Sybex Book Review 4 Flashcards

1
Q

Which security principle involves the knowledge and possession of sensitive material as an aspect of one’s occupation?

A. Principle of least privilege
B. Separation of duties
C. Need to know
D. As-needed basis

A

C. The need-to-know policy operates on the basis that any given system user should be granted access only to portions of sensitive information or materials necessary to perform some task. The principle of least privilege ensures that personnel are granted only the permissions they need to perform their job and no more. Separation of duties ensures that no single person has total control over a critical function or system. There isn’t a standard principle called “as-needed basis.”

2
Q

An organization ensures that users are granted access to only the data they need to perform specific work tasks. What principle are they following?

A. Principle of least permission
B. Separation of duties (SoD)
C. Need to know
D. Job rotation

A

C. Need to know is the requirement to have access to, knowledge about, or possession of data to perform specific work tasks, but no more. The principle of least privilege includes both rights and permissions, but the term principle of least permission is not valid within IT security. Separation of duties (SoD) ensures that a single person doesn’t control all the elements of a process. A separation of duties policy ensures that no single person has total control over a critical function. A job rotation policy requires employees to rotate to different jobs periodically.

3
Q

What concept is used to grant users only the rights and permissions they need to complete their job responsibilities?

A. Need to know
B. Mandatory vacations
C. Least privilege principle
D. Service-level agreement (SLA)

A

C. An organization applies the least privilege principle to ensure employees receive only the access they need to complete their job responsibilities. Need to know refers to permissions only, whereas privileges include both rights and permissions. A mandatory vacation policy requires employees to take a vacation in one- or two-week increments. An SLA identifies performance expectations and can include monetary penalties.

4
Q

A large organization using a Microsoft domain wants to limit the amount of time users have elevated privileges. Which of the following security operation concepts can be used to support this goal?

A. Principle of least permission
B. Separation of duties
C. Need to know
D. Privileged account management

A

D. Microsoft domains include a privileged account management solution that grants administrators elevated privileges when they need them but restricts the access using a time-limited ticket. The principle of least privilege includes both rights and permissions, but the term principle of least permission is not valid within IT security. Separation of duties ensures that a single person doesn’t control all the elements of a process or a critical function. Need to know is the requirement to have access to, knowledge about, or possession of data to perform specific work tasks, but no more.

5
Q

An administrator is granting permissions to a database. What is the default level of access the administrator should grant to new users in the organization?

A. Read
B. Modify
C. Full access
D. No access

A

D. The default level of access should be no access. The principle of least privilege dictates that users should only be granted the level of access they need for their job, and the question doesn’t indicate that new users need any access to the database. Read access, modify access, and full access grant users some level of access, which violates the principle of least privilege.

6
Q

You want to apply the least privilege principle when creating new accounts in the software development department. Which of the following should you do?

A. Create each account with only the rights and permissions needed by the employee to perform their job.
B. Give each account full rights and permissions to the servers in the software development department.
C. Create each account with no rights and permissions.
D. Add the accounts to the local Administrators group on the new employee’s computer.

A

A. Each account should have only the rights and permissions needed to perform their job when following the least privilege policy. New employees would not need full rights and permissions to a server. Employees will need some rights and permissions in order to do their jobs. Regular user accounts should not be added to the Administrators group.

7
Q

Your organization has divided a high-level auditing function into several individual job tasks. These tasks are divided between three administrators. None of the administrators can perform all of the tasks. What does this describe?

A. Job rotation
B. Mandatory vacation
C. Separation of duties
D. Least privilege

A

C. Separation of duties ensures that no single entity can perform all the tasks for a job or function. A job rotation policy moves employees to different jobs periodically. A mandatory vacation policy requires employees to take vacations. A least privilege policy ensures users have only the privileges they need, and no more.

8
Q

A financial organization commonly has employees switch duty responsibilities every 6 months. What security principle are they employing?

A. Job rotation
B. Separation of duties
C. Mandatory vacations
D. Least privilege

A

A. A job rotation policy has employees rotate jobs or job responsibilities and can help detect collusion and fraud. A separation of duties policy ensures that a single person doesn’t control all elements of a specific function. Mandatory vacation policies ensure that employees take an extended time away from their jobs, requiring someone else to perform their job responsibilities, which increases the likelihood of discovering fraud. Least privilege ensures that users have only the permissions they need to perform their jobs and no more.

9
Q

Which of the following is one of the primary reasons an organization enforces a mandatory vacation policy?

A. To rotate job responsibilities
B. To detect fraud
C. To increase employee productivity
D. To reduce employee stress levels

A

B. Mandatory vacation policies help detect fraud. They require employees to take an extended time away from their jobs, requiring someone else to perform their job responsibilities, which increases the likelihood of discovering fraud. It does not rotate job responsibilities. Although mandatory vacations might help employees reduce their overall stress levels and increase productivity, these are not the primary reasons for mandatory vacation policies.

10
Q

Your organization has contracted with a third-party provider to host cloud-based servers. Management wants to ensure there are monetary penalties if the third party doesn’t meet their contractual responsibilities related to uptimes and downtimes. Which of the following is the best choice to meet this requirement?

A. MOU
B. ISA
C. SLA
D. SED

A

C. A service-level agreement (SLA) can provide monetary penalties if a third-party provider doesn’t meet its contractual requirements. Neither a memorandum of understanding (MOU) nor an interconnection security agreement (ISA) includes monetary penalties. Separation of duties is sometimes shortened to SED, but this is unrelated to third-party relationships.

11
Q

Which one of the following is a cloud-based service model that gives an organization the most control and requires the organization to perform all maintenance on operating systems and applications?

A. Infrastructure as a service (IaaS)
B. Platform as a service (PaaS)
C. Software as a service (SaaS)
D. Public

A

A. The IaaS service model provides an organization with the most control compared to the other models, and this model requires the organization to perform all maintenance on operating systems and applications. The SaaS model gives the organization the least control, and the cloud service provider (CSP) is responsible for all maintenance. The PaaS model splits control and maintenance responsibilities between the CSP and the organization.

12
Q

Which one of the following is a cloud-based service model that allows users to access email via a web browser?

A. Infrastructure as a service (IaaS)
B. Platform as a service (PaaS)
C. Software as a service (SaaS)
D. Public

A

C. The SaaS service model provides services such as email available via a web browser. IaaS provides the infrastructure (such as servers), and PaaS provides a platform (such as an operating system and application installed on a server). Public is a deployment method, not a service model.

13
Q

The IT department routinely uses images when deploying new systems. Of the following choices, what is a primary benefit of using images?

A. Provides a baseline for configuration management
B. Improves patch management response times
C. Reduces vulnerabilities from unpatched systems
D. Provides documentation for changes

A

A. When images are used to deploy systems, the systems start with a common baseline, which is important for configuration management. Images don’t necessarily improve the evaluation, approval, deployment, and audits of patches to systems within the network. Although images can include current patches to reduce their vulnerabilities, this is because the image provides a baseline. Change management provides documentation for changes.

14
Q

A server administrator recently modified the configuration for a server to improve performance. Unfortunately, when an automated script runs once a week, the modification causes the server to reboot. It took several hours of troubleshooting to ultimately determine the problem wasn’t with the script but instead with the modification. What could have prevented this?

A. Vulnerability management
B. Patch management
C. Change management
D. Blocking all scripts

A

C. An effective change management program helps prevent outages from unauthorized changes. Vulnerability management helps detect weaknesses but wouldn’t block the problems from this modification. Patch management ensures systems are kept up to date. Blocking scripts removes automation, which would increase the overall workload.

15
Q

Which of the following steps would be included in a change management process? (Choose three.)

