Brainscape's Knowledge GenomeTM


Top Flashcards (Certified)
All Flashcards

CISSP > Chapter 9 Practice Test 1 (Sybex) > Flashcards

Chapter 9 Practice Test 1 (Sybex) Flashcards

1
Q

Lisa is attempting to prevent her network from being targeted by IP spoofing attacks as well as preventing her network from being the source of those attacks. Which of the following rules are best practices that Lisa should configure at her network border? (Select all that apply.)

A. Block packets with internal source addresses from entering the network.
B. Block packets with external source addresses from leaving the network.
C. Block packets with public IP addresses from entering the network.
D. Block packets with private IP addresses from exiting the network.

A

A. Block packets with internal source addresses from entering the network.
B. Block packets with external source addresses from leaving the network.
D. Block packets with private IP addresses from exiting the network.

Explanation:
Packets with public IP addresses will routinely be allowed to enter the network, so you should not create a rule to block them, making this the correct answer. Packets with internal source addresses should never originate from outside the network, so they should be blocked from entering the network. Packets with external source addresses should never be found on the internal network, so they should be blocked from leaving the network. Finally, private IP addresses should never be used on the internet, so packets containing private IP addresses should be blocked from leaving the network.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Ed has been tasked with identifying a service that will provide a low-latency, high-performance, and high-availability way to host content for his employer. What type of solution should he seek out to ensure that his employer’s customers around the world can access their content quickly, easily, and reliably?

A. A hot site
B. A CDN
C. Redundant servers
D. A P2P CDN

A

B. A CDN

Explanation:
A content distribution network (CDN) is designed to provide reliable, low-latency, geographically distributed content distribution. In this scenario, a CDN is an ideal solution. A P2P CDN like BitTorrent isn’t a typical choice for a commercial entity, whereas redundant servers or a hot site can provide high availability but won’t provide the remaining requirements.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Fran is building a forensic analysis workstation and is selecting a forensic disk controller to include in the setup. Which of the following are functions of a forensic disk controller? (Select all that apply.)

A. Preventing the modification of data on a storage device
B. Returning data requested from the device
C. Reporting errors sent by the device to the forensic host
D. Blocking read commands sent to the device

A

A. Preventing the modification of data on a storage device
B. Returning data requested from the device
C. Reporting errors sent by the device to the forensic host

Explanation:
A forensic disk controller performs four functions. One of those, write blocking, intercepts write commands sent to the device and prevents them from modifying data on the device. The other three functions include returning data requested by a read operation, returning access-significant information from the device, and reporting errors from the device back to the forensic host. The controller should not prevent read commands from being sent to the device because those commands may return crucial information.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Mike is building a fault-tolerant server and wants to implement RAID 1. How many physical disks are required to build this solution?

A. 1
B. 2
C. 3
D. 5

A

B. 2

Explanation:
B. RAID 1, disk mirroring, requires two physical disks that will contain copies of the same data.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Darren is troubleshooting an authentication issue for a Kerberized application used by his organization. He believes the issue is with the generation of session keys. What Kerberos service should he investigate first?

A. KDC
B. TGT
C. AS
D. TGS

A

D. TGS

Explanation:
The TGS, or ticket-granting service (which is usually on the same server as the KDC), receives a TGT from the client. It validates the TGT and the user’s rights to access the service they are requesting to use. The TGS then issues a ticket and session keys to the client. The AS serves as the authentication server, which forwards the username to the KDC. It’s worth noting that the client doesn’t communicate with the KDC directly. Instead, it will communicate with the TGT and the AS, which means KDC isn’t an appropriate answer here.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Evelyn believes that one of her organization’s vendors has breached a contractual obligation to protect sensitive data and would like to conduct an investigation into the circumstances. Based upon the results of the investigation, it is likely that Evelyn’s organization will sue the vendor for breach of contract. What term best describes the type of investigation that Evelyn is conducting?

A. Administrative investigation
B. Criminal investigation
C. Civil investigation
D. Regulatory investigation

A

C. Civil investigation

Explanation:
This is an example of a civil investigation because it relates to a contract dispute and will likely wind up being litigated in civil court. Administrative investigations are for internal purposes and are not applicable when a third party is being investigated. Criminal and regulatory investigations may only be initiated by those with regulatory authority, typically government agencies.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Ivan is installing a motion detector to protect a sensitive work area that uses high-frequency microwave signal transmissions to identify potential intruders. What type of detector is he installing?

A. Infrared
B. Heat-based
C. Wave pattern
D. Capacitance

A

C. Wave pattern

Explanation:
Wave pattern motion detectors transmit ultrasonic or microwave signals into the monitor area, watching for changes in the returned signals bouncing off objects. Infrared head-based detectors watch for unusual heat patterns. Capacitance detectors work based upon electromagnetic fields.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Susan sets up a firewall that keeps track of the status of the communication between two systems and allows a remote system to respond to a local system only after the local system starts communication. What type of firewall is Susan using?

A. A static packet filtering firewall
B. An application-level gateway firewall
C. A stateful packet inspection firewall
D. A circuit-level gateway firewall

A

C. A stateful packet inspection firewall

Explanation:
Stateful packet inspection firewalls, also known as dynamic packet filtering firewalls, track the state of a conversation and can allow a response from a remote system based on an internal system being allowed to start the communication. Static packet filtering and circuit-level gateways only filter based on source, destination, and ports, whereas application-level gateway firewalls proxy traffic for specific applications.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

For questions 9–11, please refer to the following scenario:

Ben owns a coffeehouse and wants to provide wireless internet service for his customers. Ben’s network is simple and uses a single consumer-grade wireless router and a cable modem connected via a commercial cable data contract. How can Ben provide access control for his customers without having to provision user IDs before they connect while also gathering useful contact information for his business purposes?

A. WPA2 PSK
B. A captive portal
C. Require customers to use a publicly posted password like “BensCoffee”
D. WPA3 SAE

A

B. A captive portal

Explanation:
A captive portal can require those who want to connect to and use WiFi to provide an email address to connect. This allows Ben to provide easy-to-use wireless while meeting his business purposes. WPA2PSK is the preshared key mode of WPA and won’t provide information about users who are given a key. WPA3’s SAE mode would be preferable to WPA2PSK, but it still does not allow for the data gathering Ben desires. Sharing a password doesn’t allow for data gathering either.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Ben intends to run an open (unencrypted) wireless network. How should he connect his business devices?

A. Run WPA3 on the same SSID.
B. Set up a separate SSID using WPA3.
C. Run the open network in Enterprise mode.
D. Set up a separate wireless network using WEP.

A

B. Set up a separate SSID using WPA3.

Explanation:
Many modern wireless routers can provide multiple SSIDs. Ben can create a private, secure network for his business operations, but he will need to make sure that the customer and business networks are firewalled or otherwise logically separated from each other. Running WPA3 on the same SSID isn’t possible without creating another wireless network and would cause confusion for customers (SSIDs aren’t required to be unique). Running a network in Enterprise mode isn’t used for open networks, and WEP is outdated and incredibly vulnerable.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

After implementing the solution from the first question, Ben receives a complaint about users in his cafe hijacking other customers’ web traffic, including using their usernames and passwords. How is this possible?

A. The password is shared by all users, making traffic vulnerable.
B. A malicious user has installed a Trojan on the router.
C. A user has ARP spoofed the router, making all traffic broadcast to all users.
D. Open networks are unencrypted, making traffic easily sniffable.

A

D. Open networks are unencrypted, making traffic easily sniffable.

Explanation:
Unencrypted open networks broadcast traffic in the clear. This means that unencrypted sessions to websites can be easily captured with a packet sniffer. Some tools like FireSheep have been specifically designed to capture sessions from popular websites. Fortunately, many now use TLS by default, but other sites still send user session information in the clear. Shared passwords are not the cause of the vulnerability, ARP spoofing isn’t an issue with wireless networks, and a Trojan is designed to look like safe software, not to compromise a router.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Kevin is reviewing and updating the security documentation used by his organization. He would like to document some best practices for securing IoT devices that his team has developed over the past year. The practices are generalized in nature and do not cover specific devices. What type of document would be best for this purpose?

A. Policy
B. Standard
C. Guideline
D. Procedure

A

C. Guideline

Explanation:
It is possible that Kevin could use any one of these documents. We should zero in on the portion of the question where it indicates that these are best practices. This implies that the advice is not mandatory and, therefore, would not go into a policy or standard. The fact that the advice is general in nature means that it is likely not well-suited to the step-by-step nature of a procedure. A guideline would be the perfect place to document these best practices.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Tom is tuning his security monitoring tools in an attempt to reduce the number of alerts received by administrators without missing important security events. He decides to configure the system to only report failed login attempts if there are five failed attempts to access the same account within a one-hour period of time. What term best describes the technique that Tom is using?

A. Thresholding
B. Sampling
C. Account lockout
D. Clipping

A

D. Clipping

Explanation:
Clipping is an analysis technique that only reports alerts after they exceed a set threshold. It is a specific form of sampling, which is a more general term that describes any attempt to excerpt records for review. Thresholding is not a commonly used term. Administrators may choose to configure automatic or manual account lockout after failed login attempts, but that is not described in the scenario.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Sally has been tasked with deploying an authentication, authorization, and accounting server for wireless network services in her organization and needs to avoid using proprietary technology. What technology should she select?

