CISSP Q v1.4 -- Domain1: Security and Risk Management Flashcards

1
Q

Which listing puts some of the steps of a penetration test in their correct order?
A. Fuzzing, vulnerability mapping, pivoting
B. Discovery, fuzzing, vulnerability scanning
C. Enumeration, vulnerability mapping, exploitation
D. Exploitation, discovery, vulnerability scanning

A

C

The correct and logical order:
1. Discovery
2. Enumeration
3. Vulnerability mapping
4. Exploitation
5. Document findings
Fuzzing is used to test input validation and while it might be occasionally used in the exploitation process, it is not its own step in any standard pen-test.

2
Q

Controls can MITIGATE identified risks. Which statement below best describes a risk RESPONSE?
A. Accepting a risk because you want to do the task.
B. Rejecting a risk because you decide that the task is something
you do not want to do.
C. Using a cloud provider so that risk is transferred to a third
party.
D. Return on Investment (ROI) determinations for the selection
of controls.

A

C. Using a cloud provider so that risk is transferred to a third
party.

The first sentence in the question is a distractor and has no effect on the question itself. (A) and (B) do not explain how the control is being utilized, so they are weak if not bad answers. (C) is a great example of risk transference and one benefit of using cloud services. (D) could be considered when choosing a control, but is not a response itself.

3
Q

Which of the following is NOT a risk decision involved in the practice of doing background checks?

A. Risk mitigation
B. Risk acceptance
C. Risk avoidance
D. Risk transference

A

D. Risk transference

Organizations should attempt to mitigate the risks associated with bringing in new employees by performing background checks. Determining whether the organization is running an acceptable level of risk by hiring an individual is also part of this process, as is risk avoidance. Meanwhile, background checks do not involve any form of risk transference.

4
Q

What statement below BEST describes Information Security Management?

A. It is an outline of the configurations that provide the highest level of security for that system.
B. It structures, implements and maintains appropriate policies, procedures, standards and guidelines in order to obtain an acceptable level of risk.
C. It is a brief high-level statement defining what is and is not permitted in the operation of the information system.
D. It is senior management’s listing of the controls that will be used to protect the information system.

A

B. It structures, implements and maintains appropriate policies, procedures, standards and guidelines in order to obtain an acceptable level of risk.

(A) is incorrect because Security Management is not an outline, nor does it discuss configurations. (C) is the rationale for your security policy, not the policy itself. (D) is incorrect because Security Management is not a list of controls.

5
Q

Which of the following BEST describes the goal of an organization’s information security plan?

A. Assure protection of organizational data and information.
B. Select the technology solutions that will enhance organizational security effectiveness.
C. Identify potential risks of organization’s employee behavior.
D. Align organizational data protection schemes to business goals.

A

D. Align organizational data protection schemes to business goals.

(A) is a wish list. We would love for that to be true, but it isn’t practical. (B) The security plan is much more than the technology solutions. (C) is an HR item and does not describe the goal of the security plan.

The first goal of security, and thereby an organization’s info sec plan, is to help the business thrive and achieve its goals!

6
Q

To whom or what should a Chief Security Officer (CSO) report according to best practices?
A. To the Human Resources department, so that personal violations can be promptly dealt with.
B. To the CEO, to get the messages and suspected impact of an organizational breach known as soon as possible.
C. As high up in the organization as possible to maintain visibility for Information security and limit the inaccurate translation of messages as they move through organizational management levels.
D. To the Administrative services department, so that implications of the breach can be dealt with as soon as possible.

A

C. As high up in the organization as possible to maintain visibility for Information security and limit the inaccurate translation of messages as they move through organizational management levels.

We don’t know anything about this organization or the industry it is in, so we’ll need an answer that fits most, if not all, organizations. (C) is true for most organizations and really is the best practice in any situation.

7
Q

The Organization for Economic Cooperation and Development (OECD) has generated and published a set of 8 principles for personal privacy. Which of the following is NOT one of these 8 principles?

