Online Access Free CAS-001 Practice Test

A health service provider is considering the impact of allowing doctors and nurses access to the internal email system from their personal smartphones. The Information Security Officer (ISO) has received a technical document from the security administrator explaining that the current email system is capable of enforcing security policies to personal smartphones, including screen lockout and mandatory PINs. Additionally, the system is able to remotely wipe a phone if reported lost or stolen. Which of the following should the Information Security Officer be MOST concerned with based on this scenario? (Select THREE).

• A.The email system may become unavailable due to overload.
• B.Data usage cost could significantly increase.
• C.Smartphones may be used as rogue access points.
• D.Not all smartphones natively support encryption.
• E.Compliance may not be supported by all smartphones.
• F.Smartphone radios can interfere with health equipment.
• G.Equipment loss, theft, and data leakage.

A security administrator has finished building a Linux server which will host multiple virtual machines through hypervisor technology. Management of the Linux server, including monitoring server performance, is achieved through a third party web enabled application installed on the Linux server. The security administrator is concerned about vulnerabilities in the web application that may allow an attacker to retrieve data from the virtual machines.
Which of the following will BEST protect the data on the virtual machines from an attack?

• A.The security administrator must install the third party web enabled application in a chroot environment.
• B.The security administrator must install anti-virus software on both the Linux server and the virtual machines.
• C.The security administrator must install a software firewall on both the Linux server and the virtual machines.
• D.The security administrator must install the data exfiltration detection software on the perimeter firewall.

Within a large organization, the corporate security policy states that personal electronic devices are not allowed to be placed on the company network. There is considerable pressure from thecompany board to allow smartphones to connect and synchronize email and calendar items of board members and company executives. Which of the following options BEST balances the security and usability requirements of the executive management team?

• A.Allow only the executive management team the ability to use personal devices on the company network, as they have important responsibilities and need convenient access.
• B.Allow only certain devices that are known to have the ability of being centrally managed. Do not allow any other smartphones until the device is proven to be centrally managed.
• C.Review the security policy. Perform a risk evaluation of allowing devices that can be centrally managed, remotely disabled, and have device-level encryption of sensitive data.
• D.Stand firm on disallowing non-company assets from connecting to the network as the assets may lead to undesirable security consequences, such as sensitive emails being leaked outside the company.

The security administrator is receiving numerous alerts from the internal IDS of a possible Conficker infection spreading through the network via the Windows file sharing services. Given the size of the company which deploys over 20,000 workstations and 1,000 servers, the security engineer believes that the best course of action is to block the file sharing service across the organization by placing ACLs on the internal routers.
Which of the following should the security administrator do before applying the ACL?

• A.Quickly research best practices with respect to stopping Conficker infections and implement the solution.
• B.Call an emergency change management meeting to ensure the ACL will not impact core business functions.
• C.Apply the ACL immediately since this is an emergency that could lead to a widespread data compromise.
• D.Consult with the rest of the security team and get approval on the solution by all the team members and the team manager.

The Chief Information Security Officer (CISO) of a small bank wants to embed a monthly testing regiment into the security management plan specifically for the development area. The CISO's requirements are that testing must have a low risk of impacting system stability, can be scripted, and is very thorough. The development team claims that this will lead to a higher degree of test script maintenance and that it would be preferable if the testing was outsourced to a third party. The CISO still maintains that third-party testing would not be as thorough as the third party lacks the introspection of the development team. Which of the following will satisfy the CISO requirements?

• A.Black box testing performed by a major external consulting firm who have signed a NDA.
• B.White box testing performed by the development and security assurance teams.
• C.Grey box testing performed by a major external consulting firm who have signed a ND
• D.Grey box testing performed by the development and security assurance teams.