Practice Test 2 Flashcards
James is building a disaster recovery plan for his organization and would like to determine the amount of acceptable data loss after an outage. What variable is James determining?
a. SLA
b. RTO
c. MTD
d. RPO
D. The recovery point objective (RPO) identifies the maximum amount of data, measured in time, that may be lost during a recovery effort. The recovery time objective (RTO) is the amount of time expected to return an IT service or component to operation after a failure. The maximum tolerable downtime (MTD) is the longest amount of time that an IT service or component may be unavailable without causing serious damage to the organization. Service-level agreements (SLAs) are written contracts that document service expectations.
Fred needs to deploy a network device that can connect his network to other networks while controlling traffic on his network. What type of device is Fred’s best choice?
a. A switch
b. A bridge
c. A gateway
d. A router
D. Fred should choose a router. Routers are designed to control traffic on a network while connecting to other similar networks. If the networks were very different, a bridge can help connect them. Gateways are used to connect to networks that use other protocols by transforming traffic to the appropriate protocol or format as it passes through them. Switches are often used to create broadcast domains and to connect endpoint systems or other devices.
Alex is preparing to solicit bids for a penetration test of his company’s network and systems. He wants to maximize the effectiveness of the testing rather than the realism of the test. What type of penetration test should he require in his bidding process?
a. Black box
b. Crystal box
c. Gray box
d. Zero box
B. Crystal box penetration testing, which is also sometimes called white box penetration testing, provides the tester with information about networks, systems, and configurations, allowing highly effective testing. It doesn’t simulate an actual attack like black and gray box testing can, and thus does not have the same realism, and it can lead to attacks succeeding that would fail in a zero- or limited-knowledge attack.
Application banner information is typically recorded during what penetration testing phase?
a. Planning
b. Attack
c. Reporting
d. Discovery
D. The discovery phase includes activities like gathering IP addresses, network ranges, and hostnames, as well as gathering information about employees, locations, systems, and of course, the services those systems provide. Banner information is typically gathered as part of discovery to provide information about what version and type of service is being provided.
What is the default subnet mask for a Class B network?
a. 255.0.0.0
b. 255.255.0.0
c. 255.254.0.0
d. 255.255.255.0
B. A class B network holds 2^16 systems, and its default network mask is 255.255.0.0.
Jim has been asked to individually identify devices that users are bringing to work as part of a new BYOD policy. The devices will not be joined to a central management system like Active Directory, but he still needs to uniquely identify the systems. Which of the following options will provide Jim with the best means of reliably identifying each unique device?
a. Record the MAC address of each system.
b. Require users to fill out a form to register each system.
c. Scan each system using a port scanner.
d. Use device fingerprinting via a web-based registration system.
D. Device fingerprinting via a web portal can require user authentication and can gather data like operating systems, versions, software information, and many other factors that can uniquely identify systems. Using an automated fingerprinting system is preferable to handling manual registration, and pairing user authentication with data gathering provides more detail than a port scan. MAC addresses can be spoofed, and systems may have more than one depending on how many network interfaces they have, which can make unique identification challenging.
David works in an organization that uses a formal data governance program. He is consulting with an employee working on a project that created an entirely new class of data and wants to work with the appropriate individual to assign a classification level to that information. Who is responsible for the assignment of information to a classification level?
a. Data creator
b. Data owner
c. CISO
d. Data custodian
B. The data owner is normally responsible for classifying information at an appropriate level. This role is typically filled by a senior manager or director, who then delegates operational responsibility to a data custodian.
What type of inbound packet is characteristic of a ping flood attack?
a. ICMP echo request
b. ICMP echo reply
c. ICMP destination unreachable
d. ICMP route changed
A. The ping flood attack sends echo requests at a targeted system. These pings use inbound ICMP echo request packets, causing the system to respond with an outbound ICMP echo reply.
Gabe is concerned about the security of passwords used as a cornerstone of his organization’s information security program. Which one of the following controls would provide the greatest improvement in Gabe’s ability to authenticate users?
a. More complex passwords
b. User education against social engineering
c. Multifactor authentication
d. Addition of security questions based on personal knowledge
C. While all of the listed controls would improve authentication security, most simply strengthen the use of knowledge-based authentication. The best way to improve the authentication process would be to add a factor not based on knowledge through the use of multifactor authentication. This may include the use of biometric controls or token-based authentication.
The separation of network infrastructure from the control layer, combined with the ability to centrally program a network design in a vendor-neutral, standards-based implementation, is an example of what important concept?
a. MPLS, a way to replace long network addresses with shorter labels and support a wide range of protocols
b. FCoE, a converged protocol that allows common applications over Ethernet
c. SDN, a converged protocol that allows network virtualization
d. CDN, a converged protocol that makes common network designs accessible
C. Software-defined networking (SDN) is a converged protocol that allows virtualization concepts and practices to be applied to networks. MPLS handles a wide range of protocols like ATM, DSL, and others, but isn’t intended to provide the centralization capabilities that SDN does. Content Distribution Network (CDN) is not a converged protocol, and FCoE is Fiber Channel over Ethernet, a converged protocol for storage.
Susan is preparing to decommission her organization’s archival DVD-ROMs that contain Top Secret data. How should she ensure that the data cannot be exposed?
a. Degauss
b. Zero wipe
c. Pulverize
d. Secure erase
C. The best way to ensure that data on DVDs is fully gone is to destroy them, and pulverizing DVDs is an appropriate means of destruction. DVDs are write-only media, meaning that secure erase and zero wipes won’t work. Degaussing only works on magnetic media and cannot guarantee that there will be zero data remnance.
What is the final stage of the Software Capability Maturity Model (SW-CMM)?
a. Repeatable
b. Defined
c. Managed
d. Optimizing
D. The five stages of the SW-CMM are, in order, Initial, Repeatable, Defined, Managed, and Optimizing. In the Optimizing stage, a process of continuous improvement occurs.
Angie is configuring egress monitoring on her network to provide added security. Which one of the following packet types should Angie allow to leave the network headed for the Internet?
a. Packets with a source address from Angie’s public IP address block
b. Packets with a destination address from Angie’s public IP address block
c. Packets with a source address outside of Angie’s address block
d. Packets with a source address from Angie’s private address block
A. All packets leaving Angie’s network should have a source address from her public IP address block. Packets with a destination address from Angie’s network should not be leaving the network. Packets with source addresses from other networks are likely spoofed and should be blocked by egress filters. Packets with private IP addresses as sources or destinations should never be routed onto the Internet.
Matt is conducting a penetration test against a Linux server and successfully gained access to an administrative account. He would now like to obtain the password hashes for use in a brute-force attack. Where is he likely to find the hashes, assuming the system is configured to modern security standards?
a. /etc/passwd
b. /etc/hash
c. /etc/secure
d. /etc/shadow
D. Security best practices dictate the use of shadowed password files that move the password hashes from the widely accessible /etc/passwdfile to the more restricted /etc/shadow file.
Theresa is implementing a new access control system and wants to ensure that developers do not have the ability to move code from development systems into the production environment. What information security principle is she most directly enforcing?
a. Separation of duties
b. Two-person control
c. Least privilege
d. Job rotation
A. While developers may feel like they have a business need to be able to move code into production, the principle of separation of duties dictates that they should not have the ability to both write code and place it on a production server. The deployment of code is often performed by change management staff.
Which one of the following tools may be used to achieve the goal of nonrepudiation?
a. Digital signature
b. Symmetric encryption
c. Firewall
d. IDS
A. Applying a digital signature to a message allows the sender to achieve the goal of nonrepudiation. This allows the recipient of a message to prove to a third party that the message came from the purported sender. Symmetric encryption does not support nonrepudiation. Firewalls and IDS are network security tools that are not used to provide nonrepudiation.
In the diagram of the TCP three-way handshake here, what should system A send to system B in step 3?
a. ACK
b. SYN
c. FIN
d. RST
A. System A should send an ACK to end the three-way handshake. The TCP three-way handshake is SYN, SYN/ACK, ACK.
What RADIUS alternative is commonly used for Cisco network gear and supports two-factor authentication?
a. RADIUS+
b. TACACS+
c. XTACACS
d. Kerberos
B. TACACS+ is the most modern version of TACACS, the Terminal Access Controller Access-Control System. It is a Cisco proprietary protocol with added features beyond what RADIUS provides, meaning it is commonly used on Cisco networks. XTACACS is an earlier version, Kerberos is a network authentication protocol rather than a remote user authentication protocol, and RADIUS+ is a made-up term.
What two types of attacks are VoIP call managers and VoIP phones most likely to be susceptible to?
a. DoS and malware
b. Worms and Trojans
c. DoS and host OS attacks
d. Host OS attacks and buffer overflows
C. Call managers and VoIP phones can be thought of as servers or appliances and embedded or network devices. That means that the most likely threats that they will face are denial-of-service (DoS) attacks and attacks against the host operating system. Malware and Trojans are less likely to be effective against a server or embedded system that doesn’t browse the Internet or exchange data files; buffer overflows are usually aimed at specific applications or services.
Vivian works for a chain of retail stores and would like to use a software product that restricts the software used on point-of-sale terminals to those packages on a preapproved list. What approach should Vivian use?
a. Antivirus
b. Heuristic
c. Whitelist
d. Blacklist
C. The blacklist approach to application control blocks certain prohibited packages but allows the installation of other software on systems. The whitelist approach uses the reverse philosophy and only allows approved software. Antivirus software would only detect the installation of malicious software after the fact. Heuristic detection is a variant of antivirus software.
Questions 21–23 refer to the following scenario.
Hunter is the facilities manager for DataTech, a large data center management firm. He is evaluating the installation of a flood prevention system at one of DataTech’s facilities. The facility and contents are valued at $100 million. Installing the new flood prevention system would cost $10 million.
Hunter consulted with flood experts and determined that the facility lies within a 200-year flood plain and that, if a flood occurred, it would likely cause $20 million in damage to the facility.
Based on the information in this scenario, what is the exposure factor for the effect of a flood on DataTech’s data center?
a. 2%
b. 20%
c. 100%
d. 200%
B. The exposure factor is the percentage of the facility that risk managers expect will be damaged if a risk materializes. It is calculated by dividing the amount of damage by the asset value. In this case, that is $20 million in damage divided by the $100 million facility value, or 20%.
Questions 21–23 refer to the following scenario.
Hunter is the facilities manager for DataTech, a large data center management firm. He is evaluating the installation of a flood prevention system at one of DataTech’s facilities. The facility and contents are valued at $100 million. Installing the new flood prevention system would cost $10 million.
Hunter consulted with flood experts and determined that the facility lies within a 200-year flood plain and that, if a flood occurred, it would likely cause $20 million in damage to the facility.
Based on the information in this scenario, what is the annualized rate of occurrence for a flood at DataTech’s data center?
a. 0.002
b. 0.005
c. 0.02
d. 0.05
B. The annualized rate of occurrence is the number of times each year that risk analysts expect a risk to happen in any given year. In this case, the analysts expect floods once every 200 years, or 0.005 times per year.
Questions 21–23 refer to the following scenario.
Hunter is the facilities manager for DataTech, a large data center management firm. He is evaluating the installation of a flood prevention system at one of DataTech’s facilities. The facility and contents are valued at $100 million. Installing the new flood prevention system would cost $10 million.
Hunter consulted with flood experts and determined that the facility lies within a 200-year flood plain and that, if a flood occurred, it would likely cause $20 million in damage to the facility.
Based on the information in this scenario, what is the annualized loss expectancy for a flood at DataTech’s data center?
a. $40,000
b. $100,000
c. $400,000
d. $1,000,000
B. The annualized loss expectancy is calculated by multiplying the single loss expectancy (SLE) by the annualized rate of occurrence (ARO). In this case, the SLE is $20 million and the ARO is 0.005. Multiplying these numbers together gives you the ALE of $100,000.
Which accounts are typically assessed during an account management assessment?
a. A random sample
b. Highly privileged accounts
c. Recently generated accounts
d. Accounts that have existed for long periods of time
B. The most frequent target of account management reviews are highly privileged accounts, as they create the greatest risk. Random samples are the second most likely choice. Accounts that have existed for a longer period of time are more likely to have a problem due to privilege creep than recently created accounts, but neither of these choices is likely unless there is a specific organizational reason to choose them.
In the shared responsibility model, under which tier of cloud computing does the customer take responsibility for securing server operating systems?
a. IaaS
b. PaaS
c. SaaS
d. TaaS
A. In an Infrastructure as a Service (IaaS) cloud computing model, the customer retains responsibility for managing operating system security while the vendor manages security at the hypervisor level and below.
What type of error occurs when a valid subject using a biometric authenticator is not authenticated?
a. A Type 1 error
b. A Type 2 error
c. A Type 3 error
d. A Type 4 error
A. Type 1 errors occur when a valid subject is not authenticated. Type 2 errors occur when an invalid subject is incorrectly authenticated. Type 3 and Type 4 errors are not associated with biometric authentication.
Jackie is creating a database that contains the Customers table, shown here. She is designing a new table to contain Orders and plans to use the Company ID in that table to uniquely identify the customer associated with each order. What role does the Company ID field play in the Orders table?
a. Primary key
b. Foreign key
c. Candidate key
d. Referential key
B. The Company ID is a field used to identify the corresponding record in another table. This makes it a foreign key. Each customer may place more than one order, making Company ID unsuitable for use as a primary or candidate key in this table. Referential keys are not a type of database key.
What three types of interfaces are typically tested during software testing?
a. Network, physical, and application interfaces
b. APIs, UIs, and physical interfaces
c. Network interfaces, APIs, and UIs
d. Application, programmatic, and user interfaces
B. Application programming interfaces (APIs), user interfaces (UIs), and physical interfaces are all tested during the software testing process. Network interfaces are not typically tested, and programmatic interfaces is another term for APIs.
George is assisting a prosecutor with a case against a hacker who attempted to break into George’s company’s computer systems. He provides system logs to the prosecutor for use as evidence but the prosecutor insists that George testify in court about how he gathered the logs. What rule of evidence requires George’s testimony?
a. Testimonial evidence rule
b. Parol evidence rule
c. Best evidence rule
d. Hearsay rule
D. The hearsay rule says that a witness cannot testify about what someone else told them, except under very specific exceptions. The courts have applied the hearsay rule to include the concept that attorneys may not introduce logs into evidence unless they are authenticated by the system administrator. The best evidence rule states that copies of documents may not be submitted into evidence if the originals are available. The parol evidence rule states that if two parties enter into a written agreement, that written document is assumed to contain all of the terms of the agreement. Testimonial evidence is a type of evidence, not a rule of evidence.
Which of the following is not a valid use for key risk indicators?
a. Provide warnings before issues occur.
b. Provide real-time incident response information.
c. Provide historical views of past risks.
d. Provide insight into risk tolerance for the organization.
B. While key risk indicators can provide useful information for organizational planning and a deeper understanding of how organizations view risk, KRIs are not a great way to handle a real-time security response. Monitoring and detection systems like IPS, SIEM, and other tools are better suited to handling actual attacks.
