Domain 1. Security and Risk Management Flashcards

1
Q

You attempt to access your online banking account and are redirected to another website. What is this and how to prevent it?

A

Pharming attack. Implement DNSSEC to prevent.

2
Q

After you repair the user’s computer and ensure that the problem is fixed, what should you do next?

A

Provide the user with a list of the company’s approved software prior to taking any other action.

3
Q

Best described as ignoring the cost of loss when replacement expenses are less than the cost to mitigate the problem.

For example: installing software that is known to have vulnerabilities.

A

Risk acceptance.

4
Q

Determining the cost-effectiveness of mitigating the potential harm or loss to a company.

A

Risk management.

5
Q

The process of evaluating threats to ascertain the amount of vulnerability they represent to a company.

A

Risk assessment.

6
Q

Quantifying the weakness of an asset owned by the company.

A

Vulnerability assessment.

7
Q

Involves storing and maintaining data and hardware in an offsite location so that the alternate assets can be used in the event that a disaster damages hardware and data at the primary facility.

A

Disaster recovery (DR).

8
Q

The process of securing weak points in a security implementation; it attempts to close all avenues a malicious user could exploit to gain unauthorized access to a network.

A

Network hardening.

9
Q

The process of simulating a malicious attack on a system to identify and exploit potential weaknesses in network security; it provides insight into the methods a malicious user might employ in an attempt to compromise a network.

A

Penetration testing.

10
Q

Must endorse a company’s security policy in order to promote company-wide acceptance.

Responsible for ensuring that all of the company’s assets, both physical and logical, are protected.

A

Senior management.

11
Q

Why should a company have employees acknowledge that they have read and understood the company’s security policy?

A

To ensure that the company is protected.

12
Q

Which statement is not accurate regarding security policy best practices?

A

Policies need to be changed every year.

13
Q

Policy reviews should include the following:

A

Policies need to be reviewed at least once per year.

Reviews should follow a formal process.

Reviews should include an analysis of any security incidents that have occurred.

14
Q

A process by which an existing security policy is compared to a desired outcome, used to determine the precise components of the policy that need to be rewritten to obtain that outcome.

A

Gap analysis.

15
Q

Discretionary documents that provide helpful advice to employees. Because they are discretionary, employees are not required to follow them, even though they probably should.

A

Guidelines.

16
Q

A comprehensive security program includes the following components:

A

Policies, Procedures, Standards, Baselines, and Guidelines.

17
Q

Provide a high-level overview of the company’s security posture, creating the basic framework upon which a company’s security program is based. They contain mandatory directives that employees must follow.

A

Policies.

18
Q

A well-formed policy should include the following four elements:

A

Purpose - the reason the policy exists.

Scope - the entities that are covered by the policy.

Responsibilities - the things that covered individuals must do to comply with the policy.

Compliance - how to measure the effectiveness of the policy and the consequences for violating the policy.

19
Q

Low-level, step-by-step guides that explain how to accomplish a task. They are specific and provide as much detail as possible. They are mandatory as well.

A

Procedures.

20
Q

Define the technical aspects of a security program, including any hardware and software that is required.

A

Standards.

21
Q

Provide a minimum level of security that a company’s employees and systems must meet.

A

Baselines.

22
Q

Which documents are mandatory and which are discretionary?

A

Policies, Procedures, and Standards = Mandatory.

Guidelines and Baselines = Discretionary.

23
Q

Which guideline should you not follow when creating a security policy?

A

Ensure that the policy is as comprehensive as possible.

Instead, you should keep the policy to two or three pages. The policy should be concise and as understandable as possible.

24
Q

Sometimes called the information owner or the business owner, is responsible for classifying data. Typically a manager who maintains responsibility for the security of a particular information asset. They also assign sensitivity labels to each asset (a sensitivity label ensures that the data is accessible only by users who possess the appropriate level of clearance).

A

Data owner.

25
Q

Responsible for the hands-on protection of data.

