CISSP Practice Test Chapter 7 Security Operations (Sybex) Flashcards

1
Q

Mary is reviewing the availability controls for the system architecture shown here. What technology is shown that provides fault tolerance for the database servers?

A. Failover cluster
B. UPS
C. Tape backup
D. Cold site

A

A. Failover cluster

Explanation:
The illustration shows an example of a failover cluster, where DB1 and DB2 are both configured as database servers. At any given time, only one will function as the active database server, while the other remains ready to assume responsibility if the first one fails. While the environment may use UPS, tape backup, and cold sites as disaster recovery and business continuity controls, they are not shown in the diagram.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Joe is the security administrator for an ERP system. He is preparing to create accounts for several new employees. What default accesss hould he give to all of the new employees as he creates the accounts?

A. Read only
B. Editor
C. Administrator
D. No access

A

D. No access

Explanation:
The principle of least privilege should guide Joe in this case. He should apply no access permissions by default and then give each user the necessary permissions to perform their job responsibilities. Read only, editor, and administrator permissions may be necessary for one or more of these users, but those permissions should be assigned based upon business need and not by default.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Tim is configuring a privileged account management solution for his organization. Which one of the following is not a privileged administrative activity that should be automatically sent to a log of superuser actions?

A. Purging log entries
B. Restoring a system from backup
C. Logging into a workstation
D. Managing user accounts

A

C. Logging into a workstation

Explanation:
While most organizations would want to log attempts to log in to a workstation, this is not considered a privileged administrative activity and would go through normal logging processes.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

When one of the employees of Alice’s company calls in for support, she uses a code word that the company agreed to use if employees were being forced to perform an action. What is this scenario called?

A. Social engineering
B. Duress
C. Force majeure
D. Stockholm syndrome

A

B. Duress

Explanation:
Duress, or being under threat of violence or other constraints, is a concern for organizations such as banks, jewelry stores, or other organizations where an attacker may attempt to force an employee to perform actions. Organizations that expect that a scenario like this may occur will often use duress code words that let others know that they are performing actions under threat.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Jordan is preparing to bring evidence into court after a cybersecurity incident investigation. He is responsible for preparing the physical artifacts, including affected servers and mobile devices. What type of evidence consists entirely of tangible items that may be brought into a court of law?

A. Documentary evidence
B. Parol evidence
C. Testimonial evidence
D. Real evidence

A

D. Real evidence

Explanation:
D. Real evidence consists of things that may actually be brought into a courtroom as evidence. For example, real evidence includes hard disks, weapons, and items containing fingerprints. Documentary evidence consists of written items that may or may not be in tangible form. Testimonial evidence is verbal testimony given by witnesses with relevant information. The parol evidence rule says that when an agreement is put into written form, the written document is assumed to contain all the terms of the agreement.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Lauren wants to ensure that her users only run software that her organization has approved. What technology should she deploy?

A. Blacklisting
B. Configuration management
C. Whitelisting
D. Graylisting

A

C. Whitelisting

Explanation:
A whitelist of allowed applications will ensure that Lauren’s users can run only the applications that she preapproves. Blacklists would require her to maintain a list of every application that she doesn’t want to allow, which is an almost impossible task. Graylisting is not a technology option, and configuration management can be useful for making sure the right applications are on a PC but typically can’t directly prevent users from running undesired applications or programs.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Colin is responsible for managing his organization’s use of cybersecurity deception technologies. Which one of the following should he use on a honeypot system to consume an attacker’s time while alerting administrators?

A. Honeynet
B. Pseudoflaw
C. Warning banner
D. Darknet

A

B. Pseudoflaw

Explanation:
A pseudoflaw is a false vulnerability in a system that may distract an attacker. A honeynet is a network of multiple honeypots that creates a more sophisticated environment for intruders to explore, rather than a feature Colin could use on a honeypot. A darknet is a segment of unused network address space that should have no network activity and, therefore, may be easily used to monitor for illicit activity. A warning banner is a legal tool used to notify intruders that they are not authorized to access a system.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Toni responds to the desk of a user who reports slow system activity. Upon checking outbound network connections from that system, Toni notices a large amount of social media traffic originating from the system. The user does not use social media, and when Toni checks the accounts in question, they contain strange messages that appear encrypted. What is the most likely cause of this traffic?

A. Other users are relaying social media requests through the user’s computer.
B. The user’s computer is part of a botnet.
C. The user is lying about her use of social media.
D. Someone else is using the user’s computer when she is not present.

A

B. The user’s computer is part of a botnet.

Explanation:
Social media is commonly used as a command-and-control system for botnet activity. The most likely scenario here is that the user’s computer was infected with malware and joined to a botnet. This accounts for both the unusual social media traffic and the slow system activity.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

John deploys his website to multiple regions using load balancers around the world through his cloud infrastructure as a service provider. What availability concept is he using?

A. Multiple processing sites
B. Warm sites
C. Cold sites
D. A honeynet

A

A. Multiple processing sites

Explanation:
John’s design provides multiple processing sites, distributing load to multiple regions. Not only does this provide business continuity and disaster recovery functionality, but it also means that his design will be more resilient to denial-of-service attacks.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Jim would like to identify compromised systems on his network that may be participating in a botnet. He plans to do this by watching for connections made to known command-and-control servers. Which one of the following techniques would be most likely to provide this information if Jim has access to a list of known servers?

A. NetFlow records
B. IDS logs
C. Authentication logs
D. RFC logs

A

A. NetFlow records

Explanation:
NetFlow records contain an entry for every network communication session that took place on a network and can be compared to a list of known malicious hosts. IDS logs may contain a relevant record, but it is less likely because they would create log entries only if the traffic triggers the IDS, as opposed to NetFlow records, which encompass all communications. Authentication logs and RFC logs would not have records of any network traffic.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

For questions 11–15, please refer to the following scenario: Gary was recently hired as the first chief information security officer (CISO) for a local government agency. The agency recently suffered a security breach and is attempting to build a new information security program. Gary would like to apply some best practices for security operations as he is designing this program. As Gary decides what access permissions he should grant to each user, what principle should guide his decisions about default permissions?

A. Separation of duties
B. Least privilege
C. Aggregation
D. Separation of privileges

A

B. Least privilege

Explanation:
Gary should follow the least privilege principle and assign users only the permissions they need to perform their job responsibilities. Aggregation is a term used to describe the unintentional accumulation of privileges over time, also known as privilege creep. Separation of duties and separation of privileges are principles used to secure sensitive processes.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

As Gary designs the program, he uses the matrix shown here. What principle of information security does this matrix most directly help enforce?

A. Segregation of duties
B. Aggregation
C. Two-person control
D. Defense in depth

A

A. Segregation of duties

Explanation:
The matrix shown in the figure is known as a segregation of duties matrix. It is used to ensure that one person does not obtain two privileges that would create a potential conflict. Aggregation is a term used to describe the unintentional accumulation of privileges over time, also known as privilege creep. Two-person control is used when two people must work together to perform a sensitive action. Defense in depth is a general security principle used to describe a philosophy of overlapping security controls.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Gary is preparing to create an account for a new user and assign privileges to the HR database. What two elements of information must Gary verify before granting this access?

