Sybex Book Flashcards

Question

Toni is developing a new goal for her information security program. She has currently written it as “We will acquire and implement a new intrusion prevention system that will reduce successful network intrusions by 50%.” What element of the SMART framework is lacking from this goal? 1. Specific 2. Measurable 3. Achievable 4. Relevant 5. Time-bound

Answer 1

E. This goal is specific in that it describes the implementation of an IPS. It is also measurable since it states a clear objective of reducing intrusions by 50 percent. We do not have enough information about the organization to determine whether it is achievable or relevant. It is definitely not time-bound because it contains no deadline. Toni could remedy this situation by adding a deliverable date to the goal.

Answer 2

C. The disclosure of sensitive information to unauthorized individuals is a violation of the principle of confidentiality.

Answer 3

B. The three primary objectives of cybersecurity professionals are confidentiality, integrity, and availability.

Answer 4

C. The span of control is the number of employees who directly report to a manager. Most organizations consider 5–10 employees to be an appropriate span of control.

Answer 5

E. This is an example of a Managed organization: one that begins to implement organized processes on a per-project basis but is still operating in reactive mode. At the Initial level, the organization has unpredictable processes that are poorly controlled. When an organization achieves Level 3: Defined, it has standard processes that are used organization-wide and are adapted for use within each project. Level 4: Quantitatively Managed organizations build measurement and controls on top of their processes to allow them to quickly identify and remediate deficiencies and address control gaps before issues arise. At the top tier of the CMMI, Level 5: Optimizing organizations use a continuous process improvement approach to adjust and fine-tune the way that they work to achieve peak efficiency and effectiveness.

Answer 6

Information security governance efforts should integrate with other corporate governance programs to support both the business's goals and its security strategy. Organizations should draw on existing governance frameworks, such as COBIT and the ISO standards, to avoid redundant effort and to align with industry best practices.

Answer 7

Policies are high-level statements of management intent for the information security program. Standards describe the detailed implementation requirements for policies. Procedures offer step-by-step instructions for carrying out security activities. Compliance with policies, standards, and procedures is mandatory. Guidelines offer optional advice that complements other elements of the policy framework.

Answer 8

Common policies used in security programs include an information security policy, an acceptable use policy, a data ownership policy, a data retention policy, an account management policy, and a password policy. The specific policies adopted by any organization will depend on that organization's culture and business needs.

Answer 9

Exception processes should outline the information required to receive an exception to security policy and the approval authority for each exception. The process should also describe the requirements for compensating controls that mitigate risks associated with approved security policy exceptions.

Answer 10

Merchants and credit card service providers must comply with the Payment Card Industry Data Security Standard (PCI DSS). Organizations handling the personal information of European Union residents must comply with the EU General Data Protection Regulation (GDPR). All organizations should be familiar with the national, territory, and state laws that affect their operations.

Answer 11

Organizations may choose to base their security programs on a framework, such as the NIST Cybersecurity Framework (CSF) or International Organization for Standardization (ISO) standards. U.S. federal government agencies and contractors should also be familiar with the NIST Risk Management Framework (RMF). These frameworks sometimes include maturity models that allow an organization to assess its progress. Some frameworks also offer certification programs that provide independent assessments of an organization's progress toward adopting a framework.

Answer 12

Audits are externally commissioned, formal reviews of the capability of an organization to achieve its control objectives. Assessments are less rigorous reviews of security issues, often performed or commissioned by IT staff. Organizations providing services to other entities may wish to conduct a service organization controls (SOC) audit under SSAE 18.

Answer 13

B. The key term in this scenario is “one way.” This indicates that compliance with the document is not mandatory, so Joe must be authoring a guideline. Policies, standards, and procedures are all mandatory.

Answer 14

B. Governance programs should be flexible and dynamic, rather than static. They should adapt to changes in the environment, as needed. They should be tailored to the enterprise’s needs and cover the enterprise end-to-end. They should clearly distinguish between governance and management activities.

Answer 15

C. The General Data Protection Regulation (GDPR) implements privacy requirements for handling the personal information of EU residents. The Health Insurance Portability and Accountability Act (HIPAA) includes security and privacy rules that affect health-care providers, health insurers, and health information clearinghouses. The Family Educational Rights and Privacy Act (FERPA) applies to educational institutions. The Payment Card Industry Data Security Standard (PCI DSS) applies to credit and debit card information.

Answer 16

B. The five security functions described in the NIST Cybersecurity Framework are identify, protect, detect, respond, and recover.

Answer 17

C. The International Organization for Standardization (ISO) publishes ISO 27701, covering privacy controls. ISO 27001 and 27002 cover cybersecurity, and ISO 31000 covers risk management.

Answer 18

D. Policies require approval from the highest level of management, usually the CEO. Other documents may often be approved by other managers, such as the CISO.

Answer 19

C. Master service agreements (MSAs) provide an umbrella contract for the work that a vendor does with an organization over an extended period of time. The MSA typically includes detailed security and privacy requirements. Each time the organization enters into a new project with the vendor, they may then create a statement of work (SOW) that contains project-specific details and references the MSA.

Answer 20

B. All of these organizations produce security standards and benchmarks. However, only the Center for Internet Security (CIS) is known for producing independent benchmarks covering a wide variety of software and hardware.

Answer 21

C. In the corporate governance model for publicly traded organizations, the shareholders who own the corporation delegate control of the corporation to the elected members of the board of directors. The board is then responsible for selecting the CEO, reviewing the CEO’s performance, and terminating the CEO when necessary.

Answer 22

B. Security policies do not normally contain prescriptive technical guidance, such as a requirement to use a specific encryption algorithm. This type of detail would normally be found in a security standard.

Answer 23

A. The fact that the auditor will not be assessing the effectiveness of the controls means that this is a Type 1 report, not a Type 2 report. The fact that it will be shared only under NDA means that it is an SOC 2 assessment.

Answer 24

C. The common elements of a business case include a scope statement, a strategic context, a cost analysis, an evaluation of alternatives, a project plan, and a management plan. Organizations may develop rollback plans for high-risk changes, but those rollback plans are not a standard component of the business case.

Answer 25

D. The Payment Card Industry Data Security Standard (PCI DSS) provides detailed rules about the storage, processing, and transmission of credit and debit card information. PCI DSS is not a law but rather a contractual obligation that applies to credit card merchants and service providers.

Answer 26

A. Policies should be developed in a manner that obtains input from all relevant stakeholders, but it is not necessary to obtain agreement or approval from all stakeholders. Policies should follow normal corporate policy approval processes and should be written in a manner that fits within the organizational culture and “tone at the top.” Once an information security policy is approved, it commonly falls to the information security manager to communicate and implement the policy.

Answer 27

D. A complete business case should include all relevant financial and human resources costs for an initiative, including both one-time and recurring costs

Answer 28

D. The chief executive officer (CEO) bears ultimate responsibility for the efficiency and effectiveness of the organization in all respects. The chief information officer (CIO), chief information security officer (CISO), and chief financial officer (CFO) are all accountable to the CEO or other senior leader for the areas under their span of control.

Answer 29

D. Any of these terms could reasonably be used to describe this engagement. However, the term audit best describes this effort because of the formal nature of the review and the fact that it was requested by the board.

Answer 30

A. The five COBIT domains are: ## Footnote Evaluate, Direct, and Monitor (EDM) Align, Plan, and Organize (APO) Build, Acquire, and Implement (BAI) Deliver, Service, and Support (DSS) Monitor, Evaluate, and Assess (MEA)

Answer 31

D. The NIST Cybersecurity Framework is designed to help organizations describe their current cybersecurity posture, describe their target state for cybersecurity, identify and prioritize opportunities for improvement, assess progress, and communicate with stakeholders about risk. It does not create specific technology requirements.

