General

Question 1

What are two ways to measure risk?

Answer 1

Quantitative and Qualitative

Question 2

Which risk response is also included when risk mitigation is performed?

Answer 2

Acceptance

Question 3

This describes the probability of a threat being realized.

Answer 3

Likelihood

Question 4

This describes the amount of loss during a one-year timespan.

Answer 4

Annualized Loss Expectancy (ALE)

Question 5

This phase of the risk management life cycle identifies effective means by which identified risks can be reduced.

Answer 5

Control

Question 6

A ____________ should include detailed descriptions of the necessary steps required to successfully complete a task.

Answer 6

Process

Question 7

This function of the NIST CSF defines capabilities needed for the timely discovery of security incidents.

Answer 7

Detect

Question 8

A formal mechanism designed to measure performance of a program against desired goals.

Answer 8

Key Performance Indicator (KPI)

Question 9

Which cloud service type represents the lowest amount of responsibility for the customer?

Answer 9

SaaS

Question 10

This describes when a customer is completely dependent on a vendor for products or services.

Answer 10

Vendor lock-in

Question 11

This describes when a copy of vendor-developed source code is provided to a trusted third party, in case of disaster.

Answer 11

Source code escrow

Question 12

This describes all of the suppliers, vendors, and partners needed to deliver a final product.

Answer 12

The Supply Chain

Question 13

A set of cybersecurity standards developed by the United States Department of Defense (DoD) and designed to help fortify the DoD supply chain.

Answer 13

CMMC

Question 14

True or False. The use of cloud service providers always reduces risk.

Answer 14

False

Question 15

Which type of data can be used to identify an individual and includes information about past, present, or future health?

Answer 15

Protected Health Information (PHI)

Question 16

Which type of data describes intangible products of human thought and ingenuity?

Answer 16

Intellectual Property (IP)

Question 17

Which data destruction method is focused on the sanitization of the key used to perform decryption of data?

Answer 17

Crypto erase

Question 18

Which concept identifies that the laws governing the country in which data is stored have control over the data?

Answer 18

Data sovereignty

Question 19

A non-regulatory agency in the United States that establishes standards and best-practices across the entire science and technology field is known as:

Answer 19

NIST

Question 20

What regulation enforces rules for organizations that offer services to entities in the European Union (EU) or that collect and/or analyze data on subjects located there?

Answer 20

GDPR

Question 21

Which U.S. federal law is designed to protect the privacy of children?

Answer 21

COPPA

Question 22

Which process is designed to provide assurance that information systems are compliant with federal standards?

Answer 22

Certification and Accreditation

Question 23

This describes the identification of applicable laws depending on the location of the organization, data, or customer/subject.

Answer 23

Jurisdiction

Question 24

What concept is often linked to the “prudent man rule”?

Answer 24

Due care

Question 25

This describes when an organization’s legal team receives notification instructing them to preserve electronically stored information.

Answer 25

Legal Hold

Question 26

What type of agreement is often described as an “umbrella” contract that establishes the agreement between two entities to conduct business?

Answer 26

Master Services Agreement (MSA)

Question 27

Which agreement governs services that are both measurable and repeatable and also generally include enforcement mechanisms that result in financial penalties for non-compliance?

Answer 27

Service Level Agreement (SLA)

Question 28

What is the last step in a business continuity plan?

Answer 28

Maintenance

Question 29

NIST defines this as “An analysis of an information system’s requirements, functions, and interdependencies used to characterize system contingency requirements and priorities in the event of a significant disruption.”

Answer 29

Business Impact Analysis

Question 30

This generally defines the amount of data that can be lost without irreparable harm to the operation of the business.

Answer 30

Recovery Point Objective

Question 31

Which type of assessment seeks to identify specific types of sensitive data so that its use and handling can be properly disclosed?

Answer 31

Privacy Impact Assessment

Question 32

Using other branch locations to manage a disaster response is referred to as:

Answer 32

Alternate Operating Facilities

Question 33

Which type of DR site has lowest operating expense and complexity?

Answer 33

Cold Site

Question 34

This type of site is one that can be activated and used within minutes.

Answer 34

Hot Site

Question 35

This term describes when cloud service offerings are used for DR capabilities.

Answer 35

DRaaS, DR as a Service

Question 36

True or False. Incident response should only involve the information technology department.

Answer 36

False

Question 37

True or False. BCDR is a technical capability and so senior leadership involvement is not required.

Answer 37

False

Question 38

True or False. BCDR plans should not be tested as doing so may break production systems.

Answer 38

False

Question 39

Which type of simulation test includes a meeting to review the plans and analyze their effectiveness against various BCDR scenarios?

