CISSP信息系統(tǒng)安全工程師認(rèn)證考試全題庫(kù)（中英對(duì)照版）-上（700題）

PAGEPAGE439CISSP信息系統(tǒng)安全工程師認(rèn)證考試全題庫(kù)（中英對(duì)照版）-上（700題）一、單選題1.Whentestingpasswordstrength,whichofthefollowingistheBESTmethodforbruteforcingpasswords?

在測(cè)試密碼強(qiáng)度時(shí)，以下哪一種是暴力強(qiáng)制使用密碼的最佳方法？A、Conductanofflineattackonthehashedpasswordinformation.

對(duì)散列的密碼信息進(jìn)行離線攻擊。B、Conductanonlinepasswordattackuntiltheaccountbeingusedislocked.

執(zhí)行在線密碼攻擊，直到正在使用的帳戶被鎖定為止。C、Useaprehensivelistofwordstoattempttoguessthepassword.

使用一個(gè)全面的單詞列表來(lái)嘗試猜測(cè)密碼D、Usesocialengineeringmethodstoattempttoobtainthepassword.

使用社會(huì)工程學(xué)的方法來(lái)嘗試獲取密碼答案：C2.WhichofthefollowingisMOSTcriticalinacontractinacontractfordatadisposalonaharddrivewithathirdparty?

在與第三方的硬盤(pán)數(shù)據(jù)處理合同中，以下哪項(xiàng)最關(guān)鍵？A、Authorizeddestructiontimes

授權(quán)銷毀時(shí)間B、Allowedunallocateddiskspace

允許未分配的磁盤(pán)空間C、Amountofoverwritesrequired

所需的覆蓋量D、Frequencyofrecoveredmedia

恢復(fù)介質(zhì)頻率答案：C3.WhichofthefollowingvulnerabilitiescanbeBESTdetectedusingautomatedanalysis?

使用自動(dòng)分析可以最好地檢測(cè)到以下哪些漏洞？A、Validcross-siterequestforgery(CSRF)vulnerabilities

有效的跨站請(qǐng)求偽造(CSRF)漏洞B、Multi-stepprocessattackvulnerabilities

多步驟進(jìn)程攻擊漏洞C、Businesslogicflawvulnerabilities

業(yè)務(wù)邏輯缺陷漏洞D、Typicalsourcecodevulnerabilities

典型的源代碼漏洞答案：D4.Theinitialsecuritycategorizationshouldbedoneearlyinthesystemlifecycleandshouldbereviewedperiodically.Whyisitimportantforthistobedonecorrectly?

初始的安全分類應(yīng)該在系統(tǒng)生命周期的早期階段完成，并應(yīng)定期進(jìn)行審查。為什么要正確地做到這一點(diǎn)才很重要呢？A、Itdeterminesthesecurityrequirements.

它確定了安全要求B、Itaffectsotherstepsinthecertificationandaccreditationprocess.

它會(huì)影響認(rèn)證和認(rèn)證過(guò)程中的其他步驟C、Itdeterminesthefunctionalandoperationalrequirements.

它決定了功能和操作方面的需求D、Thesystemengineeringprocessworkswithselectedsecuritycontrols.

系統(tǒng)工程過(guò)程與選定的安全控制裝置一起工作答案：B5.WhattypeoftestassessesaDisasterRecovery(DR)planusingrealisticdisasterscenarioswhilemaintainingminimalimpacttobusinessoperations?

什么類型的測(cè)試使用真實(shí)的災(zāi)難場(chǎng)景來(lái)評(píng)估災(zāi)難恢復(fù)(DR)計(jì)劃，同時(shí)保持對(duì)業(yè)務(wù)運(yùn)營(yíng)的影響最??？A、Parallel

并行的B、Walkthrough

演練C、Simulation

模擬D、Tabletop

桌面答案：C6.Whichofthefollowingprovidestheminimumsetofprivilegesrequiredtoperformajobfunctionandrestrictstheusertoadomainwiththerequiredprivileges?

以下哪一項(xiàng)提供了執(zhí)行作業(yè)函數(shù)所需的最低權(quán)限集，并將用戶限制在具有所需權(quán)限的域中？A、Accessbasedonrules

基于規(guī)則的訪問(wèn)B、Accessbasedonuser'srole

基于用戶角色的訪問(wèn)C、Accessdeterminedbythesystem

由系統(tǒng)確定的訪問(wèn)權(quán)限D(zhuǎn)、Accessbasedondatasensitivity

基于數(shù)據(jù)敏感性的訪問(wèn)答案：B7.Asoftwaredevelopmentpanyhasashorttimelineinwhichtodeliverasoftwareproduct.Thesoftwaredevelopmentteamdecidestouseopen-sourcesoftwarelibrariestoreducethedevelopmenttime.Whatconceptshouldsoftwaredevelopersconsiderwhenusingopen-sourcesoftwarelibraries?

軟件開(kāi)發(fā)公司交付軟件產(chǎn)品的時(shí)間很短。軟件開(kāi)發(fā)團(tuán)隊(duì)決定使用開(kāi)源軟件庫(kù)來(lái)減少開(kāi)發(fā)時(shí)間。軟件開(kāi)發(fā)人員在使用開(kāi)源軟件庫(kù)時(shí)應(yīng)該考慮什么概念？A、Opensourcelibrariescontainknownvulnerabilities,andadversariesregularlyexploitthosevulnerabilitiesinthewild.

開(kāi)源庫(kù)包含已知的漏洞，對(duì)手經(jīng)常在野外利用這些漏洞。B、Opensourcelibrariescanbeusedbyeveryone,andthereisamonunderstandingthatthevulnerabilitiesintheselibrarieswillNOTbeexploited.

每個(gè)人都可以使用開(kāi)源庫(kù)，人們共同的理解是，這些庫(kù)中的漏洞不會(huì)被利用。C、Opensourcelibrariesareconstantlyupdated,makingitunlikelythatavulnerabilityexistsforanadversarytoexploit.

開(kāi)源庫(kù)不斷更新，這使得對(duì)手不太可能存在可利用的漏洞。D、OpensourcelibrariescontainunKnownvulnerabilities,sotheyshouldNOTbeused.

開(kāi)源庫(kù)包含未知的漏洞，因此不應(yīng)該使用它們答案：A8.Afterfollowingtheprocessesdefinedwithinthechangemanagementplan,asuperuserhasupgradedadevicewithinanInformationsystem.WhatstepwouldbetakentoensurethattheupgradedidNOTaffectthenetworksecurityposture?

在遵循變更管理計(jì)劃中定義的流程后，超級(jí)用戶已經(jīng)升級(jí)了信息系統(tǒng)中的設(shè)備。將采取什么步驟來(lái)確保升級(jí)不會(huì)影響網(wǎng)絡(luò)安全態(tài)勢(shì)？A、ConductanAssessmentandAuthorization(A&A)

進(jìn)行評(píng)估和授權(quán)（A&A）B、Conductasecurityimpactanalysis

進(jìn)行安全影響分析C、Reviewtheresultsofthemostrecentvulnerabilityscan

查看最近的漏洞掃描的結(jié)果D、Conductagapanalysiswiththebaselineconfiguration

使用基線配置進(jìn)行間隙分析答案：B9.WhenintheSoftwareDevelopmentLifeCycle(SDLC)MUSTsoftwaresecurityfunctionalrequirementsbedefined?