A. Immediately implement the change if it will improve performance.
B. Request the change.
C. Create a rollback plan for the change.
D. Document the change.

A

B, C, D. Change management processes include requesting a change, creating a rollback plan for the change, and documenting the change. Changes should not be implemented immediately without evaluating the change.

16
Q

A new CIO learned that an organization doesn’t have a change management program. The CIO insists one be implemented immediately. Of the following choices, what is a primary goal of a change management program?

A. Personnel safety
B. Allowing rollback of changes
C. Ensuring that changes do not reduce security
D. Auditing privilege access

A

C. Change management aims to ensure that any change does not result in unintended outages or reduce security. Change management doesn’t affect personnel safety. A change management plan will commonly include a rollback plan, but that isn’t a specific goal of the program. Change management doesn’t perform any type of auditing.

17
Q

Systems within an organization are configured to receive and apply patches automatically. After receiving a patch, 55 of the systems automatically restarted and booted into a stop error. What could have prevented this problem without sacrificing security?

A. Disable the setting to apply the patches automatically.
B. Implement a patch management program to approve all patches.
C. Ensure systems are routinely audited for patches.
D. Implement a patch management program that tests patches before deploying them.

A

D. An effective patch management program evaluates and tests patches before deploying them and would have prevented this problem. Approving all patches would not prevent this problem because the same patch would be deployed. Systems should be audited after deploying patches, not to test for the impact of new patches.

18
Q

A security administrator wants to verify the existing systems are up to date with current patches. Of the following choices, what is the best method to ensure systems have the required patches?

A. Patch management system
B. Patch scanner
C. Penetration tester
D. Fuzz tester

A

A. A patch management system ensures that systems have required patches. In addition to deploying patches, it would also check the systems to verify they accepted the patches. There is no such thing as a patch scanner. A penetration test will attempt to exploit a vulnerability, but it can be intrusive and cause an outage, so it isn’t appropriate in this scenario. A fuzz tester sends random data to a system to check for vulnerabilities but doesn’t test for patches.

19
Q

A recent attack on servers within your organization caused an excessive outage. You need to check systems for known issues that attackers may use to exploit other systems in your network. Which of the following is the best choice to meet this need?

A. Versioning tracker
B. Vulnerability scanner
C. Security audit
D. Security review

A

B. Vulnerability scanners are used to check systems for known issues and are part of an overall vulnerability management program. Versioning is used to track software versions and is unrelated to detecting vulnerabilities. Security audits and reviews help ensure that an organization is following its policies but wouldn’t directly check systems for vulnerabilities.

20
Q

Which one of the following processes is most likely to list all security risks within a system?

A. Configuration management
B. Patch management
C. Hardware inventory
D. Vulnerability scan

A

D. A vulnerability scan will list or enumerate all security risks within a system. None of the other answers will list security risks within a system. Configuration management systems check and modify configuration settings. Patch management systems can deploy patches and verify patches are deployed, but they don’t check for all security risks. Hardware inventories only verify the hardware is still present.

21
Q

Which of the following are valid incident management steps or phases as listed in the CISSP objectives? (Choose all that apply.)

A. Prevention
B. Detection
C. Reporting
D. Lessons learned
E. Backup

A

B, C, D. Detection, reporting, and lessons learned are valid incident management steps. Prevention is done before an incident. Creating backups can help recover systems, but it isn’t one of the incident management steps. The seven steps (in order) are detection, response, mitigation, reporting, recovery, remediation, and lessons learned.

22
Q

You are troubleshooting a problem on a user’s computer. After viewing the host-based intrusion detection system (HIDS) logs, you determine that the computer has been compromised by malware. Of the following choices, what should you do next?

A. Isolate the computer from the network.
B. Review the HIDS logs of neighboring computers.
C. Run an antivirus scan.
D. Analyze the system to discover how it was infected.

A

A. Your next step is to isolate the computer from the network as part of the mitigation phase. You might look at other computers later, but you should try to mitigate the problem first. Similarly, you might run an antivirus scan, but later. The lessons learned phase is last and will analyze an incident to determine the cause.

23
Q

In the incident management steps identified by (ISC)2, which of the following occurs first?

A. Response
B. Mitigation
C. Remediation
D. Lessons learned

A

D. The first step is detection. The seven steps (in order) are detection, response, mitigation, reporting, recovery, remediation, and lessons learned.

24
Q

Which of the following are basic security controls that can prevent many attacks? (Choose three.)

A. Keep systems and applications up to date.
B. Implement security orchestration, automation, and response (SOAR) technologies.
C. Remove or disable unneeded services or protocols.
D. Use up-to-date antimalware software.
E. Use WAFs at the border.

A

A, C, D. The three basic security controls listed are 1) keep systems and applications up to date, 2) remove or disable unneeded services or protocols, and 3) use up-to-date antimalware software. SOAR technologies implement advanced methods to detect and automatically respond to incidents. It’s appropriate to place a network firewall at the border (between the internet and the internal network), but web application firewalls (WAF) should only filter traffic going to a web server.

25
Q

Security administrators are reviewing all the data gathered by event logging. Which of the following best describes this body of data?

A. Identification
B. Audit trails
C. Authorization
D. Confidentiality

A

B. Audit trails provide documentation on what happened, when it happened, and who did it. IT personnel create audit trails by examining logs. Authentication of individuals is also needed to ensure that the audit trails provide proof of identities listed in the logs. Identification occurs when an individual claims an identity, but identification without authentication doesn’t provide accountability. Authorization grants individuals access to resources based on their proven identity. Confidentiality ensures that unauthorized entities can’t access sensitive data and is unrelated to this question.

26
Q

A file server in your network recently crashed. An investigation showed that logs grew so much that they filled the disk drive. You decide to enable rollover logging to prevent this from happening again. Which of the following should you do first?

A. Configure the logs to overwrite old entries automatically.
B. Copy existing logs to a different drive.
C. Review the logs for any signs of attacks.
D. Delete the oldest log entries.

A

B. The first step should be to copy existing logs to a different drive so that they are not lost. If you enable rollover logging, you are configuring the logs to overwrite old entries. It’s not necessary to review the logs before copying them. If you delete the oldest log entries first, you may delete valuable data.

27
Q

You suspect an attacker has launched a fraggle attack on a system. You check the logs and filter your search with the protocol used by fraggle. What protocol would you use in the filter?

A. User Datagram Protocol (UDP)
B. Transmission Control Protocol (TCP)
C. Internet Control Message Protocol (ICMP)
D. Security orchestration, automation, and response (SOAR)

A

A. Fraggle is a denial of service (DoS) attack that uses UDP. Other attacks, such as a SYN flood attack, use TCP. A smurf attack is similar to a fraggle attack, but it uses ICMP. SOAR is a group of technologies that provide automated responses to common attacks, not a protocol.

28
Q

You are updating the training manual for security administrators and want to add a description of a zero-day exploit. Which of the following best describes a zero-day exploit?

A. An attack that exploits a vulnerability that doesn’t have a patch or fix
B. A newly discovered vulnerability that doesn’t have a patch or fix
C. An attack on systems without an available patch
D. Malware that delivers its payload after a user starts an application

A

A. A zero-day exploit is an attack that exploits a vulnerability that doesn’t have a patch or fix. A newly discovered vulnerability is only a vulnerability until someone tries to exploit it. Attacks on unpatched systems aren’t zero-day exploits. A virus is a type of malware that delivers its payload after a user launches an application.

29
Q

Users in an organization complain that they can’t access several websites that are usually available. After troubleshooting the issue, you discover that an intrusion protection system (IPS) is blocking the traffic, but the traffic is not malicious. What does this describe?

