Flashcards ISC2

1
Q

What are the phases of incident response?

A

Detection, characterization, containment, eradication, restoration, after‐action reporting/debriefing to produce lessons learned. Preparation, of course, precedes first detection.

2
Q

What are hierarchies of trust?

A

Collections of trust relationships in which one trust anchor provides the central authority for all chains of trust in the collection via transitive trust relationships with other nodes. Provides for clear ways to revoke trustworthiness of lower‐level nodes.

3
Q

What is the most common attack technique used against business or private sector use of encryption?

A

Social engineering

4
Q

Why does a collision indicate a weakness in a cryptographic algorithm?

A

A collision happens if encrypting two different plaintexts results in the same ciphertext or if two different ciphertexts are decrypted to produce the same plaintext. This ambiguity means that attackers could use intercepted ciphertexts or plaintexts to possibly decrypt other ciphertexts or to inject their own spurious ciphertexts into the system.

5
Q

From an identity management and access control perspective, what is a session?

A

The set of activities performed by systems elements, which work together to ensure that a logical connection between user and server remains uninterrupted, while assuring the protection of all resources from setup through teardown of that connection and session.

6
Q

What are POP, IMAP and SMTP, and what ports do they use?

A
  1. Post Office Protocol (POP; version 3 is POP3), TCP 110; SSL/TLS 995.
  2. Internet Message Access Protocol (IMAP; IMAP4), TCP 143; SSL/TLS 993.
  3. Simple Mail Transfer Protocol (SMTP), TCP 25; SSL/TLS 465.

*Note that all email ports can be changed if both parties agree.

7
Q

Can Common Vulnerabilities and Exposures (CVE) data provide everything you need to secure your systems?

A

No, because it will not contain information about customized software, processes, or procedures that you use

8
Q

What are the steps in identity management?

A

Provisioning, review, revocation, deletion

9
Q

Which layer does IPSec operate at?

A

Layer 3, the internetworking (or network) layer

10
Q

A thunderstorm and its disruption of commercial electrical power and communications is a risk event. Is it a threat?

A

No; natural events or accidents are classed as hazards. That said, systems security planning still needs to properly assess their potential impacts and mitigate them as required.

12
Q

What is media access control (MAC) address allowed listing?

A

Access control restricted to devices with matching MAC addresses; typically done by routers or firewalls

13
Q

What kind of subjects should be authenticated before being granted access?

A

All types—devices, people, and software processes

14
Q

How do edge and fog computing relate to cloud computing and operational technology systems?

A

Edge computing refers to cloud systems in which the majority of data processing happens near the interface between the cloud system and the external users or real‐world systems. Fog computing breaks that edge down into layers, with each successive layer (from the outside in) adding concentrators, analytics, or other processing layers that combine results from multiple fog subsystems. Both edge and fog systems are used to directly interface with OT control systems (such as regional controllers in ICS or SCADA architectures).

15
Q

How does shared responsibility for cloud security work?

A

Depending upon the cloud service model in use (SaaS, PaaS, IaaS, etc.), the service level agreement (SLA) specifies what services the cloud services provider (CSP) is responsible for and what services the user organization must take responsibility for. The SLA will (or should) specify what security tasks, functions, and support are provided by each party, what limits on testing are imposed, and what notification requirements are in force, among other aspects.

16
Q

Describe the difference between cleartext and plaintext.

A

Cleartext is text or data that is never meant to be encrypted. Plaintext is the original data, file, message content, or meaning that needs to be protected by means of encryption.

17
Q

What are HIDSs or HIPSs?

A

Host‐based intrusion detection or prevention systems

18
Q

How do ad hoc and infrastructure mode differ?

A

Ad hoc mode provides a simple peer‐to‐peer wireless connection between devices, with no central management.

19
Q

What is a zero day exploit?

A

Exploitation of an unreported vulnerability in commercial or widely available software or firmware

20
Q

Which wireless security protocols should no longer be used?

A

Wired Equivalent Privacy (WEP), Wi‐Fi Protected Access (WPA)

21
Q

Common Port Numbers
FTP

A

File Transfer Protocol 21

22
Q

Common Port Numbers
SSH

A

Secure Shell 22

23
Q

Common Port Numbers
DNS

A

Domain Name System 53

24
Q

Common Port Numbers
HTTP/HTTPS

A

Hypertext Transfer Protocol (HTTP) 80 /
Hypertext Transfer Protocol Secure (HTTPS) 443 - HTTP carried over TLS (Transport Layer Security)

25
Common Port Numbers SMTP
Simple Mail Transfer Protocol 25
26
Common Port Numbers RDP
Remote Desktop Protocol 338
27
Common Port Numbers NetBIOS
NetBIOS 137, 138, 139
28
Common Port Numbers POP
Post Office Protocol 110
29
Common Port Numbers IMAP
Internet Message Access Protocol 143
30
Well known ports
0 - 1023 • reserved for common apps like web servers (80) & secure servers (443)
31
Registered ports
1024 - 49151 • Used by specific apps registered by vendors, such as SQL Server (port 1443) & Oracle databases (port 1521)
33
Port ranges
Well-known ports 0 - 1023 • reserved for common apps like web servers (port 80) & secure web servers (port 443)
Registered ports 1024 - 49151 • used by specific apps registered by vendors, such as SQL Server (port 1443) & Oracle databases (port 1521)
Dynamic ports • used temporarily by apps
34
ICMP
Internet Control Message Protocol. It is the housekeeping protocol and performs important administrative functions:
* PING command: confirms connectivity
* TRACE ROUTE command: identifies the path between two systems on a network, providing troubleshooting information
* ADMINISTRATIVE functions: handles messages such as:
  - Destination Unreachable
  - Redirect
  - Time Exceeded
  - Address Mask Request & Reply
35
TCP flags
3-way handshake
SYN: opens a connection
FIN: closes a connection
ACK: acknowledges a SYN or FIN
36
OSI Model
1 Physical - wires, radios & optics
2 Data link - data transfers between 2 nodes
3 Network - Internet Protocol (IP)
4 Transport - TCP & UDP
5 Session - exchanges between systems
6 Presentation - data translation & encryption
7 Application - user programs
37
DHCP
Dynamic Host Configuration Protocol. Automatic assignment of IP addresses from an administrator‐configured pool. Otherwise, they are assigned manually.
38
Public health measures often require that immunization or treatment records would be made available to travel operators to use in determining if each passenger or crew member was safe to be allowed on board. Which of the following would be the best description of this process? A. Data processing B. Information management C. Knowledge management D. Information processing E. None of the above
D. Information processing. Each person’s immunization or test records represent a set of data; gathering a lot of data together to determine a higher‐level, more abstract finding (is that person safe to board, or should boarding be denied?) is creating new information. Option A might take each individual’s records and extract the fields that contain specific data that the operator needs to use (such as name, vaccination type and date, and so on). Option C might be appropriate for the way that the operator determines if a particular voyage’s total crew and passenger manifest is safe. Option B refers to a general process of organizing, directing, and controlling the ways that information is gathered, used, stored, and disposed of.
39
Public health measures often require that a travel operator gather and maintain current government‐issued criteria or guidelines for making a board/no‐board decision about each passenger. These change frequently and often contradict each other. At one airline, managers relied on informal, verbal means of directing their passenger agents as to how to make sense of these instructions. This is a process that relied on: A. Explicit knowledge B. Data smoothing C. Tacit knowledge D. Business logic E. None of the above
C. Tacit knowledge. Collecting all of the current versions of government guidance and turning it into useful, meaningful direction to a team of workers is generating knowledge. If that knowledge is written down, it is made explicit. If it’s left to human memory of a conversation or an experience, that knowledge is tacit—skills and experience possessed but not codified. Thus, option A is incorrect. Option B is incorrect, as this refers to taking many samples of the same kind of measurement (such as a person’s skin temperature) and using a mathematical process to eliminate false readings and find the reading with the greatest likelihood of being correct. Option D is incorrect, as this is a general name for the set of steps used in completing a set of tasks, including the criteria used by workers at each step if necessary to make decisions required as part of that task.
40
During public health emergencies such as pandemics, government‐issued guidance to travel operators such as airlines and cruise ships can change frequently. Suppose one cruise ship operator has well‐defined, written guidance to its passenger agents, which they update as quickly as possible when circumstances change. Which ethical or legal duty or duties would this be fulfilling? (Choose all that apply.) A. Due process B. Due care C. Due diligence D. Accountability
A. Due process; B. Due care.
They have clearly defined a process for making each board/no‐board decision, and they control that process with detailed, written instructions and guidance. Their attention to detail in this suggests taking due care. As described, however, nothing indicates that they monitor the execution of that process to make sure instructions are being used correctly and that this produces correct results; thus, option C is incorrect. No mention is made of holding individual passenger agents, their supervisors, or the company itself responsible for incorrect decisions; thus, option D is incorrect (it has not been addressed in the scenario thus far).
41
Government regulations may require that travel operators verify that each passenger has full and current immunizations in order to travel. Suppose that one airline fails to put in place controls or processes to validate that immunization or test results sent to them by a prospective passenger are not, in fact, counterfeit or forgeries. This would mean their information security approach is failing to achieve which of the following? A. Confidentiality B. Integrity C. Availability D. Nonrepudiation E. Authenticity
Correct answer is E. Authenticity. Ascertaining that a set of input data comes from a trustworthy source and is true and correct is part of establishing the authenticity of that data. The other attributes (options A, B, C, and D) are important, but do not directly bear on whether the source of the data is recognized as being the “authoritative” voice to provide that data in the first place.
42
Your company uses computer‐controlled machine tools on the factory floor as part of its assembly line. This morning, you’ve discovered that somebody erased a key set of machine control parameter files, and the backups you have will need to be restored and verified before you can use them. This may take most of the day to accomplish. What information security attribute is involved here? A. Confidentiality B. Integrity C. Availability D. Due care
B. Integrity. Although it is clear that the necessary parameter files are not available, this seems to have been caused because somebody could violate the integrity requirements of those files—deleting them does not seem to have been an authorized change. That unauthorized change led to (caused) option (C), availability, to be compromised; but lack of availability is not the best statement of the problem. Improper change management and security may have resulted from lack of due care (option D), but that does not identify what needs to be fixed to get machines back into operation.
43
Suppose that you are employed by a business or that as a consultant you have a business as one of your clients. As an SSCP, which of the following groups do you have responsibilities to? A. Co‐workers, managers, and owners of the business that employs you (or is your client) B. Competitors of the business that employs you or is your client C. Customers, suppliers, or other companies that work with this business D. People and groups that have nothing to do with this business
C. Customers, suppliers, or other companies that work with this business.
Explanation: Options A and B are both examples of due care; due diligence is the verification that all is being done well and that nothing is not done properly. Option D can be an important part of due diligence but is missing the potential for follow‐up action.
44
Yoshi works as a security analyst for an online merchant. Their systems are reporting a dramatic increase in customer complaints about charges the merchant has made to their accounts for orders that the customers say they have never made. Which information security functions or systems elements should Yoshi investigate first? A. Integrity B. Privacy C. Nonrepudiation D. Authenticity
C. Nonrepudiation.
Explanation: Start with the specifics of the complaints by confirming whether these customers are mistakenly or fraudulently trying to claim they never made the orders in question or whether some other system error may be responsible. After that’s been eliminated, it’s time to investigate whether the security of these customers’ accounts was compromised (option D). If so, that may indicate a failure of the privacy protections (option B). While it’s easy to think this is a data integrity problem (option A), that is a result; Yoshi needs to investigate to find what systems function(s) failed to operate correctly to make that result happen.
45
Use the following scenario to answer the question. You live in Singapore, but you work remotely for an online merchant based in Berlin, Germany. Which GDPR role best applies to the merchant regarding the data about you, as an employee of the merchant? A. No roles apply B. Owner C. Processor D. Subject
C. Processor.
Explanation: The merchant has to organize, use, and update their records about you as an employee, regardless of where you live or how you do work for them. Option A is incorrect, as it seems to assume that GDPR doesn’t apply to you somehow. Option B is not a defined GDPR role with respect to data protection. Option D is incorrect, as you (in this case) are the subject of the data in question.
46
Use the following scenario to answer the question. You live in Singapore, but you work remotely for an online merchant based in Berlin, Germany. The merchant in Berlin uses a third‐party firm to handle all of its personnel files. With respect to your data in those files, which GDPR role best describes the merchant? A. Custodian B. Controller C. Processor D. Subject
B. Controller.
Explanation: The controller has ultimate responsibility for protecting the data, even when it is in the hands of another who performs processing tasks on it. Option A refers to one who stores the data, but does nothing with it. Option D refers to you, as the data is about you.
47
Which of the following shows the major steps of the information risk management process in the correct order? A. Assess risks across the organization; identify information security and privacy risks; implement countermeasures; establish security and privacy posture; review supply chain for IT security risk elements B. Establish basic security posture; review risks; implement countermeasures; perform ongoing monitoring and assessment, testing, and training C. Set priorities; assess risks; select controls and countermeasures; implement controls; validate correct operation; monitor D. Develop business impact analysis; establish risk tolerance levels; implement damage control choices; monitor
C. Set priorities; assess risks; select controls and countermeasures; implement controls; validate correct operation; monitor.
Explanation: Option D incorrectly has the BIA first, but the BIA has to come after the organization’s leadership has agreed to risk tolerance and set priorities. Option B is incorrect partly because the basic “common sense” posture is not part of a formal risk management process but a bare‐minimum immediate set of actions to take if needed. Option A has establishing a posture (which consists of policies and decisions that drive implementation and operation steps) and implementation in the wrong order.
48
How does information risk relate to information systems risk or information technology risk? A. These three terms all mean much the same thing, although with a greater or lesser degree of emphasis on securing the underlying computers and networks. B. They express the logical flow of making decisions about risk: first, what information do you need; second, how you get it, use it, and share it with others in the decision process; and third, what technologies help make all of that happen. The probability of an event causing a disruption to any step of that decision process is a risk. C. They reflect the need to think about risks in outcomes‐based, process‐based, asset‐based, or threat‐based terms. D. They suggest the levels of organizational leadership and management that need to be part of managing each risk: senior leaders with information risk, tactical unit managers with information systems risks, and the IT department with information technology risks.
B. They express the logical flow of making decisions about risk: first, what information do you need; second, how you get it, use it, and share it with others in the decision process; and third, what technologies help make all of that happen. The probability of an event causing a disruption to any step of that decision process is a risk.
Explanation: Option B correctly shows the use of information to make decisions, as well as the roles of processes and technologies in doing so. Option A mistakenly suggests that the IT risks are more important; IT risks may be how important information is lost or compromised, but it is that information loss or impact that puts businesses out of business and not the failure of their IT systems. Option C confuses risk management with information risk. Option D also mistakes the role of information and the roles of processes and technologies, both in achieving objectives and in risk management.
49
What does it mean to have an integrated information risk management system? A. You choose controls and countermeasures that provide all‐risk coverage, have graceful degradation or fallback capabilities, and provide end‐to‐end visibility and management via built‐in command, control, and communications capabilities. B. You avoid point defense countermeasures or controls, as they tend to make you overlook gaps between them. C. You provide the communications capabilities to bring status, state, and health information from all countermeasures and controls, and all systems elements, to information security managers, who can then direct timely changes in these controls in real time as required to respond to an incident. D. Vendors of security information and event managers claim that their products are “integrated,” but they often do not clearly say what this means or help customers achieve greater security because of this.
C. You provide the communications capabilities to bring status, state, and health information from all countermeasures and controls, and all systems elements, to information security managers, who can then direct timely changes in these controls in real time as required to respond to an incident.
Explanation: Option C shows both the purpose of an integrated approach (timely incident characterization and management) and the use of communications capabilities in doing so. Options A and D demonstrate that vendor self‐description of their products can sound good but does not really address key needs. Option B is true, and partially addresses how point solutions need to be mutually supportive, but does not go far enough.
50
Tom is the chief information security officer for a medium‐sized business. It’s been brought to his attention that the company has been storing its backup systems images and database backups in an offsite facility that has no alarm system and no way of knowing whether there were any unauthorized persons entering that facility. Which of the following might apply to this situation? A. This could be a failure of due care in that security requirements for the backup information should have been specified and implemented in the storage plan and contracts. B. Since there are no records to check to see if any unauthorized persons had access to these backups, there has been no due diligence lapse. C. This is at least a failure of due diligence, since there seems to have been no systematic or periodic check of the storage facility or the backup media stored in it. D. This could be a case of failing to perform both due care and due diligence.
D. This could be a case of failing to perform both due care and due diligence.
Explanation: Options A and C highlight what seem to be Tom’s failures to adequately plan for or implement offsite backup storage of system images and data, and his failures to institute effective verification of the security of that storage. Option B is incorrect—the lack of records does not relieve Tom of the burden to check that things are working correctly anyway.
51
What kind of information is part of an information risk assessment process? (Choose all that apply.) A. Lost revenues during the downtime caused by the risk incident, including the time it takes to get things back to normal B. Damage to equipment or facilities, or injury or death to people C. Estimated costs to implement chosen solutions, remediations, controls, or countermeasures D. Total costs to create an asset that is damaged or disrupted by the risk event
A. Lost revenues during the downtime caused by the risk incident, including the time it takes to get things back to normal; B. Damage to equipment or facilities, or injury or death to people.
Explanation: Option C is the safeguard value, which we cannot compute until we have completed a risk assessment and a vulnerability assessment, and then designed, specified, or selected such controls or countermeasures. Option D is typically not the loss incurred by damage of an asset; of greater interest regarding impact to an asset would be the cost to repair it (if repairable), replace it, or design and implement new processes to do without the damaged or disrupted asset.
52
The acronym BIA refers to which of the following? A. A document identifying all of the impacts to the business due to the risks it has chosen to assess; forms the basis for risk mitigation planning and implementation B. The basic information security needs to provide for the privacy, integrity, and availability of business information C. The budgeted implementation and accreditation plan for information security, often required by insurers and financial authorities of businesses dealing with sensitive or safety‐related information D. The budgeted cost of information availability, which when compared with the actual cost of information availability, lets management assess planned versus actual success of their information risk management programs
A. A document identifying all of the impacts to the business due to the risks it has chosen to assess; forms the basis for risk mitigation planning and implementation.
Explanation: The business impact analysis (BIA) is an integrated view of the prioritized risks and the projected impacts they could have on the business. Option B is a misstatement of the confidentiality, integrity, and availability (CIA) needs for information security. Options C and D suggest realistic management needs for bringing together plans, costs, budgets, and timelines, but they are incomplete as stated and may not even exist.
53
How do you use RTO, MAO, and RPO in planning information risk management activities? Select the statements that are correct. A. Return to operations (RTO) is the desired time to get all business processes back into operation, whether on backup or workaround systems or on production systems. The recovery point objective (RPO) sets priorities for which systems to bring up first, or for which business processes to get back into operation before others (of lower priority). B. The recovery point objective (RPO) establishes the maximum amount of data that is lost due to a risk event. This could be in numbers of transactions or in units of time, and it indicates the amount of rework of information that is acceptable to get systems back into normal operation. C. The recovery time objective (RTO) must be less than or equal to the maximum acceptable outage. The MAO sets a maximum downtime (outage time) before mission impact becomes unacceptable; the RTO can be used to emphasize faster than MAO restoration. D. The maximum acceptable outage (MAO) relates to the mission or business objectives; if multiple systems support those objectives, then all of their recovery time objectives (RTOs) must be less than or equal to the MAO.
B. The recovery point objective (RPO) establishes the maximum amount of data that is lost due to a risk event. This could be in numbers of transactions or in units of time, and it indicates the amount of rework of information that is acceptable to get systems back into normal operation.
C. The recovery time objective (RTO) must be less than or equal to the maximum acceptable outage. The MAO sets a maximum downtime (outage time) before mission impact becomes unacceptable; the RTO can be used to emphasize faster than MAO restoration.
D. The maximum acceptable outage (MAO) relates to the mission or business objectives; if multiple systems support those objectives, then all of their recovery time objectives (RTOs) must be less than or equal to the MAO.
Explanation: Option A is a misstatement of RTO and RPO.
54
Threat modeling and threat assessment: A. Should be done during risk management so that the threat modeling and assessment can drive the detailed work of risk mitigation planning B. Refer to the boundaries of a system and look to identify, understand, assess, and manage anything that attempts to cross that boundary as a way to identify possible threats C. Involves highly mathematical approaches, such as predictive code analysis, to produce meaningful results D. Is best done using modeling and simulation tools
B. Refer to the boundaries of a system and look to identify, understand, assess, and manage anything that attempts to cross that boundary as a way to identify possible threats.
Explanation: Whether the system is small and simple or large and complex, its owners, builders, and users have to treat it like a “black box” and know what can happen across every interface it has with the outside world. Thus Option B is correct. Option A has the steps in the wrong order; detailed threat modeling and assessment needs detailed system architectural information to be valid. Option C misstates how threat modeling is done. While Option D may address a useful set of tools, it does not explain what threat modeling and assessment are or how to do them.
55
Why do SSCPs need to appreciate the culture of the organization they are working with in order to be effective as information risk managers? (Choose all that apply.) A. Organizational culture determines how willingly managers and workers at all levels will accept greater responsibilities and accountability, which can severely limit the SSCP’s ability to get a risk management plan enacted. B. “Old‐boy” networks and informal information and decision paths may make anything written down in business processes, manuals, and so forth somewhat suspect. C. Privately held companies tend to be run more loosely than publicly held ones, because shareholder protection law and regulations dictate limits on what executives and board members can do or how they can do it. D. Larger companies have probably had more different people in key positions over time, and so the effect of one domineering personality (as might happen in small entrepreneurial organizations) is probably not as pronounced.
A. Organizational culture determines how willingly managers and workers at all levels will accept greater responsibilities and accountability, which can severely limit the SSCP’s ability to get a risk management plan enacted.
B. “Old‐boy” networks and informal information and decision paths may make anything written down in business processes, manuals, and so forth somewhat suspect.
Explanation: Options C and D may or may not be true in fact, but it’s not clear whether these have any bearing on how the company determines priorities and risk tolerance, or what its decision‐making processes and styles are. Options A and B are key elements of organizational culture that can impede or facilitate implementation of a risk management approach.
56
As chief risk officer, you are asked if ignoring a risk is the same thing as accepting it. Which of the following might be part(s) of your reply? A. Yes, because in both cases you have decided to do nothing different and just keep on with business as usual. B. No, because quite often you choose to ignore something without first really understanding it or assessing its possible impacts to you. C. No, because in ignoring a risk you may be violating your own responsibilities for due care or due diligence. D. Yes, because as the responsible manager, you still have due care and due diligence responsibilities here.
A. Yes, because in both cases you have decided to do nothing different and just keep on with business as usual.
Explanation: All are correct as far as they go in comparing “ignore” and “accept.” However, the key to due care and due diligence is the standard of reasonable and prudent effort. You would not be prudent if you spent millions of dollars to relocate your business from Atlanta, Georgia (1,050 feet above mean sea level [MSL]) to Boulder, Colorado (5,328 feet above MSL) simply to avoid the risk of a tsunami flooding out your facility, given how astronomically huge that tidal wave would have to be! Thus, Options C and D do not apply, and Option B merely restates the due care or due diligence argument.
57
Kim manages risk for an online publishing company on the island of St. Kitts, which currently uses an on‐premises datacenter as its content development facility; it e‐ships content to customers who are then responsible for hosting it wherever they want. Kim’s division vice president is concerned about risks, and so Kim has done some estimating. The datacenter has enough backup power supply capacity to do a graceful shutdown, but normal round‐the‐clock, seven‐day‐per‐week development operations must have commercial power available. Recent experience shows that at least once per month, a brownout or blackout lasting at least eight hours occurs. Each disruption costs the company an additional two hours to restore operations. Which statements about risk assessment are not correct? (Choose all that apply.) A. Risk appetite should determine the MAO, which can then be used as part of estimating SLE. B. If the SLE exceeds the safeguard value, Kim should advise that the company implement that safeguard. C. If the ALE exceeds the safeguard value, Kim should advise that the company implement that safeguard. D. Once she has estimated the ALE, Kim can assess different safeguards to see how long their payback period might be so that she can advise her management regarding these alternatives.
B. If the SLE exceeds the safeguard value, Kim should advise that the company implement that safeguard. C. If the ALE exceeds the safeguard value, Kim should advise that the company implement that safeguard. Explanation Option A is correct in that tolerance or appetite for risk should drive setting the maximum allowable outage time; the costs incurred during a maximum outage are part of computing single loss expectancy. Option B is incorrect: SLE is the loss from one event, and since the outages are happening monthly, comparing SLE alone to the safeguard cost ignores that the loss recurs roughly twelve times a year. Option C annualizes the expected losses, but comparing it to the safeguard value assumes a one‐year payback period is required. Option D reflects that management may be willing to spend significant money on a safeguard that requires more than one year to justify (pay back) its expense in anticipated savings.
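The arithmetic behind the card, worked in code. This is an added example, not part of the original flashcard deck; the cost of lost development time per hour and the three candidate safeguards (their prices, running costs and how many outages each would prevent) are assumptions chosen for illustration. The outage length, recovery time and monthly frequency come from the scenario.

```python
"""Quantitative risk arithmetic for Kim's power-outage scenario.

Added example, not part of the original flashcard. The loss-per-hour
figure and the safeguard costs below are assumptions made for illustration.
"""

OUTAGE_HOURS = 8          # minimum outage length from the scenario
RECOVERY_HOURS = 2        # extra time to restore operations after each outage
ARO = 12                  # annualized rate of occurrence: at least once per month
COST_PER_HOUR = 2_500.0   # ASSUMPTION: cost of lost development time per hour


def single_loss_expectancy(outage_hours=OUTAGE_HOURS,
                           recovery_hours=RECOVERY_HOURS,
                           cost_per_hour=COST_PER_HOUR):
    """SLE: cost of one occurrence (outage plus recovery time)."""
    return (outage_hours + recovery_hours) * cost_per_hour


def annualized_loss_expectancy(sle, aro=ARO):
    """ALE = SLE x ARO."""
    return sle * aro


def payback_years(safeguard_cost, ale_before, ale_after, annual_opex=0.0):
    """Years until cumulative savings cover the safeguard's up-front cost.

    Annual benefit = reduction in ALE minus the safeguard's own running
    cost. Returns float('inf') if the safeguard never pays for itself.
    """
    annual_benefit = (ale_before - ale_after) - annual_opex
    if annual_benefit <= 0:
        return float("inf")
    return safeguard_cost / annual_benefit


def compare_safeguards(ale_before, safeguards):
    """Return [(name, payback_years)] sorted by fastest payback.

    safeguards: dict name -> (up-front cost, annual running cost, residual ARO)
    """
    results = []
    for name, (capex, opex, residual_aro) in safeguards.items():
        ale_after = annualized_loss_expectancy(single_loss_expectancy(), residual_aro)
        results.append((name, payback_years(capex, ale_before, ale_after, opex)))
    return sorted(results, key=lambda r: r[1])


# ASSUMED candidate safeguards: (up-front cost, annual running cost, residual ARO)
SAFEGUARDS = {
    "diesel generator + fuel contract": (450_000.0, 20_000.0, 0),
    "larger UPS (rides out ~4 of 12 outages)": (120_000.0, 5_000.0, 8),
    "second utility feed": (900_000.0, 0.0, 1),
}

if __name__ == "__main__":
    sle = single_loss_expectancy()
    ale = annualized_loss_expectancy(sle)
    print(f"SLE = ${sle:,.0f}   ALE = ${ale:,.0f}")
    for name, years in compare_safeguards(ale, SAFEGUARDS):
        print(f"{name:45s} payback {years:5.1f} years")
```

With these assumed numbers the ALE is $300,000; the generator costs more than one year's ALE and would be rejected by the Option C rule, yet it pays for itself in about 1.6 years, which is the point Option D makes.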
58
Which of the following statements best describes security classification? A. A security classification is a label attached to a storage device that contains sensitive information, and indicates the required protection and handling methods. B. Security classification is a process that determines possible loss or impact if information of a given type suffers any kind of security compromise. C. Security classification is a process that determines possible loss or impact if information of a given type is disclosed to an unauthorized person or entity. D. Security classification groups together information types that have comparable loss or impacts if compromised to help optimize the choice of protection techniques.
B. Security classification is a process that determines possible loss or impact if information of a given type suffers any kind of security compromise. Explanation Option A confuses the results of establishing a security baseline (and thus a labeling and handling procedure) with the classification determination itself. Option C is partly correct, but compromise must consider impacts to more than just confidentiality (i.e., to all of the CIANA+PS characteristics). Option D confuses classification with categorization.
59
Which of the following statements best describes security categorization? A. A security categorization is a label attached to a storage device that contains sensitive information, and indicates the required protection and handling methods. B. Security categorization groups together information types that have comparable loss or impacts if compromised, along with any compliance‐required security protection requirements for that type of data. C. Security categorization is a process that determines possible loss or impact if information of a given type is disclosed to an unauthorized person or entity. D. Security categorization groups together information types that have comparable loss or impacts if compromised, to help optimize the choice of protection techniques.
B. Security categorization groups together information types that have comparable loss or impacts if compromised, along with any compliance‐required security protection requirements for that type of data. Explanation Option A confuses the results of establishing a security baseline (and thus a labeling and handling procedure) with the classification determination itself. Option C confuses classification with categorization. Option D confuses categorization with security baselining.
60
Which of the following events are threats? A. A thunderstorm that interrupts commercial electrical power B. A user who copies data that they do not need for work‐related tasks onto a removable storage device C. A systems administrator who leaves their workstation logged in to their privileged account, while they take a coffee break D. A network firewall that malfunctions, sporadically blocking some but not all traffic, due to its power supply overheating
B. A user who copies data that they do not need for work‐related tasks onto a removable storage device Explanation This is an intentional act caused by a human being, which may lead to loss or impact to the organization. Options A and D represent hazards. Option C, which is an intentional act, is not in and of itself a potential risk event (if, for example, the workstation is in a secured work area that only systems administrators can access); however, it may represent one or more exploitable vulnerabilities in the overall security posture of the organization.
61
What’s the most secure way to authenticate device identity prior to authorizing it to connect to the network? A. MAC address allowed listing B. Multifactor authentication that considers device identification, physical location, and other attributes C. Verifying that the device meets system policy constraints as to software and malware updates D. Devices don’t authenticate, but the people using them do.
B. Multifactor authentication that considers device identification, physical location, and other attributes Explanation Option D is high risk, and therefore incorrect; plugging a device into an empty network connection should start a connection handshake that is an opportunity to block an unknown or unauthorized device from joining the network. Options A and C are parts of how Option B performs such an authentication, and therefore B is the most correct answer and the most secure approach of the three.
62
Which statement about federated access systems is most correct? A. SSO and federated access provide comparable capabilities and security. B. By making identity more portable, federated access allows multiple organizations to collaborate, but it does require greater attention to access control for each organization and its systems. C. Once you’ve established the proper trust architecture, federated access systems are simple to implement and keep secure. D. Most federated access systems need to use a digital identity platform or IDaaS to provide proper authentication.
B. By making identity more portable, federated access allows multiple organizations to collaborate, but it does require greater attention to access control for each organization and its systems. Explanation Option A is incorrect; SSO is a subset of both the capabilities and security (issues and security solutions) that federated access can support. Option C correctly raises the issue of the trust architecture, but going from there to a full federated access control system, and keeping that secure, can be challenging. Keeping it secure will always require monitoring, analysis, and testing. Option D is incorrect; federated access, like SSO, can use any means of identity authentication that meets the organization’s CIANA needs.
63
Which statement about extranets and trust architectures is most correct? A. Proper implementation of federated access provides safe and secure ways to bring an extranet into an organization’s overall network system; thus an internetwork trust architecture is not needed. B. Extranets present high‐risk ways for those outside of an organization to collaborate with the organization and thus need to be kept separate from the trust architecture used for other internetwork activities. C. Extranets provide extensions to an organization’s intranet and thus need to use the same trust architecture as implemented in the main organizational network. D. Trust architectures are the integrated set of capabilities, connections, systems, and devices that provide different organizations safe, contained, and secure ways to collaborate together by sharing networks, platforms, and data as required; thus, extranets are an example of a trust architecture.
D. Trust architectures are the integrated set of capabilities, connections, systems, and devices that provide different organizations safe, contained, and secure ways to collaborate together by sharing networks, platforms, and data as required; thus, extranets are an example of a trust architecture. Explanation Option A demonstrates misunderstanding of the concept of a trust architecture, which Option D clarifies. Option B also misstates the purpose and intent of trust architectures and their role in reducing the risk of an unconstrained (or totally trusted) extranet. Option C does not correctly state what an extranet is (it allows those external to the organization to share in using the sponsoring organization’s internal systems and data); it also is mistaken in saying that the same systems, technologies, connections, etc., that are the internal trust architecture would therefore be appropriate to secure and protect the extranet.
64
Which of the following statements are true about discretionary access control policies? (Choose all that apply.) A. Subjects cannot be allowed to pass information about the object to another subject. B. Changing or creating new security attributes for an object or another subject can only be done by the access control system. C. Subjects can change rules pertaining to access control but only if this is uniformly permitted across the system for all subjects. D. Subjects can be permitted to pass on or grant their own privileges to other subjects.
C. Subjects can change rules pertaining to access control but only if this is uniformly permitted across the system for all subjects. D. Subjects can be permitted to pass on or grant their own privileges to other subjects. Explanation Discretionary access control policies allow the systems administrators to grant capabilities (permissions) to subjects to modify aspects of access control restraints, but these must be uniformly defined for all subjects. Thus, Option C is correct, as is Option D. Options A and B apply to mandatory or nondiscretionary access control policies.
65
Which form of access control is probably best for zero trust architectures to use? A. Role‐based B. Subject‐based C. Object‐based D. Attribute‐based
D. Attribute‐based Explanation Option D, attribute‐based, can use complex Boolean logic statements to conditionally evaluate almost any criteria, environmental or situational conditions, and so forth, to authorize an access request. Each of the others provides limited capabilities by comparison; zero trust typically requires the most rigorous access control possible.
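What "complex Boolean logic over almost any criteria" looks like in practice, as an added example that is not part of the original flashcard deck. The attribute names, the four rules and the sample requests are all assumptions; the contrast drawn is between a plain role check and an attribute-based decision that also weighs device state, MFA, network and time of day.

```python
"""Attribute-based access decisions for a zero-trust style check.

Added example, not from the original flashcard. Attribute names, policy
rules and sample requests are assumptions. Deny rules are evaluated first
(deny-overrides); if nothing matches, the answer is deny.
"""
from datetime import datetime

# A policy is (name, effect, predicate). Predicates see the whole request.
POLICY = [
    ("block unmanaged devices on confidential data", "deny",
     lambda r: r["resource"]["classification"] == "confidential"
     and not r["device"]["managed"]),
    ("require MFA for any write", "deny",
     lambda r: r["action"] in ("write", "delete") and not r["subject"]["mfa"]),
    ("finance may read finance records from the corporate network", "permit",
     lambda r: "finance" in r["subject"]["roles"]
     and r["resource"]["owner"] == "finance"
     and r["action"] == "read"
     and r["env"]["network"] == "corporate"),
    ("admins may write in the change window from a compliant device", "permit",
     lambda r: "admin" in r["subject"]["roles"]
     and r["action"] in ("write", "delete")
     and r["device"]["compliant"]
     and (r["env"]["time"].hour >= 22 or r["env"]["time"].hour < 4)),
]


def decide(request, policy=POLICY):
    """Return ('permit'|'deny', rule_name). Default deny if nothing matches."""
    for name, effect, pred in policy:
        if effect == "deny" and pred(request):
            return "deny", name
    for name, effect, pred in policy:
        if effect == "permit" and pred(request):
            return "permit", name
    return "deny", "default deny"


def rbac_only(request):
    """What a pure role check would say: ignores device, MFA and environment."""
    roles = request["subject"]["roles"]
    if request["action"] == "read":
        return "permit" if request["resource"]["owner"] in roles else "deny"
    return "permit" if "admin" in roles else "deny"


def make_request(roles, mfa, action, owner, classification, managed, compliant,
                 network, when):
    return {
        "subject": {"roles": roles, "mfa": mfa},
        "action": action,
        "resource": {"owner": owner, "classification": classification},
        "device": {"managed": managed, "compliant": compliant},
        "env": {"network": network, "time": when},
    }


# Constructed sample requests.
SAMPLES = {
    # Right role, but from an unmanaged laptop: ABAC denies, RBAC would allow.
    "finance_from_byod": make_request(["finance"], True, "read", "finance",
                                      "confidential", False, False, "corporate",
                                      datetime(2024, 3, 1, 10, 0)),
    # Same person on a managed desktop on the corporate network: permitted.
    "finance_from_desk": make_request(["finance"], True, "read", "finance",
                                      "confidential", True, True, "corporate",
                                      datetime(2024, 3, 1, 10, 0)),
    # Admin writing at 15:00 from a compliant device: outside the window.
    "admin_midday_write": make_request(["admin"], True, "write", "ops",
                                       "internal", True, True, "corporate",
                                       datetime(2024, 3, 1, 15, 0)),
    # Admin writing at 23:00 with MFA from a compliant device: permitted.
    "admin_night_write": make_request(["admin"], True, "write", "ops",
                                      "internal", True, True, "corporate",
                                      datetime(2024, 3, 1, 23, 0)),
}

if __name__ == "__main__":
    for label, req in SAMPLES.items():
        print(f"{label:20s} rbac={rbac_only(req):6s} abac={decide(req)}")
```

The first and third samples are the ones to look at: the role check says yes to both, while the attribute rules deny the unmanaged device and the out-of-window write. Nothing in a role model can express those conditions without inventing a role for every combination.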
66
Your IT director has asked you for a recommendation about which access control standard your team should be looking to implement. He’s suggested either Diameter or XTACACS, as they used those in his last job. Which of the following gives you the best information to use in replying to your boss? A. The standard is IEEE 802.1X; Diameter and XTACACS are implementations of the standard. B. Diameter is an enhanced RADIUS and has been quite successful. C. XTACACS replaced TACACS+, which could be a good solution for you. D. RADIUS is the standard to work with.
A. The standard is IEEE 802.1X; Diameter and XTACACS are implementations of the standard. Explanation Option B is partly correct, but Diameter never caught on in the market for a variety of reasons and is probably out of date by now. Option C is also incorrect—first came TACACS, which gave rise to both XTACACS, a proprietary product, and TACACS+, not the other way around. Option D is incorrect, since systems may be de facto “standards” (because a lot of companies use them), but they are not published standards by appropriate standards agencies.
67
Why do we need IPSec? A. Now that IPv6 is here, we don’t, since its built‐in functions replace IPsec, which was for IPv4. B. Since more and more apps are moving to PKI for encryption of data on the move, we no longer need IPSec. C. IPSec provides key protocols and services that use encryption to provide confidentiality, authentication, integrity, and nonrepudiation at the packet level; without it, many of the Layer 2, 3, and 4 protocols are still unprotected from attack. D. Since IPv6 encrypts all traffic at all layers, once you’ve transitioned your systems to IPv6, you won’t need IPSec, except for those legacy IPv4 systems you communicate with.
C. IPSec provides key protocols and services that use encryption to provide confidentiality, authentication, integrity, and nonrepudiation at the packet level; without it, many of the Layer 2, 3, and 4 protocols are still unprotected from attack. Explanation Option A is false; not only does IPv6 contain and support IPSec, it also makes it mandatory. Option B is false; app‐level encryption does not protect lower‐layer traffic from being snooped or spoofed. Thus Option C is correct. Option D is false; IPv6 doesn’t do this encryption, but it builds the features into the protocol stack so that user organizations can choose to implement it. IPv6 and IPv4 are not compatible, so a gateway of some kind will be required anyway, and the issue of security through the gateway will still need to be addressed.
68
Which relationship between nodes provides the greatest degree of control over service delivery? A. VPN tunnel B. Peer‐to‐peer C. Client‐server D. Peer‐to‐server
C. Client‐server Explanation Option A is incorrect; VPNs provide connectivity but have no more role in service delivery than other Layer 1 or Layer 2 network elements do. Option B is incorrect, as neither peer controls the other in service sharing. Option D is incorrect; in such a case, either the server is a peer to the other server or the peer is actually a client. Option C correctly identifies that most services need one node to control the service delivery process, and the other node, requesting the service, follows the first node’s control of the conversation.
69
You’re trying to diagnose why a system is not connecting to the Internet. You’ve been able to find out that your system’s IP address is 169.254.0.0. Which of the following statements correctly suggests the next best step? A. It sounds like you’ve got a corrupted local DNS cache, which you should flush and then reset the connection. B. Try connecting via another browser. C. Check the DHCP server on your LAN to see if it’s functioning correctly. D. Check to see if any router and modem between your system and your ISP are functioning correctly; you may need to do a hardware (cold) reset of them.
C. Check the DHCP server on your LAN to see if it’s functioning correctly. Explanation This address is in the 169.254.0.0/16 link‐local (APIPA) range, which your operating system’s network protocol stack assigns to itself when no DHCP server responds; it tells you the system never completed a DHCP exchange. Check the configuration settings for any switches, routers, and modems between your system and your ISP so that you know where the DHCP service resides; then find that device, ping it, or run tracert (or traceroute) toward it to see if it responds. Options A and B are incorrect, since neither DNS nor the browser is involved in obtaining an address. Option D may be a good step after you determine which device is supposed to be your DHCP server. Option C is your best next step.
69
What happens to datagrams as they are passed through the protocol stack from the Data Link layer to the Transport layer? A. They get shorter as the headers and footers are removed as the datagrams move from one layer to the next. B. They get longer as more header and footer information is wrapped around the datagram. C. They get converted from character or graphic information and formatting into byte formats. D. If an encryption protocol is being used, they get encrypted.
A. They get shorter as the headers and footers are removed as the datagrams move from one layer to the next. Explanation Option A is correct; this is “unwrapping,” as datagrams have their headers and footers removed on their way up the stack. Option B is incorrect—wrapping happens on the way down from Transport (or higher) to Physical (by way of Data Link). Options C and D describe what the Presentation layer does as it passes data to applications; that layer sits above Transport, so it is outside the Data Link‐to‐Transport path the question asks about.
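The wrapping and unwrapping, made concrete with byte counts. This is an added example and not part of the original flashcard deck: it builds a minimal Ethernet/IPv4/TCP frame around a constructed application payload, then strips one header per layer on the way up, so the lengths growing on the way down and shrinking on the way up can be read off directly. Header field values are plausible constants and checksums are left zero; nothing is sent on a network.

```python
"""Encapsulation and decapsulation, with byte counts at each layer.

Added example, not part of the original flashcard. Builds a constructed
Ethernet -> IPv4 -> TCP -> payload frame, then unwraps it layer by layer.
Header values are illustrative constants; checksums are left as zero.
"""
from __future__ import annotations
import struct

ETH_HDR_LEN = 14   # dst MAC(6) + src MAC(6) + EtherType(2)
IP_HDR_LEN = 20    # IPv4 header without options
TCP_HDR_LEN = 20   # TCP header without options
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


def wrap_down(payload: bytes) -> list[tuple[str, bytes]]:
    """Wrap a payload going DOWN the stack: TCP -> IP -> Ethernet.

    Returns [(layer_name, pdu_bytes)] from the top down.
    """
    # TCP: src port, dst port, seq, ack, data offset(5 words)|flags(PSH,ACK), window, csum, urg
    tcp = struct.pack("!HHIIHHHH", 40000, 443, 1, 0, (5 << 12) | 0x18, 65535, 0, 0)
    segment = tcp + payload

    total_len = IP_HDR_LEN + len(segment)
    # IPv4: ver/IHL, DSCP, total length, id, flags/frag, TTL, proto, csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, total_len, 0x1234, 0x4000, 64, PROTO_TCP, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    packet = ip + segment

    eth = (bytes.fromhex("aabbccddeeff") + bytes.fromhex("001122334455")
           + struct.pack("!H", ETHERTYPE_IPV4))
    frame = eth + packet
    return [("application", payload), ("transport", segment),
            ("network", packet), ("data link", frame)]


def unwrap_up(frame: bytes) -> list[tuple[str, bytes]]:
    """Unwrap a frame going UP the stack: Ethernet -> IP -> TCP -> application.

    Each layer parses just enough of its own header to locate the PDU it
    carries, then hands that PDU to the layer above.
    """
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    packet = frame[ETH_HDR_LEN:]

    ihl = (packet[0] & 0x0F) * 4                    # IP header length in bytes
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != PROTO_TCP:
        raise ValueError("not TCP")
    segment = packet[ihl:total_len]                 # drop IP header and any padding

    data_offset = (struct.unpack("!H", segment[12:14])[0] >> 12) * 4
    payload = segment[data_offset:]                 # drop TCP header
    return [("data link", frame), ("network", packet),
            ("transport", segment), ("application", payload)]


def lengths(pdus):
    """[(layer_name, byte_count)] for a list of PDUs."""
    return [(name, len(pdu)) for name, pdu in pdus]


if __name__ == "__main__":
    msg = b"GET /catalog/part/1234 HTTP/1.1\r\n\r\n"   # constructed payload
    down = wrap_down(msg)
    print("going down:", lengths(down))
    up = unwrap_up(down[-1][1])
    print("going up:  ", lengths(up))
    assert up[-1][1] == msg
```

Each step up the stack removes exactly one header (14, then 20, then 20 bytes here), which is the shrinking the answer describes; the Presentation layer work in Options C and D would only begin once the application payload is handed above Transport.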
69
Your IT team has a limited budget for intrusion detection and prevention systems and wants to start with a central server and a small number of remote IDS / IPS devices. Your team lead asks you where you think the remote devices should go. Which answer would you suggest? A. Place them in the datacenter on the key access paths to its switch fabric. B. Place them on the links between your ISP’s point of presence and your internal systems. C. Identify the links between high‐risk internal systems (such as software development) and mission‐critical systems (such as customer order processing, manufacturing control, or finance), and put them on the links between those systems. D. The central server is a good start, and you can save even more money by skipping the remote devices for right now.
B. Place them on the links between your ISP’s point of presence and your internal systems. Explanation In almost all circumstances, the boundary between an organization’s information infrastructure and the outside world of the Internet is the highest‐risk threat surface. Any channel crossing this boundary should be rigorously assessed for vulnerabilities, and all access across it should be well controlled and well monitored. Thus Option B is probably the best recommendation. Internal systems links, such as Options A and C, might help in containment of intrusions, but there may be other ways to do this than with IDS/IPS remotes. Option D restricts the effectiveness of the IPS or IDS to just those network segments and resources it can directly see and control, which may be a very small subset of your network.
69
Which measures would you recommend be used to reduce the security risks of allowing Wi‐Fi, Bluetooth, and NFC devices to be used to access your company’s networks and information systems? (Choose all that apply.) A. MDM systems B. Effective access control and identity management, including device‐level control C. Because the Physical layer is wireless, there is no need to protect anything at this layer. D. Allowed listing of authorized devices
A. MDM systems & B. Effective access control and identity management, including device‐level control Explanation Option C is false; the physical access point itself needs to be protected from somebody attacking it with an unauthorized firmware update, for example, or simply plugging into an unblocked network jack on it. Option D is one component of mobile device management, but it is not sufficient. Option B can reduce exposure to many threats related to mobile device access, whereas a mobile device management system can help track, force compliance, block, or lock down a device reported lost or stolen.
70
What can traffic shaping, traffic management, or load balancing systems do to help identify or solve information security problems? (Choose all that apply.) A. Nothing, since they work autonomously to accomplish their assigned functions. B. Log data they generate and keep during operation may provide some useful insight after an incident, but nothing in real time would be helpful. C. Such tools usually can generate alarms on out‐of‐limits conditions, which may be indicative of a system or component failure or an attack or intrusion in progress. D. Given sufficient historical data, such systems may help network administrators see that greater‐than‐normal systems usage is occurring, which may be worthy of closer attention or investigation.
B. Log data they generate and keep during operation may provide some useful insight after an incident, but nothing in real time would be helpful. & C. Such tools usually can generate alarms on out‐of‐limits conditions, which may be indicative of a system or component failure or an attack or intrusion in progress. & D. Given sufficient historical data, such systems may help network administrators see that greater‐than‐normal systems usage is occurring, which may be worthy of closer attention or investigation. Explanation Options B, C, and D all describe ways that having better insight into how your systems and networks are being used, right now, can help you determine if they might be suffering some kind of problems. And if they are, that data can help you resolve whether this is a security event or not. Option A is false and also lacks the insight to apply these systems to your overall information systems security strategy.
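What an out‐of‐limits alarm (Option C) and a greater‐than‐normal trend (Option D) look like when computed from a load balancer’s counters. This is an added example and not part of the original flashcard deck; the per‐minute request counts are constructed, and the rule used (baseline mean plus three standard deviations, with an optional absolute ceiling) is an assumption standing in for whatever thresholds a real traffic‐management product lets you tune.

```python
"""Out-of-limits alarming from a load balancer's request counters.

Added example, not from the original flashcard. The counts are constructed
and the mean + 3 sigma rule is an assumption; real products expose their
own tunable thresholds.
"""
from statistics import mean, pstdev

# Constructed history: requests per minute over a quiet period (the baseline).
BASELINE = [410, 395, 430, 405, 398, 415, 422, 401, 409, 418, 396, 412]

# Constructed live readings: a gradual rise, then a spike typical of a flood.
LIVE = [420, 455, 470, 510, 545, 1900, 2400, 2350]


def limits(history, sigmas=3.0, ceiling=None):
    """Compute (lower, upper) limits from a baseline window."""
    mu, sd = mean(history), pstdev(history)
    upper = mu + sigmas * sd
    if ceiling is not None:
        upper = min(upper, ceiling)
    return max(0.0, mu - sigmas * sd), upper


def alarms(readings, history, sigmas=3.0, ceiling=None):
    """Return [(index, value, reason)] for readings outside the limits.

    A drop toward zero is flagged as well: it more often means a failed
    component than an attack, which is the distinction the card says
    these alarms help you start to make.
    """
    lower, upper = limits(history, sigmas, ceiling)
    out = []
    for i, v in enumerate(readings):
        if v > upper:
            out.append((i, v, f"above upper limit {upper:.0f}"))
        elif v < lower:
            out.append((i, v, f"below lower limit {lower:.0f}"))
    return out


def trend_ratio(readings, history):
    """Usage relative to baseline; >1 and climbing deserves a closer look even
    before any single reading crosses a limit."""
    return mean(readings) / mean(history)


if __name__ == "__main__":
    for i, v, why in alarms(LIVE, BASELINE):
        print(f"minute {i}: {v:5d} req/min  ALARM {why}")
    print(f"first five live minutes run {trend_ratio(LIVE[:5], BASELINE):.2f}x baseline")
```

Whether the readings that trip the alarm are a marketing campaign, a misbehaving client, or a denial‐of‐service attempt is exactly the question the SOC then has to answer; the alarm only tells you something is outside normal.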
71
Which of the following statements about a NOC and a SOC is correct? (Choose all that apply.) A. Both perform essentially the same functions. B. With the increased emphasis on security, senior managers and stakeholders may feel that not having a security operations center is not taking the risks seriously enough. C. The focus of a NOC is different than that of a SOC. D. It’s usually a mistake to try to overload the NOC with the security functions the SOC has to take on.
B. With the increased emphasis on security, senior managers and stakeholders may feel that not having a security operations center is not taking the risks seriously enough. & C. The focus of a NOC is different than that of a SOC. Explanation Option A shows a conceptual misunderstanding about network operations and security operations, regardless of who conducts them or is responsible for them. Option D is also incorrect; many smaller organizations can easily and affordably have their network operations team handle the key security operations functions. Option B may indeed be true in some organizations and in some marketplaces, but the organization should always let its business case for security drive the decision. Option C is correct; NOC focuses on design, deployment, operation, and maintenance of the network and changes to it, and the SOC focus is on keeping it secure, detecting events and characterizing them, and containing and responding to them if necessary.
72
Which of the following types of actions or responses would you not expect to see in an information security incident response plan? (Choose all that apply.) A. Relocation of business operations to alternate sites B. Temporary staffing C. Using off‐site systems and data archives D. Engaging with senior organizational leadership
A. Relocation of business operations to alternate sites B. Temporary staffing Explanation Option A is incorrect; relocation of business operations is typically part of disaster recovery plans. Option B is incorrect, as temporary staffing implies that existing staff are not available to work or cannot work for some reason, and this is more in the scope of disaster recovery. Option C, off‐site systems and data archives, may well be used in the restoration phase of an information security incident response. Option D is part of all incident response, continuity, and recovery planning.
73
Various security devices, technologies, and systems seem to have evolved from each other, with each step on that pathway adding new, more powerful capabilities to what was already available. Choose the option that places these systems or technologies in the correct sequence, from least capable to most capable. A. SOAR, SIEM, SDN, SDS B. SIEM, SDS, SDN, SOAR C. SIEM, SDN, SOAR, SDS D. SIEM, SDN, SDS, SOAR
D. SIEM, SDN, SDS, SOAR Explanation The correct sequence is SIEM, SDN, SDS, and then SOAR. SOAR depends upon centralized, virtualized control of security (SDS), which is built on top of network virtualization (SDN). SIEM systems do not in general require network virtualization. This reflects integration of data from physical network and systems security devices, virtualized networks providing for scripted configuration (and reconfiguration) of network VMs, including their security characteristics; specialized applications that integrate security monitoring and configuration for virtual and physical systems; and process and activity workflow management and execution.
74
The COVID‐19 pandemic caused many organizations to substantially increase the percentage of their employees that worked remotely (from home or other locations). What physical information security issues should these organizations have addressed? Choose one or more selections as appropriate. A. Ergonomics and other physiological safety and security aspects of each employee’s remote work locations and arrangements. B. Physical protection of network infrastructure and endpoint devices, at each employee’s remote location, from loss or compromise. C. More thorough enforcement of appropriate use policies and restrictions for endpoints and network access used by these employees. D. Ensure that each remote work location had suitable backup power and connectivity.
B. Physical protection of network infrastructure and endpoint devices, at each employee’s remote location, from loss or compromise. & D. Ensure that each remote work location had suitable backup power and connectivity. Explanation Option A addresses a worker health and safety issue that is legitimate, but not normally in the scope of an information systems security plan or activity. Option B is the core physical security concern: laptops, tokens, and home network gear outside the office are exposed to theft, tampering, and loss that the organization’s facility controls no longer cover. Option C is primarily implemented by technical, not physical, security controls. Option D does address physical availability and might be necessary on a case‐by‐case basis for individual workers or workgroups requiring high availability.
75
You work with a small startup company that is building dynamic mashups that combine the search results of users’ web queries, map data, and results from analytics run in real time in order to create unique software to meet the user’s needs. This software may be a game, an applet or widget, or some other small software appliance, for use with the user’s IoT devices. The mashups can also include code from web‐hosted code libraries and repositories, most of which are open source and unrestricted for reuse. Which statement best captures the supply chain risks that are unique to this business process that the organization should consider? (Select all that apply.) A. Inbound supply chain risks B. Outbound supply chain risks C. Development risks D. Data integrity risks
A. Inbound supply chain risks B. Outbound supply chain risks Explanation In effect, this organization is creating new things (the mashups) from the inputs selected in response to user inputs. Option A addresses how many different threats can cause search results to be tainted (misdirected or contaminated with malformed data) or that code libraries selected for reuse are infected with malware of many types. Option B addresses the passing on of these risks to customers, who then use those mashups for business or leisure use. Options C and D are not unique to this business model.
76
A new employee is familiarizing themselves with the company’s parts catalog system. They discover that they can enter an SQL query such as a SELECT statement into a part number field, and sometimes the application responds by displaying selected data followed with a database command prompt. Which statement best identifies what kind of attack technique this might be? A. Cross‐site scripting B. Buffer overflow C. SQL injection D. Arbitrary code execution
C. SQL injection Explanation Option C best describes the improper entry of a query instead of data values, and having the application process that query as a query, rather than as data field values. Options B and D might describe parts of the problem in this situation, but they are too broad to focus attention on the specific problem. Option A is false, as this incident does not involve the attacker placing bogus scripts into web pages for other users to execute.
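The parts‐catalog lookup from the card, written both ways. This is an added example and not part of the original flashcard deck; it uses an in‐memory SQLite table with constructed rows, and the table layout, column names and the attacker’s input are assumptions. It shows the card’s point directly: text pasted into the SQL statement is parsed as SQL, while a bound parameter is only ever a value.

```python
"""Parts-catalog lookup: the injectable version beside the parameterized one.

Added example, not from the original flashcard. Uses an in-memory SQLite
database with constructed rows; table and column names are assumptions.
"""
import re
import sqlite3


def build_catalog():
    """Constructed catalog with three parts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE parts (part_no TEXT PRIMARY KEY, description TEXT, unit_cost REAL)")
    db.executemany("INSERT INTO parts VALUES (?, ?, ?)", [
        ("PN-1001", "bearing, 20mm", 4.10),
        ("PN-1002", "gasket, rubber", 0.75),
        ("PN-2001", "motor, 1/4 hp", 88.00),
    ])
    return db


def lookup_vulnerable(db, part_no):
    """String-built query: whatever the user types becomes part of the SQL text."""
    sql = f"SELECT part_no, description FROM parts WHERE part_no = '{part_no}'"
    return db.execute(sql).fetchall()


def lookup_safe(db, part_no):
    """Parameterized query: the driver binds the value; no SQL is parsed from it."""
    sql = "SELECT part_no, description FROM parts WHERE part_no = ?"
    return db.execute(sql, (part_no,)).fetchall()


def is_well_formed_part_no(part_no):
    """Allowed-list input check a catalog app should apply before querying at all."""
    return re.fullmatch(r"PN-\d{4}", part_no) is not None


# Constructed attacker input: closes the open quote and appends a tautology,
# turning the WHERE clause into  part_no = '' OR '1'='1'
INJECTION = "' OR '1'='1"

if __name__ == "__main__":
    db = build_catalog()
    print("normal  :", lookup_vulnerable(db, "PN-1002"))
    print("injected:", lookup_vulnerable(db, INJECTION))   # every row comes back
    print("safe    :", lookup_safe(db, INJECTION))         # [] : no part has that literal name
    print("valid?  :", is_well_formed_part_no(INJECTION))  # False : rejected before any query
```

The parameterized query is the fix; the format check is defense in depth, and is also the easiest place to raise an alert when someone starts typing quotes and keywords into a part‐number field.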
77
Which of the following might be the most effective means of detecting malformed data attacks? A. User and entity behavior analytics, applied to ongoing activities B. Ethical penetration testing to detect vulnerabilities with data typing, validation, and reasonableness checks in software and procedure designs C. Periodic audit of processed transactions, accounts, and related records D. Trending analysis of errors encountered during user entry and use of forms, workflows, or other data input processes
A. User and entity behavior analytics, applied to ongoing activities Explanation Each of these answers is a valid technique to reduce the risk that malformed data attacks can occur; only Option A provides a real‐time opportunity to check user and entity actions, across the organization’s systems and infrastructures, for behaviors that are suspicious and might be exploiting a malformed data vulnerability. Option B simulates such attacks and is valuable in finding such vulnerabilities or stress‐testing the controls put in place to mitigate them. Option C can identify attacks that have happened during the audit period, but not usually in real time. It may still be the only way to detect that your systems were successfully invaded weeks or months ago and might reveal where intruders are currently abusing your resources and assets. Option D, trending, will highlight types of errors, if the systems and applications generate log entries or other telemetry when these events happen; this may be useful in highlighting vulnerabilities, but not in identifying that a specific attack has been made.
77
Which statement best describes the relationship between continuous assessment and vulnerability management? A. Vulnerability management should drive continuous assessment, setting the priority or urgency for assessment activities based on the risks associated with that vulnerability. B. Vulnerability management informs the planning and conduct of continuous assessment, the results of which are used as updates to vulnerability management. C. There is no direct link between these two sets of processes; rather, they come together via continuous monitoring. D. Vulnerability management helps inform and prioritize continuous assessment planning, but it is the results of continuous compliance that closes the loop back to vulnerability management.
B. Vulnerability management informs the planning and conduct of continuous assessment, the results of which are used as updates to vulnerability management. Explanation Option A is incorrect, in that other operational, compliance, and the current risk and threat context may be better sources of priority and urgency to use for assessment activity planning and conduct. Option B correctly refers to the one process informing, but not driving, the other. Option C is incorrect and misstates the relationship of monitoring with assessment and compliance. Option D is incorrect, as the successful validation of an assessment activity actually drives both the close‐out of the vulnerability and the completion of a compliance check.
77
Why is allowed listing a better approach to applications security than blocked listing? Choose the most correct statement. A. Allowed listing depends on government‐certified lists of trusted software providers, whereas blocked listing needs to recognize patterns of malicious code behavior, or malware signatures, to block the malware from being installed and executed. B. For most organizations, the list of applications they have chosen to trust is far smaller and easier to administer than huge lists of malware signatures and behavioral models. C. Administering an allowed listing system can require a lot of effort, but when an unknown program is trying to execute (or be installed), you know it is not yet trusted and can prevent harm. D. With blocked listing only, new malware may not be recognized as such before it installs, executes, and begins to harm your systems and information.
C. Administering an allowed listing system can require a lot of effort, but when an unknown program is trying to execute (or be installed), you know it is not yet trusted and can prevent harm. Explanation Option C is correct in terms of the major benefit of allowed listing; Option D, its logical opposite, addresses the zero day risks of blocked listing approaches without saying why any other approach (such as allowed listing) is better. Option A is false on its face; no such program (thankfully!) exists to “trust‐mark” applications. However, digitally signed installation kits do give some assurance that the software came from the vendor you thought provided it. Option B is true on its face but does not say why one approach provides better security than the other.
77
Many issues are involved when planning for a third party to perform services involving data storage, backup and restore, and destruction or processing services for your company. Which of the following statements is not correct with regard to such planning or to your actual conduct of operations with that third party? (Choose all that apply.) A. Your data protection responsibilities remain with you; you need to be able to actively verify that such third parties are doing what you’ve contracted with them to do. Otherwise, you are blindly trusting them. B. Your contracts with these third parties should use a shared responsibility model to clearly delineate which party has which responsibilities; this will, in most cases, hold you harmless when the third party goes outside of the contract. C. Since third parties are by definition on a contract with you, as your subcontractor, you are not liable or responsible for mistakes they make in performing their duties. D. What your third party providers, subcontractors, or employees (for that matter) do in your name and in your service, you are ultimately responsible for.
B. Your contracts with these third parties should use a shared responsibility model to clearly delineate which party has which responsibilities; this will, in most cases, hold you harmless when the third party goes outside of the contract. C. Since third parties are by definition on a contract with you, as your subcontractor, you are not liable or responsible for mistakes they make in performing their duties. Explanation Option D most correctly states the bottom line to most organizations in terms of how stakeholders, investors, legal and regulatory authorities, customers, and others will judge responsibility when things go wrong. Option A is a specific example; due care requires that you have the contractual, technical, and administrative ways to do such verifications, while due diligence requires that you actually do such verifications and hold the third party to task. Option B can only set day‐to‐day expectations; when a major data breach happens, Option D suggests that even if the service provider failed to fulfill their contract, your stakeholders will still hold you responsible. Option C is false.
77
Fred is on the IT team migrating his company’s business systems into a public cloud provider, which will host the company’s processes and data on its datacenters in three different countries to provide load balancing, failover/restart, and backup and restore capabilities. Which statement or statements best addresses key legal and regulatory concerns about this plan? (Choose all that apply.) A. Because Fred’s company does not have a business office or presence in the countries where the cloud host’s datacenters are, those countries do not have legal or regulatory jurisdiction over company data. B. The countries where the cloud host’s datacenters are located, plus all of the countries in which Fred’s company has a business presence, office, or other facility, have jurisdiction over company data. C. In addition to staying compliant with all of those different countries’ laws and regulations, Fred’s company must also ensure that it does not violate cultural, religious, or political taboos in any of those countries. D. These jurisdictional arguments only apply to data stored on servers or systems within a given country, or that is being used in that country; nations do not control the movement of data across their borders.
B. The countries where the cloud host’s datacenters are located, plus all of the countries in which Fred’s company has a business presence, office, or other facility, have jurisdiction over company data. C. In addition to staying compliant with all of those different countries’ laws and regulations, Fred’s company must also ensure that it does not violate cultural, religious, or political taboos in any of those countries. Explanation Option A is false; the laws of the host nation apply to the cloud datacenter operator in that country, and that means they apply to all of the data and processing performed on that cloud datacenter. Option D is false, as nearly all countries claim the right to control the import and export of information, particularly (as in Option C) where that information violates, attacks, or ridicules a strong cultural, religious, or political value in that country. Options B and C are true.
78
Which statements about the role(s) of archiving, backup, and restore in meeting information security needs are most correct? (Choose all that apply.) A. These each contribute to availability in similar ways. B. These each contribute to availability and nonrepudiation. C. As part of an incident response or disaster recovery plan, prompt restore to a known good data configuration may prevent other data from being compromised or breached, thus contributing to confidentiality. D. These have no role to play in achieving authentication needs.
A. These each contribute to availability in similar ways. B. These each contribute to availability and nonrepudiation. C. As part of an incident response or disaster recovery plan, prompt restore to a known good data configuration may prevent other data from being compromised or breached, thus contributing to confidentiality. Explanation Option D is incorrect. Authentication data, which defines user and process privileges, identity verification, and so forth, is as subject to being wiped out, corrupted, lost, or stolen as any other data on any information system.
79
The “garbage‐in, garbage‐out” (GIGO) problem means: A. Noise on power supplies or signal cables can corrupt data in motion, which if processed can result in abnormal or incorrect “garbage” results. B. Most information processes involve a set of related data items that represent or model a real person, activity, or part of the world. When that set of data is mutually inconsistent, or inconsistent with other data on hand about that real entity, each field may be within range but the overall meaning of the data set is corrupt. This “garbage,” when processed (as input) by apps, produces equally meaningless but valid‐looking outputs. C. Organizations that just throw away damaged storage devices; printed copies of their data, application source code, design notes; and so forth are putting this “garbage” right where a “dumpster diver” hacker attack can collect it, examine it, and possibly find exploitable vulnerabilities. D. Data input attacks can cause some applications to abort or execute abnormally, sometimes in ways that allow the garbage data that was input to be executed as if it is command strings or machine language instructions.
B. Most information processes involve a set of related data items that represent or model a real person, activity, or part of the world. When that set of data is mutually inconsistent, or inconsistent with other data on hand about that real entity, each field may be within range but the overall meaning of the data set is corrupt. This “garbage,” when processed (as input) by apps, produces equally meaningless but valid‐looking outputs. Explanation Option A is a real risk but not what GIGO is about. Option C may involve throwing things in the “garbage” that should have been destroyed or zeroized first, but it’s also incorrect. Option D is a very common attack attempt against many apps, but it usually does not lead to the application producing what looks like correctly formed outputs with distorted meanings. GIGO processing, as in Option B, can result in incorrect transactions being posted to an account, such as when a patient billing record has too many copies of the same lab procedure billed incorrectly to it.
80
Your boss tells you that securing the endpoints should consider all of the measures you would use to secure the information infrastructures themselves. Is she correct? Which statement best confirms or refutes her statement? A. False. Many of the things we do to secure operating systems and networks, for example, just don’t apply to an endpoint device, the apps on it, and the user’s interactions with it. B. True. After all, each endpoint is (by definition) embedded in or part of one or more threat surfaces; from there, the same threat modeling and assessment processes will lead us through the same risk management and mitigation processes, with choices tailored as needed. C. True. All of the same risk management, vulnerability assessment, risk mitigation, and operational risk management processes apply to each node of our system and to the system as a whole, tailored to the specific risks, vulnerabilities, technologies, and operational needs. D. False. What happens at the endpoints is a special case of information security and needs special attention that is very different than how we assess risk to servers, networks, or applications platforms.
B. True. After all, each endpoint is (by definition) embedded in or part of one or more threat surfaces; from there, the same threat modeling and assessment processes will lead us through the same risk management and mitigation processes, with choices tailored as needed. Explanation Option A glosses over the growing “BYOx,” where x can be infrastructure, device, or most any service; you might argue that Option A also ignores the blurring of the boundary between an endpoint and the information system itself. Option B reminds us to do integrated, coherent threat modeling and analysis across our total systems environment. Option C just echoes what the boss said, although it does add a minor bit about tailoring; overall, it doesn’t contribute much to the conversation with the boss. Option D offers no support for this rather unusual viewpoint.
81
When choosing your countermeasures and tactics to protect hardware and systems software, you should start with which of the following? A. Published Common Vulnerabilities and Exposures (CVE) databases B. The information systems baseline that documents the systems your organization uses C. Your organization’s business impact analysis D. Your organization’s IT vulnerabilities assessment
D. Your organization’s IT vulnerabilities assessment Explanation Starting with Option A is a common sense approach to quickly implementing some reasonable and prudent protection, but it lacks any judgment as to which vulnerabilities are important to your organization’s risk management strategy and which are not. Option B is the systems inventory, and you will need it, as it describes the as‐built systems. Option C is what drives Option D. Therefore, start shopping for countermeasures with Option D in hand.
82
The most important security vulnerability to your IT infrastructure’s hardware elements would be which of the following? A. Being “orphaned” when the manufacturer no longer provides technical support, spare parts, or firmware updates B. Electrical power fluctuations, air conditioning issues, or other workplace environmental issues C. Unauthorized devices or software installed during maintenance by an off‐site maintenance vendor or computer store D. Theft, or being misplaced or lost
D. Theft, or being misplaced or lost Explanation All of these are legitimate risks to worry about; some big box stores’ computer repair services are known to do full scans and voluntarily report what they find to law enforcement, or possibly others, for example. Option A happens frequently, but it’s more of an impact to ongoing availability than it is an exploitable vulnerability. Option B can cause equipment to fail or behave erratically. Option D is far and away the most prevalent hardware‐related cause of data loss, systems breach, or information security failures, of the items on this list.
83
Trusted platform modules provide which of the following benefits to an organization’s IT infrastructure? A. By means of hardware implementations of encryption, hashing and key generation, they greatly simplify the use of certificate authorities and PKI. B. As a trust root, a TPM can make hierarchies of trust more reliable. C. The TPM replaces the host system’s random number generators and hash routines with its hardware‐accelerated, more secure versions. This enhances system security as well as runtime performance. D. As a signed part of operating systems kernels, TPMs make it possible to validate software updates more reliably.
B. As a trust root, a TPM can make hierarchies of trust more reliable. Explanation Since trusted platform modules (TPMs) are special, sealed hardware modules added to the motherboards of computers or phones by their manufacturers, Option D is incorrect, even though TPM device driver software must be incorporated into most OSs to enable their use. Option A is incorrect; the TPM doesn’t simplify this but allows for more trustworthy hardware storage and management of certificates, digital signatures, and so forth. Option C is not correct; these functions in the OS and host hardware remain, while all the TPM provides is its own implementations with which it secures keys, manages certificates, and hashes (preserves) machine identification information.
91
FTP port
FTP 21 File Transfer Protocol
92
SSH port
SSH 22 Secure Shell
93
DNS port
DNS UDP 53 Domain Name Service
94
HTTP port
HTTP 80 HyperText Transfer Protocol
95
HTTPS port
HTTPS 443 HyperText Transfer Protocol Secure
96
SMTP protocol
SMTP 25 Simple Mail Transfer Protocol
97
RDP port
RDP 3389 Remote Desktop Protocol
98
NetBIOS ports
NetBIOS 137, 138, 139
99
POP port
POP 110 Post Office Protocol
100
IMAP port
IMAP 143 Internet Message Access Protocol
101
What is a reference monitor?
Security function that checks every action, specifically access attempts, to see if it is properly authorized; if it is not, the action will be blocked. Reference monitors can also force a system into a secure shutdown if they determine that system security may be fatally compromised.
102
What are mantraps?
Physical security controls that can restrict entry to a protected area; can also detain a potential intruder between their entry and exit doors
103
What is ARP, what layer does it run at, and what does it use for addressing?
Address Resolution Protocol (ARP) provides a way to query other network devices so as to resolve a device’s media access control (MAC) address into its corresponding Internet Protocol (IP) address. It is a cross‐layer protocol and can work across Layers 2, 3, and 4.
104
What is access control based on job functions or duties?
Role‐based access control
105
What does “garbage in, garbage out” mean?
Most information processes involve a set of related data items that represent or model a real person, activity, or part of the world. When that set of data is mutually inconsistent, or inconsistent with other data on hand about that real entity, each field may be within range but the overall meaning of the data set as a whole has an incorrect or possibly harmful meaning. This “garbage,” when processed (as input) by apps, produces equally meaningless but valid‐looking outputs.
106
Security for collaboration environments most depends on what?
Education and training of the users so that they know how, why, and when to protect what should not be shared
107
What is centralized access control?
All identity management and access control decisions for an organization are handled by one server system.
108
Email typically uses which ports and protocols?
Simple Mail Transfer Protocol (SMTP), Transmission Control Protocol (TCP) 25; Post Office Protocol 3 (POP3), via TCP 110.
109
How can attacks against device‐level firmware be conducted?
Remote or onsite device management (or mismanagement) attacks that allow a hacker to initiate a firmware update using a hacked firmware file
110
What is the negative security model?
Explicitly naming or identifying subjects, addresses, identities, and actions that are prohibited from taking actions with systems resources and assets.
111
What is Institute of Electrical and Electronics Engineers (IEEE) 802.1X?
Access control standard that defines the port‐based network access controller (PNAC) and its use of Extensible Authentication Protocol over 802.11, known as EAPOL (“EAP over LAN”).
112
What is IPSec, what layer does it run at, and what does it use for addressing?
Internet Protocol Security (IPSec) is a set of security protocols added to Internet Protocol version 4 and built into the design of Internet Protocol version 6. It uses Internet Protocol (IP) addresses and thus runs at Layer 3.
113
What is ICMP, what layer does it run at, and what does it use for addressing?
Internet Control Message Protocol is used to communicate control information between network devices and can perform some network and device management functions. It uses Internet Protocol (IP) addresses and thus runs at Layer 3.
114
What is * (star) security?
A security model property that prohibits writing down to a process at a lower security level; from the Bell‐LaPadula model
115
How do operational technologies differ from information technologies?
Operational technologies (OT) use information from physical sensors to make physical actions happen, such as opening a valve or moving a mechanism. As a result, OT systems can directly damage property, inflict injury, or kill people. IT systems move, shape, store, create, and share information; they do not directly interact with the physical world (except through the humans that use them). To interact directly, IT needs an OT endpoint system, whether directly connected, mobile, or autonomous, such as a UAV or robot.
116
What is identity proofing?
Establishes the truthfulness of documents or other information that attest to a person’s claim to be that person, and is used during the identity provisioning process
117
Why use a honeypot?
To allow an attacker a limited, controlled access to the organization’s systems so that more can be learned about systems vulnerabilities by watching the attacker attempt to exploit vulnerabilities in those systems
118
What is a Type 1 access control error?
False negative, denying an authorized subject or user from gaining access
119
Why are hashes one‐way?
An effective hash algorithm has no mathematical inverse; you cannot take the resulting hash value and reverse it to reproduce the original plaintext.
120
Why does “disaster” have two meanings to information security professionals?
Traditionally, the IT community considered loss of IT and communications as the “disaster,” as these were the only services they had responsibilities for. IT disaster recovery planning, for example, often uses this narrow view. As recent cyberattacks have demonstrated, the general public, investors, governments, and organizational leaders consider “disasters” as including any and all aspects of the functions of the organization. SSCPs and others need to recognize the need for and benefit from using the larger view.
121
What is the difference between a cryptographic system, a cryptographic algorithm, and a cryptographic protocol?
A cryptographic system is the full set of components necessary to use encryption to achieve security needs. A cryptographic algorithm (one part of a system) provides the process for transforming plaintext into ciphertext (encryption) or the reverse (decryption); the algorithm uses a cryptographic key and other cryptovariables (parameters) to accomplish and control this. A cryptographic protocol is a process that uses encryption in order to achieve a specific purpose, such as digitally signing a file or an email.
122
What is the major cause of software vulnerabilities?
Human error. All software vulnerabilities result from errors introduced during the lifecycle of design, development, test, and use of that software. Compromises between schedule, cost, and performance can introduce or fail to detect errors in processes, tools, libraries, and systems. Data quality programs that should enforce data consistency, completeness, and correctness are often not robust enough. Configuration management is often lacking or poorly done. Hardware may fail, but software doesn’t. It’s just built vulnerable.
123
What is the best protection if a mobile endpoint device is lost or stolen?
Mobile device management (MDM) systems that are used to configure and control the device, prior to its being lost or stolen; the MDM systems can then lock or zeroize the device if it is reported lost or stolen
124
What are the different categories of security control functions?
Directive, deterrent, preventative, detective, reactive, corrective, compensating, and recovery
125
What is the AAA of access control?
Authentication (validate a subject is legitimate); authorization (validate that the access request itself is permitted for that subject, object, and conditions); and accounting (keep records of every attempt and what it resulted in)
126
How can supply chain attacks disrupt an organization?
Attacks on any element of inward supply or outbound consumption of the organization’s goods and services can disrupt its business activities. Inbound attacks on its IT and OT supply chains can cause security compromises and possibly lead to safety problems. Inbound attacks that ripple through the organization can get passed on to its own customers as well, causing additional disruption through reputational damage.
127
What are TCP and UDP, what layer do they run at, and what do they use for addressing?
Transmission Control Protocol (TCP) is a connection‐oriented protocol that provides a degree of error correction, lost packet retransmission, and other quality services. It uses sender and recipient port numbers as addresses. User Datagram Protocol (UDP) is a connectionless protocol and uses sender and recipient port numbers as addresses. These both run at Layer 4.
128
What is an acceptable use policy?
Administrative statement of what uses of company‐provided information systems and assets are allowed and what uses are prohibited
129
What is ARP?
Address Resolution Protocol, which discovers the corresponding IP address for a given media access control (MAC) address by asking other devices for it. Failing to find it, it will seek it from a Dynamic Host Configuration Protocol (DHCP) server.
130
How can you protect the integrity of a file, but have its contents remain as plaintext?
Digitally sign the file
131
What is confidentiality?
Keeping sensitive, private, or proprietary data from being revealed to or accessed by an unauthorized subject
132
What is the main difference between WIPS and WIDS as compared with NIPS and NIDS?
Wireless Intrusion Detection System (WIDS): This focuses on monitoring wireless networks for unauthorized access points, rogue devices, and suspicious activities. Its primary role is detecting potential security threats specific to wireless communications and alerting administrators. Typically operates at Layer 1 (Physical) and Layer 2 (Data Link) of the OSI model. It monitors wireless signals and activity, including MAC addresses, Wi-Fi frames, and other wireless-specific data. Network Intrusion Detection System (NIDS): This is designed to monitor wired network traffic. It analyzes data packets flowing through the network to detect malicious activities, such as viruses, malware, or hacking attempts. NIDS works across the whole network and is protocol-agnostic—it’s not limited to wireless environments. Operates at Layer 3 (Network) and Layer 4 (Transport) of the OSI model. It examines network packets and protocols such as IP, TCP, UDP, and others to detect unauthorized or malicious traffic. Some advanced systems may also analyze Layer 7 (Application) traffic for deeper insights. In short, WIDS is specific to wireless environments, while NIDS monitors network traffic across various infrastructures. WIDS is tailored to protect against Wi-Fi-based threats, whereas NIDS offers broader protection against intrusions on traditional networks.
133
Can you unhash a digital signature, to derive the file content it is associated with, or the private key used in the signature process?
No. A cryptographic hash (which is what a digital signature is) can take an arbitrarily large file and reduce it to a fixed‐length hash value (perhaps 512 bits). It is mathematically impossible to derive what all of the other bits in the original file must be. The same is true for the keys used in the signature.
134
What kind of things might be an indicator of compromise?
Recognizable malware signatures, attempts to access IP addresses or URLs known or suspected to be of hostile or compromising intent, or domain names associated with known or suspected botnet control servers.
135
Domain Name System (DNS) uses which port and protocol?
UDP port 53 for name queries; TCP port 53 for zone transfers
136
What is an orphan?
A device or software program no longer supported by its vendor or manufacturer; no more upgrades, updates, or support to migrate to a new operating system is available.
137
What is the difference between key exchange and key distribution?
Key exchange involves using asymmetric encryption to generate and exchange session keys with someone you might not know. The key exchange process does not require exchanging secret or private individual data. Key distribution is used to transmit or provide symmetric encryption keys to authorized users, which does require the sending of secret information (the keys themselves).
138
What is a Type 2 access control error?
Linked to FAR (False Acceptance Rate), this happens when an unauthorized user is mistakenly granted access. A high FAR indicates a security risk, as it reflects the system’s leniency in wrongly accepting invalid attempts.
139
What is subnetting in IPv4 and IPv6?
Subnetting provides the network designer with a way to logically group hosts on a network segment by treating the host address field as two sets of bits: one for subnetwork number, the other for host number. Both IPv4 and IPv6 provide for subnetting, but the much larger IPv6 address field makes this a lot simpler to design and manage.
140
What is * (star) integrity?
A security model property that prohibits “write up” from a lower to a higher security level; from the Biba model
141
Describe the difference between safety and reliability.
Safety requires that when systems are in use or when they fail, they do no unauthorized harm or injury to other systems, people, or property. Reliability requires them to produce accurate, on‐time answers as and when required.
142
What are covert paths?
Unintended and unauthorized channels, within a system, for the transfer of information in ways that violate security policies.
143
How do you provide incident response support to forensics investigations?
Secure the scene, protect evidence, establish and maintain chain of custody of evidence
144
What is MPLS, what layer does it run at, and what does it use for addressing?
MultiProtocol Label Switching (MPLS) provides routing based on shortest paths within a network and is often used in virtual private network (VPN) implementations. It uses Internet Protocol (IP) addresses and thus runs at Layer 3.
145
What is due care?
Taking steps to ensure that all of your responsibilities can be accomplished satisfactorily
146
What is the difference between an identity and an entity?
An entity is a single, unique person, physical device, or instance of a software task or virtual machine. An identity is a label or name for an entity, valid for a particular context. Just as a biological person has multiple identities (in work, social, family, online, or business and commerce settings), each copy of a VM or each instance of a software task running on a device may have multiple identities. All these identities may be legitimate, just different.
147
How do identity assurance levels (IALs) relate to just‐in‐time identity?
Standardized IALs enable systems to use just‐in‐time or self‐provisioning identity and account creation to meet their overall system security needs. IALs describe third‐party identity service providers’ validation processes. IAL1, the lowest level, does nothing to validate an entity’s claim to an identity. IAL2 requires validation by means of another online identity provider such as LinkedIn or Facebook. IAL3 requires physical verification of the authenticity and correctness of documents that attest to the identity being claimed.
148
Describe the difference between Transmission Control Protocol (TCP) and User Datagram Protocol (UDP).
TCP: reliable, connection‐oriented, segment retransmission and sequencing; segments acknowledged. UDP: unreliable, connectionless, no windowing, retransmission, sequencing or acknowledgment.
149
How do LANs, WANs, and PANs differ?
A local area network (LAN) is an instance of an intranet, typically connecting devices physically nearby each other. Wide area networks (WANs) connect LANs, WANs, or other networks, and can span cities or even the globe. Personal area networks (PANs) connect devices carried by, worn by, or implanted into a person’s body; PANs often use other communications technologies such as Near‐Field Communication (NFC) or Bluetooth and require one device in the PAN to act as a gateway to IP networks if required.
150
What is a separation of duties?
Policies that allocate parts of sensitive or critical job functions to different systems elements (people, systems, or processes) so that no one single element performs all tasks and can see or modify all data associated with it.
151
What is existential risk?
A risk of such significant or extensive impact that it can put the organization or business out of business (cause it to cease to exist as a legal, functioning entity)
152
What is due diligence?
Checking to make sure that all of your due care tasks are actually getting the job done correctly and completely
153
What's the cryptographic lifecycle?
1. Initiation 2. Development/Acquisition 3. Implementation/Assessment 4. Operations/Maintenance 5. Sunset
154
A new customer at a bank that uses fingerprint scanners to authenticate its users is surprised when he scans his fingerprint and is logged in to another customer’s account. What type of biometric factor error occurred? A. A registration error B. A Type 1 error C. A Type 2 error D. A time‐of‐use, method‐of‐use error
C. Type 2 errors occur in biometric systems when an invalid subject is incorrectly authenticated as a valid user. In this case, nobody except the actual customer should be validated when fingerprints are scanned. Type 2 errors are also known as false positive errors. Type 1 (or false negative) errors occur when a valid subject is not authenticated; if the existing customer was rejected, it would be a Type 1 error. Registration is the process of adding users, but registration errors and time‐of‐use, method‐of‐use errors are not specific biometric authentication terms.
155
Ben is working on integrating a federated identity management system and needs to exchange authentication and authorization information for browser‐based single sign‐on. What technology is his best option? A. HTML B. XACML C. SAML D. SPML
C. Security Assertion Markup Language (SAML) is the best choice for providing authentication and authorization information, particularly for browser‐based SSO. HTML is primarily used for web pages, SPML is used to exchange user information for SSO, and XACML is used for access control policy markup.
156
Mandatory access control is based on what type of model? A. Discretionary B. Group‐based C. Lattice‐based D. Rule‐based
C. Mandatory access control systems are based on a lattice‐based model. Lattice‐based models use a matrix of classification labels to compartmentalize data. Discretionary access models allow object owners to determine access to the objects they control, role‐based access controls are often group‐based, and rule‐based access controls, such as firewall ACLs, apply the same set of rules to every subject they govern.
157
In which phase or phases of a typical data exfiltration attack would an attacker probably not make use of phishing? (Choose all that apply.) A. Reconnaissance and characterization B. Data gathering, clumping, masking, and aggregating C. Installing and using covert command and control capabilities D. Initial access
B. Data gathering, clumping, masking, and aggregating C. Installing and using covert command and control capabilities Explanation Phishing and many other social engineering tactics have played a major role in more than 60 percent of major data breaches in the past few years. Such tactics have high payoff to the attacker during their search for a possible target, gathering information about its systems and security, and then their initial entry into the target’s systems. Thus, options A and D are likely phases for phishing attacks, and incorrect answers to this question (note the “not make use”). Options B and C are almost exclusively done surreptitiously, exploiting information that social engineering may have revealed to the attacker; few if any signs of phishing in these activities have been noted.
158
What kind of malware attacks can corrupt or infect device‐level firmware? (Choose all that apply.) A. SNMP‐based attacks that can trigger the device to download and install a firmware update remotely B. Remote or onsite device management (or mismanagement) attacks that allow a hacker to initiate a firmware update using a hacked firmware file C. Phishing or misdirection attacks that fool operators or users into initiating an upload of a hacked firmware file D. None, because firmware updates require operator intervention to download trusted updates and patch files from the manufacturer’s or vendor’s websites, and then initiate and monitor the update and restart of the device
B. Remote or onsite device management (or mismanagement) attacks that allow a hacker to initiate a firmware update using a hacked firmware file C. Phishing or misdirection attacks that fool operators or users into initiating an upload of a hacked firmware file Explanation Option A is false; Simple Network Management Protocol (SNMP) by itself cannot trigger a device to download and install a firmware patch file. Option D is false, because that operator action can be misdirected to use the wrong file as the update. Option B may be true in some cases, if the device is set to allow remote management from other than a connected endpoint system such as a laptop or smartphone. Attacks like those in option C happen a lot!
159
Which of the following statements best summarizes the benefits of using trusted platform modules (TPMs) as part of an organization’s IT infrastructure? A. Because they have onboard hardware implementations of encryption, hashing, and key generation, they greatly simplify the use of certificate authorities and the public key infrastructure (PKI). B. As a trust root, a TPM can make hierarchies of trust more reliable. C. The TPM replaces the host system’s random number generators and hash routines with its hardware‐accelerated, more secure versions. This enhances system security as well as runtime performance. D. As a signed part of operating systems kernels, TPMs make it possible to validate software updates more reliably.
B. As a trust root, a TPM can make hierarchies of trust more reliable. Explanation Since TPMs are special, sealed hardware modules added to the motherboards of computers or phones by their manufacturers, option D is incorrect, even though TPM device driver software must be incorporated into most OSs to enable their use. Option A is incorrect; the TPM doesn’t simplify this but allows for a more trustworthy hardware storage and management of certificates, digital signatures, and so forth. Option C is not correct; these functions in the OS and host hardware remain, while all the TPM provides is its own implementations with which it secures keys, manages certificates, and hashes (preserves) machine identification information.
160
Which statement about a reference monitor in an identity management and access control system is correct? A. It should be tamper‐resistant. B. Its design and implementation should be complex so as to defeat reverse engineering attacks. C. It’s an abstract design concept, which is not actually built into real hardware, operating systems, or access control implementations. D. It is part of the secure kernel in the accounting server or services provided by strong access control systems.
A. It should be tamper‐resistant. Explanation The reference monitor is the functionality that checks every access attempt to see if it should be authorized or denied. As a result, option D is false (accounting is a recordkeeping function, necessary to access control but done after the access request is granted or denied). Option C is false, since the reference monitor is in fact implemented in operating systems (typically in their security kernel) or as part of a trusted computing base (TCB) module on a motherboard. Option B is the reverse of what’s required; we need to be able to inspect, analyze, and verify that the logic and code of the reference monitor does its job completely and correctly and that it does nothing else if we are to consider it highly trustworthy.
161
What kinds of privileges should be part of what your mandatory access control policies can grant or deny to a requesting subject? (Choose all that apply.) A. Any privilege relating to reading from, writing to, modifying, or deleting the object in question if it was created or is owned by the requesting subject B. Reading or writing/modifying the metadata associated with an object C. Modifying access control system constraints, rules, or policies D. Reading, writing, deleting, or asking the system to load the object as an executable task or thread and run it
B. Reading or writing/modifying the metadata associated with an object D. Reading, writing, deleting, or asking the system to load the object as an executable task or thread and run it Explanation Mandatory access control policies do not allow subjects or objects to modify the security‐related aspects of the system, its subjects, and its objects; thus, granting the privileges in option A or C cannot be allowed. Options B and D reflect reasonable and prudent access control checks that all systems should perform before granting access but that are not part of mandatory access control policies.
162
In access control authentication systems, which is riskier, false positive or false negative errors? A. False negative, because they lead to a threat actor being granted access B. False positive, because they lead to a threat actor being granted access C. False negative, because they lead to legitimate subjects being denied access, which impacts business processes D. False positive, because they lead to legitimate subjects being denied access, which impacts business processes
B. False positive, because they lead to a threat actor being granted access Explanation A positive result of an authentication test means that the claimant is who (or what) they claim to be. Thus, a false positive is allowing an incorrect identity to access the system, which probably is a threat actor. A negative result denies an identity’s claim to be who (or what) they claim to be. Therefore, a false negative denies a legitimate identity from system access. As a result, options A and D incorrectly use the concept of negative and positive authentication results (correct and false). While option C is true, option B indicates the situation of greatest risk—a threat actor has been legitimized and granted access.
163
Which statement about single‐factor versus multifactor authentication is most correct? A. Single‐factor is easiest to implement but with strong authentication is the hardest to attack. B. Multifactor requires greater implementation, maintenance, and management but can be extremely hard to spoof as a result. C. Multifactor authentication requires additional hardware devices to make authentication properly secure. D. Multifactor authentication should be reserved for those high‐risk functions that require extra security.
B. Multifactor requires greater implementation, maintenance, and management but can be extremely hard to spoof as a result. Explanation Option A is false; each additional factor checked increases the challenge an attacker has to overcome to spoof an identity claim. Option C is false; hardware is needed only for factors involving what the subject has, such as a keyfob code generator or biometric factors. Option D is tempting, and high‐risk functions might be best protected with additional security measures, but compared to option B, it is not as compellingly correct.
164
Is IPv6 backward compatible with IPv4? A. No, because the differences in addressing, packet header structure, and other features would not allow an IPv4 packet to successfully travel on an IPv6 network B. No, because IPv4 packets cannot meet the new security considerations built into IPv6 C. Yes, because IPv6 has services built into the protocol stacks to convert IPv4 packets into IPv6 compatible structures D. Yes, because the transport and routing protocols are the same
A. No, because the differences in addressing, packet header structure, and other features would not allow an IPv4 packet to successfully travel on an IPv6 network Explanation Option B is incorrect, because the changes in address field sizes, and therefore packet header structures, have nothing to do with security (although IPv6 does provide enhancements to security). Option C is incorrect; such a conversion could be done by a gateway, but that is not part of IPv6, although IPv6 supports it. Option D is incorrect; although the transport protocols (such as TCP and UDP) have not changed, that is not where the incompatibility comes from.
165
Which statement about subnetting is correct? A. Subnetting applies only to IPv4 networks, unless you are using classless interdomain routing. B. Both IPv4 and IPv6 provide for subnetting, but the much larger IPv6 address field makes this a lot simpler to design and manage. C. Subnetting in IPv4 involves the CIDR protocol, which runs at layer 3; in IPv6, this protocol, and hence subnetting, is not used. D. Because the subnet mask field is so much larger in IPv6, it is easier to subnet in this newer protocol stack than in IPv4.
B. Both IPv4 and IPv6 provide for subnetting, but the much larger IPv6 address field makes this a lot simpler to design and manage. Explanation Options A and C both incorrectly leave out subnetting in IPv6 and misstate what classless inter‐domain routing (CIDR) is about, even though the two options say different incorrect things about CIDR. Option D is partly correct in that IPv6 does have a 16‐bit subnet field, and as option B says, the overall address field size makes subnetting much easier to do, but there is no subnet field in IPv4.
166
Which statement or statements about ports and the Internet is not correct? (Choose all that apply.) A. Using port numbers as part of addressing and routing was necessary during the early days of the Internet, largely because of the small size of the address field, but IPv6 makes most port usage obsolete. B. Standard ports are defined for a number of protocols, and these ports allow the sender and receiver to establish connectivity for specific services. C. Standardized port assignments cannot be changed, or things won’t work right, but they can be mapped to other port numbers by the protocol stacks on senders’ and recipients’ systems. D. Many modern devices, such as those using Android, cannot support ports, and so apps have to be redesigned to use alternate service connection strategies.
A. Using port numbers as part of addressing and routing was necessary during the early days of the Internet, largely because of the small size of the address field, but IPv6 makes most port usage obsolete & D. Many modern devices, such as those using Android, cannot support ports, and so apps have to be redesigned to use alternate service connection strategies. Explanation Ports are a fundamental part of the way apps request services from processes running on other nodes on the Internet. Standardized port numbers make application designs easier to manage; thus, port 80 and HTTP are associated with each other. Therefore, options A and D show a misunderstanding of what ports are and why they are necessary.
167
Which of the following might be legitimate ways to transfer a risk? (Choose all that apply.) A. Recognize that government agencies have the responsibility to contain, control, or prevent this risk, which your taxes pay them to do. B. Pay insurance premiums for a policy that provides for payment of claims and liabilities in the event the risk does occur. C. Shift the affected business processes to a service provider, along with contractually making sure they are responsible for controlling that risk or have countermeasures in place to address it. D. Change the underlying business process to use more secure software and hardware systems.
A, B & C Explanation Option D is typically an example of remediating the risk, sometimes called fixing or mitigating it.
168
Which of the following activities are not part of information risk mitigation? A. Implementing new systems features or capabilities to enhance product quality B. Incident management and investigation, after a suspected information security breach C. Installing and testing new firewall, switch, and router systems and settings D. Developing an information classification policy and process
D. Developing an information classification policy and process Explanation Improving product quality is a laudable goal, but in and of itself it is not related to information systems security; thus option A is incorrect. Option B refers to activities after an incident; mitigation activities happen before an incident occurs or result from lessons learned because of the incident. Option C is most likely being done to implement new or revised security policies. Option D is part of information risk management and should precede information risk mitigation.
169
Which of the following shows the major steps of the information risk management process in the correct order? A. Assess risks across the organization; identify information security and privacy risks; implement countermeasures; establish security and privacy posture; review supply chain for IT security risk elements B. Establish basic security posture; review risks; implement countermeasures; ongoing monitoring and assessment; testing; training C. Set priorities; assess risks; select controls and countermeasures; implement controls; validate correct operation; monitor D. Develop business impact analysis (BIA); establish risk tolerance levels; implement damage control choices; monitor
C. Set priorities; assess risks; select controls and countermeasures; implement controls; validate correct operation; monitor Explanation Option D incorrectly has the BIA first when it has to come after the organization’s leadership has agreed to risk tolerance and set priorities. Option B is incorrect, partly because the basic “commonsense” posture is not part of a formal risk management process but a bare minimum immediate set of actions to take if needed. Option A has establishing a posture (which is policy and decisions that drive implementation and operation steps) and implementation in the wrong order.
170
What is information risk? A. The threat that your computers, online storage, or cloud‐hosted or other data could be hacked into and data stolen or changed B. The probability of an event occurring that disrupts your information and the business processes and systems that use it C. Vulnerabilities in your information systems that can be exploited by a threat actor and cause harmful impacts D. The probability that management and leadership’s directions and communications will be misunderstood, causing the wrong actions to be taken by stakeholders, possibly causing financial loss, injury, or death
B. The probability of an event occurring that disrupts your information and the business processes and systems that use it Explanation Option B is the simplest and most effective definition of information risk. Options A and C do not include probability of occurrence (risks are not certain to happen) and describe how risks become events rather than what the risk actually is. Option D is one example, but it does not define information risk.
171
What kind of information is part of an information risk assessment process? (Choose all that apply.) A. Lost revenues during the downtime caused by the risk incident, including time it takes to get things back to normal B. Damage to equipment or facilities, or injury or death to people C. Estimated costs to implement chosen solutions, remediations, controls, or countermeasures D. Total costs to create an asset that is damaged or disrupted by the risk event
A. Lost revenues during the downtime caused by the risk incident, including time it takes to get things back to normal & B. Damage to equipment or facilities, or injury or death to people Explanation Option C is the safeguard value, which we cannot compute until we have completed risk assessment and vulnerability assessment and then designed, specified, or selected such controls or countermeasures. Option D is typically not the loss incurred by damage of an asset; of greater interest regarding impact to an asset would be the cost to repair it (if repairable), replace it, or design and implement new processes to do without it.
172
Which statement is incorrect as to how you should use RTO, MAO, and RPO in planning information risk management activities? A. Return to operations (RTO) is the desired time to get all business processes back into operation, whether on backup or workaround systems or on production systems brought back to normal. The recovery priority objective (RPO) sets priorities for which systems to bring up first or which business processes to get back into operation before others (of lower priority). B. Recovery point objective (RPO) establishes the maximum amount of data that is lost due to a risk event. This could be in numbers of transactions or in units of time and indicates the amount of rework of information that is acceptable to get systems back into normal operation. C. Recovery time objective (RTO) must be less than or equal to the maximum acceptable outage. MAO sets a maximum downtime (outage time) before mission impact becomes unacceptable; RTO can be used to emphasize faster‐than‐MAO restoration. D. Maximum acceptable outage (MAO) relates to the mission or business objectives; if multiple systems support those objectives, then all of their recovery time objectives (RTOs) must be less than or equal to the MAO.
A. Explanation Option A is a misstatement of RTO and RPO.
173
Darlene was recently offered a consulting opportunity as a side job. She is concerned that the opportunity might constitute a conflict of interest. Which one of the following sources is most likely to provide her with appropriate guidance? A. Organizational code of ethics B. (ISC)2 code of ethics C. Organizational security policy D. (ISC)2 security policy
A. Organizational code of ethics Explanation The situation Darlene finds herself in is an ethical dilemma, and a code of ethics would be the best place to look for guidance. This situation is specific to her employer, so she should turn to her organization’s code of ethics, rather than the more general (ISC)2 Code of Ethics.
174
The (ISC)2 code of ethics applies to all SSCP holders. Which of the following is not one of the four mandatory canons of the code? A. Protect society, the common good, the necessary public trust and confidence, and the infrastructure. B. Disclose breaches of privacy, trust, and ethics. C. Provide diligent and competent service to the principals. D. Advance and protect the profession.
B. Disclose breaches of privacy, trust, and ethics. Explanation The (ISC)2 code of ethics also includes “Act honorably, honestly, justly, responsibly, and legally” but does not specifically require credential holders to disclose all breaches of privacy, trust, or ethics.
175
Juniper Content is a web content development company with 40 employees located in two offices: one in New York and a smaller office in the San Francisco Bay Area. Each office has a local area network protected by a perimeter firewall. The local area network (LAN) contains modern switch equipment connected to both wired and wireless networks. Each office has its own file server, and the information technology (IT) team runs software every hour to synchronize files between the two servers, distributing content between the offices. These servers are primarily used to store images and other files related to web content developed by the company. The team also uses a SaaS‐based email and document collaboration solution for much of their work. You are the newly appointed IT manager for Juniper Content, and you are working to augment existing security controls to improve the organization’s security. You are also concerned about the availability of data stored on each office’s server. You would like to add technology that would enable continued access to files located on the server even if a hard drive in a server fails. What integrity control allows you to add robustness without adding additional servers? A. Server clustering B. Load balancing C. RAID D. Scheduled backups
C. RAID Explanation RAID uses additional hard drives to protect the server against the failure of a single device. Load balancing and server clustering do add robustness but require the addition of a server. Scheduled backups protect against data loss but do not provide immediate access to data in the event of a hard drive failure.
176
Juniper Content is a web content development company with 40 employees located in two offices: one in New York and a smaller office in the San Francisco Bay Area. Each office has a local area network protected by a perimeter firewall. The local area network (LAN) contains modern switch equipment connected to both wired and wireless networks. Each office has its own file server, and the information technology (IT) team runs software every hour to synchronize files between the two servers, distributing content between the offices. These servers are primarily used to store images and other files related to web content developed by the company. The team also uses a SaaS‐based email and document collaboration solution for much of their work. You are the newly appointed IT manager for Juniper Content, and you are working to augment existing security controls to improve the organization’s security. Finally, there are historical records stored on the server that are extremely important to the business and should never be modified. You would like to add an integrity control that allows you to verify on a periodic basis that the files were not modified. What control can you add? A. Hashing B. ACLs C. Read‐only attributes D. Firewalls
A. Hashing Explanation Hashing allows you to computationally verify that a file has not been modified between hash evaluations. ACLs and read‐only attributes are useful controls that may help you prevent unauthorized modification, but they cannot verify that files were not modified. Firewalls are network security controls and do not verify file integrity.
177
Jasper Diamonds is a jewelry manufacturer that markets and sells custom jewelry through their website. Bethany is the manager of Jasper’s software development organization, and she is working to bring the company into line with industry standard practices. She is developing a new change management process for the organization and wants to follow commonly accepted approaches. During what phase of the change management process does the organization conduct peer review of the change for accuracy and completeness? A. Recording B. Analysis/Impact Assessment C. Approval D. Decision Making and Prioritization
B. Analysis/Impact Assessment Explanation During the Analysis/Impact Assessment phase, the organization subjects the change to peer review. In the peer review, technologists verify the accuracy and completeness of the change request and attempt to uncover any impact on other systems that might occur as result of the change.
178
Ben is assessing the compliance of his organization with credit card security requirements. He finds payment card information stored in a database. Policy directs that he remove the information from the database, but he cannot do this for operational reasons. He obtained an exception to policy and is seeking an appropriate compensating control to mitigate the risk. What would be his best option? A. Purchasing insurance B. Encrypting the database contents C. Removing the data D. Objecting to the exception
B. Encrypting the database contents Explanation Ben should encrypt the data to provide an additional layer of protection as a compensating control. The organization has already made a policy exception, so he should not react by objecting to the exception or removing the data without authorization. Purchasing insurance may transfer some of the risk but is not a mitigating control.
179
Which one of the following security programs is designed to establish a minimum standard common denominator of security understanding? A. Training B. Education C. Indoctrination D. Awareness
D. Awareness Explanation Awareness establishes a minimum standard of information security understanding. It is designed to accommodate all personnel in an organization, regardless of their assigned tasks.
180
Chris is responsible for workstations throughout his company and knows that some of the company’s workstations are used to handle proprietary information. Which option best describes what should happen at the end of their lifecycle for workstations he is responsible for? A. Erasing B. Clearing C. Sanitization D. Destruction
C. Sanitization Explanation Sanitization is a combination of processes that ensure that data from a system cannot be recovered by any means. Erasing and clearing are both prone to mistakes and technical problems that can result in remnant data and don’t make sense for systems that handled proprietary information. Destruction is the most complete method of ensuring that data cannot be exposed, and some organizations opt to destroy the entire workstation, but that is not a typical solution because of the cost involved.
181
What term is used to describe a set of common security configurations, often provided by a third party? A. Security policy B. Baseline C. DSS D. NIST SP 800‐53
B. Baseline Explanation A baseline is a set of security configurations that can be adopted and modified to fit an organization’s security needs. A security policy is written to describe an organization’s approach to security, while DSS is the second half of the Payment Card Industry Data Security Standard. The NIST SP 800 series of documents addresses computer security in a variety of areas.
182
What type of fire suppression system fills with water when the initial stages of a fire are detected and then requires a sprinkler head heat activation before dispensing water? A. Wet pipe B. Dry pipe C. Deluge D. Preaction
D. Preaction Explanation A preaction fire suppression system activates in two steps. The pipes fill with water once the early signs of a fire are detected. The system does not dispense water until heat sensors on the sprinkler heads trigger the second phase.
183
Betty is concerned about the use of buffer overflow attacks against a custom application developed for use in her organization. What security control would provide the strongest defense against these attacks? A. Firewall B. Intrusion detection system C. Parameter checking D. Vulnerability scanning
C. Parameter checking Explanation Parameter checking, or input validation, is used to ensure that input provided by users to an application matches the expected parameters for the application. Developers may use parameter checking to ensure that input does not exceed the expected length, preventing a buffer overflow attack.
184
Which one of the following facilities would have the highest level of physical security requirements? A. Data center B. Network closet C. SCIF D. Cubicle work areas
C. SCIF Explanation Sensitive compartmented information facilities (SCIFs) are highly secure government facilities designed for processing classified information. They would have stricter physical security requirements than any other type of facility.
185
Which of the following is not true about the (ISC)2 code of ethics? A. Adherence to the code is a condition of certification. B. Failure to comply with the code may result in revocation of certification. C. The code applies to all members of the information security profession. D. Members who observe a breach of the code are required to report the possible violation.
C. The code applies to all members of the information security profession. Explanation The (ISC)2 code of ethics applies only to information security professionals who are members of (ISC)2. Adherence to the code is a condition of certification, and individuals found in violation of the code may have their certifications revoked. (ISC)2 members who observe a breach of the code are required to report the possible violation by following the ethics complaint procedures.
186
Tracy is preparing to apply a patch to her organization’s enterprise resource planning system. She is concerned that the patch may introduce flaws that did not exist in prior versions, so she plans to conduct a test that will compare previous responses to input with those produced by the newly patched application. What type of testing is Tracy planning? A. Unit testing B. Acceptance testing C. Regression testing D. Vulnerability testing
C. Regression testing Explanation Regression testing is software testing that runs a set of known inputs against an application and then compares the results to those produced by an earlier version of the software. It is designed to capture unanticipated consequences of deploying new code versions prior to introducing them into a production environment.
187
The large business that Jack works for has been using noncentralized logging for years. They have recently started to implement centralized logging, however, and as they reviewed logs, they discovered a breach that appeared to have involved a malicious insider. How can Jack best ensure accountability for actions taken on systems in his environment? A. Review the logs and require digital signatures for each log. B. Require authentication for all actions taken and capture logs centrally. C. Log the use of administrative credentials and encrypt log data in transit. D. Require authorization and capture logs centrally.
B. Require authentication for all actions taken and capture logs centrally. Explanation Requiring authentication can help provide accountability by ensuring that any action taken can be tracked back to a specific user. Storing logs centrally ensures that users can’t erase the evidence of actions that they have taken. Reviewing the logs can be useful when identifying issues, but digital signatures are not a typical part of a logging environment. Logging the use of administrative credentials helps for users with privileged access but won’t cover all users, and encrypting the logs doesn’t help with accountability. Authorization helps, but being able to specifically identify users through authentication is more important.
188
Jasper Diamonds is a jewelry manufacturer that markets and sells custom jewelry through their website. Bethany is the manager of Jasper’s software development organization, and she is working to bring the company into line with industry standard practices. She is developing a new change management process for the organization and wants to follow commonly accepted approaches. During what phase of the change management process does the organization conduct peer review of the change for accuracy and completeness? A. Recording B. Analysis/Impact Assessment C. Approval D. Decision Making and Prioritization
B. Analysis/Impact Assessment Explanation During the Analysis/Impact Assessment phase, the organization subjects the change to peer review. In the peer review, technologists verify the accuracy and completeness of the change request and attempt to uncover any impact on other systems that might occur as result of the change.
189
Jasper Diamonds is a jewelry manufacturer that markets and sells custom jewelry through their website. Bethany is the manager of Jasper’s software development organization, and she is working to bring the company into line with industry standard practices. She is developing a new change management process for the organization and wants to follow commonly accepted approaches. Who should the organization appoint to manage the policies and procedures surrounding change management? A. Project manager B. Change manager C. System security officer D. Architect
B. Change manager Explanation Organizations adopting change management practices should appoint a change manager who will be responsible for managing policies and procedures. The change manager is also responsible for developing and maintaining the processes for requesting, approving, testing, and controlling changes.
190
Which one of the following is not a goal of a formal change management program? A. Implement change in an orderly fashion. B. Test changes prior to implementation. C. Provide rollback plans for changes. D. Inform stakeholders of changes after they occur.
D. Inform stakeholders of changes after they occur. Explanation Stakeholders should be informed of changes before, not after, they occur. The other items listed are goals of change management programs.
191
What term is used to describe a set of common security configurations, often provided by a third party? A. Security policy B. Baseline C. DSS D. NIST SP 800‐53
B. Baseline Explanation A baseline is a set of security configurations that can be adopted and modified to fit an organization’s security needs; vendors, CIS, and DISA (STIGs) publish such baselines. A security policy is written to describe an organization’s approach to security, while DSS is the second half of the Payment Card Industry Data Security Standard. NIST SP 800-53 is a catalog of security and privacy controls, not a set of configuration settings; the NIST SP 800 series as a whole addresses computer security in a variety of areas.
192
Javier is verifying that only IT system administrators have the ability to log on to servers used for administrative purposes. What principle of information security is he enforcing? A. Need to know B. Least privilege C. Two‐person control D. Transitive trust
B. Least privilege Explanation The principle of least privilege says that an individual should only have the privileges necessary to complete their job functions. Restricting administrative logon to the administrators who need it, and removing administrative privileges from nonadministrative users, is an example of least privilege. Need to know governs access to information rather than to the privilege of logging on.
193
Which one of the following tools helps system administrators by providing a standard, secure template of configuration settings for operating systems and applications? A. Security guidelines B. Security policy C. Baseline configuration D. Running configuration
C. Baseline configuration Explanation Baseline configurations serve as the starting point for configuring secure systems and applications. They contain the security settings necessary to comply with an organization’s security policy and may then be customized to meet the specific needs of an implementation. While security policies and guidelines may contain information needed to secure a system, they do not contain a set of configuration settings that may be applied to a system. The running configuration of a system is the set of currently applied settings, which may or may not be secure.
194
What is the best method for dealing with data remanence on SSDs? A. Physical destruction B. Degaussing C. Formatting D. Overwriting
A. Physical destruction Explanation Degaussing only works on magnetic media and has no effect on flash cells. Formatting rewrites the file system structures but leaves the underlying data blocks forensically recoverable. Overwriting is not reliable on SSDs because wear leveling and over-provisioning mean the logical addresses the host writes to do not map one-to-one to physical flash; old copies of data can survive in blocks the host cannot address. Physical destruction is the only method that guarantees the data is gone. Where the drive must be reused, the firmware’s ATA Secure Erase or a cryptographic erase of the drive key is the usual alternative, but it depends on a correct firmware implementation and should be verified before the drive leaves the organization’s control.
197
Whenever an organization chooses to perform risk mitigation to address a particular risk, what other form of risk management will also be included? A. Risk transference B. Risk avoidance C. Risk capture D. Risk acceptance
The correct answer is D. Risk mitigation always leaves some residual risk; the purpose of risk mitigation is to get risk down to an acceptable level.
198
What is the main goal of a risk assessment program? A. To calculate annualized loss expectancy (ALE) formulas B. To develop a disaster recovery plan (DRP) C. To evaluate risk mitigation D. To help balance the cost between risk and countermeasures
The correct answer is D. Calculating ALE (A) is one step within quantitative risk analysis, a means rather than the goal. Evaluating mitigation (C) is a follow-on activity once risks have been assessed, and developing a DRP (B) is a separate business continuity process that a risk assessment informs. The point of the program is to understand risk well enough to spend on countermeasures in proportion to the loss they prevent.
199
Raul is creating a trust relationship between his company and a vendor. He is implementing the system so that it will allow users from the vendor’s organization to access his accounts payable system using the accounts created for them by the vendor. What type of authentication is Raul implementing? A. Federated authentication B. Transitive trust C. Multifactor authentication D. Single sign‐on
A. Federated authentication Explanation This type of authentication, where one domain trusts users from another domain, is called federation. Federation may involve transitive trusts, where the trusts may be followed through a series of domains, but this scenario only describes the use of two domains. The scenario only describes use of credentials for a single system and does not describe a multiple‐system scenario where single sign‐on would be relevant. There is no requirement described for the use of multifactor authentication, which would require the use of two or more diverse authentication techniques.
200
When you input a user ID and password, you are performing what important identity and access management activity? A. Authorization B. Validation C. Authentication D. Login
C. Authentication Explanation When you input a username and password, you are authenticating yourself by providing a unique identifier and a verification that you are the person who should have that identifier (the password). Authorization is the process of determining what a user is allowed to do. Validation and login both describe elements of what is happening in the process; however, they aren’t the most important identity and access management activity.
201
Which of the following is a ticket‐based authentication protocol designed to provide secure communication? A. RADIUS B. OAuth C. SAML D. Kerberos
D. Kerberos Explanation Kerberos is an authentication protocol that uses tickets and provides secure communications between the client, the key distribution center (KDC) with its authentication server (AS) and ticket-granting service (TGS), and endpoint services. RADIUS does not provide the same level of security by default: it only obfuscates the password attribute and sends the rest of the exchange in cleartext. SAML is an XML-based standard for exchanging authentication and authorization assertions, not a ticket-based protocol, and OAuth is an authorization framework designed to let third-party websites obtain delegated access to resources held by providers such as Google or Microsoft.
202
What type of token‐based authentication system uses a challenge/response process in which the challenge must be entered on the token? A. Asynchronous B. Smart card C. Synchronous D. RFID
A. Asynchronous Explanation Asynchronous tokens use a challenge/response process in which the system sends a challenge and the user responds with a PIN and a calculated response to the challenge. The server performs the same calculations, and if both match, it authenticates the user. Synchronous tokens use a time‐based calculation to generate codes. Smart cards are paired with readers and don’t need to have challenges entered, and RFID devices are not used for challenge/response tokens.
203
The U.S. government CAC is an example of what form of Type 2 authentication factor? A. A token B. A biometric identifier C. A smart card D. A PIV
C. A smart card Explanation The U.S. government’s Common Access Card is a smart card. The U.S. government also issues PIV cards, or personal identity verification cards; the CAC is the Department of Defense’s PIV-compliant card, so PIV describes the standard the card meets rather than the factor type.
204
Which objects and subjects have a label in a MAC model? A. Objects and subjects that are classified as Confidential, Secret, or Top Secret have a label. B. All objects have a label, and all subjects have a compartment. C. All objects and subjects have a label. D. All subjects have a label and all objects have a compartment.
C. All objects and subjects have a label. Explanation In a mandatory access control system, all subjects and objects have a label. Compartments may or may not be used, but there is not a specific requirement for either subjects or objects to be compartmentalized. The specific labels of Confidential, Secret, and Top Secret are not required by MAC.
205
Jack’s organization is a government agency that handles very sensitive information. They need to implement an access control system that allows administrators to set access rights but does not allow the delegation of those rights to other users. What is the best type of access control design for Jack’s organization? A. Discretionary access control B. Mandatory access control C. Decentralized access control D. Rule‐based access control
B. Mandatory access control Explanation Mandatory access control systems allow an administrator to configure access permissions but do not allow users to delegate permission to others. Discretionary access control systems do allow this delegation. The scenario does not provide information to indicate whether a decentralized or rule‐based approach is appropriate.
206
Kathleen works for a data center hosting facility that provides physical data center space for individuals and organizations. Until recently, each client was given a magnetic‐strip‐based keycard to access the section of the facility where their servers are located, and they were also given a key to access the cage or rack where their servers reside. In the past month, several servers have been stolen, but the logs for the pass cards show only valid IDs. What is Kathleen’s best option to make sure that the users of the pass cards are who they are supposed to be? A. Add a reader that requires a PIN for passcard users. B. Add a camera system to the facility to observe who is accessing servers. C. Add a biometric factor. D. Replace the magnetic stripe keycards with smartcards.
C. Add a biometric factor. Explanation Kathleen should implement a biometric factor. The cards and keys are an example of a Type 2 factor, or “something you have.” Using a smart card replaces this with another Type 2 factor, but the cards could still be loaned out or stolen. Adding a PIN suffers from the same problem: A PIN can be stolen. Adding cameras doesn’t prevent access to the facility and thus doesn’t solve the immediate problem (but it is a good idea!).
207
What term is used to describe the default set of privileges assigned to a user when a new account is created? A. Aggregation B. Transitivity C. Baseline D. Entitlement
D. Entitlement Explanation Entitlement refers to the privileges granted to users when an account is first provisioned. Aggregation is the accumulation of privileges over time. Transitivity is the inheritance of privileges and trust through relationships. Baselines are snapshots of a system or application’s security that allow analysts to detect future modifications.
208
When a user attempts to log into their online account, Google sends a text message with a code to their cell phone. What type of verification is this? A. Knowledge‐based authentication B. Dynamic knowledge‐based authentication C. Out‐of‐band identity proofing D. Risk‐based identity proofing
C. Out‐of‐band identity proofing Explanation Identity proofing that relies on a type of verification outside the initial environment that required the verification is out‐of‐band identity proofing. This type of verification relies on the owner of the phone or phone number having control of it but removes the ability for attackers to use only Internet‐based resources to compromise an account. Knowledge‐based authentication relies on answers to preselected information, whereas dynamic knowledge–based authentication builds questions using facts or data about the user. Risk‐based identity proofing uses risk‐based metrics to determine whether identities should be permitted or denied access. It is used to limit fraud in financial transactions, such as credit card purchases. This is a valid form of proofing but does not necessarily use an out‐of‐band channel, such as SMS. Note that NIST SP 800-63B classifies out-of-band authentication over the public telephone network (SMS or voice) as a restricted authenticator because of SIM-swap and number-porting attacks, so an authenticator app or hardware key is preferred where available.
209
In a zero‐trust network architecture, what criterion is used to make trust decisions? A. Identity of a user or device B. IP address C. Network segment D. VLAN membership
A. Identity of a user or device Explanation Zero trust treats network location as meaningless for trust: being on the corporate LAN, in a particular IP range, network segment, or VLAN earns no access by itself. Every request is authenticated and authorized based on the identity of the user and the device (commonly combined with device posture), and that decision is re-evaluated per session or per request rather than granted once at the network perimeter.
210
MAC models use three types of environments. Which of the following is not a mandatory access control design? A. Hierarchical B. Bracketed C. Compartmentalized D. Hybrid
B. Bracketed Explanation Mandatory access control systems can be hierarchical, where each domain is ordered and related to other domains above and below it; compartmentalized, where there is no relationship between each domain; or hybrid, where both hierarchy and compartments are used. There is no concept of bracketing in mandatory access control design.
211
Which of the following is best described as an access control model that focuses on subjects and identifies the objects that each subject can access? A. An access control list B. An implicit denial list C. A capability table D. A rights management matrix
C. A capability table Explanation Capability tables list the privileges assigned to subjects and identify the objects that subjects can access. Access control lists are object‐focused rather than subject‐focused. Implicit deny is a principle that states that anything that is not explicitly allowed is denied, and a rights management matrix is not an access control model.
212
Susan wants to integrate her website to allow users to use accounts from sites like Google. What technology should she adopt? A. Kerberos B. LDAP C. OpenID
C. OpenID Explanation OpenID is a widely supported standard that allows a user to use a single account to log into multiple sites, and Google accounts are frequently used with OpenID. The current version, OpenID Connect, is an identity layer built on top of OAuth 2.0. Kerberos and LDAP are used for authentication inside an organization’s own network and directory, not for accepting accounts from an external provider.
213
Ben uses a software‐based token that changes its code every minute. What type of token is he using? A. Asynchronous B. Smart card C. Synchronous D. Static
C. Synchronous Explanation Synchronous soft tokens, such as Google Authenticator, use a time‐based algorithm that generates a constantly changing series of codes. Asynchronous tokens typically require a challenge to be entered on the token to allow it to calculate a response, which the server compares to the response it expects. Smartcards typically present a certificate but may have other token capabilities built in. Static tokens are physical devices that can contain credentials and include smart cards and memory cards.
214
Which of the following multifactor authentication technologies provides both low management overhead and flexibility? A. Biometrics B. Software tokens C. Synchronous hardware tokens D. Asynchronous hardware tokens
B. Software tokens Explanation Software tokens are flexible, with delivery options including mobile applications, SMS, and phone delivery. They have a relatively low administrative overhead, as users can typically self‐manage. Biometrics require significant effort to register users and to deploy and maintain infrastructure, and they require hardware at each authentication location. Both types of hardware tokens can require additional overhead for distribution and maintenance, and token failure can cause support challenges.
215
Jim wants to allow a partner organization’s Active Directory forest (B) to access his domain forest’s (A)’s resources but doesn’t want to allow users in his domain to access B’s resources. He also does not want the trust to flow upward through the domain tree as it is formed. What should he do? A. Set up a two‐way transitive trust. B. Set up a one‐way transitive trust. C. Set up a one‐way nontransitive trust. D. Set up a two‐way nontransitive trust.
C. Set up a one‐way nontransitive trust. Explanation A trust that allows one forest to access another’s resources without the reverse being possible is a one‐way trust: Jim’s forest (A) is the trusting side and the partner forest (B) is the trusted side, so B’s principals can reach A’s resources but not vice versa. Since Jim doesn’t want the trust path to flow as the domain tree is formed, this trust also has to be nontransitive, limiting it to the two domains that directly participate.
216
Lauren’s team of system administrators each deal with hundreds of systems with varying levels of security requirements and find it difficult to handle the multitude of usernames and passwords they each have. What type of solution should she recommend to ensure that passwords are properly handled and that features such as logging and password rotation occur? A. A credential management system B. A strong password policy C. Separation of duties D. Single sign‐on
A. A credential management system Explanation Lauren’s team would benefit from a credential management system. Credential management systems offer features such as password management, multifactor authentication to retrieve passwords, logging, audit, and password rotation capabilities. A strong password policy would only make maintenance of passwords for many systems a more difficult task if done manually. Single sign‐on would help if all of the systems had the same sensitivity levels, but different credentials are normally required for higher‐sensitivity systems.
217
What type of trust relationship extends beyond the two domains participating in the trust to one or more of their subdomains? A. Transitive trust B. Inheritable trust C. Nontransitive trust D. Noninheritable trust
A. Transitive trust Explanation Transitive trusts go beyond the two domains directly involved in the trust relationship and extend to their subdomains. Nontransitive trusts are not inheritable to other domains. The terms inheritable trust and noninheritable trust are not normally used.
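A model of trust direction and transitivity covering Jim’s one-way nontransitive scenario above and this card, as an added example rather than anything from the flashcard deck. It reduces Active Directory’s rules to two switches, one-way versus two-way and transitive (forest trust, reaching every domain in both forests) versus nontransitive (external trust, limited to the two named domains); the forest layouts and domain names are constructed.

```python
"""Simplified model of trust direction and transitivity between two forests.
Added example, not from the flashcard source; forests and domain names are
constructed, and real AD trust semantics are reduced to two switches."""

# Each forest: root domain -> every domain in that forest (root first).
FORESTS = {
    "a.example": ["a.example", "hr.a.example", "dev.a.example"],   # Jim's forest (A)
    "b.partner": ["b.partner", "sales.b.partner"],                  # partner forest (B)
}


def forest_of(domain: str) -> str:
    for root, domains in FORESTS.items():
        if domain in domains:
            return root
    raise KeyError(f"unknown domain {domain}")


class Trust:
    """`trusting` trusts `trusted`: principals from `trusted` may access resources
    in `trusting`. two_way adds the reverse direction. transitive widens the scope
    from the two root domains to every domain in both forests."""

    def __init__(self, trusting: str, trusted: str,
                 two_way: bool = False, transitive: bool = False):
        self.trusting, self.trusted = trusting, trusted
        self.two_way, self.transitive = two_way, transitive

    def directions(self):
        yield self.trusting, self.trusted
        if self.two_way:
            yield self.trusted, self.trusting

    def scope(self, root: str) -> set:
        return set(FORESTS[root]) if self.transitive else {root}


def can_access(trusts, principal_domain: str, resource_domain: str) -> bool:
    """Can a principal from `principal_domain` reach a resource in `resource_domain`?
    Domains inside one forest trust each other by default; across forests an
    explicit trust with the right direction and scope is required."""
    if forest_of(principal_domain) == forest_of(resource_domain):
        return True
    for trust in trusts:
        for trusting, trusted in trust.directions():
            if (resource_domain in trust.scope(trusting)
                    and principal_domain in trust.scope(trusted)):
                return True
    return False


if __name__ == "__main__":
    jim = [Trust("a.example", "b.partner")]  # one-way, nontransitive
    for principal, resource in [("b.partner", "a.example"),
                                ("a.example", "b.partner"),
                                ("sales.b.partner", "a.example")]:
        print(f"{principal:>16} -> {resource:<12}: {can_access(jim, principal, resource)}")
```

Running the demo shows only the first pair succeeding: the reverse direction fails because the trust is one-way, and the child domain fails because it is nontransitive. Switching transitive=True is what would let sales.b.partner in, which is exactly what Jim said he did not want.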
218
Adam is accessing a standalone file server using a username and password provided to him by the server administrator. Which one of the following entities is guaranteed to have information necessary to complete the authorization process? A. Adam B. File server C. Server administrator D. Adam’s supervisor
B. File server Explanation We know that both Adam and the server administrator have the username and password, but this is information used for identification and authentication, not authorization. We do not know what information Adam’s supervisor might have. The server is a standalone file server, so it must have information about the activities that Adam is authorized to perform.
219
Susan has been asked to recommend whether her organization should use a MAC scheme or a DAC scheme. If flexibility and scalability are important requirements for implementing access controls, which scheme should she recommend and why? A. MAC, because it provides greater scalability and flexibility because you can simply add more labels as needed B. DAC, because allowing individual administrators to make choices about the objects they control provides scalability and flexibility C. MAC, because compartmentalization is well suited to flexibility and adding compartments will allow it to scale well D. DAC, because a central decision process allows quick responses and will provide scalability by reducing the number of decisions required and flexibility by moving those decisions to a central authority
B. DAC, because allowing individual administrators to make choices about the objects they control provides scalability and flexibility Explanation Discretionary access control (DAC) can provide greater scalability by leveraging many administrators, and those administrators can add flexibility by making decisions about access to their objects without fitting into an inflexible mandatory access control (MAC) system. MAC is more secure because of the strong set of controls it provides, but it does not scale as well as DAC and is relatively inflexible in comparison.
220
Which of the following tools is not typically used to verify that a provisioning process was followed in a way that ensures that the organization’s security policy is being followed? A. Log review B. Manual review of permissions C. Signature‐based detection D. Review the audit trail
C. Signature‐based detection Explanation While signature‐based detection is used to detect attacks, review of provisioning processes typically involves checking logs, reviewing the audit trail, or performing a manual review of permissions granted during the provisioning process.
221
Joe is the security administrator for an ERP system. He is preparing to create accounts for several new employees. What default access should he give to all of the new employees as he creates the accounts? A. Read only B. Editor C. Administrator D. No access
D. No access Explanation The principle of least privilege should guide Joe in this case. He should apply no access permissions by default and then give each user the necessary permissions to perform their job responsibilities. Read‐only, editor, and administrator permissions may be necessary for one or more of these users, but those permissions should be assigned based upon business need and not by default.
222
A new customer at a bank that uses fingerprint scanners to authenticate its users is surprised when he scans his fingerprint and is logged in to another customer’s account. What type of biometric factor error occurred? A. A registration error B. A Type 1 error C. A Type 2 error D. A time‐of‐use, method‐of‐use error
C. A Type 2 error Explanation Type 2 errors occur in biometric systems when an invalid subject is incorrectly authenticated as a valid user. In this case, nobody except the actual customer should be validated when fingerprints are scanned. Type 2 errors are also known as false positive or false acceptance errors, measured as the false acceptance rate (FAR). Type 1 (false negative, or false rejection) errors occur when a valid subject is not authenticated; if the existing customer was rejected, it would be a Type 1 error, counted in the false rejection rate (FRR). Registration (enrollment) is the process of adding users, but registration errors and time‐of‐use, method‐of‐use errors are not specific biometric authentication terms.
223
Kelly is adjusting her organization’s password requirements to make them consistent with best practice guidance from NIST. What should she choose as the most appropriate time period for password expiration? A. 30 days B. 90 days C. 180 days D. No expiration
D. No expiration Explanation Current guidance in NIST Special Publication 800-63B says verifiers should not require memorized secrets to be changed arbitrarily (for example, every 90 days); a change should be forced only when there is evidence that the password has been compromised. Arbitrary rotation pushes users toward predictable variations of the same password. The companion requirements are to screen new passwords against lists of common and previously breached values and to allow long passphrases.
224
Ben is working on integrating a federated identity management system and needs to exchange authentication and authorization information for browser‐based single sign‐on. What technology is his best option? A. HTML B. XACML C. SAML D. SPML
C. SAML Explanation Security Assertion Markup Language (SAML) is the best choice for providing authentication and authorization information, particularly for browser‐based SSO. HTML is primarily used for web pages, SPML (Service Provisioning Markup Language) is used to provision and manage user accounts across systems rather than to sign users in, and XACML is used to express access control policies.
225
Mandatory access control is based on what type of model? A. Discretionary B. Group‐based C. Lattice‐based D. Rule‐based
C. Lattice‐based Explanation Mandatory access control systems are based on a lattice‐based model. A lattice orders security labels (a sensitivity level plus a set of compartments) so that for any two labels there is a least upper bound and greatest lower bound; a subject may access an object only if the subject’s label dominates the object’s, which is what compartmentalizes data. Discretionary access models allow object owners to determine access to the objects they control, role‐based access controls are often group‐based, and rule‐based access controls like firewall ACLs apply rules to all subjects they apply to.
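The lattice behind this card and the earlier MAC cards (all subjects and objects carry a label; hierarchical, compartmentalized and hybrid designs), as an added example that is not part of the flashcard deck. A label is a level plus a set of compartments, "dominates" is the lattice ordering, and the read and write checks are the Bell-LaPadula simple security and star properties. The level names, compartments and sample labels are constructed.

```python
"""Lattice-based mandatory access control: labels with a hierarchical level plus
compartments, and the dominance test that drives MAC decisions.
Added example, not from the flashcard source; levels, compartments and sample
labels are constructed."""
from dataclasses import dataclass

# Hierarchical part: a total order of sensitivity levels.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()  # compartmentalized part

    def dominates(self, other: "Label") -> bool:
        """self is at or above `other` in the lattice: level is >= AND the
        compartment set is a superset. Two labels can be incomparable (neither
        dominates), which is what makes this a lattice and not a ladder."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property ('no read up'): the subject's clearance must
    dominate the object's classification."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """Star property ('no write down'): the object must dominate the subject, so
    a highly cleared user cannot copy data into a lower-classified object."""
    return obj.dominates(subject)


def least_upper_bound(a: Label, b: Label) -> Label:
    """Smallest label dominating both inputs: the label a document that combines
    data from both sources has to carry."""
    level = a.level if LEVELS[a.level] >= LEVELS[b.level] else b.level
    return Label(level, a.compartments | b.compartments)


if __name__ == "__main__":
    analyst = Label("Secret", frozenset({"CRYPTO"}))
    report = Label("Secret", frozenset({"CRYPTO", "NUCLEAR"}))
    print("analyst reads report:", can_read(analyst, report))      # False: missing NUCLEAR
    print("analyst reads Confidential:", can_read(analyst, Label("Confidential")))  # True
    print("analyst writes Confidential:", can_write(analyst, Label("Confidential")))  # False
```

Note that nothing here lets the analyst grant anyone else access; the decision is a pure function of the two labels, which is the property the "no delegation" card relies on.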
226
Which one of the following is not an example of a technical control? A. Session timeout B. Password aging C. Encryption D. Data classification
D. Data classification Explanation Session timeouts, password aging, and encryption are all examples of technical controls. Data classification is an administrative control.
228
What's the formula for ARO?
Annualized Rate of Occurrence = expected number of occurrences / number of years over which they are expected. Example: an event expected once every 200 years gives ARO = 1 / 200 = 0.005, i.e. a 0.5% chance in any given year; an event expected once a year gives ARO = 1.
229
What's the formula for EF?
Exposure Factor = amount of damage from one occurrence / total asset value, expressed as a percentage. Example: EF = $5,000,000 / $10,000,000 = 50%. Single Loss Expectancy (SLE) is the same relationship the other way round: SLE = asset value x EF.
230
What's the formula for ALE?
Annualized Loss Expectancy = single loss expectancy x ARO. Example: ALE = $5,000,000 x 0.005 = $25,000 per year, i.e. a $5,000,000 loss expected once in 200 years spread evenly across those years. Comparing an ALE with and without a countermeasure, minus the countermeasure’s annual cost, is how the cost/benefit of a safeguard is judged.
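The three formulas on these cards carried through to the countermeasure decision that the risk assessment card names as the program’s goal, as an added worked example that is not part of the flashcard deck. The $10,000,000 asset, 50% exposure factor and once-in-200-years event are the cards’ own figures; the two candidate controls and their costs are constructed assumptions.

```python
"""Quantitative risk formulas (SLE, ARO, ALE) and safeguard cost/benefit.
Added worked example, not from the flashcard source; the asset figures are the
cards' own, the controls and their costs are constructed."""


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF: loss from one occurrence. EF is a fraction (0.5 = 50%)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_rate_of_occurrence(occurrences: float, years: float) -> float:
    """ARO = expected occurrences / number of years. Once in 200 years -> 0.005."""
    return occurrences / years


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: expected loss per year averaged over the long run."""
    return sle * aro


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Standard cost/benefit test for a countermeasure:
    (ALE before) - (ALE after) - (annual cost of the safeguard).
    Positive: the control saves more than it costs. Negative: it does not pay."""
    return ale_before - ale_after - annual_cost


def evaluate(asset_value, exposure_factor, occurrences, years, controls):
    """Return the ALE with no control and the net value of each candidate control.
    `controls` maps a name to (residual EF, residual ARO, annual cost)."""
    base_ale = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, exposure_factor),
        annualized_rate_of_occurrence(occurrences, years),
    )
    values = {}
    for name, (ef_after, aro_after, cost) in controls.items():
        ale_after = annualized_loss_expectancy(
            single_loss_expectancy(asset_value, ef_after), aro_after)
        values[name] = safeguard_value(base_ale, ale_after, cost)
    return base_ale, values


if __name__ == "__main__":
    # Flashcard figures: $10M asset, 50% damage per event, one event per 200 years.
    base, values = evaluate(10_000_000, 0.5, 1, 200, {
        "offsite backups (halve EF)": (0.25, 0.005, 8_000),    # constructed
        "full site redundancy (halve EF)": (0.25, 0.005, 20_000),  # constructed
    })
    print(f"ALE without controls: ${base:,.0f}/yr")
    for name, value in values.items():
        verdict = "worth it" if value > 0 else "not worth it"
        print(f"  {name}: net value ${value:,.0f}/yr -> {verdict}")
```

Both constructed controls cut the ALE from $25,000 to $12,500; the $8,000 control nets $4,500 a year and the $20,000 control loses $7,500 a year, which is the "balance the cost between risk and countermeasures" judgement in numbers.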
231
What are the UTP wire categories:
CAT 1: voice only, no data
CAT 2: 4 Mbps
CAT 3: 10 Mbps (10BASE-T)
CAT 4: 16 Mbps (Token Ring)
CAT 5: 100 Mbps (100BASE-TX)
CAT 5e: 1 Gbps (1000BASE-T) to 100 m
CAT 6: 1 Gbps to 100 m; 10 Gbps (10GBASE-T) only to about 55 m, so it is used for short runs in data centers and within racks
CAT 6a: 10 Gbps to 100 m
CAT 7: 10 Gbps, fully shielded (an ISO/IEC class, not a TIA-recognized category)
CAT 7a: up to 40 Gbps over short runs
CAT 8: 25/40 Gbps (25GBASE-T/40GBASE-T) up to 30 m (data centers and short runs)
232
Access Control Type 1, 2 & 3
Type 1: something you know (e.g., passwords, PINs, passphrases).
Type 2: something you have, meaning a physical object or token that grants access to a resource, such as smart cards, key fobs, hardware or software tokens, ID badges, and physical keys.
Type 3: something you are (e.g., biometric data such as fingerprints or iris scans).