Chapter 10 Practice Test 2 (Sybex) Flashcards
1
Q
James is building a disaster recovery plan for his organization and would like to determine the amount of acceptable data loss after an outage. What variable is James determining?
A. SLA
B. RTO
C. MTD
D. RPO
A
D. RPO
Explanation:
The recovery point objective (RPO) identifies the maximum amount of data, measured in time, that may be lost during a recovery effort. The recovery time objective (RTO) is the amount of time expected to return an IT service or component to operation after a failure. The maximum tolerable downtime (MTD) is the longest amount of time that an IT service or component may be unavailable without causing serious damage to the organization. Service-level agreements (SLAs) are written contracts that document service expectations.
2
Q
In his role, Chris is expected to protect the interests of the organization, and the customers whose information he is charged to protect. What term describes the preparation and research undertaken before decisions and actions are made?
A. Due care
B. Compliance
C. Due diligence
D. Regulatory action
A
C. Due diligence
Explanation:
Due care and due diligence can be a confusing pair of terms to keep straight. Chris is engaging in due diligence when he does the preparation and research. Once that is done, he must use due care while undertaking the actions. This is often described in the context of the prudent person rule: would a prudent person have taken the action given the same knowledge?
3
Q
Alex is preparing to solicit bids for a penetration test of his company’s network and systems. He wants to maximize the effectiveness of the testing rather than the realism of the test. What type of penetration test should he require in his bidding process?
A. Black box
B. White box
C.Gray box
D. Zero box
A
B. White box
Explanation:
White-box testing provides the tester with information about networks, systems, and configurations, allowing highly effective testing. It doesn’t simulate an actual attack like black- and gray-box testing can and thus does not have the same realism, and it can lead to attacks succeeding that would fail in a zero- or limited-knowledge attack.
4
Q
Application banner information is typically recorded during what penetration testing phase?
A. Planning
B. Attack
C. Reporting
D. Discovery
A
D. Discovery
Explanation:
The discovery phase includes activities such as gathering IP addresses, network ranges, and hostnames, as well as gathering information about employees, locations, systems, and, of course, the services those systems provide. Banner information is typically gathered as part of discovery to provide information about what version and type of service is being provided.
5
Q
Tony wants to conduct a disaster recovery plan test exercise for his organization. What type of exercise should he conduct if he wants it to be the most realistic event possible and is able to disrupt his organization’s operations to conduct the exercise?
A. Read-through
B. Full interruption
C. Walk-through
D. Simulation
A
B. Full interruption
Explanation:
The most realistic but also most disruptive option for disaster recovery plan testing is a full interruption. The least obtrusive but also least similar to real-world scenarios is a read-through. After that, walk-throughs and simulations are each closer to a true scenario, but parallel operations is often the most popular option because it can be done without disrupting the organization and still reasonably test capabilities.
6
Q
Jim has been asked to individually identify devices that users are bringing to work as part of a new BYOD policy. The devices will not be joined to a central management system like Active Directory, but he still needs to uniquely identify the systems. Which of the following options will provide Jim with the best means of reliably identifying each unique device?
A. Record the MAC address of each system.
B. Require users to fill out a form to register each system.
C. Scan each system using a port scanner.
D. Use device fingerprinting via a web-based registration system.
A
D. Use device fingerprinting via a web-based registration system.
Explanation:
Device fingerprinting via a web portal can require user authentication and can gather data such as operating systems, versions, software information, and many other factors that can uniquely identify systems. Using an automated fingerprinting system is preferable to handling manual registration, and pairing user authentication with data gathering provides more detail than a port scan. MAC addresses can be spoofed, and systems may have more than one depending on how many network interfaces they have, which can make unique identification challenging.
7
Q
Ben works in an organization that uses a formal data governance program. He is consulting with an employee working on a project that created an entirely new class of data and wants to work with the appropriate individual to assign a classification level to that information. Who is responsible for the assignment of information to a classification level?
A. Data creator
B. Data owner
C. CISO
D. Data custodian
A
B. Data owner
Explanation:
The data owner is normally responsible for classifying information at an appropriate level. This role is typically filled by a senior manager or director, who then delegates operational responsibility to a data custodian.
8
Q
James wants to ensure that his company’s backups will survive a disaster that strikes the data center. Which of the following options is the best solution to this concern?
A. Off-site backups
B. A grandfather/father/son backup tiering system
C. Redundant backup systems
D. Snapshots to a SAN or NAS
A
A. Off-site backups
Explanation:
Off-site backups are the best option for disaster recovery in a scenario where a disaster directly impacts the data center. None of the other scenarios as described will directly address the issue, although snapshots to a remote storage location can act as a form of off-site backup.
9
Q
Gabe is concerned about the security of passwords used as a cornerstone of his organization’s information security program. Which one of the following controls would provide the greatest improvement in Gabe’s ability to authenticate users?
A. More complex passwords
B. User education against social engineering
C. Multifactor authentication
D. Addition of security questions based on personal knowledge
A
C. Multifactor authentication
Explanation:
While all of the listed controls would improve authentication security, most simply strengthen the use of knowledge-based authentication. The best way to improve the authentication process would be to add a factor not based on knowledge through the use of multifactor authentication. This may include the use of biometric controls or token-based authentication.
10
Q
The separation of network infrastructure from the control layer, combined with the ability to centrally program a network design in a vendor-neutral, standards-based implementation, is an example of what important concept?
A. MPLS, a way to replace long network addresses with shorter labels and support a wide range of protocols
B. FCoE, a converged protocol that allows common applications over Ethernet
C. SDN, a converged protocol that allows network virtualization
D. CDN, a converged protocol that makes common network designs accessible
A
C. SDN, a converged protocol that allows network virtualization
Explanation:
Software-defined networking (SDN) is a converged protocol that allows virtualization concepts and practices to be applied to networks. MPLS handles a wide range of protocols like ATM, DSL, and others, but isn’t intended to provide the centralization capabilities that SDN does. A content distribution network (CDN) is not a converged protocol, and FCoE is Fibre Channel over Ethernet, a converged protocol for storage.
11
Q
Susan is preparing to decommission her organization’s archival DVD-ROMs that contain Top Secret data. How should she ensure that the data cannot be exposed?
A. Degauss
B. Zero wipe
C. Pulverize
D. Secure erase
A
C. Pulverize
Explanation:
The best way to ensure that data on DVDs is fully gone is to destroy them, and pulverizing DVDs is an appropriate means of destruction. DVD-ROMs are write-only media, meaning that secure erase and zero wipes won’t work. Degaussing only works on magnetic media and cannot guarantee that there will be zero data remanence.
12
Q
Susan is worried about a complex change and wants to ensure that the organization can recover if the change does not go as planned. What should she require in her role on the organization’s change advisory board (CAB)?
A. She should reject the change due to risk.
B. She should require a second change review.
C. She should ensure a backout plan exists.
D. She should ensure a failover plan exists.
A
C. She should ensure a backout plan exists.
Explanation:
Backout plans are required in some change management processes to ensure that the thought process and procedures for what to do if something does not go as planned are needed. Validating backout plan quality can be just as important as the change, and you may find, in many organizations, if nobody is watching
13
Q
Angie is configuring egress monitoring on her network to provide added security. Which one of the following packet types should Angie allow to leave the network headed for the internet?
A. Packets with a source address from Angie’s public IP address block
B. Packets with a destination address from Angie’s public IP address block
C. Packets with a source address outside Angie’s address block
D. Packets with a source address from Angie’s private address block
A
A. Packets with a source address from Angie’s public IP address block
Explanation:
All packets leaving Angie’s network should have a source address from her public IP address block. Packets with a destination address from Angie’s network should not be leaving the network. Packets with source addresses from other networks are likely spoofed and should be blocked by egress filters. Packets with private IP addresses as sources or destinations should never be routed onto the internet.
14
Q
Matt is conducting a penetration test against a Linux server and successfully gained access to an administrative account. He would now like to obtain the password hashes for use in a brute-force attack. Where is he likely to find the hashes, assuming the system is configured to modern security standards?
A. /etc/passwd
B. /etc/hash
C. /etc/secure
D. /etc/shadow
A
D. /etc/shadow
Explanation:
Security best practices dictate the use of shadowed password files that move the password hashes from the widely accessible /etc/passwd file to the more restricted /etc/shadow file.
15
Q
Theresa is implementing a new access control system and wants to ensure that developers do not have the ability to move code from development systems into the production environment. She wants to ensure that a developer who checks in code cannot then approve their own code as part of the process. What information security principle is she most directly enforcing?
