Practice Test 1 Flashcards

1
Q

NIST SP800-53 discusses a set of security controls as what type of security tool?

a. A configuration list
b. A threat management strategy
c. A baseline
d. The CIS standard

A

C. NIST SP 800-53 discusses security control baselines as a list of security controls. CIS releases security baselines, and a baseline is a useful part of a threat management strategy and may contain a list of acceptable configuration items.

2
Q

Ed has been tasked with identifying a service that will provide a low-latency, high-performance, and high-availability way to host content for his employer. What type of solution should he seek out to ensure that his employer’s customers around the world can access their content quickly, easily, and reliably?

a. A hot site
b. A CDN
c. Redundant servers
d. A P2P CDN

A

B. A Content Distribution Network (CDN) is designed to provide reliable, low-latency, geographically distributed content distribution. In this scenario, a CDN is an ideal solution. A P2P CDN like BitTorrent isn’t a typical choice for a commercial entity, whereas redundant servers or a hot site can provide high availability but won’t provide the remaining requirements.

3
Q

Which one of the following is not a function of a forensic device controller?

a. Preventing the modification of data on a storage device
b. Returning data requested from the device
c. Reporting errors sent by the device to the forensic host
d. Blocking read commands sent to the device

A

D. A forensic disk controller performs four functions. One of those, write blocking, intercepts write commands sent to the device and prevents them from modifying data on the device. The other three functions include returning data requested by a read operation, returning access-significant information from the device, and reporting errors from the device back to the forensic host. The controller should not prevent read commands from being sent to the device because those commands may return crucial information.

4
Q

Mike is building a fault-tolerant server and wishes to implement RAID 1. How many physical disks are required to build this solution?

a. 1
b. 2
c. 3
d. 5

A

B. RAID 1, disk mirroring, requires two physical disks that will contain copies of the same data.

5
Q

Which Kerberos service generates a new ticket and session keys and sends them to the client?

a. KDC
b. TGT
c. AS
d. TGS

A

D. The TGS, or Ticket-Granting Service (which is usually on the same server as the KDC), receives a TGT from the client. It validates the TGT and the user’s rights to access the service they are requesting to use. The TGS then issues a ticket and session keys to the client. The AS serves as the authentication server, which forwards the username to the KDC.

6
Q

Communication systems that rely on start and stop flags or bits to manage data transmission are known as what type of communication?

a. Analog
b. Digital
c. Synchronous
d. Asynchronous

A

D. Asynchronous communications rely on a built-in stop and start flag or bit. This makes asynchronous communications less efficient than synchronous communications, but better suited to some types of communication.

7
Q

What type of motion detector uses high microwave frequency signal transmissions to identify potential intruders?

a. Infrared
b. Heat-based
c. Wave pattern
d. Capacitance

A

C. Wave pattern motion detectors transmit ultrasonic or microwave signals into the monitored area, watching for changes in the signals returned by objects they bounce off.

8
Q

Susan sets up a firewall that keeps track of the status of the communication between two systems, and allows a remote system to respond to a local system after the local system starts communication. What type of firewall is Susan using?

a. A static packet filtering firewall
b. An application-level gateway firewall
c. A stateful packet inspection firewall
d. A circuit-level gateway firewall

A

C. Stateful packet inspection firewalls, also known as dynamic packet filtering firewalls, track the state of a conversation and can allow a response from a remote system based on an internal system being allowed to start the communication. Static packet filtering and circuit-level gateways only filter based on source, destination, and ports, whereas application-level gateway firewalls proxy traffic for specific applications.

9
Q

Questions 9–11 refer to the following scenario:

Ben owns a coffeehouse and wants to provide wireless Internet service for his customers. Ben’s network is simple and uses a single consumer-grade wireless router and a cable modem connected via a commercial cable data contract. Using this information about Ben’s network, answer the following questions.

How can Ben provide access control for his customers without having to provision user IDs before they connect while also gathering useful contact information for his business purposes?

a. WPA2 PSK
b. A captive portal
c. Require customers to use a publicly posted password like “BensCoffee.”
d. Port security

A

B. A captive portal can require those who want to connect to and use Wi-Fi to provide an email address to connect. This allows Ben to provide easy-to-use wireless while meeting his business purposes. WPA2 PSK is the preshared key mode of WPA and won’t provide information about users who are given a key. Sharing a password doesn’t allow for data gathering either. Port security is designed to protect wired network ports based on MAC addresses.

10
Q

Questions 9–11 refer to the following scenario:

Ben owns a coffeehouse and wants to provide wireless Internet service for his customers. Ben’s network is simple and uses a single consumer-grade wireless router and a cable modem connected via a commercial cable data contract. Using this information about Ben’s network, answer the following questions.

Ben intends to run an open (unencrypted) wireless network. How should he connect his business devices?

a. Run WPA2 on the same SSID.
b. Set up a separate SSID using WPA2.
c. Run the open network in Enterprise mode.
d. Set up a separate wireless network using WEP.

A

B. Many modern wireless routers can provide multiple SSIDs. Ben can create a private, secure network for his business operations, but he will need to make sure that the customer and business networks are firewalled or otherwise logically separated from each other. Running WPA2 on the same SSID isn’t possible without creating another wireless network and would cause confusion for customers (SSIDs aren’t required to be unique). Running a network in Enterprise mode isn’t used for open networks, and WEP is outdated and incredibly vulnerable.

11
Q

Questions 9–11 refer to the following scenario:

Ben owns a coffeehouse and wants to provide wireless Internet service for his customers. Ben’s network is simple and uses a single consumer-grade wireless router and a cable modem connected via a commercial cable data contract. Using this information about Ben’s network, answer the following questions.

After implementing the solution from the first question, Ben receives a complaint about users in his cafe hijacking other customers’ web traffic, including using their usernames and passwords. How is this possible?

a. The password is shared by all users, making traffic vulnerable.
b. A malicious user has installed a Trojan on the router.
c. A user has ARP spoofed the router, making all traffic broadcast to all users.
d. Open networks are unencrypted, making traffic easily sniffable.

A

D. Unencrypted open networks broadcast traffic in the clear. This means that unencrypted sessions to websites can be easily captured with a packet sniffer. Some tools like FireSheep have been specifically designed to capture sessions from popular websites. Fortunately, many now use TLS by default, but other sites still send user session information in the clear. Shared passwords are not the cause of the vulnerability, ARP spoofing isn’t an issue with wireless networks, and a Trojan is designed to look like safe software, not to compromise a router.

12
Q

Which one of the following is not a mode of operation for the Data Encryption Standard?

a. CBC
b. CFB
c. OFB
d. AES

A

D. The DES modes of operation are Electronic Codebook (ECB), Cipher Block Chaining (CBC), Cipher Feedback (CFB), Output Feedback (OFB), and Counter (CTR). The Advanced Encryption Standard (AES) is a separate encryption algorithm.

13
Q

Tom is tuning his security monitoring tools in an attempt to reduce the number of alerts received by administrators without missing important security events. He decides to configure the system to only report failed login attempts if there are five failed attempts to access the same account within a one-hour period of time. What term best describes the technique that Tom is using?

a. Thresholding
b. Sampling
c. Account lockout
d. Clipping

A

D. Clipping is an analysis technique that only reports alerts after they exceed a set threshold. It is a specific form of sampling, which is a more general term that describes any attempt to excerpt records for review. Thresholding is not a commonly used term. Administrators may choose to configure automatic or manual account lockout after failed login attempts but that is not described in the scenario.

14
Q

Sally has been tasked with deploying an authentication, authorization, and accounting server for wireless network services in her organization, and needs to avoid using proprietary technology. What technology should she select?

a. OAuth
b. RADIUS
c. TACACS
d. TACACS+

A

B. RADIUS is a common AAA technology used to provide services for dial-up, wireless networks, network devices, and a range of other systems. OAuth is an authentication protocol used to allow applications to act on a user’s behalf without sharing the password, and is used for many web applications. While both TACACS and TACACS+ provide the functionality Sally is looking for, both are Cisco proprietary protocols.

15
Q

An accounting clerk for Christopher’s Cheesecakes does not have access to the salary information for individual employees but wanted to know the salary of a new hire. He pulled total payroll expenses for the pay period before the new person was hired and then pulled the same expenses for the following pay period. He computed the difference between those two amounts to determine the individual’s salary. What type of attack occurred?

a. Aggregation
b. Data diddling
c. Inference
d. Social engineering

A

C. In an inference attack, the attacker uses several pieces of generic nonsensitive information to determine a specific sensitive value.

16
Q

Alice would like to have read permissions on an object and knows that Bob already has those rights and would like to give them to herself. Which one of the rules in the Take-Grant protection model would allow her to complete this operation if the relationship exists between Alice and Bob?

a. Take rule
b. Grant rule
c. Create rule
d. Remote rule

A

A. The take rule allows a subject to take the rights belonging to another object. If Alice has take rights on Bob, she can give herself the same permissions that Bob already possesses.

17
Q

During a log review, Danielle discovers a series of logs that show login failures:

Jan 31 11:39:12 ip-10-0-0-2 sshd[29092]: Invalid user admin from remotehost passwd=aaaaaaaa
Jan 31 11:39:20 ip-10-0-0-2 sshd[29098]: Invalid user admin from remotehost passwd=aaaaaaab
Jan 31 11:39:23 ip-10-0-0-2 sshd[29100]: Invalid user admin from remotehost passwd=aaaaaaac
Jan 31 11:39:31 ip-10-0-0-2 sshd[29106]: Invalid user admin from remotehost passwd=aaaaaaad
Jan 31 20:40:53 ip-10-0-0-254 sshd[30520]: Invalid user admin from remotehost passwd=aaaaaaad

What type of attack has Danielle discovered?

a. A pass-the-hash attack
b. A brute-force attack
c. A man-in-the-middle attack
d. A dictionary attack

A

B. Brute-force attacks try every possible password. In this attack, the password is changing by one letter at each attempt, which indicates that it is a brute-force attack. A dictionary attack would use dictionary words for the attack, whereas a man-in-the-middle or pass-the-hash attack would most likely not be visible in an authentication log except as a successful login.

18
Q

What property of a relational database ensures that two executing transactions do not affect each other by storing interim results in the database?

a. Atomicity
b. Isolation
c. Consistency
d. Durability

A

B. Isolation requires that transactions operate separately from each other. Atomicity ensures that if any part of a database transaction fails, the entire transaction must be rolled back as if it never occurred. Consistency ensures that all transactions are consistent with the logical rules of the database, such as having a primary key. Durability requires that once a transaction is committed to the database it must be preserved.

19
Q

Kim is the system administrator for a small business network that is experiencing security problems. She is in the office in the evening working on the problem and nobody else is there. As she is watching, she can see that systems on the other side of the office that were previously behaving normally are now exhibiting signs of infection. What type of malware is Kim likely dealing with?

a. Virus
b. Worm
c. Trojan horse
d. Logic bomb

A

B. Worms have built-in propagation mechanisms that do not require user interaction, such as scanning for systems containing known vulnerabilities and then exploiting those vulnerabilities to gain access. Viruses and Trojan horses typically require user interaction to spread. Logic bombs do not spread from system to system but lie in wait until certain conditions are met, triggering the delivery of their payload.

20
Q

Which one of the following attack types takes advantage of a vulnerability in the network fragmentation function of some operating systems?

a. Smurf
b. Land
c. Teardrop
d. Fraggle

A

C. In a teardrop attack, the attacker fragments traffic in such a way that the target system is unable to reassemble the fragments. Modern systems are not vulnerable to this attack if they run current operating systems, but the concept of this attack illustrates the danger of relying upon users following protocol specifications instead of performing proper exception handling.

21
Q

Which of the following sequences properly describes the TCP 3-way handshake?

a. SYN, ACK, SYN/ACK
b. PSH, RST, ACK
c. SYN, SYN/ACK, ACK
d. SYN, RST, FIN

A

C. The TCP three-way handshake consists of initial contact via a SYN, or synchronize flagged packet, which receives a response with a SYN/ACK, or synchronize and acknowledge flagged packet, which is acknowledged by the original sender with an ACK, or acknowledge packet. RST is used in TCP to reset a connection, PSH is used to send data immediately, and FIN is used to end a connection.

22
Q

Which one of the following technologies is not normally a capability of Mobile Device Management (MDM) solutions?

a. Remotely wiping the contents of a mobile device
b. Assuming control of a nonregistered BYOD mobile device
c. Enforcing the use of device encryption
d. Managing device backups

A

B. MDM products do not have the capability of assuming control of a device not currently managed by the organization. This would be equivalent to hacking into a device owned by someone else and might constitute a crime.

23
Q

Jim is implementing an IDaaS solution for his organization. What type of technology is he putting in place?

a. Identity as a Service
b. Employee ID as a service
c. Cloud based RADIUS
d. OAuth

A

A. Identity as a Service (IDaaS) provides an identity platform as a third-party service. This can provide benefits, including integration with cloud services and removing overhead for maintenance of traditional on-premise identity systems, but can also create risk due to third-party control of identity services and reliance on an offsite identity infrastructure.

24
Q

Gina recently took the CISSP certification exam and then wrote a blog post that included the text of many of the exam questions that she experienced. What aspect of the (ISC)2 code of ethics is most directly violated in this situation?

a. Advance and protect the profession.
b. Act honorably, honestly, justly, responsibly, and legally.
c. Protect society, the common good, necessary public trust and confidence, and the infrastructure.
d. Provide diligent and competent service to principals.

A

A. Gina’s actions harm the CISSP certification and the information security community by undermining the integrity of the examination process. While Gina is also acting dishonestly, the harm to the profession is the more direct violation of the code of ethics.

25
Q

Gordon is conducting a risk assessment for his organization and determined the amount of damage that flooding is expected to cause to his facilities each year. What metric has Gordon identified?

a. ALE
b. ARO
c. SLE
d. EF

A

A. The annualized loss expectancy is the amount of damage that the organization expects to occur each year as the result of a given risk.

26
Q

Greg would like to implement application control technology in his organization. He would like to limit users to installing only approved software on their systems. What type of application control would be appropriate in this situation?

a. Blacklisting
b. Graylisting
c. Whitelisting
d. Bluelisting

A

C. The whitelisting approach to application control allows users to install only those software packages specifically approved by administrators. This would be an appropriate approach in a scenario where application installation needs to be tightly controlled.

27
Q

Frank is the security administrator for a web server that provides news and information to people located around the world. His server received an unusually high volume of traffic that it could not handle and was forced to reject requests. Frank traced the source of the traffic back to a botnet. What type of attack took place?

a. Denial of service
b. Reconnaissance
c. Compromise
d. Malicious insider

A

A. This is a clear example of a denial-of-service attack—denying legitimate users authorized access to the system through the use of overwhelming traffic. It goes beyond a reconnaissance attack because the attacker is affecting the system, but it is not a compromise because the attacker did not attempt to gain access to the system. There is no reason to believe that a malicious insider was involved.

28
Q

In the database table shown here, which column would be the best candidate for a primary key?

a. Company ID
b. Company Name
c. ZIP Code
d. Sales Rep

A

A. The Company ID is likely unique for each row in the table, making it the best choice for a primary key. There may be multiple companies that share the same name or ZIP code. Similarly, a single sales representative likely serves more than one company, making those fields unsuitable for use as a unique identifier.

29
Q

Information about an individual like their name, Social Security number, date and place of birth, or their mother’s maiden name is an example of what type of protected information?

a. PHI
b. Proprietary Data
c. PII
d. EDI

A

C. Personally Identifiable Information (PII) includes data that can be used to distinguish or trace that person’s identity, and also includes information like their medical, educational, financial, and employment information. PHI is personal health information, EDI is electronic data interchange, and proprietary data is used to maintain an organization’s competitive advantage.