Answer 32

C. Requests for an exception to a security policy would not normally include a proposed revision to the policy. Exceptions are documented variances from the policy because of specific technical and/or business requirements. They do not alter the original policy, which remains in force for systems not covered by the exception.

Answer 33

Evaluate, Direct, and Monitor (EDM) Align, Plan, and Organize (APO) Build, Acquire, and Implement (BAI) Deliver, Service, and Support (DSS) Monitor, Evaluate, and Assess (MEA)

Answer 34

Evaluate, Direct, and Monitor (EDM) objectives provide for effective IT governance and the selection and monitoring of strategic goals.

Answer 35

Align, Plan, and Organize (APO) objectives describe how the IT function should be organized and how it should structure its work.

Answer 36

Build, Acquire, and Implement (BAI) objectives describe how the IT organization should create and acquire new information systems and integrate them into the business.

Answer 37

Deliver, Service, and Support (DSS) objectives describe how the organization should manage the operational tasks of information technology.

Answer 38

Monitor, Evaluate, and Assess (MEA) objectives describe how the organization should measure its effectiveness against performance targets, control objectives, and any external requirements it faces.

Answer 39

Describe their current cybersecurity posture. Describe their target state for cybersecurity. Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process. Assess progress toward the target state. Communicate among internal and external stakeholders about cybersecurity risk.

Answer 40

ISO 27001 is a standard titled “Information technology—Security techniques—Information security management systems—Requirements.”

Answer 41

ISO 27002 goes beyond control objectives and describes the actual controls that an organization may implement to meet cybersecurity objectives.

Answer 42

ISO 27004 helps organizations implement a consistent process for the monitoring, measurement, analysis, and evaluation of its information security management function.

Answer 43

ISO 27701 contains standard guidance for managing privacy controls.

Answer 44

ISO 31000 provides guidelines for risk management programs.

Answer 45

SOC 1 engagements assess the organization's controls that might impact the accuracy of financial reporting. SOC 2 engagements assess the organization's controls that affect the security (confidentiality, integrity, and availability) and privacy of information stored in a system. SOC 2 audit results are confidential and are normally only shared outside the organization under an NDA. SOC 3 engagements also assess the organization's controls that affect the security (confidentiality, integrity, and availability) and privacy of information stored in a system. However, SOC 3 audit results are intended for public disclosure. Type 1 reports provide the auditor's opinion on the description provided by management and the suitability of the design of the controls as of a specific date. Type 2 reports go further and also provide the auditor's opinion on the operating effectiveness of the controls—that is, the auditor actually confirms that the controls are functioning properly over a period of time.

Answer 46

SOC 1 engagements assess the organization's controls that might impact the accuracy of financial reporting.

Answer 47

SOC 2 engagements assess the organization's controls that affect the security (confidentiality, integrity, and availability) and privacy of information stored in a system. SOC 2 audit results are confidential and are normally only shared outside the organization under an NDA.

Answer 48

SOC 3 engagements also assess the organization's controls that affect the security (confidentiality, integrity, and availability) and privacy of information stored in a system. However, SOC 3 audit results are intended for public disclosure.

Answer 49

Type 1 reports provide the auditor's opinion on the description provided by management and the suitability of the design of the controls as of a specific date.

Answer 50

Type 2 reports go further and also provide the auditor's opinion on the operating effectiveness of the controls—that is, the auditor actually confirms that the controls are functioning properly over a period of time.

Answer 51

The goal is specific. It describes clearly what the organization intends to achieve. The goal is measurable. It includes clear criteria by which the organization can measure success. The goal is achievable. The organization can realistically achieve the goal within the specified time period. The goal is relevant. If achieved, the goal will advance the organization's strategic objectives. The goal is time-bound. It includes a specific deadline for achievement.

Answer 52

Level 1: Initial Level 2: Managed Level 3: Defined Level 4: Quantitatively Managed Level 5: Optimizing

Answer 53

Level 1: Initial, the organization has unpredictable processes that are poorly controlled. This level is characterized by reactive management and a “firefighting” approach.

Answer 54

Level 2: Managed, it begins to implement organized processes on a per-project basis but is still operating in reactive mode.

Answer 55

Level 3: Defined, the organization has standard processes that are used organization wide and are adapted for use within each project. This level marks a shift from reactive to proactive management.

Answer 56

Level 4: Quantitatively Managed organizations build measurement and controls on top of their processes to allow them to quickly identify and remediate deficiencies and address control gaps before issues arise.

Answer 57

Level 5: Optimizing organizations use a continuous process improvement approach to adjust and fine-tune the way that they work to achieve peak efficiency and effectiveness.

Answer 58

Responsible (R) roles are those who actually carry out the work involved. There must be at least one role assigned as responsible for each responsibility, although there may be more than one. Accountable (A) roles bear ultimate and final responsibility for achieving the objective. Consider this the “buck stops here” role for the responsibility. Each responsibility in the matrix must have one, and only one, accountable role. Consulted (C) roles are those who provide input that affects the responsibility because of their subject matter expertise. Informed (I) roles are those who are provided with regular updates on the status of the effort. They may need this information to complete their work, oversee the organization, or perform other tasks, but the key characteristic is that, unlike consulted roles, informed roles receive updates but do not provide input.

Answer 59

Cybersecurity analysts try to identify all of the risks facing their organization and then conduct a business impact analysis to assess the potential degree of risk based on the probability that it will occur and the magnitude of the potential effect on the organization. This work allows security professionals to prioritize risks and communicate risk factors to others in the organization.

Answer 60

Organizations should conduct their own systems assessments as part of their risk assessment practices, but they should conduct supply chain assessments as well. Performing vendor due diligence reduces the likelihood that a previously unidentified risk at a vendor will negatively impact the organization. Hardware source authenticity techniques verify that hardware was not tampered with after leaving the vendor's premises.

Answer 61

Risk avoidance strategies change business practices to eliminate a risk. Risk mitigation techniques reduce the probability or magnitude of a risk. Risk transference approaches move some of the risk to a third party. Risk acceptance acknowledges the risk and continues normal business operations despite the presence of the risk.

Answer 62

Disaster recovery plans activate when an organization experiences a natural or human-made disaster that disrupts normal operations. The disaster recovery plan helps the organization quickly recover its information and systems and resume normal operations.

Answer 63

Organizations handling sensitive personal information should develop privacy programs that protect that information from misuse and unauthorized disclosure. The plan should cover personally identifiable information (PII), protected health information (PHI), financial information, and other records maintained by the organization that might impact personal privacy.

Answer 64

C. By applying the patch, Jen has removed the vulnerability from her server. This also has the effect of eliminating this particular risk. Jen cannot control the external threat of an attacker attempting to gain access to her server.

Answer 65

C. Installing a web application firewall reduces the probability that an attack will reach the web server. Vulnerabilities may still exist in the web application, and the threat of an external attack is unchanged. The impact of a successful SQL injection attack is also unchanged by a web application firewall.

Answer 66

C. The asset at risk in this case is the customer database. Losing control of the database would result in a $500,000 fine, so the asset value (AV) is $500,000.

Answer 67

D. The attack would result in the total loss of customer data stored in the database, making the exposure factor (EF) 100 percent.

Answer 68

C. We compute the single loss expectancy (SLE) by multiplying the asset value (AV) ($500,000) and the exposure factor (EF) (100%) to get an SLE of $500,000.

Answer 69

A. Aziz's threat intelligence research determined that the threat has a 5 percent likelihood of occurrence each year. This is an ARO of 0.05.

Answer 70

B. We compute the annualized loss expectancy (ALE) by multiplying the SLE ($500,000) and the ARO (0.05) to get an ALE of $25,000.

