Software developers might embed maintenance hooks or even trap doors for timely or emergency responses to support requests. Your organization's security policy doesn't allow their existence. Which of the following is the best testing method to detect them?
A. Static testing
B. Passive testing
C. Black box testing
D. Integration testing
An online bank relying solely on internet banking intends to increase customers' confidence and plans to engage in security assurance. Which of the following is the least practical approach to assuring customers?
A. Provide the SOC 3 report attested by a certified public accountant (CPA)
B. Present a certificate of an information security management system under ISO 27001
C. Conduct and demonstrate a self-assessment against the NIST Cybersecurity Framework
D. Complete the CSA STAR assessment conducted by an independent certification body
A computer giant has been hit by a ransomware attack where the threat actors demand a large ransom of millions of dollars. After investigation, it is confirmed that the attackers exploited a mail server's vulnerability in the DMZ as the foothold and conducted lateral movement to other servers and internal networks. Which of the following is the best solution to prevent the ransomware attack from recurring?
A. Threat modeling
B. Awareness training
C. Risk-based access control
D. Discretionary Access Control (DAC)
A new online bank is developing its core system to support internet banking. Business staff consider that the system should be submitted for certification only after being fully tested, while the IT team insists the system should be released for evaluation and improved based on the feedback. However, the IT team's approach led to the CEO stepping down, because the core system could not meet the minimum security requirements and repeatedly failed to obtain authorization to operate from the regulatory agency. Which of the following development approaches should have been implemented to avoid the failure?
A. Waterfall
B. Incremental development
C. Agile
D. Continuous delivery
Your organization is evaluating an email service. The service must comply with a standard that defines the digital signature generation methods used to protect the integrity of messages and to verify and validate their digital signatures. Which of the following is the least ideal technique?
A. The RSA Digital Signature Algorithm
B. The Digital Signature Algorithm (DSA)
C. ElGamal Digital Signature Algorithm (EGDSA)
D. Elliptic Curve Digital Signature Algorithm (ECDSA)
You are conducting threat modeling and developing misuse cases. Which of the following is least likely to be treated as a misuse case?
A. A hacker types SQL expressions into the login form.
B. A user uses relative paths to navigate between resources.
C. A developer creates a buggy API for system monitoring purposes.
D. A customer goes to a specific page of the product list by typing in the URL.
Encryption protects confidentiality, hashing enforces data integrity, and a message authentication code provides authenticity of data origin. Which of the following is the best candidate that implies all three security properties are fulfilled?
A. AES
B. HMAC
C. CBC-MAC
D. Digital Signature Standard (DSS)
Your organization implemented an intrusion detection system (IDS) with passive sensors that receive traffic from switches through SPAN (port-mirroring) ports. However, it cannot analyze the activity within encrypted network communications. Which of the following is the most effective solution?
A. Install IDS agents on endpoints.
B. Install an IDS load balancer to distribute traffic.
C. Install an inline IDS sensor in front of the firewall.
D. Install an IDS sensor tapped to the firewall's internal interface.
You are evaluating solutions to protect data at rest. Which of the following is correct?
A. Full Disk Encryption (FDE) is a software solution that protects data at rest.
B. A Self-Encrypting Drive (SED) doesn't rely on the CPU and has no degradation in performance.
C. The Data Encryption Key (DEK) of a SED should be stored on and protected by a Trusted Platform Module (TPM).
D. A TPM is a built-in component of a SED that speeds up cryptographic operations and protects keys.
Which of the following authentication protocols is least likely to be used to establish a point-to-point connection?
A. EAP-MD5
B. Password Authentication Protocol (PAP)
C. Extensible Authentication Protocol (EAP)
D. Challenge-Handshake Authentication Protocol (CHAP)