Which one of the following malware types uses built-in propagation mechanisms that exploit system vulnerabilities to spread?
a. Trojan horse
b. Worm
c. Logic bomb
d. Virus
B. Worms have built-in propagation mechanisms that do not require user interaction, such as scanning for systems containing known vulnerabilities and then exploiting those vulnerabilities to gain access. Viruses and Trojan horses typically require user interaction to spread. Logic bombs do not spread from system to system but lie in wait until certain conditions are met, triggering the delivery of their payload.
Don’s company is considering the use of an object-based storage system where data is placed in a vendor-managed storage environment through the use of API calls. What type of cloud computing service is in use?
a. IaaS
b. PaaS
c. CaaS
d. SaaS
A. In this scenario, the vendor is providing object-based storage, a core infrastructure service. Therefore, this is an example of Infrastructure as a Service (IaaS).
In what model of cloud computing do two or more organizations collaborate to build a shared cloud computing environment that is for their own use?
a. Public cloud
b. Private cloud
c. Community cloud
d. Shared cloud
C. In the community cloud computing model, two or more organizations pool their resources to create a cloud environment that they then share.
Which one of the following is not a principle of the Agile approach to software development?
a. The most efficient method of conveying information is electronic.
b. Working software is the primary measure of progress.
c. Simplicity is essential.
d. Business people and developers must work together daily.
A. The Agile approach to software development states that working software is the primary measure of progress, that simplicity is essential, and that business people and developers must work together daily. It also states that the most efficient method of conveying information is face-to-face, not electronic.
Harry is concerned that accountants within his organization will use data diddling attacks to cover up fraudulent activity in accounts that they normally access. Which one of the following controls would best defend against this type of attack?
a. Encryption
b. Access controls
c. Integrity verification
d. Firewalls
C. Encryption, access controls, and firewalls would not be effective in this example because the accountants have legitimate access to the data. Integrity verification software would protect against this attack by identifying unexpected changes in protected data.
What class of fire extinguisher is capable of fighting electrical fires?
a. Class A
b. Class B
c. Class C
d. Class D
C. Class C fire extinguishers use carbon dioxide or halon suppressants and are useful against electrical fires. Water-based extinguishers should never be used against electrical fires due to the risk of electrocution.
What important factor differentiates Frame Relay from X.25?
a. Frame Relay supports multiple PVCs over a single WAN carrier connection.
b. Frame Relay is a cell switching technology instead of a packet switching technology like X.25.
c. Frame Relay does not provide a Committed Information Rate (CIR).
d. Frame Relay only requires a DTE on the provider side.
A. Frame Relay supports multiple private virtual circuits (PVCs), unlike X.25. It is a packet switching technology that provides a Committed Information Rate, which is a minimum bandwidth guarantee provided by the service provider to customers. Finally, Frame Relay requires a DTE/DCE at each connection point, with the DTE providing access to the Frame Relay network, and a provider supplied DCE which transmits the data over the network.
Using the following table, and your knowledge of the auditing process, answer questions 38–40.
As they prepare to migrate their data center to an Infrastructure as a Service (IaaS) provider, Susan’s company wants to understand the effectiveness of their new provider’s security, integrity, and availability controls. What SOC report would provide them with the most detail?
a. SOC 1
b. SOC 2
c. SOC 3
d. None of the SOC reports are suited to this, and they should request another form of report.
B. SOC 2 reports are released under NDA to select partners or customers, and can provide detail on the controls and any issues they may have. A SOC 1 report would only provide financial control information, and a SOC 3 report provides less information since it is publicly available.
Using the following table, and your knowledge of the auditing process, answer questions 38–40.
Susan wants to ensure that the audit report that her organization requested includes input from an external auditor. What type of report should she request?
a. SOC 2, Type 1
b. SOC 3, Type 1
c. SOC 2, Type 2
d. SOC 3, Type 2
C. A SOC 2, Type 2 report includes information about a data center’s security, availability, processing integrity, confidentiality, and privacy, and includes an auditor’s opinion on the operational effectiveness of the controls. SOC 3 does not have types, and an SOC 2 Type 1 only requires the organization’s own attestation.
Using the following table, and your knowledge of the auditing process, answer questions 38–40.
When Susan requests a SOC2 report, they receive a SAS70 report. What issue should Susan raise?
a. SAS 70 does not include Type 2 reports, so control evaluation is only point in time.
b. SAS 70 has been replaced.
c. SAS 70 is a financial reporting standard and does not cover data centers.
d. SAS 70 only uses a 3-month period for testing.
B. SAS 70 was superseded in 2010 by the SSAE 16 standard with three SOC levels for reporting. SAS 70 included Type 2 reports, covered data centers, and used 6-month testing periods for Type 2 reports.
What two logical network topologies can be physically implemented as a star topology?
a. A bus and a mesh
b. A ring and a mesh
c. A bus and a ring
d. It is not possible to implement other topologies as a star.
C. Both a logical bus and a logical ring can be implemented as a physical star. Ethernet is commonly deployed as a physical star but placing a switch as the center of a star, but Ethernet still operates as a bus. Similarly, Token Ring deployments using multistation access unit (MAU) were deployed as physical stars, but operated as rings.
Bell-LaPadula is an example of what type of access control model?
a. DAC
b. RBAC
c. MAC
d. ABAC
C. Bell-LaPadula uses security labels on objects and clearances for subjects, and is therefore a MAC model. It does not use discretionary, rule-based, role-based, or attribute-based access control.
Martha is the information security officer for a small college and is responsible for safeguarding the privacy of student records. What law most directly applies to her situation?
a. HIPAA
b. HITECH
c. COPPA
d. FERPA
D. The Family Educational Rights and Privacy Act (FERPA) protects the privacy of students in any educational institution that accepts any form of federal funding.
What U.S. law mandates the protection of Protected Health Information?
a. FERPA
b. SAFE Act
c. GLBA
d. HIPAA
D. The Health Insurance Portability and Accountability Act (HIPAA) mandates the protection of Protected Health Information (PHI). The SAFE Act deals with mortgages, the Graham Leach Bliley Act (GLBA) covers financial institutions, and FERPA deals with student data.
What type of Windows audit record describes events like an OS shutdown or a service being stopped?
a. An application log
b. A security log
c. A system log
d. A setup log
C. Windows system logs include reboots, shutdowns, and service state changes. Application logs record events generated by programs, security logs track events like logins and uses of rights, and setup logs track application setup.
Susan is configuring her network devices to use syslog. What should she set to ensure that she is notified about issues but does not receive normal operational issue messages?
a. The facility code
b. The log priority
c. The security level
d. The severity level
D. Implementations of syslog vary, but most provide a setting for severity level, allowing configuration of a value that determines what messages are sent. Typical severity levels include debug, informational, notice, warning, error, critical, alert, and emergency. The facility code is also supported by syslog, but is associated with which services are being logged. Security level and log priority are not typical syslog settings.
What RAID level is also known as disk mirroring?
a. RAID 0
b. RAID 1
c. RAID 3
d. RAID 5
B. In RAID 1, also known as disk mirroring, systems contain two physical disks. Each disk contains copies of the same data, and either one may be used in the event the other disk fails.
What type of firewall uses multiple proxy servers that filter traffic based on analysis of the protocols used for each service?
a. A static packet filtering firewall
b. An application-level gateway firewall
c. A circuit-level gateway firewall
d. A stateful inspection firewall
B. An application-level gateway firewall uses proxies for each service it filters. Each proxy is designed to analyze traffic for its specific traffic type, allowing it to better understand valid traffic and to prevent attacks. Static packet filters and circuit-level gateways simply look at the source, destination, and ports in use, whereas a stateful packet inspection firewall can track the status of communication and allow or deny traffic based on that understanding.
Surveys, interviews, and audits are all examples of ways to measure what important part of an organization’s security posture?
a. Code quality
b. Service vulnerabilities
c. Awareness
d. Attack surface
C. Interviews, surveys, and audits are all useful for assessing awareness. Code quality is best judged by code review, service vulnerabilities are tested using vulnerability scanners and related tools, and the attack surface of an organization requires both technical and administrative review.
Tom is the general counsel for an Internet service provider and he recently received notice of a lawsuit against the firm because of copyrighted content illegally transmitted over the provider’s circuits by a customer. What law protects Tom’s company in this case?
a. Computer Fraud and Abuse Act
b. Digital Millennium Copyright Act
c. Wiretap Act
d. Copyright Code
B. The Digital Millennium Copyright Act extends common carrier protection to Internet service providers who are not liable for the “transitory activities” of their customers.
A Type 2 authentication factor that generates dynamic passwords based on a time- or algorithm-based system is what type of authenticator?
a. A PIV
b. A smart card
c. A token
d. A CAC
C. Tokens are hardware devices (something you have) that generate a one-time password based on time or an algorithm. They are typically combined with another factor like a password to authenticate users. CAC and PIV cards are US government–issued smart cards.
Fred’s new employer has hired him for a position with access to their trade secrets and confidential internal data. What legal tool should they use to help protect their data if he chooses to leave to work at a competitor?
a. A stop-loss order
b. An NDA
c. An AUP
d. Encryption
B. A non-disclosure agreement (NDA) is a legal agreement between two parties that specifies what data they will not disclose. NDAs are common in industries that have sensitive or trade secret information they do not want employees to take to new jobs. Encryption would only help in transit or at rest, and Fred will likely have access to the data in unencrypted form as part of his job. An AUP is an acceptable use policy, and a stop-loss order is used on the stock market.
Which one of the following computing models allows the execution of multiple processes on a single processor by having the operating system switch between them without requiring modification to the applications?
a. Multitasking
b. Multiprocessing
c. Multiprogramming
d. Multithreading
A. Multitasking handles multiple processes on a single processor by switching between them using the operating system. Multiprocessing uses multiple processors to perform multiple processes simultaneously. Multiprogramming requires modifications to the underlying applications. Multithreading runs multiple threads within a single process.
How many possible keys exist when using a cryptographic algorithm that has an 8-bit binary encryption key?
a. 16
b. 128
c. 256
d. 512
C. Binary keyspaces contain a number of keys equal to 2 raised to the power of the number of bits. Two to the eighth power is 256, so an 8-bit keyspace contains 256 possible keys.
What activity is being performed when you apply security controls based on the specific needs of the IT system that they will be applied to?
a. Standardizing
b. Baselining
c. Scoping
d. Tailoring
C. Scoping is the process of reviewing and selecting security controls based on the system that they will be applied to. Tailoring is the process of matching a list of security controls to the mission of an organization. Baselines are used as a base set of security controls, often from a third-party organization that creates them. Standardization isn’t a relevant term here.
During what phase of the electronic discovery process does an organization perform a rough cut of the information gathered to discard irrelevant information?
a. Preservation
b. Identification
c. Collection
d. Processing
D. During the preservation phase, the organization ensures that information related to the matter at hand is protected against intentional or unintentional alteration or deletion. The identification phase locates relevant information but does not preserve it. The collection phase occurs after preservation and gathers responsive information. The processing phase performs a rough cut of the collected information for relevance.
Ben’s job is to ensure that data is labeled with the appropriate sensitivity label. Since Ben works for the US government, he has to apply the labels Unclassified, Confidential, Secret, and Top Secret to systems and media. If Ben is asked to label a system that handles Secret, Confidential, and Unclassified information, how should he label it?
a. Mixed classification
b. Confidential
c. Top Secret
d. Secret
D. Systems and media should be labeled with the highest level of sensitivity that they store or handle. In this case, based on the US government classification scheme, the highest classification level in use on the system is Secret. Mixed classification provides no useful information about the level, whereas Top Secret and Confidential are too high and too low, respectively.
Susan has discovered that the smart card-based locks used to keep the facility she works at secure are not effective because staff members are propping the doors open. She places signs on the doors reminding staff that leaving the door open creates a security issue, and adds alarms that will sound if the doors are left open for more than five minutes. What type of controls has she put into place?
a. Physical
b. Administrative
c. Compensation
d. Recovery
C. She has placed compensation controls in place. Compensation controls are used when controls like the locks in this example are not sufficient. While the alarm is a physical control, the signs she posted are not. Similarly, the alarms are not administrative controls. None of these controls help to recover from an issue and are thus not recovery controls.
Ben is concerned about password cracking attacks against his system. He would like to implement controls that prevent an attacker who has obtained those hashes from easily cracking them. What two controls would best meet this objective?
a. Longer passwords and salting
b. Over-the-wire encryption and use of SHA1 instead of MD5
c. Salting and use of MD5
d. Using shadow passwords and salting
A. Rainbow tables rely on being able to use databases of precomputed hashes to quickly search for matches to known hashes acquired by an attacker. Making passwords longer can greatly increase the size of the rainbow table required to find the matching hash, and adding a salt to the password will make it nearly impossible for the attacker to generate a table that will match unless they can acquire the salt value. MD5 and SHA1 are both poor choices for password hashing compared to modern password hashes, which are designed to make hashing easy and recovery difficult. Rainbow tables are often used against lists of hashes acquired by attacks rather than over-the-wire attacks, so over-the-wire encryption is not particularly useful here. Shadow passwords simply make the traditionally world-readable list of password hashes on Unix and Linux systems available in a location readable only by root. This doesn’t prevent a rainbow table attack once the hashes are obtained.
Which group is best suited to evaluate and report on the effectiveness of administrative controls an organization has put in place to a third party?
a. Internal auditors
b. Penetration testers
c. External auditors
d. Employees who design, implement, and monitor the controls
C. External auditors can provide an unbiased and impartial view of an organization’s controls to third parties. Internal auditors are useful when reporting to senior management of the organization but are typically not asked to report to third parties. Penetration tests test technical controls but are not as well suited to testing many administrative controls. The employees who build and maintain controls are more likely to bring a bias to the testing of those controls and should not be asked to report on them to third parties.
Renee is using encryption to safeguard sensitive business secrets when in transit over the Internet. What risk metric is she attempting to lower?
a. Likelihood
b. RTO
c. MTO
d. Impact
A. Using encryption reduces risk by lowering the likelihood that an eavesdropper will be able to gain access to sensitive information.
As part of hiring a new employee, Kathleen’s identity management team creates a new user object and ensures that the user object is available in the directories and systems where it is needed. What is this process called?
a. Registration
b. Provisioning
c. Population
d. Authenticator loading
B. Provisioning includes the creation, maintenance, and removal of user objects from applications, systems, and directories. Registration occurs when users are enrolled in a biometric system; population and authenticator loading are not common industry terms.
Ricky would like to access a remote file server through a VPN connection. He begins this process by connecting to the VPN and attempting to log in. Applying the subject/object model to this request, what is the subject of Ricky’s login attempt?
a. Ricky
b. VPN
c. Remote file server
d. Files contained on the remote server
A. In the subject/object model of access control, the user or process making the request for a resource is the subject of that request. In this example, Ricky is requesting access to the VPN (the object of the request) and is, therefore, the subject.
