ISC2 Domain Review Questions

D8 10. All of the following are types of alternate operating sites except which one? A. Full interruption B. A mobile site C. The cloud D. A joint operating agreement (JOA)

A. Full interruption Full interruption is a type of BCDR exercise; a mobile site is a portable facility mounted on or carried in a vehicle. A joint operation agreement (JOA) or memorandum of understanding (MOU) is a contractual agreement for sharing operating locations. Module reference: 6

D9 9. An NDA (Non-Disclosure Agreement) is a legally binding contract that restricts the sharing of information. What type of NDA applies in situations where there are three or more parties? A. Multilateral B. Bilateral C. Unilateral D. Omnilateral

A. Multilateral In a unilateral NDA, only one party discloses information to another party. In a bilateral or two-way, both parties share information with each other. There is no omnilateral NDA. Module reference: 6

D1 8. What is the role of the data custodian? A. The data custodian oversees how data is stored, combined (aggregated) and used, i.e., the technical elements. B. The data custodian focuses on the quality of the data and what is contained within the data fields. C. The data custodian determines how data is processed. D. The data custodian decides who has access rights to the data including its use and modification.

A. The data custodian oversees how data is stored, combined (aggregated) and used, i.e., the technical elements. Answer B is the role of the data steward. Answer C is the role of the data controller, and answer D is the role of the data owner.

D8 7. Which of the following backup methods requires the greatest number of data versions to conduct a complete restoration? A. Full B. Incremental C. Differential D. Composite

B. Incremental Incremental backups copy all data changed since the last full or incremental backup; this would, on average, require more versions for a complete restoration than full backup (requires one version) and differential which requires the last full and the last differential (so just two). There is no such thing as composite backup. Module reference: 6

D1 6. Which of the following is not an Organization for Economic Co-operation and Development (OECD) principle of privacy protection? A. Collection Limitation Principle B. Right to be Forgotten Principle C. Use Limitation Principle D. Accountability Principle

B. Right to be Forgotten Principle The right to be forgotten principle is not a principle addressed in the OECD guidelines for privacy protection. It has been introduced and is part of privacy legislation in Europe and Argentina since 2006 and is part of the new General Data Protection Regulation (GDPR).

D7 2. What report would be good for attracting additional clients yet unknown to your business? A. SOC 5 Type II B. SOC 3 C. SOC 5 Type II New Client D. SOC 5 Type I Existing Client

B. SOC 3 SOC 3 is an executive summary that can be used as a web seal to advertise a summary opinion of technical controls. The summary can be posted to a website to advertise for potential customers. There are no SOC 5 reports. Module reference: 1

D9 4. Security controls can be grouped by how they take effect. What type of control category includes fire suppression and intrusion prevention systems? A. Preventative B. Recovery C. Corrective D. Compensating

C. Corrective Corrective controls react to a situation in order to perform remediation or restoration. Preventative controls prohibit certain actions. Recovery controls are designed to restore operation, e.g., backup. Compensating controls are used to mitigate the risk of a primary control failure. Module reference: 7

D2 1. In an environment where asset classification has been implemented to address the requirements of privacy protection, who in the following list is considered the "owner" and, therefore, has the accountability to ensure that the requirements for protection and compliance are addressed properly? A. Data processor B. Data subject C. Data controller D. Data steward

C. Data controller In specific privacy legislation, the roles for accountability of protection of a subject's personal privacy information are assigned to the data controller. They act as the "owner" and, therefore, have the accountability to protect based on legislative and legal requirements.

D8 5. NIST Special Publication 800-61, Computer Security Incident Handling Guide, structures incident response activities in a four-phase lifecycle. Which of the following is not part of the activities? A. Preparation B. Detection C. Prevention D. Post-incident activities

C. Prevention Incident response is just that, "response." The preparation phase will include identifying potential incidents, selection and training of responders, etc., and the deployment of solutions to detect incidents. Steps necessary to contain the incident, include the eradication and recovery phases and the debrief or post-incident activities, which may include the acquisition of new technologies, changes in team members or training, etc. Other solutions will be deployed to prevent incidents from occurring such as access control systems, CCTV, guards (and many, many more). Module reference: 3

D9 1. OECD, PMF and GDPR are examples of what type of frameworks? A. Risk B. Change management C. Privacy D. Software development

C. Privacy The Organization for Economic Co-operation and Development (OECD), the Privacy Management Framework (PMF) and the General Data Protection Regulations (GDPR) are all focused on privacy protection. Module reference: 2