A. OAuth
B. RADIUS
C. XTACACS
D. TACACS+

A

B. RADIUS

Explanation:
B. RADIUS is a common AAA technology used to provide services for dial-up, wireless networks, network devices, and a range of other systems. OAuth is an authentication protocol used to allow applications to act on a user’s behalf without sharing the password and is used for many web applications. While both XTACACS and TACACS+ provide the functionality Sally is looking for, both are Cisco proprietary protocols.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

An accounting clerk for Christopher’s Cheesecakes does not have access to the salary information for individual employees but wanted to know the salary of a new hire. He pulled total payroll expenses for the pay period before the new person was hired and then pulled the same expenses for the following pay period. He computed the difference between those two amounts to determine the individual’s salary. What type of attack occurred?

A. Salami slicing
B. Data diddling
C. Inference
D. Social engineering

A

C. Inference

Explanation:
In an inference attack, the attacker uses several pieces of generic nonsensitive information to determine a specific sensitive value. In a salami slicing attack, the attacker siphons off minute quantities of money many times to accumulate a large amount of funds. In a data diddling attack, the attacker alters the contents of a database. Social engineering attacks exploit human psychology to achieve their goals.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Alice would like to have read permissions on an object and knows that Bob already has those rights and would like to give them to herself. Which one of the rules in the Take-Grant protection model would allow her to complete this operation if the relationship exists between Alice and Bob?

A. Take rule
B. Grant rule
C. Create rule
D. Remote rule

A

A. Take rule

Explanation:
The take rule allows a subject to take the rights belonging to another object. If Alice has take rights on Bob, she can give herself the same permissions that Bob already possesses.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

During a log review, Danielle discovers a series of logs that show login failures:

Jan 31 11:39:12 ip-10-0-0-2 sshd[29092]: Invalid user admin from remotehost passwd=aaaaaaaa
Jan 31 11:39:20 ip-10-0-0-2 sshd[29098]: Invalid user admin from remotehost passwd=aaaaaaab
Jan 31 11:39:23 ip-10-0-0-2 sshd[29100]: Invalid user admin from remotehost passwd=aaaaaaac
Jan 31 11:39:31 ip-10-0-0-2 sshd[29106]: Invalid user admin from remotehost passwd=aaaaaaad
Jan 31 20:40:53 ip-10-0-0-254 sshd[30520]: Invalid user admin from remotehost passwd=aaaaaaae

What type of attack has Danielle discovered?

A. A pass-the-hash attack
B. A brute-force attack
C. A man-in-the-middle attack
D. A dictionary attack

A

B. A brute-force attack

Explanation:
Brute-force attacks try every possible password. In this attack, the password is changing by one letter at each attempt, which indicates that it is a brute-force attack. A dictionary attack would use dictionary words for the attack, whereas a man-in-the-middle or pass-the-hash attack would most likely not be visible in an authentication log except as a successful login.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

Ben is designing a database-driven application and would like to ensure that two executing transactions do not affect each other by storing interim results in the database. What property is he seeking to enforce?

A. Atomicity
B. Isolation
C. Consistency
D. Durability

A

B. Isolation

Explanation:
B. Isolation requires that transactions operate separately from each other. Atomicity ensures that if any part of a database transaction fails, the entire transaction must be rolled back as if it never occurred. Consistency ensures that all transactions are consistent with the logical rules of the database, such as having a primary key. Durability requires that once a transaction is committed to the database it must be preserved. Together, these properties make up the ACID model.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

Kim is the system administrator for a small business network that is experiencing security problems. She is in the office in the evening working on the problem, and nobody else is there. As she is watching, she can see that systems on the other side of the office that were previously behaving normally are now exhibiting signs of infection one after the other. What type of malware is Kim likely dealing with?

A. Virus
B. Worm
C. Trojan Horse
D. Logic Bomb

A

B. Worm

Explanation:
Worms have built-in propagation mechanisms that do not require user interaction, such as scanning for systems containing known vulnerabilities and then exploiting those vulnerabilities to gain access. Viruses and Trojan horses typically require user interaction to spread. Logic bombs do not spread from system to system but lie in wait until certain conditions are met, triggering the delivery of their payload.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

Barb is reviewing the compliance obligations facing her organization and the types of liability that each one might incur. Which of the following laws and regulations may involve criminal penalties if violated? (Select all that apply.)

A. FERPA
B. HIPAA
C. SOX
D. PCI DSS

A

B. HIPAA
C. SOX

Explanation;
The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. law governing the healthcare sector that does provide for criminal penalties. The Sarbanes–Oxley (SOX) Act governs publicly traded corporations and also provides for criminal penalties. The Family Educational Rights and Privacy Act (FERPA) is a U.S. law governing educational records, but it does not provide for criminal penalties. PCI DSS, the Payment Card Industry Data Security Standard, is an industry standard for credit card operations and handling. Because it is not a law, PCI DSS violations cannot incur criminal sanctions.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

Quentin is analyzing network traffic that he collected with Wireshark on a TCP/IP network. He would like to identify all new connections that were set up during his traffic collection. If he is looking for the three packets that constitute the TCP three-way handshake used to establish a new connection, what flags should be set on the first three packets?

A. SYN, ACK, SYN/ACK
B. PSH, RST, ACK
C. SYN, SYN/ACK, ACK
D. SYN, RST, FIN

A

C. SYN, SYN/ACK, ACK

Explanation:
The TCP three-way handshake consists of initial contact via a SYN, or synchronize flagged packet; which receives a response with a SYN/ACK, or synchronize and acknowledge flagged packet; which is acknowledged by the original sender with an ACK, or acknowledge packet. RST is used in TCP to reset a connection, PSH is used to send data immediately, and FIN is used to end a connection.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

Daniel is selecting a new mobile device management (MDM) solution for his organization and is writing the RFP. He is trying to decide what features he should include as requirements after aligning his organization’s security needs with an MDM platform’s capabilities. Which of the following are typical capabilities of MDM solutions? (Select all that apply.)

A. Remotely wiping the contents of a mobile device
B. Assuming control of a nonregistered BYOD mobile device
C. Enforcing the use of device encryption
D. Managing device backups

A

A. Remotely wiping the contents of a mobile device
C. Enforcing the use of device encryption
D. Managing device backups

Explanation:
MDM products do not have the capability of assuming control of a device not currently managed by the organization. This would be equivalent to hacking into a device owned by someone else and might constitute a crime. They do normally provide the ability to manage device backups, enforce the use of encryption, and remotely wipe the contents of mobile devices.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

Jim is implementing an IDaaS solution for his organization. What type of technology is he putting in place?

A. Identity as a service
B. Employee ID as a service
C. Intrusion detection as a service
D. OAuth

A

A. Identity as a service

Explanation:
Identity as a service (IDaaS) provides an identity platform as a third-party service. This can provide benefits, including integration with cloud services and removing overhead for maintenance of traditional on-premises identity systems, but can also create risk due to third-party control of identity services and reliance on an off-site identity infrastructure.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

Gina recently took the CISSP certification exam and then wrote a blog post that included the text of many of the exam questions that she experienced. What aspect of the (ISC)2 Code of Ethics is most directly violated in this situation?

A. Advance and protect the profession.
B. Act honorably, honestly, justly, responsibly, and legally.
C. Protect society, the common good, necessary public trust and confidence, and the infrastructure.
D. Provide diligent and competent service t

