Review Questions Flashcards

1
Q

Josh has discovered that an organized hacking ring in China has been targeting his company’s research and development department. If these hackers have been able to uncover his company’s research findings, this means they probably have access to his company’s intellectual property. Josh thinks that an e-mail server in his company’s DMZ may have been successfully compromised and a rootkit loaded.

Based upon this scenario, what is most likely the biggest risk Josh’s company needs to be concerned with?

A. Market share drop if the attackers are able to bring the specific product to market more quickly than Josh’s company.

B. Confidentiality of e-mail messages. Attackers may post all captured e-mail messages to the Internet.

C. Impact on reputation if the customer base finds out about the attack.

D. Depth of infiltration of attackers. If attackers have compromised other systems, more confidential data could be at risk.

A

A. While they are all issues to be concerned with, risk is a combination of probability and business impact. The largest business impact out of this list and in this situation is the fact that intellectual property for product development has been lost. If a competitor can produce the product and bring it to market quickly, this can have a long-lasting financial impact on the company.

2
Q

Josh has discovered that an organized hacking ring in China has been targeting his company’s research and development department. If these hackers have been able to uncover his company’s research findings, this means they probably have access to his company’s intellectual property. Josh thinks that an e-mail server in his company’s DMZ may have been successfully compromised and a rootkit loaded.

The attackers in this situation would be seen as which of the following?

A. Vulnerability

B. Threat

C. Risk

D. Threat agent

A

D. The attackers are the entities that have exploited a vulnerability; thus, they are the threat agent.

3
Q

Josh has discovered that an organized hacking ring in China has been targeting his company’s research and development department. If these hackers have been able to uncover his company’s research findings, this means they probably have access to his company’s intellectual property. Josh thinks that an e-mail server in his company’s DMZ may have been successfully compromised and a rootkit loaded.

If Josh is correct in his assumptions, which of the following best describes the vulnerability, threat, and exposure, respectively?

A. E-mail server is hardened, an entity could exploit programming code flaw, server is compromised and leaking data.

B. E-mail server is not patched, an entity could exploit a vulnerability, server is hardened.

C. E-mail server misconfiguration, an entity could exploit misconfiguration, server is compromised and leaking data.

D. DMZ firewall misconfiguration, an entity could exploit misconfiguration, internal e-mail server is compromised.

A

C. In this situation the e-mail server most likely is misconfigured or has a programming flaw that can be exploited. Either of these would be considered a vulnerability. The threat is that someone would find out about this vulnerability and exploit it. In this scenario since the server is compromised, it is the item that is providing exposure to the company. This exposure is allowing sensitive data to be accessed in an unauthorized manner.

4
Q

Aaron is a security manager who needs to develop a solution to allow his company’s mobile devices to be authenticated in a standardized and centralized manner using digital certificates. The applications these mobile clients use require a TCP connection. Which of the following is the best solution for Aaron to implement?

A. SESAME using PKI

B. RADIUS using EAP

C. Diameter using EAP

D. RADIUS using TTLS

A

C. Diameter is a protocol that has been developed to build upon the functionality of RADIUS and to overcome many of its limitations. Diameter is an AAA protocol that provides the same type of functionality as RADIUS and TACACS+ but also provides more flexibility and capabilities, including working with EAP. RADIUS uses UDP and cannot deal effectively with remote access, IP mobility, and policy control.

5
Q

Terry is a security manager for a credit card processing company. His company uses internal DNS servers, which are placed within the LAN, and external DNS servers, which are placed in the DMZ. The company also relies upon DNS servers provided by its service provider. Terry has found out that attackers have been able to manipulate several DNS server caches to point employee traffic to malicious websites. Which of the following best describes the solution this company should implement?

A. IPSec

B. PKI

C. DNSSEC

D. MAC-based security

A

C. DNSSEC (DNS security, which is part of many current implementations of DNS server software) works within a PKI and uses digital signatures, which allows DNS servers to validate the origin of a message to ensure that it is not spoofed and potentially malicious. If DNSSEC were enabled on server A, then server A would, upon receiving a response, validate the digital signature on the message before accepting the information to make sure that the response is from an authorized DNS server. So even if an attacker sent a message to a DNS server, the DNS server would discard it because the message would not contain a valid digital signature. DNSSEC allows DNS servers to send and receive only authenticated and authorized messages between themselves and thwarts the attacker’s goal of poisoning a DNS cache table.

