Practice Exam Flashcards

Question

Which of the following cloud models allows access to fundamental computer resources? (★) * FaaS * SaaS * IaaS * PaaS

Answer 1

C. IaaS Infrastructure as a Service (IaaS) provides the capability to provision processing, storage, networks, and other fundamental computing resources. Platform as a Service (PaaS) enables the provisioning of applications, programming libraries, services, and tools that the provider supports. Unlike IaaS, consumers do not control their underlying cloud infrastructure (including operating systems and storage). Both Software as a Service (SaaS) and Function as a Service (FaaS) models abstract away from underlying computing infrastructure, thereby allowing providers to focus on providing end users with applications, rather than worrying about how their underlying infrastructure functions.

Answer 2

C. Simulations Simulations are full re-enactments of business continuity procedures and can involve most, if not all, of your workforce. They also tend to take place on-site in the relevant business areas. Thus, they are an exceptionally effective way to test your business continuity plan. Walkthroughs verbally carry out specific recovery steps stipulated in the business Continuity plan. Discussion and reviews are static ways of testing the business continuity plan.

Answer 3

B. IPv6 address An IPv6 address is a 128-bit address represented as a sequence of eight groups of 16-bit hexadecimal values. An IPv4 address is a 32-bit address represented as a sequence of four 8-bit integers. A Mac address is a 48-bit address represented as six groups of 8 bits values in hexadecimal. A web address consists of a protocol name, a server address, and a resource path (see ISC2 Study Guide, chapter 4, module 1 - Understand Computer Networking).

Answer 4

D. identifying inefficient performing systems, detecting compromises, and providing a record of how systems are used According to the ISC2 Study Guide (chapter 5, module 1, under Data Handling Practices), logging and monitoring systems are characterized as being "Essential to identifying inefficient performing systems, detecting compromises, and providing a record of how systems are used". The remaining options are incorrect variations of this definition.

Answer 5

B. Firewalls Firewalls are a type of electronic equipment which connects to a network that filters inbound traffic arriving from the Internet, and, thus are a type of technical security controls. Security cameras, biometric access control and electronic locks, though connected to a network, control access to physical facilities, and thus are types of physical security controls. (ISC2 Study Guide, Chapter 1, Module 3)

Answer 6

A. Provide active and qualified service to principal In the code of ethics, we read "Provide diligent and competent service to principals", and not "Provide active and qualified service to principals."; all the other options are valid canons of the code of ethics (see ISC2 Study Guide Chapter 1, Module 5).

Answer 7

A. Side-channel attack Man-in-the-middle Attacks, Oversized Packet Attacks, and Fragmented Packet Attacks are typical IP network attacks (see ISC2 Study Guide, Chapter 4, Module 1, under Security of the Network). Side Channel Attacks are non-invasive attacks that extract information from devices (typically devices running cryptographic algorithms), and therefore do not aim at IP networks.

Answer 8

A. Authentication Authentication is the verification of the identity of a user, process or device, as a prerequisite to allowing access to the resources in a given system. In contrast, authorization refers to the permission granted to users, processes or devices to access specific assets. Confidentiality and integrity are properties of information and systems, not processes.

Answer 9

A. Separation of Duties According to the principle of Separation of Duties, operations on objects are to be segmented (often referred to as 'transactions'), requiring distinct users and authorizations. The involvement of multiple users guarantees that no single user can perpetrate and conceal errors or fraud in their duties. To the extent that users have to review the work of other users, Separation of Duties can also be considered a mechanism of fraud detection (see ISC2 Study Guide Chapter 1, Module 3). The principle of Least Privilege states that subjects should be given only those privileges required to complete their specific tasks. The principle of Privileged Accounts refers to the existence of accounts with permissions beyond those of regular users. Finally, the principle of Defense in Depth endorses the use of multiple layers of security for holistic protection.

Answer 10

A. 7 Simple Mail Transport Protocol (SNMP) is an application layer protocol that operates at level 7. Level 3 corresponds to the network layer. There are no OSI layers above level 7. The number 25 presumably refers to the TCP/IP port of the SMTP protocol. The number 23, in turn, refers to the TCP/IP port of the Telnet protocol.

Answer 11

A. Exhaustion of device resources. A denial of service attack (DoS) consists in a malicious overload of requests which will eventually lead to the exhaustion of resources, rendering the service unavailable, as well as causing the activation of safety mechanisms that delay or limit the availability of that system or service. This type of attack seeks to compromise service availability, but not to control a device nor to install malware.

Answer 12

B. Acceptable Use Policies Policies are a type of administrative security controls. An access control list is a type of technical security control. A badge reader and a 'No entry' sign are types of physical security controls (see ISC2 Study Guide, Chapter 1, Module 3).

Answer 13

C. Business Impact Analysis The term 'Business Impact Plan' does not exist. A Business Impact Analysis (BIA) is a technique for analyzing how disruptions can affect an organization, and determines the criticality of all business activities and associated resources. A Business Continuity Plan (BCP) is a pre-determined set of instructions describing how the mission/business processes of an organization will be sustained during and after a significant disruption. A Disaster Recovery Plan is a written plan for recovering information systems in response to a major failure or disaster.

Answer 14

A. Trojans Trojans are a type of software that appears legitimate but has hidden malicious functions that evade security mechanisms, typically by exploiting legitimate authorizations of the user that invokes the program. Rootkits try to maintain privilege-level access while concealing malicious activity. They often replace system files, so they are activated when the system is restarted. Trojans often install Rootkits, but Rootkits are not the Trojans themselves). Phishing typically tries to redirect the user to another website. Cross-site scripting attempts to inject malicious executable code into a website.

Answer 15

D. Tutorial The three learning activities that organizations use in training for security awareness are Education, Training and Awareness (see ISC2 Study Guide, chapter 5, module 4). A tutorial is a form of training, but is not on the list of types of learning activities.

Answer 16

A. Storage Controls Storage controls are not a type of security control. Security controls are safeguards or countermeasures that an organization can employ to avoid, counteract or minimize security risks. System-specific controls are security controls that provide security capability for only one specific information system. Common controls are security controls that provide security capability for multiple information systems. Hybrid controls have characteristics of both system-specific and common controls.

Answer 17

D. Access control lists An access control list is a type of technical security control. Bollards, fences and turnstiles control access to physical facilities, and thus are types of physical security controls. (ISC2 Study Guide, Chapter 1, Module 3)

Answer 18

B. Side Channels A side-channel attack is a passive and non-invasive attack aiming to extract information from a running system, by using special-purpose hardware to perform power monitoring, as well as timing and fault analysis attacks. The remaining are software-based attacks.

Answer 19

C. SaaS In Software as a Service (SaaS), consumers may control user-specific application configuration settings, but neither the underlying application logic nor the infrastructure. In the Function as a Service (FaaS) model, cloud customers deploy application-level functionality (typically as microservices) and are charged only when this functionality is executed. In Platform as a Service (PaaS), the cloud customer does not manage or control the underlying cloud infrastructure (wnich includes the network, servers, operating systems, and storage) but has control over the deployed applications and libraries. The Infrastructure as a Service (IaaS) model provides customers with fundamental computing resources (such as processing, storage, or networks) where the consumer is able to deploy and run arbitrary software,and also to choose the operating system.

Answer 20

D. GDPR The General Data Protection Regulation (GDPR) is the official EU regulation for data protection and privacy. The remaining three options only apply to the United States. The Federal Information Security Management Act (FISMA) contains guidelines and security standards that protect government information and operations in the United States. The Sarbanes–Oxley (SOx) Act of 2002 is a United States federal law that mandates and regulates financial record-keeping and reporting practices for corporations. The Health Insurance Portability and Accountability Act (HIPAA) is a United States federal law that establishes national standards to protect sensitive patient health information from being disclosed without the patient's knowledge and permission.

Answer 21

A. Change Management Change Management is the process of implementing necessary changes so that they do not adversely affect business operations (see ISC2 Study Guide, chapter 5, module 3). Vulnerability Management refers to the capacity to identify, track, prioritize and eliminate vulnerabilities in systems and devices. Configuration Management refers to a collection of activities with the purpose of establishing and maintaining the integrity of information systems through their development lifecycle (see NIST SP 1800-16B under Configuration Management). Inventory management refers to the management of keys and/or certificates, so as to monitor their status and owners.

Answer 22

B. Confidentiality The correct answer is B. Confidentiality is the most distinctive property of protected health information (see ISC2 Study Guide, Module 1, under CIA Deep Dive). The remaining options apply to all types of data. All data requires integrity to be usable. Non-repudiation refers to the inability to deny the production, approval, or transmission of information. Authentication refers to guaranteeing that systems and information are accessed by persons and systems that are who they claim to be.

Answer 23

B. * Preparation → Detection and Analysis → Containment, Eradication and Recovery → Post-Incident Activity The components commonly found in an incident response plan are (in this order): Preparation; Detection and Analysis; Containment, Eradication and Recovery; Post-Incident Activity (see the ISC2 Chapter 2, Module 1, under Components of an Incident Response Plan).

Answer 24

C. Denial of service A denial of service attack (DoS) consists in compromising the availability of a system or service through a malicious overload of requests, which causes the activation of safety mechanisms that delay or limit the availability of that system or service. Due to this, systems or services are rendered inaccessible to their intended users. Trojans, phishing, and cross-site scripting attacks try to covertly gain access to the system or data, and therefore do not primarily aim at compromising the system's availability.

Answer 25

C. Restore company operation to the last-known reliable operation state A Disaster Recovery Plan (DRP) is a plan for processing and restoring operations in the event of a significant hardware or software failure, or of the destruction of the organization's facilities. The primary goal of a DRP is to restore the business to the last-known reliable state of operations (see Chapter 2 ISC2 Study Guide, module 4, under The Goal of Disaster Recovery). Maintaining crucial operations is the goal of the Business Continuity Plan (BCP). The remaining options may be included in a DRP, but are not its primary objective.

Answer 26

B. Confidentiality. Confidentiality is the most distinctive property of personally identifiable information (see ISC2 study guide, Module 1, under CIA Deep Dive). The remaining options apply to all types of data. All data requires integrity to be usable. Non-repudiation refers to the inability to deny the production, approval, or transmission of information. Authentication refers to the access to information.

Answer 27

C. Firewalls

Answer 28

B. Provide diligent and competent service to principals Only "Provide diligent and competent service to principals" contains the accurate text of the ISC2 code of ethics. Although a security professional should discourage unsafe practices, no direct reference to acting safely exists in the canons. Aside from society, the common good and infrastructure, security professionals are expected to protect public trust and confidence. Finally, they are expected to protect the profession, and not just advance and promote it. 1.Protect society, the commonwealth and the infrastructure. 2.Act honorably, honestly, justly, responsibly and legally. 3.Provide diligent and competent service to principals. 4.Advance and protect the profession.