A

A. Advance and protect the profession.

Explanation:
Gina’s actions harm the CISSP certification and information security community by undermining the integrity of the examination process. While Gina also is acting dishonestly, the harm to the profession is more of a direct violation of the (ISC)2 Code of Ethics.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
Gordon is conducting a risk assessment for his organization and determined the amount of damage that flooding is expected to cause to his facilities each year. What metric has Gordon identified? A. ALE B. ARO C. SLE D. EF
A. ALE Explanation: The annualized loss expectancy (ALE) is the amount of damage that the organization expects to occur each year as the result of a given risk.
26
Greg would like to implement application control technology in his organization. He would like to limit users to installing only approved software on their systems. What type of application control would be appropriate in this situation? A. Blacklisting B. Graylisting C. Whitelisting D. Bluelisting
C. Whitelisting Explanation: The whitelisting approach to application control allows users to install only those software packages specifically approved by administrators. This would be an appropriate approach in a scenario where application installation needs to be tightly controlled.
27
Frank is the security administrator for a web server that provides news and information to people located around the world. His server received an unusually high volume of traffic that it could not handle and was forced to reject requests. Frank traced the source of the traffic back to a botnet. What type of attack took place? A. Denial-of-service B. Reconnaissance C. Compromise D. Malicious insider
A. Denial-of-service Explanation: This is a clear example of a denial-of-service attack—denying legitimate users authorized access to the system through the use of overwhelming traffic. It goes beyond a reconnaissance attack because the attacker is affecting the system, but it is not a compromise because the attacker did not attempt to gain access to the system. There is no reason to believe that a malicious insider was involved.
28
In the database table shown here, which column would be the best candidate for a primary key? A. Company ID B. Company Name C. ZIP Code D. Sales Rep
A. Company ID Explanation: A. The Company ID column is likely unique for each row in the table, making it the best choice for a primary key. There may be multiple companies that share the same name or ZIP code. Similarly, a single sales representative likely serves more than one company, making those fields unsuitable for use as a unique identifier.
29
Gwen is a cybersecurity professional for a financial services firm that maintains records of their customers. These records include personal information about each customer, including the customer's name, Social Security number, date and place of birth, and mother's maiden name. What category best describes these records? A. PHI B. Proprietary data C. PII D. EDI
C. PII Explanation: Personally identifiable information (PII) includes data that can be used to distinguish or trace that person's identity and also includes information like their medical, educational, financial, and employment information. PHI is personal health information, EDI is electronic data interchange, and proprietary data is used to maintain an organization's competitive advantage.
30
Bob is configuring egress filtering on his network, examining traffic destined for the internet. His organization uses the public address range 12.8.195.0/24. Packets with which one of the following destination addresses should Bob permit to leave the network? A. 12.8.195.15 B. 10.8.15.9 C. 192.168.109.55 D. 129.53.44.124
D. 129.53.44.124 Explanation: 129.53.44.124 is a valid public IP address and a legitimate destination for traffic leaving Bob's network. 12.8.195.15 is a public address on Bob's network and should not be a destination address on a packet leaving the network. 10.8.15.9 and 192.168.109.55 are both private IP addresses that should not be routed to the internet.
31
Brian is considering increasing the length of the cryptographic keys used by his organization. If he adds 8 bits to the encryption key, how many more possible keys will be added to the keyspace for the algorithm? A. The size of the keyspace will double. B. The size of the keyspace will increase by a factor of 8. C. The size of the keyspace will increase by a factor of 64. D. The size of the keyspace will increase by a factor of 256.
D. The size of the keyspace will increase by a factor of 256. Explanation: Binary keyspaces contain a number of keys equal to 2 raised to the power of the number of bits. Two to the eighth power is 256, so the keyspace will increase by a factor of 256.
32
Which of the following data assets may be safely and effectively disposed of using shredding? (Select all that apply.) A. Paper records B. Credit cards C. Removable media D. SSD hard drives
A. Paper records B. Credit cards C. Removable media D. SSD hard drives Explanation: Traditional office shredding machines may be used for the disposal of paper records and, depending upon their grade, may also be able to shred credit cards. Industrial shredders are capable of destroying larger pieces of equipment, including removable media and hard drives.
33
GAD Systems is concerned about the risk of hackers stealing sensitive information stored on a file server. They choose to pursue a risk mitigation strategy. Which one of the following actions would support that strategy? A. Encrypting the files B. Deleting the files C. Purchasing cyber-liability insurance D. Taking no action
A. Encrypting the files Explanation: Encrypting the files reduces the probability that the data will be successfully stolen, so it is an example of risk mitigation. Deleting the files would be risk avoidance. Purchasing insurance would be risk transference. Taking no action would be risk acceptance.
34
Viola is conducting a user account audit to determine whether accounts have the appropriate level of permissions and that all permissions were approved through a formal process. The organization has approximately 50,000 user accounts and an annual employee turnover rate of 24 percent. Which one of the following sampling approaches would be the most effective use of her time when choosing records for manual review? A. Select all records that have been modified during the past month. B. Ask access administrators to identify the accounts most likely to have issues and audit those. C. Select a random sample of records, either from the entire population or from the population of records that have changed during the audit period. D. Sampling is not effective in this situation, and all accounts should be audited.
C. Select a random sample of records, either from the entire population or from the population of records that have changed during the audit period. Explanation: Sampling should be done randomly to avoid human bias. Sampling is an effective process if it is done on a truly random sample of sufficient size to provide effective coverage of the userbase. It is infeasible for a single person to review every single record. In an organization of 50,000 users with a 24 percent annual turnover, it is likely that at least 1,000 of those records have changed in the last month. This is still too many records to review. Asking account administrators to select the records to review is a conflict of interest, as they are the group being audited.
35
Lila is reviewing her organization's adverse termination process. In that process, when would be the most appropriate time to revoke a user's access privileges to digital systems? A. At the time the user is informed of the termination B. At the end of the last day of employment C. At the time the decision is made D. Several days after the last day of employment
A. At the time the user is informed of the termination Explanation: In the case of an involuntary termination under adverse circumstances, the user is being fired and may have a negative and potentially hostile reaction. For this reason, it is important to terminate access immediately upon the user being informed of the termination. Terminating access prior to notification may tip the user off to the termination in advance. Leaving access privileges available after termination poses a risk of malicious insider activity.
36
William is reviewing log files that were stored on a system with a suspected compromise. He finds the log file shown here. What type of log file is this? A. Firewall log B. Change log C. Application log D. System log
C. Application log Explanation: C. The file clearly shows HTTP requests, as evidenced by the many GET commands. Therefore, this is an example of an application log from an HTTP server.
37
Roger is reviewing a list of security vulnerabilities in his organization and rating them based upon their severity. Which one of the following models would be most useful to his work? A. CVSS B. STRIDE C. PASTA D. ATT&CK
A. CVSS Explanation: The Common Vulnerability Scoring System (CVSS) is a standardized approach to rating the severity of vulnerabilities and would be the most helpful tool for Roger's work. The STRIDE and ATT&CK models are used to classify the nature, not the severity, of threats. The PASTA model is designed to help with countermeasure selection.
38
An attacker recently called an organization's help desk and persuaded them to reset a password for another user's account. What term best describes this attack? A. A human Trojan B. Social engineering C. Phishing D. Whaling
B. Social engineering Explanation: Social engineering exploits humans to allow attacks to succeed. Since help-desk employees are specifically tasked with being helpful, they may be targeted by attackers posing as legitimate employees. Trojans are a type of malware, whereas phishing is a targeted attack via electronic communication methods intended to capture passwords or other sensitive data. Whaling is a type of phishing aimed at high-profile or important targets.
39
Greg is evaluating a new vendor that will be supplying networking gear to his organization. Due to the nature of his organization's work, Greg is concerned that an attacker might attempt a supply chain exploit. Assuming that both Greg's organization and the vendor operate under reasonable security procedures, which one of the following activities likely poses the greatest supply chain risk to the equipment? A. Tampering by an unauthorized third party at the vendor's site B. Interception of devices in transit C. Misconfiguration by an administrator after installation D. Tampering by an unauthorized third party at Greg's site
B. Interception of devices in transit Explanation: If the vendor operates with reasonable security procedures, it is unlikely that the devices will be tampered with at the vendor's site. Similarly, if Greg's organization has reasonable security procedures, tampering at his site is also unlikely. Misconfiguration by an administrator is always possible, but this is a post-installation risk and not a supply chain risk. It is possible that devices will be intercepted and tampered with while in transit from the vendor to Greg's organization.
40
Kevin is operating in a single-level security environment and is seeking to classify information systems according to the type of information that they process. What procedure would be the best way for him to assign asset classifications? A. Assign systems the classification of information that they most commonly process. B. Assign systems the classification of the highest level of information that they are expected to process regularly. C. Assign systems the classification of the highest level of information that they are ever expected to process. D. Assign all systems the same classification level.
C. Assign systems the classification of the highest level of information that they are ever expected to process. Explanation: In a single-level security environment, systems should be assigned the classification level of the highest classification of information they are ever expected to process. Systems may not process information that is above their classification level without reclassifying the system upwards.
41