A. Separation of duties
B. Two-person control
C. Least privilege
D. Job rotation
A
A. Separation of duties
Explanation:
While developers may feel like they have a business need to be able to move code into production, the principle of separation of duties dictates that they should not have the ability to both write code and place it on a production server. The deployment of code is often performed by change management staff.
16
Q
Which one of the following tools may be used to achieve the goal of nonrepudiation?
A.Digital signature
B. Symmetric encryption
C. Firewall
D. IDS
A
A.Digital signature
Explanation:
Applying a digital signature to a message allows the sender to achieve the goal of nonrepudiation. This allows the recipient of a message to prove to a third party that the message came from the purported sender. Symmetric encryption does not support nonrepudiation. Firewalls and IDS are network security tools that are not used to provide nonrepudiation.
17
Q
In this diagram of the TCP three-way handshake, what should system A send to system B in step 3?
A. ACK
B. SYN
C. FIN
D. RST
A
A. ACK
Explanation:
A. System A should send an ACK to end the three-way handshake. The TCP three-way handshake is SYN, SYN/ACK, ACK.
18
Q
What RADIUS alternative is commonly used for Cisco network gear and supports two-factor authentication?
A. RADIUS+
B. TACACS+
C. XTACACS
D. Kerberos
A
B. TACACS+
Explanation:
TACACS+ is the most modern version of TACACS, the Terminal Access Controller Access-Control System. It is a Cisco proprietary protocol with added features beyond what RADIUS provides, meaning it is commonly used on Cisco networks. XTACACS is an earlier version, Kerberos is a network authentication protocol rather than a remote user authentication protocol, and RADIUS+ is a made-up term.
19
Q
What two types of attacks are VoIP call managers and VoIP phones most likely to be susceptible to?
A. DoS and malware
B. Worms and Trojans
C. DoS and host OS attacks
D. Host OS attacks and buffer overflows
A
C. DoS and host OS attacks
Explanation:
Call managers and VoIP phones can be thought of as servers or appliances and embedded or network devices. That means that the most likely threats that they will face are denial-of-service (DoS) attacks and attacks against the host operating system. Malware and Trojans are less likely to be effective against a server or embedded system that doesn’t browse the internet or exchange data files; buffer overflows are usually aimed at specific applications or services.
20
Q
Vivian works for a chain of retail stores and would like to use a software product that restricts the software used on point-of-sale terminals to those packages on a preapproved list. What approach should Vivian use?
A.Antivirus
B. Heuristic
C. Whitelist
D. Blacklist
A
C. Whitelist
Explanation:
The blacklist approach to application control blocks certain prohibited packages but allows the installation of other software on systems. The whitelist approach uses the reverse philosophy and only allows approved software. It is worth noting that the terms blacklist and whitelist are increasingly deprecated and that you may encounter terms like block list or deny list and allow list as language and terminology shifts. As you prepare for the exam and your professional work, make sure to consider these equivalents. Antivirus software would only detect the installation of malicious software after the fact. Heuristic detection is a variant of antivirus software.
21
Q
For questions 21–23, please refer to the following scenario: Hunter is the facilities manager for DataTech, a large data center management firm. He is evaluating the installation of a flood prevention system at one of DataTech’s facilities. The facility and contents are valued at $100 million. Installing the new flood prevention system would cost $10 million. Hunter consulted with flood experts and determined that the facility lies within a 200-year flood plain and that, if a flood occurred, it would likely cause $20 million in damage to the facility.
Based on the information in this scenario, what is the exposure factor for the effect of a flood on DataTech's data center? A. 2 percent B. 20 percent C. 100 percent D. 200 percent
A
B. 20 percent
Explanation:
B. The exposure factor is the percentage of the facility that risk managers expect will be damaged if a risk materializes. It is calculated by dividing the amount of damage by the asset value. In this case, that is $20 million in damage divided by the $100 million facility value, or 20 percent.
22
Q
Based on the information in this scenario, what is the annualized rate of occurrence for a flood at DataTech's data center? A. 0.002 B. 0.005 C. 0.02 D. 0.05
A
B. 0.005
Explanation:
The annualized rate of occurrence is the number of times each year that risk analysts expect a risk to happen in any given year. In this case, the analysts expect floods once every 200 years, or 0.005 times per year.
23
Q
Based on the information in this scenario, what is the annualized loss expectancy for a flood at DataTech’s data center?
A. $40,000
B. $100,000
C. $400,000
D. $1,000,000
A
B. $100,000
Explanation:
The annualized loss expectancy is calculated by multiplying the single loss expectancy (SLE) by the annualized rate of occurrence (ARO). In this case, the SLE is $20 million, and the ARO is 0.005. Multiplying these numbers together gives you the ALE of $100,000.
24
Q
Which accounts are typically assessed during an account management assessment?
A. A random sample
B. Highly privileged accounts
C. Recently generated accounts
D. Accounts that have existed for long periods of time
A
B. Highly privileged accounts
Explanation:
The most frequent target of account management reviews are highly privileged accounts, as they create the greatest risk. Random samples are the second most likely choice. Accounts that have existed for a longer period of time are more likely to have a problem due to privilege creep than recently created accounts, but neither of these choices is likely unless there is a specific organizational reason to choose them.
25
Cloud computing uses a shared responsibility model for security, where the vendor and customer both bear some responsibility for security. The division of responsibility depends upon the type of service used. Place the cloud service offerings listed here in order from the case where the customer bears the least responsibility to where the customer bears the most responsibility.
1. IaaS
2. SaaS
3. PaaS
A. 1, 2, 3
B. 2, 1, 3
C. 3, 2, 1
D. 2, 3, 1
D. 2, 3, 1
Explanation:
The cloud service offerings in order from the case where the customer bears the least responsibility to where the customer bears the most responsibility are SaaS, PaaS, and IaaS. In an infrastructure as a service (IaaS) cloud computing model, the customer retains responsibility for managing operating system and application security, while the vendor manages security at the hypervisor level and below. In a platform as a service (PaaS) environment, the vendor takes on responsibility for the operating system, but the customer writes and configures any applications. In a software as a service (SaaS) environment, the vendor takes on responsibility for the development and implementation of the application while the customer merely configures security settings within the application.
26
What type of error occurs when a valid subject using a biometric authenticator is not authenticated?
A. A Type 1 error
B. A Type 2 error
C. A Type 3 error
D. A Type 4 error
A. A Type 1 error
Explanation:
Type 1 errors occur when a valid subject is not authenticated. Type 2 errors occur when an invalid subject is incorrectly authenticated. Type 3 and Type 4 errors are not associated with biometric authentication.
27
An emergency button under the desk is a common example of what type of physical security system?
A. An airgap button
B. A keylogger
C. A pushbutton lock
D. A duress system
D. A duress system
Explanation:
D. Duress systems are intended to allow employees to notify security or others when they are in a dangerous situation or when they need help. Duress systems may be as simple as a push button and as complex as a code word or digital system that allows specific entries to trigger alarms while still performing a desired or deceptive but real-appearing action.
28
Henry runs Nikto against an Apache web server and receives the output shown here.
Which of the following statements is the least important to include in his report?
A. The missing clickjacking x-frame options could be used to redirect input to a malicious site or frame.
B. Cross-site scripting protections should be enabled, but aren't.
C. Inode information leakage from a Linux system is a critical vulnerability allowing direct access to the filesystem using node references.
D. The server is a Linux server.
C. Inode information leakage from a Linux system is a critical vulnerability allowing direct access to the filesystem using node references.
Explanation:
Exposing inode information is not as important as the other information shown. Clickjacking and cross-site scripting are both important issues, and knowing that the server is a Linux server is also important.
29
George is assisting a prosecutor with a case against a hacker who attempted to break into the computer systems at George's company. He provides system logs to the prosecutor for use as evidence, but the prosecutor insists that George testify in court about how he gathered the logs. What rule of evidence requires George's testimony?
A. Testimonial evidence rule
B. Parol evidence rule
C. Best evidence rule
D. Hearsay rule
D. Hearsay rule
Explanation:
The hearsay rule says that a witness cannot testify about what someone else told them, except under very specific exceptions. The courts have applied the hearsay rule to include the concept that attorneys may not introduce logs into evidence unless they are authenticated by the system administrator. In this question, scenario George might also be able to provide a sworn affidavit, but the question doesn't include that option. The best evidence rule states that copies of documents may not be submitted into evidence if the originals are available. The parol evidence rule states that if two parties enter into a written agreement, that written document is assumed to contain all of the terms of the agreement. Testimonial evidence is a type of evidence, not a rule of evidence.
