Chapter 8 Test 2 Flashcards

Question 1

Q

During a system audit, Casey notices that the private key for her organization’s web server has been stored in a public Amazon S3 storage bucket for more than a year. What should she do?

Remove the key from the bucket.

Notify all customers that their data may have been exposed.

Request a new certificate using a new key.

Nothing, because the private key should be accessible for validation

Answer

A

C. The first thing Casey should do is notify her management, but after that, replacing the certificate and using proper key management practices with the new certificate’s key should be at the top of her list.

Question 2

Q

Which one of the following would be considered an example of infrastructure as a service cloud computing?

Payroll system managed by a vendor and delivered over the web

Application platform managed by a vendor that runs customer code

Servers provisioned by customers on a vendor-managed virtualization platform

Web-based email service provided by a vendor

Answer

A

C. One of the core capabilities of infrastructure as a service is providing servers on a vendor-managed virtualization platform. Web-based payroll and email systems are examples of software as a service. An application platform managed by a vendor that runs customer code is an example of platform as a service.

Question 3

Q

Which of the following is not a common threat to access control mechanisms?

Fake login pages

Phishing

Dictionary attacks

Man-in-the-middle attacks

Answer

A

B. Phishing is not an attack against an access control mechanism. While phishing can result in stolen credentials, the attack itself is not against the control system and is instead against the person being phished. Dictionary attacks and man-in-the-middle attacks both target access control systems.

Question 4

Q

The IP address 201.19.7.45 is what type of address?

A public IP address

An RFC 1918 address

An APIPA address

A loopback address

Answer

A

A. 201.19.7.45 is a public IP address.

RFC 1918 addresses are in the ranges 10.0.0.0 to 0.255.255.255, 172.16.0.0 to 172.31.255.255, and 192.168.0.0 to 192.168.255.255. APIPA addresses are assigned between 169.254.0.0 to 169.254.255.254, and 127.0.0.1 is a loopback address (although technically the entire 127.x.x.x network is reserved for loopback).

Question 5

Q

What type of alternate processing facility contains the hardware necessary to restore operations but does not have a current copy of data?

Hot site

Warm site

Cold site

Mobile site

Answer

A

B. Warm sites contain the hardware necessary to restore operations but do not have a current copy of data.

Question 6

Q

James has opted to implement a NAC solution that uses a post-admission philosophy for its control of network connectivity. What type of issues can’t a strictly post-admission policy handle?

Out-of-band monitoring

Preventing an unpatched laptop from being exploited immediately after connecting to the network

Denying access when user behavior doesn’t match an authorization matrix

Allowing user access when user behavior is allowed based on an authorization matrix

Answer

A

B. A post-admission philosophy allows or denies access based on user activity after connection. Since this doesn’t check the status of a machine before it connects, it can’t prevent the exploit of the system immediately after connection. This doesn’t preclude out-of-band or in-band monitoring, but it does mean that a strictly post-admission policy won’t handle system checks before the systems are admitted to the network.

Question 7

Q

What process adds a header and a footer to data received at each layer of the OSI model?

Attribution

Encapsulation

TCP wrapping

Data hiding

Answer

A

B. Encapsulation is a process that adds a header and possibly a footer to data received at each layer before handoff to the next layer. TCP wrappers are a host-based network access control system, attribution is determining who or what performed an action or sent data, and data hiding is a term from object-oriented programming that is not relevant here.

Question 8

Q

Which of the following is not one of the four canons of the (ISC)2 code of ethics?

Avoid conflicts of interest that may jeopardize impartiality.

Protect society, the common good, necessary public trust and confidence, and the infrastructure.

Act honorably, honestly, justly, responsibly, and legally.

Provide diligent and competent service to principals.

Answer

A

A. The four canons of the (ISC)2 code of ethics are to protect society, the common good, necessary public trust and confidence, and the infrastructure; act honorably, honestly, justly, responsibly, and legally; provide diligent and competent service to principals; and advance and protect the profession.

Question 9

Q

Jim starts a new job as a system engineer, and his boss provides him with a document entitled “Forensic Response Guidelines.” Which one of the following statements is not true?

Jim must comply with the information in this document.

The document contains information about forensic examinations.

Jim should read the document thoroughly.

The document is likely based on industry best practices.

Answer

A

A. Guidelines provide advice based on best practices developed throughout industry and organizations, but they are not compulsory. Compliance with guidelines is optional.

Question 10

Q

Alex has been employed by his company for more than a decade and has held a number of positions in the company. During an audit, it is discovered that he has access to shared folders and applications because of his former roles. What issue has Alex’s company encountered?

Excessive provisioning

Unauthorized access

Privilege creep

Account review

Answer

A

C. Privilege creep occurs when users retain from roles they held previously rights they do not need to accomplish their current job. Unauthorized access occurs when an unauthorized user accesses files. Excessive provisioning is not a term used to describe permissions issues, and account review would help find issues like this.

Question 11

Q

RIP, OSPF, and BGP are all examples of protocols associated with what type of network device?

