Domain 7

Question 1

Why should employers make sure employees take their vacations?
A. They have a legal obligation.
B. It is part of due diligence.
C. It is a way for fraud to be uncovered.
D. To ensure employees do not get burned out.

Answer 1

C. Many times, employees who are carrying out fraudulent activities do not take the vacation they have earned because they do not want anyone to find out what they have been doing. Forcing an employee to take a vacation means that someone else has to do that person’s job and can possibly uncover any misdeeds.

Question 2

Which of the following best describes separation of duties and job rotation?
A. Separation of duties ensures that more than one employee knows how to perform the tasks of a position, and job rotation ensures that one person
cannot perform a high-risk task alone.
B. Separation of duties ensures that one person cannot perform a high-risk task alone, and job rotation can uncover fraud and ensure that more than one
person knows the tasks of a position.
C. They are the same thing, but with different titles.
D. They are administrative controls that enforce access control and protect the organization’s resources.

Answer 2

B. Rotation of duties enables an organization to have more than one person trained in a position and can uncover fraudulent activities. Separation of duties is
put into place to ensure that one entity cannot carry out a critical task alone.

Question 3

If a programmer is restricted from updating and modifying production code, what is this an example of?
A. Rotation of duties
B. Due diligence
C. Separation of duties
D. Controlling input values

Answer 3

C. This is just one of several examples of separation of duties. A system must be set up for proper code maintenance to take place when necessary, instead of
allowing a programmer to make changes arbitrarily. These types of changes should go through a change control process and should have more entities involved than
just one programmer

Question 4

What is the difference between least privilege and need to know?
A. A user should have least privilege that restricts her need to know.
B. A user should have a security clearance to access resources, a need to know about those resources, and least privilege to give her full control of all resources.
C. A user should have a need to know to access particular resources, and least privilege should be implemented to ensure she only accesses the resources she has a need to know.
D. They are two different terms for the same issue.

Answer 4

C. Users should be able to access only the resources they need to fulfill the duties of their positions. They also should only have the level of permissions and rights
for those resources that are required to carry out the exact operations they need for their jobs, and no more. This second concept is more granular than the first,
but they have a symbiotic relationship.

Question 5

Which of the following would not require updated documentation?
A. An antivirus signature update
B. Reconfiguration of a server
C. A change in security policy
D. The installation of a patch to a production server

Answer 5

A. Documentation is a very important part of the change control process. If things are not properly documented, employees will forget what actually took place with each device. If the environment needs to be rebuilt, for example, it may be done
incorrectly if the procedure was poorly or improperly documented. When new changes need to be implemented, the current infrastructure may not be totally
understood. Continually documenting when virus signatures are updated would be overkill. The other answers contain events that certainly require documentation.

Question 6

A company needs to implement a CCTV system that will monitor a large area outside the facility. Which of the following is the correct lens combination for this?
A. A wide-angle lens and a small lens opening
B. A wide-angle lens and a large lens opening
C. A wide-angle lens and a large lens opening with a small focal length
D. A wide-angle lens and a large lens opening with a large focal length

Answer 6

A. The depth of field refers to the portion of the environment that is in focus when shown on the monitor. The depth of field varies depending upon the size of
the lens opening, the distance of the object being focused on, and the focal length of the lens. The depth of field increases as the size of the lens opening decreases,
the subject distance increases, or the focal length of the lens decreases. So if you want to cover a large area and not focus on specific items, it is best to use a wide angle lens and a small lens opening

Question 7

Which of the following is not a true statement about CCTV lenses?
A. Lenses that have a manual iris should be used in outside monitoring.
B. Zoom lenses carry out focus functionality automatically.
C. Depth of field increases as the size of the lens opening decreases.
D. Depth of field increases as the focal length of the lens decreases.

Answer 7

A. Manual iris lenses have a ring around the CCTV lens that can be manually turned and controlled. A lens that has a manual iris would be used in an area that has fixed lighting, since the iris cannot self-adjust to changes of light. An auto iris lens should be used in environments where the light changes, such as an outdoor
setting. As the environment brightens, this is sensed by the iris, which automatically adjusts itself. Security personnel will configure the CCTV to have a specific fixed
exposure value, which the iris is responsible for maintaining. The other answers are true statements about CCTV lenses

Question 8

What is true about a transponder?
A. It is a card that can be read without sliding it through a card reader.
B. It is a biometric proximity device.
C. It is a card that a user swipes through a card reader to gain access to a facility.
D. It exchanges tokens with an authentication server

Answer 8

A. A transponder is a type of proximity-based access control device that does not require the user to slide a card through a reader. The reader and card
communicate directly. The card and reader have a receiver, transmitter, and battery. The reader sends signals to the card to request information. The card sends the reader an access code.

