CISSP Official ISC2 practice tests (All domains)


12. Which one of the following testing methodologies typically works without access to source code? A. Dynamic testing B. Static testing C. White box testing D. Code review

A. Dynamic testing of software typically occurs in a black box environment where the tester does not have access to the source code. Static testing, white box testing, and code review approaches all require access to the source code of the application.

26. Which one of the following is normally used as an authorization tool? A. ACL B. Token C. Username D. Password

A. Access control lists are used for determining a user's authorization level. Usernames are identification tools. Passwords and tokens are authentication tools.

19. Darcy is designing a fault tolerant system and wants to implement RAID-5 for her system. What is the minimum number of physical hard disks she can use to build this system? A. One B. Two C. Three D. Five

C. RAID level 5, disk striping with parity, requires a minimum of three physical hard disks to operate.

19. Alice would also like to digitally sign the message that she sends to Bob. What key should she use to create the digital signature? A. Alice's public key B. Alice's private key C. Bob's public key D. Bob's private key

B. Alice creates the digital signature using her own private key. Then Bob, or any other user, can verify the digital signature using Alice's public key.

93. Which one of the following security programs is designed to provide employees with the knowledge they need to perform their specific work tasks? A. Awareness B. Training C. Education D. Indoctrination

B. Security training is designed to provide employees with the specific knowledge they need to fulfill their job functions. It is usually designed for individuals with similar job functions.

69. NIST SP 800-60 provides a process shown in the following diagram to assess information systems. What process does this diagram show (INPUTS & OUTPUTS with 4 PROCESSES in the middle)? A. Selecting a standard and implementing it B. Categorizing and selecting controls C. Baselining and selecting controls D. Categorizing and sanitizing

B. In the NIST SP 800-60 diagram, the process determines appropriate categorization levels resulting in security categorization and then uses that as an input to determine controls. Standard selection would occur at an organizational level, while baselining occurs when systems are configured to meet a baseline. Sanitization would require the intentional removal of data from machines or media.

33. Angela wants to test a web browser's handling of unexpected data using an automated tool. What tool should she choose? A. Nmap B. zzuf C. Nessus D. Nikto

B. zzuf is the only fuzzer on the list, and zzuf is specifically designed to work with tools like web browsers, image viewers, and similar software by modifying the network and file input fed to the application. Nmap is a port scanner, Nessus is a vulnerability scanner, and Nikto is a web server scanner.

54. Which information security goal is impacted when an organisation experiences a DoS or DDoS attack? A. Confidentiality B. Integrity C. Availability D. Denial

C. Denial of service (DoS) and distributed denial of service (DDoS) attacks try to disrupt the availability of information systems and networks by flooding a victim with traffic or otherwise disrupting service.

25. When should a design review take place when following an SDLC approach to software development? A. After the code review B. After user acceptance testing C. After the development of functional requirements D. After the completion of unit testing

C. Design reviews should take place after the development of functional and control specifications but before the creation of code. The code review, unit testing, and functional testing all take place after the creation of code and, therefore, after the design review.

93. What topology correctly describes Ethernet? A. A ring B. A star C. A mesh D. A bus

D. Ethernet uses a bus topology. While devices may be physically connected to a switch in a physical topology that looks like a star, systems using Ethernet can all transmit on the bus simultaneously, possibly leading to collisions.

98. A new law is passed that would result in significant financial harm to your company if the data that it covers was stolen or inadvertently released. What should your organization do about this? A. Select a new security baseline. B. Relabel the data. C. Encrypt all of the data at rest and in transit. D. Review its data classifications and classify the data appropriately.

D. When the value of data changes due to legal, compliance, or business reasons, reviewing classifications and reclassifying the data is an appropriate response. Once the review is complete, data can be reclassified and handled according to its classification level. Simply relabeling the data avoids the classification process and may not result in the data being handled appropriately. Similarly, selecting a new baseline or simply encrypting the data may not handle all of the needs that the changes affecting the data create.

