Domain 7: Review Questions Flashcards

1
Q

What is the first step of the incident response process?

A. Respond to the incident.
B. Detect the incident.
C. Report the incident.
D. Recover from the incident.

A

B.

The steps of the incident response process are as follows:
1. Detect the incident.
2. Respond to the incident.
3. Report the incident to the appropriate personnel.
4. Recover from the incident.
5. Remediate all components affected by the incident to ensure that all traces of the incident have been removed.
6. Review the incident and document all findings.

2
Q

What is the second step of the forensic investigations process?

A. Identification
B. Collection
C. Preservation
D. Examination

A

C.

The steps of the forensic investigation process are as follows:
1. Identification
2. Preservation
3. Collection
4. Examination
5. Analysis
6. Presentation
7. Decision

3
Q

Which of the following is not one of the five rules of evidence?

A. Be accurate.
B. Be complete.
C. Be admissible.
D. Be volatile.

A

D.

The five rules of evidence are as follows:
* Be authentic.
* Be accurate.
* Be complete.
* Be convincing.
* Be admissible.

4
Q

Which of the following refers to allowing access to users only to the minimum resources required to do their jobs?

A. Job rotation
B. Separation of duties
C. Least privilege
D. Mandatory vacation

A

C.

When security professionals allow access to resources and assign rights to perform operations, the concept of least privilege should always be applied. In the context of resource access, this means the default level of access should be no access. Users should be given access only to resources required to do their jobs, and that access should require manual implementation after the requirement is verified by a supervisor.

5
Q

Which of the following is an example of an intangible asset?

A. Disc drive
B. Recipe
C. People
D. Windows server

A

B.

In many cases, some of the most valuable assets for a company are intangible ones, such as secret recipes, formulas, and trade secrets.

6
Q

Which of the following is not a step in incident response management?

A. Detect
B. Respond
C. Monitor
D. Report

A

C.

The steps in incident response management are as follows:
1. Detect the incident.
2. Respond to the incident.
3. Mitigate the incident.
4. Report the incident.
5. Recover from the incident.
6. Remediate the incident.
7. Review and document lessons learned.

7
Q

Which of the following is not a backup type?

A. Full
B. Incremental
C. Grandfather/father/son
D. Transaction log

A

C. Grandfather/father/son is not a backup type; it is a backup rotation scheme.

In the first in, first out (FIFO) scheme, the newest backup is saved to the oldest media. Although this is the simplest rotation scheme, it does not protect against data errors. If an error in data exists, the organization might not have a version of the data that does not contain the error.

In the grandfather/father/son (GFS) scheme, three sets of backups are defined. Most often these three definitions are daily, weekly, and monthly. The daily backups are the sons, the weekly backups are the fathers, and the monthly backups are the grandfathers. Each week, one son advances to the father set. Each month, one father advances to the grandfather set.

8
Q

Which term is used for a facility that contains all the resources needed for full operation?

A. Cold site
B. Hot site
C. Warm site
D. Tertiary site

A

B. A hot site is a leased facility that contains all the resources needed for full operation.

9
Q

Which electronic backup type stores data on optical discs and uses robotics to load and unload the optical discs as needed?

A. Optical jukebox
B. Hierarchical storage management
C. Tape vaulting
D. Replication

A

A. An optical jukebox stores data on optical discs and uses robotics to load and unload the optical discs as needed.

10
Q

What is failsoft?

A. The capacity of a system to switch over to a backup system if a failure in the primary system occurs
B. The capability of a system to terminate noncritical processes when a failure occurs
C. A software product that provides load-balancing services
D. High-capacity storage devices that are connected by a high-speed private network using storage-specific switches

A

B. Failsoft is the capability of a system to terminate noncritical processes when a failure occurs.

11
Q

An organization’s firewall is monitoring the outbound flow of information from one network to another. What specific type of monitoring is this?

A. Egress monitoring
B. Continuous monitoring
C. CMaaS
D. Resource provisioning

A

A. Egress monitoring occurs when an organization monitors the outbound flow of information from one network to another. The most popular form of egress monitoring is carried out using firewalls that monitor and control outbound traffic.

Continuous monitoring and Continuous Monitoring as a Service (CMaaS) are not specific enough to answer this question. Any logging and monitoring activities should be part of an organizational continuous monitoring program. The continuous monitoring program must be designed to meet the needs of the organization and implemented correctly to ensure that the organization’s critical infrastructure is guarded. Organizations may want to look into CMaaS solutions deployed by cloud service providers. Resource provisioning is the process in security operations that ensures that the organization deploys only the assets that it currently needs.

12
Q

Which of the following are considered virtual assets? (Choose all that apply.)

A. Software-defined networks
B. Virtual storage-area networks
C. Guest OSs deployed on VMs
D. Virtual routers

A

A, B, C, D.

Virtual assets include software-defined networks (SDNs), virtual storage-area networks (VSANs), guest operating systems deployed on virtual machines (VMs), and virtual routers. As with physical assets, the deployment and decommissioning of virtual assets should be tightly controlled as part of configuration management because virtual assets, like physical assets, can be compromised.

13
Q

Which of the following describes the ability of a system, device, or data center to recover quickly and continue operating after an equipment failure, power outage, or other disruption?

A. Quality of service (QoS)
B. Recovery time objective (RTO)
C. Recovery point objective (RPO)
D. System resilience

A

D. System resilience is the ability of a system, device, or data center to recover quickly and continue operating after an equipment failure, power outage, or other disruption. It involves the use of redundant components or facilities.

Quality of service (QoS) is a technology that manages network resources to ensure a predefined level of service. It assigns traffic priorities to the different types of traffic on a network. A recovery time objective (RTO) stipulates the amount of time an organization needs to recover from a disaster, and a recovery point objective (RPO) stipulates the amount of data an organization can lose when a disaster occurs.

14
Q

Which of the following are the main factors that affect the selection of an alternate location during the development of a DRP? (Choose all that apply.)

A. Geographic location
B. Organizational needs
C. Location’s cost
D. Location’s restoration effort

A

A, B, C, D.

The main factors that affect the selection of an alternate location during the development of a disaster recovery plan (DRP) include the following:
* Geographic location
* Organizational needs
* Location’s cost
* Location’s restoration effort

15
Q

Which of the following is a hard-drive technology in which data is written across multiple disks in such a way that when one disk fails, data can be made available from other functioning disks?

A. RAID
B. Clustering
C. Failover
D. Load balancing

A

A.

Redundant Array of Independent Disks (RAID) is a hard-drive technology in which data is written across multiple disks in such a way that a disk can fail and the data can be quickly made available from remaining disks in the array without restoring from a backup tape or other backup media. Clustering refers to a software product that provides load-balancing services. With clustering, one instance of an application server acts as a master controller and distributes requests to multiple instances using round-robin, weighted round-robin, or least-connections algorithms. Failover is the capacity of a system to switch over to a backup system if a failure in the primary system occurs. Load balancing refers to a hardware product that provides load-balancing services. Application delivery controllers (ADCs) support the same algorithms but also use complex number-crunching processes, such as per-server CPU and memory utilization, fastest response times, and so on, to adjust the balance of the load. Load-balancing solutions are also referred to as farms or pools.

16
Q

You need to record incoming and outgoing network traffic information in order to determine the origin of an attack. Which of the following logs would be appropriate for this purpose?

A. System log
B. Application log
C. Firewall log
D. Change log

A

C.

Firewall logs record network traffic information, including incoming and outgoing traffic. This usually includes important data, such as IP addresses and port numbers, that can be used to determine the origin of an attack. System logs record system events, such as system and service startup and shutdown. Application logs record actions that occur within a specific application. Change logs report changes made to a specific device or application as part of the change management process.

17
Q

What should you perform on all information accepted into a system to ensure that it is of the right data type and format and that it does not place the system in an insecure state?

A. Clipping levels
B. Two-person control
C. Access review audits
D. Input validation

A

D.

The main thrust of input/output control is to apply controls or checks to the input that is allowed to be submitted to the system. Performing input validation on all information accepted into the system can ensure that it is of the right data type and format and that it does not leave the system in an insecure state. Clipping levels set a baseline for normal user errors, and violations exceeding that threshold will be recorded for analysis of why the violations occurred. A two-person control, also referred to as a two-man rule, occurs when certain access and actions require the presence of two authorized people at all times. Access review audits ensure that object access and user account management practices adhere to the organization’s security policy.

18
Q

Which of the following defenses would you implement to discourage a determined intruder?

A. 3 to 4 feet tall fence
B. 6 to 7 feet tall fence
C. 8 feet and taller fence
D. Geo-fence

A

C.

Fencing is the first line of defense in the concentric circle paradigm. When selecting the type of fencing to install, consider the determination of the individuals you are trying to discourage. Use the following guidelines with respect to height:
* Fences 3 to 4 feet tall deter only casual intruders.
* Fences 6 to 7 feet tall are too tall to climb easily.
* Fences 8 feet and taller deter more determined intruders, especially when those fences are augmented with razor wire.
A geo-fence is a geographic area within which devices are managed using some sort of radio frequency communication. It is used to track users or devices entering or leaving the geo-fence area.

19
Q

Which of the following actions could you perform to logically harden a system? (Choose all that apply.)

A. Remove unnecessary applications.
B. Disable unnecessary services.
C. Block unused ports.
D. Tightly control the connecting of external storage devices and media.

A

A, B, C, D.

An ongoing goal of operations security is to ensure that all systems have been hardened to the extent that is possible and still provide functionality. The following actions can be performed to logically harden a system:
* Remove unnecessary applications.
* Disable unnecessary services.
* Block unused ports.
* Tightly control the connecting of external storage devices and media if it’s allowed at all.

20
Q

Mary is reviewing the availability controls for the system architecture shown here. What technology is shown that provides fault tolerance for the database servers?

A. Failover cluster
B. UPS
C. Tape backup
D. Cold site

A

A.

The illustration shows an example of a failover cluster, where DB1 and DB2 are both configured as database servers. At any given time, only one will function as the active database server, while the other remains ready to assume responsibility if the first one fails. While the environment may use UPS, tape backup, and cold sites as disaster recovery and business continuity controls, they are not shown in the diagram.

21
Q

Joe is the security administrator for an ERP system. He is preparing to create accounts for several new employees. What default access should he give to all of the new employees as he creates the accounts?

A. Read only
B. Editor
C. Administrator
D. No access

A

D.

The principle of least privilege should guide Joe in this case. He should apply no access permissions by default and then give each user the necessary permissions to perform their job responsibilities. Read only, editor, and administrator permissions may be necessary for one or more of these users, but those permissions should be assigned based upon business need and not by default.

21
Q

When one of the employees of Alice’s company calls in for support, she uses a code word that the company agreed to use if employees were being forced to perform an action. What is this scenario called?

A. Social engineering
B. Duress
C. Force majeure
D. Stockholm syndrome

A

B.

Duress, or being under threat of violence or other constraints, is a concern for organizations such as banks, jewelry stores, or other organizations where an attacker may attempt to force an employee to perform actions. Organizations that expect that a scenario like this may occur will often use duress code words that let others know that they are performing actions under threat.

21
Q

Tim is configuring a privileged account management solution for his organization. Which one of the following is not a privileged administrative activity that should be automatically sent to a log of superuser actions?

A. Purging log entries
B. Restoring a system from backup
C. Logging into a workstation
D. Managing user accounts

A

C.

While most organizations would want to log attempts to log in to a workstation, this is not considered a privileged administrative activity and would go through normal logging processes.

22
Q

Jordan is preparing to bring evidence into court after a cybersecurity incident investigation. He is responsible for preparing the physical artifacts, including affected servers and mobile devices. What type of evidence consists entirely of tangible items that may be brought into a court of law?

A. Documentary evidence
B. Parol evidence
C. Testimonial evidence
D. Real evidence

A

D.

Real evidence consists of things that may actually be brought into a courtroom as evidence. For example, real evidence includes hard disks, weapons, and items containing fingerprints. Documentary evidence consists of written items that may or may not be in tangible form. Testimonial evidence is verbal testimony given by witnesses with relevant information. The parol evidence rule says that when an agreement is put into written form, the written document is assumed to contain all the terms of the agreement.

23
Q

Lauren wants to ensure that her users only run software that her organization has approved. What technology should she deploy?

A. Blacklisting
B. Configuration management
C. Whitelisting
D. Graylisting

A

C.

A whitelist of allowed applications will ensure that Lauren’s users can run only the applications that she preapproves. Blacklists would require her to maintain a list of every application that she doesn’t want to allow, which is an almost impossible task. Graylisting is not a technology option. Configuration management can be useful for making sure the right applications are on a PC but typically can’t directly prevent users from running undesired applications or programs.

24
Q

Colin is responsible for managing his organization’s use of cybersecurity deception technologies. Which one of the following should he use on a honeypot system to consume an attacker’s time while alerting administrators?

A. Honeynet
B. Pseudo-flaw
C. Warning banner
D. Darknet

A

B.

A pseudo-flaw is a false vulnerability in a system that may distract an attacker. A honeynet is a network of multiple honeypots that creates a more sophisticated environment for intruders to explore, rather than a feature Colin could use on a honeypot. A darknet is a segment of unused network address space that should have no network activity and, therefore, may be easily used to monitor for illicit activity. A warning banner is a legal tool used to notify intruders that they are not authorized to access a system.

25
Q

Toni responds to the desk of a user who reports slow system activity. Upon checking outbound network connections from that system, Toni notices a large amount of social media traffic originating from the system. The user does not use social media, and when Toni checks the accounts in question, she sees they contain strange messages that appear encrypted. What is the most likely cause of this traffic?

A. Other users are relaying social media requests through the user’s computer.
B. The user’s computer is part of a botnet.
C. The user is lying about her use of social media.
D. Someone else is using the user’s computer when she is not present.

A

B.

Social media is commonly used as a command-and-control system for botnet activity. The most likely scenario here is that the user’s computer was infected with malware and joined to a botnet. This accounts for both the unusual social media traffic and the slow system activity.

26
Q

John deploys his website to multiple regions using load balancers around the world through his cloud infrastructure as a service provider. What availability concept is he using?

A. Multiple processing sites
B. Warm sites
C. Cold sites
D. A honeynet

A

A.

John’s design provides multiple processing sites, distributing load to multiple regions. Not only does this provide business continuity and disaster recovery functionality, but it also means that his design will be more resilient to denial-of-service attacks.

27
Q

Jim would like to identify compromised systems on his network that may be participating in a botnet. He plans to do this by watching for connections made to known command-and-control servers. Which one of the following techniques would be most likely to provide this information if Jim has access to a list of known servers?

A. NetFlow records
B. IDS logs
C. Authentication logs
D. RFC logs

A

A.

NetFlow records contain an entry for every network communication session that took place on a network and can be compared to a list of known malicious hosts. IDS logs may contain a relevant record, but it is less likely because they would create log entries only if the traffic triggers the IDS, as opposed to NetFlow records, which encompass all communications. Authentication logs and RFC logs would not have records of any network traffic.

28
Q

Gary was recently hired as the first chief information security officer (CISO) for a local government agency. The agency recently suffered a security breach and is attempting to build a new information security program. Gary would like to apply some best practices for security operations as he is designing this program.

As Gary decides what access permissions he should grant to each user, what principle should guide his decisions about default permissions?

A. Segregation of duties
B. Least privilege
C. Privilege creep
D. Separation of privileges

A

B.

Gary should follow the least privilege principle and assign users only the permissions they need to perform their job responsibilities. Privilege creep is a term used to describe the unintentional accumulation of privileges over time. Segregation of duties and separation of privileges are principles used to secure sensitive processes.

29
Q

Gary was recently hired as the first chief information security officer (CISO) for a local government agency. The agency recently suffered a security breach and is attempting to build a new information security program. Gary would like to apply some best practices for security operations as he is designing this program.

As Gary designs the program, he uses the matrix shown here. What principle of information security does this matrix most directly help enforce?

A. Segregation of duties
B. Privilege creep
C. Two-person control
D. Defense in depth

A

A.

The matrix shown in the figure is known as a segregation of duties matrix. It is used to ensure that one person does not obtain two privileges that would create a potential conflict. Privilege creep is a term used to describe the unintentional accumulation of privileges over time. Two-person control is used when two people must work together to perform a sensitive action. Defense in depth is a general security principle used to describe a philosophy of overlapping security controls.

30
Q

Gary was recently hired as the first chief information security officer (CISO) for a local government agency. The agency recently suffered a security breach and is attempting to build a new information security program. Gary would like to apply some best practices for security operations as he is designing this program.

Gary is preparing to create an account for a new user and assign privileges to the HR database. What two elements of information must Gary verify before granting this access?

A. Credentials and need to know
B. Clearance and need to know
C. Password and clearance
D. Password and biometric scan

A

B.

Before granting access, Gary should verify that the user has a valid security clearance and a business need to know the information. Gary is performing an authorization task, so he does not need to verify the user’s credentials, such as a password or biometric scan.

31
Q

Gary was recently hired as the first chief information security officer (CISO) for a local government agency. The agency recently suffered a security breach and is attempting to build a new information security program. Gary would like to apply some best practices for security operations as he is designing this program.

Gary is preparing to develop controls around access to root encryption keys and would like to apply a principle of security designed specifically for very sensitive operations. Which principle should he apply?

A. Least privilege
B. Defense in depth
C. Security through obscurity
D. Two-person control

A

D.

Gary should follow the principle of two-person control by requiring simultaneous action by two separate authorized individuals to gain access to the encryption keys. He should also apply the principles of least privilege and defense in depth, but these principles apply to all operations and are not specific to sensitive operations. Gary should avoid the security through obscurity principle, the reliance upon the secrecy of security mechanisms to provide security for a system or process.

32
Q

Gary was recently hired as the first chief information security officer (CISO) for a local government agency. The agency recently suffered a security breach and is attempting to build a new information security program. Gary would like to apply some best practices for security operations as he is designing this program.

How often should Gary and his team conduct a review of the privileged access that a user has to sensitive systems? (Select all that apply.)

A. On a periodic basis
B. When a user leaves the organization
C. When a user changes roles
D. On a daily basis

A

A, B, C.

Privileged access reviews are one of the most critical components of an organization’s security program because they ensure that only authorized users have access to perform the most sensitive operations. They should take place whenever a user with privileged access leaves the organization or changes roles as well as on a regular, recurring basis. However, it is not reasonable to expect that these time-consuming reviews would take place on a daily basis.

33
Q

Which one of the following terms is often used to describe a collection of unrelated patches released in a large collection?

A. Hotfix
B. Update
C. Security fix
D. Service pack

A

D.

Hotfixes, updates, and security fixes are all synonyms for single patches designed to correct a single problem. Service packs are collections of many different updates that serve as a major update to an operating system or application.

34
Q

Lydia is processing access control requests for her organization. She comes across a request where the user does have the required security clearance, but there is no business justification for the access. Lydia denies this request. What security principle is she following?

A. Need to know
B. Least privilege
C. Segregation of duties
D. Two-person control

A

A.

Lydia is following the need to know principle. While the user may have the appropriate security clearance to access this information, there is no business justification provided, so she does not know that the user has an appropriate need to know the information.

35
Q

Tonya is collecting evidence from a series of systems that were involved in a cybersecurity incident. A colleague suggests that she use a write blocker for the collection process. What is the function of this device?

A. Masking error conditions reported by the storage device
B. Transmitting write commands to the storage device
C. Intercepting and modifying or discarding commands sent to the storage device
D. Preventing data from being returned by a read operation sent to the device

A

C.

A forensic disk controller performs four functions. One of those, write blocking, intercepts write commands sent to the device and prevents them from modifying data on the device. The other three functions include returning data requested by a read operation, returning access-significant information from the device, and reporting errors from the device back to the forensic host.

36
Q

Helen is tasked with implementing security controls in her organization that might be used to deter fraudulent insider activity. Which one of the following mechanisms would be LEAST useful to her work?

A. Job rotation
B. Mandatory vacations
C. Incident response
D. Two-person control

A

C.

Job rotation and mandatory vacations deter fraud by increasing the likelihood that it will be detected. Two-person control deters fraud by requiring collusion between two employees. Incident response does not normally serve as a deterrent mechanism.

37
Q

Matt wants to ensure that critical network traffic from systems throughout his company is prioritized over web browsing and social media use at this company. What technology can he use to do this?

A. VLANs
B. QoS
C. VPN
D. ISDN

A

B.

Quality of service is a feature found on routers and other network devices that can prioritize specific network traffic. QoS policies define which traffic is prioritized, and traffic is then handled based on the policy.

38
Q

Tom is responding to a recent security incident and is seeking information on the approval process for a recent modification to a system’s security settings. Where would he most likely find this information?

A. Change log
B. System log
C. Security log
D. Application log

A

A.

The change log contains information about approved changes and the change management process. While other logs may contain details about the change’s effect, the audit trail for change management would be found in the change log.

39
Q

Staff from Susan’s company often travel internationally and require connectivity to corporate systems for their work. Susan believes that these users may be targeted for corporate espionage activities because of the technologies that her company is developing and wants to include advice in the security training provided to international travelers. What practice should Susan recommend that they adopt for connecting to networks while they travel?

A. Only connect to public Wi-Fi.
B. Use a VPN for all connections.
C. Only use websites that support TLS.
D. Do not connect to networks while traveling.

A

B.

While it may be tempting to tell her staff to simply not connect to any network, Susan knows that they will need connectivity to do their work. Using a VPN to connect their laptops and mobile devices to a trusted network and ensuring that all traffic is tunneled through the VPN is her best bet to secure their Internet usage. Susan may also want to ensure that they take “clean” laptops and devices that do not contain sensitive information or documents and that those systems are fully wiped when they return.

40
Q

Ricky is seeking a list of information security vulnerabilities in applications, devices, and operating systems. Which one of the following threat intelligence sources would be most useful to him?

A. OWASP
B. CIS
C. Microsoft Security Bulletins
D. CVE

A

D.

The Common Vulnerabilities and Exposures (CVE) database contains standardized information on many different security issues. The Open Worldwide Application Security Project (OWASP) contains general guidance on web application security issues but does not track specific vulnerabilities or go beyond web applications. The Center for Internet Security (CIS) maintains benchmarks for securely configuring devices, operating systems, and applications; it does not track vulnerabilities. Microsoft Security Bulletins are also good sources of vulnerability information but are not comprehensive databases of known issues.

41
Q

Which of the following would normally be considered an example of a disaster when performing disaster recovery planning? (Select all that apply.)

A. Hacking incident
B. Flood
C. Fire
D. Terrorism

A

A, B, C, D.

A disaster is any event that can disrupt normal IT operations and can be either natural or human-made. Hacking and terrorism are examples of human-made disasters, while flooding and fire are examples of natural disasters.

42
Q

Glenda would like to conduct a disaster recovery test and is seeking a test that will allow a review of the plan with no disruption to normal information system activities and as minimal a commitment of time as possible. What type of test should she choose?

A. Tabletop exercise
B. Parallel test
C. Full interruption test
D. Read-through

A

D.

The read-through is the least disruptive type of disaster recovery test. During a read-through, team members each review the contents of their disaster recovery checklists on their own and suggest any necessary changes. During a tabletop exercise, team members come together and discuss a specific scenario without making any changes to information systems. During a parallel test, the team actually activates the disaster recovery site for testing, but the primary site remains operational. During a full interruption test, the team takes down the primary site and confirms that the disaster recovery site is capable of handling regular operations. The full interruption test is the most thorough test but also the most disruptive.

43
Q

Which one of the following is not an example of a backup tape rotation scheme?

A. Grandfather-Father-Son
B. Meet-in-the-Middle
C. Tower of Hanoi
D. Six Cartridge Weekly

A

B.

The Grandfather-Father-Son, Tower of Hanoi, and Six Cartridge Weekly schemes are all different approaches to rotating backup media that balance reuse of media with data retention concerns. Meet-in-the-middle is a cryptographic attack against 2DES encryption.

44
Q

Helen is implementing a new security mechanism for granting employees administrative privileges in the accounting system. She designs the process so that both the employee’s manager and the accounting manager must approve the request before the access is granted. What information security principle is Helen enforcing?

A. Least privilege
B. Two-person control
C. Job rotation
D. Segregation of duties

A

B.

In this scenario, Helen designed a process that requires the concurrence of two people to perform a sensitive action. This is an example of two-person control. This is different from segregation of duties, where one individual may not have two separate permissions that, when combined, might allow an unwanted action. Segregation of duties applied to a situation like this one might say that the same person may not have both the ability to initiate a request and the ability to approve a request. Least privilege says that an individual should have only the necessary permissions required to carry out their job function. Job rotation is a scheme that has users periodically shift job functions in order to detect malfeasance.

45
Q

Frank is considering the use of different types of evidence in an upcoming criminal matter. Which one of the following is not a requirement for evidence to be admissible in court?

A. The evidence must be relevant.
B. The evidence must be material.
C. The evidence must be tangible.
D. The evidence must be competently acquired.

A

C.

Evidence provided in court must be relevant to determining a fact in question, material to the case at hand, and competently obtained. Evidence does not need to be tangible. Witness testimony is an example of intangible evidence that may be offered in court.

46
Q

Harold recently completed leading the postmortem review of a security incident. What documentation should he prepare next?

A. A lessons learned document
B. A risk assessment
C. A remediation list
D. A mitigation checklist

A

A.

A lessons learned document is often created and distributed to involved parties after a postmortem review to ensure that those who were involved in the incident and others who may benefit from the knowledge are aware of what they can do to prevent future issues and to improve response in the event that one occurs.

47
Q

Beth is creating a new cybersecurity incident response team (CSIRT) and would like to determine the appropriate team membership. Which of the following groups would she normally include? (Select all that apply.)

A. Information security
B. Law enforcement
C. Senior management
D. Public affairs

A

A, C, D.

CSIRT representation normally includes at least representatives of senior management, information security professionals, legal representatives, public relations staff, human resources, and engineering/technical staff. Law enforcement personnel would not be included on such a team and would only be consulted as necessary.

48
Q

Sam is responsible for backing up his company’s primary file server. He configured a backup schedule that performs full backups every Monday evening at 9 p.m. and differential backups on other days of the week at that same time. Files change according to the information shown here. How many files will be copied in Wednesday’s backup?

A. 2
B. 3
C. 5
D. 6

A

C.

In this scenario, all the files on the server will be backed up on Monday evening during the full backup. The differential backup on Wednesday will then copy all files modified since the last full backup. These include files 1, 2, 3, 5, and 6: a total of five files.

49
Q

Which one of the following security tools is not capable of generating an active response to a security event?

A. IPS
B. Firewall
C. IDS
D. Antivirus software

A

C.

Intrusion detection systems (IDSs) provide only passive responses, such as alerting administrators to a suspected attack. Intrusion prevention systems and firewalls, on the other hand, may take action to block an attack attempt. Antivirus software also may engage in active response by quarantining suspect files.

50
Q

Scott is responsible for disposing of disk drives that have been pulled from his company’s SAN as they are retired. Which of the following options should he avoid if the data on the SAN is considered highly sensitive by his organization?

A. Destroy them physically.
B. Sign a contract with the SAN vendor that requires appropriate disposal and provides a certification process.
C. Reformat each drive before it leaves the organization.
D. Use a secure wipe tool like DBAN.

A

C.

Physical destruction, an appropriate contract with certification, and secure wiping are all reasonable options. In each case, a careful inventory and check should be done to ensure that each drive is handled appropriately. Reformatting drives can leave remnant data, making this a poor data life-cycle choice for drives that contain sensitive data.

51
Q

Which of the following topics is least likely to be included in a company’s user security training and awareness program?

A. Insider threat
B. Social media impact
C. 2FA fatigue
D. Secure router configuration guidelines

A

D.

Secure router configuration guidelines are typically more technical and specific to IT professionals, making them less likely to be included in a general security training and awareness program. These programs usually focus on broader and more universally applicable topics like insider threats, which address risks from employees or contractors; social media impact, which covers the risks of sharing information online; and 2FA fatigue, which relates to the weariness or complacency in using two-factor authentication. These are relevant to a wider audience and are crucial for overall organizational security awareness. In contrast, the specifics of router configuration are usually handled by specialized IT staff.

52
Q

Which one of the following types of agreements is the most formal document that contains expectations about availability and other performance parameters between a service provider and a customer?

A. Service-level agreement (SLA)
B. Operational-level agreement (OLA)
C. Memorandum of understanding (MOU)
D. Statement of work (SOW)

A

A.

The service-level agreement (SLA) is between a service provider and a customer and documents in a formal manner expectations around availability, performance, and other parameters. An MOU may cover the same items but is not as formal a document. An OLA is between internal service organizations and does not involve customers. An SOW is an addendum to a contract describing work to be performed.

53
Q

As the CIO of a large organization, Clara would like to adopt standard processes for managing IT activities. Which one of the following frameworks focuses on IT service management and includes topics such as change management, configuration management, and service-level agreements?

A. ITIL
B. PMBOK
C. PCI DSS
D. TOGAF

A

A.

The ITIL framework focuses on IT service management. The Project Management Body of Knowledge (PMBOK) provides a common core of project management expertise. The Payment Card Industry Data Security Standard (PCI DSS) contains regulations for payment card security. The Open Group Architecture Framework (TOGAF) focuses on IT architecture issues.

54
Q

Richard is experiencing issues with the quality of network service on his organization’s network. The primary symptom is that packets are consistently taking too long to travel from their source to their destination. What term describes the issue Richard is facing?

A. Jitter
B. Packet loss
C. Interference
D. Latency

A

D.

Latency is a delay in the delivery of packets from their source to their destination. Jitter is a variation in the latency for different packets. Packet loss is the disappearance of packets in transit that requires retransmission. Interference is electrical noise or other disruptions that corrupt the contents of packets.

55
Q

Joe wants to test a program he suspects may contain malware. What technology can he use to isolate the program while it runs?

A. ASLR
B. Sandboxing
C. Clipping
D. Process isolation

A

B.

Running the program in a sandbox provides secure isolation that can prevent the malware from impacting other applications or systems. If Joe uses appropriate instrumentation, he can observe what the program does, what changes it makes, and any communications it may attempt. ASLR is a memory location randomization technology. Process isolation keeps processes from impacting each other. A sandbox typically provides greater utility in a scenario like this since it can be instrumented and managed in a way that better supports investigations. Clipping is a term often used in signal processing.

56
Q

Which one of the following is an example of a non-natural disaster?

A. Hurricane
B. Flood
C. Mudslide
D. Transformer explosion

A

D.

A transformer explosion is a failure of a human-made electrical component. Flooding, mudslides, and hurricanes are all examples of natural disasters.

57
Q

Anne wants to gather information about security settings as well as build an overall view of her organization’s assets by gathering data about a group of Windows 11 workstations spread throughout her company. What Windows tool is best suited to this type of configuration management task?

A. ConfigMgr
B. Group Policy
C. SCOM
D. A custom PowerShell script

A

A.

Microsoft Configuration Manager (ConfigMgr) provides this capability and is designed to allow administrators to evaluate the configuration status of Windows workstations and servers, as well as providing asset management data. System Center Operations Manager (SCOM) is primarily used to monitor for health and performance. Group Policy can be used for a variety of tasks including deploying settings and software, and custom PowerShell scripts could do this but should not be required for a configuration check.

58
Q

Javier is verifying that only IT system administrators have the ability to log on to servers used for administrative purposes. What principle of information security is he enforcing?

A. Need to know
B. Least privilege
C. Two-person control
D. Transitive trust

A

B.

The principle of least privilege says that an individual should only have the privileges necessary to complete their job functions. Removing administrative privileges from nonadministrative users is an example of least privilege.

59
Q

Which one of the following is not a basic preventive measure that you can take to protect your systems and applications against attack?

A. Implement intrusion detection and prevention systems.
B. Maintain current patch levels on all operating systems and applications.
C. Remove unnecessary accounts and services.
D. Conduct forensic imaging of all systems.

A

D.

There is no need to conduct forensic imaging as a preventative measure. Rather, forensic imaging should be used during the incident response process. Maintaining patch levels, implementing intrusion detection/prevention, and removing unnecessary services and accounts are all basic preventive measures.

60
Q

Chas is a cybersecurity manager who is concerned that the cloud provider his organization relies upon for disaster recovery may not be able to meet their needs in the event that a disaster strikes multiple customers simultaneously. What type of agreement should Chas enter into with this provider?

A. Nondisclosure agreement
B. Resource capacity agreement
C. Mutual assistance agreement
D. Business partnership agreement

A

B.

A resource capacity agreement is the most appropriate for Chas’s concern, as it specifically addresses the availability of resources in a disaster scenario. This type of agreement ensures that the cloud provider has sufficient resources to meet the needs of their clients, even in the event of multiple simultaneous disasters. It directly tackles the issue of resource allocation and availability, which is Chas’s primary concern. In contrast, a nondisclosure agreement is more about confidentiality and doesn’t address resource capacity. A mutual assistance agreement typically involves agreements between organizations for support during emergencies but doesn’t guarantee specific resource availability. A business partnership agreement is broader and may not specifically cover the detailed aspects of resource availability in disaster scenarios.

61
Q

Which one of the following is an example of a computer security incident?

A. Failure of a backup to complete properly
B. System access recorded in a log
C. Unauthorized vulnerability scan of a file server
D. Update of antivirus signatures

A

C.

An incident negatively affects the confidentiality, integrity, or availability of information or assets and/or violates a security policy. A computer security incident is an incident that is the result of an attack or the result of malicious or intentional actions on the part of users. The unauthorized vulnerability scan of a server does violate security policy and may negatively affect the security of that system, so it qualifies as a security incident. The failure of a backup to complete properly jeopardizes availability and is, therefore, an incident, but not a computer security incident. The logging of system access and the update of antivirus signatures are both routine actions that do not violate policy or jeopardize security, so they are events rather than incidents.

62
Q

Roland is a physical security specialist in an organization that has a large amount of expensive lab equipment that often moves around the facility. Which one of the following technologies would provide the most automation of an inventory control process in a cost-effective manner?

A. IPS
B. Wi-Fi
C. RFID
D. Ethernet

A

C.

Radio Frequency Identification (RFID) technology is a cost-effective way to track items around a facility. While Wi-Fi could be used for the same purpose, it would be much more expensive to implement.

63
Q

Connor’s company recently experienced a denial-of-service attack that Connor believes came from an inside source. If true, what type of event has the company experienced?

A. Espionage
B. Confidentiality breach
C. Sabotage
D. Integrity breach

A

C.

An attack committed against an organization by an insider, such as an employee, is known as sabotage. Espionage and confidentiality breaches involve the theft of sensitive information, which is not alleged to have occurred in this case. Integrity breaches involve the unauthorized modification of information, which is not described in this scenario.

64
Q

Evan detects an attack against a server in his organization and examines the TCP flags on a series of packets, shown in the following diagram. What type of attack most likely took place?

A. SYN flood
B. Ping flood
C. Smurf
D. Fraggle

A

A.

In a SYN flood attack, the attacker sends a large number of SYN packets to a system but does not respond to the SYN/ACK packets, attempting to overwhelm the attacked system’s connection state table with half-open connections.

65
Q

Florian is building a disaster recovery plan for his organization and would like to determine the amount of time that a particular IT service may be down without causing serious damage to business operations. What variable is Florian calculating?

A. RTO
B. MTD
C. RPO
D. SLA

A

B.

The maximum tolerable downtime (MTD) is the longest amount of time that an IT service or component may be unavailable without causing serious damage to the organization. The recovery time objective (RTO) is the amount of time expected to return an IT service or component to operation after a failure. The recovery point objective (RPO) identifies the maximum amount of data, measured in time, that may be lost during a recovery effort. Service-level agreements (SLAs) are written contracts that document service expectations.

66
Q

Which of the following would normally be classified as zero-day attacks?

A. An attacker who is new to the world of hacking
B. A database attack that places the date 00/00/0000 in data tables in an attempt to exploit flaws in business logic
C. An attack previously unknown to the security community
D. An attack that sets the operating system date and time to 00/00/0000 and 00:00:00

A

C.

Zero-day attacks are those that are previously unknown to the security community and, therefore, have no available patch. These are especially dangerous attacks because they may be highly effective until a solution becomes available. The other attacks described here are all known attacks and would not be classified as zero-day events.

67
Q

Rob is conducting a forensic investigation and is looking for elements of trace digital evidence. Which one of the following principles applies most closely to his work?

A. Kerckhoff’s principle
B. Principle of least privilege
C. Defense-in-depth principle
D. Locard’s principle

A

D.

Locard’s principle is most relevant to Rob’s forensic investigation for trace digital evidence, as it suggests that any contact between two objects results in an exchange of materials. In the context of digital forensics, this principle implies that there is always some form of digital trace or residue left behind when devices interact or when data is transferred.
Kerckhoff’s principle states that a system’s security should not depend on the secrecy of its algorithm but rather on the secrecy of its keys. The principle of least privilege is a security concept in which a user is given the minimum levels of access—or permissions—needed to perform his job functions. Lastly, the defense-in-depth principle is a layered security approach that establishes multiple levels of defense to protect information. While these other three principles are important in cybersecurity, they do not directly relate to the collection and analysis of digital trace evidence like Locard’s principle does.

68
Q

During an incident investigation, investigators meet with a system administrator who may have information about the incident but is not a suspect. What type of conversation is taking place during this meeting?

A. Interview
B. Interrogation
C. Both an interview and an interrogation
D. Neither an interview nor an interrogation

A

A.

Interviews occur when investigators meet with an individual who may have information relevant to their investigation but is not a suspect. If the individual is a suspect, then the meeting is an interrogation.

69
Q

What technique has been used to protect the intellectual property shown here?

Source: Bruce Jaffe / USGS / Public domain

A. Steganography
B. Clipping
C. Sampling
D. Watermarking

A

D.

The image clearly contains the watermark of the U.S. Geological Survey (USGS), which ensures that anyone seeing the image knows its origin. It is not possible to tell from looking at the image whether steganography was used. Sampling and clipping are data analysis techniques and are not used to protect images.

70
Q

You are working to evaluate the risk of flood to an area as part of a business continuity planning (BCP) effort. You consult the flood maps from the Federal Emergency Management Agency (FEMA). According to those maps, the area lies within a 200-year flood plain. What is the annualized rate of occurrence (ARO) of a flood in that region?

A. 200
B. 0.01
C. 0.02
D. 0.005

A

D.

The annualized rate of occurrence (ARO) is the expected number of times an incident will occur each year. In the case of a 200-year flood plain, planners should expect a flood once every 200 years. This is equivalent to a 1/200 chance of a flood in any given year, or 0.005 floods per year.

71
Q

Which one of the following individuals poses the greatest risk to security in most well-defended organizations?

A. Political activist
B. Malicious insider
C. Script kiddie
D. Thrill attacker

A

B.

While all hackers with malicious intent pose a risk to the organization, the malicious insider poses the greatest risk to security because they likely have legitimate access to sensitive systems that may be used as a launching point for an attack. Other attackers do not begin with this advantage.

72
Q

Veronica is considering the implementation of a database recovery mechanism recommended by a consultant. In the recommended approach, an automated process will move database backups from the primary facility to an off-site location each night. What type of database recovery technique is the consultant describing?

A. Remote journaling
B. Remote mirroring
C. Electronic vaulting
D. Transaction logging

A

C.

In an electronic vaulting approach, automated technology moves database backups from the primary database server to a remote site on a scheduled basis, typically daily. Transaction logging is not a recovery technique alone; it is a process for generating the logs used in remote journaling. Remote journaling transfers transaction logs to a remote site on a more frequent basis than electronic vaulting, typically hourly. Remote mirroring maintains a live database server at the backup site and mirrors all transactions at the primary site on the server at the backup site.

73
Q

When designing an access control scheme, Hilda set up roles so that the same person does not have the ability to provision a new user account and assign superuser privileges to an account. What information security principle is Hilda following?

A. Least privilege
B. Segregation of duties
C. Job rotation
D. Security through obscurity

A

B.

Hilda’s design follows the principle of segregation of duties. Giving one user the ability to both create new accounts and grant administrative privileges combines two actions that would result in a significant security change, so those actions should be divided between two users.

74
Q

Patrick was asked to implement a threat-hunting program for his organization. Which one of the following is the basic assumption of a threat-hunting program that he should use as he plans his work?

A. Security controls were designed using a defense-in-depth strategy.
B. Audits may uncover control deficiencies.
C. Attackers may already be present on the network.
D. Defense mechanisms may contain unpatched vulnerabilities.

A

C.

While all of these assumptions are valid premises that Patrick might have going into the exercise, the basic assumption of a threat-hunting exercise is the so-called presumption of compromise. This means that Patrick should assume that attackers have already gained access to his system and then hunt for indicators of their presence.

75
Q

Brian is developing the training program for his organization’s disaster recovery program and would like to make sure that participants understand when disaster activity concludes. Which one of the following events marks the completion of a disaster recovery process?

A. Securing property and life safety
B. Restoring operations in an alternate facility
C. Restoring operations in the primary facility
D. Standing down first responders

A

C.

The end goal of the disaster recovery process is restoring normal business operations in the primary facility. All of the other actions listed may take place during the disaster recovery process, but the process is not complete until the organization is once again functioning normally in its primary facilities.

76
Q

Melanie suspects that someone is using malicious software to steal computing cycles from her company. Which one of the following security tools would be in the best position to detect this type of incident?

A. NIDS
B. Firewall
C. HIDS
D. DLP

A

C.

A host-based intrusion detection system (HIDS) may be able to detect unauthorized processes running on a system. The other controls mentioned, network intrusion detection systems (NIDSs), firewalls, and DLP systems, are network-based and may not notice rogue processes.

77
Q

Brandon observes that an authorized user of a system on his network recently misused his account to exploit a system vulnerability against a shared server that allowed him to gain root access to that server. What type of attack took place?

A. Denial-of-service
B. Privilege escalation
C. Reconnaissance
D. Brute force

A

B.

The scenario describes a privilege escalation attack where a malicious insider with authorized access to a system misused that access to gain privileged credentials.

78
Q

Carla has worked for her company for 15 years and has held a variety of different positions. Each time she changed positions, she gained new privileges associated with that position, but no privileges were ever taken away. What concept describes the sets of privileges she has accumulated?

A. Entitlement
B. Privilege creep
C. Transitivity
D. Isolation

A

B.

Carla’s account has experienced privilege creep, where privileges accumulated over time. This condition is also known as aggregation and likely constitutes a violation of the least privilege principle.

79
Q

During what phase of the incident response process do administrators take action to limit the effect or scope of an incident?

A. Detection
B. Response
C. Mitigation
D. Recovery

A

C.

The mitigation phase of incident response focuses on actions that can contain the damage incurred during an incident. This includes limiting the scope and/or effectiveness of the incident. The detection phase identifies that an incident is taking place. The response phase includes steps taken to assemble a team and triage the incident. At the conclusion of the recovery phase, normal operations are resumed.

80
Q

For questions 1-4, please refer to the following scenario:

Ann is a security professional for a midsize business and typically handles log analysis and security monitoring tasks for her organization. One of her roles is to monitor alerts originating from the organization’s intrusion detection system. The system typically generates several dozen alerts each day, and many of those alerts turn out to be false alarms after her investigation.
This morning, the intrusion detection system alerted because the network began to receive an unusually high volume of inbound traffic. Ann received this alert and began looking into the origin of the traffic.

  1. At this point in the incident response process, what term best describes what has occurred in Ann’s organization?

A. Security occurrence
B. Security incident
C. Security event
D. Security intrusion

  2. Ann continues her investigation and realizes that the traffic generating the alert consists of abnormally high volumes of inbound UDP traffic on port 53. What service typically uses this port?

A. DNS
B. SSH/SCP
C. SSL/TLS
D. HTTP

  3. As Ann analyzes the traffic further, she realizes that the traffic is coming from many different sources and has overwhelmed the network, preventing legitimate uses. The inbound packets are responses to queries that she does not see in outbound traffic. The responses are abnormally large for their type. What type of attack should Ann suspect?

A. Reconnaissance
B. Malicious code
C. System penetration
D. Denial of service

  4. Now that Ann understands that an attack has taken place that violates her organization’s security policy, what term best describes what has occurred in Ann’s organization?

A. Security occurrence
B. Security incident
C. Security event
D. Security intrusion

A
  1. C.

At this point in the process, Ann has no reason to believe that any actual security compromise or policy violation took place, so this situation does not meet the criteria for a security incident or intrusion. Rather, the alert generated by the intrusion detection system is simply a security event requiring further investigation. Security occurrence is not a term commonly used in incident handling.

  2. A.

DNS traffic commonly uses port 53 for both TCP and UDP communications. SSH and SCP use TCP port 22. SSL and TLS do not have ports assigned to them but are commonly used for HTTPS traffic on port 443. Unencrypted web traffic over HTTP often uses port 80.

  3. D.

The attack described in this scenario has all the hallmarks of a denial-of-service attack. More specifically, Ann’s organization is likely experiencing a DNS amplification attack where an attacker sends false requests to third-party DNS servers with a forged source IP address belonging to the targeted system. Because the attack uses UDP requests, there is no three-way handshake. The attack packets are carefully crafted to elicit a lengthy response from a short query. The purpose of these queries is to generate responses headed to the target system that are sufficiently large and numerous enough to overwhelm the targeted network or system.

  4. B.

Now that Ann suspects an attack against her organization, she has sufficient evidence to declare a security incident. The attack underway seems to have undermined the availability of her network, meeting one of the criteria for a security incident. This is an escalation beyond a security event but does not reach the level of an intrusion because there is no evidence that the attacker has even attempted to gain access to systems on Ann’s network. Security occurrence is not a term commonly used in incident handling.

81
Q

Frank is seeking to introduce a hacker’s laptop in court as evidence against the hacker. The laptop does contain logs that indicate the hacker committed the crime, but the court ruled that the search of the apartment that resulted in police finding the laptop was unconstitutional. What admissibility criterion prevents Frank from introducing the laptop as evidence?

A. Materiality
B. Relevance
C. Hearsay
D. Competence

A

D.

To be admissible, evidence must be relevant, material, and competent. The laptop in this case is clearly material because it contains logs related to the crime in question. It is also relevant because it provides evidence that ties the hacker to the crime. It is not competent because the evidence was not legally obtained.

82
Q

Gordon suspects that a hacker has penetrated a system belonging to his company. The system does not contain any regulated information, and Gordon wants to conduct an investigation on behalf of his company. He has permission from his supervisor to conduct the investigation. Which of the following statements is true?

A. Gordon is legally required to contact law enforcement before beginning the investigation.
B. Gordon may not conduct his own investigation.
C. Gordon’s investigation may include examining the contents of hard disks, network traffic, and any other systems or information belonging to the company.
D. Gordon may ethically perform “hack back” activities after identifying the perpetrator.

A

C.

Gordon may conduct his investigation as he sees fit and use any information that is legally available to him, including information and systems belonging to his employer. There is no obligation to contact law enforcement. However, Gordon may not perform “hack back” activities because those may violate the law and the ISC2 Code of Ethics.

83
Q

Which one of the following tools provides an organization with the greatest level of protection against a software vendor going out of business?

A. Service-level agreement
B. Escrow agreement
C. Mutual assistance agreement
D. PCI DSS compliance agreement

A

B.

Software escrow agreements place a copy of the source code for a software package in the hands of an independent third party who will turn the code over to the customer if the vendor ceases business operations. Service-level agreements, mutual assistance agreements, and compliance agreements all lose some or all of their effectiveness if the vendor goes out of business.

84
Q

Fran is considering new human resources policies for her bank that will deter fraud. She plans to implement a mandatory vacation policy. What is typically considered the shortest effective length of a mandatory vacation?

A. Two days
B. Four days
C. One week
D. One month

A

C.

Most security professionals recommend at least one, and preferably two, weeks of vacation to deter fraud. The idea is that fraudulent schemes will be uncovered during the time that the employee is away and does not have the access required to perpetuate a cover-up.

85
Q

Which of the following events would constitute a security incident? (Select all that apply.)

A. An attempted network intrusion
B. A successful database intrusion
C. A malware infection
D. A successful attempt to access a file
E. A violation of a confidentiality policy
F. An unsuccessful attempt to remove information from a secured area

A

A, B, C, E, F.

Any attempt to undermine the security of an organization or violation of a security policy is a security incident. All of the events described meet this definition and should be treated as an incident, with one exception. A successful attempt to access a file is certainly a security event, but it is not a security incident unless it is established that the individual accessing the file was not authorized to do so.

86
Q

Amanda is configuring her organization’s firewall to implement egress filtering. Which one of the following traffic types should be blocked by her organization’s egress filtering policy? (Select all that apply.)

A. Traffic rapidly scanning many IP addresses on port 22
B. Traffic with a broadcast destination
C. Traffic with a source address from an external network
D. Traffic with a destination address on an external network

A

A, B, C.

Egress filtering scans outbound traffic for potential security policy violations. This includes traffic that is likely malicious, such as an outbound SSH scan on port 22. It also includes traffic that appears to be part of an attack or misconfiguration, such as sending traffic to a broadcast destination address. Finally, it includes spoofed traffic generated by internal systems, which may bear a source address from an external network. The normal traffic that the firewall should expect to see is that bearing a destination address on an external network.
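The three blocked traffic types above can be expressed as a small egress decision function. The following is an added example written for this page (not code from the original flashcards); the internal subnets, scan threshold and packet records are constructed assumptions.

```python
"""Egress-filter decisions over constructed packet records (added example, not from the page)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: the organization's internal address space (hypothetical subnets).
INTERNAL_NETS = [ip_network("10.1.1.0/24"), ip_network("10.1.2.0/24")]
SCAN_PORT = 22          # SSH
SCAN_THRESHOLD = 5      # distinct destinations on port 22 from one source ...
SCAN_WINDOW = 10.0      # ... within this many seconds is treated as a scan


def is_internal(addr):
    """True if addr falls inside one of the configured internal subnets."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def is_broadcast(addr):
    """True for the limited broadcast address or a directed broadcast of an internal subnet."""
    ip = ip_address(addr)
    return ip == ip_address("255.255.255.255") or any(
        ip == net.broadcast_address for net in INTERNAL_NETS)


def filter_egress(packets):
    """Return one (verdict, reason) tuple per packet, in input order.

    packets: dicts with keys ts, src, dst, dport, sorted by ts.
    Policy: drop spoofed sources, drop broadcast destinations, and drop
    further port-22 traffic from a source that has just scanned many hosts.
    """
    recent = defaultdict(list)   # src -> [(ts, dst)] for recent port-22 packets
    flagged = set()              # sources already identified as scanning
    results = []
    for p in packets:
        if not is_internal(p["src"]):
            results.append(("drop", "spoofed source: not in internal range"))
            continue
        if is_broadcast(p["dst"]):
            results.append(("drop", "broadcast destination"))
            continue
        if p["dport"] == SCAN_PORT:
            history = recent[p["src"]]
            history.append((p["ts"], p["dst"]))
            # keep only packets inside the sliding window
            history[:] = [(t, d) for t, d in history if p["ts"] - t <= SCAN_WINDOW]
            if len({d for _, d in history}) >= SCAN_THRESHOLD:
                flagged.add(p["src"])
            if p["src"] in flagged:
                results.append(("drop", "outbound SSH scan"))
                continue
        results.append(("allow", "destination on external network"))
    return results


# Constructed sample traffic (hypothetical addresses): one normal flow, one spoofed
# packet, one directed broadcast, then a burst of SSH probes to seven hosts.
SAMPLE_PACKETS = [
    {"ts": 0.0, "src": "10.1.1.5", "dst": "93.184.216.34", "dport": 443},
    {"ts": 0.5, "src": "203.0.113.7", "dst": "198.51.100.1", "dport": 80},
    {"ts": 1.0, "src": "10.1.1.5", "dst": "10.1.1.255", "dport": 137},
] + [
    {"ts": 2.0 + i * 0.1, "src": "10.1.2.9", "dst": f"198.51.100.{i}", "dport": 22}
    for i in range(1, 8)
]

if __name__ == "__main__":
    for pkt, (verdict, reason) in zip(SAMPLE_PACKETS, filter_egress(SAMPLE_PACKETS)):
        print(f'{verdict:5} {pkt["src"]:>12} -> {pkt["dst"]}:{pkt["dport"]}  ({reason})')
```

The first four probes are allowed because nothing distinguishes them from legitimate administration; only the fifth distinct destination inside the window crosses the threshold, after which the source's further port-22 traffic is dropped. A real firewall would log the spoofed-source drops separately, since an internal host emitting an external source address is a strong sign of compromise or misconfiguration.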

87
Q

Allie is responsible for reviewing authentication logs on her organization’s network. She does not have the time to review all logs, so she decides to choose only records where there have been four or more invalid authentication attempts. What technique is Allie using to reduce the size of the pool?

A. Sampling
B. Random selection
C. Clipping
D. Statistical analysis

A

C.

The two main methods of choosing records from a large pool for further analysis are sampling and clipping. Sampling uses statistical techniques to choose a sample that is representative of the entire pool, while clipping uses threshold values to select those records that exceed a predefined threshold because they may be of most interest to analysts. In this case, Allie is only selecting records that exceed an invalid login threshold, making this an example of clipping. She is not using statistical techniques to select a subset of records, so this is not an example of sampling.
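To make the distinction concrete, the following added example (not part of the original flashcards) parses constructed sshd-style log lines and applies both techniques: clipping keeps only accounts with four or more failed attempts, while sampling draws a random subset without regard to any threshold. The log lines, hosts and usernames are all constructed for the example.

```python
"""Clipping versus sampling over constructed authentication log lines (added example)."""
import random
import re
from collections import Counter

# Constructed sshd-style lines; the format, hosts and users are assumptions, not real data.
AUTH_LOG = """\
Jan 10 08:01:12 bastion sshd[4021]: Failed password for alice from 10.1.1.5 port 51022 ssh2
Jan 10 08:01:15 bastion sshd[4021]: Failed password for alice from 10.1.1.5 port 51022 ssh2
Jan 10 08:01:20 bastion sshd[4021]: Accepted password for alice from 10.1.1.5 port 51022 ssh2
Jan 10 08:02:02 bastion sshd[4088]: Failed password for invalid user admin from 203.0.113.9 port 40100 ssh2
Jan 10 08:02:04 bastion sshd[4088]: Failed password for invalid user admin from 203.0.113.9 port 40100 ssh2
Jan 10 08:02:06 bastion sshd[4090]: Failed password for invalid user admin from 203.0.113.9 port 40102 ssh2
Jan 10 08:02:08 bastion sshd[4090]: Failed password for invalid user admin from 203.0.113.9 port 40102 ssh2
Jan 10 08:02:10 bastion sshd[4093]: Failed password for invalid user admin from 203.0.113.9 port 40104 ssh2
Jan 10 08:02:12 bastion sshd[4095]: Failed password for root from 203.0.113.9 port 40106 ssh2
Jan 10 08:02:14 bastion sshd[4095]: Failed password for root from 203.0.113.9 port 40106 ssh2
Jan 10 08:02:16 bastion sshd[4097]: Failed password for root from 203.0.113.9 port 40108 ssh2
Jan 10 08:02:18 bastion sshd[4097]: Failed password for root from 203.0.113.9 port 40108 ssh2
Jan 10 08:05:40 bastion sshd[4120]: Failed password for bob from 10.1.1.8 port 50311 ssh2
Jan 10 08:05:44 bastion sshd[4120]: Accepted password for bob from 10.1.1.8 port 50311 ssh2
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+")


def parse_auth_log(text):
    """Turn raw log text into records; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            records.append(m.groupdict())
    return records


def clip(records, threshold=4):
    """Clipping: keep only (user, src) pairs whose failure count meets the threshold."""
    failures = Counter((r["user"], r["src"]) for r in records if r["result"] == "Failed")
    return {key: n for key, n in failures.items() if n >= threshold}


def sample(records, k, seed=0):
    """Sampling: a reproducible uniform random subset, representative but threshold-blind."""
    return random.Random(seed).sample(records, k)


if __name__ == "__main__":
    recs = parse_auth_log(AUTH_LOG)
    print("clipped (>= 4 failures):", clip(recs))
    print("random sample of 5:", [(r["result"], r["user"], r["src"]) for r in sample(recs, 5)])
```

Clipping surfaces exactly the two brute-force targets from 203.0.113.9 and discards alice's and bob's ordinary typos, whereas a sample of five records may or may not contain any of the interesting lines; that is the trade-off the question is testing.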

88
Q

You are performing an investigation into a potential bot infection on your network and want to perform a forensic analysis of the information that passed between different systems on your network and those on the Internet. You believe that the information was likely encrypted. You are beginning your investigation after the activity concluded. What would be the best and easiest way to obtain the source of this information?

A. Packet captures
B. NetFlow data
C. Intrusion detection system logs
D. Centralized authentication records

A

B.

NetFlow data contains information on the source, destination, and size of all network communications and is routinely saved as a matter of normal activity. Packet capture data would provide relevant information, but it must be captured during the suspicious activity and cannot be re-created after the fact unless the organization is already conducting 100% packet capture, which is rare. Additionally, the use of encryption limits the effectiveness of packet capture. Intrusion detection system logs would not likely contain relevant information because the encrypted traffic would probably not match intrusion signatures. Centralized authentication records would not contain information about network traffic.
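The reason flow data is enough here is that it answers "who talked to whom, how often and how much" without any payload. The following added example (not code from the original page) summarizes constructed NetFlow-style records per internal host and external destination and flags conversations that recur at near-constant intervals, the beaconing pattern typical of a bot checking in. The internal address range, flow records and thresholds are assumptions made for the example.

```python
"""Forensic summary of constructed NetFlow-style records (added example, not from the page)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumption: internal address space of the investigated network (hypothetical).
INTERNAL = ip_network("10.0.0.0/8")

# Constructed flow records as (start_ts_seconds, src, dst, dport, bytes); not real data.
SAMPLE_FLOWS = [
    (0,    "10.1.1.5", "93.184.216.34", 443, 48210),
    (200,  "10.1.1.5", "93.184.216.34", 443, 5120),
    (1300, "10.1.1.5", "93.184.216.34", 443, 73000),
    (90,   "10.1.1.5", "10.1.1.10",     445, 9000),     # internal-only, not summarized
] + [
    (60 * i, "10.1.2.9", "198.51.100.77", 443, 1200 + (i % 3))  # steady 60 s beacon
    for i in range(6)
]


def summarize_external(flows):
    """Group internal->external flows by (src, dst, dport).

    For each group return the flow count, total bytes and the coefficient of
    variation of the inter-flow interval (None when fewer than three flows).
    Only flow metadata is used, which is why this works on encrypted traffic.
    """
    groups = defaultdict(list)
    for ts, src, dst, dport, nbytes in flows:
        if ip_address(src) in INTERNAL and ip_address(dst) not in INTERNAL:
            groups[(src, dst, dport)].append((ts, nbytes))
    summary = {}
    for key, items in groups.items():
        items.sort()
        starts = [t for t, _ in items]
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        cv = None
        if len(gaps) >= 2 and mean(gaps) > 0:
            cv = pstdev(gaps) / mean(gaps)
        summary[key] = {
            "flows": len(items),
            "bytes": sum(n for _, n in items),
            "interval_cv": cv,
        }
    return summary


def find_beacons(summary, min_flows=5, max_cv=0.1):
    """Flag conversations with many flows at near-constant intervals (beaconing)."""
    return sorted(
        key for key, s in summary.items()
        if s["flows"] >= min_flows
        and s["interval_cv"] is not None
        and s["interval_cv"] <= max_cv)


if __name__ == "__main__":
    summary = summarize_external(SAMPLE_FLOWS)
    for key, s in summary.items():
        print(key, s)
    print("beacon candidates:", find_beacons(summary))
```

The browsing host's intervals vary widely (coefficient of variation near 0.7), while the bot's check-ins land every 60 seconds (coefficient of variation 0), so the flow metadata alone separates them; the same summary also gives the byte totals needed to judge whether data left the network, which is what "source of this information" asks for. Real NetFlow exports include direction, protocol and packet counts as well, which sharpen the picture further.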

89
Q

Which one of the following tools helps system administrators by providing a standard, secure template of configuration settings for operating systems and applications?

A. Security guidelines
B. Security policy
C. Baseline configuration
D. Running configuration

A

C.

Baseline configurations serve as the starting point for configuring secure systems and applications. They contain the security settings necessary to comply with an organization’s security policy and may then be customized to meet the specific needs of an implementation. While security policies and guidelines may contain information needed to secure a system, they do not contain a set of configuration settings that may be applied to a system. The running configuration of a system is the set of currently applied settings, which may or may not be secure.

90
Q

What type of disaster recovery test activates the alternate processing facility and uses it to conduct transactions but leaves the primary site up and running?

A. Full interruption test
B. Parallel test
C. Read-through
D. Tabletop exercise

A

B.

During a parallel test, the team actually activates the disaster recovery site for testing, but the primary site remains operational. During a full interruption test, the team takes down the primary site and confirms that the disaster recovery site is capable of handling regular operations. The full interruption test is the most thorough test but also the most disruptive. The read-through is the least disruptive type of disaster recovery test. During a read-through, team members each review the contents of their disaster recovery checklists on their own and suggest any necessary changes. During a tabletop exercise, team members come together and work through a specific scenario without making any changes to information systems.

91
Q

During which phase of the incident response process would an analyst receive an intrusion detection system alert and verify its accuracy?

A. Response
B. Mitigation
C. Detection
D. Reporting

A

C.

Both the receipt of alerts and the verification of their accuracy occur during the Detection phase of the incident response process.

92
Q

Kevin is developing a continuous security monitoring strategy for his organization. Which one of the following is not normally used when determining assessment and monitoring frequency?

A. Threat intelligence
B. System categorization/impact level
C. Security control operational burden
D. Organizational risk tolerance

A

C.

According to NIST SP 800-137, organizations should use the following factors to determine assessment and monitoring frequency: security control volatility, system categorizations/impact levels, security controls or specific assessment objects providing critical functions, security controls with identified weaknesses, organizational risk tolerance, threat information, vulnerability information, risk assessment results, the output of monitoring strategy reviews, and reporting requirements. The operational burden of a security control is not one of these factors.

93
Q

Hunter is reviewing his organization’s monitoring strategy and identifying new technologies that they might deploy. His assessment reveals that the firm is not doing enough to monitor employee activity on endpoint devices. Which one of the following technologies would best meet his needs?

A. EDR
B. IPS
C. IDS
D. UEBA

A

D.

All of these technologies have the potential to monitor user behavior on endpoint devices. The key to answering this question correctly is realizing the emphasis on the user. Intrusion detection and prevention systems (IDSs/IPSs) focus on network and host behavior. Endpoint detection and response (EDR) systems focus on endpoint devices. User and entity behavior analytics (UEBA) solutions focus on the user and, therefore, would be the best way to meet Hunter’s requirement.

94
Q

Bruce is seeing quite a bit of suspicious activity on his network. After consulting records in his SIEM, it appears that an outside entity is attempting to connect to all of his systems using a TCP connection on port 22. What type of scanning is the outsider likely engaging in?

A. FTP scanning
B. Telnet scanning
C. SSH scanning
D. HTTP scanning

A

C.

SSH uses TCP port 22, so this attack is likely an attempt to scan for open or weakly secured SSH servers. FTP uses ports 20 and 21. Telnet uses port 23, and HTTP uses port 80.