A. A false negative
B. A honeynet
C. A false positive
D. Sandboxing

A

C. This is a false positive. The IPS falsely identified normal web traffic as an attack and blocked it. A false negative occurs when a system doesn’t detect an actual attack. A honeynet is a group of honeypots used to lure attackers. Sandboxing provides an isolated environment for testing and is unrelated to this question.

30
Q

You are installing a new intrusion detection system (IDS). It requires you to create a baseline before fully implementing it. Which of the following best describes this IDS?

A. A pattern-matching IDS
B. A knowledge-based IDS
C. A signature-based IDS
D. An anomaly-based IDS

A

D. An anomaly-based IDS requires a baseline, and it then monitors traffic for any anomalies or changes when compared to the baseline. It’s also called behavior based and heuristics based. Pattern-based detection (also known as knowledge-based detection and signature-based detection) uses known signatures to detect attacks.

31
Q

An administrator is implementing an intrusion detection system. Once installed, it will monitor all traffic and raise alerts when it detects suspicious traffic. Which of the following best describes this system?

A. A host-based intrusion detection system (HIDS)
B. A network-based intrusion detection system (NIDS)
C. A honeynet
D. A network firewall

A

B. An NIDS will monitor all traffic and raise alerts when it detects suspicious traffic. A HIDS only monitors a single system. A honeynet is a network of honeypots used to lure attackers away from live networks. A network firewall filters traffic, but it doesn’t raise alerts on suspicious traffic.

32
Q

You are installing a system that management hopes will reduce incidents in the network. The setup instructions require you to configure it inline with traffic so that all traffic goes through it before reaching the internal network. Which of the following choices best identifies this system?

A. A network-based intrusion prevention system (NIPS)
B. A network-based intrusion detection system (NIDS)
C. A host-based intrusion prevention system (HIPS)
D. A host-based intrusion detection system (HIDS)

A

A. This describes an NIPS. It is monitoring network traffic, and it is placed in line with the traffic. An NIDS isn’t placed in line with the traffic, so it isn’t the best choice. Host-based systems only monitor traffic sent to specific hosts, not network traffic.

33
Q

After installing an application on a user’s system, your supervisor told you to remove it because it is consuming most of the system’s resources. Which of the following prevention systems did you most likely install?

A. A network-based intrusion detection system (NIDS)
B. A web application firewall (WAF)
C. A security information and event management (SIEM) system
D. A host-based intrusion detection system (HIDS)

A

D. A drawback of some HIDSs is that they interfere with a single system’s normal operation by consuming too many resources. The other options refer to applications that aren’t installed on user systems.

34
Q

You are replacing a failed switch. The configuration documentation for the original switch indicates a specific port needs to be configured as a mirrored port. Which of the following network devices would connect to this port?

A. An intrusion prevention system (IPS)
B. An intrusion detection system (IDS)
C. A honeypot
D. A sandbox

A

B. An IDS is most likely to connect to a switch port configured as a mirrored port. An IPS is placed in line with traffic, so it is placed before the switch. A honeypot doesn’t need to see all traffic going through a switch. A sandbox is an isolated area often used for testing and would not need all traffic from a switch.

35
Q

A network includes a network-based intrusion detection system (NIDS). However, security administrators discovered that an attack entered the network and the NIDS did not raise an alarm. What does this describe?

A. A false positive
B. A false negative
C. A fraggle attack
D. A smurf attack

A

B. A false negative occurs when there is an attack but the IDS doesn’t detect it and raise an alarm. In contrast, a false positive occurs when an IDS incorrectly raises an alarm, even though there isn’t an attack. The attack may be a UDP-based fraggle attack or an ICMP-based smurf attack, but the attack is real, and since the IDS doesn’t detect it, it is a false negative.

36
Q

Management wants to add an intrusion detection system (IDS) that will detect new security threats. Which of the following is the best choice?

A. A signature-based IDS
B. An anomaly detection IDS
C. An active IDS
D. A network-based IDS

A

B. An anomaly-based IDS (also known as a behavior-based IDS) can detect new security threats. A signature-based IDS only detects attacks from known threats. An active IDS identifies the response after a threat is detected. A network-based IDS can be both signature based and anomaly based.

37
Q

Your organization recently implemented a centralized application for monitoring. Which of the following best describes this?

A. SOAR
B. SIEM
C. HIDS
D. Threat feed

A

B. A security information and event management (SIEM) system is a centralized application that monitors multiple systems. Security orchestration, automation, and response (SOAR) is a group of technologies that provide automated responses to common attacks. A host-based intrusion detection system (HIDS) is decentralized because it is on one system only. A threat feed is a stream of data on current threats.

38
Q

After a recent attack, management decided to implement an egress monitoring system that will prevent data exfiltration. Which of the following is the best choice?

A. An NIDS
B. An NIPS
C. A firewall
D. A DLP system

A

D. A network-based data loss prevention (DLP) system monitors outgoing traffic (egress monitoring) and can thwart data exfiltration attempts. Network-based intrusion detection systems (NIDSs) and intrusion protection systems (IPSs) primarily monitor incoming traffic for threats. Firewalls can block traffic or allow traffic based on rules in an access control list (ACL), but they can’t detect unauthorized data exfiltration attacks.

39
Q

Security administrators are regularly monitoring threat feeds and using that information to check systems within the network. Their goal is to discover any infections or attacks that haven’t been detected by existing tools. What does this describe?

A. Threat hunting
B. Threat intelligence
C. Implementing the kill chain
D. Using artificial intelligence

A

A. Threat hunting is the process of actively searching for infections or attacks within a network. Threat intelligence refers to the actionable intelligence created after analyzing incoming data, such as threat feeds. Threat hunters use threat intelligence to search for specific threats. Additionally, they may use a kill chain model to mitigate these threats. Artificial intelligence (AI) refers to actions by a machine, but the scenario indicates administrators are doing the work.

40
Q

Administrators find that they are repeating the same steps to verify intrusion detection system alerts and perform more repetitive steps to mitigate well-known attacks. Of the following choices, what can automate these steps?

A. SOAR
B. SIEM
C. NIDS
D. DLP

A

A. Security orchestration, automation, and response (SOAR) technologies provide automated responses to common attacks, reducing an administrator’s workload. A security information and event management (SIEM) system is a centralized application that monitors log entries from multiple sources. A network-based intrusion detection system (NIDS) raises the alerts. A data loss prevention (DLP) system helps with egress monitoring and is unrelated to this question.

41
Q

James is working with his organization’s leadership to help them understand the role that disaster recovery plays in their cybersecurity strategy. The leaders are confused about the differences between disaster recovery and business continuity. What is the end goal of disaster recovery planning?

A. Preventing business interruption
B. Setting up temporary business operations
C. Restoring normal business activity
D. Minimizing the impact of a disaster

A

C. Once a disaster interrupts the business operations, the goal of DRP is to restore regular business activity as quickly as possible. Thus, disaster recovery planning picks up where business continuity planning leaves off. Preventing business interruption is the goal of business continuity, not disaster recovery programs. Although disaster recovery programs are involved in restoring normal activity and minimizing the impact of disasters, this is not their end goal.

42
Q

Kevin is attempting to determine an appropriate backup frequency for his organization’s database server and wants to ensure that any data loss is within the organization’s risk appetite. Which one of the following security process metrics would best assist him with this task?

A. RTO
B. MTD
C. RPO
D. MTBF

A

C. The recovery point objective (RPO) specifies the maximum amount of data that may be lost during a disaster and should be used to guide backup strategies. The maximum tolerable downtime (MTD) and recovery time objective (RTO) are related to the duration of an outage, rather than the amount of data lost. The mean time between failures (MTBF) is related to the frequency of failure events.