Question 9

When is a security guard the best choice for a physical access control mechanism?
A. When discriminating judgment is required
B. When intrusion detection is required
C. When the security budget is low
D. When access controls are in place

Answer 9

A. Although many effective physical security mechanisms are on the market today, none can look at a situation, make a judgment about it, and decide what the next step should be. A security guard is employed when an organization needs to have a countermeasure that can think and make decisions in different scenarios.

Question 10

Which of the following is not a characteristic of an electrostatic intrusion detection system?
A. It creates an electrostatic field and monitors for a capacitance change.
B. It can be used as an intrusion detection system for large areas.
C. It produces a balance between the electric capacitance and inductance of an object.
D. It can detect if an intruder comes within a certain range of an object.

Answer 10

B. An electrostatic IDS creates an electrostatic field, which is just an electric field associated with static electric charges. The IDS creates a balanced electrostatic field between itself and the object being monitored. If an intruder comes within a certain range of the monitored object, there is capacitance change. The IDS can
detect this change and sound an alarm.

Question 11

What is a common problem with vibration-detection devices used for perimeter security?
A. They can be defeated by emitting the right electrical signals in the protected area.
B. The power source is easily disabled.
C. They cause false alarms.
D. They interfere with computing devices.

Answer 11

C. This type of system is sensitive to sounds and vibrations and detects the changes in the noise level of an area it is placed within. This level of sensitivity can cause many false alarms. These devices do not emit any waves; they only listen for sounds within an area and are considered passive devices.

Question 12

Which of the following is not considered a delaying mechanism?
A. Locks
B. Defense-in-depth measures
C. Warning signs
D. Access controls

Answer 12

C. Every physical security program should have delaying mechanisms, which have the purpose of slowing down an intruder so security personnel can be alerted and
arrive at the scene. A warning sign is a deterrence control, not a delaying control.

Question 13

What are the two general types of proximity identification devices?
A. Biometric devices and access control devices
B. Swipe card devices and passive devices
C. Preset code devices and wireless devices
D. User-activated devices and system sensing devices

Answer 13

D. A user-activated device requires the user to do something: swipe the card through the reader and/or enter a code. A system sensing device recognizes the presence of the card and communicates with it without the user needing to carry
out any activity.

Question 14

Which is not a drawback of an intrusion detection system?
A. It’s expensive to install.
B. It cannot be penetrated.
C. It requires human response.
D. It’s subject to false alarms

Answer 14

B. Intrusion detection systems are expensive, require someone to respond when they set off an alarm, and, because of their level of sensitivity, can cause several
false alarms. Like any other type of technology or device, they have their own vulnerabilities that can be exploited and penetrated.

Question 15

What is a cipher lock?
A. A lock that uses cryptographic keys
B. A lock that uses a type of key that cannot be reproduced
C. A lock that uses a token and perimeter reader
D. A lock that uses a keypad

Answer 15

D. Cipher locks, also known as programmable locks, use keypads to control access into an area or facility. The lock can require a swipe card and a specific combination that’s entered into the keypad.

Question 16

If a cipher lock has a door delay option, what does that mean?
A. After a door is open for a specific period, the alarm goes off.
B. It can only be opened during emergency situations.
C. It has a hostage alarm capability.
D. It has supervisory override capability.

Answer 16

A. A security guard would want to be alerted when a door has been open for an extended period. It may be an indication that something is taking place other
than a person entering or exiting the door. A security system can have a threshold set so that if the door is open past the defined time period, an alarm sounds.

Question 17

Use the following scenario to answer Questions 1–3. The startup company at which you are the director of security is going through a huge growth spurt and the CEO has decided it’s time to let you build out a security operations center (SOC). You already have two
cybersecurity analysts (one is quite experienced), a brand-new security information and
event management (SIEM) platform, and pretty good security processes in place.
1. The number of alerts on your SIEM is overwhelming your two analysts and many alerts go uninvestigated each day. How can you correct this?
A. Hire an intelligence analyst to help you focus your collection efforts.
B. Tune the SIEM platform to reduce false-positive alerts.
C. Establish a threat hunting program to find attackers before they trigger alerts.
D. Establish thresholds below which events will not generate alerts.

