C795

A company presents team members with a disaster recovery scenario, asks members to develop an appropriate response, and then tests some of the technical responses without shutting down operations at the primary site. Which type of disaster recovery test is being performed? Read-through Structured walk through Simulation Full-interruption

Simulation

BCP

Sites: cold, warm, hot sites Exercise Environments: Parallel, tabletop, full-implementation

Which two hardening features apply to a host-based IDS? Choose two. Updated definition files Static private IP addresses Reserved scope options Encrypted log files

Updated definition files Encrypted log files

An organization needs to improve the security of the systems it is monitoring. It has determined that the systems need regularly scheduled vulnerability scans. Which action will enable the organization to satisfy this requirement? Use Nessus to perform system scans Use Wireshark to perform system scans Implement an IDS Implement an IPS

Use Nessus to perform system scans

A security analyst observers that an authorized user has logged in to the network and tried to access an application with failed password attempts. Which defense-in-depth tactic should the security analyst use to see other activities this user has attempted? Brute-force attack the application to see if a user can get in Check application logs for events and errors caused by the user Use a packet sniffer to analyze the network traffic Use SIEM to collect logs and look at the aggregate data

Use SIEM to collect logs and look at the aggregate data

A company is concerned about unauthorized programs being used on network devices. Which defense-depth strategy would help eliminate unauthorized software on network devices? Develop an acceptable use policy and update all network device firmware Use application controls tools and update AppLocker group policies Limit administrative access to devices and create DHCP scope options Upgrade to a 64-bit operating system and install an antimalware

Use application controls tools and update AppLocker group policies

Company employees keep taking taking their laptop computers off-site without securing the laptop's contents. Which defense-in-depth tactic should be used by employees to prevent data from being stolen? Contact the security office when taking property off-site Carry laptops close to themselves when going off-site Use forced encryption via a group policy Take laptops home only on weekends

Use forced encryption via a group policy

An employee is transferring data onto removable media. The company wants to reduce the likelihood of fraud, and transferring data onto removable media is limited to special cases. Which security principle should the company execute as a policy to reduce fraud? two person control least privilege need to know job rotation

two person control

In our risk analysis we are looking at the residual risk. What would that comprise of? Threat * vulnerability. Threat + vulnerability. Threat * vulnerability * asset value. (threat * vulnerability * asset value) - countermeasures

(threat * vulnerability * asset value) - countermeasures The residual risk is what is left over after we implement our countermeasures against the total risk. Residual Risk = Total Risk - Countermeasures.

2. Adam recently ran a network port scan of a web server running in his organization. He ran the scan from an external network to get an attacker's perspective on the scan. Which one of the following results is the greatest cause for alarm? 80/open 22/filtered 443/open 1433/open

1433/open Only open ports represent potentially significant security risks. Ports 80 and 443 are expected to be open on a web server. Port 1433 is a database port and should never be exposed to an external network. Port 22 is used for the Secure Shell protocol (SSH), and the filtered status indicates that nmap can't determine whether it is open or closed. This situation does require further investigation, but it is not as alarming as a definitely exposed database server port.

8. What port is typically used to accept administrative connections using the SSH utility? 20 22 25 80

22 The SSH protocol uses port 22 to accept administrative connections to a server.

Jane has suggested we implement full disk encryption on our laptops. Our organization, on average, loses 25 laptops per year, and currently it costs us $10,000 per laptop. The laptop itself costs $1,000, as well as $9,000 in losses from non-encrypted data being exposed. We want to keep using laptops and have our ARO (Annualized Rate of Occurrence) stay the same. How much can the countermeasures we implement cost, for us to break even?​ 250000 2250000 225000 22500

225000 If we implemented full disk encryption, the break even point would be $225,000. We would still lose the 25 laptops per year ($1,000 per), and the cost of that loss is $25,000 per year from that ,regardless of encryption. What we would save is the 25 * $9,000 ($225,000) from the non-encrypted data exposure. This is what we can use for the encryption.

An organization wants to secure a WAP and wants to force users to authenticate to the network before gaining access. Which security encryption protocol should be implemented on the WAP? WEP WPA 802.1i 802.1X

802.1X

6. Which of the following statements about business continuity planning and disaster recovery planning are correct? (Choose all that apply.) Business continuity planning is focused on keeping business functions uninterrupted when a disaster strikes. Organizations can choose whether to develop business continuity planning or disaster recovery planning plans. Business continuity planning picks up where disaster recovery planning leaves off. Disaster recovery planning guides an organization through recovery of normal operations at the primary facility.

A, B, D. The only incorrect statement here is that business continuity planning picks up where disaster recovery planning leaves off. In fact, the opposite is true: disaster recovery planning picks up where business continuity planning leaves off. The other three statements are all accurate reflections of the role of business continuity planning and disaster recovery planning. Business continuity planning is focused on keeping business functions uninterrupted when a disaster strikes. Organizations can choose whether to develop business continuity planning or disaster recovery planning plans, although it is highly recommended that they do so. Disaster recovery planning guides an organization through recovery of normal operations at the primary facility.

4. Which of the following are examples of financially motivated attacks? (Choose all that apply.) Accessing services that you have not purchased Disclosing confidential personal employee information Transferring funds from an unapproved source into your account Selling a botnet for use in a DDoS attack

A, C, D. A financial attack focuses primarily on obtaining services and funds illegally. Accessing services that you have not purchased is an example of obtaining services illegally. Transferring funds from an unapproved source is obtaining funds illegally, as is leasing out a botnet for use in DDoS attacks. Disclosing confidential information is not necessarily financially motivated.

4. Which of the following are basic security controls that can prevent many attacks? (Choose three.) Keep systems and applications up to date. Implement security orchestration, automation, and response (SOAR) technologies. Remove or disable unneeded services or protocols. Use up-to-date antimalware software. Use WAFs at the border.

A, C, D. The three basic security controls listed are 1) keep systems and applications up to date, 2) remove or disable unneeded services or protocols, and 3) use up-to-date antimalware software. SOAR technologies implement advanced methods to detect and automatically respond to incidents. It's appropriate to place a network firewall at the border (between the internet and the internal network), but web application firewalls (WAF) should only filter traffic going to a web server.

3. Which of the following is a true statement in regard to security cameras? (Choose all that apply.) Cameras should be positioned to watch exit and entry points allowing any change in authorization or access level. Cameras are not needed around valuable assets and resources as well as to provide additional protection in public areas such as parking structures and walkways. Cameras should be positioned to have clear sight lines of all exterior walls, entrance and exit points, and interior hallways. Security cameras should only be overt and obvious in order to provide a deterrent benefit. Security cameras have a fixed area of view for recording. Some camera systems include a system on a chip (SoC) or embedded components and may be able to perform various specialty functions, such as time-lapse recording, tracking, facial recognition, object detection, or infrared or color-filtered recording. Motion detection or sensing cameras can always distinguish between humans and animals.

A, C, F. The true statements are option A, cameras should be positioned to watch exit and entry points allowing any change in authorization or access level; option C, cameras should be positioned to have clear sight lines of all exterior walls, entrance and exit points, and interior hallways; and option F, some camera systems include a system on a chip (SoC) or embedded components and may be able to perform various specialty functions, such as time-lapse recording, tracking, facial recognition, object detection, or infrared or color-filtered recording. The remaining answer options are incorrect. The corrected statements for those options are: option B: Cameras should also be used to monitor activities around valuable assets and resources as well as to provide additional protection in public areas such as parking structures and walkways; option D: Security cameras can be overt and obvious in order to provide a deterrent benefit, or hidden and concealed in order to primarily provide a detective benefit; option E: Some cameras are fixed, whereas others support remote control of automated pan, tilt, and zoom (PTZ); and option G: Simple motion recognition or motion-triggered cameras may be fooled by animals, birds, insects, weather, or foliage.

7. What are the primary reasons attackers engage in thrill attacks? (Choose all that apply.) Bragging rights Money from the sale of stolen documents Pride of conquering a secure system Retaliation against a person or organization

A, C. Thrill attacks have no reward other than providing a boost to pride and ego. The thrill of launching the attack comes from the act of participating in the attack (and not getting caught).

5. A recent security audit of your organization's facilities has revealed a few items that need to be addressed. A few of them are related to your main data center. But you think at least one of the findings is a false positive. Which of the following does not need to be true in order to maintain the most efficient and secure server room? It must be optimized for workers. It must include the use of nonwater fire suppressants. The humidity must be kept between 20 and 80 percent. The temperature must be kept between 59 and 89.6 degrees Fahrenheit.

A. A computer room does not need to be optimized for human workers to be efficient and secure. A server room would be more secure with a nonwater fire suppressant system (it would protect against damage caused by water suppressant). A server room should have humidity maintained between 20 and 80 percent relative humidity and maintain a temperature between 59 and 89.6 degrees Fahrenheit.

8. A financial organization commonly has employees switch duty responsibilities every 6 months. What security principle are they employing? Job rotation Separation of duties Mandatory vacations Least privilege

A. A job rotation policy has employees rotate jobs or job responsibilities and can help detect collusion and fraud. A separation of duties policy ensures that a single person doesn't control all elements of a specific function. Mandatory vacation policies ensure that employees take an extended time away from their jobs, requiring someone else to perform their job responsibilities, which increases the likelihood of discovering fraud. Least privilege ensures that users have only the permissions they need to perform their jobs and no more.

18. A security administrator wants to verify the existing systems are up to date with current patches. Of the following choices, what is the best method to ensure systems have the required patches? Patch management system Patch scanner Penetration tester Fuzz tester

A. A patch management system ensures that systems have required patches. In addition to deploying patches, it would also check the systems to verify they accepted the patches. There is no such thing as a patch scanner. A penetration test will attempt to exploit a vulnerability, but it can be intrusive and cause an outage, so it isn't appropriate in this scenario. A fuzz tester sends random data to a system to check for vulnerabilities but doesn't test for patches.

8. You are updating the training manual for security administrators and want to add a description of a zero-day exploit. Which of the following best describes a zero-day exploit? An attack that exploits a vulnerability that doesn't have a patch or fix A newly discovered vulnerability that doesn't have a patch or fix An attack on systems without an available patch Malware that delivers its payload after a user starts an application

A. A zero-day exploit is an attack that exploits a vulnerability that doesn't have a patch or fix. A newly discovered vulnerability is only a vulnerability until someone tries to exploit it. Attacks on unpatched systems aren't zero-day exploits. A virus is a type of malware that delivers its payload after a user launches an application.

3. Which of the following is not a canon of the (ISC)2 Code of Ethics? Protect your colleagues. Provide diligent and competent service to principals. Advance and protect the profession. Protect society

A. The Code of Ethics does not require that you protect your colleagues.

19. What combination of backup strategies provides the fastest backup restoration time? Full backups and differential backups Partial backups and incremental backups Full backups and incremental backups Incremental backups and differential backups

A. Any backup strategy must include full backups at some point in the process. If a combination of full and differential backups is used, a maximum of two backups must be restored. If a combination of full and incremental backups is chosen, the number of required restorations may be large.

17. type of backup involves always storing copies of all files modified since the most recent full backup? Differential backups Partial backup Incremental backups Database backup

A. Differential backups involve always storing copies of all files modified since the most recent full backup, regardless of any incremental or differential backups created during the intervening time period.

6. You want to apply the least privilege principle when creating new accounts in the software development department. Which of the following should you do? Create each account with only the rights and permissions needed by the employee to perform their job. Give each account full rights and permissions to the servers in the software development department. Create each account with no rights and permissions. Add the accounts to the local Administrators group on the new employee's computer.

A. Each account should have only the rights and permissions needed to perform their job when following the least privilege policy. New employees would not need full rights and permissions to a server. Employees will need some rights and permissions in order to do their jobs. Regular user accounts should not be added to the Administrators group.

7. You suspect an attacker has launched a Fraggle attack on a system. You check the logs and filter your search with the protocol used by Fraggle. What protocol would you use in the filter? User Datagram Protocol (UDP) Transmission Control Protocol (TCP) Internet Control Message Protocol (ICMP) Security orchestration, automation, and response (SOAR)

A. Fraggle is a denial of service (DoS) attack that uses UDP. Other attacks, such as a SYN flood attack, use TCP. A smurf attack is similar to a fraggle attack, but it uses ICMP. SOAR is a group of technologies that provide automated responses to common attacks, not a protocol.

16. Gavin is considering altering his organization's log retention policy to delete logs at the end of each day. What is the most important reason that he should avoid this approach? An incident may not be discovered for several days and valuable evidence could be lost. Disk space is cheap, and log files are used frequently. Log files are protected and cannot be altered. Any information in a log file is useless after it is several hours old

A. Log files contain a large volume of generally useless information. However, when you are trying to track down a problem or an incident, log files can be invaluable. Even if an incident is discovered as it is happening, it may have been preceded by other incidents. Log files provide valuable clues and should be protected and archived, often by forwarding log entries to a centralized log management system.

15. Users of a banking application may try to withdraw funds that don't exist from their account. Developers are aware of this threat and implemented code to protect against it. What type of software testing would most likely catch this type of vulnerability if the developers have not already remediated it? Misuse case testing SQL injection testing Fuzzing Code review

A. Misuse case testing identifies known ways that an attacker might exploit a system and tests explicitly to see if those attacks are possible in the proposed code.