A. Credentials and need to know
B. Clearance and need to know
C. Password and clearance
D. Password and biometric scan

A

B. Clearance and need to know

Explanation:
Before granting access, Gary should verify that the user has a valid security clearance and a business need to know the information. Gary is performing an authorization task, so he does not need to verify the user’s credentials, such as a password or biometric scan.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Gary is preparing to develop controls around access to root encryption keys and would like to apply a principle of security designed specifically for very sensitive operations. Which principle should he apply?

A. Least privilege
B. Defense in depth
C. Security through obscurity
D. Two-person control

A

D. Two-person control

Explanation:
Gary should follow the principle of two-person control by requiring simultaneous action by two separate authorized individuals to gain access to the encryption keys. He should also apply the principles of least privilege and defense in depth, but these principles apply to all operations and are not specific to sensitive operations. Gary should avoid the security through obscurity principle, the reliance upon the secrecy of security mechanisms to provide security for a system or process.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

How often should Gary and his team conduct a review of the privileged access that a user has to sensitive systems? (Select all that apply.)

A. On a periodic basis
B. When a user leaves the organization
C. When a user changes roles
D. On a daily basis

A

A. On a periodic basis
B. When a user leaves the organization
C. When a user changes roles

Explanation:
Privileged access reviews are one of the most critical components of an organization’s security program because they ensure that only authorized users have access to perform the most sensitive operations. They should take place whenever a user with privileged access leaves the organization or changes roles as well as on a regular, recurring basis. However, it is not reasonable to expect that these time-consuming reviews would take place on a daily basis.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Which one of the following terms is often used to describe a collection of unrelated patches released in a large collection?

A. Hotfix
B. Update
C. Security fix
D. Service pack

A

D. Service pack

Explanation:
Hotfixes, updates, and security fixes are all synonyms for single patches designed to correct a single problem. Service packs are collections of many different updates that serve as a major update to an operating system or application.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

Tonya is collecting evidence from a series of systems that were involved in a cybersecurity incident. A colleague suggests that she use a forensic disk controller for the collection process. What is the function of this device?

A. Masking error conditions reported by the storage device
B. Transmitting write commands to the storage device
C. Intercepting and modifying or discarding commands sent to the storage device
D. Preventing data from being returned by a read operation sent to the device

A

C. Intercepting and modifying or discarding commands sent to the storage device

Explanation:
A forensic disk controller performs four functions. One of those, write blocking, intercepts write commands sent to the device and prevents them from modifying data on the device. The other three functions include returning data requested by a read operation, returning access-significant information from the device, and reporting errors from the device back to the forensic host.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

Lydia is processing access control requests for her organization. She comes across a request where the user does have the required security clearance, but there is no business justification for the access. Lydia denies this request. What security principle is she following?

A. Need to know
B. Least privilege
C. Separation of duties
D. Two-person control

A

B. Least privilege

Explanation;
A. Lydia is following the need to know principle. While the user may have the appropriate security clearance to access this information, there is no business justification provided, so she does not know that the user has an appropriate need to know the information.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

Helen is tasked with implementing security controls in her organization that might be used to deter fraudulent insider activity. Which one of the following mechanisms would be LEAST useful to her work?

A. Job rotation
B. Mandatory vacations
C. Incident response
D. Two-person control

A

C. Incident response

Explanation:
C. Job rotation and mandatory vacations deter fraud by increasing the likelihood that it will be detected. Two-person control deters fraud by requiring collusion between two employees. Incident response does not normally serve as a deterrent mechanism.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

Matt wants to ensure that critical network traffic from systems throughout his company is prioritized over web browsing and social media use at this company. What technology can he use to do this?

A. VLANs
B. QoS
C. VPN
D. ISDN

A

B. QoS

Explanation:
Quality of service is a feature found on routers and other network devices that can prioritize specific network traffic. QoS policies define which traffic is prioritized, and traffic is then handled based on the policy.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

Tom is responding to a recent security incident and is seeking information on the approval process for a recent modification to a system’s security settings. Where would he most likely find this information?

A. Change log
B. System log
C. Security log
D. Application log

A

A. Change log

Explanation:
A. The change log contains information about approved changes and the change management process. While other logs may contain details about the change’s effect, the audit trail for change management would be found in the change log.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

Staff from Susan’s company often travel internationally and require connectivity to corporate systems for their work. Susan believes that these users may be targeted for corporate espionage activities because of the technologies that her company is developing and wants to include advice in the security training provided to international travelers. What practice should Susan recommend that they adopt for connecting to networks while they travel?

A. Only connect to public WiFi.
B. Use a VPN for all connections.
C. Only use websites that support TLS.
D. Do not connect to networks while traveling.

A

B. Use a VPN for all connections.

Explanation:
While it may be tempting to tell her staff to simply not connect to any network, Susan knows that they will need connectivity to do their work. Using a VPN to connect their laptops and mobile devices to a trusted network and ensuring that all traffic is tunneled through the VPN is her best bet to secure their internet usage. Susan may also want to ensure that they take “clean” laptops and devices that do not contain sensitive information or documents and that those systems are fully wiped and reviewed when they return.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

Ricky is seeking a list of information security vulnerabilities in applications, devices, and operating systems. Which one of the following threat intelligence sources would be most useful to him?

A. OWASP
B. Bugtraq
C. Microsoft Security Bulletins
D. CVE

A

D. CVE

Explanation:
The Common Vulnerability and Exposures (CVE) dictionary contains standardized information on many different security issues. The Open Web Application Security Project (OWASP) contains general guidance on web application security issues but does not track specific vulnerabilities or go beyond web applications. The Bugtraq mailing list and Microsoft Security Bulletins are good sources of vulnerability information but are not comprehensive databases of known issues.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

Which of the following would normally be considered an example of a disaster when performing disaster recovery planning? (Select all that apply.)

A. Hacking incident
B. Flood
C. Fire
D. Terrorism

A

A. Hacking incident
B. Flood
C. Fire
D. Terrorism

Explanation:
D. A disaster is any event that can disrupt normal IT operations and can be either natural or manmade. Hacking and terrorism are examples of manmade disasters, while flooding and fire are examples of natural disasters.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
Q

Glenda would like to conduct a disaster recovery test and is seeking a test that will allow a review of the plan with no disruption to normal information system activities and as minimal a commitment of time as possible. What type of test should she choose?

A. Tabletop exercise
B. Parallel test
C. Full interruption test
D. Checklist review

A

D. Checklist review

Explanation:
The checklist review is the least disruptive type of disaster recovery test. During a checklist review, team members each review the contents of their disaster recovery checklists on their own and suggest any necessary changes. During a tabletop exercise, team members come together and walk through a scenario without making any changes to information systems. During a parallel test, the team actually activates the disaster recovery site for testing, but the primary site remains operational. During a full interruption test, the team takes down the primary site and confirms that the disaster recovery site is capable of handling regular operations. The full interruption test is the most thorough test but also the most disruptive.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
26
Q

Which one of the following is not an example of a backup tape rotation scheme?

A. Grandfather/Father/Son
B. Meet in the middle
C. Tower of Hanoi
D. Six Cartridge Weekly

A

B. Meet in the middle

Explanation:
The Grandfather/Father/Son, Tower of Hanoi, and Six Cartridge Weekly schemes are all different approaches to rotating backup media that balance reuse of media with data retention concerns. Meet-in-the-middle is a cryptographic attack against 2DES encryption.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
27
Q

Helen is implementing a new security mechanism for granting employees administrative privileges in the accounting system. She designs the process so that both the employee’s manager and the accounting manager must approve the request before the access is granted. What information security principle is Helen enforcing?