30
Which of the following is not a valid use for key risk indicators (KRIs)?
A. Provide warnings before issues occur.
B. Provide real-time incident response information.
C. Provide historical views of past incidents.
D. Provide insight into risk tolerance for the organization.
B. Provide real-time incident response information.
Explanation:
B. While key risk indicators can provide useful information for organizational planning and a deeper understanding of how organizations view risk, KRIs are not a great way to handle a real-time security response. Monitoring and detection systems like IPS, SIEM, and other tools are better suited to handling actual attacks.
31
Which one of the following malware types uses built-in propagation mechanisms that exploit system vulnerabilities to spread?
A. Trojan horse
B. Worm
C. Logic bomb
D. Virus
B. Worm
Explanation:
Worms have built-in propagation mechanisms that do not require user interaction, such as scanning for systems containing known vulnerabilities and then exploiting those vulnerabilities to gain access. Viruses and Trojan horses typically require user interaction to spread. Logic bombs do not spread from system to system but lie in wait until certain conditions are met, triggering the delivery of their payload.
32
As part of your company's security team, you have been asked to advise on how to ensure that media is not improperly used or stored. What solution will help staff members in your organization to handle media appropriately?
A. Labeling with sensitivity levels
B. Encrypting the sensitive media
C. Dual control media systems
D. A clear desk policy
A. Labeling with sensitivity levels
Explanation:
As simple as the answer may seem, labeling media or even color coding it with sensitivity levels and ensuring staff are appropriately trained on what the levels mean will normally have the biggest impact. Encrypting media can help, but without the labels, files may be stored on inappropriate media. A clear desk policy can help if casual media theft is an issue but is not likely to be an important control in this scenario. Dual control is used to ensure that a task cannot be performed by a single staff member to avoid malfeasance and is not directly useful here.
33
Alaina wants to use a broadly adopted threat modeling framework for her organization's threat intelligence efforts. Which of the following would you advise her to adopt if she wants to use pre-existing tools to help her threat modeling team integrate both internally created intelligence and external threat feed data?
A. The Diamond Model of Intrusion Analysis
B. ATT&CK
C. Microsoft's Threat-JUMP modeling system
D. Threat-EN
B. ATT&CK
Explanation:
MITRE's ATT&CK framework is broadly adopted by threat modeling and threat intelligence organizations and is used as a default model in many software packages and tools. The Diamond Model specifically addresses how to think about intrusions but does not address broader threats, and the other answers were made up for this question.
34
Which one of the following is not a principle of the Agile approach to software development?
A. The most efficient method of conveying information is electronic.
B. Working software is the primary measure of progress.
C. Simplicity is essential.
D. Businesspeople and developers must work together daily.
A. The most efficient method of conveying information is electronic.
Explanation:
The Agile approach to software development states that working software is the primary measure of progress, that simplicity is essential, and that businesspeople and developers must work together daily. It also states that the most efficient method of conveying information is face to face, not electronic.
35
Harry is concerned that accountants within his organization will modify data to cover up fraudulent activity in accounts that they normally access. Which one of the following controls would best defend against this type of attack?
A. Encryption
B. Access controls
C. Integrity verification
D. Firewalls
C. Integrity verification
Explanation:
C. Encryption, access controls, and firewalls would not be effective in this example because the accountants have legitimate access to the data. Integrity verification software would protect against this attack by identifying unexpected changes in protected data.
36
Ben wants to use the concept of crime prevention through environmental design to help secure his facility. Which of the following is not a common example of this design concept in use?
A. Mounting cameras in full view to act as a deterrent
B. Limiting the size of planters to avoid having them used to hide behind
C. Locating data centers at the edge of the building to enhance security
D. Making delivery access driveways and entrances less visible to the public
C. Locating data centers at the edge of the building to enhance security
Explanation:
Crime prevention through environmental design (CPTED) focuses on making crime less likely due to design elements. Data centers are often placed near the core of a building to make them easier to secure and less likely to be impacted by natural disasters or accidents. Mounting cameras where they can be seen, avoiding the creation of easy hiding places, and keeping delivery areas less visible and thus less attractive to access are all common techniques used in CPTED.
37
Meena wants to ensure that her supply chain risks are well managed. Which of the following is not a common practice she should include in her supply chain risk management (SCRM) plan?
A. Use contractual controls such as insurance and liability limitations where appropriate.
B. Sole source to provide vendor stability.
C. Ensure multiple suppliers exist for critical components.
D. Validate the financial stability of potential suppliers.
B. Sole source to provide vendor stability.
Explanation:
Sole sourcing can create additional fragility in supply chains due to reliance on a single supplier. Contractual controls including requirements for supplier insurance and liability limitations, having multiple suppliers, and validating their financial stability are all common ways to help reduce supply chain risk.
38
Using the following table and your knowledge of the auditing process, answer questions 38–40. As they prepare to migrate their data center to an infrastructure as a service (IaaS) provider, Susan's company wants to understand the effectiveness of their new provider's security, integrity, and availability controls. What SOC report would provide them with the most detail, including input from the auditor on the effectiveness of controls at the IaaS provider?
A. SOC 1.
B. SOC 2.
C. SOC 3.
D. None of the SOC reports is suited to this, and they should request another form of report.
B. SOC 2.
Explanation:
SOC 2 reports are released under NDA to select partners or customers and can provide detail on the controls and any issues they may have. A SOC 1 report would only provide financial control information, and a SOC 3 report provides less information since it is publicly available.
39
Susan wants to ensure that the audit report that her organization requested includes input from an external auditor and information about control implementation over a period of time. What type of report should she request?
A. SOC 2, Type 1
B. SOC 3, Type 1
C. SOC 2, Type 2
D. SOC 3, Type 2
C. SOC 2, Type 2
Explanation:
An SOC 2, Type 2 report includes information about a data center's security, availability, processing integrity, confidentiality, and privacy, and includes an auditor's opinion on the operational effectiveness of the controls. SOC 3 does not have types, and an SOC 2 Type 1 is only conducted at a point in time.
40
When Susan requests an SOC 2 report, she receives an SOC 1 report. What issue should Susan raise?
A. SOC 1 reports only reveal publicly available information.
B. SOC 1 reports cover financial data.
C. SOC 1 reports only cover a point in time.
D. SOC 1 reports only use a three-month period for testing.
B. SOC 1 reports cover financial data.
Explanation:
B. Susan asked for a security controls report (SOC 2) and received a financial internal controls report (SOC 1). This question doesn't specify whether a Type 1 or Type 2 report is desired, but most security practitioners will prefer a Type 2 report if they can get it since it tests the actual controls and their implementation instead of their descriptions.
41
Brad wants to engage third-party auditors to assess a vendor that his company will be signing a contract with. If Brad wants to assess the vendor's security policies and controls as well as the effectiveness of those controls as implemented over time, what SOC level and type should he request the auditors perform?
A. A SOC 1, Type 2
B. A SOC 2, Type 1
C. A SOC 1, Type 1
D. A SOC 2, Type 2
D. A SOC 2, Type 2
Explanation:
D. An SOC 2 assessment looks at controls that affect security, and a Type 2 report validates the operating effectiveness of the controls. SOC 1 engagement assesses controls that might impact financial reporting, and a Type 1 report provides the auditors opinions of the descriptions of controls provided by management at a single point in time—not the actual implementations of the controls.
42
Bell–LaPadula is an example of what type of access control model?
A. DAC
B. RBAC
C. MAC
D. ABAC
C. MAC
Explanation:
Bell–LaPadula uses security labels on objects and clearances for subjects and is therefore a MAC model. It does not use discretionary, rule-based, role-based, or attribute-based access control.
43
Martha is the information security officer for a small college and is responsible for safeguarding the privacy of student records. What law most directly applies to her situation?
A. HIPAA
B. HITECH
C. COPPA
D. FERPA
D. FERPA
Explanation:
The Family Educational Rights and Privacy Act (FERPA) protects the privacy of students in any educational institution that accepts any form of federal funding.
44
What U.S. federal law mandates the security of protected health information?
A. FERPA
B. SAFE Act
C. GLBA
D. HIPAA
D. HIPAA
Explanation:
The Health Insurance Portability and Accountability Act (HIPAA) mandates the protection of protected health information (PHI). The SAFE Act deals with mortgages, the Graham–Leach–Bliley Act (GLBA) covers financial institutions, and FERPA deals with student data.