30
Q

Bob is configuring egress filtering on his network, examining traffic destined for the Internet. His organization uses the public address range 12.8.195.0/24. Packets with which one of the following destination addresses should Bob permit to leave the network?

a. 12.8.195.15
b. 10.8.15.9
c. 192.168.109.55
d. 129.53.44.124

A

D. 129.53.44.124 is a valid public IP address and a legitimate destination for traffic leaving Bob’s network. 12.8.195.15 is a public address on Bob’s network and should not be a destination address on a packet leaving the network. 10.8.15.9 and 192.168.109.55 are both private IP addresses that should not be routed to the Internet.

31
Q

How many possible keys exist in a cryptographic algorithm that uses 6-bit encryption keys?

a. 12
b. 16
c. 32
d. 64

A

D. Binary keyspaces contain a number of keys equal to 2 raised to the power of the number of bits. Two to the sixth power is 64, so a 6-bit keyspace contains 64 possible keys. The number of viable keys is usually smaller in most algorithms due to the presence of parity bits and other algorithmic overhead or security issues that restrict the use of some key values.

32
Q

What problem drives the recommendation to physically destroy SSD drives to prevent data leaks when they are retired?

a. Degaussing only partially wipes the data on SSDs.
b. SSDs don’t have data remanence.
c. SSDs are unable to perform a zero fill.
d. The built-in erase commands are not completely effective on some SSDs.

A

D. Research has shown that traditional methods of sanitizing files on SSDs were not reliable. SSDs remap data sectors as part of wear leveling, and erase commands are not consistently effective across multiple SSD brands. Zero fills can be performed on SSDs but may not be effective, much like erase commands. Degaussing doesn’t work on SSDs because they are flash media, rather than magnetic media. SSDs don’t have data remanence issues, but that doesn’t create the need to destroy them.

33
Q

GAD Systems is concerned about the risk of hackers stealing sensitive information stored on a file server. They choose to pursue a risk mitigation strategy. Which one of the following actions would support that strategy?

a. Encrypting the files
b. Deleting the files
c. Purchasing cyberliability insurance
d. Taking no action

A

A. Encrypting the files reduces the probability that the data will be successfully stolen, so it is an example of risk mitigation. Deleting the files would be risk avoidance. Purchasing insurance would be risk transference. Taking no action would be risk acceptance.

34
Q

How should samples be generated when assessing account management practices?

a. They should be generated by administrators.
b. The last 180 days of accounts should be validated.
c. Sampling should be conducted randomly.
d. Sampling is not effective, and all accounts should be audited.

A

C. Sampling should be done randomly to avoid human bias. Choosing a timeframe may miss historic issues or only account for the current administrator’s processes. Sampling is an effective process if it is done on a truly random sample of sufficient size to provide effective coverage of the userbase.

35
Q

The International Safe Harbor Privacy Principles includes seven tenets. Which of the following lists correctly identifies all seven?

a. Awareness, selection, control, security, data integrity, access, enforcement
b. Notice, choice, onward transfer, security, data integrity, access, enforcement
c. Privacy, security, control, notification, data integrity, access, enforcement
d. Submission, editing, updates, confidential, integrity, security, access

A

B. The European Data Protection Directive’s seven primary tenets are:

Notice
Choice
Onward transfer
Security
Data integrity
Access
Enforcement

36
Q

In what type of software testing does the attacker have complete knowledge of the system implementation prior to beginning the test?

a. Black box
b. Blue box
c. Gray box
d. White box

A

D. In a white box test, the attacker has access to full implementation details of the system, including source code, prior to beginning the test. In gray box testing, the attacker has partial knowledge. In black box testing, the attacker has no knowledge of the system and tests it from a user perspective. Blue boxes are a phone hacking tool and are not used in software testing.

37
Q

What type of log is shown in the figure?

a. Firewall log
b. Change log
c. Application log
d. System log

A

C. The file clearly shows HTTP requests, as evidenced by the many GET commands. Therefore, this is an example of an application log from an HTTP server.

38
Q

Captain Crunch, a famous phone phreak, was known for using a toy whistle to generate the 2600 Hz tones that phone trunk systems used to communicate. What is the common name for a phreaking tool with this capability?

a. A black box
b. A red box
c. A blue box
d. A white box

A

C. A blue box was used to generate the 2600 Hz tones that trunking systems required. White boxes included a dual-tone, multifrequency generator to control phone systems. Black boxes were designed to steal long-distance service by manipulating line voltages, and red boxes simulated the tones of coins being deposited into payphones.

39
Q

When an attacker calls an organization’s help desk and persuades them to reset a password for them due to the help desk employee’s trust and willingness to help, what type of attack succeeded?

a. A human Trojan
b. Social engineering
c. Phishing
d. Whaling

A

B. Social engineering exploits humans to allow attacks to succeed. Since help desk employees are specifically tasked with being helpful, they may be targeted by attackers posing as legitimate employees. Trojans are a type of malware, whereas phishing is a targeted attack via electronic communication methods intended to capture passwords or other sensitive data. Whaling is a type of phishing aimed at high-profile or important targets.

40
Q

When a user attempts to log into their online account, Google sends a text message with a code to their cell phone. What type of verification is this?

a. Knowledge-based authentication
b. Dynamic knowledge–based authentication
c. Out-of-band identity proofing
d. Risk-based identity proofing

A

C. Identity proofing that relies on a type of verification outside of the initial environment that required the verification is out-of-band identity proofing. This type of verification relies on the owner of the phone or phone number having control of it, but removes the ability for attackers to use only Internet-based resources to compromise an account. Knowledge-based authentication relies on answers to preselected information, whereas dynamic knowledge–based authentication builds questions using facts or data about the user. Risk-based identity proofing uses risk-based metrics to determine whether identities should be permitted or denied access. It is used to limit fraud in financial transactions, such as credit card purchases. This is a valid form of proofing but does not necessarily use an out-of-band channel, such as SMS.

41
Q

What mathematical operation, when substituted for the blank lines shown here, would make the equations correct?

a. MOD
b. XOR
c. NAND
d. DIV

A

A. The modulo function is the remainder value left over after an integer division operation takes place.

42
Q

Questions 42–44 refer to the following scenario:

The organization that Ben works for has a traditional onsite Active Directory environment that uses a manual provisioning process for each addition to their 350-employee company. As the company adopts new technologies, they are increasingly using Software as a Service applications to replace their internally developed software stack.

Ben has been tasked with designing an identity management implementation that will allow his company to use cloud services while supporting their existing systems. Using the logical diagram shown here, answer the following questions about the identity recommendations Ben should make.

If availability of authentication services is the organization’s biggest priority, what type of identity platform should Ben recommend?

a. Onsite
b. Cloud based
c. Hybrid
d. Outsourced

A

C. A hybrid authentication service can provide authentication services in both the cloud and on-premise, ensuring that service outages due to interrupted links are minimized. An onsite service would continue to work during an Internet outage but would not allow the e-commerce website to authenticate. A cloud service would leave the corporate location offline. Outsourcing authentication does not indicate whether the solution is on or off-premise, and thus isn’t a useful answer.

43
Q

Questions 42–44 refer to the following scenario:

The organization that Ben works for has a traditional onsite Active Directory environment that uses a manual provisioning process for each addition to their 350-employee company. As the company adopts new technologies, they are increasingly using Software as a Service applications to replace their internally developed software stack.

Ben has been tasked with designing an identity management implementation that will allow his company to use cloud services while supporting their existing systems. Using the logical diagram shown here, answer the following questions about the identity recommendations Ben should make.

If Ben needs to share identity information with the business partner shown, what should he investigate?

a. Single sign-on
b. Multifactor authentication
c. Federation
d. IDaaS

A

C. Federation links identity information between multiple organizations. Federating with a business partner can allow identification and authorization to occur between them, making integration much easier. Single sign-on would reduce the number of times a user has to log in but will not facilitate the sharing of identity information. Multifactor authentication can help secure authentication, but again, doesn’t help integrate with a third party. Finally, an Identity as a Service provider might provide federation but doesn’t guarantee it.

44
Q

Questions 42–44 refer to the following scenario:

The organization that Ben works for has a traditional onsite Active Directory environment that uses a manual provisioning process for each addition to their 350-employee company. As the company adopts new technologies, they are increasingly using Software as a Service applications to replace their internally developed software stack.

Ben has been tasked with designing an identity management implementation that will allow his company to use cloud services while supporting their existing systems. Using the logical diagram shown here, answer the following questions about the identity recommendations Ben should make.

What technology is likely to be involved when Ben’s organization needs to provide authentication and authorization assertions to their e-commerce cloud partner?

a. Active Directory
b. SAML
c. RADIUS
d. SPML

A

B. Security Assertion Markup Language (SAML) is frequently used to integrate cloud services and provides the ability to make authentication and authorization assertions. Active Directory integrations are possible but are less common for cloud service providers, and RADIUS is not typically used for integrations like this. Service Provisioning Markup Language (SPML) is used to provision users, resources, and services, not for authentication and authorization.

45
Q

Dave is responsible for password security in his organization and would like to strengthen the security of password files. He would like to defend his organization against the use of rainbow tables. Which one of the following techniques is specifically designed to frustrate the use of rainbow tables?

a. Password expiration policies
b. Salting
c. User education
d. Password complexity policies

A

B. Rainbow tables use precomputed password hashes to conduct cracking attacks against password files. They may be frustrated by the use of salting, which adds a specified value to the password prior to hashing, making it much more difficult to perform precomputation. Password expiration policies, password complexity policies, and user education may all contribute to password security, but they are not direct defenses against the use of rainbow tables.

46
Q

Which one of the following is a single system designed to attract attackers because it seemingly contains sensitive information or other attractive resources?

a. Honeynet
b. Darknet
c. Honeypot
d. Pseudoflaw

A

C. A honeypot is a decoy computer system used to bait intruders into attacking. A honeynet is a network of multiple honeypots that creates a more sophisticated environment for intruders to explore. A pseudoflaw is a false vulnerability in a system that may attract an attacker. A darknet is a segment of unused network address space that should have no network activity and, therefore, may be easily used to monitor for illicit activity.

47
Q

When evaluating biometric devices, what is another term used to describe the equal error rate?

a. FAR
b. FRR
c. CER
d. ERR

A

C. The crossover error rate (CER) is the point where both the false acceptance rate and the false rejection rate cross. CER and ERR, or equal error rate, mean the same thing and are used interchangeably.

48
Q

A smart card is an example of what type of authentication factor?

a. Type 1
b. Type 2
c. Type 3
d. Type 4

A

B. A Type 2 is something you have, like a smart card or hardware token. A Type 1 authentication factor is something you know. A Type 3 authentication factor is something you are, like a biometric identifier. There is no such thing as a Type 4 authentication factor.

49
Q

Sean suspects that an individual in his company is smuggling out secret information despite his company’s careful use of data loss prevention systems. He discovers that the suspect is posting photos, including the one shown here, to public Internet message boards. What type of technique may the individual be using to hide messages inside this image?

a. Watermarking
b. VPN
c. Steganography
d. Covert timing channel

A

C. Steganography is the art of using cryptographic techniques to embed secret messages within other content. Steganographic algorithms work by making invisible alterations to files, such as modifying the least significant bits of the many bits that make up image files. VPNs may be used to obscure secret communications, but they provide protection in transit and can’t be used to embed information in an image. Watermarking does embed information in an image but with the intent of protecting intellectual property. A still image would not be used for a covert timing channel because it is a fixed file.

50
Q

Roger is concerned that a third-party firm hired to develop code for an internal application will embed a backdoor in the code. The developer retains rights to the intellectual property and will only deliver the software in its final form. Which one of the following languages would be least susceptible to this type of attack because it would provide Roger with code that is human-readable in its final form?

a. JavaScript
b. C
c. C++
d. Java

A

A. JavaScript is an interpreted language, so the code is not compiled prior to execution, allowing Roger to inspect the contents of the code. C, C++, and Java are all compiled languages—a compiler produces an executable file that is not human-readable.

51
Q

Jesse is looking at the /etc/passwd file on a system configured to use shadowed passwords. What should she expect to see in the password field of this file?

a. Plaintext passwords
b. Encrypted passwords
c. Hashed passwords
d. x

A

D. When a system is configured to use shadowed passwords, the /etc/passwd file contains only the character x in the place of a password. It would not contain any passwords, in either plaintext, encrypted, or hashed form.

52
Q

Ping of Death, Smurf attacks, and ping floods all abuse features of what important protocol?

a. IGMP
b. UDP
c. IP
d. ICMP

A

D. Internet Control Message Protocol (ICMP) is used for normal pings as well as for Ping of Death attacks, which were used to overflow poorly implemented ICMP handlers; Smurf attacks, which spoof broadcast pings to create huge amounts of traffic on a network; and ping floods, which are a type of denial-of-service attack.

53
Q

What principle states that an individual should make every effort to complete his or her responsibilities in an accurate and timely manner?

a. Least privilege
b. Separation of duties
c. Due care
d. Due diligence

A

D. The due care principle states that an individual should react in a situation using the same level of care that would be expected from any reasonable person. It is a very broad standard. The due diligence principle is a more specific component of due care that states an individual assigned a responsibility should exercise due care to complete it accurately and in a timely manner.

54
Q

Cable modems, ISDN, and DSL are all examples of what type of technology?

a. Baseband
b. Broadband
c. Digital
d. Broadcast

A

B. ISDN, cable modems, DSL, and T1 and T3 lines are all examples of broadband technology that can support multiple simultaneous signals. They are analog, not digital, and are not broadcast technologies.

55
Q

What penetration testing technique can best help assess training and awareness issues?

a. Port scanning
b. Discovery
c. Social engineering
d. Vulnerability scanning

A

C. Social engineering is the best answer, as it can be useful to penetration testers who are asked to assess whether staff members are applying security training and have absorbed the awareness messages the organization uses. Port and vulnerability scanning find technical issues that may be related to awareness or training issues but that are less likely to be directly related. Discovery can involve port scanning or other data-gathering efforts, but is also less likely to be directly related to training and awareness.

56
Q

Bill implemented RAID level 5 on a server that he operates using a total of three disks. How many disks may fail without the loss of data?

a. 0
b. 1
c. 2
d. 3

A

B. RAID level 5 is also known as disk striping with parity. It uses three or more disks, with one disk containing parity information used to restore data to another disk in the event of failure. When used with three disks, RAID 5 is able to withstand the loss of a single disk.

57
Q

Data is sent as bits at what layer of the OSI model?

a. Transport
b. Network
c. Data Link
d. Physical

A

D. The Physical layer deals with the electrical impulses or optical pulses that are sent as bits to convey data.

58
Q

Bert is considering the use of an infrastructure as a service cloud computing partner to provide virtual servers. Which one of the following would be a vendor responsibility in this scenario?

a. Maintaining the hypervisor
b. Managing operating system security settings
c. Maintaining the host firewall
d. Configuring server access control

A

A. In an IaaS server environment, the customer retains responsibility for most server security operations under the shared responsibility model. This includes managing OS security settings, maintaining host firewalls, and configuring server access control. The vendor would be responsible for all security mechanisms at the hypervisor layer and below.

59
Q

When Ben records data, then replays it against his test website to verify how it performs based on a real production workload, what type of performance monitoring is he undertaking?

a. Passive
b. Proactive
c. Reactive
d. Replay

A

B. Proactive monitoring, aka synthetic monitoring, uses recorded or generated traffic to test systems and software. Passive monitoring uses a network span, tap, or other device to capture traffic to be analyzed. Reactive and replay are not industry terms for types of monitoring.

