Chapter 10 Practice Test 2 (Sybex) Flashcards

1
Q

James is building a disaster recovery plan for his organization and would like to determine the amount of acceptable data loss after an outage. What variable is James determining?

A. SLA
B. RTO
C. MTD
D. RPO

A

D. RPO

Explanation:
The recovery point objective (RPO) identifies the maximum amount of data, measured in time, that may be lost during a recovery effort. The recovery time objective (RTO) is the amount of time expected to return an IT service or component to operation after a failure. The maximum tolerable downtime (MTD) is the longest amount of time that an IT service or component may be unavailable without causing serious damage to the organization. Service-level agreements (SLAs) are written contracts that document service expectations.

2
Q

In his role, Chris is expected to protect the interests of the organization, and the customers whose information he is charged to protect. What term describes the preparation and research undertaken before decisions and actions are made?

A. Due care
B. Compliance
C. Due diligence
D. Regulatory action

A

C. Due diligence

Explanation:
Due care and due diligence can be a confusing pair of terms to keep straight. Chris is engaging in due diligence when he does the preparation and research. Once that is done, he must use due care while undertaking the actions. This is often described in the context of the prudent person rule: would a prudent person have taken the action given the same knowledge?

3
Q

Alex is preparing to solicit bids for a penetration test of his company’s network and systems. He wants to maximize the effectiveness of the testing rather than the realism of the test. What type of penetration test should he require in his bidding process?

A. Black box
B. White box
C. Gray box
D. Zero box

A

B. White box

Explanation:
White-box testing provides the tester with information about networks, systems, and configurations, allowing highly effective testing. It doesn’t simulate an actual attack like black- and gray-box testing can and thus does not have the same realism, and it can lead to attacks succeeding that would fail in a zero- or limited-knowledge attack.

4
Q

Application banner information is typically recorded during what penetration testing phase?

A. Planning
B. Attack
C. Reporting
D. Discovery

A

D. Discovery

Explanation:
The discovery phase includes activities such as gathering IP addresses, network ranges, and hostnames, as well as gathering information about employees, locations, systems, and, of course, the services those systems provide. Banner information is typically gathered as part of discovery to provide information about what version and type of service is being provided.

5
Q

Tony wants to conduct a disaster recovery plan test exercise for his organization. What type of exercise should he conduct if he wants it to be the most realistic event possible and is able to disrupt his organization’s operations to conduct the exercise?

A. Read-through
B. Full interruption
C. Walk-through
D. Simulation

A

B. Full interruption

Explanation:
The most realistic but also most disruptive option for disaster recovery plan testing is a full interruption. The least obtrusive but also least similar to real-world scenarios is a read-through. After that, walk-throughs and simulations are each closer to a true scenario, but parallel operations is often the most popular option because it can be done without disrupting the organization and still reasonably test capabilities.

6
Q

Jim has been asked to individually identify devices that users are bringing to work as part of a new BYOD policy. The devices will not be joined to a central management system like Active Directory, but he still needs to uniquely identify the systems. Which of the following options will provide Jim with the best means of reliably identifying each unique device?

A. Record the MAC address of each system.
B. Require users to fill out a form to register each system.
C. Scan each system using a port scanner.
D. Use device fingerprinting via a web-based registration system.

A

D. Use device fingerprinting via a web-based registration system.

Explanation:
Device fingerprinting via a web portal can require user authentication and can gather data such as operating systems, versions, software information, and many other factors that can uniquely identify systems. Using an automated fingerprinting system is preferable to handling manual registration, and pairing user authentication with data gathering provides more detail than a port scan. MAC addresses can be spoofed, and systems may have more than one depending on how many network interfaces they have, which can make unique identification challenging.

7
Q

Ben works in an organization that uses a formal data governance program. He is consulting with an employee working on a project that created an entirely new class of data and wants to work with the appropriate individual to assign a classification level to that information. Who is responsible for the assignment of information to a classification level?

A. Data creator
B. Data owner
C. CISO
D. Data custodian

A

B. Data owner

Explanation:
The data owner is normally responsible for classifying information at an appropriate level. This role is typically filled by a senior manager or director, who then delegates operational responsibility to a data custodian.

8
Q

James wants to ensure that his company’s backups will survive a disaster that strikes the data center. Which of the following options is the best solution to this concern?

A. Off-site backups
B. A grandfather/father/son backup tiering system
C. Redundant backup systems
D. Snapshots to a SAN or NAS

A

A. Off-site backups

Explanation:
Off-site backups are the best option for disaster recovery in a scenario where a disaster directly impacts the data center. None of the other scenarios as described will directly address the issue, although snapshots to a remote storage location can act as a form of off-site backup.

9
Q

Gabe is concerned about the security of passwords used as a cornerstone of his organization’s information security program. Which one of the following controls would provide the greatest improvement in Gabe’s ability to authenticate users?

A. More complex passwords
B. User education against social engineering
C. Multifactor authentication
D. Addition of security questions based on personal knowledge

A

C. Multifactor authentication

Explanation:
While all of the listed controls would improve authentication security, most simply strengthen the use of knowledge-based authentication. The best way to improve the authentication process would be to add a factor not based on knowledge through the use of multifactor authentication. This may include the use of biometric controls or token-based authentication.

10
Q

The separation of network infrastructure from the control layer, combined with the ability to centrally program a network design in a vendor-neutral, standards-based implementation, is an example of what important concept?

A. MPLS, a way to replace long network addresses with shorter labels and support a wide range of protocols
B. FCoE, a converged protocol that allows common applications over Ethernet
C. SDN, a converged protocol that allows network virtualization
D. CDN, a converged protocol that makes common network designs accessible

A

C. SDN, a converged protocol that allows network virtualization

Explanation:
Software-defined networking (SDN) is a converged protocol that allows virtualization concepts and practices to be applied to networks. MPLS handles a wide range of protocols like ATM, DSL, and others, but isn’t intended to provide the centralization capabilities that SDN does. A content distribution network (CDN) is not a converged protocol, and FCoE is Fibre Channel over Ethernet, a converged protocol for storage.

11
Q

Susan is preparing to decommission her organization’s archival DVD-ROMs that contain Top Secret data. How should she ensure that the data cannot be exposed?

A. Degauss
B. Zero wipe
C. Pulverize
D. Secure erase

A

C. Pulverize

Explanation:
The best way to ensure that data on DVDs is fully gone is to destroy them, and pulverizing DVDs is an appropriate means of destruction. DVD-ROMs are write-only media, meaning that secure erase and zero wipes won’t work. Degaussing only works on magnetic media and cannot guarantee that there will be zero data remanence.

12
Q

Susan is worried about a complex change and wants to ensure that the organization can recover if the change does not go as planned. What should she require in her role on the organization’s change advisory board (CAB)?

A. She should reject the change due to risk.
B. She should require a second change review.
C. She should ensure a backout plan exists.
D. She should ensure a failover plan exists.

A

C. She should ensure a backout plan exists.

Explanation:
Backout plans are required in some change management processes to ensure that the thought process and procedures for what to do if something does not go as planned are needed. Validating backout plan quality can be just as important as the change, and you may find, in many organizations, if nobody is watching

13
Q

Angie is configuring egress monitoring on her network to provide added security. Which one of the following packet types should Angie allow to leave the network headed for the internet?

A. Packets with a source address from Angie’s public IP address block
B. Packets with a destination address from Angie’s public IP address block
C. Packets with a source address outside Angie’s address block
D. Packets with a source address from Angie’s private address block

A

A. Packets with a source address from Angie’s public IP address block

Explanation:
All packets leaving Angie’s network should have a source address from her public IP address block. Packets with a destination address from Angie’s network should not be leaving the network. Packets with source addresses from other networks are likely spoofed and should be blocked by egress filters. Packets with private IP addresses as sources or destinations should never be routed onto the internet.

14
Q

Matt is conducting a penetration test against a Linux server and successfully gained access to an administrative account. He would now like to obtain the password hashes for use in a brute-force attack. Where is he likely to find the hashes, assuming the system is configured to modern security standards?

A. /etc/passwd
B. /etc/hash
C. /etc/secure
D. /etc/shadow

A

D. /etc/shadow

Explanation:
Security best practices dictate the use of shadowed password files that move the password hashes from the widely accessible /etc/passwd file to the more restricted /etc/shadow file.

15
Q

Theresa is implementing a new access control system and wants to ensure that developers do not have the ability to move code from development systems into the production environment. She wants to ensure that a developer who checks in code cannot then approve their own code as part of the process. What information security principle is she most directly enforcing?

