Practice Test 2 Flashcards

Question

In the shared responsibility model, under which tier of cloud computing does the customer take responsibility for securing server operating systems? a. IaaS b. PaaS c. SaaS d. TaaS

Answer 1

A. In an Infrastructure as a Service (IaaS) cloud computing model, the customer retains responsibility for managing operating system security while the vendor manages security at the hypervisor level and below.

Answer 2

A. Type 1 errors occur when a valid subject is not authenticated. Type 2 errors occur when an invalid subject is incorrectly authenticated. Type 3 and Type 4 errors are not associated with biometric authentication.

Answer 3

B. The Company ID is a field used to identify the corresponding record in another table. This makes it a foreign key. Each customer may place more than one order, making Company ID unsuitable for use as a primary or candidate key in this table. Referential keys are not a type of database key.

Answer 4

B. Application programming interfaces (APIs), user interfaces (UIs), and physical interfaces are all tested during the software testing process. Network interfaces are not typically tested, and programmatic interfaces is another term for APIs.

Answer 5

D. The hearsay rule says that a witness cannot testify about what someone else told them, except under very specific exceptions. The courts have applied the hearsay rule to include the concept that attorneys may not introduce logs into evidence unless they are authenticated by the system administrator. The best evidence rule states that copies of documents may not be submitted into evidence if the originals are available. The parol evidence rule states that if two parties enter into a written agreement, that written document is assumed to contain all of the terms of the agreement. Testimonial evidence is a type of evidence, not a rule of evidence.

Answer 6

B. While key risk indicators can provide useful information for organizational planning and a deeper understanding of how organizations view risk, KRIs are not a great way to handle a real-time security response. Monitoring and detection systems like IPS, SIEM, and other tools are better suited to handling actual attacks.

Answer 7

B. Worms have built-in propagation mechanisms that do not require user interaction, such as scanning for systems containing known vulnerabilities and then exploiting those vulnerabilities to gain access. Viruses and Trojan horses typically require user interaction to spread. Logic bombs do not spread from system to system but lie in wait until certain conditions are met, triggering the delivery of their payload.

Answer 8

A. In this scenario, the vendor is providing object-based storage, a core infrastructure service. Therefore, this is an example of Infrastructure as a Service (IaaS).

Answer 9

C. In the community cloud computing model, two or more organizations pool their resources to create a cloud environment that they then share.

Answer 10

A. The Agile approach to software development states that working software is the primary measure of progress, that simplicity is essential, and that business people and developers must work together daily. It also states that the most efficient method of conveying information is face-to-face, not electronic.

Answer 11

C. Encryption, access controls, and firewalls would not be effective in this example because the accountants have legitimate access to the data. Integrity verification software would protect against this attack by identifying unexpected changes in protected data.

Answer 12

C. Class C fire extinguishers use carbon dioxide or halon suppressants and are useful against electrical fires. Water-based extinguishers should never be used against electrical fires due to the risk of electrocution.

Answer 13

A. Frame Relay supports multiple private virtual circuits (PVCs), unlike X.25. It is a packet switching technology that provides a Committed Information Rate, which is a minimum bandwidth guarantee provided by the service provider to customers. Finally, Frame Relay requires a DTE/DCE at each connection point, with the DTE providing access to the Frame Relay network, and a provider supplied DCE which transmits the data over the network.

Answer 14

B. SOC 2 reports are released under NDA to select partners or customers, and can provide detail on the controls and any issues they may have. A SOC 1 report would only provide financial control information, and a SOC 3 report provides less information since it is publicly available.

Answer 15

C. A SOC 2, Type 2 report includes information about a data center’s security, availability, processing integrity, confidentiality, and privacy, and includes an auditor’s opinion on the operational effectiveness of the controls. SOC 3 does not have types, and an SOC 2 Type 1 only requires the organization’s own attestation.

Answer 16

B. SAS 70 was superseded in 2010 by the SSAE 16 standard with three SOC levels for reporting. SAS 70 included Type 2 reports, covered data centers, and used 6-month testing periods for Type 2 reports.

Answer 17

C. Both a logical bus and a logical ring can be implemented as a physical star. Ethernet is commonly deployed as a physical star but placing a switch as the center of a star, but Ethernet still operates as a bus. Similarly, Token Ring deployments using multistation access unit (MAU) were deployed as physical stars, but operated as rings.

Answer 18

C. Bell-LaPadula uses security labels on objects and clearances for subjects, and is therefore a MAC model. It does not use discretionary, rule-based, role-based, or attribute-based access control.

Answer 19

D. The Family Educational Rights and Privacy Act (FERPA) protects the privacy of students in any educational institution that accepts any form of federal funding.

Answer 20

D. The Health Insurance Portability and Accountability Act (HIPAA) mandates the protection of Protected Health Information (PHI). The SAFE Act deals with mortgages, the Graham Leach Bliley Act (GLBA) covers financial institutions, and FERPA deals with student data.

Answer 21

C. Windows system logs include reboots, shutdowns, and service state changes. Application logs record events generated by programs, security logs track events like logins and uses of rights, and setup logs track application setup.

Answer 22

D. Implementations of syslog vary, but most provide a setting for severity level, allowing configuration of a value that determines what messages are sent. Typical severity levels include debug, informational, notice, warning, error, critical, alert, and emergency. The facility code is also supported by syslog, but is associated with which services are being logged. Security level and log priority are not typical syslog settings.

Answer 23

B. In RAID 1, also known as disk mirroring, systems contain two physical disks. Each disk contains copies of the same data, and either one may be used in the event the other disk fails.

Answer 24

B. An application-level gateway firewall uses proxies for each service it filters. Each proxy is designed to analyze traffic for its specific traffic type, allowing it to better understand valid traffic and to prevent attacks. Static packet filters and circuit-level gateways simply look at the source, destination, and ports in use, whereas a stateful packet inspection firewall can track the status of communication and allow or deny traffic based on that understanding.

Answer 25

C. Interviews, surveys, and audits are all useful for assessing awareness. Code quality is best judged by code review, service vulnerabilities are tested using vulnerability scanners and related tools, and the attack surface of an organization requires both technical and administrative review.

Answer 26

B. The Digital Millennium Copyright Act extends common carrier protection to Internet service providers who are not liable for the “transitory activities” of their customers.

Answer 27

C. Tokens are hardware devices (something you have) that generate a one-time password based on time or an algorithm. They are typically combined with another factor like a password to authenticate users. CAC and PIV cards are US government–issued smart cards.

Answer 28

B. A non-disclosure agreement (NDA) is a legal agreement between two parties that specifies what data they will not disclose. NDAs are common in industries that have sensitive or trade secret information they do not want employees to take to new jobs. Encryption would only help in transit or at rest, and Fred will likely have access to the data in unencrypted form as part of his job. An AUP is an acceptable use policy, and a stop-loss order is used on the stock market.

Answer 29

A. Multitasking handles multiple processes on a single processor by switching between them using the operating system. Multiprocessing uses multiple processors to perform multiple processes simultaneously. Multiprogramming requires modifications to the underlying applications. Multithreading runs multiple threads within a single process.