Answer 71

C. Installing new controls or upgrading existing controls is an effort to reduce the probability or magnitude of a risk. This is an example of a risk mitigation activity.

Answer 72

B. Changing business processes or activities to eliminate a risk is an example of risk avoidance.

Answer 73

D. Insurance policies use a risk transference strategy by shifting some or all of the financial risk from the organization to an insurance company.

Answer 74

A. When an organization decides to take no further action to address the remaining risk, they are choosing a strategy of risk acceptance.

Answer 75

A. Under the General Data Protection Regulation (GDPR), the data protection officer (DPO) is an individual who is assigned the direct responsibility for carrying out an organization's privacy program.

Answer 76

A. In this case, the physicians maintain the data ownership role. They have chosen to outsource data processing to Helen's organization, making that organization a data processor.

Answer 77

C. The recovery time objective (RTO) is the amount of time that the organization can tolerate a system being down before it is repaired. That is the metric that Gene has identified in this scenario.

Answer 78

B. This is a tricky question as it is possible to find all of these categories of information in patient records. However, they are most likely to contain protected health information (PHI). PHI could also be described as a subcategory of personally identifiable information (PII), but PHI is a better description. It is also possible that the records might contain payment card information (PCI) or personal financial information (PFI), but that is less likely than PHI.

Answer 79

C. Organizations should only use data for the purposes disclosed during the collection of that data. In this case, the organization collected data for technical support purposes and is now using it for marketing purposes. That violates the principle of purpose limitation.

Answer 80

C. Top Secret is the highest level of classification under the U.S. system and, therefore, requires the highest level of security control.

Answer 81

A. Tokenization techniques use a lookup table and are designed to be reversible. Masking and hashing techniques replace the data with values that can't be reversed back to the original data if performed properly. Shredding, when conducted properly, physically destroys data so that it may not be recovered.

Answer 82

B. Data controllers are the entities who determine the reasons for processing personal information and direct the methods of processing that data. This term is used primarily in European law, and it serves as a substitute for the term data owner to avoid a presumption that anyone who collects data has an ownership interest in that data.

Answer 83

D. The residual risk is the risk that remains after an organization implements controls designed to mitigate, avoid, and/or transfer the inherent risk.

Answer 84

We can classify threat actors using four major criteria. First, threat actors may be internal to the organization, or they may come from external sources. Second, threat actors differ in their level of sophistication and capability. Third, they differ in their available resources and funding. Finally, different threat actors have different motivations and levels of intent.

Answer 85

Threat actors may be very simplistic in their techniques, such as script kiddies using exploit code written by others, or quite sophisticated, such as the advanced persistent threat posed by nation-state actors and criminal syndicates. Hacktivists may seek to carry out political agendas, whereas competitors may seek financial gain. We can group hackers into white-hat, gray-hat, and black-hat categories based on their motivation and authorization.

Answer 86

Attackers may attempt to gain initial access to an organization remotely over the Internet, through a wireless connection, or by attempting direct physical access. They may also approach employees over email or social media. Attackers may seek to use removable media to trick employees into unintentionally compromising their networks, or they may seek to spread exploits through cloud services. Sophisticated attackers may attempt to interfere with an organization's supply chain.

Answer 87

Security teams may leverage threat intelligence from public and private sources to learn about current threats and vulnerabilities. They may seek out detailed indicators of compromise and perform predictive analytics on their own data. Threat intelligence teams often supplement open source and closed source intelligence that they obtain externally with their own research.

Answer 88

Modern enterprises depend on hardware, software, and cloud service vendors to deliver IT services to their internal and external customers. Vendor management techniques protect the supply chain against attackers seeking to compromise these external links into an organization's network. Security professionals should pay particular attention to risks posed by outsourced code development, cloud data storage, and integration between external and internal systems.

Answer 89

B. Although higher levels of detail can be useful, they aren't a common measure used to assess threat intelligence. Instead, the timeliness, accuracy, and relevance of the information are considered critical to determining whether you should use the threat information.

Answer 90

C. STIX is an XML-based language, allowing it to be easily extended and modified while also using standard XML-based editors, readers, and other tools.

Answer 91

A. Attacks that are conducted as part of an authorized penetration test are white-hat hacking attacks, regardless of whether they are conducted by internal employees or an external firm. Kolin is, therefore, engaged in white-hat hacking. If he were acting on his own, without authorization, his status would depend on his intent. If he had malicious intent, his activity would be considered black-hat hacking. If he simply intended to report vulnerabilities to the hospital, his attack would be considered gray hat. Green hat is not a commonly used category of attacker.

Answer 92

A. Advanced persistent threats (APTs) are most commonly associated with nation-state actors. It is unlikely that an APT group would leverage the unsophisticated services of a script kiddie. It is also unlikely that a hacktivist would have access to APT resources. Although APTs may take advantage of insider access, they are most commonly associated with nation-state actors.

Answer 93

D. The U.S. government created the Information Sharing and Analysis Centers (ISACs). ISACs help infrastructure owners and operators share threat information, and they provide tools and assistance to their members.

Answer 94

A. Nation-state actors are government-sponsored, and they typically have the greatest access to resources, including tools, money, and talent.

Answer 95

A. Email is the most common threat vector exploited by attackers who use phishing and other social engineering tactics to gain access to an organization. The other vectors listed here—direct access, wireless, and removable media—all require physical proximity to an organization and are not easily executed from a remote location.

Answer 96

D. The Chinese military and U.S. government are examples of nation-state actors and advanced persistent threats (APTs). The Russian mafia is an example of a criminal syndicate. Anonymous is the world's most prominent hacktivist group.

Answer 97

A. Behavioral assessments are very useful when you are attempting to identify insider threats. Since insider threats are often hard to distinguish from normal behavior, the context of the actions performed—such as after-hours logins, misuse of credentials, logins from abnormal locations, or abnormal patterns—and other behavioral indicators are often used.

Answer 98

D. TAXII, the Trusted Automated Exchange of Intelligence Information protocol, is specifically designed to communicate cyberthreat information at the application layer. OpenIOC is a compromise indicator framework, and STIX is a threat description language.

Answer 99

A. Tampering with equipment before it reaches the intended user is an example of a supply chain threat. It is also possible to describe this attack as a direct access attack because it involved physical access to the device, but supply chain is a more relevant answer. You should be prepared to select the best possible choice from several possible correct answers when you take the exam. Exam questions often use this type of misdirection.

Answer 100

B. All of these resources might contain information about the technical details of TLS, but Internet Request for Comments (RFC) documents are the definitive technical standards for Internet protocols. Consulting the RFCs would be Ken's best option.

Answer 101

C. All of these items could be concerning, depending on the circumstances. However, API keys should never be found in public repositories because they may grant unauthorized individuals access to information and resources.

Answer 102

A. Threat maps are graphical tools that display information about the geographic locations of attackers and their targets. These tools are most often used as interesting marketing gimmicks, but they can also help identify possible threat sources.

Answer 103

B. Specific details of attacks that may be used to identify compromises are known as indicators of compromise (IoCs). This data may also be described as an adversary tactic, technique, or procedure (TTP), but the fact that it is a set of file signatures makes it more closely match the definition of an IoC.

Answer 104

A. The developers in question are using unapproved technology for business purposes. This is the classic definition of shadow IT. It is possible to describe this as data exfiltration, but there is no indication that the data security has been compromised, so shadow IT is a better description here. Remember, you will often be asked to choose the best answer from multiple correct answers on the exam.