45
Which one of the following techniques can an attacker use to exploit a TOC/TOU vulnerability?
A. File locking
B. Exception handling
C. Algorithmic complexity
D. Concurrency control
C. Algorithmic complexity
Explanation:
Attackers may use algorithmic complexity as a tool to exploit a time of change/time of use (TOC/TOU) condition. By varying the workload on the CPU, attackers may exploit the amount of time required to process requests and use that variance to effectively schedule the exploit's execution. File locking, exception handling, and concurrency controls are all methods used to defend against TOC/TOU attacks.
46
Susan is configuring her network devices to use syslog. What should she set to ensure that she is notified about issues but does not receive normal operational issue messages?
A. The facility code
B. The log priority
C. The security level
D. The severity level
D. The severity level
Explanation:
Implementations of syslog vary, but most provide a setting for severity level, allowing configuration of a value that determines what messages are sent. Typical severity levels include debug, informational, notice, warning, error, critical, alert, and emergency. The facility code is also supported by syslog, but is associated with which services are being logged. Security level and log priority are not typical syslog settings.
47
What RAID level is also known as disk mirroring?
A. RAID 0
B. RAID 1
C. RAID 3
D. RAID 5
B. RAID 1
Explanation:
B. In RAID 1, also known as disk mirroring, systems contain two physical disks. Each disk contains copies of the same data, and either one may be used in the event the other disk fails.
48
Isaac recently purchased a 48 port switch from his switch vendor. The switch vendor has announced that the model of switch that Isaac purchased will reach end of life next year. What does this tell Isaac about the devices?
A. The devices will stop being sold next year.
B. The devices will stop functioning next year.
C. The devices will no longer be supported next year.
D. The devices will be supported for a minimum of three more years.
A. The devices will stop being sold next year.
Explanation:
Most vendors use the term end of life, or EOL, to denote when the product will stop being sold.
End of support typically comes sometime after end of life, and this problem does not specify when end of support (EOS) will occur. Devices will still function after end of life and likely after end of support, but security professionals should raise concerns about the security of devices or software after the end of support because patches and updates will likely no longer be available.
49
Surveys, interviews, and audits are all examples of ways to measure what important part of an organization's security posture?
A. Code quality
B. Service vulnerabilities
C. Awareness
D. Attack surface
C. Awareness
Explanation:
C. Interviews, surveys, and audits are all useful for assessing awareness. Code quality is best judged by code review, service vulnerabilities are tested using vulnerability scanners and related tools, and the attack surface of an organization requires both technical and administrative review.
50
Tom is the general counsel for an internet service provider, and he recently received notice of a lawsuit against the firm because of copyrighted content illegally transmitted over the provider's circuits by a customer. What law protects Tom's company in this case?
A. Computer Fraud and Abuse Act
B. Digital Millennium Copyright Act
C. Wiretap Act
D. Copyright Code
B. Digital Millennium Copyright Act
Explanation:
The Digital Millennium Copyright Act extends common carrier protection to online service providers, which are not liable for the “transitory activities” of their customers.
51
A Type 2 authentication factor that generates dynamic passwords based on a time- or algorithm-based system is what type of authenticator?
A. A PII
B. A smart card
C. A token
D. A CAC
C. A token
Explanation:
C. Tokens are hardware devices (something you have) that generate a one-time password based on time or an algorithm. They are typically combined with another factor like a password to authenticate users. CAC and PIV cards are U.S. government–issued smartcards.
52
Fred's new employer has hired him for a position with access to their trade secrets and confidential internal data. What legal tool should they use to help protect their data if he chooses to leave to work at a competitor?
A. A stop-loss order
B. An NDA
C. An AUP
D. Encryption
B. An NDA
Explanation:
A nondisclosure agreement (NDA) is a legal agreement between two parties that specifies what data they will not disclose. NDAs are common in industries that have sensitive or trade secret information they do not want employees to take to new jobs. Encryption would only help in transit or at rest, and Fred will likely have access to the data in unencrypted form as part of his job. An AUP is an acceptable use policy, and a stop-loss order is used on the stock market.
53
Mark's company is involved in a civil case. What evidentiary standard is he likely to need to meet?
A. The real evidence standard
B. Beyond a reasonable doubt
C. Preponderance of evidence
D. The documentary evidence standard
C. Preponderance of evidence
Explanation:
C. Civil cases typically rely on a preponderance of evidence. Criminal cases must be proven beyond a reasonable doubt. Real evidence is object evidence—tangible things that can be brought into a court of law. Documentary evidence are written items used to prove facts. Neither of these is an evidentiary standard; instead, they describe types of evidence.
54
How many possible keys exist when using a cryptographic algorithm that has an 8-bit binary encryption key?
A. 16
B. 128
C. 256
D. 512
C. 256
Explanation:
Binary keyspaces contain a number of keys equal to 2 raised to the power of the number of bits. Two to the eighth power is 256, so an 8-bit keyspace contains 256 possible keys.
55
What activity is being performed when you apply security controls based on the specific needs of the IT system that they will be applied to?
A. Standardizing
B. Baselining
C. Scoping
D. Editing
C. Scoping
Explanation;
Scoping is the process of reviewing and selecting security controls based on the system that they will be applied to. Editing is not a commonly used term in this context. Baselines are used as a base set of security controls, often from a third-party organization that creates them. Standardization isn’t a relevant term here.
56
During what phase of the electronic discovery process does an organization perform a rough cut of the information gathered to discard irrelevant information?
A. Preservation
B. Identification
C. Collection
D. Processing
D. Processing
Explanation:
During the preservation phase, the organization ensures that information related to the matter at hand is protected against intentional or unintentional alteration or deletion. The identification phase locates relevant information but does not preserve it. The collection phase occurs after preservation and gathers responsive information. The processing phase performs a rough cut of the collected information for relevance.
57
Ben's job is to ensure that data is labeled with the appropriate sensitivity label. Since Ben works for the U.S. government, he has to apply the labels Unclassified, Confidential, Secret, and Top Secret to systems and media. If Ben is asked to label a system that handles Secret, Confidential, and Unclassified information, how should he label it?
A. Mixed classification
B. Confidential
C. Top Secret
D. Secret
D. Secret
Explanation:
Systems and media should be labeled with the highest level of sensitivity that they store or handle. In this case, based on the U.S. government classification scheme, the highest classification level in use on the system is Secret. Mixed classification provides no useful information about the level, whereas Top Secret and Confidential are too high and too low, respectively.
58
Susan has discovered that the smart card–based locks used to keep the facility she works at secure are not effective because staff members are propping the doors open. She places signs on the doors reminding staff that leaving the door open creates a security issue, and she adds alarms that will sound if the doors are left open for more than five minutes. What type of controls has she put into place?
A. Physical
B. Administrative
C. Compensating
D. Recovery
C. Compensating
Explanation:
C. She has placed compensation controls in place. Compensation controls are used when controls like the locks in this example are not sufficient. While the alarm is a physical control, the signs she posted are not. Similarly, the alarms are not administrative controls. None of these controls helps to recover from an issue, and they are thus not recovery controls.
59
Ben is concerned about password cracking attacks against his system. He would like to implement controls that prevent an attacker who has obtained those hashes from easily cracking them. What two controls would best meet this objective?
A. Longer passwords and salting
B. Over-the-wire encryption and use of SHA1 instead of MD5
C. Salting and use of MD5
D. Using shadow passwords and salting
A. Longer passwords and salting
Explanation:
A. Rainbow tables rely on being able to use databases of precomputed hashes to quickly search for matches to known hashes acquired by an attacker. Making passwords longer can greatly increase the size of the rainbow table required to find the matching hash, and adding a salt to the password will make it nearly impossible for the attacker to generate a table that will match unless they can acquire the salt value. MD5 and SHA1 are both poor choices for password hashing compared to modern password hashes, which are designed to make hashing easy and recovery difficult. Rainbow tables are often used against lists of hashes acquired by attacks rather than over-the-wire attacks, so over-the-wire encryption is not particularly useful here. Shadow passwords simply make the traditionally world-readable list of password hashes on Unix and Linux systems available in a location readable only by root. This doesn't prevent a rainbow table attack once the hashes are obtained.
60
Which group is best suited to evaluate an organization's administrative controls and provide credible reports to a third party?
A. Internal auditors
B. Penetration testers
C. External auditors
D. Employees who design, implement, and monitor the controls
C. External auditors
Explanation:
C. External auditors can provide an unbiased and impartial view of an organization's controls to third parties. Internal auditors are useful when reporting to senior management of the organization but are typically not asked to report to third parties. Penetration tests test technical controls but are not as well suited to testing many administrative controls. The employees who build and maintain controls are more likely to bring a bias to the testing of those controls and should not be asked to report on them to third parties.
