OPT Flashcards
1
Q
- What is the final step of a quantitative risk analysis?
A. Determine asset value.
B. Assess the annualized rate of occurrence.
C. Derive the annualized loss expectancy.
D. Conduct a cost/benefit analysis.
A
D. The final step of a quantitative risk analysis is conducting a cost/benefit analysis to
determine whether the organization should implement proposed countermeasure(s).
2
Q
- Match the following numbered wireless attack terms with their appropriate lettered
descriptions:
Wireless attack terms - Rogue access point
- Replay
- Evil twin
- War driving
Descriptions
A. An attack that relies on an access point to spoof a legitimate access point’s SSID and Mandatory Access Control (MAC) address
B. An access point intended to attract new connections by using an apparently legitimate SSID
C. An attack that retransmits captured communication to attempt to gain access to a targeted system
D. The process of using detection tools to find wireless networks
A
BCAD
3
Q
- Under the Digital Millennium Copyright Act (DMCA), what type of offenses do not require prompt action by an internet service provider after it receives a notification of infringement claim from a copyright holder?
A. Storage of information by a customer on a provider’s server
B. Caching of information by the provider
C. Transmission of information over the provider’s network by a customer
D. Caching of information in a provider search engine
A
C
4
Q
4. FlyAway Travel has offices in both the European Union (EU) and the United States and transfers personal information between those offices regularly. They have recently received a request from an EU customer requesting that their account be terminated. Under the General Data Protection Regulation (GDPR), which requirement for processing personal information states that individuals may request that their data no longer be disseminated or processed? A. The right to access B. Privacy by design C. The right to be forgotten D. The right of data portability
A
C. The right to be forgotten, also known as the right to erasure, guarantees the data subject the ability to have their information removed from processing or use. It may be tied to consent given for data processing; if a subject revokes consent for processing, the data controller may need to take additional steps, including erasure.
5
Q
5. Which one of the following is not one of the three common threat modeling techniques? A. Focused on assets B. Focused on attackers C. Focused on software D. Focused on social engineering
A
D. The three common threat modeling techniques are focused on attackers, software, and assets. Social engineering is a subset of attackers.
6
Q
6. Which one of the following elements of information is not considered personally identifiable information that would trigger most United States (U.S.) state data breach laws? A. Student identification number B. Social Security number C. Driver’s license number D. Credit card number
A
A. Most state data breach notification laws are modeled after California’s law, which covers Social Security number, driver’s license number, state identification card number, credit/debit card numbers, bank account numbers (in conjunction with a PIN or password), medical records, and health insurance information.
7
Q
7. In 1991, the Federal Sentencing Guidelines formalized a rule that requires senior executives to take personal responsibility for information security matters. What is the name of this rule? A. Due diligence rule B. Personal liability rule C. Prudent man rule D. Due process rule
A
C. The prudent man rule requires that senior executives take personal responsibility for ensuring the due care that ordinary, prudent individuals would exercise in the same situation. The rule originally applied to financial matters, but the Federal Sentencing Guidelines applied them to information security matters in 1991.
8
Q
9. What United States government agency is responsible for administering the terms of privacy shield agreements between the European Union and the United States under the EU GDPR? A. Department of Defense B. Department of the Treasury C. State Department D. Department of Commerce
A
D. The US Department of Commerce is responsible for implementing the EU-U.S. Privacy Shield Agreement. This framework replaced an earlier framework known as Privacy Shield, which was ruled insufficient in the wake of the NSA surveillance disclosures.
9
Q
10. Yolanda is the chief privacy officer for a financial institution and is researching privacy issues related to customer checking accounts. Which one of the following laws is most likely to apply to this situation? A. GLBA B. SOX C. HI PAA D. FERPA
A
A. The Gramm-Leach-Bliley Act (GLBA) contains provisions regulating the privacy of customer financial information. It applies specifically to financial institutions.
10
Q
11. Tim’s organization recently received a contract to conduct sponsored(贊助) research as a government contractor(政府承包商). What law now likely applies to the information systems involved in this contract? A. FISMA B. PCI DSS C. HI PAA D. GISRA
A
A. The Federal Information Security Management Act (FISMA) specifically applies to government contractors. The Government Information Security Reform Act (GISRA) was the precursor to FISMA and expired in November 2002. HIPAA and PCI DSS apply to healthcare and credit card information, respectively.
11
Q
12. Chris is advising travelers from his organization who will be visiting many different countries overseas. He is concerned about compliance with export control laws(出口管制法律). Which of the following technologies is most likely to trigger these regulations? A. Memory chips B. Office productivity applications C. Hard drives D. Encryption software
A
D. The export of encryption software to certain countries is regulated under US export control laws.
12
Q
15. Which one of the following control categories does not accurately describe a fence(圍欄) around a facility? A. Physical B. Detective C. Deterrent D. Preventive
A
B. A fence does not have the ability to detect intrusions. It does, however, have the ability to prevent and deter an intrusion. Fences are an example of a physical control.
13
Q
- Tony is developing a business continuity plan and is having difficulty prioritizing resources because of the difficulty of combining information about tangible and intangible assets.
What would be the most effective risk assessment approach for him to use?
A. Quantitative risk assessment
B. Qualitative risk assessment
C. Neither quantitative nor qualitative risk assessment
D. Combination of quantitative and qualitative risk assessment
A
D. Tony would see the best results by combining elements of quantitative and qualitative risk assessment. Quantitative risk assessment excels at analyzing financial risk, while qualitative risk assessment is a good tool for intangible risks. Combining the two techniques provides a well-rounded risk picture.
14
Q
17. What law provides intellectual property protection to the holders of trade secrets? A. Copyright Law B. Lanham Act C. Glass-Steagall Act D. Economic Espionage Act
A
D. The Economic Espionage Act(經濟間諜法) imposes fines and jail sentences on anyone found guilty of stealing trade secrets from a US corporation. It gives true teeth to the intellectual property rights of trade secret owners.
15
Q
18. Which one of the following principles imposes a standard of care upon an individual that is broad and equivalent to what one would expect from a reasonable person under the circumstances? A. Due diligence B. Separation of duties C. Due care D. Least privilege
A
C. The due care principle states that an individual should react in a situation using the same level of care that would be expected from any reasonable person. It is a very broad standard. The due diligence principle is a more specific component of due care that states that an individual assigned a responsibility should exercise due care to complete it accurately and in a timely manner.
16
Q
22. Which one of the following actions might be taken as part of a business continuity plan? A. Restoring from backup tapes B. Implementing RAID C. Relocating to a cold site D. Restarting business operations
A
B. RAID technology provides fault tolerance for hard drive failures and is an example of a business continuity action. Restoring from backup tapes, relocating to a cold site, and restarting business operations are all disaster recovery actions.
#
A. Restoring from backup tapes
17
Q
- Which one of the following organizations would not be automatically subject to the terms of HIPAA if they engage in electronic transactions?#重點在問誰不受影響
A. Healthcare provider
B. Health and fitness application developer
C. Health information clearinghouse
D. Health insurance plan
A
B. A health and fitness application developer would not necessarily be collecting or processing healthcare data, and the terms of HIPAA do not apply to this category of business. HIPAA regulates three types of entities—healthcare providers, health information clearinghouses(健康信息交換所), and health insurance plans—as well as the business associates of any of those covered entities.
18
Q
31. Renee is designing the long-term security plan for her organization and has a three- to five-year planning horizon. What type of plan is she developing? A. Operational B. Tactical C. Summary D. Strategic
A
D. Strategic plans have a long-term planning horizon of up to five years in most cases.
Operational and tactical plans have shorter horizons of a year or less.
19
Q
32. What government agency is responsible for the evaluation and registration of trademarks? A. USPTO B. Library of Congress C. TVA D. NIST
A
A. The United States Patent and Trademark Office (USPTO) bears responsibility for the registration of trademarks.
20
Q
33. The Acme Widgets Company is putting new controls in place for its accounting department. Management is concerned that a rogue accountant may be able to create a new false vendor and then issue checks to that vendor as payment for services that were never rendered. What security control can best help prevent this situation? A. Mandatory vacation B. Separation of duties C. Defense in depth D. Job rotation
A
B. When following the separation of duties principle, organizations divide critical tasks into discrete components and ensure that no one individual has the ability to perform both actions. This prevents a single rogue individual from performing that task in an unauthorized manner.
21
Q
34. Which one of the following categories of organizations is most likely to be covered by the provisions of FISMA? A. Banks B. Defense contractors C. School districts D. Hospitals
A
B. The Federal Information Security Management Act (FISMA) applies to federal government agencies and contractors(承包商). Of the entities listed, a defense contractor is the most likely to have government contracts subject to FISMA.
22
Q
38. Florian receives a flyer from a federal agency announcing that a new administrative law will affect his business operations. Where should he go to find the text of the law? A. United States Code B. Supreme Court rulings C. Code of Federal Regulations D. Compendium of Laws
A
C. The Code of Federal Regulations (CFR) contains the text of all administrative laws promulgated by federal agencies. The United States Code contains criminal and civil law.
Supreme Court rulings contain interpretations of law and are not laws themselves. The Compendium of Laws does not exist.
23
Q
40. Which one of the following individuals would be the most effective organizational owner for an information security program? A. CISSP-certified analyst B. Chief information officer (CIO) C. Manager of network security D. President and CEO
A
B. The owner of information security programs may be different from the individuals responsible for implementing the controls. This person should be as senior an individual as possible who is able to focus on the management of the security program. The president and CEO would not be an appropriate choice because an executive at this level is unlikely to have the time necessary to focus on security. Of the remaining choices, the CIO is the most senior position who would be the strongest advocate at the executive level.
24
Q
- Which one of the following issues is not normally addressed in a service-level agreement (SLA)?
A. Confidentiality of customer information
B. Failover time
C. Uptime
D. Maximum consecutive downtime
A
A. SLAs do not normally address issues of data confidentiality. Those provisions are normally included in a nondisclosure agreement (NDA).
25
```
46. Joan is seeking to protect a piece of computer software that she developed under intellectual property law. Which one of the following avenues of protection would not apply to a piece of software?
A. Trademark
B. Copyright
C. Patent
D. Trade secret
```
A. Trademarks protect words and images that represent a product or service and would not protect computer software.
26
```
48. You are also concerned about the availability of data stored on each office’s server. You would like to add technology that would enable continued access to files located on the server even if a hard drive in a server fails. What integrity control allows you to add robustness without adding additional servers?
A. Server clustering
B. Load balancing
C. RAID
D. Scheduled backups
```
C. RAID uses additional hard drives to protect the server against the failure of a single device. Load balancing and server clustering do add robustness but require the addition of a server. Scheduled backups protect against data loss but do not provide immediate access to data in the event of a hard drive failure.
27
50. What law serves as the basis for privacy rights in the United States?
A. Privacy Act of 1974
B. Fourth Amendment
C. First Amendment
D. Electronic Communications Privacy Act of 1986
B. The Fourth Amendment directly prohibits government agents from searching private property without a warrant and probable cause. The courts have expanded the interpretation of the Fourth Amendment to include protections against other invasions of privacy.
28
```
52. An accounting employee at Doolittle Industries was recently arrested for participation in an embezzlement scheme. The employee transferred money to a personal account and then shifted funds around between other accounts every day to disguise the fraud for months. Which one of the following controls might have best allowed the earlier detection of this fraud?
A. Separation of duties
B. Least privilege
C. Defense in depth
D. Mandatory vacation
```
D. Mandatory vacation programs require that employees take continuous periods of time off each year and revoke their system privileges during that time. This will hopefully disrupt any attempt to engage in the cover-up actions necessary to hide fraud and result in exposing the threat. Separation of duties, least privilege, and defense in depth controls all may help prevent the fraud in the first place but are unlikely to speed the detection of fraud that has already occurred.
29
```
53. Which one of the following is not normally considered a business continuity task?
A. Business impact assessment
B. Emergency response guidelines
C. Electronic vaulting
D. Vital records program
```
C. Electronic vaulting(電子存儲) is a data backup task that is part of disaster recovery, not business continuity, efforts.
30
56. Who should receive initial business continuity plan training in an organization?
A. Senior executives
B. Those with specific business continuity roles
C. Everyone in the organization
D. First responders
C. Everyone in the organization should receive a basic awareness training for the business continuity program. Those with specific roles, such as first responders and senior executives, should also receive detailed, role-specific training.
31
```
57. James is conducting a risk assessment for his organization and is attempting to assign an asset value to the servers in his data center. The organization’s primary concern is ensuring that it has sufficient funds available to rebuild the data center in the event it is damaged or destroyed. Which one of the following asset valuation methods would be most appropriate in this situation?
A. Purchase cost
B. Depreciated cost
C. Replacement cost
D. Opportunity cost
```
C. If the organization’s primary concern is the cost of rebuilding the data center, James should use the replacement cost method to determine the current market price for equivalent servers.
32
58. The Computer Security Act of 1987 gave a federal agency responsibility for developing computer security standards and guidelines for federal computer systems. What agency did the act give this responsibility to?
A. National Security Agency
B. Federal Communications Commission
C. Department of Defense
D. National Institute of Standards and Technology
D. The Computer Security Act of 1987 gave the National Institute of Standards and Technology (NIST) responsibility for developing standards and guidelines for federal computer systems. For this purpose, NIST draws upon the technical advice and assistance of the National Security Agency where appropriate.
33
```
61. What is the formula used to determine risk?
A. Risk = Threat * Vulnerability
B. Risk = Threat / Vulnerability
C. Risk = Asset * Threat
D. Risk = Asset / Threat
```
A. Risks exist when there is an intersection of a threat and a vulnerability. This is described using the equation Risk = Threat * Vulnerability.
34
```
62. The following graphic shows the NIST risk management framework with step 4 missing.
What is the missing step?
A. Assess security controls.
B. Determine control gaps.
C. Remediate control gaps.
D. Evaluate user activity
```
A. The fourth step of the NIST risk management framework is assessing security controls.
35
65. Which one of the following components should be included in an organization’s emergency response guidelines?
A. List of individuals who should be notified of an emergency incident
B. Long-term business continuity protocols
C. Activation procedures for the organization’s cold sites
D. Contact information for ordering equipment
A. The emergency response guidelines should include the immediate steps an organization should follow in response to an emergency situation. These include immediate response procedures, a list of individuals who should be notified of the emergency and secondary response procedures for first responders. They do not include long-term actions such as activating business continuity protocols, ordering equipment, or
activating DR sites.
36
67. Which one of the following actions is not normally part of the project scope and planning phase of business continuity planning?
A. Structured analysis of the organization
B. Review of the legal and regulatory landscape
C. Creation of a BCP team
D. Documentation of the plan
D. The project scope and planning phase includes four actions: a structured analysis of the organization, the creation of a BCP team, an assessment of available resources, and an analysis of the legal and regulatory landscape.
#
Phase 1: Project Scoping and Planning
Business analysis from crisis point of view
Creation of the BCP Team with Approval from senior management
Assessment of resources available to participate in continuity processes
Legal and Regulatory requirements analysis
Business Organizational Analysis
Phase 2: Business Impact Analysis
Phase 3: Continuity Planning - Recovery Strategies and Continuity Development
Phase 4: Approval and Implementation
Phase 5: Testing and Maintenance
Exercise, Test, Drill and Maintain the BCP.
Maintenance includes updating documentation as processes and controls change.
37
```
69. Becka recently signed a contract with an alternate data processing facility that will provide her company with space in the event of a disaster. The facility includes HVAC, power, and communications circuits but no hardware. What type of facility is Becka using?
A. Cold site
B. Warm site
C. Hot site
D. Mobile sit
```
A. A cold site includes the basic capabilities required for data center operations: space, power, HVAC, and communications, but it does not include any of the hardware required to restore operations.
38
```
70. What is the threshold for malicious damage to a federal computer system that triggers the Computer Fraud and Abuse Act?
A. $500
B. $2,500
C. $5,000
D. $10,000
```
C. The Computer Fraud and Abuse Act (CFAA) makes it a federal crime to maliciously cause damage in excess of $5,000 to a federal computer system during any one-year period.
39
```
72. Which one of the following laws requires that communications service providers cooperate with law enforcement requests?
A. ECPA
B. CALEA
C. Privacy Act
D. HITECH Act
```
B. The Communications Assistance to Law Enforcement Act (CALEA) requires that all communications carriers make wiretaps possible for law enforcement officials who have an appropriate court order.
40
```
73. Every year, Gary receives privacy notices in the mail from financial institutions where he has accounts. What law requires the institutions to send Gary these notices?
A. FERPA
B. GLBA
C. HI PAA
D. HITECH
```
B. The Gramm-Leach-Bliley Act (GLBA) places strict privacy regulations on financial institutions, including providing written notice of privacy practices to customers.
41
```
76. Which one of the following stakeholders is not typically included on a business continuity planning team?
A. Core business function leaders
B. Information technology staff
C. CEO
D. Support departments
```
C. While senior management should be represented on the BCP team, it would be highly unusual for the CEO to fill this role personally.
42
```
77. Ben is designing a messaging system for a bank and would like to include a feature that allows the recipient of a message to prove to a third party that the message did indeed come from the purported originator. What goal is Ben trying to achieve?
A. Authentication
B. Authorization
C. Integrity
D. Nonrepudiation
```
D. Nonrepudiation allows a recipient to prove to a third party that a message came from a purported source. Authentication would provide proof to Ben that the sender was authentic, but Ben would not be able to prove this to a third party.
43
79. Which one of the following is not a goal of a formal change management program?
A. Implement change in an orderly fashion.
B. Test changes prior to implementation.
C. Provide rollback plans for changes.
D. Inform stakeholders of changes after they occur.
D. Stakeholders should be informed of changes before, not after, they occur. The other items listed are goals of change management programs.
44
```
80. Ben is responsible for the security of payment card information stored in a database. Policy directs that he remove the information from the database, but he cannot do this for operational reasons. He obtained an exception to policy and is seeking an appropriate compensating control to mitigate the risk. What would be his best option?
A. Purchasing insurance
B. Encrypting the database contents
C. Removing the data
D. Objecting to the exception
```
B. Ben should encrypt the data to provide an additional layer of protection as a compensating control. The organization has already made a policy exception, so he should not react by objecting to the exception or removing the data without authorization. Purchasing insurance may transfer some of the risk but is not a mitigating control.
45
```
84. Helen is the owner of a website that provides information for middle and high school students preparing for exams. She is concerned that the activities of her site may fall under the jurisdiction of the Children’s Online Privacy Protection Act (COPPA). What is the cutoff age below which parents must give consent in advance of the collection of personal information from their children under COPPA?
A. 13
B. 15
C. 17
D. 18
```
A. COPPA requires that websites obtain advance parental consent for the collection of personal information from children under the age of 13.
46
87. Alan is performing threat modeling and decides that it would be useful to decompose the system into the key elements shown here. What tool is he using?
A. Vulnerability assessment
B. Fuzzing
C. Reduction analysis
D. Data modeling
C. In reduction analysis, the security professional breaks the system down into five key elements: trust boundaries, data flow paths, input points, privileged operations, and details about security controls.
47
88. Match the following numbered laws or industry standards to their lettered description:
Laws and industry standards
1. GLBA
2. PCI DSS
3. HI PAA
4. SOX
Descriptions
A. A U.S. law that requires covered financial institutions to provide their customers with
a privacy notice on a yearly basis
B. A U.S. law that requires internal controls assessments, including IT transaction flows
for publicly traded companies
C. An industry standard that covers organizations that handle credit cards
D. A U.S. law that provides data privacy and security requirements for medical
information
ACDB
48
```
91. Which type of business impact assessment tool is most appropriate when attempting to evaluate the impact of a failure on customer confidence?
A. Quantitative
B. Qualitative
C. Annualized loss expectancy
D. Reduction
```
B. Qualitative tools are often used in business impact assessment to capture the impact on intangible factors such as customer confidence, employee morale, and reputation.
49
```
93. Which one of the following security programs is designed to provide employees with the knowledge they need to perform their specific work tasks?
A. Awareness
B. Training
C. Education
D. Indoctrination
```
B. Security training is designed to provide employees with the specific knowledge they need to fulfill their job functions. It is usually designed for individuals with similar job functions.
50
```
95. Ryan is a security risk analyst for an insurance company. He is currently examining a scenario in which a malicious hacker might use a SQL injection attack to deface a web server due to a missing patch in the company’s web application. In this scenario, what is the threat? #ch11Q77 #ch12Q82
A. Unpatched web application
B. Web defacement
C. Malicious hacker
D. Operating system
```
C. Risks are the combination of a threat and a vulnerability. Threats are the external forces seeking to undermine security, such as the malicious hacker in this case.
Vulnerabilities are the internal weaknesses that might allow a threat to succeed. In this case, the missing patch is the vulnerability. In this scenario, if the malicious hacker (threat) attempts a SQL injection attack against the unpatched server (vulnerability), the result is website defacement.
51
```
102. STRIDE, PASTA, and VAST are all examples of what type of tool?
A. Risk assessment methodologies
B. Control matrices
C. Threat modeling methodologies
D. Awareness campaign tools
```
C. STRIDE, Process for Attack Simulation and Threat Analysis (PASTA), and Visual, Agile, and Simple Threat (VAST) modeling are all threat modeling methodologies. STRIDE was designed for applications and operating systems (but can be used more broadly), PASTA is a risk-centric(以風險為中心) modeling system, and VAST is a threat modeling concept based on Agile project management and programming techniques.
52
```
105. Which of the following is not typically included in a prehire screening process?
A. A drug test
B. A background check
C. Social media review
D. Fitness evaluation
```
D. A fitness evaluation is not a typical part of a hiring process. Drug tests, background checks, and social media checks are all common parts of current hiring practices.
53
107. Greg’s company recently experienced a significant data breach involving the personal data of many of their customers. Which breach laws should they review to ensure that they are taking appropriate action?
A. The breach laws in the state where they are headquartered
B. The breach laws of states they do business in
C. Only federal breach laws
D. Breach laws only cover government agencies, not private businesses
B. In general, companies should be aware of the breach laws in any location where they do business. US states have a diverse collection of breach laws and requirements, meaning that in this case, Greg’s company may need to review many different breach laws to determine which they may need to comply with if they conduct business in the state or with the state’s residents.
54
108. Lawrence has been asked to perform vulnerability scans and a risk assessment of systems.
Which organizational process are these more likely to be associated with?
A. A merger
B. A divestiture
C. A layoff
D. A financial audit
A. When organizations merge, it is important to understand the state of the security for both organizations. Running vulnerability scans and performing a risk assessment are both common steps taken when preparing to merge two (or more!) IT environments.
55
```
110. Laura has been asked to perform an SCA. What type of organization is she most likely in?
A. Higher education
B. Banking
C. Government
D. Healthcare
```
C. A security controls assessment (SCA) most often refers to a formal US government process for assessing security controls and is often paired with a Security Test and Evaluation (ST&E) process. This means that Laura is probably part of a government organization or contractor.
56
```
2. Control Objectives for Information and Related Technology (COBIT) is a framework for information technology (IT) management and governance. Which data management role is most likely to select and apply COBIT to balance the need for security controls against business requirements?
A. Business owners
B. Data processors
C. Data owners
D. Data stewards
```
A. Business owners have to balance the need to provide value with regulatory, security, and other requirements. This makes the adoption of a common framework like COBIT attractive. Data owners are more likely to ask that those responsible for control selection identify a standard to use. Data processors are required to perform specific actions under regulations like the EU GDPR. Finally, in many organizations, data stewards are internal roles that oversee how data is used.
57
6. How can a data retention policy help to reduce liabilities(減少負債)?
A. By ensuring that unneeded data isn’t retained
B. By ensuring that incriminating data is destroyed
C. By ensuring that data is securely wiped so it cannot be restored for legal discovery
D. By reducing the cost of data storage required by law
A. A data retention policy can help to ensure that outdated data is purged, removing potential additional costs for discovery. Many organizations have aggressive retention policies to both reduce the cost of storage and limit the amount of data that is kept on hand and discoverable. Data retention policies are not designed to destroy incriminating data, and legal requirements for data retention must still be met.
58
9. Ben has been tasked with identifying security controls for systems covered by his organization’s information classification system. Why might Ben choose to use a security baseline?
A. It applies in all circumstances, allowing consistent security controls.
B. They are approved by industry standards bodies, preventing liability.
C. They provide a good starting point that can be tailored to organizational needs.
D. They ensure that systems are always in a secure state.
C. Security baselines provide a starting point to scope and tailor security controls to your organization’s needs. They aren’t always appropriate to specific organizational needs, they cannot ensure that systems are always in a secure state, and they do not prevent liability(責任).
59
```
10. What term is used to describe overwriting media to allow for its reuse in an environment operating at the same sensitivity level?
A. Clearing
B. Erasing
C. Purging
D. Sanitization
```
A. Clearing describes preparing media for reuse. When media is cleared, unclassified data is written over all addressable locations on the media. Once that’s completed, the media can be reused. Erasing is the deletion of files or media. Purging is a more intensive form of clearing for reuse in lower-security areas, and sanitization is a series of processes that removes data from a system or media while ensuring that the data is unrecoverable by any means.
60
```
11. Which of the following classification levels is the United States (U.S.) government’s classification label for data that could cause damage but wouldn’t cause serious or grave damage?
A. Top S ecret
B. Secret
C. Confidential
D. Classified
```
C. The US government uses the label Confidential for data that could cause damage if it was disclosed without authorization. Exposure of Top Secret data is considered to potentially cause grave damage, while Secret data could cause serious damage. Classified is not a level in the US government classification scheme.
61
12. What issue is common to spare sectors and bad sectors on hard drives as well as overprovisioned space on modern SSDs?
A. They can be used to hide data.
B. They can only be degaussed.
C. They are not addressable, resulting in data remanence.
D. They may not be cleared, resulting in data remanence.
D. Spare sectors, bad sectors, and space provided for wear leveling on SSDs (overprovisioned space) may all contain data that was written to the space that will not be cleared when the drive is wiped. Most wiping utilities only deal with currently addressable space on the drive. SSDs cannot be degaussed, and wear leveling space cannot be reliably used to hide data. These spaces are still addressable by the drive, although they may not be seen by the operating system.
62
For questions 14–16, please refer to the following scenario:
Your organization regularly handles three types of data: information that it shares with customers, information that it uses internally to conduct business, and trade secret information that offers the organization significant competitive advantages. Information shared with customers is used and stored on web servers, while both the internal business data and the trade secret information are stored on internal file servers and employee workstations.
14. What civilian data classifications best fit this data?
A. Unclassified, confidential, top secret
B. Public, sensitive, private
C. Public, sensitive, proprietary(專有)
D. Public, confidential, private
C. Information shared with customers is public, internal business could be sensitive or private, and trade secrets are proprietary. Thus, public, sensitive, proprietary matches this most closely. Confidential is a military classification, which removes two of the remaining options, and trade secrets are more damaging to lose than a private classification would allow.
63
For questions 14–16, please refer to the following scenario:
Your organization regularly handles three types of data: information that it shares with customers, information that it uses internally to conduct business, and trade secret information that offers the organization significant competitive advantages. Information shared with customers is used and stored on web servers, while both the internal business data and the trade secret information are stored on internal file servers and employee workstations.
15. What technique could you use to mark your trade secret information in case it was released or stolen and you need to identify it?
A. Classification
B. Symmetric encryption
C. Watermarks
D. Metadata
C. A watermark is used to digitally label data and can be used to indicate ownership. Encryption would have prevented the data from being accessed if it was lost, while classification is part of the set of security practices that can help make sure the right controls are in place. Finally, metadata is used to label data and might help a data loss prevention system flag it before it leaves your organization.
64
18. Why is it cost effective to purchase high-quality media to contain sensitive data?
A. Expensive media is less likely to fail.
B. The value of the data often far exceeds the cost of the media.
C. Expensive media is easier to encrypt.
D. More expensive media typically improves data integrity.
B. The value of the data contained on media often exceeds the cost of the media, making more expensive media that may have a longer life span or additional capabilities like encryption support a good choice. While expensive media may be less likely to fail, the reason it makes sense is the value of the data, not just that it is less likely to fail. In general, the cost of the media doesn’t have anything to do with the ease of encryption, and data integrity isn’t ensured by better media.
65
```
19. Chris is responsible for workstations throughout his company and knows that some of the company’s workstations are used to handle proprietary information. Which option best describes what should happen at the end of their lifecycle for workstations he is responsible for?#工作站在生命週期結束時應該發生什麼
A. Erasing
B. Clearing
C. Sanitization
D. Destruction
```
C. Sanitization is a combination of processes that ensure that data from a system cannot be recovered by any means. Erasing and clearing are both prone to mistakes and technical problems that can result in remnant data and don’t make sense for systems that handled proprietary information. Destruction is the most complete method of ensuring that data cannot be exposed, and some organizations opt to destroy the entire workstation, but that is not a typical solution due to the cost involved.
66
```
23. The CIS benchmarks(基準) are an example of what practice?
A. Conducting a risk assessment
B. Implementing data labeling
C. Proper system ownership
D. Using security baselines
```
D. The CIS benchmarks are an example of a security baseline. A risk assessment would help identify which controls were needed, and proper system ownership is an important part of making sure baselines are implemented and maintained. Data labeling can help ensure that controls are applied to the right systems and data.