Answer 105

A. Tom's greatest concern should be that running unsupported software exposes his organization to the risk of new, unpatchable vulnerabilities. It is certainly true that Tom will no longer receive technical support, but this is a less important issue from a security perspective. There is no indication in this scenario that discontinuing the product will result in the theft of customer information or increased costs.

Answer 106

C. Port scans are an active reconnaissance technique that probe target systems and would not be considered open source intelligence (OSINT). Search engine research, DNS lookups, and WHOIS queries are all open source resources.

Answer 107

A, C. As a government contractor, Snowden had authorized access to classified information and exploited this access to make an unauthorized disclosure of that information. This clearly makes him fit into the category of an insider. He did so with political motivations, making him fit the category of hacktivist as well.

Answer 108

C. Renee was not authorized to perform this security testing, so her work does not fit into the category of white-hat hacking. However, she also does not have malicious intent, so her work cannot be categorized as a black-hat attack. Instead, it fits somewhere in between the two extremes and would best be described as gray-hat hacking.

Answer 109

Key performance indicators (KPIs) are metrics that demonstrate the success of the security program in achieving its objectives. KPIs look at historical performance. Key goal indicators (KGIs) measure progress toward defined goals. Key risk indicators (KRIs) try to quantify the security risk facing an organization. KRIs look forward at future potential risks.

Answer 110

Security training programs impart new knowledge to employees and other stakeholders. They should be tailored to meet the specific requirements of an individual's role in the organization. Security awareness programs seek to remind users of the information they have already learned, keeping their security responsibilities top-of-mind

Answer 111

Security managers lead a team of professionals and are responsible for the motivation, development, and management of those team members. This includes providing training that helps employees keep their skills current and certifications that help employees validate their skills.

Answer 112

Security managers bear responsibility for managing a budget allocated to the information security program. They must understand how the fiscal year used by their organization affects funds availability and how to work within the budgeting and accounting processes used by their organization.

Answer 113

Security managers should cultivate relationships with other business leaders to ensure that security is well integrated with other business functions. This includes integrating with the human resources function for employee hiring, transfers, and termination. It also includes aligning with procurement and accounting functions for product and service acquisitions. Security leaders should also work carefully with other information technology leaders and the organization's auditors.

Answer 114

B. Information security program charters commonly contain high-level organizational items, such as a scope statement, statement of roles and responsibilities, and description of the governance structure. A project schedule is a more tactical document that would not normally be included in a program-level charter due to its changing nature.

Answer 115

C. Privilege creep occurs when an employee transfers within the organization and does not have their old privileges revoked. Privilege creep may occur when transfers are not properly processed and, if left unchecked, violates the principle of least privilege.

Answer 116

C. The best-case scenario is that expenses are close to the budgeted amount but do not exceed the actual budget. Budget overages are difficult because funds may not be available to cover all expenses. When expenses are significantly under budget, the organization suffers an opportunity cost because those funds could have been used for other purposes or returned to shareholders as profit.

Answer 117

D. Steering committees help facilitate alignment between security and business objectives. The security manager can convene a group that represents business units and get their input in the development of security plans. The change advisory board (CAB) is designed to manage change requests, not to provide input on security activities. Senior leadership teams and the board operate at an executive level and would not likely have the time or expertise to participate in this effort.

Answer 118

D. The information security program charter should contain program documentation procedures that formalize how the organization will establish, communicate, and maintain information security standards and other documents. This would not be found in a short scope statement, a request for change (RFC), or a nondisclosure agreement (NDA).

Answer 119

D. Awareness efforts are not designed to impart new knowledge but simply to remind employees of security information they have already learned. Of the techniques listed here, only posters are an awareness mechanism. All of the other techniques are training tools designed to impart new knowledge.

Answer 120

A. Data ownership language should be legally binding and part of the master agreement with the vendor. As it is such an important topic, it should be included in the formal contract with the vendor. It is not appropriate subject matter for a nondisclosure agreement (NDA) that focuses on confidentiality or a less formal vehicle, such as a memorandum of understanding (MOU) or statement of work (SOW).

Answer 121

D. Key performance indicators (KPIs) are metrics that demonstrate the success of the security program in achieving its objectives. KPIs are mutually agreed-upon measures that evaluate whether a security program is meeting its defined goals. Generally speaking, KPIs are a look back at historical performance, providing a measuring stick to evaluate the past success of the program. Key goal indicators (KGIs) are similar to KPIs but measure progress toward defined goals. For example, if an organization has a goal to eliminate all stored Social Security numbers (SSNs), a KGI might track the percentage of SSNs removed. Key risk indicators (KRIs) are measures that seek to quantify the security risk facing an organization. KRIs, unlike KPIs and KGIs, are a look forward. They attempt to show how much risk exists that may jeopardize the future security of the organization. KMIs are not a standard metric for cybersecurity programs.

Answer 122

D. This is an operational expense, since it is a payroll expenditure, rather than a large purchase of capital equipment. The cost of hiring an employee is a recurring cost, rather than a one-time cost. The scenario does not identify whether the expense was budgeted or unbudgeted.

Answer 123

A. Gary's organization uses a fiscal year beginning on January 1. This means that the fiscal year and calendar year are aligned and they will always be the same. June 2024 is a month during the calendar year 2024 and, because the fiscal year is aligned with the calendar year, it is also the fiscal year 2024.

Answer 124

B. When following the separation of duties principle, organizations divide critical tasks into discrete components and ensure that no one individual has the ability to perform both actions. This prevents a single rogue individual from performing that task in an unauthorized manner.

Answer 125

D. Mandatory vacation programs require that employees take continuous periods of time off each year and revoke their system privileges during that time. The purpose of these required vacation periods is to disrupt any attempt to engage in the cover-up actions necessary to hide fraud and result in exposing the threat. Separation of duties, least privilege, and defense-in-depth controls all may help prevent the fraud in the first place but are unlikely to speed the detection of fraud that has already occurred.

Answer 126

A. Charles is tracking a key performance indicator (KPI). A KPI is used to measure performance (and success). Without a definition of success, this would simply be a metric, but Charles is working toward a known goal and can measure against it. There is not a return investment calculation in this problem, and the measure is not a control.

Answer 127

B. Certifications help employees validate their skills and are an important recruiting and retention tool. Training programs help employees keep their skills current and develop skills in new areas of cybersecurity. Awareness efforts are meant to reinforce security knowledge. Accreditation processes are used to formally certify systems in government and military applications.

Answer 128

C. In a formal change management program, all changes require an RFC, no matter how minor. However, some routine changes have preapproved status and may be made as soon as the RFC is submitted. RFCs for these changes are automatically approved. Once someone submits an RFC for review, it must be approved by a relevant authority. For minor changes, this may simply be the person's manager. In the case of major changes, the organization's CAB may review and approve the change. The primary purpose of change management is to minimize the probability and impact of disruptions to IT services due to changes. Change management does support audits, but this is not the primary purpose of the function.

Answer 129

A. Background screening often includes criminal background checks, sex offender registry lookups, reference checks, and employment/education verification. In some cases, organizations may perform credit checks to further investigate an employee's background, although obtaining and using this information requires written consent and is heavily regulated, so many organizations skip this part of checks.

Answer 130

A. The most appropriate standard to use as a baseline when evaluating vendors is to determine whether the vendor's security controls meet the organization's own standards. Compliance with laws and regulations should be included in that requirement and are a necessary, but not sufficient, condition for working with the vendor. Vendor compliance with their own policies also fits into the category of necessary, but not sufficient, controls, since the vendor's policy may be weaker than the organization's own requirements. The elimination of all identified security risks is an impossible requirement for a potential vendor to meet.

Answer 131

B. The current governance structure allows these subsidiaries to remain independent. Therefore, it is not appropriate to include them in the parent organization's program or replace their programs. Instead, Abe should limit the portion of the organization included in his program, which is a limitation of scope.