61
Lucca's manager does not want to adopt an open source software package for their organization's web application stack. What software security advantage is the most important when considering open source software packages?
A. The fact that the code is not compiled
B. The fact the code is free
C. The ability to inspect the code
D. The ability to change the code
C. The ability to inspect the code
Explanation:
The ability to inspect open source software means that organizations can inspect it, but more importantly that others can and often have also inspected it. This results in software that has had far more review than some closed-source or commercial packages (although large organizations may perform more review). The ability to change the code can sometimes be important as well, but changing open source code in-house can create maintenance issues in the future. Open source software may be compiled, but the source will still be available. The code being free is not a security advantage or disadvantage.
62
As part of hiring a new employee, Kathleen's identity management team creates a new user object and ensures that the user object is available in the directories and systems where it is needed. What is this process called?
A. Registration
B. Provisioning
C. Population
D. Authenticator loading
B. Provisioning
Explanation:
Provisioning includes the creation, maintenance, and removal of user objects from applications, systems, and directories. Registration occurs when users are enrolled in a biometric system; population and authenticator loading are not common industry terms.
63
What phase of the change management process for software occurs when changes are finalized?
A. Request control
B. Configuration control
C. Release control
D. Change control
C. Release control
Explanation:
Release control occurs after changes are finalized. With changes that are ready to be implemented in hand, release managers can follow their process with steps that typically include removing debugging code and conducting acceptance testing. Request control is the start of a process that allows users to submit change requests, while change control handles the process of ensuring quality assurance happens, that documentation is done, and that security testing is handled. Finally, configuration control is part of software configuration management, not the change process.
64
Alice is designing a cryptosystem for use by six users and would like to use a symmetric encryption algorithm. She wants any two users to be able to communicate with each other without worrying about eavesdropping by a third user. How many symmetric encryption keys will she need to generate?
A. 6
B. 12
C. 15
D. 30
C. 15
Explanation:
The formula for determining the number of encryption keys required by a symmetric algorithm is ((n*(n − 1))/2). With six users, you will need ((6*5)/2), or 15 keys.
65
Which one of the following intellectual property protection mechanisms has the shortest duration in the United States?
A. Copyright
B. Patent
C. Trademark
D. Trade secret
B. Patent
Explanation:
Patents have the shortest duration of the techniques listed: at most, 20 years. Copyrights last for 70 years beyond the death of the author if owned by an individual, or 95 years from publication or 120 years from creation if owned by a corporation. Trademarks are renewable indefinitely, and trade secrets are protected as long as they remain secret.
66
Gordon is developing a business continuity plan for a manufacturing company's IT operations. The company is located in North Dakota and currently evaluating the risk of earthquake. They choose to pursue a risk acceptance strategy. Which one of the following actions is consistent with that strategy?
A. Purchasing earthquake insurance
B. Relocating the data center to a safer area
C. Documenting the decision-making process
D. Reengineering the facility to withstand the shock of an earthquake
C. Documenting the decision-making process
Explanation:
C. In a risk acceptance strategy, the organization chooses to take no action other than documenting the risk. Purchasing insurance would be an example of risk transference. Relocating the data center would be risk avoidance. Reengineering the facility is an example of a risk mitigation strategy.
67
Carol would like to implement a control that protects her organization from the momentary loss of power to the data center. Which control is most appropriate for her needs?
A. Redundant servers
B. RAID
C. UPS
D. Generator
C. UPS
Explanation:
C. Uninterruptible power supplies (UPSs) provide immediate, battery-driven power for a short period of time to cover momentary losses of power. Generators are capable of providing backup power for a sustained period of time in the event of a power loss, but they take time to activate. RAID and redundant servers are high-availability controls but do not cover power loss scenarios.
68
Ben has encountered problems with users in his organization reusing passwords, despite a requirement that they change passwords every 30 days. What type of password setting should Ben employ to help prevent this issue?
A. Longer minimum age
B. Increased password complexity
C. Implement password history
D. Implement password length requirements
C. Implement password history
Explanation:
Password histories retain a list of previous passwords, preferably a list of salted hashes for previous passwords, to ensure that users don't reuse their previous passwords. Longer minimum age can help prevent users from changing their passwords and then changing them back but won't prevent a determined user from eventually getting their old password back. Length requirements and complexity requirements tend to drive users to reuse passwords if they're not paired with tools like single sign-on, password storage systems, or other tools that decrease the difficulty of password management.
69
Chris is conducting a risk assessment for his organization and has determined the amount of damage that a single flood could be expected to cause to his facilities. What metric has Chris identified?
A. ALE
B. SLE
C. ARO
D. AV
B. SLE
Explanation;
The Single Loss Expectancy (SLE) is the amount of damage that a risk is expected to cause each time that it occurs.
70
The removal of a hard drive from a PC before it is retired and sold as surplus is an example of what type of action?
A. Purging
B. Sanitization
C. Degaussing
D. Destruction
B. Sanitization
Explanation;
Sanitization includes steps such as removing the hard drive and other local storage from PCs before they are sold as surplus. Degaussing uses magnetic fields to wipe media; purging is an intense form of clearing used to ensure that data is removed and unrecoverable from media; and removing does not necessarily imply destruction of the drive.
71
During which phase of the incident response process would an organization determine whether it is required to notify law enforcement officials or other regulators of the incident?
A. Detection
B. Recovery
C. Remediation
D. Reporting
D. Reporting
Explanation;
During the Reporting phase, incident responders assess their obligations under laws and regulations to report the incident to government agencies and other regulators.
72
Every 90 days, the staff in Charles's department at his bank switch tasks as part of the organization's normal processes to ensure that an individual does not exploit their privileges. What security practice is his organization engaging in?
A. Dual control
B. Job rotation
C. Cross-training
D. Offboarding
B. Job rotation
Explanation:
The bank that Charles works at is using job rotation to ensure that employees are not exploiting the rights and permissions that they have in their roles. The practice is intended to allow the next person in the role to identify irregularities and to prevent individuals from hiding malfeasance. Dual control requires two or more staff members to complete a task to ensure that a single employee cannot abuse their role.
Cross-training is used to ensure that multiple staff members have the skills needed to perform a task or role so the loss of a staff member does not cause the organization's inability to perform the service.
73
Michelle is in charge of her organization's mobile device management efforts and handles lost and stolen devices. Which of the following recommendations will provide the most assurance to her organization that data will not be lost if a device is stolen?
A. Mandatory passcodes and application management
B. Full device encryption and mandatory passcodes
C. Remote wipe and GPS tracking
D. Enabling GPS tracking and full device encryption
B. Full device encryption and mandatory passcodes
Explanation:
While full device encryption doesn't guarantee that data cannot be accessed, it provides Michelle's best option for preventing data from being lost with a stolen device when paired with a passcode. Mandatory passcodes and application management can help prevent application-based attacks and unwanted access to devices, but won't keep the data secure if the device is lost. Remote wipe and GPS location is useful if the thief allows the device to connect to a cellular or WiFi network. Unfortunately, many modern thieves immediately take steps to ensure that the device will not be trackable or allowed to connect to a network before they capture data or wipe the device for resale.
74
Susan's SMTP server does not authenticate senders before accepting and relaying email. What is this security configuration issue known as?
A. An email gateway
B. An SMTP relay
C. An X.400-compliant gateway
D. An open relay
D. An open relay
Explanation:
SMTP servers that don't authenticate users before relaying their messages are known as open relays. Open relays that are internet-exposed are typically quickly exploited to send email for spammers.
75
For questions 75–77, please refer to the following scenario: The large business that Jack works for has been using noncentralized logging for years. They have recently started to implement centralized logging, however, and as they reviewed logs, they discovered a breach that appeared to have involved a malicious insider.
When the breach was discovered and the logs were reviewed, it was discovered that the attacker had purged the logs on the system that they compromised. How can this be prevented in the future?
A. Encrypt local logs.
B. Require administrative access to change logs.
C. Enable log rotation.
D. Send logs to a bastion host.
D. Send logs to a bastion host.
Explanation:
Sending logs to a secure log server, sometimes called a bastion host, is the most effective way to ensure that logs survive a breach. Encrypting local logs won't stop an attacker from deleting them, and requiring administrative access won't stop attackers who have breached a machine and acquired escalated privileges. Log rotation archives logs based on time or file size and can also purge logs after a threshold is hit. Rotation won't prevent an attacker from purging logs.