67
27. The government defense contractor that Saria works for has recently shut down a major research project and is planning on reusing the hundreds of thousands of dollars of systems and data storage tapes used for the project for other purposes. When Saria reviews the company’s internal processes, she finds that she can’t reuse the tapes and that the manual says they should be destroyed. Why isn’t Saria allowed to degauss and then reuse the tapes to save her employer money?#就在考你英文
A. Data permanence may be an issue.
B. Data remanence is a concern.
C. The tapes may suffer from bitrot.
D. Data from tapes can’t be erased by degaussing.
B. Many organizations require the destruction of media that contains data at higher levels of classification. Often the cost of the media is lower than the potential costs of data exposure, and it is difficult to guarantee that reused media doesn’t contain remnant data. Tapes can be erased by degaussing, but degaussing is not always fully effective. Bitrot describes the slow loss of data on aging media, while data permanenceis a term
sometimes used to describe the life span of data and media.
68
33. Fred’s organization allows downgrading of systems for reuse after projects have been finished and the systems have been purged. What concern should Fred raise about the reuse of the systems from his Top Secret classified project for a future project classified as Secret?
A. The Top Secret data may be commingled with the Secret data, resulting in a need to relabel the system.
B. The cost of the sanitization process may exceed the cost of new equipment.
C. The data may be exposed as part of the sanitization process.
D. The organization’s DLP system may flag the new system due to the difference in data
labels.
B. Downgrading systems and media is rare due to the difficulty of ensuring that sanitization is complete. The need to completely wipe (or destroy) the media that systems use means that the cost of reuse is often significant and may exceed the cost of purchasing a new system or media. The goal of purging is to ensure that no data remains, so commingling data should not be a concern, nor should the exposure of the data; only staff with the proper clearance should handle the systems! Finally, a DLP system should flag data based on labels, not on the system it comes from.
69
34. Which of the following concerns should not be part of the decision when classifying data?
A. The cost to classify the data#.分類數據的成本
B. The sensitivity of the data
C. The amount of harm that exposure of the data could cause
D. The value of the data to the organizatio
A. Classification should be conducted based on the value of the data to the organization, its sensitivity, and the amount of harm that could result from exposure of the data. Cost should be considered when implementing controls and is weighed against the damage that exposure would create.
70
```
35. Which of the following is the least effective method of removing data from media?
A. Degaussing
B. Purging
C. Erasing
D. Clearing
```
C. Erasing, which describes a typical deletion process in many operating systems, typically removes only the link to the file and leaves the data that makes up the file itself. The data will remain in place but not indexed until the space is needed and it is overwritten. Degaussing works only on magnetic media, but it can be quite effective on it. Purging and clearing both describe more elaborate removal processes.#典型刪除過程,只刪除文件的鏈接並保留構成文件本身的數據
71
```
36. Match each of the numbered data elements shown here with one of the lettered categories.
You may use the categories once, more than once, or not at all. If a data element matches more than one category, choose the one that is most specific.
Data elements
1. Medical records
2. Credit card numbers
3. Social Security numbers
4. Driver’s license numbers
Categories
A. PCI DSS
B. PHI
C. PII
```
BACC
Medical records are an example of protected health information (PHI). Credit card numbers are personally identifiable information (PII), but they are also covered by the Payment Card Industry Data Security Standard (PCI DSS), which is a more specific category governing only credit card information and is a better answer. Social Security numbers and driver’s license numbers are examples of PII.
72
```
38. Lauren’s employer asks Lauren to classify patient X-ray data that has an internal patient identifier associated with it but does not have any way to directly identify a patient. The company’s data owner believes that exposure of the data could cause damage (but not exceptional damage) to the organization. How should Lauren classify the data?
A. Public
B. Sensitive
C. Private
D. Confidential
```
C. We know that the data classification will not be the top level classification of “Confidential” because the loss of the data would not cause severe damage. This means we have to choose between private (PHI) and sensitive (confidential). Calling this private due to the patient’s personal health information fits the classification scheme, giving us the correct answer.
73
43. Chris is responsible for his organization’s security standards and has guided the selection and implementation of a security baseline for Windows PCs in his organization. How can Chris most effectively make sure that the workstations he is responsible for are being checked for compliance and that settings are being applied as necessary?
A. Assign users to spot-check baseline compliance.
B. Use Microsoft Group Policy.
C. Create startup scripts to apply policy at system start.
D. Periodically review the baselines with the data owner and system owners.
B. Group Policy provides the ability to monitor and apply settings in a security baseline. Manual checks by users and using startup scripts provide fewer reviews and may be prone to failure, while periodic review of the baseline won’t result in compliance being checked.
74
```
44. What term is used to describe a set of common security configurations, often provided by a third party?
A. Security policy
B. Baseline
C. DSS
D. NIST SP 800-53
```
B. A baseline is a set of security configurations that can be adopted and modified to fit an organization’s security needs. A security policy is written to describe an organization’s approach to security, while DSS is the second half of the Payment Card Industry Data Security Standard. The NIST SP-800 series of documents address computer security in a variety of areas.
75
48. Joe works at a major pharmaceutical research(大型製藥研發) and development company and has been tasked with writing his organization’s data retention policy. As part of its legal requirements, the organization must comply with the U.S. Food and Drug Administration’s Code of Federal Regulations Title 21. To do so, it is required to retain records with electronic signatures. Why would a signature be part of a retention requirement?
A. It ensures that someone has reviewed the data.
B. It provides confidentiality.
C. It ensures that the data has not been changed.
D. It validates who approved(批准) the data.
D. Electronic signatures, as used in this rule, prove that the signature was provided by the intended signer. Electronic signatures as part of the FDA code are intended to ensure that electronic records are “trustworthy, reliable, and generally equivalent to paper records and handwritten signatures executed on paper.” Signatures cannot provide confidentiality or integrity and don’t ensure that someone has reviewed the data.
76
```
49. What protocol is preferred over Telnet for remote server administration(管理) via the command line?
A. SCP
B. SFTP
C. WDS
D. SSH
```
D. Secure Shell (SSH) is an encrypted protocol for remote login and command-line access. SCP and SFTP are both secure file transfer protocols, while WDS is the acronym for Windows Deployment Services, which provides remote installation capabilities for Windows operating systems.
77
```
52. Alex works for a government agency that is required to meet U.S. federal government requirements for data security. To meet these requirements, Alex has been tasked with making sure data is identifiable by its classification level. What should Alex do to the data?
A. Classify the data.
B. Encrypt the data.
C. Label the data.
D. Apply DRM to the data.
```
C. Data labels are crucial to identify the classification level of information contained on the media. Digital rights management (DRM) tools provide ways to control how data is used, while encrypting it can help maintain the confidentiality and integrity of the data. Classifying the data is necessary to label it, but it doesn’t automatically place a label on the data.
78
53. Ben is following the National Institute of Standards and Technology (NIST) Special Publication 800-88 guidelines for sanitization and disposition as shown here. He is handling information that his organization classified as sensitive, which is a moderate security categorization in the NIST model. If the media is going to be sold as surplus, what process does Ben need to follow?
A. Destroy, validate, document
B. Clear, purge, document
C. Purge, document, validate
D. Purge, validate, document
D. The NIST SP 800-88 process for sanitization and disposition shows that media that will be reused and was classified at a moderate level should be purged and then that purge should be validated. Finally, it should be documented.
79
For questions 57–59, please refer to the following scenario:
Chris has recently been hired into a new organization. The organization that Chris belongs to uses the following classification process:
1. Criteria are set for classifying data.#設定分類數據的標準
2. Data owners are established for each type of data.
3. Data is classified.
4. Required controls are selected for each classification.
5. Baseline security standards are selected for the organization.
6. Controls are scoped and tailored.
7. Controls are applied and enforced.
8. Access is granted and managed.
57. If Chris is one of the data owners for the organization, what steps in this process is he most likely responsible for?
A. He is responsible for steps 3, 4, and 5.
B. He is responsible for steps 1, 2, and 3.
C. He is responsible for steps 5, 6, and 7.
D. All of the steps are his direct responsibility.
A. Chris is most likely to be responsible for classifying the data that he owns as well as assisting with or advising the system owners on security requirements and control selection. In an organization with multiple data owners, Chris is unlikely to set criteria for classifying data on his own. As a data owner, Chris will also not typically have direct responsibility for scoping, tailoring, applying, or enforcing those controls.
80
For questions 57–59, please refer to the following scenario:
Chris has recently been hired into a new organization. The organization that Chris belongs to uses the following classification process:
1. Criteria are set for classifying data.#設定分類數據的標準
2. Data owners are established for each type of data.
3. Data is classified.
4. Required controls are selected for each classification.
5. Baseline security standards are selected for the organization.
6. Controls are scoped and tailored.
7. Controls are applied and enforced.
8. Access is granted and managed.
58. Chris manages a team of system administrators. What data role are they fulfilling if they conduct steps 6, 7, and 8 of the classification process?
A. They are system owners and administrators.
B. They are administrators and custodians.
C. They are data owners and administrators.
D. They are custodians and users.
B. The system administrators are acting in the roles of data administrators who grant access and will also act as custodians who are tasked with the day-to-day application of security controls. They are not acting as data owners who own the data itself. Typically, system administrators are delegated authority by system owners, such as a department head, and of course they are tasked with providing access to users.
81
For questions 57–59, please refer to the following scenario:
Chris has recently been hired into a new organization. The organization that Chris belongs to uses the following classification process:
1. Criteria are set for classifying data.#設定分類數據的標準
2. Data owners are established for each type of data.
3. Data is classified.
4. Required controls are selected for each classification.
5. Baseline security standards are selected for the organization.
6. Controls are scoped and tailored.
7. Controls are applied and enforced.
8. Access is granted and managed.
59. If Chris’s company operates in the European Union and has been contracted to handle the data for a third party, what role is his company operating in when it uses this process to classify and handle data?
A. Business owners
B. Mission owners
C. Data processors
D. Data administrators
C. Third-party organizations that process personal data on behalf of a data controller are known as data processors. The organization that they are contracting with would act in the role of the business or mission owners, and others within Chris’s organization would have the role of data administrators, granting access as needed to the data based on their operational procedures and data classification.
82
60. Which of the following is not one of the European Union’s General Data Protection Regulation (GDPR) principles?
A. Information must be processed fairly.#必須公平處理信息
B. Information must be deleted within one year of acquisition.
C. Information must be maintained securely.
D. Information must be accurate.
B. The GDPR does include requirements that data be processed fairly, maintained securely, and maintained accurately. It does not include a requirement that information be deleted within one year, although it does specify that information should not be kept longer than necessary.
83
61. Ben’s company, which is based in the European Union, hires a third-party organization that processes data for it. Who has responsibility to protect the privacy of the data and ensure that it isn’t used for anything other than its intended purpose?
A. Ben’s company is responsible.
B. The third-party data processor is responsible.
C. The data controller is responsible.
D. Both organizations bear equal responsibility
D. Under EU regulations,both the organization sharing data and the third-party data processor bear responsibility for maintaining the privacy and security of personal information.
84
```
62. Major Hunter, a member of the armed forces(武裝部隊), has been entrusted with information that, if exposed, could cause serious damage to national security. Under U.S. government classification standards, how should this data be classified?#考英文&情境判斷,這個人有點重要但還沒到會毀滅國家
A. Unclassified
B. Top S ecret
C. Confidential
D. Secret
```
D. The U.S. government specifies Secret as the classification level for information that, if disclosed, could cause serious harm to national security. Top Secret is reserved for information that could cause exceptionally grave harm, while confidential data could be expected to cause less harm. Unclassified is not an actual classification but only indicates that the data may be released to unclassified individuals. Organizations may still restrict access to unclassified information.
85
```
63. When a computer is removed from service and disposed of, the process that ensures that all storage media has been removed or destroyed is known as what?
A. Sanitization
B. Purging
C. Destruction
D. Declassification
```
A. Sanitization is the combination of processes used to remove data from a system or media. When a PC is disposed of, sanitization includes the removal or destruction of drives, media, and any other storage devices it may have. Purging, destruction, and declassification are all other handling methods.
86
```
64. Linux systems that use bcrypt are using a tool based on what DES alternative encryption scheme?
A. 3DES
B. AES
C. Diffie–Hellman
D. Blowfish
```
D. Bcrypt is based on Blowfish (the b is a key hint here). AES and 3DES are both replacements for DES, while Diffie-Hellman is a protocol for key exchange.
87
65. Susan works in an organization that labels all removable media with the classification level of the data it contains, including public data. Why would Susan’s employer label all media instead of labeling only the media that contains data that could cause harm if it was exposed?
A. It is cheaper to order all prelabeled media.
B. It prevents sensitive media from not being marked by mistake.
C. It prevents reuse of public media for sensitive data.
D. Labeling all media is required by HIPAA.
B. Requiring all media to have a label means that when unlabeled media is found, it should immediately be considered suspicious. This helps to prevent mistakes that might leave sensitive data unlabeled. Prelabeled media is not necessarily cheaper (nor may it make sense to buy!), while reusing public media simply means that it must be classified based on the data it now contains. HIPAA does not have specific media labeling requirements.
88
68. Why is declassification rarely chosen as an option for media reuse?
A. Purging is sufficient for sensitive data.
B. Sanitization is the preferred method of data removal.
C. It is more expensive than new media and may still fail.
D. Clearing is required first.
C. Ensuring that data cannot be recovered is difficult,and the time and effort required to securely and completely wipe media as part of declassification can exceed the cost of new media.
Sanitization, purging, and clearing may be part of declassification, but they are not reasons that it is not frequently chosen as an option for organizations with data security concerns.
89
```
69. Incineration(焚燒), crushing, shredding, and disintegration all describe what stage in the lifecycle of media?
A. Sanitization
B. Degaussing
C. Purging
D. Destruction
```
D. Destruction is the final stage in the lifecycle of media and can be done via disintegration, incineration, or a variety of other methods that result in the media and data being nonrecoverable. Sanitization is a combination of processes used when data is being removed from a system or media. Purging is an intense form of clearing, and degaussing uses strong magnetic fields to wipe data from magnetic media.
90
70. The European Union (EU) General Data Protection Regulation (GDPR) does not include which of the following key elements?
A. The need to collect information for specified, explicit, and legitimate purposes
B. The need to ensure that collection is limited to the information necessary to achieve the stated purpose
C. The need to protect data against accidental destruction
D. The need to encrypt information at rest
D. The GDPR does include the need to collect information for specified, explicit, and legitimate purposes; the need to ensure that collection is limited to the information necessary to achieve the stated purpose; and the need to protect data against accidental destruction. It does not include a specific requirement to encrypt information at rest.
91
72. Charles has been asked to downgrade the media used for storage of private data for his organization. What process should Charles follow?
A. Degauss the drives, and then relabel them with a lower classification level.
B. Pulverize the drives, and then reclassify them based on the data they contain.
C. Follow the organization’s purging process, and then downgrade and replace labels.
D. Relabel the media, and then follow the organization’s purging process to ensure that the media matches the label.
C. If an organization allows media to be downgraded, the purging process should be followed, and then the media should be relabeled. Degaussing may be used for magnetic media but won’t handle all types of media. Pulverizing would destroy the media, preventing reuse, while relabeling first could lead to mistakes that result in media that hasn’t been purged entering use.
92
73. Which of the following tasks are not performed by a system owner per NIST SP 800-18?
A. Develops a system security plan
B. Establishes rules for appropriate use and protection of data
C. Identifies and implements security controls
D. Ensures that system users receive appropriate security training
B. The data owner sets the rules for use and protection of data. The remaining options all describe tasks for the system owner, including implementation of security controls.
93
74. NIST SP 800-60 provides a process shown in the following diagram to assess information systems. What process does this diagram show?
A. Selecting a standard and implementing it
B. Categorizing and selecting controls
C. Baselining and selecting controls
D. Categorizing and sanitizing
B. In the NIST SP 800-60 diagram, the process determines appropriate categorization levels resulting in security categorization and then uses that as an input to determine controls. Standard selection would occur at an organizational level, while baselining occurs when systems are configured to meet a baseline. Sanitization would require the intentional removal of data from machines or media.
94
77. What is the best way to secure files that are sent from workstation A via the internet service (C) to remote server E?
A. Use AES at rest at point A, and use TLS in transit via B and D.
B. Encrypt the data files and send them.
C. Use 3DES and TLS to provide double security.
D. Use full disk encryption at A and E, and use SSL at B and D.
B. Sending a file that is encrypted before it leaves means that exposure of the file in transit will not result in a confidentiality breach and the file will remain secure until decrypted at location E. Since answers A, C, and D do not provide any information about what happens at point C, they should be considered insecure, as the file may be at rest at point C in an unencrypted form.
95
78. Susan needs to provide a set of minimum security requirements for email. What steps should she recommend for her organization to ensure that the email remains secure?
A. All email should be encrypted.
B. All email should be encrypted and labeled.
C. Sensitive email should be encrypted and labeled.
D. Only highly sensitive email should be encrypted.
C. Encrypting and labeling sensitive email will ensure that it remains confidential and can be identified. Performing these actions only on sensitive email will reduce the cost and effort of encrypting all email, allowing only sensitive email to be the focus of the organization’s efforts. Only encrypting highly sensitive email not only skips labeling but might expose other classifications of email that shouldn’t be exposed.
96
```
79. What term describes the process of reviewing baseline security controls and selecting only the controls that are appropriate for the IT system you are trying to protect?
A. Standard creation
B. CIS benchmarking
C. Baselining
D. Scoping
```
D. Scoping is performed when you match baseline controls to the IT system you’re working to secure. Creation of standards is part of the configuration process and may involve the use of baselines. Baselining can mean the process of creating a security baseline or configuring systems to meet the baseline. CIS, the Center for Internet Security, provides a variety of security baselines.
97
```
80. What data role does a system that is used to process data have?
A. Mission owner
B. Data owner
C. Data processor
D. Custodian
```
C. Systems used to process data are data processors. Data owners are typically CEOs or other very senior staff, custodians are granted rights to perform day-to-day tasks when handling data, and mission owners are typically program or information system owners.
98
```
81. Which one of the following is not considered PII under U.S. federal government regulations?
A. Name
B. Social security number
C. Student ID number
D. ZIP code
```
D. Personally identifiable information includes any information that can uniquely identify an individual. This would include name, Social Security number, and any other unique identifier (including a student ID number). ZIP code, by itself, does not uniquely identify an individual.
99
```
82. What type of health information is the Health Insurance Portability and Accountability Act required to protect?
A. PII
B. PHI
C. SHI
D. HPHI
```
B. Protected health information, or PHI, includes a variety of data in multiple formats, including oral and recorded data, such as that created or received by healthcare providers, employers, and life insurance providers. PHI must be protected by HIPAA. PII is personally identifiable information. SHIand HPHIare both made-up acronyms.
100
```
84. Lauren’s multinational company wants to ensure compliance with the EU GDPR. Which principle of the GDPR states that the individual should have the right to receive personal information concerning himself or herself and share it with another data controller?
A. Onward transfer
B. Data integrity
C. Enforcement
D. Data portability#可移植性
```
D. The principle of data portability says that the data subject has the right to receive personal information and to transfer that information to another data controller. The principle of data integrity states that data should be reliable and that information should not be used for purposes other than those that users are made aware of by notice and that they have accepted through choice. Enforcement is aimed at ensuring that compliance with principles is assured. Onward transfer limits transfers to other organizations that comply with the principles of notice and choice.
101
```
85. What is the best method to sanitize a solid-state drive (SSD)?
A. Clearing
B. Zero fill
C. Disintegration
D. Degaussing
```
C. Due to problems with remnant data, the US National Security Agency requires physical destruction of SSDs. This process, known as disintegration#崩解, results in very small fragments via a shredding process. Zero fill wipes a drive by replacing data with zeros, degaussing uses magnets to wipe magnetic media, and clearing is the process of preparing media for reuse.
102
For questions 86–88, please refer to the following scenario:
As shown in the following security lifecycle diagram (loosely based on the NIST reference architecture), NIST uses a five-step process for risk management. Using your knowledge of data roles and practices, answer the following questions based on the NIST framework process.
86. What data role will own responsibility for step 1, the categorization of information systems; to whom will they delegate(委派) step 2; and what data role will be responsible for step 3?
A. Data owners, system owners, custodians
B. Data processors, custodians, users
C. Business owners, administrators, custodians
D. System owners, business owners, administrators
A. The data owner bears responsibility for categorizing information systems and delegates selection of controls to system owners, while custodians implement the controls. Users don’t perform any of these actions, while business owners are tasked with ensuring that systems are fulfilling their business purpose.
103
For questions 86–88, please refer to the following scenario:
As shown in the following security lifecycle diagram (loosely based on the NIST reference architecture), NIST uses a five-step process for risk management. Using your knowledge of data roles and practices, answer the following questions based on the NIST framework process.
87. If the systems that are being assessed all handle credit card information (and no other sensitive data), at what step would the PCI DSS first play an important role?
A. Step 1
B. Step 2
C. Step 3
D. Step 4
B. PCI DSS provides a set of required security controls and standards. Step 2 would be guided by the requirements of PCI DSS. PCI DSS will not greatly influence step 1 because all of the systems handle credit card information, making PCI DSS apply to all systems covered. Steps 3 and 4 will be conducted after PCI DSS has guided the decisions in step 2.
104
For questions 86–88, please refer to the following scenario:
As shown in the following security lifecycle diagram (loosely based on the NIST reference architecture), NIST uses a five-step process for risk management. Using your knowledge of data roles and practices, answer the following questions based on the NIST framework process.
88. What data security role is primarily responsible for step 5?
A. Data owners
B. Data processors
C. Custodians
D. User
C. Custodians are tasked with the day-to-day monitoring of the integrity and security of data. Step 5 requires monitoring, which is a custodial(監管) task. A data owner may grant rights to custodians but will not be responsible for conducting monitoring. Data processors process data on behalf of the data controller, and a user simply uses the data via a computing system.
105
89. Susan’s organization performs a zero fill on hard drives before they are sent to a third-party organization to be shredded. What issue is her organization attempting to avoid?
A. Data remanence while at the third-party site
B. Mishandling of drives by the third party
C. Classification mistakes
D. Data permanence
B. Susan’s organization is limiting its risk by sending drives that have been sanitized before they are destroyed. This limits the possibility of a data breach if drives are mishandled by the third party, allowing them to be stolen, resold, or simply copied. The destruction of the drives will handle any issues with data remanence, while classification mistakes are not important if the drives have been destroyed. Data permanence and the life span of the data are not important on a destroyed drive.
106
```
90. Embedded data used to help identify the owner of a file is an example of what type of label?
A. Copyright notice
B. DLP
C. Digital watermark#數字水印
D. Steganography
```
C. A digital watermark is used to identify the owner of a file or to otherwise label it. A copyright notice provides information about the copyright asserted on the file, while data loss prevention (DLP) is a solution designed to prevent data loss. Steganography is the science of hiding information, often in images or files.
107
```
94. Which data role is tasked with granting appropriate access to staff members?
A. Data processors
B. Business owners
C. Custodians
D. Administrators
```
D. Administrators have the rights to assign permissions to access and handle data.
Custodians are trusted with day-to-day data handling tasks. Business owners are typically system or project owners, and data processors are systems used to process data.
108
95. Which California law requires conspicuously posted privacy policies on commercial websites that collect the personal information of California residents?
A. The Personal Information Protection and Electronic Documents Act
B. The California Online Privacy Protection Act
C. California Online Web Privacy Act
D. California Civil Code 1798.82
B. The California Online Privacy Protection Act (COPPA) requires that operators of commercial websites and services post a prominently displayed privacy policy if they collect personal information on California residents.
The Personal Information Protection and Electronic Documents Act is a Canadian privacy law, while California Civil Code 1798.82 is part of the set of California codes that requires breach notification. The California Online Web Privacy Act does not exist.
109
```
99. Ed has been asked to send data that his organization classifies as confidential and proprietary via email. What encryption technology would be appropriate to ensure that the contents of the files attached to the email remain confidential as they traverse the internet?
A. SSL
B. TLS
C. PGP
D. VPN
```
C. PGP, or Pretty Good Privacy (or its open-source alternative, GPG) provide strong encryption of files, which can then be sent via email. Email traverses multiple servers and will be unencrypted at rest at multiple points along its path as it is stored and forwarded to its destination.
110
```
1. Matthew is the security administrator for a consulting firm and must enforce access controls that restrict users’ access based upon their previous activity. For example, once a consultant accesses data belonging to Acme Cola, a consulting client, they may no longer access data belonging to any of Acme’s competitors. What security model best fits Matthew’s needs?
A. Clark-Wilson
B. Biba
C. Bell-LaPadula
D. Brewer-Nash
```
D. The Brewer-Nash model allows access controls to change dynamically based upon a user’s actions. It is often used in environments like Matthew’s to implement a “Chinese wall” between data belonging to different clients.
當主體無法讀取位於不同數據集中的另一個對象時,主體才能寫入對象。 它的創建是為了提供可根據用戶之前的操作動態更改的訪問控制。 該模型的主要目標是通過用戶的訪問嘗試來防止利益衝突。
111
2. Referring to the figure shown here, what is the earliest stage of a fire where it is possible to use detection technology to identify it?
A. Incipient#初期
B. Smoke
C. Flame
D. Heat
```
A. Fires may be detected as early as the incipient stage. During this stage, air ionization takes place, and specialized incipient fire detection systems can identify these changes to provide early warning of a fire.
#早在初期階段就可以檢測到火災。 在此階段,空氣電離發生,專門的初期火災探測系統可以識別這些變化,以提供火災的早期預警。
```
112
```
3. Ralph is designing a physical security infrastructure for a new computing facility that will remain largely unstaffed. He plans to implement motion detectors in the facility but would also like to include a secondary verification control for physical presence. Which one of the following would best meet his needs?
A. CCTV
B. IPS
C. Turnstiles
D. Faraday cages
```
A. Closed-circuit television (CCTV) systems act as a secondary verification mechanism for physical presence because they allow security officials to view the interior of the facility when a motion alarm sounds to determine the current occupants and their activities.
113
```
4. Harry would like to retrieve a lost encryption key from a database that uses m of n control, with m = 4 and n = 8. What is the minimum number of escrow agents required to retrieve the key?
A. 2
B. 4
C. 8
D. 12
```
```
B. In an M of n control system, at least M of n possible escrow agents must collaborate to retrieve an encryption key from the escrow database.
#秘密共享用於希望在N股之間分配秘密的情況,使得其中的M
```
114
```
6. Bob is a security administrator with the federal government and wishes to choose a digital signature approach that is an approved part of the federal Digital Signature Standard under FIPS 186-4. Which one of the following encryption algorithms is not an acceptable choice for use in digital signatures?
A. DSA
B. HAVAL
C. RSA
D. ECDSA
```
B. The Digital Signature Standard approves three encryption algorithms for use in digital signatures: the Digital Signature Algorithm (DSA); the Rivest, Shamir, Adleman (RSA) algorithm; and the Elliptic Curve DSA (ECDSA) algorithm. HAVAL is a hash function, not an encryption algorithm. While hash functions are used as
part of the digital signature process, they do not provide encryption.
115
```
9. Helen is a software engineer and is developing code that she would like to restrict to running within an isolated sandbox for security purposes. What software development technique is Helen using?
A. Bounds
B. Input validation
C. Confinement
D. TCB
```
C. The use of a sandbox is an example of confinement, where the system restricts the access of a particular process to limit its ability to affect other processes running on the same system.
116
```
10. What concept describes the degree of confidence that an organization has that its controls satisfy security requirements?
A. Trust
B. Credentialing
C. Verification
D. Assurance
```
D. Assurance is the degree of confidence that an organization has that its security controls are correctly implemented. It must be continually monitored and reverified.
117
12. In the figure shown here, Sally is blocked from reading the file due to the Biba integrity model. Sally has a Secret security clearance, and the file has a Confidential classification.
What principle of the Biba model is being enforced?
A. Simple Security Property
B. Simple Integrity Property
C. *-Security Property
D. *-Integrity Property
B. The Simple Integrity Property states that an individual may not read a file classified at a lower security level than the individual’s security clearance.#不要讀到不乾淨的
118
```
14. Sonia recently removed an encrypted hard drive from a laptop and moved it to a new device because of a hardware failure. She is having difficulty accessing encrypted content on the drive despite the fact that she knows the user’s password. What hardware security feature is likely causing this problem?
A. TCB
B. TPM
C. NIACAP
D. RSA
```
B. The Trusted Platform Module (TPM) is a hardware security technique that stores an encryption key on a chip on the motherboard and prevents someone from accessing an encrypted drive by installing it in another computer.
119
```
15. Chris wants to verify that a software package that he downloaded matches the original version. What hashing tool should he use if he believes that technically sophisticated attackers may have replaced the software package with a version containing a backdoor?
A. MD5
B. 3DES
C. SHA1
D. SHA 256
```
D. Intentional collisions have been created with MD5, and a real-world collision attack against SHA 1 was announced in early 2017. 3DES is not a hashing tool, leaving SHA 256 (sometimes called SHA 2) as the only real choice that Chris has in this list.#選安全的
120
```
22. What type of fire suppression system fills with water when the initial stages of a fire are detected and then requires a sprinkler head heat activation before dispensing(發放) water?
