Domain 7 Flashcards

1
Q

Referring to the figure below, what technology is shown that provides fault tolerance for the database servers?

a. Failover cluster
b. UPS
c. Tape backup
d. Cold site

A

A. The illustration shows an example of a failover cluster, where DB1 and DB2 are both configured as database servers. At any given time, only one will function as the active database server, while the other remains ready to assume responsibility if the first one fails. While the environment may use UPS, tape backup, and cold sites as disaster recovery and business continuity controls, they are not shown in the diagram.

2
Q

Joe is the security administrator for an ERP system. He is preparing to create accounts for several new employees. What default access should he give to all of the new employees as he creates the accounts?

a. Read only
b. Editor
c. Administrator
d. No access

A

D. The principle of least privilege should guide Joe in this case. He should apply no access permissions by default and then give each user the necessary permissions to perform their job responsibilities. Read only, editor, and administrator permissions may be necessary for one or more of these users, but those permissions should be assigned based upon business need and not by default.

3
Q

Which one of the following is not a privileged administrative activity that should be automatically sent to a log of superuser actions?

a. Purging log entries
b. Restoring a system from backup
c. Logging into a workstation
d. Managing user accounts

A

C. While most organizations would want to log attempts to log in to a workstation, this is not considered a privileged administrative activity and would go through normal logging processes.

4
Q

Which one of the following individuals is most likely to lead a regulatory investigation?

a. CISO
b. CIO
c. Government agent
d. Private detective

A

C. Regulatory investigations attempt to uncover whether an individual or organization has violated administrative law. These investigations are almost always conducted by government agents.

5
Q

What type of evidence consists entirely of tangible items that may be brought into a court of law?

a. Documentary evidence
b. Parol evidence
c. Testimonial evidence
d. Real evidence

A

D. Real evidence consists of things that may actually be brought into a courtroom as evidence. For example, real evidence includes hard disks, weapons, and items containing fingerprints. Documentary evidence consists of written items that may or may not be in tangible form. Testimonial evidence is verbal testimony given by witnesses with relevant information. The parol evidence rule says that when an agreement is put into written form, the written document is assumed to contain all the terms of the agreement.

6
Q

Which one of the following trusted recovery types does not fail into a secure operating state?

a. Manual recovery
b. Automated recovery
c. Automated recovery without undue loss
d. Function recovery

A

A. In a manual recovery approach, the system does not fail into a secure state but requires an administrator to manually restore operations. In an automated recovery, the system can recover itself against one or more failure types. In an automated recovery without undue loss, the system can recover itself against one or more failure types and also preserve data against loss. In function recovery, the system can restore functional processes automatically.

7
Q

Which one of the following might a security team use on a honeypot system to consume an attacker’s time while alerting administrators?

a. Honeynet
b. Pseudoflaw
c. Warning banner
d. Darknet

A

B. A pseudoflaw is a false vulnerability in a system that may attract an attacker. A honeynet is a network of multiple honeypots that creates a more sophisticated environment for intruders to explore. A darknet is a segment of unused network address space that should have no network activity and, therefore, may be easily used to monitor for illicit activity. A warning banner is a legal tool used to notify intruders that they are not authorized to access a system.

8
Q

Toni responds to the desk of a user who reports slow system activity. Upon checking outbound network connections from that system, Toni notices a large amount of social media traffic originating from the system. The user does not use social media, and when Toni checks the accounts in question, they contain strange messages that appear encrypted. What is the most likely cause of this traffic?

a. Other users are relaying social media requests through Toni’s computer.
b. Toni’s computer is part of a botnet.
c. Toni is lying about her use of social media.
d. Someone else is using Toni’s computer when she is not present.

A

B. Social media is commonly used as a command-and-control system for botnet activity. The most likely scenario here is that Toni’s computer was infected with malware and joined to a botnet. This accounts for both the unusual social media traffic and the slow system activity.

9
Q

Under what virtualization model does the virtualization platform separate the network control plane from the data plane and replace complex network devices with simpler devices that simply receive instructions from the controller?

a. Virtual machines
b. VSAN
c. VLAN
d. SDN

A

D. Software-defined networking separates the control plane from the data plane. Network devices then do not contain complex logic themselves but receive instructions from the SDN.

10
Q

Jim would like to identify compromised systems on his network that may be participating in a botnet. He plans to do this by watching for connections made to known command-and-control servers. Which one of the following techniques would be most likely to provide this information if Jim has access to a list of known servers?

a. Netflow records
b. IDS logs
c. Authentication logs
d. RFC logs

A

A. Netflow records contain an entry for every network communication session that took place on a network and can be compared to a list of known malicious hosts. IDS logs may contain a relevant record but it is less likely because they would only create log entries if the traffic triggers the IDS, as opposed to netflow records which encompass all communications. Authentication logs and RFC logs would not have records of any network traffic.

11
Q

Questions 11–14 refer to the following scenario.

Gary was recently hired as the first chief information security officer (CISO) for a local government agency. The agency recently suffered a security breach and is attempting to build a new information security program. Gary would like to apply some best practices for security operations as he is designing this program.

As Gary decides what access permissions he should grant to each user, what principle should guide his decisions about default permissions?

a. Separation of duties
b. Least privilege
c. Aggregation
d. Separation of privileges

A

B. Gary should follow the least privilege principle and assign users only the permissions they need to perform their job responsibilities. Aggregation is a term used to describe the unintentional accumulation of privileges over time, also known as privilege creep. Separation of duties and separation of privileges are principles used to secure sensitive processes.

12
Q

Questions 11–14 refer to the following scenario.

Gary was recently hired as the first chief information security officer (CISO) for a local government agency. The agency recently suffered a security breach and is attempting to build a new information security program. Gary would like to apply some best practices for security operations as he is designing this program.

As Gary designs the program, he uses the matrix shown below. What principle of information security does this matrix most directly help enforce?

a. Segregation of duties
b. Aggregation
c. Two-person control
d. Defense in depth

A

A. The matrix shown in the figure is known as a segregation of duties matrix. It is used to ensure that one person does not obtain two privileges that would create a potential conflict. Aggregation is a term used to describe the unintentional accumulation of privileges over time, also known as privilege creep. Two-person control is used when two people must work together to perform a sensitive action. Defense in depth is a general security principle used to describe a philosophy of overlapping security controls.