For questions 41–43, please refer to the following scenario: The organization that Ben works for has a traditional on-site Active Directory environment that uses a manual provisioning process for each addition to their 350-employee company. As the company adopts new technologies, they are increasingly using software as a service applications to replace their internally developed software stack. Ben has been tasked with designing an identity management implementation that will allow his company to use cloud services while supporting their existing systems. Using the logical diagram shown here, answer the following questions about the identity recommendations Ben should make. If availability of authentication services is the organization's biggest priority, what type of identity platform should Ben recommend? A. On-site B. Cloud-based C. Hybrid D. Outsourced
C. Hybrid Explanation: A hybrid authentication service can provide authentication services both in the cloud and on-premises, ensuring that service outages due to interrupted links are minimized. An on-site service would continue to work during an internet outage but would not allow the e-commerce website to authenticate. A cloud service would leave the corporate location offline. Outsourcing authentication does not indicate whether the solution is on- or off-premises and thus isn't a useful answer.
42
If Ben needs to share identity information with the business partner shown, what should he investigate? A. Single sign-on B. Multifactor authentication C. Federation D. IDaaS
C. Federation Explanation: Federation links identity information between multiple organizations. Federating with a business partner can allow identification and authorization to occur between them, making integration much easier. Single sign-on would reduce the number of times a user has to log in but will not facilitate the sharing of identity information. Multifactor can help secure authentication, but again doesn't help integrate with a third party. Finally, an identity as a service provider might provide federation but doesn't guarantee it.
43
What technology is likely to be involved when Ben's organization needs to provide authentication and authorization assertions to their cloud e-commerce application? A. Active Directory B. SAML C. RADIUS D. SPML
B. SAML Explanation: Security Assertion Markup Language (SAML) is frequently used to integrate cloud services and provides the ability to make authentication and authorization assertions. Active Directory integrations are possible but are less common for cloud service providers, and RADIUS is not typically used for integrations like this. Service Provisioning Markup Language (SPML) is used to provision users, resources, and services, not for authentication and authorization.
44
Dave is responsible for password security in his organization and would like to strengthen the security of password files. He would like to defend his organization against the use of rainbow tables. Which one of the following techniques is specifically designed to frustrate the use of rainbow tables? A. Password expiration policies B. Salting C. User education D. Password complexity policies
B. Salting Explanation: Rainbow tables use precomputed password hashes to conduct cracking attacks against password files. They may be frustrated by the use of salting, which adds a specified value to the password prior to hashing, making it much more difficult to perform precomputation. Password expiration policies, password complexity policies, and user education may all contribute to password security, but they are not direct defenses against the use of rainbow tables.
45
Helen recently built a new system as part of her organization's deception campaign. The system is configured in a manner that makes it vulnerable to attack and that conveys that it might contain highly sensitive information. What term best describes this system? A. Honeynet B. Darknet C. Honeypot D. Pseudoflaw
C. Honeypot Explanation: A honeypot is a decoy computer system used to bait intruders into attacking. A honeynet is a network of multiple honeypots that creates a more sophisticated environment for intruders to explore. A pseudoflaw is a false vulnerability in a system that may attract an attacker. A darknet is a segment of unused network address space that should have no network activity and, therefore, may be easily used to monitor for illicit activity.
46
Nandi is evaluating a set of candidate systems to replace a biometric authentication mechanism in her organization. What metric would be the best way to compare the effectiveness of the different systems? A. FAR B. FRR C. CER D. FDR
C. CER Explanation: C. The false acceptance rate (FAR) is the rate at which the system inadvertently admits an unauthorized user, while the false rejection rate (FRR) is the rate at which the system inadvertently rejects an authorized user. Both the FAR and FRR may be modified by adjusting the sensitivity of the system. The crossover error rate (CER) is the point where both the false acceptance rate and the false rejection rate cross. The CER is less subject to manipulation and is, therefore, the best metric to use for evaluating systems. The FDR is not a metric used to evaluate authentication systems.
47
Sean suspects that an individual in his company is smuggling out secret information despite his company's careful use of data loss prevention systems. He discovers that the suspect is posting photos, including the one shown here, to public internet message boards. What type of technique may the individuals be using to hide messages inside this image? A. Watermarking B. VPN C. Steganography D. Covert timing channel
C. Steganography Explanation: C. Steganography is the art of using cryptographic techniques to embed secret messages within other content. Steganographic algorithms work by maalterations to files, such as modifying the least significant bits of the many bits that make up image files. VPNs may be used to obscure secret communications, but they provide protection in transit and can't be used to embed information in an image. Watermarking does embed information in an image but with the intent of protecting intellectual property. A still image would not be used for a covert timing channel because it is a fixed file.
48
Roger is concerned that a third-party firm hired to develop code for an internal application will embed a backdoor in the code. The developer retains rights to the intellectual property and will only deliver the software in its final form. Which one of the following languages would be least susceptible to this type of attack because it would provide Roger with code that is human-readable in its final form? A. JavaScript B. C C. C++ D. Java
A. JavaScript Explanation: JavaScript is an interpreted language so the code is not compiled prior to execution, allowing Roger to inspect the contents of the code. C, C++, and Java are all compiled languages—a compiler produces an executable file that is not human-readable.
49
Jesse is looking at the /etc/passwd file on a system configured to use shadowed passwords. What should she expect to see in the password field of this file? A. Plaintext passwords B. Encrypted passwords C. Hashed passwords D. x
D. x Explanation: When a system is configured to use shadowed passwords, the /etc/passwd file contains only the character x in the place of a password. It would not contain any passwords, in either plaintext, encrypted, or hashed form.
50
Rob recently received a notice from a vendor that the EOL date is approaching for a firewall platform that is used in his organization. What action should Rob take? A. Prepare to discontinue use of the platform as soon as possible. B. Immediately discontinue use of the device. C. Prepare to discontinue use of the device as part of the organization's normal planning cycle. D. No action is necessary.
C. Prepare to discontinue use of the device as part of the organization's normal planning cycle. Explanation: The end-of-life (EOL) date for a product is normally the date that the vendor will stop selling a product. It is reasonable to continue using the product as long as support remains available. Rob should begin making plans to discontinue use of the product, pending the announcement of an end-of-support (EOS) date.
51
What principle states that an individual should make every effort to complete his or her responsibilities in an accurate and timely manner? A. Least privilege B. Separation of duties C. Due care D. Due diligence
D. Due diligence Explanation: The due care principle states that an individual should react in a situation using the same level of care that would be expected from any reasonable person. It is a very broad standard. The due diligence principle is a more specific component of due care that states that an individual assigned a responsibility should exercise due care to complete it accurately and in a timely manner. Least privilege says that an individual should have the minimum set of permissions necessary to carry out their work. Separation of duties says that no single person should have the right to perform two distinct tasks, which, when combined, constitute a highly privileged action.
52
Tony is developing a data classification system for his organization. What factor should he use as the primary driver when determining the classification level of each category of information? A. Sensitivity B. Source C. Likelihood of theft D. Likelihood of data loss
A. Sensitivity Explanation: A. Information should be classified based upon its sensitivity. This may be due to the value of the information to the organization, the damage caused if lost or compromised, or other factors. The source of the information is one possible contributing factor to the sensitivity level. The likelihood of loss or theft is a component of risk, but does not contribute to the classification level.
53
Perry is establishing information handling requirements for his organization. He discovers that the organization often needs to send sensitive information over the internet to a supplier and is concerned about it being intercepted. What handling requirement would best protect against this risk? A. Require the use of transport encryption. B. Require proper classification and labeling. C. Require the use of data loss prevention technology. D. Require the use of storage encryption.
A. Require the use of transport encryption. Explanation: All of these controls are good practices for protecting sensitive information. However, Perry is most concerned about the risk of interception while in transit over the internet. Transport encryption would, therefore, be the most appropriate control, as anyone intercepting the information would be unable to read its contents. Storage encryption would protect against the theft of information at rest, rather than in transit over a network. Classification and labeling would not protect against interception. Data loss prevention technology may block the transfer entirely and would not meet the business requirement if it blocked the transmission and would not meet the security requirement if it did not detect the data transfer.
54
John is developing a tangible asset inventory for his organization. Which of the following items would most likely be included in this inventory? (Select all that apply.) A. Intellectual property B. Server hardware C. Files stored on servers D. Mobile devices
B. Server hardware D. Mobile devices Explanation: Tangible asset inventories include physical items owned by the organization. This would include server hardware and mobile devices. Intellectual property and files stored on a server are not tangible property and would instead be included in an intangible asset inventory.
55
Maria is analyzing a security incident where she believes that an attacker gained access to a fiber-optic cable and installed a tap on that cable. What layer of the OSI model did this attack occur at? A. Transport B. Network C. Data Link D. Physical
D. Physical Explanation: The Physical layer deals with the electrical impulses or optical pulses that are sent as bits to convey data. This is the layer where cable tapping would occur. Attacks at the Data Link, Network, or Transport layers would involve higher levels of activity in the OSI model, such as compromising a device and using a protocol analyzer to sniff network traffic.
56
Bert is considering the use of an infrastructure as a service cloud computing partner to provide virtual servers. Which one of the following would be a vendor responsibility in this scenario? A. Maintaining the hypervisor B. Managing operating system security settings C. Maintaining the host firewall D. Configuring server access control