Answer 30

C. Binary keyspaces contain a number of keys equal to 2 raised to the power of the number of bits. Two to the eighth power is 256, so an 8-bit keyspace contains 256 possible keys.

Answer 31

C. Scoping is the process of reviewing and selecting security controls based on the system that they will be applied to. Tailoring is the process of matching a list of security controls to the mission of an organization. Baselines are used as a base set of security controls, often from a third-party organization that creates them. Standardization isn’t a relevant term here.

Answer 32

D. During the preservation phase, the organization ensures that information related to the matter at hand is protected against intentional or unintentional alteration or deletion. The identification phase locates relevant information but does not preserve it. The collection phase occurs after preservation and gathers responsive information. The processing phase performs a rough cut of the collected information for relevance.

Answer 33

D. Systems and media should be labeled with the highest level of sensitivity that they store or handle. In this case, based on the US government classification scheme, the highest classification level in use on the system is Secret. Mixed classification provides no useful information about the level, whereas Top Secret and Confidential are too high and too low, respectively.

Answer 34

C. She has placed compensation controls in place. Compensation controls are used when controls like the locks in this example are not sufficient. While the alarm is a physical control, the signs she posted are not. Similarly, the alarms are not administrative controls. None of these controls help to recover from an issue and are thus not recovery controls.

Answer 35

A. Rainbow tables rely on being able to use databases of precomputed hashes to quickly search for matches to known hashes acquired by an attacker. Making passwords longer can greatly increase the size of the rainbow table required to find the matching hash, and adding a salt to the password will make it nearly impossible for the attacker to generate a table that will match unless they can acquire the salt value. MD5 and SHA1 are both poor choices for password hashing compared to modern password hashes, which are designed to make hashing easy and recovery difficult. Rainbow tables are often used against lists of hashes acquired by attacks rather than over-the-wire attacks, so over-the-wire encryption is not particularly useful here. Shadow passwords simply make the traditionally world-readable list of password hashes on Unix and Linux systems available in a location readable only by root. This doesn’t prevent a rainbow table attack once the hashes are obtained.

Answer 36

C. External auditors can provide an unbiased and impartial view of an organization’s controls to third parties. Internal auditors are useful when reporting to senior management of the organization but are typically not asked to report to third parties. Penetration tests test technical controls but are not as well suited to testing many administrative controls. The employees who build and maintain controls are more likely to bring a bias to the testing of those controls and should not be asked to report on them to third parties.

Answer 37

A. Using encryption reduces risk by lowering the likelihood that an eavesdropper will be able to gain access to sensitive information.

Answer 38

B. Provisioning includes the creation, maintenance, and removal of user objects from applications, systems, and directories. Registration occurs when users are enrolled in a biometric system; population and authenticator loading are not common industry terms.

Answer 39

A. In the subject/object model of access control, the user or process making the request for a resource is the subject of that request. In this example, Ricky is requesting access to the VPN (the object of the request) and is, therefore, the subject.

Answer 40

C. The formula for determining the number of encryption keys required by a symmetric algorithm is ((n\*(n-1))/2). With six users, you will need ((6\*5)/2), or 15 keys.

Answer 41

B. Patents have the shortest duration of the techniques listed: 20 years. Copyrights last for 70 years beyond the death of the author. Trademarks are renewable indefinitely and trade secrets are protected as long as they remain secret.

Answer 42

C. In a risk acceptance strategy, the organization chooses to take no action other than documenting the risk. Purchasing insurance would be an example of risk transference. Relocating the data center would be risk avoidance. Reengineering the facility is an example of a risk mitigation strategy.

Answer 43

C. Uninterruptible power supplies (UPSs) provide immediate, battery-driven power for a short period of time to cover momentary losses of power. Generators are capable of providing backup power for a sustained period of time in the event of a power loss, but they take time to activate. RAID and redundant servers are high-availability controls but do not cover power loss scenarios.

Answer 44

C. Password histories retain a list of previous passwords (or, preferably, a list of salted hashed for previous passwords) to ensure that users don’t reuse their previous passwords. Longer minimum age can help prevent users from changing their passwords, then changing them back, but won’t prevent a determined user from eventually getting their old password back. Length requirements and complexity requirements tend to drive users to reuse passwords if they’re not paired with tools like single-sign on, password storage systems, or other tools that decrease the difficulty of password management.

Answer 45

B. The Single Loss Expectancy (SLE) is the amount of damage that a risk is expected to cause each time that it occurs.

Answer 46

B. Sanitization includes steps like removing the hard drive and other local storage from PCs before they are sold as surplus. Degaussing uses magnetic fields to wipe media; purging is an intense form of clearing used to ensure that data is removed and unrecoverable from media; and removing does not necessarily imply destruction of the drive.

Answer 47

D. During the Reporting phase, incident responders assess their obligations under laws and regulations to report the incident to government agencies and other regulators.

Answer 48

B. Service Provisioning Markup Language (SPML) is an OASIS developed markup language designed to provide service, user, and resource provisioning between organizations. Security Assertion Markup Language (SAML) is used to exchange user authentication and authorization data. Extensible Access Control Markup Language (XACML) is used to describe access controls. Service-oriented architecture (SOA) is not a markup language.

Answer 49

D. RAM is a type of primary storage. Secondary storage includes hard drives, solid state disks, and optical drives.

Answer 50

D. SMTP servers that don’t authenticate users before relaying their messages are known as open relays. Open relays that are Internet exposed are typically quickly exploited to send email for spammers.

Answer 51

D. Sending logs to a secure log server, sometimes called a bastion host, is the most effective way to ensure that logs survive a breach. Encrypting local logs won’t stop an attacker from deleting them, and requiring administrative access won’t stop attackers who have breached a machine and acquired escalated privileges. Log rotation archives logs based on time or file size, and can also purge logs after a threshold is hit. Rotation won’t prevent an attacker from purging logs.

Answer 52

C. A Security Information and Event Management tool (SIEM) is designed to provide automated analysis and monitoring of logs and security events. A SIEM that receives access to logs can help detect and alert on events like logs being purged or other breach indicators. An IDS can help detect intrusions, but IDSs are not typically designed to handle central logs. A central logging server can receive and store logs, but won’t help with analysis without taking additional actions. Syslog is simply a log format.

Answer 53

B. Requiring authentication can help provide accountability by ensuring that any action taken can be tracked back to a specific user. Storing logs centrally ensures that users can’t erase the evidence of actions that they have taken. Log review can be useful when identifying issues, but digital signatures are not a typical part of a logging environment. Logging the use of administrative credentials helps for those users but won’t cover all users, and encrypting the logs doesn’t help with accountability. Authorization helps, but being able to specifically identify users through authentication is more important.

Answer 54

B. Port Address Translation (PAT) is used to allow a network to use any IP address set inside without causing a conflict with the public Internet. PAT is often confused with Network Address Translation (NAT), which maps one internal address to one external address. IPSec is a security protocol suite, Software Defined Networking (SDN) is a method of defining networks programmatically, and IPX is a non-IP network protocol.