A

Data custodian.

26
Q

Responsible for protecting the data that they access on a daily basis.

A

End users.

27
Q

Eliminates the use of a technology or a service altogether rather than deal with the risks that are incurred by implementing the technology or service. Should be performed whenever the costs of mitigating or accepting the risk are higher than the benefits gained by providing the service.

A

Risk avoidance.

28
Q

Lowers the chance that a risk event occurs or lowers the damage that a risk event causes.

A

Risk mitigation.

29
Q

Occurs when a company chooses to leave an asset unprotected rather than undergo the time and expense to protect the asset. Should be performed only when the risk or the consequences of exposure are low.

A

Risk acceptance.

30
Q

What are AV, EF, ARO, SLE, and ALE?

A

AV - the value of the asset that is at risk, including any data stored on the asset.

EF - the percentage of value that is lost when a risk event occurs. For example: failure only? 10%. Theft? 100%.

ARO - the frequency at which a risk event occurs, expressed as the number of losses that occur in one year. For example: 1 failure divided by 5 years = 0.2 failures per year.

SLE - the cost of a single loss, including the cost of materials, the technical service hours required, and the lost productivity that is experienced because of the loss.

ALE - the average yearly cost of a particular risk. For example: $1,200 (SLE) x 0.25 (ARO) = $300 (ALE).

31
Q

Tricking an individual into revealing authentication credentials or other PII to a potential attacker.

A

Social engineering.

32
Q

Installing software that is known to have vulnerabilities is an example of which risk response?

A

Risk acceptance.

33
Q

Is the practice of contracting with a third party in another country to perform a business function or service.

For example: a healthcare provider that offshores the storage of medical imaging files must ensure that the foreign company will take proper steps to protect the data. If not, the healthcare provider will be liable. U.S. laws do not apply to companies located in other countries.

A

Offshoring.

34
Q

The practice of contracting with a third party to perform a business function or service (this can be performed within the country). Subject to U.S. laws and regulations (U.S. and foreign companies).

A

Outsourcing.

35
Q

Allowing a business function or service to be performed by employees within the company rather than by a third party.

A

Insourcing.

36
Q

Third-party contractors outsource work that was originally assigned to them.

A

Subcontracting.

37
Q

A healthcare company is hiring you as an ISO. You will be tasked with securing the company’s networks and workstations. To which individual or department would you be least likely to report?

A

The internal audit department. Why? They are tasked with evaluating how the company’s employees are handling business processes, including IT security. Conflict of interest.

38
Q

In which of the following situations would you be most likely to delete a user account?

A

Termination of an employee who is starting a new job the next day.

Why? User accounts should be deleted only if the user is unlikely to return to the company and the user’s account is not tied to data that cannot be easily accessed by another user account, such as encrypted information.

39
Q

A malicious program that attempts connections on the network and can propagate without user interaction is called?

A

Worm.

40
Q

A stream of MAC addresses sent to a switch on a network in an attempt to overload the switch’s ARP cache (ARP is a network protocol that maps IP addresses to MAC addresses), which could induce the switch to act as a hub by broadcasting information out each port, is called?

A

MAC flooding attack.

41
Q

An attacker intercepting transmissions between two target hosts, where the flow of traffic between the target hosts is typically routed through a device that the attacker controls, is known as?

A

Man-in-the-middle attack.

42
Q

Is an intellectual property attack in which an entity registers an internet domain name that is a common misspelling of, or is closely related to, another entity’s trademark.

Example: legitimate (example.com), typosquatter might register (exampel.com).

A

Typosquatting.

43
Q

Is an intellectual property attack that focuses on infringement of a trademark. It occurs when an entity registers an internet domain name that infringes on a different entity’s trademark.

For example: a well-known company holds a trademark for “ExampleBrand”; a cybersquatter might purchase the domain ‘examplebrand.com’ before the company has a chance to register it. The squatter might then sell the domain to the company for an inflated price, or might use the domain to create a website that capitalizes on the trademarked name’s popularity for their own benefit.