Answer 29

D. Disaster Recovery Plan A Disaster Recovery Plan (DRP) is a plan for processing and restoring operations in the event of a significant hardware or software failure, or of the destruction of the organization's facilities. The primary goal of a DRP is to restore the business to the last-known reliable state of operations (see Chapter 2 ISC2 Study Guide, module 4, under The Goal of Disaster Recovery). The term 'Business Impact Plan' does not exist. A Business Continuity Plan (BCP) is a pre-determined set of instructions describing how an organization's mission/business processes will be sustained during and after a significant disruption. A Business Impact Analysis (BIA) is a technique for analyzing how disruptions can affect an organization.

Answer 30

C. Procedures Policies are high-level documents that frame all ongoing activities of an organization to ensure that it complies with industry standards and regulations. Regulations are usually devised by governments. Standards are created by governing or professional bodies to support regulations. Both regulations and standards are created outside of the organization (see ISC2 Study Guide Chapter 1, Module 4).

Answer 31

A, SNMP Internet Protocol (IP) is known to be a level 3 protocol. Internet Control Message Protocol (ICMP) and Internet Group Management Protocol (IGMP) are also level 3 protocols. Simple Network Management Protocol (SNMP) is a protocol used to configure and monitor devices attached to networks. It is an application-level protocol (level 7), and therefore the only option that is not from level 3.

Answer 32

B. SYN → SYN/ACK → ACK TCP uses a three-way handshake to establish a reliable connection by exchanging three packets with the SYN, SYN/ACK and ACK flags. Although SYN, ACK and FIN are valid TCP packet flags, the sequence SYN → ACK → FIN is not the TCP handshake. Both the sequences Discover → Offer → Request and Offer → Request → ACK are used in DHCP (but are still incomplete, since DHCP is a four-way handshake).

Answer 33

D. Destroy The data handling procedures are 'Classify', 'Categorize', 'Label', 'Store', 'Encrypt', 'Backup', and 'Destroy' (see ISC2 Study Guide, chapter 5, module 3).

Answer 34

A. Smoke Sensors By definition, smoke detectors are fire protection devices employed for the early detection of fire. Firewalls are devices that filter incoming traffic, and are a type of logical preventive control. Bollards and turnstiles are types of physical preventive controls.

Answer 35

D. Ransomware Ransomware is malware designed to deny a user or organization access to files on their computer, by encrypting them and demanding a ransom payment for the decryption key. Trojans and phishing can be used to install ransomware on a system or device, but are not themselves the ransomware attack.

Answer 36

B. External Worker Typically, external workers should not have access to privileged accounts, due to the possibility of misuse. The Help Desk (or IT Support Staff) may have to view or manipulate endpoints, servers and applications platforms using privileged or restricted operations. Security analysts may require fast access to the IT infrastructure, systems, endpoints and data environment. By definition, systems administrators require privileged accounts, since they are responsible for operating systems, deploying applications, and managing performance.

Answer 37

A. Avoid apparent or actual conflicts of interest The direction for applying the ethical principles of ISC2 states that avoiding conflicts of interest or the appearance thereof is a consequence of providing diligent and competent service to principals (see https://resources.infosecinstitute.com/certification/the-isc2-code-of-ethics-a-binding-requirement-for-certification/). The other options are consequences of the remaining three ethical principles.

Answer 38

A. Network Access Control Network Access Control (NAC) refers to a class of mechanisms that prevent access to a network until a user (or the user's device) either presents the relevant credentials, or passes the results of health checks performed on the client device. Security Information and Event Management (SIEM), Host Intrusion Detection Systems (HIDS), and Intrusion Detection Systems (IDS) are all monitoring systems.

Answer 39

D. Router A router is a device that acts as a gateway between two or more networks by relaying and directing data packets between them. A firewall is a device that filters traffic coming from the Internet but does not seek to distribute traffic. Neither Security Information and Event Management (SIEM) systems nor Host Intrusion Detection Systems (HIDS) are monitoring devices nor applications that aim at inter-network connectivity.

Answer 40

B. Role based access control The role-based access control (RBAC) model is well known for governing access to objects based on the roles of individual users within the organization. Mandatory access control is based on security classifications. Attribute-based access control is based on complex attribute rules. In discretionary access control, subjects can grant privileges to other subjects and change some of the security attributes of the objects they have access to.

Answer 41

D. Segregation In cybersecurity, 'segregation', or 'segregation of duties' (SoD), is a security principle designed to prevent fraud or error by dividing tasks among multiple persons.It is an administrative control that reduces the risk of potential errors or fraud from a single person having control over all aspects of a critical process. The remaining options are valid social engineering techniques. Baiting is a social engineering attack in which a scammer uses a false promise to lure a victim. Pretexting is a social engineering technique that manipulates victims into revealing information. Quid pro quo is a social engineering attack (technically a combination of baiting and pretexting) that promises users a benefit in exchange for information (that can later be used to gain control of a user's account or sensitive information).

Answer 42

B. Risk Transfer Risk transfer is a risk management strategy that contractually shifts a pure risk from one party to another (in this case, to an insurance company). Risk avoidance consists in stopping activities and exposures that can negatively affect an organization and its assets. Risk mitigation consists of mechanisms to reduce the risk. Finally, risk tolerance is the degree of risk that an investor is willing to endure.

Answer 43

C. Impact The sentence matches the definition of the concept of impact (see NIST SP 800-60 Vol. 1 Rev. 1 under Impact). Furthermore, the ISC2 Study Guide, chapter 1, defines likelihood as the probability that a potential vulnerability may be exploited. A threat is defined as a circumstance or event that can adversely impact organizational operations. A vulnerability is a weakness that a threat can exploit.

Answer 44

A. Patch the system According to NIST SP 800-152, hardening is defined as the process of eliminating the means of an attack by simultaneously patching vulnerabilities and turning off nonessential services. The ISC2 Study Guide, chapter 5, module 2, under Configuration Management Overview, reads "One of the best ways to achieve a hardened system is to have updates, patches, and service packs installed automatically". Vulnerability scans and IDS do not eliminate the means of an attack. The DMZ does not eliminate vulnerabilities in a system.

Answer 45

B. Reversible A cryptographic hash function should be unique, deterministic, useful, tamper-evident (also referred to as 'the avalanche effect' or 'integrity assurance') and non-reversible (also referred to as 'one-way'). Nonreversible means it is impossible to reverse the hash function to derive the original text of a message from its hash output value (see ISC2 Study Guide, chapter 5, module 1, under Encryption

Answer 46

C. Rollback In Change Management, the Request For Change (RFC) is the first stage of the request: it formalizes the change from the stakeholders' point of view. The next phase is the Approval phase, where each stakeholder reviews the change, identifies and allocates the corresponding resources, and eventually either approves or rejects the change (appropriately documenting the approval or rejection). Finally, the Rollback phase addresses the actions to take when the monitoring change suggests a failure or inadequate performance.

Answer 47

B. Hybrid Cloud A hybrid cloud is a model that combines (i.e. orchestrates) on-premise infrastructure, private cloud services, and a public cloud to handle storage and service. A community cloud is an infrastructure where multiple organizations share resources and services based on common technological and regulatory necessities. Multi-tenancy refers to a context where several of a cloud vendor's customers share the same computing resources. A private cloud is a cloud computing model where the cloud infrastructure is dedicated to a single organization.

Answer 48

C. Confidentiality Confidentiality, Integrity and Availability are known as the CIA triad, from the model that guides policies for information security. Confidentiality is the property of data or information not being made available or disclosed, which leads to sensitive information being protected from unauthorized access. Integrity refers to the preservation of the consistency, accuracy and trustworthiness of data. Availability is the property of data being consistently and readily accessible to the parties authorized to access it. Finally, non-repudiation refers to the inability to deny the production, approval or transmission of information.

Answer 49

D. Physical Control Physical controls have to do with the architectural features of buildings and facilities. Administrative controls are connected to the actions of people within the organization. Technical controls are implemented inside of computer systems. Authorization controls relate to the assets to which a user is granted access inside a particular computer system (see ISC2 Study Guide Chapter 1, Module 3).

Answer 50

D. Locks A lock is a device that prevents a physical structure (typically a door) from being opened, indicating that only the authorized person (i.e. the person with the key) can open it. A fence or a barrier will prevent ALL access. Turnstiles are physical barriers that can be easily overcome (after all, it is common knowledge that intruders can easily jump over a turnstile when no one is watching).

Answer 51

B. Guarantee the safety of people In the event of a disaster, the primary objective should always be to ensure the safety of people (see ISC2 Study Guide, Chapter 2, Module 1). Human life is the most valuable asset, and ensuring the safety of everyone involved should always be the first priority. For example, in the event of a fire in a data center, the first step should be to evacuate all personnel to a safe location before attempting to salvage any equipment or data. While deploying disaster communications, protecting the production database, and ensuring the continuity of critical systems are important aspects of disaster recovery and business continuity, they are secondary to the safety of people. These tasks focus on minimizing the impact of the disaster on the organization's operations and should be addressed only after the safety of all individuals has been ensured.

Answer 52

C. Phishing A phishing attack emails a fraudulent message to trick the recipient into disclosing sensitive information to the attacker. A Cross-Site Scripting attack tries to execute code on another website. Trojans are software that appear legitimate, but that have hidden malicious functions. Trojans may be sent in a message, but are not the message themselves. A denial of service attack (DoS) consists in compromising the availability of a system or service through a malicious overload of requests, which causes the activation of safety mechanisms that delay or limit the availability of that system or service.

Answer 53

C. Wireshark Wireshark is the world's most widely-used and complete network protocol analyzer that, informally speaking, is the "microscope" of network traffic. John the Ripper is a famous Open Source password security auditing and password recovery tool. Nslookup is a network administration command-line tool for querying the Domain Name System that obtains the mapping between the domain name, IP address, or other DNS records. Finally, Burp Suite is a set of well-known vulnerability scanning, penetration testing, and web app security tools.

Answer 54

C. … importance assigned to information by its owner, or the purpose of representing its need for protection Sensitivity is also defined as the measure of the importance assigned to information by its owner, or the purpose of representing its need for protection (see the ISC2 study guide, module 1, under CIA Deep Dive).

Answer 55

B. Least Privilege The principle of Defense in Depth refers to using multiple layers of security. The principle of Least Privilege states that subjects should be given only those privileges required to complete their specific tasks (ISC2 Study Guide Chapter 1, Module 3). Separation of Duties states that no user should ever be given enough privileges to misuse the system. Finally, Privileged Accounts are accounts with permissions beyond those of regular users, such as manager and administrator accounts.

Answer 56

D. Detection and Analysis Incident responses are prioritized in the Detection and Analysis phase (see the ISC2 Study Guide, Chapter 2, Module 1, under Components of Incident Response).

Answer 57

B. Governance All significant change management practices address typical core activities: Request For Change (RFC), Approval, and Rollback (see ISC2 Study Guide, chapter 5, module 3). Governance is not one of these practices.