13
Q

Questions 11–14 refer to the following scenario.

Gary was recently hired as the first chief information security officer (CISO) for a local government agency. The agency recently suffered a security breach and is attempting to build a new information security program. Gary would like to apply some best practices for security operations as he is designing this program.

Gary is preparing to create an account for a new user and assign privileges to the HR database. What two elements of information must Gary verify before granting this access?

a. Credentials and need to know
b. Clearance and need to know
c. Password and clearance
d. Password and biometric scan

A

B. Before granting access, Gary should verify that the user has a valid security clearance and a business need to know the information. Gary is performing an authorization task, so he does not need to verify the user’s credentials, such as a password or biometric scan.

14
Q

Questions 11–14 refer to the following scenario.

Gary was recently hired as the first chief information security officer (CISO) for a local government agency. The agency recently suffered a security breach and is attempting to build a new information security program. Gary would like to apply some best practices for security operations as he is designing this program.

Gary is preparing to develop controls around access to root encryption keys and would like to apply a principle of security designed specifically for very sensitive operations. Which principle should he apply?

a. Least privilege
b. Defense in depth
c. Security through obscurity
d. Two-person control

A

D. Gary should follow the principle of two-person control by requiring simultaneous action by two separate authorized individuals to gain access to the encryption keys. He should also apply the principles of least privilege and defense in depth, but these principles apply to all operations and are not specific to sensitive operations. Gary should avoid the security through obscurity principle, the reliance upon the secrecy of security mechanisms to provide security for a system or process.

15
Q

When should an organization conduct a review of the privileged access that a user has to sensitive systems?

a. On a periodic basis
b. When a user leaves the organization
c. When a user changes roles
d. All of the above

A

D. Privileged access reviews are one of the most critical components of an organization’s security program because they ensure that only authorized users have access to perform the most sensitive operations. They should take place whenever a user with privileged access leaves the organization or changes roles as well as on a regular, recurring basis.

16
Q

Which one of the following terms is often used to describe a collection of unrelated patches released in a large collection?

a. Hotfix
b. Update
c. Security fix
d. Service pack

A

D. Hotfixes, updates, and security fixes are all synonyms for single patches designed to correct a single problem. Service packs are collections of many different updates that serve as a major update to an operating system or application.

17
Q

Which one of the following tasks is performed by a forensic disk controller?

a. Masking error conditions reported by the storage device
b. Transmitting write commands to the storage device
c. Intercepting and modifying or discarding commands sent to the storage device
d. Preventing data from being returned by a read operation sent to the device

A

C. A forensic disk controller performs four functions. One of those, write blocking, intercepts write commands sent to the device and prevents them from modifying data on the device. The other three functions include returning data requested by a read operation, returning access-significant information from the device, and reporting errors from the device back to the forensic host.

18
Q

Lydia is processing access control requests for her organization. She comes across a request where the user does have the required security clearance, but there is no business justification for the access. Lydia denies this request. What security principle is she following?

a. Need to know
b. Least privilege
c. Separation of duties
d. Two-person control

A

A. Lydia is following the need to know principle. While the user may have the appropriate security clearance to access this information, there is no business justification provided, so she does not know that the user has an appropriate need to know the information.

19
Q

Which one of the following security tools consists of an unused network address space that may detect unauthorized activity?

a. Honeypot
b. Honeynet
c. Pseudoflaw
d. Darknet

A

D. A darknet is a segment of unused network address space that should have no network activity and, therefore, may be easily used to monitor for illicit activity. A honeypot is a decoy computer system used to bait intruders into attacking. A honeynet is a network of multiple honeypots that creates a more sophisticated environment for intruders to explore. A pseudoflaw is a false vulnerability in a system that may attract an attacker.

20
Q

Which one of the following mechanisms is not commonly seen as a deterrent to fraud?

a. Job rotation
b. Mandatory vacations
c. Incident response
d. Two-person control

A

C. Job rotation and mandatory vacations deter fraud by increasing the likelihood that it will be detected. Two-person control deters fraud by requiring collusion between two employees. Incident response does not normally serve as a deterrent mechanism.

21
Q

Brian recently joined an organization that runs the majority of its services on a virtualization platform located in its own data center but also leverages an IaaS provider for hosting its web services and a SaaS email system. What term best describes the type of cloud environment this organization uses?

a. Public cloud
b. Dedicated cloud
c. Private cloud
d. Hybrid cloud

A

D. The scenario describes a mix of public cloud and private cloud services. This is an example of a hybrid cloud environment.

22
Q

Tom is responding to a recent security incident and is seeking information on the approval process for a recent modification to a system’s security settings. Where would he most likely find this information?

a. Change log
b. System log
c. Security log
d. Application log

A

A. The change log contains information about approved changes and the change management process. While other logs may contain details about the change’s effect, the audit trail for change management would be found in the change log.

23
Q

Mark is considering replacing his organization’s customer relationship management (CRM) solution with a new product that is available in the cloud. This new solution is completely managed by the vendor and Mark’s company will not have to write any code or manage any physical resources. What type of cloud solution is Mark considering?

a. IaaS
b. CaaS
c. PaaS
d. SaaS

A

D. In a Software as a Service solution, the vendor manages both the physical infrastructure and the complete application stack, providing the customer with access to a fully managed application.

24
Q

Which one of the following information sources is useful to security administrators seeking a list of information security vulnerabilities in applications, devices, and operating systems?

a. OWASP
b. Bugtraq
c. Microsoft Security Bulletins
d. CVE

A

D. The Common Vulnerabilities and Exposures (CVE) dictionary contains standardized information on many different security issues. The Open Web Application Security Project (OWASP) contains general guidance on web application security issues but does not track specific vulnerabilities or go beyond web applications. The Bugtraq mailing list and Microsoft Security Bulletins are good sources of vulnerability information but are not comprehensive databases of known issues.

25
Q

Which of the following would normally be considered an example of a disaster when performing disaster recovery planning?

I. Hacking incident

II. Flood

III. Fire

IV. Terrorism

a. II and III only
b. I and IV only
c. II, III, and IV only
d. I, II, III, and IV

A

D. A disaster is any event that can disrupt normal IT operations and can be either natural or manmade. Hacking and terrorism are examples of manmade disasters, while flooding and fire are examples of natural disasters.

