(2) Play It Safe: Manage Security Risks Flashcards

1
Q

Fill in the blank: The _____ domain is focused on access and authorization to keep data secure by making sure that users follow established policies to control and manage assets.

asset security

communication and network security

security operations

identity and access management

A

identity and access management

The identity and access management domain is focused on access and authorization to keep data secure by making sure that users follow established policies to control and manage assets.

2
Q

What is the focus of the security and risk management domain?

Optimize data security by ensuring effective processes are in place

Define security goals and objectives, risk mitigation, compliance, business continuity, and regulations

Manage and secure wireless communications

Secure physical networks and wireless communications

A

Define security goals and objectives, risk mitigation, compliance, business continuity, and regulations

The focus of the security and risk management domain is defining security goals and objectives, risk mitigation, compliance, business continuity, and regulations.

3
Q

In which domain would a security professional conduct security control testing; collect and analyze data; and perform security audits to monitor for risks, threats, and vulnerabilities?

Identity and access management

Communication and network engineering

Security assessment and testing

Security architecture and engineering

A

Security assessment and testing

In the security assessment and testing domain, a security professional conducts security control testing; collects and analyzes data; and performs security audits to monitor for risks, threats, and vulnerabilities.

4
Q

Fill in the blank: The _____ domain concerns conducting investigations and implementing preventive measures.

asset security

security operations

software development security

communications and networking engineering

A

security operations

The security operations domain concerns conducting investigations and implementing preventative measures.

5
Q

What is a vulnerability?

Any circumstance or event that can negatively impact assets

An organization’s ability to manage its defense of critical assets and data and react to change

Anything that can impact the confidentiality, integrity, or availability of an asset

A weakness that can be exploited by a threat

A

A weakness that can be exploited by a threat

6
Q

Fill in the blank: Information protected by regulations or laws is a _____. If it is compromised, there is likely to be a severe negative impact on an organization’s finances, operations, or reputation.

high-risk asset

new-risk asset

low-risk asset

medium-risk asset

A

high-risk asset

Information protected by regulations or laws is a high-risk asset. If it is compromised, there is likely to be a severe negative impact on an organization’s finances, operations, or reputation.

7
Q

What are the key impacts of threats, risks, and vulnerabilities? Select three answers.

Damage to reputation

Identity theft

Employee retention

Financial damage

A

Damage to reputation

Identity theft

Financial damage

8
Q

Fill in the blank: The steps in the Risk Management Framework (RMF) are prepare, _____, select, implement, assess, authorize, and monitor.

categorize

communicate

reflect

produce

A

categorize

The steps in the RMF are prepare, categorize, select, implement, assess, authorize, and monitor. In the categorize step, security professionals develop risk-management processes and tasks.

9
Q

Fill in the blank: Security posture refers to an organization’s ability to react to change and manage its defense of _____ and critical assets.

data

domains

consequences

gaps

A

data

10
Q

Which of the following examples are key focus areas of the security and risk management domain? Select three answers.

Store data properly

Follow legal regulations

Maintain business continuity

Mitigate risk

A

Follow legal regulations

Maintain business continuity

Mitigate risk

11
Q

How does business continuity enable an organization to maintain everyday productivity?

By exploiting vulnerabilities

By ensuring return on investment

By outlining faults to business policies

By establishing risk disaster recovery plans

A

By establishing risk disaster recovery plans

12
Q

Fill in the blank: According to the concept of shared responsibility, employees can help lower risk to physical and virtual security by _____. Select two answers.

recognizing and reporting security concerns

limiting their communication with team members

taking an active role

meeting productivity goals

A

recognizing and reporting security concerns

taking an active role

13
Q

A security analyst researches ways to improve access and authorization at their business. Their primary goal is to keep data secure. Which security domain does this scenario describe?

Identity and access management

Asset security

Communication and network security

Security assessment and testing

A

Identity and access management

14
Q

Which of the following activities may be part of establishing security controls? Select three answers.

Implement multi-factor authentication

Evaluate whether current controls help achieve business goals

Monitor and record user requests

Collect and analyze security data regularly

A

Implement multi-factor authentication

Evaluate whether current controls help achieve business goals

Collect and analyze security data regularly

15
Q

Fill in the blank: The software development security domain involves the use of the software development _____, which is an efficient process used by teams to quickly build software products and services.

lifecycle

functionality

staging

operations

A

lifecycle

16
Q

Which of the following statements accurately describe risk? Select all that apply.

A high-risk asset is any information protected by regulations or laws.

Another way to think of risk is the likelihood of a threat occurring.