60
Q

What technology ensures that an operating system allocates separate memory spaces used by each application on a system?

a. Abstraction
b. Layering
c. Data hiding
d. Process isolation

A

D. Process isolation ensures that the operating system allocates a separate area of memory for each process, preventing processes from seeing each other’s data. This is a requirement for multilevel security systems.

61
Q

Alan is considering the use of new identification cards in his organization that will be used for physical access control. He comes across a sample card and is unsure of the technology. He breaks it open and sees the following internal construction. What type of card is this?

a. Smart card
b. Proximity card
c. Magnetic stripe
d. Phase-two card

A

B. The use of an electromagnetic coil inside the card indicates that this is a proximity card.

62
Q

Mark is planning a disaster recovery test for his organization. He would like to perform a live test of the disaster recovery facility but does not want to disrupt operations at the primary facility. What type of test should Mark choose?

a. Full interruption test
b. Checklist review
c. Parallel test
d. Tabletop exercise

A

C. During a parallel test, the team actually activates the disaster recovery site for testing, but the primary site remains operational. During a full interruption test, the team takes down the primary site and confirms that the disaster recovery site is capable of handling regular operations. The full interruption test is the most thorough test but also the most disruptive. The checklist review is the least disruptive type of disaster recovery test. During a checklist review, team members each review the contents of their disaster recovery checklists on their own and suggest any necessary changes. During a tabletop exercise, team members come together and walk through a scenario without making any changes to information systems.

63
Q

Which one of the following is not a principle of the Agile approach to software development?

a. The best architecture, requirements, and designs emerge from self-organizing teams.
b. Deliver working software infrequently, with an emphasis on creating accurate code over longer timelines.
c. Welcome changing requirements, even late in the development process.
d. Simplicity is essential.

A

B. The Agile approach to software development embraces 12 core principles, found in the Agile Manifesto. One of these principles is that the best architecture, requirements, and designs emerge from self-organizing teams. Another is that teams should welcome changing requirements at any step in the process. A third is that simplicity is essential. The Agile approach emphasizes delivering software frequently, not infrequently.

64
Q

During a security audit, Susan discovers that the organization is using hand geometry scanners as the access control mechanism for their secure data center. What recommendation should Susan make about the use of hand geometry scanners?

a. They have a high FRR, and should be replaced.
b. A second factor should be added because they are not a good way to reliably distinguish individuals.
c. The hand geometry scanners provide appropriate security for the data center and should be considered for other high-security areas.
d. They may create accessibility concerns and an alternate biometric system should be considered.

A

B. Hand geometry scanners assess the physical dimensions of an individual’s hand, but do not verify other unique factors about the individual, or even verify if they are alive. This means that hand geometry scanners should not be implemented as the sole authentication factor for secure environments. Hand geometry scanners do not have an abnormally high FRR, and do not stand out as a particular issue from an accessibility standpoint compared to other biometric systems.

65
Q

Colleen is conducting a business impact assessment for her organization. What metric provides important information about the amount of time that the organization may be without a service before causing irreparable harm?

a. MTD
b. ALE
c. RPO
d. RTO

A

A. The maximum tolerable downtime (MTD) is the amount of time that a business may be without a service before irreparable harm occurs. This measure is sometimes also called maximum tolerable outage (MTO).

66
Q

An attack that changes a symlink on a Linux system between the time that an account’s rights to the file are verified and the file is accessed is an example of what type of attack?

a. Unlinking
b. Tick/tock
c. setuid
d. TOC/TOU

A

D. Attacks that change a symlink between the time that rights are checked and the file is accessed, in order to access a file that the account does not have rights to, are time of check/time of use (TOC/TOU) attacks, a form of race condition. Unlinking removes names from a Linux filesystem, setuid allows a user to run an executable with the permissions of its owner, and tick/tock is not a type of attack or Linux command.

67
Q

An authentication factor that is “something you have,” and that typically includes a microprocessor and one or more certificates, is what type of authenticator?

a. A smart card
b. A token
c. A Type I validator
d. A Type III authenticator

A

A. Smart cards are a Type II authentication factor, and include both a microprocessor and at least one certificate. Since they are something you have, they’re not a Type I or III authentication factor. Tokens do not necessarily contain certificates.

68
Q

What term best describes an attack that relies on stolen or falsified authentication credentials to bypass an authentication mechanism?

a. Spoofing
b. Replay
c. Masquerading
d. Modification

A

C. Masquerading (or impersonation) attacks use stolen or falsified credentials to bypass authentication mechanisms. Spoofing attacks rely on falsifying an identity like an IP address or hostname without credentials. Replay attacks are a more specific type of masquerading attack that relies on captured network traffic to reestablish authorized connections. Modification attacks occur when captured packets are modified and replayed to a system to attempt to perform an action.

69
Q

What speed is a T1 line?

a. 64 Kbps
b. 128 Kbps
c. 1.544 Mbps
d. 44.736 Mbps

A

C. A T1 (DS1) line is rated at 1.544 Mbps. ISDN is often 64 or 128 Kbps, and T3 lines are 44.736 Mbps.

70
Q

Owen recently designed a security access control structure that prevents a single user from simultaneously holding the role required to create a new vendor and the role required to issue a check. What principle is Owen enforcing?

a. Two-person control
b. Least privilege
c. Separation of duties
d. Job rotation

A

C. This scenario describes separation of duties—not allowing the same person to hold two roles that, when combined, are sensitive. While two-person control is a similar concept, it does not apply in this case because the scenario does not say that either action requires the concurrence of two users.

71
Q

Denise is preparing for a trial relating to a contract dispute between her company and a software vendor. The vendor is claiming that Denise made a verbal agreement that amended their written contract. What rule of evidence should Denise raise in her defense?

a. Real evidence rule
b. Best evidence rule
c. Parol evidence rule
d. Testimonial evidence rule

A

C. The parol evidence rule states that when an agreement between two parties is put into written form, it is assumed to be the entire agreement unless amended in writing. The best evidence rule says that a copy of a document is not admissible if the original document is available. Real evidence and testimonial evidence are evidence types, not rules of evidence.

72
Q

While Lauren is monitoring traffic on two ends of a network connection, she sees traffic that is inbound to a public IP address show up inside of the production network bound for an internal host that uses an RFC 1918 reserved address. What technology should she expect is in use at the network border?

a. NAT
b. VLANs
c. S/NAT
d. BGP

A

A. Network Address Translation (NAT) translates an internal address to an external address. VLANs are used to logically divide networks, BGP is a routing protocol, and S/NAT is a made-up term.

73
Q

Which of the following statements about SSAE-16 is not true?

a. It mandates a specific control set.
b. It is an attestation standard.
c. It is used for external audits.
d. It uses a framework, including SOC 1, SOC 2, and SOC 3 reports.

A

A. SSAE-16 does not assert specific controls. Instead it reviews the use and application of controls in an audited organization. It is an attestation standard, used for external audits, and forms part of the underlying framework for SOC 1, 2, and 3 reports.

74
Q

What does a constrained user interface do?

a. It prevents unauthorized users from logging in.
b. It limits the data visible in an interface based on the content.
c. It limits the access a user is provided based on what activity they are performing.
d. It limits what users can do or see based on privileges.

A

D. A constrained user interface restricts what users can see or do based on their privileges. This can result in grayed-out or missing menu items, or other interface changes. Activity-based controls are called context-dependent controls, whereas controls based on the content of an object are content-dependent controls. Preventing unauthorized users from logging in is a basic authentication function.

75
Q

Greg is building a disaster recovery plan for his organization and would like to determine the amount of time that it should take to restore a particular IT service after an outage. What variable is Greg calculating?

a. MTO
b. RTO
c. RPO
d. SLA

A

B. The recovery time objective (RTO) is the amount of time expected to return an IT service or component to operation after a failure. The maximum tolerable downtime (MTD) is the longest amount of time that an IT service or component may be unavailable without causing serious damage to the organization. The recovery point objective (RPO) identifies the maximum amount of data, measured in time, that may be lost during a recovery effort. Service-level agreements (SLAs) are written contracts that document service expectations.

76
Q

In object-oriented programming, what type of variable exists only once and shares the same value across all instances of an object?

a. Instance variable
b. Member variable
c. Class variable
d. Global variable

A

C. Class variables exist only once and share their value across all instances of that object class. Instance variables have different values for each instance. Member variables are the combination of class and instance variables associated with a particular class. Global variables do not exist in an object-oriented programming language.

77
Q

What type of fire extinguisher is useful against liquid-based fires?

a. Class A
b. Class B
c. Class C
d. Class D

A

B. Class B fire extinguishers use carbon dioxide, halon, or soda acid as their suppression material and are useful against liquid-based fires. Water may not be used against liquid-based fires because it may cause the burning liquid to splash, and many burning liquids, such as oil, will float on water.

78
Q

The company Chris works for has notifications posted at each door reminding employees to be careful to not allow people to enter when they do. Which type of controls best describes this?

a. Detective
b. Physical
c. Preventive
d. Directive

A

D. Notifications and procedures like the signs posted at the company Chris works for are examples of directive access controls. Detective controls are designed to operate after the fact. The doors and the locks on them are examples of physical controls. Preventive controls are designed to stop an event, and could also include the locks that are present on the doors.

79
Q

Which one of the following principles is not included in the International Safe Harbor Provisions?

a. Access
b. Security
c. Enforcement
d. Nonrepudiation

A

D. The seven principles that the International Safe Harbor Provisions spell out for handling personal information are notice, choice, onward transfer, access, security, data integrity, and enforcement.

80
Q

What group is eligible to receive safe harbor protection under the terms of the Digital Millennium Copyright Act (DMCA)?

a. Music producers
b. Book publishers
c. Internet service providers
d. Banks

A

C. The DMCA provides safe harbor protection for the operators of Internet service providers who only handle information as a common carrier for transitory purposes.

81
Q

Alex is the system owner for the HR system at a major university. According to NIST SP 800-18, what action should he take when a significant change occurs in the system?

a. He should develop a data confidentiality plan.
b. He should update the system security plan.
c. He should classify the data the system contains.
d. He should select custodians to handle day-to-day operational tasks.

A

B. According to NIST SP 800-18, a system owner should update the system security plan when the system they are responsible for undergoes a significant change. Classification, selection of custodians, and designing ways to protect data confidentiality might occur if new data was added, but should have already been done otherwise.

82
Q

Questions 82–84 refer to the following scenario:

Alex has been with the university he works at for over 10 years. During that time, he has been a system administrator and a database administrator, and he has worked in the university’s help desk. He is now a manager for the team that runs the university’s web applications. Using the provisioning diagram shown here, answer the following questions.

If Alex hires a new employee and the employee’s account is provisioned after HR manually inputs information into the provisioning system based on data Alex provides via a series of forms, what type of provisioning has occurred?

a. Discretionary account provisioning
b. Workflow-based account provisioning
c. Automated account provisioning
d. Self-service account provisioning

A

B. Provisioning that occurs through an established workflow, such as through an HR process, is workflow-based account provisioning. If Alex had set up accounts for his new hire on the systems he manages, he would have been using discretionary account provisioning. If the provisioning system allowed the new hire to sign up for an account on their own, they would have used self-service account provisioning, and if there was a central, software-driven process, rather than HR forms, it would have been automated account provisioning.

83
Q

Questions 82–84 refer to the following scenario:

Alex has been with the university he works at for over 10 years. During that time, he has been a system administrator and a database administrator, and he has worked in the university’s help desk. He is now a manager for the team that runs the university’s web applications. Using the provisioning diagram shown here, answer the following questions.

Alex has access to B, C, and D. What concern should he raise to the university’s identity management team?

a. The provisioning process did not give him the rights he needs.
b. He has excessive privileges.
c. Privilege creep may be taking place.
d. Logging is not properly enabled.

A

C. As Alex has changed roles, he retained access to systems that he no longer administers. The provisioning system has provided rights to workstations and the application servers he manages, but he should not have access to the databases he no longer administers. Privilege levels are not specified, so we can’t determine if he has excessive rights. Logging may or may not be enabled, but it isn’t possible to tell from the diagram or problem.

84
Q

Questions 82–84 refer to the following scenario:

Alex has been with the university he works at for over 10 years. During that time, he has been a system administrator and a database administrator, and he has worked in the university’s help desk. He is now a manager for the team that runs the university’s web applications. Using the provisioning diagram shown here, answer the following questions.

When Alex changes roles, what should occur?

a. He should be de-provisioned and a new account should be created.
b. He should have his new rights added to his existing account.
c. He should be provisioned for only the rights that match his role.
d. He should have his rights set to match those of the person he is replacing.

A

C. When a user’s role changes, they should be provisioned based on their role and other access entitlements. De-provisioning and re-provisioning is time-consuming and can lead to problems with changed IDs and how existing credentials work. Simply adding new rights leads to privilege creep, and matching another user’s rights can lead to excessive privileges due to privilege creep for that other user.

85
Q

Robert is reviewing a system that has been assigned the EAL2 evaluation assurance level under the Common Criteria. What is the highest level of assurance that he may have about the system?

a. It has been functionally tested.
b. It has been structurally tested.
c. It has been formally verified, designed, and tested.
d. It has been semiformally designed and tested.

A

B. EAL2 assurance applies when the system has been structurally tested. It is the second-to-lowest level of assurance under the Common Criteria.

86
Q

Adam is processing an access request for an end user. What two items should he verify before granting the access?

a. Separation and need to know
b. Clearance and endorsement
c. Clearance and need to know
d. Second factor and clearance

A

C. Before granting any user access to information, Adam should verify that the user has an appropriate security clearance as well as a business need to know the information in question.

87
Q

During what phase of the electronic discovery reference model does an organization ensure that potentially discoverable information is protected against alteration or deletion?

a. Identification
b. Preservation
c. Collection
d. Production

A

B. During the preservation phase, the organization ensures that information related to the matter at hand is protected against intentional or unintentional alteration or deletion. The identification phase locates relevant information but does not preserve it. The collection phase occurs after preservation and gathers responsive information. The processing phase performs a rough cut of the collected information for relevance.

88
Q

Nessus, OpenVAS, and SAINT are all examples of what type of tool?

a. Port scanners
b. Patch management suites
c. Port mappers
d. Vulnerability scanners

A

D. Nessus, OpenVAS (the Open Vulnerability Assessment scanner and manager), and SAINT are all vulnerability scanning tools. All provide port scanning capabilities as well but are more than simple port scanning tools.

89
Q

Harry would like to access a document owned by Sally stored on a file server. Applying the subject/object model to this scenario, who or what is the object of the resource request?

a. Harry
b. Sally
c. File server
d. Document

A

D. In the subject/object model, the object is the resource being requested by a subject. In this example, Harry would like access to the document, making the document the object of the request.

90
Q

What is the process that occurs when the session layer removes the header from data sent by the transport layer?

a. Encapsulation
b. Packet unwrapping
c. De-encapsulation
d. Payloading

A

C. The process of removing a header (and possibly a footer) from the data received from a previous layer in the OSI model is known as de-encapsulation. Encapsulation occurs when the header and/or footer are added. Payloads are part of a virus or malware package that are delivered to a target, and packet unwrapping is a made-up term.

91
Q

Which of the following tools is best suited to testing known exploits against a system?

a. Nikto
b. Ettercap
c. Metasploit
d. THC Hydra

A

C. Metasploit is a tool used to exploit known vulnerabilities. Nikto is a web application and server vulnerability scanning tool, Ettercap is a man-in-the-middle attack tool, and THC Hydra is a password brute-force tool.

