ISC2 CC Exam Questions
Security needs to be provided to ____ data. (D5.1, L5.1.1) A)Restricted B)Illegal C)Private D)All
D is the correct answer. All data needs some form of security; even data that is not sensitive (such as data intended for public view) needs protection to ensure availability. A, B and C are incorrect; all data needs some form of security protection.
The organization should keep a copy of every signed Acceptable Use Policy (AUP) on file, and issue a copy to _______. (D5.3, L5.3.1) A)The user who signed it B)The regulators overseeing that industry C)Lawmakers D)The Public Relations office
The AUP is an agreement between the user and the organization, so both parties need to keep a copy of it. A is the correct answer. B, C and D are incorrect; those entities are not party to the agreement, and should therefore not receive a copy.
Which of the following is often associated with DR planning? (D2, L 2.3.1) A)Checklists B)Firewalls C)Motion detectors D)Non-repudiation
A) Both BC and DR activities typically include checklists for the people participating in the effort.
"Wiring _____" is a common term meaning "a place where wires/conduits are often run, and equipment can be placed, in order to facilitate the use of local networks." (D4.3 L4.3.1) A)Shelf B)Closet C)Bracket D)House
"Wiring closet" is the common term used to described small spaces, typically placed on each floor of a building, where IT infrastructure can be placed. A, C and D are incorrect; these are not common terms used in this manner.
A bollard is a post set securely in the ground in order to prevent a vehicle from entering an area or driving past a certain point. Bollards are an example of ______ controls. (D1, L1.3.1) A)Physical B)Administrative C)Drastic D)Technical
A is correct. A bollard is a tangible object that prevents a physical act from occurring; this is a physical control. B and D are incorrect because the bollard is a physical control, not administrative or technical. C is incorrect: "drastic" is not a term commonly used to describe a particular type of security control, and is used here only as a distractor.
All of the following are typically perceived as drawbacks to biometric systems, except: (D3, L3.2.1) A)Lack of accuracy B)Potential privacy concerns C)Retention of physiological data past the point of employment D)Legality
A is correct. Biometric systems can be extremely accurate, especially when compared with other types of access controls. B, C and D are all potential concerns when using biometric data, so those answers are incorrect in this context.
Prachi works as a database administrator for Triffid, Inc. Prachi is allowed to add or delete users, but is not allowed to read or modify the data in the database itself. When Prachi logs onto the system, an access control list (ACL) checks to determine which permissions Prachi has. In this situation, what is the database? (D3, L3.1.1) A)The object B)The rule C)The subject D)The site
A is correct. Prachi is manipulating the database, so the database is the object in the subject-object-rule relationship in this case. B and C are incorrect, because the database is the object in this situation. D is incorrect because "site" has no meaning in this context.
A device typically accessed by multiple users, often intended for a single purpose, such as managing email or web pages. (D4.1 L4.1.1) A)Router B)Switch C)Server D)Laptop
A server typically offers a specific service, such as hosting web pages or managing email, and is often accessed by multiple users. C is the correct answer. A and B are incorrect; routers and switches are used to vector network traffic, not to provide specific services. D is incorrect; a laptop is typically only assigned to a single user.
Data retention periods apply to ____ data. (D5.1, L5.1.1) A)Medical B)Sensitive C)All D)Secret
All data should have specific retention periods (even though retention periods may differ for various types of data). C is the correct answer. A, B and D are incorrect; retention periods affect all data
For biometric security to function properly, an authorized person's physiological data must be ______. (D3, L3.2.1) A)Broadcast B)Stored C)Deleted D)Modified
B is correct. A biometric security system works by capturing and recording a physiological trait of the authorized person and storing it for comparison whenever that person presents the same trait in the future. A is incorrect; access control information should not be broadcast. C is incorrect; if all biometric data is erased, the data cannot be used for comparison purposes to grant access later. D is incorrect; biometric data should not be modified, or it may become useless for comparison purposes.
The Triffid Corporation publishes a policy that states all personnel will act in a manner that protects health and human safety. The security office is tasked with writing a detailed set of processes on how employees should wear protective gear such as hardhats and gloves when in hazardous areas. This detailed set of processes is a _________. (D1, L1.4.1) A)Policy B)Procedure C)Standard D)Law
B is correct. A detailed set of processes used by a specific organization is a procedure. A is incorrect; the policy is the overarching document that requires the procedure be created and implemented. C is incorrect. The procedure is not recognized and implemented throughout the industry; it is used internally. D is incorrect; the procedure was created by Triffid Corporation, not a governmental body.
What is the overall objective of a disaster recovery (DR) effort? (D2, L2.3.1) A)Save money B)Return to normal, full operations C)Preserve critical business functions during a disaster D)Enhance public perception of the organization
B is correct. DR efforts are intended to return the organization to normal, full operations. A is incorrect; DR is often quite expensive, and not a cost-saving measure. C is incorrect; this is the goal of business continuity (BC) efforts. D is incorrect; DR efforts are intended to return the organization to normal, full operations, not enhance public perception.
