CISSP 2020 SYBEX TEST PREP 475 QUESTIONS
Bell-LaPadula is an example of what type of access control model? A. DAC B. RBAC C. MAC D. ABAC
C
What type of code review is best suited to identifying business logic flaws? A. Mutational fuzzing B. Manual C. Generational fuzzing D. Interface testing
B
Which of the following is not a type of structural coverage in a code review process? A. Statement B. Trace C. Loop D. Data flow
B
Which of the following is not one of the three components of the DevOps model? A. Software development B. Change management C. Quality assurance D. Operations
B
Which one of the following controls would be most effective in detecting zero-day attack attempts? A. Signature-based intrusion detection B. Anomaly-based intrusion detection C. Strong patch management D. Full-disk encryption
B
Which one of the following is an example of risk transference? A. Building a guard shack B. Purchasing insurance C. Erecting fences D. Relocating facilities
B
Which one of the following is not a key principle of the COBIT framework for IT security control objectives? A. Meeting stakeholder needs B. Performing exhaustive analysis C. Covering the enterprise end-to-end D. Separating governance from management
B
Which one of the following malware types uses built-in propagation mechanisms that exploit system vulnerabilities to spread? A. Trojan horse B. Worm C. Logic bomb D. Virus
B
How does single sign-on increase security? A. It decreases the number of accounts required for a subject. B. It helps decrease the likelihood that users will write down their passwords. C. It provides logging for each system that it is connected to. D. It provides better encryption for authentication data.
B
Howard is a security analyst working with an experienced computer forensics investigator. The investigator asks him to retrieve a forensic drive controller, but Howard cannot locate a device in the storage room with this name. What is another name for a forensic drive controller? A. RAID controller B. Write blocker C. SCSI terminator D. Forensic device analyzer
B
What term is commonly used to describe initial creation of a user account in the provisioning process? A. Enrollment B. Clearance verification C. Background checks D. Initialization
A
What type of alternate processing facility includes all of the hardware and data necessary to restore operations in a matter of minutes or seconds? A. Hot site B. Warm site C. Cold site D. Mobile site
A
What type of power issue occurs when a facility experiences a momentary loss of power? A. Fault B. Blackout C. Sag D. Brownout
A
Which of the following is not one of the four canons of the (ISC)2 code of ethics? A. Avoid conflicts of interest that may jeopardize impartiality. B. Protect society, the common good, necessary public trust and confidence, and the infrastructure. C. Act honorably, honestly, justly, responsibly, and legally. D. Provide diligent and competent service to principals.
A
Which of the following is used only to encrypt data in transit over a network and cannot be used to encrypt data at rest? A. TKIP B. AES C. 3DES D. RSA
A
Which one of the following categories consists of first-generation programming languages? A. Machine languages B. Assembly languages C. Compiled languages D. Natural language
A
TCP and UDP both operate at what layer of the OSI model? A. Layer 2 B. Layer 3 C. Layer 4 D. Layer 5
C
Which one of the following fire suppression systems poses the greatest risk of accidental discharge that damages equipment in a data center? A. Closed head B. Dry pipe C. Deluge D. Preaction
A
CVE and the NVD both provide information about what? A. Vulnerabilities B. Markup languages C. Vulnerability assessment tools D. Penetration testing methodologies
A
Ben wants to interface with the National Vulnerability Database using a standardized protocol. What option should he use to ensure that the tools he builds work with the data contained in the NVD? A. XACML B. SCML C. VSML D. SCAP
D
The removal of a hard drive from a PC before it is retired and sold as surplus is an example of what type of action? A. Purging B. Sanitization C. Degaussing D. Destruction
B
Vivian works for a chain of retail stores and would like to use a software product that restricts the software used on point-of-sale terminals to those packages on a preapproved list. What approach should Vivian use? A. Antivirus B. Heuristic C. Whitelist D. Blacklist
C
What class of fire extinguisher is capable of fighting electrical fires? A. Class A B. Class B C. Class C D. Class D
C
What encryption standard won the competition for certification as the Advanced Encryption Standard? A. Blowfish B. Twofish C. Rijndael D. Skipjack
C
What should be true for salts used in password hashes? A. A single salt should be set so passwords can be de-hashed as needed. B. A single salt should be used so the original salt can be used to check passwords against their hash. C. Unique salts should be stored for each user. D. Unique salts should be created every time a user logs in.
C
What type of policy describes how long data is kept before destruction? A. Classification B. Audit C. Record retention D. Availability
C
Which one of the following tools is most often used for identification purposes and is not suitable for use as an authenticator? A. Password B. Retinal scan C. Username D. Token
C
The large business that Jack works for has been using noncentralized logging for years. They have recently started to implement centralized logging, however, and as they reviewed logs, they discovered a breach that appeared to have involved a malicious insider. How can Jack detect issues like this using his organization's new centralized logging? A. Deploy and use an IDS B. Send logs to a central logging server C. Deploy and use a SIEM D. Use syslog
C
What type of websites are regulated under the terms of COPPA? A. Financial websites not run by financial institutions B. Healthcare websites that collect personal information C. Websites that collect information from children D. Financial websites run by financial institutions
C
Susan uses a span port to monitor traffic to her production website and uses a monitoring tool to identify performance issues in real time. What type of monitoring is she conducting? A. Passive monitoring B. Active monitoring C. Synthetic monitoring D. Signature-based monitoring
A
Test coverage is computed using which of the following formulas? A. Number of use cases tested/total number of use cases B. Number of lines of code tested/total number of lines of code C. Number of functions tested/total number of functions D. Number of conditional branches tested/Total number of testable branches
A
The IP address 201.19.7.45 is what type of address? A. A public IP address B. An RFC 1918 address C. An APIPA address D. A loopback address
A
The Low Orbit Ion Cannon (LOIC) attack tool used by Anonymous leverages a multitude of home PCs to attack its chosen targets. This is an example of what type of network attack? A. DDoS B. Ionization C. Zombie horde D. Teardrop
A
Tom believes that a customer of his Internet service provider has been exploiting a vulnerability in his system to read the email messages of other customers. If true, what law did the customer most likely violate? A. ECPA B. CALEA C. HITECH D. Privacy Act
A
Tracy recently accepted an IT compliance position at a federal government agency that works very closely with the Defense Department on classified government matters. Which one of the following laws is least likely to pertain to Tracy's agency? A. HIPAA B. FISMA C. HSA D. CFAA
A
Two TCP header flags are rarely used. Which two are you unlikely to see in use in a modern network? A. CWR and ECE B. URG and FIN C. ECE and RST D. CWR and URG
A
What LDAP operation includes authentication to the LDAP server? A. Bind B. Auth C. StartLDAP D. AuthDN
A
Which one of the following attack types depends on precise timing? A. TOCTOU B. SQL injection C. Pass the hash D. Cross-site scripting
A
Which one of the following components should be included in an organization's emergency response guidelines? A. Immediate response procedures B. Long-term business continuity protocols C. Activation procedures for the organization's cold sites D. Contact information for ordering equipment
A
Which one of the following components should be included in an organization's emergency response guidelines? A. Secondary response procedures for first responders B. Long-term business continuity protocols C. Activation procedures for the organization's cold sites D. Contact information for ordering equipment
A
Which one of the following is an example of a hardening provision that might strengthen an organization's existing physical facilities and avoid implementation of a business continuity plan? A. Patching a leaky roof B. Reviewing and updating firewall access control lists C. Upgrading operating systems D. Deploying a network intrusion detection system
A
Which one of the following is not a classification level commonly found in commercial data classification schemes? A. Secret B. Sensitive C. Confidential D. Public
A
Which one of the following is not a principle of the Agile approach to software development? A. The most efficient method of conveying information is electronic. B. Working software is the primary measure of progress. C. Simplicity is essential. D. Businesspeople and developers must work together daily.
A
What key assumption made by EAP can be remedied by using PEAP? A. EAP assumes that LEAP will replace TKIP, ensuring that authentication will occur. B. EAP originally assumed the use of physically isolated channels and is usually not encrypted. C. There are no TLS implementations available using EAP. D. EAP does not allow additional authentication methods, and PEAP adds additional methods.
B
What law prevents the removal of protection mechanisms placed on a copyrighted work by the copyright holder? A. HIPAA B. DMCA C. GLBA D. ECPA
B
What layer of the OSI model is associated with datagrams? A. Session B. Transport C. Network D. Data Link
B
What three types of interfaces are typically tested during software testing? A. Network, physical, and application interfaces B. APIs, UIs, and physical interfaces C. Network interfaces, APIs, and UIs D. Application, programmatic, and user interfaces
B
Which of the following multifactor authentication technologies provides both low management overhead and flexibility? A. Biometrics B. Software tokens C. Synchronous hardware tokens D. Asynchronous hardware tokens
B
Which one of the following actions is not required under the EU General Data Protection Regulation? A. Organizations must allow individuals to opt out of information sharing. B. Organizations must provide individuals with lists of employees with access to information. C. Organizations must use proper mechanisms to protect data against unauthorized disclosure. D. Organizations must have a dispute resolution process for privacy issues.
B
Carlos is planning a design for a data center that will be constructed within a new four-story corporate headquarters. The building consists of a basement and three above-ground floors. What is the best location for the data center? A. Basement B. First floor C. Second floor D. Third floor
C
Lauren wants to monitor her LDAP servers to identify what types of queries are causing problems. What type of monitoring should she use if she wants to be able to use the production servers and actual traffic for her testing? A. Active B. Real-time C. Passive D. Replay
C
Margot is investigating suspicious activity on her network and uses a protocol analyzer to sniff inbound and outbound traffic. She notices an unusual packet that has identical source and destination IP addresses. What type of attack uses this packet type? A. Fraggle B. Smurf C. Land D. Teardrop
C
Mark is planning a disaster recovery test for his organization. He would like to perform a live test of the disaster recovery facility but does not want to disrupt operations at the primary facility. What type of test should Mark choose? A. Full interruption test B. Checklist review C. Parallel test D. Tabletop exercise
C
Matthew, Richard, and Christopher would like to exchange messages with each other using symmetric cryptography. They want to ensure that each individual can privately send a message to another individual without the third person being able to read the message. How many keys do they need? A. 1 B. 2 C. 3 D. 6
C
SYN floods rely on implementations of what protocol to cause denial of service conditions? A. IGMP B. UDP C. TCP D. ICMP
C
Surveys, interviews, and audits are all examples of ways to measure what important part of an organization's security posture? A. Code quality B. Service vulnerabilities C. Awareness D. Attack surface
C
Tommy handles access control requests for his organization. A user approaches him and explains that he needs access to the human resources database in order to complete a headcount analysis requested by the CFO. What has the user demonstrated successfully to Tommy? A. Clearance B. Separation of duties C. Need to know D. Isolation
C
Uptown Records Management recently entered into a contract with a hospital for the secure storage of medical records. The hospital is a HIPAA-covered entity. What type of agreement must the two organizations sign to remain compliant with HIPAA? A. NDA B. NCA C. BAA D. SLA
C
Ursula believes that many individuals in her organization are storing sensitive information on their laptops in a manner that is unsafe and potentially violates the organization's security policy. What control can she use to identify the presence of these files? A. Network DLP B. Network IPS C. Endpoint DLP D. Endpoint IPS
C
Using a trusted channel and link encryption are both ways to prevent what type of access control attack? A. Brute force B. Spoofed login screens C. Man-in-the-middle attacks D. Dictionary attacks
C
What access control system lets owners decide who has access to the objects they own? A. Role-based access control B. Task-based access control C. Discretionary access control D. Rule-based access control
C
What access management concept defines what rights or privileges a user has? A. Identification B. Accountability C. Authorization D. Authentication
C
What activity is being performed when you apply security controls based on the specific needs of the IT system that they will be applied to? A. Standardizing B. Baselining C. Scoping D. Tailoring
C
What two types of attacks are VoIP call managers and VoIP phones most likely to be susceptible to? A. DoS and malware B. Worms and Trojans C. DoS and host OS attacks D. Host OS attacks and buffer overflows
C
What type of Windows audit record describes events like an OS shutdown or a service being stopped? A. An application log B. A security log C. A system log D. A setup log
C
What type of access control is intended to discover unwanted or unauthorized activity by providing information after the event has occurred? A. Preventive B. Corrective C. Detective D. Directive
C
What type of communications rely on a timing mechanism using either an independent clock or a time stamp embedded in the communications? A. Analog B. Digital C. Synchronous D. Asynchronous
C
Amanda is considering the implementation of a database recovery mechanism recommended by a consultant. In the recommended approach, an automated process will move records of transactions from the primary site to a backup site on an hourly basis. What type of database recovery technique is the consultant describing? A. Electronic vaulting B. Transaction logging C. Remote mirroring D. Remote journaling
D
Ben's company has recently retired their fleet of multifunction printers. Their information security team has expressed concerns that the printers contain hard drives and that they may still have data from scans and print jobs. What is the technical term for this issue? A. Data pooling B. Failed clearing C. Data permanence D. Data remanence
D
Bryan has a set of sensitive documents that he would like to protect from public disclosure. He would like to use a control that, if the documents appear in a public forum, may be used to trace the leak back to the person who was originally given the document copy. What security control would best fulfill this purpose? A. Digital signature B. Document staining C. Hashing D. Watermarking
D
The company Chris works for has notifications posted at each door reminding employees to be careful to not allow people to enter when they do. Which type of controls best describes this? A. Detective B. Physical C. Preventive D. Directive
D
There is a significant conflict between the drive for profit and the security requirements that Olivia's organization has standardized. Olivia's role means that decreased usability and loss of profit due to her staff's inability to use the system is her major concern. What is the most likely role that Olivia plays in her organization? A. Business manager B. Information security analyst C. Data processor D. Mission owner
D
What is the final stage of the Software Capability Maturity Model (SW-CMM)? A. Repeatable B. Defined C. Managed D. Optimizing
D
What technology ensures that an operating system allocates separate memory spaces used by each application on a system? A. Abstraction B. Layering C. Data hiding D. Process isolation
D
What type of assessment methods are associated with mechanisms and activities based on the recommendations of NIST SP800-53A, the Guide for Assessing Security Controls in Federal Information Systems? A. Examine and interview B. Test and assess C. Test and interview D. Examine and test
D
What type of penetration testing provides detail on the scope of a penetration test— including items like what systems would be targeted—but does not provide full visibility into the configuration or other details of the systems or networks the penetration tester must test? A. Crystal box B. White box C. Black box D. Gray box
D
What type of risk assessment uses tools such as the one shown here, a four-box matrix that uses probability and level of impact as its variables? A. Quantitative B. Loss expectancy C. Financial D. Qualitative
D
When Jim enters his organization's data center, he has to use a smart card and code to enter and is allowed through one set of doors. The first set of doors closes, and he must then use his card again to get through a second set, which locks behind him. What type of control is this, and what is it called? A. A physical control; a one-way trapdoor B. A logical control; a dual-swipe authorization C. A directive control; a one-way access corridor D. A preventive access control; a mantrap
D
When Jim logs into a system, his password is compared to a hashed value stored in a database. What is this process? A. Identification B. Hashing C. Tokenization D. Authentication
D
When a vendor develops a product that they wish to submit for Common Criteria evaluation, what do they complete to describe the claims of security for their product? A. PP B. ITSEC C. TCSEC D. ST
D
Which component of IPsec provides authentication, integrity, and nonrepudiation? A. L2TP B. Encapsulating Security Payload C. Encryption Security Header D. Authentication Header
D
Which of the following is an industry standard for data security? A. FERPA B. HIPAA C. SOX D. PCI DSS
D
Which one of the following is a detailed, step-by-step document that describes the exact actions that individuals must complete? A. Policy B. Standard C. Guideline D. Procedure
D
Which one of the following principles is not included in the seven EU-U.S. Privacy Shield provisions? A. Access B. Security C. Recourse D. Nonrepudiation
D
In the database table shown here, which column would be the best candidate for a primary key?