A. Separation of duties
B. Two-person control
C. Least privilege
D. Job rotation

A

A. Separation of duties

Explanation:
While developers may feel like they have a business need to be able to move code into production, the principle of separation of duties dictates that they should not have the ability to both write code and place it on a production server. The deployment of code is often performed by change management staff.

16
Q

Which one of the following tools may be used to achieve the goal of nonrepudiation?

A. Digital signature
B. Symmetric encryption
C. Firewall
D. IDS

A

A. Digital signature

Explanation:
Applying a digital signature to a message allows the sender to achieve the goal of nonrepudiation. This allows the recipient of a message to prove to a third party that the message came from the purported sender. Symmetric encryption does not support nonrepudiation. Firewalls and IDS are network security tools that are not used to provide nonrepudiation.

17
Q

In this diagram of the TCP three-way handshake, what should system A send to system B in step 3?

A. ACK
B. SYN
C. FIN
D. RST

A

A. ACK

Explanation:
System A should send an ACK to end the three-way handshake. The TCP three-way handshake is SYN, SYN/ACK, ACK.

18
Q

What RADIUS alternative is commonly used for Cisco network gear and supports two-factor authentication?

A. RADIUS+
B. TACACS+
C. XTACACS
D. Kerberos

A

B. TACACS+

Explanation:
TACACS+ is the most modern version of TACACS, the Terminal Access Controller Access-Control System. It is a Cisco proprietary protocol with added features beyond what RADIUS provides, meaning it is commonly used on Cisco networks. XTACACS is an earlier version, Kerberos is a network authentication protocol rather than a remote user authentication protocol, and RADIUS+ is a made-up term.

19
Q

What two types of attacks are VoIP call managers and VoIP phones most likely to be susceptible to?

A. DoS and malware
B. Worms and Trojans
C. DoS and host OS attacks
D. Host OS attacks and buffer overflows

A

C. DoS and host OS attacks

Explanation:
Call managers and VoIP phones can be thought of as servers or appliances and embedded or network devices. That means that the most likely threats that they will face are denial-of-service (DoS) attacks and attacks against the host operating system. Malware and Trojans are less likely to be effective against a server or embedded system that doesn’t browse the internet or exchange data files; buffer overflows are usually aimed at specific applications or services.

20
Q

Vivian works for a chain of retail stores and would like to use a software product that restricts the software used on point-of-sale terminals to those packages on a preapproved list. What approach should Vivian use?

A. Antivirus
B. Heuristic
C. Whitelist
D. Blacklist

A

C. Whitelist

Explanation:
The blacklist approach to application control blocks certain prohibited packages but allows the installation of other software on systems. The whitelist approach uses the reverse philosophy and only allows approved software. It is worth noting that the terms blacklist and whitelist are increasingly deprecated and that you may encounter terms like block list or deny list and allow list as language and terminology shifts. As you prepare for the exam and your professional work, make sure to consider these equivalents. Antivirus software would only detect the installation of malicious software after the fact. Heuristic detection is a variant of antivirus software.

21
Q

For questions 21–23, please refer to the following scenario: Hunter is the facilities manager for DataTech, a large data center management firm. He is evaluating the installation of a flood prevention system at one of DataTech’s facilities. The facility and contents are valued at $100 million. Installing the new flood prevention system would cost $10 million. Hunter consulted with flood experts and determined that the facility lies within a 200-year flood plain and that, if a flood occurred, it would likely cause $20 million in damage to the facility.

Based on the information in this scenario, what is the exposure factor for the effect of a flood on DataTech's data center?

A. 2 percent
B. 20 percent
C. 100 percent
D. 200 percent

A

B. 20 percent

Explanation:
The exposure factor is the percentage of the facility that risk managers expect will be damaged if a risk materializes. It is calculated by dividing the amount of damage by the asset value. In this case, that is $20 million in damage divided by the $100 million facility value, or 20 percent.

22
Q

Based on the information in this scenario, what is the annualized rate of occurrence for a flood at DataTech's data center?

A. 0.002
B. 0.005
C. 0.02
D. 0.05

A

B. 0.005

Explanation:
The annualized rate of occurrence is the number of times each year that risk analysts expect a risk to happen in any given year. In this case, the analysts expect floods once every 200 years, or 0.005 times per year.

23
Q

Based on the information in this scenario, what is the annualized loss expectancy for a flood at DataTech’s data center?

A. $40,000
B. $100,000
C. $400,000
D. $1,000,000

A

B. $100,000

Explanation:
The annualized loss expectancy is calculated by multiplying the single loss expectancy (SLE) by the annualized rate of occurrence (ARO). In this case, the SLE is $20 million, and the ARO is 0.005. Multiplying these numbers together gives you the ALE of $100,000.

24
Q

Which accounts are typically assessed during an account management assessment?

A. A random sample
B. Highly privileged accounts
C. Recently generated accounts
D. Accounts that have existed for long periods of time

A

B. Highly privileged accounts

Explanation:
The most frequent target of account management reviews is highly privileged accounts, as they create the greatest risk. Random samples are the second most likely choice. Accounts that have existed for a longer period of time are more likely to have a problem due to privilege creep than recently created accounts, but neither of these choices is likely unless there is a specific organizational reason to choose them.

25
Q

Cloud computing uses a shared responsibility model for security, where the vendor and customer both bear some responsibility for security. The division of responsibility depends upon the type of service used. Place the cloud service offerings listed here in order from the case where the customer bears the least responsibility to where the customer bears the most responsibility.

  1. IaaS
  2. SaaS
  3. PaaS

A. 1, 2, 3
B. 2, 1, 3
C. 3, 2, 1
D. 2, 3, 1

A

D. 2, 3, 1

Explanation:
The cloud service offerings in order from the case where the customer bears the least responsibility to where the customer bears the most responsibility are SaaS, PaaS, and IaaS. In an infrastructure as a service (IaaS) cloud computing model, the customer retains responsibility for managing operating system and application security, while the vendor manages security at the hypervisor level and below. In a platform as a service (PaaS) environment, the vendor takes on responsibility for the operating system, but the customer writes and configures any applications. In a software as a service (SaaS) environment, the vendor takes on responsibility for the development and implementation of the application while the customer merely configures security settings within the application.

26
Q

What type of error occurs when a valid subject using a biometric authenticator is not authenticated?

A. A Type 1 error
B. A Type 2 error
C. A Type 3 error
D. A Type 4 error

A

A. A Type 1 error

Explanation:
Type 1 errors occur when a valid subject is not authenticated. Type 2 errors occur when an invalid subject is incorrectly authenticated. Type 3 and Type 4 errors are not associated with biometric authentication.

27
Q

An emergency button under the desk is a common example of what type of physical security system?

A. An airgap button
B. A keylogger
C. A pushbutton lock
D. A duress system

A

D. A duress system

Explanation:
Duress systems are intended to allow employees to notify security or others when they are in a dangerous situation or when they need help. Duress systems may be as simple as a push button and as complex as a code word or digital system that allows specific entries to trigger alarms while still performing a desired or deceptive but real-appearing action.

28
Q

Henry runs Nikto against an Apache web server and receives the output shown here.
Which of the following statements is the least important to include in his report?

A. The missing clickjacking x-frame options could be used to redirect input to a malicious site or frame.
B. Cross-site scripting protections should be enabled, but aren’t.
C. Inode information leakage from a Linux system is a critical vulnerability allowing direct access to the filesystem using node references.
D. The server is a Linux server.

A

C. Inode information leakage from a Linux system is a critical vulnerability allowing direct access to the filesystem using node references.

Explanation:
Exposing inode information is not as important as the other information shown. Clickjacking and cross-site scripting are both important issues, and knowing that the server is a Linux server is also important.

29
Q

George is assisting a prosecutor with a case against a hacker who attempted to break into the computer systems at George’s company. He provides system logs to the prosecutor for use as evidence, but the prosecutor insists that George testify in court about how he gathered the logs. What rule of evidence requires George’s testimony?

A. Testimonial evidence rule
B. Parol evidence rule
C. Best evidence rule
D. Hearsay rule

A

D. Hearsay rule

Explanation:
The hearsay rule says that a witness cannot testify about what someone else told them, except under very specific exceptions. The courts have applied the hearsay rule to include the concept that attorneys may not introduce logs into evidence unless they are authenticated by the system administrator. In this question's scenario, George might also be able to provide a sworn affidavit, but the question doesn't include that option. The best evidence rule states that copies of documents may not be submitted into evidence if the originals are available. The parol evidence rule states that if two parties enter into a written agreement, that written document is assumed to contain all of the terms of the agreement. Testimonial evidence is a type of evidence, not a rule of evidence.

30
Q

Which of the following is not a valid use for key risk indicators (KRIs)?

A. Provide warnings before issues occur.
B. Provide real-time incident response information.
C. Provide historical views of past incidents.
D. Provide insight into risk tolerance for the organization.