Alice is designing a cryptosystem for use by six users and would like to use a symmetric encryption algorithm. She wants any two users to be able to communicate with each other without worrying about eavesdropping by a third user. How many symmetric encryption keys will she need to generate?
a. 6
b. 12
c. 15
d. 30
C. The formula for determining the number of encryption keys required by a symmetric algorithm is ((n*(n-1))/2). With six users, you will need ((6*5)/2), or 15 keys.
Which one of the following intellectual property protection mechanisms has the shortest duration?
a. Copyright
b. Patent
c. Trademark
d. Trade secret
B. Patents have the shortest duration of the techniques listed: 20 years. Copyrights last for 70 years beyond the death of the author. Trademarks are renewable indefinitely and trade secrets are protected as long as they remain secret.
Gordon is developing a business continuity plan for a manufacturing company’s IT operations. The company is located in North Dakota and they are currently evaluating the risk of earthquake. They choose to pursue a risk acceptance strategy. Which one of the following actions is consistent with that strategy?
a. Purchasing earthquake insurance
b. Relocating the data center to a safer area
c. Documenting the decision-making process
d. Reengineering the facility to withstand the shock of an earthquake
C. In a risk acceptance strategy, the organization chooses to take no action other than documenting the risk. Purchasing insurance would be an example of risk transference. Relocating the data center would be risk avoidance. Reengineering the facility is an example of a risk mitigation strategy.
Carol would like to implement a control that protects her organization from the momentary loss of power to the data center. Which control is most appropriate for her needs?
a. Redundant servers
b. RAID
c. UPS
d. Generator
C. Uninterruptible power supplies (UPSs) provide immediate, battery-driven power for a short period of time to cover momentary losses of power. Generators are capable of providing backup power for a sustained period of time in the event of a power loss, but they take time to activate. RAID and redundant servers are high-availability controls but do not cover power loss scenarios.
Ben has encountered problems with users in his organization reusing passwords, despite a requirement that they change passwords every 30 days. What type of password setting should Ben employ to help prevent this issue?
a. Longer minimum age
b. Increased password complexity
c. Implement password history
d. Implement password length requirements
C. Password histories retain a list of previous passwords (or, preferably, a list of salted hashed for previous passwords) to ensure that users don’t reuse their previous passwords. Longer minimum age can help prevent users from changing their passwords, then changing them back, but won’t prevent a determined user from eventually getting their old password back. Length requirements and complexity requirements tend to drive users to reuse passwords if they’re not paired with tools like single-sign on, password storage systems, or other tools that decrease the difficulty of password management.
Chris is conducting a risk assessment for his organization and determined the amount of damage that a single flood could be expected to cause to his facilities. What metric has Gordon identified?
a. ALE
b. SLE
c. ARO
d. AV
B. The Single Loss Expectancy (SLE) is the amount of damage that a risk is expected to cause each time that it occurs.
The removal of a hard drive from a PC before it is retired and sold as surplus is an example of what type of action?
a. Purging
b. Sanitization
c. Degaussing
d. Destruction
B. Sanitization includes steps like removing the hard drive and other local storage from PCs before they are sold as surplus. Degaussing uses magnetic fields to wipe media; purging is an intense form of clearing used to ensure that data is removed and unrecoverable from media; and removing does not necessarily imply destruction of the drive.
During which phase of the incident response process would an organization determine whether it is required to notify law enforcement officials or other regulators of the incident?
a. Detection
b. Recovery
c. Remediation
d. Reporting
D. During the Reporting phase, incident responders assess their obligations under laws and regulations to report the incident to government agencies and other regulators.
What OASIS standard markup language is used to generate provisioning requests both within organizations and with third parties?
a. SAML
b. SPML
c. XACML
d. SOA
B. Service Provisioning Markup Language (SPML) is an OASIS developed markup language designed to provide service, user, and resource provisioning between organizations. Security Assertion Markup Language (SAML) is used to exchange user authentication and authorization data. Extensible Access Control Markup Language (XACML) is used to describe access controls. Service-oriented architecture (SOA) is not a markup language.
Which of the following storage mechanisms is not considered secondary storage?
a. Magnetic hard disk
b. Solid state drive
c. DVD
d. RAM
D. RAM is a type of primary storage. Secondary storage includes hard drives, solid state disks, and optical drives.
Susan’s SMTP server does not authenticate senders before accepting and relaying email. What is this security configuration issue known as?
a. An email gateway
b. An SMTP relay
c. An X.400-compliant gateway
d. An open relay
D. SMTP servers that don’t authenticate users before relaying their messages are known as open relays. Open relays that are Internet exposed are typically quickly exploited to send email for spammers.
The large business that Jack works for has been using noncentralized logging for years. They have recently started to implement centralized logging, however, and as they reviewed logs they discovered a breach that appeared to have involved a malicious insider. Use this scenario to answer questions 75 through 77 about logging environments.
When the breach was discovered and the logs were reviewed, it was discovered that the attacker had purged the logs on the system that they compromised. How can this be prevented in the future?
a. Encrypt local logs
b. Require administrative access to change logs
c. Enable log rotation
d. Send logs to a bastion host
D. Sending logs to a secure log server, sometimes called a bastion host, is the most effective way to ensure that logs survive a breach. Encrypting local logs won’t stop an attacker from deleting them, and requiring administrative access won’t stop attackers who have breached a machine and acquired escalated privileges. Log rotation archives logs based on time or file size, and can also purge logs after a threshold is hit. Rotation won’t prevent an attacker from purging logs.
The large business that Jack works for has been using noncentralized logging for years. They have recently started to implement centralized logging, however, and as they reviewed logs they discovered a breach that appeared to have involved a malicious insider. Use this scenario to answer questions 75 through 77 about logging environments.
How can Jack detect issues like this using his organization’s new centralized logging?
a. Deploy and use an IDS
b. Send logs to a central logging server
c. Deploy and use a SIEM
d. Use syslog
C. A Security Information and Event Management tool (SIEM) is designed to provide automated analysis and monitoring of logs and security events. A SIEM that receives access to logs can help detect and alert on events like logs being purged or other breach indicators. An IDS can help detect intrusions, but IDSs are not typically designed to handle central logs. A central logging server can receive and store logs, but won’t help with analysis without taking additional actions. Syslog is simply a log format.
The large business that Jack works for has been using noncentralized logging for years. They have recently started to implement centralized logging, however, and as they reviewed logs they discovered a breach that appeared to have involved a malicious insider. Use this scenario to answer questions 75 through 77 about logging environments.
How can Jack best ensure accountability for actions taken on systems in his environment?
a. Log review and require digital signatures for each log.
b. Require authentication for all actions taken and capture logs centrally.
c. Log the use of administrative credentials and encrypt log data in transit.
d. Require authorization and capture logs centrally.
B. Requiring authentication can help provide accountability by ensuring that any action taken can be tracked back to a specific user. Storing logs centrally ensures that users can’t erase the evidence of actions that they have taken. Log review can be useful when identifying issues, but digital signatures are not a typical part of a logging environment. Logging the use of administrative credentials helps for those users but won’t cover all users, and encrypting the logs doesn’t help with accountability. Authorization helps, but being able to specifically identify users through authentication is more important.
Ed’s organization has 5 IP addresses allocated to them by their ISP, but needs to connect over 100 computers and network devices to the Internet. What technology can he use to connect his entire network via the limited set of IP addresses he can use?
a. IPSec
b. PAT
c. SDN
d. IPX
B. Port Address Translation (PAT) is used to allow a network to use any IP address set inside without causing a conflict with the public Internet. PAT is often confused with Network Address Translation (NAT), which maps one internal address to one external address. IPSec is a security protocol suite, Software Defined Networking (SDN) is a method of defining networks programmatically, and IPX is a non-IP network protocol.
What type of attack would the following precautions help prevent?
Requesting proof of identity
Requiring callback authorizations on voice-only requests
Not changing passwords via voice communications
a. DoS attacks
b. Worms
c. Social engineering
d. Shoulder surfing
C. Each of the precautions listed helps to prevent social engineering by helping prevent exploitation of trust. Avoiding voice-only communications is particularly important, since establishing identity over the phone is difficult. The other listed attacks would not be prevented by these techniques.
Fred’s organization needs to use a non-IP protocol on their VPN. Which of the common VPN protocols should he select to natively handle non-IP protocols?
a. PPTP
b. L2F
c. L2TP
d. IPSec
C. L2TP is the only one of the four common VPN protocols that can natively support non-IP protocols. PPTP, L2F, and IPSec are all IP-only protocols.
Residual data is another term for what type of data left after attempts have been made to erase it?
a. Leftover data
b. MBR
c. Bitrot
d. Remnant data
D. Remnant data is data that is left after attempts have been made to remove or erase it. Bitrot is a term used to describe aging media that decays over time. MBR is the master boot record, a boot sector found on hard drives and other media. Leftover data is not an industry term.
Which one of the following disaster recovery test types involves the actual activation of the disaster recovery facility?
a. Simulation test
b. Tabletop exercise
c. Parallel test
d. Checklist review
C. During a parallel test, the team activates the disaster recovery site for testing but the primary site remains operational. A simulation test involves a roleplay of a prepared scenario overseen by a moderator. Responses are assessed to help improve the organization’s response process. The checklist review is the least disruptive type of disaster recovery test. During a checklist review, team members each review the contents of their disaster recovery checklists on their own and suggest any necessary changes. During a tabletop exercise, team members come together and walk through a scenario without making any changes to information systems.
What access control system lets owners decide who has access to the objects they own?
a. Role-based access control
b. Task-based access control
c. Discretionary access control
d. Rule-based access control
C. Discretionary access control gives owners the right to decide who has access to the objects they own. Role-based access control uses administrators to make that decision for roles or groups of people with a role, task-based access control uses lists of tasks for each user, and rule-based access control applies a set of rules to all subjects.
Using a trusted channel and link encryption are both ways to prevent what type of access control attack?
a. Brute force
b. Spoofed login screens
c. Man-in-the-middle attacks
d. Dictionary attacks
C. Trusted paths that secure network traffic from capture and link encryption are both ways to help prevent man-in-the-middle attacks. Brute-force and dictionary attacks can both be prevented using back-off algorithms that slow down repeated attacks. Log analysis tools can also create dynamic firewall rules, or an IPS can block attacks like these in real time. Spoofed login screens can be difficult to prevent, although user awareness training can help.
Which one of the following is not one of the canons of the (ISC)2 Code of Ethics?
a. Protect society, the common good, necessary public trust and confidence, and the infrastructure.
b. Act honorably, honestly, justly, responsibly, and legally.
c. Provide diligent and competent service to principals.
d. Maintain competent records of all investigations and assessments.
D. The four canons of the (ISC)2 code of ethics are to protect society, the common good, necessary public trust and confidence, and the infrastructure; act honorably, honestly, justly, responsibly, and legally; provide diligent and competent service to principals; and advance and protect the profession.
Which one of the following components should be included in an organization’s emergency response guidelines?
a. Immediate response procedures
b. Long-term business continuity protocols
c. Activation procedures for the organization’s cold sites
d. Contact information for ordering equipment
A. The emergency response guidelines should include the immediate steps an organization should follow in response to an emergency situation. These include immediate response procedures, a list of individuals who should be notified of the emergency, and secondary response procedures for first responders. They do not include long-term actions such as activating business continuity protocols, ordering equipment, or activating DR sites.
Ben is working on integrating a federated identity management system and needs to exchange authentication and authorization information for browser-based single sign-on. What technology is his best option?
a. HTML
b. XACML
c. SAML
d. SPML
C. Security Assertion Markup Language (SAML) is the best choice for providing authentication and authorization information, particularly for browser-based SSO. HTML is primarily used for web pages, SPML is used to exchange user information for SSO, and XACML is used for access control policy markup.
What is the minimum interval at which an organization should conduct business continuity plan refresher training for those with specific business continuity roles?
a. Weekly
b. Monthly
c. Semi-annually
d. Annually
D. Individuals with specific business continuity roles should receive training on at least an annual basis.
What is the minimum number of cryptographic keys necessary to achieve strong security when using the 3DES algorithm?
a. 1
b. 2
c. 3
d. 4
B. Triple DES functions by using either two or three encryption keys. When used with only one key, 3DES produces weakly encrypted ciphertext that is the insecure equivalent of DES.
What type of address is 10.11.45.170?
a. A public IP address
b. An RFC 1918 address
c. An APIPA address
d. A loopback address
B. RFC 1918 addresses are in the range 10.0.0.0–10.255.255.255, 172.16.0.0–172.31.255.255, and 192.168.0.0–192.168.255.255. APIPA addresses are assigned between 169.254.0.01 and 169.254.255.254, and 127.0.0.1 is a loopback address (although technically the entire 127.x.x.x network is reserved for loopback). Public IP addresses are the rest of the addresses in the space.
Lauren wants to monitor her LDAP servers to identify what types of queries are causing problems. What type of monitoring should she use if she wants to be able to use the production servers and actual traffic for her testing?
a. Active
b. Real-time
c. Passive
d. Replay
C. Since Lauren wants to monitor her production server she should use passive monitoring by employing a network tap, span port, or other means of copying actual traffic to a monitoring system that can identify performance and other problems. This will avoid introducing potentially problematic traffic on purpose while capturing actual traffic problems. Active monitoring relies on synthetic or previously recorded traffic, and both replay and real time are not common industry terms used to describe types of monitoring.
Steve is developing an input validation routine that will protect the database supporting a web application from SQL injection attack. Where should Steve place the input validation code?
a. JavaScript embedded in the web pages
b. Backend code on the web server
c. Stored procedure on the database
d .Code on the user’s web browser
B. For web applications, input validation should always be performed on the web application server. By the time the input reaches the database, it is already part of a SQL command that is properly formatted and input validation would be far more difficult, if it is even possible. Input validation controls should never reside in the client’s browser, as is the case with JavaScript, because the user may remove or tamper with the validation code.
Ben is selecting an encryption algorithm for use in an organization with 10,000 employees. He must facilitate communication between any two employees within the organization. Which one of the following algorithms would allow him to meet this goal with the least time dedicated to key management?
a. RSA
b. IDEA
c. 3DES
d. Skipjack
A. RSA is an asymmetric encryption algorithm that requires only two keys for each user. IDEA, 3DES, and Skipjack are all symmetric encryption algorithms and would require a key for every unique pair of users in the system.
Grace is considering the use of new identification cards in her organization that will be used for physical access control. She comes across the sample card shown here and is unsure of the technology it uses. What type of card is this?
a. Smart card
b. Phase-two card
c. Proximity card
d. Magnetic stripe card
D. The image clearly shows a black magnetic stripe running across the card, making this an example of a magnetic stripe card.
What type of log file is shown in this figure?
a. Application
b. Web server
c. System
d. Firewall
D. The log entries contained in this example show the allow/deny status for inbound and outbound TCP and UDP sessions. This is, therefore, an example of a firewall log.