13. What step of the Electronic Discovery Reference Model ensures that information that may be subject to discovery is not altered? Preservation Production Processing Presentation

A. Preservation ensures that potentially discoverable information is protected against alteration or deletion. Production places the information into a format that may be shared with others and delivers it to other parties, such as opposing counsel. Processing screens the collected information to perform a "rough cut" of irrelevant information, reducing the amount of information requiring detailed screening. Presentation displays the information to witnesses, the court, and other parties.

18. Your organization has just landed a new contract for a major customer. This will involve increasing production operations at the primary facility, which will entail housing valuable digital and physical assets. You need to ensure that these new assets receive proper protections. Which of the following is not a disadvantage of using security guards? Security guards are usually unaware of the scope of the operations within a facility. Not all environments and facilities support security guards. Not all security guards are themselves reliable. Prescreening, bonding, and training do not guarantee effective and reliable security guards.

A. Security guards are usually unaware of the scope of the operations within a facility and are therefore not thoroughly equipped to know how to respond to every situation. Though this is considered a disadvantage, the lack of knowledge of the scope of the operations within a facility can also be considered an advantage because this supports confidentiality of those operations and thus helps reduce the possibility that a security guard will be involved in the disclosure of confidential information. Thus, even though this answer option is ambiguous, it is still better than the three other options. The other three options are disadvantages of security guards. Not all environments and facilities support security guards. This may be because of actual human incompatibility or the layout, design, location, and construction of the facility. Not all security guards are themselves reliable. Prescreening, bonding, and training do not guarantee that you won't end up with an ineffective or unreliable security guard.

20. Administrators find that they are repeating the same steps to verify intrusion detection system alerts and perform more repetitive steps to mitigate well-known attacks. Of the following choices, what can automate these steps? SOAR SIEM NIDS DLP

A. Security orchestration, automation, and response (SOAR) technologies provide automated responses to common attacks, reducing an administrator's workload. A security information and event management (SIEM) system is a centralized application that monitors log entries from multiple sources. A network-based intrusion detection system (NIDS) raises the alerts. A data loss prevention (DLP) system helps with egress monitoring and is unrelated to this question. (chp 17)

11. Which one of the following is a cloud-based service model that gives an organization the most control and requires the organization to perform all maintenance on operating systems and applications? Infrastructure as a service (IaaS) Platform as a service (PaaS) Software as a service (SaaS) Public

A. The IaaS service model provides an organization with the most control compared to the other models, and this model requires the organization to perform all maintenance on operating systems and applications. The SaaS model gives the organization the least control, and the cloud service provider (CSP) is responsible for all maintenance. The PaaS model splits control and maintenance responsibilities between the CSP and the organization.

19. Darren is concerned about the risk of a serious power outage affecting his organization's data center. He consults the organization's business impact analysis and determines that the ARO of a power outage is 20 percent. He notes that the assessment took place three years ago and no power outage has occurred. What ARO should he use in this year's assessment, assuming that none of the circumstances underlying the analysis have changed? 20 percent 50 percent 75 percent 100 percent

A. The annualized rate of occurrence (ARO) is the likelihood that the risk will materialize in any given year. The fact that a power outage did not occur in any of the past three years doesn't change the probability that one will occur in the upcoming year. Unless other circumstances have changed, the ARO should remain the same.

15. What type of document will help public relations specialists and other individuals who need a high-level summary of disaster recovery efforts while they are under way? Executive summary Technical guides Department-specific plans Checklists

A. The executive summary provides a high-level view of the entire organization's disaster recovery efforts. This document is useful for the managers and leaders of the firm as well as public relations personnel who need a nontechnical perspective on this complex effort.

5. Ryan is assisting with his organization's annual business impact analysis effort. He's been asked to assign quantitative values to assets as part of the priority identification exercise. What unit of measure should he use? Monetary Utility Importance Time

A. The quantitative portion of the priority identification should assign asset values in monetary units. The organization may also choose to assign other values to assets, but non-monetary measures should be part of a qualitative, rather than a quantitative, assessment.

12. You are installing a system that management hopes will reduce incidents in the network. The setup instructions require you to configure it inline with traffic so that all traffic goes through it before reaching the internal network. Which of the following choices best identifies this system? A network-based intrusion prevention system (NIPS) A network-based intrusion detection system (NIDS) A host-based intrusion prevention system (HIPS_) A host-based intrusion detection system (HIDS)

A. This describes an NIPS. It is monitoring network traffic, and it is placed in line with the traffic. An NIDS isn't placed in line with the traffic, so it isn't the best choice. Host-based systems only monitor traffic sent to specific hosts, not network traffic.

10. You are concerned about the risk that a hurricane poses to your corporate headquarters in South Florida. The building itself is valued at $15 million. After consulting with the National Weather Service, you determine that there is a 10 percent likelihood that a hurricane will strike over the course of a year. You hired a team of architects and engineers, who determined that the average hurricane would destroy approximately 50 percent of the building. What is the annualized loss expectancy (ALE)? $750,000 $1.5 million $7.5 million $15 million

A. This problem requires you to compute the ALE, which is the product of the SLE and the ARO. From the scenario, you know that the ARO is 0.10 (or 10 percent). From the scenario presented, you know that the SLE is $7.5 million. This yields an ALE of $750,000.

19. Security administrators are regularly monitoring threat feeds and using that information to check systems within the network. Their goal is to discover any infections or attacks that haven't been detected by existing tools. What does this describe? Threat hunting Threat intelligence Implementing the kill chain Using artificial intelligence

A. Threat hunting is the process of actively searching for infections or attacks within a network. Threat intelligence refers to the actionable intelligence created after analyzing incoming data, such as threat feeds. Threat hunters use threat intelligence to search for specific threats. Additionally, they may use a kill chain model to mitigate these threats. Artificial intelligence (AI) refers to actions by a machine, but the scenario indicates administrators are doing the work.

13. The IT department routinely uses images when deploying new systems. Of the following choices, what is a primary benefit of using images? Provides a baseline for configuration management Improves patch management response times Reduces vulnerabilities from unpatched systems Provides documentation for changes

A. When images are used to deploy systems, the systems start with a common baseline, which is important for configuration management. Images don't necessarily improve the evaluation, approval, deployment, and audits of patches to systems within the network. Although images can include current patches to reduce their vulnerabilities, this is because the image provides a baseline. Change management provides documentation for changes.

2. You are troubleshooting a problem on a user's computer. After viewing the host-based intrusion detection system (HIDS) logs, you determine that the computer has been compromised by malware. Of the following choices, what should you do next? Isolate the computer from the network .Review the HIDS logs of neighboring computers. Run an antivirus scan. Analyze the system to discover how it was infected.

A. Your next step is to isolate the computer from the network as part of the mitigation phase. You might look at other computers later, but you should try to mitigate the problem first. Similarly, you might run an antivirus scan, but later. The lessons learned phase is last and will analyze an incident to determine the cause.

A company's main asset is a physical working prototype stored in the research and development department. The prototype is not currently connected to the company's network. Which privileged user activity should be monitored? Accessing camera logs Adding accounts to the administrator group Running scripts in Powershell Disabling host firewall

Accessing camera logs

A company is terminating several employees with high levels of access. The company wants to protect itself from possible disgruntled employees who could become potential insider threats. Which defense-in-depth practices should be applied? Account revocation and conducting a vulnerability assessment Account revocation and conducting a full backup of critical data A mandatory 90-day password change and conducting a full backup of critical data A mandatory 90-day password change and conducting a vulnerability assessment

Account revocation and conducting a vulnerability assessment

Which concept has a list of privileges obtained over a period of time?

Aggregation

An organization is deploying a number of internet enabled warehouse cameras to assist with loss prevention. A plan is put in place to implement automated patching. Which defense-in-depth measure will ensure that the patch images are as expected? All remotely installed software must be signed Communications must use HTTPS Device authentication must use digital certificates All passwords must be salted and hashed

All remotely installed software must be signed

A company develops a BCP in addition to an emergency communication plan. What should be included in the company's emergency communication plan? Choose two Alternate means of contact Backup people for each role The best time to call each person Employee's phone service providers

Alternate means of contact Backup people for each role

Which Windows Event Log contains information about specific application issues?

Application Logs

12. Badin Industries runs a web application that processes e-commerce orders and handles credit card transactions. As such, it is subject to the Payment Card Industry Data Security Standard (PCI DSS). The company recently performed a web vulnerability scan of the application and it had no unsatisfactory findings. How often must Badin rescan the application? Only if the application changes At least monthly At least annually There is no rescanning requirement

At least annually PCI DSS requires that Badin rescan the application at least annually and after any change in the application.

How often should a BCP be reviewed? At least annually or when changes occur If and when the company gets audited When a disaster occurs Every 5 years or when a law changes

At least annually or when changes occur

A company wants to prevent cybercriminals from gaining easy access into its email server. The company wants to know which user is accessing which resources and to prevent hackers from easily gaining access to the server. Which defense-in-depth strategy should be used? Authenticate users and devices and log events within the network Deploy VLANs for traffic separation and coarse-grained security Place encryption throughout the network to ensure privacy Use stateful firewall technology at the port level and log firewall activity

Authenticate users and devices and log events within the network

9. Which one of the following tests provides the most accurate and detailed information about the security state of a server? Unauthenticated scan Port scan Half-open scan Authenticated scan

Authenticated scan Authenticated scans can read configuration information from the target system and reduce the instances of false positive and false negative reports.

Which strategy requires people to prove who they are?

Authentication

Which strategy defines what rights and permissions a user has been granted?

Authorization

12. Which of the following are benefits of a gas-based fire suppression system? (Choose all that apply.) Can be deployed throughout a company facility Will cause the least damage to computer systems Extinguishes the fire by removing oxygen May be able to extinguish the fire faster than a water discharge system

B, C, D. Benefits of gas-based fire suppression include causing the least damage to computer systems and extinguishing the fire quickly by removing oxygen. Also, gas-based fire suppression may be more effective and faster than a water-based system. A gas-based fire suppression system can only be used where human presence is at a minimum, since it removes oxygen from the air.

15. Which of the following steps would be included in a change management process? (Choose three.) Immediately implement the change if it will improve performance. Request the change .Create a rollback plan for the change. Document the change.

B, C, D. Change management processes include requesting a change, creating a rollback plan for the change, and documenting the change. Changes should not be implemented immediately without evaluating the change.

A combined mail server and calendaring server environment contains no SSL certificate. Which security principle of the CIA triad is affected by the lack of an SSL certificate? Confidentiality Integrity Authentication Availability

Confidentiality

1. Which of the following are valid incident management steps or phases as listed in the CISSP objectives? (Choose all that apply.) Prevention Detection Reporting Lessons learned Backup

B, C, D. Detection, reporting, and lessons learned are valid incident management steps. Prevention is done before an incident. Creating backups can help recover systems, but it isn't one of the incident management steps. The seven steps (in order) are detection, response, mitigation, reporting, recovery, remediation, and lessons learned.

8. You are mapping out the critical paths of network cables throughout the building. Which of the following items do you need to make sure to include and label on your master cabling map as part of crafting the cable plant management policy? (Choose all that apply.) Access control vestibule Entrance facility Equipment room Fire escapes Backbone distribution system Telecommunications room UPSs Horizontal distribution system Loading dock

B, C, E, F, H. The primary elements of a cable plant management policy should include a mapping of the entrance facility (i.e., demarcation point), equipment room, backbone distribution system, telecommunications room, and horizontal distribution system. The other items are not elements of a cable plant. Thus, access control vestibule, fire escapes, UPSs, and the loading dock are not needed elements on a cable map.

15. A network includes a network-based intrusion detection system (NIDS). However, security administrators discovered that an attack entered the network and the NIDS did not raise an alarm. What does this describe? A false positive A false negative A fraggle attack A smurf attack

B. A false negative occurs when there is an attack but the IDS doesn't detect it and raise an alarm. In contrast, a false positive occurs when an IDS incorrectly raises an alarm, even though there isn't an attack. The attack may be a UDP-based fraggle attack or an ICMP-based smurf attack, but the attack is real, and since the IDS doesn't detect it, it is a false negative.

2. What is the main purpose of a military and intelligence attack? To attack the availability of military systems To obtain secret and restricted information from military or law enforcement sources To utilize military or intelligence agency systems to attack other, nonmilitary sites To compromise military systems for use in attacks against other systems

B. A military and intelligence attack targets the classified data that resides on the system. To the attacker, the value of the information justifies the risk associated with such an attack. The information extracted from this type of attack is often used to plan subsequent attacks.

17. Your organization recently implemented a centralized application for monitoring. Which of the following best describes this? SOAR SIEM HIDS Threat feed

B. A security information and event management (SIEM) system is a centralized application that monitors multiple systems. Security orchestration, automation, and response (SOAR) is a group of technologies that provide automated responses to common attacks. A host-based intrusion detection system (HIDS) is decentralized because it is on one system only. A threat feed is a stream of data on current threats.

5. Which one of the following attacker actions is most indicative of a terrorist attack? Altering sensitive trade secret documents Damaging the ability to communicate and respond to a physical attack Stealing unclassified information Transferring funds to other countries

B. A terrorist attack is launched to interfere with a way of life by creating an atmosphere of fear. A computer terrorist attack can reach this goal by reducing the ability to respond to a simultaneous physical attack. Although terrorists may engage in other actions, such as altering information, stealing data, or transferring funds, as part of their attacks, these items alone are not indicators of terrorist activity.

14. You are replacing a failed switch. The configuration documentation for the original switch indicates a specific port needs to be configured as a mirrored port. Which of the following network devices would connect to this port? An intrusion prevention system (IPS) An intrusion detection system (IDS) A honeypot A sandbox

B. An IDS is most likely to connect to a switch port configured as a mirrored port. An IPS is placed in line with traffic, so it is placed before the switch. A honeypot doesn't need to see all traffic going through a switch. A sandbox is an isolated area often used for testing and would not need all traffic from a switch.