A

Cybersquatting.

44
Q

An industry standard that an entity in a particular industry should strive to meet or exceed.

A

Best practice.

45
Q

Best described as business practices that a reasonable individual would consider appropriate.

It’s a legal liability concept that defines the minimum level of information protection that an organization must achieve.

A

Prudent Man Rule or Due Care.

Tip: the Prudent Man Rule is often applied to the process of due care, which is a legal liability concept that defines the minimum level of information protection that a business must achieve.

46
Q

An organization’s continual review of its practices to ensure that protection requirements are met.

A

Due diligence.

47
Q

Occurs when an individual who was already planning to commit a crime is eventually lured into doing so at the urging of law enforcement.

A

Enticement.

48
Q

Justification for the seizure of evidence without a warrant in order to protect the evidence from being destroyed.

A

Exigent circumstances.

49
Q

Is an aggregated threat-modeling methodology that was developed by Microsoft.

A

STRIDE

Spoofing
Tampering
Repudiation
Information disclosure
Denial of Service
Elevation of Privilege

50
Q

Is a risk-based threat-modeling methodology that contains the following seven stages:

A

Process for Attack Simulation and Threat Analysis (PASTA).

Stage I: Definition of the Objectives (DO) for the Analysis of Risks.
Stage II: Definition of the Technical Scope (DTS).
Stage III: Application Decomposition and Analysis (ADA).
Stage IV: Threat Analysis (TA).
Stage V: Weakness and Vulnerability Analysis (WVA).
Stage VI: Attack Modeling & Simulation (AMS).
Stage VII: Risk Analysis & Management (RAM).

51
Q

Is a risk-based threat-modeling methodology that allows security audits to be performed consistently, reliably, and repeatably. An acceptable level of risk is assigned to each class of asset; these risk levels are then used to determine the appropriate response to each threat.

A

Trike.

52
Q

Is a classification methodology that is used to rank threats numerically. It is used to calculate a risk score based on the following five categories:

A

DREAD.

Damage: how much damage will be caused?
- 0 = no damage
- 10 = complete destruction

Reproducibility: How easy is it to reproduce?
- 0 = impossible
- 10 = easy and without authentication

Exploitability: What is needed to exploit the threat?
- 0 = advanced knowledge and tools
- 10 = a web browser

Affected Users: How many users will be affected?
- 0 = none
- 10 = all

Discoverability: How easy is it to discover the threat?
- 0 = nearly impossible and source code or administrator access is required
- 10 = visible in a web browser address bar or in a form

The sum of the five ratings is then divided by 5 to calculate a final risk score from 0 through 10. The higher the risk score, the greater the risk.

53
Q

Maintains a variety of projects that provide assistance in detecting and addressing security vulnerabilities.

A

Open Web Application Security Project (OWASP).

54
Q

OWASP 2017 Top 10.

A
  1. Injection
  2. Broken Authentication
  3. Sensitive Data Exposure
  4. XML External Entities (XXE)
  5. Broken Access Control
  6. Security Misconfiguration
  7. Cross-Site Scripting (XSS)
  8. Insecure Deserialization
  9. Using Components with Known Vulnerabilities
  10. Insufficient Logging & Monitoring

55
Q

Occurs when a malicious user is able to inject code into the webpage of a legitimate company or user.

A

XSS.

56
Q

Includes flaws in authentication and session management systems that enable attackers to compromise passwords, encryption keys, or session tokens.

A

Broken Authentication.

57
Q

Enables an attacker to send information to a target system that could reveal sensitive information.

A

Injection.

Examples: SQL Injections, OS injections, LDAP injections.

58
Q

Best described as a set of mandatory directives that employees must follow, providing the basic framework upon which a company’s security program is based.

A

Security policy.

59
Q

What should not be included in the security policy, but should instead be included in a standards document?

