Domain 2 Asset Security Flashcards

1
Q

Filip installs and integrates a nondiscretionary system. Which access control policy
gets enforced?
A. Physical
B. Mandatory
C. Role-based
D. Rule-based

A

Answer: C Role-based models are created implicitly by Non-Discretionary Access
Control (NDAC) systems, in that the users inherit their privileges from within the
role. Mandatory access control puts data into containers, for example, Top Secret,
Secret, and so on. Rule-based access control is defined by specific rules such as
denying an IP address or allowing a MAC address. Physical is a control type,
not a policy.

2
Q

Anett has decided to use a passphrase instead of a dictionary-word password for
better security. Her new password converts into ____________?
A. The strongest password
B. A virtual password
C. An unusual password
D. A username

A

Answer: B Most systems today convert the password (or biometric) into a hash or
some representation of a password so that if the system gets hacked, the attacker
only has password hashes (garble) instead of actual passwords. The hash acts as a
virtual password because its value authenticates the user, not the password itself.

3
Q

Hubert desires the best and most expensive security protection for his firm. Which
of the following does he select?
A. Passwords
B. Smart cards
C. Palm vein scanner
D. Fingerprint reader

A

Answer: C Vascular scanners observe and capture vein patterns of palms and
fingers. The biometric scan gets converted into a hash. Passwords are the least
expensive, and not as secure as vascular systems. Fingerprint readers are not as
secure, and not as expensive as vascular systems. Smart cards are not as secure as
vascular scanners.

4
Q

A control category that reacts after an incident is called:
A. Corrective
B. Directive
C. Preventative
D. Deterrent

A

Answer: A Directives such as signs, deterrent controls such as fake cameras, or
preventatives such as fences are designed to stop an incident, but once an incident
occurs, such as a fire, a corrective control will attempt to mitigate the effects after
the incident; for example, releasing water sprinklers to stop the fire.

5
Q

Alison is a security manager charged with investigating a recent breach into the
corporate network. What control category does this fall under?
A. Retroactive
B. Investigatory
C. Preventative
D. Detective

A

Answer: D Preventative controls react to stop an incident. Since there was
a breach, these have failed, which is the point where detective controls activate.
Retroactive and investigatory are not control categories.

6
Q

Reilly is performing a security audit for a customer and finds several cases where
users gained access to data without a formal access approval procedure. Reilly
recommends a formal access approval process to fix the issue. Which role should he
list that approves policies for users to gain access to data?
A. Data processor
B. Data custodian
C. Data subject
D. Data owner

A

Answer: D Data owners are responsible for allowing access to data they own.
Data owners approve access policies, and then operations implement them. Data
subjects are individuals whose privacy information is being saved. Data custodians
maintain and protect data, and data processors process the data in use with mailing
lists or email blasts.

7
Q

Yulia is setting up an IDS that is rule-based. A rule-based IDS does/contains which
of the following?
A. Recognizes new types of attacks
B. Can recognize patterns and multiple activities
C. IF statements
D. Protocol recognition outside normal settings

A

Answer: C A rules-based Intrusion Detection System (IDS) uses rules to
evaluate whether packets are allowed or denied. For example, if MAC address
33:44:11:aa:bb:cc is permitted to access the network, those packets will
be allowed. Pattern recognition, attack recognition, and protocol recognition are
characteristics of signature-based or anomaly-based systems.

8
Q

Passive entities that subjects access are called what? (Choose the BEST answer)
A. Objects
B. Computers
C. Processes
D. Files

A

Answer: A Computers, processes, files, hard drives, printers, and so on, are
different types of objects that can be accessed by subjects. Subjects include people
and processes.

9
Q

David, a writer for RMS Publishing, read his emails and opened an attachment to
help him find a lost package. Later that week, he discovered his bank account no
longer had money, and he was locked out of several social networking accounts.
What MOST LIKELY occurred?
A. Phishing attack
B. Cross-site scripting attack
C. Cross-site request forgery attack
D. Malware in the attachment downloaded passwords from his password manager

A

Answer: D Although a phishing email initiated the attack, the attached malware
downloaded the contents of David’s password manager. Cross-site scripting and
cross-site request forgery could both steal session keys from the user if he were
currently logged into his bank account, but the question does not state that he was
logged in, and other accounts were tampered with as well.

10
Q

Dayana is a CISO putting together the password policy for her organization and
wants to assure users follow the policy, and don’t find workarounds. Which of the
following is her MOST SECURE choice?
A. Minimum 12-character password with uppercase, lowercase, numbers, and
special characters
B. Minimum 16-character passphrases
C. Minimum 8-character password
D. 4-digit PIN

A

Answer: B For best password security, passwords must first be long, then complex
because most brute-force tools start with shorter passwords, and then slowly get
longer. Passphrases are easily accepted by users because they allow sentences they
will remember and include the special character space. The policy can be made
stronger by adding a numeral requirement. Once the CISO defines the policy, this
is enforced administratively via the employee agreement, and technologically with
systems such as Pluggable Authentication Modules (PAMs), or Active Directory
(AD) group policies.

11
Q

An SSO system is characterized by which of the following options?
A. Provides multiple usernames and passwords to access resources
B. Provides a single username with various passwords to access resources
C. Provides a single username and password to access each system
D. Provides a single username and password to access the entire network

A

Answer: D A Single Sign-On (SSO) system allows a user to access network
resources with one login name and password, easing usability. Using a single
username and password to access each system requires the user to log in and log
out of one system and into another to access new resources. SSO does not require
leaving one resource, such as email, to access another, such as a shared file server.

12
Q

When an employee or contractor leaves the company, which of the following steps
is the least important?
A. Return the corporate phone to the organization
B. Return their corporate identification card to the organization
C. Return desk nameplate to the organization
D. Deprovision their username and password from all systems

A

Answer: C The desk nameplate displays the user’s name and often job title,
but it is not a means of access to the firm, because guards are required to see a
corporate ID card to grant access, not a desk nameplate. For best security during
the exit interview, the organization must collect the corporate phone, laptop,
identification card, and desk nameplate from the exiting staff, because the nameplate
could be used in a social engineering attack, but it is the least important of these
items. System administrators must remove the user’s account(s) from the network.

13
Q

Albert logs into an airline website to purchase a plane ticket for a cross-country flight.
The site offers him the ability to also rent a car from a separate company without
having to provide a new login name and password. What is this process called?
A. Identity management
B. Provisioning
C. Single sign-on
D. Federation

A

Answer: D When the user’s authentication credentials are transferred seamlessly
to another company, this is called federation. SSO allows a user to access multiple
resources or objects on their organization’s network. Provisioning is the process of
setting up a new user’s corporate credentials. Identity management is a general term
that includes SSO, provisioning, deprovisioning, and federation.

14
Q

What do the best performing biometric authentication systems have?
A. Low crossover error rate
B. The greatest type I error rate
C. The least type II error rate
D. High crossover error rate

A

Answer: A Crossover error rate is defined where type I errors and type II errors
are equal. The lowest crossover error rate device currently is a retinal scan.

15
Q

Nadia is a security administrator tasked with finding users with weak passwords.
Which attack would she attempt FIRST as part of this security audit?
A. Rainbow tables
B. Birthday
C. Dictionary
D. Brute force

A

Answer: C The weakest passwords that users implement, and the simplest for
hackers to exploit, come from the dictionary. The birthday attack uses probability
and statistics to narrow down passwords from a list of possible passwords. Rainbow
tables are lists of hashes and their passwords. Brute-force attacks would be the final
attack option, as they check for every possible pattern.

16
Q

Lorenzo has been transferred from the marketing department to sales. Six months
earlier he worked in the finance department. Which risk should be MOST considered?
A. Non-disclosure agreement
B. Non-compete agreement
C. Need to know
D. Authorization creep

A

Answer: D The Non-Disclosure Agreement (NDA) is signed when Lorenzo joins
the company. The non-compete is signed when Lorenzo leaves the company. Need
to know provides Lorenzo with only the authorizations necessary to do his job.
Authorization creep occurs as Lorenzo moves from department to department, and
the rights and privileges from previous departments are not removed.

17
Q

Which SSO system uses secret keys, principals, and tickets?
A. Kerberos
B. SESAME
C. LDAP
D. NDS

A

Answer: A Kerberos uses a key-distribution center (KDC) to grant tickets to users
for services to use, such as email or file sharing. The system’s security comes from
not passing passwords over networks, making them harder to attack. SESAME is
an SSO service that uses asymmetric keys and certificates to authenticate users into
the network. LDAP and NDS are both directory services that keep track of users’
identities, such as phone numbers, addresses, and emails.

18
Q

Sam, a security manager, is considering Kerberos as his single sign-on system for
the organization. He knows the system is very secure but wants to also learn its
weaknesses. Which of the following is he NOT concerned with?
A. Brute-force attacks against the keys
B. Keys temporarily sit on users’ computers, which are prone to attack
C. Asymmetric keys are vulnerable to attackers
D. If the KDC goes down, users will not have access

A

Answer: C Kerberos only uses symmetric keys called session keys and secret keys as
part of the system. Provide redundancy with the KDC to mitigate it being a single
point of failure. Make certain to use long keys to resist brute-force attacks. Protect
the network from hackers by assuring security patches are installed as needed.

19
Q

Diskless computers with lots of memory and fast CPUs that obtain their operating
system and data from a centralized server are called what?
A. Thick clients
B. Distributed computing
C. Backup servers
D. Thin clients

A

Answer: D Thick clients and backup servers have hard drives. Thin clients can
be used for distributed computing, but the question asked is what type of computer
this is, not what can it be used for.

20
Q

Ekaterina is an air force captain and has top-secret access to all objects, including
submarines. A review shows that since she is not in the Navy, she does not need
access to ship and submarine details. What is this enforcing?
A. Least privilege
B. Need to know
C. Single sign-on
D. Federation

A

Answer: B Need to know is similar to least privilege but contains the user’s rights
based on their role. SSO grants a user access to the network with a single username
and password. Federation grants a user additional services based on relationships
with the primary vendor, that is, the user logs into the bank, and then the user’s
credentials are federated to the check printing company without having to enter
them again.

21
Q

Which of the following is NOT an SSO system?
A. CIRCUMFERENCE
B. RADIUS
C. DIAMETER
D. Kerberos

A

Answer: A SSO allows a user access and authorizations for all of the resources on
the network with a single username and password. SSO systems include RADIUS,
DIAMETER, Kerberos, TACACS, TACACS+, and more.

22
Q

Qiang is a systems administrator charged with implementing security containers
on her systems. These will be divided into top-secret, secret, confidential, and
unclassified. Which type of system is she implementing?
A. DAC
B. MAC
C. Rule-BAC
D. NDAC

A

Answer: B Mandatory Access Control (MAC) allows users with specific
clearances, such as secret, to access files in containers marked secret, confidential,
and unclassified. Discretionary Access Control (DAC) allows users to set
authorizations of files they own, as desired. Role-based Access Control (RBAC)
is used within firewalls. NDAC is the same as role-based access control, where
authorizations are defined by a user’s job or position in the organization.

23
Q

Miomir needs to tighten security access into the server room and wants to add
three-factor authentication. Which two should he combine along with a swipe card
to enter the room? (Choose two)
A. Authenticator
B. OTP
C. Retina scan
D. PIN

A

Answer: C, D For three-factor authentication, Miomir needs to combine something
you have, something you know, and something you are. Smartphone authenticators
and One-Time Passwords (OTP) are both something-you-have type devices, like the
swipe card, and would not qualify. Retina scans and PINs complete the
authentication with something you are and something you know, respectively.

24
Q

Which of the following access control models prioritizes availability over
confidentiality and integrity, so that owners of their files determine the
authorizations of their objects?
A. Rule-BAC
B. Role-BAC
C. MAC
D. DAC

A

Answer: D Discretionary Access Control (DAC) allows users to set authorizations
on their data at their discretion; usually used within corporate environments where
access to information is prioritized. Mandatory Access Control (MAC) prioritizes
confidentiality over availability and integrity so that once files are stored in the Top
Secret bin, only those with that clearance can access the file. Role-BAC is defined by
the user’s job title, and rule-BAC is used within firewalls and routers.

25
Q

Jordan adds the following to a file:
Allow MAC Address 35:35:43:ab:ac:1b
Deny All
This is an example of what?
A. Rule-based access control
B. Role-based access control
C. Non-discretionary access control
D. Discretionary access control

A

Answer: A Rules such as allowing a MAC address or denying an IP address are
found in firewalls, routers, and switches, where access is allowed or denied with
single-line entries. Role-based access control (RBAC) and NDAC are the same in
that rights are assigned by group; for example, junior administrators have rights to
add hard drives, but not to configure networks. DAC allows users to set rights at
their discretion.

26
Q

Svetlana’s security manager asks her to provide data as to whether they should
stay on their RADIUS AAA server or move to TACACS. What are two differences
between TACACS and RADIUS? (Choose two)
A. TACACS encrypts all the data. RADIUS encrypts the password only.
B. TACACS encrypts all the data. RADIUS encrypts the username and
password only.
C. TACACS transmits data via TCP, and RADIUS transmits data via UDP.
D. TACACS transmits data via UDP, and RADIUS transmits data via TCP.

A

Answer: A, C TACACS is an improvement over the older RADIUS, which even
offers dial-in access. TACACS can separate authentication, authorization, and
accounting, whereas RADIUS combines authentication and authorization.

27
Q

Which of the following is NOT a physical access control type?
A. 8-foot fencing
B. Data backups
C. Security-awareness training
D. Network segregation

A

Answer: C Training is an administrative control. Examples of technical access
controls include network access rules, encryption, system logging, and monitoring.

28
Q

Which of the following are examples of deterrent control functions? (Choose two)
A. Fake security cameras
B. Secure hiring practices
C. Guard dogs
D. Security cameras

A

Answer: A, D Security cameras are both a deterrent, discouraging attacks, and
detective control functions, which help to identify attacks. Other control functions
include compensating, which provides an alternative backup control, such as an
online, replicated backup system, and directive control functions, which inform, for
example, a “beware of the dog” sign.

29
Q

Which of the following are examples of administrative controls? (Choose two)
A. Non-disclosure agreement
B. Dress code policy
C. Firewall rules
D. Painted parking lot lines

A

Answer: A, B Policies and agreements are administrative controls because they
are developed by management. Firewall rules are an example of technical controls.
Painted parking lines are an example of a physical control.

30
Q

Aljaz, a security engineer, is tasked with finding and installing a device that
monitors network activities. Which of the following does he recommend?
A. Intrusion detection system
B. Intrusion prevention system
C. Data loss prevention
D. Proxy server

A

Answer: A An intrusion detection system (IDS) is a detective access control type
device that identifies activities. An Intrusion Prevention System (IPS) and Data
Loss Prevention (DLP) are preventative access control type devices that block
incidents. IPS blocks incoming traffic, and DLP blocks outgoing traffic, usually
from insider threats desiring to leak corporate secrets. A proxy server is simply a
go-between for message passing, often designed to hide original IP addresses or
help with traffic management.

31
Q

Barbara is a junior administrator given privileges to manage printers and hard
drives. She is not given the privilege to manage networks and users. This is an
example of enforcing which practice?
A. Mandatory access control
B. Need to know
C. Separation of duties
D. Least privilege

A

Answer: D In this example, Barbara is given only the privileges she needs to do
her job. The separation-of-duties policy does not come into play here because she
installs and tests the printers and hard drives and does not leave that to another
party. Need to know has to do with rights to view documents, and mandatory access
control contains levels of top-secret, secret, and confidential access to documents.

32
Q

Tommy is a senior system administrator looking to mitigate external threats
against his Unix and Linux systems. What is the BEST feature to implement to
mitigate brute-force attacks?
A. Encrypt the hard drive
B. Hash passwords using SHA-256
C. Implement stronger password policies
D. Change the root login name to roto-root3r

A

Answer: D Changing the root user’s name to some unknown name makes it
harder for attackers to break into Linux or UNIX systems, because attackers know
that the administrator account is named root. When the account is renamed,
attackers attempt their brute-force attack against root, an account that no longer
exists. The other options harden the system but will not mitigate brute-force attacks.

33
Q

Tempest equipment is used to mitigate which of the following?
A. Ship damage due to storms
B. Building damage due to storms
C. Electromagnetic emissions
D. Electronic fires

A

Answer: C Electromagnetic emissions can be converted back to data and must be
blocked at the source to maintain confidentiality.

34
Q

Some switches have an extra port for a NIDS called the switch port analyzer or
SPAN port. This allows the NIDS to monitor the traffic on the network using
mirrored data, also known as which mode?
A. Monitor
B. Promiscuous
C. Audit
D. Accounting

A

Answer: B Tools such as Wireshark monitor network activity on a computer.
Wireshark requires mirrored traffic, and this is done using a packet capture utility,
or PCAP. Some systems for Windows and Linux include libpcap, WinPcap,
and Npcap.

35
Q

This type of IDS learns what is normal for the environment, and triggers events
when outside of these profiles. What is this BEST described as?
A. Rule-based IDS
B. Stateful IDS
C. Signature-based IDS
D. Anomaly-based IDS

A

Answer: D Signature-based and rule-based IDS cannot identify new attacks or
zero-days the way an anomaly-based IDS can, because their signatures or rules must
first be updated. An anomaly-based IDS can also flag protocols used outside their
normal parameters or identify unusual network activity patterns.

36
Q

Lucas is a hacker at a coffee shop who uses a network sniffing device called
Pineapple to monitor network traffic, copy password hashes, and download session
IDs. This would BEST be known as what type of attack?
A. Phishing
B. Spoofing
C. MITM
D. Sniffing

A

Answer: C This is best known as a man-in-the-middle attack since he is
technically in between the users and the services they are connecting to. He is using
sniffing to conduct this attack. Spoofing would mean that he is attempting to imitate
one of the servers that the user is connecting to. Phishing is a spoofed email, usually
containing a link or attachment with a payload.

37
Q

Shuai is an attacker monitoring the network traffic of users accessing their bank
accounts. She sniffs for passwords, and will use them as part of which type of attack?
A. Social engineering
B. Rainbow attack
C. Replay attack
D. Brute-force attack

A

Answer: C Shuai is collecting and saving passwords for later abuse of the users’
accounts by replaying their passwords or password hashes. Mitigations include
encryption and session IDs. Brute-force attacks would attempt every possible password.
Rainbow attacks would attempt to authenticate with various password hashes. Social
engineering is a non-technical attack, tricking users into giving up their passwords.

38
Q

Which statement is true about federated identity management (FIM)?
A. A transportable ID obtained when connected with dialup access
B. A transportable ID used to access different services within an organization
C. A transportable ID used across different organizations’ computer systems
D. A transportable ID used to keep domain identities consistent

A

Answer: C Federation is used in systems to make customer experiences smoother,
allowing users to authenticate with their bank, for example, and then automatically
federate their identity to the check printing company, making it unnecessary to
re-authenticate. A system that uses identities within dial-up is called RADIUS.
Kerberos uses tickets to access different services within an organization, and
domains are used within Microsoft Windows systems.

39
Q

The compilation and derivation of data from databases is called which of
the following?
A. Aggregation and inference
B. Compilation and derivation
C. Compiling and deriving
D. Certification and accreditation

A

Answer: A When there are large pools of data, such as big data, the compilation
of the information is known as aggregation. Deriving private information from
the data pool is inference; for example, being able to narrow down the suspect of a
crime because his relatives provided DNA to researchers. Certification is verifying
that a product will function in an organization. Accreditation is management
approval to use the product.

40
Q

David-Michael runs the RMS hospital in Cleveland. Randigreg is the owner/
operator of SGI Medical Billing, a supplier to the RMS hospital. SGI Medical Billing
was attacked by overseas hackers, and the RMS hospital’s records were stolen. Which
organization is legally accountable for the data breach?
A. SGI Medical Billing because they are the data owners
B. The RMS hospital because they are the data custodians
C. SGI Medical Billing because they are the data custodians
D. The RMS hospital because they are data owners

A

Answer: D When there is a data breach, the data owner is accountable for any
legal issues due to the breach. The data owner could sue their suppliers as needed,
but to the data subjects of the Personal Health Information (PHI), the owner is
accountable. In this case, SGI Medical Billing is the data custodian.

41
Q

Which of the following would an organization hire to be responsible for policies
around PII and PHI?
A. Chief security officer
B. Chief information security officer
C. Chief executive officer
D. Chief privacy officer

A

Answer: D Personally Identifiable Information (PII), Personal Health
Information (PHI), and the risks around them are managed by the Chief Privacy
Officer (CPO). The Chief Security Officer creates policy around the types of
mechanisms to use to maintain security. The CISO focuses on controls around
information (data) security. The CEO’s main concerns are sales and marketing.

42
Q

Which of the following members of the staff are responsible for the implementation
of security controls?
A. Security administrator
B. Systems administrator
C. Chief security officer
D. Chief information security officer

A

Answer: A The security administrator handles the implementation and
maintenance of security controls. The systems administrator manages computer
uptime and access control. The Chief Security Officer (CSO) and Chief
Information Security Officer (CISO) create policies that security administrators
and systems administrators must follow.

43
Q

Shivani finds web traffic log files over 20 years old. The retention policy is to
defensibly destroy web traffic log data over 7 years old. Which is her BEST strategy?
A. Save the data for best security
B. Overwrite the 20+-year-old data with zeros
C. Mechanically shred and melt the hard drives with the 20+-year-old data
D. Overwrite the 20+-year-old data with zeros three times and encrypt

A

Answer: C Defensible destruction assures there is no way to recover the
information. Data that remains beyond its retention period puts organizations at risk
if there is a legal discovery request for this information. Sometimes having the data
could make the organization liable in certain prosecutorial situations.

44
Q

Data that resides on a hard drive, solid-state drive, optical disk, or magnetic tape,
is also known as what?
A. Data in use
B. Data in motion
C. Data at rest
D. Data on disk

A

Answer: C Data on disk is the incorrect terminology for data states. Data in
motion is traveling through a network. Data in use is data being processed on the
central processing unit, or on the computer screen.

45
Q

Virtual private networks connected from home to office have an extra layer of
protection that encrypts the internet address headers, as well as the messages. What
is this type of encryption called?
A. Header encryption
B. Meta encryption
C. End-to-end encryption
D. Link encryption

A

Answer: D End-to-end encryption encrypts messages only, but not the headers.
Header and meta encryption are both distractors.

46
Q

Jeremy is a systems administrator that secures data by backing it up to magnetic
tapes. After backing up the data, he labels the tapes and stores them in a room with
restricted access. What is the BEST next step he should take to secure the data?
A. Encrypt the data on the backup tapes
B. Verify the data on the backup tapes
C. Make duplicate backups on WORM drives
D. Make a duplicate backup to cloud-based servers

A

Answer: B If the backup tapes are blank, encrypting, duplicating, or relocating
backups with nothing saved will be useless when restoring data after a disaster.
Remember, availability is a security component of CIA (confidentiality, integrity,
and availability). Write Once, Read Many (WORM) media includes CD-ROM and
DVD-ROM drives. Also, encryption occurs during the backup process, so the next
best step is to verify the backup is complete.

47
Q

Marie is finished with her development project. After backing up the important
data, her drive will be wiped for reuse on another project. Which mode of data
erasure will she use?
A. Erasing
B. Purging
C. Clearing
D. Destruction

A

Answer: C Clearing is done for the reuse of hard drives within the organization.
Purging, which includes degaussing or a minimum of seven overwrites, allows a
drive to be reused when selling or donating equipment. Destruction destroys the
media, for example by shredding or melting the hard drive. Erasing is a type of
clearing, and clearing is the proper terminology.

48
Q

Polona, a systems administrator, is investigating performance issues and has verified
that log files exist to help resolve slowness issues. What is her next step?
A. Validation
B. Verification
C. Processing
D. Testing

A

Answer: A Polona seeing that the log files exist is verification. Assuring that the
log files contain data to resolve the performance issues is validation. Processing
already occurred as the log files contain the recorded information of the events.
Testing occurs after analysis and resolutions are made to the system.

49
Q

Frances is following up on several Data Subject Requests (DSRs) and is charged
with updating the records for these customers. What is his data role?
A. Data subject
B. Data controller
C. Data owner
D. Data steward

A

Answer: D The data steward is responsible for the data content. The subject is the
user that the personally identifiable information (PII) is about. The data owner
(the organization) is legally accountable for any data loss, and the controller
(an individual) works directly for the organization.

50
Q

Ankita is president of SUN Mail Order Services and is a vendor to firms that need
bulk letters sent to their clients. According to GDPR, what is SUN Mail Order
Services BEST considered as?
A. Data custodian
B. Data processor
C. Data controller
D. Data steward

A

Answer: B Under GDPR the data processor processes personal data on behalf of,
and on the instructions of, the data controller, the party that determines why
and how the data is processed (here, the client firms). The data steward is
responsible for the content and integrity of the organization's own data, and
the data custodian handles its day-to-day technical care, such as backups.

51
Q

The NIST Risk Management Framework is also known as?
A. SP 800-37
B. SP 800-53
C. SP 800-60
D. SP 800-94

A

Answer: A NIST SP 800-37 is the Risk Management Framework for Information
Systems and Organizations. The other NIST publications posed in the question are:
NIST Special Publication 800-53 – Security and Privacy Controls for Federal
Information Systems and Organizations
NIST SP 800-60 – Guide to Mapping Types of Information and Information
Systems to Security Categories
NIST SP 800-94 – Guide to Intrusion Detection and Prevention Systems

52
Q

The Organisation for Economic Co-operation and Development (OECD) has defined
____ privacy principles to ensure PII is protected?
A. 6
B. 7
C. 8
D. 9

A

Answer: C The principles include collection limitation, data quality, purpose
specification, use limitation, security safeguards, openness, individual participation,
and accountability.

53
Q

Iga needs an asset inventory system to help track hardware and software assets, as
well as system updates and upgrades. Which of the following systems would assist
her BEST?
A. SYSLOG
B. CMDB
C. SIEM
D. NESSUS

A

Answer: B A Configuration Management Database (CMDB) tracks the inventory of
hardware and software assets and the changes made to them across the entire
organization. Security Information and Event Management (SIEM) collects and
correlates logs (syslog and other event sources) and accounting data from across
the organization's network; syslog itself is only a log transport and format.
Nessus is a vulnerability scanning tool.

54
Q

A company that provides cloud security features such as defining and monitoring
cloud risks and security is known as what?
A. Cloud provider
B. CASB
C. SAAS
D. Private cloud

A

Answer: B A CASB is placed between the organization and the cloud provider
to enforce security policies, and comply with legal, contractual, and regulatory
requirements. A cloud provider that provides the application is offering a Software
as a Service (SaaS) implementation. If the service is only for that client, they will be
on a private cloud.

55
Q

Agent-based CASBs inspect which of the following data?
A. Organizational data only
B. Personal data only
C. Both organizational and personal data
D. Lower-privileged data only

A

Answer: C An agent-based CASB runs on the endpoint and sees all of the device's
cloud traffic, organizational and personal alike. An agentless CASB inspects
organizational data only, not personal data. An API-only CASB manages security
through the cloud providers' APIs, and multi-mode CASBs combine the approaches
to offer both management and security.

56
Q

Which of the following is NOT a trait of DRM?
A. Product keys
B. Watermarking
C. Automatic failover
D. Copy restriction

A

Answer: C Other Digital Rights Management (DRM) traits include limited install
activations, persistent online authentication, encryption, anti-tampering, and
regional lockout. Automatic failover is unrelated to DRM; it is an availability
feature in which a standby system takes over automatically when the active one
fails.

57
Q

The Center for Strategic and International Studies (CSIS) has defined 20 critical
security controls. Which of the following options is NOT included in the top 5?
A. Offense informs defense
B. Boundary defense
C. Metrics
D. Automation

A

Answer: B The five critical tenets behind the controls are offense informs
defense, prioritization, metrics, continuous monitoring, and automation.
Boundary defense, data protection, and data recovery capability are individual
controls within the 20, not tenets.

58
Q

Which of the following is NOT one of the Generally Accepted System Security Principles (GASSP)?
A. Prevent, detect, respond, recover
B. External systems are assumed to be insecure
C. Auditability and accountability
D. HSM for every computer

A

Answer: D Hardware Security Modules (HSMs) are dedicated, tamper-resistant
devices for generating, storing, and using cryptographic keys. Although they are
important, mandating one for every computer would be a specific control or
procedure, not a principle. The other principles include information system
security objectives, protection of information while being processed, in
transit, and in storage, and resilience for critical information systems.

59
Q

Juan, a security manager, decides to use the United States Government
Configuration Baseline (USGCB), but needs to remove some of the settings because
they do not fit his environment. This is also known as what?
A. Tailoring
B. Scoping
C. Fine-tuning
D. Baselining

A

Answer: B Scoping removes baseline controls that do not apply to the environment
(for example, wireless controls on a system with no wireless interface).
Tailoring adjusts the controls that remain, sets their parameters, and adds
compensating controls so that they fit the environment. Baselines are the
security starting point, and fine-tuning is an informal description of adapting
a baseline that covers both scoping and tailoring.

60
Q

Which OECD principle states that user data may not be shared with outside
companies?
A. Collection limitation principle
B. Use limitation principle
C. Individual participation principle
D. Accountability principle

A

Answer: B Use limitation states that PII may not be disclosed, made available or
otherwise used for purposes other than those specified at collection, except
with the data subject's consent or by authority of law. Collection limitation
states a firm collects the minimum PII required. Individual participation states
a data subject can get a report of their PII. The accountability principle means
the data controller is accountable for complying with the principles, including
any breach of them.

61
Q

An enterprise operates in a hybrid cloud environment, employing on-site and cloud-based systems. It has adequate on-site monitoring but needs to impose security policies on user activities and report exceptions in its increasing number of cloud services. What kind of tool would be most suitable for this requirement?
A. A Next-Generation Firewall (NGFW)
B. A Cloud Access Security Broker (CASB)
C. An Intrusion Detection System (IDS)
D. A Security Orchestration, Automation, and Response (SOAR) tool

A

Answer: B. A Cloud Access Security Broker (CASB)
Explanation: A Cloud Access Security Broker (CASB) sits between cloud service consumers and cloud service providers to enforce security, compliance, and governance policies for cloud applications. Deployed inline or through the providers' APIs, it applies the organization's policies to user activity across its growing set of cloud services and reports exceptions, which is the gap the existing on-site monitoring does not cover. An NGFW, an IDS, and a SOAR tool all operate on the organization's own network and incident workflow rather than on activity inside the cloud services.

62
Q

Among the following information security risks to data at rest, which one would inflict the most substantial reputational damage to an organization?
A. Incorrect classification
B. Data breach
C. Decryption
D. A deliberate insider threat

A

Answer: B. Data breach
Explanation: A data breach involving unauthorized access and retrieval of sensitive information often has the most significant reputational impact on an organization. It can lead to losing trust among customers and stakeholders, legal repercussions, and financial losses.

63
Q

An employer issues mobile phones to its staff for work purposes and renews the devices every two years. How would you describe this practice if the phones are still operational and receiving system updates?
A. End of Life (EOL)
B. Planned obsolescence
C. End of Support (EOS)
D. Device risk management

A

Answer: B. Planned obsolescence
Explanation: Planned obsolescence is a policy of planning or designing a product with an artificially limited useful life, or a deliberately fragile design, so that it becomes outdated or nonfunctional after a set period. In this case, even though the phones are still operational and receiving updates, they are replaced every two years. This is a form of planned obsolescence, where the company ensures that the old devices are phased out and replaced even though they might still be usable. EOL is when the device is no longer suitable for use and is disposed of. EOS means that the manufacturer has stopped providing updates or fixes for the product. Device risk management is a process to identify, assess, and prioritize the risks associated with using devices in an organization. None of these options describes the scenario as accurately as planned obsolescence.

64
Q

What term refers to the process of identifying and categorizing an organization’s resources?
A. Resource classification
B. Asset classification
C. Asset allocation
D. Resource allocation

A

Answer: B. Asset classification
Explanation: Asset classification defines an organization’s assets based on their criticality, sensitivity, and other factors. This helps organizations apply appropriate security measures and prioritize their resources.

65
Q

What process involves setting the rules for how to deal with and manage information and assets within an organization?
A. Establishing data retrieval protocol
B. Setting information and asset handling guidelines
C. Creating data backup plan
D. Setting asset management policy

A

Answer: B. Setting information and asset handling guidelines
Explanation: Establishing information and asset handling requirements means setting up policies and procedures determining how data and assets should be managed, stored, transmitted, and disposed of. This is an essential part of an organization’s information security strategy, helping to ensure that sensitive information and valuable assets are appropriately protected.

66
Q

Who decides who, what, when, where, and how data should be used or shared?
A. Data custodian
B. Data controller
C. Data processor
D. Data owner

A

Answer: D. Data owner
Explanation: The data owner is typically a senior executive with legal authority and responsibility for a dataset, and so sets the rules for who may use or share it and under what conditions. The custodian implements those rules, and the controller and processor are GDPR roles describing who determines the purposes of processing and who carries it out.

67
Q

What does the term “End-of-Life” (EOL) typically refer to in the context of asset retention?
A. The period when an asset is fully depreciated
B. The point at which the manufacturer no longer supports an asset
C. The time when an asset is no longer useful for the organization and is disposed of
D. The stage when an asset is upgraded or replaced with a newer model

A

Answer: C. The time when an asset is no longer useful for the organization and is disposed of
Explanation: EOL generally refers to a stage in the asset’s life cycle when it is no longer beneficial or productive for the organization. This could be due to obsolescence, failure, or when it is more cost-effective to replace the asset than to continue maintaining it.

68
Q

In the context of data management, what is the main reason for properly managing an asset’s End-of-Life (EOL) stage?
A. To maximize the asset’s value
B. To ensure data contained on the asset is properly backed up
C. To prevent unauthorized access or data breaches
D. To ensure the asset can be reused

A

Answer: C. To prevent unauthorized access or data breaches
Explanation: When an asset reaches its End-of-Life (EOL) stage, it’s crucial to ensure that all data on the asset is either transferred or destroyed

69
Q

What is the primary goal of data loss prevention (DLP)?
A. To prevent data breaches by detecting potential data breach/data ex-filtration transmissions
B. To recover data that has been lost due to hardware failure
C. To manage access rights to data
D. To provide an audit trail of data access

A

Answer: A. To prevent data breaches by detecting potential data breach/data ex-filtration transmissions
Explanation: DLP aims to ensure that end users do not send sensitive or critical information outside the corporate network. The term also describes the software products that inspect data in motion (network egress, email, web uploads), data at rest (file shares and repositories) and data in use (endpoints) for sensitive content, and block, quarantine or alert on policy violations. Recovery from hardware failure is the job of backups, managing access rights is access control, and audit trails come from logging; none of these is DLP's purpose.
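
Added example, not from the original flashcard material: a minimal DLP content inspector in Python run over constructed outbound messages. It flags U.S. Social Security numbers by format and payment-card numbers only when the digits also pass the Luhn check, which is what keeps an order reference from being quarantined as a card number. The sender addresses, message bodies and the block decision are all made up for the demo; a production DLP engine would add document fingerprinting, keyword dictionaries and context rules on top of pattern matching.

```python
import re
from typing import Dict, List, Tuple

# Format checks. SSN: excludes reserved area numbers (000, 666, 900-999),
# group 00 and serial 0000. Card: 13 to 19 digits with optional space/dash separators.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) checksum used by payment-card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:        # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> List[str]:
    """Return the categories of sensitive data found in one message body."""
    findings = []
    if SSN_RE.search(text):
        findings.append("ssn")
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_ok(digits):   # format alone is not enough; reject non-Luhn digit runs
            findings.append("payment_card")
            break
    return findings


def scan_outbound(events: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Apply the policy: any message with findings is blocked and reported by sender."""
    blocked = {}
    for sender, body in events:
        findings = find_sensitive(body)
        if findings:
            blocked[sender] = findings
    return blocked


# Constructed sample of outbound messages (sender, body) for the demo.
SAMPLE_EVENTS = [
    ("alice@corp.example", "Lunch at 12? Call me on 555-123-4567"),
    ("bob@corp.example", "Customer paid with card 4111 1111 1111 1111, please refund"),
    ("carol@corp.example", "Order ref 1234 5678 9012 3456 shipped this morning"),
    ("dave@corp.example", "SSN for onboarding: 123-45-6789"),
]

if __name__ == "__main__":
    for sender, findings in scan_outbound(SAMPLE_EVENTS).items():
        print(f"BLOCK {sender}: {', '.join(findings)}")
```

Alice's phone number is too short to match, and Carol's order reference has the right shape but fails Luhn, so only Bob's and Dave's messages are blocked; that second filter is what keeps the false-positive rate low enough for users to tolerate the control.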

70
Q

What provides more flexibility in applying encryption to specific files?
A. File encryption software
B. Categorization
C. Self-encrypting USB drives
D. Media encryption software

A

Answer: A. File encryption software
Explanation: File encryption software encrypts individual files, so particular data elements can be protected, shared or keyed differently. Self-encrypting drives and media encryption software protect the whole volume and cannot distinguish between files, and categorization is a classification activity, not an encryption mechanism.

71
Q

What role ensures crucial datasets are developed, maintained, and accessible within their specified parameters?
A. Conducting data classification
B. Undertaking data modeling
C. Serving as data custodians
D. Implementing data security controls

A

Answer: C. Serving as data custodians
Explanation: Data custodians ensure that important datasets are developed, maintained, and accessible within their specifications. This role is crucial in an organization’s overall data management and protection strategy.

72
Q

Which of the following locations exemplifies “data in use”?
A. RAM
B. Network transmission
C. SSD
D. Magnetic disk

A

Answer: A. RAM
Explanation: RAM (Random Access Memory) is a type of computer memory used to read and write data that is being actively used or processed by the computer. Hence, it is an example of “data in use.”

73
Q

Which protocol should you opt for if you want to replace an old Telnet server with a secure alternative?
A. SCP
B. HTTPS
C. SSH
D. SFTP

A

Answer: C. SSH
Explanation: SSH (Secure Shell) provides an encrypted, authenticated remote terminal session and so directly replaces Telnet, which sends usernames, passwords and the whole session in cleartext. SCP and SFTP run over SSH but are file-transfer protocols rather than interactive shells, and HTTPS secures web traffic, not remote administration.

74
Q

The TLS protocol is most effective for safeguarding which type of data?
A. Data in motion
B. Data in use
C. Data at rest
D. Data in an archived status

A

Answer: A. Data in motion
Explanation: The Transport Layer Security (TLS) protocol is designed to provide confidentiality, integrity and peer authentication between two communicating applications, which makes it suitable for securing data in motion. It offers no protection once the data is decrypted at either endpoint, so data at rest, data in use and archived data need other controls.
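
Added example, not part of the original deck: the data-in-motion protection TLS offers depends on the client being configured to verify the peer. The Python below builds a hardened client context next to the permissive one that `verify=False`-style shortcuts produce, plus a small audit function that reports the settings that would leave data in motion exposed to an active attacker. No network connection is made; the contexts are only inspected, and the weak context is constructed purely so the audit has something to catch.

```python
import ssl
from typing import List


def hardened_client_context() -> ssl.SSLContext:
    """Client context that actually protects data in motion: CA-verified peer
    certificate, hostname check, and nothing older than TLS 1.2."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED, check_hostname=True, system CAs
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def permissive_client_context() -> ssl.SSLContext:
    """Deliberately weak context, the shape of 'turn off verification to make
    the error go away'. Example only; it accepts any certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                  # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE             # any certificate accepted: MITM-able
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1  # re-enable legacy protocols if the build allows
    except ValueError:
        pass                                    # OpenSSL built without TLS 1.0: keep the default
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the findings that make a TLS client context unsafe for data in motion."""
    findings = []
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required or not verified")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS 1.0/1.1 still negotiable")
    return findings


if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_client_context()),
                      ("permissive", permissive_client_context())):
        print(name, audit_context(ctx) or ["ok"])
```

The permissive context still encrypts, which is why it passes casual inspection; without certificate and hostname verification the client cannot tell the real server from an attacker in the path, so the "data in motion" guarantee collapses to confidentiality against passive observers only.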

75
Q

When viewed independently, which data elements can be considered PII?
A. Work ZIP code
B. Home address
C. Gender
D. Age

A

Answer: B. Home address
Explanation: A home address can identify an individual even when seen in isolation, so it is considered PII on its own. Gender, age and a work ZIP code each describe many people and become identifying only in combination with other attributes.

76
Q

Who updates the system security plan when a significant change occurs?
A. Business owner
B. Data processor
C. Data owner
D. System owner

A

Answer: D. System owner
Explanation: The system owner, or information system owner or information owner, is typically responsible for the overall procurement, development, integration, modification, or operation and maintenance of the information system. When there is a significant change in the system, they are primarily responsible for updating the system security plan (SSP). This includes documenting changes in the system environment, updating the system inventory, and reevaluating the security controls. The business owner, data processor, and data owner also have crucial roles in the organization but are not primarily responsible for the SSP. The business owner usually oversees the business process that the system supports. The data processor processes data on behalf of the data owner, who is responsible for the data’s accuracy, privacy, and security.