SC0-502 by SCP Actual Free Exam Questions And Answers

Question 1

For three years you have worked with MegaCorp doing occasional network and security consulting. MegaCorp is a small business that provides real estate listings and data to realtors in several of the surrounding states. The company is open for business Monday through Friday from 9 am to 6 pm, closed all evenings and weekends. Your work there has largely consisted of advice and planning, and you have been frequently disappointed by the lack of execution and follow through from the full time staff.
On Tuesday, you received a call from MegaCorp's HR director, "Hello, I'd like to inform you that Purple (the full time senior network administrator) is no longer with us, and we would like to know if you are interested in working with us full time."
You currently have no other main clients, so you reply, "Sure, when do you need me to get going?"
"Today," comes the fast and direct response. Too fast, you think. "
What is the urgency, why can this wait until tomorrow?"
"Red was let go, and he was not happy about it. We are worried that he might have done something to our network on the way out."
"OK, let me get some things ready, and Il be over there shortly."
You knew this would be messy when you came in, but you did have some advantage in that you already knew the network. You had recommended many changes in the past, none of which would be implemented by Purple. While pulling together your laptop and other tools, you grab your notes which have an overview of the network:
MegaCorp network notes: Single Internet access point, T1, connected to MegaCorp Cisco router. Router has E1 to a private web and ftp server and E0 to the LAN switch. LAN switch has four servers, four printers, and 100 client machines. All the machines are running Windows 2000. Currently, they are having their primary web site and email hosted by an ISP in Illinois.
When you get to MegaCorp, the HR Director and the CEO, both of whom you already know, greet you. The CEO informs you that Purple was let go due to difficult personality conflicts, among other reasons, and the termination was not cordial. You are to sign the proper employment papers, and get right on the job. You are given the rest of the day to get setup and running, but the company is quite concerned about the security of their network. Rightly so, you think, if these guys had implemented even half of my recommendations this would sure be easier.You get your equipment setup in your new oversized office space, and get started. For the time you are working here, your IP Address is 10.10.50.23 with a mask of \16.
One of your first tasks is to examine the router configuration. You console into the router, issue a show running-config command, and get the following output:
MegaOne#show running-config
Building configuration
Current configuration:
!
version 12.1
service udp-small-servers
service tcp-small-servers
! hostname MegaOne ! enable secret 5 $1$7BSK3$H394yewhJ45JAFEWU73747. enable password clever ! no ip name-server no ip domain-lookup ip routing ! interface Ethernet0 no shutdown ip address 2.3.57.50 255.255.255.0 no ip directed-broadcast ! interface Ethernet1 no shutdown ip 10.10.40.101 255.255.0.0 no ip directed-broadcast ! interface Serial0 no shutdown ip 1.20.30.23 255.255.255.0 no ip directed-broadcast clockrate 1024000 bandwidth 1024 encapsulation hdlc ! ip route 0.0.0.0 0.0.0.0 1.20.30.45
!
line console 0
exec-timeout 0 0
transport input all
line vty 0 4
password remote
login
!
end
After analysis of the network, you recommend that the router have a new configuration. Your goal is to make the router become part of your layered defense, and to be a system configured to help secure the network.
You talk to the CEO to get an idea of what the goals of the router should be in the new configuration. All your conversations are to go through the CEO; this is whom you also are to report to.
"OK, I suggest that the employees be strictly restricted to only the services that they must access on the Internet." You begin.
"I can understand that, but we have always had an open policy. I like the employees to feel comfortable, and not feel like we are watching over them all the time. Please leave the connection open so they can get to whatever they need to get to. We can always reevaluate this in an ongoing basis."
"OK, if you insist, but for the record I am opposed to that policy."
"Noted," responds the CEO, somewhat bluntly.
"All right, let see, the private web and ftp server have to be accessed by the Internet, restricted to the accounts on the server. We will continue to use the Illinois ISP to host our main web site and to host our email. What else, is there anything else that needs to be accessed from the Internet?"
"No, I think that's it. We have a pretty simple network, we do everything in house."
"All right, we need to get a plan in place as well right away for a security policy. Can we set something up for tomorrow?" you ask.
"Let me see, Il get back to you later." With that the CEO leaves and you get to work.
Based on the information you have from MegaCorp; knowing that the router must be an integral part of the security of the organization, select the best solution to the organization's router problem:}