A. Openness Principle
B. Right to Be Forgotten Principle
C. Individual Participation Principle
D. Data Quality Principle

A

B. Right to Be Forgotten Principle

THE EIGHT OECD PRINCIPLES:
* Collection Limitation Principle
* Data Quality Principle
* Purpose Specification Principle
* Use Limitation Principle
* Security Safeguards Principle
* Openness Principle
* Individual Participation Principle
* Accountability Principle

The “right to be forgotten,” also known as the “right to erasure,” is part of the GDPR, a privacy regulation found in the EU. This right was not part of the OECD principles, which predated the GDPR.

8
Q

A CISSP candidate signs his or her agreement to the ISC2 Code of Ethics statement. Which of the following would violate this Code and could cause the candidate to lose his or her certification?
A. Submitting comments on the questions of the exam to (ISC)2.
B. Submitting comments to the board of directors regarding the test and content of the class.
C. Conducting a presentation about the CISSP certification and what the certification means.
D. E-mailing remembered test questions from the exam to other CISSP candidates.

A

D. E-mailing remembered test questions from the exam to other CISSP candidates.

The first three answers are perfectly acceptable according to the ISC2 code. However, (D) is absolutely a violation!

9
Q

Which of the following terms and its associated definition is INCORRECT?

A. Standards are rules that do not have to be followed by top level management.
B. Baselines are the minimum level of security an approved hardware item requires.
C. Guidelines are recommended actions for users, IT and operations staff.
D. Procedures are detailed, step-by-step tasks that should be performed to meet a security goal.

A

A. Standards are rules that do not have to be followed by top level management.

Standards are well-established ways of doing things, so even top management should follow them. Answers (B), (C), and (D) are correct definitions.

10
Q

Which of the following best describes the process of conducting a Business Impact Analysis (BIA)?

A. Analyzing corporate functions, such as accounting, personnel and legal, to determine which functions must be operational immediately following an outage.
B. Analyzing the organization’s operations to determine what the impact of an outage would be.
C. Documenting the procedures and capabilities necessary to sustain an organization’s essential functions at an alternate site.
D. Documenting viable recovery options for each business unit in the event of an outage.

A

B. Analyzing the organization’s operations to determine what the impact of an outage would be.

Business impact analysis (BIA) is a systematic process to determine and evaluate the potential effects of an interruption to critical business operations. After the BIA is complete, we can move on to (A), (C), and (D), which would be part of the BCP/DRP cycle.

11
Q

What is the primary organizational benefit of conducting a candidate background check?

A. Reduce the likelihood of fraud or theft.
B. Increased likelihood of productivity.
C. Ability to reduce training costs.
D. Increased security awareness.

A

A. Reduce the likelihood of fraud or theft.

While an organization would benefit from all of these things, background checks are performed primarily to reduce the risk associated with hiring a new employee. Thereby, (A) is the best and most straightforward answer.

12
Q

Which of the following is the effect of job rotation on organizational security?
A. Privileged personnel will never stay on the job long enough to learn how to bypass security controls.
B. Reassigned personnel will be able to modify their old administrative files.
C. As personnel rotate through jobs, they will learn how to implement new procedures.
D. Privileged personnel involved in violations of security policy cannot be certain that they can always avoid detection.

A

D. Privileged personnel involved in violations of security policy cannot be certain that they can always avoid detection.

The clue to picking this one is the word “security” in the question. Job rotation here is a “deterrent” control. Because privileged personnel are aware that they will be rotated out of a position, they will be less likely to perform actions that might be detectable by the next person holding that assignment.

13
Q

A company has 3 Tiers of network technicians. Tier 1 connects devices and does troubleshooting for network connectivity, Tier 2 manages switches, and Tier 3 manages firewalls and IDS devices. Allowing Tier 1 technicians read-only access to system routers is an example of which control listed below?

A. Due care and due diligence.
B. Separation of Duties.
C. Least privilege.
D. Job rotation.

A

C. Least privilege.

While having three separate tiers doing different tasks is considered “separation of duties,” the question is actually asking about the limited permissions of the Tier 1 technicians. Limiting Tier 1 technicians to read only is an example of the technical control known as “least privilege.”

Least Privilege:
Giving a user account or process only those privileges which are essential/required to perform its intended function, thereby reducing risk.

14
Q

Which of the following are the four major steps for successful risk assessments?