11. An administrator is implementing an intrusion detection system. Once installed, it will monitor all traffic and raise alerts when it detects suspicious traffic. Which of the following best describes this system? A host-based intrusion detection system (HIDS) A network-based intrusion detection system (NIDS) A honeynet A network firewall

B. An NIDS will monitor all traffic and raise alerts when it detects suspicious traffic. A HIDS only monitors a single system. A honeynet is a network of honeypots used to lure attackers away from live networks. A network firewall filters traffic, but it doesn't raise alerts on suspicious traffic.

16. Management wants to add an intrusion detection system (IDS) that will detect new security threats. Which of the following is the best choice? A signature-based IDS An anomaly detection IDS An active IDS A network-based IDS

B. An anomaly-based IDS (also known as a behavior-based IDS) can detect new security threats. A signature-based IDS only detects attacks from known threats. An active IDS identifies the response after a threat is detected. A network-based IDS can be both signature based and anomaly based.

1. James was recently asked by his organization's CIO to lead a core team of four experts through a business continuity planning process for his organization. What is the first step that this core team should undertake? BCP team selection Business organization analysis Resource requirements analysis Legal and regulatory assessment

B. As the first step of the process, the business organization analysis helps guide the remainder of the work. James and his core team should conduct this analysis and use the results to aid in the selection of team members and the design of the BCP process.

5. Security administrators are reviewing all the data gathered by event logging. Which of the following best describes this body of data? Identification Audit trails Authorization Confidentiality

B. Audit trails provide documentation on what happened, when it happened, and who did it. IT personnel create audit trails by examining logs. Authentication of individuals is also needed to ensure that the audit trails provide proof of identities listed in the logs. Identification occurs when an individual claims an identity, but identification without authentication doesn't provide accountability. Authorization grants individuals access to resources based on their proven identity. Confidentiality ensures that unauthorized entities can't access sensitive data and is unrelated to this question.

2. What method is a systematic effort to identify relationships between mission-critical applications, processes, and operations and all the necessary supporting elements when evaluating the security of a facility or designing a new facility? Log file audit Critical path analysis Risk analysis Taking inventory

B. Critical path analysis is a systematic effort to identify relationships between mission-critical applications, processes, and operations and all the necessary supporting elements when evaluating the security of a facility or designing a new facility. Log file audit can help detect violations to hold users accountable, but it is not a security facility design element. Risk analysis is often involved in facility design, but it is the evaluation of threats against assets in regard to rate of occurrence and levels of consequence. Taking inventory is an important part of facility and equipment management, but it is not an element in overall facility design.

17. During what type of penetration test does the tester always have access to system configuration information? Black-box penetration test White-box penetration test Gray-box penetration test Red-box penetration test

B. During a white-box penetration test, the testers have access to detailed configuration information about the system being tested.

10. Carl recently completed his organization's annual business continuity plan refresh and is now turning his attention to the disaster recovery plan. What output from the business continuity plan can he use to prepare the business unit prioritization task of disaster recovery planning? Vulnerability analysis Business impact analysis Risk management Continuity planning

B. During the business impact analysis phase, you must identify the business priorities of your organization to assist with the allocation of BCP resources. You can use this same information to drive the disaster recovery planning business unit prioritization.

15. You are a law enforcement officer and you need to confiscate a PC from a suspected attacker who does not work for your organization. You are concerned that if you approach the individual, they may destroy evidence. What legal avenue is most appropriate? Consent agreement signed by employees Search warrant No legal avenue necessary Voluntary consent

B. In this case, you need a search warrant to confiscate equipment without giving the suspect time to destroy evidence. If the suspect worked for your organization and you had all employees sign consent agreements, you could simply confiscate the equipment.

9. Which of the following is one of the primary reasons an organization enforces a mandatory vacation policy? To rotate job responsibilities To detect fraud To increase employee productivity To reduce employee stress levels

B. Mandatory vacation policies help detect fraud. They require employees to take an extended time away from their jobs, requiring someone else to perform their job responsibilities, which increases the likelihood of discovering fraud. It does not rotate job responsibilities. Although mandatory vacations might help employees reduce their overall stress levels and increase productivity, these are not the primary reasons for mandatory vacation policies.

20. What type of disaster recovery plan test fully evaluates operations at the backup facility but does not shift primary operations responsibility from the main site? Structured walk-through Parallel test Full-interruption test Simulation test

B. Parallel tests involve moving personnel to the recovery site and gearing up operations, but responsibility for conducting day-to-day operations of the business remains at the primary operations center. (chp 18)

18. You operate a grain processing business and are developing your restoration priorities. Which one of the following systems would likely be your highest priority? Order-processing system Fire suppression system Payroll system Website

B. People should always be your highest priority in business continuity planning. As life safety systems, fire suppression systems should always receive high prioritization.

20. Which of the following actions are considered unacceptable and unethical according to RFC 1087, Ethics and the Internet? Actions that compromise the privacy of classified information Actions that compromise the privacy of users Actions that disrupt organizational activities Actions in which a computer is used in a manner inconsistent with a stated

B. RFC 1087 does not specifically address the statements in option A, C, or D. Although each type of activity listed is unacceptable, only "actions that compromise the privacy of users" are explicitly identified in RFC 1087.

4. Adam is reviewing the fault-tolerance controls used by his organization and realizes that they currently have a single point of failure in the disks used to support a critical server. Which one of the following controls can provide fault tolerance for these disks? Load balancing RAID Clustering HA pairs

B. Redundant arrays of inexpensive disks (RAID) are a fault-tolerance control that allow an organization's storage service to withstand the loss of one or more individual disks. Load balancing, clustering, and high-availability (HA) pairs are all fault-tolerance services designed for server compute capacity, not storage.

12. During an operational investigation, what type of analysis might an organization undertake to prevent similar incidents in the future? Forensic analysis Root cause analysis Network traffic analysis Fagan analysis

B. Root cause analysis seeks to identify the reason that an operational issue occurred. The root cause analysis often highlights issues that require remediation to prevent similar incidents in the future. Forensic analysis is used to obtain evidence from digital systems. Network traffic analysis is an example of a forensic analysis category. Fagan inspection is a software testing technique.

14. Gary is a system administrator and is testifying in court about a cybercrime incident. He brings server logs to support his testimony. What type of evidence are the server logs? Real evidence Documentary evidence Parol evidence Testimonial evidence

B. Server logs are an example of documentary evidence. Gary may ask that they be introduced in court and will then be asked to offer testimonial evidence about how he collected and preserved the evidence. This testimonial evidence authenticates the documentary evidence.

Which recovery strategy has servers and workstations?

Hot site

What is the principle of least privilege?

Setting permissions so an employee can perform specific tasks

20. What information security management task ensures that the organization's data protection requirements are met effectively? Account management Backup verification Log review Key performance indicators

B. The backup verification process ensures that backups are running properly and thus meeting the organization's data protection objectives.

13. When designing physical security for an environment, it is important to focus on the functional order in which controls should be used. Which of the following is the correct order of the six common physical security control mechanisms? Decide, Delay, Deny, Detect, Deter, Determine Deter, Deny, Detect, Delay, Determine, Decide Deny, Deter, Delay, Detect, Decide, Determine Decide, Detect, Deny, Determine, Deter, Delay

B. The correct order of the six common physical security control mechanisms is Deter, Deny, Detect, Delay, Determine, Decide. The other options are incorrect.

6. A file server in your network recently crashed. An investigation showed that logs grew so much that they filled the disk drive. You decide to enable rollover logging to prevent this from happening again. Which of the following should you do first? Configure the logs to overwrite old entries automatically. Copy existing logs to a different drive. Review the logs for any signs of attacks. Delete the oldest log entries.

B. The first step should be to copy existing logs to a different drive so that they are not lost. If you enable rollover logging, you are configuring the logs to overwrite old entries. It's not necessary to review the logs before copying them. If you delete the oldest log entries first, you may delete valuable data.

7. The company's server room has been updated with raised floors and MFA door locks. You want to ensure that the updated facility is able to maintain optimal operational efficiency. What is the ideal humidity range for a server room? 20-40 percent 20-80 percent 80-89.6 percent 70-95 percent

B. The humidity in a computer room should ideally be from 20 to 80 percent. Humidity above 80 percent can result in condensation, which causes corrosion. Humidity below 20 percent can result in increased static electricity buildup. However, this does require managing temperature properly as well. The other number ranges are not the relative humidity ranges recommended for a data center.

10. Your company has a yearly fire detection and suppression system inspection performed by the local authorities. You start up a conversation with the lead inspector and they ask you, "What is the most common cause of a false positive for a water-based fire suppression system?" So, what do you answer? Water shortage People Ionization detectors Placement of detectors in drop ceilings

B. The most common cause of a false positive for a water-based system is human error. If you turn off the water source after a fire and forget to turn it back on, you'll be in trouble for the future. Also, pulling an alarm when there is no fire will trigger damaging water release throughout the office. Water shortage would be a problem, but it is not a cause for a false positive event. Ionization detectors are highly reliable, so they are usually not the cause of a false positive event. Detectors can be placed in drop ceilings in order to monitor that air space; this would only be a problem if another detector was not placed in the main area of the room. If there are only detectors in the drop ceiling, then that could result in a false negative event.

19. According to the (ISC)2 Code of Ethics, how are CISSPs expected to act? Honestly, diligently, responsibly, and legally Honorably, honestly, justly, responsibly, and legally Upholding the security policy and protecting the organization Trustworthy, loyally, friendly, courteously

B. The second canon of the (ISC)2 Code of Ethics states how a CISSP should act, which is honorably, honestly, justly, responsibly, and legally.

14. Lighter than Air Industries expects that it would lose $10 million if a tornado struck its aircraft operations facility. It expects that a tornado might strike the facility once every 100 years. What is the single loss expectancy for this scenario? 0.01 $10 million $100,000 0.10

B. The single loss expectancy (SLE) is the amount of damage that would be caused by a single occurrence of the risk. In this case, the SLE is $10 million, the expected damage from one tornado. The fact that a tornado occurs only once every 100 years is not reflected in the SLE but would be reflected in the annualized loss expectancy (ALE).

8. You are concerned about the risk that an avalanche poses to your $3 million shipping facility. Based on expert opinion, you determine that there is a 5 percent chance that an avalanche will occur each year. Experts advise you that an avalanche would completely destroy your building and require you to rebuild on the same land. Ninety percent of the $3 million value of the facility is attributed to the building, and 10 percent is attributed to the land itself. What is the single loss expectancy (SLE) of your shipping facility to avalanches? $3 million $2,700,000 $270,000 $135,000

B. The single loss expectancy (SLE) is the product of the asset value (AV) and the exposure factor (EF). From the scenario, you know that the AV is $3 million and the EF is 90 percent; based on that the same land can be used to rebuild the facility. This yields an SLE of $2,700,000.

7. Tonya is reviewing the flood risk to her organization and learns that their primary data center resides within a 100-year flood plain. What conclusion can she draw from this information? The last flood of any kind to hit the area was more than 100 years ago. The odds of a flood at this level are 1 in 100 in any given year. The area is expected to be safe from flooding for at least 100 years. The last significant flood to hit the area was more than 100 years ago.

B. The term 100-year flood plain is used to describe an area where flooding is expected once every 100 years. It is, however, more mathematically correct to say that this label indicates a 1 percent probability of flooding in any given year.

19. Robert recently completed a SOC engagement for a customer and is preparing a report that describes his firm's opinion on the suitability and effectiveness of security controls after evaluating them over a six-month period. What type of report is he preparing? Type I Type II Type III Type IV

B. There are only two types of SOC report: Type I and Type II. Both reports provide information on the suitability of the design of security controls. Only a Type II report also provides an opinion on the operating effectiveness of those controls over an extended period of time.

18. What port is typically open on a system that runs an unencrypted HTTP server? 22 80 143 443

B. Unencrypted HTTP communications take place over TCP port 80 by default.

16. What type of interface testing would identify flaws in a program's command-line interface? Application programming interface testing User interface testing Physical interface testing Security interface testing

B. User interface testing includes assessments of both graphical user interfaces (GUIs) and command-line interfaces (CLIs) for a software program.

19. A recent attack on servers within your organization caused an excessive outage. You need to check systems for known issues that attackers may use to exploit other systems in your network. Which of the following is the best choice to meet this need? Versioning tracker Vulnerability scanner Security audit Security review

B. Vulnerability scanners are used to check systems for known issues and are part of an overall vulnerability management program. Versioning is used to track software versions and is unrelated to detecting vulnerabilities. Security audits and reviews help ensure that an organization is following its policies but wouldn't directly check systems for vulnerabilities.

Which data recovery strategy should be used to mitigate the risk of a natural disaster? Perform a full local backup store tapes in a secure room Hold backups on a shared drive Back up data to a remote cloud provider

Back up data to a remote cloud provider

How can professionals honorably, honestly, justly, responsibly, and legally act according to the (ISC)2 Code of Ethics Canons?

By completing their duties with integrity at all times

How do professionals advance and protect their profession according to the (ISC)2 Code of Ethics Canons?

By ensuring their knowledge remains current

How do professional protect society according to the (ISC)2 Code of Ethics Canons?

By performing actions to protect the common good

How do professional provide diligent and competent service according to the (ISC)2 Code of Ethics Canons?