Company ID  Company Name          Address             City        State  ZIP Code  Telephone       Sales Rep
1           Acme Widgets          234 Main Street     Columbia    MD     21040     (301) 555-1212  14
2           Abrams Consulting     1024 Sample Street  Miami       FL     33131     (305) 555-1995  14
3           Dome Widgets Company  913 Sorin Street    South Bend  IN     46556     (574) 555-5863  26
A. Company ID B. Company Name C. ZIP Code D. Sales Rep
A
In the diagram shown here of security boundaries within a computer system (labels in the diagram: User Space, Process, Process, Reference Monitor, TCB, XXX, Process), what component's name has been replaced with XXX? A. Kernel B. Privileged core C. User monitor D. Security perimeter
A
Alice would like to have read permissions on an object and knows that Bob already has those rights and would like to give them to herself. Which one of the rules in the Take-Grant protection model would allow her to complete this operation if the relationship exists between Alice and Bob? A. Take rule B. Grant rule C. Create rule D. Remote rule
A
Alex works for the United States (U.S.) federal government and is required to ensure that the devices and components he acquires are not compromised. What program will he participate in to help ensure this? A. TEMPEST B. Trusted foundry C. GovBuy D. MITRE
B
Alex is the system owner for the HR system at a major university. According to NIST SP 800-18, what action should he take when a significant change occurs in the system? A. He should develop a data confidentiality plan. B. He should update the system security plan. C. He should classify the data the system contains. D. He should select custodians to handle day-to-day operational tasks.
B
MAC models use three types of environments. Which of the following is not a mandatory access control design? A. Hierarchical B. Bracketed C. Compartmentalized D. Hybrid
B
How should samples be generated when assessing account management practices? A. They should be generated by administrators. B. The last 180 days of accounts should be validated. C. Sampling should be conducted randomly. D. Sampling is not effective, and all accounts should be audited.
C
A process on a system needs access to a file that is currently in use by another process. What state will the process scheduler place this process in until the file becomes available? A. Running B. Ready C. Waiting D. Stopped
C
Ben's job is to ensure that data is labeled with the appropriate sensitivity label. Since Ben works for the US government, he has to apply the labels Unclassified, Confidential, Secret, and Top Secret to systems and media. If Ben is asked to label a system that handles Secret, Confidential, and Unclassified information, how should he label it? A. Mixed classification B. Confidential C. Top Secret D. Secret
D
Bob is configuring egress filtering on his network, examining traffic destined for the Internet. His organization uses the public address range 12.8.195.0/24. Packets with which one of the following destination addresses should Bob permit to leave the network? A. 12.8.195.15 B. 10.8.15.9 C. 192.168.109.55 D. 129.53.44.124
D
Fran is a web developer who works for an online retailer. Her boss asked her to create a way that customers can easily integrate themselves with Fran's company's site. They need to be able to check inventory in real time, place orders, and check order status programmatically without having to access the web page. What can Fran create to most directly facilitate this interaction? A. API B. Web scraper C. Data dictionary D. Call center
A
Doug is choosing a software development life-cycle model for use in a project he is leading to develop a new business application. He has very clearly defined requirements and would like to choose an approach that places an early emphasis on developing comprehensive documentation. He does not have a need for the production of rapid prototypes or iterative improvement. Which model is most appropriate for this scenario? A. Agile B. Waterfall C. Spiral D. DevOps
B
Alex would like to ask all of his staff to sign an agreement that they will not share his organization's intellectual property with unauthorized individuals. What type of agreement should Alex ask employees to sign? A. SLA B. NDA C. OLA D. DLP
B
Cable modems, ISDN, and DSL are all examples of what type of technology? A. Baseband B. Broadband C. Digital D. Broadcast
B
When an attacker calls an organization's help desk and persuades them to reset a password for them due to the help desk employee's trust and willingness to help, what type of attack succeeded? A. A human Trojan B. Social engineering C. Phishing D. Whaling
B
Brenda is analyzing the web server logs after a successful compromise of her organization's web-based order processing application. She finds an entry in the log file showing that a user entered the following information as his last name when placing an order: Smith';DROP TABLE orders;-- What type of attack was attempted? A. Buffer overflow B. Cross-site scripting C. Cross-site request forgery D. SQL injection
D
During a log review, Karen discovers that the system she needs to gather logs from has the log setting shown here. What problem is Karen likely to encounter? A. Too much log data will be stored on the system. B. The system is automatically purging archived logs. C. The logs will not contain the information needed. D. The logs will only contain the most recent 20 MB of log data.
D
During which of the following disaster recovery tests does the team sit together and discuss the response to a scenario but not actually activate any disaster recovery controls? A. Checklist review B. Full interruption test C. Parallel test D. Tabletop exercise
D
Alan is installing a fire suppression system that will kick in after a fire breaks out and protect the equipment in the data center from extensive damage. What metric is Alan attempting to lower? A. Likelihood B. RTO C. RPO D. Impact
D
Chris is conducting reconnaissance on a remote target and discovers that pings are allowed through his target's border firewall. What can he learn by using ping to probe the remote network? A. Which systems respond to ping, a rough network topology, and potentially the location of additional firewalls B. A list of all of the systems behind the target's firewall C. The hostnames and time to live (TTL) for each pingable system, and the ICMP types allowed through the firewall D. Router advertisements, echo request responses, and potentially which hosts are tarpitted
A
What advantage do iris scans have over most other types of biometric factors? A. Iris scanners are harder to deceive. B. Irises don't change as much as other factors. C. Iris scanners are cheaper than other factors. D. Iris scans cannot be easily replicated.
B
What code review process is shown here? (Steps in the diagram: Planning, Overview, Preparation, Inspection, Rework, Follow-up) A. Static inspection B. Fagan inspection C. Dynamic inspection D. Interface testing
B
What RADIUS alternative is commonly used for Cisco network gear and supports two-factor authentication? A. RADIUS+ B. TACACS+ C. XTACACS D. Kerberos
B
Residual data is another term for what type of data left after attempts have been made to erase it? A. Leftover data B. MBR C. Bitrot D. Remnant data
D
What is the difference between the SOC report types?
1. SOC 1, Type 1: D. A report that provides the auditor's opinions of financial statements about controls at the service organization and that includes a report on the opinion on the presentation of the service organization's system as well as suitability of the controls.
2. SOC 1, Type 2: C. A report that provides an assessment of the risk of material misstatement of financial statement assertions affected by the service organization's processing and that includes a description of the service auditor's tests of the controls and the results of the tests and their effectiveness.
3. SOC 2: B. A report that provides predefined, standard benchmarks for controls involving confidentiality, availability, integrity, and privacy of a system and the information it contains, generally for restricted use.
4. SOC 3: A. A general use report that reports on controls related to compliance and/or operations.
A cloud-based service that provides account provisioning, management, authentication, authorization, reporting, and monitoring capabilities is known as what type of service? A. PaaS B. IDaaS C. IaaS D. SaaS
B
AES-based CCMP and 802.1x replaced what security protocol that was designed as part of WPA to help fix the significant security issues found in WEP? A. TLS B. TKIP C. EAP D. PEAP
B
Bob has been tasked with writing a policy that describes how long data should be kept and when it should be purged. What concept does this policy deal with? A. Data remanence B. Record retention C. Data redaction D. Audit logging
B
CDMA, GSM, and IDEN are all examples of what generation of cellular technology? A. 1G B. 2G C. 3G D. 4G
B
What technology is likely to be involved when Ben's organization needs to provide authentication and authorization assertions to their cloud e-commerce application? A. Active Directory B. SAML C. RADIUS D. SPML
B
What type of alternate processing facility contains the hardware necessary to restore operations but does not have a current copy of data? A. Hot site B. Warm site C. Cold site D. Mobile site
B
What type of fire extinguisher is useful against liquid-based fires? A. Class A B. Class B C. Class C D. Class D
B
After 10 years working in her organization, Cassandra is moving into her fourth role, this time as a manager in the accounting department. What issue is likely to show up during an account review if her organization does not have strong account maintenance practices? A. An issue with least privilege B. Privilege creep C. Account creep D. Account termination
B
Alan is considering the use of new identification cards in his organization that will be used for physical access control. He comes across a sample card and is unsure of the technology. He breaks it open and sees the following internal construction. What type of card is this? A. Smart card B. Proximity card C. Magnetic stripe D. Phase-two card
B
Kathleen is implementing an access control system for her organization and builds the following array: Reviewers: update files, delete files; Submitters: upload files; Editors: upload files, update files; Archivists: delete files. What type of access control system has Kathleen implemented? A. Role-based access control B. Task-based access control C. Rule-based access control D. Discretionary access control
A
Which of the following statements about SSAE-18 is not true? A. It mandates a specific control set. B. It is an attestation standard. C. It is used for external audits. D. It uses a framework, including SOC 1, SOC 2, and SOC 3 reports.
A
Which of the following tools is best suited to the information gathering phase of a penetration test? A. Whois B. zzuf C. Nessus D. Metasploit
A
A password that requires users to answer a series of questions like "What is your mother's maiden name?" or "What is your favorite color?" is known as what type of password? A. A passphrase B. Multifactor passwords C. Cognitive passwords D. Password reset questions
C
Which one of the following computing models allows the execution of multiple processes on a single processor by having the operating system switch between them without requiring modification to the applications? A. Multitasking B. Multiprocessing C. Multiprogramming D. Multithreading
A
Which one of the following is not an example of criminal law? A. Gramm-Leach-Bliley Act B. Computer Fraud and Abuse Act C. Electronic Communications Privacy Act D. Identity Theft and Assumption Deterrence Act
A
Which one of the following is typically considered a business continuity task? A. Business impact assessment B. Alternate facility selection C. Activation of cold sites D. Restoration of data from backup
A
Which one of the following technologies is designed to prevent a web server going offline from becoming a single point of failure in a web application architecture? A. Load balancing B. Dual-power supplies C. IPS D. RAID
A
Which one of the following tools may be used to achieve the goal of nonrepudiation? A. Digital signature B. Symmetric encryption C. Firewall D. IDS
A
While traveling, James is held at knifepoint and forced to log into his laptop. What is this called? A. Duress B. Antisocial engineering C. Distress D. Knifepoint hacking
A
Alex is preparing to solicit bids for a penetration test of his company's network and systems. He wants to maximize the effectiveness of the testing rather than the realism of the test. What type of penetration test should he require in his bidding process? A. Black box B. Crystal box C. Gray box D. Zero box
B
As part of hiring a new employee, Kathleen's identity management team creates a new user object and ensures that the user object is available in the directories and systems where it is needed. What is this process called? A. Registration B. Provisioning C. Population D. Authenticator loading
B
Ben has built an access control list that lists the objects that his users are allowed to access. When users attempt to access an object that they don't have rights to, they are denied access, even though there isn't a specific rule that prevents it. What access control principle is key to this behavior? A. Least privilege B. Implicit deny C. Explicit deny D. Final rule fall-through
B
A web application accesses information in a database to retrieve user information. What is the web application acting as? A. A subject B. An object C. A user D. A token
A
After you do automated functional testing with 100 percent coverage of an application, what type of error is most likely to remain? A. Business logic errors B. Input validation errors C. Runtime errors D. Error handling errors
A
Alejandro is an incident response analyst for a large corporation. He is on the midnight shift when an intrusion detection system alerts him to a potential brute-force password attack against one of the company's critical information systems. He performs an initial triage of the event before taking any additional action. What stage of the incident response process is Alejandro currently conducting? A. Detection B. Response C. Recovery D. Mitigation
A
Alice sends a message to Bob and wants to ensure that Mal, a third party, does not read the contents of the message while in transit. What goal of cryptography is Alice attempting to achieve? A. Confidentiality B. Integrity C. Authentication D. Nonrepudiation
A
Angie is configuring egress monitoring on her network to provide added security. Which one of the following packet types should Angie allow to leave the network headed for the Internet? A. Packets with a source address from Angie's public IP address block B. Packets with a destination address from Angie's public IP address block C. Packets with a source address outside Angie's address block D. Packets with a source address from Angie's private address block
A
Ben is concerned about password cracking attacks against his system. He would like to implement controls that prevent an attacker who has obtained those hashes from easily cracking them. What two controls would best meet this objective? A. Longer passwords and salting B. Over-the-wire encryption and use of SHA1 instead of MD5 C. Salting and use of MD5 D. Using shadow passwords and salting
A
Ben is selecting an encryption algorithm for use in an organization with 10,000 employees. He must facilitate communication between any two employees within the organization. Which one of the following algorithms would allow him to meet this goal with the least time dedicated to key management? A. RSA B. IDEA C. 3DES D. Skipjack
A
Ben wants to provide predictive information about his organization's risk exposure in an automated way as part of an ongoing organizational risk management plan. What should he use to do this? A. KRIs B. Quantitative risk assessments C. KPIs D. Penetration tests
A
Bethany received an email from one of her colleagues with an unusual attachment named smime.p7s. She does not recognize the attachment and is unsure what to do. What is the most likely scenario? A. This is an encrypted email message. B. This is a phishing attack. C. This is embedded malware. D. This is a spoofing attack.