26
Q

Glenda would like to conduct a disaster recovery test and is seeking a test that will allow a review of the plan with no disruption to normal information system activities and as minimal a commitment of time as possible. What type of test should she choose?

a. Tabletop exercise
b. Parallel test
c. Full interruption test
d. Checklist review

A

D. The checklist review is the least disruptive type of disaster recovery test. During a checklist review, team members each review the contents of their disaster recovery checklists on their own and suggest any necessary changes. During a tabletop exercise, team members come together and walk through a scenario without making any changes to information systems. During a parallel test, the team actually activates the disaster recovery site for testing, but the primary site remains operational. During a full interruption test, the team takes down the primary site and confirms that the disaster recovery site is capable of handling regular operations. The full interruption test is the most thorough test but also the most disruptive.

27
Q

Which one of the following is not an example of a backup tape rotation scheme?

a. Grandfather/Father/Son
b. Meet in the middle
c. Tower of Hanoi
d. Six Cartridge Weekly

A

B. The Grandfather/Father/Son, Tower of Hanoi, and Six Cartridge Weekly schemes are all different approaches to rotating backup media that balance reuse of media with data retention concerns. Meet-in-the-middle is a cryptographic attack against 2DES encryption.

28
Q

Helen is implementing a new security mechanism for granting employees administrative privileges in the accounting system. She designs the process so that both the employee’s manager and the accounting manager must approve the request before the access is granted. What information security principle is Helen enforcing?

a. Least privilege
b. Two-person control
c. Job rotation
d. Separation of duties

A

B. In this scenario, Helen designed a process that requires the concurrence of two people to perform a sensitive action. This is an example of two-person control.

29
Q

Which one of the following is not a requirement for evidence to be admissible in court?

a. The evidence must be relevant.
b. The evidence must be material.
c. The evidence must be tangible.
d. The evidence must be competent.

A

C. Evidence provided in court must be relevant to determining a fact in question, material to the case at hand, and competently obtained. Evidence does not need to be tangible. Witness testimony is an example of intangible evidence that may be offered in court.

30
Q

In which cloud computing model does a customer share computing infrastructure with other customers of the cloud vendor where one customer may not know the other’s identity?

a. Public cloud
b. Private cloud
c. Community cloud
d. Shared cloud

A

A. In the public cloud computing model, the vendor builds a single platform that is shared among many different customers. This is also known as the shared tenancy model.

31
Q

Which of the following organizations would be likely to have a representative on a CSIRT?

I. Information security

II. Legal counsel

III. Senior management

IV. Engineering

a. I, III, and IV
b. I, II, and III
c. I, II, and IV
d. All of the above

A

D. CSIRT representation normally includes at least representatives of senior management, information security professionals, legal representatives, public affairs staff, and engineering/technical staff.

32
Q

Sam is responsible for backing up his company’s primary file server. He configured a backup schedule that performs full backups every Monday evening at 9 p.m. and differential backups on other days of the week at that same time. Files change according to the information shown in the figure below. How many files will be copied in Wednesday’s backup?

a. 2
b. 3
c. 5
d. 6

A

C. In this scenario, all of the files on the server will be backed up on Monday evening during the full backup. The differential backup on Wednesday will then copy all files modified since the last full backup. These include files 1, 2, 3, 5, and 6: a total of five files.

33
Q

Which one of the following security tools is not capable of generating an active response to a security event?

a. IPS
b. Firewall
c. IDS
d. Antivirus software

A

C. Intrusion detection systems (IDSs) provide only passive responses, such as alerting administrators to a suspected attack. Intrusion prevention systems and firewalls, on the other hand, may take action to block an attack attempt. Antivirus software also may engage in active response by quarantining suspect files.

34
Q

In virtualization platforms, what name is given to the module that is responsible for controlling access to physical resources by virtual resources?

a. Guest machine
b. SDN
c. Kernel
d. Hypervisor

A

D. The hypervisor runs within the virtualization platform and serves as the moderator between virtual resources and physical resources.

35
Q

What term is used to describe the default set of privileges assigned to a user when a new account is created?

a. Aggregation
b. Transitivity
c. Baseline
d. Entitlement

A

D. Entitlement refers to the privileges granted to users when an account is first provisioned.

36
Q

Which one of the following types of agreements is the most formal document that contains expectations about availability and other performance parameters between a service provider and a customer?

a. Service-level agreement (SLA)
b. Operations level agreement (OLA)
c. Memorandum of understanding (MOU)
d. Statement of work (SOW)

A

A. The service-level agreement (SLA) is between a service provider and a customer and documents in a formal manner expectations around availability, performance, and other parameters. An MOU may cover the same items but is not as formal a document. An OLA is between internal service organizations and does not involve customers. An SOW is an addendum to a contract describing work to be performed.

37
Q

Which one of the following frameworks focuses on IT service management and includes topics such as change management, configuration management, and service-level agreements?

a. ITIL
b. PMBOK
c. PCI DSS
d. TOGAF

A

A. The IT Infrastructure Library (ITIL) framework focuses on IT service management. The Project Management Body of Knowledge (PMBOK) provides a common core of project management expertise. The Payment Card Industry Data Security Standard (PCI DSS) contains regulations for credit card security. The Open Group Architecture Framework (TOGAF) focuses on IT architecture issues.

38
Q

Richard is experiencing issues with the quality of network service on his organization’s network. The primary symptom is that packets are consistently taking too long to travel from their source to their destination. What term describes the issue Richard is facing?

a. Jitter
b. Packet loss
c. Interference
d. Latency

A

D. Latency is a delay in the delivery of packets from their source to their destination. Jitter is a variation in the latency for different packets. Packet loss is the disappearance of packets in transit that requires retransmission. Interference is electrical noise or other disruptions that corrupt the contents of packets.

39
Q

Joe is an investigator with a law enforcement agency. He received a tip that a suspect is communicating sensitive information with a third party via a message board. After obtaining a warrant for the message, he obtained the contents and found that the message only contains the image shown in the figure below. If this is the sole content of the communication, what technique could the suspect have used to embed sensitive information in the message?

a. Steganography
b. Watermarking
c. Clipping
d. Sampling

A

A. Steganography is a technique used to hide information in an otherwise innocuous-seeming file. The suspect may have used this technique to embed hidden information in the image file. Watermarking also manipulates images but does so in an attempt to protect intellectual property. Clipping and sampling are techniques used to reduce a large set of data to a small quantity that may be used for analysis.