92
Q

What markup language uses the concepts of a Requesting Authority, a Provisioning Service Point, and a Provisioning Service Target to handle its core functionality?

a. SAML
b. SAMPL
c. SPML
d. XACML

A

C. Service Provisioning Markup Language (SPML) uses Requesting Authorities to issue SPML requests to a Provisioning Service Point. Provisioning Service Targets are often user accounts and must allow unique identification of the data in their implementation. SAML is used for security assertions, SAMPL is an algebraic modeling language, and XACML is an access control markup language used to describe and process access control policies in an XML format.

93
Q

What type of risk assessment uses tools such as the one shown here?

a. Quantitative
b. Loss expectancy
c. Financial
d. Qualitative

A

D. The use of a probability/impact matrix is the hallmark of a qualitative risk assessment. It uses subjective measures of probability and impact, such as “high” and “low,” in place of quantitative measures.

94
Q

MAC models use three types of environments. Which of the following is not a mandatory access control design?

a. Hierarchical
b. Bracketed
c. Compartmentalized
d. Hybrid

A

B. Mandatory access control systems can be hierarchical, where each domain is ordered and related to other domains above and below it; compartmentalized, where there is no relationship between each domain; or hybrid, where both hierarchy and compartments are used. There is no concept of bracketing in mandatory access control design.

95
Q

What level of RAID is also called disk striping with parity?

a. RAID 0
b. RAID 1
c. RAID 5
d. RAID 10

A

C. RAID level 5 is also known as disk striping with parity. RAID 0 is called disk striping. RAID 1 is called disk mirroring. RAID 10 is known as a stripe of mirrors.

96
Q

Sally is wiring a gigabit Ethernet network. What cabling choices should she make to ensure she can use her network at the full 1000 Mbps she wants to provide to her users?

a. Cat 5 and Cat 6
b. Cat 5e and Cat 6
c. Cat 4e and Cat 5e
d. Cat 6 and Cat 7

A

B. Category 5e and Category 6 UTP cable are both rated to 1000 Mbps. Cat 5 (not Cat 5e) is only rated to 100 Mbps, whereas Cat 7 is rated to 10 Gbps. There is no Cat 4e.

97
Q

Which one of the following is typically considered a business continuity task?

a. Business impact assessment
b. Alternate facility selection
c. Activation of cold sites
d. Restoration of data from backup

A

A. Developing a business impact assessment is an integral part of the business continuity planning effort. The selection of alternate facilities, activation of those facilities, and restoration of data from backup are all disaster recovery tasks.

98
Q

Robert is the network administrator for a small business and recently installed a new firewall. After seeing signs of unusually heavy network traffic, he checked his intrusion detection system, which reported that a Smurf attack was under way. What firewall configuration change can Robert make to most effectively prevent this attack?

a. Block the source IP address of the attack.
b. Block inbound UDP traffic.
c. Block the destination IP address of the attack.
d. Block inbound ICMP traffic.

A

D. Smurf attacks use a distributed attack approach to send ICMP echo replies at a targeted system from many different source addresses. The most effective way to block this attack would be to block inbound ICMP traffic. Blocking the source addresses is not feasible because the attacker would likely simply change the source addresses. Blocking destination addresses would likely disrupt normal activity. The Smurf attack does not use UDP, so blocking that traffic would have no effect.

99
Q

Which one of the following types of firewalls does not have the ability to track connection status between different packets?

a. Stateful inspection
b. Application proxy
c. Packet filter
d. Next generation

A

C. Static packet filtering firewalls are known as first-generation firewalls and do not track connection state. Stateful inspection, application proxying, and next-generation firewalls all add connection state tracking capability.

100
Q

Which of the following is used only to encrypt data in transit over a network and cannot be used to encrypt data at rest?

a. TKIP
b. AES
c. 3DES
d. RSA

A

A. TKIP is only used as a means to encrypt transmissions and is not used for data at rest. RSA, AES, and 3DES are all used on data at rest as well as data in transit.

101
Q

What type of fuzzing is known as intelligent fuzzing?

a. Zzuf
b. Mutation
c. Generational
d. Code based

A

C. Generational fuzzing is also known as intelligent fuzzing because it relies on the development of data models using an understanding of how the data is used by the program. Zzuf is a fuzzing program. Mutation simply modifies the inputs each time, and code based is not a description used for a type of fuzzing.

102
Q

Matthew is experiencing issues with the quality of network service on his organization’s network. The primary symptom is that packets are occasionally taking too long to travel from their source to their destination. What term describes the issue Matthew is facing?

a. Latency
b. Jitter
c. Packet loss
d. Interference

A

B. Latency is a delay in the delivery of packets from their source to their destination. Jitter is a variation in the latency for different packets. Packet loss is the disappearance of packets in transit that requires retransmission. Interference is electrical noise or other disruptions that corrupt the contents of packets.

103
Q

Which of the following multifactor authentication technologies provides both low management overhead and flexibility?

a. Biometrics
b. Software tokens
c. Synchronous hardware tokens
d. Asynchronous hardware tokens

A

B. Software tokens are flexible, with delivery options including mobile applications, SMS, and phone delivery. They have a relatively low administrative overhead, as users can typically self-manage. Biometrics require significant effort to register users and to deploy and maintain infrastructure, and require hardware at each authentication location. Both types of hardware tokens can require additional overhead for distribution and maintenance, and token failure can cause support challenges.

104
Q

What type of testing would validate support for all the web browsers that are supported by a web application?

a. Regression testing
b. Interface testing
c. Fuzzing
d. White box testing

A

B. Web applications communicate with web browsers via an interface, making interface testing the best answer here. Regression testing might be used as part of the interface test, but is too specific to be the best answer. Similarly, the test might be a white box, or full knowledge test, but interface testing better describes this specific example. Fuzzing is less likely as part of a browser compatibility test, as it tests unexpected inputs, rather than functionality.

105
Q

Kathleen is implementing an access control system for her organization and builds the following array:

Reviewers: update files, delete files

Submitters: upload files

Editors: upload files, update files

Archivists: delete files

What type of access control system has Kathleen implemented?

a. Role-based access control
b. Task-based access control
c. Rule-based access control
d. Discretionary access control

A

A. Role-based access control gives each user an array of permissions based on their position in the organization, such as the scheme shown here. Task-based access control is not a standard approach. Rule-based access controls use rules that apply to all subjects, which isn’t something we see in the list. Discretionary access control gives object owners rights to choose how the objects they own are accessed, which is not what this list shows.

106
Q

Alan is installing a fire suppression system that will kick in after a fire breaks out and protect the equipment in the data center from extensive damage. What metric is Alan attempting to lower?

a. Likelihood
b. RTO
c. RPO
d. Impact

A

D. Fire suppression systems do not stop a fire from occurring but do reduce the damage that fires cause. This is an example of reducing risk by lowering the impact of an event.

107
Q

Alan’s Wrenches recently developed a new manufacturing process for its product. They plan to use this technology internally and not share it with others. They would like it to remain protected for as long as possible. What type of intellectual property protection is best suited for this situation?

a. Patent
b. Copyright
c. Trademark
d. Trade secret

A

D. Patents and trade secrets can both protect intellectual property in the form of a process. Patents require public disclosure and have expiration dates while trade secrets remain in force for as long as they remain secret. Therefore, trade secret protection most closely aligns with the company’s goals.

108
Q

Ben wants to interface with the National Vulnerability Database using a standardized protocol. What option should he use to ensure that the tools he builds work with the data contained in the NVD?

a. XACML
b. SCML
c. VSML
d. SCAP

A

D. The Security Content Automation Protocol (SCAP) is a suite of specifications used to handle vulnerability and security configuration information. The National Vulnerability Database provided by NIST uses SCAP. XACML is the eXtensible Access Control Markup Language, an OASIS standard used for access control decisions, and neither VSML nor SCML is an industry term.

109
Q

Which of the following is not one of the three components of the DevOps model?

a. Software development
b. Change management
c. Quality assurance
d. Operations

A

B. The three components of the DevOps model are software development, operations, and quality assurance.

110
Q

In the figure shown here, Harry’s request to read the data file is blocked. Harry has a Secret security clearance and the data file has a Top Secret classification. What principle of the Bell-LaPadula model blocked this request?

a. Simple Security Property
b. Simple Integrity Property
c. *-Security Property
d. Discretionary Security Property

A

A. The Simple Security Property prevents an individual from reading information at a higher security level than his or her clearance allows. This is also known as the “no read up” rule. The Simple Integrity Property says that a user can’t write data to a higher integrity level than their own. The *-Security Property says that users can’t write data to a lower security level than their own. The Discretionary Security Property allows the use of a matrix to determine access permissions.

111
Q

Norm is starting a new software project with a vendor that uses an SDLC approach to development. When he arrives on the job, he receives a document that has the sections shown here. What type of planning document is this?

a. Functional requirements
b. Work breakdown structure
c. Test analysis report
d. Project plan

A

B. The work breakdown structure (WBS) is an important project management tool that divides the work done for a large project into smaller components. It is not a project plan because it does not describe timing or resources. Test analyses are used during later phases of the development effort to report test results. Functional requirements may be included in a work breakdown structure, but they are not the full WBS.

112
Q

Kolin is searching for a network security solution that will allow him to help reduce zero-day attacks while using identities to enforce a security policy on systems before they connect to the network. What type of solution should Kolin implement?

a. A firewall
b. An NAC system
c. An intrusion detection system
d. Port security

A

B. Network Access Control (NAC) systems can be used to authenticate users, and then validate their system’s compliance with a security standard before they are allowed to connect to the network. Enforcing security profiles can help reduce zero-day attacks, making NAC a useful solution. A firewall can’t enforce system security policies, whereas an IDS can only monitor for attacks and alarm when they happen. Thus neither a firewall nor an IDS meets Kolin’s needs. Finally, port security is a MAC address–based security feature that can only restrict which systems or devices can connect to a given port.

113
Q

Gwen comes across an application that is running under a service account on a web server. The service account has full administrative rights to the server. What principle of information security does this violate?

a. Need to know
b. Separation of duties
c. Least privilege
d. Job rotation

A

C. This scenario violates the least privilege principle because an application should never require full administrative rights to run. Gwen should update the service account to have only the privileges necessary to support the application.

114
Q

Which of the following is not a type of structural coverage?

a. Statement
b. Trace
c. Loop
d. Data flow

A

B. Trace coverage is not a type of structural coverage. Common types of structural coverage include statement, branch or decision coverage, loop coverage, path coverage, and data flow coverage.

115
Q

Which of the following tools is best suited to the information gathering phase of a penetration test?

a. Whois
b. zzuf
c. Nessus
d. Metasploit

A

A. During the information gathering and discovery phase of a penetration test, testers will gather information about the target. Whois can provide information about an organization, including IP ranges, physical addresses, and staff contacts. Nessus would be useful during a vulnerability detection phase, and Metasploit would be useful during exploitation. zzuf is a fuzzing tool and is less likely to be used during a penetration test.

116
Q

Questions 116–118 refer to the following scenario:

During a web application vulnerability scanning test, Steve runs Nikto against a web server he believes may be vulnerable to attacks. Using the Nikto output shown here, answer the following questions.

Why does Nikto flag the /test directory?

a. The /test directory allows administrative access to PHP.
b. It is used to store sensitive data.
c. Test directories often contain scripts that can be misused.
d. It indicates a potential compromise.

A

C. Test directories often include scripts that may have poor protections or may have other data that can be misused. There is not a default test directory that allows administrative access to PHP. Test directories are not commonly used to store sensitive data, nor is the existence of a test directory a common indicator of compromise.

117
Q

Questions 116–118 refer to the following scenario:

During a web application vulnerability scanning test, Steve runs Nikto against a web server he believes may be vulnerable to attacks. Using the Nikto output shown here, answer the following questions.

Why does Nikto identify directory indexing as an issue?

a. It lists files in a directory.
b. It may allow for XDRF.
c. Directory indexing can result in a denial-of-service attack.
d. Directory indexing is off by default, potentially indicating compromise.

A

A. Directory indexing may not initially seem like an issue during a penetration test, but simply knowing the name and location of files can provide an attacker with quite a bit of information about an organization, as well as a list of potentially accessible files. XDRF is not a type of attack, and indexing is not a denial-of-service attack vector. Directory indexing being turned on is typically either due to misconfiguration or design, or because the server was not properly configured at setup, rather than being a sign of attack.

118
Q

Questions 116–118 refer to the following scenario:

During a web application vulnerability scanning test, Steve runs Nikto against a web server he believes may be vulnerable to attacks. Using the Nikto output shown here, answer the following questions.

Nikto lists OSVDB-877, noting that the system may be vulnerable to XST. What would this type of attack allow an attacker to do?

a. Use cross-site targeting.
b. Steal a user’s cookies.
c. Counter SQL tracing.
d. Modify a user’s TRACE information.

A

B. Cross-site tracing (XST) leverages the HTTP TRACE or TRACK methods, and could be used to steal a user’s cookies via cross-site scripting (XSS). The other options are not industry terms for web application or web server attacks or vulnerabilities.

119
Q

Which one of the following memory types is considered volatile memory?

a. Flash
b. EEPROM
c. EPROM
d. RAM

A

D. The contents of RAM are volatile, meaning that they are only available while power is applied to the memory chips. EPROM, EEPROM, and flash memory are all nonvolatile, meaning that they retain their contents even when powered off.

120
Q

Ursula believes that many individuals in her organization are storing sensitive information on their laptops in a manner that is unsafe and potentially violates the organization’s security policy. What control can she use to identify the presence of these files?

a. Network DLP
b. Network IPS
c. Endpoint DLP
d. Endpoint IPS

A

C. Data loss prevention (DLP) systems specialize in the identification of sensitive information. In this case, Ursula would like to identify the presence of this information on endpoint devices, so she should choose an endpoint DLP control. Network-based DLP would not detect stored information unless the user transmits it over the network. Intrusion prevention systems (IPSs) are designed to detect and block attacks in progress, not necessarily the presence of sensitive information.

121
Q

In what cloud computing model does the customer build a cloud computing environment in his or her own data center or build an environment in another data center that is for the customer’s exclusive use?

a. Public cloud
b. Private cloud
c. Hybrid cloud
d. Shared cloud

A

B. In the private cloud computing model, the cloud computing environment is dedicated to a single organization and does not follow the shared tenancy model. The environment may be built by the company in its own data center or built by a vendor at a co-location site.

122
Q

Which one of the following technologies is designed to prevent a hard drive from becoming a single point of failure in a system?

a. Load balancing
b. Dual-power supplies
c. IPS
d. RAID

A

D. Redundant Arrays of Inexpensive Disks (RAID) is designed to allow a system to continue operating without data loss in the event of a hard drive failure. Load balancing is designed to spread work across multiple servers. Intrusion prevention systems (IPSs) monitor systems and/or networks for potential attacks. Dual-power supplies protect against power supplies becoming a single point of failure.

123
Q

Alice wants to send Bob a message with the confidence that Bob will know the message was not altered while in transit. What goal of cryptography is Alice trying to achieve?

a. Confidentiality
b. Nonrepudiation
c. Authentication
d. Integrity

A

D. Integrity ensures that unauthorized changes are not made to data while stored or in transit.

124
Q

What network topology is shown here?

a. A ring
b. A bus
c. A star
d. A mesh

A

C. A star topology uses a central connection device. Ethernet networks may look like a star, but they are actually a logical bus topology that is sometimes deployed in a physical star.