Answer 39

Walk-through

Question 40

Which type of simulation test is used to determine whether all parties involved in the response know what to do and how to work together to complete the exercise?

Answer 40

Tabletop Exercise

Question 41

When performing this type of test, issues and/or mistakes could cause a true DR situation:

Answer 41

Full Interruption

Question 42

What are the two main components of a VPN?

Answer 42

Creating a tunnel and protecting data via encryption

Question 43

Identify some ways a VPN might help an adversary avoid detection.

Answer 43

Answers will vary but should include a description of hiding data/activities and geographic location.

Question 44

Describe a solution designed to validate the health of an endpoint prior to allowing access.

Answer 44

Network Access Control (NAC)

Question 45

This is a passive technology used to provide visibility into network traffic within a switch.

Answer 45

Test Access Port or TAP

Question 46

What version of SNMP should be used whenever possible?

Answer 46

Version 3

Question 47

Which type of environment is characterized by having hosts and networks available for use by visitors, such as the public or vendors?

Answer 47

Guest

Question 48

This describes a specially configured, highly hardened, and closely monitored system used to perform administrative tasks.

Answer 48

Jump Box

Question 49

This type of network segmentation differs from a traditional network segmentation approach as it provides much higher levels of security, granularity, and flexibility.

Answer 49

Microsegmentation

Question 50

What type of architecture adopts the approach of “never trust, always verify”?

Answer 50

Zero Trust Architecture

Question 51

This implementation creates a software-defined network by utilizing existing physical network equipment.

Answer 51

SDN Overlay

Question 52

This describes improving performance by adding additional resources to an individual system, such as adding processors, memory, and storage to an existing server.

Answer 52

Scaling Vertically

Question 53

A ______________________________________ leverages the global footprint of cloud platforms by distributing and replicating the components of a service to improve performance to all the key service areas needing access to the content.

Answer 53

Content Delivery Network (CDN)

Question 54

What design strategy often conflicts with information technology management approaches that look to consolidate platforms and reduce product portfolios?

Answer 54

Heterogeneity/Diversity

Question 55

Which type of virtualization allows the client to either access an application hosted on a server or stream the application from the server to the client for local processing?

Answer 55

Application Virtualization

Question 56

This non-profit organization provides guidance and best practices on the development and protection of web applications.

Answer 56

OWASP

Question 57

What are some of the functions that can be performed via a Container API?

Answer 57

Some examples include list logs generated by an instance; issue commands to the running container; create, update, and delete containers; and list capabilities.

Question 58

What environment is used to merge code from multiple developers to a single master copy and subject it to unit and functional tests?

Answer 58

Test or Integration Environment

Question 59

Which type of application testing is frequently performed using scanning tools such as OWASP’s Zed Attack Proxy (ZAP)?

Answer 59

Dynamic Application Security Testing (DAST)

Question 60

This describes middleware software designed to enable integration and communication between a wide variety of applications throughout an enterprise.

Answer 60

Enterprise Service Bus (ESB)

Question 61

True or False. Traditional software development models incorporate security requirements throughout all phases.

Answer 61

False

Question 62

Which type of software testing ensures that a particular block of code performs the exact action intended and provides the exact output expected?

Answer 62

Unit Testing

Question 63

Which type of testing verifies that individual components of a system are tested together to ensure that they interact as expected?

Answer 63

Integration Testing

Question 64

What development model includes phases that cascade with each phase starting only when all tasks identified in the previous phase are complete?

Answer 64

Waterfall

Question 65

What development model incorporates Security as Code (SaC) and Infrastructure as Code (IaC)?

Answer 65

SecDevOps

Question 66

Storing passwords using this method should be disabled as it provides marginal improvements in protection compared to simply storing passwords in plaintext.

Answer 66

Reversible Encryption

Question 67

What is the term used to describe when credentials created and stored at an external provider are trusted for identification and authentication?

Answer 67

Federation

Question 68

Which access control model is a modern, fine-grained type of access control that uses a type of markup language call XACML?

Answer 68

Attribute-Based Access Control (ABAC)

Question 69

What authentication protocol is comparable to RADIUS and associated with Cisco devices?

Answer 69

TACACS+

Question 70

What authentication scheme uses an HMAC built from a shared secret plus a value derived from a device and server’s local timestamps?

Answer 70

Time-Based One Time Password (TOTP)

Question 71

In which stage of the data life cycle is data shared using various mechanisms, such as email, network folders, websites, or cloud storage?

Answer 71

Use

Question 72

Describe some of the critical elements included in data management.

Answer 72

Answers will vary but should include descriptions of data inventory, data mapping, backups, quality assurance, and integrity controls.

