ISC2 CC Flashcards

1
Q

______ is a difficult balance to achieve when many system users are guests or customers, and it is not known if they are accessing the system from a compromised machine or vulnerable mobile application. So, the security professional’s obligation is to regulate access—protect the data that needs protection, yet permit access to authorized individuals.

A

Confidentiality is a difficult balance to achieve when many system users are guests or customers, and it is not known if they are accessing the system from a compromised machine or vulnerable mobile application. So, the security professional’s obligation is to regulate access—protect the data that needs protection, yet permit access to authorized individuals.

2
Q

_____ is a term related to the area of confidentiality. It pertains to any data about an individual that could be used to identify them. Other terms related to confidentiality are protected health information (PHI) , which is information regarding one’s health status, and classified or sensitive information, which includes trade secrets, research, business plans and intellectual property.

A

Personally Identifiable Information (PII) is a term related to the area of confidentiality. It pertains to any data about an individual that could be used to identify them. Other terms related to confidentiality are protected health information, which is information regarding one’s health status, and classified or sensitive information, which includes trade secrets, research, business plans and intellectual property.

3
Q

The address 8be2:4382:8d84:7ce2:ec0f:3908:d29a:903a is an:

IPv6 Address
MAC Address
IPv4 Address
Web Address

A

IPv6

An IPv6 address is a 128-bit address represented as a sequence of eight groups of 16-bit hexadecimal values. An IPv4 address is a 32-bit address represented as a sequence of four 8-bit integers. A MAC address is a 48-bit address represented as six groups of 8-bit values in hexadecimal. A web address consists of a protocol name, a server address, and a resource path (see ISC2 Study Guide, chapter 4, module 1 - Understand Computer Networking).

4
Q

Which of the following is NOT an ethical canon of the ISC2?

Advance and protect the profession

Protect society, the common good, necessary public trust and confidence, and the infrastructure

Act honorably, honestly, justly, responsibly, and legally

Provide active and qualified service to principal

A

Provide active and qualified service to principal

In the code of ethics, we read “Provide diligent and competent service to principals”, not “Provide active and qualified service to principals”; all the other options are valid canons of the code of ethics (see ISC2 Study Guide Chapter 1, Module 5).

5
Q

Which of the following is NOT a protocol of the OSI Level 3?

IGMP

IP

SNMP

ICMP

A

SNMP

Internet Protocol (IP) is known to be a level 3 protocol. Internet Control Message Protocol (ICMP) and Internet Group Management Protocol (IGMP) are also level 3 protocols. Simple Network Management Protocol (SNMP) is a protocol used to configure and monitor devices attached to networks. It is an application-level protocol (level 7), and therefore the only option that is not from level 3.

6
Q

Which of the following is NOT a social engineering technique?

Double-dealing

Quid pro quo

Baiting

Pretexting

A

Double-dealing

Baiting is a social engineering attack wherein a scammer uses a false promise to lure a victim. Pretexting is a social engineering technique that manipulates victims into disclosing information. Quid pro quo is a social engineering attack (technically, one that combines ‘baiting’ with ‘pretexting’) that promises users a profit in exchange for information (that can later be used to gain control of a user’s account or sensitive information). Regarding cybersecurity, ‘Double-dealing’ is not a valid social engineering attack (see ISC2 Study Guide, chapter 5, module 3, under Chapter Resource).

7
Q

In which of the following phases of an Incident Recovery Plan are incident responses prioritized?

Detection and Analysis

Containment, Eradication, and Recovery

Post-incident Activity

Preparation

A

Detection and Analysis

Incident responses are prioritized in the Detection and Analysis phase (see the ISC2 Study Guide, Chapter 2, Module 1, under Components of Incident Response).

8
Q

In which of the following access control models can the creator of an object delegate permission?

MAC

DAC

ABAC

RBAC

A

DAC

In a Discretionary Access Control (DAC) model, the permissions associated with each object (file or data) are set by the owner of the object. In this model, the creator of an object implicitly becomes its owner, and therefore can decide who will have permission over the object. In the remaining models, access specifications are centrally determined.

9
Q

Which of the following principles aims primarily at fraud detection?

Separation of Duties

Least Privilege

Defense in Depth

Privileged Accounts

A

Separation of Duties

According to the principle of Separation of Duties, operations on objects are to be segmented (often referred to as ‘transactions’), requiring distinct users and authorizations. The involvement of multiple users guarantees that no single user can perpetrate and conceal errors or fraud in their duties. To the extent that users have to review the work of other users, Separation of Duties can also be considered a mechanism of fraud detection (see ISC2 Study Guide Chapter 1, Module 3). The principle of Least Privilege states that subjects should be given only those privileges required to complete their specific tasks. The principle of Privileged Accounts refers to the existence of accounts with permissions beyond those of regular users. Finally, the principle of Defense in Depth endorses the use of multiple layers of security for holistic protection.

10
Q

The SMTP protocol operates at OSI Level:

25

7

3

23

A

7

Simple Mail Transfer Protocol (SMTP) is an application layer protocol that operates at level 7. Level 3 corresponds to the network layer. There are no OSI layers above level 7. The number 25 presumably refers to the TCP/IP port of the SMTP protocol. The number 23, in turn, refers to the TCP/IP port of the Telnet protocol.

11
Q

What is an effective way of hardening a system?

Patch the system

Have an IDS in place

Run a vulnerability scan

Create a DMZ for web application services

A

Patch the system

According to NIST SP 800-152, hardening is defined as the process of eliminating the means of an attack by simultaneously patching vulnerabilities and turning off nonessential services. The ISC2 Study Guide, chapter 5, module 2, under Configuration Management Overview, reads “One of the best ways to achieve a hardened system is to have updates, patches, and service packs installed automatically”. Vulnerability scans and IDS do not eliminate the means of an attack. The DMZ does not eliminate vulnerabilities in a system.

12
Q

Which of these is the PRIMARY objective of a Disaster Recovery Plan?

Maintain crucial company operations in the event of a disaster

Communicate to the responsible entities the damage caused to operations in the event of a disaster

Outline a safe escape procedure for the organization’s personnel

Restore company operation to the last-known reliable operation state

A

Restore company operation to the last-known reliable operation state

A Disaster Recovery Plan (DRP) is a plan for processing and restoring operations in the event of a significant hardware or software failure, or of the destruction of the organization’s facilities. The primary goal of a DRP is to restore the business to the last-known reliable state of operations (see Chapter 2 ISC2 Study Guide, module 4, under The Goal of Disaster Recovery). Maintaining crucial operations is the goal of the Business Continuity Plan (BCP). The remaining options may be included in a DRP, but are not its primary objective.

13
Q

Risk Management is:

The impact and likelihood of a threat.

The assessment of the potential impact of a threat.

The creation of an incident response team.

The identification, evaluation and prioritization of risks.

A

The identification, evaluation and prioritization of risks.

Risk Management is the process of identifying, assessing and mitigating risks (ISC2 Study Guide, chapter 1, module 2). “Impact and likelihood of a threat” is a definition of risk. “Creating an incident response team” and “assessing the potential impact of a threat” can be considered Risk Management actions, but are not in themselves Risk Management.

14
Q

In risk management, the highest priority is given to a risk where:

The expected probability of occurrence is high, and the potential impact is low

The frequency of occurrence is high, and the expected impact value is low

The expected probability of occurrence is low, and the potential impact is low

The frequency of occurrence is low, and the expected impact value is high

A

The frequency of occurrence is low, and the expected impact value is high

The highest priority is given to risks estimated to have high impact and low probability over high probability and low impact value (ISC2 Study Guide, Chapter 1, Module 2). In qualitative risk analysis, the ‘expected probability of occurrence’ and the ‘frequency of occurrence’ refer to the same thing. The same goes for the concepts of expected impact value (NIST SP 800-30 Rev. 1 under Impact Value) and potential impact (NIST SP 800-60 Vol. 1 Rev. 1 under Potential Impact).

15
Q

According to ISC2, which are the six phases of data handling?

Create -> Share -> Use -> Store -> Archive -> Destroy

Create -> Use -> Store -> Share -> Archive -> Destroy

Create -> Share -> Store -> Use -> Archive -> Destroy

Create -> Store -> Use -> Share -> Archive -> Destroy

A

Create -> Store -> Use -> Share -> Archive -> Destroy

The six phases of the data security lifecycle model are Create -> Store -> Use -> Share -> Archive -> Destroy (see ISC2 Study Guide, chapter 5, module 1, under Data Handling).

16
Q

Which of the following is NOT a type of learning activity used in Security Awareness?

Education

Training

Tutorial

Awareness

A

Tutorial

The three learning activities that organizations use in training for security awareness are Education, Training and Awareness (see ISC2 Study Guide, chapter 5, module 4). A tutorial is a form of training, but is not on the list of types of learning activities.

17
Q

Which of these has the PRIMARY objective of identifying and prioritizing critical business processes?

Disaster Recovery Plan

Business Continuity Plan

Business Impact Analysis

Business Impact Plan

A

Business Impact Analysis

The term ‘Business Impact Plan’ does not exist. A Business Impact Analysis (BIA) is a technique for analyzing how disruptions can affect an organization, and determines the criticality of all business activities and associated resources. A Business Continuity Plan (BCP) is a pre-determined set of instructions describing how the mission/business processes of an organization will be sustained during and after a significant disruption. A Disaster Recovery Plan is a written plan for recovering information systems in response to a major failure or disaster.

18
Q

The implementation of Security Controls is a form of:

Risk acceptance

Risk avoidance

Risk reduction

Risk transference

A

Risk reduction

The implementation of Security Controls involves taking actions to mitigate risk, and thus is a form of risk reduction. Risk acceptance will take no action, risk avoidance will modify operations in order to avoid risk entirely, and risk transference will transfer the risk to another party.

19
Q

Which of the following is NOT an element of System Security Configuration Management?

Audit logs

Inventory

Updates

Baseline

A

Audit logs

System Security Configuration Management elements are inventories, baselines, updates and patches. Audit logs can be generated after ‘Verification and Audit’. However, ‘Verification and Audit’ is a configuration management procedure, and not a configuration management element (see ISC2 Study Guide, chapter 5, module 2, under Chapter Resource).

20
Q

If there is no time constraint, which protocol should be employed to establish a reliable connection between two devices?

SNMP

DHCP

UDP

TCP

A

TCP

TCP is used for connection-oriented communication, verifies data delivery, and is known to favor reliability. In a congested network, TCP delays data transmission, and thus cannot guarantee delivery under time constraints. UDP favors speed and efficiency over reliability, and thus cannot ensure a reliable connection. DHCP and SNMP are (respectively) a device configuration and a device management protocol, which means that neither aims to establish connections between devices.

21
Q

Which of the following is NOT a possible model for an Incident Response Team (IRT)?

Pre-existing

Leveraged

Hybrid

Dedicated

A

Pre-existing

The three possible models for incident response are Leveraged, Dedicated, and Hybrid (see the ISC2 Study Guide, Chapter 2, Module 1, under Chapter Takeaways). The term ‘Pre-existing’ is not a valid model for an IRT.

22
Q

Which are the components of an incident response plan?

Preparation -> Detection and Analysis -> Containment -> Eradication -> Post-Incident Activity -> Recovery

Preparation -> Detection and Analysis -> Eradication -> Recovery -> Containment -> Post-Incident Activity

Preparation -> Detection and Analysis -> Recovery -> Containment -> Eradication -> Post-Incident Activity

Preparation -> Detection and Analysis -> Containment, Eradication and Recovery -> Post-Incident Activity

A

Preparation -> Detection and Analysis -> Containment, Eradication and Recovery -> Post-Incident Activity

The components commonly found in an incident response plan are (in this order): Preparation; Detection and Analysis; Containment, Eradication and Recovery; Post-Incident Activity (see the ISC2 Study Guide, Chapter 2, Module 1, under Components of an Incident Response Plan).

23
Q

Which of the following canons is found in the ISC2 code of ethics?

Advance and promote the profession

Provide diligent and competent service to principals

Protect society, the common good, and the infrastructure

Act honorably, honestly, safely and legally

A

Provide diligent and competent service to principals

Only “Provide diligent and competent service to principals” contains the accurate text of the ISC2 code of ethics. Although a security professional should discourage unsafe practices, no direct reference to acting safely exists in the canons. Aside from society, the common good and infrastructure, security professionals are expected to protect public trust and confidence. Finally, they are expected to protect the profession, and not just advance and promote it.

24
Q

Which of these is NOT a change management component?

RFC

Governance

Rollback

Approval

A

Governance

All significant change management practices address typical core activities: Request For Change (RFC), Approval, and Rollback (see ISC2 Study Guide, chapter 5, module 3). Governance is not one of these practices.

25
Q

Which of the following attacks take advantage of poor input validation in websites?

Phishing

Trojans

Rootkits

Cross-Site Scripting

A

Cross-Site Scripting

Cross-Site Scripting (XSS) is a type of attack where malicious executable scripts are injected into the code of an otherwise benign website (or web application). Websites are vulnerable to XSS when they display data originating from requests or forms without validating it (and further sanitizing it, so that it is not executable). Trojans and phishing are attacks where software applications and messages try to appear legitimate but have hidden malicious functions, not necessarily relying on poor input validations. Finally, input validation does not even apply to a rootkit attack.

26
Q

In which cloud model does the cloud customer have LESS responsibility over the infrastructure? (★)

IaaS

PaaS

FaaS

SaaS

A

SaaS

In Software as a Service (SaaS), consumers may control user-specific application configuration settings, but neither the underlying application logic nor the infrastructure. In the Function as a Service (FaaS) model, cloud customers deploy application-level functionality (typically as microservices) and are charged only when this functionality is executed. In Platform as a Service (PaaS), the cloud customer does not manage or control the underlying cloud infrastructure (which includes the network, servers, operating systems, and storage) but has control over the deployed applications and libraries. The Infrastructure as a Service (IaaS) model provides customers with fundamental computing resources (such as processing, storage, or networks) where the consumer is able to deploy and run arbitrary software, and also to choose the operating system.

27
Q

In the event of a disaster, which of these should be the PRIMARY objective? (★)

Guarantee the continuity of critical systems

Application of disaster communication

Protection of the production database

Guarantee the safety of the people

A

Guarantee the safety of people

In the event of a disaster, the clear priority is to guarantee the safety of human life above all. The remaining options, though important from the point of view of disaster recovery and business continuity, are secondary when compared to safety.

28
Q

The Bell and LaPadula access control model is a form of: (★)

ABAC

DAC

RBAC

MAC

A

MAC

The Bell and LaPadula access control model arranges subjects and objects into security levels and defines access specifications, whereby subjects can only access objects at certain levels based on their security level. Typical access specifications can be things like “Unclassified personnel cannot read data at confidential levels” or “Top-Secret data cannot be written into the files at unclassified levels”. Since subjects cannot change access specifications, this model is a form of mandatory access control (MAC). In contrast, Discretionary Access Control (DAC) leaves a certain level of access control to the discretion of the object’s owner. The Attribute Based Access Control (ABAC) is based on subject and object attributes (not only classification). Finally, Role Based Access Control (RBAC) is a model for controlling access to objects where permitted actions are identified with roles rather than individual subject identities.

29
Q

According to the canon “Provide diligent and competent service to principals”, ISC2 professionals are to:

Take care not to tarnish the reputation of other professionals through malice or indifference.

Treat all members fairly and, when resolving conflicts, consider public safety and duties to principals, individuals and the profession, in that order.

Avoid apparent or actual conflicts of interest.

Promote the understanding and acceptance of prudent information security measures.

A

Avoid apparent or actual conflicts of interest.

The direction for applying the ethical principles of ISC2 states that avoiding conflicts of interest or the appearance thereof is a consequence of providing diligent and competent service to principals (see https://resources.infosecinstitute.com/certification/the-isc2-code-of-ethics-a-binding-requirement-for-certification/). The other options are consequences of the remaining three ethical principles.

30
Q

Which cloud service model provides the most suitable environment for customers who want to install their custom operating system?

SaaS

IaaS

PaaS

SLA

A

IaaS

Infrastructure as a Service (IaaS) is a cloud service model that allows the customer to manage the computing resources (including the operating systems). Software as a Service (SaaS) is a model that provides customers with access to software applications (typically on a subscription-based or pay-per-use model) but does not allow them to access the underlying infrastructure. Platform as a Service (PaaS) is a service model that provides a platform for building, deploying and managing applications; however, like SaaS, it does not offer the ability to access the underlying infrastructure (including the operating system). An SLA is simply a service-level agreement (and not a cloud service deployment model) (see ISC2 Study Guide, chapter 4, module 3).

31
Q

Which of these is part of the canons of the (ISC)² code of ethics?

Prevent and detect unauthorized use of digital assets in a society

Advance and protect the profession

Act always in the best interest of your client

Provide diligent and competent services to stakeholders

A

Advance and protect the profession

The four canons of ISC2 are (see ISC2 Study Guide, chapter 1, module 5):

Advance and protect the profession;

Act honorably, honestly, justly, responsibly and legally;

Provide diligent and competent service to principals;

Protect society, the common good, necessary public trust and confidence and the infrastructure.

Although some options seem right, only ‘Advance and protect the profession’ is correct.

32
Q

In a DAC policy scenario, which of these tasks can only be performed by a subject granted access to information?

Modifying the information

Executing the information

Reading the information

Changing security attributes

A

Changing security attributes

As a principle, users can perform Read, Write and Execute actions with every Access Control policy. However, in discretionary access control policies, the permissions associated with each object (files or system resources) are set by the object’s owner. In this model, the creator of an object implicitly becomes its owner, and therefore can decide who will have permission to the objects (see ISC2 Study Guide, chapter 3, module 3). A major weakness of DAC is that it gives users complete control to set security level settings for other users, which can result in users having more privileges than they are supposed to.

33
Q

(★) Which of these statements is TRUE about cybersquatting?

It is an illegal practice

It is a partially illegal practice

It is a legal practice

It is an unethical practice but everyone does it

A

It’s an illegal practice

Cybersquatting (also known as domain squatting) is the practice of speculatively registering and then selling (typically at a high price) a domain name, with the intent of profiting from someone else’s trademark. An example would be someone registering the domain name “mycompany.com” and then offering to sell it to the owner of the trademark “MyCompany” for a high price. Cybersquatting can cause confusion and damage to the trademark owner’s brand, which is generally considered unethical and deceptive. Indeed, cybersquatting is an illegal practice under the United States’ Anticybersquatting Consumer Protection Act (ACPA), as well as under similar laws in other countries.

34
Q

Which of these attacks take advantage of inadequate input validation in websites?

Cross-Site Scripting

Rootkits

Phishing

Trojans

A

Cross-Site Scripting

Cross-Site Scripting (XSS) is an attack where malicious executable scripts are injected into an otherwise benign website (or web application) code. Websites are vulnerable to XSS when they display data originating from requests or forms without validating it (and further sanitizing it, so that it is not executable) (see ISC2 Study Guide, chapter 4, module 2). Trojans and phishing are attacks where software applications and messages try to appear legitimate, but have hidden malicious functions. They do not necessarily rely on poor input validations. Finally, input validation does not even apply to a rootkit attack.

35
Q

Which of these entities is responsible for signing an organization’s policies?

Human Resources

Financial Department

Security Engineer

Senior Management

A

Senior Management

Senior management is typically responsible for setting the organization’s overall direction and strategy, and for ensuring that policies and procedures are in place to support that strategy. Therefore, it is the senior management’s responsibility to sign the organization’s policies. Although other departments and stakeholders may be called in to develop and draft policies, it is ultimately the responsibility of senior management to sign off on the policies, indicating their approval and support.

36
Q

(★) Which of these is an example of a MAC address?

0051021f58

10.23.19.49

2001:db8:3333:4444:5555:6666:7777:8888

00-51-02-1F-58-F6

A

00-51-02-1F-58-F6

All network devices have a 48-bit Media Access Control (MAC) address, represented as six groups of 8-bit values in hexadecimal (see ISC2 Study Guide, chapter 4, module 1 - Understand Computer Networking). An example of a MAC address would be 00-51-02-1F-58-F6. An IPv4 address is a 32-bit address represented as a sequence of four 8-bit integers, an example of which would be 10.23.19.49. An IPv6 address is a 128-bit address represented as a sequence of eight groups of 16-bit hexadecimal values, an example of which would be 2001:db8:3333:4444:5555:6666:7777:8888. The string 0051021f58 is a 40-bit WEP key consisting of 10 hexadecimal digits, typically represented as a string of 5 ASCII characters. WEP keys are used to secure wireless networks, and can be either 40 bits or 104 bits in length, depending on the encryption mode that is used.

37
Q

Which of these is NOT a characteristic of an MSP implementation?

Monitor and respond to security incidents

Mediate, execute and decide top-level decisions

Manage all in-house company infrastructure

Utilize expertise for the implementation of a product or service

A

Manage all in-house company infrastructure

Managing all in-house company infrastructure is not a characteristic of an MSP (Managed Service Provider) implementation. MSPs provide an outsourced IT service to manage a company’s IT infrastructure and endpoints, rather than managing it all in-house. Characteristics of an MSP implementation include the following (see ISC2 Study Guide, chapter 4, module 3):

Utilizing expertise for the implementation of a product or service

Monitoring and responding to security incidents

Mediating, executing and deciding top-level decisions

In contrast, managing all IT infrastructure in-house refers to the scenario where an organization’s internal IT team is responsible for all aspects of its IT systems and infrastructure.

38
Q

Which of these addresses is commonly reserved specifically for broadcasting?

192.299.121.14

192.299.121.0

192.299.121.254

192.299.121.255

A

192.299.121.255

IPv4 addresses are 32 bits long, represented as a sequence of four 8-bit integers separated by dots. Addresses ending in 0 are reserved to signify the network itself (and not a specific device on that network). In contrast, addresses ending in 255 are generally reserved for broadcasting to all devices on that network (see ISC2 Study Guide, chapter 4, module 1).

39
Q

A security consultant hired to design the security policies for the PHI within an organization will be primarily handling:

Public Health Information

Personal Health Information

Protected Health Information

Procedural Health Information

A

Protected Health Information

PHI is an acronym that stands for Protected Health Information (see ISC2 Study Guide, chapter 1, module 1). The remaining options are incorrect.

40
Q

Which of these terms refers to a collection of fixes?

Hotfix

Service Pack

Downgrade

Patch

A

Service Pack

A service pack comprises a collection of updates, fixes or enhancements to a software program delivered as a single installable package. A hotfix (or quick-fix) engineering update is a cumulative package which includes information that will be used to address a problem in a software product. A software patch is a quick-repair job for a piece of programming, and is designed to resolve functionality issues, improve security and/or add new features.

41
Q

When an incident occurs, which of these is not a PRIMARY responsibility of an organization’s response team?

Communicating the top management regarding the circumstances of the cybersecurity event

Determining whether any confidential information has been compromised over the course of the entire incident

Determining the scope of the damage caused by the incident

Implementing the recovery procedures necessary to restore security and recover from any incident-related damage

A

Communicating the top management regarding the circumstances of the cybersecurity event

While communicating with top management about the circumstances of the cybersecurity event is always important, it is not a primary responsibility of the response team. Indeed, the primary responsibility of the response team is to address the immediate impact of the incident, and to restore security as quickly as possible. When an incident occurs, the primary duties of a response team include the following:

Determining the scope of the damage caused by the incident, and ascertaining the resources that will be needed to recover from it;

Determining whether any confidential information has been compromised over the course of the entire incident;

Implementing the recovery procedures necessary to restore security and recover from incident-related damage (including restoring systems, recovering data, and implementing any required security controls);

Communicating with relevant parties (such as users, customers and other stakeholders) about the incident itself, and about the steps needed to address it.

42
Q

Which of these techniques is PRIMARILY used to ensure data integrity?

Message Digest

Backups

Hashing

Content Encryption

A

Message Digest

Data integrity means that a message has not been tampered with or altered. A Message Digest ensures the integrity of any message data that is transmitted over an insecure channel (that is, a channel that may alter the message’s content) (see ISC2 Study Guide, chapter 1, module 1). Cryptographic hash functions (like MD5 or SHA-256) create a fixed-length digital fingerprint of the message data called the Message Digest. If the Message Digest does not match, then the message’s integrity has been compromised.

In itself, hashing doesn’t guarantee integrity, since integrity follows from the protocol whereby the sender and the receiver both digest the message. Content encryption guarantees the property of confidentiality whereby the contents of a message can only be accessed from the original data with the knowledge of a key. Backups are copies of data stored in a separate location that can be used to restore data in the event of data loss or corruption. They can ensure data integrity by providing a way to verify its authenticity and accuracy. However, backups do not actively prevent data corruption or tampering, and may not even be able to detect changes in the data unless a comparison with the original data is made.

43
Q

(★) A USB pen with data passed around the office is an example of:

Data in motion

Data in transit

Data at rest

Data in use

A

Data at rest

Data at rest is stored data that resides on hard drives, tapes, cloud storage or other media, in this case a USB pen; physically carrying the device around the office does not change that. Data in use (also called data in processing) is data actively being processed by a computer system. Data being sent over a network is data in motion; data in transit is a synonym for data in motion, and likewise does not describe data sitting on a storage device.

44
Q

When a company collects PII, which policy is required?

Acceptable Use Policy

Remote Access Policy

Privacy Policy

GDPR

A

A Privacy Policy

A Privacy Policy outlines how Personally Identifiable Information (PII) is collected, stored, processed and protected, and the data security mechanisms that ensure customer data is protected (see ISC2 Study Guide, chapter 5, module 3). The General Data Protection Regulation (GDPR) is a data protection and privacy regulation for the European Union and the European Economic Area (a law, not a policy). An Acceptable Use Policy (AUP) defines the guidelines and limitations that users must agree to when accessing the organization’s network, computer systems or other related resources. Finally, the Remote Access Policy (RAP) defines acceptable methods of remotely connecting to an organization’s internal network.

45
Q

Which of these terms refers to threats with unusually high technical and operational sophistication, spanning months or even years?

APT

Rootkit

Ping of death

Side-channel

A

APT

An Advanced Persistent Threat is a threat with unusually high technical and operational sophistication. APTs can be difficult to detect and defend against, as the attackers often use sophisticated techniques to evade detection, and to remain stealthy for extended periods of time. APTs are typically carried out by highly skilled and well-funded attackers (such as nation-state actors or well-organized criminal groups), and often target specific organizations or individuals with the goal of stealing sensitive information or disrupting operations (see ISC2 Study Guide, chapter 4, module 2).

The other options are all cyber-threat terms, but none of them names a long-running, highly sophisticated campaign (APT actors may well use rootkits or side channels as tools within such a campaign). Rootkits are malware designed to conceal the presence of other malicious software on a system; a ping of death is a denial of service (DoS) attack that sends a malformed, oversized ping packet to crash or overwhelm a target; and side-channel attacks exploit information leaked through unintended channels (such as power consumption, electromagnetic emissions or timing) to recover sensitive information such as cryptographic keys.

46
Q

Which of these documents is MORE directly related to what can be done with a system or with its information?

ROE

MOA

SLA

MOU

A

MOU

A Memorandum of Understanding (MOU) outlines the terms and conditions for collaboration, including any restrictions on the use of systems or information (see ISC2 Study Guide, chapter 4, module 3). A Memorandum of Agreement (MOA) is similar to an MOU, but is both more formal and legally binding. A Service Level Agreement (SLA) is a contract between a service provider and a customer which specifies service-related guarantees or warranties. In cybersecurity, Rules of Engagement (ROE) are the guidelines under which a security team may act: in a defensive context, the actions authorized against an ongoing attack, the circumstances under which they may be taken, and the procedure for obtaining approval; in a penetration test, the scope, timing and techniques the testers are permitted to use. ROE are important because they ensure that an organization does not expose itself to further attacks (or liability) while defending or testing itself.

47
Q

Which of these is NOT a characteristic of the cloud?

Rapid Elasticity

Broad Network Access

Measured Service

Zero Customer Responsibility

A

Zero Customer Responsibility

The characteristics of the cloud, also known as the “five essential characteristics” of cloud computing, are (see ISC2 Study Guide, chapter 4, module 3):

Broad network access: Cloud resources can be reached over a network (typically the internet) from a wide range of client devices;

Rapid elasticity: Cloud resources can be scaled up or down quickly and automatically to meet changing demand;

Measured service: Cloud providers track and measure the use of resources, and users are typically charged based on their usage;

Resource pooling: Cloud providers pool resources (such as storage and computing power) and allocate them to users on demand;

On-demand self-service: Cloud users can access computing resources on demand without human intervention.

Finally, cloud services run under a shared responsibility model: the provider maintains the infrastructure and delivers the resources and services, while the customer remains responsible for how those services are configured and used (its data, identities and access controls, for example) and for honoring the terms of its agreement with the provider. Therefore, zero customer responsibility is NOT a characteristic of the cloud.

48
Q

Which of these is a COMMON mistake made when implementing record retention policies?

Not categorizing the type of information to be retained

Applying shorter retention periods to the information

Not labeling the type of information to be retained

Applying the longest retention periods to the information

A

Applying the longest retention periods to the information

A common mistake in record retention is applying the longest retention period to everything, without taking into account the sensitivity, importance or legal requirements of the corresponding information. Retaining unnecessary data has considerable storage and management costs, and it also increases the organization’s exposure if that data is breached or becomes subject to legal discovery. Less important or sensitive information can have shorter retention periods, reserving longer retention for information that genuinely requires it (see ISC2 Study Guide, chapter 5, module 1).

49
Q

As an (ISC)² member, you are expected to perform with due care. What does ‘due care’ specifically mean?

Researching and acquiring the knowledge to do your job right

Do what is right in each situation you encounter on the job

Apply patches annually

Give continuity to the legacy of security practices of your company

A

Do what is right in each situation you encounter on the job

The concept of ‘due care’ (also known as ‘the prudent person rule’) refers to what a prudent person would do in a given situation. In cybersecurity, ‘due care’ means taking reasonable steps to secure and protect the organization’s assets, reputation and finances. The concept is holistic and includes, among other things: implementing the appropriate security standards, policies and procedures; ensuring proper cybersecurity awareness training; and promoting the continuous improvement of monitoring controls. Applying patches, continuing security practices and acquiring knowledge for the job are specific tasks included in ‘due care’, but are not good overall definitions of the concept (see ISC2 Study Guide, chapter 1, module 5).

50
Q

(★) Which of these statements about the security implications of IPv6 is NOT true?

IPv6’s NAT implementation is insecure

Rules based on static IPv6 addresses may not work

IPv6 traffic may bypass existing security controls

IPv6 reputation services may not be mature or useful

A

IPv6’s NAT implementation is insecure

IPv6 has no network address translation (NAT) as part of the protocol, since its address space is large enough that NAT is not needed; there is therefore no IPv6 NAT implementation whose security could be in question. Rules based on static IPv6 addresses may not work, since IPv6 hosts often autoconfigure their addresses and may change them over time (for example with privacy extensions), so firewall or access control rules tied to fixed addresses can fail. Reputation services for IPv6 are still relatively rare, and less useful than their IPv4 counterparts. Finally, an organization must configure its security controls to handle IPv6 traffic explicitly; otherwise IPv6 traffic, which many hosts enable by default, may bypass controls that were built around IPv4 (see ISC2 Study Guide, chapter 4, module 3).

51
Q

Which method is COMMONLY used to map live hosts in the network?

Ping sweep

Traceroute

Wireshark

Geolocation

A

Ping sweep

A ping sweep is a commonly used method to map live hosts in a network. A ping sweep involves sending a series of ping messages (ICMP Echo Request packets) to a range of IP addresses on a network so as to determine which hosts are currently online. Hosts that are online respond with an ICMP Echo Reply, and collecting the replies makes it possible to map which hosts are currently up (see ISC2 Study Guide, chapter 4, module 3). Note that a ping sweep depends on hosts answering ICMP; where ICMP is filtered, host-discovery tools such as nmap fall back to ARP requests on the local segment or to TCP probes against common ports.

The remaining options are not typically used to map live hosts in a network. Geolocation is a process for determining a device or user’s physical location, based on information obtained from the device’s IP or MAC address. Traceroute is a method to determine the sequence of hops that the packets took to a given IP address, so as to both map a network’s topology and diagnose connectivity or routing issues. Finally, Wireshark is a network protocol analyzer tool that can be used to view and analyze packets’ contents, including the IP addresses and hostnames.

52
Q

Which of these is not a common goal of a cybersecurity attacker?

Denial

Allocation

Alteration

Disclosure

A

Allocation

The three most common goals of cybersecurity attackers are disclosure, alteration, and denial (DAD), which correspond directly to the cybersecurity triad: confidentiality, integrity, and availability (CIA) (see ISC2 Study Guide, chapter 1, module 1). Allocation means assigning controls to specific system elements responsible for providing a security or privacy capability (e.g., access control systems, routers, servers, etc.), and therefore is not a common goal of a cybersecurity attacker.

53
Q

(★) In the event of a disaster, what should be the PRIMARY objective?

Protect the production database

Guarantee the safety of people

Apply disaster communication

Guarantee the continuity of critical systems

A

Guarantee the safety of people

In the event of a disaster, the number one priority is always to guarantee the safety of human life above all else (see ISC2 Study Guide, chapter 2, module 1). The remaining options, though essential to business continuity, are never as important as the safety of actual human beings.

54
Q

(★) Which is the PRIMARY focus of the ISO 27002 standard?

Information Security Management System (ISMS)

Risk Management

Health Insurance Portability and Accountability Act (HIPAA)

Application Security

A

Information Security Management System (ISMS)

ISO 27002 is a supplementary standard that gives implementation guidance for the information security controls of an Information Security Management System (ISMS), as defined in ISO 27001. Among many other areas, these controls cover application security. Risk management is touched on in this standard, but is not its primary focus (that is the subject of ISO 31000, and of ISO 27005 for information security risk specifically). HIPAA is the United States law that governs the privacy of healthcare information.

55
Q

On an Incident Response team, which role acts as the team’s main link to Senior Management?

Technical expert

Information security

Management

Communications and public relations

A

Management

On most incident response teams, members of management or organizational leadership act as a primary conduit to senior management (see ISC2 Study Guide, chapter 2, module 1). The management team member also ensures that difficult or urgent decisions can be made without escalating authority. Communications and public relations staff focus on internal and external communications that typically differ from the direct conduit to senior management. Technical and information security experts are primarily concerned with undertaking incident response work.

56
Q

(★) The best defense method to stop a ‘Replay Attack’ is to:

Use password authentication

Use an IPsec VPN

Use a firewall

Use message digesting

A

Use an IPsec VPN

A replay attack is when an attacker captures and later resends (“replays”) a valid, authenticated message (see ISC2 Study Guide, chapter 4, module 2). An IPsec VPN defends against this because every ESP or AH packet carries a sequence number, which the receiver checks against an anti-replay window, and a keyed integrity check value (ICV) computed by the sender, so a duplicated packet is discarded and a forged or modified packet fails the integrity check. Message digesting alone is ineffective, because a replayed message still carries a valid digest: the attacker does not need to read or alter the message, only to resend it. One-time passwords, which cannot be reused, do counter replay; ‘password authentication’ in general, however, simply identifies a user to a system, and a static password is exactly the kind of credential a replay attack reuses. Firewalls filter traffic on addresses, ports and protocols and cannot tell a replayed packet from a legitimate one, so they are ineffective against replay attacks, particularly inside a network.
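The two per-packet checks described above, as an added example that is not part of the ISC2 study guide or these flashcards and is not real IPsec code: a model of the sequence-number anti-replay window (RFC 4303 style) and the keyed integrity check an IPsec receiver applies. The shared key, the packets and the use of a 16-byte truncated HMAC-SHA-256 as the ICV are constructed for the demonstration.

```python
# Added example, not from the ISC2 study guide and not real IPsec code: a
# model of the two per-packet checks an IPsec (ESP/AH) receiver performs,
# which together defeat replayed and forged packets. Key, packets and the
# 16-byte truncated HMAC-SHA-256 ICV are constructed for this demonstration.
import hashlib
import hmac

WINDOW = 64  # RFC 4303 requires a window of at least 32; 64 is typical


def compute_icv(key: bytes, seq: int, payload: bytes) -> bytes:
    """Keyed integrity check value over the sequence number and payload."""
    data = seq.to_bytes(4, "big") + payload
    return hmac.new(key, data, hashlib.sha256).digest()[:16]


class Sender:
    def __init__(self, key: bytes):
        self.key = key
        self.seq = 0  # ESP sequence numbers start at 1

    def send(self, payload: bytes) -> tuple:
        self.seq += 1
        return self.seq, payload, compute_icv(self.key, self.seq, payload)


class Receiver:
    def __init__(self, key: bytes):
        self.key = key
        self.highest = 0  # highest sequence number accepted so far
        self.seen = 0     # bitmap: bit i set => (highest - i) already accepted

    def receive(self, seq: int, payload: bytes, icv: bytes) -> str:
        # 1. Cheap sequence-number check first (RFC 4303, section 3.4.3).
        if seq <= self.highest:
            offset = self.highest - seq
            if offset >= WINDOW:
                return "drop: outside window"
            if self.seen & (1 << offset):
                return "drop: replay"
        # 2. Integrity check: forged or modified packets stop here.
        if not hmac.compare_digest(compute_icv(self.key, seq, payload), icv):
            return "drop: bad ICV"
        # 3. Only an authenticated packet updates the window.
        if seq > self.highest:
            shift = seq - self.highest
            self.seen = ((self.seen << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
        else:
            self.seen |= 1 << (self.highest - seq)
        return "accept"


def demo() -> list:
    key = b"constructed shared key - demo only"
    tx, rx = Sender(key), Receiver(key)
    p1 = tx.send(b"login ok")
    p2 = tx.send(b"transfer 100")
    p3 = tx.send(b"logout")
    return [
        rx.receive(*p1),                        # accept
        rx.receive(*p3),                        # accept: early, but new
        rx.receive(*p2),                        # accept: late, inside the window
        rx.receive(*p2),                        # drop: replay
        rx.receive(4, b"transfer 999", p2[2]),  # drop: bad ICV (forged payload)
        rx.receive(*p1),                        # drop: replay
    ]
```

The window is updated only after the ICV verifies, so an attacker cannot poison the receiver’s view of “already seen” sequence numbers with forged packets. Out-of-order delivery within the window is tolerated, which is why the late packet 2 is still accepted.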

57
Q

Which of these layers is NOT part of the TCP/IP model?

Application

Internet

Physical

Transport

A

Physical

The physical layer exists in the OSI model, but not in the TCP/IP model, where its functions (along with those of the data link layer) are folded into the Network Interface layer. The four TCP/IP Protocol Architecture Layers are: [1] Application (application protocols such as HTTP, SMTP and DNS, which determine the transport protocol they use); [2] Transport (end-to-end delivery between processes, via TCP or UDP); [3] Internet (IP addressing, packet creation and routing); [4] Network Interface (how frames move over the local physical network) (for more on this, see ISC2 Study Guide, Chapter 4, Module 1).

58
Q

(★) Which of these subnet masks will allow 30 hosts?

/26

/29

/30

/27

A

/27

A subnet mask separates the network portion of an IP address from the host portion; subnetting divides a network into two or more subnets (see ISC2 Study Guide, chapter 4, module 1). For 30 hosts we need 30 usable addresses plus 2 reserved ones (the network and broadcast addresses), that is 32 addresses in total. 32 = 2^5, so 5 bits are left for hosts and the prefix length is 32 - 5 = 27: the mask is 255.255.255.224, or /27 in CIDR (Classless Inter-Domain Routing) notation. Of the other options, /26 gives 64 addresses (62 usable hosts), /29 gives 8 addresses (6 usable hosts) and /30 gives 4 addresses (2 usable hosts).
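The arithmetic above, as an added example that is not part of the ISC2 study guide or these flashcards, generalized to any prefix length or host count using only Python’s standard-library ipaddress module. It also handles the two edge cases the card’s “minus two” rule does not cover: /31 point-to-point links (RFC 3021) use both addresses, and a /32 is a single host. The 192.168.10.77/27 address used in describe() is constructed.

```python
# Added example (not from the ISC2 study guide): the subnet arithmetic behind
# the card, generalized to any prefix length or host count, using only the
# standard-library ipaddress module. The 192.168.10.x network is constructed.
import ipaddress


def usable_hosts(prefix: int) -> int:
    """Usable IPv4 host addresses in a /prefix network.

    Two addresses (network and broadcast) are reserved, except in the edge
    cases /31 (RFC 3021 point-to-point links use both) and /32 (one host).
    """
    if not 0 <= prefix <= 32:
        raise ValueError("IPv4 prefix length must be between 0 and 32")
    if prefix == 32:
        return 1
    if prefix == 31:
        return 2
    return 2 ** (32 - prefix) - 2


def prefix_for_hosts(hosts: int) -> int:
    """Longest prefix (smallest subnet) whose usable addresses cover `hosts`."""
    if hosts < 1:
        raise ValueError("need at least one host")
    for prefix in range(32, -1, -1):  # try the smallest subnet first
        if usable_hosts(prefix) >= hosts:
            return prefix
    raise ValueError("more hosts than a single IPv4 network can address")


def netmask(prefix: int) -> str:
    """Dotted-decimal mask for a prefix length, e.g. 27 -> 255.255.255.224."""
    return str(ipaddress.ip_network(f"0.0.0.0/{prefix}").netmask)


def describe(cidr: str) -> dict:
    """Network, broadcast, mask and usable host range for an address in CIDR form."""
    net = ipaddress.ip_network(cidr, strict=False)  # strict=False accepts a host address
    hosts = list(net.hosts())
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "netmask": str(net.netmask),
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "usable_hosts": len(hosts),
    }
```

Because of the /31 edge case, prefix_for_hosts(2) returns 31 rather than the /30 a strict “minus two” rule would give; on a real link that is the correct, address-saving answer, but an exam question using the card’s convention expects /30.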

59
Q

Which of these is included in an SLA document?

A plan to keep business operations going while recovering from a significant disruption

A plan to prepare the organization for the continuation of critical business functions

Instructions on data ownership and destruction

Instructions to detect, respond to, and limit the consequences of a cyber-attack

A

Instructions on data ownership and destruction

A Service Level Agreement (SLA) is a contract between a service provider and a customer which defines the level of service that the provider will deliver. It should include instructions on data ownership and destruction, so that sensitive data is properly protected for the life of the contract and returned or destroyed at its end. A set of instructions or procedures to detect, respond to, and limit the consequences of a cyber-attack is called an Incident Response Plan (see ISC2 Study Guide chapter 2, module 1, under The Goal of Incident Response). A plan to sustain business operations while recovering from a significant disruption is called a Business Continuity Plan (see ISC2 Study Guide chapter 2, module 2, under The Importance of Business Continuity). A plan to prepare an organization for the continuation of critical business functions is called a Disaster Recovery Plan (see ISC2 Study Guide chapter 2, module 3, under The Goal of Disaster Recovery).

60
Q

Which of these is NOT a feature of a SIEM (Security Information and Event Management)?

Log auditing

Log retention

Log encryption

Log consolidation

A

Log auditing

Log auditing is not a feature of a SIEM (Security Information and Event Management). A SIEM typically provides the following features:

Log consolidation, which consists of collecting logs from various sources (such as servers, firewalls or IDS/IPS) and storing them in one central location.

Log retention, which consists of storing logs for a specific period (such as 90 days), so that security analysts can keep track of and investigate past events.

Log encryption, which is an optional feature that safeguards the confidentiality of log data.

Log analysis, which involves identifying patterns, trends and anomalies related to security events, in or close to real time.

Though related to log analysis, log auditing specifically refers to ensuring the reliability and trustworthiness of log data for debugging, performance monitoring, security, and compliance purposes. This is usually done on a periodic basis (not in real-time).
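The consolidation and analysis features listed above, as an added example that is not part of the ISC2 study guide or these flashcards: lines from two constructed sources (an sshd syslog and a firewall log, both made up for this example along with their formats) are normalized into one time-ordered event stream, and a sliding-window rule then flags any source IP with five or more failed logins within 60 seconds, the kind of near-real-time correlation a SIEM performs. The IP addresses are RFC 5737 documentation addresses.

```python
# Added example (not from the ISC2 study guide): SIEM log consolidation and
# analysis in miniature. Log lines, formats and addresses are constructed.
import re
from collections import defaultdict, deque
from datetime import datetime

SSHD = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+)"
)
FIREWALL = re.compile(
    r"^(?P<ts>\S+) \S+ action=(?P<action>\w+) src=(?P<ip>\S+) dst=\S+ dport=\d+"
)

# Constructed sample logs from two sources (two hosts' sshd plus a firewall).
SAMPLE_LOGS = [
    "2024-03-01T10:00:01 host1 sshd[911]: Failed password for root from 203.0.113.7 port 50012 ssh2",
    "2024-03-01T10:00:03 host1 sshd[911]: Failed password for invalid user admin from 203.0.113.7 port 50013 ssh2",
    "2024-03-01T10:00:05 fw01 action=deny src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2024-03-01T10:00:10 host2 sshd[412]: Failed password for alice from 198.51.100.2 port 40000 ssh2",
    "2024-03-01T10:00:20 host1 sshd[911]: Failed password for root from 203.0.113.7 port 50014 ssh2",
    "2024-03-01T10:00:30 host1 sshd[911]: Failed password for root from 203.0.113.7 port 50015 ssh2",
    "2024-03-01T10:00:45 host1 sshd[911]: Failed password for root from 203.0.113.7 port 50016 ssh2",
    "2024-03-01T10:03:00 host2 sshd[412]: Failed password for alice from 198.51.100.2 port 40001 ssh2",
    "2024-03-01T10:03:01 host2 sshd[412]: Accepted password for alice from 198.51.100.2 port 40002 ssh2",
]


def normalise(line: str):
    """Map a raw line from any source onto one common event schema."""
    m = SSHD.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "source": "sshd",
                "ip": m["ip"], "user": m["user"], "event": "auth_failure"}
    m = FIREWALL.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "source": "firewall",
                "ip": m["ip"], "user": None, "event": "fw_" + m["action"]}
    return None  # unparsed lines are dropped here; a real SIEM keeps the raw line


def consolidate(lines) -> list:
    """Consolidation: parse every source and merge into one time-ordered stream."""
    events = [e for e in map(normalise, lines) if e is not None]
    return sorted(events, key=lambda e: e["ts"])


def detect_bruteforce(events, threshold: int = 5, window_seconds: int = 60) -> list:
    """Analysis: alert once per IP when `threshold` failures fall inside the window."""
    recent = defaultdict(deque)
    alerts, alerted = [], set()
    for e in events:
        if e["event"] != "auth_failure":
            continue
        q = recent[e["ip"]]
        q.append(e["ts"])
        while (q[-1] - q[0]).total_seconds() > window_seconds:
            q.popleft()  # discard failures that fell out of the window
        if len(q) >= threshold and e["ip"] not in alerted:
            alerted.add(e["ip"])
            alerts.append({"ip": e["ip"], "failures": len(q),
                           "first": q[0].isoformat(), "last": q[-1].isoformat()})
    return alerts
```

The second source IP fails twice but three minutes apart, so it never reaches the threshold inside the window; the firewall deny is consolidated into the same stream but does not count as an authentication failure, which is the point of normalizing to a common event type before writing rules.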