Quiz Flashcards
1
Q
A company has guards at the gate, guards at the entrance to its main building, and an access control vestibule inside the building. Access to the office where the company’s data resides is controlled through two additional doors that use RFID (radio frequency identification) locks.
Which controls are being adopted by the company? (Select TWO.)
A. Preventive
B. Deterrent
C. Corrective
D. Physical
Chapter 1
A
The correct answers are option B and option D. All the controls described in the scenario are physical controls. They are set up as deterrent controls to prevent access of unauthorized personnel to the office.
2
Q
One of the file servers of an organization has suffered an attack. The organization’s IT administrator is searching the log files to understand what happened. What type of control are they implementing when carrying out the investigation?
1. Operational
2. Technical
3. Detective
4. Operational
Chapter 1
A
The correct option is option C. Detective controls help in uncovering issues and anomalies that have already occurred. Therefore, log files being searched is a detective control
3
Q
During a monthly team meeting, an IT manager tasks both the mail administrator and the network administrator with creating a standard operating procedure. What type of control describes the mail administrator and network administrator’s task?
A. Directive
B. Managerial
C. Operational
D. Technical
Chapter 1
A
The correct answer is option A. Directive controls provides specific instructions or guidelines.
4
Q
Which control type focuses on eliminating or minimizing potential threats before they can cause harm?
1. Preventive
2. Compensating
3. Deterrent
4. Corrective
Chapter 1
A
The correct answer is option A. Preventive controls are designed to prevent problems or risks from occurring by eliminating or minimizing potential threats.
5
Q
An organization has been sent information by Microsoft that a critical update for Windows 11 has just been released. The organization’s cybersecurity team immediately applies this latest update to all of its Windows 11 computers. What type of control have they carried out?
1. Preventive
2. Compensating
3. Deterrent
4. Corrective
Chapter 1
A
The correct answer is option D. Because the Windows 11 computers were vulnerable, the cybersecurity team needed to take corrective action by patching each computer to harden it and prevent attacks.
6
Q
An organization suffered a ransomware attack, where one of the technical controls was compromised. What type of control should a company implement to prevent a reoccurrence?
1. Preventive
2. Compensating
3. Detective
4. Corrective
Chapter 1
A
The correct answer is option B. Compensating controls are alternative measures implemented when primary controls are not feasible or sufficient. In this case, the primary control needs to be replaced by a secondary control.
7
Q
Which of the following physical controls would deter someone from entering a quarry? (Select TWO.)
A. Bollards
B. Guards
C. Barrier
D. Signs
E. Lights
Chapter 1
A
The correct answers are option B and option C. Using a barrier and guards at the entrance to the quarry could prevent unauthorized personnel from entering the quarry. Once the guard has checked the identification of the personnel, they can raise the barrier to allow entry. The bollards are not useful, as they would prevent everyone from entering the quarry, including people who worked there.
8
Q
Following a third-party compliance audit, a company has been recommended that additional instructions need to be included in the current compliance policies. What type of control BEST describes the recommended action?
1. Operational
2. Directive
3. Deterrent
4. Corrective
Chapter 1
A
The correct answer is option B as directive controls provide specific instructions or guidelines for compliance with policies and procedures.
9
Q
A cybersecurity administrator has decided to use homomorphic encryption to protect data so that they can read the data without needing to decrypt it. What type of control BEST describes the action carried out by the cybersecurity administrator?
1. Managerial
2. Technical
3. Operational
4. Physical
Chapter 1
A
The correct answer is option B. The cybersecurity administrator uses a technical control, which is a control that relies on technology to protect and secure data.
10
Q
Within the spectrum of control categories, which one is tasked with establishing protocols and guidelines to enhance the effectiveness of organizational oversight?
1. Technical
2. Managerial
3. Operational
4. Physical
Chapter 1
A
The correct answer is option B. Top-level executives, including the CEO or president, may set the overall policy direction for the organization. They might also be involved in creating high-level policies that align with the company’s mission, vision, and strategic goals. These are known as managerial controls.
11
Q
An IT administrator has been tasked by the CEO to investigate the latest attack methods being used by a bad actor. Which of the following would be the BEST resource to use?
1. MITRE ATT&CK
2. A honeyfile
3. A honeypot
4. A CVE list
Chapter 2
A
The correct answer is option C. A honeypot is a decoy system or network with lower security to entice an attacker so that the attack methods can be monitored and then mitigated.
Option A is incorrect because, while the MITRE ATT&CK framework has a database of adversaries, tactics, and techniques, it might not have the most recent attack information.
Option B is incorrect as a honeyfile is set up as bait so that the SOC team is alerted as soon as the attacker opens the file.
Option D is incorrect as a CVE list is a list of common vulnerabilities.
12
Q
What type of system is able to track users’ access if the authentication method uses 802.1x?
1. Federation Services
2. Kerberos
3. OAuth
4. RADIUS
Chapter 2
A
The correct answer is option D. RADIUS is a centralized authentication, authorization, and accounting server, providing a way to track and control access to a network. RADIUS clients could be VPN-, WAP-, or 802.1X-managed switches. When users have been authenticated, they are added to a SQL database that logs when they enter and exit a network. This allows users to be tracked.
Option A is incorrect because Federation Services is used for third-party authentication.
Option B is incorrect because Kerberos is used for authentication in a Microsoft environment.
Option C is incorrect because OAuth is used for internetbased authentications.
13
Q
Which of the following can be used to provide non-repudiation?
A. Asymmetric encryption
B. Symmetric encryption
C. A public key
D. A SAML token
Chapter 2
A
The correct answer is option A. Asymmetric encryption generates both private and public keys. The private key can be used to generate a digital signature that can provide non-repudiation. Non-repudiation is a term used in information security and cryptography to describe the concept of ensuring that an entity cannot deny the authenticity or origin of a message or transaction.
Option B is incorrect; in symmetric encryption, everyone shares the same key, so it cannot provide nonrepudiation.
Option C is incorrect as a public key is not kept secret and can be shared with multiple users so it cannot provide non-repudiation.
Option D is incorrect because security Assertion Markup Language (SAML) is an XML-based standard for exchanging authentication and authorization data between parties, typically between an identity provider (IdP) and a service provider (SP). It is not designed to provide non-repudiation.
14
Q
An international bank encountered an insider attack where they suffered the theft of $100,000. The security team has been tasked to find the culprit. Which of the following is the BEST source of information for the security team to use?
1. The system log
2. The application log
3. An audit trail
4. The DNS log
Chapter 2
A
The correct answer is option C. An audit trail provides a comprehensive record of user activities and system actions, which is essential for tracing insider attacks.
Option A is incorrect, as the system log may contain system-related events but lacks the detailed user-specific information found in an audit trail.
Option B is incorrect; the application log focuses on application-specific events and is not as comprehensive as an audit trail. Option D is incorrect, as the DNS log relates to domain name system activities, not to tracing insider attacks.
15
Q
Which of the given security tools fulfills the following?
* Presents itself as a prized target
* Uses dummy data
* Helps track attackers
A. Honeypot
B. A honeyfile
C. A honeytoken
D. PAM
Chapter 2
A
The correct answer is option C. A honeytoken mimics valuable data to lure attackers, serving as a decoy to detect and track unauthorized access.
Option A is incorrect because a honeypot attracts attackers and analyzes their attack methods but isn’t specifically focused on tracking with dummy data.
Option B is incorrect because a honeyfile is the bait used to identify when an attacker opens a file. It does not fulfill the characteristics.
Option D is incorrect because privileged access management is used to control administrative accounts and is not designed as a deceptive tracking tool.
16
Q
In organizational jargon, what process describes scrutinizing the delta between existing resources and future aspirations, aiming to fortify strategic decision-making?
A. A SWOT analysis
B. The capability maturity model
C. Business process reengineering
D. Gap analysis
Chapter 2
A
The correct answer is option D. A gap analysis outlines the difference between current resources and potential future goals.
Option A is incorrect, as a SWOT analysis is a different strategic planning tool that assesses strengths, weaknesses, opportunities, and threats, and it does not specifically focus on resource gaps.
Option B is incorrect because the capability maturity model is a framework for process improvement and is not specifically designed to analyze resource gaps.
Option C is incorrect because business process reengineering is a method for redesigning business processes and is not specifically tailored for analyzing resource disparities.
17
Q
Which of the following uses a private key to provide proof that an email has not been altered in transit and has come from the person who originally sent it?
A. A digital signature
B. Encryption
C. Hashing
D. Domain-based message authentication, reporting, and
conformance
Chapter 2
A
The correct answer is option A.
A digital signature uses a private key to sign the mail, ensuring its integrity and origin. This cryptographic technique provides authentication and non-repudiation.
Option B is incorrect because encryption secures the content but doesn’t provide proof of the sender’s identity or the integrity of the message.
Option C is incorrect because hashing verifies data integrity but doesn’t involve private keys and cannot verify the identity of the sender.
Option D is incorrect because domain-based message authentication, reporting, and conformance (DMARC) verifies which domain sent the email message but not the originator of the email.
18
Q
Which intricate concept involves a dynamic orchestration of access controls, continuously tailoring user permissions based on evolving risk profiles and behavioral analytics?
A. A behavioral authentication framework
B. Dynamic credential ciphering
C. Adaptive identity management
D. A cyber resilience protocol
Chapter 2
A
The correct answer is option C. Adaptive identity management dynamically adjusts user permissions using risk profiles and behavioral analytics, enhancing cybersecurity. Option A is incorrect because a behavioral authentication framework may involve behavior analysis but lacks the broader scope of continuously adapting access controls. Option B is incorrect because dynamic credential ciphering relates to encryption, not the management of evolving access permissions. Option D is incorrect because a cyber resilience protocol deals with overall
system resilience, rather than the specific dynamic adaptation of identity and access controls.
19
Q
Which type of sensors can detect changes in frequency?
A. Microwave sensors
B. Pressure sensors
C. Infrared sensors
D. Ultrasonic sensors
Chapter 2
A
The correct answer is option A. Microwave sensors can detect changes in frequency because they use microwave radiation to detect motion, making them suitable for motion detection applications.
Option B is incorrect because pressure sensors measure pressure changes, which is a reliable indicator of movement, not changes in frequency.
Option C is incorrect because infrared sensors detect infrared radiation, not changes in frequency.
Option D is incorrect because ultrasonic sensors use sound waves, not changes in frequency, for distance measurement and object detection.
20
Q
Which of the following log files ensures that someone is responsible for another person?
A. An IDS log
B. A security log
C. An event log
D. A visitors log
Chapter 2
A
The correct answer is option D. When entering a company or a military base, the person who signs a visitor in at reception is responsible for that person during their stay.
Option A is incorrect because an Intrusion Detection System (IDS) log is designed specifically to detect and log unauthorized or suspicious activities on a network or system.
Option B is incorrect because a security log can record various security-related events but it might not necessarily attribute responsibility for one person’s actions to another.
Option C is incorrect because event logs capture a wide range of system events and activities, but they do not inherently ensure someone is responsible for another person.
21
Q
What component of change management is essential for ensuring that security operations are not adversely affected by new implementations?
Select the BEST option.
A. Ownership
B. Test results
C. An approval process
D. A backout plan
Chapter 3
A
The correct answer is option C. The approval process is a critical aspect of change management that ensures proposed changes are scrutinized before implementation. This step involves assessing the impact of changes on security operations, resource allocation, and potential risks.
Option A is incorrect because ownership is important for accountability, as it designates an individual responsible for overseeing and executing changes. It doesn’t evaluate the potential impact on security operations.
Option B is incorrect as test results ensure that security changes work as intended and will not introduce new problems, however, they do not measure how they affect new implementations.
Option D is incorrect because a backout plan is a rollback option if the changes go wrong.
22
Q
Which of the following is the BEST solution for a cybersecurity team to implement to prevent employees from installing video games on a company’s systems?
A. Sandbox
B. An allow list
C. A block list
D. Least privilege
Chapter 3
A
The correct answer is option B. An application allow list, formerly known as a whitelist, is a list of only those applications that are permitted to be installed. Personal software and malware would never be on the allow list; therefore, they would not be able to be installed or run.
Option A is incorrect, as a sandbox is an isolated virtual machine or application used to test an application for the patching, testing, or investigation of potential malware.
Option C is incorrect, as a block list needs each application to be named; this would prove too difficult to implement. It is easier to create an allow list, and if the application is not on the allow list, t then it cannot be installed.
Option D is incorrect, as least privilege is an access control where a user only gets the minimum permissions to perform their job, and it is not to prevent application installation.
23
Q
When ensuring the accuracy of system representations, what practice is reflective of the actual network infrastructure?
A. Regression testing
B. Updating diagrams
C. Data masking
D. Version control
Chapter 3
A
The correct answer is option B, updating diagrams. This means keeping visual representations such as network diagrams accurate to help network professionals understand and manage security effectively.
Option A is incorrect because regression testing involves testing toensure that code changes haven’t negatively impacted existing functionality, but it does not relate to network infrastructure. Option C is incorrect because data masking involves disguising sensitive information, which is not directly related to network infrastructure.
Option D is incorrect because version control tracks changes to documents and papers. It is not suitable for this task.
24
Q
What component of change management outlines the specific steps to be taken if a change implementation encounters unexpected issues or failures?
A. A snapshot
B. A backout plan
C. A maintenance window
D. Test results
Chapter 3
A
The correct answer is option B. A backout plan is a critical aspect of change management that defines the rollback options if an implementation does not go as planned. It reverts the system to its previous state to minimize disruption and potential security risks if there are failures.
Option A is incorrect because a snapshot is a backup of a virtual machine, and most change management is not done in a virtual environment.
Option C is incorrect because a maintenance window is where a planned change to a system is done to ensure minimal disruption.
Option D is incorrect because test results assess the functionality and suitability of changes before implementation. They do not address the process of reverting changes if there are failures.
25
When creating new software, what is the interconnection of services and system drivers known as? Select the most appropriate answer.
A. Errors in software code
B. Incompatibilities
C. Dependencies
D. Interoperability
## Footnote
Chapter 3
The correct answer is option **C**. Dependencies in software development refer to the interactions and relationships between different software components. These components rely on each other to function properly. If one component fails, then the entire application will fail.
Option A is incorrect, as software defects refer to flaws or errors in software code, not to the relationships between software components.
Option B is incorrect, as incompatibilities could refer to issues between different software or hardware elements, but they don’t capture the concept of dependencies.
Option D is incorrect, as interoperability refers to the ability of different systems or software to work together and exchange information smoothly. It is related to dependencies, but it’s a broader concept that encompasses various aspects of compatibility and functionality between systems. It is not the best choice.
26
In IT operations, what is the primary reason for scheduling a maintenance window for system updates or changes?
A. To maximize resource utilization
B. To reduce the need for regular system backups
C. To bypass the need for change management procedures
D. To ensure updates are implemented without disrupting users
## Footnote
Chapter 3
The correct answer is option **D**. A designated time window allows IT teams to perform necessary tasks while minimizing the impact on system availability and user experience.
Option A is incorrect because while optimizing resource utilization is important, it’s not the primary reason for scheduling a maintenance window.
Option B is incorrect because maintenance windows don’t directly impact system backup procedures.
Option C is incorrect because proper change management procedures are crucial for maintaining security and stability, so bypassing them isn’t advisable and, thus, is not the primary purpose of a maintenance window.
27
Which action involves closing and then reopening an application to address issues, refresh resources, or implement changes?
A. An application refresh
B. An application restart
C. An application reload
D. An application reset
## Footnote
Chapter 3
The correct answer is option **B**. Application restart involves closing and reopening an application to address issues, refresh resources, or implement changes. It’s a common approach to resolving glitches and ensuring an application functions optimally.
Option A is incorrect because while similar, a refresh might involve renewing certain elements without closing and reopening the entire application.
Option C is incorrect because reloading might refer to loading specific data or content but doesn’t capture the complete process of closing and reopening an application.
Option D is incorrect because a reset could encompass broader actions beyond closing and reopening and might even imply returning to default settings.
28
When creating new software, what is the main purpose of reviewing and analyzing test results before deploying changes to a production environment?
A. To validate user documentation
B. To analyze system dependencies
C. To confirm that a team adheres to coding standards
D. To identify and address potential issues or defects
## Footnote
Chapter 3
The correct answer is option **D**. Reviewing and analyzing test results before deployment is crucial to identify and address potential issues or defects in code. This practice helps ensure that changes are stable and secure and won’t adversely impact the production environment.
Option A is incorrect because test results primarily focus on the technical aspects of software, not on user documentation.
Option B is incorrect because while system dependencies can be an important part of software development, especially in a larger context, the primary aim of reviewing test results before deployment is finding and fixing issues or defects in code.
Option C is incorrect because a review of test results mainly aims to find and fix issues, not solely check coding standards compliance.
29
What vital process in change management assesses the potential consequences of alterations for various aspects, such as systems, processes, and resources?
A. Impact analysis
B. A backout plan
C. A standard operating procedure
D. A maintenance window
## Footnote
Chapter 3
The correct answer is option **A**. Impact analysis is a pivotal step in change management that evaluates the potential effects of proposed alterations on different components, such as systems, processes, and resources. This assessment aids in understanding the broader ramifications of changes, including any security implications.
Option B is incorrect because a backout plan is a critical aspect of change management that defines the rollback options if an implementation does not go as planned.
Option C is incorrect because a standard operating procedure is a set of instructions for routine operations. While crucial, it does not focus on assessing the potential impacts of changes.
Option D is incorrect because a maintenance window is a scheduled timeframe for implementing changes. While essential for controlled modifications, it does not involve assessing the consequences of changes.
30
In a complex enterprise environment, what strategic considerations should be weighed before executing a service restart, ensuring optimal system availability while minimizing potential security vulnerabilities?
Select the BEST choice.
A. The temperature of the data center
B. The number of active user sessions
C. The chronological order of code deployment
D. The potential impact on interconnected services
## Footnote
Chapter 3
The correct answer is option **D**. When contemplating a service restart, particularly in intricate enterprise setups, understanding the potential impact on interconnected services is critical. Disruptions caused by a restart can cascade across a system, affecting other services. This assessment is vital to ensure both system availability and to prevent potential security vulnerabilities that could arise due to disruptions.
Option A is incorrect because the temperature of the data center is related to a service restart, as extreme temperatures can affect hardware performance. However, it’s not one of the primary strategic considerations when executing a service restart to ensure system availability and minimize security vulnerabilities.
Option B is incorrect because the number of active user sessions is not a primary strategic consideration for a service restart. A service restart typically revolves around understanding the potential impact on interconnected services to ensure system availability and security. The number of active user sessions is just one aspect of this consideration.
Option C is incorrect because the code deployment order is important for other reasons but isn’t the primary concern when planning a service restart.
31
What is the primary purpose of a private key in a Public Key Infrastructure (PKI)?
A. The encryption of sensitive data
B. Storing cryptographic keys
C. Encrypting messages for secure transmission
D. Decryption and digital signatures
## Footnote
Chapter 4
The correct answer is option **D.** The private key in PKI is used for both decryption and digital signatures. It’s used to decrypt data that has been encrypted, using the corresponding public key, and to digitally sign documents for authentication and data integrity.
Option A is incorrect because public keys, not private keys, are used to encrypt data.
Option B is incorrect because a trusted third party is the key escrow that stores cryptographic keys.
Option C is incorrect because encryption is usually done using the recipient’s public key, not the private key.
32
Which type of encryption employs a single key to encrypt substantial volumes of data, utilizing a block cipher technique?
A. Hashing
B. Asymmetric encryption
C. Symmetric encryption
D. A key exchange
## Footnote
Chapter 4
The correct answer is option **C**. Symmetric encryption has only one key to both encrypt and decrypt large amounts of data using block cipher techniques. This approach is effective for ensuring data confidentiality when encryption and decryption operations are performed using the same key.
Option A is incorrect because hashing is used for data integrity and is a one-way function.
Option B is incorrect because asymmetric encryption uses a pair of keys (private and public). Further, it uses a stream cipher, which is too slow and, thus, not suitable for encrypting large amounts of data.
Option D is incorrect because a key exchange involves securely exchanging cryptographic keys, not the encryption of substantial data volumes.
33
What technique involves transforming sensitive data, such as credit card numbers, into unique tokens that retain no intrinsic value and are used for secure transactions?
A. Obfuscation
B. Salting
C. Tokenization
D. Steganography
## Footnote
Chapter 4
The correct answer is option **C**. Tokenization is the technique of transforming sensitive data into tokens that lack inherent value. These tokens are used in transactions, ensuring security by reducing the risk associated with storing and transmitting actual sensitive data.
Option A is incorrect because obfuscation obscures code complexity and is not used for transforming sensitive data.
Option B is incorrect because salting involves adding random values to credentials and is unrelated to tokenization.
Option D is incorrect because steganography hides data within files, and it’s unrelated to transforming data into tokens.
34
Which cryptographic method involves utilizing intricate mathematical operations to guarantee the irreversible transformation of data during encryption?
A. Transport/communication encryption
B. Asymmetric encryption
C. A key exchange
D. Algorithm encryption
## Footnote
Chapter 4
The correct answer is option **D**. The use of complex mathematical operations to ensure that encrypted data cannot be easily reverted to its original form is known as algorithm encryption.
Option A is incorrect because transport/communication encryption primarily focuses on securing data during its transmission.
Option B is incorrect because asymmetric encryption involves the use of two keys for encryption and decryption, not mathematical operations for irreversibility.
Option C is incorrect because key exchange protocols such as Diffie–Hellman involve mathematical operations to securely exchange keys, and their primary purpose is to establish a shared secret key, rather than performing encryption or ensuring irreversibility.
35
What term is used to describe the catalogs that contain invalidated digital certificates and ensure the security of online communication?
1. Self-signed
2. Certificate signing request (CSR) generation
3. Certificate authorities
4. Certificate revocation lists (CRLs)/the Online Certificate Status Protocol (OCSP)
## Footnote
Chapter 4
The correct answer is option **D**. Certificate revocation lists (CRLs) and the Online Certificate Status Protocol (OCSP) are catalogs that contain lists of invalidated digital certificates. These lists ensure the security of online communication by identifying certificates that are no longer
considered trustworthy. The OCSP is faster and more modern. Option A is incorrect because this refers to self-generated digital certificates lacking third-party validation. Option B is incorrect because this relates to the request for a new certificate, not certificate validation. Option C is incorrect because certificate authorities are entities that issue and verify digital certificates.
36
What do you need to securely store cryptographic keys and perform cryptographic operations within a hardware device, and which encryption level involves the conversion of entire disks into encrypted formats? (Choose TWO.)
A. A Trusted Platform Module (TPM) chip
B. A Hardware Security Module (HSM)
C. Encryption key management software
D. Password-based encryption
E. Full-Disk Encryption (FDE)
## Footnote
Chapter 4
The correct answers are option **A** and option **E**. A trusted platform module (TPM) chip is a dedicated hardware component designed to securely store cryptographic keys and perform various cryptographic operations. Full-disk encryption (FDE) refers to the process of encrypting an entire disk or storage device. This ensures that all data stored on the disk, including the operating system and files, is protected.
Option B is incorrect because hardware Security Modules (HSMs) are devices designed for secure key management, but they are not exclusively for hardware-based cryptographic operations or disk encryption.
Option C is incorrect because encryption key management software is used to manage keys but doesn’t directly perform cryptographic operations or disk encryption.
Option D is incorrect because password-based encryption relies on user-provided passwords and does not specifically relate to hardware-based cryptographic operations or disk encryption.
37
What does a key exchange involve in cryptography?
A. Encrypting large amounts of data using a single key
B. Securely transmitting cryptographic keys
C. Ensuring encryption irreversibility
D. Utilizing private and public keys for decryption
## Footnote
Chapter 4
The correct answer is option **B**. Key exchange in cryptography pertains to the secure transmission of cryptographic keys between communicating parties. This process ensures that the intended recipient obtains the necessary keys to decrypt and access encrypted data.
Option A is incorrect because encrypting large amounts of data using a single key is a characteristic of symmetric encryption. Option C is incorrect because ensuring encryption irreversibility is a general aspect of encryption but is not specific to a key exchange.
Option D is incorrect because utilizing private and public keys for decryption describes asymmetric encryption, not a key exchange.
38
What type of digital certificate is self-generated, lacks third-party validation, and is typically used for multiple internal servers to save costs?
1. A wildcard
2. Certificate authorities
3. Certificate signing request (CSR) generation
4. Self-signed
## Footnote
Chapter 4
The correct answer is option **D**. A self-signed digital certificate is generated without third-party validation and is typically used for internal purposes. It’s not validated by a trusted certificate authority, making it suitable only for limited internal use.
Option A is incorrect because a wildcard certificate is a single certificate securing multiple servers, using the same domain name. It is normally used on the internet or public-facing servers.
Option B is incorrect because certificate authorities have a root key that they use to sign all other certificates.
Option C is incorrect because certificate signing request (CSR) generation is used to request a new certificate.
39
What technology serves as a decentralized digital ledger, ensuring secure and tamper-resistant record-keeping of transactions?
A. Encryption
B. Digital signatures
C. Blockchain
D. Proof of work
## Footnote
Chapter 4
The correct answer is option **C**. A blockchain stands as a decentralized digital record, securely documenting transactions across numerous computers, fostering transparency, unchangeability, and confidence without the need for a central governing entity.
Option A is incorrect because encryption is a technique for securing data, rather than a centralized ledger.
Option B is incorrect because digital signatures provide authentication and integrity. They have nothing to do with financial transactions.
Option D is incorrect because proof of work in a blockchain verifies the accuracy of a new transaction.
40
Which of the following techniques involves the strategic act of deliberately obscuring code to create an intricate puzzle, making the understanding of the code challenging?
A. Obfuscation
B. Tokenization
C. Steganography
D. Data masking
## Footnote
Chapter 4
The correct answer is option **A**. Obfuscation is the technique of intentionally making code more intricate and convoluted to hinder comprehension by outsiders, while still maintaining its functionality. This practice adds an extra layer of security, as it makes reverse engineering and unauthorized access challenging.
Option B is incorrect because tokenization refers to transforming sensitive data into valueless tokens and is unrelated to code obfuscation.
Option C is incorrect because steganography pertains to hiding data within data, rather than obscuring code.
Option D is incorrect because data masking disguises sensitive data without focusing on code.
41
Which threat actor category is most likely to steal a major multinational corporation’s confidential trade secrets for the benefit of a competing company?
A. A nation-state
B. Unskilled attacker
C. A hacktivist
D. Organized crime
## Footnote
Chapter 5
The correct answer is option **D**. Organized crime groups are motivated by financial gains and engage in cyber activities such as ransomware attacks, which involve stealing and leaking confidential trade secrets for monetary benefits.
Option A is incorrect because nation-states have larger geopolitical objectives.
Option B is incorrect because unskilled attackers lack the sophistication to carry out such targeted attacks.
Option C is incorrect because hacktivists focus on ideological motives rather than corporate espionage.
42
A cyber attacker gains access to an organization’s sensitive customer information and threatens to expose it unless a substantial sum of money is paid. What category of cyber threat does this scenario represent? Select the BEST option.
A. Blackmail
B. Financial gain
C. Ransomware attack
D. Espionage
## Footnote
Chapter 5
The correct answer is option **A**. The scenario describes a situation where a cyber attacker extorts the victim by threatening to expose sensitive information unless a ransom is paid, which falls under the category of blackmail.
Option B is incorrect because while there is a monetary aspect involved, the primary motivation is threat and extortion.
Option C is incorrect because ransomware involves encrypting your data in situ and demanding a ransom for decryption.
Option D is incorrect because espionage relates to gathering intelligence without the victim being notified.
43
Which of the following attributes of threat actors defines their operational capacity with respect to their reach and effectiveness?
A. Internal/external
B. Resources/funding
C. The level of sophistication/capability
D. Data exfiltration
## Footnote
Chapter 5
The correct answer is option **B**. The financial dimension of threat actors, reflected in their resources and funding, defines their operational capacity, classifying them into categories ranging from sophisticated state-backed entities to individuals with constrained resources.
Option A is incorrect because internal/external refers to the origin of the threats (within the organization or external sources), not their operational dimension.
Option C is incorrect because the level of sophistication/capability relates to the technical mastery of threat actors, not their operational capacity.
Option D is incorrect because data exfiltration is a motive for cybercriminals to gain financial rewards.