A. Wet pipe
B. Dry pipe
C. Deluge
D. Preaction
```
D. A preaction fire suppression system activates in two steps. The pipes fill with water once the early signs of a fire are detected. The system does not dispense water until heat sensors on the sprinkler heads trigger the second phase.
121
```
26. How many bits of keying material does the Data Encryption Standard use for encrypting information?
A. 56 bits
B. 64 bits
C. 128 bits
D. 256 bits
```
A. DES uses a 64-bit encryption key, but only 56 of those bits are actually used as keying material in the encryption operation. The remaining 8 bits are used to detect tampering or corruption of the key.
122
```
29. Under the Common Criteria, what element describes the security requirements for a product?
A. TCSEC
B. ITSEC
C. PP
D. ST
```
C. Protection Profiles (PPs) specify the security requirements and protections that must be in place for a product to be accepted under the Common Criteria.
123
33. Referring to the figure shown here, what is the name of the security control indicated by the arrow?
A. Mantrap
B. Turnstile
C. Intrusion prevention system
D. Portal
A. Mantraps use a double set of doors to prevent piggybacking by allowing only a single individual to enter a facility at a time.
124
34. Which one of the following does not describe a standard physical security requirement for wiring closets(配線間)?
A. Place only in areas monitored by security guards.
B. Do not store flammable items in the closet.
C. Use sensors on doors to log entries.
D. Perform regular inspections of the closet.
A. While it would be ideal to have wiring closets in a location where they are monitored by security staff, this is not feasible in most environments. Wiring closets must be distributed geographically in multiple locations across each building used by an organization.#理想的,但在大多數環境中這是不可行的
125
```
37. What is the minimum number of independent parties necessary to implement the Fair Cryptosystems(公平密碼系統) approach to key escrow?
A. 1
B. 2
C. 3
D. 4
```
B. In the Fair Cryptosystem approach to key escrow, the secret keys used in communications are divided into two or more pieces, each of which is given to an independent third party.
126
```
38. In what state does a processor’s scheduler place a process when it is prepared to execute but the CPU is not currently available?
A. Ready
B. Running
C. Waiting
D. Stopped
```
A. The Ready state is used when a process is prepared to execute but the CPU is not available. The Running state is used when a process is executing on the CPU. The Waiting state is used when a process is blocked waiting for an external event. The Stopped state is used when a process terminates.
127
39. Alan is reviewing a system that has been assigned the EAL1 evaluation assurance level under the Common Criteria. What is the degree of assurance that he may have about the system?
A. It has been functionally tested.
B. It has been structurally tested.
C. It has been formally verified, designed, and tested.
D. It has been methodically designed, tested, and reviewed.
A. EAL1 assurance applies when the system in question has been functionally tested. It is the lowest level of assurance under the Common Criteria.
#EAL(Evaluation Assurance Level of CC)
EAL1:Functionally tested
EAL2:Structurally tested
EAL3:Methodically tested & checked
EAL4:Methodically designed, tested & reviewed
EAL5:Semi-formally designed & tested
EAL6:Semi-formally verified designed & tested
EAL7:Formally verified designed & tested
128
```
40. Which one of the following components is used to assign classifications to objects in a mandatory access control system?
A. Security label
B. Security token
C. Security descriptor
D. Security capability
```
A. Administrators and processes may attach security labels to objects that provide information on an object’s attributes. Labels are commonly used to apply classifications in a mandatory access control system.
129
```
45. James is working with a Department of Defense system(國防部系統) that is authorized to simultaneously handle information classified at the Secret and Top Secret levels. What type of system is he using?
A. Single state
B. Unclassified
C. Compartmented
D. Multistate
```
D. Multistate systems are certified to handle data from different security classifications simultaneously by implementing protection mechanisms that segregate data appropriately.
130
46. Kyle is being granted access to a military computer system that uses System High mode.
What is not true about Kyle’s security clearance requirements?
A. Kyle must have a clearance for the highest level of classification processed by the system, regardless of his access.
B. Kyle must have access approval for all information processed by the system.
C. Kyle must have a valid need to know for all information processed by the system.
D. Kyle must have a valid security clearance.
C. For systems running in System High mode, the user must have a valid security clearance for all information processed by the system, access approval for all information processed by the system, and a valid need to know for some, but not necessarily all, information processed by the system.
131
```
50. In an infrastructure as a service (IaaS) environment where a vendor supplies a customer with access to storage services, who is normally responsible for removing sensitive data from drives that are taken out of service(已停止使用)?
A. Customer’s security team
B. Customer’s storage team
C. Customer’s vendor management team
D. Vendor
```
D. In an infrastructure as a service environment, security duties follow a shared responsibility model. Since the vendor is responsible for managing the storage hardware, the vendor would retain responsibility for destroying or wiping drives as they are taken out of service. However, it is still the customer’s responsibility to validate that the vendor’s sanitization procedures meet their requirements prior to utilizing the vendor’s storage services.
132
```
51. Which one of the following is an example of a code, not a cipher?#在問機制
A. Data Encryption Standard
B. “One if by land; two if by sea”
C. Shifting letters by three
D. Word scramble
```
B. The major difference between a code and a cipher is that ciphers alter messages at the character or bit level, not at the word level. DES, shift ciphers, and word scrambles all work at the character or bit level and are ciphers. “One if by land; two if by sea” is a message with hidden meaning(某些人才看得懂,但和密碼無關) in the words and is an example of a code.
133
```
52. Which one of the following systems assurance processes provides an independent thirdparty evaluation of a system’s controls that may be trusted by many different organizations?
A. Certification
B. Definition
C. Verification
D. Accreditation
```
C. The verification process is similar to the certification process in that it validates security controls. Verification may go a step further by involving a third-party testing service and compiling results that may be trusted by many different organizations. Accreditation is the act of management formally accepting an evaluating system, not evaluating the system itself.
134
```
54. Harold is assessing the susceptibility of his environment to hardware failures and would like to identify the expected lifetime of a piece of hardware. What measure should he use for this?
A. MTTR
B. MTTF
C. RTO
D. MTO
```
B. The mean time to failure (MTTF) provides the average amount of time before a device of that particular specification fails.
135
```
55. What type of fire extinguisher(滅火器) is useful only against common combustibles(可燃物)?
A. Class A
B. Class B
C. Class C
D. Class D
```
```
A. Class A fire extinguishers are useful only against common combustible materials. They use water or soda acid as their suppressant(抑製劑). Class B extinguishers are for liquid fires. Class C extinguishers are for electrical fires, and Class D fire extinguishers are for combustible metals(可燃金屬).
#1可燃,2水水,3電火,4電金
```
136
59. Gordon is concerned about the possibility that hackers may be able to use the Van Eck radiation phenomenon(輻射現象) to remotely read the contents of computer monitors in his facility.
What technology would protect against this type of attack?
A. TCSEC
B. SCSI
C. GHOST
D. TEMPEST
D. The TEMPEST program creates technology that is not susceptible to Van Eck phreaking attacks because it reduces or suppresses natural electromagnetic emanations(電磁輻射).
137
60. In the diagram shown here of security boundaries within a computer system, what component’s name has been replaced with XXX?
A. Kernel
B. TCB
C. Security perimeter
D. User execution
B. The Trusted Computing Base (TCB) is a small subset of the system contained within the kernel that carries out critical system activities.
138
```
61. Sherry conducted an inventory(清點) of the cryptographic technologies in use within her organization and found the following algorithms and protocols in use. Which one of these technologies should she replace because it is no longer considered secure?#考英文
A. MD5
B. 3DES
C. PGP
D. WPA2
```
A. The MD5 hash algorithm has known collisions and, as of 2005, is no longer considered secure for use in modern environments.
139
```
62. What action can you take to prevent accidental data disclosure due to wear leveling on an SSD device before reusing the drive?
A. Reformatting
B. Disk encryption
C. Degaussing
D. Physical destruction
```
B. Encrypting data on SSD drives does protect against wear leveling. Disk formatting does not effectively remove data from any device. Degaussing is only effective for magnetic media. Physically destroying the drive would not permit reuse.
140
```
64. A hacker recently violated the integrity of data in James’s company by modifying a file using a precise timing attack. The attacker waited until James verified the integrity of a file’s contents using a hash value and then modified the file between the time that James verified the integrity and read the contents of the file. What type of attack took place?
A. Social engineering
B. TOCTOU
C. Data diddling
D. Parameter checking
```
B. In a time of check to time of use (TOCTOU) attack, the attacker exploits the difference in time between when a security control is verified and the data protected by the control is actually used.
141
```
66. What is the minimum fence height that makes a fence difficult to climb easily, deterring most intruders?
A. 3 feet
B. 4 feet
C. 5 feet
D. 6 feet
```
D. Fences designed to deter more than the casual intruder should be at least 6 feet high. If a physical security system is designed to deter even determined intruders, it should be at least 8 feet high and topped with three strands of barbed wire.
142
```
68. What physical security control broadcasts false emanations constantly to mask the presence of true electromagnetic emanations from computing equipment?
A. Faraday cage
B. Copper-infused windows
C. Shielded cabling
D. White noise
```
D. While all of the controls mentioned protect against unwanted electromagnetic emanations, only white noise is an active control. White noise generates false emanations that effectively “jam” the true emanations from electronic equipment.
143
```
70. Alice has read permissions on an object, and she would like Bob to have those same rights. Which one of the rules in the Take-Grant protection model would allow her to complete this operation?
A. Create rule
B. Remove rule
C. Grant rule
D. Take rule
```
C. The grant rule allows a subject to grant rights that it possesses on an object to another subject(擁有的權利授予另一個主體).
144
```
71. As part of his incident response process, Charles securely wipes the drive of a compromised machine and reinstalls the operating system (OS) from original media. Once he is done, he patches the machine fully and applies his organization’s security templates before reconnecting the system to the network. Almost immediately after the system is returned to service, he discovers that it has reconnected to the same botnet it was part of before. Where should Charles look for the malware that is causing this behavior?
A. The operating system partition
B. The system BIOS or firmware
C. The system memory
D. The installation media
```
D. The system Charles is remediating may have a firmware or BIOS infection, with malware resident on the system board. While uncommon, this type of malware can be difficult to find and remove. Since he used original media, it is unlikely that the malware came from the software vendor. Charles wiped the system partition, and the system would have been rebooted before being rebuilt, thus clearing system memory.
145
```
72. Which one of the following computing models allows the execution of multiple concurrent tasks within a single process?
A. Multitasking
B. Multiprocessing
C. Multiprogramming
D. Multithreading
```
D. Multithreading permits multiple tasks to execute concurrently within a single process. These tasks are known as threads and may be alternated between without switching processes.
146
```
73. Alan intercepts an encrypted message and wants to determine what type of algorithm was used to create the message. He first performs a frequency analysis and notes that the frequency of letters in the message closely matches the distribution of letters in the English language. What type of cipher was most likely used to create this message?
A. Substitution cipher
B. AES
C. Transposition cipher
D. 3DES
```
C. This message was most likely encrypted with a transposition cipher. The use of a substitution cipher, a category that includes AES and 3DES, would change the frequency distribution so that it did not mirror that of the English language.
147
```
74. The Double DES (2DES) encryption algorithm was never used as a viable alternative to the original DES algorithm. What attack is 2DES vulnerable to that does not exist for the DES or 3DES approach?
A. Chosen ciphertext
B. Brute force
C. Man in the middle
D. Meet in the middle
```
D. The meet-in-the-middle attack uses a known plaintext message and uses both encryption of the plaintext and decryption of the ciphertext simultaneously in a brute-force manner to identify the encryption key in approximately double the time of a brute-force attack against the basic DES algorithm.
#這個術語指的是用於嘗試從兩端打破數學問題的數學分析。
這是一種同時處理函數的正向映射和第二函數的逆的技術。 攻擊的工作原理是從一端加密並從另一端解密,從而在中間進行會議。
中間會合攻擊使用已知的明文消息,並以強力方式同時使用明文加密和密文解密,以大約兩倍於暴力攻擊的時間識別加密密鑰。 基本的DES算法。
148
```
76. Warren is designing a physical intrusion detection system for his data center and wants to include technology that issues an alert if the communications lines for the alarm system are unexpectedly cut. What technology would meet this requirement?
A. Heartbeat sensor
B. Emanation security
C. Motion detector
D. Faraday cage
```
A. Heartbeat sensors send periodic status messages from the alarm system to the monitoring center. The monitoring center triggers an alarm if it does not receive a status message for a prolonged period of time, indicating that communications were disrupted.#都叫Heartbeat
149
77. John and Gary are negotiating a business transaction, and John must demonstrate to Gary that he has access to a system. He engages in an electronic version of the “magic door” scenario shown here. What technique is John using?
A. Split-knowledge proof
B. Zero-knowledge proof
C. Logical proof
D. Mathematical proof
```
B. In a zero-knowledge proof, one individual demonstrates to another that they can achieve a result that requires sensitive information without actually disclosing the sensitive information.
#在零知識證明中,一個人向另一個人證明他們可以在不實際披露敏感信息的情況下獲得需要敏感信息的結果。
```
150
```
78. Raj is selecting an encryption algorithm for use in his organization and would like to be able to vary the strength of the encryption with the sensitivity of the information. Which one of the following algorithms allows the use of different key strengths?
A. Blowfish
B. DES
C. Skipjack
D. IDEA
```
A. Blowfish allows the user to select any key length between 32 and 448 bits.
151
```
79. Referring to the fire triangle shown here, which one of the following suppression materials attacks a fire by removing the fuel source?
A. Water
B. Soda acid
C. Carbon dioxide
D. Halon
```
```
B. Soda acid and other dry powder extinguishers work to remove the fuel supply. Water suppresses temperature, while halon and carbon dioxide remove the oxygen supply from a fire.
#蘇打酸和其他乾粉滅火器用於去除燃料供應。水可以抑制溫度,而哈龍和二氧化碳可以消除火災中的氧氣供應。#考英文&化學
```
152
```
82. The Bell-LaPadula and Biba models implement state machines in a fashion that uses what specific state machine model?
A. Information flow
B. Noninterference
C. Cascading
D. Feedback
```
A. The information flow model applies state machines to the flow of information. The Bell-LaPadula model applies the information flow model to confidentiality while the Biba model applies it to integrity.
153
```
83. The _____ of a process consist(s) of the limits set on the memory addresses and resources that the process may access.
A. Perimeter
B. Confinement limits
C. Metes
D. Bounds
```
D. Each process that runs on a system is assigned certain physical or logical bounds for resource access, such as memory.
154
```
84. What type of motion detector senses changes in the electromagnetic fields in monitored areas?
A. Infrared
B. Wave pattern
C. Capacitance
D. Photoelectric
```
C. Capacitance(電容) motion detectors monitor the electromagnetic field in a monitored area, sensing disturbances that correspond to motion.
155
```
88. Beth would like to include technology in a secure area of her data center to protect against unwanted electromagnetic emanations. What technology would assist her with this goal?
A. Heartbeat sensor
B. Faraday cage
C. Piggybacking
D. WPA2
```
```
B. A Faraday cage is a metal skin that prevents electromagnetic emanations from exiting. It is a rarely used technology because it is unwieldy and expensive, but it is quite effective at blocking unwanted radiation.
#法拉第籠是一種金屬皮,可防止電磁輻射的流出。 它是一種很少使用的技術,因為它既笨重又昂貴,但在阻擋不需要的輻射方面非常有效。
```
156
```
91. A software company developed two systems that share information. System A provides information to the input of System B, which then reciprocates by providing information back to System A as input. What type of composition theory best describes this practice?
A. Cascading
B. Feedback
C. Hookup
D. Elementary
```
B. The feedback model of composition theory occurs when one system provides input for a second system and then the second system provides input for the first system. This is a specialized case of the cascading model, so the feedback model is the most appropriate answer.
157
```
92. Tommy is planning to implement a power conditioning UPS for a rack of servers in his data center. Which one of the following conditions will the UPS be unable to protect against if it persists for an extended period of time?
A. Fault#指短暫的電力故障
B. Blackout#指較長期的斷電
C. Sag#下降
D. Noise
```
B. UPSs are designed to protect against short-term power losses, such as power faults. When they conduct power conditioning, they are also able to protect against sags and noise. UPSs have limited-life batteries and are not able to maintain continuous operating during a sustained(連續) blackout.
158
```
93. Which one of the following humidity values is within the acceptable range for a data center operation?
A. 0%
B. 10%
C. 25%
D. 40%
```
D. Data center humidity should be maintained between 40% and 60%. Values below this range increase the risk of static electricity, while values above this range may generate moisture that damages equipment.
159
```
95. What term is used to describe the formal declaration by a designated approving authority (DAA) that an information technology (IT) system is approved to operate in a specific environment?
A. Certification
B. Accreditation
C. Evaluation
D. Approval
```
B. Accreditation is the formal approval by a DAA that an IT system may operate in a described risk environment.
160
96. Object-oriented programming languages use a black box approach to development, where users of an object do not necessarily need to know the object’s implementation details.
What term is used to describe this concept?
A. Layering
B. Abstraction
C. Data hiding
D. Process isolation
B. Abstraction uses a black box approach to hide the implementation details of an object from the users of that object.#你眼殘
161
```
97. Todd wants to add a certificate to a certificate revocation list. What element of the certificate goes on the list?
A. Serial number
B. Public key
C. Digital signature
D. Private key
```
A. The certificate revocation list contains the serial numbers of digital certificates issued by a certificate authority that have later been revoked.
162
99. Which one of the following is an example of a covert timing channel when used to exfiltrate information from an organization?
A. Sending an electronic mail message
B. Posting a file on a peer-to-peer file sharing service
C. Typing with the rhythm of Morse code
D. Writing data to a shared memory space
C. Covert channels use surreptitious communications’ paths. Covert timing channels alter the use of a resource in a measurable fashion to exfiltrate information. If a user types using a specific rhythm of Morse code, this is an example of a covert timing channel. Someone watching or listening to the keystrokes could receive a secret message with no trace of the message left in logs.
163
```
100. Which one of the following would be a reasonable application for the use of self-signed digital certificates?
A. E-commerce website
B. Banking application
C. Internal scheduling application
D. Customer portal
```
```
C. Self-signed digital certificates should be used only for internal-facing applications, where the user base trusts the internally generated digital certificate.
#自簽名數字證書應僅用於面向內部的應用程序,其中用戶群信任內部生成的數字證書。
```
164
```
104. Lauren implements ASLR to help prevent system compromises. What technique has she used to protect her system?
A. Encryption
B. Mandatory access control
C. Memory address randomization
D. Discretionary access control
```
C. Lauren has implemented "address space layout randomization"(ALSR), a memory protection methodology that randomizes memory locations, which prevents attackers from using known address spaces and contiguous memory regions to execute code via overflow or stack smashing attacks.
165
```
106. Joanna wants to review the status of the industrial control systems her organization uses for building control. What type of systems should she inquire(詢問) about access to?
A. SCADA
B. DSS
C. BAS
D. ICS-CSS
```
A. Supervisory Control and Data Acquisition systems, or SCADA systems, provide a graphical interface to monitor industrial control systems (ICS).
Joanna should ask about access to her organization’s SCADA systems.
166
107. After scanning all of the systems on his wireless network, Mike notices that one system is identified as an iOS device running a massively out-of-date version of Apple’s mobile operating system. When he investigates further, he discovers that the device is an original iPad and that it cannot be updated to a current secure version of the operating system. What should Mike recommend?
A. Retire or replace the device
B. Isolate the device on a dedicated wireless network
C. Install a firewall on the tablet
D. Reinstall the OS
A. When operating system patches are no longer available for mobile devices, the best option is typically to retire or replace the device. Building isolated networks will not stop the device from being used for browsing or other purposes, which means it is likely to continue to be exposed to threats. Installing a firewall will not remediate the security flaws in the OS, although it may help somewhat. Finally, reinstalling the OS will not allow new updates or fix the root issue.
167
108. During a third-party vulnerability scan and security test, Danielle’s employer recently discovered that the embedded systems that were installed to manage her company’s new buildings have a severe remote access vulnerability. The manufacturer has gone out of business, and there is no patch or update for the devices. What should Danielle recommend that her employer do about the hundreds of devices that are vulnerable?
A. Identify a replacement device model and replace every device
B. Turn off all of the devices
C. Move the devices to a secured network segment
D. Reverse engineer the devices and build an in-house patch
C. The most reasonable choice presented is to move the devices to a secure and isolated network segment. This will allow the devices to continue to serve their intended function while preventing them from being compromised. All of the other scenarios either create major new costs or deprive her organization of the functionality that the devices were purchased to provide.#就很...都給他講這樣= =
168
```
109. Alex’s employer creates most of their work output as PDF files. Alex is concerned about limiting the audience for the PDF files to those individuals who have paid for them. What technology can he use to most effectively control the access to and distribution of these files?
A. EDM
B. Encryption
C. Digital signatures
D. DRM
```
D. Alex can use digital rights management technology to limit use of the PDFs to paying customers. While DRM is rarely a perfect solution, in this case, it may fit his organization’s needs. EDM is electronic dance music, which his customers may appreciate but which won’t solve the problem. Encryption and digital signatures can help to keep the files secure and to prove who they came from but won’t solve the rights management issue Alex is tackling.
169
110. Match the following numbered security models with the appropriate lettered security descriptions:
Security models
1. Clark-Wilson
2. Graham-Denning
3. Bell-LaPadula
4. Sutherland
5. Biba
Descriptions
A. This model blocks lower-classified objects from accessing higher-classified objects,
thus ensuring confidentiality.
B. The * property of this model can be summarized as “no write-up.”
C. This model uses security labels to grant access to objects via transformation procedures and a restricted interface model.
D. This model focuses on the secure creation and deletion of subjects and objects using
eight primary protection rules or actions.
E. This integrity model focuses on preventing interference in support of integrity.
CDAEB
170
1. What important factor differentiates Frame Relay from X.25?
A. Frame Relay supports multiple PVCs over a single WAN carrier connection.
B. Frame Relay is a cell-switching technology instead of a packet-switching technology like X.25.
C. Frame Relay does not provide a committed information rate (CIR).
D. Frame Relay only requires a DTE on the provider side.
A. Frame Relay supports multiple private virtual circuits (PVCs), unlike X.25. It is a packet-switching technology that provides a Committed Information Rate (CIR), which is a minimum bandwidth guarantee provided by the service provider to customers. Finally, Frame Relay requires a DTE/DCE at each connection point, with the DTE providing access to the Frame Relay network, and a provider-supplied DCE, which transmits the data over the network.
171
2. During a security assessment of a wireless network, Jim discovers that LEAP is in use on a network using WPA. What recommendation should Jim make?
A. Continue to use LEAP. It provides better security than TKIP for WPA networks.
B. Use an alternate protocol like PEAP or EAP-TLS and implement WPA2 if supported.
C. Continue to use LEAP to avoid authentication issues, but move to WPA2.
D. Use an alternate protocol like PEAP or EAP-TLS, and implement Wired Equivalent Privacy to avoid wireless security issues.
B. LEAP, the Lightweight Extensible Authentication Protocol, is a Cisco proprietary protocol designed to handle problems with TKIP. Unfortunately, LEAP has significant security issues as well and should not be used. Any modern hardware should support WPA2 and technologies like PEAP or EAP-TLS. Using WEP, the predecessor to WPA and WPA2, would be a major step back in security for any network.
172
```
6. Gary is deploying a wireless network and wants to deploy the fastest possible wireless technology. Due to technical constraints, he is limited to using a 2.4 GHz option. Which one of the following wireless networking standards should he use?
A. 802.11a
B. 802.11g
C. 802.11n
D. 802.11ac
```
C. He should choose 802.11n, which supports 200+ Mbps in the 2.4 GHz or the 5 GHz frequency range.
802.11a and 802.11ac are both 5 GHz only,
while 802.11g is only capable of 54 Mbps.
802. 11a 5G
802. 11g 2.4G 54Mbps
802. 11n 2.4/5G 200+ Mbps
802. 11ac 5G 1G Mbps
173
```
7. Match each of the numbered TCP ports listed with the associated lettered protocol provided:
TCP ports
1. 23
2. 25
3. 143
4. 515
Protocols
A. SMTP
B. LPD
C. IMAP
D. Telnet
```
DACB. These common ports are important to know, although some of the protocols are becoming less common. SMTP is the Simple Mail Transfer Protocol, IMAP is the Internet Message Access Protocol, and LPD is the Line Printer Daemon protocol used to send print jobs to printers.
174
```
9. FHSS, DSSS, and OFDM all use what wireless communication method that occurs over multiple frequencies simultaneously?
A. WiFi
B. Spread Spectrum
C. Multiplexing
D. Orthogonal modulation
```
B. Frequency Hopping Spread Spectrum (FHSS), Direct Sequence Spread Spectrum (DSSS), and Orthogonal Frequency-Division Multiplexing (OFDM) all use spread spectrum techniques to transmit on more than one frequency at the same time. Neither FHSS nor DHSS uses orthogonal modulation, while multiplexing describes combining multiple signals over a shared medium of any sort. WiFi may receive interference from
FHSS systems but doesn’t use it.
175
```
10. Brian is selecting an authentication protocol for a PPP connection. He would like to select an option that encrypts both usernames and passwords and protects against replay using a challenge/response dialog. He would also like to re-authenticate remote systems periodically. Which protocol should he use?
A. PAP
B. CHAP
C. EAP
D. LEAP
```
B. The Challenge-Handshake Authentication Protocol, or CHAP, is used by PPP servers to authenticate remote clients. It encrypts both the username and password and performs periodic reauthentication while connected using techniques to prevent replay attacks. LEAP provides reauthentication but was designed for WEP, while PAP sends passwords unencrypted. EAP is extensible and was used for PPP connections, but it doesn’t directly address the listed items.
176
```
11. Which one of the following protocols is commonly used to provide backend authentication services for a VPN?
A. HTTPS
B. RADIUS
C. ESP
D. AH
```
B. The Remote Access Dial In User Service (RADIUS) protocol was originally designed to support dial-up modem connections but is still commonly used for VPN-based authentication. HTTPS is not an authentication protocol. ESP and AH are IPsec protocols but do not provide authentication services for other systems.
177
Chris is designing layered network security for his organization. Using the following diagram, answer questions 13 through 15.
```
13. What type of firewall design is shown in the diagram?
A. A single-tier firewall
B. A two-tier firewall
C. A three-tier firewall
D. A four-tier firewall
```
B. The firewall in the diagram has two protected zones behind it, making it a two-tier firewall design.
178
Chris is designing layered network security for his organization. Using the following diagram, answer questions 13 through 15.
14. If the VPN grants remote users the same access to network and system resources as local workstations have, what security issue should Chris raise?
A. VPN users will not be able to access the web server.
B. There is no additional security issue; the VPN concentrator’s logical network location matches the logical network location of the workstations.
C. Web server traffic is not subjected to stateful inspection.
D. VPN users should only connect from managed PCs.
D. Remote PCs that connect to a protected network need to comply with security settings and standards that match those required for the internal network. The VPN concentrator logically places remote users in the protected zone behind the firewall, but that means that user workstations (and users) must be trusted in the same way that local workstations are.
179
Chris is designing layered network security for his organization. Using the following diagram, answer questions 13 through 15.
17. Ben has configured his network to not broadcast an SSID. Why might Ben disable SSID broadcast, and how could his SSID be discovered?
A. Disabling SSID broadcast prevents attackers from discovering the encryption key. The SSID can be recovered from decrypted packets.
B. Disabling SSID broadcast hides networks from unauthorized personnel. The SSID can be discovered using a wireless sniffer.
C. Disabling SSID broadcast prevents issues with beacon frames. The SSID can be recovered by reconstructing the BSSID.
D. Disabling SSID broadcast helps avoid SSID conflicts. The SSID can be discovered by attempting to connect to the network.
B. Disabling SSID broadcast can help prevent unauthorized personnel from attempting to connect to the network. Since the SSID is still active, it can be discovered by using a wireless sniffer. Encryption keys are not related to SSID broadcast, beacon frames are used to broadcast the SSID, and it is possible to have multiple networks with the same SSID.
180
```
18. What network tool can be used to protect the identity of clients while providing Internet access by accepting client requests, altering the source addresses of the requests, mapping requests to clients, and sending the modified requests out to their destination?
A. A gateway
B. A proxy
C. A router
D. A firewall
```
B. A proxy is a form of gateway that provide clients with a filtering, caching, or other service that protects their information from remote systems. A router connects networks, while a firewall uses rules to limit traffic permitted through it. A gateway translates between protocols.
181
```
20. A remote access tool that copies what is displayed on a desktop PC to a remote computer is an example of what type of technology?
A. Remote node operation
B. Screen scraping
C. Remote control
D. RDP
```
B. Screen scrapers copy the actual screen displayed and display it at a remote location. RDP provides terminal sessions without doing screen scraping, remote node operation is the same as dial-up access, and remote control is a means of controlling a remote system (screen scraping is a specialized subset of remote control).
182
21. Which email security solution provides two major usage modes:
(1) signed messages that provide integrity, sender authentication, and nonrepudiation; and
(2) an enveloped message mode that provides integrity, sender authentication, and confidentiality?
