OPT2 Flashcards
1. NIST SP800-53 discusses a set of security controls as what type of security tool? A. A configuration list B. A threat management strategy C. A baseline D. The CIS standard
C. NIST SP 800-53 discusses security control baselines as a list of security controls. CIS releases security baselines, and a baseline is a useful part of a threat management strategy and may contain a list of acceptable configuration items.
- Which one of the following is not a function of a forensic disk controller?
A. Preventing the modification of data on a storage device
B. Returning data requested from the device
C. Reporting errors sent by the device to the forensic host
D. Blocking read commands sent to the device
D. A forensic disk controller performs four functions. One of those, write blocking, intercepts write commands sent to the device and prevents them from modifying data on the device. The other three functions include returning data requested by a read operation, returning access-significant information from the device, and reporting errors from the device back to the forensic host. The controller should not prevent read commands from being sent to the device because those commands may return crucial information.
5. Which Kerberos service generates a new ticket and session keys and sends them to the client? A. KDC B. TGT C. AS D. TGS
D. The TGS, or Ticket-Granting Service (which is usually on the same server as the KDC), receives a TGT from the client. It validates the TGT and the user’s rights to access the service they are requesting to use. The TGS then issues a ticket and session keys to the client. The AS serves as the authentication server, which forwards the username to the KDC. It’s worth noting that the client doesn’t communicate with the KDC directly. Instead, it will communicate with the TGT and the AS, which means KDC isn’t an appropriate answer here.
7. What type of motion detector uses high microwave frequency signal transmissions to identify potential intruders? A. Infrared B. Heat-based C. Wave pattern D. Capacitance
C. Wave pattern motion detectors transmit ultrasonic or microwave signals into the monitor area, watching for changes in the returned signals bouncing off objects.
For questions 9–11, please refer to the following scenario: Ben owns a coffeehouse and wants to provide wireless Internet service for his customers. Ben’s network is simple and uses a single consumer-grade wireless router and a cable modem connected via a commercial cable data contract.
9. How can Ben provide access control for his customers without having to provision user IDs before they connect while also gathering useful contact information for his business purposes?
A. WPA2 PSK
B. A captive portal #captive portal
C. Require customers to use a publicly posted password like “BensCoffee.”
D. Port security
B. A captive portal can require those who want to connect to and use WiFi to provide an email address to connect. This allows Ben to provide easy-to-use wireless while meeting his business purposes. WPA2 PSK is the preshared key mode of WPA and won’t provide information about users who are given a key. Sharing a password doesn’t allow for data gathering either. Port security is designed to protect wired network ports based on MAC addresses.
10. Ben intends to run an open (unencrypted) wireless network. How should he connect his business devices?
A. Run WPA2 on the same SSID.
B. Set up a separate SSID using WPA2.
C. Run the open network in Enterprise mode.
D. Set up a separate wireless network using WEP.
B. Many modern wireless routers can provide multiple SSIDs. Ben can create a private, secure network for his business operations, but he will need to make sure that the customer and business networks are firewalled or otherwise logically separated from each other. Running WPA2 on the same SSID isn’t possible without creating another wireless network and would cause confusion for customers (SSIDs aren’t required to be unique). Running a network in Enterprise mode isn’t used for open networks, and WEP is outdated and incredibly vulnerable.
14. Sally has been tasked with deploying an authentication, authorization, and accounting server for wireless network services in her organization and needs to avoid using proprietary technology. What technology should she select? A. OAuth B. RADIUS C. XTACACS D. TACACS+
B. RADIUS is a common AAA technology used to provide services for dial-up, wireless networks, network devices, and a range of other systems. OAuth is an authentication protocol used to allow applications to act on a user’s behalf without sharing the password, and is used for many web applications. While both XTACACS and TACACS+ provide the functionality Sally is looking for, both are Cisco proprietary protocols.
16. Alice would like to have read permissions on an object and knows that Bob already has those rights and would like to give them to herself. Which one of the rules in the TakeGrant protection model would allow her to complete this operation if the relationship exists between Alice and Bob? A. Take rule B. Grant rule C. Create rule D. Remote rule
A. The take rule allows a subject to take the rights belonging to another object. If Alice has take rights on Bob, she can give herself the same permissions that Bob already possesses.
19. Kim is the system administrator for a small business network that is experiencing security problems. She is in the office in the evening working on the problem, and nobody else is there. As she is watching, she can see that systems on the other side of the office that were previously behaving normally are now exhibiting signs of infection. What type of malware is Kim likely dealing with? A. Virus B. Worm C. Trojan horse D. Logic bomb
B. Worms have built-in propagation mechanisms that do not require user interaction, such as scanning for systems containing known vulnerabilities and then exploiting those vulnerabilities to gain access. Viruses and Trojan horses typically require user interaction to spread. Logic bombs do not spread from system to system but lie in wait until certain conditions are met, triggering the delivery of their payload.
23. Jim is implementing an IDaaS solution for his organization. What type of technology is he putting in place? A. Identity as a service B. Employee ID as a service C. Intrusion detection as a service D. OAuth
A. Identity as a service (IDaaS) provides an identity platform as a third-party service. This can provide benefits, including integration with cloud services and removing overhead for maintenance of traditional on-premise identity systems, but can also create risk due to third-party control of identity services and reliance on an offsite identity infrastructure.
- Gina recently took the CISSP certification exam and then wrote a blog post that included the text of many of the exam questions that she experienced. What aspect of the (ISC)2 code of ethics is most directly violated in this situation?
A. Advance and protect the profession.
B. Act honorably, honestly, justly, responsibly, and legally.
C. Protect society, the common good, necessary public trust and confidence, and the infrastructure.
D. Provide diligent and competent service to principals.
A. Gina’s actions harm the CISSP certification and information security community by undermining the integrity of the examination process. While Gina also is acting dishonestly, the harm to the profession is more of a direct violation of the code of ethics. #what nonsense is this
25. Gordon is conducting a risk assessment for his organization and determined the amount of damage that flooding is expected to cause to his facilities each year. What metric has Gordon identified? A. ALE B. ARO C. SLE D. EF
A. The annualized loss expectancy is the amount of damage that the organization expects to occur each year as the result of a given risk.
30. Bob is configuring egress filtering on his network, examining traffic destined for the Internet. His organization uses the public address range 12.8.195.0/24. Packets with which one of the following destination addresses should Bob permit to leave the network? A. 12.8.195.15 B. 10.8.15.9 C. 192.168.109.55 D. 129.53.44.124
D. 129.53.44.124 is a valid public IP address and a legitimate destination for traffic leaving Bob’s network. 12.8.195.15 is a public address on Bob’s network and should not be a destination address on a packet leaving the network. 10.8.15.9 and 192.168.109.55 are both private IP addresses that should not be routed to the Internet. #baffling
- What problem drives the recommendation to physically destroy SSD drives to prevent data leaks when they are retired?
