Domain 7 Flashcards
Referring to the figure below, what technology is shown that provides fault tolerance for the database servers?
a. Failover cluster
b. UPS
c. Tape backup
d. Cold site

A. The illustration shows an example of a failover cluster, where DB1 and DB2 are both configured as database servers. At any given time, only one will function as the active database server, while the other remains ready to assume responsibility if the first one fails. While the environment may use UPS, tape backup, and cold sites as disaster recovery and business continuity controls, they are not shown in the diagram.
Joe is the security administrator for an ERP system. He is preparing to create accounts for several new employees. What default access should he give to all of the new employees as he creates the accounts?
a. Read only
b. Editor
c. Administrator
d. No access
D. The principle of least privilege should guide Joe in this case. He should apply no access permissions by default and then give each user the necessary permissions to perform their job responsibilities. Read only, editor, and administrator permissions may be necessary for one or more of these users, but those permissions should be assigned based upon business need and not by default.
Which one of the following is not a privileged administrative activity that should be automatically sent to a log of superuser actions?
a. Purging log entries
b. Restoring a system from backup
c. Logging into a workstation
d. Managing user accounts
C. While most organizations would want to log attempts to log in to a workstation, this is not considered a privileged administrative activity and would go through normal logging processes.
Which one of the following individuals is most likely to lead a regulatory investigation?
a. CISO
b. CIO
c. Government agent
d. Private detective
C. Regulatory investigations attempt to uncover whether an individual or organization has violated administrative law. These investigations are almost always conducted by government agents from the regulator with jurisdiction over the activity in question.
What type of evidence consists entirely of tangible items that may be brought into a court of law?
a. Documentary evidence
b. Parol evidence
c. Testimonial evidence
d. Real evidence
D. Real evidence consists of things that may actually be brought into a courtroom as evidence. For example, real evidence includes hard disks, weapons, and items containing fingerprints. Documentary evidence consists of written items that may or may not be in tangible form. Testimonial evidence is verbal testimony given by witnesses with relevant information. The parol evidence rule says that when an agreement is put into written form, the written document is assumed to contain all the terms of the agreement.
Which one of the following trusted recovery types does not fail into a secure operating state?
a. Manual recovery
b. Automated recovery
c. Automated recovery without undue loss
d. Function recovery
A. In a manual recovery approach, the system does not fail into a secure state but requires an administrator to manually restore operations. In an automated recovery, the system can recover itself against one or more failure types. In an automated recovery without undue loss, the system can recover itself against one or more failure types and also preserve data against loss. In function recovery, the system can restore functional processes automatically.
Which one of the following might a security team use on a honeypot system to consume an attacker’s time while alerting administrators?
a. Honeynet
b. Pseudoflaw
c. Warning banner
d. Darknet
B. A pseudoflaw is a false vulnerability in a system that may attract an attacker. A honeynet is a network of multiple honeypots that creates a more sophisticated environment for intruders to explore. A darknet is a segment of unused network address space that should have no network activity and, therefore, may be easily used to monitor for illicit activity. A warning banner is a legal tool used to notify intruders that they are not authorized to access a system.
Toni responds to the desk of a user who reports slow system activity. Upon checking outbound network connections from that system, Toni notices a large amount of social media traffic originating from the system. The user does not use social media, and when Toni checks the accounts in question, they contain strange messages that appear encrypted. What is the most likely cause of this traffic?
a. Other users are relaying social media requests through the user's computer.
b. The user's computer is part of a botnet.
c. The user is lying about their use of social media.
d. Someone else is using the computer when the user is not present.
B. Social media is commonly used as a command-and-control channel for botnets: the bot posts to and reads from ordinary-looking accounts, and the instructions are encoded or encrypted, which is why the messages Toni found appear to be gibberish. The most likely scenario is that the user's computer was infected with malware and joined to a botnet. This accounts for both the unusual social media traffic and the slow system activity.
Under what virtualization model does the virtualization platform separate the network control plane from the data plane and replace complex network devices with simpler devices that simply receive instructions from the controller?
a. Virtual machines
b. VSAN
c. VLAN
d. SDN
D. Software-defined networking separates the control plane from the data plane. Network devices then do not contain complex forwarding logic themselves but receive their instructions from the SDN controller.
Jim would like to identify compromised systems on his network that may be participating in a botnet. He plans to do this by watching for connections made to known command-and-control servers. Which one of the following techniques would be most likely to provide this information if Jim has access to a list of known servers?
a. Netflow records
b. IDS logs
c. Authentication logs
d. RFC logs
A. NetFlow records contain an entry for every network communication session that took place on a network and can be compared against a list of known malicious hosts. IDS logs may contain a relevant record, but this is less likely because an IDS only creates log entries when traffic matches a signature, whereas NetFlow records encompass all communications. Authentication logs and RFC logs would not have records of any network traffic.
Questions 11–14 refer to the following scenario.
Gary was recently hired as the first chief information security officer (CISO) for a local government agency. The agency recently suffered a security breach and is attempting to build a new information security program. Gary would like to apply some best practices for security operations as he is designing this program.
As Gary decides what access permissions he should grant to each user, what principle should guide his decisions about default permissions?
a. Separation of duties
b. Least privilege
c. Aggregation
d. Separation of privileges

B. Gary should follow the least privilege principle and assign users only the permissions they need to perform their job responsibilities. Aggregation is a term used to describe the unintentional accumulation of privileges over time, also known as privilege creep. Separation of duties and separation of privileges are principles used to secure sensitive processes.
Questions 11–14 refer to the following scenario.
Gary was recently hired as the first chief information security officer (CISO) for a local government agency. The agency recently suffered a security breach and is attempting to build a new information security program. Gary would like to apply some best practices for security operations as he is designing this program.
As Gary designs the program, he uses the matrix shown below. What principle of information security does this matrix most directly help enforce?
a. Segregation of duties
b. Aggregation
c. Two-person control
d. Defense in depth

A. The matrix shown in the figure is known as a segregation of duties matrix. It is used to ensure that one person does not obtain two privileges that would create a potential conflict. Aggregation is a term used to describe the unintentional accumulation of privileges over time, also known as privilege creep. Two-person control is used when two people must work together to perform a sensitive action. Defense in depth is a general security principle used to describe a philosophy of overlapping security controls.
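As an added example (not part of the original flashcards), the following Python encodes a segregation of duties matrix as a set of conflicting role pairs and refuses any assignment that would give one person both halves of a conflict. The role names and conflicts are constructed for illustration; a real matrix would come from the organization's process owners.

```python
# Added example: a segregation-of-duties (SoD) matrix as code.
# Role names and conflict pairs are constructed for illustration.

from itertools import combinations

# Each pair is a toxic combination: one person holding both could, for
# instance, create a vendor and approve payments to it, or change a
# system and then audit (or erase) the evidence of the change.
SOD_MATRIX = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"submit_expense", "approve_expense"}),
    frozenset({"sysadmin", "security_auditor"}),
    frozenset({"developer", "production_deployer"}),
}


def conflicts(roles):
    """Return the conflicting role pairs present within one role set."""
    found = []
    for a, b in combinations(sorted(roles), 2):
        if frozenset({a, b}) in SOD_MATRIX:
            found.append((a, b))
    return found


def grant_role(assignments, user, role):
    """Add role to a user's set only if the result violates no SoD rule.

    Returns (granted, reason). The assignments dict is mutated only on grant.
    """
    current = set(assignments.get(user, set()))
    clash = conflicts(current | {role})
    if clash:
        pairs = ", ".join(f"{a}+{b}" for a, b in clash)
        return False, f"denied: {role} for {user} would create conflict(s) {pairs}"
    assignments.setdefault(user, set()).add(role)
    return True, f"granted: {role} to {user}"


def audit(assignments):
    """Find users who already hold a toxic combination (e.g. via privilege creep)."""
    return {u: conflicts(r) for u, r in assignments.items() if conflicts(r)}


if __name__ == "__main__":
    staff = {"alice": {"create_vendor"}, "bob": {"sysadmin", "security_auditor"}}
    print(grant_role(staff, "alice", "approve_payment"))  # denied
    print(grant_role(staff, "alice", "submit_expense"))   # granted
    print(audit(staff))                                   # bob is flagged
```

The `audit` function is the periodic review counterpart of the grant-time check: roles accumulated over time (aggregation) are caught even though each individual grant may have looked harmless when it was made.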
Questions 11–14 refer to the following scenario.
Gary was recently hired as the first chief information security officer (CISO) for a local government agency. The agency recently suffered a security breach and is attempting to build a new information security program. Gary would like to apply some best practices for security operations as he is designing this program.
Gary is preparing to create an account for a new user and assign privileges to the HR database. What two elements of information must Gary verify before granting this access?
a. Credentials and need to know
b. Clearance and need to know
c. Password and clearance
d. Password and biometric scan

B. Before granting access, Gary should verify that the user has a valid security clearance and a business need to know the information. Gary is performing an authorization task, so he does not need to verify the user’s credentials, such as a password or biometric scan.
Questions 11–14 refer to the following scenario.
Gary was recently hired as the first chief information security officer (CISO) for a local government agency. The agency recently suffered a security breach and is attempting to build a new information security program. Gary would like to apply some best practices for security operations as he is designing this program.
Gary is preparing to develop controls around access to root encryption keys and would like to apply a principle of security designed specifically for very sensitive operations. Which principle should he apply?
a. Least privilege
b. Defense in depth
c. Security through obscurity
d. Two-person control

D. Gary should follow the principle of two-person control by requiring simultaneous action by two separate authorized individuals to gain access to the encryption keys. He should also apply the principles of least privilege and defense in depth, but these principles apply to all operations and are not specific to sensitive operations. Gary should avoid the security through obscurity principle, the reliance upon the secrecy of security mechanisms to provide security for a system or process.
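As an added example (not from the original flashcards), the following Python shows one common way to implement two-person control over a root encryption key: split knowledge. The key is divided into two shares with a one-time-pad XOR split, so either share alone is uniformly random and reveals nothing, and the key can only be reconstructed when both custodians present their shares in the same ceremony. The custodian names, the key and the key check value are constructed for illustration.

```python
# Added example: two-person control via split knowledge (XOR secret split).
# Custodian names and key material are constructed for illustration.

import hashlib
import hmac
import secrets


def split_key(key: bytes):
    """Split key into two shares; each share alone is a uniformly random string."""
    share_a = secrets.token_bytes(len(key))
    share_b = bytes(k ^ a for k, a in zip(key, share_a))
    return share_a, share_b


def combine(share_a: bytes, share_b: bytes) -> bytes:
    """XOR the two shares back together to recover the key."""
    if len(share_a) != len(share_b):
        raise ValueError("shares must be the same length")
    return bytes(a ^ b for a, b in zip(share_a, share_b))


def key_check(key: bytes) -> bytes:
    """Key check value stored with the ceremony so a wrong share is detected."""
    return hashlib.sha256(key).digest()


class KeyCeremony:
    """Reconstructs the root key only when both named custodians have
    presented a share in this session and the result matches the check value."""

    def __init__(self, custodians, check: bytes):
        if len(set(custodians)) != 2:
            raise ValueError("this ceremony requires exactly two custodians")
        self.required = set(custodians)
        self.check = check
        self.presented = {}

    def present(self, who: str, share: bytes):
        if who not in self.required:
            raise PermissionError(f"{who} is not an authorized custodian")
        self.presented[who] = share

    def ready(self) -> bool:
        return self.required <= set(self.presented)

    def unlock(self) -> bytes:
        if not self.ready():
            missing = sorted(self.required - set(self.presented))
            raise PermissionError(f"waiting for custodian(s): {missing}")
        a, b = (self.presented[c] for c in sorted(self.required))
        key = combine(a, b)
        if not hmac.compare_digest(key_check(key), self.check):
            raise PermissionError("shares did not reconstruct the expected key")
        return key


if __name__ == "__main__":
    root_key = secrets.token_bytes(32)
    share_alice, share_bob = split_key(root_key)
    ceremony = KeyCeremony(["alice", "bob"], key_check(root_key))
    ceremony.present("alice", share_alice)
    print("ready with one custodian:", ceremony.ready())   # False
    ceremony.present("bob", share_bob)
    print("recovered:", ceremony.unlock() == root_key)     # True
```

Note the contrast with least privilege and defense in depth: those principles still apply to the custodians' accounts and to the key store itself, but it is the split that makes the operation impossible for any single person, which is the property two-person control is meant to provide.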
When should an organization conduct a review of the privileged access that a user has to sensitive systems?
a. On a periodic basis
b. When a user leaves the organization
c. When a user changes roles
d. All of the above
D. Privileged access reviews are one of the most critical components of an organization’s security program because they ensure that only authorized users have access to perform the most sensitive operations. They should take place whenever a user with privileged access leaves the organization or changes roles as well as on a regular, recurring basis.
Which one of the following terms is often used to describe a collection of unrelated patches released in a large collection?
a. Hotfix
b. Update
c. Security fix
d. Service pack
D. Hotfixes, updates, and security fixes are all synonyms for single patches designed to correct a single problem. Service packs are collections of many different updates that serve as a major update to an operating system or application.
Which one of the following tasks is performed by a forensic disk controller?
a. Masking error conditions reported by the storage device
b. Transmitting write commands to the storage device
c. Intercepting and modifying or discarding commands sent to the storage device
d. Preventing data from being returned by a read operation sent to the device
C. A forensic disk controller performs four functions. One of those, write blocking, intercepts write commands sent to the device and prevents them from modifying data on the device. The other three functions include returning data requested by a read operation, returning access-significant information from the device, and reporting errors from the device back to the forensic host.
Lydia is processing access control requests for her organization. She comes across a request where the user does have the required security clearance, but there is no business justification for the access. Lydia denies this request. What security principle is she following?
a. Need to know
b. Least privilege
c. Separation of duties
d. Two-person control
A. Lydia is following the need to know principle. While the user may have the appropriate security clearance to access this information, no business justification was provided, so Lydia cannot establish that the user has a legitimate need to know the information. Clearance and need to know are separate checks, and both must pass before access is granted.
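The authorization decision that Gary (clearance and need to know) and Lydia (clearance present, need to know absent) are both making, as an added Python example that is not part of the original flashcards. Access is granted only when the subject's clearance dominates the object's classification and the subject has a documented need to know for the object's compartment. The levels, compartments, users and resources are constructed for illustration; credentials such as passwords or biometrics belong to authentication, which happens before this step and is deliberately not re-checked here.

```python
# Added example: authorization requiring both clearance and need to know.
# Levels, compartments, subjects and resources are constructed for illustration.

from dataclasses import dataclass, field

# Ordered classification levels; a higher number dominates a lower one.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


@dataclass
class Subject:
    name: str
    clearance: str
    need_to_know: set = field(default_factory=set)  # compartments with a documented business need


@dataclass
class Resource:
    name: str
    classification: str
    compartment: str


def authorize(subject: Subject, resource: Resource):
    """Return (allowed, reason). Both checks must pass, in this order:
    1. clearance dominates classification (the security clearance check),
    2. the resource's compartment is in the subject's approved set (need to know).
    Authentication of the subject is assumed to have already happened."""
    if subject.clearance not in LEVELS or resource.classification not in LEVELS:
        return False, "unknown classification level"
    if LEVELS[subject.clearance] < LEVELS[resource.classification]:
        return False, f"clearance {subject.clearance} is below {resource.classification}"
    if resource.compartment not in subject.need_to_know:
        return False, f"no documented need to know for compartment {resource.compartment}"
    return True, "clearance and need to know verified"


if __name__ == "__main__":
    hr_db = Resource("hr_db", "confidential", "HR")
    # Lydia's case: cleared high enough, but no business justification for HR data.
    pat = Subject("pat", "secret", {"FINANCE"})
    print(authorize(pat, hr_db))
    # Gary's case: both elements verified before the grant.
    pat.need_to_know.add("HR")
    print(authorize(pat, hr_db))
```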
Which one of the following security tools consists of an unused network address space that may detect unauthorized activity?
a. Honeypot
b. Honeynet
c. Pseudoflaw
d. Darknet
D. A darknet is a segment of unused network address space that should have no network activity and, therefore, may be easily used to monitor for illicit activity. A honeypot is a decoy computer system used to bait intruders into attacking. A honeynet is a network of multiple honeypots that creates a more sophisticated environment for intruders to explore. A pseudoflaw is a false vulnerability in a system that may attract an attacker.
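The two network-monitoring techniques on these cards, Jim's comparison of NetFlow records against a list of known command-and-control servers and the use of a darknet to catch traffic that should never exist, as one added Python example that is not part of the original flashcards. The flow records, the C2 list and the darknet range are all constructed here; a real deployment would export flows from a router or collector and take the C2 list from a threat intelligence feed.

```python
# Added example: detection logic over NetFlow-style records for
# (1) contacts with known C2 servers and (2) any traffic into a darknet.
# Flow records, C2 list and darknet range are constructed for illustration.

import ipaddress
from collections import defaultdict

# Constructed flow export with roughly the fields of a NetFlow v5 record:
# start time, src IP, src port, dst IP, dst port, protocol, bytes
FLOWS = """\
2024-05-01T09:00:01 10.0.12.7 51322 203.0.113.44 443 TCP 1840
2024-05-01T09:00:03 10.0.12.7 51323 198.51.100.9 6667 TCP 512
2024-05-01T09:00:05 10.0.12.19 49211 203.0.113.44 443 TCP 98000
2024-05-01T09:00:09 10.0.31.5 40001 10.0.250.17 445 TCP 120
2024-05-01T09:00:11 10.0.12.7 51330 198.51.100.9 6667 TCP 640
2024-05-01T09:00:15 10.0.12.42 33333 10.0.250.200 22 TCP 88
"""

KNOWN_C2 = {"198.51.100.9", "192.0.2.77"}        # constructed threat feed
DARKNET = ipaddress.ip_network("10.0.250.0/24")  # constructed: owned but never assigned


def parse_flows(text):
    """Parse the whitespace-separated export into a list of flow dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport, proto, nbytes = line.split()
        flows.append({"ts": ts, "src": src, "sport": int(sport), "dst": dst,
                      "dport": int(dport), "proto": proto, "bytes": int(nbytes)})
    return flows


def c2_contacts(flows):
    """Internal hosts that connected to a listed C2 server, with contact counts.
    Every session appears in flow data, so even a single beacon is visible."""
    hits = defaultdict(int)
    for f in flows:
        if f["dst"] in KNOWN_C2:
            hits[(f["src"], f["dst"])] += 1
    return dict(hits)


def darknet_probes(flows):
    """Any flow into the darknet is suspicious by definition: nothing
    legitimate lives there, so the source is scanning or misconfigured."""
    return [(f["src"], f["dst"], f["dport"]) for f in flows
            if ipaddress.ip_address(f["dst"]) in DARKNET]


if __name__ == "__main__":
    flows = parse_flows(FLOWS)
    print("C2 contacts:", c2_contacts(flows))
    print("darknet probes:", darknet_probes(flows))
```

The darknet check needs no signature or intelligence feed, which is what makes it cheap: the only knowledge it requires is which of the organization's own address space is unused.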
Which one of the following mechanisms is not commonly seen as a deterrent to fraud?
a. Job rotation
b. Mandatory vacations
c. Incident response
d. Two-person control
C. Job rotation and mandatory vacations deter fraud by increasing the likelihood that it will be detected. Two-person control deters fraud by requiring collusion between two employees. Incident response does not normally serve as a deterrent mechanism.
Brian recently joined an organization that runs the majority of its services on a virtualization platform located in its own data center but also leverages an IaaS provider for hosting its web services and a SaaS email system. What term best describes the type of cloud environment this organization uses?
a. Public cloud
b. Dedicated cloud
c. Private cloud
d. Hybrid cloud
D. The scenario describes a mix of public cloud and private cloud services. This is an example of a hybrid cloud environment.
Tom is responding to a recent security incident and is seeking information on the approval process for a recent modification to a system’s security settings. Where would he most likely find this information?
a. Change log
b. System log
c. Security log
d. Application log
A. The change log contains information about approved changes and the change management process. While other logs may contain details about the change’s effect, the audit trail for change management would be found in the change log.
Mark is considering replacing his organization’s customer relationship management (CRM) solution with a new product that is available in the cloud. This new solution is completely managed by the vendor and Mark’s company will not have to write any code or manage any physical resources. What type of cloud solution is Mark considering?
a. IaaS
b. CaaS
c. PaaS
d. SaaS
D. In a Software as a Service solution, the vendor manages both the physical infrastructure and the complete application stack, providing the customer with access to a fully managed application.
Which one of the following information sources is useful to security administrators seeking a list of information security vulnerabilities in applications, devices, and operating systems?
a. OWASP
b. Bugtraq
c. Microsoft Security Bulletins
d. CVE
D. The Common Vulnerabilities and Exposures (CVE) list contains standardized identifiers and descriptions for many different publicly known security issues across applications, devices, and operating systems. The Open Web Application Security Project (OWASP) publishes general guidance on web application security issues but does not track specific vulnerabilities or go beyond web applications. The Bugtraq mailing list and Microsoft Security Bulletins are good sources of vulnerability information but are not comprehensive databases of known issues.