Practice test 4


What is the database used to interpret the details of SNMP communications? A)MIB B)Syslog C)Oracle D)CRL

A Management Information Base (MIB) is the database used to interpret the details of SNMP communications. A MIB defines the managed objects a device exposes, mapping each numeric object identifier (OID) to a name, data type, and description. A typical Simple Network Management Protocol (SNMP) management console loads the relevant MIBs so that the raw OIDs and values returned by monitored systems can be displayed as human-readable results.

How is a digital certificate created? A)A subject's public key is signed by a CA's private key. B)A Diffie-Hellman key exchange is performed. C)A random key is encrypted by a recipient's public key. D)A communication exchange of discover, offer, request, and acknowledge occurs.

A digital certificate is created when a subject's public key is signed by a CA's private key. The subject generates a random private key and derives the corresponding public key using the chosen asymmetric algorithm. The public key, together with the subject's identity information, is submitted to the certificate authority (CA), typically as a certificate signing request. The CA verifies the subject's identity and then builds the certificate: the subject's public key, subject and issuer names, validity period, serial number, and extensions are assembled as defined by the X.509 v3 standard, and the CA signs that body with its private key. Anyone holding the CA's public key can then verify the signature and trust that the public key belongs to the named subject.

What is a directive control? A)A mechanism to record compromising activities B)A substitution of an alternate security solution when the primary solution fails C)A means to communicate instructions, guidelines, or security rules D)A system to block intrusion attempts before they become successful

A directive control is a means to communicate instructions, guidelines, or security rules. The function of a directive control is to provide guidance on how to behave when performing work tasks and how to avoid security violations. Directive controls include written security policies, posted signs, training, and security guards.

What type of event is more likely to trigger the business continuity plan (BCP) rather than the disaster recovery plan (DRP)? A)A security breach of an administrator account B)A port-scanning event against your public servers in the DMZ C)Several users failing to remember their logon credentials D)A level 5 hurricane

A security breach of an administrator account is the event most likely to trigger the business continuity plan (BCP) rather than the disaster recovery plan (DRP). Compromise of an administrator account is serious: it can result in lost data and crashed systems. It is nonetheless a BCP matter because most administrators are compartmentalized and do not hold enough privilege to take down mission-critical processes entirely; the organization keeps operating while it contains the breach. A level 5 hurricane, by contrast, can destroy the primary facility and fully interrupt mission-critical operations, which is the situation the DRP addresses. A port scan and forgotten passwords are routine operational events that trigger neither plan.

Your organization is using Kerberos for private network authentication. How does Kerberos demonstrate to a resource host that the identity of a user is valid? A)A shared credential is issued to each principal in the realm. B)A unique session key is used to encrypt the authentication communications. C)An ST is issued to the user, which is then sent to the resource host. D)A TGT is issued to the resource host.

A service ticket (ST), also called a session ticket, is issued to the user, which is then sent to the resource host. The resource host can verify the ST, and thus the user's identity, on its own: the ticket is encrypted with the long-term key that the resource host shares with the key distribution center (KDC), so only the KDC could have created it and only the resource host can decrypt it. No query back to the KDC is needed. This design lets the user hold a master ticket-granting ticket (TGT) that is presented only to the KDC's ticket-granting service, never to resource hosts, which limits its exposure to duplication or impersonation. The KDC issues a fresh ST, with its own session key, each time the user needs to prove identity to another principal in the Kerberos realm.

What is the term used to describe an entry in a database describing a violation or exploit which is used to match real-time events in order to detect and record attacks by the continuous monitoring solution? A)Countermeasure B)Threat C)Vulnerability D)Signature

A signature is an entry in a database describing a violation or exploit which is used to match real-time events in order to detect and record attacks by the continuous monitoring solution. A signature or a pattern is used to recognize when a known attack or violation is attempted. Signature-based detection or monitoring tools must be updated regularly to maintain the broadest ability to detect known attacks. However, signature-based detection is not foolproof. If an attack has been modified or customized, it might not match the signature and go undetected. Thus, it is often essential for continuous monitoring solutions to include other forms of detection, such as anomaly, behavioral, and heuristic.
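Added example (not part of the original practice test): a minimal signature-based detector run over constructed web-server log lines, alongside a crude heuristic, to show the evasion point made above. The signatures, the log lines and the heuristic threshold are all invented for illustration.

```python
import re

# Constructed sample events (not real logs): one HTTP access-log line each.
# Event 2 is the same injection as event 1 with inline comments replacing the spaces.
SAMPLE_EVENTS = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200',
    '10.0.0.9 - - "GET /login.php?user=admin\' OR 1=1-- HTTP/1.1" 200',
    '10.0.0.9 - - "GET /login.php?user=admin\'/**/OR/**/1=1-- HTTP/1.1" 200',
    '10.0.0.7 - - "GET /../../etc/passwd HTTP/1.1" 404',
]

# Hypothetical signature database: name -> pattern describing a known attack.
SIGNATURES = {
    "sqli-or-1=1": re.compile(r"'\s+OR\s+1=1", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./\.\./"),
}


def match_signatures(event: str, signatures=SIGNATURES) -> list:
    """Return the names of every signature whose pattern matches the event."""
    return [name for name, pattern in signatures.items() if pattern.search(event)]


def heuristic_score(event: str) -> int:
    """Crude anomaly heuristic: count characters that rarely appear in benign request lines."""
    suspicious = set("'\"*/;=<>")
    return sum(1 for ch in event if ch in suspicious)


def detect(events, threshold: int = 6) -> list:
    """Run both detection methods; a real sensor would alert on either firing."""
    results = []
    for event in events:
        results.append({
            "event": event,
            "signatures": match_signatures(event),
            "heuristic": heuristic_score(event) >= threshold,
        })
    return results
```

The second injection slips past the signature because `/**/` is not whitespace, while the heuristic still flags it; the benign request trips neither. Real heuristics are far more elaborate, but the division of labour is the same.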

Which type of firewall would be able to discard TCP segments arriving at an open port when they have the header flag of FIN enabled and they are the first packet received from the source? A)Packet filter firewall B)Web application firewall C)Stateful inspection firewall D)Circuit level firewall

A stateful inspection firewall, also called a stateful packet inspection firewall, would be able to discard these TCP segments. It maintains a state table of the connections it has seen and is programmed with the parameters of valid communications, including the TCP handshake. The proper initial segment from a source attempting to open a TCP connection to an open port carries only the SYN (synchronization) flag; a segment with FIN set that does not belong to any tracked connection cannot be a legitimate close of an established session, so it is dropped. A plain packet filter evaluates each segment in isolation on its header fields (addresses, ports, flags) and, having no memory of earlier segments, would generally pass a FIN-first probe to an open port. Port scanners use such probes precisely because stateless devices and some hosts respond differently to them than to SYN scans.
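Added example (not from the original page) of the state tracking that lets a stateful filter make this decision, contrasted with a stateless packet filter. The addresses, ports and traffic are constructed; the state machine is simplified (no sequence-number checks, abbreviated teardown).

```python
from dataclasses import dataclass

# TCP header flag bits (RFC 793 values).
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Segment:
    """Only the header fields the filter needs; payload is irrelevant here."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def stateless_filter(seg: Segment, open_ports) -> str:
    """A plain packet filter: per-segment decision on header fields alone."""
    return "ACCEPT" if seg.dport in open_ports else "DROP"


class StatefulFilter:
    """Stateful inspection: a segment is accepted only if it fits a tracked flow,
    and a new flow may only be created by a bare SYN to an open port."""

    def __init__(self, open_ports):
        self.open_ports = set(open_ports)
        self.flows = {}  # (client, cport, server, sport) -> {"state": str, "fins": set}

    def inspect(self, seg: Segment) -> str:
        fwd = (seg.src, seg.sport, seg.dst, seg.dport)
        rev = (seg.dst, seg.dport, seg.src, seg.sport)
        if fwd in self.flows:
            key, direction = fwd, "c2s"
        elif rev in self.flows:
            key, direction = rev, "s2c"
        else:
            # No state yet: the only legitimate opener is SYN alone, to an open port.
            if seg.flags == SYN and seg.dport in self.open_ports:
                self.flows[fwd] = {"state": "SYN_SENT", "fins": set()}
                return "ACCEPT"
            return "DROP"  # FIN-first, ACK-first, etc. belong to no handshake

        flow = self.flows[key]
        if seg.flags & RST:
            del self.flows[key]  # abortive close tears the flow down
            return "ACCEPT"
        if flow["state"] == "SYN_SENT":
            if direction == "c2s" and seg.flags == SYN:  # retransmitted SYN
                return "ACCEPT"
            if direction == "s2c" and seg.flags == SYN | ACK:
                flow["state"] = "SYN_RECEIVED"
                return "ACCEPT"
            return "DROP"
        if flow["state"] == "SYN_RECEIVED":
            if direction == "c2s" and seg.flags & ACK and not seg.flags & SYN:
                flow["state"] = "ESTABLISHED"
                return "ACCEPT"
            return "DROP"
        # ESTABLISHED: data flows freely; state is removed once both sides have
        # sent FIN (the final ACK of the teardown is not modelled).
        if seg.flags & FIN:
            flow["fins"].add(direction)
            if flow["fins"] == {"c2s", "s2c"}:
                del self.flows[key]
        return "ACCEPT"


def demo() -> dict:
    """Constructed traffic toward a web server on port 80; returns verdicts by scenario."""
    server, attacker, client = "192.0.2.10", "203.0.113.9", "198.51.100.4"
    fw = StatefulFilter(open_ports={80})
    fin_first = Segment(attacker, 40000, server, 80, FIN)
    handshake = [
        Segment(client, 51000, server, 80, SYN),
        Segment(server, 80, client, 51000, SYN | ACK),
        Segment(client, 51000, server, 80, ACK),
    ]
    data = Segment(client, 51000, server, 80, ACK)
    return {
        "fin_first_stateless": stateless_filter(fin_first, {80}),
        "fin_first_stateful": fw.inspect(fin_first),
        "handshake": [fw.inspect(s) for s in handshake],
        "data_after_handshake": fw.inspect(data),
        "syn_to_closed_port": fw.inspect(Segment(client, 51001, server, 22, SYN)),
    }
```

The stateless filter accepts the FIN-first probe simply because port 80 is open; the stateful filter drops it because no flow exists for it, while a proper three-way handshake and the data that follows are accepted.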

What form of alternate processing site may allow for testing prior to a disaster without significant expense or hassle and can be used to support organizations with needs for on-site space for workers and housing of equipment? A)Cold site B)Reciprocal agreement C)Warm site D)Cloud services

A warm site is partially configured to support recovery in the event of a disaster. While a warm site is not as readily able to provide testing prior to a disaster as a hot site or a multi-site, it can be temporarily brought up to hot site capability for testing. This is due to the fact that a warm site by definition is not ready to support business functions without installing updates, setting configuration, and restoring data from backup. Thus, to perform testing, a warm site must be upgraded to a hot site. Additionally, a warm site is a physical location, which should provide on-site space for workers and housing of equipment.

How does a web of trust model provide security since it does not involve a trusted third-party? A)Through the use of randomization in key selection B)Through consistency of serial numbers of self-issued certificates C)By using pre-shared symmetric keys D)By using fourth-party identity verification

A web of trust model, in the terms of this question, provides security through the consistency of the self-issued certificates that endpoints exchange, without involving a trusted third party. In a web of trust or peer trust model, each endpoint decides for itself which other endpoints to trust; there is no central authority whose signature vouches for an identity. The model therefore has no single authoritative mechanism to prove an identity absolutely. Instead, identities are maintained over time: endpoints self-issue digital certificates, and as long as the same certificate (same serial number and same public key) keeps appearing from a given peer, the other endpoints can at least be confident that they are talking to the same party as before. This is key continuity; the real-world identity behind the key may remain unverified, but knowing that the same endpoint is at the other end of the communication is what matters. In practice, web-of-trust systems such as PGP strengthen this by having peers sign one another's keys and by verifying key fingerprints out of band, and digital signatures and digital envelopes work as usual because the same asymmetric public key cryptography is in use.

Which security rule should be implemented to minimize risk of malware infection of endpoint systems? A)Disable the use of USB storage devices. B)Encrypt all file storage. C)Configure a software firewall. D)Audit user activity.

A)Disable the use of USB storage devices. Disabling the use of USB storage devices is the security rule that should be implemented to minimize the risk of malware infection of endpoint systems. USB storage devices, especially small thumb drives, are a common vector for malware, whether carried in unknowingly from home or planted deliberately. Disabling USB storage support, typically enforced centrally through endpoint management or group policy, removes that path onto endpoint systems. It is important to give users who still need to exchange files a secure file transfer system that is easy to use; otherwise they may resort to an unsanctioned or plaintext transfer method, which puts the files at risk as well.

Which level of risk is associated with repeated attempts from a remote unknown entity to guess a user's password which result in the account being locked? A)Elevated B)Normal C)Substantial D)Severe

A)Elevated Elevated is the risk level associated with repeated attempts to guess a user's password that result in the account being locked. The elevated risk level is one of five standard levels of risk alert used in incident management:
Normal - standard benign operations
Guarded - accepted or tolerable risk
Elevated - detection of potential threat realization (i.e. compromise attempts)
Substantial - security violations have occurred, but have not interrupted mission-critical functions
Severe - mission-critical functions have been significantly affected or interrupted
The attack described in this question is a remote attacker attempting to discover user credentials by guessing, which is a detected potential threat realization. Because it is an active attempt to compromise a target, it is more than an accepted and tolerable risk (guarded), but no actual violation has occurred (substantial): the lockout shows the guessing did not succeed.

Why is account or identity proofing necessary? A)It verifies that only the authorized person is able to use a specific user account. B)It allows for hiring of individuals with criminal records or sealed histories. C)It checks that users are logging into the assigned workstation at their desk. D)It ensures that privileged accounts are never used across network links.

A)It verifies that only the authorized person is able to use a specific user account. Account or identity proofing is necessary because it verifies that only the authorized person is able to use a specific user account. Identity proofing establishes, before an account is issued (or recovered after a lost credential), that the person claiming an identity really is that person; this keeps an attacker from obtaining or resetting an account in someone else's name. It can be done through a number of means, including one-time codes sent by text message, pre-arranged security questions, dynamic questions about a user's account or background and history, or verification of identity documents.

What is the term used for the range of values that can be used to control the symmetric encryption function while converting plaintext into ciphertext? A)Key space B)Block size C)Key length D)Rounds

A)Key space Key space is the range of values that can be used to control the symmetric encryption function while converting plaintext into ciphertext. The key space is every value between a key of all zeros and a key of all ones; a 128-bit key therefore has 2^128 possible values, and each additional bit of key length doubles the key space an attacker must search. A key is a binary number used to control the encryption and decryption processes of symmetric encryption. (Note: asymmetric key pairs are also just binary numbers, though their effective security per bit differs.) Keys should be generated by a cryptographically secure random source, never reused, and drawn from the full key space; a key derived from a low-entropy source such as a password occupies only a tiny fraction of the nominal key space.

What is a significant difference between the secure protocols of TLS-encrypted SMTP and the use of S/MIME for the protection of e-mail communications? A)One provides end-to-end protection of messages, while the other only secures a local link. B)One uses digital certificates, while the other only uses password authentications. C)One is used to create digital signatures, while the other creates digital envelopes. D)One uses symmetric encryption, while the other uses asymmetric encryption.

A)One provides end-to-end protection of messages, while the other only secures a local link. A significant difference between TLS-encrypted SMTP and the use of S/MIME for the protection of e-mail communications is that S/MIME provides end-to-end protection of messages, while TLS-encrypted SMTP only secures a local link. S/MIME generates a random symmetric key to encrypt the message, then envelopes that key using the recipient's public key, so only the recipient can recover it: end-to-end encryption from sender to recipient, regardless of how many mail servers relay the message. TLS-encrypted SMTP (usually negotiated with STARTTLS) protects only a single hop, the link between the client and its local mail server. Once the server receives the message, it is back in plaintext on that server, and each subsequent SMTP hop between the sender's server and any intermediate or recipient servers is protected only if that pair of servers also negotiates TLS; otherwise it travels in plaintext. Even when every hop is encrypted, every relaying server still sees the message contents, which S/MIME prevents.

What is the term used to refer to anything that can potentially cause harm to an asset? A)Threat B)Exploit C)Risk D)Vulnerability

A)Threat The term threat refers to anything that can potentially cause harm to an asset. In terms of risk management, a threat is anything that can cause harm. A threat can be an intentional action, an automated program, an accident, or a natural event. All sources of threats must be considered when planning a security strategy.

Why would a system display last login notifications to users once they have successfully entered their credentials? A)To alert users of potential account logon violations B)To inform users of their amount of time since their last connection C)To encourage users to visit more often and stay connected longer D)To discourage users from staying away too long

A)To alert users of potential account logon violations A system displays last login notifications to users once they have successfully entered their credentials in order to alert them to potential account logon violations. The notification shows the time (and often the source) of the last successful logon and any failed logon attempts against the account since then. By reviewing this information, users may become aware that someone else logged into their account or attempted to. If a user suspects fraudulent activity, they should report it immediately to the security department.

What form of monitoring involves the injection of packets into communications in order to measure performance of various elements in the network? A)Collaborative monitoring B)Passive monitoring C)Post mortem monitoring D)Active monitoring

Active monitoring is the form of monitoring which involves the injection of packets into communications in order to measure performance of various elements in the network. The concept behind active monitoring is to introduce a known value or container into an active system and monitor the events around the injected element. In the case of general networking, active monitoring is the activity of injecting a standard network packet and monitoring its progress across network devices on its way to the destination. This is similar to how some highway traffic systems judge congestion by watching a pace vehicle pass through various monitoring points along a stretch of road.

What is the difference between the functions of an IDS and an IPS? A)An IDS is a software solution, while an IPS is a hardware appliance. B)An IDS will stop attacks, while an IPS will record details about violations. C)An IDS will interrupt a communication, while an IPS will notify an administrator. D)An IDS notices violations once they are occurring, while an IPS attempts to stop a violation from being successful.

An IDS notices violations as they are occurring, while an IPS attempts to stop a violation from being successful. Both intrusion detection systems (IDS) and intrusion prevention systems (IPS) are important components of an incident response strategy. An IDS is a more passive technology: typically deployed out of band (for example on a mirror port), it detects violations as they occur or after they have succeeded and raises an alert, so any response it triggers is a reaction. An IPS is a more active technology: deployed inline in the traffic path, it notices attacks as they are attempted and blocks or resets them before they succeed, so its response is proactive. The trade-off is that an inline IPS adds latency and can itself cause an outage on a false positive, which an IDS cannot.

What is an asset? A)Only those items costing more than $10,000 to purchase B)anything required to complete a business task C)All of the equipment in an organization D)Any data set with tangible value

An asset is anything required to complete a business task. If a business task cannot be completed without a particular item, then it is an asset. It does not matter whether an asset is of high or low cost, is a physical object or a digital element, or whether it is unique and proprietary or common and ubiquitous. The purpose of an organization is to perform its mission-critical processes. Thus, anything needed to support or perform those processes is an asset.

How does an attribute-based access control system determine if a subject can access an object? A)It checks for classification labels. B)It compares the job description. C)It evaluates the ACLs. D)It assesses the characteristics of the subject, object, and/or environment.

An attribute-based access control system assesses the characteristics of the subject, object, and/or environment to determine if a subject can access an object. The characteristics or attributes on subjects, objects, and in the environment are used to assess whether a subject is granted or denied access to an object. The characteristics or attributes that determine access are defined by the organization's security policies.
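Added example, not from the original page: a deny-by-default ABAC evaluator in which each rule is a predicate over subject, object and environment attributes. The attributes, rules and decisions are hypothetical; the point is that the same subject and object get different answers as the environment changes, which neither a classification label alone nor a role alone would express.

```python
from datetime import time

# Ordering of sensitivity labels used by the clearance rule (hypothetical scheme).
SENSITIVITY_RANK = {"public": 0, "internal": 1, "confidential": 2}


# Each rule is a predicate over (subject, object, environment) attribute dictionaries.
def same_department(subject, obj, env):
    return subject["department"] == obj["owner_department"]


def clearance_covers_sensitivity(subject, obj, env):
    return SENSITIVITY_RANK[subject["clearance"]] >= SENSITIVITY_RANK[obj["sensitivity"]]


def within_business_hours_or_on_call(subject, obj, env):
    return time(8, 0) <= env["time"] <= time(18, 0) or subject.get("on_call", False)


def managed_device_for_nonpublic(subject, obj, env):
    return env["device_managed"] or obj["sensitivity"] == "public"


POLICY = [
    same_department,
    clearance_covers_sensitivity,
    within_business_hours_or_on_call,
    managed_device_for_nonpublic,
]


def evaluate(subject, obj, env, policy=POLICY):
    """Deny by default: PERMIT only when every rule holds; also report the rules that failed."""
    failed = [rule.__name__ for rule in policy if not rule(subject, obj, env)]
    return ("PERMIT" if not failed else "DENY"), failed


def demo() -> dict:
    """Constructed subjects, object and environments; returns the decision for each request."""
    alice = {"name": "alice", "department": "finance", "clearance": "confidential"}
    bob = {"name": "bob", "department": "engineering", "clearance": "internal", "on_call": True}
    ledger = {"name": "q3-ledger.xlsx", "owner_department": "finance", "sensitivity": "confidential"}
    office = {"time": time(10, 30), "device_managed": True}
    late_personal = {"time": time(22, 15), "device_managed": False}
    return {
        "alice_office": evaluate(alice, ledger, office),
        "alice_late_personal": evaluate(alice, ledger, late_personal),
        "bob_office": evaluate(bob, ledger, office),
    }
```

Alice is permitted from a managed device during business hours but denied for the same file at night from an unmanaged device; Bob is denied regardless of environment because his department and clearance attributes do not satisfy the policy.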

Which cryptography concept is based on trap-door, one-way functions? A)Hashing B)Symmetric C)Steganography D)Asymmetric

Asymmetric is the cryptography concept that is based on trap-door, one-way functions. Most of asymmetric cryptography is known by the name public-key cryptography. Public-key cryptography is a system based on a key pair set comprised of a public key and a private key. The private key is generated through a random process, and then the public key is derived from the private key. The use of the key pair sets results in a system where when one of the key pair members is used to encrypt data, only the other key in the pair set can decrypt the data. This feature is due to the use of trap-door, one-way mathematical functions in the algorithms. A one-way function is a mathematic process that is easily computed in one direction, but which is very difficult or impossible to reverse. A trap-door, one-way function is a mathematical process which cannot be directly inverted or reversed, but with knowledge and possession of an additional secret, the encryption process can be reversed. The private and public keys in public key cryptography each can be used to perform one-way encryption, while the opposite key serves as the trap-door to provide decryption.

Which term is used to indicate the function of access control or defining which subjects can perform various tasks on specific objects? A)Availability B)Accessibility C)Authentication D)Authorization

Authorization is the term used to indicate the function of access control or defining which subjects can perform various tasks on specific objects. Authorization is the second element referenced by Authentication, Authorization, and Accounting (AAA). Authorization defines and controls what subjects can and cannot do.

How can a vulnerability be reduced or eliminated? A)Through delegation B)By improving the asset C)Through monitoring D)By crafting a response strategy

B)By improving the asset A vulnerability can be reduced or eliminated by improving the asset. The weaknesses in an asset are its vulnerabilities. These weak points can be resolved by implementing patches or upgrades or installing defensive countermeasures, such as firewalls or access control. Thus any improvement or upgrading of the asset may reduce or eliminate its vulnerabilities.

What is the result of an access control management process that adds new capabilities to users as their job tasks change over time, but does not perform a regular reassessment of the assigned authorization? A)Fraud and abuse B)Privilege creep C)Collision D)Collusion

B)Privilege creep Privilege creep is the result of an access control management process that adds new capabilities to users as their job tasks change over time, but does not perform a regular reassessment of the assigned authorization. Privilege creep is the result of failing to maintain the principle of least privilege. It is an essential security management task to reassess all privileges on a regular basis. Any excessive privilege is additional and unnecessary risk to the organization.

When an organization is unable to lose more than a few hours of data without experiencing severe consequences, what means or method of backup is most appropriate? A)Online backup B)Real-time backup C)Incremental backup D)Tape storage of backup

B)Real-time backup Real-time backup is the means or method of backup that is most appropriate for an organization which is unable to lose more than a few hours of data without experiencing severe consequences. A real-time backup makes a duplicate copy of all changed or new data as it occurs, so the recovery point objective is measured in seconds or minutes rather than the hours or days of an incremental or tape schedule. This minimizes data loss in the event of storage device failure. To further improve upon the benefits of a real-time backup, it should be stored offsite, so that any major disaster striking the primary facility is unlikely to affect it. Note that real-time replication faithfully copies corruption and malicious encryption as well, so it is usually combined with point-in-time snapshots or versioned copies that allow rolling back to a known-good state.

How are the access control schemes of MAC and RBAC distinguished from DAC? A)They are based on user identity. B)They are not based on user decisions. C)They are not based on assigned labels. D)They are based on object hosted ACLs.

B)They are not based on user decisions. MAC and RBAC are not based on user decisions. Mandatory access control (MAC) and role-based access control (RBAC) are examples of non-discretionary access control, while DAC stands for discretionary access control.

Why are corrective controls important to the long term success of an organization's security implementation? A)They provide a means to determining what took place and who the perpetrator was. B)They return systems and the environment back to a state of normal security. C)They can cause attackers to rethink their actions before actually performing a violation. D)They effectively prevent damage from occurring when attackers attempt a violation.

B)They return systems and the environment back to a state of normal security. Corrective controls are important to the long term success of an organization's security implementation because they are used to return systems and the environment back to a state of normal security. The purpose of a corrective control is to quickly remedy a violation or a change into an unwanted or abnormal state by restoring a system or returning the environment back to a normal secure state. Examples of corrective controls include automated reboots after system failure and the mechanism on a door to reclose and relock it after an employee walks through.

How can an attacker implement a man-in-the-middle attack in a wireless network? A)By cloning client MAC addresses B)Through deployment of a rogue base station C)Through transmission of de-authorization packets D)By eavesdropping on traffic content

B)Through deployment of a rogue base station An attacker can implement a man-in-the-middle attack in a wireless network by deploying a rogue base station, often called an evil twin. The rogue access point is configured to duplicate the Service Set Identifier (SSID), or network name, of the legitimate one and, if necessary, spoofs its MAC address (BSSID) as well. These tactics may fool devices into connecting automatically, or fool users into selecting the rogue access point instead of the valid one; once clients are connected through it, the attacker can relay their traffic to the real network while observing or altering it. The other options support such an attack (de-authentication frames can force clients to reconnect, and eavesdropping reveals what was captured) but do not by themselves place the attacker in the middle.

What is the purpose or benefit of an after-action report in an incident response strategy? A)To have law enforcement provide guidance on handling security breaches B)To learn from events in order to improve future incident handling C)To increase the sensitivity of incident detectors D)To gain sufficient support from senior management

B)To learn from events in order to improve future incident handling The purpose or benefit of an after-action report in an incident response strategy is to learn from events in order to improve future incident handling. The after-action report is also known as a post-mortem review, a post-incident report, or a feedback loop. Incident response policies are crafted based on knowledge from prior security breaches. Each time a new security violation occurs, something new is learned. This new information can be used to improve the incident response procedures in the future. An after-action report is intended as a learning and improvement mechanism. Only by addressing deficiencies or mistakes can incremental improvement be gained. It is the after-action report that allows a benefit to be derived from each breach—namely, learning of new attacks, weaknesses, or exploit approaches which can be detected and defended against in the future.

What is the purpose of a business continuity plan (BCP)? A)To train replacement personnel in the event of a senior executive leaving the organization B)To maintain the ability to perform mission-critical work tasks while dealing with harmful events C)To restore mission-critical tasks D)To define performance requirements and consequences if providers fail to meet quality expectations

B)To maintain the ability to perform mission-critical work tasks while dealing with harmful events The purpose of a business continuity plan (BCP) is to maintain the ability to perform mission-critical work tasks while dealing with harmful events. A BCP is designed to handle minor to moderately damaging events. Any interference or affecting situation that does not result in the full and total loss of mission-critical operations is addressed by the BCP. If mission-critical processes are fully interrupted, then the disaster recovery plan (DRP) is triggered. Organizations should have both BCP and DRP in order to be well prepared to handle any breach or incident that may occur.

Which means of authentication is NOT supported by IPSec? A)Static password B)Digital certificate C)NTLM D)Biometrics

Biometrics is a means of authentication NOT supported by IPsec. During IPsec setup and session establishment, the Internet Key Exchange (IKE) authenticates the two endpoints, not the users behind them, and its methods are pre-shared keys (the static password of this question), digital certificates with signature-based authentication, and, in IKEv2, Extensible Authentication Protocol (EAP) methods through which password-based credentials such as the NTLM-derived MS-CHAPv2 can be carried. Biometric authentication is not among them. The authentication at this stage proves the identity of the endpoint devices rather than of the user or applications that will use the secure channel once it is established. Once the IPsec tunnel is up, user authentication to services and resource hosts can take place over it using any authentication factor, including biometrics.

Which of the following is not considered an example of a non-discretionary access control system? A)MAC B)RBAC C)ACL D)ABAC

C)ACL An access control list (ACL) is not considered an example of a non-discretionary access control system. ACLs are used by discretionary access control (DAC) systems. An ACL is placed on an object to define which subjects have been explicitly granted or denied access to that object.

You are the security practitioner for your company. Management has asked you to implement several security standards as defined by international organizations by adopting new security policies. These standards include both de facto and de jure standards. Which standards should you implement? A)Adopt the de facto standards only. B)Adopt the de jure standards only. C)Adopt security policies that implement both de facto and de jure standards. If the two standards contradict each other, adopt the de jure standard. D)Adopt security policies that implement both de facto and de jure standards. If the two standards contradict each other, adopt the de facto standard.

C)Adopt security policies that implement both de facto and de jure standards. If the two standards contradict each other, adopt the de jure standard. You would adopt security policies that implement both de facto and de jure standards. If the two standards contradict each other, adopt the de jure standard. De facto standards are those that are widely accepted but have not been formally adopted. De jure standards are those that are based on laws or regulations and have been adopted by international standards organizations. De jure standards should take precedence over de facto standards. Other standard terms that you need to understand for the SSCP exam include:
Open standards - Standards that are open to the general public with various associated rights of use.
Adherence to standards - Organizations may opt to adhere entirely to adopted standards. However, some may choose to adopt only selected parts of standards, depending on the industry. Remember that an organization should fully review any standard and analyze how its adoption will affect the organization.
Competing standards - Competing standards most often arise between competing vendors. For example, Microsoft often establishes its own standards for authentication; many times these are based on an industry standard with slight modifications to suit Microsoft's needs. Always compare competing standards to determine which best suits your organization's needs.
Lack of standards - In some areas, particularly where new technology has been developed, standards will not have been formulated yet. Do not let a lack of formal standards prevent you from providing the best security controls for your organization. If you can find similar technology that has formally adopted standards, test the viability of those standards for your solution. In addition, you may want to solicit input from subject matter experts (SMEs).

How is a baseline used in compliance management? A)By reducing risk B)By defining the hardware and software to be present on a new system C)By comparing the current configuration of a system with the required configuration D)By protecting user privacy

C)By comparing the current configuration of a system with the required configuration A baseline is used in compliance management by comparing the current configuration of a system with the required configuration. With the existence of the baseline, which dictates the hardware and software requirements of the organization, it is possible to assess whether a system is in compliance or has fallen out of compliance. Once any gaps are known, remedies can be applied to bring a system back into compliance.
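Added example (not from the original page) of the comparison described above: parsing a constructed sshd_config excerpt and checking it against a hypothetical hardening baseline, reporting drift and missing directives together with the lines needed to remediate.

```python
import re

# Constructed sshd_config excerpt (not from a real host). The second PermitRootLogin
# line is deliberately present: sshd honours the first occurrence of a directive.
SAMPLE_SSHD_CONFIG = """\
# Host sshd configuration
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding no
# a later duplicate that sshd would ignore:
PermitRootLogin no
"""

# Hypothetical hardening baseline: required value per directive.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
}


def parse_sshd_config(text: str) -> dict:
    """Map directive -> value, keeping the first occurrence as sshd does; comments and blanks skipped."""
    config = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # sshd accepts "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        config.setdefault(parts[0], parts[1])
    return config


def check_compliance(current: dict, baseline: dict) -> list:
    """Return (directive, required, actual, status) with status 'ok', 'drift' or 'missing'."""
    findings = []
    for key, required in baseline.items():
        actual = current.get(key)
        if actual is None:
            findings.append((key, required, None, "missing"))  # sshd default applies: a gap
        elif actual.lower() == required.lower():
            findings.append((key, required, actual, "ok"))
        else:
            findings.append((key, required, actual, "drift"))
    return findings


def remediation(findings) -> list:
    """Directive lines that would bring the host back to the baseline."""
    return [f"{key} {required}" for key, required, _, status in findings if status != "ok"]


def demo() -> dict:
    findings = check_compliance(parse_sshd_config(SAMPLE_SSHD_CONFIG), BASELINE)
    return {"findings": findings, "remediation": remediation(findings)}
```

A directive the baseline requires but the file omits is reported as a gap rather than silently passed, since the daemon's default then applies and may not match the baseline.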

What version of AES is used by WPA-2? A)TLS B)RSA C)CCMP D)DHCP

C)CCMP The version of Advanced Encryption Standard (AES) used by WPA2 is Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP). AES itself is a block cipher: it encrypts fixed 128-bit blocks, and a mode of operation is needed to apply it to a stream of variable-length frames and to protect their integrity. CCMP uses AES in CCM mode, which combines counter (CTR) mode for confidentiality with CBC-MAC for integrity; in counter mode the block cipher generates a keystream, so it is used effectively as a stream cipher suited to data in transit. CCMP was defined in IEEE 802.11i for WPA2 and replaced the RC4-based TKIP used by the original WPA.

How can a user be assured that a file downloaded from a vendor's Web site is free from malicious code? A)Check for system compatibility. B)Read reviews about the product. C)Check the file's signature and hash calculation. D)Check the file size.

C)Check the file's signature and hash calculation. The best method for a user to be assured that a file downloaded from a vendor's Web site is free from malicious code is to check the file's signature and hash calculation. A trustworthy vendor will offer a signed downloadable file as well as a hash of the file being offered. The signature verifies that the file is the one the vendor released and not one substituted by an attacker, because only the vendor should hold the private key of its signing certificate. The hash identifies the file: by comparing the hash of the downloaded file to the one published on the download site, users can confirm they received exactly the file being offered, provided the hashes match exactly. The hash alone, however, only detects accidental corruption or tampering with the file by itself; an attacker who can replace the download on a compromised site or mirror can replace the published hash too. The digital signature is what binds the file to the vendor, provided the user obtains and checks the vendor's public key or certificate from an independent, trusted source rather than from the same download page.
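Added example, not from the original page, covering both the certificate-creation question earlier on this page (a CA's private key signing a subject's public key and identity fields) and the download check here. It uses a deliberately tiny textbook RSA (Mersenne-prime moduli, hash reduced into the modulus, no padding) so the arithmetic is visible; it is not secure and no real scheme should look like this. The release bytes, names and attacker scenario are constructed.

```python
import hashlib
import hmac

# --- Toy textbook RSA. Tiny moduli, no padding: illustration only, NOT secure. ---
VENDOR_PRIMES = ((1 << 31) - 1, (1 << 61) - 1)    # Mersenne primes, chosen for visibility
CA_PRIMES = ((1 << 89) - 1, (1 << 107) - 1)
ATTACKER_PRIMES = ((1 << 31) - 1, (1 << 89) - 1)  # the attacker has a key pair of their own


def keygen(p: int, q: int, e: int = 65537):
    """Return (public_key, private_key) as (n, e) and (n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def digest_int(data: bytes, n: int) -> int:
    """SHA-256 of the data reduced into the modulus (a real scheme pads instead of reducing)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private_key, data: bytes) -> int:
    n, d = private_key
    return pow(digest_int(data, n), d, n)


def verify(public_key, data: bytes, signature: int) -> bool:
    n, e = public_key
    return pow(signature, e, n) == digest_int(data, n)


# --- Certificate issuance: the CA signs the subject's identity plus public key. ---
def issue_certificate(ca_private, subject: str, subject_public) -> dict:
    body = f"subject={subject};n={subject_public[0]};e={subject_public[1]}".encode()
    return {"body": body, "signature": sign(ca_private, body)}


def verify_certificate(ca_public, cert: dict) -> bool:
    return verify(ca_public, cert["body"], cert["signature"])


# --- Download verification: published hash and detached signature checked separately. ---
def verify_download(file_bytes: bytes, published_sha256: str, signature: int, vendor_public):
    hash_ok = hmac.compare_digest(hashlib.sha256(file_bytes).hexdigest(), published_sha256)
    sig_ok = verify(vendor_public, file_bytes, signature)
    return hash_ok, sig_ok


def demo() -> dict:
    vendor_pub, vendor_priv = keygen(*VENDOR_PRIMES)
    ca_pub, ca_priv = keygen(*CA_PRIMES)
    _attacker_pub, attacker_priv = keygen(*ATTACKER_PRIMES)

    # Constructed release and what the vendor publishes alongside it.
    release = b"installer-v1.2.3 (constructed sample bytes)"
    published_hash = hashlib.sha256(release).hexdigest()
    published_sig = sign(vendor_priv, release)

    cert = issue_certificate(ca_priv, "vendor.example", vendor_pub)
    forged = {"body": cert["body"].replace(b"vendor.example", b"evil.example"),
              "signature": cert["signature"]}

    corrupted = release[:-1] + b"?"                     # damaged in transit
    trojan = b"installer-v1.2.3 (backdoored)"
    trojan_hash = hashlib.sha256(trojan).hexdigest()   # attacker rewrites the hash on the mirror...
    trojan_sig = sign(attacker_priv, trojan)           # ...but can only sign with their own key

    return {
        "cert_valid": verify_certificate(ca_pub, cert),
        "cert_forged": verify_certificate(ca_pub, forged),
        "genuine": verify_download(release, published_hash, published_sig, vendor_pub),
        "corrupted": verify_download(corrupted, published_hash, published_sig, vendor_pub),
        "trojan_with_rewritten_hash": verify_download(trojan, trojan_hash, trojan_sig, vendor_pub),
    }
```

The last scenario is the one that matters: the replaced file passes the hash check because the attacker replaced the hash as well, and only the signature check, against the vendor's public key obtained independently, rejects it.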

What are the three main components of a smart lock or an electronic access control (EAC) lock? A)Thick metal plating, time based lock, security cameras B)Proximity reader, light sensor, locking mechanism C)Credential reader, locking mechanism, door closed sensor D)Biometric reader, timer, fire suppression system

C)Credential reader, locking mechanism, door closed sensor The typical three main components of a smart lock or an electronic access control (EAC) lock are a credential reader, the locking mechanism, and a door closed sensor. The credential reader might accept push-pin codes, smart cards, or biometrics. When proper credentials are provided, the locking mechanism unlocks the door. Once the door opens, the door closed sensor monitors for the door closing. If it takes too long for the door to close, a warning buzzer may sound. If the door continues to stay open, an alarm is usually triggered. If the door closes, then the locking mechanism is reengaged.

How can a user avoid being seriously harmed by ransomware? A)Avoid becoming infected. B)Use Linux. C)Have an offline backup. D)Pay the required ransom fee.

C)Have an offline backup. A user can avoid being seriously harmed by ransomware by having an offline backup. Ransomware is a malware attack that encrypts user files and then displays a demand notice requiring payment to unlock your files. Usually, payment must be made using the untraceable digital currency of Bitcoin. Ransomware has become a popular attack with many criminal groups as it is a way to obtain money from victims without exposing themselves to bank transaction tracking. Most ransomware uses solidly implemented cryptography, which has no easy work-around or exploit to restore files. Paying the ransom usually results in access to personal files being restored - otherwise word would get around that paying the ransom was worthless, and then other victims would not pay. If you are properly prepared before being hit by ransomware, you can avoid paying the ransom. You must have a reliable and current offline backup. An offline backup is any backup which is not a local, USB-attached, or network-attached storage device, as all of these could be encrypted by ransomware. It is also a backup which is not mapped to a drive letter or a mount point. It must be a backup which cannot be encrypted by a local encryption operation (such as what ransomware implements). Only with such a backup can you restore your data after cleaning up the infected system. Generally, cleanup requires formatting the drive, reinstalling software from trusted sources, and then restoring your backup.

Which procedure is NOT a valid mechanism for performing account proofing when users are attempting to log into their account? A)Send a text message to the user's phone. B)Have the user click a hyperlink in an email message. C)Have the user type in the username and password a second time. D)Ask the user three security questions based upon facts that only the user is likely to know.

C)Have the user type in the username and password a second time. Having the user type in the username and password a second time is NOT a valid mechanism for performing account proofing. This activity would provide no security benefit, especially if the credentials were already entered properly. A valid account proofing mechanism will perform either an in-band or out-of-band exchange of information so that only the valid user would know or receive the information. Any invalid user would be unable to provide the correct response to the process, and thus, be rejected from the system. The following options are valid means for performing account proofing, and thus, are incorrect answers for this question: Send a text message to the user's phone. Have the user click a hyperlink in an email message. Ask the user three security questions based upon facts that only the user is likely to know.

A company is concerned about unauthorized entities attacking their wireless network. The company has chosen to disable SSID broadcast in order to hide their base station and prevent unauthorized connections. Which of the following statements are correct of this scenario? A)It does not resolve the issue because the wireless signal is still present and detectable. B)It resolves the issue because without the SSID, connections to the base station are not possible. C)It does not resolve the issue because the SSID is still present in most other management frames. D)It resolves the issue because it prevents the SSID from being discovered by unauthorized entities.

C)It does not resolve the issue because the SSID is still present in most other management frames. It does not resolve the issue because the Service Set Identifier (SSID) is still present in most other management frames. Thus, the disable SSID feature does not actually hide the network from detection, does not prevent unauthorized connections, and does not prevent attacks. All an attacker needs to do is operate a generic wireless sniffer to collect all packets from the network. In this collection will be numerous management frames which will still have the SSID present and in plaintext. Only the beacon frame is affected by the disable SSID broadcast setting. This feature is a false security item because it only prevents ignorant and innocent wireless clients from connecting to your network. It does nothing to prevent attackers from discovering and attacking the wireless network.

If an organization experiences a disaster level event that damages its ability to perform mission-critical operations, what form of emergency response plan will provide a reliable means to ensure the least amount of downtime? A)Reciprocal agreement B)Cold site C)Multi-site D)Warm site

C)Multi-site If an organization experiences a disaster level event that damages its ability to perform mission-critical operations, a multi-site-based emergency response plan will ensure the least amount of downtime. A multi-site alternative processing plan ensures that an organization is split and divided amongst multiple physical locations instead of being housed in a single facility. In the event of a disaster, the members of the non-affected sites can absorb the workload and personnel from the damaged site while it is being repaired. This has the benefit of having minimal downtime.

Why are the audit findings presented to senior management? A)The bottom-up business structure approach requires it. B)RFC1918 requires it. C)Only with approval can a response plan be implemented. D)No one else in the organization has the expertise to read the report.

C)Only with approval can a response plan be implemented. Audit findings are presented to senior management because a response plan can only be implemented with their approval. It is the responsibility of senior leadership to make the primary business management decisions. This includes reviewing the results of risk analysis and risk assessment, which are the audit findings, and making decisions based on the recommendations of the risk auditing/assessment team. Only with senior management approval can the risk response strategies be implemented, and only with senior management support and backing is such an endeavor able to succeed.

How can someone new to the concept of virtualization quickly get a working guest OS running within a hypervisor? A)Replace the host OS with a bare metal hypervisor. B)Clone an existing OS into a guest OS image. C)Use an appliance. D)Perform a complete new OS install into a virtual machine.

C)Use an appliance. The most efficient way for someone new to the concept of virtualization to quickly get a working guest OS running within a hypervisor is to use an appliance. An appliance or a virtual appliance is a pre-configured, pre-installed, ready-to-use guest OS. This is the best way for someone new to virtualization to get up and running quickly with minimal difficulty.

How long should event logs be retained? A)1 year B)30-60 days C)as defined by company policy D)indefinitely

C)as defined by company policy Event logs should be retained as defined by company policy. The reasons for maintaining logs vary. They include mandates from government regulations, industry guidelines, and others. Such regulations may define a specific length of time to maintain logs, ranging from 30 days to indefinitely. The regulations may also indicate various events or circumstances which may dictate a need to retain logs for a longer period of time, such as due to an investigation. Some regulations prohibit indefinite storage of logs and thus require a destruction deadline. Some contractual obligations may dictate the length of time to retain event logs. In other cases, organizations may adopt industry-based best business practices or adopt their own aspirations for record retention. These and other affecting conditions should be integrated into the company's written security policy, which defines the actually implemented retention parameters.

How is account provisioning commonly accomplished? A)Grant each user full spectrum privileges. B)Assign all users a random number-based name. C)Compartmentalize users into their own individual area of assignment. D)Create user groups based on assigned company department or job responsibility.

Creating user groups based on assigned company department or job responsibility is how account provisioning is commonly accomplished. The process ensures that users are granted privileges and access appropriate to their job responsibilities. The provisioning process is typically detailed in user management, identity management security policies, or both.

When a storage device is taken in as evidence, what is the first step performed by the forensic personnel after starting the chain of custody form and writing out the evidence collection form? A)Make a hash calculation of the contents. B)Create a bit-stream image copy. C)Write an evidence header file to the storage device. D)Connect the device to a write blocker.

D)Connect the device to a write blocker. When a storage device is taken in as evidence, the first step performed by the forensic personnel after starting the chain of custody form and writing out the evidence collection form is to connect the device to a write blocker. The purpose of a write blocker is to physically block the signals from a computer to the storage device that would cause a change to the data on that storage device. A physical write blocker does not have the electronic pathways connected that would send write signals to the drive; only read requests are sent to the storage device. A write blocker is used as additional insurance against accidental evidence corruption.

What is the name of the phase or step of an incident response policy that has the goal of preventing further damage to the organization from a known incident? A)Recovery B)Eradication C)Detection D)Containment

D)Containment Containment is the phase or step of an incident response policy that has the goal of preventing further damage to the organization from a known incident. Containment can include disconnecting affected systems, disabling software or hardware, disconnecting the Internet link, and removing a suspect from the environment.

Which security plan is used to restore normal operations in the event of the full interruption of mission-critical business functions? A)Incident response plan B)Preventive policy C)Acceptable use policy D)Disaster recovery plan

D)Disaster recovery plan The disaster recovery plan (DRP) is the security plan used to restore normal operations in the event of the full interruption of mission-critical business functions. The DRP is triggered when mission-critical business functions are completely lost due to some event. Thus, the ability to perform core business functions needs to be restored. The DRP is designed to address the most severe situations and provides a response plan to return to normal operations.

A man-in-the-middle (MITM) attack occurs when a victim, typically a client, is fooled by a modified resolution process into initiating a connection with a third-party attacker rather than directly to their intended resource host. Which of the following is NOT a technique that can be used to initiate an MITM attack? A)DNS spoofing B)ARP poisoning C)Proxy manipulation D)Password guessing

D)Password guessing

What is a primary goal of a forensic investigator while collecting evidence? A)Collect sufficient evidence. B)Locate evidence to support a pre-determined outcome. C)Prove that a specific suspect committed the crime. D)Preserve evidence integrity.

D)Preserve evidence integrity. One of the primary goals of a forensic investigator while collecting evidence is to preserve evidence integrity. Without evidence integrity, the evidence is of no value and is not admissible in court. Preservation of integrity is one of the requirements of the rules of evidence which determines whether evidence is admissible or not. Forensic investigators should follow standard forensics practices to locate and collect evidence. This includes taking hash calculations of evidence in order to check and verify integrity over time.

What is user entitlement? A)The default level of access given to users by the operating system B)The level of privilege assigned to administrative accounts C)The privileges inherited by a user D)The rights and privileges assigned to a user

D)The rights and privileges assigned to a user User entitlement is the rights and privileges assigned to a user. An entitlement is what is assigned or given to someone; thus, user entitlement is the abilities and access capabilities allocated to a user. User entitlements should be controlled by company policy and restricted based on the concept of the principle of least privilege.

Why would an organization choose to accept risk? A)To reduce liability B)To save money C)No risks can be eliminated fully. D)The risk is of a tolerable level.

D)The risk is of a tolerable level. An organization may choose to accept risk if it is of a tolerable level. This is known as either risk tolerance or risk acceptance. It is the act of choosing to leave a risk as is without implementing any countermeasures. This may be done when the overall remaining risk of an organization has been reduced to a reasonably acceptable level. An acceptable level of risk occurs when the remaining risks are small enough that any damage caused by them would be relatively small and something the organization is willing to absorb. It is also possible that any countermeasures used to address such risks are unavailable or are too expensive for the benefit they would provide. For risk to be legitimately labeled as tolerable or acceptable, it must be formally written out. A risk acceptance document should define the risk and the reason the risk is left as is, and must be signed by senior management.

Why are initialization vectors used as common components of encryption algorithms? A)They start the encryption process at a common point. B)They determine the range of values into which a block can resolve. C)They set the speed of the encryption process. D)They increase the chaos in encrypted output.

D)They increase the chaos in encrypted output. Initialization vectors (IV) are used as common components of encryption algorithms because they increase the chaos in encrypted output. An IV is a random number (or a value obtained by a call within the encryption algorithm to a random number source) which is then used to complete the processing of the algorithm. The addition of randomness into encryption improves the security of the resulting ciphertext. Anyone attempting to break the security of an encrypted data set would have to guess both the key and the IV to decrypt the content.

Which type of secure implementation of client devices has brought back a concept from the mainframe era where systems on a worker's desk have minimal storage and computational capacity? A)Mobile devices B)All-in-one PCs C)Distributed architecture D)Thin clients

D)Thin clients Thin clients are a type of secure implementation of client devices that has brought back a concept from the mainframe era where systems on a worker's desk have minimal storage and computational capacity. A thin client is little more than a display, monitor, and mouse. A thin client has a minimal firmware-based operating system, granting it just enough capacity to access a central server to obtain its streamed or live transferred main operating system. However, even when fully booted, a thin client is simply an interface to remote virtual systems hosted on a central server. A thin client will have no user-accessible local storage and will have minimal processor and RAM. This requires that all storage and processing take place on a central server. A thin client implementation is secure because it prevents the transfer of files to a user-accessible local storage device, and it also prevents users from locally installing unapproved software.

What is the purpose of continuous monitoring? A)To track uptime B)To consume as much storage space as possible C)To discover new technologies D)To record all events that may be related to a violation

D)To record all events that may be related to a violation The purpose of continuous monitoring is to record all events that may be related to a violation. If monitoring is not implemented in a consistent manner, then events will be missed and not recorded into the audit log. It is invalid to manually re-create events after the fact if the monitoring mechanisms failed to catch the event and make a record of it in the audit log. Thus, organizations should implement a continuous monitoring solution which is always recording all events to an audit log. This will provide the most complete perspective on the occurrences within the organization.

Why should forensic investigators give collection priority to the most volatile evidence? A)Volatile evidence is considered hearsay evidence in US courts. B)Volatile evidence is the most persuasive evidence in a court of law. C)Volatile evidence is stored as binary information. D)Volatile evidence has the highest risk of being lost or changed due to the passing of time.

D)Volatile evidence has the highest risk of being lost or changed due to the passing of time. Volatile evidence has the highest risk of being lost or changed due to the passing of time. Thus, forensic investigators should prioritize collecting the most volatile evidence. Forensic investigators will always consider the potential types of evidence that are available to collect and will focus on the most likely relevant items to collect. Within the relevant items, the most volatile should be collected first.

A disaster recovery plan (DRP) should focus on restoring mission-critical services. Part of the DRP is to ensure that recent data is available for processing once mission-critical services are restored. How is data loss addressed in DRP? A)Through understanding the RPO B)By minimizing recovery time with a small RTO C)By implementing redundancies D)By avoiding failure with RAID

Data loss is addressed in DRP through understanding the recovery point objective (RPO). RPO is the amount of data loss that can be experienced before the loss is too great to survive as an organization. It is a type of maximum tolerable downtime (MTD) but in terms of data instead of mission-critical process downtime. RPO is still measured in time, such as a loss of 3 hours, 3 days, or 3 weeks of data. Whatever the organization's RPO is, a backup and recovery scheme should be designed and implemented to ensure that recovery efforts can restore data to a point less than the RPO.

How can a symmetric key be securely exchanged over an insecure communication medium when both sides of the communication do not have key pair sets? A)Digital signatures B)RSA C)Diffie-Hellman D)Digital envelopes

Diffie-Hellman is a means by which a symmetric key is securely exchanged over an insecure communication medium when both sides of the communication do not have key pair sets. Diffie-Hellman is based on a series of one-way operations that prevent any middle-man eavesdropping attacks from being able to predict the resultant exchanged symmetric key. Diffie-Hellman remains the foundation of many key generation and exchange solutions. Diffie-Hellman ephemeral (DHE) ensures that keys do not repeat, which was a potential outcome of the original Diffie-Hellman. Elliptic curve Diffie-Hellman ephemeral (ECDHE) adds the field of elliptic curve mathematics to further improve the reliability and randomness of symmetric keys generated and exchanged by Diffie-Hellman implementations.

What is the primary method of authentication used in a typical PKI deployment? A)Smart cards B)Passwords C)Biometrics D)Digital certificates

Digital certificates are used as the primary method of authentication in a typical PKI deployment. Digital certificates are a key element of PKI because secure operations of data storage and transmission depend upon reliable authentication. PKI (public key infrastructure) can be implemented based on either a public/external or a private/internal certificate authority (CA).

An intrusion prevention system (IPS) is considered a more active security product than that of an intrusion detection system (IDS). Which of the following is an active response? A)Trigger additional logging B)Notify administrators C)Disconnect a session D)Launch analysis engines

Disconnecting a session is an example of an active response that an IPS or IDS may trigger. Other examples of active responses include blocking an IP address, closing a port, shutting down a service or an entire server, disabling a user account, resetting a session, and cancelling an authentication cookie/token/certificate.

Which of the following is any department or division of the US government required to follow? A)802.1x B)PKCS C)FIPS D)X.509 v3

Federal Information Processing Standard (FIPS) includes cryptography regulations that any department or division of the US government is required to follow. FIPS includes a wide range of publicly announced standards set or defined by the US government. Examples include FIPS 140-2 which is "Security Requirements for Cryptographic Modules" and FIPS 197 which is "Advanced Encryption Standard (AES)".

How does hashing detect integrity violations? A)The length of the hash is checked. B)The bit length of the hash must be divisible by three. C)The content of the hash is verified against the standard. D)A before and after hash value is compared.

Hashing is used to detect integrity violations by comparing a before and after hash value. The before and after can be across a period of time or a transmission of data. The before and after hashes are compared by performing an XOR operation. If all the bits of the two hashes are the same, then every bit position will become a zero. Thus the two hashes are exactly the same and the data from which the hashes were generated did not change across the time or transfer event. If they are not the same, then something about the data changed which caused the after hash to not be exactly the same as the before hash.

What is the component of IPSec that handles key generation and distribution? A)Authentication Header B)IP Compression C)Encapsulating Security Payload D)Internet Key Exchange

Internet Key Exchange (IKE) is the component of IPSec that handles key generation and distribution. IKE is composed of three components: Oakley, Secure Key Exchange Mechanism (SKEME), and Internet Security Association Key Management Protocol (ISAKMP). Oakley assists with key generation, SKEME is a mechanism to exchange keys securely, and ISAKMP maintains unique security associations for each IPSec VPN.

When is it appropriate to contact law enforcement when an organization experiences a security breach? A)If a tolerable or accepted risk is realized B)If a violation is more severe than just breaking company policy rules C)If a breach of security occurs D)If an insider uses another employee's credentials

It is appropriate to contact law enforcement when an organization experiences a security breach if a violation is more severe than just breaking company policy rules. If a security violation is a violation of a law, then contacting law enforcement is necessary. It is a good business practice to report all crimes, no matter how significant in the eyes of the victim organization. Not every crime will be thoroughly investigated, especially if there is little digital and physical evidence, the breach was caused by an international entity, or little actual damage was caused to the victim. However, reporting crimes is still important. Reported crimes are often data mined to look for similarities, causations, or other relationships. A particular security breach may be a common predecessor to a larger attack. A single attack experienced by one organization may be an attack repeated against many different victims. This information is used by law enforcement to decide whether or not to investigate on a cursory or in-depth basis.

Why is it important to thoroughly test every business continuity plan (BCP) and disaster recovery plan (DRP)? A)To keep costs to a minimum B)To train personnel on response procedures C)To compare the value of countermeasures D)To discover deficiencies and assess sufficiency

It is important to thoroughly test every business continuity plan (BCP) and disaster recovery plan (DRP) to discover deficiencies and assess sufficiency. Only by testing a plan is it possible to know whether or not the plan will actually work. BCP and DRP plan testing is an essential part of plan development and maintenance. It is foolish, possibly negligent, to design BCP and DRP strategies for the protection of the vitality of an organization but fail to test to confirm that they are sufficient to recover from damage and disasters.

How does mandatory access control determine which objects a subject can access? A)Through the use of classification labels B)By referencing the physical location of the workstation C)Based on the job role of the user D)By checking ACLs

Mandatory access control (MAC) determines which objects a subject can access through the use of classification labels. Each subject and object is assigned a classification level, which is then indicated by a label placed on the subject or object. At the time of attempted access, the labels of each are compared. If the subject has equal or superior classification to that of the object, access is granted. If the subject has inferior classification to that of the object, then access is denied.

Why is mutual authentication preferred over single-sided authentication? A)Mutual authentication does not use open source solutions. B)Mutual authentication requires both entities to prove themselves to each other simultaneously. C)Impersonation is impossible when using mutual authentication. D)Single-sided authentication does not support multifactor authentication.

Mutual authentication requires both entities to prove themselves to each other simultaneously. This makes mutual authentication preferred over single-sided authentication. This form of authentication minimizes the chance of connecting to a false site or accepting a false user. If both entities do not prove genuine, the connection is refused.

How is granular control of objects and resources implemented within a mandatory access control environment? A)Job label B)Logical location assessment C)ACLs on objects D)Need to know

Need to know is the means by which granular control of objects and resources is implemented within a mandatory access control environment. In most MAC environments, there are only a few levels of classification. To provide more granular control over object access, objects of unique value, special use, or sensitive content are restricted by need to know. A subject with the proper clearance for a specific classification label does not gain access to all objects and resources in that level automatically. Instead, subjects are assigned need to know permissions on those objects which are necessary for the completion of assigned work responsibilities.

Once an attacker gains remote control access over a system, they want to retain this illicit access. Some attackers will block the system update service to prevent new updates from fixing vulnerabilities that are needed to maintain remote control over the compromised system. To prevent such a compromised system from allowing the attacker to access resources on the network, what security mechanism should be implemented? A)Network access control B)Complex password authentication C)Intrusion detection system D)A Web security gateway

Network access control (NAC) is the security mechanism that should be implemented in this scenario. NAC will quarantine any system that is out of compliance with the baseline established for the network. Thus, even if an attacker is able to block updates, the system will be placed into quarantine once it is no longer in compliance with required settings and updates. The action of quarantining will not only place the device in a restricted subnet in order to support remediation; it will also likely result in disconnecting the remote attacker, because the victim system will likely have its IP address altered to be placed into the restricted remediation subnet.

In what phase of incident response are new countermeasures implemented? A)Eradication B)Detection C)Recovery D)Containment

New countermeasures are implemented during the recovery phase of incident response. A typical incident response policy involves several key steps, including preparation, detection, notification, containment, eradication, recovery, and feedback review. The goal of the recovery phase is to return the environment back to normal operating conditions. It also includes the installation of new countermeasures to prevent the re-occurrence of the violation.

Which term refers to the security concept that proves a specific individual performed a task and prevents that individual from being able to claim that they did not perform that task? A)Revocation B)Non-repudiation C)Authentication D)Authorization

Non-repudiation is the security concept that proves a specific individual performed a task and prevents that individual from being able to claim that they did not perform that task. Non-repudiation is typically provided as part of a digital signature. The digital signature is the sender's private key encrypted hash of the message. The message is sent along with the digital signature. A recipient will need to obtain the sender's public key in order to decrypt or open the digital signature to extract the sender's original hash digest. The recipient then hashes the received data and compares the before and after hash digests. If the before and after hash digests are the same, then the integrity of the message is verified, which in turn means the correct sender's public key was used. This proves the identity of the sender, which in turn proves that the sender's private key was used to create the signature, which provides for non-repudiation.

What type of access control is typically the first line of defense? A)Administrative B)Logical C)Technical D)Physical

Physical access control is typically the first line of defense. In a layered defense security configuration, the center of the infrastructure contains assets. Around the assets are layers of security protections. These protection layers are organized so that the first or innermost layer is administrative, the next is logical/technical, and the final or exterior layer is physical. Thus physical protections are the first line of defense while personnel are the last line of defense.

According to NIST SP 800-30 Revision 1, what is the first major step in risk assessment? A)Communicate B)Preparation C)Maintain D)Conduct

Preparation is defined as the first major step in risk assessment according to NIST SP 800-30 Revision 1. The purpose of this initial step is to lay a solid foundation for the remainder of the risk assessment processes. The subsequent steps of conduct, communicate, and maintain require solid preparation in order to be completed in a manner supporting an organization's security goals. This preparation would include setting risk goals, selecting assessment methodologies, identifying assumptions, selecting a risk model, and evaluating assessment constraints and limitations.

What is the primary concern for any situation involving the triggering of a disaster recovery plan (DRP)? A)Preservation of human life B)Reducing asset loss C)Avoiding downtime D)Minimizing costs

Preservation of human life is always the primary concern for any situation involving the triggering of a disaster recovery plan (DRP). This is often one of the overlooked elements of DRP because of the breadth and depth of response planning. However, protecting the safety of personnel is always a top priority. Anyone on a business continuity plan (BCP) or DRP development team should remind themselves and the group of the initial task of preserving human life. This helps to keep proper perspective on the other activities involved in responding to breaches, violations, and disasters.

Why are preventive controls important? A)They discourage the attacker from performing the violation. B)They instruct the attacker to only perform benign activities. C)They attempt to stop the violation from being possible. D)They record the occurrence of the violation.

Preventive controls are important because they attempt to stop the violation from being possible. Preventive controls include requiring authentication, setting authorization, using encryption for storage and transmission, locking doors and cabinets, using cable locks on portable equipment, using strong construction materials, and installing fencing. The purpose of a preventive control is to make the violation impossible. It is important to realize that no security mechanism is perfect, so even preventive controls can and do fail. Thus, preventive controls must be combined with other controls, including detective, deterrent, corrective, and directive controls, for a complete security solution.

Which of the following clearance levels or classification labels is not generally used in a government- or military-based MAC scheme? A)Top Secret B)Confidential C)Unclassified D)Proprietary

Proprietary is not a classification label used in a government- or military-based MAC scheme. Proprietary may be a label used in a private sector business-based MAC scheme. The typical classification labels in a government- or military-based MAC scheme are: Unclassified, Confidential, Secret, and Top Secret.

What type of information or data is the basis of most forms of modern cryptography, making modern cryptography possible and encryption cracking significantly more difficult? A)128-bit block sizes B)Static keys C)Randomness D)Key triplet usage

Randomness is the basis of most forms of cryptography. Without randomness, most forms of modern cryptography would not be possible and cracking encryption would be significantly simpler. The use of randomness increases the complexity of the ciphertext output. Thus it makes the act of cryptanalysis or cryptography cracking significantly more difficult. Without randomness, cryptography would be more predictable and thus much easier to break.

To avoid downtime and the need to trigger a business continuity plan (BCP), what preventive technique can be used to avoid single points of failure? A)Update repair documentation B)Thorough security policy C)Performance monitoring D)Redundancy

Redundancy is the preventive technique which can be used to avoid single points of failure. Redundancy is a key element in any strategy to avoid downtime and maintain availability. Redundancy can be implemented as a simultaneous solution or a fail-over solution. Simultaneous redundancy is the implementation of two or more systems supporting a single resource. This increases capacity and avoids the issue of a single system failing, thereby causing the entire service to become inaccessible. Fail-over redundancy is the implementation of a secondary system which remains offline or dormant while the primary system serves the network. When the primary fails, the secondary system takes over. The act of switching from the failed primary to the waiting secondary is the fail-over. This can be configured to occur automatically or require manual administrator action.

What standards-based technology is supported on most platforms and is used as a remote authentication service? A)NTLM B)Kerberos C)TACACS+ D)RADIUS

Remote Authentication Dial-In User Service (RADIUS) is a standards-based technology that is supported on most platforms and is used as a remote authentication service. RADIUS has been updated to address many forms of remote connectivity beyond only dial-up. RADIUS operates over UDP port 1812.

What form of social engineering tricks a victim into contacting the attacker to ask for technical support? A)Reverse social engineering B)MAC spoofing C)Impersonation D)Scarcity

Reverse social engineering is the form of social engineering which tricks a victim into contacting the attacker to ask for technical support. The concept of reverse social engineering is that it involves three steps or phases: advertisement, sabotage, and support. The advertisement is to inform the victim that the attacker is the person to contact when tech support is needed. This could be accomplished by meeting victims in the company parking lot as they leave work, where the attacker would introduce himself as the technical support manager. The attacker would claim that the tech support system has been overlooking support requests and ask to be contacted directly at a personal phone number. If victims believe this false story, then when they need technical support, they would contact the attacker thinking he is the real technical support manager. The attacker then either waits for the victim to need technical support assistance or performs an act of sabotage to force the need for assistance.

What is the term used to describe the event of a certificate authority canceling an issued digital certificate? A)Revocation B)Expiration C)Termination D)Destruction

Revocation is the term used to describe the event of a certificate authority (CA) canceling an issued digital certificate. Reasons for revocation include that the certificate was used in a crime, the user violated the terms of service, or the user changed some aspect of their identity which was being verified by the certificate. The terms of revocation are established and maintained by each CA and published in a document known as the certificate practices statement (CPS). A CA publishes the collection of revoked certificates in a document known as the certificate revocation list (CRL). However, instead of accessing this list directly, most end-point devices use a query-based revocation checking system known as online certificate status protocol (OCSP) to get real-time information from a CA about revocation and validity status of certificates.

An organizational security policy defines the requirements of implementing and managing security. Many of the elements of a security policy are dictated to the organization by many entities, while others are adopted based on other factors. The document type known as a standard clarifies and prioritizes these elements. Which of the following is UNLIKELY to be used as a source for a company's standards? A)Contractual obligations B)Monetary expediency evaluations C)Government regulations D)Industry best practices

Standards should generally NOT be based on monetary expediency evaluations. Selecting security mechanisms based on what is cheapest or easiest to implement is a poor foundation for reliable security. Standards should be based on regulations, contractual obligations, and/or best practices.

What is the benefit of endpoint device encryption for communications? A)It checks for data integrity. B)It avoids system flaw exploitation. C)It prevents denial of service attacks. D)It provides confidentiality of network traffic.

The benefit of endpoint device encryption for communications is that it provides the confidentiality of network traffic. Encryption can provide various security services, including confidentiality, authentication, and non-repudiation. The only benefit included in this list of options is confidentiality. Encryption provides confidentiality protection through the use of symmetric encryption. Authentication is provided by asymmetric cryptography. It either is used to ensure that only the intended recipient receives a secure transmission or it is used to verify the identity of the sender. Non-repudiation is provided by asymmetric public-key cryptography through a digital signature. A digital signature is created by a sender using a private key to encrypt the hash of a message. The recipient verifies the signature which, in turn, proves that the sender used a private key; thus, the sender cannot deny having sent the message.

What is the bit-length, hash-digest output of the SHA-1 hashing algorithm? A)64 B)224 C)160 D)128

The bit-length, hash-digest output of the SHA-1 hashing algorithm is 160 bits.

Why is it important to perform a physical security assessment after a fire, chemical release, or bomb false alarm? A)It gives your organization the opportunity to further train your personnel. B)The assessment might reveal the identity of the perpetrator. C)It is a legal requirement to do so after emergency response personnel have been contacted. D)The event could have been triggered as a distraction to alter physical security mechanisms.

The event could have been triggered as a distraction to alter physical security mechanisms. For example, if your organization has emergency doorways that only have handles on the inside, an attacker could modify the lock mechanism while it is open, allowing personnel to exit the building. Thus, when the door re-closes, it might look closed and secure; but it is actually a means of entry for a future attack. It is essential to perform a thorough physical security assessment after each real or false incident. Additionally, it is also good security management practice to perform a physical security assessment on a periodic basis.

What is the main benefit or distinction of symmetric encryption? A)It can provide secure key exchange over an insecure medium. B)A key pair set is used to provide confidentiality. C)It is a fully scalable encryption scheme. D)A single shared key can perform both encryption and decryption operations.

The main benefit or distinction of symmetric encryption is that a single shared key can perform both encryption and decryption operations. The key concept of symmetric encryption is that of same or sameness. The key that encrypts must be the key that decrypts. Thus, a single shared key between participants is required to support secured communications. A symmetric key can be generated by one side, then exchanged using an asymmetric cryptography digital envelope, or both sides of a communication can participate in the key generation through the use of asymmetric generation and exchange solutions, such as Diffie-Hellman.

What is the most important technology to deploy when implementing a BYOD policy? A)Firewall B)IPS C)DLP D)MDM

The most important technology to deploy when implementing a bring your own device (BYOD) policy is mobile device management (MDM). A BYOD policy allows people to use their personal devices in the business environment. The MDM configures these devices to comply with the organization's security policies.

What is the primary benefit of COPE? A)Granting organizations the ability to track their workers at all times. B)Locking down devices so they only perform approved business tasks. C)Preventing the abuse of personal data stored on devices. D)Giving businesses more control over mobile device security and administration.

The primary benefit of a corporate-owned, personally enabled (COPE) mobile device policy is giving businesses more control over mobile device security and administration. COPE helps a business ensure that the devices that are connected to its internal network or are used by its employees in general meet minimum security capabilities and standards. This avoids the problems with a bring your own device (BYOD) policy, which allows for any device, new or old, secure and insecure, to be used for company interactions. Even when paired with mobile device management (MDM) solutions, a BYOD policy can still expose an organization to exploitation if workers use devices that lack essential security components. COPE gives workers an approved and secure device, which workers can use as if it was a personally provided device.

What is the purpose of a baseline in relation to security monitoring? A)Defines job task procedures B)Evaluates purchasing requirements C)Keeps configurations consistent D)Notices trends away from normal

The purpose of a baseline for security monitoring is to notice trends away from normal. Most of security monitoring is about detecting when activities and events are not normal. It is key to know what is normal in order to detect something different from normal. The baseline provides that recorded or defined normal state as the point of comparison.

Which routing protocol makes routing and forwarding decisions based on a metric derived from the number of other routers that must be crossed to reach a destination? A)ISIS B)BGP C)RIP D)OSPF

The routing protocol that makes routing and forwarding decisions based on a metric derived from the number of other routers that must be crossed to reach a destination is Routing Information Protocol (RIP), a distance-vector routing protocol. Other examples of distance-vector routing protocols include Interior Gateway Routing Protocol (IGRP), Enhanced Interior Gateway Routing Protocol (EIGRP), and Babel. Distance-vector protocols can be effective routing mechanisms. However, they do not take into account other parameters and conditions that can affect the efficiency and reliability of a chosen pathway.

What is the term used to refer to an activity, occurrence, or event which could cause damage or harm to an organization? A)Baseline B)Clipping level C)Incident D)Alarm

The term incident refers to an activity, occurrence, or event which could cause damage or harm to an organization. For an organization to be prepared to respond to incidents, they need to craft an incident response policy. This policy defines what events are considered incidents, which level of incidents requires a response, and what type of response the organization can perform. An incident can be defined as any violation of company policy or law. However, not all company policy violations are illegal actions. Also, not all company policy violations warrant a specific response by the incident response team. Every incident should be recorded into audit records and included in regular analysis reports.

What is the purpose of the user account maintenance mechanism known as account lockout? A)To prevent password-guessing attacks from being successful B)To grant the ability to pass through a mantrap C)To remove an account that was used in a system breach D)To turn off accounts for people no longer employed by the organization

To prevent password-guessing attacks from being successful

A certificate authority (CA) system is used to verify the identity of its customers. The CA system allows general Internet users to access online resources and have some level of knowledge about who the entities are that are hosting online content. For example, a user can be confident in the identity of an online shopping site while making a purchase. How does the CA provide the benefit of verified identity? A)Independent assignment of trust B)Trusted third-party C)Peer trust D)Transitive trust

Trusted third-party is the means by which a certificate authority (CA) system is able to provide the benefit of verified identity. The system acts as a third party between the end user, who is the first party, and the server or resource host, which is the second party. On their own, the user and server may not be able to trust the identity of each other, so they employ the service of a trusted third party, the CA. The CA verifies the identity of its customers, such as the server, and issues a digital certificate to the customer—in this case, a server. The digital certificate is then sent to the visitors of the customer, such as the end user. If the end user trusts in the reputation of the CA that issued the digital certificate, then the user can be assured of the identity of that server, at least to the level the CA is itself trustworthy and the effort to which the CA verified the identity.

What is a means to ensure that endpoint devices can interact with the Internet while minimizing risk of system compromise? A)Only use encrypted communication protocols. B)Implement a weekly backup. C)Use strong authentication. D)Use a virtualized OS.

Use a virtualized OS to ensure that endpoint devices can interact with the Internet while minimizing risk of system compromise. A virtualized OS can be configured to reject any changes made during an operating session and revert to a fixed trusted image version each time the system is used. This tactic would allow for the risky activity of Internet access without placing the system at high risk of system compromise. Even if the virtual OS was breached by malware, the next session launch would revert back to a trusted and safe configuration.

Which of the following is an example of a single-factor authentication being used to gain access to a computer system? A)Using an RSA SecurID token device and entering a private code B)Using a smart card and entering a secret password C)Using a username and a 16-character password D)Using a biometric scan of a fingerprint and entering a PIN

Using a username and a 16-character password is an example of a single-factor authentication being used to gain access to a computer system. Entering a username is an identification activity, and only the password is an authentication factor in this scenario. Both the username and the password are something you know. The activity of entering only a single authentication factor is often a simpler form of gaining access to a system than using a multifactor authentication process. However, it is much less secure. Single-factor authentication can be overcome by a single successful authentication attack, such as guessing, keystroke recording, network intercept, social engineering, or password cracking. Whenever possible, use two or more authentication factors to keep your account more secure.

When using asymmetric cryptography, what is the purpose of using the recipient's public key to perform an encryption function on a data set before sending it to the recipient? A)To support non-repudiation B)To restrict delivery C)To verify integrity D)To prove the identity of the sender

When using asymmetric cryptography, the purpose of using the recipient's public key to perform an encryption function on a data set before sending it to the recipient is to restrict delivery. The mechanism that starts off using the recipient's public key can be called a digital envelope. It is a means to ensure that a communication can only be opened by the intended recipient. Anyone can obtain and use someone's public key. But once that encryption takes place, no one can decrypt the result except the owner of the corresponding private key.

Which wireless configuration protocol can use either RC4 or TKIP for communication encryption? A)SKA B)OSA C)WPA D)WEP

Wi-Fi Protected Access (WPA) is a wireless configuration protocol that can use either Rivest Cipher #4 (RC4) or Temporal Key Integrity Protocol (TKIP) for communication encryption. WPA was released by the WiFi Alliance as an intermediary mechanism to provide secure wireless communications in the expectation that forthcoming WPA-2 would be too complex to implement in smaller environments. WPA, whether using RC4 or TKIP, is vulnerable to exploitation due to increased computational capacity today. WPA should generally be avoided in favor of WPA-2.

Which of the following is valid regarding change management and the need for interoperability? A)You should be able to run the same binary code on any platform. B)You should be able to manage a system remotely from any Internet connection. C)You should be able to exchange data based on common formats, data types, file formats, and/or protocols. D)You should be able to run the same program on multiple systems simultaneously.

You should be able to exchange data based on common formats, data types, file formats, and/or protocols regarding change management and the need for interoperability. This is the basic definition of interoperability. Change management needs to ensure that any pre-existing interoperability capabilities are maintained or re-established after a change is implemented, especially if that interoperability is used as part of a core business function.

Many businesses craft an ethical guidance policy as part of their overall security policy. In the event that there is a conflict between your employer's ethical policy and your own personal ethical views, how should you handle this conflict? A)Contact a lawyer to have the company policy changed. B)Discuss the issue internally with your manager and IT security administrator. C)Post your disagreements with the issue on your social network account. D)Protest the concern by picketing outside of your employer's building.

You should discuss the issue internally with your manager and IT security administrator. A code of ethics is not the law. Thus, your organization can make adjustments to the company policy for everyone, or can make an exception for just you to the specific tenet of the company's ethics policy that you have a conflict with. Open and honest discussion of the conflict internally with the persons of authority is the best approach to address any disagreements with the ethics policy. Discussing ethical concerns internally does not guarantee that the company will make a change in your favor, but it is the first and best option to begin dealing with the issue before it becomes a problem.

Your company is partnering with Verigon to produce a new suite of services for the financial industry. To create and support these new services, both organizations will need to share content and perform collaborative work. The new services are to be offered only to pre-selected and invited clients, rather than being sold openly. How can this new service be configured without significantly increasing the risk to either company's private networks? A)Create a DMZ to host the service, and provide company interaction. B)Configure the service on an internal server, and configure port forwarding. C)Set up the new service in an extranet and provide VPN credentials to Verigon and invited clients. D)Host the new service in a public SaaS cloud.

You should set up the new service in an extranet and provide VPN credentials to Verigon and invited clients. This will protect the private networks of both companies because shared data and resources will be hosted in the extranet. An extranet is a distinct network, run by a private organization, but for the purpose of hosting resources for a specific group of outsiders, such as business partners or high-end clients. Furthermore, access to an extranet is typically controlled by use of a VPN. Thus, only those with valid VPN credentials can connect into the extranet.