A
Carlos is investigating the compromise of sensitive information in his organization. He believes that attackers managed to retrieve personnel information on all employees from the database and finds the following user-supplied input in a log entry for a web-based personnel management system: Collins'&1=1;-- What type of attack took place? A. SQL injection B. Buffer overflow C. Cross-site scripting D. Cross-site request forgery
A
Chris is an information security professional for a major corporation and, as he is walking into the building, he notices that the door to a secure area has been left ajar. Physical security does not fall under his responsibility, but he takes immediate action by closing the door and informing the physical security team of his action. What principle is Chris demonstrating? A. Due care B. Due diligence C. Separation of duties D. Informed consent
A
Danielle is testing tax software, and part of her testing process requires her to input a variety of actual tax forms to verify that the software produces the right answers. What type of testing is Danielle performing? A. Use case testing B. Dynamic testing C. Fuzzing D. Misuse testing
A
Cameron is responsible for backing up his company's primary file server. He configured a backup schedule that performs full backups every Monday evening at 9 p.m. and incremental backups on other days of the week at that same time. How many files will be copied in Wednesday's backup? A. 1 B. 2 C. 5 D. 6
B
Darcy is an information security risk analyst for Roscommon Agricultural Products. She is currently trying to decide whether the company should purchase an upgraded fire suppression system for their primary data center. The data center facility has a replacement cost of $2 million. After consulting with actuaries, data center managers, and fire subject matter experts, Darcy determined that a typical fire would likely require the replacement of all equipment inside the building but not cause significant structural damage. Together, they estimated that recovering from the fire would cost $750,000. They also determined that the company can expect a fire of this magnitude once every 50 years. Based on the information in this scenario, what is the annualized loss expectancy for a fire at the Roscommon Agricultural Products data center? A. $15,000 B. $25,000 C. $75,000 D. $750,000
A
Don's company is considering the use of an object-based storage system where data is placed in a vendor-managed storage environment through the use of API calls. What type of cloud computing service is in use? A. IaaS B. PaaS C. CaaS D. SaaS
A
During software testing, Jack diagrams how a hacker might approach the application he is reviewing and determines what requirements the hacker might have. He then tests how the system would respond to the attacker's likely behavior. What type of testing is Jack conducting? A. Misuse case testing B. Use case testing C. Hacker use case testing D. Static code analysis
A
During what phase of the incident response process would security professionals analyze the process itself to determine whether any improvements are warranted? A. Lessons Learned B. Remediation C. Recovery D. Reporting
A
Harry's request to read the data file is blocked. Harry has a Secret security clearance, and the data file has a Top Secret classification. What principle of the Bell-LaPadula model blocked this request? A. Simple Security Property B. Simple Integrity Property C. *-Security Property D. Discretionary Security Property
A
In the OSI model, when a packet changes from a datastream to a segment or a datagram, what layer has it traversed? A. The Transport layer B. The Application layer C. The Data Link layer D. The Physical layer
A
In the diagram shown here, Harry is prevented from reading a file at a higher classification level than his security clearance. What security model prevents this behavior? [Diagram: Harry, Read Request, Data File] A. Bell-LaPadula B. Biba C. Clark-Wilson D. Brewer-Nash
A
In this diagram of the TCP three-way handshake, what should system A send to system B in step 3? A. ACK B. SYN C. FIN D. RST
A
In what type of trusted recovery process is the system able to recover without administrator intervention but the system may suffer some loss of data? A. Automated recovery B. Manual recovery C. Automated recovery without undue data loss D. Function recovery
A
Jacob executes an attack against a system using a valid but low-privilege user account by accessing a file pointer that the account has access to. After the access check, but before the file is opened, he quickly switches the file pointer to point to a file that the user account does not have access to. What type of attack is this? A. TOCTOU B. Permissions creep C. Impersonation D. Link swap
A
Jasper Diamonds is a jewelry manufacturer that markets and sells custom jewelry through their website. Bethany is the manager of Jasper's software development organization, and she is working to bring the company into line with industry standard practices. She is developing a new change management process for the organization and wishes to follow commonly accepted approaches. Bethany noticed that some problems arise when system administrators update libraries without informing developers. What change management process can assist with this problem? A. Configuration control B. Change control C. Release control D. Request control
A
Jim starts a new job as a system engineer, and his boss provides him with a document entitled "Forensic Response Guidelines." Which one of the following statements is not true? A. Jim must comply with the information in this document. B. The document contains information about forensic examinations. C. Jim should read the document thoroughly. D. The document is likely based on industry best practices.
A
Kathleen has been asked to choose a highly formalized code review process for her software quality assurance team to use. Which of the following software testing processes is the most rigorous and formal? A. Fagan B. Fuzzing C. Over the shoulder D. Pair programming
A
Kim is the database security administrator for Aircraft Systems, Inc. (ASI). ASI is a military contractor engaged in the design and analysis of aircraft avionics systems and regularly handles classified information on behalf of the government and other government contractors. Kim is concerned about ensuring the security of information stored in ASI databases. Kim's database is a multilevel security database, and different ASI employees have different security clearances. The database contains information on the location of military aircraft containing ASI systems to allow ASI staff to monitor those systems. Kim learned that the military is planning a classified mission that involves some ASI aircraft. She is concerned that employees not cleared for the mission may learn of it by noticing the movement of many aircraft to the region. Individual employees are cleared to know about the movement of an individual aircraft, but they are not cleared to know about the overall mission. What type of attack is Kim concerned about? A. Aggregation B. SQL injection C. Inference D. Multilevel security
A
Lauren's healthcare provider maintains such data as details about her health, treatments, and medical billing. What type of data is this? A. Protected Health Information B. Personally Identifiable Information C. Protected Health Insurance D. Individual Protected Data
A
Lauren's team of system administrators each deal with hundreds of systems with varying levels of security requirements and find it difficult to handle the multitude of usernames and passwords they each have. What type of solution should she recommend to ensure that passwords are properly handled and that features like logging and password rotation occur? A. A credential management system B. A strong password policy C. Separation of duties D. Single sign-on
A
Mike and Renee would like to use an asymmetric cryptosystem to communicate with each other. They are located in different parts of the country but have exchanged encryption keys by using digital certificates signed by a mutually trusted certificate authority. Mike would like to send Renee a private message using the information gained during this exchange. What key should he use to encrypt the message? A. Renee's public key B. Renee's private key C. CA's public key D. CA's private key
A
Mike and Renee would like to use an asymmetric cryptosystem to communicate with each other. They are located in different parts of the country but have exchanged encryption keys by using digital certificates signed by a mutually trusted certificate authority. When the certificate authority (CA) created Renee's digital certificate, what key was contained within the body of the certificate? A. Renee's public key B. Renee's private key C. CA's public key D. CA's private key
A
Norm would like to conduct a disaster recovery test for his organization and wants to choose the most thorough type of test, recognizing that it may be quite disruptive. What type of test should Norm choose? A. Full interruption test B. Parallel test C. Tabletop exercise D. Checklist review
A
Purchasing insurance is a form of what type of risk response? A. Transfer B. Avoid C. Mitigate D. Accept
A
Renee is using encryption to safeguard sensitive business secrets when in transit over the Internet. What risk metric is she attempting to lower? A. Likelihood B. RTO C. MTO D. Impact
A
Ricky would like to access a remote file server through a VPN connection. He begins this process by connecting to the VPN and attempting to log in. Applying the subject/object model to this request, what is the subject of Ricky's login attempt? A. Ricky B. VPN C. Remote file server D. Files contained on the remote server
A
Roscommon Enterprises is an Irish company that handles personal information. They exchange information with many other countries. Which of the following countries would trigger the onward transfer provisions of the EU-U.S. Privacy Shield? A. United States B. France C. Italy D. Germany
A
Sam is a security risk analyst for an insurance company. He is currently examining a scenario where a hacker might use a SQL injection attack to deface a web server due to a missing patch in the company's web application. In this scenario, what is the vulnerability? A. Unpatched web application B. Web defacement C. Hacker D. Operating system
A
Skip needs to transfer files from his PC to a remote server. What protocol should he use instead of FTP? A. SCP B. SSH C. HTTP D. Telnet
A
Something you know is an example of what type of authentication factor? A. Type 1 B. Type 2 C. Type 3 D. Type 4
A
Sue was required to sign an NDA when she took a job at her new company. Why did the company require her to sign it? A. To protect the confidentiality of their data B. To ensure that Sue did not delete their data C. To prevent Sue from directly competing with them in the future D. To require Sue to ensure the availability of their data as part of her job
A
Sue's organization recently failed a security assessment because their network was a single flat broadcast domain, and sniffing traffic was possible between different functional groups. What solution should she recommend to help prevent the issues that were identified? A. Use VLANs. B. Change the subnet mask for all systems. C. Deploy gateways. D. Turn on port security.
A
Susan is conducting a STRIDE threat assessment by placing threats into one or more of the following categories: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. As part of her assessment, she has discovered an issue that allows transactions to be modified between a web browser and the application server that it accesses. What STRIDE categorization(s) best fit this issue? A. Tampering and Information Disclosure B. Spoofing and Tampering C. Tampering and Repudiation D. Information Disclosure and Elevation of Privilege
A
The Open Shortest Path First (OSPF) protocol is a routing protocol that keeps a map of all connected remote networks and uses that map to select the shortest path to a remote destination. What type of routing protocol is OSPF? A. Link state B. Shortest path first C. Link mapping D. Distance vector
A
The company that Fred works for is reviewing the security of their company-issued cell phones. They issue 4G-capable smartphones running Android and iOS and use a mobile device management solution to deploy company software to the phones. The mobile device management software also allows the company to remotely wipe the phones if they are lost. What security considerations should Fred's company require for sending sensitive data over the cellular network? A. They should use the same requirements as data over any public network. B. Cellular provider networks are private networks and should not require special consideration. C. Encrypt all traffic to ensure confidentiality. D. Require the use of WAP for all data sent from the phone.
A
The leadership at Susan's company has asked her to implement an access control system that can support rule declarations like "Only allow access to salespeople from managed devices on the wireless network between 8 a.m. and 6 p.m." What type of access control system would be Susan's best choice? A. ABAC B. RBAC C. DAC D. MAC
A
The type of access granted to an object and the actions that you can take on or with the object are examples of what? A. Permissions B. Rights C. Privileges D. Roles
A
The web application that Saria's development team is working on needs to provide secure session management that can prevent hijacking of sessions using the cookies that the application relies on. Which of the following techniques would be the best for her to recommend to prevent this? A. Set the Secure attribute for the cookies, thus forcing TLS. B. Set the Domain cookie attribute to example.com to limit cookie access to servers in the same domain. C. Set the Expires cookie attribute to less than a week. D. Set the HTTPOnly attribute to require only unencrypted sessions.
A
Theresa is implementing a new access control system and wants to ensure that developers do not have the ability to move code from development systems into the production environment. What information security principle is she most directly enforcing? A. Separation of duties B. Two-person control C. Least privilege D. Job rotation
A
Val is attempting to review security logs but is overwhelmed by the sheer volume of records maintained in her organization's central log repository. What technique can she use to select a representative set of records for further review? A. Statistical sampling B. Clipping C. Choose the first 5% of records from each day D. Choose 5% of records from the middle of the day
A
What important factor differentiates Frame Relay from X.25? A. Frame Relay supports multiple PVCs over a single WAN carrier connection. B. Frame Relay is a cell switching technology instead of a packet switching technology like X.25. C. Frame Relay does not provide a Committed Information Rate (CIR). D. Frame Relay only requires a DTE on the provider side.
A
What is another term for active monitoring? A. Synthetic B. Passive C. Reactive D. Span-based
A
What is the goal of the BCP process? A. RTO < MTD B. MTD < RTO C. RPO < MTD D. MTD < RPO
A
What is the maximum penalty that may be imposed by an (ISC)2 peer review board when considering a potential ethics violation? A. Revocation of certification B. Termination of employment C. Financial penalty D. Suspension of certification
A
What level of RAID is also known as disk striping? A. RAID 0 B. RAID 1 C. RAID 5 D. RAID 10
A
What occurs between steps A and B? A. The KDC verifies the validity of the TGT and whether the user has the right privileges for the requested resource. B. The KDC updates its access control list based on the data in the TGT. C. The KDC checks its service listing and prepares an updated TGT based on the service request. D. The KDC generates a service ticket to issue to the client.