By protecting the infrastructure of those who hired them

1. Devin is revising the policies and procedures used by his organization to conduct investigations and would like to include a definition of computer crime. Which one of the following definitions would best meet his needs? Any attack specifically listed in your security policy Any illegal attack that compromises a protected computer Any violation of a law or regulation that involves a computer Failure to practice due diligence in computer security

C. A crime is any violation of a law or regulation. The violation stipulation defines the action as a crime. It is a computer crime if the violation involves a computer, either as the target or as a tool. Computer crimes may not be defined in an organization's policy, since crimes are only defined in law. Illegal attacks are indeed crimes, but this is too narrow a definition. The failure to practice due diligence may be a liability but, in most cases, is not a criminal action.

3. The board of directors of Clashmore Circuits conducts an annual review of the business continuity planning process to ensure that adequate measures are in place to minimize the effect of a disaster on the organization's continued viability. What obligation are they satisfying by this review? Corporate responsibility Disaster requirement Due diligence Going concern responsibility

C. A firm's officers and directors are legally bound to exercise due diligence in conducting their activities. This concept creates a fiduciary responsibility on their part to ensure that adequate business continuity plans are in place. This is an element of corporate responsibility, but that term is vague and not commonly used to describe a board's responsibilities. Disaster requirement and going concern responsibilities are also not risk management terms.

9. What is the best type of water-based fire suppression system for a computer facility? Wet pipe system Dry pipe system Preaction system Deluge system

C. A preaction system is the best type of water-based fire suppression system for a computer facility because it provides the opportunity to prevent the release of water in the event of a false alarm or false initial trigger. The other options of wet pipe, dry pipe, and deluge system use only a single trigger mechanism without the ability to prevent accidental water release.

10. Your organization has contracted with a third-party provider to host cloud-based servers. Management wants to ensure there are monetary penalties if the third party doesn't meet their contractual responsibilities related to uptimes and downtimes. Which of the following is the best choice to meet this requirement? MOU ISA SLA SED

C. A service-level agreement (SLA) can provide monetary penalties if a third-party provider doesn't meet its contractual requirements. Neither a memorandum of understanding (MOU) nor an interconnection security agreement (ISA) includes monetary penalties. Separation of duties is sometimes shortened to SED, but this is unrelated to third-party relationships.

9. Bryn runs a corporate website and currently uses a single server, which is capable of handling the site's entire load. She is concerned, however, that an outage on that server could cause the organization to exceed its RTO. What action could she take that would best protect against this risk? Install dual power supplies in the server. Replace the server's hard drives with RAID arrays. Deploy multiple servers behind a load balancer. Perform regular backups of the server.

C. All of these are good practices that could help improve the quality of service that Bryn provides from her website. Installing dual power supplies or deploying RAID arrays could reduce the likelihood of a server failure, but these measures only protect against a single risk each. Deploying multiple servers behind a load balancer is the best option because it protects against any type of risk that would cause a server failure. Backups are an important control for recovering operations after a disaster and different backup strategies could indeed alter the RTO, but it is even better if Bryn can design a web architecture that lowers the risk of the outage occurring in the first place.

8. What is the most important rule to follow when collecting evidence? Do not turn off a computer until you photograph the screen. List all people present while collecting evidence. Avoid the modification of evidence during the collection process. Transfer all equipment to a secure storage location.

C. Although the other options have some merit in individual cases, the most important rule is to never modify, or taint, evidence. If you modify evidence, it becomes inadmissible in court.

16. While reviewing the facility design blueprints, you notice several indications of a physical security mechanism being deployed directly into the building's construction. Which of the following is a double set of doors that is often protected by a guard and is used to contain a subject until their identity and authentication are verified? Gate Turnstile Access control vestibule Proximity detector

C. An access control vestibule is a double set of doors that is often protected by a guard and used to contain a subject until their identity and authentication is verified. A gate is a doorway used to traverse through a fence line. A turnstile is an ingress or egress point that allows travel only in one direction and by one person at a time. A proximity detector determines whether a proximity device is nearby and whether the bearer is authorized to access the area being protected.

14. A server administrator recently modified the configuration for a server to improve performance. Unfortunately, when an automated script runs once a week, the modification causes the server to reboot. It took several hours of troubleshooting to ultimately determine the problem wasn't with the script but instead with the modification. What could have prevented this? Vulnerability management Patch management Change management Blocking all scripts

C. An effective change management program helps prevent outages from unauthorized changes. Vulnerability management helps detect weaknesses but wouldn't block the problems from this modification. Patch management ensures systems are kept up to date. Blocking scripts removes automation, which would increase the overall workload.

3. What concept is used to grants users only the rights and permissions they need to complete their job responsibilities? Need to know Mandatory vacations Least privilege principle Service-level agreement (SLA)

C. An organization applies the least privilege principle to ensure employees receive only the access they need to complete their job responsibilities. Need to know refers to permissions only, whereas privileges include both rights and permissions. A mandatory vacation policy requires employees to take a vacation in one- or two-week increments. An SLA identifies performance expectations and can include monetary penalties.

16. A new CIO learned that an organization doesn't have a change management program. The CIO insists one be implemented immediately. Of the following choices, what is a primary goal of a change management program? Personnel safety Allowing rollback of changes Ensuring that changes do not reduce security Auditing privilege access

C. Change management aims to ensure that any change does not result in unintended outages or reduce security. Change management doesn't affect personnel safety. A change management plan will commonly include a rollback plan, but that isn't a specific goal of the program. Change management doesn't perform any type of auditing.

14. Paul would like to test his application against slightly modified versions of previously used input. What type of test does Paul intend to perform? Code review Application vulnerability review Mutation fuzzing Generational fuzzing

C. Mutation fuzzing uses bit flipping and other techniques to slightly modify previous inputs to a program in an attempt to detect software flaws.

Which Windows Event Log contains information about the installation of the operating system?

Setup Logs

5. Brad is helping to design a disaster recovery strategy for his organization and is analyzing possible storage locations for backup data. He is not certain where the organization will recover operations in the event of a disaster and would like to choose an option that allows them the flexibility to easily retrieve data from any DR site. Which one of the following storage locations provides the best option for Brad? Primary data center Field office Cloud computing IT manager's home

C. Cloud computing services provide an excellent location for backup storage because they are accessible from any location. The primary data center is a poor choice, since it may be damaged during a disaster. A field office is reasonable, but it is in a specific location and is not as flexible as a cloud-based approach. The IT manager's home is a poor choice—the IT manager may leave the organization or may not have appropriate environmental and physical security controls in place.

11. Which one of the following investigation types has the highest standard of evidence? Administrative Civil Criminal Regulatory

C. Criminal investigations may result in the imprisonment of individuals and, therefore, have the highest standard of evidence to protect the rights of the accused.

18. Helen is working on her organization's resilience plans, and her manager asks her whether the organization has sufficient technical controls in place to recover operations after a disruption. What type of plan would address the technical controls associated with alternate processing facilities, backups, and fault tolerance? Business continuity plan Business impact analysis Disaster recovery plan Vulnerability assessment

C. Disaster recovery plans pick up where business continuity plans leave off. After a disaster strikes and the business is interrupted, the disaster recovery plan guides response teams in their efforts to quickly restore business operations to normal levels.

6. A recent security policy update has restricted the use of portable storage devices when they are brought in from outside. As a compensation, a media storage management process has been implemented. Which of the following is not a typical security measure implemented in relation to a media storage facility containing reusable removable media? Employing a media librarian or custodian Using a check-in/check-out process Hashing Using sanitization tools on returned media

C. Hashing is not a typical security measure implemented in relation to a media storage facility containing reusable removable media. Hashing is used when it is necessary to verify the integrity of a dataset, whereas data on reusable removable media should be removed and not retained. Usually the security features for a media storage facility include using a media librarian or custodian, using a check-in/check-out process, and using sanitization tools on returned media.

15. You have been placed on the facility security planning team. You've been tasked to create a priority list of issues to address during the initial design phase. What is the most important goal of all security solutions? Prevention of disclosure Maintaining integrity Human safety Sustaining availability

C. Human safety is the most important goal of all security solutions. The top priority of security should always be the protection of the lives and safety of personnel. The protection of CIA (confidentiality, integrity, and availability) of company data and other assets is the second priority after human life and safety.

16. In which business continuity planning task would you actually design procedures and mechanisms to mitigate risks deemed unacceptable by the BCP team? Strategy development Business impact analysis Provisions and processes Resource prioritization

C. In the provisions and processes phase, the BCP team designs the procedures and mechanisms to mitigate risks that were deemed unacceptable during the strategy development phase.

13. Ricky is conducting the quantitative portion of his organization's business impact analysis. Which one of the following concerns is least suitable for quantitative measurement during this assessment? Loss of a plant Damage to a vehicle Negative publicity Power outage

C. It is difficult to put a dollar figure on the business lost because of negative publicity. Therefore, this type of concern is better evaluated through a qualitative analysis. The other items listed here are all more easily quantifiable.

19. While designing the security plan for a proposed facility, you are informed that the budget was just reduced by 30 percent. However, they did not adjust or reduce the security requirements. What is the most common and inexpensive form of physical access control device for both interior and exterior use? Lighting Security guard Key locks Fences

C. Key locks are the most common and inexpensive form of physical access control device for both interior and exterior use. Lighting, security guards, and fences are all much more costly. Fences are also mostly used outdoors.

14. Equipment failure is a common cause of a loss of availability. When deciding on strategies to maintain availability, it is often important to understand the criticality of each asset and business process as well as the organization's capacity to weather adverse conditions. Match the term to the definition. MTTF MTTR MTBF SLA Clearly defines the response time a vendor will provide in the event of an equipment failure emergency An estimation of the time between the first and any subsequent failures The expected typical functional lifetime of the device given a specific operating environment The average length of time required to perform a repair on the device I - 1, II - 2, III - 4, IV - 3 I - 4, II - 3, III - 1, IV - 2 I - 3, II - 4, III - 2, IV - 1 I - 2, II - 1, III - 3, IV - 4

C. Mean time to failure (MTTF) is the expected typical functional lifetime of the device given a specific operating environment. Mean time to repair (MTTR) is the average length of time required to perform a repair on the device. Mean time between failures (MTBF) is an estimation of the time between the first and any subsequent failures. A service level agreement (SLA) clearly defines the response time a vendor will provide in the event of an equipment failure emergency.

1. Your organization is planning on building a new facility to house a majority of on-site workers. The current facility has had numerous security issues, such as loitering, theft, graffiti, and even a few physical altercations between employees and nonemployees. The CEO has asked you to assist in developing the facility plan to reduce these security concerns. While researching options you discover the concepts of CPTED. Which of the following is not one of its core strategies? Natural territorial reinforcement Natural access control Natural training and enrichment Natural surveillance

C. Natural training and enrichment is not a core strategy of CPTED. Crime Prevention Through Environmental Design (CPTED) has three main strategies: natural access control, natural surveillance, and natural territorial reinforcement. Natural access control is the subtle guidance of those entering and leaving a building through placement of entranceways, use of fences and bollards, and placement of lights. Natural surveillance is any means to make criminals feel uneasy through the increasing of opportunities for them to be observed. Natural territorial reinforcement is the attempt to make the area feel like an inclusive, caring community.

2. An organization ensures that users are granted access to only the data they need to perform specific work tasks. What principle are they following? Principle of least permission Separation of duties (SoD) Need to know Job rotation

C. Need to know is the requirement to have access to, knowledge about, or possession of data to perform specific work tasks, but no more. The principle of least privilege includes both rights and permissions, but the term principle of least permission is not valid within IT security. Separation of duties (SoD) ensures that a single person doesn't control all the elements of a process. A separation of duties policy ensures that no single person has total control over a critical function. A job rotation policy requires employees to rotate to different jobs periodically.

1. James is working with his organization's leadership to help them understand the role that disaster recovery plays in their cybersecurity strategy. The leaders are confused about the differences between disaster recovery and business continuity. What is the end goal of disaster recovery planning? Preventing business interruption Setting up temporary business operations Restoring normal business activity Minimizing the impact of a disaster

C. Once a disaster interrupts the business operations, the goal of DRP is to restore regular business activity as quickly as possible. Thus, disaster recovery planning picks up where business continuity planning leaves off. Preventing business interruption is the goal of business continuity, not disaster recovery programs. Although disaster recovery programs are involved in restoring normal activity and minimizing the impact of disasters, this is not their end goal.

11. Chris is completing the risk acceptance documentation for his organization's business continuity plan. Which one of the following items is Chris least likely to include in this documentation? Listing of risks deemed acceptable Listing of future events that might warrant reconsideration of risk acceptance decisions Risk mitigation controls put in place to address acceptable risks Rationale for determining that risks were acceptable

C. Risk mitigation controls to address acceptable risks would not be in the BCP. The risk acceptance documentation should contain a thorough review of the risks facing the organization, including the determination as to which risks should be considered acceptable and unacceptable. For acceptable risks, the documentation should include a rationale for that decision and a list of potential future events that might warrant a reconsideration of that determination. The documentation should include a list of controls used to mitigate unacceptable risks, but it would not include controls used to mitigate acceptable risks, since acceptable risks do not require mitigation.

7. Your organization has divided a high-level auditing function into several individual job tasks. These tasks are divided between three administrators. None of the administrators can perform all of the tasks. What does this describe? Job rotation Mandatory vacation Separation of duties Least privilege

C. Separation of duties ensures that no single entity can perform all the tasks for a job or function. A job rotation policy moves employees to different jobs periodically. A mandatory vacation policy requires employees to take vacations. A least privilege policy ensures users have only the privileges they need, and no more.

