristic IPS, segregated on a management VLAN, with direct control of the perimeter firewall ACLs.

Behavior based IPS with a communication lank to a cloud based vulnerabthty and threat feed

TOTP

PAP

CHAP

HOTP

ISA

BIA

MOU

SOA

BPA

Update the blog page to HTTPS

Filter metacharacters

Install HIDS on the server

Patch the web application

Perform client side input validation

Implement an Acceptable Use Policy which addresses malware downloads

Deploy a network access control system with a persistent agent.

Enforce mandatory security awareness training for all employees and contractors.

Block cloud-based storage software on the company network

The data may not be in a usable format.

The new storage array is not FCoE based.

The data may need a file system check.

The new storage array also only has a single controller.

Capture process ID data and submit to anti-virus vendor for review.

Reboot the Linux servers, check running processes, and install needed patches.

Remove a single Linux server from production and place in quarantine.

Notify upper management of a security breach.

Conduct a bit level image, including RAM, of one or more of the Linux servers.

Remote access to the ERP tool introduces additional security vulnerabilities and should not be allowed .

Allow VNC access to corporate desktops from personal computers for the users working from home.

Allow terminal services access from personal computers after the CFO provides a list of the users working from home.

Work with the executive management team to revise policies before allowing any remote access.

Require each Company XYZ employee to use an IPSec connection to the required systems

Require Company XYZ employees to establish an encrypted VDI session to the required systems

Require Company ABC employees to use two-factor authentication on the required systems

Require a site-to-site VPN for intercompany communications

Interview candidates, attend training, and hire a staffing company that specializes in technology jobs

Interview employees and managers to discover the industry h ct topics and trends

Attend meetings with staff, internal training, and become certified in software management

Attend conferences, webinars, and training to remain current with the industry and job requirements

Social media is an effective solution because it is easily adaptable to new situations.

Social media is an ineffective solution because the policy may not align with the business.

Social media is an effective solution because it implements SSL encryption.

Social media is an ineffective solution because it is not primarily intended for business applications.

Issue a RFQ for vendors to quote a complete vulnerability and risk management solution to the company.

Issue a policy that requires only the most stringent security standards be implemented throughout the company

Issue a policy specifying best practice security standards and a baseline to be implemented across the company.

Issue a RFI for vendors to determine which set of security standards i s best for the company

SSL certificate revocation

SSL certificate pinning

Mobile device root-kit detection

Extended Validation certificates

$6,000

$24,000

$30,000

$96,000

Meet the two key VPs and request a signature on the original assessment.

Include specific case studies from other organizations in an updated report.

Schedule a meeting with key human resource application stakeholders.

Craft an RFP to begin finding a new human resource application.

$2,000

$8,000

$12,000

$32,000

Automated workflow

Procedure

Corporate standard

Guideline

Policy

What are the protections against MITM?

What accountability is built into the remote support application?

What encryption standards are used in tracking database?

What snapshot or "undo" features are present in the application?

What encryption standa1ds are used in remote desktop and file transfer functionality?

$0

$7,500

$10,000

$12,500

$15,000

Deploy a branch location Read-Only Domain Controller in the DMZ at the main campus with a two-way trust.

Deploy a corporate Read-Only Domain Controller to the branch location.

Deploy a corporate Domain Controller in the DMZ at the maim campus.

Deploy a branch location Read-Only Domain Controller to the branch office location with a one-way trust.

Deploy a corporate Domain Controller to the branch location.

Deploy a branch location Domain Controller to the branch location with a one-way trust.

After the senior engineer used a network analyzer to identify an active Fraggle attack, the company's ISP should be contacted and instructed to block the malicious packets packets.

After the senior engineer used the above IPS logs to detect the ongoing DDOS attack, an IPS filter should be enabled to block the attack and restore communication.

After the senior engineer used a mirror port to capture the ongoing amplification attack. a BGP sinkhole should be configured to drop traffic at the source networks

After the senior engineer used a packet capture to identify an active Smurf attack, an ACL should be placed on the company's external router to block incoming UDP port 19 traffic.