A
What three important items should be considered if you are attempting to control the strength of signal for a wireless network as well as where it is accessible? A. Antenna placement, antenna type, antenna power levels B. Antenna design, power levels, use of a captive portal C. Antenna placement, antenna design, use of a captive portal D. Power levels, antenna placement, FCC minimum strength requirements
A
What type of error occurs when a valid subject using a biometric authenticator is not authenticated? A. A Type 1 error B. A Type 2 error C. A Type 3 error D. A Type 4 error
A
What type of firewall is capable of inspecting traffic at layer 7 and performing protocol-specific analysis for malicious traffic? A. Application firewall B. Stateful inspection firewall C. Packet filtering firewall D. Bastion host
A
What type of inbound packet is characteristic of a ping flood attack? A. ICMP echo request B. ICMP echo reply C. ICMP destination unreachable D. ICMP route changed
A
Which individual bears the ultimate responsibility for data protection tasks? A. Data owner B. Data custodian C. User D. Auditor
A
Which of the following concerns should not be on Lauren's list of potential issues when penetration testers suggest using Metasploit during their testing? A. Metasploit can only test vulnerabilities it has plug-ins for. B. Penetration testing only covers a point-in-time view of the organization's security. C. Tools like Metasploit can cause denial of service issues. D. Penetration testing cannot test process and policy.
A
Chris is conducting a risk assessment for his organization and has determined the amount of damage that a single flood could be expected to cause to his facilities. What metric has Chris identified? A. ALE B. SLE C. ARO D. AV
B
Chris is deploying a gigabit Ethernet network using Category 6 cable between two buildings. What is the maximum distance he can run the cable according to the Category 6 standard? A. 50 meters B. 100 meters C. 200 meters D. 300 meters
B
Mary is a security risk analyst for an insurance company. She is currently examining a scenario where a hacker might use a SQL injection attack to deface a web server due to a missing patch in the company's web application. In this scenario, what is the risk? A. Unpatched web application B. Web defacement C. Hacker D. Operating system
B
Chris uses a packet sniffer to capture traffic from a TACACS+ server. What protocol should he monitor, and what data should he expect to be readable? A. UDP; none—TACACS+ encrypts the full session B. TCP; none—TACACS+ encrypts the full session C. UDP; all but the username and password, which are encrypted D. TCP; all but the username and password, which are encrypted
B
Ben has written the password hashing system for the web application he is building. His password hashing function produces the following results for a series of passwords:
hash (password1 + 07C98BFE4CF67B0BFE2643B5B22E2D7D) = 10B222970537B97919DB36EC757370D2
hash (password2 + 07C98BFE4CF67B0BFE2643B5B22E2D7D) = F1F16683F3E0208131B46D37A79C8921
What flaw has Ben introduced with his hashing implementation? A. Plaintext salting B. Salt reuse C. Use of a short salt D. Poor salt algorithm selection
B
David works in an organization that uses a formal data governance program. He is consulting with an employee working on a project that created an entirely new class of data and wants to work with the appropriate individual to assign a classification level to that information. Who is responsible for the assignment of information to a classification level? A. Data creator B. Data owner C. CISO D. Data custodian
B
Ed is tasked with protecting information about his organization's customers, including their name, Social Security number, birthdate, and place of birth, as well as a variety of other information. What is this information known as? A. PHI B. PII C. Personal Protected Data D. PID
B
Ed's organization has 5 IP addresses allocated to them by their ISP but needs to connect over 100 computers and network devices to the Internet. What technology can he use to connect his entire network via the limited set of IP addresses he can use? A. IPsec B. PAT C. SDN D. IPX
B
Encapsulation is the core concept that enables what type of protocol? A. Bridging B. Multilayer C. Hashing D. Storage
B
Files, databases, computers, programs, processes, devices, and media are all examples of what? A. Subjects B. Objects C. File stores D. Users
B
Fred finds a packet that his protocol analyzer shows with both PSH and URG set. What type of packet is he looking at, and what do the flags mean? A. A UDP packet; PSH and URG are used to indicate that the data should be sent at high speed B. A TCP packet; PSH and URG are used to clear the buffer and indicate that the data is urgent C. A TCP packet; PSH and URG are used to preset the header and indicate that the speed of the network is unregulated D. A UDP packet; PSH and URG are used to indicate that the UDP buffer should be cleared and that the data is urgent
B
Fred's company wants to ensure the integrity of email messages sent via their central email servers. If the confidentiality of the messages is not critical, what solution should Fred suggest? A. Digitally sign and encrypt all messages to ensure integrity. B. Digitally sign but don't encrypt all messages. C. Use TLS to protect messages, ensuring their integrity. D. Use a hashing algorithm to provide a hash in each message to prove that it hasn't changed.
B
Fred's data role requires him to maintain system security plans and to ensure that system users and support staff get the training they need about security practices and acceptable use. What is the role that Fred is most likely to hold in the organization? A. Data owner B. System owner C. User D. Custodian
B
Fred's new employer has hired him for a position with access to their trade secrets and confidential internal data. What legal tool should they use to help protect their data if he chooses to leave to work at a competitor? A. A stop-loss order B. An NDA C. An AUP D. Encryption
B
Hunter is the facilities manager for DataTech, a large data center management firm. He is evaluating the installation of a flood prevention system at one of DataTech's facilities. The facility and contents are valued at $100 million. Installing the new flood prevention system would cost $10 million. Hunter consulted with flood experts and determined that the facility lies within a 200-year flood plain and that, if a flood occurred, it would likely cause $20 million in damage to the facility. Based on the information in this scenario, what is the annualized loss expectancy for a flood at DataTech's data center? A. $40,000 B. $100,000 C. $400,000 D. $1,000,000
B
Hunter is the facilities manager for DataTech, a large data center management firm. He is evaluating the installation of a flood prevention system at one of DataTech's facilities. The facility and contents are valued at $100 million. Installing the new flood prevention system would cost $10 million. Hunter consulted with flood experts and determined that the facility lies within a 200-year flood plain and that, if a flood occurred, it would likely cause $20 million in damage to the facility. Based on the information in this scenario, what is the annualized rate of occurrence for a flood at DataTech's data center? A. 0.002 B. 0.005 C. 0.02 D. 0.05
B
What security control may be used to implement a concept known as two-person control? A. Mandatory vacation B. Separation of duties C. Least privilege D. Defense in depth
B
Hunter is the facilities manager for DataTech, a large data center management firm. He is evaluating the installation of a flood prevention system at one of DataTech's facilities. The facility and contents are valued at $100 million. Installing the new flood prevention system would cost $10 million. Hunter consulted with flood experts and determined that the facility lies within a 200-year flood plain and that, if a flood occurred, it would likely cause $20 million in damage to the facility. Based on the information in this scenario, what is the exposure factor for the effect of a flood on DataTech's data center? A. 2% B. 20% C. 100% D. 200%
B
In what cloud computing model does the customer build a cloud computing environment in his or her own data center or build an environment in another data center that is for the customer's exclusive use? A. Public cloud B. Private cloud C. Hybrid cloud D. Shared cloud
B
Jackie is creating a database that contains the Customers table, shown here. She is designing a new table to contain Orders and plans to use the Company ID in that table to uniquely identify the customer associated with each order. What role does the Company ID field play in the Orders table?
Company ID | Company Name      | Address            | City       | State | ZIP Code | Telephone      | Sales Rep
1          | Acme Widgets      | 234 Main Street    | Columbia   | MD    | 21040    | (301) 555-1212 | 14
2          | Abrams Consulting | 1024 Sample Street | Miami      | FL    | 33131    | (305) 555-1995 | 14
3          | Dome Widgets      | 913 Sorin Street   | South Bend | IN    | 46556    | (574) 555-5863 | 26
A. Primary key B. Foreign key C. Candidate key D. Referential key
B
James has opted to implement a NAC solution that uses a post-admission philosophy for its control of network connectivity. What type of issues can't a strictly post-admission policy handle? A. Out-of-band monitoring B. Preventing an unpatched laptop from being exploited immediately after connecting to the network C. Denying access when user behavior doesn't match an authorization matrix D. Allowing user access when user behavior is allowed based on an authorization matrix
B
Jasper Diamonds is a jewelry manufacturer that markets and sells custom jewelry through their website. Bethany is the manager of Jasper's software development organization, and she is working to bring the company into line with industry standard practices. She is developing a new change management process for the organization and wishes to follow commonly accepted approaches. Bethany would also like to create a process that helps multiple developers work on code at the same time. What change management process facilitates this? A. Configuration control B. Change control C. Release control D. Request control
B
Jennifer needs to measure the effectiveness of her information security program as she works toward her organization's long-term goals. What type of measures should she select? A. Metrics B. KPIs C. SLAs D. OKRs
B
Kathleen wants to set up a service to provide information about her organization's users and services using a central, open, vendor-neutral, standards-based system that can be easily queried. Which of the following technologies is her best choice? A. RADIUS B. LDAP C. Kerberos D. Active Directory
B
Kim is the database security administrator for Aircraft Systems, Inc. (ASI). ASI is a military contractor engaged in the design and analysis of aircraft avionics systems and regularly handles classified information on behalf of the government and other government contractors. Kim is concerned about ensuring the security of information stored in ASI databases. Kim's database is a multilevel security database, and different ASI employees have different security clearances. The database contains information on the location of military aircraft containing ASI systems to allow ASI staff to monitor those systems. Kim would like to create a key that enforces referential integrity for the database. What type of key does she need to create? A. Primary key B. Foreign key C. Candidate key D. Master key
B
Kim is the database security administrator for Aircraft Systems, Inc. (ASI). ASI is a military contractor engaged in the design and analysis of aircraft avionics systems and regularly handles classified information on behalf of the government and other government contractors. Kim is concerned about ensuring the security of information stored in ASI databases. Kim's database is a multilevel security database, and different ASI employees have different security clearances. The database contains information on the location of military aircraft containing ASI systems to allow ASI staff to monitor those systems. Kim's database uniquely identifies aircraft by using their tail number. Which one of the following terms would not necessarily accurately describe the tail number? A. Database field B. Foreign key C. Primary key D. Candidate key
B
Kim is the database security administrator for Aircraft Systems, Inc. (ASI). ASI is a military contractor engaged in the design and analysis of aircraft avionics systems and regularly handles classified information on behalf of the government and other government contractors. Kim is concerned about ensuring the security of information stored in ASI databases. Kim's database is a multilevel security database, and different ASI employees have different security clearances. The database contains information on the location of military aircraft containing ASI systems to allow ASI staff to monitor those systems. What technique can Kim employ to prevent employees not cleared for the mission from learning the true location of the aircraft? A. Input validation B. Polyinstantiation C. Parameterization D. Server-side validation
B
Kolin is searching for a network security solution that will allow him to help reduce zero-day attacks while using identities to enforce a security policy on systems before they connect to the network. What type of solution should Kolin implement? A. A firewall B. A NAC system C. An intrusion detection system D. Port security
B
Linda is selecting a disaster recovery facility for her organization, and she wishes to retain independence from other organizations as much as possible. She would like to choose a facility that balances cost and recovery time, allowing activation in about one week after a disaster is declared. What type of facility should she choose? A. Cold site B. Warm site C. Mutual assistance agreement D. Hot site
B
Matthew and Richard are friends located in different physical locations who would like to begin communicating with each other using cryptography to protect the confidentiality of their communications. They exchange digital certificates to begin this process and plan to use an asymmetric encryption algorithm for the secure exchange of email messages. When Matthew goes to add the digital signature to the message, what encryption key does he use to create the digital signature? A. Matthew's public key B. Matthew's private key C. Richard's public key D. Richard's private key
B
Megan needs to create a forensic copy of a hard drive that will be used in an investigation. Which of the following tools is best suited to her work? A. xcopy B. dd C. DBAN D. ImageMagik
B
Metrics like the attack vector, complexity, exploit maturity, and how much user interaction is required are all found in what scoring system? A. CVE B. CVSS C. CNA D. NVD
B
Michelle is in charge of her organization's mobile device management efforts and handles lost and stolen devices. Which of the following recommendations will provide the most assurance to her organization that data will not be lost if a device is stolen? A. Mandatory passcodes and application management B. Full device encryption and mandatory passcodes C. Remote wipe and GPS tracking D. Enabling GPS tracking and full device encryption
B
NIST Special Publication 800-53A describes four types of objects that can be assessed. If Ben is reviewing a password standard, which of the four types of objects is he assessing? A. A mechanism B. A specification C. An activity D. An individual
B
NIST Special Publication 800-92, the Guide to Computer Security Log Management, describes four types of common challenges to log management: ■ Many log sources ■ Inconsistent log content ■ Inconsistent timestamps ■ Inconsistent log formats Which of the following solutions is best suited to solving these issues? A. Implement SNMP for all logging devices. B. Implement a SIEM. C. Standardize on the Windows event log format for all devices and use NTP. D. Ensure that logging is enabled on all endpoints using their native logging formats and set their local time correctly.
B
Norm is starting a new software project with a vendor that uses an SDLC approach to development. When he arrives on the job, he receives a document that has the sections shown here. What type of planning document is this? Sections: Executive Summary section with a high-level schedule of key activities and milestones; Detailed project tasks for the applicable SDLC phases; Special interest areas tracked outside the SDLC phase areas as required. A. Functional requirements B. Work breakdown structure C. Test analysis report D. Project plan
B
Renee notices that a system on her network recently received connection attempts on all 65,536 TCP ports from a single system during a short period of time. What type of attack did Renee most likely experience? A. Denial of service B. Reconnaissance C. Malicious insider D. Compromise
B
Reference table (Report / Content / Audience): SOC 1 / Internal controls for financial reporting / Users and auditors; SOC 2 / Confidentiality, integrity, availability, security, and privacy controls / Auditors, regulators, management, partners, and others under NDA; SOC 3 / Confidentiality, integrity, availability, security, and privacy controls / Publicly available, often used for a website seal. As they prepare to migrate their data center to an infrastructure as a service (IaaS) provider, Susan's company wants to understand the effectiveness of their new provider's security, integrity, and availability controls. What SOC report would provide them with the most detail, including input from the auditor on the effectiveness of controls at the IaaS provider? A. SOC 1. B. SOC 2. C. SOC 3. D. None of the SOC reports are suited to this, and they should request another form of report
B
Saria is the system owner for a healthcare organization. What responsibilities does she have related to the data that resides on or is processed by the systems she owns? A. She has to classify the data. B. She has to make sure that appropriate security controls are in place to protect the data. C. She has to grant appropriate access to personnel. D. She bears sole responsibility for ensuring that data is protected at rest, in transit, and in use.