12. Which one of the following is a cloud-based service model that allows users to access email via a web browser? Infrastructure as a service (IaaS) Platform as a service (PaaS) Software as a service (SaaS )Public

C. The SaaS service model provides services such as email available via a web browser. IaaS provides the infrastructure (such as servers), and PaaS provides a platform (such as an operating system and application installed on a server). Public is a deployment method, not a service model.

15. Referring to the scenario in question 14, what is the annualized loss expectancy? 0.01 $10 million $100,000 0.10

C. The annualized loss expectancy (ALE) is computed by taking the product of the single loss expectancy (SLE), which was $10 million in this scenario, and the annualized rate of occurrence (ARO), which was 0.01 in this example. These figures yield an ALE of $100,000.

6. Renee is reporting the results of her organization's BIA to senior leaders. They express frustration at all of the detail, and one of them says, "Look, we just need to know how much we should expect these risks to cost us each year." What measure could Renee provide to best answer this question? ARO SLE ALE EF

C. The annualized loss expectancy (ALE) represents the amount of money a business expects to lose to a given risk each year. This figure is quite useful when performing a quantitative prioritization of business continuity resource allocation

11. Nolan is considering the use of several different types of alternate processing facility for his organization's data center. Which one of the following alternative processing sites takes the longest time to activate but has the lowest cost to implement? Hot site Mobile site Cold site Warm site

C. The cold site contains none of the equipment necessary to restore operations. All of the equipment must be brought in and configured and data must be restored to it before operations can commence. This process often takes weeks, but cold sites also have the lowest cost to implement. Hot sites, warm sites, and mobile sites all have quicker recovery times.

7. Jake is conducting a business impact analysis for his organization. As part of the process, he asks leaders from different units to provide input on how long the enterprise resource planning (ERP) system could be unavailable without causing irreparable harm to the organization. What measure is he seeking to determine? SLE EF MTD ARO

C. The maximum tolerable downtime (MTD) represents the longest period a business function can be unavailable before causing irreparable harm to the business. This figure is useful when determining the level of business continuity resources to assign to a particular function.

1. Which security principle involves the knowledge and possession of sensitive material as an aspect of one's occupation? Principle of least privilege Separation of duties Need to know As-needed basis

C. The need-to-know policy operates on the basis that any given system user should be granted access only to portions of sensitive information or materials necessary to perform some task. The principle of least privilege ensures that personnel are granted only the permissions they need to perform their job and no more. Separation of duties ensures that no single person has total control over a critical function or system. There isn't a standard principle called "as-needed basis."

2. Kevin is attempting to determine an appropriate backup frequency for his organization's database server and wants to ensure that any data loss is within the organization's risk appetite. Which one of the following security process metrics would best assist him with this task? RTO MTD RPO MTBF

C. The recovery point objective (RPO) specifies the maximum amount of data that may be lost during a disaster and should be used to guide backup strategies. The maximum tolerable downtime (MTD) and recovery time objective (RTO) are related to the duration of an outage, rather than the amount of data lost. The mean time between failures (MTBF) is related to the frequency of failure events.

9. Users in an organization complain that they can't access several websites that are usually available. After troubleshooting the issue, you discover that an intrusion protection system (IPS) is blocking the traffic, but the traffic is not malicious. What does this describe? A false negative A honeynet A false positive Sandboxing

C. This is a false positive. The IPS falsely identified normal web traffic as an attack and blocked it. A false negative occurs when a system doesn't detect an actual attack. A honeynet is a group of honeypots used to lure attackers. Sandboxing provides an isolated environment for testing and is unrelated to this question.

2. Tracy is preparing for her organization's annual business continuity exercise and encounters resistance from some managers who don't see the exercise as important and feel that it is a waste of resources. She has already told the managers that it will only take half a day for their employees to participate. What argument could Tracy make to best address these concerns? The exercise is required by policy. The exercise is already scheduled and canceling it would be difficult. The exercise is crucial to ensuring that the organization is prepared for emergencies. The exercise will not be very time-consuming.

C. This question requires that you exercise some judgment, as do many questions on the CISSP exam. All of these answers are plausible things that Tracy could bring up, but we're looking for the best answer. In this case, that is ensuring that the organization is ready for an emergency—a mission-critical goal. Telling managers that the exercise is already scheduled or required by policy doesn't address their concerns that it is a waste of time. Telling them that it won't be time-consuming is not likely to be an effective argument because they are already raising concerns about the amount of time requested.

12. Ingrid is concerned that one of her organization's data centers has been experiencing a series of momentary power outages. Which one of the following controls would best preserve their operating status? Generator Dual power supplies UPS Redundant network links

C. Uninterruptible power supplies (UPSs) provide a battery-backed source of power that is capable of preserving operations in the event of brief power outages. Generators take a significant amount of time to start and are more suitable for longer-term outages. Dual power supplies protect against power supply failures and not power outages. Redundant network links are a network continuity control and do not provide power.

10. What type of evidence refers to written documents that are brought into court to prove a fact? Best evidence Parol evidence Documentary evidence Testimonial evidence

C. Written documents brought into court to prove the facts of a case are referred to as documentary evidence. The best evidence rule states that when a document is used as evidence in a court proceeding, the original document must be introduced. The parol evidence rule states that when an agreement between parties is put into written form, the written document is assumed to contain all the terms of the agreement, and no verbal agreements may modify the written agreement. Testimonial evidence is evidence consisting of the testimony of a witness, either verbal testimony in court or written testimony in a recorded deposition.

20. Of the individuals listed, who would provide the best endorsement for a business continuity plan's statement of importance? Vice president of business operations Chief information officer Chief executive officer

C. You should strive to have the highest-ranking person possible sign the BCP's statement of importance. Of the choices given, the chief executive officer (CEO) has the highest ranking.

We are implementing governance standard and control frameworks focused on goals for the entire organization. Which of these would be something we would consider? FRAP COSO. COBIT. ITIL.

COSO (Committee Of Sponsoring Organizations) focuses on goals for the entire organization.

A company's vulnerability management policy requires assessing a vulnerability based on its severity. Which standard should this company use to prioritize vulnerabilities? CVSS CVE CCE OVAL

CVSS

Which document should IT personnel use during critical disaster recovery to guide their actions?

Checklists

The IT department of a large company uses a secure baseline image to deploy operating systems. Which type of management action is being implemented by using a secure baseline image? Patch Configuration Change Operations

Configuration

The IT department of a large company uses a secure baseline image to deploy operating systems. Which type of management action is being implemented by using a secure baseline image? Patch Configuration Change Operations

Configuration

A security professional for a midsize company is tasked with helping the organization write new corporate security procedures. One of the policies includes the use of multi-factor authentication. Which defense-in-depth practice should the security professional apply?

Create a unique admin account for each person and configure a security token that provides a passcode every 60 seconds

20. While implementing a motion detection system to monitor unauthorized access into a secured area of the building, you realize that the current infrared detectors are causing numerous false positives. You need to replace them with another option. What type of motion detector senses changes in the electrical or magnetic field surrounding a monitored object? Wave Photoelectric Heat

D. A capacitance motion detector senses changes in the electrical or magnetic field surrounding a monitored object. A wave pattern motion detector transmits a consistent low ultrasonic or high microwave frequency signal into a monitored area and monitors for significant or meaningful changes or disturbances in the reflected pattern. A photoelectric motion detector senses changes in visible light levels for the monitored area. Photoelectric motion detectors are usually deployed in internal rooms that have no windows and are kept dark. An infrared PIR (passive infrared) or heat-based motion detector monitors for significant or meaningful changes in the heat levels and patterns in a monitored area.

13. After installing an application on a user's system, your supervisor told you to remove it because it is consuming most of the system's resources. Which of the following prevention systems did you most likely install? A network-based intrusion detection system (NIDS) A web application firewall (WAF) A security information and event management (SIEM) system A host-based intrusion detection system (HIDS)

D. A drawback of some HIDSs is that they interfere with a single system's normal operation by consuming too many resources. The other options refer to applications that aren't installed on user systems.

18. After a recent attack, management decided to implement an egress monitoring system that will prevent data exfiltration. Which of the following is the best choice? An NIDS An NIPS A firewall A DLP system

D. A network-based data loss prevention (DLP) system monitors outgoing traffic (egress monitoring) and can thwart data exfiltration attempts. Network-based intrusion detection systems (NIDSs) and intrusion protection systems (IPSs) primarily monitor incoming traffic for threats. Firewalls can block traffic or allow traffic based on rules in an access control list (ACL), but they can't detect unauthorized data exfiltration attacks.

20. Which one of the following processes is most likely to list all security risks within a system? Configuration management Patch management Hardware inventory Vulnerability scan

D. A vulnerability scan will list or enumerate all security risks within a system. None of the other answers will list security risks within a system. Configuration management systems check and modify configuration settings. Patch management systems can deploy patches and verify patches are deployed, but they don't check for all security risks. Hardware inventories only verify the hardware is still present. (chp 16)

10. You are installing a new intrusion detection system (IDS). It requires you to create a baseline before fully implementing it. Which of the following best describes this IDS? A pattern-matching IDS A knowledge-based IDS A signature-based IDS An anomaly-based IDS

D. An anomaly-based IDS requires a baseline, and it then monitors traffic for any anomalies or changes when compared to the baseline. It's also called behavior based and heuristics based. Pattern-based detection (also known as knowledge-based detection and signature-based detection) uses known signatures to detect attacks.

17. Systems within an organization are configured to receive and apply patches automatically. After receiving a patch, 55 of the systems automatically restarted and booted into a stop error. What could have prevented this problem without sacrificing security? Disable the setting to apply the patches automatically. Implement a patch management program to approve all patches. Ensure systems are routinely audited for patches. Implement a patch management program that tests patches before deploying them.

D. An effective patch management program evaluates and tests patches before deploying them and would have prevented this problem. Approving all patches would not prevent this problem because the same patch would be deployed. Systems should be audited after deploying patches, not to test for the impact of new patches.

6. Which of the following would not be a primary goal of a grudge attack? Disclosing embarrassing personal information Launching a virus on an organization's system Sending inappropriate emails with a spoofed origination address of the victim organization Using automated tools to scan the organization's systems for vulnerable ports

D. Any action that can harm a person or organization, either directly or through embarrassment, would be a valid goal of a grudge attack. The purpose of such an attack is to "get back" at someone.

A company is concerned that disgruntled employees are sending sensitive data to its competitors. Which defense-in-depth practices assist a company in identifying an insider threat? DLP and audit logs Antivirus and IDS DLP and IDS Antivirus and audit logs

DLP and audit logs

4. Darcy is leading the BCP effort for her organization and is currently in the project scope and planning phase. What should she expect will be the major resource consumed by the BCP process during this phase? Hardware Software Processing time Personnel

D. During the planning phase, the most significant resource utilization will be the time dedicated by members of the BCP team to the planning process. This represents a significant use of business resources and is another reason that buy-in from senior management is essential.

4. Your organization is planning on building a new primary headquarters in a new town. You have been asked to contribute to the design process, so you have been given copies of the proposed blueprints to review. Which of the following is not a security-focused design element of a facility or site? Separation of work and visitor areas Restricted access to areas with higher value or importance Confidential assets located in the heart or center of a facility Equal access to all locations within a facility

D. Equal access to all locations within a facility is not a security-focused design element. Each area containing assets or resources of different importance, value, and confidentiality should have a corresponding level of security restriction placed on it. A secure facility should have a separation between work and visitor areas and should restrict access to areas with higher value or importance, and confidential assets should be located in the heart or center of a facility.

18. What are ethics? Mandatory actions required to fulfill job requirements Laws of professional conduct Regulations set forth by a professional organization Rules of personal behavior

D. Ethics are simply rules of personal behavior. Many professional organizations establish formal codes of ethics to govern their members, but ethics are personal rules individuals use to guide their lives.

17. Due to a recent building intrusion, facility security has become a top priority. You are on the proposal committee that will be making recommendations on how to improve the organization's physical security stance. What is the most common form of perimeter security devices or mechanisms? Security guards Fences CCTV Lighting

D. Lighting is often claimed to be the most commonly deployed physical security mechanism. However, lighting is only a deterrent and not a strong deterrent. It should not be used as the primary or sole protection mechanism except in areas with a low threat level. Your entire site, inside and out, should be well lit. This provides for easy identification of personnel and makes it easier to notice intrusions. Security guards are not as common as lighting, but they are more flexible in terms of security benefits. Fences are not as common as lighting, but they serve as a preventive control. CCTV is not as common as lighting but serves as a detection control.

4. A large organization using a Microsoft domain wants to limit the amount of time users have elevated privileges. Which of the following security operation concepts can be used to support this goal? Principle of least permission Separation of duties Need to know Privileged account management

D. Microsoft domains include a privileged account management solution that grants administrators elevated privileges when they need them but restrict the access using a time-limited ticket. The principle of least privilege includes both rights and permissions, but the term principle of least permission is not valid within IT security. Separation of duties ensures that a single person doesn't control all the elements of a process or a critical function. Need to know is the requirement to have access to, knowledge about, or possession of data to perform specific work tasks, but no more.

17. What phase of the Electronic Discovery Reference Model examines information to remove information subject to attorney-client privilege? Identification Collection Processing Review

D. Review examines the information resulting from the Processing phase to determine what information is responsive to the request and remove any information protected by attorney-client privilege. Identification locates the information that may be responsive to a discovery request when the organization believes that litigation is likely. Collection gathers the relevant information centrally for use in the eDiscovery process. Processing screens the collected information to perform a "rough cut" of irrelevant information, reducing the amount of information requiring detailed screening.