A. You backup the current router config to a temp location on your laptop. Early Monday morning, you come in to build the new router configuration. Using your knowledge of the network, and your conversation with the CEO, you build and implement the following router configuration: MegaOne#configure terminal MegaOne(config)#access-list 175 permit tcp any 2.3.57.60 0.0.0.0 eq 80 MegaOne(config)#access-list 175 permit tcp any 2.3.57.60 0.0.0.0 eq 20 MegaOne(config)#access-list 175 permit tcp any 2.3.57.60 0.0.0.0 eq 21 MegaOne(config)#access-list 175 permit tcp any 10.10.0.0 0.0.255.255 established MegaOne(config)#access-list 175 permit ip any 10.10.0.0 0.0.255.255 MegaOne(config)#access-list 175 permit udp any 10.10.0.0 0.0.255.255 MegaOne(config)#access-list 175 permit icmp any 10.10.0.0 0.0.255.255 MegaOne(config)#interface Serial 0 MegaOne(config-if)#ip access-group 175 in MegaOne(config-if)#no cdp enable MegaOne(config-if)#no ip directed broadcast MegaOne(config-if)#no ip unreachables MegaOne(config-if)#^Z MegaOne#

B. With the office closed, you decide to build the new router configuration on Saturday. Using your knowledge of the network, and your conversation with the CEO, you build and implement the following router configuration: MegaOne#configure terminal MegaOne(config)#no cdp run MegaOne(config)#access-list 175 permit tcp any 2.3.57.60 0.0.0.0 eq 80 MegaOne(config)#access-list 175 permit tcp any 2.3.57.60 0.0.0.0 eq 20 MegaOne(config)#access-list 175 permit tcp any 2.3.57.60 0.0.0.0 eq 21 MegaOne(config)#access-list 175 permit tcp any 10.10.0.0 0.0.255.255 established MegaOne(config)#access-list 175 permit ip any 10.10.0.0 0.0.255.255 MegaOne(config)#access-list 175 permit udp any 10.10.0.0 0.0.255.255 MegaOne(config)#access-list 175 permit icmp any 10.10.0.0 0.0.255.255 MegaOne(config)#access-list 175 deny ip 0.0.0.0 255.255.255.255 any MegaOne(config)#access-list 175 deny ip 10.0.0.0 0.255.255.255 any MegaOne(config)#access-list 175 deny ip 127.0.0.0 0.255.255.255 any MegaOne(config)#access-list 175 deny ip 172.16.0.0 0.0.255.255 any MegaOne(config)#access-list 175 deny ip 192.168.0.0 0.0.255.255 any MegaOne(config)#no ip source-route MegaOne(config)#no ip finger MegaOne(config)#interface serial 0 MegaOne(config-if)#ip access-group 175 in MegaOne(config-if)#no ip directed broadcast MegaOne(config-if)#no ip unreachables MegaOne(config-if)#^Z MegaOne#