B
Steve is developing an input validation routine that will protect the database supporting a web application from SQL injection attack. Where should Steve place the input validation code? A. JavaScript embedded in the web pages B. Backend code on the web server C. Stored procedure on the database D. Code on the user's web browser
B
Susan's team is performing code analysis by manually reviewing the code for flaws. What type of analysis are they performing? A. Gray box B. Static C. Dynamic D. Fuzzing
B
Tammy is selecting a disaster recovery facility for her organization. She would like to choose a facility that balances the time required to recover operations with the cost involved. What type of facility should she choose? A. Hot site B. Warm site C. Cold site D. Red site
B
The TCP header is made up of elements such as the source port, destination port, sequence number, and others. How many bytes long is the TCP header? A. 8 bytes B. 20-60 bytes C. 64 bytes D. 64-128 bytes
B
The ability to store and generate passwords, provide logging and auditing capabilities, and allow password check-in and check-out are all features of what type of system? A. AAA B. Credential management C. Two-factor authentication D. Kerberos
B
The company that Fred works for is reviewing the security of their company-issued cell phones. They issue 4G-capable smartphones running Android and iOS and use a mobile device management solution to deploy company software to the phones. The mobile device management software also allows the company to remotely wipe the phones if they are lost. What are the most likely circumstances that would cause a remote wipe of a mobile phone to fail? A. The phone has a passcode on it. B. The phone cannot contact a network. C. The provider has not unlocked the phone. D. The phone is in use.
B
The government agency that Ben works at installed a new access control system. The system uses information such as Ben's identity, department, normal working hours, job category, and location to make authorization decisions. What type of access control system did Ben's employer adopt? A. Role-based access control B. Attribute-based access control C. Administrative access control D. System discretionary access control
B
The large business that Jack works for has been using noncentralized logging for years. They have recently started to implement centralized logging, however, and as they reviewed logs, they discovered a breach that appeared to have involved a malicious insider. How can Jack best ensure accountability for actions taken on systems in his environment? A. Log review and require digital signatures for each log. B. Require authentication for all actions taken and capture logs centrally. C. Log the use of administrative credentials and encrypt log data in transit. D. Require authorization and capture logs centrally.
B
Tom is the general counsel for an Internet service provider, and he recently received notice of a lawsuit against the firm because of copyrighted content illegally transmitted over the provider's circuits by a customer. What law protects Tom's company in this case? A. Computer Fraud and Abuse Act B. Digital Millennium Copyright Act C. Wiretap Act D. Copyright Code
B
Using the OSI model, what format does the Data Link layer use to format messages received from higher up the stack? A. A datastream B. A frame C. A segment D. A datagram
B
What OASIS standard markup language is used to generate provisioning requests both within organizations and with third parties? A. SAML B. SPML C. XACML D. SOA
B
What RAID level is also known as disk mirroring? A. RAID 0 B. RAID 1 C. RAID 3 D. RAID 5
B
What UDP port is typically used by the syslog service? A. 443 B. 514 C. 515 D. 445
B
What US government classification label is applied to information that, if disclosed, could cause serious damage to national security and also requires that the damage that would be caused is able to be described or identified by the classification authority? A. Classified B. Secret C. Confidential D. Top Secret
B
What access control scheme labels subjects and objects, and allows subjects to access objects when the labels match? A. DAC B. MAC C. Rule-based access control (RBAC) D. Role-based access control (RBAC)
B
What does a service ticket (ST) provide in Kerberos authentication? A. It serves as the authentication host. B. It provides proof that the subject is authorized to access an object. C. It provides proof that a subject has authenticated through a KDC and can request tickets to access other objects. D. It provides ticket granting services.
B
What flaw is a concern with preset questions for cognitive passwords? A. It prevents the use of tokens. B. The question's answer may be easy to find on the Internet. C. Cognitive passwords require users to think to answer the question, and not all users may be able to solve the problems presented. D. Cognitive passwords don't support long passwords.
B
What is the default subnet mask for a Class B network? A. 255.0.0.0 B. 255.255.0.0 C. 255.254.0.0 D. 255.255.255.0
B
What is the minimum number of cryptographic keys necessary to achieve strong security when using the 3DES algorithm? A. 1 B. 2 C. 3 D. 4
B
What is the minimum number of disks required to implement RAID level 0? A. 1 B. 2 C. 3 D. 5
B
What is the minimum number of people who should be trained on any specific business continuity plan implementation task? A. 1 B. 2 C. 3 D. 5
B
What is the primary advantage of decentralized access control? A. It provides better redundancy. B. It provides control of access to people closer to the resources. C. It is less expensive. D. It provides more granular control of access.
B
What process adds a header and a footer to data received at each layer of the OSI model? A. Attribution B. Encapsulation C. TCP wrapping D. Data hiding
B
What process is used to verify that a dial-up user is connecting from the phone number they are preauthorized to use in a way that avoids spoofing? A. CallerID B. Callback C. CHAP D. PPP
B
What process makes TCP a connection-oriented protocol? A. It works via network connections. B. It uses a handshake. C. It monitors for dropped connections. D. It uses a complex header
B
What type of firewall uses multiple proxy servers that filter traffic based on analysis of the protocols used for each service? A. A static packet filtering firewall B. An application-level gateway firewall C. A circuit-level gateway firewall D. A stateful inspection firewall
B
What type of forensic investigation typically has the highest evidentiary standards? A. Administrative B. Criminal C. Civil D. Industry
B
When Ben lists the files on a Linux system, he sees a set of attributes as shown in the following image. The letters rwx indicate different levels of what? A. Identification B. Authorization C. Authentication D. Accountability
B
When Susan requests a SOC 2 report, she receives a SAS 70 report. What issue should Susan raise? A. SAS 70 does not include Type 2 reports, so control evaluation is only point in time. B. SAS 70 has been replaced. C. SAS 70 is a financial reporting standard and does not cover data centers. D. SAS 70 only uses a 3-month period for testing
B
Which accounts are typically assessed during an account management assessment? A. A random sample B. Highly privileged accounts C. Recently generated accounts D. Accounts that have existed for long periods of time
B
Which of the following is not a valid use for key risk indicators? A. Provide warnings before issues occur. B. Provide real-time incident response information. C. Provide historical views of past risks. D. Provide insight into risk tolerance for the organization.
B
Which one of the following intellectual property protection mechanisms has the shortest duration? A. Copyright B. Patent C. Trademark D. Trade secret
B
Which one of the following investigation types always uses the beyond-a-reasonable-doubt standard of proof? A. Civil investigation B. Criminal investigation C. Operational investigation D. Regulatory investigation
B
Which one of the following investigation types has the loosest standards for the collection and preservation of information? A. Civil investigation B. Operational investigation C. Criminal investigation D. Regulatory investigation
B
Which one of the following is not a key process area for the Repeatable phase of the Software Capability Maturity Model (SW-CMM)? A. Software Project Planning B. Software Quality Management C. Software Project Tracking D. Software Subcontract Management
B
Which one of the following metrics specifies the amount of time that business continuity planners find acceptable for the restoration of service after a disaster? A. MTD B. RTO C. RPO D. MTO
B
Cloud computing uses a shared responsibility model for security, where the vendor and customer each bear some responsibility for security. The division of responsibility depends upon the type of service used. Place the cloud service offerings listed here in order from the case where the customer bears the least responsibility to where the customer bears the most responsibility. (Order these from LEAST to GREATEST Responsibility for the Customer) A. IaaS B. SaaS C. PaaS D. TaaS
B, C, A
In which of the following circumstances does an individual not have a reasonable expectation of privacy? A. Placing a telephone call on your cell phone B. Sending a letter through the US mail C. Sending an email at work D. Retrieving your personal voicemail
C
A Type 2 authentication factor that generates dynamic passwords based on a time- or algorithm-based system is what type of authenticator? A. A PIV B. A smart card C. A token D. A CAC
C
Alejandro is an incident response analyst for a large corporation. He is on the midnight shift when an intrusion detection system alerts him to a potential brute-force password attack against one of the company's critical information systems. He performs an initial triage of the event before taking any additional action. As the incident response progresses, during which stage should the team conduct a root cause analysis? A. Response B. Reporting C. Remediation D. Lessons Learned
C
Alejandro is an incident response analyst for a large corporation. He is on the midnight shift when an intrusion detection system alerts him to a potential brute-force password attack against one of the company's critical information systems. He performs an initial triage of the event before taking any additional action. If Alejandro's initial investigation determines that a security incident is likely taking place, what should be his next step? A. Investigate the root cause. B. File a written report. C. Activate the incident response team. D. Attempt to restore the system to normal operations.
C
Alice is designing a cryptosystem for use by six users and would like to use a symmetric encryption algorithm. She wants any two users to be able to communicate with each other without worrying about eavesdropping by a third user. How many symmetric encryption keys will she need to generate? A. 6 B. 12 C. 15 D. 30
C
Alice would like to add another object to a security model and grant herself rights to that object. Which one of the rules in the Take-Grant protection model would allow her to complete this operation? A. Take rule B. Grant rule C. Create rule D. Remove rule
C
Andrew believes that a digital certificate belonging to his organization was compromised and would like to add it to a Certificate Revocation List. Who must add the certificate to the CRL? A. Andrew B. The root authority for the top-level domain C. The CA that issued the certificate D. The revocation authority for the top-level domain
C
Attackers who compromise websites often acquire databases of hashed passwords. What technique can best protect these passwords against automated password cracking attacks that use precomputed values? A. Using the MD5 hashing algorithm B. Using the SHA-1 hashing algorithm C. Salting D. Double-hashing
C
Ben has encountered problems with users in his organization reusing passwords, despite a requirement that they change passwords every 30 days. What type of password setting should Ben employ to help prevent this issue? A. Longer minimum age B. Increased password complexity C. Implement password history D. Implement password length requirements
C
Ben is working on integrating a federated identity management system and needs to exchange authentication and authorization information for browser-based single sign-on. What technology is his best option? A. HTML B. XACML C. SAML D. SPML
C
Ben needs to verify that the most recent patch for his organization's critical application did not introduce issues elsewhere. What type of testing does Ben need to conduct to ensure this? A. Unit testing B. White box C. Regression testing D. Black box
C
Ben's New York-based commercial web service collects personal information from California residents. What does the California Online Privacy Protection Act require Ben to do to be compliant? A. Ben must encrypt all personal data he receives. B. Ben must comply with the EU GDPR. C. Ben must have a conspicuously posted privacy policy on his site. D. Ben must provide notice and choice for users of his website.
C
Carol would like to implement a control that protects her organization from the momentary loss of power to the data center. Which control is most appropriate for her needs? A. Redundant servers B. RAID C. UPS D. Generator
C
Chris has been assigned to scan a system on all of its possible TCP and UDP ports. How many ports of each type must he scan to complete his assignment? A. 65,536 TCP ports and 32,768 UDP ports B. 1024 common TCP ports and 32,768 ephemeral UDP ports C. 65,536 TCP and 65,536 UDP ports D. 16,384 TCP ports, and 16,384 UDP ports
C
Chris is experiencing issues with the quality of network service on his organization's network. The primary symptom is that packets are becoming corrupted as they travel from their source to their destination. What term describes the issue Chris is facing? A. Latency B. Jitter C. Interference D. Packet loss
C
Colleen is conducting a software test that is evaluating code for both security flaws and usability issues. She is working with the application from an end-user perspective and referencing the source code as she works her way through the product. What type of testing is Colleen conducting? A. White box B. Blue box C. Gray box D. Black box
C
Darcy is an information security risk analyst for Roscommon Agricultural Products. She is currently trying to decide whether the company should purchase an upgraded fire suppression system for their primary data center. The data center facility has a replacement cost of $2 million. After consulting with actuaries, data center managers, and fire subject matter experts, Darcy determined that a typical fire would likely require the replacement of all equipment inside the building but not cause significant structural damage. Together, they estimated that recovering from the fire would cost $750,000. They also determined that the company can expect a fire of this magnitude once every 50 years. Based on the information in this scenario, what is the annualized rate of occurrence for a fire at the Roscommon Agricultural Products data center? A. 0.002 B. 0.005 C. 0.02 D. 0.05
C
Data relating to the past, present, or future payment for the provision of healthcare to an individual is what type of data per HIPAA? A. PCI B. Personal billing data C. PHI D. Personally identifiable information (PII)
C
During which phase of the incident response process would administrators design new security controls intended to prevent a recurrence of the incident? A. Reporting B. Recovery C. Remediation D. Lessons Learned
C
Ed's Windows system can't connect to the network and ipconfig shows the following: What has occurred on the system? A. The system has been assigned an invalid IP address by its DHCP server. B. The system has a manually assigned IP address. C. The system has failed to get a DHCP address and has assigned itself an address. D. The subnet mask is set incorrectly and the system cannot communicate with the gateway.
