ISC2 Certified in Cybersecurity: Pre and Post Course Assessment
The common term for systems that ensure proper temperature and humidity in the data center. (D4.3 L4.3.1) A) RBAC B) HVAC C) MAC
B is correct. HVAC stands for "heating, ventilation and air conditioning," and is a common industry term. A is incorrect; RBAC is an access control model. C is incorrect; MAC is the physical address of an IT device.
A VLAN is a _____ method of segmenting networks. (D4.3 L4.3.3) A) Secret B) Physical C) Regulated D) Logical
D is correct. VLANs use logical mechanisms to segment networks. A, B and C are incorrect; VLANs use logical mechanisms to segment networks.
Which of the following probably poses the most risk? (D1, L1.2.1) A) A high-likelihood, high-impact event B) A high-likelihood, low-impact event C) A low-likelihood, high-impact event D) A low-likelihood, low-impact event
A is correct. An event that has a significant probability of occurring ("high-likelihood") and also has a severe negative consequence ("high-impact") poses the most risk. The other answers all pose less risk, because either the likelihood or impact is described as "low." This is not to say that these risks can be dismissed, only that they are less significant than the risk posed by answer A.
Guillermo logs onto a system and opens a document file. In this example, Guillermo is: (D3, L3.1.1) A) The subject B) The object C) The process D) The software
A is correct. Guillermo is the subject in this example. B is incorrect; in this example, the file is the object. C is incorrect; in this example, the process is logging on and opening the file. D is incorrect; in this example, the application used to open the file is the software.
In risk management concepts, a(n) ___________ is something or someone that poses risk to an organization or asset. (D1, L1.2.1) A) Fear B) Threat C) Control D) Asset
B is correct. A threat is something or someone that poses risk to the organization; this is the definition of a threat. A is incorrect because "fear" is not generally a term associated with risk management. C is incorrect; a control is something used to mitigate risk. D is incorrect; an asset is something of value, which may need protection.
If two people want to use asymmetric communication to conduct a confidential conversation, how many keys do they need? (D5.1, L5.1.2) A) 1 B) 4 C) 8 D) 11
B is correct. In asymmetric encryption, each party needs their own key pair (a public key and a private key) to engage in confidential communication. A, C and D are incorrect; in asymmetric encryption, each party needs their own key pair for confidential communication.
Aphrodite is a member of (ISC)² and a data analyst for Triffid Corporation. While Aphrodite is reviewing user log data, Aphrodite discovers that another Triffid employee is violating the acceptable use policy and watching streaming videos during work hours. What should Aphrodite do? (D1, L1.5.1) A) Inform (ISC)² B) Inform law enforcement C) Inform Triffid management D) Nothing
C is the best answer. Aphrodite is required by the (ISC)² Code of Ethics to "provide diligent and competent service to principals." This includes reporting policy violations to Triffid management (Triffid is the principal, in this case). A policy violation of this type is not a crime, so law enforcement does not need to be involved, and (ISC)² has no authority over Triffid policy enforcement or employees.
Barry wants to upload a series of files to a web-based storage service, so that people Barry has granted authorization can retrieve these files. Which of the following would be Barry's preferred communication protocol if he wanted this activity to be efficient and secure? (D4, L4.1.2) A) SMTP (Simple Mail Transfer Protocol) B) FTP (File Transfer Protocol) C) SFTP (Secure File Transfer Protocol) D) SNMP (Simple Network Management Protocol)
C is the correct answer; SFTP is designed specifically for this purpose. A, B and D are incorrect; these protocols are either not efficient or not secure in Barry's intended use.
The city of Grampon wants to know where all its public vehicles (garbage trucks, police cars, etc.) are at all times, so the city has GPS transmitters installed in all the vehicles. What kind of control is this? (D1, L1.3.1) A) Administrative B) Entrenched C) Physical D) Technical
D is correct. A GPS unit is part of the IT environment, so this is a technical control. A is incorrect. The GPS unit itself is not a rule or a policy or a process; it is part of the IT environment, so D is a better answer. B is incorrect; "entrenched" is not a term commonly used to describe a particular type of security control, and is used here only as a distractor. C is incorrect; while a GPS unit is a tangible object, it is also part of the IT environment, and it does not interact directly with other physical objects in order to prevent action, so "technical" is a better descriptor, and D is a better answer.
Which of the following is a biometric access control mechanism? (D3, L3.2.1) A) A badge reader B) A copper key C) A fence with razor tape on it D) A door locked by a voiceprint identifier
D is correct. A lock that opens according to a person's voice is a type of biometric access control. A, B and C are all access control mechanisms, but none of them are based on unique physiological characteristics of a person, so they are not biometric systems.
A software firewall is an application that runs on a device and prevents specific types of traffic from entering that device. This is a type of ________ control. (D1, L1.3.1) A) Physical B) Administrative C) Passive D) Technical
D is correct. A software firewall is a technical control, because it is a part of the IT environment. A is incorrect; a software firewall is not a tangible object that protects something. B is incorrect; a software firewall is not a rule or process. Without trying to confuse the issue, a software firewall might incorporate an administrative control: the set of rules which the firewall uses to allow or block particular traffic. However, answer D is a much better way to describe a software firewall. C is incorrect; "passive" is not a term commonly used to describe a particular type of security control, and is used here only as a distractor.
Which of these is the most important reason to conduct security instruction for all employees? (D5.4, L5.4.1) A) Reduce liability B) Provide due diligence C) It is a moral imperative D) An informed user is a more secure user
While all the answers are true, D is the single most important reason to conduct security instruction, because it leads to all the others. A, B and C are incorrect; while true, they are not the most important reason(s).
Archiving is typically done when _________. (D5.1, L5.1.1) A) Data is ready to be destroyed B) Data has lost all value C) Data is not needed for regular work purposes D) Data has become illegal
C is correct. Archiving is the action of moving data from the production environment to long-term storage. A, B and D are incorrect. Archived data still has value and is not ready to be destroyed; it is just not used on a regular basis. Illegal data should not be in the environment at all.
Steve is a security practitioner assigned to come up with a protective measure for ensuring cars don't collide with pedestrians. What is probably the most effective type of control for this task? (D1, L1.3.1) A) Administrative B) Technical C) Physical D) Nuanced
C is correct. Physical controls, such as fences, walls and bollards, will be most likely to ensure cars cannot collide with pedestrians by creating actual barriers between cars and pedestrians. A is incorrect; administrative controls (such as signage and written directions) may be helpful in this situation, but not as helpful as physical controls. B is incorrect because technical controls are typically associated with IT environments and less practical for physical interactions; while helpful, technical controls would most likely not be as useful as physical controls in this situation. D is incorrect because "nuanced" is not a common type of security control, and the word is only used here as a distractor.
Cyril wants to ensure all the devices on his company's internal IT environment are properly synchronized. Which of the following protocols would aid in this effort? (D4, L4.1.2) A) FTP (File Transfer Protocol) B) NTP (Network Time Protocol) C) SMTP (Simple Mail Transfer Protocol) D) HTTP (Hypertext Transfer Protocol)
B is the correct answer; this is the purpose of NTP. A, C and D are incorrect; these do not serve the purpose of synchronization.
Gelbi is a Technical Support analyst for Triffid, Inc. Gelbi sometimes is required to install or remove software. Which of the following could be used to describe Gelbi's account? (D3, L3.1.1) A) Privileged B) Internal C) External D) User
A is correct. This is the description of a privileged account: an account that typically needs greater permissions than a basic user. B and C are incorrect; the question does not specify whether Gelbi connects to the environment from within the network, or from outside. D is incorrect; this is too vague. Gelbi is a user, but has permissions that are typically greater than what basic users have.
A bollard is a post set securely in the ground in order to prevent a vehicle from entering an area or driving past a certain point. Bollards are an example of ______ controls. (D1, L1.3.1) A) Physical B) Administrative C) Drastic D) Technical
A is correct. A bollard is a tangible object that prevents a physical act from occurring; this is a physical control. B and D are incorrect because the bollard is a physical control, not administrative or technical. C is incorrect: "drastic" is not a term commonly used to describe a particular type of security control, and is used here only as a distractor.
The section of the IT environment that is closest to the external world, where we locate IT systems that communicate with the Internet. (D4.3 L4.3.3) A) VLAN B) DMZ C) MAC D) RBAC
B is the correct answer; we often call this portion of the environment the "demilitarized zone." A is incorrect; a VLAN is a way to segment portions of the internal network. C is incorrect; MAC is the physical address of a given networked device. D is incorrect; RBAC is an access control model.
______ is used to ensure that configuration management activities are effective and enforced. (D5.2, L5.2.1) A) Inventory B) Baseline C) Identification D) Verification and audit
D is correct. Verification and audit are methods we use to review the IT environment to ensure that configuration management activities have taken place and are achieving their intended purpose. A, B and C are incorrect; while these are terms related to configuration management, the answer is verification and audit.
Which common cloud service model only offers the customer access to a given application? (D4.3 L4.3.2) A) Lunch as a service (LaaS) B) Infrastructure as a service (IaaS) C) Platform as a service (PaaS) D) Software as a service (SaaS)
D is the correct answer. This is a description of how SaaS works. A is incorrect; this is not a common cloud service model. B is incorrect; IaaS offers much more than just access to a given application. C is incorrect; PaaS offers much more than just access to a given application.
Network traffic originating from outside the organization might be admitted to the internal IT environment or blocked at the perimeter by a ________. (D3, L3.2.1) A) Turnstile B) Fence C) Vacuum D) Firewall
A firewall is a solution used to filter traffic between networks, including between the internal environment and the outside world. D is the correct answer. A and B are incorrect; a turnstile and a fence are physical access control mechanisms. C is incorrect; a vacuum does not affect network traffic, and the term is used here only as a distractor.
A human guard monitoring a hidden camera could be considered a ______ control. (D3, L3.2.1) A) Detective B) Preventive C) Deterrent D) Logical
A is correct. The guard monitoring the camera can identify anomalous or dangerous activity; this is a detective control. B is incorrect; neither the guard nor the camera is actually preventing any activity before it occurs. C is incorrect; because the attacker is unaware of the guard and the camera, there is no deterrent benefit. D is incorrect; the guard is a physical control.
Who dictates policy? (D5.3, L5.3.1) A) The security manager B) The Human Resources office C) Senior management D) Auditors
C is correct. Only senior management has the legal and financial authority to issue policy and accept risk on behalf of the organization. A, B and D are incorrect; only senior management can issue policy.
Which of these is an example of a physical access control mechanism? (D3, L3.2.1) A) Software-based firewall at the perimeter of the network B) A lock on a door C) Network switches that filter according to MAC addresses D) A process that requires two people to act at the same time to perform a function
B is correct. A lock on a door restricts physical access to the area on the other side of the door to only those personnel who have the appropriate entry mechanism (key, badge, etc.). A and C are both technical/logical controls. D is an administrative control.
Which of the following is an example of a "something you know" authentication factor? (D1, L1.1.1) A) User ID B) Password C) Fingerprint D) Iris scan
B is correct. A password is something the user knows and can present as an authentication factor to confirm an identity assertion. A is incorrect because a user ID is an identity assertion, not an authentication factor. C and D are incorrect as they are examples of authentication factors that are something you are, also referred to as "biometrics."
True or False? Business continuity planning is a reactive procedure that restores business operations after a disruption occurs. A) True B) False
B is correct. Business continuity planning is proactive preparation for restoring operations after disruption. Members from across the organization participate in the planning to ensure all systems, processes and operations are accounted for in the plan. A is incorrect; business continuity planning is a proactive procedure to prepare for the restoration of operations after disruption.
Which of the following is probably most useful at the perimeter of a property? (D3, L3.2.1) A) A safe B) A fence C) A data center D) A centralized log storage facility
B is the best answer. Of the options listed, a fence would be most useful at the perimeter of a property. A, C and D are incorrect, because those contain high-value assets which would be better located away from the perimeter of the property, so they can be protected with multiple security controls of varying types.
Ludwig is a security analyst at Triffid, Inc. Ludwig notices network traffic that might indicate an attack designed to affect the availability of the environment. Which of the following might be the attack Ludwig sees? (D4.2 L4.2.1) A) DDOS (distributed denial of service) B) Spoofing C) Exfiltrating stolen data D) An insider sabotaging the power supply
DDOS is an availability attack, often typified by recognizable network traffic; either too much traffic to be processed normally, or malformed traffic. A is the correct answer. B and C are incorrect, because in both these kinds of attacks, the attacker wants the IT environment to continue working properly—if the attacker shut down the environment, the attacker wouldn't be able to use spoofed credentials or exfiltrate stolen data. D is incorrect, because loss of power is not recognized by network traffic, it is recognized by lack of functionality.
A device typically accessed by multiple users, often intended for a single purpose, such as managing email or web pages. (D4.1 L4.1.1) A) Router B) Switch C) Server D) Laptop
A server typically offers a specific service, such as hosting web pages or managing email, and is often accessed by multiple users. C is the correct answer. A and B are incorrect; routers and switches are used to vector network traffic, not to provide specific services. D is incorrect; a laptop is typically only assigned to a single user.
The European Union (EU) law that grants legal protections to individual human privacy. (D1, L1.1.1) A) The Privacy Human Rights Act B) The General Data Protection Regulation C) The Magna Carta D) The Constitution
B is correct: The GDPR is the EU law that treats privacy as a human right. A is incorrect because there is no Privacy Human Rights Act, which is only used here as a distractor. C is incorrect because the Magna Carta is a British law describing the relationship between the monarchy and the people, and does not mention privacy. D is incorrect because the Constitution is the basis of United States federal law, and does not mention privacy.
Which common cloud service model offers the customer the most control of the cloud environment? (D4.3 L4.3.2) A) Lunch as a service (LaaS) B) Infrastructure as a service (IaaS) C) Platform as a service (PaaS) D) Software as a service (SaaS)
B is correct; IaaS offers the customer the most control of the cloud environment, in terms of common cloud service models. A is incorrect; this is not a common cloud service model. C and D are incorrect; IaaS offers the customer more control than any other common cloud service model.
Which of the following is probably the main purpose of configuration management? (D5.2, L5.2.1) A) Keeping out intruders B) Ensuring the organization adheres to privacy laws C) Keeping secret material protected D) Ensuring only authorized modifications are made to the IT environment
D is correct. The main purpose of configuration management is to ensure that there is uniformity throughout the IT environment, and that only authorized modifications are made. A, B and C are incorrect; these may be overall security goals, and configuration management may assist for these purposes, but these are not the main goal of configuration management.
Which of the following is not an appropriate control to add to privileged accounts? (D3, L3.1.1) A) Increased logging B) Multifactor authentication C) Increased auditing D) Security deposit
D is correct. We typically do not ask privileged account holders for security deposits. A, B, and C are incorrect; those are appropriate controls to enact for privileged accounts.
Triffid, Inc., has deployed anti-malware solutions across its internal IT environment. What is an additional task necessary to ensure this control will function properly? (D4.2 L4.2.3) A) Pay all employees a bonus for allowing anti-malware solutions to be run on their systems B) Update the anti-malware solution regularly C) Install a monitoring solution to check the anti-malware solution D) Alert the public that this protective measure has been taken
B is the correct answer. Anti-malware solutions typically work with signatures for known malware; without continual updates, these tools lose their efficacy. A, C and D are incorrect; these measures will not aid in the effectiveness of anti-malware solutions.
One of the benefits of computer-based training (CBT): (D5.4, L5.4.1) A) Expensive B) Scalable C) Personal interaction with instructor D) Interacting with other participants
B is the correct answer. CBT is completely scalable, because it can be replicated uniformly for any number of users. A, C and D are incorrect; these are not characteristics of CBT.
What is the most important goal of a business continuity effort? (D2, L2.2.1) A) Ensure all IT systems function during a potential interruption B) Ensure all business activities are preserved during a potential disaster C) Ensure the organization survives a disaster D) Preserve health and human safety
In all security efforts, preserving health and human safety is paramount, so D is the correct answer. A, B and C are incorrect because D takes precedence over any of them.
In risk management concepts, a(n) _________ is something a security practitioner might need to protect. (D1, L1.2.1) A) Vulnerability B) Asset C) Threat D) Likelihood
B is correct. An asset is anything with value, and a security practitioner may need to protect assets. A, C, and D are incorrect because vulnerabilities, threats and likelihood are terms associated with risk concepts, but are not things that a practitioner would protect.
An attacker outside the organization attempts to gain access to the organization's internal files. This is an example of a(n) ______. (D2, L2.1.1) A) Intrusion B) Exploit C) Disclosure D) Publication
A is correct. An intrusion is an attempt (successful or otherwise) to gain unauthorized access. B is incorrect; the question does not mention what specific attack or vulnerability was used. C and D are incorrect; the organization did not grant unauthorized access or release the files.
When data has reached the end of the retention period, it should be _____. (D5.1, L5.1.1) A) Destroyed B) Archived C) Enhanced D) Sold
At the end of the retention period, data should be securely destroyed. A is the correct answer. B, C and D are incorrect; data must be securely destroyed at the end of the retention period.
Triffid Corporation has a policy that all employees must receive security awareness instruction before using email; the company wants to make employees aware of potential phishing attempts that the employees might receive via email. What kind of control is this instruction? (D1, L1.3.1) A) Administrative B) Finite C) Physical D) Technical
A is correct. Both the policy and the instruction are administrative controls; rules and governance are administrative. B is incorrect; "finite" is not a term commonly used to describe a particular type of security control, and is used here only as a distractor. C is incorrect; training is not a tangible object, so this is not a physical control. D is incorrect; training is not part of the IT environment, so it is not a technical control.
Prachi works as a database administrator for Triffid, Inc. Prachi is allowed to add or delete users, but is not allowed to read or modify the data in the database itself. When Prachi logs onto the system, an access control list (ACL) checks to determine which permissions Prachi has. In this situation, what is Prachi? (D3, L3.1.1) A) The subject B) The rule C) The file D) The object
A is correct. In this situation, Prachi is the subject in the subject-object-rule relationship. Prachi manipulates the database; this makes Prachi the subject. B and D are incorrect, because Prachi is the subject in this situation. C is incorrect, because Prachi is not, and never will be, a file.
Prachi works as a database administrator for Triffid, Inc. Prachi is allowed to add or delete users, but is not allowed to read or modify the data in the database itself. When Prachi logs onto the system, an access control list (ACL) checks to determine which permissions Prachi has. In this situation, what is the database? (D3, L3.1.1) A) The object B) The rule C) The subject D) The site
A is correct. Prachi is manipulating the database, so the database is the object in the subject-object-rule relationship in this case. B and C are incorrect, because the database is the object in this situation. D is incorrect because "site" has no meaning in this context.
Triffid Corporation has a rule that all employees working with sensitive hardcopy documents must put the documents into a safe at the end of the workday, where they are locked up until the following workday. What kind of control is the process of putting the documents into the safe? (D1, L1.3.1) A) Administrative B) Tangential C) Physical D) Technical
A is the correct answer. The process itself is an administrative control; rules and practices are administrative. The safe itself is physical, but the question asked specifically about process, not the safe, so C is incorrect. Neither the safe nor the process is part of the IT environment, so this is not a technical control; D is incorrect. B is incorrect; "tangential" is not a term commonly used to describe a particular type of security control, and is used here only as a distractor.
Which type of fire-suppression system is typically the safest for humans? (D4.3 L4.3.1) A) Water B) Dirt C) Oxygen-depletion D) Gaseous
A is correct as it is the safest fire-suppression system listed that is typically used. B is incorrect; dirt is rarely used in fire suppression, and then usually only for forest fires. C is incorrect; humans require oxygen. D is incorrect; gaseous fire-suppression systems typically pose more hazard to humans than water-based systems.
What is the goal of an incident response effort? (D2, L2.1.1) A) No incidents ever happen B) Reduce the impact of incidents on operations C) Punish wrongdoers D) Save money
B is correct. The overall incident response effort is to reduce the impact incidents might have on the organization's operations. A is incorrect; there is no such thing as "zero risk" or "100% security." C is incorrect; security practitioners are neither law enforcers nor superheroes. D is incorrect; incident response efforts may actually cost the organization more money than the impact of a given incident or set of incidents - "impact" can be measured in other ways than monetary results.
A vendor sells a particular operating system (OS). In order to deploy the OS securely on different platforms, the vendor publishes several sets of instructions on how to install it, depending on which platform the customer is using. This is an example of a ________. (D1, L1.4.2) A) Law B) Procedure C) Standard D) Policy
B is correct. This is a set of instructions to perform a particular task, so it is a procedure (several procedures, actually—one for each platform). A is incorrect; the instructions are not a governmental mandate. C is incorrect, because the instructions are particular to a specific product, not accepted throughout the industry. D is incorrect, because the instructions are not particular to a given organization.
Carol is browsing the Web. Which of the following ports is she probably using? (D4, L4.1.2) A) 12 B) 80 C) 247 D) 999
B is the correct answer; port 80 is used for HTTP traffic, and HTTP is a Web-browsing protocol. A, C and D are incorrect; these ports are not used by Web browsers.
The Payment Card Industry (PCI) Council is a committee made up of representatives from major credit card providers (Visa, Mastercard, American Express) in the United States. The PCI Council issues rules that merchants must follow if the merchants choose to accept payment via credit card. These rules describe best practices for securing credit card processing technology, activities for securing credit card information, and how to protect customers' personal data. This set of rules is a _____. (D1, L1.4.2) A) Law B) Policy C) Standard D) Procedure
C is correct. This set of rules is known as the Data Security Standard, and it is accepted throughout the industry. A is incorrect, because this set of rules was not issued by a governmental body. B is incorrect, because the set of rules is not a strategic, internal document published by senior leadership of a single organization. D is incorrect, because the set of rules is not internal to a given organization and is not limited to a single activity.
Which of the following activities is usually part of the configuration management process, but is also extremely helpful in countering potential attacks? (D4.2 L4.2.3) A) Annual budgeting B) Conferences with senior leadership C) Updating and patching systems D) The annual shareholders' meeting
C is the correct answer. Keeping systems up to date is typically part of both the configuration management process and enacting best security practices. A, B and D are incorrect; these activities are neither part of the configuration management process nor a best security practice.
Prina is a database manager. Prina is allowed to add new users to the database, remove current users and create new usage functions for the users. Prina is not allowed to read the data in the fields of the database itself. This is an example of: (D3, L3.3.1) A) Role-based access controls (RBAC) B) Mandatory access controls (MAC) C) Discretionary access controls (DAC) D) Alleviating threat access controls (ATAC)
A is correct. Role-based access controls often function in this manner, where the employee's job responsibilities dictate exactly which kinds of access the employee has. This also enforces the concept of "least privilege." B and C are incorrect; those access control models don't function in the same way as RBAC. D is incorrect; there is no ATAC in this context, and the term is only used here as a distractor.
Sophia is visiting Las Vegas and decides to put a bet on a particular number on a roulette wheel. This is an example of _________. (D1, L1.2.2) A) Acceptance B) Avoidance C) Mitigation D) Transference
A is correct. Sophia is accepting the risk that the money will be lost, even though the likelihood is high; Sophia has decided that the potential benefit (winning the bet), while low in likelihood, is worth the risk. B is incorrect; if Sophia used avoidance, Sophia would not place the bet. C is incorrect; mitigation involves applying a control to reduce the risk. There is no practical (or legal) way to reduce the risk that Sophia will lose the bet. D is incorrect; if Sophia wanted to transfer the risk, Sophia might ask some friends to each put up a portion of the bet, so that they would all share the loss (or winnings) from the bet.
For which of the following assets is integrity probably the most important security aspect? (D1, L1.1.1) A) One frame of a streaming video B) The file that contains passwords used to authenticate users C) The color scheme of a marketing website D) Software that checks the spelling of product descriptions for a retail website
B is correct. If a password file is modified, the impact to the environment could be significant; there is a possibility that all authorized users could be denied access, or that anyone (including unauthorized users) could be granted access. The integrity of the password file is probably the most crucial of the four options listed. A is incorrect because one frame of an entire film, if modified, probably would have little to no effect whatsoever on the value of the film to the viewer; a film has thousands (or tens of thousands, or millions) of frames. C is incorrect because a change in marketing material, while significant, is not as crucial as the integrity of the password file described in Answer B. D is incorrect because a typo in a product description is not likely to be as important as the integrity of the password file described in Answer B.
Suvid works at Triffid, Inc. When Suvid attempts to log in to the production environment, a message appears stating that Suvid has to reset the password. What may have occurred to cause this? A) Suvid broke the law B) Suvid's password has expired C) Suvid made the manager angry D) Someone hacked Suvid's machine
B is correct. Typically, users are required to reset passwords when the password has reached a certain age. Permanent passwords are more likely to be compromised or revealed. A, C and D are incorrect; these are not likely reasons to require password refresh.
Kerpak works in the security office of a medium-sized entertainment company. Kerpak is asked to assess a particular threat, and he suggests that the best way to counter this threat would be to purchase and implement a particular security solution. This is an example of _______. (D1, L1.2.2) A) Acceptance B) Avoidance C) Mitigation D) Transference
C is correct. Applying a security solution (a type of control) is an example of mitigation. A is incorrect; if Kerpak suggested acceptance, then the threat, and the acceptance of the associated risk, only needs to be documented—no other action is necessary. B is incorrect; if Kerpak suggested avoidance, the course of action would be to cease whatever activity was associated with the threat. D is incorrect; if Kerpak suggested transference, this would involve forming some sort of risk-sharing relationship with an external party, such as an insurance underwriter.
At Parvi's place of work, the perimeter of the property is surrounded by a fence; there is a gate with a guard at the entrance. All inner doors only admit personnel with badges, and cameras monitor the hallways. Sensitive data and media are kept in safes when not in use. This is an example of: (D3, L3.1.1) A) Two-person integrity B) Segregation of duties C) Defense in depth D) Penetration testing
C is correct. Defense in depth is the use of multiple different (and different types of) overlapping controls to provide sufficient security. A and B are incorrect; nothing in the question suggested that two-person integrity or segregation of duties are being used in Parvi's workplace. D is incorrect; this is not a description of penetration testing.
Druna is a security practitioner tasked with ensuring that laptops are not stolen from the organization's offices. Which sort of security control would probably be best for this purpose? (D1, L1.3.1) A) Technical B) Obverse C) Physical D) Administrative
C is the best answer. Because laptops are tangible objects, and Druna is trying to ensure that these objects are not moved from a certain place, physical controls are probably best for the purpose. A is incorrect; technical controls might help detect an attempt to steal a laptop, or locate the laptop after it has been stolen, but won't prevent the laptop from being taken. B is incorrect; "obverse" is not a term commonly used to describe a particular type of security control, and is used here only as a distractor. D is incorrect; administrative controls may help reduce theft, such as ensuring that laptops are not left in a place unobserved, but won't prevent the laptop from being taken.
Garfield is a security analyst at Triffid, Inc. Garfield notices that a particular application in the production environment is being copied very quickly, across systems and devices utilized by many users. What kind of attack could this be? (D4.2 L4.2.1) A) Spoofing B) Side channel C) Trojan D) Worm
D is correct. Activity of this type, where an application or file is replicating rapidly across an entire environment, is often indicative of a worm. A is incorrect; spoofing uses captured credentials for the attack, not replication of apps. B is incorrect; a side channel attack is typically entirely passive. C is incorrect; while a Trojan horse method might be used to introduce a worm to the environment, not all Trojans are worms.
What is the goal of Business Continuity efforts? (D2, L2.2.1) A) Save money B) Impress customers C) Ensure all IT systems continue to operate D) Keep critical business functions operational
D is correct. Business Continuity efforts are about sustaining critical business functions during periods of potential interruption, such as emergencies, incidents, and disasters. A is incorrect; Business Continuity efforts often require significant financial expenditures. B is incorrect; Business Continuity efforts are important regardless of whether customers are impressed. C is incorrect; Business Continuity efforts should focus specifically on critical business functions, not the entire IT environment.
For which of the following systems would the security concept of availability probably be most important? (D1, L1.1.1) A) Medical systems that store patient data B) Retail records of past transactions C) Online streaming of camera feeds that display historical works of art in museums around the world D) Medical systems that monitor patient condition in an intensive care unit
D is correct. Information that reflects patient condition is data that necessarily must be kept available in real time, because that data is directly linked to the patients' well-being (and possibly their life). This is, by far, the most important of the options listed. A is incorrect because stored data, while important, is not as critical to patient health as the monitoring function listed in answer D. B is incorrect because retail transactions do not constitute a risk to health and human safety. C is incorrect because displaying artwork does not reflect a risk to health and human safety; also because the loss of online streaming does not actually affect the asset (the artwork in the museum) in any way—the art will still be in the museum, regardless of whether the camera is functioning.
Prachi works as a database administrator for Triffid, Inc. Prachi is allowed to add or delete users, but is not allowed to read or modify the data in the database itself. When Prachi logs onto the system, an access control list (ACL) checks to determine which permissions Prachi has. Which security concept is being applied in this situation? (D3, L3.1.1) A) Defense in depth B) Layered defense C) Two-person integrity D) Least privilege
D is correct. This is an example of least privilege; Prachi needs to be able to add or delete users from the database in order to perform as a database administrator, but does not need to view or modify the data in the database itself in order to perform the job. A and B are incorrect; "defense in depth" and "layered defense" are two terms that mean the same thing: multiple (and multiple types of) overlapping controls to protect assets. Nothing in the question describes multiple controls. C is incorrect; no second person is involved in Prachi's activity.
Which of the following is one of the common ways potential attacks are often identified? (D4.2 L4.2.2) A) The attackers contact the target prior to the attack, in order to threaten and frighten the target B) Victims notice excessive heat coming from their systems C) The power utility company warns customers that the grid will be down and the internet won't be accessible D) Users report unusual systems activity/response to Help Desk or the security office
Users often act as an attack-detection capability (although many user reports might be false positives). D is the correct answer. A and C are incorrect; unfortunately, we rarely get advance notification of impending threats to the environment. B is incorrect; attacks are not typically identified by physical manifestations.
The Triffid Corporation publishes a policy that states all personnel will act in a manner that protects health and human safety. The security office is tasked with writing a detailed set of processes on how employees should wear protective gear such as hardhats and gloves when in hazardous areas. This detailed set of processes is a _________. (D1, L1.4.1) A) Policy B) Procedure C) Standard D) Law
B is correct. A detailed set of processes used by a specific organization is a procedure. A is incorrect; the policy is the overarching document that requires the procedure be created and implemented. C is incorrect. The procedure is not recognized and implemented throughout the industry; it is used internally. D is incorrect; the procedure was created by Triffid Corporation, not a governmental body.
Glen is an (ISC)² member. Glen receives an email from a company offering a set of answers for an (ISC)² certification exam. What should Glen do? (D1, L1.5.1) A) Nothing B) Inform (ISC)² C) Inform law enforcement D) Inform Glen's employer
B is correct. The (ISC)² Code of Ethics requires that members "advance and protect the profession"; this includes protecting test security for (ISC)² certification material. (ISC)² (and every (ISC)² member) has a vested interest in protecting test material, and countering any entity that is trying to undermine the validity of the certifications. This is, however, not a matter for law enforcement; if it turns out that law enforcement must be involved, (ISC)² will initiate that activity. Glen's employer has no bearing on this matter.
The logical address of a device connected to the network or Internet. (D4.1 L4.1.1) A) Media access control (MAC) address B) Internet Protocol (IP) address C) Geophysical address D) Terminal address
B is correct. The IP address is the logical address assigned to a device connected to a network or the Internet. A is incorrect; the MAC address of a device is its physical address. C is incorrect; the geophysical address is typically the postal address assigned to a building, not an IT device. D is incorrect; "terminal address" has no meaning in this context, and is only used here as a distractor.
Siobhan is an (ISC)² member who works for Triffid Corporation as a security analyst. Yesterday, Siobhan got a parking ticket while shopping after work. What should Siobhan do? (D1, L1.5.1) A) Inform (ISC)² B) Pay the parking ticket C) Inform supervisors at Triffid D) Resign employment from Triffid
B is the best answer. A parking ticket is not a significant crime, besmirchment of character or moral failing, and has nothing to do with Siobhan's duties for Triffid. Even though the (ISC)² Code of Ethics requires that members act "legally," and "protect the profession," a parking ticket does not reflect poorly on Siobhan, Triffid, (ISC)², or the security profession. Siobhan should, however, pay the ticket.
Inbound traffic from an external source seems to indicate much higher rates of communication than normal, to the point where the internal systems might be overwhelmed. Which security solution can often identify and potentially counter this risk? (D4.2 L4.2.2) A) Firewall B) Turnstile C) Anti-malware D) Badge system
A is correct. Firewalls can often identify hostile inbound traffic, and potentially counter it. B and D are incorrect; these are physical controls and aren't effective in identifying/countering communications attacks. C is incorrect; anti-malware is not typically useful in countering attacks that employ excess traffic as an attack mechanism.
The output of any given hashing algorithm is always _____. (D5.1, L5.1.3) A) The same length B) The same characters C) The same language D) Different for the same inputs
A is correct. Hashing algorithms create output of a fixed length. B is incorrect; the characters in the output will change depending on the input. C is incorrect; hashing algorithms do not create output in any particular language—usually, the output is a mix of alphanumeric characters. D is incorrect; hash outputs should be the same when the same input is used.
Which of the following is likely to be included in the business continuity plan? (D2, L2.2.1) A) Alternate work areas for personnel affected by a natural disaster B) The organization's strategic security approach C) Last year's budget information D) Log data from all systems
A is correct. The business continuity plan should include provisions for alternate work sites, if the primary site is affected by an interruption, such as a natural disaster. B is incorrect; the organization's strategic security approach should be included in the organization's security policy. C is incorrect; budgetary information is not typically included in the business continuity plan. D is incorrect; log data is not typically included in the business continuity plan.
Who approves the incident response policy? (D2, L2.1.1) A) (ISC)² B) Senior management C) The security manager D) Investors
B is correct. The organization's senior management are the only entities authorized to accept risk on behalf of the organization, and therefore all organizational policies must be approved by senior management. A is incorrect; (ISC)² has no authority over individual organizations. C is incorrect; the security manager will likely be involved in crafting and implementing the policy, but only senior management can approve it. D is incorrect; investors leave policy review and approval to senior management.
Preenka works at an airport. There are red lines painted on the ground next to the runway; Preenka has been instructed that nobody can step or drive across a red line unless they request, and get specific permission from, the control tower. This is an example of a(n)______ control. (D1, L1.3.1) A) Physical B) Administrative C) Critical D) Technical
B is correct. The process of requesting and getting permission, and the painted signage, are examples of administrative controls. A is incorrect; while the line is painted on the ground (and the ground is a tangible object), the line does not actually act to prevent or control anything—the line is a symbol and indicator; Preenka could easily walk across the line, if Preenka chose to do so. C is incorrect; "critical" is not a term commonly used to describe a particular type of security control, and is used here only as a distractor. D is incorrect; a painted line is not an IT system or part of the IT environment.
Bert wants to add a flashlight capability to a smartphone. Bert searches the internet for a free flashlight app, and downloads it to the phone. The app allows Bert to use the phone as a flashlight, but also steals Bert's contacts list. What kind of app is this? (D4.2 L4.2.1) A) DDOS B) Trojan C) Side channel D) On-path
B is correct. This is a textbook example of a Trojan horse application. Bert has intentionally downloaded the application with the intent to get a desired service, but the app also includes a hostile component Bert is unaware of. A is incorrect; DDOS involves multiple attacking machines trying to affect the availability of the target. C is incorrect; a side channel attack is passive and generally only observes operational activity, instead of capturing and exfiltrating specific data. D is incorrect; an on-path attack involves the attackers inserting themselves between communicating parties.
A means to allow remote users to have secure access to the internal IT environment. (D4.3 L4.3.3) A) Internet B) VLAN C) MAC D) VPN
D is correct; a virtual private network protects communication traffic over untrusted media. A is incorrect; the internet is an untrusted medium. B is incorrect; VLANs are used to segment portions of the internal environment. C is incorrect; MAC is the physical address of a given networked device.
Which of the following would be considered a logical access control? A) An iris reader that allows an employee to enter a controlled area B) A fingerprint reader that allows an employee to enter a controlled area C) A fingerprint reader that allows an employee to access a laptop computer D) A chain attached to a laptop computer that connects it to furniture so it cannot be taken
Logical access controls limit who can gain user access to a device/system. C is the correct answer. A, B and D are all physical controls, as they limit physical access to areas and assets.
Gary is unable to log in to the production environment. Gary tries three times and is then locked out of trying again for one hour. Why? (D3, L3.3.1) A) Gary is being punished B) The network is tired C) Users remember their credentials if they are given time to think about it D) Gary's actions look like an attack
Repeated login attempts can resemble an attack on the network; attackers might try to log in to a user's account multiple times, using different credentials, in a short time period, in an attempt to determine the proper credentials. D is correct. A is incorrect; security policies and processes are not intended to punish employees. B is incorrect; IT systems do not get tired. C is incorrect; the delay is not designed to help users remember credentials.
A tool that monitors local devices to reduce potential threats from hostile software. (D4.2 L4.2.3) A) NIDS (network-based intrusion-detection systems) B) Anti-malware C) DLP (data loss prevention) D) Firewall
B is correct; this is the purpose of anti-malware solutions. A, C and D are incorrect; these solutions are not typically designed to identify and counter malware.
Visitors to a secure facility need to be controlled. Controls useful for managing visitors include all of the following except: (D3, L3.2.1) A) Sign-in sheet/tracking log B) Fence C) Badges that differ from employee badges D) Receptionist
B is the best answer. A fence is useful for controlling visitors, authorized users and potential intruders. This is the only control listed among the possible answers that is not specific to visitors. A, C and D are all controls that should be used to manage visitors.
If two people want to use symmetric encryption to conduct a confidential conversation, how many keys do they need? (D5.1, L5.1.3) A) 1 B) 3 C) 8 D) none
A is correct. In symmetric cryptography, confidential communication is achieved through the use of one, shared key. B, C and D are incorrect; symmetric encryption uses one shared key between parties for confidential communication.
What is the risk associated with resuming full normal operations too soon after a DR effort? (D2, L2.3.1) A) The danger posed by the disaster might still be present B) Investors might be upset C) Regulators might disapprove D) The organization could save money
A is correct. Resuming full normal operations too soon after a disaster might mean personnel are put in danger by whatever effects the disaster caused. B and C are incorrect because the feelings of investors and regulators are not the primary concern of DR efforts. D is incorrect; saving money is not a risk, it is a benefit.
In order for a biometric security system to function properly, an authorized person's physiological data must be ______. (D3, L3.2.1) A) Broadcast B) Stored C) Deleted D) Modified
B is correct. A biometric security system works by capturing and recording a physiological trait of the authorized person and storing it for comparison whenever that person presents the same trait in the future. A is incorrect; access control information should not be broadcast. C is incorrect; if all biometric data is erased, the data cannot be used for comparison purposes to grant access later. D is incorrect; biometric data should not be modified, or it may become useless for comparison purposes.
Proper alignment of security policy and business goals within the organization is important because: (D5.3, L5.3.1) A) Security should always be as strict as possible B) Security policy that conflicts with business goals can inhibit productivity C) Bad security policy can be illegal D) Security is more important than business
B is correct. Security is a support function in most organizations, not a business function; therefore, security policy must conform to business needs to avoid inhibiting productivity. A is incorrect; security that is too strict can cause the organization to fail in its business purpose—the right balance has to be created. C is incorrect; while it is true that policies might violate the law if improperly crafted, that is not a reason to align the policy to the business goals (business goals should not violate the law, either). D is incorrect; business goals are typically more important than security.
Trina is a security practitioner at Triffid, Inc. Trina has been tasked with selecting a new product to serve as a security control in the environment. After doing some research, Trina selects a particular product. Before that product can be purchased, a manager must review Trina's selection and determine whether to approve the purchase. This is a description of: (D3, L3.1.1) A) Two-person integrity B) Segregation of duties C) Software D) Defense in depth
B is correct. Segregation of duties, also called separation of duties, is used to reduce the potential for corruption or fraud within the organization. More than one person must be involved in a given process in order to complete that process. A is incorrect; Trina and the manager are not both required to be present for the transaction. C is incorrect; software is a term used to describe programs and applications. D is incorrect; defense in depth is the use of multiple (and multiple types of) overlapping security controls to protect assets.
Which of the following is not a typical benefit of cloud computing services? (D4.3 L4.3.2) A) Reduced cost of ownership/investment B) Metered usage C) Scalability D) Freedom from legal constraints
D is correct. Moving data/operations into the cloud does not relieve the customer from legal constraints (and may even increase them). A, B and C are all common benefits of cloud services, and are therefore incorrect answers.
Which of the following are not typically involved in incident detection? (D2, L2.1.1) A) Users B) Security analysts C) Automated tools D) Regulators
D is correct. Typically, regulators do not detect incidents, nor alert organizations to the existence of incidents. All the other answers are often involved in incident detection.
Phrenal is selling a used laptop in an online auction. Phrenal has estimated the value of the laptop to be $100, but has seen other laptops of similar type and quality sell for both more and less than that amount. Phrenal hopes that the laptop will sell for $100 or more, but is prepared to take less for it if nobody bids that amount. This is an example of ___________. (D1, L1.2.2) A) Risk tolerance B) Risk inversion C) Threat D) Vulnerability
A is correct. Phrenal has decided there is an acceptable level of risk associated with the online sale of the laptop; this is within Phrenal's risk tolerance. B is incorrect; "risk inversion" is a term with no actual meaning, and is used here only as a distractor. C is incorrect; a threat is something or someone that poses risk—the sale of the laptop does not pose risk to Phrenal, only a lesser or greater benefit. D is incorrect; the sale of the laptop is not an avenue of attack against Phrenal.
Handel is a senior manager at Triffid, Inc., and is in charge of implementing a new access control scheme for the company. Handel wants to ensure that employees who are assigned to new positions in the company do not retain whatever access they had in their old positions. Which method should Handel select? (D3, L3.3.1) A) Role-based access controls (RBAC) B) Mandatory access controls (MAC) C) Discretionary access controls (DAC) D) Logging
A is correct. RBAC can aid in reducing "privilege creep," where employees who stay with the company for a long period of time might get excess permissions within the environment. B and C are incorrect; MAC and DAC do not offer this type of assurance. D is incorrect; logging will demonstrate user activity, but doesn't aid in reducing excess permissions.
Grampon municipal code requires that all companies that operate within city limits will have a set of processes to ensure employees are safe while working with hazardous materials. Triffid Corporation creates a checklist of activities employees must follow while working with hazardous materials inside Grampon city limits. The municipal code is a ______, and the Triffid checklist is a ________. (D1, L1.4.2) A) Law, procedure B) Standard, law C) Law, standard D) Policy, law
A is correct. The municipal code was created by a governmental body and is a legal mandate; this is a law. The Triffid checklist is a detailed set of actions which must be used by Triffid employees in specific circumstances; this is a procedure. B and C are incorrect; neither document is recognized throughout the industry, so neither is a standard. D is incorrect; neither document is a strategic internal overview issued by senior management, so neither is a policy.
Triffid, Inc., wants to host streaming video files for the company's remote users, but wants to ensure the data is protected while it's streaming. Which of the following methods are probably best for this purpose? (D5.1, L5.1.3) A) Symmetric encryption B) Hashing C) Asymmetric encryption D) VLANs
A is the correct answer; symmetric encryption offers confidentiality of data with the least amount of processing overhead, which makes it the preferred means of protecting streaming data. B is incorrect; hashing would not provide confidentiality of the data. C is incorrect; asymmetric encryption requires more processing overhead than symmetric encryption, and is therefore not preferable for streaming purposes. D is incorrect; VLANs are useful for logical segmentation of networks, but do not serve a purpose for streaming data to remote users.
You are reviewing log data from a router; there is an entry that shows a user sent traffic through the router at 11:45 am, local time, yesterday. This is an example of a(n) _______. (D2, L2.1.1) A) Incident B) Event C) Attack D) Threat
An event is any observable occurrence within the IT environment ("any observable occurrence in a network or system," per NIST SP 800-61 Rev 2). While an event might be part of an incident, attack, or threat, no other information about the event was given in the question, so B is the correct answer.
All visitors to a secure facility should be _______. (D3, L3.2.1) A) Fingerprinted B) Photographed C) Escorted D) Required to wear protective equipment
C is correct. In a secure facility, visitors should be escorted by an authorized person. A is incorrect; it is not feasible to fingerprint every visitor to a facility. Moreover, it might not be legal, depending on the jurisdiction. B is incorrect; some facilities may be in jurisdictions that restrict the use of photographic surveillance in the workplace. D is incorrect; not all secure facilities require the use of protective equipment.
Handel is a senior manager at Triffid, Inc., and is in charge of implementing a new access control scheme for the company. Handel wants to ensure that operational managers have the utmost personal choice in determining which employees get access to which systems/data. Which method should Handel select? (D3, L3.3.1) A) Role-based access controls (RBAC) B) Mandatory access controls (MAC) C) Discretionary access controls (DAC) D) Security policy
DAC gives managers the most choice in determining which employees get access to which assets. C is the correct answer. A and B are incorrect; RBAC and MAC do not offer the same kind of flexibility that DAC does. D is incorrect; "security policy" is too broad and vague to be applicable; C is the better answer.
Dieter wants to send a message to Lupa and wants to be sure that Lupa knows the message has not been modified in transit. What technique/tool could Dieter use to assist in this effort? (D5.1, L5.1.3) A) Hashing B) Clockwise rotation C) Symmetric encryption D) Asymmetric encryption
Hashing is a means to provide an integrity check. A is the correct answer. B is incorrect; this term is meaningless, and used here only as a distractor. C and D are incorrect; neither symmetric encryption nor asymmetric encryption provides message integrity.
Hashing is often used to provide _______. (D5.1, L5.1.3) A) Confidentiality B) Integrity C) Availability D) Value
Hashing is used for integrity checks. B is the correct answer. A, C and D are incorrect; hashing only provides integrity.
When Pritha started working for Triffid, Inc., Pritha had to sign a policy that described how Pritha would be allowed to use Triffid's IT equipment. What policy was this? (D5.3, L5.3.1) A) The organizational security policy B) The acceptable use policy (AUP) C) The bring-your-own-device (BYOD) policy D) The workplace attire policy
The AUP describes how users will be permitted to use the organization's IT assets. B is the correct answer. A, C and D are incorrect; while these are all common policies, they do not serve the same function as the AUP.
Triffid, Inc., has many remote workers who use their own IT devices to process Triffid's information. The Triffid security team wants to deploy some sort of sensor on user devices in order to recognize and identify potential security issues. Which of the following is probably most appropriate for this specific purpose? (D4.2 L4.2.2) A) HIDS (host-based intrusion-detection systems) B) NIDS (network-based intrusion-detection systems) C) LIDS (logistical intrusion-detection systems) D) Firewalls
A is correct. Host-based intrusion-detection systems are expressly designed for this purpose; each HIDS is installed on each endpoint machine. B is incorrect; NIDS are useful for monitoring internal traffic, but a HIDS would be better for distributed users/devices. C is incorrect; LIDS is not a term standard within our industry, and was just made up and used here as a distractor. D is incorrect; firewalls limit traffic, and can be used to identify potential threats, but a HIDS is specifically intended for this purpose.
The organization should keep a copy of every signed Acceptable Use Policy (AUP) on file, and issue a copy to _______. (D5.3, L5.3.1) A) The user who signed it B) The regulators overseeing that industry C) Lawmakers D) The Public Relations office
A is correct. The AUP is an agreement between the user and the organization, so both parties need to keep a copy of it. B, C and D are incorrect; those entities are not party to the agreement, and should therefore not receive a copy.
Tekila works for a government agency. All data in the agency is assigned a particular sensitivity level, called a "classification." Every person in the agency is assigned a "clearance" level, which determines the classification of data each person can access. What is the access control model being implemented in Tekila's agency? (D3, L3.3.1) A) MAC (mandatory access control) B) DAC (discretionary access control) C) RBAC (role-based access control) D) FAC (formal access control)
A is correct. This is an example of how MAC can be implemented. B is incorrect; in discretionary access control, operational managers are granted authority to determine which personnel have access to assets the manager controls. C is incorrect; in RBAC, personnel might not have clearance levels, and assets might not have classifications. D is incorrect; FAC is not a term used in this context, and is only included here as a distractor.
Olaf is a member of (ISC)² and a security analyst for Triffid Corporation. During an audit, Olaf is asked whether Triffid is currently following a particular security practice. Olaf knows that Triffid is not adhering to that standard in that particular situation, but that saying this to the auditors will reflect poorly on Triffid. What should Olaf do? (D1, L1.5.1) A) Tell the auditors the truth B) Ask supervisors for guidance C) Ask (ISC)² for guidance D) Lie to the auditors
A is the best answer. The (ISC)² Code of Ethics requires that members "act honorably, honestly, justly, responsibly" and also "advance and protect the profession." Both requirements dictate that Olaf should tell the truth to the auditors. While the Code also says that Olaf should "provide diligent and competent service to principals," and Olaf's principal is Triffid in this case, lying does not serve Triffid's best long-term interests, even if the truth has some negative impact in the short term.
Which of the following roles does not typically require privileged account access? (D3, L3.1.1) A) Security administrator B) Data entry professional C) System administrator D) Help Desk technician
B is correct. Data entry professionals do not usually need privileged access. A, C and D are all incorrect; those are roles that typically need privileged access.
Tina is an (ISC)² member and is invited to join an online group of IT security enthusiasts. After attending a few online sessions, Tina learns that some participants in the group are sharing malware with each other, in order to use it against other organizations online. What should Tina do? (D1, L1.5.1) A) Nothing B) Stop participating in the group C) Report the group to law enforcement D) Report the group to (ISC)²
B is the best answer. The (ISC)² Code of Ethics requires that members "protect society, the common good, necessary public trust and confidence, and the infrastructure"; this would include a prohibition against disseminating and deploying malware for offensive purposes. However, the Code does not make (ISC)² members into law enforcement officers; there is no requirement to get involved in legal matters beyond the scope of personal responsibility. Tina should stop participating in the group, and perhaps (for Tina's own protection) document when participation started and stopped, but no other action is necessary on Tina's part.
Data _____ is data left behind on systems/media after normal deletion procedures have been attempted. (D5.1, L5.1.1) A) Fragments B) Packets C) Remanence D) Residue
C is correct. Data remanence is the term used to describe data left behind on systems/media after normal deletion procedures have been attempted.
Trina and Doug both work at Triffid, Inc. Doug is having trouble logging into the network. Trina offers to log in for Doug, using Trina's credentials, so that Doug can get some work done. What is the problem with this? (D3, L3.3.1) A) Doug is a bad person B) If Trina logs in for Doug, then Doug will never be encouraged to remember credentials without assistance C) Anything either of them does will be attributed to Trina D) It is against the law
C is correct. If two users share one set of credentials, the actions of both users are attributed to that single account; the organization cannot discern who performed which action, which undermines accountability if either user does something negligent or wrong. A is incorrect; we don't know enough about Doug from the question. B is incorrect; while true, getting Doug to remember credentials is not the priority in this situation. D is incorrect; regardless of whether sharing credentials is against the law (it might or might not be, depending on the jurisdiction), the important point is that each user's actions must be attributable to that user alone.
Prachi works as a database administrator for Triffid, Inc. Prachi is allowed to add or delete users, but is not allowed to read or modify the data in the database itself. When Prachi logs onto the system, an access control list (ACL) checks to determine which permissions Prachi has. In this situation, what is the ACL? (D3, L3.1.1) A) The subject B) The object C) The rule D) The firmware
C is correct. The ACL, in this case, acts as the rule in the subject-object-rule relationship: it determines what Prachi is allowed to do (add or delete users) and what Prachi is not permitted to do (read or modify data). A and B are incorrect; Prachi is the subject and the database is the object, while the ACL is the rule. D is incorrect; firmware is not part of the subject-object-rule relationship, and an ACL is not firmware in any case.
Which of the following is an example of a "something you are" authentication factor? (D1, L1.1.1) A) A credit card presented to a cash machine B) Your password and PIN C) A user ID D) A photograph of your face
D is correct. A facial photograph is something you are—your appearance. A is incorrect because a credit card is an example of an authentication factor that is something you have. B is incorrect because passwords and PINs are examples of authentication factors that are something you know. C is incorrect because a user ID is an identity assertion, not an authentication factor.
A tool that filters inbound traffic to reduce potential threats. (D4.2 L4.2.3) A) NIDS (network-based intrusion-detection systems) B) Anti-malware C) DLP (data loss prevention) D) Firewall
D is correct. Firewalls filter traffic at a network boundary according to rules (addresses, ports, protocols); filtering inbound traffic from outside the organization's IT environment is their typical role. A is incorrect; NIDS monitor traffic within the production environment and alert on suspicious activity rather than filtering it. B is incorrect; anti-malware solutions identify hostile software, typically on hosts. C is incorrect; DLP solutions typically monitor outbound traffic for sensitive data leaving the organization.
An IoT (Internet of Things) device is typified by its effect on or use of the _____ environment. (D4.3 L4.3.3) A) Philosophical B) Remote C) Internal D) Physical
D is correct. IoT devices typically have some interaction with the physical realm, either by having some physical effect (a vacuum cleaner, refrigerator, light) or by monitoring the physical environment itself (a camera, sensor, etc.). A, B and C are incorrect; IoT is typified by effects on or use of the physical environment.
Security controls on log data should reflect ________. (D5.1, L5.1.2) A) The organization's commitment to customer service B) The local culture where the log data is stored C) The price of the storage device D) The sensitivity of the source device
D is correct. Log data should be protected at a level at least as high as that of the systems or devices it was captured from, because logs often contain the same sensitive details (account names, addresses, actions taken) as the source. A, B and C are incorrect; these are not qualities that dictate the level of protection required for log data.
The city of Grampon wants to ensure that all of its citizens are protected from malware, so the city council creates a rule that anyone caught creating and launching malware within the city limits will receive a fine and go to jail. What kind of rule is this? (D1, L1.4.1) A) Policy B) Procedure C) Standard D) Law
D is correct. The city council is a governmental body making a legal mandate, enforced with penalties; this is a law. A is incorrect; the rule is not a policy adopted by a specific organization for its own members, but instead applies to anyone within the jurisdiction of the Grampon city council. B is incorrect; this rule is not a step-by-step process to follow. C is incorrect; a standard specifies how a policy is to be implemented (for example, a configuration baseline or a recognized framework), whereas this rule is a legal mandate with penalties attached.
Log data should be kept ______. (D5.1, L5.1.2) A) On the device that the log data was captured from B) In an underground bunker C) In airtight containers D) On a device other than where it was captured
D is the correct answer. Log data is often needed to diagnose or investigate the very device it was captured from; it is therefore important to store the data away from that device, so the logs survive if something happens to the source. A is incorrect; if the source machine fails or is compromised, log data stored on it may be lost or tampered with by the attacker. B is incorrect; log data may be stored underground, aboveground, underwater, in the sky, or in orbit, as long as it is stored securely. C is incorrect; airtight seals have no bearing on log data.
Bruce is the branch manager of a bank. Bruce wants to determine which personnel at the branch can get access to systems, and under which conditions they can get access. Which access control methodology would allow Bruce to make this determination? (D3, L3.3.1) A) MAC (mandatory access control) B) DAC (discretionary access control) C) RBAC (role-based access control) D) Defense-in-depth
B is the correct answer. Discretionary access control is a model wherein permissions are granted at the discretion of the owner of an asset, typically an operational manager, who determines which personnel get specific access to the assets under the manager's control and under what conditions. A is incorrect; in mandatory access control, access is decided centrally by labels and clearances, and managers do not have the authority (discretion) to determine who gets access to specific assets. C is incorrect; in role-based access control, access follows roles assigned by a central authority, and managers do not grant access to particular assets on an individual basis. D is incorrect; defense in depth is not an access control model, it's a security philosophy.
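The following is an added illustration, not part of the ISC2 material, of the two ideas tested in the Prachi and Bruce questions above: the ACL as the rule in the subject-object-rule relationship, and the difference between DAC (the object's owner grants access at discretion) and RBAC (access follows a centrally assigned role). All names, objects and permissions are constructed for the example.

```python
"""Subject-object-rule evaluation against an ACL, under DAC and RBAC.
Added example; the scenario names (dba_lead, teller_ann, ...) are constructed."""
from __future__ import annotations


class DiscretionaryAcl:
    """ACL on one object under DAC: the object's owner decides who gets what."""

    def __init__(self, obj: str, owner: str) -> None:
        self.obj = obj
        self.owner = owner
        # subject -> set of permitted actions; absence means deny (default deny)
        self.entries: dict[str, set[str]] = {}

    def grant(self, granter: str, subject: str, actions: set[str]) -> None:
        # DAC: only the owner (the operational manager) may change the ACL.
        if granter != self.owner:
            raise PermissionError(f"{granter} does not own {self.obj}")
        self.entries.setdefault(subject, set()).update(actions)

    def check(self, subject: str, action: str) -> bool:
        # The ACL is the rule: it alone decides whether subject may act on object.
        return action in self.entries.get(subject, set())


class RoleBasedPolicy:
    """RBAC: permissions hang off roles; subjects receive roles, never direct grants."""

    def __init__(self, role_permissions: dict[str, set[str]]) -> None:
        self.role_permissions = role_permissions
        self.assignments: dict[str, set[str]] = {}

    def assign(self, subject: str, role: str) -> None:
        if role not in self.role_permissions:
            raise KeyError(f"unknown role {role!r}")
        self.assignments.setdefault(subject, set()).add(role)

    def check(self, subject: str, action: str) -> bool:
        roles = self.assignments.get(subject, set())
        return any(action in self.role_permissions[r] for r in roles)


def prachi_permissions() -> dict[str, bool]:
    """Prachi (subject) may manage users on the database (object) but not touch data."""
    db = DiscretionaryAcl(obj="customer_db", owner="dba_lead")
    db.grant("dba_lead", "prachi", {"add_user", "delete_user"})
    return {a: db.check("prachi", a) for a in ("add_user", "delete_user", "read", "modify")}


def branch_access_under_dac() -> tuple[bool, bool]:
    """Bruce, as owner of the branch system, grants a teller access; a teller cannot grant."""
    core = DiscretionaryAcl(obj="branch_core_banking", owner="bruce")
    core.grant("bruce", "teller_ann", {"login", "post_transaction"})
    try:
        core.grant("teller_ann", "teller_bob", {"login"})  # Ann is not the owner
        bob_granted = True
    except PermissionError:
        bob_granted = False
    return core.check("teller_ann", "login"), bob_granted


def branch_access_under_rbac() -> tuple[bool, bool]:
    """Same branch under RBAC: there is no per-person grant for Bruce to make."""
    policy = RoleBasedPolicy({
        "teller": {"login", "post_transaction"},
        "manager": {"login", "approve_override"},
    })
    policy.assign("teller_ann", "teller")
    policy.assign("bruce", "manager")
    # Ann's access comes from her role; Bruce's manager role does not include posting.
    return policy.check("teller_ann", "post_transaction"), policy.check("bruce", "post_transaction")


if __name__ == "__main__":
    print(prachi_permissions())
    print(branch_access_under_dac())
    print(branch_access_under_rbac())
```

Under DAC the grant call is gated on ownership, which is exactly the "discretion" the Bruce question asks about; under RBAC the only lever is role assignment, so a manager wanting to give one individual access must change the role model rather than the ACL.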