Answer 55

C. Each of the precautions listed helps to prevent social engineering by helping prevent exploitation of trust. Avoiding voice-only communications is particularly important, since establishing identity over the phone is difficult. The other listed attacks would not be prevented by these techniques.

Answer 56

C. L2TP is the only one of the four common VPN protocols that can natively support non-IP protocols. PPTP, L2F, and IPSec are all IP-only protocols.

Answer 57

D. Remnant data is data that is left after attempts have been made to remove or erase it. Bitrot is a term used to describe aging media that decays over time. MBR is the master boot record, a boot sector found on hard drives and other media. Leftover data is not an industry term.

Answer 58

C. During a parallel test, the team activates the disaster recovery site for testing but the primary site remains operational. A simulation test involves a roleplay of a prepared scenario overseen by a moderator. Responses are assessed to help improve the organization’s response process. The checklist review is the least disruptive type of disaster recovery test. During a checklist review, team members each review the contents of their disaster recovery checklists on their own and suggest any necessary changes. During a tabletop exercise, team members come together and walk through a scenario without making any changes to information systems.

Answer 59

C. Discretionary access control gives owners the right to decide who has access to the objects they own. Role-based access control uses administrators to make that decision for roles or groups of people with a role, task-based access control uses lists of tasks for each user, and rule-based access control applies a set of rules to all subjects.

Answer 60

C. Trusted paths that secure network traffic from capture and link encryption are both ways to help prevent man-in-the-middle attacks. Brute-force and dictionary attacks can both be prevented using back-off algorithms that slow down repeated attacks. Log analysis tools can also create dynamic firewall rules, or an IPS can block attacks like these in real time. Spoofed login screens can be difficult to prevent, although user awareness training can help.

Answer 61

D. The four canons of the (ISC)2 code of ethics are to protect society, the common good, necessary public trust and confidence, and the infrastructure; act honorably, honestly, justly, responsibly, and legally; provide diligent and competent service to principals; and advance and protect the profession.

Answer 62

A. The emergency response guidelines should include the immediate steps an organization should follow in response to an emergency situation. These include immediate response procedures, a list of individuals who should be notified of the emergency, and secondary response procedures for first responders. They do not include long-term actions such as activating business continuity protocols, ordering equipment, or activating DR sites.

Answer 63

C. Security Assertion Markup Language (SAML) is the best choice for providing authentication and authorization information, particularly for browser-based SSO. HTML is primarily used for web pages, SPML is used to exchange user information for SSO, and XACML is used for access control policy markup.

Answer 64

D. Individuals with specific business continuity roles should receive training on at least an annual basis.

Answer 65

B. Triple DES functions by using either two or three encryption keys. When used with only one key, 3DES produces weakly encrypted ciphertext that is the insecure equivalent of DES.

Answer 66

B. RFC 1918 addresses are in the range 10.0.0.0–10.255.255.255, 172.16.0.0–172.31.255.255, and 192.168.0.0–192.168.255.255. APIPA addresses are assigned between 169.254.0.01 and 169.254.255.254, and 127.0.0.1 is a loopback address (although technically the entire 127.x.x.x network is reserved for loopback). Public IP addresses are the rest of the addresses in the space.

Answer 67

C. Since Lauren wants to monitor her production server she should use passive monitoring by employing a network tap, span port, or other means of copying actual traffic to a monitoring system that can identify performance and other problems. This will avoid introducing potentially problematic traffic on purpose while capturing actual traffic problems. Active monitoring relies on synthetic or previously recorded traffic, and both replay and real time are not common industry terms used to describe types of monitoring.

Answer 68

B. For web applications, input validation should always be performed on the web application server. By the time the input reaches the database, it is already part of a SQL command that is properly formatted and input validation would be far more difficult, if it is even possible. Input validation controls should never reside in the client’s browser, as is the case with JavaScript, because the user may remove or tamper with the validation code.

Answer 69

A. RSA is an asymmetric encryption algorithm that requires only two keys for each user. IDEA, 3DES, and Skipjack are all symmetric encryption algorithms and would require a key for every unique pair of users in the system.

Answer 70

D. The image clearly shows a black magnetic stripe running across the card, making this an example of a magnetic stripe card.

Answer 71

D. The log entries contained in this example show the allow/deny status for inbound and outbound TCP and UDP sessions. This is, therefore, an example of a firewall log.

Answer 72

D. Zero-day vulnerabilities remain in the dangerous zero-day category until the release of a patch that corrects the vulnerability. At that time, it becomes the responsibility of IT professionals to protect their systems by applying the patch. Implementation of other security controls, such as encryption or firewalls, does not change the nature of the zero-day vulnerability.

Answer 73

A. All of the techniques listed are hardening methods, but only patching the leaky roof is an example of physical infrastructure hardening.

Answer 74

C. Using a virtual machine to monitor a virtual span port allows the same type of visibility that it would in a physical network if implemented properly. Installing Wireshark would allow monitoring on each system but doesn’t scale well. A physical appliance would require all traffic to be sent out of the VM environment, losing many of the benefits of the design. Finally, netcat is a network tool used to send or receive data, but it isn’t a tool that allows packet capture of traffic between systems.

Answer 75

C. The sender of a message encrypts the message using the public key of the message recipient.

Answer 76

D. The recipient of a message uses his or her own private key to decrypt messages that were encrypted with the recipient’s public key. This ensures that nobody other than the intended recipient can decrypt the message.

Answer 77

D. Digital signatures enforce nonrepudiation. They prevent an individual from denying that he or she was the actual originator of the message.

Answer 78

B. An individual creates a digital signature by encrypting the message digest with his or her own private key.

Answer 79

D. The comparison of a factor to validate an identity is known as authorization. Identification would occur when Jim presented his user ID. Tokenization is a process that converts a sensitive data element to a nonsensitive representation of that element. Hashing transforms a string of characters into a fixed-length value or key that represents the original string.

Answer 80

B. Decentralized access control empowers people closer to the resources to control access but does not provide consistent control. It does not provide redundancy, since it merely moves control points, the cost of access control depends on its implementation and methods, and granularity can be achieved in both centralized and decentralized models.

Answer 81

C. A mantrap, which is composed of a pair of doors with an access mechanism that allows only one door to open at a time, is an example of a preventive access control because it can stop unwanted access by keeping intruders from accessing a facility due to an opened door or following legitimate staff in. It can serve as a deterrent by discouraging intruders who would be trapped in it without proper access, and of course, doors with locks are an example of a physical control. A compensating control attempts to make up for problems with an existing control or to add additional controls to improve a primary control.

Answer 82

C. Sally needs to provide nonrepudiation, the ability to provably associate a given email with a sender. Digital signatures can provide nonrepudiation and are her best option. IMAP is a mail protocol, encryption can provide confidentiality, and DKIM is a tool for identifying domains that send email.

Answer 83

D. In most situations, employers may not access medical information due to healthcare privacy laws. Reference checks, criminal records checks, and credit history reports are all typically found during pre-employment background checks.