Switches

Bridges

Routers

Gateways

Answer

A

C. Routing Information Protocol (RIP), Open Shortest Path First (OSPF), and Border Gateway Protocol (BGP) are all routing protocols and are associated with routers

Question 12

Q

If Susan’s organization requires her to log in with her username, a PIN, a password, and a retina scan, how many distinct authentication factor types has she used?

One

Two

Three

Four

Answer

A

B. Susan has used two distinct types of factors: the PIN and password are both Type 1 factors, and the retina scan is a Type 3 factor. Her username is not a factor.

Question 13

Q

What process makes TCP a connection-oriented protocol?

It works via network connections.

It uses a handshake.

It monitors for dropped connections.

It uses a complex header.

Answer

A

B. TCP’s use of a handshake process to establish communications makes it a connection-oriented protocol. TCP does not monitor for dropped connections, nor does the fact that it works via network connections make it connection-oriented.

Question 14

Q

What is the goal of the BCP process?

RTO < MTD

MTD < RTO

RPO < MTD

MTD < RPO

Answer

A

A. The goal of the business continuity planning process is to ensure that your recovery time objectives are all less than your maximum tolerable downtimes.

Question 15

Q

Which one of the following is an example of an administrative control?

Intrusion detection system

Security awareness training

Firewalls

Security guards

Answer

A

B. Awareness training is an example of an administrative control. Firewalls and intrusion detection systems are technical controls. Security guards are physical controls.

Question 16

Q

What level of RAID is also known as disk mirroring?

RAID 0

RAID 1

RAID 5

RAID 10

Answer

A

B. RAID level 1 is also known as disk mirroring. RAID 0 is called disk striping. RAID 5 is called disk striping with parity. RAID 10 is known as a stripe of mirrors.

Question 17

Q

Lauren needs to send information about services she is provisioning to a third-party organization. What standards-based markup language should she choose to build the interface?

SAML

SOAP

SPML

XACML

Answer

A

C. Service Provisioning Markup Language, or SPML, is an XML-based language designed to allow platforms to generate and respond to provisioning requests. SAML is used to make authorization and authentication data, while XACML is used to describe access controls. SOAP, or Simple Object Access Protocol, is a messaging protocol and could be used for any XML messaging but is not a markup language itself.

Question 18

Q

TCP and UDP both operate at what layer of the OSI model?

Layer 2

Layer 3

Layer 4

Layer 5

Answer

A

C. TCP, UDP, and other transport layer protocols like SSL and TLS operate at the Transport layer.

Question 19

Q

Linda is selecting a disaster recovery facility for her organization, and she wants to retain independence from other organizations as much as possible. She would like to choose a facility that balances cost and recovery time, allowing activation in about one week after a disaster is declared. What type of facility should she choose?

Cold site

Warm site

Mutual assistance agreement

Hot site

Answer

A

B. Linda should choose a warm site. This approach balances cost and recovery time. Cold sites take a long time to activate, measured in weeks or months. Hot sites activate immediately but are quite expensive. Mutual assistance agreements depend on the support of another organization.

Question 20

Q

Which one of the following backup types does not alter the status of the archive bit on a file?

Full backup

Incremental backup

Partial backup

Differential backup

Answer

A

D. Differential backups do not alter the archive bit on a file, whereas incremental and full backups reset the archive bit to 0 after the backup completes. Partial backups are not a backup type.

Question 21

Q

During which phase of the incident response process would administrators design new security controls intended to prevent a recurrence of the incident?

Reporting

Recovery

Remediation

Lessons Learned

Answer

A

C. The Remediation phase of incident handling focuses on conducting a root-cause analysis to identify the factors contributing to an incident and implementing new security controls, as needed.

Question 22

Q

What type of Windows audit record describes events like an OS shutdown or a service being stopped?

An application log

A security log

A system log

A setup log

Answer

A

C. Windows system logs include reboots, shutdowns, and service state changes. Application logs record events generated by programs, security logs track events like logins and uses of rights, and setup logs track application setup.

Question 23

Q

Microsoft’s STRIDE threat assessment framework uses six categories for threats: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. If a penetration tester is able to modify audit logs, what STRIDE categories best describe this issue?

Tampering and information disclosure

Elevation of privilege and tampering

Repudiation and denial of service

Repudiation and tampering

Answer

A

D. Modification of audit logs will prevent repudiation because the data cannot be trusted, and thus actions cannot be provably denied. The modification of the logs is also a direct example of tampering. It might initially be tempting to answer elevation of privileges and tampering, as the attacker made changes to files that should be protected, but this is an unknown without more information. Similarly, the attacker may have accessed the files, resulting in information disclosure in addition to tampering, but again, this is not specified in the question. Finally, this did not cause a denial of service, and thus that answer can be ignored.

Question 24

Q

What type of access control is being used in the following permission listing?

Storage Device X

User1: Can read, write, list

User2: Can read, list

User3: Can read, write, list, delete

User4: Can list

Resource-based access controls

Role-based access controls

Mandatory access controls

Rule-based access controls

Answer

A

A. Resource-based access controls match permissions to resources like a storage volume. Resource-based access controls are becoming increasingly common in cloud-based infrastructure as a service environments. The lack of roles, rules, or a classification system indicate that role-based, rule-based, and mandatory access controls are not in use here.

