Sybex Book Flashcards

1
Q

Know the three objectives of cybersecurity

A

Confidentiality ensures that unauthorized individuals are not able to gain access to sensitive information. Integrity ensures that there are no unauthorized modifications to information or systems, either intentionally or unintentionally. Availability ensures that information and systems are ready to meet the needs of legitimate users at the time those users request them.

2
Q

Describe how information security strategies should be aligned with organizational goals and objectives.

A

As information security managers develop their plans, they should use reliable techniques to assess the current state of the program, such as threat research, SWOT analysis, and gap analysis. They may then identify the initiatives that will move the organization from the current state to its desired state.

3
Q

Explain how security strategies are influenced by internal and external factors

A

Security strategies must be aligned with the business, but they must also incorporate other influences. Information security managers must remain abreast of emerging technologies, social media, the business environment, the organization’s risk tolerance, regulatory requirements, third-party considerations, and the threat landscape as they develop, monitor, and revise cybersecurity strategies.

4
Q

Know why stakeholder commitment and communication are essential to success

A

As information security leaders roll out new strategies, they must ensure that they have the support of senior leaders and other stakeholders. They may do this by clearly outlining how information security supports the organization’s broader goals and objectives, identifying the business impact of security initiatives, and identifying clear success criteria.

5
Q

Explain how security controls may be categorized based on their mechanism of action and their intent.

A

Controls are grouped into the categories of managerial, operational, and technical based on the way that they achieve their objectives. They are divided into the types of preventive, detective, corrective, deterrent, compensating, and physical based on their intended purpose.

6
Q

Describe the diverse impacts of data breaches on organizations

A

When an organization suffers a data breach, the resulting data loss often results in both direct and indirect damages. The organization suffers immediate financial repercussions due to the costs associated with the incident response, as well as long-term financial consequences due to reputational damage. This reputational damage may be difficult to quantify, but it may also have a lasting impact. In some cases, organizations may suffer operational damage if they also experience availability losses that prevent them from accessing their own information.

7
Q

Explain why data must be protected in transit, at rest, and in use.

A

Attackers may attempt to eavesdrop on network transmissions containing sensitive information. This information is highly vulnerable when in transit unless protected by encryption technology. Attackers also might attempt to breach data stores, stealing data at rest. Encryption serves to protect stored data as well as data in transit. Data is also vulnerable while in use on a system and should be protected during data processing activities.

8
Q

Know how data loss prevention (DLP) systems block data exfiltration attempts.

A

DLP technology enforces information handling policies to prevent data loss and theft. DLP systems may function at the host level, using software agents to search systems for the presence of sensitive information. They may also work at the network level, watching for transmissions of unencrypted sensitive information. DLP systems detect sensitive information using pattern-matching technology and/or digital watermarking.

9
Q

Explain how data minimization reduces risk by reducing the amount of sensitive information that we maintain.

A

In cases where we cannot simply discard unnecessary information, we can protect information through de-identification and data obfuscation. The tools used to achieve these goals include hashing, tokenization, and masking of sensitive fields.

10
Q

Matt is updating the organization’s threat assessment process. What category of control is Matt implementing?

  A. Operational
  B. Technical
  C. Corrective
  D. Managerial
A

D. Managerial controls are procedural mechanisms that focus on the mechanics of the risk management process. Threat assessment is an example of one of these activities.

11
Q

Jade’s organization recently suffered a security breach that affected stored credit card data. Jade’s primary concern is the fact that the organization is subject to sanctions for violating the provisions of the Payment Card Industry Data Security Standard. What category of risk is concerning Jade?

  A. Strategic
  B. Compliance
  C. Operational
  D. Financial
A

B. The breach of credit card information may cause many different impacts on the organization, including compliance, operational, and financial risks. However, in this scenario, Jade’s primary concern is violating PCI DSS, making the concern a compliance risk.

12
Q

Chris is responding to a security incident that compromised one of his organization’s web servers. He believes that the attackers defaced one or more pages on the website. What cybersecurity objective did this attack violate?

  A. Confidentiality
  B. Nonrepudiation
  C. Integrity
  D. Availability
A

C. The defacement of a website alters content without authorization and is, therefore, a violation of the integrity objective. The attackers may also have breached the confidentiality or availability of the website, but the scenario does not provide us with enough information to draw those conclusions.

13
Q

Which one of the following elements is most important to gaining the support of senior leaders for cybersecurity initiatives?

  A. Using plain, understandable language
  B. Communicating often and in the format desired by the leaders
  C. Demonstrating the alignment between business objectives and security needs
  D. Adopting emerging technologies
A

C. The most important consideration when gaining stakeholder support for security initiatives is demonstrating the alignment between a request and the objectives of the business. While managers should certainly use plain language and communicate in the format desired by leaders, these are secondary considerations. Adopting emerging technologies is not necessary to underscore the importance of security initiatives.

14
Q

Tonya is concerned about the risk that an attacker will attempt to gain access to her organization’s database server. She is searching for a control that would discourage the attacker from attempting to gain access. What type of security control is she seeking to implement?

  A. Preventive
  B. Detective
  C. Corrective
  D. Deterrent
A

D. Deterrent controls are designed to prevent an attacker from attempting to violate security policies in the first place. Preventive controls would attempt to block an attack that was about to take place. Corrective controls would remediate the issues that arose during an attack.

15
Q

Which one of the following individuals bears ultimate responsibility for protecting an organization’s data?

  A. Data steward
  B. End users
  C. Data custodian
  D. Data owner
A

D. All individuals within an organization have some responsibility for protecting data. However, the data owner is the senior-most leader who bears ultimate responsibility for this protection. The data owner may delegate some authority and/or responsibility to data stewards, data custodians, and end users, but they still bear ultimate responsibility.

16
Q

Brooke is conducting a SWOT analysis for her organization’s cybersecurity program. She recently learned about a cybersecurity insurance offering that may allow the organization to transfer some financial risk and is considering purchasing a policy. Where would this offering fit in the SWOT analysis?

  A. Strength
  B. Weakness
  C. Opportunity
  D. Threat
A

C. The availability of this cybersecurity insurance offering is an external factor that the organization might exploit to better achieve its objectives and, therefore, should be classified as an opportunity. Strengths and weaknesses are internal characteristics of the organization. Threats are external factors that pose a risk to the organization.

17
Q

Tina is tuning her organization’s intrusion prevention system to prevent false positive alerts. What type of control is Tina implementing?

  A. Technical control
  B. Physical control
  C. Managerial control
  D. Operational control
A

A. Technical controls enforce confidentiality, integrity, and availability in the digital space. Examples of technical security controls include firewall rules, access control lists, intrusion prevention systems, and encryption.

18
Q

Dan is the CISO of an organization and he is spearheading the development of a new security operations center (SOC). He bears responsibility for the success of this initiative. In the RACI matrix entry for this initiative, how would Dan best be labeled?

  A. R
  B. A
  C. C
  D. I
A

B. As the ultimate stakeholder for the initiative, Dan is the accountable individual and should be labeled with an “A” in the RACI matrix. Others who are directly contributing to the effort would be labeled as responsible (“R”). Stakeholders who are not directly working on the SOC implementation would be labeled as either consulted (“C”) or informed (“I”), as appropriate.

19
Q

Tony is reviewing the status of his organization’s defenses against a breach of their file server. He believes that a compromise of the file server could reveal information that would prevent the company from continuing to do business. What term best describes the risk that Tony is considering?

  A. Strategic
  B. Reputational
  C. Financial
  D. Operational
A

A. The risk that Tony is contemplating could fit any one of these categories. However, his primary concern is that the company may no longer be able to do business if the risk materializes. This is a strategic risk.

20
Q

Which one of the following data elements is not commonly associated with identity theft?

  A. Social Security number
  B. Driver’s license number
  C. Frequent flyer number
  D. Passport number
A

C. Although it is possible that a frequent flyer account number, or any other account number for that matter, could be used in identity theft, it is far more likely that identity thieves would use core identity documents. These include driver’s licenses, passports, and Social Security numbers.

21
Q

What term best describes an organization’s desired security state?

  A. Control objectives
  B. Security priorities
  C. Strategic goals
  D. Best practices
A

A. As an organization analyzes its risk environment, technical and business leaders determine the level of protection required to preserve the confidentiality, integrity, and availability of their information and systems. They express these requirements by writing the control objectives that the organization wishes to achieve. These control objectives are statements of a desired security state.

22
Q

Jerry is developing a cybersecurity awareness program for members of his team who have administrative access to sensitive systems. What category best describes the users he is targeting?

  A. Privileged users
  B. High-risk users
  C. End users
  D. Data owners
A

A. It may be true that these individuals fit into more than one, or even all, of these categories. However, the key element in the question is that the users have administrative access to systems. Therefore, they are best described as privileged users.

23
Q

Which one of the following individuals is the least appropriate direct manager of a chief information security officer?

  A. Chief information officer
  B. Chief risk officer
  C. Chief executive officer
  D. Senior director for identity and access management
A

D. The CISO should report to a senior-level decision-maker in the organization and not to the leader of another technology function. Therefore, the senior director for identity and access management is an inappropriate reporting structure. The CIO, CRO, and CEO would all be appropriate supervisors for a CISO.

24
Q

Greg recently conducted an assessment of his organization’s security controls and discovered a potential gap: the organization does not use full-disk encryption on laptops. What type of control gap exists in this case?

  A. Detective
  B. Corrective
  C. Deterrent
  D. Preventive
A

D. The use of full-disk encryption is intended to prevent a security incident from occurring if a device is lost or stolen. Therefore, this is a preventive control gap.

25
Q

Toni is developing a new goal for her information security program. She has currently written it as “We will acquire and implement a new intrusion prevention system that will reduce successful network intrusions by 50%.” What element of the SMART framework is lacking from this goal?

  A. Specific
  B. Measurable
  C. Achievable
  D. Relevant
  E. Time-bound
A

E. This goal is specific in that it describes the implementation of an IPS. It is also measurable since it states a clear objective of reducing intrusions by 50 percent. We do not have enough information about the organization to determine whether it is achievable or relevant. It is definitely not time-bound because it contains no deadline. Toni could remedy this situation by adding a deliverable date to the goal.

26
Q

Nolan is writing an after-action report on a security breach that took place in his organization. The attackers stole thousands of customer records from the organization’s database. What cybersecurity principle was most impacted in this breach?

  A. Availability
  B. Nonrepudiation
  C. Confidentiality
  D. Integrity
A

C. The disclosure of sensitive information to unauthorized individuals is a violation of the principle of confidentiality.

27
Q

Which one of the following objectives is not one of the three main objectives that information security professionals must achieve to protect their organizations against cybersecurity threats?

  A. Integrity
  B. Nonrepudiation
  C. Availability
  D. Confidentiality
A

B. The three primary objectives of cybersecurity professionals are confidentiality, integrity, and availability.

28
Q

What is the most appropriate span of control for a cybersecurity leader?

  A. 2
  B. 4
  C. 7
  D. 12
A

C. The span of control is the number of employees who directly report to a manager. Most organizations consider 5–10 employees to be an appropriate span of control.

29
Q

Brian is conducting a maturity assessment of his organization’s cybersecurity team using Capability Maturity Model Integration (CMMI). He notes that the team does use defined processes but that they develop them in a reactive manner for each project they undertake. What level of maturity would best describe this team?

  A. Defined
  B. Repeatable
  C. Initial
  D. Quantitatively managed
  E. Managed
A

E. This is an example of a Managed organization: one that begins to implement organized processes on a per-project basis but is still operating in reactive mode. At the Initial level, the organization has unpredictable processes that are poorly controlled. When an organization achieves Level 3: Defined, it has standard processes that are used organization-wide and are adapted for use within each project. Level 4: Quantitatively Managed organizations build measurement and controls on top of their processes to allow them to quickly identify and remediate deficiencies and address control gaps before issues arise. At the top tier of the CMMI, Level 5: Optimizing organizations use a continuous process improvement approach to adjust and fine-tune the way that they work to achieve peak efficiency and effectiveness.

30
Q

Governance programs guide and direct security efforts

A

Information security governance efforts should integrate with other corporate governance programs to support both the business’s goals and its security strategy. Organizations should draw on existing governance frameworks, such as COBIT and the ISO standards, to avoid redundant effort and to align with industry best practices.

31
Q

Policy frameworks consist of policies, standards, procedures, and guidelines.

A

Policies are high-level statements of management intent for the information security program. Standards describe the detailed implementation requirements for policies. Procedures offer step-by-step instructions for carrying out security activities. Compliance with policies, standards, and procedures is mandatory. Guidelines offer optional advice that complements other elements of the policy framework.

32
Q

Organizations often adopt a set of security policies covering different areas of their security programs.

A

Common policies used in security programs include an information security policy, an acceptable use policy, a data ownership policy, a data retention policy, an account management policy, and a password policy. The specific policies adopted by any organization will depend on that organization’s culture and business needs.

33
Q

Policy documents should include exception processes.

A

Exception processes should outline the information required to receive an exception to security policy and the approval authority for each exception. The process should also describe the requirements for compensating controls that mitigate risks associated with approved security policy exceptions.

34
Q

Organizations face a variety of security compliance requirements.

A

Merchants and credit card service providers must comply with the Payment Card Industry Data Security Standard (PCI DSS). Organizations handling the personal information of European Union residents must comply with the EU General Data Protection Regulation (GDPR). All organizations should be familiar with the national, territory, and state laws that affect their operations.

35
Q

Standards frameworks provide an outline for structuring and evaluating cybersecurity programs.

A

Organizations may choose to base their security programs on a framework, such as the NIST Cybersecurity Framework (CSF) or International Organization for Standardization (ISO) standards. U.S. federal government agencies and contractors should also be familiar with the NIST Risk Management Framework (RMF). These frameworks sometimes include maturity models that allow an organization to assess its progress. Some frameworks also offer certification programs that provide independent assessments of an organization’s progress toward adopting a framework.

36
Q

Audits and assessments monitor compliance with requirements.

A

Audits are externally commissioned, formal reviews of the capability of an organization to achieve its control objectives. Assessments are less rigorous reviews of security issues, often performed or commissioned by IT staff. Organizations providing services to other entities may wish to conduct a service organization controls (SOC) audit under SSAE 18.

37
Q

Joe is authoring a document that explains to system administrators one way in which they might comply with the organization’s requirement to encrypt all laptops. What type of document is Joe writing?

  A. Policy
  B. Guideline
  C. Procedure
  D. Standard
A

B. The key term in this scenario is “one way.” This indicates that compliance with the document is not mandatory, so Joe must be authoring a guideline. Policies, standards, and procedures are all mandatory.

38
Q

Victor is designing an information security governance program for his organization. Which one of the following statements about governance programs is not correct?

  A. Governance programs should clearly distinguish between governance and management activities.
  B. Governance programs should be created once and developed in a manner that does not require future changes.
  C. Security governance programs should be aligned with corporate governance programs.
  D. Governance programs should cover the enterprise end-to-end.
A

B. Governance programs should be flexible and dynamic, rather than static. They should adapt to changes in the environment, as needed. They should be tailored to the enterprise’s needs and cover the enterprise end-to-end. They should clearly distinguish between governance and management activities.

39
Q

What law creates privacy obligations for those who handle the personal information of European Union residents?

  A. HIPAA
  B. FERPA
  C. GDPR
  D. PCI DSS
A

C. The General Data Protection Regulation (GDPR) implements privacy requirements for handling the personal information of EU residents. The Health Insurance Portability and Accountability Act (HIPAA) includes security and privacy rules that affect health-care providers, health insurers, and health information clearinghouses. The Family Educational Rights and Privacy Act (FERPA) applies to educational institutions. The Payment Card Industry Data Security Standard (PCI DSS) applies to credit and debit card information.

40
Q

Which one of the following is not one of the five core security functions defined by the NIST Cybersecurity Framework?

  A. Identify
  B. Contain
  C. Respond
  D. Recover
A

B. The five security functions described in the NIST Cybersecurity Framework are identify, protect, detect, respond, and recover.

41
Q

What ISO standard provides guidance on privacy controls?

  A. 27002
  B. 27001
  C. 27701
  D. 31000
A

C. The International Organization for Standardization (ISO) publishes ISO 27701, covering privacy controls. ISO 27001 and 27002 cover cybersecurity, and ISO 31000 covers risk management.

42
Q

Which one of the following documents must normally be approved by the CEO or a similarly high-level executive?

  A. Standard
  B. Procedure
  C. Guideline
  D. Policy
A

D. Policies require approval from the highest level of management, usually the CEO. Other documents may often be approved by other managers, such as the CISO.

43
Q

Greg would like to create an umbrella agreement that provides the security terms and conditions for all future work that his organization does with a vendor. What type of agreement should Greg use?

  A. BPA
  B. MOU
  C. MSA
  D. SLA
A

C. Master service agreements (MSAs) provide an umbrella contract for the work that a vendor does with an organization over an extended period of time. The MSA typically includes detailed security and privacy requirements. Each time the organization enters into a new project with the vendor, they may then create a statement of work (SOW) that contains project-specific details and references the MSA.

44
Q

What organization is known for creating independent security benchmarks covering hardware and software platforms from many different vendors?

  A. Microsoft
  B. Center for Internet Security
  C. Cloud Security Alliance
  D. Cisco
A

B. All of these organizations produce security standards and benchmarks. However, only the Center for Internet Security (CIS) is known for producing independent benchmarks covering a wide variety of software and hardware.

45
Q

In a publicly traded corporation, who is directly responsible for hiring and firing the chief executive officer?

  A. Senior executive team
  B. Shareholders
  C. Board of directors
  D. Chief financial officer
A

C. In the corporate governance model for publicly traded organizations, the shareholders who own the corporation delegate control of the corporation to the elected members of the board of directors. The board is then responsible for selecting the CEO, reviewing the CEO’s performance, and terminating the CEO when necessary.

46
Q

Which one of the following would not normally be found in an organization’s information security policy?

  A. Statement of the importance of cybersecurity
  B. Requirement to use AES-256 encryption
  C. Delegation of authority
  D. Designation of responsible executive
A

B. Security policies do not normally contain prescriptive technical guidance, such as a requirement to use a specific encryption algorithm. This type of detail would normally be found in a security standard.

47
Q

Darren is working with an independent auditor to produce an audit report that he will share with his customers under NDA to demonstrate that he has appropriate security controls in place. The auditor will not be assessing the effectiveness of those controls. What type of audit report should Darren expect?

  A. SOC 2 Type 1
  B. SOC 2 Type 2
  C. SOC 3 Type 1
  D. SOC 3 Type 2
A

A. The fact that the auditor will not be assessing the effectiveness of the controls means that this is a Type 1 report, not a Type 2 report. The fact that it will be shared only under NDA means that it is an SOC 2 assessment.

48
Q

Danielle is developing a business case to support a proposed investment in her organization’s vulnerability management program. Which of the following components would she not normally include in the business case?

  A. Cost analysis
  B. Implementation plan
  C. Rollback plan
  D. Strategic context
A

C. The common elements of a business case include a scope statement, a strategic context, a cost analysis, an evaluation of alternatives, a project plan, and a management plan. Organizations may develop rollback plans for high-risk changes, but those rollback plans are not a standard component of the business case.

49
Q

What compliance obligation applies to merchants and service providers who work with credit card information?

  A. FERPA
  B. SOX
  C. HIPAA
  D. PCI DSS
A

D. The Payment Card Industry Data Security Standard (PCI DSS) provides detailed rules about the storage, processing, and transmission of credit and debit card information. PCI DSS is not a law but rather a contractual obligation that applies to credit card merchants and service providers.

50
Q

Gwen is developing a new security policy for her organization. Which one of the following statements does not reflect best practices for policy development?

  A. All stakeholders should agree with the proposed policy.
  B. The policy should follow normal corporate policy approval processes.
  C. Policies should match the “tone at the top” from senior business leaders.
  D. Cybersecurity managers are typically responsible for communicating and implementing approved security policies.
A

A. Policies should be developed in a manner that obtains input from all relevant stakeholders, but it is not necessary to obtain agreement or approval from all stakeholders. Policies should follow normal corporate policy approval processes and should be written in a manner that fits within the organizational culture and “tone at the top.” Once an information security policy is approved, it commonly falls to the information security manager to communicate and implement the policy.

51
Q

Kevin is developing the business case for a new information security incident response program. Which one of the following statements is true about the costs associated with this initiative?

  A. The business case does not need to address costs, since this is done within the budgeting process.
  B. The business case should only include the one-time costs that are associated with implementing the new initiative.
  C. The business case should only include the new recurring costs that are created by the initiative.
  D. The business case should include both one-time and recurring costs associated with the initiative.
A

D. A complete business case should include all relevant financial and human resources costs for an initiative, including both one-time and recurring costs.

52
Q

Which individual in an organization bears ultimate accountability to the board of directors for achieving the organization’s strategic plan?

  A. CISO
  B. CIO
  C. CFO
  D. CEO
A

D. The chief executive officer (CEO) bears ultimate responsibility for the efficiency and effectiveness of the organization in all respects. The chief information officer (CIO), chief information security officer (CISO), and chief financial officer (CFO) are all accountable to the CEO or other senior leader for the areas under their span of control.

53
Q

The board of directors of Kate’s company recently hired an independent firm to review the state of the organization’s security controls and certify those results to the board. What term best describes this engagement?

  A. Assessment
  B. Control review
  C. Gap analysis
  D. Audit
A

D. Any of these terms could reasonably be used to describe this engagement. However, the term audit best describes this effort because of the formal nature of the review and the fact that it was requested by the board.

54
Q

Which one of the following is not an objective domain in the COBIT framework?

  1. Secure, Protect, and Defend (SPD)
  2. Evaluate, Direct, and Monitor (EDM)
  3. Align, Plan, and Organize (APO)
  4. Deliver, Service, and Support (DSS)
A

A. The five COBIT domains are:

Evaluate, Direct, and Monitor (EDM)

Align, Plan, and Organize (APO)

Build, Acquire, and Implement (BAI)

Deliver, Service, and Support (DSS)

Monitor, Evaluate, and Assess (MEA)

55
Q

Which one of the following is not a common use of the NIST Cybersecurity Framework?

  1. Describe the current cybersecurity posture of an organization.
  2. Describe the target future cybersecurity posture of an organization.
  3. Communicate with stakeholders about cybersecurity risk.
  4. Create specific technology requirements for an organization.
A

D. The NIST Cybersecurity Framework is designed to help organizations describe their current cybersecurity posture, describe their target state for cybersecurity, identify and prioritize opportunities for improvement, assess progress, and communicate with stakeholders about risk. It does not create specific technology requirements.

56
Q

Which one of the following items is not normally included in a request for an exception to security policy?

  1. Description of a compensating control
  2. Description of the risks associated with the exception
  3. Proposed revision to the security policy
  4. Business justification for the exception
A

C. Requests for an exception to a security policy would not normally include a proposed revision to the policy. Exceptions are documented variances from the policy because of specific technical and/or business requirements. They do not alter the original policy, which remains in force for systems not covered by the exception.

57
Q

List the COBIT Principles

A

Evaluate, Direct, and Monitor (EDM)

Align, Plan, and Organize (APO)

Build, Acquire, and Implement (BAI)

Deliver, Service, and Support (DSS)

Monitor, Evaluate, and Assess (MEA)

58
Q

COBIT

Evaluate, Direct, and Monitor (EDM)

A

Evaluate, Direct, and Monitor (EDM) objectives provide for effective IT governance and the selection and monitoring of strategic goals.

59
Q

COBIT

Align, Plan, and Organize (APO).

A

Align, Plan, and Organize (APO) objectives describe how the IT function should be organized and how it should structure its work.

60
Q

COBIT

Build, Acquire, and Implement (BAI)

A

Build, Acquire, and Implement (BAI) objectives describe how the IT organization should create and acquire new information systems and integrate them into the business.

61
Q

COBIT

Deliver, Service, and Support (DSS)

A

Deliver, Service, and Support (DSS) objectives describe how the organization should manage the operational tasks of information technology.

62
Q

COBIT

Monitor, Evaluate, and Assess (MEA)

A

Monitor, Evaluate, and Assess (MEA) objectives describe how the organization should measure its effectiveness against performance targets, control objectives, and any external requirements it faces.

63
Q

What are the five NIST objectives?

A

Describe their current cybersecurity posture.

Describe their target state for cybersecurity.

Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process.

Assess progress toward the target state.

Communicate among internal and external stakeholders about cybersecurity risk.

64
Q

NIST Cybersecurity Framework implementation tiers

Tier 1

A
65
Q

NIST Cybersecurity Framework implementation tiers

Tier 2

A
66
Q

NIST Cybersecurity Framework implementation tiers

Tier 3

A
67
Q

NIST Cybersecurity Framework implementation tiers

Tier 4

A
68
Q

ISO Standards

ISO 27001

A

ISO 27001 is a standard titled “Information technology—Security techniques—Information security management systems—Requirements.”

69
Q

ISO Standards

ISO 27002

A

ISO 27002 goes beyond control objectives and describes the actual controls that an organization may implement to meet cybersecurity objectives.

70
Q

ISO Standards

ISO 27004

A

ISO 27004 helps organizations implement a consistent process for the monitoring, measurement, analysis, and evaluation of their information security management function.

71
Q

ISO Standards

ISO 27701

A

ISO 27701 contains standard guidance for managing privacy controls.

72
Q

ISO Standards

ISO 31000

A

ISO 31000 provides guidelines for risk management programs.

73
Q

Describe the following

SOC 1 engagements

SOC 2 engagements

SOC 3 engagements

Type 1 reports

Type 2 reports

A

SOC 1 engagements assess the organization’s controls that might impact the accuracy of financial reporting.

SOC 2 engagements assess the organization’s controls that affect the security (confidentiality, integrity, and availability) and privacy of information stored in a system. SOC 2 audit results are confidential and are normally only shared outside the organization under an NDA.

SOC 3 engagements also assess the organization’s controls that affect the security (confidentiality, integrity, and availability) and privacy of information stored in a system. However, SOC 3 audit results are intended for public disclosure.

Type 1 reports provide the auditor’s opinion on the description provided by management and the suitability of the design of the controls as of a specific date.

Type 2 reports go further and also provide the auditor’s opinion on the operating effectiveness of the controls—that is, the auditor actually confirms that the controls are functioning properly over a period of time.

74
Q

SOC 1 engagements

A

SOC 1 engagements assess the organization’s controls that might impact the accuracy of financial reporting.

75
Q

SOC 2 engagements

A

SOC 2 engagements assess the organization’s controls that affect the security (confidentiality, integrity, and availability) and privacy of information stored in a system. SOC 2 audit results are confidential and are normally only shared outside the organization under an NDA.

76
Q

SOC 3 engagements

A

SOC 3 engagements also assess the organization’s controls that affect the security (confidentiality, integrity, and availability) and privacy of information stored in a system. However, SOC 3 audit results are intended for public disclosure.

77
Q

SOC Type 1 reports

A

Type 1 reports provide the auditor’s opinion on the description provided by management and the suitability of the design of the controls as of a specific date.

78
Q

SOC Type 2 reports

A

Type 2 reports go further and also provide the auditor’s opinion on the operating effectiveness of the controls—that is, the auditor actually confirms that the controls are functioning properly over a period of time.

79
Q

What are the SMART framework characteristics?

A

The goal is specific. It describes clearly what the organization intends to achieve.

The goal is measurable. It includes clear criteria by which the organization can measure success.

The goal is achievable. The organization can realistically achieve the goal within the specified time period.

The goal is relevant. If achieved, the goal will advance the organization’s strategic objectives.

The goal is time-bound. It includes a specific deadline for achievement.

80
Q

What are the levels of Capability Maturity Model Integration (CMMI)?

A

Level 1: Initial

Level 2: Managed

Level 3: Defined

Level 4: Quantitatively Managed

Level 5: Optimizing

81
Q

Capability Maturity Model Integration (CMMI)

Level 1

A

Level 1: Initial, the organization has unpredictable processes that are poorly controlled. This level is characterized by reactive management and a “firefighting” approach.

82
Q

Capability Maturity Model Integration (CMMI)

Level 2

A

Level 2: Managed, the organization begins to implement organized processes on a per-project basis but is still operating in reactive mode.

83
Q

Capability Maturity Model Integration (CMMI)

Level 3

A

Level 3: Defined, the organization has standard processes that are used organization wide and are adapted for use within each project. This level marks a shift from reactive to proactive management.

84
Q

Capability Maturity Model Integration (CMMI)

Level 4

A

Level 4: Quantitatively Managed organizations build measurement and controls on top of their processes to allow them to quickly identify and remediate deficiencies and address control gaps before issues arise.

85
Q

Capability Maturity Model Integration (CMMI)

Level 5

A

Level 5: Optimizing organizations use a continuous process improvement approach to adjust and fine-tune the way that they work to achieve peak efficiency and effectiveness.

86
Q

What are all the RACI matrix roles?

A

Responsible (R) roles are those who actually carry out the work involved. There must be at least one role assigned as responsible for each responsibility, although there may be more than one.

Accountable (A) roles bear ultimate and final responsibility for achieving the objective. Consider this the “buck stops here” role for the responsibility. Each responsibility in the matrix must have one, and only one, accountable role.

Consulted (C) roles are those who provide input that affects the responsibility because of their subject matter expertise.

Informed (I) roles are those who are provided with regular updates on the status of the effort. They may need this information to complete their work, oversee the organization, or perform other tasks, but the key characteristic is that, unlike consulted roles, informed roles receive updates but do not provide input.

87
Q

Know how risk identification and assessment helps organizations prioritize cybersecurity efforts.

A

Cybersecurity analysts try to identify all of the risks facing their organization and then conduct a business impact analysis to assess the potential degree of risk based on the probability that it will occur and the magnitude of the potential effect on the organization. This work allows security professionals to prioritize risks and communicate risk factors to others in the organization.

88
Q

Know that vendors are a source of external risk.

A

Organizations should conduct their own systems assessments as part of their risk assessment practices, but they should conduct supply chain assessments as well. Performing vendor due diligence reduces the likelihood that a previously unidentified risk at a vendor will negatively impact the organization. Hardware source authenticity techniques verify that hardware was not tampered with after leaving the vendor’s premises.

89
Q

Be familiar with the risk management strategies that organizations may adopt.

A

Risk avoidance strategies change business practices to eliminate a risk. Risk mitigation techniques reduce the probability or magnitude of a risk. Risk transference approaches move some of the risk to a third party. Risk acceptance acknowledges the risk and continues normal business operations despite the presence of the risk.

90
Q

Understand how disaster recovery planning builds resiliency.

A

Disaster recovery plans activate when an organization experiences a natural or human-made disaster that disrupts normal operations. The disaster recovery plan helps the organization quickly recover its information and systems and resume normal operations.

91
Q

Be familiar with the privacy controls that protect personal information.

A

Organizations handling sensitive personal information should develop privacy programs that protect that information from misuse and unauthorized disclosure. The plan should cover personally identifiable information (PII), protected health information (PHI), financial information, and other records maintained by the organization that might impact personal privacy.

92
Q

Jen identified a missing patch on a Windows server that might allow an attacker to gain remote control of the system. After consulting with her manager, she applied the patch. From a risk management perspective, what has she done?

  1. Removed the threat
  2. Reduced the threat
  3. Removed the vulnerability
  4. Reduced the vulnerability
A

C. By applying the patch, Jen has removed the vulnerability from her server. This also has the effect of eliminating this particular risk. Jen cannot control the external threat of an attacker attempting to gain access to her server.

93
Q

You notice a high number of SQL injection attacks against a web application run by your organization, so you install a web application firewall to block many of these attacks before they reach the server. How have you altered the severity of this risk?

  1. Reduced the magnitude
  2. Eliminated the vulnerability
  3. Reduced the probability
  4. Eliminated the threat
A

C. Installing a web application firewall reduces the probability that an attack will reach the web server. Vulnerabilities may still exist in the web application, and the threat of an external attack is unchanged. The impact of a successful SQL injection attack is also unchanged by a web application firewall.

94
Q

Aziz is responsible for the administration of an e-commerce website that generates $100,000 per day in revenue for his firm. The website uses a database that contains sensitive information about the firm’s customers. Aziz is assessing the risk of a denial-of-service attack against the database where the attacker would destroy the data contained within the database. He expects that it would cost approximately $500,000 to reconstruct the database from existing records. After consulting threat intelligence, he believes that there is a 5 percent chance of a successful attack in any given year.

What is the asset value (AV)?

  1. $5,000
  2. $100,000
  3. $500,000
  4. $600,000
A

C. The asset at risk in this case is the customer database. Losing control of the database would result in a $500,000 fine, so the asset value (AV) is $500,000.

95
Q

Aziz is responsible for the administration of an e-commerce website that generates $100,000 per day in revenue for his firm. The website uses a database that contains sensitive information about the firm’s customers. Aziz is assessing the risk of a denial-of-service attack against the database where the attacker would destroy the data contained within the database. He expects that it would cost approximately $500,000 to reconstruct the database from existing records. After consulting threat intelligence, he believes that there is a 5 percent chance of a successful attack in any given year.

What is the exposure factor (EF)?

  1. 5%
  2. 20%
  3. 50%
  4. 100%
A

D. The attack would result in the total loss of customer data stored in the database, making the exposure factor (EF) 100 percent.

96
Q

Aziz is responsible for the administration of an e-commerce website that generates $100,000 per day in revenue for his firm. The website uses a database that contains sensitive information about the firm’s customers. Aziz is assessing the risk of a denial-of-service attack against the database where the attacker would destroy the data contained within the database. He expects that it would cost approximately $500,000 to reconstruct the database from existing records. After consulting threat intelligence, he believes that there is a 5 percent chance of a successful attack in any given year.

What is the single loss expectancy (SLE)?

  1. $5,000
  2. $100,000
  3. $500,000
  4. $600,000
A

C. We compute the single loss expectancy (SLE) by multiplying the asset value (AV) ($500,000) and the exposure factor (EF) (100%) to get an SLE of $500,000.

97
Q

Aziz is responsible for the administration of an e-commerce website that generates $100,000 per day in revenue for his firm. The website uses a database that contains sensitive information about the firm’s customers. Aziz is assessing the risk of a denial-of-service attack against the database where the attacker would destroy the data contained within the database. He expects that it would cost approximately $500,000 to reconstruct the database from existing records. After consulting threat intelligence, he believes that there is a 5 percent chance of a successful attack in any given year.

What is the annualized rate of occurrence (ARO)?

  1. 0.05
  2. 0.20
  3. 2.00
  4. 5.00
A

A. Aziz’s threat intelligence research determined that the threat has a 5 percent likelihood of occurrence each year. This is an ARO of 0.05.

98
Q

Aziz is responsible for the administration of an e-commerce website that generates $100,000 per day in revenue for his firm. The website uses a database that contains sensitive information about the firm’s customers. Aziz is assessing the risk of a denial-of-service attack against the database where the attacker would destroy the data contained within the database. He expects that it would cost approximately $500,000 to reconstruct the database from existing records. After consulting threat intelligence, he believes that there is a 5 percent chance of a successful attack in any given year.

What is the annualized loss expectancy (ALE)?

  1. $5,000
  2. $25,000
  3. $100,000
  4. $500,000
A

B. We compute the annualized loss expectancy (ALE) by multiplying the SLE ($500,000) and the ARO (0.05) to get an ALE of $25,000.

99
Q

Grace recently completed a risk assessment of her organization’s exposure to data breaches and determined that there is a high level of risk related to the loss of sensitive personal information. She is considering a variety of approaches to managing this risk.

Grace’s first idea is to add a web application firewall to protect her organization against SQL injection attacks. What risk management strategy does this approach adopt?

  1. Risk acceptance
  2. Risk avoidance
  3. Risk mitigation
  4. Risk transference
A

C. Installing new controls or upgrading existing controls is an effort to reduce the probability or magnitude of a risk. This is an example of a risk mitigation activity.

100
Q

Grace recently completed a risk assessment of her organization’s exposure to data breaches and determined that there is a high level of risk related to the loss of sensitive personal information. She is considering a variety of approaches to managing this risk.

Grace is considering dropping the customer activities that collect and store sensitive personal information. What risk management strategy would Grace’s approach use?

  1. Risk acceptance
  2. Risk avoidance
  3. Risk mitigation
  4. Risk transference
A

B. Changing business processes or activities to eliminate a risk is an example of risk avoidance.

101
Q

Grace recently completed a risk assessment of her organization’s exposure to data breaches and determined that there is a high level of risk related to the loss of sensitive personal information. She is considering a variety of approaches to managing this risk.

Grace’s company decided to install the web application firewall and continue doing business. They are still worried about other risks to the information that were not addressed by the firewall and are considering purchasing an insurance policy to cover those risks. What strategy does this use?

  1. Risk acceptance
  2. Risk avoidance
  3. Risk mitigation
  4. Risk transference
A

D. Insurance policies use a risk transference strategy by shifting some or all of the financial risk from the organization to an insurance company.

102
Q

Grace recently completed a risk assessment of her organization’s exposure to data breaches and determined that there is a high level of risk related to the loss of sensitive personal information. She is considering a variety of approaches to managing this risk.

In the end, Grace found that the insurance policy was too expensive and opted not to purchase it. She is taking no additional action. What risk management strategy is Grace using in this situation?

  1. Risk acceptance
  2. Risk avoidance
  3. Risk mitigation
  4. Risk transference
A

A. When an organization decides to take no further action to address the remaining risk, they are choosing a strategy of risk acceptance.

103
Q

Under the European Union’s GDPR, what term is assigned to the individual who leads an organization’s privacy efforts?

  1. Data protection officer
  2. Data controller
  3. Data steward
  4. Data processor
A

A. Under the General Data Protection Regulation (GDPR), the data protection officer (DPO) is an individual who is assigned the direct responsibility for carrying out an organization’s privacy program.

104
Q

Helen’s organization maintains medical records on behalf of its customers, who are individual physicians. What term best describes the role of Helen’s organization?

  1. Data processor
  2. Data controller
  3. Data owner
  4. Data steward
A

A. In this case, the physicians maintain the data ownership role. They have chosen to outsource data processing to Helen’s organization, making that organization a data processor.

105
Q

Gene recently conducted an assessment and determined that his organization can be without its main transaction database for a maximum of two hours before unacceptable damage occurs to the business. What metric has Gene identified?

  1. MTBF
  2. MTTR
  3. RTO
  4. RPO
A

C. The recovery time objective (RTO) is the amount of time that the organization can tolerate a system being down before it is repaired. That is the metric that Gene has identified in this scenario.

106
Q

Tina works for a hospital system and manages the system’s patient records. What category of personal information best describes the information that is likely to be found in those records?

  1. PCI
  2. PHI
  3. PFI
  4. PII
A

B. This is a tricky question as it is possible to find all of these categories of information in patient records. However, they are most likely to contain protected health information (PHI). PHI could also be described as a subcategory of personally identifiable information (PII), but PHI is a better description. It is also possible that the records might contain payment card information (PCI) or personal financial information (PFI), but that is less likely than PHI.

107
Q

Asa believes that her organization is taking data collected from customers for technical support and using it for marketing without their permission. What principle is most likely being violated?

  1. Data minimization
  2. Data retention
  3. Purpose limitation
  4. Data sovereignty
A

C. Organizations should only use data for the purposes disclosed during the collection of that data. In this case, the organization collected data for technical support purposes and is now using it for marketing purposes. That violates the principle of purpose limitation.

108
Q

Which one of the following U.S. government classification levels requires the highest degree of security control?

  1. Secret
  2. Confidential
  3. Top Secret
  4. Unclassified
A

C. Top Secret is the highest level of classification under the U.S. system and, therefore, requires the highest level of security control.

109
Q

Which of the following data protection techniques is reversible when conducted properly?

  1. Tokenization
  2. Masking
  3. Hashing
  4. Shredding
A

A. Tokenization techniques use a lookup table and are designed to be reversible. Masking and hashing techniques replace the data with values that can’t be reversed back to the original data if performed properly. Shredding, when conducted properly, physically destroys data so that it may not be recovered.

110
Q

What term is given to an individual or organization who determines the reasons for processing personal information?

  1. Data steward
  2. Data controller
  3. Data processor
  4. Data custodian
A

B. Data controllers are the entities who determine the reasons for processing personal information and direct the methods of processing that data. This term is used primarily in European law, and it serves as a substitute for the term data owner to avoid a presumption that anyone who collects data has an ownership interest in that data.

111
Q

Brian recently conducted a risk mitigation exercise and has determined the level of risk that remains after implementing a series of controls. What term best describes this risk?

  1. Inherent risk
  2. Control risk
  3. Risk appetite
  4. Residual risk
A

D. The residual risk is the risk that remains after an organization implements controls designed to mitigate, avoid, and/or transfer the inherent risk.

112
Q

Be able to describe several key attributes in which threat actors differ.

A

We can classify threat actors using four major criteria. First, threat actors may be internal to the organization, or they may come from external sources. Second, threat actors differ in their level of sophistication and capability. Third, they differ in their available resources and funding. Finally, different threat actors have different motivations and levels of intent.

113
Q

Know the many different sources of threat actors.

A

Threat actors may be very simplistic in their techniques, such as script kiddies using exploit code written by others, or quite sophisticated, such as the advanced persistent threat posed by nation-state actors and criminal syndicates. Hacktivists may seek to carry out political agendas, whereas competitors may seek financial gain. We can group hackers into white-hat, gray-hat, and black-hat categories based on their motivation and authorization.

114
Q

Be able to explain how attackers exploit different vectors to gain initial access to an organization.

A

Attackers may attempt to gain initial access to an organization remotely over the Internet, through a wireless connection, or by attempting direct physical access. They may also approach employees over email or social media. Attackers may seek to use removable media to trick employees into unintentionally compromising their networks, or they may seek to spread exploits through cloud services. Sophisticated attackers may attempt to interfere with an organization’s supply chain.

115
Q

Know how threat intelligence provides organizations with valuable insight into the threat landscape.

A

Security teams may leverage threat intelligence from public and private sources to learn about current threats and vulnerabilities. They may seek out detailed indicators of compromise and perform predictive analytics on their own data. Threat intelligence teams often supplement open source and closed source intelligence that they obtain externally with their own research.

116
Q

Be able to explain why security teams must monitor supply chain risks.

A

Modern enterprises depend on hardware, software, and cloud service vendors to deliver IT services to their internal and external customers. Vendor management techniques protect the supply chain against attackers seeking to compromise these external links into an organization’s network. Security professionals should pay particular attention to risks posed by outsourced code development, cloud data storage, and integration between external and internal systems.

117
Q

Which of the following measures is not commonly used to assess threat intelligence?

  1. Timeliness
  2. Detail
  3. Accuracy
  4. Relevance
A

B. Although higher levels of detail can be useful, they aren’t a common measure used to assess threat intelligence. Instead, the timeliness, accuracy, and relevance of the information are considered critical to determining whether you should use the threat information.

118
Q

What language is STIX based on?

  1. PHP
  2. HTML
  3. XML
  4. Python
A

C. STIX is an XML-based language, allowing it to be easily extended and modified while also using standard XML-based editors, readers, and other tools.

119
Q

Kolin is a penetration tester who works for a cybersecurity company. His firm was hired to conduct a penetration test against a health-care system, and Kolin is working to gain access to the systems belonging to a hospital in that system. What term best describes Kolin’s work?

  1. White hat
  2. Gray hat
  3. Green hat
  4. Black hat
A

A. Attacks that are conducted as part of an authorized penetration test are white-hat hacking attacks, regardless of whether they are conducted by internal employees or an external firm. Kolin is, therefore, engaged in white-hat hacking. If he were acting on his own, without authorization, his status would depend on his intent. If he had malicious intent, his activity would be considered black-hat hacking. If he simply intended to report vulnerabilities to the hospital, his attack would be considered gray hat. Green hat is not a commonly used category of attacker.

120
Q

Which one of the following attackers is most likely to be associated with an APT?

  1. Nation-state actor
  2. Hacktivist
  3. Script kiddie
  4. Insider
A

A. Advanced persistent threats (APTs) are most commonly associated with nation-state actors. It is unlikely that an APT group would leverage the unsophisticated services of a script kiddie. It is also unlikely that a hacktivist would have access to APT resources. Although APTs may take advantage of insider access, they are most commonly associated with nation-state actors.

121
Q

What organizations did the U.S. government help create to share knowledge between organizations in specific verticals?

  1. DHS
  2. SANS
  3. CERTs
  4. ISACs
A

D. The U.S. government created the Information Sharing and Analysis Centers (ISACs). ISACs help infrastructure owners and operators share threat information, and they provide tools and assistance to their members.

122
Q

Which of the following threat actors typically has the greatest access to resources?

  1. Nation-state actors
  2. Organized crime
  3. Hacktivists
  4. Insider threats
A

A. Nation-state actors are government-sponsored, and they typically have the greatest access to resources, including tools, money, and talent.

123
Q

Of the threat vectors shown here, which one is most commonly exploited by attackers who are at a distant location?

  1. Email
  2. Direct access
  3. Wireless
  4. Removable media
A

A. Email is the most common threat vector exploited by attackers who use phishing and other social engineering tactics to gain access to an organization. The other vectors listed here—direct access, wireless, and removable media—all require physical proximity to an organization and are not easily executed from a remote location.

124
Q

Which one of the following is the best example of a hacktivist group?

  1. Chinese military
  2. U.S. government
  3. Russian mafia
  4. Anonymous
A

D. The Chinese military and U.S. government are examples of nation-state actors and advanced persistent threats (APTs). The Russian mafia is an example of a criminal syndicate. Anonymous is the world’s most prominent hacktivist group.

125
Q

What type of assessment is particularly useful for identifying insider threats?

  1. Behavioral
  2. Instinctual
  3. Habitual
  4. IOCs
A

A. Behavioral assessments are very useful when you are attempting to identify insider threats. Since insider threats are often hard to distinguish from normal behavior, the context of the actions performed—such as after-hours logins, misuse of credentials, logins from abnormal locations, or abnormal patterns—and other behavioral indicators are often used.

126
Q

Cindy wants to send threat information via a standardized protocol specifically designed to exchange cyberthreat information. What should she choose?

  1. STIX 1.0
  2. OpenIOC
  3. STIX 2.0
  4. TAXII
A

D. TAXII, the Trusted Automated Exchange of Intelligence Information protocol, is specifically designed to communicate cyberthreat information at the application layer. OpenIOC is a compromise indicator framework, and STIX is a threat description language.

127
Q

Greg believes that an attacker may have installed malicious firmware in a network device before it was provided to his organization by the supplier. What type of threat vector best describes this attack?

  1. Supply chain
  2. Removable media
  3. Cloud
  4. Direct access
A

A. Tampering with equipment before it reaches the intended user is an example of a supply chain threat. It is also possible to describe this attack as a direct access attack because it involved physical access to the device, but supply chain is a more relevant answer. You should be prepared to select the best possible choice from several possible correct answers when you take the exam. Exam questions often use this type of misdirection.

128
Q

Ken is conducting threat research on Transport Layer Security (TLS) and would like to consult the authoritative reference for the protocol’s technical specification. What resource would best meet his needs?

  1. Academic journal
  2. Internet RFCs
  3. Subject matter experts
  4. Textbooks
A

B. All of these resources might contain information about the technical details of TLS, but Internet Request for Comments (RFC) documents are the definitive technical standards for Internet protocols. Consulting the RFCs would be Ken’s best option.

129
Q

Wendy is scanning cloud-based repositories for sensitive information. Which one of the following should concern her most if discovered in a public repository?

  1. Product manuals
  2. Source code
  3. API keys
  4. Open source data
A

C. All of these items could be concerning, depending on the circumstances. However, API keys should never be found in public repositories because they may grant unauthorized individuals access to information and resources.

130
Q

Which one of the following threat research tools is used to visually display information about the location of threat actors?

  1. Threat map
  2. Predictive analysis
  3. Vulnerability feed
  4. STIX
A

A. Threat maps are graphical tools that display information about the geographic locations of attackers and their targets. These tools are most often used as interesting marketing gimmicks, but they can also help identify possible threat sources.

131
Q

Vince recently received the hash values of malicious software that several other firms in his industry found installed on their systems after a compromise. What term best describes this information?

  1. Vulnerability feed
  2. IoC
  3. TTP
  4. RFC
A

B. Specific details of attacks that may be used to identify compromises are known as indicators of compromise (IoCs). This data may also be described as an adversary tactic, technique, or procedure (TTP), but the fact that it is a set of file signatures makes it more closely match the definition of an IoC.

132
Q

Ursula recently discovered that a group of developers are sharing information over a messaging tool provided by a cloud vendor but not sanctioned by her organization. What term best describes this use of technology?

  1. Shadow IT
  2. System integration
  3. Vendor management
  4. Data exfiltration
A

A. The developers in question are using unapproved technology for business purposes. This is the classic definition of shadow IT. It is possible to describe this as data exfiltration, but there is no indication that data security has been compromised, so shadow IT is a better description here. Remember, you will often be asked to choose the best answer from multiple correct answers on the exam.

133
Q

Tom’s organization recently learned that his vendor is discontinuing support for their customer relationship management (CRM) system. What should concern Tom the most from a security perspective?

  1. Unavailability of future patches
  2. Lack of technical support
  3. Theft of customer information
  4. Increased costs
A

A. Tom’s greatest concern should be that running unsupported software exposes his organization to the risk of new, unpatchable vulnerabilities. It is certainly true that Tom will no longer receive technical support, but this is a less important issue from a security perspective. There is no indication in this scenario that discontinuing the product will result in the theft of customer information or increased costs.

134
Q

Which one of the following information sources would not be considered an OSINT source?

  1. DNS lookup
  2. Search engine research
  3. Port scans
  4. WHOIS queries
A

C. Port scans are an active reconnaissance technique that probes target systems and would not be considered open source intelligence (OSINT). Search engine research, DNS lookups, and WHOIS queries are all open source resources.

135
Q

Edward Snowden was a government contractor who disclosed sensitive government documents to journalists to uncover what he believed were unethical activities. Which two of the following terms best describe Snowden’s activities? (Choose two.)

  1. Insider
  2. State actor
  3. Hacktivist
  4. APT
  5. Organized crime
A

A, C. As a government contractor, Snowden had authorized access to classified information and exploited this access to make an unauthorized disclosure of that information. This clearly makes him fit into the category of an insider. He did so with political motivations, making him fit the category of hacktivist as well.

136
Q

Renee is a cybersecurity hobbyist. She receives an email about a new web-based grading system being used by her son’s school and she visits the site. She notices that the URL for the site looks like this:

https://www.myschool.edu/grades.php&studentID=1023425

She realizes that 1023425 is her son’s student ID number and then attempts to access the following similar URLs:

https://www.myschool.edu/grades.php&studentID=1023423
https://www.myschool.edu/grades.php&studentID=1023424
https://www.myschool.edu/grades.php&studentID=1023426
https://www.myschool.edu/grades.php&studentID=1023427

When she does so, she accesses the records of other students. She closes the records and immediately informs the school principal of the vulnerability. What term best describes Renee’s work?

  1. White-hat hacking
  2. Green-hat hacking
  3. Gray-hat hacking
  4. Black-hat hacking
A

C. Renee was not authorized to perform this security testing, so her work does not fit into the category of white-hat hacking. However, she also does not have malicious intent, so her work cannot be categorized as a black-hat attack. Instead, it fits somewhere in between the two extremes and would best be described as gray-hat hacking.

137
Q

Know how metrics are used to assess the efficiency and effectiveness of the information security program.

A

Key performance indicators (KPIs) are metrics that demonstrate the success of the security program in achieving its objectives. KPIs look at historical performance. Key goal indicators (KGIs) measure progress toward defined goals. Key risk indicators (KRIs) try to quantify the security risk facing an organization. KRIs look forward at future potential risks.

138
Q

Be able to explain how security training and awareness ensures that individuals understand their responsibilities.

A

Security training programs impart new knowledge to employees and other stakeholders. They should be tailored to meet the specific requirements of an individual’s role in the organization. Security awareness programs seek to remind users of the information they have already learned, keeping their security responsibilities top-of-mind.

139
Q

Know that security managers are people managers.

A

Security managers lead a team of professionals and are responsible for the motivation, development, and management of those team members. This includes providing training that helps employees keep their skills current and certifications that help employees validate their skills.

140
Q

Know that security managers are financial managers.

A

Security managers bear responsibility for managing a budget allocated to the information security program. They must understand how the fiscal year used by their organization affects funds availability and how to work within the budgeting and accounting processes used by their organization.

141
Q

Be able to explain how information security must work closely with other business functions.

A

Security managers should cultivate relationships with other business leaders to ensure that security is well integrated with other business functions. This includes integrating with the human resources function for employee hiring, transfers, and termination. It also includes aligning with procurement and accounting functions for product and service acquisitions. Security leaders should also work carefully with other information technology leaders and the organization’s auditors.

142
Q

Which one of the following elements is least likely to be found in an information security program charter?

  1. Scope statement
  2. Project schedule
  3. Roles and responsibilities
  4. Governance structure
A

B. Information security program charters commonly contain high-level organizational items, such as a scope statement, statement of roles and responsibilities, and description of the governance structure. A project schedule is a more tactical document that would not normally be included in a program-level charter due to its changing nature.

143
Q

Victoria’s organization has a disconnect between the human resources function and the information security function. As a result, employee transfers are not being properly handled. What is the greatest security risk resulting from this situation?

  1. Privilege escalation
  2. Separation of duties
  3. Privilege creep
  4. Two-person control
A

C. Privilege creep occurs when an employee transfers within the organization and does not have their old privileges revoked. Privilege creep may occur when transfers are not properly processed and, if left unchecked, violates the principle of least privilege.

144
Q

Leo is responsible for managing his organization’s information security budget. Which one of the following circumstances is the most preferred situation?

  1. Expenses greatly exceed budget.
  2. Expenses slightly exceed budget.
  3. Expenses are slightly under budget.
  4. Expenses are greatly under budget.
A

C. The best-case scenario is that expenses are close to the budgeted amount but do not exceed the actual budget. Budget overages are difficult because funds may not be available to cover all expenses. When expenses are significantly under budget, the organization suffers an opportunity cost because those funds could have been used for other purposes or returned to shareholders as profit.

145
Q

Andrew is concerned that his security program is not well aligned with business goals and would like to convene a group to help guide his work. What type of group would best meet his needs?

  1. Change advisory board (CAB)
  2. Senior leadership
  3. Board
  4. Steering committee
A

D. Steering committees help facilitate alignment between security and business objectives. The security manager can convene a group that represents business units and get their input in the development of security plans. The change advisory board (CAB) is designed to manage change requests, not to provide input on security activities. Senior leadership teams and the board operate at an executive level and would not likely have the time or expertise to participate in this effort.

146
Q

Norma is developing a new information security standard for her organization and would like to ensure that the policy has appropriate authority and goes through an appropriate approval process. Where should she look to verify this is the case?

  1. Scope statement
  2. RFC
  3. NDA
  4. Charter
A

D. The information security program charter should contain program documentation procedures that formalize how the organization will establish, communicate, and maintain information security standards and other documents. This would not be found in a short scope statement, a request for change (RFC), or a nondisclosure agreement (NDA).

147
Q

Dan would like to add a new element to his organization’s information security awareness program. Which one of the following tools would be most appropriate?

  1. End user training
  2. Certification
  3. Capture the flag
  4. Posters
A

D. Awareness efforts are not designed to impart new knowledge but simply to remind employees of security information they have already learned. Of the techniques listed here, only posters are an awareness mechanism. All of the other techniques are training tools designed to impart new knowledge.

148
Q

Alexis is working to develop standard language for use with vendors that will ensure that her organization retains ownership of data handled by the vendor. Where would be the best location to include this language?

  1. Contract
  2. NDA
  3. MOU
  4. SOW
A

A. Data ownership language should be legally binding and part of the master agreement with the vendor. As it is such an important topic, it should be included in the formal contract with the vendor. It is not appropriate subject matter for a nondisclosure agreement (NDA) that focuses on confidentiality or a less formal vehicle, such as a memorandum of understanding (MOU) or statement of work (SOW).

149
Q

Bob is developing a set of measures designed to evaluate how well the information security program in his organization is functioning. He will provide monthly reporting on these metrics, looking back at the program’s functioning over the past month. What term best describes these metrics?

  1. KMIs
  2. KGIs
  3. KRIs
  4. KPIs
A

D. Key performance indicators (KPIs) are metrics that demonstrate the success of the security program in achieving its objectives. KPIs are mutually agreed-upon measures that evaluate whether a security program is meeting its defined goals. Generally speaking, KPIs are a look back at historical performance, providing a measuring stick to evaluate the past success of the program. Key goal indicators (KGIs) are similar to KPIs but measure progress toward defined goals. For example, if an organization has a goal to eliminate all stored Social Security numbers (SSNs), a KGI might track the percentage of SSNs removed. Key risk indicators (KRIs) are measures that seek to quantify the security risk facing an organization. KRIs, unlike KPIs and KGIs, are a look forward. They attempt to show how much risk exists that may jeopardize the future security of the organization. KMIs are not a standard metric for cybersecurity programs.

150
Q

Tanya is hiring a new incident analyst to help supplement the capabilities of her team. She is identifying the line item in her budget that will cover the salary and benefits for this new employee. What term best describes this expense?

  1. One-time
  2. Capital
  3. Unbudgeted
  4. Operational
A

D. This is an operational expense, since it is a payroll expenditure, rather than a large purchase of capital equipment. The cost of hiring an employee is a recurring cost, rather than a one-time cost. The scenario does not identify whether the expense was budgeted or unbudgeted.

151
Q

Gary’s organization uses a fiscal year budgeting system, with the fiscal year beginning on January 1. He is planning for an expense that will occur in June 2024. During what fiscal and calendar year will this expense occur?

  1. CY24 and FY24
  2. CY24 and FY25
  3. CY24 and FY23
  4. CY25 and FY24
A

A. Gary’s organization uses a fiscal year beginning on January 1. This means that the fiscal year and calendar year are aligned and they will always be the same. June 2024 is a month during the calendar year 2024 and, because the fiscal year is aligned with the calendar year, it is also the fiscal year 2024.

152
Q

The Acme Widgets Company is putting new controls in place for its accounting department. Management is concerned that a rogue accountant may be able to create a new false vendor and then issue checks to that vendor as payment for services that were never rendered. What security control can best help prevent this situation?

  1. Mandatory vacation
  2. Separation of duties
  3. Defense in depth
  4. Job rotation
A

B. When following the separation of duties principle, organizations divide critical tasks into discrete components and ensure that no one individual has the ability to perform both actions. This prevents a single rogue individual from performing that task in an unauthorized manner.

153
Q

An accounting employee at Doolittle Industries was recently arrested for participation in an embezzlement scheme. The employee transferred money to a personal account and then shifted funds around between other accounts every day to disguise the fraud for months. Which one of the following controls might have best allowed the earlier detection of this fraud?

  1. Separation of duties
  2. Least privilege
  3. Defense in depth
  4. Mandatory vacation
A

D. Mandatory vacation programs require that employees take continuous periods of time off each year and revoke their system privileges during that time. The purpose of these required vacation periods is to disrupt any attempt to engage in the cover-up actions necessary to hide fraud, thereby exposing the threat. Separation of duties, least privilege, and defense-in-depth controls all may help prevent the fraud in the first place but are unlikely to speed the detection of fraud that has already occurred.

154
Q

After completing the first year of his security awareness program, Charles reviews the data about how many personnel completed training compared to how many were assigned the training to determine whether he hit the 95 percent completion rate he was aiming for. What is this type of measure called?

  1. A KPI
  2. A metric
  3. An awareness control
  4. A return on investment rate
A

A. Charles is tracking a key performance indicator (KPI). A KPI is used to measure performance (and success). Without a definition of success, this would simply be a metric, but Charles is working toward a known goal and can measure against it. There is no return on investment calculation in this problem, and the measure is not a control.

155
Q

Which one of the following efforts allows security professionals to validate their knowledge to current and potential employers?

  1. Training
  2. Certification
  3. Awareness
  4. Accreditation
A

B. Certifications help employees validate their skills and are an important recruiting and retention tool. Training programs help employees keep their skills current and develop skills in new areas of cybersecurity. Awareness efforts are meant to reinforce security knowledge. Accreditation processes are used to formally certify systems in government and military applications.

156
Q

Which one of the following statements about change management programs is correct?

  1. All changes must be approved by the change advisory board (CAB).
  2. Minor changes do not require an RFC.
  3. Some RFCs may be immediately approved on an automated basis.
  4. The primary purpose of change management is to create a paper trail to support audits.
A

C. In a formal change management program, all changes require an RFC, no matter how minor. However, some routine changes have preapproved status and may be made as soon as the RFC is submitted. RFCs for these changes are automatically approved. Once someone submits an RFC for review, it must be approved by a relevant authority. For minor changes, this may simply be the person’s manager. In the case of major changes, the organization’s CAB may review and approve the change. The primary purpose of change management is to minimize the probability and impact of disruptions to IT services due to changes. Change management does support audits, but this is not the primary purpose of the function.

157
Q

Wendy is designing a pre-employment screening program for her organization. Which one of the following screening techniques is commonly omitted due to legal and privacy concerns?

  1. Credit checks
  2. Criminal background checks
  3. Reference checks
  4. Education verification
A

A. Background screening often includes criminal background checks, sex offender registry lookups, reference checks, and employment/education verification. In some cases, organizations may perform credit checks to further investigate an employee’s background, although obtaining and using this information requires written consent and is heavily regulated, so many organizations skip this part of the screening process.

158
Q

Elliott is evaluating a new content management system that an outside service provider will host for his organization. What is the most appropriate minimum security standard for him to require of possible vendors?

  1. Handling information in the same manner the organization would
  2. Compliance with the vendor’s own policies
  3. Compliance with all laws and regulations
  4. Elimination of all identified security risks
A

A. The most appropriate standard to use as a baseline when evaluating vendors is to determine whether the vendor’s security controls meet the organization’s own standards. Compliance with laws and regulations should be included in that requirement and is a necessary, but not sufficient, condition for working with the vendor. Vendor compliance with their own policies also fits into the category of necessary, but not sufficient, controls, since the vendor’s policy may be weaker than the organization’s own requirements. The elimination of all identified security risks is an impossible requirement for a potential vendor to meet.

159
Q

Abe works for an organization that has several subsidiaries that operate independently. Those subsidiaries report to different leaders and have their own independent security programs. If the governance model does not change, what would be the appropriate way for Abe’s security program to address this situation?

  1. Limit the objectives of his program.
  2. Limit the scope of his program.
  3. Include the subsidiaries in his program.
  4. Replace the subsidiary programs with his own.
A

B. The current governance structure allows these subsidiaries to remain independent. Therefore, it is not appropriate to include them in the parent organization’s program or replace their programs. Instead, Abe should limit the portion of the organization included in his program, which is a limitation of scope.

160
Q

Sally is developing a set of metrics that will help her organization assess changes in the threat environment and adjust their security program accordingly. What type of metrics is she developing?

  1. KMIs
  2. KGIs
  3. KRIs
  4. KPIs
A

C. Key risk indicators (KRIs) are measures that seek to quantify the security risk facing an organization. KRIs, unlike KPIs and KGIs, are a look forward. They attempt to show how much risk exists that may jeopardize the future security of the organization. Key performance indicators (KPIs) are metrics that demonstrate the success of the security program in achieving its objectives. KPIs are mutually agreed-upon measures that evaluate whether a security program is meeting its defined goals. Generally speaking, KPIs are a look back at historical performance, providing a measuring stick to evaluate the past success of the program. Key goal indicators (KGIs) are similar to KPIs but measure progress toward defined goals. For example, if an organization has a goal to eliminate all stored Social Security numbers (SSNs), a KGI might track the percentage of SSNs removed. KMIs are not a standard metric for cybersecurity programs.

161
Q

Tia recently created a set of high-level security metrics for senior leaders who need to understand the effectiveness of the security program. What would be the best way for her to communicate these metrics?

  1. Continue to post them on a dashboard that is available to stakeholders to peruse at their convenience.
  2. Provide stakeholders with access to a web page that contains detailed security metrics.
  3. Email a copy of the dashboard to stakeholders periodically.
  4. Provide reporting to stakeholders that contextualizes these metrics.
A

D. One common mistake made by information security managers is to develop a dashboard or web page with updated metrics and then simply inform stakeholders that they may view those metrics whenever they like. This approach has two major drawbacks. First, stakeholders who are not involved in security on a day-to-day basis are unlikely to revisit the site unless prompted to do so periodically. Second, providing metrics is only one piece of the picture. Security managers should also provide context for those metrics to explain changes and update stakeholders on the progress of the program.

162
Q

Be able to list the vulnerabilities that exist in modern computing environments.

A

Cybersecurity professionals should remain aware of the risks posed by vulnerabilities both on-premises and in the cloud. Improper or weak patch management can be the source of many of these vulnerabilities, providing attackers with a path to exploit operating systems, applications, and firmware. Weak configuration settings that create vulnerabilities include open permissions, unsecured root accounts, errors, weak encryption settings, insecure protocol use, default settings, and open ports and services. When a scan detects a vulnerability that does not exist, the report is known as a false positive. When a scan does not detect a vulnerability that actually exists, the report is known as a false negative.

163
Q

Know the purpose of threat hunting.

A

Threat hunting activities presume that an organization is already compromised and search for indicators of those compromises. Threat hunting efforts include the use of advisories, bulletins, and threat intelligence feeds in an intelligence fusion program. They search for signs that attackers gained initial access to a network and then conducted maneuver activities on that network.

164
Q

Know the purpose of vulnerability scans.

A

Vulnerability scans leverage application, network, and web application testing to check for known issues. These scans may be conducted in a credentialed or noncredentialed fashion and may be intrusive or nonintrusive, depending on the organization’s needs. Analysts reviewing scans should also review logs and configurations for additional context.

165
Q

Describe how penetration testing places security professionals in the role of attackers.

A

Penetration tests may be conducted in a manner that provides the testers with full access to information before the test (white box), no information at all (black box), or somewhere in between those two extremes (gray box). Testers conduct tests within the rules of engagement and normally begin with reconnaissance efforts, including war driving, war flying, footprinting, and open source intelligence (OSINT). They use this information to gain initial access to a system. From there, they seek to conduct privilege escalation to increase their level of access and lateral movement/pivoting to expand their access to other systems. They seek to achieve persistence to allow continued access after the vulnerability they initially exploited is patched. At the conclusion of the test, they conduct cleanup activities to restore systems to normal working order and remove traces of their activity.

166
Q

Describe how bug bounty programs incentivize vulnerability reporting.

A

Bug bounty programs allow external security professionals to probe the security of an organization’s public-facing systems. Testers who discover vulnerabilities are provided with financial rewards for their participation. This approach is a good way to motivate hackers to work for good, rather than using discovered vulnerabilities against a target.

167
Q

Know how to use cybersecurity exercises to ensure that teams are prepared for security incidents.

A

Exercises are designed to test the skills of security professionals. Blue teams are responsible for managing the organization’s defenses. Offensive hacking is used by red teams as they attempt to gain access to systems on the target network. White teams serve as the neutral moderators of the exercise. Purple teaming is conducted after an exercise to bring together the red and blue teams for knowledge sharing.

168
Q

Which one of the following security assessment techniques assumes that an organization has already been compromised and searches for evidence of that compromise?

  1. Vulnerability scanning
  2. Penetration testing
  3. Threat hunting
  4. War driving
A

C. Threat hunting is an assessment technique that makes an assumption of compromise and then searches the organization for indicators of compromise that confirm the assumption. Vulnerability scanning, penetration testing, and war driving are all assessment techniques that probe for vulnerabilities but do not assume that a compromise has already taken place.

169
Q

Renee is configuring her vulnerability management solution to perform credentialed scans of servers on her network. What type of account should she provide to the scanner?

  A. Domain administrator
  B. Local administrator
  C. Root
  D. Read-only
A

D. Credentialed scans require only read-only access to target servers. Renee should follow the principle of least privilege and limit the access available to the scanner.

170
Q

Ryan is planning to conduct a vulnerability scan of a business-critical system using dangerous plug-ins. What would be the best approach for the initial scan?

  A. Run the scan against production systems to achieve the most realistic results possible.
  B. Run the scan during business hours.
  C. Run the scan in a test environment.
  D. Do not run the scan to avoid disrupting the business.
A

C. Ryan should first run his scan against a test environment to identify likely vulnerabilities and assess whether the scan itself might disrupt business activities.

171
Q

Tina is searching for potential gaps in her organization’s incident response plan and gathers the team together for an exercise. They do not use any actual IT systems (production or test) in their work but simply discuss how they would respond to a scenario. What term best describes this test?

  A. Red team exercise
  B. Blue team exercise
  C. Tabletop exercise
  D. Purple team exercise
A

C. The scenario does not provide us with enough information to determine whether this exercise involved red team, blue team, or purple team tactics, and in fact, those exercises typically involve live access to systems. Tabletop exercises, on the other hand, are designed to walk teams through a scenario, and that is what Tina is doing in this instance.

172
Q

Tara recently analyzed the results of a vulnerability scan report and found that a vulnerability reported by the scanner did not exist because the system was actually patched as specified. What type of error occurred?

  A. False positive
  B. False negative
  C. True positive
  D. True negative
A

A. A false positive error occurs when the vulnerability scanner reports a vulnerability that does not actually exist.

173
Q

Brian ran a penetration test against a school’s grading system and discovered a flaw that would allow students to alter their grades by exploiting a SQL injection vulnerability. What type of control should he recommend to the school’s cybersecurity team to prevent students from engaging in this type of activity?

  A. Confidentiality
  B. Integrity
  C. Alteration
  D. Availability
A

B. By allowing students to change their own grades, this vulnerability provides a pathway to unauthorized alteration of information. Brian should recommend that the school deploy integrity controls that prevent unauthorized modifications.

174
Q

Which one of the following is least likely to affect the type and frequency of vulnerability scans run by an organization?

  A. Technical constraints
  B. License limitations
  C. Regulatory requirements
  D. Holidays
A

D. There is no reason that an organization can’t run vulnerability scans on weekends or holidays. On the other hand, vulnerability scan possibilities may be limited by technical constraints, regulatory requirements, and license limitations.

175
Q

During a vulnerability scan, Brian discovered that a system on his network contained this vulnerability:

What security control, if deployed, would likely have addressed this issue?

  A. Patch management
  B. File integrity monitoring
  C. Intrusion detection
  D. Threat hunting
A

A. This vulnerability is corrected by a patch that was released by Microsoft in 2017. A strong patch management program would have identified and remediated the missing patch.

176
Q

Which one of the following tools is most likely to detect an XSS vulnerability?

  A. Static application test
  B. Web application vulnerability scanner
  C. Intrusion detection system
  D. Network vulnerability scanner
A

B. Intrusion detection systems do not detect vulnerabilities; they detect attacks. The remaining three tools could all possibly discover a cross-site scripting (XSS) vulnerability, but a web application vulnerability scanner is the most likely to detect it because it is specifically designed to test web applications.

177
Q

During a penetration test, Patrick deploys a toolkit on a compromised system and uses it to gain access to other systems on the same network. What term best describes this activity?

  A. Lateral movement
  B. Privilege escalation
  C. Footprinting
  D. OSINT
A

A. Moving from one compromised system to other systems on the same network is known as lateral movement. Privilege escalation attacks increase the level of access that an attacker has to an already compromised system. Footprinting and OSINT are reconnaissance techniques.

178
Q

Kevin is participating in a security exercise for his organization. His role in the exercise is to use hacking techniques to attempt to gain access to the organization’s systems. What role is Kevin playing in this exercise?

  A. Red team
  B. Blue team
  C. Purple team
  D. White team
A

A. Offensive hacking is used by red teams as they attempt to gain access to systems on the target network. Blue teams are responsible for managing the organization’s defenses. White teams serve as the neutral moderators of the exercise. Purple teaming is conducted after an exercise to bring together the red and blue teams for knowledge sharing.

179
Q

Which one of the following assessment techniques is designed to solicit participation from external security experts and reward them for discovering vulnerabilities?

  A. Threat hunting
  B. Penetration testing
  C. Bug bounty
  D. Vulnerability scanning
A

C. Bug bounty programs are designed to allow external security experts to test systems and uncover previously unknown vulnerabilities. Bug bounty programs offer successful testers financial rewards to incentivize their participation.

180
Q

Kyle is conducting a penetration test. After gaining access to an organization’s database server, he installs a backdoor on the server to grant himself access in the future. What term best describes this action?

  A. Privilege escalation
  B. Lateral movement
  C. Maneuver
  D. Persistence
A

D. Backdoors are a persistence tool, designed to make sure that the attacker’s access persists after the original vulnerability is remediated. Kyle can use this backdoor to gain access to the system in the future, even if the original exploit that he used to gain access is no longer effective.

181
Q

Which one of the following techniques would be considered passive reconnaissance?

  A. Port scans
  B. Vulnerability scans
  C. WHOIS lookups
  D. Footprinting
A

C. WHOIS lookups use external registries and are an example of open source intelligence (OSINT), which is a passive reconnaissance technique. Port scans, vulnerability scans, and footprinting all require active engagement with the target and are, therefore, active reconnaissance.

182
Q

Brandon is conducting a penetration test to detect gaps in his organization’s security controls. While conducting the test, Brandon should adopt which of the following mindsets?

  A. Defender’s mindset
  B. Manager’s mindset
  C. Executive’s mindset
  D. Attacker’s mindset
A

D. Penetration testers must take a very different approach in their thinking. Instead of trying to defend against all possible threats, they only need to find a single vulnerability that they might exploit to achieve their goals. To find these flaws, they must think like the adversary who might attack the system in the real world. This approach is commonly known as adopting the hacker mindset.

183
Q

Bruce is conducting a penetration test for a client. The client provided him with details of their systems in advance. What type of test is Bruce conducting?

  A. Gray-box test
  B. Blue-box test
  C. White-box test
  D. Black-box test
A

C. White-box tests are performed with full knowledge of the underlying technology, configurations, and settings that make up the target. Black-box tests are intended to replicate what an attacker would encounter. Testers are not provided with access to or information about an environment, but instead, they must gather information, discover vulnerabilities, and make their way through an infrastructure or systems as an attacker would. Gray-box tests are a blend of black-box and white-box testing. Blue-box tests are not a type of penetration test.

184
Q

Lila is working on a penetration testing team and she is unsure whether she is allowed to conduct social engineering as part of the test. What document should she consult to find this information?

  A. Contract
  B. Statement of work
  C. Rules of engagement
  D. Lessons learned report
A

C. The rules of engagement provide technical details on the parameters of the test. This level of detail would not normally be found in a contract or statement of work. The lessons learned report is not produced until after the test.

185
Q

Grace would like to determine the operating system running on a system that she is targeting in a penetration test. Which one of the following techniques will most directly provide her with this information?

  A. Port scanning
  B. Footprinting
  C. Vulnerability scanning
  D. Packet capture
A

B. All of these techniques might provide Grace with information about the operating system running on a device. However, footprinting is a technique specifically designed to elicit this information.

186
Q

Phil is conducting a penetration test and has gained access to a target system. The account he has on that system is a standard user account, and Phil is installing a tool that will allow him to gain root access. What term best describes this activity?

  A. Privilege escalation
  B. Lateral movement
  C. Pivoting
  D. Persistence
A

A. Privilege escalation is the act of increasing the level of access that an attacker has to a system. It is a common exploit to launch after gaining initial access to a system in an attempt to gain administrative access (otherwise known as root or superuser access).

187
Q

Jen is conducting a penetration test for a client. The client did not provide her with any details about their systems in advance of the test and Jen is determining this information using reconnaissance techniques. What type of test is Jen performing?

  A. Black box
  B. White box
  C. Gray box
  D. Blue box
A

A. Black-box tests are intended to replicate what an attacker would encounter. Testers are not provided with access to or information about an environment, and instead, they must gather information, discover vulnerabilities, and make their way through an infrastructure or systems like an attacker would. White-box tests are performed with full knowledge of the underlying technology, configurations, and settings that make up the target. Gray-box tests are a blend of black-box and white-box testing. Blue-box tests are not a type of penetration test.

188
Q

Know the role of endpoint security technologies in an enterprise cybersecurity program

A

Antimalware software protects endpoint devices from many different threats. Antimalware software uses signature detection and heuristic detection to prevent malware infections. Endpoint detection and response (EDR) platforms manage the detection, containment, investigation, and remediation of endpoint security incidents. Data loss prevention (DLP) systems prevent the unauthorized exfiltration of sensitive data. Change and configuration management systems maintain secure system configurations, whereas patch management ensures that security updates are consistently applied. System hardening techniques close holes that might be exploited by an attacker.

189
Q

Explain the role of network segmentation.

A

Network segmentation techniques place systems and users of different security levels on different network segments, containing the damage caused by a potential security incident. Firewalls provide segmentation of networks into security zones, whereas VLANs group users and devices by function.

190
Q

Understand the security requirements for routers, switches, and other network devices.

A

Routers and switches must be protected against unauthorized physical access to avoid compromise. Switch security techniques include VLAN pruning, the prevention of VLAN hopping, and port security. Router security techniques include the use of access control lists to filter traffic and quality of service controls to prioritize important network use.

191
Q

Explain the three major cloud service models.

A

In the anything-as-a-service (XaaS) approach to computing, there are three major cloud service models. Infrastructure-as-a-service (IaaS) offerings allow customers to purchase and interact with the basic building blocks of a technology infrastructure. Software-as-a-service (SaaS) offerings provide customers with access to a fully managed application running in the cloud. Platform-as-a-service (PaaS) offerings provide a platform where customers may run applications that they have developed themselves.

192
Q

Describe the four major cloud deployment models.

A

Public cloud service providers deploy infrastructure and then make it accessible to any customers who wish to take advantage of it in a multitenant model. The term private cloud is used to describe any cloud infrastructure that is provisioned for use by a single customer. A community cloud service shares characteristics of both the public and private models. Community cloud services do run in a multitenant environment, but the tenants are limited to members of a specifically designed community. Hybrid cloud is a catch-all term used to describe cloud deployments that blend public, private, and/or community cloud services together.

193
Q

Understand the shared responsibility model of cloud security.

A

Under the shared responsibility model of cloud security, cloud customers must divide responsibilities between one or more service providers and the customers’ own cybersecurity teams. In an IaaS environment, the cloud provider takes on the most responsibility, providing security for everything below the operating system layer. In PaaS, the cloud provider takes over added responsibility for the security of the operating system itself. In SaaS, the cloud provider is responsible for the security of the entire environment, except for the configuration of access controls within the application and the choice of data to store in the service.

194
Q

Understand secure software development concepts.

A

Software should be created using a standardized software development lifecycle that moves software through development, test, staging, and production environments. Developers should understand the issues associated with code reuse and software diversity. Web applications should be developed in alignment with industry-standard principles such as those developed by the Open Web Application Security Project (OWASP).

195
Q

Explain secure code deployment and automation concepts.

A

Code repositories serve as a version control mechanism and centralized authority for the secure provisioning and deprovisioning of code. Developers and operations teams should work together on developing automated courses of action as they implement a DevOps approach to creating and deploying software. Software applications should be designed to support both scalability and elasticity.

196
Q

Understand the goals of cryptography.

A

The four goals of cryptography are confidentiality, integrity, authentication, and nonrepudiation. Confidentiality is the use of encryption to protect sensitive information from prying eyes. Integrity is the use of cryptography to ensure that data is not maliciously or unintentionally altered. Authentication refers to the use of encryption to validate the identity of individuals. Nonrepudiation ensures that individuals can prove to a third party that a message came from its purported sender.

197
Q

Explain the differences between symmetric and asymmetric encryption.

A

Symmetric encryption uses the same shared secret key to encrypt and decrypt information. Users must have some mechanism to exchange these shared secret keys. Asymmetric encryption provides each user with a pair of keys: a public key, which is freely shared, and a private key, which is kept secret. Anything encrypted with one key from the pair may be decrypted with the other key from the same pair.

198
Q

Explain how digital signatures provide nonrepudiation.

A

Digital signatures provide nonrepudiation by allowing a third party to verify the authenticity of a message. Senders create digital signatures by using a hash function to generate a message digest and then encrypting that digest with their own private key. Others may verify the digital signature by decrypting it with the sender’s public key and comparing this decrypted message digest to one that they compute themselves using the hash function on the message.

199
Q

Understand the purpose and use of digital certificates.

A

Digital certificates provide a trusted mechanism for sharing public keys with other individuals. Users and organizations obtain digital certificates from certificate authorities (CAs), who demonstrate their trust in the certificate by applying their digital signature. Recipients of the digital certificate can rely on the public key it contains if they trust the issuing CA and verify the CA’s digital signature.

200
Q

Explain the major components of an identity and access management program.

A

Identity and access management systems perform three major functions: identification, authentication, and authorization. Identification is the process of a user making a claim of identity, such as by providing a username. Authentication allows the user to prove their identity. Authentication may be done using something you know, something you have, or something you are. Multifactor authentication combines different authentication techniques to provide stronger security. Authorization ensures that authenticated users may only perform actions necessary to carry out their assigned responsibilities.

201
Q

In which cloud security model does the cloud service provider bear the most responsibility for implementing security controls?

  A. IaaS
  B. FaaS
  C. PaaS
  D. SaaS
A

D. The cloud service provider bears the most responsibility for implementing security controls in a SaaS environment and the least responsibility in an IaaS environment. This is due to the division of responsibilities under the cloud computing shared responsibility model.

202
Q

Adam is conducting software testing by reviewing the source code of the application. What type of code testing is Adam conducting?

  A. Mutation testing
  B. Static code analysis
  C. Dynamic code analysis
  D. Fuzzing
A

B. Adam is conducting static code analysis by reviewing the source code. Dynamic code analysis requires running the program, and both mutation testing and fuzzing are types of dynamic analysis.

203
Q

Helen would like to configure her organization’s switches so that they do not allow systems connected to a switch to spoof MAC addresses. Which one of the following features would be helpful in this configuration?

  A. Loop protection
  B. Port security
  C. Flood guard
  D. Traffic encryption
A

B. Port security restricts the number of unique MAC addresses that may originate from a single switch port. It is commonly used to prevent someone from unplugging an authorized device from the network and connecting an unauthorized device but may also be used to prevent existing devices from spoofing MAC addresses of other devices.

204
Q

Tim is working on a change to a web application used by his organization to fix a known bug. What environment should he be working in?

  A. Test
  B. Development
  C. Staging
  D. Production
A

B. Developers working on active changes to code should always work in the development environment. The test environment is where the software or systems can be tested without impacting the production environment. The staging environment is a transition environment for code that has successfully cleared testing and is waiting to be deployed into production. The production environment is the live system. Software, patches, and other changes that have been tested and approved move to production.

205
Q

Which one of the following statements about cloud computing is incorrect?

  A. Cloud computing offers ubiquitous, convenient access.
  B. Cloud computing customers store data on hardware that is shared with other customers.
  C. Cloud computing customers provision resources through the service provider’s sales team.
  D. Cloud computing resources are accessed over a network.
A

C. One of the important characteristics of cloud computing is that customers can access resources on-demand with minimal service provider interaction. Cloud customers do not need to contact a sales representative each time they wish to provision a resource but can normally do so on a self-service basis.

206
Q

Patricia is using a computer at a hotel business center, and she is concerned that the operating system on the device may be compromised. What is the best way for her to use this computer in a secure fashion?

  A. Use live boot media
  B. Connect to a VPN
  C. Run a malware scan
  D. Only access secure websites
A

A. If Patricia’s major concern is a compromised operating system, she can bypass the operating system on the device by booting it from live boot media and running her own operating system on the hardware. Running a malware scan may provide her with some information but may not detect all compromises, and Patricia likely does not have the necessary permissions to correct any issues. Using a VPN or accessing secure sites would not protect her against a compromised operating system, as the operating system would be able to view the contents of her communication prior to encryption.

207
Q

Karim is investigating an alert generated by his organization’s NIDS. The system alerted to a distributed denial-of-service attack, and Karim’s investigation revealed that this type of attack did take place. What type of report has the system generated?

  A. False positive
  B. True negative
  C. True positive
  D. False negative
A

C. In a true positive report, the system reports an attack when an attack actually exists. A false positive report occurs when the system reports an attack that did not take place. A true negative report occurs when the system reports no attack and no attack took place. A false negative report occurs when the system does not report an attack that did take place.

208
Q

What type of security solution provides a hardware platform for the storage and management of encryption keys?

  A. HSM
  B. IPS
  C. SIEM
  D. SOAR
A

A. Hardware security modules (HSMs) provide an effective way to manage encryption keys. These hardware devices store and manage encryption keys in a secure manner that prevents humans from ever needing to work directly with the keys.

209
Q

Ryan is investigating a security incident. He believes that the incident is originating from a single system on the Internet and targeting multiple systems on his network. What control could he put in place to stop the incident as quickly as possible?

  A. DDoS mitigation
  B. Host firewall rule
  C. Operating system update
  D. Network firewall rule
A

D. The attack in question could be most quickly stopped with a network firewall rule blocking all traffic from the origin system. Host firewall rules would also address the issue but would be more time-consuming to create on every system. An operating system update would not stop attack traffic. There is also no indication that a DDoS attack is underway, so a DDoS mitigation service would not be helpful.

210
Q

Kevin discovered that his web server was being overwhelmed by traffic, causing a CPU bottleneck. Using the interface offered by his cloud service provider, he added another CPU to the server. What term best describes Kevin’s action?

  A. Elasticity
  B. Horizontal scaling
  C. Vertical scaling
  D. High availability
A

C. This is an example of adding additional capacity to an existing server, which is also known as vertical scaling. Kevin could also have used horizontal scaling by adding additional web servers. Elasticity involves the ability to both add and remove capacity on demand, and though it does describe this scenario, it’s not as good a description as vertical scaling. There is no mention of increasing the server’s availability.

211
Q

Every time Susan checks code into her organization’s code repository, it is tested, validated, and then if accepted is immediately put into production. What is the term for this?

  A. Continuous integration
  B. Continuous delivery
  C. A security nightmare
  D. Agile development
A

B. Although this example includes continuous integration, the important thing to notice is that the code is then deployed into production. This means that Susan is operating in a continuous deployment environment, where code is both continually integrated and deployed. Agile is a development methodology that often uses CI/CD, but we cannot determine if Susan is using an Agile methodology.

212
Q

Tom is building a multifactor authentication system that requires users to enter a passcode and then verifies that their face matches a photo stored in the system. What two factors is this system using?

  A. Something you know and something you have
  B. Something you have and something you know
  C. Something you have and something you are
  D. Something you know and something you are
A

D. Facial recognition technology is an example of a biometric authentication technique, or “something you are.” A passcode is an example of a knowledge-based authentication technique, or “something you know.”

213
Q

Frank is evaluating the effectiveness of a biometric system. Which one of the following metrics would provide him with the best measure of the system’s effectiveness?

  A. IRR
  B. CER
  C. FAR
  D. FRR
A

B. The false rejection rate (FRR) identifies the number of times that an individual who should be allowed access to a facility is rejected. The false acceptance rate (FAR) identifies the number of times that an individual who should not be allowed access to a facility is admitted. Both the FAR and FRR may be manipulated by changing system settings. The crossover error rate (CER) is the rate at which the FRR and FAR are equal and is less prone to manipulation. Therefore, the CER is the best measure for Fred to use. IRR is not a measure of biometric system effectiveness.

214
Q

Gary is logging into a system and providing his fingerprint to gain access. What step of the IAM process is he performing?

  A. Identification
  B. Authorization
  C. Authentication
  D. Accounting
A

C. Gary is proving his identity with his fingerprint, a biometric mechanism. Steps that prove your identity are examples of authentication techniques.

215
Q

John is designing a system that will allow users from Acme Corporation, one of his organization’s vendors, to access John’s accounts payable system using the accounts provided by Acme Corporation. What type of authentication system is John attempting to design?

  A. Single sign-on
  B. Federated authentication
  C. Transitive trust
  D. Multifactor authentication
A

B. This type of authentication, where one domain trusts users from another domain, is called federation. Federation may involve transitive trusts, where the trusts may be followed through a series of domains, but this scenario only describes the use of two domains. It also only describes the use of credentials for a single system, not a multiple-system scenario where single sign-on would be relevant. There is no requirement described for the use of multifactor authentication, which would require the use of two or more diverse authentication techniques.

216
Q

Howard is assessing the legal risks to his organization based on its handling of PII. The organization is based in the United States, handles the data of customers located in Europe, and stores information in Japanese data centers. What law would be most important to Howard during his assessment?

  A. Japanese law
  B. European Union law
  C. U.S. law
  D. All should have equal weight.
A

D. The principle of data sovereignty states that data is subject to the legal restrictions of any jurisdiction where it is collected, stored, or processed. In this case, Howard needs to assess the laws of all three jurisdictions.

217
Q

David would like to send Mike a message using an asymmetric encryption algorithm to provide confidentiality. What key should he use to encrypt the message?

  A. David’s public key
  B. David’s private key
  C. Mike’s public key
  D. Mike’s private key
A

C. When encrypting a confidential message using an asymmetric encryption algorithm, the person performing the encryption does so using the recipient’s public key.

218
Q

When Mike receives the message that David encrypted for him in Question 17, what key should he use to decrypt the message?

  A. David’s public key
  B. David’s private key
  C. Mike’s public key
  D. Mike’s private key
A

D. In an asymmetric encryption algorithm, the recipient of a confidential message uses their own private key to decrypt messages that they receive.

219
Q

If David wishes to digitally sign the message that he is sending Mike, what key would he use to create the digital signature?

  A. David’s public key
  B. David’s private key
  C. Mike’s public key
  D. Mike’s private key
A

B. The sender of a message may digitally sign the message by encrypting a message digest with the sender’s own private key.

220
Q

When Mike receives the digitally signed message from David, what key should he use to verify the digital signature?

  A. David’s public key
  B. David’s private key
  C. Mike’s public key
  D. Mike’s private key
A

A. The recipient of a digitally signed message may verify the digital signature by decrypting it with the public key of the individual who signed the message.

221
Q

Security events are occurrences that may escalate into a security incident.

A

An event is any observable occurrence in a system or network. A security event includes any observable occurrence that relates to a security function. A security incident is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices. Every incident consists of one or more events, but not every event is an incident.

222
Q

The cybersecurity incident response process has four phases.

A

The four phases of incident response are preparation; detection and analysis; containment, eradication, and recovery; and post-incident activities. The process is not a simple progression of steps from start to finish. Instead, it includes loops that allow responders to return to prior phases as needed during the response.

223
Q

Security event indicators include alerts, logs, publicly available information, and people.

A

Alerts originate from intrusion detection and prevention systems, security information and event management systems, antivirus software, file integrity checking software, and third-party monitoring services. Logs are generated by operating systems, services, applications, network devices, and network flows. Publicly available information exists about new vulnerabilities and exploits detected “in the wild” or in a controlled laboratory environment. People from inside the organization or external sources report suspicious activity that may indicate that a security incident is in progress.

224
Q

Policies, procedures, and playbooks guide incident response efforts.

A

The incident response policy serves as the cornerstone of an organization’s incident response program. This policy should be written to guide efforts at a high level and provide the authority for incident response. Procedures provide the detailed, tactical information that CSIRT members need when responding to an incident. CSIRTs often develop playbooks that describe the specific procedures that they will follow in the event of a specific type of cybersecurity incident.

225
Q

Incident response teams should represent diverse stakeholders.

A

The core incident response team normally consists of cybersecurity professionals with specific expertise in incident response. In addition to the core team members, the CSIRT may include representation from technical subject matter experts, IT support staff, legal counsel, human resources staff, and public relations and marketing teams.

226
Q

Incidents may be classified according to the attack vector where they originate.

A

Common attack vectors for security incidents include external/removable media, attrition, the web, email, impersonation, improper usage, loss or theft of equipment, and other/unknown sources.

227
Q

Response teams classify the severity of an incident.

A

The functional impact of an incident is the degree of impairment that it causes to the organization. The economic impact is the amount of financial loss that the organization incurs. In addition to measuring the functional and economic impact of a security incident, organizations should measure the time that services will be unavailable and the recoverability effort. Finally, the nature of the data involved in an incident also contributes to the severity of the information impact.

228
Q

Which one of the following is an example of a computer security incident?

  1. User accesses a secure file
  2. Administrator changes a file’s permission settings
  3. Intruder breaks into a building
  4. Former employee crashes a server
A

D. A former employee crashing a server is an example of a computer security incident because it is an actual violation of the availability of that system. An intruder breaking into a building may be a security event, but it is not necessarily a computer security event unless they perform some action affecting a computer system. A user accessing a secure file and an administrator changing a file's permission settings are examples of security events but are not security incidents.

229
Q

During which phase of the incident response process would an organization implement defenses designed to reduce the likelihood of a security incident?

  1. Preparation
  2. Detection and analysis
  3. Containment, eradication, and recovery
  4. Post-incident activity
A

A. Organizations should build solid, defense-in-depth approaches to cybersecurity during the preparation phase of the incident response process. The controls built during this phase serve to reduce the likelihood and impact of future incidents.

230
Q

Alan is responsible for developing his organization’s detection and analysis capabilities. He would like to purchase a system that can combine log records from multiple sources to detect potential security incidents. What type of system is best suited to meet Alan’s security objective?

  1. IPS
  2. IDS
  3. SIEM
  4. Firewall
A

C. A security information and event management (SIEM) system correlates log entries from multiple sources and attempts to identify potential security incidents.

231
Q

Ben is working to classify the functional impact of an incident. The incident has disabled email service for approximately 30 percent of his organization’s staff. How should Ben classify the functional impact of this incident according to the NIST scale?

  1. None
  2. Low
  3. Medium
  4. High
A

C. The definition of a medium functional impact is that the organization has lost the ability to provide a critical service to a subset of system users, which accurately describes Ben's situation. A low functional impact applies only when the organization can still provide all critical services to all users, at diminished efficiency. A high functional impact applies only when a critical service is unavailable to all users.

232
Q

Which phase of the incident response process would include measures designed to limit the damage caused by an ongoing breach?

  1. Preparation
  2. Detection and analysis
  3. Containment, eradication, and recovery
  4. Post-incident activity
A

C. The containment protocols included in the containment, eradication, and recovery phase are designed to limit the damage caused by an ongoing security incident.

233
Q

Grace is the CSIRT leader for a business unit within NASA, a federal agency. What is the minimum amount of time that Grace must retain incident handling records?

  1. Six months
  2. One year
  3. Two years
  4. Three years
A

D. National Archives General Records Schedule (GRS) 24 requires that all U.S. federal agencies retain incident handling records for at least three years.

234
Q

Karen is responding to a security incident that resulted from an intruder stealing files from a U.S. federal government agency. Those files contained unencrypted information about protected critical infrastructure. How should Karen rate the information impact of this loss?

  1. None
  2. Privacy breach
  3. Proprietary breach
  4. Integrity loss
A

C. In a proprietary breach, unclassified proprietary information is accessed or exfiltrated. Protected critical infrastructure information (PCII) is an example of unclassified proprietary information.

235
Q

Matt is concerned about the fact that log records from his organization contain conflicting timestamps due to unsynchronized clocks. What protocol can he use to synchronize clocks throughout the enterprise?

  1. NTP
  2. FTP
  3. ARP
  4. SSH
A

A. The Network Time Protocol (NTP) provides a common source of time information that allows the synchronizing of clocks throughout an enterprise.

236
Q

Which one of the following document types would outline the authority of a CSIRT responding to a security incident?

  1. Policy
  2. Procedure
  3. Playbook
  4. Baseline
A

A. An organization’s incident response policy should contain a clear description of the authority assigned to the CSIRT while responding to an active security incident.

237
Q

A cross-site scripting attack is an example of what type of threat vector?

  1. Impersonation
  2. Email
  3. Attrition
  4. Web
A

D. A web attack is an attack executed from a website or web-based application—for example, a cross-site scripting attack used to steal credentials or redirect to a site that exploits a browser vulnerability and installs malware.

238
Q

Which one of the following parties is not commonly the target of periodic external communications during an incident involving the theft of sensitive product development plans?

  1. The perpetrator
  2. Law enforcement
  3. Vendors
  4. Information sharing partners
A

A. CSIRT members do not normally communicate directly with the perpetrator of a cybersecurity incident. Although team members may have contact with the perpetrator in the case of ransomware attacks, this would not normally be the case during an incident involving the theft of information. It is far more likely that the CSIRT would be in routine contact with vendors, law enforcement, and information sharing partners as the incident unfolds.

239
Q

Robert is finishing a draft of a proposed incident response policy for his organization. Who would be the most appropriate person to sign the policy?

  1. CEO
  2. Director of security
  3. CIO
  4. CSIRT leader
A

A. The incident response policy provides the CSIRT with the authority needed to do their job. Therefore, it should be approved by the highest possible level of authority within the organization, preferably the CEO.

240
Q

Which one of the following is not an objective of the containment, eradication, and recovery phase of incident response?

  1. Detect an incident in progress
  2. Implement a containment strategy
  3. Identify the attackers
  4. Eradicate the effects of the incident
A

A. Detection of a potential incident occurs during the detection and analysis phase of incident response. The other activities listed might all be objectives of the containment, eradication, and recovery phase.

241
Q

Renee is responding to a security incident that resulted in the unavailability of a website critical to her company’s operations. She is unsure of the amount of time and effort that it will take to recover the website. How should Renee classify the recoverability effort?

  1. Regular
  2. Supplemented
  3. Extended
  4. Not recoverable
A

C. Extended recoverability effort occurs when the time to recovery is unpredictable. In those cases, additional resources and outside help are typically needed.

242
Q

Which one of the following is an example of an attrition attack?

  1. SQL injection
  2. Theft of a laptop
  3. User installs file-sharing software
  4. Brute-force password attack
A

D. An attrition attack employs brute-force methods to compromise, degrade, or destroy systems, networks, or services—for example, a DDoS attack intended to impair or deny access to a service or application or a brute-force attack against an authentication mechanism.
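The SIEM card (230) says a SIEM correlates log records from multiple sources, the NTP card (235) says that only works when the sources' clocks agree, and the attrition card (242) names brute-force authentication attacks as the typical example. The following is an added example, not code from the flashcards or from any SIEM product: a minimal correlation rule that normalizes authentication failures from two differently formatted sources (an sshd syslog line and a web application's JSON event, both constructed samples), sorts them on a common timeline, and alerts on any source IP that accumulates five or more failures inside a five-minute sliding window. The log formats, the threshold, the window and the IP addresses are assumptions for illustration.

```python
"""Added example (not from the flashcards): a minimal SIEM-style correlation rule
for attrition (brute-force) attacks across two log sources with different formats.
Formats, threshold, window and addresses are assumptions for illustration."""
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                  # failures from one source IP ...
WINDOW = timedelta(minutes=5)  # ... inside this sliding window raise an alert

# Constructed sshd syslog format: "<iso-timestamp> <host> sshd[<pid>]: Failed password for ..."
SSHD_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_sshd(line):
    """Normalize an sshd failure line to (timestamp, source_ip, user, source); None if not a failure."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["ip"], m["user"], "sshd")


def parse_webapp(line):
    """Normalize a constructed JSON login event from a web application; only failures are kept."""
    ev = json.loads(line)
    if ev.get("event") != "login" or ev.get("result") != "failure":
        return None
    return (datetime.fromisoformat(ev["time"]), ev["src_ip"], ev["user"], "webapp")


PARSERS = {"sshd": parse_sshd, "webapp": parse_webapp}


def normalize(lines):
    """Turn (source, raw line) pairs into one time-ordered list of failure events.
    Ordering across sources is only meaningful if their clocks are synchronized (NTP)."""
    events = [ev for source, line in lines if (ev := PARSERS[source](line))]
    events.sort(key=lambda e: e[0])
    return events


def correlate(events, threshold=THRESHOLD, window=WINDOW):
    """Return {ip: (failures_in_window, [sources])} for each IP that crosses the threshold."""
    recent = defaultdict(deque)  # ip -> (timestamp, source) pairs still inside the window
    alerts = {}
    for ts, ip, _user, source in events:
        q = recent[ip]
        q.append((ts, source))
        while q and ts - q[0][0] > window:  # drop attempts that fell out of the window
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = (len(q), sorted({s for _, s in q}))
    return alerts


# Constructed sample: 203.0.113.7 hammers both sshd and the web app inside a few minutes;
# 198.51.100.9 tries once every six minutes, so it never has five failures in one window.
SAMPLE_LINES = [
    ("sshd", "2024-03-01T10:00:00+00:00 bastion sshd[2210]: Failed password for root from 198.51.100.9 port 40001 ssh2"),
    ("sshd", "2024-03-01T10:00:05+00:00 bastion sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2"),
    ("webapp", '{"time": "2024-03-01T10:00:30+00:00", "event": "login", "result": "failure", "user": "admin", "src_ip": "203.0.113.7"}'),
    ("sshd", "2024-03-01T10:01:00+00:00 bastion sshd[2213]: Failed password for root from 203.0.113.7 port 51240 ssh2"),
    ("webapp", '{"time": "2024-03-01T10:01:10+00:00", "event": "login", "result": "success", "user": "alice", "src_ip": "192.0.2.44"}'),
    ("webapp", '{"time": "2024-03-01T10:02:00+00:00", "event": "login", "result": "failure", "user": "administrator", "src_ip": "203.0.113.7"}'),
    ("sshd", "2024-03-01T10:02:30+00:00 bastion sshd[2214]: Failed password for invalid user oracle from 203.0.113.7 port 51250 ssh2"),
    ("webapp", '{"time": "2024-03-01T10:03:00+00:00", "event": "login", "result": "failure", "user": "admin", "src_ip": "203.0.113.7"}'),
    ("sshd", "2024-03-01T10:06:00+00:00 bastion sshd[2220]: Failed password for root from 198.51.100.9 port 40002 ssh2"),
    ("sshd", "2024-03-01T10:12:00+00:00 bastion sshd[2230]: Failed password for root from 198.51.100.9 port 40003 ssh2"),
    ("sshd", "2024-03-01T10:18:00+00:00 bastion sshd[2240]: Failed password for root from 198.51.100.9 port 40004 ssh2"),
    ("sshd", "2024-03-01T10:24:00+00:00 bastion sshd[2250]: Failed password for root from 198.51.100.9 port 40005 ssh2"),
]


def run_sample():
    """Run the rule over the constructed sample; the only alert is for 203.0.113.7 (5 failures, both sources)."""
    return correlate(normalize(SAMPLE_LINES))


if __name__ == "__main__":
    for ip, (count, sources) in run_sample().items():
        print(f"ALERT attrition: {ip} {count} failures in {WINDOW} across {sources}")
```

Neither source alone reaches the threshold inside the window; only the combined timeline does, which is the value a SIEM adds over per-system alerting. The low-and-slow attacker at 198.51.100.9 is deliberately left undetected by this rule: a fixed count-in-window threshold is easy to stay under, so a real deployment would pair it with longer-horizon baselines.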

243
Q

Who is the best facilitator for a post-incident lessons-learned session?

  1. CEO
  2. CSIRT leader
  3. Independent facilitator
  4. First responder
A

C. Lessons learned sessions are most effective when facilitated by an independent party who was not involved in the incident response effort.

244
Q

Which one of the following elements is not normally found in an incident response policy?

  1. Performance measures for the CSIRT
  2. Definition of cybersecurity incidents
  3. Definition of roles, responsibilities, and levels of authority
  4. Procedures for rebuilding systems
A

D. Procedures for rebuilding systems are highly technical and would normally be included in a playbook or procedure document rather than an incident response policy.

245
Q

An on-path attack is an example of what type of threat vector?

  1. Attrition
  2. Impersonation
  3. Web
  4. Email
A

B. An impersonation attack involves the replacement of something benign with something malicious—spoofing, on-path attacks, rogue wireless access points, and SQL injection attacks all involve impersonation.

246
Q

Tommy is the CSIRT leader for his organization and is responding to a newly discovered security incident. What document is most likely to contain step-by-step instructions that he might follow in the early hours of the response effort?

  1. Policy
  2. Baseline
  3. Playbook
  4. Textbook
A

C. Incident response playbooks contain detailed step-by-step instructions that guide the early response to a cybersecurity incident. Organizations typically have playbooks prepared for high-severity and frequently occurring incident types.

247
Q

Hank is responding to a security event where the CEO of his company had her laptop stolen. The laptop was encrypted but contained sensitive information about the company’s employees. How should Hank classify the information impact of this security event?

  1. None
  2. Privacy breach
  3. Proprietary breach
  4. Integrity loss
A

A. The event described in this scenario would not qualify as a security incident with measurable information impact. Although the laptop did contain information that might cause a privacy breach, that breach was avoided by the use of encryption to protect the contents of the laptop.

248
Q

Understand the four steps of the business continuity planning process.

A

Business continuity planning involves four distinct phases: project scope and planning, business impact analysis, continuity planning, and approval and implementation. Each task contributes to the overall goal of ensuring that business operations continue uninterrupted in the face of an emergency.

249
Q

Describe how to perform the business organization analysis.

A

In the business organization analysis, the individuals responsible for leading the BCP process determine which departments and individuals have a stake in the business continuity plan. This analysis serves as the foundation for BCP team selection and, after validation by the BCP team, is used to guide the next stages of BCP development.

250
Q

List the necessary members of the business continuity planning team.

A

The BCP team should contain, at a minimum, representatives from each of the operational and support departments; technical experts from the IT department; physical and IT security personnel with BCP skills; legal representatives familiar with corporate legal, regulatory, and contractual responsibilities; and representatives from senior management. Additional team members depend on the structure and nature of the organization.

251
Q

Know the legal and regulatory requirements that face business continuity planners.

A

Business leaders must exercise due diligence to ensure that shareholders’ interests are protected in the event disaster strikes. Some industries are also subject to federal, state, and local regulations that mandate specific BCP procedures. Many businesses also have contractual obligations to their clients that they must meet before, during, and after a disaster.

252
Q

Explain the steps of the business impact analysis process.

A

The five stages of the business impact analysis process are the identification of priorities, risk identification, likelihood assessment, impact analysis, and resource prioritization.

253
Q

Describe the process used to develop a continuity strategy.

A

During the strategy development phase, the BCP team determines which risks they will mitigate. In the provisions and processes phase, the team designs mechanisms and procedures that will mitigate identified risks. The plan must then be approved by senior management and implemented. Personnel must also receive training on their roles in the BCP process.

254
Q

Explain the importance of comprehensively documenting an organization’s business continuity and disaster recovery plans.

A

Committing the plan to writing provides the organization with a written record of the procedures to follow when disaster strikes. It prevents the “it’s in my head” syndrome and ensures the orderly progress of events in an emergency.

255
Q

Be familiar with the common types of recovery facilities.

A

The common types of recovery facilities are cold sites, warm sites, hot sites, mobile sites, and multiple sites. Be sure you understand the benefits and drawbacks for each such facility.

256
Q

Understand the technologies that may assist with database backup.

A

Databases benefit from three backup technologies. Electronic vaulting is used to transfer database backups to a remote site as part of a bulk transfer. In remote journaling, data transfers occur on a more frequent basis. With remote mirroring technology, database transactions are mirrored at the backup site in real time.

257
Q

Explain the common processes used in disaster recovery programs

A

These programs should take a comprehensive approach to planning and include considerations related to the initial response effort, personnel involved, communication among the team and with internal and external entities, assessment of response efforts, and restoration of services. DR programs should also include training and awareness efforts to ensure personnel understand their responsibilities and lessons learned sessions to continuously improve the program.

258
Q

Know the five types of disaster recovery plan tests and the impact each has on normal business operations.

A

The five types of disaster recovery plan tests are: read-through (checklist) tests, structured walk-throughs, simulation tests, parallel tests, and full-interruption tests. Read-through tests are purely paperwork exercises, whereas structured walk-throughs involve a project team meeting. Neither has an impact on business operations. Simulation tests may shut down noncritical business units. Parallel tests involve relocating personnel but do not affect day-to-day operations. Full-interruption tests involve shutting down primary systems and shifting responsibility to the recovery facility.

259
Q

Tracy is preparing for her organization’s annual business continuity exercise, but she encounters resistance from some managers who don’t see the exercise as important and feel that it is a waste of resources. She has already told the managers that it will only take half a day for their employees to participate. What argument could Tracy make to best address these concerns?

  1. The exercise is required by policy.
  2. The exercise is already scheduled, and canceling it would be difficult.
  3. The exercise is crucial to ensuring that the organization is prepared for emergencies.
  4. The exercise will not be very time-consuming.
A

C. This question requires that you exercise some judgment, as do many questions on the CISM exam. All of these answers are plausible things that Tracy could bring up, but we're looking for the best answer. In this case, that is ensuring that the organization is ready for an emergency—a mission-critical goal. Telling managers that the exercise is already scheduled or required by policy doesn't address their concern that it is a waste of time. Telling them that it won't be time-consuming is not likely to be an effective argument because they are already raising concerns about the amount of time requested.

260
Q

The board of directors of Clashmore Circuits is conducting an annual review of the business continuity planning process to ensure that adequate measures are in place to minimize the effect of a disaster on the organization’s continued viability. What obligation are they satisfying with this review?

  1. Corporate responsibility
  2. Disaster requirement
  3. Due diligence
  4. Going concern responsibility
A

C. A firm’s officers and directors are legally bound to exercise due diligence in conducting their activities. This concept creates a fiduciary responsibility on their part to ensure that adequate business continuity plans are in place. This is an element of corporate responsibility, but that term is vague and not commonly used to describe a board’s responsibilities. Disaster requirement and going concern responsibilities are also not risk management terms.

261
Q

Renee is reporting the results of her organization’s BIA to senior leaders. They express frustration at all of the details, and one of them says, “Look, we just need to know how much we should expect these risks to cost us each year.” What measure could Renee provide to best answer this question?

  1. ARO
  2. SLE
  3. ALE
  4. EF
A

C. The annualized loss expectancy (ALE) represents the amount of money a business expects to lose to a given risk each year. This figure is quite useful when performing a quantitative prioritization of business continuity resource allocation.

262
Q

Jake is conducting a business impact analysis for his organization. As part of the process, he asks leaders from different units to provide input on how long the enterprise resource planning (ERP) system could be unavailable without causing irreparable harm to the organization. What measure is he seeking to determine?

  1. SLE
  2. EF
  3. MTD
  4. ARO
A

C. The maximum tolerable downtime (MTD) represents the longest period a business function can be unavailable before causing irreparable harm to the business. This figure is useful when determining the level of business continuity resources to assign to a particular function.

263
Q

You are concerned about the risk that an avalanche poses to your $3 million shipping facility. Based on expert opinion, you determine that there is a 5 percent chance that an avalanche will occur each year. Experts advise you that an avalanche would completely destroy your building and require you to rebuild on the same land. Ninety percent of the $3 million value of the facility is attributed to the building, and 10 percent is attributed to the land itself. What is the single loss expectancy (SLE) of your shipping facility to avalanches?

  1. $3 million
  2. $2,700,000
  3. $270,000
  4. $135,000
A

B. The single loss expectancy (SLE) is the product of the asset value (AV) and the exposure factor (EF). From the scenario, you know that the AV is $3 million and the EF is 90 percent, because the land survives the avalanche and can be reused to rebuild the facility. This yields an SLE of $3,000,000 × 0.90 = $2,700,000.

264
Q

You are concerned about the risk that a hurricane poses to your corporate headquarters in South Florida. The building itself is valued at $15 million. After consulting with the National Weather Service, you determine that there is a 10 percent likelihood that a hurricane will strike over the course of a year. You hire a team of architects and engineers who determine that the average hurricane would destroy approximately 50 percent of the building. What is the annualized loss expectancy (ALE)?

  1. $750,000
  2. $1.5 million
  3. $7.5 million
  4. $15 million
A

A. This problem requires you to compute the ALE, which is the product of the SLE and the ARO. From the scenario, you know that the ARO is 0.10 (or 10 percent) and that the SLE is $15 million × 50 percent = $7.5 million. This yields an ALE of $7.5 million × 0.10 = $750,000.

265
Q

Brian is developing continuity plan provisions and processes for his organization. What resource should he protect as the highest priority in those plans?

  1. Physical plant
  2. Infrastructure
  3. Financial
  4. People
A

D. The safety of human life must always be the paramount concern in business continuity planning. Be sure that your plan reflects this priority, especially in the written documentation that is disseminated to your organization’s employees!

266
Q

Ricky is conducting the quantitative portion of his organization’s business impact analysis. Which one of the following concerns is least suitable for quantitative measurement during this assessment?

  1. Loss of a plant
  2. Damage to a vehicle
  3. Negative publicity
  4. Power outage
A

C. It is difficult to put a dollar figure on the business lost because of negative publicity. Therefore, this type of concern is better evaluated through qualitative analysis. The other items listed here are all more easily quantifiable.

267
Q

Darren is concerned about the risk of a serious power outage affecting his organization’s data center. He consults the organization’s business impact analysis and determines that the ARO of a power outage is 20 percent. He notes that the assessment took place three years ago and no power outage has occurred. What ARO should he use in this year’s assessment, assuming that none of the circumstances underlying the analysis have changed?

  1. 20 percent
  2. 50 percent
  3. 75 percent
  4. 100 percent
A

A. The annualized rate of occurrence (ARO) is the likelihood that the risk will materialize in any given year. The fact that a power outage did not occur in any of the past three years doesn’t change the probability that one will occur in the upcoming year. Unless other circumstances have changed, the ARO should remain the same.

268
Q

Of the individuals listed, who would provide the best endorsement for a business continuity plan’s statement of importance?

  1. Vice president of business operations
  2. Chief information officer
  3. Chief executive officer
  4. Business continuity manager
A

C. You should strive to have the highest-ranking person possible sign the BCP's statement of importance. Of the choices given, the chief executive officer (CEO) is the highest ranking.

269
Q

Kevin is attempting to determine an appropriate backup frequency for his organization’s database server and wants to ensure that any data loss is within the organization’s risk appetite. Which one of the following security process metrics would best assist him with this task?

  1. RTO
  2. MTD
  3. RPO
  4. MTBF
A

C. The recovery point objective (RPO) specifies the maximum amount of data that may be lost during a disaster and should be used to guide backup strategies. The maximum tolerable downtime (MTD) and recovery time objective (RTO) are related to the duration of an outage, rather than the amount of data lost. The mean time between failures (MTBF) is related to the frequency of failure events.

270
Q

Brian’s organization recently suffered a disaster and wants to improve their disaster recovery program based on their experience. Which one of the following activities will best assist with this task?

  1. Training programs
  2. Awareness efforts
  3. BIA review
  4. Lessons learned
A

D. The lessons learned session captures discoveries made during the disaster recovery process and facilitates continuous improvement. It may identify deficiencies in training and awareness or the BIA.

271
Q

Adam is reviewing the fault tolerance controls used by his organization and realizes that they currently have a single point of failure in the disks used to support a critical server. Which one of the following controls can provide fault tolerance for these disks?

  1. Load balancing
  2. RAID
  3. Clustering
  4. HA pairs
A

B. A redundant array of inexpensive disks (RAID) is a fault-tolerance control that allows an organization's storage service to withstand the loss of one or more individual disks. Load balancing, clustering, and HA pairs are all fault-tolerance services designed for server compute capacity, not storage.
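To make "withstand the loss of a disk" concrete, here is an added example, not code from the flashcards or from any storage product: a toy model of single-parity striping, the mechanism behind RAID 5. Each stripe holds N data blocks plus one parity block that is the XOR of the data blocks, with the parity slot rotated across the disks stripe by stripe. Losing any one disk leaves every block recoverable as the XOR of the surviving blocks in its stripe; losing two at once does not. The block size, disk count and sample payload are assumptions for illustration.

```python
"""Added example (not from the flashcards): single-parity striping as in RAID 5.
Disk count, block size and the payload are assumptions for illustration."""


def xor_blocks(blocks):
    """XOR equal-length byte blocks together."""
    out = bytearray(blocks[0])
    for b in blocks[1:]:
        for i, byte in enumerate(b):
            out[i] ^= byte
    return bytes(out)


def parity_slot(stripe_no, n_disks):
    """RAID 5 rotates the parity block across disks so no single disk becomes a parity hot spot."""
    return stripe_no % n_disks


def stripe(data, n_data, block):
    """Lay `data` out over n_data + 1 disks. Returns a list of disks, each a list of blocks."""
    per_stripe = n_data * block
    padded = data + b"\x00" * (-len(data) % per_stripe)  # pad to a whole number of stripes
    n_disks = n_data + 1
    disks = [[] for _ in range(n_disks)]
    for s in range(len(padded) // per_stripe):
        chunk = padded[s * per_stripe:(s + 1) * per_stripe]
        blocks = [chunk[i * block:(i + 1) * block] for i in range(n_data)]
        p = parity_slot(s, n_disks)
        layout = blocks[:p] + [xor_blocks(blocks)] + blocks[p:]  # insert parity at its slot
        for d in range(n_disks):
            disks[d].append(layout[d])
    return disks


def rebuild(disks, failed):
    """Reconstruct the failed disk: each of its blocks is the XOR of the other disks' blocks in that stripe."""
    survivors = [d for i, d in enumerate(disks) if i != failed]
    return [xor_blocks([d[s] for d in survivors]) for s in range(len(survivors[0]))]


def read_back(disks, n_data, length):
    """Reassemble the payload by reading data blocks in order and skipping each stripe's parity slot."""
    n_disks = n_data + 1
    out = bytearray()
    for s in range(len(disks[0])):
        p = parity_slot(s, n_disks)
        for d in range(n_disks):
            if d != p:
                out += disks[d][s]
    return bytes(out[:length])


DATA = b"payroll-db-page-0001:" + bytes(range(64))  # constructed 85-byte payload
N_DATA, BLOCK = 3, 8                                 # 3 data disks + 1 parity, 8-byte blocks


def simulate_disk_loss(data, failed, n_data=N_DATA, block=BLOCK):
    """Stripe the data, lose one disk entirely, rebuild it from parity, and return what a read then yields."""
    disks = stripe(data, n_data, block)
    disks[failed] = None                    # the disk is gone
    disks[failed] = rebuild(disks, failed)  # hot-spare rebuild from the survivors
    return read_back(disks, n_data, len(data))


if __name__ == "__main__":
    for failed in range(N_DATA + 1):
        ok = simulate_disk_loss(DATA, failed) == DATA
        print(f"disk {failed} lost and rebuilt: {'data intact' if ok else 'DATA CORRUPT'}")
```

The rebuild reads every surviving block, which is why a second failure during a long rebuild of large disks is the classic RAID 5 risk; RAID 6 adds a second, independent parity block to survive it. RAID also does nothing against deletion, ransomware or a destroyed site, so it complements rather than replaces the backups and alternate sites covered by the other cards.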

272
Q

Brad is helping to design a disaster recovery strategy for his organization and is analyzing possible storage locations for backup data. He is not certain where the organization will recover operations in the event of a disaster and would like to choose an option that allows them the flexibility to easily retrieve data from any DR site. Which one of the following storage locations provides the best option for Brad?

  1. Primary data center
  2. Field office
  3. Cloud computing
  4. IT manager’s home
A

C. Cloud computing services provide an excellent location for backup storage because they are accessible from any location. The primary data center is a poor choice, as it may be damaged during a disaster. A field office is reasonable, but it is in a specific location and is not as flexible as a cloud-based approach. The IT manager’s home is a poor choice, as the IT manager may leave the organization or may not have appropriate environmental and physical security controls in place.

273
Q

Tonya is reviewing the flood risk to her organization and learns that their primary data center resides within a 100-year flood plain. What conclusion can she draw from this information?

  1. The last flood of any kind to hit the area was more than 100 years ago.
  2. The odds of a flood at this level are 1 in 100 in any given year.
  3. The area is expected to be safe from flooding for at least 100 years.
  4. The last significant flood to hit the area was more than 100 years ago
A

B. The term 100-year flood plain is used to describe an area where flooding is expected once every 100 years. It is, however, more mathematically correct to say that this label indicates a 1 percent probability of flooding in any given year.

274
Q

Bryn runs a corporate website and currently uses a single server, which is capable of handling the site’s entire load. She is concerned, however, that an outage on that server could cause the organization to exceed its RTO. What action could she take that would best protect against this risk?

  1. Install dual power supplies in the server
  2. Replace the server’s hard drives with RAID arrays
  3. Deploy multiple servers behind a load balancer
  4. Perform regular backups of the server
A

C. All of these are good practices that could help improve the quality of service that Bryn provides from her website. Installing dual power supplies or deploying RAID arrays could reduce the likelihood of a server failure, but these measures only protect against a single risk each. Deploying multiple servers behind a load balancer is the best option because it protects against any type of risk that would cause a server failure. Backups are an important control for recovering operations after a disaster and different backup strategies could indeed alter the RTO, but it is even better if Bryn can design a web architecture that lowers the risk of the outage occurring in the first place.

275
Q

Nolan is considering the use of several different types of alternate processing facilities for his organization’s data center. Which one of the following alternative processing sites takes the longest time to activate but has the lowest cost to implement?

  1. Hot site
  2. Mobile site
  3. Cold site
  4. Warm site
A

C. The cold site contains none of the equipment necessary to restore operations. All of the equipment must be brought in and configured and data must be restored to it before operations can commence. This often takes weeks, but cold sites also have the lowest cost to implement. Hot sites, warm sites, and mobile sites all have quicker recovery times.

276
Q

Harry is conducting a disaster recovery test. He moved a group of personnel to the alternate recovery site where they are mimicking the operations of the primary site but do not have operational responsibility. What type of disaster recovery test is he performing?

  1. Checklist test
  2. Structured walkthrough
  3. Simulation test
  4. Parallel test
A

D. The parallel test involves relocating personnel to the alternate recovery site and implementing site activation procedures. Checklist tests, structured walkthroughs, and simulations are all test types that do not involve actually activating the alternate site.

277
Q

What type of backup involves always storing copies of all files modified since the most recent full backup?

  1. Differential backups
  2. Partial backup
  3. Incremental backups
  4. Database backup
A

A. Differential backups involve always storing copies of all files modified since the most recent full backup regardless of any incremental or differential backups created during the intervening time period.
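The difference between differential and incremental backups is easiest to see by simulating a week of changes. This is an added example, not code from the flashcards or from any backup tool: it computes which files each nightly backup copies after a full backup, and which backup sets a restore to the latest point then has to read. The timeline (days since the full backup) and the modification events are constructed for illustration.

```python
"""Added example (not from the flashcards): what each backup type copies after a full
backup, and the restore chain each implies. Timeline and modifications are constructed."""

FULL_AT = 0.0                      # the full backup, day 0
BACKUP_TIMES = [1.0, 2.0, 3.0]     # nightly backups on the following days
# (time, path) modification events: a.txt changes twice, b.txt and c.txt once each
MODS = [(0.5, "a.txt"), (1.5, "b.txt"), (2.5, "a.txt"), (2.7, "c.txt")]


def files_to_copy(mtimes, backup_type, last_full, last_backup):
    """mtimes: {path: last modification time}.
    differential: everything modified since the last full backup, regardless of backups in between;
    incremental: only what changed since the most recent backup of any type."""
    if backup_type == "full":
        return sorted(mtimes)
    if backup_type == "differential":
        since = last_full
    elif backup_type == "incremental":
        since = last_backup
    else:
        raise ValueError(f"unknown backup type: {backup_type}")
    return sorted(path for path, mtime in mtimes.items() if mtime > since)


def snapshot(mods, at):
    """Modification times as the filesystem shows them at time `at`."""
    mtimes = {}
    for t, path in mods:
        if t <= at:
            mtimes[path] = max(t, mtimes.get(path, t))
    return mtimes


def simulate(backup_type, mods=MODS, full_at=FULL_AT, times=BACKUP_TIMES):
    """Return {backup_time: [paths copied]} for each nightly backup after the full."""
    last_backup = full_at
    copied = {}
    for t in times:
        copied[t] = files_to_copy(snapshot(mods, t), backup_type, full_at, last_backup)
        last_backup = t  # only the incremental's reference point moves; the differential's stays at the full
    return copied


def restore_sets(backup_type, times=BACKUP_TIMES):
    """Backup sets that a restore to the latest point must read, oldest first."""
    if backup_type == "full":
        return ["full"]
    if backup_type == "differential":
        return ["full", f"differential@{times[-1]}"]
    return ["full"] + [f"incremental@{t}" for t in times]


if __name__ == "__main__":
    for kind in ("differential", "incremental"):
        print(kind, simulate(kind), "restore needs:", restore_sets(kind))
```

The differential set grows each night (a.txt, then a.txt and b.txt, then all three) because its reference point never moves, but a restore needs only the full backup plus the newest differential. The incremental sets stay small (a.txt; b.txt; a.txt and c.txt) at the price of a restore chain that must replay every incremental in order, so a single corrupt or missing set breaks recovery from that point on. Either way the backup interval, not the type, is what bounds data loss against the RPO.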

278
Q

You operate a grain processing business and are developing your restoration priorities. Which one of the following systems would likely be your highest priority?

  1. Order-processing system
  2. Fire suppression system
  3. Payroll system
  4. Website
A

B. People should always be your highest priority in business continuity planning. As a life safety system, fire suppression systems should always receive high prioritization.