A. Degaussing only partially wipes the data on SSDs.
B. SSDs don’t have data remanence.
C. SSDs are unable to perform a zero fill.
D. The built-in erase commands are not completely effective on some SSDs.
D. Research has shown that traditional methods of sanitizing files on SSDs were not reliable. SSDs remap data sectors as part of wear leveling, and erase commands are not consistently effective across multiple SSD brands. Zero fills can be performed on SSDs but may not be effective, much like erase commands. Degaussing doesn’t work on SSDs because they are flash media, rather than magnetic media.
- How should samples (sampling) be generated when assessing account management practices?
A. They should be generated by administrators.
B. The last 180 days of accounts should be validated.
C. Sampling should be conducted randomly.
D. Sampling is not effective, and all accounts should be audited.
C. Sampling should be done randomly to avoid human bias. Choosing a time frame may miss historic issues or only account for the current administrator’s processes. Sampling is an effective process if it is done on a truly random sample of sufficient size to provide effective coverage of the userbase.
- The EU-U.S. Privacy Shield Framework relies on seven principles. Which of the following correctly lists all seven?
A. Awareness, selection, control, security, data integrity, access, recourse and enforcement
B. Notice, choice, accountability for onward transfer, security, data integrity and purpose limitation, access, recourse and enforcement
C. Privacy, security, control, notification, data integrity and purpose, access, enforcement
D. Submission, editing, updates, confidential, integrity, security, access
B. The EU-U.S. Privacy Shield principles are:
■ Notice
■ Choice
■ Accountability for Onward Transfer
■ Security
■ Data Integrity and Purpose Limitation
■ Access
■ Recourse, Enforcement, and Liability
38. Alex works for the United States (U.S.) federal government and is required to ensure that the devices and components he acquires are not compromised. What program will he participate in to help ensure this? A. TEMPEST B. Trusted foundry C. GovBuy D. MITRE
B. The US Trusted Foundry program helps to protect the supply chain for components and devices by ensuring that the companies that produce and supply them are secure. TEMPEST is the name of a program aimed at capturing data from electronic emissions, GovBuy is not a government program or supplier, and MITRE conducts research and development for the US government.
- When a user attempts to log into their online account, Google sends a text message with a code to their cell phone. What type of verification is this?
A. Knowledge-based authentication
B. Dynamic knowledge–based authentication
C. Out-of-band identity proofing
D. Risk-based identity proofing
C. Identity proofing that relies on a type of verification outside the initial environment that required the verification is out-of-band identity proofing. This type of verification relies on the owner of the phone or phone number having control of it but removes the ability for attackers to use only Internet-based resources to compromise an account. Knowledge-based authentication relies on answers to preselected information, whereas dynamic knowledge–based authentication builds questions using facts or data about the user. Risk-based identity proofing uses risk-based metrics to determine whether identities should be permitted or denied access. It is used to limit fraud in financial transactions, such as credit card purchases. This is a valid form of proofing but does not necessarily use an out-of-band channel, such as SMS. #ref
43. If Ben needs to share identity information with the business partner shown, what should he investigate? A. Single sign-on B. Multifactor authentication C. Federation D. IDaaS
C. Federation links identity information between multiple organizations. Federating with a business partner can allow identification and authorization to occur between them, making integration much easier. Single sign-on would reduce the number of times a user has to log in but will not facilitate the sharing of identity information. Multifactor can help secure authentication, but again doesn’t help integrate with a third party. Finally, an identity as a service provider might provide federation but doesn’t guarantee it.
44. What technology is likely to be involved when Ben’s organization needs to provide authentication and authorization assertions to their cloud e-commerce application? A. Active Directory B. SAML C. RADIUS D. SPML
B. Security Assertion Markup Language (SAML) is frequently used to integrate cloud services and provides the ability to make authentication and authorization assertions. Active Directory integrations are possible but are less common for cloud service providers, and RADIUS is not typically used for integrations like this. Service Provisioning Markup Language (SPML) is used to provision users, resources, and services, not for authentication and authorization.
48. Match the following lettered factors to their numbered type:
Factors
A. A PIN
B. A token
C. A fingerprint
D. A password
E. A smart card
Types
1. Type 1 => Something you know
2. Type 2 => Something you have
3. Type 3 => Something you are
4. Type 4 => Somewhere you are
(Type 5 => Something you do)
Answer: 1, 2, 3, 1, 2 (A=1, B=2, C=3, D=1, E=2) #ref
53. What principle states that an individual should make every effort to complete his or her responsibilities in an accurate and timely manner? A. Least privilege B. Separation of duties C. Due care D. Due diligence
D. The due care principle states that an individual should react in a situation using the same level of care that would be expected from any reasonable person. It is a very broad standard. The due diligence principle is a more specific component of due care that states that an individual assigned a responsibility should exercise due care to complete it accurately and in a timely manner.
57. Data is sent as bits at what layer of the OSI model? A. Transport B. Network C. Data Link D. Physical
D. The Physical layer deals with the electrical impulses or optical pulses that are sent as bits to convey data.
59. When Ben records data and then replays it against his test website to verify how it performs based on a real production workload, what type of performance monitoring is he undertaking? A. Passive B. Proactive #active C. Reactive D. Replay
B. Proactive monitoring, aka synthetic monitoring, uses recorded or generated traffic to test systems and software. Passive monitoring uses a network span, tap, or other device to capture traffic to be analyzed. Reactive and replay are not industry terms for types of monitoring.
- Alan is considering the use of new identification cards in his organization that will be used for physical access control. He comes across a sample card and is unsure of the technology. He breaks it open and sees the following internal construction. What type of card is this?
A. Smart card
B. Proximity card #proximity card
C. Magnetic stripe
D. Phase-two card
B. The use of an electromagnetic coil inside the card indicates that this is a proximity card.
62. Mark is planning a disaster recovery test for his organization. He would like to perform a live test of the disaster recovery facility but does not want to disrupt operations at the primary facility. What type of test should Mark choose? A. Full interruption test B. Checklist review C. Parallel test D. Tabletop exercise
C. During a parallel test, the team actually activates the disaster recovery site for testing, but the primary site remains operational. During a full interruption test, the team takes down the primary site and confirms that the disaster recovery site is capable of handling regular operations. The full interruption test is the most thorough test but also the most disruptive. The checklist review is the least disruptive type of disaster recovery test. During a checklist review, team members each review the contents of their disaster recovery checklists on their own and suggest any necessary changes. During a tabletop exercise, team members come together and walk through a scenario without making any changes to information systems.
- During a security audit, Susan discovers that the organization is using hand geometry scanners as the access control mechanism for their secure data center. What recommendation should Susan make about the use of hand geometry scanners?
