Test 4 Sybex Flashcards

1
Q

What type of access control is intended to discover unwanted or unauthorized activity by providing information after the event has occurred?

A. Preventive
B. Corrective
C. Detective
D. Directive

A

C. Detective access controls operate after the fact and are intended to detect or discover unwanted access or activity. Preventive access controls are designed to prevent the activity from occurring, whereas corrective controls return an environment to its original status after an issue occurs. Directive access controls limit or direct the actions of subjects to ensure compliance with policies.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Which one of the following presents the most complex decoy environment for an attacker to explore during an intrusion attempt?

A. Honeypot
B. Darknet
C. Honeynet
D. Pseudoflaw

A

C. A honeypot is a decoy computer system used to bait intruders into attacking. A honeynet is a network of multiple honeypots that creates a more sophisticated environment for intruders to explore. A pseudoflaw is a false vulnerability in a system that may attract an attacker. A darknet is a segment of unused network address space that should have no network activity and, therefore, may be easily used to monitor for illicit activity.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Ben’s company is considering configuring their systems to work at the level shown by point A on the diagram. What level are they setting the sensitivity to?

A. The FRR crossover
B. The FAR point
C. The CER
D. The CFR

A

C. The CER is the point where FAR and FRR cross over, and it is a standard assessment used to compare the accuracy of biometric devices.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

At point B, what problem is likely to occur?

A. False acceptance will be very high.
B. False rejection will be very high.
C. False rejection will be very low.
D. False acceptance will be very low.

A

A. At point B, the false acceptance rate (FAR) is quite high, whereas the false rejection rate (FRR) is relatively low. This may be acceptable in some circumstances, but in organizations where a false acceptance can cause a major problem, it is likely that they should instead choose a point to the right of point A.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

What should Ben do if the FAR and FRR shown in this diagram do not provide an acceptable performance level for his organization’s needs?

A. Adjust the sensitivity of the biometric devices.
B. Assess other biometric systems to compare them.
C. Move the CER.
D. Adjust the FRR settings in software.

A

B. CER is a standard used to assess biometric devices. If the CER for this device does not fit the needs of the organization, Ben should assess other biometric systems to find one with a lower CER. Sensitivity is already accounted for in CER charts, and moving the CER isn’t something Ben can do. FRR is not a setting in software, so Ben can’t use that as an option either.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Ed is tasked with protecting information about his organization’s customers, including their name, Social Security number, birthdate, and place of birth, as well as a variety of other information. What is this information known as?

A. PHI
B. PII
C. Personal protected data
D. PID

A

B. Personally identifiable information (PII) can be used to distinguish a person’s identity. Personal health information (PHI) includes data such as medical history, lab results, insurance information, and other details about a patient. Personal protected data is a made-up term, and PID is an acronym for process ID, the number associated with a running program or process.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

What software development lifecycle model is shown in the following illustration?

A. Spiral
B. Agile
C. Boehm
D. Waterfall

A

D. The figure shows the waterfall model, developed by Winston Royce. An important characteristic of this model is a series of sequential steps that include a feedback loop that allows the process to return one step prior to the current step when necessary.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Encapsulation is the core concept that enables what type of protocol?

A. Bridging
B. Multilayer
C. Hashing
D. Storage

A

B. Encapsulation creates both the benefits and potential issues with multilayer protocols. Bridging can use various protocols but does not rely on encapsulation. Hashing and storage protocols typically do not rely on encapsulation as a core part of their functionality.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Amanda wants to use contacts from the existing Gmail accounts that new users for her application already have. What protocol from the following options is used to provide secure delegated access for this type of use by many cloud providers?

A. Open ID
B. Kerberos
C. OAuth
D. SAML

A

C. OAuth is used to provide secure delegated access in scenarios exactly like this. OpenID is used to sign in using credentials from an identity provider to other services, such as when you log in with Google to other sites. SAML, or Security Assertion Markup Language, is used to make security assertions allowing authentication and authorizations between identity providers and service providers. Kerberos is mostly used inside of organizations instead of for federation, as this question focuses on.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Which one of the following metrics specifies the amount of time that business continuity planners find acceptable for the restoration of service after a disaster?

A. MTD
B. RTO
C. RPO
D. MTO

A

B. The recovery time objective (RTO) is the amount of time that it may take to restore a service after a disaster without unacceptable impact on the business. The RTO for each service is identified during a business impact assessment.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Jill is working to procure new network hardware for her organization. She finds a gray market supplier that is importing the hardware from outside the country at a much lower price. What security concern is the most significant for hardware acquired this way?

A. The security of the hardware and firmware
B. Availability of support for the hardware and software
C. Whether the hardware is a legitimate product of the actual vendor
D. The age of the hardware

A

A. Each of these answers may be a concern, but the overriding security concern is if the hardware and firmware can be trusted or may have been modified. Original equipment manufacturers (OEMs) have business reasons to ensure the security of their product, but third parties in the supply chain may not feel the same pressure. Both availability of support and whether the hardware is legitimate are also concerns, but less immediate security concerns. Finally, hardware may be older than expected, or may be used, refurbished, or otherwise not new.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

What process is typically used to ensure data security for workstations that are being removed from service but that will be resold or otherwise reused?

A. Destruction
B. Erasing
C. Sanitization
D. Clearing

A

C. When done properly, a sanitization process fully ensures that data is not remnant on the system before it is reused. Clearing and erasing can both be failure prone, and of course, destruction wouldn’t leave a machine or device to reuse.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Colleen is conducting a software test that is evaluating code for both security flaws and usability issues. She is working with the application from an end-user perspective and referencing the source code as she works her way through the product. What type of testing is Colleen conducting?

A. White box
B. Blue box
C. Gray box
D. Black box

A

C. In a gray-box test, the tester evaluates the software from a user perspective but has access to the source code as the test is conducted. White-box tests also have access to the source code but perform testing from a developer’s perspective. Black-box tests work from a user’s perspective but do not have access to source code. Blue boxes are a telephone hacking tool and not a software testing technique. Note: as language changes, new terms like zero knowledge, partial knowledge, and full knowledge are starting to replace white-, gray-, and black-box testing terms.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Harold is looking for a software development methodology that will help with a major issue he is seeing in his organization. Currently, developers and operations staff do not work together and are often seen as taking problems and “throwing them over the fence” to the other team. What technology management approach is designed to alleviate this problem?

A. ITIL
B. Lean
C. ITSM
D. DevOps

A

D. The DevOps approach to technology management seeks to integrate software development, operations, and quality assurance in a cohesive effort. It specifically attempts to eliminate the issue of “throwing problems over the fence” by building collaborative relationships between members of the IT team.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

NIST Special Publication 800-92, the Guide to Computer Security Log Management, describes four types of common challenges to log management:

  • Many log sources
  • Inconsistent log content
  • Inconsistent timestamps
  • Inconsistent log formats

Which of the following solutions is best suited to solving these issues?

A. Implement SNMP for all logging devices.
B. Implement a SIEM.
C. Standardize on the Windows event log format for all devices and use NTP.
D. Ensure that logging is enabled on all endpoints using their native logging formats and set their local time correctly.

A

B. A security information and event management (SIEM) tool is designed to centralize logs from many locations in many formats and to ensure that logs are read and analyzed despite differences between different systems and devices. The Simple Network Management Protocol (SNMP) is used for some log messaging but is not a solution that solves all of these problems. Most non-Windows devices, including network devices among others, are not designed to use the Windows event log format, although using NTP for time synchronization is a good idea. Finally, local logging is useful, but setting clocks individually will result in drift over time and won’t solve the issue with many log sources.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Mike has a flash memory card that he would like to reuse. The card contains sensitive information. What technique can he use to securely remove data from the card and allow its reuse?

A. Degaussing
B. Physical destruction
C. Cryptoshredding
D. Reformatting

A

C. Mike should use cryptoshredding, a secure data destruction process to protect this device. While degaussing is a valid secure data removal technique, it would not be effective in this case, since degaussing works only on magnetic media. Physical destruction would prevent the reuse of the device. Reformatting is not a valid secure data removal technique.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

Carlos is investigating the compromise of sensitive information in his organization. He believes that attackers managed to retrieve personnel information on all employees from the database and finds the following user-supplied input in a log entry for a web-based personnel management system:

Collins’&1=1;–

What type of attack took place, and how could it be prevented?

A. SQL injection, use of stored procedures
B. Buffer overflow, automatic buffer expansion
C. Cross-site scripting, turning on XSS prevention on the web server
D. Cross-site request forgery, requiring signed requests

A

A. The single quotation mark in the input field is a telltale sign that this is a SQL injection attack. The quotation mark is used to escape outside the SQL code’s input field, and the text that follows is used to directly manipulate the SQL command sent from the web application to the database.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

Which one of the following is a detailed, step-by-step document that describes the exact actions that individuals must complete?

