Practice Test Mistakes

Question 1

Which of the following best describes a typical process for building and implementing an Information Security Continuous Monitoring program as described by NIST Special Publication 800-137?

A. Define, establish, implement, analyze and report, respond, review, and update

B. Design, build, operate, analyze, respond, review, revise

C. Prepare, detect and analyze, contain, respond, recover, report

D. Define, design, build, monitor, analyze, react, revise

Answer 1

A.
NIST SP 800-137 outlines the process for organizations that are establishing, implementing, and maintaining an ISCM as define, establish, implement, analyze and report, respond, review, and update. Prepare, detect and analyze, contain, respond, recover, report is an incident response plan, and the others do not match the NIST process.

Question 2

During a penetration test of her organization, Kathleen’s IPS detects a port scan that has the URG, FIN, and PSH flags set and produces an alarm. What type of scan is the penetration tester attempting?

A. A SYN scan

B. A TCP flag scan

C. An Xmas scan

D. An ACK scan

Answer 2

C.
A TCP scan that sets all or most of the possible TCP flags is called a Christmas tree, or Xmas, scan since it is said to “light up like a Christmas tree” with the flags. A SYN scan would attempt to open TCP connections, whereas an ACK scan sends packets with the ACK flag set. There is no such type of scan known as a TCP flag scan.

Question 3

Which one of the following is not a technique used by virus authors to hide the existence of their virus from antimalware software?

A. Stealth

B. Multipartitism

C. Polymorphism

D. Encryption

Answer 3

B.
Multipartite viruses use multiple propagation mechanisms to defeat system security controls but do not necessarily include techniques designed to hide the malware from antivirus software. Stealth viruses tamper with the operating system to hide their existence. Polymorphic viruses alter their code on each system they infect to defeat signature detection. Encrypted viruses use a similar technique, employing encryption to alter their appearance and avoid signature detection mechanisms.

Question 4

Which of the following is not a valid LDAP DN (distinguished name)?

A. cn=ben+ou=sales

B. ou=example

C. cn=ben,ou=example;

D. ou=example,dc=example,dc=com+dc=org

Answer 4

C.
LDAP distinguished names are made up of zero or more comma-separated components known as relative distinguished names. cn=ben,ou=example; ends with a semicolon and is not a valid DN. It is possible to have additional values in the same RDN by using a plus sign between then.

Question 5

Gordon is concerned about the possibility that hackers may be able to use the Van Eck radiation phenomenon to remotely read the contents of computer monitors in his facility. What technology would protect against this type of attack?

A. TCSEC

B. SCSI

C. GHOST

D. TEMPEST

Answer 5

D.
The TEMPEST program creates technology that is not susceptible to Van Eck phreaking attacks because it reduces or suppresses natural electromagnetic emanations.

Question 6

By default, in what format does OpenLDAP store the value of the user Password attribute?

A. In the clear

B. Salted and hashed

C. MD5 hashed

D. Encrypted using AES256 encryption

Answer 6

A.
By default, OpenLDAP stores the user Password attribute in the clear. This means that ensuring that the password is provided to OpenLDAP in a secure format is the responsibility of the administrator or programmer who builds its provisioning system.

Question 7

Which one of the following laws requires that communications service providers cooperate with law enforcement requests?

A. ECPA

B. CALEA

C. Privacy Act

D. HITECH Act

Answer 7

B.
The Communications Assistance to Law Enforcement Act (CALEA) requires that all communications carriers make wiretaps possible for law enforcement officials who have an appropriate court order.

Question 8

At point A in the diagram, the client sends the username and password to the KDC. How is the username and password protected?

A. 3DES encryption

B. TLS encryption

C. SSL encryption

D. AES encryption

Answer 8

D.
The client in Kerberos logins uses AES to encrypt the username and password prior to sending it to the KDC.

Question 9

What LDAP authentication mode can provide secure authentication?

A. Anonymous

B. SASL

C. Simple

D. S-LDAP

Answer 9

B.

The Simple Authentication and Security Layer (SASL) for LDAP provides support for a range of authentication types, including secure methods. Anonymous authentication does not require or provide security, and simple authentication can be tunneled over SSL or TLS but does not provide security by itself. S-LDAP is not an LDAP protocol.

Question 10

Ben’s team is attempting to categorize a transaction identification issue that is caused by use of a symmetric key shared by multiple servers. What STRIDE category should this fall into?

A. Information disclosure

B. Denial of service

C. Tampering

D. Repudiation

Answer 10

D.
Since a shared symmetric key could be used by any of the servers, transaction identification problems caused by a shared key are likely to involve a repudiation issue. If encrypted transactions cannot be uniquely identified by server, they cannot be proved to have come from a specific server.

Question 11

Which one of the following stakeholders is not typically included on a business continuity planning team?

A. Core business function leaders

B. Information technology staff

C. CEO

D. Support departments

Answer 11

C.
While senior management should be represented on the BCP team, it would be highly unusual for the CEO to fill this role personally.

Question 12

Neal is working with a DynamoDB database. The database is not structured like a relational database but allows Neal to store data using a key-value store. What type of database is DynamoDB?

A. Relational database

B. Graph database

C. Hierarchical database

D. NoSQL database

Answer 12

D.
A key-value store is an example of a NoSQL database that does not follow a relational or hierarchical model like traditional databases. A graph database is another example of a NoSQL database, but it uses nodes and edges to store data rather than keys and values.

Question 13

Tom enables an application firewall provided by his cloud infrastructure as a service provider that is designed to block many types of application attacks. When viewed from a risk management perspective, what metric is Tom attempting to lower?

