A security controls assessor intends to perform a holistic configuration compliance test of networked assets. The assessor has been handed a package of definitions provided in XML format, and many of the files have two common tags within them: "<object object_ref=... />" and "<state state_ref=... />". Which of the following tools BEST supports the use of these definitions?

• A.HTTP interceptor
• B.XML fuzzer
• C.Static code analyzer
• D.SCAP scanner

Comment: *

Name: *

Email: *

Verification: *

The Chief Information Security Officer (CISO) at a large organization has been reviewing some security-related incidents at the organization and comparing them to current industry trends. The desktop security engineer feels that the use of USB storage devices on office computers has contributed to the frequency of security incidents. The CISO knows the acceptable use policy prohibits the use of USB storage devices. Every user receives a popup warning about this policy upon login. The SIEM system produces a report of USB violations on a monthly basis; yet violations continue to occur.
Which of the following preventative controls would MOST effectively mitigate the logical risks associated with the use of USB storage devices?

• A.Revise the corporate policy to include possible termination as a result of violations
• B.Increase the frequency and distribution of the USB violations report
• C.Deploy PKI to add non-repudiation to login sessions so offenders cannot deny the offense
• D.Implement group policy objects

Comment: *

Name: *

Email: *

Verification: *

The Chief Information Officer (CIO) has been asked to develop a security dashboard with the relevant metrics.
The board of directors will use the dashboard to monitor and track the overall security posture of the organization. The CIO produces a basic report containing both KPI and KRI data in two separate sections for the board to review.
Which of the following BEST meets the needs of the board?

• A.KRI:- EDR coverage across the fleet- Backlog of unresolved security investigations- Time to patch critical issues on a monthly basis- Threat landscape ratingKPI:- Time to resolve open security items- Compliance with regulations- % of suppliers with approved security control frameworks- Severity of threats and vulnerabilities reported by sensors
• B.KRI:- EDR coverage across the fleet- % of suppliers with approved security control framework- Backlog of unresolved security investigations- Threat landscape ratingKPI:- Time to resolve open security items- Compliance with regulations- Time to patch critical issues on a monthly basis- Severity of threats and vulnerabilities reported by sensors
• C.KPI:- Compliance with regulations- % of suppliers with approved security control frameworks- Severity of threats and vulnerabilities reported by sensors- Threat landscape ratingKRI:- Time to resolve open security items- Backlog of unresolved security investigations- EDR coverage across the fleet- Time to patch critical issues on a monthly basis
• D.KRI:- Compliance with regulations- Backlog of unresolved security investigations- Severity of threats and vulnerabilities reported by sensors- Time to patch critical issues on a monthly basisKPI:- Time to resolve open security items- % of suppliers with approved security control frameworks- EDR coverage across the fleet- Threat landscape rating

Comment: *

Name: *

Email: *

Verification: *

As part of an organization's ongoing vulnerability assessment program, the Chief Information Security Officer (CISO) wants to evaluate the organization's systems, personnel, and facilities for various threats As part of the assessment the CISO plans to engage an independent cybersecurity assessment firm to perform social engineering and physical penetration testing against the organization's corporate offices and remote locations.
Which of the following techniques would MOST likely be employed as part of this assessment? (Select THREE).

• A.SQL injection
• B.Privilege escalation
• C.Tailgating
• D.TOC/TOU exploitation
• E.Vulnerability scanning
• F.Vishing
• G.Rogue AP substitution
• H.Badge skimming

Comment: *

Name: *

Email: *

Verification: *

Which of the following provides the BEST risk calculation methodology?

• A.Annual Loss Expectancy (ALE) x Value of Asset
• B.Potential Loss x Event Probability x Control Failure Probability
• C.Impact x Threat x Vulnerability
• D.Risk Likelihood x Annual Loss Expectancy (ALE)

Comment: *

Name: *

Email: *

Verification: *