1. A security analyst is adding input to the incident response communication plan. A company officer has suggested that if a data breach occurs, only affected partiesshould be notified to keep an incident from becoming a media headline. Which of the following should the analyst recommend to the company officer?

A) The HR department should have information security personnel who are involved in the investigation of the incident sign non-disclosure agreements so thecompany cannot be held liable for customer data that might be viewed during an investigation.
B) Guidance from laws and regulations should be considered when deciding who must be notified in order to avoid fines and judgements from non-compliance.
C) The first responder should contact law enforcement upon confirmation of a security incident in order for a forensics team to preserve chain of custody.
D) An externally hosted website should be prepared in advance to ensure that when an incident occurs victims have timely access to notifications from a non-compromised recourse.



2. Using a heuristic system to detect an anomaly in a computers baseline, a system administrator was able to detect an attack even though the company signaturebased IDS and antivirus did not detect it. Further analysis revealed that the attacker had downloaded an executable file onto the company PC from the USB port,and executed it to trigger a privilege escalation flaw. Which of the following attacks has MOST likely occurred?

A) Directory traversal
B) Cookie stealing
C) Zero-day
D) XML injection



3. A business-critical application is unable to support the requirements in the current password policy because it does not allow the use of special characters.Management does not want to accept the risk of a possible security incident due to weak password standards. Which of the following is an appropriate means tolimit the risks related to the application?

A) A compensating control
B) Creating new account management procedures
C) Encrypting authentication traffic
D) Altering the password policy



4. As part of an upcoming engagement for a client, an analyst is configuring a penetration testing application to ensure the scan complies with information defined inthe SOW. Which of the following types of information should be considered based on information traditionally found in the SOW? (Select two.)(Select 2answers)

A) Maintenance windows
B) Excluded hosts
C) Timing of the scan
D) Contents of the executive summary report
E) IPS configuration
F) Incident response policies

5. An organization wants to remediate vulnerabilities associated with its web servers. An initial vulnerability scan has been performed, and analysts are reviewing theresults. Before starting any remediation, the analysts want to remove false positives to avoid spending time on issues that are not actual vulnerabilities. Which of thefollowing would be an indicator of a likely false positive?

A) Any items labeled low are considered informational only.
B) The scan result version is different from the automated asset inventory.
C) Reports show the scanner compliance plug-in is out-of-date.
D) HTTPS entries indicate the web page is encrypted securely.