A. Impact

B. RPO

C. MTO

D. Likelihood

Answer 13

D.
Installing a device that will block attacks is an attempt to lower risk by reducing the likelihood of a successful application attack.

Question 14

Which one of the following terms accurately describes the Caesar cipher?

A. Transposition cipher

B. Block cipher

C. Shift cipher

D. Strong cipher

Answer 14

C.
The Caesar cipher is a shift cipher that works on a stream of text and is also a substitution cipher. It is not a block cipher or a transposition cipher. It is extremely weak as a cryptographic algorithm.

Question 15

What type of security vulnerability are developers most likely to introduce into code when they seek to facilitate their own access, for testing purposes, to software they developed?

A. Maintenance hook

B. Cross-site scripting

C. SQL injection

D. Buffer overflow

Answer 15

A.
Maintenance hooks, otherwise known as backdoors, provide developers with easy access to a system, bypassing normal security controls. If not removed prior to finalizing code, they pose a significant security vulnerability if an attacker discovers the maintenance hook.

Question 16

Jim would like to identify compromised systems on his network that may be participating in a botnet. He plans to do this by watching for connections made to known command-and-control servers. Which one of the following techniques would be most likely to provide this information if Jim has access to a list of known servers?

A. Netflow records

B. IDS logs

C. Authentication logs

D. RFC logs

Answer 16

A.
Netflow records contain an entry for every network communication session that took place on a network and can be compared to a list of known malicious hosts. IDS logs may contain a relevant record, but it is less likely because they would only create log entries if the traffic triggers the IDS, as opposed to netflow records, which encompass all communications. Authentication logs and RFC logs would not have records of any network traffic.

Question 17

Google’s identity integration with a variety of organizations and applications across domains is an example of which of the following?

A. PKI

B. Federation

C. Single sign-on

D. Provisioning

Answer 17

B.
Google’s federation with other applications and organizations allows single-sign on as well as management of their electronic identity and its related attributes. While this is an example of SSO, it goes beyond simple single sign-on. Provisioning provides accounts and rights, and a public key infrastructure is used for certificate management.

Question 18

Robin recently conducted a vulnerability scan and found a critical vulnerability on a server that handles sensitive information. What should Robin do next?

A. Patching

B. Reporting

C. Remediation

D. Validation

Answer 18

D.
Once a vulnerability scanner identifies a potential problem, validation is necessary to verify that the issue exists. Reporting, patching, or other remediation actions can be conducted once the vulnerability has been confirmed.

Question 19

Steve has been tasked with implementing a network storage protocol over an IP network. What storage-centric converged protocol is he likely to use in his implementation?

A. MPLS

B. FCoE

C. SDN

D. VoIP

Answer 19

B.
Fiber Channel over Ethernet allows Fiber Channel communications over Ethernet networks, allowing existing high-speed networks to be used to carry storage traffic. This avoids the cost of a custom cable plant for a Fiber Channel implementation. MPLS, or Multiprotocol label Switching, is used for high performance networking; VoIP is Voice over IP; and SDN is Software-Defined Networking.

Question 20

Which of the following tasks are not performed by a system owner per NIST SP 800-18?

A. Develops a system security plan

B. Establishes rules for appropriate use and protection of data

C. Identifies and implements security controls

D. Ensures that system users receive appropriate security training

Answer 20

B.
The data owner sets the rules for use and protection of data. The remaining options all describe tasks for the system owner, including implementation of security controls.

Question 21

Jim configures his LDAP client to connect to an LDAP directory server. According to the configuration guide, his client should connect to the server on port 636. What does this indicate to Jim about the configuration of the LDAP server?

A. It requires connections over SSL/TLS.

B. It supports only unencrypted connections.

C. It provides global catalog services.

D. It does not provide global catalog services.

Answer 21

A.
Port 636 is the default port for LDAP-S, which provides LDAP over SSL or TLS, thus indicating that the server supports encrypted connections. Since neither port 3268 nor 3269 is mentioned, we do not know if the server provides support for a global catalog.

Question 22

Which one of the following systems assurance processes provides an independent third-party evaluation of a system’s controls that may be trusted by many different organizations?

A. Certification

B. Definition

C. Verification

D. Accreditation

Answer 22

C.
The verification process is similar to the certification process in that it validates security controls. Verification may go a step further by involving a third-party testing service and compiling results that may be trusted by many different organizations. Accreditation is the act of management formally accepting an evaluating system, not evaluating the system itself.

Question 23

Ben wants to prevent or detect tampering with data. Which of the following is not an appropriate solution?

A. Hashes

B. Digital signatures

C. Filtering

D. Authorization controls

Answer 23

C.
Filtering is useful for preventing denial of service attacks but won’t prevent tampering with data. Hashes and digital signatures can both be used to verify the integrity of data, and authorization controls can help ensure that only those with the proper rights can modify the data.

Question 24

Which of the following statements is true about heuristic-based antimalware software?

A. It has a lower false positive rate than signature detection.

B. t requires frequent definition updates to detect new malware.

C.It has a higher likelihood of detecting zero-day exploits than signature detection.

D. It monitors systems for files with content known to be viruses.

Answer 24

C.
Heuristic-based anti-malware software has a higher likelihood of detecting a zero-day exploit than signature-based methods. Heuristic-based software does not require frequent signature updates because it does not rely upon monitoring systems for the presence of known malware. The trade-off with this approach is that it has a higher false positive rate than signature detection methods.