C. You backup the current router config to a temp location on your laptop. Friday night, you come in to build the new router configuration. Using your knowledge of the network, and your conversation with the CEO, you build and implement the following router configuration: MegaOne#configure terminal MegaOne(config)#no cdp run MegaOne(config)#no ip source-route MegaOne(config)#no ip finger MegaOne(config)#access-list 175 permit tcp any 2.3.57.60 0.0.0.0 eq 80 MegaOne(config)#access-list 175 permit tcp any 2.3.57.60 0.0.0.0 eq 20 MegaOne(config)#access-list 175 permit tcp any 2.3.57.60 0.0.0.0 eq 21 MegaOne(config)#access-list 175 permit tcp any 10.10.0.0 0.0.255.255 established MegaOne(config)#access-list 175 deny ip 0.0.0.0 255.255.255.255 any MegaOne(config)#access-list 175 deny ip 10.0.0.0 0.255.255.255 any MegaOne(config)#access-list 175 deny ip 127.0.0.0 0.255.255.255 any MegaOne(config)#access-list 175 deny ip 172.16.0.0 0.0.255.255 any MegaOne(config)#access-list 175 deny ip 192.168.0.0 0.0.255.255 any MegaOne(config)#access-list 175 permit ip any 10.10.0.0 0.0.255.255 MegaOne(config)#access-list 175 permit udp any 10.10.0.0 0.0.255.255 MegaOne(config)#access-list 175 permit icmp any 10.10.0.0 0.0.255.255 MegaOne(config)#interface serial 0 MegaOne(config-if)#ip access-group 175 in MegaOne(config-if)#no ip directed broadcast MegaOne(config-if)#no ip unreachables MegaOne(config-if)#^Z MegaOne#

D. As soon as the office closes Friday, you get to work on the new router configuration. Using your knowledge of the network, and your conversation with the CEO, you build and implement the following router configuration: MegaOne#configure terminal MegaOne(config)#access-list 175 permit tcp any 2.3.57.60 0.0.0.0 eq 80 MegaOne(config)#access-list 175 permit tcp any 2.3.57.60 0.0.0.0 eq 20 MegaOne(config)#access-list 175 permit tcp any 2.3.57.60 0.0.0.0 eq 21 MegaOne(config)#access-list 175 permit tcp any 10.10.0.0 0.0.255.255 established MegaOne(config)#access-list 175 permit ip any 10.10.0.0 0.0.255.255 MegaOne(config)#access-list 175 permit udp any 10.10.0.0 0.0.255.255 MegaOne(config)#access-list 175 permit icmp any 10.10.0.0 0.0.255.255 MegaOne(config)#interface Ethernet 0 MegaOne(config-if)#ip access-group 175 in MegaOne(config)#interface Ethernet 1 MegaOne(config-if)#ip access-group 175 in MegaOne(config-if)#^Z MegaOne#

E. You backup the current router config to a temp location on your laptop. Sunday night, you come in to build the new router configuration. Using your knowledge of the network, and your conversation with the CEO, you build and implement the following router configuration: MegaOne#configure terminal MegaOne(config)#access-list 175 permit tcp any 2.3.57.60 0.0.0.0 eq 80 MegaOne(config)#access-list 175 permit tcp any 2.3.57.60 0.0.0.0 eq 20 MegaOne(config)#access-list 175 permit tcp any 2.3.57.60 0.0.0.0 eq 21 MegaOne(config)#access-list 175 permit tcp any 10.10.0.0 0.0.255.255 established MegaOne(config)#access-list 175 permit ip any 10.10.0.0 0.0.255.255 MegaOne(config)#access-list 175 permit udp any 10.10.0.0 0.0.255.255 MegaOne(config)#access-list 175 permit icmp any 10.10.0.0 0.0.255.255 MegaOne(config)#interface Ethernet 0 MegaOne(config-if)#ip access-group 175 in MegaOne(config-if)#no cdp enable MegaOne(config)#interface Ethernet 1 MegaOne(config-if)#ip access-group 175 in MegaOne(config-if)#no cdp enable MegaOne(config-if)#^Z MegaOne#