Answer 58

A. Human Resource The incident response team carries out the post-incident analysis phase of an incident response plan. They are a cross-functional group of individuals representing the management, technical and functional areas of responsibility most directly impacted by a security incident. In the incident response team, we typically find (i) representatives of senior management, (ii) information security professionals, (iii) legal representatives, (iv) public affairs/communications representatives, (v) engineering representatives (both system and network); however, we don't typically find human resource representatives (see the ISC2 Study Guide Chapter 2, Module 1, under Incident Response Team).

Answer 59

C. Discretionary Access Control In a Discretionary Access control model, the permissions associated with each object (file or data) are set by the owner of the object. In this model, the creator of an object implicitly becomes its owner, and therefore can decide who will have permission over the objects. In the remaining models, access specifications are centrally determined.

Answer 60

C. A previously unknown system vulnerability A 'Zero Day' is an unknown system vulnerability that can be exploited since it does not yet exist in any vulnerability database. Moreover, these vulnerabilities do not generally fit recognized patterns, signatures or methods (see ISC2 Study Guide Chapter 2, Module 1, under Incident Terminology), making them very hard to detect and prevent.

Answer 61

D. TCP TCP is used for connection-oriented communication, verifies data delivery, and is known to favor reliability. In a congested network, TCP delays data transmission, and thus cannot guarantee delivery under time constraints. UDP favors speed and efficiency over reliability, and thus cannot ensure a reliable connection. DHCP and SNMP are (respectively) a device configuration and a device management protocol, which means that neither aims to establish connections between devices.

Answer 62

D. Pre-existing The three possible models for incident response are Leveraged, Dedicated, and Hybrid (see the ISC2 Study Guide, Chapter 2, Module 1, under Chapter Takeaways). The term 'Pre-existing' is not a valid model for an IRT.

Answer 63

A. The identification, evaluation and prioritization of risks Risk Management is the process of identifying, assessing and mitigating risks (ISC2 Study Guide, chapter 1, module 2). "Impact and likelihood of a threat" is a definition of risk. "Creating an incident response team" and "assessing the potential impact of a threat" can be considered Risk Management actions, but are not in themselves Risk Management.

Answer 64

A. Confidentiality The correct answer is A. A digital signature is the result of a cryptographic transformation of data which is useful for providing: data origin authentication, data integrity, and non-repudiation of the signer (see NIST SP 800-12 Rev. 1 under Digital Signature). However, digital signatures cannot guarantee confidentiality (i.e. the property of data or information not being made available or disclosed).

Answer 65

B. Backdoors Trojans and Rootkits are often used to install backdoors. A backdoor is a malicious feature that listens for commands on a specific logical port (TCP or UDP) and executes them on the attacked system or device, thereby giving direct control of the system or device to a malicious outside entity (or program). Cross-Site Scripting can execute code with the same permissions as the scripts generated by the target website, compromising the confidentiality and integrity of data transfers between the website and the client.

Answer 66

C. 13.16.123.1 The ranges of IP addresses 10.0.0.0 to 10.255.255.254, 172.16.0.0 to 172.31.255.254, and 192.168.0.0 to 192.168.255.254 are reserved for private use (see ISC2 Study Guide, chapter 4, module 1, under Internet Protocol - IPv4 and IPv6). Therefore, the IP address 13.16.123.1 is the only address in a public range.

Answer 67

D. Defense in Depth Defense in depth describes a cybersecurity approach that uses multiple layers of security for holistic protection (see ISC2 Study Guide Chapter 1, Module 3). According to the principle of Separation of Duties, no user should ever be given enough privileges to misuse the system on their own. The principle of Least Privilege dictates that users should be given only those privileges required to complete their specific tasks. Privileged Accounts are a class of accounts that have permissions exceeding those of regular users, such as manager and administrator accounts.

Answer 68

C. OTP One-time passwords are typically generated by a device (i.e. "something you have") and are required in addition to the actual main password (i.e. "something you know"). Badges, keys and passwords with no other overlapping authentication controls are considered single-factor (and thus are not 2FA).

Answer 69

C. Mandatory Access Control The Bell and LaPadula access control model arranges subjects and objects into security levels and defines access specifications, whereby subjects can only access objects at certain levels based on their security level. Typical access specifications can be things like "Unclassified personnel cannot read data at confidential levels" or "Top-Secret data cannot be written into the files at unclassified levels". Since subjects cannot change access specifications, this model is a form of mandatory access control (MAC). In contrast, Discretionary Access Control (DAC) leaves a certain level of access control to the discretion of the object's owner. The Attribute Based Access Control (ABAC) is based on subject and object attributes (not only classification). Finally, Role Based Access Control (RBAC) is a model for controlling access to objects where permitted actions are identified with roles rather than individual subject identities.

Answer 70

A, Business Continuity Plan A Business Continuity Plan (BCP) is a pre-determined set of instructions describing how an organization's mission/business processes will be sustained during and after a significant disruption (see Chapter 2 ISC2 Study Guide, module 4, under Terms and Definitions). A Business Impact Analysis (BIA) is a technique for analyzing how disruptions can affect an organization. A Disaster Recovery Plan is a written plan for recovering information systems in response to a major failure or disaster. The term 'Business Impact Plan' does not exist.

Answer 71

B. Create → Store → Use → Share → Archive → Destroy According to the data security lifecycle model, the six phases of data security lifecycle model are Create -> Store -> Use -> Share -> Archive -> Destroy (see ISC2 Study Guide, chapter 5, module 1 under data handling).

Answer 72

A. John the Ripper John the Ripper is a famous Open Source password security auditing and password recovery tool. Burp Suite is a well-known set of tools for vulnerability scanning, penetration testing, and web app security (not for cracking passwords). The remaining options are both network analysis tools. Wireshark is the most used network protocol analyzer in the world. Nslookup is a network administration command-line tool for querying the Domain Name System to obtain the mapping between the domain name, IP address, or other DNS records.

Answer 73

D. Whaling Phishing is a digital social engineering attack that uses authentic-looking (but counterfeit) e-mail messages to request information from users, or to get them to unknowingly execute an action that will make way for the attacker. Whaling attacks are phishing attacks that target high-ranking members of organizations. After gaining root-level access to a host, rootkits are used by an attacker to conceal malicious activities while keeping root-level access. Trojans are a type of software that appears legitimate but has hidden malicious functions that evade security mechanisms.

Answer 74

D. Security Information and Event Manager Security Information and Event Management (SIEM) is software for aggregating logs and events from applications, servers, network equipment, and specialized security equipment such as firewalls or Intrusion Prevention systems (IPS). SIEM offers a unified view of security-related data, and is capable of identifying deviations to the regular operation of systems that are often symptoms of attacks. The remaining options do not refer to any common term in Cybersecurity.

Answer 75

D. Audit Logs System Security Configuration Management elements are inventories, baselines, updates and patches. Audit logs can be generated after 'Verification and Audit'. However, 'Verification and Audit' is a configuration management procedure, and not a configuration management element (see ISC2 Study Guide, chapter 5, module 2, under Chapter Resource).

Answer 76

A. Security Control Security safeguards are approved security measures taken to protect computational resources by eliminating or reducing the risk to a system. These can be measures like hardware and software mechanisms, policies, procedures, and physical controls (see NIST SP 800-28 Version 2, under safeguard). This definition matches the definition of security control as the means of managing risk, including policies, procedures, guidelines, practices, or organizational structures, which can be of an administrative, technical, management, or legal nature (see NIST SP 800-160 Vol. 2 Rev. 1 under control).

Answer 77

B. Movement Sensors Detective controls alert us to security problems by constantly monitoring activity and recording information, so as to take immediate action in the event of a security control failure (such as bollards or turnstiles). Therefore, a movement sensor is considered a detective control, and is complementary to physical controls. Firewalls are network devices used to filter network traffic, and are thus considered technical controls. Logging and monitoring tools, such as Security Information and Event Management (SIEM), are detective access controls (see ISC2 Study Guide, chapter 1, module 3).

Answer 78

C. The expected cost per year of not performing a given risk-mitigating action The Annualized Loss Expectancy (ALE) is a standard metric of risk exposure that refers to the expected cost per year of a given risk if it is not mitigated. The business impact of a risk is technically considered a loss, and is better captured by a metric called Single Loss Expectancy (see ISC2 Study Guide, chapter 1, module 2). The probability of a risk coming to pass in a given year is best captured by a metric called Annualized Rate of Occurrence (ARO). Asset Lost Efficiency is a misleading term that is not directly related to risk management.

Answer 79

A. Trust but Verify The "Trust but verify" model is a method of threat protection that involves granting privileged accounts access to the network and other resources, while at the same time verifying their actions and activities. However, over time, this model was found to have limitations that expose organizations to a wide array of security threats. Therefore, "Trust but verify" is being progressively abandoned in favor of the Zero Trust model. The remaining options are all best practices of access management.

Answer 80

A. Risk Transference The purpose of any insurance is to transfer risk from one party to another. The insurer is obligated to indemnify the insured for a loss caused by an unexpected event, over the course of a definite and mutually-agreed period of time. Risk avoidance consists in avoiding or eliminating the actions and conditions that give rise to the risk. Risk spreading consists in spreading a significant amount of risk over a larger part of the organization or activity, namely by manipulating the sequence or size of related events or activities. Finally, risk acceptance means that the possibility of loss is assumed in that risk, and that no positive action is taken to avoid, reduce or transfer the risk (see ISC2 Study Guide, chapter 1, module 2).

Answer 81

C. Advance and protect the profession The four canons of ISC2 are (see ISC2 Study Guide, chapter 1, module 5): * Advance and protect the profession; * Act honorably, honestly, justly, responsibly and legally; * Provide diligent and competent service to principals; * Protect society, the common good, necessary public trust and confidence and the infrastructure.

Answer 82

A. Whaling When executives receive malicious emails that try to trick them, the attackers are likely attempting a whaling attack (see ISC2 Study Guide, chapter 4, module 2). Whaling is a type of spear phishing, and, in turn, spear phishing is a type of phishing. Whaling is a spear phishing attack targeted at a group of high-level executives, or at other influential individuals inside the organization. Spear phishing is a targeted attack in which the attacker uses email or other digital communication to trick a specific individual or group into divulging sensitive information. Phishing is an attack in which attackers send fake emails or text messages that seem to come from legitimate sources, so as to trick the recipient into revealing sensitive information or clicking on a malicious link.

Answer 83

C. Guidelines Of the document types listed above, guidelines are generally the least formal. Guidelines provide recommendations or suggestions for achieving a particular goal or objective. They are often less formal than standards and policies, and are used to specify best practices or recommended approaches. Standards are generally more formal than guidelines, and describe the requirements, specifications or characteristics that a product, service or system should possess. Policies are usually more formal than guidelines, and outline the rules or principles that an organization or governing body has established to guide the actions of its members or employees. Regulations are typically created by government agencies or regulatory bodies, and are enforceable by law. They are generally more formal than guidelines.

Answer 84

D. Attributes Attributes such as a person's name, age, location, job title, and even characteristics such as height or hair color, may all be associated with their identity. None of these describe biometric factors used for authentication. Identity factors are something you know, are or have. Account permissions determine what an authenticated person (a user) can do, and not attributes related to the user's identity.