Answer 84

C. In a land attack, the attacker sends a packet that has identical source and destination IP addresses in an attempt to crash systems that are not able to handle this out-of-specification traffic.

Answer 85

A. An SSAE-16 Type I report covers controls and design of controls at the time of the report. A Type II report adds a historical element, covering controls over time. SAS-70 is outdated and should not be used.

Answer 86

A. When a data stream is converted into a segment (TCP) or a datagram (UDP) it transitions from the Session layer to the Transport layer. This change from a message sent to an encoded segment allows it to then traverse the network layer.

Answer 87

C. The user has successfully explained a valid need to know the data—completing the report requested by the CFO requires this access. However, the user has not yet demonstrated that he or she has appropriate clearance to access the information. A note from the CFO would meet this requirement.

Answer 88

B. Kathleen’s needs point to a directory service, and the Lightweight Directory Access Protocol (LDAP) would meet her needs. LDAP is an open, industry standard and vendor-neutral protocol for directory services. Kerberos and RADIUS are both authentication protocols, and Active Directory is a Microsoft product and is not vendor neutral, although it does support a number of open standards.

Answer 89

A. Application firewalls add Layer 7 functionality to other firewall solutions. This includes the ability to inspect application-layer details such as analyzing HTTP, DNS, FTP, and other application protocols.

Answer 90

C. The create rule allows a subject to create new objects and also creates an edge from the subject to that object, granting rights on the new object.

Answer 91

A. Metasploit provides an extensible framework, allowing penetration testers to create their own exploits in addition to those that are built into the tool. Unfortunately, penetration testing can only cover the point in time when it is conducted. When conducting a penetration test, the potential to cause a denial of service due to a fragile service always exists, but it can test process and policy through social engineering and operational testing that validates how those processes and policies work.

Answer 92

D. EAL7 is the highest level of assurance under the Common Criteria. It applies when a system has been formally verified, designed, and tested.

Answer 93

C. X.509 defines standards for public key certificates like those used with many smart cards. X.500 is a series of standards defining directory services. The Service Provisioning Markup Language (SPML) and the Security Assertion Markup Language (SAML) aren’t standards that Alex should expect to see when using a smart card to authenticate.

Answer 94

C. The Children’s Online Privacy Protection Act (COPPA) regulates websites that cater to children or knowingly collect information from children under the age of 13.

Answer 95

A. The Health Insurance Portability and Accountability Act (HIPAA) applies to healthcare information and is unlikely to apply in this situation. The Federal Information Security Management Act (FISMA) and Government Information Security Reform Act regulate the activities of all government agencies. The Homeland Security Act (HSA) created the US Department of Homeland Security, and more importantly for this question included the Cyber Security Enhancement Act of 2002 and the Critical Infrastructure Information Act of 2002. The Computer Fraud and Abuse Act (CFAA) provides specific protections for systems operated by government agencies.

Answer 96

C. Turnstiles are unidirectional gates that prevent more than a single person from entering a facility at a time.

Answer 97

C. Access control systems rely on identification and authentication to provide accountability. Effective authorization systems are desirable, but not required, since logs can provide information about who accessed what resources, even if access to those resources are not managed well. Of course, poor authorization management can create many other problems.

Answer 98

B. EAP was originally intended to be used on physically isolated network channels and did not include encryption. Fortunately, it was designed to be extensible, and PEAP can provide TLS encryption. EAP isn’t limited to PEAP as an option as EAP-TLS also exists, providing an EAP TLS implementation, and the same extensibility allows a multitude of other authentication methods.

Answer 99

C. The 192.168.0.0-192.168.255.255 address range is one of the ranges defined by RFC 1918 as private, non-routable IP ranges. Scott’s ISP (and any other organization with a properly configured router) will not route traffic from these addresses over the public Internet.

Answer 100

B. She should use a KPI (Key Performance Indicator). KPIs are used to measure success, typically in relation to an organization’s long-term goals. Metrics are measures, and although a KPI can be a metric, metrics are not all KPIs. SLAs are service-level agreements, and metrics can help determine whether they are being met. Objectives and key results (OKRs) are used to connect employee performance to results using subjective measures for objectives and quantitative measures for key results.

Answer 101

A. A well-designed set of VLANs based on functional groupings will logically separate segments of the network, making it difficult to have data exposure issues between VLANs. Changing the subnet mask will only modify the broadcast domain and will not fix issues with packet sniffing. Gateways would be appropriate if network protocols were different on different segments. Port security is designed to limit which systems can connect to a given port.

Answer 102

C. Captive portals are designed to show a page that can require actions like accepting an agreement or recording an email address before connecting clients to the Internet. NAC is designed to verify whether clients meet a security profile, which doesn’t match the needs of most coffee shops. A wireless gateway is a tool to access a cellular or other network, rather than a way to interact with users before they connect, and 802.11 is the family of IEEE wireless standards.

Answer 103

A. Active monitoring is also known as synthetic monitoring and relies on prerecorded or generated traffic to test systems for performance and other issues. Passive monitoring uses span ports, network taps, or similar technologies to capture actual traffic for analysis. Reactive monitoring is not a commonly used industry term.

Answer 104

B. TCP headers can be 20 to 60 bytes long depending on options that are set.

Answer 105

A. Cellular networks have the same issues that any public network does. Encryption requirements should match those that the organization selects for other public networks like hotels, conference Wi-Fi, and similar scenarios. Encrypting all data is difficult, and adds overhead, so it should not be the default answer unless the company specifically requires it. WAP is a dated wireless application protocol and is not in broad use; requiring it would be difficult. WAP does provide TLS, which would help when in use.

Answer 106

D. Fred’s best option is to use an encrypted, trusted VPN service to tunnel all of his data usage. Trusted Wi-Fi networks are unlikely to exist at a hacker conference, normal usage is dangerous due to the proliferation of technology that allows fake towers to be set up, and discontinuing all usage won’t support Fred’s business needs.

Answer 107

B. Remote wipe tools are a useful solution, but they only work if the phone can access either a cellular or Wi-Fi network. Remote wipe solutions are designed to wipe data from the phone regardless of whether it is in use or has a passcode. Providers unlock phones for use on other cellular networks rather than for wiping or other feature support.

Answer 108

C. The goal of business continuity planning exercises is to reduce the amount of time required to restore operations. This is done by minimizing the recovery time objective (RTO)

Answer 109

D. NIST Special Publication 800-53 describes depth and coverage. These terms describe depth, specifying the level of detail. Coverage measures breadth by using multiple assessment types and ensuring that each line of code is covered. If you encounter a question like this and are not familiar with the details of a standard like NIST 800-53, or may not remember them, focus on the meanings of each word and the details of the question. We can easily rule out affirmation, which isn’t a measure. Suitability is a possibility, but depth fits better than suitability or coverage.

Answer 110

C. A structured walk-through uses only role-playing to test a disaster recovery plan. It does not involve the use of any technical controls. Simulation tests, parallel tests, and full interruption tests actually use some or all of the disaster recovery controls.

