301-350 Flashcards

1
Q

During which of the following phases of the Incident Response process should a security administrator define and implement general defense against malware?

A

B.
Preparation

Incident response procedures involve: Preparation; Incident identification; Escalation and notification; Mitigation steps; Lessons learned; Reporting; Recover/reconstitution procedures; First responder; Incident isolation (Quarantine; Device removal); Data breach; Damage and loss control. It is important to stop malware before it ever gets hold of a system; thus, you should know which malware is out there and take defensive measures. This means preparation to guard against malware infection should be done.

2
Q

The Chief Technical Officer (CTO) has tasked The Computer Emergency Response Team (CERT) to develop and update all Internal Operating Procedures and Standard Operating Procedures documentation in order to successfully respond to future incidents.

Which of the following stages of the Incident Handling process is the team working on?

A

D.
Preparation

Incident response procedures involve: Preparation; Incident identification; Escalation and notification; Mitigation steps; Lessons learned; Reporting; Recover/reconstitution procedures; First responder; Incident isolation (Quarantine; Device removal); Data breach; Damage and loss control. Developing and updating all internal operating and standard operating procedures documentation to handle future incidents is preparation.

3
Q

The helpdesk reports increased calls from clients reporting spikes in malware infections on their systems.

Which of the following phases of incident response is MOST appropriate as a FIRST response?

A

D.
Identification

To be able to respond to an incident of malware infection, you need to know what type of malware was used, since there are many types of malware around. This makes identification critical in this case.

4
Q

Who should be contacted FIRST in the event of a security breach?

A

C.
Incident response team

A security breach is an incident and requires a response. The incident response team would be better equipped to deal with any incident insofar as all their procedures are concerned. Their procedures in addressing incidents are: Preparation; Incident identification; Escalation and notification; Mitigation steps; Lessons learned; Reporting; Recover/reconstitution procedures; First responder; Incident isolation (Quarantine; Device removal); Data breach; Damage and loss control.

5
Q

In which of the following steps of incident response does a team analyze the incident and determine steps to prevent a future occurrence?

A

D.
Lessons learned

Incident response procedures involve, in chronological order: Preparation; Incident identification; Escalation and notification; Mitigation steps; Lessons learned; Reporting; Recover/reconstitution procedures; First responder; Incident isolation (Quarantine; Device removal); Data breach; Damage and loss control. Thus, lessons are only learned after mitigation has occurred, for only then can you ‘step back’ and analyze the incident to prevent the same occurrence in the future.

6
Q

After a recent security breach, the network administrator has been tasked to update and backup all router and switch configurations. The security administrator has been tasked to enforce stricter security policies. All users were forced to undergo additional user awareness training.

All of these actions are due to which of the following types of risk mitigation strategies?

A

D.
Lessons learned

Incident response procedures involve: Preparation; Incident identification; Escalation and notification; Mitigation steps; Lessons learned; Reporting; Recover/reconstitution procedures; First responder; Incident isolation (Quarantine; Device removal); Data breach; Damage and loss control. The question describes a situation where a security breach has occurred; the response shows that lessons have been learned and used to put in place measures that will prevent future security breaches of the same kind.

7
Q

A server dedicated to the storage and processing of sensitive information was compromised with a rootkit and sensitive data was extracted.

Which of the following incident response procedures is best suited to restore the server?

A

A.

Wipe the storage, reinstall the OS from original media and restore the data from the last known good backup.

8
Q

In the initial stages of an incident response, Matt, the security administrator, was provided the hard drives in question from the incident manager.

Which of the following incident response procedures would he need to perform in order to begin the analysis? (Choose two.)

A

A.
Take hashes

D.
Capture the system image

A: Take hashes. NIST (the National Institute of Standards and Technology) maintains a National Software Reference Library (NSRL). One of the purposes of the NSRL is to collect “known, traceable software applications” through their hash values and store them in a Reference Data Set (RDS). The RDS can then be used by law enforcement, government agencies, and businesses to determine which files are important as evidence in criminal investigations.
D: A system image is a snapshot of what exists. Capturing an image of the operating system in its exploited state can be helpful in revisiting the issue after the fact to learn more about it.

9
Q

Which of the following is the LEAST volatile when performing incident response procedures?