A. They have a high FRR and should be replaced.
B. A second factor should be added because they are not a good way to reliably distinguish individuals.
C. The hand geometry scanners provide appropriate security for the data center and should be considered for other high-security areas.
D. They may create accessibility concerns, and an alternate biometric system should be considered.
B. Hand geometry scanners assess the physical dimensions of an individual’s hand but do not verify other unique factors about the individual, or even verify if they are alive. This means that hand geometry scanners should not be implemented as the sole authentication factor for secure environments. Hand geometry scanners do not have an abnormally high FRR and do not stand out as a particular issue from an accessibility standpoint compared to other biometric systems. #you could also kill someone and use their hand (fair point...)
68. What term best describes an attack that relies on stolen or falsified authentication credentials to bypass an authentication mechanism? A. Spoofing B. Replay C. Masquerading #disguise D. Modification
C. Masquerading (or impersonation #imitation) attacks use stolen or falsified credentials to bypass authentication mechanisms. Spoofing attacks rely on falsifying an identity like an IP address or hostname without credentials. Replay attacks are a more specific type of masquerading attack that relies on captured network traffic to reestablish authorized connections. Modification attacks occur when captured packets are modified and replayed to a system to attempt to perform an action.
70. Owen recently designed a security access control structure that prevents a single user from simultaneously holding the role required to create a new vendor and the role required to issue a check. What principle is Owen enforcing? A. Two-person control B. Least privilege C. Separation of duties D. Job rotation
C. This scenario describes separation of duties: not allowing the same person to hold two roles that, when combined, are sensitive. While two-person control is a similar concept, it does not apply in this case because the scenario does not say that either action requires the concurrence of two users. #so tricky...
71. Denise is preparing for a trial relating to a contract dispute between her company and a software vendor. The vendor is claiming that Denise made a verbal agreement that amended their written contract. What rule of evidence should Denise raise in her defense? A. Real evidence rule B. Best evidence rule C. Parol evidence rule #oral evidence D. Testimonial evidence rule
C. The parol evidence rule states that when an agreement between two parties is put into written form, it is assumed to be the entire agreement unless amended in writing. The best evidence rule says that a copy of a document is not admissible if the original document is available. Real evidence and testimonial evidence are evidence types, not rules of evidence.
- Which of the following statements about SSAE-18 is not true?
A. It mandates a specific control set.
B. It is an attestation standard.
C. It is used for external audits.
D. It uses a framework, including SOC 1, SOC 2, and SOC 3 reports.
A. SSAE-18 does not assert specific controls. Instead, it reviews the use and application of controls in an audited organization. It is an attestation standard, used for external audits, and forms part of the underlying framework for SOC 1, 2, and 3 reports. #the others are all true
77. What type of fire extinguisher is useful against liquid-based fires? A. Class A B. Class B C. Class C D. Class D
B. Class B fire extinguishers use carbon dioxide, halon, or soda acid as their suppression material and are useful against liquid-based fires. Water may not be used against liquid-based fires because it may cause the burning liquid to splash, and many burning liquids, such as oil, will float on water. #ref
78. The company Chris works for has notifications posted at each door reminding employees to be careful to not allow people to enter when they do. Which type of controls best describes this? A. Detective B. Physical C. Preventive D. Directive
D. Notifications and procedures like the signs posted at the company Chris works for are examples of directive access controls. Detective controls are designed to operate after the fact. The doors and the locks on them are examples of physical controls. Preventive controls are designed to stop an event, and could also include the locks that are present on the doors.
79. Which one of the following principles is not included in the seven EU-U.S. Privacy Shield provisions? A. Access B. Security C. Recourse D. Nonrepudiation
D. The seven principles that the EU-U.S. Privacy Shield spell out for handling personal information are notice, choice, accountability for onward transfer, security, data integrity and purpose limitation, access, and recourse, enforcement, and liability.
- Alex is the system owner for the HR system at a major university. According to NIST SP 800-18, what action should he take when a significant change occurs in the system?
A. He should develop a data confidentiality plan.
B. He should update the system security plan.
C. He should classify the data the system contains.
D. He should select custodians to handle day-to-day operational tasks.
B. According to NIST SP 800-18, a system owner should update the system security plan when the system they are responsible for undergoes a significant change. Classification, selection of custodians, and designing ways to protect data confidentiality might occur if new data was added but should have already been done otherwise.
For questions 82–84, please refer to the following scenario:
Alex has been with the university he works at for over 10 years. During that time, he has been a system administrator and a database administrator, and he has worked in the university’s help desk. He is now a manager for the team that runs the university’s web applications.
Using the provisioning diagram shown here, answer the following questions.
82. If Alex hires a new employee and the employee’s account is provisioned after HR manually inputs information into the provisioning system based on data Alex provides via a series of forms, what type of provisioning has occurred?
A. Discretionary account provisioning
B. Workflow-based account provisioning
C. Automated account provisioning
D. Self-service account provisioning
B. Provisioning that occurs through an established workflow, such as through an HR process, is workflow-based account provisioning. If Alex had set up accounts for his new hire on the systems he manages, he would have been using discretionary account provisioning. If the provisioning system allowed the new hire to sign up for an account on their own, they would have used self-service account provisioning, and if there was a central, software-driven process, rather than HR forms, it would have been automated account provisioning.
83. Alex has access to B, C, and D. What concern should he raise to the university’s identity management team?
A. The provisioning process did not give him the rights he needs.
B. He has excessive privileges.
C. Privilege creep may be taking place.
D. Logging is not properly enabled.
C. As Alex has changed roles, he retained access to systems that he no longer administers. The provisioning system has provided rights to workstations and the application servers he manages, but he should not have access to the databases he no longer administers. Privilege levels are not specified, so we can’t determine if he has excessive rights. Logging may or may not be enabled, but it isn’t possible to tell from the diagram or problem.
87. During what phase of the electronic discovery reference model does an organization ensure that potentially discoverable information is protected against alteration or deletion?
A. Identification
B. Preservation
C. Collection
D. Production
B. During the preservation phase, the organization ensures that information related to the matter at hand is protected against intentional or unintentional alteration or deletion. The identification phase locates relevant information but does not preserve it. The collection phase occurs after preservation and gathers responsive information. The processing phase performs a rough cut of the collected information for relevance.#AIOp245
90. What is the process that occurs when the Session layer removes the header from data sent by the Transport layer? A. Encapsulation B. Packet unwrapping C. De-encapsulation D. Payloading
C. The process of removing a header (and possibly a footer) from the data received from a previous layer in the OSI model is known as de-encapsulation. Encapsulation occurs when the header and/or footer are added. Payloads are part of a virus or malware package that are delivered to a target, and packet unwrapping is a made-up term.