Answer 111

C. Interference is electrical noise or other disruptions that corrupt the contents of packets. Latency is a delay in the delivery of packets from their source to their destination. Jitter is a variation in the latency for different packets. Packet loss is the disappearance of packets in transit that requires retransmission.

Answer 112

A. Fagan inspections follow a rigorous, highly structured process to perform code review, using a planning, overview, preparation, inspection, rework, and follow-up cycle. Fuzzing feeds unexpected input to programs, while over-the-shoulder code review is simply a review by having another developer meet with them to review code using a walk-through. Pair programming uses a pair of developers, one of whom writes code while both talk through the coding and development process.

Answer 113

B. While removing the tag from user input, it is not sufficient, as a user may easily evade this filter by encoding the tag with an XSS filter evasion technique. Frank was correct to perform validation on the server rather than at the client, but he should use validation that limits user input to allowed values, rather than filtering out one potentially malicious tag.

Answer 114

C. Fortran is a functional programming language. Java, C++, and C# are all object-oriented languages, meaning that they use the object model and approach programming as describing the interactions between objects.

Answer 115

C. HIPAA requires that anyone working with personal health information on behalf of a HIPAA-covered entity be subject to the terms of a business associates agreement (BAA).

Answer 116

A. During a full interruption test, the team takes down the primary site and confirms that the disaster recovery site is capable of handling regular operations. The full interruption test is the most thorough test but also the most disruptive. During a parallel test, the team actually activates the disaster recovery site for testing but the primary site remains operational. The checklist review is the least disruptive type of disaster recovery test. During a checklist review, team members each review the contents of their disaster recovery checklists on their own and suggest any necessary changes. During a tabletop exercise, team members come together and walk through a scenario without making any changes to information systems.

Answer 117

D. Ed’s best option is to install an IPv6 to IPv4 gateway that can translate traffic between the networks. A bridge would be appropriate for different types of networks, whereas a router would make sense if the networks were similar. A modern switch might be able to carry both types of traffic but wouldn’t be much help translating between the two protocols.

Answer 118

C. The Rijndael block cipher was selected as the winner and is the cryptographic algorithm underlying the Advanced Encryption Standard (AES).

Answer 119

C. The International Safe Harbor Privacy Principles listed here are part of the Safe Harbor provisions intended to address the European Union’s Data Privacy Directive. The DPD provides seven slightly different key principles to ensure data security and privacy. The Children’s Online Privacy Act (COPA), the NY SAFE Act is not an information security or privacy law, and the Federal Information Security Modernization Act (FISMA) is a key part of the US federal government’s security posture.

Answer 120

B. The EU Data Protection Directive does not require that organizations provide individuals with employee lists.

Answer 121

B. Tammy should choose a warm site. This type of facility meets her requirements for a good balance between cost and recovery time. It is less expensive than a hot site but facilitates faster recovery than a cold site. A red site is not a type of disaster recovery facility.

Answer 122

B. When data reaches the Transport layer, it is sent as segments (TCP) or datagrams (UDP). Above the Transport layer, data becomes a data stream, while below the Transport layer they are converted to packets at the Network layer, frames at the Data Link layer, and bits at the Physical layer.

Answer 123

D. The Advanced Encryption Standard supports encryption with 128-bit keys, 192-bit keys, and 256-bit keys.

Answer 124

D. An application programming interface (API) allows developers to create a direct method for other users to interact with their systems through an abstraction that does not require knowledge of the implementation details. Access to object models, source code, and data dictionaries also indirectly facilitate interaction but do so in a manner that provides other developers with implementation details.

Answer 125

D. The PGP email system, invented by Phil Zimmerman, uses the “web of trust” approach to secure email. The commercial version uses RSA for key exchange, IDEA for encryption/decryption, and MD5 for message digest production. The freeware version uses Diffie-Hellman key exchange, the Carlisle Adams/Stafford Tavares (CAST) encryption/decryption, and SHA hashing.

Answer 126

B. The permissions granted on files in Linux designate what authorized users can do with those files—read, write, or execute. In the image shown, all users can read, write, and execute index.html, whereas the owner can read, write, and execute example.txt, the group cannot, and everyone can write and execute it.

Answer 127

C. Detective access controls operate after the fact and are intended to detect or discover unwanted access or activity. Preventive access controls are designed to prevent the activity from occurring, whereas corrective controls return an environment to its original status after an issue occurs. Directive access controls limit or direct the actions of subjects to ensure compliance with policies.

Answer 128

C. A honeypot is a decoy computer system used to bait intruders into attacking. A honeynet is a network of multiple honeypots that creates a more sophisticated environment for intruders to explore. A pseudo flaw is a false vulnerability in a system that may attract an attacker. A darknet is a segment of unused network address space that should have no network activity and, therefore, may be easily used to monitor for illicit activity.

Answer 129

C. The CER is the point where FAR and FRR cross over, and it is a standard assessment used to compare the accuracy of biometric devices.

Answer 130

A. At point B, the false acceptance rate (FAR) is quite high, whereas the false rejection rate (FRR) is relatively low. This may be acceptable in some circumstances, but in organizations where a false acceptance can cause a major problem, it is likely that they should instead choose a point to the right of point A.

Answer 131

B. CER is a standard used to assess biometric devices. If the CER for this device does not fit the needs of the organization, Ben should assess other biometric systems to find one with a lower CER. Sensitivity is already accounted for in CER charts, and moving the CER isn’t something Ben can do. FRR is not a setting in software, so Ben can’t use that as an option either.

Answer 132

B. Personally Identifiable Information (PII) can be used to distinguish a person’s identity. Personal Health Information (PHI ) includes data like medical history, lab results, insurance information, and other details about a patient. Personal Protected Data is a made-up term, and PID is an acronym for process ID, the number associated with a running program or process.

Answer 133

D. The figure shows the waterfall model, developed by Winston Royce. The key characteristic of this model is a series of sequential steps that include a feedback loop that allows the process to return one step prior to the current step when necessary.

Answer 134

B. Encapsulation creates both the benefits and potential issues with multilayer protocols. Bridging can use various protocols but does not rely on encapsulation. Hashing and storage protocols typically do not rely on encapsulation as a core part of their functionality.

Answer 135

B. The five COBIT principles are meeting stakeholder needs, covering the enterprise end-to-end, applying a single integrated framework, enabling a holistic approach, and separating governance from management.

Answer 136

A. The onward transfer principle requires that organizations only exchange personal information with other organizations bound by the EU Data Protection Directive’s privacy principles. The United Kingdom, Italy, and Germany, as EU member states, are all bound by those principles. The United States does not have a comprehensive privacy law codifying those principles, so the onward transfer requirement applies.

Answer 137

C. The Domain Name System (DNS) provides human-friendly domain names that resolve to IP addresses, making it possible to easily remember websites and hostnames. ARP is used to resolve IP addresses into MAC addresses, whereas TCP is used to control the network traffic that travels between systems.

Answer 138

B. Ben is assessing a specification. Specifications are document-based artifacts like policies or designs. Activities are actions that support an information system that involves people. Mechanisms are the hardware-, software-, or firmware-based controls or systems in an information system, and an individual is one or more people applying specifications, mechanisms, or activities.