44
What is the primary distinction between a hacktivist and an insider threat? Select the BEST option.
A. Hacktivists primarily aim for financial gains, while insider threats are motivated by ideology
B. Insider threats operate on a global scale, while hacktivists target specific organizations
C. Hacktivists seek to deface websites, while insider threats engage in fraud
D. Hacktivists promote causes through cyber campaigns, while insider threats misuse access within an organization
## Footnote
Chapter 5
The correct answer is option **D**. Hacktivists promote causes through cyber campaigns, while insider threats misuse access within an organization.
Option A is incorrect because hacktivists are the ones primarily driven by ideologies. Insider threats often misuse access for personal reasons.
Option B is incorrect because the scope of both threat actors is not accurately represented by these descriptions.
Option C is incorrect because the activities of hacktivists and insider threats can vary widely and aren’t necessarily limited to these actions.
45
What is the primary method cybercriminals use to steal sensitive data and sell it on the black market to generate monetary gains?
A. Service disruption
B. Internal/external factors
C. Data exfiltration
D. Espionage
## Footnote
Chapter 5
The correct answer is option **C**. Data exfiltration refers to cybercriminals stealing sensitive data. This data is often sold on the black market to generate monetary gains.
Option A is incorrect, as service disruption is different from stealing sensitive data.
Option B is incorrect, as internal/external factors do not relate to stealing and selling data.
Option D is incorrect, as espionage typically involves nation-states or, in some cases, rival companies and does not typically refer to independent cyber-criminals.
46
An individual without a lot of experience in IT launches a cyberattack, using readily available tools to disrupt a local government website temporarily. Which threat actor category does this scenario best align with?
A. A nation-state
B. An unskilled attacker
C. A hacktivist
D. Shadow IT
## Footnote
Chapter 5
The correct answer is option **B**. An unskilled attacker with limited technical expertise would use basic tools and methods for cyber mischief or small-scale disruptions, such as temporarily disrupting a local government website.
Option A is incorrect because nation-states are capable of more sophisticated and targeted attacks than simple disruptions of local government websites.
Option C is incorrect because hacktivists typically have ideological motives, and their actions are often more impactful than temporary website disruptions.
Option D is incorrect because shadow IT refers to unauthorized technology usage by employees within an organization.
47
Employees in a company start using a cloud storage service without authorization, bypassing official IT protocols. What term best describes this situation?
A. Shadow IT
B. An unskilled attacker
C. A hacktivist
D. Organized crime
## Footnote
Chapter 5
The correct answer is option **A**. Shadow IT refers to employees adopting unauthorized technologies and applications while bypassing official IT protocols. This can pose security risks, as it circumvents the organization’s established security measures.
Option B is incorrect because an unskilled attacker conducts external cyberattacks, which is different from employees adopting unauthorized technologies.
Option C is incorrect because hacktivists engage in cyber campaigns with ideological motives.
Option D is incorrect because organized crime refers to criminal groups targeting financial gains through cyber activities, not employees adopting unauthorized technologies.
48
Which threat actor category is likely to launch a cyber operation to disrupt the critical infrastructure of a rival as part of a geopolitical conflict? Select the BEST option.
A. An advanced persistent threat
B. Organized crime
C. A hacktivist
D. A nation-state
## Footnote
Chapter 5
The correct answer is option **D**. A nation-state is a sophisticated, wellfunded, and highly skilled adversary that attacks a rival nation as part of a geopolitical conflict.
Option A is incorrect because an Advanced Persistent Threat (APT) is a sophisticated and targeted cyberattack carried out by well-funded and highly skilled adversaries. APTs have been operating for a long time but they are not necessarily geopolitical actors, so the nation-state is the BEST option.
Option B is incorrect because organized crime’s motive is financial gain.
Option C is incorrect because hacktivists engage in cyber campaigns with ideological motives.
49
Nation-states engage in cyber operations to disrupt critical infrastructure and gather intelligence for geopolitical purposes. What action does this activity primarily represent?
A. Service disruption
B. Data exfiltration
C. Ideological advocacy
D. Espionage
## Footnote
Chapter 5
The correct answer is option **D**. Espionage involves nation-states and entities infiltrating systems to gather intelligence covertly to fulfill their geopolitical objectives.
Option A is incorrect because service disruption involves taking systems down, not gathering information.
Option B is incorrect because data exfiltration involves stealing and selling sensitive data, while espionage involves intelligence gathering.
Option C is incorrect, as ideological advocacy can take many forms and is not necessarily malicious.
50
A former employee, who was terminated, hacks into a company’s database to delete critical customer records to disrupt business operations because of a lasting grievance around their termination. What category of motivation does this scenario exemplify?
A. Revenge
B. An insider threat
C. Ethical hacking
D. Data exfiltration
## Footnote
Chapter 5
The correct answer is option **A**. The scenario involves the former employee seeking revenge by maliciously hacking into the company’s database to cause damage and delete customer records.
Option B is incorrect because “insider threat” is a categorization of threat, rather than a motivation.
Option C is incorrect because ethical hacking typically involves authorized security testing to identify vulnerabilities, not unauthorized actions for revenge.
Option D is incorrect because data exfiltration involves stealing data, rather than deleting it.
51
You receive an email claiming to be from the IRS (Internal Revenue Service) informing you of a tax refund. The email contains a link to a website where you can claim the refund by providing your personal and
financial information. You provide this information, but an hour later your bank account has been emptied. What type of attack is this most likely to be?
A. Spear phishing
B. Phishing
C. Smishing
D. Vishing
## Footnote
Chapter 6
The correct answer is option**B** . A phishing attack is where attackers impersonate a trusted entity (the IRS) to deceive recipients into divulging sensitive information. Option A is incorrect because a spear phishing attack is an email attack that targets a group of users. Option C is incorrect as it refers to an SMS phishing attack. Option D is incorrect as it describes an attack carried out over a phone call or by leaving a voicemail.
52
You are working for a government agency and have been tasked with sending data to a field operative. You decide to hide a secret message inside a pretty picture that you attach to a digitally signed email. What is the technique adopted by you called?
A. Steganography
B. Malware injection
C. Phishing
D. Data masking
## Footnote
Chapter 6
The correct answer is option **A**. Steganography is the process of hiding secret information within seemingly ordinary files such as images or audio. It aims to prevent the detection of data by embedding it within the file itself.
Option B is incorrect because malware injection involves inserting malicious code into software or systems, not hiding information within files. An example of malware injection could be the use of the following code: SELECT * FROM users WHERE username = ‘’ OR ‘1’=’1’AND password = ‘...’, which is a SQL injection attack.
Option C is incorrect because phishing is an attack involving deceptive emails or messages to trick the end user into parting with their financial details, not the practice of hiding information within files.
Option D is incorrect because data masking involves hiding partial data. For example, a Visa card number would be **** **** **** *636 if it was data masked.
53
A CEO’s phone was hacked while they were on holiday. Which of the following is the MOST LIKELY Bluetooth attack vector that could have been used to gain access?
A. Installing a firewall on a Bluetooth-enabled device
B. Connecting to a trusted Bluetooth speaker
C. Pairing with a public Bluetooth headset
D. Updating the device’s Bluetooth driver
## Footnote
Chapter 6
The correct answer is option **C**. Pairing with a public Bluetooth headset is a potential Bluetooth attack vector. Attackers can create malicious devices with enticing names and trick users into connecting to them, potentially exposing their data or devices to risks.
Option A is incorrect because installing a firewall would be a defense measure, not an attack vector.
Option B is incorrect because connecting to a trusted Bluetooth speaker doesn’t represent an attack vector, as it implies a legitimate connection.
Option D is incorrect because updating the device’s Bluetooth driver is a maintenance action, not an attack vector.
54
What distinguishes spear phishing from regular phishing?
A. Spear phishing uses phone calls, while regular phishing uses
email
B. Spear phishing targets high-profile individuals, while regular
phishing targets a broader audience
C. Spear phishing relies on fake websites, while regular phishing
uses malicious attachments
D. Spear phishing only targets large corporations, while regular
phishing targets individuals
## Footnote
Chapter 6
The correct answer is option **B**. Spear phishing is a targeted attack that focuses on high-profile individuals or specific groups, gathering personal information to craft convincing messages. Regular phishing, on the other hand, targets a broader audience without personalized details.
Option A is incorrect because spear phishing doesn’t necessarily involve phone calls.
Option C is incorrect because both spear phishing and regular phishing rely on email.
Option D is incorrect because regular phishing is not limited to targeting individuals; it can also target businesses and organizations.
55
You come across a website offering free software downloads and download a program from it. Later, you realize that your computer is behaving strangely, and you suspect a malware infection. What kind of threat might you have encountered?
A. A Trojan disguised as the downloaded software
B. Adware
C. A phishing attack aimed at stealing your personal information
D. Ransomware that encrypts your files and demands payment
## Footnote
Chapter 6
The correct answer is option **A**. Trojans often masquerade as legitimate programs to trick users into downloading and installing them, leading to the compromise of their systems.
Option B is incorrect because adware usually doesn’t disguise itself as software downloads.
Option C is incorrect because phishing attacks involve deceptive attempts to steal personal information, usually through emails or fake websites, but are not directly related to downloaded software.
Option D is incorrect because ransomware encrypts your files and demands payment for decryption but is not directly related to downloading software from a website.
56
Recently, your company suffered data theft from company-owned mobile telephones. You are a cybersecurity administrator and have been tasked with protecting the data stored on company mobile phones. Which of the following can be used to protect data stored on mobile telephones? Select the BEST TWO.
A. VPN software
B. Strong passwords
C. Remote wipe
D. Screen locks
E. Cable locks
## Footnote
Chapter 6
The correct answers are option **B** and option **D**. Strong passwords make it harder to access the phone, and screen locks will lock the phone after a predetermined period, preventing the user from being left logged in.
Option A is incorrect because VPN software protects data that leaves the phone and not the data on the phone.
Option C is incorrect because a remote wipe is used to reset a lost or stolen phone back to factory settings.
Option E is incorrect because cable locks are used to secure hardware devices to prevent them from theft. They are used on small devices such as phones, tablets, and laptops, especially in the retail sector.
57
In the last month, there has been a rise in the number of watering hole attacks. Which of the following BEST describes the goals of a watering hole attack?
A. Installing ransomware on the target’s computer
B. Gaining unauthorized access to a specific user’s email account
C. Compromising a frequently visited website to infect its visitors with malware
D. Tricking users into sharing sensitive information through deceptive emails
## Footnote
Chapter 6
The correct answer is option **C**. The primary goal of a watering hole attack is to compromise a legitimate website that the target group frequently visits, using it as a platform to distribute malware to unsuspecting visitors.
Option A is incorrect because while malware, for example, ransomware, distribution can be the result, it’s not the primary goal of a watering hole attack.
Option B is incorrect because gaining unauthorized email account access is not the central objective of a watering hole attack. A watering hole attack is carried out via a website.
Option D is incorrect because this is closer to phishing, not a watering hole attack
58
Which of the following is a distinguishing feature of a business email compromise (BEC) attack?
A. It involves targeting individuals through text messages.
B. The attacker poses as a legitimate brand or organization
C. It relies on compromising frequently visited websites
D. It involves infecting the target’s computer with malware
## Footnote
Chapter 6
The correct answer is option **B**. In a BEC attack, the attacker impersonates a trusted entity, often an executive or a high-ranking figure within an organization, to deceive recipients into transferring funds or sensitive information.
Option A is incorrect because BEC attacks primarily involve email communication, not text messages.
Option C is incorrect because this describes a watering hole attack, not a BEC attack.
Option D is incorrect because the goal of a BEC attack is typically financial or data-related deception, not malware infection
59
A company executive was researching cloud computing. The executive typed www.microsooft.com into their web browser to get to the Microsoft home page but was redirected to a website with a slightly different home page than expected. What type of attack is this?
A. Brand impersonation
B. Typosquatting
C. Watering hole attack
D. Whaling
## Footnote
Chapter 6
The correct answer is option **B**. Typosquatting involves creating websites with domain names that are like popular websites but contain slight misspellings, aiming to catch users who make typing errors. In this case, Microsoft was misspelled.
Option A is incorrect because brand impersonation involves pretending to be a recognized brand but doesn’t necessarily involve domain name manipulation.
Option C is incorrect because a watering hole attack targets legitimate websites, compromising them to distribute malware to visitors.
Option D is incorrect because whaling is an email attack that targets the CEO or a high-level executive, but in this case, email was not used.
60
Which of the following scenarios best describes the concept of
disinformation?
A. Emily shares an article from a reputable news source about
climate change
B. Liam fact-checks information before including it in his
research paper
C. Alex creates a social media account to impersonate a celebrity
D. Maya engages in a constructive discussion with her colleagues
about office policies
## Footnote
Chapter 6
The correct answer is option **C**. Alex’s creation of a fake social media account with the intent to impersonate a celebrity constitutes disinformation. Alex is deliberately spreading false information by posing as someone else to manipulate others’ perceptions.
Option A is incorrect because sharing an article from a reputable news source, even if it contains inaccurate information, does not align with the concept of disinformation. This is known as misinformation where you believe the information is true but in fact it is false.
Option B is incorrect because Liam’s practice of fact-checking indicates responsible behavior and does not involve spreading false information for manipulation.
Option D is incorrect because participating in a constructive discussion about office policies does not relate to the concept of disinformation, which revolves around the intentional spread of false information to deceive or manipulate.
61
A user has reported to the security team that they left their laptop logged in and unattended. This laptop has a certificate that they use to access the payroll application. What should the security administrator do first?
A. Revoke the certificate for the payroll application
B. Get the user to make a statement
C. Add the certificate to the CRL
D. Report the user to their line manager
## Footnote
Chapter 7
The correct answer is option **C**. The certificate must be added to the Certificate Revocation List (CRL). This invalidates the certificate and prevents its use. As this is for a payroll application, it must be done immediately.
Option A is incorrect as you cannot revoke a certificate for one application; the certificate can only be revoked from all further use.
Option B is incorrect as it is not a main priority. The priority is to deal with the incident and then take a statement.
Option D is incorrect as it is not a main priority. The main problem is to deal with the incident and then report it to the user’s line manager later.
62
After some routine checks of a company’s virtual network, three rogue virtual machines were found connected to the network. These machines were overutilizing resources. What should be done to prevent this from happening again? (Select TWO.)
A. Implement manual procedures for VM provisioning, utilization, and decommissioning, focusing on careful oversight and deliberate decision-making
B. Craft explicit guidelines for the provisioning, utilization, and
eventual decommissioning of Virtual Machines (VMs)
C. Employ automated solutions to instantiate virtual machines
(VMs) by leveraging predefined templates and established
configurations
D. Avoid using predefined templates and automated tools to adapt swiftly to dynamic workload requirements
## Footnote
Chapter 7
The correct answers are option **B** and option **C**. The attack described is known as a Virtual Machine (VM) sprawl. It could lead to leaving the company wide open to other attacks. Creating a policy on resourceallocation followed by using an automated process will prevent VM sprawl. The policy will prevent unmanaged VMs from being deployed on the network. Automating the process of creating VMs will further reduce user error and prevent rogue machines from being added to the virtual network.
Option A is incorrect as manual procedures to provision VMs might be prone to human errors and leave the virtual network vulnerable.
Option D is incorrect as using predefined templates streamlines the process, ensures that there are no deviations from the policies, and reduces the risk of configuration errors.
63
The CEO of a company is going on a trip and taking their company mobile phone with them. They will be listening to music on this phone using earbuds. What security practice should you advise them to follow after each session of the mentioned phone usage? (Select the MOST secure option.)
A. Turn off the phone’s Bluetooth
B. Turn off the phone’s Wi-Fi
C. Clean the earbuds
D. Change the Bluetooth username and password
## Footnote
Chapter 7
The correct answer is option **A**. Earbuds use a Bluetooth connection, and this is very insecure as it is very easy for a malicious actor to pair to the host device. As a security measure, Bluetooth should be turned off when not in use.
Option B is incorrect as earbuds do not typically use a wireless connection because they use Bluetooth.
Option C is incorrect because cleaning the earbuds has no effect on the mobile phone settings.
Option D is incorrect because Bluetooth-enabled devices first pair with each other using a password or PIN. They do not use a traditional username and password for direct login.
64
A company is going to use a third-party service to develop a new human resources application that will hold sensitive information. Which of the following is the GREATEST risk that they will encounter?
A. Outsourcing of some of the code development to their supply chain
B. Weak configurations
C. Default settings being used on the application
D. Integration with current applications
## Footnote
Chapter 7
The correct answer is option **B**. Weak configurations might include using default passwords, inadequate encryption settings, or overly permissive access controls. This could lead to dire consequences, including unauthorized access to sensitive data, loss of critical information, and potential legal or regulatory repercussions.
Option A is incorrect because your contractor outsourcing application development is a risk, but it is not the greatest risk.
Option C is incorrect because default settings can only be configured after the application has already been written.
Option D is incorrect because, although integration is important, it is not the primary concern when it comes to developing applications. It addresses compatibility rather than security.
65
A company recently encountered security breaches resulting in the unauthorized acquisition of sensitive data. What proactive measure can the security team adopt to effectively minimize the potential for such data breaches in the future?
A. Use default settings
B. Implement host-based firewalls
C. Limit the use of admin accounts
D. Implement Data Loss Prevention (DLP)
## Footnote
Chapter 7
The correct answer is option **D**. Data Loss Prevention (DLP) ensures that personally identifiable information (PII) and other sensitive data remain confined within the bounds of your network, impeding any attempts at unauthorized data exfiltration.
Option A is incorrect because the default configuration settings fail to provide a safeguard against the unlawful acquisition of personally identifiable information (PII) and sensitive data.
Option B is incorrect because, while a host-based firewall enhances computer security, its effectiveness against company data theft is limited, given that most breaches occur from servers rather than workstations.
Option C is incorrect because, while implementing restricted admin accounts is a prudent measure, it might not entirely prevent the unauthorized acquisition of sensitive data.
66
In a security incident, a user’s password was compromised through a relentless and automated attack on their account. What proactive measure can organizations adopt to counteract this kind of threat and enhance authentication security?
A. Deployment of Multi-Factor Authentication (MFA)
B. Periodic password rotation for all user accounts
C. Implementation of robust intrusion detection systems
D. Captcha integration for stronger bot detection
## Footnote
Chapter 7
The correct answer is option **A.** Multi-Factor Authentication (MFA) adds an extra layer of security. Even if passwords are compromised through attacks such as brute-force attacks, MFA will ask for additional verification.
Option B is incorrect because periodic password rotation can be burdensome for users and may not effectively prevent compromised passwords.
Option C is incorrect because intrusion detection systems look out for suspicious activity but do not directly prevent password compromise.
Option D is incorrect because captcha integration helps prevent automated bot attacks but does not address compromised passwords directly.
67
A USB drive is discovered on the reception floor of an office. What distinct cybersecurity threat will it pose if plugged into a computer?
A. Unauthorized cloud storage access.
B. Potential device overheating
C. A malicious USB attack
D. Incompatibility with software.
## Footnote
Chapter 7
The correct answer is option **C**. An unattended USB drive can carry malware and initiate a malicious USB attack when connected to a computer, potentially compromising the system.
Option A is incorrect because this could be the result of plugging the USB drive in, but it is only one of a number of outcomes and is not the specific threat.
Option B is incorrect as overheating is not a cybersecurity attack.
Option D is incorrect as it is not a cybersecurity attack
68
What are the unique risks associated with purchasing software from a market stall? (Select TWO.)
A. No proof of purchase
B. Uncertain origin and authenticity
C. Inadequate customization features
D. Poor physical packaging and manuals
## Footnote
Chapter 7
The correct answers are option **A** and option **B**. Purchasing software from a market stall may result in the absence of proof of purchase, making it difficult to seek assistance or refunds if issues arise. Furthermore, software from market stalls might lack clear origin and authenticity verification, posing security and legitimacy concerns.
Option C is incorrect because inadequate customization features are not typically associated with the risks of purchasing software from a market stall.
Option D is incorrect because physical packaging and manuals are not unique to market stall purchases and do not address potential risks.
69
What is a “VM escape” in the context of virtualization and cybersecurity, and why is it significant in virtualized environments?
A. A method to enhance virtual machine (VM) performance by optimizing resource allocation
B. A process of securely transferring VMs between different host servers
C. A breach where an attacker gains unauthorized access to the host system from within a virtual machine
D. A technique to create virtual machine templates for rapid deployment of applications
## Footnote
Chapter 7
The correct answer is option **C**. A VM escape occurs when an attacker breaks out of a virtual machine and gains unauthorized access to the host system, posing significant security risks.
Option A is incorrect because, while resource optimization is a virtualization concern, it does not relate to the concept of VM escape.
Option B is incorrect because transferring VMs between hosts is part of virtualization management but is not directly tied to VM escape.
Option D is incorrect because creating virtual machine templates is part of provisioning and does not describe the concept of VM escape.
70
When incorporating a third-party library to aid in code development, what potential security risk should developers be particularly cautious of, and why is awareness crucial in mitigating this risk?
A. Code complexity, leading to performance degradation
B. Incompatibility with existing software systems
C. Exposure to vulnerabilities within the library code
D. Dependency on external developers for maintenance
## Footnote
Chapter 7
The correct answer is option **C**. Third-party libraries might contain vulnerabilities, such as a backdoor, that can be exploited by attackers. We should always use trusted source code libraries.
Option A is incorrect because code complexity can impact performance, but it is not the primary security risk associated with using third-party libraries.
Option B is incorrect because incompatibility can cause issues, but it is not the security risk emphasized in the question.
Option D is incorrect because dependency on external developers relates to maintenance but doesn’t address the specific security risk discussed
71
On Monday morning at 9 am, the files of a company’s Chief Financial Officer (CFO) are deleted without any warning. The IT Support team restored the data, but on the following Monday morning at 9 am, the files were again deleted. Which of the following BEST describes this type of attack?
A. A logic bomb
B. A buffer overflow
C. A Trojan
D. A rootkit
## Footnote
Chapter 8
The correct answer is option **A**. A logic bomb is malicious code that is set to trigger an event (e.g., file deletion) at a specific time (e.g., Monday morning at 9 am).
Option B is incorrect because a buffer overflow involves manipulating program memory, not scheduled file deletions.
Option C is incorrect because a Trojan normally infiltrates systems with a download but doesn’t exhibit scheduled, recurring actions.
Option D is incorrect because a rootkit conceals malicious activities but doesn’t trigger scheduled file deletions
72
You are the lead cybersecurity analyst at a large financial institution. Lately, your organization has been facing a series of security incidents. In one incident, sensitive customer data was stolen, leading to a data breach. In another, an employee’s computer was compromised, and suspicious activity was detected on the network. After a thorough investigation, you discover that, in both incidents, the attackers used malware that disguised itself as a legitimate program and allowed unauthorized access to the affected systems. What type of cyberattack best describes the scenario?
A. A DDoS attack
B. A logic bomb
C. Trojan
D. A phishing attack
## Footnote
Chapter 8
The correct answer is option **C**. Trojans are malicious programs that often disguise themselves as legitimate software and perform harmful actions when executed. They can provide unauthorized access to systems, steal data, or perform other malicious activities, as described in the scenario.
Option A is incorrect because DDoS attacks involve overwhelming a system with traffic to disrupt services, which is different from the scenario described.
Option B is incorrect because logic bombs are triggered by specific conditions or events to execute malicious actions within a program, but they do not disguise themselves as legitimate software.
Option D is incorrect because phishing attacks are email-based attacks, which are different from the scenario.
73
Your organization’s network security team has detected a series of incidents where user accounts were repeatedly locked out. These incidents have caused disruptions in employee productivity and raised concerns about potential security threats. What type of cyberattack is most likely responsible for the repeated account lockouts described in the scenario?
A. A logic bomb
B. A brute-force attack
C. A Trojan
D. A DDoS attack
## Footnote
Chapter 8
The correct answer is option **B**. During a brute-force attack, accounts are often locked out because of multiple failed login attempts. This happens because account lockout has been set with a low value for attempts.
Option A is incorrect because logic bombs are triggered by specific conditions or events to execute malicious actions within a program, but they are not related to repeated account lockouts. Option C is incorrect because Trojans are malicious programs that typically disguise themselves as legitimate software but do not directly cause repeated account lockouts.
Option D is incorrect because distributed denial of service (DDoS) attacks aim to overwhelm a system with traffic to disrupt services, but they do not typically result in account lockouts.
74
You recently discovered that your online bank account was compromised and unauthorized transactions were made. After investigating, you found that someone had recorded your bank account password without your knowledge. What is the term for the type of malware that may have been used to record your password?
A. Hardware encryption
B. A web development language
C. A keylogger
D. An APT
## Footnote
Chapter 8
The correct answer is option **C**. Keyloggers are malicious software designed to record keystrokes on a computer, capturing user passwords and other confidential information.
Option A is incorrect because hardware encryption refers to a method of securing data during transmission and is not related to password capturing.
Option B is incorrect because it describes a programming language used for web development and is not related to password capturing.
Option D is incorrect because an APT is a more complex and long-term cyber threat, involving a group of attackers with specific targets. It does not specifically describe password capturing.
75
In a cybersecurity investigation, you discover that attackers gained unauthorized access to multiple user accounts on a popular social media platform. The attackers then used the stolen credentials to gain access to a company network. Which of the following attacks was carried out?
A. SQL injection
B. Phishing
C. Credential stuffing
D. Credential harvesting
## Footnote
Chapter 8
The correct answer is option **C**. Credential stuffing is where attackers use stolen credentials obtained from previous data breaches on a different platform, exploiting the fact that users often reuse passwords across multiple websites.
Option A is incorrect because SQL injection attacks involve manipulating SQL queries to access or modify a database, and it does not involve using stolen credentials. You might see 1=1 or a SELECT statement in the code for the attack.
Option B is incorrect because phishing attacks are email-based attacks, different from the given scenario.
Option D is incorrect because credential harvesting refers to an attacker collecting lists of credentials to resell on the dark web.
76
A popular online retail website recently experienced severe disruptions in its services, rendering the site inaccessible to users during peak shopping hours. After investigation, it was determined that the site was flooded with a massive volume of illegitimate traffic, overwhelming its servers. What type of cyberattack is most likely responsible for these disruptions?
A. A Man-in-the-Middle (MitM) attack
B. A ransomware attack
C. A DDoS attack
D. A DoS attack
## Footnote
Chapter 8
The correct answer is option **C**. DDoS attacks aim to disrupt services by flooding a target with excessive traffic, rendering it inaccessible to legitimate users.
Option A is incorrect because an MitM attack involves intercepting and possibly altering communication between two parties, but it does not typically result in service disruptions.
Option B is incorrect because ransomware typically encrypts data or systems and demands a ransom for decryption, but it does not directly involve overwhelming servers with traffic.
Option D is incorrect because a Denial of Service (DoS) attack is where the traffic comes from a single IP address – in this case, the high volume of traffic indicates it came from a number of different IP addresses.
77
You are an IT administrator responsible for the security and maintenance of a web array for a large organization. You discover that an attacker can access files outside the web root directory by manipulating input parameters. This could potentially lead to unauthorized access to sensitive files on the server. What type of vulnerability is this scenario describing?
A. A Cross-Site Scripting (XSS) vulnerability
B. A directory traversal vulnerability
C. A SQL injection vulnerability
D. Cross-Site Request Forgery (CSRF)
## Footnote
Chapter 8
The correct answer is option **B**. A directory traversal vulnerability refers to an attacker manipulating input parameters to access files outside the web root directory. Normally, when investigating the attack, an
administrator will see ../../../ and so on. Each ../ indicates movement up a website directory.
Option A is incorrect because XSS vulnerabilities involve injecting malicious scripts into web pages, not manipulating
input parameters to access files. It uses HTML tags such as .
Option C is incorrect because SQL injection vulnerabilities involve manipulating SQL queries to access or modify a database, not
accessing files on the server. It will be indicated by the SELECT*
statement or the 1=1 parameter in the attack.
Option D is incorrect because CSRF vulnerabilities involve tricking a user into carrying out an unintended action on a web application, such as clicking on a link, but they do not relate to accessing files on the server.
78
What type of attack occurs when two different inputs produce the same hash output in systems that rely on unique hash values? Select the BEST answer.