125
Q

Monica is developing a software application that calculates an individual’s body mass index for use in medical planning. She would like to include a control on the field where the physician enters an individual’s weight to ensure that the weight falls within an expected range. What type of control should Monica use?

a. Fail open
b. Fail secure
c. Limit check
d. Buffer bounds

A

C. Input validation ensures that the data provided to a program as input matches the expected parameters. Limit checks are a special form of input validation that ensure the value remains within an expected range, as is the case described in this scenario. Fail open and fail secure are options when planning for possible system failures. Buffer bounds are not a type of software control.

126
Q

Fred’s data role requires him to maintain system security plans and to ensure that system users and support staff get the training they need about security practices and acceptable use. What is the role that Fred is most likely to hold in the organization?

a. Data owner
b. System owner
c. User
d. Custodian

A

B. NIST SP 800-18 describes system owner responsibilities that include helping to develop system security plans, maintaining the plan, ensuring training, and identifying, implementing, and assessing security controls. A data owner is more likely to delegate these tasks to the system owner. Custodians may be asked to enforce those controls, whereas a user will be directly affected by them.

127
Q

Sally is using IPSec’s ESP component in transport mode. What important information should she be aware of about transport mode?

a. Transport mode provides full encryption of the entire IP packet.
b. Transport mode adds a new, unencrypted header to ensure that packets reach their destination.
c. Transport mode does not encrypt the header of the packet.
d. Transport mode provides no encryption, only tunnel mode provides encryption.

A

C. ESP’s transport mode encrypts IP packet data but leaves the packet header unencrypted. Tunnel mode encrypts the entire packet and adds a new header to support transmission through the tunnel.

128
Q

Which one of the following is not a key process area for the Repeatable phase of the Software Capability Maturity Model (SW-CMM)?

a. Software Project Planning
b. Software Quality Management
c. Software Project Tracking
d. Software Subcontract Management

A

B. In level 2, the Repeatable level of the SW-CMM, an organization introduces basic life-cycle management processes. Reuse of code in an organized fashion begins and repeatable results are expected from similar projects. The key process areas for this level include Requirements Management, Software Project Planning, Software Project Tracking and Oversight, Software Subcontract Management, Software Quality Assurance, and Software Configuration Management. Software Quality Management is a process that occurs during level 4, the Managed stage of the SW-CMM.

129
Q

Ben wants to provide predictive information about his organization’s risk exposure in an automated way as part of an ongoing organizational risk management plan. What should he use to do this?

a. KRIs
b. Quantitative risk assessments
c. KPIs
d. Penetration tests

A

A. Key risk indicators (KRIs) are often used to monitor risk for organizations that establish an ongoing risk management program. Using automated data gathering and tools that allow data to be digested and summarized can provide predictive information about how organizational risks are changing. KPIs are key performance indicators, which are used to assess how an organization is performing. Quantitative risk assessments are good for point-in-time views with detailed valuation and measurement-based risk assessments, whereas a penetration test would provide details of how well an organization’s security controls are working.

130
Q

In the image shown here, what does system B send to system A at step 2 of the three-way TCP handshake?

a. SYN
b. ACK
c. FIN/ACK
d. SYN/ACK

A

D. The three-way handshake is SYN, SYN/ACK, ACK. System B should respond with “Synchronize and Acknowledge” to System A after it receives a SYN.

131
Q

Chris is conducting reconnaissance on a remote target and discovers that pings are allowed through his target’s border firewall. What can he learn by using ping to probe the remote network?

a. Which systems respond to ping, a rough network topology, and potentially the location of additional firewalls
b. A list of all of the systems behind the target’s firewall
c. The hostnames and time to live (TTL) for each pingable system, and the ICMP types allowed through the firewall
d. Router advertisements, echo request responses, and potentially which hosts are tarpitted

A

A. Systems that respond to ping will show the time to live for packets that reach them. Since TTL is decremented at each hop, this can help build a rough network topology map. In addition, some firewalls respond differently to ping than a normal system, which means pinging a network can sometimes reveal the presence of firewalls that would otherwise be invisible. Hostnames are revealed by a DNS lookup, and ICMP types allowed through a firewall are not revealed by only performing a ping. ICMP can be used for router advertisements, but pinging won’t show them!

132
Q

What access management concept defines what rights or privileges a user has?

a. Identification
b. Accountability
c. Authorization
d. Authentication

A

C. Authorization defines what a subject can or can’t do. Identification occurs when a subject claims an identity, accountability is provided by the logs and audit trail that track what occurs on a system, and authentication occurs when that identity is validated.

133
Q

Which one of the following is not a classification level commonly found in commercial data classification schemes?

a. Secret
b. Sensitive
c. Confidential
d. Public

A

A. The commercial classification scheme discussed by (ISC)2 includes four primary classification levels: confidential, private, sensitive, and public. Secret is a part of the military classification scheme.

134
Q

Files, databases, computers, programs, processes, devices, and media are all examples of what?

a. Subjects
b. Objects
c. File stores
d. Users

A

B. All of these are objects. Although some of these items can be subjects, files, databases, and storage media can’t be. Processes and programs aren’t file stores, and of course none of these are users.

135
Q

Danielle is testing tax software, and part of her testing process requires her to input a variety of actual tax forms to verify that the software produces the right answers. What type of testing is Danielle performing?

a. Use case testing
b. Dynamic testing
c. Fuzzing
d. Misuse testing

A

A. Testing for desired functionality is use case testing. Dynamic testing is used to determine how code handles variables that change over time. Misuse testing focuses on how code handles examples of misuse, and fuzzing feeds unexpected data as an input to see how the code responds.

136
Q

What is the standard term of protection for a copyrighted work by a known author?

a. 95 years
b. 120 years
c. 70 years from the death of the author
d. 100 years from the death of the author

A

C. When the author of a work is known, copyright protects that work for 70 years after the death of the author. Works created by a corporate author are protected for 95 years from publication or 120 years from creation, whichever expires first.

137
Q

IP addresses like 10.10.10.10 and 172.19.24.21 are both examples of what type of IP address?

a. Public IP addresses
b. Prohibited IP addresses
c. Private IP addresses
d. Class B IP ranges

A

C. These are examples of private IP addresses. RFC 1918 defines a set of private IP address ranges for use in internal networks. These private ranges, 10.0.0.0-10.255.255.255, 172.16.0.0-172.31.255.255, and 192.168.0.0-192.168.255.255, should never be routable on the public Internet.

138
Q

What flaw is a concern with preset questions for cognitive passwords?

a. It prevents the use of tokens.
b. The question’s answer may be easy to find on the Internet.
c. Cognitive passwords require users to think to answer the question, and not all users may be able to solve the problems presented.
d. Cognitive passwords don’t support long passwords.

A

B. A cognitive password authenticates users based on a series of facts or answers to questions that they know. Preset questions for cognitive passwords typically rely on common information about a user like their mother’s maiden name, or the name of their pet, and that information can frequently be found on the Internet. The best cognitive password systems let users make up their own questions.

139
Q

In the Clark-Wilson integrity model, what type of process is authorized to modify constrained items?

a. CDI
b. UDI
c. IVP
d. TP

A

D. A transformation procedure (TP) is the only process authorized to modify constrained data items (CDIs) within the Clark-Wilson model.

140
Q

Kay is selecting an application management approach for her organization. Employees need the flexibility to install software on their systems, but Kay wants to prevent them from installing certain prohibited packages. What type of approach should she use?

a. Antivirus
b. Whitelist
c. Blacklist
d. Heuristic

A

C. The blacklist approach to application control blocks certain prohibited packages but allows the installation of other software on systems. The whitelist approach uses the reverse philosophy and only allows approved software. Antivirus software would only detect the installation of malicious software after the fact. Heuristic detection is a variant of antivirus software.

141
Q

Data relating to the past, present, or future payment for the provision of healthcare to an individual is what type of data per HIPAA?

a. PCI
b. Personal billing data
c. PHI
d. Personally identifiable information (PII)

A

C. Personal Health Information (PHI) is specifically defined by HIPAA to include information about an individual’s medical bills. PCI could refer to the payment card industry’s security standard but would only apply in relation to credit cards. PII is a broadly defined term for personally identifiable information, and personal billing data isn’t a broadly used industry term.

142
Q

Yagis, panel, cantennas, and parabolic antennas are all examples of what type of antenna?

a. Omnidirectional
b. Rubber duck or base antenna
c. Signal boosting
d. Directional

A

D. Yagis, panel antennas, cantennas, and parabolic antennas are all types of directional antenna. Omnidirectional antennas radiate in all directions, whereas these types of antennas are not necessarily signal boosting. Finally, rubber duck antennas are a type of omnidirectional pole antenna.

143
Q

Function, statement, branch, and condition are all types of what?

a. Penetration testing methodologies
b. Fuzzing techniques
c. Code coverage measures
d. Synthetic transaction analysis

A

C. Function, statement, branch, and condition are all types of code coverage metrics. Penetration testing methodologies use phases like planning, discovery, scanning, exploit, and reporting. Fuzzing techniques focus on ways to provide unexpected inputs, whereas synthetic transactions are generated test data provided to validate applications and performance.

144
Q

What is the minimum number of people who should be trained on any specific business continuity plan implementation task?

a. 1
b. 2
c. 3
d. 5

A

B. Organizations should train at least two individuals on every business continuity plan task. This provides a backup in the event the primary responder is not available.

145
Q

Cameron is responsible for backing up his company’s primary file server. He configured a backup schedule that performs full backups every Monday evening at 9:00 and incremental backups on other days of the week at that same time. How many files will be copied in Wednesday’s backup?

a. 1
b. 2
c. 5
d. 6

A

B. In this scenario, all of the files on the server will be backed up on Monday evening during the full backup. Tuesday’s incremental backup will include all files changed since Monday’s full backup: files 1, 2, and 5. Wednesday’s incremental backup will then include all files modified since Tuesday’s incremental backup: files 3 and 6.

146
Q

Susan uses a span port to monitor traffic to her production website, and uses a monitoring tool to identify performance issues in real time. What type of monitoring is she conducting?

a. Passive monitoring
b. Active monitoring
c. Synthetic monitoring
d. Signature-based monitoring

A

A. Susan is performing passive monitoring, which uses a network tap or span port to capture traffic to analyze it without impacting the network or devices that it is used to monitor. Synthetic, or active, monitoring uses recorded or generated traffic to test for performance and other issues. Signature-based technologies include IDS, IPS, and antimalware systems.

147
Q

The type of access granted to an object, and the actions that you can take on or with the object, are examples of what?

a. Permissions
b. Rights
c. Privileges
d. Roles

A

A. While the differences between rights, permissions, and roles can be confusing, typically permissions include both the access and actions that you can take on an object. Rights usually refer to the ability to take action on an object, and don’t include the access to it. Privileges combine rights and permissions, and roles describe sets of privileges based on job tasks or other organizational artifacts.

148
Q

Which one of the following would be considered an example of Infrastructure as a Service cloud computing?

a. Payroll system managed by a vendor and delivered over the web
b. Application platform managed by a vendor that runs customer code
c. Servers provisioned by customers on a vendor-managed virtualization platform
d. Web-based email service provided by a vendor

A

C. One of the core capabilities of Infrastructure as a Service is providing servers on a vendor-managed virtualization platform. Web-based payroll and email systems are examples of Software as a Service. An application platform managed by a vendor that runs customer code is an example of Platform as a Service.

149
Q

Questions 149–151 refer to the following scenario.

Darcy is an information security risk analyst for Roscommon Agricultural Products. She is currently trying to decide whether the company should purchase an upgraded fire suppression system for their primary data center. The data center facility has a replacement cost of $2 million.

After consulting with actuaries, data center managers, and fire subject matter experts, Darcy determined that a typical fire would likely require the replacement of all equipment inside the building but not cause significant structural damage. Together, they estimated that recovering from the fire would cost $750,000. They also determined that the company can expect a fire of this magnitude once every 50 years.

Based on the information in this scenario, what is the exposure factor for the effect of a fire on the Roscommon Agricultural Products data center?

a. 7.5%
b. 15.0%
c. 27.5%
d. 37.5%

A

D. The exposure factor is the percentage of the facility that risk managers expect will be damaged if a risk materializes. It is calculated by dividing the amount of damage by the asset value. In this case, that is $750,000 in damage divided by the $2 million facility value, or 37.5%.

150
Q

Questions 149–151 refer to the following scenario.

Darcy is an information security risk analyst for Roscommon Agricultural Products. She is currently trying to decide whether the company should purchase an upgraded fire suppression system for their primary data center. The data center facility has a replacement cost of $2 million.

After consulting with actuaries, data center managers, and fire subject matter experts, Darcy determined that a typical fire would likely require the replacement of all equipment inside the building but not cause significant structural damage. Together, they estimated that recovering from the fire would cost $750,000. They also determined that the company can expect a fire of this magnitude once every 50 years.

Based on the information in this scenario, what is the annualized rate of occurrence for a fire at the Roscommon Agricultural Products data center?

a. 0.002
b. 0.005
c. 0.02
d. 0.05

A

C. The annualized rate of occurrence is the number of times each year that risk analysts expect a risk to happen. In this case, the analysts expect fires will occur once every 50 years, or 0.02 times per year.

151
Q

Questions 149–151 refer to the following scenario.

Darcy is an information security risk analyst for Roscommon Agricultural Products. She is currently trying to decide whether the company should purchase an upgraded fire suppression system for their primary data center. The data center facility has a replacement cost of $2 million.

After consulting with actuaries, data center managers, and fire subject matter experts, Darcy determined that a typical fire would likely require the replacement of all equipment inside the building but not cause significant structural damage. Together, they estimated that recovering from the fire would cost $750,000. They also determined that the company can expect a fire of this magnitude once every 50 years.

Based on the information in this scenario, what is the annualized loss expectancy for a tornado at the Roscommon Agricultural Products data center?

a. $15,000
b. $25,000
c. $75,000
d. $750,000

A

A. The annualized loss expectancy is calculated by multiplying the single loss expectancy (SLE) by the annualized rate of occurrence (ARO). In this case, the SLE is $750,000 and the ARO is 0.02. Multiplying these numbers together gives you the ALE of $15,000.

152
Q

Two TCP header flags are rarely used. Which two are you unlikely to see in use in a modern network?

a. CWR and ECE
b. URG and FIN
c. ECE and RST
d. CWR and URG

A

A. Congestion Window Reduced (CWR) and ECN-Echo (ECE) are used to manage transmission over congested links, and are rarely seen in modern TCP networks.

153
Q

Which one of the following is not a tape rotation strategy commonly used in disaster recovery plans?

a. Tower of Hanoi
b. Key Rotation
c. Grandfather, Father, Son
d. First In, First Out

A

B. The Tower of Hanoi; Grandfather, Father, Son; and First In, First Out backup rotation strategies are all used to rotate backup tapes and other media. Key rotation is a cryptographic concept not related to disaster recovery media.

154
Q

Fran is a web developer who works for an online retailer. Her boss asked her to create a way that customers can easily integrate themselves with Fran’s company’s site. They need to be able to check inventory in real time, place orders, and check order status programmatically without having to access the web page. What can Fran create to most directly facilitate this interaction?

a. API
b. Web scraper
c. Data dictionary
d. Call center

A

A. An application programming interface (API) allows external users to directly call routines within Fran’s code. They can embed API calls within scripts and other programs to automate interactions with Fran’s company. A web scraper or call center might facilitate the same tasks, but they do not do so in a direct integration. Data dictionaries might provide useful information but they also do not allow direct integration.

155
Q

What type of power issue occurs when a facility experiences a momentary loss of power?

a. Fault
b. Blackout
c. Sag
d. Brownout

A

A. A fault is a momentary loss of power. Blackouts are sustained complete losses of power. Sags and brownouts are not complete power disruptions but rather periods of low voltage conditions.