16. What disaster recovery planning tool can be used to protect an organization against the failure of a critical software firm to provide appropriate support for their products? Differential backups Business impact analysis Incremental backups Software escrow agreement

D. Software escrow agreements place the application source code in the hands of an independent third party, thus providing firms with a "safety net" in the event a developer goes out of business or fails to honor the terms of a service agreement.

11. A data center has had repeated hardware failures. An auditor notices that systems are stacked together in dense groupings with no clear organization. What should be implemented to address this issue? Visitor logs Industrial camouflage Gas-based fire suppression Hot aisles and cold aisles

D. The cause of the hardware failures is implied by the lack of organization of the equipment, which is heat buildup. This could be addressed by better management of temperature and airflow, which would involve implementing hot aisles and cold aisles in the data center. A data center should have few if any actual visitors (such as outsiders), but anyone entering and leaving a data center should be tracked and recorded in a log. However, whether or not a visitor log is present has little to do with system failure due to poor heat management. Industrial camouflage is not relevant here since it is about hiding the purpose of a facility from outside observers. A gas-based fire suppression system is more appropriate for a data center than a water-based system, but neither would cause heat problems due to poor system organization.

5. An administrator is granting permissions to a database. What is the default level of access the administrator should grant to new users in the organization? Read Modify Full access No access

D. The default level of access should be no access. The principle of least privilege dictates that users should only be granted the level of access they need for their job, and the question doesn't indicate that new users need any access to the database. Read access, modify access, and full access grants users some level of access, which violates the principle of least privilege.

3. In the incident management steps identified by (ISC)2, which of the following occurs first? Response Mitigation Remediation Detection

D. The first step is detection. The seven steps (in order) are detection, response, mitigation, reporting, recovery, remediation, and lessons learned.

3. Brian's organization recently suffered a disaster and wants to improve their disaster recovery program based on their experience. Which one of the following activities will best assist with this task? Training programs Awareness efforts BIA review Lessons learned

D. The lessons learned session captures discoveries made during the disaster recovery process and facilitates continuous improvement. It may identify deficiencies in training and awareness or in the business impact analysis.

9. What would be a valid argument for not immediately removing power from a machine when an incident is discovered? All of the damage has been done. Turning the machine off would not stop additional damage. There is no other system that can replace this one if it is turned off. Too many users are logged in and using the system. Valuable evidence in memory will be lost.

D. The most compelling reason for not removing power from a machine is that you will lose the contents of memory. Carefully consider the pros and cons of removing power. After all is considered, it may be the best choice.

14. Harry is conducting a disaster recovery test. He moved a group of personnel to the alternate recovery site, where they are mimicking the operations of the primary site but do not have operational responsibility. What type of disaster recovery test is he performing? Checklist test Structured walk-through Simulation test Parallel test

D. The parallel test involves relocating personnel to the alternate recovery site and implementing site activation procedures. Checklist tests, structured walk-throughs, and simulations are all test types that do not involve actually activating the alternate site.

12. Brian is developing continuity plan provisions and processes for his organization. What resource should he protect as the highest priority in those plans? Physical plant Infrastructure Financial People

D. The safety of human life must always be the paramount concern in business continuity planning. Be sure that your plan reflects this priority, especially in the written documentation that is disseminated to your organization's employees!

17. Matt is supervising the installation of redundant communications links in response to a finding during his organization's BIA. What type of mitigation provision is Matt overseeing? Hardening systems Defining systems Reducing systems Alternative systems

D. This is an example of alternative systems. Redundant communications circuits provide backup links that may be used when the primary circuits are unavailable.

9. Referring to the scenario in question 8, what is the annualized loss expectancy? $3 million $2,700,000 $270,000 $135,000

D. This problem requires you to compute the annualized loss expectancy (ALE), which is the product of the single loss expectancy (SLE) and the annualized rate of occurrence (ARO). From the scenario, you know that the ARO is 0.05 (or 5 percent). From question 8, you know that the SLE is $2,700,000. This yields an ALE of $135,000.

13. Which one of the following items is a characteristic of hot sites but not a characteristic of warm sites? Communications circuits Workstations Servers Current data

D. Warm sites and hot sites both contain workstations, servers, and the communications circuits necessary to achieve operational status. The main difference between the two alternatives is the fact that hot sites contain near-real-time copies of the operational data and warm sites require the restoration of data from backup.

8.. Randi is designing a disaster recovery mechanism for her organization's critical business databases. She selects a strategy where an exact, up-to-date copy of the database is maintained at an alternative location. What term describes this approach? Transaction logging Remote journaling Electronic vaulting Remote mirroring

D. When you use remote mirroring, an exact copy of the database is maintained at an alternative location. You keep the remote copy up to date by executing all transactions on both the primary and remote sites at the same time. Electronic vaulting follows a similar process of storing all data at the remote location, but it does not do so in real time. Transaction logging and remote journaling options send logs, rather than full data replicas, to the remote location.

We are seeing attacks on one of our servers. The attack is using zombies. Which type of an attack is it? Distributed Denial Of Service (DDOS). Trojans. Worms. Viruses.

DDOS Botnets is a C&C (Command and Control) network, controlled by people (bot-herders, they can control thousands or even hundreds of thousands of bots (also called zombies) in a botnet.

Which of these would be COMMON attacks focused on compromising our availability? all of these social engineering viruses DDOS

DDOS For data availability we use: IPS/IDS. Patch Management. Redundancy on Hardware Power (Multiple Power Supplies/UPS'/Generators), Disks (Redundant Array of Independent Disks (RAID)), Traffic paths (Network Design), HVAC, Staff, HA (high availability) and much more. SLAs - How high uptime to we want (99.9%?) - (ROI) Threats: Malicious attacks Distributed Denial Of Service (DDOS) ,physical, system compromise, staff, wireless jamming). Application failures (errors in the code). Component failure (hardware).

A technician notifies her supervisor that the nightly backup of a critical system failed during the previous night's run. Because the system is critical to the organization, the technician raised the issue in order to make management aware of the missing backup. The technician is looking for guidance on whether additional actions should be taken on the single backup failure. Which role is responsible for making the final decision on how to handle the incomplete backup? Senior management Data owner Supervisor Application administrator

Data owner

A company has user credentials compromised through a phishing attack. Which defense-in-depth will reduce the likelihood of misuse of the user's credentials? Configure firewall rules Deploy multifactor authentication Deploy RADIUS authentication Configure encryption protocols

Deploy multifactor authentication

3. Which one of the following factors should not be taken into consideration when planning a security testing schedule for a particular system? Sensitivity of the information stored on the system Difficulty of performing the test Desire to experiment with new testing tools Desirability of the system to attackers

Desire to experiment The sensitivity of information stored on the system, difficulty of performing the test, and likelihood of an attacker targeting the system are all valid considerations when planning a security testing schedule. The desire to experiment with new testing tools should not influence the production testing schedule.

Which incident response step takes place when the incident is first discovered?

Detection

During a security incident you see something that is usable in court. This constitutes which type of evidence? Direct evidence. Secondary evidence. Real evidence. Circumstantial evidence.

Direct Direct Evidence: Testimony from a first hand witness, what they experienced with their 5 senses.

A company is concerned about securing its corporate network, including its wireless network, to limit security risks. Which defense-in-depth practice represents an application of least privilege? Implement mutual multifactor authentication Configure Wi-Fi Protected Access for encrypted communication Disable wireless access to users who do not need it Implement an intrusion detection system

Disable wireless access to users who do not deed it

Which type of backup solution should be incorporated in an organization that has high-capacity backup data requirements in the terabytes? Disk-to-disk Tape Optical media High-capacity CD-RW

Disk-to-disk

A company is moving its database backups from an off-site location to an alternate processing site warehouse using bulk transfers. Which type of database recovery is this company employing? Electronic vaulting Remote journaling Remote mirroring Mutual assistance

Electronic vaulting A storage scenario in which database backups are transferred to a remote site in a bulk transfer fashion. The remote location may be a dedicated alternative recovery site (such as a hot site) or simply an offsite location managed within the company or by a contractor for the purpose of maintaining backup data.

A government agency is at risk of attack from malicious nation-state actors. Which defense should the agency put on the boundary of its network to stop attacks? Deploy a honeypot Employ an intrusion detection system Use an internal security information and event manager Employ an intrusion prevention system

Employ an intrusion prevention system

It is suspected that someone is connecting to an organization's WAPs and capturing data. Which boundary-defense method should be applied to reduce eavesdropping attacks? Enable 802.1x to require network authentication Disconnect unused LAN drops within the building Install a network monitor on the WAP Add a whitelist for all traffic coming from ISP

Enable 802.1X to require network authentication

A hacker is sitting between a corporate user and the email server that the user is currently accessing. The hacker is trying to intercept and capture any data the user is sending through the email application. How should a system administrator protect the company's email server from this attack? Encrypt network traffic with VPNs Add antimalware to the email server Implement a firewall Whitelist the sites the are trusted

Encrypt network traffic with VPNs

A company hires several contractors each year to augment its IT workforce. The contractors are granted access to the internal corporate network, but they are not provided laptops containing the corporate image. Instead, they are required to bring their own equipment. Which defense-in-depth practice should be required for contractor laptops to ensure that contractors do not connect infected laptops to the internal corporate network? Enable command-line audit logging on contractor laptops Configure devices to not autorun content Configure antimalware scanning of removable devices Ensure antimalware software and signatures are updated

Ensure antimalware software and signatures are updated

Which concept grants privileges to an account when the account is first provisioned based on the need-to-know security control?

Entitlement

A company's business operations are disrupted due to a flash flood. Which consequences to business continuity should be addressed in the DRP? Evaluation of risk from possible flood damage Identify essential personnel and decision makers Provide flood-response training to the disaster recovery team Provision additional backup power sources

Evaluation of risk from possible flood damage

A company's business operations are disrupted due to a flash flood. Which consequences to business continuity should be addressed in the disaster recovery plan? Evaluation of risk from possible flood damage Identify essential personnel and decision makers Provide flood-response training to the disaster recovery team Provision additional backup power sources

Evaluation of risk from possible flood damage

Which auditor do not directly report to internal staff?

External auditors

Which two data recovery components will back up a file and change the archive bit to 0? Choose two. Full Backup Differential Backup Incremental Backup Copy backup

Full Backup Incremental Backup

Which two data recovery components will back up a file and change the archive bit to 0? Choose two. Full backup Differential backup Incremental backup Copy backup

Full backup Incremental backup

Health care systems in the US must be HIPAA compliant. What is HIPAA an abbreviation of?

Health Insurance Portability and Accountability Act

A penetration tester identifies a SQL injection vulnerability in a business-critical web application. The security administrator discusses this finding with the application developer, and the developer insists that the issue would take two months to remediate. Which defense-in-depth practice should the security administrator use to prevent an attacker from exploiting this weakness before the developer can implement a fix? Perform daily vulnerability scans Implement a web-application firewall Submit an urgent change control ticket Deploy an antimalware agent to the web server

Implement a web-application firewall

A company needs to improve its ability to detect and investigate rogue WAPs Which defense-in-depth practice should be used? Configure a captive portal to request information Configure MAC address filtering to control access Install a wireless IDS to monitor irregular behavior Install a stateful firewall to black network connections

Install a wireless IDS to monitor irregular behavior

When an attacker has altered our data, which leg of the CIA triad is MOSTLY affected? Confidentiality. Authentication. Integrity. Availability.

Integrity Alteration is the opposite of integrity our data has been changed.

Why should an organization avoid an internal audit?

Internal auditors have a conflict of interest within the organization Internal auditors directly report to internal staff, which can be a conflict of interest

A company has signed a contract with third party vendor to use the vendor's inventory management system hosted in a cloud. For convince, the vendor set up the application to use LDAP queries but did not enable secure LDAP queries or implement a SSL on the application's web server. The vendor does not have the ability to secure the system, and company management insists on using the application. Which defense-in-depth practices should the company implement to minimize the likelihood of an account compromise due to insecure setup by the vendor? Location-based access control and multifactor authentication IPS and honeypot systems Antivirus and IDS Password hashing and authentication encryption

Location-based access control and multifactor authentication

An attacker compromises the credentials that a system admin uses for managing a user directory. The attacker uses the credentials to create a rogue admin account. Which defense-in-depth practice would have helped a security admin identify this compromise? Enforce two-factor authentication on VPN portals for admin accounts Log and alert when changes to admin group membership take place Document admin password complexity requirements in corporate policy Require the use of dedicated admin accounts

Log and alert when changes to admin group membership take place

5. Who is the intended audience for a security assessment report? Management Security auditor Security professional Customers

Management Security assessment reports should be addressed to the organization's management. For this reason, they should be written in plain English and avoid technical jargon.

What describes the amount of time an organization can persist without a service before it will be forced to cease all of its operations?

Maximum tolerable downtime

13. Grace is performing a penetration test against a client's network and would like to use a tool to assist in automatically executing common exploits. Which one of the following security tools will best meet her needs? nmap Metasploit Framework OpenVAS Nikto

Metasploit Framework Metasploit Framework is an automated exploit tool that allows attackers to easily execute common attack techniques. Nmap is a port scanning tool. OpenVAS is a network vulnerability scanner and Nikto is a web application scanner. While these other tools might identify potential vulnerabilities, they do not go as far as to exploit them.