D4 1. Which NIST publication addresses the engineering-driven actions for defensible systems? A. SP800-181 Rev.1 B. SP800-207 C. SP800-160 D. SP800-210

C. SP800-160 The correct answer is C. SP800-181 Rev. 1 discusses the National Initiative for Cybersecurity Education (NICE). SP800-207 discusses zero-trust architecture and SP800-210 discusses access control guidance for cloud systems. Module reference: 1

D7 7. What type of web application test relies on the use of scripts rather than "live" actions? A. Vulnerability B. Penetration C. Synthetic D. Conformity

C. Synthetic Synthetic transactions, or synthetic performance monitoring, involves having external agents run scripted transactions against a web application. These scripts are meant to follow the steps a typical user might follow. All the others forms of testing are conducted with the use of live (real) agents running banks of tests. Module reference: 3

D1 5. Sarbanes-Oxley applies to? A. Publicly traded companies only B. Privately traded companies only C. Some publicly and all privately traded companies D. All publicly and all privately traded companies

D. All publicly and all privately traded companies There is a widely perceived misconception that SOX only applies to publicly traded companies but this is incorrect. While not all of the provisions apply, there are some core requirements which do. For example: Intentionally destroying, altering or falsifying records is an offense under the act.

D8 6. Which of the following statements is true about digital evidence? A. Evidence is useless if the original version has been changed in any way. B. Evidence can expire. C. Electronic evidence is inadmissible. D. Evidence should be believable.

D. Evidence should be believable. Evidence is material used to support a theory and argument concerning the events of an alleged crime. It must be presented in a format that is understandable to the intended audience (perhaps a jury) who must believe in the veracity of said evidence. While crimes might have a lifespan (a statute of limitations), evidence typically does not. Evidence that has been changed may be admissible, if the changes have been documented to a court's satisfaction. Electronic evidence is admissible. Module reference: 3

D7 8. When considering a BC/DR (business continuity/disaster recovery) testing program, a building evacuation (fire evacuation) would be what form of test? A. Walk-through B. Parallel C. Tabletop D. Simulation

D. Simulation A simulation test is a disaster event simulated outside the production environment. A walk-through uses desk manuals and has DR teams explain their roles and activities. In a parallel test, a disaster event is simulated while production activities are ongoing in two different locations. In a tabletop, team leaders across the organization are presented with a disaster scenario and discuss their response. Module reference: 3

D8 1. IDS/IPS systems can detect malicious activities in a number of ways. Which method compares actual activities to a baseline? A. Deviation B. Signature C. Heuristic D. Temporal

A. Deviation The IDS/IPS can learn a standard activity baseline normal to the organization; deviations from this baseline of expected behavior are deemed suspect. Using signature: The IDS/IPS can recognize known attack patterns in traffic and activity. Using heuristic: Machine-learning algorithms in the IDS/IPS can acquire more information about the environment as the tools operate, beyond a simple baseline. This is an advanced form of deviation analysis. Temporal matching is not a feature of IDS/IPS systems. Module reference: 1

D7 10. What statement is true of key risk indicators (KRIs)? A. KRIs monitor emerging risks. B. KRIs show whether goals have been met. C. KRIs shed light on performance metrics. D. KRIs alert when team metrics haven't been met.

A. KRIs monitor emerging risks. KRIs are designed to monitor risk to take proactive action. Answers B, C, and D are all key performance indicator (KPI) markers. Module reference: 4

D1 4. Susan is the security manager for an online retailer. To protect the customer data they are entrusted with, she requires all personnel to attend security training sessions regularly. Susan documents and tracks which personnel have attended training, and she suspends account access for those personnel who have missed training. Which of the following does this process describe? A. Due care B. Due diligence C. Corporate responsibility D. Reasonable expectation

B. Due Diligence Due care is the legal duty owed to the customers; in this scenario that would be "don't allow unauthorized disclosures of customer privacy data." Due diligence is any action that supports this duty. Corporate responsibility (C) relates to maintaining accountability to shareholders, customers and employees. Reasonable expectation (D) is what the customer should have when they take part in the transaction; in this situation that would be, "my personal information will be protected."