A. Policy
B. Standard
C. Guideline
D. Procedure

A

D. Procedures are formal, mandatory documents that provide detailed, step-by-step actions required from individuals performing a task.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

What purpose are the CIS benchmarks frequently used for in organizations?

A. Secure coding standards
B. Performance testing
C. Baselining
D. Monitoring metrics

A

C. The CIS benchmarks are configuration baselines that are frequently used to assess the security settings or configuration for devices and software. Baselining is the process of configuring and validating that a system meets security configuration guidelines or standards.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

Bryan has a set of sensitive documents that he would like to protect from public disclosure. He would like to use a control that, if the documents appear in a public forum, may be used to trace the leak back to the person who was originally given the document copy. What security control would best fulfill this purpose?

A . Digital signature
B. Document staining
C. Hashing
D. Watermarking

A

D. Watermarking alters a digital object to embed information about the source, in either a visible or hidden form. Digital signatures may identify the source of a document, but they are easily removed. Hashing would not provide any indication of the document source, since anyone could compute a hash value. Document staining is not a security control.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

Carlos is planning a design for a data center that will be constructed within a new four-story corporate headquarters. The building consists of a basement and three above-ground floors. What is the best location for the data center?

A. Basement
B. First floor
C. Second floor
D. Third floor

A

C. Data centers should be located in the core of a building. Locating it on lower floors makes it susceptible to flooding and physical break-ins. Locating it on the top floor makes it vulnerable to wind and roof damage.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

Chris is an information security professional for a major corporation, and as he is walking into the building, he notices that the door to a secure area has been left ajar. Physical security does not fall under his responsibility, but he takes immediate action by closing the door and informing the physical security team of his action. What principle is Chris demonstrating?

A. Due care
B. Crime prevention through environmental design
C. Separation of duties
D. Informed consent

A

A. The due care principle states that an individual should react in a situation using the same level of care that would be expected from any reasonable person. It is a very broad standard. Crime prevention through environmental design is a design concept that focuses on making environments less conducive to illicit or unwanted actions. Separation of duties splits duties to ensure that a malicious actor cannot perform actions on their own like making a purchase and approving it. Informed consent is a term used in the medical industry that requires that a person’s permission is required and that they must be aware of what the consequences of their actions could be.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

Which one of the following investigation types always uses the beyond-a-reasonable-doubt standard of proof?

A. Civil investigation
B. Criminal investigation
C. Operational investigation
D. Regulatory investigation

A

B. Criminal investigations have high stakes with severe punishment for the offender that may include incarceration. Therefore, they use the strictest standard of evidence of all investigations: beyond a reasonable doubt. Civil investigations use a preponderance-of-the-evidence standard. Regulatory investigations may use whatever standard is appropriate for the venue where the evidence will be heard. This may include the beyond-a-reasonable-doubt standard, but it is not always used in regulatory investigations in the United States. Operational investigations do not use a standard of evidence.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

Kristen wants to use multiple processing sites for her data, but does not want to pay for a full data center. Which of the following options would you recommend as her best option if she wants to be able to quickly migrate portions of her custom application environment to facilities in multiple countries without having to wait to ship or acquire hardware?

A. A cloud PaaS vendor
B. A hosted data center provider
C. A cloud IaaS vendor
D. A data center vendor that provides rack, power, and remote hands services

A

C. A cloud IaaS vendor will allow Kristen to set up infrastructure as quickly as she can deploy and pay for it. A PaaS vendor provides a platform that would require her to migrate her custom application to it, likely taking longer than a hosted data center provider. A data center vendor that provides rack, power, and remote hands assistance fails the test based on Kristen’s desire to not have to acquire or ship hardware.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
Q

What type of alternate processing facility contains the hardware necessary to restore operations but does not have a current copy of data?

A. Hot site
B. Warm site
C. Cold site
D. Mobile site

A

B. Warm sites contain the hardware necessary to restore operations but do not have a current copy of data.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
26
Q

Which one of the following terms describes a period of momentary high voltage?

A. Sag
B. Brownout
C. Spike
D. Surge

A

C. A power spike is a momentary period of high voltage. A surge is a prolonged period of high voltage. Sags and brownouts are periods of low voltage.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
27
Q

Greg needs to label drives used for his company’s medical insurance claims database. What data label from the following list best matches the type of data he is dealing with?

A. PII
B. Secret
C. Business confidential
D. PHI

A

D. Medical insurance claims will contain private health information, or PHI. Greg should label the drives as containing PHI and then ensure that they are handled according to his organization’s handling standards for that type of data.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
28
Q

The Open Shortest Path First (OSPF) protocol is a routing protocol that keeps a map of all connected remote networks and uses that map to select the shortest path to a remote destination. What type of routing protocol is OSPF?

A. Link state
B. Shortest path first
C. Link mapping
D. Distance vector

A

A. OSPF is a link state protocol. Link state protocols maintain a topographical map of all connected networks and preferentially select the shortest path to remote networks for traffic. A distance vector protocol would map the direction and distance in hops to a remote network, whereas shortest path first and link mapping are not types of routing protocols.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
29
Q

Selah wants to ensure that vehicles cannot crash through into her company’s entryway and front lobby while still remaining accessible to pedestrians and wheelchairs or other mobility devices. What physical security control is best suited to this purpose?

A. Fences
B. Bollards
C. Walls
D. Stairs

A

B. Bollards are physical security solutions that are short and strong posts or similar solutions intended to stop vehicles from crashing through or passing an area. Bollards can be used to allow pedestrians and mobility devices to pass while stopping vehicles. Fences and walls will prevent individuals from passing through them, while stairs are challenging for most mobility devices.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
30
Q

Concho Controls is a midsize business focusing on building automation systems. It hosts a set of local file servers in its on-premises data center that store customer proposals, building plans, product information, and other data that is critical to their business operations.

Tara works in the Concho Controls IT department and is responsible for designing and implementing the organization’s backup strategy, among other tasks. She currently conducts full backups every Sunday evening at 8 p.m. and differential backups on Monday through Friday at noon.

Concho experiences a server failure at 3 p.m. on Wednesday. Tara rebuilds the server and wants

What backup should Tara apply to the server first?

A. Sunday’s full backup
B. Monday’s differential backup
C. Tuesday’s differential backup
D. Wednesday’s differential backup

A

A. Tara first must achieve a system baseline. She does this by applying the most recent full backup to the new system. This is Sunday’s full backup. Once Tara establishes this baseline, she may then proceed to apply differential backups to bring the system back to a more recent state.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
31
Q

Concho Controls is a midsize business focusing on building automation systems. It hosts a set of local file servers in its on-premises data center that store customer proposals, building plans, product information, and other data that is critical to their business operations.

Tara works in the Concho Controls IT department and is responsible for designing and implementing the organization’s backup strategy, among other tasks. She currently conducts full backups every Sunday evening at 8 p.m. and differential backups on Monday through Friday at noon.

Concho experiences a server failure at 3 p.m. on Wednesday. Tara rebuilds the server and wants

How many backups in total must Tara apply to the system to make the data it contains as current as possible?

A. 1
B. 2
C. 3
D. 4

A

B. To restore the system to as current a state as possible, Tara must first apply Sunday’s full backup. She may then apply the most recent differential backup, from Wednesday at noon. Differential backups include all files that have changed since the most recent full backup, so the contents of Wednesday’s backup contain all of the data that would be contained in Monday and Tuesday’s backups, making the Monday and Tuesday backups irrelevant for this scenario.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
32
Q

Concho Controls is a midsize business focusing on building automation systems. It hosts a set of local file servers in its on-premises data center that store customer proposals, building plans, product information, and other data that is critical to their business operations.

Tara works in the Concho Controls IT department and is responsible for designing and implementing the organization’s backup strategy, among other tasks. She currently conducts full backups every Sunday evening at 8 p.m. and differential backups on Monday through Friday at noon.

Concho experiences a server failure at 3 p.m. on Wednesday. Tara rebuilds the server and wants

In this backup approach, some data may be irretrievably lost. How long is the time period where any changes made will have been lost?

A. 3 hours.
B. 5 hours.
C. 8 hours.
D. No data will be lost.

A

A. In this scenario, the differential backup was made at noon, and the server failed at 3 p.m. Therefore, any data modified or created between noon and 3 p.m. on Wednesday will not be contained on any backup and will be irretrievably lost.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
33
Q

Concho Controls is a midsize business focusing on building automation systems. It hosts a set of local file servers in its on-premises data center that store customer proposals, building plans, product information, and other data that is critical to their business operations.