A. A buffer overflow attack
B. A pass-the-hash attack
C. A resource exhaustion attack
D. A collision attack
## Footnote
Chapter 8
The correct answer is option **D**. A collision attack occurs when two different inputs produce the same hash output. This can lead to vulnerabilities in systems that rely on unique hash values for data integrity and security.
Option A is incorrect because a buffer overflow is a different type of attack where a program writes more data to a buffer (memory storage area) than it can hold, often leading to unauthorized code execution. It’s not directly related to hash collisions.
Option B is incorrect because a pass-the-hash attack involves an attacker using stolen password hashes to authenticate to a system, without needing to know the original passwords. While it involves hashes, it’s not about generating hash collisions.
Option C is incorrect because a resource exhaustion attack aims to deplete a system’s resources to disrupt its operation and is unrelated to hash collisions.
79
In a network security audit, you discover that an attacker successfully intercepted an encrypted communication between a client and a server, downgrading the secure connection to an unencrypted one. As a result, the attacker could eavesdrop on sensitive data. Which of the following is the BEST description of this type of cyberattack?
A. A TLS/SSL downgrade attack
B. A buffer overflow attack
C. An SSL stripping attack
D. A CSRF attack
## Footnote
Chapter 8
The correct answer is option **C**. An SSL stripping attack is where an attacker successfully intercepts encrypted communication and downgrades it to an unencrypted one, allowing them to eavesdrop on sensitive data.
Option A is incorrect because a TLS/SSL downgrade attack specifically focuses on downgrading the security protocol, not intercepting encrypted communication directly. It is very close but not the best choice.
Option B is incorrect because buffer overflow attacks exploit software vulnerabilities to execute malicious code and do not involve intercepting encrypted communication.
Option D is incorrect because CSRF attacks trick users into carrying out unintended actions on a web application and do not involve intercepting encrypted communication.
80
In a security assessment, you noticed a pattern of login attempts where an attacker systematically tried common passwords across multiple user accounts, with long intervals between attempts to evade detection. What type of cyberattack is this scenario describing?
A. A brute-force attack
B. A credential stuffing attack
C. A password spraying attack
D. An XSS attack
## Footnote
Chapter 8
The correct answer is option **C**. Password spraying is where an attacker systematically tries common passwords across multiple user accounts with the goal of finding valid credentials.
Option A is incorrect because a brute-force attack is a method where an attacker continuously tries all possible combinations of passwords or keys to gain unauthorized access. They do not tend to take breaks.
Option B is incorrect because credential stuffing attacks involve using previously stolen credentials to gain unauthorized access, not systematically trying common passwords.
Option D is incorrect because XSS attacks involve injecting malicious scripts into web pages and are unrelated to password-based login attempts.
81
In a large enterprise network, the human resources department and the IT department each require isolation from the rest of the company’s network. Which of the following is the MOST appropriate security technique to achieve this isolation while still allowing these departments to communicate internally?
A. Creating a VLAN for each department
B. Physical segmentation
C. An ACL
D. A NAT
## Footnote
Chapter 9
The correct answer is option **A**. Two separate VLANs can be created, one for HR and another for the IT department within the same physical network switch. This will allow both departments to communicate internally while remaining separate from the rest of the company’s network.
Option B is incorrect because physical segmentation involves physically separating network devices, which may not be necessary in this scenario. The solution is using logical separation.
Option C is incorrect because access control lists (ACLs) are used to control access to resources based on criteria such as IP addresses, but they cannot create isolation between departments.
Option D is incorrect because a network address translation (NAT) is used for translating private IP addresses to public IP addresses and hiding the internal network from external attackers.
82
In an enterprise environment, a user wants to install a game on their workstation, which is against company policy. What is the most effective mitigation technique to prevent the user from installing the game?
A. Implementing strong firewall rules to block gaming websites.
B. Using intrusion detection systems to monitor the workstation
C. Creating an application allow list
D. Increasing user privileges to allow game installations
## Footnote
Chapter 9
The correct answer is option **C**. Creating an application allow list (formerly known as a whitelist) is an effective mitigation technique to prevent unauthorized software installations, including games, on workstations. It allows only approved applications from the allow list to run while blocking all others. Option A is incorrect because blocking gaming websites with firewall rules may restrict access to the websites but will not prevent local software installations.
Option B is incorrect because intrusion detection systems monitor for suspicious network
activity but do not directly prevent local software installations. Option D is incorrect because increasing user privileges would allow the user to
install software.
83
You are the cybersecurity administrator for a multinational corporation where one of your enterprise’s domain controllers has been infected with a virus. What is the first step you should take to mitigate the situation and prevent the further spread of the virus?
A. Shut down the domain controller immediately
B. Disconnect the domain controller from the network
C. Run a full antivirus scan on all computers in the network
D. Increase firewall rules for the domain controller
## Footnote
Chapter 9
The correct answer is option **B**. The first step in this situation to prevent the further spread of the virus is to disconnect the infected domain controller from the network. This isolates the compromised system and
prevents it from infecting other devices, and it also allows access to the contents of the random-access memory for forensic investigation. Option A is incorrect because shutting down the domain controller is an
option but you will lose the contents of the random-access memory that may be needed for forensic investigation. Further, once you restart the domain controller, the virus will reappear. Option C is incorrect because running a full antivirus scan is important but it should come after isolating the infected system. It is likely that your antivirus solution is not up to date; otherwise, it would have prevented the infection. Option D is incorrect because increasing firewall rules may help prevent future infections but the first step when dealing with an infected system is to isolate the system to prevent further spread.
84
A large financial institution is concerned about protecting customer data from potential breaches. They want a real-time solution that can actively inspect and block network threats. Which of the following network security devices or technologies should they consider?
A. A jump server for secure remote access
B. A load balancer to distribute website traffic
C. An inline Intrusion Prevention System (IPS)
D. Layer 7 firewall rules for web application security
## Footnote
Chapter 9
The correct answer is option **C**. An inline Intrusion Prevention System (IPS) would actively inspect and block network threats, helping to protect customer data in real time.
Option A is incorrect because a jump server is used for secure remote access but doesn’t actively inspect and block network threats.
Option B is incorrect because load balancers distribute traffic but don’t provide the same threat protection as an IPS.
Option D is incorrect because Layer 7 firewall rules focus on application security, not real-time threat detection.
85
You are the network administrator for an organization whose critical systems have been compromised by a zero-day vulnerability. The attack has already caused significant damage, and the security team needs to respond promptly. Which of the following patch management strategies should the organization prioritize to mitigate further damage and prevent future attacks?
A. Isolate the compromised systems from the network to prevent further spread of the attack until a patch has been developed
B. Apply the latest patches immediately to all systems, regardless of their criticality
C. Roll back all affected systems to their previous state before the attack occurred, restoring them to a known secure configuration
D. Implement additional network monitoring and intrusion detection systems to monitor for any further malicious activity
## Footnote
Chapter 9
The correct answer is option **A**. A zero-day virus has no patch; therefore, you need to conduct a detailed analysis of the compromised systems, identify the specific zero-day vulnerability, and work with vendors to develop a customized patch. This approach addresses the root cause of the attack (i.e., no patch) and can prevent further incidents by isolating the compromised system. Option B is incorrect because applying the latest patches immediately to all systems, regardless of their criticality, will not address the specific zero-day vulnerability, as there is no known patch for it. Option C is incorrect because rolling back systems to a previous state may remove the immediate threat but does not address the underlying vulnerability. This approach may leave
the organization exposed to future attacks targeting the same vulnerability. Option D is incorrect because implementing additional network monitoring and intrusion detection systems will not help detect a zero-day vulnerability. Immediate isolation takes precedence.
86
Following an audit by a third-party auditor, an enterprise decides to implement additional mitigation techniques to secure its digital infrastructure. What is the primary purpose of this approach? (Select the BEST solution.)
A. To provide real-time protection against physical cyber threats
B. To eliminate all potential vulnerabilities within the network
C. To maximize the organization’s network speed and
performance
D. To reduce the risk and impact of security incidents
## Footnote
Chapter 9
The correct answer is option **D**. The purpose of mitigation techniques is to reduce the risk and impact of security incidents. Mitigation techniques aim to minimize vulnerabilities and protect the organization from cyber threats.
Option A is incorrect because mitigation techniques primarily aim to reduce the risk and impact of security incidents, including both online and physical threats.
Option B is incorrect because mitigation techniques cannot eliminate all potential vulnerabilities entirely.
Option C is incorrect because mitigation techniques primarily focus on security, not on maximizing network speed and performance.
87
What are the two roles of a SOAR system in cybersecurity? (Select TWO.)
A. To provide real-time protection against cyber threats
B. To eliminate all potential vulnerabilities within a network
C. To automate and streamline incident response processes
D. To release IT staff to deal with more important tasks
## Footnote
Chapter 9
The correct answers are option **C** and option **D**. The role of a security orchestration, automation, and response (SOAR) system is to automate and streamline incident response processes in cybersecurity and release IT staff from mundane tasks, freeing them to carry out more important tasks. Option A is incorrect because a SOAR system’s primary purpose is searching log files to detect threats. It is more focused on automating and streamlining the incident response process. Option B is incorrect
because a SOAR system does not eliminate all potential vulnerabilities within a network. It is designed for incident response and process automation, not vulnerability management.
88
Which of the following statements best describes the role of mitigation techniques in the context of enterprise security?
A. Mitigation techniques are only relevant after a security breach
has occurred
B. Mitigation techniques are designed to identify and classify all
vulnerabilities in a network
C. Mitigation techniques aim to reduce the likelihood and impact
of security incidents
D. Mitigation techniques focus solely on data backup and
recovery strategies
## Footnote
Chapter 9
The correct answer is option **C**. Mitigation techniques aim to reduce the likelihood and impact of security incidents because they use measures to prevent security breaches and minimize their consequences.
Option A is incorrect because mitigation techniques are proactive measures aimed at preventing breaches and minimizing their impact rather than reactive measures.
Option B is incorrect because mitigation techniques do not focus on identifying and classifying all vulnerabilities in a network. Their primary goal is to reduce the likelihood and impact of security incidents, thereby addressing specific vulnerabilities but not categorizing them.
Option D is incorrect because mitigation techniques do not focus on data backup and recovery strategies because this is the job of a backup administrator.
89
In an enterprise security setup, which technology is primarily
responsible for collecting, analyzing, and correlating logs from multiple sources, helping to detect and respond to security incidents in real time?
A. A vulnerability scanner
B. EDR
C. SIEM
D. SOAR
## Footnote
Chapter 9
The correct answer is option **C**. A SIEM system can correlate logs from multiple sources and analyze them to detect and respond to security incidents in real time.
Option A is incorrect because a vulnerability scanner’s role is to scan and identify vulnerabilities in systems and networks, not analyze logs in real time.
Option B is incorrect because EDRs focus on monitoring and responding to security incidents on individual endpoints. They do not collect and correlate logs from multiple sources across the enterprise.
Option D is incorrect because SOAR systems can automate incident response workflows and are not the primary technology for correlating logs, which is the role of the SIEM system.
90
Which of the following cybersecurity solutions is primarily responsible for scanning the enterprise network for missing patches and software flaws? (Select the BEST TWO.)
A. A credentialed vulnerability scan
B. EDR
C. SIEM
D. SOAR
E. Nessus
## Footnote
Chapter 9
The correct answers are option **A** and option **E**. Both a credentialed vulnerability scanner and Nessus are cybersecurity solutions that can scan an enterprise network for vulnerabilities, including missing patches and software flaws. They assess the severity of these vulnerabilities and provide recommendations for mitigation.
Option B is incorrect because EDR focuses on monitoring and responding to security incidents on individual endpoints and does not perform vulnerability scanning and assessment.
Option C is incorrect because SIEM systems are used for log collection and correlation, not for vulnerability scanning and assessment.
Option D is incorrect because SOAR systems are used to automate incident response workflows and integrate security tools based on predefined playbooks. They do not conduct vulnerability scanning or assessment.
91
Following a malware attack on an AutoCAD machine, which of the following cybersecurity solutions should a company utilize to detect similar threats early and prevent them from recurring in the future?
A. EDR
B. SIEM
C. SOAR
D. A credentialed vulnerability scanner
## Footnote
Chapter 10
The correct answer is option **A**. EDR solutions are specifically designed for the early detection of threats on individual endpoints, which makes them suitable for identifying and preventing similar malware infections in the future.
Option B is incorrect because SIEM systems are excellent for collecting and correlating logs from various sources to identify security incidents, but they are not designed for prevention on individual endpoints.
Option C is incorrect because SOAR systems can automate incident response workflows. They do not carry out early threat detection on individual endpoints.
Option D is incorrect because a credentialed vulnerability scanner looks for missing patches and software flaws and does not detect threats.
92
In a rapidly evolving technology company, a new software update is about to be implemented that could have a significant impact on the efficiency of customer support operations. What component of change management is essential to ensure that customer support operations are not adversely affected by this update?
A. Ownership
B. Test results
C. An approval process
D. A maintenance window
## Footnote
Chapter 10
The correct answer is option **C**. The approval process is a critical aspect of change management that ensures proposed changes are scrutinized before implementation. This step involves assessing the impact of changes on customer support operations, resource allocation, and potential risks.
Option A is incorrect because although ownership is important for accountability, as it designates an individual responsible for overseeing and executing changes, it does not evaluate potential security impacts.
Option B is incorrect because although test results are crucial to ensuring that changes work as intended, they don’t introduce any unforeseen complications or security flaws.
Option D is incorrect because a maintenance window refers to the period when changes to a system are implemented while causing minimal disruption
93
In the context of digital security, what designation is attributed to a record of explicitly authorized entities or actions that shape a meticulously controlled environment?
A. Cryptography
B. Threat actors
C. An allow list
D. Malware detection
## Footnote
Chapter 10
The correct answer is option **C**. An allow list (formerly known as a whitelist) is a security measure involving a list of explicitly permitted entities, actions, or elements. It’s employed to ensure a highly controlled environment where only approved entities or actions are permitted, thereby reducing the attack surface and enhancing security.
Option A is incorrect because cryptography involves techniques for secure communication but does not provide explicit lists of permitted entities.
Option B is incorrect because threat actors are individuals or groups that pose security risks. They do not provide a record of authorized entities. In fact, these actors should be added to the deny list themselves.
Option D is incorrect because malware detection focuses on identifying malicious software, which would be on the deny list.
94
In the pursuit of maintaining precision in depicting network
configurations, which method aligns most closely with the genuine network infrastructure and allows for a reliable reflection of its current state and structure?
A. Regression testing
B. Updating diagrams
C. Data masking
D. Version control
## Footnote
Chapter 10
The correct answer is option **B**. Updating diagrams is a crucial practice that involves keeping visual representations of the network infrastructure current and accurate to ensure that they closely mirror the real network configuration, which is vital for effective network management and troubleshooting.
Option A is incorrect because regression testing involves testing to ensure that code changes haven’t negatively impacted existing functionality; it does not relate to network infrastructure.
Option C is incorrect, as data masking involves disguising sensitive information, which is not directly related to network infrastructure.
Option D is incorrect, as version control tracks
changes to documents, papers, and software, not infrastructure.
95
Within the framework of change management, which critical element provides a detailed set of instructions to be executed in the event of unexpected issues or failures following change implementation, ensuring a systematic response and recovery process?
A. Ownership
B. A backout plan
C. A maintenance window
D. Test results
## Footnote
Chapter 10
The correct answer is option **B**. A backout plan serves as an essential component of change management that offers a comprehensive set of instructions to address unexpected issues or failures during change implementation, enabling a structured approach to recovery and ensuring minimal disruption to operations.
Option A is incorrect, as ownership involves designating responsible individuals to oversee and execute changes. It does not take any steps to remedy change failures.
Option C is incorrect because a maintenance window refers to the period when changes to a system are implemented while causing minimal disruption.
Option D is incorrect, as test results assess the functionality and suitability of changes before implementation. They do not address change failures.
96
You are the IT manager of a busy e-commerce website. During a routine server maintenance operation, the website’s functionality is temporarily halted to implement important security updates and optimize performance. What specific term describes this period when the website is not operational, causing inconvenience to users but ensuring the long-term security and efficiency of the platform?
A. A maintenance window
B. Overhead
C. Downtime
D. Latency
## Footnote
Chapter 10
The correct answer is option **C**. Downtime is the term used to describe this period when the website is temporarily unavailable due to scheduled maintenance, causing temporary inconvenience to users. Option A is incorrect, as a maintenance window is a scheduled event and causes minimal disruption. Option B is incorrect, as overhead refers to the additional resources or tasks required beyond essential functions, and it’s not directly related to a system’s operational status. Option D is incorrect, as latency refers to the delay between an action and a response. It is often related to network performance, rather than a system’s operational status
97
In the context of software development, what do the terms “software interactions” and “relationships” collectively describe that emphasizes the intricate connections between various software components and their crucial role in project planning and execution?
A. Software defects
B. Incompatibilities
C. Software dependencies
D. Error handling
## Footnote
Chapter 10
The correct answer is option **C**. Software dependencies collectively encompass the complex interactions and relationships between various software components. These dependencies are crucial in software development, as they define how different parts of the software rely on each other, affecting project planning, execution, and overall project success. Option A is incorrect, as software defects refer to flaws or errors in software code, not to the relationships between software components. Option B is incorrect, as incompatibilities could refer to issues between different software or hardware elements, but they do not capture the concept of dependencies. Option D is incorrect, as error handling involves managing errors and exceptions in software, but it’s not directly related to the interactions between software components.
98
You are the IT manager of a busy e-commerce website. The holiday shopping season is approaching, and you need to plan system updates to improve performance. What is the primary objective of scheduling a maintenance window for these updates?
A. To maximize resource utilization
B. To reduce the need for regular system backups
C. To ensure updates are implemented without disrupting users
D. To bypass the need for change management procedures
## Footnote
Chapter 10
The correct answer is option **C**. Scheduling a maintenance window is primarily done to ensure updates are implemented without disrupting users, especially during critical periods such as the holiday shopping season, when website availability is crucial. Option A is incorrect because while optimizing resource utilization is important, it’s not the primary reason for scheduling a maintenance window. Option B is incorrect, as maintenance windows don’t directly relate to system backup procedures. Option D is incorrect because this is not the primary purpose of a maintenance window. Proper change management procedures are crucial for maintaining security and stability, so bypassing them is not advisable.
99
You are using photo editing software when the program suddenly becomes unresponsive. What is the BEST specific action you can take to potentially resolve this issue and refresh the program’s resources?
A. An application refresh
B. An application restart
C. Application reloads
D. An application reset
## Footnote
Chapter 10
The correct answer is option **B**. An application restart involves closing and then reopening an application to address issues, refresh resources, or implement changes and can often resolve software-related problems without the need for more drastic measures, such as reinstalling the software or rebooting the entire system.
Option A is incorrect because while similar to a restart, a refresh involves renewing certain elements without closing and reopening the entire application and would not solve its unresponsiveness.
Option C is incorrect, as reloading mightrefer to loading specific data or content, but it doesn’t capture the complete process of closing and reopening an application.
Option D is incorrect, as a reset could encompass broader actions beyond closing and reopening and could return the program to default settings, increasing the potential for lost work.
100
The cybersecurity team has highlighted the importance of updating network topology diagrams regularly. Why is this practice crucial for enhancing security measures in your organization’s IT infrastructure?
A. It enhances network speed
B. It reduces the need for cybersecurity tools
C. It ensures visual consistency
D. It aids in gaining an understanding of the current environment
## Footnote
Chapter 10
The correct answer is option **D**. Updating network topology diagrams is crucial for enhancing security measures because it facilitates a comprehensive understanding of the current IT environment, allowing for more effective security planning and management.
Option A is incorrect, as updating diagrams doesn’t directly impact network speed; it’s more concerned about accuracy and understanding.
Option B is incorrect, as while accurate diagrams can aid cybersecurity efforts, they don’t inherently reduce the need for dedicated cybersecurity tools.
Option C is incorrect, as while visual consistency is valuable, the
primary reason for updating diagrams is to reflect the accurate state of an environment.
101
You are a software development team lead preparing to deploy a critical update to your company’s e-commerce platform. Before employing the changes to the production environment, what is the primary goal of reviewing and analyzing test results?
A. To validate user documentation
B. To ensure data backup procedures
C. To confirm that the team adheres to coding standards
D. To identify and address potential issues or defect
## Footnote
Chapter 11
The correct answer is option **D**. Reviewing and analyzing test results in software development is primarily done to identify and address potential issues or defects before deploying changes to the production environment, ensuring a smoother and more reliable transition. Option A is incorrect, as test results are primarily focused on the technical aspects of the software, not on user documentation. Option B is incorrect, as while data backup is important, it’s not the main purpose of reviewing test results. Option C is incorrect, as while coding standards are important, the main purpose of reviewing test results is to identify and address issues in code.
102
You are the network administrator for a multinational corporation with a large, complex network environment in which security considerations are paramount. The IT manager has asked you to explain to the board of directors why you have recommended that they include a stateful firewall in next year’s budget to enhance your cybersecurity posture. Which of the following is the BEST description of why the organization should purchase a stateful firewall?
A. To filter packets based solely on IP addresses and port numbers
B. To analyze network traffic patterns and detect anomalies in real time
C. To improve network performance by caching frequently
accessed data
D. To create a secure tunnel for remote access between two
network segments
## Footnote
Chapter 11
The correct answer is option **B**. Stateful firewalls excel in analyzing traffic patterns and identifying unusual behavior, thereby providing enhanced security.
Option A is incorrect because stateful firewalls offer more advanced capabilities beyond simple IP and port filtering. This answer describes a basic packet-filtering firewall.
Option C is incorrect because caching is a function typically associated with proxy servers, not stateful firewalls.
Option D is incorrect because a stateful firewall does not create a secure session between two network segments
103
A multinational corporation is planning to implement a new network security strategy to protect its sensitive data. They have several remote offices worldwide, and their employees frequently travel and work remotely. The company is concerned about potential security threats and data breaches and wants to enhance security while still ensuring seamless connectivity. Which of the following network security measures would be most suitable for their needs?
A. Implementing a site-to-site VPN to secure communication
between office locations
B. Enforcing 802.1X authentication for wireless and wired
network access
C. Using DNS Round Robin for load balancing across their web
servers
D. Deploying a Web Application Firewall (WAF) to protect
against online threats
## Footnote
Chapter 11
The correct answer is option **A**. Implementing a site-to-site VPN would secure communication between office locations, ensuring data confidentiality and integrity while accommodating the organization’s global reach and remote workforce.
Option B is incorrect because while 802.1X authentication is essential for network access control, it doesn’t address the specific concerns of remote office connectivity.
Option C is incorrect because using DNS Round Robin is a simple method for load balancing traffic across web servers and does not relate to secure connections.
Option D is incorrect as a Web Application Firewall (WAF) is essential for protecting web servers and their web applications
but not for securing data in transit between offices.
104
A cybersecurity firm needs a solution to the secure management and monitoring of its clients’ sensitive systems that will minimize the exposure of client networks to potential threats. What network security approach should they adopt? Select the BEST option:
A. Implementing a reverse proxy server for client connections
B. Deploying a jump server within the location of the sensitive
data
C. Using IPsec transport mode for data encryption
D. Enforcing 802.1X authentication for client access
## Footnote
Chapter 11
The correct answer is option **B**. Deploying a jump server will allow the cybersecurity firm to directly access the location that it needs to manage and monitor.
Option A is incorrect as a reverse proxy server is used for authenticating and decrypting incoming requests. It will never be used to access sensitive data.
Option C is incorrect because IPsec transport mode focuses on creating a secure tunnel for internal data encryption between two servers.
Option D is incorrect as 802.1X authentication is typically used for internal network access via a managed switch and RADIUS server.
105
A multinational corporation wants to enhance security and privacy for its employees’ internet usage. They also aim to optimize bandwidth utilization. Where should they place proxy servers to achieve these goals?
A. Inside the Local Area Network (LAN) near employee
workstations
B. In front of the web server hosting the company’s public website
C. At the edge of the screened subnet between the internet and
internal network
D. Between the firewall and external network routers
## Footnote
Chapter 11
The correct answer is option **C**. Placing proxy servers at the edge of the demilitarized zone (DMZ) can enhance security and privacy and optimize bandwidth utilization for employee internet usage.
Option A is incorrect because placing proxy servers inside the Local Area Network (LAN) may not provide the right level of security for outbound internet traffic. Some users may access resources from the screened subnet where no filtering can take place if the proxy server is in the LAN.
Option B is incorrect because placing proxy servers in front of the web server is more focused on protecting the web server rather than monitoring or optimizing employee internet usage. It’s typically part of a WAN setup and wouldn’t be effective for internal traffic management.
Option D is incorrect because placing proxy servers between the
firewall and external routers may not optimize bandwidth utilization effectively.
106
A medium-sized manufacturing company wants to restrict access to its sensitive production network. They need a solution to filter incoming and outgoing traffic based on specific rules. What network device or technology is the BEST choice for this?
A. A Unified Threat Management (UTM) firewall
B. IPsec transport mode for data encryption
C. Access Control Lists (ACLs) for traffic filtering
D. A load balancer for distributing network traffic
## Footnote
Chapter 11
The correct answer is option **C**. Routers and firewalls are the only network devices that use an ACL, and both sit at the edge of your network. Enforcing Access Control Lists (ACLs) allows the company to filter traffic based on specific rules and can restrict access to its network.
Option A is incorrect as while a UTM firewall is important, it
focuses on broader security functions, such as malware inspection, content filtering, and URL filtering, rather than restricting access to an overall network.
Option B is incorrect because IPsec transport mode is
primarily for data encryption, not traffic filtering.
Option D is incorrect because load balancers distribute traffic but don’t provide the same level of traffic filtering as ACLs.
107
A healthcare organization handles sensitive patient records and, as such, must comply with strict data privacy regulations. They want to establish a comprehensive network security solution to prevent exfiltration of this data. Which of the following options BEST fits their requirements?
A. Using a reverse proxy server for web application security
B. Enforcing 802.1X authentication for network access
C. Deploying a UTM firewall
D. Implementing IPsec transport mode for secure data
transmission
## Footnote
Chapter 11
The correct answer is option **C**. Deploying a Unified Threat
Management (UTM) firewall offers comprehensive network security, including threat detection and data loss protection, which are vital for preventing patient records from leaving a network.
Option A is incorrect because a reverse proxy server focuses on incoming authentication and the decryption of incoming traffic. It cannot control outgoing traffic.
Option B is incorrect. 802.1X enhances network security by
authenticating devices and users, controlling access, and enforcing security policies, all of which make it a critical component of overall network security but do not grant it the ability to prevent data from leaving a network.
Option D is incorrect because IPsec transport mode primarily focuses on data encryption within a network. It does not monitor sensitive information.
108
A rapidly growing start-up has recently expanded its online services to offer customers a wide range of new features. However, the Chief Technology Officer (CTO) is concerned about the increasing attack surface. What measures should they take to minimize potential vulnerabilities? Select the BEST option:
A. Implementing a WAF for real-time threat protection
B. Regularly conducting security audits to identify and address
vulnerabilities
C. Enforcing 802.1X authentication for employees accessing the
internal network
D. Using DNS Round Robin for load balancing across multiple
servers
## Footnote
Chapter 11
The correct answer is option **B**. Regularly conducting security audits helps identify and address vulnerabilities across the attack surface.
Option A is incorrect as a Web Application Firewall (WAF) focuses on application layer security by protecting web servers and web
applications but doesn’t directly reduce the attack surface.
Option C is incorrect as 802.1X authentication is for network access control, ensuring that only authenticated users and devices can access a network. It is primarily focused on controlling internal network access rather than securing a customer-facing network.
Option D is incorrect as DNS Round Robin is useful for load balancing but doesn’t address the attack surface concerns.
109
What are the key differentiators between Layer 4 and Layer 7 firewalls?
A. Layer 7 firewalls operate at the network layer, providing better performance
B. perform deep packet inspection for advanced
threat detection
C. Layer 7 firewalls can inspect and block traffic based on
application-specific content
D. Layer 4 firewalls provide more granular access control for user authentication
## Footnote
Chapter 11
The correct answer is option **C**. Layer 7 firewalls can inspect and block traffic based on application-specific content to provide a deeper level of security than their Layer 4 counterparts.