D9 5. You have been tasked with performing a risk assessment using the "loss expectancy" model on the organization's laptop computers as there seems to be a high failure rate. Using the formula ALE (Annual Loss Expectancy) = SLE (Single Loss Expectancy) x ARO (Annual Rate of Occurrence), with the SLE being calculated by multiplying the AV (Asset Value) by the EF (exposure factor). After consultation with the various stakeholders, it seems that besides a problem with the CPU (Central Processing Unit) the laptops are reliable and robust. Working with the following figures, what is the SLE for each laptop? AV — $1,250.00 EF — 33% (the cost to replace the CPU) ARO — CPU burnout every 9 months A. $400.50 B. $405.50 C. $412.50 D. $415.50

C. $412.50 A single incident would cost: AV * 33% = $412.50

D8 8. Heating, Ventilation and Air Conditions (HVAC) control is an important aspect of facilities management. The American Society of Heating, Refrigerating and Air-Conditioning Engineers (ASHRAE) Standard 90.4-2019 recommends setting the temperature ranges for maximum uptime and hardware life as between which of the following? A. 50º and 81º F B. 64º and 70º F C. 64º and 81º F D. 50º and 70º F

C. 64º and 81º F The ANSI/ASHRAE Standard 90.4-2019, Energy Standard for Data Centers defines the maximum mechanical load component (MLC) and electrical loss component (ELC) values. These values were lowered in the second version of the standard. This range has become widely accepted as an industry best practice. Module reference: 8

D7 9. One of the most commonly used Continual Process Improvement (CPI) models is the PDCA. This approach is composed of four steps, and which one is not one of them? A. Plan B. Do C. Calculate D. Act

C. Calculate The correct step is Check. The PDCA cycle is Plan: Decide what needs to be done and prepare a plan. Do: Execute the plan. Check: Evaluate the results. Act: Adjust based upon the results generated in the Do and Check phases. Module reference: 3

D7 4. For the potential client to understand the probability that your department of 50 developers remain properly compensated and incentivized to continue to support the security-as-a-service that they wish to consume, what report might they consider? A. SOC 2 Type II B. SOC 2 Type I C. SOC 1 Type II D. SOC 1 Type I

C. SOC 1 Type II A SOC 1 Type II report would be appropriate since it would reflect what the effectiveness of the internal controls over financial reporting is. Special attention could be associated with benefits management. SOC 1 is for reviewing financial controls. Type II proves design effectiveness of the financial control. SOC 1 Type I is proof of the design of the financial control alone. SOC 2 Type II and I are reports on technology security controls within an organization. Module reference: 1

D9 10. What type of Business Continuity and Disaster Recovery (BCDR) test involves participants moving to each of the locations they will need to visit for response activities? A. Full interruption B. Parallel C. Walk-through D. Tabletop

C. Walk-through A tabletop exercise requires that only the participants who have a role in BCDR activities are included, and they respond to a scripted situation. A parallel test entails mobilizing personnel and resources for the alternate site and conducting operations from the alternate location. Parallel exercises are for those organizations that utilize alternate operating sites as part of their BCDR plan. A full interruption involves the entire organization in a scripted situation that mimics an actual contingency event. All BCDR resources, personnel, and activities are involved and perform the actions they would take during an unscheduled situation. Module reference: 6

D8 3. Referred to as "Change Enablement," the Information Technology Infrastructure Library (ITIL) version 4, is one of the more widely adopted practices used in change management. ITIL defines three levels based on urgency, but which of the following is not one of them? A. Standard B. Emergency C. Zero-Day D. Normal

C. Zero-Day The change management process encompasses all elements of change and is not restricted to software alone. ITIL defines these levels as the following: Standard changes which are relatively low-risk and follow established procedures; emergency changes, which are those which must be implemented immediately; and normal changes, which do not fall into either of the other two levels. Zero-day vulnerabilities, typically software related, might be an example of an emergency level but it is not one of ITIL's classifications. Module reference: 2

D9 7. Consider the scenario from questions 5 and 6. Given the four methods that can be applied to risk, which might be the best option? A. Avoid B. Reduce (mitigate) C. Transfer D. Accept

D. Accept When the numbers are in, and remembering that this is an estimated failure rate, it is probably best to just accept the risk. Given that the organization needs laptops, the risk can't really be avoided or reduced except by changing either the supplier or the make or model of the laptops being purchased. The maintenance contract is a form of transference. While the contract will not prevent the CPU from failing, it will transfer the financial impact to the organization. Module reference: 7

D8 4. What is a configuration item? A. A version of software source code B. Desktop configurations C. Data sets D. All of the above

D. All of the above Configuration management (CM) is a formal process for defining, documenting and enforcing the minimum-security controls within an organization. CM requires that the organization identify its configuration items, which are the assets under its security scope. Module reference: 2

D1 7. What is meant by data portability? A. It describes how data is moved within a corporate network. B. It describes how data is moved between corporations. C. It describes how data is moved on the internet. D. It describes the rights of a data subject to move personal data from one data controller to another.

