Chapter 8 Test 2 Flashcards

1
Q

During a system audit, Casey notices that the private key for her organization’s web server has been stored in a public Amazon S3 storage bucket for more than a year. What should she do?

Remove the key from the bucket.

Notify all customers that their data may have been exposed.

Request a new certificate using a new key.

Nothing, because the private key should be accessible for validation

A

C. After notifying her management, Casey should treat the key as compromised: remove it from the bucket, generate a new key pair, request a certificate for the new key, and revoke the old certificate so the exposed key cannot be used to impersonate the server. Removing the key alone (option A) does not undo a year of exposure, and a private key is never needed for validation; only the public key is. Proper key management for the replacement key (restricted storage, no copies in shared buckets) should follow immediately.

2
Q

Which one of the following would be considered an example of infrastructure as a service cloud computing?

Payroll system managed by a vendor and delivered over the web

Application platform managed by a vendor that runs customer code

Servers provisioned by customers on a vendor-managed virtualization platform

Web-based email service provided by a vendor

A

C. One of the core capabilities of infrastructure as a service is providing servers on a vendor-managed virtualization platform. Web-based payroll and email systems are examples of software as a service. An application platform managed by a vendor that runs customer code is an example of platform as a service.

3
Q

Which of the following is not a common threat to access control mechanisms?

Fake login pages

Phishing

Dictionary attacks

Man-in-the-middle attacks

A

B. Phishing is not an attack against an access control mechanism. While phishing can result in stolen credentials, the attack itself is not against the control system and is instead against the person being phished. Dictionary attacks and man-in-the-middle attacks both target access control systems.

4
Q

The IP address 201.19.7.45 is what type of address?

A public IP address

An RFC 1918 address

An APIPA address

A loopback address

A

A. 201.19.7.45 is a public IP address.

RFC 1918 addresses are in the ranges 10.0.0.0 to 10.255.255.255 (10.0.0.0/8), 172.16.0.0 to 172.31.255.255 (172.16.0.0/12), and 192.168.0.0 to 192.168.255.255 (192.168.0.0/16). APIPA addresses come from the link-local block 169.254.0.0/16, and 127.0.0.1 is a loopback address (the entire 127.0.0.0/8 network is reserved for loopback). 201.19.7.45 falls in none of these reserved ranges and is therefore publicly routable.
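The ranges above are exactly the kind of thing that gets misremembered (the /12 boundary of the 172.16.0.0 block in particular), so here is an added classifier, written for this page and not part of the original flashcards, that checks an address against each reserved block in the right order using Python's standard `ipaddress` module. It goes slightly beyond the question by also labelling multicast and the other IANA special-purpose blocks; the sample addresses at the bottom are constructed.

```python
import ipaddress

# Reference ranges from the answer above: RFC 1918 private, link-local (APIPA), loopback.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APIPA = ipaddress.ip_network("169.254.0.0/16")
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def classify_ipv4(addr: str) -> str:
    """Return a short label for an IPv4 address.

    The specific reserved blocks are tested before the generic is_global
    check so that loopback and link-local addresses never fall through to
    'public'. A malformed string raises ValueError from ipaddress.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        raise ValueError(f"{addr} is not an IPv4 address")
    if ip in LOOPBACK:
        return "loopback"
    if ip in APIPA:
        return "APIPA (link-local)"
    if any(ip in net for net in RFC1918):
        return "RFC 1918 private"
    if ip.is_multicast:            # 224.0.0.0/4 is not treated as private by the stdlib
        return "multicast"
    if ip.is_global:
        return "public"
    return "other reserved"        # e.g. 0.0.0.0/8, 100.64.0.0/10, TEST-NET, 240.0.0.0/4


if __name__ == "__main__":
    # Constructed samples, including the two boundary cases of the 172.16.0.0/12 block.
    for sample in ("201.19.7.45", "10.0.0.1", "172.31.255.255", "172.32.0.1",
                   "169.254.1.10", "127.0.0.1", "127.200.0.1", "224.0.0.1"):
        print(f"{sample:>16}  {classify_ipv4(sample)}")
```

Note that 172.32.0.1 is public: the private block ends at 172.31.255.255, a detail that trips up a lot of firewall rules written as "172.*".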

5
Q

What type of alternate processing facility contains the hardware necessary to restore operations but does not have a current copy of data?

Hot site

Warm site

Cold site

Mobile site

A

B. Warm sites contain the hardware necessary to restore operations but do not have a current copy of data.

6
Q

James has opted to implement a NAC solution that uses a post-admission philosophy for its control of network connectivity. What type of issues can’t a strictly post-admission policy handle?

Out-of-band monitoring

Preventing an unpatched laptop from being exploited immediately after connecting to the network

Denying access when user behavior doesn’t match an authorization matrix

Allowing user access when user behavior is allowed based on an authorization matrix

A

B. A post-admission philosophy allows or denies access based on user activity after connection. Since this doesn’t check the status of a machine before it connects, it can’t prevent the exploit of the system immediately after connection. This doesn’t preclude out-of-band or in-band monitoring, but it does mean that a strictly post-admission policy won’t handle system checks before the systems are admitted to the network.

7
Q

What process adds a header and a footer to data received at each layer of the OSI model?

Attribution

Encapsulation

TCP wrapping

Data hiding

A

B. Encapsulation adds a header (and, at the Data Link layer, a trailer such as the Ethernet frame check sequence) to the data received at each layer before handing it to the next layer down; the receiving side strips them in reverse order. TCP wrappers are a host-based network access control mechanism, attribution is determining who or what performed an action or sent data, and data hiding is an object-oriented programming term that is not relevant here.
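To make the header-at-each-layer idea concrete, here is an added example (written for this page, not taken from the original flashcards) that builds a UDP datagram, wraps it in an IPv4 packet, and wraps that in an Ethernet frame, then peels the layers off again. The addresses, MACs, and payload are constructed; the UDP checksum is left at zero (permitted for IPv4), and the Ethernet FCS is computed with `zlib.crc32` for illustration rather than with a NIC's exact bit ordering.

```python
import socket
import struct
import zlib

ETHERTYPE_IPV4 = 0x0800
PROTO_UDP = 17
SAMPLE_PAYLOAD = b"<13>host app: hello"   # constructed syslog-style message


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def udp_segment(src_port: int, dst_port: int, payload: bytes) -> bytes:
    # Layer 4: 8-byte header in front of the application data (checksum 0 = not computed).
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload


def ipv4_packet(src: str, dst: str, segment: bytes) -> bytes:
    # Layer 3: 20-byte header; the checksum covers only the header itself.
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 20 + len(segment), 0, 0x4000, 64, PROTO_UDP, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + segment


def ethernet_frame(src_mac: bytes, dst_mac: bytes, packet: bytes) -> bytes:
    # Layer 2: 14-byte header in front and a 4-byte FCS trailer (the 'footer') behind.
    body = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + packet
    fcs = struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)
    return body + fcs


def decapsulate(frame: bytes) -> dict:
    """Strip each layer in reverse order, validating what each layer protects."""
    body, fcs = frame[:-4], frame[-4:]
    if struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF) != fcs:
        raise ValueError("bad FCS: frame corrupted")
    ethertype = struct.unpack("!H", body[12:14])[0]
    packet = body[14:]
    ihl = (packet[0] & 0x0F) * 4
    if inet_checksum(packet[:ihl]) != 0:      # a valid header sums to zero
        raise ValueError("bad IPv4 header checksum")
    segment = packet[ihl:]
    src_port, dst_port, length, _ = struct.unpack("!HHHH", segment[:8])
    return {
        "ethertype": ethertype,
        "src_ip": socket.inet_ntoa(packet[12:16]),
        "dst_ip": socket.inet_ntoa(packet[16:20]),
        "proto": packet[9],
        "src_port": src_port,
        "dst_port": dst_port,
        "payload": segment[8:length],
    }


def frame_intact(frame: bytes) -> bool:
    try:
        decapsulate(frame)
        return True
    except ValueError:
        return False


def build_example_frame() -> bytes:
    """Constructed sample: a syslog datagram between two TEST-NET addresses."""
    seg = udp_segment(40000, 514, SAMPLE_PAYLOAD)
    pkt = ipv4_packet("192.0.2.10", "192.0.2.20", seg)
    return ethernet_frame(bytes.fromhex("02aabbccdd01"), bytes.fromhex("02aabbccdd02"), pkt)
```

The frame ends up as 14 + 20 + 8 bytes of headers, the payload, then the 4-byte trailer; flipping any byte in between makes `decapsulate` reject the frame at the FCS check before the inner layers are even parsed.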

8
Q

Which of the following is not one of the four canons of the (ISC)2 code of ethics?

Avoid conflicts of interest that may jeopardize impartiality.

Protect society, the common good, necessary public trust and confidence, and the infrastructure.

Act honorably, honestly, justly, responsibly, and legally.

Provide diligent and competent service to principals.

A

A. The four canons of the (ISC)2 code of ethics are to protect society, the common good, necessary public trust and confidence, and the infrastructure; act honorably, honestly, justly, responsibly, and legally; provide diligent and competent service to principals; and advance and protect the profession.

9
Q

Jim starts a new job as a system engineer, and his boss provides him with a document entitled “Forensic Response Guidelines.” Which one of the following statements is not true?

Jim must comply with the information in this document.

The document contains information about forensic examinations.

Jim should read the document thoroughly.

The document is likely based on industry best practices.

A

A. Guidelines provide advice based on best practices developed throughout industry and organizations, but they are not compulsory. Compliance with guidelines is optional.

10
Q

Alex has been employed by his company for more than a decade and has held a number of positions in the company. During an audit, it is discovered that he has access to shared folders and applications because of his former roles. What issue has Alex’s company encountered?

Excessive provisioning

Unauthorized access

Privilege creep

Account review

A

C. Privilege creep occurs when a user retains rights from previous roles that they no longer need for their current job. Unauthorized access occurs when a user accesses files or systems without ever having been granted permission. Excessive provisioning is not a standard term for this problem, and account review is the control that detects privilege creep rather than the issue itself.

11
Q

RIP, OSPF, and BGP are all examples of protocols associated with what type of network device?

Switches

Bridges

Routers

Gateways

A

C. Routing Information Protocol (RIP), Open Shortest Path First (OSPF), and Border Gateway Protocol (BGP) are all routing protocols and are therefore associated with routers.

12
Q

If Susan’s organization requires her to log in with her username, a PIN, a password, and a retina scan, how many distinct authentication factor types has she used?

One

Two

Three

Four

A

B. Susan has used two distinct factor types: the PIN and password are both Type 1 factors (something you know), and the retina scan is a Type 3 factor (something you are). Her username is an identifier, not an authentication factor, and two knowledge factors still count as a single factor type.

13
Q

What process makes TCP a connection-oriented protocol?

It works via network connections.

It uses a handshake.

It monitors for dropped connections.

It uses a complex header.

A

B. TCP’s three-way handshake (SYN, SYN/ACK, ACK) establishes shared state on both ends before any data is sent, and that is what makes it a connection-oriented protocol. Running over a network does not make a protocol connection-oriented (UDP uses the same network), the size of the header is irrelevant, and TCP does not by itself notice that a peer has silently disappeared unless data is in flight or keepalives are enabled.

14
Q

What is the goal of the BCP process?

RTO < MTD

MTD < RTO

RPO < MTD

MTD < RPO

A

A. The goal of the business continuity planning process is to ensure that your recovery time objectives are all less than your maximum tolerable downtimes.

15
Q

Which one of the following is an example of an administrative control?

Intrusion detection system

Security awareness training

Firewalls

Security guards

A

B. Awareness training is an example of an administrative control. Firewalls and intrusion detection systems are technical controls. Security guards are physical controls.

16
Q

What level of RAID is also known as disk mirroring?

RAID 0

RAID 1

RAID 5

RAID 10

A

B. RAID level 1 is also known as disk mirroring. RAID 0 is called disk striping. RAID 5 is called disk striping with parity. RAID 10 is known as a stripe of mirrors.

17
Q

Lauren needs to send information about services she is provisioning to a third-party organization. What standards-based markup language should she choose to build the interface?

SAML

SOAP

SPML

XACML

A

C. Service Provisioning Markup Language (SPML) is an XML-based language designed to allow platforms to generate and respond to provisioning requests. SAML is used to exchange authentication and authorization data, and XACML is used to express access control policies. SOAP (Simple Object Access Protocol) is a messaging protocol that can carry any XML payload but is not a markup language itself.

18
Q

TCP and UDP both operate at what layer of the OSI model?

Layer 2

Layer 3

Layer 4

Layer 5

A

C. TCP and UDP are Transport layer (Layer 4) protocols. The CISSP material also places SSL and TLS at the Transport layer, although other references map them to the Session or Presentation layer; for exam purposes, follow the Layer 4 placement.

19
Q

Linda is selecting a disaster recovery facility for her organization, and she wants to retain independence from other organizations as much as possible. She would like to choose a facility that balances cost and recovery time, allowing activation in about one week after a disaster is declared. What type of facility should she choose?

Cold site

Warm site

Mutual assistance agreement

Hot site

A

B. Linda should choose a warm site. This approach balances cost and recovery time. Cold sites take a long time to activate, measured in weeks or months. Hot sites activate immediately but are quite expensive. Mutual assistance agreements depend on the support of another organization.

20
Q

Which one of the following backup types does not alter the status of the archive bit on a file?

Full backup

Incremental backup

Partial backup

Differential backup

A

D. A differential backup copies every file whose archive bit is set but leaves the bit alone, so each differential grows until the next full backup; full and incremental backups clear the archive bit after copying. The practical consequence is that a restore needs the last full backup plus only the newest differential, whereas incremental restores need the full backup plus every incremental taken since. Partial backup is not a backup type.
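The archive-bit rules are easy to state and easy to get backwards, so here is an added simulation (written for this page, not part of the original flashcards) that models a filesystem's archive bits, runs a constructed week of changes under each backup type, and works out which backup sets a restore would need. File names and the change schedule are made up.

```python
from typing import Dict, List, Set

FULL, INCREMENTAL, DIFFERENTIAL = "full", "incremental", "differential"


class ArchiveBitSimulator:
    """Model per-file archive bits and the three backup types.

    Writing a file sets its archive bit. A full or incremental backup copies
    files and clears the bit; a differential backup copies the files whose
    bit is set but leaves the bit alone, so each differential grows until
    the next full backup.
    """

    def __init__(self, files):
        # Every file starts 'dirty' so the initial full backup captures it.
        self.archive_bit: Dict[str, bool] = {f: True for f in files}
        self.history: List[tuple] = []          # (backup type, set of files copied)

    def modify(self, *names: str) -> None:
        for n in names:
            self.archive_bit[n] = True

    def backup(self, kind: str) -> Set[str]:
        if kind == FULL:
            copied = set(self.archive_bit)
        elif kind in (INCREMENTAL, DIFFERENTIAL):
            copied = {f for f, dirty in self.archive_bit.items() if dirty}
        else:
            raise ValueError(f"unknown backup type {kind!r}")
        if kind in (FULL, INCREMENTAL):        # only these reset the bit
            for f in copied:
                self.archive_bit[f] = False
        self.history.append((kind, copied))
        return copied

    def restore_chain(self) -> List[int]:
        """Indices into history needed to rebuild the newest state.

        Assumes a single strategy (all incremental or all differential) was
        used after the last full backup, which is the normal schedule.
        """
        last_full = max(i for i, (k, _) in enumerate(self.history) if k == FULL)
        after = list(range(last_full + 1, len(self.history)))
        if not after:
            return [last_full]
        if self.history[-1][0] == INCREMENTAL:
            return [last_full] + after          # every incremental since the full
        return [last_full, after[-1]]           # only the newest differential


def build_week(kind: str) -> ArchiveBitSimulator:
    """Constructed schedule: a full backup, then one backup after each day's changes."""
    sim = ArchiveBitSimulator(["a.db", "b.doc", "c.log"])
    sim.backup(FULL)
    for changed in (("a.db",), ("b.doc",), ("a.db",), ("c.log",)):
        sim.modify(*changed)
        sim.backup(kind)
    return sim


def daily_sets(kind: str) -> List[Set[str]]:
    """What each post-full backup actually copied under the given strategy."""
    return [copied for _, copied in build_week(kind).history[1:]]
```

Running `daily_sets(DIFFERENTIAL)` shows the third day's set still containing `b.doc` even though only `a.db` changed that day, which is the archive bit being left set; `daily_sets(INCREMENTAL)` copies only that day's change.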

21
Q

During which phase of the incident response process would administrators design new security controls intended to prevent a recurrence of the incident?

Reporting

Recovery

Remediation

Lessons Learned

A

C. The Remediation phase of incident handling focuses on conducting a root-cause analysis to identify the factors contributing to an incident and implementing new security controls, as needed.

22
Q

What type of Windows audit record describes events like an OS shutdown or a service being stopped?

An application log

A security log

A system log

A setup log

A

C. Windows system logs include reboots, shutdowns, and service state changes. Application logs record events generated by programs, security logs track events like logons and uses of rights, and setup logs track Windows installation and update events.

23
Q

Microsoft’s STRIDE threat assessment framework uses six categories for threats: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. If a penetration tester is able to modify audit logs, what STRIDE categories best describe this issue?

Tampering and information disclosure

Elevation of privilege and tampering

Repudiation and denial of service

Repudiation and tampering

A

D. Modifying audit logs undermines non-repudiation: once the log cannot be trusted, a user can plausibly deny actions the log attributes to them, so this is a repudiation issue. The modification itself is also a direct example of tampering. It is tempting to answer elevation of privilege and tampering, since the tester changed files that should be protected, but whether privileges were actually escalated is unknown without more information. Likewise the tester may have read the logs, which would add information disclosure, but the question does not say so. Nothing in the scenario caused a denial of service.

24
Q

What type of access control is being used in the following permission listing?

Storage Device X

User1: Can read, write, list

User2: Can read, list

User3: Can read, write, list, delete

User4: Can list

Resource-based access controls

Role-based access controls

Mandatory access controls

Rule-based access controls

A

A. Resource-based access controls attach permissions directly to a resource such as a storage volume, and they are increasingly common in cloud infrastructure as a service environments. The absence of roles, rules, or a classification system indicates that role-based, rule-based, and mandatory access controls are not in use here.

25
Q

Fred’s company wants to ensure the integrity of email messages sent via its central email servers. If the confidentiality of the messages is not critical, what solution should Fred suggest?

Digitally sign and encrypt all messages to ensure integrity.

Digitally sign but don’t encrypt all messages.

Use TLS to protect messages, ensuring their integrity.

Use a hashing algorithm to provide a hash in each message to prove that it hasn’t changed.

A

B. Fred’s company needs integrity, which a digital signature provides: any change to the signed message invalidates the signature, and the recipient can verify it with the sender’s public key. Encrypting is unnecessary because confidentiality is not a goal. TLS protects messages only in transit between hops and says nothing about a message once it is stored or relayed, so it does not give end-to-end message integrity. A bare hash embedded in the message does not help either: an attacker who alters the message simply recomputes the hash.
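The last point, that an unkeyed hash gives no integrity against an active attacker, is worth seeing fail. The following added example (written for this page, not part of the original flashcards) compares a plain SHA-256 tag with a keyed HMAC-SHA256 tag under the same man-in-the-middle edit. HMAC is used as a stand-in for the digital signature the answer recommends, because the standard library has no asymmetric signing; the distinction that matters here, that the attacker cannot regenerate the tag without a secret, is the same. A real signature additionally lets anyone verify with the public key and so supports non-repudiation, which a shared-key MAC does not. The message and key are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed sample message and a server-side secret that never leaves the mail server.
ORIGINAL = b"From: payroll@example.test\nPay vendor 4471 the amount of $100\n"
SERVER_KEY = secrets.token_bytes(32)


def plain_hash(message: bytes) -> str:
    """Unkeyed digest appended to the message: anyone can recompute it."""
    return hashlib.sha256(message).hexdigest()


def keyed_tag(key: bytes, message: bytes) -> str:
    """HMAC-SHA256, standing in for a digital signature: a tag the
    attacker cannot regenerate without the secret."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_plain(message: bytes, tag: str) -> bool:
    return hmac.compare_digest(plain_hash(message), tag)


def verify_keyed(key: bytes, message: bytes, tag: str) -> bool:
    return hmac.compare_digest(keyed_tag(key, message), tag)


def attacker_rewrites(message: bytes, tag: str, scheme: str):
    """Man-in-the-middle edits the amount and re-derives whatever tag it can."""
    forged = message.replace(b"$100", b"$900")
    if scheme == "plain":
        return forged, plain_hash(forged)       # trivial: no secret is needed
    return forged, tag                          # no key, so the best effort is to replay the old tag


def plain_hash_accepts_forgery() -> bool:
    tag = plain_hash(ORIGINAL)
    forged, forged_tag = attacker_rewrites(ORIGINAL, tag, "plain")
    return verify_plain(forged, forged_tag)


def keyed_tag_accepts_forgery() -> bool:
    tag = keyed_tag(SERVER_KEY, ORIGINAL)
    forged, forged_tag = attacker_rewrites(ORIGINAL, tag, "keyed")
    return verify_keyed(SERVER_KEY, forged, forged_tag)
```

`plain_hash_accepts_forgery()` returns True: the recipient's check passes on the altered message because the hash travelled with it and was replaced too. `keyed_tag_accepts_forgery()` returns False. Note also `hmac.compare_digest` for the comparison, which avoids leaking the tag through timing.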

26
Q

Which one of the following goals of physical security environments occurs first in the functional order of controls?

Delay

Detection

Deterrence

Denial

A

C. Deterrence is the first functional goal of physical security mechanisms. If a physical security control presents a formidable challenge to a potential attacker, they may not attempt the attack in the first place.

27
Q

Lauren is responsible for building a banking website. She needs proof of the identity of the users who register for the site. How should she validate user identities?

Require users to create unique questions that only they will know.

Require new users to bring their driver’s license or passport in person to the bank.

Use information that both the bank and the user have such as questions pulled from their credit report.

Call the user on their registered phone number to verify that they are who they claim to be.

A

C. Identity proofing can be done by comparing user information that the organization already has, such as account numbers or personal information. Requiring users to create unique questions can help with future support by providing a way for them to do password resets. Using a phone call only verifies that the individual who created the account has the phone that they registered and won’t prove their identity. In-person verification would not fit the business needs of most websites.

28
Q

Surveys, interviews, and audits are all examples of ways to measure what important part of an organization’s security posture?

Code quality

Service vulnerabilities

Awareness

Attack surface

A

C. Interviews, surveys, and audits are all useful for assessing awareness. Code quality is best judged by code review, service vulnerabilities are tested using vulnerability scanners and related tools, and the attack surface of an organization requires both technical and administrative review.

28
Q

Which one of the following is not a valid key length for the Advanced Encryption Standard?

128 bits

192 bits

256 bits

384 bits

A

D. AES uses a fixed 128-bit block size and supports keys of 128, 192, or 256 bits (10, 12, and 14 rounds respectively). 384 bits is not a valid AES key length.

29
Q

Which one of the following is not a technique used by virus authors to hide the existence of their virus from anti-malware software?

Stealth

Multipartitism

Polymorphism

Encryption

A

B. Multipartite viruses use multiple propagation mechanisms to defeat system security controls but do not necessarily include techniques designed to hide the malware from antivirus software. Stealth viruses tamper with the operating system to hide their existence. Polymorphic viruses alter their code on each system they infect to defeat signature detection. Encrypted viruses use a similar technique, employing encryption to alter their appearance and avoid signature detection mechanisms.

30
Q

Which one of the following is an example of risk transference?

Building a guard shack

Purchasing insurance

Erecting fences

Relocating facilities

A

B. Risk transference involves actions that shift risk from one party to another. Purchasing insurance is an example of risk transference because it moves risk from the insured to the insurance company.

31
Q

Kyle is being granted access to a military computer system that uses System High mode. What is not true about Kyle’s security clearance requirements?

Kyle must have a clearance for the highest level of classification processed by the system, regardless of his access.

Kyle must have access approval for all information processed by the system.

Kyle must have a valid need to know for all information processed by the system.

Kyle must have a valid security clearance.

A

C. For systems running in System High mode, the user must have a valid security clearance for all information processed by the system, access approval for all information processed by the system, and a valid need to know for some, but not necessarily all, information processed by the system.

32
Q

Tom is conducting a business continuity planning effort for Orange Blossoms, a fruit orchard located in Central Florida. During the assessment process, the committee determined that there is a small risk of snow in the region but that the cost of implementing controls to reduce the impact of that risk is not warranted. They elect to not take any specific action in response to the risk. What risk management strategy is Orange Blossoms pursuing?

Risk mitigation

Risk transference

Risk avoidance

Risk acceptance

A

D. Risk acceptance occurs when an organization determines that the costs involved in pursuing other risk management strategies are not justified and they choose not to pursue any action.

33
Q

Carla has worked for her company for 15 years and has held a variety of different positions. Each time she changed positions, she gained new privileges associated with that position, but no privileges were ever taken away. What concept describes the sets of privileges she has accumulated?

Entitlement

Aggregation

Transitivity

Isolation

A

B. Carla’s account has experienced aggregation, where privileges accumulated over time. This condition is also known as privilege creep and likely constitutes a violation of the least privilege principle.

34
Q

Which one of the following types of agreements is the most formal document that contains expectations about availability and other performance parameters between a service provider and a customer?

Service-level agreement (SLA)

Operational-level agreement (OLA)

Memorandum of understanding (MOU)

Statement of work (SOW)

A

A. The service-level agreement (SLA) is between a service provider and a customer and documents in a formal manner expectations around availability, performance, and other parameters. An MOU may cover the same items but is not as formal a document. An OLA is between internal service organizations and does not involve customers. An SOW is an addendum to a contract describing work to be performed.

35
Q

Chris has been assigned to scan a system on all of its possible TCP and UDP ports. How many ports of each type must he scan to complete his assignment?

65,536 TCP ports and 32,768 UDP ports

1,024 common TCP ports and 32,768 ephemeral UDP ports

65,536 TCP and 65,536 UDP ports

16,384 TCP ports and 16,384 UDP ports

A

C. TCP and UDP port numbers are 16-bit fields, so each protocol has 2^16 = 65,536 possible ports, numbered 0 to 65,535. A complete scan therefore covers 65,536 ports of each type.

36
Q

Lauren starts at her new job and finds that she has access to a variety of systems that she does not need to accomplish her job. What problem has she encountered?

Privilege creep

Rights collision

Least privilege

Excessive privileges

A

D. When users have more rights than they need to accomplish their job, they have excessive privileges. This is a violation of the concept of least privilege. Unlike creeping privileges, this is a provisioning or rights management issue rather than a problem of retention of rights the user needed but no longer requires. Rights collision is a made-up term and thus is not an issue here.

37
Q

Jim has been contracted to perform a penetration test of a bank’s primary branch. To make the test as real as possible, he has not been given any information about the bank other than its name and address. What type of penetration test has Jim agreed to perform?

A crystal-box penetration test

A gray-box penetration test

A black-box penetration test

A white-box penetration test

A

C. Jim has agreed to a black-box penetration test, which provides no information about the organization, its systems, or its defenses. A crystal- or white-box penetration test provides all of the information an attacker needs, whereas a gray-box penetration test provides some, but not all, information.

38
Q

Lauren builds a table that includes assigned privileges, objects, and subjects to manage access control for the systems she is responsible for. Each time a subject attempts to access an object, the systems check the table to ensure that the subject has the appropriate rights to the objects. What type of access control system is Lauren using?

A capability table

An access control list

An access control matrix

A subject/object rights management system

A

C. An access control matrix is a table that lists objects, subjects, and their privileges. Access control lists focus on objects and which subjects can access them. Capability tables list subjects and what objects they can access. Subject/object rights management systems are not based on an access control model.
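The three structures in this answer are views of one table, and the easiest way to see that is to build it. The following added example (written for this page, not part of the original flashcards) implements an access control matrix and derives both the per-object ACL (a column) and the per-subject capability list (a row) from it; it loads the Storage Device X listing from question 24 above as its constructed data. Every access decision goes through `check`, which is default-deny for any subject or object not in the table.

```python
from collections import defaultdict
from typing import Dict, Set


class AccessControlMatrix:
    """Subjects x objects -> set of rights. A missing cell is empty (default deny)."""

    def __init__(self):
        self._cells: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))

    def grant(self, subject: str, obj: str, *rights: str) -> None:
        self._cells[subject][obj].update(rights)

    def revoke(self, subject: str, obj: str, *rights: str) -> None:
        self._cells[subject][obj].difference_update(rights)

    def check(self, subject: str, obj: str, right: str) -> bool:
        # Reference-monitor style: the matrix decides, the caller does not.
        # .get() is used so that probing never creates a cell.
        return right in self._cells.get(subject, {}).get(obj, set())

    def acl(self, obj: str) -> Dict[str, Set[str]]:
        """Column view: the object's access control list (subjects -> rights)."""
        return {s: set(objs[obj]) for s, objs in self._cells.items() if objs.get(obj)}

    def capabilities(self, subject: str) -> Dict[str, Set[str]]:
        """Row view: the subject's capability list (objects -> rights)."""
        return {o: set(r) for o, r in self._cells.get(subject, {}).items() if r}


def storage_device_x() -> AccessControlMatrix:
    """The permission listing from question 24 loaded into a matrix."""
    m = AccessControlMatrix()
    m.grant("User1", "Storage Device X", "read", "write", "list")
    m.grant("User2", "Storage Device X", "read", "list")
    m.grant("User3", "Storage Device X", "read", "write", "list", "delete")
    m.grant("User4", "Storage Device X", "list")
    return m
```

The ACL for Storage Device X is exactly the listing in question 24; a capability table would instead be the per-user rows. Revoking a right from the matrix changes both views at once, which is the property a central access control model gives you and a scattering of per-resource permission lists does not.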

39
Q

A cloud-based service that provides account provisioning, management, authentication, authorization, reporting, and monitoring capabilities is known as what type of service?

PaaS

IDaaS

IaaS

SaaS

A

B. Identity as a service (IDaaS) provides capabilities such as account provisioning, management, authentication, authorization, reporting, and monitoring. Platform as a service (PaaS), infrastructure as a service (IaaS), and software as a service (SaaS) are other types of cloud computing capabilities that are not specialized identity management services.

40
Q

What is the maximum penalty that may be imposed by an (ISC)2 peer review board when considering a potential ethics violation?

Revocation of certification

Termination of employment

Financial penalty

Suspension of certification

A

A. If the (ISC)2 peer review board finds that a certified individual has violated the (ISC)2 code of ethics, the board may revoke their certification. The board is not able to terminate an individual’s employment or assess financial penalties.

41
Q

Matthew, Richard, and Christopher would like to exchange messages with each other using symmetric cryptography. They want to ensure that each individual can privately send a message to another individual without the third person being able to read the message. How many keys do they need?

1

2

3

6

A

C. A symmetric cryptosystem needs a separate key for every pair of users, n(n-1)/2 keys for n users, so three users need three keys: one shared by Matthew and Richard, one by Richard and Christopher, and one by Christopher and Matthew. A single shared key (option A) would let the third person read every message.

42
Q

What UDP port is typically used by the syslog service?

443

514

515

445

A

B. Syslog traditionally uses UDP port 514. Syslog over TCP most commonly uses port 514 as well (IANA reserves 601 for it), and syslog over TLS (RFC 5425) uses port 6514. The other ports may look familiar because they are commonly used TCP ports: 443 is HTTPS, 515 is the LPD print service, and 445 is Windows SMB.

43
Q

During which of the following disaster recovery tests does the team sit together and discuss the response to a scenario but not actually activate any disaster recovery controls?

Checklist review

Full interruption test

Parallel test

Tabletop exercise

A

D. During a tabletop exercise, team members come together and walk through a scenario without making any changes to information systems. The checklist review is the least disruptive type of disaster recovery test. During a checklist review, team members each review the contents of their disaster recovery checklists on their own and suggest any necessary changes. During a parallel test, the team actually activates the disaster recovery site for testing, but the primary site remains operational. During a full interruption test, the team takes down the primary site and confirms that the disaster recovery site is capable of handling regular operations. The full interruption test is the most thorough test but also the most disruptive.

44
Q

Which one of the following is a detailed, step-by-step document that describes the exact actions that individuals must complete?

Policy

Standard

Guideline

Procedure

A

D. Procedures are formal, mandatory documents that provide detailed, step-by-step actions required from individuals performing a task.

45
Q

Which one of the following statements about malware is correct?

Malware authors do not target Macintosh or Linux systems.

The most reliable way to detect known malware is watching for unusual system activity.

Signature detection is the most effective technique to combat known malware.

APT attackers typically use malware designed to exploit vulnerabilities identified in security bulletins.

A

C. Signature detection is extremely effective against known malware because it uses reliable pattern matching to identify known samples, which makes it the most reliable way to detect them. It is not effective against the zero-day malware typically used by advanced persistent threats (APTs), which by definition exploits vulnerabilities not yet described in security bulletins. While malware authors once almost exclusively targeted Windows systems, malware now exists for all major platforms.

45
Q

Tammy is selecting a disaster recovery facility for her organization. She would like to choose a facility that balances the time required to recover operations with the cost involved. What type of facility should she choose?

Hot site

Warm site

Cold site

Red site

A

B. Tammy should choose a warm site. This type of facility meets her requirements for a good balance between cost and recovery time. It is less expensive than a hot site but facilitates faster recovery than a cold site. A red site is not a type of disaster recovery facility.

46
Q

Ben needs to verify that the most recent patch for his organization’s critical application did not introduce issues elsewhere. What type of testing does Ben need to conduct to ensure this?

Unit testing

White box

Regression testing

Black box

A

C. Regression testing ensures proper functionality of an application or system after it has been changed. Unit testing focuses on testing each module of a program instead of against its previous functional state. White- and black-box testing both describe the amount of knowledge about a system or application, rather than a specific type or intent for testing.

47
Q

Warren is designing a physical intrusion detection system for his data center and wants to include technology that issues an alert if the communications lines for the alarm system are unexpectedly cut. What technology would meet this requirement?

Heartbeat sensor

Emanation security

Motion detector

Faraday cage

A

A. Heartbeat sensors send periodic status messages from the alarm system to the monitoring center. The monitoring center triggers an alarm if it does not receive a status message for a prolonged period of time, indicating that communications were disrupted.

48
Q

Greg is battling a malware outbreak in his organization. He used specialized malware analysis tools to capture samples of the malware from three different systems and noticed that the code is changing slightly from infection to infection. Greg believes that this is the reason that antivirus software is having a tough time defeating the outbreak. What type of malware should Greg suspect is responsible for this security incident?

Stealth virus

Polymorphic virus

Multipartite virus

Encrypted virus

A

B. Polymorphic viruses mutate each time they infect a system by making adjustments to their code that assists them in evading signature detection mechanisms. Encrypted viruses also mutate from infection to infection but do so by encrypting themselves with different keys on each device.

49
Q

Which group is best suited to evaluate and report on the effectiveness of administrative controls an organization has put in place to a third party?

Internal auditors

Penetration testers

External auditors

Employees who design, implement, and monitor the controls

A

C. External auditors can provide an unbiased and impartial view of an organization’s controls to third parties. Internal auditors are useful when reporting to senior management of the organization but are typically not asked to report to third parties. Penetration tests test technical controls but are not as well suited to testing many administrative controls. The employees who build and maintain controls are more likely to bring a bias to the testing of those controls and should not be asked to report on them to third parties.

50
Q

In virtualization platforms, what name is given to the module that is responsible for controlling access to physical resources by virtual resources?

Guest machine

SDN

Kernel

Hypervisor

A

D. The hypervisor runs within the virtualization platform and serves as the moderator between virtual resources and physical resources.

51
Q

Google’s identity integration with a variety of organizations and applications across domains is an example of which of the following?

PKI

Federation

Single sign-on

Provisioning

A

B. Google’s federation with other applications and organizations allows single sign-on as well as management of their electronic identity and its related attributes. While this is an example of SSO, it goes beyond simple single sign-on. Provisioning provides accounts and rights, and a public key infrastructure is used for certificate management.

52
Q

Joe wants to test a program he suspects may contain malware. What technology can he use to isolate the program while it runs?

ASLR

Sandboxing

Clipping

Process isolation

A

B. Running the program in a sandbox provides isolation that can prevent the malware from impacting other applications or systems. If Joe instruments the sandbox appropriately, he can observe what the program does, what changes it makes, and any communications it attempts. ASLR is a memory-address randomization technique, not an isolation mechanism. Process isolation keeps processes from impacting each other, but a sandbox typically provides greater utility in a scenario like this because it can be instrumented and managed in a way that better supports investigations. Clipping is a term used in signal processing.

53
Q

What type of attack would the following precautions help prevent?

Requesting proof of identity

Requiring callback authorizations on voice-only requests

Not changing passwords via voice communications

DoS attacks

Worms

Social engineering

Shoulder surfing

A

C. Each of the precautions listed helps to prevent social engineering by helping prevent exploitation of trust. Avoiding voice-only communications is particularly important since establishing identity over the phone is difficult. The other listed attacks would not be prevented by these techniques.

54
Q

Mike has been tasked with preventing an outbreak of malware like Mirai. What type of systems should be protected in his organization?

Servers

SCADA

Mobile devices

Internet of Things (IoT) devices

A

D. Mirai targeted Internet of Things devices, including routers, cameras, and DVRs. As organizations bring an increasing number of devices like these into their corporate networks, protecting both internal and external targets from insecure, infrequently updated, and often vulnerable IoT devices is increasingly important.

55
Q

Ben has written the password hashing system for the web application he is building. His hashing code function for passwords results in the following process for a series of passwords:

hash (password1 + 07C98BFE4CF67B0BFE2643B5B22E2D7D) =
10B222970537B97919DB36EC757370D2
hash (password2 + 07C98BFE4CF67B0BFE2643B5B22E2D7D) =
F1F16683F3E0208131B46D37A79C8921
What flaw has Ben introduced with his hashing implementation?

Plaintext salting

Salt reuse

Use of a short salt

Poor salt algorithm selection

A

B. Ben is reusing his salt. When the same salt is used for every hash, all users with the same password end up with the same hash, so an attacker holding the database can either steal the salt or try to guess it by targeting the most frequent hash values, which correspond to commonly used passwords. A short salt would also be a problem, but the salt used here is 32 hexadecimal characters, i.e. 16 bytes (128 bits), which is adequate. No salting algorithm is used or mentioned here; a salt is simply a value added to the input of the hash, and plaintext salting is a made-up term.

56
Q

Which one of the following tools is most often used for identification purposes and is not suitable for use as an authenticator?

Password

Retinal scan

Username

Token

A

C. Usernames are an identification tool. They are not secret, so they are not suitable for use as an authenticator.

57
Q

Theresa is implementing a new access control system and wants to ensure that developers do not have the ability to move code from development systems into the production environment. What information security principle is she most directly enforcing?

Separation of duties

Two-person control

Least privilege

Job rotation

A

A. While developers may feel like they have a business need to be able to move code into production, the principle of separation of duties dictates that they should not have the ability to both write code and place it on a production server. The deployment of code is often performed by change management staff.

58
Q

NIST Special Publication 800-92, the Guide to Computer Security Log Management, describes four types of common challenges to log management:

Many log sources

Inconsistent log content

Inconsistent timestamps

Inconsistent log formats

Which of the following solutions is best suited to solving these issues?

Implement SNMP for all logging devices.

Implement a SIEM.

Standardize on the Windows event log format for all devices and use NTP.

Ensure that logging is enabled on all endpoints using their native logging formats and set their local time correctly.

A

B. A security information and event management (SIEM) tool is designed to centralize logs from many locations in many formats and to ensure that logs are read and analyzed despite differences between different systems and devices. The Simple Network Management Protocol (SNMP) is used for some log messaging but is not a solution that solves all of these problems. Most non-Windows devices, including network devices among others, are not designed to use the Windows event log format, although using NTP for time synchronization is a good idea. Finally, local logging is useful, but setting clocks individually will result in drift over time and won’t solve the issue with many log sources.
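
The four challenges in Q58 are what a SIEM's collection tier solves before any correlation can happen. The following is an added example written for this page (it is not code from the deck or from any SIEM product): it normalizes constructed log lines from three sources with different formats and clock conventions (BSD syslog without year or timezone, a JSON application log with an explicit offset, and a web server common log line) into one schema with UTC timestamps, then runs a cross-source correlation that is only possible after normalization. The source-to-timezone map and the assumed year stand in for collector configuration; the host names, IP addresses and log lines are constructed.

```python
import json
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample lines (not real traffic) from three sources with different formats.
SAMPLE_LINES = [
    ("fw01", "Mar  3 09:02:11 fw01 sshd[1022]: Failed password for root from 203.0.113.5 port 51234 ssh2"),
    ("app01", '{"time": "2024-03-03T15:02:40+01:00", "level": "WARN", "msg": "login failed", '
              '"user": "admin", "client": "203.0.113.5"}'),
    ("web01", '203.0.113.5 - - [03/Mar/2024:14:03:05 +0000] "POST /login HTTP/1.1" 401 512'),
    ("fw01", "Mar  3 09:05:30 fw01 sshd[1030]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2"),
]

# Assumptions a collector would hold in configuration: the clock offset of sources whose
# timestamps carry no timezone, and the year for syslog lines, which omit it.
SOURCE_TZ = {"fw01": timezone(timedelta(hours=-5))}
ASSUMED_YEAR = 2024

SYSLOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
                       r"(?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")
SSH_RE = re.compile(r"^(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
CLF_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def record(ts: datetime, host: str, fmt: str, event: str, user: Optional[str], src_ip: Optional[str]) -> dict:
    """Common schema: one UTC timestamp field and the same keys regardless of source format."""
    return {"ts": ts.astimezone(timezone.utc).isoformat(), "host": host, "format": fmt,
            "event": event, "user": user, "src_ip": src_ip}


def parse_syslog(source: str, line: str) -> Optional[dict]:
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    # Syslog carries neither year nor offset: supply both from collector configuration.
    naive = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    ts = naive.replace(tzinfo=SOURCE_TZ.get(source, timezone.utc))
    event, user, ip = "other", None, None
    s = SSH_RE.match(m["msg"])
    if s:
        event = "auth_failure" if s["result"] == "Failed" else "auth_success"
        user, ip = s["user"], s["ip"]
    return record(ts, m["host"], "syslog", event, user, ip)


def parse_json(source: str, line: str) -> Optional[dict]:
    try:
        obj = json.loads(line)
    except ValueError:
        return None
    ts = datetime.fromisoformat(obj["time"])  # the offset is part of the timestamp
    event = "auth_failure" if obj.get("msg") == "login failed" else "other"
    return record(ts, source, "json", event, obj.get("user"), obj.get("client"))


def parse_clf(source: str, line: str) -> Optional[dict]:
    m = CLF_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    failed = m["status"] == "401" and m["req"].startswith("POST /login")
    return record(ts, source, "clf", "auth_failure" if failed else "other", None, m["ip"])


def normalize(source: str, line: str) -> dict:
    """Try each known format; lines no parser understands are kept, not silently dropped."""
    for parser in (parse_json, parse_clf, parse_syslog):
        rec = parser(source, line)
        if rec:
            return rec
    return {"ts": None, "host": source, "format": "unknown", "event": "unparsed",
            "user": None, "src_ip": None, "raw": line}


def failures_by_ip(records: list) -> Counter:
    return Counter(r["src_ip"] for r in records if r["event"] == "auth_failure")


def cross_source_failures(records: list, min_sources: int = 2) -> dict:
    """IPs failing authentication on at least min_sources distinct hosts: a correlation that
    only works once every source shares one schema and one clock."""
    hosts = defaultdict(set)
    for r in records:
        if r["event"] == "auth_failure":
            hosts[r["src_ip"]].add(r["host"])
    return {ip: sorted(h) for ip, h in hosts.items() if len(h) >= min_sources}


if __name__ == "__main__":
    recs = sorted((normalize(s, l) for s, l in SAMPLE_LINES), key=lambda r: r["ts"] or "")
    for r in recs:
        print(r["ts"], r["host"], r["format"], r["event"], r["src_ip"])
    print(cross_source_failures(recs))
```

Note that the three failures land within a one-minute window only after the per-source offsets are applied; read in their native form, the fw01 line appears five hours earlier than the others, which is exactly the inconsistent-timestamp problem NIST describes.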

59
Q

Which one of the following components should be included in an organization’s emergency response guidelines?

Secondary response procedures for first responders

Long-term business continuity protocols

Activation procedures for the organization’s cold sites

Contact information for ordering equipment

A

A. The emergency response guidelines should include the immediate steps an organization should follow in response to an emergency situation. These include immediate response procedures, a list of individuals who should be notified of the emergency, and secondary response procedures for first responders. They do not include long-term actions such as activating business continuity protocols, ordering equipment, or activating disaster recovery sites.

60
Q

Gary is analyzing a security incident and, during his investigation, encounters a user who denies having performed an action that Gary believes he did perform. What type of threat has taken place under the STRIDE model?

Repudiation

Information disclosure

Tampering

Elevation of privilege

A

A. Repudiation threats allow an attacker to deny having performed an action or activity without the other party being able to prove differently.

61
Q

After scanning all the systems on his wireless network, Mike notices that one system is identified as an iOS device running a massively out-of-date version of Apple’s mobile operating system. When he investigates further, he discovers that the device is an original iPad and that it cannot be updated to a current secure version of the operating system. What should Mike recommend?

Retire or replace the device.

Isolate the device on a dedicated wireless network.

Install a firewall on the tablet.

Reinstall the OS.

A

A. When operating system patches are no longer available for mobile devices, the best option is typically to retire or replace the device. Building isolated networks will not stop the device from being used for browsing or other purposes, which means it is likely to continue to be exposed to threats. Installing a firewall will not remediate the security flaws in the OS, although it may help somewhat. Finally, reinstalling the OS will not allow new updates or fix the root issue.

62
Q

Rick is an application developer who works primarily in Python. He recently decided to evaluate a new service where he provides his Python code to a vendor who then executes it on their server environment. What type of cloud computing environment is this service?

SaaS

PaaS

IaaS

CaaS

A

B. Cloud computing systems where the customer only provides application code for execution on a vendor-supplied computing platform are examples of platform as a service (PaaS) computing.

63
Q

During a penetration test, Chris recovers a file containing hashed passwords for the system he is attempting to access. What type of attack is most likely to succeed against the hashed passwords?

A brute-force attack

A pass-the-hash attack

A rainbow table attack

A salt recovery attack

A

C. Rainbow tables are databases of precomputed password hashes paired with high-speed lookup functions. Because they let an attacker compare known hashes against those in a file without recomputing anything, rainbow tables are the fastest way to determine passwords from unsalted hashes. A brute-force attack may eventually succeed but will be very slow against most hashes. Pass-the-hash attacks rely on sniffed or otherwise acquired NTLM or LanMan hashes being sent to a system to avoid the need to know a user’s password. Salts are data added to the hash input specifically to defeat tools like rainbow tables: a salted hash won’t match a rainbow table generated without the same salt.

64
Q

Kay is selecting an application management approach for her organization. Employees need the flexibility to install software on their systems, but Kay wants to prevent them from installing certain prohibited packages. What type of approach should she use?

Antivirus

Whitelist

Blacklist

Heuristic

A

C. The blacklist approach to application control blocks certain prohibited packages but allows the installation of other software on systems. The whitelist approach uses the reverse philosophy and allows only approved software. Antivirus software would detect the installation of malicious software only after the fact. Heuristic detection is a variant of antivirus software.

65
Q

Owen recently designed a security access control structure that prevents a single user from simultaneously holding the role required to create a new vendor and the role required to issue a check. What principle is Owen enforcing?

Two-person control

Least privilege

Separation of duties

Job rotation

A

C. This scenario describes separation of duties—not allowing the same person to hold two roles that, when combined, are sensitive. While two-person control is a similar concept, it does not apply in this case because the scenario does not say that either action requires the concurrence of two users.

66
Q

IP addresses like 10.10.10.10 and 172.19.24.21 are both examples of what type of IP address?

Public IP addresses

Prohibited IP addresses

Private IP addresses

Class B IP ranges

A

C. These are examples of private IP addresses. RFC 1918 defines a set of private IP address ranges for use in internal networks: 10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255, and 192.168.0.0 to 192.168.255.255. These addresses should never be routable on the public Internet.

67
Q

Fran’s company is considering purchasing a web-based email service from a vendor and eliminating its own email server environment as a cost-saving measure. What type of cloud computing environment is Fran’s company considering?

SaaS

IaaS

CaaS

PaaS

A

A. This is an example of a vendor offering a fully functional application as a web-based service. Therefore, it fits under the definition of software as a service (SaaS). In infrastructure as a service (IaaS), compute as a service (CaaS), and platform as a service (PaaS) approaches, the customer provides their own software. In this example, the vendor is providing the email software, so none of those choices is appropriate.

68
Q

Which component of IPsec provides authentication, integrity, and nonrepudiation?

L2TP

Encapsulating Security Payload

Encryption Security Header

Authentication Header

A

D. The Authentication Header (AH) is the IPsec component the exam credits with authentication, integrity, and nonrepudiation. Strictly speaking, AH’s integrity check is a keyed MAC computed with a key that both peers share, so either peer could have produced it and it cannot provide nonrepudiation in the cryptographic sense; the exam nonetheless expects this answer. The Encapsulating Security Payload (ESP) provides encryption and thus confidentiality, and can also provide authentication and integrity for its payload (though not for the outer IP header). L2TP is an independent VPN protocol, and Encryption Security Header is a made-up term.

69
Q

Alex’s job requires him to see protected health information (PHI) to ensure proper treatment of patients. His access to their medical records does not provide access to patient addresses or billing information. What access control concept best describes this control?

Separation of duties

Constrained interfaces

Context-dependent control

Need to know

A

D. Need to know is applied when subjects like Alex have access to only the data they need to accomplish their job. Separation of duties is used to limit fraud and abuse by having multiple employees perform parts of a task. Constrained interfaces restrict what a user can see or do and would be a reasonable answer if need to know did not describe his access more completely in this scenario. Context-dependent control relies on the activity being performed to apply controls, and this question does not specify a workflow or process.

70
Q

Which one of the following investigation types has the loosest standards for collecting and preserving information?

Civil investigation

Operational investigation

Criminal investigation

Regulatory investigation

A

B. Operational investigations are performed by internal teams to troubleshoot performance or other technical issues. They are not intended to produce evidence for use in court and, therefore, do not have the rigid collection standards of criminal, civil, or regulatory investigations.

71
Q

Susan is working to improve the strength of her organization’s passwords by changing the password policy. The password system that she is using allows uppercase and lowercase letters as well as numbers but no other characters. How much additional complexity does adding a single character to the minimum length of passwords for her organization create?

26 times more complex

62 times more complex

36 times more complex

2^62 times more complex

A

B. The complexity of brute-forcing a password increases with both the number of possible characters and the number of character positions. In this case, there are 26 lowercase letters, 26 uppercase letters, and 10 digits, for 62 possibilities per position. Since only a single character of length was added, the keyspace grows by a factor of 62^1, or 62, and thus the new passwords are 62 times harder to brute-force on average.

72
Q

Purchasing insurance is a form of what type of risk response?

Transfer

Avoid

Mitigate

Accept

A

A. Purchasing insurance is a way to transfer risk to another entity.

73
Q

Which one of the following metrics specifies the amount of time that business continuity planners find acceptable for the restoration of service after a disaster?

MTD

RTO

RPO

MTO

A

B. The recovery time objective (RTO) is the amount of time that it may take to restore a service after a disaster without unacceptable impact on the business. The RTO for each service is identified during a business impact assessment.

74
Q

Jacob is planning his organization’s biometric authentication system and is considering retina scans. What concern may be raised about retina scans by others in his organization?

Retina scans can reveal information about medical conditions.

Retina scans are painful because they require a puff of air in the user’s eye.

Retina scanners are the most expensive type of biometric device.

Retina scanners have a high false positive rate and will cause support issues.

A

A. Retina scans can reveal additional information, including high blood pressure and pregnancy, causing privacy concerns. Newer retina scans don’t require a puff of air, and retina scanners are not the most expensive biometric factor. Their false positive rate can typically be adjusted in software, allowing administrators to adjust their acceptance rate as needed to balance usability and security.

75
Q

What is the best way to ensure email confidentiality in motion?

Use TLS between the client and server.

Use SSL between the client and server.

Encrypt the email content.

Use a digital signature.

A

C. The SMTP protocol does not guarantee confidentiality between servers, so TLS or SSL between the client and its server is only a partial measure: the message may still traverse later hops in the clear. Encrypting the email content itself provides end-to-end confidentiality; digital signatures provide integrity and nonrepudiation, not confidentiality.

76
Q

What layer of the OSI model is associated with datagrams?

Session

Transport

Network

Data Link

A

B. When data reaches the Transport layer, it is sent as segments (TCP) or datagrams (UDP). Above the Transport layer, data becomes a data stream, while below the Transport layer they are converted to packets at the Network layer, frames at the Data Link layer, and bits at the Physical layer.

77
Q

What type of vulnerability scan accesses configuration information from the systems it is run against as well as information that can be accessed via services available via the network?

Authenticated scans

Web application scans

Unauthenticated scans

Port scans

A

A. Authenticated scans use a read-only account to log in and read configuration files and installed-software details, allowing more accurate testing of vulnerabilities. Web application scans, unauthenticated scans, and port scans don’t have access to configuration files unless those files are inadvertently exposed.

78
Q

What term is used to describe a starting point for a minimum security standard?

Outline

Baseline

Policy

Configuration guide

A

B. A baseline is used to ensure a minimum security standard. A policy is the foundation that a standard may point to for authority, and a configuration guide may be built from a baseline to help staff who need to implement it to accomplish their task. An outline is helpful, but outline isn’t the term you’re looking for here.

79
Q

Full disk encryption like Microsoft’s BitLocker is used to protect data in what state?

Data in transit

Data at rest

Unlabeled data

Labeled data

A

B. Full disk encryption only protects data at rest. Since it encrypts the full disk, it does not distinguish between labeled and unlabeled data.

80
Q

Gwen comes across an application that is running under a service account on a web server. The service account has full administrative rights to the server. What principle of information security does this violate?

Need to know

Separation of duties

Least privilege

Job rotation

A

C. This scenario violates the least privilege principle because an application should never require full administrative rights to run. Gwen should update the service account to have only the privileges necessary to support the application.

81
Q

Using the OSI model, what format does the Data Link layer use to format messages received from higher up the stack?

A data stream

A frame

A segment

A datagram

A

B. When a message reaches the Data Link layer, it is called a frame. Data streams exist at the Application, Presentation, and Session layers, whereas segments and datagrams exist at the Transport layer (for TCP and UDP, respectively).

82
Q

What type of forensic investigation typically has the highest evidentiary standards?

Administrative

Criminal

Civil

Industry

A

B. Criminal forensic investigations typically have the highest standards for evidence, as they must be able to help prove the case beyond a reasonable doubt. Administrative investigations merely need to meet the standards of the organization and to be able to be defended in court, while civil investigations operate on a preponderance of evidence. There is not a category of forensic investigation referred to as “industry” in the CISSP® exam’s breakdown of forensic types.

83
Q

Lauren’s healthcare provider maintains such data as details about her health, treatments, and medical billing. What type of data is this?

Protected health information

Personally identifiable information

Protected health insurance

Individual protected data

A

A. Protected health information (PHI) is defined by HIPAA to include health information used by healthcare providers, such as medical treatment, history, and billing. Personally identifiable information is information that can be used to identify an individual, which may be included in the PHI but isn’t specifically this type of data. Protected health insurance and individual protected data are both made-up terms.

84
Q

In Jen’s job as the network administrator for an industrial production facility, she is tasked with ensuring that the network is not susceptible to electromagnetic interference due to the large motors and other devices running on the production floor. What type of network cabling should she choose if this concern is more important than cost and difficulty of installation?

10Base2

100BaseT

1000BaseT

Fiber-optic

A

D. Fiber-optic cable is more expensive and can be much harder to install than twisted-pair copper cable or coaxial cable, but it isn’t susceptible to electromagnetic interference (EMI). That makes it a great solution for Jen’s problem, especially if she is deploying EMI-hardened systems to go with her EMI-resistant network cables.

85
Q

What type of penetration testing provides detail on the scope of a penetration test—including items like what systems would be targeted—but does not provide full visibility into the configuration or other details of the systems or networks the penetration tester must test?

Crystal box

White box

Black box

Gray box

A

D. Gray-box testing is a blend of crystal-box (or white-box) testing, which provides full information about a target, and black-box testing, which provides little or no knowledge about the target.

86
Q

You are the CISO for a major hospital system and are preparing to sign a contract with a software as a service (SaaS) email vendor and want to ensure that its business continuity planning measures are reasonable. What type of audit might you request to meet this goal?

SOC 1

FISMA

PCI DSS

SOC 2

A

D. A Service Organization Control (SOC) 2 audit examines controls against the Trust Services Criteria (security, availability, processing integrity, confidentiality, and privacy), and business continuity falls under the availability criterion. A SOC 1 audit is limited to controls relevant to financial reporting. Although FISMA and PCI DSS assessments may touch on business continuity, they would not apply to an email service used by a hospital.

87
Q

Which of the following types of controls does not describe a mantrap?

Deterrent

Preventive

Compensating

Physical

A

C. A mantrap, which is composed of a pair of doors with an access mechanism that allows only one door to open at a time, is an example of a preventive access control because it can stop unwanted access by keeping intruders from accessing a facility because of an opened door or following legitimate staff in. It can serve as a deterrent by discouraging intruders who would be trapped in it without proper access, and of course, doors with locks are an example of a physical control. A compensating control attempts to make up for problems with an existing control or to add additional controls to improve a primary control.

88
Q

What should be true for salts used in password hashes?

A single salt should be set so passwords can be de-hashed as needed.

A single salt should be used so the original salt can be used to check passwords against their hash.

Unique salts should be stored for each user.

Unique salts should be created every time a user logs in.

A

C. A unique salt should be created for each user using a secure generation method and stored in that user’s record. Since attacks against hashes rely on building tables to compare the hashes against, unique salts for each user make building tables for an entire database essentially impossible—the work to recover a single user account may be feasible, but large-scale recovery requires complete regeneration of the table each time. A single salt allows rainbow tables to be generated if the salt is stolen or can be guessed based on frequently used passwords. Creating a unique salt each time a user logs in does not allow a match against a known salted hashed password.
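
Q55 and Q88 describe the same flaw from both sides: a single salt shared by every user versus a unique salt per user. The following is an added example written for this page (not code from the deck) that shows the consequences concretely: with Ben’s shared salt, users who share a password get identical hashes, and one precomputed table built for that salt recovers every matching account; with per-user salts the attacker must rehash every guess for every user. The accounts, passwords and wordlist are constructed; the 16-byte salt is the one shown in Q55; the PBKDF2 iteration count is a demo value, and the fast SHA-256 variant is kept only to isolate the salt-reuse effect.

```python
import hashlib
import hmac
import secrets
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample accounts for the demonstration (not real users or passwords).
USERS = {
    "alice": "Summer2023!",
    "bob": "Summer2023!",  # same password as alice
    "carol": "correct horse battery staple",
}

# A small wordlist standing in for the input to an attacker's precomputed table.
GUESSES = ["password", "123456", "Summer2023!", "letmein", "qwerty"]

# The site-wide salt from Ben's scheme: 32 hex characters, i.e. 16 bytes (128 bits).
SHARED_SALT = bytes.fromhex("07C98BFE4CF67B0BFE2643B5B22E2D7D")


def weak_hash(password: str, salt: bytes) -> str:
    """hash(password + salt) with a fast, unkeyed hash: here only to show the salt-reuse flaw."""
    return hashlib.sha256(password.encode("utf-8") + salt).hexdigest()


def store_with_shared_salt(users: Dict[str, str]) -> Dict[str, str]:
    """Ben's flawed scheme: every user is hashed with the same salt."""
    return {name: weak_hash(pw, SHARED_SALT) for name, pw in users.items()}


def duplicate_hashes(store: Dict[str, str]) -> Dict[str, int]:
    """Hashes that occur more than once: each is a group of users sharing a password,
    visible to anyone holding the database before any cracking is attempted."""
    counts = Counter(store.values())
    return {h: n for h, n in counts.items() if n > 1}


def table_attack(store: Dict[str, str], guesses: List[str], salt: bytes) -> Dict[str, str]:
    """Build the lookup table once for the known salt, then recover every matching account.
    With a shared salt, one table serves the whole database."""
    table = {weak_hash(g, salt): g for g in guesses}
    return {name: table[h] for name, h in store.items() if h in table}


# The fix (Q88): a unique random salt per user, stored with the record, plus a slow KDF.
ITERATIONS = 20_000  # demo value; production PBKDF2-SHA256 should use far more (OWASP suggests 600,000)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def store_with_unique_salts(users: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    return {name: hash_password(pw) for name, pw in users.items()}


def verify(record: Tuple[bytes, bytes], password: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = record
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def per_user_attack_cost(store: Dict[str, Tuple[bytes, bytes]], guesses: List[str]) -> Tuple[Dict[str, str], int]:
    """Against unique salts the attacker must rehash every guess for every user: returns the
    recovered accounts and the number of KDF evaluations that took."""
    recovered, work = {}, 0
    for name, (salt, digest) in store.items():
        for g in guesses:
            work += 1
            if hmac.compare_digest(hash_password(g, salt)[1], digest):
                recovered[name] = g
                break
    return recovered, work


if __name__ == "__main__":
    shared = store_with_shared_salt(USERS)
    print("identical hashes:", duplicate_hashes(shared))  # alice and bob collide
    print("one table recovers:", table_attack(shared, GUESSES, SHARED_SALT))
    unique = store_with_unique_salts(USERS)
    print("alice and bob salts differ:", unique["alice"][0] != unique["bob"][0])
    print("verify alice:", verify(unique["alice"], "Summer2023!"))
    print("per-user attack (recovered, KDF calls):", per_user_attack_cost(unique, GUESSES))
```

Weak passwords are still recovered in the per-user case; what the unique salt buys is that the work scales with users times guesses and that the attacker learns nothing from duplicate hashes, and what the slow KDF buys is that each of those guesses costs real time.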

89
Q

STRIDE, which stands for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege, is useful in what part of application threat modeling?

Vulnerability assessment

Misuse case testing

Threat categorization

Penetration test planning

A

C. An important part of application threat modeling is threat categorization. It helps to assess attacker goals that influence the controls that should be put in place. The other answers all involve topics that are not directly part of application threat modeling.

90
Q

Which one of the following is not a basic preventative measure that you can take to protect your systems and applications against attack?

Implement intrusion detection and prevention systems.

Maintain current patch levels on all operating systems and applications.

Remove unnecessary accounts and services.

Conduct forensic imaging of all systems.

A

D. There is no need to conduct forensic imaging as a preventative measure. Rather, forensic imaging should be used during the incident response process. Maintaining patch levels, implementing intrusion detection/prevention, and removing unnecessary services and accounts are all basic preventative measures.

91
Q

You are conducting a qualitative risk assessment for your organization. The two important risk elements that should weigh most heavily in your analysis of risk are probability and ___________.

Likelihood

History

Impact

Cost

A

C. The two most important elements of a qualitative risk assessment are determining the probability and impact of each risk upon the organization. Likelihood is another word for probability. Cost should be taken into account but is only one element of impact, which also includes reputational damage, operational disruption, and other ill effects.

92
Q

Fred needs to transfer files between two servers on an untrusted network. Since he knows the network isn’t trusted, he needs to select an encrypted protocol that can ensure that his data remains secure. What protocol should he choose?

SSH

TCP

SFTP

IPsec

A

C. The Secure File Transfer Protocol (SFTP) is specifically designed for encrypted file transfer; it runs as a subsystem of SSH and so inherits SSH’s encryption and authentication. SSH on its own provides secure command-line access (transferring files over it requires SFTP or SCP). TCP is the transport protocol that carries the data and provides no encryption. IPsec could be used to build a tunnel to carry the transfer but is not itself a file transfer protocol.

93
Q

Which one of the following investigation types always uses the beyond-a-reasonable-doubt standard of proof?

Civil investigation

Criminal investigation

Operational investigation

Regulatory investigation

A

B. Criminal investigations have high stakes with severe punishment for the offender that may include incarceration. Therefore, they use the strictest standard of evidence of all investigations: beyond a reasonable doubt. Civil investigations use a preponderance-of-the-evidence standard. Regulatory investigations may use whatever standard is appropriate for the venue where the evidence will be heard. This may include the beyond-a-reasonable-doubt standard, but it is not always used in regulatory investigations. Operational investigations do not use a standard of evidence.

94
Q

Norm would like to conduct a disaster recovery test for his organization and wants to choose the most thorough type of test, recognizing that it may be quite disruptive. What type of test should Norm choose?

Full interruption test

Parallel test

Tabletop exercise

Checklist review

A

A. During a full interruption test, the team takes down the primary site and confirms that the disaster recovery site is capable of handling regular operations. The full interruption test is the most thorough test but also the most disruptive. During a parallel test, the team actually activates the disaster recovery site for testing but the primary site remains operational. The checklist review is the least disruptive type of disaster recovery test. During a checklist review, team members each review the contents of their disaster recovery checklists on their own and suggest any necessary changes. During a tabletop exercise, team members come together and walk through a scenario without making any changes to information systems.

95
Q

Ed is tasked with protecting information about his organization’s customers, including their name, Social Security number, birthdate, and place of birth, as well as a variety of other information. What is this information known as?

PHI

PII

Personal protected data

PID

A

B. Personally identifiable information (PII) can be used to distinguish a person’s identity. Protected health information (PHI) includes data such as medical history, lab results, insurance information, and other details about a patient. Personal protected data is a made-up term, and PID is an acronym for process ID, the number associated with a running program or process.

96
Q

Susan is conducting a STRIDE threat assessment by placing threats into one or more of the following categories: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. As part of her assessment, she has discovered an issue that allows transactions to be modified between a web browser and the application server that it accesses. What STRIDE categorization(s) best fit this issue?

Tampering and Information Disclosure

Spoofing and Tampering

Tampering and Repudiation

Information Disclosure and Elevation of Privilege

A

A. Information that is modifiable between a client and a server also means that it is accessible, pointing to both tampering and information disclosure. Spoofing in STRIDE is aimed at credentials and authentication, and there is no mention of this in the question. Repudiation would require that proving who performed an action was important, and elevation of privilege would come into play if privilege levels were involved.

97
Q

Tamara recently decided to purchase cyber-liability insurance to cover her company’s costs in the event of a data breach. What risk management strategy is she pursuing?

Risk acceptance

Risk mitigation

Risk transference

Risk avoidance

A

C. Risk transference involves shifting the impact of a potential risk from the organization incurring the risk to another organization. Insurance is a common example of risk transference.

98
Q

Elaine is developing a business continuity plan for her organization. What value should she seek to minimize?

AV

SSL

RTO

MTO

A

C. The goal of business continuity planning exercises is to reduce the amount of time required to restore operations. This is done by minimizing the recovery time objective (RTO).

99
Q

Chris is deploying a gigabit Ethernet network using Category 6 cable between two buildings. What is the maximum distance he can run the cable according to the Category 6 standard?

50 meters

100 meters

200 meters

300 meters

A

B. The maximum allowed length of a Cat 6 cable run is 100 meters, or 328 feet. Longer distances are typically handled by a fiber run or by using network devices like switches or repeaters.

100
Q

What type of alternate processing facility includes all of the hardware and data necessary to restore operations in a matter of minutes or seconds?

Hot site

Warm site

Cold site

Mobile site

A

A. Hot sites contain all of the hardware and data necessary to restore operations and may be activated very quickly.