在軟件開(kāi)發(fā)生命周期(SDLC)中必須定義軟件安全功能要求？A、Afterthesystempreliminarydesignhasbeendevelopedandthedatasecuritycategorizationhasbeenperformed

系統(tǒng)初步設(shè)計(jì)，并進(jìn)行了數(shù)據(jù)安全分類B、Afterthevulnerabilityanalysishasbeenperformedandbeforethesystemdetaileddesignbegins

在執(zhí)行漏洞分析之后和系統(tǒng)詳細(xì)設(shè)計(jì)開(kāi)始之前C、Afterthesystempreliminarydesignhasbeendevelopedandbeforethedatasecuritycategorizationbegins

在系統(tǒng)初步設(shè)計(jì)開(kāi)發(fā)之后和數(shù)據(jù)安全分類開(kāi)始之前D、Afterthebusinessfunctionalanalysisandthedatasecuritycategorizationhavebeenperformed

在進(jìn)行了業(yè)務(wù)功能分析和數(shù)據(jù)安全分類之后答案：D10.WhyisauthenticationbyownershipstrongerthanauthenticationbyKnowledge?

為什么所有權(quán)認(rèn)證比知識(shí)認(rèn)證更強(qiáng)？A、ltiseasiertochange

更容易改變B、ltcanbekeptontheuser'sperson

它可以保存在用戶的個(gè)人身上C、ltismoredifficulttoduplicate

它更難復(fù)制D、ltissimplertocontrol

更容易控制答案：B11.Apanyhiredanexternalvendortoperformapenetrationtestofanewpayrollsystem.Thepany'sinternaltestteamhadalreadyperformedanin-depthapplicationandsecuritytestofthesystemanddeterminedthatitmetsecurityrequirements.However,theexternalvendoruncovered

Significantsecurityweaknesseswheresensitivepersonaldatawasbeingsentunencryptedtothetaxprocessingsystems.WhatistheMOSTlikelycauseofthesecurityissues?

一家公司雇傭了外部供應(yīng)商對(duì)新的工資系統(tǒng)進(jìn)行滲透測(cè)試。該公司的內(nèi)部測(cè)試團(tuán)隊(duì)已經(jīng)對(duì)該系統(tǒng)進(jìn)行了深入的應(yīng)用和安全測(cè)試，并確定其滿足安全要求。然而，外部供應(yīng)商發(fā)現(xiàn)了一些重大的安全弱點(diǎn)，即敏感的個(gè)人數(shù)據(jù)被未加密地發(fā)送到稅務(wù)處理系統(tǒng)。造成安全問(wèn)題的最可能的原因是什么？A、Failuretoperforminterfacetesting

無(wú)法執(zhí)行接口測(cè)試B、Failuretoperformnegativetesting

未進(jìn)行陰性測(cè)試C、Inadequateperformancetesting

性能測(cè)試不足D、Inadequateapplicationleveltesting

應(yīng)用程序級(jí)別測(cè)試不足答案：A12.Afiberlinkconnectingtwocampusnetworksisbroken.Whichofthefollowingtoolsshouldanengineerusetodetecttheexactbreakpointofthefiberlink?

連接兩個(gè)校園網(wǎng)的光纖鏈路中斷。工程師應(yīng)使用以下哪些工具來(lái)檢測(cè)光纖鏈路的確切斷點(diǎn)？A、OTDR

光時(shí)域反射儀B、Tonegenerator

音頻發(fā)生器C、Fusionsplicer

熔接機(jī)D、Cabletester

電纜測(cè)試器E、PoEinjectorPoE

注射器答案：A13.Topreventinadvertentdisclosureofrestrictedinformation,whichofthefollowingwouldbetheLEASTeffectiveprocessforeliminatingdatapriortothemediabeingdiscarded?

為了防止無(wú)意中受限信息的披露，以下哪一個(gè)將是在丟棄媒體之前消除數(shù)據(jù)的最不有效的過(guò)程？A、Multiple-passoverwriting

多通道覆蓋B、Degaussing

消磁C、High-levelformatting

高級(jí)格式化D、Physicaldestruction

物理破壞答案：C14.Informationsecuritypractitionersareinthemidstofimplementinganewfirewall.WhichofthefollowingfailuremethodswouldBESTprioritizesecurityintheeventoffailure?

信息安全從業(yè)人員正在實(shí)施一個(gè)新的防火墻。以下哪種故障方法最能優(yōu)先考慮安全性？A、Fail-Closed

故障關(guān)閉B、Fail-Open

故障打開(kāi)C、Fail-Safe

故障安全D、Failover

故障轉(zhuǎn)移答案：A15.Whichoneofthefollowingisafundamentalobjectiveinhandlinganincident?

以下哪一項(xiàng)是處理一個(gè)事件的基本目標(biāo)？A、Torestorecontroloftheaffectedsystems

還原對(duì)受影響系統(tǒng)的控制B、Toconfiscatethesuspect'sputers

沒(méi)收嫌疑人的電腦C、Toprosecutetheattacker

起訴攻擊者D、Toperformfullbackupsofthesystem

執(zhí)行系統(tǒng)的完整備份答案：A16.panyAisevaluatingnewsoftwaretoreplaceanin-housedevelopedapplication.Duringthe

Acquisitionprocess.panyAspecifiedthesecurityretirement,aswellasthefunctional

Requirements.panyBrespondedtotheacquisitionrequestwiththeirflagshipproductthatruns

OnanOperatingSystem(OS)thatpanyAhasneverusednorevaluated.Theflagshipproduct

Meetsallsecurity-andfunctionalrequirementsasdefinedbypanyA.BaseduponpanyB's

Response,whatstepshouldpanyAtake?

A公司正在評(píng)估一種新的軟件，以取代一個(gè)內(nèi)部開(kāi)發(fā)的應(yīng)用程序。在收購(gòu)過(guò)程中。A公司明確了擔(dān)保退休，以及功能要求。B公司以其運(yùn)行在A公司從未使用過(guò)或評(píng)估過(guò)的操作系統(tǒng)(OS)上的旗艦產(chǎn)品回應(yīng)了收購(gòu)請(qǐng)求。旗艦產(chǎn)品滿足A公司定義的所有安全和功能要求。根據(jù)B公司的響應(yīng)，A公司應(yīng)采取什么步驟？A、Moveaheadwiththeacpjisitionprocess,andpurchasetheflagshipsoftware。

繼續(xù)推進(jìn)收購(gòu)程序，并購(gòu)買旗艦軟件B、ConductasecurityreviewoftheOS.

對(duì)操作系統(tǒng)進(jìn)行安全審查C、Performfunctionalitytesting.