43
Q

Brian’s organization recently suffered a disaster and wants to improve their disaster recovery program based on their experience. Which one of the following activities will best assist with this task?

A. Training programs
B. Awareness efforts
C. BIA review
D. Lessons learned

A

D. The lessons learned session captures discoveries made during the disaster recovery process and facilitates continuous improvement. It may identify deficiencies in training and awareness or in the business impact analysis.

44
Q

Adam is reviewing the fault-tolerance controls used by his organization and realizes that they currently have a single point of failure in the disks used to support a critical server. Which one of the following controls can provide fault tolerance for these disks?

A. Load balancing
B. RAID
C. Clustering
D. HA pairs

A

B. A redundant array of inexpensive disks (RAID) is a fault-tolerance control that allows an organization’s storage service to withstand the loss of one or more individual disks. Load balancing, clustering, and high-availability (HA) pairs are all fault-tolerance services designed for server compute capacity, not storage.

45
Q

Brad is helping to design a disaster recovery strategy for his organization and is analyzing possible storage locations for backup data. He is not certain where the organization will recover operations in the event of a disaster and would like to choose an option that allows them the flexibility to easily retrieve data from any DR site. Which one of the following storage locations provides the best option for Brad?

A. Primary data center
B. Field office
C. Cloud computing
D. IT manager’s home

A

C. Cloud computing services provide an excellent location for backup storage because they are accessible from any location. The primary data center is a poor choice, since it may be damaged during a disaster. A field office is reasonable, but it is in a specific location and is not as flexible as a cloud-based approach. The IT manager’s home is a poor choice—the IT manager may leave the organization or may not have appropriate environmental and physical security controls in place.

46
Q

Which of the following statements about business continuity planning and disaster recovery planning are correct? (Choose all that apply.)

A. Business continuity planning is focused on keeping business functions uninterrupted when a disaster strikes.
B. Organizations can choose whether to develop business continuity planning or disaster recovery planning plans.
C. Business continuity planning picks up where disaster recovery planning leaves off.
D. Disaster recovery planning guides an organization through recovery of normal operations at the primary facility.

A

A, B, D. The only incorrect statement here is that business continuity planning picks up where disaster recovery planning leaves off. In fact, the opposite is true: disaster recovery planning picks up where business continuity planning leaves off. The other three statements are all accurate reflections of the role of business continuity planning and disaster recovery planning. Business continuity planning is focused on keeping business functions uninterrupted when a disaster strikes. Organizations can choose whether to develop business continuity planning or disaster recovery planning plans, although it is highly recommended that they do so. Disaster recovery planning guides an organization through recovery of normal operations at the primary facility.

47
Q

Tonya is reviewing the flood risk to her organization and learns that their primary data center resides within a 100-year flood plain. What conclusion can she draw from this information?

A. The last flood of any kind to hit the area was more than 100 years ago.
B. The odds of a flood at this level are 1 in 100 in any given year.
C. The area is expected to be safe from flooding for at least 100 years.
D. The last significant flood to hit the area was more than 100 years ago.

A

B. The term 100-year flood plain is used to describe an area where flooding is expected once every 100 years. It is, however, more mathematically correct to say that this label indicates a 1 percent probability of flooding in any given year.

48
Q

Randi is designing a disaster recovery mechanism for her organization’s critical business databases. She selects a strategy where an exact, up-to-date copy of the database is maintained at an alternative location. What term describes this approach?

A. Transaction logging
B. Remote journaling
C. Electronic vaulting
D. Remote mirroring

A

D. When you use remote mirroring, an exact copy of the database is maintained at an alternative location. You keep the remote copy up to date by executing all transactions on both the primary and remote sites at the same time. Electronic vaulting follows a similar process of storing all data at the remote location, but it does not do so in real time. Transaction logging and remote journaling options send logs, rather than full data replicas, to the remote location.

49
Q

Bryn runs a corporate website and currently uses a single server, which is capable of handling the site’s entire load. She is concerned, however, that an outage on that server could cause the organization to exceed its RTO. What action could she take that would best protect against this risk?

A. Install dual power supplies in the server.
B. Replace the server’s hard drives with RAID arrays.
C. Deploy multiple servers behind a load balancer.
D. Perform regular backups of the server.

A

C. All of these are good practices that could help improve the quality of service that Bryn provides from her website. Installing dual power supplies or deploying RAID arrays could reduce the likelihood of a server failure, but these measures only protect against a single risk each. Deploying multiple servers behind a load balancer is the best option because it protects against any type of risk that would cause a server failure. Backups are an important control for recovering operations after a disaster and different backup strategies could indeed alter the RTO, but it is even better if Bryn can design a web architecture that lowers the risk of the outage occurring in the first place.

50
Q

Carl recently completed his organization’s annual business continuity plan refresh and is now turning his attention to the disaster recovery plan. What output from the business continuity plan can he use to prepare the business unit prioritization task of disaster recovery planning?

A. Vulnerability analysis
B. Business impact analysis
C. Risk management
D. Continuity planning

A

B. During the business impact analysis phase, you must identify the business priorities of your organization to assist with the allocation of BCP resources. You can use this same information to drive the disaster recovery planning business unit prioritization.

51
Q

Nolan is considering the use of several different types of alternate processing facility for his organization’s data center. Which one of the following alternative processing sites takes the longest time to activate but has the lowest cost to implement?

A. Hot site
B. Mobile site
C. Cold site
D. Warm site

A

C. The cold site contains none of the equipment necessary to restore operations. All of the equipment must be brought in and configured, and data must be restored to it, before operations can commence. This process often takes weeks, but cold sites also have the lowest cost to implement. Hot sites, warm sites, and mobile sites all have quicker recovery times.

52
Q

Ingrid is concerned that one of her organization’s data centers has been experiencing a series of momentary power outages. Which one of the following controls would best preserve their operating status?

A. Generator
B. Dual power supplies
C. UPS
D. Redundant network links

A

C. Uninterruptible power supplies (UPSs) provide a battery-backed source of power that is capable of preserving operations in the event of brief power outages. Generators take a significant amount of time to start and are more suitable for longer-term outages. Dual power supplies protect against power supply failures and not power outages. Redundant network links are a network continuity control and do not provide power.

53
Q

Which one of the following items is a characteristic of hot sites but not a characteristic of warm sites?

A. Communications circuits
B. Workstations
C. Servers
D. Current data

A

D. Warm sites and hot sites both contain workstations, servers, and the communications circuits necessary to achieve operational status. The main difference between the two alternatives is the fact that hot sites contain near-real-time copies of the operational data and warm sites require the restoration of data from backup.

54
Q

Harry is conducting a disaster recovery test. He moved a group of personnel to the alternate recovery site, where they are mimicking the operations of the primary site but do not have operational responsibility. What type of disaster recovery test is he performing?

A. Checklist test
B. Structured walk-through
C. Simulation test
D. Parallel test

A

D. The parallel test involves relocating personnel to the alternate recovery site and implementing site activation procedures. Checklist tests, structured walk-throughs, and simulations are all test types that do not involve actually activating the alternate site.

55
Q

What type of document will help public relations specialists and other individuals who need a high-level summary of disaster recovery efforts while they are under way?

A. Executive summary
B. Technical guides
C. Department-specific plans
D. Checklists

A

A. The executive summary provides a high-level view of the entire organization’s disaster recovery efforts. This document is useful for the managers and leaders of the firm as well as public relations personnel who need a nontechnical perspective on this complex effort.

56
Q

What disaster recovery planning tool can be used to protect an organization against the failure of a critical software firm to provide appropriate support for their products?