A. Maintaining the hypervisor Explanation: In an IaaS server environment, the customer retains responsibility for most server security operations under the shared responsibility model. This includes managing OS security settings, maintaining host firewalls, and configuring server access control. The vendor would be responsible for all security mechanisms at the hypervisor layer and below.
57
When Ben records data and then replays it against his test website to verify how it performs based on a real production workload, what type of performance monitoring is he undertaking? A. Passive B. Proactive C. Reactive D. Replay
B. Proactive Explanation: Proactive monitoring, aka synthetic monitoring, uses recorded or generated traffic to test systems and software. Passive monitoring uses a network span, tap, or other device to capture traffic to be analyzed. Reactive and replay are not industry terms for types of monitoring.
58
Kailey is reviewing a set of old records maintained by her organization and wants to dispose of them securely. She is unsure how long the organization should keep the records because they involve tax data. How can Kailey determine whether the records may be disposed? \ A. Consult the organization's records retention policy. B. Consult IRS requirements. C. Retain the records for at least seven years. D. Retain the records permanently.
A. Consult the organization's records retention policy. Explanation: A. Kailey should consult her organization's record retentions policy to determine the appropriate length of time to preserve the records. The organization may be subject to tax requirements in this regard, and many accountants recommend preserving records for at least seven years, but the organization's own requirements may be stricter than these requirements.
59
Alan is considering the use of new identification cards in his organization that will be used for physical access control. He comes across a sample card and is unsure of the technology. He breaks it open and sees the following internal construction. What type of card is this? A. Smart card B. Proximity card C. Magnetic stripe D. Phase-two card
B. Proximity card Explanation: The use of an electromagnetic coil inside the card indicates that this is a proximity card.
60
Mark is planning a disaster recovery test for his organization. He would like to perform a live test of the disaster recovery facility but does not want to disrupt operations at the primary facility. What type of test should Mark choose? A. Full interruption test B. Checklist review C. Parallel test D. Tabletop exercise
C. Parallel test Explanation: During a parallel test, the team actually activates the disaster recovery site for testing, but the primary site remains operational. During a full interruption test, the team takes down the primary site and confirms that the disaster recovery site is capable of handling regular operations. The full interruption test is the most thorough test but also the most disruptive. The checklist review is the least disruptive type of disaster recovery test. During a checklist review, team members each review the contents of their disaster recovery checklists on their own and suggest any necessary changes. During a tabletop exercise, team members come together and walk through a scenario without making any changes to information systems.
61
Which one of the following is not a principle of the Agile approach to software development? A. The best architecture, requirements, and designs emerge from self-organizing teams. B. Deliver working software infrequently, with an emphasis on creating accurate code over longer timelines. C. Welcome changing requirements, even late in the development process. D.d Simplicity is essential.
B. Deliver working software infrequently, with an emphasis on creating accurate code over longer timelines. Explanation: The Agile approach to software development embraces 12 core principles, found in the Agile Manifesto. One of these principles is that the best architecture, requirements, and designs emerge from self-organizing teams. Another is that teams should welcome changing requirements at any step in the process. A third is that simplicity is essential. The Agile approach emphasizes delivering software frequently, not infrequently.
62
During a security audit, Susan discovers that the organization is using hand geometry scanners as the access control mechanism for their secure data center. What recommendation should Susan make about the use of hand geometry scanners? A. They have a high FRR and should be replaced. B. A second factor should be added because they are not a good way to reliably distinguish individuals. C. The hand geometry scanners provide appropriate security for the data center and should be considered for other high-security areas. D. They may create accessibility concerns, and an alternate biometric system should be considered.
B. A second factor should be added because they are not a good way to reliably distinguish individuals. Explanation: Hand geometry scanners assess the physical dimensions of an individual's hand but do not verify other unique factors about the individual, or even verify if they are alive. This means that hand geometry scanners should not be implemented as the sole authentication factor for secure environments. Hand geometry scanners do not have an abnormally high FRR and do not stand out as a particular issue from an accessibility standpoint compared to other biometric systems.
63
Colleen is conducting a business impact assessment for her organization. What metric provides important information about the amount of time that the organization may be without a service before causing irreparable harm? A. MTD B. ALE C. RPO D. RTO
A. MTD Explanation: The maximum tolerable downtime (MTD) is the amount of time that a business may be without a service before irreparable harm occurs. This measure is sometimes also called maximum tolerable outage (MTO) or maximum allowable downtime (MAD).
64
Bailey is concerned that users around her organization are using sensitive information in a variety of cloud services and would like to enforce security policies consistently across those services. What security control would be best suited for her needs? A. DRM B. IPS C. CASB D. DLP
C. CASB Explanation: Cloud access security brokers (CASB) are designed to enforce security policies consistently across cloud services and would best meet Bailey's needs. Data loss prevention (DLP) and digital rights management (DRM) solutions may be able to detect, block, and control some use of information in the cloud, but they would not provide a way to consistently enforce security policies across cloud platforms. Intrusion prevention systems (IPS) are designed to detect and block malicious activity and would not be relevant in this scenario.
65
Matt is designing a set of information handling requirements for his organization and would like to draw upon common industry practices. Which of the following practices should Matt implement? (Select all that apply.) A. Labeling both paper and electronic documents with their classification level B. Automatically granting senior executives full access to all classified information C. Automatically granting visitors access to information classified at the lowest level of sensitivity D. Encrypting sensitive information in storage and at rest
A. Labeling both paper and electronic documents with their classification level D. Encrypting sensitive information in storage and at rest Explanation: Organizations should always label classified information in whatever form, paper or electronic, that it appears. This allows employees to apply proper handling procedures. It is also a common practice to encrypt sensitive information both at rest and in transit. Organizations should grant access to classified information on a need-to-know basis. Automatically granting access to information, whether it is to a visitor or a senior executive, should not occur.
66
Jerry is investigating an attack where the attacker stole an authentication token from a user's web session and used it to impersonate the user on the site. What term best describes this attack? A. Masquerading B. Replay C. Spoofing D. Modification
B. Replay Explanation: Masquerading (or impersonation) attacks use stolen or falsified credentials to bypass authentication mechanisms. That term does describe this attack, but you should keep reading the answer choices even after finding a possible correct answer. In this case, replay attacks are a more specific type of masquerading attack that relies on captured authentication tokens, and this is, therefore, a better answer. Spoofing attacks rely on falsifying an identity like an IP address or hostname without credentials. Modification attacks occur when captured packets are modified and replayed to a system to attempt to perform an action.
67
Lisa wants to integrate with a cloud identity provider that uses OAuth 2.0, and she wants to select an appropriate authentication framework. Which of the following best suits her needs? A. OpenID Connect B. SAML C. RADIUS D. Kerberos
A. OpenID Connect Explanation: A. OpenID Connect is an authentication layer that works with OAuth 2.0 as its underlying authorization framework. It has been widely adopted by cloud service providers and is widely supported. SAML, RADIUS, and Kerberos are alternative authentication technologies but do not have the same level of seamless integration with OAuth.
68
Owen recently designed a security access control structure that prevents a single user from simultaneously holding the role required to create a new vendor and the role required to issue a check. What principle is Owen enforcing? A. Two-person control B. Least privilege C. Separation of duties D. Job rotation
C. Separation of duties Explanation: This scenario describes separation of duties—not allowing the same person to hold two roles that, when combined, are sensitive. While two-person control is a similar concept, it does not apply in this case because the scenario does not say that either action requires the concurrence of two users. Least privilege says that an individual should have the minimum set of permissions necessary to carry out their work. Job rotation moves people through jobs on a periodic basis to deter fraud.
69
Denise is preparing for a trial relating to a contract dispute between her company and a software vendor. The vendor is claiming that Denise made a verbal agreement that amended their written contract. What rule of evidence should Denise raise in her defense? A. Real evidence rule B. Best evidence rule C. Parol evidence rule D. Testimonial evidence rule
C. Parol evidence rule Explanation: The parol evidence rule states that when an agreement between two parties is put into written form, it is assumed to be the entire agreement unless amended in writing. The best evidence rule says that a copy of a document is not admissible if the original document is available. Real evidence and testimonial evidence are evidence types, not rules of evidence.
70
While Lauren is monitoring traffic on two ends of a network connection, she sees traffic that is inbound to a public IP address show up inside the production network. It is headed for an internal host with an RFC 1918 reserved destination address. What technology should she expect is in use at the network border? A. NAT B. VLANs C. S/NAT D. BGP
A. NAT Explanation: A. Network Address Translation (NAT) translates an internal address to an external address. VLANs are used to logically divide networks, BGP is a routing protocol, and S/NAT is a made-up term.
71
Which of the following statements about SSAE-18 are correct? (Select all that apply.) A. It mandates a specific control set. B. It is an attestation standard. C. It is used for external audits. D. It uses a framework, including SOC 1, SOC 2, and SOC 3 reports.
B. It is an attestation standard. C. It is used for external audits. D. It uses a framework, including SOC 1, SOC 2, and SOC 3 reports. Explanation: SSAE-18 does not assert specific controls. Instead, it reviews the use and application of controls in an audited organization. It is an attestation standard, used for external audits, and forms part of the underlying framework for SOC 1, 2, and 3 reports.