D. It describes the rights of a data subject to move personal data from one data controller to another. The U.S. Health Insurance Portability and Accountability Act (HIPAA), General Data Protection Regulation (GDPR) and other comparable frameworks define the circumstances in which a data subject has the right to request that data be made available in a form that lets the subject transfer that data to another controller for use, e.g., healthcare providers. The other answers relate to data transfer and may be governed by legislation, regulatory, or policies.

D7 3. What is the difference between a Type I and a Type II SOC report? A. Type I is developed over a time period; Type II is a snapshot. B. There are no Type I or II reports. C. Type I is a longer report than Type II. D. Type I is concerned with control design; Type II is concerned with control effectiveness.

D. Type I is concerned with control design; Type II is concerned with control effectiveness.

D3 9. What error type presents an organization with higher risk impacts? A. Type 1 B. Type 2 C. Type 3 D. All of them

The correct answer is B. A Type 2 error is a false acceptance that falsely identifies someone as being a legitimate user and thus grants them access. A Type 1, or false rejection, denies access to legitimate users. There is no type 3 error. Module reference: 4

D6 4. What is the difference between source code and object code? A. Source code consists of human-readable statements. Object code is the binary machine language executed by the CPU (Central Processing Unit). B. Source code expresses a program's required function. Object code is the binary machine language executed by the CPU (Central Processing Unit). C. Object code consists of human-readable statements. Source code is the binary machine language executed by the CPU (Central Processing Unit). D. Source code consists of human-readable statements. Object code expresses a program's required function.

The correct answer is A. Answers B and D are actually introducing the concept of intermediate code. Sitting, as its name suggests, between source and object code (also known as executable code), it is commonly used to provide machine independence and code portability. Module reference: 2

D5 8. Ports are associated with services. Microsoft SQL server uses ports 1433 and 1434. Which group does this fall into? A. Well-known B. Registered C. Dynamic D. Private

The correct answer is A. Answers B, C and D are how a firewall creates separation boundaries. Answer A is a form of an access control device, and it is what a firewall does. Module reference: 5

D6 9. What is the difference between continuous integration and continuous delivery? A. Continuous integration requires changes to code are frequently updated to a code repository and tested using an automated process. Continuous delivery focuses on moving the changes into production. B. Continuous delivery requires changes to code are frequently updated to a code repository and tested using an automated process. Continuous integration is moving the changes into production. C. Continuous integration is a purely manual process whereby changes to code are fed directly back into existing code without prior testing. Continuous delivery focuses on quickly responding to the customer's needs. D. Continuous delivery is a purely manual process whereby changes to code are fed directly back into existing code without prior testing. Continuous integration focuses on quickly responding to the customer's needs.

The correct answer is A. Continuous integration can reduce the number of bugs in code by detecting problems quickly. This becomes necessary since changes and testing are being performed much more frequently (potentially many times a day), and automated testing is being utilized. This makes early bug detection possible and reduces follow-on testing workload. Continuous delivery can reduce both cost and risk and produce higher quality applications. Module reference: 7

D6 8. What is the difference between DevOps and DevSecOps? A. As DevOps focuses primarily on rapid delivery of new and updated code into operational use, it relies on other processes to address security considerations. DevSecOps integrates security review and assessment into the total design, development, and deployment workflow. B. DevSecOps integrates security testing and assessment into the operational use of software, while DevOps performs security testing and assessment activities throughout the lifecycle. C. Very little. Originally, DevOps did not explicitly consider security activities in its rapid development and release to operational use of new and modified software. Market pressure, and the creation of the competing DevSecOps model, has caused these two models to become more similar than different. D. DevOps emphasizes the use of IDEs and configuration management tools, while DevSecOps emphasizes the use of continuous integration and continuous deployment processes.