A. Differential backups
B. Business impact analysis
C. Incremental backups
D. Software escrow agreement

A

D. Software escrow agreements place the application source code in the hands of an independent third party, thus providing firms with a “safety net” in the event a developer goes out of business or fails to honor the terms of a service agreement.

57
Q

What type of backup involves always storing copies of all files modified since the most recent full backup?

A. Differential backups
B. Partial backup
C. Incremental backups
D. Database backup

A

A. Differential backups involve always storing copies of all files modified since the most recent full backup, regardless of any incremental or differential backups created during the intervening time period.

58
Q

You operate a grain processing business and are developing your restoration priorities. Which one of the following systems would likely be your highest priority?

A. Order-processing system
B. Fire suppression system
C. Payroll system
D. Website

A

B. People should always be your highest priority in business continuity planning. As life safety systems, fire suppression systems should always receive high prioritization.

59
Q

What combination of backup strategies provides the fastest backup restoration time?

A. Full backups and differential backups
B. Partial backups and incremental backups
C. Full backups and incremental backups
D. Incremental backups and differential backups

A

A. Any backup strategy must include full backups at some point in the process. If a combination of full and differential backups is used, a maximum of two backups must be restored. If a combination of full and incremental backups is chosen, the number of required restorations may be large.

60
Q

What type of disaster recovery plan test fully evaluates operations at the backup facility but does not shift primary operations responsibility from the main site?

A. Structured walk-through
B. Parallel test
C. Full-interruption test
D. Simulation test

A

B. Parallel tests involve moving personnel to the recovery site and gearing up operations, but responsibility for conducting day-to-day operations of the business remains at the primary operations center.

61
Q

Devin is revising the policies and procedures used by his organization to conduct investigations and would like to include a definition of computer crime. Which one of the following definitions would best meet his needs?

A. Any attack specifically listed in your security policy
B. Any illegal attack that compromises a protected computer
C. Any violation of a law or regulation that involves a computer
D. Failure to practice due diligence in computer security

A

C. A crime is any violation of a law or regulation. The violation stipulation defines the action as a crime. It is a computer crime if the violation involves a computer, either as the target or as a tool. Computer crimes may not be defined in an organization’s policy, since crimes are only defined in law. Illegal attacks are indeed crimes, but this is too narrow a definition. The failure to practice due diligence may be a liability but, in most cases, is not a criminal action.

62
Q

What is the main purpose of a military and intelligence attack?

A. To attack the availability of military systems
B. To obtain secret and restricted information from military or law enforcement sources
C. To utilize military or intelligence agency systems to attack other, nonmilitary sites
D. To compromise military systems for use in attacks against other systems

A

B. A military and intelligence attack targets the classified data that resides on the system. To the attacker, the value of the information justifies the risk associated with such an attack. The information extracted from this type of attack is often used to plan subsequent attacks.

63
Q

Which of the following is not a canon of the (ISC)2 Code of Ethics?

A. Protect your colleagues.
B. Provide diligent and competent service to principals.
C. Advance and protect the profession.
D. Protect society.

A

A. The Code of Ethics does not require that you protect your colleagues.

64
Q

Which of the following are examples of financially motivated attacks? (Choose all that apply.)

A. Accessing services that you have not purchased
B. Disclosing confidential personal employee information
C. Transferring funds from an unapproved source into your account
D. Selling a botnet for use in a DDoS attack

A

A, C, D. A financial attack focuses primarily on obtaining services and funds illegally. Accessing services that you have not purchased is an example of obtaining services illegally. Transferring funds from an unapproved source is obtaining funds illegally, as is leasing out a botnet for use in DDoS attacks. Disclosing confidential information is not necessarily financially motivated.

65
Q

Which one of the following attacker actions is most indicative of a terrorist attack?

A. Altering sensitive trade secret documents
B. Damaging the ability to communicate and respond to a physical attack
C. Stealing unclassified information
D. Transferring funds to other countries

A

B. A terrorist attack is launched to interfere with a way of life by creating an atmosphere of fear. A computer terrorist attack can reach this goal by reducing the ability to respond to a simultaneous physical attack. Although terrorists may engage in other actions, such as altering information, stealing data, or transferring funds, as part of their attacks, these items alone are not indicators of terrorist activity.

66
Q

Which of the following would not be a primary goal of a grudge attack?

A. Disclosing embarrassing personal information
B. Launching a virus on an organization’s system
C. Sending inappropriate email with a spoofed origination address of the victim organization
D. Using automated tools to scan the organization’s systems for vulnerable ports

A

D. Any action that can harm a person or organization, either directly or through embarrassment, would be a valid goal of a grudge attack. The purpose of such an attack is to “get back” at someone.

67
Q

What are the primary reasons attackers engage in thrill attacks? (Choose all that apply.)

A. Bragging rights
B. Money from the sale of stolen documents
C. Pride of conquering a secure system
D. Retaliation against a person or organization

A

A, C. Thrill attacks have no reward other than providing a boost to pride and ego. The thrill of launching the attack comes from the act of participating in the attack (and not getting caught).

68
Q

What is the most important rule to follow when collecting evidence?

A. Do not turn off a computer until you photograph the screen.
B. List all people present while collecting evidence.
C. Avoid the modification of evidence during the collection process.
D. Transfer all equipment to a secure storage location.

A

C. Although the other options have some merit in individual cases, the most important rule is to never modify, or taint, evidence. If you modify evidence, it becomes inadmissible in court.

69
Q

What would be a valid argument for not immediately removing power from a machine when an incident is discovered?

A. All of the damage has been done. Turning the machine off would not stop additional damage.
B. There is no other system that can replace this one if it is turned off.
C. Too many users are logged in and using the system.
D. Valuable evidence in memory will be lost.

A

D. The most compelling reason for not removing power from a machine is that you will lose the contents of memory. Carefully consider the pros and cons of removing power. After all is considered, it may be the best choice.

70
Q

What type of evidence refers to written documents that are brought into court to prove a fact?

A. Best evidence
B. Parol evidence
C. Documentary evidence
D. Testimonial evidence

A

C. Written documents brought into court to prove the facts of a case are referred to as documentary evidence. The best evidence rule states that when a document is used as evidence in a court proceeding, the original document must be introduced. The parol evidence rule states that when an agreement between parties is put into written form, the written document is assumed to contain all the terms of the agreement, and no verbal agreements may modify the written agreement. Testimonial evidence is evidence consisting of the testimony of a witness, either verbal testimony in court or written testimony in a recorded deposition.

71
Q

Which one of the following investigation types has the highest standard of evidence?

A. Administrative
B. Civil
C. Criminal
D. Regulatory

A

C. Criminal investigations may result in the imprisonment of individuals and, therefore, have the highest standard of evidence to protect the rights of the accused.

72
Q

During an operational investigation, what type of analysis might an organization undertake to prevent similar incidents in the future?

A. Forensic analysis
B. Root cause analysis
C. Network traffic analysis
D. Fagan analysis

A

B. Root cause analysis seeks to identify the reason that an operational issue occurred. The root cause analysis often highlights issues that require remediation to prevent similar incidents in the future. Forensic analysis is used to obtain evidence from digital systems. Network traffic analysis is an example of a forensic analysis category. Fagan inspection is a software testing technique.

73
Q

What step of the Electronic Discovery Reference Model ensures that information that may be subject to discovery is not altered?

A. Preservation
B. Production
C. Processing
D. Presentation

A

A. Preservation ensures that potentially discoverable information is protected against alteration or deletion. Production places the information into a format that may be shared with others and delivers it to other parties, such as opposing counsel. Processing screens the collected information to perform a “rough cut” of irrelevant information, reducing the amount of information requiring detailed screening. Presentation displays the information to witnesses, the court, and other parties.