Answer 139

C. When done properly, a sanitization process fully ensures that data is not remnant on the system before it is reused. Clearing and erasing can both be failure prone, and of course destruction wouldn’t leave a machine or device to reuse.

Answer 140

C. In a gray box test, the tester evaluates the software from a user perspective but has access to the source code as the test is conducted. White box tests also have access to the source code but perform testing from a developer’s perspective. Black box tests work from a user’s perspective but do not have access to source code. Blue boxes are a telephone hacking tool and not a software testing technique.

Answer 141

D. The DevOps approach to technology management seeks to integrate software development, operations, and quality assurance in a cohesive effort. It specifically attempts to eliminate the issue of “throwing problems over the fence” by building collaborative relationships between members of the IT team.

Answer 142

B. A Security Information and Event Management (SIEM) tool is designed to centralize logs from many locations in many formats, and to ensure that logs are read and analyzed despite differences between different systems and devices. The Simple Network Management Protocol (SNMP) is used for some log messaging but is not a solution that solves all of these problems. Most non-Windows devices, including network devices among others, are not designed to use the Windows event log format, although using NTP for time synchronization is a good idea. Finally, local logging is useful, but setting clocks individually will result in drift over time and won’t solve the issue with many log sources.

Answer 143

C. Mike should use overwriting to protect this device. While degaussing is a valid secure data removal technique, it would not be effective in this case, since degaussing only works on magnetic media. Physical destruction would prevent the reuse of the device. Reformatting is not a valid secure data removal technique.

Answer 144

A. The single quotation mark in the input field is a telltale sign that this is a SQL injection attack. The quotation mark is used to escape outside the SQL code’s input field and the text that follows is used to directly manipulate the SQL command sent from the web application to the database.

Answer 145

D. Procedures are formal, mandatory documents that provide detailed, step-by-step actions required from individuals performing a task.

Answer 146

D. Durability requires that once a transaction is committed to the database it must be preserved. Atomicity ensures that if any part of a database transaction fails, the entire transaction must be rolled back as if it never occurred. Consistency ensures that all transactions are consistent with the logical rules of the database, such as having a primary key. Isolation requires that transactions operate separately from each other.

Answer 147

D. Watermarking alters a digital object to embed information about the source, either in a visible or hidden form. Digital signatures may identify the source of a document but they are easily removed. Hashing would not provide any indication of the document source, since anyone could compute a hash value. Document staining is not a security control.

Answer 148

C. Data centers should be located in the core of a building. Locating it on lower floors makes it susceptible to flooding and physical break-ins. Locating it on the top floor makes it vulnerable to wind and roof damage.

Answer 149

A. The due care principle states that an individual should react in a situation using the same level of care that would be expected from any reasonable person. It is a very broad standard. The due diligence principle is a more specific component of due care that states an individual assigned a responsibility should exercise due care to complete it accurately and in a timely manner.

Answer 150

B. Criminal investigations have high stakes with severe punishment for the offender that may include incarceration. Therefore, they use the strictest standard of evidence of all investigations: beyond a reasonable doubt. Civil investigations use a preponderance of the evidence standard. Regulatory investigations may use whatever standard is appropriate for the venue where the evidence will be heard. This may include the beyond-a-reasonable-doubt standard, but it is not always used in regulatory investigations. Operational investigations do not use a standard of evidence.

Answer 151

D. Differential backups do not alter the archive bit on a file, whereas incremental and full backups reset the archive bit to 0 after the backup completes. Partial backups are not a backup type.

Answer 152

B. Warm sites contain the hardware necessary to restore operations but do not have a current copy of data.

Answer 153

C. A power spike is a momentary period of high voltage. A surge is a prolonged period of high voltage. Sags and brownouts are periods of low voltage.

Answer 154

A. Subjects are active entities that can access a passive object to retrieve information from or about an object. Subjects can also make changes to objects when they are properly authorized. Users are often subjects, but not all subjects are users.

Answer 155

A. OSPF is a link state protocol. Link state protocols maintain a topographical map of all connected networks and preferentially select the shortest path to remote networks for traffic. A distance vector protocol would map the direction and distance in hops to a remote network, whereas shortest path first and link mapping are not types of routing protocols.

Answer 156

A. Machine languages are examples of first-generation programming languages. Second-generation languages include assembly languages. Third-generation languages include compiled languages. Fourth- and fifth-generation languages go beyond standard compiled languages to include natural languages and declarative approaches to programming.

Answer 157

A. Tara first must achieve a system baseline. She does this by applying the most recent full backup to the new system. This is Sunday’s full backup. Once Tara establishes this baseline, she may then proceed to apply differential backups to bring the system back to a more recent state.

Answer 158

B. To restore the system to as current a state as possible, Tara must first apply Sunday’s full backup. She may then apply the most recent differential backup, from Tuesday evening. Differential backups include all files that have changed since the most recent full backup, so the contents of Tuesday’s backup contain all of the data that would be contained in Monday’s backup, making the Monday backup irrelevant for this scenario.

Answer 159

A. In this scenario, the differential backup was made at noon and the server failed at 3 p.m. Therefore, any data modified or created between noon and 3 p.m. will not be contained on any backup and will be irretrievably lost.

Answer 160

D. By switching from differential to incremental backups, Tara’s weekday backups will only contain the information changed since the previous day. Therefore, she must apply all of the available incremental backups. She would begin by restoring the Sunday full backup and then apply the Monday, Tuesday, and Wednesday incremental backups.

Answer 161

D. Each incremental backup contains only the information changed since the most recent full or incremental backup. If we assume that the same amount of information changes every day, each of the incremental backups would be roughly the same size.

Answer 162

A. Information that is modifiable between a client and a server also means that it is accessible, pointing to both tampering and information disclosure. Spoofing in STRIDE is aimed at credentials and authentication, and there is no mention of this in the question. Repudiation would require that proving who performed an action was important, and elevation of privilege would come into play if privilege levels were involved.

Answer 163

B. Record retention ensures that data is kept and maintained as long as it is needed, and that it is purged when it is no longer necessary. Data remanence occurs when data is left behind after an attempt is made to remove it, whereas data redaction is not a technical term used to describe this effort. Finally, audit logging may be part of the records retained but doesn’t describe the life cycle of data.

Answer 164

D. The Authentication Header provides authentication, integrity, and nonrepudiation for IPSec connections. The Encapsulating Security Payload provides encryption and thus provides confidentiality. It can also provide limited authentication. L2TP is an independent VPN protocol, and Encryption Security Header is a made-up term.

Answer 165

B. The attack described in the scenario is a classic example of TCP scanning, a network reconnaissance technique that may precede other attacks. There is no evidence that the attack disrupted system availability, which would characterize a denial-of-service attack, that it was waged by a malicious insider, or that the attack resulted in the compromise of a system.

Answer 166

C. Attackers may use algorithmic complexity as a tool to exploit a TOC/TOU race condition. By varying the workload on the CPU, attackers may exploit the amount of time required to process requests and use that variance to effectively schedule the exploit’s execution. File locking, exception handling, and concurrency controls are all methods used to defend against TOC/TOU attacks.

