CISSP Practice Test Chapter 7 Security Operations (Sybex) Flashcards
Mary is reviewing the availability controls for the system architecture shown here. What technology is shown that provides fault tolerance for the database servers?
A. Failover cluster
B. UPS
C. Tape backup
D. Cold site
A. Failover cluster
Explanation:
The illustration shows an example of a failover cluster, where DB1 and DB2 are both configured as database servers. At any given time, only one will function as the active database server, while the other remains ready to assume responsibility if the first one fails. While the environment may use UPS, tape backup, and cold sites as disaster recovery and business continuity controls, they are not shown in the diagram.
Joe is the security administrator for an ERP system. He is preparing to create accounts for several new employees. What default access should he give to all of the new employees as he creates the accounts?
A. Read only
B. Editor
C. Administrator
D. No access
D. No access
Explanation:
The principle of least privilege should guide Joe in this case. He should apply no access permissions by default and then give each user the necessary permissions to perform their job responsibilities. Read only, editor, and administrator permissions may be necessary for one or more of these users, but those permissions should be assigned based upon business need and not by default.
Tim is configuring a privileged account management solution for his organization. Which one of the following is not a privileged administrative activity that should be automatically sent to a log of superuser actions?
A. Purging log entries
B. Restoring a system from backup
C. Logging into a workstation
D. Managing user accounts
C. Logging into a workstation
Explanation:
While most organizations would want to log attempts to log in to a workstation, this is not considered a privileged administrative activity and would go through normal logging processes.
When one of the employees of Alice’s company calls in for support, she uses a code word that the company agreed to use if employees were being forced to perform an action. What is this scenario called?
A. Social engineering
B. Duress
C. Force majeure
D. Stockholm syndrome
B. Duress
Explanation:
Duress, or being under threat of violence or other constraints, is a concern for organizations such as banks, jewelry stores, or other organizations where an attacker may attempt to force an employee to perform actions. Organizations that expect that a scenario like this may occur will often use duress code words that let others know that they are performing actions under threat.
Jordan is preparing to bring evidence into court after a cybersecurity incident investigation. He is responsible for preparing the physical artifacts, including affected servers and mobile devices. What type of evidence consists entirely of tangible items that may be brought into a court of law?
A. Documentary evidence
B. Parol evidence
C. Testimonial evidence
D. Real evidence
D. Real evidence
Explanation:
Real evidence consists of things that may actually be brought into a courtroom as evidence. For example, real evidence includes hard disks, weapons, and items containing fingerprints. Documentary evidence consists of written items that may or may not be in tangible form. Testimonial evidence is verbal testimony given by witnesses with relevant information. The parol evidence rule says that when an agreement is put into written form, the written document is assumed to contain all the terms of the agreement.
Lauren wants to ensure that her users only run software that her organization has approved. What technology should she deploy?
A. Blacklisting
B. Configuration management
C. Whitelisting
D. Graylisting
C. Whitelisting
Explanation:
An application whitelist (allowlist) ensures that Lauren's users can run only the applications she has preapproved; the approved applications should be identified by publisher signature or file hash rather than by path or filename, which a user or attacker can simply change. A blacklist (denylist) would require her to maintain a list of every application she does not want to allow, which is a practically impossible task. Graylisting is an anti-spam technique used by mail servers, not an application-control option, and configuration management can help ensure that the right applications are installed on a PC but typically cannot by itself prevent users from running other programs.
Colin is responsible for managing his organization’s use of cybersecurity deception technologies. Which one of the following should he use on a honeypot system to consume an attacker’s time while alerting administrators?
A. Honeynet
B. Pseudoflaw
C. Warning banner
D. Darknet
B. Pseudoflaw
Explanation:
A pseudoflaw is a false vulnerability in a system that may distract an attacker. A honeynet is a network of multiple honeypots that creates a more sophisticated environment for intruders to explore, rather than a feature Colin could use on a honeypot. A darknet is a segment of unused network address space that should have no network activity and, therefore, may be easily used to monitor for illicit activity. A warning banner is a legal tool used to notify intruders that they are not authorized to access a system.
Toni responds to the desk of a user who reports slow system activity. Upon checking outbound network connections from that system, Toni notices a large amount of social media traffic originating from the system. The user does not use social media, and when Toni checks the accounts in question, they contain strange messages that appear encrypted. What is the most likely cause of this traffic?
A. Other users are relaying social media requests through the user’s computer.
B. The user’s computer is part of a botnet.
C. The user is lying about her use of social media.
D. Someone else is using the user’s computer when she is not present.
B. The user’s computer is part of a botnet.
Explanation:
Social media is commonly used as a command-and-control system for botnet activity. The most likely scenario here is that the user’s computer was infected with malware and joined to a botnet. This accounts for both the unusual social media traffic and the slow system activity.
John deploys his website to multiple regions using load balancers around the world through his cloud infrastructure as a service provider. What availability concept is he using?
A. Multiple processing sites
B. Warm sites
C. Cold sites
D. A honeynet
A. Multiple processing sites
Explanation:
John’s design provides multiple processing sites, distributing load to multiple regions. Not only does this provide business continuity and disaster recovery functionality, but it also means that his design will be more resilient to denial-of-service attacks.
Jim would like to identify compromised systems on his network that may be participating in a botnet. He plans to do this by watching for connections made to known command-and-control servers. Which one of the following techniques would be most likely to provide this information if Jim has access to a list of known servers?
A. NetFlow records
B. IDS logs
C. Authentication logs
D. RFC logs
A. NetFlow records
Explanation:
NetFlow records contain an entry for every network communication session that took place on a network and can be compared to a list of known malicious hosts. IDS logs may contain a relevant record, but it is less likely because they would create log entries only if the traffic triggers a signature, whereas NetFlow records encompass all communications. Authentication logs and RFC logs would not have records of any network traffic. One caveat: flow export is only as complete as its configuration, so sampled NetFlow (for example, one packet in a thousand) can miss the short, infrequent sessions that beaconing malware produces.
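The check Jim describes, written out as an added example (this code is not from the Sybex test or any product). The flow export, its field layout, and the indicator list are all constructed for the example; a real feed would be a threat-intelligence export and real NetFlow records carry more fields.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample flow export (not captured data): start time, source,
# destination, destination port, IP protocol number, bytes. Real NetFlow v5/v9
# or IPFIX records carry more fields, but these are the ones needed here.
SAMPLE_FLOWS = """\
2024-03-01T09:00:01,10.0.1.25,203.0.113.10,443,6,1820
2024-03-01T09:00:07,10.0.1.25,198.51.100.77,8443,6,412
2024-03-01T09:05:12,10.0.2.8,93.184.216.34,80,6,9021
2024-03-01T09:06:30,10.0.2.8,198.51.100.77,8443,6,398
2024-03-01T09:11:30,10.0.2.8,198.51.100.77,8443,6,401
2024-03-01T09:20:00,10.0.3.3,203.0.113.10,53,17,88
"""

# Constructed indicator list standing in for a threat-intelligence feed of
# known C2 servers. Entries may be single hosts or whole netblocks.
KNOWN_C2 = ["198.51.100.77", "203.0.113.0/24"]


@dataclass
class Flow:
    start: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: int
    nbytes: int


def parse_flows(text):
    """Parse the CSV-style export into Flow records."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, src, dst, dport, proto, nbytes = line.split(",")
        flows.append(Flow(start, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                          int(dport), int(proto), int(nbytes)))
    return flows


def load_indicators(entries):
    """Normalize hosts and CIDR blocks to network objects (a host becomes a /32)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def find_c2_contacts(flows, indicators):
    """Map each internal source to the flows it sent to a known C2 destination."""
    hits = defaultdict(list)
    for f in flows:
        if any(f.dst in net for net in indicators):
            hits[str(f.src)].append(f)
    return dict(hits)


def repeat_contacts(hits, minimum=2):
    """Sources that reached the same C2 destination at least `minimum` times;
    repeated contacts to one server are the beaconing pattern a bot produces."""
    suspects = {}
    for src, flows in hits.items():
        per_dst = defaultdict(int)
        for f in flows:
            per_dst[str(f.dst)] += 1
        repeated = {d: n for d, n in per_dst.items() if n >= minimum}
        if repeated:
            suspects[src] = repeated
    return suspects


if __name__ == "__main__":
    hits = find_c2_contacts(parse_flows(SAMPLE_FLOWS), load_indicators(KNOWN_C2))
    for src, flows in hits.items():
        print(src, "->", sorted({f"{f.dst}:{f.dport}" for f in flows}))
    print("beaconing candidates:", repeat_contacts(hits))
```

Matching on destination address alone produces hits for every internal host that touched an indicator; the `repeat_contacts` pass narrows that to hosts returning to the same server, which is what a bot checking in for commands looks like and is the first list a responder would triage.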
For questions 11–15, please refer to the following scenario: Gary was recently hired as the first chief information security officer (CISO) for a local government agency. The agency recently suffered a security breach and is attempting to build a new information security program. Gary would like to apply some best practices for security operations as he is designing this program. As Gary decides what access permissions he should grant to each user, what principle should guide his decisions about default permissions?
A. Separation of duties
B. Least privilege
C. Aggregation
D. Separation of privileges
B. Least privilege
Explanation:
Gary should follow the least privilege principle and assign users only the permissions they need to perform their job responsibilities. Aggregation is a term used to describe the unintentional accumulation of privileges over time, also known as privilege creep. Separation of duties and separation of privileges are principles used to secure sensitive processes.
As Gary designs the program, he uses the matrix shown here. What principle of information security does this matrix most directly help enforce?
A. Segregation of duties
B. Aggregation
C. Two-person control
D. Defense in depth
A. Segregation of duties
Explanation:
The matrix shown in the figure is known as a segregation of duties matrix. It is used to ensure that one person does not obtain two privileges that would create a potential conflict. Aggregation is a term used to describe the unintentional accumulation of privileges over time, also known as privilege creep. Two-person control is used when two people must work together to perform a sensitive action. Defense in depth is a general security principle used to describe a philosophy of overlapping security controls.
Gary is preparing to create an account for a new user and assign privileges to the HR database. What two elements of information must Gary verify before granting this access?
A. Credentials and need to know
B. Clearance and need to know
C. Password and clearance
D. Password and biometric scan
B. Clearance and need to know
Explanation:
Before granting access, Gary should verify that the user has a valid security clearance and a business need to know the information. Gary is performing an authorization task, so he does not need to verify the user’s credentials, such as a password or biometric scan.
Gary is preparing to develop controls around access to root encryption keys and would like to apply a principle of security designed specifically for very sensitive operations. Which principle should he apply?
A. Least privilege
B. Defense in depth
C. Security through obscurity
D. Two-person control
D. Two-person control
Explanation:
Gary should follow the principle of two-person control by requiring simultaneous action by two separate authorized individuals to gain access to the encryption keys. He should also apply the principles of least privilege and defense in depth, but these principles apply to all operations and are not specific to sensitive operations. Gary should avoid the security through obscurity principle, the reliance upon the secrecy of security mechanisms to provide security for a system or process.
How often should Gary and his team conduct a review of the privileged access that a user has to sensitive systems? (Select all that apply.)
A. On a periodic basis
B. When a user leaves the organization
C. When a user changes roles
D. On a daily basis
A. On a periodic basis
B. When a user leaves the organization
C. When a user changes roles
Explanation:
Privileged access reviews are one of the most critical components of an organization’s security program because they ensure that only authorized users have access to perform the most sensitive operations. They should take place whenever a user with privileged access leaves the organization or changes roles as well as on a regular, recurring basis. However, it is not reasonable to expect that these time-consuming reviews would take place on a daily basis.
Which one of the following terms is often used to describe a collection of unrelated patches released in a large collection?
A. Hotfix
B. Update
C. Security fix
D. Service pack
D. Service pack
Explanation:
Hotfixes, updates, and security fixes are all synonyms for single patches designed to correct a single problem. Service packs are collections of many different updates that serve as a major update to an operating system or application.
Tonya is collecting evidence from a series of systems that were involved in a cybersecurity incident. A colleague suggests that she use a forensic disk controller for the collection process. What is the function of this device?
A. Masking error conditions reported by the storage device
B. Transmitting write commands to the storage device
C. Intercepting and modifying or discarding commands sent to the storage device
D. Preventing data from being returned by a read operation sent to the device
C. Intercepting and modifying or discarding commands sent to the storage device
Explanation:
A forensic disk controller (hardware write blocker) performs four functions. One of those, write blocking, intercepts write commands sent to the device and prevents them from modifying data on the device. The other three functions are returning data requested by a read operation, returning access-significant information from the device (such as its identity and size), and reporting errors from the device back to the forensic host. Before relying on a particular write blocker, confirm that it has been validated (for example, through the NIST Computer Forensic Tool Testing program) and hash the source media before and after acquisition to demonstrate that nothing changed.
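A simulation of those four functions, added here as an example (not from the Sybex test or any vendor's firmware). The `Disk` class, the command names, and the evidence bytes are all constructed for the example; a real controller filters ATA or SCSI commands on the bus rather than Python method calls.

```python
import hashlib


class Disk:
    """Toy block device: a byte array plus the commands a host would send it."""

    def __init__(self, data, model="EXAMPLE-EVIDENCE-DISK"):
        self.storage = bytearray(data)
        self.model = model

    def read(self, offset, length):
        if offset < 0 or offset + length > len(self.storage):
            raise OSError(f"read of {length} bytes at {offset} is beyond end of device")
        return bytes(self.storage[offset:offset + length])

    def write(self, offset, data):
        self.storage[offset:offset + len(data)] = data

    def identify(self):
        return {"model": self.model, "bytes": len(self.storage)}

    def digest(self):
        return hashlib.sha256(self.storage).hexdigest()


class ForensicController:
    """Sits between the examiner's host and the evidence disk.

    Read and identify commands are forwarded and their results returned;
    errors raised by the device are reported back to the host unchanged;
    anything that could modify the media is logged and discarded, never
    forwarded.
    """

    PASS_THROUGH = {"READ", "IDENTIFY"}
    BLOCKED = {"WRITE", "TRIM", "FORMAT", "SECURITY_ERASE"}

    def __init__(self, disk):
        self.disk = disk
        self.blocked_log = []

    def send(self, command, *args):
        if command in self.BLOCKED:
            self.blocked_log.append((command, args))
            return None  # discarded; the media is untouched
        if command == "READ":
            return self.disk.read(*args)  # an OSError from the device propagates
        if command == "IDENTIFY":
            return self.disk.identify()
        raise ValueError(f"unsupported command {command!r}")


def acquire(controller, chunk=4096):
    """Image the device through the controller; return the image and its hash.

    The hash is what goes in the chain-of-custody record and is compared with
    a fresh hash of the source media to prove acquisition changed nothing.
    """
    size = controller.send("IDENTIFY")["bytes"]
    image = b"".join(controller.send("READ", off, min(chunk, size - off))
                     for off in range(0, size, chunk))
    return image, hashlib.sha256(image).hexdigest()


if __name__ == "__main__":
    evidence = Disk(b"evidence" * 100)
    wb = ForensicController(evidence)
    wb.send("WRITE", 0, b"XXXX")  # the host's attempt to touch the media
    image, digest = acquire(wb, chunk=100)
    print("blocked:", wb.blocked_log)
    print("image hash matches source:", digest == evidence.digest())
```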
Lydia is processing access control requests for her organization. She comes across a request where the user does have the required security clearance, but there is no business justification for the access. Lydia denies this request. What security principle is she following?
A. Need to know
B. Least privilege
C. Separation of duties
D. Two-person control
A. Need to know
Explanation:
Lydia is following the need to know principle. While the user may have the appropriate security clearance to access this information, no business justification was provided, so Lydia cannot establish that the user has a need to know the information. Clearance alone is never sufficient; both conditions must hold before access is granted.
Helen is tasked with implementing security controls in her organization that might be used to deter fraudulent insider activity. Which one of the following mechanisms would be LEAST useful to her work?
A. Job rotation
B. Mandatory vacations
C. Incident response
D. Two-person control
C. Incident response
Explanation:
Job rotation and mandatory vacations deter fraud by increasing the likelihood that it will be detected. Two-person control deters fraud by requiring collusion between two employees. Incident response does not normally serve as a deterrent mechanism.
Matt wants to ensure that critical network traffic from systems throughout his company is prioritized over web browsing and social media use at this company. What technology can he use to do this?
A. VLANs
B. QoS
C. VPN
D. ISDN
B. QoS
Explanation:
Quality of service is a feature found on routers and other network devices that can prioritize specific network traffic. QoS policies define which traffic is prioritized, and traffic is then handled based on the policy.
Tom is responding to a recent security incident and is seeking information on the approval process for a recent modification to a system’s security settings. Where would he most likely find this information?
A. Change log
B. System log
C. Security log
D. Application log
A. Change log
Explanation:
The change log contains information about approved changes and the change management process. While other logs may contain details about the change's effect, the audit trail for change management would be found in the change log.
Staff from Susan’s company often travel internationally and require connectivity to corporate systems for their work. Susan believes that these users may be targeted for corporate espionage activities because of the technologies that her company is developing and wants to include advice in the security training provided to international travelers. What practice should Susan recommend that they adopt for connecting to networks while they travel?
A. Only connect to public WiFi.
B. Use a VPN for all connections.
C. Only use websites that support TLS.
D. Do not connect to networks while traveling.
B. Use a VPN for all connections.
Explanation:
While it may be tempting to tell her staff to simply not connect to any network, Susan knows that they will need connectivity to do their work. Using a VPN to connect their laptops and mobile devices to a trusted network and ensuring that all traffic is tunneled through the VPN is her best bet to secure their internet usage. Susan may also want to ensure that they take “clean” laptops and devices that do not contain sensitive information or documents and that those systems are fully wiped and reviewed when they return.
Ricky is seeking a list of information security vulnerabilities in applications, devices, and operating systems. Which one of the following threat intelligence sources would be most useful to him?
A. OWASP
B. Bugtraq
C. Microsoft Security Bulletins
D. CVE
D. CVE
Explanation:
The Common Vulnerabilities and Exposures (CVE) list assigns standardized identifiers and descriptions to publicly known vulnerabilities in applications, devices, and operating systems. The Open Web Application Security Project (OWASP) publishes general guidance on application security issues, best known for web applications, but does not catalog specific vulnerabilities. The Bugtraq mailing list and Microsoft Security Bulletins (since replaced by the Microsoft Security Update Guide) are good sources of vulnerability information but are not comprehensive databases of known issues.
Which of the following would normally be considered an example of a disaster when performing disaster recovery planning? (Select all that apply.)
A. Hacking incident
B. Flood
C. Fire
D. Terrorism
A. Hacking incident
B. Flood
C. Fire
D. Terrorism
Explanation:
A disaster is any event that can disrupt normal IT operations and can be either natural or manmade. Hacking and terrorism are examples of manmade disasters, while flooding and fire are examples of natural disasters.
Glenda would like to conduct a disaster recovery test and is seeking a test that will allow a review of the plan with no disruption to normal information system activities and as minimal a commitment of time as possible. What type of test should she choose?
A. Tabletop exercise
B. Parallel test
C. Full interruption test
D. Checklist review
D. Checklist review
Explanation:
The checklist review is the least disruptive type of disaster recovery test. During a checklist review, team members each review the contents of their disaster recovery checklists on their own and suggest any necessary changes. During a tabletop exercise, team members come together and walk through a scenario without making any changes to information systems. During a parallel test, the team actually activates the disaster recovery site for testing, but the primary site remains operational. During a full interruption test, the team takes down the primary site and confirms that the disaster recovery site is capable of handling regular operations. The full interruption test is the most thorough test but also the most disruptive.
Which one of the following is not an example of a backup tape rotation scheme?
A. Grandfather/Father/Son
B. Meet in the middle
C. Tower of Hanoi
D. Six Cartridge Weekly
B. Meet in the middle
Explanation:
The Grandfather/Father/Son, Tower of Hanoi, and Six Cartridge Weekly schemes are all different approaches to rotating backup media that balance reuse of media with data retention concerns. Meet-in-the-middle is a cryptographic attack against double encryption, the reason 2DES offers little more security than single DES.
Helen is implementing a new security mechanism for granting employees administrative privileges in the accounting system. She designs the process so that both the employee’s manager and the accounting manager must approve the request before the access is granted. What information security principle is Helen enforcing?
A. Least privilege
B. Two-person control
C. Job rotation
D. Separation of duties
B. Two-person control
Explanation:
In this scenario, Helen designed a process that requires the concurrence of two people to perform a sensitive action. This is an example of two-person control. This is different from separation of duties, where one individual may not have two separate permissions that, when combined, might allow an unwanted action. Separation of duties applied to a situation like this one might say that the same person may not have both the ability to initiate a request and the ability to approve a request. Least privilege says that an individual should have only the necessary permissions required to carry out their job function. Job rotation is a scheme that has users periodically shift job functions in order to detect malfeasance.
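The segregation of duties matrix from Gary's scenario and Helen's two-approver process, combined into one added example (this code is not from the Sybex test). The conflict matrix, the privilege names, the approval role names, and the people are all constructed for the example.

```python
# Constructed segregation-of-duties matrix: each entry is a pair of privileges
# that one person must never hold at the same time. In a real program this
# would come from the matrix the application owners maintain.
SOD_CONFLICTS = {
    frozenset({"ap.create_vendor", "ap.approve_payment"}),
    frozenset({"ap.enter_invoice", "ap.approve_payment"}),
    frozenset({"hr.create_employee", "payroll.run"}),
}


def sod_violations(privileges):
    """Conflicting pairs present in one user's privilege set (empty if clean)."""
    held = set(privileges)
    return sorted(tuple(sorted(pair)) for pair in SOD_CONFLICTS if pair <= held)


def can_grant(current, requested):
    """Adding `requested` to `current` must not complete a conflicting pair."""
    return not sod_violations(set(current) | {requested})


class PrivilegedAccessRequest:
    """A request that is granted only when every required approval role has
    been exercised by a distinct person, none of whom is the requester or the
    beneficiary. Role names are assumptions for the example."""

    def __init__(self, requester, target_user, privilege, required_roles):
        self.requester = requester
        self.target_user = target_user
        self.privilege = privilege
        self.required_roles = frozenset(required_roles)
        self.approvals = {}  # approver -> role they approved in

    def approve(self, approver, role):
        if approver in (self.requester, self.target_user):
            raise ValueError("requester/beneficiary cannot approve their own request")
        if role not in self.required_roles:
            raise ValueError(f"{role!r} is not an approval role for this request")
        if role in self.approvals.values():
            raise ValueError(f"{role!r} approval already recorded")
        if approver in self.approvals:
            raise ValueError("one person cannot supply two of the required approvals")
        self.approvals[approver] = role

    @property
    def granted(self):
        return set(self.approvals.values()) == set(self.required_roles)


def request_privilege(current_privileges, request):
    """Final check before provisioning: all approvals present and no SoD conflict."""
    if not request.granted:
        return False, "awaiting approvals"
    if not can_grant(current_privileges, request.privilege):
        conflicts = sod_violations(set(current_privileges) | {request.privilege})
        return False, f"SoD conflict: {conflicts}"
    return True, "grant"


if __name__ == "__main__":
    req = PrivilegedAccessRequest("carol", "dave", "ap.approve_payment",
                                  ["line_manager", "accounting_manager"])
    req.approve("alice", "line_manager")
    req.approve("bob", "accounting_manager")
    print(request_privilege(["ap.enter_invoice"], req))  # dave already enters invoices
    print(request_privilege(["reports.view"], req))
```

The two checks are deliberately separate: the approval object enforces two-person control (two distinct approvers, neither of them the requester or beneficiary), and `can_grant` enforces separation of duties on the resulting privilege set. Two managers agreeing is not a reason to let one person both enter and approve payments.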
Frank is considering the use of different types of evidence in an upcoming criminal matter. Which one of the following is not a requirement for evidence to be admissible in court?
A. The evidence must be relevant.
B. The evidence must be material.
C. The evidence must be tangible.
D. The evidence must be competently acquired.
C. The evidence must be tangible.
Explanation:
Evidence provided in court must be relevant to determining a fact in question, material to the case at hand, and competently obtained. Evidence does not need to be tangible. Witness testimony is an example of intangible evidence that may be offered in court.
Harold recently completed leading the postmortem review of a security incident. What documentation should he prepare next?
A. A lessons learned document
B. A risk assessment
C. A remediation list
D. A mitigation checklist
A. A lessons learned document
Explanation:
A lessons learned document is often created and distributed to involved parties after a postmortem review to ensure that those who were involved in the incident and others who may benefit from the knowledge are aware of what they can do to prevent future issues and to improve response in the event that one occurs.
Beth is creating a new cybersecurity incident response team (CSIRT) and would like to determine the appropriate team membership. Which of the following groups would she normally include? (Select all that apply.)
A. Information security
B. Law enforcement
C. Senior management
D. Public affairs
A. Information security
C. Senior management
D. Public affairs
Explanation:
CSIRT representation normally includes at least representatives of senior management, information security professionals, legal representatives, public affairs staff, and engineering/technical staff. Law enforcement personnel would not be included on such a team and would only be consulted as necessary.
Sam is responsible for backing up his company’s primary file server. He configured a backup schedule that performs full backups every Monday evening at 9 p.m. and differential backups on other days of the week at that same time. Files change according to the information shown in the following figure. How many files will be copied in Wednesday’s backup?
A. 2
B. 3
C. 5
D. 6
C. 5
Explanation:
In this scenario, all the files on the server will be backed up on Monday evening during the full backup. The differential backup on Wednesday will then copy all files modified since the last full backup. These include files 1, 2, 3, 5, and 6: a total of five files.
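The figure the question refers to is not reproduced on this page, so the following added example (not from the Sybex test) uses its own constructed modification history to show how differential and incremental schedules differ in what each day's backup copies and in what a restore has to read back.

```python
# Constructed modification history (not the figure from the question): day 0 is
# the Monday on which the 9 p.m. full backup runs; each list holds the days
# (1 = Tuesday ... 6 = Sunday) on which the file was modified before that
# evening's backup.
MODIFIED = {
    "file1": [1],
    "file2": [1, 2],
    "file3": [2],
    "file4": [],
    "file5": [1],
    "file6": [3],
}

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def files_copied(day, modified, scheme):
    """Files written by the backup taken on `day` under the given scheme.

    day 0        : the full backup copies everything regardless of scheme
    differential : everything changed since the last full backup (day 0)
    incremental  : everything changed since the previous day's backup
    """
    if day == 0:
        return sorted(modified)
    if scheme == "differential":
        since = 0
    elif scheme == "incremental":
        since = day - 1
    else:
        raise ValueError(f"unknown scheme {scheme!r}")
    return sorted(f for f, days in modified.items() if any(since < d <= day for d in days))


def restore_chain(day, scheme):
    """Backup sets that must be read, in order, to restore the state of `day`."""
    if day == 0:
        return ["full@Mon"]
    if scheme == "differential":
        return ["full@Mon", f"differential@{DAYS[day]}"]
    return ["full@Mon"] + [f"incremental@{DAYS[d]}" for d in range(1, day + 1)]


def weekly_volume(modified, scheme):
    """Total file copies made across the week: the price of a shorter restore chain."""
    return sum(len(files_copied(d, modified, scheme)) for d in range(7))


if __name__ == "__main__":
    for scheme in ("differential", "incremental"):
        print(scheme, "Wednesday copies:", files_copied(2, MODIFIED, scheme))
        print(scheme, "restore Thursday:", restore_chain(3, scheme))
        print(scheme, "weekly copies:", weekly_volume(MODIFIED, scheme))
```

Differential backups grow through the week because each one repeats everything changed since Monday, but a restore needs only two sets; incrementals stay small and a restore needs every set since the full, so losing one tape breaks the chain.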
Which one of the following security tools is not capable of generating an active response to a security event?
A. IPS
B. Firewall
C. IDS
D. Antivirus software
C. IDS
Explanation:
Intrusion detection systems (IDSs) provide only passive responses, such as alerting administrators to a suspected attack. Intrusion prevention systems and firewalls, on the other hand, may take action to block an attack attempt. Antivirus software also may engage in active response by quarantining suspect files.
Scott is responsible for disposing of disk drives that have been pulled from his company’s SAN as they are retired. Which of the following options should he avoid if the data on the SAN is considered highly sensitive by his organization?
A. Destroy them physically.
B. Sign a contract with the SAN vendor that requires appropriate disposal and provides a certification process.
C. Reformat each drive before it leaves the organization.
D. Use a secure wipe tool like DBAN.
C. Reformat each drive before it leaves the organization.
Explanation:
Physical destruction, an appropriate contract with certification, and secure wiping are all reasonable options. In each case, a careful inventory and check should be done to ensure that each drive is handled appropriately. Reformatting drives can leave remnant data, making this a poor data lifecycle choice for drives that contain sensitive data. Note also that overwrite-based tools such as DBAN were designed for magnetic drives; on SSDs, wear leveling and over-provisioned space mean an overwrite can miss data, so use the drive's built-in sanitize command (ATA Secure Erase or NVMe Sanitize), cryptographic erase, or physical destruction instead.
What term is used to describe the default set of privileges assigned to a user when a new account is created?
A. Aggregation
B. Transitivity
C. Baseline
D. Entitlement
D. Entitlement
Explanation:
Entitlement refers to the privileges granted to users when an account is first provisioned.
Which one of the following types of agreements is the most formal document that contains expectations about availability and other performance parameters between a service provider and a customer?
A. Service-level agreement (SLA)
B. Operational-level agreement (OLA)
C. Memorandum of understanding (MOU)
D. Statement of work (SOW)
A. Service-level agreement (SLA)
Explanation:
The service-level agreement (SLA) is between a service provider and a customer and documents in a formal manner expectations around availability, performance, and other parameters. An MOU may cover the same items but is not as formal a document. An OLA is between internal service organizations and does not involve customers. An SOW is an addendum to a contract describing work to be performed.
As the CIO of a large organization, Clara would like to adopt standard processes for managing IT activities. Which one of the following frameworks focuses on IT service management and includes topics such as change management, configuration management, and service-level agreements?
A. ITIL
B. PMBOK
C. PCI DSS
D. TOGAF
A. ITIL
Explanation:
The IT Infrastructure Library (ITIL) framework focuses on IT service management. The Project Management Body of Knowledge (PMBOK) provides a common core of project management expertise. The Payment Card Industry Data Security Standard (PCI DSS) contains requirements for payment card security. The Open Group Architecture Framework (TOGAF) focuses on IT architecture issues.
Richard is experiencing issues with the quality of network service on his organization’s network. The primary symptom is that packets are consistently taking too long to travel from their source to their destination. What term describes the issue Richard is facing?
A. Jitter
B. Packet loss
C. Interference
D. Latency
D. Latency
Explanation:
Latency is a delay in the delivery of packets from their source to their destination. Jitter is a variation in the latency for different packets. Packet loss is the disappearance of packets in transit that requires retransmission. Interference is electrical noise or other disruptions that corrupt the contents of packets.
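The four terms separated with numbers, as an added example (not from the Sybex test). The probe series and the thresholds in `diagnose` are constructed assumptions for the example; jitter is computed as the mean absolute difference between consecutive samples rather than the smoothed RTP estimator of RFC 3550, which is harder to read but measures the same thing.

```python
def round_trip_stats(samples):
    """samples: round-trip times in ms for consecutive probes, None = no reply.

    Returns (mean_latency_ms, jitter_ms, packet_loss_ratio). Jitter is the mean
    absolute difference between consecutive successful samples, i.e. how much
    the delay varies rather than how large it is.
    """
    if not samples:
        raise ValueError("no samples")
    received = [s for s in samples if s is not None]
    loss = 1 - len(received) / len(samples)
    if not received:
        return None, None, loss
    mean = sum(received) / len(received)
    diffs = [abs(b - a) for a, b in zip(received, received[1:])]
    jitter = sum(diffs) / len(diffs) if diffs else 0.0
    return mean, jitter, loss


def diagnose(samples, max_latency_ms=150.0, max_jitter_ms=30.0, max_loss=0.01):
    """Name the quality problems present. Thresholds are assumed for the example;
    real values depend on the application (voice is far less tolerant than email)."""
    mean, jitter, loss = round_trip_stats(samples)
    issues = []
    if mean is not None and mean > max_latency_ms:
        issues.append("latency")
    if jitter is not None and jitter > max_jitter_ms:
        issues.append("jitter")
    if loss > max_loss:
        issues.append("loss")
    return issues


# Constructed probe series (not measurements from any real network).
RICHARD = [398, 402, 401, 399, 400, 403, 397, 401]   # consistently slow, but steady
BURSTY = [42, 41, 44, None, 43, 120, 42, 41]          # one drop and one spike

if __name__ == "__main__":
    for name, series in (("richard", RICHARD), ("bursty", BURSTY)):
        print(name, round_trip_stats(series), diagnose(series))
```

Richard's series shows why the answer is latency: every packet is slow by about the same amount, so the variation (jitter) is tiny and nothing is lost; the second series has acceptable average delay but a dropped probe, a different problem with a different fix.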
Joe wants to test a program he suspects may contain malware. What technology can he use to isolate the program while it runs?
A. ASLR
B. Sandboxing
C. Clipping
D. Process isolation
B. Sandboxing
Explanation:
Running the program in a sandbox provides isolation that can prevent the malware from affecting other applications or systems. If Joe instruments the sandbox appropriately, he can observe what the program does, what changes it makes, and any communications it attempts. ASLR is a memory-layout randomization defense, not an isolation mechanism. Process isolation keeps processes from interfering with each other, but a sandbox typically offers more in a scenario like this because it can be instrumented and managed in a way that supports an investigation. Clipping is a term from signal processing (and, in logging, the threshold below which events are not recorded); it has nothing to do with isolation.
Which one of the following is an example of a non-natural disaster?
A. Hurricane
B. Flood
C. Mudslide
D. Transformer explosion
D. Transformer explosion
Explanation:
A transformer explosion is a failure of a human-made electrical component. Flooding, mudslides, and hurricanes are all examples of natural disasters.
Anne wants to gather information about security settings as well as build an overall view of her organization’s assets by gathering data about a group of Windows 10 workstations spread throughout her company. What Windows tool is best suited to this type of configuration management task?
A. SCCM
B. Group Policy
C. SCOM
D. A custom PowerShell script
A. SCCM
Explanation:
System Center Configuration Manager (SCCM, since renamed Microsoft Endpoint Configuration Manager and now Microsoft Configuration Manager) provides this capability and is designed to allow administrators to evaluate the configuration status of Windows workstations and servers, as well as providing asset management data. SCOM is primarily used to monitor health and performance, Group Policy can be used for a variety of tasks including deploying settings and software, and custom PowerShell scripts could do this but should not be required for a configuration check.