94. MAC models use three types of environments. Which of the following is not a mandatory access control design? A. Hierarchical B. Bracketed C. Compartmentalized D. Hybrid
B. Mandatory access control systems can be hierarchical, where each domain is ordered and related to other domains above and below it; compartmentalized, where there is no relationship between each domain; or hybrid, where both hierarchy and compartments are used. There is no concept of bracketing in mandatory access control design.#AIOp836
95. What level of RAID is also called disk striping with parity? A. RAID 0 B. RAID 1 C. RAID 5 D. RAID 10
C. RAID level 5 is also known as disk striping with parity. RAID 0 is called disk striping. RAID 1 is called disk mirroring. RAID 10 is known as a stripe of mirrors.
96. Sally is wiring a gigabit Ethernet network. What cabling choices should she make to ensure she can use her network at the full 1000 Mbps she wants to provide to her users? A. Cat 5 and Cat 6 B. Cat 5e and Cat 6 C. Cat 4e and Cat 5e D. Cat 6 and Cat 7
B. Category 5e and Category 6 UTP cable are both rated to 1000 Mbps. Cat 5 (not Cat 5e) is only rated to 100 Mbps, whereas Cat 7 is rated to 10 Gbps. There is no Cat 4e.
101. What type of fuzzing is known as intelligent fuzzing? A. Zzuf B. Mutation C. Generational D. Code based
C. Generational fuzzing is also known as intelligent fuzzing because it relies on the development of data models using an understanding of how the data is used by the program. zzuf is a fuzzing program. Mutation simply modifies the inputs each time, and code based is not a description used for a type of fuzzing.
102. Matthew is experiencing issues with the quality of network service on his organization’s network. The primary symptom is that packets are occasionally taking too long to travel from their source to their destination. The length of this delay changes for individual packets. What term describes the issue Matthew is facing? A. Latency B. Jitter C. Packet loss D. Interference
B. Latency is a delay in the delivery of packets from their source to their destination. Jitter is a variation in the latency for different packets. Packet loss is the disappearance of packets in transit that requires retransmission. Interference is electrical noise or other disruptions that corrupt the contents of packets.
103. Which of the following multifactor authentication technologies provides both low management overhead and flexibility? A. Biometrics B. Software tokens C. Synchronous hardware tokens D. Asynchronous hardware tokens
B. Software tokens are flexible, with delivery options including mobile applications, SMS, and phone delivery. They have a relatively low administrative overhead, as users can typically self-manage. Biometrics require significant effort to register users and to deploy and maintain infrastructure, and require hardware at each authentication location. Both types of hardware tokens can require additional overhead for distribution and maintenance, and token failure can cause support challenges.
104. What type of testing would validate support for all the web browsers that are supported by a web application? A. Regression testing B. Interface testing C. Fuzzing D. White box testing
B. Web applications communicate with web browsers via an interface, making interface testing the best answer here. Regression testing might be used as part of the interface test but is too specific to be the best answer. Similarly, the test might be a white box, or full knowledge test, but interface testing better describes this specific example. Fuzzing is less likely as part of a browser compatibility test, as it tests unexpected inputs, rather than functionality.
106. Alan is installing a fire suppression system that will kick in after a fire breaks out and protect the equipment in the data center from extensive damage. What metric is Alan attempting to lower? A. Likelihood B. RTO C. RPO D. Impact
D. Fire suppression systems do not stop a fire from occurring but do reduce the damage that fires cause. This is an example of reducing risk by lowering the impact of an event.
108. Ben wants to interface with the National Vulnerability Database using a standardized protocol. What option should he use to ensure that the tools he builds work with the data contained in the NVD? A. XACML B. SCML C. VSML D. SCAP
D. The Security Content Automation Protocol (SCAP) is a suite of specifications used to handle vulnerability and security configuration information. The National Vulnerability Database provided by NIST uses SCAP. XACML is the eXtensible Access Control Markup Language, an OASIS standard used for access control decisions, and neither VSML nor SCML are industry terms.#SCAP
- Norm is starting a new software project with a vendor that uses an SDLC approach to development. When he arrives on the job, he receives a document that has the sections shown here. What type of planning document is this?
A. Functional requirements
B. Work breakdown structure
C. Test analysis report
D. Project plan
B. The work breakdown structure (WBS) is an important project management tool that divides the work done for a large project into smaller components. It is not a project plan because it does not describe timing or resources. Test analyses are used during later phases of the development effort to report test results. Functional requirements may be included in a work breakdown structure, but they are not the full WBS.
112. Kolin is searching for a network security solution that will allow him to help reduce zero-day attacks while using identities to enforce a security policy on systems before they connect to the network. What type of solution should Kolin implement? A. A firewall B. A NAC system C. An intrusion detection system D. Port security
B. Network Access Control (NAC) systems can be used to authenticate users and then validate their system’s compliance with a security standard before they are allowed to connect to the network. Enforcing security profiles can help reduce zero-day attacks, making NAC a useful solution. A firewall can’t enforce system security policies, whereas an IDS can only monitor for attacks and alarm when they happen. Thus, neither a firewall nor an IDS meets Kolin’s needs. Finally, port security is a MAC address–based security feature that can only restrict which systems or devices can connect to a given port.
114. Which of the following is not a type of structural coverage in a code review process? A. Statement B. Trace C. Loop D. Data flow
B. Trace coverage is not a type of structural coverage. Common types of structural coverage include statement, branch or decision coverage, loop coverage, path coverage, and data flow coverage.
For questions 116–118, please refer to the following scenario:
During a web application vulnerability scanning test, Steve runs Nikto against a web server he believes may be vulnerable to attacks. Using the Nikto output shown here, answer the following questions.
- Why does Nikto flag the /test directory?
A. The /test directory allows administrative access to PHP.
B. It is used to store sensitive data.
C. Test directories often contain scripts that can be misused.
D. It indicates a potential compromise.
C. Test directories often include scripts that may have poor protections or may have other data that can be misused. There is not a default test directory that allows administrative access to PHP. Test directories are not commonly used to store sensitive data, nor is the existence of a test directory a common indicator of compromise. #Test directories often contain scripts that may be poorly protected or that contain other data that could be misused. There is no default test directory that grants administrative access to PHP. Test directories are not commonly used to store sensitive data, and the existence of a test directory is not a common indicator of compromise.
118. Nikto lists OSVDB-877, noting that the system may be vulnerable to XST. What would this type of attack allow an attacker to do?
A. Use cross-site targeting.
B. Steal a user’s cookies.
C. Counter SQL tracing.
D. Modify a user’s TRACE information.
B. Cross-site tracing (XST) leverages the HTTP TRACE or TRACK methods and could be used to steal a user’s cookies via cross-site scripting (XSS). The other options are not industry terms for web application or web server attacks or vulnerabilities. #An old bug; just memorize it. Either way, it steals cookies.