Which one of the following activities transforms a zero-day vulnerability into a less dangerous attack vector?
a. Discovery of the vulnerability
b. Implementation of transport-layer encryption
c. Reconfiguration of a firewall
d. Release of a security patch
D. Zero-day vulnerabilities remain in the dangerous zero-day category until the release of a patch that corrects the vulnerability. At that time, it becomes the responsibility of IT professionals to protect their systems by applying the patch. Implementation of other security controls, such as encryption or firewalls, does not change the nature of the zero-day vulnerability.
Which one of the following is an example of a hardening provision that might strengthen an organization’s existing physical facilities and avoid implementation of a business continuity plan?
a. Patching a leaky roof
b. Reviewing and updating firewall access control lists
c. Upgrading operating systems
d. Deploying a network intrusion detection system
A. All of the techniques listed are hardening methods, but only patching the leaky roof is an example of physical infrastructure hardening.
Susan wants to monitor traffic between systems in a VMWare environment. What solution would be her best option to monitor that traffic?
a. Use a traditional hardware-based IPS.
b. Install Wireshark on each virtual system.
c. Set up a virtual span port and capture data using a VM IDS.
d. Use netcat to capture all traffic sent between VMs.
C. Using a virtual machine to monitor a virtual span port allows the same type of visibility that it would in a physical network if implemented properly. Installing Wireshark would allow monitoring on each system but doesn’t scale well. A physical appliance would require all traffic to be sent out of the VM environment, losing many of the benefits of the design. Finally, netcat is a network tool used to send or receive data, but it isn’t a tool that allows packet capture of traffic between systems.
Questions 99–102 refer to the following scenario.
Matthew and Richard are friends located in different physical locations who would like to begin communicating with each other using cryptography to protect the confidentiality of their communications. They exchange digital certificates to begin this process and plan to use an asymmetric encryption algorithm for the secure exchange of email messages.
When Matthew sends Richard a message, what key should he use to encrypt the message?
a. Matthew’s public key
b. Matthew’s private key
c. Richard’s public key
d. Richard’s private key
C. The sender of a message encrypts the message using the public key of the message recipient.
Questions 99–102 refer to the following scenario.
Matthew and Richard are friends located in different physical locations who would like to begin communicating with each other using cryptography to protect the confidentiality of their communications. They exchange digital certificates to begin this process and plan to use an asymmetric encryption algorithm for the secure exchange of email messages.
When Richard receives the message from Matthew, what key should he use to decrypt the message?
a. Matthew’s public key
b. Matthew’s private key
c. Richard’s public key
d. Richard’s private key
D. The recipient of a message uses his or her own private key to decrypt messages that were encrypted with the recipient’s public key. This ensures that nobody other than the intended recipient can decrypt the message.
Questions 99–102 refer to the following scenario.
Matthew and Richard are friends located in different physical locations who would like to begin communicating with each other using cryptography to protect the confidentiality of their communications. They exchange digital certificates to begin this process and plan to use an asymmetric encryption algorithm for the secure exchange of email messages.
Matthew would like to enhance the security of his communication by adding a digital signature to the message. What goal of cryptography are digital signatures intended to enforce?
a. Secrecy
b. Availability
c. Confidentiality
d .Nonrepudiation
D. Digital signatures enforce nonrepudiation. They prevent an individual from denying that he or she was the actual originator of the message.
Questions 99–102 refer to the following scenario.
Matthew and Richard are friends located in different physical locations who would like to begin communicating with each other using cryptography to protect the confidentiality of their communications. They exchange digital certificates to begin this process and plan to use an asymmetric encryption algorithm for the secure exchange of email messages.
When Matthew goes to add the digital signature to the message, what encryption key does he use to create the digital signature?
a. Matthew’s public key
b. Matthew’s private key
c. Richard’s public key
d. Richard’s private key
B. An individual creates a digital signature by encrypting the message digest with his or her own private key.
When Jim logs into a system, his password is compared to a hashed value stored in a database. What is this process?
a. Identification
b. Hashing
c. Tokenization
d. Authentication
D. The comparison of a factor to validate an identity is known as authorization. Identification would occur when Jim presented his user ID. Tokenization is a process that converts a sensitive data element to a nonsensitive representation of that element. Hashing transforms a string of characters into a fixed-length value or key that represents the original string.
What is the primary advantage of decentralized access control?
a. It provides better redundancy.
b. It provides control of access to people closer to the resources.
c. It is less expensive.
d. It provides more granular control of access.
B. Decentralized access control empowers people closer to the resources to control access but does not provide consistent control. It does not provide redundancy, since it merely moves control points, the cost of access control depends on its implementation and methods, and granularity can be achieved in both centralized and decentralized models.
Which of the following types of controls does not describe a mantrap?
a. Deterrent
b. Preventive
c. Compensating
d. Physical
C. A mantrap, which is composed of a pair of doors with an access mechanism that allows only one door to open at a time, is an example of a preventive access control because it can stop unwanted access by keeping intruders from accessing a facility due to an opened door or following legitimate staff in. It can serve as a deterrent by discouraging intruders who would be trapped in it without proper access, and of course, doors with locks are an example of a physical control. A compensating control attempts to make up for problems with an existing control or to add additional controls to improve a primary control.
Sally’s organization needs to be able to prove that certain staff members sent emails, and she wants to adopt a technology that will provide that capability without changing their existing email system. What is the technical term for the capability Sally needs to implement as the owner of the email system, and what tool could she use to do it?
a. Integrity; IMAP
b. Repudiation; encryption
c. Nonrepudiation; digital signatures
d. Authentication; DKIM
C. Sally needs to provide nonrepudiation, the ability to provably associate a given email with a sender. Digital signatures can provide nonrepudiation and are her best option. IMAP is a mail protocol, encryption can provide confidentiality, and DKIM is a tool for identifying domains that send email.
Which one of the following background checks is not normally performed during normal pre-hire activities?
a. Credit check
b. Reference verification
c. Criminal records check
d. Medical records check
D. In most situations, employers may not access medical information due to healthcare privacy laws. Reference checks, criminal records checks, and credit history reports are all typically found during pre-employment background checks.
Margot is investigating suspicious activity on her network and uses a protocol analyzer to sniff inbound and outbound traffic. She notices an unusual packet that has identical source and destination IP addresses. What type of attack uses this packet type?
a. Fraggle
b. Smurf
c. Land
d. Teardrop
C. In a land attack, the attacker sends a packet that has identical source and destination IP addresses in an attempt to crash systems that are not able to handle this out-of-specification traffic.
Jim wants to perform an audit that will generate an industry recognized report on the design and suitability of his organization’s controls as they stand at the time of the report. If this is his only goal, what type of report should he provide?
a. An SSAE-16 Type I
b. An SAS70 Type I
c. An SSAE-16 Type II
d. An SAS-70 Type II
A. An SSAE-16 Type I report covers controls and design of controls at the time of the report. A Type II report adds a historical element, covering controls over time. SAS-70 is outdated and should not be used.
In the OSI model, when a packet changes from a datastream to a segment or a datagram, what layer has it traversed?
a. The Transport layer
b. The Application layer
c. The Data Link layer
d. The Physical layer
A. When a data stream is converted into a segment (TCP) or a datagram (UDP) it transitions from the Session layer to the Transport layer. This change from a message sent to an encoded segment allows it to then traverse the network layer.
Tommy handles access control requests for his organization. A user approaches him and explains that he needs access to the human resources database in order to complete a headcount analysis requested by the CFO. What has the user demonstrated successfully to Tommy?
a. Clearance
b. Separation of duties
c. Need to know
d. Isolation
C. The user has successfully explained a valid need to know the data—completing the report requested by the CFO requires this access. However, the user has not yet demonstrated that he or she has appropriate clearance to access the information. A note from the CFO would meet this requirement.
Kathleen wants to set up a service to provide information about her organization’s users and services using a central, open, vendor-neutral, standards-based system that can be easily queried. Which of the following technologies is her best choice?
a. RADIUS
b. LDAP
c. Kerberos
d. Active Directory
B. Kathleen’s needs point to a directory service, and the Lightweight Directory Access Protocol (LDAP) would meet her needs. LDAP is an open, industry standard and vendor-neutral protocol for directory services. Kerberos and RADIUS are both authentication protocols, and Active Directory is a Microsoft product and is not vendor neutral, although it does support a number of open standards.
What type of firewall is capable of inspecting traffic at layer 7 and performing protocol-specific analysis for malicious traffic?
a. Application firewall
b. Stateful inspection firewall
c. Packet filtering firewall
d. Bastion host
A. Application firewalls add Layer 7 functionality to other firewall solutions. This includes the ability to inspect application-layer details such as analyzing HTTP, DNS, FTP, and other application protocols.
Alice would like to add another object to a security model and grant herself rights to that object. Which one of the rules in the Take-Grant protection model would allow her to complete this operation?
a. Take rule
b. Grant rule
c. Create rule
d. Remove rule
C. The create rule allows a subject to create new objects and also creates an edge from the subject to that object, granting rights on the new object.
Which of the following concerns should not be on Lauren’s list of potential issues when penetration testers suggest using Metasploit during their testing?
a. Metasploit can only test vulnerabilities it has plug-ins for.
b. Penetration testing only covers a point-in-time view of the organization’s security.
c. Tools like Metasploit can cause denial-of-service issues.
d. Penetration testing cannot test process and policy.
A. Metasploit provides an extensible framework, allowing penetration testers to create their own exploits in addition to those that are built into the tool. Unfortunately, penetration testing can only cover the point in time when it is conducted. When conducting a penetration test, the potential to cause a denial of service due to a fragile service always exists, but it can test process and policy through social engineering and operational testing that validates how those processes and policies work.
Colin is reviewing a system that has been assigned the EAL7 evaluation assurance level under the Common Criteria. What is the highest level of assurance that he may have about the system?
a. It has been functionally tested.
b. It has been methodically tested and checked.
c. It has been methodically designed, tested, and reviewed.
d. It has been formally verified, designed, and tested.
D. EAL7 is the highest level of assurance under the Common Criteria. It applies when a system has been formally verified, designed, and tested.
Which ITU-T standard should Alex expect to see in use when he uses his smart card to provide a certificate to an upstream authentication service?
a. X.500
b. SPML
c. X.509
d. SAML
C. X.509 defines standards for public key certificates like those used with many smart cards. X.500 is a series of standards defining directory services. The Service Provisioning Markup Language (SPML) and the Security Assertion Markup Language (SAML) aren’t standards that Alex should expect to see when using a smart card to authenticate.
What type of websites are regulated under the terms of COPPA?
a. Financial websites not run by financial institutions
b. Healthcare websites that collect personal information
c. Websites that collect information from children
d. Financial websites run by financial institutions
C. The Children’s Online Privacy Protection Act (COPPA) regulates websites that cater to children or knowingly collect information from children under the age of 13.
Tracy recently accepted an IT compliance position at a federal government agency that works very closely with the Defense Department on classified government matters. Which one of the following laws is least likely to pertain to Tracy’s agency?
a. HIPAA
b. FISMA
c. HSA
d. CFAA
A. The Health Insurance Portability and Accountability Act (HIPAA) applies to healthcare information and is unlikely to apply in this situation. The Federal Information Security Management Act (FISMA) and Government Information Security Reform Act regulate the activities of all government agencies. The Homeland Security Act (HSA) created the US Department of Homeland Security, and more importantly for this question included the Cyber Security Enhancement Act of 2002 and the Critical Infrastructure Information Act of 2002. The Computer Fraud and Abuse Act (CFAA) provides specific protections for systems operated by government agencies.
Referring to the figure shown here, what is the name of the security control indicated by the arrow?
a. Mantrap
b. Intrusion prevention system
c. Turnstile
d. Portal
C. Turnstiles are unidirectional gates that prevent more than a single person from entering a facility at a time.
What two important factors does accountability for access control rely on?
a. Identification and authorization
b. Authentication and authorization
c. Identification and authentication
d. Accountability and authentication
C. Access control systems rely on identification and authentication to provide accountability. Effective authorization systems are desirable, but not required, since logs can provide information about who accessed what resources, even if access to those resources are not managed well. Of course, poor authorization management can create many other problems.
What key assumption made by EAP can be remedied by using PEAP?
a. EAP assumes that LEAP will replace TKIP, ensuring authentication will occur.
b. EAP originally assumed the use of physically isolated channels and is usually not encrypted.
c. There are no TLS implementations available using EAP.
d. EAP does not allow additional authentication methods, and PEAP adds additional methods.
B. EAP was originally intended to be used on physically isolated network channels and did not include encryption. Fortunately, it was designed to be extensible, and PEAP can provide TLS encryption. EAP isn’t limited to PEAP as an option as EAP-TLS also exists, providing an EAP TLS implementation, and the same extensibility allows a multitude of other authentication methods.
Scott’s organization has configured their external IP address to be 192.168.1.25. When traffic is sent to their ISP, it never reaches its destination. What problem is Scott’s organization encountering?
a. BGP is not set up properly.
b. They have not registered their IP with their ISP.
c. The IP address is a private, non-routable address.
d. 192.168.1.25 is a reserved address for home routers.
C. The 192.168.0.0-192.168.255.255 address range is one of the ranges defined by RFC 1918 as private, non-routable IP ranges. Scott’s ISP (and any other organization with a properly configured router) will not route traffic from these addresses over the public Internet.
Jennifer needs to measure the effectiveness of her information security program as she works toward her organization’s long-term goals. What type of measures should she select?
a. Metrics
b. KPIs
c. SLAs
d. OKRs
B. She should use a KPI (Key Performance Indicator). KPIs are used to measure success, typically in relation to an organization’s long-term goals. Metrics are measures, and although a KPI can be a metric, metrics are not all KPIs. SLAs are service-level agreements, and metrics can help determine whether they are being met. Objectives and key results (OKRs) are used to connect employee performance to results using subjective measures for objectives and quantitative measures for key results.
Sue’s organization recently failed a security assessment because their network was a single flat broadcast domain, and sniffing traffic was possible between different functional groups. What solution should she recommend to help prevent the issues that were identified?
a. Use VLANs.
b. Change the subnet mask for all systems.
c. Deploy gateways.
d. Turn on port security.
A. A well-designed set of VLANs based on functional groupings will logically separate segments of the network, making it difficult to have data exposure issues between VLANs. Changing the subnet mask will only modify the broadcast domain and will not fix issues with packet sniffing. Gateways would be appropriate if network protocols were different on different segments. Port security is designed to limit which systems can connect to a given port.
Susan is setting up the network for a local coffee house and wants to ensure that users have to authenticate using an email address and agree to the coffee house’s acceptable use policy before being allowed on the network. What technology should she use to do this?
a. 802.11
b. NAC
c. A captive portal
d. A wireless gateway
C. Captive portals are designed to show a page that can require actions like accepting an agreement or recording an email address before connecting clients to the Internet. NAC is designed to verify whether clients meet a security profile, which doesn’t match the needs of most coffee shops. A wireless gateway is a tool to access a cellular or other network, rather than a way to interact with users before they connect, and 802.11 is the family of IEEE wireless standards.