Answer 132

C. Key risk indicators (KRIs) are measures that seek to quantify the security risk facing an organization. KRIs, unlike KPIs and KGIs, are a look forward. They attempt to show how much risk exists that may jeopardize the future security of the organization. Key performance indicators (KPIs) are metrics that demonstrate the success of the security program in achieving its objectives. KPIs are mutually agreed-upon measures that evaluate whether a security program is meeting its defined goals. Generally speaking, KPIs are a look back at historical performance, providing a measuring stick to evaluate the past success of the program. Key goal indicators (KGIs) are similar to KPIs but measure progress toward defined goals. For example, if an organization has a goal to eliminate all stored Social Security numbers (SSNs), a KGI might track the percentage of SSNs removed. KMIs are not a standard metric for cybersecurity programs.

Answer 133

D. One common mistake made by information security managers is to develop a dashboard or web page with updated metrics and then simply inform stakeholders that they may view those metrics whenever they like. This approach has two major drawbacks. First, stakeholders who are not involved in security on a day-to-day basis are unlikely to revisit the site unless prompted to do so periodically. Second, providing metrics is only one piece of the picture. Security managers should also provide context for those metrics to explain changes and update stakeholders on the progress of the program.

Answer 134

Cybersecurity professionals should remain aware of the risks posed by vulnerabilities both on-premises and in the cloud. Improper or weak patch management can be the source of many of these vulnerabilities, providing attackers with a path to exploit operating systems, applications, and firmware. Weak configuration settings that create vulnerabilities include open permissions, unsecured root accounts, errors, weak encryption settings, insecure protocol use, default settings, and open ports and services. When a scan detects a vulnerability that does not exist, the report is known as a false positive. When a scan does not detect a vulnerability that actually exists, the report is known as a false negative.

Answer 135

Threat hunting activities presume that an organization is already compromised and search for indicators of those compromises. Threat hunting efforts include the use of advisories, bulletins, and threat intelligence feeds in an intelligence fusion program. They search for signs that attackers gained initial access to a network and then conducted maneuver activities on that network.

Answer 136

Vulnerability scans leverage application, network, and web application testing to check for known issues. These scans may be conducted in a credentialed or noncredentialed fashion and may be intrusive or nonintrusive, depending on the organization's needs. Analysts reviewing scans should also review logs and configurations for additional context.

Answer 137

Penetration tests may be conducted in a manner that provides the testers with full access to information before the test (white box), no information at all (black box), or somewhere in between those two extremes (gray box). Testers conduct tests within the rules of engagement and normally begin with reconnaissance efforts, including war driving, war flying, footprinting, and open source intelligence (OSINT). They use this information to gain initial access to a system. From there, they seek to conduct privilege escalation to increase their level of access and lateral movement/pivoting to expand their access to other systems. They seek to achieve persistence to allow continued access after the vulnerability they initially exploited is patched. At the conclusion of the test, they conduct cleanup activities to restore systems to normal working order and remove traces of their activity.

Answer 138

Bug bounty programs allow external security professionals to probe the security of an organization's public-facing systems. Testers who discover vulnerabilities are provided with financial rewards for their participation. This approach is a good way to motivate hackers to work for good, rather than using discovered vulnerabilities against a target.

Answer 139

Exercises are designed to test the skills of security professionals. Blue teams are responsible for managing the organization's defenses. Offensive hacking is used by red teams as they attempt to gain access to systems on the target network. White teams serve as the neutral moderators of the exercise. Purple teaming is conducted after an exercise to bring together the red and blue teams for knowledge sharing.

Answer 140

C. Threat hunting is an assessment technique that makes an assumption of compromise and then searches the organization for indicators of compromise that confirm the assumption. Vulnerability scanning, penetration testing, and war driving are all assessment techniques that probe for vulnerabilities but do not assume that a compromise has already taken place.

Answer 141

D. Credentialed scans require only read-only access to target servers. Renee should follow the principle of least privilege and limit the access available to the scanner.

Answer 142

C. Ryan should first run his scan against a test environment to identify likely vulnerabilities and assess whether the scan itself might disrupt business activities.

Answer 143

C. The scenario does not provide us with enough information to determine whether this exercise involved red team, blue team, or purple team tactics, and in fact, those exercises typically involve live access to systems. Tabletop exercises, on the other hand, are designed to walk teams through a scenario, and that is what Tina is doing in this instance.

Answer 144

A. A false positive error occurs when the vulnerability scanner reports a vulnerability that does not actually exist.

Answer 145

B. By allowing students to change their own grades, this vulnerability provides a pathway to unauthorized alteration of information. Brian should recommend that the school deploy integrity controls that prevent unauthorized modifications.

Answer 146

D. There is no reason that an organization can’t run vulnerability scans on weekends or holidays. On the other hand, vulnerability scan possibilities may be limited by technical constraints, regulatory requirements, and license limitations.

Answer 147

A. This vulnerability is corrected by a patch that was released by Microsoft in 2017. A strong patch management program would have identified and remediated the missing patch.

Answer 148

B. Intrusion detection systems do not detect vulnerabilities; they detect attacks. The remaining three tools could all possibly discover a cross-site scripting (XSS) vulnerability, but a web application vulnerability scanner is the most likely to detect it because it is specifically designed to test web applications.

Answer 149

A. Moving from one compromised system to other systems on the same network is known as lateral movement. Privilege escalation attacks increase the level of access that an attacker has to an already compromised system. Footprinting and OSINT are reconnaissance techniques.

Answer 150

A. Offensive hacking is used by red teams as they attempt to gain access to systems on the target network. Blue teams are responsible for managing the organization's defenses. White teams serve as the neutral moderators of the exercise. Purple teaming is conducted after an exercise to bring together the red and blue teams for knowledge sharing.

Answer 151

C. Bug bounty programs are designed to allow external security experts to test systems and uncover previously unknown vulnerabilities. Bug bounty programs offer successful testers financial rewards to incentivize their participation.

Answer 152

D. Backdoors are a persistence tool, designed to make sure that the attacker's access persists after the original vulnerability is remediated. Kyle can use this backdoor to gain access to the system in the future, even if the original exploit that he used to gain access is no longer effective.

Answer 153

C. WHOIS lookups use external registries and are an example of open source intelligence (OSINT), which is a passive reconnaissance technique. Port scans, vulnerability scans, and footprinting all require active engagement with the target and are, therefore, active reconnaissance.

Answer 154

D. Penetration testers must take a very different approach in their thinking. Instead of trying to defend against all possible threats, they only need to find a single vulnerability that they might exploit to achieve their goals. To find these flaws, they must think like the adversary who might attack the system in the real world. This approach is commonly known as adopting the *hacker mindset*.

Answer 155

C. White-box tests are performed with full knowledge of the underlying technology, configurations, and settings that make up the target. Black-box tests are intended to replicate what an attacker would encounter. Testers are not provided with access to or information about an environment, but instead, they must gather information, discover vulnerabilities, and make their way through an infrastructure or systems as an attacker would. Gray-box tests are a blend of black-box and white-box testing. Blue-box tests are not a type of penetration test.

Answer 156

C. The rules of engagement provide technical details on the parameters of the test. This level of detail would not normally be found in a contract or statement of work. The lessons learned report is not produced until after the test.

Answer 157

B. All of these techniques might provide Grace with information about the operating system running on a device. However, footprinting is a technique specifically designed to elicit this information.

Answer 158

A. Privilege escalation is the act of increasing the level of access that an attacker has to a system. It is a common exploit to launch after gaining initial access to a system in an attempt to gain administrative access (otherwise known as root or superuser access).