A. S/MIME
B. MOSS
C. PEM
D. DKIM
A. S/MIME supports both signed messages and a secure envelope method. While the functionality of S/MIME can be replicated with other tools, the secure envelope is an S/MIME-specific concept. MOSS, or MIME Object Security Services, and PEM can also both provide authentication, confidentiality, integrity, and nonrepudiation, while DKIM, or Domain Keys Identified Mail, is a domain validation tool.
183
22. During a security assessment, Jim discovers that the organization he is working with uses a multilayer protocol to handle SCADA systems and recently connected the SCADA network to the rest of the organization’s production network. What concern should he raise about serial data transfers carried via TCP/IP?
A. SCADA devices that are now connected to the network can now be attacked over the network.
B. Serial data over TCP/IP cannot be encrypted.
C. Serial data cannot be carried in TCP packets.
D. TCP/IP’s throughput can allow for easy denial of service attacks against serial devices.
A. Multilayer protocols like DNP3 allow SCADA and other systems to use TCP/IP-based networks to communicate. Many SCADA devices were never designed to be exposed to a network, and adding them to a potentially insecure network can create significant risks. TLS or other encryption can be used on TCP packets, meaning that even serial data can be protected. Serial data can be carried via TCP packets because TCP packets don’t care about their content; it is simply another payload. Finally, TCP/IP does not have a specific
throughput as designed, so issues with throughput are device-level issues.
184
```
23. What type of key does WEP use to encrypt wireless communications?
A. An asymmetric key
B. Unique key sets for each host
C. A predefined shared static key
D. Unique asymmetric keys for each host
```
C. WEP has a very weak security model that relies on a single, predefined, shared static key. This means that modern attacks can break WEP encryption in less than a minute.
185
```
25. What speed and frequency range is used by 802.11n?
A. 54 Mbps, 5 GHz
B. 200+ Mbps, 5GHz
C. 200+ Mbps, 2.4 and 5 GHz
D. 1 Gbps, 5 GHz
```
C. 802.11n can operate at speeds over 200 Mbps, and it can operate on both the 2.4 and 5 GHz frequency range. 802.11g operates at 54 Mbps using the 2.4 GHz frequency range, and 802.11ac is capable of 1 Gbps using the 5 GHz range. 802.11a and b are both outdated and are unlikely to be encountered in modern network installations.
186
```
27. Which of the following is a converged protocol that allows storage mounts over TCP, and which is frequently used as a lower-cost alternative to Fibre Channel?
A. MPLS
B. SDN
C. VoI P
D. iSCSI
```
D. iSCSI is a converged protocol that allows location-independent file services over traditional network technologies. It costs less than traditional Fibre Channel. VoIP is Voice over IP, SDN is software-defined networking, and MPLS is Multiprotocol Label Switching, a technology that uses path labels instead of network addresses.
187
28. Chris is building an Ethernet network and knows that he needs to span a distance of more than 150 meters with his 1000BaseT network. What network technology should he use to help with this?
A. Install a repeater or a concentrator before 100 meters.
B. Use Category 7 cable, which has better shielding for higher speeds.
C. Install a gateway to handle the distance.
D. Use STP cable to handle the longer distance at high speeds.
A. A repeater or concentrator will amplify the signal, ensuring that the 100-meter distance limitation of 1000BaseT is not an issue. A gateway would be useful if network protocols were changing, while Cat7 cable is appropriate for a 10Gbps network at much shorter distances. STP cable is limited to 155 Mbps and 100 meters, which would leave Chris with network problems.
188
Lauren’s organization has used a popular messaging service for a number of years.
Recently, concerns have been raised about the use of messaging. Using the following diagram, answer questions 29 through 31 about messaging.
31. How could Lauren’s company best address a desire for secure messaging for users of internal systems A and C?
A. Use a third-party messaging service.
B. Implement and use a locally hosted service.
C. UseHTTPS.
D. Discontinue use of messaging and instead use email, which is more secure.
B. If a business need requires messaging, using a local messaging server is the best option.
This prevents traffic from traveling to a third-party server and can offer additional benefits such as logging, archiving, and control of security options like the use of encryption.
189
```
35. In her role as an information security professional, Susan has been asked to identify areas where her organization’s wireless network may be accessible even though it isn’t intended to be. What should Susan do to determine where her organization’s wireless network is accessible?
A. A site survey
B. Warwalking
C. Wardriving
D. A design map
```
```
A. Wardriving and warwalking are both processes used to locate wireless networks, but are not typically as detailed and thorough as a site survey, and design mapis a made-up term.
#現場調查
```
190
36. The DARPA TCP/IP model’s Application layer matches up to what three OSI model layers?
A. Application, Presentation, and Transport.
B. Presentation, Session, and Transport.
C. Application, Presentation, and Session.
D. There is not a direct match. The TCP model was created before the OSI model.
C. The DARPA TCP/IP model was used to create the OSI model, and the designers of the OSI model made sure to map the OSI model layers to it. The Application layer of the TCP model maps to the Application, Presentation, and Session layers, while the TCP and OSI models both have a distinct Transport layer.
191
39. Jim’s audit of a large organization’s traditional PBX showed that Direct Inward System Access (DISA) was being abused by third parties. What issue is most likely to lead to this problem?
A. The PBX was not fully patched.
B. The dial-in modem lines use unpublished numbers.
C. DISA is set up to only allow local calls.
D. One or more users’ access codes have been compromised.
```
D. Direct Inward System Access uses access codes assigned to users to add a control layer for external access and control of the PBX. If the codes are compromised, attackers can make calls through the PBX or even control it. Not updating a PBX can lead to a range of issues, but this question is looking for a DISA issue. Allowing only local calls and using unpublished numbers are both security controls and might help keep the PBX more secure.
#一個或多個用戶的訪問代碼已被洩露
```
192
```
41. Lauren uses the ping utility to check whether a remote system is up as part of a penetration testing exercise. If she does not want to see her own ping packets, what protocol should she filter out from her packet sniffer’s logs?
A. UDP
B. TCP
C. IP
D. ICMP
```
D. Ping uses ICMP, the Internet Control Message Protocol, to determine whether a system responds and how many hops there are between the originating system and the remote system. Lauren simply needs to filter out ICMP to not see her pings.
193
```
43. Ben has deployed a 1000BaseT 1 gigabit network and needs to run a cable to another building. If Ben is running his link directly from a switch to another switch in that building, what is the maximum distance Ben can cover according to the 1000BaseT specification?
A. 2kilometers
B. 500 meters
C. 185 meters
D. 100 meters
```
D. 1000BaseT is capable of a 100-meter run according to its specifications. For longer distances, a fiber-optic cable is typically used in modern networks.
194
```
44. Jim is building the network for a remote site that only has ISDN as an option for connectivity. What type of ISDN should he look for to get the maximum speed possible?#考古老的
A. BRI
B. BPRI
C. PRI
D. D channel
```
C. PRI, or Primary Rate Interface, can use between 2 and 23 64 Kbps channels, with a maximum potential bandwidth of 1.544 Mbps. Actual speeds will be lower due to the D channel, which can’t be used for actual data transmission, but PRI beats BRI’s two B channels paired with a D channel for 144 Kbps of bandwidth.
195
```
45. SPIT attacks target what technology?
A. Virtualization platforms
B. Web services
C. VoIP systems
D. Secure Process Internal Transfers
```
C. SPIT stands for Spam over Internet Telephony and targets VoIP systems.
196
```
49. There are four common VPN protocols. Which group listed contains all of the common VPN protocols?
A. PPTP, LTP, L2TP, I Psec
B. PPP, L2TP, IPsec, VNC
C. PPTP, L2F, L2TP, IPsec
D. PPTP, L2TP, IPsec, SPAP
```
C. PPTP, L2F, L2TP, and IPsec are the most common VPN protocols. TLS is also used for an increasingly large percentage of VPN connections and may appear at some point in the CISSP exam. PPP is a dial-up protocol, LTP is not a protocol, and SPAP is the Shiva Password Authentication Protocol sometimes used with PPTP.
197
```
51. Which OSI layer includes electrical specifications, protocols, and interface standards?
A. The Transport layer
B. The Device layer
C. The Physical layer
D. The Data Link layer
```
C. The Physical layer includes electrical specifications, protocols, and standards that allow control of throughput, handling line noise, and a variety of other electrical interface and signaling requirements. The OSI layer doesn’t have a Device layer. The Transport layer connects the Network and Session layers, and the Data Link layer packages packets from the network layer for transmission and receipt by devices operating on the Physical layer.
198
53. If your organization needs to allow attachments in email to support critical business processes, what are the two best options for helping to avoid security problems caused by attachments?
A. Train your users and use antimalware tools.
B. Encrypt your email and use antimalware tools.
C. Train your users and require S/MIME for all email.
D. Use S/MIME by default and remove all ZIP (.zip) file attachments.
A. User awareness is one of the most important tools when dealing with attachments. Attachments are often used as a vector for malware, and aware users can help prevent successful attacks by not opening the attachments. Antimalware tools, including antivirus software, can help detect known threats before users even see the attachments. Encryption, including tools like S/MIME, won’t help prevent attachment-based security
problems, and removing ZIP file attachments will only stop malware that is sent via those ZIP files.
199
56. Chris has been asked to choose between implementing PEAP and LEAP for wireless authentication. What should he choose, and why?
A. LEAP, because it fixes problems with TKIP, resulting in stronger security
B. PEAP, because it implements CCMP for security
C. LEAP, because it implements EAP-TLS for end-to-end session encryption
D. PEAP, because it can provide a TLS tunnel that encapsulates EAP methods, protecting the entire session
D. PEAP provides encryption for EAP methods and can provide authentication. It does not implement CCMP, which was included in the WPA2 standard. LEAP is dangerously insecure and should not be used due to attack tools that have been available since the early 2000s.
200
57. Ben is troubleshooting a network and discovers that the NAT router he is connected to has the 192.168.x.x subnet as its internal network and that its external IP is 192.168.1.40. What problem is he encountering?
A. 192.168.x.x is a nonroutable network and will not be carried to the Internet.
B. 192.168.1.40 is not a valid address because it is reserved by RFC 1918.
C. Double NATing is not possible using the same IP range.
D. The upstream system is unable to de-encapsulate his packets and he needs to use PAT instead.
C. Double NATing isn’t possible with the same IP range; the same IP addresses cannot appear inside and outside a NAT router. RFC 1918 addresses are reserved, but only so they are not used and routable on the Internet, and changing to PAT would not fix the issue.
201
59. Jim’s organization uses a traditional PBX for voice communication. What is the most common security issue that its internal communications are likely to face, and what should he recommend to prevent it?
A. Eavesdropping, encryption
B. Man-in-the-middle attacks, end-to-end encryption
C. Eavesdropping, physical security
D. Wardialing, deploy an IPS
C. Traditional private branch exchange (PBX) systems are vulnerable to eavesdropping because voice communications are carried directly over copper wires. Since standard telephones don’t provide encryption (and you’re unlikely to add encrypted phones unless you’re the NSA), physically securing access to the lines and central connection points is the best strategy available.
202
60. What common security issue is often overlooked with cordless phones?
A. Their signal is rarely encrypted and thus can be easily monitored.
B. They use unlicensed frequencies.
C. They can allow attackers access to wireless networks.
D. They are rarely patched and are vulnerable to malware.
A. Most cordless phones don’t use encryption, and even modern phones that use DECT (which does provide encryption) have already been cracked. This means that a determined attacker can almost always eavesdrop on cordless phones, and makes them a security risk if they’re used for confidential communication.
203
61. Lauren’s organization has deployed VoIP phones on the same switches that the desktop PCs are on. What security issue could this create, and what solution would help?
A. VLAN hopping; use physically separate switches.
B. VLAN hopping; use encryption.
C. Caller ID spoofing; MAC filtering.
D. Denial of service attacks; use a firewall between networks.
A. VLAN hopping between the voice and computer VLANs can be accomplished when devices share the same switch infrastructure. Using physically separate switches can prevent this attack. Encryption won’t help with VLAN hopping because it relies on header data that the switch needs to read (and this is unencrypted), while Caller ID spoofing is an inherent problem with VoIP systems. A denial of service is always a possibility, but it isn’t specifically a VoIP issue and a firewall may not stop the problem if it’s on a port that must be allowed through.
204
For questions 62–65, please refer to a stateful inspection firewall running the rulebase shown here. The source ports have been omitted from the figure, but you may assume that they are specified correctly for the purposes of answering questions 62–64.
62. Which one of the following rules is not shown in the rulebase but will be enforced by the firewall?
A. Stealth
B. Implicit deny
C. Connection proxy
D. Egress filter
B. All stateful inspection firewalls enforce an implicit deny rule as the final rule of the rulebase. It is designed to drop all inbound traffic that was not accepted by an earlier rule. Stealth rules hide the firewall from external networks, but they are not included by default. This firewall does not contain any egress filtering rules, and egress filtering is not enforced by default. Connection proxying is an optional feature of stateful inspection
firewalls and would not be enforced without a rule explicitly implementing it.
205
67. Chris needs to design a firewall architecture that can support a DMZ, a database, and a private internal network in a secure manner that separates each function. What type of design should he use, and how many firewalls does he need?#看要切幾個zone
A. A four-tier firewall design with two firewalls
B. A two-tier firewall design with three firewalls
C. A three-tier firewall design with at least one firewall
D. Asingle-tier firewall design with three firewalls
C. A three-tier design separates three distinct protected zones and can be accomplished with a single firewall that has multiple interfaces. Single- and two-tier designs don’t support the number of protected networks needed in this scenario, while a four-tier design would provide a tier that isn’t needed.
206
```
69. Cable modems, ISDN, and DSL are all examples of what type of technology?
A. Baseband
B. Broadband
C. Digital
D. Broadcast
```
B. ISDN, cable modems, DSL, and T1 and T3 lines are all examples of broadband technology that can support multiple simultaneous signals. They are analog, not digital, and are not broadcast technologies.
207
71. During a review of her organization’s network, Angela discovered that it was suffering from broadcast storms and that contractors, guests, and organizational administrative staff were on the same network segment. What design change should Angela recommend?
A. Require encryption for all users.
B. Install a firewall at the network border.
C. Enable spanning tree loop detection.
D. Segment the network based on functional requirements.
D. Network segmentation can reduce issues with performance as well as diminish the chance of broadcast storms by limiting the number of systems in a segment. This decreases broadcast traffic visible to each system and can reduce congestion. Segmentation can also help provide security by separating functional groups who don’t need to be able to access each other’s systems. Installing a firewall at the border would only help with inbound and outbound traffic, not cross-network traffic. Spanning tree loop prevention helps prevent loops in Ethernet networks (for example, when you plug a switch into a switch via two ports on each), but it won’t solve broadcast storms that aren’t caused by a loop or security issues.
Encryption might help prevent some problems between functional groups, but it won’t stop them from scanning other systems, and it definitely won’t stop a broadcast storm!
208
For questions 73–75, please refer to the following scenario:Ben is an information security professional at an organization that is replacing its physical servers with virtual machines. As the organization builds its virtual environment, it is decreasing the number of physical servers it uses while purchasing more powerful servers
to act as the virtualization platforms.
73. The IDS Ben is responsible for is used to monitor communications in the data center using a mirrored port on the data center switch. What traffic will Ben see once the majority of servers in the data center have been virtualized?
A. The same traffic he currently sees
B. All inter-VM traffic
C. Only traffic sent outside the VM environment
D. All inter-hypervisor traffic
C. One of the visibility risks of virtualization is that communication between servers and systems using virtual interfaces can occur “inside” the virtual environment. This means that visibility into traffic in the virtualization environment has to be purpose-built as part of its design. Option D is correct but incomplete because inter-hypervisor traffic isn’t the only traffic the IDS will see.#VM內部看不到
209
74. The VM administrators recommend enabling cut and paste between virtual machines.
What security concern should Ben raise about this practice?
A. It can cause a denial of service condition.
B. It can serve as a covert channel.
C. It can allow viruses to spread.
D. It can bypass authentication controls.
B. Cut and paste between virtual machines can bypass normal network-based data loss prevention tools and monitoring tools like an IDS or IPS. Thus, it can act as a covert channel, allowing the transport of data between security zones. So far, cut and paste has not been used as a method for malware spread in virtual environments and has not been associated with denial of service attacks. Cut and paste requires users to be logged in and does not bypass authentication requirements.
210
75. Ben is concerned about exploits that allow VM escape. What option should Ben suggest to help limit the impact of VM escape exploits?
A. Separate virtual machines onto separate physical hardware based on task or data types.
B. Use VM escape detection tools on the underlying hypervisor.
C. Restore machines to their original snapshots on a regular basis.
D. Use a utility like Tripwire to look for changes in the virtual machines.
A. While virtual machine escape has only been demonstrated in laboratory environments, the threat is best dealt with by limiting what access to the underlying hypervisor can prove to a successful tracker. Segmenting by data types or access levels can limit the potential impact of a hypervisor compromise. If attackers can access the underlying system, restricting the breach to only similar data types or systems will limit the impact.
Escape detection tools are not available on the market, restoring machines to their original snapshots will not prevent the exploit from occurring again, and Tripwire detects file changes and is unlikely to catch exploits that escape the virtual machines themselves.
211
```
76. WPA2’s Counter Mode Cipher Block Chaining Message Authentication Mode Protocol (CCMP) is based on which common encryption scheme?
A. DES
B. 3DES
C. AES
D. TLS
```
C. WPA2’s CCMP encryption scheme is based on AES. As of the writing of this book, there have not been any practical real-world attacks against WPA2. DES has been successfully broken, and neither 3DES nor TLS is used for WPA2.
212
```
78. What is the speed of a T3 line?
A. 128 kbps
B. 1.544 Mbps
C. 44.736 Mbps
D. 155 Mbps
```
C. A T3 (DS-3) line is capable of 44.736 Mbps. This is often referred to as 45 Mbps.
A T1 is 1.544 Mbps,
ATM is 155 Mbps, and
ISDN is often 64 or 128 Kbps.#記下來
213
```
79. What type of firewall design does the following image show?
A. A single-tier firewall
B. A two-tier firewall
C. A three-tier firewall
D. A fully protected DMZ firewall
```
B. A two-tier firewall uses a firewall with multiple interfaces or multiple firewalls in series. This image shows a firewall with two protected interfaces, with one used for a DMZ and one used for a protected network. This allows traffic to be filtered between each of the zones (Internet, DMZ, and private network).
214
80. What challenge is most common for endpoint security system deployments?
A. Compromises
B. The volume of data
C. Monitoring encrypted traffic on the network
D. Handling non-TCP protocols
B. Endpoint security solutions face challenges due to the sheer volume of data that they can create. When each workstation is generating data about events, this can be a massive amount of data. Endpoint security solutions should reduce the number of compromises when properly implemented, and they can also help by monitoring traffic after it is decrypted on the local host. Finally, non-TCP protocols are relatively uncommon on
modern networks, making this a relatively rare concern for endpoint security system implementations.
215
82. Susan is writing a best practices statement for her organizational users who need to use Bluetooth. She knows that there are many potential security issues with Bluetooth and wants to provide the best advice she can. Which of the following sets of guidance should Susan include?
A. Use Bluetooth’s built-in strong encryption, change the default PIN on your device, turn off discovery mode, and turn off Bluetooth when it’s not in active use.
B. Use Bluetooth only for those activities that are not confidential, change the default PIN on your device, turn off discovery mode, and turn off Bluetooth when it’s not in active use.
C. Use Bluetooth’s built-in strong encryption, use extended (8 digit or longer) Bluetooth
PINs, turn off discovery mode, and turn off Bluetooth when it’s not in active use.
D. Use Bluetooth only for those activities that are not confidential, use extended (8 digit or longer) Bluetooth PINs, turn off discovery mode, and turn off Bluetooth when it’s not in active use.
B. Since Bluetooth doesn’t provide strong encryption, it should only be used for activities that are not confidential. Bluetooth PINs are four-digit codes that often default to 0000. #反正他就是不安全
Turning it off and ensuring that your devices are not in discovery mode can help prevent Bluetooth attacks.
216
84. Steve has been tasked with implementing a network storage protocol over an IP network.
What storage-centric converged protocol is he likely to use in his implementation?
A. MPLS
B. FCoE
C. SDN
D. VoI P
B. Fibre Channel over Ethernet allows Fibre Channel communications over Ethernet networks, allowing existing high-speed networks to be used to carry storage traffic. This avoids the cost of a custom cable plant for a Fibre Channel implementation. MPLS, or Multiprotocol Label Switching, is used for high performance networking; VoIP is Voice over IP; and SDN is software-defined networking.
217
```
88. Phillip maintains a modem bank in support of several legacy services used by his organization. Which one of the following protocols is most appropriate for this purpose?
A. SLIP
B. SLAP
C. PPTP
D. PPP
```
D. The Point-to-Point Protocol (PPP) is used for dial-up connections for modems, IDSN, Frame Relay, and other technologies. It replaced SLIP in almost all cases. PPTP is the Point-to-Point Tunneling Protocol used for VPNs, and SLAP is not a protocol at all!
218
89. One of the findings that Jim made when performing a security audit was the use of non-IP protocols in a private network. What issue should Jim point out that may result from the use of these non-IP protocols?
A. They are outdated and cannot be used on modern PCs.
B. They may not be able to be filtered by firewall devices.
C. They may allow Christmas tree attacks.
D. IPX extends on the IP protocol and may not be supported by all TCP stacks.
B. While non-IP protocols like IPX/SPX, NetBEUI, and AppleTalk are rare in modern networks, they can present a challenge because many firewalls are not capable of filtering them. This can create risks when they are necessary for an application or system’s function
219
91. Lauren has been asked to replace her organization’s PPTP implementation with an L2TP implementation for security reasons. What is the primary security reason that L2TP would replace PPTP?
A. L2TP can use IPsec.
B. L2TP creates a point-to-point tunnel, avoiding multipoint issues.
C. PPTP doesn’t support EAP.
D. PPTP doesn’t properly encapsulate PPP packets.
A. L2TP can use IPsec to provide encryption of traffic, ensuring confidentiality of the traffic carried via an L2TP VPN. PPTP sends the initial packets of a session in plaintext, potentially including usernames and hashed passwords. PPTP does support EAP and was designed to encapsulate PPP packets. All VPNs are point to point, and multipoint issues are not a VPN problem.
220
```
92. Jim is building a research computing system that benefits from being part of a full mesh topology between systems. In a five-node full mesh topology design, how many connections will an individual node have?
A. Two
B. Three
C. Four
D. Five
```
C. A full mesh topology directly connects each machine to every other machine on the network. For five systems, this means four connections per system.
221
```
93. What topology correctly describes Ethernet?
A. A ring
B. A star
C. A mesh
D. Abus
```
D. Ethernet uses a bus topology. While devices may be physically connected to a switch in a physical topology that looks like a star, systems using Ethernet can all transmit on the bus simultaneously, possibly leading to collisions.
222
```
95. What speed is Category 3 UTP cable rated for?#背背背背背
A. 5Mbps
B. 10 Mbps
C. 100 Mbps
D. 1000 Mbps
```
B. Category 3 UTP cable is primarily used for phone cables and was also used for early Ethernet networks where it provided 10 Mbps of throughput. Cat 5 cable provides 100 Mbps (and 1000 Mbps if it is Cat 5e). Cat 6 cable can also provide 1000 Mbps.
223
```
96. What issue occurs when data transmitted over one set of wires is picked up by another set of wires?
A. Magnetic interference
B. Crosstalk
C. Transmission absorption
D. Amplitude modulation
```
B. Crosstalk occurs when data transmitted on one set of wires is picked up on another set of wires. Interference like this is electromagnetic rather than simply magnetic, transmission absorptionis a made-up term, and amplitude modulation is how AM radio works.
224
97. What two key issues with the implementation of RC4 make Wired Equivalent Privacy (WEP) even weaker than it might otherwise be?
A. Its use of a static common key and client-set encryption algorithms
B. Its use of a static common key and a limited number of initialization vectors
C. Its use of weak asymmetric keys and a limited number of initialization vectors
D. Its use of a weak asymmetric key and client-set encryption algorithms
B. WEP’s implementation of RC4 is weakened by its use of a static common key and a limited number of initialization vectors. It does not use asymmetric encryption, and clients do not select encryption algorithms.
225
```
98. Chris is setting up a hotel network and needs to ensure that systems in each room or suite can connect to each other, but systems in other suites or rooms cannot. At the same time, he needs to ensure that all systems in the hotel can reach the internet. What solution should he recommend as the most effective business solution?
A. Per-room VPNs
B. VLANs
C. Port security
D. Firewalls
```
B. VLANs can be used to logically separate groups of network ports while still providing access to an uplink. Per-room VPNs would create significant overhead for support as well as create additional expenses. Port security is used to limit what systems can connect to ports, but it doesn’t provide network security between systems. Finally, while firewalls might work, they would add additional expense and complexity without adding any benefits over a VLAN solution.
226
```
100. Ben knows that his organization wants to be able to validate the identity of other organizations based on their domain name when receiving and sending email. What tool should Ben recommend?
A. PEM
B. S/MIME
C. DKIM
D. MOSS
```
C. Domain Keys Identified Mail, or DKIM, is designed to allow assertions of domain identity to validate email. S/MIME, PEM, and MOSS are all solutions that can provide authentication, integrity, nonrepudiation, and confidentiality, depending on how they are used.
227
```
1. Which of the following is best described as an access control model that focuses on subjects and identifies the objects that each subject can access?
A. An access control list
B. An implicit denial list
C. A capability table
D. Arights management matrix
```
C. Capability tables list the privileges assigned to subjects and identify the objects that subjects can access. Access control lists are object-focused rather than subject-focused.
Implicit deny is a principle that states that anything that is not explicitly allowed is denied, and a rights management matrix is not an access control model.#ACL vs CT
228
2. Jim’s organization-wide implementation of IDaaS offers broad support for cloud-based applications. Jim’s company does not have in-house identity management staff(人員) and does not use centralized identity services. Instead, they rely upon Active Directory for AAA services. Which of the following options should Jim recommend to best handle the company’s onsite identity needs?
A. Integrate onsite systems using OAuth.
B. Use an on-premises third-party identity service.
C. Integrate onsite systems using SAML.
D. Design an in-house solution to handle the organization’s unique needs.
```
#本地第三方身份服務
B. Since Jim’s organization is using a cloud-based identity as a service solution, a third-party, on-premises identity service can provide the ability to integrate with the IDaaS solution, and the company’s use of Active Directory is widely supported by third-party vendors. OAuth is used to log into third-party websites using existing credentials and would not meet the needs described. SAML is a markup language and would not meet the full set of AAA needs. Since the organization is using Active Directory, a custom in-house solution is unlikely to be as effective as a pre-existing third-party solution and may take far more time and expense to implement.
```
229
3. Which of the following is not a weakness in Kerberos?
A. The KDC is a single point of failure.
B. Compromise of the KDC would allow attackers to impersonate any user.
C. Authentication information is not encrypted.
D. It is susceptible to password guessing.
C. Kerberos encrypts messages using secret keys, providing protection for authentication traffic. The KDC both is a single point of failure and can cause problems if compromised because keys are stored on the KDC that would allow attackers to impersonate any user. Like many authentication methods, Kerberos can be susceptible to password guessing.
230
```
6. Which of the following items are not commonly associated with restricted interfaces?
A. Shells
B. Keyboards
C. Menus
D. Database views
```
B. Menus, shells, and database views are all commonly used for constrained interfaces.
A keyboard is not typically a constrained interface, although physically constrained interfaces like those found on ATMs, card readers, and other devices are common.
231
7. During a log review, Saria discovers a series of logs that show login failures, as shown here:
Jan 31 11:39:12 ip-10-0-0-2 sshd[29092]: Invalid user admin from remotehost passwd=orange
Jan 31 11:39:20 ip-10-0-0-2 sshd[29098]: Invalid user admin from remotehost passwd=Orang3
Jan 31 11:39:23 ip-10-0-0-2 sshd[29100]: Invalid user admin from remotehost passwd=Orange93
Jan 31 11:39:31 ip-10-0-0-2 sshd[29106]: Invalid user admin from remotehost passwd=Orangutan1
Jan 31 20:40:53 ip-10-0-0-254 sshd[30520]: Invalid user admin from remotehost passwd=Orangemonkey
What type of attack has Saria discovered?
A. A brute-force attack
B. Aman-in-the-middle attack
C. A dictionary attack
D. A rainbow table attack
C. Dictionary attacks use a dictionary or list of common passwords as well as variations of those words to attempt to login as an authorized user. This attack shows a variety of passwords based on a similar base word, which is often a good indicator of a dictionary attack. A brute-force attack will typically show simple iteration of passwords, while a man-in-the-middle attack would not be visible in the authentication log. A rainbow table
attack is used when attackers already have password hashes in their possession and would also not show up in logs.
232
8. Place the following steps in the order in which they occur during the Kerberos authentication process.
A. Client/server ticket generated
B. TGT generated
C. Client/TGS key generated
D. User accesses service
E. User provides authentication credentials
During the Kerberos authentication process, the steps take place in the following order:
```
ECBAD.