What is another term for active monitoring?
a. Synthetic
b. Passive
c. Reactive
d. Span-based
A. Active monitoring is also known as synthetic monitoring and relies on prerecorded or generated traffic to test systems for performance and other issues. Passive monitoring uses span ports, network taps, or similar technologies to capture actual traffic for analysis. Reactive monitoring is not a commonly used industry term.
The TCP header is made up of elements such as the source port, destination port, sequence number, and others. How many bytes long is the TCP header?
a. 8 bytes
b. 20–60 bytes
c. 64 bytes
d. 64–128 bytes
B. TCP headers can be 20 to 60 bytes long depending on options that are set.
The company that Fred works for is reviewing the security of their company issued cell phones. They issue 4G capable smartphones running Android and iOS, and use a mobile device management solution to deploy company software to the phones. The mobile device management software also allows the company to remotely wipe the phones if they are lost. Use this information, as well as your knowledge of cellular technology, to answer questions 129–131.
What security considerations should Fred’s company require for sending sensitive data over the cellular network?
a. They should use the same requirements as data over any public network.
b. Cellular provider networks are private networks and should not require special consideration.
c. Encrypt all traffic to ensure confidentiality.
d. Require the use of WAP for all data sent from the phone.
A. Cellular networks have the same issues that any public network does. Encryption requirements should match those that the organization selects for other public networks like hotels, conference Wi-Fi, and similar scenarios. Encrypting all data is difficult, and adds overhead, so it should not be the default answer unless the company specifically requires it. WAP is a dated wireless application protocol and is not in broad use; requiring it would be difficult. WAP does provide TLS, which would help when in use.
The company that Fred works for is reviewing the security of their company issued cell phones. They issue 4G capable smartphones running Android and iOS, and use a mobile device management solution to deploy company software to the phones. The mobile device management software also allows the company to remotely wipe the phones if they are lost. Use this information, as well as your knowledge of cellular technology, to answer questions 129–131.
Fred intends to attend a major hacker conference this year. What should he do when connecting to his cellular provider’s 4G network while at the conference?
a. Continue normal usage.
b. Discontinue all usage; towers can be spoofed.
c. Only use trusted Wi-Fi networks.
d. Connect to his company’s encrypted VPN service.
D. Fred’s best option is to use an encrypted, trusted VPN service to tunnel all of his data usage. Trusted Wi-Fi networks are unlikely to exist at a hacker conference, normal usage is dangerous due to the proliferation of technology that allows fake towers to be set up, and discontinuing all usage won’t support Fred’s business needs.
The company that Fred works for is reviewing the security of their company issued cell phones. They issue 4G capable smartphones running Android and iOS, and use a mobile device management solution to deploy company software to the phones. The mobile device management software also allows the company to remotely wipe the phones if they are lost. Use this information, as well as your knowledge of cellular technology, to answer questions 129–131.
What are the most likely circumstances that would cause a remote wipe of a mobile phone to fail?
a. The phone has a passcode on it.
b. The phone cannot contact a network.
c. The provider has not unlocked the phone.
d. The phone is in use.
B. Remote wipe tools are a useful solution, but they only work if the phone can access either a cellular or Wi-Fi network. Remote wipe solutions are designed to wipe data from the phone regardless of whether it is in use or has a passcode. Providers unlock phones for use on other cellular networks rather than for wiping or other feature support.
Elaine is developing a business continuity plan for her organization. What value should she seek to minimize?
a. AV
b. SSL
c. RTO
d. MTO
C. The goal of business continuity planning exercises is to reduce the amount of time required to restore operations. This is done by minimizing the recovery time objective (RTO)
NIST Special Publication 800-53, revision 4, describes two measures of assurance. Which measure of developmental assurance is best described as measuring “the rigor, level of detail, and formality of the artifacts produced during the design and development of the hardware, software, and firmware components of information systems (e.g., functional specifications, high-level design, low-level design, source code)”?
a. Coverage
b. Suitability
c. Affirmation
d. Depth
D. NIST Special Publication 800-53 describes depth and coverage. These terms describe depth, specifying the level of detail. Coverage measures breadth by using multiple assessment types and ensuring that each line of code is covered. If you encounter a question like this and are not familiar with the details of a standard like NIST 800-53, or may not remember them, focus on the meanings of each word and the details of the question. We can easily rule out affirmation, which isn’t a measure. Suitability is a possibility, but depth fits better than suitability or coverage.
Which one of the following disaster recovery test types does not involve the actual use of any technical disaster recovery controls?
a. Simulation test
b. Parallel test
c. Structured walk-through
d. Full interruption test
C. A structured walk-through uses only role-playing to test a disaster recovery plan. It does not involve the use of any technical controls. Simulation tests, parallel tests, and full interruption tests actually use some or all of the disaster recovery controls.
Chris is experiencing issues with the quality of network service on his organization’s network. The primary symptom is that packets are becoming corrupted as they travel from their source to their destination. What term describes the issue Chris is facing?
a. Latency
b. Jitter
c. Interference
d. Packet loss
C. Interference is electrical noise or other disruptions that corrupt the contents of packets. Latency is a delay in the delivery of packets from their source to their destination. Jitter is a variation in the latency for different packets. Packet loss is the disappearance of packets in transit that requires retransmission.
Kathleen has been asked to choose a highly formalized code review process for her software quality assurance team to use. Which of the following software testing processes is the most rigorous and formal?
a. Fagan
b. Fuzzing
c. Over the shoulder
d. Pair programming
A. Fagan inspections follow a rigorous, highly structured process to perform code review, using a planning, overview, preparation, inspection, rework, and follow-up cycle. Fuzzing feeds unexpected input to programs, while over-the-shoulder code review is simply a review by having another developer meet with them to review code using a walk-through. Pair programming uses a pair of developers, one of whom writes code while both talk through the coding and development process.
Frank is attempting to protect his web application against cross-site scripting attacks. Users do not need to provide input containing scripts, so he decided the most effective way to filter would be to write a filter on the server that watches for the tag and removes it. What is the issue with Frank’s approach?
a. Validation should always be performed on the client side.
b. Attackers may use XSS filter evasion techniques against this approach.
c. Server-side validation requires removing all HTML tags, not just the tag.
d. There is no problem with Frank’s approach.
B. While removing the tag from user input, it is not sufficient, as a user may easily evade this filter by encoding the tag with an XSS filter evasion technique. Frank was correct to perform validation on the server rather than at the client, but he should use validation that limits user input to allowed values, rather than filtering out one potentially malicious tag.
Which one of the following is not an object-oriented programming language?
a. C++
b. Java
c. Fortran
d. C#
C. Fortran is a functional programming language. Java, C++, and C# are all object-oriented languages, meaning that they use the object model and approach programming as describing the interactions between objects.
Uptown Records Management recently entered into a contract with a hospital for the secure storage of medical records. The hospital is a HIPAA-covered entity. What type of agreement must the two organizations sign to remain compliant with HIPAA?
a. NDA
b. NCA
c. BAA
d. SLA
C. HIPAA requires that anyone working with personal health information on behalf of a HIPAA-covered entity be subject to the terms of a business associates agreement (BAA).
Norm would like to conduct a disaster recovery test for his organization and wants to choose the most thorough type of test, recognizing that it may be quite disruptive. What type of test should Norm choose?
a. Full interruption test
b. Parallel test
c. Tabletop exercise
d. Checklist review
A. During a full interruption test, the team takes down the primary site and confirms that the disaster recovery site is capable of handling regular operations. The full interruption test is the most thorough test but also the most disruptive. During a parallel test, the team actually activates the disaster recovery site for testing but the primary site remains operational. The checklist review is the least disruptive type of disaster recovery test. During a checklist review, team members each review the contents of their disaster recovery checklists on their own and suggest any necessary changes. During a tabletop exercise, team members come together and walk through a scenario without making any changes to information systems.
Ed is building a network that supports IPv6 but needs to connect it to an IPv4 network. What type of device should Ed place between the networks?
a. A switch
b. A router
c. A bridge
d. A gateway
D. Ed’s best option is to install an IPv6 to IPv4 gateway that can translate traffic between the networks. A bridge would be appropriate for different types of networks, whereas a router would make sense if the networks were similar. A modern switch might be able to carry both types of traffic but wouldn’t be much help translating between the two protocols.
What encryption standard won the competition for certification as the Advanced Encryption Standard?
a. Blowfish
b. Twofish
c. Rijndael
d. Skipjack
C. The Rijndael block cipher was selected as the winner and is the cryptographic algorithm underlying the Advanced Encryption Standard (AES).
Which law can be summarized through these seven key principles: notice, choice, onward transfer, security, data integrity, access, enforcement?
a. COPA
b. NY SAFE Act
c. The EU Data Protection Directive
d. FISMA
C. The International Safe Harbor Privacy Principles listed here are part of the Safe Harbor provisions intended to address the European Union’s Data Privacy Directive. The DPD provides seven slightly different key principles to ensure data security and privacy. The Children’s Online Privacy Act (COPA), the NY SAFE Act is not an information security or privacy law, and the Federal Information Security Modernization Act (FISMA) is a key part of the US federal government’s security posture.
Which one of the following actions is not required under the EU Data Protection Directive?
a. Organizations must allow individuals to opt out of information sharing.
b. Organizations must provide individuals with lists of employees with access to information.
c. Organizations must use proper mechanisms to protect data against unauthorized disclosure.
d. Organizations must have a dispute resolution process for privacy issues.
B. The EU Data Protection Directive does not require that organizations provide individuals with employee lists.
Tammy is selecting a disaster recovery facility for her organization. She would like to choose a facility that balances the time required to recover operations with the cost involved. What type of facility should she choose?
a. Hot site
b. Warm site
c. Cold site
d. Red site
B. Tammy should choose a warm site. This type of facility meets her requirements for a good balance between cost and recovery time. It is less expensive than a hot site but facilitates faster recovery than a cold site. A red site is not a type of disaster recovery facility.
What layer of the OSI model is associated with datagrams?
a. Session
b. Transport
c. Network
d. Data Link
B. When data reaches the Transport layer, it is sent as segments (TCP) or datagrams (UDP). Above the Transport layer, data becomes a data stream, while below the Transport layer they are converted to packets at the Network layer, frames at the Data Link layer, and bits at the Physical layer.
Which one of the following is not a valid key length for the Advanced Encryption Standard?
a. 128 bits
b. 192 bits
c. 256 bits
d. 384 bits
D. The Advanced Encryption Standard supports encryption with 128-bit keys, 192-bit keys, and 256-bit keys.
Which one of the following technologies provides a function interface that allows developers to directly interact with systems without knowing the implementation details of that system?
a. Data dictionary
b. Object model
c. Source code
d. API
D. An application programming interface (API) allows developers to create a direct method for other users to interact with their systems through an abstraction that does not require knowledge of the implementation details. Access to object models, source code, and data dictionaries also indirectly facilitate interaction but do so in a manner that provides other developers with implementation details.
What email encryption technique is illustrated in this figure?
a. MD5
b. Thunderbird
c. S/MIME
d. PGP
D. The PGP email system, invented by Phil Zimmerman, uses the “web of trust” approach to secure email. The commercial version uses RSA for key exchange, IDEA for encryption/decryption, and MD5 for message digest production. The freeware version uses Diffie-Hellman key exchange, the Carlisle Adams/Stafford Tavares (CAST) encryption/decryption, and SHA hashing.
When Ben lists the files on a Linux system, he sees a set of attributes as shown in the following image.
This letters rwx indicate different levels of what?
a. Identification
b. Authorization
c. Authentication
d. Accountability
B. The permissions granted on files in Linux designate what authorized users can do with those files—read, write, or execute. In the image shown, all users can read, write, and execute index.html, whereas the owner can read, write, and execute example.txt, the group cannot, and everyone can write and execute it.
What type of access control is intended to discover unwanted or unauthorized activity by providing information after the event has occurred?
a. Preventive
b. Corrective
c. Detective
d. Directive
C. Detective access controls operate after the fact and are intended to detect or discover unwanted access or activity. Preventive access controls are designed to prevent the activity from occurring, whereas corrective controls return an environment to its original status after an issue occurs. Directive access controls limit or direct the actions of subjects to ensure compliance with policies.
Which one of the following presents the most complex decoy environment for an attacker to explore during an intrusion attempt?
a. Honeypot
b. Darknet
c. Honeynet
d. Pseudo flaw
C. A honeypot is a decoy computer system used to bait intruders into attacking. A honeynet is a network of multiple honeypots that creates a more sophisticated environment for intruders to explore. A pseudo flaw is a false vulnerability in a system that may attract an attacker. A darknet is a segment of unused network address space that should have no network activity and, therefore, may be easily used to monitor for illicit activity.
Ben’s organization is adopting biometric authentication for their high-security building’s access control system. Using this chart, answer questions 153–155 about their adoption of the technology.
Ben’s company is considering configuring their systems to work at the level shown by point A on the diagram. What level are they setting the sensitivity to?
a. The FRR crossover
b. The FAR point
c. The CER
d. The CFR
C. The CER is the point where FAR and FRR cross over, and it is a standard assessment used to compare the accuracy of biometric devices.
Ben’s organization is adopting biometric authentication for their high-security building’s access control system. Using this chart, answer questions 153–155 about their adoption of the technology.
At point B, what problem is likely to occur?
a. False acceptance will be very high.
b. False rejection will be very high.
c. False rejection will be very low.
d. False acceptance will be very low.
A. At point B, the false acceptance rate (FAR) is quite high, whereas the false rejection rate (FRR) is relatively low. This may be acceptable in some circumstances, but in organizations where a false acceptance can cause a major problem, it is likely that they should instead choose a point to the right of point A.
Ben’s organization is adopting biometric authentication for their high-security building’s access control system. Using this chart, answer questions 153–155 about their adoption of the technology.
What should Ben do if the FAR and FRR shown in this diagram does not provide an acceptable performance level for his organization’s needs?
a. Adjust the sensitivity of the biometric devices.
b. Assess other biometric systems to compare them.
c. Move the CER.
d. Adjust the FRR settings in software.
B. CER is a standard used to assess biometric devices. If the CER for this device does not fit the needs of the organization, Ben should assess other biometric systems to find one with a lower CER. Sensitivity is already accounted for in CER charts, and moving the CER isn’t something Ben can do. FRR is not a setting in software, so Ben can’t use that as an option either.
Ed is tasked with protecting information about his organization’s customers, including their name, Social Security number, birthdate and place of birth, as well as a variety of other information. What is this information known as?
a. PHI
b. PII
c. Personal Protected Data
d. PID
B. Personally Identifiable Information (PII) can be used to distinguish a person’s identity. Personal Health Information (PHI ) includes data like medical history, lab results, insurance information, and other details about a patient. Personal Protected Data is a made-up term, and PID is an acronym for process ID, the number associated with a running program or process.
What software development life-cycle model is shown in the following illustration?\
a. Spiral
b. Agile
c. Boehm
d. Waterfall
D. The figure shows the waterfall model, developed by Winston Royce. The key characteristic of this model is a series of sequential steps that include a feedback loop that allows the process to return one step prior to the current step when necessary.
