ISC2 CC
Question: Who are some of the typical threat actors in the context of cybersecurity? Can you list the various categories of threat actors and provide examples of each?
Answer: In the realm of cybersecurity, several categories of threat actors can be identified:
1. Insiders: individuals within an organization who may intentionally cause harm, make mistakes, or act negligently. Examples include disgruntled employees, contractors, or well-intentioned employees who accidentally trigger a security breach.
2. Outside individuals or informal groups: individuals or groups that may stumble upon vulnerabilities or actively plan attacks. Examples range from individual hackers to loosely organized hacking groups looking for opportunities to exploit.
3. Formal entities, nonpolitical: actors with financial or competitive motivations, such as cybercriminals and business competitors aiming to steal sensitive data for monetary gain.
4. Formal entities, political: nation-states, terrorists, and hacktivists. They may engage in cyberattacks for political, ideological, or strategic reasons.
5. Intelligence or information gatherers: actors who aim to collect valuable information from various sources. They can belong to any of the above categories, depending on their objectives.
6. Technology: automated systems such as free-running bots or artificial intelligence can also pose threats by exploiting vulnerabilities or engaging in malicious activities.
Tina is an (ISC)² member and is invited to join an online group of IT security enthusiasts. After attending a few online sessions, Tina learns that some participants in the group are sharing malware with each other, in order to use it against other organizations online. What should Tina do? (D1, L1.5.1) Question options: A) Nothing B) Stop participating in the group C) Report the group to law enforcement D) Report the group to (ISC)²
B is the best answer. The (ISC)² Code of Ethics requires that members "protect society, the common good, necessary public trust and confidence, and the infrastructure"; this would include a prohibition against disseminating and deploying malware for offensive purposes. However, the Code does not make (ISC)² members into law enforcement officers; there is no requirement to get involved in legal matters beyond the scope of personal responsibility. Tina should stop participating in the group, and perhaps (for Tina's own protection) document when participation started and stopped, but no other action is necessary on Tina's part.
All visitors to a secure facility should be _______. (D3, L3.2.1) Question options: A) Fingerprinted B) Photographed C) Escorted D) Required to wear protective equipment
C is correct. In a secure facility, visitors should be escorted by an authorized person. A is incorrect; it is not feasible to fingerprint every visitor to a facility. Moreover, it might not be legal, depending on the jurisdiction. B is incorrect; some facilities may be in jurisdictions that restrict the use of photographic surveillance in the workplace. D is incorrect; not all secure facilities require the use of protective equipment.
The senior leadership of Triffid Corporation decides that the best way to minimize liability for the company is to demonstrate the company's commitment to adopting best practices recognized throughout the industry. Triffid management issues a document that explains that Triffid will follow the best practices published by SANS, an industry body that addresses computer and information security. The Triffid document is a ______, and the SANS documents are ________. (D1, L1.4.2) Question options: A) Law, policy B) Policy, standard C) Policy, law D) Procedure, procedure
B is the correct answer. The Triffid document is a strategic, internal rule published by senior management; this is a policy. The SANS documents are industry best practices recognized globally; these are standards. A and C are incorrect, because neither document was issued by a governmental body, so they are not laws. D is incorrect because neither document is a detailed set of instructions, so they are not procedures.
Gary is unable to log in to the production environment. Gary tries three times and is then locked out of trying again for one hour. Why? (D3, L3.3.1) Question options: A) Gary is being punished B) The network is tired C) Users remember their credentials if they are given time to think about it D) Gary's actions look like an attack
Repeated login attempts can resemble an attack on the network; attackers might try to log in to a user's account multiple times, using different credentials, in a short time period, in an attempt to determine the proper credentials. D is correct. A is incorrect; security policies and processes are not intended to punish employees. B is incorrect; IT systems do not get tired. C is incorrect; the delay is not designed to help users remember credentials.
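As an added worked example (not part of the ISC2 material), the Python below implements the lockout behaviour the question describes: three failures lock the account for an hour, the right password is refused while the lock is active, and the lock expires on its own. The user name, password, hashing scheme and the injectable clock are constructed for the demonstration.

```python
"""Account lockout: lock a user out for a fixed period after repeated failed logins.

Added example (not from the ISC2 material). The user name, password and policy
values (3 attempts, 1 hour) are constructed to mirror the scenario in the question.
"""
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class LockoutPolicy:
    max_attempts: int = 3        # failures before the account is locked
    lockout_seconds: int = 3600  # how long the lock lasts


class LoginThrottle:
    """Tracks failed logins per user and enforces the lockout window."""

    def __init__(self, policy: LockoutPolicy, clock: Callable[[], float] = time.monotonic):
        self.policy = policy
        self.clock = clock                      # injectable so the behaviour can be tested
        self._failures: Dict[str, int] = {}
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, user: str) -> bool:
        until = self._locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:               # lock expired: reset counters
            del self._locked_until[user]
            self._failures.pop(user, None)
            return False
        return True

    def attempt(self, user: str, password: str, verify: Callable[[str, str], bool]) -> str:
        """Return "ok", "denied" or "locked". Locked accounts are refused even with the right password."""
        if self.is_locked(user):
            return "locked"
        if verify(user, password):
            self._failures.pop(user, None)      # a success clears the failure count
            return "ok"
        failures = self._failures.get(user, 0) + 1
        self._failures[user] = failures
        if failures >= self.policy.max_attempts:
            self._locked_until[user] = self.clock() + self.policy.lockout_seconds
            return "locked"
        return "denied"


class FakeClock:
    """Controllable clock so the one-hour lockout can be exercised instantly."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> List[str]:
    """Replay Gary's three bad attempts, a locked-out good attempt, and a retry after an hour."""
    # Constructed credential store. A real system would use a slow, salted hash
    # (bcrypt/scrypt/argon2) rather than plain SHA-256.
    store = {"gary": hashlib.sha256(b"correct horse").hexdigest()}

    def verify(user: str, password: str) -> bool:
        stored = store.get(user)
        if stored is None:
            return False
        candidate = hashlib.sha256(password.encode()).hexdigest()
        return hmac.compare_digest(stored, candidate)   # constant-time comparison

    clock = FakeClock()
    throttle = LoginThrottle(LockoutPolicy(max_attempts=3, lockout_seconds=3600), clock)
    outcomes = [throttle.attempt("gary", guess, verify) for guess in ("guess1", "guess2", "guess3")]
    outcomes.append(throttle.attempt("gary", "correct horse", verify))  # right password, still locked
    clock.advance(3600)
    outcomes.append(throttle.attempt("gary", "correct horse", verify))  # lock expired
    return outcomes


if __name__ == "__main__":
    print(demo())
```

A caveat for practitioners: per-account lockout is itself a denial-of-service lever, since anyone who knows a user name can lock that user out by failing three times; many deployments therefore throttle per source address or use progressive delays instead of, or alongside, a hard lock.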
Risk Acceptance
Risk acceptance is taking no action to reduce the likelihood of a risk occurring. Management may opt for conducting the business function that is associated with the risk without any further action on the part of the organization, either because the impact or likelihood of occurrence is negligible, or because the benefit is more than enough to offset that risk.
While taking the certification exam for this certification, you notice another candidate for the certification cheating. What should you do? (D1, L1.5.1) Question options: A) Nothing—each person is responsible for their own actions. B) Yell at the other candidate for violating test security. C) Report the candidate to (ISC)2. D) Call local law enforcement.
C is correct. The Preamble to the (ISC)2 Code of Ethics states that (ISC)2 membership "requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior." Cheating violates this standard, and (ISC)2 has enforcement mechanisms for ensuring that members and candidates comply with it.
Lower Layer
The lower layers are often referred to as the media layers (OSI Layers 1 to 3). They are responsible for receiving bits from the physical connection medium and assembling them into frames. Frames have standardized maximum sizes. Think of frames as buckets and the bits as water: if the buckets are sized similarly and the water is contained within them, the data can be transported in a controlled manner. At Layer 3, routing information (the source and destination IP addresses) is added to the data to create packets, and each packet then travels inside a frame across each link; in other words, an addressed parcel is placed in the bucket. Once the buckets are sorted and ready to go, the host layers (OSI Layers 4 to 7) take over.
Spoofing
Faking the sending address of a transmission to gain illegal entry into a secure system. CNSSI 4009-2015
Protocols
A set of rules (formats and procedures) to implement and control some type of association (that is, communication) between systems. NIST SP 800-82 Rev. 2
Oversized Packet Attack
Purposely sending a network packet that is larger than expected or larger than can be handled by the receiving system, causing the receiving system to fail unexpectedly.
Internet Protocol (IPv4)
Standard protocol for transmission of data from source to destinations in packet-switched communications networks and interconnected systems of such networks. CNSSI 4009-2015
Hybrid cloud
A combination of public cloud storage and private cloud storage where some critical data resides in the enterprise's private cloud while other data is stored and accessible from a public cloud storage provider.
Server
A computer that provides information to other computers.
Firewall
A device that filters network traffic based on a defined set of rules.
Switch
A device that forwards traffic only to the port of a known destination device.
Cloud computing
A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. NIST 800-145
Application programming interface (API)
A set of routines, standards, protocols, and tools for building software applications to access a web-based software application or web tool.
Ethernet
A standard that defines wired communications of networked devices.
VLAN
A virtual local area network (VLAN) is a logical group of workstations, servers, and network devices that appear to be on the same LAN despite their geographical distribution.
MAC Address
Physical (Layer 2) address that uniquely identifies a network interface; the first three octets (the OUI) denote the vendor or manufacturer of the interface.
Internet Control Message Protocol (ICMP)
An IP network protocol standardized by the Internet Engineering Task Force (IETF) in RFC 792, used for error reporting and diagnostics; for example, the ping utility uses ICMP echo messages to determine whether a host is reachable.
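Added example, not from the ISC2 material: the Python below builds one constructed Ethernet frame carrying an IPv4 packet carrying an ICMP echo request, then decodes it layer by layer, pulling the MAC addresses and vendor OUI out of the frame header, the IP addresses and length out of the packet header, and the type/code out of the ICMP message. It ties together the Lower Layer, MAC Address and ICMP entries above. The addresses and payload are constructed (RFC 5737 documentation ranges); the header layouts are the standard ones from IEEE 802.3, RFC 791 and RFC 792.

```python
"""Decode a constructed Ethernet frame carrying an IPv4 packet carrying an ICMP echo request.

Added example (not from the ISC2 material). The MAC addresses, IP addresses and
payload are constructed; the header layouts follow IEEE 802.3, RFC 791 and RFC 792.
"""
import ipaddress
import struct
from typing import Dict

ETHERTYPE_IPV4 = 0x0800
PROTO_ICMP = 1
ICMP_ECHO_REQUEST = 8


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum used by both the IPv4 header and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_str(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def parse_ethernet(frame: bytes) -> Dict:
    """Layer 2: 6-byte destination MAC, 6-byte source MAC, 2-byte EtherType, then payload."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {
        "dst_mac": mac_str(dst),
        "src_mac": mac_str(src),
        "src_oui": mac_str(src[:3]),   # first three octets identify the interface vendor
        "ethertype": ethertype,
        "payload": frame[14:],         # the encapsulated packet
    }


def parse_ipv4(packet: bytes) -> Dict:
    """Layer 3: fixed 20-byte header (options ignored here) followed by the payload."""
    if len(packet) < 20:
        raise ValueError("packet too short for an IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4:
        raise ValueError("not an IPv4 packet")
    # A receiver must not trust the length fields blindly (see oversized-packet attacks).
    if ihl < 20 or total_len < ihl or total_len > len(packet):
        raise ValueError("IPv4 length fields inconsistent with bytes received")
    return {
        "total_len": total_len,
        "ttl": ttl,
        "protocol": proto,
        "src_ip": str(ipaddress.IPv4Address(src)),
        "dst_ip": str(ipaddress.IPv4Address(dst)),
        "header_ok": internet_checksum(packet[:ihl]) == 0,   # a valid header sums to zero
        "payload": packet[ihl:total_len],
    }


def parse_icmp(segment: bytes) -> Dict:
    """ICMP: 1-byte type, 1-byte code, 2-byte checksum, then type-specific fields."""
    if len(segment) < 4:
        raise ValueError("ICMP message too short")
    icmp_type, code, _csum = struct.unpack("!BBH", segment[:4])
    return {"type": icmp_type, "code": code, "checksum_ok": internet_checksum(segment) == 0}


def decode_frame(frame: bytes) -> Dict:
    """Walk down the encapsulation: frame -> packet -> ICMP message."""
    eth = parse_ethernet(frame)
    result = {"eth": eth}
    if eth["ethertype"] == ETHERTYPE_IPV4:
        ip = parse_ipv4(eth["payload"])
        result["ip"] = ip
        if ip["protocol"] == PROTO_ICMP:
            result["icmp"] = parse_icmp(ip["payload"])
    return result


def build_sample_frame() -> bytes:
    """Constructed ping from 192.0.2.10 to 198.51.100.7 (RFC 5737 documentation addresses)."""
    body = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, 0x1234, 1) + b"ping"
    icmp = body[:2] + struct.pack("!H", internet_checksum(body)) + body[4:]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0xABCD, 0x4000, 64,
                      PROTO_ICMP, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    ip_hdr = hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]
    eth_hdr = struct.pack("!6s6sH", bytes.fromhex("001122334455"),
                          bytes.fromhex("0050569abcde"), ETHERTYPE_IPV4)
    return eth_hdr + ip_hdr + icmp


if __name__ == "__main__":
    print(decode_frame(build_sample_frame()))
```

Note the encapsulation order: the packet sits inside the frame, not the other way round, and a careful receiver checks that the lengths claimed in each header fit the bytes it actually has before trusting them.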
Glen is an (ISC)² member. Glen receives an email from a company offering a set of answers for an (ISC)² certification exam. What should Glen do? (D1, L1.5.1) Question options: A) Nothing B) Inform (ISC)² C) Inform law enforcement D) Inform Glen's employer
B is correct. The (ISC)² Code of Ethics requires that members "advance and protect the profession"; this includes protecting test security for (ISC)² certification material. (ISC)² (and every (ISC)² member) has a vested interest in protecting test material, and countering any entity that is trying to undermine the validity of the certifications. This is, however, not a matter for law enforcement; if it turns out that law enforcement must be involved, (ISC)² will initiate that activity. Glen's employer has no bearing on this matter.
By far, the most crucial element of any security instruction program. (D5.4, L5.4.1) Question options: A) Protect assets B) Preserve health and human safety C) Ensure availability of IT systems D) Preserve shareholder value
B is correct: This is the paramount rule in all security efforts. A, C and D are incorrect; these are goals of the security instruction program, but all are secondary to B.
Which of the following would be best placed in the DMZ of an IT environment? (D4.3 L4.3.3) Question options: A) User's workplace laptop B) Mail server C) Database engine D) SIEM log storage
B is correct; devices that must often interact with the external environment (such as a mail server) are typically best situated in the DMZ. A, C and D are incorrect; devices that contain sensitive or valuable information are typically best placed well inside the perimeter of the IT environment, away from the external world and the DMZ.
Of the following, which would probably not be considered a threat? (D1, L1.2.1) Question options: A) Natural disaster B) Unintentional damage to the system caused by a user C) A laptop with sensitive data on it D) An external attacker trying to gain unauthorized access to the environment
C is correct. A laptop, and the data on it, are assets, not threats. All the other answers are examples of threats, as they all have the potential to cause adverse impact to the organization and the organization's assets.
Cloud computing
Cloud computing is usually associated with an internet-based set of computing resources, typically sold as a service and provided by a cloud service provider (CSP). Cloud computing is very similar to the electrical power grid: electricity is generated in some location, by means that are not necessarily obvious to the consumer, but when you want electricity it is available to you via a common standard interface and you pay only for what you use. In these ways cloud computing is very similar. It is a highly scalable, elastic and easy-to-use "utility" for the provisioning and deployment of information technology (IT) services. There are various definitions of what cloud computing means according to the leading standards bodies, including NIST. The NIST definition is commonly used around the globe, cited by professionals and others alike to clarify what the term "cloud" means: "a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (such as networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction." NIST SP 800-145. The essential characteristics, service models and deployment models from that definition are covered in this section.
Software
Computer programs and associated data that may be dynamically written or modified during execution. NIST SP 800-37 Rev. 2
Which of the following is not a source of redundant power (D4, L4.3.1): A. HVAC B. Generator C. Utility D. UPS
A is correct. HVAC is not a source of redundant power; it is something that needs to be protected by a redundant power supply, which is what the other three options provide. What happens if the HVAC system breaks and equipment gets too hot? If the temperature in the data center rises too far, the servers may shut down or fail sooner than expected, which presents a risk that data will be lost. So HVAC is another system that requires redundancy in order to reduce the risk of data loss, but it is not itself a source of redundant power.
A security solution installed on an endpoint in order to detect potentially anomalous activity. (D4.2 L4.2.2) Question options: A) Router B) Host-based intrusion prevention system C) Switch D) Security incident and event management system (SIEM)
B is correct. A HIPS is installed on an endpoint to detect potentially harmful activity. A, C and D are incorrect; routers and switches are network devices, and a SIEM collects and correlates logs centrally rather than running on the endpoint itself.
Which of the following is an example of a "something you are" authentication factor? (D1, L1.1.1) Question options: A) A credit card presented to a cash machine B) Your password and PIN C) A user ID D) A photograph of your face
D is correct. A facial photograph is something you are—your appearance. A is incorrect because a credit card is an example of an authentication factor that is something you have. B is incorrect because passwords and PINs are examples of authentication factors that are something you know. C is incorrect because a user ID is an identity assertion, not an authentication factor.
Defense in Depth
Defense in depth uses multiple types of access controls in literal or theoretical layers to help an organization avoid a monolithic security stance.
A cloud arrangement whereby the provider owns and manages the hardware, operating system, and applications in the cloud, and the customer owns the data. (D4.3 L4.3.2) Question options: A) Infrastructure as a service (IaaS) B) Morphing as a service (MaaS) C) Platform as a service (PaaS) D) Software as a service (SaaS)
D is correct. In software as a service (SaaS), the provider owns and manages the hardware, operating system and applications; the customer owns only the data it puts into the service. A is incorrect; in IaaS the customer manages the operating system and applications on top of the provider's infrastructure. B is incorrect; "morphing as a service" is not a cloud service model. C is incorrect; in PaaS the customer typically owns the applications.
Fire Suppression
For server rooms, appropriate fire detection and suppression must be considered based on the size of the room, typical human occupation, egress routes and the risk of damage to equipment. For example, water-based fire suppression would itself damage servers and other electronic components. Gas-based fire suppression systems are more friendly to the electronics but can be toxic to humans, which is why occupancy and egress routes matter.
Common network device used to connect networks. (D4.1 L4.1.1) Question options: A) Server B) Endpoint C) Router D) Switch
C is correct. Routers are used to connect networks. A, B and D are incorrect; a server and an endpoint are hosts on a network, and a switch connects devices within a network rather than connecting networks to each other.
A portion of the organization's network that interfaces directly with the outside world; typically, this exposed area has more security controls and restrictions than the rest of the internal IT environment. (D4.3 L4.3.3) Question options: A) National Institute of Standards and Technology (NIST) B) Demilitarized zone (DMZ) C) Virtual private network (VPN) D) Virtual local area network (VLAN)
B is correct. DMZ is the term we typically use to describe an outward-facing portion of the IT environment owned by an organization. A is incorrect; NIST is a standards body. C and D are incorrect; a VPN is a secure communications mechanism between networks, and a VLAN logically segments a network.
Hubs
Hubs are used to connect multiple devices in a network. They're less likely to be seen in business or corporate networks than in home networks. Hubs are wired devices and are not as smart as switches or routers.
Transmission Control Protocol/Internet Protocol (TCP/IP) Model
Internetworking protocol model created by the IETF, which specifies four layers of functionality: Link Layer (physical communications), Internet Layer (network-to-network communication), Transport Layer (basic channels for connection-oriented and connectionless exchange of data between hosts), and Application Layer, where other protocols and user application programs make use of network services.
IP Address
Logical address representing the network interface.
Network Design
The objective of network design is to satisfy data communication requirements and result in efficient overall performance. Several elements are considered when planning for security in a network, including segmentation (DMZs and VLANs), defense in depth, zero trust and firewall placement; each is described in its own entry in these notes.
Packet
Representation of data at Layer 3 of the Open Systems Interconnection (OSI) model.
Security of the Network
TCP/IP's vulnerabilities are numerous. Improperly implemented TCP/IP stacks in various operating systems are vulnerable to DoS/DDoS attacks, fragment attacks, oversized packet attacks, spoofing attacks and man-in-the-middle attacks. TCP/IP (like most protocols) is also subject to passive attacks via monitoring or sniffing. Network monitoring, or sniffing, is the act of monitoring traffic patterns to obtain information about a network.
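Added example (not from the ISC2 material) covering the oversized-packet and fragment attacks named in the Oversized Packet Attack entry and in this section: the Python below takes the fragment records a receiver would have after parsing IPv4 headers and checks each datagram for a reassembled size above 65535 bytes, overlapping fragments, and malformed or incomplete sets, before any reassembly is attempted. The three fragment sets are constructed.

```python
"""Sanity-check IPv4 fragment sets for oversized and overlapping reassembly.

Added example (not from the ISC2 material). The fragment records are constructed;
a real implementation would take them from parsed IPv4 headers (Identification,
Fragment Offset in 8-byte units, the More Fragments flag and the payload length).
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple

IPV4_MAX_DATAGRAM = 65535   # the Total Length field is 16 bits


class Fragment(NamedTuple):
    ident: int          # IPv4 Identification: all fragments of one datagram share it
    offset_units: int   # Fragment Offset field, in 8-byte units
    more: bool          # More Fragments flag
    payload_len: int    # bytes of payload in this fragment


def check_datagram(frags: List[Fragment]) -> List[str]:
    """Return findings for the fragments of one datagram (empty list = looks sane)."""
    findings: List[str] = []
    ordered = sorted(frags, key=lambda f: f.offset_units)
    prev_end = 0
    for f in ordered:
        start = f.offset_units * 8
        end = start + f.payload_len
        if end > IPV4_MAX_DATAGRAM:
            findings.append("oversized: fragment ends at byte %d > %d" % (end, IPV4_MAX_DATAGRAM))
        if start < prev_end:
            findings.append("overlap: fragment at byte %d overlaps data ending at %d" % (start, prev_end))
        if f.more and f.payload_len % 8:
            findings.append("malformed: non-final fragment length %d not a multiple of 8" % f.payload_len)
        prev_end = max(prev_end, end)
    if ordered and ordered[-1].more:
        findings.append("incomplete: no final fragment seen")
    return findings


def audit(fragments: List[Fragment]) -> Dict[int, List[str]]:
    """Group fragments by Identification and check each datagram."""
    groups: Dict[int, List[Fragment]] = defaultdict(list)
    for f in fragments:
        groups[f.ident].append(f)
    return {ident: check_datagram(frags) for ident, frags in groups.items()}


# Constructed traffic: one normal fragmented datagram and two malicious sets.
SAMPLE = [
    # ident 1: a 2000-byte datagram split over a 1500-byte MTU -- benign
    Fragment(1, 0, True, 1480),
    Fragment(1, 185, False, 520),           # 185 * 8 = 1480
    # ident 2: "ping of death" style -- final fragment pushes the total past 65535
    Fragment(2, 0, True, 1480),
    Fragment(2, 8190, False, 100),          # 8190 * 8 + 100 = 65620
    # ident 3: "teardrop" style -- second fragment lands inside the first
    Fragment(3, 0, True, 1480),
    Fragment(3, 100, False, 400),           # 100 * 8 = 800 < 1480
]

if __name__ == "__main__":
    for ident, findings in audit(SAMPLE).items():
        print(ident, findings or "ok")
```

The safe response to any finding is to drop the whole datagram rather than attempt reassembly; the historical crashes came from stacks that allocated or copied based on the claimed offsets and lengths first and checked afterwards.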
Byte
The byte is a unit of digital information that most commonly consists of eight bits.
Software as a Service (SaaS)
The cloud customer uses the cloud provider's applications running within a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings. Derived from NIST 800-145
Zenmap
The graphical user interface (GUI) for the Nmap Security Scanner, an open-source application that scans networks to discover the hosts connected to them and the open ports, running services and operating systems on those hosts.
Private cloud
The phrase used to describe a cloud computing platform that is implemented within the corporate firewall, under the control of the IT department. A private cloud is designed to offer the same features and benefits of cloud systems, but removes a number of objections to the cloud computing model, including control over enterprise and customer data, worries about security, and issues connected to regulatory compliance.
Hardware
The physical parts of a computer and related devices.
Denial-of-Service (DoS)
The prevention of authorized access to resources or the delaying of time-critical operations. (Time-critical may be milliseconds or it may be hours, depending upon the service provided.) Source: NIST SP 800-27 Rev A
Payload
The primary action of a malicious code attack.
Encryption
The process and act of converting the message from its plaintext to ciphertext. Sometimes it is also referred to as enciphering. The two terms are sometimes used interchangeably in literature and have similar meanings.
VLANs (Virtual Local Area Network)
VLANs are created by switches to logically segment a network without altering its physical topology.
A VLAN is a _____ method of segmenting networks. (D4.3 L4.3.3) Question options: A) Secret B) Physical C) Regulated D) Logical
VLANs use logical mechanisms to segment networks. D is the correct answer. A, B and C are incorrect; VLAN segmentation is logical rather than physical, and it is neither secret nor regulated.
VPN
A virtual private network (VPN) is built on top of existing networks and provides a secure communications mechanism (an authenticated, encrypted tunnel) for transmission between networks, or between a remote host and a network.
Zero Trust
Removing the design belief that the network has any trusted space. Security is managed at each possible level, representing the most granular asset. Microsegmentation of workloads is a tool of the model.
"Wiring _____" is a common term meaning "a place where wires/conduits are often run, and equipment can be placed, in order to facilitate the use of local networks." (D4.3 L4.3.1) Question options: A) Shelf B) Closet C) Bracket D) House
B is correct. "Wiring closet" is the common term used to describe the small spaces, typically placed on each floor of a building, where IT infrastructure can be placed. A, C and D are incorrect; these are not common terms used in this manner.
Which of the following probably poses the most risk? (D1, L1.2.1) Question options: A) A high-likelihood, high-impact event B) A high-likelihood, low-impact event C) A low-likelihood, high-impact event D) A low-likelihood, low-impact event
A is correct. An event that has a significant probability of occurring ("high-likelihood") and also has a severe negative consequence ("high-impact") poses the most risk. The other answers all pose less risk, because either the likelihood or the impact is described as "low." This is not to say that these risks can be dismissed, only that they are less significant than the risk posed by answer A.
Triffid, Inc., wants to host streaming video files for the company's remote users, but wants to ensure the data is protected while it's streaming. Which of the following methods are probably best for this purpose? (D5.1, L5.1.3) Question options: A) Symmetric encryption B) Hashing C) Asymmetric encryption D) VLANs
A is the correct answer; symmetric encryption offers confidentiality of data with the least amount of processing overhead, which makes it the preferred means of protecting streaming data. B is incorrect; hashing would not provide confidentiality of the data. C is incorrect; asymmetric encryption requires more processing overhead than symmetric encryption, and is therefore not preferable for streaming purposes. D is incorrect; VLANs are useful for logical segmentation of networks, but do not serve a purpose for streaming data to remote users.
Question: What is meant by the term "Threat Vector"?
Answer: In cybersecurity, a "Threat Vector" refers to the specific means or path by which a threat actor accomplishes their objectives. It encompasses the methods, techniques, and routes used to exploit vulnerabilities and compromise security. Understanding threat vectors is crucial for devising effective countermeasures and safeguards against potential cyberattacks.
Archiving is typically done when _________. (D5.1, L5.1.1) Question options: A) Data is ready to be destroyed B) Data has lost all value C) Data is not needed for regular work purposes D) Data has become illegal
Archiving is the action of moving data from the production environment to long-term storage. C is the correct answer. Archived data still has value and is not ready to be destroyed; it is just not used on a regular basis. Illegal data should not be in the environment at all.
Visitors to a secure facility need to be controlled. Controls useful for managing visitors include all of the following except: (D3, L3.2.1) Question options: A) Sign-in sheet/tracking log B) Fence C) Badges that differ from employee badges D) Receptionist
B is the best answer. A fence is useful for controlling visitors, authorized users and potential intruders. This is the only control listed among the possible answers that is not specific to visitors. A, C and D are all controls that should be used to manage visitors.
The section of the IT environment that is closest to the external world; where we locate IT systems that communicate with the Internet. (D4.3 L4.3.3) Question options: A) VLAN B) DMZ C) MAC D) RBAC
B is the correct answer; we often call this portion of the environment the "demilitarized zone." A is incorrect; a VLAN is a way to segment portions of the internal network. C is incorrect; MAC is the physical address of a given networked device. D is incorrect; RBAC is an access control model.
When a company chooses to ignore a risk and proceed with a risky activity, which treatment is being applied by default? (D1, L1.2.2) Question options: A) Mitigation B) Avoidance C) Acceptance D) Transference
C is correct. Acceptance is choosing to ignore a risk and proceed with the risky activity. A is incorrect; mitigation involves taking action to remove or lessen the effects of risks. B is incorrect; avoidance is halting the risky activity. D is incorrect; transference is shifting the risk via legal agreement, usually to another party such as a service or insurance provider.
Guillermo is the system administrator for a midsized retail organization. Guillermo has been tasked with writing a document that describes, step-by-step, how to securely install the operating system on a new laptop. This document is an example of a ________. (D1, L1.4.1) Question options: A) Policy B) Standard C) Procedure D) Guideline
C is correct. A procedure (sometimes referred to as a "process" document) is a step-by-step description of how to perform an action. It is usually written by the office or person who performs that action on a regular basis.
The concept of "secrecy" is most related to which foundational aspect of security? (D1, L1.1.1) Question options: A) Confidentiality B) Integrity C) Availability D) Plausibility
A is correct. Confidentiality is about limiting access to information and assets and is therefore most similar to secrecy.
Which of the following is NOT one of the four typical ways of managing risk? (D1, L1.2.1) Question options: A) Avoid B) Accept C) Mitigate D) Conflate
D is correct. Conflate is not a term used to describe a way to manage risk; the four typical treatments are avoidance, acceptance, mitigation and transference.
Siobhan is deciding whether to make a purchase online; the vendor wants Siobhan to create a new user account, and is requesting Siobhan's full name, home address, credit card number, phone number, email address, the ability to send marketing messages to Siobhan, and permission to share this data with other vendors. Siobhan decides that the item for sale is not worth the value of Siobhan's personal information, and decides not to make the purchase. What kind of risk management approach did Siobhan take? (D1, L1.2.2) Question options: A) Avoidance B) Acceptance C) Mitigation D) Transfer
A is correct. This is an example of avoidance; in order to avoid the risk of unauthorized use of the personal data, Siobhan chose not to engage in the activity at all.
What is meant by non-repudiation? (D1, L1.1.1) Question options: A) If a user does something, they can't later claim that they didn't do it. B) Controls to protect the organization's reputation from harm due to inappropriate social media postings by employees, even if on their private accounts and personal time. C) It is part of the rules set by administrative controls. D) It is a security feature that prevents session replay attacks.
A is correct. To repudiate means to attempt to deny after the fact, to lie about one's actions; non-repudiation means a user cannot credibly deny an action they performed.
Firewall
Firewalls are essential tools in managing and controlling network traffic and protecting the network. A firewall is a network device used to filter traffic. It is typically deployed between a private network and the internet, but it can also be deployed between departments (segmented networks) within an organization (overall network). Firewalls filter traffic based on a defined set of rules, also called filters or access control lists.
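Added example (not from the ISC2 material): a first-match packet filter in Python with the implicit default deny that real firewalls apply, run over constructed traffic for a constructed layout (the Internet, a DMZ holding a mail server, an internal network holding a database). It also shows how rule order changes the verdict. Addresses use the RFC 5737 documentation ranges and RFC 1918 space.

```python
"""Ordered, first-match packet filter with an implicit default deny.

Added example (not from the ISC2 material). The network layout (Internet, a DMZ
198.51.100.0/24 holding a mail server, an internal 10.0.0.0/8 holding a database)
and the rule set are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")
DMZ = ipaddress.ip_network("198.51.100.0/24")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
MAIL_SERVER = ipaddress.ip_network("198.51.100.25/32")


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                      # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]            # None matches any destination port
    comment: str


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    return (ipaddress.ip_address(pkt.src) in rule.src
            and ipaddress.ip_address(pkt.dst) in rule.dst
            and rule.proto in ("any", pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching rule wins; anything unmatched is denied."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.comment
    return "deny", "implicit default deny"


# Constructed perimeter rule set. Order matters: the explicit DMZ -> internal deny
# sits above the rule that lets the mail server send mail outward.
RULES = [
    Rule("allow", ANY, MAIL_SERVER, "tcp", 25, "inbound SMTP to the DMZ mail server"),
    Rule("deny", DMZ, INTERNAL, "any", None, "DMZ hosts may not initiate into the internal network"),
    Rule("allow", DMZ, ANY, "tcp", 25, "mail server delivering outbound mail"),
    Rule("allow", INTERNAL, ANY, "tcp", 443, "internal users browsing out"),
]

SAMPLE_TRAFFIC = [
    Packet("203.0.113.9", "198.51.100.25", "tcp", 25),    # Internet -> mail server, SMTP
    Packet("203.0.113.9", "198.51.100.25", "tcp", 22),    # Internet -> mail server, SSH
    Packet("203.0.113.9", "10.0.5.20", "tcp", 1433),      # Internet -> internal database
    Packet("198.51.100.25", "10.0.5.20", "tcp", 1433),    # compromised mail server -> database
    Packet("198.51.100.25", "10.0.5.10", "tcp", 25),      # mail server -> internal host, port 25
    Packet("198.51.100.25", "203.0.113.50", "tcp", 25),   # mail server -> Internet, outbound mail
    Packet("10.0.1.5", "203.0.113.80", "tcp", 443),       # internal user -> web
]


def run(rules: List[Rule], traffic: List[Packet]) -> List[str]:
    """Verdict for each packet, in order."""
    return [evaluate(rules, p)[0] for p in traffic]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_TRAFFIC, run(RULES, SAMPLE_TRAFFIC)):
        print(verdict.upper(), pkt)
```

The fifth packet is the instructive one: the mail server is allowed to speak SMTP outward, but because the DMZ-to-internal deny is evaluated first, it cannot use that permission to reach an internal host on port 25. Swap those two rules and the same packet is allowed.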
Switch
Rather than using a hub, you might consider using a switch, sometimes called an intelligent hub. Switches are wired devices that learn the addresses of the devices connected to them and forward traffic only to that port/device rather than retransmitting it to all devices. Offering greater efficiency for traffic delivery and improving the overall throughput of data, switches are smarter than hubs, but not as smart as routers. Switches can also create separate broadcast domains when used to create VLANs, which are discussed later.
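Added example (not from the ISC2 material): a small simulation in Python contrasting a hub, which repeats every frame to all other ports, with a learning switch that records which port each source MAC arrived on, forwards known destinations only to that port, and floods unknown or broadcast frames only within the port's VLAN. Port numbers, VLAN IDs and MAC addresses are constructed.

```python
"""Hub vs. learning switch with VLANs, simulated on constructed frames.

Added example (not from the ISC2 material). Port numbers, VLAN IDs and MAC
addresses are constructed.
"""
from typing import Dict, List, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Hub:
    """Repeats every frame to every other port: no addresses learned, no isolation."""

    def __init__(self, ports: List[int]):
        self.ports = ports

    def receive(self, in_port: int, src_mac: str, dst_mac: str) -> List[int]:
        return [p for p in self.ports if p != in_port]


class LearningSwitch:
    """Learns which port each source MAC lives on and forwards only there.

    Unknown or broadcast destinations are flooded, but only to ports in the
    same VLAN, so each VLAN is its own broadcast domain.
    """

    def __init__(self, port_vlan: Dict[int, int]):
        self.port_vlan = port_vlan                       # port -> VLAN ID
        self.table: Dict[Tuple[int, str], int] = {}      # (vlan, mac) -> port

    def receive(self, in_port: int, src_mac: str, dst_mac: str) -> List[int]:
        vlan = self.port_vlan[in_port]
        self.table[(vlan, src_mac)] = in_port            # learn (or refresh) the source
        out_port = self.table.get((vlan, dst_mac))
        if dst_mac == BROADCAST or out_port is None:
            return [p for p, v in sorted(self.port_vlan.items()) if v == vlan and p != in_port]
        return [] if out_port == in_port else [out_port]


A, B, C = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"


def demo() -> Dict[str, List[List[int]]]:
    """A and B sit on ports 1-2 (VLAN 10); C sits on port 3 and port 4 is empty (VLAN 20)."""
    hub = Hub([1, 2, 3, 4])
    sw = LearningSwitch({1: 10, 2: 10, 3: 20, 4: 20})
    return {
        "hub": [hub.receive(1, A, B)],                   # everyone hears it
        "switch": [
            sw.receive(1, A, B),          # B unknown: flood, but only within VLAN 10 -> [2]
            sw.receive(2, B, A),          # A already learned on port 1 -> [1]
            sw.receive(1, A, B),          # B now learned on port 2 -> [2]
            sw.receive(1, A, C),          # C is in VLAN 20: never reachable from VLAN 10 -> [2]
            sw.receive(3, C, BROADCAST),  # broadcast stays inside VLAN 20 -> [4]
        ],
    }


if __name__ == "__main__":
    print(demo())
```

Note what the switch does before it has learned an address: it floods, so early frames are visible to every host in the VLAN, and an attacker who overflows the address table (MAC flooding) can push a switch back into that hub-like behaviour.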
Risk Avoidance
Risk avoidance is the decision to attempt to eliminate the risk entirely. This could include ceasing operation for some or all of the activities of the organization that are exposed to a particular risk. Organization leadership may choose risk avoidance when the potential impact of a given risk is too high or if the likelihood of the risk being realized is simply too great.
In risk management concepts, a(n) _________ is something a security practitioner might need to protect. (D1, L1.2.1) Question options: A) Vulnerability B) Asset C) Threat D) Likelihood
B is correct. An asset is anything with value, and a security practitioner may need to protect assets. A, C, and D are incorrect because vulnerabilities, threats and likelihood are terms associated with risk concepts, but are not things that a practitioner would protect.
Network traffic originating from outside the organization might be admitted to the internal IT environment or blocked at the perimeter by a ________. (D3, L3.2.1) Question options: A) Turnstile B) Fence C) Vacuum D) Firewall
A firewall is a solution used to filter traffic between networks, including between the internal environment and the outside world. D is the correct answer. A and B are incorrect; a turnstile and a fence are physical access control mechanisms. C is incorrect; a vacuum does not affect network traffic, and the term is used here only as a distractor.
Server
A server is a computer that provides information to other computers on a network. Some common servers are web servers, email servers, print servers, database servers and file servers. All of these are, by design, networked and accessed in some way by a client computer. Servers are usually secured differently than workstations to protect the information they contain.
Garfield is a security analyst at Triffid, Inc. Garfield notices that a particular application in the production environment is being copied very quickly, across systems and devices utilized by many users. What kind of attack could this be? (D4.2 L4.2.1) Question options: A) Spoofing B) Side channel C) Trojan D) Worm
Activity of this type, where an application or file is replicating rapidly across an entire environment, is often indicative of a worm. D is correct. A is incorrect; spoofing is the faking of an address or identity, not the replication of an application. B is incorrect; a side-channel attack is typically entirely passive. C is incorrect; while a Trojan horse might be used to introduce a worm to the environment, not all Trojans are worms.
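Added example (not from the ISC2 material): detection logic in Python for the pattern Garfield observed, a file with one hash being created on many hosts within a short window. Run over constructed endpoint file-creation events, it alerts on the fast spread, ignores a document shared by two users, and ignores a patch rolled out slowly. The telemetry format, host names, paths and thresholds are constructed.

```python
"""Flag a file hash that appears on many hosts within a short window.

Added example (not from the ISC2 material). The event records are constructed
to look like endpoint file-creation telemetry (timestamp, host, SHA-256, path).
"""
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List, Tuple

Event = Tuple[int, str, str, str]   # (unix_ts, host, sha256, path)


def detect_rapid_spread(events: Iterable[Event], min_hosts: int = 5, window_s: int = 300) -> List[Dict]:
    """Alert once per hash when it is created on >= min_hosts distinct hosts within window_s seconds."""
    recent: Dict[str, Deque[Tuple[int, str]]] = defaultdict(deque)
    alerted = set()
    alerts: List[Dict] = []
    for ts, host, digest, path in sorted(events):
        window = recent[digest]
        window.append((ts, host))
        while window and ts - window[0][0] > window_s:   # slide the window forward
            window.popleft()
        hosts = {h for _, h in window}
        if len(hosts) >= min_hosts and digest not in alerted:
            alerted.add(digest)
            alerts.append({
                "sha256": digest,
                "hosts": sorted(hosts),
                "first_seen": window[0][0],
                "last_seen": ts,
                "example_path": path,
            })
    return alerts


BASE = 1_700_000_000
SAMPLE_EVENTS: List[Event] = []
# Constructed: a shared spreadsheet saved on two hosts -- normal collaboration
SAMPLE_EVENTS += [(BASE + 10, "ws01", "a" * 64, r"C:\Users\ann\budget.xlsx"),
                  (BASE + 50, "ws02", "a" * 64, r"C:\Users\bob\budget.xlsx")]
# Constructed: the same binary appearing on six workstations within 100 seconds
SAMPLE_EVENTS += [(BASE + 20 * i, "ws%02d" % (i + 1), "b" * 64, r"C:\Windows\Temp\svc.exe")
                  for i in range(6)]
# Constructed: a patch rolled out to six servers, one every 30 minutes -- slow, outside the window
SAMPLE_EVENTS += [(BASE + 1800 * i, "srv%02d" % (i + 1), "c" * 64, r"C:\Program Files\patch.msi")
                  for i in range(6)]

if __name__ == "__main__":
    for alert in detect_rapid_spread(SAMPLE_EVENTS):
        print(alert["sha256"][:12], alert["hosts"], alert["last_seen"] - alert["first_seen"], "s")
```

Tuning caveat: widen the window to several hours and the slow patch rollout trips the same rule, so a legitimate software push and a worm look alike to this heuristic. Correlate with change records or deployment tooling before declaring an incident.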
Question: What is the role of security professionals in operational risk management? How do they utilize risk data and communicate findings to stakeholders? Can you explain the meanings of terms like assets, vulnerabilities, threats, and risk in the context of cybersecurity?
Answer: Security professionals play a vital role in operational risk management by leveraging their expertise to assess potential risks. They analyze and interpret risk data to make informed decisions, collaborating across departments to convey actionable insights to the relevant stakeholders. In the realm of cybersecurity:
• Assets: an asset is something that requires safeguarding, often digital resources or sensitive information.
• Vulnerabilities: weaknesses or gaps in security measures that leave assets susceptible to threats.
• Threats: entities or circumstances that could exploit vulnerabilities and compromise the security of assets; a threat actor may intend harm, but accidents and natural events are threats too.
• Risk: risk arises at the intersection of assets, vulnerabilities, and threats, representing the potential for harm to assets due to existing vulnerabilities and looming threats.
A vendor sells a particular operating system (OS). In order to deploy the OS securely on different platforms, the vendor publishes several sets of instructions on how to install it, depending on which platform the customer is using. This is an example of a ________. (D1, L1.4.2) Question options: A) Law B) Procedure C) Standard D) Policy
B is correct. This is a set of instructions to perform a particular task, so it is a procedure (several procedures, actually—one for each platform). A is incorrect; the instructions are not a governmental mandate. C is incorrect, because the instructions are particular to a specific product, not accepted throughout the industry. D is incorrect, because the instructions are not particular to a given organization.
Data _____ is data left behind on systems/media after normal deletion procedures have been attempted. (D5.1, L5.1.1) Question options: A) Fragments B) Packets C) Remanence D) Residue
C is correct. Data remanence is the term used to describe data left behind on systems/media after normal deletion procedures have been attempted.
The Payment Card Industry (PCI) Council is a committee made up of representatives from major credit card providers (Visa, Mastercard, American Express) in the United States. The PCI Council issues rules that merchants must follow if the merchants choose to accept payment via credit card. These rules describe best practices for securing credit card processing technology, activities for securing credit card information, and how to protect customers' personal data. This set of rules is a _____. (D1, L1.4.2) Question options: A) Law B) Policy C) Standard D) Procedure
C is correct. This set of rules is known as the Data Security Standard, and it is accepted throughout the industry. A is incorrect, because this set of rules was not issued by a governmental body. B is incorrect, because the set of rules is not a strategic, internal document published by senior leadership of a single organization. D is incorrect, because the set of rules is not internal to a given organization and is not limited to a single activity.
The city of Grampon wants to know where all its public vehicles (garbage trucks, police cars, etc.) are at all times, so the city has GPS transmitters installed in all the vehicles. What kind of control is this? (D1, L1.3.1) Question options: A) Administrative B) Entrenched C) Physical D) Technical
D is correct. A GPS unit is part of the IT environment, so this is a technical control. A is incorrect. The GPS unit itself is not a rule or a policy or a process; it is part of the IT environment, so D is a better answer. B is incorrect; "entrenched" is not a term commonly used to describe a particular type of security control, and is used here only as a distractor. C is incorrect; while a GPS unit is a tangible object, it is also part of the IT environment, and it does not interact directly with other physical objects in order to prevent action, so "technical" is a better descriptor, and D is a better answer.
Endpoint
Endpoints are the ends of a network communication link. One end is often at a server where a resource resides, and the other end is often a client making a request to use a network resource. An endpoint can be another server, desktop workstation, laptop, tablet, mobile phone or any other end user device.
If two people want to use asymmetric communication to conduct a confidential conversation, how many keys do they need? (D5.1, L5.1.2) Question options: A) 1 B) 4 C) 8 D) 11
In asymmetric encryption, each party needs their own key pair (a public key and a private key) to engage in confidential communication. B is the correct answer. A, C and D are incorrect; in asymmetric encryption, each party needs their own key pair for confidential communication.
Is it possible to avoid risk? (D1, L1.2.1) Question options: A) Yes B) No C) Sometimes D) Never
Incorrect. Risks can be mitigated successfully by identifying different possible risks, characterizing them and then estimating their potential for disrupting the organization.
Handel is a senior manager at Triffid, Inc., and is in charge of implementing a new access control scheme for the company. Handel wants to ensure that employees who are assigned to new positions in the company do not retain whatever access they had in their old positions. Which method should Handel select? (D3, L3.3.1) Question options: A) Role-based access controls (RBAC) B) Mandatory access controls (MAC) C) Discretionary access controls (DAC) D) Logging
RBAC can aid in reducing "privilege creep," where employees who stay with the company for a long period of time might get excess permissions within the environment. A is the correct answer. B and C are incorrect; MAC and DAC do not offer this type of assurance. D is incorrect; logging will demonstrate user activity, but doesn't aid in reducing excess permissions.
Risk Transference
Risk transference is the practice of passing the risk to another party, who will accept the financial impact of the harm resulting from a risk being realized in exchange for payment. Typically, this is an insurance policy.
Bert wants to add a flashlight capability to a smartphone. Bert searches the internet for a free flashlight app, and downloads it to the phone. The app allows Bert to use the phone as a flashlight, but also steals Bert's contacts list. What kind of app is this? (D4.2 L4.2.1) Question options: A) DDOS B) Trojan C) Side channel D) On-path
This is a textbook example of a Trojan horse application. Bert has intentionally downloaded the application with the intent to get a desired service, but the app also includes a hostile component Bert is unaware of. A is incorrect; DDOS involves multiple attacking machines trying to affect the availability of the target. C is incorrect; a side channel attack is passive and generally only observes operational activity, instead of capturing and exfiltrating specific data. D is incorrect; an on-path attack involves the attackers inserting themselves between communicating parties.
Which of the following is one of the common ways potential attacks are often identified? (D4.2 L4.2.2) Question options: A) The attackers contact the target prior to the attack, in order to threaten and frighten the target B) Victims notice excessive heat coming from their systems C) The power utility company warns customers that the grid will be down and the internet won't be accessible D) Users report unusual systems activity/response to Help Desk or the security office
Users often act as an attack-detection capability (although many user reports might be false-positives). D is the correct answer. A and C are incorrect; unfortunately, we rarely get advance notification of impending threats to the environment. B is incorrect; attacks are not typically identified by physical manifestations.
Prachi works as a database administrator for Triffid, Inc. Prachi is allowed to add or delete users, but is not allowed to read or modify the data in the database itself. When Prachi logs onto the system, an access control list (ACL) checks to determine which permissions Prachi has. In this situation, what is the database? (D3, L3.1.1) Question options: A) The object B) The rule C) The subject D) The site
A is correct. Prachi is manipulating the database, so the database is the object in the subject-object-rule relationship in this case. B and C are incorrect, because the database is the object in this situation. D is incorrect because "site" has no meaning in this context.
In risk management concepts, a(n) ___________ is something or someone that poses risk to an organization or asset. (D1, L1.2.1) Question options: A) Fear B) Threat C) Control D) Asset
B is correct. A threat is something or someone that poses risk to the organization; this is the definition of a threat. A is incorrect because "fear" is not generally a term associated with risk management. C is incorrect; a control is something used to mitigate risk. D is incorrect; an asset is something of value, which may need protection.
Lankesh is the security administrator for a small food-distribution company. A new law is published by the country in which Lankesh's company operates; the law conflicts with the company's policies. Which governance element should Lankesh's company follow? (D1, L1.4.2) Question options: A) The law B) The policy C) Any procedures the company has created for the particular activities affected by the law D) Lankesh should be allowed to use personal and professional judgment to make the determination of how to proceed
Correct. Laws are the explicit authority of the jurisdiction where any organizations operate; laws cannot be violated, regardless of internal company governance. Laws supersede everything else.
Security needs to be provided to ____ data. (D5.1, L5.1.1) Question options: A) Restricted B) Illegal C) Private D) All
D is the correct answer. All data needs some form of security; even data that is not sensitive (such as data intended for public view) needs protection to ensure availability. A, B and C are incorrect; all data needs some form of security protection.
A system that collects transactional information and stores it in a record in order to show which users performed which actions is an example of providing ________. (D1, L1.1.1) Question options: A) Non-repudiation B) Multifactor authentication C) Biometrics D) Privacy
A is correct. Non-repudiation is the concept that users cannot deny they have performed transactions that they did, in fact, conduct. A system that keeps a record of user transactions provides non-repudiation. B and C are incorrect because nothing in the question referred to authentication at all. D is incorrect because non-repudiation does not support privacy (if anything, non-repudiation and privacy are oppositional).
Which of the following is likely to be included in the business continuity plan? (D2, L2.2.1) Question options: A) Alternate work areas for personnel affected by a natural disaster B) The organization's strategic security approach C) Last year's budget information D) Log data from all systems
A is correct. The business continuity plan should include provisions for alternate work sites, if the primary site is affected by an interruption, such as a natural disaster. B is incorrect; the organization's strategic security approach should be included in the organization's security policy. C is incorrect; budgetary information is not typically included in the business continuity plan. D is incorrect; log data is not typically included in the business continuity plan.
Which of the following is an example of a "something you know" authentication factor? (D1, L1.1.1) Question options: A) User ID B) Password C) Fingerprint D) Iris scan
B is correct. A password is something the user knows and can present as an authentication factor to confirm an identity assertion. A is incorrect because a user ID is an identity assertion, not an authentication factor. C and D are incorrect as they are examples of authentication factors that are something you are, also referred to as "biometrics."
Which of the following roles does not typically require privileged account access? (D3, L3.1.1) Question options: A) Security administrator B) Data entry professional C) System administrator D) Help Desk technician
B is correct. Data entry professionals do not usually need privileged access. A, C and D are all incorrect; those are roles that typically need privileged access.
Which of the following will have the most impact on determining the duration of log retention? (D3, L3.2.1) Question options: A) Personal preference B) Applicable laws C) Industry standards D) Type of storage media
B is correct. Laws will have the most impact on policies, including log retention periods, because laws cannot be contravened. All the other answers may have some impact on retention periods, but they will never have as much impact as applicable laws.
Barry wants to upload a series of files to a web-based storage service, so that people Barry has granted authorization can retrieve these files. Which of the following would be Barry's preferred communication protocol if he wanted this activity to be efficient and secure? (D4, L4.1.2) Question options: A) SMTP (Simple Mail Transfer Protocol) B) FTP (File Transfer Protocol) C) SFTP (Secure File Transfer Protocol) D) SNMP (Simple Network Management Protocol)
C is the correct answer; SFTP is designed specifically for this purpose. A, B and D are incorrect; these protocols are either not efficient or not secure in Barry's intended use.
What is the risk associated with delaying resumption of full normal operations after a disaster? (D2, L2.3.1) Question options: A) People might be put in danger B) The impact of running alternate operations for extended periods C) A new disaster might emerge D) Competition
B is correct. Alternate operations are typically more costly than normal operations, in terms of impact to the organization; extended alternate operations could harm the organization as much as a disaster. A is incorrect; typically, alternate operations are safer than normal operations. C is incorrect; this would actually be an argument for delaying alternate operations, but it doesn't make much sense. D is incorrect; competition is always a risk, but doesn't have anything to do with DR efforts.
True or False? Business continuity planning is a reactive procedure that restores business operations after a disruption occurs. (D2, L2.2.1) Question options: A) True B) False
B is correct. Business continuity planning is proactive preparation for restoring operations after disruption. Members from across the organizations participate in the planning to ensure all systems, processes and operations are accounted for in the plan. A is incorrect; business continuity planning is a proactive procedure to prepare for the restoration of operations after disruption.
What is the overall objective of a disaster recovery (DR) effort? (D2, L2.3.1) Question options: A) Save money B) Return to normal, full operations C) Preserve critical business functions during a disaster D) Enhance public perception of the organization
B is correct. DR efforts are intended to return the organization to normal, full operations. A is incorrect; DR is often quite expensive, and not a cost-saving measure. C is incorrect; this is the goal of business continuity (BC) efforts. D is incorrect; DR efforts are intended to return the organization to normal, full operations, not enhance public perception.
Chad is a security practitioner tasked with ensuring that the information on the organization's public website is not changed by anyone outside the organization. This task is an example of ensuring _________. (D1, L1.1.1) A) Confidentiality B) Integrity C) Availability D) Confirmation
B is correct. Preventing unauthorized modification is the definition of integrity. A is incorrect because the website is not meant to be secret; it is open to the public. C is incorrect because Chad is not tasked with ensuring the website is accessible, only that the information on it is not changed. D is incorrect because "confirmation" is not a typical security term, and is used here only as a distractor.
A tool that filters inbound traffic to reduce potential threats. (D4.2 L4.2.3) Question options: A) NIDS (network-based intrusion-detection systems) B) Anti-malware C) DLP (data loss prevention) D) Firewall
Firewalls typically filter traffic originating from outside the organization's IT environment. D is the correct answer. A is incorrect; NIDS typically monitor traffic within the production environment. B is incorrect; anti-malware solutions typically identify hostile software. C is incorrect; DLP solutions typically monitor outbound traffic.
Every document owned by Triffid, Inc., whether hardcopy or electronic, has a clear, 24-point word at the top and bottom. Only three words can be used: "Sensitive," "Proprietary" and "Public." This is an example of _____. (D5.1, L5.1.1) Question options: A) Secrecy B) Privacy C) Inverting D) Labeling
Labeling is the practice of annotating assets with classification markings. D is the correct answer. A is incorrect; "secrecy" is too broad a term in this context, and not accurate—the markings are visible. B is incorrect; privacy is associated with information that identifies a specific person (or specific people). C is incorrect; this term has no meaning in this context, and is used here only as a distractor.
Security controls on log data should reflect ________. (D5.1, L5.1.2) Question options: A) The organization's commitment to customer service B) The local culture where the log data is stored C) The price of the storage device D) The sensitivity of the source device
Log data should be protected with security as high, or higher, than the security level of the systems or devices that log was captured from. D is the correct answer. A, B and C are incorrect; these are not qualities that dictate security level of protection on log data.
A chief information security officer (CISO) at a large organization documented a policy that establishes the acceptable use of cloud environments for all staff. This is an example of a: (D1, L1.3.1) Question options: A) Management/Administrative control B) Technical control C) Physical control D) Cloud control
Correct. Policies, standards, processes, procedures and guidelines set by corporate administrative entities (e.g., executive- and/or mid-level management) are management/administrative controls.
Logs should be reviewed ______. (D5.1, L5.1.2) Question options: A) Every Thursday B) Continually C) Once per calendar year D) Once per fiscal year
Log review should happen continually, in order to ensure detection efforts are optimized. B is the correct answer. A, C and D are incorrect; logs need to be reviewed on a continual basis.
If two people want to use symmetric encryption to conduct a confidential conversation, how many keys do they need? (D5.1, L5.1.3) Question options: A) 1 B) 3 C) 8 D) none
In symmetric cryptography, confidential communication is achieved through the use of one, shared key. A is the correct answer. B, C and D are incorrect; symmetric encryption uses one shared key between parties for confidential communication.
When Pritha started working for Triffid, Inc., Pritha had to sign a policy that described how Pritha would be allowed to use Triffid's IT equipment. What policy was this? (D5.3, L5.3.1) Question options: A) The organizational security policy B) The acceptable use policy (AUP) C) The bring-your-own-device (BYOD) policy D) The workplace attire policy
The AUP describes how users will be permitted to use the organization's IT assets. B is the correct answer. A, C and D are incorrect; while these are all common policies, they do not serve the same function as the AUP.
Which common cloud deployment model typically features only a single customer's data/functionality stored on specific systems/hardware? (D4.3 L4.3.2) Question options: A) Public B) Private C) Community D) Hybrid
B is correct; this is the defining feature of private cloud. A is incorrect; in public cloud, multiple customers (or "tenants") typically share the underlying systems. C is incorrect; in community cloud, multiple customers from a shared affinity group/industry typically share access to the underlying infrastructure. D is incorrect; in hybrid cloud, more than one customer may use underlying infrastructure.
Druna is a security practitioner tasked with ensuring that laptops are not stolen from the organization's offices. Which sort of security control would probably be best for this purpose? (D1, L1.3.1) Question options: A) Technical B) Obverse C) Physical D) Administrative
C is the best answer. Because laptops are tangible objects, and Druna is trying to ensure that these objects are not moved from a certain place, physical controls are probably best for the purpose. A is incorrect; technical controls might help detect an attempt to steal a laptop, or locate the laptop after it has been stolen, but won't prevent the laptop from being taken. B is incorrect; "obverse" is not a term commonly used to describe a particular type of security control, and is used here only as a distractor. D is incorrect; administrative controls may help reduce theft, such as ensuring that laptops are not left in a place unobserved, but won't prevent the laptop from being taken.
Gelbi is a Technical Support analyst for Triffid, Inc. Gelbi sometimes is required to install or remove software. Which of the following could be used to describe Gelbi's account? (D3, L3.1.1) Question options: A) Privileged B) Internal C) External D) User
A is Correct. This is the description of a privileged account; an account that typically needs greater permissions than a basic user. B and C are incorrect; the question does not specify whether Gelbi connects to the environment from within the network, or from outside. D is incorrect; this is too vague—Gelbi is a user, but has permissions that are typically greater than what basic users have.
Community cloud
A system in which the cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy and compliance considerations). It may be owned, managed and operated by one or more of the organizations in the community, a third party or some combination of them, and it may exist on or off premises. NIST 800-145
VPN (Virtual Private Network)
A virtual private network (VPN) is a communication tunnel that provides point-to-point transmission of both authentication and data traffic over an untrusted network.
WLAN
A wireless local area network (WLAN) is a group of computers and devices that are located in the same vicinity, forming a network based on radio transmissions rather than wired connections. A Wi-Fi network is a type of WLAN.
Man-in-the-Middle
An attack where the adversary positions himself in between the user and the system so that he can intercept and alter data traveling between them. Source: NISTIR 7711
Payment Card Industry Data Security Standard (PCI DSS)
An information security standard administered by the Payment Card Industry Security Standards Council that applies to merchants and service providers who process credit or debit card transactions.
Preenka works at an airport. There are red lines painted on the ground next to the runway; Preenka has been instructed that nobody can step or drive across a red line unless they request, and get specific permission from, the control tower. This is an example of a(n)______ control. (D1, L1.3.1) Question options: A) Physical B) Administrative C) Critical D) Technical
B is correct. The process of requesting and getting permission, and the painted signage, are examples of administrative controls. A is incorrect; while the line is painted on the ground (and the ground is a tangible object), the line does not actually act to prevent or control anything—the line is a symbol and indicator; Preenka could easily walk across the line, if Preenka chose to do so. C is incorrect; "critical" is not a term commonly used to describe a particular type of security control, and is used here only as a distractor. D is incorrect; a painted line is not an IT system or part of the IT environment.
Cyril wants to ensure all the devices on his company's internal IT environment are properly synchronized. Which of the following protocols would aid in this effort? (D4, L4.1.2) Question options: A) FTP (File Transfer Protocol) B) NTP (Network Time Protocol) C) SMTP (Simple Mail Transfer Protocol) D) HTTP (Hypertext Transfer Protocol)
B is the correct answer; this is the purpose of NTP. A, C and D are incorrect; these do not serve the purpose of synchronization.
Broadcast
Broadcast transmission is a one-to-many (one-to-everyone) form of sending internet traffic.
When should a business continuity plan (BCP) be activated? (D2, L2.2.1) Question options: A) As soon as possible B) At the very beginning of a disaster C) When senior management decides D) When instructed to do so by regulators
C is correct. A senior manager with the proper authority must initiate the BCP. A is incorrect; this answer has no context—there is no way to know when "as soon as possible" would be. B is incorrect; typically, it is impossible to determine the "beginning" of a disaster. D is incorrect; not all organizations are in regulated industries, and regulators do not supervise disaster response.
(ISC)² publishes a Common Body of Knowledge (CBK) that IT security practitioners should be familiar with; this is recognized throughout the industry as a set of material that is useful for practitioners to refer to. Certifications can be issued for demonstrating expertise in this Common Body of Knowledge. What kind of document is the Common Body of Knowledge? (D1, L1.4.1) Question options: A) Policy B) Procedure C) Standard D) Law
C is correct. The Common Body of Knowledge is used throughout the industry, recognized among many people, countries and organizations. This is a standard. A is incorrect; the CBK is not a set of internal rules used for a particular organization; it is used throughout the industry. B is incorrect. The CBK is not a process that is followed; it is a set of information. D is incorrect; the CBK is not mandated by a governmental body.
A _____ is a record of something that has occurred. (D3, L3.2.1) Question options: A) Biometric B) Law C) Log D) Firewall
C is correct. This is a description of a log. A is incorrect; "biometrics" is a term used to describe access control systems that use physiological traits of individuals in order to grant/deny access. B is incorrect; laws are legal mandates. D is incorrect; a firewall is a device for filtering traffic.
Cloud Characteristics
Cloud-based assets include any resources that an organization accesses using cloud computing. Cloud computing refers to on-demand access to computing resources available from almost anywhere, and cloud computing resources are highly available and easily scalable. Organizations typically lease cloud-based resources from outside the organization. Cloud computing has many benefits for organizations, which include but are not limited to:
• Usage is metered and priced according to units (or instances) consumed. This can also be billed back to specific departments or functions.
• Reduced cost of ownership. There is no need to buy any assets for everyday use, no loss of asset value over time and a reduction of other related costs of maintenance and support.
• Reduced energy and cooling costs, along with a "green IT" environment effect from optimum use of IT resources and systems.
• Allows an enterprise to scale up new software or data-based services/solutions through cloud systems quickly and without having to install massive hardware locally.
A common network device used to filter traffic. (D4.1 L4.1.1) Question options: A) Server B) Endpoint C) Ethernet D) Firewall
Correct. This is the purpose of a firewall.
Power
Data centers and information systems in general consume a tremendous amount of electrical power, which needs to be delivered both constantly and consistently. Wide fluctuations in the quality of power affect system lifespan, while disruptions in supply completely stop system operations. Power at the site is always an integral part of data center operations. Regardless of fuel source, backup generators must be sized to provide for the critical load (the computing resources) and the supporting infrastructure. Similarly, battery backups must be properly sized to carry the critical load until generators start and stabilize. As with data backups, testing is necessary to ensure the failover to alternate power works properly.
Deployment Models
Deployment Models There are four cloud deployment models. The cloud deployment model also affects the breakdown of responsibilities of the cloud-based assets. The four cloud models available are public, private, hybrid and community . Select each plus sign hotspot to learn more about each topic.
Encapsulation
Enforcement of data hiding and code hiding during all phases of software development and operational use. Bundling together data and methods is the process of encapsulation; its opposite process may be called unpacking, revealing, or using other terms. Also used to refer to taking any set of data and packaging it or hiding it in another data structure, as is common in network protocols and encryption.
Which of the following tools can be used to grant remote users access to the internal IT environment? (D 4.3 L4.3.3) Question options: A) VLAN (virtual local area network) B) VPN (virtual private network) C) DDOS (distributed denial-of-service) D) MAC (media access control)
Correct. A VPN allows external users to gain access to the internal environment in a secure manner.
endpoint <------> Web server Which port number is associated with the protocol typically used in this connection? (D 4.1 L4.1.2) Question options: A) 21 B) 53 C) 80 D) 161
Correct. This is the port for the HTTP protocol, commonly used for Web traffic.
An attack against the availability of a network/system; typically uses many attacking machines to direct traffic against a given target. (D4.2 L4.2.1) Question options: A) Worm B) Virus C) Stealth D) Distributed-denial-of-service (DDOS)
Correct. This is the description of a DDOS attack.
A security solution that detects, identifies and often quarantines potentially hostile software. (D4.2, L4.2.2) Question options: A) Firewall B) Guard C) Camera D) Anti-malware
Correct. This is the definition of an anti-malware solution.
The common term used to describe the mechanisms that control the temperature and humidity in a data center. (D4.3 L4.3.1) Question options: A) VLAN (virtual local area network) B) HVAC (heating, ventilation and air conditioning) C) STAT (system temperature and timing) D) TAWC (temperature and water control)
Correct. This is a common term in the industry.
Fragment attack
In a fragment attack, an attacker fragments traffic in such a way that a system is unable to put data packets back together.
Infrastructure as a Service (IaaS)
A cloud provides network access to traditional computing resources such as processing power and storage. IaaS models provide basic computing resources to consumers. This includes servers, storage and, in some cases, networking resources. Consumers install operating systems and applications and perform all required maintenance on the operating systems and applications. Although the consumer has use of the related equipment, the cloud service provider retains ownership and is ultimately responsible for hosting, running and maintenance of the hardware. IaaS is also referred to as hardware as a service by some customers and providers. IaaS has a number of benefits for organizations, which include but are not limited to:
• Ability to scale infrastructure services up and down based on actual usage. This is particularly useful and beneficial where there are significant spikes and dips within the usage curve for infrastructure.
• Retaining system control at the operating system level.
Logical Ports {Ports and Protocols (Applications/Services)}
When a communication connection is established between two systems, it is done using ports. A logical port (also called a socket) is little more than an address number that both ends of the communication link agree to use when transferring data. Ports allow a single IP address to support multiple simultaneous communications, each using a different port number.
In the Application Layer of the TCP/IP model (which includes the Session, Presentation and Application Layers of the OSI model) reside numerous application- or service-specific protocols. Data types are mapped using port numbers associated with services. For example, web traffic (or HTTP) is port 80. Secure web traffic (or HTTPS) is port 443. Table 5.4 highlights some of these protocols and their customary or assigned ports. You'll note that in several cases a service (or protocol) may have two ports assigned, one secure and one insecure. When in doubt, systems should be implemented using the most secure version of a protocol and its services that is possible.
• Well-known ports (0-1023): These ports are related to the common protocols that are at the core of the Transmission Control Protocol/Internet Protocol (TCP/IP) model, such as Domain Name Service (DNS), Simple Mail Transfer Protocol (SMTP), etc.
• Registered ports (1024-49151): These ports are often associated with proprietary applications from vendors and developers. While they are officially approved by the Internet Assigned Numbers Authority (IANA), in practice many vendors simply implement a port of their choosing. Examples include Remote Authentication Dial-In User Service (RADIUS) authentication (1812), Microsoft SQL Server (1433/1434) and the Docker REST API (2375/2376).
• Dynamic or private ports (49152-65535): Whenever a service is requested that is associated with well-known or registered ports, those services will respond with a dynamic port that is used for that session and then released.
Managed Service Provider (MSP)
A managed service provider (MSP) is a company that manages information technology assets for another company. Small- and medium-sized businesses commonly outsource part or all of their information technology functions to an MSP to manage day-to-day operations or to provide expertise in areas the company does not have. Organizations may also use an MSP to provide network and security monitoring and patching services. Today, many MSPs offer cloud-based services augmenting SaaS solutions with active incident investigation and response activities. One such example is a managed detection and response (MDR) service, where a vendor monitors firewall and other security tools to provide expertise in triaging events. Some other common MSP implementations are:
Augment in-house staff for projects
Utilize expertise for implementation of a product or service
Provide payroll services
Provide help desk service management
Monitor and respond to security incidents
Manage all in-house IT infrastructure
Network access control (NAC)
Network access control (NAC) is a concept of controlling access to an environment through strict adherence to and implementation of security policy.
Network segmentation
Network segmentation involves controlling traffic among networked devices. Complete or physical network segmentation occurs when a network is isolated from all outside communications, so transactions can only occur between devices within the segmented network.
Microsegmentation
Part of a zero-trust strategy that breaks LANs into very small, highly localized zones using firewalls or similar technologies. At the limit, this places a firewall at every connection point.
Physical Ports {Ports and Protocols (Applications/Services)}
Physical ports are the ports on routers, switches, servers, computers, etc. to which you connect the cables (e.g., fiber optic cables, Cat5 cables) to create a network.
Risk Mitigation
Risk mitigation is the most common type of risk management and includes taking actions to prevent or reduce the possibility of a risk event or its impact. Mitigation can involve remediation measures, or controls, such as security controls, establishing policies, procedures, and standards to minimize adverse risk. Risk cannot always be mitigated, but mitigations such as safety measures should always be in place.
Service-Level Agreement (SLA)
The cloud computing service-level agreement (cloud SLA) is an agreement between a cloud service provider and a cloud service customer based on a taxonomy of cloud computing-specific terms to set the quality of the cloud services delivered. It characterizes the quality of the cloud services delivered in terms of a set of measurable properties specific to cloud computing (business and technical) and a given set of cloud computing roles (cloud service customer, cloud service provider, and related sub-roles).
Think of a rule book and legal contract—that combination is what you have in a service-level agreement (SLA). Let us not underestimate or downplay the importance of this document/agreement. In it, the minimum level of service, availability, security, controls, processes, communications, support and many other crucial business elements are stated and agreed to by both parties. The purpose of an SLA is to document specific parameters, minimum service levels and remedies for any failure to meet the specified requirements. It should also affirm data ownership and specify data return and destruction details. Other important SLA points to consider include the following:
Cloud system infrastructure details and security standards
Customer right to audit legal and regulatory compliance by the CSP
Rights and costs associated with continuing and discontinuing service use
Service availability
Service performance
Data security and privacy
Disaster recovery processes
Data location
Data access
Data portability
Problem identification and resolution expectations
Change management processes
Dispute mediation processes
Exit strategy
Kristal is the security administrator for a large online service provider. Kristal learns that the company is harvesting personal data of its customers and sharing the data with local governments where the company operates, without the knowledge of the users, to allow the governments to persecute users on the basis of their political and philosophical beliefs. The published user agreement states that the company will not share personal user data with any entities without the users' explicit permission. According to the (ISC)2 Code of Ethics, to whom does Kristal ultimately owe a duty in this situation? (D1, L1.5.1) Question options: A) The governments of the countries where the company operates B) The company Kristal works for C) The users D) (ISC)2
The (ISC)2 Code of Ethics Canons are listed in order of primacy; that is, the most important comes first, and the rest are in order of priority. Kristal owes a duty to each of the entities listed in the answers; however, the users are the most important entity in order of the Code hierarchy, as the users are described in the first Canon: "society," "the common good," and "public."
The logical address of a device connected to the network or Internet. (D4.1 L4.1.1) Question options: A) Media access control (MAC) address B) Internet Protocol (IP) address C) Geophysical address D) Terminal address
The IP address is the logical address assigned to a device connected to a network or the Internet. B is the correct answer. A is incorrect; the MAC address of a device is its physical address. C is incorrect; the geophysical address is typically the postal address assigned to a building, not an IT device. D is incorrect; "terminal address" has no meaning in this context, and is only used here as a distractor.
Public cloud
The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider. NIST SP 800-145
File Transfer Protocol (FTP)
The internet protocol (and program) used to transfer files between hosts.
Bit
The most essential representation of data (zero or one) at Layer 1 of the Open Systems Interconnection (OSI) model.
De-encapsulation
The opposite process of encapsulation, in which bundles of data are unpacked or revealed.
Infrastructure as a Service (IaaS)
The provider of the core computing, storage and network hardware and software that is the foundation upon which organizations can build and then deploy applications. IaaS is popular in the data center, where software and servers are purchased as a fully outsourced service and usually billed according to how much of the resource is used.
Upper Layer
The upper layer, also known as the host or application layer, is responsible for managing the integrity of a connection and controlling the session as well as establishing, maintaining and terminating communication sessions between two computers. It is also responsible for transforming data received from the Application Layer into a format that any system can understand. And finally, it allows applications to communicate and determines whether a remote communication partner is available and accessible.
Platform as a Service (PaaS)
The web-authoring or application development middleware environment that allows applications to be built in the cloud before they're deployed as SaaS assets.
Domain Name Service (DNS)
This acronym can be applied to three interrelated elements: a service, a physical server and a network protocol.
Virtual Local Area Network (VLAN)
Virtual local area networks (VLANs) allow network administrators to use switches to create software-based LAN segments, which can segregate or consolidate traffic across multiple switch ports. Devices that share a VLAN communicate through switches as if they were on the same Layer 2 network. This image shows different VLANs — red, green and blue — connecting separate sets of ports together, while sharing the same network segment (consisting of the two switches and their connection). Since VLANs act as discrete networks, communications between VLANs must be enabled. Broadcast traffic is limited to the VLAN, reducing congestion and reducing the effectiveness of some attacks. Administration of the environment is simplified, as the VLANs can be reconfigured when individuals change their physical location or need access to different services. VLANs can be configured based on switch port, IP subnet, MAC address and protocols.
VLANs do not guarantee a network's security. At first glance, it may seem that traffic cannot be intercepted because communication within a VLAN is restricted to member devices. However, there are attacks that allow a malicious user to see traffic from other VLANs (so-called VLAN hopping). The VLAN technology is only one tool that can improve the overall security of the network environment.
A bollard is a post set securely in the ground in order to prevent a vehicle from entering an area or driving past a certain point. Bollards are an example of ______ controls. (D1, L1.3.1) Question options: A) Physical B) Administrative C) Drastic D) Technical
A is correct. A bollard is a tangible object that prevents a physical act from occurring; this is a physical control. B and D are incorrect because the bollard is a physical control, not administrative or technical. C is incorrect: "drastic" is not a term commonly used to describe a particular type of security control, and is used here only as a distractor.
Which common cloud service model offers the customer the most control of the cloud environment? (D4.3 L4.3.2) Question options: A) Lunch as a service (LaaS) B) Infrastructure as a service (IaaS) C) Platform as a service (PaaS) D) Software as a service (SaaS)
B is correct; IaaS offers the customer the most control of the cloud environment, in terms of common cloud service models. A is incorrect; this is not a common cloud service model. C and D are incorrect; IaaS offers the customer more control than any other common cloud service model.
Which of the following is probably most useful at the perimeter of a property? (D3, L3.2.1) Question options: A) A safe B) A fence C) A data center D) A centralized log storage facility
B is the best answer. Of the options listed, a fence would be most useful at the perimeter of a property. A, C and D are incorrect, because those contain high-value assets which would be better located away from the perimeter of the property, so they can be protected with multiple security controls of varying types.
One of the benefits of computer-based training (CBT): (D5.4, L5.4.1) Question options: A) Expensive B) Scalable C) Personal interaction with instructor D) Interacting with other participants
B is the correct answer. CBT is completely scalable, because it can be replicated uniformly for any number of users. A, C and D are incorrect; these are not characteristics of CBT.
Carol is browsing the Web. Which of the following ports is she probably using? (D4, L4.1.2) Question options: A) 12 B) 80 C) 247 D) 999
B is the correct answer; port 80 is used for HTTP traffic, and HTTP is a Web-browsing protocol. A, C and D are incorrect; these ports are not used by Web browsers.
Larry and Fern both work in the data center. In order to enter the data center to begin their workday, they must both present their own keys (which are different) to the key reader, before the door to the data center opens. Which security concept is being applied in this situation? (D3, L3.1.1) Question options: A) Defense in depth B) Segregation of duties C) Least privilege D) Dual control
D is correct. This is an example of dual control, where two people, each with distinct authentication factors, must be present to perform a function. A is incorrect; defense in depth requires multiple controls protecting assets—there is no description of multiple controls in this situation. B is incorrect; in segregation of duties, the parts of a given transaction are split among multiple people, and the task cannot be completed unless each of them takes part. Typically, in segregation of duties, the people involved do not have to take part simultaneously; their actions can be spread over time and distance. This differs from dual control, where both people must be present at the same time. C is incorrect; the situation described in the question does not reduce the permissions of either person involved or limit their capabilities to their job function.
Who dictates policy? (D5.3, L5.3.1) Question options: A) The security manager B) The Human Resources office C) Senior management D) Auditors
Only senior management has the legal and financial authority to issue policy and accept risk on behalf of the organization. C is the correct answer. A, B and D are incorrect; only senior management can issue policy.
DMZ (demilitarized zone)
A DMZ is a network area that is designed to be accessed by outside visitors but is still isolated from the private network of the organization. The DMZ is often the host of public web, email, file and other resource servers.
An attacker outside the organization attempts to gain access to the organization's internal files. This is an example of a(n) ______. (D2, L2.1.1) Question options: A) Intrusion B) Exploit C) Disclosure D) Publication
A is correct. An intrusion is an attempt (successful or otherwise) to gain unauthorized access. B is incorrect; the question does not mention what specific attack or vulnerability was used. C and D are incorrect; the organization did not grant unauthorized access or release the files.
Which of the following examples is a correctly shortened version of the address 2001:0db8:0000:0000:0000:ffff:0000:0001? A. 2001:db8::ffff:0000:1 Incorrect. The 0000 can be shortened to just 0. B. 2001:0db8:0:ffff::1 Incorrect. The multiple octets of 0000 are shortened to :: and the single octet of 0 is shortened to just 0. C. 2001:0db8::ffff:0:0001 Incorrect. The final octet can be shortened from 0001 to 1. D. 2001:db8::ffff:0:1 Correct. This is the shortened version of the address.
Matching Ports with Their Secure Counterparts
Which of the following protocols is a secure alternative to using telnet? (D4, L4.1.2) A. HTTPS B. LDAPS C. SFTP D. SSH
Correct Answer: D. SSH Correct. Secure Shell (SSH) is the secure alternative to telnet as it encrypts all traffic between the host and remote user.
A. HTTPS Incorrect. HyperText Transfer Protocol Secure is the secure alternative for HTTP and uses SSL/TLS for securing website communications. B. LDAPS Incorrect. Lightweight Directory Access Protocol Secure (LDAPS) is the secure alternative for Lightweight Directory Access Protocol (LDAP) and is used to exchange directory information in a secured protocol. C. SFTP Incorrect. Secure File Transfer Protocol (SFTP) is the secure alternative to FTP and is used to transfer files.
Defense in Depth
Defense in depth uses a layered approach when designing the security posture of an organization. Think about a castle that holds the crown jewels. The jewels will be placed in a vaulted chamber in a central location guarded by security guards. The castle is built around the vault with additional layers of security—soldiers, walls, a moat. The same approach is true when designing the logical security of a facility or system. Using layers of security will deter many attackers and encourage them to focus on other, easier targets. Defense in depth provides more of a starting point for considering all types of controls—administrative, technological, and physical—that empower insiders and operators to work together to protect their organization and its systems. Here are some examples that further explain the concept of defense in depth:
Data: Controls that protect the actual data with technologies such as encryption, data leak prevention, identity and access management and data controls.
Application: Controls that protect the application itself with technologies such as data leak prevention, application firewalls and database monitors.
Host: Every control that is placed at the endpoint level, such as antivirus, endpoint firewall, configuration and patch management.
Internal network: Controls that are in place to protect uncontrolled data flow and user access across the organizational network. Relevant technologies include intrusion detection systems, intrusion prevention systems, internal firewalls and network access controls.
Perimeter: Controls that protect against unauthorized access to the network. This level includes the use of technologies such as gateway firewalls, honeypots, malware analysis and secure demilitarized zones (DMZs).
Physical: Controls that provide a physical barrier, such as locks, walls or access control.
Policies, procedures and awareness: Administrative controls that reduce insider threats (intentional and unintentional) and identify risks as soon as they appear.
All of the following are important ways to practice an organization disaster recovery (DR) effort; which one is the most important? (D2, L2.3.1) Question options: A) Practice restoring data from backups B) Facility evacuation drills C) Desktop/tabletop testing of the plan D) Running the alternate operating site to determine if it could handle critical functions in times of emergency
B is the only answer that directly addresses health and human safety, which is the paramount concern of all security efforts. All the other answers are good exercises to perform as DR preparation, but B is the correct answer.
Heating, Ventilation and Air Conditioning (HVAC) / Environmental
High-density equipment and equipment within enclosed spaces require adequate cooling and airflow. Well-established standards for the operation of computer equipment exist, and equipment is tested against these standards. For example, the recommended range for optimized maximum uptime and hardware life is from 64° to 81°F (18° to 27°C), and it is recommended that a rack have three temperature sensors, positioned at the top, middle and bottom of the rack, to measure the actual operating temperature of the environment. Proper management of data center temperatures, including cooling, is essential.
Cooling is not the only issue with airflow: contaminants like dust and noxious fumes require appropriate controls to minimize their impact on equipment. Monitoring for water or gas leaks, sewer overflow or HVAC failure should be integrated into the building control environment, with appropriate alarms to signal to organizational staff. Contingency planning to respond to the warnings should prioritize the systems in the building, so the impact of a major system failure on people, operations or other infrastructure can be minimized.
Trina and Doug both work at Triffid, Inc. Doug is having trouble logging into the network. Trina offers to log in for Doug, using Trina's credentials, so that Doug can get some work done. What is the problem with this? (D3, L3.3.1) Question options: A) Doug is a bad person B) If Trina logs in for Doug, then Doug will never be encouraged to remember credentials without assistance C) Anything either of them do will be attributed to Trina D) It is against the law
If two users are sharing one set of credentials, then the actions of both users will be attributed to that single account; the organization will be unable to discern exactly who performed which action, which can be troublesome if either user does something negligent or wrong. C is the correct answer. A is incorrect; we don't know enough about Doug from the question. B is incorrect; while true, getting Doug to remember credentials shouldn't be the priority of the situation. D is incorrect; regardless of whether sharing credentials is against the law (and it might or might not be, depending on the jurisdiction), the important point is that both users' actions must be distinct.
Microsegmentation
The toolsets of current adversaries are polymorphic in nature and allow threats to bypass static security controls. Modern cyberattacks take advantage of traditional security models to move easily between systems within a data center. Microsegmentation aids in protecting against these threats. A fundamental design requirement of microsegmentation is to understand the protection requirements for traffic flows within a data center and for traffic to and from the internet. When organizations avoid infrastructure-centric design paradigms, they are more likely to become more efficient at service delivery in the data center and become adept at detecting and preventing advanced persistent threats.
Network Access Control (NAC)
An organization's network is perhaps one of its most critical assets. As such, it is vital that we both know and control access to it, both from insiders (e.g., employees, contractors) and outsiders (e.g., customers, corporate partners, vendors). We need to be able to see who and what is attempting to make a network connection.
At one time, network access was limited to internal devices. Gradually, that was extended to remote connections, although initially those were the exceptions rather than the norm. This started to change with the concepts of bring your own device (BYOD) and Internet of Things (IoT). Considering just IoT for a moment, it is important to understand the range of devices that might be found within an organization. They include heating, ventilation and air conditioning (HVAC) systems that monitor the ambient temperature and adjust the heating or cooling levels automatically or air monitoring systems, through security systems, sensors and cameras, right down to vending and coffee machines. Look around your own environment and you will quickly see the scale of their use.
Having identified the need for a NAC solution, we need to identify what capabilities a solution may provide. As we know, everything begins with a policy. The organization's access control policies and associated security policies should be enforced via the NAC device(s). Remember, of course, that an access control device only enforces a policy and doesn't create one. The NAC device will provide the network visibility needed for access security and may later be used for incident response. Aside from identifying connections, it should also be able to provide isolation for noncompliant devices within a quarantined network and provide a mechanism to "fix" the noncompliant elements, such as turning on endpoint protection.
In short, the goal is to ensure that all devices wishing to join the network do so only when they comply with the requirements laid out in the organization policies. This visibility will encompass internal users as well as any temporary users such as guests or contractors, etc., and any devices they may bring with them into the organization. Let's consider some possible use cases for
Network Segmentation (Demilitarized Zone (DMZ))
Network segmentation is also an effective way to achieve defense in depth for distributed or multi-tiered applications. The use of a demilitarized zone (DMZ), for example, is a common practice in security architecture. With a DMZ, host systems that are accessible through the firewall are physically separated from the internal network by means of secured switches or by using an additional firewall to control traffic between the web server and the internal network. Application DMZs (or semi-trusted networks) are frequently used today to limit access to application servers to those networks or systems that have a legitimate need to connect.
Prina is a database manager. Prina is allowed to add new users to the database, remove current users and create new usage functions for the users. Prina is not allowed to read the data in the fields of the database itself. This is an example of: (D3, L3.3.1) Question options: A) Role-based access controls (RBAC) B) Mandatory access controls (MAC) C) Discretionary access controls (DAC) D) Alleviating threat access controls (ATAC)
Role-based access controls often function in this manner, where the employee's job responsibilities dictate exactly which kinds of access the employee has. This also enforces the concept of "least privilege." A is the correct answer. B and C are incorrect; those access control models don't function in the same way as RBAC. D is incorrect; there is no ATAC in this context, and the term is only used here a
Router
Routers are used to control traffic flow on networks and are often used to connect similar networks and control traffic flow between them. Routers can be wired or wireless and can connect multiple switches. Smarter than hubs and switches, routers determine the most efficient "route" for the traffic to flow across the network.
Segmentation for Embedded Systems and IoT
An embedded system is a computer implemented as part of a larger system. The embedded system is typically designed around a limited set of specific functions in relation to the larger product of which it is a component. Examples of embedded systems include network-attached printers, smart TVs, HVAC controls, smart appliances, smart thermostats and medical devices.
Network-enabled devices are any type of portable or nonportable device that has native network capabilities. This generally assumes the network in question is a wireless type of network, typically provided by a mobile telecommunications company. Network-enabled devices include smartphones, mobile phones, tablets, smart TVs or streaming media players (such as a Roku Player, Amazon Fire TV, or Google Android TV/Chromecast), network-attached printers, game systems, and much more.
The Internet of Things (IoT) is the collection of devices that can communicate over the internet with one another or with a control console in order to affect and monitor the real world. IoT devices might be labeled as smart devices or smart-home equipment. Many of the ideas of industrial environmental control found in office buildings are finding their way into more consumer-available solutions for small offices or personal homes.
Embedded systems and network-enabled devices that communicate with the internet are considered IoT devices and need special attention to ensure that communication is not used in a malicious manner. Because an embedded system is often in control of a mechanism in the physical world, a security breach could cause harm to people and property. Since many of these devices have multiple access routes, such as ethernet, wireless, Bluetooth, etc., special care should be taken to isolate them from other devices on the network.
You can impose logical network segmentation with switches using VLANs, or through other traffic-control means, including MAC addresses, IP addresses, physical ports, protocols, or application filtering, routing, and access control management. Network segmentation can be used to isolate IoT environments.
Service Models
Some cloud-based services only provide data storage and access. When storing data in the cloud, organizations must ensure that security controls are in place to prevent unauthorized access to the data. There are varying levels of responsibility for assets depending on the service model. This includes maintaining the assets, ensuring they remain functional, and keeping the systems and applications up to date with current patches. In some cases, the cloud service provider is responsible for these steps. In other cases, the consumer is responsible for these steps. Types of cloud computing service models include Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS).
Memorandum of Understanding (MOU)/Memorandum of Agreement (MOA)
Some organizations seeking to minimize downtime and enhance BC (Business Continuity) and DR (Disaster Recovery) capabilities will create agreements with other, similar organizations. They agree that if one of the parties experiences an emergency and cannot operate within their own facility, the other party will share its resources and let them operate within theirs in order to maintain critical functions. These agreements often even include competitors, because their facilities and resources meet the needs of their particular industry. For example, Hospital A and Hospital B are competitors in the same city. The hospitals create an agreement with each other: if something bad happens to Hospital A (a fire, flood, bomb threat, loss of power, etc.), that hospital can temporarily send personnel and systems to work inside Hospital B in order to stay in business during the interruption (and Hospital B can relocate to Hospital A, if Hospital B has a similar problem). The hospitals have decided that they are not going to compete based on safety and security—they are going to compete on service, price and customer loyalty. This way, they protect themselves and the healthcare industry as a whole. These agreements are called joint operating agreements (JOA) or memoranda of understanding (MOU) or memoranda of agreement (MOA). Sometimes these agreements are mandated by regulatory requirements, or they might just be part of the administrative safeguards instituted by an entity within the guidelines of its industry. The difference between an MOA or MOU and an SLA is that a Memorandum of Understanding is more directly related to what can be done with a system or the information. The service level agreement goes down to the granular level. For example, if I'm outsourcing the IT services, then I will need to have two full-time technicians readily available, at least from Monday through Friday from eight to five. 
With cloud computing, I need to have access to the information in my backup systems within 10 minutes. An SLA specifies the more intricate aspects of the services. We must be very cautious when outsourcing with cloud-based services, because we have to make sure that we understand exactly what we are agreeing to. If the
Open Systems Interconnection (OSI) Model
The OSI Model was developed to establish a common way to describe the communication structure for interconnected computer systems. The OSI model serves as an abstract framework, or theoretical model, for how protocols should function in an ideal world, on ideal hardware. Thus, the OSI model has become a common conceptual reference that is used to understand the communication of various hierarchical components from software interfaces to physical hardware.
The OSI model divides networking tasks into seven distinct layers. Each layer is responsible for performing specific tasks or operations with the goal of supporting data exchange (in other words, network communication) between two computers. The layers are interchangeably referenced by name or layer number. For example, Layer 3 is also known as the Network Layer. The layers are ordered specifically to indicate how information flows through the various levels of communication. Each layer communicates directly with the layer above and the layer below it. For example, Layer 3 communicates with both the Data Link (2) and Transport (4) layers.
The Application, Presentation, and Session Layers (5-7) are commonly referred to simply as data. However, each layer has the potential to perform encapsulation. Encapsulation is the addition of a header and possibly a footer (trailer) to the data by a protocol used at that layer of the OSI model. Encapsulation is particularly important when discussing the Transport, Network and Data Link layers (2-4), which all generally include some form of header. At the Physical Layer (1), the data unit is converted into binary, i.e., 01010111, and sent across physical wires such as an ethernet cable.
It's worth mapping some common networking terminology to the OSI Model so you can see the value in the conceptual model. Consider the following examples:
When someone references an image file like a JPEG or PNG, we are talking about the Presentation Layer (6).
When discussing logical ports such as NetBIOS, we are discussing the Session Layer (5). When discussing TCP/UDP, we are discussing the Transport Layer (4). When discussing routers sending packets, we are discussing the Network Layer (3). When discussing switches, bridges or WAPs sending frames, we
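To make the encapsulation described above concrete, here is an added example (not part of the study notes) that wraps an application payload in a TCP header (Layer 4), an IPv4 header (Layer 3) and an Ethernet header (Layer 2), renders the Layer 1 bit string, and then peels the headers back off the way a receiving host or a network sniffer would. The IP and MAC addresses are constructed sample values; header layouts follow the standard IPv4 and TCP wire formats.

```python
import socket
import struct

# Constructed sample addresses (RFC 5737 documentation range, locally administered MACs).
SRC_IP, DST_IP = "192.0.2.10", "192.0.2.80"
SRC_MAC, DST_MAC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")

def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum used by the IPv4 and TCP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def transport_layer(payload: bytes, src_port: int, dst_port: int) -> bytes:
    """Layer 4: prepend a 20-byte TCP header (seq 1, SYN flag, no options)."""
    hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    # The TCP checksum also covers a pseudo-header borrowed from Layer 3 (protocol 6 = TCP).
    pseudo = socket.inet_aton(SRC_IP) + socket.inet_aton(DST_IP)
    pseudo += struct.pack("!BBH", 0, 6, len(hdr) + len(payload))
    csum = checksum(pseudo + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload

def network_layer(segment: bytes) -> bytes:
    """Layer 3: prepend a 20-byte IPv4 header (version 4, IHL 5, TTL 64, protocol 6)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0x1234, 0x4000,
                      64, 6, 0, socket.inet_aton(SRC_IP), socket.inet_aton(DST_IP))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + segment

def data_link_layer(packet: bytes) -> bytes:
    """Layer 2: prepend a 14-byte Ethernet II header (EtherType 0x0800 = IPv4)."""
    return DST_MAC + SRC_MAC + struct.pack("!H", 0x0800) + packet

def physical_layer(frame: bytes) -> str:
    """Layer 1: the frame as the string of bits that is signalled on the wire."""
    return "".join(f"{b:08b}" for b in frame)

def encapsulate(payload: bytes, src_port: int = 40000, dst_port: int = 80) -> bytes:
    """Data (Layers 5-7) -> segment (L4) -> packet (L3) -> frame (L2)."""
    return data_link_layer(network_layer(transport_layer(payload, src_port, dst_port)))

def decapsulate(frame: bytes) -> dict:
    """Peel the headers off outermost first, as a receiving host or sniffer does."""
    ethertype, = struct.unpack("!H", frame[12:14])
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                       # IPv4 header length in bytes
    tcp = ip[ihl:]
    data_off = (tcp[12] >> 4) * 4                  # TCP header length in bytes
    return {
        "ethertype": ethertype,
        "proto": ip[9],
        "src_ip": socket.inet_ntoa(ip[12:16]),
        "ip_header_ok": checksum(ip[:ihl]) == 0,   # a valid header checksums to 0
        "src_port": struct.unpack("!H", tcp[0:2])[0],
        "dst_port": struct.unpack("!H", tcp[2:4])[0],
        "payload": tcp[data_off:],
    }
```

Calling `encapsulate(b"GET / HTTP/1.1\r\n")` yields a 70-byte frame (14 + 20 + 20 + 16), and `decapsulate` recovers the original payload and ports from it.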
Data Center/Closets
The facility wiring infrastructure is integral to overall information system security and reliability. Protecting access to the physical layer of the network is important in minimizing intentional or unintentional damage. Proper protection of the physical site must address these sorts of security challenges. Data centers and wiring closets may include the following:
- Phone, network, special connections
- ISP or telecommunications provider equipment
- Servers
- Wiring and/or switch components
Simple Mail Transfer Protocol (SMTP)
The standard communication protocol for sending and receiving emails between senders and receivers.
TCP/IP
Transmission Control Protocol/Internet Protocol (TCP/IP). The OSI model wasn't the first or only attempt to streamline networking protocols or establish a common communications standard. In fact, the most widely used protocol today, TCP/IP, was developed in the early 1970s. The OSI model was not developed until the late 1970s. The TCP/IP protocol stack focuses on the core functions of networking.

TCP/IP Protocol Architecture Layers:
- Application Layer: Defines the protocols for the transport layer.
- Transport Layer: Permits data to move among devices.
- Internet Layer: Creates/inserts packets.
- Network Interface Layer: How data moves through the network.

The most widely used protocol suite is TCP/IP, but it is not just a single protocol; rather, it is a protocol stack comprising dozens of individual protocols. TCP/IP is a platform-independent protocol based on open standards. However, this is both a benefit and a drawback. TCP/IP can be found in just about every available operating system, but it consumes a significant amount of resources and is relatively easy to hack into because it was designed for ease of use rather than for security.
Virtual Private Network (VPN)
A virtual private network (VPN) is not necessarily an encrypted tunnel. It is simply a point-to-point connection between two hosts that allows them to communicate. Secure communications can, of course, be provided by the VPN, but only if the security protocols have been selected and correctly configured to provide a trusted path over an untrusted network, such as the internet. Remote users employ VPNs to access their organization's network, and depending on the VPN's implementation, they may have most of the same resources available to them as if they were physically at the office. As an alternative to expensive dedicated point-to-point connections, organizations use gateway-to-gateway VPNs to securely transmit information over the internet between sites or even with business partners.
Which of the following cloud service models provides the most suitable environment for customers to build and operate their own software? (D4. L4.3.3) A. SaaS B. IaaS C. PaaS D. SLA
A. SaaS: Incorrect. SaaS provides access to software applications but not the equipment necessary for customers to build and operate their own software. B. IaaS: Incorrect. IaaS provides use of hardware and related equipment that is retained by the provider but does not allow customers to build and operate their own software in the most suitable way, since it would also require them to manage the operating systems as well. C. PaaS: Correct. PaaS typically provides a set of software building blocks and development tools, such as programming languages and a supporting run-time environment, that facilitate the construction of high-quality, scalable applications. D. SLA: Incorrect. SLA is a service-level agreement and is not a cloud service deployment model.
What is WiFi?
Wireless networking is a popular method of connecting corporate and home systems because of the ease of deployment and relatively low cost. It has made networking more versatile than ever before. Workstations and portable systems are no longer tied to a cable but can roam freely within the signal range of the deployed wireless access points. However, with this freedom comes additional vulnerabilities. Wi-Fi range is generally wide enough for most homes or small offices, and range extenders may be placed strategically to extend the signal for larger campuses or homes. Over time the Wi-Fi standard has evolved, with each updated version faster than the last. In a LAN, threat actors need to enter the physical space or immediate vicinity of the physical media itself. For wired networks, this can be done by placing sniffer taps onto cables, plugging in USB devices, or using other tools that require physical access to the network. By contrast, wireless media intrusions can happen at a distance.
Zero Trust
Zero trust networks are often microsegmented networks, with firewalls at nearly every connecting point. Zero trust encapsulates information assets, the services that apply to them and their security properties. This concept recognizes that once inside a trust-but-verify environment, a user has perhaps unlimited capabilities to roam around, identify assets and systems and potentially find exploitable vulnerabilities. Placing a greater number of firewalls or other security boundary control devices throughout the network increases the number of opportunities to detect a troublemaker before harm is done. Many enterprise architectures are pushing this to the extreme of microsegmenting their internal networks, which enforces frequent re-authentication of a user ID, as depicted in this image.

Consider a rock music concert. By traditional perimeter controls, such as firewalls, you would show your ticket at the gate and have free access to the venue, including backstage where the real rock stars are. In a zero-trust environment, additional checkpoints are added. Your identity (ticket) is validated to access the floor level seats, and again to access the backstage area. Your credentials must be valid at all 3 levels to meet the stars of the show.

Zero trust is an evolving design approach which recognizes that even the most robust access control systems have their weaknesses. It adds defenses at the user, asset and data level, rather than relying on perimeter defense. In the extreme, it insists that every process or action a user attempts to take must be authenticated and authorized; the window of trust becomes vanishingly small. While microsegmentation adds internal perimeters, zero trust places the focus on the assets, or data, rather than the perimeter. Zero trust builds more effective gates to protect the assets directly rather than building additional or higher walls.
Platform as a Service (PaaS)
Platform as a Service (PaaS): A cloud provides an environment for customers to use to build and operate their own software. PaaS is a way for customers to rent hardware, operating systems, storage and network capacity over the internet from a cloud service provider. The service delivery model allows customers to rent virtualized servers and associated services for running existing applications or developing and testing new ones. The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems or storage, but has control over the deployed applications and possibly application-hosting environment configurations.

A PaaS cloud provides a toolkit for conveniently developing, deploying and administering application software that is structured to support large numbers of consumers, process very large quantities of data and potentially be accessed from any point on the internet. PaaS clouds will typically provide a set of software building blocks and a set of development tools such as programming languages and supporting run-time environments that facilitate the construction of high-quality, scalable applications. Additionally, PaaS clouds will typically provide tools that assist with the deployment of new applications. In some cases, deploying a new software application in a PaaS cloud is not much more difficult than uploading a file to a web server. PaaS clouds will also generally provide and maintain the computing resources (e.g., processing, storage and networking) that consumer applications need to operate. PaaS clouds provide many benefits for developers, including that the operating system can be changed and upgraded frequently, along with associated features and system services.
Software as a Service (SaaS)
Software as a Service (SaaS): A cloud provides access to software applications such as email or office productivity tools. SaaS is a distributed model where software applications are hosted by a vendor or cloud service provider and made available to customers over network resources. SaaS is a widely used and adopted form of cloud computing, with users most often needing an internet connection and access credentials to have full use of the cloud service, application and data. SaaS has many benefits for organizations, which include but are not limited to:
- Ease of use and limited/minimal administration.
- Automatic updates and patch management. The user will always be running the latest version and most up-to-date deployment of the software release, as well as any relevant security updates, with no manual patching required.
- Standardization and compatibility. All users will have the same version of the software release.
Prachi works as a database administrator for Triffid, Inc. Prachi is allowed to add or delete users, but is not allowed to read or modify the data in the database itself. When Prachi logs onto the system, an access control list (ACL) checks to determine which permissions Prachi has. In this situation, what is Prachi? (D3, L3.1.1) Question options: A) The subject B) The rule C) The file D) The object
A is correct. In this situation, Prachi is the subject in the subject-object-rule relationship. Prachi manipulates the database; this makes Prachi the subject. B and D are incorrect, because Prachi is the subject in this situation. C is incorrect, because Prachi is not, and never will be, a file.
A device typically accessed by multiple users, often intended for a single purpose, such as managing email or web pages. (D4.1 L4.1.1) Question options: A) Router B) Switch C) Server D) Laptop
A server typically offers a specific service, such as hosting web pages or managing email, and is often accessed by multiple users. C is the correct answer. A and B are incorrect; routers and switches are used to vector network traffic, not to provide specific services. D is incorrect; a laptop is typically only assigned to a single user.
Prachi works as a database administrator for Triffid, Inc. Prachi is allowed to add or delete users, but is not allowed to read or modify the data in the database itself. When Prachi logs onto the system, an access control list (ACL) checks to determine which permissions Prachi has. Which security concept is being applied in this situation? (D3, L3.1.1) Question options: A) Defense in depth B) Layered defense C) Two-person integrity D) Least privilege
D is correct. This is an example of least privilege; Prachi needs to be able to add or delete users from the database in order to perform as a database administrator, but does not need to view or modify the data in the database itself in order to perform the job. A and B are incorrect; "defense in depth" and "layered defense" are two terms that mean the same thing: multiple (and multiple types of) overlapping controls to protect assets. Nothing in the question describes multiple controls. C is incorrect; no second person is involved in Prachi's activity.
Handel is a senior manager at Triffid, Inc., and is in charge of implementing a new access control scheme for the company. Handel wants to ensure that operational managers have the utmost personal choice in determining which employees get access to which systems/data. Which method should Handel select? (D3, L3.3.1) Question options: A) Role-based access controls (RBAC) B) Mandatory access controls (MAC) C) Discretionary access controls (DAC) D) Security policy
DAC gives managers the most choice in determining which employees get access to which assets. C is the correct answer. A and B are incorrect; RBAC and MAC do not offer the same kind of flexibility that DAC does. D is incorrect; "security policy" is too broad and vague to be applicable; C is the better answer.
Ludwig is a security analyst at Triffid, Inc. Ludwig notices network traffic that might indicate an attack designed to affect the availability of the environment. Which of the following might be the attack Ludwig sees? (D4.2 L4.2.1) Question options: A) DDOS (distributed denial of service) B) Spoofing C) Exfiltrating stolen data D) An insider sabotaging the power supply
DDOS is an availability attack, often typified by recognizable network traffic; either too much traffic to be processed normally, or malformed traffic. A is the correct answer. B and C are incorrect, because in both these kinds of attacks, the attacker wants the IT environment to continue working properly—if the attacker shut down the environment, the attacker wouldn't be able to use spoofed credentials or exfiltrate stolen data. D is incorrect, because loss of power is not recognized by network traffic, it is recognized by lack of functionality.
Inbound traffic from an external source seems to indicate much higher rates of communication than normal, to the point where the internal systems might be overwhelmed. Which security solution can often identify and potentially counter this risk? (D4.2 L4.2.2) Question options: A) Firewall B) Turnstile C) Anti-malware D) Badge system
Firewalls can often identify hostile inbound traffic, and potentially counter it. A is the correct answer. B and D are incorrect; these are physical controls and aren't effective in identifying/countering communications attacks. C is incorrect; anti-malware is not typically useful in countering attacks that employ excess traffic as an attack mechanism.
Gary is an attacker. Gary is able to get access to the communication wire between Dauphine's machine and Linda's machine and can then surveil the traffic between the two when they're communicating. What kind of attack is this? (D4.2 L4.2.1) Question options: A) Side channel B) DDOS C) On-path D) Physical
This is a textbook example of an on-path attack, where the attackers insert themselves between communicating parties. C is the correct answer. A is incorrect; a side channel attack is entirely passive, and typically does not include surveilling actual data (it instead surveils operational activity, such as changes in power usage, emissions and so forth). B is incorrect; a DDOS attack involves multiple machines flooding the target to overwhelm the target; Gary is neither shutting down the target nor using multiple devices in the attack. D is incorrect; a physical attack involves tangible materials. An example of a physical attack would be Gary cutting the wire between Linda and Dauphine, so that they could not communicate.
Phrenal is selling a used laptop in an online auction. Phrenal has estimated the value of the laptop to be $100, but has seen other laptops of similar type and quality sell for both more and less than that amount. Phrenal hopes that the laptop will sell for $100 or more, but is prepared to take less for it if nobody bids that amount. This is an example of ___________. (D1, L1.2.2) Question options: A) Risk tolerance B) Risk inversion C) Threat D) Vulnerability
A is correct. Phrenal has decided there is an acceptable level of risk associated with the online sale of the laptop; this is within Phrenal's risk tolerance. B is incorrect; "risk inversion" is a term with no actual meaning, and is used here only as a distractor. C is incorrect; a threat is something or someone that poses risk—the sale of the laptop does not pose risk to Phrenal, only a lesser or greater benefit. D is incorrect; the sale of the laptop is not an avenue of attack against Phrenal.
Hoshi is an (ISC)2 member who works for the Triffid Corporation as a data manager. Triffid needs a new firewall solution, and Hoshi is asked to recommend a product for Triffid to acquire and implement. Hoshi's cousin works for a firewall vendor; that vendor happens to make the best firewall available. What should Hoshi do? (D1, L1.5.1) Question options: A) recommend a different vendor/product B) recommend the cousin's product C) Hoshi should ask to be recused from the task D) disclose the relationship, but recommend the vendor/product
D is the best answer. According to the third Canon of the ISC2 Code of Ethics, members are required to "provide diligent and competent service to principals." Hoshi's principal here is Triffid, Hoshi's employer. It would be inappropriate for Hoshi to select the cousin's product solely based upon the family relationship; however, if the cousin's product is, in fact, the best choice for Triffid, then Hoshi should recommend that product. In order to avoid any appearance of impropriety or favoritism, Hoshi needs to declare the relationship when making the recommendation.