76
How can Jack detect issues such as this using his organization's new centralized logging?
A. Deploy and use an IDS.
B. Send logs to a central logging server.
C. Deploy and use a SIEM.
D. Use syslog.
C. Deploy and use a SIEM.
Explanation:
A security information and event management (SIEM) tool is designed to provide automated analysis and monitoring of logs and security events. A SIEM tool that receives access to logs can help detect and alert on events such as logs being purged or other breach indicators. An IDS can help detect intrusions, but IDSs are not typically designed to handle central logs. A central logging server can receive and store logs but won't help with analysis without taking additional actions. Syslog is simply a log format.
77
How can Jack best ensure accountability for actions taken on systems in his environment?
A. Log review and require digital signatures for each log.
B. Require authentication for all actions taken and capture logs centrally.
C. Log the use of administrative credentials and encrypt log data in transit.
D> Require authorization and capture logs centrally.
B. Require authentication for all actions taken and capture logs centrally.
Explanation:
Requiring authentication can help provide accountability by ensuring that any action taken can be tracked back to a specific user. Storing logs centrally ensures that users can't erase the evidence of actions that they have taken. Log review can be useful when identifying issues, but digital signatures are not a typical part of a logging environment. Logging the use of administrative credentials helps for those users but won't cover all users, and encrypting the logs doesn't help with accountability. Authorization helps, but being able to specifically identify users through authentication is more important.
78
Ed's organization has 5 IP addresses allocated to them by their ISP but needs to connect more than 100 computers and network devices to the internet. What technology can he use to connect his entire network via the limited set of IP addresses he can use?
A. IPsec
B. PAT
C. SDN
D. IPX
B. PAT
Explanation:
Port Address Translation (PAT) is used to allow a network to use any IP address set inside without causing a conflict with the public internet. PAT is often confused with Network Address Translation (NAT), which maps one internal address to one external address. IPsec is a security protocol suite, software-defined networking (SDN) is a method of defining networks programmatically, and IPX is a non-IP network protocol.
79
What type of attack would the following precautions help prevent?
Requesting proof of identity
Requiring callback authorizations on voice-only requests
Not changing passwords via voice communications
What type of attack would the following precautions help prevent?
A. DoS attacks
B. Worms
C. Social engineering
D. Shoulder surfing
C. Social engineering
Explanation:
Each of the precautions listed helps to prevent social engineering by helping prevent exploitation of trust. Avoiding voice-only communications is particularly important, since establishing identity over the phone is difficult. The other listed attacks would not be prevented by these techniques.
80
The CIS benchmarks are an example of what sort of compliance tool?
A. A security baseline
B. A compliance standard
C. A secure provisioning tool
D. A security automation tool
A. A security baseline
Explanation:
The CIS benchmarks provide a useful security standard and baseline to assess systems against or to configure them to. Organizations can adapt and modify the baseline to meet their specific needs while speeding up deployment by using an accepted industry standard. They are not a compliance standard and do not provide provisioning or automation, but tools that do may use the benchmark as a standard to do so.
81
Residual data is another term for what type of data left after attempts have been made to erase it?
A. Leftover data
B. MBR
C. Bitrot
D. Remnant data
D. Remnant data
Explanation;
Remnant data is data that is left after attempts have been made to remove or erase it. Bitrot is a term used to describe aging media that decays over time. MBR is the master boot record, a boot sector found on hard drives and other media. Leftover data is not an industry term.
82
Which one of the following disaster recovery test types involves the actual activation of the disaster recovery facility?
A. Simulation test
B. Tabletop exercise
C. Parallel test
D. Checklist review
C. Parallel test
Explanation:
C. During a parallel test, the team activates the disaster recovery site for testing, but the primary site remains operational. A simulation test involves a role-play of a prepared scenario overseen by a moderator. Responses are assessed to help improve the organization's response process. The checklist review is the least disruptive type of disaster recovery test. During a checklist review, team members each review the contents of their disaster recovery checklists on their own and suggest any necessary changes. During a tabletop exercise, team members come together and walk through a scenario without making any changes to information systems.
83
What access control system lets owners decide who has access to the objects they own?
A. Role-based access control
B. Task-based access control
C. Discretionary access control
D. Rule-based access control
C. Discretionary access control
Explanation:
Discretionary access control gives owners the right to decide who has access to the objects they own. Role-based access control uses administrators to make that decision for roles or groups of people with a role, task-based access control uses lists of tasks for each user, and rule-based access control applies a set of rules to all subjects.
84
Using a trusted channel and link encryption are both ways to prevent what type of access control attack?
A. Brute-force
B. Spoofed login screens
C. Man-in-the-middle attacks
D. Dictionary attacks
C. Man-in-the-middle attacks
Explanation:
C. Trusted paths that secure network traffic from capture and link encryption are both ways to help prevent man-in-the-middle attacks. Brute-force and dictionary attacks can both be prevented using back-off algorithms that slow down repeated attacks. Log analysis tools can also create dynamic firewall rules, or an IPS can block attacks like these in real time. Spoofed login screens can be difficult to prevent, although user awareness training can help.
85
Which one of the following is not one of the canons of the (ISC)2 Code of Ethics?
A. Protect society, the common good, necessary public trust and confidence, and the infrastructure.
B. Act honorably, honestly, justly, responsibly, and legally.
C. Provide diligent and competent service to principals.
D. Maintain competent records of all investigations and assessments.
D. Maintain competent records of all investigations and assessments.
Explanation:
D. The four canons of the (ISC)2 Code of Ethics are to protect society, the common good, the necessary public trust and confidence, and the infrastructure; act honorably, honestly, justly, responsibly, and legally; provide diligent and competent service to principals; and advance and protect the profession.
86
Which one of the following components should be included in an organization's emergency response guidelines?
A. Immediate response procedures
B. Long-term business continuity protocols
C. Activation procedures for the organization's cold sites
D. Contact information for ordering equipment
A. Immediate response procedures
Explanation;
The emergency response guidelines should include the immediate steps an organization should follow in response to an emergency situation. These include immediate response procedures, a list of individuals who should be notified of the emergency, and secondary response procedures for first responders. They do not include long-term actions such as activating business continuity protocols, ordering equipment, or activating DR sites.
87
Ben is working on integrating a federated identity management system and needs to exchange authentication and authorization information for browser-based single sign-on. What technology is his best option?
A. HTML
B. XACML
C. SAML
D. SPML
C. SAML
Explanation:
C. Security Assertion Markup Language (SAML) is the best choice for providing authentication and authorization information, particularly for browser-based SSO. HTML is primarily used for web pages, SPML is used to exchange user information for SSO, and XACML is used for access control policy markup.
88
What is the minimum interval at which an organization should conduct business continuity plan refresher training for those with specific business continuity roles?
A. Weekly
B. Monthly
C. Semiannually
D. Annually
D. Annually
Explanation:
D. Individuals with specific business continuity roles should receive training on at least an annual basis.
89
What three types of interfaces are typically tested during software testing?
A. Network, physical, and application interfaces
B. APIs, UIs, and physical interfaces
C. Network interfaces, APIs, and UIs
D. Application, programmatic, and user interfaces
B. APIs, UIs, and physical interfaces
Explanation:
Application programming interfaces (APIs), user interfaces (UIs), and physical interfaces are all tested during the software testing process. Network interfaces are not typically tested, and programmatic interfaces is another term for APIs.
90
Amanda wants to monitor her LDAP servers to identify which types of queries are causing problems. What type of monitoring should she use if she wants to be able to use the production servers and actual traffic for her testing?
A. Active
B. Real-time
C. Passive
D. Replay
C. Passive
Explanation:
Since Amanda wants to monitor her production server, she should use passive monitoring by employing a network tap, span port, or other means of copying actual traffic to a monitoring system that can identify performance and other problems. This will avoid introducing potentially problematic traffic on purpose while capturing actual traffic problems. Active monitoring relies on synthetic or previously recorded traffic, and both replay and real time are not common industry terms used to describe types of monitoring.
91
Steve is developing an input validation routine that will protect the database supporting a web application from SQL injection attack. Where should Steve place the input validation code?
A. JavaScript embedded in the web pages
B. Back-end code on the web server
C. Stored procedure on the database
D. Code on the user's web browser
B. Back-end code on the web server
Explanation;
For web applications, input validation should always be performed on the web application server. By the time the input reaches the database, it is already part of a SQL command that is properly formatted and input validation would be far more difficult, if it is even possible. Input validation controls should never reside in the client's browser, as is the case with JavaScript, because the user may remove or tamper with the validation code.