C
Elaine is developing a business continuity plan for her organization. What value should she seek to minimize? A. AV B. SSL C. RTO D. MTO
C
Fred needs to transfer files between two servers on an untrusted network. Since he knows the network isn't trusted, he needs to select an encrypted protocol that can ensure that his data remains secure. What protocol should he choose? A. SSH B. TCP C. SFTP D. IPsec
C
Fred's organization needs to use a non-IP protocol on their VPN. Which of the common VPN protocols should he select to natively handle non-IP protocols? A. PPTP B. L2F C. L2TP D. IPsec
C
Gabe is concerned about the security of passwords used as a cornerstone of his organization's information security program. Which one of the following controls would provide the greatest improvement in Gabe's ability to authenticate users? A. More complex passwords B. User education against social engineering C. Multifactor authentication D. Addition of security questions based on personal knowledge
C
Gordon is developing a business continuity plan for a manufacturing company's IT operations. The company is located in North Dakota and currently evaluating the risk of earthquake. They choose to pursue a risk acceptance strategy. Which one of the following actions is consistent with that strategy? A. Purchasing earthquake insurance B. Relocating the data center to a safer area C. Documenting the decision-making process D. Reengineering the facility to withstand the shock of an earthquake
C
Gwen comes across an application that is running under a service account on a web server. The service account has full administrative rights to the server. What principle of information security does this violate? A. Need to know B. Separation of duties C. Least privilege D. Job rotation
C
Harry is concerned that accountants within his organization will use data diddling attacks to cover up fraudulent activity in accounts that they normally access. Which one of the following controls would best defend against this type of attack? A. Encryption B. Access controls C. Integrity verification D. Firewalls
C
How many possible keys exist when using a cryptographic algorithm that has an 8-bit binary encryption key? A. 16 B. 128 C. 256 D. 512
C
IP addresses like 10.10.10.10 and 172.19.24.21 are both examples of what type of IP address? A. Public IP addresses B. Prohibited IP addresses C. Private IP addresses D. Class B IP ranges
C
If the client has already authenticated to the KDC, what does the client workstation send to the KDC at point A when it wants to access a resource? A. It re-sends the password. B. A TGR C. Its TGT D. A service ticket
C
In what model of cloud computing do two or more organizations collaborate to build a shared cloud computing environment that is for their own use? A. Public cloud B. Private cloud C. Community cloud D. Shared cloud
C
Jack's organization is a multinational nonprofit that has small offices in many developing countries throughout the world. They need to implement an access control system that allows flexibility and that can work despite poor Internet connectivity at their locations. What is the best type of access control design for Jack's organization? A. Centralized access control B. Mandatory access control C. Decentralized access control D. Rule-based access control
C
Jasper Diamonds is a jewelry manufacturer that markets and sells custom jewelry through their website. Bethany is the manager of Jasper's software development organization, and she is working to bring the company into line with industry standard practices. She is developing a new change management process for the organization and wishes to follow commonly accepted approaches. Bethany is working with her colleagues to conduct user acceptance testing. What change management process includes this task? A. Configuration control B. Change control C. Release control D. Request control
C
Susan is setting up the network for a local coffee house and wants to ensure that users have to authenticate using an email address and agree to the coffee house's acceptable use policy before being allowed on the network. What technology should she use to do this? A. 802.11 B. NAC C. A captive portal D. A wireless gateway
C
Jim wants to allow a partner organization's Active Directory forest (B) to access his domain forest (A)'s resources but doesn't want to allow users in his domain to access B's resources. He also does not want the trust to flow upward through the domain tree as it is formed. What should he do? A. Set up a two-way transitive trust. B. Set up a one-way transitive trust. C. Set up a one-way nontransitive trust. D. Set up a two-way nontransitive trust.
C
Kay is selecting an application management approach for her organization. Employees need the flexibility to install software on their systems, but Kay wants to prevent them from installing certain prohibited packages. What type of approach should she use? A. Antivirus B. Whitelist C. Blacklist D. Heuristic
C
Matthew and Richard are friends located in different physical locations who would like to begin communicating with each other using cryptography to protect the confidentiality of their communications. They exchange digital certificates to begin this process and plan to use an asymmetric encryption algorithm for the secure exchange of email messages. When Matthew sends Richard a message, what key should he use to encrypt the message? A. Matthew's public key B. Matthew's private key C. Richard's public key D. Richard's private key
C
Mike and Renee would like to use an asymmetric cryptosystem to communicate with each other. They are located in different parts of the country but have exchanged encryption keys by using digital certificates signed by a mutually trusted certificate authority. When Mike receives Renee's digital certificate, what key does he use to verify the authenticity of the certificate? A. Renee's public key B. Renee's private key C. CA's public key D. CA's private key
C
Mike has a flash memory card that he would like to reuse. The card contains sensitive information. What technique can he use to securely remove data from the card and allow its reuse? A. Degaussing B. Physical destruction C. Overwriting D. Reformatting
C
Mike wants to ensure that third-party users of his service's API can be tracked to prevent abuse of the API. What should he implement to help with this? A. Session IDs B. An API firewall C. API keys D. An API buffer
C
Monica is developing a software application that calculates an individual's body mass index for use in medical planning. She would like to include a control on the field where the physician enters an individual's weight to ensure that the weight falls within an expected range. What type of control should Monica use? A. Fail open B. Fail secure C. Limit check D. Buffer bounds
C
RIP, OSPF, and BGP are all examples of protocols associated with what type of network device? A. Switches B. Bridges C. Routers D. Gateways
C
Referring to the figure shown here, what is the name of the security control indicated by the arrow? A. Mantrap B. Intrusion prevention system C. Turnstile D. Portal
C
Sally is using IPsec's ESP component in transport mode. What important information should she be aware of about transport mode? A. Transport mode provides full encryption of the entire IP packet. B. Transport mode adds a new, unencrypted header to ensure that packets reach their destination. C. Transport mode does not encrypt the header of the packet. D. Transport mode provides no encryption; only tunnel mode provides encryption.
C
Sally wants to secure her organization's VoIP systems. Which of the following attacks is one that she shouldn't have to worry about? A. Eavesdropping B. Denial of service C. Blackboxing D. Caller ID spoofing
C
Sally's organization needs to be able to prove that certain staff members sent emails, and she wants to adopt a technology that will provide that capability without changing their existing email system. What is the technical term for the capability Sally needs to implement as the owner of the email system, and what tool could she use to do it? A. Integrity; IMAP B. Repudiation; encryption C. Nonrepudiation; digital signatures D. Authentication; DKIM
C
Scott's organization has configured their external IP address to be 192.168.1.25. When traffic is sent to their ISP, it never reaches its destination. What problem is Scott's organization encountering? A. BGP is not set up properly. B. They have not registered their IP with their ISP. C. The IP address is a private, nonroutable address. D. 192.168.1.25 is a reserved address for home routers.
C
Susan has discovered that the smart card-based locks used to keep the facility she works at secure are not effective because staff members are propping the doors open. She places signs on the doors reminding staff that leaving the door open creates a security issue, and she adds alarms that will sound if the doors are left open for more than five minutes. What type of controls has she put into place? A. Physical B. Administrative C. Compensation D. Recovery
C
Susan is concerned about the FAR associated with her biometric technology. What is the best method to deal with the FAR? A. Adjust the CER. B. Change the sensitivity of the system to lower the FRR. C. Add a second factor. D. Replace the biometric system.
C
Susan is preparing to decommission her organization's archival DVD-ROMs that contain Top Secret data. How should she ensure that the data cannot be exposed? A. Degauss B. Zero wipe C. Pulverize D. Secure erase
C
Susan wants to ensure that the audit report that her organization requested includes input from an external auditor. What type of report should she request? A. SOC 2, Type 1 B. SOC 3, Type 1 C. SOC 2, Type 2 D. SOC 3, Type 2
C
Susan wants to integrate her website to allow users to use accounts from sites like Google. What technology should she adopt? A. Kerberos B. LDAP C. OpenID D. SESAME
C
Susan wants to monitor traffic between systems in a VMware environment. What solution would be her best option to monitor that traffic? A. Use a traditional hardware-based IPS. B. Install Wireshark on each virtual system. C. Set up a virtual span port and capture data using a VM IDS. D. Use netcat to capture all traffic sent between VMs.
C
Tamara recently decided to purchase cyber-liability insurance to cover her company's costs in the event of a data breach. What risk management strategy is she pursuing? A. Risk acceptance B. Risk mitigation C. Risk transference D. Risk avoidance
C
The separation of network infrastructure from the control layer, combined with the ability to centrally program a network design in a vendor-neutral, standards-based implementation, is an example of what important concept? A. MPLS, a way to replace long network addresses with shorter labels and support a wide range of protocols B. FCoE, a converged protocol that allows common applications over Ethernet C. SDN, a converged protocol that allows network virtualization D. CDN, a converged protocol that makes common network designs accessible
C
What is the best way to ensure email confidentiality in motion? A. Use TLS between the client and server. B. Use SSL between the client and server. C. Encrypt the email content. D. Use a digital signature.
C
What is the best way to ensure that data is unrecoverable from a SSD? A. Use the built-in erase commands B. Use a random pattern wipe of 1s and 0s C. Physically destroy the drive D. Degauss the drive
C
What process is typically used to ensure data security for workstations that are being removed from service but that will be resold or otherwise reused? A. Destruction B. Erasing C. Sanitization D. Clearing
C
What protocol takes the place of certificate revocation lists and adds real-time status verification? A. RTCP B. RTVP C. OCSP D. CSRTP
C
What system or systems does the service that is being accessed use to validate the ticket? A. The KDC B. The client workstation and the KDC C. The client workstation supplies it in the form of a client-to-server ticket and an authenticator. D. The KVS
C
What two important factors does accountability for access control rely on? A. Identification and authorization B. Authentication and authorization C. Identification and authentication D. Accountability and authentication
C
What two logical network topologies can be physically implemented as a star topology? A. A bus and a mesh. B. A ring and a mesh. C. A bus and a ring. D. It is not possible to implement other topologies as a star.
C
What type of attack would the following precautions help prevent? ■ Requesting proof of identity ■ Requiring callback authorizations on voice-only requests ■ Not changing passwords via voice communications A. DoS attacks B. Worms C. Social engineering D. Shoulder surfing
C
Which ITU-T standard should Alex expect to see in use when he uses his smart card to provide a certificate to an upstream authentication service? A. X.500 B. SPML C. X.509 D. SAML
C
Which group is best suited to evaluate and report on the effectiveness of administrative controls an organization has put in place to a third party? A. Internal auditors B. Penetration testers C. External auditors D. Employees who design, implement, and monitor the controls
C
Which of the following types of controls does NOT describe a mantrap? A. Deterrent B. Preventive C. Compensating D. Physical
C
Which one of the following categories of secure data removal techniques would include degaussing? A. Clear B. Shrink C. Purge D. Destroy
C
Which one of the following disaster recovery test types involves the actual activation of the disaster recovery facility? A. Simulation test B. Tabletop exercise C. Parallel test D. Checklist review
C
Which one of the following goals of physical security environments occurs first in the functional order of controls? A. Delay B. Detection C. Deterrence D. Denial
C
Which one of the following is not an object-oriented programming language? A. C++ B. Java C. Fortran D. C#
C
Which one of the following presents the most complex decoy environment for an attacker to explore during an intrusion attempt? A. Honeypot B. Darknet C. Honeynet D. Pseudo flaw
C
Which one of the following techniques can an attacker use to exploit a TOC/TOU vulnerability? A. File locking B. Exception handling C. Algorithmic complexity D. Concurrency control
C
Which one of the following terms describes a period of momentary high voltage? A. Sag B. Brownout C. Spike D. Surge
C
Which one of the following tools may be used to directly violate the confidentiality of communications on an unencrypted VoIP network? A. Nmap B. Nessus C. Wireshark D. Nikto
C
Which one of the following would be considered an example of infrastructure as a service cloud computing? A. Payroll system managed by a vendor and delivered over the web B. Application platform managed by a vendor that runs customer code C. Servers provisioned by customers on a vendor-managed virtualization platform D. Web-based email service provided by a vendor
C
You are conducting a qualitative risk assessment for your organization. The two important risk elements that should weigh most heavily in your analysis of risk are probability and ________. A. Likelihood B. History C. Impact D. Cost
C
The Meltdown bug announced in early 2018 exposed kernel data to user application space. What two rings are these referred to as for x86 PCs? A. Rings 0 and 1 B. Rings 1 and 2 C. Rings 1 and 3 D. Rings 0 and 3
D
Alan's Wrenches recently developed a new manufacturing process for its product. They plan to use this technology internally and not share it with others. They would like it to remain protected for as long as possible. What type of intellectual property protection is best suited for this situation? A. Patent B. Copyright C. Trademark D. Trade secret
D
Alice wants to send Bob a message with the confidence that Bob will know the message was not altered while in transit. What goal of cryptography is Alice trying to achieve? A. Confidentiality B. Nonrepudiation C. Authentication D. Integrity
D
Application banner information is typically recorded during what penetration testing phase? A. Planning B. Attack C. Reporting D. Discovery
D
Barry recently received a message from Melody that Melody encrypted using symmetric cryptography. What key should Barry use to decrypt the message? A. Barry's public key B. Barry's private key C. Melody's public key D. Shared secret key
D
Colin is reviewing a system that has been assigned the EAL7 evaluation assurance level under the Common Criteria. What is the highest level of assurance that he may have about the system? A. It has been functionally tested. B. It has been methodically tested and checked. C. It has been methodically designed, tested, and reviewed. D. It has been formally verified, designed, and tested.