A

B. Provide real-time incident response information.

Explanation:
While key risk indicators can provide useful information for organizational planning and a deeper understanding of how organizations view risk, KRIs are not a great way to handle a real-time security response. Monitoring and detection systems like IPS, SIEM, and other tools are better suited to handling actual attacks.

31
Q

Which one of the following malware types uses built-in propagation mechanisms that exploit system vulnerabilities to spread?

A. Trojan horse
B. Worm
C. Logic bomb
D. Virus

A

B. Worm

Explanation:
Worms have built-in propagation mechanisms that do not require user interaction, such as scanning for systems containing known vulnerabilities and then exploiting those vulnerabilities to gain access. Viruses and Trojan horses typically require user interaction to spread. Logic bombs do not spread from system to system but lie in wait until certain conditions are met, triggering the delivery of their payload.

32
Q

As part of your company’s security team, you have been asked to advise on how to ensure that media is not improperly used or stored. What solution will help staff members in your organization to handle media appropriately?

A. Labeling with sensitivity levels
B. Encrypting the sensitive media
C. Dual control media systems
D. A clear desk policy

A

A. Labeling with sensitivity levels

Explanation:
As simple as the answer may seem, labeling media or even color coding it with sensitivity levels and ensuring staff are appropriately trained on what the levels mean will normally have the biggest impact. Encrypting media can help, but without the labels, files may be stored on inappropriate media. A clear desk policy can help if casual media theft is an issue but is not likely to be an important control in this scenario. Dual control is used to ensure that a task cannot be performed by a single staff member to avoid malfeasance and is not directly useful here.

33
Q

Alaina wants to use a broadly adopted threat modeling framework for her organization’s threat intelligence efforts. Which of the following would you advise her to adopt if she wants to use pre-existing tools to help her threat modeling team integrate both internally created intelligence and external threat feed data?

A. The Diamond Model of Intrusion Analysis
B. ATT&CK
C. Microsoft’s Threat-JUMP modeling system
D. Threat-EN

A

B. ATT&CK

Explanation:
MITRE’s ATT&CK framework is broadly adopted by threat modeling and threat intelligence organizations and is used as a default model in many software packages and tools. The Diamond Model specifically addresses how to think about intrusions but does not address broader threats, and the other answers were made up for this question.

34
Q

Which one of the following is not a principle of the Agile approach to software development?

A. The most efficient method of conveying information is electronic.
B. Working software is the primary measure of progress.
C. Simplicity is essential.
D. Businesspeople and developers must work together daily.

A

A. The most efficient method of conveying information is electronic.

Explanation:
The Agile approach to software development states that working software is the primary measure of progress, that simplicity is essential, and that businesspeople and developers must work together daily. It also states that the most efficient method of conveying information is face to face, not electronic.

35
Q

Harry is concerned that accountants within his organization will modify data to cover up fraudulent activity in accounts that they normally access. Which one of the following controls would best defend against this type of attack?

A. Encryption
B. Access controls
C. Integrity verification
D. Firewalls

A

C. Integrity verification

Explanation:
Encryption, access controls, and firewalls would not be effective in this example because the accountants have legitimate access to the data. Integrity verification software would protect against this attack by identifying unexpected changes in protected data.

36
Q

Ben wants to use the concept of crime prevention through environmental design to help secure his facility. Which of the following is not a common example of this design concept in use?

A. Mounting cameras in full view to act as a deterrent
B. Limiting the size of planters to avoid having them used to hide behind
C. Locating data centers at the edge of the building to enhance security
D. Making delivery access driveways and entrances less visible to the public

A

C. Locating data centers at the edge of the building to enhance security

Explanation:
Crime prevention through environmental design (CPTED) focuses on making crime less likely due to design elements. Data centers are often placed near the core of a building to make them easier to secure and less likely to be impacted by natural disasters or accidents. Mounting cameras where they can be seen, avoiding the creation of easy hiding places, and keeping delivery areas less visible and thus less attractive to access are all common techniques used in CPTED.

37
Q

Meena wants to ensure that her supply chain risks are well managed. Which of the following is not a common practice she should include in her supply chain risk management (SCRM) plan?

A. Use contractual controls such as insurance and liability limitations where appropriate.
B. Sole source to provide vendor stability.
C. Ensure multiple suppliers exist for critical components.
D. Validate the financial stability of potential suppliers.

A

B. Sole source to provide vendor stability.

Explanation:
Sole sourcing can create additional fragility in supply chains due to reliance on a single supplier. Contractual controls including requirements for supplier insurance and liability limitations, having multiple suppliers, and validating their financial stability are all common ways to help reduce supply chain risk.

38
Q

Using the following table and your knowledge of the auditing process, answer questions 38–40. As they prepare to migrate their data center to an infrastructure as a service (IaaS) provider, Susan’s company wants to understand the effectiveness of their new provider’s security, integrity, and availability controls. What SOC report would provide them with the most detail, including input from the auditor on the effectiveness of controls at the IaaS provider?

A. SOC 1.
B. SOC 2.
C. SOC 3.
D. None of the SOC reports is suited to this, and they should request another form of report.

A

B. SOC 2.

Explanation:
SOC 2 reports are released under NDA to select partners or customers and can provide detail on the controls and any issues they may have. A SOC 1 report would only provide financial control information, and a SOC 3 report provides less information since it is publicly available.

39
Q

Susan wants to ensure that the audit report that her organization requested includes input from an external auditor and information about control implementation over a period of time. What type of report should she request?

A. SOC 2, Type 1
B. SOC 3, Type 1
C. SOC 2, Type 2
D. SOC 3, Type 2

A

C. SOC 2, Type 2

Explanation:
An SOC 2, Type 2 report includes information about a data center’s security, availability, processing integrity, confidentiality, and privacy, and includes an auditor’s opinion on the operational effectiveness of the controls. SOC 3 does not have types, and an SOC 2 Type 1 is only conducted at a point in time.

40
Q

When Susan requests an SOC 2 report, she receives an SOC 1 report. What issue should Susan raise?

A. SOC 1 reports only reveal publicly available information.
B. SOC 1 reports cover financial data.
C. SOC 1 reports only cover a point in time.
D. SOC 1 reports only use a three-month period for testing.

A

B. SOC 1 reports cover financial data.

Explanation:
B. Susan asked for a security controls report (SOC 2) and received a financial internal controls report (SOC 1). This question doesn’t specify whether a Type 1 or Type 2 report is desired, but most security practitioners will prefer a Type 2 report if they can get it since it tests the actual controls and their implementation instead of their descriptions.

41
Q

Brad wants to engage third-party auditors to assess a vendor that his company will be signing a contract with. If Brad wants to assess the vendor’s security policies and controls as well as the effectiveness of those controls as implemented over time, what SOC level and type should he request the auditors perform?

A. A SOC 1, Type 2
B. A SOC 2, Type 1
C. A SOC 1, Type 1
D. A SOC 2, Type 2

A

D. A SOC 2, Type 2

Explanation:
D. An SOC 2 assessment looks at controls that affect security, and a Type 2 report validates the operating effectiveness of the controls. A SOC 1 engagement assesses controls that might impact financial reporting, and a Type 1 report provides the auditors' opinion of the descriptions of controls provided by management at a single point in time—not the actual implementations of the controls.

42
Q

Bell–LaPadula is an example of what type of access control model?

A. DAC
B. RBAC
C. MAC
D. ABAC

A

C. MAC

Explanation:
Bell–LaPadula uses security labels on objects and clearances for subjects and is therefore a MAC model. It does not use discretionary, rule-based, role-based, or attribute-based access control.

43
Q

Martha is the information security officer for a small college and is responsible for safeguarding the privacy of student records. What law most directly applies to her situation?

A. HIPAA
B. HITECH
C. COPPA
D. FERPA

A

D. FERPA

Explanation:
The Family Educational Rights and Privacy Act (FERPA) protects the privacy of students in any educational institution that accepts any form of federal funding.

44
Q

What U.S. federal law mandates the security of protected health information?

A. FERPA
B. SAFE Act
C. GLBA
D. HIPAA

A

D. HIPAA

Explanation:
The Health Insurance Portability and Accountability Act (HIPAA) mandates the protection of protected health information (PHI). The SAFE Act deals with mortgages, the Gramm–Leach–Bliley Act (GLBA) covers financial institutions, and FERPA deals with student data.

45
Q

Which one of the following techniques can an attacker use to exploit a TOC/TOU vulnerability?