30. John's network begins to experience symptoms of slowness. Upon investigation, he realises that the network is being bombarded with ICMP ECHO REPLY packets and believes that his organisation is the victim of a Smurf attack. What principle of information security is being violated? A. Availability B. Integrity C. Confidentiality D. Denial

A. A Smurf attack is an example of a denial of service attack, which jeopardizes the availability of a targeted network.

69. Becka recently signed a contract with an alternate data processing facility that will provide her company with space in the event of a disaster. The facility includes HVAC, power, and communications circuits but no hardware. What type of facility is Becka using? A. Cold site B. Warm site C. Hot site D. Mobile site

A. A cold site includes the basic capabilities required for data center operations: space, power, HVAC, and communications, but it does not include any of the hardware required to restore operations.

87. In Transport Layer Security, what type of key is used to encrypt the actual content of communications between a web server and a client? A. Ephemeral session key B. Client's public key C. Server's public key D. Server's private key

A. In TLS, both the server and the client first communicate using an ephemeral symmetric session key. They exchange this key using asymmetric cryptography, but all encrypted content is protected using symmetric cryptography.

44. Which one of the following terms is not used to describe a privileged mode of system operation? A. User mode B. Kernel mode C. Supervisory mode D. System mode

A. Kernel mode, supervisory mode, and system mode are all terms used to describe privileged modes of system operation. User mode is an unprivileged mode.

15. Which one of the following control categories does not accurately describe a fence around a facility? A. Physical B. Detective C. Deterrent D. Preventive

B. A fence does not have the ability to detect intrusions. It does, however, have the ability to prevent and deter an intrusion. Fences are an example of a physical control.

66. Who is the ideal person to approve an organisation's business continuity plan? A. Chief information officer B. Chief executive officer C. Chief information security officer D. Chief operating officer

B. Although the CEO will not normally serve on a BCP team, it is best to obtain top-level management approval for your plan to increase the likelihood of successful adoption.

82. Tom is planning to terminate an employee this afternoon for fraud and expects that the meeting will be somewhat hostile. He is coordinating the meeting with Human Resources and wants to protect the company against damage. Which one of the following steps is most important to coordinate in time with the termination meeting? A. Informing other employees of the termination B. Retrieval of photo ID C. Calculation of final paycheck D. Revocation of electronic access rights

D. Electronic access to company resources must be carefully coordinated. An employee who retains access after being terminated may use that access to take retaliatory action. On the other hand, if access is terminated too early, the employee may figure out that he or she is about to be terminated.

8. Which one of the following provides an authentication mechanism that would be appropriate for pairing with a password to achieve multifactor authentication? A. Username B. PIN C. Security question D. Fingerprint scan

D. A fingerprint scan is an example of a "something you are" factor, which would be appropriate for pairing with a "something you know" password to achieve multifactor authentication. A username is not an authentication factor. PINs and security questions are both "something you know," which would not achieve multifactor authentication when paired with a password because both methods would come from the same category, failing the requirement for multifactor authentication.

67. Neal is working with a DynamoDB database. The database is not structured like a relational database but allows Neal to store data using a key-value store. What type of database is DynamoDB? A. Relational database B. Graph database C. Hierarchical database D. NoSQL database

D. A key-value store is an example of a NoSQL database that does not follow a relational or hierarchical model like traditional databases. A graph database is another example of a NoSQL database, but it uses nodes and edges to store data rather than keys and values.

46. What does using unique user IDs for all users provide when reviewing logs? A. Confidentiality B. Integrity C. Availability D. Accountability

D. Unique user IDs provide accountability when paired with auditable logs to prove that a specific user took any given action. Confidentiality, availability, and integrity can be provided through other means like encryption, systems design, and digital signatures.

92. Which one of the following is the first step in developing an organisation's vital records program? A. Identifying vital records B. Locating vital records C. Archiving vital records D. Preserving vital records

A. An organisation pursuing a vital records management program should begin by identifying all of the documentation that qualifies as a vital business record. This should include all of the records necessary to restart the business in a new location should the organisation invoke its business continuity plan.