A

The hardware and software that must be used.

60
Q

What are Risk, Threat, Vulnerability, Impact, and Exploit?

A

Risk - potential for loss or damage when a threat exploits a vulnerability.

Threat - anything that has the potential to cause harm by exploiting a vulnerability (something that could cause harm to the asset).

Vulnerability - weakness or gap in security that can be exploited by a threat to gain unauthorized access to an asset (the asset’s weakness to a particular threat).

Impact - potential consequences or damage that could result from a threat exploiting a vulnerability (the cost realized by the company if the asset is lost).

Exploit - method or technique used to take advantage of a vulnerability in a system.

Risk = Threat x Vulnerability x Impact

61
Q

What are the Seven categories of access controls?

A

Directive
Deterrent
Preventive
Compensating
Detective
Corrective
Recovery

62
Q

Used to define appropriate use and behavior within an organization with regard to that organization’s systems and services.

A

Directive access controls.

63
Q

Used to dissuade (persuade someone not to take a particular course of action) potential attackers.

A

Deterrent access controls.

64
Q

Used to stop potential attacks by preventing users from performing specific actions or functions on a system.

A

Preventive access controls.

For example, installing a firewall that blocks access to specific network ports.

65
Q

Are used to supplement directive access controls.

A

Compensating access controls.

Reviewing log files for violations of a company policy is a compensating access control, not a preventive access control.

66
Q

Used to monitor or send alerts about malicious activity. They can also record activity in low-light conditions.

A

Detective access controls.

Implementing an alarm system that detects breaking glass is a detective access control, not a preventive access control.

67
Q

Used to repair damage caused by malicious events.

A

Corrective access controls.

68
Q

Used to restore a system to a normal state after malicious activity has occurred.

A

Recovery access controls.

For example: a computer virus has corrupted some important data files on the Accounting department’s server and you are unable to locate any antivirus software that will repair the damage.

69
Q

What are the access control types?

A

Physical - implemented by using a person, animal, or object.

Technical - implemented by using technology instead of a physical entity.

Administrative - implemented by using policies, procedures, and the assignment of roles within an organization instead of a physical entity or technical control.

70
Q

Is an access control threat that involves modifying source data in an Internet Protocol (IP) packet. Also known as masquerading, it enables an attacker to compromise a network by pretending to be a trusted source.

A

Spoofing.

71
Q

Are an access control vulnerability that involves the theft of information by capturing and analyzing the electromagnetic leakage of electronic devices.

A

Emanations.

72
Q

Involves gleaning valuable information from printed documents. It’s a physical information-gathering technique whereby an attacker sifts through an organization’s garbage to find valuable information that might have been thrown away.

A

Dumpster diving.

73
Q

Involves the collection and analysis of large amounts of data to find patterns.

A

Data mining.

74
Q

Is a threat in which fragments of deleted data can be recovered from a storage device.

A

Data remanence.

75
Q

Is a threat that typically involves the collection of information that an application or process has shared in memory or cached to disk.

A

Object reuse.

Also, authentication credentials that are not properly erased from memory can be used to authenticate an unauthorized user or another application or process.

76
Q

What are the requirements for an analyst who is performing a vulnerability assessment?

A
  • Examination of existing access controls on the systems to be analyzed.
  • A knowledge of potential threats to the systems to be analyzed.
  • An understanding of the systems to be analyzed.

77
Q

Occurs when an assessment identifies a business requirement as a vulnerability, that is, when a potential vulnerability in a system conflicts with the business purpose of that system.

A

False positive.

78
Q

Accounts for all personnel after an evacuation.

A

Meeting point leader.

79
Q

Responsible for ensuring that everyone safely evacuates the building.

A

Safety warden.

80
Q

What is a reason NOT to implement rotation of duties (job rotation)?

A

It can be expensive to implement because of the number of employees that must be hired and trained to perform the duties.

Rotation of duties (job rotation) is an access control principle that does not allow one user to perform the same function for more than one consecutive interval of time.