A. Least privilege
B. Two-person control
C. Job rotation
D. Separation of duties

A

B. Two-person control

Explanation:
In this scenario, Helen designed a process that requires the concurrence of two people to perform a sensitive action. This is an example of two-person control. This is different from separation of duties, where one individual may not have two separate permissions that, when combined, might allow an unwanted action. Separation of duties applied to a situation like this one might say that the same person may not have both the ability to initiate a request and the ability to approve a request. Least privilege says that an individual should have only the necessary permissions required to carry out their job function. Job rotation is a scheme that has users periodically shift job functions in order to detect malfeasance.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
28
Q

Frank is considering the use of different types of evidence in an upcoming criminal matter. Which one of the following is not a requirement for evidence to be admissible in court?

A. The evidence must be relevant.
B. The evidence must be material.
C. The evidence must be tangible.
D. The evidence must be competently acquired.

A

C. The evidence must be tangible.

Explanation:
C. Evidence provided in court must be relevant to determining a fact in question, material to the case at hand, and competently obtained. Evidence does not need to be tangible. Witness testimony is an example of intangible evidence that may be offered in court.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
29
Q

Harold recently completed leading the postmortem review of a security incident. What documentation should he prepare next?

A. A lessons learned document
B. A risk assessment
C. A remediation list
D. A mitigation checklist

A

A. A lessons learned document

Explanation:
A. A lessons learned document is often created and distributed to involved parties after a postmortem review to ensure that those who were involved in the incident and others who may benefit from the knowledge are aware of what they can do to prevent future issues and to improve response in the event that one occurs.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
30
Q

Beth is creating a new cybersecurity incident response team (CSIRT) and would like to determine the appropriate team membership. Which of the following groups would she normally include? (Select all that apply.)

A. Information security
B. Law enforcement
C. Senior management
D. Public affairs

A

A. Information security
C. Senior management
D. Public affairs

Explanation:
D. CSIRT representation normally includes at least representatives of senior management, information security professionals, legal representatives, public affairs staff, and engineering/technical staff. Law enforcement personnel would not be included on such a team and would only be consulted as necessary.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
31
Q

Sam is responsible for backing up his company’s primary file server. He configured a backup schedule that performs full backups every Monday evening at 9 p.m. and differential backups on other days of the week at that same time. Files change according to the information shown in the following figure. How many files will be copied in Wednesday’s backup?

A. 2
B. 3
C. 5
D. 6

A

C. 5

Explanation:
C. In this scenario, all the files on the server will be backed up on Monday evening during the full backup. The differential backup on Wednesday will then copy all files modified since the last full backup. These include files 1, 2, 3, 5, and 6: a total of five files.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
32
Q

Which one of the following security tools is not capable of generating an active response to a security event?

A. IPS
B. Firewall
C. IDS
D. Antivirus software

A

C. IDS

Explanation:
Intrusion detection systems (IDSs) provide only passive responses, such as alerting administrators to a suspected attack. Intrusion prevention systems and firewalls, on the other hand, may take action to block an attack attempt. Antivirus software also may engage in active response by quarantining suspect files.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
33
Q

Scott is responsible for disposing of disk drives that have been pulled from his company’s SAN as they are retired. Which of the following options should he avoid if the data on the SAN is considered highly sensitive by his organization?

A. Destroy them physically.
B. Sign a contract with the SAN vendor that requires appropriate disposal and provides a certification process.
C. Reformat each drive before it leaves the organization.
D. Use a secure wipe tool like DBAN.

A

C. Reformat each drive before it leaves the organization.

Explanation:
Physical destruction, an appropriate contract with certification, and secure wiping are all reasonable options. In each case, a careful inventory and check should be done to ensure that each drive is handled appropriately. Reformatting drives can leave remnant data, making this a poor data lifecycle choice for drives that contain sensitive data.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
34
Q

What term is used to describe the default set of privileges assigned to a user when a new account is created?

A. Aggregation
B. Transitivity
C. Baseline
D. Entitlement

A

D. Entitlement

Explanation:
Entitlement refers to the privileges granted to users when an account is first provisioned.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
35
Q

Which one of the following types of agreements is the most formal document that contains expectations about availability and other performance parameters between a service provider and a customer?

A. Service-level agreement (SLA)
B. Operational-level agreement (OLA)
C. Memorandum of understanding (MOU)
D. Statement of work (SOW)

A

A. Service-level agreement (SLA)

Explanation:
The service-level agreement (SLA) is between a service provider and a customer and documents in a formal manner expectations around availability, performance, and other parameters. An MOU may cover the same items but is not as formal a document. An OLA is between internal service organizations and does not involve customers. An SOW is an addendum to a contract describing work to be performed.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
36
Q

As the CIO of a large organization, Clara would like to adopt standard processes for managing IT activities. Which one of the following frameworks focuses on IT service management and includes topics such as change management, configuration management, and service-level agreements?

A. ITIL
B. PMBOK
C. PCI DSS
D. TOGAF

A

A. ITIL

Explanation:
A. The IT Infrastructure Library (ITIL) framework focuses on IT service management. The Project Management Body of Knowledge (PMBOK) provides a common core of project management expertise. The Payment Card Industry Data Security Standard (PCI DSS) contains regulations for credit card security. The Open Group Architecture Framework (TOGAF) focuses on IT architecture issues.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
37
Q

Richard is experiencing issues with the quality of network service on his organization’s network. The primary symptom is that packets are consistently taking too long to travel from their source to their destination. What term describes the issue Richard is facing?

A. Jitter
B. Packet loss
C. Interference
D. Latency

A

D. Latency

Explanation:
Latency is a delay in the delivery of packets from their source to their destination. Jitter is a variation in the latency for different packets. Packet loss is the disappearance of packets in transit that requires retransmission. Interference is electrical noise or other disruptions that corrupt the contents of packets.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
38
Q

Joe wants to test a program he suspects may contain malware. What technology can he use to isolate the program while it runs?

A. ASLR
B. Sandboxing
C. Clipping
D. Process isolation

A

B. Sandboxing

Explanation:
Running the program in a sandbox provides secure isolation that can prevent the malware from impacting other applications or systems. If Joe uses appropriate instrumentation, he can observe what the program does, what changes it makes, and any communications it may attempt. ASLR is a memory location randomization technology, process isolation keeps processes from impacting each other, but a sandbox typically provides greater utility in a scenario like this since it can be instrumented and managed in a way that better supports investigations, and clipping is a term often used in signal processing.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
39
Q

Which one of the following is an example of a non-natural disaster?

A. Hurricane
B. Flood
C. Mudslide
D. Transformer explosion

A

D. Transformer explosion

Explanation:
A transformer explosion is a failure of a human-made electrical component. Flooding, mudslides, and hurricanes are all examples of natural disasters.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
40
Q

Anne wants to gather information about security settings as well as build an overall view of her organization’s assets by gathering data about a group of Windows 10 workstations spread throughout her company. What Windows tool is best suited to this type of configuration management task?

A. SCCM
B. Group Policy
C. SCOM
D. A custom PowerShell script

A

A. SCCM

Explanation:A. System Center Configuration Manager (SCCM) provides this capability and is designed to allow administrators to evaluate the configuration status of Windows workstations and servers, as well as providing asset management data. SCOM is primarily used to monitor for health and performance, Group Policy can be used for a variety of tasks including deploying settings and software, and custom PowerShell scripts could do this but should not be required for a configuration check.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
41
Q

Javier is verifying that only IT system administrators have the ability to log on to servers used for administrative purposes. What principle of information security is he enforcing?

