1. A company has decided to change its current business direction and refocus on its core business. Consequently, several subsidiary businesses are in the process of being sold off. A security consultant has been engaged to advise on the information security concerns that remain once the businesses are split. From a high-level perspective, which of the following BEST describes the procedure the consultant should follow?
A) Duplicate security assets should be sold off for commercial gain, while ensuring that this does not reduce the company's security posture.
B) Perform a penetration test against the current state of the business. Perform another penetration test after the split. Identify the gaps between the two tests.
C) None
D) Explain that security consultants are not trained to give advice on corporate acquisitions or mergers, and that this should be handled by legal representatives well versed in corporate law.
E) Identify the current situation from a security standpoint. Based on the split, assess what security gaps will exist from a physical, technical, DR, and policy/awareness perspective.
2. A vulnerability scanner report shows that a client-server host monitoring solution operating in the credit card business environment is managing SSL sessions with a weak algorithm that does not comply with company policy. Which of the following statements are true? (Choose two.)
A) The client-server handshake could not negotiate strong ciphers.
B) The client-server handshake is configured with the wrong priority.
C) The X.509 v3 certificate was issued by an untrusted public CA.
D) The X.509 v3 certificate has expired.
E) The client-server handshake is based on TLS authentication.
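The two conditions behind options A and B are distinguishable from the scanner's list of offered cipher suites: either the server offers nothing but weak suites (it cannot negotiate strong ciphers), or it offers strong suites but ranks a weak one first (wrong priority). The Python below is an added illustration, not part of the original question or any scanner's output; the suite list is constructed, and the "weak" patterns are an assumed reading of a PCI-style company policy.

```python
import re

# Constructed sample shaped like a scanner's "offered cipher suites" list,
# in the server's preference order. Not real scanner output.
SCANNER_OFFERED = [
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]

# Assumed company policy: suites matching any of these are non-compliant.
WEAK_PATTERNS = {
    "NULL cipher": re.compile(r"_NULL_"),
    "export-grade": re.compile(r"EXPORT"),
    "RC4": re.compile(r"RC4"),
    "DES/3DES": re.compile(r"DES"),
    "MD5 MAC": re.compile(r"_MD5$"),
    "anonymous key exchange": re.compile(r"_anon_", re.IGNORECASE),
}


def weak_reasons(suite):
    """Policy violations for one suite name (empty list means compliant)."""
    return [name for name, pat in WEAK_PATTERNS.items() if pat.search(suite)]


def weak_suites(offered):
    """Map each non-compliant suite to the reasons it fails policy."""
    return {s: weak_reasons(s) for s in offered if weak_reasons(s)}


def strong_suites_available(offered):
    """Option A is true only if this returns False: no strong suite at all."""
    return any(not weak_reasons(s) for s in offered)


def priority_misordered(offered):
    """Option B: a weak suite is ranked above a strong one, so the server
    can negotiate strong ciphers but prefers a weak one."""
    seen_weak = False
    for suite in offered:
        if weak_reasons(suite):
            seen_weak = True
        elif seen_weak:
            return True
    return False


if __name__ == "__main__":
    for suite, reasons in weak_suites(SCANNER_OFFERED).items():
        print(f"non-compliant: {suite} ({', '.join(reasons)})")
    print("strong suites offered:", strong_suites_available(SCANNER_OFFERED))
    print("weak suite preferred over strong:", priority_misordered(SCANNER_OFFERED))
```

With the constructed list, the server does offer AES-GCM suites but prefers RC4 and 3DES, so the finding is a priority problem rather than an inability to negotiate strong ciphers; a list containing only RC4/3DES suites would trigger the other condition.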
3. An industry organization has implemented a system to enable trusted authentication between all of its partners. The system consists of a web of trusted RADIUS servers communicating with each other via the Internet. An attacker was able to set up a malicious server and run a successful man-in-the-middle attack. Which of the following controls should be implemented to mitigate the attack in the future?
A) Use PAP secondary authentication to any RADIUS server
B) Maintain TLS connections between RADIUS servers
C) Use a shared secret for each pair of RADIUS servers
D) None
E) Turn off unused EAP methods on each RADIUS server
4. A Chief Information Security Officer (CISO) has sought to implement a SIEM solution. Before proceeding further, the CISO wants to know what the projected TCO would be. Two vendor proposals were received. Vendor A: a product-based solution that can be purchased by the pharmaceutical company. Capital expenditure covering central log collectors, correlators, storage and management consoles is expected to be $150,000. Operating expenses are expected to be 0.5 full-time employee (FTE) to manage the solution and one FTE per year to respond to incidents. Vendor B: a managed service-based solution in which the outsourcer caters to the pharmaceutical company's needs. The bundled offering is expected to cost $100,000 per year. The pharmaceutical company's operating expenses for liaising with the supplier are expected to be 0.5 FTE per year. Internal personnel cost on average $80,000 per year per FTE. Based on the TCO of the two vendor proposals calculated over a period of 5 years, which of the following is most accurate?
A) Based on cost alone, the outsourced and in-sourced solutions seem to be the same.
B) Based on cost alone, the purchased product solution seems cheaper.
C) Based on cost alone, the outsourced solution seems cheaper.
D) None
E) Based on cost alone, the outsourced solution seems more expensive.
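The TCO arithmetic in question 4 is worth carrying through, because the answer depends on the period chosen: a one-off capex competes against a recurring fee, so the cheaper option changes once the cumulative costs cross. The Python below is an added worked example using the question's own figures; the function names and the break-even search are this example's, not the question's.

```python
FTE_COST = 80_000   # annual cost per internal FTE, from the question
PERIOD_YEARS = 5    # evaluation period, from the question


def tco(capex, annual_fees, fte, years=PERIOD_YEARS, fte_cost=FTE_COST):
    """Total cost of ownership over the period: one-off capital expenditure
    plus recurring vendor fees and internal staffing each year."""
    return capex + years * (annual_fees + fte * fte_cost)


def vendor_a_tco(years=PERIOD_YEARS):
    # Purchased product: $150k capex, no recurring vendor fee,
    # 0.5 FTE to manage the solution + 1.0 FTE to respond to incidents.
    return tco(capex=150_000, annual_fees=0, fte=1.5, years=years)


def vendor_b_tco(years=PERIOD_YEARS):
    # Managed service: no capex, $100k/year bundled fee,
    # 0.5 FTE to liaise with the supplier.
    return tco(capex=0, annual_fees=100_000, fte=0.5, years=years)


def cheaper(years=PERIOD_YEARS):
    """Which option costs less over the period, on cost alone."""
    a, b = vendor_a_tco(years), vendor_b_tco(years)
    if a == b:
        return "same"
    return "in-sourced" if a < b else "outsourced"


def breakeven_years(max_years=30):
    """First whole year at which the purchased product stops costing more
    than the managed service, i.e. where the capex has been recovered by
    the lower annual running cost. Returns None if never within max_years."""
    for year in range(1, max_years + 1):
        if vendor_a_tco(year) <= vendor_b_tco(year):
            return year
    return None


if __name__ == "__main__":
    print(f"Vendor A (purchased) 5-year TCO:  ${vendor_a_tco():,}")
    print(f"Vendor B (outsourced) 5-year TCO: ${vendor_b_tco():,}")
    print("Cheaper on cost alone:", cheaper())
    print("Purchased product breaks even in year:", breakeven_years())
```

Over 5 years the purchased product costs $150,000 + 5 × $120,000 = $750,000 and the managed service 5 × $140,000 = $700,000, so the outsourced option is cheaper on cost alone; the capex is only recovered in year 8, beyond the period the CISO asked about.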
5. Company A needs to export sensitive data from its financial system to Company B's database, using Company B's API, in an automated fashion. Company A's policy prohibits the use of any intermediary external system to carry or store sensitive data, so the transfer must take place directly between Company A's financial system and Company B's destination server using the provided API. Furthermore, Company A's legacy financial software does not support encryption, while Company B's API does. Which of the following will ensure end-to-end encryption of the data transfer while adhering to these requirements?
A) None
B) Company A and Company B need to create a site-to-site IPSec VPN between their respective firewalls.
C) Company A's security administrator should use an HTTPS-capable browser to transfer the data.
D) Company A needs to install SSL tunneling software on the financial system.
E) Company A's security administrator should use an HTTPS-capable browser to transfer the data.
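What option D looks like in practice: a TLS tunnel terminating on the financial system itself, so the legacy application speaks plaintext only to the loopback interface and the data leaves the host already encrypted, satisfying both the "no intermediary system" rule and end-to-end encryption. The stunnel client configuration below is an added illustration, not part of the original question; the hostname, ports and file paths are placeholders.

```ini
; /etc/stunnel/stunnel.conf on Company A's financial system (hypothetical values)
; The legacy application is pointed at http://127.0.0.1:8443, which never
; leaves the host; stunnel wraps each connection in TLS to Company B's API.
foreground = no
pid = /var/run/stunnel.pid
setuid = stunnel
setgid = stunnel

[companyb-api]
client = yes
accept = 127.0.0.1:8443
connect = api.companyb.example:443
; Verify the server chain against the CA that issued Company B's certificate
; and check the hostname; without this the tunnel is encrypted but not
; authenticated, and a man-in-the-middle could terminate it instead.
verifyChain = yes
CAfile = /etc/stunnel/companyb-ca.pem
checkHost = api.companyb.example
sslVersionMin = TLSv1.2
```

Binding `accept` to 127.0.0.1 rather than 0.0.0.0 is the detail that keeps the plaintext leg on-host; binding it to an external address would recreate exactly the kind of intermediary hop the policy forbids.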