92. Which component of the database ACID model ensures that database transactions are an "all or nothing" affair? A. Atomicity B. Consistency C. Isolation D. Durability

A. Atomicity ensures that database transactions either execute completely or not at all. Consistency ensures that all transactions must begin operating in an environment that is consistent with all of the database's rules. The isolation principle requires that transactions operate separately from each other. Durability ensures that database transactions, once committed, are permanent.

31. Vivian would like to hire a software tester to come in and evaluate a new web application from a user's perspective. Which of the following tests best simulates that perspective? A. Black box B. Gray box C. Blue box D. White box

A. Black box testing begins with no prior knowledge of the system implementation, simulating a user perspective. White box and gray box testing provide full and partial knowledge of the system, respectively, in advance of the test. Blue boxes are a phone hacking tool and are not used in software testing.

51. Which one of the following is not normally included in business continuity plan documentation? A. Statement of accounts B. Statement of importance C. Statement of priorities D. Statement of organizational responsibility

A. Business continuity plan documentation normally includes the continuity planning goals, a statement of importance, statement of priorities, statement of organisational responsibility, statement of urgency and timing, risk assessment and risk acceptance and mitigation documentation, a vital records program, emergency response guidelines, and documentation for maintaining and testing the plan.

84. Helen is the owner of a website that provides information for middle and high school students preparing for exams. She is concerned that the activities of her site may fall under the jurisdiction of the Children's Online Privacy Protection Act (COPPA). What is the cutoff age below which parents must give consent in advance of the collection of personal information from their children under COPPA? A. 13 B. 15 C. 17 D. 18

A. COPPA requires that websites obtain advance parental consent for the collection of personal information from children under the age of 13.

94. Mal is eavesdropping on the unencrypted communication between the user of a website and the web server. She manages to intercept the cookies from a request header. What type of attack can she perform with these cookies? A. Session hijacking B. Cross-site scripting C. Cross-site request forgery D. SQL injection

A. Cookies are used to maintain authenticated sessions, even when IP addresses change. Therefore, Mal can use the stolen cookies to conduct a session hijacking attack, taking over an authorized user's session with the website, potentially without the knowledge of the legitimate user.

Juniper Content is a web content development company with 40 employees located in two offices: one in New York and a smaller office in the San Francisco Bay Area. Each office has a local area network protected by a perimeter firewall. The LAN contains modern switch equipment connected to both wired and wireless networks. Each office has its own file server, and the IT team runs software every hour to synchronise files between the two servers, distributing content between the offices. These servers are primarily used to store images and other files related to web content developed by the company. The team also uses a SaaS-based email and document collaboration solution for much of their work. You are the newly appointed IT manager for Juniper Content and you are working to augment existing security controls to improve the organization's security.

49. There are historical records stored on the server that are extremely important to the business and should never be modified. You would like to add an integrity control that allows you to verify on a periodic basis that the files were not modified. What control can you add? A. Hashing B. ACLs C. Read-only attributes D. Firewalls

A. Hashing allows you to computationally verify that a file has not been modified between hash evaluations. ACLs and read-only attributes are useful controls that may help you prevent unauthorized modification, but they cannot verify that files were not modified. Firewalls are network security controls and do not verify file integrity.

62. Tomas discovers a line in his application log that appears to correspond with an attempt to conduct a directory traversal attack. He believes the attack was conducted using URL encoding. The line reads: %252E%252E%252F%252E%252E%252Fetc/passwd What character is represented by the %252E value? A. . B. , C. ; D. /

A. In URL encoding, the . character is replaced by %252E and the / character is replaced by %252F. You can see this in the log entry, where the expected pattern of ../../ is replaced by %252E%252E%252F%252E%252E%252F.