The correct answer is A. Different organizations implement these models differently, but in general terms, DevSecOps focuses management attention on security as being part of every step in the software lifecycle. Answer B has these reversed; answer C is false. Answer D is also false, since CI/CD is a way of automating the services that IDEs and other tools such as configuration management and control systems provide. Module reference: 6

Your organization develops security-as-a-service software that is consumed via your private cloud. You employ 50 developers that practice agile discipline in releasing tools to market. A potential client approaches your organization with the intent to acquire your services. Before the potential client commits to a contractual agreement, they have informed your organization that they need to be provided with the highest degree of assurance possible that risks to your operational effectiveness are well contained or mitigated, and they will receive your services delivered in the same operable form they were created in without being changed. D7 Question 1 1. What report would be most appropriate to answer the needs of the potential client? A. SOC 2 Type II B. SOC 2 Type I C. SOC 1 Type II D. SOC 1 Type I

The correct answer is A. SOC 2 Type II is a report on technology security controls within an organization. Type II proves design effectiveness. SOC 2 Type I would only confirm the design. SOC 1 is for reviewing financial controls. Module reference: 1

D2 8. Which of the following is not an objective of baseline security control use in protecting assets? A. Specific steps that must be executed B. Minimum levels of security controls C. May be associated with specific architectures and systems D. A consistent reference point

The correct answer is A. Specific steps that must be executed are examples of procedures, not baselines. A baseline is the minimum level of security that must be achieved so that it can be consistently referenced and may be specific to certain architectures and systems.

D4 9. From the descriptions, why might an organization use a checksum rather than a hash to validate credit card information? A. A checksum is used to identify an error when information is created or transferred and creates a unique fingerprint. B. A hash creates a representation of a message and is used to verify the integrity of a message. C. A checksum creates a representation of a message and is used to verify the integrity of a message. D. A hash is used to identify an error when information is created or transferred and creates a unique fingerprint.

The correct answer is A. The Luhn algorithm, for example, is used when a credit card is entered into a system to produce a check digit (16 digits). Any error, such as an incorrectly entered card number, would quickly be identified. A hashing process could be used but the computational overheads are higher, which might introduce latency. Module reference: 2

D5 2. What is the purpose of the Clear to Send message? A. It tells a node that it can transmit in a wireless network. B. It tells all nodes that a collision has now been cleared. C. It tells a node that it can transmit in a ring network. D. It tells a node that it can transmit in a mesh network.

The correct answer is A. Used in the Institute of Electrical and Electronics Engineers (IEEE) 802.11 (wireless) standard, it is used by carrier sense multiple access/collision avoidance (CSMA/CA) to advise other connected nodes to stay off a given frequency and thus helps avoid collisions. In collision-prone topologies such as bus and mesh, all nodes are notified if a collision has occurred but not that it has cleared. Collisions don't occur within a ring network because of the use of the token. Module reference: 2

D3 2. In the identity management process flow, an individual can make a request to access resources such as data. Who is responsible for the approval of that request? A. The data processor B. The data owner C. The data custodian D. Only senior managers

The correct answer is B. Access is always approved by the data owner; this may be a senior manager but that is not always the case. The request is then passed to the data custodian. The data processor is an entity that is working with (processing) data on behalf of the data controller. The data custodian manages the data on a day-to-day basis for the data controller. Module reference: 1

D3 4. One security model includes a set of rules that can dynamically restrict access to information based upon information that a subject has already accessed in order to prevent any potential conflict of interest. What is the name of this model? A. Biba B. Brewer and Nash C. Graham-Denning D. Harrison, Ruzzo, Ullman (HRU)

The correct answer is B. Answers A, C, and D are models that describe an information system's rules for operation, but those rules are applied universally. The Brewer and Nash model is the only model that explicitly addresses conflicts of interest. Module reference: 2

D6 5. Of these programming languages, which is considered to be the lowest-level language? A. Compiled B. Assembly C. Interpreted D. None of the above

The correct answer is B. Assemblers convert one statement into one function and produce binary instructions. Compilers convert one statement into multiple binary instructions. Interpreters convert one statement into multiple operating instructions and produce intermediate code in real-time. Note that assemblers deal with assembly languages, while compilers are used for compiled languages. Module reference: 2

D4 5. Cloud computing has many advantages but can introduce latency; to reduce this, the use of Edge and Fog computing architectures can be used. Which statement best describes the difference between Edge and Fog computing architectures? A. Fog computing occurs closest to the sensor-attached devices. B. Edge computing occurs closest to the sensor-attached devices. C. Edge computing decouples hardware and applications. D. Essentially, they are the same.