156
Q

Lauren’s team of system administrators each deal with hundreds of systems with varying levels of security requirements and find it difficult to handle the multitude of usernames and passwords they each have. What type of solution should she recommend to ensure that passwords are properly handled and that features like logging and password rotation occur?

a. A credential management system
b. A strong password policy
c. Separation of duties
d. Single sign-on

A

A. Lauren’s team would benefit from a credential management system. Credential management systems offer features like password management, multifactor authentication to retrieve passwords, logging, audit, and password rotation capabilities. A strong password policy would only make maintenance of passwords for many systems a more difficult task if done manually. Single sign-on would help if all of the systems had the same sensitivity levels, but different credentials are normally required for higher sensitivity systems.

157
Q

Ed’s Windows system can’t connect to the network and ipconfig shows the following:

What has occurred on the system?

a. The system has been assigned an invalid IP address by its DHCP server.
b. The system has a manually assigned IP address.
c. The system has failed to get a DHCP address and has assigned itself an address.
d. The subnet mask is set incorrectly and the system cannot communicate with the gateway.

A

C. Windows systems will assign themselves an APIPA address between 169.254.0.1 and 169.254.255.254 if they cannot contact a DHCP server.

158
Q

What term is commonly used to describe initial creation of a user account in the provisioning process?

a. Enrollment
b. Clearance verification
c. Background checks
d. Initialization

A

A. Enrollment, or registration, is the initial creation of a user account in the provisioning process. Clearance verification and background checks are sometimes part of the process that ensures that the identity of the person being enrolled matches who they claim to be. Initialization is not used to describe the provisioning process.

159
Q

As part of her ongoing duties related to her company’s security program, Susan’s reports to management include the number of repeated audit findings. This information is an example of what type of useful measure?

a. Key risk indicator
b. Safeguard metrics
c. Key performance indicator
d. Audit tracking indicators

A

C. Repeated audit findings indicate a performance issue, making this a key performance indicator for Susan’s organization. Audit findings may demonstrate risk, but are not guaranteed to do so. Safeguard metrics and audit tracking metrics are not common industry terms.

160
Q

There is a significant conflict between the drive for profit and the security requirements that Olivia’s organization has standardized. Olivia’s role means that decreased usability and loss of profit due to her staff’s inability to use the system is her major concern. What is the most likely role that Olivia plays in her organization?

a. Business manager
b. Information security analyst
c. Data processor
d. Mission owner

A

D. The business or mission owner’s role is responsible for making sure systems provide value. When controls decrease the value that an organization gets, the business owner bears responsibility for championing the issue to those involved. There is not a business manager or information security analyst role in the list of NIST-defined data security roles. A data processor is defined but acts as a third-party data handler, and would not have to represent this issue in Olivia’s organization.

161
Q

Tom believes that a customer of his Internet service provider has been exploiting a vulnerability in his system to read the email messages of other customers. If true, what law did the customer most likely violate?

a. ECPA
b. CALEA
c. HITECH
d. Privacy Act

A

A. The Electronic Communications Privacy Act (ECPA) makes it a crime to invade the electronic privacy of an individual. It prohibits the unauthorized monitoring of email and voicemail communications.

162
Q

In the ring protection model shown here, what ring contains user programs and applications?

a. Ring 0
b. Ring 1
c. Ring 2
d. Ring 3

A

D. The kernel lies within the central ring, Ring 0. Ring 1 contains other operating system components. Ring 2 is used for drivers and protocols. User-level programs and applications run at Ring 3. Rings 0–2 run in privileged mode whereas Ring 3 runs in user mode.

163
Q

Metrics like the attack vector, complexity, exploit maturity, and how much user interaction is required are all found in what scoring system?

a. CVE
b. CVSS
c. CNA
d. NVD

A

B. The Common Vulnerability Scoring System (CVSS) uses measures such as attack vector, complexity, exploit maturity, and how much user interaction is required as well as measures suited to local concerns. CVE is the Common Vulnerabilities and Exposures dictionary, CNA is the CVE Numbering Authority, and NVD is the National Vulnerability Database.

164
Q

In which of the following circumstances does an individual not have a reasonable expectation of privacy?

a. Placing a telephone call on your cell phone
b. Sending a letter through the U.S. mail
c. Sending an email at work
d. Retrieving your personal voicemail

A

C. An individual does not have a reasonable expectation of privacy when any communication takes place using employer-owned communications equipment or accounts.

165
Q

During which of the following disaster recovery tests does the team sit together and discuss the response to a scenario but not actually activate any disaster recovery controls?

a. Checklist review
b. Full interruption test
c. Parallel test
d. Tabletop exercise

A

D. During a tabletop exercise, team members come together and walk through a scenario without making any changes to information systems. The checklist review is the least disruptive type of disaster recovery test. During a checklist review, team members each review the contents of their disaster recovery checklists on their own and suggest any necessary changes. During a parallel test, the team actually activates the disaster recovery site for testing but the primary site remains operational. During a full interruption test, the team takes down the primary site and confirms that the disaster recovery site is capable of handling regular operations. The full interruption test is the most thorough test but also the most disruptive.

166
Q

Susan wants to integrate her website to allow users to use accounts from sites like Google. What technology should she adopt?

a. Kerberos
b. LDAP
c. OpenID
d. SESAME

A

C. OpenID is a widely supported standard that allows a user to use a single account to log into multiple sites, and Google accounts are frequently used with OpenID.

167
Q

Tom is conducting a business continuity planning effort for Orange Blossoms, a fruit orchard located in Central Florida. During the assessment process, the committee determined that there is a small risk of snow in the region but that the cost of implementing controls to reduce the impact of that risk is not warranted. They elect to not take any specific action in response to the risk. What risk management strategy is Orange Blossoms pursuing?

a. Risk mitigation
b. Risk transference
c. Risk avoidance
d. Risk acceptance

A

D. Risk acceptance occurs when an organization determines that the costs involved in pursuing other risk management strategies are not justified and they choose not to pursue any action.

168
Q

Fred needs to run a network cable for over a kilometer. What wiring option should he choose to ensure that he doesn’t encounter issues?

a. 10Base5
b. 10BaseT
c. STP
d. Fiber optic

A

D. Fred should choose a fiber-optic cable. Copper cable types like 10Base2, 10Base5, and 10BaseT, as well as 100Base-T and 1000BaseT, fall far short of the distance required, whereas fiber-optic cable can run for miles.

169
Q

Jack’s organization is a multinational nonprofit that has small offices in many developing countries throughout the world. They need to implement an access control system that allows flexibility and which can work despite poor Internet connectivity at their locations. What is the best type of access control design for Jack’s organization?

a. Centralized access control
b. Mandatory access control
c. Decentralized access control
d. Rule-based access control

A

C. Decentralized access control makes sense because it allows local control over access. When network connectivity to a central control point is a problem, or if rules and regulations may vary significantly from location to location, centralized control can be less desirable than decentralized control despite its challenges with consistency. Since the problem does not describe specific control needs, mandatory access control and rule-based access controls could fit the need but aren’t the best answer.

170
Q

What U.S. government classification label is applied to information that, if disclosed, could cause serious damage to national security, and also requires that the damage that would be caused is able to be described or identified by the classification authority?

a. Classified
b. Secret
c. Confidential
d. Top Secret

A

B. The U.S. government classifies data that could reasonably be expected to cause damage to national security if disclosed, and for which the damage can be identified or described, as Secret. The U.S. government does not use Classified in its formal four levels of classification. Top Secret data could cause exceptionally grave damage, whereas Confidential data could be expected to cause damage.

171
Q

Questions 171–174 refer to the following scenario.

Mike and Renee would like to use an asymmetric cryptosystem to communicate with each other. They are located in different parts of the country but have exchanged encryption keys by using digital certificates signed by a mutually trusted certificate authority.

When the certificate authority (CA) created Renee’s digital certificate, what key was contained within the body of the certificate?

a. Renee’s public key
b. Renee’s private key
c. CA’s public key
d. CA’s private key

A

A. The purpose of a digital certificate is to provide the general public with an authenticated copy of the certificate subject’s public key.

172
Q

Questions 171–174 refer to the following scenario.

Mike and Renee would like to use an asymmetric cryptosystem to communicate with each other. They are located in different parts of the country but have exchanged encryption keys by using digital certificates signed by a mutually trusted certificate authority.

When the certificate authority created Renee’s digital certificate, what key did it use to digitally sign the completed certificate?

a. Renee’s public key
b. Renee’s private key
c. CA’s public key
d. CA’s private key

A

D. The last step of the certificate creation process is the digital signature. During this step, the certificate authority signs the certificate using its own private key.

173
Q

Questions 171–174 refer to the following scenario.

Mike and Renee would like to use an asymmetric cryptosystem to communicate with each other. They are located in different parts of the country but have exchanged encryption keys by using digital certificates signed by a mutually trusted certificate authority.

When Mike receives Renee’s digital certificate, what key does he use to verify the authenticity of the certificate?

a. Renee’s public key
b. Renee’s private key
c. CA’s public key
d. CA’s private key

A

C. When an individual receives a copy of a digital certificate, he or she verifies the authenticity of that certificate by using the CA’s public key to validate the digital signature contained on the certificate.

174
Q

Questions 171–174 refer to the following scenario.

Mike and Renee would like to use an asymmetric cryptosystem to communicate with each other. They are located in different parts of the country but have exchanged encryption keys by using digital certificates signed by a mutually trusted certificate authority.

Mike would like to send Renee a private message using the information gained during this exchange. What key should he use to encrypt the message?

a. Renee’s public key
b. Renee’s private key
c. CA’s public key
d. CA’s private key

A

A. Mike uses the public key that he extracted from Renee’s digital certificate to encrypt the message that he would like to send to Renee.

175
Q

Which one of the following tools may be used to directly violate the confidentiality of communications on an unencrypted VoIP network?

a. Nmap
b. Nessus
c. Wireshark
d. Nikto

A

C. Wireshark is a network monitoring tool that can capture and replay communications sent over a data network, including Voice over IP (VoIP) communications. Nmap, Nessus, and Nikto are all security tools that may identify security flaws in the network, but they do not directly undermine confidentiality because they do not have the ability to capture communications.

176
Q

How does single sign-on increase security?

a. It decreases the number of accounts required for a subject.
b. It helps decrease the likelihood users will write down their passwords.
c. It provides logging for each system that it is connected to.
d. It provides better encryption for authentication data.

A

B. Studies consistently show that users are more likely to write down passwords if they have more accounts. Central control of a single account is also easier to shut off if something does go wrong. Simply decreasing the number of accounts required for a subject doesn’t increase security by itself, and SSO does not guarantee individual system logging, although it should provide central logging of SSO activity. Since an SSO system was not specified, there is no way of determining whether a given SSO system provides better or worse encryption for authentication data.

177
Q

Which one of the following cryptographic algorithms supports the goal of nonrepudiation?

a. Blowfish
b. DES
c. AES
d. RSA

A

D. Nonrepudiation is only possible with an asymmetric encryption algorithm. RSA is an asymmetric algorithm. AES, DES, and Blowfish are all symmetric encryption algorithms that do not provide nonrepudiation.

178
Q

Microsoft’s STRIDE threat assessment framework uses six categories for threats: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. If a penetration tester is able to modify audit logs, what STRIDE categories best describe this issue?

a. Tampering and information disclosure
b. Elevation of privilege and tampering
c. Repudiation and denial of service
d. Repudiation and tampering

A

D. Modification of audit logs will prevent repudiation because the data cannot be trusted, and thus actions cannot be provably denied. The modification of the logs is also a direct example of tampering. It might initially be tempting to answer elevation of privileges and tampering, as the attacker made changes to files that should be protected, but this is an unknown without more information. Similarly, the attacker may have accessed the files, resulting in information disclosure in addition to tampering, but again, this is not specified in the question. Finally, this did not cause a denial of service, and thus that answer can be ignored.

179
Q

RIP, OSPF, and BGP are all examples of protocols associated with what type of network device?

a. Switches
b. Bridges
c. Routers
d. Gateways

A

C. Routing Information Protocol (RIP), Open Shortest Path First (OSPF), and Border Gateway Protocol (BGP) are all routing protocols and are associated with routers.

180
Q

AES-based CCMP and 802.1x replaced what security protocol that was designed as part of WPA to help fix the significant security issues found in WEP?

a. TLS
b. TKIP
c. EAP
d. PEAP

A

B. The Temporal Key Integrity Protocol (TKIP) was used with WPA on existing hardware to replace WEP. TKIP has been replaced by CCMP and 802.1x since 2012. PEAP and EAP are both authentication protocols. Transport Layer Security (TLS) is used to secure web transactions and other network communications.

181
Q

The government agency that Ben works at installed a new access control system. The system uses information such as Ben’s identity, department, normal working hours, job category, and location to make authorization decisions. What type of access control system did Ben’s employer adopt?

a. Role-based access control
b. Attribute-based access control
c. Administrative access control
d. System discretionary access control

A

B. Each of the attributes linked to Ben’s access provides information for an attribute-based information control system. Attribute-based information controls like those described in NIST SP 800-162 can take many details about the user, actions, and objects into consideration before allowing access to occur. A role-based access control would simply consider Ben’s role, whereas both administrative and system discretionary access controls are not commonly used terms to describe access controls.

182
Q

The Low Orbit Ion Cannon (LOIC) attack tool used by Anonymous leverages a multitude of home PCs to attack its chosen targets. This is an example of what type of network attack?

a. DDoS
b. Ionization
c. Zombie horde
d. Teardrop

A

A. LOIC is an example of a distributed denial-of-service attack. It uses many systems to attack targets, combining their bandwidth and making it difficult to shut down the attack because of the number and variety of attackers. Ionization and Zombie horde attacks are both made-up answers. Teardrop attacks are an older type of attack that sends fragmented packets as a denial-of-service attack.

183
Q

Andrew believes that a digital certificate belonging to his organization was compromised and would like to add it to a Certificate Revocation List. Who must add the certificate to the CRL?

a. Andrew
b. The root authority for the top-level domain
c. The CA that issued the certificate
d. The revocation authority for the top-level domain

A

C. Certificates may only be added to a Certificate Revocation List by the certificate authority that created the digital certificate.

184
Q

Amanda is considering the implementation of a database recovery mechanism recommended by a consultant. In the recommended approach, an automated process will move records of transactions from the primary site to a backup site on an hourly basis. What type of database recovery technique is the consultant describing?

a. Electronic vaulting
b. Transaction logging
c. Remote mirroring
d. Remote journaling

A

D. Remote journaling transfers transaction logs to a remote site on a more frequent basis than electronic vaulting, typically hourly. Transaction logging is not a recovery technique alone; it is a process for generating the logs used in remote journaling. In an electronic vaulting approach, automated technology moves database backups from the primary database server to a remote site on a scheduled basis, typically daily. Remote mirroring maintains a live database server at the backup site and mirrors all transactions at the primary site on the server at the backup site.

185
Q

A process on a system needs access to a file that is currently in use by another process. What state will the process scheduler place this process in until the file becomes available?

a. Running
b. Ready
c. Waiting
d. Stopped

A

C. The Waiting state is used when a process is blocked waiting for an external event. The Running state is used when a process is executing on the CPU. The Ready state is used when a process is prepared to execute, but the CPU is not available. The Stopped state is used when a process terminates.

186
Q

Which one of the following investigation types has the loosest standards for the collection and preservation of information?

a. Civil investigation
b. Operational investigation
c. Criminal investigation
d. Regulatory investigation

A

B. Operational investigations are performed by internal teams to troubleshoot performance or other technical issues. They are not intended to produce evidence for use in court and, therefore, do not have the rigid collection standards of criminal, civil, or regulatory investigations.

