CBK Flashcards

1
Q
1. Alice has some data that is extremely valuable. She backs it up from her computer to a flash stick, and she puts the flash stick in a safe deposit box. Which two principles of the CIA triad does this address?
A. Confidentiality and integrity
B. Confidentiality and availability
C. Integrity and availability
D. Availability and nonrepudiation
A

The correct answer is B. Alice is ensuring a form of availability by having a backup; if her laptop is lost, stolen, or malfunctions, she still has a copy of the data. She is also providing a form of confidentiality by locking up the flash stick; this practice deters others from accessing the flash stick. (Note that this ONLY provides confidentiality for the flash stick; we have no idea whether she is also providing confidentiality for the data while it is live on her laptop.) The question does not describe any practice that could provide integrity protection, and the CIA triad does not deal with nonrepudiation.

2
Q
6. To comply with the Payment Card Industry Data Security Standard (PCI DSS), what data element must not be stored for any length of time beyond the transaction?
A. Cardholder's name
B. Social Security number
C. IP address
D. Card verification value (CVV)
A

The correct answer is D. PCI DSS prohibits storage of the CVV (sensitive authentication data) for any time beyond the transaction; once the transaction is authorized it must not be retained, even in encrypted form.

3
Q
  1. Which of the following describes a personnel security tool that should not require the employee’s signature?
    A. Nondisclosure agreement (NDA)
    B. Personnel security policy
    C. Acceptable use policy (AUP)
    D. Contract
A

The correct answer is B. The organization’s security policy is promulgated by senior management, and all personnel must comply with it; the employee does not need to sign it. All the other answers are tools that should include the employee’s signature.

4
Q
  1. What is the correct order of the asset lifecycle phases?
    A. Create, use, share, store, archive, and destroy
    B. Create, share, use, archive, store, and destroy
    C. Create, store, use, share, archive, and destroy
    D. Create, share, archive, use, store, and destroy
A

The correct answer is C. The lifecycle phases of assets, in order, are create, store, use, share, archive, and destroy (this is according to the Securosis blog). Asset classification therefore needs to be able to protect assets in whatever phase they are in.

5
Q
  1. Which of the following is the BEST definition of defensible destruction?
    A. The destruction of assets using defense approved methods
    B. The destruction of assets using a controlled, legally defensible, and compliant way
    C. The destruction of assets without the opportunity to recover those assets
    D. The destruction of assets using a method that may not allow attackers to recover data
A

The correct answer is B. The definition of legally defensible destruction of assets, which should end the asset lifecycle, is eliminating data in a controlled, legally defensible, and regulatory-compliant way.

6
Q
4. In an environment where asset classification has been implemented to address the requirements of privacy protection, who in the following list is considered to be the "owner" and, therefore, has the accountability to ensure that the requirements for protection and compliance are addressed properly?
A. Data processor
B. Data subject 
C. Data controller 
D. Data steward
A

The correct answer is C. In specific privacy legislation, accountability for protecting data subjects’ personal information is assigned to the data controller. The data controller is the “owner” and therefore has the accountability to protect the data based on legislative and legal requirements.

7
Q
5. Which of the following is NOT an Organization for Economic Cooperation and Development (OECD) principle of privacy protection? 
A. Collection Limitation Principle 
B. Right to be Forgotten Principle 
C. Use Limitation Principle 
D. Accountability Principle
A
The correct answer is B. The right to be forgotten is not a principle addressed in the OECD guidelines for privacy protection. It was introduced into privacy legislation in Europe and Argentina from 2006 and is part of the European General Data Protection Regulation (GDPR).
#Collection Limitation Principle#Data Quality Principle#Purpose Specification#Use Limitation Principle#Security Safeguards Principle#Openness Principle#Individual Participation Principle#Accountability Principle
8
Q
  1. Which of the following is not an objective of baseline security controls used in protecting assets?
    A. Specific steps that must be executed
    B. Minimum level of security controls
    C. May be associated with specific architectures and systems
    D. A consistent reference point
A

The correct answer is A. Specific steps that must be executed are examples of procedures, not of a baseline. A baseline is a minimum level of security controls that must be achieved, serves as a consistent reference point, and may be specific to certain architectures and systems.

9
Q
  1. Which of the following is the BEST definition of “scoping”?
    A. Altering baselines so that they apply more specifically
    B. Modifying assumptions based on previously learned behavior
    C. Limiting general baseline recommendations by removing those that do not apply to the organization’s goals and objectives
    D. Responsible protection of assets based on
A

The correct answer is C. Limiting recommendations by removing those that do not apply is “scoping.” You apply it in the environments that you are trying to understand fully, from the perspective of protecting assets.

10
Q
1. Requirements definition, design, implementation, and operation are examples of what type of systems and security engineering process?
A. Technology processes
B. Acquisition processes
C. Design processes
D. Technical processes
A

The correct answer is D. “Technology processes” is incorrect terminology. B and C are specific processes, not types of processes.

11
Q
2. One security model includes a set of rules that dynamically restrict what a subject may access based on what that subject has already accessed, in order to prevent any potential conflict of interest. This model is known as the:
A. Biba model
B. Brewer/Nash model
C. Graham-Denning model
D. Harrison, Ruzzo, Ullman model
A

The correct answer is B. A, C, and D are models that describe an information system’s rules for operation, but those rules are applied universally and do not change with a subject’s access history. The Brewer/Nash (Chinese Wall) model is the only one that explicitly addresses conflicts of interest.
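The Brewer/Nash decision rule in working code, as an added example (it is not part of the original deck): conflict-of-interest classes, company dataset names and subject names below are constructed for illustration. The point it shows is that the "wall" is built from each subject's own access history, so two subjects with identical clearances can get different answers.

```python
"""Brewer/Nash (Chinese Wall) access decisions: whether a subject may touch a
dataset depends on what that subject has already accessed, not on a fixed label.
Added illustration; company names and conflict classes are made up."""


class ChineseWall:
    def __init__(self, conflict_classes):
        # conflict_classes: {"banks": {"BankA", "BankB"}, ...}
        # Map each company dataset to the conflict-of-interest class it belongs to.
        self.coi = {ds: name for name, datasets in conflict_classes.items()
                    for ds in datasets}
        # Per-subject history of company datasets actually read (the wall is
        # built from this history, so a fresh subject may read anything).
        self.history = {}

    def can_read(self, subject, dataset):
        """Simple security rule: reading is allowed unless the subject has
        already read a *different* dataset in the same conflict class."""
        if dataset not in self.coi:          # sanitized/public data: always readable
            return True
        for prior in self.history.get(subject, ()):
            if prior != dataset and self.coi.get(prior) == self.coi[dataset]:
                return False                 # the wall: a competitor was already seen
        return True

    def read(self, subject, dataset):
        """Perform a read and record it; returns whether it was permitted."""
        if not self.can_read(subject, dataset):
            return False
        self.history.setdefault(subject, set()).add(dataset)
        return True

    def can_write(self, subject, dataset):
        """*-property: writing to a dataset is allowed only if the subject may
        read it and has read no other company's (unsanitized) data; otherwise
        the write could carry a competitor's information across the wall."""
        if not self.can_read(subject, dataset):
            return False
        return all(prior == dataset or prior not in self.coi
                   for prior in self.history.get(subject, ()))


def demo():
    wall = ChineseWall({"banks": {"BankA", "BankB"}, "oil": {"OilX", "OilY"}})
    trace = []
    trace.append(("alice reads BankA", wall.read("alice", "BankA")))
    trace.append(("alice reads BankB", wall.read("alice", "BankB")))      # blocked: same class as BankA
    trace.append(("alice reads OilX", wall.read("alice", "OilX")))        # different class: fine
    trace.append(("alice writes OilX", wall.can_write("alice", "OilX")))  # blocked: she has read BankA
    trace.append(("alice reads public report", wall.can_read("alice", "market_summary")))
    return trace


if __name__ == "__main__":
    for step, allowed in demo():
        print(f"{step:28s} -> {'allowed' if allowed else 'DENIED'}")
```

Note that `can_write` is the part implementations most often forget: without it, a consultant who has read BankA can legitimately read OilX and then write BankA's figures into OilX's files, which a later BankB consultant may read.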

12
Q
  1. Select the best answer. Inheritable or “common” security controls are characterized as:
    A. Controls that are passed down from older systems to new systems through code sharing
    B. Controls that introduce unacceptable risk in most systems
    C. Controls that are never assessed in an operational environment
    D. Controls that are provided from one system to another in an operational environment
A

The correct answer is D. D is the correct definition of the term. A, B, and C are not types of controls. All controls must be assessed, whether inherited or not, and while inheritable controls may introduce risk if not operating properly, they do not generally introduce unacceptable risk, which makes D the better answer.

13
Q
  1. Three common types of industrial control systems include:
    A. Supervisory control and data acquisition, distributed control systems, programmable logic controllers
    B. Supervisory control and data anonymization, distributed control systems, programmable logic capability
    C. Supervisory control and data anonymization, distributed chip systems, programmable logic controllers
    D. Supervisory control and data acquisition, distributed chip systems, programmable logic capability
A
The correct answer is A. Items B, C, and D contain incorrect terminology.
#Programmable Logic Controllers (PLC)#Distributed Control System (DCS)#Supervisory Control and Data Acquisition (SCADA)
14
Q
  1. The four most common types of sprinkler systems are:
    A. Soaking, wet pipe, dry pipe, and pre-action
    B. Wet pipe, dry pipe, deluge, and pre-action
    C. Wet pipe, dry pipe, soaking, and hybrid
    D. Dry pipe, soaking, deluge, and hybrid
A

The correct answer is B. Items A, C, and D each contain at least one wrong element. (Memorize this.)

15
Q
  1. You have inherited a version 1 Simple Network Management Protocol (SNMP) system. What is the primary risk associated with utilizing this version?
    A. Unencrypted traffic
    B. Routers rejecting “gets”
    C. Switches rejecting “not”
    D. Connecting to systems without authentication
A

The correct answer is D. SNMPv1 (and v2c) identify the requester only by a community string sent in cleartext; anyone who knows or guesses it (the defaults “public” and “private” are common) can query or, with a read-write string, reconfigure the device with no authentication at all. Only SNMPv3 adds user authentication and encryption.
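To make the risk concrete, here is an added example (not part of the original deck) that builds a constructed SNMPv1 GetRequest for sysDescr.0 with community string "public", then parses it back with a minimal BER decoder. The packet bytes, community string and request-id are made up; the message layout follows RFC 1157. The community string is readable straight out of the bytes, which is all an attacker sniffing the management VLAN needs.

```python
"""Why SNMPv1 is risky: the community string is the only credential, and it
travels in cleartext inside the BER-encoded message. Added illustration; the
packet below is constructed, not captured."""


def _tlv(tag, payload):
    """BER type-length-value with definite (short or long form) length."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def _encode_int(value):
    # Minimal two's-complement INTEGER (the +8 keeps a leading sign byte when needed).
    return _tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])       # first two arcs share one byte
    for arc in arcs[2:]:
        groups = [arc & 0x7F]
        arc >>= 7
        while arc:                                  # base-128 with continuation bits
            groups.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(groups))
    return _tlv(0x06, bytes(out))


def build_v1_get(community, oid, request_id):
    """Message ::= SEQUENCE { version INTEGER(0), community OCTET STRING, GetRequest-PDU [0] }"""
    varbind = _tlv(0x30, _encode_oid(oid) + _tlv(0x05, b""))   # { name, NULL value }
    pdu = _tlv(0xA0, _encode_int(request_id) + _encode_int(0) + _encode_int(0)
               + _tlv(0x30, varbind))               # request-id, error-status, error-index, varbinds
    return _tlv(0x30, _encode_int(0) + _tlv(0x04, community.encode()) + pdu)


def _read_tlv(buf, pos=0):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length
        nbytes = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + ln], pos + ln


def _decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_snmp(pkt):
    """Pull version, community, PDU type, request-id and OIDs out of an SNMPv1/v2c message."""
    tag, body, _ = _read_tlv(pkt)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, pos = _read_tlv(body)
    _, community, pos = _read_tlv(body, pos)        # cleartext: no hashing, no secret exchange
    pdu_tag, pdu, _ = _read_tlv(body, pos)
    _, rid, p = _read_tlv(pdu)
    _, _, p = _read_tlv(pdu, p)                      # error-status
    _, _, p = _read_tlv(pdu, p)                      # error-index
    _, vbl, _ = _read_tlv(pdu, p)
    oids, q = [], 0
    while q < len(vbl):
        _, vb, q = _read_tlv(vbl, q)
        _, oid_raw, _ = _read_tlv(vb)
        oids.append(_decode_oid(oid_raw))
    return {"version": int.from_bytes(ver, "big", signed=True),
            "community": community.decode(),
            "pdu_type": pdu_tag,
            "request_id": int.from_bytes(rid, "big", signed=True),
            "oids": oids}


def lacks_authentication(pkt):
    """True for v1 (version 0) and v2c (version 1): a community string is not
    authentication. SNMPv3 (version 3) carries a user-based security model instead."""
    _, body, _ = _read_tlv(pkt)
    _, ver, _ = _read_tlv(body)
    return int.from_bytes(ver, "big", signed=True) in (0, 1)


if __name__ == "__main__":
    pkt = build_v1_get("public", "1.3.6.1.2.1.1.1.0", 0x1234)
    print(pkt.hex())
    print(parse_snmp(pkt))
    print("community visible in raw bytes:", b"public" in pkt)
```

A practical check: run `lacks_authentication` over UDP/161 payloads from a capture of the management network; any hit means the device accepts requests on the strength of a guessable string alone, which is the finding the flashcard describes.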

16
Q
10. At what plane can you locate routers and switches in a software-defined network (SDN)?
A. Data-link and network plane 
B. Data plane 
C. Control plane 
D. Application plane
A

The correct answer is B. Routers and switches (the forwarding elements) sit in the data plane; the control plane holds the SDN controller that programs their forwarding behavior, and the application plane holds the network applications that drive the controller.

17
Q
  1. What are the two primary types of access control systems, and what is one way that access control systems are maintained?
    A. Physical and network; due diligence
    B. Deterrent and corrective; due care and due diligence
    C. Integrity and availability; by applying as much security as can be safely applied
    D. Logical and physical; central administration of access control systems
A

The correct answer is D. NIST SP 800-53 defines two primary access control systems, logical and physical, and both are maintained by administration and security policy. Due diligence and due care are overarching organizational postures and actions that help avoid accusations of negligence and liability. Using as much security as can be safely applied is not a prudent approach to security and doesn’t answer the question. Integrity and availability are overarching tenets of information security, not types of access control system.

18
Q
2. What actions specify enrolling and the opposite of enrolling user IDs within an organization?
A. Identity creation and disposition 
B. Disposition only 
C.Creation only 
D. Provisioning and deprovisioning
A

The correct answer is D. Identity creation is an activity that would be included in provisioning, but the only complete answer is provisioning and deprovisioning.

19
Q
  1. What are the three roles within Security Assertion Markup Language (SAML)?
    A. Identity provider, relying party, service provider
    B. Identity provider, relying party, user
    C. Identity provider, service provider, relative token
    D. Attributes, principal, bindings
A

The correct answer is B. Attributes and bindings are components of SAML, not roles. “Relative token” is a distractor. “Relying party” is an alternate term for a service provider, so option A names the same role twice.
#SPML:Client/PSP/PST
#SAML:Identity provider, relying party, user
#OpenID: End user/Relying party/OpenID provider
#OAuth: Client/Resource server/Authorization server/Resource owner
ref:http://lab.hiiir.com/wp-content/uploads/2016/10/OAuth.pdf

20
Q
  1. Name two roles related to Open Authorization (OAuth).
    A. Resource provider, resource server
    B. Resource provider, resource relying party
    C. Authorization server, resource server
    D. Authorization server, authorization owner
A

The correct answer is C. There is no “resource provider” in OAuth, only a resource owner and a resource server; there is also no “authorization owner.” The OAuth 2.0 roles are resource owner, client, authorization server, and resource server.

21
Q
  1. If an organization demanded that an enrolling party or claimant needed to present themselves in person at an enrolling agent to authenticate their assertion of their identity, what level of assurance would they be providing according to NIST SP 800-63-3?
    A. IAL1
    B. IAL2
    C. IAL3
    D. None of the above
A

The correct answer is C. Under NIST SP 800-63-3, IAL1 is self-asserted identity with no proofing required; IAL2 permits identity proofing either remotely or in person; IAL3 requires in-person (or supervised remote) proofing of identity evidence by the credential service provider. A mandatory in-person appearance therefore corresponds to IAL3.

22
Q
8. NIST Special Publication 800-53r4 defines physical access control as an automated system that manages the passage of people or assets through an opening(s) in a secure perimeter(s) based on a(n):
A. Audit and assurance
B. Scoping and tailoring
C. Guidelines and tailoring
D. Set of authorization rules
A

The correct answer is D. Tailoring and scoping are used to apply a set of controls within an environment that fits the internal requirements, utilizing specific controls. Auditing the controls would provide assurance about the effectiveness of the controls. (Author’s note: what on earth is this question?)

23
Q
  1. If an organization’s security assessment and testing plans include both internal and external testing, in what order should the tests be performed?
    A. Always choose the order based upon cost/benefit analysis
    B. Internal testing
    C. External testing
    D. Internal and external testing should be performed simultaneously
A

The correct answer is C. External testing is performed first so that insider information does not leak into the external test. Internal and external testing should not be done simultaneously; otherwise the sources of identified vulnerabilities could be misconstrued. Cost/benefit analysis would not be a primary justification for choosing which testing to perform first.

24
Q
2. This type of testing would inform an organization of the vulnerabilities that could be exposed by a bad actor with little or no information about the organization's systems.
A. Internal testing
B. Nocturnal testing
C. External testing
D. White-box testing
A

The correct answer is C. External testing is done to emulate an attacker outside the organization’s perimeter. Nocturnal testing doesn’t exist. External testing by definition doesn’t use the insider information that characterizes white-box testing.

25
Q

Scenario Questions 3-6:
Your organization develops security-as-a-service (SECaaS) software that is consumed via your private cloud. You employ 50 developers that practice agile discipline in releasing tools to market. A potential client approaches your organization with the intent to acquire your services. Before the potential client commits to a contractual agreement, they have informed your organization that they need to be provided with the highest degree of assurance possible that risks to your operational effectiveness are well contained or mitigated, and that they will receive your services delivered in the same operable form they were created in, without being changed.

3. What report would be most appropriate to answer the needs of the potential client?
A. SOC 2 Type II
B. SOC 2 Type I
C. SOC 1 Type II
D. SOC 1 Type I
A

The correct answer is A. SOC 2 Type II is a report on technology security controls within an organization; Type II attests to the operating effectiveness of those controls over a period of time. SOC 2 Type I would only confirm the design of the controls at a point in time. SOC 1 is for reviewing financial controls.

26
Q

(Same scenario as questions 3-6 above.)
4. What report would be good for attracting additional clients yet unknown to your business?
A. SOC 5 Type II
B. SOC 3
C. SOC 5 Type II New Client
D. SOC 5 Type I Existing Client

A

The correct answer is B. SOC 3 is an executive summary that can be used as a web seal to advertise a summary opinion of technical Controls. The summary can be posted to a website to advertise for potential customers. There are no SOC 5 reports.

27
Q

(Same scenario as questions 3-6 above.)
5. What is the difference between a Type I and a Type II SOC report?
A. Type I is developed over a time period; Type II is a snapshot.
B. There are no Type I or II reports.
C. Type I is longer than Type II.
D. Type I is concerned with control design; Type II is concerned with control effectiveness.

A

The correct answer is D. Type I is concerned with control design; Type II is concerned with control effectiveness.

28
Q

(Same scenario as questions 3-6 above.)
6. For the potential client to understand the probability That your department of 50 developers remain properly compensated and incentivized to continue to support the security-as-a-service that they wish to consume, what report might they consider?
A. SOC 2 Type II
B. SOC 2 Type I
C. SOC 1 Type II
D.SOC 1 Type I

A

The correct answer is C. A SOC 1 Type II report would be appropriate since it reflects the operating effectiveness of the internal controls over financial reporting; special attention could be paid to benefits management. SOC 1 is for reviewing financial controls. SOC 1 Type I is evidence of the design of the financial controls alone. SOC 2 Type I and Type II are reports on technology security controls within an organization.

29
Q
  1. According to ISO 27002 a backup policy should define
    A. How many times a tape has been used
    B. Retention and protection requirements
    C. All the information that can be used in business requirements
    D. Technical training for all backup administrators
A

The correct answer is B. ISO 27002 states that a backup policy should define retention and protection requirements. None of the other statements are true concerning what is stated in ISO 27002.

30
Q
  1. What statement is true of key risk indicators (KRIs)?
    A. Aid in monitoring emerging Risk
    B. Aid in understanding if goals have been met
    C. Aid in shedding light on performance metrics
    D. Aid in alerting when team metrics haven’t been met
A

The correct answer is A. KRIs are designed to monitor risk so that proactive action can be taken. B, C, and D are all key performance indicator (KPI) markers.

31
Q
2. Which of the following is paramount in all emergency actions/responses?
A. Asset protection 
B. Health and human safety 
C. Regulatory compliance 
D. Confidentiality
A

The correct answer is B. Health and human safety is always the most important aspect of security.

32
Q
3. A duress code should be _______
A. reusable 
B. immediately recognizable 
C. covert 
D. complex
A

The correct answer is C. The duress code should be something subtle that is unrecognizable to anyone outside the organization, easy to remember in times of stress, and short and simple.

33
Q
  1. The organization should provide specific BCDR plan training to _____
    A. all members of the security team
    B. critical personnel and response team members
    C. all stakeholders
    D. members of external first response teams (fire, police, medical, etc.)
A

The correct answer is B. Organizational personnel who will be involved in an actual BCDR response should receive specific training from the organization. External responders will be trained by their own agencies. Not all members of the security team will be involved in BCDR actions.

34
Q
5. Honeypots/honeynets are intended to _______ attackers.
A. deter
B. attract
C. distract
D. prevent
A

The correct answer is C. A honeypot/honeynet is meant to occupy the attacker’s time, attention, and efforts while the organization collects information about the attack. Honeypots/honeynets will not deter or prevent attacks, and they should not be set up to attract attackers.

35
Q

8. Which of the following is true about evidence?
A. Evidence is useless if the original version has been changed in any way
B. Evidence can expire
C. Electronic evidence is inadmissible
D. Evidence should be believable

A

The correct answer is D. Evidence is material supporting Argument; it must be believable to be effective.

36
Q
1. The Software Engineering Institute's Capability Maturity Model Integration (CMMI) focuses on:
A. Software development methodologies 
B. Systems integration 
C. Process management 
D. Software testing and evaluation
A

The correct answer is C. CMMI is a process improvement methodology that allows organizations to mature to better levels of process improvement.

37
Q
5. Copies of essential application programs, documentation, and electronic data should be: 
A. Stored with the computer system 
B. Licensed by the users 
C. Maintained by the developers 
D. Stored at a backup site
A

The correct answer is D. Key word in the question is the word “copies” or even the word “essential” that tells us that we need to provide redundancy. None of the other answers really make sense in relation to “essential” valuable assets.

38
Q
  1. The purpose of polyinstantiation is to prevent:
    A. Low-level users from inferring the existence of higher-level data
    B. Low-level users from inferring the existence of data in other databases
    C. Low-level users from accessing low-level data
    D. High-level users from inferring the existence of data at lower levels
A

The correct answer is A. Polyinstantiation allows different versions of the same information to exist at different classification levels to prevent inference of more sensitive information that exists at higher levels.
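An added worked example (not from the original deck) of the inference problem polyinstantiation solves: a small multilevel-secure table keyed by (primary key, classification). The ship/cargo records and the level names are constructed for illustration. With polyinstantiation off, the low user's insert is rejected because the key already exists, and that rejection itself tells them a classified row exists; with it on, a second instance is stored and each clearance level sees its own version.

```python
"""Polyinstantiation in a multilevel-secure table. Added illustration, not from
the deck: the ship/cargo records and the level names are made up.
Rows are keyed by (primary key, classification). A low-level insert that would
collide with a higher-level row silently creates a second instance instead of
failing, so the low user cannot infer that a classified row exists."""

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


class MLSTable:
    def __init__(self, polyinstantiate=True):
        self.rows = {}                       # (pk, level) -> record dict
        self.polyinstantiate = polyinstantiate

    def insert(self, subject_level, pk, record):
        """Insert at the subject's own level (no write-up or write-down here)."""
        lvl = LEVELS[subject_level]
        if not self.polyinstantiate:
            # Naive uniqueness on pk alone: the rejection tells the low user
            # that *some* row with this key exists at a level they cannot see.
            # That rejection is the inference channel.
            if any(k == pk for k, _ in self.rows):
                raise KeyError(f"duplicate key {pk!r}")
        self.rows[(pk, lvl)] = dict(record)
        return True

    def select(self, subject_level, pk):
        """Return the most-classified instance the subject is cleared to see
        (no read-up); None if nothing exists at or below their level."""
        lvl = LEVELS[subject_level]
        visible = [(l, r) for (k, l), r in self.rows.items() if k == pk and l <= lvl]
        if not visible:
            return None
        return max(visible, key=lambda t: t[0])[1]

    def instances(self, pk):
        """All stored instances of a key across levels (an auditor's view)."""
        return {l: r for (k, l), r in self.rows.items() if k == pk}


def demo():
    t = MLSTable()
    t.insert("secret", "Enterprise", {"cargo": "weapons"})
    # A low user adds what they believe is a new record for the same ship.
    t.insert("unclassified", "Enterprise", {"cargo": "food"})
    return {
        "unclassified_sees": t.select("unclassified", "Enterprise"),
        "secret_sees": t.select("secret", "Enterprise"),
        "instances": len(t.instances("Enterprise")),
    }


def demo_without_polyinstantiation():
    t = MLSTable(polyinstantiate=False)
    t.insert("secret", "Enterprise", {"cargo": "weapons"})
    try:
        t.insert("unclassified", "Enterprise", {"cargo": "food"})
    except KeyError:
        return "rejected: low user now knows a hidden 'Enterprise' row exists"
    return "accepted"


if __name__ == "__main__":
    print(demo())
    print(demo_without_polyinstantiation())
```

The cost, which the flashcard does not mention, is visible in `instances`: the table now holds two "true" rows for one key, and any application logic that assumes a primary key identifies a single record has to be written against (key, level) instead.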