The correct answer is B. Edge computing moves the data processing to fixed locations, which provides a direct transmission service. Fog computing runs applications in a multi-layer architecture that decouples the hardware and software functions and then meshes them together, allowing dynamic re-configuration. Module reference: 1

D3 10. At which Identity Assurance Level (IAL) do organizations like Facebook, LinkedIn, or Gmail function when allowing users to create accounts with their services? A. IAL1 B. IAL2 C. IAL3 D. IAL1 and IAL2

The correct answer is B. IAL2 is either remote or in person. When obtaining a certificate from a certificate authority (CA), the registration authority (RA) will take steps to verify the user's identity. This might come in the form of a phone call, email or a request for a unique ID such as a copy of a passport. IAL1 is self-assertion meaning that the user is not required to present anything that confirms their claim to an identity. IAL3 requires identities must be verified in person by a credential service provider. Creating a bank account would be an example of this approach as the bank will require the user to produce a passport or driver's license together with proof of residence. Module reference: 5

D2 4. What is defensible destruction? A. The destruction of assets using defense-approved methods. B. The destruction of assets using a controlled, legally defensible and compliant way. C. The destruction of assets so that the recovery of the asset is not possible. D. The destruction of assets using a method that may not allow attackers to recover data.

The correct answer is B. The perfect definition of legally defensible destruction of assets, which should end the asset lifecycle, is eliminating data using a controlled, legally defensible and regulatory compliant way.

D4 6. Which statement is true? A. Encryption converts plaintext to cyphertext using a common (publicly) known system and requires a key(s). B. Encoding converts plaintext to another commonly (publicly) known format. C. Enciphering converts plaintext to cyphertext using a common (publicly) known system and requires a key(s). D. Steganography converts plaintext to cyphertext using a common (publicly) known system.

The correct answer is B. The terms encryption and encoding are often used as if the two processes are the same. Encoding, however, uses a publicly known system or process and is not intended to provide confidentiality (a translator converting English to Spanish, for example). Encryption and enciphering are the same process and can be used interchangeably; both require the use of a key(s) and do provide message protection (confidentiality). Steganography is the process of hiding plain text within something else (a picture or audio stream, for example). Module reference: 2

D6 2. Threat modeling includes a series of steps. Which of the following is not one of those steps? A. Analyzing B. Mitigation C. Categorization D. Identification

The correct answer is B. Threat modeling is not about threat mitigation but rather it is an abstraction process used to identify boundaries between the system, subsystem elements and the environment. Module reference: 1

D9 6. Consider the scenario from question 5. Your laptop supplier is offering a support and maintenance contract for $600 per annum, per laptop, which includes parts and labor. Calculate the ALE. Is the support contract cost effective? A. Given the ALE and assuming a single failure yes, it is. B. Given the ALE and assuming a single failure no, it is not. C. Given the ALE and assuming multiple failures yes, it is. D. Given the ALE and assuming multiple failures no, it is not.

The correct answer is B. To calculate the ALE we would need to take the SLE $412.50 and multiply it by the projected failure rate of once every nine months or .75% (the ARO). This gives us an ALE of $309.75, as the support contract will cost the organization $600. Given the information, we have to say this is the correct answer. Of course, the support contract is, in effect, an insurance policy and this calculation is a best estimate. Module reference: 7

D5 10. Which of the following provides Layer 2 services? A. Internet Protocol (IP) B. Transmission Control Protocol (TCP) C. Point-to-Point Tunneling Protocol (PPTP) D. User Datagram Protocol (UDP)

The correct answer is C. A Point-to-Point Tunneling Protocol (PPTP) provides services at the Data Link Layer, which is Layer 2. Internet Protocol (IP) operates at Layer 3, the Network Layer. Both Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) operate at Layer 4, the Transport Layer. Module reference: 5

D6 10. Databases require lock controls to maintain the internal integrity of the data. But there is another set of requirements in a database environment. These requirements are known as the ACID test. Which of these four tests ensure transactions are invisible to other users? A. Atomicity B. Consistence C. Isolation D. Durability

The correct answer is C. Atomicity requires that all transactions are either completed or are all rolled back. Consistency requires that all transactions meet the internal integrity constraints. Durability ensures that when a transaction is completed it is permanent and can survive system failures. Module reference: 7

D4 10. The X509 v3 standard introduced support for extensions. What is one use for extensions? A. The public key owner B. The X500 name C. A designation at the end of a file D. The unique identifier

The correct answer is C. Extensions were introduced to provide a file designation, ".crl," for example, and is used to identify a revoked certificate. The owner of the public key is contained in that subject's name field. The X500 name field contains the issuer's name, and the unique identifier field is optional and used where the CA (certificate authority) uses more than one X500 name. Module reference: 3

D9 8. In the STRIDE risk assessment methodology, what does the "R" relate to? A. It is where an attacker poses as an authorized user. B. It is where an attacker successfully gains access and elevates the privilege level. C. It occurs when an attacker can hide or deny involvement in an attack. D. It is a method that attackers might employ to restrict or remove legitimate access.