Answer 85

D. 192.255.121.255 IPv4 addresses are 32-bits represented as a sequence of four 8-bit integers separated by a dot. Addresses ending with 0 are reserved to specifically signify the network itself (and not a specific device on that network). In contrast, addresses ending in 255 are generally reserved for broadcasting to all devices on that network (see ISC2 Study Guide, chapter 4, module 1).

Answer 86

A. Spear Phishing Spear phishing is a highly targeted phishing attack (and not just random spam) which aims to get specific individuals to reveal confidential information. The particularity of spear phishing is that these attacks are sent with prior knowledge about the target (person or company), so as to increase its chance of success. Whaling is a phishing attack targeted at a group (typically an organization's executives) (see ISC2 Study Guide, chapter 4, module 3). A pharming attack corrupts an infrastructure service such as DNS (Domain Name System), which causes traffic to be misdirected to a forged site, thereby getting users to reveal sensitive information or download malware. Therefore, pharming is not directed at a specific individual. Vishing is an attack carried out by voice where the attacker calls the victim (for example, claiming they are from their bank).

Answer 87

D. Consider the social consequences of the systems you are designing Considering the social consequences of the systems you are designing is a valid concern, since the professional must abide by the canon of their protecting society, the common good, necessary public trust and confidence, and the infrastructure. However, this is not in itself a canon. The four canons of (ISC)² are: Protect society, the common good, necessary public trust and confidence, and the infrastructure; Act honorably, honestly, justly, responsibly, and legally; Provide diligent and competent service to principals; Advance and protect the profession (see ISC2 Study Guide, chapter 1, module 5).

Answer 88

B. Phishing into disclosing sensitive information to the attacker (see ISC2 Study Guide, chapter 4, module 2). A Cross-Site Scripting attack tries to execute code on another website. Trojans are software that seem legitimate, but has hidden malicious functions. Trojans may be sent in a message, but are not themselves the message. A denial of service attack (DoS) compromises the availability of a system or service through a malicious overload of requests, thereby activating safety mechanisms that delay or limit the availability of that system or service.

Answer 89

C: 25 The Simple Mail Transfer Protocol (SMTP) is well-known for accepting connections on port 25, so as to receive unencrypted email messages. The more secure alternative is to use port 587 for SMTP by using Transport Layer Security (TLS), which encrypts the data between the mail client and the server (see ISC2 Study Guide, chapter 4, module 1).

Answer 90

B. Password and username Multi-Factor Authentication uses authentication from more than one factor. Passwords and usernames are not multifactor, since they are both 'something you know' (see ISC2 Study Guide, chapter 3, module 1).

Answer 91

A. IDS Detective controls are a crucial component of a cybersecurity program, since they provide visibility into malicious activity, breaches and attacks on an organization's IT environment. An intrusion detection system (IDS) is a device or software application which monitors a network or systems for malicious activity or policy violations (meaning that it's a detective control) (see ISC2 Study Guide, chapter 4, module 1). Patches are corrective controls. Backups are compensating controls, since they provide redundancy for the information in a given system.

Answer 92

A. Financial Executives and Public Relations staff need to be aware of the company's Disaster Recovery Plan (DRP) to properly handle the expectations of the public, as well as of company stakeholders. IT personnel should be focused on helping businesses return to normal operations. A company's financial department is rarely involved in a disaster recovery plan, except when the issue at hand is directly connected to company finances (see Chapter 2 ISC2 Study Guide, module 3, under Components of a Disaster Recovery Plan).

Answer 93

B. Data left over after routine removal and deletion Data Remanence refers to data left over after routine removal and deletion of data from a storage device (see ISC2 Study Guide, chapter 4, module 3). When digital data is deleted, instead of being erased from the storage media, it is often only marked deleted, and the corresponding space is then made available to be overwritten later on. Consequently, deleted data can still be present on the storage media, and can be recovered using the proper media analysis and recovery tools. Data remanence is a concern when media storage devices containing sensitive or confidential data need to be disposed of. Specialized techniques and tools can be used to securely erase data and reduce the risk of data remanence, such as degaussing and other specialized data destruction tools. Therefore, the term data remanence is unrelated to any of the other options.

Answer 94

A. Containerization Containerization allows users to run corporate applications and access corporate data in a secure environment that applications outside the container cannot access. Containerization solutions for mobile devices typically use encryption and other isolation techniques to ensure that data and applications do not cross over. Full-device encryption helps reduce the risk of theft or loss of a device, thereby reducing the risk of a data breach. Biometrics and context-aware authentication are helpful in ensuring that the right user is using a device, but do not guarantee this separation themselves (see ISC2 Study Guide, chapter 4, module 3).

Answer 95

B. Using out-dated anti-malware software Using out-dated anti-malware software is NOT an effective way to protect an organization from cybercriminals. Anti-malware software (such as antivirus programs) are designed to detect and remove malware from computer systems and networks. To be effective, it is vital, instead, to ensure that running software is kept up-to-date with the latest security updates and definitions. Other effective ways to protect an organization from cybercriminals are: * Removing or disabling unneeded services and protocols; * Using intrusion detection and prevention systems;

Answer 96

B. Something you trust Authentication generally requires that users provide identity factors (that others can't not easily provide). Because no single factor is ever foolproof, multi-factor authentication typically uses one or several of the following (see ISC2 Study Guide, chapter 3, module 1): * 'Something you know', such as a password or personal identification number (PIN); * 'Something you have', such as a smart card or certificate; * 'Something you are', which would be based on your physical characteristics, in which biometric reading may be used.

Answer 97

C. Conceiving systems with duplicate components so that, if a failure occurs, there will be a backup In cybersecurity, redundancy refers to conceiving systems for resilience with duplicate components so that, if a failure occurs, the redundant component will take over and maintain operations, thereby helping to prevent outages or other disruptions (see ISC2 Study Guide, chapter 4, module 3). Examples of this are redundant servers, redundant network links, and redundant power supplies. Redundancy is also effective against attacks, since the attacked nodes can be quarantined and then replaced by the backup.

Answer 98

A: Bollards Corrective security controls are measures used to address security vulnerabilities or weaknesses already identified. Backups, patches, and Disaster Recovery Plans are all corrective security controls (see ISC2 Study Guide, chapter 3, module 2). Backups can help ensure that important information is not lost in the event of an incident. Patches can help fix vulnerabilities and improve security. Disaster Recovery Plans are administrative security controls that establish the corrective measures to be implemented in case of a disaster. Bollards are not typically considered a corrective security control.

Answer 99

B: IaaS Infrastructure as a Service (IaaS) is a cloud service model that allows the customer to manage the computing resources (including the operating systems). Software as a Service (SaaS) is a model that provides customers with access to software applications (typically on a subscription-based or pay-per-use model) but does not allow them to access the underlying infrastructure. Platform as a Service (PaaS) is a service model that provides a platform for building, deploying and managing applications; however, like SaaS, it does not offer the ability to access the underlying infrastructure (including the operating system). An SLA is simply a service-level agreement (and not a cloud service deployment model) (see ISC2 Study Guide, chapter 4, module 3).

Answer 100

D: Anonymity A Message Authentication Code (MAC) does not guarantee anonymity. MAC is a cryptographic function that guarantees a message's integrity, authenticity, and non-repudiation. In particular:

Answer 101

B: Mediate, execute and decide top-level decisions Managed Service Providers (MSPs) specialize in remotely managing a client's IT infrastructure and/or end-user systems (see ISC2 Study Guide, chapter 4, module 3). While they provide expert advice and technical support, they typically don't get involved in the strategic business decision-making process for their clients. For example, consider a company that hires an MSP to oversee its IT security. The MSP will monitor for threats, respond to incidents, and even suggest security software. But they won't be making decisions about the company's overall business strategy or mediating high-level internal disputes.

Answer 102

C: In MAC, security administrators assign access permissions; in DAC, access permissions are set at the object owner’s discretion Both Mandatory Access Control (MAC) and Discretionary Access Control (DAC) are used to control access to resources in computer systems (see ISC2 Study Guide, chapter 3, module 3). That being said, the two differ in how the access control rules are enforced. In MAC systems, access to resources is granted or denied based on the resource's sensitivity and the user's clearance level, as determined by a central authority. This means that users cannot grant resource access to other users. In contrast, DAC is a type of access control in which access to resources is based on the discretion of the owner of the resource. In DAC systems, users can grant or deny access to their files or resources. In practice, a resource owner can decide which users have access to that resource (see ISC2 Study Guide, chapter 1, module 3, under Understand Logical Access Controls).

Answer 103

B: Transport Layer TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) are both transport layer protocols, which operate at the fourth layer of the OSI (Open Systems Interconnection) model (see ISC2 Study Guide, chapter 4, module 1). The transport layer (also known as "Layer 4") ensures that data is delivered reliably and efficiently between different devices on a network. TCP is a connection-oriented protocol which establishes a dedicated end-to-end connection. UDP is a connectionless protocol, and therefore does not establish a reliable connection before transmitting data. The choice between using TCP or UDP is typically based on tradeoffs between requirements of reliability and speed. The physical layer ("Layer 1") is responsible for transmitting raw data over a physical medium, such as a copper wire or fiber optic cable. The session layer ("Layer 5") is responsible for establishing, maintaining and terminating connections between different devices on a network. The application layer ("Layer 7") is the highest layer of the OSI model, and is responsible for enabling communication between applications, as well as for providing services to the user.

Answer 104

B. Restore the system to its last state before the change was made In the context of the change management process, the primary objective of a rollback is to restore the system to its last state before the change was made. By rolling back the change, the system can be returned to its previous state, which may help to resolve issues and restore regular operation. Rollbacks can be either triggered automatically in response to a failure or error, or initiated manually during the change management process (see ISC2 Study Guide, chapter 5, module 2). Establishing a minimum understood and acceptable level of security requirements refers to the definition of the minimum acceptable level of security for a system or network. In turn, identifying the required changes refers to identifying any weaknesses or vulnerabilities that need to be addressed in a system or network, as well as to determining the best course of action to address them. Finally, validating the system change process refers to verifying that the process used to implement change to a system is working as intended. This validation involves testing changes to ensure they do not cause unintended consequences or disruptions.

Answer 105

D. Spoofing Spoofing is an attack whose primary goal is to gain access to a target system through a falsified identity. In a spoofing attack, the attacker creates or manipulates a digital identity or communication, so as to deceive the target into believing that the attacker is someone or something else. There are many different types of spoofing attacks, including email spoofing, IP spoofing, and URL spoofing. Such attacks are used to gain unauthorized access to systems or networks, steal sensitive information, or spread malware (see ISC2 Study Guide, chapter 4, module 2). The other types of attacks listed above have different primary goals. DDoS (Distributed Denial of Service) attacks aim at overwhelming a target system with traffic to disrupt its operation; amplification attacks involve using a third-party system to amplify the strength of an attack; and ransomware attacks typically encrypt a target system's data, and then demand a ransom in exchange for the decryption code.