A. Need to know
B. Least privilege
C. Two-person control
D. Transitive trust

A

B. Least privilege

Explanation:
The principle of least privilege says that an individual should only have the privileges necessary to complete their job functions. Removing administrative privileges from nonadministrative users is an example of least privilege.

42
Q

Which one of the following is not a basic preventative measure that you can take to protect your systems and applications against attack?

A. Implement intrusion detection and prevention systems.
B. Maintain current patch levels on all operating systems and applications.
C. Remove unnecessary accounts and services.
D. Conduct forensic imaging of all systems.

A

D. Conduct forensic imaging of all systems.

Explanation:
There is no need to conduct forensic imaging as a preventative measure. Rather, forensic imaging should be used during the incident response process. Maintaining patch levels, implementing intrusion detection/prevention, and removing unnecessary services and accounts are all basic preventative measures.

43
Q

Tim is a forensic analyst who is attempting to retrieve information from a hard drive. It appears that the user attempted to erase the data, and Tim is trying to reconstruct it. What type of forensic analysis is Tim performing?

A. Software analysis
B. Media analysis
C. Embedded device analysis
D. Network analysis

A

B. Media analysis

Explanation:
The scrutiny of hard drives for forensic purposes is an example of media analysis. Embedded device analysis looks at the computers included in other large systems, such as automobiles or security systems. Software analysis analyzes applications and their logs. Network analysis looks at network traffic and logs.

44
Q

Which one of the following is an example of a computer security incident? (Select all that apply.)

A. Failure of a backup to complete properly
B. System access recorded in a log
C. Unauthorized vulnerability scan of a file server
D. Update of antivirus signatures

A

A. Failure of a backup to complete properly
C. Unauthorized vulnerability scan of a file server

Explanation:
Security incidents negatively affect the confidentiality, integrity, or availability of information or assets and/or violate a security policy. The unauthorized vulnerability scan of a server does violate security policy and may negatively affect the security of that system, so it qualifies as a security incident. The failure of a backup to complete properly jeopardizes availability and is, therefore, also a security incident. The logging of system access and update of antivirus signatures are all routine actions that do not violate policy or jeopardize security, so they are all events rather than incidents.

45
Q

Roland is a physical security specialist in an organization that has a large amount of expensive lab equipment that often moves around the facility. Which one of the following technologies would provide the most automation of an inventory control process in a cost-effective manner?

A. IPS
B. WiFi
C. RFID
D. Ethernet

A

C. RFID

Explanation:
C. Radio Frequency IDentification (RFID) technology is a cost-effective way to track items around a facility. While WiFi could be used for the same purpose, it would be much more expensive to implement.

46
Q

Connor’s company recently experienced a denial-of-service attack that Connor believes came from an inside source. If true, what type of event has the company experienced?

A. Espionage
B. Confidentiality breach

D. Integrity breach

A

C. Sabotage

Explanation:
An attack committed against an organization by an insider, such as an employee, is known as sabotage. Espionage and confidentiality breaches involve the theft of sensitive information, which is not alleged to have occurred in this case. Integrity breaches involve the unauthorized modification of information, which is not described in this scenario.

47
Q

Evan detects an attack against a server in his organization and examines the TCP flags on a series of packets, shown in the following diagram. What type of attack most likely took place?

A. SYN flood
B. Ping flood
C. Smurf
D.Fraggle

A

A. SYN flood

Explanation:
A. In a SYN flood attack, the attacker sends a large number of SYN packets to a system but does not respond to the SYN/ACK packets, attempting to overwhelm the attacked system’s connection state table with half-open connections.

48
Q

Florian is building a disaster recovery plan for his organization and would like to determine the amount of time that a particular IT service may be down without causing serious damage to business operations. What variable is Florian calculating?

A. RTO
B. MTD
C. RPO
D. SLA

A

B. MTD

Explanation:
The maximum tolerable downtime (MTD) is the longest amount of time that an IT service or component may be unavailable without causing serious damage to the organization. The recovery time objective (RTO) is the amount of time expected to return an IT service or component to operation after a failure. The recovery point objective (RPO) identifies the maximum amount of data, measured in time, that may be lost during a recovery effort. Service-level agreements (SLAs) are written contracts that document service expectations.

49
Q

Which of the following would normally be classified as zero-day attacks? (Select all that apply.)

A. An attacker who is new to the world of hacking
B. A database attack that places the date 00/00/0000 in data tables in an attempt to exploit flaws in business logic
C. An attack previously unknown to the security community
D. An attack that sets the operating system date and time to 00/00/0000 and 00:00:00

A

C. An attack previously unknown to the security community

Explanation:
C. Zero-day attacks are those that are previously unknown to the security community and, therefore, have no available patch. These are especially dangerous attacks because they may be highly effective until a solution becomes available. The other attacks described here are all known attacks and would not be classified as zero-day events.

50
Q

Grant is collecting records as part of the preparation for a possible lawsuit and is worried that his team may be spending too much time collecting information that may be Grant is collecting records as part of the preparation for a possible lawsuit and is worried that his team may be spending too much time collecting information that may be irrelevant. What concept from the Federal Rules of Civil Procedure (FCRP) helps to ensure that additional time and expense are not incurred as part of electronic discovery when the benefits do not outweigh the costs?

A. Tool-assisted review
B. Cooperation
C. Spoilation
D. Proportionality

A

D. Proportionality

Explanation:
The benefits of additional discovery must be proportional to the additional costs that they will require. This prevents additional discovery requests from becoming inordinately expensive, and the requester will typically have to justify these requests to the judge presiding over the case.

51
Q

During an incident investigation, investigators meet with a system administrator who may have information about the incident but is not a suspect. What type of conversation is taking place during this meeting?

A. Interview
B. Interrogation
C. Both an interview and an interrogation
D. Neither an interview nor an interrogation

A

A. Interview

Explanation:
Interviews occur when investigators meet with an individual who may have information relevant to their investigation but is not a suspect. If the individual is a suspect, then the meeting is an interrogation.

52
Q

What technique has been used to protect the intellectual property in the following image?

A. Steganography
B. Clipping
C. Sampling
D. Watermarking

A

D. Watermarking

Explanation:
The image clearly contains the watermark of the U.S. Geological Survey (USGS), which ensures that anyone seeing the image knows its origin. It is not possible to tell from looking at the image whether steganography was used. Sampling and clipping are data analysis techniques and are not used to protect images.

53
Q

You are working to evaluate the risk of flood to an area as part of a business continuity planning (BCP) effort. You consult the flood maps from the Federal Emergency Management Agency (FEMA). According to those maps, the area lies within a 200-year flood plain. What is the annualized rate of occurrence (ARO) of a flood in that region?

A. 200
B. 0.01
C. 0.02
D. 0.005

A

D. 0.005

Explanation:
The annualized rate of occurrence (ARO) is the expected number of times an incident will occur each year. In the case of a 200-year flood plain, planners should expect a flood once every 200 years. This is equivalent to a 1/200 chance of a flood in any given year, or 0.005 floods per year.

54
Q

Which one of the following individuals poses the greatest risk to security in most well-defended organizations?