The correct answer is C. Repudiation (R). Answer A would be Spoofing (S), answer B would be Elevation of Privilege (E) and answer D would be a Denial of Service (D). The "T" in STRIDE is where an attacker successfully tampers with data in an unauthorized manner and the "I" is Information Disclosure. Module reference: 7

D5 1. Which network topology is deterministic? A. Bus B. Star C. Ring D. Mesh

The correct answer is C. Ring is a closed loop technology and deploys a token to determine which node transmits next. By using tokens, it is possible to predict the maximum time that a node must wait before it can transmit. A bus consists of nodes connected to a central cable or bus. A star consists of a central device, such as a hub or switch, to which all nodes are attached. A mesh is an extension of the star concept where all nodes are connected to every other node and provide high availability. Module reference: 2

D4 8. Which asymmetrical encryption has the highest strength per bit of key length? A. Diffie-Hellman-Merkle B. ElGamal C. ECC (Elliptical Curve Cryptography) D. RSA (Rivest-Shamir-Adleman)

The correct answer is C. The ability to use shorter keys reduces computational overheads and makes ECC better suited for use with smart cards and wireless devices. Diffie-Hellman-Merkle is used for key negotiation and does not provide message confidentiality. ElGamal builds on Diffie-Hellman-Merkle and includes message confidentiality and digital signing services. RSA provides message confidentially, digital signing and non-repudiation services. Module reference: 2

D6 1. Using visualization to identify patterns of information within a database is known as: A. Data mining in databases B. Data discovery in databases C. Knowledge discovery in databases D. Data extrapolation in databases

The correct answer is C. While data mining is the process of trawling through the data contained within a database, knowledge discovery in databases uses mathematical, statistical and visualization to produce usable information which in turn helps drive business decisions. Answers B and D are not valid terms associated with the use of databases. Module reference: 3

D5 4. What network-based attack allows an attacker to pose as an intermediate system? A. Man-in-the-middle B. Teardrop C. Route poisoning D. Address Resolution Protocol (ARP) spoofing

The correct answer is D. Address Resolution Protocol (ARP) is used to resolve an IP to MAC address. If successful, an ARP spoofing attack allows all of a victim's traffic to be sent through the attacker. The result of ARP spoofing does create a man-in-the-middle (MITM) situation, but this is a general term for an attack in which an attacker places themselves in the middle of a communication. A teardrop attack is a Denial of Service (DoS) and involves sending fragmented packets, which the receiver can't reassemble correctly. Route poisoning is not an attack but a mechanism used in Routing Information Protocol (RIP) to shut down traffic along a path that is no longer valid. Module reference: 3

D5 3. Operating at Layer 2 of the Open Systems Interconnect (OSI) model, what is the function of the Address Resolution Protocol (ARP)? A. It resolves a NetBIOS name to an IP address. B. It resolves a FQDN to an IP address. C. It resolves a NetBEUI name to an IP address. D. It resolves a physical address to a logical address.

The correct answer is D. An IP address is considered logical as it can change, and a datagram packet needs to have a fixed address to be able to make the actual delivery. The fixed address is the Media Access Control (MAC) address, which is hard-encoded on the Network Interface Card (NIC). The Fully Qualified Domain Name (FQDN) is used with Domain Name Service (DNS) and specifies an absolute address of a node within the DNS hierarchy. Network Basic Extended User Interface (NetBEUI) and Network Basic Input Output System (NetBIOS) were used primarily within Microsoft solutions and are used to provide friendly names rather than the numbers to nodes. NetBEUI/NetBIOS are not networking protocols. Module reference: 3

D6 7. What is a "between-the-lines" attack? A. A hidden mechanism used to bypass access control protection B. A condition where the output of an operation is dependent upon the timing of uncontrolled events C. A condition that occurs where temporary storage is subjected to excess data input D. A condition in which telecommunication lines are tapped and false data is inserted into a transmission

The correct answer is D. Answer A is an example of a backdoor attack. Answer B is an example of a race condition failure and answer C is an example of a buffer overflow attack. Module reference: 2

D1 9. What is meant by "zero trust"? A. It is a security model that requires all contractors and temporary users are continually authenticated and authorized when connecting to a network before access is granted. B. It is a security model that requires all customers (external users) are continually authenticated and authorized when connecting to a network before access is granted. C. It is a security model that requires all vendors are continually authenticated and authorized when connecting to a network before access is granted. D. It is a security model that requires users, both inside and out, are continually authenticated and authorized when connecting to a network before access is granted.