Discussion 0

Correct Answer: C Vote an answer

Question 2

Although you feel that you have taken solid steps in the security of MegaCorp, you would like to have some more analysis and documentation of the state of the network, and the systems in place protecting MegaCorp resources.
The CEO wants to know what MegaCorp should be spending on securing these resources, and wants justification for the numbers that you provide. You inform the group that you will be able to provide them with a Risk Analysis on the defined resources, and you also suggest that MegaCorp perform a full business Risk Analysis, and that they make it part of their policy to perform ongoing analysis.
During the first meeting after the agreement on analysis, a sales manager tells you the following; "We are rolling out a new online sales component to our organization. It will be up to you to design the system for this, but we anticipate it being up and running next month and are looking to have initial revenues of around $1,000 per day through that component."
"All right," you respond "If the initial revenues are going to be around $1,000 per day, what are you projecting will be the daily revenue through this in 6 and 12 months?"
The CEO answers this question, "Our projections are to have an average of about $2,000 per day in six months and $3,000 per day within a year."
"And, what is this system going to be responsible for? By that I mean, is this just an order taking machine, is it tied into inventory, is it tied into shipping, and so on?" you ask.
"Right now, and as far as the current plan goes, this is an order taking system. It will not be tied into any of our other systems."
"Are we going to get a new Internet connection for this server, or is it going to run off the current connection we have? I recommend a new connection, but am curious to know if that has been considered."
"I think we can stick with our current connection for the time being. If it seems like there is a need in the future for the expenses of a new connection, we can discuss it then. Anything else?"
"Not right now, as issues come up I will talk to you about them." The rest of the meeting does not require your attendance, so you head back to your office.
Based on your knowledge of the MegaCorp environment, select the solution that best allow you to justify the expense of protecting the new server.}

A. You decide to perform a Qualitative Risk Analysis on the new server. You organize a short meeting with the sales director to get a better idea of what will be stored on the system. You know the projected sales volumes, and you find out that on the system will be nothing more than a catalog, where people can order MegaCorp products.
Since there is nothing of value stored on the server, you decide that the Level of Damage that would happen if this system is compromised is low and that the Likelihood of an Attack to gain access is low. Since the company needs the system for sales, you decide that the threat of a power loss is significant.
Your report back to the CEO is that the current security systems in place are adequate for the new system, that it will be protected by the firewall and IDS. You do request to increase the resources for power equipment, specifically a large battery backup for the server.

B. Since this is the only system that you are requested to analyze, and the CEO is looking for numbers, you decide to run a fast Qualitative Risk Analysis. You know that the server is going to generate $6,000 per month, and you think there will most likely be an attack on the server at least twice a month. This means that for this server, you have an SLE of $6,000 and an ALE of 24. With an SLE of $6,000, and with an ALE of 24, you determine that the SRO for the system is $144,000.
You report to the CEO that there is a risk of $144,000 to this server every year, and you recommend that for the first year that full risk amount be spent on mitigating the risk, so that in subsequent years you can report the risk has been reduced to zero.

C. With only this one single system to analyze, you decide that a Quantitative Risk Analysis is appropriate. You identify three major threats: Power Outage, Administrator-level system compromise, and Denial of Service attacks. You assign the power outage a low likelihood, the administrative compromise a medium likelihood, and the DoS a high likelihood.
You assign the power outage a high level of damage, you assign the administrative compromise a high level of damage, and you assign the DoS a low level of damage. Since the likelihood of the power outage is low, you do not recommend spending any new money on this in your report to the CEO. Since the level of damage is so high due to the administrative compromise, you recommend new security systems to protect against that threat. You recommend that the systems in place to mitigate the threat of the administrative compromise also be capable of addressing the DoS threat.

D. You decide to perform a Quantitative Risk Analysis on the server. You meet with the sales director to find out that the server will only hold a copy of the catalog. You estimate that since the system will be directly connected with a public IP Address, and since it will hold customer data that it is a likely target for attack.
You know that you have solid security systems in place, but you think there will be a legitimate attack to compromise this server at least once per month. Based on this information you decide that the ARO is 12, and the SLE will be one day of operation plus one day to restore the system, therefore $6,000. With an ARO of 12, and with a SLE of $6,000 you determine that the ALE for the system is $72,000.
You report to the CEO that although the current security systems in place are solid, this server requires security of it own. You identify the $72,000 that could be lost every year due to attacks, and request resources to properly protect the server.