A. Political activist
B. Malicious insider
C. Script kiddie
D. Thrill attacker

A

B. Malicious insider

Explanation:
While all hackers with malicious intent pose a risk to the organization, the malicious insider poses the greatest risk to security because they likely have legitimate access to sensitive systems that may be used as a launching point for an attack. Other attackers do not begin with this advantage.

55
Q

Veronica is considering the implementation of a database recovery mechanism recommended by a consultant. In the recommended approach, an automated process will move database backups from the primary facility to an off-site location each night. What type of database recovery technique is the consultant describing?

A. Remote journaling
B. Remote mirroring
C. Electronic vaulting
D. Transaction logging

A

C. Electronic vaulting

Explanation:
In an electronic vaulting approach, automated technology moves database backups from the primary database server to a remote site on a scheduled basis, typically daily. Transaction logging is not a recovery technique alone; it is a process for generating the logs used in remote journaling. Remote journaling transfers transaction logs to a remote site on a more frequent basis than electronic vaulting, typically hourly. Remote mirroring maintains a live database server at the backup site and mirrors all transactions at the primary site on the server at the backup site.

56
Q

When designing an access control scheme, Hilda set up roles so that the same person does not have the ability to provision a new user account and assign superuser privileges to an account. What information security principle is Hilda following?

A. Least privilege
B. Separation of duties
C. Job rotation
D. Security through obscurity

A

B. Separation of duties

Explanation:
Hilda’s design follows the principle of separation of duties. Giving one user the ability to both create new accounts and grant administrative privileges combines two actions that would result in a significant security change that should be divided among two users.

57
Q

Patrick was charged with implementing a threat hunting program for his organization. Which one of the following is the basic assumption of a threat hunting program that he should use as he plans his work?

A. Security controls were designed using a defense-in-depth strategy.
B. Audits may uncover control deficiencies.
C. Attackers may already be present on the network.
D. Defense mechanisms may contain unpatched vulnerabilities.

A

C. Attackers may already be present on the network.

Explanation:
While all of these assumptions are valid premises that Patrick might have going into the exercise, the basic assumption of a threat hunting exercise is the so-called presumption of compromise. This means that Patrick should assume that attackers have already gained access to his system and then hunt for indicators of their presence.

58
Q

Brian is developing the training program for his organization’s disaster recovery program and would like to make sure that participants understand when disaster activity concludes. Which one of the following events marks the completion of a disaster recovery process?

A. Securing property and life safety
B. Restoring operations in an alternate facility
C. Restoring operations in the primary facility
D. Standing down first responders

A

C. Restoring operations in the primary facility

Explanation:
The end goal of the disaster recovery process is restoring normal business operations in the primary facility. All of the other actions listed may take place during the disaster recovery process, but the process is not complete until the organization is once again functioning normally in its primary facilities.

59
Q

Melanie suspects that someone is using malicious software to steal computing cycles from her company. Which one of the following security tools would be in the best position to detect this type of incident?

A. NIDS
B. Firewall
C. HIDS
D. DLP

A

C. HIDS

Explanation:
A host-based intrusion detection system (HIDS) may be able to detect unauthorized processes running on a system. The other controls mentioned, network intrusion detection systems (NIDSs), firewalls, and DLP systems, are network-based and may not notice rogue processes.

60
Q

Brandon observes that an authorized user of a system on his network recently misused his account to exploit a system vulnerability against a shared server that allowed him to gain root access to that server. What type of attack took place?

A. Denial-of-service
B. Privilege escalation
C. Reconnaissance
D. Brute-force

A

B. Privilege escalation

Epxlanation:
The scenario describes a privilege escalation attack where a malicious insider with authorized access to a system misused that access to gain privileged credentials.

61
Q

Carla has worked for her company for 15 years and has held a variety of different positions. Each time she changed positions, she gained new privileges associated with that position, but no privileges were ever taken away. What concept describes the sets of privileges she has accumulated?

A. Entitlement
B. Aggregation
C. Transitivity
D. Isolation

A

B. Aggregation

Explanation:
Carla’s account has experienced aggregation, where privileges accumulated over time. This condition is also known as privilege creep and likely constitutes a violation of the least privilege principle.

62
Q

During what phase of the incident response process do administrators take action to limit the effect or scope of an incident?

A. Detection
B. Response
C. Mitigation
D. Recovery

A

C. Mitigation

Explanation:
The mitigation phase of incident response focuses on actions that can contain the damage incurred during an incident. This includes limiting the scope and or effectiveness of the incident. The detection phase identifies that an incident is taking place. The response phase includes steps taken to assemble a team and triage the incident. The recovery phase resumes normal operations.

63
Q

For questions 63–66, please refer to the following scenario:

Ann is a security professional for a midsize business and typically handles log analysis and security monitoring tasks for her organization. One of her roles is to monitor alerts originating from the organization’s intrusion detection system. The system typically generates several dozen alerts each day, and many of those alerts turn out to be false alarms after her investigation.

This morning, the intrusion detection system alerted because the network began to receive an unusually high volume of inbound traffic. Ann received this alert and began looking into the origin of the traffic. At this point in the incident response process, what term best describes what has occurred in Ann’s organization?

A. Security occurrence
B. Security incident
C. Security event
D. Security intrusion

A

C. Security event

Explanation:
At this point in the process, Ann has no reason to believe that any actual security compromise or policy violation took place, so this situation does not meet the criteria for a security incident or intrusion. Rather, the alert generated by the intrusion detection system is simply a security event requiring further investigation. Security occurrence is not a term commonly used in incident handling.

64
Q

Ann continues her investigation and realizes that the traffic generating the alert is abnormally high volumes of inbound UDP traffic on port 53. What service typically uses this port?

A. DNS
B. SSH/SCP
C. SSL/TLS
D. HTTP

A

A. DNS

Explanation:
DNS traffic commonly uses port 53 for both TCP and UDP communications. SSH and SCP DNS traffic commonly uses port 53 for both TCP and UDP communications. SSH and SCP

65
Q

As Ann analyzes the traffic further, she realizes that the traffic is coming from many different sources and has overwhelmed the network, preventing legitimate uses. The inbound packets are responses to queries that she does not see in outbound traffic. The responses are abnormally large for their type. What type of attack should Ann suspect?

A. Reconnaissance
B. Malicious code
C. System penetration
D. Denial-of-service

A

D. Denial-of-service

Explanation:
The attack described in this scenario has all the hallmarks of a denial-of-service attack. More specifically, Ann’s organization is likely experiencing a DNS amplification attack where an attacker sends false requests to third-party DNS servers with a forged source IP address belonging to the targeted system. Because the attack uses UDP requests, there is no three-way handshake. The attack packets are carefully crafted to elicit a lengthy response from a short query. The purpose of these queries is to generate responses headed to the target system that are sufficiently large and numerous enough to overwhelm the targeted network or system.

66
Q

Now that Ann understands that an attack has taken place that violates her organization’s security policy, what term best describes what has occurred in Ann’s organization?

A. Security occurrence
B. Security incident
C. Security event
D. Security intrusion

A

B. Security incident

Explanation:
Now that Ann suspects an attack against her organization, she has sufficient evidence to declare a security incident. The attack underway seems to have undermined the availability of her network, meeting one of the criteria for a security incident. This is an escalation beyond a security event but does not reach the level of an intrusion because there is no evidence that the attacker has even attempted to gain access to systems on Ann’s network. Security occurrence is not a term commonly used in incident handling.