Tara works in the Concho Controls IT department and is responsible for designing and implementing the organization’s backup strategy, among other tasks. She currently conducts full backups every Sunday evening at 8 p.m. and differential backups on Monday through Friday at noon.

Concho experiences a server failure at 3 p.m. on Wednesday. Tara rebuilds the server and wants

If Tara followed the same schedule but switched the differential backups to incremental backups, how many backups in total would she need to apply to the system to make the data it contains as current as possible?

A. 1
B. 2
C. 3
D. 4

A

D. By switching from differential to incremental backups, Tara’s weekday backups will only contain the information changed since the previous day. Therefore, she must apply all of the available incremental backups. She would begin by restoring the Sunday full backup and then apply the Monday, Tuesday, and Wednesday incremental backups.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
34
Q

Concho Controls is a midsize business focusing on building automation systems. It hosts a set of local file servers in its on-premises data center that store customer proposals, building plans, product information, and other data that is critical to their business operations.

Tara works in the Concho Controls IT department and is responsible for designing and implementing the organization’s backup strategy, among other tasks. She currently conducts full backups every Sunday evening at 8 p.m. and differential backups on Monday through Friday at noon.

Concho experiences a server failure at 3 p.m. on Wednesday. Tara rebuilds the server and wants

If Tara made the change from differential to incremental backups and we assume that the same amount of information changes each day, which one of the following files would be the largest?

A. Monday’s incremental backup.
B. Tuesday’s incremental backup.
C. Wednesday’s incremental backup.
D. All three will be the same size.

A

D. Each incremental backup contains only the information changed since the most recent full or incremental backup. If we assume that the same amount of information changes every day, each of the incremental backups would be roughly the same size.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
35
Q

The following figure shows an example of an attack where Mal, the attacker, has redirected traffic from a user’s system to their own, allowing them to read TLS encrypted traffic. Which of the following terms best describes this attack?

A. A DNS hijacking attack
B. An ARP spoofing attack
C. A man-in-the-middle attack
D. A SQL injection attack

A

C. A man-in-the-middle (increasingly often referred to as a person-in-the-middle, or on-path) attack allows an attacker to redirect traffic and thus read or modify it. This can be completely transparent to the end user, making it a dangerous attack if the malicious actor is successful. DNS hijacking would change a system’s domain name information, and there is no direct indication of that here. Similarly, ARP spoofing is one way to conduct a man-in-the-middle attack, but that detail is not here either. SQL injection is normally done via web applications to execute commands against a database server.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
36
Q

Bob has been tasked with writing a policy that describes how long data should be kept and when it should be purged. What concept does this policy deal with?

A. Data remanence
B. Record retention
C. Data redaction
D. Audit logging

A

B. Record retention ensures that data is kept and maintained as long as it is needed and that it is purged when it is no longer necessary. Data remanence occurs when data is left behind after an attempt is made to remove it, whereas data redaction is not a technical term used to describe this effort. Finally, audit logging may be part of the records retained but doesn’t describe the lifecycle of data.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
37
Q

Which component of IPsec provides authentication, integrity, and nonrepudiation?

A. L2TP
B. Encapsulating Security Payload
C. Encryption Security Header
D. Authentication Header

A

D. The Authentication Header provides authentication, integrity, and nonrepudiation for IPsec connections. The Encapsulating Security Payload provides encryption and thus provides confidentiality. It can also provide limited authentication. L2TP is an independent VPN protocol, and Encryption Security Header is a made-up term.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
38
Q

Renee notices that a system on her network recently received connection attempts on all 65,536 TCP ports from a single system during a short period of time. What type of attack did Renee most likely experience?

A. Denial-of-service
B. Reconnaissance
C. Malicious insider
D. Compromise

A

B. The attack described in the scenario is a classic example of TCP scanning, a network reconnaissance technique that may precede other attacks. There is no evidence that the attack disrupted system availability, which would characterize a denial-of-service attack; that it was waged by a malicious insider; or that the attack resulted in the compromise of a system.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
39
Q

What type of Windows audit record describes events like an OS shutdown or a service being stopped?

A. An application log
B. A security log
C. A system log
D. A setup log

A

C. Windows system logs include reboots, shutdowns, and service state changes. Application logs record events generated by programs, security logs track events like logins and uses of rights, and setup logs track application setup.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
40
Q

Melissa is in charge of her organization’s security compliance efforts and has been told that the organization does not install Windows patches until a month has passed since the patch has been released unless there is a zero-day exploit that is being actively exploited. Why would the company delay patching like this?

A. To minimize business impact of the installation
B. To allow any flaws with the patch to be identified
C. To prevent malware in the patches from being installed before it is identified
D. To allow the patch to be distributed to all systems

A

B. Many organizations delay patches for a period of time to ensure that any previously unidentified flaws are found before the patches are installed throughout their organization. Melissa needs to balance business impact against security in her role and may choose to support this or to push for more aggressive installation practices depending on the organization’s risk tolerance and security needs.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
41
Q

What level of RAID is also known as disk striping?

A. RAID 0
B. RAID 1
C. RAID 5
D. RAID 10

A

A. RAID level 0 is also known as disk striping. RAID 1 is called disk mirroring. RAID 5 is called disk striping with parity. RAID 10 is known as a stripe of mirrors.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
42
Q

Jacob executes an attack against a system using a valid but low-privilege user account by accessing a file pointer that the account has access to. After the access check, but before the file is opened, he quickly switches the file pointer to point to a file that the user account does not have access to. What type of attack is this?

A. TOCTOU
B. Permissions creep
C. Impersonation
D. Link swap

A

A. This is an example of a time of check/time of use, or TOC/TOU, attack. It exploits the difference between the times when a system checks for permission to perform an action and when the action is actually performed. Permissions creep would occur if the account had gained additional rights over time as the other’s role or job changed. Impersonation occurs when an attacker pretends to be a valid user, and link swap is not a type of attack.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
43
Q

What is the minimum number of disks required to implement RAID level 0?

A. 1
B. 2
C. 3
D. 5

A

B. RAID 0, or disk striping, requires at least two disks to implement. It improves performance of the storage system but does not provide fault tolerance.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
44
Q

Fred’s company wants to ensure the integrity of email messages sent via its central email servers. If the confidentiality of the messages is not critical, what solution should Fred suggest?

A. Digitally sign and encrypt all messages to ensure integrity.
B. Digitally sign but don’t encrypt all messages.
C. Use TLS to protect messages, ensuring their integrity.
D. Use a hashing algorithm to provide a hash in each message to prove that it hasn’t changed.

A

B. Fred’s company needs to protect integrity, which can be accomplished by digitally signing messages. Any change will cause the signature to be invalid. Encrypting isn’t necessary because the company does not want to protect confidentiality. TLS can provide in-transit protection but won’t protect integrity of the messages, and of course a hash used without a way to verify that the hash wasn’t changed won’t ensure integrity either.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
45
Q

The leadership at Susan’s company has asked her to implement an access control system that can support rule declarations like “Only allow access to salespeople from managed devices on the wireless network between 8 a.m. and 6 p.m.” What type of access control system would be Susan’s best choice?

A. ABAC
B. RBAC
C. DAC
D. MAC

A

A. An attribute-based access control (ABAC) system will allow Susan to specify details about subjects, objects, and access, allowing granular control. Although a rule-based access control system (RBAC) might allow this, the attribute-based access control system can be more specific and thus is more flexible. Discretionary access control (DAC) would allow object owners to make decisions, and mandatory access controls (MACs) would use classifications; neither of these capabilities was described in the requirements.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
46
Q

Nora’s company operates servers on a five-year lifecycle. When they reach their end of life according to that process, the servers are sent to an e-waste recycler. Which of the following is the most effective control that Nora could implement to ensure that a data breach does not occur due to remanent data?

A. Zero wipe the drives before the servers leave the organization.
B. Remove the drives and shred them.
C. Reformat the drives before the servers are sent to the e-waste company.
D. Require certificates of disposal from the e-waste company.

A

B. The most effective control is to remove the drives and shred them, removing any chance for the servers to leave with data remaining on them. A trustworthy company that can provide a certificate of disposal with appropriate contractual controls may be a reasonable and cost-efficient alternative, but the company may also then want to zero wipe drives before the systems leave to reduce the risk if a system makes it out of the recycler’s control. The worst answer here is reformatting, which will not remove data.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
47
Q

Chris is deploying a gigabit Ethernet network using Category 6 cable between two buildings. What is the maximum distance he can run the cable according to the Category 6 standard?