6
Q

It is important to deal with the issue of “reasonable expectation of privacy” (REP) when it comes to employee monitoring. In the U.S. legal system the expectation of privacy is used when defining the scope of the privacy protections provided by the:

A. Federal Privacy Act

B. PATRIOT Act

C. Fourth Amendment of the Constitution

D. Bill of Rights

A

C. It is important to deal with the issue of “reasonable expectation of privacy” (REP) when it comes to employee monitoring. In the U.S. legal system the expectation of privacy is used when defining the scope of the privacy protections provided by the Fourth Amendment of the Constitution. If it is not specifically explained to an employee that monitoring is possible and/or probable, then when the monitoring takes place he could claim that his privacy rights have been violated and launch a civil suit against the company.

7
Q

Jane is suspicious that an employee is sending sensitive data to one of the company’s competitors. The employee has to use this data for daily activities, thus it is difficult to properly restrict the employee’s access rights. In this scenario, which best describes the company’s vulnerability, threat, risk, and necessary control?

A. Vulnerability is employee access rights, threat is internal entities misusing privileged access, risk is the business impact of data loss, and the necessary control is detailed network traffic monitoring.

B. Vulnerability is lenient access rights, threat is internal entities misusing privileged access, risk is the business impact of data loss, and the necessary control is detailed user monitoring.

C. Vulnerability is employee access rights, threat is internal employees misusing privileged access, risk is the business impact of confidentiality, and the necessary control is multifactor authentication.

D. Vulnerability is employee access rights, threat is internal users misusing privileged access, risk is the business impact of confidentiality, and the necessary control is CCTV.

A

B. A vulnerability is a lack or weakness of a control. In this situation the access control may be weak in nature, thus exploitable. The vulnerability is that the user, who must be given access to the sensitive data, is not properly monitored to deter and detect a willful breach of security. The threat is that any internal entity might misuse given access. The risk is the business impact of losing sensitive data. One control that could be put into place is monitoring so that access activities can be closely watched.

8
Q

Which of the following best describes what role-based access control offers companies in reducing administrative burdens?

A. It allows entities closer to the resources to make decisions about who can and cannot access resources.

B. It provides a centralized approach for access control, which frees up department managers.

C. User membership in roles can be easily revoked and new ones established as job assignments dictate.

D. It enforces an enterprise-wide security policy, standards, and guidelines.

A

C. An administrator does not need to revoke and reassign permissions to individual users as they change jobs. Instead, the administrator assigns permissions and rights to a role, and users are plugged into those roles.

9
Q

Mark works for a large corporation operating in multiple countries worldwide. He is reviewing his company’s policies and procedures dealing with data breaches. Which of the following is an issue that he must take into consideration?

A. Each country may or may not have unique notification requirements.

B. All breaches must be announced to affected parties within 24 hours.

C. Breach notification is a “best effort” process and not a guaranteed process.

D. Breach notifications are avoidable if all PII is removed from data stores.

A

A. Many (but not all) countries have data breach notification requirements, and these vary greatly in their specifics. While some countries have very strict requirements, others have more lax requirements or lack them altogether. This requires the security professional to ensure compliance in the appropriate territory. Applying the most stringent rules universally (e.g., 24-hour notification) is usually not a good idea from a business perspective. The term “best effort” is not acceptable in countries with strict rules, nor is the notion that personally identifiable information (PII) is the only type of data that would trigger a mandatory notification.

10
Q

A software development company released a product that committed several errors that were not expected once deployed in their customers’ environments. All of the software code went through a long list of tests before being released. The team manager found out that after a small change was made to the code, the program was not tested before it was released. Which of the following tests was most likely not conducted?

A. Unit

B. Compiled

C. Integration

D. Regression

A

D. Regression testing should take place after a change to a system takes place, retesting to ensure functionality, performance, and protection.

11
Q

All of the following should be considered as part of the supply chain risk management process for a smartphone manufacturer except:

A. Hardware Trojans inserted by downstream partners

B. ISO/IEC 27001

C. Hardware Trojans inserted by upstream partners

D. NIST Special Publication 800-161

A

B. ISO/IEC 27001 is a standard covering information security management systems, which is a much broader topic than supply chain risk management. The other three options are better answers because they are directly tied to this process: NIST’s Special Publication 800-161 directly addresses supply chain risk, and the insertion of hardware Trojans could happen at any point in the chain.