Question 73

Identify some practical DLP example use-cases.

Answer 73

Blocking use of external media, print blocking, Remote Desktop Protocol (RDP) blocking, clipboard privacy controls, restricted virtual desktop infrastructure (VDI) implementation, data classification blocking.

Question 74

What is the name of the data obfuscation method that replaces sensitive data with an irreversible value?

Answer 74

Tokenization

Question 75

What data obfuscation method is designed to protect personally identifiable information so that data can be shared?

Answer 75

Anonymization

Question 76

Which type of virtualization platform supports microservices and server-less architecture?

Answer 76

Containerization

Question 77

_____________________________ is assigned to cloud resources through the use of tags and is frequently exploited to expose configuration parameters which may reveal misconfigured settings.

Answer 77

Metadata

Question 78

Which type of cloud service model can be described as virtual machines and software running on a shared platform to save costs and provide the highest level of flexibility?

Answer 78

Multi-tenant

Question 79

After powering-up a virtual machine after performing maintenance, the virtual machine is no longer accessible by applications previously configured to connect to it. What is a possible cause of this issue?

Answer 79

The IP address was reassigned to another instance.

Question 80

Which type of storage model supports large amounts of unstructured data and is commonly used to store archives and backup sets?

Answer 80

Blob Storage

Question 81

Which technology uses a ledger distributed across a peer-to-peer (P2P) network?

Answer 81

Blockchain

Question 82

___________________ reality emulates a real-life environment through computer-generated sights and sounds.

Answer 82

Augmented/Virtual

Question 83

This term describes computer-generated images or video of a person that appear to be real but are instead completely synthetic and artificially generated.

Answer 83

Deep Fake

Question 84

______________ computers use information represented by spin properties, momentum, or even location of matter as opposed to the bits of a traditional computer.

Answer 84

Quantum

Question 85

Which technology allows the crafting of components on-demand, and potentially eliminates the need to share designs or plans that may lead to intellectual property theft?

Answer 85

3D Printing

Question 86

Identify two types of certificates commonly used to implement access controls for mobile devices.

Answer 86

Trust (device) and user certificates

Question 87

Which standard is associated with the Simultaneous Authentication of Equals (SAE)?

Answer 87

WPA3 (Wi-Fi 6)

Question 88

Which type of device attack allows complete control of a device without the target device being paired with the attacker?

Answer 88

BlueBorne

Question 89

Identify some reasons why DoH poses a security threat in an enterprise setting.

Answer 89

Answers may vary. DoH, if approved, must be configured to use a trusted provider. DoH encapsulates DNS traffic within https traffic making it harder to identify. DoH can bypass external DNS query restrictions configured on firewalls.

Question 90

Identify how Bluetooth can be used for physical reconnaissance.

Answer 90

Answers may vary. Bluetooth devices are discoverable using freely available tools, meaning an attacker can locate out-of-sight devices and also collect information about the hardware and vendor.

Question 91

Identify some reasons why EOL software and hardware are concerning.

Answer 91

Responses will vary but should include a description regarding the lack of vendor support and vendor-supplied security patches.

Question 92

True or False. Operating System instances running in the cloud are patched automatically by the cloud provider.

Answer 92

False

Question 93

Which types of attacks on the Android OS can bypass the protections of mandatory access control?

Answer 93

Inter-app communication attacks

Question 94

Which control is designed to prevent a computer from being hijacked by a malicious OS?

Answer 94

Answers may vary but secure boot, measured boot, or attestation services all apply.

Question 95

Which type of host protection should provide capabilities that directly align to the NIST Cybersecurity Framework Core?

Answer 95

Endpoint Protection and Response

Question 96

True or False. Operating in a public cloud removes the need for BCDR plans due to the fact that cloud platforms are so reliable.

Answer 96

False

Question 97

What name is given to the practice of splitting encrypted data outputs into multiple parts which are subsequently stored in disparate storage locations?

Answer 97

Bit Splitting or Cryptographic Splitting

Question 98

Which cloud computing practice eliminates the use of traditional virtual machines to deliver cloud services?

Answer 98

Serverless Computing

Question 99

What is a critical component dictating the implementation of logging capabilities in the cloud?

Answer 99

Legal and regulatory compliance

Question 100

What is the primary source of data breach in the cloud?

Answer 100

Misconfiguration

Question 101

Which component integrates practically all the components of a traditional chipset including GPU?

Answer 101

System on a Chip, or SoC

Question 102

Which type of industrial computer is typically used to enable automation in assembly lines and is programmed using ladder language?

Answer 102

Programmable Logic Controller, or PLC

Question 103

Which type of availability attack are industrial computers most sensitive to?