A. 50 meters
B. 100 meters
C. 200 meters
D. 300 meters

A

B. The maximum allowed length of a Cat 6 cable is 100 meters, or 328 feet. Long distances are typically handled by a fiber run or by using network devices like switches or repeaters—not only because of the distance, but also because outdoor runs can experience lightning strikes, which won’t affect fiber. Knowing that copper twisted pair has distance limitations can be important in many network designs and influences where switches and other devices are placed.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
48
Q

Howard is a security analyst working with an experienced computer forensics investigator. The investigator asks him to retrieve a forensic drive controller, but Howard cannot locate a device in the storage room with this name. What is another name for a forensic drive controller?

A. RAID controller
B. Write blocker
C. SCSI terminator
D. Forensic device analyzer

A

B. One of the main functions of a forensic drive controller is preventing any command sent to a device from modifying data stored on the device. For this reason, forensic drive controllers are also often referred to as write blockers.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
49
Q

The web application that Saria’s development team is working on needs to provide secure session management that can prevent hijacking of sessions using the cookies that the application relies on. Which of the following techniques would be the best for her to recommend to prevent this?

A. Set the Secure attribute for the cookies, thus forcing TLS.
B. Set the Domain cookie attribute to example.com to limit cookie access to servers in the same domain.
C. Set the Expires cookie attribute to less than a week.
D. Set the HTTPOnly attribute to require only unencrypted sessions.

A

A. Setting the Secure cookie will only allow cookies to be sent via HTTPS TLS or SSL sessions, preventing man-in-the-middle attacks that target cookies. The rest of the settings are problematic. For example, cookies are vulnerable to DNS spoofing. Domain cookies should usually have the narrowest possible scope, which is actually accomplished by not setting the Domain cookie. This allows only the originating server to access the cookie. Cookies without the Expires or Max-age attributes are ephemeral and will only be kept for the session, making them less vulnerable than stored cookies. Normally, the HTTPOnly attribute is a good idea, but it prevents scripting rather than requiring unencrypted HTTP sessions.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
50
Q

Ben’s company has recently retired its fleet of multifunction printers. The information security team has expressed concerns that the printers contain hard drives and that they may still have data from scans and print jobs. What is the technical term for this issue?

A. Data pooling
B. Failed clearing
C. Data permanence
D. Data remanence

A

D. Data remanence describes data that is still on media after an attempt has been made to remove it. Failed clearing and data pooling are not technical terms, and data permanence describes how long data lasts.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
51
Q

What access control scheme labels subjects and objects and allows subjects to access objects when the labels match?

A. DAC
B. MAC
C. Rule-based access control (RBAC)
D. Role-based access control (RBAC)

A

B. Mandatory access control (MAC) applies labels to subjects and objects and allows subjects to access objects when their labels match. Discretionary access control (DAC) is controlled by the owner of objects, rule-based access control applies rules throughout a system, and role-based access control bases rights on roles, which are often handled as groups of users.

52
Q

A cloud-based service that provides account provisioning, management, authentication, authorization, reporting, and monitoring capabilities is known as what type of service?

A. PaaS
B. IDaaS
C. IaaS
D. SaaS

A

B. Identity as a service (IDaaS) provides capabilities such as account provisioning, management, authentication, authorization, reporting, and monitoring. Platform as a service (PaaS), infrastructure as a service (IaaS), and software as a service (SaaS).

53
Q

Sally wants to secure her organization’s VoIP systems. Which of the following attacks is one that she shouldn’t have to worry about?

A. Eavesdropping
B. Denial-of-service
C. Blackboxing
D. Caller ID spoofing

A

C. Eavesdropping, denial-of-service attacks, and caller ID spoofing are all common VoIP attacks. Blackboxing is a made-up answer, although various types of colored boxes were associated with phone phreaking.

54
Q

Marty discovers that the access restrictions in his organization allow any user to log into the workstation assigned to any other user, even if they are from completely different departments. This type of access most directly violates which information security principle?

A. Separation of duties
B. Two-person control
C. Need to know
D. Least privilege

A

D. This broad access may indirectly violate all of the listed security principles, but it is most directly a violation of least privilege because it grants users privileges that they do not need for their job functions.

55
Q

Fred needs to transfer files between two servers on an untrusted network. Since he knows the network isn’t trusted, he needs to select an encrypted protocol that can ensure that his data remains secure. What protocol should he choose?

A. SSH
B. TCP
C. SFTP
D. IPsec

A

C. The Secure File Transfer Protocol (SFTP) is specifically designed for encrypted file transfer. SSH is used for secure command-line access, whereas TCP is one of the bundles of internet protocols commonly used to transmit data across a network. IPsec could be used to create a tunnel to transfer the data but is not specifically designed for file transfer.

56
Q

Chris uses a packet sniffer to capture traffic from a TACACS+ server. What protocol should he monitor, and what data should he expect to be readable?

A. UDP; none—TACACS+ encrypts the full session.
B. TCP; none—TACACS+ encrypts the full session.
C. UDP; all but the username and password, which are encrypted.
D. TCP; all but the username and password, which are encrypted.

A

B. TACACS+ uses TCP and encrypts the entire session, unlike RADIUS, which only encrypts the password and operates via UDP.

57
Q

If the client has already authenticated to the KDC, what does the client workstation send to the KDC at point A when it wants to access a resource?

A. It resends the password
B. A TGR
C. Its TGT
D. A service ticket

A

C. The client sends its existing valid TGT to the KDC and requests access to the resource.

58
Q

What occurs between steps A and B?

A. The KDC verifies the validity of the TGT and whether the user has the right privileges for the requested resource.
B. The KDC updates its access control list based on the data in the TGT.
C. The KDC checks its service listing and prepares an updated TGT based on the service request.
D. The KDC generates a service ticket to issue to the client.

A

A. The KDC must verify that the TGT is valid and whether the user has the right privileges to access the service it is requesting access to. If it does, it generates a service ticket and sends it to the client (step B).

59
Q

What system or systems does the service that is being accessed use to validate the ticket?

A. The KDC.
B. The client workstation and the KDC.
C. The client workstation supplies it in the form of a client-to-server ticket and an authenticator.
D. The KVS.

A

C. When a client connects to a service server (SS), it sends the following two messages:
* The client-to-server ticket, encrypted using the service’s secret key
* A new authenticator, including the client ID and timestamp that is encrypted using the client/server session key.
The server or service that is being accessed receives all of the data it needs in the service ticket. To do so, the client uses a client-to-server ticket received from the ticket granting service.

60
Q

What does a service ticket (ST) provide in Kerberos authentication?

A. It serves as the authentication host.
B. It provides proof that the subject is authorized to access an object.
C. It provides proof that a subject has authenticated through a KDC and can request tickets to access other objects.
D. It provides ticket granting services.

A

B. The service ticket in Kerberos authentication provides proof that a subject is authorized to access an object. Ticket granting services are provided by the TGS. Proof that a subject has authenticated and can request tickets to other objects uses ticket-granting tickets, and authentication host is a made-up term.

61
Q

Judy is preparing to conduct a business impact analysis. What should her first step be in the process?

A. Identify threats to the business.
B. Identify risks to the organization.
C. Identify business priorities.
D. Conduct likelihood analysis.

A

C. The first step in a business impact analysis is to identify the business’s priorities. Judy should ensure that business areas are all represented and that the functions of each department or area are assessed. Once that is done, she can move on to identifying risks, evaluating likelihood and impact, and then prioritizing the resources available to the business to address the identified priorities.

62
Q

What is the most common risk that cellular phone hotspots create for business networks?

A. They can provide attackers with a nonsecured network path into your network.
B. They can be used like rogue access points for man-in-the-middle attacks.
C. They allow wireless data to be intercepted.
D. They are unencrypted and can be easily sniffed.

A

A. Organizations are most often concerned about hotspots creating an unsecured network connection into their secure network via laptops or other devices that are connected to them. Bridging a cellular connection to a network connection to the business’s network creates a path that bypasses security controls. Hotspots could be used as rogue access points, but this is a less common scenario. They do not specifically allow wireless data to be intercepted and, in most modern implementations, are encrypted, thus limiting the likelihood of sniffing providing useful data.

63
Q

Which one of the following fire suppression systems poses the greatest risk of accidental discharge that damages equipment in a data center?

A. Wet pipe
B. Dry pipe
C. Deluge
D. Preaction

A

A. Dry pipe, deluge, and preaction systems all use pipes that remain empty until the system detects signs of a fire. Wet pipe systems use pipes filled with water that may damage equipment if there is damage to a pipe.

64
Q

Amanda’s healthcare provider maintains such data as details about her health, treatments, and medical billing. What type of data is this?