67
Q

Frank is seeking to introduce a hacker’s laptop in court as evidence against the hacker. The laptop does contain logs that indicate the hacker committed the crime, but the court ruled that the search of the apartment that resulted in police finding the laptop was unconstitutional. What admissibility criteria prevents Frank from introducing the laptop as evidence?

A. Materiality
B. Relevance
C. Hearsay
D. Competence

A

D. Competence

Explanation:
To be admissible, evidence must be relevant, material, and competent. The laptop in this case is clearly material because it contains logs related to the crime in question. It is also relevant because it provides evidence that ties the hacker to the crime. It is not competent because the evidence was not legally obtained.

68
Q

Gordon suspects that a hacker has penetrated a system belonging to his company. The system does not contain any regulated information, and Gordon wants to conduct an investigation on behalf of his company. He has permission from his supervisor to conduct the investigation. Which of the following statements is true?

A. Gordon is legally required to contact law enforcement before beginning the investigation.
B. Gordon may not conduct his own investigation.
C. Gordon’s investigation may include examining the contents of hard disks, network traffic, and any other systems or information
D. Gordon may ethically perform “hack back” activities after identifying the perpetrator.

A

C. Gordon’s investigation may include examining the contents of hard disks, network traffic, and any other systems or information

Explanation:
Gordon may conduct his investigation as he wishes and use any information that is legally available to him, including information and systems belonging to his employer. There is no obligation to contact law enforcement. However, Gordon may not perform “hack back” activities because those may constitute violations of the law and/or (ISC)2 Code of Ethics.

69
Q

Which one of the following tools provides an organization with the greatest level of protection against a software vendor going out of business?

A. Service-level agreement
B. Escrow agreement
C. Mutual assistance agreement
D. PCI DSS compliance agreement

A

B. Escrow agreement

Explanation:
B. Software escrow agreements place a copy of the source code for a software package in the hands of an independent third party who will turn the code over to the customer if the vendor ceases business operations. Service-level agreements, mutual assistance agreements, and compliance agreements all lose some or all of their effectiveness if the vendor goes out of business.

70
Q

Fran is considering new human resources policies for her bank that will deter fraud. She plans to implement a mandatory vacation policy. What is typically considered the shortest effective length of a mandatory vacation?

A. Two days
B. Four days
C. One week
D. One month

A

C. One week

Explanation:
Most security professionals recommend at least one, and preferably two, weeks of vacation to deter fraud. The idea is that fraudulent schemes will be uncovered during the time that the employee is away and does not have the access required to perpetuate a cover-up.

71
Q

Which of the following events would constitute a security incident? (Select all that apply.)

A. An attempted network intrusion
B. A successful database intrusion
C. A malware infection
D. A successful attempt to access a file
E. A violation of a confidentiality policy
F. An unsuccessful attempt to remove information from a secured area

A

A. An attempted network intrusion
B. A successful database intrusion
C. A malware infection
E. A violation of a confidentiality policy
F. An unsuccessful attempt to remove information from a secured area

Explanation:
Any attempt to undermine the security of an organization or violation of a security policy is a security incident. All of the events described meet this definition and should be treated as an incident, with one exception. A successful attempt to access a file is certainly a security event, but it is not a security incident unless it is established that the individual accessing the file was not authorized to do so.

72
Q

Amanda is configuring her organization’s firewall to implement egress filtering. Which one of the following traffic types should not be blocked by her organization’s egress filtering policy? (Select all that apply.)

A. Traffic rapidly scanning many IP addresses on port 22
B. Traffic with a broadcast destination
C. Traffic with a source address from an external network
D. Traffic with a destination address on an external network

A

A. Traffic rapidly scanning many IP addresses on port 22
B. Traffic with a broadcast destination
C. Traffic with a source address from an external network

Explanation:
Egress filtering scans outbound traffic for potential security policy violations. This includes traffic that is likely malicious, such as an outbound SSH scan on port 22. It also includes traffic that appears to be part of an attack or misconfiguration, such as sending traffic to a broadcast destination address. Finally, it includes spoofed traffic generated by internal systems, which may bear a source address from an external network. The normal traffic that the firewall should expect to see is that bearing a destination address on an external network.

73
Q

Allie is responsible for reviewing authentication logs on her organization’s network. She does not have the time to review all logs, so she decides to choose only records where there have been four or more invalid authentication attempts. What technique is Allie using to reduce the size of the pool?

A. Sampling
B. Random selection
C. Clipping
D. Statistical analysis

A

C. Clipping

Explanation:
The two main methods of choosing records from a large pool for further analysis are sampling and clipping. Sampling uses statistical techniques to choose a sample that is representative of the entire pool, while clipping uses threshold values to select those records that exceed a predefined threshold because they may be of most interest to analysts.

74
Q

You are performing an investigation into a potential bot infection on your network and want to perform a forensic analysis of the information that passed between different systems on your network and those on the internet. You believe that the information was likely encrypted. You are beginning your investigation after the activity concluded. What would be the best and easiest way to obtain the source of this information?

A. Packet captures
B. NetFlow data
C. Intrusion detection system logs
D. Centralized authentication records

A

B. NetFlow data

Explanation:
NetFlow data contains information on the source, destination, and size of all network communications and is routinely saved as a matter of normal activity. Packet capture data would provide relevant information, but it must be captured during the suspicious activity and cannot be re-created after the fact unless the organization is already conducting 100 percent packet capture, which is rare. Additionally, the use of encryption limits the effectiveness of packet capture. Intrusion detection system logs would not likely contain relevant information because the encrypted traffic would probably not match intrusion signatures. Centralized authentication records would not contain information about network traffic.

75
Q

Which one of the following tools helps system administrators by providing a standard, secure template of configuration settings for operating systems and applications?

A. Security guidelines
B. Security policy
C. Baseline configuration
D. Running configuration

A

C. Baseline configuration

Explanation:
Baseline configurations serve as the starting point for configuring secure systems and applications. They contain the security settings necessary to comply with an organization’s security policy and may then be customized to meet the specific needs of an implementation. While security policies and guidelines may contain information needed to secure a system, they do not contain a set of configuration settings that may be applied to a system. The running configuration of a system is the set of currently applied settings, which may or may not be secure. In this case, Allie is only selecting records that exceed an invalid login threshold, making this an example of clipping. She is not using statistical techniques to select a subset of records, so this is not an example of sampling.

76
Q

What type of disaster recovery test activates the alternate processing facility and uses it to conduct transactions but leaves the primary site up and running?

A. Full interruption test
B. Parallel test
C. Checklist review
D. Tabletop exercise

A

B. Parallel test

Explanation:
B. During a parallel test, the team actually activates the disaster recovery site for testing, but the primary site remains operational. During a full interruption test, the team takes down the primary site and confirms that the disaster recovery site is capable of handling regular operations. The full interruption test is the most thorough test but also the most disruptive. The checklist review is the least disruptive type of disaster recovery test. During a checklist review, team members each review the contents of their disaster recovery checklists on their own and suggest any necessary changes. During a tabletop exercise, team members come together and walk through a scenario without making any changes to information systems.

77
Q

During which phase of the incident response process would an analyst receive an intrusion detection system alert and verify its accuracy?