72
Elliott is using an asymmetric cryptosystem and would like to add a digital signature to a message. What key should he use to encrypt the message digest? A. Elliott's private key B. Elliott's public key C. Recipient's private key D. Recipient's public key
A. Elliott's private key Explanation: When creating a digital signature, the sender of a message always encrypts the message digest with their own private key. The recipient (or any third party) may then verify the digital signature by decrypting it with the sender's public key and then comparing that decrypted signature with a message digest that the recipient computes themselves.
73
Greg is building a disaster recovery plan for his organization and would like to determine the amount of time that it should take to restore a particular IT service after an outage. What variable is Greg calculating? A. MTD B. RTO C. RPO D. SLA
B. RTO Explanation: B. The recovery time objective (RTO) is the amount of time expected to return an IT service or component to operation after a failure. The maximum tolerable downtime (MTD) is the longest amount of time that an IT service or component may be unavailable without causing serious damage to the organization. The recovery point objective (RPO) identifies the maximum amount of data, measured in time, that may be lost during a recovery effort. Service-level agreements (SLAs) are written contracts that document service expectations.
74
What business process typically requires sign-off from a manager before modifications are made to a system? A. SDN B. Release management C. Change management D. Versioning
C. Change management Explanation: C. Change management typically requires sign-off from a manager or supervisor before changes are made. This helps to ensure proper awareness and communication. SDN stands for software-defined networking, release management is the process that new software releases go through to be accepted, and versioning is used to differentiate versions of software, code, or other objects.
75
Jen is selecting a fire suppression system for her organization's data center and would like to narrow down the list of candidates. Which one of the following suppression systems would be LEAST appropriate for use? A. Dry pipe B. Wet pipe C. Pre-action D. FM-200
B. Wet pipe Explanation: Wet pipe suppression systems have water present in the pipes at all times, posing an unacceptable level of risk for a data center containing electronics that might be damaged if a pipe leaks. Dry pipe and pre-action systems only contain water when triggered in the event of a possible fire. FM-200 is a chemical suppressant commonly used in place of water in data centers.
76
The company Chris works for has notifications posted at each door reminding employees to be careful to not allow people to enter when they do. Which type of control is this? A. Detective B. Physical C. Preventive D. Directive
D. Directive Explanation: Notifications and procedures like the signs posted at the company Chris works for are examples of directive access controls. Detective controls are designed to operate after the fact. The doors and the locks on them are examples of physical controls. Preventive controls are designed to stop an event and could also include the locks that are present on the doors.
77
Seth is designing the physical security controls for a new facility being constructed by his organization. He would like to deter attacks to the extent possible. Which of the following controls serve as deterrents? (Select all that apply.) A. Motion detectors B. Guard dogs C. Mantraps D. Lighting
B. Guard dogs D. Lighting Explanation: Deterrent controls seek to prevent an intruder from attempting an attack in the first place. Guard dogs have an intimidating presence that serves this purpose well. They do also serve to deny, detect, and delay intrusions depending upon their training. Lighting also deters attacks by making potential intrusions more visible, reducing the likelihood that an intruder will enter a well-lit area. Mantraps are intended to deny intruders access, rather than deter attempts. Motion detectors are intended to detect intruders rather than deter them.
78
Thomas recently signed an agreement for a serverless computing environment where his organization's developers will be able to write functions in Python and deploy them on the cloud provider's servers for execution. The cloud provider will manage the servers. What term best describes this model? A. SaaS B. PaaS C. IaaS D. Containerization
B. PaaS Explanation: This is an example of function as a service (FaaS) computing. However, FaaS is not listed as an answer choice, so you must also know that FaaS is a subcategory of platform as a service (PaaS) computing to answer this question correctly. This model does not necessarily take advantage of containerization. The cloud provider is managing the infrastructure and only making the platform available to customers, so it is not infrastructure as a service (IaaS). The customers are running their own code, so it is not software as a service (SaaS).
79
An attacker has intercepted a large amount of data that was all encrypted with the same algorithm and encryption key. With no further information, which of the following cryptanalytic attacks are possible? (Select all that apply.) A. Known plaintext B. Chosen ciphertext C. Frequency analysis D. Brute-force
C. Frequency analysis D. Brute-force Explanation: The attacker may attempt to perform frequency analysis or a brute-force attack against the large volume of encrypted ciphertext. As the attacker does not have access to the plaintext information, a known plaintext attack is not possible. The attacker also does not have the ability to encrypt information, so they cannot use a chosen ciphertext attack.
80
For questions 80–82, please refer to the following scenario: Alex has been with the university he works at for more than 10 years. During that time, he has been a system administrator and a database administrator, and he has worked in the university's help desk. He is now a manager for the team that runs the university's web applications. Using the provisioning diagram shown here, answer the following questions. If Alex hires a new employee and the employee's account is provisioned after HR manually inputs information into the provisioning system based on data Alex provides via a series of forms, what type of provisioning has occurred? A. Discretionary account provisioning B. Workflow-based account provisioning C. Automated account provisioning D. Self-service account provisioning
B. Workflow-based account provisioning Explanation: Provisioning that occurs through an established workflow, such as through an HR process, is workflow-based account provisioning. If Alex had set up accounts for his new hire on the systems he manages, he would have been using discretionary account provisioning. If the provisioning system allowed the new hire to sign up for an account on their own, they would have used self-service account provisioning, and if there was a central, software-driven process, rather than HR forms, it would have been automated account provisioning.
81
Alex has access to B, C, and D in the diagram. What concern should he raise to the university's identity management team? A. The provisioning process did not give him the rights he needs. B. He has excessive privileges. C. Privilege creep may be taking place. D. Logging is not properly enabled.
C. Privilege creep may be taking place. Explanation: As Alex has changed roles, he retained access to systems that he no longer administers. The provisioning system has provided rights to workstations and the application servers he manages, but he should not have access to the databases he no longer administers. Privilege levels are not specified, so we can't determine if he has excessive rights. Logging may or may not be enabled, but it isn't possible to tell from the diagram or problem.
82
When Alex changes roles, what should occur? A. He should be de-provisioned, and a new account should be created. B. He should have his new rights added to his existing account. C. He should be provisioned for only the rights that match his role. D. He should have his rights set to match those of the person he is replacing.
C. He should be provisioned for only the rights that match his role. Explanation: When a user's role changes, they should be provisioned based on their role and other access entitlements. De-provisioning and re-provisioning are time-consuming and can lead to problems with changed IDs and how existing credentials work. Simply adding new rights leads to privilege creep, and matching another user's rights can lead to excessive privileges due to privilege creep for that other user.
83
Robert is reviewing a system that has been assigned the EAL2 evaluation assurance level under the Common Criteria. What is the highest level of assurance that he may have about the system? A. It has been functionally tested. B. It has been structurally tested. C. It has been formally verified, designed, and tested. D. It has been semiformally designed and tested.
B. It has been structurally tested. Explanation: B. EAL2 assurance applies when the system has been structurally tested. It is the second-to-lowest level of assurance under the Common Criteria.
84
Adam is processing an access request for an end user. What two items should he verify before granting the access? A. Separation and need to know B. Clearance and endorsement C. Clearance and need to know D. Second factor and clearance
C. Clearance and need to know Explanation: Before granting any user access to information, Adam should verify that the user has an appropriate security clearance as well as a business need to know the information in question.
85
During what phase of the electronic discovery reference model does an organization ensure that potentially discoverable information is protected against alteration or deletion? A. Identification B. Preservation C. Collection D. Processing
B. Preservation Explanation: During the preservation phase, the organization ensures that information related to the matter at hand is protected against intentional or unintentional alteration or deletion. The identification phase locates relevant information but does not preserve it. The collection phase occurs after preservation and gathers responsive information. The processing phase performs a rough cut of the collected information for relevance.
86
Dana is selecting a hash function for use in her organization and would like to balance a concern for a cryptographically strong hash with the speed and efficiency of the algorithm. Which one of the following hash functions would best meet her needs? A. MD5 B. RIPEMD C. SHA-2 D. SHA-3
C. SHA-2 Explanation: The original version of RIPEMD and the MD5hash algorithm have known vulnerabilities and should no longer be used. SHA-2 and SHA-3 are both considered secure today and provide the same level of security. SHA-3 is, however, less efficient than SHA-2, making SHA-2 the better choice for Dana's needs.
87
Harry would like to access a document owned by Sally stored on a file server. Applying the subject/object model to this scenario, who or what is the object of the resource request? A. Harry B. Sally C. File server D. Document
D. Document Explanation: D. In the subject/object model, the object is the resource being requested by a subject. In this example, Harry would like access to the document, making the document the object of the request.
88
What is the process that occurs when the Session layer removes the header from data sent by the Transport layer? A. Encapsulation B. Packet unwrapping C. De-encapsulation D. Payloading
C. De-encapsulation Explanation: The process of removing a header (and possibly a footer) from the data received from a previous layer in the OSI model is known as de-encapsulation. Encapsulation occurs when the header and/or footer are added. Payloads are part of a virus or malware package that are delivered to a target, and packet unwrapping is a made-up term.
89
Rob is reviewing his organization's campus for physical security using the Crime Prevention Through Environmental Design (CPTED) framework. Which one of the following is NOT a strategy in this framework? A. Natural intrusion detection B. Natural access control C. Natural surveillance D.; Natural territorial reinforcement