A. Protected health information
B. Personally identifiable information
C. Protected health insurance
D. Individual protected data

A

A. Protected health information (PHI) is defined by HIPAA to include health information used by healthcare providers, such as medical treatment, history, and billing. Personally identifiable information is information that can be used to identify an individual, which may be included in the PHI but isn’t specifically this type of data. Protected health insurance and individual protected data are both made-up terms.

65
Q

What type of code review is best suited to identifying business logic flaws?

A. Mutational fuzzing
B. Manual
C. Generational fuzzing
D. Interface testing

A

B. Manual testing uses human understanding of business logic to assess program flow and responses. Mutation or generational fuzzing will help determine how the program responds to expected inputs but does not test the business logic. Interface testing ensures that data exchange between modules works properly but does not focus on the logic of the program or application.

66
Q

Something you know is an example of what type of authentication factor?

A. Type 1
B. Type 2
C. Type 3
D. Type 4

A

A. A Type 1 authentication factor is something you know. A Type 2 authentication factor is something you have, like a smartcard or hardware token. A Type 3 authentication factor is something you are, like a biometric identifier. There is no such thing as a Type 4 authentication factor.

67
Q

Saria is the system owner for a healthcare organization. What responsibilities does she have related to the data that resides on or is processed by the systems she owns?

A. She has to classify the data.
B. She has to make sure that appropriate security controls are in place to protect the data.
C. She has to grant appropriate access to personnel.
D. She bears sole responsibility for ensuring that data is protected at rest, in transit, and in use.

A

B. System owners develop and maintain system security plans with system administrators, and they have to ensure that appropriate security controls are in place on those systems. System owners also share responsibility for data protection with data owners. System administrators grant appropriate access and apply the controls, whereas data owners own the classification process.

68
Q

During software testing, Jack diagrams how a hacker might approach the application he is reviewing and determines what requirements the hacker might have. He then tests how the system would respond to the attacker’s likely behavior. What type of testing is Jack conducting?

A. Misuse case testing
B. Use case testing
C. Hacker use case testing
D. Static code analysis

A

A. Jack is performing misuse case analysis, a process that tests code based on how it would perform if it was misused instead of used properly. Use case testing tests valid use cases, whereas static code analysis involves reviewing the code itself for flaws rather than testing the live software. Hacker use case testing isn’t an industry term for a type of testing.

69
Q

Rick’s risk assessment for his company’s web application noted that it could suffer from SQL injection attacks. Which of the following mitigation techniques would you recommend Rick apply to help reduce this risk? (Select all that apply.)

A. Stored procedures
B. Escaping all user-supplied input
C. Parameterized queries
D. Input validation

A

A, B, C, D. All of these options are useful to help prevent SQL injection. Stored procedures limit what can be done via the database server, and escaping user input makes dangerous characters less likely to be a problem. Parameterized queries limit what can be sent in a query, and input validation adds another layer of protection by limiting what can be successfully input by a user.

70
Q

Chris has been assigned to scan a system on all of its possible TCP and UDP ports. How many ports of each type must he scan to complete his assignment?

A. 65,536 TCP ports and 32,768 UDP ports
B. 1,024 common TCP ports and 32,768 ephemeral UDP ports
C. 65,536 TCP and 65,536 UDP ports
D. 16,384 TCP ports, and 16,384 UDP ports

A

C. Both TCP and UDP port numbers are a 16-digit binary number, which means there can be 216 ports, or 65,536 ports, numbered from 0 to 65,535.

71
Q

CVE and the NVD both provide information about what?

A. Vulnerabilities
B. Markup languages
C. Vulnerability assessment tools
D. Penetration testing methodologies

A

A. MITRE’s Common Vulnerabilities and Exploits (CVE) dictionary and NIST’s National Vulnerability Database (NVD) both provide information about vulnerabilities.

72
Q

Michelle wants to ensure that her company does not keep logs for longer than they need to. What type of policy should she write and implement to ensure this?

A. An EOL policy
B. A data classification policy
C. An EOS policy
D. A record retention policy

A

D. Record retention policies are used to establish what data organizations retain and how long they will retain it for. Keeping data longer than necessary can increase risk to the organization, but having data when needed for investigations, legal compliance, or other business purposes is also important. EOL, or end of life, and EOS, or end of support, apply to hardware or software and not to data. Data classification policies are used to help classify data, which may influence how long it is retained, but classification policies themselves typically do not set retention timeframes.

73
Q

In what type of trusted recovery process does the system recover against one or more failure types without administrator intervention while protecting itself against data loss?

A. Automated recovery
B. Manual recovery
C. Function recovery
D. Automated recovery without undue data loss

A

D. In an automated recovery, the system can recover itself against one or more failure types. In an automated recovery without undue loss, the system can recover itself against one or more failure types and also preserve data against loss. In function recovery, the system can restore functional processes automatically. In a manual recovery approach, the system does not fail into a secure state but requires an administrator to manually restore operations.

74
Q

What three important items should be considered if you are attempting to control the strength of signal for a wireless network as well as where it is accessible?

A. Antenna placement, antenna type, antenna power levels
B. Antenna design, power levels, use of a captive portal
C. Antenna placement, antenna design, use of a captive portal
D. Power levels, antenna placement, FCC minimum strength requirements

A

A. Antenna placement, antenna design, and power level control are the three important factors in determining where a signal can be accessed and how usable it is. A captive portal can be used to control user logins, and antenna design is part of antenna types. The FCC does provide maximum broadcast power guidelines but does not require a minimum power level.

75
Q

What is the best way to ensure that data is unrecoverable from an SSD?

A. Use the built-in erase commands.
B. Use a random pattern wipe of 1s and 0s.
C. Physically destroy the drive.
D. Degauss the drive.

A

C. Physically destroying the drive is the best way to ensure that there is no remnant data on the drive. SSDs are flash media, which means that you can’t degauss them, whereas both random pattern writes and the built-in erase commands have been shown to be problematic due to the wear leveling built into SSDs as well as differences in how they handle erase commands.

76
Q

Alice sends a message to Bob and wants to ensure that Mal, a third party, does not read the contents of the message while in transit. What goal of cryptography is Alice attempting to achieve?

A. Confidentiality
B. Integrity
C. Authentication
D. Nonrepudiation

A

A. Confidentiality ensures that data cannot be read by unauthorized individuals while stored or in transit.

77
Q

Place the following stages in their proper order for the MITRE ATT&CK framework shown here. Note that Recon is the start of the process and Maintain is the end.

A. 1 Recon – 2 Deliver – 3 Weaponize – 4 Exploit – 5 Control – 6 Execute – 7 Maintain
B. 1 Recon – 2 Weaponize – 3 Deliver – 4 Exploit – 5 Control – 6 Execute – 7 Maintain
C. 1 Recon – 2 Weaponize – 3 Deliver – 4 Exploit – 5 Execute – 6 Control – 7 Maintain
D. 1 Recon – 2 Weaponize – 3 Exploit – 4 Deliver – 5 Control – 6 Execute – 7 Maintain

A

B. The proper order is as follows: 1 Recon– 2 Weaponize– 3 Deliver– 4 Exploit– 5 Control– 6 Execute– 7 Maintain.

78
Q

The company that Gary works for processes credit cards and operates under an industry standard for credit card handling. Which of the following standards will his company need to comply with?

A. ISO27001
B. FIPS 140
C. PCI-DSS
D. ISO 27002

A

D. PCI-DSS, or the Payment Card Industry Data Security Standard is the industry standard Gary’s company will need to comply with. ISO27001 and 27002 are information security management standards. FIPS 140 is a standard for cryptographic modules.

79
Q

James has opted to implement a NAC solution that uses a post-admission philosophy for its control of network connectivity. What type of issues can’t a strictly post-admission policy handle?

A. Out-of-band monitoring
B. Preventing an unpatched laptop from being exploited immediately after connecting to the network
C. Denying access when user behavior doesn’t match an authorization matrix
D. Allowing a user access to a specific object when user behavior is allowed based on an authorization matrix

A

B. A post-admission philosophy allows or denies access based on user activity after connection. Since this doesn’t check the status of a machine before it connects, it can’t prevent the exploit of the system immediately after connection. This doesn’t preclude out-of-band or in-band monitoring, but it does mean that a strictly post-admission policy won’t handle system checks before the systems are admitted to the network.

80
Q

Ben has built an access control list that lists the objects that his users are allowed to access. When users attempt to access an object that they don’t have rights to, they are denied access, even though there isn’t a specific rule that prevents it. What access control principle is key to this behavior?