Option A is incorrect because Layer 7 firewalls operate at the application layer, not the network layer, and performance can vary depending on the specific firewall.
Option B is incorrect because Layer 4 firewalls focus on network-level controls, not deep packet inspection.
Option D is incorrect because Layer 4 firewalls provide access control but not to the granularity of applicationspecific content filtering
110
A large enterprise hosts critical web applications internally and wants to ensure their security. They’re considering the use of a reverse proxy server. In what way can this enhance the security of their web applications?
A. By encrypting internal network communications
B. By optimizing load balancing for web traffic
C. By providing a secure gateway for external users
D. By enforcing strong password policies for web application
user
## Footnote
Chapter 11
The correct answer is option **C.** A reverse proxy server can provide a secure gateway for external users, protecting web applications from direct exposure to the internet.
Option A is incorrect because encrypting internal network communications is not the primary role of a reverse proxy and would not increase the security of web applications.
Option B is incorrect because load balancing optimization is a feature but would not directly increase security.
Option D is incorrect because enforcing strong password policies is a user management task, not a function of a reverse proxy.
111
You are tasked with protecting sensitive information that includes personally identifiable data subject to strict privacy laws. Which data type should you focus on safeguarding?
A. Regulated
B. Trade secrets
C. Intellectual property
D. The results of an internal audit
## Footnote
Chapter 12
The correct answer is option **A.** Regulated data refers to information governed by specific laws and regulations, such as data protection and privacy laws. Personally identifiable data (PII) is regulated.
Option B is incorrect because trade secrets relate to proprietary business information and not personal data.
Option C is incorrect, as intellectual property includes patents, copyrights, and trademarks, not personal data.
Option D is incorrect, as the data would be corporate confidential and not personal data
112
A multinational corporation stores sensitive customer data. To comply with data privacy regulations, it implements a method to restrict access to this data to the sales team, based on which hotel they are in while they are on national and international sales trips. Which security method are they using?
A. Geographic restrictions
B. Encryption
C. Masking
D. Hashing
## Footnote
Chapter 12
The correct answer is option **A**. Geographic restrictions are used to limit data access based on the physical location of users. Salespeople visit different countries and stay in different hotels while on sales trips. This helps them comply with data privacy regulations by ensuring that only authorized users in specific geographic regions can access sensitive customer data.
Option B is incorrect, as encryption transforms plaintext data into ciphertext but doesn’t restrict access based on location.
Option C is incorrect, as masking conceals sensitive data but doesn’t specifically control access based on geography.
Option D is incorrect, as hashing is a one-way function that provides data integrity and is used for storing passwords
113
Your organization holds a portfolio of patents, copyrights, and
trademarks. What category of data types do these assets fall under?
A. Regulated
B. Trade secrets
C. Intellectual property
D. Legal information
## Footnote
Chapter 12
The correct answer is option **C**. Intellectual property encompasses unique creations such as patents, copyrights, and trademarks, which are legal assets that require protection.
Option A is incorrect, as regulated data relates to data governed by specific laws and regulations but does not specifically address intellectual property.
Option B is incorrect, as trade secrets focus on proprietary and confidential business information and may not cover the entire range of intellectual property.
Option D is incorrect, as legal information relates to matters of law and may encompass intellectual property, but this is a broader category.
114
A financial institution wants to protect sensitive customer transactions during online communication. What method should they employ to transform the data into unreadable code?
A. HTTP
B. Hashing
C. TLS
D. Tokenization
## Footnote
Chapter 12
The correct answer is option **C**. The description in the question relates to data in transit, and that data is encrypted using transport layer security (TLS).
Option A is incorrect, as the hypertext transfer protocol
(HTTP) is used for online communication but is insecure and would never be used for financial transactions.
Option B is incorrect, as hashing is used for storing passwords and data integrity.
Option D is incorrect, as tokenization is a data security technique that involves replacing sensitive data with a unique token but is not used for customer transactions
115
You work for a company that sells mortgages and maintains customer account information and transaction records. What data type is MOST relevant to the company?
A. Regulated
B. Legal information
C. Intellectual property
D. Financial information
## Footnote
Chapter 12
The correct answer is option **D**. Financial information includes data about monetary transactions, customer account information, and transaction records, making it the right choice.
Option A is incorrect, as regulated data refers to information governed by specific laws and regulations, such as data protection and privacy laws.
Option B is incorrect, as legal information refers to various categories of data within the field of law (such as statutes, case law, regulations, contracts, and legal opinions) used for analysis and decision-making. Although some account information could fall under the legal category, it is not the best option.
Option C is incorrect, as intellectual property encompasses
unique creations such as patents, copyrights, and trademarks, which are legal assets that require protection
116
An organization wants to protect the passwords stored in its database. It uses a method that transforms passwords into unique, fixed-length strings of characters, making it difficult for attackers to reverse-engineer the original passwords. Which security method are they using?
A. Encryption
B. Hashing
C. Obfuscation
D. Segmentation
## Footnote
Chapter 12
The correct answer is option **B**. Hashing transforms data (in this case, passwords) into unique fixed-length strings of characters, making it difficult for attackers to retrieve the original passwords from the hashes.
Option A is incorrect, as encryption transforms data into ciphertext, which is not fixed-length.
Option C is incorrect, as obfuscation is a technique used to make source code or data deliberately more complex or obscure, preventing theft by making the data harder to understand.
Option D is incorrect, as segmentation involves isolating parts of a
network into smaller segments and is unrelated to password hashing.
117
A network engineer used Wireshark to capture some network packet traces that were saved as PCAP files. Later that day, they were subnetting using binary. What data type best describes these different types of data?
A. Regulated
B. Human-readable data
C. Intellectual property
D. Non-human-readable data
## Footnote
Chapter 12
The correct answer is option **D**. Non-human-readable data includes binary code, machine language, and encrypted data.
Option A is incorrect, as regulated data refers to information governed by specific laws and regulations, such as data protection and privacy laws.
Option B is incorrect, as human-readable data can be easily understood by humans, such as text, images, and audio.
Option C is incorrect, as intellectual property encompasses unique creations such as patents, copyrights, and trademarks, which are legal assets that require protection.
118
You want to make a new will and leave all of your money to a dog sanctuary. Which data type is the MOST relevant to your task?
A. Regulated
B. California Consumer Privacy Data
C. Intellectual property
D. Legal information
## Footnote
Chapter 12
The correct answer is option **D**. Legal information includes documents and data related to law and legal matters. Making a will is a legal matter.
Option A is incorrect, as regulated data refers to data governed
by specific laws and regulations, which may apply but do not
specifically address the making of a legal document such as a will.
Option B is incorrect, as the California Consumer Privacy Act (CCPA) governs the collection, use, and sharing of personal information of California residents by businesses operating in the state.
Option C is incorrect, as intellectual property includes patents, copyrights, and trademarks, which are valuable but may not encompass confidential legal documents.
119
A healthcare provider needs to share patient records with researchers while also protecting patient privacy. They use a method that replaces patient names with pseudonyms, such that individuals cannot be identified. Which security method does this describe?
A. Masking
B. Tokenization
C. Permission restrictions
D. Obfuscation
## Footnote
Chapter 12
The correct answer is option **B**. The healthcare provider uses
tokenization to replace patient names with pseudonyms. Tokenization replaces sensitive data with tokens or pseudonyms to preserve data integrity and ensure that individuals cannot be directly identified.
Option A is incorrect, as masking conceals data but typically retains the original information.
Option C is incorrect, as permission restrictions control who can access data but are not related to pseudonymization.
Option D is incorrect, as obfuscation is a technique used to make source code or data deliberately more complex or obscure, preventing theft by making it harder to understand.
120
A software company plans to create an application that will hold
sensitive information and, therefore, wants to protect its proprietary source code from unauthorized access. Which of the following methods should they use to protect the source code?
A. Geographic restrictions
B. Hashing
C. Masking
D. Obfuscation
## Footnote
Chapter 12
The correct answer is option **D**. Obfuscation is a technique used to make source code or data deliberately more complex or obscure, preventing theft by making it harder to understand.
Option A is incorrect because geographic restrictions are used to limit data access based on the physical location of users and, thus, should not be used as a general security measure.
Option B is incorrect because hashing is used to check for data integrity and is not used for source code protection.
Option C is incorrect because masking conceals data but is not specific to source code obfuscation.
121
A large corporation is setting up a web array, consisting of eight web servers, to sell goods on its e-commerce website. It has been decided that they will purchase F5 load balancers so that their web traffic can be optimized for speedy customer delivery. Which of the following BEST describes why load balancing is useful in this scenario?
A. Load balancing will ensure that only authorized users can gain access to the network
B. Load balancing will provide redundancy for critical data
storage
C. Load balancing will evenly distribute network traffic to prevent
bottlenecks
D. Load balancing will monitor user activity to identify potential
threats
## Footnote
Chapter 13
The correct answer is option **C**. Load balancing is crucial in this scenario because it evenly distributes network traffic, preventing overloads, ensuring optimal performance and reliability, and maintaining server availability.
Option A is incorrect because load balancing is not used for user authorization but, rather, for resource allocation.
Option B is incorrect because while load balancing can provide redundancy, that will not directly optimize loading speeds in this scenario.
Option D is incorrect because load balancing monitors
traffic for performance optimization, not threat identification.
122
A cybersecurity organization has spent six months rewriting its incident response procedures for a client. Which of the following would be the BEST method to evaluate the new procedures with the least administrative overhead?
A. Failover
B. Parallel processing
C. A simulation
D. A tabletop exercise
## Footnote
Chapter 13
The correct answer is option **D**. Tabletop exercises are paper-based exercises in which the key stakeholders can evaluate each procedure with minimal setup and overhead.
Option A is incorrect because failover is about system redundancy, not incident response.
Option B is incorrect because parallel processing enables multiple processes to work simultaneously, thereby increasing resiliency, but it will not help evaluation.
Option C is incorrect because a simulation is an effective evaluation method, as it closely mirrors the real event; however, it takes an enormous amount of administrative overhead to set up.
123
During a meeting of all department heads, the CEO of a company requests information regarding staffing needs to relocate the entire company to an alternative hot site following a disaster. Which of the following BEST describes the CEO’s primary objective in seeking this information?
A. Business continuity
B. Labor costing
C. Capacity planning
D. Operational load distribution
## Footnote
Chapter 13
The correct answer is option **C**. The CEO wants to determine the staffing requirements for the hot site, focusing on capacity planning to ensure the company’s smooth transition and continued operation in the event of a disaster.
Option A is incorrect because business continuity is closely related but does not specifically address the CEO’s inquiry about staffing needs.
Option B is incorrect because labor costing focuses on calculating labor expenses, which is not the CEO’s primary objective. The CEO wants to determine staffing needs for disaster recovery, not cost estimation.
Option D is incorrect because operational load distribution refers to the process of distributing computational operational workloads across resources and does not relate to human resources.
124
Over the past six months, a company has suffered power failures about once a week. This has affected business operations, and the company is now moving to the cloud. Which of the following cloud features would be beneficial to company operations?
A. Cloud backups
B. Redundant power
C. Geographic dispersion
D. Reduced cost
## Footnote
Chapter 13
The correct answer is option **C**. Geographic dispersion refers to spreading resources across various locations, which can be beneficial for a company experiencing frequent power failures. It provides redundancies and ensures that business operations can continue from various locations, even if one faces a power outage.
Option A is incorrect because cloud backups are valuable for data protection, but they do not directly address ongoing power failures affecting operations.
Option B is incorrect, as redundant or backup power on-site would not impact cloud operations.
Option D is incorrect because reduced cost is a benefit of cloud migration, but this is a general consideration not related to power failure mitigation. It does not directly address the company’s current issue.
125
An organization has a site in a remote location that has been suffering intermittent power outages that last between 3 and 10 seconds. Which of the following should the company implement so that the servers can maintain power for up to 10 seconds to shut down gracefully?
A. A generator
B. An uninterruptible power supply
C. A managed power distribution unit
D. An additional power unit on each server
## Footnote
Chapter 13
The correct answer is option **B**. An uninterruptible power supply provides temporary power during short outages, allowing servers to shut down safely within 10 seconds.
Option A is incorrect because a generator will normally have a startup time, which would leave a system without power during the interruptions.
Option C is incorrect because a power distribution unit (PDU) manages power but does not provide backup.
Option D is incorrect because additional power units on each server will still lose power with the rest of the system in the event of an outage.
126
A legal department has been advised by a third-party auditor that it needs to maintain a log of all incoming and outgoing emails, due to data compliance. This data must be retained for a period of three years.
Which of the following is the BEST solution?
A. Journaling
B. Weekly backup
C. Daily backup
D. Clustering
## Footnote
Chapter 13
The correct answer is option **A**. Journaling involves capturing and recording all incoming and outgoing emails in real time. This method is ideal for compliance, as it ensures that all email data is logged and retained for the mandated three-year period to meet the auditor’s requirements.
Option B is incorrect because weekly backups would not provide real-time logging of emails, and they may miss crucial data if
the legal department needs to maintain a comprehensive record.
Option C is incorrect because daily backups are better than weekly ones but still may not capture all emails in real time, and failure to do so may lead to data gaps and compliance issues.
Option D is incorrect because clustering is not used for email data retention. Its purpose lies in ensuring high availability and load balancing in server setups, not compliance logging.
127
You are managing a large-scale scientific simulation project that
requires you to perform complex calculations on massive datasets. To optimize the project’s performance, you need to choose the right processing technique. Which technique would be most effective to accelerate your simulation’s calculations and manage the massive datasets efficiently?
A. Sequential processing
B. Multithreading
C. Parallel processing
D. Batch processing
## Footnote
Chapter 13
The correct answer is option **C**. Parallel processing allows you to break down the calculations into smaller tasks and execute them simultaneously on multiple processors, significantly improving the simulation’s speed and efficiency.
Option A is incorrect, as sequential processing executes tasks one after another, slowing down the simulation.
Option B is incorrect, as multithreading assists with concurrent execution but may not fully utilize multiple processors.
Option D is incorrect, as batch processing is suitable for processing large volumes of data but not for real-time simulations with parallelism requirements.
128
Which of the following plans is the MOST appropriate for setting out how you inform company stakeholders of an incident without alerting the general public?
A. A disaster recovery plan
B. An incident response plan
C. A business continuity plan
D. A communication plan
## Footnote
Chapter 13
The correct answer is option **D**. A communication plan is the best option because it is used to inform stakeholders discreetly during incidents, ensuring effective communication without alerting the public. It outlines who needs to be informed, when, and how, as well as what privacy procedures should be implemented.
Option A is incorrect, as a disaster recovery plan focuses on IT recovery strategies and does not address the nuances of communication.
Option B is incorrect, as an incident response plan concentrates on responding to and mitigating incidents but may not provide detailed guidance on stakeholder communication.
Option C is incorrect, as a business continuity plan focuses on
maintaining critical business operations, not the finer aspects of
stakeholder communication during incidents.
129
Which of the following is the BEST backup and restore solution to utilize in a Virtual Desktop Infrastructure (VDI) environment?
A. A full daily backup
B. A snapshot
C. A failover cluster
D. A differential backup
## Footnote
Chapter 13
The correct answer is option **B**. A snapshot is the best choice for VDI, as it captures a point-in-time image of the virtual desktop, making it an efficient and quick backup and restore solution. It allows you to return to a specific state when needed, facilitating easy recovery if there are issues or data loss.
Option A is incorrect, as a full daily backup in a VDI environment can be resource-intensive and time-consuming.
Option C is incorrect, as failover clusters provide high availability but don’t provide restore operations if there is a failure.
Option D is incorrect, as differential backups are used in traditional backup scenarios only. They do not apply to VDI environments.
130
In a data center, which device provides controlled power distribution to servers and networking equipment, ensuring efficient power management and protection against overloads?
A. An uninterruptible power supply
B. A generator
C. A managed power distribution unit
D. A redundant power supply
## Footnote
Chapter 13
The correct answer is option **C**. A managed power distribution unit (PDU) controls power distribution in data centers, offering efficient power management and protection.
Option A is incorrect, as an uninterruptible power supply provides backup power during outages for a brief period but does not protect against overloads or provide power management.
Option B is incorrect, as generators are backup power sources during prolonged outages and are not designed for the continuous, fine-grained power control needed in data center
environments. Option D is incorrect, as a redundant power supply
ensures power redundancy but does not manage distribution and
management like a PDU.
131
During software development and distribution, what multifaceted purpose does code signing primarily serve?
A. Validating the software’s source and integrity while enhancing
trustworthiness
B. Improving code performance and execution speed for an
optimal user experience
C. Simplifying the software installation process for end users
D. Ensuring compatibility with legacy systems and reducing
system resource overhead
## Footnote
Chapter 14
The correct answer is option **A**. Code signing serves the dual purpose of validating the software’s source and integrity, thereby assuring users of the trustworthiness of that software. This process further enhances the overall security posture of software systems by preventing tampering and ensuring authenticity. Option B is incorrect, as code signing does not directly impact code performance or execution speed. Its primary role is in security and trust, not optimization.
Option C is incorrect, as while code signing may be part of the software installation process, its primary purpose is security-related.
Option D is incorrect, as code signing does not ensure compatibility with legacy systems or reduce system resource overhead. Its focus is on security and trustworthiness
132
You are a systems administrator for a large multinational corporation and have recently failed a third-party audit, due to two outdated mail servers’ patches. The audit recommended that you implement the current CIS benchmarks. Which of the following is the most likely reason for this recommendation?
A. To enhance system performance and resource utilization
B. To ensure you follow industry-standard security configurations
C. To automatically patch the servers
D. To streamline data backup and recovery procedures
## Footnote
Chapter 14
The correct answer is option **B**. CIS benchmarks aim to establish industry-standard security configurations and best practices, including keeping certain patches up to date.
Option A is incorrect, as while security is a focus, the primary objective of CIS benchmarks is not system performance enhancement.
Option C is incorrect, as CIS benchmarks are guidelines and configuration settings for administrators and will not automatically patch anything.
Option D is incorrect, as while data backup and recovery are important, they are not a part of CIS benchmarks.
133
# Chapter 14
What does the term “Bluesnarfing” refer to in the context of wireless technology?
A. The process of gaining unauthorized access from a Bluetooth-enabled device to steal sensitive data
B. A method for increasing the range of Bluetooth connections
C. An authentication protocol used in Bluetooth pairing
D. A technique for enhancing the audio quality of Bluetooth audio devices
## Footnote
Chapter 14
The correct answer is option **A**. Bluesnarfing refers to gaining access to a Bluetooth-enabled device, usually with the intention of theft.
Option B is incorrect because increasing the range of Bluetooth connections is unrelated to Bluesnarfing.
Option C is incorrect because Bluesnarfing is not an authentication protocol; it is a security vulnerability.
Option D is incorrect because enhancing audio quality is not related to Bluesnarfing.
134
# Chapter 14
What is the primary purpose of conducting a wireless site survey?
A. Identifying and eliminating network bottlenecks
B. Ensuring compliance with environmental regulations
C. Assessing and optimizing wireless network coverage and
performance
D. Evaluating the physical security of network infrastructure
## Footnote
Chapter 14
The correct answer is option **C**. A wireless site survey is conducted to assess and optimize wireless network coverage and performance by looking at blind spots and potential interference for placement.
Option A is incorrect because while network performance is considered, eliminating bottlenecks is not the primary purpose of a site survey.
Option B is incorrect because ensuring compliance with environmental regulations is not the primary goal of a site survey. Option D is incorrect because physical security assessment is not the primary purpose of a wireless site survey.
135
When hardening a mobile device, what security measure should you prioritize?
A. Disabling screen locks
B. Enabling automatic software updates
C. Enabling full device encryption and strong passcodes
D. Enabling geolocation services for enhanced tracking
## Footnote
Chapter 14
The correct answer is option **C**. Enabling full device encryption (FDE) and using strong passcodes are crucial security measures when hardening a mobile device. FDE encrypts data, and strong passwords present a greater challenge to would-be hackers attempting to guess your credentials.
Option A is incorrect because disabling screen locks simply ensures that you remain logged into your mobile device without
the need for subsequent authentication. This means that, should your device be stolen, the thief will have easy access to your data. Option B is incorrect because enabling automatic software updates is an additional security measure, but it is not the primary measure.
Option D is incorrect because enabling geolocation services may have privacy implications, but tracking is not a top security measure when hardening a device.
136
Your office is currently being refurbished, and while this renovation is ongoing, you have been moved to a vacant office opposite your normal place of work. When you arrive at the new office, you try to connect your laptop to the corporate Wi-Fi but are unsuccessful. Thirty minutes later, you appear to have an internet connection with the same SSID as the corporate network, but it seems to be slower than normal. You are not able to connect to the corporate file servers but, on investigation, data has been stolen from your laptop. Which of the following BEST describes this type of attack?
A. A rogue access point
B. A remote access Trojan
C. A rootkit
D. Evil twin
## Footnote
Chapter 14
The correct answer is option **D**. This scenario describes an evil twin attack. The reason that you cannot access the corporate data is that you are connected to a network with a similar SSID, but not your true SSID. Evil twin attacks often intercept data, hence the data theft.
Option A is incorrect because a rogue access point is another example of an unauthorized access point, but it will not use a similar SSID.
Option B is incorrect because a remote access Trojan also takes remote control but does not use a similar SSID.
Option C is incorrect, as a rootkit also hides its malware presence, but it is not specific to Wi-Fi or data thef
137
Consumers of an online marketplace have complained that items added to their cart suddenly increase tenfold from their advertised purchase price. The website developer intends to correct this error by implementing input validation to accomplish which of the following?
A. Optimizing code execution speed
B. Preventing security vulnerabilities and data manipulation
C. Enhancing the graphical user interface (GUI)
D. Ensuring backward compatibility with older systems
## Footnote
Chapter 14
The correct answer is option **B**. Input validation in software
development primarily aims to prevent security vulnerabilities and data manipulation. Here, it would help to ensure that the data (in this case, the prices of items) is correct and has not been tampered with.
Option A is incorrect because optimizing code execution speed would not be impacted by implementing input validation.
Option C is incorrect because enhancing the GUI will speed up load times but not impact data.
Option D is incorrect because input validation does not impact
compatibility.
138
You are a developer for a multinational corporation, currently working on bespoke software packages for a customer. As part of your quality control, you need to ensure that your software can withstand various attacks without crashing. One such attack is fuzzing, which is a technique whereby an attacker injects unexpected or invalid input into your software to identify vulnerabilities. Which of the following BEST describes the testing methods that should be employed to ensure that the software is resilient to this specific attack?
A. Code documentation
B. Dynamic code analysis
C. A manual code review
D. Regression testing
## Footnote
Chapter 14
The correct answer is option **B**. Dynamic code analysis is the best choice because it directly addresses the user’s concern about the web application’s ability to manage unexpected input without crashing, by analyzing its behavior during runtime. Option A is incorrect, as while good documentation is essential for understanding and maintaining software, it does not contribute to directly identifying vulnerabilities that could be exploited through fuzzing.
Option C is incorrect because a manual code review involves inspecting code to find issues, but it’s a static analysis technique. It’s not ideal for assessing how an application reacts to unexpected or random input during runtime, which is the
primary concern in the question.
Option D is incorrect because regression testing is a type of testing that focuses on ensuring that recent code changes (such as new features, bug fixes, or updates) do not introduce new defects or break existing functionality in software. It verifies that the previously working parts of an application remain functional after changes are made.
139
A large multinational corporation has just upgraded its wireless
networks at two production sites. One of the sites has no issues, but connectivity at the other site has problems, with some areas not getting strong signals or having connection issues. Which of the following is the BEST solution to identify the problems at the production site that is having issues?
A. A network diagram
B. A site survey
C. A Wi-Fi analyzer
D. Heat maps
## Footnote
Chapter 14
The correct answer is option **D**. Heat maps show the areas where wireless networks are strong and weak, thereby helping to identify the areas with poor connectivity.
Option A is incorrect because a network diagram only shows the network layout. It cannot identify poor wireless connectivity.
Option B is incorrect because a site survey should be conducted before implementation, as it helps identify the best locations
for WAP placement. However, it cannot identify poor wireless
connectivity in a network.
Option C is incorrect because a Wi-Fi analyzer can monitor wireless traffic and troubleshoot access to a WAP, but it is not the best option for identifying strong and weak areas of wireless connectivity.
140
A student has recently purchased a new mobile phone. Immediately following activation, the phone displays a message indicating that the device is pairing. How can the student prevent it from happening again in the future? (Choose TWO.)
A. By combining multiple Bluetooth devices into a single network
B. By activating Bluetooth connectivity on a device
C. By establishing a secure connection between two Bluetooth
devices
D. By adjusting the transmission power of a Bluetooth device
E. By disabling Bluetooth on the new phone
## Footnote
Chapter 14
The correct answers are options **C** and **E**. In Bluetooth technology, “pairing” refers to establishing a secure connection between two Bluetooth devices. Disabling Bluetooth prevents pairing.
Option A is incorrect because pairing is not about combining devices into a single network.
Option B is incorrect because activating Bluetooth connectivity is a different operation from pairing, but it needs to be enabled to be able to pair.
Option D is incorrect because adjusting transmission power is not the purpose of pairing.
141
You have just received a shipment of 10 desktop computers from a third-party vendor. However, these computers are no longer operational, and the vendor wants to use your company to dispose of the computers securely. What is the MOST essential action you need to carry out in this situation?
A. Pay for the destruction
B. Obtain a destruction certificate
C. Develop a maintenance schedule for the computers
D. Remove them from your inventory list of computers
## Footnote
Chapter 15
The correct answer is option **B**. After securely disposing of the ten desktop computers that are no longer needed, the most essential action is obtaining a destruction certificate. This certificate verifies that the computers have been securely disposed of in a manner that irreversibly destroyed any sensitive data or components.
Option A is incorrect; payment for the destruction would be taken by an administrator in advance.
Option C is incorrect; maintenance schedules are used for
keeping equipment in working condition, not for disposal.
Option D is incorrect; these computers would never have been added to your inventory because you did not purchase them
142
In a top-secret government facility, an intelligence officer needs to dispose of classified documents that contain highly sensitive
information. Which of the following is the most effective method for securely destroying these documents?
A. Shredding the documents into small, unreadable pieces using a high-security shredder
B. Sending the documents to a certified document destruction
company
C. Placing the documents in a recycling bin for eco-friendly
disposal
D. Burning the documents in a designated incinerator until they
turn to ash
## Footnote
Chapter 15
The correct answer is option **D**. Burning the documents in a designated incinerator until they turn to ash is considered the most effective method. It ensures that the information is destroyed and cannot be reconstructed and meets the stringent security requirements of top secret facilities.
Option A is incorrect; shredding the documents into small, unreadable pieces using a high-security shredder is a secure
method but may not guarantee the same level of irreversibility as
burning. Shredded documents can sometimes be reconstructed.
Option B is incorrect; sending the documents to a certified document destruction company is a responsible approach, but it may involve transportation risks and may not offer the immediate and controlled destruction that burning provides.
Option C is incorrect; placing the documents in a recycling bin for eco-friendly disposal is not suitable for highly sensitive classified documents, as recycling focuses on reusing materials rather than securely destroying information.
143
In a large corporate network, the IT team needs to perform a
comprehensive enumeration of all connected devices to assess their security posture. Which of the following tools is the most suitable choice for this task?
A. A custom-built network scanning tool designed specifically for
the organization’s network infrastructure
B. A commercial software package known for its user-friendly
interface and support services
C. A well-established open-source network scanning tool (NMAP)
renowned for its flexibility and extensive capabilities
D. A manual approach of individually inspecting each device,
noting their details, and compiling a network inventory
## Footnote
Chapter 15
The correct answer is option **C**. Well-established open-source network scanning tools, such as Nmap (Network Mapper), are widely recognized as the most suitable choice for performing a comprehensive enumeration of devices in a large corporate network due to their flexibility and extensive capabilities. Nmap offers features for network discovery, service detection, and vulnerability assessment, making it a preferred tool for such tasks.
Option A is incorrect; a custom-built network scanning tool designed specifically for the organization’s network infrastructure may not have the same level of flexibility,
community support, and comprehensive features as well-established open-source tools like Nmap.
Option B is incorrect; a commercial software package with a user-friendly interface and support services can be convenient but may not necessarily provide the same level of capabilities and cost-effectiveness as open-source alternatives.