Answer 103

Denial of Service, or DoS

Question 104

An ________ ________ describes the method by which ICS are isolated from other networked systems.

Answer 104

Air Gap

Question 105

What makes attacks against ICS uniquely concerning?

Answer 105

Answers will vary, but essentially because ICS control systems that interact with the real world and can cause humanitarian and/or environmental disasters when breached or attacked.

Question 106

What is the name of the algorithm used by SHA-3?

Answer 106

Kekkack

Question 107

Which MAC method is commonly paired with Salsa20 on hardware that does not have integrated AES support?

Answer 107

Poly1305

Question 108

Describe the key distribution problem.

Answer 108

Answers will vary. Should identify that it is associated with symmetric encryption and that sharing the key between two parties can be risky if not performed carefully.

Question 109

Is Salsa20 a stream or block cipher?

Answer 109

Stream

Question 110

How are modes of operation related to symmetric encryption?

Answer 110

Answers will vary. Modes of operation are like “techniques” used to make symmetric block ciphers operate in a way that is comparable to stream ciphers.

Question 111

What symmetric encryption problem is asymmetric encryption uniquely equipped to solve?

Answer 111

Key distribution

Question 112

What is the bulk encryption method used in the following cipher suite? ECDHE-RSA-AES128-GCM-SHA256

Answer 112

AES

Question 113

What encryption scheme is generally associated with protecting email?

Answer 113

Secure/Multipurpose Internet Mail Extensions (S/MIME)

Question 114

What issue related to the use of authentication header (AH) makes it difficult/problematic to implement?

Answer 114

It does not work across NAT gateways.

Question 115

Which implementation of Elliptic Curve Cryptography (ECC) is no longer recommended for use by the NSA?

Answer 115

P256

Question 116

True or False. Private keys are contained within digital certificates.

Answer 116

False. Public keys are contained within digital certificates.

Question 117

Which of the following would be best suited to protecting data stored on a removable disk: IPSec, TLS or AES?

Answer 117

AES is a symmetric block cipher and best suited to this. IPSec and TLS are associated with transport encryption.

Question 118

Which device used to provide strong authentication stores a user’s digital certificate, private key associated with the certificate, and a personal identification number (PIN)?

Answer 118

Smart card

Question 119

How do device certificates help security operations?

Answer 119

Answers will vary. A description of using device certificates to identify authorized endpoints is appropriate.

Question 120

What is the purpose of a bridge CA?

Answer 120

Answers will vary. A bridge CA allows the interoperability and shared trust between multiple, otherwise independent, PKIs. Bridge CAs enable cross-certification.

Question 121

_________________ ___________________ is the entity responsible for issuing and guaranteeing certificates.

Answer 121

Certificate Authority

Question 122

True or False. A website protected with a valid digital certificate is guaranteed to be safe.

Answer 122

False. The digital certificate provides assurance that the site is genuine, but it could still be rogue in nature.

Question 123

What is another term to describe the requirement for both client and server devices to use certificates to verify identity?

Answer 123

Mutual authentication

Question 124

What is the name of the response header configured on a web server to notify a browser to connect to the requested website using HTTPS only?

Answer 124

HTTP Strict Transport Security (HSTS)

Question 125

The error message “your connection is not private” is displayed when accessing a known website. What is a possible cause of this error?

Answer 125

The website is configured to use a weak signing algorithm.

Question 126

Which threat assessment approach is described as emulating known TTPs to mimic the actions of a threat in a realistic way, without emulating a specific threat actor?

Answer 126

Threat emulation

Question 127

Which defensive approach describes a team of specialists working with the viewpoint of “assume breach”?

Answer 127

Threat Hunting

Question 128

Which threat actor group includes adversaries such as Anonymous, WikiLeaks, or LulzSec?

Answer 128

Hacktivists

Question 129

Developed by Lockheed Martin, this describes the steps/actions an adversary must complete in order to achieve their goals.

Answer 129

Cyber Kill Chain

Question 130

True or False. CPE is a list of records where each item contains a unique identifier used to describe publicly known vulnerabilities.

Answer 130

False. The description is for CVE.CPE uses a syntax similar to Uniform Resource Identifiers (URI), CPE is a standardized naming format used to identify systems and software.

Question 131

What vulnerability assessment analysis approach requires the evaluation of a system or software while it is running?

Answer 131

Dynamic assessment

Question 132

What testing method uses specialty software tools designed to identify problems and issues with an application by purposely inputting/injecting malformed data to it?

Answer 132

Fuzzing or fuzz testing

Question 133

This describes the actions of an attacker using one exploited system to access another within the same organization.

Answer 133

Pivoting

Question 134

What document describes the manner in which a pen-test may be performed?