Encapsulation is the core concept that enables what type of protocol?
a. Bridging
b. Multilayer
c. Hashing
d. Storage
B. Encapsulation creates both the benefits and potential issues with multilayer protocols. Bridging can use various protocols but does not rely on encapsulation. Hashing and storage protocols typically do not rely on encapsulation as a core part of their functionality.
Which one of the following is not a key principle of the COBIT framework for IT security control objectives?
a. Meeting stakeholder needs
b. Performing exhaustive analysis
c. Covering the enterprise end-to-end
d. Separating governance from management
B. The five COBIT principles are meeting stakeholder needs, covering the enterprise end-to-end, applying a single integrated framework, enabling a holistic approach, and separating governance from management.
Roscommon Enterprises is an Irish company that handles personal information. They exchange information with many other countries. Which of the following countries would trigger the onward transfer provisions of the International Safe Harbor Privacy Principles?
a. United States
b. United Kingdom
c. Italy
d. Germany
A. The onward transfer principle requires that organizations only exchange personal information with other organizations bound by the EU Data Protection Directive’s privacy principles. The United Kingdom, Italy, and Germany, as EU member states, are all bound by those principles. The United States does not have a comprehensive privacy law codifying those principles, so the onward transfer requirement applies.
What important protocol is responsible for providing human-readable addresses instead of numerical IP addresses?
a. TCP
b. IP
c. DNS
d. ARP
C. The Domain Name System (DNS) provides human-friendly domain names that resolve to IP addresses, making it possible to easily remember websites and hostnames. ARP is used to resolve IP addresses into MAC addresses, whereas TCP is used to control the network traffic that travels between systems.
NIST Special Publication 800-53A describes four types of objects that can be assessed. If Ben is reviewing a password standard, which of the four types of objects is he assessing?
a. A mechanism
b. A specification
c. An activity
d. An individual
B. Ben is assessing a specification. Specifications are document-based artifacts like policies or designs. Activities are actions that support an information system that involves people. Mechanisms are the hardware-, software-, or firmware-based controls or systems in an information system, and an individual is one or more people applying specifications, mechanisms, or activities.
What process is typically used to ensure data security for workstations that are being removed from service, but which will be resold or otherwise reused?
a. Destruction
b. Erasing
c. Sanitization
d. Clearing
C. When done properly, a sanitization process fully ensures that data is not remnant on the system before it is reused. Clearing and erasing can both be failure prone, and of course destruction wouldn’t leave a machine or device to reuse.
Colleen is conducting a software test that is evaluating code for both security flaws and usability issues. She is working with the application from an end-user perspective and referencing the source code as she works her way through the product. What type of testing is Colleen conducting?
a. White box
b. Blue box
c. Gray box
d. Black box
C. In a gray box test, the tester evaluates the software from a user perspective but has access to the source code as the test is conducted. White box tests also have access to the source code but perform testing from a developer’s perspective. Black box tests work from a user’s perspective but do not have access to source code. Blue boxes are a telephone hacking tool and not a software testing technique.
Harold is looking for a software development methodology that will help with a major issue he is seeing in his organization. Currently, developers and operations staff do not work together and are often seen as taking problems and “throwing them over the fence” to the other team. What technology management approach is designed to alleviate this problem?
a. ITIL
b. Lean
c. ITSM
d. DevOps
D. The DevOps approach to technology management seeks to integrate software development, operations, and quality assurance in a cohesive effort. It specifically attempts to eliminate the issue of “throwing problems over the fence” by building collaborative relationships between members of the IT team.
NIST Special Publication 800-92, the Guide to Computer Security Log Management, describes four types of common challenges to log management:
Many log sources
Inconsistent log content
Inconsistent timestamps
Inconsistent log formats
Which of the following solutions is best suited to solving these issues?
a. Implement SNMP for all logging devices.
b. Implement a SIEM.
c. Standardize on the Windows event log format for all devices and use NTP.
d. Ensure logging is enabled on all endpoints using their native logging formats and set their local time correctly.
B. A Security Information and Event Management (SIEM) tool is designed to centralize logs from many locations in many formats, and to ensure that logs are read and analyzed despite differences between different systems and devices. The Simple Network Management Protocol (SNMP) is used for some log messaging but is not a solution that solves all of these problems. Most non-Windows devices, including network devices among others, are not designed to use the Windows event log format, although using NTP for time synchronization is a good idea. Finally, local logging is useful, but setting clocks individually will result in drift over time and won’t solve the issue with many log sources.
Mike has a flash memory card that he would like to reuse. The card contains sensitive information. What technique can he use to securely remove data from the card and allow its reuse?
a. Degaussing
b. Physical destruction
c. Overwriting
d. Reformatting
C. Mike should use overwriting to protect this device. While degaussing is a valid secure data removal technique, it would not be effective in this case, since degaussing only works on magnetic media. Physical destruction would prevent the reuse of the device. Reformatting is not a valid secure data removal technique.
Carlos is investigating the compromise of sensitive information in his organization. He believes that attackers managed to retrieve personnel information on all employees from the database and finds the following user-supplied input in a log entry for a web-based personnel management system:
Collins’&1=1;––
What type of attack took place?
a. SQL injection
b. Buffer overflow
c. Cross-site scripting
d. Cross-site request forgery
A. The single quotation mark in the input field is a telltale sign that this is a SQL injection attack. The quotation mark is used to escape outside the SQL code’s input field and the text that follows is used to directly manipulate the SQL command sent from the web application to the database.
Which one of the following is a detailed, step-by-step document that describes the exact actions that individuals must complete?
a. Policy
b. Standard
c. Guideline
d. Procedure
D. Procedures are formal, mandatory documents that provide detailed, step-by-step actions required from individuals performing a task.
What principle of relational databases ensures the permanency of transactions that have successfully completed?
a. Atomicity
b. Consistency
c. Isolation
d. Durability
D. Durability requires that once a transaction is committed to the database it must be preserved. Atomicity ensures that if any part of a database transaction fails, the entire transaction must be rolled back as if it never occurred. Consistency ensures that all transactions are consistent with the logical rules of the database, such as having a primary key. Isolation requires that transactions operate separately from each other.
Bryan has a set of sensitive documents that he would like to protect from public disclosure. He would like to use a control that, if the documents appear in a public forum, may be used to trace the leak back to the person who was originally given the document copy. What security control would best fulfill this purpose?
a. Digital signature
b. Document staining
c. Hashing
d. Watermarking
D. Watermarking alters a digital object to embed information about the source, either in a visible or hidden form. Digital signatures may identify the source of a document but they are easily removed. Hashing would not provide any indication of the document source, since anyone could compute a hash value. Document staining is not a security control.
Carlos is planning a design for a data center that will be constructed within a new four-story corporate headquarters. The building consists of a basement and three above-ground floors. What is the best location for the data center?
a. Basement
b. First floor
c. Second floor
d. Third floor
C. Data centers should be located in the core of a building. Locating it on lower floors makes it susceptible to flooding and physical break-ins. Locating it on the top floor makes it vulnerable to wind and roof damage.
Chris is an information security professional for a major corporation and, as he is walking into the building, he notices that the door to a secure area has been left ajar. Physical security does not fall under his responsibility, but he takes immediate action by closing the door and informing the physical security team of his action. What principle is Chris demonstrating?
a. Due care
b. Due diligence
c. Separation of duties
d. Informed consent
A. The due care principle states that an individual should react in a situation using the same level of care that would be expected from any reasonable person. It is a very broad standard. The due diligence principle is a more specific component of due care that states an individual assigned a responsibility should exercise due care to complete it accurately and in a timely manner.
Which one of the following investigation types always uses the beyond a reasonable doubt standard of proof?
a. Civil investigation
b. Criminal investigation
c. Operational investigation
d. Regulatory investigation
B. Criminal investigations have high stakes with severe punishment for the offender that may include incarceration. Therefore, they use the strictest standard of evidence of all investigations: beyond a reasonable doubt. Civil investigations use a preponderance of the evidence standard. Regulatory investigations may use whatever standard is appropriate for the venue where the evidence will be heard. This may include the beyond-a-reasonable-doubt standard, but it is not always used in regulatory investigations. Operational investigations do not use a standard of evidence.
Which one of the following backup types does not alter the status of the archive bit on a file?
a. Full backup
b. Incremental backup
c. Partial backup
d. Differential backup
D. Differential backups do not alter the archive bit on a file, whereas incremental and full backups reset the archive bit to 0 after the backup completes. Partial backups are not a backup type.
What type of alternate processing facility contains the hardware necessary to restore operations but does not have a current copy of data?
a. Hot site
b. Warm site
c. Cold site
d. Mobile site
B. Warm sites contain the hardware necessary to restore operations but do not have a current copy of data.
Which one of the following terms describes a period of momentary high voltage?
a. Sag
b. Brownout
c. Spike
d. Surge
C. A power spike is a momentary period of high voltage. A surge is a prolonged period of high voltage. Sags and brownouts are periods of low voltage.
A web application accesses information in a database to retrieve user information. What is the web application acting as?
a. A subject
b. An object
c. A user
d. A token
A. Subjects are active entities that can access a passive object to retrieve information from or about an object. Subjects can also make changes to objects when they are properly authorized. Users are often subjects, but not all subjects are users.
The Open Shortest Path First (OSPF) protocol is a routing protocol that keeps a map of all connected remote networks and uses that map to select the shortest path to a remote destination. What type of routing protocol is OSPF?
a. Link state
b. Shortest path first
c. Link mapping
d. Distance vector
A. OSPF is a link state protocol. Link state protocols maintain a topographical map of all connected networks and preferentially select the shortest path to remote networks for traffic. A distance vector protocol would map the direction and distance in hops to a remote network, whereas shortest path first and link mapping are not types of routing protocols.
Which one of the following categories consists of first-generation programming languages?
a. Machine languages
b. Assembly languages
c. Compiled languages
d. Natural language
A. Machine languages are examples of first-generation programming languages. Second-generation languages include assembly languages. Third-generation languages include compiled languages. Fourth- and fifth-generation languages go beyond standard compiled languages to include natural languages and declarative approaches to programming.
Questions 181–185 refer to the following scenario.
Concho Controls is a mid-sized business focusing on building automation systems. They host a set of local file servers in their on-premises data center that store customer proposals, building plans, product information, and other data that is critical to their business operations.
Tara works in the Concho Controls IT department and is responsible for designing and implementing the organization’s backup strategy, among other tasks. She currently conducts full backups every Sunday evening at 8 p.m. and differential backups on Monday through Friday at noon.
Concho experiences a server failure at 3 p.m. on Wednesday. Tara rebuilds the server and wants to restore data from the backups.
What backup should Tara apply to the server first?
a. Sunday’s full backup
b. Monday’s differential backup
c. Tuesday’s differential backup
d. Wednesday’s differential backup
A. Tara first must achieve a system baseline. She does this by applying the most recent full backup to the new system. This is Sunday’s full backup. Once Tara establishes this baseline, she may then proceed to apply differential backups to bring the system back to a more recent state.
Questions 181–185 refer to the following scenario.
Concho Controls is a mid-sized business focusing on building automation systems. They host a set of local file servers in their on-premises data center that store customer proposals, building plans, product information, and other data that is critical to their business operations.
Tara works in the Concho Controls IT department and is responsible for designing and implementing the organization’s backup strategy, among other tasks. She currently conducts full backups every Sunday evening at 8 p.m. and differential backups on Monday through Friday at noon.
Concho experiences a server failure at 3 p.m. on Wednesday. Tara rebuilds the server and wants to restore data from the backups.
How many backups in total must Tara apply to the system to make the data it contains as current as possible?
a. 1
b. 2
c. 3
d. 4
B. To restore the system to as current a state as possible, Tara must first apply Sunday’s full backup. She may then apply the most recent differential backup, from Tuesday evening. Differential backups include all files that have changed since the most recent full backup, so the contents of Tuesday’s backup contain all of the data that would be contained in Monday’s backup, making the Monday backup irrelevant for this scenario.
Questions 181–185 refer to the following scenario.
Concho Controls is a mid-sized business focusing on building automation systems. They host a set of local file servers in their on-premises data center that store customer proposals, building plans, product information, and other data that is critical to their business operations.
Tara works in the Concho Controls IT department and is responsible for designing and implementing the organization’s backup strategy, among other tasks. She currently conducts full backups every Sunday evening at 8 p.m. and differential backups on Monday through Friday at noon.
Concho experiences a server failure at 3 p.m. on Wednesday. Tara rebuilds the server and wants to restore data from the backups.
In this backup approach, some data may be irretrievably lost. How long is the time period where any changes made will have been lost?
a. 3 hours
b. 5 hours
c. 8 hours
d. No data will be lost.
A. In this scenario, the differential backup was made at noon and the server failed at 3 p.m. Therefore, any data modified or created between noon and 3 p.m. will not be contained on any backup and will be irretrievably lost.
Questions 181–185 refer to the following scenario.
Concho Controls is a mid-sized business focusing on building automation systems. They host a set of local file servers in their on-premises data center that store customer proposals, building plans, product information, and other data that is critical to their business operations.
Tara works in the Concho Controls IT department and is responsible for designing and implementing the organization’s backup strategy, among other tasks. She currently conducts full backups every Sunday evening at 8 p.m. and differential backups on Monday through Friday at noon.
Concho experiences a server failure at 3 p.m. on Wednesday. Tara rebuilds the server and wants to restore data from the backups.
If Tara followed the same schedule but switched the differential backups to incremental backups, how many backups in total would she need to apply to the system to make the data it contains as current as possible?
a. 1
b. 2
c. 3
d. 4
D. By switching from differential to incremental backups, Tara’s weekday backups will only contain the information changed since the previous day. Therefore, she must apply all of the available incremental backups. She would begin by restoring the Sunday full backup and then apply the Monday, Tuesday, and Wednesday incremental backups.
Questions 181–185 refer to the following scenario.
Concho Controls is a mid-sized business focusing on building automation systems. They host a set of local file servers in their on-premises data center that store customer proposals, building plans, product information, and other data that is critical to their business operations.
Tara works in the Concho Controls IT department and is responsible for designing and implementing the organization’s backup strategy, among other tasks. She currently conducts full backups every Sunday evening at 8 p.m. and differential backups on Monday through Friday at noon.
Concho experiences a server failure at 3 p.m. on Wednesday. Tara rebuilds the server and wants to restore data from the backups.
If Tara made the change from differential to incremental backups and we assume that the same amount of information changes each day, which one of the following files would be the largest?
a. Monday’s incremental backup
b. Tuesday’s incremental backup
c. Wednesday’s incremental backup
d. All three will be the same size.
D. Each incremental backup contains only the information changed since the most recent full or incremental backup. If we assume that the same amount of information changes every day, each of the incremental backups would be roughly the same size.
