201-250 Flashcards

1
Q

An organization has three divisions: Accounting, Sales, and Human Resources. Users in the Accounting division require access to a server in the Sales division, but no users in the Human Resources division should have access to resources in any other division, nor should any users in the Sales division have access to resources in the Accounting division.

Which of the following network segmentation schemas would BEST meet this objective?

A

D.
Create three separate VLANS, one for each division.

A virtual local area network (VLAN) is a hardware-imposed network segmentation created by switches. Communications between ports within the same VLAN occur without hindrance, but communications between VLANs require a routing function.

2
Q

A retail store uses a wireless network for its employees to access inventory from anywhere in the store. Due to concerns regarding the aging wireless network, the store manager has brought in a consultant to harden the network. During the site survey, the consultant discovers that the network was using WEP encryption.

Which of the following would be the BEST course of action for the consultant to recommend?

A

B.
Change the encryption used so that the encryption protocol is CCMP-based.

CCMP is the standard encryption protocol for use with the WPA2 standard and is much more secure than the WEP protocol and TKIP protocol of WPA. CCMP provides the following security services:

3
Q

A server is configured to communicate on both VLAN 1 and VLAN 12. VLAN 1 communication works fine, but VLAN 12 does not.

Which of the following MUST happen before the server can communicate on VLAN 12?

A

D.
The server’s network switch port must be 802.1q tagged for VLAN 12.

802.1q is a standard that defines a system of VLAN tagging for Ethernet frames. The purpose of a tagged port is to pass traffic for multiple VLANs.

4
Q

What are three of the primary security control types that can be implemented?

A

C.
Operational, technical, and management.

The National Institute of Standards and Technology (NIST) places controls into various types. The control types fall into three categories: Management, Operational, and Technical.

5
Q

Which of the following technical controls is BEST used to define which applications a user can install and run on a company issued mobile device?

A

C.
Whitelisting

Whitelists are closely related to ACLs; essentially, a whitelist is a list of items that are allowed.

6
Q

To help prevent unauthorized access to PCs, a security administrator implements screen savers that lock the PC after five minutes of inactivity.

Which of the following controls is being described in this situation?

A

C.
Technical

Controls such as preventing unauthorized access to PCs and applying screen savers that lock the PC after five minutes of inactivity are technical controls, in the same category as Identification and Authentication, Access Control, Audit and Accountability, and System and Communication Protection.

7
Q

Which of the following is a management control?

A

B.
Written security policy

Management control types include risk assessment, planning, system and services acquisition, and certification, accreditation and security assessment; a written security policy falls in this category.

8
Q

Which of the following can result in significant administrative overhead from incorrect reporting?

A

C.
False positives

False positives are essentially events that are mistakenly flagged and are not really events to be concerned about. They cause significant administrative overhead because the incorrect reporting still has to be reviewed and handled.

9
Q

A vulnerability scan is reporting that patches are missing on a server. After a review, it is determined that the application requiring the patch does not exist on the operating system.

Which of the following describes this cause?

A

B.
False positives

False positives are essentially events that are mistakenly flagged and are not really events to be concerned about.

10
Q

Ann, a security technician, is reviewing the IDS log files. She notices a large number of alerts for multicast packets from the switches on the network. After investigation, she discovers that this is normal activity for her network.

Which of the following BEST describes these results?

A

C.
False positives

False positives are essentially events that are mistakenly flagged and are not really events to be concerned about.

11
Q

Which of the following is an example of a false negative?

A

A.
The IDS does not identify a buffer overflow.

With a false negative, you are not alerted to a situation when you should be alerted.

12
Q

A company storing data on a secure server wants to ensure it is legally able to dismiss and prosecute staff who intentionally access the server via Telnet and illegally tamper with customer data.

Which of the following administrative controls should be implemented to BEST achieve this?

A

C.
Warning banners

Within Microsoft Windows, you have the ability to put up signs (in the form of onscreen pop-up banners) that appear before the login and convey information such as "authorized access only", "violators will be prosecuted", and so forth. Such banners convey warnings or regulatory information that the user must "accept" in order to use the machine or network. You need to make staff aware that they may legally be prosecuted, and a message is best given via a banner so that all staff using the workstation receive the notification.

13
Q

Joe, a security analyst, asks each employee of an organization to sign a statement saying that they understand how their activities may be monitored.

Which of the following BEST describes this statement? (Choose two.)

A

A. Acceptable use policy
C. Privacy policy

Privacy policies define what controls are required to implement and maintain the sanctity of data privacy in the work environment. A privacy policy is a legal document that outlines how collected data is secured. It should encompass information regarding the information the company collects, the privacy choices you have based on your account, potential sharing of your data with other parties, the security measures in place, and enforcement.
Acceptable use policies (AUPs) describe how the employees in an organization can use company systems and resources, both software and hardware.