Insider threat

Network reconnaissance

Physical security

Industrial espionage

A man-in-the-middle attack is underway on the network

An ARP flood attack is targeting at the router.

The default gateway is being spoofed on the network.

A denial of service attack is targeting at the router.

A separate physical interface placed on a private VLAN should be configured for live host operations.

Database record encryption should be used when storing sensitive information on virtual servers.

Full disk encryption should be enabled across the enterprise to ensure the confidentiality of sensitive data.

Sensitive data should be stored on a backend SAN which uses an isolated fiber channel network.

Least privilege

Job rotation

Mandatory vacation

Separation of duties

Test password complexity of all login fields and input validation of form fields

Reverse engineering any thick client software that has been provided for the test

Undertaking network-based denial of service attacks in production environment

Attempting to perform blind SOL injection and reflected cross-site scripting attacks

Running a vulnerability scanning tool to assess network and host weaknesses

WAF

Input validation

SIEM

Sandboxing

DAM

Background checks

Job rotation

Least privilege

Employee termination procedures

L2TP VPN over TLS for remote connectivity, SAML for federated authentication, firewalls between each lab segment

SSL VPN for remote connectivity directory services groups for each lab group, ACLs on routing equipment

IPSec VPN with mutual authentication for remote connectivity , RADIUS for authentication, ACLs on network equipment

Cloud service remote access tool for remote connectivity, OAuth for authentication, ACL on routing equipment

Penetration test, perform social engineering and run a vulnerability scanner

Perform dynamic code analysis, penetration test and run a vulnerability scanner

Conduct network analysis, dynamic code analysis, and static code analysis

Run a protocol analyzer perform static code analysis and vulnerability assessment

Purchase new hardware to keep the malware isolated.

Develop a policy to outline what will be required in the secure lab

Construct a series of VMs to host the malware environment.

Create a proposal and present it to management for approval.

Generate a one-time key as part of the device registration process.

Require SSL between the mobile application and the web services gateway.

The jsession cookie should be stored securely after authentication.

Authentication assertion should be stored securely on the client.

Online password testing

Rainbow tables attack

Dictionary attack

Brute force attack

Add a permit statement to allow traffic from 192.168.5.0/24 to the VPN network

Add a permit statement to allow traffic to 192.168.5.1 from the VPN network

IPS is blocking traffic and needs to be reconfigured

Configure the traffic shaper to limit DMZ traffic

Increase bandwidth limit on the VPN network

Linux

Windows

Solaris

OSX

Manufacturing

Legal

Sales

Quality assurance

Human resources

Discuss the issue with the software product's user groups

Consult the company's legal department on practices and law

Contact senior finance management and provide background information

Seek industry outreach for software practices and law

Sign a MOU with a marketing firm to preserve the company reputation and use in-house resources for random testing.

Sign a SPA with a small software consulting firm and use the firm to perform Black box testing and address all findings.

Sign a NDA with a large security consulting firm and use the firm to perform Grey box testing and address all findings.

Use the most qualified and senior developers on the project to perform a variety of White box testing and code reviews.

Most of company XYZ's customers are willing to accept the risks of unauthorized disclosure and access to information by outside users.

The availability requirements in SLAs with each hosted customer would have to be re-written to account for the transfer of virtual machines between physical platforms for regular maintenance.

Company XYZ could be liable for disclosure of sensitive data from one hosted customer when accessed by a malicious user who has gained access to the virtual machine of another hosted customer.

Not all of company XYZs customers require the same level of security and the administrative complexity of maintaining multiple security postures on a single hypervisor negates hardware cost savings.

Ensure the SaaS provider supports dual factor authentication.

Ensure the SaaS provider supports encrypted password transmission and storage.

Ensure the SaaS provider supports secure hash file exchange.

Ensure the SaaS provider supports role-based access control.

Ensure the SaaS provider supports directory services federation.

The ISO is evaluating the business implications of a recent telephone system failure within the BIA.

The ISO is investigating the impact of a possible downtime of the messaging system within the RA.

The ISO is calculating the budget adjustment needed to ensure audio/video system redundancy within the RFQ.

The ISO is assessing the effect of a simulated downtime involving the telecommunication system within the AAR.