A. File locking
B. Exception handling
C. Algorithmic complexity
D. Concurrency control

A

C. Algorithmic complexity

Explanation:
Attackers may use algorithmic complexity as a tool to exploit a time-of-check/time-of-use (TOC/TOU) condition. By varying the workload on the CPU, attackers may exploit the amount of time required to process requests and use that variance to effectively schedule the exploit’s execution. File locking, exception handling, and concurrency controls are all methods used to defend against TOC/TOU attacks.

46
Q

Susan is configuring her network devices to use syslog. What should she set to ensure that she is notified about issues but does not receive normal operational issue messages?

A. The facility code
B. The log priority
C. The security level
D. The severity level

A

D. The severity level

Explanation:
Implementations of syslog vary, but most provide a setting for severity level, allowing configuration of a value that determines what messages are sent. Typical severity levels include debug, informational, notice, warning, error, critical, alert, and emergency. The facility code is also supported by syslog, but is associated with which services are being logged. Security level and log priority are not typical syslog settings.

47
Q

What RAID level is also known as disk mirroring?

A. RAID 0
B. RAID 1
C. RAID 3
D. RAID 5

A

B. RAID 1

Explanation:
B. In RAID 1, also known as disk mirroring, systems contain two physical disks. Each disk contains copies of the same data, and either one may be used in the event the other disk fails.

48
Q

Isaac recently purchased a 48-port switch from his switch vendor. The switch vendor has announced that the model of switch that Isaac purchased will reach end of life next year. What does this tell Isaac about the devices?

A. The devices will stop being sold next year.
B. The devices will stop functioning next year.
C. The devices will no longer be supported next year.
D. The devices will be supported for a minimum of three more years.

A

A. The devices will stop being sold next year.

Explanation:
Most vendors use the term end of life, or EOL, to denote when the product will stop being sold. End of support typically comes sometime after end of life, and this problem does not specify when end of support (EOS) will occur. Devices will still function after end of life and likely after end of support, but security professionals should raise concerns about the security of devices or software after the end of support because patches and updates will likely no longer be available.

49
Q

Surveys, interviews, and audits are all examples of ways to measure what important part of an organization’s security posture?

A. Code quality
B. Service vulnerabilities
C. Awareness
D. Attack surface

A

C. Awareness

Explanation:
C. Interviews, surveys, and audits are all useful for assessing awareness. Code quality is best judged by code review, service vulnerabilities are tested using vulnerability scanners and related tools, and the attack surface of an organization requires both technical and administrative review.

50
Q

Tom is the general counsel for an internet service provider, and he recently received notice of a lawsuit against the firm because of copyrighted content illegally transmitted over the provider’s circuits by a customer. What law protects Tom’s company in this case?

A. Computer Fraud and Abuse Act
B. Digital Millennium Copyright Act
C. Wiretap Act
D. Copyright Code

A

B. Digital Millennium Copyright Act

Explanation:
The Digital Millennium Copyright Act extends common carrier protection to online service providers, which are not liable for the “transitory activities” of their customers.

51
Q

A Type 2 authentication factor that generates dynamic passwords based on a time- or algorithm-based system is what type of authenticator?

A. A PII
B. A smart card
C. A token
D. A CAC

A

C. A token

Explanation:
C. Tokens are hardware devices (something you have) that generate a one-time password based on time or an algorithm. They are typically combined with another factor like a password to authenticate users. CAC and PIV cards are U.S. government–issued smartcards.

52
Q

Fred’s new employer has hired him for a position with access to their trade secrets and confidential internal data. What legal tool should they use to help protect their data if he chooses to leave to work at a competitor?

A. A stop-loss order
B. An NDA
C. An AUP
D. Encryption

A

B. An NDA

Explanation:
A nondisclosure agreement (NDA) is a legal agreement between two parties that specifies what data they will not disclose. NDAs are common in industries that have sensitive or trade secret information they do not want employees to take to new jobs. Encryption would only help in transit or at rest, and Fred will likely have access to the data in unencrypted form as part of his job. An AUP is an acceptable use policy, and a stop-loss order is used on the stock market.

53
Q

Mark’s company is involved in a civil case. What evidentiary standard is he likely to need to meet?

A. The real evidence standard
B. Beyond a reasonable doubt
C. Preponderance of evidence
D. The documentary evidence standard

A

C. Preponderance of evidence

Explanation:
C. Civil cases typically rely on a preponderance of evidence. Criminal cases must be proven beyond a reasonable doubt. Real evidence is object evidence—tangible things that can be brought into a court of law. Documentary evidence consists of written items used to prove facts. Neither of these is an evidentiary standard; instead, they describe types of evidence.

54
Q

How many possible keys exist when using a cryptographic algorithm that has an 8-bit binary encryption key?

A. 16
B. 128
C. 256
D. 512

A

C. 256

Explanation:
Binary keyspaces contain a number of keys equal to 2 raised to the power of the number of bits. Two to the eighth power is 256, so an 8-bit keyspace contains 256 possible keys.

55
Q

What activity is being performed when you apply security controls based on the specific needs of the IT system that they will be applied to?

A. Standardizing
B. Baselining
C. Scoping
D. Editing

A

C. Scoping

Explanation:
Scoping is the process of reviewing and selecting security controls based on the system that they will be applied to. Editing is not a commonly used term in this context. Baselines are used as a base set of security controls, often from a third-party organization that creates them. Standardization isn’t a relevant term here.

56
Q

During what phase of the electronic discovery process does an organization perform a rough cut of the information gathered to discard irrelevant information?

A. Preservation
B. Identification
C. Collection
D. Processing

A

D. Processing

Explanation:
During the preservation phase, the organization ensures that information related to the matter at hand is protected against intentional or unintentional alteration or deletion. The identification phase locates relevant information but does not preserve it. The collection phase occurs after preservation and gathers responsive information. The processing phase performs a rough cut of the collected information for relevance.

57
Q

Ben’s job is to ensure that data is labeled with the appropriate sensitivity label. Since Ben works for the U.S. government, he has to apply the labels Unclassified, Confidential, Secret, and Top Secret to systems and media. If Ben is asked to label a system that handles Secret, Confidential, and Unclassified information, how should he label it?

A. Mixed classification
B. Confidential
C. Top Secret
D. Secret

A

D. Secret

Explanation:
Systems and media should be labeled with the highest level of sensitivity that they store or handle. In this case, based on the U.S. government classification scheme, the highest classification level in use on the system is Secret. Mixed classification provides no useful information about the level, whereas Top Secret and Confidential are too high and too low, respectively.

58
Q

Susan has discovered that the smart card–based locks used to keep the facility she works at secure are not effective because staff members are propping the doors open. She places signs on the doors reminding staff that leaving the door open creates a security issue, and she adds alarms that will sound if the doors are left open for more than five minutes. What type of controls has she put into place?

A. Physical
B. Administrative
C. Compensating
D. Recovery

A

C. Compensating

Explanation:
C. She has put compensating controls in place. Compensating controls are used when controls like the locks in this example are not sufficient. While the alarm is a physical control, the signs she posted are not. Similarly, the alarms are not administrative controls. None of these controls helps to recover from an issue, and they are thus not recovery controls.

59
Q

Ben is concerned about password cracking attacks against his system. He would like to implement controls that prevent an attacker who has obtained those hashes from easily cracking them. What two controls would best meet this objective?

A. Longer passwords and salting
B. Over-the-wire encryption and use of SHA1 instead of MD5
C. Salting and use of MD5
D. Using shadow passwords and salting

A

A. Longer passwords and salting

Explanation:
A. Rainbow tables rely on being able to use databases of precomputed hashes to quickly search for matches to known hashes acquired by an attacker. Making passwords longer can greatly increase the size of the rainbow table required to find the matching hash, and adding a salt to the password will make it nearly impossible for the attacker to generate a table that will match unless they can acquire the salt value. MD5 and SHA1 are both poor choices for password hashing compared to modern password hashes, which are designed to make hashing easy and recovery difficult. Rainbow tables are often used against lists of hashes acquired by attacks rather than over-the-wire attacks, so over-the-wire encryption is not particularly useful here. Shadow passwords simply make the traditionally world-readable list of password hashes on Unix and Linux systems available in a location readable only by root. This doesn’t prevent a rainbow table attack once the hashes are obtained.

60
Q

Which group is best suited to evaluate an organization’s administrative controls and provide credible reports to a third party?

A. Internal auditors
B. Penetration testers
C. External auditors
D. Employees who design, implement, and monitor the controls

A

C. External auditors

Explanation:
C. External auditors can provide an unbiased and impartial view of an organization’s controls to third parties. Internal auditors are useful when reporting to senior management of the organization but are typically not asked to report to third parties. Penetration tests test technical controls but are not as well suited to testing many administrative controls. The employees who build and maintain controls are more likely to bring a bias to the testing of those controls and should not be asked to report on them to third parties.