12
Q

Companies should follow certain steps in selecting and implementing a new computer product. Which of the following sequences is ordered correctly?

A. Evaluation, accreditation, certification

B. Evaluation, certification, accreditation

C. Certification, evaluation, accreditation

D. Certification, accreditation, evaluation

A

B. The first step is evaluation. Evaluation involves reviewing the product’s protection functionality and assurance ratings. The next phase is certification. Certification involves testing the newly purchased product within the company’s environment. The final stage is accreditation, which is management’s formal approval.

13
Q

Jack has just been hired as the security officer for a large hospital. The organization develops some of its own proprietary applications. The organization does not have as many layers of controls when it comes to the data processed by these applications, since it is assumed that external entities will not understand the internal logic of the applications. One of the first things that Jack wants to carry out is a risk assessment to determine the organization’s current risk profile. He also tells his boss that the hospital should become ISO certified to bolster its customers’ and partners’ confidence.

Which of the following approaches has been implemented in this scenario?

A. Defense-in-depth

B. Security through obscurity

C. Information security management system

D. BS 17799

A

B. Security through obscurity is depending upon complexity or secrecy as a protection method. Some organizations feel that since their proprietary code is not standards based, outsiders will not know how to compromise its components. This is an insecure approach. Defense-in-depth is a better approach with the assumption that anyone can figure out how something works.

14
Q

Jack has just been hired as the security officer for a large hospital. The organization develops some of its own proprietary applications. The organization does not have as many layers of controls when it comes to the data processed by these applications, since it is assumed that external entities will not understand the internal logic of the applications. One of the first things that Jack wants to carry out is a risk assessment to determine the organization’s current risk profile. He also tells his boss that the hospital should become ISO certified to bolster its customers’ and partners’ confidence.

Which ISO/IEC standard would be best for Jack to follow to meet his goals?

A. ISO/IEC 27002

B. ISO/IEC 27004

C. ISO/IEC 27005

D. ISO/IEC 27006

A

C. ISO/IEC 27005 is the international standard for risk assessments and analysis.

15
Q

Jack has just been hired as the security officer for a large hospital. The organization develops some of its own proprietary applications. The organization does not have as many layers of controls when it comes to the data processed by these applications, since it is assumed that external entities will not understand the internal logic of the applications. One of the first things that Jack wants to carry out is a risk assessment to determine the organization’s current risk profile. He also tells his boss that the hospital should become ISO certified to bolster its customers’ and partners’ confidence.

Which standard should Jack suggest to his boss for compliance?

A. BS 17799

B. ISO/IEC 27004

C. ISO/IEC 27799

D. BS 7799:2011

A

C. ISO/IEC 27799 is a guideline for information security management in health organizations. It deals with how organizations that store and process sensitive medical information should protect it.

16
Q

An operating system maintains several processes in memory at the same time. The processes can only interact with the CPU during their assigned time slices since there is only one CPU and many processes. Each process is assigned an interrupt value to allow for this type of time slicing to take place. Which of the following best describes the difference between maskable and non-maskable interrupts?

A. A maskable interrupt is assigned to a critical process, and a nonmaskable interrupt is assigned to a noncritical process.

B. A maskable interrupt is assigned to a process in ring 0, and a nonmaskable interrupt is assigned to a process in ring 3.

C. A maskable interrupt is assigned to a process in ring 3, and a nonmaskable interrupt is assigned to a process in ring 4.

D. A maskable interrupt is assigned to a noncritical process, and a nonmaskable interrupt is assigned to a critical process.

A

D. A maskable interrupt is assigned to an event that may not be overly important, and the programmer can indicate that if that interrupt calls, the program does not stop what it is doing. This means the interrupt is ignored. Nonmaskable interrupts can never be overridden by an application because the event that has this type of interrupt assigned to it is critical.

17
Q

The confidentiality of sensitive data is protected in different ways depending on the state of the data. Which of the following is the best approach to protecting data in transit?

A. SSL

B. VPN

C. IEEE 802.1x

D. Whole-disk encryption

A

B. A virtual private network (VPN) provides confidentiality for data being exchanged between two endpoints. While the use of VPNs may not be sufficient in every case, it is the only answer among those provided that addresses the question. The use of Secure Sockets Layer (SSL) is not considered secure. IEEE 802.1x is an authentication protocol that does not protect data in transit. Finally, whole-disk encryption may be a good approach to protecting sensitive data, but only while it is at rest.