A. Least privilege
B. Implicit deny
C. Explicit deny
D. Final rule fall-through

A

B. The principle of implicit denial states that any action that is not explicitly allowed is denied. This is an important concept for firewall rules and other access control systems. Implementing least privilege ensures that subjects have only the rights they need to accomplish their job. While explicit deny and final rule fall-through may sound like important access control concepts, neither is.

81
Q

Mary is a security risk analyst for an insurance company. She is currently examining a scenario where a hacker might use a SQL injection attack to deface a web server due to a missing patch in the company’s web application. In this scenario, what is the risk?

A. Unpatched web application
B. Web defacement
C. Hacker
D. Operating system

A

B. Risks are the combination of a threat and a vulnerability. Threats are the external forces seeking to undermine security, such as the hacker in this case. Vulnerabilities are the internal weaknesses that might allow a threat to succeed. In this case, web defacement is the risk. In this scenario, if the hacker attempts a SQL injection attack (threat) against the unpatched server (vulnerability), the result is website defacement (risk).

82
Q

The mean time to detect a compromise is what type of security measurement?

A. An MTO
B. A technical control objective
C. A compliance objective
D. A KPI

A

D. The mean time to detect a compromise is a security KPI, or key performance indicator. KPIs are used to determine how effective practices, procedures, and staff are.

83
Q

Val is attempting to review security logs but is overwhelmed by the sheer volume of records maintained in her organization’s central log repository. What technique can she use to select a representative set of records for further review?

A. Statistical sampling.
B. Clipping.
C. Choose the first 5 percent of records from each day.
D. Choose 5 percent of records from the middle of the day.

A

A. Val can use statistical sampling techniques to choose a set of records for review that are representative of the entire day’s data. Clipping chooses only records that exceed a set threshold, so it is not a representative sample. Choosing records based on the time they are recorded may not produce a representative sample because it may capture events that occur at the same time each day and miss many events that simply don’t occur during the chosen time period.

84
Q

In Jen’s job as the network administrator for an industrial production facility, she is tasked with ensuring that the network is not susceptible to electromagnetic interference due to the large motors and other devices running on the production floor. What type of network cabling should she choose if this concern is more important than cost and difficulty of installation?

A. 10Base2
B. 100BaseT
C. 1000BaseT
D. Fiber optic

A

D. Fiber-optic cable is more expensive and can be harder to install than stranded copper cable or coaxial cable in some cases, but it isn’t susceptible to electromagnetic interference (EMI). That makes it a great solution for Jen’s problem, especially if she is deploying EMI-hardened systems to go with her EMI-resistant network cables.

85
Q

Jasper Diamonds is a jewelry manufacturer that markets and sells custom jewelry through its website. Bethany is the manager of Jasper’s software development organization, and she is working to bring the company into line with industry-standard practices. She is developing a new change management process for the organization and wants to follow commonly accepted approaches.

Bethany would like to put in place controls that provide an organized framework for company employees to suggest new website features that her team will develop. What change management process facilitates this?

A. Configuration control
B. Change control
C. Release control
D. Request control

A

D. The request control process provides an organized framework within which users can request modifications, managers can conduct cost/benefit analyses, and developers can prioritize tasks.

86
Q

Jasper Diamonds is a jewelry manufacturer that markets and sells custom jewelry through its website. Bethany is the manager of Jasper’s software development organization, and she is working to bring the company into line with industry-standard practices. She is developing a new change management process for the organization and wants to follow commonly accepted approaches.

Bethany would also like to create a process that helps multiple developers work on code at the same time. What change management process facilitates this?

A. Configuration control
B. Change control
C. Release control
D. Request control

A

B. Change control provides an organized framework within which multiple developers can create and test solutions prior to rolling them out into a production environment.

87
Q

Jasper Diamonds is a jewelry manufacturer that markets and sells custom jewelry through its website. Bethany is the manager of Jasper’s software development organization, and she is working to bring the company into line with industry-standard practices. She is developing a new change management process for the organization and wants to follow commonly accepted approaches.

Bethany is working with her colleagues to conduct user acceptance testing. What change management process includes this task?

A. Configuration control
B. Change control
C. Release control
D. Request control

A

C. Release control includes acceptance testing to ensure that any alterations to end-user work tasks are understood and functional.

88
Q

Jasper Diamonds is a jewelry manufacturer that markets and sells custom jewelry through its website. Bethany is the manager of Jasper’s software development organization, and she is working to bring the company into line with industry-standard practices. She is developing a new change management process for the organization and wants to follow commonly accepted approaches.

Bethany noticed that some problems arise when system administrators update libraries without informing developers. What change management process can assist with this problem?

A. Configuration control
B. Change control
C. Release control
D. Request control

A

A. Configuration control ensures that changes to software versions are made in accordance with the change control and configuration management process. Updates can be made only from authorized distributions in accordance with those policies.

89
Q

Ben has written the password hashing system for the web application he is building. His hashing code function for passwords results in the following process for a series of passwords:

hash (password1 + 07C98BFE4CF67B0BFE2643B5B22E2D7D) = 10B222970537B97919DB36EC757370D2 hash (password2 + 07C98BFE4CF67B0BFE2643B5B22E2D7D) = F1F16683F3E0208131B46D37A79C8921

What flaw has Ben introduced with his hashing implementation?

A. Plaintext salting
B. Salt reuse
C. Use of a short salt
D. Poor salt algorithm selection

A

B. Ben is reusing his salt. When the same salt is used for each hash, all users with the same password will have the same hash, and the attack can either attempt to steal the salt or may attempt to guess the salt by targeting the most frequent hash occurrences based on commonly used passwords. Short salts are an issue, but the salts used here are 32 bytes (256 bits) long. There is no salting algorithm used or mentioned here; salt is an added value for a hash, and plaintext salting is a made-up term.

90
Q

Which one of the following is an example of risk transference?

A. Building a guard shack
B. Purchasing insurance
C. Erecting fences
D. Relocating facilities

A

B. Risk transference involves actions that shift risk from one party to another. Purchasing insurance is an example of risk transference because it moves risk from the insured to the insurance company.

91
Q

What protocol takes the place of certificate revocation lists and adds real-time status verification?

A. RTCP
B. RTVP
C. OCSP
D. CSRTP

A

C. The Online Certificate Status Protocol (OCSP) eliminates the latency inherent in the use of certificate revocation lists by providing a means for real-time certificate verification.

92
Q

Xavier’s company has been using an increasing number of cloud services, and he is concerned that the security policies that the company has implemented in its existing data center are not being followed in the cloud. Which of the following solutions is best suited to ensuring that policies are applied to all cloud services?

A. A CIPS
B. A CASB
C. A CSG
D. A CDLP

A

B. A cloud access security broker is a tool that sits between on-premises and cloud systems, monitoring traffic and enforcing security policies. This scenario exactly matches what a CASB is designed to do. The other answers were made up; none of these is an actual cloud security device or tool (at least as of the writing of this book!).

93
Q

What process makes TCP a connection-oriented protocol?

A. It works via network connections.
B. It uses a handshake.
C. It monitors for dropped connections.
D. It uses a complex header.

A

B. TCP’s use of a handshake process to establish communications makes it a connection-oriented protocol. TCP does not monitor for dropped connections, nor does the fact that it works via network connections make it connection-oriented.

94
Q

Susan wants to build a security awareness program for her organization, but knows that keeping staff engaged is difficult. Which of the following techniques is often associated with the use of points and scores as part of the assessment process?

A. Gamification
B. Phishing testing
C. Security champions
D. Social engineering evaluations

A

A. Gamification uses common components from games like points, scores, and competition to engage participants in a security awareness program. None of the other answers uses these together unless they use a gamification component.

95
Q

You are conducting a qualitative risk assessment for your organization. The two important risk elements that should weigh most heavily in your analysis of risk are probability and ________________.

A. Likelihood
B. History
C. Impact
D. Cost

A

C. The two most important elements of a qualitative risk assessment are determining the probability and impact of each risk upon the organization. Likelihood is another word for probability. Cost should be taken into account but is only one element of impact, which also includes reputational damage, operational disruption, and other ill effects.

96
Q

Using the OSI model, what format does the Data Link layer use to format messages received from higher up the stack?

A. A data stream
B. A frame
C. A segment
D. A datagram

A

B. When a message reaches the Data Link layer, it is called a frame. Data streams exist at the Application, Presentation, and Session layers, whereas segments and datagrams exist at the Transport layer (for TCP and UDP, respectively).

97
Q

What is the maximum penalty that may be imposed by an (ISC)2 peer review board when considering a potential ethics violation?