40
Q

Which one of the following is an example of a manmade disaster?

a. Hurricane
b. Flood
c. Mudslide
d. Transformer failure

A

D. A transformer failure is a failure of a manmade electrical component. Flooding, mudslides, and hurricanes are all examples of natural disasters.

41
Q

Which of the following is not true about the (ISC)2 code of ethics?

a. Adherence to the code is a condition of certification.
b. Failure to comply with the code may result in revocation of certification.
c. The code applies to all members of the information security profession.
d. Members who observe a breach of the code are required to report the possible violation.

A

C. The (ISC)2 code of ethics applies only to information security professionals who are members of (ISC)2. Adherence to the code is a condition of certification, and individuals found in violation of the code may have their certifications revoked. (ISC)2 members who observe a breach of the code are required to report the possible violation by following the ethics complaint procedures.

42
Q

Javier is verifying that only IT system administrators have the ability to log on to servers used for administrative purposes. What principle of information security is he enforcing?

a. Need to know
b. Least privilege
c. Two-person control
d. Transitive trust

A

B. The principle of least privilege says that an individual should only have the privileges necessary to complete their job functions. Removing administrative privileges from nonadministrative users is an example of least privilege.

43
Q

Which one of the following is not a basic preventative measure that you can take to protect your systems and applications against attack?

a. Implement intrusion detection and prevention systems.
b. Maintain current patch levels on all operating systems and applications.
c. Remove unnecessary accounts and services.
d. Conduct forensic imaging of all systems.

A

D. There is no need to conduct forensic imaging as a preventative measure. Rather, forensic imaging should be used during the incident response process. Maintaining patch levels, implementing intrusion detection/prevention, and removing unnecessary services and accounts are all basic preventative measures.

44
Q

Tim is a forensic analyst who is attempting to retrieve information from a hard drive. It appears that the user attempted to erase the data, and Tim is trying to reconstruct it. What type of forensic analysis is Tim performing?

a. Software analysis
b. Media analysis
c. Embedded device analysis
d. Network analysis

A

B. The scrutiny of hard drives for forensic purposes is an example of media analysis. Embedded device analysis looks at the computers included in other large systems, such as automobiles or security systems. Software analysis analyzes applications and their logs. Network analysis looks at network traffic and logs.

45
Q

Which one of the following is an example of a computer security incident?

a. Completion of a backup schedule
b. System access recorded in a log
c. Unauthorized vulnerability scan of a file server
d. Update of antivirus signatures

A

C. Security incidents negatively affect the confidentiality, integrity, or availability of information or assets and/or violate a security policy. The unauthorized vulnerability scan of a server does violate security policy and may negatively affect the security of that system, so it qualifies as a security incident. The completion of a backup schedule, logging of system access, and update of antivirus signatures are all routine actions that do not violate policy or jeopardize security, so they are all events rather than incidents.

46
Q

Which one of the following technologies would provide the most automation of an inventory control process in a cost-effective manner?

a. IPS
b. Wi-Fi
c. RFID
d. Ethernet

A

C. Radio Frequency Identification (RFID) technology is a cost-effective way to track items around a facility. While Wi-Fi could be used for the same purpose, it would be much more expensive to implement.

47
Q

Connor’s company recently experienced a denial of service attack that Connor believes came from an inside source. If true, what type of event has the company experienced?

a. Espionage
b. Confidentiality breach
c. Sabotage
d. Integrity breach

A

C. An attack committed against an organization by an insider, such as an employee, is known as sabotage. Espionage and confidentiality breaches involve the theft of sensitive information, which is not alleged to have occurred in this case. Integrity breaches involve the unauthorized modification of information, which is not described in this scenario.

48
Q

What type of attack is shown in the figure below?

a. SYN flood
b. Ping flood
c. Smurf
d. Fraggle

A

A. In a SYN flood attack, the attacker sends a large number of SYN packets to a system but does not respond to the SYN/ACK packets, attempting to overwhelm the attacked system’s connection state table with half-open connections.

49
Q

Florian is building a disaster recovery plan for his organization and would like to determine the amount of time that a particular IT service may be down without causing serious damage to business operations. What variable is Florian calculating?

a. RTO
b. MTD
c. RPO
d. SLA

A

B. The maximum tolerable downtime (MTD) is the longest amount of time that an IT service or component may be unavailable without causing serious damage to the organization. The recovery time objective (RTO) is the amount of time expected to return an IT service or component to operation after a failure. The recovery point objective (RPO) identifies the maximum amount of data, measured in time, that may be lost during a recovery effort. Service-level agreements (SLAs) are written contracts that document service expectations.

50
Q

Which one of the following statements best describes a zero-day vulnerability?

a. An attacker that is new to the world of hacking
b. A database attack that places the date 00/00/0000 in data tables in an attempt to exploit flaws in business logic
c. An attack previously unknown to the security community
d. An attack that sets the operating system date and time to 00/00/0000 and 00:00:00

A

C. Zero-day attacks are those that are previously unknown to the security community and, therefore, have no available patch. These are especially dangerous attacks because they may be highly effective until a solution becomes available.

51
Q

Which one of the following is not a canon of the (ISC)2 code of ethics?

a. Protect society, the common good, necessary public trust and confidence, and the infrastructure.
b. Promptly report security vulnerabilities to relevant authorities.
c. Act honorably, honestly, justly, responsibly, and legally.
d. Provide diligent and competent service to principals.

A

B. The four canons of the (ISC)2 code of ethics are to protect society, the common good, necessary public trust and confidence and the infrastructure; act honorably, honestly, justly, responsibly and legally; provide diligent and competent service to principals; and advance and protect the profession.

52
Q

During an incident investigation, investigators meet with a system administrator who may have information about the incident but is not a suspect. What type of conversation is taking place during this meeting?

a. Interview
b. Interrogation
c. Both an interview and an interrogation
d. Neither an interview nor an interrogation

A

A. Interviews occur when investigators meet with an individual who may have information relevant to their investigation but is not a suspect. If the individual is a suspect, then the meeting is an interrogation.

53
Q

Beth is selecting a disaster recovery facility for her organization. She would like to choose a facility that has appropriate environmental controls and power for her operations but wants to minimize costs. She is willing to accept a lengthy recovery time. What type of facility should she choose?

a. Hot site
b. Cold site
c. Warm site
d. Service bureau

A

B. Beth should choose a cold site. This type of facility meets her requirements for environmental controls and power but does not have the equipment or data found in a warm site, hot site, or service bureau. However, it does have the lowest cost of the four options.