A. Prepare, Conduct, Perform, Communicate
B. Conduct, Perform, Communicate, Maintain
C. Perform, Conduct, Analyze, Communicate
D. Prepare, Perform, Communicate, Maintain

A

D. Prepare, Perform, Communicate, Maintain

Maintain, aka maintenance, is a must have for any risk assessment, so we can rule out (A) and (C) since they don’t include it.
Between (B) and (D), it makes sense that we should “Prepare” before “Performing” the assessment, so (D) is correct, and (B) is wrong.

15
Q

Which of the following is NOT correct with respect to quantitative risk assessments?

A. Once in 100 years means an ARO (Annualized Rate of Occurrence) value of 0.01.
B. The SLE (Single Loss Expectancy) is the dollar value lost when an asset is successfully attacked.
C. The ALE (Annualized Loss Expectancy) is the annual percentage of the asset lost when the asset is successfully attacked.
D. The EF (Exposure Factor) value ranges from 0 to 1.

A

C. The ALE (Annualized Loss Expectancy) is the annual percentage of the asset lost when the asset is successfully attacked.

The ALE is the average dollar value lost every year, not the percentage of the asset lost. The percentage of the asset lost is the EF (Exposure Factor).

Asset Value x Exposure Factor = Single Loss Expectancy (AV x EF = SLE)
Single Loss Expectancy x Annualized Rate of Occurrence = Annualized Loss Expectancy (SLE x ARO = ALE)

16
Q

Match the following control types with the descriptions found below.

A. Directive
B. Detective
C. Compensating
D. Corrective

  1. Control implemented to substitute for the loss of a primary control.
  2. Designed to signal a warning or present a notice that a security control has been breached.
  3. Implemented to remedy a circumstance, mitigate damage, or restore controls.
  4. Specifies acceptable rules of behavior within an organization.
A
  1. Compensating
  2. Detective
  3. Corrective
  4. Directive
17
Q

Which of the following is the best definition of risk avoidance?

A. Not mitigating the risk and absorbing the cost when and if it occurs.
B. Getting rid of the risk by purchasing a proper insurance policy.
C. Because of the activity’s inherent danger, you discontinue the activity.
D. Providing countermeasures to reduce the risk and strengthen the security posture.

A

C. Because of the activity’s inherent danger, you discontinue the activity.

Each of these answers is a different type of risk response.
(A) – RISK ACCEPTANCE
(B) – RISK TRANSFERENCE
(C) – RISK AVOIDANCE
(D) – RISK MITIGATION

18
Q

When selecting a control, which of the following is usually the most important to consider?

A. Since assurance is a primary concern, the control that produces the most informative log files should be chosen.
B. The control cost should be less than the value of the asset(s) being protected.
C. The cheapest control that does the job should be chosen.
D. The control from the most reputable vendor should be chosen.

A

B. The control cost should be less than the value of the asset(s) being protected.

(B) is correct. Never spend more on protecting an asset than it is worth!
You wouldn’t spend a million dollars to protect a computer system (data included) that was only valued at a half million.

19
Q

The International Organization for Standardization (ISO) standard 27002 helps vendors comply with organizational needs by describing:

A. Financial soundness and various business viability metrics.
B. Standard best practices for procurement of various controls.
C. Guidelines and practices of security controls.
D. Contract-agreement writing standards.

A

C. Guidelines and practices of security controls.

While not the worst answer, (B) is incorrect because 27002 isn’t specifically focused on the procurement of various controls. Instead, 27002 is far more general, and focuses on best practice (aka guidelines) for selecting, improving, and maintaining controls. This leaves us with (C) as the best answer.

20
Q

Match the following attacks with the descriptions found below.

A. Pretexting attack
B. Baiting attack
C. Phishing attack
D. Vishing attack

1 Using email or malicious websites to solicit personal information by posing as a trustworthy organization.

2 Leaving USB flash drives with “interesting” labels in locations sure to be found by others.

3 Using a phone system to send a legitimate-sounding copy of a bank’s Interactive Voice Response (IVR) system, instructing the victim to call back.

4 Creating an invented scenario to engage a targeted victim, with the intent of getting him or her to divulge information.

A

1- C. Phishing Attack
2- B. Baiting attack
3- D. Vishing Attack
4- A. Pretexting attack

21
Q

If a company truly wants to protect its intellectual property, which of the following is the MOST important policy to implement?

