Questions and CORRECT Answers
A flaw in an online sporting goods website allows customers to purchase multiple quantities of
goods and only be charged the single quantity price. To improve the site, management is
demanding that the ecommerce application be tested to insure this flaw is corrected. Which of
the following is the BEST combination of tools and or methods to use? - CORRECT
ANSWER - A. Blackbox testing using outside consultants
C. Fuzzer and HTTP interceptor
All adverse impacts of a security event can be measured quantitatively? - CORRECT
ANSWER - False
An active\passive cluster of redundant routers and firewalls has been installed in the network
edge by your enterprise LAN/WAN engineer. The firewalls are using stateful firewall inspection.
Even with the redundant equipment, there are still multiple reports of dropped connections with
external clients. Which of the following is MOST likely the cause of this problem? - CORRECT
ANSWER - TCP sessions are being rejected because they are being handled by
asynchronous route paths through the firewalls.
Which of the following describes a single sign on implementation? - CORRECT
ANSWER - A web access load balancer passes the same authentication attributes in a
HTTP header to multiple applications.
What does the access control term AAA stand for? - CORRECT ANSWER -
Authentication, Authorization, Accounting
A government agency has a major new initiative to virtualize as many servers as possible, due to
power and rack space capacity at its two data centers. The agency has prioritized virtualizing
older servers first as the hardware is nearing end of life. The two initial migrations include
Windows 2000 hosts (domain controllers and front-facing web servers) and open source Linux
hosts (front facing web servers). Which of the following should occur based on best practices? -
, CORRECT ANSWER - Each data center should contain separate virtual environments for
the web servers and for the domain controllers.
Shifting the responsibility for a risk to a third party is which strategy for managing risks? -
CORRECT ANSWER - Transfer
Audit logs can be used to prevent users from performing unauthorized operations. - CORRECT
ANSWER - False
The CISO at a software development company is concerned about weaknesses in the review
processes his company has for their major product. Testing was performed in house by a small
review team, and the previous projects have been found to have that only limited test cases were
used and many of the code paths remained untested. The CISO raised concerns that this product
cannot fail in an upcoming large scale deployment. Which of the following will provide the
MOST thorough additional testing? - CORRECT ANSWER - Run a small pilot test at the
customers site before rolling out the complete deployment.
Which of the following is the process of determining whether someone or something is who or
what it declares itself to be? - CORRECT ANSWER - Authentication
Which of the following is an incremental update between service packs or versions to fix
outstanding issues? - CORRECT ANSWER - Maintenance release
A new IDS appliance is generating a very large number of events, most of which are not
security-related. Select the approach which best resolves this issue. - CORRECT
ANSWER - Adjust IDS filters that are creating false positives.
Which recovery site is fully equipped and is capable of restoring data and configurations within
hours? - CORRECT ANSWER - B. Hot Site
C. Mirrored Site