E. You decide to follow the Facilitated Risk Analysis Process (FRAP) for the server. You sit down in your office by yourself, and you list out the vulnerabilities that might exist for the server. You then categorize those vulnerabilities into High, Medium, and Low.
Taking each individual vulnerability that you discovered, you further detail that listing the degree of impact that vulnerability could have, again categorizing them as High, medium, and Low.
When you are done, you have a list that shows five vulnerabilities, only one of them High, and that is attempted system compromise. You have identified this vulnerability to have a Low impact, since it will only contain the MegaCorp catalog and no other critical services.
You report back to the CEO that the current systems in place are adequate, and your only suggestion is to possibly increase the power backup to a larger model for the server.

Discussion 0

Correct Answer: D Vote an answer

Question 3

You finish the work you were doing in the morning, and head out to the monthly meeting. During this meeting, the Vice President of Strategic Partner Relations informs the group of some news, "we have decided that we need to implement a new web site that is for our strategic partners only. This site will be used for various purposes, but will primarily be used as a means of information exchange."
"So, is this going to be a private site?" asks Orange.
"Absolutely. We will not want any public users on this website. It's just for the people we identify in our Strategic Partner Program. I need those of you in security to be sure that this site is secure." "We can take care of that. How many people do you think will be accessing the site?" asks
Orange.
"Not too many, perhaps around fifty."
"So, is it correct to assume that you know each of these fifty people?"
"Yes, that is correct."
"OK, well this should not be too hard. Wel get working on this right away."
The meeting ends, and you and Orange chat more about the web site issue.
"Well, we know that only around fifty people are going to access the, and we know who these fifty
are. This should not cause too many problems," Orange says.
"I agree. Do you think it will be all right to spend any money outside of the site itself?" you ask.
"Since we are dealing with so few people, that shouldn be a problem. However, we cannot go
overboard. Go ahead and write up plan for this and get it back to me in a day or two."
Based on your knowledge of GlobalCorp, choose the best solution to the web site security issue.}

A. You decide to use digital certificates on smart cards to secure the web site. You will first install a new IIS web server to host the site. You then connect to the CA_SERVER and request a new certificate for the server. The server certificate will be used for authentication, and you have the certificate issued and stored on a portable USB drive.
You then configure a machine to function as the enrollment machine for smart cards. You are going to manage the smart cards yourself. At the machine that you are going to use for the smart cards, you first configure the system with an enrollment agent certificate from the CA_SERVER, and then you install the driver for the smart card reader.
Once the driver is installed, you make certificate requests for each of the fifty users. You start with the first user, by logging in to the CA and selecting the option to Request A Certificate For A Smart Card On Behalf Of Another User Using The Smart Card Enrollment Station radio button. You then select the Smartcard User template, and enter the user name. When prompted, you put a blank smart card in the reader and press the Enroll button, followed by entering the default PIN.
Once you have created all fifty smart cards, you continue with the configuration of the web site. You configure the site to Require Secure Channel (SSL) and configure the site certificate from the USB drive. You then configure the site to require the user to have certificates as well, enabling mapping for the specific users of this site.
You then test access to the site from a remote machine using the smart card and PIN to be authenticated to the site. Once the test is complete, you write a short howto file and send it along with the smart card, smart card reader, and driver to each of the fifty users. You follow up with each user upon receipt to walk them through the configuration.

B. You decide that you will use digital certificates to secure the web site. You will first install a new private CA that the remote users can connect to and request their certificates. This CA will be protected with a very strong password. Each user will be given a user account to access the CA, also protected with a strong password.
Next, you install the new private web server. You then connect to the new CA and make a request for a certificate for the web site. Once you receive the certificate, you configure the web site to use the certificate to Require a Secure Channel (SSL). You then select the option to require client certificates, and you enable mapping for each user account.
Finally, you will call each person and instruct them on the process of connecting to the CA and requesting their certificate, which you will instruct them to store on their local machine. Once they have their certificate, you have them test access to the site, and when successful you move on to the next person.