Chad is a security practitioner tasked with ensuring that the information on the organization's public website is not changed by anyone outside the organization. This task is an example of ensuring _________. (D1, L1.1.1) A)Confidentiality B)Integrity C)Availability D)Confirmation
B is correct. Preventing unauthorized modification is the definition of integrity. A is incorrect because the website is not meant to be secret; it is open to the public. C is incorrect because Chad is not tasked with ensuring the website is accessible, only that the information on it is not changed. D is incorrect because "confirmation" is not a typical security term, and is used here only as a distractor.
Siobhan is an (ISC)² member who works for Triffid Corporation as a security analyst. Yesterday, Siobhan got a parking ticket while shopping after work. What should Siobhan do? (D1, L1.5.1) A)Inform (ISC)² B)Pay the parking ticket C)Inform supervisors at Triffid D)Resign employment from Triffid
B is the best answer. A parking ticket is not a significant crime, besmirchment of character or moral failing, and has nothing to do with Siobhan's duties for Triffid. Even though the (ISC)² Code of Ethics requires that members act "legally," and "protect the profession," a parking ticket does not reflect poorly on Siobhan, Triffid, (ISC)², or the security profession. Siobhan should, however, pay the ticket.
The senior leadership of Triffid Corporation decides that the best way to minimize liability for the company is to demonstrate the company's commitment to adopting best practices recognized throughout the industry. Triffid management issues a document that explains that Triffid will follow the best practices published by SANS, an industry body that addresses computer and information security. The Triffid document is a ______, and the SANS documents are ________. (D1, L1.4.2) A)Law, policy B)Policy, standard C)Policy, law D)Procedure, procedure
B is the correct answer. The Triffid document is a strategic, internal rule published by senior management; this is a policy. The SANS documents are industry best practices recognized globally; these are standards. A and C are incorrect, because neither document was issued by a governmental body, so they are not laws. D is incorrect because neither document is a detailed set of instructions, so they are not procedures.
Jengi is setting up security for a home network. Jengi decides to configure MAC address filtering on the router, so that only specific devices will be allowed to join the network. This is an example of a(n)_______ control. (D1, L1.3.1) A)Physical B)Administrative C)Substantial D)Technical
D This is a difficult question, because it may seem as if there are two possible answers: the router enforces a set of rules as to which MAC addresses may be included on the network, so that sounds like an administrative control. However, the router is an IT system, so that seems as if it is a technical control. In fact, it is considered the latter. In general, it is best to consider the matter this way: if it has a power cord, or electricity running through it, it's a technical control. So D is the correct answer. A is incorrect; while the router is a tangible object, it does not act on the physical realm, affecting other tangible objects; it's an electronic device that is part of the IT environment. C is incorrect; "substantial" is not a term commonly used to describe a particular type of security control, and is used here only as a distractor.
The city of Grampon wants to know where all its public vehicles (garbage trucks, police cars, etc.) are at all times, so the city has GPS transmitters installed in all the vehicles. What kind of control is this? (D1, L1.3.1) A)Administrative B)Entrenched C)Physical D)Technical
D is correct. A GPS unit is part of the IT environment, so this is a technical control. A is incorrect. The GPS unit itself is not a rule or a policy or a process; it is part of the IT environment, so D is a better answer. B is incorrect; "entrenched" is not a term commonly used to describe a particular type of security control, and is used here only as a distractor. C is incorrect; while a GPS unit is a tangible object, it is also part of the IT environment, and it does not interact directly with other physical objects in order to prevent action, so "technical" is a better descriptor, and D is a better answer.
Prachi works as a database administrator for Triffid, Inc. Prachi is allowed to add or delete users, but is not allowed to read or modify the data in the database itself. When Prachis logs onto the system, an access control list (ACL) checks to determine which permissions Prachi has. Which security concept is being applied in this situation? (D3, L3.1.1) A)Defense in depth B)Layered defense C)Two-person integrity D)Least privilege
D is correct. This is an example of least privilege; Prachi needs to be able to add or delete users from the database in order to perform as a database administrator, but does not need to view or modify the data in the database itself in order to perform the job. A and B are incorrect; "defense in depth" and "layered defense" are two terms that mean the same thing: multiple (and multiple types of) overlapping controls to protect assets. Nothing in the question describes multiple controls. C is incorrect; no second person is involved in Prachi's activity.
Log data should be kept ______. (D5.1, L5.1.2) A)On the device that the log data was captured from B)In an underground bunker C)In airtight containers D)On a device other than where it was captured
D is the correct answer. Log data can often be useful in diagnosing or investigating the device it was captured from; it is therefore useful to store the data away from the device where it was harvested, in case something happens to the source device. A is incorrect; if something happens to the source machine, the log data may be affected if it is stored on the source. B is incorrect; log data may be stored underground, aboveground, underwater, in the sky, or in orbit, as long as it is stored securely. C is incorrect; airtight seals do not affect log data positively or negatively.
When responding to a security incident, your team determines that the vulnerability that was exploited was not widely known to the security community, and that there are no currently known definitions/listings in common vulnerability databases or collections. This vulnerability and exploit might be called ______. (D2, L 2.1.1) A)Malware B)Critical C)Fractal D)Zero-day
D) A zero-day exploit is an attack using a vulnerability that is not widely known in the industry at the time of discovery.