74
Q

Gary is a system administrator and is testifying in court about a cybercrime incident. He brings server logs to support his testimony. What type of evidence are the server logs?

A. Real evidence
B. Documentary evidence
C. Parol evidence
D. Testimonial evidence

A

B. Server logs are an example of documentary evidence. Gary may ask that they be introduced in court and will then be asked to offer testimonial evidence about how he collected and preserved the evidence. This testimonial evidence authenticates the documentary evidence.

75
Q

You are a law enforcement officer and you need to confiscate a PC from a suspected attacker who does not work for your organization. You are concerned that if you approach the individual, they may destroy evidence. What legal avenue is most appropriate?

A. Consent agreement signed by employees
B. Search warrant
C. No legal avenue necessary
D. Voluntary consent

A

B. In this case, you need a search warrant to confiscate equipment without giving the suspect time to destroy evidence. If the suspect worked for your organization and you had all employees sign consent agreements, you could simply confiscate the equipment.

76
Q

Gavin is considering altering his organization’s log retention policy to delete logs at the end of each day. What is the most important reason that he should avoid this approach?

A. An incident may not be discovered for several days and valuable evidence could be lost.
B. Disk space is cheap, and log files are used frequently.
C. Log files are protected and cannot be altered.
D. Any information in a log file is useless after it is several hours old.

A

A. Log files contain a large volume of generally useless information. However, when you are trying to track down a problem or an incident, log files can be invaluable. Even if an incident is discovered as it is happening, it may have been preceded by other incidents. Log files provide valuable clues and should be protected and archived, often by forwarding log entries to a centralized log management system.

77
Q

What phase of the Electronic Discovery Reference Model examines information to remove information subject to attorney-client privilege?

A. Identification
B. Collection
C. Processing
D. Review

A

D. Review examines the information resulting from the Processing phase to determine what information is responsive to the request and remove any information protected by attorney-client privilege. Identification locates the information that may be responsive to a discovery request when the organization believes that litigation is likely. Collection gathers the relevant information centrally for use in the eDiscovery process. Processing screens the collected information to perform a “rough cut” of irrelevant information, reducing the amount of information requiring detailed screening.

78
Q

What are ethics?

A. Mandatory actions required to fulfill job requirements
B. Laws of professional conduct
C. Regulations set forth by a professional organization
D. Rules of personal behavior

A

D. Ethics are simply rules of personal behavior. Many professional organizations establish formal codes of ethics to govern their members, but ethics are personal rules individuals use to guide their lives.

79
Q

According to the (ISC)2 Code of Ethics, how are CISSPs expected to act?

A. Honestly, diligently, responsibly, and legally
B. Honorably, honestly, justly, responsibly, and legally
C. Upholding the security policy and protecting the organization
D. Trustworthy, loyally, friendly, courteously

A

B. The second canon of the (ISC)2 Code of Ethics states how a CISSP should act, which is honorably, honestly, justly, responsibly, and legally.

80
Q

Which of the following actions are considered unacceptable and unethical according to RFC 1087, Ethics and the Internet?

A. Actions that compromise the privacy of classified information
B. Actions that compromise the privacy of users
C. Actions that disrupt organizational activities
D. Actions in which a computer is used in a manner inconsistent with a stated security policy

A

B. RFC 1087 does not specifically address the statements in options A, C, or D. Although each type of activity listed is unacceptable, only “actions that compromise the privacy of users” are explicitly identified in RFC 1087.

81
Q

Christine is helping her organization implement a DevOps approach to deploying code. Which one of the following is not a component of the DevOps model?

A. Information security
B. Software development
C. Quality assurance
D. IT operations

A

A. The three elements of the DevOps model are software development, quality assurance, and IT operations. Information security is only introduced in the DevSecOps model.

82
Q

Bob is developing a software application and has a field where users may enter a date. He wants to ensure that the values provided by the users are accurate dates to prevent security issues. What technique should Bob use?

A. Polyinstantiation
B. Input validation
C. Contamination
D. Screening

A

B. Input validation ensures that the input provided by users matches the design parameters. Polyinstantiation includes additional records in a database for presentation to users with differing security levels as a defense against inference attacks. Contamination is the mixing of data from a higher classification level and/or need-to-know requirement with data from a lower classification level and/or need-to-know requirement. Screening is a generic term and does not represent any specific security technique in this context.

83
Q

Vincent is a software developer who is working through a backlog of change tasks. He is not sure which tasks should have the highest priority. What portion of the change management process would help him to prioritize tasks?

A. Release control
B. Configuration control
C. Request control
D. Change audit

A

C. Request control provides users with an organized framework to request changes and gives developers the opportunity to prioritize those requests. Configuration control ensures that changes to software versions are made in accordance with the change and configuration management policies. Change auditing is used to ensure that the production environment is consistent with the change accounting records.

84
Q

Frank is conducting a risk analysis of his software development environment and, as a mitigation measure, would like to introduce an approach to failure management that places the system in a high level of security in the event of a failure. What approach should he use?

A. Fail-open
B. Fail mitigation
C. Fail-secure
D. Fail clear

A

C. In a fail-secure state, the system remains in a high level of security until an administrator intervenes. In a fail-open state, the system defaults to a low level of security, disabling controls until the failure is resolved. Failure mitigation seeks to reduce the impact of a failure. Fail clear is not a valid approach.

85
Q

What software development model uses a seven-stage approach with a feedback loop that allows progress one step backward?

A. Boyce-Codd
B. Iterative waterfall
C. Spiral
D. Agile

A

B. The iterative waterfall model uses a seven-stage approach to software development and includes a feedback loop that allows development to return to the previous phase to correct defects discovered during the subsequent phase.

86
Q

Jane is conducting a threat assessment using threat modeling techniques as she develops security requirements for a software package her team is developing. Which business function is she engaging in under the Software Assurance Maturity Model (SAMM)?

A. Governance
B. Design
C. Implementation
D. Verification

A

B. The activities of threat assessment, threat modeling, and security requirements are all part of the Design function under SAMM.

87
Q

Which one of the following key types is used to enforce referential integrity between database tables?

A. Candidate key
B. Primary key
C. Foreign key
D. Alternate key

A

C. Foreign keys are used to enforce referential integrity constraints between tables that participate in a relationship. Candidate keys are sets of fields that may potentially serve as the primary key, the key used to uniquely identify database records. Alternate keys are candidate keys that are not selected as the primary key.

88
Q

Richard believes that a database user is misusing his privileges to gain information about the company’s overall business trends by issuing queries that combine data from a large number of records. What process is the database user taking advantage of?

A. Inference
B. Contamination
C. Polyinstantiation
D. Aggregation

A

D. In this case, the process the database user is taking advantage of is aggregation. Aggregation attacks involve the use of specialized database functions to combine information from a large number of database records to reveal information that may be more sensitive than the information in individual records would reveal. Inference attacks use deductive reasoning to reach conclusions from existing data. Contamination is the mixing of data from a higher classification level and/or need-to-know requirement with data from a lower classification level and/or need-to-know requirement. Polyinstantiation is the creation of different database records for users of differing security levels.

89
Q

What database technique can be used to prevent unauthorized users from determining classified information by noticing the absence of information normally available to them?

A. Inference
B. Manipulation
C. Polyinstantiation
D. Aggregation

A

C. Polyinstantiation allows the insertion of multiple records that appear to have the same primary key values into a database at different classification levels. Aggregation attacks involve the use of specialized database functions to combine information from a large number of database records to reveal information that may be more sensitive than the information in individual records would reveal. Inference attacks use deductive reasoning to reach conclusions from existing data. Manipulation is the authorized or unauthorized alteration of data in a database.