If compromised, a low-risk asset would have a severe negative impact on an organization’s ongoing reputation.

If compromised, a medium-risk asset may cause some damage to an organization’s ongoing operations.

A

A high-risk asset is any information protected by regulations or laws.

Another way to think of risk is the likelihood of a threat occurring.

If compromised, a medium-risk asset may cause some damage to an organization’s ongoing operations.

17
Q

A business experiences an attack. As a result, its critical business operations are interrupted and it faces regulatory fines. What type of consequence does this scenario describe?

Financial

Identity

Reputation

Practical

A

Financial

18
Q

Fill in the blank: In the Risk Management Framework (RMF), the _____ step might involve implementing a plan to change password requirements in order to reduce requests to reset employee passwords.

authorize

prepare

categorize

implement

A

implement

19
Q

How do security frameworks enable security professionals to help mitigate risk?

They are used to establish laws that reduce a specific security risk.

They are used to create unique physical characteristics to verify a person’s identity.

They are used to establish guidelines for building security plans.

They are used to refine elements of a core security model known as the CIA triad.

A

They are used to establish guidelines for building security plans.

Security frameworks are used to establish guidelines for building security plans that enable security professionals to help mitigate risk.

20
Q

Competitor organizations are the biggest threat to a company’s security.

True

False

A

True

People are the biggest threat to a company’s security. This is why educating employees about security challenges is essential for minimizing the possibility of a breach.

21
Q

Fill in the blank: Security controls are safeguards designed to reduce _____ security risks.

broadscale

specific

general

public

A

specific

Security controls are safeguards designed to reduce specific risks.

22
Q

A security analyst works on a project designed to reduce the risk of vishing. They develop a plan to protect their organization from attackers who could exploit biometrics. Which type of security control does this scenario describe?

Encryption

Ciphertext

Classification

Authentication

A

Authentication

This describes authentication, which is the process of implementing controls to verify who someone or something is before granting access to specific resources within a system.

23
Q

What is the CIA triad?

A foundational security model used to set up security policies and systems

A mandatory security framework involving the selection of appropriate controls

A set of security controls used to update systems and networks

Ongoing validation processes involving all employees in an organization

A

A foundational security model used to set up security policies and systems

The CIA triad is a foundational security model used to set up security policies and systems. The core principles of the model are confidentiality, integrity, and availability.

24
Q

Which element of the CIA triad specifies that only authorized users can access specific information?

Confidentiality

Confirmation

Integrity

Access

A

Confidentiality

Confidentiality specifies that only authorized users can access specific information.

25
Q

A security analyst discovers that certain data is inaccessible to authorized users, which is preventing these employees from doing their jobs efficiently. The analyst works to fix the application involved in order to allow for timely and reliable access. Which element of the CIA triad does this scenario describe?

Applicability

Capacity

Integrity

Availability

A

Availability

This scenario describes availability. Availability specifies that data is accessible to authorized users.

26
Q

Fill in the blank: According to the CIA triad, _____ refers to ensuring that an organization’s data is verifiably correct, authentic, and reliable.

Integrity

Accuracy

Credibility

Availability

A

Integrity

According to the CIA triad, integrity refers to ensuring that an organization’s data is verifiably correct, authentic, and reliable.

27
Q

What is the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)?

A set of security controls that help analysts determine what to do if a data breach occurs

Standards, guidelines, and best practices that organizations follow voluntarily in order to manage cybersecurity risk

A collection of security principles focused on maintaining confidentiality, integrity, and availability

A required business framework for ensuring security updates and repairs are successful

A

Standards, guidelines, and best practices that organizations follow voluntarily in order to manage cybersecurity risk

The NIST CSF is a voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risk.

28
Q

Fill in the blank: The five core functions that make up the CSF are: identify, protect, detect, _____, and recover.

reevaluate

reflect

regulate

respond

A

respond

The five core functions that make up the CSF are: identify, protect, detect, respond, and recover.

29
Q

Fill in the blank: The CSF _____ function relates to monitoring systems and devices in an organization’s internal network to help security teams manage potential cybersecurity risks and their effects.

protect

identify

respond

recover

A

identify

The CSF identify function relates to monitoring systems and devices in an organization’s internal network to help security teams manage potential cybersecurity risks and their effects.

30
Q

What does a security analyst’s work involve during the CSF recover function?

Return affected systems back to normal operation

Protect an organization through the implementation of employee training

Contain, neutralize, and analyze security incidents

Pinpoint threats and improve monitoring capabilities

A

Return affected systems back to normal operation

During the recover function, a security analyst’s work involves returning affected systems back to normal operation.