Which of these components is very likely to be instrumental to any disaster recovery (DR) effort? (D2, L2.3.1) A)Routers B)Laptops C)Firewalls D)Backups
D) Backups are often crucial in DR efforts, so that the normal production environment can be restored.
A device that filters network traffic in order to enhance overall security/performance. (D4.1 L4.1.1) A)Endpoint B)Laptop C)MAC (media access control) D)Firewall
Firewalls filter traffic in order to enhance the overall security or performance of the network, or both. D is the correct answer. A is incorrect; "endpoint" is the term used to describe a device involved in a networked communication, at either "end" of a conversation. B is incorrect; laptops are not typically employed to filter network traffic. C is incorrect; MAC is the physical address of a device on a network.
Triffid, Inc., has many remote workers who use their own IT devices to process Triffid's information. The Triffid security team wants to deploy some sort of sensor on user devices in order to recognize and identify potential security issues. Which of the following is probably most appropriate for this specific purpose? (D4.2 L4.2.2) A)HIDS (host-based intrusion-detection systems) B)NIDS (network-based intrusion-detection systems) C)LIDS (logistical intrusion-detection systems) D)Firewalls
Host-based intrusion-detection systems are expressly designed for this purpose; each HIDS is installed on each endpoint machine. A is the correct answer. B is incorrect; NIDS are useful for monitoring internal traffic, but a HIDS would be better for distributed users/devices. C is incorrect; LIDS is not a term standard within our industry, and was just made up and used here as a distractor. D is incorrect; firewalls limit traffic, and can be used to identify potential threats, but a HIDS is specifically intended for this purpose.
An IoT (Internet of Things) device is typified by its effect on or use of the _____ environment. (D4.3 L4.3.3) A)Philosophical B)Remote C)Internal D)Physical
IoT devices typically have some interaction with the physical realm, either by having some physical effect (a vacuum cleaner, refrigerator, light) or by monitoring the physical environment itself (a camera, sensor, etc.). A, B and C are incorrect; IoT is typified by effects on or use of the physical environment.
Every document owned by Triffid, Inc., whether hardcopy or electronic, has a clear, 24-point word at the top and bottom. Only three words can be used: "Sensitive," "Proprietary" and "Public." This is an example of _____. (D5.1, L5.1.1) A)Secrecy B)Privacy C)Inverting D)Labeling
Labeling is the practice of annotating assets with classification markings. D is the correct answer. A is incorrect; "secrecy" is too broad a term in this context, and not accurate—the markings are visible. B is incorrect; privacy is associated with information that identifies a specific person (or specific people). C is incorrect; this term has no meaning in this context, and is used here only as a distractor.
Gary is unable to log in to the production environment. Gary tries three times and is then locked out of trying again for one hour. Why? (D3, L3.3.1) A)Gary is being punished B)The network is tired C)Users remember their credentials if they are given time to think about it D)Gary's actions look like an attack
Repeated login attempts can resemble an attack on the network; attackers might try to log in to a user's account multiple times, using different credentials, in a short time period, in an attempt to determine the proper credentials. D is correct. A is incorrect; security policies and processes are not intended to punish employees. B is incorrect; IT systems do not get tired. C is incorrect; the delay is not designed to help users remember credentials.
Which of the following statements is true? (D3, L3.3.1) A)Logical access controls can protect the IT environment perfectly; there is no reason to deploy any other controls B)Physical access controls can protect the IT environment perfectly; there is no reason to deploy any other controls C)Administrative access controls can protect the IT environment perfectly; there is no reason to deploy any other controls D)It is best to use a blend of controls in order to provide optimum security
The use of multiple types of controls enhances overall security. D is correct. A, B and C are all incorrect, because no single type of control can provide adequate protection of an environment.
Gary is an attacker. Gary is able to get access to the communication wire between Dauphine's machine and Linda's machine and can then surveil the traffic between the two when they're communicating. What kind of attack is this? (D4.2 L4.2.1) A)Side channel B)DDOS C)On-path D)Physical
This is a textbook example of an on-path attack, where the attackers insert themselves between communicating parties. C is the correct answer. A is incorrect; a side channel attack is entirely passive, and typically does not include surveilling actual data (it instead surveils operational activity, such as changes in power usage, emissions and so forth). B is incorrect; a DDOS attack involves multiple machines flooding the target to overwhelm the target; Gary is neither shutting down the target nor using multiple devices in the attack. D is incorrect; a physical attack involves tangible materials. An example of a physical attack would be Gary cutting the wire between Linda and Dauphine, so that they could not communicate.
Gelbi is a Technical Support analyst for Triffid, Inc. Gelbi sometimes is required to install or remove software. Which of the following could be used to describe Gelbi's account? (D3, L3.1.1) A)Privileged B)Internal C)External D)User
A is Correct. This is the description of a privileged account; an account that typically needs greater permissions than a basic user. B and C are incorrect; the question does not specify whether Gelbi connects to the environment from within the network, or from outside. D is incorrect; this is too vague—Gelbi is a user, but has permissions that are typically greater than what basic users have.
