- (Exam Topic 2)
A security practitioner is performing due diligence on a vendor that is being considered for cloud services.
Which of the following should the practitioner consult for the best insight into the current security posture of the vendor?

1. A. PCI DSS standards
2. B. SLA contract
3. C. CSF framework
4. D. SOC 2 report

Correct Answer: D
A SOC 2 report is a document that provides an independent assessment of a service organization’s controls related to the Trust Services Criteria of Security, Availability, Processing Integrity, Confidentiality, or Privacy. A SOC 2 report can help a security practitioner evaluate the current security posture of a vendor that provides cloud services1.

- (Exam Topic 4)
The application development teams have been asked to answer the following questions:
Does this application receive patches from an external source?
Does this application contain open-source code?
Is this application accessible by external users?
Does this application meet the corporate password standard?
Which of the following are these questions part of?

1. A. Risk control self-assessment
2. B. Risk management strategy
3. C. Risk acceptance
4. D. Risk matrix

Correct Answer: A
A risk control self-assessment (RCSA) is a process that allows an organization to identify, evaluate, and mitigate the risks associated with its activities, processes, systems, and products. A RCSA involves asking relevant questions to assess the effectiveness of existing controls and identify any gaps or weaknesses that need improvement. A RCSA also helps to align the risk appetite and tolerance of the organization with its strategic objectives and performance.
The application development teams have been asked to answer questions related to their applications’ security posture, such as whether they receive patches from an external source, contain open-source code, are accessible by external users, or meet the corporate password standard. These questions are part of a RCSA process that aims to evaluate the potential risks and vulnerabilities associated with each application and determine how well they are managed and mitigated.

- (Exam Topic 3)
A technician is setting up a new firewall on a network segment to allow web traffic to the internet while
hardening the network. After the firewall is configured, users receive errors stating the website could not be located. Which of the following would best correct the issue?

1. A. Setting an explicit deny to all traffic using port 80 instead of 443
2. B. Moving the implicit deny from the bottom of the rule set to the top
3. C. Configuring the first line in the rule set to allow all traffic
4. D. Ensuring that port 53 has been explicitly allowed in the rule set

Correct Answer: D
Port 53 is the default port for DNS traffic. If the firewall is blocking port 53, then users will not be able to resolve domain names and will receive errors stating that the website could not be located.
The other options would not correct the issue. Setting an explicit deny to all traffic using port 80 instead of 443 would block all HTTP traffic, not just web traffic. Moving the implicit deny from the bottom of the rule set to the top would make the deny rule more restrictive, which would not solve the issue. Configuring the first line in the rule set to allow all traffic would allow all traffic, including malicious traffic, which is not a good security practice.
Therefore, the best way to correct the issue is to ensure that port 53 has been explicitly allowed in the rule set. Here are some additional information about DNS traffic:
DNS traffic is used to resolve domain names to IP addresses.
DNS traffic is typically unencrypted, which makes it vulnerable to eavesdropping.
There are a number of ways to secure DNS traffic, such as using DNS over HTTPS (DoH) or DNS over TLS (DoT).

- (Exam Topic 2)
A company is enhancing the security of the wireless network and needs to ensure only employees with a valid certificate can authenticate to the network. Which of the following should the company implement?

1. A. PEAP
2. B. PSK
3. C. WPA3
4. D. WPS

Correct Answer: A
PEAP stands for Protected Extensible Authentication Protocol, which is a protocol that can provide secure authentication for wireless networks. PEAP can use certificates to authenticate the server and the client, or only the server. PEAP can also use other methods, such as passwords or tokens, to authenticate the client. PEAP can ensure only employees with a valid certificate can authenticate to the network.

- (Exam Topic 2)
A security administrator Installed a new web server. The administrator did this to Increase the capacity (or an application due to resource exhaustion on another server. Which o( the following algorithms should the administrator use to split the number of the connections on each server In half?

1. A. Weighted response
2. B. Round-robin
3. C. Least connection
4. D. Weighted least connection

Correct Answer: B
The administrator should use a round-robin algorithm to split the number of connections on each server in half. Round-robin is a load-balancing algorithm that distributes incoming requests to the available servers one by one in a cyclical order. This helps to evenly distribute the load across all of the servers, ensuring that no single server is overloaded.