A. Natural intrusion detection Explanation: CPTED implements three strategies: natural access control, natural surveillance, and natural territorial reinforcement. Natural access control uses barricades and other physical elements to create a separation between secure and insecure spaces. Natural surveillance designs the environment to expose potential intruders to natural scrutiny by legitimate occupants. Natural territorial reinforcement uses fences, signs, and other elements to clearly define secure spaces. Natural intrusion detection is not an element of CPTED.
90
What markup language uses the concepts of a requesting authority, a provisioning service point, and a provisioning service target to handle its core functionality? A. SAML B. SAMPL C. SPML D. XACML
C. SPML Explanation: Service Provisioning Markup Language (SPML) uses requesting authorities to issue SPML requests to a provisioning service point. Provisioning service targets are often user accounts and are required to be allowed unique identification of the data in its implementation. SAML is used for security assertions, SAMPL is an algebraic modeling language, and XACML is an access control markup language used to describe and process access control policies in an XML format.
91
What type of risk assessment uses tools such as the one shown here? A. Quantitative B. Loss expectancy C. Financial D. Qualitative
D. Qualitative Explanation: D. The use of a probability/impact matrix is the hallmark of a qualitative risk assessment. It uses subjective measures of probability and impact, such as “high” and “low,” in place of quantitative measures.
92
MAC models use three types of environments. Which of the following is not a mandatory access control design? A. Hierarchical B. Bracketed C. Compartmentalized D. Hybrid
B. Bracketed Explanation: Mandatory access control systems can be hierarchical, where each domain is ordered and related to other domains above and below it; compartmentalized, where there is no relationship between each domain; or hybrid, where both hierarchy and compartments are used. There is no concept of bracketing in mandatory access control design.
93
Mandy is the team leader for a project team that includes six people. She would like to provide those people with the ability to communicate privately, such that any pair of people can exchange communications that are not subject to interception by anyone else (team member or nonteam member). She is using an asymmetric encryption algorithm. How many keys are required to implement these requirements? A. 6 B. 12 C. 15 D. 36
B. 12 Explanation: Asymmetric encryption algorithms require two keys per user, regardless of the number of participants. Therefore, this six-member team would require 12keys. If this team were to use symmetric cryptography, they would require (n*(n-1))/2, or (6*(6-1))/2 = 15keys.
94
Sally is wiring a gigabit Ethernet network. What cabling choices should she make to ensure she can use her network at the full 1000 Mbps she wants to provide to her users? A. Cat 5 and Cat 6 B. Cat 5e and Cat 6 C. Cat 4e and Cat 5e D. Cat 6 and Cat 7
B. Cat 5e and Cat 6 Explanation: B. Category 5e and Category 6 UTP cable are both rated to 1000Mbps. Cat 5 (not Cat 5e) is only rated to 100Mbps, whereas Cat 7 is rated to 10Gbps. There is no Cat 4e.
95
Ursula is seeking to expand the reach and scalability of her organization's website. She would like to position copies of her data around the world in locations close to website visitors to reduce loading time and the burden on her servers. What type of cloud service would best meet her needs? A. IaaS B. Containerization C. CDN D. SaaS
C. CDN Explanation: While Ursula may use a variety of different options to meet her needs, the best approach would be the use of a content delivery network (CDN). CDNs are specifically designed for this role, distributing content to many remote endpoints where it may be quickly loaded by local users.
96
Robert is the network administrator for a small business and recently installed a new firewall. After seeing signs of unusually heavy network traffic, he checked his intrusion detection system, which reported that a smurf attack was underway. What firewall configuration change can Robert make to most effectively prevent this attack? A. Block the source IP address of the attack. B. Block inbound UDP traffic. C. Block the destination IP address of the attack. D. Block inbound ICMP traffic.
D. Block inbound ICMP traffic. Explanation: Smurf attacks use a distributed attack approach to send ICMP echo replies at a targeted system from many different source addresses. The most effective way to block this attack would be to block inbound ICMP traffic. Blocking the source addresses is not feasible because the attacker would likely simply change the source addresses. Blocking destination addresses would likely disrupt normal activity. The smurf attack does not use UDP, so blocking that traffic would have no effect.
97
Which one of the following types of firewalls does not have the ability to track connection status between different packets? A. Stateful inspection B. Application proxy C. Packet filter D. Next generation
C. Packet filter Explanation: Static packet filtering firewalls are known as first-generation firewalls and do not track connection state. Stateful inspection, application proxying, and next-generation firewalls all add connection state tracking capability.
98
Frances is concerned that equipment failures within her organization's servers will lead to a loss of power to those servers. Which one of the following controls would best address this risk? A. Redundant power sources B. Backup generators C. Dual power supplies D. Uninterruptible power supplies
C. Dual power supplies Explanation: C. All of these controls serve to increase the reliability of power to a server. However, only dual power supplies address hardware issues that arise within the server, allowing the server to continue operation if one of the power supplies fails. Redundant power sources, backup generators, and uninterruptible power supplies (UPS) are designed to increase the reliability of power flowing to the server.
99
Peter is reviewing the remote access technologies used by his organization and would like to eliminate the use of any techniques that do not include built-in encryption. Which of the following approaches should he retain? (Select all that apply.) A. RDP B. Telnet C. SSH D. Dial-up
A. RDP C. SSH Explanation: C. The Remote Desktop Protocol (RDP) and Secure Shell (SSH) are modern approaches to remote access that include encryption features. Telnet and dial-up are outdated approaches that do not provide encryption and should not be relied upon for secure access.
100
Matthew is experiencing issues with the quality of network service on his organization's network. The primary symptom is that packets are occasionally taking too long to travel from their source to their destination. The length of this delay changes for individual packets. What term describes the issue Matthew is facing? A. Latency B. Jitter C. Packet loss D. Interference
B. Jitter Explanation: Latency is a delay in the delivery of packets from their source to their destination. Jitter is a variation in the latency for different packets. Packet loss is the disappearance of packets in transit that requires retransmission. Interference is electrical noise or other disruptions that corrupt the contents of packets.
101
Gavin is an internal auditor working to assess his organization's cybersecurity posture. Which of the following would be appropriate recipients of the reports he generates from his work? (Select all that apply.) A. Managers B. Individual contributors C. Suppliers D. Board members
A. Managers B. Individual contributors D. Board members Explanation: It is entirely appropriate to distribute internal audit reports to anyone in the organization who has a valid need to know. This may include both management and individual contributors responsible for remediating issues as well as board members charged with oversight. It would not normally be appropriate to distribute internal audit reports to external entities, such as suppliers and customers.
102
Kim is conducting testing of a web application developed by her organization and would like to ensure that it is accessible from all commonly used web browsers. What type of testing should she conduct? A. Regression testing B. Interface testing C. Fuzzing D. White-box testing
B. Interface testing Explanation: Web applications communicate with web browsers via an interface, making interface testing the best answer here. Regression testing might be used as part of the interface test but is too specific to be the best answer. Similarly, the test might be a white-box, or full knowledge, test, but interface testing better describes this specific example. Fuzzing is less likely as part of a browser compatibility test, as it tests unexpected inputs, rather than functionality.
103
Kathleen is implementing an access control system for her organization and builds the following array: Reviewers: update files, delete files Submitters: upload files Editors: upload files, update files Archivists: delete files What type of access control system has Kathleen implemented? A. Role-based access control B. Task-based access control C.Rule-based access control D. Discretionary access control
A. Role-based access control Explanation: Role-based access control gives each user an array of permissions based on their position in the organization, such as the scheme shown here. Task-based access control is not a standard approach. Rule-based access controls use rules that apply to all subjects, which isn't something we see in the list. Discretionary access control gives object owners rights to choose how the objects they own are accessed, which is not what this list shows.
104
Alan is installing a fire suppression system that will activate after a fire breaks out and protect the equipment in the data center from extensive damage. What metric is Alan attempting to lower? A. Likelihood B. RTO C. RPO D. Impact
D. Impact Explanation: Fire suppression systems do not stop a fire from occurring but do reduce the damage that fires cause. This is an example of reducing risk by lowering the impact of an event.
105
Alan's Wrenches recently developed a new manufacturing process for its product. They plan to use this technology internally and not share it with others. They would like it to remain protected for as long as possible. What type of intellectual property protection is best suited for this situation? A. Patent B. Copyright C. Trademark D. Trade secret
D. Trade secret Explanation: Patents and trade secrets can both protect intellectual property in the form of a process. Patents require public disclosure and have expiration dates while trade secrets remain in force for as long as they remain secret. Therefore, trade secret protection most closely aligns with the company's goals.
106
Ben wants to interface with the National Vulnerability Database using a standardized protocol. What option should he use to ensure that the tools he builds work with the data contained in the NVD? A. XACML B. SCML C. VSML D. SCAP
D. SCAP Explanation: The Security Content Automation Protocol (SCAP) is a suite of specifications used to handle vulnerability and security configuration information. The National Vulnerability Database provided by NIST uses SCAP. XACML is the eXtensible Access Control Markup Language, an OASIS standard used for access control decisions, and neither VSML nor SCML is an industry term.
107
Ron's organization does not have the resources to conduct penetration testing that uses time-intensive manual techniques, but he would like to achieve some of the benefits of penetration testing. Which one of the following techniques could he engage in that requires the least manual effort? A. White-box testing B. Black-box testing C. Gray-box testing D. Breach and attack simulation
D. Breach and attack simulation Explanation: Breach and attack simulation (BAS) platforms are intended to automate some aspects of penetration testing. These systems are designed to inject threat indicators onto systems and networks in an effort to trigger other security controls. White-box, gray-box, and black-box testing all involve more significant manual effort.
108