Answer 106

A. Spoofing Spoofing is not a type of malware. Spoofing is an attack whose primary goal is to gain access to a target system through a falsified identity (see ISC2 Study Guide, chapter 4, module 2). Trojans, rootkits and worms are all different types of malware. A Trojan is a type of malware that disguises itself as a legitimate program or file. A Rootkit is a type of malware that hides itself to go unnoticed in the compromised system, or in the victim's computer. A Worm is a type of malware designed to replicate itself and spread to other computers, often over a network

Answer 107

C. Message Digest The primary function of message digesting is to ensure data integrity (which can be defined as maintaining and ensuring the accuracy and consistency of data throughout its lifecycle). Message digesting is a technique that uses cryptographic hash functions, such as MD5 or SHA-256, to create a unique, fixed-length summary, or "digest," of the original message data. For example, when a file is downloaded from a Web site, the Web site can provide a hash value (message digest) for the file. After downloading, the user can perform the same hash function on the file. If the resulting message digest matches the one provided by the Web site, the integrity of the file is confirmed because it has not been altered during transmission. As for the other options, content encryption is used primarily for confidentiality, not integrity. While it can provide some level of integrity, its primary purpose is to prevent unauthorized access to data. Labeling is used for data classification, not integrity. It helps identify the sensitivity of data and apply appropriate protection measures. Finally, backups do not actively prevent data corruption or tampering, and may not even be able to detect changes in the data unless a comparison with the original data is made.

Answer 108

B. Service Pack A service pack comprises a collection of updates, fixes or enhancements to a software program delivered as a single installable package. A hotfix (or quick-fix) engineering update is a cumulative package which includes information that will be used to address a problem in a software product. A software patch is a quick-repair job for a piece of programming, and is designed to resolve functionality issues, improve security and/or add new features.

Answer 109

B. Walk Through Exercise A walk-through exercise reviews each step of the incident, in order to ensure that every team member knows exactly what they should do, and how they should do it. In tabletop exercises, team members are given a scenario and asked how they would respond, as well as what tasks they believe would be relevant. A simulation exercise attempts to recreate an actual incident so as to thoroughly test responses. Checklists are essential in incident response, but aren't actually a specific type of exercise.

Answer 110

D. Digital Signatures Non-repudiation means ensuring that the sender cannot later deny having sent the message. Digital signatures provide an undeniable match between sender and digital signature. We can think of a digital signature as a Message Digest encrypted with an asymmetric key: first, the message hash is encrypted using the sender's private key; then, the message (possibly encrypted) previously encrypted message hash; finally, the recipient decrypts the signature with the sender's public key, and transfers the decrypted content to the same cryptographic hash. Non-repudiation is guaranteed because, if the output of the hash matches the decrypted hash, then the recipient knows that the message is not forged, and that no one else but the sender could have created that signature and sent that message (see ISC2 Study Guide, chapter 1, module 1). A Virtual Private Network (VPN) creates a secure tunnel between endpoints, thereby ensuring confidentiality. However, without a digital signature, an attacker could still send a message over a secure channel and then deny having sent it. Passwords are a mechanism for authentication, and are not typically used for non-repudiation. Some applications ask the sender to enter a password previously sent by the receiver to sign a message. Finally, encryption is the cryptographic transformation of data in order to conceal its original meaning. This concept is distinct from non-repudiation. Consider the scenario where we may need to guarantee the non-repudiation of a plain (that is, non-encrypted) message.

Answer 111

D. Physical The physical layer exists in the OSI model, but not in the TCP/IP model. The TCP/IP Protocol Architecture Layers are: [1] Application (Determines the protocols for the Transport layer); [2] Transport (Allows for data to move among devices); [3] Internet (Creates and inserts packets); [4] Network Interface (Governs how data will move through the network) (for more on this, see ISC2 Study Guide, Chapter 4, Module 1).

Answer 112

D. Risk Mitigation Risk mitigation is not part of risk assessment. Risk mitigation is a process that follows risk assessment. It involves developing strategies and actions to reduce and control the risk to the organization's data or IT infrastructure. For example, a cybersecurity engineer might identify a risk in a financial organization, such as potential phishing attacks. The engineer would then assess this risk, evaluate its potential impact, and prioritize it among other identified risks. However, the process of managing that risk—deciding how to mitigate it, implementing the necessary controls, and monitoring the effectiveness of those controls—falls under risk mitigation, not risk assessment. On the other hand, risk identification, risk evaluation, and risk prioritization are all components of risk assessment. Risk identification involves identifying potential threats or vulnerabilities. Risk evaluation involves determining the potential impact of those identified risks, and risk prioritization involves ranking those risks in order of potential impact or likelihood of occurrence

Answer 113

A. Hybrid A hybrid cloud deployment model combines public and private cloud storage. For example: an organization might use private cloud storage for sensitive or proprietary data that needs to be kept confidential, while at the same time using public cloud storage for less sensitive data or workloads, which are more suited to a shared infrastructure. This allows the organization to tailor its cloud storage strategy to meet the specific needs of its workloads, while at the same time taking advantage of the economies of scale and flexibility offered by public cloud storage (see ISC2 Study Guide, chapter 4, module 3). Other types of cloud deployment models include the public cloud, where the infrastructure is owned and operated by a third-party provider and made available to the public; and the private cloud, where the infrastructure is owned and operated by a single organization and not made available to the public. Finally, a community cloud is a type of cloud infrastructure shared by organizations with similar needs, and is not made available to the public.

Answer 114

D. To sustain business operations while recovering from a disruption The primary objective of a Business Continuity Plan (BCP) is to maintain business operations while recovering from a disruption (see Chapter 2 ISC2 Study Guide, Module 4, under Terms and Definitions). A BCP is designed to ensure that critical business functions continue during a crisis and that the organization can recover effectively. For example, suppose a company's headquarters is damaged by a natural disaster. In this case, a well-prepared BCP might include moving operations to a secondary location or having employees work from home to ensure that business operations are not disrupted. The remaining options, while important aspects of an organization's overall risk management strategy, are not the primary objective of a business continuity plan (BCP). Restoring the business to its last known reliable operating state is the goal of a disaster recovery plan, not a BCP. A Disaster Recovery Plan focuses more on restoring the IT infrastructure and systems to their pre-disaster state. In contrast, a BCP focuses on ensuring that critical business operations continue during and after a disruption. Assessing the impact of a disruption is then part of risk analysis, which is a component of business continuity planning but not its primary objective. Risk analysis helps identify potential threats and vulnerabilities and the impact they could have on the business, but the primary goal of a BCP is to outline how the business will continue to operate during and after a disruption. Finally, compliance management is the regular review of the organization's compliance with applicable regulations.

Answer 115

D. VPN A VPN is a type of network technology that creates a secure encrypted connection between a device and a network. This connection allows users to communicate with each other and access network resources as if they were on the same local network, even if they are in different locations (see ISC2 Study Guide, chapter 4, module 3). A VLAN (Virtual Local Area Network) is a network segmentation technology that allows devices on a network to be logically grouped, even if they are in different locations. Firewalls are network security systems that control incoming and outgoing network traffic according to predetermined security rules. Finally, a router is a networking device that forwards data packets between computer networks, but does not provide the same level of security as a VPN.

Answer 116

A. Zero Customer Responsibility The characteristics of the cloud, also known as the "five essential characteristics" of cloud computing, are (see ISC2 Study Guide, chapter 4, module 3): 1. Broad network access: Cloud resources, such as the internet, can be accessed over a network; 2. Rapid elasticity: Cloud resources can be scaled up or down quickly and automatically to meet changing demand; 3. Measured service: Cloud providers track and measure the use of resources, and users are typically charged based on their usage; 4. Resource pooling: Cloud providers pool resources (such as storage and computing power) and allocate them to users on demand; 5. On-demand self-service: Cloud users can access computing resources on demand without human intervention. Finally, the cloud model is typically run under the shared responsibility model, where the provider is responsible for both maintaining the infrastructure and delivering the resources and services to the customer. In contrast, the customer uses the resources and services according to the terms of their agreement with the provider. Therefore, zero customer responsibility is NOT a characteristic of the cloud.

Answer 117

B. To guarantee that system changes are performed without negatively affecting business operations The primary goal of a Change Management Policy is to realize the benefits of the system's changes while minimizing disruptions to business operations, namely by ensuring the integrity of the organization's systems and processes (see ISC2 Study Guide, chapter 5, module 3). Guaranteeing that systems have the latest security patches is the goal of a Patch Management Policy. A Networking Policy governs the usage of networks, and an Acceptable Use Policy governs the usage of computer systems. The creation of networks and computer systems in an organization is governed by the following: * Networking standards: cover the protocols, technologies, and practices used to create and operate networks, including local area networks (LANs), wide area networks (WANs) and the internet; * System development standards: guide the design, development and maintenance of both software and computer systems

Answer 118

B. References, education, political affiliation, employment history When conducting background checks on new employees, it is illegal for an organization to discriminate on the basis of political affiliation to prevent a potential or current employee's political preferences from being a factor in hiring or career decisions (see ISC2 Study Guide, chapter 5, module 4). For example, a company hiring for a cybersecurity role can legally consider factors such as a candidate's references, education, work history, and even criminal or credit history. However, they cannot reject or select a candidate based on their political affiliation or views. The remaining options are incorrect because they include factors such as credit history, employment history, references, and criminal history. While these factors can be potentially controversial and must be handled with care, they are not generally prohibited from being considered during the hiring process. Indeed, collecting these factors are legal in certain jurisdictions

Answer 119

D. Applying the longest retention periods to the information A common mistake in record retention is applying the longest retention period without taking into account the sensitivity or importance of the corresponding information. Retaining unnecessary data has considerable costs in terms of storage and management. Less important or sensitive information can have shorter retention periods, thereby allowing longer retention periods for more important or sensitive information (see ISC2 Study Guide, chapter 5, module 1).

Answer 120

C. A network on a building or limited geographical area A local area network (LAN) typically covers a single floor or building. Long-distance connections between geographically-distant networks form something called a wide area network (WAN). Multiple devices in a network are connected through hubs or switches. The management and control of network traffic and protection is achieved by specialized equipment, such as firewalls

Answer 121

A. Patches Patches are a type of corrective security control, since they repair damage and restore resources and capabilities to a secure and previously-updated state (see ISC2 Study Guide, chapter 5, module 2). Encryption is a preventive security control that ensures data confidentiality. Intrusion detection systems are detective controls, since they monitor a given system for unwanted activity. Intrusion detection systems (IDS) alert administrators to potential security breaches or attacks. Although they help prevent or mitigate their impact, they are not in themselves corrective controls. Guidelines provide recommendations or suggestions for achieving a particular goal or objective, and are often used to guide best practices or recommended approaches; furthermore, they are not typically considered corrective security controls.