81
Q

Contracts that typically state that the employee will not disclose confidential information that is revealed to the employee as a result of his or her duties.

A

NDA.

82
Q

Is the intellectual property concept that is most associated with marketing. It typically protects branding, such as a slogan, a logo, or another means of creating a distinction between a product that is produced by one company and a similar product that is produced by a competitor.

A

Trademark.

83
Q

Is an intellectual property concept that protects the holder’s exclusive right to use, create, or sell an invention.

A

Patent.

84
Q

Is an intellectual property concept that protects art, music, literature, or source code created by an individual or an organization.

A

Copyright.

85
Q

Is an intellectual property concept that enables a copyright owner to grant specific uses of copyrighted material to others.

A

License.

86
Q

What is most likely to be subject to legal export restrictions in the U.S.?

A

Source code for a new cryptographic application.

Because cryptography can be used to prevent government law enforcement agencies from intercepting communications, the U.S. and other countries have imposed export restrictions on specific types of strong cryptography.

87
Q

Is an information sharing agreement that requires a user to act in order to prevent an entity from sharing that user’s information.

A

Opt-out agreement.

88
Q

Is NOT an information sharing agreement that requires a user to act in order to prevent an entity from sharing that user’s information.

Instead, it’s an information sharing agreement that prevents an entity from sharing a user’s information by default.

Requires the organization to obtain the user’s permission before sharing that user’s PII with third parties.

A

Opt-in agreement.

89
Q

Is a form of software license. Software licenses typically specify what users are and are not allowed to do with software once the software has been licensed to the user.

A

End-user license agreement (EULA).

90
Q

Was created by the U.S. Dept. of Commerce and the EU Commission to enable companies in the U.S. to process personal information of individuals in EU member nations.

A

EU-U.S. Privacy Shield Framework.

91
Q

Ensures the protection of information for individuals in EU member nations. The EU requires that all organizations must adhere to this ____ whether or not they are based in the EU.

A

General Data Protection Regulation (GDPR).

92
Q

GDPR contains the following provisions:

A
  1. Companies must inform authorities of major data breaches within 72 hours.
  2. Each EU member nation must create a centralized data protection authority.
  3. Individuals must have access to their own data.
  4. Information regarding an individual must be transferrable to another service provider at the individual’s request.
  5. Individuals retain the “right to be forgotten” and have their information deleted if it is no longer required.
  6. Organizations located outside the EU must adhere to the GDPR if they collect information about EU residents.

93
Q

Was created in 1980 to provide a framework for how information traverses international borders.

A

Organization for Economic Cooperation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.

Principles:
1. Collection Limitation Principle
2. Data Quality Principle
3. Purpose Specification Principle
4. Use Limitation Principle
5. Security Safeguards Principle
6. Openness Principle
7. Individual Participation Principle
8. Accountability Principle

94
Q

Was created in December of 1974 to govern the way federal agencies use and distribute the personal information of U.S citizens. And it states that federal agencies cannot disseminate personal information without the permission of the individual.

A

U.S Privacy Act of 1974.

95
Q

Was created in 2000 by the Parliament of Canada to govern how private organizations can collect, use, and disclose personal information. Does not apply to government agencies and not-for-profit organizations.

A

The Personal Information Protection and Electronic Documents Act (PIPEDA).

Principles:
1. Accountability
2. Identifying Purposes
3. Consent
4. Limiting Collection
5. Limiting Use, Disclosure, and Retention
6. Accuracy
7. Safeguards
8. Openness
9. Individual Access
10. Challenging Compliance

96
Q

Also known as Title 18, was created in 1984 to aid in deterring and prosecuting computer crimes that resulted in attacks on government systems, infrastructure, financial systems, or systems that engage in international or interstate commerce.

A

The U.S Computer Fraud and Abuse Act.

97
Q

Designed to protect electronic communications, such as internet traffic, from illegal wiretapping techniques.