14
Q

Joe, a newly hired employee, has a corporate workstation that has been compromised due to several visits to P2P sites. Joe insisted that he was not aware of any company policy that prohibits the use of such websites.

Which of the following is the BEST method to deter employees from the improper use of the company’s information systems?

A

A.
Acceptable Use Policy

Acceptable use policies (AUPs) describe how the employees in an organization can use company systems and resources, both software and hardware.

15
Q

Pete, a security analyst, has been informed that the development team has plans to develop an application which does not meet the company’s password policy.

Which of the following should Pete do NEXT?

A

B.
Tell the application development manager to code the application to adhere to the company’s password policy.

Since the application is violating the security policy, it should be coded differently to comply with the password policy.

16
Q

A major security risk with co-mingling of hosts with different security requirements is:

A

A.
Security policy violations

The entire network is only as strong as the weakest host. Thus, co-mingling hosts with different security requirements risks security policy violations.

17
Q

Which of the following provides the BEST explanation regarding why an organization needs to implement IT security policies?

A

C.
To reduce the organizational risk

Once risks have been identified and assessed, there are five possible actions that can be taken: risk avoidance, risk transference, risk mitigation, risk deterrence and risk acceptance. Any time you take steps to reduce risk, you are engaged in risk mitigation, and implementing IT security policies is a risk mitigation strategy.

18
Q

Which of the following should Pete, a security manager, implement to reduce the risk of employees working in collusion to embezzle funds from their company?

A

D.
Mandatory vacations

A mandatory vacation policy requires all users to take time away from work to refresh. Mandatory vacation not only gives the employee a chance to refresh; it also gives the company a chance to make sure that others can fill in any gaps in skills, satisfies the need to have replication or duplication at all levels, and provides an opportunity to discover fraud.

19
Q

Two members of the finance department have access to sensitive information. The company is concerned they may work together to steal information.

Which of the following controls could be implemented to discover if they are working together?

A

D.
Mandatory vacations

A mandatory vacation policy requires all users to take time away from work to refresh. Mandatory vacation gives the employee a chance to refresh, but it also gives the company a chance to make sure that others can fill in any gaps in skills and satisfies the need to have replication or duplication at all levels. Mandatory vacations also provide an opportunity to discover fraud. In this case, mandatory vacations can prevent the two members from colluding to steal the information they have access to.

20
Q

Mandatory vacations are a security control which can be used to uncover the following:

A

A.
Fraud committed by a system administrator

Mandatory vacations also provide an opportunity to discover fraud, apart from the obvious benefits of giving employees a chance to refresh and making sure that others in the company can fill those positions, making the company less dependent on those persons; a sort of replication and duplication at all levels.

21
Q

While rarely enforced, mandatory vacation policies are effective at uncovering:

A

D.
Acts of gross negligence on the part of system administrators with unfettered access to system and no oversight.

Least privilege (privilege reviews) and job rotation are done when mandatory vacations are implemented. This will uncover areas where the system administrators neglected to check all users’ privileges, since other users must fill in their positions while they are on mandatory vacation.

22
Q

Which of the following controls has a company that has implemented a mandatory vacation policy?

A

A.
Risk control

Risk mitigation is done anytime you take steps to reduce risks. Thus, mandatory vacation implementation is done as a risk control measure because it is a step that is taken as risk mitigation.

23
Q

Which of the following should Joe, a security manager, implement to reduce the risk of employees working in collusion to embezzle funds from his company?

A

D.
Mandatory Vacations

When one person fills in for another, such as for mandatory vacations, it provides an opportunity to see what the person is doing and potentially uncover any fraud.

24
Q

A company is looking to reduce the likelihood of employees in the finance department being involved with money laundering.

Which of the following controls would BEST mitigate this risk?

A

B.
Enforce mandatory vacations

A mandatory vacation policy requires all users to take time away from work to refresh. At the same time, it gives the company a chance to make sure that others can fill in any gaps in skills and satisfies the need to have replication or duplication at all levels. It also affords the company an opportunity to discover fraud: when others do the same job in the absence of the regular staff member, there is transparency.

25
Q

The Chief Security Officer (CSO) is concerned about misuse of company assets and wishes to determine who may be responsible.

Which of the following would be the BEST course of action?

A

C.
Enact a policy that employees must use their vacation time in a staggered schedule.

A policy that states employees should use their vacation time in a staggered schedule is a way of employing mandatory vacations. A mandatory vacation policy requires all users to take time away from work while others step in and do the work of the employee on vacation. This will afford the CSO the opportunity to see who is using the company assets responsibly and who is abusing them.

26
Q

A software developer is responsible for writing the code on an accounting application. Another software developer is responsible for developing code on a system in human resources. Once a year they have to switch roles for several weeks.

Which of the following practices is being implemented?