Triffid Corporation has a policy that all employees must receive security awareness instruction before using email; the company wants to make employees aware of potential phishing attempts that the employees might receive via email. What kind of control is this instruction? (D1, L1.3.1) A)Administrative B)Finite C)Physical D)Technical
A is correct. Both the policy and the instruction are administrative controls; rules and governance are administrative. B is incorrect; "finite" is not a term commonly used to describe a particular type of security control, and is used here only as a distractor. C is incorrect; training is not a tangible object, so this is not a physical control. D is incorrect; training is not part of the IT environment, so it is not a technical control.
Guillermo logs onto a system and opens a document file. In this example, Guillermo is: (D3, L3.1.1) A)The subject B)The object C)The process D)The software
A is correct. Guillermo is the subject in this example. B is incorrect; in this example, the file is the object. C is incorrect; in this example, the process is logging on and opening the file. D is incorrect; in this example, the application used to open the file is the software.
Prachi works as a database administrator for Triffid, Inc. Prachi is allowed to add or delete users, but is not allowed to read or modify the data in the database itself. When Prachi logs onto the system, an access control list (ACL) checks to determine which permissions Prachi has. In this situation, what is Prachi? (D3, L3.1.1) A)The subject B)The rule C)The file D)The object
A is correct. In this situation, Prachi is the subject in the subject-object-rule relationship. Prachi manipulates the database; this makes Prachi the subject. B and D are incorrect, because Prachi is the subject in this situation. C is incorrect, because Prachi is not, and never will be, a file.
A system that collects transactional information and stores it in a record in order to show which users performed which actions is an example of providing ________. (D1, L1.1.1) A)Non-repudiation B)Multifactor authentication C)Biometrics D)Privacy
A is correct. Non-repudiation is the concept that users cannot deny they have performed transactions that they did, in fact, conduct. A system that keeps a record of user transactions provides non-repudiation. B and C are incorrect because nothing in the question referred to authentication at all. D is incorrect because non-repudiation does not support privacy (if anything, non-repudiation and privacy are oppositional).
Phrenal is selling a used laptop in an online auction. Phrenal has estimated the value of the laptop to be $100, but has seen other laptops of similar type and quality sell for both more and less than that amount. Phrenal hopes that the laptop will sell for $100 or more, but is prepared to take less for it if nobody bids that amount. This is an example of ___________. (D1, L1.2.2) A)Risk tolerance B)Risk inversion C)Threat D)Vulnerability
A is correct. Phrenal has decided there is an acceptable level of risk associated with the online sale of the laptop; this is within Phrenal's risk tolerance. B is incorrect; "risk inversion" is a term with no actual meaning, and is used here only as a distractor. C is incorrect; a threat is something or someone that poses risk—the sale of the laptop does not pose risk to Phrenal, only a lesser or greater benefit. D is incorrect; the sale of the laptop is not an avenue of attack against Phrenal.
What is the risk associated with resuming full normal operations too soon after a DR effort? (D2, L2.3.1) A)The danger posed by the disaster might still be present B)Investors might be upset C)Regulators might disapprove D)The organization could save money
A is correct. Resuming full normal operations too soon after a disaster might mean personnel are put in danger by whatever effects the disaster caused. B and C are incorrect because the feelings of investors and regulators are not the primary concern of DR efforts. D is incorrect; saving money is not a risk, it is a benefit.
Sophia is visiting Las Vegas and decides to put a bet on a particular number on a roulette wheel. This is an example of _________. (D1, L1.2.2) A)Acceptance B)Avoidance C)Mitigation D)Transference
A is correct. Sophia is accepting the risk that the money will be lost, even though the likelihood is high; Sophia has decided that the potential benefit (winning the bet), while low in likelihood, is worth the risk. B is incorrect; if Sophia used avoidance, Sophia would not place the bet. C is incorrect; mitigation involves applying a control to reduce the risk. There is no practical (or legal) way to reduce the risk that Sophia will lose the bet. D is incorrect; if Sophia wanted to transfer the risk, Sophia might ask some friends to each put up a portion of the bet, so that they would all share the loss (or winnings) from the bet.
Which of the following is likely to be included in the business continuity plan? (D2, L2.2.1) A)Alternate work areas for personnel affected by a natural disaster B)The organization's strategic security approach C)Last year's budget information D)Log data from all systems
A is correct. The business continuity plan should include provisions for alternate work sites, if the primary site is affected by an interruption, such as a natural disaster. B is incorrect; the organization's strategic security approach should be included in the organization's security policy. C is incorrect; budgetary information is not typically included in the business continuity plan. D is incorrect; log data is not typically included in the business continuity plan.
Olaf is a member of (ISC)² and a security analyst for Triffid Corporation. During an audit, Olaf is asked whether Triffid is currently following a particular security practice. Olaf knows that Triffid is not adhering to that standard in that particular situation, but that saying this to the auditors will reflect poorly on Triffid. What should Olaf do? (D1, L1.5.1) A)Tell the auditors the truth B)Ask supervisors for guidance C)Ask (ISC)² for guidance D)Lie to the auditors
A is the best answer. The (ISC)² Code of Ethics requires that members "act honorably, honestly, justly, responsibly" and also "advance and protect the profession." Both requirements dictate that Olaf should tell the truth to the auditors. While the Code also says that Olaf should "provide diligent and competent service to principals," and Olaf's principal is Triffid in this case, lying does not serve Triffid's best long-term interests, even if the truth has some negative impact in the short term.