Answer 167

D. The kernel lies within the central ring, Ring 0. Ring 1 contains other operating system components. Ring 2 is used for drivers and protocols. User-level programs and applications run at Ring 3. Rings 0-2 run in privileged mode, whereas Ring 3 runs in user mode.

Answer 168

A. RAID level 0 is also known as disk striping. RAID 1 is called disk mirroring. RAID 5 is called disk striping with parity. RAID 10 is known as a stripe of mirrors.

Answer 169

A. This is an example of a time of check/time of use, or TOC/TOU attack. It exploits the difference between the times when a system checks for permission to perform an action and when the action is actually performed. Permissions creep would occur if the account had gained additional rights over time as the other’s role or job changed. Impersonation occurs when an attacker pretends to be a valid user, and link swap is not a type of attack.

Answer 170

B. RAID 0, or disk striping, requires at least two disks to implement. It improves performance of the storage system but does not provide fault tolerance.

Answer 171

B. Fred’s company needs to protect integrity, which can be accomplished by digitally signing messages. Any change will cause the signature to be invalid. Encrypting isn’t necessary because the company does not want to protect confidentiality. TLS can provide in-transit protection but won’t protect integrity of the messages, and of course a hash used without a way to verify that the hash wasn’t changed won’t ensure integrity either.

Answer 172

A. An attribute-based access control (ABAC) system will allow Susan to specify details about subjects, objects, and access, allowing granular control. Although a rule-based access control system (RBAC) might allow this, the attribute-based access control system can be more specific and thus is more flexible. Discretionary access control (DAC) would allow object owners to make decisions, and mandatory access controls (MACs) would use classifications; neither of these capabilities was described in the requirements.

Answer 173

C. Synchronous communications use a timing or clock mechanism to control the data stream. This can permit very fast communication.

Answer 174

B. The maximum allowed length of a Cat 6 cable is 100 meters, or 328 feet. Long distances are typically handled by a fiber run or by using network devices like switches or repeaters.

Answer 175

B. One of the main functions of a forensic drive controller is preventing any command sent to a device from modifying data stored on the device. For this reason, forensic drive controllers are also often referred to as write blockers.

Answer 176

A. Setting the Secure cookie will only allow cookies to be sent via HTTPS TLS or SSL sessions, preventing man-in-the-middle attacks that target cookies. The rest of the settings are problematic: Cookies are vulnerable to DNS spoofing. Domain cookies should usually have the narrowest possible scope, which is actually accomplished by not setting the Domain cookie. This allows only the originating server to access the cookie. Cookies without the Expires or Max-age attributes are ephemeral and will only be kept for the session, making them less vulnerable than stored cookies. Normally, the HTTPOnly attribute is a good idea, but it prevents scripting rather than requiring unencrypted HTTP sessions.

Answer 177

D. Data remanence describes data that is still on media after an attempt has been made to remove it. Failed clearing and data pooling are not technical terms, and data permanence describes how long data lasts.

Answer 178

B. Mandatory access control (MAC) applies labels to subjects and objects and allows subjects to access objects when their labels match. Discretionary access control (DAC) is controlled by the owner of objects, rule-based access control applies rules throughout a system, and role-based access control bases rights on roles, which are often handled as groups of users.

Answer 179

B. Identity as a Service (IDaaS) provides capabilities such as account provisioning, management, authentication, authorization, reporting, and monitoring. PaaS is Platform as a Service, IaaS is Infrastructure as a Service, and SaaS is Software as a Service.

Answer 180

C. Eavesdropping, denial-of-service attacks, and caller ID spoofing are all common VoIP attacks. Blackboxing is a made-up answer, although various types of colored boxes were associated with phone phreaking.

Answer 181

D. This broad access may indirectly violate all of the listed security principles, but it is most directly a violation of least privilege because it grants users privileges that they do not need for their job functions.

Answer 182

C. The Secure File Transfer Protocol (SFTP) is specifically designed for encrypted file transfer. SSH is used for secure command-line access, whereas TCP is one of the bundles of Internet protocols commonly used to transmit data across a network. IPSec could be used to create a tunnel to transfer the data but is not specifically designed for file transfer.

Answer 183

B. TACACS+ uses TCP, and encrypts the entire session, unlike RADIUS, which only encrypts the password and operates via UDP.

Answer 184

C. The client sends its existing valid TGT to the KDC and requests access to the resource.

Answer 185

A. The KDC must verify that the TGT is valid and whether the user has the right privileges to access the service it is requesting access to. If it does, it generates a service ticket and sends it to the client (step B).

Answer 186

C. The server or service that is being accessed receives all of the data it needs in the service ticket. To do so, the client uses a client-to-server ticket received from the Ticket Granting Service.

Answer 187

B. The service ticket in Kerberos authentication provides proof that a subject is authorized to access an object. Ticket granting services are provided by the TGS. Proof that a subject has authenticated and can request tickets to other objects, uses ticket granting tickets, and authentication host is a made-up term.

Answer 188

C. A series of questions that the user has previously provided the answer to or which the user knows the answers to like the questions listed is known as a cognitive password. A passphrase consists of a phrase or series of words, whereas multifactor authentication consists of two or more authenticators, like a password and a biometric factor or a one-time token-based code.

Answer 189

B. CDMA, GSM, and IDEN are all 2G technologies. EDGE, DECT, and UTMS are all examples of 3G technologies, whereas 4G technologies include WiMax, LTE, and IEE 802.20 mobile broadband.

Answer 190

A. Dry pipe, deluge, and preaction systems all use pipes that remain empty until the system detects signs of a fire. Closed-head systems use pipes filled with water that may damage equipment if there is damage to a pipe.

Answer 191

A. Protected Health Information (PHI) is defined by HIPAA to include health information used by healthcare providers, like medical treatment, history, and billing. Personally Identifiable Information is information that can be used to identify an individual, which may be included in the PHI but isn’t specifically this type of data. Protected Health Insurance and Individual Protected Data are both made-up terms.

Answer 192

B. Manual testing uses human understanding of business logic to assess program flow and responses. Mutation or generational fuzzing will help determine how the program responds to expected inputs but does not test the business logic. Interface testing ensures that data exchange between modules works properly but does not focus on the logic of the program or application.

Answer 193

A. A Type 1 authentication factor is something you know. A Type 2 is something you have, like a smart card or hardware token. A Type 3 authentication factor is something you are, like a biometric identifier. There is no such thing as a Type 4 authentication factor.

Answer 194

B. System owners have to ensure that the systems they are responsible for are properly labeled based on the highest level of data that their system processes, and they have to ensure that appropriate security controls are in place on those systems. System owners also share responsibility for data protection with data owners. Administrators grant appropriate access, whereas data owners own the classification process.

Answer 195

A. Jack is performing misuse case analysis, a process that tests code based on how it would perform if it was misused instead of used properly. Use case testing tests valid use cases, whereas static code analysis involves reviewing the code itself for flaws rather than testing the live software. Hacker use case testing isn’t an industry term for a type of testing.