A. Employees should sign a non-disclosure agreement.
B. Employees should implement and configure their own desktop controls.
C. Employees should be made aware that countermeasures are in place.
D. Employees should be made aware that the company does business internationally and sign off on the company’s trans-border agreement.

A

A. Employees should sign a non-disclosure agreement.

22
Q

Which answer contains first, an ADMINISTRATIVE control and second, a LOGICAL control?

A. Login Passwords and Fences.
B. Job supervision and automated fail-over to a mirrored site.
C. Job Rotation and “Beware of Dog” sign.
D. Job Supervision and Disaster Recovery Plan.

A

B. Job supervision and automated fail-over to a mirrored site.

We are looking for administrative, followed by logical.
(A) Login passwords are logical, while fences are physical.
(B) Job supervision is administrative, and automated fail-over is logical – correct answer!
(C) Job rotation is administrative, and signs are physical.
(D) Job supervision is administrative, and a DRP is administrative.

23
Q

Match each of the documents or processes with the definitions below.

A. Due Diligence
B. Service Level Requirement
C. Service Level Report
D. Service Level Agreement

1- Contains the client’s view of what is expected from the purchased service.
2- Performing activities such as on-site assessments, document exchanges, and process or policy reviews.
3- Defines the agreed upon level of performance, and penalties to be paid if not achieved.
4- Gives insight into a service provider’s ability to deliver the agreed upon service quality.

A

1- B SERVICE LEVEL REQUIREMENT

2- A DUE DILIGENCE

3- D SERVICE LEVEL AGREEMENT

4- C SERVICE LEVEL REPORT

24
Q

How should a request by an IT auditor for access to programs and data which are protected by logical access control software be treated?

A. The request should be approved and the auditor given access via a guest user-id and password.
B. The request should be refused, and the auditor provided with access to audit logs only.
C. The request should be refused based on the principle of least privilege.
D. The request should be in writing and must receive written approval before access is allowed.

A

D. The request should be in writing and must receive written approval before access is allowed.

Any requests from the auditor should be formalized and company procedures followed.

25
Q

Match the following forms of protection to their respective definitions.

A: Trade Secret
B: Copyright
C: Patent
D: Trademark

1: Protects a company’s investment in its brand. Must be registered to be effective.
2: Provides the strongest form of legal protection. Usually lasts less than 30 years.
3: Protects intellectual property in the form of music, art, or software.
4: Protects something not generally known, but economically advantageous.

A

1: D TRADEMARK
2: C PATENT
3: B COPYRIGHT
4: A TRADE SECRET

26
Q

The media portrays cybercrime as coming mostly from external hackers. This statement is ______.

A. Partially true. Cybercrime typically originates equally from inside and outside the organization.
B. Not correct. The greatest risk of cybercrime comes from inside the organization.
C. Correct. The greatest threat of cybercrime comes from outside the organization
D. The media’s way of creating headlines in the technological arena.

A

B. Not correct. The greatest risk of cybercrime comes from inside the organization.

27
Q

What is the most compelling reason an end user would abide by an organization’s computer security policy?
A. They know who wrote it and when to follow it.
B. They understand the rationale for it and the penalties for not following it.
C. When it is a simple document and is also easy to read.
D. When everybody else in the organization seems to follow it.

A

B. They understand the rationale for it and the penalties for not following it.

28
Q

What is it called when an organization comes up with several alternatives so that a risk will not be realized?

A. Risk Acceptance
B. Risk Mitigation
C. Risk Transfer
D. Risk Avoidance

A

D. Risk Avoidance

29
Q

Which of the following describes a collection of processes that are performed in a predetermined order to ensure that security controls are implemented correctly and operating appropriately?

A. A Kerberos Assurance Test
B. A Backup and Recovery Test
C. An Information Assurance Test
D. A Compliance Test

A

D. A Compliance Test

30
Q

Identifying an organization’s business functions, the capabilities of each business unit with respect to handling outages, and the priority and sequence of functions and applications to be recovered is closely tied to which of the following practices?

A. Strategy development.
B. Business Impact Analysis (BIA).
C. Contingency plan development.
D. Vital records, backup and recovery.