A

B.
Job rotation

A job rotation policy defines intervals at which employees must rotate through positions.

27
Q

Which of the following types of risk reducing policies also has the added indirect benefit of cross training employees when implemented?

A

B.
Job rotation

A job rotation policy defines intervals at which employees must rotate through positions. Similar in purpose to mandatory vacations, it helps to ensure that the company does not become too dependent on one person, and it affords the company the opportunity to place another person in that same job.

28
Q

In order to prevent and detect fraud, which of the following should be implemented?

A

A.
Job rotation

A job rotation policy defines intervals at which employees must rotate through positions. Similar in purpose to mandatory vacations, it helps to ensure that the company does not become too dependent on one person, and it affords the company the opportunity to place another person in that same job; in this way the company can potentially uncover any fraud committed by the incumbent.

29
Q

The Chief Technical Officer (CTO) has been informed of a potential fraud committed by a database administrator performing several other job functions within the company.

Which of the following is the BEST method to prevent such activities in the future?

A

B.
Separation of duties

Separation of duties means that users are granted only the permissions they need to do their work and no more. Moreover, it means that you are employing best practices. The segregation of duties and separation of environments is a way to reduce the likelihood of misuse of systems or information. A separation of duties policy is designed to reduce the risk of fraud and to prevent other losses in an organization.

30
Q

Separation of duties is often implemented between developers and administrators in order to separate the following:

A

B.
Changes to program code and the ability to deploy to production

Separation of duties means that there is differentiation between users, employees and duties, which forms part of best practices.

31
Q

A user in the company is in charge of various financial roles but needs to prepare for an upcoming audit. They use the same account to access each financial system.
Which of the following security controls will MOST likely be implemented within the company?

A

D.
Separation of duties

Separation of duties means that users are granted only the permissions they need to do their work and no more. Moreover, it means that there is differentiation between users, employees and duties, which forms part of best practices.

32
Q

Everyone in the accounting department has the ability to print and sign checks. Internal audit has asked that only one group of employees may print checks while only two other employees may sign the checks.

Which of the following concepts would enforce this process?

A

A.
Separation of Duties

Separation of duties means that users are granted only the permissions they need to do their work and no more.

33
Q

One of the system administrators at a company is assigned to maintain a secure computer lab. The administrator has rights to configure machines, install software, and perform user account maintenance. However, the administrator cannot add new computers to the domain, because that requires authorization from the Information Assurance Officer.

Which of the following is this an example of?

A

C.
Least privileged

A least privilege policy should be used when assigning permissions. Give users only the permissions that they need to do their work and no more.

34
Q

A security administrator notices that a specific network administrator is making unauthorized changes to the firewall every Saturday morning.

Which of the following would be used to mitigate this issue so that only security administrators can make changes to the firewall?

A

C.
Least privilege

A least privilege policy gives users only the permissions that they need to do their work and no more. Here that means allowing only security administrators to make changes to the firewall, in keeping with the least privilege principle.

35
Q

Which of the following risk mitigation strategies will allow Ann, a security analyst, to enforce least privilege principles?

A

A.
User rights reviews

A least privilege policy should be used when assigning permissions. Give users only the permissions and rights that they need to do their work and no more.

36
Q

A least privilege policy should be used when assigning permissions. Give users only the permissions and rights that they need to do their work and no more.

A

D.
Threats X vulnerability X asset value

Threats X vulnerability X asset value is equal to asset value (AV) times exposure factor (EF). This is used to calculate a risk.

37
Q

A company is preparing to decommission an offline, non-networked root certificate server. Before sending the server’s drives to be destroyed by a contracted company, the Chief Security Officer (CSO) wants to be certain that the data will not be accessed.
Which of the following, if implemented, would BEST reassure the CSO? (Choose two.)

A

B.
Full disk encryption

D.
Disk wiping procedures

B: Full disk encryption is when the entire volume is encrypted; the data is not accessible to someone who might boot another operating system in an attempt to bypass the computer’s security. Full disk encryption is sometimes referred to as hard drive encryption.

D: Disk wiping is the process of repeatedly overwriting the data on the disk, or using a magnet to alter the magnetic structure of the disks. This renders the data unreadable.

38
Q

Identifying residual risk is MOST important to which of the following concepts?

A

B.
Risk acceptance

Risk acceptance is often the choice you must make when the cost of implementing any of the other four choices exceeds the value of the harm that would occur if the risk came to fruition. To truly qualify as acceptance, it cannot be a risk of which the administrator or manager is unaware; it has to be an identified risk for which those involved understand the potential cost or damage and agree to accept it. Residual risk is always present and will remain a risk, thus it should be accepted (risk acceptance).

39
Q

A software company has completed a security assessment. The assessment states that the company should implement fencing and lighting around the property. Additionally, the assessment states that production releases of their software should be digitally signed.