執(zhí)行功能測(cè)試。D、EnterintocontractnegotiationsensuringServiceLevelAgreements(SLA)areestablishedtoincludesecuritypatching

簽訂合同談判，確保建立了服務(wù)水平協(xié)議(SLA)，以包括安全補(bǔ)丁答案：B17.Whichofthefollowingisanexampleoftwo-factorauthentication?

以下哪一個(gè)是雙因素身份驗(yàn)證的例子？A、Retinascanandapalmprint

視網(wǎng)膜掃描和掌紋B、Fingerprintandasmartcard

指紋和智能卡C、MagneticstripecardandanIDbadge

磁條卡和身份證章D、PasswordandpletelyAutomatedPublicTuringtesttotellputersandHumansApart(CAPTCHA)

密碼和完全自動(dòng)化的公共圖靈測(cè)試來(lái)區(qū)分計(jì)算機(jī)和人類（CAPTCHA）答案：B18.WhichofthefollowingauthorizationstandardsisbuilttohandleApplicationprogrammingInterface(API)accessforfederatedIdentitymanagement(FIM)?

以下哪些授權(quán)標(biāo)準(zhǔn)用于處理聯(lián)邦身份管理(FIM)的應(yīng)用程序編程接口(API)訪問(wèn)？A、RemoteAuthenticationDial-InUserService(RADIUS)

遠(yuǎn)程身份驗(yàn)證撥入用戶服務(wù)（RADIUS）B、TerminalAccessControllerAccessControlSystemPlus(TACACS+)

終端門(mén)禁控制器門(mén)禁系統(tǒng)升級(jí)版（TACACS+）C、OpenAuthentication(OAuth)

開(kāi)放式身份驗(yàn)證（OAuth）D、SecurityAssertionMarkupLanguage(SAML)

安全斷言標(biāo)記語(yǔ)言（SAML）答案：C19.IntheSoftwareDevelopmentLifeCycle(SDLC),maintainingaccuratehardwareandsoftwareinventoriesisacriticalpartof:

在軟件開(kāi)發(fā)生命周期（SDLC）中，保持準(zhǔn)確的硬件和軟件庫(kù)存是（）？A、systemsintegration.

系統(tǒng)集成B、riskmanagement.

風(fēng)險(xiǎn)管理C、qualityassurance.

質(zhì)量保證D、changemanagement.

變更管理答案：D20.Anestablishinformationtechnology(IT)consultingfirmisconsideringacquiringasuccessfullocalstartup.Togainaprehensiveunderstandingofthestartup'ssecurityposture'whichtypeofassessmentprovidestheBESTinformation?

一家成熟的信息技術(shù)（IT）咨詢公司正在考慮收購(gòu)一家成功的本地創(chuàng)業(yè)公司。為了全面了解初創(chuàng)公司的安全狀況，哪種評(píng)估類型提供了最佳信息？A、Asecurityaudit

安全審計(jì)B、Apenetrationtest

滲透測(cè)試C、Atabletopexercise

桌面練習(xí)D、Asecuritythreatmodel

一個(gè)安全威脅模型答案：A21.Asecuritypliancemanagerofalargeenterprisewantstoreducethetimeittakestoperformnetwork,system,andapplicationsecurityplianceauditswhileincreasingqualityandeffectivenessoftheresults.WhatshouldbeimplementedtoBESTachievethedesiredresults?

大型企業(yè)的安全遵從性經(jīng)理希望減少執(zhí)行網(wǎng)絡(luò)、系統(tǒng)和應(yīng)用程序安全遵從性審計(jì)所需的時(shí)間，同時(shí)提高結(jié)果的質(zhì)量和有效性。應(yīng)該實(shí)現(xiàn)什么來(lái)最好地達(dá)到期望的結(jié)果？A、ConfigurationManagementDatabase(CMDB)

配置管理數(shù)據(jù)庫(kù)B、Sourcecoderepository

源代碼存儲(chǔ)庫(kù)C、ConfigurationManagementPlan(CMP)

配置管理計(jì)劃D、Systemperformancemonitoringapplication

系統(tǒng)性能監(jiān)控應(yīng)用答案：A22.Duringwhichofthefollowingprocessesisleastprivilegeimplementedforauseraccount?

在以下哪個(gè)過(guò)程中，對(duì)用戶帳戶實(shí)現(xiàn)的權(quán)限最少？A、Provision

準(zhǔn)備B、Approve

批準(zhǔn)C、Request

請(qǐng)求D、Review

審查答案：A23.WhichoneofthefollowingactivitieswouldpresentasignificantsecurityrisktoorganizationswhenemployingaVirtualPrivateNetwork(VPN)solution?

在使用虛擬專用網(wǎng)絡(luò)(VPN)解決方案時(shí)，下列哪些活動(dòng)之一會(huì)給組織帶來(lái)重大的安全風(fēng)險(xiǎn)？A、VPNbandwidth

VPN帶寬B、Simultaneousconnectiontoothernetworks

同時(shí)連接到其他網(wǎng)絡(luò)C、UserswithInternetProtocol(IP)addressingconflicts

使用互聯(lián)網(wǎng)協(xié)議(IP)解決沖突的用戶D、Remoteuserswithadministrativerights

具有管理權(quán)限的遠(yuǎn)程用戶答案：B24.TheSecureShell(SSH)version2protocolsupports.

支持安全Shell(SSH)版本2協(xié)議。A、availability,accountability,pression,andintegrity.

可用性、可問(wèn)責(zé)制、壓縮性和完整性B、authentication,availability,confidentiality,andintegrity.

身份驗(yàn)證、可用性、機(jī)密性和完整性。C、accountability,pression,confidentiality,andintegrity.

問(wèn)責(zé)制、壓縮、機(jī)密性和完整性D、authentication,pression,confidentiality,andintegrity.

身份驗(yàn)證、壓縮、機(jī)密性和完整性。答案：D25.Amobiledeviceapplicationthatrestrictsthestorageofuserinformationtojustthatwhichisneededtoacplishlawfulbusinessgoalsadherestowhatprivacyprinciple?

一個(gè)移動(dòng)設(shè)備應(yīng)用程序，限制用戶信息的存儲(chǔ)，只是需要實(shí)現(xiàn)合法的業(yè)務(wù)目標(biāo)，遵循什么隱私原則？A、Onwardtransfer

向前轉(zhuǎn)移B、CollectionLimitation

收集限制C、CollectorAccountability

收集器問(wèn)責(zé)制D、IndividualParticipation

個(gè)人參與答案：B26.WhichofthefollowingistheBESTwaytoprotectagainstStructuredQuerylanguage(SQL)injection?

以下哪一種是防止結(jié)構(gòu)化查詢語(yǔ)言(SQL)注入的最佳方法？A、Enforceboundarychecking.

強(qiáng)制邊界檢查B、RatfrictumofSELECTmand.

選擇命令的速率C、RestrictHyperTextMarkupLanguage(HTML)sourcecode

限制超文本標(biāo)記語(yǔ)言(HTML)源代碼D、Usestoredprocedures.

使用存儲(chǔ)過(guò)程答案：D27.WhileclassifyingcreditcarddatarelatedtoPaymentCardIndustryDataSecurityStandards(PCIDSS),whichofthefollowingisaPRIMARYsecurityrequirement?