Answer 134

Rules of Engagement (RoE)

Question 135

Which category of tool describes the Metasploit tool?

Answer 135

An exploit framework

Question 136

Which type of deceptive technology is generally less complicated to deploy than other deceptive technologies but can serve a similar purpose?

Answer 136

Simulator

Question 137

Honeytoken and canary files are types of _______________ files.

Answer 137

Decoy

Question 138

An ___________________________ system is one that is “unchangeable.”

Answer 138

Immutable

Question 139

______________________________ describes the set of configuration changes made to improve the security of an endpoint from what the default configuration provides.

Answer 139

Hardening

Question 140

In Linux, ________________ describe self-contained software applications which include all the necessary components and libraries they need to be able to operate on an immutable system.

Answer 140

Flatpaks

Question 141

Which type of vulnerability is caused by processes operating under the assumption that a critical parameter or piece of information has not changed?

Answer 141

TOCTOU

Question 142

When reviewing the operation of a web application, the following is observed: https://www.foo.com/products/jsessionid=8858PNRX949WM26378/?item=bigscreen-tv.
What is problematic with this?

Answer 142

The session ID is included in the URL, meaning that anyone with access to the jsessionid information could perform an authentication bypass attack for the identified user.

Question 143

Which approach describes how software can be analyzed for open-source components?

Answer 143

Software Composition Analysis

Question 144

True or False. JSON is not dependent upon web technologies.

Answer 144

False. JSON is designed to leverage common web technologies as part of its operation.

Question 145

What type of attack is most closely associated with the use of characters such as ‘ OR ‘x’ = ‘x’ – ?

Answer 145

Authentication Bypass, a type of SQL injection attack.

Question 146

True or False. By default, switches provide packet capture utilities full visibility into all traffic flows for connected devices.

Answer 146

False. A switch must be configured to mirror traffic or utilize a tap in order to provide full visibility for packet capture. Switches natively isolate traffic.

Question 147

Two alerts are generated by an IDS, one with a priority value of 1 and the other with a priority value of 10. Which should be investigated first?

Answer 147

The one with a priority value of 1, which represents a more concerning event type.

Question 148

Which security product is most likely to support the use of YARA rules?

Answer 148

Antivirus

Question 149

In what ways does the support of security incidents differ from traditional tickets/requests in IT?

Answer 149

Answers will vary. The answer should describe how security incidents must be handled based on severity rather than order received.

Question 150

What is most concerning regarding false negatives?

Answer 150

They represent legitimate security incidents that do not generate an alert.

Question 151

What term describes evidence handling from collection through presentation in court?

Answer 151

Chain of custody

Question 152

Which utility can be used to extract data from binary files and can display the contents in hexadecimal, decimal, octal, or ASCII formats

Answer 152

hexdump

Question 153

Which tool can be used to identify interactions between processes and the Linux kernel?

Answer 153

strace

Question 154

________________________ is a popular command line utility used to analyze memory dumps.

Answer 154

volatility

Question 155

Which command line utility is designed to display real-time information about system memory, running processes, interrupts, paging, and I/O statistics?

Answer 155

vmstat

Question 156

Risk management

Answer 156

The cyclical process of identifying, assessing, analyzing, and responding to risks.

Question 157

enterprise risk management (ERM)

Answer 157

The comprehensive process of evaluating, measuring, and mitigating the many risks that pervade an organization.

Question 158

Risk Management Framework (RMF) or ISO 31000

Answer 158

A comprehensive set of standards for enterprise risk management.

Question 159

Risk

Answer 159

Likelihood and impact (or consequence) of a threat actor exercising a vulnerability.

Question 160

Likelihood

Answer 160

In risk calculation, the chance of a threat being realized, expressed as a percentage.

Question 161

Impact

Answer 161

The severity of the risk if realized by factors such as the scope, value of the asset, or the financial impacts of the event.

Question 162

Single Loss Expectancy (SLE)

Answer 162

The amount that would be lost in a single occurrence of a particular risk factor.

Question 163

Annual Loss Expectancy (ALE)

Answer 163

The total cost of a risk to an organization on an annual basis. This is determined by multiplying the SLE by the annual rate of occurrence (ARO).

Question 164

Annual Rate of Occurrence (ARO)

Answer 164

In risk calculation, an expression of the probability/likelihood of a risk as the number of times per year a particular loss is expected to occur.

Question 165

Asset Value (AV)

Answer 165

The value of an asset, such as a server or even an entire building.

Question 166

Exposure Factor (EF)

Answer 166

In risk calculation, the percentage of an asset’s value that would be lost during a security incident or disaster scenario.