User provides authentication credentials =>
Client/TGS key generated=>
TGT generated=>
Client/server ticket generated=>
User accesses service
```
233
```
10. Callback to a landline phone number(回撥座機電話號碼) is an example of what type of factor?
A. Something you know
B. Somewhere you are
C. Something you have
D. Something you are
```
B. A callback to a landline phone number is an example of a “somewhere you are” factor because of the fixed physical location of a wired phone.
A callback to a mobile phone would be a “something you have” factor.
#考你英文差
234
```
11. Kathleen needs to set up an Active Directory trust to allow authentication with an existing Kerberos K5 domain. What type of trust does she need to create?
A. A shortcut trust
B. A forest trust
C. An external trust
D. A realm trust
```
D. Kerberos uses realms, and the proper type of trust to set up for an Active Directory environment that needs to connect to a K5 domain is a realm trust.
A shortcut trust is a transitive trust between parts of a domain tree or forest that shortens the trust path,
a forest trust is a transitive trust between two forest root domains,
and an external trust is a nontransitive trust between AD domains in separate forests.
235
```
13. Which of the following is not a single sign-on implementation?
A. Kerberos
B. ADFS
C. CAS
D. RADIUS
```
D. Kerberos, Active Directory Federation Services (ADFS), and Central Authentication Services (CAS) are all SSO implementations. RADIUS is not a single sign-on implementation, although some vendors use it behind the scenes to provide authentication for proprietary SSO.#考你沒常識
236
```
14. As shown in the following image, a user on a Windows system is not able to use the “Send Message” functionality. What access control model best describes this type of limitation?
A. Least privilege
B. Need to know
C. Constrained interface
D. Separation of duties
```
C. Interface restrictions based on user privileges is an example of a constrained interface.
Least privilege describes the idea of providing users with only the rights they need to accomplish their job, while need to know limits access based on whether a subject needs to know the information to accomplish an assigned task. Separation of duties focuses on preventing fraud or mistakes by splitting tasks between multiple subjects.
237
Use your knowledge of the Kerberos logon process and the following diagram to answer
questions 17–19.
19. What tasks must the client perform before it can use the TGT?
A. It must generate a hash of the TGT and decrypt the symmetric key.
B. It must accept the TGT and decrypt the symmetric key.
C. It must decrypt the TGT and the symmetric key.
D. It must send a valid response using the symmetric key to the KDC and must install the TGT.
B. The client needs to install the TGT for use until it expires and must also decrypt the symmetric key using a hash of the user’s password.#session key
238
20. Jacob is planning his organization’s biometric authentication system and is considering retina scans. What concern may be raised about retina scans by others in his organization?
A. Retina scans can reveal information about medical conditions.
B. Retina scans are painful because they require a puff of air in the user’s eye.
C. Retina scanners are the most expensive type of biometric device.
D. Retina scanners have a high false positive rate and will cause support issues.
A. Retina scans can reveal additional information, including high blood pressure and pregnancy, causing privacy concerns. Newer retina scans don’t require a puff of air, and retina scanners are not the most expensive biometric factor. Their false positive rate can typically be adjusted in software, allowing administrators to adjust their acceptance rate as needed to balance usability and security.
239
```
21. Mandatory Access Control is based on what type of model?
A. Discretionary
B. Group based
C. Lattice based
D. Rule based
```
C. Mandatory access control systems are based on a lattice-based model. Lattice-based models use a matrix of classification labels to compartmentalize data. Discretionary access models allow object owners to determine access to the objects they control, role-based access controls are often group based, and rule-based access controls like firewall ACLs apply rules to all subjects they apply to.
240
```
23. What is the best way to provide accountability for the use of identities?
A. Logging
B. Authorization
C. Digital signatures
D. Type 1 authentication
```
A. Logging systems can provide accountability for identity systems by tracking the actions, changes, and other activities a user or account performs.
241
```
24. Jim has worked in human relations, payroll, and customer service roles in his company over the past few years. What type of process should his company perform to ensure that
he has appropriate rights?
A. Re-provisioning
B. Account review
C. Privilege creep
D. Account revocation
```
B. As an employee’s role changes, they often experience privilege creep, which is the accumulation of old rights and roles. Account review is the process of reviewing accounts and ensuring that their rights match their owners’ role and job requirements. Account revocation(撤銷) removes accounts, while re-provisioning might occur if an employee was terminated and returned or took a leave of absence and returned.
242
```
25. Biba is what type of access control model?
A. MAC
B. DAC
C. Role BAC
D. ABAC
```
A. Biba uses a lattice to control access and is a form of the mandatory access control (MAC) model. It does not use rules, roles, or attributes, nor does it allow user discretion. Users can create content at their level or lower but cannot decide who gets access, levels are not roles, and attributes are not used to make decisions on access control.
243
```
26. Which of the following is a client/server protocol designed to allow network access servers to authenticate remote users by sending access request messages to a central server?
A. Kerberos
B. EAP
C. RADIUS
D. OAuth
```
C. RADIUS is an AAA protocol used to provide authentication and authorization; it’s often used for modems, wireless networks, and network devices. It uses network access servers to send access requests to central RADIUS servers. Kerberos is a ticket-based authentication protocol; OAuth is an open standard for authentication allowing the use of credentials from one site on third-party sites; and EAP is the Extensible Authentication Protocol, an authentication framework often used for wireless networks.
244
```
27. What type of access control is being used in the following permission listing:
Storage Device X
User1: Can read, write, list
User2: Can read, list
User3: Can read, write, list, delete
User4: Can list
A. Resource-based access controls
B. Role-based access controls
C. Mandatory access controls
D. Rule-based access controls
```
```
A. Resource-based access controls match permissions to resources like a storage volume.
Resource-based access controls are becoming increasingly common in cloud-based infrastructure as a service environments. The lack of roles, rules, or a classification system indicate that role-based, rule-based, and mandatory access controls are not in use here.
#基於雲的基礎架構即服務環境中
```
245
28. Angela uses a sniffer to monitor traffic from a RADIUS server configured with default settings. What protocol should she monitor, and what traffic will she be able to read?
A. UDP, none. All RADIUS traffic is encrypted.
B. TCP, all traffic but the passwords, which are encrypted.
C. UDP, all traffic but the passwords, which are encrypted.
D. TCP, none. All RADIUS traffic is encrypted.
C. By default, RADIUS uses UDP and only encrypts passwords. RADIUS supports TCP and TLS, but this is not a default setting.
246
```
29. Which of the following is not part of a Kerberos authentication system?#記一下官方的名稱
A. KDC
B. TGT
C. AS
D. TS
```
D. A key distribution center (KDC) provides authentication services, and ticket-granting tickets (TGTs) provide proof that a subject has authenticated and can request tickets to access objects. Authentication services (ASs) are part of the KDC. There is no TS in a Kerberos infrastructure.
247
```
32. Which of the following is not a common threat to access control mechanisms?
A. Fake login pages
B. Phishing
C. Dictionary attacks
D. Man-in-the-middle attacks
```
B. Phishing is not an attack against an access control mechanism. While phishing can result in stolen credentials, the attack itself is not against the control system and is instead against the person being phished. Dictionary attacks and man-in-the-middle attacks both target access control systems.
248
34. What type of access control scheme is shown in the following table?
A. RBAC
B. DAC
C. MAC
D. TBAC
Highly Sensitive Red Blue Green
---------------------------------------------------------------
Confidential Purple Orange Yellow
Internal Use Black Gray White
Public Clear Clear Clear
C. Mandatory access controls use a lattice to describe how classification labels relate to each other.
In this image, classification levels are set for each of the labels shown.
A discretionary access control (DAC) system would show how the owner of the objects allows access.
RBAC could be either rule- or role-based access control and would use either system-wide rules or roles.
Task-based access control (TBAC) would list tasks for users.
#注意看是不是格子式控管
249
```
35. Which of the following is not a valid LDAP DN (distinguished name)?
A. cn=ben+ou=sales
B. ou=example
C. cn=ben,ou=example;
D. ou=example,dc=example,dc=com+dc=org
```
C. LDAP distinguished names are made up of zero or more comma-separated components known as relative distinguished names. cn=ben,ou=example; ends with a semicolon and is not a valid DN. It is possible to have additional values in the same RDN by using a plus sign between then.
250
```
39. What is the stored sample of a biometric factor called?
A. A reference template
B. A token store
C. A biometric password
D. An enrollment artifact
```
A. The stored sample of a biometric factor is called a reference profile or a reference template. None of the other answers is a common term used for biometric systems.
251
42. Which pair of the following factors is key for user acceptance of biometric identification systems?
A. The FAR
B. The throughput rate and the time required to enroll
C. The CER and the ERR
D. How often users must reenroll and the reference profile requiremen
B. Biometric systems can face major usability challenges if the time to enroll is long (over a couple of minutes) and if the speed at which the biometric system is able to scan and accept or reject the user is too slow. FAR and FRR may be important in the design decisions made by administrators or designers, but they aren’t typically visible to users. CER and ERR are the same and are the point where FAR and FRR meet. Reference profile requirements are a system requirement, not a user requirement.
252
Alex is in charge of SAML integration with a major third-party partner that provides a variety of business productivity services for his organization. Use the following diagram and your knowledge of SAML integrations and security architecture design to answer questions 43–45.
43. Alex is concerned about eavesdropping on the SAML traffic and also wants to ensure that forged(偽造) assertions will not be successful. What should he do to prevent these potential attacks?#考觀念&英文
A. Use SAML’s secure mode to provide secure authentication.
B. Implement TLS using a strong cipher suite, which will protect against both types of attacks.
C. Implement TLS using a strong cipher suite and use digital signatures.
D. Implement TLS using a strong cipher suite and message hashing.
C. TLS provides message confidentiality and integrity, which can prevent eavesdropping. When paired with digital signatures, which provide integrity and authentication, forged assertions can also be defeated. SAML does not have a security mode and relies on TLS and digital signatures to ensure security if needed. Message hashing without a signature would help prevent modification of the message but won’t necessarily provide
authentication.#SAML是Web based & 防偽造的概念
253
Alex is in charge of SAML integration with a major third-party partner that provides a variety of business productivity services for his organization. Use the following diagram and your knowledge of SAML integrations and security architecture design to answer questions 43–45.
44. If Alex’s organization is one that is primarily made up of offsite, traveling users, what availability risk does integration of critical business applications to onsite authentication create, and how could he solve it?
A. Third-party integration may not be trustworthy; use SSL and digital signatures.
B. If the home organization is offline, traveling users won’t be able to access third-party applications; implement a hybrid cloud/local authentication system.
C. Local users may not be properly redirected to the third-party services; implement a local gateway.
D. Browsers may not properly redirect; use host files to ensure that issues with redirects are resolved.
B. Integration with cloud-based third parties that rely on local authentication can fail if the local organization’s Internet connectivity or servers are offline. Adopting a hybrid cloud and local authentication system can ensure that Internet or server outages are handled, allowing authentication to work regardless of where the user is or if their home organization is online. Using encrypted and signed communication does not address availability, redirects are a configuration issue with the third party, and a local gateway won’t handle remote users. Also, host files don’t help with availability issues with services other than DNS.#考英文
254
Alex is in charge of SAML integration with a major third-party partner that provides a variety of business productivity services for his organization. Use the following diagram and your knowledge of SAML integrations and security architecture design to answer questions 43–45.
45. What solution can best help address concerns about third parties that control SSO redirects as shown in step 2 in the diagram?
A. An awareness campaign about trusted third parties
B. TLS
C. Handling redirects at the local site
D. Implementing an IPS to capture SSO redirect attacks
A. While many solutions are technical, if a trusted third party redirects to an unexpected authentication site, awareness is often the best defense. Using TLS would keep the transaction confidential but would not prevent the redirect. Handling redirects locally only works for locally hosted sites, and using a third-party service requires offsite redirects. An IPS might detect an attacker’s redirect, but tracking the multitude of load-balanced servers most large providers use can be challenging, if not impossible. In addition, an IPS relies on visibility into the traffic, and SAML integrations should be encrypted for security, which would require a man-in-the-middle type of IPS to be configured.
255
```
48. Lauren needs to send information about services she is provisioning to a third-party organization. What standards-based markup language should she choose to build the interface?
A. SAML
B. SOAP
C. SPML
D. XACML
```
C. Service Provisioning Markup Language, or SPML, is an XML-based language designed to allow platforms to generate and respond to provisioning requests. SAML is used to make authorization and authentication data, while XACML is used to describe access controls. SOAP, or Simple Object Access Protocol, is a messaging protocol and could be used for any XML messaging but is not a markup language itself.
256
```
50. Google’s identity integration with a variety of organizations and applications across domains is an example of which of the following?
A. PKI
B. Federation
C. Single sign-on
D. Provisioning
```
B. Google’s federation(ex:openID) with other applications and organizations allows single sign-on as well as management of their electronic identity and its related attributes. While this is an example of SSO, it goes beyond simple single sign-on. Provisioning provides accounts and rights, and a public key infrastructure is used for certificate management.
257
```
51. Lauren starts at her new job and finds that she has access to a variety of systems that she does not need to accomplish her job. What problem has she encountered?
A. Privilege creep
B. Rights collision
C. Least privilege
D. Excessive privileges
```
D. When users have more rights than they need to accomplish their job, they have excessive privileges. This is a violation of the concept of least privilege. Unlike creeping privileges, this is a provisioning or rights management issue rather than a problem of retention of rights the user needed but no longer requires. Rights collisionis a made-up term and thus is not an issue here.
258
```
52. When Chris verifies an individual’s identity and adds a unique identifier like a user ID to an identity system, what process has occurred?
A. Identity proofing
B. Registration
C. Directory management
D. Session management
```
B. Registration is the process of adding a user to an identity management system. This includes creating their unique identifier and adding any attribute information that is associated with their identity. Proofing occurs when the user provides information to prove who they are. Directories are managed to maintain lists of users, services, and other items. Session management tracks application and user sessions.
259
53. Jim configures his LDAP client to connect to an LDAP directory server. According to the configuration guide, his client should connect to the server on port 636. What does this indicate to Jim about the configuration of the LDAP server?
A. It requires connections over SSL/TLS.
B. It supports only unencrypted connections.
C. It provides global catalog services.
D. It does not provide global catalog services.
A. Port 636 is the default port for LDAP-S, which provides LDAP over SSL or TLS, thus indicating that the server supports encrypted connections. Since neither port 3268 nor 3269 is mentioned, we do not know if the server provides support for a global catalog.
260
```
54. The X.500 standards cover what type of important identity systems?
A. Kerberos
B. Provisioning services
C. Biometric authentication systems
D. Directory services
```
D. The X.500 series of standards covers directory services. Kerberos is described in RFCs; biometric systems are covered by a variety of standards, including ISO standards; and provisioning standards include SCIM, SPML, and others.
261
```
55. Microsoft’s Active Directory Domain Services is based on which of the following technologies?
A. RADIUS
B. LDAP
C. SSO
D. PKI
```
B. Active Directory Domain Services is based on LDAP, the Lightweight Directory Access Protocol. Active Directory also uses Kerberos for authentication.
262
```
57. By default, in what format does OpenLDAP store the value of the userPassword attribute?
A. In the clear
B. Salted and hashed
C. MD5 hashed
D. Encrypted using AES256 encryption
```
A. By default, OpenLDAP stores the userPassword attribute in the clear. This means that ensuring that the password is provided to OpenLDAP in a secure format is the responsibility of the administrator or programmer who builds its provisioning system.
263
61. Kathleen works for a data center hosting facility that provides physical data center space for individuals and organizations. Until recently, each client was given a magnetic-stripbased keycard to access the section of the facility where their servers are located, and they were also given a key to access the cage or rack where their servers reside. In the past month, a number of servers have been stolen, but the logs for the passcards show only valid IDs. What is Kathleen’s best option to make sure that the users of the passcards are
who they are supposed to be?
A. Add a reader that requires a PIN for passcard users.
B. Add a camera system to the facility to observe who is accessing servers.
C. Add a biometric factor.
D. Replace the magnetic stripe keycards with smartcards.
```
C. Kathleen should implement a biometric factor. The cards and keys are an example of a Type 2 factor, or “something you have.” Using a smart card replaces this with another Type 2 factor, but the cards could still be loaned out or stolen. Adding a PIN suffers from the same problem: a PIN can be stolen. Adding cameras doesn’t prevent access to the facility and thus doesn’t solve the immediate problem (but it is a good idea!).
#淦話題
```
264
```
63. What type of access control is composed of policies and procedures that support regulations, requirements, and the organization’s own policies?
A. Corrective
B. Logical
C. Compensating
D. Administrative
```
D. Administrative access controls are procedures and the policies from which they derive. They are based on regulations, requirements, and the organization’s own policies. Corrective access controls return an environment to its original status after an issue, while logical controls are technical access controls that rely on hardware or software to protect systems and data. Compensating controls are used in addition to or as an alternative to other controls.
265
```
64. In a Kerberos environment, when a user needs to access a network resource, what is sent to the TGS?
A. A TGT
B. An AS
C. The SS
D. A session key
```
A. When clients perform a client service authorization, they send a TGT and the ID of the requested service to the TGS, and the TGS responds with a client-to-server ticket and session key back to the client if the request is validated. An AS is an authentication server, and the SS is a service server, neither of which can be sent.
266
65. Which objects and subjects have a label in a MAC model?
A. Objects and subjects that are classified as Confidential, Secret, or Top Secret have a label.
B. All objects have a label, and all subjects have a compartment.
C. All objects and subjects have a label.
D. All subjects have a label and all objects have a compartment.
C. In a mandatory access control system, all subjects and objects have a label.
Compartments may or may not be used, but there is not a specific requirement for either subjects or objects to be compartmentalized. The specific labels of Confidential, Secret, and Top Secret are not required by MAC.
Chris is the identity architect for a growing e-commerce website that wants to leverage social identity. To do this, he and his team intend to allow users to use their existing Google accounts as their primary accounts when using the e-commerce site. This means that when a new user initially connects to the e-commerce platform, they are given the choice between using their Google account using OAuth 2.0 or creating a new account on the platform using their own email address and a password of their choice.
267
Use this information and the following diagram of an example authentication flow to answer questions 66–68.
```
68. What type of attack is the creation and exchange of state tokens intended to prevent?
A. XSS
B. CSRF
C. SQL injection
D. XACML
```
B. The anti-forgery state token exchanged during OAuth sessions is intended to prevent cross-site request forgery. This makes sure that the unique session token with the authentication response from Google’s OAuth service is available to verify that the user, not an attacker, is making a request. XSS attacks focus on scripting and would have script tags involved, SQL injection would have SQL code included, and XACML is the
eXtensible Access Control Markup Language, not a type of attack.
268
70. Lauren builds a table that includes assigned privileges, objects, and subjects to manage access control for the systems she is responsible for. Each time a subject attempts to access an object, the systems check the table to ensure that the subject has the appropriate rights to the objects. What type of access control system is Lauren using?
A. A capability table
B. An access control list
C. An access control matrix
D. A subject/object rights management system
C. An access control matrix is a table that lists objects, subjects, and their privileges.
Access control lists focus on objects and which subjects can access them. Capability tables list subjects and what objects they can access. Subject/object rights management systems are not based on an access control model.
269
```
75. Match each of the numbered security controls listed with exactly one of the lettered categories shown. Choose the category that best describes each control. You may use each control category once, more than once, or not at all.
Controls
1. Password
2. Account reviews
3. Badge readers
4. MFA
5. IPS
Categories
A. Administrative
B. Technical
C. Physical
```
The security controls match with the categories as follows:
1. Password: B. Technical.
2. Account reviews: A. Administrative.
3. Badge readers: C. Physical.
4. MFA: B. Technical.
5. IPS: B. Technical.
Passwords, multi-factor authentication (MFA) techniques, and intrusion prevention systems (IPS) are all examples of technical controls. Account reviews are an administrative control, while using badges to control access is a physical control.
270
76. The financial services company that Susan works for provides a web portal for its users.
When users need to verify their identity, the company uses information from third-party sources to ask questions based on their past credit reports, such as “Which of the following streets did you live on in 2007?” What process is Susan’s organization using?
A. Identity proofing
B. Password verification
C. Authenticating with Type 2 authentication factor
D. Out-of-band identity proofing
A. Verifying information that an individual should know about themselves using third-party factual information (a Type 1 authentication factor) is sometimes known as dynamic knowledge-based authentication and is a type of identity proofing. Out-of-band identity proofing would use another means of contacting the user, like a text message or phone call, and password verification requires a password.#ref
271
```
77. The United States (U.S.) government CAC is an example of what form of Type 2 authentication factor?
A. A token
B. Abiometric identifier
C. A smart card
D. A PIV
```
C. The US government’s Common Access Card is a smart card. The US government also issues PIV cards, or personal identity verification cards.
272
```
78. What authentication technology can be paired with OAuth to perform identity verification and obtain user profile information using a RESTful API?
A. SAML
B. Shibboleth
C. OpenID Connect
D. Higgins
```
C. OpenID Connect is a RESTful, JSON-based authentication protocol that, when paired with OAuth, can provide identity verification and basic profile information. SAML is the Security Assertion Markup Language, Shibboleth is a federated identity solution designed to allow web-based SSO, and Higgins is an open-source project designed to provide users with control over the release of their identity information.
273
```
80. The security administrators at the company that Susan works for have configured the workstation she uses to allow her to log in only during her work hours. What type of access control best describes this limitation?
A. Constrained interface
B. Context-dependent control
C. Content-dependent control
D. Least privilege
```
B. Time-based controls are an example of context-dependent controls. A constrained interface would limit what Susan was able to do in an application or system interface, while content-dependent control would limit her access to content based on her role or rights. Least privilege is used to ensure that subjects only receive the rights they need to perform their role.
274
```
83. Ben uses a software-based token that changes its code every minute. What type of token is he using?
A. Asynchronous
B. Smart card
C. Synchronous
D. Static
```
C. Synchronous soft tokens, such as Google Authenticator, use a time-based algorithm that generates a constantly changing series of codes. Asynchronous tokens typically require a challenge to be entered on the token to allow it to calculate a response, which the server compares to the response it expects. Smartcards typically present a certificate but may have other token capabilities built in. Static tokens are physical devices that can contain credentials and include smart cards and memory cards.
275
87. What should Ben do if the FAR and FRR shown in this diagram does not provide an acceptable performance level for his organization’s needs?
A. Adjust the sensitivity of the biometric devices.
B. Assess other biometric systems to compare them.
C. Move the CER.
D. Adjust the FRR settings in software.
B. CER is a standard used to assess biometric devices. If the CER for this device does not fit the needs of the organization, Ben should assess other biometric systems to find one with a lower CER. Sensitivity is already accounted for in CER charts, and moving the CER isn’t something Ben can do. FRR is not a setting in software, so Ben can’t use that as an option either.
276
```
88. What LDAP authentication mode can provide secure authentication?
A. Anonymous
B. SASL
C. Simple
D. S-LDAP
```
B. The Simple Authentication and Security Layer (SASL) for LDAP provides support for a range of authentication types, including secure methods. Anonymous authentication does not require or provide security, and simple authentication can be tunneled over SSL or TLS but does not provide security by itself. S-LDAP is not an LDAP protocol.
277
```
89. Which of the following Type 3 authenticators is appropriate to use by itself rather than in combination with other biometric factors?
A. Voice pattern recognition
B. Hand geometry
C. Palm scans
D. Heart/pulse patterns
```
C. Palm scans compare the vein patterns in the palm to a database to authenticate a user.
Vein patterns are unique, and this method is a better single-factor authentication method than voice pattern recognition, hand geometry, and pulse patterns, each of which can be more difficult to uniquely identify between individuals or can be fooled more easily.
278
90. What danger is created by allowing the OpenID relying party to control the connection to the OpenID provider?
A. It may cause incorrect selection of the proper OpenID provider.
B. It creates the possibility of a phishing attack by sending data to a fake OpenID provider.
C. The relying party may be able to steal the client’s username and password.
D. The relying party may not send a signed assertion.
B. Allowing the relying party to provide the redirect to the OpenID provider could allow a phishing attack by directing clients to a fake OpenID provider that can capture valid credentials. Since the OpenID provider URL is provided by the client, the relying party cannot select the wrong provider. The relying party never receives the user’s password, which means that they can’t steal it. Finally, the relying party receives the signed assertion but does not send one.
279
```
92. RAID-5 is an example of what type of control?
A. Administrative
B. Recovery
C. Compensation
D. Logical
```
B. Drives in a RAID-5 array are intended to handle failure of a drive. This is an example of a recovery control, which is used to return operations to normal function after a failure. Administrative controls are policies and procedures. Compensation controls help cover for issues with primary controls or improve them. Logical controls are software and hardware mechanisms used to protect resources and systems.
280
```
95. LDAP distinguished names (DNs) are made up of comma-separated components called relative distinguished names (RDNs) that have an attribute name and a value. DNs become less specific as they progress from left to right. Which of the following LDAP DNs best fits this rule?
A. uid=ben,ou=sales,dc=example,dc=com
B. uid=ben,dc=com,dc=example
C. dc=com,dc=example,ou=sales,uid=ben
D. ou=sales,dc=com,dc=example
```
A. In this example, uid=ben,ou=sales,dc=example,dc=com, the items proceed from most specific to least specific (broadest) from left to right, as required by a DN.
281
```
97. Kerberos, KryptoKnight, and SESAME are all examples of what type of system?
A. SSO
B. PKI
C. CMS
D. Directory
```
A. Kerberos, KryptoKnight, and SESAME are all single sign-on, or SSO, systems. PKI systems are public key infrastructure systems, CMS systems are content management systems, and LDAP and other directory servers provide information about services, resources, and individuals.
282
```
98. Which of the following access control categories would not include a door lock(門鎖)?
A. Physical
B. Directive
C. Preventative
D. Deterrent
```
B. Locks can be preventative access controls by stopping unwanted access, can deter potential intruders by making access difficult, and are physical access controls. They are not directive controls because they don’t control the actions of subjects.
283
```
99. What authentication protocol does Windows use by default for Active Directory systems?
A. RADIUS
B. Kerberos
C. OAuth
D. TACACS+
```
B. Windows uses Kerberos for authentication. RADIUS is typically used for wireless networks, modems, and network devices, while OAuth is primarily used for web applications. TACACS+ is used for network devices.
284
100. Alex configures his LDAP server to provide services on 636 and 3269. What type of LDAP services has he configured based on LDAP’s default ports?
A. Unsecure LDAP and unsecure global directory
B. Unsecure LDAP and secure global directory
C. Secure LDAP and secure global directory
D. Secure LDAP and unsecure global directory
C. The default ports for SSL/TLS LDAP directory information and global catalog services are 636 and 3269, respectively.
Unsecure LDAP uses 389, and unsecure global directory services use 3268.
285
```
2. Which of the following is a method used to design new software tests(新軟件測試) and to ensure the quality of tests?
A. Code auditing
B. Static code analysis
C. Regression testing
D. Mutation testing
```
D. Mutation(變異) testing modifies a program in small ways and then tests that mutant to determine if it behaves as it should or if it fails. This technique is used to design and test software tests through mutation.
Static code analysis and regression testing are both means of testing code, whereas code auditing is an analysis of source code rather than a means of designing and testing software tests.
286
```
7. NIST Special Publication 800-53A describes four major types of assessment objects that can be used to identify items being assessed. If the assessment covers IPS devices, which type of assessment objects is being assessed?
A. A specification
B. A mechanism
C. An activity
D. An individual
```
B. An IPS is an example of a mechanism like a hardware-, software-, or firmware-based control or system.
Specifications are document-based artifacts like policies or designs, activities are actions that support an information system that involves people, and an individual is one or more people applying specifications, mechanisms, or activities.
287
9. Alex is using nmap to perform port scanning of a system, and he receives three different port status messages in the results. Match each of the numbered status messages with the appropriate lettered description. You should use each item exactly once.
Status message
1. Open
2. Closed
3. Filtered
Description
A. The port is accessible on the remote system, but no application is accepting connections on that port.
B. The port is not accessible on the remote system.
C. The port is accessible on the remote system, and an application is accepting connections on that port.
CAB
288
10. In a response to a Request for Proposal, Susan receives an SSAE 18 SOC 1 report. If she wants a report that includes operating effectiveness detail, what should Susan ask for as follow-up and why?
A. A SOC 2 Type II report, because Type I does not cover operating effectiveness
B. A SOC 1 Type I report, because SOC 2 does not cover operating effectiveness
C. A SOC 2 Type I report, because SOC 2 Type II does not cover operating effectiveness
D. A SOC 3 report, because SOC 1 and SOC 2 reports are outdated
A. Service Organization Control (SOC) reports replaced SAS-70 reports in 2010. A Type I report only covers a point in time, so Susan needs an SOC Type II report to have the information she requires to make a design and operating effectiveness decision based on the report.
289
14. Which of the following is not a potential problem with active wireless scanning?
A. Accidently scanning apparent rogue devices that actually belong to guests
B. Causing alarms on the organization’s wireless IPS
C. Scanning devices that belong to nearby organizations
D. Misidentifying rogue devices
B. Not only should active scanning be expected to cause wireless IPS alarms, but they may actually be desired if the test is done to test responses. Accidentally scanning guests or neighbors or misidentifying devices belonging to third parties are all potential problems with active scanning and require the security assessor to carefully verify the systems that she is scanning.#他覺得那個不叫問題
290
```
15. Ben uses a fuzzing tool that tests an application by developing data models and creating fuzzed data based on information about how the application uses data. What type of fuzzing is Ben doing?