90
Q

Which one of the following is not a principle of Agile development?

A. Satisfy the customer through early and continuous delivery.
B. Businesspeople and developers work together.
C. Pay continuous attention to technical excellence.
D. Prioritize security over other requirements.

A

D. In Agile, the highest priority is to satisfy the customer through early and continuous delivery of valuable software. It is not to prioritize security over other requirements. The Agile principles also include satisfying the customer through early and continuous delivery, businesspeople and developers working together, and paying continuous attention to technical excellence.

91
Q

What type of information is used to form the basis of an expert system’s decision-making process?

A. A series of weighted layered computations
B. Combined input from a number of human experts, weighted according to past performance
C. A series of “if/then” rules codified in a knowledge base
D. A biological decision-making process that simulates the reasoning process used by the human mind

A

C. Expert systems use a knowledge base consisting of a series of “if/then” statements to form decisions based on the previous experience of human experts.

92
Q

In which phase of the SW-CMM does an organization use quantitative measures to gain a detailed understanding of the development process?

A. Initial
B. Repeatable
C. Defined
D. Managed

A

D. In the Managed phase, level 4 of the SW-CMM, the organization uses quantitative measures to gain a detailed understanding of the development process.

93
Q

Which of the following acts as a proxy between an application and a database to support interaction and simplify the work of programmers?

A. SDLC
B. ODBC
C. PCI DSS
D. Abstraction

A

B. Open Database Connectivity (ODBC) acts as a proxy between applications and the back-end DBMS. The software development lifecycle (SDLC) is a model for the software development process that incorporates all necessary activities. The Payment Card Industry Data Security Standard (PCI DSS) is a regulatory framework for credit card processing. Abstraction is a software development concept that generalizes common behaviors of software objects into more abstract classes.

94
Q

In what type of software testing does the tester have access to the underlying source code?

A. Static testing
B. Dynamic testing
C. Cross-site scripting testing
D. Black-box testing

A

A. In order to conduct a static test, the tester must have access to the underlying source code. Black-box testing does not require access to source code. Dynamic testing is an example of black-box testing. Cross-site scripting is a specific type of vulnerability, and it may be discovered using both static and dynamic techniques, with or without access to the source code.

95
Q

What type of chart provides a graphical illustration of a schedule that helps to plan, coordinate, and track project tasks?

A. Gantt
B. Venn
C. Bar
D. PERT

A

A. A Gantt chart is a type of bar chart that shows the interrelationships over time between projects and schedules. It provides a graphical illustration of a schedule that helps to plan, coordinate, and track specific tasks in a project. A PERT chart focuses on the interrelationships between tasks rather than the specific details of the schedule. Bar charts are used to present data, and Venn diagrams are used to show the relationships between sets.

96
Q

Which database security risk occurs when data from a higher classification level is mixed with data from a lower classification level?

A. Aggregation
B. Inference
C. Contamination
D. Polyinstantiation

A

C. Contamination is the mixing of data from a higher classification level and/or need-to-know requirement with data from a lower classification level and/or need-to-know requirement. Aggregation attacks involve the use of specialized database functions to combine information from a large number of database records to reveal information that may be more sensitive than the information in individual records would reveal. Inference attacks use deductive reasoning to reach conclusions from existing data. Polyinstantiation includes additional records in a database for presentation to users with differing security levels as a defense against inference attacks.

97
Q

Tonya is performing a risk assessment of a third-party software package for use within her organization. She plans to purchase a product from a vendor that is very popular in her industry. What term best describes this software?

A. Open source
B. Custom-developed
C. ERP
D. COTS

A

D. Tonya is purchasing the software, so it is not open source. It is used widely in her industry, so it is not custom developed for her organization. There is no indication in the question that the software is an enterprise resource planning (ERP) system. The best answer here is commercial-off-the-shelf software (COTS).

98
Q

Which one of the following is not part of the change management process?

A. Request control
B. Release control
C. Configuration audit
D. Change control

A

C. Configuration audit is part of the configuration management process rather than the change control process. Request control, release control, and change control are all components of the configuration management process.

99
Q

What transaction management principle ensures that two transactions do not interfere with each other as they operate on the same data?

A. Atomicity
B. Consistency
C. Isolation
D. Durability

A

C. The isolation principle states that two transactions operating on the same data must be temporarily separated from each other so that one does not interfere with the other. The atomicity principle says that if any part of the transaction fails, the entire transaction must be rolled back. The consistency principle says that the database must always be in a state that complies with the database model’s rules. The durability principle says that transactions committed to the database must be preserved.

100
Q

Tom built a database table consisting of the names, telephone numbers, and customer IDs for his business. The table contains information on 30 customers. What is the degree of this table?

A. Two
B. Three
C. Thirty
D. Undefined

A

B. The cardinality of a table refers to the number of rows in the table, whereas the degree of a table is the number of columns. In this case, the table has three columns (name, telephone number, and customer ID), so it has a degree of three.

101
Q

Dylan is reviewing the security controls currently used by his organization and realizes that he lacks a tool that might identify abnormal actions taken by an end user. What type of tool would best meet this need?

A. EDR
B. Integrity monitoring
C. Signature detection
D. UEBA

A

D. User and entity behavior analytics (UEBA) tools develop profiles of individual behavior and then monitor users for deviations from those profiles that may indicate malicious activity and/or compromised accounts. This type of tool would meet Dylan’s requirements. Endpoint detection and response (EDR) tools watch for unusual endpoint behavior but do not analyze user activity. Integrity monitoring is used to identify unauthorized system/file changes. Signature detection is a malware detection technique.

102
Q

Tim is working to improve his organization’s antimalware defenses and would also like to reduce the operational burden on his security team. Which one of the following solutions would best meet his needs?

A. UEBA
B. MDR
C. EDR
D. NGEP

A

B. All of these technologies are able to play important roles in defending against malware and other endpoint threats. User and entity behavior analysis (UEBA) looks for behavioral anomalies. Endpoint detection and response (EDR) and next-generation endpoint protection (NGEP) identify and respond to malware infections. However, only managed detection and response (MDR) combines antimalware capabilities with a managed service that reduces the burden on the IT team.

103
Q

Carl works for a government agency that has suffered a ransomware attack and has lost access to critical data but does have access to backups. Which one of the following actions would best restore this access while minimizing the risk facing the organization?

A. Pay the ransom
B. Rebuild systems from scratch
C. Restore backups
D. Install antivirus software

A

C. If Carl has backups available, that would be his best option to recover operations. He could also pay the ransom, but this would expose his organization to legal risks and incur unnecessary costs. Rebuilding the systems from scratch would not restore his data. Installing antivirus software would be helpful in preventing future compromises, but these packages would not likely be able to decrypt the missing data.

104
Q

What attack technique is often leveraged by advanced persistent threat groups but not commonly available to other attackers, such as script kiddies and hacktivists?

A. Zero-day exploit
B. Social engineering
C. Trojan horse
D. SQL injection

A

A. Although an advanced persistent threat (APT) may leverage any of these attacks, they are most closely associated with zero-day attacks due to the cost and complexity of the research required to discover or purchase them. Social engineering, Trojans (and other malware), and SQL injection attacks are often attempted by many different types of attackers.

105
Q

John found a vulnerability in his code where an attacker can enter too much input and then force the system running the code to execute targeted commands. What type of vulnerability has John discovered?