Question 25

Q

Fred’s company wants to ensure the integrity of email messages sent via its central email servers. If the confidentiality of the messages is not critical, what solution should Fred suggest?

Digitally sign and encrypt all messages to ensure integrity.

Digitally sign but don’t encrypt all messages.

Use TLS to protect messages, ensuring their integrity.

Use a hashing algorithm to provide a hash in each message to prove that it hasn’t changed.

Answer

A

B. Fred’s company needs to protect integrity, which can be accomplished by digitally signing messages. Any change will cause the signature to be invalid. Encrypting isn’t necessary because the company does not want to protect confidentiality. TLS can provide in-transit protection but won’t protect integrity of the messages, and of course a hash used without a way to verify that the hash wasn’t changed won’t ensure integrity either.

Question 26

Q

Which one of the following goals of physical security environments occurs first in the functional order of controls?

Delay

Detection

Deterrence

Denial

Answer

A

C. Deterrence is the first functional goal of physical security mechanisms. If a physical security control presents a formidable challenge to a potential attacker, they may not attempt the attack in the first place.

Question 27

Q

Lauren is responsible for building a banking website. She needs proof of the identity of the users who register for the site. How should she validate user identities?

Require users to create unique questions that only they will know.

Require new users to bring their driver’s license or passport in person to the bank.

Use information that both the bank and the user have such as questions pulled from their credit report.

Call the user on their registered phone number to verify that they are who they claim to be.

Answer

A

C. Identity proofing can be done by comparing user information that the organization already has, such as account numbers or personal information. Requiring users to create unique questions can help with future support by providing a way for them to do password resets. Using a phone call only verifies that the individual who created the account has the phone that they registered and won’t prove their identity. In-person verification would not fit the business needs of most websites.

Question 28

Q

Surveys, interviews, and audits are all examples of ways to measure what important part of an organization’s security posture?

Code quality

Service vulnerabilities

Awareness

Attack surface

Answer

A

C. Interviews, surveys, and audits are all useful for assessing awareness. Code quality is best judged by code review, service vulnerabilities are tested using vulnerability scanners and related tools, and the attack surface of an organization requires both technical and administrative review.

Question 29

Q

Which one of the following is not a valid key length for the Advanced Encryption Standard?

128 bits

192 bits

256 bits

384 bits

Answer

A

D. The Advanced Encryption Standard supports encryption with 128-bit keys, 192-bit keys, and 256-bit keys.

Question 30

Q

Which one of the following is not a technique used by virus authors to hide the existence of their virus from anti-malware software?

Stealth

Multipartitism

Polymorphism

Encryption

Answer

A

B. Multipartite viruses use multiple propagation mechanisms to defeat system security controls but do not necessarily include techniques designed to hide the malware from antivirus software. Stealth viruses tamper with the operating system to hide their existence. Polymorphic viruses alter their code on each system they infect to defeat signature detection. Encrypted viruses use a similar technique, employing encryption to alter their appearance and avoid signature detection mechanisms.

Question 31

Q

Which one of the following is an example of risk transference?

Building a guard shack

Purchasing insurance

Erecting fences

Relocating facilities

Answer

A

B. Risk transference involves actions that shift risk from one party to another. Purchasing insurance is an example of risk transference because it moves risk from the insured to the insurance company.

Question 32

Q

Kyle is being granted access to a military computer system that uses System High mode. What is not true about Kyle’s security clearance requirements?

Kyle must have a clearance for the highest level of classification processed by the system, regardless of his access.

Kyle must have access approval for all information processed by the system.

Kyle must have a valid need to know for all information processed by the system.

Kyle must have a valid security clearance.

Answer

A

C. For systems running in System High mode, the user must have a valid security clearance for all information processed by the system, access approval for all information processed by the system, and a valid need to know for some, but not necessarily all, information processed by the system.

Question 33

Q

Tom is conducting a business continuity planning effort for Orange Blossoms, a fruit orchard located in Central Florida. During the assessment process, the committee determined that there is a small risk of snow in the region but that the cost of implementing controls to reduce the impact of that risk is not warranted. They elect to not take any specific action in response to the risk. What risk management strategy is Orange Blossoms pursuing?

Risk mitigation

Risk transference

Risk avoidance

Risk acceptance

Answer

A

D. Risk acceptance occurs when an organization determines that the costs involved in pursuing other risk management strategies are not justified and they choose not to pursue any action.

Question 34

Q

Carla has worked for her company for 15 years and has held a variety of different positions. Each time she changed positions, she gained new privileges associated with that position, but no privileges were ever taken away. What concept describes the sets of privileges she has accumulated?

Entitlement

Aggregation

Transitivity

Isolation

Answer

A

B. Carla’s account has experienced aggregation, where privileges accumulated over time. This condition is also known as privilege creep and likely constitutes a violation of the least privilege principle.

Question 35

Q

Which one of the following types of agreements is the most formal document that contains expectations about availability and other performance parameters between a service provider and a customer?

