CISSP PRACTICE QUESTIONS – 20200501

Effective CISSP Questions

Your company is a well-known cloud services provider. You learned from a threat intelligence report that the Meltdown and Spectre bugs are hardware-level vulnerabilities affecting almost all brands of CPUs. The Meltdown attack allows a rogue process exploiting a race condition to read the entire memory space, leading to unauthorized access. The Spectre attack is a timing attack that exploits speculative execution so that even scripted malware can read all of a process’s memory. After iterations of risk treatment, the latest software patches still hinder system performance significantly. After considering all the risk treatment options, senior management decides to accept the risk. Which of the following least reflects the management decision?
A. Monitor and respond to the risk until the risk materializes
B. The risk exposure of inherent risk is lower than the risk acceptance criteria
C. The risk exposure of residual risk is lower than the risk acceptance criteria
D. Leave the risk in the risk register and keep monitoring it


The Availability of My Book

The Effective CISSP: Security and Risk Management

The availability of my book is planned as shown in the diagram. Printed copies (paperback) should be available in a couple of days.

I’m planning to deliver my book outside the countries and regions that cannot be served by Amazon. I hope it can be put online soon.

Thank you very much for your attention and follow up.🙏😀

CISSP PRACTICE QUESTIONS – 20200430

Effective CISSP Questions

You hired an external penetration test team to assess your company’s websites. After receiving the penetration test report, which of the following should you conduct first?
A. Apply patches to mitigate vulnerabilities
B. Prepare a follow-up report for management review and decision
C. Take corrective actions for correction and improvement
D. Improve the performance and security of the websites continuously


CISSP PRACTICE QUESTIONS – 20200429

Effective CISSP Questions

You are planning a security assessment project to ensure compliance and security. A vulnerability assessment of the information systems and an assessment of the incident response capability shall be conducted. Which of the following approaches or methodologies best meets your requirements?
A. Threat Modeling with STRIDE
B. NIST RMF (Risk Management Framework)
C. Open Source Security Testing Methodology Manual (OSSTMM)
D. Risk assessment


Amazon KDP Notes

The Effective CISSP: Security and Risk Management

CISSP PRACTICE QUESTIONS – 20200428

Effective CISSP Questions

You have engaged in a double-blind pentest contract and have started testing. After searching the client’s WHOIS and DNS data and the job vacancies posted on job boards, you decide to proceed to the next stage. Which of the following activities is least likely to follow what you have completed?
A. Look up the DNS MX records
B. Masquerade as a job applicant
C. Conduct OSINT (Open-source intelligence)
D. Cloak a port scan with decoys to hide your IP address


Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.


Amazon Links to My Book across Countries