Triffid Corporation has a rule that all employees working with sensitive hardcopy documents must put the documents into a safe at the end of the workday, where they are locked up until the following workday. What kind of control is the process of putting the documents into the safe? (D1, L1.3.1) A) Administrative B) Tangential C) Physical D) Technical
A is the correct answer. The process itself is an administrative control; rules and practices are administrative. The safe itself is physical, but the question asked specifically about process, not the safe, so C is incorrect. Neither the safe nor the process is part of the IT environment, so this is not a technical control; D is incorrect. B is incorrect; "tangential" is not a term commonly used to describe a particular type of security control, and is used here only as a distractor.
The Business Continuity effort for an organization is a way to ensure critical ______ functions are maintained during a disaster, emergency, or interruption to the production environment. (D2, L 2.2.1) A)Business B)Technical C)IT D)Financial
A) The Business Continuity effort is designed to ensure critical business functions continue during periods of potential interruption.
Which common cloud service model offers the customer the most control of the cloud environment? (D4.3 L4.3.2) A)Lunch as a service (LaaS) B)Infrastructure as a service (IaaS) C)Platform as a service (PaaS) D)Software as a service (SaaS)
B is correct; IaaS offers the customer the most control of the cloud environment, in terms of common cloud service models. A is incorrect; this is not a common cloud service model. C and D are incorrect; IaaS offers the customer more control than any other common cloud service model.
Archiving is typically done when _________. (D5.1, L5.1.1) A)Data is ready to be destroyed B)Data has lost all value C)Data is not needed for regular work purposes D)Data has become illegal
Archiving is the action of moving data from the production environment to long-term storage. C is the correct answer. A, B and C are incorrect. Archived data still has value and is not ready to be destroyed; it is just not used on a regular basis. Illegal data should not be in the environment at all.
In risk management concepts, a(n) ___________ is something or someone that poses risk to an organization or asset. (D1, L1.2.1) A)Fear B)Threat C)Control D)Asset
B is correct. A threat is something or someone that poses risk to the organization; this is the definition of a threat. A is incorrect because "fear" is not generally a term associated with risk management. C is incorrect; a control is something used to mitigate risk. D is incorrect; an asset is something of value, which may need protection.
True or False? Business continuity planning is a reactive procedure that restores business operations after a disruption occurs. A) True B) False
B is correct. Business continuity planning is proactive preparation for restoring operations after disruption. Members from across the organizations participate in the planning to ensure all systems, processes and operations are accounted for in the plan. A is incorrect; business continuity planning is a proactive procedure to prepare for the restoration of operations after disruption.
Trina is a security practitioner at Triffid, Inc. Trina has been tasked with selecting a new product to serve as a security control in the environment. After doing some research, Trina selects a particular product. Before that product can be purchased, a manager must review Trina's selection and determine whether to approve the purchase. This is a description of: (D3, L3.1.1) A)Two-person integrity B)Segregation of duties C)Software D)Defense in depth
B is correct. Segregation of duties, also called separation of duties, is used to reduce the potential for corruption or fraud within the organization. More than one person must be involved in a given process in order to complete that process. A is incorrect; Trina and the manager are not both required to be present for the transaction. C is incorrect; software is a term used to describe programs and applications. D is incorrect; defense in depth is the use of multiple (and multiple types of) overlapping security controls to protect assets.
Who approves the incident response policy? (D2, L2.1.1) A)(ISC)² B)Senior management C)The security manager D)Investors
B is correct. The organization's senior management are the only entities authorized to accept risk on behalf of the organization, and therefore all organizational policies must be approved by senior management. A is incorrect; (ISC)² has no authority over individual organizations. C is incorrect; the security manager will likely be involved in crafting and implementing the policy, but only senior management can approve it. D is incorrect; investors leave policy review and approval to senior management.
What is the goal of an incident response effort? (D2, L2.1.1) A)No incidents ever happen B)Reduce the impact of incidents on operations C)Punish wrongdoers D)Save money
B is correct. The overall incident response effort is to reduce the impact incidents might have on the organization's operations. A is incorrect; there is no such thing as "zero risk" or "100% security." C is incorrect; security practitioners are neither law enforcers nor superheroes. D is incorrect; incident response efforts may actually cost the organization more money than the impact of a given incident or set of incidents - "impact" can be measured in other ways than monetary results.
A vendor sells a particular operating system (OS). In order to deploy the OS securely on different platforms, the vendor publishes several sets of instructions on how to install it, depending on which platform the customer is using. This is an example of a ________. (D1, L1.4.2) A)Law B)Procedure C)Standard D)Policy
B is correct. This is a set of instructions to perform a particular task, so it is a procedure (several procedures, actually—one for each platform). A is incorrect; the instructions are not a governmental mandate. C is incorrect, because the instructions are particular to a specific product, not accepted throughout the industry. D is incorrect, because the instructions are not particular to a given organization.
Which of the following would be best placed in the DMZ of an IT environment? (D4.3 L4.3.3) A)User's workplace laptop B)Mail server C)Database engine D)SIEM log storage
B is correct; devices that must often interact with the external environment (such as a mail server) are typically best situated in the DMZ. A, C and D are incorrect; devices that contain sensitive or valuable information are typically best placed well inside the perimeter of the IT environment, away from the external world and the DMZ.