A

B. Business Impact Analysis (BIA).

The question is almost a definition of a BIA.
(A) is too broad for the question.
(C) contingency planning occurs after the items in the question have been done.
(D) describes some of the steps in the question, but is otherwise too specific.

31
Q

Of the options below, which would best illustrate the need to conduct a qualitative risk assessment?
A. The timeframe to complete the risk assessment is long.
B. The organization has a significant amount of data readily available.
C. The available team members are experienced employees and the timeframe is short.
D. The organization’s Chief Financial Officer (CFO) demands justification for recent expenses in your department.

A

C. The available team members are experienced employees and the timeframe is short.

Quantitative risk assessments rely on data being collected (AV, EF, ARO), and can therefore take longer. (A) and (B) are absolutely describing a quantitative risk assessment. The benefit of qualitative risk assessment is that, assuming the employees are experienced, the assessment can be performed very quickly. (D) is completely unrelated to risk assessments.

32
Q

When corporate officers and other executives with fiduciary responsibilities meet requirements with respect to protecting the company’s assets, what is the company practicing?
A. Monetary policy and Separation of Duties.
B. Due care and Due Diligence.
C. PCI/DSS Legal Requirements and Mandatory Vacations.
D. Securities and Exchange Commission E-Commerce Regulations.

A

B. Due care and Due Diligence.

Due diligence refers to being able to prove that your business has done everything reasonably possible to comply with current legislation and regulations. In other words, providing evidence of due care. Due care is acting in a reasonable way, as in to look out for and promote the safety of others. Sometimes it is referred to as the prudent person rule.

33
Q

Standards provide well known and accepted practices to help meet an organization’s security challenges. Which answer below describes the activities that BEST MEET the organization’s security needs?

A. The OWASP Top 10 Security Project.
B. The CWE/SANS Top 25 Dangerous Software Errors.
C. The security policies and control objectives agreed upon by organizational management.
D. The ISO 27000 family of ISMS specifications.

A

C. The security policies and control objectives agreed upon by organizational management.

“Following the organization’s policies” is almost always the correct answer. Furthermore, without knowing more about the organization, there’s no way to know if the other answers are even relevant or applicable.

34
Q

Exercising the same care in managing company affairs as would another well-run company in a similar industry is most often referred to as which of the following?

A. The first Rule of Business Continuity.
B. The Prudent Person Rule.
C. The Leadership 101 Mandate.
D. Minding Your Own Business.

A

B. The Prudent Person Rule.

The prudent person rule, essentially due care, is about meeting the reasonable expectation to exercise care and promote safety.

35
Q

What is the best and most common description of a security champion?

A. Enforce company policy and report non-compliance.
B. Spread awareness and promote good security practices within a business unit.
C. Provide oversight and data governance within the organization.
D. Monitor the emerging risks to the growing business.

A

B. Spread awareness and promote good security practices within a business unit.

Security champions are employees that are capable of promoting security and best practice throughout their respective departments. They may lead their department during security briefings, manage awareness campaigns, and keep everyone up to date on any changes to company policy.

36
Q

Before business continuity planning can begin, management has requested a business impact analysis (BIA). Of the options below, which best illustrates the core characteristics of a BIA?

A. Analysis of crisis management methods
B. Identification of asset location
C. Determine criticality and resource allocation
D. Documentation of known threat actors

A

C. Determine criticality and resource allocation

The goal of a BIA is to articulate critical business functions and explore tolerable downtime and recovery objectives.

37
Q

An internal security audit has revealed the following:

  1. A server in the DMZ is still using its default system password.
  2. The Network Intrusion Detection System (NIDS) has not been updated with new signatures.
  3. Least privilege was not properly implemented during the creation of user accounts.

What best describes the auditors’ findings?

A. A single risk control response
B. A single risk control type
C. A single risk control category
D. None of the above

A

B. A single risk control type

All of the findings are the TECHNICAL/LOGICAL control TYPE.
(A) Risk control response isn’t a thing. (C) is wrong since #2 is a detective control and #3 is a preventive control, so the findings span more than one control category. (D) is wrong since (B) is correct!