Question 167

Total Cost of Ownership (TCO)

Answer 167

Associated costs of an asset including acquisition costs and costs to maintain and safely operate the asset over its entire lifespan.

Question 168

Return on Investment (ROI)

Answer 168

A metric to calculate whether an asset is worth the cost of deploying and maintaining it.

Question 169

Mean Time To Recovery (MTTR)

Answer 169

Metric representing average time taken for a device or component to be repaired, replaced, or otherwise recover from a failure.

Question 170

Mean Time Between Failures (MTBF)

Answer 170

Metric for a device or component that predicts the expected time between failures.

Question 171

Gap Analysis

Answer 171

An analysis that measures the difference between current state and desired state in order to help assess the scope of work included in a project.

Question 172

Risk avoidance

Answer 172

In risk mitigation, the practice of ceasing activity that presents risk.

Question 173

Risk acceptance

Answer 173

The response of determining that a risk is within the organization’s appetite and no countermeasures other than ongoing monitoring is needed.

Question 174

Risk mitigation

Answer 174

The response of reducing risk to fit within an organization’s risk appetite.

Question 175

Risk transference

Answer 175

In risk mitigation, the response of moving or sharing the responsibility of risk to another entity, such as by purchasing cybersecurity insurance.

Question 176

attack vectors

Answer 176

A specific path by which a threat actor gains unauthorized access to a system.

Question 177

residual risk

Answer 177

Risk that remains even after controls are put into place.

Question 178

Risk appetite

Answer 178

A strategic assessment of what level of residual risk is tolerable for an organization.

Question 179

Key Performance Indicators (KPI)

Answer 179

A formal mechanism designed to measure performance of a program against desired goals.

Question 180

Key Risk Indicators (KRI)

Answer 180

The method by which emerging risks are identified and analyzed so that changes can be adopted to proactively avoid issues from occuring.

Question 181

Scalability

Answer 181

Property by which a computing environment is able to gracefully fulfill its ever-increasing resource needs.

Question 182

Reliability

Answer 182

The fundamental security goal of ensuring that an information processing system is trustworthy.

Question 183

Availability

Answer 183

The fundamental security goal of ensuring that computer systems operate continuously and that authorized persons can access data that they need.

Question 184

Risk tolerance

Answer 184

Determines the thresholds that separate different levels of risk.

Question 185

Tradeoff analysis

Answer 185

Comparing potential benefits to potential risks and determining a course of action based on adjusting factors that contribute to each area.

Question 186

Separation of duties

Answer 186

Security policy concept that states that duties and responsibilities should be divided among individuals to prevent ethical conflicts or abuse of powers.

Question 187

Job rotation

Answer 187

The policy of preventing any one individual performing the same role or tasks for too long. This deters fraud and provides better oversight of the person’s duties.

Question 188

Mandatory vacation

Answer 188

The principle that states when and how long an employee must take time off from work so that their activities may be subjected to a security review.

Question 189

Least privilege

Answer 189

Basic principle of security stating that something should be allocated the minimum necessary rights, privileges, or information to perform its role.

Question 190

Cloud Service Provider (CSP)

Answer 190

A cloud service provider is any third-party organization providing infrastructure, application and/or storage services via an “as a service” subscription-based, cloud-centric offering.

Question 191

Shared responsibility model

Answer 191

Identifies that responsibility for the implementation of security as applications, data and workloads are transitioned into a cloud platform are shared between the customer and the cloud service provider (CSP.)

Question 192

Software as a Service (SaaS)

Answer 192

Cloud service model that provisions fully developed application services to users.

Question 193

Platform as a Service (PaaS)

Answer 193

Cloud service model that provisions application and database services as a platform for development of apps.

Question 194

Infrastructure as a Service (IaaS)

Answer 194

Cloud service model that provisions virtual machines and network infrastructure.

Question 195

Vendor Lock-in

Answer 195

A customer is dependent on a vendor for products or services because switching is either impossible or would result in substantial complexity and costs.

Question 196

Vendor Lockout

Answer 196

A vendor’s product is developed in a way that makes it inoperable with other products, the ability to integrate it with other vendor products is not a feasible option or does not exist.

Question 197

Vendor Viability

Answer 197

A vendor that has a viable and in-demand product and the financial means to remain in business on an ongoing basis.

Question 198

Source Code Escrow

Answer 198

A copy of vendor-developed source code provided to a trusted third party in the event the vendor ceases business.

Question 199

Support Availability

Answer 199

Verifying the type and level of support to be provided by the vendor in support of their product or service.

Question 200

Meeting Client Requirements

Answer 200

Formally defining what functionality is required of a product or service, and taking steps to verify that a vendor’s service or product provides at least this level of functionality.