Carol is browsing the Web. Which of the following ports is she probably using? (D4, L4.1.2) A)12 B)80 C)247 D)999
B is the correct answer; port 80 is used for HTTP traffic, and HTTP is a Web-browsing protocol. A, C and D are incorrect; these ports are not used by Web browsers.
The section of the IT environment that is closest to the external world; where we locate IT systems that communicate with the Internet. (D4.3 L4.3.3) A)VLAN B)DMZ C)MAC D)RBAC
B is the correct answer; we often call this portion of the environment the "demilitarized zone." A is incorrect; a VLAN is a way to segment portions of the internal network. C is incorrect; MAC is the physical address of a given networked device. D is incorrect; RBAC is an access control model.
An external entity has tried to gain access to your organization's IT environment without proper authorization. This is an example of a(n) _________. (D2, L2.1.1) A)Exploit B)Intrusion C)Event D)Malware
B) An intrusion is an attempt, successful or otherwise, to gain unauthorized access.
True or False? The IT department is responsible for creating the organization's business continuity plan. (D2, L2.2.1) A) True B) False
B) Correct. Members from across the organization, not just IT, should participate in creating the BCP to ensure that all systems, processes and operations are accounted for in the plan.
Which of the following is very likely to be used in a disaster recovery (DR) effort? (D2, L 2.3.1) A)Guard dogs B)Data backups C)Contract personnel D)Anti-malware solutions
B) Restoring from backups is often very useful during a DR effort.
You are working in your organization's security office. You receive a call from a user who has tried to log in to the network several times with the correct credentials, with no success. This is an example of a(n)_______. (D2, L2.1.1) Question options: A)Emergency B)Event C)Policy D)Disaster
B) The user has reported that something measurable has occurred; at this point, we are not sure what it might be (if it is a normal occurrence, or something that poses adverse impact), so the best description is "event."
You are working in your organization's security office. You receive a call from a user who has tried to log in to the network several times with the correct credentials, with no success. After a brief investigation, you determine that the user's account has been compromised. This is an example of a(n)_______. (D2, L2.1.1) A)Risk management B)Incident detection C)Malware D)Disaster
B) The user's report and the subsequent identification of the problem constitute incident detection.
Of the following, which would probably not be considered a threat? (D1, L1.2.1) A)Natural disaster B)Unintentional damage to the system caused by a user C)A laptop with sensitive data on it D)An external attacker trying to gain unauthorized access to the environment
C is correct. A laptop, and the data on it, are assets, not threats. All the other answers are examples of threats, as they all have the potential to cause adverse impact to the organization and the organization's assets.
When should a business continuity plan (BCP) be activated? (D2, L2.2.1) A)As soon as possible B)At the very beginning of a disaster C)When senior management decides D)When instructed to do so by regulators
C is correct. A senior manager with the proper authority must initiate the BCP. A is incorrect; this answer has no context—there is no way to know when "as soon as possible" would be. B is incorrect; typically, it is impossible to determine the "beginning" of a disaster. D is incorrect; not all organizations are in regulated industries, and regulators do not supervise disaster response.
Kerpak works in the security office of a medium-sized entertainment company. Kerpak is asked to assess a particular threat, and he suggests that the best way to counter this threat would be to purchase and implement a particular security solution. This is an example of _______. (D1, L1.2.2) A)Acceptance B)Avoidance C)Mitigation D)Transference
C is correct. Applying a security solution (a type of control) is an example of mitigation. A is incorrect; if Kerpak suggested acceptance, then the threat, and the acceptance of the associated risk, only needs to be documented—no other action is necessary. B is incorrect; if Kerpak suggested avoidance, the course of action would be to cease whatever activity was associated with the threat. D is incorrect; if Kerpak suggested transference, this would involve forming some sort of risk-sharing relationship with an external party, such as an insurance underwriter.
To adequately ensure availability for a data center, it is best to plan for both resilience and _______ of the elements in the facility. (D4.3 L4.3.1) A)Uniqueness B)Destruction C)Redundancy D)Hue
C is correct. Availability is enhanced by ensuring that elements of the data center are replicated, in case any given individual element fails. A is incorrect; this is the opposite of redundancy—is any single element is unique, that could become a single point of failure and affect the overall operation. B is incorrect; while secure destruction is worth planning for, that will come at the end of the system life cycle and is not part of ensuring availability. D is incorrect; we generally don't care what color the elements of a data center are.
Data _____ is data left behind on systems/media after normal deletion procedures have been attempted. (D5.1, L5.1.1) A)Fragments B)Packets C)Remanence D)Residue
C is correct. Data remanence is the term used to describe data left behind on systems/media after normal deletion procedures have been attempted.
Prachi works as a database administrator for Triffid, Inc. Prachi is allowed to add or delete users, but is not allowed to read or modify the data in the database itself. When Prachi logs onto the system, an access control list (ACL) checks to determine which permissions Prachi has. In this situation, what is the ACL? (D3, L3.1.1) A)The subject B)The object C)The rule D)The firmware
C is correct. The ACL, in this case, acts as the rule in the subject-object-rule relationship. It determines what Prachi is allowed to do, and what Prachi is not permitted to do. A and B are incorrect, because the ACL is the rule in this case. D is incorrect, because firmware is not typically part of the subject-object-rule relationship, and the ACL is not firmware in any case.