Service-level agreement (SLA)

Operational-level agreement (OLA)

Memorandum of understanding (MOU)

Statement of work (SOW)

Answer

A

A. The service-level agreement (SLA) is between a service provider and a customer and documents in a formal manner expectations around availability, performance, and other parameters. An MOU may cover the same items but is not as formal a document. An OLA is between internal service organizations and does not involve customers. An SOW is an addendum to a contract describing work to be performed.

Question 36

Q

Chris has been assigned to scan a system on all of its possible TCP and UDP ports. How many ports of each type must he scan to complete his assignment?

65,536 TCP ports and 32,768 UDP ports

1,024 common TCP ports and 32,768 ephemeral UDP ports

65,536 TCP and 65,536 UDP ports

16,384 TCP ports and 16,384 UDP ports

Answer

A

C. Both TCP and UDP port numbers are a 16-digit binary number, which means there can be 216 ports, or 65,536 ports, numbered from 0 to 65,535.

Question 37

Q

Lauren starts at her new job and finds that she has access to a variety of systems that she does not need to accomplish her job. What problem has she encountered?

Privilege creep

Rights collision

Least privilege

Excessive privileges

Answer

A

D. When users have more rights than they need to accomplish their job, they have excessive privileges. This is a violation of the concept of least privilege. Unlike creeping privileges, this is a provisioning or rights management issue rather than a problem of retention of rights the user needed but no longer requires. Rights collision is a made-up term and thus is not an issue here.

Question 38

Q

Jim has been contracted to perform a penetration test of a bank’s primary branch. To make the test as real as possible, he has not been given any information about the bank other than its name and address. What type of penetration test has Jim agreed to perform?

A crystal-box penetration test

A gray-box penetration test

A black-box penetration test

A white-box penetration test

Answer

A

C. Jim has agreed to a black-box penetration test, which provides no information about the organization, its systems, or its defenses. A crystal- or white-box penetration test provides all of the information an attacker needs, whereas a gray-box penetration test provides some, but not all, information.

Question 39

Q

Lauren builds a table that includes assigned privileges, objects, and subjects to manage access control for the systems she is responsible for. Each time a subject attempts to access an object, the systems check the table to ensure that the subject has the appropriate rights to the objects. What type of access control system is Lauren using?

A capability table

An access control list

An access control matrix

A subject/object rights management system

Answer

A

C. An access control matrix is a table that lists objects, subjects, and their privileges. Access control lists focus on objects and which subjects can access them. Capability tables list subjects and what objects they can access. Subject/object rights management systems are not based on an access control model.

Question 40

Q

A cloud-based service that provides account provisioning, management, authentication, authorization, reporting, and monitoring capabilities is known as what type of service?

PaaS

IDaaS

IaaS

SaaS

Answer

A

B. Identity as a service (IDaaS) provides capabilities such as account provisioning, management, authentication, authorization, reporting, and monitoring. Platform as a service (PaaS), infrastructure as a service (IaaS), and software as a service (SaaS) are other types of cloud computing capabilities that are not specialized identity management services.

Question 41

Q

What is the maximum penalty that may be imposed by an (ISC)2 peer review board when considering a potential ethics violation?

Revocation of certification

Termination of employment

Financial penalty

Suspension of certification

Answer

A

A. If the (ISC)2 peer review board finds that a certified individual has violated the (ISC)2 code of ethics, the board may revoke their certification. The board is not able to terminate an individual’s employment or assess financial penalties.

Question 42

Q

Matthew, Richard, and Christopher would like to exchange messages with each other using symmetric cryptography. They want to ensure that each individual can privately send a message to another individual without the third person being able to read the message. How many keys do they need?

1

2

3

6

Answer

A

C. They need a key for every possible pair of users in the cryptosystem. The first key would allow communication between Matthew and Richard. The second key would allow communication between Richard and Christopher. The third key would allow communication between Christopher and Matthew.

Question 43

Q

What UDP port is typically used by the syslog service?

443

514

515

445

Answer

A

B. Syslog uses UDP port 514. TCP-based implementations of syslog typically use port 6514. The other ports may look familiar because they are commonly used TCP ports: 443 is HTTPS, 515 is the LPD print service, and 445 is used for Windows SMB.

Question 44

Q

During which of the following disaster recovery tests does the team sit together and discuss the response to a scenario but not actually activate any disaster recovery controls?

Checklist review

Full interruption test

Parallel test

Tabletop exercise

Answer

A

D. During a tabletop exercise, team members come together and walk through a scenario without making any changes to information systems. The checklist review is the least disruptive type of disaster recovery test. During a checklist review, team members each review the contents of their disaster recovery checklists on their own and suggest any necessary changes. During a parallel test, the team actually activates the disaster recovery site for testing, but the primary site remains operational. During a full interruption test, the team takes down the primary site and confirms that the disaster recovery site is capable of handling regular operations. The full interruption test is the most thorough test but also the most disruptive.

Question 45

Q

Which one of the following is a detailed, step-by-step document that describes the exact actions that individuals must complete?

Policy

Standard

Guideline

Procedure

Answer

A

D. Procedures are formal, mandatory documents that provide detailed, step-by-step actions required from individuals performing a task.

Question 46

Q

Which one of the following statements about malware is correct?

Malware authors do not target Macintosh or Linux systems.

The most reliable way to detect known malware is watching for unusual system activity.