Question 25

Which one of the following might a security team use on a honeypot system to consume an attacker’s time while alerting administrators? A. Honeynet B. Pseudoflaw C. Warning banner D. Darknet

Answer 25

B. A pseudoflaw is a false vulnerability in a system that may attract an attacker. A honeynet is a network of multiple honeypots that creates a more sophisticated environment for intruders to explore. A darknet is a segment of unused network address space that should have no network activity and, therefore, may be easily used to monitor for illicit activity. A warning banner is a legal tool used to notify intruders that they are not authorized to access a system.

Question 26

Which California law requires conspicuously posted privacy policies on commercial websites that collect the personal information of California residents? A. The Personal Information Protection and Electronic Documents Act B. The California Online Privacy Protection Act C. California Online Web Privacy Act D. California Civil Code 1798.82

Answer 26

B. The California Online Privacy Protection Act (COPPA). requires that operators of commercial websites and services post a prominently displayed privacy policy if they collect personal information on California residents. The Personal Information Protection and Electronic Documents Act is a Canadian privacy law, while California Civil Code 1798.82 is part of the set of California codes that requires breach notification. The California Online Web Privacy Act does not exist.

Question 27

Under the Digital Millennium Copyright Act (DMCA), what type of offenses do not require prompt action by an Internet service provider after it receives a notification of infringement claim from a copyright holder? A. Storage of information by a customer on a provider’s server B. Caching of information by the provider C. Transmission of information over the provider’s network by a customer D. Caching of information in a provider search engine

Answer 27

C. The DMCA states that providers are not responsible for the transitory activities of their users. Transmission of information over a network would qualify for this exemption. The other activities listed are all nontransitory actions that require remediation by the provider.

Question 28

A software company developed two systems that share information. System A provides information to the input of System B, which then reciprocates by providing information back to System A as input. What type of composition theory best describes this practice? A. Cascading B. Feedback C. Hookup D. Elementary

Answer 28

B. The feedback model of composition theory occurs when one system provides input for a second system and then the second system provides input for the first system. This is a specialized case of the cascading model, so the feedback model is the most appropriate answer.

Question 29

What challenge is most common for endpoint security system deployments? A. Compromises B. The volume of data C. Monitoring encrypted traffic on the network D. Handling non-TCP protocols

Answer 29

B. Endpoint security solutions face challenges due to the sheer volume of data that they can create. When each workstation is generating data about events, this can be a massive amount of data. Endpoint security solutions should reduce the number of compromises when properly implemented, and they can also help by monitoring traffic after it is decrypted on the local host. Finally, non-TCP protocols are relatively uncommon on modern networks, making this a relatively rare concern for endpoint security system implementations.

Question 30

Ben’s development team needs to address an authorization issue using STRIDE, resulting in an elevation of privilege threat. Which of the following controls is most appropriate to this type of issue? A. Auditing and logging is enabled. B. RBAC is used for specific operations. C. Data type and format checks are enabled. D. User input is tested against a whitelist.

Answer 30

B. Microsoft’s STRIDE threat assessment model places threats into one of six categories: Spoofing—threats that involve user credentials and authentication, or falsifying legitimate communications Tampering—threats that involve the malicious modification of data Repudiation—threats that cause actions to occur that cannot be denied by a user Information disclosure—threats that involve exposure of data to unauthorized individuals Denial of service—threats that deny service to legitimate users Elevation of privilege—threats that provide higher privileges to unauthorized users Using role-based access controls (RBACs) for specific operations will help to ensure that users cannot perform actions that they should not be able to. Auditing and logging can help detect abuse but won’t prevent it, and data type, format checks, and whitelisting are all useful for preventing attacks like SQL injection and buffer overflow attacks but are not as directly aimed at authorization issues.

Question 31

What issue is the validation portion of the NIST SP 800-88 sample certificate of sanitization (shown here) intended to help prevent? A. Destruction B. Reuse C. Data remanence D. Attribution

Answer 31

C. Validation processes are conducted to ensure that the sanitization process was completed, avoiding data remanence. A form like this one helps to ensure that each device has been checked and that it was properly wiped, purged, or sanitized. This can allow reuse, does not prevent destruction, and does not help with attribution, which is a concept used with encryption to prove who created or sent a file.

Question 32

Which one of the following testing methodologies typically works without access to source code? A. Dynamic testing B. Static testing C. White box testing D. Code review

Answer 32

A. Dynamic testing of software typically occurs in a black box environment where the tester does not have access to the source code. Static testing, white box testing, and code review approaches all require access to the source code of the application.

Question 33

Which of the following is not a single sign-on implementation? A. Kerberos B. ADFS C. CAS D. RADIUS

Answer 33

D. Kerberos, Active Directory Federation Services (ADFS), and Central Authentication Services (CAS) are all SSO implementations. RADIUS is not a single sign-on implementation, although some vendors use it behind the scenes to provide authentication for proprietary SSO.

Question 34

During a third-party audit, Jim’s company receives a finding that states, “The administrator should review backup success and failure logs on a daily basis, and take action in a timely manner to resolve reported exceptions.” What is the biggest issue that is likely to result if Jim’s IT staff need to restore from a backup? A. They will not know if the backups succeeded or failed. B. The backups may not be properly logged. C. The backups may not be usable. D. The backup logs may not be properly reviewed.

Answer 34

C. The audit finding indicates that the backup administrator may not be monitoring backup logs and taking appropriate action based on what they report, thus resulting in potentially unusable backups. Issues with review, logging, or being aware of the success or failure of backups are less important than not having usable backups.