31
Q

A security analyst disables certain software features to reduce the potential vulnerabilities that an attacker could exploit at their organization. Which OWASP security principle does this scenario describe?

Minimize the attack surface

Defense in depth

Fix security issues correctly

Separation of duties

A

Minimize the attack surface

This scenario describes minimizing the attack surface.

32
Q

Fill in the blank: A security _____ is a review of an organization’s security controls, policies, and procedures against a set of expectations.

survey

classification

audit

examination

A

audit

A security audit is a review of an organization’s security controls, policies, and procedures against a set of expectations.

33
Q

A security professional closely examines their organization’s network, then evaluates potential risks to the network. Their goal is to ensure internal safeguards and processes are effective. What security concept does this scenario describe?

Controls assessment

Communicating results

Security recommendations

Compliance regulations

A

Controls assessment

This scenario describes a controls assessment. A controls assessment involves closely reviewing an organization’s existing assets, then evaluating potential risks to those assets in order to ensure internal controls and processes are effective.

34
Q

A security professional is asked to communicate the results of an internal security audit to stakeholders. What should be included in that communication? Select three answers.

A list of questions for stakeholders to answer

A list of risks and compliance requirements that need to be addressed

A recommendation about how to improve the organization’s security posture

A summary of the audit’s scope and goals

A

A list of risks and compliance requirements that need to be addressed

A recommendation about how to improve the organization’s security posture

A summary of the audit’s scope and goals

When communicating the results of an internal audit to stakeholders, the communication should include a summary of the audit’s scope and goals; a list of risks and compliance requirements that need to be addressed; and a recommendation about how to improve the organization’s security posture.

35
Q

What does a security professional use to create guidelines and plans that educate employees about how they can help protect the organization?

Security posture

Security hardening

Security audit

Security framework

A

Security framework

36
Q

Fill in the blank: A security professional uses _____ to verify that an employee has permission to access a resource.

admission

authorization

integrity

encryption

A

authorization

37
Q

What type of social engineering attack attempts to exploit biometrics?

Spear phishing

Cryptographic attack

Vishing

Whaling

A

Vishing

38
Q

You work as a security analyst for a community organization that has large amounts of private data. Which core principle of the CIA triad do you use to ensure private information is kept safe?

Integrity

Availability

Confidentiality

Consistency

A

Confidentiality

39
Q

Which of the following statements accurately describe the CSF? Select all that apply.

The identify function of the CSF involves managing cybersecurity risk and its effects on an organization’s people and assets.

The CSF is a voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risk.

The protect function of the CSF involves returning affected systems back to normal operation.

Implementing improvements to a security process is part of the respond function of the CSF.

A

The CSF is a voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risk.

Implementing improvements to a security process is part of the respond function of the CSF.

40
Q

A security team has just finished addressing a recent security incident. They now conduct tests to ensure that all of their repairs were successful. Which OWASP principle does this scenario describe?

Separation of duties

Principle of least privilege

Fix security issues correctly

Minimize attack surface area

A

Fix security issues correctly

41
Q

What are some of the primary objectives of an internal security audit? Select all that apply.

Help security teams correct compliance issues

Enable security teams to assess controls

Limit traffic on an organization’s firewall

Identify any security gaps or weaknesses within an organization

A

Help security teams correct compliance issues

Enable security teams to assess controls

Identify any security gaps or weaknesses within an organization

42
Q

Fill in the blank: The planning elements of an internal security audit include establishing scope and _____, then conducting a risk assessment.

goals

limitations

compliance

controls

A

goals

43
Q

A security analyst performs an internal security audit. They determine that the organization needs to install surveillance cameras at various store locations. What are they working to establish?

Technical controls

Administrative controls

Communication controls

Physical controls

A

Physical controls

44
Q

What information is typically communicated to stakeholders after completion of an internal security audit? Select three answers.

Results and recommendations

A summary of the scope

Questions about specific controls

A list of existing risks

A

Results and recommendations

A summary of the scope

A list of existing risks

45
Q

Which log source records events related to websites, emails, and file shares, as well as password and username requests?

Network

Receiving

Server

Firewall

A

Server

Server logs record events related to websites, emails, and file shares. They include actions such as login requests, password and username requests, as well as the ongoing use of these services.

46
Q

Fill in the blank: A security information and _____ management (SIEM) tool is an application that collects and analyzes log data to monitor critical activities in an organization.

employee

emergency

event

efficiency

A

event

A security information and event management (SIEM) tool is an application that collects and analyzes log data to monitor critical activities in an organization. SIEM tools index and minimize the scope of logs a security professional should manually review and analyze.