A. Mutation
B. Parametric
C. Generational
D. Derivative
```
C. Generational fuzzing relies on models for application input and conducts fuzzing attacks based on that information. Mutation-based fuzzers are sometimes called “dumb” fuzzers because they simply mutate or modify existing data samples to create new test samples. Neither parametricnor derivativeis a term used to describe types of fuzzers.
291
```
16. Saria wants to log and review traffic information between parts of her network. What type of network logging should she enable on her routers to allow her to perform this analysis?
A. Audit logging
B. Flow logging
C. Trace logging
D. Route logging
```
B. Flows, also often called network flows, are captured to provide insight into network traffic for security, troubleshooting, and performance management. Audit logging provides information about events on the routers, route logging is not a common network logging function, and trace logs are used in troubleshooting specific software packages as they perform their functions.
292
```
18. Karen’s organization has been performing system backups for years but has not used the backups frequently. During a recent system outage, when administrators tried to restore from backups, they found that the backups had errors and could not be restored. Which of the following options should Karen avoid when selecting ways to ensure that her organization’s backups will work next time?#考你英文
A. Log review
B. MTD verification
C. Hashing
D. Periodic testing
```
B. Karen can’t use MTD verification because MTD is the Maximum Tolerable Downtime.Verifying it will only tell her how long systems can be offline without significant business impact. Reviewing logs, using hashing to verify that the logs are intact, and performing periodic tests are all valid ways to verify that the backups are working properly.
"should Karen avoid""應避免使用"
293
```
20. During normal operations, Jennifer’s team uses the SIEM appliance to monitor for exceptions received via syslog. What system shown does not natively have support for syslog events?
A. Enterprise wireless access points
B. Windows desktop systems
C. Linux web servers
D. Enterprise firewall devices
```
B. Windows systems generate logs in the Windows native logging format. To send syslog events, Windows systems require a helper application or tool. Enterprise wireless access points, firewalls, and Linux systems all typically support syslog.#M$要另外想辦法弄出來
294
```
25. What method is commonly used to assess how well software testing covered the potential uses of an application?
A. A test coverage analysis
B. A source code review
C. A fuzz analysis
D. A code review report
```
A. A test coverage analysis is often used to provide insight into how well testing covered the set of use cases that an application is being tested for. Source code reviews look at the code of a program for bugs, not necessarily at a use case analysis, whereas fuzzing tests invalid inputs. A code review report might be generated as part of a source code review.
295
```
27. What type of monitoring uses simulated traffic to a website to monitor performance?
A. Log analysis
B. Synthetic monitoring
C. Passive monitoring
D. Simulated transaction analysis
```
B. Synthetic monitoring uses emulated or recorded transactions to monitor for performance changes in response time, functionality, or other performance monitors.
Passive monitoring uses a span port or other method to copy traffic and monitor it in real time. Log analysis is typically performed against actual log data but can be performed on simulated traffic to identify issues. Simulated transaction analysisis not an industry term.
296
```
30. Emily builds a script that sends data to a web application that she is testing. Each time the script runs, it sends a series of transactions with data that fits the expected requirements of the web application to verify that it responds to typical customer behavior. What type of transactions is she using, and what type of test is this?
A. Synthetic, passive monitoring
B. Synthetic, use case testing
C. Actual, dynamic monitoring
D. Actual, fuzzing
```
B. Emily is using synthetic transactions, which can use recorded or generated transactions, and is conducting use case testing to verify that the application responds properly to actual use cases. Neither actual datanor dynamic monitoringis an industry term. Fuzzing involves sending unexpected inputs to a program to see how it responds. Passive monitoring uses a network tap or other capture technology to allow monitoring of actual traffic to a system or application.
297
32. Earlier this year, the information security team at Jim’s employer identified a vulnerability in the web server that Jim is responsible for maintaining. He immediately applied the patch and is sure that it installed properly, but the vulnerability scanner has continued to incorrectly flag the system as vulnerable due to the version number it is finding even though Jim is sure the patch is installed. Which of the following options is Jim’s best choice to deal with the issue?
A. Uninstall and reinstall the patch.
B. Ask the information security team to flag the system as patched and not vulnerable.
C. Update the version information in the web server’s configuration.
D. Review the vulnerability report and use alternate remediation options.
B. Jim should ask the information security team to flag the issue as resolved if he is sure the patch was installed. Many vulnerability scanners rely on version information or banner information and may flag patched versions if the software provider does not update the information they see. Uninstalling and reinstalling the patch will not change this. Changing the version information may not change all of the details that are being flagged by the scanner and may cause issues at a later date. Reviewing the vulnerability information for a workaround may be a good idea but should not be necessary if the proper patch is installed; it can create maintenance issues later.
298
```
34. STRIDE, which stands for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege, is useful in what part of application threat modeling?
A. Vulnerability assessment
B. Misuse case testing
C. Threat categorization
D. Penetration test planning
```
C. An important part of application threat modeling is threat categorization. It helps to assess attacker goals that influence the controls that should be put in place. The other answers all involve topics that are not directly part of application threat modeling.
299
35. Why should passive scanning be conducted in addition to implementing wireless security technologies like wireless intrusion detection systems?
A. It can help identify rogue devices.
B. It can test the security of the wireless network via scripted attacks.
C. Their short dwell time on each wireless channel can allow them to capture more packets.
D. They can help test wireless IDS or IPS systems.
A. Passive scanning can help identify rogue devices by capturing MAC address vendor IDs that do not match deployed devices, by verifying that systems match inventories of organizationally owned hardware by hardware address, and by monitoring for rogue SSIDs or connections.
Scripted attacks are part of active scanning rather than passive scanning, and active scanning is useful for testing IDS or IPS systems, whereas passive scanning will not be detected by detection systems. Finally, a shorter dwell time can actually miss troublesome traffic, so balancing dwell time versus coverage is necessary for passive wireless scanning efforts
300
36. During a penetration test, Lauren is asked to test the organization’s Bluetooth security.
Which of the following is not a concern she should explain to her employers(雇主)?
A. Bluetooth scanning can be time-consuming.
B. Many devices that may be scanned are likely to be personal devices.
C. Bluetooth passive scans may require multiple visits at different times to identify all targets.
D. Bluetooth active scans can’t evaluate the security mode of Bluetooth devices.
D. Bluetooth active scans can determine both the strength of the PIN and what security mode the device is operating in. Unfortunately, Bluetooth scans can be challenging due to the limited range of Bluetooth and the prevalence of personally owned Bluetooth enabled devices. Passive Bluetooth scanning only detects active connections and typically requires multiple visits to have a chance of identifying all devices.
301
```
37. What term describes software testing that is intended to uncover new bugs introduced by patches or configuration changes?
A. Nonregression testing
B. Evolution testing
C. Smoke testing
D. Regression testing
```
D. Regression testing, which is a type of functional or unit testing, tests to ensure that changes have not introduced new issues. Non-regression testing checks to see whether a change has had the effect it was supposed to, smoke testing focuses on simple problems with impact on critical functionality, and evolution testing is not a software testing technique.
302
44. What four types of coverage criteria are commonly used when validating the work of a code testing suite?
A. Input, statement, branch, and condition coverage
B. Function, statement, branch, and condition coverage
C. API, branch, bounds, and condition coverage
D. Bounds, branch, loop, and condition coverage
B. Code coverage testing most frequently requires that every function has been called, that each statement has been executed, that all branches have been fully explored, and that each condition has been evaluated for all possibilities. API, input, and loop testing are not common types of code coverage testing measures.
303
45. As part of his role as a security manager, Jacob provides the following chart to his organization’s management team. What type of measurement is he providing for them?
A. A coverage rate measure
B. A key performance indicator
C. A time to live metric#生存時間指標
D. A business criticality indicator
B. Time to remediate a vulnerability is a commonly used key performance indicator for security teams. Time to live measures how long a packet can exist in hops, business criticality is a measure used to determine how important a service or system is to an organization, and coverage rates are used to measure how effective code testing is.
304
```
47. Which of the following is not an interface that is typically tested during the software testing process?
A. APIs
B. Network interfaces
C. UIs
D. Physical interfaces
```
B. Application programming interfaces (APIs), user interfaces (UIs), and physical interfaces are all important to test when performing software testing. Network interfaces are not a part of the typical list of interfaces tested in software testing.
305
```
48. Alan’s organization uses the Security Content Automation Protocol (SCAP) to standardize its vulnerability management program. Which component of SCAP can Alan use to reconcile the identity of vulnerabilities generated by different security assessment tools?
A. OVAL
B. XCCDF
C. CVE
D. SCE
```
C. The Common Vulnerabilities and Exposures (CVE) database provides a consistent reference for identifying security vulnerabilities. The Open Vulnerability and Assessment Language (OVAL) is used to describe the security condition of a system. The Extensible Configuration Checklist Description Format (XCCDF) is used to create security checklists in a standardized fashion. The Script Check Engine (SCE) is designed to make scripts interoperable with security policy definitions.
306
```
49. Misconfiguration, logical and functional flaws, and poor programming practices are all causes of what common security issue?
A. Fuzzing
B. Security vulnerabilities
C. Buffer overflows
D. Race conditions
```
B. Security vulnerabilities can be created by misconfiguration, logical or functional design or implementation issues, or poor programming practices. Fuzzing is a method of software testing and is not a type of issue. Buffer overflows and race conditions are both caused by logical or programming flaws, but they are not typically caused by misconfiguration or functional issues.
307
50. Which of the following strategies is not a reasonable approach for remediating a vulnerability identified by a vulnerability scanner?
A. Install a patch.
B. Use a workaround fix.
C. Update the banner or version number.
D. Use an application layer firewall or IPS to prevent attacks against the identified vulnerability.
C. Simply updating the version that an application provides may stop the vulnerability scanner from flagging it, but it won’t fix the underlying issue. Patching, using workarounds, or installing an application layer firewall or IPS can all help to remediate or limit the impact of the vulnerability.
308
```
53. Which of the following is not a hazard(風險) associated with penetration testing?
A. Application crashes
B. Denial of service
C. Exploitation of vulnerabilities
D. Data corruption
```
C. Penetration tests are intended to help identify vulnerabilities, and exploiting them is part of the process rather than a hazard. Application crashes; denial of service due to system, network, or application failures; and even data corruption can all be hazards of penetration tests.#那是他本來就在做的事情
309
```
54. Which NIST special publication covers the assessment of security and privacy controls?
A. 800-12
B. 800-53A
C. 800-34
D. 800-86
```
B. NIST SP 800-53A is titled “Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans,” and covers methods for assessing and measuring controls.
NIST 800-12 is an introduction to computer security, 800-34 covers contingency planning, and 800-86 is the “Guide to Integrating Forensic Techniques into Incident Response.”
310
```
59. Jim is helping his organization decide on audit standards for use throughout their international organization. Which of the following is not an IT standard that Jim’s organization is likely to use as part of its audits?
A. COBIT
B. SSAE-18
C. ITIL
D. ISO 27002
```
C. ITIL, which originally stood for IT Infrastructure Library, is a set of practices for IT service management, and is not typically used for auditing. COBIT, or the Control Objectives for Information and Related Technology, ISO 27002, and SSAE-18, or the Statement on Standards for Attestation Engagements number 18, are all used for auditing.
311
60. Which of the following best describes a typical process for building and implementing an Information Security Continuous Monitoring program as described by NIST Special Publication 800-137?
A. Define, establish, implement, analyze and report, respond, review, and update
B. Design, build, operate, analyze, respond, review, revise
C. Prepare, detect and analyze, contain, respond, recover, report
D. Define, design, build, monitor, analyze, react, revise
A. NIST SP 800-137 outlines the process for organizations that are establishing, implementing, and maintaining an ISCM as define, establish, implement, analyze and report, respond, review, and update. Prepare, detect and analyze, contain, respond, recover, report is an incident response plan, and the others do not match the NIST process.
312
61. Lauren’s team conducts regression testing on each patch that they release. What key performance measure should they maintain to measure the effectiveness of their testing?
A. Time to remediate vulnerabilities
B. A measure of the rate of defect recurrence
C. A weighted risk trend
D. A measure of the specific coverage of their testing
B. Lauren’s team is using regression testing, which is intended to prevent the recurrence of issues. This means that measuring the rate of defect recurrence is an appropriate measure for their work. Time to remediate vulnerabilities is associated with activities like patching, rather than preparing the patch, whereas a weighted risk trend is used to measure risk over time to an organization. Finally, specific coverage may be useful to determine if they are fully testing their effort, but regression testing is more specifically covered by defect recurrence rates.
313
```
62. Which of the following types of code review is not typically performed by a human?
A. Software inspections
B. Code review
C. Static program analysis
D. Software walkthroughs
```
C. Static program reviews are typically performed by an automated tool. Program understanding, program comprehension, code review, software inspections and software walkthroughs are all human-centric methods for reviewing code.
314
For questions 63–65, please refer to the following scenario:
Susan is the lead of a Quality Assurance team at her company. The team has been tasked with the testing for a major release of their company’s core software product.
64. As part of the continued testing of their new application, Susan’s quality assurance team has designed a set of test cases for a series of black box tests. These functional tests are then run, and a report is prepared explaining what has occurred. What type of report is typically generated during this testing to indicate test metrics?
A. A test coverage report
B. A penetration test report
C. A code coverage report
D. A line coverage report
A. A test coverage report measures how many of the test cases have been completed and is used as a way to provide test metrics when using test cases. A penetration test report is provided when a penetration test is conducted—this is not a penetration test. A code coverage report covers how much of the code has been tested, and a line coverage report is a type of code coverage report.#不要看到黑盒子就開槍
315
For questions 63–65, please refer to the following scenario:
Susan is the lead of a Quality Assurance team at her company. The team has been tasked with the testing for a major release of their company’s core software product.
65. As part of their code coverage testing, Susan’s team runs the analysis in a nonproduction environment using logging and tracing tools. Which of the following types of code issues is most likely to be missed during testing due to this change in the operating environment?
A. Improper bounds checking
B. Input validation
C. A race condition
D. Pointer manipulation
C. The changes from a testing environment with instrumentation inserted into the code and the production environment for the code can mask timing-related issues like race conditions. Bounds checking, input validation, and pointer manipulation are all related to coding issues rather than environmental issues and are more likely to be discoverable in a test environment.
316
```
66. Robin recently conducted a vulnerability scan and found a critical vulnerability on a server that handles sensitive information. What should Robin do next?
A. Patching
B. Reporting
C. Remediation
D. Validation
```
D. Once a vulnerability scanner identifies a potential problem, validation is necessary to verify that the issue exists. Reporting, patching, or other remediation actions can be conducted once the vulnerability has been confirmed.
317
```
67. Kathleen is reviewing the code for an application. She first plans the review, conducts an overview session with the reviewers and assigns roles, and then works with the reviewers to review materials and prepare for their roles. Next, she intends to review the code, rework it, and ensure that all defects found have been corrected. What type of review is Kathleen conducting?
A. A dynamic test
B. Fagan inspection
C. Fuzzing
D. ARoth-Parker review
```
B. Fagan testing is a detailed code review that steps through planning, overview, preparation, inspection, rework, and follow-up phases. Dynamic tests test the code in a real runtime environment, whereas fuzzing is a type of dynamic testing that feeds invalid inputs to software to test its exception-handling capabilities. Roth-Parker reviews were made up for this question.#中文那本p452
318
```
68. Danielle wants to compare vulnerabilities she has discovered in her data center based on how exploitable they are, if exploit code exists, and how hard they are to remediate. What scoring system should she use to compare vulnerability metrics like these?
A. CSV
B. NVD
C. VSS
D. CVSS
```
D. The Common Vulnerability Scoring System (CVSS) includes metrics and calculation tools for exploitability, impact, how mature exploit code is, and how vulnerabilities can be remediated, as well as a means to score vulnerabilities against users’ unique requirements. NVD is the National Vulnerability Database, CSV is short for comma-separated values, and VSS (Visual SourceSafe)is an irrelevant term related to software development rather than vulnerability management.
319
```
71. Place the following elements of a Fagan inspection code review in the correct order.
A. Follow-up
B. Inspection
C. Overview
D. Planning
E. Preparation
F. Rework
```
DCEBFA. Planning=>Overview=>Preparation=>Inspection=>Rework=>Follow-up
320
```
75. Ken is having difficulty correlating information from different security teams in his organization. Specifically, he would like to find a way to describe operating systems in a consistent fashion. What SCAP component can assist him?
A. CVE
B. CPE
C. CWE
D. OVAL
```
B. The Common Platform Enumeration (CPE) component of SCAP provides a consistent way to refer to operating systems and other system components. The Common Vulnerabilities and Exposures (CVE) component provides a consistent way to refer to security vulnerabilities. The Common Weaknesses Enumeration (CWE) component helps describe the root causes of software flaws. The Open Vulnerability and Assessment Language (OVAL) standardizes steps of the vulnerability assessment process.
321
```
76. When a Windows system is rebooted, what type of log is generated?
A. Error
B. Warning
C. Information
D. Failure audit
```
C. Rebooting a Windows machine results in an information log entry. Windows defines five types of events: errors, which indicate a significant problem; warnings, which may indicate future problems; information, which describes successful operation; success audits, which record successful security accesses; and failure audits, which record failed security access attempts.
322
```
78. What type of vulnerability scan accesses configuration information from the systems it is run against as well as information that can be accessed via services available via the network?
A. Authenticated scans
B. Web application scans
C. Unauthenticated scans
D. Port scans
```
A. Authenticated scans use a read-only account to access configuration files, allowing more accurate testing of vulnerabilities. Web application, unauthenticated scans, and port scans don’t have access to configuration files unless they are inadvertently exposed.
323
```
80. Ben’s team is attempting to categorize a transaction identification issue that is caused by use of a symmetric key shared by multiple servers. What STRIDE category should this fall into?
A. Information disclosure
B. Denial of service
C. Tampering
D. Repudiation
```
D. Since a shared symmetric key could be used by any of the servers, transaction identification problems caused by a shared key are likely to involve a repudiation issue. If encrypted transactions cannot be uniquely identified by server, they cannot be proved to have come from a specific server.
324
```
81. Ben wants to prevent or detect tampering with data. Which of the following is not an appropriate solution?
A. Hashes
B. Digital signatures
C. Filtering
D. Authorization controls
```
C. Filtering is useful for preventing denial of service attacks but won’t prevent tampering with data. Hashes and digital signatures can both be used to verify the integrity of data, and authorization controls can help ensure that only those with the proper rights can modify the data.
325
83. Ryan is considering the use of fuzz testing in his web application testing program. Which one of the following limitations of fuzz testing should Ryan consider when making his decision?
A. They often find only simple faults.
B. Testers must manually generate input.
C. Fuzzers may not fully cover the code.
D. Fuzzers can’t reproduce errors.
X. A & C right B & D wrong
Fuzz testers are capable of automatically generating input sequences to test an application. Therefore, testers do not need to manually generate input, although they may do so if they wish. Fuzzers can reproduce errors (and thus, “fuzzers can’t reproduce errors” is not an issue) but typically don’t fully cover the code—code coverage tools are usually paired with fuzzers to validate how much coverage was possible. Fuzzers are often
limited to simple errors because they won’t handle business logic or attacks that require knowledge from the application user.
326
```
84. Ken is designing a testing process for software developed by his team. He is designing a test that verifies that every line of code was executed during the test. What type of analysis is Ken performing?
A. Branch coverage
B. Condition coverage
C. Function coverage
D. Statement coverage
```
D. Statement coverage tests verify that every line of code was executed during the test. Branch coverage verifies that every if statement was executed under all if and else conditions. Condition coverage verifies that every logical test in the code was executed under all sets of inputs. Function coverage verifies that every function in the code was called and returns results.
327
87. Ben’s manager expresses concern about the coverage of his scan. Why might his manager have this concern?
A. Ben did not test UDP services.
B. Ben did not discover ports outside the “well-known ports.”
C. Ben did not perform OS fingerprinting.
D. Ben tested only a limited number of ports.
D. Nmap only scans 1000 TCP and UDP ports by default, including ports outside the 0–1024 range of “well-known” ports. By using the defaults for nmap, Ben missed 64,535 ports. OS fingerprinting won’t cover more ports but would have provided a best guess of the OS running on the scanned system.
328
```
92. Kevin is a database administrator and would like to use a tool designed to test the security of his databases. Which one of the following tools is best suited for this purpose?
A. sqlmap
B. nmap
C. sqlthrash
D. Nessus
```
A. Sqlmap is a dedicated database vulnerability scanner and is well suited for Kevin’s purposes. Nmap is a network port scanner that would not provide relevant results. Nessus is a network vulnerability scanner and may detect issues with a database but would not be as effective as sqlmap. Sqlthrash does not exist.
329
```
97. When designing an assessment following NIST SP 800-53A, which assessment component includes policies and procedures?
A. Specifications
B. Mechanisms
C. Activities
D. Individuals
```
A. Specifications are the documents associated with the system being audited.
Specifications generally include policies, procedures, requirements, and designs.
330
For questions 98–100, please refer to the following scenario. NIST Special Publication 800-115, the Technical Guide to Information Security Testing and Assessment, provides NIST’s process for penetration testing. Use this image as well as your knowledge of penetration testing to answer the questions.
99. NIST specifies four attack phase steps: gaining access, escalating privileges, system browsing, and installing additional tools. Once attackers install additional tools, what phase will a penetration tester typically return to?
A. Discovery
B. Gaining access
C. Escalating privileges
D. System browsing
B. Once additional tools have been installed, penetration testers will typically use them to gain additional access. From there they can further escalate privileges, search for new targets or data, and once again, install more tools to allow them to pivot further into infrastructure or systems.
331
```
3. Which one of the following is not a privileged administrative activity that should be automatically sent to a log of super-user actions?
A. Purging log entries
B. Restoring a system from backup
C. Logging into a workstation
D. Managing user accounts
```
C. While most organizations would want to log attempts to log in to a workstation, this is not considered a privileged administrative activity and would go through normal logging processes.
332
```
5. What type of evidence consists entirely of tangible items that may be brought into a court of law?
A. Documentary evidence
B. Parol evidence#口頭
C. Testimonial evidence#推薦
D. Real evidence
```
D. Real evidence consists of things that may actually be brought into a courtroom as evidence. For example, real evidence includes hard disks, weapons, and items containing fingerprints. Documentary evidence consists of written items that may or may not be in tangible form. Testimonial evidence is verbal testimony given by witnesses with relevant information. The parol evidence rule says that when an agreement is put into written form, the written document is assumed to contain all the terms of the agreement.
333
6. Which one of the following trusted recovery types does not fail into a secure operating state?
A. Manual recovery
B. Automated recovery
C. Automated recovery without undue loss#而不會造成不必要的損失
D. Function recovery
```
A. In a manual recovery approach, the system does not fail into a secure state but requires an administrator to manually restore operations. In an automated recovery, the system can recover itself against one or more failure types. In an automated recovery without undue loss, the system can recover itself against one or more failure types and also preserve data against loss. In function recovery, the system can restore functional processes automatically.
#在手動恢復方法中,系統不會故障進入安全狀態,而是需要管理員手動恢復操作。 在自動恢復中,系統可以針對一種或多種故障類型進行自我恢復。 在沒有不適當損失的自動恢復中,系統可以針對一種或多種故障類型進行自我恢復,還可以保留數據以防丟失。 在功能恢復中,系統可以自動恢復功能過程。
```
334
```
10. Jim would like to identify compromised systems on his network that may be participating in a botnet. He plans to do this by watching for connections made to known command-and-control servers. Which one of the following techniques would be most likely to provide this information if Jim has access to a list of known servers?
A. Netflow records
B. IDS logs
C. Authentication logs
D. RFC logs
```
A. Netflow records contain an entry for every network communication session that took place on a network and can be compared to a list of known malicious hosts. IDS logs may contain a relevant record, but it is less likely because they would only create log entries if the traffic triggers the IDS, as opposed to netflow records, which encompass all communications. Authentication logs and RFC logs would not have records of any network traffic.
335
```
13. Gary is preparing to create an account for a new user and assign privileges to the HR database. What two elements of information must Gary verify before granting this access?
A. Credentials and need to know
B. Clearance and need to know
C. Password and clearance
D. Password and biometric scan
```
B. Before granting access, Gary should verify that the user has a valid security clearance and a business need to know the information. Gary is performing an authorization task, so he does not need to verify the user’s credentials, such as a password or biometric scan.
336
```
14. Gary is preparing to develop controls around access to root encryption keys and would like to apply a principle of security designed specifically for very sensitive operations. Which principle should he apply?
A. Least privilege
B. Defense in depth
C. Security through obscurity
D. Two-person control
```
D. Gary should follow the principle of two-person control by requiring simultaneous action by two separate authorized individuals to gain access to the encryption keys. He should also apply the principles of least privilege and defense in depth, but these principles apply to all operations and are not specific to sensitive operations. Gary should avoid the security through obscurity principle, the reliance upon the secrecy of security mechanisms to provide security for a system or process.
337
```
16. Which one of the following terms is often used to describe a collection of unrelated patches released in a large collection?
A. Hotfix
B. Update
C. Security fix
D. Service pack
```
D. Hotfixes, updates, and security fixes are all synonyms for single patches designed to correct a single problem. Service packs are collections of many different updates that serve as a major update to an operating system or application.
338
17. Which one of the following tasks is performed by a forensic disk controller?
A. Masking error conditions reported by the storage device
B. Transmitting write commands to the storage device
C. Intercepting and modifying or discarding commands sent to the storage device
D. Preventing data from being returned by a read operation sent to the device
C. A forensic disk controller performs four functions. One of those, write blocking, intercepts write commands sent to the device and prevents them from modifying data on the device. The other three functions include returning data requested by a read operation, returning access-significant information from the device, and reporting errors from the device back to the forensic host.
339
```
22. Tom is responding to a recent security incident and is seeking information on the approval process for a recent modification to a system’s security settings. Where would he most likely find this information?
A. Change log
B. System log
C. Security log
D. Application log
```
A. The change log contains information about approved changes and the change management process. While other logs may contain details about the change’s effect, the audit trail for change management would be found in the change log.
340
```
25. Which of the following would normally be considered an example of a disaster when performing disaster recovery planning?
I. Hacking incident
II. Flood
III. Fire
IV. Terrorism#恐怖主義
A. II and III only
B. I and IV only
C. II, III, and IV only
D. I, II, III, and IV
```
D. A disaster is any event that can disrupt normal IT operations and can be either natural or manmade. Hacking and terrorism are examples of manmade disasters, while flooding and fire are examples of natural disasters.
341
```
26. Glenda would like to conduct a disaster recovery test and is seeking a test that will allow a review of the plan with no disruption to normal information system activities and as minimal a commitment of time as possible. What type of test should she choose?
A. Tabletop exercise
B. Parallel test
C. Full interruption test
D. Checklist review
```
D. The checklist review is the least disruptive type of disaster recovery test. During a checklist review, team members each review the contents of their disaster recovery checklists on their own and suggest any necessary changes. During a tabletop exercise, team members come together and walk through a scenario without making any changes to information systems. During a parallel test, the team actually activates the
disaster recovery site for testing, but the primary site remains operational. During a full interruption test, the team takes down the primary site and confirms that the disaster recovery site is capable of handling regular operations. The full interruption test is the most thorough test but also the most disruptive.
342
```
27. Which one of the following is not an example of a backup tape rotation scheme?
A. Grandfather/Father/Son
B. Meet in the middle
C. Tower of Hanoi
D. Six Cartridge Weekly
```
B. The Grandfather/Father/Son, Tower of Hanoi, and Six Cartridge Weekly schemes are all different approaches to rotating backup media that balance reuse of media with data retention concerns. Meet-in-the-middle is a cryptographic attack against 2DES encryption.
343
```
29. Which one of the following is not a requirement for evidence to be admissible in court?
A. The evidence must be relevant.
B. The evidence must be material.
C. The evidence must be tangible.
D. The evidence must be competent.
```
C. Evidence provided in court must be relevant to determining a fact in question, material to the case at hand, and competently obtained. Evidence does not need to be tangible.
Witness testimony is an example of intangible evidence that may be offered in court.
344
```
31. Which of the following organizations would be likely to have a representative on a CSIRT?
I. Information security
II. Legal counsel
III. Senior management
IV. Engineering
A. I, III, and IV
B. I, II, and III
C. I, II, and IV
D. All of the above
```
D. 電腦資安事件應變小組(Computer Security Incident Response Team)CSIRT representation normally includes at least representatives of senior management, information security professionals, legal representatives, public affairs staff, and engineering/technical staff.
345
```
33. Which one of the following security tools is not capable of generating an active response to a security event?
A. IPS
B. Firewall
C. IDS
D. Antivirus software
```
C. Intrusion detection systems (IDSs) provide only passive responses, such as alerting administrators to a suspected attack. Intrusion prevention systems and firewalls, on the other hand, may take action to block an attack attempt. Antivirus software also may engage in active response by quarantining suspect files.