Signature detection is the most effective technique to combat known malware.

APT attackers typically use malware designed to exploit vulnerabilities identified in security bulletins.

Answer

A

C. Signature detection is extremely effective against known strains of malware because it uses a reliable pattern matching technique to identify known malware. Signature detection is, therefore, the most reliable way to detect known malware. This technique is not, however, effective against the zero-day malware typically used by advanced persistent threats (APTs) that does not exploit vulnerabilities identified in security bulletins. While malware authors once almost exclusively targeted Windows systems, malware now exists for all major platforms.

Question 47

Q

Tammy is selecting a disaster recovery facility for her organization. She would like to choose a facility that balances the time required to recover operations with the cost involved. What type of facility should she choose?

Hot site

Warm site

Cold site

Red site

Answer

A

B. Tammy should choose a warm site. This type of facility meets her requirements for a good balance between cost and recovery time. It is less expensive than a hot site but facilitates faster recovery than a cold site. A red site is not a type of disaster recovery facility.

Question 48

Q

Ben needs to verify that the most recent patch for his organization’s critical application did not introduce issues elsewhere. What type of testing does Ben need to conduct to ensure this?

Unit testing

White box

Regression testing

Black box

Answer

A

C. Regression testing ensures proper functionality of an application or system after it has been changed. Unit testing focuses on testing each module of a program instead of against its previous functional state. White- and black-box testing both describe the amount of knowledge about a system or application, rather than a specific type or intent for testing.

Question 49

Q

Warren is designing a physical intrusion detection system for his data center and wants to include technology that issues an alert if the communications lines for the alarm system are unexpectedly cut. What technology would meet this requirement?

Heartbeat sensor

Emanation security

Motion detector

Faraday cage

Answer

A

A. Heartbeat sensors send periodic status messages from the alarm system to the monitoring center. The monitoring center triggers an alarm if it does not receive a status message for a prolonged period of time, indicating that communications were disrupted.

Question 50

Q

Greg is battling a malware outbreak in his organization. He used specialized malware analysis tools to capture samples of the malware from three different systems and noticed that the code is changing slightly from infection to infection. Greg believes that this is the reason that antivirus software is having a tough time defeating the outbreak. What type of malware should Greg suspect is responsible for this security incident?

Stealth virus

Polymorphic virus

Multipartite virus

Encrypted virus

Answer

A

B. Polymorphic viruses mutate each time they infect a system by making adjustments to their code that assists them in evading signature detection mechanisms. Encrypted viruses also mutate from infection to infection but do so by encrypting themselves with different keys on each device.

Question 51

Q

Which group is best suited to evaluate and report on the effectiveness of administrative controls an organization has put in place to a third party?

Internal auditors

Penetration testers

External auditors

Employees who design, implement, and monitor the controls

Answer

A

C. External auditors can provide an unbiased and impartial view of an organization’s controls to third parties. Internal auditors are useful when reporting to senior management of the organization but are typically not asked to report to third parties. Penetration tests test technical controls but are not as well suited to testing many administrative controls. The employees who build and maintain controls are more likely to bring a bias to the testing of those controls and should not be asked to report on them to third parties.

Question 52

Q

In virtualization platforms, what name is given to the module that is responsible for controlling access to physical resources by virtual resources?

Guest machine

SDN

Kernel

Hypervisor

Answer

A

D. The hypervisor runs within the virtualization platform and serves as the moderator between virtual resources and physical resources.

Question 53

Q

Google’s identity integration with a variety of organizations and applications across domains is an example of which of the following?

PKI

Federation

Single sign-on

Provisioning

Answer

A

B. Google’s federation with other applications and organizations allows single sign-on as well as management of their electronic identity and its related attributes. While this is an example of SSO, it goes beyond simple single sign-on. Provisioning provides accounts and rights, and a public key infrastructure is used for certificate management.

Question 54

Q

Joe wants to test a program he suspects may contain malware. What technology can he use to isolate the program while it runs?

ASLR

Sandboxing

Clipping

Process isolation

Answer

A

B. Running the program in a sandbox provides secure isolation that can prevent the malware from impacting other applications or systems. If Joe uses appropriate instrumentation, he can observe what the program does, what changes it makes, and any communications it may attempt. ASLR is a memory location randomization technology, process isolation keeps processes from impacting each other, but a sandbox typically provides greater utility in a scenario like this since it can be instrumented and managed in a way that better supports investigations, and clipping is a term often used in signal processing.

Question 55

Q

What type of attack would the following precautions help prevent?

Requesting proof of identity

Requiring callback authorizations on voice-only requests

Not changing passwords via voice communications

DoS attacks

Worms

Social engineering

Shoulder surfing

Answer

A

C. Each of the precautions listed helps to prevent social engineering by helping prevent exploitation of trust. Avoiding voice-only communications is particularly important since establishing identity over the phone is difficult. The other listed attacks would not be prevented by these techniques.

Question 56

Q

Mike has been tasked with preventing an outbreak of malware like Mirai. What type of systems should be protected in his organization?