Answer 17

B. False positives are a very common problem with automated platforms like SIEMs, but they can be alleviated by fine-tuning the platform. An intelligence analyst could help a little bit but would clearly not be the best answer, while threat hunting would be a distractor for such a young SOC that still needs to get alerts
under control. Ignoring low-scoring alerts as a matter of policy would be a very dangerous move when dealing with stealthy attackers.

Question 18

2. You hire an intelligence analyst and want her to start addressing intelligence requirements. Which of the following should be her first step?
   A. Finding out what questions decision-makers need answered
   B. Establishing a collection management framework
   C. Identifying data sources
   D. Subscribing to a threat data feed

Answer 18

A. Threat intelligence is meant to help decision-makers choose what to do about a threat. It answers a question that these leaders may have. The CMF and data sources are all important, of course, but they are driven by the requirements that come out of leaders’ questions. After the requirements are known, the intelligence analyst may (or may not) need to subscribe to a threat data feed.

Question 19

Your SOC is maturing rapidly and you are ready to start a cyberthreat hunting program. Which of the following describes the crux of this effort?
A. Proving or negating hypotheses of threat actions based on threat intelligence
B. Neutralizing threat actors before they can breach your organization
C. Digging deeper into the alerts to determine if they constitute security incidents
D. Allowing hunters an opportunity to observe techniques used by their adversaries

Answer 19

A. The crux of threat hunting is to develop a hypothesis of adversarial action based on threat intelligence, and then to prove or negate the hypothesis. Inherent in this description are two factors: a) the adversary is already inside the network, and b) no alerts tipped off the defenders to the adversary’s presence. These factors negate answers B and C. Answer D describes the purpose of a honeypot, not threat hunting.

Question 20

A firewall that can only make decisions based on examining a single network layer header is called a
A. Stateful firewall
B. Screened host
C. Packet filter
D. Next-generation firewall

Answer 20

C. Packet filtering is a firewall technology that makes access decisions based upon
network-level protocol header values. The device that is carrying out packet-filtering processes is configured with access control lists (ACLs), which dictate the type of
traffic that is allowed into and out of specific networks.

Question 21

A firewall that understands the three-step handshake of a TCP connection is called a
A. Packet filter
B. Proxy firewall
C. Transport-layer proxy
D. Stateful firewall

Answer 21

D. Stateful firewalls keep track of the state of a protocol connection, which means they understand the three-step handshake a TCP connection goes through
(SYN, SYN/ACK, ACK).

Question 22

What is the main challenge with anomaly-based approaches to intrusion detection and prevention?
A. False positives
B. Needing a rule that accurately captures the attack
C. Cost
D. Immaturity of the technology

Answer 22

A. The main challenge with anomaly-based approaches is that of false positives—detecting intrusions when none happened. These can lead to fatigue and
desensitizing the personnel who need to examine each of these alerts. Despite this shortcoming, anomaly-based approaches are mature and cost-effective
technologies that are differentiated from rule-based systems by not needing rules that accurately capture attacks

Question 23

Which of the following is an effective technique for tuning automated detection systems like IDS/IPS and SIEMs?
A. Access control lists
B. State tables
C. Whitelists
D. Supervised machine learning

Answer 23

C. One of the most effective ways to tune detection platforms like IDS/IPS is to develop lists of things that are definitely benign and those that are definitely malicious. The platform, then, just has to figure out the stuff that is not on either
list. A whitelist (more inclusively called an allow list) is a set of known-good resources such as IP addresses, domain names, or applications.

Question 24

Which of the following terms would describe a system designed to ascertain a specific attacker’s intent and dynamically spawn multiple virtual devices that are
designed to be appealing to that particular attacker?
A. Honeypot
B. Honeyclient
C. Honeyseeker
D. Honeynet

Answer 24

D. Some honeynets are designed to ascertain a specific attacker’s intent and dynamically spawn honeypots that are designed to be appealing to that particular attacker. These very sophisticated honeynets are not networks of preexisting
honeypots, but rather adaptive networks that interact with the adversaries to keep them engaged (and thus under observation) for as long as possible.