A

D.
Hard drive

An example of the order of volatility (OOV) in an investigation may be RAM, hard drive data, CDs/DVDs, and printouts. Of the options stated in the question, the hard drive would be the least volatile.

10
Q

The security officer is preparing a read-only USB stick with a document of important personal phone numbers, vendor contacts, an MD5 program, and other tools to provide to employees.

At which of the following points in an incident should the officer instruct employees to use this information?

A

B.
First Responder

Incident response procedures involve: Preparation; Incident identification; Escalation and notification; Mitigation steps; Lessons learned; Reporting; Recover/reconstitution procedures; First responder; Incident isolation (Quarantine; Device removal); Data breach; Damage and loss control. In this scenario the security officer is carrying out an incident response measure that will benefit those in the vanguard, i.e. the employees, who are the first responders.

11
Q

After a number of highly publicized and embarrassing customer data leaks as a result of social engineering attacks by phone, the Chief Information Officer (CIO) has decided user training will reduce the risk of another data leak.

Which of the following would be MOST effective in reducing data leaks in this situation?

A

A.
Information Security Awareness

Education and training with regard to Information Security Awareness will reduce the risk of data leaks and as such form an integral part of Security Awareness. Social engineering can cause employees to leak data; only when company users are made aware of the methods of social engineering through Information Security Awareness Training can the risk of data leaks be reduced.

12
Q

Sara, a company’s security officer, often receives reports of unauthorized personnel having access codes to the cipher locks of secure areas in the building.

Which of the following should Sara immediately implement?

A

D.
Security awareness training

Security awareness and training include explaining policies, procedures, and current threats to both users and management. A security awareness and training program can do much to assist in your efforts to improve and maintain security. A good security awareness training program for the entire organization should cover the following areas: Importance of security; Responsibilities of people in the organization; Policies and procedures; Usage policies; Account and password-selection criteria; Social engineering prevention.

13
Q

Human Resources (HR) would like executives to undergo only two specific security training programs a year.

Which of the following provides the BEST level of security training for the executives? (Choose two.)

A

D.
Phishing threats and attacks

F.
Information security awareness

14
Q

The method to provide end users of IT systems and applications with requirements related to acceptable use, privacy, new threats and trends, and use of social networking is:

A

A.
Security awareness training.

Security awareness and training are critical to the success of a security effort. They include explaining policies, procedures, and current threats to both users and management.

15
Q

Sara, an employee, tethers her smartphone to her work PC to bypass the corporate web security gateway while connected to the LAN. While Sara is out at lunch her PC is compromised via the tethered connection and corporate data is stolen.

Which of the following would BEST prevent this from occurring again?

A

C.
Security policy and threat awareness training.

BYOD (in this case Sara’s smartphone) involves the possibility of a personal device that is infected with malware introducing that malware to the network, and security awareness training will address the company’s security policy with regard to BYOD.

16
Q

Which of the following is the BEST reason to provide user awareness and training programs for organizational staff?

A

B.

To reduce organizational IT risk

17
Q

Ann would like to forward some Personal Identifiable Information to her HR department by email, but she is worried about the confidentiality of the information.
Which of the following will accomplish this task securely?

A

D.
Encryption

Encryption is used to prevent unauthorized users from accessing data. Data encryption will support the confidentiality of the email.

18
Q

Ann, a technician, received a spear-phishing email asking her to update her personal information by clicking the link within the body of the email.

Which of the following type of training would prevent Ann and other employees from becoming victims to such attacks?

A

C.
Personal Identifiable Information

Personally identifiable information (PII) is a catchall for any data that can be used to uniquely identify an individual. This data can be anything from the person’s name to a fingerprint (think biometrics), credit card number, or patient record. Employees should be made aware of this type of attack by means of training.

19
Q

End-user awareness training for handling sensitive personally identifiable information would include secure storage and transmission of customer:

A

A.

Date of birth.

20
Q

Which of the following concepts is a term that directly relates to customer privacy considerations?

A

B.

Personally identifiable information

21
Q

Which of the following policies is implemented in order to minimize data loss or theft?

A

A.

PII handling

22
Q

Used in conjunction, which of the following are PII? (Choose two.)