Given the recommendations, the company was deficient in which of the following core security areas? (Choose two.)

A

D.
Integrity

E.
Safety

Aspects such as fencing, proper lighting, locks, CCTV, escape plans, drills, escape routes and testing controls form part of safety controls.
Integrity refers to aspects such as hashing, digital signatures, certificates and non-repudiation, all of which have to do with data integrity.

40
Q

A security administrator wants to implement strong security on the company smart phones and terminal servers located in the data center. Drag and drop the applicable controls to each asset type.

Instructions: Controls can be used multiple times and not all the placeholders need to be filled. When you have completed the simulation, please choose Done to submit.

A

SEE QUESTION 240 FOR ANSWER

41
Q

Which of the following defines a business goal for system restoration and acceptable data loss?

A

C.
RPO

The recovery point objective (RPO) defines the point at which the system needs to be restored. This could be where the system was two days before it crashed (whip out the old backup tapes) or five minutes before it crashed (requiring complete redundancy). This is an essential business goal insofar as system restoration and acceptable data loss is concerned.

42
Q

Sara, the Chief Security Officer (CSO), has had four security breaches during the past two years.
Each breach has cost the company $3,000. A third party vendor has offered to repair the security hole in the system for $25,000. The breached system is scheduled to be replaced in five years.

Which of the following should Sara do to address the risk?

A

D.
Transfer the risk saving $5,000.

Risk transference involves sharing some of the risk burden with someone else, such as an insurance company. The cost of the security breach over a period of 5 years would amount to $30,000 and it is better to save $5,000.

43
Q

Which of the following concepts are included on the three sides of the “security triangle”? (Choose three.)

A

A. Confidentiality
B. Availability
C. Integrity

Confidentiality, integrity, and availability are the three most important concepts in security. Thus, they form the security triangle.

44
Q

Elastic cloud computing environments often reuse the same physical hardware for multiple customers over time as virtual machines are instantiated and deleted.

This has important implications for which of the following data security concerns?

A

B.
Data confidentiality

If data is not kept separate or segregated, its confidentiality may be compromised. Be aware of the fact that your data is only as safe as the data with which it is integrated. For example, assume that your client database is hosted on a server that another company is also using to test an application that they are creating. If their application obtains root-level access at some point (such as to change passwords) and crashes at that point, then the user running the application could be left with root permissions and conceivably be able to access data on the server for which they are not authorized, such as your client database. Data segregation is crucial; keep your data on secure servers.

45
Q

The system administrator notices that their application is no longer able to keep up with the large amounts of traffic their server is receiving daily. Several packets are dropped and sometimes the server is taken offline.

Which of the following would be a possible solution to look into to ensure their application remains secure and available?

A

A.
Cloud computing

Cloud computing means hosting services and data on the Internet instead of hosting it locally. There is thus no issue when the company’s server is taken offline.

46
Q

Users can authenticate to a company’s web applications using their credentials from a popular social media site.

Which of the following poses the greatest risk with this integration?

A

D.
Password breaches to the social media site affect the company application as well

Having your company’s application authentication ‘linked’ to the credentials that users use on social media sites exposes your company’s application far more than is necessary. You should strive to practice risk avoidance.

47
Q

Which of the following is the GREATEST security risk of two or more companies working together under a Memorandum of Understanding?

A

C.
MOUs are generally loose agreements and therefore may not have strict guidelines in place to protect sensitive data between the two entities.

The document Memorandum of Understanding is used in many settings in the information industry. It is a brief summary of which party is responsible for what portion of the work. For example, Company A may be responsible for maintaining the database server and Company B may be responsible for telecommunications. MOUs are not legally binding but they carry a degree of seriousness and mutual respect, stronger than a gentlemen’s agreement. Often, MOUs are the first steps towards a legal contract.

48
Q

Which of the following describes the purpose of an MOU?

A

D.
Define responsibilities of each party

49
Q

A company has decided to move large data sets to a cloud provider in order to limit the costs of new infrastructure. Some of the data is sensitive and the Chief Information Officer wants to make sure both parties have a clear understanding of the controls needed to protect the data.

Which of the following types of interoperability agreement is this?

A

A. ISA

An ISA (Interconnection Security Agreement) is an agreement between two organizations that have connected systems. The agreement documents the technical requirements of the connected systems.

50
Q

Which of the following is the primary security concern when deploying a mobile device on a network?

A

C.
Data security

Mobile devices, such as laptops, tablet computers, and smartphones, provide security challenges above those of desktop workstations, servers, and the like, in that they leave the office, which increases the odds of their theft and makes data security a real concern. At a bare minimum, the following security measures should be in place on mobile devices: screen lock, strong password, device encryption, remote wipe or sanitation, voice encryption, GPS tracking, application control, storage segmentation, asset tracking and device access control.