A. TOCTTOU
B. Buffer overflow
C. XSS
D. XSRF

A

B. Buffer overflow vulnerabilities exist when a developer does not properly validate user input to ensure that it is of an appropriate size. Input that is too large can “overflow” a data structure to affect other data stored in the computer’s memory. Time-of-check to time-of-use (TOCTTOU) attacks exploit timing differences that lead to race conditions. Cross-site scripting (XSS) attacks force the execution of malicious scripts in the user’s browser. Cross-site request forgery (XSRF) attacks exploit authentication trust between browser tabs.

106
Q

Mary identified a vulnerability in her code where it fails to check during a session to determine whether a user’s permission has been revoked. What type of vulnerability is this?

A. Backdoor
B. TOC/TOU
C. Buffer overflow
D. SQL injection

A

B. TOC/TOU is a type of timing vulnerability that occurs when a program checks access permissions too far in advance of a resource request. Backdoors are code that allows those with knowledge of the backdoor to bypass authentication mechanisms. Buffer overflow vulnerabilities exist when a developer does not properly validate user input to ensure that it is of an appropriate size. Input that is too large can “overflow” a data structure to affect other data stored in the computer’s memory. SQL injection attacks include SQL code in user input in the hopes that it will be passed to and executed by the backend database.

107
Q

What programming language construct is commonly used to perform error handling?

A. If…then
B. Case…when
C. Do…while
D. Try…catch

A

D. The try…catch clause is used to attempt to evaluate code contained in the try clause and then handle errors with the code located in the catch clause. The other constructs listed here (if…then, case…when, and do…while) are all used for control flow.

108
Q

Fred is reviewing the logs from his web server for malicious activity and finds this request: http://www.mycompany.com/../../../etc/passwd. What type of attack was most likely attempted?

A. SQL injection
B. Session hijacking
C. Directory traversal
D. File upload

A

C. In this case, the .. operators are the telltale giveaway that the attacker was attempting to conduct a directory traversal attack. This particular attack sought to break out of the web server’s root directory and access the /etc/passwd file on the server. SQL injection attacks would contain SQL code. File upload attacks seek to upload a file to the server. Session hijacking attacks require the theft of authentication tokens or other credentials.

109
Q

A developer added a subroutine to a web application that checks to see whether the date is April 1 and, if it is, randomly changes user account balances. What type of malicious code is this?

A. Logic bomb
B. Worm
C. Trojan horse
D. Virus

A

A. Logic bombs wait until certain conditions are met before delivering their malicious payloads. Worms are malicious code objects that move between systems under their own power, whereas viruses require some type of human intervention. Trojan horses masquerade as useful software but then carry out malicious functions after installation.

110
Q

Francis is reviewing the source code for a database-driven web application that his company is planning to deploy. He is paying particular attention to the use of input validation within that application. Of the characters listed here, which is most commonly used in SQL injection attacks?

A. !
B. &
C. *
D. '

A

D. The single quote character (') is used in SQL queries and must be handled carefully on web forms to protect against SQL injection attacks.

111
Q

Katie is concerned about the potential for SQL injection attacks against her organization. She has already put a web application firewall in place and conducted a review of the organization’s web application source code. She would like to add an additional control at the database level. What database technology could further limit the potential for SQL injection attacks?

A. Triggers
B. Parameterized queries
C. Column encryption
D. Concurrency control

A

B. Developers of web applications should leverage parameterized queries to limit the application’s ability to execute arbitrary code. With stored procedures, the SQL statement resides on the database server and may only be modified by database developers or administrators. With parameterized queries, the SQL statement is defined within the application and variables are bound to that statement in a safe manner.

112
Q

What type of malicious software is specifically used to leverage stolen computing power for the attacker’s financial gain?

A. RAT
B. PUP
C. Cryptomalware
D. Worm

A

C. Although any malware may be leveraged for financial gain, depending on its payload, cryptomalware is specifically designed for this purpose. It steals computing power and uses it to mine cryptocurrency. Remote access Trojans (RATs) are designed to grant attackers remote administrative access to systems. Potentially unwanted programs (PUPs) are any type of software that is initially approved by the user but then performs undesirable actions. Worms are malicious code objects that move between systems under their own power.

113
Q

David is responsible for reviewing a series of web applications for vulnerabilities to cross-site scripting attacks. What characteristic should he watch out for that would indicate a high susceptibility to this type of attack?

A. Reflected input
B. Database-driven content
C. .NET technology
D. CGI scripts

A

A. Cross-site scripting attacks are often successful against web applications that include reflected input. This is one of the two main categories of XSS attack. In a reflected attack, the attacker can embed the attack within the URL so that it is reflected to users who follow a link.

114
Q

You are the IT security manager for a retail merchant organization that is just going online with an ecommerce website. You hired several programmers to craft the code that is the backbone of your new web sales system. However, you are concerned that although the new code functions well, it might not be secure. You begin to review the code to track down issues and concerns. Which of the following do you hope to find in order to prevent or protect against XSS? (Choose all that apply.)

A. Input validation
B. Defensive coding
C. Allowing script input
D. Escaping metacharacters

A

A, B, D. A programmer can implement the most effective way to prevent XSS by validating input, coding defensively, escaping metacharacters, and rejecting all script-like input.

115
Q

Sharon believes that a web application developed by her organization contains a cross-site scripting vulnerability, and she would like to correct the issue. Which of the following is the most effective defense that Sharon can use against cross-site scripting attacks?

A. Limiting account privileges
B. Input validation
C. User authentication
D. Encryption

A

B. Input validation prevents cross-site scripting attacks by limiting user input to a predefined range. This prevents the attacker from including the HTML <script> tag in the input.

116
Q

Beth is looking through web server logs and finds form input that looks like this:

<script>
alert('Enter your password')
</script>

What type of attack has she likely discovered?

A. XSS
B. SQL injection
C. XSRF
D. TOCTTOU

A

A. The use of the <script> tag is a telltale sign of a cross-site scripting (XSS) attack.

117
Q

Ben’s system was infected by malicious code that modified the operating system to allow the malicious code author to gain access to his files. What type of exploit did this attacker engage in?

A. Privilege escalation
B. Backdoor
C. Rootkit
D. Buffer overflow

A

B. Backdoors are undocumented command sequences that allow individuals with knowledge of the backdoor to bypass normal access restrictions. Privilege escalation attacks, such as those carried out by rootkits, seek to upgrade normal user accounts to administrative access rights. Buffer overflows place excess input in a field in an attempt to execute attacker-supplied code.

118
Q

Karen would like to configure a new application so that it automatically adds and releases resources as demand rises and falls. What term best describes her goal?

A. Scalability
B. Load balancing
C. Fault tolerance
D. Elasticity

A

D. Elasticity provides for automatic provisioning and deprovisioning of resources to meet demand. Scalability only requires the ability to increase (but not decrease) available resources. Load balancing is the ability to share application load across multiple servers, and fault tolerance is the resilience of a system in the face of failures.

119
Q

What HTML tag is often used as part of a cross-site scripting (XSS) attack?

A. <H1>
B. <HEAD>
C. <XSS>
D. <SCRIPT>

A

D. The <SCRIPT> tag is used to indicate the beginning of an executable client-side script and is used in reflected input to create a cross-site scripting attack.

120
Q

Recently, a piece of malicious code was distributed over the internet in the form of software claiming to allow users to play Xbox games on their PCs. The software actually launched the malicious code on the machines of users who attempted to execute it. What type of malicious code does this describe?

A. Logic bomb
B. Virus
C. Trojan horse
D. Worm

A

C. Trojan horses masquerade as useful programs (such as a game) but really contain malicious code that runs in the background. Logic bombs contain malicious code that is executed if certain specified conditions are met. Worms are malicious code objects that spread under their own power, while viruses spread through some human intervention.