In the figure shown here, Harry's request to read the data file is blocked. Harry has a Secret security clearance, and the data file has a Top Secret classification. What principle of the Bell–LaPadula model blocked this request? A. Simple Security Property B. Simple Integrity Property C. *-Security Property D. Discretionary Security Property
A. Simple Security Property Explanation: A. The Simple Security Property prevents an individual from reading information at a higher security level than his or her clearance allows. This is also known as the “no read up” rule. The Simple Integrity Property says that a user can't write data to a higher integrity level than their own. The *-Security Property says that users can't write data to a lower security level than their own. The Discretionary Security Property allows the use of a matrix to determine access permissions.
109
Norm is starting a new software project with a vendor that uses an SDLC approach to development. When he arrives on the job, he receives a document that has the sections shown here. What type of planning document is this? A. Functional requirements B. Work breakdown structure C. Test analysis report D. Project plan
B. Work breakdown structure Explanation: The work breakdown structure (WBS) is an important project management tool that divides the work done for a large project into smaller components. It is not a project plan because it does not describe timing or resources. Test analyses are used during later phases of the development effort to report test results. Functional requirements may be included in a work breakdown structure, but they are not the full WBS.
110
Kolin is searching for a network security solution that will allow him to help reduce zero-day attacks while using identities to enforce a security policy on systems before they connect to the network. What type of solution should Kolin implement? A. A firewall B. A NAC system C. An intrusion detection system D. Port security
B. A NAC system Explanation: Network Access Control (NAC) systems can be used to authenticate users and then validate their system's compliance with a security standard before they are allowed to connect to the network. Enforcing security profiles can help reduce zero-day attacks, making NAC a useful solution. A firewall can't enforce system security policies, whereas an IDS can only monitor for attacks and alarm when they happen. Thus, neither a firewall nor an IDS meets Kolin's needs. Finally, port security is a MAC address-based security feature that can only restrict which systems or devices can connect to a given port.
111
Gwen comes across an application that is running under a service account on a web server. The service account has full administrative rights to the server. What principle of information security does this violate? A. Need to know B. Separation of duties C. Least privilege D. Job rotation
C. Least privilege Explanation: This scenario violates the least privilege principle because an application should never require full administrative rights to run. Gwen should update the service account to have only the privileges necessary to support the application.
112
Ed is developing a set of key performance and risk indicators for his organization's information security program. Which of the following are commonly used indicators? (Select all that apply.) A. Number of scheduled audits B. Time to resolve vulnerabilities C. Number of malicious site visit attempts D. Number of account compromises
B. Time to resolve vulnerabilities C. Number of malicious site visit attempts D. Number of account compromises Explanation: D. Organizations typically use the time to resolve vulnerabilities, the number of account compromises, and the number of attempts by users to visit malicious sites as indicators. The number of scheduled audits is not normally a measure of the performance of an information security team. A more appropriate indicator in this area is the number of repeat audit findings.
113
Kara is documenting the results of a vulnerability scan. After reviewing one finding, she determined that the vulnerability did exist. The team then implemented a configuration change that corrected the issue. How should Kara classify this vulnerability in her report? A. True positive B. True negative C. False positive D. False negative
A. True positive Explanation: This is a true positive report because the scan detected the vulnerability and the vulnerability actually existed. The fact that the team later remediated the vulnerability could be noted in the report, but it does not change the result of the scan or its classification. True negatives occur when scans correctly note the absence of a vulnerability. False positives occur when scans report the presence of a vulnerability that does not actually exist. False negatives occur when scans report that no vulnerability exists when one does, in fact, exist.
114
For questions 114–116, please refer to the following scenario: During a web application vulnerability scanning test, Steve runs Nikto against a web server he believes may be vulnerable to attacks. Using the Nikto output shown here, answer the following questions. Why does Nikto flag the /test directory? A. The /test directory allows administrative access to PHP. B. It is used to store sensitive data. C. Test directories often contain scripts that can be misused. D. It indicates a potential compromise.
C. Test directories often contain scripts that can be misused. Explanation: C. Test directories often include scripts that may have poor protections or may have other data that can be misused. There is not a default test directory that allows administrative access to PHP. Test directories are not commonly used to store sensitive data, nor is the existence of a test directory a common indicator of compromise.
115
Why does Nikto identify directory indexing as an issue? A. It lists files in a directory. B. It may allow for XDRF. C. Directory indexing can result in a denial-of-service attack. D. Directory indexing is off by default, potentially indicating compromise.
A. It lists files in a directory. Explanation: Directory indexing may not initially seem like an issue during a penetration test, but simply knowing the name and location of files can provide an attacker with quite a bit of information about an organization, as well as a list of potentially accessible files. XDRF is not a type of attack, and indexing is not a denial-of-service attack vector. Directory indexing being turned on is typically either due to misconfiguration or design or because the server was not properly configured at setup, rather than being a sign of attack.
116
Nikto lists OSVDB-877, noting that the system may be vulnerable to XST. What would this type of attack allow an attacker to do? A. Use cross-site targeting. B. Steal a user's cookies. C. Counter SQL tracing. D. Modify a user's TRACE information.
B. Steal a user's cookies. Explanation: Cross-site tracing (XST) leverages the HTTP TRACE or TRACK methods and could be used to steal a user's cookies via cross-site scripting (XSS). The other options are not industry terms for web application or web server attacks or vulnerabilities.
117
Who would be the most appropriate supervisor for an organization's chief audit executive (CAE)? A. CIO B. CISO C. CEO D. CFO
C. CEO Explanation: The chief audit executive (CAE) should report to the most senior possible leader to avoid conflicts of interest. Of the choices provided, the chief executive officer (CEO) is the most senior position and the best option. It is also possible to provide an added degree of independence by having the CAE report to the board of directors, either as a primary reporting line or as a dotted line relationship.
118
Ursula believes that many individuals in her organization are storing sensitive information on their laptops in a manner that is unsafe and potentially violates the organization's security policy. What control can she use to identify the presence of these files? A. Network DLP B. Network IPS C. Endpoint DLP D. Endpoint IPS
C. Endpoint DLP Explanation: Data loss prevention (DLP) systems specialize in the identification of sensitive information. In this case, Ursula would like to identify the presence of this information on endpoint devices, so she should choose an endpoint DLP control. Network-based DLP would not detect stored information unless the user transmits it over the network. Intrusion prevention systems (IPSs) are designed to detect and block attacks in progress, not necessarily the presence of sensitive information.
119
In what cloud computing model does the customer build a cloud computing environment in his or her own data center or build an environment in another data center that is for the customer's exclusive use? A. Public cloud B. Private cloud C. Hybrid cloud D. Shared cloud
B. Private cloud Explanation: B. In the private cloud computing model, the cloud computing environment is dedicated to a single organization and does not follow the shared tenancy model. The environment may be built by the company in its own data center or built by a vendor at a co-location site.
120
Which one of the following technologies is designed to prevent a web server going offline from becoming a single point of failure in a web application architecture? A. Load balancing B. Dual-power supplies C. IPS D. RAID
A. Load balancing Explanation: Load balancing helps to ensure that a failed server will not take a website or service offline. Dual power supplies only work to prevent failure of a power supply or power source. IPS can help to prevent attacks, and RAID can help prevent a disk failure from taking a system offline.
121
Alice wants to send Bob a message with the confidence that Bob will know the message was not altered while in transit. What security goal is Alice trying to achieve? A. Confidentiality B. Nonrepudiation C. Authentication D. Integrity
D. Integrity Explanation: Integrity ensures that unauthorized changes are not made to data while stored or in transit.
122
What network topology is shown here? A. A ring B. A bus C. A star D. A mesh
C. A star Explanation: A star topology uses a central connection device. Ethernet networks may look like a star, but they are actually a logical bus topology that is sometimes deployed in a physical star.
123
Monica is developing a software application that calculates an individual's body mass index for use in medical planning. She would like to include a control on the field where the physician enters an individual's weight to ensure that the weight falls within an expected range. What type of control should Monica use? A. Fail open B. Fail secure C. Limit check D. Buffer bounds
C. Limit check Explanation: Input validation ensures that the data provided to a program as input matches the expected parameters. Limit checks are a special form of input validation that ensure that the value remains within an expected range, as is the case described in this scenario. Fail open and fail secure are options when planning for possible system failures. Buffer bounds are not a type of software control.
124
Match the following numbered types of testing methodologies with the lettered correct level of knowledge: Testing methodologies 1. Black box 2. White box 3. Gray box Level of knowledge A. Full knowledge of the system B. Partial or incomplete knowledge C. No prior knowledge of the system
The testing methodologies match with the level of knowledge as follows: Black box: C. No prior knowledge of the system White box: A. Full knowledge of the system Gray box: B. Partial or incomplete knowledge
125
Match the following lettered factors to their numbered type: Factors ``` A. A PIN B. A token C. A fingerprint D. A password E. A smart card F. A retinal scan G. A security question/answer ``` Types 1. Something you know 2. Something you have 3. Something you are
The factors match to the types as follows: A PIN: Something you know A token: Something you have A fingerprint: Something you are A password: Something you know A smartcard: Something you have A retinal scan: Something you are A security question/answer: Something you know
125
Match the following lettered factors to their numbered type: Factors ``` A. A PIN B. A token C. A fingerprint D. A password E. A smart card F. A retinal scan G. A security question/answer ``` Types 1. Something you know 2. Something you have 3. Something you are

CISSP (43 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2025 Bold Learning Solutions. Terms and Conditions