在對(duì)與支付卡行業(yè)數(shù)據(jù)安全標(biāo)準(zhǔn)(PCI-DSS)相關(guān)的信用卡數(shù)據(jù)進(jìn)行分類時(shí)，以下哪一個(gè)是主要的安全要求？A、Processoragreementswithcardholders

與持卡人簽訂的處理器協(xié)議B、Three-yearretentionofdata

數(shù)據(jù)的三年保留C、Encryptionofdata

數(shù)據(jù)加密D、Specificcarddisposalmethodology

特定的卡片處理方法答案：C28.Whendeterminingdataandinformationassethandling,regardlessofthespecifictoolsetbeingused,whichofthefollowingisoneofthemonponentsofbigdata?

在確定數(shù)據(jù)和信息資產(chǎn)處理時(shí)，無(wú)論使用的是特定的工具集，以下哪一個(gè)是大數(shù)據(jù)的共同組成部分之一？A、Consolidateddatacollection

合并數(shù)據(jù)收集B、Distributedstoragelocations

分布式存儲(chǔ)位置C、Distributeddatacollection

分布式數(shù)據(jù)收集D、Centralizedprocessinglocation

集中處理位置答案：C29.Whenperforminganinvestigationwiththepotentialforlegalaction,whatshouldbetheanalyst'sFIRSTconsideration?

當(dāng)進(jìn)行可能采取法律行動(dòng)的調(diào)查時(shí)，分析師首先考慮的是什么？A、Chain-of-custody

監(jiān)管鏈B、Authorizationtocollect

收集授權(quán)C、Courtadmissibility

法院可采性D、Datadecryption

數(shù)據(jù)解密答案：A30.AsasecuritymangerwhichofthefollowingistheMOSTeffectivepracticeforprovidingvalue

Toanorganization?

作為一個(gè)安全經(jīng)理，以下哪一種是為組織提供價(jià)值的最有效的做法？A、Assessbusinessriskandapplysecurityresourcesaccordingly

評(píng)估業(yè)務(wù)風(fēng)險(xiǎn)并相應(yīng)地應(yīng)用安全資源B、Coordinatesecurityimplementationswithinternalaudit

協(xié)調(diào)安全實(shí)施與內(nèi)部審計(jì)C、Achieveplianceregardlesofrelatedtechnicalissuses

實(shí)現(xiàn)相關(guān)技術(shù)問(wèn)題的合規(guī)性D、ldentifyconfidentialinformationandprotectit

識(shí)別機(jī)密信息并加以保護(hù)答案：D31.InwhichprocessMUSTsecuritybeconsideredduringtheacquisitionofnewsoftware?

在購(gòu)買新軟件時(shí)，在哪個(gè)過(guò)程必須考慮安全性？A、Contractnegotiation

合同談判B、Requestforproposal(RFP)

申請(qǐng)?zhí)岚?RFP)C、Implementation

實(shí)施D、Vendorselection

供應(yīng)商選擇答案：B32.WhatistheFIRSTstepthatshouldbeconsideredinaDataLossPrevention(DLP)program?

在數(shù)據(jù)丟失預(yù)防(DLP)計(jì)劃中，應(yīng)該考慮的第一步是什么？A、Configurationmanagement(CM)

配置管理(CM)B、InformationRightsManagement(IRM)

信息權(quán)限管理(IRM)C、Policycreation

創(chuàng)建策略D、Dataclassification

數(shù)據(jù)分類答案：D33.WhichofthefollowingstatementsisTRUEregardingequivalenceclasstesting?

關(guān)于等價(jià)類測(cè)試，下面哪些語(yǔ)句是正確的？A、Testinputsareobtainedfromthederivedboundariesofthegivenfunctionalspecifications.

測(cè)試輸入是從給定的功能規(guī)范的導(dǎo)出邊界中獲得的B、Itischaracterizedbythestatelessbehaviorofaprocessimplementedinafunction.

它的特征是在一個(gè)函數(shù)中實(shí)現(xiàn)的進(jìn)程的無(wú)狀態(tài)行為C、Anentirepartitioncanbecoveredbyconsideringonlyonerepresentativevaluefromthatpartition.

通過(guò)只考慮該分區(qū)中的一個(gè)代表值，就可以覆蓋整個(gè)分區(qū)D、Itisusefulfortestingmunicationsprotocolsandgraphicaluserinterfaces.

它對(duì)測(cè)試通信協(xié)議和圖形用戶界面很有用答案：C34.Whiledealingwiththeconsequencesofasecurityincident,whichofthefollowingsecuritycontrolsareMOSTappropriate?

在處理安全事件的后果時(shí)，下列哪一種安全控制最合適？A、Detectiveandrecoverycontrols

偵查和恢復(fù)控制B、Correctiveandrecoverycontrols

糾正和恢復(fù)控制C、Preventativeandcorrectivecontrols

預(yù)防性和糾正性控制D、Recoveryandproactivecontrols

恢復(fù)和主動(dòng)控制答案：C35.AnorganizationisrequiredtoplywiththePaymentCardIndustryDataSecurityStandard(PCI-DSS),whatistheMOSTeffectiveapproachtosafeguarddigitalandpapermediathatcontainscardholderdata?

一個(gè)組織機(jī)構(gòu)必須遵守支付卡行業(yè)數(shù)據(jù)安全標(biāo)準(zhǔn)(PCI-DSS)，保護(hù)包含持卡人數(shù)據(jù)的數(shù)字和紙質(zhì)媒體的最有效的方法是什么？A、Useandregularityupdateantivirussoftware.

使用和定期更新防病毒軟件B、Maintainstrictcontroloverstorageofmedia.

保持對(duì)媒體存儲(chǔ)的嚴(yán)格控制C、Mandateencryptionofcardholderdata.

對(duì)持卡人的數(shù)據(jù)進(jìn)行強(qiáng)制加密D、Configurefirewallrulestoprotectthedata.

配置防火墻規(guī)則以保護(hù)數(shù)據(jù)答案：C36.Avulnerabilityassessmentreporthasbeensubmittedtoaclient.Theclientindicatesthatonethirdofthehoststhatwereinscopearemissingfromthereport.

InwhichphaseoftheassessmentwasthiserrorMOSTlikelymade?

已向客戶端提交了一個(gè)漏洞評(píng)估報(bào)告?？蛻舳酥甘緢?bào)告中缺少三分之一的主機(jī)。在評(píng)估的哪個(gè)階段最可能出錯(cuò)？A、Enumeration

列舉B、Reporting

報(bào)告C、Detection

偵查D、Discovery

發(fā)現(xiàn)答案：A37.WhichofthefollowingBESTdescribesRecoveryTimeObjective(RTO)?

以下哪一項(xiàng)最能描述恢復(fù)時(shí)間目標(biāo)(RTO)？A、Timeofdatavalidationafterdisaster.

災(zāi)難發(fā)生后的數(shù)據(jù)驗(yàn)證時(shí)間B、Timeofdatarestorationfrombackupafterdisaster.