Answer 122

B. /27 A subnet mask is a number that distinguishes between the network address and the host address. Subnetting divides a network into two or more subnets (see ISC2 Study Guide, chapter 4, module 1). To allow 30 hosts + 2 addresses for broadcast and network addresses. Thus, we are looking for the mask 255.255.255.224, or /27 using CIDR (Classless Inter-Domain Routing) notation. For 32 addresses, we need 5 bits and the mask /32 - log2(32) = /32 - 5 = /27. As for the remaining masks, /26 would result in 64 hosts, /29 in 8 hosts, and /30 in 4 hosts.

Answer 123

B. Regulations Regulations are created by governments or national authorities, and often lead to financial fines for infringement. For example, the EU's GDPR prescribes penalties of up to 2% of annual revenue. Standards are created by governing or professional bodies (not by governments), and thus are not legally enforceable. Regulations are mandatory, while standards are voluntary. Policies and guidelines are internal to organizations, and are therefore not subject to financial penalties (see ISC2 Study Guide Chapter 1, Module 4).

Answer 124

A. Requiring approval before accessing privileged tools Requiring authorization before accessing privileged tools is an example of an administrative control, specifically an instance of segregation of duties (SoD), which refers to the division of roles and responsibilities among different people to reduce the risk of potential errors or fraud. For example, in a software development organization, a developer may need access to certain privileged tools for debugging purposes. However, instead of granting unrestricted access, the company's policy can require that the developer first obtain approval from a manager or system administrator. This divides the responsibility for accessing privileged tools between the requester and the approver, ensuring that no single person has complete control over this sensitive task. The remaining examples are physical controls, not administrative controls. Using a turnstile to prevent tailgating is a physical control. Posting a sign to direct vendors to their entrance is a physical control that manages the flow of people through a facility. Installing video cameras to monitor access to a facility is a physical control that monitors and records physical access.

Answer 125

C. Cross-Site Scripting Cross-Site Scripting (XSS) is an attack where malicious executable scripts are injected into an otherwise benign website (or web application) code. Websites are vulnerable to XSS when they display data originating from requests or forms without validating it (and further sanitizing it, so that it is not executable) (see ISC2 Study Guide, chapter 4, module 2). Trojans and phishing are attacks where software applications and messages try to appear legitimate, but have hidden malicious functions. They do not necessarily rely on poor input validations. Finally, input validation does not even apply to a rootkit attack.

Answer 126

D. Changing security attributes As a principle, users can perform Read, Write and Execute actions with every Access Control policy. However, in discretionary access control policies, the permissions associated with each object (files or system resources) are set by the object's owner. In this model, the creator of an object implicitly becomes its owner, and therefore can decide who will have permission to the objects (see ISC2 Study Guide, chapter 3, module 3). A major weakness of DAC is that it gives users complete control to set security level settings for other users, which can result in users having more privileges than they are supposed to.

Answer 127

A. Management On most incident response teams, members of management or organizational leadership act as a primary conduit to senior management (see ISC2 Study Guide, chapter 2, module 1). The management team member also ensures that difficult or urgent decisions can be made without escalating authority. Communications and public relations staff focus on internal and external communications that typically differ from the direct conduit to senior management. Technical and information security experts are primarily concerned with undertaking incident response work.

Answer 128

C. 00-51-02-1F-58-F6 All network devices have a 48-bit Media Access Control (MAC) address, represented as six groups of 8 bits values in hexadecimal (see ISC2 Study Guide, chapter 4, module 1 - Understand Computer Networking). An example of a MAC address would be 00-51-02-1F-58-F6. An IPv4 address is a 32-bit address represented as a sequence of four 8-bit integers, an example of which would be 10.23.19.49. An IPv6 address is a 128-bit address represented as a sequence of eight groups of 16-bit hexadecimal values, an example of which would be 2001 : db8: 3333 : 4444 : 5555 : 6666 : 7777 : 8888. The string 0051021f58 is a 40-bit WEP key consisting of 10 hexadecimal digits typically represented as a string of 5 ASCII characters. WEP keys are used to secure wireless networks, and can be either 40 bits or 104 bits in length, depending on the encryption mode that is used.

Answer 129

A. Data at rest Data at rest is stored data that resides on hard drives, on tapes, in the cloud, or on other storage media like (in this case) a USB pen. Data in processing (also called data in use) is actively used by a computer system. Data sent over a network is called data in motion. Data in transit is a term that does not usually apply to such a situation.

Answer 130

B. Trust but verify The "Trust but verify" model is a method of threat protection that involves granting privileged accounts access to the network and other resources, while at the same time verifying their actions and activities. However, over time, this model was found to have limitations that expose organizations to a wide array of security threats. Therefore, "Trust but verify" is being progressively abandoned in favor of the Zero Trust model. The remaining options are all best practices of access management.

Answer 131

B. Password complexity requirements Password complexity requirements do not prevent the sharing of complex passwords, making it the least effective option from the list. Enforcing complex passwords is a good practice for improving account security, but it does not effectively prevent account sharing. Users can still share complex passwords, making this the least effective measure for preventing account sharing. For example, consider a scenario in an enterprise environment where a team shares a single account for a software tool. Even if the password is complex, one team member can easily share the password with others, defeating the purpose of individual accountability and potentially compromising security. The other options are more effective at preventing shared accounts. Requiring biometric authentication requires the registered user to be physically present when logging in, making account sharing much more difficult. One-time passwords via a token or application are difficult to share because they are valid for a single login session and then expire. With one-time passwords, even if a user wanted to share their account, they would have to share the token or give access to the application that generates the one-time password each time, which is very inconvenient and discourages account sharing. Therefore, these methods are more effective at preventing account sharing than password complexity requirements.

Answer 132

D. Protected Health Information PHI is an acronym that stands for Protected Health Information (see ISC2 Study Guide, chapter 1, module 1). The remaining options are incorrect.

Answer 133

A. Worm A worm is a type of malware designed to replicate itself and spread to other computers without human intervention. Worms exploit operating systems, network servers and other software vulnerabilities in order to propagate themselves. They can cause various damaging effects, including disrupting network performance, consuming bandwidth, and stealing sensitive information (see ISC2 Study Guide, chapter 4, module 2). Some worms can also perform directly malicious actions, such as installing rootkits, backdoors or other malicious software on the systems they infect. Viruses, like worms, replicate themselves and exploit vulnerabilities in systems or software to propagate themselves. However, viruses typically require human intervention (like being activated from an e-mail or downloaded from the internet to be run on a system). On the other hand, Trojans do not replicate themselves, and typically rely on human intervention to be delivered and installed. Finally, rootkits are malware that conceals the presence of other malicious software (such as viruses or Trojans) on a system, namely by hiding their files, processes, and other system artifacts.

Answer 134

A. Awareness An awareness poster or campaign can be effective in engaging a user's attention and encouraging them to consider their password practices. Specific strategies include highlighting the risks associated with weak or easily guessable passwords (such as the risk of account compromise or data theft) and encouraging users to remember to use a password manager to store and manage their passwords securely. The primary goal of education is to help learners improve both their understanding of concepts and their ability to relate to them. Education about password management may involve learning how to create and manage passwords effectively. Training focuses on building proficiency in a set of skills. Methods such as lectures, workshops, and online courses can be considered training. Schooling is the process of teaching in a school, which may or may not include posters (see ISC2 Study Guide, chapter 5, module 4).

Answer 135

C. Secure Credut Cards Payments PCI-DSS (Payment Card Industry Data Security Standard) is a standard used in the payment card industry. Protected Health Information (PHI) is any individually identifiable health information that is created, used or disclosed while providing healthcare services. The Health Insurance Portability and Accountability Act (HIPAA) is a United States law aimed at protecting PHI. Personally Identifiable Information (PII) is any information that is capable of identifying an individual. PII is protected by regulations, such as GDPR (in the EU) and HIPAA and PCI-DSS (in the US). Finally, Change management is the process of planning, implementing and controlling changes to a company's information systems.

Answer 136

C. A cost prediction of the immediate response procedures Cost predictions of response procedures are not typical components of business continuity plans (BCP). A BCP typically includes the following elements: * A list of BCP team members, who will be responsible for implementing the BCP and coordinating the response to an incident; * Immediate response procedures and checklists, with step-by-step instructions for responding to an incident and restoring operations; * Notification systems and call trees for alerting personnel, the purpose of which is to effectively communicate with personnel and coordinate incident response; * Procedures for backup and restoration of critical systems and data, including steps for backing up and restoring essential systems and data, in the event of an incident; * Procedures for maintaining business operations, detailing the steps for maintaining business operations during and after an incident; * BCP testing and maintenance procedures for regularly testing and maintaining the BCP, in order to ensure that it is both effective and up-to-date; * Communications and PR plan, for communicating with stakeholders, customers and the public about a given incident and the actions needed to address it.

Answer 137

A. Web application vulnerability scanner Intrusion detection systems are designed to detect attacks, not vulnerabilities. The remaining three tools could all possibly discover cross-site scripting (XSS) vulnerabilities. However, a web application vulnerability scanner is the one that's most likely to detect it, since it is specifically designed to test web applications (see ISC2 Study Guide, chapter 4, module 3).

Answer 138

C. IPSec VPN A replay attack is when an attacker captures and resends (i.e. "replays") authenticated messages (see ISC2 Study Guide, chapter 4, module 2). An IPSec VPN can prevent a replay attack because it tracks packet sequencing and includes the sender's signature on all packets; therefore preventing forged packages. Message digesting is ineffective in preventing resends (and thus also replay attacks), since it doesn't matter whether the attacker can read or decipher the original message and key (all they would have to do would be to resend the message and key together). One-time passwords can be used as a temporary session key known both to the sender and to the receiver that cannot be reused; although related, the concept 'password authentication' refers to a means to identify a user to a given system, and this is different from a one-time password. Firewalls are equipment that filters inbound Internet traffic, and are ineffective against replay attacks inside a network.

Answer 139

D. Ransomware Ransomware is an attack that encrypts an organization's information (thereby rendering it inaccessible or unusable) and then demands payment in exchange for the decryption code (see ISC2 Study Guide, chapter 4, module 2). A distributed denial-of-service (DDoS) attack is a type of attack in which a large amount of malicious traffic is directed at a specific target (such as a website or server), so as to overwhelm it, thus making it unavailable to users. Phishing is an attack in which attackers send fake emails or text messages that seem to come from legitimate sources, so as to trick the recipient into revealing sensitive information or clicking on a malicious link. Finally, spoofing is an attack in which an attacker impersonates another person or device to gain unauthorized access to a system, or to steal

Answer 140

D. Security Awareness Training The correct answer is that D. Security Awareness Training refers to educational programs that teach users to recognize and avoid security threats. Security Awareness Training is not a security principle but rather a human-focused control. Zero Trust model, Separation of Duties and Least Privilege are all security principles. The Zero Trust model is based on the idea that organizations should not trust any user, device or network (even within the organization's own network) until appropriately verified. Separation of Duties is a principle that involves dividing tasks and responsibilities among different individuals or groups, in order to prevent any single individual or group from having too much control over a given process. This helps reduce the risk of fraud or errors. Least Privilege prescribes limiting privileges and access to resources only to those users and processes that actually need them. This helps reduce the risk of unauthorized access, or of misuse of resources.