18
Q

There are different categories for evidence depending upon what form it is in and possibly how it was collected. Which of the following is considered supporting evidence?

A. Best evidence

B. Corroborative evidence

C. Conclusive evidence

D. Direct evidence

A

B. Corroborative evidence cannot stand alone, but instead is used as supporting information in a trial. It is often testimony indirectly related to the case but offers enough correlation to supplement the lawyer’s argument. The other choices are all types of evidence that can stand alone.

19
Q

A(n) ________________ is the graphical representation of data commonly used on websites. It is a skewed representation of characteristics a person must enter to prove that the subject is a human and not an automated tool, as in a software robot.

A. anti-spoofing symbol

B. CAPTCHA

C. spam anti-spoofing symbol

D. CAPCHAT

A

B. A CAPTCHA is a skewed representation of characteristics a person must enter to prove that the subject is a human and not an automated tool, as in a software robot. It is the graphical representation of data.

20
Q

Mark has been asked to interview individuals to fulfill a new position in his company, chief privacy officer (CPO). What is the function of this type of position?

A. Ensuring that company financial information is correct and secure

B. Ensuring that customer, company, and employee data is protected

C. Ensuring that security policies are defined and enforced

D. Ensuring that partner information is kept safe

A

B. The CPO is a newer position, created mainly because of the increasing demands on organizations to protect a long laundry list of different types of data. This role is responsible for ensuring that customer, company, and employee data is secure and kept secret, which keeps the company out of criminal and civil courts and hopefully out of the headlines.

21
Q

A risk management program must be developed properly and in the right sequence. Which of the following provides the correct sequence for the steps listed?

i. Develop a risk management team.
ii. Calculate the value of each asset.
iii. Identify the vulnerabilities and threats that can affect the identified assets.
iv. Identify company assets to be assessed.

A. i, iii, ii, iv
B. ii, i, iv, iii
C. iii, i, iv, ii
D. i, iv, ii, iii

A

D. The correct steps for setting up a risk management program are as follows:

i. Develop a risk management team.
ii. Identify company assets to be assessed.
iii. Calculate the value of each asset.
iv. Identify the vulnerabilities and threats that can affect the identified assets.

22
Q

Jack needs to assess the performance of a critical web application that his company recently upgraded. Some of the new features are very profitable, but not frequently used. He wants to ensure that the user experience is positive, but doesn’t want to wait for the users to report problems. Which of the following techniques should Jack use?

A. Real user monitoring

B. Synthetic transactions

C. Log reviews

D. Management review

A

B. Synthetic transactions are scripted events that mimic the behaviors of real users and allow security professionals to systematically test the performance of critical services. They are the best approach, because they can detect problems before users notice them. Real user monitoring would rely on users encountering the problem, whereupon the system would automatically report it.

23
Q

Which of the following best describes a technical control for dealing with the risks presented by data remanence?

A. Encryption

B. Data retention policies

C. File deletion

D. Using solid-state drives (SSD)

A

A. Data remanence refers to the persistence of data on storage media after it has been deleted. Encrypting this data is the best of the listed choices because the recoverable data will be meaningless to an adversary. Retention policies are important, but are considered administrative controls that don’t deal with remanence directly. Simply deleting the file will not normally render the data unrecoverable, nor will the use of SSDs even though these devices will sometimes (though not always) make it difficult to recover the deleted data.

24
Q

George is the security manager of a large bank, which provides online banking and other online services to its customers. George has recently found out that some of the bank’s customers have complained about changes to their bank accounts that they did not make. George worked with the security team and found out that all changes took place after proper authentication steps were completed. Which of the following describes what most likely took place in this situation?

A. Web servers were compromised through cross-scripting attacks.

B. TLS connections were decrypted through a man-in-the-middle attack.

C. Personal computers were compromised with Trojan horses that installed keyloggers.

D. Web servers were compromised and masquerading attacks were carried out.

A

C. While all of these situations could have taken place, the most likely attack type in this scenario is the use of a keylogger. Attackers commonly compromise personal computers by tricking the users into installing Trojan horses that have the capability to install keystroke loggers. The keystroke logger can capture authentication data that the attacker can use to authenticate as a legitimate user and carry out malicious activities.

25
Q

Internet Protocol Security (IPSec) is actually a suite of protocols. Each protocol within the suite provides different functionality. Which of the following is not a function or characteristic of IPSec?