59. Roger is conducting a software test for a tax preparation application developed by his company. End users will access the application over the web, but Roger is conducting his test on the back end, evaluating the source code on the web server. What type of test is Roger conducting? A. White box B. Gray box C. Blue box D. Black box

A. In a white box test, the attacker has access to full implementation details of the system, including source code, prior to beginning the test. In gray box testing, the attacker has partial knowledge. In black box testing, the attacker has no knowledge of the system and tests it from a user perspective. Blue boxes are a phone hacking tool and are not used in software testing.

74. In the diagram shown here, which is an example of a class? A. Account B. Owner C. AddFunds D. None of the above

A. In the diagram, Account is the name of the class. Owner and Balance are attributes of that class. AddFunds and RemoveFunds are methods of the class.

44. Beth is the security administrator for a public school district. She is implementing a new student information system and is testing the code to ensure that students are not able to alter their own grades. What principle of information security is Beth enforcing? A. Integrity B. Availability C. Confidentiality D. Denial

A. Integrity controls, such as the one Beth is implementing in this example, are designed to prevent the unauthorised modification of information.

60. Frank discovers a keylogger hidden on the laptop of his company's chief executive officer. What information security principle is the keylogger most likely designed to disrupt? A. Confidentiality B. Integrity C. Availability D. Denial

A. Keyloggers monitor the keystrokes of an individual and report them back to an attacker. They are designed to steal sensitive information, a disruption of the goal of confidentiality.

22. Which one of the following files is most likely to contain a macro virus? A. projections.doc B. command.com C. command.exe D. loopmaster.exe

A. Macro viruses are most commonly found in office productivity documents, such as Microsoft Word documents that end in the .doc or .docx extension. They are not commonly found in executable files with the .com or .exe extensions.

6. Which one of the following elements of information is not considered personally identifiable information that would trigger most US state data breach laws? A. Student identification number B. Social Security number C. Driver's license number D. Credit card number

A. Most state data breach notification laws are modeled after California's law, which covers Social Security number, driver's license number, state identification card number, credit/debit card numbers, bank account numbers (in conjunction with a PIN or password), medical records, and health insurance information.

21. Keenan Systems recently developed a new manufacturing process for microprocessors. The company wants to license the technology to other companies for use but wishes to prevent unauthorised use of the technology. What type of intellectual property protection is best suited for this situation? A. Patent B. Trade secret C. Copyright D. Trademark

A. Patents and trade secrets can both protect intellectual property related to a manufacturing process. Trade secrets are appropriate only when the details can be tightly controlled within an organisation, so a patent is the appropriate solution in this case.

11. Which one of the following is considered primary storage? A. Memory B. Hard disk C. Flash drive D. DVD

A. Primary storage is a technical term used to refer to the memory that is directly available to the CPU. Nonvolatile storage mechanisms, such as flash drives, DVDs, and hard drives, are classified as secondary storage.

43. Gary is analysing a security incident and, during his investigation, encounters a user who denies having performed an action that Gary believes he did perform. What type of threat has taken place under the STRIDE model? A. Repudiation B. Information disclosure C. Tampering D. Elevation of privilege

A. Repudiation threats allow an attacker to deny having performed an action or activity without the other party being able to prove differently.

61. What is the formula used to determine risk? A. Risk = Threat * Vulnerability B. Risk = Threat / Vulnerability C. Risk = Asset * Threat D. Risk = Asset / Threat

A. Risks exist when there is an intersection of a threat and a vulnerability. This is described using the equation Risk = Threat * Vulnerability.

45. Which one of the following issues is not normally addressed in a service-level agreement (SLA)? A. Confidentiality of customer information B. Failover time C. Uptime D. Maximum consecutive downtime

A. SLAs do not normally address issues of data confidentiality. Those provisions are normally included in a non-disclosure agreement (NDA).

41. What important function do senior managers normally fill on a business continuity planning team? A. Arbitrating disputes about criticality B. Evaluating the legal environment C. Training staff D. Designing failure controls

A. Senior managers play several business continuity planning roles. These include setting priorities, obtaining resources, and arbitrating disputes among team members.