Option D is incorrect; a manual approach of individually inspecting each device is time-consuming, error-prone, and impractical for a large corporate network, making it less suitable for the task compared to using dedicated network scanning tools like Nmap.
144
In a highly sensitive data center environment, where data security is paramount, the IT team needs to decommission and dispose of a hard drive from a server. They want to ensure that no data can be recovered from the drive. Which of the following methods is the MOST effective for securely disposing of the hard drives?
A. Physically smashing the hard drive into small pieces using a
sledgehammer until it is completely destroyed
B. Submerging the hard drive-in water for an extended period,
followed by exposure to a powerful magnetic field
C. Using an approved shredder to destroy the hard drive
D. Placing the hard drive in a recycling bin designated for
electronic waste, ensuring environmentally responsible
disposal
## Footnote
Chapter 15
The correct answer is option **C**. Using a hard drive shredder ensures that all the hard drive platters have been destroyed. It breaks the disk down into very small fragments.
Option A is incorrect because physically smashing the hard drive into small pieces may render it inoperable, but it may still leave recoverable data on the drive’s components since the pieces might not be as small as those in a hard drive shredder.
Option B is incorrect because submerging the hard drive-in water and exposing it to a magnetic field are not recognized data destruction methods and may not guarantee data irreversibility. Option D is incorrect because placing the hard drive in a recycling bin for electronic waste disposal is a responsible approach to recycling but does not ensure the secure destruction of data. Proper data destruction methods should be used before recycling electronic devices
145
In the context of cybersecurity, what does the term “enumeration” MOST COMMONLY refer to?
A. Listing all the potential vulnerabilities in a system to assess its
security posture
B. The process of identifying and listing network resources and
services, such as user accounts and shares
C. Encrypting sensitive data to protect it from unauthorized access
D. The act of physically securing data centers and server rooms to prevent breaches
## Footnote
Chapter 15
The correct answer is option **B**. In the context of cybersecurity,
“enumeration” refers to the process of identifying and listing network resources and services, such as user accounts, shares, and other information that can be useful for an attacker.
Option A is incorrect; listing vulnerabilities is a common cybersecurity practice but although it is referred to as enumerating vulnerabilities it is not the primary definition of “enumeration.”
Option C is incorrect; encrypting sensitive data is essential for data security, but it does not define “enumeration.”
Option D is incorrect; securing data centers and server rooms is
important for physical security, but it does not relate to the term
“enumeration” in cybersecurity.
146
Which of the following is the responsibility of a data owner? (Select two)
A. Ensuring network security measures are in place to protect
assets
B. Ensuring that only authorized individuals can interact with the
assets
C. Overseeing the disposal and decommissioning of assets
D. Managing software licenses associated with the asset
E. Implementing cybersecurity policies for the entire organization
## Footnote
Chapter 15
The correct answers are option **B** and option **D**. Data owners typically have the responsibility of ownership of assets and ensuring that only authorized individuals can interact with them. The data owner is also responsible for managing software licenses associated with assets.
Option A is incorrect; ensuring network security measures usually falls under the responsibility of the networking team.
Option C is incorrect; overseeing the disposal and decommissioning of assets is often carried out by individuals or teams responsible for asset management or IT operations.
Option E is incorrect; implementing cybersecurity policies
for the entire organization is typically the role of the IT security team or the Chief Information Security Officer (CISO), not the data owner
147
You work for a large organization that has just experienced a cyber incident that has caused significant disruption to its IT infrastructure. In this critical situation, which of the following BEST attributes will determine which assets are to be prioritized to get them up and running?
A. The financial value of the affected assets
B. The assets’ proximity to the incident’s point of origin
C. The assets’ classification and their availability
D. The age of the affected assets and their warranty status
## Footnote
Chapter 15
The correct answer is option **C**. The primary factor in prioritizing assets for recovery is their classification. The assets that are classified critical and have an impact on business operations should have top priority. This ensures that the most important systems are restored first to minimize the overall impact of the incident.
Option A is incorrect; the financial value of assets is important for accounting and financial management but is not the primary factor in incident response prioritization. It may well have a low value.
Option B is incorrect; the proximity of assets to the incident’s point of origin may be considered in certain situations but is not the primary factor in prioritizing asset recovery.
Option D is incorrect; the age of assets and their warranty status are relevant for maintenance and replacement considerations but
are not the main factors in incident response asset prioritization.
148
A large organization’s finance department has brought in a hard drive for data sanitization. They want to reuse the hard drive after the data is destroyed. Which of the following methods of data destruction will fulfil this requirement? Select the BEST TWO Options.
A. Wiping
B. Degaussing
C. Pulverizing
D. Overwriting
## Footnote
Chapter 15
The correct answers are option **A** and option **D**. Overwriting is a data destruction method that involves replacing existing data on a storage medium, such as a hard drive, with random or meaningless information. Wiping makes the original data unrecoverable, ensuring data privacy and security. In both cases the hard drive is reuseable.
Option B is incorrect; degaussing places a charge across the hard drive, rendering it unusable.
Option C is incorrect; pulverizing refers to using a sledgehammer to smash the hard drive into small pieces.
149
You are working in the second line of IT support in an organization, and you have received a shipment of fifty new laptops. You need to unbox them, label them, and deliver them to the relevant departments. You are going to add those laptops to the asset register, prior to labelling the laptops. Which of the following should be the first consideration?
A. Department location
B. Laptop specifications
C. Name of the laptop’s owner
D. Standard Naming Convention
## Footnote
Chapter 15
The correct answer is option **D**. Standard Naming Convention is required before creating the laptop labels. This convention ensures that all laptops are labeled consistently and helps with organization and tracking.
Option A is incorrect as knowing the department’s location is
essential for delivery, it is not vital for creating labels.
Option B is incorrect; laptop specifications are important but are not the immediate concern before labeling. You can gather this information afterward.
Option C is incorrect; identifying the owner is important but not the initial step. This information can be added later in the asset register
150
A medical center in New York has been upgrading all its systems and has been sanitizing data that is no longer useful. However, 70% of this data was not sanitized. Which of the following is the BEST reason that this data was not sanitized?
A. Broken Shredder
B. Intellectual Property concerns
C. Data Retention requirements
D. Data was encrypted
## Footnote
Chapter 15
The correct answer is option **C**. There is a legal requirement to retain medical data for at least 6 years in the US; this option is the BEST reason for not sanitizing the data.
Option A is incorrect; a broken shredder could be a reason for not sanitizing data, but it is not the BEST reason in this context . A malfunctioning shredder is a technical issue that can be resolved or worked around.
Option B is incorrect; Intellectual property refers to legal rights protecting creative and innovative works, such as patents, copyrights, and trademarks, granting exclusivity to creators and inventors. It does not apply to medical data held in a small medical center.
Option D is incorrect; encryption is a security measure, and while it can protect data from unauthorized access, it does not necessarily govern data sanitizing protocols.
151
The board of directors of an organization is convening to decide on its vulnerability management policies. What key framework or system will help them prioritize vulnerabilities effectively?
A. CVSS
B. CMS
C. CVE
D. SEO
## Footnote
Chapter 16
The correct answer is option **A**. Common vulnerability scoring system (CVSS) is a standardized framework used in cybersecurity to assess and prioritize vulnerabilities based on their impact and severity, Incorrect Answers:
Option B is incorrect because CMS is a platform for creating
and managing digital content on websites.
Option C is incorrect. common vulnerabilities and exposure (CVE)is a list of vulnerabilities that incorporated by vulnerability scanners.
Option D is incorrect because search engine optimization (SEO) is a set of techniques used to improve a website’s visibility on search engines.
152
A multinational technology company is seeking to enhance its
cybersecurity defenses. To achieve this, they have launched a bug bounty program, inviting security researchers, ethical hackers, and cybersecurity enthusiasts to participate. Which of the following describes the benefit and objective of a Bug Bounty?
A. The organization intends to identify and fix security
vulnerabilities, while participants earn rewards and contribute
to overall online safety
B. The organization seeks to promote its products, while
participants receive free access to its premium services
C. The organization aims to reduce security expenses, while
participants gain monetary rewards and experience
D. The organization expects the bug bounty program to serve as a substitute for regular security audits, ensuring comprehensive
vulnerability assessment
## Footnote
Chapter 16
The correct answer is option **A**. Bug bounties can be an effective way of testing security in an almost real-world scenario because third parties are incentivized to find issues that internal staff might overlook.
Option B is incorrect as the focus is on cybersecurity, not product promotion or free services.
Option C is incorrect as the primary goal is not to reduce security expenses but to enhance security.
Option D is incorrect as bug bounty programs and regular security audits serve different purposes
153
A cybersecurity team conducts vulnerability assessments using both credentialed and uncredentialed scans. Which type of scan would MOST likely identify missing patches for third-party software on Windows workstations and servers?
A. A scan of vulnerabilities associated with known malware
signatures
B. Non-credentialed scans exposing open ports
C. A scan of unauthorized access attempts on the organization’s
firewall
D. Credentialed scans with valid access credentials
## Footnote
Chapter 16
The correct answer is option **D**. Credentialed scans with valid access credentials are used to access system details and identify missing patches for third-party software on Windows workstations and servers.
Option A is incorrect. malware signatures are detected through other security measures and are not directly related to identifying missing software patches.
Option B is incorrect. non-credentialed scans are not logged in and can only see what the attacker can see from the network.
Option C is incorrect as this describes a different type of activity which involves monitoring unauthorized access attempts on the organization’s firewall and is not directly related to identifying missing patches for third-party software on Windows workstations and servers.
154
Which network is commonly associated with providing anonymous access to the internet, making it a preferred choice for users seeking privacy and anonymity?
A. VPN
B. DNS
C. Tor
D. LAN
## Footnote
Chapter 16
The correct answer is option **C**. Tor, also known as The Onion Router, is a network that offers users anonymous access. It is used to access the dark web.
Option A is incorrect as VPNs enhance online privacy and security; they do not provide the same level of anonymity as Tor. VPNs
primarily focus on securing network connections.
Option B is incorrect as DNS is not associated with providing anonymous access to the internet. It is a system used to translate domain names into IP addresses.
155
A security researcher is conducting an in-depth analysis of a cyber adversary’s infrastructure and tactics, techniques, and procedures (TTPs). To effectively track and document the activities of this adversary, the researcher is looking for a source specifically for this purpose. Which of the following sources will the researcher MOST likely use?
A. MITRE ATT&CK
B. SCAP
C. OSINT
D. Threat Feeds
## Footnote
Chapter 16
The correct answer is option **A**. MITRE ATT&CK is the ideal source for tracking and documenting an adversary’s tactics, techniques, and procedures (TTPs).
Option B is incorrect as SCAP focuses on security policy compliance and automated vulnerability management, not
adversary TTPs.
Option C is incorrect as OSINT collects publicly available information but may not provide detailed tracking of
adversary activities.
Option D is incorrect as threat feeds offer real-time threat intelligence but may not cover adversary-specific tactics,
techniques, and procedures as comprehensively as MITRE ATT&CK
156
A security analyst is reviewing the vulnerability scan report for a web server following an incident. The vulnerability that exploited the web server is present in historical vulnerability scan reports, and a patch is available for the vulnerability. Which of the following is the MOST probable cause of the incident?
A. An untested security patch update overwrote the existing patch
B. The scan reported that a false negative identified the
vulnerability
C. The CVE list updating the vulnerability scan was not updated
D. A zero-day vulnerability was used to exploit the web server
## Footnote
Chapter 16
The correct answer is option **A**. The most probable cause of the incident is that an untested security patch update overwrote the existing patch. This scenario often occurs when a new patch is applied without proper testing, potentially causing unintended consequences or vulnerabilities.
Option B is incorrect as a false negative happens when the vulnerability scanner cannot identify the vulnerability.
Option C is incorrect as the CVE is always up to date.
Option D is incorrect as a zero-day vulnerability has no patch.
157
An organization is encountering challenges with maintaining and
securing a decades-old computer system that plays a critical role in its operations. Which of the following is the MOST likely reason for these challenges?
A. Inadequate employee training on the legacy system
B. A lack of available hardware resources for the legacy system
C. The absence of up-to-date antivirus software on the legacy
system
D. Lack of vendor support for the legacy system
## Footnote
Chapter 16
The correct answer is option **D**. Legacy systems have a lack of vendor support, or it is so old the vendor has gone out of business. It could be that the system has the end of its service life. Option A is incorrect as employee training is essential for effective system use but is not the primary reason for challenges associated with legacy systems.
Option B is incorrect as hardware resource availability can affect system performance but is not the primary reason for challenges with legacy systems.
Option C is incorrect as the absence of up-to-date antivirus
software on the legacy system is a possibility but is not the main
challenge.
158
An organization is going to share cyberthreat intelligence data with external security partners. Which of the following will the company MOST likely implement to share this data?
A. TAXII
B. TLS
C. STIX
D. CVE
## Footnote
Chapter 16
The correct answer is option **A**. TAXII (Trusted Automated Exchange of Intelligence Information) is a standard protocol designed for sharing cyber threat intelligence data between organizations. It is a suitable choice for secure and automated information exchange.
Option B is incorrect as TLS (Transport Layer Security) is essential for secure communication but is not used for sharing cyber threat intelligence.
Option C is incorrect as STIX (Structured Threat Information
eXpression) is a language for describing cyber threat intelligence and is not a protocol for sharing data directly.
Option D is incorrect as CVE (Common Vulnerabilities and Exposures) is a system for identifying and cataloguing vulnerabilities and is not a protocol for sharing cyber threat
intelligence data
159
In the context of cybersecurity, risk tolerance refers to:
A. The maximum amount of risk an organization is willing to
accept without mitigation
B. The percentage of risk reduction achieved through security
controls
C. The amount of risk that is remaining after mitigation
D. The amount of inherent risk a company has
## Footnote
Chapter 16
The correct answer is option **A**. Risk tolerance is the level of risk an organization is willing to accept. Companies must balance factors such as availability, efficiency, cost and security when making decisions about risk.
Option B is incorrect as the percentage of risk reduction achieved through security controls is related to risk mitigation efforts and does not directly refer to risk tolerance.
Option C is incorrect as the amount of risk that remains after applying mitigation measures is residual risk, while risk tolerance refers to the organization’s threshold for accepting risk before mitigation.
Option D is incorrect as inherent risk is the raw risk before any risk treatment.
160
During a routine security scan of a corporate network, the security system failed to detect a critical vulnerability in a widely used software component. This vulnerability had a known patch available, but the security system did not flag it as a threat. Subsequently, a cyber attacker exploited this vulnerability, leading to a significant data breach. What type of assessment outcome does this scenario represent?
A. True Positive
B. False Positive
C. False Negative
D. True Negative
## Footnote
Chapter 16
The correct answer is option **C**. A false negative represents a situation where a vulnerability cannot be detected. In this case a patch is available, so it is a known vulnerability.
Option A is incorrect as a true positive means the security system found the vulnerability.
Option B is incorrect as a false positive means the security system generates a threat alert when there is no threat.
Option D is incorrect as a true negative occurs when a security system correctly identifies that there is no vulnerability
161
Your antivirus software scans a file and reports that it is free from malware. However, upon closer examination, it is discovered that the file does, in fact, contain a previously unknown malware variant. What type of result does this scenario represent?
A. True positive
B. False positive
C. True negative
D. False negative
## Footnote
Chapter 17
Explanation: The correct answer is option **D**. A false negative happens when the antivirus software incorrectly identifies a file as clean when it actually contains malware. In this scenario, the antivirus software reported the file as malware-free, but it was later discovered to contain a previously unknown malware variant. This is a false negative.
Option A is incorrect because a true positive indicates the correctly identified presence of malware.
Option B is incorrect because a false positive occurs when the system incorrectly identifies a non-malicious file as malware. Option C is incorrect because a true negative occurs when the
system correctly identifies non-malicious files as non-malicious.
162
Your organization is integrating a new system into its existing network and wants to ensure that the new system is secure before putting it into operation to protect the network and sensitive data. What is the MOST IMPORTANT security measure to take before putting the new system into operation, and why?
A. Configuring the firewall rules
B. Installing the latest antivirus software
C. Running a vulnerability scan
D. Updating the system’s drivers
## Footnote
Chapter 17
Explanation: The correct answer is option **C**. Running a vulnerability scan helps security professionals identify potential vulnerabilities in the new system before it’s operational, allowing for timely fixes and ensuring overall network security.
Option A is incorrect because configuring the firewall rules is an essential security step, but it’s not the most important one initially. Option B is incorrect because installing antivirus software is crucial for malware protection, but it’s not the most important measure at the initial integration stage.
Option D is incorrect because updating system drivers is necessary for hardware functionality, but it’s not the most important security measure before system integration
163
What advantage does a credentialed scanner have over a non-credentialed scanner when it comes to network security assessments?
A. Access to network traffic data for real-time monitoring
B. Ability to identify open ports and services on target systems
C. Visibility into missing patches for third-party software
D. Enhanced encryption capabilities for secure data transmission
## Footnote
Chapter 17
Explanation: The correct answer is option **C**. A significant advantage of credentialed scanners over non-credentialed ones is their ability to access the target system with appropriate credentials (such as administrative or privileged access). This access allows them to perform more in-depth assessments, including identifying missing patches for third-party software installed on the target system. This information is crucial for assessing and mitigating security vulnerabilities.
Option A is incorrect because while credentialed scanners can gather detailed information about the target systems, they do not have direct access to network traffic data for real-time monitoring.
Option B is incorrect because both credentialed and non-credentialed scanners can identify open ports and services on target systems, so this is not a unique advantage of a credentialed scanner.
Option D is incorrect because encryption capabilities primarily depend on the scanner’s configuration and do not represent a specific advantage of credentialed scanners over non-credentialed ones
164
In your organization, a recent incident occurred in which sensitive personally identifiable information (PII) was not encrypted, leading to data exfiltration. This incident has raised concerns about the security of sensitive data within the organization. What is the MOST effective security measure to prevent such incidents?
A. Implementing strong passwords for user accounts
B. Conducting security awareness training for employees
C. Regularly updating antivirus software
D. Deploying DLP solutions
## Footnote
Chapter 17
Explanation: The correct answer is option **D**. DLP solutions are specifically designed to prevent sensitive data (such as PII) from leaving the organization without proper authorization. They monitor data in real-time, enforce policies, and can block or encrypt data to prevent unauthorized exfiltration. Deploying DLP solutions is the most effective measure for preventing incidents like data exfiltration of PII or sensitive information.
Option B is incorrect because security awareness training is essential for educating employees, but it may not directly prevent data loss.
Option C is incorrect because updating antivirus software is crucial for malware protection but does not protect PII or sensitive information.
165
You are the IT administrator in charge of network security at your organization. Your organization’s Security Information and Event Management (SIEM) system has just detected a virus on the network. The SIEM system has alerted you to the potential threat, and you need to take immediate action to address it. What should you do FIRST?
A. Immediately delete the virus to prevent further damage
B. Isolate the infected system from the network
C. Contact law enforcement to report the cyberattack
D. Run a full system scan to identify the extent of the infection
## Footnote
Chapter 17
Explanation: The correct answer is option **B**. The first action should be to isolate the infected system from the network. This prevents the virus from spreading to other systems and allows a controlled response. Isolation is a critical containment step in incident response.
Option A is incorrect because while removing the virus is important, doing so immediately without understanding the scope of the infection or taking preventive measures may lead to data loss or incomplete mitigation.
Option C is incorrect because law enforcement should be contacted after containment and assessment. It’s essential to gather information and evidence before involving external authorities.
Option D is incorrect because running a full system scan is a valuable step but should always be performed after isolating the infected system to prevent further spread of the virus.
166
An engineer installs a new monitoring system in a complex network environment. On the first night after installation, the system generates thousands of errors and alerts, overwhelming the team. What is the MOST likely reason for the system generating thousands of errors and alerts on the first night?
A. The monitoring system is faulty and needs replacement
B. The network environment is too secure, leading to false alerts
C. The alerts have not been properly tuned for the specific
environment
D. The network devices are outdated and incompatible with the
monitoring system
## Footnote
Chapter 17
Explanation: The correct answer is option **C**. When a new monitoring system is installed, it typically comes with default alert configurations that may not be suitable for the specific network environment. To reduce noise and prevent alert fatigue, it is essential to tune the alerts to match the organization’s requirements and the unique characteristics of the network. Failure to do so can result in an excessive number of alerts,
many of which may be false positives or not relevant to the
organization’s priorities.
Option A is incorrect because this is a new system and therefore unlikely to be faulty or in need of replacement. This answer is not the most likely reason.
Option B is incorrect because a very secure network environment might generate some false alerts, but it is unlikely to result in thousands of errors and alerts. The type of issue
described is more often related to alert tuning rather than excessive security measures.
Option D is incorrect because outdated network (that
is, legacy) devices will not be purchased as a new monitoring system as they will not have vendor support. The primary concern in the scenario is alert tuning.
167
Which of the following tasks can a vulnerability scanner BEST use to assess the security posture of a system?
A. Checking for missing patches and software flaws
B. Enforcing strict access control policies
C. Assessing compliance with CIS benchmarks
D. Monitoring real-time network traffic
## Footnote
Chapter 17
Explanation: The correct answer is option **C**. Assessing compliance with CIS (Center for Internet Security) benchmarks is a highly effective way for a vulnerability scanner to assess the security posture of a system. CIS benchmarks are industry-recognized guidelines that provide specific configuration recommendations for securing various software and systems. By checking whether a system adheres to these benchmarks, you can identify potential security weaknesses and vulnerabilities.
Option A is incorrect because checking for missing patches and software flaws is an essential aspect of vulnerability scanning, but it may not be the BEST way to assess the overall security posture of a system.
Option B is incorrect because enforcing access control policies is crucial for security, but vulnerability scanners typically do not handle policy enforcement.
Option D is incorrect because monitoring real-time network traffic is typically the role of network monitoring tools
168
You are the IT manager in a large organization that operates a complex network environment. This environment collects data from various sources, including firewalls, servers, network devices, and applications. Which of the following is the primary component responsible for correlating the log files from these sources to identify potential security threats and anomalies?
A. Syslog Server
B. Credentialed Vulnerability Scan
C. Data analysts
D. Security Information and Event Management (SIEM) system
## Footnote
Chapter 17
Explanation: The correct answer is option **D**. A Security Information and Event Management (SIEM) system is primarily responsible for correlating log files from various sources in a complex network environment. A SIEM system aggregates, analyzes, and correlates log data from diverse sources to identify potential security threats and anomalies. It provides a centralized platform for real-time monitoring and threat detection.
Option A is incorrect because a syslog server is used to collect and store log data, and its primary function is to serve as a repository for log files. It does not perform the advanced correlation and analysis needed to identify security threats and anomalies.
Option B is incorrect because credentialed vulnerability scanning is a process focused on identifying vulnerabilities in systems and applications. It does not correlate log files but rather scans systems to find weaknesses that may be exploited.
Option C is incorrect because data analysts can analyze log data, but they are not typically responsible for the primary correlation of log files in a network environment. The task of log correlation is better suited for automated systems like SIEM.
169
You are the network administrator for a large organization with a complex network infrastructure that includes numerous network devices such as routers, switches, and servers. Your responsibility includes monitoring these network devices in real-time and providing status reports to ensure smooth network operation and early detection of issues. Which of the following systems will you use to complete these tasks?
A. SIEM
B. Syslog
C. SNMP
D. Agentless Monitor
## Footnote
Chapter 17
Explanation: The correct answer is option **C**. SNMP is commonly used to monitor network devices in real-time and provide status reports. It allows network administrators to collect information from network devices such as routers and switches, including details about their performance, health, and status. SNMP provides a standardized way to manage and monitor network equipment.
Option A is incorrect because SIEM systems are primarily used for security monitoring and event management. While they can collect data from various sources, including network devices, their main focus is on security-related events and threats, rather than providing status reports for network devices.
Option B is incorrect because Syslog is a protocol used for collecting and forwarding log messages from various network devices and servers. While it helps centralize log data, it is not primarily used for real-time monitoring or providing status reports on network devices. It focuses on logging and storing event data.
Option D is incorrect. ’Agentless monitor’ is a generic term and not a specific system or protocol. It could refer to various monitoring tools or approaches, but it is not commonly
associated with real-time monitoring and status reporting for network devices in the same way that SNMP is.
170
You are the chief information security officer of a large organization, and you are responsible for managing cybersecurity risks and vulnerabilities. A critical part of your role is assessing the impact of vulnerabilities on the organization’s assets, taking into account factors like confidentiality, integrity, and availability. Which of the following is the BEST tool for your operations?
A. NIST
B. CIS
C. CVE
D. CVSS
## Footnote
Chapter 17
The correct answer is option **D**. CVSS is commonly used in
cybersecurity management to assess and determine the impact of vulnerabilities on an organization’s assets. It provides a standardized framework for calculating vulnerability severity scores by considering factors such as confidentiality, integrity, and availability. This scoring system helps organizations prioritize and address vulnerabilities based on their potential impact. If the vulnerability has a CVSS score between 9 and 10, it is critical; and if the CVSS score is between 0.1-3.9, the the vulnerability is considered low.
Option A is incorrect because The National Institute of Standards and Technology (NIST) provides cybersecurity guidelines but is not primarily focused on assessing the impact of vulnerabilities.
Option B is incorrect because the Center for Internet Security (CIS) is a nonprofit organization that focuses on enhancing the cybersecurity readiness and resilience of public and private sector entities.
Option C is incorrect because common vulnerability and exposure (CVE) is a list of publicly known vulnerabilities. It provides a unique identifier for each vulnerability but does not directly assess or determine the impact of vulnerabilities on
assets. CVE is more about tracking and identifying vulnerabilities and involved OSs rather than scoring their impact.
171
A company has recently delivered a presentation on the use of secure protocols and is testing the attendees on the information being delivered. Match the insecure protocols (on the left) with their secure replacements (on the right). Choose the correct pairing for each. (SELECT all that apply):
**Insecure Protocol Secure Protocol**
A Telnet SSH
B HTTP HTTPS
C POP3S HTTP
D SMTP POP3S
E HTTP IMAPS
F FTPS SMTPS
G FTP SFTP
## Footnote
Chapter 18
The correct answers are option **A**, option **B**, and option **G**. Telnet is insecure, and its secure replacement is SSH (Secure Shell). These are used for remote administration. HTTP is used for insecure web browsing and can be replaced by HTTPS. FTP is insecure and can be replaced with SFTP.
Option C is incorrect because POP3S is a secure email client, and HTTP for web browsing is insecure.
Option D is incorrect because SMTP is used for transfer of mail between mail servers and should be replaced by SMTPS. POP3S is a mail client and is used to pull mail securely from the mail server.
Option E is incorrect because HTTP should be replaced with HTTPS, not IMAPS, which is a secure mail client.
Option F is incorrect because FTPS is a secure file transfer protocol, not insecure and SMTPS is for secure mail between
mail servers.
172
What does DMARC provide in email security?
A. End-to-end encryption of email messages
B. Real-time monitoring of email server performance
C. Sender authentication and reporting on email authentication results
D. Automatic filtering of email attachments
## Footnote
Chapter 18
The correct answer is option **C**. Domain-based Message Authentication Reporting and Conformance DMARC provides sender authentication and reporting on email authentication results, allowing domain owners to specify handling instructions for emails that fail authentication checks. For example, it helps you decide whether such emails should be quarantined or deleted. It can also create reports on its activities.
Option A is incorrect because end-to-end encryption is not the primary function of DMARC.
Option B is incorrect because real-time monitoring of email server performance is not a direct feature of DMARC.
Option D is incorrect because automatic filtering of email attachments is not a core function of DMARC.
173
To prevent phishing attacks and improve email deliverability, which type of DNS record should you create to specify authorized email servers for your domain?
A. A PTR record
B. A TXT record
C. An MX record
D. An A record
## Footnote
Chapter 18
The correct answer is option **B**. To specify authorized email servers for your domain and prevent phishing attacks, you should create an SPF (Sender Policy Framework) record in your DNS settings. This requires a TXT record.
Option A is incorrect because PTR records are used for reverse DNS lookups, not for specifying authorized email servers.
Option C is incorrect because MX records are used for specifying mail exchange servers, not for SPF purposes.
Option D is incorrect because A records are created for each host and are not related to SPF records.