Servers

SCADA

Mobile devices

Internet of Things (IoT) devices

Answer

A

D. Mirai targeted Internet of Things devices, including routers, cameras, and DVRs. As organizations bring an increasing number of devices like these into their corporate networks, protecting both internal and external targets from insecure, infrequently updated, and often vulnerable IoT devices is increasingly important.

Question 57

Q

Ben has written the password hashing system for the web application he is building. His hashing code function for passwords results in the following process for a series of passwords:

hash (password1 + 07C98BFE4CF67B0BFE2643B5B22E2D7D) =
10B222970537B97919DB36EC757370D2
hash (password2 + 07C98BFE4CF67B0BFE2643B5B22E2D7D) =
F1F16683F3E0208131B46D37A79C8921
What flaw has Ben introduced with his hashing implementation?

Plaintext salting

Salt reuse

Use of a short salt

Poor salt algorithm selection

Answer

A

B. Ben is reusing his salt. When the same salt is used for each hash, all users with the same password will have the same hash, and the attack can either attempt to steal the salt or may attempt to guess the salt by targeting the most frequent hash occurrences based on commonly used passwords. Short salts are an issue, but the salts used here are 32 bytes (256 bits) long. There is no salting algorithm used or mentioned here; salt is an added value for a hash, and plaintext salting is a made-up term

Question 58

Q

Which one of the following tools is most often used for identification purposes and is not suitable for use as an authenticator?

Password

Retinal scan

Username

Token

Answer

A

C. Usernames are an identification tool. They are not secret, so they are not suitable for use as a password.

Question 59

Q

Theresa is implementing a new access control system and wants to ensure that developers do not have the ability to move code from development systems into the production environment. What information security principle is she most directly enforcing?

Separation of duties

Two-person control

Least privilege

Job rotation

Answer

A

A. While developers may feel like they have a business need to be able to move code into production, the principle of separation of duties dictates that they should not have the ability to both write code and place it on a production server. The deployment of code is often performed by change management staff.

Question 60

Q

NIST Special Publication 800-92, the Guide to Computer Security Log Management, describes four types of common challenges to log management:

Many log sources

Inconsistent log content

Inconsistent timestamps

Inconsistent log formats

Which of the following solutions is best suited to solving these issues?

Implement SNMP for all logging devices.

Implement a SIEM.

Standardize on the Windows event log format for all devices and use NTP.

Ensure that logging is enabled on all endpoints using their native logging formats and set their local time correctly.

Answer

A

B. A security information and event management (SIEM) tool is designed to centralize logs from many locations in many formats and to ensure that logs are read and analyzed despite differences between different systems and devices. The Simple Network Management Protocol (SNMP) is used for some log messaging but is not a solution that solves all of these problems. Most non-Windows devices, including network devices among others, are not designed to use the Windows event log format, although using NTP for time synchronization is a good idea. Finally, local logging is useful, but setting clocks individually will result in drift over time and won’t solve the issue with many log sources.

Question 61

Q

Which one of the following components should be included in an organization’s emergency response guidelines?

Secondary response procedures for first responders

Long-term business continuity protocols

Activation procedures for the organization’s cold sites

Contact information for ordering equipment

Answer

A

A. The emergency response guidelines should include the immediate steps an organization should follow in response to an emergency situation. These include immediate response procedures, a list of individuals who should be notified of the emergency, and secondary response procedures for first responders. They do not include long-term actions such as activating business continuity protocols, ordering equipment, or activating disaster recovery sites.

Question 62

Q

Gary is analyzing a security incident and, during his investigation, encounters a user who denies having performed an action that Gary believes he did perform. What type of threat has taken place under the STRIDE model?

Repudiation

Information disclosure

Tampering

Elevation of privilege

Answer

A

A. Repudiation threats allow an attacker to deny having performed an action or activity without the other party being able to prove differently.

Question 63

Q

After scanning all the systems on his wireless network, Mike notices that one system is identified as an iOS device running a massively out-of-date version of Apple’s mobile operating system. When he investigates further, he discovers that the device is an original iPad and that it cannot be updated to a current secure version of the operating system. What should Mike recommend?

Retire or replace the device.

Isolate the device on a dedicated wireless network.

Install a firewall on the tablet.

Reinstall the OS.

Answer

A

A. When operating system patches are no longer available for mobile devices, the best option is typically to retire or replace the device. Building isolated networks will not stop the device from being used for browsing or other purposes, which means it is likely to continue to be exposed to threats. Installing a firewall will not remediate the security flaws in the OS, although it may help somewhat. Finally, reinstalling the OS will not allow new updates or fix the root issue.

Question 64

Q

Rick is an application developer who works primarily in Python. He recently decided to evaluate a new service where he provides his Python code to a vendor who then executes it on their server environment. What type of cloud computing environment is this service?

SaaS

PaaS

IaaS

CaaS

Answer

A

B. Cloud computing systems where the customer only provides application code for execution on a vendor-supplied computing platform are examples of platform as a service (PaaS) computing.

Answer 65

A

C. Rainbow tables are databases of prehashed passwords paired with high-speed lookup functions. Since they can quickly compare known hashes against those in a file, using rainbow tables is the fastest way to quickly determine passwords from hashes. A brute-force attack may eventually succeed but will be very slow against most hashes. Pass-the-hash attacks rely on sniffed or otherwise acquired NTLM or LanMan hashes being sent to a system to avoid the need to know a user’s password. Salts are data added to a hash to avoid the use of tools like rainbow tables. A salt added to a password means the hash won’t match a rainbow table generated without the same salt.