54
Q

What technique has been used to protect the intellectual property in the image shown below?

a. Steganography
b. Clipping
c. Sampling
d. Watermarking

A

D. The image clearly contains the watermark of the US Geological Survey (USGS), which ensures that anyone seeing the image knows its origin. It is not possible to tell from looking at the image whether steganography was used. Sampling and clipping are data analysis techniques and are not used to protect images.

55
Q

You are working to evaluate the risk of flood to an area and consult the flood maps from the Federal Emergency Management Agency (FEMA). According to those maps, the area lies within a 200-year flood plain. What is the annualized rate of occurrence (ARO) of a flood in that region?

a. 200
b. 0.01
c. 0.02
d. 0.005

A

D. The annualized rate of occurrence (ARO) is the expected number of times an incident will occur each year. In the case of a 200-year flood plain, planners should expect a flood once every 200 years. This is equivalent to a 1/200 chance of a flood in any given year, or 0.005 floods per year.

56
Q

Which one of the following individuals poses the greatest risk to security in most well-defended organizations?

a. Political activist
b. Malicious insider
c. Script kiddie
d. Thrill attacker

A

B. While all hackers with malicious intent pose a risk to the organization, the malicious insider poses the greatest risk to security because they likely have legitimate access to sensitive systems that may be used as a launching point for an attack. Other attackers do not begin with this advantage.

57
Q

Veronica is considering the implementation of a database recovery mechanism recommended by a consultant. In the recommended approach, an automated process will move database backups from the primary facility to an offsite location each night. What type of database recovery technique is the consultant describing?

a. Remote journaling
b. Remote mirroring
c. Electronic vaulting
d. Transaction logging

A

C. In an electronic vaulting approach, automated technology moves database backups from the primary database server to a remote site on a scheduled basis, typically daily. Transaction logging is not a recovery technique alone; it is a process for generating the logs used in remote journaling. Remote journaling transfers transaction logs to a remote site on a more frequent basis than electronic vaulting, typically hourly. Remote mirroring maintains a live database server at the backup site and mirrors all transactions at the primary site on the server at the backup site.

58
Q

When designing an access control scheme, Hilda set up roles so that the same person does not have the ability to provision a new user account and assign superuser privileges to an account. What information security principle is Hilda following?

a. Least privilege
b. Separation of duties
c. Job rotation
d. Security through obscurity

A

B. Hilda’s design follows the principle of separation of duties. Giving one user the ability to both create new accounts and grant administrative privileges combines two actions that together produce a significant security change, so the two actions should be divided between two users.

59
Q

Reggie recently received a letter from his company’s internal auditors scheduling the kickoff meeting for an assessment of his group. Which of the following should Reggie not expect to learn during that meeting?

a. Scope of the audit
b. Purpose of the audit
c. Expected timeframe
d. Expected findings

A

D. An audit kickoff meeting should clearly describe the scope and purpose of the audit as well as the expected timeframe. Auditors should never approach an audit with any expectations about what they will discover because the findings should only be developed based upon the results of audit examinations.

60
Q

Which one of the following events marks the completion of a disaster recovery process?

a. Securing property and life safety
b. Restoring operations in an alternate facility
c. Restoring operations in the primary facility
d. Standing down first responders

A

C. The end goal of the disaster recovery process is restoring normal business operations in the primary facility. All of the other actions listed may take place during the disaster recovery process but the process is not complete until the organization is once again functioning normally in its primary facilities.

61
Q

Melanie suspects that someone is using malicious software to steal computing cycles from her company. Which one of the following security tools would be in the best position to detect this type of incident?

a. NIDS
b. Firewall
c. HIDS
d. DLP

A

C. A host-based intrusion detection system (HIDS) may be able to detect unauthorized processes running on a system. The other controls mentioned, network intrusion detection systems (NIDSs), firewalls, and DLP systems, are network-based and may not notice rogue processes.

62
Q

Brandon observes that an authorized user of a system on his network recently misused his account to exploit a system vulnerability against a shared server that allowed him to gain root access to that server. What type of attack took place?

a. Denial of service
b. Privilege escalation
c. Reconnaissance
d. Brute force

A

B. The scenario describes a privilege escalation attack where a malicious insider with authorized access to a system misused that access to gain privileged credentials.

63
Q

Carla has worked for her company for 15 years and has held a variety of different positions. Each time she changed positions, she gained new privileges associated with that position, but no privileges were ever taken away. What concept describes the sets of privileges she has accumulated?

a. Entitlement
b. Aggregation
c. Transitivity
d. Isolation

A

B. Carla’s account has experienced aggregation, where privileges accumulated over time. This condition is also known as privilege creep and likely constitutes a violation of the least privilege principle.

64
Q

During what phase of the incident response process do administrators take action to limit the effect or scope of an incident?

a. Detection
b. Response
c. Mitigation
d. Recovery

A

C. The Mitigation phase of incident response focuses on actions that can contain the damage incurred during an incident. This includes limiting the scope and/or effectiveness of the incident.

65
Q

Questions 65–68 refer to the following scenario.

Ann is a security professional for a mid-sized business and typically handles log analysis and security monitoring tasks for her organization. One of her roles is to monitor alerts originating from the organization’s intrusion detection system. The system typically generates several dozen alerts each day, and many of those alerts turn out to be false alarms after her investigation.

This morning, the intrusion detection system alerted because the network began to receive an unusually high volume of inbound traffic. Ann received this alert and began looking into the origin of the traffic.

At this point in the incident response process, what term best describes what has occurred in Ann’s organization?

a. Security occurrence
b. Security incident
c. Security event
d. Security intrusion

A

C. At this point in the process, Ann has no reason to believe that any actual security compromise or policy violation took place, so this situation does not meet the criteria for a security incident or intrusion. Rather, the alert generated by the intrusion detection system is simply a security event requiring further investigation. Security occurrence is not a term commonly used in incident handling.

66
Q

Questions 65–68 refer to the following scenario.

Ann is a security professional for a mid-sized business and typically handles log analysis and security monitoring tasks for her organization. One of her roles is to monitor alerts originating from the organization’s intrusion detection system. The system typically generates several dozen alerts each day, and many of those alerts turn out to be false alarms after her investigation.