災(zāi)難后備份數(shù)據(jù)恢復(fù)時(shí)間C、Timeofapplicationresumptionafterdisaster.

災(zāi)難發(fā)生后申請(qǐng)恢復(fù)的時(shí)間D、Timeofapplicationverificationafterdisaster.

災(zāi)難發(fā)生后的應(yīng)用程序驗(yàn)證時(shí)間答案：C38.Apanyisattemptingtoenhancethesecurityofitsuserauthenticationprocesses.Afterevaluatingseveraloptions,thepanyhasdecidedtoutilizeIdentityasaService(IDaaS).WhichofthefollowingfactorsleadsthepanytochooseanIDaaSastheirsolution?

一家公司正試圖增強(qiáng)其用戶認(rèn)證過(guò)程的安全性。在評(píng)估了幾種選項(xiàng)后，該公司決定使用身份即服務(wù)(IDaaS)。以下哪些因素導(dǎo)致公司選擇IDaaS作為其解決方案？A、In-housedevelopmentprovidesmorecontrol.

內(nèi)部開(kāi)發(fā)提供了更多的控制能力B、In-houseteamlacksresourcestosupportanon-premisesolution.

內(nèi)部團(tuán)隊(duì)缺乏支持內(nèi)部解決方案的資源C、Third-partysolutionsareinherentlymoresecure.

第三方解決方案本身就更安全D、Third-partysolutionsareKnownfortransferringtherisktothevendor.

第三方解決方案可以將風(fēng)險(xiǎn)轉(zhuǎn)移給供應(yīng)商答案：B39.AttacktreesareMOSTusefulforwhichofthefollowing?

攻擊樹(shù)對(duì)下列哪一個(gè)最有用？A、Determiningsystemsecurityscopes.

確定系統(tǒng)安全范圍B、Generatingattacklibraries.

生成攻擊庫(kù)C、Enumeratingthreats.

枚舉威脅D、EvaluatingDenialofService(DoS)attacks.

評(píng)估拒絕服務(wù)(DoS)攻擊答案：C40.Beforeallowingawebapplicationintotheproductionenvironment,thesecuritypractitionerperformsmultipletypesofteststoconfirmthatthewebapplicationperformsasexpected.Totesttheusernamefield,thesecuritypractitionercreatesatestthatentersmorecharactersintothefieldthanisallowed.WhichofthefollowingBESTdescribesthetypeoftestperformed?

在允許web應(yīng)用程序進(jìn)入生產(chǎn)環(huán)境之前，安全從業(yè)者會(huì)執(zhí)行多種類型的測(cè)試，以確認(rèn)web應(yīng)用程序是否按照預(yù)期執(zhí)行。要測(cè)試用戶名字段，安全從業(yè)者創(chuàng)建一個(gè)測(cè)試，在該字段中輸入超出允許的字符。下面哪項(xiàng)最佳測(cè)試描述了所執(zhí)行的測(cè)試類型？A、Misusecasetesting.

誤用案例測(cè)試B、Penetrationtesting.

滲透測(cè)試C、Websessiontesting.

網(wǎng)絡(luò)會(huì)話測(cè)試D、Interfacetesting.

接口測(cè)試答案：A41.WhatistheMOSTeffectivemethodforgainingunauthorizedaccesstoafileprotectedwithaongplexpassword?

獲得對(duì)受長(zhǎng)時(shí)間復(fù)雜密碼保護(hù)的文件的未經(jīng)授權(quán)訪問(wèn)的最有效的方法是什么？A、Bruteforceattack.

蠻力攻擊B、Frequencyanalysis.

頻率分析C、Socialengineering.

社會(huì)工程D、Dictionaryattack.

字典式攻擊答案：C42.AnorganizationseekstouseacloudIdentityandAccessManagement(IAM)providerwhoseprotocolsanddataformatsareinpatiblewithexistingsystems.Whichofthefollowingtechniquesaddressesthepatibilityissue?

組織試圖使用其協(xié)議和數(shù)據(jù)格式與現(xiàn)有系統(tǒng)不兼容的云標(biāo)識(shí)和訪問(wèn)管理(IAM)提供程序。以下哪些技術(shù)解決了兼容性問(wèn)題？A、Requirethecloud1AMprovidertousedeclarativesecurityinsteadofprogrammaticauthenticationchecks.

要求cloud1AM提供程序使用聲明性安全，而不是編程身份驗(yàn)證檢查B、IntegrateaWeb-ApplicationFirewall(WAF)Inreverie-proxymodeinfrontoftheserviceprovider.

在服務(wù)提供商面前以幻想-代理模式集成Web應(yīng)用程序防火墻(WAF)C、ApplyTransportlayerSecurity(TLS)tothecloud-basedauthenticationchecks.

將傳輸層安全性(TLS)應(yīng)用于基于云的身份驗(yàn)證檢查D、Installanon-premiseAuthenticationGatewayService(AGS)Infrontoftheserviceprovider.

在服務(wù)提供商面前安裝一個(gè)內(nèi)部部署的身份驗(yàn)證網(wǎng)關(guān)服務(wù)(AGS)答案：D43.WhichofthefollowingistheMOSTeffectivemethodofdetectingvulnerabilitiesinwebbasedapplicationsearlyinthesecureSoftwareDevelopmentLifeCycle(SDLC)?

以下哪一種是在安全軟件開(kāi)發(fā)生命周期(SDLC)早期檢測(cè)基于web的應(yīng)用程序中漏洞的最有效的方法？A、Webapplicationvulnerabilityscanning

Web應(yīng)用程序漏洞掃描B、Applicationfuzzing

應(yīng)用程序融合C、Codereview

代碼審查D、Penetrationtesting

滲透試驗(yàn)答案：C44.WhenconfiguringExtensibleAuthenticationProtocol(EAP)inaVoiceoverInternetProtocol(VoIP)network,whichofthefollowingauthenticationtypesistheMOSTsecure?

在互聯(lián)網(wǎng)語(yǔ)音協(xié)議(VoIP)網(wǎng)絡(luò)中配置可擴(kuò)展身份驗(yàn)證協(xié)議(EAP)時(shí)，下列哪種身份驗(yàn)證類型是最安全的？A、EAP-TransportLayerSecurity(TLS)

EAP-傳輸層安全性(TLS)B、EAP-FlexibleAuthenticationviaSecureTunneling

EAP-通過(guò)安全隧道進(jìn)行的靈活認(rèn)證C、EAP-TunneledTransportLayerSecurity(TLS)

EAP-隧道傳輸層安全性(TLS)D、EAP-ProtectedExtensibleAuthenticationProtocol(PEAP)

受eap保護(hù)的可擴(kuò)展身份驗(yàn)證協(xié)議(PEAP)答案：C45.WhatistheBESTmethodifaninvestigatorwishestoanalyzeaharddrivewhichmaybeusedasevidence?

如果研究者希望分析一個(gè)可作為證據(jù)的硬盤(pán)驅(qū)動(dòng)器，最好的方法是什么？A、LeavetheharddriveinplaceanduseonlyverifiedandauthenticatedOperatingSystems(OS)utilities...