A

The U.S Electronic Communications Privacy Act (ECPA).

98
Q

Is a counter-terrorism act that expanded the ability of U.S law enforcement to use electronic monitoring techniques with less judicial oversight. In addition, the ability of law enforcement to wiretap was expanded and required less oversight.

A

The USA Patriot Act of 2001

99
Q

What are Hot site, Warm site, Cold site, and Mobile site?

A

Hot sites (a location that can take over for a failed site) - fully configured. Contain all of the equipment and services required by the company. Company can transition to a hot site within minutes or hours.

Warm sites (providing some level of infrastructure to aid disaster recovery) - more expensive than cold sites. Typically contain equipment and data circuits but no data. Can be brought online faster than a cold site can, typically within one to three days.

Cold sites - takes the longest amount of time. Provides an alternate data center location but contains no technology; all of the hardware and software must be purchased after the disaster occurs. Typically require several days or weeks.

Mobile sites - typically trailers or temporary buildings that can be deployed to other locations.

100
Q

Facts about mutual assistance agreement (MAA).

A
  • Also known as a backup-site agreement or reciprocal agreement, it is a legal arrangement between two organizations in which the parties agree to aid one another by providing space and network resources in the event that a disaster renders one of the parties incapable of functioning at its own location.
  • More cost effective than other alternate site solutions.
  • Should require that the organizations be in close proximity to each other in order to reduce downtime for the disaster-affected company.

101
Q

What might prevent an employee from violating a noncompete agreement (NCA)?

A

Time and Cost of a court battle.

Why? Court battles are costly and time consuming. Therefore, it might be in an employee’s best interests to abide by an NCA rather than take the matter to the legal system.

102
Q

The total cost of owning an asset for a period of time, including the cost of the asset as well as the cost of mitigating any risks to the asset. Risk mitigation costs might include vendor support contracts, software purchases, and IT employee salaries.

A

Total Cost of Ownership (TCO).

For example, the TCO for 100 laptops over a two-year period might be calculated as shown below:

Laptops: $240,000
Extended warranty service: $57,000
Operating system (OS) upgrade: $22,000
Antivirus software: $8,000
IT employee salaries: $120,000
TCO: $447,000 ($4,470 per laptop)

103
Q

Is the process of assigning a user’s rights and permissions on a system.

A

Authorization.

104
Q

Is the process of providing proof that an authorized user’s claimed identity is accurate. For example, it is what an attacker must defeat when masquerading as an authorized user to gain access to data.

A

Authentication.

105
Q

Your company’s password policy instructs employees to use strong passwords. However, you have discovered that many employees are still using weak passwords. What will you do NEXT?

A

Review the password policy with each user who has a weak password.

106
Q

Describes how company resources can be used, not how passwords should be selected.

A

Acceptable use policy.

107
Q

Is a technology that displays a name, number, or other identifier on the receiving end of a call, enabling the receiver to know the identity of a caller prior to accepting the call.

A

Caller ID.

108
Q

Enables callers to trick receivers into answering calls from vishing and Spam over Internet Telephony (SPIT) agents.

A

Caller ID spoofing attack.

109
Q

An attacker attempts to inject packets into other VLANs by accessing the VLAN trunk and double-tagging 802.1Q frames.

A

VLAN hopping attack.

110
Q

Is used to obtain sensitive information by sending SMS text messages or instant messages. The messages will typically direct users to visit fake websites or to call a phone number and enter their personal information, such as SSN or credit card information.

A

Smishing or Short Message Service (SMS) phishing.

111
Q

The ISC2 Code of Ethics contains a preamble and the following four canons ranked in order of importance:

A
  1. Protect society, the common good, necessary public trust and confidence, and the infrastructure.
  2. Act honorably, honestly, justly, responsibly, and legally.
  3. Provide diligent and competent service to principals.
  4. Advance and protect the profession.