2. An evil twin attack that broadcasts a legitimate SSID for an unauthorised network is an example of what category of threat? A. Spoofing B. Information disclosure C. Repudiation D. Tampering

A. Spoofing attacks use falsified identities. Spoofing attacks may use false IP addresses, email addresses, names, or, in the case of an evil twin attack, SSIDs.

88. Which one of the following principles would not be favored in an Agile approach to software development? A. Processes and tools over individuals and interactions B. Working software over comprehensive documentation C. Customer collaboration over contract negotiations D. Responding to change over following a plan

A. The Agile approach to software development embraces four principles. It values individuals and interactions over processes and tools, working software over comprehensive documentation, customer collaboration over contract negotiation, and responding to change over following a plan.

Robert is a consultant who helps organisations create and develop mature software development practices. He prefers to use the Software Capability Maturity Model (SWCMM) to evaluate the current and future status of organizations using both independent review and self-assessments. He is currently working with two different clients. Acme Widgets is not very well organised with their software development practices. They have a dedicated team of developers who do "whatever it takes" to get software out the door, but they do not have any formal processes. Beta Particles is a company with years of experience developing software using formal, documented software development processes. They use a standard model for software development but do not have a quantitative management of those processes.

19. What phase of the SW-CMM should Robert report as the current status of Beta Particles? A. Defined B. Repeatable C. Optimizing D. Managed

A. The Defined stage of the SW-CMM is marked by the presence of basic life-cycle management processes and reuse of code. It includes the use of requirements management, software project planning, quality assurance, and configuration management practices.

11. Tim's organization recently received a contract to conduct sponsored research as a government contractor. What law now likely applies to the information systems involved in this contract? A. FISMA B. PCI DSS C. HIPAA D. GISRA

A. The Federal Information Security Management Act (FISMA) specifically applies to government contractors. The Government Information Security Reform Act (GISRA) was the precursor to FISMA and expired in November 2002. HIPAA and PCI DSS apply to healthcare and credit card information, respectively.

10. Yolanda is the chief privacy officer for a financial institution and is researching privacy issues related to customer checking accounts. Which one of the following laws is most likely to apply to this situation? A. GLBA B. SOX C. HIPAA D. FERPA

A. The Gramm-Leach-Bliley Act (GLBA) contains provisions regulating the privacy of customer financial information. It applies specifically to financial institutions.

4. FlyAway Travel has offices in both the European Union and the United States and transfers personal information between those offices regularly. Which of the seven requirements for processing personal information states that organizations must inform individuals about how the information they collect is used? A. Notice B. Choice C. Onward Transfer D. Enforcement

A. The Notice principle says that organizations must inform individuals of the information the organization collects about individuals and how the organization will use it. These principles are based upon the Safe Harbor Privacy Principles issued by the US Department of Commerce in 2000 to help US companies comply with EU and Swiss privacy laws when collecting, storing, processing or transmitting data on EU or Swiss citizens.

7. When using the SDLC, which one of these steps should you take before the others? A. Functional requirements determination B. Control specifications development C. Code review D. Design review

A. The SDLC consists of seven phases, in the following order: conceptual definition, functional requirements determination, control specifications development, design review, code review, system test review, and maintenance and change management.

32. What government agency is responsible for the evaluation and registration of trademarks? A. USPTO B. Library of Congress C. TVA D. NIST

A. The United States Patent and Trademark Office (USPTO) bears responsibility for the registration of trademarks.

Henry is the risk manager for Atwood Landing, a resort community in the midwestern United States. The resort's main data centre is located in northern Indiana in an area that is prone to tornados. Henry recently undertook a replacement cost analysis and determined that rebuilding and reconfiguring the data centre would cost $10 million. Henry consulted with tornado experts, data centre specialists, and structural engineers. Together, they determined that a typical tornado would cause approximately $5 million of damage to the facility. The meteorologists determined that Atwood's facility lies in an area where they are likely to experience a tornado once every 200 years.