A. Revocation of certification
B. Termination of employment
C. Financial penalty
D. Suspension of certification

A

A. If the (ISC)2 peer review board finds that a certified individual has violated the (ISC)2 Code of Ethics, the board may revoke their certification. The board is not able to terminate an individual’s employment or assess financial penalties.

98
Q

Which one of the following statements about the SDLC is correct?

A. The SDLC requires the use of an iterative approach to software development.
B. The SDLC requires the use of a sequential approach to software development.
C. The SDLC does not include training for end users and support staff.
D. The waterfall methodology is compatible with the SDLC.

A

D. SDLC approaches include steps to provide operational training for support staff as well as end-user training. The SDLC may use one of many development models, including the waterfall and spiral models. The SDLC does not mandate the use of an iterative or sequential approach; it allows for either approach.

99
Q

In the diagram shown here, Harry is prevented from reading a file at a higher classification level than his security clearance. What security model prevents this behavior?

A. Bell–LaPadula
B. Biba
C. Clark–Wilson
D. Brewer–Nash

A

A. The Bell–LaPadula model includes the Simple Security Property, which prevents an individual from reading information that is classified at a level higher than the individual’s security clearance.

100
Q

Susan is setting up the network for a local coffee house and wants to ensure that users have to authenticate using an email address and agree to the coffee house’s acceptable use policy before being allowed on the network. What technology should she use to do this?

A. 802.11
B. NAC
C. A captive portal
D. A wireless gateway

A

C. Captive portals are designed to show a page that can require actions like accepting an agreement or recording an email address before connecting clients to the internet. NAC is designed to verify whether clients meet a security profile, which doesn’t match the needs of most coffee shops. A wireless gateway is a tool to access a cellular or other network, rather than a way to interact with users before they connect, and 802.11 is the family of IEEE wireless standards.

101
Q

Travis is concerned about the security that his organization’s use of Microsoft’s BitLocker provides for systems. When are the systems most secure from data loss based on the encryption state of the drive if the systems are equipped with TPM and use full disk encryption?

A. When they are booted up and running because the system monitors for drive access
B. When the system is shutting down because keys are removed from memory
C. When they are booting up because the TPM checks for a secure boot process
D. When they are off because the drive is fully encrypted

A

D. The files on the drive are at their most secure when the system is off and the drive is encrypted and not in a readable state. BitLocker decrypts files as needed when in use, meaning that any time after the system is booted files may be accessed, particularly if the user is logged in and access to the system can be gained or if malware is running.

102
Q

Andrea wants to ensure that her virtualized networks are secure between virtual environments. She uses virtual machine clusters in multiple locations in her state with third-party internet service providers between those locations. Which of the following solutions is best suited to protecting her traffic if she runs a flattened layer 2 network between those locations?

A. TLS
B. BGP
C. IPsec
D. AES

A

C. An IPsec VPN will allow Andrea to keep her networks running as layer 2 flattened networks when necessary while providing the security for her traffic that she wants. TLS operates at a higher network layer, although traffic could be tunneled through it. BGP is a routing protocol, and AES is an encryption algorithm.

103
Q

The company that Fred works for is reviewing the security of their company-issued cell phones. They issue 4G-capable smartphones running Android and iOS and use a mobile device management solution to deploy company software to the phones. The mobile device management software also allows the company to remotely wipe the phones if they are lost.

What security considerations should Fred’s company require for sending sensitive data over the cellular network?

A. They should use the same requirements as data over any public network.
B. Cellular provider networks are private networks and should not require special consideration.
C. Encrypt all traffic to ensure confidentiality.
D. Require the use of WAP for all data sent from the phone.

A

A. Cellular networks have the same issues that any public network does. Encryption requirements should match those that the organization selects for other public networks like hotels, conference WiFi, and similar scenarios. Encrypting all data is difficult and adds overhead, so it should not be the default answer unless the company specifically requires it. WAP is a dated wireless application protocol and is not in broad use; requiring it would be difficult. WAP does provide TLS, which would help when in use.

104
Q

The company that Fred works for is reviewing the security of their company-issued cell phones. They issue 4G-capable smartphones running Android and iOS and use a mobile device management solution to deploy company software to the phones. The mobile device management software also allows the company to remotely wipe the phones if they are lost.

Fred intends to attend a major hacker conference this year and needs to connect to his employer’s network during his time at the conference. What should he do when connecting to his cellular provider’s 4G network while at the conference?

A. Continue normal usage.
B. Discontinue all usage; towers can be spoofed.
C. Only use trusted WiFi networks.
D. Connect to his company’s encrypted VPN service.

A

D. Fred’s best option is to use an encrypted, trusted VPN service to tunnel all of his data usage. Trusted WiFi networks are unlikely to exist at a hacker conference, normal usage is dangerous due to the proliferation of technology that allows fake towers to be set up, and discontinuing all usage won’t support Fred’s business needs.

105
Q

The company that Fred works for is reviewing the security of their company-issued cell phones. They issue 4G-capable smartphones running Android and iOS and use a mobile device management solution to deploy company software to the phones. The mobile device management software also allows the company to remotely wipe the phones if they are lost.

What are the most likely circumstances that would cause a remote wipe of a mobile phone to fail?

A. The phone has a passcode on it.
B. The phone cannot contact a network.
C. The provider has not unlocked the phone.
D. The phone is in use.

A

B. Remote wipe tools are a useful solution, but they work only if the phone can access either a cellular or WiFi network. Remote wipe solutions are designed to wipe data from the phone regardless of whether it is in use or has a passcode. Providers unlock phones for use on other cellular networks rather than for wiping or other feature support.

106
Q

Elaine is developing a business continuity plan for her organization. What value should she seek to minimize?

A. AV
B. SSL
C. RTO
D. MTO

A

C. The goal of business continuity planning exercises is to reduce the amount of time required to restore operations. This is done by minimizing the recovery time objective (RTO).

107
Q

Warren wants to conduct an internal security audit. He wants to use a broadly accepted audit framework so that he can more easily compare the results to other organizations. Which of the following options should he select as his base audit framework?

A. ITSM
B. ATT&CK
C. COBIT
D. CIS

A

C. The COBIT, or Control Objectives for Information and related Technologies, framework describes common requirements that organizations should have in place for their information systems. It is the only audit or compliance framework on the list. ITSM is the acronym for Information Technology Service Management; CIS is the Center for Information Security, which provides guidelines for system security that can be used to assess systems but is not itself an audit framework; and ATT&CK is a framework for describing threats and attack methodologies.

108
Q

Place the list of disaster recovery test types in order of their potential impact on the business, starting with the least impactful and progressing through the most impactful.

  1. Checklist review
  2. Parallel test
  3. Tabletop exercise
  4. Full interruption test

A. 1, 2, 3, 4
B. 1, 3, 2, 4
C. 1, 3, 4, 2
D. 2, 1, 3, 4

A

B. The disaster recovery test types, listed in order of their potential impact on the business from the least impactful to the most impactful, are as follows:
1. Checklist review
2. Tabletop exercise
3. Parallel test
4. Full interruption test
Checklist reviews are the least impactful type of exercise because they do not even require a meeting. Each team member reviews the checklist on their own. Tabletop exercises are slightly more impactful because they require bringing together the DR team in the same room. Parallel tests require the activation of alternate processing sites and require significant resources. Full interruption tests are the most impactful type of exercise because they involve shifting operations to the alternate site and could disrupt production activity.

109
Q

Jack’s data center design calls for dual-power supplies in every critical server. What part of the CIA triad is he addressing with this design decision?

A. Confidentiality
B. Integrity
B. Availability
C. None of the above

A

C. Redundancy is part of many availability designs. Dual power supplies allow multiple levels of availability support; they allow you to connect servers to distinct power infrastructures and also provide the ability to run if a single power supply dies. Some servers are even set up to use more than two power supplies. Another approach to this type of availability is to use more systems, rather than more expensive systems with greater support for availability.

110
Q

What step is missing from the IR process cycle diagram shown here?

A. Forensics
B. Retribution
C. Recovery
D. Analysis

A

C. The CISSP CBK uses a six-stage process: Detection, Response, Mitigation, Reporting, Recovery, and Remediation. This diagram is missing Recovery. Other standards differ, using different terms or slightly different processes.

111
Q

Frank is attempting to protect his web application against cross-site scripting attacks. Users do not need to provide input containing scripts, so he decided the most effective way to filter would be to write a filter on the server that watches for the

 tag and removes it. What is the issue with Frank's approach?