This morning, the intrusion detection system alerted because the network began to receive an unusually high volume of inbound traffic. Ann received this alert and began looking into the origin of the traffic.

Ann continues her investigation and realizes that the traffic generating the alert is abnormally high volumes of inbound UDP traffic on port 53. What service typically uses this port?

a. DNS
b. SSH/SCP
c. SSL/TLS
d. HTTP

A

A. DNS traffic commonly uses port 53 for both TCP and UDP communications. SSH and SCP use TCP port 22. SSL and TLS do not have ports assigned to them but are commonly used for HTTPS traffic on port 443. Unencrypted web traffic over HTTP often uses port 80.

67
Q

Questions 65–68 refer to the following scenario.

Ann is a security professional for a mid-sized business and typically handles log analysis and security monitoring tasks for her organization. One of her roles is to monitor alerts originating from the organization’s intrusion detection system. The system typically generates several dozen alerts each day, and many of those alerts turn out to be false alarms after her investigation.

This morning, the intrusion detection system alerted because the network began to receive an unusually high volume of inbound traffic. Ann received this alert and began looking into the origin of the traffic.

As Ann analyzes the traffic further, she realizes that the traffic is coming from many different sources and has overwhelmed the network, preventing legitimate uses. The inbound packets are responses to queries that she does not see in outbound traffic. The responses are abnormally large for their type. What type of attack should Ann suspect?

a. Reconnaissance
b. Malicious code
c. System penetration
d. Denial of service

A

D. The attack described in this scenario has all of the hallmarks of a denial of service attack. More specifically, Ann’s organization is likely experiencing a DNS amplification attack where an attacker sends false requests to third-party DNS servers with a forged source IP address belonging to the targeted system. Because the attack uses UDP requests, there is no three-way handshake. The attack packets are carefully crafted to elicit a lengthy response from a short query. The purpose of these queries is to generate responses headed to the target system that are sufficiently large and numerous enough to overwhelm the targeted network or system.

68
Q

Questions 65–68 refer to the following scenario.

Ann is a security professional for a mid-sized business and typically handles log analysis and security monitoring tasks for her organization. One of her roles is to monitor alerts originating from the organization’s intrusion detection system. The system typically generates several dozen alerts each day, and many of those alerts turn out to be false alarms after her investigation.

This morning, the intrusion detection system alerted because the network began to receive an unusually high volume of inbound traffic. Ann received this alert and began looking into the origin of the traffic.

At this point in the incident response process, what term best describes what has occurred in Ann’s organization?

a. Security occurrence
b. Security incident
c. Security event
d. Security intrusion

A

B. Now that Ann suspects an attack against her organization, she has sufficient evidence to declare a security incident. The attack underway seems to have undermined the availability of her network, meeting one of the criteria for a security incident. This is an escalation beyond a security event but does not reach the level of an intrusion because there is no evidence that the attacker has even attempted to gain access to systems on Ann’s network. Security occurrence is not a term commonly used in incident handling.

69
Q

Frank is seeking to introduce a hacker’s laptop in court as evidence against the hacker. The laptop does contain logs that indicate the hacker committed the crime, but the court ruled that the search of the apartment that resulted in police finding the laptop was unconstitutional. What admissibility criterion prevents Frank from introducing the laptop as evidence?

a. Materiality
b. Relevance
c. Hearsay
d. Competence

A

D. To be admissible, evidence must be relevant, material, and competent. The laptop in this case is clearly material because it contains logs related to the crime in question. It is also relevant because it provides evidence that ties the hacker to the crime. It is not competent because the evidence was not legally obtained.

70
Q

Gordon suspects that a hacker has penetrated a system belonging to his company. The system does not contain any regulated information and Gordon wishes to conduct an investigation on behalf of his company. He has permission from his supervisor to conduct the investigation. Which of the following statements is true?

a. Gordon is legally required to contact law enforcement before beginning the investigation.
b. Gordon may not conduct his own investigation.
c. Gordon’s investigation may include examining the contents of hard disks, network traffic, and any other systems or information belonging to the company.
d. Gordon may ethically perform “hack back” activities after identifying the perpetrator.

A

C. Gordon may conduct his investigation as he wishes and use any information that is legally available to him, including information and systems belonging to his employer. There is no obligation to contact law enforcement. However, Gordon may not perform “hack back” activities because those may constitute violations of the law and/or (ISC)2 Code of Ethics.

71
Q

Which one of the following tools provides an organization with the greatest level of protection against a software vendor going out of business?

a. Service-level agreement
b. Escrow agreement
c. Mutual assistance agreement
d. PCI DSS compliance agreement

A

B. Software escrow agreements place a copy of the source code for a software package in the hands of an independent third party who will turn the code over to the customer if the vendor ceases business operations. Service-level agreements, mutual assistance agreements, and compliance agreements all lose some or all of their effectiveness if the vendor goes out of business.

72
Q

Fran is considering new human resources policies for her bank that will deter fraud. She plans to implement a mandatory vacation policy. What is typically considered the shortest effective length of a mandatory vacation?

a. Two days
b. Four days
c. One week
d. One month

A

C. Most security professionals recommend at least one, and preferably two, weeks of vacation to deter fraud. The idea is that fraudulent schemes will be uncovered during the time that the employee is away and does not have the access required to perpetuate a cover-up.

73
Q

Which of the following events would constitute a security incident?

1. An attempted network intrusion
2. A successful database intrusion
3. A malware infection
4. A violation of a confidentiality policy
5. An unsuccessful attempt to remove information from a secured area

a. 2, 3, and 4
b. 1, 2, and 3
c. 4 and 5
d. All of the above

A

D. Any attempt to undermine the security of an organization or violation of a security policy is a security incident. Each of the events described meets this definition and should be treated as an incident.

74
Q

Which one of the following traffic types should not be blocked by an organization’s egress filtering policy?

a. Traffic destined to a private IP address
b. Traffic with a broadcast destination
c. Traffic with a source address from an external network
d. Traffic with a destination address on an external network

A

D. Egress filtering scans outbound traffic for potential security policy violations. This includes traffic with a private IP address as the destination, traffic with a broadcast address as the destination, and traffic that has a falsified source address not belonging to the organization.