47
Q

A security professional evaluates a software application by reviewing key technical attributes including response time, availability, and failure rate. What are they using to assess performance?

Models

Metrics

Cloud tools

Index standards

A

Metrics

They are using metrics. Metrics are key technical attributes including response time, availability, and failure rate, which are used to assess the performance of a software application. SIEM dashboards can be customized to display relevant metrics.

48
Q

Fill in the blank: SIEM tools must be configured and _____ to meet each organization’s unique security needs.

customized

centralized

reviewed

indexed

A

customized

SIEM tools must be configured and customized to meet each organization’s unique security needs.

49
Q

A security team wants some of its services to be hosted on the internet instead of local devices. However, they also need to maintain physical control over certain confidential data. What type of SIEM solution should they select?

Self-hosted

Hybrid

Remote

Cloud-hosted

A

Hybrid

They should select a hybrid solution. Hybrid solutions use a combination of both self- and cloud-hosted SIEM tools to leverage the benefits of the cloud while maintaining physical control over confidential data.

50
Q

Security information and event management (SIEM) tools provide dashboards that help cybersecurity professionals organize and focus their security efforts.

True

False

A

True

SIEM tools provide dashboards that help cybersecurity professionals organize and focus their security efforts. This allows analysts to reduce risk by identifying, analyzing, and remediating the highest priority items in a timely manner.

51
Q

Fill in the blank: A _____ SIEM tool is specifically designed to take advantage of cloud computing capabilities including availability, flexibility, and scalability.

cloud-native

cloud-local

cloud-hardware

cloud-infrastructure

A

cloud-native

A cloud-native SIEM tool, such as Chronicle, is specifically designed to take advantage of cloud computing capabilities including availability, flexibility, and scalability.

52
Q

What are the different types of SIEM tools? Select three answers.

Self-hosted

Cloud-hosted

Hybrid

Physical

A

Self-hosted

Cloud-hosted

Hybrid

53
Q

Which of the following statements correctly describe logs? Select three answers.

A record of connections between devices and services on a network is part of a network log.

SIEM tools rely on logs to monitor systems and detect security threats.

A record of events related to employee logins and username requests is part of a server log.

Actions such as username requests are recorded in a network log.

A

A record of connections between devices and services on a network is part of a network log.

SIEM tools rely on logs to monitor systems and detect security threats.

A record of events related to employee logins and username requests is part of a server log.

54
Q

What are some of the key benefits of SIEM tools? Select three answers.

Automatic updates customized to new threats and vulnerabilities

Store all log data in a centralized location

Monitor critical activities in an organization

Provide visibility

A

Store all log data in a centralized location

Monitor critical activities in an organization

Provide visibility

55
Q

Fill in the blank: To assess the performance of a software application, security professionals use _____, including response time, availability, and failure rate.

metrics

logs

SIEM tools

dashboards

A

metrics

56
Q

A security team chooses to implement a SIEM tool that they will install, operate, and maintain using their own physical infrastructure. What type of tool are they using?

Cloud-hosted

Self-hosted

Hybrid

Log-hosted

A

Self-hosted

57
Q

You are a security professional, and you want to save time by using a SIEM tool that will be managed by a provider and only be accessible through the internet. What type of tool do you choose?

IT-hosted

Self-hosted

Hybrid

Cloud-hosted

A

Cloud-hosted

58
Q

Fill in the blank: SIEM tools are used to search, analyze, and _____ an organization’s log data to provide security information and alerts in real time.

separate

retain

release

modify

A

retain

59
Q

A security analyst receives an alert about hundreds of login attempts from unusual geographic locations within the last few minutes. What can the analyst use to review a timeline of the login attempts, locations, and time of activity?

A network protocol analyzer (packet sniffer)

A playbook

An operating system

A SIEM tool dashboard

A

A SIEM tool dashboard

60
Q

Fill in the blank: The wide exposure and immediate access to the source code of open-source tools make it _____ likely that issues will occur.

less

equally

more

very

A

less

61
Q

In the event of a security incident, when would it be appropriate to refer to an incident response playbook?

Throughout the entire incident

Only prior to the incident occurring

At least one month after the incident is over

Only when the incident first occurs

A

Throughout the entire incident

In the event of a security incident, it is appropriate to refer to an incident response playbook throughout the entire incident. An incident response playbook is a guide with six phases used to help mitigate and manage security incidents from beginning to end.