61
Q

Lucca’s manager does not want to adopt an open source software package for their organization’s web application stack. What software security advantage is the most important when considering open source software packages?

A. The fact that the code is not compiled
B. The fact the code is free
C. The ability to inspect the code
D. The ability to change the code

A

C. The ability to inspect the code

Explanation:
The ability to inspect open source software means that organizations can inspect it, but more importantly that others can and often have also inspected it. This results in software that has had far more review than some closed-source or commercial packages (although large organizations may perform more review). The ability to change the code can sometimes be important as well, but changing open source code in-house can create maintenance issues in the future. Open source software may be compiled, but the source will still be available. The code being free is not a security advantage or disadvantage.

62
Q

As part of hiring a new employee, Kathleen’s identity management team creates a new user object and ensures that the user object is available in the directories and systems where it is needed. What is this process called?

A. Registration
B. Provisioning
C. Population
D. Authenticator loading

A

B. Provisioning

Explanation:
Provisioning includes the creation, maintenance, and removal of user objects from applications, systems, and directories. Registration occurs when users are enrolled in a biometric system; population and authenticator loading are not common industry terms.

63
Q

What phase of the change management process for software occurs when changes are finalized?

A. Request control
B. Configuration control
C. Release control
D. Change control

A

C. Release control

Explanation:
Release control occurs after changes are finalized. With changes that are ready to be implemented in hand, release managers can follow their process with steps that typically include removing debugging code and conducting acceptance testing. Request control is the start of a process that allows users to submit change requests, while change control handles the process of ensuring quality assurance happens, that documentation is done, and that security testing is handled. Finally, configuration control is part of software configuration management, not the change process.

64
Q

Alice is designing a cryptosystem for use by six users and would like to use a symmetric encryption algorithm. She wants any two users to be able to communicate with each other without worrying about eavesdropping by a third user. How many symmetric encryption keys will she need to generate?

A. 6
B. 12
C. 15
D. 30

A

C. 15

Explanation:
The formula for determining the number of encryption keys required by a symmetric algorithm is (n(n − 1))/2. With six users, you will need (6 × 5)/2, or 15 keys.

65
Q

Which one of the following intellectual property protection mechanisms has the shortest duration in the United States?

A. Copyright
B. Patent
C. Trademark
D. Trade secret

A

B. Patent

Explanation:
Patents have the shortest duration of the techniques listed: at most, 20 years. Copyrights last for 70 years beyond the death of the author if owned by an individual, or 95 years from publication or 120 years from creation if owned by a corporation. Trademarks are renewable indefinitely, and trade secrets are protected as long as they remain secret.

66
Q

Gordon is developing a business continuity plan for a manufacturing company’s IT operations. The company is located in North Dakota and is currently evaluating the risk of earthquake. They choose to pursue a risk acceptance strategy. Which one of the following actions is consistent with that strategy?

A. Purchasing earthquake insurance
B. Relocating the data center to a safer area
C. Documenting the decision-making process
D. Reengineering the facility to withstand the shock of an earthquake

A

C. Documenting the decision-making process

Explanation:
C. In a risk acceptance strategy, the organization chooses to take no action other than documenting the risk. Purchasing insurance would be an example of risk transference. Relocating the data center would be risk avoidance. Reengineering the facility is an example of a risk mitigation strategy.

67
Q

Carol would like to implement a control that protects her organization from the momentary loss of power to the data center. Which control is most appropriate for her needs?

A. Redundant servers
B. RAID
C. UPS
D. Generator

A

C. UPS

Explanation:
C. Uninterruptible power supplies (UPSs) provide immediate, battery-driven power for a short period of time to cover momentary losses of power. Generators are capable of providing backup power for a sustained period of time in the event of a power loss, but they take time to activate. RAID and redundant servers are high-availability controls but do not cover power loss scenarios.

68
Q

Ben has encountered problems with users in his organization reusing passwords, despite a requirement that they change passwords every 30 days. What type of password setting should Ben employ to help prevent this issue?

A. Longer minimum age
B. Increased password complexity
C. Implement password history
D. Implement password length requirements

A

C. Implement password history

Explanation:
Password histories retain a list of previous passwords, preferably a list of salted hashes for previous passwords, to ensure that users don’t reuse their previous passwords. Longer minimum age can help prevent users from changing their passwords and then changing them back but won’t prevent a determined user from eventually getting their old password back. Length requirements and complexity requirements tend to drive users to reuse passwords if they’re not paired with tools like single sign-on, password storage systems, or other tools that decrease the difficulty of password management.

69
Q

Chris is conducting a risk assessment for his organization and has determined the amount of damage that a single flood could be expected to cause to his facilities. What metric has Chris identified?

A. ALE
B. SLE
C. ARO
D. AV

A

B. SLE

Explanation:
The Single Loss Expectancy (SLE) is the amount of damage that a risk is expected to cause each time that it occurs.

70
Q

The removal of a hard drive from a PC before it is retired and sold as surplus is an example of what type of action?

A. Purging
B. Sanitization
C. Degaussing
D. Destruction

A

B. Sanitization

Explanation:
Sanitization includes steps such as removing the hard drive and other local storage from PCs before they are sold as surplus. Degaussing uses magnetic fields to wipe media; purging is an intense form of clearing used to ensure that data is removed and unrecoverable from media; and removing does not necessarily imply destruction of the drive.

71
Q

During which phase of the incident response process would an organization determine whether it is required to notify law enforcement officials or other regulators of the incident?

A. Detection
B. Recovery
C. Remediation
D. Reporting

A

D. Reporting

Explanation:
During the Reporting phase, incident responders assess their obligations under laws and regulations to report the incident to government agencies and other regulators.

72
Q

Every 90 days, the staff in Charles’s department at his bank switch tasks as part of the organization’s normal processes to ensure that an individual does not exploit their privileges. What security practice is his organization engaging in?

A. Dual control
B. Job rotation
C. Cross-training
D. Offboarding

A

B. Job rotation

Explanation:
The bank that Charles works at is using job rotation to ensure that employees are not exploiting the rights and permissions that they have in their roles. The practice is intended to allow the next person in the role to identify irregularities and to prevent individuals from hiding malfeasance. Dual control requires two or more staff members to complete a task to ensure that a single employee cannot abuse their role. Cross-training is used to ensure that multiple staff members have the skills needed to perform a task or role so the loss of a staff member does not cause the organization’s inability to perform the service.

73
Q

Michelle is in charge of her organization’s mobile device management efforts and handles lost and stolen devices. Which of the following recommendations will provide the most assurance to her organization that data will not be lost if a device is stolen?

A. Mandatory passcodes and application management
B. Full device encryption and mandatory passcodes
C. Remote wipe and GPS tracking
D. Enabling GPS tracking and full device encryption

A

B. Full device encryption and mandatory passcodes

Explanation:
While full device encryption doesn’t guarantee that data cannot be accessed, it provides Michelle’s best option for preventing data from being lost with a stolen device when paired with a passcode. Mandatory passcodes and application management can help prevent application-based attacks and unwanted access to devices, but won’t keep the data secure if the device is lost. Remote wipe and GPS location are useful if the thief allows the device to connect to a cellular or WiFi network. Unfortunately, many modern thieves immediately take steps to ensure that the device will not be trackable or allowed to connect to a network before they capture data or wipe the device for resale.

74
Q

Susan’s SMTP server does not authenticate senders before accepting and relaying email. What is this security configuration issue known as?

A. An email gateway
B. An SMTP relay
C. An X.400-compliant gateway
D. An open relay

A

D. An open relay

Explanation:
SMTP servers that don’t authenticate users before relaying their messages are known as open relays. Open relays that are internet-exposed are typically quickly exploited to send email for spammers.

75
Q

For questions 75–77, please refer to the following scenario: The large business that Jack works for has been using noncentralized logging for years. They have recently started to implement centralized logging, however, and as they reviewed logs, they discovered a breach that appeared to have involved a malicious insider.

When the breach was discovered and the logs were reviewed, it was discovered that the attacker had purged the logs on the system that they compromised. How can this be prevented in the future?

A. Encrypt local logs.
B. Require administrative access to change logs.
C. Enable log rotation.
D. Send logs to a bastion host.

A

D. Send logs to a bastion host.

Explanation:
Sending logs to a secure log server, sometimes called a bastion host, is the most effective way to ensure that logs survive a breach. Encrypting local logs won’t stop an attacker from deleting them, and requiring administrative access won’t stop attackers who have breached a machine and acquired escalated privileges. Log rotation archives logs based on time or file size and can also purge logs after a threshold is hit. Rotation won’t prevent an attacker from purging logs.