The correct answer is D. Answers A, B and C are all valid examples of good security practices; however, the level of trust given to insiders, i.e., employees, is often relaxed. Employees are often considered to be trustworthy; after all, the employer has already verified their backgrounds and credentials prior to employment, and that ought to be enough (or so they presume). Zero trust employs the concept from the old Russian proverb: Trust, but verify.

D2 2. How can an asset classification program improve an organization's ability to achieve its goals and objectives? A. By meeting the requirements imposed by the audit function. B. By controlling changes to production environments. C. By enhancing ownership principles. D. By specifying controls to protect valuable assets.

The correct answer is D. Asset classification is implemented to allow the organization to protect assets based on the value of those assets, which is categorized by its classification level. Protection of assets, including information, is always done based on value and therefore not only portrays its value, but also defines the protection requirements.

D6 6. Java, C++, Python and Delphi are a few examples of object oriented programming (OOP). This programming concept focuses on objects as opposed to actions. Which of the following is used to prevent inferences being drawn in OOP? A. Inheritance B. Encapsulation C. Polymorphism D. Polyinstantiation

The correct answer is D. By creating new versions of an object, containing different values, the different versions of the same information can exist at different classification levels. Inheritance is the concept whereby subclasses of an object can be defined by a parent class by using the fields and properties of the parent. Encapsulation, data hiding, occurs when a class of an object defines only the data it needs. Polymorphism allows an object to take different forms that are based on how the object is being used. Module reference: 2

D4 3. When comparing the NIST and ISO cloud characteristics, the ISO/IEC 17788 adds an additional essential cloud characteristic that NIST doesn't list. Which one of these does ISO include? A. Measured service B. Pooling C. Network access D. Multi-tenancy

The correct answer is D. Multi-tenancy is when physical or virtual resources are allocated in such a way that multiple tenants and their computations and data are isolated from and inaccessible to one another. Measured service automatically controls and optimizes resources. Pooling (or resource pooling) occurs when computing resources are pooled to serve multiple consumers using a multi-tenant mode. Network access (or broad network access) is when the service provider's capabilities are available over the network and accessed through standard mechanisms. The NIST definition of cloud computing includes five essential characteristics: on-demand self-service, broad network access, resource pooling, rapid elasticity or expansion, and measured service. Module reference: 1

D2 3. What is the correct set of phases or activities in the IT asset management lifecycle phases? A. Create, use, share, store, archive, destroy B. Identify, align, categorize, manage, retire C. Create, read, update, delete, archive D. Plan, identify, align, decide to manage, assign security needs, acquire, deploy, manage, retire

The correct answer is D. The IT asset management lifecycle starts either with plan (for new assets) or identify (for existing ones); it then focuses on various activities, which are often executed in different orders based on organizational needs. Ultimately, the last step would be retirement of the asset.

D4 7. In a symmetric key system where an organization has 20,000 users, how many keys would need to be generated? A. 20,000 B. 40,000 C. 200,000 D. 199,990,000

The correct answer is D. Using the formula n(n-1)/2 where n is the number of users, the answer is D. Using the formula n*2 (used to calculate key numbers in an asymmetrical system), the answer would be B, 40,000. Module reference: 2

D7 5. All of the major control frameworks emphasize the importance of organizational logging practice. Which of the following does not stipulate the need for log management and review? A. NIST SP 800-92 B. Gramm-Leach-Bliley Act (GLBA) C. Sarbanes-Oxley Act (SOX) D. They all do

The correct answer is D. While all of the examples relate to different areas or organizations, they all place an emphasis on the importance of effective and timely log management. Remember one of the five critical tenets from the Center for Internet Security (CIS): Offense informs defense. By knowing what is happening and what has happened, an organization is able to take the appropriate actions. Module reference: 2

D5 7. Which protocol provides a connectionless data transfer with no error detection or correction? A. Internet Group Management Protocol (IGMP) B. Internet Control Message Protocol (ICMP) C. Transmission Control Protocol (TCP) D. User Datagram Protocol (UDP)

The correct answer is D. User Datagram Protocol (UDP), a faster and less reliable transport protocol, is used for message exchange and primarily when speed of transmission is an important factor, but it does not provide protection. Internet Group Management Protocol (IGMP) creates and manages multicast groups. Internet Control Message Protocol (ICMP) is supportive and used by devices to send error messages. Transmission Control Protocol (TCP) provides reliable delivery of a datagram. Module reference: 5