C. You decide that you will use freely available PGP certificates to secure access to the website. You will first install a new IIS web server to hose the site. You then configure one user account, with a strong password. You map this account as the only account that has access to the website.
You then log on locally, as this user account, to the server and create a public\private key pair. From that account you then send an outgoing email to all fifty users with the account private key. You finish the configuration of the website by making changes in the Security properties of the website.
In the Security properties, you select the Advanced tab. On the Advanced tab, you check the box to map this account to a local digital certificate, and you select the new certificate you just created.
Next, you contact each remote user and instruct them to open the email from you. You have them store the key they receive in their personal certificate store. To verify the install is correct, you walk them through the process of viewing their certificates in the MMC. Once verified, you have the user connect to the website, and enter the location of their certificate when asked for authentication credentials.

D. You decide to use existing security technology of digital certificates and SSL to secure the site. You first install a new IIS server that will be the host of the web site. You then connect to the GlobalCorp CA for the executive building and request a new certificate for the web site.
You then configure the web site to Require a Secure Channel (SSL) and install the certificate. One you install the new certificate, you connect from the new server to the CA in each office where one or more of the fifty people that require access works. At that CA, you install the CA certificate, so that the new server will trust the certificates that each CA issues.
Next, you return to the configuration of the new web site. To make the site more secure, you require client certificates, and enable mappings for each user account. You call each user and ensure that they have a certificate from their own CA, which the new server now trusts. You walk them through the process of connecting to the site, and verify that secure access to them has been granted.

E. You decide to use strong authentication via biometrics, specifically fingerprint scanning to secure the web site. You will first install a new IIS web server to host the site. You then configure fifty user accounts for the remote users, and assign those accounts very strong passwords.
You then ship one biometric mouse and software to each remote client. You call each user and walk them through the process of configuration of their equipment. First, you tell them to create a matching user account with the same user name and very strong password as you used on the IIS server. You then have them install the software, which you instruct them to configure so that the biometric will be linked to the user account.
Once the software is installed, you instruct them to connect the mouse to their system and load the appropriate driver. With the driver installed, you tell them how to load the program and enroll their fingerprint. Once they have their fingerprint enrolled, and it is matched to their user account, you let them know that their side of the configuration is complete, and that you will call them shortly to finish the process.
You return to the configuration of the IIS server. In the Security properties of the website, you select the Advanced authentication tab. On the Advanced tab, you check the box for mapping user accounts to external biometric devices, and you check the box to allow the remote machine to control the mapping. You finish the configuration by configuring the site to use 128-bit RSA to encrypt the data between the client and the server.
With the server configuration done, you call the client back and have them log in using their biometric mouse. Once logged in, you instruct them to connect to the website and verify the secure site is running.

Discussion 0

Correct Answer: A Vote an answer

Question 4

Although you feel that you have taken solid steps in the security of MegaCorp, you would like to have some more analysis and documentation of the state of the network, and the systems in place protecting MegaCorp resources.
The CEO wants to know what MegaCorp should be spending on securing these resources, and wants justification for the numbers that you provide. You inform the group that you will be able to provide them with a Risk Analysis on the defined resources, and you also suggest that MegaCorp perform a full business Risk Analysis, and that they make it part of their policy to perform ongoing analysis.
During the first meeting after the agreement on analysis, a sales manager tells you the following; "We are rolling out a new online sales component to our organization. It will be up to you to design the system for this, but we anticipate it being up and running next month and are looking to have initial revenues of around $1,000 per day through that component."
"All right," you respond "If the initial revenues are going to be around $1,000 per day, what are you projecting will be the daily revenue through this in 6 and 12 months?"
The CEO answers this question, "Our projections are to have an average of about $2,000 per day in six months and $3,000 per day within a year."
"And, what is this system going to be responsible for? By that I mean, is this just an order taking machine, is it tied into inventory, is it tied into shipping, and so on?" you ask.
"Right now, and as far as the current plan goes, this is an order taking system. It will not be tied into any of our other systems."
"Are we going to get a new Internet connection for this server, or is it going to run off the current connection we have? I recommend a new connection, but am curious to know if that has been considered."
"I think we can stick with our current connection for the time being. If it seems like there is a need in the future for the expenses of a new connection, we can discuss it then. Anything else?"
"Not right now, as issues come up I will talk to you about them." The rest of the meeting does not require your attendance, so you head back to your office.
Based on your knowledge of the MegaCorp environment, select the solution that best allow you to justify the expense of protecting the new server.}