Question 201

supply chain

Answer 201

The end-to-end process of supplying, manufacturing, distributing, and finally releasing goods and services to a customer.

Question 202

Supply Chain Visibility (SCV)

Answer 202

The capacity to understand how all vendor hardware, software, and services are produced and delivered as well as how they impact an organization’s operations or finished products.

Question 203

Cloud Security Alliance (CSA)

Answer 203

Industry body providing security guidance to CSPs, including enterprise reference architecture and security controls matrix.

Question 204

Security Trust and Risk (STAR)

Answer 204

A framework of security best practices for Cloud service providers that is developed and maintained by the Cloud Security Alliance (CSA).

Question 205

System and Organization Controls (SOC)

Answer 205

Use of standards established by the American Institute of Certified Public Accountants (AICPA) to evaluate the policies, processes, and procedures in place and designed to protect technology and financial operations.

Question 206

International Organization for Standardization (ISO)

Answer 206

Develops many standards and frameworks governing the use of computers, networks, and telecommunications, including ones for information security (27K series) and risk management (31K series).

Question 207

Cybersecurity Maturity Model Certification (CMMC)

Answer 207

A set of cybersecurity standards developed by the United States Department of Defense (DoD) and designed to help fortify the DoD supply chain by requiring suppliers to demonstrate that they have mature cybersecurity capabilities.

Question 208

virtual local area networks (VLAN)

Answer 208

A logically separate network, created by using switching technology. Even though hosts on two VLANs may be physically connected to the same cabling, local traffic is isolated to each VLAN so they must use a router to communicate.

Question 209

Protected Health Information (PHI)

Answer 209

Data that can be used to identify an individual and includes information about past, present, or future health, as well as related payments and data used in the operation of a healthcare business.

Question 210

Personal Identifiable Financial Information (PIFI)

Answer 210

Personal information about a consumer provided to a financial institution that can include account number, credit/debit card number, name, social security number and other information.

Question 211

Intellectual property (IP)

Answer 211

Data that is of commercial value and can be granted rights of ownership, such as copyrights, patents, and trademarks.

Question 212

data owner

Answer 212

A senior (executive) role with ultimate responsibility for maintaining the confidentiality, integrity, and availability of an information asset.

Question 213

Data classification

Answer 213

The process of applying confidentiality and privacy labels to information.

Question 214

Data retention

Answer 214

The process an organization uses to maintain the existence of and control over certain data in order to comply with business policies and/or applicable laws and regulations.

Question 215

Data sovereignty

Answer 215

In data protection, the principle that countries and states may impose individual requirements on data collected or stored within their jurisdiction.

Question 216

data subject

Answer 216

An individual that is identified by privacy data.

Question 217

attestation of compliance (AOC)

Answer 217

A set of policies, contracts and standards identified as essential in the agreement between two parties.

Question 218

Certification and accreditation (C&A)

Answer 218

A process executed in four distinct phases: initiation and planning, certification, accreditation, and continuous monitoring.

Question 219

Information System Security Officer (ISSO)

Answer 219

Organizational role with technical responsibilities for implementation of security policies, frameworks, and controls.

Question 220

Certifying Authority

Answer 220

The entity responsible for reviewing the results of a certification and accreditation package, including audits reports, and making the final decision regarding accreditation status.

Question 221

Authority to Operate (ATO)

Answer 221

A formal letter of accreditation provided to the system owner granting them permission to operate a system.

Question 222

Common Criteria (CC)

Answer 222

A set of standards developed by a group of governments working together to create a baseline of security assurance for a trusted operating system (TOS).

Question 223

Due care

Answer 223

Organizational security policies are (to some extent) driven by legislation introduced as a response to the growing appreciation of the threat posed by computer crime. Legislation can cover many aspects of security policy but the key concepts are due diligence (demonstrating awareness of security issues) and due care (demonstrating responses to identified threats). Security policy is also driven by adherence to industry codes of practice and standards.

Question 224

due diligence

Answer 224

A legal principal that a subject has used best practice or reasonable care when setting up, configuring, and maintaining a system.

Question 225

legal hold

Answer 225

A process designed to preserve all relevant information when litigation is reasonably expected to occur.

Question 226

e-Discovery

Answer 226

Procedures and tools to collect, preserve, and analyze digital evidence.

Question 227

Cold Site

Answer 227

Predetermined alternate location where a network can be rebuilt after a disaster.

Question 228

warm site

Answer 228

Alternate processing location that is dormant or performs noncritical functions under normal conditions, but which can be rapidly converted to a key operations site if needed.

Question 229

hot site

Answer 229

Fully configured alternate processing site that can be brought online either instantly or very quickly after a disaster.