346
```
35. What term is used to describe the default set of privileges assigned to a user when a new account is created?
A. Aggregation
B. Transitivity
C. Baseline
D. Entitlement
```
D. Entitlementrefers#權利 to the privileges granted to users when an account is first provisioned.
347
41. Which of the following is not true about the (ISC)2code of ethics?
A. Adherence(遵守) to the code is a condition of certification.
B. Failure to comply with the code may result in revocation of certification.
C. The code applies to all members of the information security profession.
D. Members who observe a breach of the code are required to report the possible violation.
C. The (ISC)2code of ethics applies only to information security professionals who are members of (ISC)2. Adherence to the code is a condition of certification, and individuals found in violation of the code may have their certifications revoked. (ISC)2members who observe a breach of the code are required to report the possible violation by following the ethics complaint procedures.
348
```
42. Javier is verifying that only IT system administrators have the ability to log on to servers used for administrative purposes. What principle of information security is he enforcing?
A. Need to know
B. Least privilege
C. Two-person control
D. Transitive trust
```
B. The principle of least privilege says that an individual should only have the privileges necessary to complete their job functions. Removing administrative privileges from nonadministrative users is an example of least privilege.
349
43. Which one of the following is not a basic preventative measure that you can take to protect your systems and applications against attack?
A. Implement intrusion detection and prevention systems.
B. Maintain current patch levels on all operating systems and applications.
C. Remove unnecessary accounts and services.
D. Conduct forensic imaging of all systems.
D. There is no need to conduct forensic imaging as a preventative measure. Rather, forensic imaging should be used during the incident response process. Maintaining patch levels, implementing intrusion detection/prevention, and removing unnecessary services and accounts are all basic preventative measures.
350
```
44. Tim is a forensic analyst who is attempting to retrieve information from a hard drive. It appears that the user attempted to erase the data, and Tim is trying to reconstruct it. What type of forensic analysis is Tim performing?
A. Software analysis
B. Media analysis
C. Embedded device analysis
D. Network analysis
```
B. The scrutiny of hard drives for forensic purposes is an example of media analysis.
Embedded device analysis looks at the computers included in other large systems, such as automobiles or security systems. Software analysis analyzes applications and their logs.
Network analysis looks at network traffic and logs.
351
```
47. Connor’s company recently experienced a denial of service attack that Connor believes came from an inside source. If true, what type of event has the company experienced?
A. Espionage
B. Confidentiality breach
C. Sabotage
D. Integrity breach
```
```
C. An attack committed against an organization by an insider, such as an employee, is known as sabotage. Espionage and confidentiality breaches involve the theft of sensitive information, which is not alleged to have occurred in this case. Integrity breaches involve the unauthorized modification of information, which is not described in this scenario.
A. Espionage#間諜活動
B. Confidentiality breach#違反保密規定
C. Sabotage#破壞
D. Integrity breach
```
352
52. During an incident investigation, investigators meet with a system administrator who may have information about the incident but is not a suspect. What type of conversation is taking place during this meeting?
A. Interview
B. Interrogation
C. Both an interview and an interrogation
D. Neither an interview nor an interrogation
A. Interviews occur when investigators meet with an individual who may have information relevant to their investigation but is not a suspect. If the individual is a suspect, then the meeting is an interrogation.
353
54. What technique has been used to protect the intellectual property in the following image?
A. Steganography
B. Clipping
C. Sampling
D. Watermarking
D. The image clearly contains the watermark of the US Geological Survey (USGS), which ensures that anyone seeing the image knows its origin. It is not possible to tell from looking at the image whether steganography was used. Sampling and clipping are data analysis techniques and are not used to protect images.
354
```
57. Veronica is considering the implementation of a database recovery mechanism recommended by a consultant. In the recommended approach, an automated process will move database backups from the primary facility to an offsite location each night. What type of database recovery technique is the consultant describing?
A. Remote journaling
B. Remote mirroring
C. Electronic vaulting
D. Transaction logging
```
C. In an electronic vaulting approach, automated technology moves database backups from the primary database server to a remote site on a scheduled basis, typically daily.
Transaction logging is not a recovery technique alone; it is a process for generating the logs used in remote journaling. Remote journaling transfers transaction logs to a remote site on a more frequent basis than electronic vaulting, typically hourly. Remote mirroring maintains a live database server at the backup site and mirrors all transactions at the primary site on the server at the backup site.
355
60. Which one of the following events marks the completion of a disaster recovery process?
A. Securing property and life safety
B. Restoring operations in an alternate facility
C. Restoring operations in the primary facility
D. Standing down first responders
```
#恢復主要設施的運營
C. The end goal of the disaster recovery process is restoring normal business operations in the primary facility. All of the other actions listed may take place during the disaster recovery process, but the process is not complete until the organization is once again functioning normally in its primary facilities.
```
356
```
61. Melanie suspects that someone is using malicious software to steal computing cycles from her company. Which one of the following security tools would be in the best position to detect this type of incident?
A. NIDS
B. Firewall
C. HIDS
D. DLP
```
C. A host-based intrusion detection system (HIDS) may be able to detect unauthorized processes running on a system. The other controls mentioned, network intrusion detection systems (NIDSs), firewalls, and DLP systems, are network-based and may not notice rogue processes.
357
```
63. Carla has worked for her company for 15 years and has held a variety of different positions. Each time she changed positions, she gained new privileges associated with that position, but no privileges were ever taken away. What concept describes the sets of privileges she has accumulated?
A. Entitlement
B. Aggregation
C. Transitivity
D. Isolation
```
B. Carla’s account has experienced aggregation, where privileges accumulated over time.
This condition is also known as privilege creep and likely constitutes a violation of the least privilege principle.
358
```
64. During what phase of the incident response process do administrators take action to limit the effect or scope of an incident?
A. Detection
B. Response
C. Mitigation
D. Recovery
```
C. The Mitigation phase of incident response focuses on actions that can contain the damage incurred during an incident. This includes limiting the scope and or effectiveness of the incident.
359
```
69. Frank is seeking to introduce a hacker’s laptop in court as evidence against the hacker. The laptop does contain logs that indicate the hacker committed the crime, but the court ruled that the search of the apartment that resulted in police finding the laptop was unconstitutional. What admissibility criteria prevents Frank from introducing the laptop as evidence?
A. Materiality
B. Relevance
C. Hearsay
D. Competence
```
D. To be admissible, evidence must be relevant, material, and competent. The laptop in this case is clearly material because it contains logs related to the crime in question.
It is also relevant because it provides evidence that ties the hacker to the crime. It is not competent because the evidence was not legally obtained.
A. Materiality#重要性
B. Relevance#關聯性
C. Hearsay#傳聞
D. Competence#能力
360
```
71. Which one of the following tools provides an organization with the greatest level of protection against a software vendor going out of business?
A. Service level agreement
B. Escrow agreement
C. Mutual assistance agreement
D. PCI DSS compliance agreement
```
B. Software escrow agreements place a copy of the source code for a software package in the hands of an independent third party who will turn the code over to the customer if the vendor ceases business operations. Service level agreements, mutual assistance agreements, and compliance agreements all lose some or all of their effectiveness if the vendor goes out of business.
361
73. Which of the following events would constitute a security incident?
1. An attempted network intrusion
2. A successful database intrusion
3. Amalware infection
4. Aviolation of a confidentiality policy
5. An unsuccessful attempt to remove information from a secured area
A. 2, 3, and 4
B. 1, 2, and 3
C. 4 and 5
D. All of the above
D. Any attempt to undermine the security of an organization or violation of a security policy is a security incident. Each of the events described meets this definition and should be treated as an incident.
362
74. Which one of the following traffic types should not be blocked by an organization’s egress filtering policy?
A. Traffic destined to a private IP address
B. Traffic with a broadcast destination
C. Traffic with a source address from an external network
D. Traffic with a destination address on an external network
D. Egress filtering scans outbound traffic for potential security policy violations. This includes traffic with a private IP address as the destination, traffic with a broadcast address as the destination, and traffic that has a falsified source address not belonging to the organization.#除了D以外其他都要BAN
363
```
76. You are performing an investigation into a potential bot infection on your network and wish to perform a forensic analysis of the information that passed between different systems on your network and those on the Internet. You believe that the information was likely encrypted. You are beginning your investigation after the activity concluded. What would be the best and easiest way to obtain the source of this information?
A. Packet captures
B. Netflow data
C. Intrusion detection system logs
D. Centralized authentication records
```
B. Netflow data contains information on the source, destination, and size of all network communications and is routinely saved as a matter of normal activity. Packet capture data would provide relevant information, but it must be captured during the suspicious activity and cannot be re-created after the fact unless the organization is already conducting 100 percent packet capture, which is very rare. Additionally, the use of encryption limits the effectiveness of packet capture. Intrusion detection system logs would not likely contain relevant information because the encrypted traffic would probably not match intrusion signatures. Centralized authentication records would not contain information about network traffic.
364
```
80. In what virtualization model do full guest operating systems run on top of a virtualization platform?
A. Virtual machines
B. Software-defined networking
C. Virtual SAN
D. Application virtualization
```
A. Virtual machines run full guest operating systems on top of a host platform known as the hypervisor.
365
```
84. Roger recently accepted a new position as a security professional at a company that runs its entire IT infrastructure within an IaaS environment. Which one of the following would most likely be the responsibility of Roger’s firm?
A. Configuring the network firewall
B. Applying hypervisor updates
C. Patching operating systems
D. Wiping drives prior to disposal
```
C. In an infrastructure as a service environment, the vendor is responsible for hardware- and network-related responsibilities. These include configuring network firewalls, maintaining the hypervisor, and managing physical equipment. The customer retains responsibility for patching operating systems on its virtual machine instances.
366
```
87. What type of trust relationship extends beyond the two domains participating in the trust to one or more of their subdomains?
A. Transitive trust
B. Inheritable trust
C. Nontransitive trust
D. Noninheritable trust
```
A. Transitive trusts go beyond the two domains directly involved in the trust relationship and extend to their subdomains.
367
```
90. What legal protection prevents law enforcement agencies from searching a facility or electronic system without either probable cause or consent?
A. First Amendment
B. Fourth Amendment
C. Fifth Amendment
D. Fifteenth Amendment
```
B. The Fourth Amendment states, in part, that “the right of the people to be secure in their persons, houses, papers and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.” The First Amendment contains protections related to freedom of speech. The Fifth Amendment ensures that no person will be required to serve as a witness
against themselves. The Fifteenth Amendment protects the voting rights of citizens.
368
```
91. Darcy is a computer security specialist who is assisting with the prosecution of a hacker. The prosecutor requests that Darcy give testimony in court about whether, in her opinion, the logs and other records in a case are indicative of a hacking attempt. What type of evidence is Darcy being asked to provide?
A. Expert opinion
B. Direct evidence
C. Real evidence
D. Documentary evidence
```
A. Expert opinion evidence allows individuals to offer their opinion based upon the facts in evidence and their personal knowledge. Expert opinion evidence may be offered only if the court accepts the witness as an expert in a particular field. Direct evidence is when witnesses testify about their direct observations. Real evidence consists of tangible items brought into court as evidence. Documentary evidence consists of written records used as evidence in court.
369
```
92. Which one of the following techniques is not commonly used to remove unwanted remnant data from magnetic tapes?
A. Physical destruction
B. Degaussing
C. Overwriting
D. Reformatting
```
D. The standard methods for clearing magnetic tapes, according to the NIST Guidelines for Media Sanitization, are overwriting the tape with nonsensitive data, degaussing, and physical destruction via shredding or incineration. Reformatting a tape does not remove remnant data.
370
```
94. Jerome is conducting a forensic investigation and is reviewing database server logs to investigate query contents for evidence of SQL injection attacks. What type of analysis is he performing?
A. Hardware analysis
B. Software analysis
C. Network analysis
D. Media analysis
```
B. The analysis of application logs is one of the core tasks of software analysis. This is the correct answer because SQL injection attacks are application attacks.
371
```
95. Quantum Computing regularly ships tapes of backup data across the country to a secondary facility. These tapes contain confidential information. What is the most important security control that Quantum can use to protect these tapes?
A. Locked shipping containers
B. Private couriers
C. Data encryption
D. Media rotation
```
C. Quantum may choose to use any or all of these security controls, but data encryption is, by far, the most important control. It protects the confidentiality of data stored on the tapes, which are most vulnerable to theft while in transit between two secure locations.
372
```
97. Under what type of software license does the recipient of software have an unlimited right to copy, modify, distribute, or resell a software package?
A. GNU Public License
B. Freeware
C. Open source
D. Public domain
```
D. If software is released into the public domain, anyone may use it for any purpose, without restriction. All other license types contain at least some level of restriction.
373
```
100. Which one of the following controls protects an organization in the event of a sustained period of power loss?
A. Redundant servers
B. Uninterruptible power supply (UPS)
C. Generator
D. RAID
```
```
#持續
C. Generators are capable of providing backup power for a sustained period of time in the event of a power loss, but they take time to activate. Uninterruptible power supplies (UPS) provide immediate, battery-driven power for a short period of time to cover momentary losses of power, which would not cover a sustained period of power loss. RAID and redundant servers are high-availability controls but do not cover power loss scenarios.
```
374
```
101. What concept from the Federal Rules of Civil Procedure (FCRP) helps to ensure that additional time and expense are not incurred as part of electronic discovery when the benefits do not outweigh the costs?
A. Tool-assisted review
B. Cooperation
C. Spoilation
D. Proportionality
```
D. The benefits of additional discovery must be proportional to the additional costs that they will require. This prevents additional discovery requests from becoming inordinately expensive, and the requester will typically have to justify these requests to the judge presiding over the case.
375
```
102. Anne wants to gather information about security settings as well as build an overall view of her organization’s assets by gathering data about a group of Windows 10 workstations spread throughout her company. What Windows tool is best suited to this type of configuration management task?
A. SCCM
B. Group Policy
C. SCOM
D. A custom PowerShell script
```
A. System Center Configuration Manager (SCCM) provides this capability and is designed to allow administrators to evaluate the configuration status of Windows workstations and servers, as well as providing asset management data. SCOM is primarily used to monitor for health and performance, Group Policy can be used for a variety of tasks including deploying settings and software, and custom PowerShell scripts could do this but should not be required for a configuration check.
376
```
107. John deploys his website to multiple regions using load balancers around the world through his cloud infrastructure as a service provider. What availability concept is he using?
A. Multiple processing sites
B. Warm sites
C. Cold sites
D. Ahoneynet
```
A. John’s design provides multiple processing sites, distributing load to multiple regions.
Not only does this provide business continuity and disaster recovery functionality, but it also means that his design will be more resilient to denial of service attacks.
377
```
109. When one of the employees of Alice’s company calls in for support, she uses a code word that the company agreed to use if employees were being forced to perform an action. What is this scenario called?
A. Social engineering
B. Duress
C. Force majeure
D. Stockholm syndrome
```
B. Duress, or being under threat of violence or other constraints, is a concern for organizations such as banks, jewelry stores, or other organizations where an attacker may attempt to force an employee to perform actions. Organizations that expect that a scenario like this may occur will often use duress code words that let others know that they are performing actions under threat.
378
3. Which one of the following statements is not true about code review?
A. Code review should be a peer-driven process that includes multiple developers.
B. Code review may be automated.
C. Code review occurs during the design phase.
D. Code reviewers may expect to review several hundred lines of code per hour.
C. Code review takes place after code has been developed, which occurs after the design phase of the system’s development lifecycle (SDLC). Code review may use a combination of manual and automated techniques, or rely solely on one or the other. It should be a peer-driven(同行驅動) process that includes developers who did not write the code. Developers should expect to complete the review of around 300 lines per hour, on average.
379
```
5. Which process is responsible for ensuring that changes to software include acceptance testing?
A. Request control
B. Change control
C. Release control
D. Configuration control
```
C. One of the responsibilities of the release control process is ensuring that the process includes acceptance testing that confirms that any alterations to end-user work tasks are understood and functional prior to code release. The request control, change control, and configuration control processes do not include acceptance testing.
380
7. When using the SDLC, which one of these steps should you take before the others?
A. Functional requirements determination
B. Control specifications development
C. Code review
D. Design review
A. The SDLC consists of seven phases, in the following order: conceptual definition(概念定義), functional requirements determination, control specifications development, design review, code review, system test review, and maintenance and change management.
381
```
8. Jaime is a technical support analyst and is asked to visit a user whose computer is displaying the error message shown here. What state has this computer entered?
(藍屏)
A. Fail open
B. Irrecoverable error#不可恢復的錯誤
C. Memory exhaustion#內存耗盡
D. Fail secure
```
D. The error message shown in the figure is the infamous “Blue Screen of Death” that occurs when a Windows system experiences a dangerous failure and enters a fail secure state. If the system had “failed open,” it would have continued operation. The error described is a memory fault that is likely recoverable by rebooting the system. There is no indication that the system has run out of usable memory.
382
9. Which one of the following is not a goal of software threat modeling?
A. To reduce the number of security-related design flaws
B. To reduce the number of security-related coding flaws
C. To reduce the severity of non-security-related flaws
D. To reduce the number of threat vectors
D. Software threat modeling is designed to reduce the number of security-related design and coding flaws as well as the severity of other flaws. The developer or evaluator of software has no control over the threat environment, because it is external to the organization.
軟件威脅建模旨在減少與安全相關的設計和編碼缺陷的數量,以及其他缺陷的嚴重性。 軟件開發人員或評估人員無法控制威脅環境,因為它在組織外部。
383
```
11. Which one of the following is considered primary storage?
A. Memory
B. Hard disk
C. Flash drive
D. DVD
```
A. Primary storage is a technical term used to refer to the memory that is directly available to the CPU. Nonvolatile storage mechanisms, such as flash drives, DVDs, and hard drives, are classified as secondary storage.
主存儲是一個技術術語,用於指代CPU直接可用的內存。 非易失性存儲機制(例如閃存驅動器,DVD和硬盤驅動器)被分類為輔助存儲。
384
25. When should a design review take place when following an SDLC approach to software development?
A. After the code review
B. After user acceptance testing
C. After the development of functional requirements
D. After the completion of unit testing
C. Design reviews should take place after the development of functional and control specifications but before the creation of code. The code review, unit testing, and functional testing all take place after the creation of code and, therefore, after the design review.
385
```
27. What term is used to describe the level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during its life cycle, and that the software functions in the intended manner?
A. Validation
B. Accreditation
C. Confidence interval
D. Assurance
```
D. Assurance, when it comes to software, is the level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during its lifecycle, and that the software functions in the intended manner. It is a term typically used in military and defense environments.
386
```
29. What type of database security issue exists when a collection of facts has a higher classification than the classification of any of those facts standing alone?#aggregation link:inference
A. Inference
B. SQL injection
C. Multilevel security
D. Aggregation
```
D. Aggregation is a security issue that arises when a collection of facts has a higher classification than the classification of any of those facts standing alone. An inference problem occurs when an attacker can pull together pieces of less sensitive information and use them to derive information of greater sensitivity. SQL injection is a web application exploit. Multilevel security is a system control that allows the simultaneous processing of information at different classification levels.
387
```
30. What are the two types of covert channels that are commonly exploited by attackers seeking to surreptitiously exfiltrate information?
A. Timing and storage
B. Timing and firewall
C. Storage and memory
D. Firewall and storage
```
A. The two major classifications of covert channels are timing and storage. A covert timing channel conveys information by altering the performance of a system component or modifying a resource’s timing in a predictable manner. A covert storage channel conveys information by writing data to a common storage area where another process can read it. There is no such thing as a covert firewall channel. Memory is a type of storage, so a memory-based covert channel would fit into the covert storage channel category.
388
32. Referring to the database transaction shown here, what would happen if no account exists in the Accounts table with account number 1001?
-----------------------------------
BEGIN TRANSACTION
UPDATE accounts SET balance = balance + 250
WHERE account_number = 1001;
UPDATE accounts
SET balance = balance-250
WHERE account_number = 2002;
END TRANSACTION
----------------------------------
A. The database would create a new account with this account number and give it a $250 balance.
B. The database would ignore that command and still reduce the balance of the second account by $250.
C. The database would roll back the transaction, ignoring the results of both commands.
D. The database would generate an error message.
```
B. In this example, the two SQL commands are indeed bundled in a transaction, but it is not an error to issue an update command that does not match any rows. Therefore, the first command would “succeed” in updating zero rows and not generate an error or cause the transaction to roll back. The second command would then execute, reducing the balance of the second account by $250.
#在此示例中,兩個SQL命令確實捆綁在一個事務中,但是發出不匹配任何行的更新命令"並不是錯誤"。 因此,第一個命令將“成功”更新零行,並且不會產生錯誤或導致事務回滾。 然後執行第二個命令,將第二個帳戶的餘額減少$ 250。
```
389
```
34. Kim is troubleshooting an application firewall that serves as a supplement to the organization’s network and host firewalls and intrusion prevention system, providing added protection against web-based attacks. The issue the organization is experiencing is that the firewall technology suffers somewhat frequent restarts that render it unavailable for 10 minutes at a time. What configuration might Kim consider to maintain availability during that period at the lowest cost to the company?
A. High availability cluster$$
B. Failover device$$
C. Fail open#bypass
D. Redundant disks
```
C. A fail open configuration may be appropriate in this case. In this configuration, the firewall would continue to pass traffic without inspection while it is restarting. This would minimize downtime, and the traffic would still be protected by the other security controls described in the scenario. Failover devices and high availability clusters would indeed increase availability, but at potentially significant expense. Redundant disks would not
help in this scenario because no disk failure is described.
390
```
35. What type of security issue arises when an attacker can deduce a more sensitive piece of information by analyzing several pieces of information classified at a lower level?#Inference link:aggregation
A. SQL injection
B. Multilevel security
C. Aggregation
D. Inference
```
D. An inference problem occurs when an attacker can pull together pieces of less sensitive information and use them to derive information of greater sensitivity. Aggregation is a security issue that arises when a collection of facts has a higher classification than the classification of any of those facts standing alone. SQL injection is a web application exploit. Multilevel security is a system control that allows the simultaneous processing of information at different classification levels.
391
```
36. Greg is battling a malware outbreak in his organization. He used specialized malware analysis tools to capture samples of the malware from three different systems and noticed that the code is changing slightly from infection to infection. Greg believes that this is the reason that antivirus software is having a tough time defeating the outbreak. What type of malware should Greg suspect is responsible for this security incident?
A. Stealth virus
B. Polymorphic virus
C. Multipartite virus
D. Encrypted virus
```
B. Polymorphic viruses mutate each time they infect a system by making adjustments to their code that assists them in evading signature detection mechanisms. Encrypted viruses also mutate from infection to infection but do so by encrypting themselves with different keys on each device.
392
[題組37~40]Linda is reviewing posts to a user forum on her company’s website and, when she browses a certain post, a message pops up in a dialog box on her screen reading “Alert.” She reviews the source code for the post and finds the following code snippet:
alert(‘Alert’);
38. What was the likely motivation of the user who posted the message on the forum containing this code?
A. Reconnaissance
B. Theft of sensitive information
C. Credential stealing
D. Social engineering
A. The script that Linda discovered merely pops up a message on a user’s screen and does not perform any more malicious action. This type of script, using an alert() call, is commonly used to probe websites for cross-site scripting vulnerabilities.
393
[題組37~40]Linda is reviewing posts to a user forum on her company’s website and, when she browses a certain post, a message pops up in a dialog box on her screen reading “Alert.” She reviews the source code for the post and finds the following code snippet:
alert(‘Alert’);
40. In further discussions with the vendor, Linda finds that they are willing to correct the issue but do not know how to update their software. What technique would be most effective in mitigating the vulnerability of the application to this type of attack?
A. Bounds checking
B. Peer review
C. Input validation
D. OS patching
C. Input validation verifies that user-supplied input does not violate security conditions and is the most effective defense against cross-site scripting attacks. Bounds checking is a form of input validation, but it is used to ensure that numeric input falls within an acceptable range and is not applicable against cross-site scripting attacks. Peer review and OS patching are both good security practices but are unlikely to be effective against a cross-site scripting attack.
394
```
42. Lauren wants to use software review process for the application she is working on. Which of the following processes would work best if she is a remote worker who works different
hours from the rest of her team?
A. Pass around
B. Pair programming
C. Team review
D. Fagan inspection
```
A. Pass-around reviews are often done via email or using a central code review system, allowing developers to review code asynchronously. Pair programming requires two programmers to work together, with one writing code and the other reviewing and tracking progress. Team reviews are typically done in a group, and Fagan inspection is a formal review process that would involve both the developer and a team to review the
code using a formal process.
395
```
43. Which one of the following is not a technique used by virus authors to hide the existence of their virus from antimalware software?
A. Stealth
B. Multipartitism
C. Polymorphism
D. Encryption
```
B. Multipartite viruses use multiple propagation mechanisms to defeat system security controls but do not necessarily include techniques designed to hide the malware from antivirus software. Stealth viruses tamper with the operating system to hide their existence. Polymorphic viruses alter their code on each system they infect to defeat signature detection. Encrypted viruses use a similar technique, employing encryption to
alter their appearance and avoid signature detection mechanisms.
396
```
44. Which one of the following types of software testing usually occurs last and is executed against test scenarios?
A. Unit testing
B. Integration testing
C. User acceptance testing
D. System testing
```
C. User acceptance testing (UAT) is typically the last phase of the testing process. It verifies that the solution developed meets user requirements and validates it against use cases. Unit testing, integration testing, and system testing are all conducted earlier in the process leading up to UAT.
397
```
47. If Chris is writing code for an application, what phase of the Agile process is he in?
A. Planning
B. Sprints
C. Deployment
D. Development
```
B. Chris is in an Agile sprint phase and is likely developing code based on user stories.
Planning includes stakeholder stories, as well as design and test case preparation.
Deployment includes the actual deployment of the application, as well as additional verification and testing.
398
```
51. Which one of the following is the most effective control against session hijacking attacks?
A. TLS
B. Complex session cookies
C. SSL
D. Expiring cookies frequently
```
A. Transport Layer Security (TLS) provides the most effective defense against session hijacking because it encrypts all traffic between the client and server, preventing the attacker from stealing session credentials. Secure Sockets Layer (SSL) also encrypts traffic, but it is vulnerable to attacks against its encryption technology. Complex and expiring cookies are a good idea, but they are not sufficient protection against session hijacking.
399
```
55. Which one of the following is not an effective control against SQL injection attacks?
A. Escaping
B. Client-side input validation
C. Parameterization
D. Limiting database permissions
```
B. Client-side input validation is not an effective control against any type of attack because the attacker can easily bypass the validation by altering the code on the client.
Escaping restricted characters prevents them from being passed to the database, as does parameterization. Limiting database permissions prevents dangerous code from executing.
400
60. Which of the following statements is true about heuristic-based(啟發式) anti-malware software?
A. It has a lower false positive rate than signature detection.
B. It requires frequent definition updates to detect new malware.
C. It has a higher likelihood of detecting zero-day exploits than signature detection.
D. It monitors systems for files with content known to be viruses.
C. Heuristic-based anti-malware software has a higher likelihood of detecting a zero-day exploit than signature-based methods. Heuristic-based software does not require frequent signature updates because it does not rely upon monitoring systems for the presence of known malware. The trade-off with this approach is that it has a higher false positive rate than signature detection methods.
401
```
61. Martin is inspecting a system where the user reported unusual activity, including disk activity when the system is idle and abnormal CPU and network usage. He suspects that the machine is infected by a virus but scans come up clean. What malware technique might be in use here that would explain the clean scan results?
A. File infector virus
B. MBR virus
C. Service injection virus
D. Stealth virus
```
D. One possibility for the clean scan results is that the virus is using stealth techniques, such as intercepting read requests from the antivirus software and returning a correct-looking version of the infected file. The system may also be the victim of a zero-day attack, using a virus that is not yet included in the signature definition files provided by the antivirus vendor.
402
62.Tomas discovers a line in his application log that appears to correspond with an attempt to conduct a directory traversal attack. He believes the attack was conducted using URL encoding. The line reads:
%252E%252E%252F%252E%252E%252Fetc/passwd
What character is represented by the %252E value?
A. .
B. ,
C. ;
D. /
A. In URL encoding, the . character is replaced by %252E and the / character is replaced by %252F. You can see this in the log entry, where the expected pattern of ../../ is replaced by %252E%252E%252F%252E%252E%252F.
403
64. Which one of the following is not a principle of the Agile software development process?
A. Welcome changing requirements, even late in the development process.
B. Maximizing the amount of work not done is essential.
C. Clear documentation is the primary measure of progress.
D. Build projects around motivated individuals.
C. The Agile Manifesto includes 12 principles for software development. Three of those are listed as answer choices: maximizing the amount of work not done is essential, build projects around motivated individuals, and welcome changing requirements throughout the development process. Agile does not, however, consider clear documentation the primary measure of progress. Instead, working software is the primary measure of progress.
404
68. In the transaction shown here, what would happen if the database failed in between the first and second update statements?