保留硬盤(pán)驅(qū)動(dòng)器，只使用經(jīng)過(guò)驗(yàn)證和身份驗(yàn)證的操作系統(tǒng)(OS)實(shí)用程序B、LogintothesystemandimmediatelymakeacopyofallrelevantfilestoaWriteOnce,ReadMany...

登錄系統(tǒng)，立即復(fù)制所有相關(guān)文件到一個(gè)寫(xiě)一次，讀很多C、Removetheharddrivefromthesystemandmakeacopyoftheharddrive'scontentsusingimaginghardware.

從系統(tǒng)中刪除硬盤(pán)驅(qū)動(dòng)器，并使用映像硬件復(fù)制硬盤(pán)驅(qū)動(dòng)器的內(nèi)容D、Useaseparatebootabledevicetomakeacopyoftheharddrivebeforebootingthesystemandanalyzingtheharddrive.

在啟動(dòng)系統(tǒng)并分析硬盤(pán)之前，使用單獨(dú)的可引導(dǎo)設(shè)備復(fù)制硬盤(pán)答案：C46.ThecoreponentofRoleBasedAccesscontrol(RBAC)mustbeconstructedofdefineddataelements.Whichelementsarerequired?

基于角色的訪問(wèn)控制(RBAC)的核心組件必須由已定義的數(shù)據(jù)元素構(gòu)造。需要哪些元素？A、Users,permissions,operators,andprotectedobjects

用戶、權(quán)限、操作符和受保護(hù)的對(duì)象B、Users,rotes,operations,andprotectedobjects

用戶、對(duì)象、操作和受保護(hù)的對(duì)象C、Roles,accounts,permissions,andprotectedobjects

角色、帳戶、權(quán)限和受保護(hù)的對(duì)象D、Roles,operations,accounts,andprotectedobjects

角色、操作、帳戶和受保護(hù)的對(duì)象答案：B47.Adisadvantageofanapplicationfilteringfirewallisthatitcanleadto

應(yīng)用程序過(guò)濾防火墻的一個(gè)缺點(diǎn)是，它可能會(huì)導(dǎo)致A、acrashofthenetworkasaresultofuseractivities.

由于用戶活動(dòng)而導(dǎo)致的網(wǎng)絡(luò)崩潰B、performancedegradationduetotherulesapplied.

由于所應(yīng)用的規(guī)則而導(dǎo)致的性能下降C、lossofpacketsonthenetworkduetoinsufficientbandwidth.

由于帶寬不足，網(wǎng)絡(luò)上的數(shù)據(jù)包丟失D、InternetProtocol(IP)spoofingbyhackers.

被黑客欺騙的互聯(lián)網(wǎng)協(xié)議(IP)答案：B48.Anorganizationisdesigningalargeenterprise-widedocumentrepositorysystem.Theyplantohaveseveraldifferentclassificationlevelareaswithincreasinglevelsofcontrols.TheBESTwaytoensuredocumentconfidentialityintherepositoryisto

一個(gè)組織正在設(shè)計(jì)一個(gè)大型企業(yè)范圍內(nèi)的文檔存儲(chǔ)庫(kù)系統(tǒng)。他們計(jì)劃有幾個(gè)不同的分類級(jí)別區(qū)域，并增加控制級(jí)別。確保存儲(chǔ)庫(kù)中的文檔機(jī)密性的最佳方法是A、encryptthecontentsoftherepositoryanddocumentanyexceptionstothatrequirement.

加密存儲(chǔ)庫(kù)的內(nèi)容，并記錄該需求的任何例外情況。B、utilizeIntrusionDetectionSystem(IDS)setdropconnectionsiftoomanyrequestsfordocumentsaredetected.

如果檢測(cè)到過(guò)多的文檔請(qǐng)求，請(qǐng)使用入侵檢測(cè)系統(tǒng)(IDS)設(shè)置刪除連接。C、keepindividualswithaccesstohighsecurityareasfromsavingthosedocumentsintolowersecurityareas.

防止能夠進(jìn)入高安全區(qū)域的個(gè)人將這些文件保存到較低的安全區(qū)域。D、requireindividualswithaccesstothesystemtosignNon-DisclosureAgreements(NDA).

要求能夠進(jìn)入該系統(tǒng)的個(gè)人簽署保密協(xié)議(NDA)答案：A49.TheMAINreasonanorganizationconductsasecurityauthorizationprocessisto

組織執(zhí)行安全授權(quán)過(guò)程的主要原因是為了A、forcetheorganizationtomakeconsciousriskdecisions.

迫使組織做出有意識(shí)的風(fēng)險(xiǎn)決策B、assuretheeffectivenessofsecuritycontrols.

確保安全控制的有效性C、assurethecorrectsecurityorganizationexists.

確保安全控制的有效性D、forcetheorganizationtoenlistmanagementsupport.

強(qiáng)制該組織爭(zhēng)取管理支持答案：A50.AnIntrusionDetectionSystem(IDS)hasrecentlybeendeployedinaDemilitarizedZone(DMZ).TheIDSdetectsafloodofmalformedpackets.WhichofthefollowingBESTdescribeswhathasoccurred?

入侵檢測(cè)系統(tǒng)(IDS)最近已部署在非軍事區(qū)(DMZ)。IDS檢測(cè)到大量畸形的數(shù)據(jù)包。下面哪一個(gè)最好的描述了發(fā)生了什么？A、DenialofService(DoS)attack

拒絕服務(wù)（DoS）攻擊B、AddressResolutionProtocol(ARP)spoof

地址解析協(xié)議（ARP）欺騙C、Bufferoverflow

緩沖區(qū)溢出D、Pingfloodattackping泛洪攻擊答案：A51.Whomustapprovemodificationstoanorganization'sproductioninfrastructureconfiguration?

誰(shuí)必須批準(zhǔn)對(duì)組織的生產(chǎn)基礎(chǔ)設(shè)施配置的修改？A、Technicalmanagement

技術(shù)管理B、Changecontrolboard

變速控制板C、Systemoperations

系統(tǒng)操作D、Systemusers

系統(tǒng)用戶答案：B52.Acriminalorganizationisplanninganattackonagovernmentnetwork.WhichofthefollowingistheMOSTsevereattacktothenetworkavailability?

一個(gè)犯罪組織正在計(jì)劃攻擊一個(gè)政府網(wǎng)絡(luò)。以下哪一個(gè)是對(duì)網(wǎng)絡(luò)可用性的最嚴(yán)重的攻擊？A、Networkmanagementmunicationsisdisruptedbyattacker

網(wǎng)絡(luò)管理通信被攻擊者中斷B、Operatorlosescontrolofnetworkdevicestoattacker

操作者對(duì)攻擊者網(wǎng)絡(luò)設(shè)備的控制C、Sensitiveinformationisgatheredonthenetworktopologybyattacker

攻擊者在網(wǎng)絡(luò)拓?fù)浣Y(jié)構(gòu)上收集敏感信息D、Networkisfloodedwithmunicationtrafficbyattacker

網(wǎng)絡(luò)被攻擊者淹沒(méi)通信流量答案：B53.Refertotheinformationbelowtoanswerthequestion.