A

D.
Birthday

E.
Full name

23
Q

Which of the following helps to apply the proper security controls to information?

A

A.
Data classification

Information classification is done by confidentiality and comprises three categories, namely: public use, internal use and restricted use. These categories make applying the appropriate policies and security controls practical.

24
Q

Which of the following security awareness training is BEST suited for data owners who are concerned with protecting the confidentiality of their data?

A

D.

Information classification training

25
Q

An organization is recovering data following a datacenter outage and determines that backup copies of files containing personal information were stored in an unsecure location, because the sensitivity was unknown.

Which of the following activities should occur to prevent this in the future?

A

C.

Data classification

26
Q

What is the term for the process of luring someone in (usually done by an enforcement officer or a government agent)?

A

A.
Enticement

Enticement is the process of luring someone into your plan or trap.

27
Q

In which of the following categories would creating a corporate privacy policy, drafting acceptable use policies, and group based access control be classified?

A

B.
Best practice

Best practices are based on what is known in the industry and on those methods that have consistently shown superior results over those achieved by other means. Furthermore, best practices are applied to all aspects of the work environment.

28
Q

Which of the following is the process in which a law enforcement officer or a government agent encourages or induces a person to commit a crime when the potential criminal expresses a desire not to go ahead?

A

B.
Entrapment

Entrapment is the process in which a law enforcement officer or a government agent encourages or induces a person to commit a crime when the potential criminal expresses a desire not to go ahead. Entrapment is a valid legal defense in a criminal prosecution.

29
Q

Results from a vulnerability analysis indicate that all enabled virtual terminals on a router can be accessed using the same password. The company’s network device security policy mandates that at least one virtual terminal have a different password than the other virtual terminals.

Which of the following sets of commands would meet this requirement?

A

C.
line vty 0 3
password Qwer++!Y
line vty 4
password P@s5W0Rd

The VTY lines are the Virtual Terminal lines of the router, used solely to control inbound Telnet connections. They are virtual in the sense that they are a function of software; there is no hardware associated with them.

30
Q

Why would a technician use a password cracker?

A

A.
To look for weak passwords on the network

A password cracker will be able to expose weak passwords on a network.

31
Q

Which of the following security concepts would Sara, the security administrator, use to mitigate the risk of data loss?

A

B.

Clean desk policy

32
Q

The manager has a need to secure physical documents every night, since the company began enforcing the clean desk policy.

The BEST solution would include: (Choose two.)

A

A.
Fire- or water-proof safe.

E.
Locking cabinets and drawers.

Using a safe and locking cabinets to protect backup media, documentation, and any other physical artifacts that could do harm if they fell into the wrong hands would form part of keeping employees’ desks clean, as in a clean desk policy.

33
Q

XYZ Corporation is about to purchase another company to expand its operations. The CEO is concerned about information leaking out, especially with the cleaning crew that comes in at night.

The CEO would like to ensure no paper files are leaked.

Which of the following is the BEST policy to implement?

A

D.
Clean desk policy

Clean Desk Policy: Information on a desk, in terms of printouts, pads of note paper, sticky notes, and the like, can be easily seen by prying eyes and taken by thieving hands. To protect data and your business, encourage employees to maintain clean desks and to leave out only those papers that are relevant to the project they are working on at that moment. All sensitive information should be put away when the employee is away from their desk.

34
Q

Which of the following could a security administrator implement to mitigate the risk of tailgating for a large organization?

A

D.

Train employees on risks associated with social engineering attacks and enforce policies.

35
Q

Which of the following is a security concern regarding users bringing personally-owned devices that they connect to the corporate network?

A

B.

Lack of controls in place to ensure that the devices have the latest system patches and signature files

36
Q

Several employees submit the same phishing email to the administrator. The administrator finds that the links in the email are not being blocked by the company’s security device.

Which of the following might the administrator do in the short term to prevent the emails from being received?

A

C.
Add the domain to a block list

Blocking e-mail is the same as preventing the receipt of those e-mails, and this is done by applying a filter. But the filter must be configured to block it. Thus, you should add the specific domain from which the e-mails are being sent to the list of addresses to be blocked.

37
Q

A security researcher wants to reverse engineer an executable file to determine if it is malicious. The file was found on an underused server and appears to contain a zero-day exploit.