D
Darcy is an information security risk analyst for Roscommon Agricultural Products. She is currently trying to decide whether the company should purchase an upgraded fire suppression system for their primary data center. The data center facility has a replacement cost of $2 million. After consulting with actuaries, data center managers, and fire subject matter experts, Darcy determined that a typical fire would likely require the replacement of all equipment inside the building but not cause significant structural damage. Together, they estimated that recovering from the fire would cost $750,000. They also determined that the company can expect a fire of this magnitude once every 50 years. Based on the information in this scenario, what is the exposure factor for the effect of a fire on the Roscommon Agricultural Products data center? A. 7.5% B. 15.0% C. 27.5% D. 37.5%
D
During what phase of the electronic discovery process does an organization perform a rough cut of the information gathered to discard irrelevant information? A. Preservation B. Identification C. Collection D. Processing
D
During which phase of the incident response process would an organization determine whether it is required to notify law enforcement officials or other regulators of the incident? A. Detection B. Recovery C. Remediation D. Reporting
D
Ed is building a network that supports IPv6 but needs to connect it to an IPv4 network. What type of device should Ed place between the networks? A. A switch B. A router C. A bridge D. A gateway
D
Fred needs to deploy a network device that can connect his network to other networks while controlling traffic on his network. What type of device is Fred's best choice? A. A switch B. A bridge C. A gateway D. A router
D
Gary would like to examine the text of a criminal law on computer fraud to determine whether it applies to a recent act of hacking against his company. Where should he go to read the text of the law? A. Code of Federal Regulations B. Supreme Court rulings C. Compendium of Laws D. United States Code
D
George is assisting a prosecutor with a case against a hacker who attempted to break into the computer systems at George's company. He provides system logs to the prosecutor for use as evidence, but the prosecutor insists that George testify in court about how he gathered the logs. What rule of evidence requires George's testimony? A. Testimonial evidence rule B. Parol evidence rule C. Best evidence rule D. Hearsay rule
D
Grace is considering the use of new identification cards in her organization that will be used for physical access control. She comes across the sample card shown here and is unsure of the technology it uses. What type of card is this? A. Smart card B. Phase-two card C. Proximity card D. Magnetic stripe card
D
Harold is looking for a software development methodology that will help with a major issue he is seeing in his organization. Currently, developers and operations staff do not work together and are often seen as taking problems and "throwing them over the fence" to the other team. What technology management approach is designed to alleviate this problem? A. ITIL B. Lean C. ITSM D. DevOps
D
In Jen's job as the network administrator for an industrial production facility, she is tasked with ensuring that the network is not susceptible to electromagnetic interference due to the large motors and other devices running on the production floor. What type of network cabling should she choose if this concern is more important than cost and difficulty of installation? A. 10Base2 B. 100BaseT C. 1000BaseT D. Fiber-optic
D
In the image shown here, what does system B send to system A at step 2 of the three-way TCP handshake? A. SYN B. ACK C. FIN/ACK D. SYN/ACK
D
In the ring protection model shown here, what ring contains user programs and applications? A. Ring 0 B. Ring 1 C. Ring 2 D. Ring 3
D
In the ring protection model shown here (figure: Rings 0 through 3), what ring does not run in privileged mode? A. Ring 0 B. Ring 1 C. Ring 2 D. Ring 3
D
In what type of trusted recovery process does the system recover against one or more failure types without administrator intervention while protecting itself against data loss? A. Automated recovery B. Manual recovery C. Function recovery D. Automated recovery without undue data loss
D
James is building a disaster recovery plan for his organization and would like to determine the amount of acceptable data loss after an outage. What variable is James determining? A. SLA B. RTO C. MTD D. RPO
D
Jasper Diamonds is a jewelry manufacturer that markets and sells custom jewelry through their website. Bethany is the manager of Jasper's software development organization, and she is working to bring the company into line with industry standard practices. She is developing a new change management process for the organization and wishes to follow commonly accepted approaches. Bethany would like to put in place controls that provide an organized framework for company employees to suggest new website features that her team will develop. What change management process facilitates this? A. Configuration control B. Change control C. Release control D. Request control
D
Jim has been asked to individually identify devices that users are bringing to work as part of a new BYOD policy. The devices will not be joined to a central management system like Active Directory, but he still needs to uniquely identify the systems. Which of the following options will provide Jim with the best means of reliably identifying each unique device? A. Record the MAC address of each system. B. Require users to fill out a form to register each system. C. Scan each system using a port scanner. D. Use device fingerprinting via a web-based registration system.
D
Jim performs lexical analysis on a program and produces control flow graphs. What type of software testing is he performing? A. Dynamic B. Fuzzing C. Manual D. Static
D
Martha is the information security officer for a small college and is responsible for safeguarding the privacy of student records. What law most directly applies to her situation? A. HIPAA B. HITECH C. COPPA D. FERPA
D
Marty discovers that the access restrictions in his organization allow any user to log into the workstation assigned to any other user, even if they are from completely different departments. This type of access most directly violates which information security principle? A. Separation of duties B. Two-person control C. Need to know D. Least privilege
D
Matt is conducting a penetration test against a Linux server and successfully gained access to an administrative account. He would now like to obtain the password hashes for use in a brute-force attack. Where is he likely to find the hashes, assuming the system is configured to modern security standards? A. /etc/passwd B. /etc/hash C. /etc/secure D. /etc/shadow
D
Matthew and Richard are friends located in different physical locations who would like to begin communicating with each other using cryptography to protect the confidentiality of their communications. They exchange digital certificates to begin this process and plan to use an asymmetric encryption algorithm for the secure exchange of email messages. Matthew would like to enhance the security of his communication by adding a digital signature to the message. What goal of cryptography are digital signatures intended to enforce? A. Secrecy B. Availability C. Confidentiality D. Nonrepudiation
D
Matthew and Richard are friends located in different physical locations who would like to begin communicating with each other using cryptography to protect the confidentiality of their communications. They exchange digital certificates to begin this process and plan to use an asymmetric encryption algorithm for the secure exchange of email messages. When Richard receives the message from Matthew, what key should he use to decrypt the message? A. Matthew's public key B. Matthew's private key C. Richard's public key D. Richard's private key
D
Microsoft's STRIDE threat assessment framework uses six categories for threats: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. If a penetration tester is able to modify audit logs, what STRIDE categories best describe this issue? A. Tampering and information disclosure B. Elevation of privilege and tampering C. Repudiation and denial of service D. Repudiation and tampering
D
Mike and Renee would like to use an asymmetric cryptosystem to communicate with each other. They are located in different parts of the country but have exchanged encryption keys by using digital certificates signed by a mutually trusted certificate authority. When the certificate authority created Renee's digital certificate, what key did it use to digitally sign the completed certificate? A. Renee's public key B. Renee's private key C. CA's public key D. CA's private key
D
NIST Special Publication 800-53, revision 4, describes two measures of assurance. Which measure of developmental assurance is best described as measuring "the rigor, level of detail, and formality of the artifacts produced during the design and development of the hardware, software, and firmware components of information systems (e.g., functional specifications, high-level design, low-level design, source code)"? A. Coverage B. Suitability C. Affirmation D. Depth
D
Susan is configuring her network devices to use syslog. What should she set to ensure that she is notified about issues but does not receive normal operational issue messages? A. The facility code B. The log priority C. The security level D. The severity level
D
Susan's SMTP server does not authenticate senders before accepting and relaying email. What is this security configuration issue known as? A. An email gateway B. An SMTP relay C. An X.400-compliant gateway D. An open relay
D
The company that Fred works for is reviewing the security of their company-issued cell phones. They issue 4G-capable smartphones running Android and iOS and use a mobile device management solution to deploy company software to the phones. The mobile device management software also allows the company to remotely wipe the phones if they are lost. Fred intends to attend a major hacker conference this year. What should he do when connecting to his cellular provider's 4G network while at the conference? A. Continue normal usage. B. Discontinue all usage; towers can be spoofed. C. Only use trusted Wi-Fi networks. D. Connect to his company's encrypted VPN service.
D
The large business that Jack works for has been using noncentralized logging for years. They have recently started to implement centralized logging, however, and as they reviewed logs, they discovered a breach that appeared to have involved a malicious insider. When the breach was discovered and the logs were reviewed, it was discovered that the attacker had purged the logs on the system that they compromised. How can this be prevented in the future? A. Encrypt local logs B. Require administrative access to change logs C. Enable log rotation D. Send logs to a bastion host
D
Tom is conducting a business continuity planning effort for Orange Blossoms, a fruit orchard located in Central Florida. During the assessment process, the committee determined that there is a small risk of snow in the region but that the cost of implementing controls to reduce the impact of that risk is not warranted. They elect to not take any specific action in response to the risk. What risk management strategy is Orange Blossoms pursuing? A. Risk mitigation B. Risk transference C. Risk avoidance D. Risk acceptance
D
What US law mandates the protection of protected health information? A. FERPA B. SAFE Act C. GLBA D. HIPAA
D
What email encryption technique is illustrated in this figure? A. MD5 B. Thunderbird C. S/MIME D. PGP
D
What is the highest level of the military classification scheme? A. Secret B. Confidential C. SBU D. Top Secret
D
What is the minimum interval at which an organization should conduct business continuity plan refresher training for those with specific business continuity roles? A. Weekly B. Monthly C. Semiannually D. Annually
D
What principle of relational databases ensures the permanency of transactions that have successfully completed? A. Atomicity B. Consistency C. Isolation D. Durability
D
What software development life-cycle model is shown in the following illustration? (Figure stages: System Requirements, Software Requirements, Preliminary Design, Detailed Design, Code and Debug, Testing, Operations and Maintenance) A. Spiral B. Agile C. Boehm D. Waterfall
D
What type of log file is shown in this figure? A. Application B. Web server C. System D. Firewall
D
Which of the following is not a code review process? A. Email pass-around B. Over the shoulder C. Pair programming D. IDE forcing
D
Which one of the following activities transforms a zero-day vulnerability into a less dangerous attack vector? A. Discovery of the vulnerability B. Implementation of transport-layer encryption C. Reconfiguration of a firewall D. Release of a security patch
D
Which one of the following background checks is not normally performed during normal pre-hire activities? A. Credit check B. Reference verification C. Criminal records check D. Medical records check
D
Which one of the following backup types does not alter the status of the archive bit on a file? A. Full backup B. Incremental backup C. Partial backup D. Differential backup
D
Which one of the following cryptographic algorithms supports the goal of nonrepudiation? A. Blowfish B. DES C. AES D. RSA
D
Which one of the following is not a valid key length for the Advanced Encryption Standard? A. 128 bits B. 192 bits C. 256 bits D. 384 bits
D
Which one of the following is not one of the canons of the (ISC)2 Code of Ethics? A. Protect society, the common good, necessary public trust and confidence, and the infrastructure. B. Act honorably, honestly, justly, responsibly, and legally. C. Provide diligent and competent service to principals. D. Maintain competent records of all investigations and assessments.
D
Which one of the following statements about the SDLC is correct? A. The SDLC requires the use of an iterative approach to software development. B. The SDLC requires the use of a sequential approach to software development. C. The SDLC does not include training for end users and support staff. D. The waterfall methodology is compatible with the SDLC.
D
Which one of the following technologies provides a function interface that allows developers to directly interact with systems without knowing the implementation details of that system? A. Data dictionary B. Object model C. Source code D. API
D
While investigating a widespread distributed denial of service attack, Matt types in the IP address of one of the attacking systems into his browser and sees the following page. What type of devices is the botnet likely composed of? A. SCADA B. Cloud infrastructure C. Web servers D. IoT
D
Yagis, panel, cantennas, and parabolic antennas are all examples of what type of antenna? A. Omnidirectional B. Rubber duck or base antenna C. Signal boosting D. Directional
D
Which one of the following is not a mode of operation for the Data Encryption Standard? A. CBC B. CFB C. OFB D. AES
D
Ben owns a coffeehouse and wants to provide wireless Internet service for his customers. Ben's network is simple and uses a single consumer-grade wireless router and a cable modem connected via a commercial cable data contract. Ben intends to run an open (unencrypted) wireless network. How should he connect his business devices? A. Run WPA2 on the same SSID. B. Set up a separate SSID using WPA2. C. Run the open network in Enterprise mode. D. Set up a separate wireless network using WEP.
B
Which Kerberos service generates a new ticket and session keys and sends them to the client? A. KDC B. TGT C. AS D. TGS
D
Bert is considering the use of an infrastructure as a service cloud computing partner to provide virtual servers. Which one of the following would be a vendor responsibility in this scenario? A. Maintaining the hypervisor B. Managing operating system security settings C. Maintaining the host firewall D. Configuring server access control
A
Colleen is conducting a business impact assessment for her organization. What metric provides important information about the amount of time that the organization may be without a service before causing irreparable harm? A. MTD B. ALE C. RPO D. RTO
A
Gordon is conducting a risk assessment for his organization and determined the amount of damage that flooding is expected to cause to his facilities each year. What metric has Gordon identified? A. ALE B. ARO C. SLE D. EF
A
Jim is implementing an IDaaS solution for his organization. What type of technology is he putting in place? A. Identity as a service B. Employee ID as a service C. Intrusion detection as a service D. OAuth
A
Lisa wants to integrate with a cloud identity provider that uses OAuth 2.0, and she wants to select an appropriate authentication framework. Which of the following best suits her needs? A. OpenID Connect B. SAML C. RADIUS D. Kerberos
A
While Lauren is monitoring traffic on two ends of a network connection, she sees traffic that is inbound to a public IP address show up inside the production network bound for an internal host that uses an RFC 1918 reserved address. What technology should she expect is in use at the network border? A. NAT B. VLANs C. S/NAT D. BGP
A
Ben owns a coffeehouse and wants to provide wireless Internet service for his customers. Ben's network is simple and uses a single consumer-grade wireless router and a cable modem connected via a commercial cable data contract. How can Ben provide access control for his customers without having to provision user IDs before they connect while also gathering useful contact information for his business purposes? A. WPA2 PSK B. A captive portal C. Require customers to use a publicly posted password like "BensCoffee." D. Port security
B
Dave is responsible for password security in his organization and would like to strengthen the security of password files. He would like to defend his organization against the use of rainbow tables. Which one of the following techniques is specifically designed to frustrate the use of rainbow tables? A. Password expiration policies B. Salting C. User education D. Password complexity policies
B
Kim is the system administrator for a small business network that is experiencing security problems. She is in the office in the evening working on the problem, and nobody else is there. As she is watching, she can see that systems on the other side of the office that were previously behaving normally are now exhibiting signs of infection. What type of malware is Kim likely dealing with? A. Virus B. Worm C. Trojan horse D. Logic bomb
B
Matthew is experiencing issues with the quality of network service on his organization's network. The primary symptom is that packets are occasionally taking too long to travel from their source to their destination. The length of this delay changes for individual packets. What term describes the issue Matthew is facing? A. Latency B. Jitter C. Packet loss D. Interference
B
The EU-U.S. Privacy Shield Framework relies on seven principles. Which of the following correctly lists all seven? A. Awareness, selection, control, security, data integrity, access, recourse and enforcement B. Notice, choice, accountability for onward transfer, security, data integrity and purpose limitation, access, recourse and enforcement C. Privacy, security, control, notification, data integrity and purpose, access, enforcement D. Submission, editing, updates, confidential, integrity, security, access
B
When Ben records data and then replays it against his test website to verify how it performs based on a real production workload, what type of performance monitoring is he undertaking? A. Passive B. Proactive C. Reactive D. Replay
B
Which one of the following is not a principle of the Agile approach to software development? A. The best architecture, requirements, and designs emerge from self-organizing teams. B. Deliver working software infrequently, with an emphasis on creating accurate code over longer timelines. C. Welcome changing requirements, even late in the development process. D. Simplicity is essential.