123. Alice wants to send Bob a message with the confidence that Bob will know the message was not altered while in transit. What goal of cryptography is Alice trying to achieve? A. Confidentiality B. Nonrepudiation C. Authentication D. Integrity
D. Integrity ensures that unauthorized changes are not made to data while stored or in transit.
2. Fred needs to deploy a network device that can connect his network to other networks while controlling traffic on his network. What type of device is Fred’s best choice? A. A switch B. A bridge C. A gateway D. A router
D. Fred should choose a router. Routers are designed to control traffic on a network while connecting to other similar networks. If the networks are very different, a bridge can help connect them. Gateways are used to connect to networks that use other protocols by transforming traffic to the appropriate protocol or format as it passes through them. Switches are often used to create broadcast domains and to connect endpoint systems or other devices.
- Jim has been asked to individually identify devices that users are bringing to work as part of a new BYOD policy. The devices will not be joined to a central management system like Active Directory, but he still needs to uniquely identify the systems. Which of the following options will provide Jim with the best means of reliably identifying each unique device?
A. Record the MAC address of each system.
B. Require users to fill out a form to register each system
C. Scan each system using a port scanner.
D. Use device fingerprinting via a web-based registration system.
D. Device fingerprinting via a web portal can require user authentication and can gather data like operating systems, versions, software information, and many other factors that can uniquely identify systems. Using an automated fingerprinting system is preferable to handling manual registration, and pairing user authentication with data gathering provides more detail than a port scan. MAC addresses can be spoofed, and systems may have more than one depending on how many network interfaces they have, which can make unique identification challenging.
7. David works in an organization that uses a formal data governance program. He is consulting with an employee working on a project that created an entirely new class of data and wants to work with the appropriate individual to assign a classification level to that information. Who is responsible for the assignment of information to a classification level? A. Data creator B. Data owner C. CISO D. Data custodian
B. The data owner is normally responsible for classifying information at an appropriate level. This role is typically filled by a senior manager or director, who then delegates operational responsibility to a data custodian.
8. What type of inbound packet is characteristic of a ping flood attack? A. ICMP echo request B. ICMP echo reply C. ICMP destination unreachable D. ICMP route changed
A. The ping flood attack sends echo requests at a targeted system. These pings use inbound ICMP echo request packets, causing the system to respond with an outbound ICMP echo reply.
11. Susan is preparing to decommission her organization’s archival DVD-ROMs that contain Top Secret data. How should she ensure that the data cannot be exposed? A. Degauss B. Zero wipe C. Pulverize D. Secure erase
C. The best way to ensure that data on DVDs is fully gone is to destroy them, and pulverizing DVDs is an appropriate means of destruction. DVD-ROMs are write-only media, meaning that secure erase and zero wipes won’t work. Degaussing only works on magnetic media and cannot guarantee that there will be zero data remanence.
- Angie is configuring egress monitoring on her network to provide added security. Which one of the following packet types should Angie allow to leave the network headed for the Internet? #tests your English reading
A. Packets with a source address from Angie’s public IP address block
B. Packets with a destination address from Angie’s public IP address block
C. Packets with a source address outside Angie’s address block
D. Packets with a source address from Angie’s private address block
A. All packets leaving Angie’s network should have a source address from her public IP address block. Packets with a destination address from Angie’s network should not be leaving the network. Packets with source addresses from other networks are likely spoofed and should be blocked by egress filters. Packets with private IP addresses as sources or destinations should never be routed onto the Internet.
15. Theresa is implementing a new access control system and wants to ensure that developers do not have the ability to move code from development systems into the production environment. What information security principle is she most directly enforcing? A. Separation of duties B. Two-person control C. Least privilege D. Job rotation
A. While developers may feel like they have a business need to be able to move code into production, the principle of separation of duties dictates that they should not have the ability to both write code and place it on a production server. The deployment of code is often performed by change management staff.
18. What RADIUS alternative is commonly used for Cisco network gear and supports two factor authentication? A. RADIUS+ B. TACACS+ C. XTACACS D. Kerberos
B. TACACS+ is the most modern version of TACACS, the Terminal Access Controller Access-Control System. It is a Cisco proprietary protocol with added features beyond what RADIUS provides, meaning it is commonly used on Cisco networks. XTACACS is an earlier version, Kerberos is a network authentication protocol rather than a remote user authentication protocol, and RADIUS+ is a made-up term.
19. What two types of attacks are VoIP call managers and VoIP phones most likely to be susceptible to? A. DoS and malware B. Worms and Trojans C. DoS and host OS attacks D. Host OS attacks and buffer overflows
C. Call managers and VoIP phones can be thought of as servers or appliances and embedded or network devices. That means that the most likely threats that they will face are denial of service (DoS) attacks and attacks against the host operating system. Malware and Trojans are less likely to be effective against a server or embedded system that doesn’t browse the Internet or exchange data files; buffer overflows are usually aimed at specific applications or services.
26. What type of error occurs when a valid subject using a biometric authenticator is not authenticated? A. A Type 1 error B. A Type 2 error C. A Type 3 error D. A Type 4 error
A. Type 1 errors occur when a valid subject is not authenticated. Type 2 errors occur when an invalid subject is incorrectly authenticated. Type 3 and Type 4 errors are not associated with biometric authentication.
- Jackie is creating a database that contains the Customers table, shown here. She is designing a new table to contain Orders and plans to use the Company ID in that table to uniquely identify the customer associated with each order. What role does the Company ID field play in the Orders table?
A. Primary key
B. Foreign key
C. Candidate key
D. Referential key
B. The Company ID is a field used to identify the corresponding record in another table.
This makes it a foreign key. Each customer may place more than one order, making Company ID unsuitable for use as a primary or candidate key in this table. Referential keys are not a type of database key.
- What three types of interfaces are typically tested during software testing?
A. Network, physical, and application interfaces
B. APIs, UIs, and physical interfaces
C. Network interfaces, APIs, and UIs
D. Application, programmatic, and user interfaces
B. Application programming interfaces (APIs), user interfaces (UIs), and physical interfaces are all tested during the software testing process. Network interfaces are not typically tested, and programmatic interfaces is another term for APIs.
29. George is assisting a prosecutor with a case against a hacker who attempted to break into the computer systems at George’s company. He provides system logs to the prosecutor for use as evidence, but the prosecutor insists that George testify in court about how he gathered the logs. What rule of evidence requires George’s testimony? A. Testimonial evidence rule B. Parol evidence rule C. Best evidence rule D. Hearsay rule
D. The hearsay rule says that a witness cannot testify about what someone else told them, except under very specific exceptions. The courts have applied the hearsay rule to include the concept that attorneys may not introduce logs into evidence unless they are authenticated by the system administrator. The best evidence rule states that copies of documents may not be submitted into evidence if the originals are available. The parol evidence rule states that if two parties enter into a written agreement, that written document is assumed to contain all of the terms of the agreement. Testimonial evidence is a type of evidence, not a rule of evidence.