Question 35

Which data role is tasked with granting appropriate access to staff members? A. Data processors B. Business owners C. Custodians D. Administrators

Answer 35

D. Administrators have the rights to assign permissions to access and handle data. Custodians are trusted with day-to-day data handling tasks. Business owners are typically system or project owners, and data processors are systems used to process data.

Question 36

Becka recently signed a contract with an alternate data processing facility that will provide her company with space in the event of a disaster. The facility includes HVAC, power, and communications circuits but no hardware. What type of facility is Becka using? A. Cold site B. Warm site C. Hot site D. Mobile site

Answer 36

A. A cold site includes the basic capabilities required for data center operations: space, power, HVAC, and communications, but it does not include any of the hardware required to restore operations.

Question 37

During a port scan, Lauren found TCP port 443 open on a system. Which tool is best suited to scanning the service that is most likely running on that port? A. zzuf B. Nikto C. Metasploit D. sqlmap

Answer 37

B. TCP port 443 normally indicates an HTTPS server. Nikto is useful for vulnerability scanning web servers and applications and is the best choice listed for a web server. Metasploit includes some scanning functionality but is not a purpose-built tool for vulnerability scanning. zzuf is a fuzzing tool and isn’t relevant for vulnerability scans, whereas sqlmap is a SQL injection testing tool.

Question 38

Warren is designing a physical intrusion detection system for his data center and wants to include technology that issues an alert if the communications lines for the alarm system are unexpectedly cut. What technology would meet this requirement? A. Heartbeat sensor B. Emanation security C. Motion detector D. Faraday cage

Answer 38

A. Heartbeat sensors send periodic status messages from the alarm system to the monitoring center. The monitoring center triggers an alarm if it does not receive a status message for a prolonged period of time, indicating that communications were disrupted.

Question 39

Why should passive scanning be conducted in addition to implementing wireless security technologies like wireless intrusion detection systems? A. It can help identify rogue devices. B. It can test the security of the wireless network via scripted attacks. C. Their short dwell time on each wireless channel can allow them to capture mo e packets. D. They can help test wireless IDS or IPS systems.

Answer 39

A. Passive scanning can help identify rogue devices by capturing MAC address vendor IDs that do not match deployed devices, by verifying that systems match inventories of organizationally owned hardware by hardware address, and by monitoring for rogue SSIDs or connections. Scripted attacks are part of active scanning rather than passive scanning, and active scanning is useful for testing IDS or IPS systems, whereas passive scanning will not be detected by detection systems. Finally, a shorter dwell time can actually miss troublesome traffic, so balancing dwell time versus coverage is necessary for passive wireless scanning efforts.

Question 40

Ben has deployed a 1000Base-T 1 gigabit network and needs to run a cable to another building. If Ben is running his link directly from a switch to another switch in that building, what is the maximum distance Ben can cover according to the 1000Base-T specification? A. 2 kilometers B. 500 meters C. 185 meters D. 100 meters

Answer 40

D. 1000Base-T is capable of a 100 meter run according to its specifications. For longer distances, a fiber-optic cable is typically used in modern networks.

Question 41

Tom is a cryptanalyst and is working on breaking a cryptographic algorithm’s secret key. He has a copy of an intercepted message that is encrypted, and he also has a copy of the decrypted version of that message. He wants to use both the encrypted message and its decrypted plaintext to retrieve the secret key for use in decrypting other messages. What type of attack is Tom engaging in? A. Chosen ciphertext B. Chosen plaintext C. Known plaintext D. Brute force

Answer 41

C. In a known plaintext attack, the attacker has a copy of the encrypted message along with the plaintext message used to generate that ciphertext.

Question 42

What application development method uses the cycle shown here? A. Waterfall B. Spiral C. Agile D. RAD

Answer 42

D. Rapid Application Development, or RAD, focuses on fast development and the ability to quickly adjust to changing requirements. RAD uses four phases: requirements planning, user design, construction, and cutover.

Question 43

Which one of the following traffic types should not be blocked by an organization’s egress filtering policy? A. Traffic destined to a private IP address B. Traffic with a broadcast destination C. Traffic with a source address from an external network D. Traffic with a destination address on an external network

Answer 43

D. Egress filtering scans outbound traffic for potential security policy violations. This includes traffic with a private IP address as the destination, traffic with a broadcast address as the destination, and traffic that has a falsified source address not belonging to the organization.

Question 44

What encryption algorithm would provide strong protection for data stored on a USB thumb drive? A. TLS B. SHA1 C. AES D. DES

Answer 44

C. AES is a strong symmetric cipher that is appropriate for use with data at rest. SHA1 is a cryptographic hash, while TLS is appropriate for data in motion. DES is an outdated and insecure symmetric encryption method.

Question 45

Which of the following is not a type of attack used against access controls? A. Dictionary attack B. Brute-force attack C. Teardrop D. Man-in-the-middle attack

Answer 45

C. Dictionary, brute-force, and man-in-the-middle attacks are all types of attacks that are frequently aimed at access controls. Teardrop attacks are a type of denial-of-service attack.

Question 46

Which mapping correctly matches data classifications between nongovernment and government classification schemes? A. Top Secret – Confidential/Proprietary Secret – Private Confidential – Sensitive B. Secret – Business confidential Classified – Proprietary Confidential – Business Internal C. Top Secret – Business sensitive Secret – Business internal Confidential – Business proprietary D. Secret – Proprietary Classified – Private Unclassified – Public

Answer 46

A. While many nongovernment organizations create their own classification schemes, a common model with levels that align with the U.S. government’s classification labels is shown here. In the given options, B and D do not match the U.S. government’s Top Secret, Secret, Confidential scheme, and C incorrectly matches business proprietary data with confidential data as well as Top Secret data with business sensitive data. Business internal is often another term for business sensitive, meaning that it is used to match two classifications!