Anorganizationhashiredaninformationsecurityofficertoleadtheirsecuritydepartment.Theofficerhasadequatepeopleresourcesbutislackingtheothernecessaryponentstohaveaneffectivesecurityprogram.Therearenumerousinitiativesrequiringsecurityinvolvement.Giventhenumberofpriorities,whichofthefollowingwillMOSTlikelyinfluencetheselectionoftopinitiatives?

請(qǐng)參考下面的信息來(lái)回答這個(gè)問(wèn)題。一個(gè)組織已經(jīng)雇傭了一名信息安全官員來(lái)領(lǐng)導(dǎo)他們的安全部門(mén)。警官有足夠的人力資源，但缺乏其他必要的組件來(lái)有一個(gè)有效的安全計(jì)劃。有許多倡議需要安全人員的參與?？紤]到優(yōu)先事項(xiàng)的數(shù)量，以下哪些將最可能影響頂級(jí)倡議的選擇？A、Severityofrisk

風(fēng)險(xiǎn)的嚴(yán)重程度B、plexityofstrategy

策略的復(fù)雜性C、Frequencyofincidents

事件發(fā)生頻率D、Ongoingawareness

持續(xù)的意識(shí)答案：A54.WhichofthefollowingBESTmitigatesareplayattackagainstasystemusingidentityfederationandSecurityAssertionMarkupLanguage(SAML)implementation?

以下哪一種最佳方法可以減輕使用身份標(biāo)識(shí)聯(lián)合和安全斷言標(biāo)記語(yǔ)言(SAML)實(shí)現(xiàn)對(duì)系統(tǒng)的重放攻擊？A、Two-factorauthentication

雙因素認(rèn)證B、Digitalcertificatesandhardwaretokens

數(shù)字證書(shū)和硬件令牌C、TimedsessionsandSecureSocketLayer(SSL)

定時(shí)會(huì)話和安全套接字層(SSL)D、Passwordswithalpha-numericandspecialcharacters

帶有字母數(shù)字和特殊字符的密碼答案：C55.IndividualaccesstoanetworkisBESTdeterminedbasedon

個(gè)人對(duì)網(wǎng)絡(luò)的訪問(wèn)最好是基于A、riskmatrix.

風(fēng)險(xiǎn)矩陣B、valueofthedata.

數(shù)據(jù)的值。C、businessneed.

業(yè)務(wù)需求D、dataclassification.

數(shù)據(jù)分類答案：C56.DuringaDisasterRecovery(DR)simulation,itisdiscoveredthatthesharedrecoverysitelacksadequatedatarestorationcapabilitiestosupporttheimplementationofmultipleplanssimultaneously.Whatwouldbeimpactedbythisfactifleftunchanged?

在災(zāi)難恢復(fù)(DR)模擬期間，發(fā)現(xiàn)共享恢復(fù)站點(diǎn)缺乏足夠的數(shù)據(jù)恢復(fù)能力來(lái)同時(shí)支持多個(gè)計(jì)劃的實(shí)現(xiàn)。如果保持不變，這一事實(shí)會(huì)產(chǎn)生什么影響呢？A、RecoveryPointObjective(RPO)

恢復(fù)點(diǎn)目標(biāo)(RPO)B、RecoveryTimeObjective(RTO)

恢復(fù)時(shí)間目標(biāo)(RTO)C、BusinessImpactAnalysis(BIA)

業(yè)務(wù)影響分析(BIA)D、ReturnonInvestment(ROI)

投資回報(bào)率(ROI)答案：A57.WhichofthefollowingprovidestheMOSTsecuremethodforNetworkAccessControl(NAC)?

以下哪一種為網(wǎng)絡(luò)訪問(wèn)控制(NAC)提供了最安全的方法？A、MediaAccessControl(MAC)filtering

媒體訪問(wèn)控制(MAC)過(guò)濾B、802.IXauthentication

802.IX身份驗(yàn)證C、Applicationlayerfiltering

應(yīng)用層過(guò)濾D、NetworkAddressTranslation(NAT)

網(wǎng)絡(luò)地址轉(zhuǎn)換(NAT)答案：B58.Inconfigurationmanagement,whatbaselineconfigurationinformationMUSTbemaintainedforeachputersystem?

在配置管理中，必須維護(hù)什么基準(zhǔn)配置信息為每個(gè)計(jì)算機(jī)系統(tǒng)A、Operatingsystemandversion,patchlevel,applicationsrunning,andversions.

操作系統(tǒng)和版本、補(bǔ)丁程序級(jí)別、正在運(yùn)行的應(yīng)用程序和版本B、Listofsystemchanges,testreports,andchangeapprovals

系統(tǒng)變更、測(cè)試報(bào)告和變更批準(zhǔn)的列表C、Lastvulnerabilityassessmentreportandinitialriskassessmentreport

最后的脆弱性評(píng)估報(bào)告和初始風(fēng)險(xiǎn)評(píng)估報(bào)告D、Dateoflastupdate,testreport,andaccreditationcertificate

上次更新、測(cè)試報(bào)告和認(rèn)證證書(shū)的日期答案：A59.WhichofthefollowingistheBESTmethodtopreventmalwarefrombeingintroducedintoaproductionenvironment?

以下哪一種是防止惡意軟件被引入生產(chǎn)環(huán)境的最佳方法？A、Purchasesoftwarefromalimitedlistofretailers

從一個(gè)有限的零售商名單上購(gòu)買軟件B、Verifythehashkeyorcertificatekeyofallupdates

驗(yàn)證所有更新的哈希密鑰或證書(shū)密鑰C、DoNOTpermitprograms,patches,orupdatesfromtheInternet

不允許從互聯(lián)網(wǎng)上進(jìn)行程序、補(bǔ)丁或更新D、Testallnewsoftwareinasegregatedenvironment

在一個(gè)隔離的環(huán)境中測(cè)試所有的新軟件答案：D60.WhichfactorsMUSTbeconsideredwhenclassifyinginformationandsupportingassetsforriskmanagement,legaldiscovery,andpliance?

在對(duì)信息和針對(duì)風(fēng)險(xiǎn)管理、法律發(fā)現(xiàn)和合規(guī)的支持資產(chǎn)進(jìn)行分類時(shí)，必須考慮哪些因素？A、Systemowerrolesandresponsibililes,datahandingstandards.storageandsecuredevelopentlifeclerequirements

系統(tǒng)角色和職責(zé)，數(shù)據(jù)處理標(biāo)準(zhǔn)。存儲(chǔ)和安全顯影液生命周期要求B、Datastewardshiproles,datahandingandstoragestandards,datalifcyclerequirements

數(shù)據(jù)管理角色、數(shù)據(jù)處理和存儲(chǔ)標(biāo)準(zhǔn)、數(shù)據(jù)生命周期要求C、plianceofficerolesandresponsiblities,classifiedmateriakhandingstandards,storagesystemlifecyclerequirements

法規(guī)遵從性辦公室的角色和職責(zé)、保密標(biāo)準(zhǔn)、存儲(chǔ)系統(tǒng)生命周期要求D、Systemauthorizationrolesandreponsibilities,cloudputingstandards,lifecyclerequirements

系統(tǒng)授權(quán)角色和責(zé)任、云計(jì)算標(biāo)準(zhǔn)、生命周期要求答案：B61.TheMAINtaskofpromotingsecurityforPersonalputers(PC)is

提高個(gè)人電腦(PC)的安全水平的主要任務(wù)是A、understandingthetechnicalcontrolsandensuringtheyarecorrectlyinstalled.