92
Ben is selecting an encryption algorithm for use in an organization with 10,000 employees. He must facilitate communication between any two employees within the organization. Which one of the following algorithms would allow him to meet this goal with the least time dedicated to key management?
A. RSA
B. IDEA
C.3DES
D. Skipjack
A. RSA
Explanation:
RSA is an asymmetric encryption algorithm that requires only two keys for each user. IDEA, 3DES, and Skipjack are all symmetric encryption algorithms and would require a key for every unique pair of users in the system.
93
Grace is considering the use of new identification cards in her organization that will be used for physical access control. She comes across the sample card shown here and is unsure of the technology it uses. What type of card is this?
A. Smart card
B. Phase-two card
C. Proximity card
D. Magnetic stripe card
D. Magnetic stripe card
Explanation:
The image clearly shows a black magnetic stripe running across the card, making this an example of a magnetic stripe card.
94
What type of log file is shown in this figure?
A. Application
B. Web server
C. System
D. Firewall
D. Firewall
Explanation:
The log entries contained in this example show the allow/deny status for inbound and outbound TCP and UDP sessions. This is, therefore, an example of a firewall log.
95
Which one of the following activities transforms a zero-day vulnerability into a less dangerous attack vector?
A. Discovery of the vulnerability
B. Implementation of transport-layer encryption
C. Reconfiguration of a firewall
D. Release of a security patch
D. Release of a security patch
Explanation:
D. Zero-day vulnerabilities remain in the dangerous zero-day category until the release of a patch that corrects the vulnerability. At that time, it becomes the responsibility of IT professionals to protect their systems by applying the patch. Implementation of other security controls, such as encryption or firewalls, does not change the nature of the zero-day vulnerability.
96
Elle's organization has had to shift to remote work. Each staff member needs access to specific applications, and due to the quick shift, staff members are working from systems that may be home systems or borrowed laptops.
What is the best option for remote access in a situation like the one that Elle is facing?
A. An IPsec VPN
B. A dedicated fiber connection to each remote work location
C. An HTML5-based VPN
D. Use of remote desktop to connect to an existing workstation at the company's office building
C. An HTML5-based VPN
Explanation:
An HTML5-based VPN will provide Elle's staff with access to the applications they need without requiring the installation of a client that might be challenging or impossible without managed machines. A client-based IPsec VPN provides additional opportunities for control that a broadly deployed base of directly accessed machines via RDP do not, making it the second-best choice here. Deploying fiber for direct connections for end users is not viable for most organizations based on cost and complexity.
97
Susan wants to monitor traffic between systems in a VMware environment. What solution would be her best option to monitor that traffic?
A. Use a traditional hardware-based IPS.
B. Install Wireshark on each virtual system.
C. Set up a virtual span port and capture data using a VM IDS.
D. Use netcat to capture all traffic sent between VMs.
C. Set up a virtual span port and capture data using a VM IDS.
Explanation:
Using a virtual machine to monitor a virtual span port allows the same type of visibility that it would in a physical network if implemented properly. Installing Wireshark would allow monitoring on each system but doesn't scale well. A physical appliance would require all traffic to be sent out of the VM environment, losing many of the benefits of the design. Finally, netcat is a network tool used to send or receive data, but it isn't a tool that allows packet capture of traffic between systems.
98
For questions 98–101, please refer to the following scenario: Matthew and Richard are friends located in different physical locations who would like to begin communicating with each other using cryptography to protect the confidentiality of their communications. They exchange digital certificates to begin this process and plan to use an asymmetric encryption algorithm for the secure exchange of email messages.
When Matthew sends Richard a message, what key should he use to encrypt the message?
A. Matthew's public key
B. Matthew's private key
C. Richard's public key
D. Richard's private key
C. Richard's public key
Explanation:
C. The sender of a message encrypts the message using the public key of the message recipient.
99
When Richard receives the message from Matthew, what key should he use to decrypt the message?
A. Matthew's public key
B. Matthew's private key
C. Richard's public key
D. Richard's private key
D. Richard's private key
Explanation:
The recipient of a message uses his or her own private key to decrypt messages that were encrypted with the recipient's public key. This ensures that nobody other than the intended recipient can decrypt the message.
100
Matthew would like to enhance the security of his communication by adding a digital signature to the message. What goal of cryptography are digital signatures intended to enforce?
A. Secrecy
B. Availability
C. Confidentiality
D. Nonrepudiation
D. Nonrepudiation
Explanation:
Digital signatures enforce nonrepudiation. They prevent individuals from denying that they were the actual originator of a message.
101
When Matthew goes to add the digital signature to the message, what encryption key does he use to create the digital signature?
A. Matthew's public key
B. Matthew's private key
C. Richard's public key
D. Richard's private key
B. Matthew's private key
Explanation:
An individual creates a digital signature by encrypting the message digest with their own private key.
102
When Jim logs into a system, his password is compared to a hashed value stored in a database. What is this process?
A. Identification
B. Hashing
C. Tokenization
D. Authentication
D. Authentication
Explanation:
The comparison of a factor to validate an identity is known as authentication. Identification would occur when Jim presented his user ID. Tokenization is a process that converts a sensitive data element to a nonsensitive representation of that element. Hashing transforms a string of characters into a fixed-length value or key that represents the original string.
103
What is the top priority for security professionals when considering facility design?
A. Limiting access to only approved personnel
B. Ensuring that the structure supports least privilege
C. Ensuring the safety of personnel
D. Limiting the potential for weather or other natural disasters to imp
C. Ensuring the safety of personnel
Explanation:
C. The most important item in facility design is the safety of personnel. Once designs take that into account, security, operational effectiveness, and other concerns can be addressed.
104
Which of the following types of controls does not describe a mantrap?
A. Deterrent
B. Preventive
C. Compensating
D. Physical
C. Compensating
Explanation:
A mantrap, which is composed of two sets of doors with an access mechanism that allows only one door to open at a time, is an example of a preventive access control because it can stop unwanted access by keeping intruders from accessing a facility due to an opened door or following legitimate staff in. It can serve as a deterrent by discouraging intruders who would be trapped in it without proper access, and of course, doors with locks are an example of a physical control. A compensating control attempts to make up for problems with an existing control or to add additional controls to improve a primary control.
105
Sally's organization needs to be able to prove that certain staff members sent emails, and she wants to adopt a technology that will provide that capability without changing their existing email system. What is the technical term for the capability Sally needs to implement as the owner of the email system, and what tool could she use to do it?
A. Integrity; IMAP
B. Repudiation; encryption
C. Nonrepudiation; digital signatures
D. Authentication; DKIM
C. Nonrepudiation; digital signatures
Explanation:
Sally needs to provide nonrepudiation, the ability to provably associate a given email with a sender. Digital signatures can provide nonrepudiation and are her best option. IMAP is a mail protocol, encryption can provide confidentiality, and DKIM is a tool for identifying domains that send email.
106
Which one of the following background checks is not normally performed during normal pre-hire activities?
A. Credit check
B. Reference verification
C. Criminal records check
D. Medical records check
D. Medical records check
Explanation:
In most situations, employers may not access medical information due to healthcare privacy laws. Reference checks, criminal records checks, and credit history reports are all typically found during pre-employment background checks.
107
Naomi's organization limits data access to only those users with roles that require it for their job. What key security operations practice does this describe?
A. Least privilege
B. Privileged account management
C. Job rotation
D. Privilege escalation
A. Least privilege
Explanation:
Naomi's organization operates under the concept of least privilege. Individuals only receive the rights that they need to accomplish their task. This also means that the organization will need to ensure that those rights do not accrue to users over time and that they are changed or removed when user roles change. Privileged account management is the process of properly managing accounts with higher levels of privilege like administrative accounts. Job rotation moves employees between roles to ensure that they do not take advantage of the role and that a new set of eyes can help identify problems. Privilege escalation is the process of gaining additional rights when attacking systems or services.
108
In the OSI model, when a packet changes from a data stream to a segment or a datagram, what layer has it traversed?
A. The Transport layer
B. The Application layer
C. The Data Link layer
D. The Physical layer
A. The Transport layer
Explanation:
When a data stream is converted into a segment (TCP) or a datagram (UDP), it transitions from the Session layer to the Transport layer. This change from a message sent to an encoded segment allows it to then traverse the Network layer.