Susan is conducting a STRIDE threat assessment by placing threats into one or more of the following categories: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. As part of her assessment, she has discovered an issue that allows transactions to be modified between a web browser and the application server that it accesses. What STRIDE categorization(s) best fit this issue?
a. Tampering and Information Disclosure
b. Spoofing and Tampering
c. Tampering and Repudiation
d. Information Disclosure and Elevation of Privilege
A. Information that is modifiable between a client and a server also means that it is accessible, pointing to both tampering and information disclosure. Spoofing in STRIDE is aimed at credentials and authentication, and there is no mention of this in the question. Repudiation would require that proving who performed an action was important, and elevation of privilege would come into play if privilege levels were involved.
Bob has been tasked with writing a policy that describes how long data should be kept and when it should be purged. What concept does this policy deal with?
a. Data remanence
b. Record retention
c. Data redaction
d. Audit logging
B. Record retention ensures that data is kept and maintained as long as it is needed, and that it is purged when it is no longer necessary. Data remanence occurs when data is left behind after an attempt is made to remove it, whereas data redaction is not a technical term used to describe this effort. Finally, audit logging may be part of the records retained but doesn’t describe the life cycle of data.
Which component of IPSec provides authentication, integrity, and nonrepudiation?
a. L2TP
b. Encapsulating Security Payload
c. Encryption Security Header
d. Authentication Header
D. The Authentication Header provides authentication, integrity, and nonrepudiation for IPSec connections. The Encapsulating Security Payload provides encryption and thus provides confidentiality. It can also provide limited authentication. L2TP is an independent VPN protocol, and Encryption Security Header is a made-up term.
Renee notices that a system on her network recently received connection attempts on all 65,536 TCP ports from a single system during a short period of time. What type of attack did Renee most likely experience?
a. Denial of service
b. Reconnaissance
c. Malicious insider
d. Compromise
B. The attack described in the scenario is a classic example of TCP scanning, a network reconnaissance technique that may precede other attacks. There is no evidence that the attack disrupted system availability, which would characterize a denial-of-service attack, that it was waged by a malicious insider, or that the attack resulted in the compromise of a system.
Which one of the following techniques can an attacker use to exploit a TOC/TOU vulnerability?
a. File locking
b. Exception handling
c. Algorithmic complexity
d. Concurrency control
C. Attackers may use algorithmic complexity as a tool to exploit a TOC/TOU race condition. By varying the workload on the CPU, attackers may exploit the amount of time required to process requests and use that variance to effectively schedule the exploit’s execution. File locking, exception handling, and concurrency controls are all methods used to defend against TOC/TOU attacks.
In the ring protection model shown here, what ring does not run in privileged mode?
a. Ring 0
b. Ring 1
c. Ring 2
d. Ring 3
D. The kernel lies within the central ring, Ring 0. Ring 1 contains other operating system components. Ring 2 is used for drivers and protocols. User-level programs and applications run at Ring 3. Rings 0-2 run in privileged mode, whereas Ring 3 runs in user mode.
What level of RAID is also known as disk striping?
a. RAID 0
b. RAID 1
c. RAID 5
d. RAID 10
A. RAID level 0 is also known as disk striping. RAID 1 is called disk mirroring. RAID 5 is called disk striping with parity. RAID 10 is known as a stripe of mirrors.
Jacob executes an attack against a system using a valid but low privilege user account by accessing a file pointer that the account has access to. After the access check, but before the file is opened, he quickly switches the file pointer to point to a file that the user account does not have access to. What type of attack is this?
a. TOC/TOU
b. Permissions creep
c. Impersonation
d. Link swap
A. This is an example of a time of check/time of use, or TOC/TOU attack. It exploits the difference between the times when a system checks for permission to perform an action and when the action is actually performed. Permissions creep would occur if the account had gained additional rights over time as the other’s role or job changed. Impersonation occurs when an attacker pretends to be a valid user, and link swap is not a type of attack.
What is the minimum number of disks required to implement RAID level 0?
a. 1
b. 2
c. 3
d. 5
B. RAID 0, or disk striping, requires at least two disks to implement. It improves performance of the storage system but does not provide fault tolerance.
Fred’s company wants to ensure the integrity of email messages sent via their central email servers. If the confidentiality of the messages is not critical, what solution should Fred suggest?
a. Digitally sign and encrypt all messages to ensure integrity.
b. Digitally sign but don’t encrypt all messages.
c. Use TLS to protect messages, ensuring their integrity.
d. Use a hashing algorithm to provide a hash in each message to prove that it hasn’t changed.
B. Fred’s company needs to protect integrity, which can be accomplished by digitally signing messages. Any change will cause the signature to be invalid. Encrypting isn’t necessary because the company does not want to protect confidentiality. TLS can provide in-transit protection but won’t protect integrity of the messages, and of course a hash used without a way to verify that the hash wasn’t changed won’t ensure integrity either.
The leadership at Susan’s company has asked her to implement an access control system that can support rule declarations like “Only allow access to salespeople from managed devices on the wireless network between 8 a.m. and 6 p.m.” What type of access control system would be Susan’s best choice?
a. ABAC
b. RBAC
c. DAC
d. MAC
A. An attribute-based access control (ABAC) system will allow Susan to specify details about subjects, objects, and access, allowing granular control. Although a rule-based access control system (RBAC) might allow this, the attribute-based access control system can be more specific and thus is more flexible. Discretionary access control (DAC) would allow object owners to make decisions, and mandatory access controls (MACs) would use classifications; neither of these capabilities was described in the requirements.
What type of communications rely on a timing mechanism using either an independent clock or a time stamp embedded in the communications?
a. Analog
b. Digital
c. Synchronous
d. Asynchronous
C. Synchronous communications use a timing or clock mechanism to control the data stream. This can permit very fast communication.
Chris is deploying a gigabit Ethernet network using Category 6 cable between two buildings. What is the maximum distance he can run the cable according to the Category 6 standard?
a. 50 meters
b. 100 meters
c. 200 meters
d. 300 meters
B. The maximum allowed length of a Cat 6 cable is 100 meters, or 328 feet. Long distances are typically handled by a fiber run or by using network devices like switches or repeaters.
Howard is a security analyst working with an experienced computer forensics investigator. The investigator asks him to retrieve a forensic drive controller, but Howard cannot locate a device in the storage room with this name. What is another name for a forensic drive controller?
a. RAID controller
b. Write blocker
c. SCSI terminator
d. Forensic device analyzer
B. One of the main functions of a forensic drive controller is preventing any command sent to a device from modifying data stored on the device. For this reason, forensic drive controllers are also often referred to as write blockers.
The web application that Saria’s development team is working on needs to provide secure session management that can prevent hijacking of sessions using the cookies that the application relies on. Which of the following techniques would be the best for her to recommend to prevent this?
a. Set the Secure attribute for the cookies, thus forcing TLS.
b. Set the Domain cookie attribute to example.com to limit cookie access to servers in the same domain.
c. Set the Expires cookie attribute to less than a week.
d. Set the HTTPOnly attribute to require only unencrypted sessions.
A. Setting the Secure cookie will only allow cookies to be sent via HTTPS TLS or SSL sessions, preventing man-in-the-middle attacks that target cookies. The rest of the settings are problematic: Cookies are vulnerable to DNS spoofing. Domain cookies should usually have the narrowest possible scope, which is actually accomplished by not setting the Domain cookie. This allows only the originating server to access the cookie. Cookies without the Expires or Max-age attributes are ephemeral and will only be kept for the session, making them less vulnerable than stored cookies. Normally, the HTTPOnly attribute is a good idea, but it prevents scripting rather than requiring unencrypted HTTP sessions.
Ben’s company has recently retired their fleet of multifunction printers. Their information security team has expressed concerns that the printers contain hard drives and that they may still have data from scans and print jobs. What is the technical term for this issue?
a. Data pooling
b. Failed clearing
c. Data permanence
d. Data remanence
D. Data remanence describes data that is still on media after an attempt has been made to remove it. Failed clearing and data pooling are not technical terms, and data permanence describes how long data lasts.
What access control scheme labels subjects and objects, and allows subjects to access objects when the labels match?
a. DAC
b. MAC
c. Rule BAC
d. Role BAC
B. Mandatory access control (MAC) applies labels to subjects and objects and allows subjects to access objects when their labels match. Discretionary access control (DAC) is controlled by the owner of objects, rule-based access control applies rules throughout a system, and role-based access control bases rights on roles, which are often handled as groups of users.
A cloud-based service that provides account provisioning, management, authentication, authorization, reporting, and monitoring capabilities is known as what type of service?
a. PaaS
b. IDaaS
c. IaaS
d. SaaS
B. Identity as a Service (IDaaS) provides capabilities such as account provisioning, management, authentication, authorization, reporting, and monitoring. PaaS is Platform as a Service, IaaS is Infrastructure as a Service, and SaaS is Software as a Service.
Sally wants to secure her organization’s VOIP systems. Which of the following attacks is one that she shouldn’t have to worry about?
a. Eavesdropping
b. Denial of service
c. Blackboxing
d. Caller ID spoofing
C. Eavesdropping, denial-of-service attacks, and caller ID spoofing are all common VoIP attacks. Blackboxing is a made-up answer, although various types of colored boxes were associated with phone phreaking.
Marty discovers that the access restrictions in his organization allow any user to log into the workstation assigned to any other user, even if they are from completely different departments. This type of access most directly violates which information security principle?
a. Separation of duties
b. Two-person control
c. Need to know
d. Least privilege
D. This broad access may indirectly violate all of the listed security principles, but it is most directly a violation of least privilege because it grants users privileges that they do not need for their job functions.
Fred needs to transfer files between two servers on an untrusted network. Since he knows the network isn’t trusted, he needs to select an encrypted protocol that can ensure his data remains secure. What protocol should he choose?
a. SSH
b. TCP
c. SFTP
d. IPSec
C. The Secure File Transfer Protocol (SFTP) is specifically designed for encrypted file transfer. SSH is used for secure command-line access, whereas TCP is one of the bundles of Internet protocols commonly used to transmit data across a network. IPSec could be used to create a tunnel to transfer the data but is not specifically designed for file transfer.
Chris uses a packet sniffer to capture traffic from a TACACS+ server. What protocol should he monitor, and what data should he expect to be readable?
a. UDP; none—TACACS+ encrypts the full session
b. TCP; none—TACACS+ encrypts the full session
c. UDP; all but the username and password, which are encrypted
d. TCP; all but the username and password, which are encrypted
B. TACACS+ uses TCP, and encrypts the entire session, unlike RADIUS, which only encrypts the password and operates via UDP.
Use your knowledge of Kerberos authentication and authorization as well as the following diagram to answer questions 208–210.
If the client has already authenticated to the KDC, what does the client workstation send to the KDC at point A when it wants to access a resource?
a. It re-sends the password.
b. . A TGR
c. Its TGT
d. A service ticket
C. The client sends its existing valid TGT to the KDC and requests access to the resource.
Use your knowledge of Kerberos authentication and authorization as well as the following diagram to answer questions 208–210.
What occurs between steps A and B?
a. The KDC verifies the validity of the TGT and whether the user has the right privileges for the requested resource.
b. The KDC updates its access control list based on the data in the TGT.
c. The KDC checks its service listing and prepares an updated TGT based on the service request.
d. The KDC generates a service ticket to issue to the client.
A. The KDC must verify that the TGT is valid and whether the user has the right privileges to access the service it is requesting access to. If it does, it generates a service ticket and sends it to the client (step B).
Use your knowledge of Kerberos authentication and authorization as well as the following diagram to answer questions 208–210.
What system or systems does the service that is being accessed use to validate the ticket?
a. The KDC
b. The client workstation and the KDC
c. The client workstation supplies it in the form of a client-to-server ticket and an authenticator.
d. The KVS
C. The server or service that is being accessed receives all of the data it needs in the service ticket. To do so, the client uses a client-to-server ticket received from the Ticket Granting Service.
What does a service ticket (ST) provide in Kerberos authentication?
a. It serves as the authentication host.
b. It provides proof that the subject is authorized to access an object.
c. It provides proof that a subject has authenticated through a KDC and can request tickets to access other objects.
d. It provides ticket granting services.
B. The service ticket in Kerberos authentication provides proof that a subject is authorized to access an object. Ticket granting services are provided by the TGS. Proof that a subject has authenticated and can request tickets to other objects, uses ticket granting tickets, and authentication host is a made-up term.
A password that requires users to answer a series of questions like “What is your mother’s maiden name?” or “What is your favorite color?” is known as what type of password?
a. A passphrase
b. Multifactor passwords
c. Cognitive passwords
d. Password reset questions
C. A series of questions that the user has previously provided the answer to or which the user knows the answers to like the questions listed is known as a cognitive password. A passphrase consists of a phrase or series of words, whereas multifactor authentication consists of two or more authenticators, like a password and a biometric factor or a one-time token-based code.
CDMA, GSM, and IDEN are all examples of what generation of cellular technology?
a. 1G
b. 2G
c. 3G
d. 4G
B. CDMA, GSM, and IDEN are all 2G technologies. EDGE, DECT, and UTMS are all examples of 3G technologies, whereas 4G technologies include WiMax, LTE, and IEE 802.20 mobile broadband.
Which one of the following fire suppression systems poses the greatest risk of accidental discharge that damages equipment in a data center?
a. Closed head
b. Dry pipe
c. Deluge
d. Preaction
A. Dry pipe, deluge, and preaction systems all use pipes that remain empty until the system detects signs of a fire. Closed-head systems use pipes filled with water that may damage equipment if there is damage to a pipe.
Lauren’s healthcare provider maintains such data as details about her health, treatments, and medical billing. What type of data is this?
a. Protected Health Information
b. Personally Identifiable Information
c. Protected Health Insurance
d. Individual Protected Data
A. Protected Health Information (PHI) is defined by HIPAA to include health information used by healthcare providers, like medical treatment, history, and billing. Personally Identifiable Information is information that can be used to identify an individual, which may be included in the PHI but isn’t specifically this type of data. Protected Health Insurance and Individual Protected Data are both made-up terms.
What type of code review is best suited to identifying business logic flaws?
a. Mutational fuzzing
b. Manual
c. Generational fuzzing
d. Interface testing
B. Manual testing uses human understanding of business logic to assess program flow and responses. Mutation or generational fuzzing will help determine how the program responds to expected inputs but does not test the business logic. Interface testing ensures that data exchange between modules works properly but does not focus on the logic of the program or application.
Something you know is an example of what type of authentication factor?
a. Type 1
b. Type 2
c. Type 3
d. Type 4
A. A Type 1 authentication factor is something you know. A Type 2 is something you have, like a smart card or hardware token. A Type 3 authentication factor is something you are, like a biometric identifier. There is no such thing as a Type 4 authentication factor.
Saria is the system owner for a healthcare organization. What responsibilities does she have related to the data that resides on or is processed by the systems she owns?
a. She has to classify the data.
b. She has to make sure that appropriate security controls are in place to protect the data.
c. She has to grant appropriate access to personnel.
d. She bears sole responsibility for ensuring that data is protected at rest, in transit, and in use.
B. System owners have to ensure that the systems they are responsible for are properly labeled based on the highest level of data that their system processes, and they have to ensure that appropriate security controls are in place on those systems. System owners also share responsibility for data protection with data owners. Administrators grant appropriate access, whereas data owners own the classification process.
