Chapter 8 Test 1 Flashcards

1
Q

Which of the following is not a type of attack used against access controls?

Dictionary attack

Brute-force attack

Teardrop

Man-in-the-middle attack

A

C. Dictionary, brute-force, and man-in-the-middle attacks are all types of attacks that are frequently aimed at access controls. Teardrop attacks are a type of denial-of-service attack.

2
Q

George is assisting a prosecutor with a case against a hacker who attempted to break into the computer systems at George’s company. He provides system logs to the prosecutor for use as evidence, but the prosecutor insists that George testify in court about how he gathered the logs. What rule of evidence requires George’s testimony?

Testimonial evidence rule

Parol evidence rule

Best evidence rule

Hearsay rule

A

D. The hearsay rule says that a witness cannot testify about what someone else told them, except under specific exceptions. The courts have applied the hearsay rule to include the concept that attorneys may not introduce logs into evidence unless they are authenticated by the system administrator. The best evidence rule states that copies of documents may not be submitted into evidence if the originals are available. The parol evidence rule states that if two parties enter into a written agreement, that written document is assumed to contain all the terms of the agreement. Testimonial evidence is a type of evidence, not a rule of evidence.

3
Q

Jim has been asked to individually identify devices that users are bringing to work as part of a new BYOD policy. The devices will not be joined to a central management system like Active Directory, but he still needs to uniquely identify the systems. Which of the following options will provide Jim with the best means of reliably identifying each unique device?

Record the MAC address of each system.

Require users to fill out a form to register each system.

Scan each system using a port scanner.

Use device fingerprinting via a web-based registration system

A

D. Device fingerprinting via a web portal can require user authentication and can gather data like operating systems, versions, software information, and many other factors that can uniquely identify systems. Using an automated fingerprinting system is preferable to handling manual registration, and pairing user authentication with data gathering provides more detail than a port scan. MAC addresses can be spoofed, and systems may have more than one depending on how many network interfaces they have, which can make unique identification challenging.

4
Q

Greg would like to implement application control technology in his organization. He would like to limit users to installing only approved software on their systems. What type of application control would be appropriate in this situation?

Blacklisting

Graylisting

Whitelisting

Bluelisting

A

C. The whitelisting approach to application control allows users to install only those software packages specifically approved by administrators. This would be an appropriate approach in a scenario where application installation needs to be tightly controlled.

5
Q

Which pair of the following factors is key for user acceptance of biometric identification systems?

The FAR and FRR

The throughput rate and the time required to enroll

The CER and the ERR

How often users must reenroll and the reference profile requirements

A

B. Biometric systems can face major usability challenges if the time to enroll is long (more than a couple of minutes) and if the speed at which the biometric system is able to scan and accept or reject the user is too slow. FAR and FRR may be important in the design decisions made by administrators or designers, but they aren’t typically visible to users. CER and ERR are the same and are the point where FAR and FRR meet. Reference profile requirements are a system requirement, not a user requirement.

6
Q

Sally is wiring a gigabit Ethernet network. What cabling choices should she make to ensure she can use her network at the full 1000 Mbps she wants to provide to her users?

Cat 5 and Cat 6

Cat 5e and Cat 6

Cat 4e and Cat 5e

Cat 6 and Cat 7

A

B. Category 5e and Category 6 UTP cable are both rated to 1000 Mbps. Cat 5 (not Cat 5e) is rated only to 100 Mbps, whereas Cat 7 is rated to 10 Gbps. There is no Cat 4e.

7
Q

Vivian works for a chain of retail stores and would like to use a software product that restricts the software used on point-of-sale terminals to those packages on a preapproved list. What approach should Vivian use?

Antivirus

Heuristic

Whitelist

Blacklist

A

C. The blacklist approach to application control blocks certain prohibited packages but allows the installation of other software on systems. The whitelist approach uses the reverse philosophy and allows only approved software. Antivirus software would only detect the installation of malicious software after the fact. Heuristic detection is a variant of antivirus software.

8
Q

What type of motion detector senses changes in the electromagnetic fields in monitored areas?

Infrared

Wave pattern

Capacitance

Photoelectric

A

C. Capacitance motion detectors monitor the electromagnetic field in a monitored area, sensing disturbances that correspond to motion.

9
Q

Don’s company is considering the use of an object-based storage system where data is placed in a vendor-managed storage environment through the use of API calls. What type of cloud computing service is in use?

IaaS

PaaS

CaaS

SaaS

A

A. In this scenario, the vendor is providing object-based storage, a core infrastructure service. Therefore, this is an example of infrastructure as a service (IaaS).

10
Q

What is the minimum interval at which an organization should conduct business continuity plan refresher training for those with specific business continuity roles?

Weekly

Monthly

Semiannually

Annually

A

D. Individuals with specific business continuity roles should receive training on at least an annual basis.

11
Q

Which one of the following technologies is not normally a capability of mobile device management (MDM) solutions?

Remotely wiping the contents of a mobile device

Assuming control of a nonregistered BYOD mobile device

Enforcing the use of device encryption

Managing device backups

A

B. MDM products do not have the capability of assuming control of a device not currently managed by the organization. This would be equivalent to hacking into a device owned by someone else and might constitute a crime.

12
Q

Alex is preparing to solicit bids for a penetration test of his company’s network and systems. He wants to maximize the effectiveness of the testing rather than the realism of the test. What type of penetration test should he require in his bidding process?

Black box

Crystal box

Gray box

Zero box

A

B. Crystal-box penetration testing, which is also sometimes called white-box penetration testing, provides the tester with information about networks, systems, and configurations, allowing highly effective testing. It doesn’t simulate an actual attack like black- and gray-box testing can and thus does not have the same realism, and it can lead to attacks succeeding that would fail in a zero- or limited-knowledge attack.

13
Q

What RADIUS alternative is commonly used for Cisco network gear and supports two-factor authentication?

RADIUS+

TACACS+

XTACACS

Kerberos

A

B. TACACS+ is the most modern version of TACACS, the Terminal Access Controller Access-Control System. It is a Cisco proprietary protocol with added features beyond what RADIUS provides, meaning it is commonly used on Cisco networks. XTACACS is an earlier version, Kerberos is a network authentication protocol rather than a remote user authentication protocol, and RADIUS+ is a made-up term.

14
Q

What type of fire extinguisher is useful against liquid-based fires?

Class A

Class B

Class C

Class D

A

B. Class B fire extinguishers use carbon dioxide, halon, or soda acid as their suppression material and are useful against liquid-based fires. Water may not be used against liquid-based fires because it may cause the burning liquid to splash, and many burning liquids, such as oil, will float on water.

15
Q

Which one of the following components should be included in an organization’s emergency response guidelines?

Immediate response procedures

Long-term business continuity protocols

Activation procedures for the organization’s cold sites

Contact information for ordering equipment

A

A. The emergency response guidelines should include the immediate steps an organization should follow in response to an emergency situation. These include immediate response procedures, a list of individuals who should be notified of the emergency, and secondary response procedures for first responders. They do not include long-term actions such as activating business continuity protocols, ordering equipment, or activating DR sites.

16
Q

Which one of the following disaster recovery test types involves the actual activation of the disaster recovery facility?

Simulation test

Tabletop exercise

Parallel test

Checklist review

A

C. During a parallel test, the team activates the disaster recovery site for testing, but the primary site remains operational. A simulation test involves a roleplay of a prepared scenario overseen by a moderator. Responses are assessed to help improve the organization’s response process. The checklist review is the least disruptive type of disaster recovery test. During a checklist review, team members each review the contents of their disaster recovery checklists on their own and suggest any necessary changes. During a tabletop exercise, team members come together and walk through a scenario without making any changes to information systems.

17
Q

Susan is configuring her network devices to use syslog. What should she set to ensure that she is notified about issues but does not receive normal operational issue messages?

The facility code

The log priority

The security level

The severity level

A

D. Implementations of syslog vary, but most provide a setting for severity level, allowing configuration of a value that determines what messages are sent. Typical severity levels include debug, informational, notice, warning, error, critical, alert, and emergency. The facility code is also supported by syslog but is associated with which services are being logged. Security level and log priority are not typical syslog settings.

18
Q

While Lauren is monitoring traffic on two ends of a network connection, she sees traffic that is inbound to a public IP address show up inside the production network bound for an internal host that uses an RFC 1918 reserved address. What technology should she expect is in use at the network border?

NAT

VLANs

S/NAT

BGP

A

A. Network address translation (NAT) translates an internal address to an external address. VLANs are used to logically divide networks, BGP is a routing protocol, and S/NAT is a made-up term.

19
Q

Michelle is in charge of her organization’s mobile device management efforts and handles lost and stolen devices. Which of the following recommendations will provide the most assurance to her organization that data will not be lost if a device is stolen?

Mandatory passcodes and application management

Full device encryption and mandatory passcodes

Remote wipe and GPS tracking

Enabling GPS tracking and full device encryption

A

B. While full device encryption doesn’t guarantee that data cannot be accessed, it provides Michelle’s best option for preventing data from being lost with a stolen device when paired with a passcode. Mandatory passcodes and application management can help prevent application-based attacks and unwanted access to devices but won’t keep the data secure if the device is lost. Remote wipe and GPS location are useful if the thief allows the device to connect to a cellular or Wi-Fi network. Unfortunately, many modern thieves immediately take steps to ensure that the device will not be trackable or allowed to connect to a network before they capture data or wipe the device for resale.

20
Q

Dogs, guards, and fences are all common examples of what type of control?

Detective

Recovery

Administrative

Physical

A

D. Dogs, guards, and fences are all examples of physical controls. While dogs and guards might detect a problem, fences cannot, so they are not all examples of detective controls. None of these controls would help repair or restore functionality after an issue, and thus they are not recovery controls, nor are they administrative controls that involve policy or procedures, although the guards might refer to them when performing their duties.

21
Q

In which cloud computing model does a customer share computing infrastructure with other customers of the cloud vendor where one customer may not know the other’s identity?

Public cloud

Private cloud

Community cloud

Shared cloud

A

A. In the public cloud computing model, the vendor builds a single platform that is shared among many different customers. This is also known as the shared tenancy model.

22
Q

What type of firewall uses multiple proxy servers that filter traffic based on analysis of the protocols used for each service?

A static packet filtering firewall

An application-level gateway firewall

A circuit-level gateway firewall

A stateful inspection firewall

A

B. An application-level gateway firewall uses proxies for each service it filters. Each proxy is designed to analyze traffic for its specific traffic type, allowing it to better understand valid traffic and to prevent attacks. Static packet filters and circuit-level gateways simply look at the source, destination, and ports in use, whereas a stateful packet inspection firewall can track the status of communication and allow or deny traffic based on that understanding.

23
Q

James is building a disaster recovery plan for his organization and would like to determine the amount of acceptable data loss after an outage. What variable is James determining?

SLA

RTO

MTD

RPO

A

D. The recovery point objective (RPO) identifies the maximum amount of data, measured in time, that may be lost during a recovery effort. The recovery time objective (RTO) is the amount of time expected to return an IT service or component to operation after a failure. The maximum tolerable downtime (MTD) is the longest amount of time that an IT service or component may be unavailable without causing serious damage to the organization. Service-level agreements (SLAs) are written contracts that document service expectations.

24
Q

Which one of the following is not one of the canons of the (ISC)2 Code of Ethics?

Protect society, the common good, necessary public trust and confidence, and the infrastructure.

Act honorably, honestly, justly, responsibly, and legally.

Provide diligent and competent service to principals.

Maintain competent records of all investigations and assessments.

A

D. The four canons of the (ISC)2 code of ethics are to protect society, the common good, necessary public trust and confidence, and the infrastructure; act honorably, honestly, justly, responsibly, and legally; provide diligent and competent service to principals; and advance and protect the profession.

25
Q

Dave is responsible for password security in his organization and would like to strengthen the security of password files. He would like to defend his organization against the use of rainbow tables. Which one of the following techniques is specifically designed to frustrate the use of rainbow tables?

Password expiration policies

Salting

User education

Password complexity policies

A

B. Rainbow tables use precomputed password hashes to conduct cracking attacks against password files. They may be frustrated by the use of salting, which adds a specified value to the password prior to hashing, making it much more difficult to perform precomputation. Password expiration policies, password complexity policies, and user education may all contribute to password security, but they are not direct defenses against the use of rainbow tables.

26
Q

What is the process that occurs when the Session layer removes the header from data sent by the Transport layer?

Encapsulation

Packet unwrapping

De-encapsulation

Payloading

A

C. The process of removing a header (and possibly a footer) from the data received from a previous layer in the OSI model is known as de-encapsulation. Encapsulation occurs when the header and/or footer are added. Payloads are part of a virus or malware package that are delivered to a target, and packet unwrapping is a made-up term.

27
Q

Which one of the following types of firewalls does not have the ability to track connection status between different packets?

Stateful inspection

Application proxy

Packet filter

Next generation

A

C. Static packet filtering firewalls are known as first-generation firewalls and do not track connection state. Stateful inspection, application proxying, and next-generation firewalls all add connection state tracking capability.

28
Q

Alice wants to send Bob a message with the confidence that Bob will know the message was not altered while in transit. What goal of cryptography is Alice trying to achieve?

Confidentiality

Nonrepudiation

Authentication

Integrity

A

D. Integrity ensures that unauthorized changes are not made to data while stored or in transit.

29
Q

Chris is troubleshooting an issue with his organization’s SIEM reporting. After analyzing the issue, he believes that the timestamps on log entries from different systems are inconsistent. What protocol can he use to resolve this issue?

SSH

FTP

TLS

NTP

A

D. The Network Time Protocol (NTP) allows the synchronization of system clocks with a standardized time source. The Secure Shell (SSH) protocol provides encrypted administrative connections to servers. The File Transfer Protocol (FTP) is used for data exchange. Transport Layer Security (TLS) is an encryption process used to protect information in transit over a network.

30
Q

Alan is installing a fire suppression system that will kick in after a fire breaks out and protect the equipment in the data center from extensive damage. What metric is Alan attempting to lower?

Likelihood

RTO

RPO

Impact

A

D. Fire suppression systems do not stop a fire from occurring but do reduce the damage that fires cause. This is an example of reducing risk by lowering the impact of an event.

31
Q

Which one of the following technologies is designed to prevent a web server going offline from becoming a single point of failure in a web application architecture?

Load balancing

Dual-power supplies

IPS

RAID

A

A. Load balancing helps to ensure that a failed server will not take a website or service offline. Dual power supplies only work to prevent failure of a power supply or power source. IPS can help to prevent attacks, and RAID can help prevent a disk failure from taking a system offline.

32
Q

When an application or system allows a logged-in user to perform specific actions, it is an example of what?

Roles

Group management

Logins

Authorization

A

D. Authorization provides a user with capabilities or rights. Roles and group management are both methods that could be used to match users with rights. Logins are used to validate a user.

33
Q

What is the minimum number of cryptographic keys necessary to achieve strong security when using the 3DES algorithm?

1

2

3

4

A

B. Triple DES functions by using either two or three encryption keys. When used with only one key, 3DES produces weakly encrypted ciphertext that is the insecure equivalent of DES.

34
Q

Gina recently took the SSCP certification exam and then wrote a blog post that included the text of many of the exam questions that she experienced. What aspect of the (ISC)2 code of ethics is most directly violated in this situation?

Advance and protect the profession.

Act honorably, honestly, justly, responsibly, and legally.

Protect society, the common good, necessary public trust and confidence, and the infrastructure.

Provide diligent and competent service to principals.

A

A. Gina’s actions harm the SSCP certification and information security community by undermining the integrity of the examination process. While Gina also is acting dishonestly, the harm to the profession is more of a direct violation of the code of ethics.

35
Q

What type of access controls allow the owner of a file to grant other users access to it using an access control list?

Role-based

Nondiscretionary

Rule-based

Discretionary

A

D. When the owner of a file makes the decisions about who has rights or access privileges to it, they are using discretionary access control. Role-based access controls would grant access based on a subject’s role, while rule-based controls would base the decision on a set of rules or requirements. Nondiscretionary access controls apply a fixed set of rules to an environment to manage access. Nondiscretionary access controls include rule-, role-, and lattice-based access controls.

36
Q

Which one of the following components is used to assign classifications to objects in a mandatory access control system?

Security label

Security token

Security descriptor

Security capability

A

A. Administrators and processes may attach security labels to objects that provide information on an object’s attributes. Labels are commonly used to apply classifications in a mandatory access control system.

37
Q

Tommy handles access control requests for his organization. A user approaches him and explains that he needs access to the human resources database to complete a headcount analysis requested by the CFO. What has the user demonstrated successfully to Tommy?

Clearance

Separation of duties

Need to know

Isolation

A

C. The user has successfully explained a valid need to know the data—completing the report requested by the CFO requires this access. However, the user has not yet demonstrated that he or she has appropriate clearance to access the information. A note from the CFO would meet this requirement.

38
Q

Which one of the following is not a mode of operation for the Data Encryption Standard?

CBC

CFB

OFB

AES

A

D. The DES modes of operation are Electronic Codebook (ECB), Cipher Block Chaining (CBC), Cipher Feedback (CFB), Output Feedback (OFB), and Counter (CTR). The Advanced Encryption Standard (AES) is a separate encryption algorithm.

39
Q

Voice pattern recognition is what type of authentication factor?

Something you know

Something you have

Something you are

Somewhere you are

A

C. Voice pattern recognition is “something you are,” a biometric authentication factor, because it measures a physical characteristic of the individual authenticating.

40
Q

Which of the following is not a single sign-on implementation?

Kerberos

ADFS

CAS

RADIUS

A

D. Kerberos, Active Directory Federation Services (ADFS), and Central Authentication Services (CAS) are all SSO implementations. RADIUS is not a single sign-on implementation, although some vendors use it behind the scenes to provide authentication for proprietary SSO.

41
Q

Chris is conducting a risk assessment for his organization and has determined the amount of damage that a single flood could be expected to cause to his facilities. What metric has Chris identified?

ALE

SLE

ARO

AV

A

B. The single loss expectancy (SLE) is the amount of damage that a risk is expected to cause each time that it occurs.

42
Q

Susan has discovered that the smart card–based locks used to keep the facility she works at secure are not effective because staff members are propping the doors open. She places signs on the doors reminding staff that leaving the door open creates a security issue, and she adds alarms that will sound if the doors are left open for more than five minutes. What type of controls has she put into place?

Physical

Administrative

Compensation

Recovery

A

C. She has placed compensation controls in place. Compensation controls are used when controls like the locks in this example are not sufficient. While the alarm is a physical control, the signs she posted are not. Similarly, the alarms are not administrative controls. These controls do not help to recover from an issue and are thus not recovery controls.

43
Q

During what phase of the electronic discovery reference model does an organization ensure that potentially discoverable information is protected against alteration or deletion?

Identification

Preservation

Collection

Production

A

B. During the preservation phase, the organization ensures that information related to the matter at hand is protected against intentional or unintentional alteration or deletion. The identification phase locates relevant information but does not preserve it. The collection phase occurs after preservation and gathers responsive information. The processing phase performs a rough cut of the collected information for relevance.

44
Q

Marty discovers that the access restrictions in his organization allow any user to log into the workstation assigned to any other user, even if they are from completely different departments. This type of access most directly violates which information security principle?

Separation of duties

Two-person control

Need to know

Least privilege

A

D. This broad access may indirectly violate all of the listed security principles, but it is most directly a violation of least privilege because it grants users privileges that they do not need for their job functions.

45
Q

Which of the following tools is best suited to testing known exploits against a system?

Nikto

Ettercap

Metasploit

THC Hydra

A

C. Metasploit is a tool used to exploit known vulnerabilities. Nikto is a web application and server vulnerability scanning tool, Ettercap is a man-in-the-middle attack tool, and THC Hydra is a password brute-force tool.

46
Q

Denise is preparing for a trial relating to a contract dispute between her company and a software vendor. The vendor is claiming that Denise made a verbal agreement that amended their written contract. What rule of evidence should Denise raise in her defense?

Real evidence rule

Best evidence rule

Parol evidence rule

Testimonial evidence rule

A

C. The parol evidence rule states that when an agreement between two parties is put into written form, it is assumed to be the entire agreement unless amended in writing. The best evidence rule says that a copy of a document is not admissible if the original document is available. Real evidence and testimonial evidence are evidence types, not rules of evidence.

47
Q

During which phase of the incident response process would an organization determine whether it is required to notify law enforcement officials or other regulators of the incident?

Detection

Recovery

Remediation

Reporting

A

D. During the Reporting phase, incident responders assess their obligations under laws and regulations to report the incident to government agencies and other regulators.

48
Q

Gordon is conducting a risk assessment for his organization and determined the amount of damage that flooding is expected to cause to his facilities each year. What metric has Gordon identified?

ALE

ARO

SLE

EF

A

A. The annualized loss expectancy is the amount of damage that the organization expects to occur each year as the result of a given risk.

49
Q

Data is sent as bits at what layer of the OSI model?

Transport

Network

Data Link

Physical

A

D. The Physical layer deals with the electrical impulses or optical pulses that are sent as bits to convey data.

50
Q

Angie is configuring egress monitoring on her network to provide added security. Which one of the following packet types should Angie allow to leave the network headed for the Internet?

Packets with a source address from Angie’s public IP address block

Packets with a destination address from Angie’s public IP address block

Packets with a source address outside Angie’s address block

Packets with a source address from Angie’s private address block

A

A. All packets leaving Angie’s network should have a source address from her public IP address block. Packets with a destination address from Angie’s network should not be leaving the network. Packets with source addresses from other networks are likely spoofed and should be blocked by egress filters. Packets with private IP addresses as sources or destinations should never be routed onto the Internet.

51
Q

Harry would like to access a document owned by Sally stored on a file server. Applying the subject/object model to this scenario, who or what is the object of the resource request?

Harry

Sally

File server

Document

A

D. In the subject/object model, the object is the resource being requested by a subject. In this example, Harry would like access to the document, making the document the object of the request.

52
Q

Information about an individual like their name, Social Security number, date and place of birth, or their mother’s maiden name is an example of what type of protected information?

PHI

Proprietary data

PII

EDI

A

C. Personally identifiable information (PII) includes data that can be used to distinguish or trace that person’s identity and also includes information such as their medical, educational, financial, and employment information. PHI is personal health information, EDI is Electronic Data Interchange, and proprietary data is used to maintain an organization’s competitive advantage.

53
Q

Greg is building a disaster recovery plan for his organization and would like to determine the amount of time that it should take to restore a particular IT service after an outage. What variable is Greg calculating?

MTD

RTO

RPO

SLA

A

B. The recovery time objective (RTO) is the amount of time expected to return an IT service or component to operation after a failure. The maximum tolerable downtime (MTD) is the longest amount of time that an IT service or component may be unavailable without causing serious damage to the organization. The recovery point objective (RPO) identifies the maximum amount of data, measured in time, that may be lost during a recovery effort. Service-level agreements (SLAs) are written contracts that document service expectations.

54
Q

What type of access control is intended to discover unwanted or unauthorized activity by providing information after the event has occurred?

Preventive

Corrective

Detective

Directive

A

C. Detective access controls operate after the fact and are intended to detect or discover unwanted access or activity. Preventive access controls are designed to prevent the activity from occurring, whereas corrective controls return an environment to its original status after an issue occurs. Directive access controls limit or direct the actions of subjects to ensure compliance with policies.

55
Q

What business process typically requires sign-off from a manager before modifications are made to a system?

SDN

Release management

Change management

Versioning

A

C. Change management typically requires sign-off from a manager or supervisor before changes are made. This helps to ensure proper awareness and communication. SDN stands for software-defined networking, release management is the process that new software releases go through to be accepted, and versioning is used to differentiate versions of software, code, or other objects.

56
Q

Gordon is developing a business continuity plan for a manufacturing company’s IT operations. The company is located in North Dakota and currently evaluating the risk of earthquake. They choose to pursue a risk acceptance strategy. Which one of the following actions is consistent with that strategy?

Purchasing earthquake insurance

Relocating the data center to a safer area

Documenting the decision-making process

Reengineering the facility to withstand the shock of an earthquake

A

C. In a risk acceptance strategy, the organization chooses to take no action other than documenting the risk. Purchasing insurance would be an example of risk transference. Relocating the data center would be risk avoidance. Reengineering the facility is an example of a risk mitigation strategy.

57
Q

What type of motion detector uses high microwave frequency signal transmissions to identify potential intruders?

Infrared

Heat-based

Wave pattern

Capacitance

A

C. Wave pattern motion detectors transmit ultrasonic or microwave signals into the monitored area and watch for changes in the signals reflected back from objects, which indicate movement. Infrared and heat-based detectors sense changes in infrared energy, and capacitance detectors sense changes in the electrical field around a protected object.

58
Q

Bert is considering the use of an infrastructure as a service cloud computing partner to provide virtual servers. Which one of the following would be a vendor responsibility in this scenario?

Maintaining the hypervisor

Managing operating system security settings

Maintaining the host firewall

Configuring server access control

A

A. In an IaaS server environment, the customer retains responsibility for most server security operations under the shared responsibility model. This includes managing OS security settings, maintaining host firewalls, and configuring server access control. The vendor would be responsible for all security mechanisms at the hypervisor layer and below.

59
Q

Callback to a landline phone number is an example of what type of factor?

Something you know

Somewhere you are

Something you have

Something you are

A

B. A callback to a landline phone number is an example of a “somewhere you are” factor because of the fixed physical location of a wired phone. A callback to a mobile phone would be a “something you have” factor.

60
Q

Renee is using encryption to safeguard sensitive business secrets when in transit over the Internet. What risk metric is she attempting to lower?

Likelihood

RTO

MTO

Impact

A

A. Using encryption reduces risk by lowering the likelihood that an eavesdropper will be able to gain access to sensitive information.

61
Q

Kim is the system administrator for a small business network that is experiencing security problems. She is in the office in the evening working on the problem, and nobody else is there. As she is watching, she can see that systems on the other side of the office that were previously behaving normally are now exhibiting signs of infection. What type of malware is Kim likely dealing with?

Virus

Worm

Trojan horse

Logic bomb

A

B. Worms have built-in propagation mechanisms that do not require user interaction, such as scanning for systems containing known vulnerabilities and then exploiting those vulnerabilities to gain access. Viruses and Trojan horses typically require user interaction to spread. Logic bombs do not spread from system to system but lie in wait until certain conditions are met, triggering the delivery of their payload.

62
Q

What two logical network topologies can be physically implemented as a star topology?

A bus and a mesh

A ring and a mesh

A bus and a ring

It is not possible to implement other topologies as a star.

A

C. Both a logical bus and a logical ring can be implemented as a physical star. Ethernet is commonly deployed as a physical star with a switch (or, historically, a hub) at the center, but logically it still operates as a bus. Similarly, Token Ring deployments using a multistation access unit (MAU) were wired as physical stars but operated as logical rings.

63
Q

Jim has worked in human relations, payroll, and customer service roles in his company over the past few years. What type of process should his company perform to ensure that he has appropriate rights?

Re-provisioning

Account review

Privilege creep

Account revocation

A

B. As an employee’s role changes, they often experience privilege creep, which is the accumulation of old rights and roles. Account review is the process of reviewing accounts and ensuring that their rights match their owners’ role and job requirements. Account revocation removes accounts, while reprovisioning might occur if an employee was terminated and returned or took a leave of absence and returned.

64
Q

What type of inbound packet is characteristic of a ping flood attack?

ICMP echo request

ICMP echo reply

ICMP destination unreachable

ICMP route changed

A

A. The ping flood attack sends echo requests at a targeted system. These pings use inbound ICMP echo request packets, causing the system to respond with an outbound ICMP echo reply.

65
Q

What penetration testing technique can best help assess training and awareness issues?

Port scanning

Discovery

Social engineering

Vulnerability scanning

A

C. Social engineering is the best answer, as it can be useful to penetration testers who are asked to assess whether staff members are applying security training and have absorbed the awareness messages the organization uses. Port scanning and vulnerability scanning find technical issues that may be related to awareness or training issues but that are less likely to be directly related. Discovery can involve port scanning or other data-gathering efforts but is also less likely to be directly related to training and awareness.

66
Q

GAD Systems is concerned about the risk of hackers stealing sensitive information stored on a file server. They choose to pursue a risk mitigation strategy. Which one of the following actions would support that strategy?

Encrypting the files

Deleting the files

Purchasing cyber-liability insurance

Taking no action

A

A. Encrypting the files reduces the probability that the data will be successfully stolen, so it is an example of risk mitigation. Deleting the files would be risk avoidance. Purchasing insurance would be risk transference. Taking no action would be risk acceptance.

67
Q

Sally’s organization needs to be able to prove that certain staff members sent emails, and she wants to adopt a technology that will provide that capability without changing their existing email system. What is the technical term for the capability Sally needs to implement as the owner of the email system, and what tool could she use to do it?

Integrity; IMAP

Repudiation; encryption

Nonrepudiation; digital signatures

Authentication; DKIM

A

C. Sally needs to provide nonrepudiation, the ability to provably associate a given email with its sender so that the sender cannot later deny having sent it. Digital signatures, applied with each sender’s own private key, provide nonrepudiation and are her best option. IMAP is a mail retrieval protocol, encryption by itself provides confidentiality rather than proof of origin, and DKIM lets a sending domain sign outbound mail so receivers can verify that the domain authorized the message; it authenticates the domain, not the individual staff member who sent it.

68
Q

What type of virus is characterized by the use of two or more different propagation mechanisms to improve its likelihood of spreading between systems?

Stealth virus

Polymorphic virus

Multipartite virus

A

C. Multipartite viruses use multiple propagation mechanisms to spread between systems. This improves their likelihood of successfully infecting a system because it provides alternative infection mechanisms that may be successful against systems that are not vulnerable to the primary infection mechanism.

69
Q

Which one of the following provides an authentication mechanism that would be appropriate for pairing with a password to achieve multifactor authentication?

Username

Personal identification number (PIN)

Security question

Fingerprint scan

A

D. A fingerprint scan is an example of a “something you are” factor, which would be appropriate for pairing with a “something you know” password to achieve multifactor authentication. A username is not an authentication factor. PINs and security questions are both “something you know,” which would not achieve multifactor authentication when paired with a password because both methods would come from the same category, failing the requirement for multifactor authentication.

70
Q

Colleen is conducting a business impact assessment for her organization. What metric provides important information about the amount of time that the organization may be without a service before causing irreparable harm?

MTD

ALE

RPO

RTO

A

A. The maximum tolerable downtime (MTD) is the amount of time that a business may be without a service before irreparable harm occurs. This measure is sometimes also called maximum tolerable outage (MTO).

71
Q

The separation of network infrastructure from the control layer, combined with the ability to centrally program a network design in a vendor-neutral, standards-based implementation, is an example of what important concept?

MPLS, a way to replace long network addresses with shorter labels and support a wide range of protocols

FCoE, a converged protocol that allows common applications over Ethernet

SDN, a converged protocol that allows network virtualization

CDN, a converged protocol that makes common network designs accessible

A

C. Software-defined networking (SDN) is a converged protocol that allows virtualization concepts and practices to be applied to networks. MPLS handles a wide range of protocols like ATM, DSL, and others, but isn’t intended to provide the centralization capabilities that SDN does. Content distribution network (CDN) is not a converged protocol, and FCoE is Fibre Channel over Ethernet, a converged protocol for storage.

72
Q

Ben is selecting an encryption algorithm for use in an organization with 10,000 employees. He must facilitate communication between any two employees within the organization. Which one of the following algorithms would allow him to meet this goal with the least time dedicated to key management?

RSA

IDEA

3DES

Skipjack

A

A. RSA is an asymmetric encryption algorithm that requires only one key pair (a public and a private key) per user, so 10,000 employees need 20,000 keys and any two of them can communicate using each other’s public keys. IDEA, 3DES, and Skipjack are all symmetric algorithms and would require a separate shared secret for every unique pair of users, n(n-1)/2 keys in total, or 49,995,000 keys for 10,000 employees.

73
Q

Which of the following is used only to encrypt data in transit over a network and cannot be used to encrypt data at rest?

TKIP

AES

3DES

RSA

A

A. TKIP is used only as a means to encrypt transmissions and is not used for data at rest. RSA, AES, and 3DES are all used on data at rest as well as data in transit.

74
Q

Which one of the following tools may be used to achieve the goal of nonrepudiation?

Digital signature

Symmetric encryption

Firewall

IDS

A

A. Applying a digital signature to a message allows the sender to achieve the goal of nonrepudiation. This allows the recipient of a message to prove to a third party that the message came from the purported sender. Symmetric encryption does not support nonrepudiation. Firewalls and IDS are network security tools that are not used to provide nonrepudiation.

75
Q

When should an organization conduct a review of the privileged access that a user has to sensitive systems?

On a periodic basis

When a user leaves the organization

When a user changes roles

All of the above

A

D. Privileged access reviews are one of the most critical components of an organization’s security program because they ensure that only authorized users have access to perform the most sensitive operations. They should take place whenever a user with privileged access leaves the organization or changes roles as well as on a regular, recurring basis.

76
Q

Nessus, OpenVAS, and SAINT are all examples of what type of tool?

Port scanners

Patch management suites

Port mappers

Vulnerability scanners

A

D. Nessus, OpenVAS, and SAINT are all vulnerability scanning tools. All provide port scanning capabilities as well but are more than simple port scanning tools.

77
Q

Kolin is searching for a network security solution that will allow him to help reduce zero-day attacks while using identities to enforce a security policy on systems before they connect to the network. What type of solution should Kolin implement?

A firewall

A NAC system

An intrusion detection system

Port security

A

B. Network access control (NAC) systems can be used to authenticate users and then validate their system’s compliance with a security standard before they are allowed to connect to the network. Enforcing security profiles can help reduce zero-day attacks, making NAC a useful solution. A firewall can’t enforce system security policies, whereas an IDS can only monitor for attacks and alarm when they happen. Thus, neither a firewall nor an IDS meets Kolin’s needs. Finally, port security is a MAC address-based security feature that can restrict only which systems or devices can connect to a given port.

78
Q

How many possible keys exist when using a cryptographic algorithm that has an 8-bit binary encryption key?

16

128

256

512

A

C. Binary keyspaces contain a number of keys equal to 2 raised to the power of the number of bits. Two to the eighth power is 256, so an 8-bit keyspace contains 256 possible keys.

79
Q

In what cloud computing model does the customer build a cloud computing environment in his or her own data center or build an environment in another data center that is for the customer’s exclusive use?

Public cloud

Private cloud

Hybrid cloud

Shared cloud

A

B. In the private cloud computing model, the cloud computing environment is dedicated to a single organization and does not follow the shared tenancy model. The environment may be built by the company in its own data center or built by a vendor at a co-location site.

80
Q

What major issue often results from decentralized access control?

Access outages may occur.

Control is not consistent.

Control is too granular.

Training costs are high.

A

B. Decentralized access control can result in less consistency because the individuals tasked with control may interpret policies and requirements differently and may perform their roles in different ways. Access outages, overly granular control, and training costs may occur, depending on specific implementations, but they are not commonly identified issues with decentralized access control.

81
Q

In what model of cloud computing do two or more organizations collaborate to build a shared cloud computing environment that is for their own use?

Public cloud

Private cloud

Community cloud

Shared cloud

A

C. In the community cloud computing model, two or more organizations pool their resources to create a cloud environment that they then share.

82
Q

Susan’s organization is updating its password policy and wants to use the strongest possible passwords. What password requirement will have the highest impact in preventing brute-force attacks?

Change maximum age from 1 year to 180 days.

Increase the minimum password length from 8 characters to 16 characters.

Increase the password complexity so that at least three character classes (such as uppercase, lowercase, numbers, and symbols) are required.

Retain a password history of at least four passwords to prevent reuse.

A

B. Resistance to brute-force attacks is driven mainly by password length. Each additional character multiplies the number of candidates an attacker must try by the size of the character set (for example, one extra lowercase letter makes the search 26 times larger), so the keyspace grows exponentially with length but only polynomially with a larger character set. Doubling the minimum length from 8 to 16 characters therefore has far more impact than requiring additional character classes. A shorter maximum age and a password history are useful parts of a strong policy, but they do not change how many guesses an attacker needs to exhaust the keyspace.
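A worked comparison of the policy options, added here and not part of the original answer. It computes the exact keyspace for each option, including the “at least three character classes” rule by inclusion-exclusion rather than the looser 95^8 upper bound, and the time to exhaust each at an assumed offline rate of 10 billion guesses per second. The character-class sizes assume a US keyboard, and the guess rate is an assumption, not a figure from the page.

```python
import math
from itertools import combinations

# Character-class sizes on a US keyboard (assumption; the 33 symbols include space).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def keyspace(length, classes):
    """Candidates of exactly `length` drawn freely from the union of `classes`.
    This is the loose upper bound usually quoted (e.g. 95**8 for 'any printable')."""
    alphabet = sum(CLASS_SIZES[c] for c in classes)
    return alphabet ** length


def count_exactly(classes_used, length):
    """Exact count of strings that use every class in classes_used and no other,
    by inclusion-exclusion over the subsets of those classes."""
    k = len(classes_used)
    total = 0
    for r in range(k + 1):
        for subset in combinations(classes_used, r):
            alphabet = sum(CLASS_SIZES[c] for c in subset)
            total += (-1) ** (k - r) * alphabet ** length
    return total


def count_at_least(min_classes, length):
    """Exact count of strings that satisfy a 'use at least min_classes classes' rule."""
    names = list(CLASS_SIZES)
    return sum(
        count_exactly(combo, length)
        for k in range(min_classes, len(names) + 1)
        for combo in combinations(names, k)
    )


def bits(n_candidates):
    """Equivalent strength in bits: the attacker must try about 2**bits candidates."""
    return math.log2(n_candidates)


def years_to_exhaust(n_candidates, guesses_per_second=1e10):
    """Time to try every candidate offline. 1e10/s is an assumed GPU-class rate
    against a fast unsalted hash, not a measured figure."""
    return n_candidates / guesses_per_second / (365 * 24 * 3600)


def compare_policies():
    """Keyspace for each option in the question against an 8-character lowercase baseline.
    Options A (maximum age) and D (history) do not change the keyspace at all, so they
    are omitted: neither alters how many guesses a single crack attempt needs."""
    policies = {
        "baseline: 8 chars, lowercase only": keyspace(8, ["lower"]),
        "option C: 8 chars, at least 3 of 4 classes": count_at_least(3, 8),
        "option C upper bound: 8 chars, any printable": keyspace(8, list(CLASS_SIZES)),
        "option B: 16 chars, lowercase only": keyspace(16, ["lower"]),
    }
    return {name: (n, round(bits(n), 1)) for name, n in policies.items()}


if __name__ == "__main__":
    for name, (n, b) in compare_policies().items():
        print(f"{b:5.1f} bits  {years_to_exhaust(n):>12.3g} years  {name}")
```

Sixteen lowercase characters come out at about 75 bits, versus roughly 53 bits for eight characters drawn from all 95 printable ASCII characters, and the exact count for “at least three classes” is smaller still. Length wins by more than twenty bits, which is a factor of millions in attacker effort.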

83
Q

Which of the following statements is true about heuristic-based anti-malware software?

It has a lower false positive rate than signature detection.

It requires frequent definition updates to detect new malware.

It has a higher likelihood of detecting zero-day exploits than signature detection.

It monitors systems for files with content known to be viruses.

A

C. Heuristic-based antimalware software has a higher likelihood of detecting a zero-day exploit than signature-based methods. Heuristic-based software does not require frequent signature updates because it does not rely upon monitoring systems for the presence of known malware. The trade-off with this approach is that it has a higher false positive rate than signature detection methods.

84
Q

Which one of the following malware types uses built-in propagation mechanisms that exploit system vulnerabilities to spread?

Trojan horse

Worm

Logic bomb

Virus

A

B. Worms have built-in propagation mechanisms that do not require user interaction, such as scanning for systems containing known vulnerabilities and then exploiting those vulnerabilities to gain access. Viruses and Trojan horses generally rely on user action to spread, and logic bombs do not spread at all but wait for a trigger condition before delivering their payload.

85
Q

When Chris verifies an individual’s identity and adds a unique identifier like a user ID to an identity system, what process has occurred?

Identity proofing

Registration

Directory management

Session management

A

B. Registration is the process of adding a user to an identity management system. This includes creating their unique identifier and adding any attribute information that is associated with their identity. Proofing occurs when the user provides information to prove who they are. Directories are managed to maintain lists of users, services, and other items. Session management tracks application and user sessions.

86
Q

Fred needs to deploy a network device that can connect his network to other networks while controlling traffic on his network. What type of device is Fred’s best choice?

A switch

A bridge

A gateway

A router

A

D. Fred should choose a router. Routers are designed to control traffic on a network while connecting to other similar networks. If the networks are very different, a bridge can help connect them. Gateways are used to connect to networks that use other protocols by transforming traffic to the appropriate protocol or format as it passes through them. Switches are often used to create broadcast domains and to connect endpoint systems or other devices.

87
Q

Bill implemented RAID level 5 on a server that he operates using a total of three disks. How many disks may fail without the loss of data?

0

1

2

3

A

B. RAID level 5 is also known as disk striping with parity. It requires three or more disks and stores a parity block for each stripe, computed by XORing the stripe’s data blocks, with the parity blocks distributed across all of the disks (a dedicated parity disk would be RAID 4). Because any missing block can be rebuilt by XORing the remaining blocks in its stripe, a RAID 5 array can withstand the loss of any single disk regardless of how many disks it contains, at the cost of one disk’s worth of capacity for parity. With three disks, one may fail without data loss, but a second failure before the rebuild completes destroys the array.
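A toy RAID 5 layout illustrating why exactly one disk may fail, added as an example and not from the original answer. It stripes a constructed byte string across three simulated disks with rotating XOR parity, then rebuilds any one failed disk from the other two; the chunk size and the parity rotation rule are choices made for the illustration, not a real controller’s layout.

```python
def xor_blocks(blocks):
    """XOR a list of equal-length byte strings into one block."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def parity_disk_for(stripe_index, n_disks):
    """RAID 5 rotates the parity chunk across disks; a fixed parity disk would be RAID 4."""
    return (n_disks - 1 - stripe_index) % n_disks


def raid5_write(data, n_disks=3, chunk=4):
    """Stripe data across n_disks. Each stripe holds (n_disks - 1) data chunks plus
    one parity chunk that is the XOR of those data chunks. Returns a list with one
    entry per disk, each a list of that disk's chunks in stripe order.
    The payload is zero-padded to a whole stripe, so data must not end in 0x00 bytes."""
    if n_disks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    per_stripe = (n_disks - 1) * chunk
    padded = data + b"\x00" * (-len(data) % per_stripe)
    disks = [[] for _ in range(n_disks)]
    for s, start in enumerate(range(0, len(padded), per_stripe)):
        stripe = padded[start:start + per_stripe]
        data_chunks = [stripe[i:i + chunk] for i in range(0, per_stripe, chunk)]
        parity = xor_blocks(data_chunks)
        p_disk = parity_disk_for(s, n_disks)
        remaining = iter(data_chunks)
        for d in range(n_disks):
            disks[d].append(parity if d == p_disk else next(remaining))
    return disks


def rebuild_disk(disks, failed):
    """Recompute every chunk of the failed disk from the survivors. Since
    P = D0 xor D1 xor ..., any one missing chunk (data or parity) is the XOR of
    the other chunks in its stripe. A second simultaneous failure cannot be rebuilt:
    one equation cannot recover two unknowns."""
    n_disks = len(disks)
    survivors = [d for d in range(n_disks) if d != failed]
    n_stripes = len(disks[survivors[0]])
    return [xor_blocks([disks[d][s] for d in survivors]) for s in range(n_stripes)]


def raid5_read(disks, failed=None):
    """Reassemble the payload, transparently rebuilding one failed disk when given.
    disks[failed] may be None, as it would be after a real disk failure."""
    n_disks = len(disks)
    view = list(disks)
    if failed is not None:
        view[failed] = rebuild_disk(disks, failed)
    out = bytearray()
    for s in range(len(view[0])):
        p_disk = parity_disk_for(s, n_disks)
        for d in range(n_disks):
            if d != p_disk:
                out += view[d][s]
    return bytes(out).rstrip(b"\x00")


if __name__ == "__main__":
    payload = b"Constructed sample payload for the RAID 5 parity demo."
    disks = raid5_write(payload, n_disks=3)
    degraded = [disks[0], None, disks[2]]  # disk 1 has failed
    print(raid5_read(degraded, failed=1) == payload)  # the array still serves the data
    print(rebuild_disk(degraded, 1) == disks[1])       # and a spare can be rebuilt exactly
```

Usable capacity is (n - 1) disks’ worth regardless of n, and the rebuild shown here is exactly the work a controller does onto a hot spare; during that window the array is running with no redundancy, which is why a second failure (or an unrecoverable read error on a surviving disk) is fatal.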

88
Q

Which one of the following is normally used as an authorization tool?

ACL

Token

Username

Password

A

A. Access control lists (ACLs) are used for determining a user’s authorization level. Usernames are identification tools. Passwords and tokens are authentication tools.

89
Q

Ben is concerned about password cracking attacks against his system. He would like to implement controls that prevent an attacker who has obtained those hashes from easily cracking them. What two controls would best meet this objective?

Longer passwords and salting

Over-the-wire encryption and use of SHA1 instead of MD5

Salting and use of MD5

Using shadow passwords and salting

A

A. Rainbow tables rely on databases of precomputed hashes that let an attacker quickly search for matches to hashes acquired in a breach. Making passwords longer greatly increases the size of the table needed to cover the keyspace, and adding a unique random salt to each password before hashing means a precomputed table is useless unless the attacker builds a new table for every salt value, which defeats the purpose of precomputing. MD5 and SHA1 are both poor choices for password hashing compared to purpose-built password hashes such as bcrypt, scrypt, Argon2, or PBKDF2, which are deliberately slow and resource-intensive so that each guess costs the attacker real time. Rainbow tables are used against lists of hashes obtained from a compromised system rather than against traffic in transit, so over-the-wire encryption does not help here. Shadow passwords simply move the traditionally world-readable list of password hashes on Unix and Linux systems into a file readable only by root; this makes the hashes harder to obtain but does nothing to slow cracking once they have been obtained.
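A side-by-side of the weak and hardened schemes, added as an example and not part of the original answer. The wordlist, the two users who chose the same password, and the PBKDF2 iteration count are constructed or assumed. It shows an unsalted MD5 hash falling to a single table lookup, while the same password salted and stretched with PBKDF2-HMAC-SHA256 yields per-user digests that no precomputed table can match.

```python
import hashlib
import hmac

# Constructed sample data: a tiny attacker wordlist and two users sharing a password.
WORDLIST = ["password", "letmein", "Summer2019", "hunter2", "qwerty"]
USERS = {"alice": "hunter2", "bob": "hunter2"}

# Assumed work factor; tune so one hash costs tens of milliseconds on your hardware.
PBKDF2_ITERATIONS = 200_000


def precompute_table(words):
    """Attacker side: unsalted MD5 of every word, indexed by hash.
    A rainbow table is a space-saving compression of this same idea."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in words}


def unsalted_md5(password):
    """The weak scheme: one fast, unsalted hash per password. Identical passwords
    produce identical hashes, so one lookup cracks every user who chose it."""
    return hashlib.md5(password.encode()).hexdigest()


def salted_hash(password, salt, iterations=PBKDF2_ITERATIONS):
    """The hardened scheme: a per-user random salt plus a deliberately slow KDF.
    Returns the hex digest; the verifier stores salt, iterations and digest together."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def verify_salted(password, salt, stored_hex, iterations=PBKDF2_ITERATIONS):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_hash(password, salt, iterations), stored_hex)


def crack_with_table(table, leaked_hashes):
    """Attacker side: one dictionary lookup per leaked hash, no hashing at all."""
    return {user: table.get(h) for user, h in leaked_hashes.items()}


def demo(salts):
    """Compare both schemes on the same users. `salts` maps user -> 16+ random bytes;
    it is passed in so the result is reproducible (production code uses os.urandom(16))."""
    table = precompute_table(WORDLIST)
    weak_db = {u: unsalted_md5(p) for u, p in USERS.items()}
    strong_db = {u: salted_hash(p, salts[u]) for u, p in USERS.items()}
    return {
        "weak_cracked": crack_with_table(table, weak_db),
        "weak_hashes_identical": weak_db["alice"] == weak_db["bob"],
        "strong_cracked": crack_with_table(table, strong_db),
        "strong_hashes_identical": strong_db["alice"] == strong_db["bob"],
    }


if __name__ == "__main__":
    import os
    result = demo({u: os.urandom(16) for u in USERS})
    for key, value in result.items():
        print(f"{key}: {value}")
```

Against the salted store the attacker is reduced to guessing online against each user’s salt, paying the full KDF cost per guess; with a fast unsalted hash the same wordlist cracks both accounts at once with no hashing work at all.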

90
Q

Mark is planning a disaster recovery test for his organization. He would like to perform a live test of the disaster recovery facility but does not want to disrupt operations at the primary facility. What type of test should Mark choose?

Full interruption test

Checklist review

Parallel test

Tabletop exercise

A

C. During a parallel test, the team actually activates the disaster recovery site for testing, but the primary site remains operational. During a full interruption test, the team takes down the primary site and confirms that the disaster recovery site is capable of handling regular operations. The full interruption test is the most thorough test but also the most disruptive. The checklist review is the least disruptive type of disaster recovery test. During a checklist review, team members each review the contents of their disaster recovery checklists on their own and suggest any necessary changes. During a tabletop exercise, team members come together and walk through a scenario without making any changes to information systems.

91
Q

Alice sends a message to Bob and wants to ensure that Mal, a third party, does not read the contents of the message while in transit. What goal of cryptography is Alice attempting to achieve?

Confidentiality

Integrity

Authentication

Nonrepudiation

A

A. Confidentiality ensures that data cannot be read by unauthorized individuals while stored or in transit.

92
Q

The company Chris works for has notifications posted at each door reminding employees to be careful to not allow people to enter when they do. Which type of controls best describes this?

Detective

Physical

Preventive

Directive

A

D. Notifications and procedures like the signs posted at the company Chris works for are examples of directive access controls. Detective controls are designed to operate after the fact. The doors and the locks on them are examples of physical controls. Preventive controls are designed to stop an event and could also include the locks that are present on the doors.

93
Q

Jim is implementing an IDaaS solution for his organization. What type of technology is he putting in place?

Identity as a service

Employee ID as a service

Intrusion detection as a service

OAuth

A

A. Identity as a service (IDaaS) provides an identity platform as a third-party service. This can provide benefits, including integration with cloud services and removing the overhead of maintaining traditional on-premises identity systems, but it also creates risk because of third-party control of identity services and reliance on an offsite identity infrastructure.

94
Q

How many possible keys exist in a cryptographic algorithm that uses 6-bit encryption keys?

12

16

32

64

A

D. Binary keyspaces contain a number of keys equal to 2 raised to the power of the number of bits. Two to the sixth power is 64, so a 6-bit keyspace contains 64 possible keys. The number of viable keys is usually smaller in most algorithms because of the presence of parity bits and other algorithmic overhead or security issues that restrict the use of some key values.

95
Q

When an attacker calls an organization’s help desk and persuades them to reset a password for them because of the help desk employee’s trust and willingness to help, what type of attack succeeded?

A human Trojan

Social engineering

Phishing

Whaling

A

B. Social engineering exploits human trust and helpfulness to allow attacks to succeed. Since help desk employees are specifically tasked with being helpful, they are attractive targets for attackers posing as legitimate employees. A Trojan is a type of malware, not an attack on a person. Phishing is social engineering carried out through electronic communication, typically email, that lures victims into revealing passwords or other sensitive data; the attack here used a phone call rather than a message. Whaling is phishing aimed at high-profile or senior targets.

96
Q

Which one of the following is typically considered a business continuity task?

Business impact assessment

Alternate facility selection

Activation of cold sites

Restoration of data from backup

A

A. Developing a business impact assessment is an integral part of the business continuity planning effort. The selection of alternate facilities, activation of those facilities, and restoration of data from backup are all disaster recovery tasks.

97
Q

Kathleen needs to set up an Active Directory trust to allow authentication with an existing Kerberos K5 domain. What type of trust does she need to create?

A shortcut trust

A forest trust

An external trust

A realm trust

A

D. Kerberos uses realms, and the proper type of trust to set up for an Active Directory environment that needs to connect to a K5 domain is a realm trust. A shortcut trust is a transitive trust between parts of a domain tree or forest that shortens the trust path, a forest trust is a transitive trust between two forest root domains, and an external trust is a nontransitive trust between AD domains in separate forests.

98
Q

Frank is the security administrator for a web server that provides news and information to people located around the world. His server received an unusually high volume of traffic that it could not handle and was forced to reject requests. Frank traced the source of the traffic back to a botnet. What type of attack took place?

Denial-of-service

Reconnaissance

Compromise

Malicious insider

A

A. This is a clear example of a denial-of-service attack—denying legitimate users authorized access to the system through the use of overwhelming traffic. It goes beyond a reconnaissance attack because the attacker is affecting the system, but it is not a compromise because the attacker did not attempt to gain access to the system. There is no reason to believe that a malicious insider was involved.

99
Q

SYN floods rely on implementations of what protocol to cause denial-of-service conditions?

IGMP

UDP

TCP

ICMP

A

C. SYN floods exploit the TCP three-way handshake. The attacker sends a large number of SYN segments, often from spoofed source addresses, and never completes the handshake with the final ACK, so the target holds a half-open connection for each one until it times out. When the backlog of half-open connections is exhausted, legitimate connection attempts are refused, producing the denial of service. UDP and ICMP are connectionless and have no handshake state to exhaust, and IGMP is used for multicast group management.

100
Q

What is the longest encryption key supported by the Advanced Encryption Standard (AES) algorithm?

256 bits

512 bits

1,024 bits

2,048 bits

A

A. The Advanced Encryption Standard (AES) supports the use of encryption keys that are 128 bits, 192 bits, or 256 bits in length.