62
Q

Fill in the blank: During the _____ phase, security professionals use tools and strategies to determine whether a breach has occurred and to evaluate its potential magnitude.

coordination

containment

preparation

detection and analysis

A

detection and analysis

During the detection and analysis phase, security professionals use tools and strategies to determine whether a breach has occurred and to evaluate its potential magnitude.

63
Q

In which incident response playbook phase would a security team document an incident to ensure that their organization is better prepared to handle future security events?

Eradication and recovery

Coordination

Post-incident activity

Containment

A

Post-incident activity

In the post-incident activity phase, a security team documents an incident to ensure that their organization is better prepared to handle future incidents.

64
Q

What is the relationship between SIEM tools and playbooks?

Playbooks collect and analyze data, then SIEM tools guide the response process.

Playbooks detect threats and generate alerts, then SIEM tools provide the security team with a proven strategy.

They work together to predict future threats and eliminate the need for human intervention.

They work together to provide a structured and efficient way of responding to security incidents.

A

They work together to provide a structured and efficient way of responding to security incidents.

SIEM tools and playbooks work together to provide a structured and efficient way of responding to security incidents.

65
Q

Playbooks are permanent, best-practice documents, so a security team should not make changes to them.

True

False

A

False

Playbooks are living documents, so a security team will make frequent changes, updates, and improvements to address new threats and vulnerabilities.

66
Q

A business recently experienced a security breach. Security professionals are currently restoring the affected data using a clean backup that was created before the incident. What playbook phase does this scenario describe?

Containment

Eradication and recovery

Post-incident activity

Detection and analysis

A

Eradication and recovery

This scenario describes eradication and recovery. This phase involves removing the incident’s artifacts and restoring the affected environment to a secure state.

67
Q

Fill in the blank: Once a security incident is resolved, security analysts perform various post-incident activities and _____ efforts with the security team.

preparation

detection

coordination

eradication

A

coordination

Once a security incident is resolved, security analysts perform various post-incident activities and coordination efforts with the security team. Coordination involves reporting incidents and sharing information based on established standards.

68
Q

Which action can a security analyst take when they are assessing a SIEM alert?

Analyze log data and related metrics

Isolate an infected network system

Restore the affected data with a clean backup

Create a final report

A

Analyze log data and related metrics

An action that a security analyst can take when they are assessing a SIEM alert is to analyze log data and related metrics. This helps in identifying why the alert was generated by the SIEM tool and determining if the alert is valid.

69
Q

Which of the following statements accurately describe playbooks? Select three answers.

A playbook can be used to respond to an incident.

A playbook is an essential tool used in cybersecurity.

A playbook is used to develop compliance regulations.

A playbook improves efficiency when identifying and mitigating an incident.

A

A playbook can be used to respond to an incident.

A playbook is an essential tool used in cybersecurity.

A playbook improves efficiency when identifying and mitigating an incident.

70
Q

What does a security team do when updating and improving a playbook? Select all that apply.

Refine response strategies for future incidents

Discuss ways to improve security posture

Improve antivirus software performance

Consider learnings from past security incidents

A

Refine response strategies for future incidents

Discuss ways to improve security posture

Consider learnings from past security incidents

71
Q

Fill in the blank: Incident response playbooks outline processes for communication and _____ of a security breach.

documentation

implementation

iteration

concealment

A

documentation

72
Q

A security analyst reports to stakeholders about a security breach. They provide details based on the organization’s established standards. What phase of an incident response playbook does this scenario describe?

Preparation

Detection and analysis

Eradication and recovery

Coordination

A

Coordination

73
Q

Which phase of an incident response playbook is primarily concerned with preventing further damage and reducing the immediate impact of a security incident?

Preparation

Post-incident activity

Containment

Detection and analysis

A

Containment

74
Q

Fill in the blank: During the post-incident activity phase, organizations aim to enhance their overall _____ by determining the incident’s root cause and implementing security improvements.

security posture

security audit

user experience

employee engagement

A

security posture

75
Q

A security analyst wants to set the foundation for successful incident response. They outline roles and responsibilities of each security team member. What phase of an incident response playbook does this scenario describe?

Post-incident activity

Detection and analysis

Preparation

Containment

A

Preparation

76
Q

In what ways do SIEM tools and playbooks help security teams respond to an incident? Select all that apply.

SIEM tools analyze data.

SIEM alerts provide security teams with specific steps to identify and respond to security incidents.

SIEM alerts inform security teams of potential threats.

SIEM tools and playbooks work together to provide an efficient way of handling security incidents.

A

SIEM tools analyze data.

SIEM alerts inform security teams of potential threats.

SIEM tools and playbooks work together to provide an efficient way of handling security incidents.