38
Q

An organization that is located in a coastal city has been paying an insurance company for natural disaster coverage for the last twelve years. This year they accidentally forgot to renew the plan and have been without any coverage since. Today the Chief Risk Officer announces that they will not be renewing the insurance coverage. What type of response does this describe?

A. Risk Ignorance
B. Risk Transference
C. Risk Mitigation
D. Risk Acceptance

A

D. Risk Acceptance

While insurance is usually attributed to transference, the Risk Officer is willfully deciding not to renew the policy, so the risk is being accepted. Although the policy lapsed accidentally, the decision not to renew is conscious, so it was not ignorance of the risk that led to the final decision.

39
Q

A newly hired chief security manager is shocked to discover that the organization has not been auditing its users, lacks any form of risk management, and disregarded the implementation of compulsory controls. Realizing that there is a lot that the company needs to do, what should be considered first?

A. Legal counsel
B. Frameworks
C. Standards
D. Guidelines

A

B. Frameworks

While there are a number of different reasons that ALL of these items are important, a Framework will actively compel the others. Frameworks will instantiate proper risk management, governance, and compliance concerns when applied properly. Without formal structure, simply consulting with lawyers or knowing what standards ought to be adopted won’t provide a repeatable method or take into account necessary resource allocation.

40
Q

After an incident response activity failed to contain the malware, management began investigating the response chosen by the Cyber Incident Response Team (CIRT) that was on-duty. Considering that the company lacked any formal plan for this type of incident, they decided to consult the off-duty CIRT to see how they would have responded. What practice is the management trying to verify?

A. Risk assessment
B. Due diligence
C. Change management
D. Due care

A

D. Due care

Due care is the practice of taking proper action tempered and considered through the lens of a comparable level of skill and reasoning.

41
Q

As the result of a data breach, government authorities began an investigation as to the nature of the breach and the company’s ensuing response. They found that the company had violated several reporting regulations and ignored compulsory countermeasures. What is the best description of what the incident response team at the company violated?

A. Procedures
B. Standards
C. Best practices
D. Policies

A

B. Standards

While the incident response team may have been in violation (or compliant) with policy/procedure, regulations are dictated by Standards.

42
Q

To determine how to spend the next quarter’s security budget, management invested in a thorough risk assessment that analyzed concerns throughout the business. They determined that a new VPN solution would be best for the enterprise. Meanwhile, a highly skilled engineer is complaining that the network vulnerability they reported during the risk assessment is continuing to go unpatched. They are adamant that a data breach is imminent. As the CISO, and with limited time to make a decision, what would be the best way to proceed?

A. Only invest in the VPN solution and explain management’s reasoning to the engineer.
B. Design and deploy a completely new control to avoid upsetting either party.
C. Divide the security budget between the VPN solution and the network upgrade.
D. Explain the engineer’s concerns to management and invest only in the network upgrade.

A

A. Only invest in the VPN solution and explain management’s reasoning to the engineer.

Considering a risk assessment was conducted, we should side with management’s business driven concerns. Deviation illustrates a lack of appreciation for governance which is fundamental to this exam.

43
Q

Management has issued several concise written documents that outline their expectations for security. It is well understood that these documents should be followed without reservation. What is the best description of these documents?

A. Standard
B. Framework
C. Procedure
D. Policy

A

D. Policy

Management’s expectations are usually conveyed as “concise written documents.” Those documents do not spell out the standards to be adhered to or the individual steps to be carried out (procedures), though they expect both. The actual conveyance of management’s concerns, needs and desires is through written and binding policy.

44
Q

Several threat intelligence outlets have identified a zero-day attack that is specifically designed to target Apache web servers. Your organization has several Apache web servers, and it is currently unknown if they have been targeted by the zero-day threat. As the system security manager, what is the first thing you should do?

A. Consider migrating to a different webserver platform that is not vulnerable.
B. Consult a variety of news outlets for additional information.
C. Determine the significance of the attack on business continuity.
D. Air gap the web servers to prevent the attack.

A

C. Determine the significance of the attack on business continuity.

The goal of monitoring emergent attacks is to maintain/optimize business continuity. Air gapping the servers (disconnecting them) is likely an overreaction and migrating to a different platform is not practical. Consulting other news sources may be conducted as a matter of course whilst pursuing the significance against business continuity.