109
Tommy handles access control requests for his organization. A user approaches him and explains that he needs access to the human resources database in order to complete a head-count analysis requested by the CFO. What has the user demonstrated successfully to Tommy?
A. Clearance
B. Separation of duties
C. Need to know
D. Isolation
C. Need to know
Explanation:
C. The user has successfully explained a valid need to know the data—completing the report requested by the CFO requires this access. However, the user has not yet demonstrated that they have appropriate clearance to access the information. A note from the CFO would meet this requirement.
110
Kathleen wants to set up a service to provide information about her organization's users and services using a central, open, vendor-neutral, standards-based system that can be easily queried. Which of the following technologies is her best choice?
A. RADIUS
B. LDAP
C. Kerberos
D.Active Directory
B. LDAP
Explanation:
B. Kathleen's needs point to a directory service, and the Lightweight Directory Access Protocol (LDAP) would meet her needs. LDAP is an open, industry-standard, and vendor-neutral protocol for directory services. Kerberos and RADIUS are both authentication protocols, and Active Directory is a Microsoft product and is not vendor-neutral, although it does support a number of open standards.
111
What type of tool is most frequently used to match assets to users and owners in enterprises?
A. An enterprise content management tool
B. Barcoded property tags
C. RFID-based property tags
D. A system inventory
D. A system inventory
Explanation:
D. A system inventory is most frequently used to associate individuals with systems or devices. This can help when tracking their support history and aids in provisioning the proper tools, permissions, and data to a system. Both barcode and RFID property tags are used to identify systems, which can then be checked against a system inventory. Finally, enterprise content management tools are used to manage files and data as part of workflows and other business processes.
112
Alice would like to add another object to a security model and grant herself rights to that object. Which one of the rules in the Take-Grant protection model would allow her to complete this operation?
A. Take rule
B. Grant rule
C. Create rule
D. Remove rule
C. Create rule
Explanation:
The create rule allows a subject to create new objects and also creates an edge from the subject to that object, granting rights on the new object.
113
Which of the following concerns should not be on Amanda's list of potential issues when penetration testers suggest using Metasploit during their testing?
A. Metasploit can only test vulnerabilities it has plug-ins for.
B. Penetration testing only covers a point-in-time view of the organization's security.
C. Tools like Metasploit can cause denial-of-service issues.
D. Penetration testing cannot test process and policy.
A. Metasploit can only test vulnerabilities it has plug-ins for.
Explanation:
Metasploit provides an extensible framework, allowing penetration testers to create their own exploits in addition to those that are built into the tool. Unfortunately, penetration testing can only cover the point in time when it is conducted. When conducting a penetration test, the potential to cause a denial of service due to a fragile service always exists, but it can test process and policy through social engineering and operational testing that validates how those processes and policies work.
114
Colin is reviewing a system that has been assigned the EAL7 evaluation assurance level under the Common Criteria. What is the highest level of assurance that he may have about the system?
A. It has been functionally tested.
B. It has been methodically tested and checked.
C. It has been methodically designed, tested, and reviewed.
D. It has been formally verified, designed, and tested.
D. It has been formally verified, designed, and tested.
Explanation:
EAL7 is the highest level of assurance under the Common Criteria. It applies when a system has been formally verified, designed, and tested.
115
Which ITU-T standard should Alex expect to see in use when he uses his smart card to provide a certificate to an upstream authentication service?
A. X.500
B. SPML
C. X.509
D. SAML
C. X.509
Explanation:
X.509 defines standards for public key certificates like those used with many smartcards. X.500 is a series of standards defining directory services. The Service Provisioning Markup Language (SPML) and the Security Assertion Markup Language (SAML) aren't standards that Alex should expect to see when using a smartcard to authenticate.
116
What type of websites are regulated under the terms of COPPA?
A. Financial websites not run by financial institutions
B. Healthcare websites that collect personal information
C. Websites that collect information from children
D. Financial websites run by financial institutions
C. Websites that collect information from children
Explanation:
The Children's Online Privacy Protection Act (COPPA) regulates websites that cater to children or knowingly collect information from children under the age of 13.
117
Tracy recently accepted an IT compliance position at a federal government agency that works very closely with the Defense Department on classified government matters. Which one of the following laws is least likely to pertain to Tracy's agency?
A. HIPAA
B. FISMA
C. HSA
D. CFAA
A. HIPAA
Explanation:
The Health Insurance Portability and Accountability Act (HIPAA) applies to healthcare information and is unlikely to apply in this situation. The Federal Information Security Management Act (FISMA) and Government Information Security Reform Act regulate the activities of all government agencies. The Homeland Security Act (HSA) created the U.S. Department of Homeland Security and, more importantly for this question, included the Cyber Security Enhancement Act of 2002 and the Critical Infrastructure Information Act of 2002. The Computer Fraud and Abuse Act (CFAA) provides specific protections for systems operated by government agencies.
118
Referring to the figure shown here, what is the name of the security control indicated by the arrow?
A. Mantrap
B. Intrusion prevention system
C. Turnstile
D. Portal
C. Turnstile
Explanation:
C. Turnstiles are unidirectional gates that prevent more than a single person from entering a facility at a time.
119
What two important factors does accountability for access control rely on?
A. Identification and authorization
B. Authentication and authorization
C. Identification and authentication
D. Accountability and authentication
C. Identification and authentication
Explanation:
Access control systems rely on identification and authentication to provide accountability. Effective authorization systems are desirable, but not required, since logs can provide information about who accessed what resources, even if access to those resources is not managed well. Of course, poor authorization management can create many other problems.
120
What part of the CIA triad does a checksum support?
A. Availability
B. Integrity
C. Confidentiality
D. Authenticity
B. Integrity
Explanation:
Checksums validate whether a file or other data object has been changed or modified, and thus, they support integrity.
121
Scott's organization has configured their external IP address to be 192.168.1.25. When traffic is sent to their ISP, it never reaches its destination. What problem is Scott's organization encountering?
A. BGP is not set up properly.
B. They have not registered their IP with their ISP.
C. The IP address is a private, nonroutable address.
D. 192.168.1.25 is a reserved address for home routers.
C. The IP address is a private, nonroutable address.
Explanation:
C. The 192.168.0.0 to 192.168.255.255 address range is one of the ranges defined by RFC 1918 as private, nonroutable IP ranges. Scott's ISP (and any other organization with a properly configured router) will not route traffic from these addresses over the public internet.
122
Jack's organization merges updates to their main application multiple times a day and then deploys it as code that is checked in and tested through their software development pipeline. What type of model is this?
A. Waterfall
B. CI/CD
C. SCM
D. IDE
B. CI/CD
Explanation:
Jack's organization is using a continuous integration/continuous deliver (CI/CD) model where the application is updated and deployed on an ongoing basis. This can allow for an agile application but requires strong testing and validation practices to ensure that bad code doesn't make it into production. Waterfall is a development model that is based on a slower, precise process. SCM is software configuration management, and an IDE is an integrated development environment.
123
Sue's organization recently failed a security assessment because their network was a single flat broadcast domain, and sniffing traffic was possible between different functional groups. What solution should she recommend to help prevent the issues that were identified?
A. Use VLANs.
B. Change the subnet mask for all systems.
C. Deploy gateways.
D. Turn on port security.
A. Use VLANs.
Explanation:
A well-designed set of VLANs based on functional groupings will logically separate segments of the network, making it difficult to have data exposure issues between VLANs. Changing the subnet mask will only modify the broadcast domain and will not fix issues with packet sniffing. Gateways would be appropriate if network protocols were different on different segments. Port security is designed to limit which systems can connect to a given port.
124
Which of the following terms best describes the IP address 10.14.124.240?
A. Public IP address
B. Private IP address
C. APIPA address
D. Loopback address
B. Private IP address
Explanation:
B.Any 10.x.x.x address is a private address as defined by RFC 1918. APIPA addresses are self assigned by Windows when they cannot contact a DHCP server. 127.0.0.1 is a loopback address systems use to connect with themselves. Public IP addresses compose the majority of IP addresses with the exception of reserved addresses like those described in RFC 1918.
125
Jim is performing a security assessment of his company and would like to use a testing tool to perform a web vulnerability scan. Which of the following tools is best suited to that need?
A. Nmap
B. Hydra
C. Metasploit
D. Nikto
D. Nikto
Explanation:
D. Nikto is a web application and server scanning tool and is best suited to Jim’s needs. Nmap is a port scanner, Hydra is a login cracking tool, and Metasploit is a complete pentesting framework but isn’t designed specifically to test web applications and servers.