Answer 159

A. Black-box tests are intended to replicate what an attacker would encounter. Testers are not provided with access to or information about an environment, and instead, they must gather information, discover vulnerabilities, and make their way through an infrastructure or systems like an attacker would. White-box tests are performed with full knowledge of the underlying technology, configurations, and settings that make up the target. Gray-box tests are a blend of black-box and white-box testing. Blue-box tests are not a type of penetration test.

Answer 160

Antimalware software protects endpoint devices from many different threats. Antimalware software uses signature detection and heuristic detection to prevent malware infections. Endpoint detection and response (EDR) platforms manage the detection, containment, investigation, and remediation of endpoint security incidents. Data loss prevention (DLP) systems prevent the unauthorized exfiltration of sensitive data. Change and configuration management systems maintain secure system configurations, whereas patch management ensures that security updates are consistently applied. System hardening techniques close holes that might be exploited by an attacker.

Answer 161

Network segmentation techniques place systems and users of different security levels on different network segments, containing the damage caused by a potential security incident. Firewalls provide segmentation of networks into security zones, whereas VLANs group users and devices by function.

Answer 162

Routers and switches must be protected against unauthorized physical access to avoid compromise. Switch security techniques include VLAN pruning, the prevention of VLAN hopping, and port security. Router security techniques include the use of access control lists to filter traffic and quality of service controls to prioritize important network use.

Answer 163

In the anything-as-a-service (XaaS) approach to computing, there are three major cloud service models. Infrastructure-as-a-service (IaaS) offerings allow customers to purchase and interact with the basic building blocks of a technology infrastructure. Software-as-a-service (SaaS) offerings provide customers with access to a fully managed application running in the cloud. Platform-as-a-service (PaaS) offerings provide a platform where customers may run applications that they have developed themselves.

Answer 164

*Public cloud* service providers deploy infrastructure and then make it accessible to any customers who wish to take advantage of it in a multitenant model. The term *private cloud* is used to describe any cloud infrastructure that is provisioned for use by a single customer. A *community cloud* service shares characteristics of both the public and private models. Community cloud services do run in a multitenant environment, but the tenants are limited to members of a specifically designed community. *Hybrid cloud* is a catch-all term used to describe cloud deployments that blend public, private, and/or community cloud services together.

Answer 165

Under the shared responsibility model of cloud security, cloud customers must divide responsibilities between one or more service providers and the customers' own cybersecurity teams. In an IaaS environment, the cloud provider takes on the most responsibility, providing security for everything below the operating system layer. In PaaS, the cloud provider takes over added responsibility for the security of the operating system itself. In SaaS, the cloud provider is responsible for the security of the entire environment, except for the configuration of access controls within the application and the choice of data to store in the service.

Answer 166

Software should be created using a standardized software development lifecycle that moves software through development, test, staging, and production environments. Developers should understand the issues associated with code reuse and software diversity. Web applications should be developed in alignment with industry-standard principles such as those developed by the Open Web Application Security Project (OWASP).

Answer 167

Code repositories serve as a version control mechanism and centralized authority for the secure provisioning and deprovisioning of code. Developers and operations teams should work together on developing automated courses of action as they implement a DevOps approach to creating and deploying software. Software applications should be designed to support both scalability and elasticity.

Answer 168

The four goals of cryptography are confidentiality, integrity, authentication, and nonrepudiation. Confidentiality is the use of encryption to protect sensitive information from prying eyes. Integrity is the use of cryptography to ensure that data is not maliciously or unintentionally altered. Authentication refers to the uses of encryption to validate the identity of individuals. Nonrepudiation ensures that individuals can prove to a third party that a message came from its purported sender.

Answer 169

Symmetric encryption uses the same shared secret key to encrypt and decrypt information. Users must have some mechanism to exchange these shared secret keys. Asymmetric encryption provides each user with a pair of keys: a public key, which is freely shared, and a private key, which is kept secret. Anything encrypted with one key from the pair may be decrypted with the other key from the same pair.

Answer 170

Digital signatures provide nonrepudiation by allowing a third party to verify the authenticity of a message. Senders create digital signatures by using a hash function to generate a message digest and then encrypting that digest with their own private key. Others may verify the digital signature by decrypting it with the sender's public key and comparing this decrypted message digest to one that they compute themselves using the hash function on the message.

Answer 171

Digital certificates provide a trusted mechanism for sharing public keys with other individuals. Users and organizations obtain digital certificates from certificate authorities (CAs), who demonstrate their trust in the certificate by applying their digital signature. Recipients of the digital certificate can rely on the public key it contains if they trust the issuing CA and verify the CA's digital signature.

Answer 172

Identity and access management systems perform three major functions: identification, authentication, and authorization. Identification is the process of a user making a claim of identity, such as by providing a username. Authentication allows the user to prove their identity. Authentication may be done using something you know, something you have, or something you are. Multifactor authentication combines different authentication techniques to provide stronger security. Authorization ensures that authenticated users may only perform actions necessary to carry out their assigned responsibilities.

Answer 173

D. The cloud service provider bears the most responsibility for implementing security controls in an SaaS environment and the least responsibility in an IaaS environment. This is due to the division of responsibilities under the cloud computing shared responsibility model.

Answer 174

B. Adam is conducting static code analysis by reviewing the source code. Dynamic code analysis requires running the program, and both mutation testing and fuzzing are types of dynamic analysis.

Answer 175

B. Port security restricts the number of unique MAC addresses that may originate from a single switch port. It is commonly used to prevent someone from unplugging an authorized device from the network and connecting an unauthorized device but may also be used to prevent existing devices from spoofing MAC addresses of other devices.

Answer 176

B. Developers working on active changes to code should always work in the development environment. The test environment is where the software or systems can be tested without impacting the production environment. The staging environment is a transition environment for code that has successfully cleared testing and is waiting to be deployed into production. The production environment is the live system. Software, patches, and other changes that have been tested and approved move to production.

Answer 177

C. One of the important characteristics of cloud computing is that customers can access resources on-demand with minimal service provider interaction. Cloud customers do not need to contact a sales representative each time they wish to provision a resource but can normally do so on a self-service basis.

Answer 178

A. If Patricia's major concern is a compromised operating system, she can bypass the operating system on the device by booting it from live boot media and running her own operating system on the hardware. Running a malware scan may provide her with some information but may not detect all compromises, and Patricia likely does not have the necessary permissions to correct any issues. Using a VPN or accessing secure sites would not protect her against a compromised operating system, as the operating system would be able to view the contents of her communication prior to encryption.

Answer 179

C. In a true positive report, the system reports an attack when an attack actually exists. A false positive report occurs when the system reports an attack that did not take place. A true negative report occurs when the system reports no attack and no attack took place. A false negative report occurs when the system does not report an attack that did take place.

Answer 180

A. Hardware security modules (HSMs) provide an effective way to manage encryption keys. These hardware devices store and manage encryption keys in a secure manner that prevents humans from ever needing to work directly with the keys.

Answer 181

D. The attack in question could be most quickly stopped with a network firewall rule blocking all traffic from the origin system. Host firewall rules would also address the issue but would be more time-consuming to create on every system. An operating system update would not stop attack traffic. There is also no indication that a DDoS attack is underway, so a DDoS mitigation service would not be helpful.

Answer 182

C. This is an example of adding additional capacity to an existing server, which is also known as vertical scaling. Kevin could also have used horizontal scaling by adding additional web servers. Elasticity involves the ability to both add and remove capacity on demand, and though it does describe this scenario, it's not as good a description as vertical scaling. There is no mention of increasing the server's availability.