Question 47

What speed and frequency range is used by 802.11n? A. 54 Mbps, 5 GHz B. 200+ Mbps, 5GHz C. 200+ Mbps, 2.4 and 5 GHz D. 1 Gbps, 5 GHz

Answer 47

C. 802.11n can operate at speeds over 200 Mbps, and it can operate on both the 2.4 and 5 GHz frequency range. 802.11g operates at 54 Mbps using the 2.4 GHz frequency range, and 802.11ac is capable of 1 Gbps using the 5 GHz range. 802.11a and b are both outdated and are unlikely to be encountered in modern network installations.

Question 48

NIST SP800-53 discusses a set of security controls as what type of security tool? A. A configuration list B. A threat management strategy C. A baseline D. The CIS standard

Answer 48

C. NIST SP 800-53 discusses security control baselines as a list of security controls. CIS releases security baselines, and a baseline is a useful part of a threat management strategy and may contain a list of acceptable configuration items.

Question 49

Which one of the following is not a function of a forensic disk controller? A. Preventing the modification of data on a storage device B. Returning data requested from the device C. Reporting errors sent by the device to the forensic host D. Blocking read commands sent to the device

Answer 49

D. A forensic disk controller performs four functions. One of those, write blocking, intercepts write commands sent to the device and prevents them from modifying data on the device. The other three functions include returning data requested by a read operation, returning access-significant information from the device, and reporting errors from the device back to the forensic host. The controller should not prevent read commands from being sent to the device because those commands may return crucial information.

Question 50

Communication systems that rely on start and stop flags or bits to manage data transmission are known as what type of communication? A. Analog B. Digital C. Synchronous D. Asynchronous

Answer 50

D. Asynchronous communications rely on a built-in stop and start flag or bit. This makes asynchronous communications less efficient than synchronous communications but better suited to some types of communication.

Question 51

How can Ben provide access control for his customers over wireless without having to provision user IDs before they connect while also gathering useful contact information for his business purposes? A. WPA2 PSK B. A captive portal C. Require customers to use a publicly posted password like “BensCoffee.” D. Port security

Answer 51

B. A captive portal can require those who want to connect to and use Wi-Fi to provide an email address to connect. This allows Ben to provide easy-to-use wireless while meeting his business purposes. WPA2 PSK is the preshared key mode of WPA and won’t provide information about users who are given a key. Sharing a password doesn’t allow for data gathering either. Port security is designed to protect wired network ports based on MAC addresses.

Question 52

After implementing the solution from the first question, Ben receives a complaint about users in his cafe hijacking other customers’ web traffic, including using their usernames and passwords. How is this possible? A. The password is shared by all users, making traffic vulnerable. B. A malicious user has installed a Trojan on the router. C. A user has ARP spoofed the router, making all traffic broadcast to all users. D. Open networks are unencrypted, making traffic easily sniffable.

Answer 52

D. Unencrypted open networks broadcast traffic in the clear. This means that unencrypted sessions to websites can be easily captured with a packet sniffer. Some tools like FireSheep have been specifically designed to capture sessions from popular websites. Fortunately, many now use TLS by default, but other sites still send user session information in the clear. Shared passwords are not the cause of the vulnerability, ARP spoofing isn’t an issue with wireless networks, and a Trojan is designed to look like safe software, not to compromise a router.

Question 53

Sally has been tasked with deploying an authentication, authorization, and accounting server for wireless network services in her organization and needs to avoid using proprietary technology. What technology should she select? A. OAuth B. RADIUS C. XTACACS D. TACACS+

Answer 53

B. RADIUS is a common AAA technology used to provide services for dial-up, wireless networks, network devices, and a range of other systems. OAuth is an authentication protocol used to allow applications to act on a user’s behalf without sharing the password, and is used for many web applications. While both XTACACS and TACACS+ provide the functionality Sally is looking for, both are Cisco proprietary protocols.

Question 54

An accounting clerk for Christopher’s Cheesecakes does not have access to the salary information for individual employees but wanted to know the salary of a new hire. He pulled total payroll expenses for the pay period before the new person was hired and then pulled the same expenses for the following pay period. He computed the difference between those two amounts to determine the individual’s salary. What type of attack occurred? A. Aggregation B. Data diddling C. Inference D. Social engineering

Answer 54

C. In an inference attack, the attacker uses several pieces of generic nonsensitive information to determine a specific sensitive value.

Question 55

Alice would like to have read permissions on an object and knows that Bob already has those rights and would like to give them to herself. Which one of the rules in the Take-Grant protection model would allow her to complete this operation if the relationship exists between Alice and Bob? A. Take rule B. Grant rule C. Create rule D. Remote rule

Answer 55

A. The take rule allows a subject to take the rights belonging to another object. If Alice has take rights on Bob, she can give herself the same permissions that Bob already possesses.

Question 56

What property of a relational database ensures that two executing transactions do not affect each other by storing interim results in the database? A. Atomicity B. Isolation C. Consistency D. Durability

Answer 56

B. Isolation requires that transactions operate separately from each other. Atomicity ensures that if any part of a database transaction fails, the entire transaction must be rolled back as if it never occurred. Consistency ensures that all transactions are consistent with the logical rules of the database, such as having a primary key. Durability requires that once a transaction is committed to the database it must be preserved.