45
Q

**THIS QUESTION DROPPED**
Upper management is looking to find a new cloud provider to host the company’s software as a service product. Considering the problems your organization had with the last provider, they instructed you to find a provider who has displayed good internal governance. What indicator should be used when looking for this new provider?

A. Maturity level
B. Risk identification
C. SOC reports
D. Loss history

A

A. Maturity level

Maturity levels (CMM) give a better indication of governance than loss history, audits, or simply the ability to identify risk.

46
Q

“All employees must use a secure connection when remotely accessing the company server.”

What best, and most likely, describes this statement?

A. Procedure
B. Standard
C. Policy
D. Best Practice

A

C. Policy

Short, prescriptive, and without describing by what means, this statement adequately reflects an example of a policy.

47
Q

A cloud service provider (CSP) outlines in a contract that the customer has the ultimate responsibility of ensuring the resources and services provided by the CSP are not used for illegal or fraudulent activity. Which of the risk responses is the CSP demonstrating?

A. Risk avoidance
B. Risk acceptance
C. Risk transference
D. Risk mitigation

A

C. Risk transference

Transference: The cloud provider has transferred the risk, and thereby the responsibility for securing the services, to the customer.

48
Q

Emily has received a suspicious email that claims she won a multi-million-dollar sweepstake. The email instructs her to reply with her full name, birthdate, and home address so her identity can be validated before she is given the prize. What best describes this type of social engineering attack?

A. Vishing – A type of phishing, but specifically over the phone. Think voice-phishing.
B. Phishing – Great answer! Phishing is typically performed through email or social media.
C. Whaling – A type of spear phishing where the target must be upper management (boss, CEO, board of directors).
D. Spear phishing – A type of phishing that targets a specific group/person and customizes its attack to match.

A

B. Phishing

Since this attack came through email, (A) is out. Since the attack wasn’t specifically crafted for Emily, a group, or upper management, (C) and (D) are both out too.


49
Q

The company’s Chief Financial Officer received an email from a branch office manager who claims to have lost their company credit cards. They are requesting $12,000 be sent to a private bank account to cover various business expenses. What type of social engineering attack does this best illustrate?

A. Pharming
B. Phishing
C. Typo squatting
D. Whaling

A

D. Whaling

Whaling: A form of spear phishing where the target is upper management.

50
Q

Instead of relying on in-house application security, an organization has decided to outsource their application security by adopting a SaaS (software as a service) from a CSP (cloud service provider). What type of risk management has the company performed by implementing this change?

A. Acceptance
B. Transference
C. Avoidance
D. Mitigation

A

B. Transference

51
Q

Your company wants to build another office that is expected to cost two million dollars. The town that this new office will be built in has a history of terrible earthquakes, once every 50 years. The estimated damage is 50% of the building’s cost. What is the SLE (Single Loss Expectancy)?

A. 20,000
B. 40,000
C. 500,000
D. 1,000,000
E. 4,000,000

A

D. 1,000,000

We are given the AV, EF, and ARO. We need to solve for SLE.
(AV) Asset Value – $2,000,000
(EF) Exposure Factor – 0.5 (half the value, 50%)
(SLE) Single Loss Expectancy – $1,000,000 <- Answer
(ARO) Annual Rate of Occurrence – 0.02 (1 every 50 years)
(ALE) Annual Loss Expectancy – $20,000

EQUATIONS
AV x EF = SLE: $2,000,000 x 0.5 = $1,000,000

SLE x ARO = ALE: $1,000,000 x 0.02 = $20,000 (this equation is not needed for this question)

52
Q

The service level agreement created with the cloud storage provider states that the acceptable amount of data loss must be no greater than one hour in the event of a disaster. What metric is being described in this agreement?

A. Disaster Recovery Plan
B. Recovery Point Objective
C. Recovery Time Objective
D. Mean Time to Restore

A

B. Recovery Point Objective

Recovery Point Objective (RPO) is the acceptable amount of data loss. If the cloud provider were to lose more than one hour’s worth of data for any reason, they would be subject to penalties as outlined in the SLA (service level agreement).

53
Q

After a server failure, it took the cloud provider 120 minutes to bring the system back online. Meanwhile, an affected company expected the server would be available again within 60 minutes. Of the answers below, what best illustrates the company’s expectation?