Which of the following can the researcher do to determine if the file is malicious in nature?

A

C.

OS Baseline comparison

38
Q

A security administrator has concerns about new types of media which allow for the mass distribution of personal comments to a select group of people.

To mitigate the risks involved with this media, which of the following should employees receive training on?

A

C.

Social networking

39
Q

The information security team does a presentation on social media and advises the participants not to provide too much personal information on social media websites.

Which of the following would this advice BEST protect people from?

A

D.
Cognitive passwords attacks

Social Networking Dangers are ‘amplified’ in that social media networks are designed to mass distribute personal messages. If an employee reveals too much personal information, it would be easy for miscreants to use the messages containing the personal information to work out possible passwords.

40
Q

Pete, the system administrator, has blocked users from accessing social media websites.

In addition to protecting company information from being accidentally leaked, which additional security benefit does this provide?

A

B.
Protection against malware introduced by banner ads

Banners, or header information messages sent with data to find out about the system(s), do occur. Banners often identify the host, the operating system running on it, and other information that can be useful to someone attempting to later breach its security.

41
Q

Which of the following is a security risk regarding the use of public P2P as a method of collaboration?

A

A.
Data integrity is susceptible to being compromised.

Peer-to-peer (P2P) networking is commonly used to share files such as movies and music, but you must not allow users to bring in devices and create their own little networks. All networking must be done through administrators and not on a P2P basis. Data integrity can easily be compromised when using public P2P networking.

42
Q

Which of the following has serious security implications for large organizations and can potentially allow an attacker to capture conversations?

A

C.
Jabber

Jabber is a new unified communications application and could possibly expose you to attackers who want to capture conversations, because Jabber provides a single interface across presence, instant messaging, voice, video messaging, desktop sharing and conferencing.

43
Q

The use of social networking sites introduces the risk of:

A

A.

Disclosure of proprietary information

44
Q

Which of the following statements is MOST likely to be included in the security awareness training about P2P?

A

D.
P2P may cause excessive network bandwidth.

P2P networking by definition involves networking which will reduce available bandwidth for the rest of the users on the network.

45
Q

A security team has established a security awareness program.

Which of the following would BEST prove the success of the program?

A

C.
Metrics

All types of training should be followed up and tested to see if it worked and how much was learned in the training process. You must follow up and gather training metrics to validate compliance and security posture. By training metrics, we mean some quantifiable method for determining the efficacy of training.

46
Q

Which of the following is an attack vector that can cause extensive physical damage to a datacenter without physical access?

A

C.
Changing environmental controls

Environmental systems include heating, air conditioning, humidity control, fire suppression, and power systems. All of these functions are critical to a well-designed physical plant. A computer room will typically require full-time environmental control. Changing any of these controls (when they were set to their optimum values) will result in damage.

47
Q

A company that purchased an HVAC system for the datacenter is MOST concerned with the following:

A

A.
Availability

Availability means simply making sure that the data and systems are available for authorized users. Data backups, redundant systems, and disaster recovery plans all support availability, as does environmental support by means of HVAC.

48
Q

Which of the following should be connected to the fire alarm system in order to help prevent the spread of a fire in a server room without data loss to assist in an FM-200 deployment?

A

C.

HVAC

49
Q

Which of the following is a security benefit of providing additional HVAC capacity or increased tonnage in a datacenter?

A

B.
Longer MTBF of hardware due to lower operating temperatures

The mean time between failures (MTBF) is the measure of the anticipated incidence of failure for a system or component. This measurement determines the component’s anticipated lifetime. If the MTBF of a cooling system is one year, you can anticipate that the system will last for a one-year period; this means that you should be prepared to replace or rebuild the system once a year. If the system lasts longer than the MTBF, your organization receives a bonus. MTBF is helpful in evaluating a system’s reliability and life expectancy. Thus a longer MTBF due to lower operating temperatures is a definite advantage.

50
Q

Which of the following fire suppression systems is MOST likely used in a datacenter?

A

A.
FM-200

FM-200 is a gas, and the principle of a gas system is that it displaces the oxygen in the room, thereby removing this essential component of a fire. It is the preferred fire suppressant in a data center.