Answer 183

B. Although this example includes continuous integration, the important thing to notice is that the code is then deployed into production. This means that Susan is operating in a continuous deployment environment, where code is both continually integrated and deployed. Agile is a development methodology that often uses CI/CD, but we cannot determine if Susan is using an Agile methodology.

Answer 184

D. Facial recognition technology is an example of a biometric authentication technique, or “something you are.” A passcode is an example of a knowledge-based authentication technique, or “something you know.”

Answer 185

B. The false rejection rate (FRR) identifies the number of times that an individual who should be allowed access to a facility is rejected. The false acceptance rate (FAR) identifies the number of times that an individual who should not be allowed access to a facility is admitted. Both the FAR and FRR may be manipulated by changing system settings. The crossover error rate (CER) is the rate at which the FRR and FAR are equal and is less prone to manipulation. Therefore, the CER is the best measure for Fred to use. IRR is not a measure of biometric system effectiveness.

Answer 186

C. Gary is proving his identity with his fingerprint, a biometric mechanism. Steps that prove your identity are examples of authentication techniques.

Answer 187

B. This type of authentication, where one domain trusts users from another domain, is called federation. Federation may involve transitive trusts, where the trusts may be followed through a series of domains, but this scenario only describes the use of two domains. And it also only describes the use of credentials for a single system and not for a multiple-system scenario where single sign-on would be relevant. There is no requirement described for the use of multifactor authentication, which would require the use of two or more diverse authentication techniques.

Answer 188

D. The principle of data sovereignty states that data is subject to the legal restrictions of any jurisdiction where it is collected, stored, or processed. In this case, Howard needs to assess the laws of all three jurisdictions.

Answer 189

C. When encrypting a confidential message using an asymmetric encryption algorithm, the person performing the encryption does so using the recipient's public key.

Answer 190

D. In an asymmetric encryption algorithm, the recipient of a confidential message uses their own private key to decrypt messages that they receive.

Answer 191

B. The sender of a message may digitally sign the message by encrypting a message digest with the sender's own private key.

Answer 192

A. The recipient of a digitally signed message may verify the digital signature by decrypting it with the public key of the individual who signed the message.

Answer 193

An event is any observable occurrence in a system or network. A security event includes any observable occurrence that relates to a security function. A security incident is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices. Every incident consists of one or more events, but every event is not an incident.

Answer 194

The four phases of incident response are preparation; detection and analysis; containment, eradication, and recovery; and post-incident activities. The process is not a simple progression of steps from start to finish. Instead, it includes loops that allow responders to return to prior phases as needed during the response.

Answer 195

Alerts originate from intrusion detection and prevention systems, security information and event management systems, antivirus software, file integrity checking software, and third-party monitoring services. Logs are generated by operating systems, services, applications, network devices, and network flows. Publicly available information exists about new vulnerabilities and exploits detected “in the wild” or in a controlled laboratory environment. People from inside the organization or external sources report suspicious activity that may indicate that a security incident is in progress.

Answer 196

The incident response policy serves as the cornerstone of an organization's incident response program. This policy should be written to guide efforts at a high level and provide the authority for incident response. Procedures provide the detailed, tactical information that CSIRT members need when responding to an incident. CSIRTs often develop playbooks that describe the specific procedures that they will follow in the event of a specific type of cybersecurity incident.

Answer 197

The core incident response team normally consists of cybersecurity professionals with specific expertise in incident response. In addition to the core team members, the CSIRT may include representation from technical subject matter experts, IT support staff, legal counsel, human resources staff, and public relations and marketing teams.

Answer 198

Common attack vectors for security incidents include external/removable media, attrition, the web, email, impersonation, improper usage, loss or theft of equipment, and other/unknown sources.

Answer 199

The functional impact of an incident is the degree of impairment that it causes to the organization. The economic impact is the amount of financial loss that the organization incurs. In addition to measuring the functional and economic impact of a security incident, organizations should measure the time that services will be unavailable and the recoverability effort. Finally, the nature of the data involved in an incident also contributes to the severity of the information impact.

Answer 200

D. A former employee crashing a server is an example of a computer security incident because it is an actual violation of the availability of that system. An intruder breaking into a building may be a security event, but it is not necessarily a computer security event unless they perform some action affecting a computer system. A user accessing a secure file and an administrator changing a file permission settings are examples of security events but are not security incidents.

Answer 201

A. Organizations should build solid, defense-in-depth approaches to cybersecurity during the preparation phase of the incident response process. The controls built during this phase serve to reduce the likelihood and impact of future incidents.

Answer 202

C. A security information and event management (SIEM) system correlates log entries from multiple sources and attempts to identify potential security incidents.

Answer 203

C. The definition of a medium functional impact is that the organization has lost the ability to provide a critical service to a subset of system users. That accurately describes the situation that Ben finds himself in. Assigning a low functional impact is only done when the organization can provide all critical services to all users at diminished efficiency. Assigning a high functional impact is only done if a critical service is not available to all users.

Answer 204

C. The containment protocols included in the containment, eradication, and recovery phases are designed to limit the damage caused by an ongoing security incident.

Answer 205

D. National Archives General Records Schedule (GRS) 24 requires that all U.S. federal agencies retain incident handling records for at least three years.

Answer 206

C. In a proprietary breach, unclassified proprietary information is accessed or exfiltrated. Protected critical infrastructure information (PCII) is an example of unclassified proprietary information.

Answer 207

A. The Network Time Protocol (NTP) provides a common source of time information that allows the synchronizing of clocks throughout an enterprise.

Answer 208

A. An organization's incident response policy should contain a clear description of the authority assigned to the CSIRT while responding to an active security incident.

Answer 209

D. A web attack is an attack executed from a website or web-based application—for example, a cross-site scripting attack used to steal credentials or redirect to a site that exploits a browser vulnerability and installs malware.

Answer 210

A. CSIRT members do not normally communicate directly with the perpetrator of a cybersecurity incident. Although team members may have contact with the perpetrator in the case of ransomware attacks, this would not normally be the case during an incident involving the theft of information. It is far more likely that the CSIRT would be in routine contact with vendors, law enforcement, and information sharing partners as the incident unfolds.

Answer 211

A. The incident response policy provides the CSIRT with the authority needed to do their job. Therefore, it should be approved by the highest possible level of authority within the organization, preferably the CEO.

Answer 212

A. Detection of a potential incident occurs during the detection and analysis phase of incident response. The other activities listed might all be objectives of the containment, eradication, and recovery phase.

Answer 213

C. Extended recoverability effort occurs when the time to recovery is unpredictable. In those cases, additional resources and outside help are typically needed

Answer 214

D. An attrition attack employs brute-force methods to compromise, degrade, or destroy systems, networks, or services—for example, a DDoS attack intended to impair or deny access to a service or application or a brute-force attack against an authentication mechanism.

Answer 215

C. Lessons learned sessions are most effective when facilitated by an independent party who was not involved in the incident response effort.

Answer 216

D. Procedures for rebuilding systems are highly technical and would normally be included in a playbook or procedure document rather than an incident response policy.

Answer 217

B. An impersonation attack involves the replacement of something benign with something malicious—spoofing, on-path attacks, rogue wireless access points, and SQL injection attacks all involve impersonation

Answer 218

C. Incident response playbooks contain detailed step-by-step instructions that guide the early response to a cybersecurity incident. Organizations typically have playbooks prepared for high-severity and frequently occurring incident types.

Answer 219

A. The event described in this scenario would not qualify as a security incident with measurable information impact. Although the laptop did contain information that might cause a privacy breach, that breach was avoided by the use of encryption to protect the contents of the laptop.

Answer 220

Business continuity planning involves four distinct phases: project scope and planning, business impact analysis, continuity planning, and approval and implementation. Each task contributes to the overall goal of ensuring that business operations continue uninterrupted in the face of an emergency.