A _____ is a record of something that has occurred. (D3, L3.2.1) A)Biometric B)Law C)Log D)Firewall
C is correct. This is a description of a log. A is incorrect; "biometrics" is a term used to describe access control systems that use physiological traits of individuals in order to grant/deny access. B is incorrect; laws are legal mandates. D is incorrect; a firewall is a device for filtering traffic.
The Payment Card Industry (PCI) Council is a committee made up of representatives from major credit card providers (Visa, Mastercard, American Express) in the United States. The PCI Council issues rules that merchants must follow if the merchants choose to accept payment via credit card. These rules describe best practices for securing credit card processing technology, activities for securing credit card information, and how to protect customers' personal data. This set of rules is a _____. (D1, L1.4.2) A)Law B)Policy C)Standard D)Procedure
C is correct. This set of rules is known as the Data Security Standard, and it is accepted throughout the industry. A is incorrect, because this set of rules was not issued by a governmental body. B is incorrect, because the set of rules is not a strategic, internal document published by senior leadership of a single organization. D is incorrect, because the set of rules is not internal to a given organization and is not limited to a single activity.
Which of the following is an example of a "something you are" authentication factor? (D1, L1.1.1) A)A credit card presented to a cash machine B)Your password and PIN C)A user ID D)A photograph of your face
D is correct. A facial photograph is something you are—your appearance. A is incorrect because a credit card is an example of an authentication factor that is something you have. B is incorrect because passwords and PINs are examples of authentication factors that are something you know. C is incorrect because a user ID is an identity assertion, not an authentication factor.
Which of the following is a biometric access control mechanism? (D3, L3.2.1) A)A badge reader B)A copper key C)A fence with razor tape on it D)A door locked by a voiceprint identifier
D is correct. A lock that opens according to a person's voice is a type of biometric access control. A, B and C are all access control mechanisms, but none of them are based on unique physiological characteristics of a person, so they are not biometric systems.
A software firewall is an application that runs on a device and prevents specific types of traffic from entering that device. This is a type of ________ control. (D1, L1.3.1) A)Physical B)Administrative C)Passive D)Technical
D is correct. A software firewall is a technical control, because it is a part of the IT environment. A is incorrect; a software firewall is not a tangible object that protects something. B is incorrect; a software firewall is not a rule or process. Without trying to confuse the issue, a software firewall might incorporate an administrative control: the set of rules which the firewall uses to allow or block particular traffic. However, answer D is a much better way to describe a software firewall. C is incorrect; "passive" is not a term commonly used to describe a particular type of security control, and is used here only as a distractor.
Larry and Fern both work in the data center. In order to enter the data center to begin their workday, they must both present their own keys (which are different) to the key reader, before the door to the data center opens. Which security concept is being applied in this situation? (D3, L3.1.1) A)Defense in depth B)Segregation of duties C)Least privilege D)Dual control
D is correct. This is an example of dual control, where two people, each with distinct authentication factors, must be present to perform a function. A is incorrect; defense in depth requires multiple controls protecting assets—there is no description of multiple controls in this situation. B is incorrect; in segregation of duties, the parts of a given transaction are split among multiple people, and the task cannot be completed unless each of them takes part. Typically, in segregation of duties, the people involved do not have to take part simultaneously; their actions can be spread over time and distance. This differs from dual control, where both people must be present at the same time. C is incorrect; the situation described in the question does not reduce the permissions of either person involved or limit their capabilities to their job function.
Which of the following is not an appropriate control to add to privileged accounts? (D3, L3.1.1) A)Increased logging B)Multifactor authentication C)Increased auditing D)Security deposit
D is correct. We typically do not ask privileged account holders for security deposits. A, B, and C are incorrect; those are appropriate controls to enact for privileged accounts.
Cheryl is browsing the Web. Which of the following protocols is she probably using? (D4, L4.1.2) A)SNMP (Simple Network Management Protocol) B)FTP (File Transfer Protocol) C)TFTP (Trivial File Transfer Protocol) D)HTTP (Hypertext Transfer Protocol)
D is correct; HTTP is designed for Web browsing. A, B and C are incorrect; these are not protocols designed to handle Web browsing.
A means to allow remote users to have secure access to the internal IT environment. (D4.3 L4.3.3) A)Internet B)VLAN C)MAC D)VPN
D is correct; a virtual private network protects communication traffic over untrusted media. A is incorrect; the internet is an untrusted medium. B is incorrect; VLANs are used to segment portions of the internal environment. C is incorrect; MAC is the physical address of a given networked device.
Ludwig is a security analyst at Triffid, Inc. Ludwig notices network traffic that might indicate an attack designed to affect the availability of the environment. Which of the following might be the attack Ludwig sees? (D4.2 L4.2.1) A)DDOS (distributed denial of service) B)Spoofing C)Exfiltrating stolen data D)An insider sabotaging the power supply
DDOS is an availability attack, often typified by recognizable network traffic; either too much traffic to be processed normally, or malformed traffic. A is the correct answer. B and C are incorrect, because in both these kinds of attacks, the attacker wants the IT environment to continue working properly—if the attacker shut down the environment, the attacker wouldn't be able to use spoofed credentials or exfiltrate stolen data. D is incorrect, because loss of power is not recognized by network traffic, it is recognized by lack of functionality.