Question 25

9. Which of the following is not a typical application of machine learning?
   A. Classification
   B. Prediction
   C. Clustering
   D. Knowledge engineering

Answer 25

D. Machine learning (ML), which is a non-symbolic approach to artificial
intelligence (AI), is typically used for classification and prediction (using supervised or semi-supervised learning) as well as clustering (using unsupervised learning). Knowledge engineering is a requirement for symbolic forms for AI, such as expert systems, which are not ML in the common sense of the term

Question 26

Which of the following is not true about continuous monitoring?
A. It involves ad hoc processes that provide agility in responding to novel attacks.
B. Its main goal is to support organizational risk management.
C. It helps determine whether security controls remain effective.
D. It relies on carefully chosen metrics and measurements.

Answer 26

A. Continuous monitoring is a deliberate, data-driven process supporting organizational risk management. One of the key questions it answers is whether
controls are still effective at mitigating risks. Continuous monitoring could potentially lead to a decision to implement specific ad hoc processes, but these would not really be part of continuous monitoring.

Question 27

What are the phases of incident management?
A. Identification, collection, acquisition, and preservation
B. Detection, response, mitigation, reporting, recovery, remediation, and lessons learned
C. Protection, containment, response, remediation, and reporting
D. Analysis, classification, incident declaration, containment, eradication, and investigation

Answer 27

B. Incident management encompasses seven phases according to the CISSP CBK:
detection, response, mitigation, reporting, recovery, remediation, and lessons learned.

Question 28

During which phase of incident management does the IR team contain the damage caused by a security incident?
A. Preservation
B. Response
C. Eradication
D. Remediation

Answer 28

B. The goal of containment during the response phase is to prevent or reduce any further damage from this incident so that you can begin to mitigate and recover. Done properly, this buys the IR team time for a proper investigation and
determination of the incident’s root cause.

Question 29

During which phase of incident management are security controls deployed or changed to prevent the incident from recurring?
A. Preservation
B. Response
C. Eradication
D. Remediation

Answer 29

D. In the remediation phase, you decide which control changes (e.g., firewall or IDS/IPS rules) are needed to preclude this incident from happening again. Another aspect of remediation is the identification of indicators of attack (IOAs) that can be used in the future to detect this attack in real time (i.e., as it is happening) as well as indicators of compromise (IOCs), which tell you when an attack has been successful and your security has been compromised.

Question 30

Which document establishes authorities and responsibilities with regard to incidents across the entire organization?
A. Incident management policy
B. Incident response plan
C. Incident response runbook
D. Incident classification criteria

Answer 30

A. The incident management policy (IMP) establishes authorities and
responsibilities across the entire organization, identifies the incident response (IR) lead for the organization, and describes what every staff member is required to do with regard to incidents. The incident response plan (IRP) gets into the details of what should be done when responding to suspected incidents, and includes roles and responsibilities, incident classification, notifications, and operational tasks. A runbook is a collection of procedures that the IR team will follow for specific types of incidents.

Question 31

After a computer forensic investigator seizes a computer during a crime investigation, what is the next step?
A. Label and put it into a container, and then label the container
B. Dust the evidence for fingerprints
C. Make an image copy of the disks
D. Lock the evidence in the safe

Answer 31

C. Several steps need to be followed when gathering and extracting evidence from a scene. Once a computer has been confiscated, the first thing the computer forensics team should do is make an image of the hard drive. The team will work from this
image instead of the original hard drive so that the original stays in a pristine state and the evidence on the drive is not accidentally corrupted or modified.

Question 32

Which of the following is a necessary characteristic of evidence for it to be admissible?
A. It must be real.
B. It must be noteworthy.
C. It must be reliable.
D. It must be important.

Answer 32

C. For evidence to be admissible, it must be relevant to the case, reliable, and legally obtained. For evidence to be reliable, it must be consistent with fact and must not be based on opinion or be circumstantial.

Question 33

Which of the following is not considered a best practice when interviewing willing witnesses?
A. Compartmentalize information
B. Interview one interviewee at a time
C. Be fair and objective
D. Record the interview

Answer 33

D. Recording devices can have a chilling effect on interviewees. Instead, have at least one notetaker in the room and, after the interview is complete, read back the notes to the interviewee to ensure their accuracy.

Question 34

Which best describes a hot-site facility versus a warm- or cold-site facility?
A. A site that has disk drives, controllers, and tape drives
B. A site that has all necessary PCs, servers, and telecommunications
C. A site that has wiring, central air-conditioning, and raised flooring
D. A mobile site that can be brought to the organization’s parking lot

Answer 34

B. A hot site is a facility that is fully equipped and properly configured so that it can be up and running within hours to get an organization back into production. Answer B gives the best definition of a fully functional environment.