112
Q

Requires a security professional to abstain from spreading FUD. FUD is a term that is used to describe the dissemination of negative, false, and frightening information to influence consumers, politicians, or other individuals to act in a certain way. Spreading FUD would erode public trust and confidence.

A

Protect society, the common good, necessary public trust and confidence, and the infrastructure.

113
Q

An attacker targets a specific group of users by infecting a website they are likely to visit. The website can be an existing site that the attacker infects, or it can be a website that the attacker creates. The attacker will then convince users to visit the infected site. The users are specifically targeted as part of a company, an organization, a religious group, or residents of a particular location.

A

Watering hole attack.

114
Q

Legitimate applications that are installed on a device get replaced by malware that appears to be legitimate.

A

Agent Smith attack.

115
Q

An attacker tricks users into clicking a transparent image that is placed over a legitimate link. Also called a user interface (UI) redress attack. It typically wraps a trusted page in an inline frame (iframe) and places transparent elements on top of clickable graphics or fields. When the user clicks on something that has a transparent element on top of it, the attacker's action launches, potentially sending credentials to the attacker or redirecting the user to a malware-infected site.

A

Malvertising attack.

116
Q

Load balancing between nodes: a storage solution in which client workloads are distributed among two identical nodes. This configuration ensures availability by providing data redundancy and reducing the likelihood that a single device will become overwhelmed. It also helps mitigate data loss if one of the devices in the cluster becomes unavailable.

A

Active-active cluster.

117
Q

Best described as enabling transfer from local infrastructure to the cloud. It is more effective for organizations that use a private cloud in combination with configuration management mechanisms like Puppet (a tool for applying and managing system configurations). The combination of these tools can allow an organization to temporarily reprovision its private cloud applications and data to a third-party cloud provider's infrastructure.

A

Cloud-bursting or Cloud-hopping.

118
Q

Is a set of core concepts that define the three goals of a security initiative.

A

The CIA Triad.

Confidentiality - protect confidential information from exposure to unauthorized people.

Integrity - protect systems and information against compromise by unauthorized modification.

Availability - protect systems against unplanned downtime as a result of security breaches.

119
Q

Is a component of access control in which a user claims to be an authorized user of a particular system?

A

Identification.

120
Q

Typically the most tangible type of evidence because it includes physical objects.

A

Real evidence.

121
Q

Evidence that includes copies or oral descriptions of original documents.

A

Secondary evidence.

122
Q

Evidence that can support a fact that was established by other evidence but cannot by itself establish that fact.

A

Corroborative evidence.

123
Q

Typically includes descriptions and accounts of the facts of an event by eyewitnesses to the event in question.

A

Direct evidence.

124
Q

Is evidence that can indirectly establish a fact but cannot be used to directly establish that fact.

A

Circumstantial evidence.

125
Q

Is the process of ensuring that each supplier in the chain is reliable, trustworthy, and reputable?

A

Supply chain risk management (SCRM).

126
Q

Is a process in which an entity’s security documentation is analyzed and evaluated for compliance with standards?

A

Documentation review.

127
Q

What are civil, criminal, administrative, and regulatory investigations?

A

Civil investigations - attempt to resolve disputes between two parties, such as private individuals or corporate entities. Preponderance of evidence standard of proof.

Criminal investigations - typically conducted by law enforcement personnel and attempt to determine whether a criminal law has been violated. Beyond a reasonable doubt standard of proof.

Regulatory investigations - determine whether an administrative law or industry standard has been violated. For example, a third-party auditor investigating a business's adherence to an industry standard is conducting a regulatory investigation.

Administrative investigations - are internal investigations that attempt to determine whether organizational policies or operational procedures have been violated.

128
Q

Is a factor that is typically used in a risk matrix to rank threats?

A

Probability.

129
Q

Typically uses a simple, three-value rating system to describe the probability and damage level for each threat. Common rating values are high/medium/low, 1/2/3, or green/yellow/red.

A

Risk matrix.