A security architect is reviewing the following proposed corporate firewall architecture and configuration:

Both firewalls are stateful and provide Layer 7 filtering and routing. The company has the following requirements:
Web servers must receive all updates via HTTP/S from the corporate network. Web servers should not initiate communication with the Internet.
Web servers should only connect to preapproved corporate database servers.
Employees’ computing devices should only connect to web services over ports 80 and 443. Which of the following should the architect recommend to ensure all requirements are met
in the MOST secure manner? (Choose two.)

1. A. Add the following to Firewall_A: 15 PERMIT FROM 10.0.0.0/16 TO 0.0.0.0/0 TCP 80,443
2. B. Add the following to Firewall_A: 15 PERMIT FROM 192.168.1.0/24 TO 0.0.0.0 TCP80,443
3. C. Add the following to Firewall_A: 15 PERMIT FROM 10.0.0.0/16 TO 0.0.0.0/0 TCP/UDP 0-65535
4. D. Add the following to Firewall_B: 15 PERMIT FROM 0.0.0.0/0 TO 10.0.0.0/16 TCP/UDP 0-65535
5. E. Add the following to Firewall_B: 15 PERMIT FROM 10.0.0.0/16 TO 0.0.0.0 TCP/UDP 0- 65535
6. F. Add the following to Firewall_B: 15 PERMIT FROM 192.168.1.0/24 TO 10.0.2.10/32 TCP 80,443

Correct Answer: AD

Which of the following technologies allows CSPs to add encryption across multiple data storages?

1. A. Symmetric encryption
2. B. Homomorphic encryption
3. C. Data dispersion
4. D. Bit splitting

Correct Answer: D
Reference: https://www.hhs.gov/sites/default/files/nist800111.pdf

A hospitality company experienced a data breach that included customer Pll. The hacker used social engineering to convince an employee to grant a third-party application access to some company documents within a cloud file storage service. Which of the following is the BEST solution to help prevent this type of attack in the future?

1. A. NGFW for web traffic inspection and activity monitoring
2. B. CSPM for application configuration control
3. C. Targeted employee training and awareness exercises
4. D. CASB for OAuth application permission control

Correct Answer: D
The company should use CASB for OAuth application permission control to help prevent this type of attack in the future. CASB stands for cloud access security broker, which is a software tool that monitors and enforces security policies for cloud applications. CASB can help control which third-party applications can access the company’s cloud file storage service and what permissions they have. CASB can also detect and block any unauthorized or malicious applications that try to access the company’s data. Verified References:
https://www.kaspersky.com/resource-center/threats/how-to-avoid-social-engineering-attacks
https://www.eccouncil.org/cybersecurity-exchange/ethical-hacking/understanding-preventing-social-engin
https://www.indusface.com/blog/10-ways-businesses-can-prevent-social-engineering-attacks/

A DevOps team has deployed databases, event-driven services, and an API gateway as PaaS solution that will support a new billing system. Which of the following security responsibilities will the DevOps team need to perform?

1. A. Securely configure the authentication mechanisms
2. B. Patch the infrastructure at the operating system
3. C. Execute port scanning against the services
4. D. Upgrade the service as part of life-cycle management

Correct Answer: A

A company's finance department acquired a new payment system that exports data to an unencrypted file on the system. The company implemented controls on the file so only appropriate personnel are allowed access. Which of the following risk techniques did the department use in this situation?

1. A. Accept
2. B. Avoid
3. C. Transfer
4. D. Mitigate

Correct Answer: D