Answer 66

A

C. The blacklist approach to application control blocks certain prohibited packages but allows the installation of other software on systems. The whitelist approach uses the reverse philosophy and allows only approved software. Antivirus software would detect the installation of malicious software only after the fact. Heuristic detection is a variant of antivirus software.

Answer 67

A

C. This scenario describes separation of duties—not allowing the same person to hold two roles that, when combined, are sensitive. While two-person control is a similar concept, it does not apply in this case because the scenario does not say that either action requires the concurrence of two users.

Answer 68

A

C. These are examples of private IP addresses. RFC1918 defines a set of private IP addresses for use in internal networks. These private addresses including 10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255, and 192.168.0.0 to 196.168.255.255 should never be routable on the public Internet.

Answer 69

A

A. This is an example of a vendor offering a fully functional application as a web-based service. Therefore, it fits under the definition of software as a service (SaaS). In infrastructure as a service (IaaS), compute as a service (CaaS), and platform as a service (PaaS) approaches, the customer provides their own software. In this example, the vendor is providing the email software, so none of those choices is appropriate.

Answer 70

A

D. The Authentication Header provides authentication, integrity, and nonrepudiation for IPsec connections. The Encapsulating Security Payload provides encryption and thus provides confidentiality. It can also provide limited authentication. L2TP is an independent VPN protocol, and Encryption Security Header is a made-up term.

Answer 71

A

D. Need to know is applied when subjects like Alex have access to only the data they need to accomplish their job. Separation of duties is used to limit fraud and abuse by having multiple employees perform parts of a task. Constrained interfaces restrict what a user can see or do and would be a reasonable answer if need to know did not describe his access more completely in this scenario. Context-dependent control relies on the activity being performed to apply controls, and this question does not specify a workflow or process.

Answer 72

A

B. Operational investigations are performed by internal teams to troubleshoot performance or other technical issues. They are not intended to produce evidence for use in court and, therefore, do not have the rigid collection standards of criminal, civil, or regulatory investigations.

Answer 73

A

B. The complexity of brute-forcing a password increases based on both the number of potential characters and the number of letters added. In this case, there are 26 lowercase letters, 26 uppercase letters, and 10 possible digits. That creates 62 possibilities. Since we added only a single letter of length, we get 62^1, or 62 possibilities, and thus, the new passwords would be 62 times harder to brute-force on average.

Answer 74

A

A. Purchasing insurance is a way to transfer risk to another entity.

Answer 75

A

B. The recovery time objective (RTO) is the amount of time that it may take to restore a service after a disaster without unacceptable impact on the business. The RTO for each service is identified during a business impact assessment.

Answer 76

A

A. Retina scans can reveal additional information, including high blood pressure and pregnancy, causing privacy concerns. Newer retina scans don’t require a puff of air, and retina scanners are not the most expensive biometric factor. Their false positive rate can typically be adjusted in software, allowing administrators to adjust their acceptance rate as needed to balance usability and security.

Answer 77

A

C. The SMTP protocol does not guarantee confidentiality between servers, making TLS or SSL between the client and server only a partial measure. Encrypting the email content can provide confidentiality; digital signatures can provide nonrepudiation

Answer 78

A

B. When data reaches the Transport layer, it is sent as segments (TCP) or datagrams (UDP). Above the Transport layer, data becomes a data stream, while below the Transport layer they are converted to packets at the Network layer, frames at the Data Link layer, and bits at the Physical layer.

Answer 79

A

A. Authenticated scans use a read-only account to access configuration files, allowing more accurate testing of vulnerabilities. Web application, unauthenticated scans, and port scans don’t have access to configuration files unless they are inadvertently exposed.

Answer 80

A

B. A baseline is used to ensure a minimum security standard. A policy is the foundation that a standard may point to for authority, and a configuration guide may be built from a baseline to help staff who need to implement it to accomplish their task. An outline is helpful, but outline isn’t the term you’re looking for here.

Answer 81

A

B. Full disk encryption only protects data at rest. Since it encrypts the full disk, it does not distinguish between labeled and unlabeled data.

Answer 82

A

C. This scenario violates the least privilege principle because an application should never require full administrative rights to run. Gwen should update the service account to have only the privileges necessary to support the application.

Answer 83

A

B. When a message reaches the Data Link layer, it is called a frame. Data streams exist at the Application, Presentation, and Session layers, whereas segments and datagrams exist at the Transport layer (for TCP and UDP, respectively).

Answer 84

A

B. Criminal forensic investigations typically have the highest standards for evidence, as they must be able to help prove the case beyond a reasonable doubt. Administrative investigations merely need to meet the standards of the organization and to be able to be defended in court, while civil investigations operate on a preponderance of evidence. There is not a category of forensic investigation referred to as “industry” in the CISSP® exam’s breakdown of forensic types.