187
Q

Sue was required to sign an NDA when she took a job at her new company. Why did the company require her to sign it?

a. To protect the confidentiality of their data
b. To ensure that Sue did not delete their data
c. To prevent Sue from directly competing with them in the future
d. To require Sue to ensure the availability for their data as part of her job

A

A. Non-disclosure agreements (NDAs) are designed to protect the confidentiality of an organization’s data, including trade secrets during and after the person’s employment. NDAs do not protect against deletion or availability issues, and non-compete agreements would be required to stop competition.

188
Q

Susan is concerned about the FAR associated with her biometric technology. What is the best method to deal with the FAR?

a. Adjust the CER.
b. Change the sensitivity of the system to lower the FRR.
c. Add a second factor.
d. Replace the biometric system.

A

C. Adding a second factor can ensure that users who might be incorrectly accepted due to a higher than desired false acceptance rate (FAR) are not given access to a system. The CER is the crossover between the false acceptance rate and the false rejection rate (FRR), and is used as a way to measure the accuracy of biometric systems. Changing the sensitivity to lower the FRR may actually increase the FAR, and replacing a biometric system can be expensive in terms of both time and cost.

189
Q

What length of time does an SOC 2 report typically cover?

a. Point in time
b. 6 months
c. 12 months
d. 3 months

A

B. SOC 2 reports typically cover 6 months of operations. SOC 1 reports cover a point in time.

190
Q

Which of the following is not a code review process?

a. Email pass-around
b. Over the shoulder
c. Pair programming
d. IDE forcing

A

D. Over-the-shoulder reviews require the original developer to explain her code to a peer while walking through it. Email pass-around code reviews are done by sending code for review to peers. Pair programming requires two developers, only one of whom writes code while both collaborate. IDE forcing is not a type of code review; an IDE is an integrated development environment.

191
Q

Which one of the following attack types depends on precise timing?

a. TOC/TOU
b. SQL injection
c. Pass the hash
d. Cross-site scripting

A

A. The Time of Check to Time of Use (TOC/TOU) attack exploits timing differences between when a system verifies authorization and software uses that authorization to perform an action. It is an example of a race condition attack. The other three attacks mentioned do not depend on precise timing.

192
Q

What process adds a header and a footer to data received at each layer of the OSI model?

a. Attribution
b. Encapsulation
c. TCP wrapping
d. Data hiding

A

B. Encapsulation is a process that adds a header and possibly a footer to data received at each layer before handoff to the next layer. TCP wrappers are a host-based network access control system, attribution is determining who or what performed an action or sent data, and data hiding is a term from object-oriented programming that is not relevant here.

193
Q

Attackers who compromise websites often acquire databases of hashed passwords. What technique can best protect these passwords against automated password cracking attacks that use precomputed values?

a. Using the MD5 hashing algorithm
b. Using the SHA-1 hashing algorithm
c. Salting
d. Double-hashing

A

C. Salting adds random text to the password before hashing in an attempt to defeat automated password cracking attacks that use precomputed values. MD5 and SHA-1 are both common hashing algorithms, so using them does not add any security. Double-hashing would only be a minor inconvenience for an attacker and would not be as effective as the use of salting.

194
Q

Jim starts a new job as a system engineer and his boss provides him with a document entitled “Forensic Response Guidelines.” Which one of the following statements is not true?

a. Jim must comply with the information in this document.
b. The document contains information about forensic examinations.
c. Jim should read the document thoroughly.
d. The document is likely based on industry best practices.

A

A. Guidelines provide advice based on best practices developed throughout industry and organizations, but they are not compulsory. Compliance with guidelines is optional.

195
Q

Which one of the following tools is most often used for identification purposes and is not suitable for use as an authenticator?

a. Password
b. Retinal scan
c. Username
d. Token

A

C. Usernames are an identification tool. They are not secret, so they are not suitable for use as a password.

196
Q

Ben needs to verify that the most recent patch for his organization’s critical application did not introduce issues elsewhere. What type of testing does Ben need to conduct to ensure this?

a. Unit testing
b. White box
c. Regression testing
d. Black box

A

C. Regression testing ensures proper functionality of an application or system after it has been changed. Unit testing focuses on testing each module of a program instead of against its previous functional state. White and black box testing both describe the amount of knowledge about a system or application, rather than a specific type or intent for testing.

197
Q

Tamara recently decided to purchase cyberliability insurance to cover her company’s costs in the event of a data breach. What risk management strategy is she pursuing?

a. Risk acceptance
b. Risk mitigation
c. Risk transference
d. Risk avoidance

A

C. Risk transference involves shifting the impact of a potential risk from the organization incurring the risk to another organization. Insurance is a common example of risk transference.

198
Q

Which of the following is not one of the four canons of the (ISC)2 code of ethics?

a. Avoid conflicts of interest that may jeopardize impartiality.
b. Protect society, the common good, necessary public trust and confidence, and the infrastructure.
c. Act honorably, honestly, justly, responsibly, and legally.
d. Provide diligent and competent service to principals.

A

A. The four canons of the (ISC)2 code of ethics are to protect society, the common good, necessary public trust and confidence, and the infrastructure; act honorably, honestly, justly, responsibly, and legally; provide diligent and competent service to principals; and advance and protect the profession.

199
Q

Jim wants to allow a partner organization’s Active Directory forest (B) to access his domain forest’s (A)’s resources but doesn’t want to allow users in his domain to access B’s resources. He also does not want the trust to flow upward through the domain tree as it is formed. What should he do?

a. Set up a two-way transitive trust.
b. Set up a one-way transitive trust.
c. Set up a one-way nontransitive trust.
d. Set up a two-way nontransitive trust.

A

C. A trust that allows one forest to access another’s resources without the reverse being possible is an example of a one-way trust. Since Jim doesn’t want the trust path to flow as the domain tree is formed, this trust has to be nontransitive.

200
Q

Susan’s team is performing code analysis by manually reviewing the code for flaws. What type of analysis are they performing?

a. Gray box
b. Static
c. Dynamic
d. Fuzzing

A

B. Susan’s team is performing static analysis, which analyzes nonrunning code. Dynamic analysis uses running code, whereas gray box assessments are a type of assessment done without full knowledge. Fuzzing feeds unexpected inputs to a program as part of dynamic analysis.

201
Q

The IP address 201.19.7.45 is what type of address?

a. A public IP address
b. An RFC 1918 address
c. An APIPA address
d. A loopback address

A

A. 201.19.7.45 is a public IP address. RFC 1918 addresses are in the ranges 10.0.0.0–10.255.255.255, 172.16.0.0–172.31.255.255, and 192.168.0.0–192.168.255.255. APIPA addresses are assigned between 169.254.0.0 and 169.254.255.254, and 127.0.0.1 is a loopback address (although technically the entire 127.x.x.x network is reserved for loopback).

202
Q

Sam is a security risk analyst for an insurance company. He is currently examining a scenario where a hacker might use a SQL injection attack to deface a web server due to a missing patch in the company’s web application. In this scenario, what is the vulnerability?

a. Unpatched web application
b. Web defacement
c. Hacker
d. Operating system

A

A. Risks are the combination of a threat and a vulnerability. Threats are the external forces seeking to undermine security, such as the hacker in this case. Vulnerabilities are the internal weaknesses that might allow a threat to succeed. In this case the missing patch is the vulnerability. In this scenario, if the hacker attempts a SQL injection attack (threat) against the unpatched server (vulnerability), the result is website defacement.

203
Q

Which one of the following categories of secure data removal techniques would include degaussing?

a. Clear
b. Shrink
c. Purge
d. Destroy

A

C. The three categories of data destruction are clear (overwriting with nonsensitive data), purge (removing all data), and destroy (physical destruction of the media). Degaussing is an example of a purging technique.

204
Q

What type of alternate processing facility includes all of the hardware and data necessary to restore operations in a matter of minutes or seconds?

a. Hot site
b. Warm site
c. Cold site
d. Mobile site

A

A. Hot sites contain all of the hardware and data necessary to restore operations and may be activated very quickly.

205
Q

What UDP port is typically used by the syslog service?

a. 443
b. 514
c. 515
d. 445

A

B. Syslog uses UDP port 514. TCP-based implementations of syslog typically use port 6514. The other ports may look familiar because they are commonly used TCP ports: 443 is HTTPS, 515 is the LPD print service, and 445 is used for Windows SMB.

206
Q

Fred finds a packet that his protocol analyzer shows with both PSH and URG set. What type of packet is he looking at, and what do the flags mean?

a. A UDP packet; PSH and URG are used to indicate that the data should be sent at high speed
b. A TCP packet; PSH and URG are used to clear the buffer and indicate that the data is urgent
c. A TCP packet; PSH and URG are used to preset the header and indicate that the speed of the network is unregulated
d. A UDP packet; PSH and URG are used to indicate that the UDP buffer should be cleared and that the data is urgent

A

B. PSH is a TCP flag used to clear the buffer, resulting in immediately sending data, and URG is the TCP urgent flag. These flags are not present in UDP headers.

207
Q

What code review process is shown here?

a. Static inspection
b. Fagan inspection
c. Dynamic inspection
d. Interface testing

A

B. Fagan inspection is a highly formalized review and testing process that uses planning, overview, preparation, inspection, rework, and follow-up steps. Static inspection looks at code without running it, dynamic inspection uses live programs, and interface testing tests where code modules interact.

208
Q

During a log review, Karen discovers that the system she needs to gather logs from has the log setting shown here. What problem is Karen likely to encounter?

a. Too much log data will be stored on the system.
b. The system is automatically purging archived logs.
c. The logs will not contain the information needed.
d. The logs will only contain the most recent 20 MB of log data.

A

D. The system is set to overwrite the logs and will replace the oldest log entries with new log entries when the file reaches 20 MB. The system is not purging archived logs because it is not archiving logs. Since there can only be 20 MB of logs, this system will not have stored too much log data, and the question does not provide enough information to know if there will be an issue with not having the information needed.

209
Q

The ESP component of IPSec provides what two functions?

a. Authentication and integrity
b. Confidentiality and authentication
c. Nonrepudiation and authentication
d. Confidentiality and availability

A

B. Encapsulating Security Payload (ESP) provides the ability to encrypt and thus provides confidentiality, as well as limited authentication capabilities. It does not provide availability, nonrepudiation, or integrity validation.

210
Q

Questions 210–213 refer to the following scenario.

Alejandro is an incident response analyst for a large corporation. He is on the midnight shift when an intrusion detection system alerts him to a potential brute-force password attack against one of the company’s critical information systems. He performs an initial triage of the event before taking any additional action.

What stage of the incident response process is Alejandro currently conducting?

a. Detection
b. Response
c. Recovery
d. Mitigation

A

A. Alejandro is in the first stage of the incident response process, detection. During this stage, the intrusion detection system provides the initial alert, and Alejandro performs preliminary triaging to determine if an intrusion is actually taking place and whether the scenario fits the criteria for activating further steps of the incident response process (which include response, mitigation, reporting, recovery, remediation, and lessons learned).

211
Q

Questions 210–213 refer to the following scenario.

Alejandro is an incident response analyst for a large corporation. He is on the midnight shift when an intrusion detection system alerts him to a potential brute-force password attack against one of the company’s critical information systems. He performs an initial triage of the event before taking any additional action.

If Alejandro’s initial investigation determines that a security incident is likely taking place, what should be his next step?

a. Investigate the root cause.
b. File a written report.
c. Activate the incident response team.
d. Attempt to restore the system to normal operations.

A

C. After detection of a security incident, the next step in the process is response, which should follow the organization’s formal incident response procedure. The first step of this procedure is activating the appropriate teams, including the organization’s computer security incident response team (CSIRT).

212
Q

Questions 210–213 refer to the following scenario.

Alejandro is an incident response analyst for a large corporation. He is on the midnight shift when an intrusion detection system alerts him to a potential brute-force password attack against one of the company’s critical information systems. He performs an initial triage of the event before taking any additional action.

As the incident response progresses, during which stage should the team conduct a root cause analysis?

a. Response
b. Reporting
c. Remediation
d. Lessons Learned

A

C. The root cause analysis examines the incident to determine what allowed it to happen and provides critical information for repairing systems so that the incident does not recur. This is a component of the remediation step of the incident response process because the root cause analysis output is necessary to fully remediate affected systems and processes.

213
Q

Questions 210–213 refer to the following scenario.

Alejandro is an incident response analyst for a large corporation. He is on the midnight shift when an intrusion detection system alerts him to a potential brute-force password attack against one of the company’s critical information systems. He performs an initial triage of the event before taking any additional action.

Barry recently received a message from Melody that Melody encrypted using symmetric cryptography. What key should Barry use to decrypt the message?

a. Barry’s public key
b. Barry’s private key
c. Melody’s public key
d. Shared secret key

A

D. When using symmetric cryptography, the sender encrypts a message using a shared secret key and the recipient then decrypts the message with that same key. Only asymmetric cryptography uses the concept of public and private key pairs.

214
Q

After you do automated functional testing with 100 percent coverage of an application, what type of error is most likely to remain?

a. Business logic errors
b. Input validation errors
c. Runtime errors
d. Error handling errors

A

A. Business logic errors are most likely to be missed by automated functional testing. If a complete coverage code test was conducted, runtime, input validation, and error handling issues are likely to have been discovered by automated testing. Any automated system is more likely to miss business logic errors, because humans are typically necessary to understand business logic issues.

215
Q

During what phase of the incident response process would security professionals analyze the process itself to determine whether any improvements are warranted?

a. Lessons Learned
b. Remediation
c. Recovery
d. Reporting

A

A. During the Lessons Learned phase, analysts close out an incident by conducting a review of the entire incident response process. This may include making recommendations for improvements to the process that will streamline the efficiency and effectiveness of future incident response efforts.

216
Q

What law prevents the removal of protection mechanisms placed on a copyrighted work by the copyright holder?

a. HIPAA
b. DMCA
c. GLBA
d. ECPA

A

B. The Digital Millennium Copyright Act (DMCA) prohibits attempts to circumvent copyright protection mechanisms placed on a protected work by the copyright holder.

217
Q

Linda is selecting a disaster recovery facility for her organization, and she wishes to retain independence from other organizations as much as possible. She would like to choose a facility that balances cost and recovery time, allowing activation in about one week after a disaster is declared. What type of facility should she choose?

a. Cold site
b. Warm site
c. Mutual assistance agreement
d. Hot site

A

B. Linda should choose a warm site. This approach balances cost and recovery time. Cold sites take a very long time to activate, measured in weeks or months. Hot sites activate immediately but are quite expensive. Mutual assistance agreements depend on the support of another organization.

218
Q

What term is used to describe two-way communications in which only one direction can send at a time?

a. Duplex
b. Half-duplex
c. Simplex
d. Suplex

A

B. Half-duplex communications allow only one side to send at a time. Full-duplex communications allow both parties to send simultaneously, whereas simplex communications describe one-way communications. A suplex would be a bad idea for most communications—it is a wrestling move!

219
Q

What type of penetration testing provides detail on the scope of a penetration test—including items like what systems would be targeted—but does not provide full visibility into the configuration or other details of the systems or networks the penetration tester must test?

a. Crystal box
b. White box
c. Black box
d. Gray box

A

D. Gray box testing is a blend of crystal (or white) box testing that provides full information about a target, and black box testing, which provides little or no knowledge about the target.