A. Encryption

B. Link layer protection

C. Authentication

D. Protection of packet payloads and the headers

A

B. IPSec is a protocol used to provide VPNs that use strong encryption and authentication functionality. It can work in two different modes: tunnel mode (payload and headers are protected) or transport mode (payload protection only). IPSec works at the network layer, not the data link layer.

26
Q

In what order would a typical PKI infrastructure perform the following transactions?

i. Receiver decrypts and obtains session key.
ii. Sender requests receiver’s public key.
iii. Public key is sent from a public directory.
iv. Sender sends a session key encrypted with receiver’s public key.

A. iv, iii, ii, i
B. ii, i, iii, iv
C. ii, iii, iv, i
D. ii, iv, iii, i

A

C. The sender would need to first obtain the receiver’s public key, which could be from the receiver or a public directory. The sender needs to protect the symmetric session key as it is being sent, so she encrypts it with the receiver’s public key. The receiver decrypts the session key with his private key.

27
Q

Tim is the CISO for a large distributed financial investment organization. The company’s network is made up of different network devices and software applications, which generate their own proprietary logs and audit data. Tim and his security team have become overwhelmed with trying to review all of the log files when attempting to identify if anything suspicious is taking place within the network. Another issue Tim’s team needs to deal with is that many of the network devices have automated IPv6-to-IPv4 tunneling enabled by default.

Which of the following is the best solution for this company to implement as it pertains to the first issue addressed in the scenario?

A. Event correlation tools

B. Intrusion detection systems

C. Security information and event management

D. Security event correlation management tools

A

C. Today, more organizations are implementing security event management (SEM) systems, also called security information and event management (SIEM) systems. These products gather logs from various devices (servers, firewalls, routers, etc.) and attempt to correlate the log data and provide analysis capabilities. We also have different types of systems on a network (routers, firewalls, IDS, IPS, servers, gateways, proxies) collecting logs in various proprietary formats, which requires centralization, standardization, and normalization. Log formats are different per product type and vendor.

28
Q

Tim is the CISO for a large distributed financial investment organization. The company’s network is made up of different network devices and software applications, which generate their own proprietary logs and audit data. Tim and his security team have become overwhelmed with trying to review all of the log files when attempting to identify if anything suspicious is taking place within the network. Another issue Tim’s team needs to deal with is that many of the network devices have automated IPv6-to-IPv4 tunneling enabled by default.

Which of the following best describes why Tim should be concerned about the second issue addressed in the scenario?

A. Software and devices that are scanning traffic for suspicious activity may only be configured to evaluate one system type.

B. Software and devices that are monitoring traffic for illegal activity may only be configured to evaluate one service type.

C. Software and devices that are monitoring traffic for illegal activity may only be configured to evaluate two protocol types.

D. Software and devices that are monitoring traffic for suspicious activity may only be configured to evaluate one traffic type.

A

D. While many of these automatic tunneling techniques reduce administration overhead because network administrators do not have to configure each and every system and network device with two different IP addresses, there are security risks that need to be understood. Many times users and network administrators do not know that automatic tunneling capabilities are enabled, and thus they do not ensure that these different tunnels are secured and/or are being monitored. If you are an administrator of a network and have IDS, IPS, and firewalls that are only configured to monitor and restrict IPv4 traffic, then all IPv6 traffic could be traversing your network insecurely. Attackers use these protocol tunnels and misconfigurations to get past these types of security devices so that malicious activities can take place unnoticed. Products and software may need to be updated to address both traffic types, proxies may need to be deployed to manage traffic communication securely, IPv6 should be disabled if not needed, and security appliances need to be configured to monitor all traffic types.

29
Q

Which of the following is not a concern of a security professional considering adoption of Internet of Things (IoT) devices?

A. Weak or nonexistent authentication mechanisms

B. Vulnerability of data at rest and data in motion

C. Difficulty of deploying patches and updates

D. High costs associated with connectivity

A

D. IoT devices run the gamut of cost, from the very cheap to the very expensive. Cost, among the listed options, is the least likely to be a direct concern for a security professional. Lack of authentication, encryption, and update mechanisms are much more likely to be significant issues in any IoT adoption plan.

30
Q

What type of rating system is used within the Common Criteria structure?

A. PP

B. EPL

C. EAL

D. A–D

A

C. The Common Criteria uses a different assurance rating system than the previously used criteria. It has packages of specifications that must be met for a product to obtain the corresponding rating. These ratings and packages are called Evaluation Assurance Levels (EALs).