174
You are the IT administrator for a medium-sized company that takes email security and data protection seriously. As part of your responsibilities, you oversee the configuration and management of your company’s mail gateway, which is a crucial component of your email infrastructure. One of your tasks is to ensure that the mail gateway effectively blocks certain types of content to prevent security breaches and data leaks. One day, you receive a report from your security team that an email with potentially harmful content almost made its way into your company’s inbox. This incident prompts a review of the types of content that are often blocked by your mail gateway. Which of the following is a type of content often blocked by a mail gateway?
A. Router Configuration Data
B. Email containing sensitive personal information
C. Phishing Email
D. Firewall Log Data
## Footnote
Chapter 18
The correct answer is option **C**. A mail gateway often blocks phishing emails to enhance email security. Phishing emails are a common threat. They attempt to deceive recipients into revealing sensitive information, and a mail gateway helps prevent these deceptive emails from reaching the inbox.
Option A is incorrect; router configuration data pertains to
network device settings and is not typically blocked by a mail gateway.
Option B is incorrect; when it comes to emails that contain sensitive personal data, such as financial information or social security numbers, data loss prevention (DLP) normally prevents sensitive emails from being sent, while mail gateway impacts incoming mail.
Option D is incorrect because firewall log data is generated by network security devices and is not a type of email content.
175
A company wants to prevent employees from sending sensitive customer information via email. Which DLP action should they implement to achieve this?
A. Blocking specific email domains
B. Encrypting all outgoing emails
C. Implementing content inspection and keyword detection
D. Restricting email attachments
## Footnote
Chapter 18
The correct answer is option **C**. To prevent sensitive customer information from being sent via email, implementing content inspection and keyword detection is an effective data loss prevention (DLP) action. This allows the system to scan email content for specific keywords or patterns associated with sensitive data and take appropriate actions to prevent unauthorized sharing.
Option A is incorrect because data loss prevention (DLP) does not block email domains; this is the job of a mail gateway.
Option B is incorrect because email encryption enhances security; it focuses on protecting email content during transmission rather than detecting and preventing the inclusion of sensitive data in
emails.
Option D is incorrect because restricting attachments may not
prevent sensitive data from being included in the body of an email, which is the primary concern in this scenario.
176
A company has recently delivered a presentation on the use of secure protocols and is testing the attendees on the information being delivered. Can you match the insecure port numbers (on the left) with their secure replacements (on the right). Choose the correct pairing for each.
**Insecure Protocol Secure Protocol**
A. 80 443
B. 22 23
C. 21 22
D. 25 587
E. 80 993
F. 23 22
G. 143 993
## Footnote
Chapter 18
The correct answers are option **A**, option **C**, option **D**, option **F**, and option **G**. Port 80 is used by HTTP and port 443 is used by HTTPS. Port 21 is used by FTP and port 22 is used by SFTP. Port 22 can be used by SSH, SCP and SFTP, but this usage is uncommon. Port 25 is SMTP, and it should be replaced by SMTPS (587). Port 23 is telnet; it is insecure and should be replaced by SSH port 22 for secure remote administration. Port 143 is IMAP 4 and Secure IMAP is port 993.
Option B is incorrect because port 22 is SSH which is secure, and not insecure, and it replaces port 23 telnet. Option E is incorrect because port 80 is HTTP web browser, and IMAP4S is 993 which is a mail client.
177
You are the network administrator for a small business, and you are configuring a firewall for the very first time. You find the complex network firewall challenging. There seems to be an issue with some traffic getting blocked unintentionally. Below are four
firewall rules currently in place:
Rule#, Action, Protocol, Source IP, Destination IP, Destination
Port
1 BLOCK TCP 192.168.1.0/24 0.0.0.0 80
2 ALLOW TCP 0.0.0.0 192.168.2.0/24 ANY
3 ALLOW TCP 192.168.3.0/24 0.0.0.0 443
4 ALLOW TCP 192.168.4.12/24 192.168.4.0/24 22
Which rule(s) should you modify to resolve the complex issue and allow traffic to flow correctly while maintaining security?
A. Rule #1
B. Rule #2
C. Rule #3
D. Rule #4
## Footnote
Chapter 18
The correct answer is option **A**. Rule #1 should be modified to ALLOW traffic from the source IP range 192.168.1.0/24 to any destination on port 80. This rule is currently blocking web traffic.
Option B is incorrect because Rule #2 is not related to the issue. It allows all traffic to the destination IP range 192.168.2.0/24. However, since Rule #2 is below Rule #1, web traffic is blocked.
Option C is incorrect because Rule #3 is not related to the issue It allows traffic from the source IP range 192.168.3.0/24 to port 443.
Option D is incorrect because Rule #4 is not part of the issue as it allows traffic from the host on 192.168.4.12 to the destination IP range 192.168.4.0/24 on port 22.
178
A system administrator wants to ensure the integrity of critical system files on a Windows server. The system administrator needs to scan the system files and repair any anomalies. Which command or action should they employ for File Integrity Monitoring (FIM)?
A. Running “chkdsk /f” to check for disk errors
B. Executing “sfc /scannow” to scan and repair system files
C. Enabling Windows Defender Antivirus
D. Executing “sfc /verifyfile” to scan and repair system files
## Footnote
Chapter 18
The correct answer is option **B**. For File Integrity Monitoring (FIM) of system files on a Windows server, executing the “sfc /scannow” command is a recommended action. This command scans for and repairs corrupted or missing system files, ensuring the integrity and stability of the operating system.
Option A is incorrect because “chkdsk” checks for disk errors; it does not specifically monitor or repair system file integrity.
Option C is incorrect because Windows Defender is primarily an antivirus and antimalware tool, not a file integrity monitoring (FIM) solution.
Option D is incorrect because executing “sfc /verifyfile” verifies the integrity of the file with a given file path. No repair operation is performed.
179
In a Windows Active Directory environment, which tool or feature allows administrators to define and enforce computer and user settings, such as password policies and software installation restrictions?
A. Windows Defender
B. Group Policy
C. Windows Firewall
D. Microsoft Intune
## Footnote
Chapter 18
The correct answer is option **B**. Group Policy is a powerful tool in Windows Active Directory environments that allows administrators to define and enforce computer and user settings. It can be used to configure various security policies, password policies, and software installation restrictions.
Option A is incorrect because Windows Defender is an antivirus tool and does not provide the capabilities to define and enforce computer and user settings.
Option C is incorrect because Windows Firewall is primarily focused on controlling network traffic and does not configure password policies or software installation restrictions.
Option D is incorrect because Microsoft Intune is a mobile
device management (MDM) solution and does not directly configure computer and user settings within an Active Directory environment.
180
In a Linux-based system, what does SELinux primarily provide in terms of security?
A. Mandatory access controls and fine-grained permissions
B. Real-time network monitoring
C. Antivirus scanning and malware protection
D. Secure boot and firmware integrity checks
## Footnote
Chapter 18
The correct answer is **A**. SELinux (Security-Enhanced Linux) enhances Linux security by providing mandatory access controls and fine-grained permissions. It enforces strict access policies, restricting what processes and users can do and thereby enhancing system security.
Option B is incorrect; while SELinux contributes to security, it primarily focuses on access controls and permissions rather than real-time network monitoring.
Option C is incorrect because SELinux is not an antivirus tool; its primary function is enforcing access controls.
Option D is incorrect; secure boot and firmware integrity checks are related to the system’s boot process and firmware security rather than SELinux’s primary function.
181
In a secure authentication system, which type of authentication token relies on physical devices to generate authentication codes or keys?
A. Hard Authentication Tokens
B. Soft Authentication Tokens
C. Biometric Authentication Tokens
D. Hybrid Authentication Tokens
## Footnote
Chapter 19
The correct answer is option **A**. Hard authentication tokens are physical devices, such as hardware tokens or smart cards, which generate authentication codes or keys for secure authentication. They are highly resistant to online attacks. Option B is incorrect; a soft authentication token uses passwords or PINs and does not rely on physical devices.
Option C is incorrect; biometric tokens use physiological characteristics (e.g., fingerprints or facial recognition) for authentication, not physical devices.
Option D is incorrect; hybrid tokens combine multiple authentication methods but do not inherently rely on physical devices.
182
You are configuring secure access to an Apache web server. To enhance security, you enable passwordless access. Which technology should you primarily use for this?
A. HTTPS with SSL/TLS
B. SSH keys
C. 2FA
D. Username and password authentication
## Footnote
Chapter 19
The correct answer is option **B**. SSH keys provide a secure and passwordless method for accessing remote Linux servers. Apache is a Linux web server.
Option A is incorrect; HTTPS with SSL/TLS provides secure communication between the client and the web server; they do not replace authentication methods for server access.
Option C is incorrect; Two-factor authentication (2FA) can enhance security but needs two separate factors. In this question we are using a single factor.
Option D is incorrect as passwordless access means you are not going to use a password at all
183
What is the main purpose of ephemeral credentials in the context of security?
A. To securely store passwords
B. To grant temporary access rights
C. To manage privileged accounts
D. To provide long-lasting access tokens
## Footnote
Chapter 19
The correct answer is option **B**. Ephemeral credentials are short-lived access tokens that are typically used to provide temporary access to resources or systems. They are designed to enhance security by limiting the duration of access.
Option A is incorrect; securely storing passwords is the primary purpose of password vaulting, not ephemeral credentials.
Option C is incorrect; managing privileged accounts involves various tasks, including password management, but it is not the main purpose of ephemeral credentials.
Option D is incorrect; ephemeral credentials are not intended to provide long-lasting access tokens; their purpose is to limit access duration for security reasons
184
In a multi-factor authentication implementation, which of the following factors would be classified as a “something you are” factor?
A. Username and Password
B. OTP sent via SMS
C. Fingerprint Scan
D. Security Questions Answers
## Footnote
Chapter 19
The correct answer is option **C**. A fingerprint scan is deemed as a “something you are” factor as it refers to a part of your body used for biometric authentication.
Option A is incorrect as username and password are considered a “Something You Know.”
Option B is incorrect as a One-Time Password (OTP) via SMS is “something you know.”
Option D is incorrect as security questions answers are considered to be “something you know.”
185
You have discovered that someone is using the same password for all their online accounts, including email, social media, and banking. What should you recommend implementing to enhance their online security?
A. 2FA
B. Stronger encryption protocols
C. Regularly changing passwords
D. Password manager
## Footnote
Chapter 19
The correct answer is option **D**. Implementing a password manager is a secure and convenient way to store and manage unique, complex passwords for each online account. It helps eliminate the risk of using the same password across multiple accounts, significantly enhancing online security.
Option A is incorrect; using two-factor authentication (2FA) is an excellent security measure but it does not directly address the issue of using the same password for multiple accounts.
Option B is incorrect; implementing stronger encryption protocols is important but does not address the issue of using the same password.
Option C is incorrect; while regularly changing passwords is a recommended security practice, it does not prevent someone from using the same password.
186
How many factors of authentication does using a smart card involve?
A. Single
B. Two factors
C. Multiple factors
D. Dual-factor
## Footnote
Chapter 19
The correct answer is option **C**. A smart card falls under “something you have.” You insert it into the reader, which is “something you do” and then you insert the PIN that is “something you know”. Option A, option B and option D do not have the correct number of factors.
187
In an organization, the IT security team wants to prevent users from recycling their passwords too frequently. Which security policy should they implement to achieve this goal?
A. Maximum password age
B. Minimum password age
C. Password complexity requirements
D. Account lockout policy
## Footnote
Chapter 19
The correct answer is option **B**. A minimum password age prevents users from recycling their passwords too frequently. If you use a value of 5 days, they can change their password with a maximum frequency of once every 5 days.
Option A is incorrect; the maximum password age refers to the maximum amount of time a user can keep their password before they are required to change it. It does not prevent password recycling.
Option C is incorrect; Password complexity requirements typically involve using a combination of uppercase letters, lowercase letters, numbers, and special characters. It does not prevent password recycling.
Option D is incorrect; an account lockout policy sets the rules
for temporarily locking out user accounts after a certain number of unsuccessful login attempts. It does not prevent password recycling.
188
Which security concept involves granting users temporary
administrative access rights for a specific task or period to reduce the exposure of privileged access? Select the BEST choice.
A. Just-in-time permissions
B. Password vaulting
C. Ephemeral credentials
D. Privileged access management
## Footnote
Chapter 19
The correct answer is option **A**. Just-in-time permissions involve granting users temporary administrative access rights only when needed.
Option B is incorrect; password vaulting primarily involves securely storing and managing passwords, not granting temporary access.
Option C is incorrect; ephemeral credentials refer to short-lived
access tokens but may not necessarily be tied to just-in-time
permissions.
Option D is incorrect; privileged access management encompasses various security measures, including just-in-time
permissions, but it is a broader concept
189
Two organizations are collaborating on a joint venture and need to establish secure access to shared resources. Which approach is most suitable for achieving seamless authentication and access control on these resources?
A. Password sharing
B. Identity proofing
C. Federation services
D. Provisioning user accounts
## Footnote
Chapter 19
The correct answer is option **C**. Federation services enable secure authentication and access control across organizations, making them ideal for joint ventures and shared resources.
Option A is incorrect; password sharing is insecure and not a recommended approach for securing access to shared resources.
Option B is incorrect; identity proofing focuses on verifying identities and may not directly address access control for shared resources.
Option D is incorrect; provisioning user accounts involves creating and granting access but does not specifically address secure access to shared resources between organizations.
190
In a scenario where two organizations are sharing resources and need to implement secure identity federation, which service can they leverage to enable authentication and authorization between their systems?
A. LDAP
B. OAuth 20
C. SAML
D. Kerberos
## Footnote
Chapter 19
The correct answer is option **C**. SAML (Security Assertion Markup Language) is commonly used for secure identity federation and the exchange of authentication and authorization data between organizations.
Option A is incorrect; LDAP (Lightweight Directory Access Protocol) is used for querying and modifying directory services
but is not used for secure identity federation.
Option B is incorrect; OAuth 2.0 is used for internet-based authorization and delegation, not for secure identity federation. Option D is incorrect; Kerberos is a network authentication protocol but is not a suitable choice for secure identity federation between organizations
191
You are an IT consultant tasked with explaining the use cases of
automation and scripting related to secure operations to a group of business executives during a presentation. You need to clarify which of the following options is a use case for automation and scripting in the context of ensuring secure operations within an organization.
A. User provisioning
B. Cost management
C. Marketing strategy
D. Office space allocation
## Footnote
Chapter 20
The correct answer is option **A.** User provisioning is a use case of automation and scripting related to secure operations. It involves automating the process of creating, configuring, and managing user accounts, enhancing security and efficiency. Option B is incorrect; automation and scripting can help with cost management in various ways, but it is not directly related to secure operations. Secure operations typically pertain to ensuring the security and integrity of data, systems, and access controls within an organization.
Option C is incorrect; automation and scripting can be used in marketing automation for various tasks, but it is not related to secure operations. Secure operations focus on safeguarding an organization’s digital assets and minimizing security risks.
Option D is incorrect; office space allocation is unrelated to secure operations or automation in this context.
192
You are the chief information security officer of a medium-sized
company, and you have been asked to present the benefits of automation and orchestration in secure operations to your executive team during a meeting. Which of the following is the BEST reason for introducing automation and orchestration in secure operations?
A. Increasing complexity
B. Slowing down response time
C. Enhancing efficiency
D. Encouraging employee retention
## Footnote
Chapter 20
The correct answer is option **C**. One of the key benefits of automation and orchestration in secure operations is enhancing efficiency by automating routine tasks, reducing manual effort, and streamlining processes.
Option A is incorrect; automation and orchestration can
increase complexity if not planned properly, it is not a benefit. Option B is incorrect as the goal is to speed up response time, not slow it down.
Option D is incorrect; while automation and orchestration can improve job satisfaction by reducing the burden of manual, repetitive tasks, their primary purpose is to encourage employee retention. Employee retention is a broader HR and organizational concern, whereas automation and orchestration in secure operations aim to enhance security processes. This is not the best choice.
193
A cybersecurity analyst performs automated weekly vulnerability scans on their organization’s database servers. Which of the following describes the administrator’s activities?
A. Continuous validation
B. Continuous integration
C. Continuous deployment
D. Continuous monitoring
## Footnote
Chapter 20
The correct answer is option **A**. Continuous validation involves regular and ongoing validation and assessment of systems, which includes activities like vulnerability scanning and providing detailed reports.
Option B is incorrect; continuous integration involves the integration of code changes into a shared repository and automated testing, not vulnerability scanning.
Option C is incorrect; continuous deployment is related to software development and release, not vulnerability scanning.
Option D is incorrect; continuous monitoring typically refers to real time or near-real-time monitoring of systems, not periodic vulnerability scans.
194
You are the IT security manager of a mid-sized technology company, and you are conducting a training session for your IT team on the importance of enforcing security baselines. During the training, you want to emphasize the significance of adhering to security policies and standards. Which of the following represents an example of enforcing baselines related to security?
A. Automating software updates
B. Regularly conducting security awareness training
C. Allowing unauthenticated access
D. Using weak passwords
## Footnote
Chapter 20
The correct answer is option **B**. Enforcing security baselines involves adhering to established security policies, standards, and best practices within an organization. Strictly following security policies is a prime example of enforcing security baselines. This ensures that all systems and processes align with the defined security standards, which can help protect against various security threats and vulnerabilities.
Option A is incorrect; automating software updates is essential for maintaining security, but it is not an example of enforcing security baselines directly related to employee education and awareness.
Option C is incorrect; allowing unauthenticated access is a security violation, not enforcing baselines.
Option D is incorrect as Using weak passwords is a security
risk, not enforcing baselines
195
Which consideration is crucial to avoid technical debt when
implementing automation?
A. Complexity
B. Cost
C. Standardization
D. Speed of deployment
## Footnote
Chapter 20
The correct answer is option **C**. Standardization is crucial to avoid technical debt when implementing automation because it ensures that processes and configurations are consistent and sustainable.
Option A is incorrect; complexity, if not managed properly, can contribute to technical debt but is not the primary factor.
Option B is incorrect; while cost is a consideration, it is not directly related to avoiding technical debt.
Option D is incorrect; speed of deployment is important but does
not directly address technical debt.
196
You are the head of the cybersecurity department in a large financial institution, and you are meeting with your team to discuss improving incident detection and response procedures. You want to find a solution that allows your team to establish workflows for detecting four new types of incidents while incorporating automated decision points and actions based on predefined playbooks. Which of the following is the BEST solution?
A. SOAR
B. CASB
C. SWG
D. SIEM
## Footnote
Chapter 20
The correct answer is option **A**. To integrate incident response processes with automated decision points and predefined playbooks, the organization should implement a Security Orchestration, Automation, and Response (SOAR) solution.
Option B is incorrect because cloud access security broker (CASB) solutions are designed for cloud security management and do not provide incident response automation.
Option C is incorrect; a secure web gateway (SWG) aims to protect organizations and users from web-based threats while enforcing security policies for internet traffic.
Option D is incorrect; a security information and event management (SIEM) system is important for security monitoring and does not provide the same level of automation and
orchestration as a SOAR platform
197
What is a key benefit of scaling in a secure manner using automation?
A. Reducing efficiency
B. Increasing security risks
C. Adapting to changing workloads
D. Encouraging technical debt
## Footnote
Chapter 20
The correct answer is option **C**. Scaling in a secure manner using automation allows organizations to adapt to changing workloads and resource demands while maintaining security. Option A is incorrect as scaling in a secure manner should not reduce efficiency.
Option B is incorrect as the goal of scaling securely is to reduce security risks, not increase them.
Option D is incorrect as properly implemented scaling
should not encourage technical debt.
198
You are the director of IT operations for a large technology company, and you are conducting a staff training session on the importance of ongoing supportability in the context of automation and orchestration. Which of the following are the BEST reasons for ongoing supportability in the context of automation and orchestration? Select TWO.
A. To increase complexity
B. To enhance efficiency
C. To sustain effectiveness
D. To discourage employee retention
## Footnote
Chapter 20
The correct answers are **B** and option **C**. Ongoing supportability in automation and orchestration ensures that automated processes continue to run smoothly and efficiently, ultimately improving the efficiency of IT operations and preventing issues that may impact their ability to achieve desired outcomes. Option A is incorrect; organizations may intentionally increase the complexity of their automation and orchestration solutions to address specific needs, but it should be managed carefully to avoid unnecessary complications.
Option D is incorrect; ongoing supportability can improve job satisfaction and employee retention by maintaining effective automation.
199
You are the chief executive officer for a multinational corporation who just suffered a data breach. As part of the lessons-learned phase, the cybersecurity team needs to develop an early detection system to prevent such an incident in future. Which of the following should the cybersecurity team implement?
A. Implement a Data Loss Prevention system
B. Implementing rules in the NGFW
C. Creating a playbook within the SOAR
D. Implement an audit trail so the incident can be tracked
## Footnote
Chapter 20
The correct answer is option **C**. Creating a playbook within the Security Orchestration, Automation and Response (SOAR) tool provides real time detection. This would allow the security analyst to detect whether an event is reoccurring by triggering automated actions based on the previous incident’s characteristics. SOAR would detect the incident very quickly as it is an automated system.
Option A is incorrect; data loss prevention system prevents outbound data from leaving and does not respond to inbound or incident response events.
Option B is incorrect; while NGFW (Next-Generation Firewall) rules can enhance security, they are not specifically designed for detecting recurring incidents.
Option D is incorrect as auditing is not a real-time detection process.
200
Which of the following involves ten programmers’ development all writing their own code and then merging it in a shared repository as soon as it is finished?
A. Continuous integration
B. Continuous deployment
C. Continuous validation
D. Continuous monitoring
## Footnote
Chapter 20
The correct answer is option **A**. Continuous integration involves the practice of including code changes into the main codebase as soon as they are written. This helps identify integration issues early in the development process.
Option B is incorrect; continuous deployment is related to the automated release of code changes into production, not code integration.
Option C is incorrect; continuous validation involves regular assessment and validation of systems, not code integration.
Option D is incorrect; continuous monitoring refers to ongoing
surveillance of systems, not code integration.
201
You are the lead incident responder for a large organization’s
cybersecurity team. During the Analysis phase of incident response, you discover a sophisticated malware infection on a critical server that contains sensitive data and supports critical business operations. What should be your immediate action?
A. Isolate the server and proceed with root cause analysis.
B. Disconnect the server from the network and restore from
backups.
C. Immediately report the incident to legal authorities.
D. Conduct a tabletop exercise to assess incident response
procedures.
## Footnote
Chapter 21
The correct answer is option **A**. In the analysis phase, you should isolate the affected system to prevent further damage while conducting root cause analysis to understand the extent of the incident.
Option B is incorrect because disconnecting the server from the network is containment and would be the right things to do, but when coupled with restoring from backups. It is incorrect as backup is part of the restore phase , it is not part of the analysis phase but recover phase.
Option C is incorrect as reporting to legal authorities, if required, is done later in the incident response process.
Option D is incorrect because a tabletop exercise is a paper-based preparation activity and not an immediate response to an incident.
202
You are the cybersecurity incident response lead for a financial
institution. You find yourself in the containment phase of incident response, addressing a ransomware attack that has struck multiple critical systems used for processing transactions and managing customer data.
What is the primary objective during this phase?
A. Isolate the affected critical system from the network
B. Eliminate the ransomware from affected systems.
C. Reimage the affected systems
D. Analyze the malware code to prevent future attacks.
## Footnote
Chapter 21
The correct answer is option **A**. The primary objective during the Containment phase is to remove the infected critical system from the network.
Option B is incorrect because eliminating malware is the eradication phase.
Option C is incorrect because reimaging the affected systems is part of the recovery phase. Option D is incorrect because
analyzing malware code is a task often performed during root cause analysis
203
During the preparation phase of incident response, what activities are typically involved?
A. Containing and eradicating threats in real-time.
B. Developing and documenting incident response procedures.
C. Reflecting on past incidents for improvement.
D. Restoring affected systems to normal operations.
## Footnote
Chapter 21
The correct answer is option **B**. The preparation phase involves developing and documenting incident response procedures, including roles and responsibilities.
Option A is incorrect because containing and eradicating threats occurs in later phases.
Option C is incorrect as reflecting on past incidents is part of the lessons learned phase.
Option D is incorrect because restoring affected systems is part of the recovery phase.
204
You are a digital forensics investigator working for a law enforcement agency. You have just begun a digital forensics investigation related to a cybercrime incident involving the theft of sensitive financial data from a major corporation. As you gather electronic evidence on a criminal you use legal hold to assist in the investigation. Which of the following BEST describes the purpose of legal hold?
A. Safeguarding evidence from alteration or deletion.
B. Documenting the chain of custody meticulously.
C. Collecting digital evidence for analysis.
D. Retrieving electronic evidence for legal purposes
## Footnote
Chapter 21
The correct answer is option **A**. Legal hold’s primary purpose is to safeguard evidence from alteration or deletion to ensure its integrity during an investigation or legal proceedings.
Option B is incorrect because documenting the chain of custody aligns with Chain of Custody.
Option C is incorrect as collecting digital evidence for analysis
is part of the acquisition phase.
Option D is incorrect because retrieving electronic evidence for legal purposes is related to E-Discovery.
205
Which of the following BEST describes the concept of “order of
volatility” in digital forensics??
A. It determines the chronological sequence of incidents.
B. It specifies the order in which evidence should be collected.
C. It identifies the root causes of incidents.
D. It ensures evidence is securely preserved
## Footnote
Chapter 21
The correct answer is option **B**. “Order of Volatility” in digital forensics specifies the order in which volatile evidence should be collected to ensure its preservation and relevance to the investigation.
Option A is incorrect because Order of Volatility is not related to determining the chronological sequence of incidents.
Option C is incorrect as identifying root causes aligns more with root cause analysis to find out what cause the incident in the first place.
Option D is incorrect because ensuring evidence is securely preserved relates to the Preservation phase
206
Which of the following BEST describes a “Right to Audit Clause” in a contract?
A. It is the legal right to conduct an audit or inspection of a
contract
B. It allows for the retrieval of electronic evidence for legal
purposes.
C. It enables meticulous documentation of findings.
D. It provides the legal authority to conduct digital forensics.
## Footnote
Chapter 21
The correct answer is option **A**. A “Right to Audit Clause” is a clause written into a contract that grants the legal right to conduct an audit or inspection of a contract.
Option B is incorrect because allowing for the retrieval of electronic evidence for legal purposes is related to E-Discovery itself.
Option C is incorrect as meticulous documentation of findings is part of the reporting phase.
Option D is incorrect because providing legal authority for digital forensics is a separate legal process, not covered by the clause.
207
During a simulated incident response scenario, your team identifies a data breach involving customer information. What is the primary goal of the team during the analysis phase?
A. Develop incident response playbooks for future incidents.
B. Determine the scope and impact of the data breach.
C. Eradicate the threat and recover the affected data.
D. Prepare lessons learned documentation for stakeholders.
## Footnote
Chapter 21
The correct answer is option **B**. In the analysis phase, the primary goal is to determine the scope and impact of the incident, such as the extent of the data breach.
Option A is incorrect because developing playbooks is part of the Preparation phase.
Option C is incorrect as eradication and recovery typically come after Analysis.
Option D is incorrect because lessons learned documentation occurs after the incident is resolved. And is used to prevent reoccurrence.
208
Which of the following BEST describes the final phase of the incident response process?
A. Containment
B. Lessons learned
C. Detection
D. Recovery
## Footnote
Chapter 21
The correct answer is option **B**. The “lessons learned” phase is the final phase of the incident response process, where organizations reflect on the incident and make improvements for the future.
Option A is incorrect because containment is one of the earlier phases in the incident response process.
Option C is incorrect as detection is also one of the early phases.
Option D is incorrect because sis typically not the final phase, as Lessons Learned follows it.
209
Which of the following BEST describes the primary objective of root cause analysis?
A. Identifying and mitigating current threats.
B. Conducting digital forensics on affected systems
C. Developing incident response playbooks for future incidents.
D. Determining the fundamental issues contributing to incidents.
## Footnote
Chapter 21
The correct answer is option **D**. Root cause analysis’s primary objective is to determine the fundamental issues and underlying reasons contributing to incidents, allowing organizations to address them at their core.
Option A is incorrect because identifying and mitigating current
threats aligns more with Threat Hunting.
Option B is incorrect because conducting digital forensics is conducted after the incident.