Answer 196

D. Vendors complete security targets (STs) to describe the controls that exist within their product. During the review process, reviewers compare those STs to the entity’s Protection Profile (PP) to determine whether the product meets the required security controls.

Answer 197

C. Both TCP and UDP port numbers are a 16-digit binary number, which means there can be 216 ports, or 65,536 ports, numbered from 0 to 65,535.

Answer 198

A. MITRE’s Common Vulnerabilities and Exploits (CVE) dictionary and NIST’s National Vulnerability Database (NVD) both provide information about vulnerabilities.

Answer 199

D. The military classification scheme contains three major levels. They are, in descending order of sensitivity: Top Secret, Secret, and Confidential. Unclassified is a default, and not a classification, whereas Sensitive But Unclassified (SBU) has been replaced with Controlled Unclassified Information (CUI).

Answer 200

D. In an automated recovery, the system can recover itself against one or more failure types. In an automated recovery without undue loss, the system can recover itself against one or more failure types and also preserve data against loss. In function recovery, the system can restore functional processes automatically. In a manual recovery approach, the system does not fail into a secure state but requires an administrator to manually restore operations.

Answer 201

A. Antenna placement, antenna design, and power level control are the three important factors in determining where a signal can be accessed and how usable it is. A captive portal can be used to control user logins, and antenna design is part of antenna types. The FCC does provide maximum broadcast power guidelines but does not require a minimum power level.

Answer 202

C. Physically destroying the drive is the best way to ensure that there is no remnant data on the drive. SSDs are flash media, which means that you can’t degauss them, whereas both random pattern writes and the built-in erase commands have been shown to be problematic due to the wear leveling built into SSDs as well as differences in how they handle erase commands.

Answer 203

A. Confidentiality ensures that data cannot be read by unauthorized individuals while stored or in transit.

Answer 204

B. The recovery time objective (RTO) is the amount of time that a business believes it will take to restore a function in the event of a disruption.

Answer 205

D. The United States Code (USC) contains the text of all federal criminal and civil laws passed by the legislative branch and signed by the President (or where the President’s veto was overruled by Congress).

Answer 206

B. A post-admission philosophy allows or denies access based on user activity after connection. Since this doesn’t check the status of a machine before it connects, it can’t prevent the exploit of the system immediately after connection. This doesn’t preclude out-of-band or in-band monitoring, but it does mean that a strictly post-admission policy won’t handle system checks before the systems are admitted to the network.

Answer 207

B. The principle of implicit denial states that any action that is not explicitly allowed is denied. This is an important concept for firewall rules and other access control systems. Implementing least privilege ensures that subjects have only the rights they need to accomplish their job. While explicit deny and final rule fall-through may sound like important access control concepts, neither is.

Answer 208

B. Risks are the combination of a threat and a vulnerability. Threats are the external forces seeking to undermine security, such as the hacker in this case. Vulnerabilities are the internal weaknesses that might allow a threat to succeed. In this case, web defacement is the risk. In this scenario, if the hacker attempts a SQL injection attack (threat) against the unpatched server (vulnerability), the result is website defacement (risk).

Answer 209

A. The kernel of an operating system is the collection of components that work together to implement a secure, reliable operating system. The kernel contains both the Trusted Computing Base (TCB) and the reference monitor.

Answer 210

A. Val can use statistical sampling techniques to choose a set of records for review that are representative of the entire day’s data. Clipping chooses only records that exceed a set threshold so it is not a representative sample. Choosing records based on the time they are recorded may not produce a representative sample because it may capture events that occur at the same time each day and miss many events that simply don’t occur during the chosen time period.

Answer 211

D. Fiber-optic cable is more expensive and can be much harder to install than stranded copper cable or coaxial cable, but it isn’t susceptible to electromagnetic interference (EMI). That makes it a great solution for Jen’s problem, especially if she is deploying EMI-hardened systems to go with her EMI-resistant network cables.

Answer 212

D. The request control process provides an organized framework within which users can request modifications, managers can conduct cost/benefit analyses, and developers can prioritize tasks.

Answer 213

B. Change control provides an organized framework within which multiple developers can create and test solutions prior to rolling them out into a production environment.

Answer 214

C. Release control ensures that any code inserted as a programming aid during the change process is removed before releasing the new software to production. It also includes acceptance testing to ensure that any alterations to end-user work tasks are understood and functional.

Answer 215

A. Configuration control ensures that changes to software versions are made in accordance with the change control and configuration management process. Updates can be made only from authorized distributions in accordance with those policies.

Answer 216

B. Ben is reusing his salt. When the same salt is used for each hash, all users with the same password will have the same hash, and the attack can either attempt to steal the salt or may attempt to guess the salt by targeting the most frequent hash occurrences based on commonly used passwords. Short salts are an issue, but the salts used here are 32 bytes (256 bits) long. There is no salting algorithm used or mentioned here; salt is an added value for a hash, and plaintext salting is a made-up term.

Answer 217

B. Risk transference involves actions that shift risk from one party to another. Purchasing insurance is an example of risk transference because it moves risk from the insured to the insurance company.

Answer 218

C. The Online Certificate Status Protocol (OCSP) eliminates the latency inherent in the use of certificate revocation lists by providing a means for real-time certificate verification.

Answer 219

D. Static code analysis uses techniques like control flow graphs, lexical analysis, and data flow analysis to assess code without running it. Dynamic code analysis runs code on a real or virtual processor and uses actual inputs for testing. Fuzzing provides unexpected or invalid input to test how programs handle input outside of the norm. Manual analysis is performed by reading code line by line to identify bugs or other issues.

Answer 220

B. TCP’s use of a handshake process to establish communications makes it a connection-oriented protocol. TCP does not monitor for dropped connections. nor does the fact that it works via network connections make it connection-oriented.

Answer 221

A. The LDAP bind operation authenticates and specifies the LDAP protocol version. Auth, StartLDAP, and AuthDN operations do not exist in the LDAP protocol.

Answer 222

C. The two most important elements of a qualitative risk assessment are determining the probability and impact of each risk upon the organization. Likelihood is another word for probability. Cost should be taken into account but is only one element of impact, which also includes reputational damage, operational disruption, and other ill effects.

Answer 223

B. When a message reaches the Data Link layer, it is called a frame. Data streams exist at the application, presentation, and session layers, whereas segments and datagrams exist at the transport layer (for TCP and UDP, respectively).

Answer 224

A. If the (ISC)2 peer review board finds that a certified individual has violated the (ISC)2 code of ethics, the board may revoke their certification. The board is not able to terminate an individual’s employment or assess financial penalties.

Answer 225

D. SDLC approaches include steps to provide operational training for support staff as well as end-user training. The SDLC may use one of many development models, including the waterfall and spiral models. The SDLC does not mandate the use of an iterative or sequential approach; it allows for either approach.

Answer 226

A. The Bell-LaPadula model includes the Simple Security Property, which prevents an individual from reading information that is classified at a level higher than the individual’s security clearance.