Question 57

Gina recently took the CISSP certification exam and then wrote a blog post that included the text of many of the exam questions that she experienced. What aspect of the (ISC)2 code of ethics is most directly violated in this situation? A. Advance and protect the profession. B. Act honorably, honestly, justly, responsibly, and legally. C. Protect society, the common good, necessary public trust and confidence, and the infrastructure. D. Provide diligent and competent service to principals.

Answer 57

A. Gina’s actions harm the CISSP certification and information security community by undermining the integrity of the examination process. While Gina also is acting dishonestly, the harm to the profession is more of a direct violation of the code of ethics.

Question 58

What problem drives the recommendation to physically destroy SSD drives to prevent data leaks when they are retired? A. Degaussing only partially wipes the data on SSDs. B. SSDs don’t have data remanence. C. SSDs are unable to perform a zero fill. D. The built-in erase commands are not completely effective on some SSDs.

Answer 58

D. Research has shown that traditional methods of sanitizing files on SSDs were not reliable. SSDs remap data sectors as part of wear leveling, and erase commands are not consistently effective across multiple SSD brands. Zero fills can be performed on SSDs but may not be effective, much like erase commands. Degaussing doesn’t work on SSDs because they are flash media, rather than magnetic media.

Question 59

The EU-U.S. Privacy Shield Framework relies on seven principles. Which of the following correctly lists all seven? A. Awareness, selection, control, security, data integrity, access, recourse and enforcement B. Notice, choice, accountability for onward transfer, security, data integrity and purpose limitation, access, recourse and enforcement C. Privacy, security, control, notification, data integrity and purpose, access, enforcement D. Submission, editing, updates, confidential, integrity, security, access

Answer 59

B. The EU-U.S. Privacy Shield principles are Notice Choice Accountability for Onward transfer Security Data Integrity and Purpose Limitation Access Recourse, Enforcement, and Liability

Question 60

What type of log is shown in the figure? A. Firewall log B. Change log C. Application log D. System log

Answer 60

C. The file clearly shows HTTP requests, as evidenced by the many GET commands. Therefore, this is an example of an application log from an HTTP server.

Question 61

Alex works for the U.S. federal government and is required to ensure that the devices and components he acquires are not compromised. What program will he participate in to help ensure this? A. TEMPEST B. Trusted foundry C. GovBuy D. MITRE

Answer 61

B. The U.S. Trusted Foundry program helps to protect the supply chain for components and devices by ensuring that the companies that produce and supply them are secure. TEMPEST is the name for a program aimed at capturing data from electronic emissions, GovBuy is not a government program or supplier, and MITRE conducts research and development for the U.S. government.

Question 62

When a user attempts to log into their online account, Google sends a text message with a code to their cell phone. What type of verification is this? A. Knowledge-based authentication B. Dynamic knowledge–based authentication C. Out-of-band identity proofing D. Risk-based identity proofing

Answer 62

C. Identity proofing that relies on a type of verification outside of the initial environment that required the verification is out-of-band identity proofing. This type of verification relies on the owner of the phone or phone number having control of it but removes the ability for attackers to use only Internet-based resources to compromise an account. Knowledge-based authentication relies on answers to preselected information, whereas dynamic knowledge–based authentication builds questions using facts or data about the user. Risk-based identity proofing uses risk-based metrics to determine whether identities should be permitted or denied access. It is used to limit fraud in financial transactions, such as credit card purchases. This is a valid form of proofing but does not necessarily use an out-of-band channel, such as SMS.

Question 63

If availability of authentication services is the organization’s biggest priority, what type of identity platform should Ben recommend? A. Onsite B. Cloud based C. Hybrid D. Outsourced

Answer 63

C. A hybrid authentication service can provide authentication services in both the cloud and on-premises, ensuring that service outages due to interrupted links are minimized. An onsite service would continue to work during an Internet outage but would not allow the e-commerce website to authenticate. A cloud service would leave the corporate location offline. Outsourcing authentication does not indicate whether the solution is on or off-premise and thus isn’t a useful answer.

Question 64

Match the following lettered factors to their numbered type: Factors Types A. A PIN Type 1 B. A token Type 2 C. A fingerprint Type 4 D. A password Type 1 E. A smart card Type 3

Answer 64

The factors match to the types as follows: A. A PIN: Type 1. B. A token: Type 2. C. A fingerprint: Type 3. D. A password: Type 1. E. A smart card: Type 2.

Question 65

Jesse is looking at the /etc/passwd file on a system configured to use shadowed passwords. What should she expect to see in the password field of this file? A. Plaintext passwords B. Encrypted passwords C. Hashed passwords D. x

Answer 65

D. When a system is configured to use shadowed passwords, the /etc/passwd file contains only the character x in the place of a password. It would not contain any passwords, in either plaintext, encrypted, or hashed form.

Question 66

What principle states that an individual should make every effort to complete his or her responsibilities in an accurate and timely manner? A. Least privilege B. Separation of duties C. Due care D. Due diligence

Answer 66

D. The due care principle states that an individual should react in a situation using the same level of care that would be expected from any reasonable person. It is a very broad standard. The due diligence principle is a more specific component of due care that states an individual assigned a responsibility should exercise due care to complete it accurately and in a timely manner.

