Missed Test Questions Flashcards

1
Q

3 Media Management / Control modes

A
  1. Simplex (one direction)
  2. Half-duplex (two way, but only one direction can send data at a time)
  3. Full-duplex (two way, in which data can be sent in both directions simultaneously)
2
Q

Atomicity

A

Database principle that ensures transactions execute in an all or nothing fashion

3
Q

First Thing a BCP Team should do

A

Business organization analysis

4
Q

Best choice for an org that wants to enforce strong passwords, with most users having a single set of credentials

A

Single Sign On (SSO) - A mechanism that allows users to authenticate themselves only once and freely roam the network / access resources without having to be reauthenticated.

5
Q

Disaster Recovery Plan
Full Interruption type of test

A

Test phase where the primary data center is shut down

6
Q

Best choice for an admin installing an app on a Windows server. The app needs to run in the context of an account with specific privileges.

A

Service Account

7
Q

End-of-Service (EOS) vs. End-of-Life (EOL)

A

EOS - when a vendor will no longer support a product
EOL - when a vendor will no longer offer a product for sale

8
Q

Watermarking Digital Data

A

Method to embed unobtrusive labels in digital data. After they are embedded, other methods should be able to detect these labels.

The process of digital watermarking hides information within a file that is known only to the file's creator. If someone later creates an unauthorized copy of the content, the watermark can be used to detect the copy and (if uniquely watermarked files are provided to each original recipient) trace the offending copy back to the source.

9
Q

Why would a company’s security policy state that user accounts should be disabled during the exit interview for any employee leaving the company?

A

To retain the employee’s decryption key

10
Q

Under HIPAA when is it permissible to share PHI with a 3rd party vendor?

A

If the service provider enters into a business associate agreement

11
Q

Which technologies are specifically defined as part of 802.11 wireless networking?

A
  • WPA3
  • SAE
  • 802.11i
  • WPS
12
Q

Symmetric Encryption Table
AES/Rijndael
(Type, Algo Type, Block Size in bits, Key size in bits, Strength)

A

Type: Symmetric
Algo Type: Block Cipher
Block Size (bits): 128
Key Size (bits): 128, 192, 256
Strength: Strong

13
Q

Network Controls
Quality of Service

A

QoS controls allow admins to prioritize different types of network traffic

14
Q

What is a necessary requirement for an IT network that ensures accountability?

A

Audit Trails

Audit trails provide a record of events in audit logs. They include what happened and who did it. Users can be held accountable for their actions when the logs show what they did. Authentication (not available as a possible answer) is also necessary.

15
Q

Misuse Case Testing

A

Testing in which you develop a list of possible ways an attacker might exploit the app, then try each scenario to see whether the app is actually vulnerable to that exploit

16
Q

PCI DSS

A

Payment Card Industry Data Security Standard

Applies to orgs involved in storing, transmitting, and processing credit card info

17
Q

Privileged Account Management

A

Method to identify when personnel are using elevated privileges and to detect violations of the least privilege principle

Privileged account management ensures that personnel do not have more privileges than they need and do not misuse their privileges. It can identify whether users have excessive privileges violating the least privilege principle. Security logs would be used, but not alone.

18
Q

IPT

A

Integrated Product Teams (IPTs)

Introduced by the DoD in 1995 to bring together stakeholders and foster parallel decision making

19
Q

Software Configuration Management (SCM)
Configuration Control

A

Portion of SCM process that ensures changes to software versions are made in accordance with the change control and configuration management policies

19
Q

While traveling, a worker connects their company-issued computer to a hotel Wi-Fi network, rather than the cellular data service included with the system. After checking email, performing online research, posting a message to a company discussion forum, and updating their itinerary in the company scheduling service, they disconnect. A few days later, the company experiences an intrusion and trade secrets are stolen by an unknown attacker. The incident investigation revealed that the credentials used to gain access to the company during the breach belonged to the remote worker. What was the cause of the company compromise?

A

Not using the 4G or 5G link

The most likely cause of this incident was an acceptable use policy violation of not using the 4G/5G cellular service included on the mobile system. If a company-issued computer has a cellular data service, it is likely there is a prohibition of using open Wi-Fi networks.

ARP poisoning might have been involved in the attack if the adversary was in the same hotel and on the same Wi-Fi network as the victim, but this is not the primary reason the attack occurred.

20
Q

Social Engineering Attack
Hoax
(3 major indicators)

A

A hoax is a social engineering attack that attempts to trick a user into taking actions that will harm them, by exploiting the fear that not taking action would itself cause harm.

  1. Lack of digital signature
  2. Threat of damage to computer system
  3. Encouragement to take specific steps to resolve

Characteristics NOT specifically attributed to a hoax:
- Use of poor grammar
- Lack of correct spelling
- Claim to be from trusted authority
- Inclusion of hyperlinks

21
Q

Benefits of IPv6 vs IPv4

A

IPv6
- Uses a 16-byte address
- Supports autoconfig without DHCP
- Supports QoS priority values

IPv4
- Uses a 32-bit address
- Reserves a subnet for loopback
- Requires NAT to convert between internal and external addresses
- Also supports QoS values, but the field is called Type of Service in the header

22
Q

East-West Traffic & North-South Traffic

A

East-West Traffic: Flow that occurs within a specific network, data center, or cloud

North-South Traffic: Flow that occurs inbound or outbound between internal systems and external systems

23
Q

Type of protocol that replaces certificate revocation lists with a real-time method of verifying the status of a digital certificate?

A

Online Certificate Status Protocol (OCSP)

Provides real-time query/response services to digital certificate users. This overcomes the latency inherent in the traditional certificate revocation list download-and-cross-check process.

24
Q

Hot Site

A

Type of alternate processing facility that contains a full complement of computing equipment in working order with copies of data ready to go

25
Q

What is the most important consideration when identifying the classification of assets?

A

The Value of the data it holds or processes

26
Q

Remote Access Technique Examples

A
  • Remote node operation
  • Remote control
  • Screen scraping
  • Service specific
27
Q

Attackers have exploited the KRBTGT account in an org’s domain. What will this allow them to do?

A

Create golden tickets

Attackers can create golden tickets with access to the Kerberos service account (KRBTGT).

28
Q

What is in the “something you have” factor of authentication and doesn’t generate a password?

A

Smartcard

  • Synchronous dynamic tokens / asynchronous dynamic tokens create passwords
  • Authentication apps make PINs used as passwords
29
Q

Parol Evidence Rule

A

States that when an agreement between parties is put into written form, the written doc is assumed to contain all the terms of the agreement, and no verbal agreements may modify the written agreement

30
Q

A security manager is implementing techniques to prohibit rogue devices from gaining network access. After they install a NAC, what additional tool would be able to ensure that only known and authenticated systems gain connectivity?

A

IEEE 802.1X

provides port-based access control and is useful both on wired and wireless connections to block access to systems and users that are unknown or that fail authentication. It is a common companion to NAC implementations.

By contrast, IEEE 802.11 is a family of protocols that provides for wireless communications using radio frequency transmissions. Wireless networks based on this standard use either 2.4 GHz or 5 GHz frequencies to support communications. The wireless networks made possible by this standard are called Wi-Fi today.

31
Q

Similarity between Network-based intrusion detection system (NIDSs) and Network-based Intrusion Prevention Systems (NIPSs)

A

NIDSs and NIPSs can both detect attacks using pattern-matching (also known as signature-based detection and knowledge-based detection).

A NIPS is placed inline with traffic and can prevent attacks from reaching an internal network. While a NIDS can be placed inline with the traffic, it isn’t placed inline by default.

32
Q

Xavier has been tasked with redesigning the network in order to minimize the risk related to users in one department accessing the systems in another. Which of the following is not used to segment a network?

A. Screened subnet
B. VPN
C. VLAN
D. ISFW

A

A VPN is not a network segmentation technique; it is a secured encapsulation tunnel used to connect networks (or network segments) together.

Screened subnets, VLANs, and internal segmentation firewalls (ISFWs) are used to segment a network.

33
Q

Which ports should be open to support TACACS+ and RADIUS?

A

UDP 1812 and TCP 49

Only with these ports open on the firewall between the WAP and the intranet will wireless endpoints be able to authenticate via ENT to one of these AAA services.

34
Q

DREAD vs STRIDE

A

DREAD
- Damage potential
- Reproducibility
- Exploitability
- Affected users
- Discoverability

STRIDE
- Elevation of privilege
- Repudiation
- Denial of Service

35
Q

Development Methodologies
Spiral Model

A

Seeks to iteratively produce new prototypes of a system during the development process.

36
Q

What is NOT a best practice when pen testing?

A

Performing the attacks without management’s consent

You should never conduct a formal or informal penetration test against any company without the advance knowledge and express consent of management.

37
Q

Benefits of containerization / virtualization

A
  • Allow for multiple concurrent applications within a single container
  • Offer customization of interaction between applications in separate containers
38
Q

3 things to help reduce vulns against fraud from malicious employees:

A
  1. Job rotation
  2. Separation of duties
  3. Mandatory vacations
39
Q

Federation

A

Can include 2+ networks and allow users in each network to share network resources. Can provide SSO

40
Q

3 Common types of alarms

A
  1. Deterrent
  2. Repellent
  3. Notification
41
Q

Your company is planning to launch an e-commerce website. Management wants to ensure this website has adequate security controls in place before the site goes live. Administrators started with a baseline of security controls. What else should be a primary consideration related to security controls?

A. Identifying the data controller
B. Identifying the data processor
C. Selecting a standard
D. Preventing data loss

A

C. Selecting a standard

like PCI DSS

42
Q

One problem that can result from incomplete sanitization?

A

Personnel can perform sanitization steps improperly.

Sanitization can be unreliable because personnel can perform the purging, degaussing, or other processes improperly.

43
Q

How can an org treat data so that it can be transferred without GDPR compliance problems?

A

Anonymization techniques remove all data so that it is difficult to identify the original identities.

When done correctly, the GDPR no longer applies.

Pseudonymization is the process of replacing some data with an identifier, such as a pseudonym. An external dataset holds the original data along with the pseudonym. However, if applying pseudonymization techniques, the GDPR still applies.

44
Q

What federal government agency has the authority to regulate the export of encryption software?

A

Bureau of Industry and Security (BIS) within the Department of Commerce sets regulations on the export of encryption products outside of the United States.

45
Q

Benefits of NAT

A
  • Hides internal IP addressing scheme
  • Shares a few public internet addresses with a large number of internal clients
  • Uses the private IP addresses from RFC 1918 on an internal network

Does NOT prevent brute-force attacks

46
Q

Risk-based Access Control

A

It evaluates the environment and the situation and makes decisions to block traffic that is abnormal.

A risk-based access control model can be coded to block malicious traffic from infected IoT devices.

47
Q

Write blocker

A

Hardware device used to prevent the accidental writing of data to media that was collected as evidence

48
Q

Ways to ensure effectiveness of security training

A
  • Give a quiz at the end
  • Have workers take a test 6 months later
  • Collect key security indicators that relate to insider security incidents over time
49
Q

What is the most important concept in relation to layered security?

A

Series

When security restrictions are performed in a series, they are performed one after the other in a linear fashion. Therefore, a single failure of a security control does not render the entire solution ineffective. Multiple security controls are only important so you can use them in a series, rather than have only one protection.

50
Q

Which of the following AAA services does Remote Authentication Dial-in User Service (RADIUS) provide?

A

RADIUS provides:
- authentication
- authorization
- accounting

51
Q

What is the most important rule to follow when collecting evidence?

A

Avoid the modification of evidence during the collection process

52
Q

Adam recently ran a network port scan of a web server running in his organization. He ran the scan from an external network to get an attacker’s perspective on the scan. Which one of the following results is the greatest cause for alarm?

A. 80/open
B. 22/filtered
C. 443/open
D. 1433/open

A

D. 1433/open

53
Q

Company proprietary data are discovered on a public social media posting by the CEO. While investigating, a significant number of similar emails were discovered to have been sent to employees, which included links to malicious sites. Some employees report that they had received similar messages to their personal email accounts as well. What improvements should the company implement to address this issue? (Choose two.)

A. Deploy a web application firewall.
B. Block access to personal email from the company network.
C. Update the company email server.
D. Implement multifactor authentication (MFA) on the company email server.
E. Perform an access review of all company files.
F. Prohibit access to social networks on company equipment.

A

B. Block access to personal email from the company network.
F. Prohibit access to social networks on company equipment.

54
Q

There are many aspects of security controls you need to evaluate, but the primary issues include being able to process significant amounts of data in short periods of time, controlling which applications can access which assets, and being able to prohibit VM sprawl or repetition of operations. Which of the following is not relevant to this selection process?
A. Collections of entities, typically users, but can also be applications and devices, which can be granted or denied access to perform specific tasks or access certain resources or assets
B. A VDI or VMI instance that serves as a virtual endpoint for accessing cloud assets and services
C. The ability of a cloud process to use or consume more resources (such as compute, memory, storage, or networking) when needed
D. A management or security mechanism able to monitor and differentiate between numerous instances of the same VM, service, app, or resource

A

B. A VDI or VMI instance that serves as a virtual endpoint for accessing cloud assets and services

55
Q

What is the minimum age a child must be before companies can collect personal identifying information from them without parental consent under COPPA?

A

13

56
Q

Trademark Icons
®

A

® symbol is reserved for trademarks that have received official registration status by the U.S. Patent and Trademark Office.

57
Q

Trademark Icons
™

A

The ™ symbol would be used before receiving USPTO approval.

58
Q

Trademark Icons
©

A

The © symbol is used to represent a copyright.

59
Q

Trademark Icons
†

A

The † symbol is not associated with intellectual property protections.

60
Q

Main action taken at remediation stage of incident response

A

Root Cause Analysis

61
Q

OpenID Connect (OIDC)

A

OIDC is an authentication layer built on the OAuth 2.0 framework (described in RFC 6749) and is maintained by the OpenID Foundation. RFC 6749 itself, which defines OAuth, is maintained by the Internet Engineering Task Force (IETF).

OIDC is an authentication solution for a website that lets users authenticate with a third party. The website never sees or stores the user's credentials.

62
Q

Test Coverage Analysis Technique
Branch Coverage

A

Evaluates whether every if statement has been executed under all if and else conditions.

62
Q

Test Coverage Analysis Technique
Condition coverage

A

Condition coverage tests whether every logical test in the code has been executed under all sets of input.

63
Q

Test Coverage Analysis Technique
Function coverage

A

Function coverage verifies that every function in the code has been called and returned results.

64
Q

Test Coverage Analysis Technique
Loop coverage

A

Loop coverage verifies that every loop in the code has been executed under conditions that cause code execution multiple times, only once, and not at all.

65
Q

Distributed Computing Environment Interface Definition Language (DCE IDL)

A

There are numerous examples of DCE IDLs or frameworks, such as:
- remote procedure calls (RPC),
- the Common Object Request Broker Architecture (CORBA),
- and the Distributed Component Object Model (DCOM)

66
Q

Control Objectives for Information and Related Technologies (COBIT)

A

a documented set of best IT security practices crafted by ISACA and the IT Governance Institute (ITGI).

67
Q

With Agile, how often should business users be involved in development?

A

Daily

68
Q

What is the purpose of a Kerberos Ticket-Granting Ticket (TGT)?

A

A TGT provides proof that a subject has authenticated with a key distribution center (KDC) and can request network service access.

  • The TGT does verify the existence of a user account, but it does much more.
  • It proves the user has authenticated and can request a ticket.
  • A ticket (not a ticket-granting ticket) is an encrypted message that proves a user can access an object.
69
Q

VM Escape Protection

A

VM escaping occurs when software within a guest OS is able to breach the isolation protection provided by the hypervisor in order to violate the container of other guest OSs or to infiltrate a host OS.

  • This is a serious concern that must be addressed before full deployment into production of this new infrastructure solution.
70
Q

Distributed Data Model

A

The distributed data model has data stored in more than one database, but the data is still logically connected.

  • The user perceives the database as a single entity, even though it comprises numerous parts interconnected over a network.
71
Q

Open Database Connectivity (ODBC)

A

a database feature that allows applications to communicate with different types of databases without having to be directly programmed for interaction with each type.

  • ODBC acts as a proxy between applications and backend database drivers, giving application programmers greater freedom in creating solutions without having to worry about the backend database system.
72
Q

Attribute-Based Access Control (ABAC)

A

ABAC model can require user devices to meet specific requirements, such as being up-to-date with a current operating system.

Commonly used for SDNs

73
Q

Internet Security Association and Key Management Protocol (ISAKMP)

A

an element of Internet Key Exchange (IKE), is used to organize and manage the encryption keys that have been generated and exchanged by OAKLEY and SKEME.
- A security association is the agreed-on method of authentication and encryption used by two entities (a bit like a digital keyring).
- ISAKMP's use of security associations is what enables IPsec to support multiple simultaneous VPNs from each host.

74
Q

Encapsulating Security Payload (ESP)

A

provides confidentiality and integrity of packet contents. ESP provides encryption and limited authentication, and prevents replay attacks.

75
Q

Secure Key Exchange Mechanism (SKEME)

A

an element of Internet Key Exchange (IKE), is a means of exchanging keys securely.

76
Q

Authentication Header (AH)

A

provides assurances of message integrity and nonrepudiation.

  • AH also provides authentication and access control, and prevents replay attacks.
77
Q

Jen is conducting a review of privileged account activity and does not have time to review 100% of accounts. What technique would be the best way to conduct this review?
A. Review the first 20% of accounts alphabetically
B. Review the 20% of accounts most recently used
C. Review a random sample of 20% of accounts
D. Review the 20% of accounts least recently used

A

C. Review a random sample of 20% of accounts

78
Q

Temporary internet files or the internet files cache is the temporary storage of files downloaded from internet sites that are being held by the client’s utility (typically a browser) for current and possibly future use. What type of attack is possible if an adversary is able to gain access to this cache? (Choose all that apply.)
A. Split-response attack
B. Cache poisoning
C. Identity theft
D. DOM XSS

A

A. Split-response attack
B. Cache poisoning
D. DOM XSS

79
Q

Split-response attacks

A

cause the client to download content and store it in the cache that was not an intended element of a requested web page. Once files have been poisoned in the cache, then even when a legitimate web document calls on a cached item, the malicious item will be activated.

80
Q

Radio Frequency Identification (RFID)

A

is effectively a field-powered proximity device.

  • RFID does not use a magnet, but an antenna to generate current from a magnetic field provided by an external source.
81
Q

Alan conducted a vulnerability scan of a system and discovered that it is susceptible to a SQL injection attack. Which one of the following ports would an attacker most likely use to carry out this attack?
A. 443
B. 565
C. 1433
D. 1521

A

A. 443

While SQL injection attacks do target databases, they do so by using web servers as intermediaries. Therefore, SQL injection attacks take place over web ports, such as 80 and 443, and not database ports, such as 1433 and 1521.

82
Q

OpenVAS

A

network vulnerability scanning tool that searches systems for known vulnerabilities while minimizing damage caused during the assessment.

83
Q

DevSecOps

A

DevSecOps approach integrates software development, cybersecurity, and operations into a single approach where the teams work closely together.

84
Q

Network Time Protocol (NTP)

A

may be used to synchronize the clocks of all devices in an organization with a centralized source, improving the ability to correlate log entries from different sources.

85
Q

Security governance

A

Type of security management that should include acquisitions, divestitures, and governance committees.

86
Q

IPsec

A

a security protocol that automatically performs reauthentication of the client system throughout the connected session in order to detect session hijacking.

87
Q

What evidence standard do most civil investigations follow?

A. Beyond a reasonable doubt
B. Beyond the shadow of a doubt
C. Preponderance of the evidence
D. Clear and convincing evidence

A

C. Preponderance of the evidence

88
Q

Primary purpose of information classification processes?

A

To identify security classifications for sensitive data and define the requirements to protect it.
- Information classification processes will typically include requirements to protect sensitive data at rest (in backups and stored on media), but not requirements for backing up and storing all data.

89
Q

A security auditor recently completed an account access review. Which of the following privileged accounts did they most likely include? (Choose two.)
A. User accounts
B. Root accounts
C. Service accounts
D. Guest accounts

A

B. Root accounts
C. Service accounts

  • Regular user accounts and guest accounts aren’t granted elevated privileges.
90
Q

cold site

A

is any facility that provides only the physical space for recovery operations while the organization using the space provides its own hardware and software systems.

  • backup facility is large enough to support current operational capacity and load but lacks the supportive infrastructure
91
Q

scoping process

A

removes controls from the list of controls in a suggested baseline.

92
Q

Primary benefit of job rotation and separation of duties policies

A

Preventing Fraud

93
Q

When you install a new wireless access point to extend your company’s network into a newly opened portion of the building, someone raises the concern of interference between the existing Wi-Fi network and the new extension. What media access technology is used by 802.11 networks to manage collisions?
A. Token passing
B. CSMA/CD
C. CSMA/CA
D. Polling

A

C. CSMA/CA

  • IEEE 802.11 wireless networks use Carrier-Sense Multiple Access with Collision Avoidance (CSMA/CA) to manage (technically avoid) collisions. Ethernet (IEEE 802.3) uses Carrier-Sense Multiple Access with Collision Detection (CSMA/CD). Token Ring networks used token passing. Polling is used by some mainframe systems.
94
Q

Which of the following algorithms/protocols provides inherent support for nonrepudiation?
A. HMAC
B. ECDSA
C. MD5
D. SHA-1

A

B. ECDSA

Elliptic Curve Digital Signature Algorithm (ECDSA) is the only one of the algorithms listed here that supports true digital signatures, providing integrity verification and nonrepudiation.

95
Q

Which one of the following disaster types is not usually covered by standard business insurance?
A. Earthquake
B. Flood
C. Fire
D. Theft

A

B. Flood

  • Most general business insurance and homeowner’s insurance policies do not provide any protection against the risk of flooding or flash floods. If floods pose a risk to your organization, you should consider purchasing supplemental flood insurance under FEMA’s National Flood Insurance Program.
96
Q

You’ve performed a standard quantitative risk analysis on a specific threat/vulnerability/risk relation. You select a possible countermeasure. When performing the calculations again, which of the following factors will change?

A

A countermeasure primarily affects the annualized rate of occurrence (ARO), because the countermeasure is designed to prevent (or mitigate or reduce) the occurrence of the risk, thus reducing its frequency per year.

97
Q

Familiarity (attacks)

A

Familiarity or liking as a social engineering principle attempts to exploit a person’s native trust in that which is familiar.

  • This could include claiming to know a coworker even when that person doesn’t exist.
98
Q

How many threads can run on a dual core processor?

A

2

99
Q

You need to run networking cables between two office buildings. Between the buildings are several electrical boxes that manage the primary power for the entire business park. Which of the following cable types is the worst option to use?
A. Wireless
B. UTP
C. STP
D. Fiber

A

B. UTP

  • UTP is the least resistant to EMI because it is unshielded. STP is a shielded form of twisted pair that resists EMI. Fiber is not affected by terrestrial EMI. Wireless is not a cable, but it could be affected by EMI if the interference occurred in the wireless transmission frequencies.
100
Q

Playbook vs Runbook

A

A playbook is a document or checklist that defines steps taken to validate an incident and steps taken in response to an incident. A runbook implements the checklists from a playbook.

101
Q

VLAN (virtual LAN)

A

is a hardware-imposed network segmentation created by switches that requires a routing function to support communication between different segments.

102
Q

John is configuring a router that will stand between the network 10.8.6.0/24 and the internet. He would like to configure egress filtering rules to minimize the potential of malicious hackers originating a DDoS attack from his network. What type of traffic should be filtered out to help achieve this goal?
A. Inbound traffic with a source private IP address
B. Outbound traffic with a destination private IP address
C. Inbound traffic with a source address in the range 10.8.6.0/24
D. Outbound traffic with a source address outside the range 10.8.6.0/24

A

D. Outbound traffic with a source address outside the range 10.8.6.0/24

Although it is true that John would probably want to filter out all of these types of traffic for various reasons, he would be specifically interested in filtering out outbound traffic with an address not belonging to his network (10.8.6.0/24) to achieve his stated goal of stopping malicious hackers originating a DDoS attack from his network. The other options are all forms of false addressing or spoofing filtering, but they don’t address the issue in this scenario.

103
Q

SOC 3 audit engagements

A

SOC 3 engagements assess the organization’s controls that affect the security and privacy of information stored in a system. The results of a SOC 3 audit are intended for public disclosure.

104
Q

What type of attack can be used against cryptographic algorithms that do not incorporate temporal protections?
A. Chosen plaintext attack
B. Meet-in-the-middle attack
C. Man-in-the-middle attack
D. Replay attack

A

D. Replay attack

In a replay attack, the malicious individual intercepts an encrypted message between two parties (often a request for authentication) and then later replays the captured message to open a new session. Challenge-response protocols and the use of ephemeral session keys also provide protection against replay attacks.

105
Q

Mutual authentication

A

ensures that a server provides authentication before the client provides authentication.
- This prevents employees from revealing their credentials to rogue servers.

106
Q

A mission-critical server has experienced a compromise that caused it to go offline for seven hours. This nearly caused the organization to go out of business. After the attack, investigations revealed malicious code that would have corrupted the core database, but it was coded poorly and did not execute. This incident has caused the organization to rethink their security precautions against compromise, downtime, and disaster events. In order to prevent future downtime or at least reduce it significantly, which of the following technologies should be deployed? (Choose all that apply.)
A. FDE
B. RAID
C. UPS
D. Dual power supplies
E. Offsite backups of system images and snapshots
F. MFA
G. SIEM
H. Replication
I. Clustering

A

B. RAID
C. UPS
D. Dual power supplies
E. Offsite backups of system images and snapshots
H. Replication
I. Clustering

For this scenario, many different redundancy, resiliency, or uptime management options should be considered. This includes option B: Redundant array of inexpensive disks (RAID) to maintain data availability; option C: Uninterruptible power supply (UPS) to protect against power issues; option D: Dual power supplies to provide redundancy against power supply failures; option E: Offsite backups to provide a recovery path in the event of a major disaster; option H: Replication to ensure multiple similar servers are hosting cloned material so that no matter which server is accessed the most current version of data is available; and option I: Clustering, which is used to operate numerous servers as a collective to support a single or primary resource and provide high availability. The following options are incorrect for this scenario: option A: Full-disk encryption (FDE), though a good security practice, is not related to redundancy, resiliency, or uptime management; option F: Multifactor authentication (MFA), though a good security practice, is not related to redundancy, resiliency, or uptime management; and option G: Security information and event management (SIEM) is a centralized application to automate the monitoring of network systems, which is a good security practice but is not related to redundancy, resiliency, or uptime management.

107
Q

community cloud deployment model

A

Provides cloud-based assets to two or more organizations.

  • A cloud application has been deployed and shared among several organizations with similar concerns.
108
Q

Cryptographic Shredding

A

Used in the cloud

Involves destroying the encryption key used to encrypt data, making it permanently inaccessible.

  • Mainly affects symmetric algorithms, because losing the key means losing the data
109
Q

Which of these is LEAST computationally efficient but offers the highest level of security?
A. AES
B. RSA
C. ECC
D. Blowfish

A

B. RSA

Asymmetric algorithms are more computationally demanding. AES and Blowfish are symmetric.

ECC is asymmetric but uses a smaller key size.

110
Q

SOC 1 Reports

A

What it covers:
Internal controls for financial statements and reporting

Who needs one:
Orgs providing a service that can impact a client’s financial statements
Ex) Payroll providers, collections agencies

111
Q

SOC 2 Reports

A

What it covers:
Internal controls for security, confidentiality, processing integrity, privacy, and availability of customer data.

Who needs one:
Orgs that store, process, or transmit any kind of customer data
Ex) SaaS companies, Cloud storage services, data hosting service

112
Q

SOC 3 Reports

A

What it covers:
SOC 2 results but tailored for a public / general audience

Who needs one:
Orgs that require a SOC 2 who want to use compliance for marketing to the general public

113
Q

SOC Type I vs Type II reports

A

Type I: evaluate an organization’s controls at a single point in time.

Type II: examines how well those controls perform over a period of time (typically 3-12 months).

114
Q

CVSS v3 Base Score

A

Range from 0.0 to 10.0 with higher values indicating higher severity.

If a vulnerability is harder to exploit, its score is lower.

115
Q

How a digital signature works

A

A digital signature is basically the hash of a message encrypted with the sender’s private key.

  • Takes a message
  • Hashes the message, to produce a cryptographic hash
  • encrypts the hash with the sender’s private key
  • DS is sent along with plaintext message
  • When received, the receiver hashes the message
  • and then decrypts the DS with the sender’s public key
  • If the decrypted hash and the receiver’s hash match, you know that the sender is authentic AND the message did not change

Ensures:
- Nonrepudiation
- Integrity

116
Q

Primary goal of security governance framework

A

Aligning security with business objectives

  • takes priority over compliance with industry standards
117
Q

M of N Control

A

requires that a minimum number of agents (M) out of the total number of agents (N) work together to perform high-security tasks. M of N Control is an example of a split knowledge technique, but not all split knowledge techniques are used for key escrow.

118
Q

In addition to maintaining an updated system and controlling physical access, which of the following is the most effective countermeasure against PBX fraud and abuse?
A. Encrypting communications
B. Changing default passwords
C. Using transmission logs
D. Taping and archiving all conversations

A

B. Changing default passwords

Changing default passwords on PBX systems provides the most effective increase in security. PBX systems typically do not support encryption, although some VoIP PBX systems may support encryption in specific conditions. PBX transmission logs may provide a record of fraud and abuse, but they are not a preventive measure to stop it from happening. Taping and archiving all conversations is also a detective measure rather than a preventive one against fraud and abuse.

119
Q

Password Authentication Protocol (PAP)

A

is a standardized authentication protocol for PPP. PAP transmits usernames and passwords in the clear. It offers no form of encryption. It provides a means to transport the logon credentials from the client to the authentication server.

120
Q

Which of the following are valid incident management steps or phases as listed in the CISSP objectives? (Choose all that apply.)
A. Prevention
B. Detection
C. Reporting
D. Lessons learned
E. Backup

A

B. Detection
C. Reporting
D. Lessons learned

Detection, reporting, and lessons learned are valid incident management steps. Prevention is done before an incident. Creating backups can help recover systems, but it isn’t one of the incident management steps. The seven steps (in order) are detection, response, mitigation, reporting, recovery, remediation, and lessons learned.

121
Q

Algorithms valid under Digital Signature Standard

A

Digital Signature Algorithm, RSA, or the Elliptic Curve DSA in conjunction with the SHA-1 hashing function to produce secure digital signatures.

122
Q

3 Primary concerns of multilayer protocols

A
  1. They can conceal covert channels (and thus covert channels are allowed),
  2. filters can be bypassed by traffic concealed in layered protocols,
  3. and the logical boundaries put in place by network segments can be bypassed under some circumstances.

Benefits:
Multilayer protocols allow encryption at various layers and support a range of protocols at higher layers.

123
Q

Nonrepudiation

A

occurs when the recipient of a message is able to demonstrate to a third party that the message came from the purported sender.

124
Q

CPU Process States
Ready, Waiting, Running, Stopped

A
  • The Ready state is used when a process is prepared to execute but the CPU is not available.
  • The Running state is used when a process is executing on the CPU.
  • The Waiting state is used when a process is blocked waiting for an external event.
  • The Stopped state is used when a process terminates.
125
Q

Lucas runs the accounting systems for his company. The morning after a key employee was fired, systems began mysteriously losing information. Lucas suspects that the fired employee tampered with the systems prior to his departure. What type of attack should Lucas suspect?
A. Privilege escalation
B. SQL injection
C. Logic bomb
D. Remote code execution

A

C. Logic bomb

The key to this question is that Lucas suspects the tampering took place before the employee departed. This is the signature of a logic bomb: malicious code that lies dormant until certain conditions are met. The other attack types listed here: privilege escalation, SQL injection, and remote code execution would more likely take place in real time.

126
Q

The X.500 standards cover what type of important identity systems?
A. Kerberos
B. Provisioning services
C. Biometric authentication systems
D. Directory services

A

D. Directory services

The X.500 series of standards covers directory services. Kerberos is described in RFCs; biometric systems are covered by a variety of standards, including ISO standards; and provisioning standards include SCIM, SPML, and others.

127
Q

Two-Person Control

A

A process that requires two people to perform a sensitive action

128
Q

SPML

A

Service Provisioning Markup Language

is an XML-based language designed to allow platforms to generate and respond to provisioning requests.

129
Q

SOAP

A

Simple Object Access Protocol

a messaging protocol and could be used for any XML messaging but is not a markup language itself.

130
Q

Under the GDPR, which requirement for processing personal information states that individuals may request that their data no longer be disseminated or processed?

A

The right to be forgotten

also known as the right to erasure, guarantees the data subject the ability to have their information removed from processing or use. It may be tied to consent given for data processing; if a subject revokes consent for processing, the data controller may need to take additional steps, including erasure.

131
Q

FCoE

A

Fibre Channel over Ethernet allows Fibre Channel communications over Ethernet networks, allowing existing high-speed networks to be used to carry storage traffic. This avoids the cost of a custom cable plant for a Fibre Channel implementation.

132
Q

MPLS

A

Multiprotocol Label Switching is used for high-performance networking.

133
Q

What open protocol was designed to replace RADIUS—including support for additional commands and protocols, replacing UDP traffic with TCP, and providing for extensible commands—but does not preserve backward compatibility with RADIUS?

A

Diameter was designed to provide enhanced, modern features to replace RADIUS. Diameter provides better reliability and a broad range of improved functionality.

134
Q

Blue Screen of Death

A

The error message shown in the figure is the infamous “Blue Screen of Death” that occurs when a Windows system experiences a dangerous failure and enters a fail secure state. If the system had “failed open,” it would have continued operation. The error described is a memory fault that is likely recoverable by rebooting the system.

135
Q

Ben is an information security professional at an organization that is replacing its physical servers with virtual machines. As the organization builds its virtual environment, it is decreasing the number of physical servers it uses while purchasing more powerful servers to act as the virtualization platforms.

The VM administrators recommend enabling cut and paste between virtual machines. What security concern should Ben raise about this practice?

A

Cut and paste between virtual machines can bypass normal network-based data loss prevention tools and monitoring tools like an IDS or IPS. Thus, it can act as a covert channel, allowing the transport of data between security zones. So far, cut and paste has not been used as a method for malware spread in virtual environments and has not been associated with denial-of-service attacks. Cut and paste requires users to be logged in and does not bypass authentication requirements.

136
Q

What does nmap scan in default settings?

A

Nmap only scans 1000 TCP and UDP ports by default, including ports outside of the 0–1024 range of “well-known” ports. By using the defaults for nmap, Ben missed 64,535 ports.

137
Q

Lauren’s organization has deployed VoIP phones on the same switches that the desktop PCs are on. What security issue could this create, and what solution would help?
A. VLAN hopping; use physically separate switches.
B. VLAN hopping; use encryption.
C. Caller ID spoofing; MAC filtering.
D. Denial-of-service attacks; use a firewall between networks.

A

A. VLAN hopping; use physically separate switches.

VLAN hopping between the voice and computer VLANs can be accomplished when devices share the same switch infrastructure. Using physically separate switches can prevent this attack. Encryption won’t help with VLAN hopping because it relies on header data that the switch needs to read (and this is unencrypted), while Caller ID spoofing is an inherent problem with VoIP systems. A denial of service is always a possibility, but it isn’t specifically a VoIP issue and a firewall may not stop the problem if it’s on a port that must be allowed through.

138
Q

mean time to failure (MTTF)

A

provides the average amount of time before a device of that particular specification fails.

139
Q

What type of attack is the creation and exchange of state tokens intended to prevent?
A. XSS
B. CSRF
C. SQL injection
D. XACML

A

B. CSRF

The anti-forgery state token exchanged during OAuth sessions is intended to prevent cross-site request forgery. This makes sure that the unique session token with the authentication response from Google’s OAuth service is available to verify that the user, not an attacker, is making a request. XSS attacks focus on scripting and would have script tags involved, SQL injection would have SQL code included, and XACML is the eXtensible Access Control Markup Language, not a type of attack.

140
Q

Biometric Type 1 vs Type 2 Errors

A

Type 2 (False Acceptance) errors occur in biometric systems when an invalid subject is incorrectly authenticated as a valid user. In this case, nobody except the actual customer should be validated when fingerprints are scanned.

Type 1 (False Rejection) errors occur when a valid subject is not authenticated; if the existing customer was rejected, it would be a Type 1 error.

141
Q

Which of the following events would constitute a security incident?

1. An attempted network intrusion
2. A successful database intrusion
3. A malware infection
4. A violation of a confidentiality policy
5. An unsuccessful attempt to remove information from a secured area

A. 2, 3, and 4
B. 1, 2, and 3
C. 4 and 5
D. All of the above

A

D. All of the above

Any attempt to undermine the security of an organization or violation of a security policy is a security incident. Each of the events described meets this definition and should be treated as an incident.

142
Q

Chris needs to design a firewall architecture that can support a DMZ, a database, and a private internal network in a secure manner that separates each function. What type of design should he use, and how many firewalls does he need?
A. A four-tier firewall design with two firewalls
B. A two-tier firewall design with three firewalls
C. A three-tier firewall design with at least one firewall
D. A single-tier firewall design with three firewalls

A

C. A three-tier firewall design with at least one firewall

A three-tier design separates three distinct protected zones and can be accomplished with a single firewall that has multiple interfaces. Single- and two-tier designs don’t support the number of protected networks needed in this scenario, while a four-tier design would provide a tier that isn’t needed.

143
Q

Chris has recently been hired into a new organization. The organization that Chris belongs to uses the following classification process:

1. Criteria are set for classifying data.
2. Data owners are established for each type of data.
3. Data is classified.
4. Required controls are selected for each classification.
5. Baseline security standards are selected for the organization.
6. Controls are scoped and tailored.
7. Controls are applied and enforced.
8. Access is granted and managed.

Chris manages a team of system administrators. What data role are they fulfilling if they conduct steps 6, 7, and 8 of the classification process?

A

The system administrators are acting in the roles of data administrators who grant access and will also act as custodians who are tasked with the day-to-day application of security controls. They are not acting as data owners who own the data itself. Typically, system administrators are delegated authority by system owners, such as a department head, and of course they are tasked with providing access to users.

144
Q

Under the Common Criteria, what element describes the security requirements for a product?
A. TCSEC
B. ITSEC
C. PP
D. ST

A

C. PP

Protection Profiles (PPs) specify the security requirements and protections that must be in place for a product to be accepted under the Common Criteria.

145
Q

WPA2’s Counter Mode Cipher Block Chaining Message Authentication Mode Protocol (CCMP) is based on which common encryption scheme?
A. DES
B. 3DES
C. AES
D. TLS

A

C. AES

WPA2’s CCMP encryption scheme is based on AES. As of the writing of this book, there have not been any practical real-world attacks against WPA2. DES has been successfully broken, and neither 3DES nor TLS is used for WPA2.

146
Q

The Windows ipconfig command displays the following information:

BC-5F-F4-7B-4B-7D

What term describes this, and what information can usually be gathered from it?
A. The IP address, the network location of the system
B. The MAC address, the network interface card’s manufacturer
C. The MAC address, the media type in use
D. The IPv6 client ID, the network interface card’s manufacturer

A

B. The MAC address, the network interface card’s manufacturer

Machine Access Control (MAC) addresses are the hardware address the machine uses for layer 2 communications. The MAC addresses include an organizationally unique identifier (OUI), which identifies the manufacturer. MAC addresses can be changed, so this is not a guarantee of accuracy, but under normal circumstances you can tell what manufacturer made the device by using the MAC address.

147
Q

Susan’s organization performs a zero fill on hard drives before they are sent to a third-party organization to be shredded. What issue is her organization attempting to avoid?
A. Data remanence while at the third-party site
B. Mishandling of drives by the third party
C. Classification mistakes
D. Data permanence

A

B. Mishandling of drives by the third party

Susan’s organization is limiting its risk by sending drives that have been sanitized before they are destroyed. This limits the possibility of a data breach if drives are mishandled by the third party, allowing them to be stolen, resold, or simply copied. The destruction of the drives will handle any issues with data remanence, while classification mistakes are not important if the drives have been destroyed. Data permanence and the life span of the data are not important on a destroyed drive.

148
Q

During a third-party vulnerability scan and security test, Danielle’s employer recently discovered that the embedded systems that were installed to manage her company’s new buildings have a severe remote access vulnerability. The manufacturer has gone out of business, and there is no patch or update for the devices. What should Danielle recommend that her employer do about the hundreds of devices that are vulnerable?
A. Identify a replacement device model and replace every device
B. Turn off all of the devices
C. Move the devices to a secured network segment
D. Reverse engineer the devices and build an in-house patch

A

C. Move the devices to a secured network segment

The most reasonable choice presented is to move the devices to a secure and isolated network segment. This will allow the devices to continue to serve their intended function while preventing them from being compromised. All of the other scenarios either create major new costs or deprive her organization of the functionality that the devices were purchased to provide.

149
Q

Which one of the following systems assurance processes provides an independent third-party evaluation of a system’s controls that may be trusted by many different organizations?
A. Certification
B. Definition
C. Verification
D. Accreditation

A

C. Verification

The verification process is similar to the certification process in that it validates security controls. Verification may go a step further by involving a third-party testing service and compiling results that may be trusted by many different organizations. Accreditation is the act of management formally accepting an evaluated system, not evaluating the system itself.

150
Q

Jake’s company keeps their certificate signing server disconnected from the network to prevent it from being compromised by network attacks. What is this type of solution called?
A. Store-and-forward
B. Out-of-band
C. In-band
D. Air-gapping

A

D. Air-gapping

Air-gaps are physical separations between systems or devices that prevent communications or connections between them. This prevents network-based attacks and limits the ways that attackers could access the devices.

Store-and-forward stores communications and sends them after checking for errors.

In-band administration occurs over existing interfaces or connections; out-of-band administration uses a separate network or management interface.

151
Q

Beth is creating a new cybersecurity incident response team (CSIRT) and would like to determine the appropriate team membership. Which of the following groups would she normally include? (Select all that apply.)
A. Information security
B. Law enforcement
C. Senior management
D. Public affairs

A

A. Information security
C. Senior management
D. Public affairs

CSIRT representation normally includes at least representatives of senior management, information security professionals, legal representatives, public relations staff, human resources, and engineering/technical staff. Law enforcement personnel would not be included on such a team and would only be consulted as necessary.

152
Q

Darcy’s organization is deploying serverless computing technology to better meet the needs of developers and users. In a serverless model, who is normally responsible for configuring operating system security controls?
A. Software developer
B. Cybersecurity professional
C. Cloud architect
D. Vendor

A

D. Vendor

In a serverless computing model, the vendor does not expose details of the operating system to its customers. Therefore, the vendor retains full responsibility for configuring it securely under the shared responsibility model of cloud computing.

153
Q

Service pack

A

Service packs are collections of many different updates that serve as a major update to an operating system or application.

Hotfixes, updates, and security fixes are all synonyms for single patches designed to correct a single problem.

154
Q

Warren is designing a physical intrusion detection system for use in a sensitive media storage facility and wants to include technology that issues an alert if the communications lines for the alarm system are unexpectedly cut. What technology would meet this requirement?
A. Heartbeat sensor
B. Emanation security
C. Motion detector
D. Faraday cage

A

A. Heartbeat sensor

Heartbeat sensors send periodic status messages from the alarm system to the monitoring center. The monitoring center triggers an alarm if it does not receive a status message for a prolonged period of time, indicating that communications were disrupted.

155
Q

What type of tool is most frequently used to match assets to users and owners in enterprises?
A. An enterprise content management tool
B. Barcoded property tags
C. RFID-based property tags
D. A system inventory

A

D. A system inventory

A system inventory is most frequently used to associate individuals with systems or devices. This can help when tracking their support history and aids in provisioning the proper tools, permissions, and data to a system. Both barcode and RFID property tags are used to identify systems, which can then be checked against a system inventory. Finally, enterprise content management tools are used to manage files and data as part of workflows and other business processes.

156
Q

Susan wants to ensure that the audit report that her organization requested includes input from an external auditor and information about control implementation over a period of time. What type of report should she request?
A. SOC 2, Type 1
B. SOC 3, Type 1
C. SOC 2, Type 2
D. SOC 3, Type 2

A

C. SOC 2, Type 2

An SOC 2, Type 2 report includes information about a data center’s security, availability, processing integrity, confidentiality, and privacy, and includes an auditor’s opinion on the operational effectiveness of the controls. SOC 3 does not have types, and a SOC 2 Type 1 is only conducted at a point in time.

157
Q

Sharif’s U.S.-based company wants to build a data center with AI-focused GPU-based computation nodes in China. What concern about regulations should Sharif express about the hardware needed?
A. AI hardware may not be legal in China.
B. The total dollar value of the hardware may exceed what can be shipped to China.
C. Export controls may limit what hardware can be imported to China.
D. There may be ethical issues with the use of AI hardware across international borders.

A

C. Export controls may limit what hardware can be imported to China.

Hardware and software can be subject to import and export controls. In the case of AI computation hardware, there are specific limits on what can be exported to China, including limits on performance. Sharif needs to engage the appropriate experts to determine what can and cannot be exported. AI hardware is legal in China, dollar values are not typically the limiting factor for hardware import/export restrictions, and ethics are not a regulatory issue.

158
Q

What RAID level is commonly used for distributed parity, allowing for resilience while being space efficient?
A. RAID 0
B. RAID 1
C. RAID 3
D. RAID 5

A

D. RAID 5

RAID 5 is commonly used because it balances resilience and efficiency of storage space used by relying on distributed parity.

RAID 0 uses two disks as a single volume, allowing for an increase in speed but a decrease in reliability.

In RAID 1, also known as disk mirroring, systems contain two physical disks. Each disk contains copies of the same data, and either one may be used in the event the other disk fails.

RAID 3 is rarely used and uses byte-level striping and a dedicated parity disk.

159
Q

What is the minimum interval at which an organization should conduct business continuity plan refresher training for those with specific business continuity roles?
A. Weekly
B. Monthly
C. Semiannually
D. Annually

A

D. Annually

160
Q

The large business that Jack works for has been using noncentralized logging for years. They have recently started to implement centralized logging, however, and as they reviewed logs, they discovered a breach that appeared to have involved a malicious insider.

How can Jack detect issues such as this using his organization’s new centralized logging?
A. Deploy and use an IDS.
B. Send logs to a central logging server.
C. Deploy and use a SIEM tool.
D. Use syslog.

A

C. Deploy and use a SIEM tool.

A security information and event management (SIEM) tool is designed to provide automated analysis and monitoring of logs and security events. A SIEM tool that receives access to logs can help detect and alert on events such as logs being purged or other breach indicators. An IDS can help detect intrusions, but IDSs are not typically designed to handle central logs. A central logging server can receive and store logs but won’t help with analysis without taking additional actions. Syslog is simply a log format.

161
Q

Which one of the following intellectual property protection mechanisms has the shortest duration in the United States?
A. Copyright
B. Patent
C. Trademark
D. Trade secret

A

B. Patent

Patents have the shortest duration of the techniques listed: at most, 20 years. Copyrights last for 70 years beyond the death of the author if owned by an individual, or 95 years from publication or 120 years from creation if owned by a corporation. Trademarks are renewable indefinitely, and trade secrets are protected as long as they remain secret.

162
Q

Gordon is working on a business continuity plan for a manufacturing company’s IT operations, which is located in North Dakota. The company is currently assessing the risk of an earthquake and has decided to adopt a risk acceptance strategy. Which of the following actions is in line with this strategy?
A. Purchasing earthquake insurance
B. Relocating the data center to a safer area
C. Documenting the decision-making process
D. Reengineering the facility to withstand the shock of an earthquake

A

C. Documenting the decision-making process

In a risk acceptance strategy, the organization chooses to take no action other than documenting the risk. Purchasing insurance would be an example of risk transference. Relocating the data center would be risk avoidance. Reengineering the facility is an example of a risk mitigation strategy.

163
Q

Elle’s organization has had to shift to remote work. Each staff member needs access to specific applications, and due to the quick shift, staff members are working from systems that may be home systems or borrowed laptops. What is the best option for remote access in a situation like the one that Elle is facing?
A. An IPsec VPN
B. A dedicated fiber connection to each remote work location
C. An HTML5-based VPN
D. Use of remote desktop to connect to an existing workstation at the company’s office building

A

C. An HTML5-based VPN

An HTML5-based VPN will provide Elle’s staff with access to the applications they need without requiring the installation of a client that might be challenging or impossible without managed machines.

A client-based IPsec VPN provides additional opportunities for control that broadly deployed RDP access to individual office machines does not, making it the second-best choice here. Deploying fiber for direct connections for end users is not viable for most organizations based on cost and complexity.

164
Q

What type of authenticator generates dynamic passwords using time- or algorithm-based methods?
A. A biometric scanner
B. A smart card
C. A token
D. A CAC

A

C. A token

Tokens are hardware devices (something you have) that generate a one-time password (OTP) based on time or an algorithm. They are typically combined with another factor like a password to authenticate users. CAC and PIV cards are U.S. government–issued smartcards.

165
Q

What three types of interfaces are typically tested during software testing?
A. Network, physical, and application interfaces
B. APIs, UIs, and physical interfaces
C. Network interfaces, APIs, and UIs
D. Application, programmatic, and user interfaces

A

B. APIs, UIs, and physical interfaces

Application programming interfaces (APIs), user interfaces (UIs), and physical interfaces are all tested during the software testing process. Network interfaces are not typically tested, and programmatic interfaces are another term for APIs.

166
Q

Which one of the following activities transforms a zero-day vulnerability into a less dangerous attack vector?
A. Discovery of the vulnerability
B. Implementation of transport-layer encryption
C. Reconfiguration of a firewall
D. Release of a security patch

A

D. Release of a security patch

Zero-day vulnerabilities remain in the dangerous zero-day category until the release of a patch that corrects the vulnerability. At that time, it becomes the responsibility of IT professionals to protect their systems by applying the patch. Implementation of other security controls, such as encryption or firewalls, does not change the nature of the zero-day vulnerability.

167
Q

Alaina wants to use a broadly adopted threat modeling framework for her organization’s threat intelligence efforts. Which of the following would you advise her to adopt if she wants to use pre-existing tools to help her threat modeling team integrate both internally created intelligence and external threat feed data?
A. The Diamond Model of Intrusion Analysis
B. ATT&CK
C. Microsoft’s Threat-JUMP modeling system
D. Threat-EN

A

B. ATT&CK

MITRE’s ATT&CK framework is broadly adopted by threat modeling and threat intelligence organizations and is used as a default model in many software packages and tools. The Diamond Model specifically addresses how to think about intrusions but does not address broader threats, and the other answers were made up for this question.

168
Q

What two important factors does accountability for access control rely on?
A. Identification and authorization
B. Authentication and authorization
C. Identification and authentication
D. Accountability and authentication

A

C. Identification and authentication

Access control systems rely on identification and authentication to provide accountability. Effective authorization systems are desirable, but not required, since logs can provide information about who accessed what resources, even if access to those resources is not managed well. Of course, poor authorization management can create many other problems.

169
Q

Theresa is implementing a new access control system and wants to ensure that developers do not have the ability to move code from development systems into the production environment. She wants to ensure that a developer who checks in code cannot then approve their own code as part of the process. What information security principle is she most directly enforcing?
A. Separation of duties
B. Two-person control
C. Least privilege
D. Job rotation

A

A. Separation of duties

While developers may feel like they have a business need to be able to move code into production, the principle of separation of duties dictates that they should not have the ability to both write code and place it on a production server. The deployment of code is often performed by change management staff.

Two-person control requires two individuals to perform an action to ensure appropriate oversight. Least privilege is the concept of only providing privileges required to perform a role, and job rotation moves individuals through job roles to ensure that different people perform tasks, preventing an individual from exploiting their job function over time.

170
Q

Which ITU-T standard should Alex expect to see in use when he uses his smartcard to provide a certificate to an upstream authentication service?
A. X.500
B. SPML
C. X.509
D. SAML

A

C. X.509

X.509 defines standards for public key certificates like those used with many smartcards. X.500 is a series of standards defining directory services. The Service Provisioning Markup Language (SPML) and the Security Assertion Markup Language (SAML) aren’t standards that Alex should expect to see when using a smartcard to authenticate.

171
Q

James is building a disaster recovery plan for his organization and would like to determine the amount of acceptable data loss after an outage. What variable is James determining?
A. SLA
B. RTO
C. MTD
D. RPO

A

D. RPO

The recovery point objective (RPO) identifies the maximum amount of data, measured in time, that may be lost during a recovery effort.

The recovery time objective (RTO) is the amount of time expected to return an IT service or component to operation after a failure.

The maximum tolerable downtime (MTD) is the longest amount of time that an IT service or component may be unavailable without causing serious damage to the organization.

Service-level agreements (SLAs) are written contracts that document service expectations.

172
Q

Which of the following concerns should not be on Amanda’s list of potential issues when penetration testers suggest using Metasploit during their testing?
A. Metasploit can only test vulnerabilities it has plug-ins for.
B. Penetration testing only covers a point-in-time view of the organization’s security.
C. Tools like Metasploit can cause denial-of-service issues.
D. Penetration testing cannot test process and policy.

A

A. Metasploit can only test vulnerabilities it has plug-ins for.

Metasploit provides an extensible framework, allowing penetration testers to create their own exploits in addition to those that are built into the tool. Unfortunately, penetration testing can only cover the point in time when it is conducted. When conducting a penetration test, the potential to cause a denial of service due to a fragile service always exists, but penetration testing can test processes and policies through social engineering and operational testing that validates how those processes and policies work.

173
Q

Which accounts are typically assessed during an account management assessment?
A. A random sample
B. Highly privileged accounts
C. Recently generated accounts
D. Accounts that have existed for long periods of time

A

B. Highly privileged accounts

The most frequent target of account management reviews is highly privileged accounts, as they create the greatest risk. Random samples are the second most likely choice. Accounts that have existed for a longer period of time are more likely to have a problem due to privilege creep than recently created accounts, but neither of these choices is likely unless there is a specific organizational reason to choose them.

174
Q

Alice would like to add another object to a security model and grant herself rights to that object. Which one of the rules in the Take-Grant protection model would allow her to complete this operation?
A. Take rule
B. Grant rule
C. Create rule
D. Remove rule

A

C. Create rule

The create rule allows a subject to create new objects and also creates an edge from the subject to that object, granting rights to the new object.

175
Q

CAPEC, STIX, and TAXII are all used for what purpose?
A. Federated authentication
B. Vulnerability scanning
C. Threat intelligence feeds
D. Risk assessment and relative ranking

A

C. Threat intelligence feeds

CAPEC, or Common Attack Pattern Enumeration and Classification, is a dictionary of known attack patterns.

STIX is the Structured Threat Information eXpression language used to describe threats in a standardized way.

TAXII, the Trusted Automated eXchange of Indicator Information, defines how threat information can be shared and exchanged. All of these are examples of threat intelligence feed standards.

176
Q

Dawson is preparing to hire a new staff member for a role that requires very high levels of integrity and trust. Which of the following is most commonly used as part of the hiring process to determine if an employee is likely to be trustworthy?
A. Signing an NDA
B. A background check
C. Signing a noncompete
D. A COA

A

B. A background check

Background checks are frequently performed to identify potential issues before hiring a new employee. They can identify a variety of concerns and are commonly used across many industries.

Nondisclosure agreements (NDAs) are used during and after employment to protect confidential information.

Noncompetes are used to prevent employees from working in a similar industry for a given period of time after departure.

COA, or certificate of authenticity, is not used in employment situations.

177
Q

Jill wants to use a breach attack system to test her organization’s security. Which of the following is not typically part of a BAS solution’s portfolio of testing platforms?
A. User-owned mobile devices
B. Software agents
C. Software-as-a-service platforms
D. Virtual machines

A

A. User-owned mobile devices

Breach-and-attack simulation (BAS) tools typically leverage SaaS platforms as well as software agents and virtual machines to perform simulated attacks, which they leverage to provide detailed reports about security issues and their relative risk levels.

178
Q

Ed’s organization has 5 IP addresses allocated to them by their ISP but needs to connect more than 100 computers and network devices to the Internet. What technology can he use to connect his entire network via the limited set of IP addresses he can use?
A. IPsec
B. PAT
C. SDN
D. IPX

A

B. PAT

Port address translation (PAT) is used to allow a network to use any IP address set inside without causing a conflict with the public Internet.

PAT is often confused with network address translation (NAT), which maps one internal address to one external address.

IPsec is a security protocol suite, software-defined networking (SDN) is a method of defining networks programmatically, and IPX is a non-IP network protocol.

179
Q

Which of the following statements is the least important to include in his report?
A. The missing X-Frame-Options clickjacking protection could be used to redirect input to a malicious site or frame.
B. Cross-site scripting protections should be enabled, but aren’t.
C. Inode information leakage from a Linux system is a critical vulnerability allowing direct access to the filesystem using node references.
D. The server is a Linux server.

A

C. Inode information leakage from a Linux system is a critical vulnerability allowing direct access to the filesystem using node references.

While inode information leakage could represent a security concern, it does not pose the same immediate and direct risk as clickjacking, XSS vulnerabilities, or even the contextual importance of knowing the server’s operating system. Clickjacking and cross-site scripting are both important issues, and knowing that the server is a Linux server is also important.

180
Q

In the OSI model, when a packet changes from a data stream to a segment or a datagram, what layer has it traversed?
A. The Transport layer
B. The Application layer
C. The Data Link layer
D. The Physical layer

A

A. The Transport layer

When a data stream is converted into a segment (TCP) or a datagram (UDP), it transitions from the Session layer to the Transport layer. This change from a message sent to an encoded segment allows it to then traverse the Network layer.

181
Q

Olivia is conducting a risk analysis of a web application that her organization obtained from a third party and is concerned that it might contain vulnerabilities. Which one of the following activities might she take to best mitigate the risk?
A. Deploy a WAF.
B. Implement strong encryption.
C. Purchase an insurance policy.
D. Discontinue use of the software.

A

A. Deploy a WAF.

Deploying a web application firewall (WAF) may reduce the likelihood or impact of a web application vulnerability and is, therefore, a good example of risk mitigation. Encryption is also a risk mitigation control, but it is less likely to be effective against a web application security flaw. Purchasing an insurance policy is an example of risk transference, not risk mitigation. Discontinuing use of the software is an example of risk avoidance, not risk mitigation.

182
Q

Susan would like to configure IPsec in a manner that provides confidentiality for the content of packets. What component of IPsec provides this capability?
A. AH
B. ESP
C. IKE
D. ISAKMP

A

B. ESP

The Encapsulating Security Payload (ESP) protocol provides confidentiality and integrity for packet contents. It encrypts packet payloads and provides limited authentication and protection against replay attacks.

183
Q

Data stored in RAM is best characterized as what type of data?
A. Data at rest
B. Data in use
C. Data in transit
D. Data at large

A

B. Data in use

Data in use is data that is in a temporary storage location while an application or process is using it. Thus, data in memory is best described as data in use or ephemeral data.

Data at rest is in storage, while data in transit is traveling over a network or other channel.

Data at large is a made-up term.

184
Q

Which of the following is a common account setting for a service account?
A. Disable password expiration.
B. Set maximum password age to 90 days.
C. Set minimum password age to 1 day.
D. Disable complexity requirements.

A

A. Disable password expiration.

Service accounts are commonly set to not have expiring passwords to prevent service outages. Organizations may choose to rotate passwords on a regular basis using automation tools as part of their password management strategy to help avoid issues with exposed or compromised service passwords. Disabling complexity requirements and setting a minimum password age are not commonly done for service accounts.

185
Q

Samantha wants to log all sudo activity under individual user accounts. What first step should she take to ensure that she captures privileged use like this?
A. Prevent the use of sudo su -.
B. Add all users to the sudoers file.
C. Remove all users from the sudoers.
D. Disable sudo.

A

A. Prevent the use of sudo su -.

Ensure that users cannot bypass logging by switching to the root user using sudo su -. Instead, users who need the ability to perform privileged actions should be added to the sudoers list and then logged as themselves performing the actions. Adding all users is likely an overly broad action, whereas removing all users would not allow individual logging under their accounts, nor would they have rights to take administrative actions. Disabling sudo doesn’t allow administrative tasks except as root, which defeats this requirement as well.

186
Q

TCP/IP Stack

A
  1. Application Layer
  2. Transport Layer
  3. Internet Layer
  4. Network Access Layer

187
Q

Susan wants to manage her data’s life cycle based on retention rules. What technique can she use to ensure that data that has reached the end of its life cycle can be identified and disposed of based on her organization’s disposal processes?
A. Rotation
B. DRM
C. DLP
D. Tagging

A

D. Tagging

Tags that include information about the life span of the data and when it has expired can help with life-cycle management processes, part of data maintenance for organizations. Tags can be as simple as timestamps, or they can include additional metadata like the data type, creator, or purpose that can help inform the retention and disposal process. Rotation of files like logs is commonly done to limit how much space they take up, but rotation itself does not address disposal requirements and information that would guide the disposal process. DRM, or digital rights management, and DLP, or data loss prevention, both address data security and use but not disposal.

188
Q

Which of the following is a converged protocol that allows storage mounts over TCP, and which is frequently used as a lower-cost alternative to Fibre Channel?
A. MPLS
B. SDN
C. VoIP
D. iSCSI

A

D. iSCSI

Internet Small Computer Systems Interface (iSCSI) is a converged protocol that allows location-independent file services over traditional network technologies. It costs less than traditional Fibre Channel. VoIP is Voice over IP, SDN is software-defined networking, and MPLS is Multiprotocol Label Switching, a technology that uses path labels instead of network addresses.

189
Q

Kathleen is reviewing the Ruby code shown here. What security technique is this code using?

A. Parameterization
B. Typecasting
C. Gem cutting
D. Stored procedures

A

A. Parameterization

This code is an example of parameterization, which can help avoid SQL injection. Note that each parameter has a placeholder, which is then passed to the query.

190
Q

A new law is passed that would result in significant financial harm to your company if the data that it covers was stolen or inadvertently released. What should your organization do about this?
A. Select a new security baseline.
B. Relabel the data.
C. Encrypt all of the data at rest and in transit.
D. Review its data classifications and classify the data appropriately

A

D. Review its data classifications and classify the data appropriately

When the value of data changes due to legal, compliance, or business reasons, reviewing classifications and reclassifying the data is an appropriate response. Once the review is complete, data can be reclassified and handled according to its classification level. Simply relabeling the data avoids the classification process and may not result in the data being handled appropriately. Similarly, selecting a new baseline or simply encrypting the data may not handle all of the needs that the changes affecting the data create.

191
Q

Isaac wants to ensure that his VoIP session initialization is secure. What protocol should he ensure is enabled and required?
A. SVOIP
B. PBSX
C. SIPS
D. SRTP

A

C. SIPS

SIPS, the secure version of the Session Initiation Protocol for VoIP, adds TLS encryption to keep the session initiation process secure. SVOIP and PBSX are not real protocols, but SRTP is the secure version of RTP, the Real-time Transport Protocol.

192
Q

Data streams occur at what three layers of the OSI model?
A. Application, Presentation, and Session
B. Presentation, Session, and Transport
C. Physical, Data Link, and Network
D. Data Link, Network, and Transport

A

A. Application, Presentation, and Session

Data streams are associated with the Application, Presentation, and Session layers. Once they reach the Transport layer, they become segments (TCP) or datagrams (UDP). From there, they are converted to packets at the Network layer, frames at the Data Link layer, and bits at the Physical layer.

193
Q

What term is used to describe the level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during its life cycle, and that the software functions in the intended manner?
A. Validation
B. Accreditation
C. Confidence interval
D. Assurance

A

D. Assurance

Assurance, when it comes to software, is the level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during its life cycle, and that the software functions in the intended manner. It is a term typically used in military and defense environments.

194
Q

Donna is a security administrator for a healthcare provider located in the United States and is reviewing their payment processing system. It contains data relating to the past, present, or future payment for the provision of healthcare to an individual. How would this information be classified under HIPAA?
A. PCI
B. Personal billing data
C. PHI
D. PII

A

C. PHI

Protected health information (PHI) is specifically defined by HIPAA to include information about an individual’s medical bills. PCI could refer to the payment card industry’s security standard but would apply only in relation to payment cards. PII is a broadly defined term for personally identifiable information, and personal billing data isn’t a broadly used industry term.

195
Q

Megan needs to create a forensic copy of a hard drive that will be used in an investigation. Which of the following tools is best suited to her work?
A. xcopy
B. dd
C. DBAN
D. ImageMagick

A

B. dd

The Linux tool dd creates a bit-by-bit copy of the target drive that is well suited to forensic use, and special forensic versions of dd exist that can provide even more forensic features. Simply copying files using a tool like xcopy does not create a forensically sound copy. DBAN is a drive wiping tool and would cause Megan to lose the data she is seeking to copy. ImageMagick is a graphics manipulation and editing program.

196
Q

SCP

A

Secure Copy Protocol (SCP), a secure file transfer protocol.

197
Q

Bethany received an email from one of her colleagues with an unusual attachment named smime.p7s. She does not recognize the attachment and is unsure what to do. What is the most likely scenario?
A. This is an encrypted email message.
B. This is a phishing attack.
C. This is embedded malware.
D. This is a spoofing attack.

A

A. This is an encrypted email message.

The S/MIME secure email format uses the P7S format for encrypted email messages. If the recipient does not have a mail reader that supports S/MIME, the message will appear with an attachment named smime.p7s.

198
Q

What happens when a Windows system has failed to get a DHCP address?

A

Windows systems will assign themselves an APIPA address between 169.254.0.1 and 169.254.255.254 if they cannot contact a DHCP server.

199
Q

Incident Response Steps

A
  1. Detection
  2. Response
  3. Mitigation
  4. Reporting
  5. Recovery
  6. Remediation
  7. Lessons learned

200
Q

Please refer to the following scenario:

Kim is the database security administrator for Aircraft Systems, Inc. (ASI). ASI is a military contractor engaged in the design and analysis of aircraft avionics systems and regularly handles classified information on behalf of the government and other government contractors. Kim is concerned about ensuring the security of information stored in ASI databases.
Kim’s database is a multilevel security database, and different ASI employees have different security clearances. The database contains information on the location of military aircraft containing ASI systems to allow ASI staff to monitor those systems.

Kim’s database uniquely identifies aircraft by using their tail number. Which one of the following terms would not necessarily accurately describe the tail number?
A. Database field
B. Foreign key
C. Primary key
D. Candidate key

A

B. Foreign key

The tail number is a database field because it is stored in the database. It is also a primary key because the question states that the database uniquely identifies aircraft using this field. Any primary key is, by definition, also a candidate key. There is no information provided that the tail number is a foreign key used to reference a different database table.

201
Q

Which individual bears the ultimate responsibility for data protection tasks?
A. Data owner
B. Data custodian
C. User
D. Auditor

A

A. Data owner

The data owner is a senior manager who bears ultimate responsibility for data protection tasks. The data owner typically delegates this responsibility to one or more data custodians.

202
Q

Please refer to the following scenario:

Alejandro is an incident response analyst for a large corporation. He is on the midnight shift when an intrusion detection system alerts him to a potential brute-force password attack against one of the company’s critical information systems. He performs an initial triage of the event before taking any additional action.

What stage of the incident response process is Alejandro currently conducting?
A. Detection
B. Response
C. Recovery
D. Mitigation

A

A. Detection

Alejandro is in the first stage of the incident response process, detection. During this stage, the intrusion detection system provides the initial alert, and Alejandro performs preliminary triaging to determine if an intrusion is actually taking place and whether the scenario fits the criteria for activating further steps of the incident response process (which include response, mitigation, reporting, recovery, remediation, and lessons learned).

203
Q

Gina is performing the initial creation of user accounts for a batch of new employees. What phase of the provisioning process is she conducting?
A. Enrollment
B. Clearance verification
C. Background checks
D. Initialization

A

A. Enrollment

Enrollment, or registration, is the initial creation of a user account in the provisioning process. Clearance verification and background checks are sometimes part of the process that ensures that the identity of the person being enrolled matches who they claim to be. Initialization is not used to describe the provisioning process.

204
Q

Doug is choosing a software development life-cycle model for use in a project he is leading to develop a new business application. He has clearly defined requirements and would like to choose an approach that places an early emphasis on developing comprehensive documentation. He does not have a need for the production of rapid prototypes or iterative improvement. Which model is most appropriate for this scenario?
A. Agile
B. Waterfall
C. Spiral
D. DevOps

A

B. Waterfall

The waterfall model uses an approach that develops software sequentially, spending quite a bit of time up front on the development and documentation of requirements and design. The spiral and Agile models focus on iterative development and are appropriate when requirements are not well understood or iterative development is preferred. DevOps is an approach to integrating development and operations activities and is not an SDLC model.

205
Q

Warren’s organization recently completed a massive phishing awareness campaign, and he would like to measure its effectiveness. Which of the following tools would best provide this measurement?
A. Survey
B. Simulation
C. Code review
D. Third-party assessment

A

B. Simulation

Warren could use a survey or third-party assessment to evaluate the effectiveness of the campaign, but the best evidence would be provided by a phishing simulation where the organization measures user responses to simulated phishing attacks. Code reviews would not be useful in evaluating the effectiveness of antiphishing campaigns.

206
Q

Which one of the following is not an essential process area for the Repeatable phase of the Software Capability Maturity Model (SW-CMM)?
A. Software Project Planning
B. Software Quality Management
C. Software Project Tracking
D. Software Subcontract Management

A

B. Software Quality Management

In level 2, the Repeatable level of the SW-CMM, the organization introduces basic life-cycle management processes. Reuse of code in an organized fashion begins, and repeatable results are expected from similar projects. The crucial process areas for this level include Requirements Management, Software Project Planning, Software Project Tracking and Oversight, Software Subcontract Management, Software Quality Assurance, and Software Configuration Management. Software Quality Management is a process that occurs during level 4, the Managed stage of the SW-CMM.

207
Q

Olivia is selecting a new biometric authentication technology and is considering purchasing iris scanners. What advantage do iris scans have over most other types of biometric factors?
A. Iris scanners are harder to deceive.
B. Irises don’t change as much as other factors.
C. Iris scanners are cheaper than other factors.
D. Iris scans cannot be easily replicated.

A

B. Irises don’t change as much as other factors.

Iris scans have a longer useful life than many other types of biometric factors because they don’t change throughout a person’s life span (unless the eye itself is damaged). Iris scanners can be fooled in some cases by high-resolution images of an eye, and iris scanners are not significantly cheaper than other scanners.

208
Q

Hadley is reviewing network traffic logs and is searching for syslog activity on his network. When he creates a filter to look for this traffic, which UDP port should he include?
A. 443
B. 514
C. 515
D. 445

A

B. 514

Syslog uses UDP port 514. TCP-based implementations of syslog use TCP port 601 when unencrypted and use TCP port 6514 when encrypted with TLS. The other ports may look familiar because they are commonly used TCP ports: 443 is HTTPS, 515 is the LPD print service, and 445 is used for Windows SMB.

209
Q

Fred’s data role requires him to maintain system security plans and to ensure that system users and support staff get the training they need about security practices and acceptable use. What is the role that Fred is most likely to hold in the organization?
A. Data owner
B. System owner
C. User
D. Custodian

A

B. System owner

NIST SP 800-18 describes system owner responsibilities that include helping to develop system security plans, maintaining the plan, ensuring training, and identifying, implementing, and assessing security controls. A data owner is more likely to delegate these tasks to the system owner. Custodians may be asked to enforce those controls, whereas a user will be directly affected by them.

210
Q

Grayson is reviewing his organization’s password policies and would like to follow modern best practices. What is the recommended expiration period for passwords?
A. 30 days
B. 90 days
C. 180 days
D. None

A

D. None

Modern recommendations from the National Institute of Standards and Technology (NIST) are that users should not be forced to change their passwords through the use of password expiration policies. More information on these recommendations can be found in NIST Special Publication (SP) 800-63B, “Digital Identity Guidelines.”
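
The other side of the same NIST guidance is what a verifier should do instead of expiring passwords: require a minimum length, accept long passphrases, screen candidates against a breached-password list and context-specific words, impose no composition rules, and store only a salted, iterated hash. The following is an added example written for this page, not code from the flashcards or from NIST; the blocklist and the PBKDF2 iteration count are constructed assumptions.

```python
# Added example (not from the page or NIST): a memorized-secret verifier that
# applies the SP 800-63B rules the answer refers to. The blocklist and the
# PBKDF2 iteration count are constructed assumptions.
import hashlib
import hmac
import os
import unicodedata
from typing import List, Optional, Sequence, Tuple

MIN_LENGTH = 8              # 800-63B: at least 8 characters when chosen by the user
MAX_LENGTH = 64             # verifiers should accept at least 64 characters
PBKDF2_ITERATIONS = 600_000  # assumption; tune to the hardware you deploy on

# Stand-in for a corpus of breached and commonly used passwords (constructed).
BLOCKLIST = {"password", "123456789", "qwertyuiop", "letmein1"}


def evaluate_password(candidate: str, context_words: Sequence[str] = ()) -> List[str]:
    """Return the reasons for rejecting a candidate; an empty list means accept.

    Deliberately absent: composition rules (mixed case, digits, symbols) and
    any expiry date, both of which 800-63B tells verifiers not to impose.
    """
    pw = unicodedata.normalize("NFKC", candidate)  # compare canonical forms
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    lowered = pw.lower()
    if lowered in BLOCKLIST:
        reasons.append("appears in the breached/common password blocklist")
    for word in context_words:  # service name, username and the like
        if word and word.lower() in lowered:
            reasons.append(f"contains context-specific word {word!r}")
    return reasons


def hash_password(candidate: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 for at-rest storage; returns (salt, key)."""
    salt = os.urandom(16) if salt is None else salt
    pw = unicodedata.normalize("NFKC", candidate).encode("utf-8")
    return salt, hashlib.pbkdf2_hmac("sha256", pw, salt, PBKDF2_ITERATIONS)


def verify_password(candidate: str, salt: bytes, stored_key: bytes) -> bool:
    """Constant-time comparison of the recomputed key with the stored one."""
    _, key = hash_password(candidate, salt)
    return hmac.compare_digest(key, stored_key)
```

Rotation is handled by the blocklist rather than by the calendar: a credential that shows up in a breach corpus is rejected at next login, while a strong one that has not leaked is never forced to change.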

211
Q

Microsoft’s STRIDE threat assessment framework uses six categories for threats: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. If a penetration tester is able to modify audit logs, what STRIDE categories best describe this issue?
A. Tampering and information disclosure
B. Elevation of privilege and tampering
C. Repudiation and denial of service
D. Repudiation and tampering

A

D. Repudiation and tampering

Modification of audit logs will allow repudiation because the data cannot be trusted, and thus actions can be provably denied. The modification of the logs is also a direct example of tampering. It might initially be tempting to answer elevation of privileges and tampering, as the attacker made changes to files that should be protected, but this is an unknown without more information. Similarly, the attacker may have accessed the files, resulting in information disclosure in addition to tampering, but again, this is not specified in the question. Finally, this did not cause a denial of service, and thus that answer can be ignored.

212
Q

After you do automated functional testing with 100% coverage of an application, what type of error is most likely to remain?
A. Business logic errors
B. Input validation errors
C. Runtime errors
D. Error handling errors

A

A. Business logic errors

Business logic errors are most likely to be missed by automated functional testing. If a complete coverage code test was conducted, runtime, input validation, and error handling issues are likely to have been discovered by automated testing. Any automated system is more likely to miss business logic errors, because humans are typically necessary to understand business logic issues.

213
Q

Which one of the following controls would be most effective in detecting zero-day attack attempts?
A. Signature-based intrusion detection
B. Anomaly-based intrusion detection
C. Strong patch management
D. Full-disk encryption

A

B. Anomaly-based intrusion detection

Anomaly-based intrusion detection systems may identify an attack that exploits a zero-day vulnerability because the resulting activity deviates from normal patterns. Signature-based detection methods would not be effective because there are no signatures for zero-day vulnerabilities. Strong patch management would not be helpful because, by definition, zero-day vulnerabilities do not have patches available. Full-disk encryption would not detect an attack because it is not a detective control.

214
Q

Amanda is considering the implementation of a database recovery mechanism recommended by a consultant. In the recommended approach, an automated process will move records of transactions from the primary site to a backup site on an hourly basis. What type of database recovery technique is the consultant describing?
A. Electronic vaulting
B. Transaction logging
C. Remote mirroring
D. Remote journaling

A

D. Remote journaling

Remote journaling transfers transaction logs to a remote site on a more frequent basis than electronic vaulting, typically hourly. Transaction logging is not a recovery technique alone; it is a process for generating the logs used in remote journaling. In an electronic vaulting approach, automated technology moves database backups from the primary database server to a remote site on a scheduled basis, typically daily. Remote mirroring maintains a live database server at the backup site and mirrors all transactions at the primary site on the server at the backup site.

215
Q

Kim would like to create a key that enforces referential integrity for the database. What type of key does she need to create?
A. Primary key
B. Foreign key
C. Candidate key
D. Master key

A

B. Foreign key

Foreign keys are used to create relationships between tables in a database. A foreign key column in one table references the primary key (or another unique key) of another table, and the database enforces referential integrity by refusing any insert, update, or delete that would leave a foreign key value without a corresponding record in the referenced table.
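
The enforcement is easiest to see by trying to break it. The following is an added example written for this page, not code from the flashcards; it uses Python's built-in sqlite3 with a constructed customers/orders schema. One practitioner's caveat it demonstrates: SQLite parses foreign key clauses but does not enforce them unless the connection turns enforcement on.

```python
# Added example (not from the page): referential integrity enforced by a
# foreign key, using the standard-library sqlite3 module. Schema and rows are
# constructed for illustration.
import sqlite3


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    # SQLite ships with foreign-key enforcement OFF per connection; without
    # this pragma the REFERENCES clause below is accepted but never checked.
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(
        """
        CREATE TABLE customers (
            customer_id INTEGER PRIMARY KEY,
            name        TEXT NOT NULL
        );
        CREATE TABLE orders (
            order_id    INTEGER PRIMARY KEY,
            customer_id INTEGER NOT NULL
                REFERENCES customers(customer_id) ON DELETE RESTRICT,
            total_cents INTEGER NOT NULL
        );
        INSERT INTO customers VALUES (1, 'Kim');
        INSERT INTO orders VALUES (100, 1, 2599);
        """
    )
    return conn


def foreign_keys_enforced(conn: sqlite3.Connection) -> bool:
    """Check the pragma actually took effect before relying on it."""
    return conn.execute("PRAGMA foreign_keys").fetchone()[0] == 1


def insert_order(conn, order_id: int, customer_id: int, total_cents: int) -> bool:
    """True if the insert succeeded, False if the FK constraint rejected it."""
    try:
        conn.execute(
            "INSERT INTO orders VALUES (?, ?, ?)",
            (order_id, customer_id, total_cents),
        )
        return True
    except sqlite3.IntegrityError:  # orphan row: no such customer
        return False


def delete_customer(conn, customer_id: int) -> bool:
    """True if deleted, False if ON DELETE RESTRICT blocked it (orders exist)."""
    try:
        conn.execute("DELETE FROM customers WHERE customer_id = ?", (customer_id,))
        return True
    except sqlite3.IntegrityError:
        return False


def order_count(conn) -> int:
    return conn.execute("SELECT COUNT(*) FROM orders").fetchone()[0]
```

With enforcement on, an order for a nonexistent customer and a delete of a customer who still has orders both fail with an integrity error instead of silently corrupting the relationship.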

216
Q

What feature of a Trusted Platform Module (TPM) creates a hash summary of the system configuration to verify that changes have not been made?
A. Remote attestation
B. Binding
C. Sealing
D. RNG

A

A. Remote attestation

Remote attestation reports the hash values that the TPM has accumulated in its platform configuration registers (PCRs) as boot components were measured, signed by a key held in the TPM, so that a remote party can confirm the integrity of the configuration. Binding and sealing are techniques used by the TPM to encrypt data (sealing additionally ties decryption to a particular PCR state). The random number generator (RNG) function of the TPM is used to support cryptographic operations.
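
What makes the PCR summary trustworthy is the extend operation, which chains every measurement into the previous register value so that nothing earlier in the boot can be hidden or rewritten. The following is an added software model written for this page, not TPM code from the flashcards or from any TPM vendor: a real TPM signs the quote with an attestation key, and this model stands in an HMAC over a shared secret for that signature (an assumption); the boot event log is constructed.

```python
# Added example (not from the page): a software model of measured boot into a
# PCR and a signed quote checked by a remote verifier. A real TPM signs quotes
# with an attestation key; the HMAC over a shared secret used here is a
# stand-in (assumption). The event logs are constructed.
import hashlib
import hmac

PCR_SIZE = 32  # one register of a SHA-256 PCR bank


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM2_PCR_Extend: PCR_new = H(PCR_old || H(measurement)).

    The chaining is one-way: a changed component cannot be masked by a later
    measurement, and software cannot set the PCR to a chosen value.
    """
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measured_boot(event_log: list) -> bytes:
    """Replay an ordered list of boot components into a PCR."""
    pcr = bytes(PCR_SIZE)  # PCRs reset to all zeros
    for component in event_log:
        pcr = extend(pcr, component)
    return pcr


def quote(pcr: bytes, nonce: bytes, ak_secret: bytes) -> dict:
    """Attestation: sign the PCR value together with the verifier's nonce."""
    sig = hmac.new(ak_secret, pcr + nonce, hashlib.sha256).digest()
    return {"pcr": pcr, "nonce": nonce, "sig": sig}


def verify_quote(q: dict, nonce: bytes, ak_secret: bytes, golden_log: list) -> bool:
    """Verifier side: freshness, signature, then PCR against the known-good log."""
    if q["nonce"] != nonce:  # a quote replayed from an earlier challenge
        return False
    expected_sig = hmac.new(ak_secret, q["pcr"] + nonce, hashlib.sha256).digest()
    if not hmac.compare_digest(q["sig"], expected_sig):
        return False
    return hmac.compare_digest(q["pcr"], measured_boot(golden_log))


# Constructed known-good boot sequence the verifier expects to see.
GOLDEN_LOG = [b"firmware v1.2", b"bootloader v3", b"kernel 6.1 (signed)"]
```

The verifier never trusts the event log as reported; it recomputes the PCR from the list of components it is willing to accept and compares. Swapping a single component, even the last one, changes the final register value.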

217
Q

Andrew believes that a digital certificate belonging to his organization was compromised and would like to add it to a certificate revocation list (CRL). Who must add the certificate to the CRL?
A. Andrew
B. The root authority for the top-level domain
C. The CA that issued the certificate
D. The revocation authority for the top-level domain

A

C. The CA that issued the certificate

Certificates may only be added to a certificate revocation list by the certificate authority that created the digital certificate.

218
Q

Ben is building his organization’s security awareness and training program and would like to include interactive activities that better engage users. What techniques would best help him meet this goal?
A. Policy reviews
B. Gamification
C. Classroom training
D. Phishing simulations

A

B. Gamification
D. Phishing simulations

All of these techniques are valid components of a security awareness and training program. However, users generally find policy reviews and classroom training boring. Gamification and phishing simulations are designed to bring interactivity to the effort and make it more interesting and engaging for users.

219
Q

What network topology is used by modern-day Ethernet networks?
A. Star
B. Mesh
C. Ring
D. Bus

A

A. Star

Ethernet networks in modern organizations use a star topology, where each device is directly connected to the switch and receives only traffic intended for that device. This reduces the possibility of eavesdropping on other devices.

220
Q

Evelyn is preparing a training program that will provide cybersecurity advice to users who often travel internationally. Which of the following topics requires special training to ensure that users do not run afoul of U.S. export control laws?
A. Encryption software
B. Content filtering
C. Firewall rules
D. Phishing simulations

A

A. Encryption software

U.S. export control laws contain special provisions around the use of encryption technology, and Evelyn should include details about the software used by her firm in the training. These regulations do not affect content filtering controls, firewall rules, or phishing simulations.

221
Q

During which phase of the incident response process would administrators design new security controls intended to prevent a recurrence of the incident?
A. Reporting
B. Recovery
C. Remediation
D. Lessons learned

A

C. Remediation

The remediation phase of incident handling focuses on conducting a root-cause analysis to identify the factors contributing to an incident and implementing new security controls, as needed.

222
Q

Ben’s New York–based commercial web service collects personal information from California residents. What does the California Online Privacy Protection Act require Ben to do to be compliant?
A. Ben must encrypt all personal data he receives.
B. Ben must comply with the EU GDPR.
C. Ben must have a conspicuously posted privacy policy on his site.
D. Ben must provide notice and choice for users of his website.

A

C. Ben must have a conspicuously posted privacy policy on his site.

The California Online Privacy Protection Act requires that commercial websites that collect personal information from users in California conspicuously post a privacy policy. The act does not require compliance with the EU GDPR, nor does it use the GDPR concepts of notice or choice, and it does not require encryption of all personal data.

223
Q

Carlos is planning a design for a data center that will be constructed within a new four-story corporate headquarters. The building consists of a basement and three above-ground floors. What is the best location for the data center?
A. Basement
B. First floor
C. Second floor
D. Third floor

A

C. Second floor

Data centers should be located in the core of a building. Locating it on lower floors makes it susceptible to flooding and physical break-ins. Locating it on the top floor makes it vulnerable to wind and roof damage.

224
Q

James has opted to implement a NAC solution that uses a post-admission philosophy for its control of network connectivity. What type of issues can’t a strictly post-admission policy handle?
A. Out-of-band monitoring
B. Preventing an unpatched laptop from being exploited immediately after connecting to the network
C. Denying access when user behavior doesn’t match an authorization matrix
D. Allowing a user access to a specific object when user behavior is allowed based on an authorization matrix

A

B. Preventing an unpatched laptop from being exploited immediately after connecting to the network

A post-admission philosophy allows or denies access based on user activity after connection based on a predefined authorization matrix. Since this doesn’t check the status of a machine before it connects, it can’t prevent the exploit of the system immediately after connection. This doesn’t preclude out-of-band or in-band monitoring, but it does mean that a strictly post-admission policy won’t handle system checks before the systems are admitted to the network.

225
Q

Ed is building a network that supports IPv6 but needs to connect it to an IPv4 network. What type of device should Ed place between the networks?
A. A switch
B. A router
C. A bridge
D. A gateway

A

D. A gateway

Ed’s best option is to install an IPv6 to IPv4 gateway that can translate traffic between the networks. A bridge would be appropriate for different types of networks, whereas a router would make sense if the networks were similar. A modern switch might be able to carry both types of traffic but wouldn’t be much help translating between the two protocols.

226
Q

The mean time to detect a compromise is what type of security measurement?
A. An MTO
B. A technical control objective
C. A compliance objective
D. A KPI

A

D. A KPI

The mean time to detect a compromise is a security KPI, or key performance indicator. KPIs are used to determine how effective practices, procedures, and staff are.

227
Q

What does a service ticket (ST) provide in Kerberos authentication?
A. It serves as the authentication host.
B. It provides proof that the subject is authorized to access an object.
C. It provides proof that a subject has authenticated through a KDC and can request tickets to access other objects.
D. It provides ticket granting services.

A

B. It provides proof that the subject is authorized to access an object.

The service ticket in Kerberos authentication provides proof that a subject is authorized to access an object. Ticket-granting services are provided by the TGS. Proof that a subject has authenticated and can request tickets for other objects is provided by the ticket-granting ticket (TGT), and "authentication host" is a made-up term.

228
Q

What three important items should be considered if you are attempting to control the strength of signal for a wireless network as well as where it is accessible?
A. Antenna placement, antenna type, antenna power levels
B. Antenna design, power levels, use of a captive portal
C. Antenna placement, antenna design, use of a captive portal
D. Power levels, antenna placement, FCC minimum strength requirements

A

A. Antenna placement, antenna type, antenna power levels

Antenna placement, antenna design, and power levels are the three important factors in determining where a signal can be accessed and how usable it is. A captive portal can be used to control user logins, and antenna design is part of antenna types. The FCC does provide maximum broadcast power guidelines but does not require a minimum power level.

229
Q

Andrea wants to ensure that her virtualized networks are secure between virtual environments. She uses virtual machine clusters in multiple locations in her state with third-party Internet service providers between those locations. Which of the following solutions is best suited to protecting her traffic if she runs a flattened layer 2 network between those locations?
A. TLS
B. BGP
C. IPsec
D. AES

A

C. IPsec

An IPsec VPN will allow Andrea to keep her networks running as layer 2 flattened networks when necessary while providing the security for her traffic that she wants. TLS operates at a higher network layer, although traffic could be tunneled through it. BGP is a routing protocol, and AES is an encryption algorithm.

230
Q

Which component of IPsec provides authentication, integrity, and nonrepudiation?
A. L2TP
B. Encapsulating Security Payload
C. Encryption Security Header
D. Authentication Header

A

D. Authentication Header

The Authentication Header provides authentication, integrity, and nonrepudiation for IPsec connections (the exam's framing; in practice AH's integrity check value is a keyed hash computed with a key shared by both peers, so it proves origin to the peer rather than to an outside party). The Encapsulating Security Payload provides encryption and thus provides confidentiality. It can also provide limited authentication. L2TP is an independent VPN protocol, and Encryption Security Header is a made-up term.

231
Q

The leadership at Susan’s company has asked her to implement an access control system that can support rule declarations like “Only allow access to salespeople from managed devices on the wireless network between 8 a.m. and 6 p.m.” What type of access control system would be Susan’s best choice?
A. ABAC
B. RBAC
C. DAC
D. MAC

A

A. ABAC

An attribute-based access control (ABAC) system will allow Susan to specify details about subjects, objects, actions, and the environment of the request (device state, network, time of day), allowing granular control. Although a rule-based access control system (RBAC) might allow this, the attribute-based access control system can be more specific and thus is more flexible. Discretionary access control (DAC) would allow object owners to make decisions, and mandatory access controls (MACs) would use classifications; neither of these capabilities was described in the requirements.
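
The rule in the question is a conjunction of attribute conditions, which is exactly what an ABAC policy decision point evaluates. The following is an added example written for this page, not code from the flashcards or from any access control product; the attribute names, the wireless address range, and the sample requests are constructed. Returning the list of failed conditions alongside the decision is the detail a practitioner wants for audit logs.

```python
# Added example (not from the page): the rule "only allow access to salespeople
# from managed devices on the wireless network between 8 a.m. and 6 p.m."
# expressed as ABAC conditions over subject, resource, action and environment
# attributes. Attribute names, address range and requests are constructed.
from datetime import time
from ipaddress import ip_address, ip_network

WIRELESS_NET = ip_network("10.50.0.0/16")  # assumption: wireless client range
BUSINESS_HOURS = (time(8, 0), time(18, 0))  # 8 a.m. inclusive to 6 p.m. exclusive


def is_salesperson(subj, res, act, env):
    return subj.get("department") == "sales"


def is_sales_resource(subj, res, act, env):
    return res.get("category") == "sales"


def is_read(subj, res, act, env):
    return act == "read"


def device_is_managed(subj, res, act, env):
    return env.get("device_managed") is True


def on_wireless_network(subj, res, act, env):
    return ip_address(env["source_ip"]) in WIRELESS_NET


def within_business_hours(subj, res, act, env):
    start, end = BUSINESS_HOURS
    return start <= env["time"] < end


# Every condition must hold; anything not explicitly permitted is denied.
POLICY = [
    ("subject is in sales", is_salesperson),
    ("resource is sales data", is_sales_resource),
    ("action is read", is_read),
    ("device is managed", device_is_managed),
    ("request comes from the wireless network", on_wireless_network),
    ("request is between 08:00 and 18:00", within_business_hours),
]


def decide(subject: dict, resource: dict, action: str, env: dict):
    """Return ('permit', []) or ('deny', [names of the conditions that failed])."""
    failed = [name for name, cond in POLICY if not cond(subject, resource, action, env)]
    return ("permit" if not failed else "deny", failed)


def make_env(device_managed: bool, source_ip: str, hour: int, minute: int = 0) -> dict:
    """Build the environment attributes of a request (time is local clock time)."""
    return {"device_managed": device_managed, "source_ip": source_ip, "time": time(hour, minute)}
```

A role-based scheme can express "salespeople may read sales data" but has nowhere to put the device, network, and time-of-day conditions; here they are just three more predicates in the same list.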

232
Q

Chris has been assigned to scan a system on all of its possible TCP and UDP ports. How many ports of each type must he scan to complete his assignment?
A. 65,536 TCP ports and 32,768 UDP ports
B. 1,024 common TCP ports and 32,768 ephemeral UDP ports
C. 65,536 TCP and 65,536 UDP ports
D. 16,384 TCP ports, and 16,384 UDP ports

A

C. 65,536 TCP and 65,536 UDP ports

Both TCP and UDP port numbers are 16-bit fields, which means there can be 2^16 ports, or 65,536 ports, numbered from 0 to 65,535.

233
Q

What is the most common risk that cellular phone hotspots create for business networks?
A. They can provide attackers with an unsecured network path into your network.
B. They can be used like rogue access points for man-in-the-middle attacks.
C. They allow wireless data to be intercepted.
D. They are unencrypted and can be easily sniffed.

A

A. They can provide attackers with an unsecured network path into your network.

Organizations are most often concerned about hotspots creating an unsecured network connection into their secure network via laptops or other devices that are connected to them. Bridging a cellular connection to a network connection to the business’s network creates a path that bypasses security controls. Hotspots could be used as rogue access points, but this is a less common scenario. They do not specifically allow wireless data to be intercepted and, in most modern implementations, are encrypted, thus limiting the likelihood of sniffing providing useful data.

234
Q

What level of RAID is also known as disk striping?
A. RAID 0
B. RAID 1
C. RAID 5
D. RAID 10

A

A. RAID 0

RAID level 0 is also known as disk striping. RAID 1 is called disk mirroring. RAID 5 is called disk striping with parity. RAID 10 is known as a stripe of mirrors.

235
Q

Rick’s risk assessment for his company’s web application noted that it could suffer from SQL injection attacks. Which of the following mitigation techniques would you recommend Rick apply to help reduce this risk? (Select all that apply.)
A. Stored procedures
B. Escaping all user-supplied input
C. Parameterized queries
D. Input validation

A

A. Stored procedures
B. Escaping all user-supplied input
C. Parameterized queries
D. Input validation

All of these options are useful to help prevent SQL injection. Stored procedures limit what can be done via the database server, and escaping user input makes dangerous characters less likely to be a problem (though escaping is dialect-specific and the weakest of the four on its own). Parameterized queries keep user input as bound data so it can never change the structure of the query, and input validation adds another layer of protection by limiting what can be successfully input by a user.
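
The difference between the techniques is clearest with one lookup written three ways against the same table. The following is an added example written for this page, not code from the flashcards; it uses Python's built-in sqlite3 with a constructed users table. SQLite has no stored procedures and escaping is left out because its rules vary by database, so the block shows the vulnerable form, the parameterized form, and allowlist validation layered in front of it.

```python
# Added example (not from the page): the same user lookup written vulnerably,
# with a parameterized query, and with allowlist input validation in front of
# the parameterized query. The users table is constructed for illustration.
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT, is_admin INTEGER);
        INSERT INTO users VALUES ('alice', 'alice@example.com', 1);
        INSERT INTO users VALUES ('bob',   'bob@example.com',   0);
        """
    )
    return conn


def lookup_vulnerable(conn, username: str):
    """String concatenation: the input becomes part of the SQL grammar."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return sorted(conn.execute(sql).fetchall())


def lookup_parameterized(conn, username: str):
    """Placeholder binding: the driver sends the input as data, never as SQL."""
    rows = conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()
    return sorted(rows)


# Allowlist for the field: lowercase letters, digits and underscore only.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def lookup_validated(conn, username: str):
    """Input validation as a second layer in front of the parameterized query."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username contains characters outside the allowlist")
    return lookup_parameterized(conn, username)
```

The classic payload `x' OR '1'='1` turns the concatenated query into a tautology and returns every row; bound as a parameter it is simply a username nobody has, and the validator rejects it before any query runs.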

236
Q

What protocol takes the place of certificate revocation lists and adds real-time status verification?
A. RTCP
B. RTVP
C. OCSP
D. CSRTP

A

C. OCSP

The Online Certificate Status Protocol (OCSP) eliminates the latency inherent in the use of certificate revocation lists by providing a means for real-time certificate verification.

237
Q

If the client has already authenticated to the KDC, what does the client workstation send to the KDC at point A when it wants to access a resource?
A. It resends the password.
B. A TGR.
C. Its TGT.
D. A service ticket.

A

C. Its TGT.

The client sends its existing valid TGT to the KDC and requests access to the resource.

238
Q

Melissa is in charge of her organization’s security compliance efforts and has been told that the organization does not install Windows patches until a month has passed since the patch has been released unless there is a zero-day exploit that is being actively exploited. Why would the company delay patching like this?
A. To minimize business impact of the installation
B. To allow any flaws with the patch to be identified
C. To prevent malware in the patches from being installed before it is identified
D. To allow the patch to be distributed to all systems

A

B. To allow any flaws with the patch to be identified

Many organizations delay patches for a period of time to ensure that any previously unidentified flaws are found before the patches are installed throughout their organization. Melissa needs to balance business impact against security in her role and may choose to support this or to push for more aggressive installation practices depending on the organization’s risk tolerance and security needs.

239
Q

Henry’s company has deployed an extensive IoT infrastructure for building monitoring that includes environmental controls, occupancy sensors, and a variety of other sensors and controllers that help manage the building. Which of the following security concerns should Henry report as the most critical in his analysis of the IoT deployment?
A. The lack of local storage space for security logs that is common to IoT devices.
B. The IoT devices may not have a separate administrative interface, allowing anybody on the same network to attempt to log into them and making brute-force attacks possible.
C. The IoT devices may not support strong encryption for communications, exposing the log and sensor data to interception on the network.
D. The long-term support and patching model for the IoT devices may create security and operational risks for the organization.

A

D. The long-term support and patching model for the IoT devices may create security and operational risks for the organization.

Henry’s biggest concern should be the long-term security and supportability of the IoT devices. As these devices are increasingly embedded in buildings and infrastructure, the support model and security model are important to understand. Both the lack of separate administrative access and the lack of strong encryption can be addressed by placing the IoT devices on a dedicated subnet or network that prevents other users from accessing the devices directly. This will help limit the risk without undue expense or complexity and is a common practice. Finally, lack of storage space can be a concern but is not the most important when looking at the risks IoT devices can create.

240
Q

NIST specifies four attack phase steps: gaining access, escalating privileges, system browsing, and installing additional tools. Once attackers install additional tools, what phase will a penetration tester typically return to?
A. Discovery
B. Gaining access
C. Escalating privileges
D. System browsing

A

B. Gaining access

Once additional tools have been installed, penetration testers will typically use them to gain additional access. From there they can further escalate privileges, search for new targets or data, and, once again, install more tools to allow them to pivot further into infrastructure or systems.

241
Q

Elle is planning her organization’s asset retention efforts and wants to establish when the company will remove assets from use. Which of the following is typically the last event in a manufacturer or software provider’s life cycle?
A. End of life
B. End of support
C. End of sales
D. General availability

A

B. End of support

The end of support of a device or product typically occurs after the end of life and end of sales. Support may continue for a period of months or even years, but eventually support stops too. General availability is found during the main part of a life cycle, rather than at the end, and helps note when the product is out of testing and can be acquired or used by customers or others instead of specific groups like beta testers or early release partners.

242
Q

Selah’s networking team has been asked to identify a technology that will allow them to separate the routing process for the network from the packet switching process while increasing centralization?
A. A network that follows the 5-4-3 rule
B. A converged network
C. A software-defined network
D. A hypervisor-based network

A

C. A software-defined network

Software-defined networking provides a network architecture that can be defined and configured as code or software and separates routing processes from packet switching while centralizing control. The 5-4-3 rule is an old design rule for networks that relied on repeaters or hubs. A converged network carries multiple types of traffic like voice, video, and data. A hypervisor-based network may be software defined, but it could also use traditional network devices running as virtual machines.

243
Q

Joe is the security administrator for an ERP system. He is preparing to create accounts for several new employees. What default access should he give to all of the new employees as he creates the accounts?
A. Read only
B. Editor
C. Administrator
D. No access

A

D. No access

The principle of least privilege should guide Joe in this case. He should apply no access permissions by default and then give each user the necessary permissions to perform their job responsibilities. Read only, editor, and administrator permissions may be necessary for one or more of these users, but those permissions should be assigned based upon business need and not by default.

244
Q

Jacob is planning his organization’s biometric authentication system and is considering retina scans. What concern may be raised about retina scans by others in his organization?
A. Retina scans can reveal information about medical conditions.
B. Retina scans are painful because they require a puff of air in the user’s eye.
C. Retina scanners are the most expensive type of biometric device.
D. Retina scanners have a high false positive rate and will cause support issues.

A

A. Retina scans can reveal information about medical conditions.

Retina scans can reveal additional information, including high blood pressure and pregnancy, causing privacy concerns. Newer retina scans don’t require a puff of air, and retina scanners are not the most expensive biometric factor. Their false positive rate can typically be adjusted in software, allowing administrators to adjust their acceptance rate as needed to balance usability and security.

245
Q

Sally is building a new server for use in her environment and plans to implement RAID level 1 as a storage availability control. What is the minimum number of physical hard disks that she needs to implement this approach?
A. One
B. Two
C. Three
D. Five

A

B. Two

RAID level 1, also known as disk mirroring, uses a minimum of two disks that contain identical information. If one disk fails, the other contains the data needed for the system to continue operation.

246
Q

Srini is building a high-performance computing cluster that requires very high bandwidth and very low latency. What converged protocol is he most likely to select for this purpose?
A. iSCSI
B. VoIP
C. Infiniband over Ethernet
D. CXL

A

C. Infiniband over Ethernet

Infiniband over Ethernet is commonly used for purposes like this, allowing direct memory access over Ethernet while providing high bandwidth and low latency. iSCSI is used for storage, VoIP is used for telephony, and Compute Express Link (CXL) is used for CPU to device and CPU to memory connections.

247
Q

Nick wants to do session management for his web application. Which of the following are common web application session management techniques or methods? (Select all that apply.)
A. IP tracking
B. Cookies
C. URL rewriting
D. TLS tokens

A

B. Cookies
C. URL rewriting

Common session management techniques include the use of cookies, hidden form fields, URL rewriting, and built-in frameworks like Java's HttpSession. IP tracking may be included in session information but is not itself a complete session identifier, and TLS token binding is used to make TLS sessions more secure, not to provide session identification.
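
Whichever carrier is used, the security properties come from the session ID itself and the server-side record it points at: unpredictable, bound to the user only on the server, expired on inactivity and on an absolute limit, and replaced after login. The following is an added example written for this page, not code from the flashcards or from any framework; the timeouts and cookie attributes are assumptions, and a fake clock is used so expiry can be exercised without waiting.

```python
# Added example (not from the page): cookie-carried session IDs backed by a
# server-side store, with idle and absolute timeouts, ID rotation after
# login, and the cookie attributes that protect the ID in transit. Timeouts
# and cookie flags are assumptions.
import secrets
import time

IDLE_TIMEOUT = 15 * 60       # assumption: 15 minutes of inactivity
ABSOLUTE_TIMEOUT = 8 * 3600  # assumption: 8 hours regardless of activity
COOKIE_NAME = "sid"


class SessionStore:
    def __init__(self, clock=time.time):
        self._sessions = {}  # session_id -> record; state never leaves the server
        self._clock = clock  # injectable so tests can advance time

    def create(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def lookup(self, sid: str):
        """Return the user for a live session, or None (and drop it) if expired."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        now = self._clock()
        if now - rec["last_seen"] > IDLE_TIMEOUT or now - rec["created"] > ABSOLUTE_TIMEOUT:
            self.destroy(sid)
            return None
        rec["last_seen"] = now
        return rec["user"]

    def rotate(self, sid: str) -> str:
        """Issue a fresh ID after login or privilege change (defeats session fixation)."""
        rec = self._sessions.pop(sid)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = rec
        return new_sid

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def set_cookie_header(sid: str) -> str:
    # HttpOnly keeps scripts away from the ID, Secure keeps it off plaintext
    # HTTP, SameSite=Lax limits cross-site sending, Path scopes where it goes.
    return f"{COOKIE_NAME}={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


def session_from_cookie_header(store: SessionStore, cookie_header: str):
    """Parse a Cookie request header such as 'theme=dark; sid=...' and resolve it."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == COOKIE_NAME:
            return store.lookup(value)
    return None
```

The same store works unchanged behind URL rewriting or a hidden form field; only the carrier changes, and the cookie is preferred because it is the one carrier that can be marked HttpOnly and Secure.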

248
Q

Chas is a cybersecurity manager who is concerned that the cloud provider his organization relies upon for disaster recovery may not be able to meet their needs in the event that a disaster strikes multiple customers simultaneously. What type of agreement should Chas enter into with this provider?
A. Nondisclosure agreement
B. Resource capacity agreement
C. Mutual assistance agreement
D. Business partnership agreement

A

B. Resource capacity agreement

A resource capacity agreement is the most appropriate for Chas’s concern, as it specifically addresses the availability of resources in a disaster scenario. This type of agreement ensures that the cloud provider has sufficient resources to meet the needs of their clients, even in the event of multiple simultaneous disasters. It directly tackles the issue of resource allocation and availability, which is Chas’s primary concern. In contrast, a nondisclosure agreement is more about confidentiality and doesn’t address resource capacity. A mutual assistance agreement typically involves agreements between organizations for support during emergencies but doesn’t guarantee specific resource availability. A business partnership agreement is broader and may not specifically cover the detailed aspects of resource availability in disaster scenarios.

249
Q

Susan has been asked to recommend whether her organization should use a MAC scheme or a DAC scheme. If flexibility and scalability are important requirements for implementing access controls, which scheme should she recommend and why?
A. MAC, because it provides greater scalability and flexibility because you can simply add more labels as needed
B. DAC, because allowing individual administrators to make choices about the objects they control provides scalability and flexibility
C. MAC, because compartmentalization is well suited to flexibility and adding compartments will allow it to scale well
D. DAC, because a central decision process allows quick responses and will provide scalability by reducing the number of decisions required and flexibility by moving those decisions to a central authority

A

B. DAC, because allowing individual administrators to make choices about the objects they control provides scalability and flexibility

Discretionary access control (DAC) can provide greater scalability by leveraging many administrators, and those administrators can add flexibility by making decisions about access to their objects without fitting into an inflexible mandatory access control system (MAC). MAC is more secure due to the strong set of controls it provides, but it does not scale as well as DAC and is relatively inflexible in comparison.

250
Q

Roger’s organization suffered a breach of customer credit card records. Under the terms of PCI DSS, what organization may choose to pursue an investigation of this matter?
A. FBI
B. Local law enforcement
C. Bank
D. PCI SSC

A

C. Bank

PCI DSS is a standard promulgated by the Payment Card Industry Security Standards Council (PCI SSC) but is enforced through contractual relationships between merchants and their banks. Therefore, the bank would be the appropriate entity to initiate an investigation under PCI DSS. Local and federal law enforcement agencies (such as the FBI) could decide to pursue a criminal investigation if the circumstances warrant it, but they do not have the authority to enforce PCI DSS requirements.

251
Q

If the systems that are being assessed all handle credit card information (and no other sensitive data), at what step would the PCI DSS first play an important role?
A. Step 1
B. Step 2
C. Step 3
D. Step 4

A

B. Step 2

PCI DSS provides a set of required security controls and standards. Step 2 would be guided by the requirements of PCI DSS. PCI DSS will not greatly influence step 1 because all of the systems handle credit card information, making PCI DSS apply to all systems covered. Steps 3 and 4 will be conducted after PCI DSS has guided the decisions in step 2.

252
Q

Wanda is working with one of her organization’s European Union business partners to facilitate the exchange of customer information. Wanda’s organization is located in the United States. What would be the best method for Wanda to use to ensure GDPR compliance?
A. Binding corporate rules
B. Privacy Shield
C. Standard contractual clauses
D. Safe harbor

A

C. Standard contractual clauses

The European Union provides standard contractual clauses that may be used to facilitate data transfer. That would be the best choice in a case where two different companies are sharing data. If the data was being shared internally within a company, binding corporate rules would also be an option. The EU/U.S. Privacy Shield was a safe harbor agreement that would previously have allowed the transfer but is no longer valid.

253
Q

Vincent believes that a former employee took trade secret information from his firm and brought it with him to a competitor. He wants to pursue legal action. Under what law could he pursue charges?
A. Copyright law
B. Lanham Act
C. Glass-Steagall Act
D. Economic Espionage Act

A

D. Economic Espionage Act

The Economic Espionage Act imposes fines and jail sentences on anyone found guilty of stealing trade secrets from a U.S. corporation. It gives true teeth to the intellectual property rights of trade secret owners. Copyright law does not apply in this situation because there is no indication that the information was copyrighted. The Lanham Act applies to trademark protection cases. The Glass-Steagall Act was a banking reform act that is not relevant in this situation.

254
Q

Ben is troubleshooting a network and discovers that the NAT router he is connected to has the 192.168.x.x subnet as its internal network and that its external IP is 192.168.1.40. What problem is he encountering?
A. 192.168.x.x is a nonroutable network and will not be carried to the Internet.
B. 192.168.1.40 is not a valid address because it is reserved by RFC 1918.
C. Double NATing is not possible using the same IP range.
D. The upstream system is unable to de-encapsulate his packets, and he needs to use PAT instead.

A

C. Double NATing is not possible using the same IP range.

Double NATing isn’t possible with the same IP range; the same IP addresses cannot appear both inside and outside a NAT router. RFC 1918 addresses are reserved only so that they are not used as routable addresses on the Internet, and changing to PAT would not fix the issue.

255
Q

Joanna wants to deploy 4G LTE as an out-of-band management solution for devices at remote sites. Which of the following security capabilities is not commonly available from 4G service providers?
A. Encryption capabilities
B. Device-based authentication
C. Dedicated towers and antennas for secure service subscribers
D. SIM-based authentication

A

C. Dedicated towers and antennas for secure service subscribers

While security features vary from provider to provider, encryption, device-based authentication (for example, using certificates), and SIM-based authentication are all common options for 4G connectivity solutions. Joanna should work with her provider to determine what capabilities are available and assess whether they meet her needs.

256
Q

What mode of switching is best suited to low-latency, high-throughput data transfer?
A. Store-and-forward switching
B. Blind switching
C. Forward switching
D. Cut-through switching

A

D. Cut-through switching

Cut-through switching forwards packets as soon as the destination address is known without waiting for the rest of the frame to arrive. This means that packets are not checked for integrity before being forwarded, optimizing throughput and reducing latency at the expense of error checking. Store-and-forward waits for the entire frame to allow it to be checked using a cyclic redundancy check (CRC) before forwarding it. Blind and forward switching were made up for this question.

257
Q

Robin recently conducted a vulnerability scan and found a critical vulnerability on a server that handles sensitive information. What should Robin do next?
A. Patching
B. Reporting
C. Remediation
D. Validation

A

D. Validation

Once a vulnerability scanner identifies a potential problem, validation is necessary to verify that the issue exists. Reporting, patching, or other remediation actions can be conducted once the vulnerability has been confirmed.

258
Q

Please use your knowledge of password policies and their application to answer the question.

With her organization’s password behavior under control, Ifeoma wants to ensure that a lost password will not result in easy compromise of her company’s accounts. Which of the following controls provides the best protection against password loss or exposure-related compromise?
A. MFA
B. SSO
C. Federation
D. Password rotation

A

A. MFA

Requiring multifactor authentication (MFA) is a common security measure used to prevent unauthorized access to an account in case of password loss or exposure. SSO allows the use of an account throughout systems or services. Federation connects different organizations together, allowing the use of credentials between trusted partners. Password rotation can help, but lost passwords remain dangerous until the rotation happens, allowing days, weeks, or even months of potential exposure.

259
Q

Tom is responsible for maintaining the security of systems used to control industrial processes located within a power plant. What term is used to describe these systems?
A. POWER
B. SCADA
C. HAVAL
D. COBOL

A

B. SCADA

Supervisory control and data acquisition (SCADA) systems are used to control and gather data from industrial processes. They are commonly found in power plants and other industrial environments.

260
Q

In the transaction shown here, what would happen if the database failed in between the first and second update statements?

BEGIN TRANSACTION

UPDATE accounts
SET balance = balance + 250
WHERE account_number = 1001;

UPDATE accounts
SET balance = balance - 250
WHERE account_number = 2002;

COMMIT TRANSACTION

A. The database would credit the first account with $250 in funds but then not reduce the balance of the second account.
B. The database would ignore the first command and only reduce the balance of the second account by $250.
C. The database would roll back the transaction, ignoring the results of both commands.
D. The database would successfully execute both commands.

A

C. The database would roll back the transaction, ignoring the results of both commands.

A database failure in the middle of a transaction causes the rollback of the entire transaction. In this scenario, the database would not execute either command because doing so would violate the atomicity property of the transaction.

261
Q

Monica wants to gather information about security awareness in her organization. What technique is most frequently used to assess the broad range of elements that make up security awareness?
A. Phishing simulations
B. Gamified applications
C. Assessment tests
D. Surveys

A

D. Surveys

Most organizations use surveys to assess security awareness. Phishing simulators are also frequently used, but only test awareness of phishing issues and techniques, not general security awareness. Gamified applications are continuing to grow in popularity, but the ease of use and availability of surveys make them the most popular. Finally, assessment tests may be used when compliance knowledge assessments are required to meet a specific standard, but testing is not as common as surveying.

262
Q

What solution can best help address concerns about third parties that control SSO redirects as shown in step 2 in the diagram?
A. An awareness campaign about trusted third parties
B. TLS
C. Handling redirects at the local site
D. Implementing an IPS to capture SSO redirect attacks

A

A. An awareness campaign about trusted third parties

While many solutions are technical, if a trusted third party redirects to an unexpected authentication site, awareness is often the best defense. Using TLS would keep the transaction confidential but would not prevent the redirect. Handling redirects locally works only for locally hosted sites, and using a third-party service requires off-site redirects. An IPS might detect an attacker’s redirect, but tracking the multitude of load-balanced servers most large providers use can be challenging, if not impossible. In addition, an IPS relies on visibility into the traffic, and SAML integrations should be encrypted for security, which would require a man-in-the-middle type of IPS to be configured.

263
Q

Chris is advising travelers from his organization who will be visiting many different countries overseas. He is concerned about compliance with export control laws. Which of the following technologies is most likely to trigger these regulations?
A. Memory chips
B. Office productivity applications
C. Hard drives
D. Encryption software

A

D. Encryption software

The export of encryption software to certain countries is regulated under U.S. export control laws. Memory chips, office productivity applications, and hard drives are less likely to be covered by these regulations, unless they contain hardware dedicated to encryption.

264
Q

Todd believes that a digital certificate used by his organization has been compromised, and he wants to add it to the certificate revocation list (CRL). What element of the certificate goes on the CRL?
A. Serial number
B. Public key
C. Digital signature
D. Private key

A

A. Serial number

The certificate revocation list contains the serial numbers of digital certificates issued by a certificate authority that have later been revoked.

265
Q

Which one of the following actions might be taken as part of a business continuity plan?
A. Restoring from backup tapes
B. Implementing RAID
C. Relocating to a cold site
D. Restarting business operations

A

B. Implementing RAID

RAID technology provides fault tolerance for hard drive failures and is an example of a business continuity action. Restoring from backup tapes, relocating to a cold site, and restarting business operations are all disaster recovery actions.

266
Q

What type of fire suppression system fills with water after a valve opens when the initial stages of a fire are detected and then requires a sprinkler head heat activation before dispensing water?
A. Wet pipe
B. Dry pipe
C. Deluge
D. Preaction

A

D. Preaction

A preaction fire suppression system activates in two steps. The pipes fill with water once the early signs of a fire are detected. The system does not dispense water until heat sensors on the sprinkler heads trigger the second phase.

267
Q

Veronica is considering the implementation of a database recovery mechanism recommended by a consultant. In the recommended approach, an automated process will move database backups from the primary facility to an off-site location each night. What type of database recovery technique is the consultant describing?
A. Remote journaling
B. Remote mirroring
C. Electronic vaulting
D. Transaction logging

A

C. Electronic vaulting

In an electronic vaulting approach, automated technology moves database backups from the primary database server to a remote site on a scheduled basis, typically daily. Transaction logging is not a recovery technique alone; it is a process for generating the logs used in remote journaling. Remote journaling transfers transaction logs to a remote site on a more frequent basis than electronic vaulting, typically hourly. Remote mirroring maintains a live database server at the backup site and mirrors all transactions at the primary site on the server at the backup site.

268
Q
A