- Which of the following is not a valid use for key risk indicators?
A. Provide warnings before issues occur.
B. Provide real-time incident response information.
C. Provide historical views of past risks.
D. Provide insight into risk tolerance for the organization.
B. While key risk indicators can provide useful information for organizational planning and a deeper understanding of how organizations view risk, KRIs are not a great way to handle a real-time security response. Monitoring and detection systems like IPS, SIEM, and other tools are better suited to handling actual attacks.
32. Don’s company is considering the use of an object-based storage system where data is placed in a vendor-managed storage environment through the use of API calls. What type of cloud computing service is in use? A. IaaS B. PaaS C. CaaS D. SaaS
A. In this scenario, the vendor is providing object-based storage, a core infrastructure service. Therefore, this is an example of infrastructure as a service (IaaS).
35. Harry is concerned that accountants within his organization will use data diddling attacks to cover up fraudulent activity in accounts that they normally access. Which one of the following controls would best defend against this type of attack? A. Encryption B. Access controls C. Integrity verification D. Firewalls
C. Encryption, access controls, and firewalls would not be effective in this example because the accountants have legitimate access to the data. Integrity verification software would protect against this attack by identifying unexpected changes in protected data.
- What important factor differentiates Frame Relay from X.25?
A. Frame Relay supports multiple PVCs over a single WAN carrier connection.
B. Frame Relay is a cell switching technology instead of a packet switching technology like X.25.
C. Frame Relay does not provide a Committed Information Rate (CIR).
D. Frame Relay only requires a DTE on the provider side.
A. Frame Relay supports multiple private virtual circuits (PVCs), unlike X.25. It is a packet switching technology that provides a Committed Information Rate, which is a minimum bandwidth guarantee provided by the service provider to customers. Finally, Frame Relay requires a DTE/DCE at each connection point, with the DTE providing access to the Frame Relay network, and a provider-supplied DCE that transmits the data over the network. #Frame relay and X.25 are packet-switched WAN technologies that use virtual circuits instead of dedicated ones
- When Susan requests a SOC 2 report, she receives a SAS 70 report. What issue should Susan raise?
A. SAS 70 does not include Type 2 reports, so control evaluation is only point in time.
B. SAS 70 has been replaced.
C. SAS 70 is a financial reporting standard and does not cover data centers.
D. SAS 70 only uses a 3-month period for testing.
B. SAS 70 was superseded in 2010 by the SSAE 16 standard with three SOC levels for reporting. SAS 70 included Type 2 reports, covered data centers, and used 6-month testing periods for Type 2 reports.
43. Martha is the information security officer for a small college and is responsible for safeguarding the privacy of student records. What law most directly applies to her situation? A. HIPAA B. HITECH C. COPPA D. FERPA
D. The Family Educational Rights and Privacy Act (FERPA) protects the privacy of students in any educational institution that accepts any form of federal funding.
45. Which one of the following techniques can an attacker use to exploit a TOC/TOU vulnerability? A. File locking B. Exception handling C. Algorithmic complexity D. Concurrency control
C. Attackers may use algorithmic complexity as a tool to exploit a TOC/TOU race condition. By varying the workload on the CPU, attackers may exploit the amount of time required to process requests and use that variance to effectively schedule the exploit’s execution. File locking, exception handling, and concurrency controls are all methods used to defend against TOC/TOU attacks.
46. Susan is configuring her network devices to use syslog. What should she set to ensure that she is notified about issues but does not receive normal operational issue messages? A. The facility code B. The log priority C. The security level D. The severity level
D. Implementations of syslog vary, but most provide a setting for severity level, allowing configuration of a value that determines what messages are sent. Typical severity levels include debug, informational, notice, warning, error, critical, alert, and emergency. The facility code is also supported by syslog, but is associated with which services are being logged. Security level and log priority are not typical syslog settings.
- What type of firewall uses multiple proxy servers that filter traffic based on analysis of the protocols used for each service?
A. A static packet filtering firewall
B. An application-level gateway firewall
C. A circuit-level gateway firewall
D. A stateful inspection firewall
B. An application-level gateway firewall uses proxies for each service it filters. Each proxy is designed to analyze traffic for its specific traffic type, allowing it to better understand valid traffic and to prevent attacks. Static packet filters and circuit-level gateways simply look at the source, destination, and ports in use, whereas a stateful packet inspection firewall can track the status of communication and allow or deny traffic based on that understanding.
49. Surveys, interviews, and audits are all examples of ways to measure what important part of an organization’s security posture? A. Code quality B. Service vulnerabilities C. Awareness D. Attack surface
C. Interviews, surveys, and audits are all useful for assessing awareness. Code quality is best judged by code review, service vulnerabilities are tested using vulnerability scanners and related tools, and the attack surface of an organization requires both technical and administrative review.
50. Tom is the general counsel for an Internet service provider, and he recently received notice of a lawsuit against the firm because of copyrighted content illegally transmitted over the provider’s circuits by a customer. What law protects Tom’s company in this case? A. Computer Fraud and Abuse Act B. Digital Millennium Copyright Act C. Wiretap Act D. Copyright Code
B. The Digital Millennium Copyright Act extends common carrier protection to Internet service providers, who are not liable for the “transitory activities” of their customers.
51. A Type 2 authentication factor that generates dynamic passwords based on a time- or algorithm-based system is what type of authenticator? A. A PIV B. A smart card C. A token D. A CAC
C. Tokens are hardware devices (something you have) that generate a onetime password based on time or an algorithm. They are typically combined with another factor like a password to authenticate users. CAC and PIV cards are US government–issued smartcards.
52. Fred’s new employer has hired him for a position with access to their trade secrets and confidential internal data. What legal tool should they use to help protect their data if he chooses to leave to work at a competitor? A. A stop-loss order B. An NDA C. An AUP D. Encryption
B. A nondisclosure agreement (NDA) is a legal agreement between two parties that specifies what data they will not disclose. NDAs are common in industries that have sensitive or trade secret information they do not want employees to take to new jobs. Encryption would only help in transit or at rest, and Fred will likely have access to the data in unencrypted form as part of his job. An AUP is an acceptable use policy, and a stop-loss order is used on the stock market.
53. Which one of the following computing models allows the execution of multiple processes on a single processor by having the operating system switch between them without requiring modification to the applications? #multiple processes on a single processor A. Multitasking B. Multiprocessing C. Multiprogramming D. Multithreading
A. Multitasking handles multiple processes on a single processor by switching between them using the operating system. #Running multiple processes on one processor is called multitasking.