Answer 141

B. Retention Policies For many organizations, retention policies entail keeping data only for a limited time. Because of the high costs of data storage capacity, organizations maintain specific logs only for a short period of time (a few hours to several days), and keep other data records for more extended periods (months to years). Because of this, not all data regarding an incident may be available. Communication and incident response policies can provide valuable help to an incident investigation. Finally, configuration standards are not considered policies (see ISC2 Study Guide, chapter 1, module 4).

Answer 142

A. Business Continuity Plan A Business Continuity Plan (BCP) is a predetermined set of instructions describing how an organization's business processes will be sustained during and after a significant disruption (see Chapter 2 ISC2 Study Guide, module 4, under Terms and Definitions). A Business Impact Analysis (BIA) is a method of analyzing how such disruptions can affect an organization. A Disaster Recovery Plan is used to recover systems after a major failure or disaster. The term 'Business Impact Plan' does not actually exist in Cybersecurity.

Answer 143

A. Mandatory Access Control Mandatory Access Control (MAC) is a model of access control that is commonly used in the military, because it enables the centralized management of access rights, as well as the enforcement of strict security policies (see ISC2 Study Guide, chapter 3, module 3). In MAC, access to resources is based on the classification level of a given resource, as well as on the clearance level of the user. The use of classification and clearance levels allows for a hierarchical approach to security, whereby access to more sensitive resources is restricted to users with a higher clearance level. This is important in the military, where the risk of unauthorized access or actions can have very serious consequences. Role-Based Access Control (RBAC) restricts access to the resources of a computer or network according to the roles of each individual user in the organization. Attribute-Based Access Control (ABAC) is based on complex attribute rules. In Discretionary Access Control (DAC), users can grant privileges to other subjects, as well as change the security attributes of objects they have access to.

Answer 144

A. RBAC Role-Based Access Control (RBAC) restricts access to the resources of a computer or network according to the roles of each individual user in the organization (see ISC2 Study Guide, chapter 3, module 3). Attribute-Based Access Control (ABAC) is based on complex attribute rules. In Discretionary Access Control (DAC), users can grant privileges to other subjects, as well as change the security attributes of objects they have access to. In Mandatory Access Control (MAC), no roles are required, since access is established by both the security level of documents and the level of clearance of the user.

Answer 145

C. IPv6's NAT implementation is insecure IPv6 does not include network address translation (NAT), since many IP addresses are available. As a result, there is no NAT implementation, and so IPv6 can't actually have an insecure version. Rules based on static IPv6 addresses may not work, since IPv6 addresses are often dynamically assigned. Thus, certain security controls that rely on static address rules (such as firewalls or access controls) may not work in all cases. Reputation services are still relatively rare, and also somewhat less useful for IPv6 traffic. Finally, an organization needs to configure its security controls to handle IPv6 traffic adequately; otherwise, IPv6 traffic may bypass many existing IPv4 security tools (see ISC2 Study Guide, chapter 4, module 3).

Answer 146

C. Senior Management Senior management is typically responsible for setting the organization's overall direction and strategy, and for ensuring that policies and procedures are in place to support that strategy. Therefore, it is the senior management's responsibility to sign the organization's policies. Although other departments and stakeholders may be called in to develop and draft policies, it is ultimately the responsibility of senior management to sign off on the policies, indicating their approval and support.

Answer 147

B. Log Auditing Log auditing is not a feature of a SIEM (Security Information and Event Management). A SIEM typically provides the following features: * Log consolidation, which consists in collecting logs from various sources (like servers, firewalls or IDS/IPS) and then storing them in one central location. * Log retention, which consists in storing logs for a specific period (like 90 days), so as to allow security analysts to keep track of and investigate past events. * Log encryption, which is an optional feature that safeguards the confidentiality of log data. * Log analysis, which involves identifying patterns, trends and anomalies related to security events, in or close to real time. Though related to log analysis, log auditing specifically refers to ensuring the reliability and trustworthiness of log data for debugging, performance monitoring, security, and compliance purposes. This is usually done on a periodic basis (not in real-time).

Answer 148

C. MOU A Memorandum of Understanding (MOU) outlines the terms and conditions for collaboration, including eventual restrictions on the use of information (see ISC2 Study Guide, chapter 4, module 3). A Memorandum of Agreement (MOA) is similar to an MOU, but is both more formal and legally binding. A Service Level Agreement (SLA) is a contract between a service provider and a customer which specifies service-related guarantees or warranties. A non-disclosure agreement (NDA) restricts parties from sharing confidential information.

Answer 149

A. Differential Backup A differential backup is a backup that captures the changes made since the latest full backup. Incremental backups capture changes since the latest backup (which can be full or incremental), and snapshots are live copies of a system. Neither incremental backups nor snapshots necessarily capture changes since a full backup (see ISC2 Study Guide, chapter 5, module 1).

Answer 150

B. Defense in depth An organization that uses a layered approach when designing its security architecture is using a defense in-depth approach. In a defense in-depth approach, different layers of security controls may be implemented at different levels of the organization, such as at the network, application and user levels (see ISC2 Study Guide, chapter 4, module 3). Network Access Control refers to the process of controlling access to a network. Network layers refer to the different levels of a computer network, such as the network infrastructure, network applications and network devices. Zero trust is a security strategy which assumes that all network traffic is potentially malicious and requires verification.

Answer 151

C. Warm Site A warm site is a type of recovery site that has most or all of the necessary systems in place, but does not have the current data needed to immediately take over operations in the event of a disaster (see the ISC2 Study Guide, Chapter 2, Module 3). These sites have hardware and connectivity, but data is typically restored from backups that may not be current. For example, a financial services company might have a warm site in another city. This site would have all the necessary servers, storage, and networking equipment. In the event of a disaster at the primary site, the company would use backups to restore the data at the warm site. However, because the data is not continuously updated, operations could be delayed until the most recent data is restored. On the other hand, a hot site is a fully operational duplicate of the primary site, with real-time data replication, ready to take over immediately. A cold site is a basic facility with infrastructure such as power and cooling, but no pre-installed hardware or data, and requires significant time to become operational. Finally, a cloud site is not a standard term used in disaster recovery or cybersecurity (and it doesn't refer to a hot, warm, or cold site).

Answer 152

D. Motion Detection Motion-detecting cameras record only when motion is detected, and thus help in reducing video storage requirements. A recording will occur more rarely in low-occupancy places (like data centers), thus conserving storage. In more heavily used areas, the impact on total storage space used will be negligible. Infrared cameras, facial recognition, and the ability to pan, tilt, and zoom (PTZ) a camera are important features, but more is needed to conserve storage space.

Answer 153

D. The rule An Access Control List (ACL) is a list of rules that specifies which users or systems are granted or denied access (i.e., have permission to access) to a particular object or system resource (see ISC2 Study Guide, chapter 3, module 4). Each rule in the ACL specifies the permissions, such as read, write, or execute, that a subject has over an object. For instance, in a file system, an ACL might include a rule that grants read and write access to a specific user for a particular file. This rule determines the permissions that the user has for that file. The subject is a user or a process run by a user, which inherits the user authorization. The object is the resource or data in the system (or the network) to be accessed. Firmware is a type of software embedded in a hardware system; therefore, the concept of an Access Control List does not directly apply to it.

Answer 154

D. Access of private information by an unauthorized person A privacy breach is a compromise of confidentiality (see ISC2 Study Guide, chapter 2, module 1). The NIST defines privacy breach as "the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or any similar occurrence where a person other than an authorized user accesses (or potentially accesses) personally identifiable information, or uses it for anything other than its authorized purpose". The unavailability of a critical system is a compromise of availability (not of confidentiality). Finally, not every occurrence in a network is an instance of a security breach, and virtually every system and organization is exposed to the possibility of being attacked.

Answer 155

B. Ping sweep A ping sweep is a commonly used method to map live hosts in a network. A ping sweep involves sending a series of ping messages (ICMP Echo Request packets) to a range of IP addresses on a network so as to determine which hosts are currently online. Hosts that are online will respond with a reply message when a ping is sent to them. Collecting the replies makes it possible to map which hosts are currently online on the network (see ISC2 Study Guide, chapter 4, module 3). The remaining options are not typically used to map live hosts in a network. Geolocation is a process for determining a device or user's physical location, based on information obtained from the device's IP or MAC address. Traceroute is a method to determine the sequence of hops that the packets took to a given IP address, so as to both map a network's topology and diagnose connectivity or routing issues. Finally, Wireshark is a network protocol analyzer tool that can be used to view and analyze packets' contents, including the IP addresses and host names.

Answer 156

B. Bollards Bollards are short, vertical posts that block vehicles from accessing a data center. They are, however, ineffective at preventing access to individuals. Fences can be placed around the perimeter of the data center, so as to block unauthorized access and deter potential intruders. Barriers such as gates, walls or barricades can be used to block access to the data center. Finally, turnstiles can be used to control access to a data center, namely by allowing entry only to authorized individuals.

Answer 157

A. Information Security Management System ISO 27002 is a supplementary standard aimed at guiding implementation controls in order to maintain security controls for Information Security Management Systems (ISMS), as defined in ISO 27001. Among many other aspects, these security controls comprise application security. Risk management is an activity that is touched on in this standard, but is not its primary focus (it is the focus of the ISO 31000 standard). HIPAA is the United States law that governs the privacy of healthcare information.

Answer 158

C. ... a minimum understood and acceptable level of security requirements A security baseline is a set of security standards, guidelines and procedures used to ensure that a system or network meets a minimum level of security. Security baselines are typically based on industry best practices, regulatory requirements, and an organization's specific security needs. The primary objective of a security baseline is to establish a minimum understood and acceptable level of security requirements. While it is true that a security baseline specifies security and configuration requirements that must be met to ensure that the system or network is adequately protected, that is actually not its primary goal (see ISC2 Study Guide, chapter 5, module 2). The other options do not apply, since they do not align the definition of a security baseline. Moreover, enforcing a maximum number of security requirements is not necessarily a good practice, since practically no organization could bear such a cost.

Answer 159

A. Instructions on data ownership and destruction A Service Level Agreement (SLA) is a contract between a service provider and a customer which defines the level of service that the provider will deliver. It must include instructions on data ownership and destruction in order to ensure that sensitive data is properly protected. A set of instructions or procedures to detect, respond, and limit the consequences of a cyber-attack is called an Incident Response Plan (see ISC2 Study Guide chapter 2, module 1, under The Goal of Incident Response). A plan to sustain business operations while recovering from a significant disruption is called a Business Continuity Plan (see ISC2 Study Guide chapter 2, module 2, under The Importance of Business Continuity). A plan to prepare an organization for the continuation of critical business functions is called a Disaster Recovery Plan (see ISC2 Study Guide chapter 2, module 3, under The Goal of Disaster Recovery).