75
Q

Allie is responsible for reviewing authentication logs on her organization’s network. She does not have the time to review all logs, so she decides to choose only records where there have been four or more invalid authentication attempts. What technique is Allie using to reduce the size of the pool?

a. Sampling
b. Random selection
c. Clipping
d. Statistical analysis

A

C. The two main methods of choosing records from a large pool for further analysis are sampling and clipping. Sampling uses statistical techniques to choose a sample that is representative of the entire pool, while clipping uses threshold values to select those records that exceed a predefined threshold because they may be of most interest to analysts.

76
Q

You are performing an investigation into a potential bot infection on your network and wish to perform a forensic analysis of the information that passed between different systems on your network and those on the Internet. You believe that the information was likely encrypted. You are beginning your investigation after the activity concluded. What would be the best and easiest way to obtain the source of this information?

a. Packet captures
b. Netflow data
c. Intrusion detection system logs
d. Centralized authentication records

A

B. Netflow data contains information on the source, destination, and size of all network communications and is routinely saved as a matter of normal activity. Packet capture data would provide relevant information, but it must be captured during the suspicious activity and cannot be re-created after the fact unless the organization is already conducting 100 percent packet capture, which is very rare. Additionally, the use of encryption limits the effectiveness of packet capture. Intrusion detection system logs would not likely contain relevant information because the encrypted traffic would probably not match intrusion signatures. Centralized authentication records would not contain information about network traffic.

77
Q

Which one of the following tools helps system administrators by providing a standard, secure template of configuration settings for operating systems and applications?

a. Security guidelines
b. Security policy
c. Baseline configuration
d. Running configuration

A

C. Baseline configurations serve as the starting point for configuring secure systems and applications. They contain the security settings necessary to comply with an organization’s security policy and may then be customized to meet the specific needs of an implementation. While security policies and guidelines may contain information needed to secure a system, they do not contain a set of configuration settings that may be applied to a system. The running configuration of a system is the set of currently applied settings, which may or may not be secure.

78
Q

What type of disaster recovery test activates the alternate processing facility and uses it to conduct transactions but leaves the primary site up and running?

a. Full interruption test
b. Parallel test
c. Checklist review
d. Tabletop exercise

A

B. During a parallel test, the team actually activates the disaster recovery site for testing but the primary site remains operational. During a full interruption test, the team takes down the primary site and confirms that the disaster recovery site is capable of handling regular operations. The full interruption test is the most thorough test but also the most disruptive. The checklist review is the least disruptive type of disaster recovery test. During a checklist review, team members each review the contents of their disaster recovery checklists on their own and suggest any necessary changes. During a tabletop exercise, team members come together and walk through a scenario without making any changes to information systems.

79
Q

During which phase of the incident response process would an analyst receive an intrusion detection system alert and verify its accuracy?

a. Response
b. Mitigation
c. Detection
d. Reporting

A

C. Both the receipt of alerts and the verification of their accuracy occur during the Detection phase of the incident response process.

80
Q

In what virtualization model do full guest operating systems run on top of a virtualization platform?

a. Virtual machines
b. Software-defined networking
c. Virtual SAN
d. Application virtualization

A

A. Virtual machines run full guest operating systems on top of a host platform known as the hypervisor.

81
Q

What level of RAID is also known as disk mirroring?

a. RAID-0
b. RAID-1
c. RAID-5
d. RAID-10

A

B. RAID level 1 is also known as disk mirroring. RAID-0 is called disk striping. RAID-5 is called disk striping with parity. RAID-10 is known as a stripe of mirrors.

82
Q

Bruce is seeing quite a bit of suspicious activity on his network. It appears that an outside entity is attempting to connect to all of his systems using a TCP connection on port 22. What type of scanning is the outsider likely engaging in?

a. FTP scanning
b. Telnet scanning
c. SSH scanning
d. HTTP scanning

A

C. SSH uses TCP port 22, so this attack is likely an attempt to scan for open or weakly secured SSH servers. FTP uses ports 20 and 21. Telnet uses port 23, and HTTP uses port 80.

83
Q

The historic ping of death attack is most similar to which of the following modern attack types?

a. SQL injection
b. Cross-site scripting
c. Buffer overflow
d. Brute force password cracking

A

C. The ping of death attack placed more data than allowed by the specification in the payload of an ICMP echo request packet. This is similar to the modern-day buffer overflow attack, where attackers attempt to place more data in a targeted system’s memory than has been allocated for that data.

84
Q

Roger recently accepted a new position as a security professional at a company that runs its entire IT infrastructure within an IaaS environment. Which one of the following would most likely be the responsibility of Roger’s firm?

a. Configuring the network firewall
b. Applying hypervisor updates
c. Patching operating systems
d. Wiping drives prior to disposal

A

C. In an Infrastructure as a Service environment, the vendor is responsible for hardware- and network-related responsibilities. These include configuring network firewalls, maintaining the hypervisor, and managing physical equipment. The customer retains responsibility for patching operating systems on its virtual machine instances.

85
Q

What technique can application developers use to test applications in an isolated virtualized environment before allowing them on a production network?

a. Penetration testing
b. Sandboxing
c. White box testing
d. Black box testing

A

B. Sandboxing is a technique where application developers (or the recipients of an untrusted application) may test the code in a virtualized environment that is isolated from production systems. White box testing, black box testing, and penetration testing are all common software testing techniques but do not require the use of an isolated system.

86
Q

Gina is the firewall administrator for a small business and recently installed a new firewall. After seeing signs of unusually heavy network traffic, she checked the intrusion detection system, which reported that a fraggle attack was underway. What firewall configuration change can Gina make to most effectively prevent this attack?

a. Block ICMP echo reply packets from entering the network.
b. Block UDP port 7 and 9 traffic from entering the network.
c. Block the source address of the attack.
d. Block the destination address of the attack.

A

B. Fraggle attacks use a distributed attack approach to send UDP traffic at a targeted system from many different source addresses on ports 7 and 9. The most effective way to block this attack would be to block inbound UDP traffic on those ports. Blocking the source addresses is not feasible because the attacker would likely simply change the source addresses. Blocking destination addresses would likely disrupt normal activity. The fraggle attack does not use ICMP, so blocking that traffic would have no effect.

87
Q

What type of trust relationship extends beyond the two domains participating in the trust to one or more of their subdomains?

a. Transitive trust
b. Inheritable trust
c. Nontransitive trust
d. Noninheritable trust

A

A. Transitive trusts go beyond the two domains directly involved in the trust relationship and extend to their subdomains.