Answer 85

A

A. Protected health information (PHI) is defined by HIPAA to include health information used by healthcare providers, such as medical treatment, history, and billing. Personally identifiable information is information that can be used to identify an individual, which may be included in the PHI but isn’t specifically this type of data. Protected health insurance and individual protected data are both made-up terms.

Answer 86

A

D. Fiber-optic cable is more expensive and can be much harder to install than stranded copper cable or coaxial cable, but it isn’t susceptible to electromagnetic interference (EMI). That makes it a great solution for Jen’s problem, especially if she is deploying EMI-hardened systems to go with her EMI-resistant network cables.

Answer 87

A

D. Gray-box testing is a blend of crystal-box (or white-box) testing, which provides full information about a target, and black-box testing, which provides little or no knowledge about the target.

Answer 88

A

D. The Service Organizations Control audit program includes business continuity controls in a SOC 2, but not SOC 1, audit. Although FISMA and PCI DSS may audit business continuity, they would not apply to an email service used by a hospital.

Answer 89

A

C. A mantrap, which is composed of a pair of doors with an access mechanism that allows only one door to open at a time, is an example of a preventive access control because it can stop unwanted access by keeping intruders from accessing a facility because of an opened door or following legitimate staff in. It can serve as a deterrent by discouraging intruders who would be trapped in it without proper access, and of course, doors with locks are an example of a physical control. A compensating control attempts to make up for problems with an existing control or to add additional controls to improve a primary control.

Answer 90

A

C. A unique salt should be created for each user using a secure generation method and stored in that user’s record. Since attacks against hashes rely on building tables to compare the hashes against, unique salts for each user make building tables for an entire database essentially impossible—the work to recover a single user account may be feasible, but large-scale recovery requires complete regeneration of the table each time. A single salt allows rainbow tables to be generated if the salt is stolen or can be guessed based on frequently used passwords. Creating a unique salt each time a user logs in does not allow a match against a known salted hashed password.

Answer 91

A

C. An important part of application threat modeling is threat categorization. It helps to assess attacker goals that influence the controls that should be put in place. The other answers all involve topics that are not directly part of application threat modeling.

Answer 92

A

D. There is no need to conduct forensic imaging as a preventative measure. Rather, forensic imaging should be used during the incident response process. Maintaining patch levels, implementing intrusion detection/prevention, and removing unnecessary services and accounts are all basic preventative measures.

Answer 93

A

C. The two most important elements of a qualitative risk assessment are determining the probability and impact of each risk upon the organization. Likelihood is another word for probability. Cost should be taken into account but is only one element of impact, which also includes reputational damage, operational disruption, and other ill effects.

Answer 94

A

C. The Secure File Transfer Protocol (SFTP) is specifically designed for encrypted file transfer. SSH is used for secure command-line access, whereas TCP is one of the bundles of Internet protocols commonly used to transmit data across a network. IPsec could be used to create a tunnel to transfer the data but is not specifically designed for file transfer.

Answer 95

A

B. Criminal investigations have high stakes with severe punishment for the offender that may include incarceration. Therefore, they use the strictest standard of evidence of all investigations: beyond a reasonable doubt. Civil investigations use a preponderance-of-the-evidence standard. Regulatory investigations may use whatever standard is appropriate for the venue where the evidence will be heard. This may include the beyond-a-reasonable-doubt standard, but it is not always used in regulatory investigations. Operational investigations do not use a standard of evidence.

Answer 96

A

A. During a full interruption test, the team takes down the primary site and confirms that the disaster recovery site is capable of handling regular operations. The full interruption test is the most thorough test but also the most disruptive. During a parallel test, the team actually activates the disaster recovery site for testing but the primary site remains operational. The checklist review is the least disruptive type of disaster recovery test. During a checklist review, team members each review the contents of their disaster recovery checklists on their own and suggest any necessary changes. During a tabletop exercise, team members come together and walk through a scenario without making any changes to information systems.

Answer 97

A

B. Personally identifiable information (PII) can be used to distinguish a person’s identity. Protected health information (PHI) includes data such as medical history, lab results, insurance information, and other details about a patient. Personal protected data is a made-up term, and PID is an acronym for process ID, the number associated with a running program or process.

Answer 98

A

A. Information that is modifiable between a client and a server also means that it is accessible, pointing to both tampering and information disclosure. Spoofing in STRIDE is aimed at credentials and authentication, and there is no mention of this in the question. Repudiation would require that proving who performed an action was important, and elevation of privilege would come into play if privilege levels were involved.

Answer 99

A

C. Risk transference involves shifting the impact of a potential risk from the organization incurring the risk to another organization. Insurance is a common example of risk transference.

Answer 100

A

C. The goal of business continuity planning exercises is to reduce the amount of time required to restore operations. This is done by minimizing the recovery time objective (RTO).

Answer 101

A

B. The maximum allowed length of a Cat 6 cable is 100 meters, or 328 feet. Long distances are typically handled by a fiber run or by using network devices like switches or repeaters.

Answer 102

A

A. Hot sites contain all of the hardware and data necessary to restore operations and may be activated very quickly.

Brainscape's Knowledge GenomeTM

Chapter 8 Test 2 Flashcards

Brainscape's Knowledge Genome^TM