ITM 450 Domain 7
19. Security administrators are regularly monitoring threat feeds and using that information to check systems within the network. Their goal is to discover any infections or attacks that haven't been detected by existing tools. What does this describe? (ch17) A. Threat hunting B. Threat intelligence C. Implementing the kill chain D. Using artificial intelligence
A. Threat hunting
7. What are the primary reasons attackers engage in thrill attacks? (Choose all that apply.) (ch19) A. Bragging rights B. Money from the sale of stolen documents C. Pride of conquering a secure system D. Retaliation against a person or organization
A. Bragging rights C. Pride of conquering a secure system
89. Darcy is a computer security specialist who is assisting with the prosecution of a hacker. The prosecutor requests that Darcy give testimony in court about whether, in her opinion, the logs and other records in a case are indicative of a hacking attempt. What type of evidence is Darcy being asked to provide? A. Expert opinion B. Direct evidence C. Real evidence D. Documentary evidence
A. Expert opinion
1. Mary is reviewing the availability controls for the system architecture shown here. What technology is shown that provides fault tolerance for the database servers? A. Failover cluster B. UPS C. Tape backup D. Cold site
A. Failover cluster
44. Which one of the following is an example of a computer security incident? (Select all that apply.) A. Failure of a backup to complete properly B. System access recorded in a log C. Unauthorized vulnerability scan of a file server D. Update of antivirus signatures
A. Failure of a backup to complete properly C. Unauthorized vulnerability scan of a file server
19. What combination of backup strategies provides the fastest backup restoration time? (ch18) A. Full backups and differential backups B. Partial backups and incremental backups C. Full backups and incremental backups D. Incremental backups and differential backups
A. Full backups and differential backups
24. Which of the following would normally be considered an example of a disaster when performing disaster recovery planning? (Select all that apply.) A. Hacking incident B. Flood C. Fire D. Terrorism
A. Hacking incident B. Flood C. Fire D. Terrorism
36. As the CIO of a large organization, Clara would like to adopt standard processes for managing IT activities. Which one of the following frameworks focuses on IT service management and includes topics such as change management, configuration management, and service-level agreements? A. ITIL B. PMBOK C. PCI DSS D. TOGAF
A. ITIL
87. Timber Industries recently got into a dispute with a customer. During a meeting with his account representative, the customer stood up and declared, "There is no other solution. We will have to take this matter to court." He then left the room. When does Timber Industries have an obligation to begin preserving evidence? A. Immediately B. Upon receipt of a notice of litigation from opposing attorneys C. Upon receipt of a subpoena D. Upon receipt of a court order
A. Immediately
88. Candace is designing a backup strategy for her organization's file server. She would like to perform a backup every weekday that has the smallest possible storage footprint. What type of backup should she perform? A. Incremental backup B. Full backup C. Differential backup D. Transaction log backup
A. Incremental backup
30. Beth is creating a new cybersecurity incident response team (CSIRT) and would like to determine the appropriate team membership. Which of the following groups would she normally include? (Select all that apply.) A. Information security B. Law enforcement C. Senior management D. Public affairs
A. Information security C. Senior management D. Public affairs
11. Which one of the following is a cloud-based service model that gives an organization the most control and requires the organization to perform all maintenance on operating systems and applications? (ch16) A. Infrastructure as a service (IaaS) B. Platform as a service (PaaS) C. Software as a service (SaaS) D. Public
A. Infrastructure as a service (IaaS)
72. Amanda is configuring her organization's firewall to implement egress filtering. Which one of the following traffic types should not be blocked by her organization's egress filtering policy? (Select all that apply.) A. Traffic rapidly scanning many IP addresses on port 22 B. Traffic with a broadcast destination C. Traffic with a source address from an external network D. Traffic with a destination address on an external network
A. Traffic rapidly scanning many IP addresses on port 22 B. Traffic with a broadcast destination C. Traffic with a source address from an external network
18. Lydia is processing access control requests for her organization. She comes across a request where the user does have the required security clearance, but there is no business justification for the access. Lydia denies this request. What security principle is she following? A. Need to know B. Least privilege C. Separation of duties D. Two-person control
A. Need to know
10. Jim would like to identify compromised systems on his network that may be participating in a botnet. He plans to do this by watching for connections made to known command-and-control servers. Which one of the following techniques would be most likely to provide this information if Jim has access to a list of known servers? A. NetFlow records B. IDS logs C. Authentication logs D. RFC logs
A. NetFlow records
15. How often should Gary and his team conduct a review of the privileged access that a user has to sensitive systems? (Select all that apply.) A. On a periodic basis B. When a user leaves the organization C. When a user changes roles D. On a daily basis
A. On a periodic basis B. When a user leaves the organization C. When a user changes roles
18. A security administrator wants to verify the existing systems are up to date with current patches. Of the following choices, what is the best method to ensure systems have the required patches? (ch16) A. Patch management system B. Patch scanner C. Penetration tester D. Fuzz tester
A. Patch management system
13. What step of the Electronic Discovery Reference Model ensures that information that may be subject to discovery is not altered? (ch19) A. Preservation B. Production C. Processing D. Presentation
A. Preservation
3. Which of the following is not a canon of the (ISC)2 Code of Ethics? (ch19) A. Protect your colleagues. B. Provide diligent and competent service to principals. C. Advance and protect the profession. D. Protect society.
A. Protect your colleagues.
13. The IT department routinely uses images when deploying new systems. Of the following choices, what is a primary benefit of using images? (ch16) A. Provides a baseline for configuration management B. Improves patch management response times C. Reduces vulnerabilities from unpatched systems D. Provides documentation for changes
A. Provides a baseline for configuration management
40. Anne wants to gather information about security settings as well as build an overall view of her organization's assets by gathering data about a group of Windows 10 workstations spread throughout her company. What Windows tool is best suited to this type of configuration management task? A. SCCM B. Group Policy C. SCOM D. A custom PowerShell script
A. SCCM
20. Administrators find that they are repeating the same steps to verify intrusion detection system alerts and perform more repetitive steps to mitigate well-known attacks. Of the following choices, what can automate these steps? (ch17) A. SOAR B. SIEM C. NIDS D. DLP
A. SOAR
47. Evan detects an attack against a server in his organization and examines the TCP flags on a series of packets, shown in the following diagram. What type of attack most likely took place? A. SYN flood B. Ping flood C. Smurf D. Fraggle
A. SYN flood
12. As Gary designs the program, he uses the matrix shown here. What principle of information security does this matrix most directly help enforce? A. Segregation of duties B. Aggregation C. Two-person control D. Defense in depth
A. Segregation of duties
35. Which one of the following types of agreements is the most formal document that contains expectations about availability and other performance parameters between a service provider and a customer? A. Service-level agreement (SLA) B. Operational-level agreement (OLA) C. Memorandum of understanding (MOU) D. Statement of work (SOW)
A. Service-level agreement (SLA)
7. You suspect an attacker has launched a fraggle attack on a system. You check the logs and filter your search with the protocol used by fraggle. What protocol would you use in the filter? (ch17) A. User Datagram Protocol (UDP) B. Transmission Control Protocol (TCP) C. Internet Control Message Protocol (ICMP) D. Security orchestration, automation, and response (SOAR)
A. User Datagram Protocol (UDP)
99b. Match each of the numbered terms with its correct lettered definition: Terms 2. Honeynet Definitions A. An intentionally designed vulnerability used to lure in an attacker B. A network set up with intentional vulnerabilities C. A system set up with intentional vulnerabilities D. A monitored network without any hosts
B. A network set up with intentional vulnerabilities
11. An administrator is implementing an intrusion detection system. Once installed, it will monitor all traffic and raise alerts when it detects suspicious traffic. Which of the following best describes this system? (ch17) A. A host-based intrusion detection system (HIDS) B. A network-based intrusion detection system (NIDS) C. A honeynet D. A network firewall
B. A network-based intrusion detection system (NIDS)
100a. Match each of the numbered types of recovery capabilities to their correct lettered definition: Terms 1. Hot site Definitions A. An organization that can provide on-site or off-site IT services in the event of a disaster B. A site with dedicated storage and real-time data replication, often with shared equipment that allows restoration of service in a very short time C. A site that relies on shared storage and backups for recovery D. A rented space with power, cooling, and connectivity that can accept equipment as part of a recovery effort
B. A site with dedicated storage and real-time data replication, often with shared equipment that allows restoration of service in a very short time
20. Which of the following actions are considered unacceptable and unethical according to RFC 1087, Ethics and the Internet? (ch19) A. Actions that compromise the privacy of classified information B. Actions that compromise the privacy of users C. Actions that disrupt organizational activities D. Actions in which a computer is used in a manner inconsistent with a stated security policy
B. Actions that compromise the privacy of users
81. Dylan believes that a database server in his environment was compromised using a SQL injection attack. Which one of the following actions would Dylan most likely take during the remediation phase of the attack? A. Rebuilding the database from backups B. Adding input validation to a web application C. Reviewing firewall logs D. Reviewing database logs
B. Adding input validation to a web application
61. Carla has worked for her company for 15 years and has held a variety of different positions. Each time she changed positions, she gained new privileges associated with that position, but no privileges were ever taken away. What concept describes the sets of privileges she has accumulated? A. Entitlement B. Aggregation C. Transitivity D. Isolation
B. Aggregation
16. Management wants to add an intrusion detection system (IDS) that will detect new security threats. Which of the following is the best choice? (ch17) A. A signature-based IDS B. An anomaly detection IDS C. An active IDS D. A network-based IDS
B. An anomaly detection IDS
14. You are replacing a failed switch. The configuration documentation for the original switch indicates a specific port needs to be configured as a mirrored port. Which of the following network devices would connect to this port? (ch17) A. An intrusion prevention system (IPS) B. An intrusion detection system (IDS) C. A honeypot D. A sandbox
B. An intrusion detection system (IDS)
5. Security administrators are reviewing all the data gathered by event logging. Which of the following best describes this body of data? (ch17) A. Identification B. Audit trails C. Authorization D. Confidentiality
B. Audit trails
10. Carl recently completed his organization's annual business continuity plan refresh and is now turning his attention to the disaster recovery plan. What output from the business continuity plan can he use to prepare the business unit prioritization task of disaster recovery planning? (ch18) A. Vulnerability analysis B. Business impact analysis C. Risk management D. Continuity planning
B. Business impact analysis
13. Gary is preparing to create an account for a new user and assign privileges to the HR database. What two elements of information must Gary verify before granting this access? A. Credentials and need to know B. Clearance and need to know C. Password and clearance D. Password and biometric scan
B. Clearance and need to know
6. A file server in your network recently crashed. An investigation showed that logs grew so much that they filled the disk drive. You decide to enable rollover logging to prevent this from happening again. Which of the following should you do first? (ch17) A. Configure the logs to overwrite old entries automatically. B. Copy existing logs to a different drive. C. Review the logs for any signs of attacks. D. Delete the oldest log entries.
B. Copy existing logs to a different drive.
48. Florian is building a disaster recovery plan for his organization and would like to determine the amount of time that a particular IT service may be down without causing serious damage to business operations. What variable is Florian calculating? A. RTO B. MTD C. RPO D. SLA
B. MTD
54. Which one of the following individuals poses the greatest risk to security in most well-defended organizations? A. Political activist B. Malicious insider C. Script kiddie D. Thrill attacker
B. Malicious insider
7. Colin is responsible for managing his organization's use of cybersecurity deception technologies. Which one of the following should he use on a honeypot system to consume an attacker's time while alerting administrators? A. Honeynet B. Pseudoflaw C. Warning banner D. Darknet
B. Pseudoflaw
20. Matt wants to ensure that critical network traffic from systems throughout his company is prioritized over web browsing and social media use at this company. What technology can he use to do this? A. VLANs B. QoS C. VPN D. ISDN
B. QoS
4. Adam is reviewing the fault-tolerance controls used by his organization and realizes that they currently have a single point of failure in the disks used to support a critical server. Which one of the following controls can provide fault tolerance for these disks? (ch18) A. Load balancing B. RAID C. Clustering D. HA pairs
B. RAID
15. Which of the following steps would be included in a change management process? (Choose three.) (ch16) A. Immediately implement the change if it will improve performance. B. Request the change. C. Create a rollback plan for the change. D. Document the change.
B. Request the change. C. Create a rollback plan for the change. D. Document the change.
12. During an operational investigation, what type of analysis might an organization undertake to prevent similar incidents in the future? (ch19) A. Forensic analysis B. Root cause analysis C. Network traffic analysis D. Fagan analysis
B. Root cause analysis
17. Your organization recently implemented a centralized application for monitoring. Which of the following best describes this? (ch17) A. SOAR B. SIEM C. HIDS D. Threat feed
B. SIEM
38. Joe wants to test a program he suspects may contain malware. What technology can he use to isolate the program while it runs? A. ASLR B. Sandboxing C. Clipping D. Process isolation
B. Sandboxing
83. What technique can application developers use to test applications in an isolated virtualized environment before allowing them on a production network? A. Penetration testing B. Sandboxing C. White-box testing D. Black-box testing
B. Sandboxing
15. You are a law enforcement officer and you need to confiscate a PC from a suspected attacker who does not work for your organization. You are concerned that if you approach the individual, they may destroy evidence. What legal avenue is most appropriate? (ch19) A. Consent agreement signed by employees B. Search warrant C. No legal avenue necessary D. Voluntary consent
B. Search warrant
Ann is a security professional for a midsize business and typically handles log analysis and security monitoring tasks for her organization. One of her roles is to monitor alerts originating from the organization's intrusion detection system. The system typically generates several dozen alerts each day, and many of those alerts turn out to be false alarms after her investigation. This morning, the intrusion detection system alerted because the network began to receive an unusually high volume of inbound traffic. Ann received this alert and began looking into the origin of the traffic. 66. Now that Ann understands that an attack has taken place that violates her organization's security policy, what term best describes what has occurred in Ann's organization? A. Security occurrence B. Security incident C. Security event D. Security intrusion
B. Security incident
56. When designing an access control scheme, Hilda set up roles so that the same person does not have the ability to provision a new user account and assign superuser privileges to an account. What information security principle is Hilda following? A. Least privilege B. Separation of duties C. Job rotation D. Security through obscurity
B. Separation of duties
92. Jerome is conducting a forensic investigation and is reviewing database server logs to investigate query contents for evidence of SQL injection attacks. What type of analysis is he performing? A. Hardware analysis B. Software analysis C. Network analysis D. Media analysis
B. Software analysis
7. Tonya is reviewing the flood risk to her organization and learns that their primary data center resides within a 100-year flood plain. What conclusion can she draw from this information? (ch18) A. The last flood of any kind to hit the area was more than 100 years ago. B. The odds of a flood at this level are 1 in 100 in any given year. C. The area is expected to be safe from flooding for at least 100 years. D. The last significant flood to hit the area was more than 100 years ago.
B. The odds of a flood at this level are 1 in 100 in any given year.
8. Toni responds to the desk of a user who reports slow system activity. Upon checking outbound network connections from that system, Toni notices a large amount of social media traffic originating from the system. The user does not use social media, and when Toni checks the accounts in question, they contain strange messages that appear encrypted. What is the most likely cause of this traffic? A. Other users are relaying social media requests through the user's computer. B. The user's computer is part of a botnet. C. The user is lying about her use of social media. D. Someone else is using the user's computer when she is not present.
B. The user's computer is part of a botnet.
9. Which of the following is one of the primary reasons an organization enforces a mandatory vacation policy? (ch16) A. To rotate job responsibilities B. To detect fraud C. To increase employee productivity D. To reduce employee stress levels
B. To detect fraud
2. What is the main purpose of a military and intelligence attack? (ch19) A. To attack the availability of military systems B. To obtain secret and restricted information from military or law enforcement sources C. To utilize military or intelligence agency systems to attack other, nonmilitary sites D. To compromise military systems for use in attacks against other systems
B. To obtain secret and restricted information from military or law enforcement sources
91. Sally is building a new server for use in her environment and plans to implement RAID level 1 as a storage availability control. What is the minimum number of physical hard disks that she needs to implement this approach? A. One B. Two C. Three D. Five
B. Two
27. Helen is implementing a new security mechanism for granting employees administrative privileges in the accounting system. She designs the process so that both the employee's manager and the accounting manager must approve the request before the access is granted. What information security principle is Helen enforcing? A. Least privilege B. Two-person control C. Job rotation D. Separation of duties
B. Two-person control
22. Staff from Susan's company often travel internationally and require connectivity to corporate systems for their work. Susan believes that these users may be targeted for corporate espionage activities because of the technologies that her company is developing and wants to include advice in the security training provided to international travelers. What practice should Susan recommend that they adopt for connecting to networks while they travel? A. Only connect to public WiFi. B. Use a VPN for all connections. C. Only use websites that support TLS. D. Do not connect to networks while traveling.
B. Use a VPN for all connections.
31. Sam is responsible for backing up his company's primary file server. He configured a backup schedule that performs full backups every Monday evening at 9 p.m. and differential backups on other days of the week at that same time. Files change according to the information shown in the following figure. How many files will be copied in Wednesday's backup? A. 2 B. 3 C. 5 D. 6
C. 5
8. What is the most important rule to follow when collecting evidence? (ch19) A. Do not turn off a computer until you photograph the screen. B. List all people present while collecting evidence. C. Avoid the modification of evidence during the collection process. D. Transfer all equipment to a secure storage location.
C. Avoid the modification of evidence during the collection process.
75. Which one of the following tools helps system administrators by providing a standard, secure template of configuration settings for operating systems and applications? A. Security guidelines B. Security policy C. Baseline configuration D. Running configuration
C. Baseline configuration
9. Bryn runs a corporate website and currently uses a single server, which is capable of handling the site's entire load. She is concerned, however, that an outage on that server could cause the organization to exceed its RTO. What action could she take that would best protect against this risk? (ch18) A. Install dual power supplies in the server. B. Replace the server's hard drives with RAID arrays. C. Deploy multiple servers behind a load balancer. D. Perform regular backups of the server.
C. Deploy multiple servers behind a load balancer.
77. During which phase of the incident response process would an analyst receive an intrusion detection system alert and verify its accuracy? A. Response B. Mitigation C. Detection D. Reporting
C. Detection
10. What type of evidence refers to written documents that are brought into court to prove a fact? (ch19) A. Best evidence B. Parol evidence C. Documentary evidence D. Testimonial evidence
C. Documentary evidence
55. Veronica is considering the implementation of a database recovery mechanism recommended by a consultant. In the recommended approach, an automated process will move database backups from the primary facility to an off-site location each night. What type of database recovery technique is the consultant describing? A. Remote journaling B. Remote mirroring C. Electronic vaulting D. Transaction logging
C. Electronic vaulting
84. Gina is the firewall administrator for a small business and recently installed a new firewall. After seeing signs of unusually heavy network traffic, she checked the intrusion detection system, which reported that a SYN flood attack was underway. What firewall configuration change can Gina make to most effectively prevent this attack? A. Block SYN from known IPs. B. Block SYN from unknown IPs. C. Enable SYN-ACK spoofing at the firewall. D. Disable TCP.
C. Enable SYN-ACK spoofing at the firewall.
16. A new CIO learned that an organization doesn't have a change management program. The CIO insists one be implemented immediately. Of the following choices, what is a primary goal of a change management program? (ch16) A. Personnel safety B. Allowing rollback of changes C. Ensuring that changes do not reduce security D. Auditing privilege access
C. Ensuring that changes do not reduce security
98. Brent is reviewing the controls that will protect his organization in the event of a sustained period of power loss. Which one of the following solutions would best meet his needs? A. Redundant servers B. Uninterruptible power supply (UPS) C. Generator D. RAID
C. Generator
3. Tim is configuring a privileged account management solution for his organization. Which one of the following is not a privileged administrative activity that should be automatically sent to a log of superuser actions? A. Purging log entries B. Restoring a system from backup C. Logging into a workstation D. Managing user accounts
C. Logging into a workstation
62. During what phase of the incident response process do administrators take action to limit the effect or scope of an incident? A. Detection B. Response C. Mitigation D. Recovery
C. Mitigation
45. Roland is a physical security specialist in an organization that has a large amount of expensive lab equipment that often moves around the facility. Which one of the following technologies would provide the most automation of an inventory control process in a cost-effective manner? A. IPS B. WiFi C. RFID D. Ethernet
C. RFID
2. Kevin is attempting to determine an appropriate backup frequency for his organization's database server and wants to ensure that any data loss is within the organization's risk appetite. Which one of the following security process metrics would best assist him with this task? (ch18) A. RTO B. MTD C. RPO D. MTBF
C. RPO
95. Gavin is the disaster recovery team leader for his organization, which is currently in the response phase of an incident that has severe customer impact. Gavin just received a phone call from a reporter asking for details on the root cause and an estimated recovery time. Gavin has this information at his fingertips. What should he do? A. Provide the information to the reporter. B. Request a few minutes to gather the information and return the call. C. Refer the matter to the public relations department. D. Refuse to provide any information.
C. Refer the matter to the public relations department.
33. Scott is responsible for disposing of disk drives that have been pulled from his company's SAN as they are retired. Which of the following options should he avoid if the data on the SAN is considered highly sensitive by his organization? A. Destroy them physically. B. Sign a contract with the SAN vendor that requires appropriate disposal and provides a certification process. C. Reformat each drive before it leaves the organization. D. Use a secure wipe tool like DBAN.
C. Reformat each drive before it leaves the organization.
78. Kevin is developing a continuous security monitoring strategy for his organization. Which one of the following is not normally used when determining assessment and monitoring frequency? A. Threat intelligence B. System categorization/impact level C. Security control operational burden D. Organizational risk tolerance
C. Security control operational burden
43. Tim is a forensic analyst who is attempting to retrieve information from a hard drive. It appears that the user attempted to erase the data, and Tim is trying to reconstruct it. What type of forensic analysis is Tim performing? A. Software analysis B. Media analysis C. Embedded device analysis D. Network analysis
B. Media analysis
26. Which one of the following is not an example of a backup tape rotation scheme? A. Grandfather/Father/Son B. Meet in the middle C. Tower of Hanoi D. Six Cartridge Weekly
B. Meet in the middle
74. You are performing an investigation into a potential bot infection on your network and want to perform a forensic analysis of the information that passed between different systems on your network and those on the internet. You believe that the information was likely encrypted. You are beginning your investigation after the activity concluded. What would be the best and easiest way to obtain the source of this information? A. Packet captures B. NetFlow data C. Intrusion detection system logs D. Centralized authentication records
B. NetFlow data
20. What type of disaster recovery plan test fully evaluates operations at the backup facility but does not shift primary operations responsibility from the main site? (ch18) A. Structured walk-through B. Parallel test C. Full-interruption test D. Simulation test
B. Parallel test
76. What type of disaster recovery test activates the alternate processing facility and uses it to conduct transactions but leaves the primary site up and running? A. Full interruption test B. Parallel test C. Checklist review D. Tabletop exercise
B. Parallel test
60. Brandon observes that an authorized user of a system on his network recently misused his account to exploit a system vulnerability against a shared server that allowed him to gain root access to that server. What type of attack took place? A. Denial-of-service B. Privilege escalation C. Reconnaissance D. Brute-force
B. Privilege escalation
53. You are working to evaluate the risk of flood to an area as part of a business continuity planning (BCP) effort. You consult the flood maps from the Federal Emergency Management Agency (FEMA). According to those maps, the area lies within a 200-year flood plain. What is the annualized rate of occurrence (ARO) of a flood in that region? A. 200 B. 0.01 C. 0.02 D. 0.005
D. 0.005
18. After a recent attack, management decided to implement an egress monitoring system that will prevent data exfiltration. Which of the following is the best choice? (ch17) A. An NIDS B. An NIPS C. A firewall D. A DLP system
D. A DLP system
13. After installing an application on a user's system, your supervisor told you to remove it because it is consuming most of the system's resources. Which of the following prevention systems did you most likely install? (ch17) A. A network-based intrusion detection system (NIDS) B. A web application firewall (WAF) C. A security information and event management (SIEM) system D. A host-based intrusion detection system (HIDS)
D. A host-based intrusion detection system (HIDS)
99d. Match each of the numbered terms with its correct lettered definition: Terms 4. Darknet Definitions A. An intentionally designed vulnerability used to lure in an attacker B. A network set up with intentional vulnerabilities C. A system set up with intentional vulnerabilities D. A monitored network without any hosts
D. A monitored network without any hosts
100b. Match each of the numbered types of recovery capabilities to their correct lettered definition: Terms 2. Cold site Definitions A. An organization that can provide on-site or off-site IT services in the event of a disaster B. A site with dedicated storage and real-time data replication, often with shared equipment that allows restoration of service in a very short time C. A site that relies on shared storage and backups for recovery D. A rented space with power, cooling, and connectivity that can accept equipment as part of a recovery effort
D. A rented space with power, cooling, and connectivity that can accept equipment as part of a recovery effort
10. You are installing a new intrusion detection system (IDS). It requires you to create a baseline before fully implementing it. Which of the following best describes this IDS? (ch17) A. A pattern-matching IDS B. A knowledge-based IDS C. A signature-based IDS D. An anomaly-based IDS
D. An anomaly-based IDS
23. Ricky is seeking a list of information security vulnerabilities in applications, devices, and operating systems. Which one of the following threat intelligence sources would be most useful to him? A. OWASP B. Bugtraq C. Microsoft Security Bulletins D. CVE
D. CVE
25. Glenda would like to conduct a disaster recovery test and is seeking a test that will allow a review of the plan with no disruption to normal information system activities and as minimal a commitment of time as possible. What type of test should she choose? A. Tabletop exercise B. Parallel test C. Full interruption test D. Checklist review
D. Checklist review
67. Frank is seeking to introduce a hacker's laptop in court as evidence against the hacker. The laptop does contain logs that indicate the hacker committed the crime, but the court ruled that the search of the apartment that resulted in police finding the laptop was unconstitutional. What admissibility criteria prevents Frank from introducing the laptop as evidence? A. Materiality B. Relevance C. Hearsay D. Competence
D. Competence
42. Which one of the following is not a basic preventative measure that you can take to protect your systems and applications against attack? A. Implement intrusion detection and prevention systems. B. Maintain current patch levels on all operating systems and applications. C. Remove unnecessary accounts and services. D. Conduct forensic imaging of all systems.
D. Conduct forensic imaging of all systems.
13. Which one of the following items is a characteristic of hot sites but not a characteristic of warm sites? (ch18) A. Communications circuits B. Workstations C. Servers D. Current data
D. Current data
14. Harry is conducting a disaster recovery test. He moved a group of personnel to the alternate recovery site, where they are mimicking the operations of the primary site but do not have operational responsibility. What type of disaster recovery test is he performing? (ch18) A. Checklist test B. Structured walk-through C. Simulation test D. Parallel test
D. Parallel test
96. Pauline is reviewing her organization's emergency management plans. What should be the highest priority when creating these plans? A. Protection of mission-critical data B. Preservation of operational systems C. Collection of evidence D. Preservation of safety
D. Preservation of safety
4. A large organization using a Microsoft domain wants to limit the amount of time users have elevated privileges. Which of the following security operation concepts can be used to support this goal? (ch16) A. Principle of least permission B. Separation of duties C. Need to know D. Privileged account management
D. Privileged account management
50. Grant is collecting records as part of the preparation for a possible lawsuit and is worried that his team may be spending too much time collecting information that may be irrelevant. What concept from the Federal Rules of Civil Procedure (FRCP) helps to ensure that additional time and expense are not incurred as part of electronic discovery when the benefits do not outweigh the costs? A. Tool-assisted review B. Cooperation C. Spoliation D. Proportionality
D. Proportionality
5. Jordan is preparing to bring evidence into court after a cybersecurity incident investigation. He is responsible for preparing the physical artifacts, including affected servers and mobile devices. What type of evidence consists entirely of tangible items that may be brought into a court of law? A. Documentary evidence B. Parol evidence C. Testimonial evidence D. Real evidence
D. Real evidence
90. Which one of the following techniques is not commonly used to remove unwanted remnant data from magnetic tapes? A. Physical destruction B. Degaussing C. Overwriting D. Reformatting
D. Reformatting
8. Randi is designing a disaster recovery mechanism for her organization's critical business databases. She selects a strategy where an exact, up-to-date copy of the database is maintained at an alternative location. What term describes this approach? (ch18) A. Transaction logging B. Remote journaling C. Electronic vaulting D. Remote mirroring
D. Remote mirroring
39. Which one of the following is an example of a non-natural disaster? A. Hurricane B. Flood C. Mudslide D. Transformer explosion
D. Transformer explosion
14. Gary is preparing to develop controls around access to root encryption keys and would like to apply a principle of security designed specifically for very sensitive operations. Which principle should he apply? A. Least privilege B. Defense in depth C. Security through obscurity D. Two-person control
D. Two-person control
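Worked example added to this study set (not from the source questions): two-person control over a root encryption key, implemented as an n-of-n XOR key split. Each custodian holds one share; no share on its own carries any information about the key, and the key is released only when every share is presented and the recombined value matches a recorded fingerprint. The key bytes, custodian count and fingerprint check are constructed for illustration; a k-of-n threshold (fewer than all custodians) would need a secret-sharing scheme such as Shamir's, which is not shown here.

```python
import hashlib
import secrets


def _xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("shares must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, custodians: int = 2, randbytes=secrets.token_bytes) -> list:
    """Split `key` into `custodians` shares that must ALL be combined to recover it.

    The first custodians-1 shares are uniformly random; the last is the key XORed
    with all of them. Any subset short of the full set is statistically independent
    of the key, so one custodian acting alone learns nothing. `randbytes` is
    injectable so the routine can be exercised deterministically in a test.
    """
    if custodians < 2:
        raise ValueError("two-person control needs at least two custodians")
    shares = [randbytes(len(key)) for _ in range(custodians - 1)]
    last = key
    for s in shares:
        last = _xor(last, s)
    return shares + [last]


def combine(shares) -> bytes:
    """Recombine shares; with any share missing or altered the result is garbage."""
    out = bytes(len(shares[0]))
    for s in shares:
        out = _xor(out, s)
    return out


def fingerprint(key: bytes) -> str:
    """SHA-256 of the key, safe to record in the key-ceremony log."""
    return hashlib.sha256(key).hexdigest()


def unlock(shares, expected_fingerprint: str):
    """Release the key only when the presented shares reproduce the recorded fingerprint."""
    candidate = combine(shares)
    return candidate if fingerprint(candidate) == expected_fingerprint else None


if __name__ == "__main__":
    root_key = secrets.token_bytes(32)  # constructed sample key
    fp = fingerprint(root_key)
    a, b = split_key(root_key)
    print("both custodians present:", unlock([a, b], fp) == root_key)
    print("one custodian alone:", unlock([a], fp))
```

The fingerprint comparison is what turns a bare XOR into a control: a custodian who presents a wrong or fabricated share gets a refusal rather than a silently wrong key, and the event can be logged without exposing key material.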
79. Hunter is reviewing his organization's monitoring strategy and identifying new technologies that they might deploy. His assessment reveals that the firm is not doing enough to monitor employee activity on endpoint devices. Which one of the following technologies would best meet his needs? A. EDR B. IPS C. IDS D. UEBA
D. UEBA
6. Which of the following would not be a primary goal of a grudge attack? (ch19) A. Disclosing embarrassing personal information B. Launching a virus on an organization's system C. Sending inappropriate email with a spoofed origination address of the victim organization D. Using automated tools to scan the organization's systems for vulnerable ports
D. Using automated tools to scan the organization's systems for vulnerable ports
9. What would be a valid argument for not immediately removing power from a machine when an incident is discovered? (ch19) A. All of the damage has been done. Turning the machine off would not stop additional damage. B. There is no other system that can replace this one if it is turned off. C. Too many users are logged in and using the system. D. Valuable evidence in memory will be lost.
D. Valuable evidence in memory will be lost.
20. Which one of the following processes is most likely to list all security risks within a system? (ch16) A. Configuration management B. Patch management C. Hardware inventory D. Vulnerability scan
D. Vulnerability scan
52. What technique has been used to protect the intellectual property in the following image? A. Steganography B. Clipping C. Sampling D. Watermarking
D. Watermarking
82. Roger recently accepted a new position as a security professional at a company that runs its entire IT infrastructure within an IaaS environment. Which one of the following would most likely be the responsibility of Roger's firm? A. Configuring the network firewall B. Applying hypervisor updates C. Patching operating systems D. Wiping drives prior to disposal
C. Patching operating systems
9. John deploys his website to multiple regions using load balancers around the world through his cloud infrastructure as a service provider. What availability concept is he using? A. Multiple processing sites B. Warm sites C. Cold sites D. A honeynet
A. Multiple processing sites
29. Harold recently completed leading the postmortem review of a security incident. What documentation should he prepare next? A. A lessons learned document B. A risk assessment C. A remediation list D. A mitigation checklist
A. A lessons learned document
12. You are installing a system that management hopes will reduce incidents in the network. The setup instructions require you to configure it inline with traffic so that all traffic goes through it before reaching the internal network. Which of the following choices best identifies this system? (ch17) A. A network-based intrusion prevention system (NIPS) B. A network-based intrusion detection system (NIDS) C. A host-based intrusion prevention system (HIPS) D. A host-based intrusion detection system (HIDS)
A. A network-based intrusion prevention system (NIPS)
4. Which of the following are examples of financially motivated attacks? (Choose all that apply.) (ch19) A. Accessing services that you have not purchased B. Disclosing confidential personal employee information C. Transferring funds from an unapproved source into your account D. Selling a botnet for use in a DDoS attack
A. Accessing services that you have not purchased C. Transferring funds from an unapproved source into your account D. Selling a botnet for use in a DDoS attack
8. You are updating the training manual for security administrators and want to add a description of a zero-day exploit. Which of the following best describes a zero-day exploit? (ch17) A. An attack that exploits a vulnerability that doesn't have a patch or fix B. A newly discovered vulnerability that doesn't have a patch or fix C. An attack on systems without an available patch D. Malware that delivers its payload after a user starts an application
A. An attack that exploits a vulnerability that doesn't have a patch or fix
71. Which of the following events would constitute a security incident? (Select all that apply.) A. An attempted network intrusion B. A successful database intrusion C. A malware infection D. A successful attempt to access a file E. A violation of a confidentiality policy F. An unsuccessful attempt to remove information from a secured area
A. An attempted network intrusion B. A successful database intrusion C. A malware infection E. A violation of a confidentiality policy F. An unsuccessful attempt to remove information from a secured area
16. Gavin is considering altering his organization's log retention policy to delete logs at the end of each day. What is the most important reason that he should avoid this approach? (ch19) A. An incident may not be discovered for several days and valuable evidence could be lost. B. Disk space is cheap, and log files are used frequently. C. Log files are protected and cannot be altered. D. Any information in a log file is useless after it is several hours old.
A. An incident may not be discovered for several days and valuable evidence could be lost.
99c. Match each of the numbered terms with its correct lettered definition: Terms 3. Pseudoflaw Definitions A. An intentionally designed vulnerability used to lure in an attacker B. A network set up with intentional vulnerabilities C. A system set up with intentional vulnerabilities D. A monitored network without any hosts
A. An intentionally designed vulnerability used to lure in an attacker
100d. Match each of the numbered types of recovery capabilities to their correct lettered definition: Terms 4. Service bureau Definitions A. An organization that can provide on-site or off-site IT services in the event of a disaster B. A site with dedicated storage and real-time data replication, often with shared equipment that allows restoration of service in a very short time C. A site that relies on shared storage and backups for recovery D. A rented space with power, cooling, and connectivity that can accept equipment as part of a recovery effort
A. An organization that can provide on-site or off-site IT services in the event of a disaster
85. Nancy is leading an effort to modernize her organization's antimalware protection and would like to add endpoint detection and response (EDR) capabilities. Which of the following actions are normally supported by EDR systems? (Select all that apply.) A. Analyzing endpoint memory, filesystem, and network activity for signs of malicious activity B. Automatically isolating possible malicious activity to contain the potential damage C. Conducting simulated phishing campaigns D. Integration with threat intelligence sources
A. Analyzing endpoint memory, filesystem, and network activity for signs of malicious activity B. Automatically isolating possible malicious activity to contain the potential damage D. Integration with threat intelligence sources
6. Which of the following statements about business continuity planning and disaster recovery planning are correct? (Choose all that apply.) (ch18) A. Business continuity planning is focused on keeping business functions uninterrupted when a disaster strikes. B. Organizations can choose whether to develop business continuity planning or disaster recovery planning plans. C. Business continuity planning picks up where disaster recovery planning leaves off. D. Disaster recovery planning guides an organization through recovery of normal operations at the primary facility.
A. Business continuity planning is focused on keeping business functions uninterrupted when a disaster strikes. B. Organizations can choose whether to develop business continuity planning or disaster recovery planning plans. D. Disaster recovery planning guides an organization through recovery of normal operations at the primary facility.
21. Tom is responding to a recent security incident and is seeking information on the approval process for a recent modification to a system's security settings. Where would he most likely find this information? A. Change log B. System log C. Security log D. Application log
A. Change log
6. You want to apply the least privilege principle when creating new accounts in the software development department. Which of the following should you do? (ch16) A. Create each account with only the rights and permissions needed by the employee to perform their job. B. Give each account full rights and permissions to the servers in the software development department. C. Create each account with no rights and permissions. D. Add the accounts to the local Administrators group on the new employee's computer.
A. Create each account with only the rights and permissions needed by the employee to perform their job.
Ann is a security professional for a midsize business and typically handles log analysis and security monitoring tasks for her organization. One of her roles is to monitor alerts originating from the organization's intrusion detection system. The system typically generates several dozen alerts each day, and many of those alerts turn out to be false alarms after her investigation. This morning, the intrusion detection system alerted because the network began to receive an unusually high volume of inbound traffic. Ann received this alert and began looking into the origin of the traffic. 64. Ann continues her investigation and realizes that the traffic generating the alert is abnormally high volumes of inbound UDP traffic on port 53. What service typically uses this port? A. DNS B. SSH/SCP C. SSL/TLS D. HTTP
A. DNS
17. What type of backup involves always storing copies of all files modified since the most recent full backup? (ch18) A. Differential backups B. Partial backup C. Incremental backups D. Database backup
A. Differential backups
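Worked example added to this study set (not from the source questions): a short Python simulation of the differential and incremental strategies from Q17, showing what each day's set contains and how many sets a restore has to replay. The file names, version numbers and weekday change lists are constructed sample data.

```python
# Differential vs. incremental backup sets over one week, plus the restore chain
# each strategy needs. Sample data below is constructed for this illustration.
FULL_BACKUP = {"ledger.db": 1, "report.xlsx": 1, "notes.txt": 1, "config.ini": 1}
DAILY_CHANGES = {
    "Mon": {"ledger.db"},
    "Tue": {"ledger.db", "report.xlsx"},
    "Wed": {"notes.txt"},
    "Thu": set(),
    "Fri": {"ledger.db", "notes.txt"},
}


def simulate(full_backup, daily_changes):
    """Walk the week after a full backup, recording the live filesystem
    (file -> version) and the contents of each day's differential and incremental set.

    Differential: every file modified since the last FULL backup. The archive bit is
    not cleared, so the set keeps growing until the next full backup.
    Incremental: only files modified since the previous backup of ANY kind. The
    archive bit is cleared after each run, so each set holds just that day's changes.
    """
    live = dict(full_backup)
    differential, incremental = {}, {}
    for day, changed in daily_changes.items():
        for name in changed:
            live[name] += 1  # a modification bumps the version number
        differential[day] = {n: v for n, v in live.items() if v != full_backup[n]}
        incremental[day] = {n: live[n] for n in changed}
    return live, differential, incremental


def restore_plan(strategy, day, differential, incremental):
    """Ordered list of sets applied after the full backup to reach the end of `day`."""
    days = list(differential)
    if strategy == "differential":
        return [differential[day]]  # full + the single latest differential
    if strategy == "incremental":
        # full + every incremental since the full, replayed in order
        return [incremental[d] for d in days[: days.index(day) + 1]]
    raise ValueError(f"unknown strategy {strategy!r}")


def restore(full_backup, sets):
    """Replay the sets over the full backup and return the rebuilt filesystem."""
    fs = dict(full_backup)
    for s in sets:
        fs.update(s)
    return fs


def media_count(strategy, day, differential, incremental):
    """Number of backup sets handled during the restore, full backup included."""
    return 1 + len(restore_plan(strategy, day, differential, incremental))


if __name__ == "__main__":
    live, diff, inc = simulate(FULL_BACKUP, DAILY_CHANGES)
    for strategy in ("differential", "incremental"):
        plan = restore_plan(strategy, "Fri", diff, inc)
        assert restore(FULL_BACKUP, plan) == live
        print(f"{strategy}: restore to Fri touches {1 + len(plan)} sets")
```

Both chains rebuild the same Friday state, but the differential restore touches two sets while the incremental restore touches six, which is the trade-off behind "full plus differential restores fastest, full plus incremental backs up fastest".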
15. What type of document will help public relations specialists and other individuals who need a high-level summary of disaster recovery efforts while they are under way? (ch18) A. Executive summary B. Technical guides C. Department-specific plans D. Checklists
A. Executive summary
51. During an incident investigation, investigators meet with a system administrator who may have information about the incident but is not a suspect. What type of conversation is taking place during this meeting? A. Interview B. Interrogation C. Both an interview and an interrogation D. Neither an interview nor an interrogation
A. Interview
86. Alan is assessing the potential for using machine learning and artificial intelligence in his cybersecurity program. Which of the following activities is most likely to benefit from this technology? A. Intrusion detection B. Account provisioning C. Firewall rule modification D. Media sanitization
A. Intrusion detection
2. You are troubleshooting a problem on a user's computer. After viewing the host-based intrusion detection system (HIDS) logs, you determine that the computer has been compromised by malware. Of the following choices, what should you do next? (ch17) A. Isolate the computer from the network. B. Review the HIDS logs of neighboring computers. C. Run an antivirus scan. D. Analyze the system to discover how it was infected.
A. Isolate the computer from the network.
8. A financial organization commonly has employees switch duty responsibilities every 6 months. What security principle are they employing? (ch16) A. Job rotation B. Separation of duties C. Mandatory vacations D. Least privilege
A. Job rotation
4. Which of the following are basic security controls that can prevent many attacks? (Choose three.) (ch17) A. Keep systems and applications up to date. B. Implement security orchestration, automation, and response (SOAR) technologies. C. Remove or disable unneeded services or protocols. D. Use up-to-date antimalware software. E. Use WAFs at the border.
A. Keep systems and applications up to date. C. Remove or disable unneeded services or protocols. D. Use up-to-date antimalware software.
15. A network includes a network-based intrusion detection system (NIDS). However, security administrators discovered that an attack entered the network and the NIDS did not raise an alarm. What does this describe? (ch17) A. A false positive B. A false negative C. A fraggle attack D. A smurf attack
B. A false negative
5. Which one of the following attacker actions is most indicative of a terrorist attack? (ch19) A. Altering sensitive trade secret documents B. Damaging the ability to communicate and respond to a physical attack C. Stealing unclassified information D. Transferring funds to other countries
B. Damaging the ability to communicate and respond to a physical attack
1. Which of the following are valid incident management steps or phases as listed in the CISSP objectives? (Choose all that apply.) (ch17) A. Prevention B. Detection C. Reporting D. Lessons learned E. Backup
B. Detection C. Reporting D. Lessons learned
14. Gary is a system administrator and is testifying in court about a cybercrime incident. He brings server logs to support his testimony. What type of evidence are the server logs? (ch19) A. Real evidence B. Documentary evidence C. Parol evidence D. Testimonial evidence
B. Documentary evidence
4. When one of the employees of Alice's company calls in for support, she uses a code word that the company agreed to use if employees were being forced to perform an action. What is this scenario called? A. Social engineering B. Duress C. Force majeure D. Stockholm syndrome
B. Duress
69. Which one of the following tools provides an organization with the greatest level of protection against a software vendor going out of business? A. Service-level agreement B. Escrow agreement C. Mutual assistance agreement D. PCI DSS compliance agreement
B. Escrow agreement
18. You operate a grain processing business and are developing your restoration priorities. Which one of the following systems would likely be your highest priority? (ch18) A. Order-processing system B. Fire suppression system C. Payroll system D. Website
B. Fire suppression system
19. According to the (ISC)2 Code of Ethics, how are CISSPs expected to act? (ch19) A. Honestly, diligently, responsibly, and legally B. Honorably, honestly, justly, responsibly, and legally C. Upholding the security policy and protecting the organization D. Trustworthy, loyally, friendly, courteously
B. Honorably, honestly, justly, responsibly, and legally
11. As Gary decides what access permissions he should grant to each user, what principle should guide his decisions about default permissions? A. Separation of duties B. Least privilege C. Aggregation D. Separation of privileges
B. Least privilege
41. Javier is verifying that only IT system administrators have the ability to log on to servers used for administrative purposes. What principle of information security is he enforcing? A. Need to know B. Least privilege C. Two-person control D. Transitive trust
B. Least privilege
19. A recent attack on servers within your organization caused an excessive outage. You need to check systems for known issues that attackers may use to exploit other systems in your network. Which of the following is the best choice to meet this need? (ch16) A. Versioning tracker B. Vulnerability scanner C. Security audit D. Security review
B. Vulnerability scanner
9. Users in an organization complain that they can't access several websites that are usually available. After troubleshooting the issue, you discover that an intrusion prevention system (IPS) is blocking the traffic, but the traffic is not malicious. What does this describe? (ch17) A. A false negative B. A honeynet C. A false positive D. Sandboxing
C. A false positive
100c. Match each of the numbered types of recovery capabilities to their correct lettered definition: Terms 3. Warm site Definitions A. An organization that can provide on-site or off-site IT services in the event of a disaster B. A site with dedicated storage and real-time data replication, often with shared equipment that allows restoration of service in a very short time C. A site that relies on shared storage and backups for recovery D. A rented space with power, cooling, and connectivity that can accept equipment as part of a recovery effort
C. A site that relies on shared storage and backups for recovery
99a. Match each of the numbered terms with its correct lettered definition: Terms 1. Honeypot Definitions A. An intentionally designed vulnerability used to lure in an attacker B. A network set up with intentional vulnerabilities C. A system set up with intentional vulnerabilities D. A monitored network without any hosts
C. A system set up with intentional vulnerabilities
49. Which of the following would normally be classified as zero-day attacks? (Select all that apply.) A. An attacker who is new to the world of hacking B. A database attack that places the date 00/00/0000 in data tables in an attempt to exploit flaws in business logic C. An attack previously unknown to the security community D. An attack that sets the operating system date and time to 00/00/0000 and 00:00:00
C. An attack previously unknown to the security community
1. Devin is revising the policies and procedures used by his organization to conduct investigations and would like to include a definition of computer crime. Which one of the following definitions would best meet his needs? (ch19) A. Any attack specifically listed in your security policy B. Any illegal attack that compromises a protected computer C. Any violation of a law or regulation that involves a computer D. Failure to practice due diligence in computer security
C. Any violation of a law or regulation that involves a computer
57. Patrick was charged with implementing a threat hunting program for his organization. Which one of the following is the basic assumption of a threat hunting program that he should use as he plans his work? A. Security controls were designed using a defense-in-depth strategy. B. Audits may uncover control deficiencies. C. Attackers may already be present on the network. D. Defense mechanisms may contain unpatched vulnerabilities.
C. Attackers may already be present on the network.
14. A server administrator recently modified the configuration for a server to improve performance. Unfortunately, when an automated script runs once a week, the modification causes the server to reboot. It took several hours of troubleshooting to ultimately determine the problem wasn't with the script but instead with the modification. What could have prevented this? (ch16) A. Vulnerability management B. Patch management C. Change management D. Blocking all scripts
C. Change management
73. Allie is responsible for reviewing authentication logs on her organization's network. She does not have the time to review all logs, so she decides to choose only records where there have been four or more invalid authentication attempts. What technique is Allie using to reduce the size of the pool? A. Sampling B. Random selection C. Clipping D. Statistical analysis
C. Clipping
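Worked example added to this study set (not from the source questions): Allie's clipping-level review from Q73 in Python, run over a constructed sshd-style authentication log. Only (account, source) pairs that reach the threshold of four failed attempts survive; a seeded random sample is included for contrast, since sampling picks records without regard to their content. The log lines, host names and addresses are made up for this illustration.

```python
import random
import re
from collections import Counter

# Constructed sshd-style auth log for this example (not a real capture).
SAMPLE_LOG = """\
Mar 11 08:01:02 bastion sshd[2101]: Failed password for root from 203.0.113.7 port 50122 ssh2
Mar 11 08:01:04 bastion sshd[2101]: Failed password for root from 203.0.113.7 port 50123 ssh2
Mar 11 08:01:06 bastion sshd[2101]: Failed password for root from 203.0.113.7 port 50124 ssh2
Mar 11 08:01:09 bastion sshd[2101]: Failed password for root from 203.0.113.7 port 50125 ssh2
Mar 11 08:01:11 bastion sshd[2101]: Failed password for root from 203.0.113.7 port 50126 ssh2
Mar 11 08:05:30 bastion sshd[2140]: Accepted publickey for alice from 10.0.0.5 port 41000 ssh2
Mar 11 08:07:12 bastion sshd[2155]: Failed password for alice from 10.0.0.5 port 41010 ssh2
Mar 11 08:07:20 bastion sshd[2155]: Accepted password for alice from 10.0.0.5 port 41010 ssh2
Mar 11 08:09:44 bastion sshd[2170]: Failed password for invalid user admin from 198.51.100.9 port 3333 ssh2
Mar 11 08:09:50 bastion sshd[2170]: Failed password for invalid user admin from 198.51.100.9 port 3334 ssh2
Mar 11 08:09:55 bastion sshd[2170]: Failed password for invalid user admin from 198.51.100.9 port 3335 ssh2
Mar 11 08:10:01 bastion sshd[2170]: Failed password for invalid user admin from 198.51.100.9 port 3336 ssh2
Mar 11 08:12:00 bastion sshd[2180]: Failed password for bob from 10.0.0.8 port 52000 ssh2
Mar 11 08:12:30 bastion sshd[2180]: Failed password for bob from 10.0.0.8 port 52001 ssh2
"""

# "invalid user" is optional: sshd prefixes it when the account does not exist.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port"
)


def parse_failures(log_text):
    """Yield (account, source_ip) for every failed-authentication line."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("user"), m.group("src")


def clip(log_text, threshold=4):
    """Clipping-level analysis: count failures per (account, source) and keep only
    the pairs at or above `threshold`. Everything below the line is ignored as
    ordinary noise (a mistyped password, for instance)."""
    counts = Counter(parse_failures(log_text))
    return {key: n for key, n in counts.items() if n >= threshold}


def sample(log_text, k, seed=0):
    """Statistical sampling, for contrast: a fixed-size random subset of lines chosen
    without looking at their content. Seeded so the result is reproducible."""
    lines = log_text.splitlines()
    return random.Random(seed).sample(lines, k)


if __name__ == "__main__":
    for (user, src), n in sorted(clip(SAMPLE_LOG).items()):
        print(f"{n} failures for {user!r} from {src}")
```

Note what the clipping level hides: alice's single failure followed by a success and bob's two failures never reach the analyst, which is the intended trade, while a slow attacker who stays under four attempts per account is also invisible. Lowering the threshold or counting per source rather than per (account, source) pair changes what surfaces.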
5. Brad is helping to design a disaster recovery strategy for his organization and is analyzing possible storage locations for backup data. He is not certain where the organization will recover operations in the event of a disaster and would like to choose an option that allows them the flexibility to easily retrieve data from any DR site. Which one of the following storage locations provides the best option for Brad? (ch18) A. Primary data center B. Field office C. Cloud computing D. IT manager's home
C. Cloud computing
11. Nolan is considering the use of several different types of alternate processing facility for his organization's data center. Which one of the following alternative processing sites takes the longest time to activate but has the lowest cost to implement? (ch18) A. Hot site B. Mobile site C. Cold site D. Warm site
C. Cold site
11. Which one of the following investigation types has the highest standard of evidence? (ch19) A. Administrative B. Civil C. Criminal D. Regulatory
C. Criminal
94. Carolyn is concerned that users on her network may be storing sensitive information, such as Social Security numbers, on their hard drives without proper authorization or security controls. What third-party security service can she implement to best detect this activity? A. IDS B. IPS C. DLP D. TLS
C. DLP
93. Quigley Computing regularly ships tapes of backup data across the country to a secondary facility. These tapes contain confidential information. What is the most important security control that Quigley can use to protect these tapes? A. Locked shipping containers B. Private couriers C. Data encryption D. Media rotation
C. Data encryption
68. Gordon suspects that a hacker has penetrated a system belonging to his company. The system does not contain any regulated information, and Gordon wants to conduct an investigation on behalf of his company. He has permission from his supervisor to conduct the investigation. Which of the following statements is true? A. Gordon is legally required to contact law enforcement before beginning the investigation. B. Gordon may not conduct his own investigation. C. Gordon's investigation may include examining the contents of hard disks, network traffic, and any other systems or information belonging to the company. D. Gordon may ethically perform "hack back" activities after identifying the perpetrator.
C. Gordon's investigation may include examining the contents of hard disks, network traffic, and any other systems or information belonging to the company.
59. Melanie suspects that someone is using malicious software to steal computing cycles from her company. Which one of the following security tools would be in the best position to detect this type of incident? A. NIDS B. Firewall C. HIDS D. DLP
C. HIDS
32. Which one of the following security tools is not capable of generating an active response to a security event? A. IPS B. Firewall C. IDS D. Antivirus software
C. IDS
19. Helen is tasked with implementing security controls in her organization that might be used to deter fraudulent insider activity. Which one of the following mechanisms would be LEAST useful to her work? A. Job rotation B. Mandatory vacations C. Incident response D. Two-person control
C. Incident response
17. Tonya is collecting evidence from a series of systems that were involved in a cybersecurity incident. A colleague suggests that she use a forensic disk controller for the collection process. What is the function of this device? A. Masking error conditions reported by the storage device B. Transmitting write commands to the storage device C. Intercepting and modifying or discarding commands sent to the storage device D. Preventing data from being returned by a read operation sent to the device
C. Intercepting and modifying or discarding commands sent to the storage device
3. What concept is used to grant users only the rights and permissions they need to complete their job responsibilities? (ch16) A. Need to know B. Mandatory vacations C. Least privilege principle D. Service-level agreement (SLA)
C. Least privilege principle
1. Which security principle involves the knowledge and possession of sensitive material as an aspect of one's occupation? (ch16) A. Principle of least privilege B. Separation of duties C. Need to know D. As-needed basis
C. Need to know
2. An organization ensures that users are granted access to only the data they need to perform specific work tasks. What principle are they following? (ch16) A. Principle of least permission B. Separation of duties (SoD) C. Need to know D. Job rotation
C. Need to know
70. Fran is considering new human resources policies for her bank that will deter fraud. She plans to implement a mandatory vacation policy. What is typically considered the shortest effective length of a mandatory vacation? A. Two days B. Four days C. One week D. One month
C. One week
1. James is working with his organization's leadership to help them understand the role that disaster recovery plays in their cybersecurity strategy. The leaders are confused about the differences between disaster recovery and business continuity. What is the end goal of disaster recovery planning? (ch18) A. Preventing business interruption B. Setting up temporary business operations C. Restoring normal business activity D. Minimizing the impact of a disaster
C. Restoring normal business activity
58. Brian is developing the training program for his organization's disaster recovery program and would like to make sure that participants understand when disaster activity concludes. Which one of the following events marks the completion of a disaster recovery process? A. Securing property and life safety B. Restoring operations in an alternate facility C. Restoring operations in the primary facility D. Standing down first responders
C. Restoring operations in the primary facility
10. Your organization has contracted with a third-party provider to host cloud-based servers. Management wants to ensure there are monetary penalties if the third party doesn't meet their contractual responsibilities related to uptimes and downtimes. Which of the following is the best choice to meet this requirement? (ch16) A. MOU B. ISA C. SLA D. SED
C. SLA
80. Bruce is seeing quite a bit of suspicious activity on his network. After consulting records in his SIEM, it appears that an outside entity is attempting to connect to all of his systems using a TCP connection on port 22. What type of scanning is the outsider likely engaging in? A. FTP scanning B. Telnet scanning C. SSH scanning D. HTTP scanning
C. SSH scanning
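Worked example added to this study set (not from the source questions): the correlation Bruce would run against his SIEM records for Q80, in Python over constructed connection records. A horizontal scan is one source touching the same destination port on many distinct hosts inside a short window; the same helper also catches the vertical case (one source walking many ports on a single host), which goes beyond the question but is the same technique. The record layout, addresses, timestamps and thresholds are assumptions made for this illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

PORT_NAMES = {21: "ftp", 22: "ssh", 23: "telnet", 80: "http", 443: "https"}

# Constructed SIEM-style connection records (not from the page):
# (ISO timestamp, source IP, destination IP, destination port, protocol).
RECORDS = (
    # One outside host touching tcp/22 on twelve internal hosts in twelve seconds.
    [(f"2024-03-11T09:00:{i:02d}", "198.51.100.23", f"10.0.0.{i + 1}", 22, "tcp")
     for i in range(12)]
    # Another outside host walking ports 1-15 on a single internal host.
    + [(f"2024-03-11T09:30:{i:02d}", "203.0.113.5", "10.0.0.7", i + 1, "tcp")
       for i in range(15)]
    # Normal admin activity: a jump host reaching two servers over SSH and HTTPS.
    + [("2024-03-11T09:15:00", "10.0.0.50", "10.0.0.1", 22, "tcp"),
       ("2024-03-11T09:15:05", "10.0.0.50", "10.0.0.1", 22, "tcp"),
       ("2024-03-11T09:16:00", "10.0.0.50", "10.0.0.2", 443, "tcp")]
)


def _max_distinct_in_window(events, window):
    """events: list of (datetime, value). Largest number of distinct values that
    fall inside any sliding window of length `window`."""
    events = sorted(events)
    seen, start, best = Counter(), 0, 0
    for ts, value in events:
        seen[value] += 1
        while ts - events[start][0] > window:  # evict events that aged out
            old = events[start][1]
            seen[old] -= 1
            if seen[old] == 0:
                del seen[old]
            start += 1
        best = max(best, len(seen))
    return best


def detect_horizontal_scans(records, min_targets=10, window=timedelta(minutes=5)):
    """One source probing the same port on many distinct destinations (Bruce's case).
    Group by (src, dport, proto) and count distinct destinations per window."""
    by_key = defaultdict(list)
    for ts, src, dst, dport, proto in records:
        by_key[(src, dport, proto)].append((datetime.fromisoformat(ts), dst))
    findings = []
    for (src, dport, proto), events in by_key.items():
        n = _max_distinct_in_window(events, window)
        if n >= min_targets:
            findings.append({"type": "horizontal", "src": src, "port": dport,
                             "service": PORT_NAMES.get(dport, "unknown"), "count": n})
    return findings


def detect_vertical_scans(records, min_ports=10, window=timedelta(minutes=5)):
    """One source probing many distinct ports on a single destination.
    Group by (src, dst, proto) and count distinct ports per window."""
    by_key = defaultdict(list)
    for ts, src, dst, dport, proto in records:
        by_key[(src, dst, proto)].append((datetime.fromisoformat(ts), dport))
    findings = []
    for (src, dst, proto), events in by_key.items():
        n = _max_distinct_in_window(events, window)
        if n >= min_ports:
            findings.append({"type": "vertical", "src": src, "dst": dst, "count": n})
    return findings


if __name__ == "__main__":
    for finding in detect_horizontal_scans(RECORDS) + detect_vertical_scans(RECORDS):
        print(finding)
```

The jump host is not flagged even though it also uses tcp/22, because it reaches only a couple of destinations; the threshold on distinct targets per window, not the port alone, is what separates administration from a sweep. The port-to-service label is a convenience for the alert text and should not be trusted as proof of what is actually listening.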
46. Connor's company recently experienced a denial-of-service attack that Connor believes came from an inside source. If true, what type of event has the company experienced? A. Espionage B. Confidentiality breach C. Sabotage D. Integrity breach
C. Sabotage
Ann is a security professional for a midsize business and typically handles log analysis and security monitoring tasks for her organization. One of her roles is to monitor alerts originating from the organization's intrusion detection system. The system typically generates several dozen alerts each day, and many of those alerts turn out to be false alarms after her investigation. This morning, the intrusion detection system alerted because the network began to receive an unusually high volume of inbound traffic. Ann received this alert and began looking into the origin of the traffic. 63. At this point in the incident response process, what term best describes what has occurred in Ann's organization? A. Security occurrence B. Security incident C. Security event D. Security intrusion
C. Security event
7. Your organization has divided a high-level auditing function into several individual job tasks. These tasks are divided between three administrators. None of the administrators can perform all of the tasks. What does this describe? (ch16) A. Job rotation B. Mandatory vacation C. Separation of duties D. Least privilege
C. Separation of duties
12. Which one of the following is a cloud-based service model that allows users to access email via a web browser? (ch16) A. Infrastructure as a service (IaaS) B. Platform as a service (PaaS) C. Software as a service (SaaS) D. Public
C. Software as a service (SaaS)
28. Frank is considering the use of different types of evidence in an upcoming criminal matter. Which one of the following is not a requirement for evidence to be admissible in court? A. The evidence must be relevant. B. The evidence must be material. C. The evidence must be tangible. D. The evidence must be competently acquired.
C. The evidence must be tangible.
12. Ingrid is concerned that one of her organization's data centers has been experiencing a series of momentary power outages. Which one of the following controls would best preserve their operating status? (ch18) A. Generator B. Dual power supplies C. UPS D. Redundant network links
C. UPS
6. Lauren wants to ensure that her users only run software that her organization has approved. What technology should she deploy? A. Blacklisting B. Configuration management C. Whitelisting D. Graylisting
C. Whitelisting
Ann is a security professional for a midsize business and typically handles log analysis and security monitoring tasks for her organization. One of her roles is to monitor alerts originating from the organization's intrusion detection system. The system typically generates several dozen alerts each day, and many of those alerts turn out to be false alarms after her investigation. This morning, the intrusion detection system alerted because the network began to receive an unusually high volume of inbound traffic. Ann received this alert and began looking into the origin of the traffic. 65. As Ann analyzes the traffic further, she realizes that the traffic is coming from many different sources and has overwhelmed the network, preventing legitimate uses. The inbound packets are responses to queries that she does not see in outbound traffic. The responses are abnormally large for their type. What type of attack should Ann suspect? A. Reconnaissance B. Malicious code C. System penetration D. Denial-of-service
D. Denial-of-service
34. What term is used to describe the default set of privileges assigned to a user when a new account is created? A. Aggregation B. Transitivity C. Baseline D. Entitlement
D. Entitlement
97. Barry is the CIO of an organization that recently suffered a serious operational issue that required activation of the disaster recovery plan. He would like to conduct a lessons learned session to review the incident. Who would be the best facilitator for this session? A. Barry, as chief information officer B. Chief information security officer C. Disaster recovery team leader D. External consultant
D. External consultant
17. Systems within an organization are configured to receive and apply patches automatically. After receiving a patch, 55 of the systems automatically restarted and booted into a stop error. What could have prevented this problem without sacrificing security? (ch16) A. Disable the setting to apply the patches automatically. B. Implement a patch management program to approve all patches. C. Ensure systems are routinely audited for patches. D. Implement a patch management program that tests patches before deploying them.
D. Implement a patch management program that tests patches before deploying them.
37. Richard is experiencing issues with the quality of network service on his organization's network. The primary symptom is that packets are consistently taking too long to travel from their source to their destination. What term describes the issue Richard is facing? A. Jitter B. Packet loss C. Interference D. Latency
D. Latency
3. Brian's organization recently suffered a disaster and wants to improve their disaster recovery program based on their experience. Which one of the following activities will best assist with this task? (ch18) A. Training programs B. Awareness efforts C. BIA review D. Lessons learned
D. Lessons learned
3. In the incident management steps identified by (ISC)2, which of the following occurs first? (ch17) A. Response B. Mitigation C. Remediation D. Lessons learned
D. Lessons learned
2. Joe is the security administrator for an ERP system. He is preparing to create accounts for several new employees. What default access should he give to all of the new employees as he creates the accounts? A. Read only B. Editor C. Administrator D. No access
D. No access
5. An administrator is granting permissions to a database. What is the default level of access the administrator should grant to new users in the organization? (ch16) A. Read B. Modify C. Full access D. No access
D. No access
17. What phase of the Electronic Discovery Reference Model examines information to remove information subject to attorney-client privilege? (ch19) A. Identification B. Collection C. Processing D. Review
D. Review
18. What are ethics? (ch19) A. Mandatory actions required to fulfill job requirements B. Laws of professional conduct C. Regulations set forth by a professional organization D. Rules of personal behavior
D. Rules of personal behavior
16. Which one of the following terms is often used to describe a collection of unrelated patches released in a large collection? A. Hotfix B. Update C. Security fix D. Service pack
D. Service pack
16. What disaster recovery planning tool can be used to protect an organization against the failure of a critical software firm to provide appropriate support for their products? (ch18) A. Differential backups B. Business impact analysis C. Incremental backups D. Software escrow agreement
D. Software escrow agreement