A symmetric cipher uses the same secret key to encrypt and decrypt data. Which of the following has the least overhead in negotiating a shared key between two communicating parties? (Wentz QOTD) A. Web of trust B. Diffie-Hellman C. Trusted couriers D. Public key infrastructure
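To make the Diffie-Hellman option concrete, here is an added example (not part of the original question set) of the negotiation itself: each side needs only the public group parameters and a fresh random exponent, and no secret, certificate or courier has to be arranged beforehand. The group is the 2048-bit MODP group from RFC 3526 (group 14); the function names, the Miller-Rabin parameter check, the peer-value check and the SHA-256 key-derivation step are this example's own choices. Note the caveat a practitioner cares about: on its own the exchange is unauthenticated, so an active attacker in the middle can run two exchanges; real protocols sign or otherwise authenticate the public values, which is where a PKI or web of trust comes back in.

```python
"""Diffie-Hellman key agreement over RFC 3526 group 14 (added example, not from the question set)."""
import hashlib
import secrets

# RFC 3526, 2048-bit MODP group (group 14): p is a safe prime, generator g = 2.
# Both parties are assumed to know these public parameters; nothing secret is pre-shared.
P_HEX = """
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
"""
P = int("".join(P_HEX.split()), 16)
G = 2


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin probabilistic primality test (random bases)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def validate_group(p: int, g: int) -> bool:
    """Check p is a safe prime (p = 2q + 1) and g generates the subgroup of prime order q."""
    q = (p - 1) // 2
    if p % 2 == 0 or not (2 <= g <= p - 2):
        return False
    return is_probable_prime(p) and is_probable_prime(q) and pow(g, q, p) == 1


def generate_keypair(p: int = P, g: int = G):
    """Return (private exponent x, public value g^x mod p) with 1 <= x < q."""
    q = (p - 1) // 2
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)


def validate_public_value(y: int, p: int = P) -> bool:
    """Reject degenerate or small-subgroup peer values (the check SP 800-56A calls full public-key validation)."""
    q = (p - 1) // 2
    return 2 <= y <= p - 2 and pow(y, q, p) == 1


def derive_shared_key(x: int, peer_y: int, p: int = P) -> bytes:
    """Compute peer_y^x mod p and hash it into a fixed-length symmetric key."""
    if not validate_public_value(peer_y, p):
        raise ValueError("invalid peer public value")
    z = pow(peer_y, x, p)
    return hashlib.sha256(z.to_bytes((p.bit_length() + 7) // 8, "big")).digest()


def run_exchange(p: int = P, g: int = G):
    """Both sides of the exchange. Only a_pub and b_pub would cross the wire."""
    a_priv, a_pub = generate_keypair(p, g)
    b_priv, b_pub = generate_keypair(p, g)
    key_a = derive_shared_key(a_priv, b_pub, p)  # side A computes (g^b)^a
    key_b = derive_shared_key(b_priv, a_pub, p)  # side B computes (g^a)^b
    return key_a, key_b


if __name__ == "__main__":
    assert validate_group(P, G)
    ka, kb = run_exchange()
    print("shared key matches:", ka == kb, ka.hex())
```

The group check is cheap relative to the cost of trusting a bad modulus, and the peer-value check is what stops a forced-to-a-small-subgroup value from collapsing the shared secret to one of a handful of candidates.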
You are evaluating alternative sites to support the continuous delivery of products and services if a disaster materializes. Which of the following is the best benefit of a cold site? (Wentz QOTD) A. Shorten the relocation time B. Provide off-site data vaulting C. Respond to e-discovery requests D. Reserve alternative computing capacities
As a system owner, you are planning for the recovery of a core system to support business continuity. Which of the following is not a recovery objective specific to your system? (Wentz QOTD) A. Recovery Point Objective (RPO) B. Recovery Time Objective (RTO) C. Service Delivery Objective (SDO) D. Maximum Tolerable Downtime (MTD)
Small businesses typically have limited resources, so software developers may also have to support operations. If it is unavoidable for a developer to take on both development and operations duties, which of the following is the best arrangement? (Wentz QOTD) A. Dual control B. Segregation of Duties C. Separation of Privilege D. M of N Control
Software developers might embed maintenance hooks or even trap doors to respond quickly to urgent support requests. Your organization's security policy does not allow their existence. Which of the following is the best testing method to detect them? A. Static testing B. Passive testing C. Black box testing D. Integration testing
An online bank relying solely on internet banking intends to increase customers' confidence and plans to engage in security assurance. Which of the following is the least practical approach to assuring customers? A. Provide the SOC 3 report attested by a certified public accountant (CPA) B. Present a certificate of information security management system of ISO 27001 C. Conduct and demonstrate self-assessment against the NIST cybersecurity framework D. Complete the CSA STAR assessment conducted by an independent certification body
A computer giant has been hit by a ransomware attack in which the threat actors demand a ransom of millions of dollars. After investigation, it is confirmed that the attackers exploited a vulnerability in a mail server in the DMZ as their foothold and conducted lateral movement to other servers and internal networks. Which of the following is the best solution to prevent the ransomware attack from recurring? A. Threat modeling B. Awareness training C. Risk-based access control D. Discretionary Access Control (DAC)
A new online bank is developing its core system to support internet banking. Business staff consider that the system should be submitted for certification only after being fully tested, while the IT team insists the system should be released for evaluation and improved based on feedback. However, the IT team's approach led to the CEO stepping down, because the core system could not meet the minimum security requirements and kept failing to obtain authorization to operate from the regulatory agency. Which of the following development approaches should have been implemented to avoid the failure? A. Waterfall B. Incremental development C. Agile D. Continuous delivery
Your organization is evaluating an email service. The service must comply with a standard that defines the digital signature generation methods used to protect the integrity of messages and verify and validate their digital signatures. Which of the following is the least ideal technique? A. The RSA Digital Signature Algorithm. B. The Digital Signature Algorithm (DSA). C. ElGamal Digital Signature Algorithm (EGDSA). D. Elliptic Curve Digital Signature Algorithm (ECDSA).
You are conducting threat modeling and developing misuse cases. Which of the following is least likely to be treated as a misuse case? A. A hacker types in SQL expressions in the login form. B. A user uses relative paths to navigate between resources. C. A developer creates a buggy API for system monitoring purposes. D. A customer goes to a specific page of the product list by typing in the URL.
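Two of the misuse cases above, written out as runnable checks. This is an added example, not part of the original question set: a login query that lets SQL expressions from the form alter the query, next to its parameterized counterpart, and a resource resolver that refuses relative-path navigation escaping the product directory. The SQLite table, the account, the directory names, the toy hash and the function names are all constructed for this example.

```python
"""Misuse cases from the threat-modeling question as runnable checks (added example, not from the question set)."""
import hashlib
import sqlite3
from pathlib import PurePosixPath
from typing import Optional


def toy_hash(password: str) -> str:
    """Constructed for the demo only; a real system uses a slow password hash (bcrypt, scrypt, Argon2)."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """In-memory user table with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", toy_hash("correct horse battery staple")))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Misuse case A: form input is concatenated straight into the SQL text.
    A username of  alice' --  turns the rest of the WHERE clause into a comment."""
    sql = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
           f"AND password_hash = '{toy_hash(password)}'")
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Mitigation: bound parameters keep the input as data, so the same string is just a non-existent user."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, toy_hash(password))).fetchone()[0] > 0


def resolve_resource(base: str, requested: str) -> Optional[str]:
    """Misuse case B: relative-path navigation used to climb out of the resource root.
    Returns the normalized path when it stays under base, None when '..' would escape it."""
    base_parts = PurePosixPath(base).parts
    parts = list(base_parts)
    for seg in PurePosixPath(requested).parts:
        if seg in ("", ".", "/"):
            continue  # treat absolute requests as relative to the root
        if seg == "..":
            if len(parts) <= len(base_parts):
                return None  # attempted traversal above the root
            parts.pop()
        else:
            parts.append(seg)
    return str(PurePosixPath(*parts))


if __name__ == "__main__":
    db = make_db()
    print("injection on vulnerable login:", login_vulnerable(db, "alice' --", "anything"))
    print("same input on parameterized login:", login_parameterized(db, "alice' --", "anything"))
    print("traversal attempt:", resolve_resource("/srv/www/products", "../../../etc/passwd"))
```

Option D, a customer typing a product-list URL directly, needs no such check: it is ordinary use of the resource, which is exactly the distinction a misuse case is meant to draw.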