Multiprocessing uses multiple processors to perform multiple processes simultaneously. #Running multiple processes simultaneously on multiple processors is called multiprocessing.
Multiprogramming requires modifications to the underlying applications.
Multithreading runs multiple threads within a single process. #Running multiple threads within one process is called multithreading.
#AIO:Many resources state that today’s operating systems provide multiprogramming and multitasking. This is true, in that multiprogramming just means more than one application can be loaded into memory at the same time. But in reality, multiprogramming was replaced by multitasking, which means more than one application can be in memory at the same time and the operating system can deal with requests from these different applications simultaneously. Multiprogramming is a legacy term.
55. What activity is being performed when you apply security controls based on the specific needs of the IT system that they will be applied to? A. Standardizing B. Baselining C. Scoping D. Tailoring
C. Scoping is the process of reviewing and selecting security controls based on the system that they will be applied to. Tailoring is the process of matching a list of security controls to the mission of an organization. Baselines are used as a base set of security controls, often from a third-party organization that creates them. Standardization isn’t a relevant term here.
56. During what phase of the electronic discovery process does an organization perform a rough cut of the information gathered to discard irrelevant information? A. Preservation B. Identification C. Collection D. Processing
D. During the preservation phase, the organization ensures that information related to the matter at hand is protected against intentional or unintentional alteration or deletion.
The identification phase locates relevant information but does not preserve it.
The collection phase occurs after preservation and gathers responsive information.
The processing phase performs a rough cut of the collected information for relevance.
#Electronic discovery (e-discovery) is the process of producing for a court or external attorney all electronically stored information (ESI) pertinent to a legal proceeding.
57. Ben’s job is to ensure that data is labeled with the appropriate sensitivity label. Since Ben works for the US government, he has to apply the labels Unclassified, Confidential, Secret, and Top Secret to systems and media. If Ben is asked to label a system that handles Secret, Confidential, and Unclassified information, how should he label it? A. Mixed classification B. Confidential C. Top Secret D. Secret
D. Systems and media should be labeled with the highest level of sensitivity that they store or handle. In this case, based on the US government classification scheme, the highest classification level in use on the system is Secret. Mixed classification provides no useful information about the level, whereas Top Secret and Confidential are too high and too low, respectively.
58. Susan has discovered that the smart card-based locks used to keep the facility she works at secure are not effective because staff members are propping the doors open. She places signs on the doors reminding staff that leaving the door open creates a security issue, and she adds alarms that will sound if the doors are left open for more than five minutes. What type of controls has she put into place? A. Physical B. Administrative C. Compensation D. Recovery
C. She has placed compensation controls in place. Compensation controls are used when controls like the locks in this example are not sufficient. While the alarm is a physical control, the signs she posted are not. Similarly, the alarms are not administrative controls. None of these controls help to recover from an issue and are thus not recovery controls.
- Ben is concerned about password cracking attacks against his system. He would like to implement controls that prevent an attacker who has obtained those hashes from easily cracking them. What two controls would best meet this objective?
A. Longer passwords and salting
B. Over-the-wire encryption and use of SHA1 instead of MD5
C. Salting and use of MD5
D. Using shadow passwords and salting
A. Rainbow tables rely on being able to use databases of precomputed hashes to quickly search for matches to known hashes acquired by an attacker. Making passwords longer can greatly increase the size of the rainbow table required to find the matching hash, and adding a salt to the password will make it nearly impossible for the attacker to generate a table that will match unless they can acquire the salt value. MD5 and SHA1 are both poor choices for password hashing compared to modern password hashes, which are designed to make hashing easy and recovery difficult. Rainbow tables are often used against lists of hashes acquired by attacks rather than over-the-wire attacks, so over-the-wire encryption is not particularly useful here. Shadow passwords simply make the traditionally world-readable list of password hashes on Unix and Linux systems available in a location readable only by root. This doesn’t prevent a rainbow table attack once the hashes are obtained.
- Which group is best suited to evaluate and report on the effectiveness of administrative controls an organization has put in place to a third party?
A. Internal auditors
B. Penetration testers
C. External auditors
D. Employees who design, implement, and monitor the controls
C. External auditors can provide an unbiased and impartial view of an organization’s controls to third parties. Internal auditors are useful when reporting to senior management of the organization but are typically not asked to report to third parties. Penetration tests test technical controls but are not as well suited to testing many administrative controls. The employees who build and maintain controls are more likely to bring a bias to the testing of those controls and should not be asked to report on them to third parties.
61. Renee is using encryption to safeguard sensitive business secrets when in transit over the Internet. What risk metric is she attempting to lower? A. Likelihood B. RTO C. MTO D. Impact
A. Using encryption reduces risk by lowering the likelihood that an eavesdropper will be able to gain access to sensitive information.
65. Which one of the following intellectual property protection mechanisms has the shortest duration? A. Copyright B. Patent C. Trademark D. Trade secret
B. Patents have the shortest duration of the techniques listed: 20 years. Copyrights last for 70 years beyond the death of the author. Trademarks are renewable indefinitely and trade secrets are protected as long as they remain secret.
- Gordon is developing a business continuity plan for a manufacturing company’s IT operations. The company is located in North Dakota and currently evaluating the risk of earthquake. They choose to pursue a risk acceptance strategy. Which one of the following actions is consistent with that strategy?
A. Purchasing earthquake insurance
B. Relocating the data center to a safer area
C. Documenting the decision-making process
D. Reengineering the facility to withstand the shock of an earthquake
C. In a risk acceptance strategy, the organization chooses to take no action other than documenting the risk. Purchasing insurance would be an example of risk transference. Relocating the data center would be risk avoidance. Reengineering the facility is an example of a risk mitigation strategy.
67. Carol would like to implement a control that protects her organization from the momentary loss of power to the data center. Which control is most appropriate for her needs? A. Redundant servers B. RAID C. UPS D. Generator
C. Uninterruptible power supplies (UPSs) provide immediate, battery-driven power for a short period of time to cover momentary losses of power. Generators are capable of providing backup power for a sustained period of time in the event of a power loss, but they take time to activate. RAID and redundant servers are high-availability controls but do not cover power loss scenarios.
70. The removal of a hard drive from a PC before it is retired and sold as surplus is an example of what type of action? A. Purging B. Sanitization C. Degaussing D. Destruction
B. Sanitization includes steps like removing the hard drive and other local storage from PCs before they are sold as surplus.
Degaussing uses magnetic fields to wipe media;
purging is an intense form of clearing used to ensure that data is removed and unrecoverable from media;
and removing does not necessarily imply destruction of the drive.