A device that is commonly useful to have on the perimeter between two networks. (D4.3 L4.3.3) A)User laptop B)IoT C)Camera D)Firewall
Firewalls are often useful to monitor/filter traffic between two networks. D is correct. A and B are incorrect; these are typically located inside the perimeter of the internal environment. C is incorrect; cameras do not offer much benefit in monitoring communications traffic.
Inbound traffic from an external source seems to indicate much higher rates of communication than normal, to the point where the internal systems might be overwhelmed. Which security solution can often identify and potentially counter this risk? (D4.2 L4.2.2) A)Firewall B)Turnstile C)Anti-malware D)Badge system
Firewalls can often identify hostile inbound traffic, and potentially counter it. A is the correct answer. B and D are incorrect; these are physical controls and aren't effective in identifying/countering communications attacks. C is incorrect; anti-malware is not typically useful in countering attacks that employ excess traffic as an attack mechanism.
A tool that filters inbound traffic to reduce potential threats. (D4.2 L4.2.3) A)NIDS (network-based intrusion-detection systems) B)Anti-malware C)DLP (data loss prevention) D)Firewall
Firewalls typically filter traffic originating from outside the organization's IT environment. D is the correct answer. A is incorrect; NIDS typically monitor traffic within the production environment. B is incorrect; anti-malware solutions typically identify hostile software. C is incorrect; DLP solutions typically monitor outbound traffic.
The output of any given hashing algorithm is always _____. (D5.1, L5.1.3) A)The same length B)The same characters C)The same language D)Different for the same inputs
Hashing algorithms create output of a fixed length. A is the correct answer. B is incorrect; the characters in the output will change depending on the input. C is incorrect; hashing algorithms do not create output in any particular language—usually, the output is a mix of alphanumeric characters. D is incorrect; hash outputs should be the same when the same input is used.
Hashing is often used to provide _______. (D5.1, L5.1.3) A)Confidentiality B)Integrity C)Availability D)Value
Hashing is used for integrity checks. B is the correct answer. A, C and D are incorrect; hashing only provides integrity.
Security controls on log data should reflect ________. (D5.1, L5.1.2) A)The organization's commitment to customer service B)The local culture where the log data is stored C)The price of the storage device D)The sensitivity of the source device
Log data should be protected with security as high, or higher, than the security level of the systems or devices that log was captured from. D is the correct answer. A, B and C are incorrect; these are not qualities that dictate security level of protection on log data.
Logs should be reviewed ______. (D5.1, L5.1.2) A)Every Thursday B)Continually C)Once per calendar year D)Once per fiscal year
Log review should happen continually, in order to ensure detection efforts are optimized. B is the correct answer. A, C and D are incorrect; logs need to be reviewed on a continual basis.
Who dictates policy? (D5.3, L5.3.1) A)The security manager B)The Human Resources office C)Senior management D)Auditors
Only senior management has the legal and financial authority to issue policy and accept risk on behalf of the organization. C is the correct answer. A, B and D are incorrect; only senior management can issue policy.
Tekila works for a government agency. All data in the agency is assigned a particular sensitivity level, called a "classification." Every person in the agency is assigned a "clearance" level, which determines the classification of data each person can access. What is the access control model being implemented in Tekila's agency? (D3, L3.3.1) A)MAC (mandatory access control) B)DAC (discretionary access control) C)RBAC (role-based access control) D)FAC (formal access control)
This is an example of how MAC can be implemented. A is the correct answer. B is incorrect; in discretionary access control, operational managers are granted authority to determine which personnel have access to assets the manager controls. C is incorrect; in RBAC, personnel might not have clearance levels, and assets might not have classifications. D is incorrect; FAC is not a term used in this context, and is only included here as a distractor.
Suvid works at Triffid, Inc. When Suvid attempts to log in to the production environment, a message appears stating that Suvid has to reset the password. What may have occurred to cause this? A)Suvid broke the law B)Suvid's password has expired C)Suvid made the manager angry D)Someone hacked Suvid's machine
Typically, users are required to reset passwords when the password has reached a certain age. Permanent passwords are more likely to be compromised or revealed. B is the correct answer. A, C and D are incorrect; these are not likely reasons to require password refresh.
A VLAN is a _____ method of segmenting networks. (D4.3 L4.3.3) A)Secret B)Physical C)Regulated D)Logical
VLANs use logical mechanisms to segment networks. D is the correct answer. A, B and C are incorrect; VLANs use logical mechanisms to segment networks.
______ is used to ensure that configuration management activities are effective and enforced. (D5.2, L5.2.1) A)Inventory B)Baseline C)Identification D)Verification and audit
Verification and audit are methods we use to review the IT environment to ensure that configuration management activities have taken place and are achieving their intended purpose. D is the correct answer. A, B and C are incorrect; while these are terms related to configuration management, the answer is verification and audit.