B
Which one of the following technologies is NOT normally a capability of mobile device management (MDM) solutions? A. Remotely wiping the contents of a mobile device B. Assuming control of a nonregistered BYOD mobile device C. Enforcing the use of device encryption D. Managing device backups
B
Tom is tuning his security monitoring tools in an attempt to reduce the number of alerts received by administrators without missing important security events. He decides to configure the system to only report failed login attempts if there are five failed attempts to access the same account within a one-hour period of time. What term best describes the technique that Tom is using? A. Thresholding B. Sampling C. Account lockout D. Clipping
D
What principle states that an individual should make every effort to complete his or her responsibilities in an accurate and timely manner? A. Least privilege B. Separation of duties C. Due care D. Due diligence
D
What problem drives the recommendation to physically destroy SSD drives to prevent data leaks when they are retired? A. Degaussing only partially wipes the data on SSDs. B. SSDs don't have data remanence. C. SSDs are unable to perform a zero fill. D. The built-in erase commands are not completely effective on some SSDs.
D
Which one of the following is not a function of a forensic disk controller? A. Preventing the modification of data on a storage device B. Returning data requested from the device C. Reporting errors sent by the device to the forensic host D. Blocking read commands sent to the device
D
Adam is processing an access request for an end user. What two items should he verify before granting the access? A. Separation and need to know B. Clearance and endorsement C. Clearance and need to know D. Second factor and clearance
C
NIST SP800-53 discusses a set of security controls as what type of security tool? A. A configuration list B. A threat management strategy C. A baseline D. The CIS standard
C
Owen recently designed a security access control structure that prevents a single user from simultaneously holding the role required to create a new vendor and the role required to issue a check. What principle is Owen enforcing? A. Two-person control B. Least privilege C. Separation of duties D. Job rotation
C
Sean suspects that an individual in his company is smuggling out secret information despite his company's careful use of data loss prevention systems. He discovers that the suspect is posting photos, including the one shown here, to public Internet message boards. What type of technique may the individuals be using to hide messages inside this image? A. Watermarking B. VPN C. Steganography D. Covert timing channel
C
Susan sets up a firewall that keeps track of the status of the communication between two systems and allows a remote system to respond to a local system after the local system starts communication. What type of firewall is Susan using? A. A static packet filtering firewall B. An application-level gateway firewall C. A stateful packet inspection firewall D. A circuit-level gateway firewall
C
What business process typically requires sign-off from a manager before modifications are made to a system? A. SDN B. Release management C. Change management D. Versioning
C
What group is eligible to receive safe harbor protection under the terms of the Digital Millennium Copyright Act (DMCA)? A. Music producers B. Book publishers C. Internet service providers D. Banks
C
What is the process that occurs when the Session layer removes the header from data sent by the Transport layer? A. Encapsulation B. Packet unwrapping C. De-encapsulation D. Payloading
C
What level of RAID is also called disk striping with parity? A. RAID 0 B. RAID 1 C. RAID 5 D. RAID 10
C
What markup language uses the concepts of a Requesting Authority, a Provisioning Service Point, and a Provisioning Service Target to handle its core functionality? A. SAML B. SAMPL C. SPML D. XACML
C
What penetration testing technique can best help assess training and awareness issues? A. Port scanning B. Discovery C. Social engineering D. Vulnerability scanning
C
An attack that changes a symlink on a Linux system between the time that an account's rights to the file are verified and the file is accessed is an example of what type of attack? A. Unlinking B. Tick/tock C. setuid D. TOCTOU
D
What term best describes an attack that relies on stolen or falsified authentication credentials to bypass an authentication mechanism? A. Spoofing B. Replay C. Masquerading D. Modification
C
What type of fuzzing is known as intelligent fuzzing? A. Zzuf B. Mutation C. Generational D. Code based
C
What type of motion detector uses high microwave frequency signal transmissions to identify potential intruders? A. Infrared B. Heat-based C. Wave pattern D. Capacitance
C
Gina recently took the CISSP certification exam and then wrote a blog post that included the text of many of the exam questions that she experienced. What aspect of the (ISC)² code of ethics is most directly violated in this situation? A. Advance and protect the profession. B. Act honorably, honestly, justly, responsibly, and legally. C. Protect society, the common good, necessary public trust and confidence, and the infrastructure. D. Provide diligent and competent service to principals.
A
An authentication factor that is "something you have," and that typically includes a microprocessor and one or more certificates, is what type of authenticator? A. A smart card B. A token C. A Type I validator D. A Type III authenticator
A
Frank is the security administrator for a web server that provides news and information to people located around the world. His server received an unusually high volume of traffic that it could not handle and was forced to reject requests. Frank traced the source of the traffic back to a botnet. What type of attack took place? A. Denial of service B. Reconnaissance C. Compromise D. Malicious insider
A
GAD Systems is concerned about the risk of hackers stealing sensitive information stored on a file server. They choose to pursue a risk mitigation strategy. Which one of the following actions would support that strategy? A. Encrypting the files B. Deleting the files C. Purchasing cyber-liability insurance D. Taking no action
A
Roger is concerned that a third-party firm hired to develop code for an internal application will embed a backdoor in the code. The developer retains rights to the intellectual property and will only deliver the software in its final form. Which one of the following languages would be least susceptible to this type of attack because it would provide Roger with code that is human-readable in its final form? A. JavaScript B. C C. C++ D. Java
A
Bill implemented RAID level 5 on a server that he operates using a total of three disks. How many disks may fail without the loss of data? A. 0 B. 1 C. 2 D. 3
B
During a log review, Danielle discovers a series of logs that show login failures: Jan 31 11:39:12 ip-10-0-0-2 sshd[29092]: Invalid user admin from remotehost passwd=aaaaaaaa Jan 31 11:39:20 ip-10-0-0-2 sshd[29098]: Invalid user admin from remotehost passwd=aaaaaaab Jan 31 11:39:23 ip-10-0-0-2 sshd[29100]: Invalid user admin from remotehost passwd=aaaaaaac Jan 31 11:39:31 ip-10-0-0-2 sshd[29106]: Invalid user admin from remotehost passwd=aaaaaaad Jan 31 20:40:53 ip-10-0-0-254 sshd[30520]: Invalid user admin from remotehost passwd=aaaaaaae What type of attack has Danielle discovered? A. A pass-the-hash attack B. A brute-force attack C. A man-in-the-middle attack D. A dictionary attack
B
During a security audit, Susan discovers that the organization is using hand geometry scanners as the access control mechanism for their secure data center. What recommendation should Susan make about the use of hand geometry scanners? A. They have a high FRR and should be replaced. B. A second factor should be added because they are not a good way to reliably distinguish individuals. C. The hand geometry scanners provide appropriate security for the data center and should be considered for other high-security areas. D. They may create accessibility concerns, and an alternate biometric system should be considered.
B
During what phase of the electronic discovery reference model does an organization ensure that potentially discoverable information is protected against alteration or deletion? A. Identification B. Preservation C. Collection D. Production
B
Ed has been tasked with identifying a service that will provide a low-latency, high-performance, and high-availability way to host content for his employer. What type of solution should he seek out to ensure that his employer's customers around the world can access their content quickly, easily, and reliably? A. A hot site B. A CDN C. Redundant servers D. A P2P CDN
B
Greg is building a disaster recovery plan for his organization and would like to determine the amount of time that it should take to restore a particular IT service after an outage. What variable is Greg calculating? A. MTD B. RTO C. RPO D. SLA
B
Mike is building a fault-tolerant server and wishes to implement RAID 1. How many physical disks are required to build this solution? A. 1 B. 2 C. 3 D. 5
B
Robert is reviewing a system that has been assigned the EAL2 evaluation assurance level under the Common Criteria. What is the highest level of assurance that he may have about the system? A. It has been functionally tested. B. It has been structurally tested. C. It has been formally verified, designed, and tested. D. It has been semiformally designed and tested.
B
Sally has been tasked with deploying an authentication, authorization, and accounting server for wireless network services in her organization and needs to avoid using proprietary technology. What technology should she select? A. OAuth B. RADIUS C. XTACACS D. TACACS+
B
Sally is wiring a gigabit Ethernet network. What cabling choices should she make to ensure she can use her network at the full 1000 Mbps she wants to provide to her users? A. Cat 5 and Cat 6 B. Cat 5e and Cat 6 C. Cat 4e and Cat 5e D. Cat 6 and Cat 7
B
What property of a relational database ensures that two executing transactions do not affect each other by storing interim results in the database? A. Atomicity B. Isolation C. Consistency D. Durability
B
What type of testing would validate support for all the web browsers that are supported by a web application? A. Regression testing B. Interface testing C. Fuzzing D. White box testing
B
An accounting clerk for Christopher's Cheesecakes does not have access to the salary information for individual employees but wanted to know the salary of a new hire. He pulled total payroll expenses for the pay period before the new person was hired and then pulled the same expenses for the following pay period. He computed the difference between those two amounts to determine the individual's salary. What type of attack occurred? A. Aggregation B. Data diddling C. Inference D. Social engineering
C
Denise is preparing for a trial relating to a contract dispute between her company and a software vendor. The vendor is claiming that Denise made a verbal agreement that amended their written contract. What rule of evidence should Denise raise in her defense? A. Real evidence rule B. Best evidence rule C. Parol evidence rule D. Testimonial evidence rule
C
Greg would like to implement application control technology in his organization. He would like to limit users to installing only approved software on their systems. What type of application control would be appropriate in this situation? A. Blacklisting B. Graylisting C. Whitelisting D. Bluelisting
C
If Alex hires a new employee and the employee's account is provisioned after HR manually inputs information into the provisioning system based on data Alex provides via a series of forms, what type of provisioning has occurred? A. Discretionary account provisioning B. Workflow-based account provisioning C. Automated account provisioning D. Self-service account provisioning
C
If Ben needs to share identity information with the business partner shown, what should he investigate? A. Single sign-on B. Multifactor authentication C. Federation D. IDaaS
C
If availability of authentication services is the organization's biggest priority, what type of identity platform should Ben recommend? A. Onsite B. Cloud based C. Hybrid D. Outsourced
C
Information about an individual like their name, Social Security number, date and place of birth, or their mother's maiden name is an example of what type of protected information? A. PHI B. Proprietary data C. PII D. EDI
C
When Alex changes roles, what should occur? A. He should be de-provisioned and a new account should be created. B. He should have his new rights added to his existing account. C. He should be provisioned for only the rights that match his role. D. He should have his rights set to match those of the person he is replacing.
C
When a user attempts to log into their online account, Google sends a text message with a code to their cell phone. What type of verification is this? A. Knowledge-based authentication B. Dynamic knowledge-based authentication C. Out-of-band identity proofing D. Risk-based identity proofing
C
When evaluating biometric devices, what is another term used to describe the equal error rate? A. FAR B. FRR C. CER D. ERR
C
Which of the following sequences properly describes the TCP three-way handshake? A. SYN, ACK, SYN/ACK B. PSH, RST, ACK C. SYN, SYN/ACK, ACK D. SYN, RST, FIN
C
Which of the following tools is best suited to testing known exploits against a system? A. Nikto B. Ettercap C. Metasploit D. THC Hydra
C
Which one of the following is a single system designed to attract attackers because it seemingly contains sensitive information or other attractive resources? A. Honeynet B. Darknet C. Honeypot D. Pseudoflaw
C
Which one of the following types of firewalls does not have the ability to track connection status between different packets? A. Stateful inspection B. Application proxy C. Packet filter D. Next generation
C
Ben owns a coffeehouse and wants to provide wireless Internet service for his customers. Ben's network is simple and uses a single consumer-grade wireless router and a cable modem connected via a commercial cable data contract. After implementing the solution from the first question, Ben receives a complaint about users in his cafe hijacking other customers' web traffic, including using their usernames and passwords. How is this possible? A. The password is shared by all users, making traffic vulnerable. B. A malicious user has installed a Trojan on the router. C. A user has ARP spoofed the router, making all traffic broadcast to all users. D. Open networks are unencrypted, making traffic easily sniffable.
D
Communication systems that rely on start and stop flags or bits to manage data transmission are known as what type of communication? A. Analog B. Digital C. Synchronous D. Asynchronous
D
Data is sent as bits at what layer of the OSI model? A. Transport B. Network C. Data Link D. Physical
D
Harry would like to access a document owned by Sally stored on a file server. Applying the subject/object model to this scenario, who or what is the object of the resource request? A. Harry B. Sally C. File server D. Document
D
How many possible keys exist in a cryptographic algorithm that uses 6-bit encryption keys? A. 12 B. 16 C. 32 D. 64
D
Jesse is looking at the /etc/passwd file on a system configured to use shadowed passwords. What should she expect to see in the password field of this file? A. Plaintext passwords B. Encrypted passwords C. Hashed passwords D. x
D
Nessus, OpenVAS, and SAINT are all examples of what type of tool? A. Port scanners B. Patch management suites C. Port mappers D. Vulnerability scanners
D
Robert is the network administrator for a small business and recently installed a new firewall. After seeing signs of unusually heavy network traffic, he checked his intrusion detection system, which reported that a smurf attack was under way. What firewall configuration change can Robert make to most effectively prevent this attack? A. Block the source IP address of the attack. B. Block inbound UDP traffic. C. Block the destination IP address of the attack. D. Block inbound ICMP traffic.
D
What does a constrained user interface do? A. It prevents unauthorized users from logging in. B. It limits the data visible in an interface based on the content. C. It limits the access a user is provided based on what activity they are performing. D. It limits what users can do or see based on privileges.
D