Option C is incorrect as developing playbooks is part of the Preparation phase.
210
In digital forensics, what does the chain of custody primarily involve?
A. Placing evidence in a locked drawer in a secure office before
going to lunch
B. Eradicating the root causes of incidents in a timely manner.
C. Documenting the handling and transfer of evidence throughout an investigation
D. Analyzing network traffic patterns to identify security
vulnerabilities.
## Footnote
Chapter 21
The correct answer is option **C**. The chain of custody in digital forensics primarily involves documenting the handling and transfer of evidence throughout an investigation to ensure its integrity and admissibility in legal proceedings.
Option A is incorrect as you have broken the chain of custody, leaving the evidence unattended whilst you go to lunch.
Option B is incorrect as it refers to the eradication phase of incident response, not the chain of custody.
Option D is incorrect as analyzing network traffic patterns relates to network security and vulnerability assessments, not the chain of custody.
211
What type of log is used to record system-level events and security-related activities on an operating system? Select the BEST option.
A. Application logs
B. Network logs
C. Firewall logs
D. NIDS logs
## Footnote
Chapter 22
The correct answer is option **C**. Firewall logs are designed to record events related to the firewall’s operation, including blocked and allowed traffic, intrusion attempts, and other security-related activities. They are crucial for monitoring and maintaining the security of a network and often provide valuable insights into system-level security events.
Option A is incorrect as application logs are primarily used to record events related to a specific application or software running on a system. These logs are useful for troubleshooting application-specific issues but are not primarily concerned with system-level events and security.
Option B is incorrect as network logs track data flow but do not specifically record system-level security events on an operating system.
Option D is incorrect as NIDS (Network Intrusion Detection System) logs primarily capture suspicious network activity to detect intrusion attempts, not system-level events within the operating system.
212
Which type of log file is essential for monitoring and auditing security related activities on your desktop, such as failed login attempts and access control changes? Select the BEST option.
A. Security logs
B. Network logs
C. Application logs
D. Endpoint logs
## Footnote
Chapter 22
The correct answer is option **A**. Security logs are crucial for monitoring and auditing security-related activities on an operating system, including failed login attempts and access control changes.
Option B is incorrect; as network logs track data flow, not security-related activities on a desktop.
Option C is incorrect; as application logs focus on user interactions within applications, not security-related activities on a
desktop.
Option D is incorrect, as endpoint logs primarily document user activities and security events on devices.
213
What kind type of logs provide insights into user interactions, errors, and events within software programs?
A. Endpoint logs
B. Network logs
C. Application logs
D. OS-specific security logs
## Footnote
Chapter 22
The correct answer is option **C**. Application logs capture details about user interactions, errors, and events within applications, aiding in troubleshooting and understanding user behavior.
Option A is incorrect; as endpoint logs primarily document user activities and security events on devices, and do not provide insights into user interactions within applications.
Option B is incorrect; network logs track data flow but do
not provide insights into user interactions within applications. Option D is incorrect as OS-specific security logs record system-level security events but do not focus on user interactions within applications.
214
Which of the following data sources helps identify and prioritize system weaknesses, including outdated software and misconfigurations?
A. Automated reports
B. Patch Management
C. Packet captures
D. Vulnerability scans
## Footnote
Chapter 22
The correct answer is option **D**. Vulnerability scans systematically probe systems to identify weaknesses, including outdated software and misconfigurations, and prioritize them based on severity.
Option A is incorrect as automated reports provide information but cannot identify and prioritize system weaknesses like vulnerability scans.
Option B is incorrect as patch management is the process of applying software updates (patches) to fix vulnerabilities and security issues in the system. It helps address weaknesses, including outdated software. However, it cannot identify or prioritize system weaknesses; its primary purpose is to remediate them after they have been identified through other means.
Option C is incorrect; as packet captures capture raw network traffic but does not offer real-time insights or aid in compliance tracking but do not perform vulnerability assessments.
215
You are the Chief Information Security Officer (CISO) of a large financial institution. Your team is responsible for ensuring the organization’s cybersecurity. You need a data source that can provide real-time information about your organization’s security status, highlight anomalies, and aid in compliance tracking. Which of the following data sources should you choose?
A. Dashboards
B. Packet captures
C. Automated reports
D. Network logs
## Footnote
Chapter 22
The correct answer is option **C**. Automated reports offer real-time information about an organization’s security status, highlight anomalies, and are valuable for compliance tracking. Option A is incorrect as dashboards offer real-time monitoring but do not provide detailed information about security status and compliance tracking like automated reports.
Option B is incorrect as packet captures capture record raw network traffic but do not offer real-time information or aid
in compliance tracking.
Option D is incorrect because network logs track data flow but cannot conduct real-time security status information and compliance tracking.
216
Which type of type of log file tracks packets including connections, data transfers, and errors going to your intranet web server, including connections, data transfers, and errors?
A. Application logs
B. OS-specific security logs
C. Network logs
D. Security logs
## Footnote
Chapter 22
The correct answer is option **C**. Network logs record the flow of data across a network, including connections, data transfers, and errors, across a network, aiding in network monitoring and troubleshooting.
Option A is incorrect as application logs focus on user interactions
within applications, not network traffic.
Option B is incorrect as OS-specific security logs record system-level security events but do not track network traffic.
Option D is incorrect as security logs primarily monitor and audit security-related activities on an operating system but do not track network traffic.
217
You are a cybersecurity analyst working for a large technology company. Your responsibility is to monitor and audit security-related activities on the company’s network and operating systems to ensure the organization’s digital assets are protected. Which of the following should choose?
A. Endpoint logs
B. Application logs
C. Security logs
D. System Logs
## Footnote
Chapter 22
The correct answer is option **C**. Security logs primarily monitor and audit security-related activities on an operating system, providing essential information for security management.
Option A is incorrect as endpoint logs are generated by individual devices (endpoints) such as computers, servers, and mobile devices. They can provide valuable information about activities on these devices, including security-related events. They do not cover security-related events across the network
and operating systems.
Option B is incorrect as application logs capture user interactions and errors within applications but do not primarily monitor security-related activities on an operating system.
Option D is incorrect as system logs cover a wide range of events related to the operation of an operating system, including system start-up/shutdown, hardware and driver issues, software installations, user account management, system errors, and application events. They focus on system operations and performance rather than security-specific events.
218
You are a cybersecurity analyst working for a large financial institution. Your role involves investigating security incidents and conducting forensic analysis to understand the nature and impact of potential breaches. Which of the following would be the BEST option to help you perform your job?
A. Vulnerability scans
B. Automated reports
C. Nmap
D. Packet captures
## Footnote
Chapter 22
The correct answer is option **D**. Packet captures capture record raw network traffic and save them as packet capture files (PCAP). Wireshark, tcpdump and packet sniffers can conduct this task. The PCAP files can be used for forensic analysis during security incidents, allowing investigators to reconstruct events. Option A is incorrect as vulnerability scans identify system weaknesses but do not capture raw network traffic for forensic analysis.
Option B is incorrect because automated reports provide pre-compiled information but do not capture raw network traffic. They are helpful for regular monitoring but are not suitable for forensic analysis during security incidents.
Option C is incorrect because Nmap is a network scanning tool used for discovering devices and open ports on a network, but it does not capture raw network traffic. It can give you an inventory of your network and the operating system and services running on each host. It cannot conduct forensic analysis.
219
You are the security administrator for a medium-sized company. Part of your responsibility is to identify vulnerabilities that are visible to potential external attackers and assess open ports on your organization’s network. Which of the following data sources would be BEST?
A. Automated reports
B. Credentialed Vulnerability Scan
C. Packet captures
D. Non-Credentialed Vulnerability Scan
## Footnote
Chapter 22
The correct answer is option **D**. A non-credentialed vulnerability scan is performed without authenticated credentials and can identify vulnerabilities visible to potential external attackers. It has the same view as an external attacker. It is also suitable for assessing open ports, making it the best choice for this specific task.
Option A is incorrect as automated reports provide pre-compiled information and do not focus on identifying any vulnerabilities.
Option B is incorrect because dashboards provide a visual data representation of data but cannot identify vulnerabilities visible to external attackers and assessing open ports.
Option C is incorrect as packet captures capture record raw
network traffic but cannot identify vulnerabilities visible to external attackers.
220
You are the IT administrator for a medium-sized company. As part of your responsibilities, you need to ensure that user activities, system changes, and security events on devices are properly monitored and recorded for security and compliance purposes. Which of the following would be the BEST data sources to fulfil your duties?
A. Endpoint logs
B. Application logs
C. OS-specific security logs
D. Metadata
## Footnote
Chapter 22
The correct answer is option **A**. Endpoint logs. Endpoint logs are the primary data source for documenting user activities, system changes, and security events on devices. They provide detailed records of what occurs on individual devices, making them essential for monitoring, auditing, and maintaining the security and compliance of the organization’s IT environment. Option B is incorrect; as application logs primarily capture details about user interactions within applications, not user activities and system changes on devices.
Option C is incorrect as OS-specific security logs record system-level security events but do not primarily document user activities and system changes on devices.
Option D is incorrect as Metadata typically contains information about data and its attributes but does not directly document user activities, system changes, or security events on devices.
221
As a compliance officer in a healthcare organization, you are tasked with ensuring adherence to industry regulations and standards. Which type of governance structure would be most concerned ensuring compliance with external regulatory requirements?
A. Boards
B. Centralized governance
C. Committees
D. Government entities
## Footnote
Chapter 23
The correct answer is option **D**. Government entities are most concerned with enforcing and ensuring compliance with industry regulations and standards, especially in areas such as healthcare.
Option A is incorrect because boards provide internal oversight and may not be primarily focused on external regulatory compliance.
Option B is incorrect because centralized refers to a type of governance structure, which is still internal and not as salient as government entities.
Option C is incorrect because committees might make decisions but are not in charge of ensuring compliance with external regulations. It is an internal task force.
222
You are the Chief Financial Officer (CFO) of an e-commerce company that processes credit card transactions. To ensure the secure handling of cardholder data and maintain compliance, which of the following regulations should your organization adhere to?
A. ISO 27001
B. ISO/IEC 27017
C. ISO/IEC 27018
D. PCI-DSS
## Footnote
Chapter 23
The correct answer is option **D**. PCI-DSS (Payment Card Industry Data Security Standard) is specifically designed to ensure the security of payment card data and is relevant for organizations handling credit card transactions.
Option A is incorrect because ISO 27001 focuses on information security management but not specifically on payment card data.
Option B is incorrect because ISO/IEC 27017 pertains to cloud
security.
Option C is incorrect because ISO/IEC 27018 deals with cloud privacy, not payment card security
223
As the CEO of a growing e-commerce business, you face a sudden system outage during a peak shopping season. Sales are plummeting, and customers are frustrated. What is the BEST policy you can implement to rectify this situation?
A. Business Continuity
B. Change Management
C. Software Development Lifecycle (SDLC)
D. Disaster Recovery
## Footnote
Chapter 23
The correct answer is option **A**. Business continuity is crucial for addressing system outages and ensuring the organization can continue operations during disruptions.
Option B is incorrect because change management focuses on controlled changes, not system outages.
Option C is incorrect because SDLC pertains to software development practices, not system outages.
Option D is incorrect because disaster recovery deals with system recovery but would not impact the actual system outage.
224
You are the head of a large financial institution and are contemplating the governance structure that best suits your organization’s diverse branches and subsidiaries. What type of governance structure allows for local autonomy and decision-making at the branch level?
A. Government entities
B. Centralized
C. Committees
D. Decentralized
## Footnote
Chapter 23
The correct answer is option **D**. A decentralized governance structure allows local branches or entities to have autonomy and decision-making authority.
Option A is incorrect because government entities are external
to the organization; they are not part of an internal governance structure.
Option B is incorrect because centralized governance structures focus on central authority, not local autonomy.
Option C is incorrect because committees may handle specific functions but may not provide local decision-making autonomy.
225
In which stage of the SDLC do developers merge their code changes into a shared repository?
A. Testing
B. Staging
C. Development
D. Production
## Footnote
Chapter 23
The correct answer is option **C**. Development is the first stage of SDLC where developers collaborate and merge their code changes into a shared repository.
Option A is incorrect because testing is the stage at which regression testing is carried out. This is the final version of code
before staging.
Option B is incorrect because during staging, testing is
completed, and the code becomes an application.
Option D is incorrect as production is where the application is dispatched after being sold.
226
You are the IT manager of a US government agency tasked with
securing critical infrastructure against cyber threats. Which regulation is most pertinent to you and your systems?
A. ISO 27001
B. ISO/IEC 27017
C. NIST SP 800-53
D. PCI-DSS
## Footnote
Chapter 23
The correct answer is option **C**. NIST SP 800-53 is a comprehensive cybersecurity framework developed by the National Institute of Standards and Technology (NIST) for federal information systems.
Option A is incorrect because ISO 27001 focuses on information
security but is not specific to government systems.
Option B is incorrect because ISO/IEC 27017 pertains to cloud security.
Option D is incorrect because PCI-DSS relates to credit card data security, not government systems.
227
You are the Chief Information Officer (CIO) of a multinational
corporation responsible for ensuring compliance with data protection regulations. In this role, what primary responsibility do you hold as the data controller?
A. Managing data storage and infrastructure
B. Determining the purpose and means of data processing
C. Executing data backup and recovery procedures
D. Conducting data access audits
## Footnote
Chapter 23
The correct answer is option **B**. As the data controller, your primary responsibility is to determine the purpose and means of data processing, including how and why personal data is collected, processed, and stored.
Option A is incorrect because managing data storage and
infrastructure may be the responsibility of the data custodian. Option C is incorrect because executing data backup and recovery procedures are the data custodians, but this is not the role of the data controller.
Option D is incorrect because conducting data access audits is part of data governance but is not the role of the data controller
228
In the Software Development Lifecycle (SDLC), which stage typically involves the final version of the code?
A. Testing
B. Staging
C. Development
D. Production
## Footnote
Chapter 23
The correct answer is option **A**. Testing is where regression testing is carried out. This is the final version of the code before staging.
Option B is incorrect because staging is where the tested code becomes an application.
Option C is incorrect because the Development stage deals
with code creation, not the final version.
Option D is incorrect because production is the stage at which the application is manufactured
228
As the CISO of a healthcare organization, you are responsible for
ensuring the confidentiality, integrity, and availability of patient data. Which regulation should you primarily abide by to establish a robust information security management system (ISMS)?
A. ISO 27001
B. ISO/IEC 27017
C. NIST SP 800-53
D. PCI-DSS
## Footnote
Chapter 23
The correct answer is option **A**. ISO 27001. This is the international standard for information security management and provides a framework for establishing an ISMS.
Option B is incorrect because ISO/IEC 27017 focuses on cloud security.
Option C is incorrect because NIST SP 800-53 primarily deals with cybersecurity controls.
Option D is incorrect because PCI-DSS pertains to credit card data security, not general information security.
229
As the Data Privacy Officer (DPO) for a cloud service provider, your role involves safeguarding customer data and ensuring privacy in the cloud environment. Which regulation should guide your efforts to protect personal data in the cloud?
A. ISO/IEC 27701
B. ISO/IEC 27017
C. ISO/IEC 27018
D. NIST SP 800-53
## Footnote
Chapter 23
The correct answer is option **C**. ISO/IEC 27018 specifically addresses cloud privacy and the protection of personal data in cloud environments.
Option A is incorrect because ISO/IEC 277001 focuses on data privacy on a non-cloud environment.
Option B is incorrect because ISO/IEC 27017 deals with cloud security.
Option D is incorrect because NIST SP 800-53 is centered on cybersecurity controls
230
Which of the following is a phase in risk management during which potential risks are determined?
A. Risk assessment
B. Risk identification
C. Risk mitigation
D. Risk monitoring
## Footnote
Chapter 24
The correct answer is option **B**. Risk Identification is the phase at which potential risks are determined and listed.
Option A is incorrect because risk assessment involves evaluating risks that have already been determined.
Option C is incorrect because risk mitigation involves implementing strategies to manage and minimize the impact of risks that have already been determined.
Option D is incorrect because risk monitoring involves the ongoing process of tracking and monitoring the risks that have already been determined
231
Which type of risk assessment is performed to monitor and assess risks in real-time and is most effective for instantaneous detection of issues?
A. Ad hoc
B. Scheduled
C. Continuous
D. Recurring
## Footnote
Chapter 24
The correct answer is option **C**. Continuous risk assessment involves real-time, ongoing assessment of risks. Because it is constantly working, it is the type of assessment most like to give instantaneous detection.
Option A is incorrect because ad hoc assessments are performed only as needed or in response to a specific incident.
Option B is incorrect because scheduled risk assessments are performed at predetermined intervals or on a set schedule. They are not used to continuously monitor and assess risks in real-time.
Option D is incorrect because recurring assessments are performed at regular, scheduled intervals. They are not continuous
232
Which type of risk assessment typically occurs at regular and scheduled intervals?
A. One-time
B. Ad-hoc
C. Continuous
D. Recurring
## Footnote
Chapter 24
The correct answer is option **D**. Recurring risk assessments are performed at regular, scheduled intervals.
Option A is incorrect because one-time assessments are performed only once, typically at a specified point in time.
Option B is incorrect because an ad assessment is
performed only when needed or in response to a specific incident.
Option C is incorrect because continuous assessments are ongoing, realtime risk assessments
233
In risk management strategies, which analytical approach quantifies risk by applying numerical values, statistical methods, and calculations such as annualized loss expectancy (ALE) to measure and assess the impact of risk?
A. Quantitative risk analysis
B. Qualitative risk analysis
C. Subjective loss expectancy analysis
D. Exposure factor
## Footnote
Chapter 24
The correct answer is option **A**. The quantitative risk analysis approach applies numerical values and statistical methods to quantify risk, providing a measurable and objective assessment of risk impact.
Option B is incorrect because qualitative risk analysis uses subjective judgment, opinions, and categorizations, such as high, medium, or low rather than numerical values to assess and prioritize risks.
Option C is incorrect because subjective loss expectancy analysis is not a recognized analytical method in risk management; it’s a fabricated term combining elements from various risk analysis concepts.
Option D is incorrect because the exposure factor (EF) is a measure of the magnitude of loss or damage that can be expected if a risk event occurs.
234
Which risk analysis methodology assesses the potential impacts and likelihoods of risks by utilizing subjective insights and evaluations, without emphasizing the computation of probable financial loss?
A. Qualitative risk analysis
B. Quantitative risk analysis
C. Risk magnitude evaluation
D. Risk impact analysis
## Footnote
Chapter 24
The correct answer is option **A**. Qualitative risk analysis focuses on using subjective evaluations such as high, medium, or low to assess and prioritize risks, considering the potential impacts and likelihoods.
Option B is incorrect because quantitative risk analysis employs
numerical values and statistical models to compute probable financial loss and objectively measure the impact and likelihood of risks.
Option C is incorrect because a risk magnitude evaluation determines the magnitude of risk. It does not employ subjective insights and evaluations without emphasizing the computation of probable financial loss.
Option D is incorrect because a risk impact analysis considers the
impact of risk but does not utilize subjective evaluations and insights without computing probable financial loss
235
A company experienced the repeated theft of computer systems valued at $10,000 five times in the last year. What is the annualized loss expectancy (ALE) for this risk event?
A. $2,000
B. $10,000
C. $50,000
D. $20,000
## Footnote
Chapter 24
The correct answer is option **C**. The ALE is calculated by multiplying the SLE by the Annualized Rate of Occurrence (ARO). ALE = $10,000 (SLE) * 5 (ARO) = $50,000.
Option A, option B, and option D are incorrect as per the calculation.
236
Which risk management strategy focuses on mitigating risk through insurance or outsourcing your IT?
A. Acceptance
B. Transfer
C. Mitigation
D. Avoidance
## Footnote
Chapter 24
The correct answer is option **B**. Transferring risk means to assign the responsibility of a risk to a third party, typically through contracts or insurance policies.
Option A is incorrect because to accept risk is to acknowledge the existence of the risk and decide not to take action. This
usually occurs when the risk is deemed too low to require action. Option C is incorrect because mitigating a risk involves implementing actions or controls to reduce the likelihood or impact of the risk.
Option D is incorrect because avoiding risk involves changing plans or approaches to eliminate the risk altogether when the risk is deemed too high to ignore/accept. .
237
Which of the following risk management strategies involves the
acknowledgment of a risk where no proactive measures are taken to address it, due to its negligible impact?
A. Exemption
B. Exception
C. Acceptance
D. Transfer
## Footnote
Chapter 24
The correct answer is option **C**. Acceptance of risk refers to the
acknowledgment of the risk and a conscious decision not to take
proactive measures to address it, typically due to its low predicted
impact or likelihood.
Option A is incorrect because an exemption refers to the act of relieving an individual, group, or entity from a specific obligation, rule, or policy that is generally applied across the organization. This is not a standard risk management strategy.
Option B is incorrect because an exception in risk management pertains to an approved deviation from a set policy or standard. This deviation is typically temporary and is allowed due to the absence of a viable alternative, often with compensatory controls to mitigate associated risks. This is not a standard risk management strategy.
Option D is incorrect because transferring risk involves the allocation of risk to another entity or party, typically through contracts or insurance. This does not lessen its impact or likelihood.
238
Which statement BEST describes the critical difference between
recovery time objective and recovery point objective within the context of business impact analysis?
A. Recovery time objective refers to the maximum allowable
downtime, while recovery point objective refers to the
maximum allowable data loss.
B. Recovery time objective refers to the frequency of system
failures, while recovery point objective refers to the maximum
allowable downtime.
C. Recovery time objective refers to the maximum allowable data
loss, while recovery point objective refers to the maximum
allowable downtime.
D. Recovery time objective and recovery point objective both
refer to the maximum allowable downtime but are used in
different contexts
## Footnote
Chapter 24
The correct answer is option **A**. Recovery time objective (RTO)is the maximum tolerable length of time that a service, application, or system can be down (also known as downtime) after an incident before there is an unacceptable impact on the business. Recovery point objective (RPO) is the maximum age of files that an organization must recover from backup storage for normal operations to resume if a computer, system, or network goes down because of a disruption.
Option B is incorrect because this statement incorrectly assigns the definition of MTBF to RTO and incorrectly defines RPO as maximum allowable downtime.
Option C is incorrect because this statement switches the
definitions of RTO and RPO.
Option D is incorrect because RTO and RPO have different definitions; they don’t both refer to the maximum allowable downtime.
239
In business impact analysis, which component is crucial for determining the acceptable data loss and downtime in IT systems?
A. Mean time between failures
B. Recovery point objective and recovery time objective
C. Data frequency analysis
D. Impact acceptance threshold
## Footnote
Chapter 24
The correct answer is option **B**. Recovery Point Objective (RPO) and Recovery Time Objective (RTO) are critical components in a business impact analysis (BIA) for determining the acceptable level of data loss and downtime. RPO determines the acceptable amount of data loss measured in time, and RTO determines the acceptable amount of service or system downtime.
Option A is incorrect because mean time between failures (MTBF) is a measure of the reliability of a system and refers to the average time between failures but does not directly determine
acceptable data loss or downtime.
Option C is incorrect because data frequency analysis is not a standard term used in BIA, and it does not determine acceptable data loss or downtime.
Option D is incorrect because impact acceptance threshold is a fabricated term and not a recognized concept in BIA for determining acceptable data loss or downtime.
240
When completing a risk assessment of a vendor, which of the following processes plays a pivotal role in comprehensively assessing the potential vulnerabilities of a vendor’s digital infrastructure to show the vendor’s security weaknesses? Select the BEST option.
A. Supply chain analysis
B. Due diligence
C. Penetration testing
D. Conflict of interest
## Footnote
Chapter 25
The correct answer is option **C**. Penetration testing is a simulated cyberattack against the vendors computer system to check for exploitable vulnerabilities.
Option A is incorrect because supply chain analysis involves evaluating risks within the supply chain but does not assess
specific vulnerabilities in the vendor’s infrastructure.
Option B is incorrect because due diligence is a comprehensive appraisal of the business but does not necessarily assess vulnerabilities.
Option D is incorrect because a conflict of interest refers to a situation where a party’s responsibility to a second party limits certain abilities to assess and change – it would not help assess vulnerabilities, and could potentially hinder any such assessment..
241
Which clause is integral in evaluating a vendor’s adherence to policy and compliance?
A. Compliance clause
B. Right-to-audit clause
C. Investigation clause
D. Assessment clause
## Footnote
Chapter 25
The correct answer is option **B**. Right-to-audit clause allows
organizations to conduct audits on the vendor’s policies, processes, and controls to ensure they are compliant.
Option A is incorrect because a compliance clause refers to a statement in the agreement requiring adherence to applicable laws and regulations, but it does not specifically allow for evaluation or audit.
Option C is incorrect because an investigation clause may involve certain investigations but does not specifically address auditing or adherence to policies.
Option D is incorrect because an assessment clause is too broad and does not specifically pertain to auditing compliance or policies.
242
Within the framework of vendor management and compliance, what mechanism plays a role in confirming a vendor’s commitment to internal organizational policies and regulatory requirements? Select the BEST option.
A. Independent assessments
B. Evidence of internal audits
C. Penetration testing
D. Supply chain analysis
## Footnote
Chapter 25
The correct answer is option **B**. By suppling evidence of internal audits you can check the actions and procedures in place to adhere to internal policies and regulatory requirements. Option A is incorrect because independent assessments focus on external evaluations and do not verify adherence to internal policies.
Option C is incorrect because penetration testing mainly identifies vulnerabilities in the systems or networks but does not take into account internal policies or regulatory requirements.
Option D is incorrect because supply chain analysis relates to evaluating risks within the supply chain, not to internal policy adherence.
243
Which of the following types of assessment provides an impartial
evaluation of a vendor’s security posture?
A. Vendor assessment
B. Internal audit
C. Independent assessments
D. Penetration testing
## Footnote
Chapter 25
The correct answer is option **C** independent assessments are conducted by an external entity to provide an unbiased evaluation.
Option A is incorrect because a vendor assessment is a general assessment and may not be impartial.
Option B is incorrect because an internal audit is not impartial as it is conducted by the organization itself.
Option D is incorrect because penetration testing identifies vulnerabilities but is not necessarily an impartial evaluation of overall security posture.
244
Which of the following processes is crucial for evaluating risks that may arise from a vendor’s suppliers and subcontractors?
A. Vendor assessment
B. Supply chain analysis
C. Due diligence
D. Conflict of interest analysis
## Footnote
Chapter 25
The correct answer is option **B**. Supply chain analysis assesses the risks within the entire supply chain, including suppliers and subcontractors.
Option A is incorrect because a vendor assessment is a general
assessment of the vendor.
Option C is incorrect because due diligence requires a comprehensive appraisal of a business with no particular focus on suppliers and subcontractors.
Option D is incorrect because conflict-of-interest analysis evaluates conflicts of interest, not risks within the supply chain.
245
During vendor selection, which process is fundamental for assessing the potential risks and benefits associated with a potential vendor?
A. Conflict of interest review
B. Right-to-audit clause enforcement
C. Due diligence
D. Penetration testing
## Footnote
Chapter 25
The correct answer is option **C** due diligence involves an appraisal of the vendor’s capabilities, financial stability, and reputation to assess the risks and benefits of working with that vendor.
Option A is incorrect because a conflict-of-interest review assesses potential conflicts of interest, not the overall risks and benefits of a vendor.
Option B is incorrect because right-to-audit clause enforcement relates to auditing and compliance, not the assessment of potential risks and benefits.
Option D is incorrect because penetration testing focuses on identifying vulnerabilities in systems or networks. It does not relate to the assessment of vendor risks and benefits.
246
Which document typically outlines confidential obligations between parties to protect sensitive information?
A. MSA
B. NDA
C. MOA
D. BPA
## Footnote
Chapter 25
The correct answer is option **B**. A non-disclosure agreement (NDA) is designed to protect sensitive information and outlines the confidential obligations of the parties involved.
Option A is incorrect because a master service agreement (MSA) outlines the overall terms of engagement but does not go into detail on confidential obligations.
Option C is incorrect because a memorandum of agreement (MOA) is a formal business document that outlines an agreement between two parties but is not go into details on confidentiality. Option D is incorrect because a business partners agreement (BPA) defines the relationship between business partners but does not go into detail on confidential obligations.