220
Q

Test coverage is computed using which of the following formulas?

a. Number of use cases tested/total number of use cases
b. Number of lines of code tested/total number of lines of code
c. Number of functions tested/total number of functions
d. Number of conditional branches tested/Total number of testable branches

A

A. Test coverage is computed using the formula test coverage = number of use cases tested/total number of use cases. Code coverage is assessed by the other formulas, including function, conditional, and total code coverage.

221
Q

TCP and UDP both operate at what layer of the OSI model?

a. Layer 2
b. Layer 3
c. Layer 4
d. Layer 5

A

C. TCP, UDP, and other transport layer protocols like SSL and TLS operate at the Transport layer.

222
Q

Which one of the following goals of physical security environments occurs first in the functional order of controls?

a. Delay
b. Detection
c. Deterrence
d. Denial

A

C. Deterrence is the first functional goal of physical security mechanisms. If a physical security control presents a formidable challenge to a potential attacker, they may not attempt the attack in the first place.

223
Q

In what type of trusted recovery process does the system recover against one or more failure types without administrator intervention with potential data loss?

a. Automated recovery
b. Manual recovery
c. Automated recovery without undue data loss
d. Function recovery

A

A. In an automated recovery, the system can recover itself against one or more failure types. In a manual recovery approach, the system does not fail into a secure state but requires an administrator to manually restore operations. In an automated recovery without undue loss, the system can recover itself against one or more failure types and also preserve data against loss. In function recovery, the system can restore functional processes automatically.

224
Q

Skip needs to transfer files from his PC to a remote server. What protocol should he use instead of FTP?

a. SCP
b. SSH
c. HTTP
d. Telnet

A

A. Skip should use SCP—Secure Copy is a secure file transfer method. SSH is a secure command-line and login protocol, whereas HTTP is used for unencrypted web traffic. Telnet is an unencrypted command-line and login protocol.

225
Q

Ben’s New York–based commercial web service collects personal information from California residents. What does the California Online Privacy Protection Act require Ben to do to be compliant?

a. Ben must encrypt all personal data he receives.
b. Ben must comply with the EU DPD.
c. Ben must have a conspicuously posted privacy policy on his site.
d. Ben must provide notice and choice for users of his website.

A

C. The California Online Privacy Protection Act requires that commercial websites that collect personal information from users in California conspicuously post a privacy policy. The Act does not require compliance with the EU DPD, nor does it use the DPD concepts of notice or choice, and it does not require encryption of all personal data.

226
Q

What process is used to verify that a dial-up user is connecting from the phone number they are preauthorized to use in a way that avoids spoofing?

a. CallerID
b. Callback
c. CHAP
d. PPP

A

B. Callback disconnects a remote user after their initial connection, and then calls them back at a preauthorized number. CallerID can help with this but can be spoofed, making callback a better solution. CHAP is an authentication protocol, and PPP is a dial-up protocol. Neither will verify a phone number.

227
Q

In the diagram shown here of security boundaries within a computer system, what component’s name has been replaced with XXX?

a. Reference monitor
b. Privileged core
c. Security perimeter
d. User kernel

A

A. The reference monitor is a component of the Trusted Computing Base (TCB) that validates access to resources.

228
Q

Why are iris scans preferable to most other types of biometric factors?

a. Iris scanners are harder to deceive.
b. Irises don’t change as much as other factors.
c. Iris scanners are cheaper than other factors.
d. Iris scans cannot be easily replicated.

A

B. Iris scans have a longer useful life than many other types of biometric factors because they don’t change throughout a person’s lifespan (unless the eye itself is damaged). Iris scanners can be fooled in some cases by high-resolution images of an eye, and iris scanners are not significantly cheaper than other scanners.

229
Q

Alex has ensured that all of his staff have signed nondisclosure agreements to help protect his organization’s intellectual property and data. What potential issue is Alex working to deal with?

a. Data exfiltration
b. Personnel retention
c. Data breach
d. Nonproprietary data sharing

A

B. Personnel retention deals with what happens when employees leave and share proprietary data. A data breach occurs when data is stolen or lost, and data exfiltration occurs when attackers or insiders extract data from an organization. Finally, nonproprietary data sharing should result in very little harm.

230
Q

Matthew, Richard, and Christopher would like to exchange messages with each other using symmetric cryptography. They want to ensure that each individual can privately send a message to another individual without the third person being able to read the message. How many keys do they need?

a. 1
b. 2
c. 3
d. 6

A

C. They need a key for every possible pair of users in the cryptosystem. The first key would allow communication between Matthew and Richard. The second key would allow communication between Richard and Christopher. The third key would allow communication between Christopher and Matthew.

231
Q

Which one of the following is not an example of criminal law?

a. Gramm Leach Bliley Act
b. Computer Fraud and Abuse Act
c. Electronic Communications Privacy Act
d. Identity Theft and Assumption Deterrence Act

A

A. The Gramm Leach Bliley Act is an example of civil law. The Computer Fraud and Abuse Act, Electronic Communications Privacy Act, and Identity Theft and Assumption Deterrence Act are all examples of criminal law.

232
Q

What is the best way to ensure email confidentiality in motion?

a. Use TLS between the client and server.
b. Use SSL between the client and server.
c. Encrypt the email content.
d. Use a digital signature.

A

C. The SMTP protocol does not guarantee confidentiality between servers, making TLS or SSL between the client and server only a partial measure. Encrypting the email content can provide confidentiality; digital signatures can provide nonrepudiation.

233
Q

Brenda is analyzing the web server logs after a successful compromise of her organization’s web-based order processing application. She finds an entry in the log file showing that a user entered the following information as his last name when placing an order:

Smith';DROP TABLE orders;--

What type of attack was attempted?

a. Buffer overflow
b. Cross-site scripting
c. Cross-site request forgery
d. SQL injection

A

D. The single quotation mark in the input field is a telltale sign that this is a SQL injection attack. The quotation mark is used to escape outside of the SQL code’s input field, and the text following is used to directly manipulate the SQL command sent from the web application to the database.

234
Q

What type of policy describes how long data is kept before destruction?

a. Classification
b. Audit
c. Record retention
d. Availability

A

C. Record retention policies describe how long the organization should retain data and may also specify how and when destruction should occur. Classification policies describe how and why classification should occur and who is responsible, whereas availability and audit policies may be created for specific purposes.

235
Q

What is the goal of the BCP process?

a. RTO
b. MTD
c. RPO
d. MTD

A

A. The goal of the business continuity planning process is to ensure that your recovery time objectives are all less than your maximum tolerable downtimes.

236
Q

During which phase of the incident response process would administrators design new security controls intended to prevent a recurrence of the incident?

a. Reporting
b. Recovery
c. Remediation
d. Lessons Learned

A

C. The Remediation phase of incident handling focuses on conducting a root cause analysis to identify the factors contributing to an incident and implementing new security controls, as needed.

237
Q

Bethany received an email from one of her colleagues with an unusual attachment named smime.p7s. She does not recognize the attachment and is unsure what to do. What is the most likely scenario?

a. This is an encrypted email message.
b. This is a phishing attack.
c. This is embedded malware.
d. This is a spoofing attack.

A

A. The S/MIME secure email format uses the P7S format for encrypted email messages. If the recipient does not have a mail reader that supports S/MIME, the message will appear with an attachment named smime.p7s.

238
Q

Questions 238–241 refer to the following scenario.

Kim is the database security administrator for Aircraft Systems, Inc. (ASI). ASI is a military contractor engaged in the design and analysis of aircraft avionics systems and regularly handles classified information on behalf of the government and other government contractors. Kim is concerned about ensuring the security of information stored in ASI databases.

Kim’s database is a multilevel security database, and different ASI employees have different security clearances. The database contains information on the location of military aircraft containing ASI systems to allow ASI staff to monitor those systems.

Kim learned that the military is planning a classified mission that involves some ASI aircraft. She is concerned that employees not cleared for the mission may learn of it by noticing the movement of many aircraft to the region. What type of attack is Kim concerned about?

a. Aggregation
b. SQL injection
c. Inference
d. Multilevel security

A

A. Aggregation is a security issue that arises when a collection of facts has a higher classification than the classification of any of those facts standing alone. An inference problem occurs when an attacker can pull together pieces of less sensitive information from multiple sources and use them to derive information of greater sensitivity. In this case, only a single source was used. SQL injection is a web application exploit. Multilevel security is a system control that allows the simultaneous processing of information at different classification levels.

239
Q

Questions 238–241 refer to the following scenario.

Kim is the database security administrator for Aircraft Systems, Inc. (ASI). ASI is a military contractor engaged in the design and analysis of aircraft avionics systems and regularly handles classified information on behalf of the government and other government contractors. Kim is concerned about ensuring the security of information stored in ASI databases.

Kim’s database is a multilevel security database, and different ASI employees have different security clearances. The database contains information on the location of military aircraft containing ASI systems to allow ASI staff to monitor those systems.

What technique can Kim employ to prevent employees not cleared for the mission from learning the true location of the aircraft?

a. Input validation
b. Polyinstantiation
c. Parameterization
d. Server-side validation

A

B. Polyinstantiation allows the storage of multiple different pieces of information in a database at different classification levels to prevent attackers from conducting aggregation or inference attacks. Kim could store incorrect location information in the database at lower classification levels to prevent the aggregation attack in this scenario. Input validation, server-side validation, and parameterization are all techniques used to prevent web application attacks and are not effective against inference attacks.

240
Q

Questions 238–241 refer to the following scenario.

Kim is the database security administrator for Aircraft Systems, Inc. (ASI). ASI is a military contractor engaged in the design and analysis of aircraft avionics systems and regularly handles classified information on behalf of the government and other government contractors. Kim is concerned about ensuring the security of information stored in ASI databases.

Kim’s database is a multilevel security database, and different ASI employees have different security clearances. The database contains information on the location of military aircraft containing ASI systems to allow ASI staff to monitor those systems.

Kim’s database uniquely identifies aircraft by using their tail number. Which one of the following terms would not necessarily accurately describe the tail number?

a. Database field
b. Foreign key
c. Primary key
d. Candidate key

A

B. The tail number is a database field because it is stored in the database. It is also a primary key because the question states that the database uniquely identifies aircraft using this field. Any primary key is, by definition, also a candidate key. There is no information provided that the tail number is a foreign key used to reference a different database table.

241
Q

Questions 238–241 refer to the following scenario.

Kim is the database security administrator for Aircraft Systems, Inc. (ASI). ASI is a military contractor engaged in the design and analysis of aircraft avionics systems and regularly handles classified information on behalf of the government and other government contractors. Kim is concerned about ensuring the security of information stored in ASI databases.

Kim’s database is a multilevel security database, and different ASI employees have different security clearances. The database contains information on the location of military aircraft containing ASI systems to allow ASI staff to monitor those systems.

Kim would like to create a key that enforces referential integrity for the database. What type of key does she need to create?

a. Primary key
b. Foreign key
c. Candidate key
d. Master key

A

B. Foreign keys are used to create relationships between tables in a database. The database enforces referential integrity by ensuring that the foreign key used in a table has a corresponding record with that value as the primary key in the referenced table.

242
Q

Doug is choosing a software development life-cycle model for use in a project he is leading to develop a new business application. He has very clearly defined requirements and would like to choose an approach that places an early emphasis on developing comprehensive documentation. He does not have a need for the production of rapid prototypes or iterative improvement. Which model is most appropriate for this scenario?

a. Agile
b. Waterfall
c. Spiral
d. DevOps

A

B. The waterfall model uses an approach that develops software sequentially, spending quite a bit of time up front on the development and documentation of requirements and design. The spiral and agile models focus on iterative development and are appropriate when requirements are not well understood or iterative development is preferred. DevOps is an approach to integrating development and operations activities and is not an SDLC model.

243
Q

Which individual bears the ultimate responsibility for data protection tasks?

a. Data owner
b. Data custodian
c. User
d. Auditor

A

A. The data owner is a senior manager who bears ultimate responsibility for data protection tasks. The data owner typically delegates this responsibility to one or more data custodians.

244
Q

What should be true for salts used in password hashes?

a. A single salt should be set so passwords can be de-hashed as needed.
b. A single salt should be used so the original salt can be used to check passwords against their hash.
c. Unique salts should be stored for each user.
d. Unique salts should be created every time a user logs in.

A

C. A unique salt should be created for each user using a secure generation method and stored in that user’s record. Since attacks against hashes rely on building tables to compare the hashes against, unique salts for each user make building tables for an entire database essentially impossible—the work to recover a single user account may be feasible, but large scale recovery requires complete regeneration of the table each time. A single salt allows rainbow tables to be generated if the salt is stolen or can be guessed based on frequently used passwords. Creating a unique salt each time a user logs in does not allow a match against a known salted hashed password.

245
Q

What type of assessment methods are associated with mechanisms and activities based on the recommendations of NIST SP800-53A, the Guide for Assessing Security Controls in Federal Information Systems?

a. Examine and interview
b. Test and assess
c. Test and interview
d. Examine and test

A

D. NIST SP800-53A describes three assessment methods:

Examination, which is reviewing or analyzing assessment objects like specifications, mechanisms, or activities

Interviews, which are conducted with individuals or groups of individuals

Testing, which involves evaluating activities or mechanisms for expected behavior when used or exercised

Knowing the details of a given NIST document in depth can be challenging. To address a question like this, first eliminate responses that do not make sense; here, a mechanism cannot be interviewed, and test and assess both mean the same thing. This leaves only one correct answer.

246
Q

Which one of the following controls would be most effective in detecting zero-day attack attempts?

a. Signature-based intrusion detection
b. Anomaly-based intrusion detection
c. Strong patch management
d. Full-disk encryption

A

B. Anomaly-based intrusion detection systems may identify a zero-day attack because its activity deviates from normal patterns of behavior. Signature-based detection methods would not be effective because there are no signatures for zero-day vulnerabilities. Strong patch management would not be helpful because, by definition, zero-day vulnerabilities do not have patches available. Full-disk encryption would not detect an attack because it is not a detective control.

247
Q

The ability to store and generate passwords, provide logging and auditing capabilities, and allow password check-in and check-out are all features of what type of system?

a. AAA
b. Credential management
c. Two-factor authentication
d. Kerberos

A

B. Credential management systems provide features designed to make it possible to use and store credentials in a secure and controllable way. AAA systems are authorization, authentication, and accounting systems. Two-factor authentication and Kerberos are examples of protocols.

248
Q

Which one of the following components should be included in an organization’s emergency response guidelines?

a. Secondary response procedures for first responders
b. Long-term business continuity protocols
c. Activation procedures for the organization’s cold sites
d. Contact information for ordering equipment

A

A. The emergency response guidelines should include the immediate steps an organization should follow in response to an emergency situation. These include immediate response procedures, a list of individuals who should be notified of the emergency, and secondary response procedures for first responders. They do not include long-term actions such as activating business continuity protocols, ordering equipment, or activating disaster recovery sites.

249
Q

When Jim enters his organization’s data center, he has to use a smart card and code to enter, and is allowed through one set of doors. The first set of doors closes, and he must then use his card again to get through a second set, which locks behind him. What type of control is this, and what is it called?

a. A physical control; a one-way trapdoor
b. A logical control; dual-swipe authorization
c. A directive control; one-way access corridor
d. A preventive access control; a mantrap

A

D. A mantrap uses two sets of doors, only one of which can open at a time. A mantrap is a type of preventive access control, although its implementation is a physical control.

250
Q

What security control may be used to implement a concept known as two-person control?

a. Mandatory vacation
b. Separation of duties
c. Least privilege
d. Defense in depth

A

B. When following the separation-of-duties principle, organizations divide critical tasks into discrete components and ensure that no one individual has the ability to perform all of those components. This prevents a single rogue individual from performing the task in an unauthorized manner and is also known as two-person control.