During software testing, Jack diagrams how a hacker might approach the application he is reviewing and determines what requirements the hacker might have. He then tests how the system would respond to the attacker’s likely behavior. What type of testing is Jack conducting?
a. Misuse case testing
b. Use case testing
c. Hacker use case testing
d. Static code analysis
A. Jack is performing misuse case analysis, a process that tests code based on how it would perform if it was misused instead of used properly. Use case testing tests valid use cases, whereas static code analysis involves reviewing the code itself for flaws rather than testing the live software. Hacker use case testing isn’t an industry term for a type of testing.
When a vendor develops a product that they wish to submit for Common Criteria evaluation, what do they complete to describe the claims of security for their product?
a. PP
b. ITSEC
c. TCSEC
d. ST
D. Vendors complete security targets (STs) to describe the controls that exist within their product. During the review process, reviewers compare those STs to the entity’s Protection Profile (PP) to determine whether the product meets the required security controls.
Chris has been assigned to scan a system on all of its possible TCP and UDP ports. How many ports of each type must he scan to complete his assignment?
a. 65,536 TCP ports and 32,768 UDP ports
b. 1024 common TCP ports and 32,768 ephemeral UDP ports
c. 65,536 TCP and 65,536 UDP ports
d. 16,384 TCP ports, and 16,384 UDP ports
C. Both TCP and UDP port numbers are a 16-digit binary number, which means there can be 216 ports, or 65,536 ports, numbered from 0 to 65,535.
CVE and the NVD both provide information about what?
a. Vulnerabilities
b. Markup languages
c. Vulnerability assessment tools
d. Penetration testing methodologies
A. MITRE’s Common Vulnerabilities and Exploits (CVE) dictionary and NIST’s National Vulnerability Database (NVD) both provide information about vulnerabilities.
What is the highest level of the military classification scheme?
a. Secret
b. Confidential
c. SBU
d. Top Secret
D. The military classification scheme contains three major levels. They are, in descending order of sensitivity: Top Secret, Secret, and Confidential. Unclassified is a default, and not a classification, whereas Sensitive But Unclassified (SBU) has been replaced with Controlled Unclassified Information (CUI).
In what type of trusted recovery process does the system recover against one or more failure types without administrator intervention while protecting itself against data loss?
a. Automated recovery
b. Manual recovery
c. Function recovery
d. Automated recovery without undue data loss
D. In an automated recovery, the system can recover itself against one or more failure types. In an automated recovery without undue loss, the system can recover itself against one or more failure types and also preserve data against loss. In function recovery, the system can restore functional processes automatically. In a manual recovery approach, the system does not fail into a secure state but requires an administrator to manually restore operations.
What three important items should be considered if you are attempting to control the strength of signal for a wireless network as well as where it is accessible?
a. Antenna placement, antenna type, and antenna power levels
b. Antenna design, power levels, use of a captive portal
c. Antenna placement, antenna design, use of a captive portal
d. Power levels, antenna placement, FCC minimum strength requirements
A. Antenna placement, antenna design, and power level control are the three important factors in determining where a signal can be accessed and how usable it is. A captive portal can be used to control user logins, and antenna design is part of antenna types. The FCC does provide maximum broadcast power guidelines but does not require a minimum power level.
What is the best way to ensure that data is unrecoverable from a SSD?
a. Use the built-in erase commands
b. Use a random pattern wipe of 1s and 0s
c. Physically destroy the drive
d. Degauss the drive
C. Physically destroying the drive is the best way to ensure that there is no remnant data on the drive. SSDs are flash media, which means that you can’t degauss them, whereas both random pattern writes and the built-in erase commands have been shown to be problematic due to the wear leveling built into SSDs as well as differences in how they handle erase commands.
Alice sends a message to Bob and wants to ensure that Mal, a third party, does not read the contents of the message while in transit. What goal of cryptography is Alice attempting to achieve?
a. Confidentiality
b. Integrity
c. Authentication
d. Nonrepudiation
A. Confidentiality ensures that data cannot be read by unauthorized individuals while stored or in transit.
Which one of the following metrics specifies the amount of time that business continuity planners believe it will take to restore a service when it goes down?
a. MTD
b. RTO
c. RPO
d. MTO
B. The recovery time objective (RTO) is the amount of time that a business believes it will take to restore a function in the event of a disruption.
Gary would like to examine the text of a criminal law on computer fraud to determine whether it applies to a recent act of hacking against his company. Where should he go to read the text of the law?
a. Code of Federal Regulations
b. Supreme Court rulings
c. Compendium of Laws
d. United States Code
D. The United States Code (USC) contains the text of all federal criminal and civil laws passed by the legislative branch and signed by the President (or where the President’s veto was overruled by Congress).
James has opted to implement an NAC solution that uses a post-admission philosophy for its control of network connectivity. What type of issues can’t a strictly post-admission policy handle?
a. Out-of-band monitoring
b. Preventing an unpatched laptop from being exploited immediately after connecting to the network
c. Denying access when user behavior doesn’t match an authorization matrix
d. Allowing user access when user behavior is allowed based on an authorization matrix
B. A post-admission philosophy allows or denies access based on user activity after connection. Since this doesn’t check the status of a machine before it connects, it can’t prevent the exploit of the system immediately after connection. This doesn’t preclude out-of-band or in-band monitoring, but it does mean that a strictly post-admission policy won’t handle system checks before the systems are admitted to the network.
Ben has built an access control list that lists the objects that his users are allowed to access. When users attempt to access an object that they don’t have rights to, they are denied access, even though there isn’t a specific rule that allows it. What access control principle is key to this behavior?
a. Least privilege
b. Implicit deny
c. Explicit deny
d. Final rule fall-through
B. The principle of implicit denial states that any action that is not explicitly allowed is denied. This is an important concept for firewall rules and other access control systems. Implementing least privilege ensures that subjects have only the rights they need to accomplish their job. While explicit deny and final rule fall-through may sound like important access control concepts, neither is.
Mary is a security risk analyst for an insurance company. She is currently examining a scenario where a hacker might use a SQL injection attack to deface a web server due to a missing patch in the company’s web application. In this scenario, what is the risk?
a. Unpatched web application
b. Web defacement
c. Hacker
d. Operating system
B. Risks are the combination of a threat and a vulnerability. Threats are the external forces seeking to undermine security, such as the hacker in this case. Vulnerabilities are the internal weaknesses that might allow a threat to succeed. In this case, web defacement is the risk. In this scenario, if the hacker attempts a SQL injection attack (threat) against the unpatched server (vulnerability), the result is website defacement (risk).
In the diagram shown here of security boundaries within a computer system, what component’s name has been replaced with XXX?
a. Kernel
b. Privileged core
c. User monitor
d. Security perimeter
A. The kernel of an operating system is the collection of components that work together to implement a secure, reliable operating system. The kernel contains both the Trusted Computing Base (TCB) and the reference monitor.
Val is attempting to review security logs but is overwhelmed by the sheer volume of records maintained in her organization’s central log repository. What technique can she use to select a representative set of records for further review?
a. Statistical sampling
b. Clipping
c. Choose the first 5% of records from each day.
d. Choose 5% of records from the middle of the day.
A. Val can use statistical sampling techniques to choose a set of records for review that are representative of the entire day’s data. Clipping chooses only records that exceed a set threshold so it is not a representative sample. Choosing records based on the time they are recorded may not produce a representative sample because it may capture events that occur at the same time each day and miss many events that simply don’t occur during the chosen time period.
In Jen’s job as the network administrator for an industrial production facility, she is tasked with ensuring that the network is not susceptible to electromagnetic interference due to the large motors and other devices running on the production floor. What type of network cabling should she choose if this concern is more important than cost and difficulty of installation?
a. 10Base2
b. 100BaseT
c. 1000BaseT
d. Fiber-optic
D. Fiber-optic cable is more expensive and can be much harder to install than stranded copper cable or coaxial cable, but it isn’t susceptible to electromagnetic interference (EMI). That makes it a great solution for Jen’s problem, especially if she is deploying EMI-hardened systems to go with her EMI-resistant network cables.
Questions 236–239 refer to the following scenario.
Jasper Diamonds is a jewelry manufacturer that markets and sells custom jewelry through their website. Bethany is the manager of Jasper’s software development organization, and she is working to bring the company into line with industry standard practices. She is developing a new change management process for the organization and wishes to follow commonly accepted approaches.
Bethany would like to put in place controls that provide an organized framework for company employees to suggest new website features that her team will develop. What change management process facilitates this?
a. Configuration control
b. Change control
c. Release control
d. Request control
D. The request control process provides an organized framework within which users can request modifications, managers can conduct cost/benefit analyses, and developers can prioritize tasks.
Questions 236–239 refer to the following scenario.
Jasper Diamonds is a jewelry manufacturer that markets and sells custom jewelry through their website. Bethany is the manager of Jasper’s software development organization, and she is working to bring the company into line with industry standard practices. She is developing a new change management process for the organization and wishes to follow commonly accepted approaches.
Bethany would also like to create a process that helps multiple developers work on code at the same time. What change management process facilitates this?
a. Configuration control
b. Change control
c. Release control
d. Request control
B. Change control provides an organized framework within which multiple developers can create and test solutions prior to rolling them out into a production environment.
Questions 236–239 refer to the following scenario.
Jasper Diamonds is a jewelry manufacturer that markets and sells custom jewelry through their website. Bethany is the manager of Jasper’s software development organization, and she is working to bring the company into line with industry standard practices. She is developing a new change management process for the organization and wishes to follow commonly accepted approaches.
Bethany is working with her colleagues to conduct user acceptance testing. What change management process includes this task?
a. Configuration control
b. Change control
c. Release control
d. Request control
C. Release control ensures that any code inserted as a programming aid during the change process is removed before releasing the new software to production. It also includes acceptance testing to ensure that any alterations to end-user work tasks are understood and functional.
Questions 236–239 refer to the following scenario.
Jasper Diamonds is a jewelry manufacturer that markets and sells custom jewelry through their website. Bethany is the manager of Jasper’s software development organization, and she is working to bring the company into line with industry standard practices. She is developing a new change management process for the organization and wishes to follow commonly accepted approaches.
Bethany noticed that some problems arise when system administrators update libraries without informing developers. What change management process can assist with this problem?
a. Configuration control
b. Change control
c. Release control
d. Request control
A. Configuration control ensures that changes to software versions are made in accordance with the change control and configuration management process. Updates can be made only from authorized distributions in accordance with those policies.
Ben has written the password hashing system for the web application he is building. His hashing code function for passwords results in the following process for a series of passwords:
hash (password1 + 07C98BFE4CF67B0BFE2643B5B22E2D7D) = 10B222970537B97919DB36EC757370D2 hash (password2 + 07C98BFE4CF67B0BFE2643B5B22E2D7D) = F1F16683F3E0208131B46D37A79C8921
What flaw has Ben introduced with his hashing implementation?
a. Plaintext salting
b. Salt reuse
c. Use of a short salt
d. Poor salt algorithm selection
B. Ben is reusing his salt. When the same salt is used for each hash, all users with the same password will have the same hash, and the attack can either attempt to steal the salt or may attempt to guess the salt by targeting the most frequent hash occurrences based on commonly used passwords. Short salts are an issue, but the salts used here are 32 bytes (256 bits) long. There is no salting algorithm used or mentioned here; salt is an added value for a hash, and plaintext salting is a made-up term.
Which one of the following is an example of risk transference?
a. Building a guard shack
b. Purchasing insurance
c. Erecting fences
d. Relocating facilities
B. Risk transference involves actions that shift risk from one party to another. Purchasing insurance is an example of risk transference because it moves risk from the insured to the insurance company.
What protocol takes the place of certificate revocation lists and adds real-time status verification?
a. RTCP
b. RTVP
c. OCSP
d. CSRTP
C. The Online Certificate Status Protocol (OCSP) eliminates the latency inherent in the use of certificate revocation lists by providing a means for real-time certificate verification.
Jim performs both lexical analysis on a program and produces control flow graphs. What type of software testing is he performing?
a. Dynamic
b. Fuzzing
c. Manual
d. Static
D. Static code analysis uses techniques like control flow graphs, lexical analysis, and data flow analysis to assess code without running it. Dynamic code analysis runs code on a real or virtual processor and uses actual inputs for testing. Fuzzing provides unexpected or invalid input to test how programs handle input outside of the norm. Manual analysis is performed by reading code line by line to identify bugs or other issues.
What process makes TCP a connection-oriented protocol?
a. It works via network connections.
b. It uses a handshake.
c. It monitors for dropped connections.
d. It uses a complex header.
B. TCP’s use of a handshake process to establish communications makes it a connection-oriented protocol. TCP does not monitor for dropped connections. nor does the fact that it works via network connections make it connection-oriented.
What LDAP operation includes authentication to the LDAP server?
a. Bind
b. Auth
c. StartLDAP
d. AuthDN
A. The LDAP bind operation authenticates and specifies the LDAP protocol version. Auth, StartLDAP, and AuthDN operations do not exist in the LDAP protocol.
You are conducting a qualitative risk assessment for your organization. The two important risk elements that should weigh most heavily in your analysis of risk are probability and ________________.
a. Likelihood
b. History
c. Impact
d. Cost
C. The two most important elements of a qualitative risk assessment are determining the probability and impact of each risk upon the organization. Likelihood is another word for probability. Cost should be taken into account but is only one element of impact, which also includes reputational damage, operational disruption, and other ill effects.
Using the OSI model, what format does the Data link Layer use to format messages received from higher up the stack?
a. A datastream
b. A frame
c. A segment
d. A datagram
B. When a message reaches the Data Link layer, it is called a frame. Data streams exist at the application, presentation, and session layers, whereas segments and datagrams exist at the transport layer (for TCP and UDP, respectively).
What is the maximum penalty that may be imposed by an (ISC)2 peer review board when considering a potential ethics violation?
a. Revocation of certification
b. Termination of employment
c. Financial penalty
d. Suspension of certification
A. If the (ISC)2 peer review board finds that a certified individual has violated the (ISC)2 code of ethics, the board may revoke their certification. The board is not able to terminate an individual’s employment or assess financial penalties.
Which one of the following statements about the SDLC is correct?
a. The SDLC requires the use of an iterative approach to software development.
b. The SDLC requires the use of a sequential approach to software development.
c. The SDLC does not include training for end users and support staff.
d. The waterfall methodology is compatible with the SDLC.
D. SDLC approaches include steps to provide operational training for support staff as well as end-user training. The SDLC may use one of many development models, including the waterfall and spiral models. The SDLC does not mandate the use of an iterative or sequential approach; it allows for either approach.
In the scenario shown here, Harry is prevented from reading a file at a higher classification level than his security clearance. What security model prevents this behavior?
a. Bell-LaPadula
b. Biba
c. Clark-Wilson
d. Brewer-Nash
A. The Bell-LaPadula model includes the Simple Security Property, which prevents an individual from reading information that is classified at a level higher than the individual’s security clearance.