76
Q

How can Jack detect issues such as this using his organization’s new centralized logging?

A. Deploy and use an IDS.
B. Send logs to a central logging server.
C. Deploy and use a SIEM.
D. Use syslog.

A

C. Deploy and use a SIEM.

Explanation:
A security information and event management (SIEM) tool is designed to provide automated analysis and monitoring of logs and security events. A SIEM tool that receives access to logs can help detect and alert on events such as logs being purged or other breach indicators. An IDS can help detect intrusions, but IDSs are not typically designed to handle central logs. A central logging server can receive and store logs but won’t help with analysis without taking additional actions. Syslog is simply a log format.

77
Q

How can Jack best ensure accountability for actions taken on systems in his environment?

A. Log review and require digital signatures for each log.
B. Require authentication for all actions taken and capture logs centrally.
C. Log the use of administrative credentials and encrypt log data in transit.
D. Require authorization and capture logs centrally.

A

B. Require authentication for all actions taken and capture logs centrally.

Explanation:
Requiring authentication can help provide accountability by ensuring that any action taken can be tracked back to a specific user. Storing logs centrally ensures that users can’t erase the evidence of actions that they have taken. Log review can be useful when identifying issues, but digital signatures are not a typical part of a logging environment. Logging the use of administrative credentials helps for those users but won’t cover all users, and encrypting the logs doesn’t help with accountability. Authorization helps, but being able to specifically identify users through authentication is more important.

78
Q

Ed’s organization has 5 IP addresses allocated to them by their ISP but needs to connect more than 100 computers and network devices to the internet. What technology can he use to connect his entire network via the limited set of IP addresses he can use?

A. IPsec
B. PAT
C. SDN
D. IPX

A

B. PAT

Explanation:
Port Address Translation (PAT) is used to allow a network to use any IP address set inside without causing a conflict with the public internet. PAT is often confused with Network Address Translation (NAT), which maps one internal address to one external address. IPsec is a security protocol suite, software-defined networking (SDN) is a method of defining networks programmatically, and IPX is a non-IP network protocol.

79
Q

What type of attack would the following precautions help prevent?

Requesting proof of identity
Requiring callback authorizations on voice-only requests
Not changing passwords via voice communications

A. DoS attacks
B. Worms
C. Social engineering
D. Shoulder surfing

A

C. Social engineering

Explanation:
Each of the precautions listed helps to prevent social engineering by helping prevent exploitation of trust. Avoiding voice-only communications is particularly important, since establishing identity over the phone is difficult. The other listed attacks would not be prevented by these techniques.

80
Q

The CIS benchmarks are an example of what sort of compliance tool?

A. A security baseline
B. A compliance standard
C. A secure provisioning tool
D. A security automation tool

A

A. A security baseline

Explanation:
The CIS benchmarks provide a useful security standard and baseline to assess systems against or to configure them to. Organizations can adapt and modify the baseline to meet their specific needs while speeding up deployment by using an accepted industry standard. They are not a compliance standard and do not provide provisioning or automation, but tools that do may use the benchmark as a standard to do so.

81
Q

Residual data is another term for what type of data left after attempts have been made to erase it?

A. Leftover data
B. MBR
C. Bitrot
D. Remnant data

A

D. Remnant data

Explanation:
Remnant data is data that is left after attempts have been made to remove or erase it. Bitrot is a term used to describe aging media that decays over time. MBR is the master boot record, a boot sector found on hard drives and other media. Leftover data is not an industry term.

82
Q

Which one of the following disaster recovery test types involves the actual activation of the disaster recovery facility?

A. Simulation test
B. Tabletop exercise
C. Parallel test
D. Checklist review

A

C. Parallel test

Explanation:
C. During a parallel test, the team activates the disaster recovery site for testing, but the primary site remains operational. A simulation test involves a role-play of a prepared scenario overseen by a moderator. Responses are assessed to help improve the organization’s response process. The checklist review is the least disruptive type of disaster recovery test. During a checklist review, team members each review the contents of their disaster recovery checklists on their own and suggest any necessary changes. During a tabletop exercise, team members come together and walk through a scenario without making any changes to information systems.

83
Q

What access control system lets owners decide who has access to the objects they own?

A. Role-based access control
B. Task-based access control
C. Discretionary access control
D. Rule-based access control

A

C. Discretionary access control

Explanation:
Discretionary access control gives owners the right to decide who has access to the objects they own. Role-based access control uses administrators to make that decision for roles or groups of people with a role, task-based access control uses lists of tasks for each user, and rule-based access control applies a set of rules to all subjects.

84
Q

Using a trusted channel and link encryption are both ways to prevent what type of access control attack?

A. Brute-force
B. Spoofed login screens
C. Man-in-the-middle attacks
D. Dictionary attacks

A

C. Man-in-the-middle attacks

Explanation:
C. Trusted paths that secure network traffic from capture and link encryption are both ways to help prevent man-in-the-middle attacks. Brute-force and dictionary attacks can both be prevented using back-off algorithms that slow down repeated attacks. Log analysis tools can also create dynamic firewall rules, or an IPS can block attacks like these in real time. Spoofed login screens can be difficult to prevent, although user awareness training can help.

85
Q

Which one of the following is not one of the canons of the (ISC)2 Code of Ethics?

A. Protect society, the common good, necessary public trust and confidence, and the infrastructure.
B. Act honorably, honestly, justly, responsibly, and legally.
C. Provide diligent and competent service to principals.
D. Maintain competent records of all investigations and assessments.

A

D. Maintain competent records of all investigations and assessments.

Explanation:
D. The four canons of the (ISC)2 Code of Ethics are to protect society, the common good, the necessary public trust and confidence, and the infrastructure; act honorably, honestly, justly, responsibly, and legally; provide diligent and competent service to principals; and advance and protect the profession.

86
Q

Which one of the following components should be included in an organization’s emergency response guidelines?

A. Immediate response procedures
B. Long-term business continuity protocols
C. Activation procedures for the organization’s cold sites
D. Contact information for ordering equipment

A

A. Immediate response procedures

Explanation:
The emergency response guidelines should include the immediate steps an organization should follow in response to an emergency situation. These include immediate response procedures, a list of individuals who should be notified of the emergency, and secondary response procedures for first responders. They do not include long-term actions such as activating business continuity protocols, ordering equipment, or activating DR sites.

87
Q

Ben is working on integrating a federated identity management system and needs to exchange authentication and authorization information for browser-based single sign-on. What technology is his best option?

A. HTML
B. XACML
C. SAML
D. SPML

A

C. SAML

Explanation:
C. Security Assertion Markup Language (SAML) is the best choice for providing authentication and authorization information, particularly for browser-based SSO. HTML is primarily used for web pages, SPML is used to exchange user information for SSO, and XACML is used for access control policy markup.

88
Q

What is the minimum interval at which an organization should conduct business continuity plan refresher training for those with specific business continuity roles?

A. Weekly
B. Monthly
C. Semiannually
D. Annually

A

D. Annually

Explanation:
D. Individuals with specific business continuity roles should receive training on at least an annual basis.

89
Q

What three types of interfaces are typically tested during software testing?

A. Network, physical, and application interfaces
B. APIs, UIs, and physical interfaces
C. Network interfaces, APIs, and UIs
D. Application, programmatic, and user interfaces

A

B. APIs, UIs, and physical interfaces

Explanation:
Application programming interfaces (APIs), user interfaces (UIs), and physical interfaces are all tested during the software testing process. Network interfaces are not typically tested, and programmatic interfaces is another term for APIs.

90
Q

Amanda wants to monitor her LDAP servers to identify which types of queries are causing problems. What type of monitoring should she use if she wants to be able to use the production servers and actual traffic for her testing?

A. Active
B. Real-time
C. Passive
D. Replay

A

C. Passive

Explanation:
Since Amanda wants to monitor her production server, she should use passive monitoring by employing a network tap, span port, or other means of copying actual traffic to a monitoring system that can identify performance and other problems. This will avoid introducing potentially problematic traffic on purpose while capturing actual traffic problems. Active monitoring relies on synthetic or previously recorded traffic, and both replay and real time are not common industry terms used to describe types of monitoring.

91
Q

Steve is developing an input validation routine that will protect the database supporting a web application from SQL injection attack. Where should Steve place the input validation code?

A. JavaScript embedded in the web pages
B. Back-end code on the web server
C. Stored procedure on the database
D. Code on the user’s web browser

A

B. Back-end code on the web server

Explanation:
For web applications, input validation should always be performed on the web application server. By the time the input reaches the database, it is already part of a SQL command that is properly formatted and input validation would be far more difficult, if it is even possible. Input validation controls should never reside in the client’s browser, as is the case with JavaScript, because the user may remove or tamper with the validation code.