A. You decide to perform a Qualitative Risk Analysis on the new server. You organize a short meeting with the sales director to get a better idea of what will be stored on the system. You know the projected sales volumes, and you find out that on the system will be nothing more than a catalog, where people can order MegaCorp products.
Since there is nothing of value stored on the server, you decide that the Level of Damage that would happen if this system is compromised is low and that the Likelihood of an Attack to gain access is low. Since the company needs the system for sales, you decide that the threat of a power loss is significant.
Your report back to the CEO is that the current security systems in place are adequate for the new system, that it will be protected by the firewall and IDS. You do request to increase the resources for power equipment, specifically a large battery backup for the server.

B. Since this is the only system that you are requested to analyze, and the CEO is looking for numbers, you decide to run a fast Qualitative Risk Analysis. You know that the server is going to generate $6,000 per month, and you think there will most likely be an attack on the server at least twice a month. This means that for this server, you have an SLE of $6,000 and an ALE of 24. With an SLE of $6,000, and with an ALE of 24, you determine that the SRO for the system is $144,000.
You report to the CEO that there is a risk of $144,000 to this server every year, and you recommend that for the first year that full risk amount be spent on mitigating the risk, so that in subsequent years you can report the risk has been reduced to zero.

C. With only this one single system to analyze, you decide that a Quantitative Risk Analysis is appropriate. You identify three major threats: Power Outage, Administrator-level system compromise, and Denial of Service attacks. You assign the power outage a low likelihood, the administrative compromise a medium likelihood, and the DoS a high likelihood.
You assign the power outage a high level of damage, you assign the administrative compromise a high level of damage, and you assign the DoS a low level of damage. Since the likelihood of the power outage is low, you do not recommend spending any new money on this in your report to the CEO. Since the level of damage is so high due to the administrative compromise, you recommend new security systems to protect against that threat. You recommend that the systems in place to mitigate the threat of the administrative compromise also be capable of addressing the DoS threat.

D. You decide to perform a Quantitative Risk Analysis on the server. You meet with the sales director to find out that the server will only hold a copy of the catalog. You estimate that since the system will be directly connected with a public IP Address, and since it will hold customer data that it is a likely target for attack.
You know that you have solid security systems in place, but you think there will be a legitimate attack to compromise this server at least once per month. Based on this information you decide that the ARO is 12, and the SLE will be one day of operation plus one day to restore the system, therefore $6,000. With an ARO of 12, and with a SLE of $6,000 you determine that the ALE for the system is $72,000.
You report to the CEO that although the current security systems in place are solid, this server requires security of it??s own. You identify the $72,000 that could be lost every year due to attacks, and request resources to properly protect the server.

E. You decide to follow the Facilitated Risk Analysis Process (FRAP) for the server. You sit down in your office by yourself, and you list out the vulnerabilities that might exist for the server. You then categorize those vulnerabilities into High, Medium, and Low.
Taking each individual vulnerability that you discovered, you further detail that listing the degree of impact that vulnerability could have, again categorizing them as High, medium, and Low.
When you are done, you have a list that shows five vulnerabilities, only one of them High, and that is attempted system compromise. You have identified this vulnerability to have a Low impact, since it will only contain the MegaCorp catalog and no other critical services.
You report back to the CEO that the current systems in place are adequate, and your only suggestion is to possibly increase the power backup to a larger model for the server.

Discussion 0

Correct Answer: D Vote an answer

SCP Security Certified Program (SCP) - SC0-502 Exam Practice Test

Contact Us

Useful Links

Latest Updated