88
Q

Renee is a software developer who writes code in Node.js for her organization. The company is considering moving from a self-hosted Node.js environment to one where Renee will run her code on application servers managed by a cloud vendor. What type of cloud solution is Renee’s company considering?

a. IaaS
b. CaaS
c. PaaS
d. SaaS

A

C. In a Platform as a Service solution, the customer supplies application code that the vendor then executes on its own infrastructure.

89
Q

Timber Industries recently got into a dispute with a customer. During a meeting with his account representative, the customer stood up and declared, “There is no other solution. We will have to take this matter to court.” He then left the room. When does Timber Industries have an obligation to begin preserving evidence?

a. Immediately
b. Upon receipt of a notice of litigation from opposing attorneys
c. Upon receipt of a subpoena
d. Upon receipt of a court order

A

A. Companies have an obligation to preserve evidence whenever they believe that the threat of litigation is imminent. The statement made by this customer that “we will have to take this matter to court” is a clear threat of litigation and should trigger the preservation of any related documents and records.

90
Q

What legal protection prevents law enforcement agencies from searching a facility or electronic system without either probable cause or consent?

a. First Amendment
b. Fourth Amendment
c. Fifth Amendment
d. Fifteenth Amendment

A

B. The Fourth Amendment states, in part, that “the right of the people to be secure in their persons, houses, papers and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.” The First Amendment contains protections related to freedom of speech. The Fifth Amendment ensures that no person will be required to serve as a witness against themselves. The Fifteenth Amendment protects the voting rights of citizens.

91
Q

Darcy is a computer security specialist who is assisting with the prosecution of a hacker. The prosecutor requests that Darcy give testimony in court about whether, in her opinion, the logs and other records in a case are indicative of a hacking attempt. What type of evidence is Darcy being asked to provide?

a. Expert opinion
b. Direct evidence
c. Real evidence
d. Documentary evidence

A

A. Expert opinion evidence allows individuals to offer their opinion based upon the facts in evidence and their personal knowledge. Expert opinion evidence may be offered only if the court accepts the witness as an expert in a particular field. Direct evidence is when witnesses testify about their direct observations. Real evidence consists of tangible items brought into court as evidence. Documentary evidence consists of written records used as evidence in court.

92
Q

Which one of the following techniques is not commonly used to remove unwanted remnant data from magnetic tapes?

a. Physical destruction
b. Degaussing
c. Overwriting
d. Reformatting

A

D. The standard methods for clearing magnetic tapes, according to the NIST Guidelines for Media Sanitization, are overwriting the tape with nonsensitive data, degaussing, and physical destruction via shredding or incineration. Reformatting a tape does not remove remnant data.

93
Q

What is the minimum number of disks required to implement RAID level 1?

a. One
b. Two
c. Three
d. Five

A

B. RAID level 1, also known as disk mirroring, uses two disks that contain identical information. If one disk fails, the other contains the data needed for the system to continue operation.

94
Q

Jerome is conducting a forensic investigation and is reviewing database server logs to investigate query contents for evidence of SQL injection attacks. What type of analysis is he performing?

a. Hardware analysis
b. Software analysis
c. Network analysis
d. Media analysis

A

B. The analysis of application logs is one of the core tasks of software analysis because SQL injection attacks are application attacks.

95
Q

Quantum Computing regularly ships tapes of backup data across the country to a secondary facility. These tapes contain confidential information. What is the most important security control that Quantum can use to protect these tapes?

a. Locked shipping containers
b. Private couriers
c. Data encryption
d. Media rotation

A

C. Quantum may choose to use any or all of these security controls, but data encryption is, by far, the most important control. It protects the confidentiality of data stored on the tapes, which are most vulnerable to theft while in transit between two secure locations.

96
Q

Carolyn is concerned that users on her network may be storing sensitive information, such as Social Security numbers, on their hard drives without proper authorization or security controls. What technology can she use to best detect this activity?

a. IDS
b. IDP
c. DLP
d. TLS

A

C. Data loss prevention (DLP) systems may identify sensitive information stored on endpoint systems or in transit over a network. This is their primary purpose. Intrusion detection and prevention systems (IDS/IDP) may be used to identify some sensitive information using signatures built for that purpose, but this is not the primary role of those tools and they would not be as effective as DLP systems at this task. TLS is a network encryption protocol that may be used to protect sensitive information, but it does not have any ability to identify sensitive information.

97
Q

Under what type of software license does the recipient of software have an unlimited right to copy, modify, distribute, or resell a software package?

a. GNU Public License
b. Freeware
c. Open source
d. Public domain

A

D. If software is released into the public domain, anyone may use it for any purpose, without restriction. All other license types contain at least some level of restriction.

98
Q

In what type of attack do attackers manage to insert themselves into a connection between a user and a legitimate website?

a. Man-in-the-middle
b. Fraggle
c. Wardriving
d. Meet-in-the-middle

A

A. In a man-in-the-middle attack, attackers manage to insert themselves into a connection between a user and a legitimate website, relaying traffic between the two parties while eavesdropping on the connection. Although similarly named, the meet-in-the-middle attack is a cryptographic attack that does not necessarily involve connection tampering. Fraggle is a network-based denial of service attack using UDP packets. Wardriving is a reconnaissance technique for discovering open or weakly secured wireless networks.

99
Q

Which one of the following techniques uses statistical methods to select a small number of records from a large pool for further analysis with the goal of choosing a set of records that is representative of the entire pool?

a. Clipping
b. Randomization
c. Sampling
d. Selection

A

C. The two main methods of choosing records from a large pool for further analysis are sampling and clipping. Sampling uses statistical techniques to choose a sample that is representative of the entire pool, while clipping uses threshold values to select those records that exceed a predefined threshold because they may be of most interest to analysts.

100
Q

Which one of the following controls protects an organization in the event of a sustained period of power loss?

a. Redundant servers
b. Uninterruptible power supply (UPS)
c. Generator
d. RAID

A

C. Generators are capable of providing backup power for a sustained period of time in the event of a power loss, but they take time to activate. Uninterruptible power supplies (UPS) provide immediate, battery-driven power for a short period of time to cover momentary losses of power, which would not cover a sustained period of power loss. RAID and redundant servers are high availability controls but do not cover power loss scenarios.