A. MRW – Minimum Recovery Window
B. RPO – Recovery Point Objective
C. MTTR – Mean Time To Recovery
D. RTO – Recovery Time Objective

A

D. RTO – Recovery Time Objective (goal/expected time for recovery)

A. MRW – Minimum Recovery Window (not a real metric)
B. RPO – Recovery Point Objective (acceptable amount of data loss)
C. MTTR – Mean Time To Recovery (real-world average time for recovery)

54
Q

Before a news team takes a tour of the new state-of-the-art office complex, a manager instructs employees to clean all whiteboards and clear off all of their desks. What threat is the manager most likely trying to mitigate?

A. Credential exposure
B. Release of proprietary information
C. Damage to the company’s reputation
D. Social engineering attacks

A

B. Release of proprietary information

Proprietary Information = Trade Secrets

While all of the answers are things to avoid, the threat appears to be shoulder surfing and (B) is the most likely to damage the company as the result of that.

55
Q

What category of control would a sign, like the one attached, be considered?

A. Detective
B. Compensating
C. Deterrent
D. Corrective

A

C. Deterrent

While the automatic alarm system could be detective, this sign is only a deterrent to threat actors.

56
Q

Which of the following limits the transfer or use of encryption technologies?

A. Acceptable use policy
B. Remote access policy
C. Data loss prevention
D. International export control

A

D. International export control

The Wassenaar Arrangement is an international export control that has been established in order to contribute to regional and international security and stability, by promoting transparency and greater responsibility in transfers of conventional arms and dual-use technologies, thus preventing destabilizing accumulations. The aim is also to prevent the acquisition of these items by terrorists.
Since ENCRYPTION is considered a DUAL-USE technology, it is carefully managed under this international export control.

57
Q

Before accepting credit cards on a new shopping website, what standard must a company follow?

A. PCI DSS
B. NIST CSF
C. ISO 22301
D. ISO 27001

A

A. PCI DSS

PCI DSS – Payment Card Industry Data Security Standard
NIST CSF – National Institute of Standards and Technology Cybersecurity Framework
ISO 22301 – security & resilience, business continuity management
ISO 27001 – information security rules and requirements (compliance/regulations)

58
Q

A penetration tester revealed that an end-of-life server is using 3DES to encrypt its traffic. Unfortunately, the server, which is mission critical, cannot be upgraded to AES, replaced, or removed. What category of control could help reduce the risk created by this server, considering the company must continue to use it?

A. Correlating
B. Physical
C. Detective
D. Preventative
E. Compensation

A

E. Compensation

59
Q

An international company is expanding its services and is creating several new servers to store customer data. Of the options listed below, which would likely contain an outline of roles/responsibilities for data controllers/processors that the company should follow?

A. ISO 31000
B. GDPR
C. PCI DSS
D. SSAE SOC2

A

B. GDPR - The European Union’s regulation that states that personal data cannot be collected or processed without the individual’s informed consent. The GDPR (General Data Protection Regulation) is an evolved form of the OECD principles and DOES outline responsibilities for data controllers/processors/users. As a regulation, it is legally enforceable within the EU.

A. ISO 31000 - International risk management best practices
C. PCI DSS - Outlines how credit card/bank info must be safely managed.
D. SSAE SOC2 - An audit/test that reports on an organization’s controls relative to the CIA triad.

60
Q

A company’s Chief Information Officer (CIO) is meeting with the Chief Information Security Officer (CISO) to plan some activities to enhance the skill levels of the company’s developers. Which of the following would be MOST suitable for training the developers?

A. A gamified capture-the-flag competition
B. A phishing simulation and awareness campaign
C. Physical security training with authorized pen-testers
D. Basic awareness training and tabletop exercises

A

A. A gamified capture-the-flag competition

Of the options listed, only (A) would enhance the “SKILL LEVELS” of the developers.
Capture the Flag (CTF) is usually used in ethical hacker training programs and gamified competitions. Participants must complete a series of challenges within a virtualized computing environment to discover a flag. The flag will represent either finding threat actor activity (for blue team exercises) or discovering a vulnerability (for red team exercises).