-----------------------------
BEGIN TRANSACTION
UPDATE accounts SET balance = balance + 250
WHERE account_number = 1001;
UPDATE accounts SET balance = balance-250
WHERE account_number = 2002;
END TRANSACTION
-----------------------------
A. The database would credit the first account with $250 in funds but then not reduce the balance of the second account.
B. The database would ignore the first command and only reduce the balance of the second account by $250.
C. The database would roll back the transaction, ignoring the results of both commands.
D. The database would successfully execute both commands.
C. A database failure in the middle of a transaction causes the rollback of the entire transaction. In this scenario, the database would not execute either command.
405
```
72. Barry is a software tester who is working with a new gaming application developed by his company. He is playing the game on a smartphone to conduct his testing in an environment that best simulates a normal end user, but he is referencing the source code as he conducts his test. What type of test is Barry conducting?
A. White box
B. Black box
C. Blue box
D. Gray box
```
D. In a gray box test, the tester evaluates the software from a user perspective but has access to the source code as the test is conducted. White box tests also have access to the source code but perform testing from a developer’s perspective. Black box tests work from a user’s perspective but do not have access to source code. Blue boxes are a telephone hacking tool and not a software testing technique.
406
74. What part of the security review process are the input parameters shown in the diagram used for?
A. SQL injection review
B. Sprint review
C. Fagan inspection
D. Attack surface identification
D. Each of these input parameters makes up part of the attack surface of the application. Attackers may opt to target any of them to attack the code or its supporting infrastructure.
407
75. What application security process can be described in these three major steps?
1. Decomposing the application
2. Determining and ranking threats
3. Determining countermeasures and mitigation
A. Fagan inspection
B. Threat modeling
C. Penetration testing
D. Code review
B. Threat modeling commonly involves decomposing the application to understand it and how it interacts with other components or users. Next, identifying and ranking threats allows you to focus on the threats that should be prioritized. Finally, identifying how to mitigate those threats finishes the process. Once complete, an organization can take action to handle the threats that were identified with appropriate controls.
408
```
76. Which one of the following approaches to failure management is the most conservative from a security perspective?
A. Fail open
B. Fail mitigation
C. Fail clear
D. Fail closed
```
D. The fail closed approach prevents any activity from taking place during a system security failure and is the most conservative approach to failure management. Fail open takes the opposite philosophy, allowing all activity in the event of a security control failure. Fail clear and fail mitigation are not failure management approaches.
409
```
82. During what phase of the IDEAL model do organizations develop a specific plan of action for implementing change?
A. Initiating
B. Diagnosing
C. Establishing
D. Acting
```
C. In the Establishing phase of the IDEAL model, the organization takes the general recommendations from the Diagnosing phase and develops a specific plan of action that achieves those changes.#中文那本p598
410
```
84. Charles is developing a mission-critical application that has a direct impact on human safety. Time and cost are less important than correctly functioning software. Which of the following software development methodologies should he choose given these requirements?
A. Agile
B. DevOps
C. Spiral
D. Waterfall
```
D. Despite many organizations moving to Agile, DevOps, or other more responsive development methodologies, waterfall remains a strong contender when clear objectives and stable requirements are combined with a need to prevent flaws and to have a high level of control over the development process and output.
411
```
85. Which one of the following types of artificial intelligence attempts to use complex computations to replicate the partial function of the human mind?
A. Decision support systems
B. Expert systems
C. Knowledge bank
D. Neural networks
```
D. Neural networks attempt to use complex computational techniques to model the behavior of the human mind. Knowledge banks are a component of expert systems, which are designed to capture and reapply human knowledge. Decision support systems are designed to provide advice to those carrying out standard procedures and are often driven by expert systems.
412
```
100. What type of virus is characterized by the use of two or more different propagation mechanisms to improve its likelihood of spreading between systems?
A. Stealth virus
B. Polymorphic virus
C. Multipartite virus
D. Encrypted virus
```
C. Multipartite viruses use multiple propagation mechanisms to spread between systems.
This improves their likelihood of successfully infecting a system because it provides alternative infection mechanisms that may be successful against systems that are not vulnerable to the primary infection mechanism.
413
```
101. What root security issue causes the following issues?
■ Cross-site scripting
■ SQL injection
■ Buffer overflows
■ Cross-site request forgery
A. Lack of API security
B. Improper error handling
C. Improper or missing input validation
D. Source code design issues
```
C. Each of these problems is caused by improper or missing input validation and can be resolved by handling inputs properly. In many cases, this can be done using libraries or methods already built into the language or framework that the developer is using.
414
102. What application development method uses the cycle shown here?
A. Waterfall
B. Spiral
C. Agile
D. RAD
D. Rapid Application Development, or RAD, focuses on fast development and the ability to quickly adjust to changing requirements. RAD uses four phases: requirements planning, user design, construction, and cutover(轉換).
415
23. When developing a business impact analysis, the team should first create a list of assets.
What should happen next?
A. Identify vulnerabilities in each asset.
B. Determine the risks facing the asset.
C. Develop a value for each asset.
D. Identify threats facing each asset.
23. C. After developing a list of assets, the business impact analysis team should assign values to each asset.
416
41. What important function do senior managers normally fill on a business continuity planning team?
A. Arbitrating disputes about criticality
B. Evaluating the legal environment
C. Training staff
D. Designing failure controls
```
A. Senior managers play several business continuity planning roles. These include setting priorities, obtaining resources, and arbitrating disputes among team members.
#A:高級經理扮演多個業務連續性計劃角色。 其中包括確定優先級,獲取資源以及仲裁團隊成員之間的爭議。
```
417
51. Which one of the following is not normally included in business continuity plan
documentation?
A. Statement of accounts
B. Statement of importance
C. Statement of priorities
D. Statement of organizational responsibility
A. Business continuity plan documentation normally includes the continuity planning goals, a statement of importance, statement of priorities, statement of organizational responsibility, statement of urgency and timing, risk assessment and risk acceptance and mitigation documentation, a vital records program, emergency response guidelines, and documentation for maintaining and testing the plan.
418
```
92. Which one of the following is the first step in developing an organization’s vital records program?
A. Identifying vital records
B. Locating vital records
C. Archiving vital records
D. Preserving vital records
```
A. An organization pursuing a vital records management program should begin by identifying all of the documentation that qualifies as a vital business record. This should include all of the records necessary to restart the organization invoke its business continuity plan.
419
```
94. Which one of the following security programs is designed to establish a minimum standard common denominator of security understanding?
A. Training
B. Education
C. Indoctrination
D. Awareness
```
D. Awareness establishes a minimum standard of information security understanding. It is designed to accommodate all personnel in an organization, regardless of their assigned tasks.
420
```
109. Which of the following is not typically part of a termination process?
A. An exit interview
B. Recovery of property
C. Account termination
D. Signing an NCA
```
D. Signing a noncompete or nondisclosure agreement is typically done at hiring. Exit interviews, recovery of organizational property, and account termination are all common elements of a termination process.
421
```
24. Adjusting the CIS benchmarks to your organization’s mission and your specific IT systems would involve what two processes?
A. Scoping and selection
B. Scoping and tailoring
C. Baselining and tailoring
D. Tailoring and selection
```
B. Scoping involves selecting only the controls that are appropriate for your IT systems, while tailoring matches your organization’s mission and the controls from a selected baseline. Baselining is the process of configuring a system or software to match a baseline
or building a baseline itself. Selectionisn’t a technical term used for any of these processes.
422
25. How should you determine what controls from the baseline a given system or software package should receive?
A. Consult the custodians of the data.
B. Select based on the data classification of the data it stores or handles.
C. Apply the same controls to all systems.
D. Consult the business owner of the process the system or data supports.
B. The controls implemented from a security baseline should match the data classification of the data used or stored on the system. Custodians are trusted to ensure the day-to-day security of the data and should do so by ensuring that the baseline is met and maintained. Business owners often have a conflict of interest between functionality and data security, and of course, applying the same controls everywhere is expensive and may not meet business needs or be a responsible use of resources.
423
```
29. What is the primary information security risk to data at rest?
A. Improper classification
B. Data breach
C. Decryption
D. Loss of data integrity
```
B. The biggest threat to data at rest is typically a data breach. Data at rest with a high level of sensitivity is often encrypted to help prevent this. Decryption is not as significant of a threat if strong encryption is used and encryption keys are well secured. Data integrity issues could occur, but proper backups can help prevent this, and of course data could be improperly classified, but this is not the primary threat to the data.
424
31. Sue’s employer has asked her to use an IPsec VPN to connect to its network. When Sue connects, what does the IPsec VPN allow her to do?
A. Send decrypted data over a public network and act like she is on her employer’s internal network.
B. Create a private encrypted network carried via a public network and act like she is on her employer’s internal network.
C. Create a virtual private network using TLS while on her employer’s internal network.
D. Create a tunneled network that connects her employer’s network to her internal home network
B. One way to use an IPsec VPN is to create a private, encrypted network (or tunnel) via a public network, allowing users to be a virtual part of their employer’s internal network. IPsec is distinct from TLS and provides encryption for confidentiality and integrity, and of course, in this scenario Sue is connecting to her employer’s network rather than the employer connecting to hers.
425
```
46. Which attack helped drive vendors to move away from SSL toward TLS-only by default?
A. POODLE
B. Stuxnet
C. BEAST
D. CRIME
```
A. The POODLE (or Padding Oracle On Downgraded Legacy Encryption) attack helped force the move from SSL 3.0 to TLS because it allowed attackers to easily access SSL encrypted messages. Stuxnet was a worm aimed at the Iranian nuclear program, while CRIME and BEAST were earlier attacks against SSL.
426
```
55. Which one of the following data roles bears ultimate organizational responsibility for data?
A. System owners
B. Business owners
C. Data owners
D. Mission owners
```
C. The data owner has ultimate responsibility for data belonging to an organization and is typically the CEO, president, or another senior employee. Business and mission owners typically own processes or programs. System owners own a system that processes sensitive data.
427
92. Which of the following activities is not a consideration during data classification?
A. Who can access the data
B. What the impact would be if the data was lost or breached
C. How much the data cost to create
D. What protection regulations may be required for the data
C. The cost of the data is not directly included in the classification process. Instead, the impact to the organization if the data were exposed or breached is considered. Who can access the data and what regulatory or compliance requirements cover the data are also important considerations.
428
```
42. Adam recently configured permissions on an NTFS filesystem to describe the access that different users may have to a file by listing each user individually. What did Adam create?
A. An access control list
B. An access control entry
C. Role-based access control
D. Mandatory access control
```
A. Adam created a list of individual users that may access the file. This is an access control list, which consists of multiple access control entries. It includes the names of users, so it is not role-based, and Adam was able to modify the list, so it is not mandatory access control.
429
```
48. Which one of the following terms accurately describes the Caesar cipher?
A. Transposition cipher
B. Block cipher
C. Shift cipher
D. Strong cipher
```
```
C. The Caesar cipher is a shift cipher that works on a stream of text and is also a substitution cipher. It is not a block cipher or a transposition cipher. It is extremely weak as a cryptographic algorithm.
#also substitution cipher
```
430
```
16. Susan is deploying a routing protocol that maintains a list of destination networks with metrics that include the distance in hops to them and the direction traffic should be sent to them. What type of protocol is she using?
A. Alink-state protocol
B. Alink-distance protocol
C. Adestination metric protocol
D. Adistance-vector protocol
```
D. Distance-vector protocols use metrics including the direction and distance in hops to remote networks to make decisions. A link-state routing protocol considers the shortest distance to a remote network. Destination metric and link-distance protocols don’t exist.
431
34. Chris uses a cellular hot spot (modem) to provide internet access when he is traveling. If he leaves the hot spot connected to his PC while his PC is on his organization’s corporate network, what security issue might he cause?
A. Traffic may not be routed properly, exposing sensitive data.
B. His system may act as a bridge from the internet to the local network.
C. His system may be a portal for a reflected DDoS attack.
D. Security administrators may not be able to determine his IP address if a security issue occurs.
```
B. When a workstation or other device is connected simultaneously to both a secure and a nonsecure network like the Internet, it may act as a bridge, bypassing the security protections located at the edge of a corporate network. It is unlikely that traffic will be routed improperly leading to the exposure of sensitive data, as traffic headed to internal systems and networks is unlikely to be routed to the external network. Reflected DDoS attacks are used to hide identities rather than to connect through to an internal network, and security administrators of managed systems should be able to determine both the local and wireless IP addresses his system uses.
#讓過資安設備的問題
```
432
```
46. What does a bluesnarfing attack target?
A. Data on IBM systems
B. An outbound phone call via Bluetooth
C. 802.11b networks
D. Data from a Bluetooth-enabled device
```
D. Bluesnarfing targets the data or information on Bluetooth-enabled devices. Bluejacking occurs when attackers send unsolicited messages via Bluetooth.
433
```
50. What network technology is best described as a token-passing network that uses a pair of rings with traffic flowing in opposite directions?
A. Aring topology
B. Token Ring
C. FDDI
D. SONET
```
C. FDDI, or Fiber Distributed Data Interface, is a token-passing network that uses a pair of rings with traffic flowing in opposite directions. It can bypass broken segments by dropping the broken point and using the second, unbroken ring to continue to function.
Token Ring also uses tokens, but it does not use a dual loop. SONET is a protocol for sending multiple optical streams over fiber, and a ring topology is a design, not a technology.
434
```
9. What major issue often results from decentralized access control?
A. Access outages may occur.
B. Control is not consistent.
C. Control is too granular.
D. Training costs are high.
```
```
B. Decentralized access control can result in less consistency because the individuals tasked with control may interpret policies and requirements differently and may perform their roles in different ways. Access outages, overly granular control, and training costs may occur, depending on specific implementations, but they are not commonly identified issues with decentralized access control.
#
B.分散的訪問控制可能會導致一致性降低,因為負責控制的個人可能對策略和要求的解釋不同,並且可能以不同的方式履行其職責。 取決於特定的實現方式,可能會發生訪問中斷,過於精細的控制以及培訓成本,但分散訪問控制通常不會發現這些問題。
```
435
Use your knowledge of the Kerberos logon process and the following diagram to answer
questions 17–19.
18. At point B in the diagram, what two important elements does the KDC send to the client after verifying that the username is valid?
A. An encrypted TGT and a public key
B. An access ticket and a public key
C. An encrypted, time-stamped TGT and a symmetric key encrypted with a hash of the user’s password
D. An encrypted, time-stamped TGT and an access token
C. The KDC uses the user’s password to generate a hash and then uses that hash to encrypt a symmetric key. It transmits both the encrypted symmetric key and an encrypted time-stamped TGT to the client.
436
```
33. What term properly describes what occurs when two or more processes require access to the same resource and must complete their tasks in the proper order for normal function?
A. Collisions
B. Race conditions
C. Determinism
D. Out-of-order execution
```
B. Race conditions occur when two or more processes need to access the same resource in the right order. If an attacker can disrupt this order, they may be able to affect the normal operations of the system and gain unauthorized access or improper rights. Collisions occur when two different files produce the same result from a hashing operation, out-of-order execution is a CPU architecture feature that allows the use of otherwise unused cycles, and determinismis a philosophical term rather than something you should see on the CISSP exam!
437
56. Lauren is responsible for building a banking website. She needs proof of the identity of the users who register for the site. How should she validate user identities?
A. Require users to create unique questions that only they will know.
B. Require new users to bring their driver’s license or passport in person to the bank.
C. Use information that both the bank and the user have such as questions pulled from their credit report.
D. Call the user on their registered phone number to verify that they are who they claim to be.
C. Identity proofing can be done by comparing user information that the organization already has, like account numbers or personal information. Requiring users to create unique questions can help with future support by providing a way for them to do password resets. Using a phone call only verifies that the individual who created the account has the phone that they registered and won’t prove their identity. In-person verification would not fit the business needs of most websites.
438
72. Brian’s large organization has used RADIUS for AAA services for its network devices for years and has recently become aware of security issues with the unencrypted information transferred during authentication. How should Brian implement encryption for RADIUS?
A. Use the built-in encryption in RADIUS.
B. Implement RADIUS over its native UDP using TLS for protection.
C. Implement RADIUS over TCP using TLS for protection.
D. Use an AES256 pre-shared cipher between devices.
C. RADIUS supports TLS over TCP. RADIUS does not have a supported TLS mode over UDP. AES pre-shared symmetric ciphers are not a supported solution and would be very difficult to both implement and maintain in a large environment, and the built-in encryption in RADIUS only protects passwords.
439
```
73. Jim wants to allow cloud-based applications to act on his behalf to access information from other sites. Which of the following tools can allow that?
A. Kerberos
B. OAuth
C. OpenID
D. LDAP
```
B. OAuth provides the ability to access resources from another service and would meet Jim’s needs.
OpenID would allow him to use an account from another service with his application, and Kerberos and LDAP are used more frequently for in-house services.
440
79. Jim has Secret clearance and is accessing files that use a mandatory access control scheme to apply the Top Secret, Secret, Confidential, and Unclassified label scheme. What classification levels of data can he access, provided that he has a valid need-to-know?
A. Top Secret and Secret
B. Secret, Confidential, and Unclassified
C. Secret data only
D. Secret and Unclassified
C. In a mandatory access control system, classifications do not have to include rights to lower levels. This means that the only label we can be sure Jim has rights to is Secret.
Despite that it is unclassified, Unclassified data remains a different label, and Jim may not be authorized to access it.
441
```
84. What type of token-based authentication system uses a challenge/response process in which the challenge has to be entered on the token?
A. Asynchronous
B. Smart card
C. Synchronous
D. RFID
```
A. Asynchronous tokens use a challenge/response process in which the system sends a challenge and the user responds with a PIN and a calculated response to the challenge.
The server performs the same calculations, and if both match, it authenticates the user.
Synchronous tokens use a time-based calculation to generate codes. Smart cards are paired with readers and don’t need to have challenges entered, and RFID devices are not used for challenge/response tokens.
442
```
94. What open protocol was designed to replace RADIUS—including support for additional commands and protocols, replacing UDP traffic with TCP, and providing for extensible commands—but does not preserve backward compatibility with RADIUS?
A. TACACS
B. RADIUS-NG
C. Kerberos
D. Diameter
```
D. Diameter was designed to provide enhanced, modern features to replace RADIUS.
Diameter provides better reliability and a broad range of improved functionality.
RADIUS-NG does not exist, Kerberos is not a direct competitor for RADIUS, and TACACS is not an open protocol.
443
```
28. Which of the following vulnerabilities is unlikely to be found by a web vulnerability scanner?
A. Path disclosure
B. Local file inclusion
C. Race condition
D. Buffer overflow
```
C. Path disclosures, local file inclusions, and buffer overflows are all vulnerabilities that may be found by a web vulnerability scanner, but race conditions that take advantage of timing issues tend to be found either by code analysis or using automated tools that specifically test for race conditions as part of software testing.
444
39. Susan needs to predict high-risk areas for her organization and wants to use metrics to assess risk trends as they occur. What should she do to handle this?
A. Perform yearly risk assessments.
B. Hire a penetration testing company to regularly test organizational security.
C. Identify and track key risk indicators.
D. Monitor logs and events using a SIEM device.
```
C. Key risk indicators are used to tell those in charge of risk management how risky an activity is and how much impact changes are having on that risk profile. Identifying key risk indicators and monitoring them can help to identify high-risk areas earlier in their lifecycle. Yearly risk assessments may be a good idea, but only provide a point-in-time view, whereas penetration tests may miss out on risks that are not directly security related. Monitoring logs and events using a SIEM device can help detect issues as they occur but won’t necessarily show trends in risk.
#KRI
```
445
39. Susan needs to predict high-risk areas for her organization and wants to use metrics to assess risk trends as they occur. What should she do to handle this?
A. Perform yearly risk assessments.
B. Hire a penetration testing company to regularly test organizational security.
C. Identify and track key risk indicators.
D. Monitor logs and events using a SIEM device.
C. Key risk indicators are used to tell those in charge of risk management how risky an activity is and how much impact changes are having on that risk profile. Identifying key risk indicators and monitoring them can help to identify high-risk areas earlier in their lifecycle. Yearly risk assessments may be a good idea, but only provide a point-in-time view, whereas penetration tests may miss out on risks that are not directly security related. Monitoring logs and events using a SIEM device can help detect issues as they occur but won’t necessarily show trends in risk.
446
43. Which of these concerns is the most important to address during planning to ensure that the reporting phase does not cause problems?
A. Which CVE format to use
B. How the vulnerability data will be stored and sent
C. Which targets are off-limits
D. How long the report should be
B. Penetration test reports often include information that could result in additional exposure if they were accidentally released or stolen. Therefore, determining how vulnerability data should be stored and sent is critical. Problems with off-limits targets are more likely to result in issues during the vulnerability assessment and exploitation phase, and reports should not be limited in length but should be as long as they need to be to accomplish the goals of the test.
447
43. Which of these concerns is the most important to address during planning to ensure that the reporting phase does not cause problems?
A. Which CVE format to use
B. How the vulnerability data will be stored and sent
C. Which targets are off-limits
D. How long the report should be
B. Penetration test reports often include information that could result in additional exposure if they were accidentally released or stolen. Therefore, determining how vulnerability data should be stored and sent is critical. Problems with off-limits targets are more likely to result in issues during the vulnerability assessment and exploitation phase, and reports should not be limited in length but should be as long as they need to be to accomplish the goals of the test.
448
52. In this image, what issue may occur due to the log handling settings?
#20MB
#Archive the log when full, do not overwrite events
A. Log data may be lost when the log is archived.
B. Log data may be overwritten.
C. Log data may not include needed information.
D. Log data may fill the system disk.
D. The menu shown will archive logs when they reach the maximum size allowed (20 MB). These archives will be retained, which could fill the disk. Log data will not be overwritten, and log data should not be lost when the data is archived. The question does not include enough information to determine if needed information may not be logged.
449
58. During a third-party audit, Jim’s company receives a finding that states, “The administrator should review backup success and failure logs on a daily basis, and take action in a timely manner to resolve reported exceptions.” What is the biggest issue that is likely to result if Jim’s IT staff need to restore from a backup?
A. They will not know if the backups succeeded or failed.
B. The backups may not be properly logged.
C. The backups may not be usable.
D. The backup logs may not be properly reviewed.
C. The audit finding indicates that the backup administrator may not be monitoring backup logs and taking appropriate action based on what they report, thus resulting in potentially unusable backups. Issues with review, logging, or being aware of the success or failure of backups are less important than not having usable backups.#考英文
450
```
73. Susan needs to ensure that the interactions between the components of her e-commerce application are all handled properly. She intends to verify communications, error handling, and session management capabilities throughout her infrastructure. What type of testing is she planning to conduct?
A. Misuse case testing
B. Fuzzing
C. Regression testing
D. Interface testing
```
D. Susan is conducting interface testing. Interface testing involves testing system or application components to ensure that they work properly together. Misuse case testing focuses on how an attacker might misuse the application and would not test normal cases. Fuzzing attempts to send unexpected input and might be involved in interface testing, but it won’t cover the full set of concerns. Regression testing is conducted when testing changes and is used to ensure that the application or system functions as it did before the update or change.
451
```
90. What type of diagram used in application threat modeling includes malicious users as well as descriptions like mitigatesand threatens?
A. Threat trees
B. STRIDE charts
C. Misuse case diagrams
D. DREAD diagrams
```
C. Misuse case diagrams use language beyond typical use case diagrams, including threatensand mitigates. Threat trees are used to map threats but don’t use specialized language like threatensand mitigates. STRIDE is a mnemonic and model used in threat modeling, and DREAD is a risk assessment model.
452
53. Match each of the numbered types of recovery capabilities to their correct lettered definition:
Terms
1. Hot site
2. Cold site
3. Warm site
4. Service bureau
Definitions
A. An organization that can provide onsite or offsite IT services in the event of a disaster
B. A site with dedicated storage and real-time data replication, often with shared equipment that allows restoration of service in a very short time
C. A site that relies on shared storage and backups for recovery
D. A rented space with power, cooling, and connectivity that can accept equipment as part of a recovery effort
The terms match with the definitions as follows:
1. Hot site: B. A site with dedicated storage and real-time data replication, often with shared equipment that allows restoration of service in a very short time.
2. Cold site: D. A rented space with power, cooling, and connectivity that can accept equipment as part of a recovery effort.
3. Warm site: C. A site that relies on shared storage and backups for recovery.
4. Service bureau: A. An organization that can provide onsite or offsite IT services in the event of a disaster.
453
```
58. When designing an access control scheme, Hilda set up roles so that the same person does not have the ability to provision a new user account and assign superuser privileges to an account. What information security principle is Hilda following?
A. Least privilege
B. Separation of duties
C. Job rotation
D. Security through obscurity
```
B. Hilda’s design follows the principle of separation of duties. Giving one user the ability to both create new accounts and grant administrative privileges combines two actions that would result in a significant security change that should be divided among two users.
454
70. Gordon suspects that a hacker has penetrated a system belonging to his company. The system does not contain any regulated information, and Gordon wishes to conduct an investigation on behalf of his company. He has permission from his supervisor to conduct the investigation. Which of the following statements is true?
A. Gordon is legally required to contact law enforcement before beginning the investigation.
B. Gordon may not conduct his own investigation.
C. Gordon’s investigation may include examining the contents of hard disks, network traffic, and any other systems or information belonging to the company.
D. Gordon may ethically perform “hack back” activities after identifying the perpetrator.
C. Gordon may conduct his investigation as he wishes and use any information that is legally available to him, including information and systems belonging to his employer. There is no obligation to contact law enforcement. However, Gordon may not perform “hack back” activities because those may constitute violations of the law and/or (ISC) 2 Code of Ethics.
455
```
72. Fran is considering new human resources policies for her bank that will deter fraud. She plans to implement a mandatory vacation policy. What is typically considered the shortest effective length of a mandatory vacation?
A. Two days
B. Four days
C. One week
D. One month
```
C. Most security professionals recommend at least one, and preferably two, weeks of vacation to deter fraud. The idea is that fraudulent schemes will be uncovered during the time that the employee is away and does not have the access required to perpetuate a cover-up.
456
```
83. The historic ping of death attack is most similar to which of the following modern attack types?
A. SQL injection
B. Cross-site scripting
C. Buffer overflow
D. Brute-force password cracking
```
C. The ping of death attack placed more data than allowed by the specification in the payload of an ICMP echo request packet. This is similar to the modern-day buffer overflow attack where attackers attempt to place more data in a targeted system’s memory that consumes more space than is allocated for that data.
457
```
104. What documentation is typically prepared after a postmortem review of an incident has been completed?
A. A lessons learned document
B. Arisk assessment
C. Aremediation list
D. Amitigation checklist
```
```
#對事件進行事後審查後,通常準備什麼文件
A. A lessons learned document is often created and distributed to involved parties after a postmortem review to ensure that those who were involved in the incident and others who may benefit from the knowledge are aware of what they can do to prevent future issues and to improve response in the event that one occurs.
```
458
```
4. Harold’s company has a strong password policy that requires a minimum length of 12 characters and the use of both alphanumeric characters and symbols. What technique would be the most effective way for an attacker to compromise passwords in Harold’s organization?
A. Brute-force attack
B. Dictionary attack
C. Rainbow table attack
D. Social engineering attack
```
D. A social engineering attack may trick a user into revealing their password to the attacker. Other attacks that depend on guessing passwords, such as brute-force attacks, rainbow table attacks, and dictionary attacks, are unlikely to be successful in light of the organization’s strong password policy.
459
```
45. What type of requirement specifies what software must do by describing the inputs, behavior, and outputs of software?
A. Derived requirements
B. Structural requirements
C. Behavioral requirements
D. Functional requirements
```
```
D. Functional requirements specify the inputs, behavior, and outputs of software. Derived requirements are requirements developed from other requirement definitions. Structural and behavioral requirements focus on the overall structure of a system and the behaviors it displays.
#功能需求指定軟件的輸入,行為和輸出。 派生需求是從其他需求定義中開發的需求。 結構和行為要求集中在系統的整體結構及其顯示的行為上。
```
460
103. Kathleen is reviewing the Ruby code shown here. What security technique is this code using?
insert new user =db.prepare "INSERT INTO users (name, userid, gender, usertype) VALUES (?,?, ?,?)"
insert new user.execute 'davids ',' 194567 ',' male ',' admin '
A. Parameterization
B. Ty pecast ing
C. Gem cutting
D. Stored procedures
A. This code is an example of parameterization, which can help avoid SQL injection. Note that each parameter has a placeholder, which is then passed to the query.
461
104. Susan provides a public RESTful API for her organization’s data but wants to limit its use to trusted partners. She intends to use API keys. What other recommendation would you give Susan to limit the potential abuse of the service?
A. Limit request rates
B. Force HTTP-only requests
C. Avoid tokens due to bandwidth constraints
D. Blacklist HTTP methods such as GET, POST, and PUT
A. Limiting request rates can prevent abuse of APIs like this one. The other suggestions are all poor recommendations. In general, requests should require HTTPS, tokens are used for security using tools like JSON web tokens (JWT), and HTTP methods may be restricted, but GET, POST, and PUT are some of the most common methods used for API access and are far more typically whitelisted.
462
```
10.What concept describes the degree of confidence that an organization has that its security controls satisfy security requirements?
A.Trust
B.Credentialing
C.Vertification
D.Assurance
```
D.Assurance is the degree of confidence that an organization has that its security controls are correctly implemented. It must be continually monitored and reverified.