A. Validation should always be performed on the client side.
B. Attackers may use XSS filter evasion techniques against this approach.
C. Server-side validation requires removing all HTML tags, not just the

 tag.
D. There is no problem with Frank's approach.
A

B. While removing the

 tag from user input, it is not sufficient, as a user may easily evade this filter by encoding the tag with an XSS filter evasion technique. Frank was correct to perform validation on the server rather than at the client, but he should use validation that limits user input to allowed values, rather than filtering out one potentially malicious tag.
112
Q

Megan wants to ensure that the new software as a service provider that her company is signing a contract with will make sure the service works all the time without disruptions. Which of the following is often part of contracts to provide that assurance?

A. An SLA
B. An RPA
C. An NDA
D. An MOU

A

A. A service level agreement, or SLA, contains details about how the service will be provided, what level of outages or downtime is acceptable, and what remedies may exist in the case of outages or other issues. Megan should ensure that the SLA contains both appropriate performance guarantees and penalties that will be of sufficient magnitude to compensate her company for issues while motivating the service provider to maintain a reliable service. RPA is robotic process automation, an automation technology. NDA is a nondisclosure agreement, a legal document used to help control for the risk of information or data being exposed or shared. An MOU is a memorandum of understanding and is used when two organizations want to work together to document a shared vision or the goals they share.

113
Q

Uptown Records Management recently entered into a contract with a hospital for the secure storage of medical records. The hospital is a U.S.-based, HIPAA-covered entity, which means it needs to ensure that organizations they contract with can meet security practice requirements. What type of agreement should the two organizations sign to meet this requirement?

A. NDA
B. NCA
C. BAA
D. SLA

A

C. HIPAA requires that anyone working with personal health information on behalf of a HIPAA-covered entity be subject to the terms of a business associates agreement (BAA).

114
Q

Norm would like to conduct a disaster recovery test for his organization and wants to choose the most thorough type of test, recognizing that it may be quite disruptive. What type of test should Norm choose?

A. Full interruption test
B. Parallel test
C. Tabletop exercise
D. Checklist review

A

A. During a full interruption test, the team takes down the primary site and confirms that the disaster recovery site is capable of handling regular operations. The full interruption test is the most thorough test but also the most disruptive. During a parallel test, the team actually activates the disaster recovery site for testing, but the primary site remains operational. The checklist review is the least disruptive type of disaster recovery test. During a checklist review, team members each review the contents of their disaster recovery checklists on their own and suggest any necessary changes. During a tabletop exercise, team members come together and walk through a scenario without making any changes to information systems.

115
Q

Ed is building a network that supports IPv6 but needs to connect it to an IPv4 network. What type of device should Ed place between the networks?

A. A switch
B. A router
C. A bridge
D. A gateway

A

D. Ed’s best option is to install an IPv6 to IPv4gateway that can translate traffic between the networks. A bridge would be appropriate for different types of networks, whereas a router would make sense if the networks were similar. A modern switch might be able to carry both types of traffic but wouldn’t be much help translating between the two protocols.

116
Q

Henry’s company has deployed an extensive IoT infrastructure for building monitoring that includes environmental controls, occupancy sensors, and a variety of other sensors and controllers that help manage the building. Which of the following security concerns should Henry report as the most critical in his analysis of the IoT deployment?

A. The lack of local storage space for security logs that is common to IoT devices.
B. The IoT devices may not have a separate administrative interface, allowing anybody on the same network to attempt to log into them and making brute-force attacks possible.
C. The IoT devices may not support strong encryption for communications, exposing the log and sensor data to interception on the network.
D. The long-term support and patching model for the IoT devices may create security and operational risk for the organization.

A

D. Henry’s biggest concern should be the long-term security and supportability of the IoT devices. As these devices are increasingly embedded in buildings and infrastructure, the support model and security model are important to understand. Both the lack of separate administrative access and the lack of strong encryption can be addressed by placing the IoT devices on a dedicated subnet or network that prevents other users from accessing the devices directly. This will help limit the risk without undue expense or complexity and is a common practice. Finally, lack of storage space can be a concern, but is not the most important when looking at the risks IoT devices can create.

117
Q

Isaac wants to use a connectionless protocol to transfer data because he needs to optimize speed of transmission over reliability. Which protocol should he select?

A. ICMP
B. TCP
C. UDP
D. SNMP

A

C. UDP, the User Datagram Protocol, is a connectionless, best-effort protocol that is often used when sending data quickly without strong requirements for reliability features like error correction and detection or flow control to make sense. TCP is connection-oriented and provides those and other reliability features. ICMP, the Internet Control Message Protocol, is used to check routes and paths as well as availability, but is not used for significant data transfer in normal cases. SNMP is a network management monitoring protocol.

118
Q

Which one of the following actions is not required under the EU General Data Protection Regulation?

A. Organizations must allow individuals to opt out of information sharing.
B. Organizations must provide individuals with lists of employees with access to information.
C. Organizations must use proper mechanisms to protect data against unauthorized disclosure.
D. Organizations must have a dispute resolution process for privacy issues.

A

B. The EU General Data Protection Regulation does not require that organizations provide individuals with employee lists.

119
Q

Tammy is selecting a disaster recovery facility for her organization. She would like to choose a facility that balances the time required to recover operations with the cost involved. What type of facility should she choose?

A. Hot site
B. Warm site
C. Cold site
D. Red site

A

B. Tammy should choose a warm site. This type of facility meets her requirements for a good balance between cost and recovery time. It is less expensive than a hot site but facilitates faster recovery than a cold site. A red site is not a type of disaster recovery facility.

120
Q

What layer of the OSI model is associated with datagrams?

A. Session
B. Transport
C. Network
D. Data Link

A

B. When data reaches the Transport layer, it is sent as segments (TCP) or datagrams (UDP). Above the Transport layer, data becomes a data stream, while below the Transport layer they are converted to packets at the Network layer, frames at the Data Link layer, and bits at the Physical layer.

121
Q

Which one of the following is not a valid key length for the Advanced Encryption Standard?

A. 128 bits
B. 192 bits
C. 256 bits
D. 384 bits

A

D. The Advanced Encryption Standard supports encryption with 128-bit keys, 192-bit keys, and 256-bit keys.

122
Q

Which one of the following technologies provides a function interface that allows developers to directly interact with systems without knowing the implementation details of that system?

A. Data dictionary
B. Object model
C. Source code
D. API

A

D. An application programming interface (API) allows developers to create a direct method for other users to interact with their systems through an abstraction that does not require knowledge of the implementation details. Access to object models, source code, and data dictionaries also indirectly facilitate interaction but do so in a manner that provides other developers with implementation details.

123
Q

Ian wants to assess the security of his company’s new SaaS provider. Which of the following options is the most likely option that he can realistically expect to be able to use to assess a major cloud provider’s security?

A. Run a vulnerability scan against the provider’s external services.
B. Request a SOC 2 Type II report.
C. Run a vulnerability scan against the provider’s internal systems.
D. Request a SOC 1 Type II report.

A

B. Ian’s best bet is an SOC report, and an SOC 2 Type II report will assess security controls and their application over time, telling him if the organization is responsibly maintaining their security efforts. An SOC 1 report looks at financial controls, and a Type I report only looks at how controls are described, not their application over time. Ian is unlikely to be allowed to run a vulnerability scan against a major provider’s infrastructure either internally or externally.

124
Q

When Ben lists the files on a Linux system, he sees a set of attributes as shown here.

The letters rwx indicate different levels of what?

A. Identification
B. Authorization
C. Authentication
D. Accountability

A

B. The permissions granted on files in Linux designate what authorized users can do with those files—read, write, or execute. In the image shown, all users can read, write, and execute index.html, whereas the owner can read, write, and execute example.txt, the group cannot, and everyone can write and execute it.

125
Q

Match each one of the numbered protocols with the most accurate lettered description. Use each answer exactly once.

Protocol
1. TCP
2. UDP
3. DNS
4. ARP

Description
A. Performs translations between MAC addresses and IP addresses
B. Performs translations between FQDNs and IP addresses
C. Transports data over a network in a connection-oriented fashion
D. Transports data over a network in a connectionless fashion

A

The protocols match with the descriptions as follows:
1. TCP: C. Transports data over a network in a connection-oriented fashion.
2. UDP: D. Transports data over a network in a connectionless fashion.
3. DNS: B. Performs translations between FQDNs and IP addresses.
4. ARP: A. Performs translations between MAC addresses and IP addresses.
The Domain Name System (DNS) translates human-friendly fully qualified domain names (FQDNs) into IP addresses, making it possible to easily remember websites and hostnames. ARP is used to resolve IP addresses into MAC addresses. TCP and UDP are used to control the network traffic that travels between systems. TCP does so in a connection-oriented fashion using the three-way handshake, while UDP uses connectionless “best-effort” delivery.