Question 67

Bill implemented RAID level 5 on a server that he operates using a total of three disks. How many disks may fail without the loss of data? A. 0 B. 1 C. 2 D. 3

Answer 67

B. RAID level 5 is also known as disk striping with parity. It uses three or more disks, with one disk containing parity information used to restore data to another disk in the event of failure. When used with three disks, RAID 5 is able to withstand the loss of a single disk.

Question 68

When Ben records data and then replays it against his test website to verify how it performs based on a real production workload, what type of performance monitoring is he undertaking? A. Passive B. Proactive C. Reactive D. Replay

Answer 68

B. Proactive monitoring, aka synthetic monitoring, uses recorded or generated traffic to test systems and software. Passive monitoring uses a network span, tap, or other device to capture traffic to be analyzed. Reactive and replay are not industry terms for types of monitoring.

Question 69

During a security audit, Susan discovers that the organization is using hand geometry scanners as the access control mechanism for their secure data center. What recommendation should Susan make about the use of hand geometry scanners? A. They have a high FRR and should be replaced. B. A second factor should be added because they are not a good way to reliably distinguish individuals. C. The hand geometry scanners provide appropriate security for the data center and should be considered for other high-security areas. D. They may create accessibility concerns, and an alternate biometric system should be considered.

Answer 69

B. Hand geometry scanners assess the physical dimensions of an individual’s hand but do not verify other unique factors about the individual, or even verify if they are alive. This means that hand geometry scanners should not be implemented as the sole authentication factor for secure environments. Hand geometry scanners do not have an abnormally high FRR and do not stand out as a particular issue from an accessibility standpoint compared to other biometric systems.

Question 70

Colleen is conducting a business impact assessment for her organization. What metric provides important information about the amount of time that the organization may be without a service before causing irreparable harm? A. MTD B. ALE C. RPO D. RTO

Answer 70

A. The maximum tolerable downtime (MTD) is the amount of time that a business may be without a service before irreparable harm occurs. This measure is sometimes also called maximum tolerable outage (MTO).

Question 71

An authentication factor that is “something you have,” and that typically includes a microprocessor and one or more certificates, is what type of authenticator? A. A smart card B. A token C. A Type I validator D. A Type III authenticator

Answer 71

A. Smart cards are a Type II authentication factor and include both a microprocessor and at least one certificate. Since they are something you have, they’re not a Type I or III authentication factor. Tokens do not necessarily contain certificates.

Question 72

What term best describes an attack that relies on stolen or falsified authentication credentials to bypass an authentication mechanism? A. Spoofing B. Replay C. Masquerading D. Modification

Answer 72

C. Masquerading (or impersonation) attacks use stolen or falsified credentials to bypass authentication mechanisms. Spoofing attacks rely on falsifying an identity like an IP address or hostname without credentials. Replay attacks are a more specific type of masquerading attack that relies on captured network traffic to reestablish authorized connections. Modification attacks occur when captured packets are modified and replayed to a system to attempt to perform an action.

Question 73

Denise is preparing for a trial relating to a contract dispute between her company and a software vendor. The vendor is claiming that Denise made a verbal agreement that amended their written contract. What rule of evidence should Denise raise in her defense? A. Real evidence rule B. Best evidence rule C. Parol evidence rule D.Testimonial evidence rule

Answer 73

C. The parol evidence rule states that when an agreement between two parties is put into written form, it is assumed to be the entire agreement unless amended in writing. The best evidence rule says that a copy of a document is not admissible if the original document is available. Real evidence and testimonial evidence are evidence types, not rules of evidence.

Question 74

Which of the following statements about SSAE-18 is not true? A. It mandates a specific control set. B. It is an attestation standard. C. It is used for external audits. D. It uses a framework, including SOC 1, SOC 2, and SOC 3 reports.

Answer 74

A. SSAE-18 does not assert specific controls. Instead, it reviews the use and application of controls in an audited organization. It is an attestation standard, used for external audits, and forms part of the underlying framework for SOC 1, 2, and 3 reports.

Question 75

Which one of the following principles is not included in the seven EU-U.S. Privacy Shield provisions? A. Access B. Security C. Recourse D. Nonrepudiation

Answer 75

D. The seven principles that the EU-U.S. Privacy Shield spell out for handling personal information are notice, choice, accountability for onward transfer, security, data integrity and purpose limitation, access, and recourse, enforcement, and liability.

Question 76

Alex is the system owner for the HR system at a major university. According to NIST SP 800-18, what action should he take when a significant change occurs in the system? A. He should develop a data confidentiality plan. B. He should update the system security plan. C. He should classify the data the system contains. D. He should select custodians to handle day-to-day operational tasks.

Answer 76

B. According to NIST SP 800-18, a system owner should update the system security plan when the system they are responsible for undergoes a significant change. Classification, selection of custodians, and designing ways to protect data confidentiality might occur if new data was added but should have already been done otherwise.

Question 77

Alex has been with the university he works at for over 10 years. During that time, he has been a system administrator and a database administrator, and he has worked in the university’s help desk. He is now a manager for the team that runs the university’s web applications. Using the provisioning diagram shown here, answer the following questions. Alex has access to B, C, and D. What concern should he raise to the university’s identity management team? A. The provisioning process did not give him the rights he needs. B. He has excessive privileges. C. Privilege creep may be taking place. D. Logging is not properly enabled.

Answer 77

C. As Alex has changed roles, he retained access to systems that he no longer administers. The provisioning system has provided rights to workstations and the application servers he manages, but he should not have access to the databases he no longer administers. Privilege levels are not specified, so we can’t determine if he has excessive rights. Logging may or may not be enabled, but it isn’t possible to tell from the diagram or problem.