Question 35

Which of the following describes a cold site?
A. Fully equipped and operational in a few hours
B. Partially equipped with data processing equipment
C. Expensive and fully configured
D. Provides environmental measures but no equipment

Answer 35

D. A cold site only provides environmental measures—wiring, HVAC, raised floors—basically a shell of a building and no more.

Question 36

Which is the best description of remote journaling?
A. Backing up bulk data to an offsite facility
B. Backing up transaction logs to an offsite facility
C. Capturing and saving transactions to two mirrored servers in-house
D. Capturing and saving transactions to different media types

Answer 36

B. Remote journaling is a technology used to transmit data to an offsite facility, but this usually only includes moving the journal or transaction logs to the offsite facility, not the actual files.

Question 37

Which of the following does not describe a reciprocal agreement?
A. The agreement is enforceable.
B. It is a cheap solution.
C. It may be able to be implemented right after a disaster.
D. It could overwhelm a current data processing site.

Answer 37

A. A reciprocal agreement is not enforceable, meaning that the organization that agreed to let the damaged organization work out of its facility can decide not to allow this to take place. A reciprocal agreement is a better secondary backup option if the original plan falls through.

Question 38

If a system is fault tolerant, what would you expect it to do?
A. Continue to operate as expected even if something unexpected takes place
B. Continue to function in a degraded fashion
C. Tolerate outages caused by known faults
D. Raise an alarm, but tolerate an outage caused by any fault

Answer 38

A. Fault tolerance is the capability of a technology to continue to operate as expected even if something unexpected takes place (a fault), with no degradations
or outages.

Question 39

Which of the following approaches to testing your disaster recovery plan would be least desirable if you had to maintain high availability of over 99.999 percent?
A. Checklist test
B. Parallel test
C. Full-interruption test
D. Structured walkthrough test

Answer 39

C. A full-interruption test is the most intrusive to regular operations and business
productivity. The original site is actually shut down, and processing takes place at the alternate site. This is almost guaranteed to exceed your allowed downtime
unless everything went extremely well.

Question 40

Use the following scenario to answer Questions 7–10. You are the CISO of a small research and development (R&D) company and realize that you don’t have a disaster recovery plan (DRP). The projects your organization handles are extremely sensitive and, despite having a very limited budget, you have to bring the risk of project data being lost as close
to zero as you can. Recovery time is not as critical because you bill your work based on monthly deliverables and have some leeway at your disposal. Because of the sensitivity of your work, remote working is frowned upon and you keep your research data on local servers (including exchange for e-mail, Matter most for group chat, and Apache for web) at your headquarters (and only) site.
7. Which recovery site strategy would be best for you to consider?
A. Reciprocal agreement
B. Hot site
C. Warm site
D. Cold site

Answer 40

D. Because you are working on a tight budget and have the luxury of recovery time, you want to consider the least expensive option. A reciprocal agreement would be ideal except for the sensitivity of your data, which could not be shared with a similar organization (that could, presumably, be a competitor at some point). The next option (cost-wise) is a cold site, which would work in the given
scenario.

Question 41

Which of the following recovery site characteristics would be best for your organization?
A. As close to headquarters as possible within budgetary constraints
B. 100 miles away from headquarters, on a different power grid
C. 15 miles away from headquarters on a different power grid
D. As far away from headquarters as possible

Answer 41

C. An ideal recovery site would be on a different power grid to minimize the risk that power will be out on both sites, but close enough for employees to commute.
This second point is important because, due to the sensitivity of your work, your organization has a low tolerance for remote work.

Question 42

Which data backup storage strategy would you want to implement?
A. Direct-attached storage
B. Network-attached storage
C. Offline media
D. Cloud storage

Answer 42

C. Since your data is critical enough that you have to bring the risk of it being lost as close to zero as you can, you would want to use offline media such as tape backups, optical discs, or even external drives that are disconnected after each backup (and potentially removed offsite). This is the slowest and most expensive approach, but is also the most resistant to attacks.

Question 43

Which of the following would be the best way to communicate with all members of the organization in the event of a disaster that takes out your site?
A. Internal Matter most channel
B. External Slack channel
C. Exchange e-mail
D. Call trees

Answer 43

B. If your site is taken out, you would lose both Exchange and Matter most since those servers are hosted locally. Call trees only work well for initial notification, leaving an externally hosted Slack channel as the best option. This would require your staff to be aware of this means of communication and have accounts created before the disaster.