Answer 221

In the business organization analysis, the individuals responsible for leading the BCP process determine which departments and individuals have a stake in the business continuity plan. This analysis serves as the foundation for BCP team selection and, after validation by the BCP team, is used to guide the next stages of BCP development.

Answer 222

The BCP team should contain, at a minimum, representatives from each of the operational and support departments; technical experts from the IT department; physical and IT security personnel with BCP skills; legal representatives familiar with corporate legal, regulatory, and contractual responsibilities; and representatives from senior management. Additional team members depend on the structure and nature of the organization.

Answer 223

Business leaders must exercise due diligence to ensure that shareholders' interests are protected in the event disaster strikes. Some industries are also subject to federal, state, and local regulations that mandate specific BCP procedures. Many businesses also have contractual obligations to their clients that they must meet before, during, and after a disaster.

Answer 224

he five stages of the business impact analysis process are the identification of priorities, risk identification, likelihood assessment, impact analysis, and resource prioritization.

Answer 225

During the strategy development phase, the BCP team determines which risks they will mitigate. In the provisions and processes phase, the team designs mechanisms and procedures that will mitigate identified risks. The plan must then be approved by senior management and implemented. Personnel must also receive training on their roles in the BCP process.

Answer 226

Committing the plan to writing provides the organization with a written record of the procedures to follow when disaster strikes. It prevents the “it's in my head” syndrome and ensures the orderly progress of events in an emergency.

Answer 227

The common types of recovery facilities are cold sites, warm sites, hot sites, mobile sites, and multiple sites. Be sure you understand the benefits and drawbacks for each such facility.

Answer 228

Databases benefit from three backup technologies. Electronic vaulting is used to transfer database backups to a remote site as part of a bulk transfer. In remote journaling, data transfers occur on a more frequent basis. With remote mirroring technology, database transactions are mirrored at the backup site in real time.

Answer 229

These programs should take a comprehensive approach to planning and include considerations related to the initial response effort, personnel involved, communication among the team and with internal and external entities, assessment of response efforts, and restoration of services. DR programs should also include training and awareness efforts to ensure personnel understand their responsibilities and lessons learned sessions to continuously improve the program.

Answer 230

The five types of disaster recovery plan tests are: read-through tests, structured walk-throughs, simulation tests, parallel tests, and full-interruption tests. Checklist tests are purely paperwork exercises, whereas structured walk-throughs involve a project team meeting. Neither has an impact on business operations. Simulation tests may shut down noncritical business units. Parallel tests involve relocating personnel but do not affect day-to-day operations. Full-interruption tests involve shutting down primary systems and shifting responsibility to the recovery facility.

Answer 231

C. This question requires that you exercise some judgment, as do many questions on the CISM exam. All of these answers are plausible things that Tracy could bring up, but we're looking for the best answer. In this case, that is ensuring that the organization is ready for an emergency—a mission-critical goal. Telling managers that the exercise is already scheduled or required by policy doesn't address their concerns that it is a waste of time. Telling them that it won't be time-consuming is not likely to be an effective argument because they are already raising concerns about the amount of time requested

Answer 232

C. A firm's officers and directors are legally bound to exercise due diligence in conducting their activities. This concept creates a fiduciary responsibility on their part to ensure that adequate business continuity plans are in place. This is an element of corporate responsibility, but that term is vague and not commonly used to describe a board's responsibilities. Disaster requirement and going concern responsibilities are also not risk management terms.

Answer 233

C. The annualized loss expectancy (ALE) represents the amount of money a business expects to lose to a given risk each year. This figure is quite useful when performing a quantitative prioritization of business continuity resource allocation.

Answer 234

C. The maximum tolerable downtime (MTD) represents the longest period a business function can be unavailable before causing irreparable harm to the business. This figure is useful when determining the level of business continuity resources to assign to a particular function.

Answer 235

B. The single loss expectancy (SLE) is the product of the asset value (AV) and the exposure factor (EF). From the scenario, you know that the AV is $3 million and the EF is 90 percent, based on that the same land can be used to rebuild the facility. This yields an SLE of $2,700,000

Answer 236

A. This problem requires you to compute the ALE, which is the product of the SLE and ARO. From the scenario, you know that the ARO is 0.10 (or 10 percent). From the scenario presented, you know that the SLE is $7.5 million. This yields an ALE of $750,000.

Answer 237

D. The safety of human life must always be the paramount concern in business continuity planning. Be sure that your plan reflects this priority, especially in the written documentation that is disseminated to your organization's employees!

Answer 238

C. It is difficult to put a dollar figure on the business lost because of negative publicity. Therefore, this type of concern is better evaluated through qualitative analysis. The other items listed here are all more easily quantifiable.

Answer 239

A. The annualized rate of occurrence (ARO) is the likelihood that the risk will materialize in any given year. The fact that a power outage did not occur in any of the past three years doesn't change the probability that one will occur in the upcoming year. Unless other circumstances have changed, the ARO should remain the same.

Answer 240

C. You should strive to have the highest-ranking person possible sign the BCP's statement of importance. Of the choices given, the chief executive officer (CEO) is the highest ranking

Answer 241

C. The recovery point objective (RPO) specifies the maximum amount of data that may be lost during a disaster and should be used to guide backup strategies. The maximum tolerable downtime (MTD) and recovery time objective (RTO) are related to the duration of an outage, rather than the amount of data lost. The mean time between failures (MTBF) is related to the frequency of failure events.

Answer 242

D. The lessons learned session captures discoveries made during the disaster recovery process and facilitates continuous improvement. It may identify deficiencies in training and awareness or the BIA.

Answer 243

B. Redundant arrays of inexpensive disks (RAID) are a fault tolerance control that allows an organization's storage service to withstand the loss of one or more individual disks. Load balancing, clustering, and HA pairs are all fault-tolerance services designed for server compute capacity, not storage.

Answer 244

C. Cloud computing services provide an excellent location for backup storage because they are accessible from any location. The primary data center is a poor choice, as it may be damaged during a disaster. A field office is reasonable, but it is in a specific location and is not as flexible as a cloud-based approach. The IT manager's home is a poor choice, as the IT manager may leave the organization or may not have appropriate environmental and physical security controls in place.

Answer 245

B. The term *100-year flood plain* is used to describe an area where flooding is expected once every 100 years. It is, however, more mathematically correct to say that this label indicates a 1 percent probability of flooding in any given year.

Answer 246

C. All of these are good practices that could help improve the quality of service that Bryn provides from her website. Installing dual power supplies or deploying RAID arrays could reduce the likelihood of a server failure, but these measures only protect against a single risk each. Deploying multiple servers behind a load balancer is the best option because it protects against any type of risk that would cause a server failure. Backups are an important control for recovering operations after a disaster and different backup strategies could indeed alter the RTO, but it is even better if Bryn can design a web architecture that lowers the risk of the outage occurring in the first place.

Answer 247

C. The cold site contains none of the equipment necessary to restore operations. All of the equipment must be brought in and configured and data must be restored to it before operations can commence. This often takes weeks, but cold sites also have the lowest cost to implement. Hot sites, warm sites, and mobile sites all have quicker recovery times.

Answer 248

D. The parallel test involves relocating personnel to the alternate recovery site and implementing site activation procedures. Checklist tests, structured walkthroughs, and simulations are all test types that do not involve actually activating the alternate site.

Answer 249

A. Differential backups involve always storing copies of all files modified since the most recent full backup regardless of any incremental or differential backups created during the intervening time period.

Answer 250

B. People should always be your highest priority in business continuity planning. As a life safety system, fire suppression systems should always receive high prioritization.

Sybex Book Flashcards

(278 cards)