Answer 160

B. Communicating with top management regarding the circumstances of the cybersecurity event While communicating with senior management about the circumstances of a cybersecurity event is important, it is not a primary responsibility of the incident response team. The response team's primary responsibility is to address the immediate impact of the incident and restore security as quickly as possible. For example, if a data breach occurs, the response team's focus would be on determining the extent of the breach, determining if any confidential information has been compromised, and implementing recovery procedures to restore security and recover from the damage. In fact, when an incident occurs, a response team's primary responsibilities include the following * Determine the extent of the damage caused by the incident and the resources required to recover from it; * Determine if any confidential information was compromised during the incident; * Implementing the recovery procedures necessary to restore security and recover from the damage caused by the incident (including restoring systems, recovering data, and implementing any necessary security controls); * Communicating with relevant parties (such as users, customers, and other stakeholders) about the incident and the steps needed to address it. Communication with senior management is typically the responsibility of the incident manager or designated spokesperson, not the incident response team.

Answer 161

B. Routers A router is a networking device whose primary objective is to determine the most efficient path for traffic to flow across a network. Routers connect two or more networks and forward data packets between them according to their destination address (see ISC2 Study Guide, chapter 4, module 1). When a router receives a data packet, it checks the destination address and determines the best route on which to forward the packet, based on its routing table. The routing table is a set of rules that the router uses to determine the next hop for a given data packet. Hubs connect multiple devices on a network and broadcast incoming data packets to all connected devices. Hubs cannot route data based on destination address; as a result, all connected devices receive all incoming data packets. Switches connect multiple devices on a network and forward data packets between them based on the MAC address of the destination device. Switches use MAC addresses to create a forwarding table that efficiently routes data to the correct destination. Firewalls are network devices or software designed to protect a network from external threats (like hacking and malware). Firewalls can block or allow traffic based on various criteria, such as the source or destination of the traffic, as well as the type of data.

Answer 162

A. Privacy Policy A Privacy Policy outlines the data security mechanisms which ensure that customer data is protected; namely, how Personal Identifiable Information (PII) is collected, stored and processed (see ISC2 Study Guide, chapter 5, module 3). The General Data Protection Regulation (GDPR) is a data protection and privacy regulation for the European Union and the European Economic Area (not a policy). An Acceptable Use Policy (AUP) defines the guidelines and limitations that users must agree on while accessing the organization's network, computer systems or other related resources. Finally, the Remote Access Policy (RAP) defines acceptable methods of remotely connecting to an organization's internal network.

Answer 163

D. Intrusion Prevention System (IPS) An intrusion prevention system (IPS) is designed to monitor network traffic in real-time, identifying patterns or behaviors that may indicate an attempted intrusion or other malicious activity. Whenever an IPS detects suspicious activity, it can also act to protect the network (such as by blocking suspicious traffic, alerting the network administrator, or initiating a response to contain the threat) (see ISC2 Study Guide, chapter 4, module 2). Another type of network security tool is an intrusion detection system (IDS), which is similar to an IPS, except that it focuses on detecting rather than preventing attacks. Firewalls are network security equipment or software that controls the incoming and outgoing network traffic according to predetermined security rules. They are indeed valuable in network security, but do not typically have the detection capabilities of IDS or IPS. Finally, a router is a networking device that forwards data packets between computer networks, but does not have the same security features as an IPS, IDS or firewall.

Answer 164

A. Availability Distributed Denial-of-Service (DDoS) attacks are malicious attempts to block businesses from their traffic by flooding a target server, service or network with malicious coordinated traffic generated by a wide number of systems on the internet. The goal of DDoS attacks is to compromise availability (see ISC2 Study Guide, chapter 1, module 1 and also chapter 4, module 3) . A DDoS attack does not target confidentiality, but it may accidentally compromise integrity. Accountability is the property that actions of an entity can be traced uniquely to that entity (according to NIST SP 800-12), and is not directly threatened by DDoS attacks.

Answer 165

C. Denial of service A denial of service attack (DoS) compromises the availability of a system or service through a malicious overload of requests, thereby activating safety mechanisms that delay or limit the availability of that system or service. As a result, systems or services become temporarily inaccessible to their intended users (see ISC2 Study Guide, chapter 4, module 2). Trojans, phishing and cross-site scripting attacks try to gain access to the system or data covertly, and therefore do not primarily aim at compromising the system's availability.

Answer 166

C. Corrective CCTV cameras are considered a deterrent to criminal activity. In addition, combined with other sensors, they can detect movement, and thus are considered a detective control. Image recordings provide evidence after the fact. According to the NIST, preventive controls are measures to detect, deter and/or reduce an impact of a system. CCTV cameras are not corrective controls, as they are not deployed to repair detected errors or irregularities (see ISC2 Study Guide, chapter 3, module 2).

Answer 167

D, Logic Bomb A logic bomb is a piece of malicious code intentionally inserted into a software system that triggers a negative function when certain conditions are met. An infection does not typically install logic bombs, they are planted by someone with inside access to the system, such as a disgruntled employee (see ISC2 Study Guide, chapter 4, module 2). For example, a programmer might write a logic bomb to delete important files if they ever leave the company. Keyloggers, Trojans, and backdoors are all commonly installed through infections. Keyloggers are designed to record keystrokes to capture sensitive information, Trojans are malware that masquerade as legitimate software, and backdoors provide unauthorized remote access to a computer. Any of these can be installed on a system without the user's knowledge, typically through phishing attacks, malicious downloads, or the exploitation of software vulnerabilities.

Answer 168

D. Identification The correct answer is D. The identification phase of an incident response process involves recognizing the signs of a security incident, understanding its impact, and prioritizing the response. Indicators of compromise and log analysis are key tools used in this phase to review events and identify potential security incidents. For example, suppose an organization's network monitoring system detects unusual traffic patterns. The cybersecurity team would then use indicators of compromise, such as known malicious IP addresses or unusual file modifications, to determine whether a security incident has occurred. They would also analyze logs from various systems to identify any abnormal activity that could indicate an attack. The remaining options are incorrect because they represent other phases of the incident response process that do not primarily involve the use of indicators of compromise and log analysis. Specifically, preparation involves developing the tools, processes, and procedures necessary to respond to potential incidents. Containment is the phase of limiting the impact of the incident to prevent further damage, and remediation involves removing the threat from the system and restoring any affected components.

Answer 169

B. Do what is right in each situation you encounter on the job The concept of 'due Care' (also known as 'the prudent person rule') refers to what a prudent person would do in a given situation. In cybersecurity, 'due care' means taking reasonable steps to secure and protect the organization's assets, reputation and finances. The concept is holistic and includes, among other things: implementing the appropriate security standards, policies and procedures; ensuring proper cybersecurity awareness training; and promoting the continuous improvement of monitoring controls. Applying patches, continuing security practices and acquiring knowledge for the job are specific tasks included in 'due care', but are not good overall definitions of the concept (see ISC2 Study Guide, chapter 1, module 5).

Answer 170

C. Company Management The code of ethics requires security professionals to be honest, but not to behave as law enforcers. The violation of a company's security policy should be reported and handled within the company itself (this will typically involve the human resources, legal, and/or management departments) (see ISC2 Study Guide, chapter 2, module 1). Moreover, only individuals can be reported to the (ISC)² Ethics Committee (not companies). National authorities can only deal with direct violations of laws and regulations.

Answer 171

D, Allocation The three most common goals of cybersecurity attackers are disclosure, alteration, and denial (DAD), which correspond directly to to the cybersecurity triad: confidentiality, integrity, and availability (CIA) (see ISC2 Study Guide, chapter 1, module 1). Allocation means assigning controls to specific system elements responsible for providing a security or privacy capability (e.g., access control systems, routers, servers, etc.), and therefore is not a common goal of a cybersecurity attacker.

Answer 172

A. Advanced Persistent Threat An Advanced Persistent Threat is a threat with unusually high technical and operational sophistication. APTs can be difficult to detect and defend against, as the attackers often use sophisticated techniques to evade detection, and to remain stealthy for extended periods of time. APTs are typically carried out by highly skilled and well-funded attackers (such as nation-state actors or well-organized criminal groups), and often target specific organizations or individuals with the goal of stealing sensitive information or disrupting operations (see ISC2 Study Guide, chapter 4, module 2). The other options listed above are all related to different types of cyber threats, but are not typically associated with APTs. Rootkits are a type of malware designed to conceal the presence of other malicious software on a system, while a ping of death is a type of denial of service (DoS) attack which involves sending a maliciously large ping packet to a target system, in an attempt to overwhelm it. Side-channel attacks exploit information leaked through non-traditional channels (such as power consumption, electromagnetic emissions, or physical timing), in order to gain access to sensitive information or perform other malicious actions.

Answer 173

A, It is an illegal practice Cybersquatting (also known as domain squatting) is the practice of speculatively registering and then selling (typically at a high price) a domain name, with the intent of profiting from someone else's trademark. An example would be someone registering the domain name "mycompany.com" and then offering to sell it to the owner of the trademark "MyCompany" for a high price. Cybersquatting can cause confusion and damage to the trademark owner's brand, which is generally considered unethical and deceptive. Indeed, cybersquatting is an illegal practice under the United States' Anticybersquatting Consumer Protection Act (ACPA), as well as under similar laws in other countries.

Answer 174

B. Erasing the data on a disk Degaussing is a technique used to erase data from a magnetic storage device, such as a hard disk drive (HDD) or magnetic tape. In degaussing, devices are exposed to strong magnetic fields that neutralize the magnetic records of the data stored on the device. This effectively erases the data, making it difficult or impossible to recover. Degaussing is often used to securely erase data from storage devices before disposing or repurposing them, thereby ensuring that unauthorized parties cannot access sensitive or confidential information. Conceivably, a magnetic side-channel attack could target the magnetic fields emitted by a disk, in order to extract information from it. Therefore, strictly speaking, degaussing the disk would prevent the side channel attack by rendering it unusable. However, this is not the primary goal of degaussing (see ISC2 Study Guide, chapter 5, module 1).

Answer 175

B. Determining the likelihood of occurrence of a set of risks Determining the likelihood of occurrence of a set of risks involves estimating the likelihood that the identified risks will occur, along with the potential impact it could have on the organization. Once the likelihood of occurrence has been determined, the next step is to select the appropriate controls to mitigate those risks, such as encryption, access controls, or administrative controls (like policies and procedures). Identifying the risks associated with loss of confidentiality (such as unauthorized access or disclosure of sensitive data) is important but insufficient on its own, as many other risks must also be considered. Finally, accepting all evaluated risks is typically not advisable, as some risks should be mitigated or eliminated. Only risks at a residual level acceptable to the organization should be accepted.

Answer 176

B. Having fake social media profiles and accounts Having fake social media profiles and accounts can be socially objectionable, but does not violate the (ISC)² Ethics Canons (see ISC2 Study Guide, chapter 1, module 5). That being said, seeking to gain unauthorized access to resources on the internet, compromising the privacy of users, and disrupting the intended use of the internet are all considered unethical behaviors by (ISC)², as well as by other similar professional organizations. Aside from being violations of professional codes of conduct, such actions may also be in violation of laws and regulations.