A. Response
B. Mitigation
C. Detection
D. Reporting

A

C. Detection

Explanation:
Both the receipt of alerts and the verification of their accuracy occur during the Detection phase of the incident response process.

78
Q

Kevin is developing a continuous security monitoring strategy for his organization. Which one of the following is not normally used when determining assessment and monitoring frequency?

A. Threat intelligence
B. System categorization/impact level
C. Security control operational burden
D. Organizational risk tolerance

A

C. Security control operational burden

Explanation:
According to NIST SP 800-137, organizations should use the following factors to determine assessment and monitoring frequency: security control volatility, system categorizations/impact levels, security controls or specific assessment objects providing critical functions, security controls with identified weaknesses, organizational risk tolerance, threat information, vulnerability information, risk assessment results, the output of monitoring strategy reviews, and reporting requirements.

79
Q

Hunter is reviewing his organization’s monitoring strategy and identifying new technologies that they might deploy. His assessment reveals that the firm is not doing enough to monitor employee activity on endpoint devices. Which one of the following technologies would best meet his needs?

A. EDR
B. IPS
C. IDS
D. UEBA

A

D. UEBA

Explanation:
D. All of these technologies have the potential to monitor user behavior on endpoint devices. The key to answering this question correctly is realizing the emphasis on the user. Intrusion detection and prevention systems (IDSs/IPSs) focus on network and host behavior. Endpoint detection and response (EDR) systems focus on endpoint devices. User and entity behavior analytics (UEBA) solutions focus on the user and, therefore, would be the best way to meet Hunter’s requirement.

80
Q

Bruce is seeing quite a bit of suspicious activity on his network. After consulting records in his SIEM, it appears that an outside entity is attempting to connect to all of his systems using a TCP connection on port 22. What type of scanning is the outsider likely engaging in?

A. FTP scanning
B. Telnet scanning
C. SSH scanning
D. HTTP scanning

A

C. SSH scanning

Explanation:
C. SSH uses TCP port 22, so this attack is likely an attempt to scan for open or weakly secured SSH servers. FTP uses ports 20 and 21. Telnet uses port 23, and HTTP uses port 80.

81
Q

Dylan believes that a database server in his environment was compromised using a SQL injection attack. Which one of the following actions would Dylan most likely take during the remediation phase of the attack?

A. Rebuilding the database from backups
B. Adding input validation to a web application
C. Reviewing firewall logs
D. Reviewing database logs

A

B. Adding input validation to a web application

Explanation:
Remediation activities seek to address the issue that caused the incident. In this case, that was a web application that was open to SQL injection attack. Adding input validation seeks to remediate this vulnerability. Rebuilding the database is a recovery action, while reviewing logs is done as part of the detection and response effort.

82
Q

Roger recently accepted a new position as a security professional at a company that runs its entire IT infrastructure within an IaaS environment. Which one of the following would most likely be the responsibility of Roger’s firm?

A. Configuring the network firewall
B. Applying hypervisor updates
C. Patching operating systems
D. Wiping drives prior to disposal

A

C. Patching operating systems

Explanation:
C. In an infrastructure as a service environment, the vendor is responsible for hardware- and network-related responsibilities.
These include configuring network firewalls, maintaining the hypervisor, and managing physical equipment. The customer retains responsibility for patching operating systems on its virtual machine instances.

83
Q

What technique can application developers use to test applications in an isolated virtualized environment before allowing them on a production network?

A. Penetration testing
B. Sandboxing
C. White-box testing
D. Black-box testing

A

B. Sandboxing

Explanation:
Sandboxing is a technique where application developers (or the recipients of an untrusted application) may test the code in a virtualized environment that is isolated from production systems. White-box testing, black-box testing, and penetration testing are all common software testing techniques but do not require the use of an isolated system.

84
Q

Gina is the firewall administrator for a small business and recently installed a new firewall. After seeing signs of unusually heavy network traffic, she checked the intrusion detection system, which reported that a SYN flood attack was underway. What firewall configuration change can Gina make to most effectively prevent this attack?

A. Block SYN from known IPs.
B. Block SYN from unknown IPs.
C. Enable SYN-ACK spoofing at the firewall.
D> Disable TCP.

A

C. Enable SYN-ACK spoofing at the firewall.

Explanation:
While it may not immediately seem like the obvious answer, many firewalls have a built-in anti–SYN flood defense that responds to SYNs on behalf of protected systems. Once the remote system proves to be a legitimate connection by continuing the three-way handshake, the rest of the TCP session is passed through. If the connection proves to be an attack, the firewall handles the additional load using appropriate mitigation techniques. Blocking SYNs from known or unknown IP addresses is likely to cause issues with systems that should be able to connect, and turning off TCP will break most modern network services!

85
Q

Nancy is leading an effort to modernize her organization’s antimalware protection and would like to add endpoint detection and response (EDR) capabilities. Which of the following actions are normally supported by EDR systems? (Select all that apply.)

A. Analyzing endpoint memory, filesystem, and network activity for signs of malicious activity
B. Automatically isolating possible malicious activity to contain the potential damage
C. Conducting simulated phishing campaigns
D. Integration with threat intelligence sources

A

A. Analyzing endpoint memory, filesystem, and network activity for signs of malicious activity
B. Automatically isolating possible malicious activity to contain the potential damage
D. Integration with threat intelligence sources

Explanation:
EDR platforms do not conduct simulated phishing campaigns. The most common features of EDR systems are analyzing endpoint memory, filesystem, and network activity for signs of malicious activity; isolating possible malicious activity to contain the potential damage; integrating with threat intelligence sources; and integrating with other incident response mechanisms.

86
Q

Alan is assessing the potential for using machine learning and artificial intelligence in his cybersecurity program. Which of the following activities is most likely to benefit from this technology?

A. Intrusion detection
B. Account provisioning
C. Firewall rule modification
D. Media sanitization

A

A. Intrusion detection

Explanation;
While any cybersecurity activity has the potential to benefit from machine learning and artificial intelligence capabilities, this technology really shines when used for pattern detection and anomaly detection problems. This is the type of activity performed by an intrusion detection system, and, therefore, this system would benefit the most from the use of ML/AI technology.

87
Q

Timber Industries recently got into a dispute with a customer. During a meeting with his account representative, the customer stood up and declared, “There is no other solution. We will have to take this matter to court.” He then left the room. When does Timber Industries have an obligation to begin preserving evidence?

A. Immediately
B. Upon receipt of a notice of litigation from opposing attorneys
C. Upon receipt of a subpoena
D. Upon receipt of a court order

A

A. Immediately

Explanation:
Companies have an obligation to preserve evidence whenever they believe that the threat of litigation is imminent. The statement made by this customer that “we will have to take this matter to court” is a clear threat of litigation and should trigger the preservation of any related documents and records.

88
Q

Candace is designing a backup strategy for her organization’s file server. She would like to perform a backup every weekday that has the smallest possible storage footprint. What type of backup should she perform?

A. Incremental backup
B. Full backup
C. Differential backup
D. Transaction log backup

A

A. Incremental backup

Explanation:
A. Incremental backups provide the option that includes the smallest amount of data. In this case, that would be only the data modified since the most recent incremental backup. A differential backup would back up all data modified since the last full backup, which would be a substantial amount. The full backup would include all information on the server. Transaction log backups are specifically designed to support database servers and would not be effective on a file server.