Which incident response step takes place when the incident is contained to prevent further damage?

Mitigate

4. Which one of the following is not normally included in a security assessment? Vulnerability scan Risk assessment Mitigation of vulnerabilities Threat assessment

Mitigation of vulnerabilities Security assessments include many types of tests designed to identify vulnerabilities, and the assessment report normally includes recommendations for mitigation. The assessment does not, however, include actual mitigation of those vulnerabilities.

Which kind of disaster recovery site typically consists of self-contained trailers? Mobile Hot Warm Cold

Mobile

An agreement in which two organizations pledge to assist each other in the event of a disaster by sharing computing facilities or other technological resources. AKA: reciprocal agreement

Mutual Assistance Agreement (MAA)

an organization needs to control the flow of traffic through intranet borders by looking for attacks and evidence of compromised machines. What should be implemented to enhance boundary protection so unwanted intranet traffic can be detected and prevented? HIDS HIPS NIDS NIPS

NIPS

A web server is at near 100% utilization and it is suggested that several web servers run the same site, sharing traffic from the internet. Which system resilience method would this be? Network load balancing Failover clustering Electronic vaulting Remote journaling

Network load balancing

A web server is at near 100% utilization, and it is suggested that several web servers run the same site, sharing traffic from the internet. Which system resilience method would this be? Network load balancing Failover clustering Electronic vaulting Remote journaling

Network load balancing

Laws, regulations, and standards should not be confused. Which of these are not a law? HIPAA PCI-DSS Gramm-Leach-Bliley act Homeland security act

PCI-DSS Payment Card Industry Data Security Standard (PCI-DSS) - Technically not a law. Created by the payment card industry. The standard applies to cardholder data for both credit and debit cards. Requires merchants and others to meet a minimum set of security requirements. Mandates security policy, devices, control techniques, and monitoring.

A company is concerned about unneeded network protocols being available on the network. Which two defense-in-depth practices should the company implement to detect whether FTP is being used? Choose 2. Install BIOS firmware updates Perform automated packet scanning Implement application firewalls Physically segment the network

Perform automated packet scanning Implement application firewalls

When someone is typo squatting, what are they doing? Potentially illegal legal always illegal never profitable

Potentially illegal Typo squatting - Buying an URL that is VERY close to real website name (Can be illegal in certain circumstances).

A company's main asset is its client list stored in the company database, which is accessible to only specific users. The client list contains HIPAA protected data. Which user activity should be monitored? Privilege escalation Changing system time Using database recovery tools Configuring interfaces

Privilege escalation

A company does not have a DRP and suffers a multiday power outage. Which provisioning should the company perform to provide stable power for a long period of time? Purchase generators Purchase additional servers Create a RAID array Create a failover cluster

Purchase generators

Which RAID array performs striping and uses mirroring for fault tolerance? RAID 0 RAID 1 RAID 5 RAID 10

RAID 10

Which RAID array configuration is known as striping with parity and requires the use of three or more disks that spread the parity across all drives? RAID 0 RAID 1 RAID 5 RAID 10

RAID 5

What describes the amount of information an organization is willing to lose during a disaster?

Recovery point objective max amount of data measured by time

What represents the amount of time an organization is willing to wait before their services are operational?

Recovery time objective

What is the process of recording the product of a computer application in a distant data storage environment, concurrently with the normal recording of the product in the primary environment?

Remote Journaling

Maintaining a live database server at the backup site. It is the most advanced database backup solution.

Remote Mirroring

Which database disaster recovery strategy transfers copies of database transaction logs to another location? Electronic vaulting Remote journaling Disk Mirroring Floating parity

Remote journaling

Which incident response step takes place when details of the incident are provided to management?

Report

Which incident response step takes place when the first responder begins to analyze the incident?

Response

A CIO recently read an article involving a similar company that was hit with ransomware due to ineffective patch-management practices. The CIO tasks a security professional with gathering metrics on the effectiveness of the company's patch-management program to avoid a similar incident. Which method enables the security professional to gather current, accurate metrics? Review authenticated vulnerability scan reports Review reports from Window Update Review patch history on nonproduction systems Review patch tickets in the change control system

Review authenticated vulnerability scan reports

We are looking at our risk responses. We are choosing to ignore an identified risk. What type of response would that be? Risk avoidance. Risk transference. Risk rejection. Risk mitigation.

Risk Rejection - You know the risk is there, but you are ignoring it. This is never acceptable. (You are liable).

Which defense-in-depth practices allow an organization to locate an intruder on its internal network? Whitelisting applications and blacklisting processes Antivirus and IPS SIEM and IDS Sandboxing applications and penetration testing

SIEM and IDS

We need to ensure we are compliant with all the laws and regulations of all the states, territories, and countries we operate in. How are the security breach notification laws in the US handled? handled by the individual states federal handled by the individual organizations mandatory for states to have

Security Breach Notification Laws. NOT Federal. 48 states have individual laws. Know the one for your state (none in Alabama and South Dakota). They normally require organizations to inform anyone who had their PII compromised. Many states have an encryption clause where lost encrypted data may not require disclosure.

A company relies exclusively on a system for critical functions. An audit is performed, and the report notes that there is no log review performed on the system. Management has been tasked with selecting the appropriate person to perform the log reviews in order to correct the deficiency. Which role is responsible for reviewing and auditing logs in order to detect any malicious behavior? Security Administrator System user Database administrator Senior Management

Security administrator

What could be a security concern we would need to address in a procurement situation? all of these who gets the IT infrastructure? how do we ensure their security standards are high enough? Security is part of the SLA

Security is part of the SLA Procurement: When we buy products or services from a 3rd party, security part of the SLA.

Which Windows Event Log contains information about attempts to access a file or folder?

Security logs

Which concept limits the privileges an account has?

Segregation

A company is hit with a number of ransomeware attacks. These attacks are causing a significant amount of downtime and data loss since users with access to sensitive company documents are being targeted. These attacks have prompted management to invest in new technical controls to prevent ransomware. Which defense-in-depth practices should this company implement? Password resets and a log review Mandatory vacations and job rotation Spam filtering and antimalware Encryption and an internal firewall

Spam filtering and antimalware

Disaster recovery team members are requested to do more than just review the disaster recovery plan but not actually test the individual parts of the plan. Which type of test would suit this request? Read through Structured walk through Parallel Full interruption

Structured walk through

Disaster recovery team members are requested to do more than just review the disaster recovery plan but not actually test the individual parts of the plan. Which type of test would suit this request? Read-through Structured walk-through Parallel Full-interruption

Structured walk-through

Which Windows Event Log contains information about services starting and stopping?

System Logs

What is defined as the ability to maintain an acceptable level of operational status during events such as hardware failures or DoS attacks? Fault tolerance System resilience Trusted recovery Quality of Service

System resilience

10. What type of network discovery scan only uses the first two steps of the TCP handshake? TCP connect scan Xmas scan TCP SYN scan TCP ACK scan

TCP SYN scan The TCP SYN scan sends a SYN packet and receives a SYN ACK packet in response, but it does not send the final ACK required to complete the three-way handshake.

Which document should IT personnel use to get alternate sites up and running?

Technical guide

Jane is doing quantitative risk analysis for our senior management team. They want to know what a data center flooding will cost us. The data center is valued at $10,000,000. We would lose 10% of our infrastructure and the flooding happens on average every 4 years. How much would the annualized loss expectancy be? 2500000 100000 1000000 250000

The data center is valued at $10,000,000, we would lose 10% per incident and it happens every 4 years. $10,000,000 * 0.1 (10%) * 0.25 (happens every 4 years, we need to know the chance per year) = $250,000.

What needs to be protected first during an incident according to the (ISC)2 Code of Ethics Preamble?

The safety and welfare of society and the common good

6. Wendy is considering the use of a vulnerability scanner in her organization. What is the proper role of a vulnerability scanner? They actively scan for intrusion attempts They serve as a form of enticement They locate known security holes They automatically reconfigure a system to a more secured state.

They locate known security holes Vulnerability scanners are used to test a system for known security vulnerabilities and weaknesses. They are not active detection tools for intrusion, they offer no form of enticement, and they do not configure system security. In addition to testing a system for security weaknesses, they produce evaluation reports and make recommendations.

A company wants to monitor the inbound and outbound flow of packets and not the content. Which defense-in-depth strategy should be implemented? The organization should use egress filtering on the network Traffic and trend analyses should be installed on the router The administrator should configure network data loss prevention RADIUS authentication should be used on the bastion host

Traffic and trend analyses should be installed on the router

Which concept is a characteristic of a trust between two domains?

Transitive trust

A company's database administrator requires access to a database server to perform maintenance. The director of information technology will provide the database administrator access to the database server but will not provide the database administrator access to all the data within the server's database. Which defense-in-depth practice enhances the company's need-to-know data access strategy? Using compartmented mode systems and least privilege Using compartmented mode systems and two-person control Using dedicated mode systems and least privilege Using dedicated mode systems and two-person control

Using compartmented mode systems and least privilege

Which wireless encryption protocol is the least secure? WEP WPA CCMP PEAP

WEP

Which recovery strategy uses remote locations and has some required network components installed but needs servers and data imported?

Warm site

A company's vulnerability management policy requires internet facing applications to be scanned weekly. Which vulnerability scanning technique meets this policy requirement? Discovery Network Web Connect

Web

7. Alan ran a nmap scan against a server and determined that port 80 is open on the server. What tool would likely provide him the best additional information about the server's purpose and the identity of the server's operator? SSH Web browser Telnet Ping

Web browser The server is likely running a website on port 80. Using a web browser to access the site may provide important information about the site's purpose.

11. Matthew would like to test systems on his network for SQL injection vulnerabilities. Which one of the following tools would be best suited to this task? Port scanner Network vulnerability scanner Network discovery scanner Web vulnerability scanner

Web vulnerability scanner SQL injection attacks are web vulnerabilities, and Matthew would be best served by a web vulnerability scanner. A network vulnerability scanner might also pick up this vulnerability, but the web vulnerability scanner is specifically designed for the task and more likely to be successful.

When should formal change management be used to manage updates to a DRP?

When the IT infrastructure changes, all related disaster recovery documentation should be changed to match the environment

A company is implementing a defense-in-depth approach that includes capturing audit logs. The audit logs need to be written in a manner that provides integrity. Which defense in depth strategy should be applied? Write the data to a write-once,read-many (WORM) drive Write the data to an encrypted hard drive Write the data to an encrypted flash drive Write the data to an SD card and store the SD card in a safe

Write the data to a WORM drive

John has installed a backdoor to your system and he is using it to send spam emails to thousands of people. He is using a C&C structure. What is your system? A botnet. A bot in a botnet. A bot herder in a botnet. A standalone bot.

a bot in a botnet Bots and botnets (short for robot): Bots are a system with malware controlled by a botnet. The system is compromised by an attack or the user installing a Remote Access Trojan (game or application with a hidden payload). They often use IRC, HTTP or HTTPS. Some are dormant until activated. Others are actively sending data from the system (Credit card/bank information for instance). Active bots can also can be used to send spam emails. Botnets is a C&C (Command and Control) network, controlled by people (bot-herders). There can often be 1,000's or even 100,000's of bots in a botnet.

An organization is deploying a number of internet-enabled warehouse cameras to assist with loss prevention. A plan is put in place to implement automated patching. Which defence-in-depth measure will ensure that the patch images are as expected? all remotely installed software must be signed communications must use HTTPS device authentication must use digital certificates all passwords must be salted and hashed

all remotely installed software must be signed

An organization is creating a security policy that will be able to audit the use of administrative credentials. The company has decided to use multifactor authentication to allow for the accountability of administrative actions. Which multifactor authentication policy should be applied?

assign administrators individual accounts that require a password and a physical smart card

An organization is creating a security policy that will be able to audit the use of admin credentials. The company has decided to use multifactor authentication to allow for the accountability of admin actions. Which multifactor authentication policy should be applied? force admins to have 2 accounts, one for normal tasks and one for elevated privileges assign admins individual accounts that require a password and a physical smart card have all admins use a different admin account on each server in the network change the default password on all service accounts and on all admin accounts

assign admins individual accounts that require a password and a physical smartcard

In our identity and access management, we are talking about the IAAA model. Which of these is NOT one of the A's of that model? Authentication. Availability. Authorization. Auditing.

availability IAAA is Identification and Authentication, Authorization and Accountability (also called auditing). Availability is part of the CIA triad not IAAA.

An organization wants to secure WAPS is developing deployment procedure guidelines. Which wi-fi security procedures should be included in the guidelines? change the admin password enable ssid broadcasting disable MAC filtering keep the default ssid

change the admin password

What is the principle of aggregation?

combining data from multiple data sources to exfiltrate information

A combined mail server and calendaring server environment contains no SSL certificate. Which security principle of the CIA triad is affected by the lack of an SSL certificate? Confidentiality Integrity Authentication Availability

confidentiality

When an attacker is attacking our encryption, they are MOSTLY targeting which leg of the CIA triad? Availability. Authentication. Confidentiality. Integrity.

confidentiality To ensure confidentiality we use encryption for data at rest (for instance AES256), full disk encryption. Secure transport protocols for data in motion. (SSL, TLS or IPSEC). There are many attacks against encryption, it is almost always easier to steal the key than breaking it, this is done with cryptanalysis.

For access control management, which of these is considered something you have? fingerprint cookie on computer MAC address PIN

cookie on computer Things in your possession, not things you know (knowledge factor) or something you are (biometrics).