92
Q

Ben is selecting an encryption algorithm for use in an organization with 10,000 employees. He must facilitate communication between any two employees within the organization. Which one of the following algorithms would allow him to meet this goal with the least time dedicated to key management?

A. RSA
B. IDEA
C. 3DES
D. Skipjack

A

A. RSA

Explanation:
RSA is an asymmetric encryption algorithm that requires only two keys for each user. IDEA, 3DES, and Skipjack are all symmetric encryption algorithms and would require a key for every unique pair of users in the system.

93
Q

Grace is considering the use of new identification cards in her organization that will be used for physical access control. She comes across the sample card shown here and is unsure of the technology it uses. What type of card is this?

A. Smart card
B. Phase-two card
C. Proximity card
D. Magnetic stripe card

A

D. Magnetic stripe card

Explanation:
The image clearly shows a black magnetic stripe running across the card, making this an example of a magnetic stripe card.

94
Q

What type of log file is shown in this figure?

A. Application
B. Web server
C. System
D. Firewall

A

D. Firewall

Explanation:
The log entries contained in this example show the allow/deny status for inbound and outbound TCP and UDP sessions. This is, therefore, an example of a firewall log.

95
Q

Which one of the following activities transforms a zero-day vulnerability into a less dangerous attack vector?

A. Discovery of the vulnerability
B. Implementation of transport-layer encryption
C. Reconfiguration of a firewall
D. Release of a security patch

A

D. Release of a security patch

Explanation:
D. Zero-day vulnerabilities remain in the dangerous zero-day category until the release of a patch that corrects the vulnerability. At that time, it becomes the responsibility of IT professionals to protect their systems by applying the patch. Implementation of other security controls, such as encryption or firewalls, does not change the nature of the zero-day vulnerability.

96
Q

Elle’s organization has had to shift to remote work. Each staff member needs access to specific applications, and due to the quick shift, staff members are working from systems that may be home systems or borrowed laptops.
What is the best option for remote access in a situation like the one that Elle is facing?

A. An IPsec VPN
B. A dedicated fiber connection to each remote work location
C. An HTML5-based VPN
D. Use of remote desktop to connect to an existing workstation at the company’s office building

A

C. An HTML5-based VPN

Explanation:
An HTML5-based VPN will provide Elle’s staff with access to the applications they need without requiring the installation of a client that might be challenging or impossible without managed machines. A client-based IPsec VPN provides additional opportunities for control that a broadly deployed base of directly accessed machines via RDP do not, making it the second-best choice here. Deploying fiber for direct connections for end users is not viable for most organizations based on cost and complexity.

97
Q

Susan wants to monitor traffic between systems in a VMware environment. What solution would be her best option to monitor that traffic?

A. Use a traditional hardware-based IPS.
B. Install Wireshark on each virtual system.
C. Set up a virtual span port and capture data using a VM IDS.
D. Use netcat to capture all traffic sent between VMs.

A

C. Set up a virtual span port and capture data using a VM IDS.

Explanation:
Using a virtual machine to monitor a virtual span port allows the same type of visibility that it would in a physical network if implemented properly. Installing Wireshark would allow monitoring on each system but doesn’t scale well. A physical appliance would require all traffic to be sent out of the VM environment, losing many of the benefits of the design. Finally, netcat is a network tool used to send or receive data, but it isn’t a tool that allows packet capture of traffic between systems.

98
Q

For questions 98–101, please refer to the following scenario: Matthew and Richard are friends located in different physical locations who would like to begin communicating with each other using cryptography to protect the confidentiality of their communications. They exchange digital certificates to begin this process and plan to use an asymmetric encryption algorithm for the secure exchange of email messages.

When Matthew sends Richard a message, what key should he use to encrypt the message?

A. Matthew’s public key
B. Matthew’s private key
C. Richard’s public key
D. Richard’s private key

A

C. Richard’s public key

Explanation:
C. The sender of a message encrypts the message using the public key of the message recipient.

99
Q

When Richard receives the message from Matthew, what key should he use to decrypt the message?

A. Matthew’s public key
B. Matthew’s private key
C. Richard’s public key
D. Richard’s private key

A

D. Richard’s private key

Explanation:
The recipient of a message uses his or her own private key to decrypt messages that were encrypted with the recipient’s public key. This ensures that nobody other than the intended recipient can decrypt the message.

100
Q

Matthew would like to enhance the security of his communication by adding a digital signature to the message. What goal of cryptography are digital signatures intended to enforce?

A. Secrecy
B. Availability
C. Confidentiality
D. Nonrepudiation

A

D. Nonrepudiation

Explanation:
Digital signatures enforce nonrepudiation. They prevent individuals from denying that they were the actual originator of a message.

101
Q

When Matthew goes to add the digital signature to the message, what encryption key does he use to create the digital signature?

A. Matthew’s public key
B. Matthew’s private key
C. Richard’s public key
D. Richard’s private key

A

B. Matthew’s private key

Explanation:
An individual creates a digital signature by encrypting the message digest with their own private key.

102
Q

When Jim logs into a system, his password is compared to a hashed value stored in a database. What is this process?

A. Identification
B. Hashing
C. Tokenization
D. Authentication

A

D. Authentication

Explanation:
The comparison of a factor to validate an identity is known as authentication. Identification would occur when Jim presented his user ID. Tokenization is a process that converts a sensitive data element to a nonsensitive representation of that element. Hashing transforms a string of characters into a fixed-length value or key that represents the original string.

103
Q

What is the top priority for security professionals when considering facility design?

A. Limiting access to only approved personnel
B. Ensuring that the structure supports least privilege
C. Ensuring the safety of personnel
D. Limiting the potential for weather or other natural disasters to imp

A

C. Ensuring the safety of personnel

Explanation:
C. The most important item in facility design is the safety of personnel. Once designs take that into account, security, operational effectiveness, and other concerns can be addressed.

104
Q

Which of the following types of controls does not describe a mantrap?

A. Deterrent
B. Preventive
C. Compensating
D. Physical

A

C. Compensating

Explanation:
A mantrap, which is composed of two sets of doors with an access mechanism that allows only one door to open at a time, is an example of a preventive access control because it can stop unwanted access by keeping intruders from accessing a facility due to an opened door or following legitimate staff in. It can serve as a deterrent by discouraging intruders who would be trapped in it without proper access, and of course, doors with locks are an example of a physical control. A compensating control attempts to make up for problems with an existing control or to add additional controls to improve a primary control.

105
Q

Sally’s organization needs to be able to prove that certain staff members sent emails, and she wants to adopt a technology that will provide that capability without changing their existing email system. What is the technical term for the capability Sally needs to implement as the owner of the email system, and what tool could she use to do it?

A. Integrity; IMAP
B. Repudiation; encryption
C. Nonrepudiation; digital signatures
D. Authentication; DKIM

A

C. Nonrepudiation; digital signatures

Explanation:
Sally needs to provide nonrepudiation, the ability to provably associate a given email with a sender. Digital signatures can provide nonrepudiation and are her best option. IMAP is a mail protocol, encryption can provide confidentiality, and DKIM is a tool for identifying domains that send email.

106
Q

Which one of the following background checks is not normally performed during normal pre-hire activities?

A. Credit check
B. Reference verification
C. Criminal records check
D. Medical records check

A

D. Medical records check

Explanation:
In most situations, employers may not access medical information due to healthcare privacy laws. Reference checks, criminal records checks, and credit history reports are all typically found during pre-employment background checks.

107
Q

Naomi’s organization limits data access to only those users with roles that require it for their job. What key security operations practice does this describe?

A. Least privilege
B. Privileged account management
C. Job rotation
D. Privilege escalation

A

A. Least privilege

Explanation:
Naomi’s organization operates under the concept of least privilege. Individuals only receive the rights that they need to accomplish their task. This also means that the organization will need to ensure that those rights do not accrue to users over time and that they are changed or removed when user roles change. Privileged account management is the process of properly managing accounts with higher levels of privilege like administrative accounts. Job rotation moves employees between roles to ensure that they do not take advantage of the role and that a new set of eyes can help identify problems. Privilege escalation is the process of gaining additional rights when attacking systems or services.

108
Q

In the OSI model, when a packet changes from a data stream to a segment or a datagram, what layer has it traversed?

A. The Transport layer
B. The Application layer
C. The Data Link layer
D. The Physical layer

A

A. The Transport layer

Explanation:
When a data stream is converted into a segment (TCP) or a datagram (UDP), it transitions from the Session layer to the Transport layer. This change from a message sent to an encoded segment allows it to then traverse the Network layer.

109
Q

Tommy handles access control requests for his organization. A user approaches him and explains that he needs access to the human resources database in order to complete a head-count analysis requested by the CFO. What has the user demonstrated successfully to Tommy?