89
Q

Darcy is a computer security specialist who is assisting with the prosecution of a hacker. The prosecutor requests that Darcy give testimony in court about whether, in her opinion, the logs and other records in a case are indicative of a hacking attempt. What type of evidence is Darcy being asked to provide?

A. Expert opinion
B. Direct evidence
C. Real evidence
D. Documentary evidence

A

A. Expert opinion

Explanation:
Expert opinion evidence allows individuals to offer their opinion based upon the facts in evidence and their personal knowledge. Expert opinion evidence may be offered only if the court accepts the witness as an expert in a particular field. Direct evidence is when witnesses testify about their direct observations. Real evidence consists of tangible items brought into court as evidence. Documentary evidence consists of written records used as evidence in court.

90
Q

Which one of the following techniques is not commonly used to remove unwanted remnant data from magnetic tapes?

A. Physical destruction
B. Degaussing
C. Overwriting
D. Reformatting

A

D. Reformatting

Explanation:
The standard methods for clearing magnetic tapes, according to the NIST Guidelines for Media Sanitization, are overwriting the tape with nonsensitive data, degaussing, and physical destruction via shredding or incineration. Reformatting a tape does not remove remnant data.

91
Q

Sally is building a new server for use in her environment and plans to implement RAID level 1 as a storage availability control. What is the minimum number of physical hard disks that she needs to implement this approach?

A. One
B. Two
C. Three
D. Five

A

B. Two

Explanation:
RAID level 1, also known as disk mirroring, uses two disks that contain identical information. If one disk fails, the other contains the data needed for the system to continue operation.

92
Q

Jerome is conducting a forensic investigation and is reviewing database server logs to investigate query contents for evidence of SQL injection attacks. What type of analysis is he performing?

A. Hardware analysis
B. Software analysis
C. Network analysis
D. Media analysis

A

B. Software analysis

Explanation:
The analysis of application logs is one of the core tasks of software analysis. This is the correct answer because SQL injection attacks are application attacks.

93
Q

Quigley Computing regularly ships tapes of backup data across the country to a secondary facility. These tapes contain confidential information. What is the most important security control that Quigley can use to protect these tapes?

A. Locked shipping containers
B. Private couriers
C. Data encryption
D. Media rotation

A

C. Data encryption

Explanation:
Quigley may choose to use any or all of these security controls, but data encryption is, by far, the most important control. It protects the confidentiality of data stored on the tapes, which are most vulnerable to theft while in transit between two secure locations.

94
Q

Carolyn is concerned that users on her network may be storing sensitive information, such as Social Security numbers, on their hard drives without proper authorization or security controls. What third-party security service can she implement to best detect this activity?

A. IDS
B. IPS
C. DLP
D. TLS

A

C. DLP

Explanation:
Data loss prevention (DLP) systems may identify sensitive information stored on endpoint systems or in transit over a network. This is their primary purpose. DLP systems are commonly available as a third party managed service offering. Intrusion detection and prevention systems (IDSs/IPSs) may be used to identify some sensitive information using signatures built for that purpose, but this is not the primary role of those tools and they would not be as effective as DLP systems at this task. TLS is a network encryption protocol that may be used to protect sensitive information, but it does not have any ability to identify sensitive information.

95
Q

Gavin is the disaster recovery team leader for his organization, which is currently in the response phase of an incident that has severe customer impact. Gavin just received a phone call from a reporter asking for details on the root cause and an estimated recovery time. Gavin has this information at his fingertips. What should he do?

A. Provide the information to the reporter.
B. Request a few minutes to gather the information and return the call.
C. Refer the matter to the public relations department.
D. Refuse to provide any information.

A

C. Refer the matter to the public relations department.

Explanation:
C. Disaster recovery teams should always refer media inquiries to the public relations team to ensure a coordinated, consistent response. They should not attempt to answer questions themselves.

96
Q

Pauline is reviewing her organization’s emergency management plans. What should be the highest priority when creating these plans?

A. Protection of mission-critical data
B. Preservation of operational systems
C. Collection of evidence
D. Preservation of safety

A

D. Preservation of safety

Explanation:

All of these considerations are important when developing an emergency management plan. However, the safety of human life should always be the overwhelming priority, above all other considerations.

97
Q

Barry is the CIO of an organization that recently suffered a serious operational issue that required activation of the disaster recovery plan. He would like to conduct a lessons learned session to review the incident. Who would be the best facilitator for this session?

A. Barry, as chief information officer
B. Chief information security officer
C. Disaster recovery team leader
D. External consultant

A

D. External consultant

Explanation:
Barry should recruit an independent moderator to facilitate the session. Having a moderator who was not directly involved in the effort encourages honest and open feedback. While it is not necessary to use an external consultant, they may easily fill this role. While it is also possible to find a qualified internal employee to fill this position, it should not be someone who was involved in the incident response effort or has a major stake in the plan, such as Barry, the CISO, or the DR team leader.

98
Q

Brent is reviewing the controls that will protect his organization in the event of a sustained period of power loss. Which one of the following solutions would best meet his needs?

A. Redundant servers
B. Uninterruptible power supply (UPS)
C. Generator
D. RAID

A

C. Generator

Explanation:
Generators are capable of providing backup power for a sustained period of time in the event of a power loss, but they take time to activate. Uninterruptible power supplies (UPS) provide immediate, battery-driven power for a short period of time to cover momentary losses of power, which would not cover a sustained period of power loss. RAID and redundant servers are high-availability controls but do not cover power loss scenarios.

99
Q

Match each of the numbered terms with its correct lettered definition:

Terms

  1. Honeypot
  2. Honeynet
  3. Pseudoflaw
  4. Darknet

Definitions

A. An intentionally designed vulnerability used to lure in an attacker
B. A network set up with intentional vulnerabilities
C. A system set up with intentional vulnerabilities
D. A monitored network without any hosts

A

The terms match with the definitions as follows:

  1. Honeypot: C. A system set up with intentional vulnerabilities
  2. Honeynet: B. A network set up with intentional vulnerabilities
  3. Pseudoflaw: A. An intentionally designed vulnerability used to lure in an attacker
  4. Darknet: D. A monitored network without any hosts

A darknet is a segment of unused network address space that should have no network activity and, therefore, may be easily used to monitor for illicit activity.
A honeypot is a decoy computer system used to bait intruders into attacking.
A honeynet is a network of multiple honeypots that creates a more sophisticated environment for intruders to explore. A pseudoflaw is a false vulnerability in a system that may attract an attacker.

100
Q

Match each of the numbered types of recovery capabilities to their correct lettered definition:

Terms

  1. Hot site
  2. Cold site
  3. Warm site
  4. Service bureau

Definitions

A. An organization that can provide on-site or off-site IT services in the event of a disaster
B. A site with dedicated storage and real-time data replication, often with shared equipment that allows restoration of service in a very short time
C. A site that relies on shared storage and backups for recovery
D. A rented space with power, cooling, and connectivity that can accept equipment as part of a recovery effort

A

The terms match with the definitions as follows:

  1. Hot site: B. A site with dedicated storage and real-time data replication, often with shared equipment that allows restoration of service in a very short time
  2. Cold site: D. A rented space with power, cooling, and connectivity that can accept equipment as part of a recovery effort
  3. Warm site: C. A site that relies on shared storage and backups for recovery
  4. Service bureau: A. An organization that can provide on-site or off-site IT services in the event of a disaster