71. During which phase of the incident response process would an organization determine whether it is required to notify law enforcement officials or other regulators of the incident? A. Detection B. Recovery C. Remediation D. Reporting
D. During the Reporting phase, incident responders assess their obligations under laws and regulations to report the incident to government agencies and other regulators. #Not covered in AIO
72. What OASIS standard markup language is used to generate provisioning requests both within organizations and with third parties? A. SAML B. SPML C. XACML D. SOA
B. Service Provisioning Markup Language (SPML) is an OASIS developed markup language designed to provide service, user, and resource provisioning between organizations. Security Assertion Markup Language (SAML) is used to exchange user authentication and authorization data. Extensible Access Control Markup Language (XACML) is used to describe access controls. Service-oriented architecture (SOA) is not a markup language.
- Michelle is in charge of her organization’s mobile device management efforts and handles lost and stolen devices. Which of the following recommendations will provide the most assurance to her organization that data will not be lost if a device is stolen?
A. Mandatory passcodes and application management
B. Full device encryption and mandatory passcodes
C. Remote wipe and GPS tracking
D. Enabling GPS tracking and full device encryption
B. While full device encryption doesn’t guarantee that data cannot be accessed, it provides Michelle’s best option for preventing data from being lost with a stolen device when paired with a passcode. Mandatory passcodes and application management can help prevent application-based attacks and unwanted access to devices, but won’t keep the data secure if the device is lost. Remote wipe and GPS location is useful if the thief allows the device to connect to a cellular or Wi-Fi network. Unfortunately, many modern thieves immediately take steps to ensure that the device will not be trackable or allowed to connect to a network before they capture data or wipe the device for resale.
74. Susan’s SMTP server does not authenticate senders before accepting and relaying email. What is this security configuration issue known as? A. An email gateway B. An SMTP relay C. An X.400-compliant gateway D. An open relay
D. SMTP servers that don’t authenticate users before relaying their messages are known as open relays. Open relays that are Internet exposed are typically quickly exploited to send email for spammers.
75~77
The large business that Jack works for has been using noncentralized logging for years.
They have recently started to implement centralized logging, however, and as they reviewed logs, they discovered a breach that appeared to have involved a malicious insider.
75. When the breach was discovered and the logs were reviewed, it was discovered that the attacker had purged the logs on the system that they compromised. How can this be prevented in the future?
A. Encrypt local logs
B. Require administrative access to change logs
C. Enable log rotation
D. Send logs to a bastion host
D. Sending logs to a secure log server, sometimes called a bastion host, is the most effective way to ensure that logs survive a breach. Encrypting local logs won’t stop an attacker from deleting them, and requiring administrative access won’t stop attackers who have breached a machine and acquired escalated privileges. Log rotation archives logs based on time or file size, and can also purge logs after a threshold is hit. Rotation won’t prevent an attacker from purging logs.
76. How can Jack detect issues like this using his organization’s new centralized logging?
A. Deploy and use an IDS
B. Send logs to a central logging server
C. Deploy and use a SIEM
D. Use syslog
C. A Security Information and Event Management (SIEM) tool is designed to provide automated analysis and monitoring of logs and security events. A SIEM tool that receives access to logs can help detect and alert on events like logs being purged or other breach indicators. An IDS can help detect intrusions, but IDSs are not typically designed to handle central logs. A central logging server can receive and store logs but won’t help with analysis without taking additional actions. Syslog is simply a log format.
77. How can Jack best ensure accountability for actions taken on systems in his environment?
A. Log review and require digital signatures for each log.
B. Require authentication for all actions taken and capture logs centrally.
C. Log the use of administrative credentials and encrypt log data in transit.
D. Require authorization and capture logs centrally.
B. Requiring authentication can help provide accountability by ensuring that any action taken can be tracked back to a specific user. Storing logs centrally ensures that users can’t erase the evidence of actions that they have taken. Log review can be useful when identifying issues, but digital signatures are not a typical part of a logging environment. Logging the use of administrative credentials helps for those users but won’t cover all users, and encrypting the logs doesn’t help with accountability. Authorization helps, but being able to specifically identify users through authentication is more important.
- What type of attack would the following precautions help prevent?
■ Requesting proof of identity
■ Requiring callback authorizations on voice-only requests
■ Not changing passwords via voice communications
A. DoS attacks
B. Worms
C. Social engineering
D. Shoulder surfing
C. Each of the precautions listed helps to prevent social engineering by helping prevent exploitation of trust. Avoiding voice-only communications is particularly important, since establishing identity over the phone is difficult. The other listed attacks would not be prevented by these techniques.
80. Fred’s organization needs to use a non-IP protocol on their VPN. Which of the common VPN protocols should he select to natively handle non-IP protocols? A. PPTP B. L2F C. L2TP D. IPsec
C. L2TP is the only one of the four common VPN protocols that can natively support non-IP protocols. PPTP, L2F, and IPsec are all IP-only protocols.
81. Residual data is another term for what type of data left after attempts have been made to erase it? A. Leftover data B. MBR C. Bitrot D. Remnant data
D. Remnant data is data that is left after attempts have been made to remove or erase it.
Bitrot is a term used to describe aging media that decays over time. MBR is the master boot record, a boot sector found on hard drives and other media. Leftover data is not an industry term.
87. Ben is working on integrating a federated identity management system and needs to exchange authentication and authorization information for browser-based single sign-on. What technology is his best option? A. HTML B. XACML C. SAML D. SPML
C. Security Assertion Markup Language (SAML) is the best choice for providing authentication and authorization information, particularly for browser-based SSO. HTML is primarily used for web pages, SPML is used to exchange user information for SSO, and XACML is used for access control policy markup.
88. What is the minimum interval at which an organization should conduct business continuity plan refresher training for those with specific business continuity roles? A. Weekly B. Monthly C. Semiannually D. Annually
D. Individuals with specific business continuity roles should receive training on at least an annual basis.
91. Lauren wants to monitor her LDAP servers to identify what types of queries are causing problems. What type of monitoring should she use if she wants to be able to use the production servers and actual traffic for her testing? A. Active B. Real-time C. Passive D. Replay
C. Since Lauren wants to monitor her production server, she should use passive monitoring by employing a network tap, span port, or other means of copying actual traffic to a monitoring system that can identify performance and other problems. This will avoid introducing potentially problematic traffic on purpose while capturing actual traffic problems. Active monitoring relies on synthetic or previously recorded traffic, and neither replay nor real time is a common industry term used to describe a type of monitoring.
92. Steve is developing an input validation routine that will protect the database supporting a web application from SQL injection attack. Where should Steve place the input validation code? A. JavaScript embedded in the web pages B. Backend code on the web server C. Stored procedure on the database D. Code on the user’s web browser
B. For web applications, input validation should always be performed on the web application server. By the time the input reaches the database, it is already part of a SQL command that is properly formatted and input validation would be far more difficult, if it is even possible. Input validation controls should never reside in the client’s browser, as is the case with JavaScript, because the user may remove or tamper with the validation code.