it-pruefungen bietet qualitativ hochwertige Prüfungsfragen und Antworten für die Vorbereitung auf Ihre IT-Zertifizierungsprüfungen, die alle Examfragen und Examsantworten abdecken. Bei it-pruefungen.de stehen Ihnen zahlreiche kostenlose Zertifizierungsfragen von IT Prüfungen zur Verfügung. Die neuesten Unterlagen und Simulationssoftware bei it-pruefungen.de machen die IT Prüfungen ganz leicht für Sie. Im Falle eines Scheiterns erhalten Sie nämlich die Gebühr zurückerstattet

CISM Certified Information Security Manager IT Prüfung,IT Zertifizierung,Prüfungsfrage, originale Fragen,Antorten, Fragenkataloge,Prüfungsunterlagen, Prüfungsfragen, Prüfungsfrage, Testfagen, Testantworten, Vorbereitung, Zertifizierungsfragen, Zertifizierungsantworten, Examsfragen, Antworten, echte Fragen

QUESTION: 1
A common concern with poorly written web applications is that they can allow an attacker
to:

A. gain control through a buffer overflow.
B. conduct a distributed denial of service (DoS) attack.
C. abuse a race condition.
D. inject structured query language (SQL) statements.

Answer: D

Explanation:
Structured query language (SQL) injection is one of the most common and dangerous web application vulnerabilities. Buffer overflows and race conditions are very difficult to find and exploit on web applications. Distributed denial of service (DoS) attacks have nothing to do with the quality of a web application.

QUESTION: 2
Which of the following would be of GREATEST importance to the security manager in
determining whether to accept residual risk?

A. Historical cost of the asset
B. Acceptable level of potential business impacts
C. Cost versus benefit of additional mitigating controls
D. Annualized loss expectancy (ALE)

Answer: C

Explanation:
The security manager would be most concerned with whether residual risk would be reduced by a greater amount than the cost of adding additional controls. The other choices, although relevant, would not be as important.

QUESTION: 3
A project manager is developing a developer portal and requests that the security manager assign a public IP address so that it can be accessed by in-house staff and by external consultants outside the organization’s local are network (LAN). What should the security manager do FIRST?

A. Understand the business requirements of the developer portal
B. Perform a vulnerability assessment of the developer portal
C. Install an intrusion detection system (IDS)
D. Obtain a signed nondisclosure agreement (NDA) from the external consultants before
allowing external access to the server

Answer: A

Explanation:
The information security manager cannot make an informed decision about the request
without first understanding the business requirements of the developer portal. Performing a vulnerability assessment of developer portal and installing an intrusion detection system
(IDS) are best practices but are subsequent to understanding the requirements. Obtaining a signed nondisclosure agreement will not take care of the risks inherent in the organization’s application.

QUESTION: 4
A mission-critical system has been identified as having an administrative system account
with attributes that prevent locking and change of privileges and name. Which would be the BEST approach to prevent successful brute forcing of the account?
A. Prevent the system from being accessed remotely
B. Create a strong random password
C. Ask for a vendor patch
D. Track usage of the account by audit trails

Answer: B

Explanation:
Creating a strong random password reduces the risk of a successful brute force attack by
exponentially increasing the time required. Preventing the system from being accessed
remotely is not always an option in mission-critical systems and still leaves local access
risks. Vendor patches are not always available. Tracking usage is a detective control and will not prevent an attack.

Echte Fragen CISM Isaca Fragenkatalog