Question 230

after action report (AAR)

Answer 230

An analysis of events that can provide insight into how to improve response processes in the future.

Question 231

Firewalls

Answer 231

Software or hardware device that protects a system or network by blocking unwanted network traffic.

Question 232

Routers

Answer 232

An intermediate system working at the Network layer capable of forwarding packets around logical networks of different layer 1 and layer 2 types.

Question 233

Load Balancer

Answer 233

Type of switch, router, or software that distributes client requests between different resources, such as communications links or similarly-configured servers. This provides fault tolerance and improves throughput.

Question 234

Virtual Private Cloud (VPC)

Answer 234

A private network segment made available to a single cloud consumer on a public cloud.

Question 235

elastic IP address

Answer 235

A public IPv4 address that can be assigned to any instance or network interface in a VPC within an AWS account.

Question 236

social engineering

Answer 236

Activity where the goal is to use deception and trickery to convince unsuspecting users to provide sensitive data or to violate security guidelines.

Question 237

virtual appliance

Answer 237

A preconfigured, self-contained virtual machine image ready to be deployed and run on a hypervisor.

Question 238

MX records

Answer 238

A special type of DNS record used to identify the email servers used by a domain.

Question 239

Distributed Denial of Service

Answer 239

Attack that involves the use of infected Internet-connected computers and devices to disrupt the normal flow of traffic of a server or service by overwhelming the target with traffic.

Question 240

Rate Limiting

Answer 240

An approach that protects the attack from consuming all available bandwidth and impacting other servers and services on the network. It reduces the amount of throughput available to the server or service being attacked.

Question 241

Web Application Firewall (WAF)

Answer 241

A firewall designed specifically to protect software running on web servers and their backend databases from code injection and DoS attacks.

Question 242

Blackhole Routing

Answer 242

Retrieves all the traffic intended for an endpoint and drops both legitimate and malicious traffic.

Question 243

Cloud Service Providers

Answer 243

A cloud service provider is any third-party organization providing infrastructure, application and/or storage services via an “as a service” subscription-based, cloud-centric offering.

Question 244

DDoS Mitigation Software/Appliance

Answer 244

Reflects the methods used to reduce the impact of a distributed denial of service (DDoS) attack. DDoS mitigation can be implemented through the use of special software or by deploying a virtual appliance designed to provide DDoS protection.

Question 245

unified threat management (UTM)

Answer 245

All-in-one security appliances and agents that combine the functions of a firewall, malware scanner, intrusion detection, vulnerability scanner, data loss prevention, content filtering, and so on.

Question 246

Content Filtering

Answer 246

A security measure performed on email and internet traffic to identify suspicious, malicious and/or inappropriate content in accordance with an organization’s policies.

Question 247

MIME (Multi-Purpose Internet Mail Extensions)

Answer 247

A protocol specifying Internet mail message formats and attachments.

Question 248

Data Loss Prevention (DLP)

Answer 248

Software solution that detects and prevents sensitive information from being stored on unauthorized systems or transmitted over unauthorized networks.

Question 249

SPAM

Answer 249

Junk messages sent over email (or instant messaging, which is called spim). It can also be utilized within social networking sites.

Question 250

SPAM Block Lists (SBL)

Answer 250

Identifies known bad senders. Security companies typically provide this as a service to organizations to reduce SPAM messages.

Question 251

Antivirus

Answer 251

Inspecting traffic to locate and block viruses.

Question 252

caching engines

Answer 252

A feature of many proxy servers that enables the servers to retain a copy of frequently requested web pages.

Question 253

non-transparent proxy

Answer 253

A server that redirects requests and responses for clients configured with the proxy address and port.

Question 254

transparent proxy

Answer 254

A server that redirects requests and responses without the client being explicitly configured to use it. Also referred to as a forced or intercepting proxy.

Question 255

SQL injection

Answer 255

An attack that injects a database query into the input data directed at a server by accessing the client side of the application.

Question 256

cross-site scripting (XSS)

Answer 256

A malicious script hosted on the attacker’s site or coded in a link injected onto a trusted site designed to compromise clients browsing the trusted site, circumventing the browser’s security model of trusted zones.

Question 257

cross-site request forgery (XSRF)

Answer 257

A malicious script hosted on the attacker’s site that can exploit a session started on another site in the same browser.

Question 258

file inclusion

Answer 258

A web application vulnerability that allows an attacker either to download a file from an arbitrary location on the host file system or to upload an executable or script file to open a backdoor.

Question 259

directory traversal

Answer 259

An application attack that allows access to commands, files, and directories that may or may not be connected to the web document root directory.