247
Which document typically serves as the foundation for producing work orders and statements of work that detail specific activities and deliverables?
A. MOA
B. BPA
C. MSA
D. NDA
## Footnote
Chapter 25
The correct answer is option **C** master service agreement (MSA) outlines the overall terms of engagement and serves as a foundation for producing specific documents like work orders and statements of work.
Option A is incorrect because a memorandum of agreement (MOA) outlines the mutual goals and expectations but does not serve as a foundation for work orders or statements of work. Option B is incorrect because a business partners agreement (BPA) defines the relationship between business partners but does not serve as a foundation for work orders or statements of work.
Option D is incorrect because a nondisclosure agreement (NDA) is designed to protect sensitive information and does not serve as a foundation for work orders or statements of work.
248
Which of the following agreements is specifically focused on mutual goals and expectations of a project or partnership and is typically legally binding?
A. MOU
B. MOA
C. SLA
D. NDA
## Footnote
Chapter 25
The correct answer is option **B**. A Memorandum of agreement (MOA) is a formal document outlining mutual goals and expectations. It focuses on mutual agreements between parties and is typically more binding than an MOU .
Option A is incorrect because a memorandum of understanding (MOU) indicates an intention to work together but is not legally binding.
Option C is incorrect because a service-level agreement
(SLA) outlines the expected level of service but it does not detail
mutual goals and expectations.
Option D is incorrect because a nondisclosure agreement (NDA) is designed to protect sensitive information and outlines the confidential obligations of the parties involved, not their mutual goals and expectations.
249
When conducting a third-party risk assessment, which of the following is the BEST method to evaluate the strategic alignment between the vendor’s capabilities and the organization’s objectives?
A. Independent assessments
B. Penetration testing
C. Vendor monitoring
D. SLA review
## Footnote
Chapter 25
Option **D** is correct.
Option A is incorrect because independent assessments provide an objective evaluation of a vendor’s capabilities and controls; they do not assess strategic alignment with the organization’s objectives.
Option B is incorrect because penetration testing focuses on identifying vulnerabilities in the vendor’s systems. It does not evaluate strategic alignment.
Option C is incorrect because vendor monitoring involves ongoing observation of vendor activities to ensure compliance and performance but does not specifically assess strategic alignment with the organization’s objectives.
250
A brokerage firm has consistently failed to adhere to crucial regulatory requirements, resulting in a series of serious violations. What is the MOST significant consequence this organization could face for its noncompliance?
Choose the BEST answer.
A. Regulatory fines
B. Loss of license
C. Reputational damage
D. Data mismanagement
## Footnote
Chapter 26
The correct answer is option **B**. The organization may face the severe consequence of losing its license, which would hinder the organization’s ability to conduct business.
Option A is incorrect though regulatory fines are significant, a loss of license would be more significant because it would cause the firm to stop operating.
Option C is incorrect because reputational damage may occur, but it is not the most significant consequence the organization is likely to face.
Option D is incorrect because data mismanagement is unrelated to the scenario and focuses on handling data assets, not compliance consequences
251
In the context of data protection and privacy regulations, which of the following best describes the role of a data processor?
A. An individual who exercises control over the processing of
personal data
B. An organization or person that determines the purposes and
means of processing personal data
C. An entity that processes personal data on behalf of the data
controller
D. A government authority responsible for enforcing data
protection laws
## Footnote
Chapter 26
The correct answer is option **C**. A data processor is an entity or organization that processes personal data on behalf of (and according to the instructions of) the data controller.
Option A is incorrect because this description is closer to that of a data controller, who determines the purposes and means of processing personal data.
Option B is incorrect because this is the definition of a data controller, not a data processor.
Option D is incorrect because this describes a regulatory authority responsible for overseeing and enforcing data protection laws, not the role of a data processor.
252
Imagine you are the head of the security compliance team at a large financial institution. Your team is responsible for ensuring the organization adheres to regulatory standards and internal policies. Which of the following elements is essential for effective internal compliance reporting?
A. Consistently update stakeholders about the progress of
compliance initiatives through regular meetings and reports.
B. Keep compliance documentation concise to reduce clutter and
minimize the risk of data breaches.
C. Restrict access to compliance reports to a select few individuals to maintain confidentiality.
D. Address compliance issues as they arise, without proactively
identifying potential risks.
## Footnote
Chapter 26
The correct answer is option **A**. Regular updates ensure that everyone is aware of the organization’s compliance status and can take corrective actions when needed.
Option B is incorrect as compliance documentation should be comprehensive and detailed, not minimal.
Option C is incorrect as restricting access to compliance reports to only a select few individuals is not recommended.
Option D is incorrect as a reactive approach to compliance is not effective, we need to take a proactive approach.
253
You are the chief compliance officer at a multinational corporation considering a merger with a smaller company in a different industry. Which aspect of due diligence is crucial to assess potential risks and ensure a successful merger? (SELECT TWO)
A. Evaluating the smaller company’s stock performance
B. Conducting a cultural compatibility analysis
C. Focusing solely on financial metrics
D. Reviewing intellectual property assets
## Footnote
Chapter 26
The correct answers are option **B**, Option **D**. Conducting a cultural compatibility analysis is crucial during due diligence in a merger. It involves assessing the alignment of organizational cultures, values, and leadership styles between the two companies. Reviewing intellectual property (IP) assets is a crucial aspect of due diligence, especially when merging with a company in a different industry.
Option A is incorrect as stock performance can provide some insights; it is not the primary focus of due diligence in a merger. Option C is incorrect as financial metrics are important, due diligence should not solely focus on them.
254
Your organization is preparing for its annual internal compliance
reporting to assess adherence to security standards and regulations. The compliance team is debating whether to rely on internal reporting alone or incorporate external compliance reports. Which of the following statements best explains why it is better to use an external compliance report in this scenario?
A. External reports provide internal teams with more
comprehensive data.
B. Internal reports offer a more accurate assessment of the
organization’s compliance status.
C. External reports help identify alignment with industry best
practices for compliance.
D. Internal reports allow for better customization to address
specific organizational needs.
## Footnote
Chapter 26
The correct answer is option **C**. External reports help identify industry best practices for compliance.
Option A is incorrect as external reports offer industry insights but may lack detail internal information.
Option B is incorrect as internal reports are detailed but may lack broader industry context.
Option D is incorrect as internal reports can be customized but may lack industry context.
255
In the context of security compliance reporting, which type of report typically includes third-party audits?
A. Internal compliance reports
B. Regulatory compliance reports
C. External compliance audits
D. Security incident reports
## Footnote
Chapter 26
The correct answer is option **C.** These audits are typically documented in external compliance reports.
Option A is incorrect as internal compliance reports primarily focus on an organization’s self-assessment of adherence to security standards and regulations.
Option B is incorrect as regulatory compliance reports demonstrate an organization’s compliance with specific regulations or industry standards.
Option D is incorrect as security incident reports are related to the documentation of internal security breaches or incidents
256
You are the data privacy officer at a large technology company, and your team is responsible for ensuring compliance with privacy regulations. You deal with data protection and privacy on a daily basis. Which of the following individuals or entities is considered a data subject in your role?
A. A company’s chief information officer
B. An individual using a smartphone app
C. A data security analyst
D. A server hosting customer database.
## Footnote
Chapter 26
The correct answer is option **B**. In data protection and privacy regulations, a data subject refers to an individual whose personal data is collected, processed, or stored. An individual using a smartphone app provides their personal data and is considered a data subject.
Option A is incorrect as the chief information officer is a company executive responsible for technology strategy but is not a data subject.
Option C is incorrect as a data security analyst is responsible for protecting data but is not a data subject.
Option D is incorrect as a server hosting customer database is a data processing entity, not a data subject
257
Which of the following is the BEST type of auditing where you
typically encounter a risk assessment as a fundamental component?
A. Financial auditing
B. Environmental auditing
C. Information security auditing
D. Human resources auditing
## Footnote
Chapter 26
The correct answer is option **A**. Financial auditing often includes a risk assessment as a fundamental component. This would be reviewed in an internal compliance reporting.
Option B is incorrect as environmental auditing may involve assessing risks related to environmental compliance, it is not typically associated with the same kind of risk assessment as financial auditing.
Option C is incorrect as information security auditing does involve risk assessments, but it focuses on assessing risks related to information security controls, data breaches, and cyber threats, Option D is incorrect as human resources auditing focuses on assessing HR policies, practices, and compliance.
258
A multinational technology company has recently relocated its
headquarters from New York to Paris to expand its operations in
Europe. In light of this move, the company must now navigate a new set of privacy laws and regulations. What privacy laws does it need to comply with following its office relocation?
A. GDPR
B. CCPA
C. HIPAA
D. GLBA
## Footnote
Chapter 26
The correct answer is option **A**. General Data Protection Regulation (GDPR), which is the primary data protection regulation in the European Union.
Option B is incorrect as The California Consumer Privacy Act (CCPA) is a privacy law specific to the state of California in the US. It does not apply to the company’s operations in Europe.
Option C is incorrect as The Health Insurance Portability and
Accountability Act (HIPAA) is a US law that regulates the privacy and security of health information.
Option D is incorrect as The Gramm-Leach-Bliley Act (GLBA) is a US law that applies to financial institutions and their handling of consumer financial information.
259
In a corporate environment, what is the primary purpose of an
attestation process?
A. To confirm the authenticity of employee acknowledgments
B. To certify the financial statements of a company
C. To verify the identity of customers during onboarding
D. To acknowledge the receipt of an employee handbook
## Footnote
Chapter 26
The correct answer is option **A**. An attestation process is often used to confirm the authenticity of various documents, statements, or acknowledgments made by employees, such as confirming the accuracy of expense reports or compliance with corporate policies.
Option B is incorrect as the certification of financial statements is typically done by auditors, not through an attestation process.
Option C is incorrect as customer identity verification is part of the Know Your Customer (KYC) process and is separate from an attestation process.
Option D is incorrect as acknowledging the receipt of an employee handbook is a straightforward acknowledgment process, but it is not the primary purpose of an attestation process, which typically involves more formal verification.
260
You work in third-line support dealing with both cybersecurity and network security assessments. Your organization is looking to assess its security posture by employing ethical hackers to identify vulnerabilities and weaknesses in its defenses. Which of the following types of penetration testing best fits your requirements?
A. Defensive penetration testing
B. Passive reconnaissance
C. Active reconnaissance
D. Offensive penetration testing
## Footnote
Chapter 27
The correct answer is option **D**. Offensive penetration testing. Offensive penetration testing simulates real-world attacks and uses the tactics of malicious hackers to identify vulnerabilities.
Option A is incorrect because defensive penetration testing focuses on assessing an organization’s readiness to defend against cyberattacks, and is not typically carried out through ethical hacking,
Option B is incorrect because passive reconnaissance gathers initial data without direct interaction with the target and does not require ethical hackers.
Option C is incorrect because active reconnaissance involves interacting with target systems to assess their configurations and vulnerabilities but does not require ethical hackers.
261
Which reconnaissance type aims to gather initial data about the target without alerting or engaging with its systems to minimize the risk of detection?
A. Active reconnaissance
B. Passive reconnaissance
C. Defensive penetration testing
D. Online survey
## Footnote
Chapter 27
The correct answer is option **B**. Passive reconnaissance collects initial data without direct interaction with the target. Option A is incorrect because active reconnaissance entails direct interaction with the systems of the target.
Option C is incorrect because defensive penetration testing
focuses on assessing an organization’s readiness to defend against cyberattacks and comes after reconnaissance.
Option D is incorrect because an online survey engages with the target.
262
Which of the following reconnaissance types involves sending requests to target systems to assess their responses and determine their configuration and vulnerabilities?
A. Offensive penetration testing
B. Passive reconnaissance
C. Active reconnaissance
D. Defensive penetration testing
## Footnote
Chapter 27
The correct answer is option **C**. Active reconnaissance involves interacting with target systems to assess their configurations and vulnerabilities.
Option A is incorrect because offensive penetration testing simulates real-world attacks and can take many different forms,
not just sending requests.
Option B is incorrect because passive reconnaissance collects data without actively interacting with the target.
Option D is incorrect because defensive penetration testing focuses on assessing an organization’s readiness to defend against cyberattacks and has a wider scope than sending requests to target systems.
263
What process involves the meticulous examination and validation of information, often by a qualified independent party, to ensure its accuracy and compliance with established standards and regulations?
A. Offensive penetration testing
B. Passive reconnaissance
C. Attestation
D. Active reconnaissance
## Footnote
Chapter 27
The correct answer is option **C**. Attestation is the process of validating information to ensure accuracy and compliance with standards and regulations.
Option A is incorrect because offensive penetration testing
is for simulating real-world attacks, but it does not validate accuracy or compliance.
Option B is incorrect as passive reconnaissance collects data but does not have the scope of analysis described,
Option D is incorrect as active reconnaissance also does not have the scope analysis described.
264
Which of the following is a primary benefit of an external audit for an organization?
A. Identifying weaknesses in internal controls
B. Enhancing operational efficiency
C. Providing independent assurance on the accuracy of financial
statements
D. Ensuring compliance with internal policies and procedures
## Footnote
Chapter 27
The correct answer is option **C**. Because the audit is done externally, we can assume the auditor has no incentive to confirm false information and should also pick up on internal errors.
Option A is incorrect because while external audits may identify weaknesses in internal controls as a byproduct, their primary benefit is to provide independent assurance regarding the accuracy of financial statements.
Option B is incorrect because external audits will confirm accuracy of data, any resulting enhancing operational efficiency is not the primary purpose.
Option D is incorrect Ensuring compliance with internal policies and procedures is not the primary focus of external audits. External audits are measured against industry best practices.
265
You are the chief operating officer of a rapidly growing technology startup. Your company has recently expanded its operations and increased its workforce, leading to a more complex organizational structure. To ensure effective oversight and management of your business processes, you decide to establish an internal audit function. Which of the following is your primary objective?
A. Confirming alignment with organizational needs and priorities
B. Enhancing the organization’s market competitiveness
C. Providing independent assurance on financial statements
D. Evaluating compliance with external regulations
## Footnote
Chapter 27
The correct answer is option **A**. Internal audits verify that business operations are aligned with organizational needs and priorities.
Option B is incorrect because internal audits may indirectly contribute to enhancing market competitiveness, but their primary objective is to assess alignment with organizational needs and priorities.
Option C is incorrect because providing independent assurance on financial statements is a primary objective of external audits, not internal audits.
Option D is incorrect because evaluating compliance with external
regulations is an aspect of both internal and external audits, but it is not the primary objective of internal audits.
266
Which of the following limitations is MOST LIKELY to be associated
with the scope of external audits?
A. Identifying operational inefficiencies
B. Providing independent assurance on financial statements
C. Assessing compliance with internal policies
D. Limited access to internal records and systems
## Footnote
Chapter 27
The correct answer is option **D**. External auditors might not have access to all internal systems, due to security and permissions.
Option A is incorrect because identifying operational inefficiencies is not typically a limitation of external audits but may be a focus of internal audits.
Option B is incorrect because providing independent assurance on financial statements is the primary purpose of external audits, not a limitation.
Option C is incorrect because assessing compliance with internal policies is primarily the role of internal audits. It is not a limitation of external audits.
267
You are the CEO of a publicly traded company in the healthcare sector. Your organization has a complex governance structure and a diverse range of stakeholders, including investors, regulatory bodies, and the public. To ensure transparency and accountability in your corporate governance, you have established an audit committee as part of your board of directors. Which of the following should be their key responsibility?
A. Conducting external audits
B. Enhancing operational efficiency
C. Providing independent assurance on financial statements
D. Overseeing the effectiveness of internal audit functions
## Footnote
Chapter 27
The correct answer is option **D.** Members of the management committee do not carry out the audit but advise a dedicated unit on issues that will impact its effectiveness .
Option A is incorrect because conducting external audits is typically performed by external auditors, not the audit committee.
Option B is incorrect because although one goal of an audit could be to enhance operational efficiency, the audit committee is primarily tasked with overseeing effectiveness of the audit, rather than whole company operations.
Option C is incorrect because providing independent assurance on financial statements is the role of external auditors, not the audit committee.
268
You are the chief compliance officer of a pharmaceutical company that specializes in manufacturing and distributing medical devices. Your organization operates in a highly regulated industry, and it is essential to comply with strict external regulations and industry standards to ensure the safety and quality of your products. How do auditing practices influence your organization’s compliance with external regulations and
industry standards? Select the BEST choice.
A. Auditing ensures strict adherence to internal policies.
B. Auditing imposes financial penalties for non-compliance.
C. Auditing provides independent verification of compliance
efforts.
D. Auditing eliminates the need for regulatory reporting.
## Footnote
Chapter 27
The correct answer is option **C.** During the auditing process the auditor should check all relevant regulations for your operations and report on your compliance thereof.
Option A is incorrect because auditing primarily focuses on assessing and verifying compliance with external regulations and industry standards, not internal policies.
Option B is incorrect because auditing may identify non-compliance, but the imposition of financial penalties is typically the responsibility of regulatory authorities rather than auditors. Option D is incorrect as auditing may identify non-compliance but does not eliminate the need for compliance.
269
You are the quality assurance manager at a food manufacturing
company known for producing high-quality, organic products. Your organization operates in a sector with stringent regulatory requirements and industry standards, and ensuring compliance is a top priority to maintain the trust of consumers and regulators. What role does auditing play in an organization’s efforts to maintain regulatory compliance and adherence to industry standards?
A. Auditing ensures compliance without any organizational effort.
B. Auditing identifies areas for improvement but does not impact compliance.
C. Auditing provides a systematic evaluation and verification of
compliance efforts.
D. Auditing solely relies on self-reporting for compliance
assessment.
## Footnote
Chapter 27
270
The cybersecurity team has observed multiple instances of hacked passwords among employees. In response, they are planning to implement a password management policy. Which of the following practices should they adopt to enhance password security?
A. A policy that encourages employees to share their passwords
with colleagues.
B. A policy that requires employees to use the same password for all their accounts.
C. Promoting the use of strong, unique passwords that include a
combination of uppercase and lowercase letters, numbers, and
symbols.
D. Advising employees to use passwords consisting of only
uppercase letters and numbers.
## Footnote
Chapter 28
The correct answer is option **C**. Complex passwords use a combination of at least three of the following four: uppercase, lowercase letters, numbers, and symbols. This practice enhances password security by making it more difficult for hackers to guess or crack passwords.
Option A is incorrect because sharing passwords is a security risk and should be discouraged.
Option B is incorrect because using the same password across multiple accounts is a security vulnerability that leads to credential stuffing.
Option D is incorrect because advising employees to use passwords consisting of only uppercase letters and numbers is
incorrect because such passwords may lack the complexity provided by symbols and a mix of uppercase and lowercase letters.
271
You are the chief information security officer at a global technology company that has transitioned to a predominantly remote work environment. With employees working from various locations around the world, ensuring the security of your company’s data and systems is paramount. Which of the following security practices is crucial to mitigate the risks associated with remote work environments?
A. Encouraging employees to use open system authentication for Wi-Fi networks for convenience.
B. Allowing employees to store sensitive data on their personal
devices.
C. Implementing multi-factor authentication (MFA) for remote
access to company resources
D. Allow employees to visit websites using virtual private
networks (VPNs) for remote connections.
## Footnote
Chapter 28
The correct answer is option **C.** MFA adds an extra layer of security by requiring employees to provide multiple forms of identification before gaining access to sensitive data. This makes it more difficult for unauthorized users to breach the system.
Option A is incorrect because using open system authentication to access insecure public Wi-Fi networks can expose sensitive data to eavesdropping and security threats.
Option B is incorrect because allowing employees to store
sensitive data on their personal devices is a security risk as that data may not be encrypted.
Option D is incorrect because this practice could lead to split tunnelling, allowing an attacker to gain access to your corporate network.
272
You are the security analyst for a large financial institution. You notice that one of your employees, who typically works regular hours, has been accessing sensitive financial data at unusual times and from different locations. What type of security issue does this scenario most likely indicate?
A. Risky Behavior
B. Unexpected Behavior
C. Anomalous Behavior
D. Unintentional Behavior
## Footnote
Chapter 28
The correct answer is option **C**. Anomalous behavior recognition involves identifying activities or actions that deviate from established patterns or norms (in this case, hours and locations of the employee’s usual account access). Recognizing such behavior is essential for detecting potential security threats.
Option A is incorrect as risky behavior typically involves knowingly engaging in actions that pose security risks. In this scenario, the employee’s behavior is not necessarily risky, simply unusual.
Option B is incorrect because unexpected behavior may refer to actions that are surprising but not necessarily indicative of security issues. This employee’s behavior is not merely unexpected; it is anomalous due to its deviation from the norm.
Option D is incorrect because unintentional behavior involves actions that occur accidentally or without deliberate intent. The employee’s behavior in this scenario does not appear to be unintentional but rather deliberate and unusual.
273
You are the human resources director at a financial services company that handles sensitive customer data and is dedicated to maintaining a strong cybersecurity posture. You are tasked with enhancing the organization’s cybersecurity training program to address the specific needs and responsibilities of different employee roles. What is a significant benefit of implementing role-based cybersecurity training in an organization?
A. It simplifies the training process by providing a one-size-fits-all
approach.
B. It helps employees develop a deep understanding of all security domains.
C. It tailors training content to specific job responsibilities and
risks.
D. It reduces the need for ongoing security awareness efforts.
## Footnote
Chapter 28
The correct answer is option **C.** Role-based cybersecurity training customizes training content to align with specific job responsibilities and security risks associated with different roles in the organization. This ensures that employees receive relevant and targeted training.
Option A is incorrect because role-based training aims to avoid a onesize-fits-all approach by tailoring content to individual roles and responsibilities.
Option C is incorrect because role-based training focuses on specific domains relevant to a role and may not cover all
security domains in-depth for every employee.
Option D is incorrect because role-based training complements ongoing security awareness efforts by ensuring that training content is role-specific. It does not eliminate the need for ongoing awareness initiatives.
274
Your organization has implemented strict data access policies, but an employee accidentally sends a sensitive customer database to a colleague outside the company. What type of security issue does this scenario most likely indicate?
A. Unintentional behavior
B. Unexpected behavior
C. Anomalous behavior
D. Risky behavior
## Footnote
Chapter 28
The correct answer is option **A**. The action of accidentally sending a sensitive customer database to a colleague outside the company is a clear example of unintentional behavior. Unintentional behavior involves actions that occur accidentally or without deliberate intent, often resulting from human error. Option B is incorrect because unexpected behavior may refer to actions that are surprising but not necessarily indicative of security issues. This action is primarily characterized as unintentional, not unexpected.
Option C is incorrect because anomalous behavior relates to activities that deviate from established patterns or norms. This action is not necessarily anomalous but rather an unintentional error.
Option D is incorrect as risky behavior typically involves knowingly engaging in actions that pose security risks. The employee’s action in this scenario is not a result of knowingly engaging in risky behavior; it is accidental.
275
A company has recently suffered many phishing and spear phishing attacks. In response to this, the chief information security officer has decided to run a phishing campaign. What is the primary goal of this phishing campaign?
A. To describe the details of the phishing attacks to employees
B. To educate employees about the benefits of successful phishing campaigns
C. To assess how vulnerable employees are to phishing attempts.
D. To encourage employees to participate in more phishing
attacks.
## Footnote
Chapter 28
The correct answer is option **C**. The goal of a phishing campaign is to assess how vulnerable employees are to phishing attempts by creating a fake phishing email so they can track the results. Those that participate in the scam are retrained.
Option A is incorrect because the primary purpose of a phishing campaign is not to describe past attacks but to test and raise awareness among employees regarding potential threats.
Option B is incorrect because educating employees about the benefits of successful phishing campaigns would not be productive, as the risks are more salient because they are potential victims. The goal is to educate employees about the risks and consequences of falling for phishing attempts.
Option D is incorrect because the goal of a phishing campaign
is not to encourage employees to participate in more attacks but rather to reduce susceptibility to such attacks through education and awareness.
276
You are the chief information security officer at a medium-sized
healthcare organization. You recently implemented a comprehensive cybersecurity awareness training program to educate your employees about the importance of data security and how to identify and respond to potential threats. What is the most effective method to determine whether or not cybersecurity awareness training was successful in an organization?
A. Tracking the number of security incidents
B. Measuring employee satisfaction with the training content
C. Assessing the organization’s financial performance
D. Conducting simulated phishing tests and monitoring results
## Footnote
Chapter 28
The correct answer is option **D**. Conducting simulated phishing tests and monitoring the results is an effective way to evaluate the success of cybersecurity awareness training, as it measures how well employees can recognize and respond to phishing attempts, which are a common cybersecurity threat. Option A is incorrect because tracking security incidents may provide insights into the effectiveness of training, but it is
reactive rather than a direct measure of training success.
Option B is incorrect because employee satisfaction is important but does not directly measure the effectiveness of cybersecurity awareness training in terms of security awareness and behavior change.
Option C is incorrect because assessing financial performance is not a direct measure of cybersecurity training effectiveness.
277
While reviewing network logs, you discover that a software developer is accessing a server they don’t typically work on and are attempting to modify critical system files. What type of security issue does this scenario most likely indicate?
A. Unintentional behavior
B. User behavior
C. Risky behavior
D. Unexpected behavior
## Footnote
Chapter 28
The correct answer is option **D**. These actions are classified as unexpected, because it might not necessarily be risky, and you don’t know if it’s intentional or accidental, but it should be noted because it is not something this developer should do.
Option A is incorrect because unintentional behavior involves actions that occur accidentally or without deliberate intent, in this scenario it is impossible to ascertain intent.
Option B is incorrect as user behavior relates to tasks done on a
day-to-day basis. Option C is incorrect because risky behavior typically involves knowingly engaging in actions that pose security risks, in this scenario there aren’t any explicit security risks.
278
You are an employee at a large financial institution receiving training on cybersecurity awareness due to recent phishing attacks that have targeted your organization’s employees. One morning, you receive an email that appears suspicious, with unusual links and a request for sensitive information. What is the most appropriate next action for you to take?
A. Delete the suspicious email.
B. Forward the email to colleagues for their opinion before
reporting it.
C. Report the suspicious email to the organization’s IT or security
department.
D. Reply to the email requesting more information to confirm its
legitimacy.
## Footnote
Chapter 28
The correct answer is option **C**. The most appropriate action an employee should take upon suspecting a phishing attempt is to report the suspicious email to the organization’s IT or security department. Reporting ensures that the organization’s security team can investigate and take appropriate action to mitigate potential threats.
Option A is incorrect because deleting a suspicious email is a reasonable step, but it is not the most appropriate action because it doesn’t provide the organization with information to investigate the potential threat.
Option B is incorrect because you should never forward a phishing email to another colleague. The most crucial step is to report it to the IT or security department promptly.
Option D is incorrect because responding to a suspicious email is not recommended, as it can confirm to attackers that the email address is active and lead to further phishing attempts. Reporting is the safer and more appropriate action.
279
As the chief information security officer of an organization, you have determined that security awareness in your organization needs improvement. Which of the following topics or initiatives would you consider adding to the agenda of your security awareness training?
(Select FOUR)
A. Phishing awareness and email security
B. Workplace safety protocols and first aid training
C. Social engineering and recognizing manipulation tactics.
D. Cybersecurity policies and compliance requirements
E. Time management and productivity tips
F. Identifying potential workplace hazards
G. Password management and strong authentication practices
H. Effective communication and conflict resolution skills
## Footnote
Chapter 28
The correct answers are option **A**, option **C**, option **D**, and option **G**. Phishing awareness is crucial for recognizing and avoiding phishing attempts, which are common cybersecurity threats. Social engineering is a significant cybersecurity risk, and recognizing manipulation tactics is
essential for preventing attacks. Understanding cybersecurity policies and compliance requirements ensures that employees are aware of the organization’s security standards and legal obligations. Password management and strong authentication practices help protect sensitive data and systems from unauthorized access.
Option B is incorrect because workplace safety and first aid training, while important, are not directly related to cybersecurity awareness.
Option E is incorrect because time management and productivity tips, while valuable for productivity, are not directly related to cybersecurity awareness.
Option F is incorrect because identifying workplace hazards is important for physical safety but is not a primary focus of cybersecurity awareness training.
Option H is incorrect because effective communication and
conflict resolution skills, while important for a harmonious workplace, are not directly related to cybersecurity awareness.