A. Clearance
B. Separation of duties
C. Need to know
D. Isolation

A

C. Need to know

Explanation:
C. The user has successfully explained a valid need to know the data—completing the report requested by the CFO requires this access. However, the user has not yet demonstrated that they have appropriate clearance to access the information. A note from the CFO would meet this requirement.

110
Q

Kathleen wants to set up a service to provide information about her organization’s users and services using a central, open, vendor-neutral, standards-based system that can be easily queried. Which of the following technologies is her best choice?

A. RADIUS
B. LDAP
C. Kerberos
D. Active Directory

A

B. LDAP

Explanation:
B. Kathleen’s needs point to a directory service, and the Lightweight Directory Access Protocol (LDAP) would meet her needs. LDAP is an open, industry-standard, and vendor-neutral protocol for directory services. Kerberos and RADIUS are both authentication protocols, and Active Directory is a Microsoft product and is not vendor-neutral, although it does support a number of open standards.

111
Q

What type of tool is most frequently used to match assets to users and owners in enterprises?

A. An enterprise content management tool
B. Barcoded property tags
C. RFID-based property tags
D. A system inventory

A

D. A system inventory

Explanation:
D. A system inventory is most frequently used to associate individuals with systems or devices. This can help when tracking their support history and aids in provisioning the proper tools, permissions, and data to a system. Both barcode and RFID property tags are used to identify systems, which can then be checked against a system inventory. Finally, enterprise content management tools are used to manage files and data as part of workflows and other business processes.

112
Q

Alice would like to add another object to a security model and grant herself rights to that object. Which one of the rules in the Take-Grant protection model would allow her to complete this operation?

A. Take rule
B. Grant rule
C. Create rule
D. Remove rule

A

C. Create rule

Explanation:
The create rule allows a subject to create new objects and also creates an edge from the subject to that object, granting rights on the new object.

113
Q

Which of the following concerns should not be on Amanda’s list of potential issues when penetration testers suggest using Metasploit during their testing?

A. Metasploit can only test vulnerabilities it has plug-ins for.
B. Penetration testing only covers a point-in-time view of the organization’s security.
C. Tools like Metasploit can cause denial-of-service issues.
D. Penetration testing cannot test process and policy.

A

A. Metasploit can only test vulnerabilities it has plug-ins for.

Explanation:
Metasploit provides an extensible framework, allowing penetration testers to create their own exploits in addition to those that are built into the tool. Unfortunately, penetration testing can only cover the point in time when it is conducted. When conducting a penetration test, the potential to cause a denial of service due to a fragile service always exists, but it can test process and policy through social engineering and operational testing that validates how those processes and policies work.

114
Q

Colin is reviewing a system that has been assigned the EAL7 evaluation assurance level under the Common Criteria. What is the highest level of assurance that he may have about the system?

A. It has been functionally tested.
B. It has been methodically tested and checked.
C. It has been methodically designed, tested, and reviewed.
D. It has been formally verified, designed, and tested.

A

D. It has been formally verified, designed, and tested.

Explanation:
EAL7 is the highest level of assurance under the Common Criteria. It applies when a system has been formally verified, designed, and tested.

115
Q

Which ITU-T standard should Alex expect to see in use when he uses his smart card to provide a certificate to an upstream authentication service?

A. X.500
B. SPML
C. X.509
D. SAML

A

C. X.509

Explanation:
X.509 defines standards for public key certificates like those used with many smartcards. X.500 is a series of standards defining directory services. The Service Provisioning Markup Language (SPML) and the Security Assertion Markup Language (SAML) aren’t standards that Alex should expect to see when using a smartcard to authenticate.

116
Q

What type of websites are regulated under the terms of COPPA?

A. Financial websites not run by financial institutions
B. Healthcare websites that collect personal information
C. Websites that collect information from children
D. Financial websites run by financial institutions

A

C. Websites that collect information from children

Explanation:
The Children’s Online Privacy Protection Act (COPPA) regulates websites that cater to children or knowingly collect information from children under the age of 13.

117
Q

Tracy recently accepted an IT compliance position at a federal government agency that works very closely with the Defense Department on classified government matters. Which one of the following laws is least likely to pertain to Tracy’s agency?

A. HIPAA
B. FISMA
C. HSA
D. CFAA

A

A. HIPAA

Explanation:
The Health Insurance Portability and Accountability Act (HIPAA) applies to healthcare information and is unlikely to apply in this situation. The Federal Information Security Management Act (FISMA) and Government Information Security Reform Act regulate the activities of all government agencies. The Homeland Security Act (HSA) created the U.S. Department of Homeland Security and, more importantly for this question, included the Cyber Security Enhancement Act of 2002 and the Critical Infrastructure Information Act of 2002. The Computer Fraud and Abuse Act (CFAA) provides specific protections for systems operated by government agencies.

118
Q

Referring to the figure shown here, what is the name of the security control indicated by the arrow?

A. Mantrap
B. Intrusion prevention system
C. Turnstile
D. Portal

A

C. Turnstile

Explanation:
C. Turnstiles are unidirectional gates that prevent more than a single person from entering a facility at a time.

119
Q

What two important factors does accountability for access control rely on?

A. Identification and authorization
B. Authentication and authorization
C. Identification and authentication
D. Accountability and authentication

A

C. Identification and authentication

Explanation:
Access control systems rely on identification and authentication to provide accountability. Effective authorization systems are desirable, but not required, since logs can provide information about who accessed what resources, even if access to those resources is not managed well. Of course, poor authorization management can create many other problems.

120
Q

What part of the CIA triad does a checksum support?

A. Availability
B. Integrity
C. Confidentiality
D. Authenticity

A

B. Integrity

Explanation:
Checksums validate whether a file or other data object has been changed or modified, and thus, they support integrity.

121
Q

Scott’s organization has configured their external IP address to be 192.168.1.25. When traffic is sent to their ISP, it never reaches its destination. What problem is Scott’s organization encountering?

A. BGP is not set up properly.
B. They have not registered their IP with their ISP.
C. The IP address is a private, nonroutable address.
D. 192.168.1.25 is a reserved address for home routers.

A

C. The IP address is a private, nonroutable address.

Explanation:
C. The 192.168.0.0 to 192.168.255.255 address range is one of the ranges defined by RFC 1918 as private, nonroutable IP ranges. Scott’s ISP (and any other organization with a properly configured router) will not route traffic from these addresses over the public internet.

122
Q

Jack’s organization merges updates to their main application multiple times a day and then deploys it as code that is checked in and tested through their software development pipeline. What type of model is this?

A. Waterfall
B. CI/CD
C. SCM
D. IDE

A

B. CI/CD

Explanation:
Jack’s organization is using a continuous integration/continuous delivery (CI/CD) model where the application is updated and deployed on an ongoing basis. This can allow for an agile application but requires strong testing and validation practices to ensure that bad code doesn’t make it into production. Waterfall is a development model that is based on a slower, precise process. SCM is software configuration management, and an IDE is an integrated development environment.

123
Q

Sue’s organization recently failed a security assessment because their network was a single flat broadcast domain, and sniffing traffic was possible between different functional groups. What solution should she recommend to help prevent the issues that were identified?

A. Use VLANs.
B. Change the subnet mask for all systems.
C. Deploy gateways.
D. Turn on port security.

A

A. Use VLANs.

Explanation:
A well-designed set of VLANs based on functional groupings will logically separate segments of the network, making it difficult to have data exposure issues between VLANs. Changing the subnet mask will only modify the broadcast domain and will not fix issues with packet sniffing. Gateways would be appropriate if network protocols were different on different segments. Port security is designed to limit which systems can connect to a given port.

124
Q

Which of the following terms best describes the IP address 10.14.124.240?

A. Public IP address
B. Private IP address
C. APIPA address
D. Loopback address

A

B. Private IP address

Explanation:
B. Any 10.x.x.x address is a private address as defined by RFC 1918. APIPA addresses are self-assigned by Windows when it cannot contact a DHCP server. 127.0.0.1 is a loopback address systems use to connect with themselves. Public IP addresses compose the majority of IP addresses with the exception of reserved addresses like those described in RFC 1918.

125
Q

Jim is performing a security assessment of his company and would like to use a testing tool to perform a web vulnerability scan. Which of the following tools is best suited to that need?

A. Nmap
B. Hydra
C. Metasploit
D. Nikto

A

D. Nikto

Explanation:
D. Nikto is a web application and server scanning tool and is best suited to Jim’s needs. Nmap is a port scanner, Hydra is a login cracking tool, and Metasploit is a complete pentesting framework but isn’t designed specifically to test web applications and servers.