了解技術(shù)控制措施，并確保其得到正確安裝B、understandingtherequiredsystemsandpatchingprocessesfordifferentOperatingSystems(OS)

了解不同操作系統(tǒng)(OS)所需的系統(tǒng)和修補(bǔ)流程C、makingsurethatusersareusingonlyvalid,authorizedsoftware,sothatthechanceofvirusinfection

確保用戶只使用有效的、經(jīng)授權(quán)的軟件，以便有病毒感染的機(jī)會(huì)D、makingusersunderstandtheriskstothemachinesanddata,sotheywilltakeappropriatestepsto

Projectthem.

讓用戶了解對(duì)機(jī)器和數(shù)據(jù)造成的風(fēng)險(xiǎn)，因此他們將采取適當(dāng)?shù)牟襟E來(lái)投射它們答案：C62.TheOpenWebApplicationSecurityProject's(OWASP)SoftwareAssuranceMaturityModel(SAMM)allowsorganizationstoimplementaflexiblesoftwaresecuritystrategytomeasureorganizationalimpactbasedonwhatriskmanagementaspect?

開(kāi)放Web應(yīng)用程序安全項(xiàng)目(OWASP)的軟件保證成熟度模型(SAMM)允許組織實(shí)施一個(gè)靈活

的軟件安全策略，以根據(jù)什么風(fēng)險(xiǎn)管理方面來(lái)衡量組織的影響？A、Risktolerance

風(fēng)險(xiǎn)容忍B、Riskexception

風(fēng)險(xiǎn)異常C、Risktreatment

風(fēng)險(xiǎn)處理D、Riskresponse

風(fēng)險(xiǎn)反應(yīng)答案：D63.Ifanidentificationprocessusingabiometricsystemdetectsa100%matchbetweenapresentedtemplateandastoredtemplate,whatistheinterpretationofthisresult?

如果使用生物識(shí)別系統(tǒng)的識(shí)別過(guò)程檢測(cè)到所呈現(xiàn)的模板和存儲(chǔ)的模板之間100%匹配，那么這

個(gè)結(jié)果的解釋是什么？A、Usererror

用戶錯(cuò)誤B、Suspectedtampering

涉嫌篡改C、Accurateidentification

準(zhǔn)確識(shí)別D、Unsuccessfulidentification

未能成功識(shí)別答案：B64.Asoftwaredevelopmentpanyfoundoddbehaviorinsomerecentlydevelopedsoftware,creatinganeedforamorethoroughcodereview.WhatistheMOSTeffectiveargumentforamorethoroughcodereview?

一家軟件開(kāi)發(fā)公司在一些最近開(kāi)發(fā)的軟件中發(fā)現(xiàn)了一些奇怪的行為，因此需要進(jìn)行更徹底的代碼審查。對(duì)于更徹底的代碼審查，最有效的理由是什么？A、Itwillincreaseflexibilityoftheapplicationsdeveloped.

它將增加所開(kāi)發(fā)的應(yīng)用程序的靈活性B、Itwillincreaseaccountabilitywiththecustomers.

它將增加對(duì)客戶的責(zé)任C、Itwillimpedethedevelopmentprocess.

它將阻礙開(kāi)發(fā)過(guò)程D、ltwillreducethepotentialforvulnerabilities.

Lt將減少潛在的漏洞。答案：D65.WhichofthefollowingBESTdescribesachosenplaintextattack?

以下哪項(xiàng)最能描述所選擇的明文攻擊？A、Thecryptanalystcangenerateciphertextfromarbitrarytext.

密碼分析師可以從任意文本生成密文B、Thecryptanalystexaminesthemunicationbeingsentbackandforth.

密碼分析師檢查來(lái)回發(fā)送的通信C、Thecryptanalystcanchoosethekeyandalgorithmtomounttheattack.

密碼分析師可以選擇密鑰和算法來(lái)發(fā)起攻擊D、Thecryptanalystispresentedwiththeciphertextfromwhichtheoriginalmessageisdetermined.

密碼分析人員將得到確定原始消息的密文答案：A66.Whichofthefollowingisasecuredesignprincipleforanewproduct?

以下哪一種是一種新產(chǎn)品的安全設(shè)計(jì)原則？A、Buildinappropriatelevelsoffaulttolerance.

建立適當(dāng)?shù)娜蒎e(cuò)等級(jí)B、Utilizeobfuscationwheneverpossible.

盡可能利用混淆法C、DoNOTrelyonpreviouslyusedcode.

不要依賴于以前使用過(guò)的代碼D、Restricttheuseofmodularization.

限制模塊化的使用答案：A67.RecoverystrategiesofaDisasterRecoveryplanning(DRIP)MUSTbealignedwithwhichofthefollowing?

災(zāi)難恢復(fù)計(jì)劃(DRIP)的恢復(fù)策略必須與下列哪一項(xiàng)保持一致？A、Hardwareandsoftwarepatibilityissues

硬件和軟件的兼容性問(wèn)題B、Applications'criticallyanddowntimetolerance

應(yīng)用程序的關(guān)鍵性和停機(jī)時(shí)間容忍度C、Budgetconstraintsandrequirements

預(yù)算約束和要求D、Cost/benefitanalysisandbusinessobjectives

成本/效益分析和業(yè)務(wù)目標(biāo)答案：D68.Fromasecurityperspective,whichofthefollowingassumptionsMUSTbemadeaboutinputtoanapplication?

從安全的角度來(lái)看，必須對(duì)應(yīng)用程序的輸入做出以下哪些假設(shè)？A、Itistested

經(jīng)過(guò)測(cè)試B、Itislogged

它被記錄C、Itisverified

它經(jīng)過(guò)驗(yàn)證D、Itisuntrusted

它是不受信任的答案：D69.Whichofthefollowingphasesinthesoftwareacquisitionprocessdoesdevelopingevaluationcriteriatakeplace?

以下哪個(gè)階段開(kāi)發(fā)評(píng)估是否符合標(biāo)準(zhǔn)？A、Follow-On

后續(xù)B、Planning

規(guī)劃C、Contracting

承包D、MonitoringandAcceptance

監(jiān)控和驗(yàn)收答案：D70.WhatisthePRIMARYadvantageofusingautomatedapplicationsecuritytestingtools?

使用自動(dòng)化應(yīng)用程序安全測(cè)試工具的主要優(yōu)勢(shì)是什么？A、TheapplicationcanbeprotectedintheproductionenvironmentA.

應(yīng)用程序可以在生