Jane is working on strengthening our preventative controls. What could she look at to do that? drug tests patches backups IDS

drug tests Preventative: Prevents action from happening - Least Privilege, Drug Tests, IPS, Firewalls, Encryption.

a company wants to reduce the risk of an employee with internal knowledge committing an act of sabotage once that employee is no longer with the company. Which control should the company implement to mitigate the risk? deploy an intrustion detection system monitor email for blackmail attempts perform annual employee credit checks enable an access termination procedure

enable an access termination procedure

A malicious employee installs a network protocol scanner on a computer and is attempting to capture coworkers' credentials. Which policy, procedure, standard, or guideline would solve this issue? encrypt all sensitive information in transit encrypt sensitive information at rest require long passwords with special characters establish a process for revoking access

encrypt all sensitive information in transit

An executive is using a personal cell phone to view sensitive data. Which control would protect the sensitive data stored on the phone from being exposed due to loss or theft? encryption antimalware antivirus backups

encryption

a company is concerned about loss of data on removable media when media are lost or stolen. WHich standard should this company implement on all flash drives? max password age encryption awareness training layer 2 tunneling protocol

encryption

Why should an organization choose an external audit? The cost of an external audit is lower for the organization External auditors lack previous knowledge of the organization The time needed for an external audit is shorter for the organization External auditors avoid a conflict of interest within the organization

external auditors avoid a conflict of interest within the organization

A company is concerned about unauthorized network traffic. Which procedure should the company implement to block FTP traffic? Install a packet sniffer Update the DNS Filter ports 20 and 21 at the firewall Decrease the network bandwidth

filter ports 20 and 21 at the firewall

What is the principle of need-to-know?

gives access to only the resources an employee needs to do their job

Which type of hacker would publicize a vulnerability if we do NOT make a patch to fix the issue? red hat black hat gray hat white hat

gray hat Gray/Grey Hat hackers: They are somewhere between the white and black hats, they go looking for vulnerable code, systems or products. They often just publicize the vulnerability (which can lead to black hats using it before a patch is developed). Gray hats sometimes also approach the company with the vulnerability and ask them to fix it and if nothing happens they publish.

Which of these would be a security concern we need to address in an acquisition? all of these how do we ensure their security standards are high enough? who gets the IT infrastructure? security is part of the SLA

how do we ensure their security standards are high enough? Acquisitions: Your organization has acquired another. How do you ensure their security standards are high enough? How do you ensure data availability in the transition?

Which of these are COMMON attacks on trade secrets? someone using your protected design in their products counterfeiting software piracy industrial espionage, trade secrets are security through obscurity, if discovered nothing can be done

industrial espionage, trade secrets are security through obscurity, if discovered nothing can be done Trade Secrets. While a organization can do nothing if their Trade Secret is discovered, how it is done can be illegal. You tell no one about your formula, your secret sauce. If discovered anyone can use it; you are not protected.

A company performs a data audit on its critical information every six months. Company policy states that the audit cannot be conducted by the same employee within a two-year timeframe. Which principle is this company following? Job rotation two-person control least privilege need to know

job rotation

A company performs a data audit on its critical information every six months. Company policy states that the audit cannot be conducted by the same employee within two year timeframe. Which principle is this company following? Job rotation two person control least privilege need to know

job rotation

Defense in Depth Strategies

job rotation account lockout need-to-know least privilege

A company has signed a contract with a third-party vendor to use the vendor's inventory management system hosted in a cloud. For convenience, the vendor set up the application to use Lightweight Directory Access Protocol (LDAP) queries but did not enable secure LDAP queries or implement a secure sockets layer (SSL) on the application's web server. The vendor does not have the ability to secure the system, and company management insists on using the application. Which defense-in-depth practices should the company implement to minimize the likelihood of an account compromise due to insecure setup by the vendor? location based access control and multifactor authentication IPS and honeypot systems Antivirus and IDS Password hashing and authentication encryption

location based access control and multifactor authentication

An attacker compromises the credentials that a sys admin uses for managing a user directory. The attacker uses these credentials to create a rogue admin account. Which defense-in-depth practice would have helped a security admin identify this compromise? Enforce 2-factor authentication on VPN portals for admin accounts Log and alert when changes to admin group membership take place Document admin password complexity requirements in corporate policy require the use of dedicated admin accounts

log and alert when changes to admin group membership take place

Which technique helps ensure user identity nonrepudiation? multifactor authentication intrusion detection sensors strong passwords role-based access controls

multifactor authentication

a user is granted access to restricted and classified information but is supplied only with the information for a current assignment. Which type of authorization mechanism is being applied in this scenario? need-to-know constrained interface duty separation access control list

need-to-know

1. Which one of the following tools is used primarily to perform network discovery scans? Nmap OpenVAS Metasploit Framework lsof

nmap Nmap is a network discovery scanning tool that reports the open ports on a remote system and the firewall status of those ports. OpenVAS is a network vulnerability scanning tool. Metasploit Framework is an exploitation framework used in penetration testing. lsof is a Linux command used to list open files on a system.

What is the principle of separation of duties?

no single person can perform every task in a critical system

Who in our organization should approve the deployment of honeypots and honeynets? a judge our legal team the engineer deploying it Our HR and payroll team

our legal team Get approval from senior management and your legal department before deploying honeypots or honey nets, legal would know the legal ramifications and senior management are ultimately liable. Both can pose legal and practical risks.

As part of improving the security posture of our organization we have added multifactor authentication. Which of these pairs does NOT constitute multifactor authentication? password and username PIN and credit card username and smartcard fingerprint and PIN

password and username Multifactor authentication uses authentication from more than one factor (something you know, are or have). Passwords and usernames are not multifactor, they are both knowledge factors.

a member of a sales team receives a phone call from someone pretending to be a member of the IT department. The salesperson provides security information to the caller. Later, the salesperson's user account is compromised. Which strategy should be used by the company to mitigate accounts being compromised in the future? Provide training to all users on social engineering threats report the employee to appropriate management send an email to management detailing the attack document the details of the attack for future reference

provide training to all users on social engineering threats

A company notices an automated attempt to access its system using different passwords and usernames, What can help mitigate the success of this attack? require a CAPTCHA Block the IP address of the user Use user sessions after authentication Use cookie authentication

require a captcha

We are discussing our risk responses and we are considering not issuing our employees laptops. What type of risk response would that be? risk avoidance risk mitigation risk transference risk rejection

risk avoidance Risk Avoidance - We don't issue employees laptops (if possible) or we build the Data Center in an area that doesn't flood. (Most often done before launching new projects - this could be the Data Center build).

In our risk analysis, we know there is a risk, but we do not analyze how bad an impact would be. Which type of risk response is that an example of? risk mitigation risk avoidance risk transfernece risk rejection

risk rejection Risk Rejection - You know the risk is there, but you are ignoring it. This is never acceptable. (You are liable).

After a security incident, our legal counsel presents the logs from the time of the attack in court. They constitute which type of evidence? direct real circumstantial secondary

secondary Secondary Evidence - This is common in cases involving IT. Logs and documents from the systems are considered secondary evidence.

Healthcare insurers, providers and clearing house agencies must comply with HIPAA (Health Insurance Portability and Accountability Act) if they operate in the United States. Which of these are rules they MUST follow? (Select all that apply) Security rule. Breach notification rule. Disclosure rule. Privacy rule. Encryption rule.

security rule breach notification rule privacy rule Puts strict privacy and security rules on how Protected Health Information (PHI) is handled by health insurers, providers and clearing house agencies (Claims). Health Insurance Portability and Accountability Act (HIPAA) has 3 rules - Privacy rule, Security rule and Breach Notification rule. The rules mandate Administrative, Physical and Technical safeguards. Security Breach Notification Laws. NOT Federal, 48 states have individual laws, know the one for your state (none in Alabama and South Dakota). They normally require organizations to inform anyone who had their PII compromised. Many have an encryption clause. Lost encrypted data may not require disclosure.

Who would determine the risk appetite of our organization? the users middle management senior management the IT leadership team

senior management Governance - This is C-level Executives they determine our risk appetite - Aggressive, neutral, adverse. Stakeholder needs, conditions and options are evaluated to define: Balanced agreed-upon enterprise objectives to be achieved. Setting direction through prioritization and decision making. Monitoring performance and compliance against agreed-upon direction and objectives.

As part of a management level training class we are teaching all staff with manager or director in their title about basic IT Security. We are covering the CIA triad, which of these attacks focuses on compromising our confidentiality? Social engineering. Malware. All of these Wireless jamming.

social engineering Confidentiality we use: Encryption for data at rest (for instance AES256), full disk encryption. Secure transport protocols for data in motion. (SSL, TLS or IPSEC). Best practices for data in use - clean desk, no shoulder surfing, screen view angle protector, PC locking (automatic and when leaving).Strong passwords, multi factor authentication, masking, access control, need-to-know, least privilege. Threats: Attacks on your encryption (cryptanalysis). Social engineering. Keyloggers (software/hardware), cameras, Steganography. Man-in-the-middle attacks.

A company is hit with a number of ransomware attacks. These attacks are causing a significant amount of downtime and data loss since users with access to sensitive company documents are being targeted. These attacks have prompted management to invest in new technical controls to prevent ransomware.Which defense-in-depth practices should this company implement? Password resets and a log review mandatory vacations and job rotation spam filtering and antimalware encryption and an internal firewall

spam filtering and antimalware

we are in a court of law and we are presenting real evidence. what constitutes real evidence? logs, audit trails, and other data from the time of the attack something you personally saw or witnessed the data on our hard drives tangible and physical objects

tangible and physical objects Real Evidence is tangible and physical objects, in IT Security it is things like hard disks, USB drives and not the data on them.

We have had a major security breach. We lost 10,000 credit card files from a stolen laptop. We are in a state in the US that has a security breach notification law. What could allow us legally to NOT disclose the breach? the laptop being backed up senior management's decision to not disclose the laptop being encrypted the impact it would have on our revenue

the laptop being encrypted US Security Breach Notification Laws. This is not federal; 48 states have individual laws. Know the one for your state (none in Alabama and South Dakota). They normally require organizations to inform anyone who had their PII compromised. Many have an encryption clause where lost encrypted data may not require disclosure.

Who would be allowed to act in exigent circumstances? lawyers those operating under the color of law our legal team our IT security team

those operating under the color of law Exigent circumstances apply if there is an immediate threat to human life or of evidence destruction. This will later be decided by a court if it was justified. Only applies to law enforcement and those operating under the "color of law" - Title 18. U.S.C. Section 242 - Deprivation of Rights Under the Color of Law.

In our risk analysis, we are looking at the risk. What would that comprise of? Threat x Vulnerability (threat*vulnerability*asset value)-countermeasures threat+vulnerability threat*vulnerability*asset value

threat x vulnerability

What was the intent of the US Electronic Communications Privacy Act of 1986 (ECPA)? To protect electronic communication against warrantless wiretapping. To allow search and seizure without immediate disclosure. To allow law enforcement to use wiretaps without a warrant or oversight. To protect electronic communication by mandating service providers to use strong encryption.

to protect electronic communication against warrantless wiretapping Electronic Communications Privacy Act (ECPA) was designed for protection of electronic communications against warrantless wiretapping, but it was very weakened by the Patriot Act.

Senior executives report they are receiving emails about a legal issue that include a hyperlink. If the executives click the link, they are instructed to install a browser add-on to read the legal documents. It is late discovered that the add-on includes malicious code that captures executives' passwords. which practice should be used to make the executives aware of mitigating future threats? train the appropriate personnel on whaling attacks block emails with hyperlinks from entering the company send an email to the entire company detailing the attack document the details of the attack for future reference

train the appropriate personnel on whaling attacks

Which two hardening features apply to a host-based intrusion detection system (HIDS)?Choose 2 answers. updated definition files static private ip addresses reserved scope options encrypted log files

updated definition files encrypted log files

A company is concerned about unauthorized programs being used on network devices. Which defense-in-depth strategy would help eliminate unauthorized software on network devices? Develop an acceptable use policy and update all network device firmware Use application controls tools and update AppLocker group policies Limit administrative access to devices and create DHCP scope options Upgrade to a 64-bit operating system and install an antimalware application

use application controls tools and update AppLocker group policies

A company has identified a massive security breach in its healthcare records department. Over 50% of customers' PII has been stolen. The customers are aware of the breach, and the company is taking actions to protect customer assets through the personal security policy, which addresses PII data. Which preventive measure should the company pursue to protect against future attacks? require cognitive passwords employ password tokens use network-based and host-based firewalls install auditing tools

use network-based and host-based firewalls

a security analyst observes that an unauthorized user has logged in to the network and tried to access an application with failed password attempts. Which defense-in-depth tactic should the security analyst use to see other activities this user has attempted? brute force attack the application to see if a user can get in check application logs for events and errors caused by the user use a packet sniffer to analyze the network traffic use SIEM to collect logs and look at the aggregate data

use siem to collect log and look at aggregate data

In quantitative risk analysis, what does the ALE tell us? what it will cost us per year if we do nothing how often that asset type is compromised per year how much of the asset is lost per incident the value of the asset

what it will cost us per year if we do nothing Annualized Loss Expectancy (ALE) - This is what it cost per year if we do nothing.

What would be one of the security concerns we would need to address in a divestiture? all of these how do we ensure their security standards are high enough? security is part of the SLA who gets the IT infrastructure?

who gets the IT infrastructure Divestitures: Your organization is being split up. How do you ensure no data crosses boundaries it shouldn't? Who gets the IT Infrastructure?