Question 78

During what phase of the electronic discovery reference model does an organization ensure that potentially discoverable information is protected against alteration or deletion? A. Identification B. Preservation C. Collection D. Production

Answer 78

B. During the preservation phase, the organization ensures that information related to the matter at hand is protected against intentional or unintentional alteration or deletion. The identification phase locates relevant information but does not preserve it. The collection phase occurs after preservation and gathers responsive information. The processing phase performs a rough cut of the collected information for relevance.

Question 79

MAC models use three types of environments. Which of the following is not a mandatory access control design? A. Hierarchical B. Bracketed C. Compartmentalized D. Hybrid

Answer 79

B. Mandatory access control systems can be hierarchical, where each domain is ordered and related to other domains above and below it; compartmentalized, where there is no relationship between each domain; or hybrid, where both hierarchy and compartments are used. There is no concept of bracketing in mandatory access control design.

Question 80

Which one of the following is typically considered a business continuity task? A. Business impact assessment B. Alternate facility selection C. Activation of cold sites D. Restoration of data from backup

Answer 80

A. Developing a business impact assessment is an integral part of the business continuity planning effort. The selection of alternate facilities, activation of those facilities, and restoration of data from backup are all disaster recovery tasks.

Question 81

What type of fuzzing is known as intelligent fuzzing? A. Zzuf B. Mutation C. Generational D. Code based

Answer 81

C. Generational fuzzing is also known as intelligent fuzzing because it relies on the development of data models using an understanding of how the data is used by the program. Zzuf is a fuzzing program. Mutation simply modifies the inputs each time, and code based is not a description used for a type of fuzzing.

Question 82

Matthew is experiencing issues with the quality of network service on his organization’s network. The primary symptom is that packets are occasionally taking too long to travel from their source to their destination. The length of this delay changes for individual packets. What term describes the issue Matthew is facing? A. Latency B. Jitter C. Packet loss D. Interference

Answer 82

B. Latency is a delay in the delivery of packets from their source to their destination. Jitter is a variation in the latency for different packets. Packet loss is the disappearance of packets in transit that requires retransmission. Interference is electrical noise or other disruptions that corrupt the contents of packets.

Question 83

Ben wants to interface with the National Vulnerability Database using a standardized protocol. What option should he use to ensure that the tools he builds work with the data contained in the NVD? A. XACML B. SCML C. VSML D. SCAP SOLUTIONS

Answer 83

D. The Security Content Automation Protocol (SCAP) is a suite of specifications used to handle vulnerability and security configuration information. The National Vulnerability Database provided by NIST uses SCAP. XACML is the eXtensible Access Control Markup Language, an OASIS standard used for access control decisions, and neither VSML nor SCML are industry terms.

Question 84

Which of the following is not one of the three components of the DevOps model? A. Software development B. Change management C. Quality assurance D. Operations

Answer 84

B. The three components of the DevOps model are software development, operations, and quality assurance.

Question 85

Norm is starting a new software project with a vendor that uses an SDLC approach to development. When he arrives on the job, he receives a document that has the sections shown here. What type of planning document is this? A. Functional requirements B. Work breakdown structure C. Test analysis report D. Project plan

Answer 85

B. The work breakdown structure (WBS) is an important project management tool that divides the work done for a large project into smaller components. It is not a project plan because it does not describe timing or resources. Test analyses are used during later phases of the development effort to report test results. Functional requirements may be included in a work breakdown structure, but they are not the full WBS.

Question 86

During a web application vulnerability scanning test, Steve runs Nikto against a web server he believes may be vulnerable to attacks. Using the Nikto output shown here, answer the following questions. Why does Nikto flag the /test directory? A. The /test directory allows administrative access to PHP. B. It is used to store sensitive data. C. Test directories often contain scripts that can be misused. D. It indicates a potential compromise.

Answer 86

C. Test directories often include scripts that may have poor protections or may have other data that can be misused. There is not a default test directory that allows administrative access to PHP. Test directories are not commonly used to store sensitive data, nor is the existence of a test directory a common indicator of compromise.

Question 87

During a web application vulnerability scanning test, Steve runs Nikto against a web server he believes may be vulnerable to attacks. Using the Nikto output shown here, answer the following questions. Why does Nikto identify directory indexing as an issue? A. It lists files in a directory. B. It may allow for XDRF. C. Directory indexing can result in a denial-of-service attack. D. Directory indexing is off by default, potentially indicating compromise.

Answer 87

A. Directory indexing may not initially seem like an issue during a penetration test, but simply knowing the name and location of files can provide an attacker with quite a bit of information about an organization, as well as a list of potentially accessible files. XDRF is not a type of attack, and indexing is not a denial-of-service attack vector. Directory indexing being turned on is typically either due to misconfiguration or design, or because the server was not properly configured at setup, rather than being a sign of attack.

Question 88

During a web application vulnerability scanning test, Steve runs Nikto against a web server he believes may be vulnerable to attacks. Using the Nikto output shown here, answer the following questions. Nikto lists OSVDB-877, noting that the system may be vulnerable to XST. What would this type of attack allow an attacker to do? A. Use cross-site targeting. B. Steal a user’s cookies. C. Counter SQL tracing. D. Modify a user’s TRACE information.

Answer 88

B. Cross-site tracing (XST) leverages the HTTP TRACE or TRACK methods and could be used to steal a user’s cookies via cross-site scripting (XSS). The other options are not industry terms for web application or web server attacks or vulnerabilities.