98. Based upon the information in this scenario, what is the annualised loss expectancy for a tornado at Atwood Landing's data centre? A. $25,000 B. $50,000 C. $250,000 D. $500,000

A. The annualised loss expectancy is calculated by multiplying the single loss expectancy (SLE) by the annualized rate of occurrence (ARO). In this case, the SLE is $5,000,000 and the ARO is 0.005. Multiplying these numbers together gives you the ALE of $25,000.

84. What function can be used to convert a string to a safe value for use in passing from a PHP application to a database? A. bin2hex() B. hex2bin() C. dechex() D. hexdec()

A. The bin2hex() function converts a string to a hexadecimal value that may then be passed to a database safely. The dechex() function performs a similar function but will not work for a string as it only functions on numeric values. The hex2bin() and hexdec() functions work in the reverse manner.

36. Which one of the following individuals is normally responsible for fulfilling the operational data protection responsibilities delegated by senior management, such as validating data integrity, testing backups, and managing security policies? A. Data custodian B. Data owner C. User D. Auditor

A. The data custodian role is assigned to an individual who is responsible for implementing the security controls defined by policy and senior management. The data owner does bear ultimate responsibility for these tasks, but the data owner is typically a senior leader who delegates operational responsibility to a data custodian.

65. Which one of the following components should be included in an organisation's emergency response guidelines? A. List of individuals who should be notified of an emergency incident B. Long-term business continuity protocols C. Activation procedures for the organization's cold sites D. Contact information for ordering equipment

A. The emergency response guidelines should include the immediate steps an organisation should follow in response to an emergency situation. These include immediate response procedures, a list of individuals who should be notified of the emergency, and secondary response procedures for first responders. They do not include long-term actions such as activating business continuity protocols, ordering equipment, or activating DR sites.

62. The graphic (*) shows the NIST risk management framework with step 4 missing. What is the missing step? A. Assess security controls B. Determine control gaps C. Remediate control gaps D. Evaluate user activity

A. The fourth step of the NIST risk management framework is assessing security controls.

28. Mary is helping a computer user who sees the following message appear on his computer screen. What type of attack has occurred? A. Availability B. Confidentiality C. Disclosure D. Distributed

A. The message displayed is an example of ransomware, which encrypts the contents of a user's computer to prevent legitimate use. This is an example of an availability attack.

Linda is reviewing posts to a user forum on her company's website and when she browses a certain post, a message pops up in a dialog box on her screen reading "Alert." She reviews the source code for the post and finds the following code snippet: <script>alert('Alert');</script>

37. What vulnerability definitely exists on Linda's message board? A. Cross-site scripting B. Cross-site request forgery C. SQL injection D. Improper authentication

A. The message forum is clearly susceptible to a cross-site scripting (XSS) attack. The code that Linda discovered in the message is a definitive example of an attempt to conduct cross-site scripting, and the alert box that she received demonstrates that the vulnerability exists. The website may also be vulnerable to cross-site request forgery, SQL injection, improper authentication, and other attacks, but there is no evidence of this provided in the scenario.

79. Which one of the following change management processes is initiated by users rather than developers? A. Request control B. Change control C. Release control D. Design review

A. The request process begins with a user-initiated request for a feature. Change and release control are initiated by developers seeking to implement changes. Design review is a phase of the change approval process initiated by developers when they have a completed design.

81. The Domer Industries risk assessment team recently conducted a qualitative risk assessment and developed a matrix (**). Which quadrant contains the risks that require the most immediate attention? A. I B. II C. III D. IV

A. The risk assessment team should pay the most immediate attention to those risks that appear in quadrant I. These are the risks with a high probability of occurring and a high impact on the organisation if they do occur.

Linda is reviewing posts to a user forum on her company's website and when she browses a certain post, a message pops up in a dialog box on her screen reading "Alert." She reviews the source code for the post and finds the following code snippet: <script>alert('Alert');</script>

38. What was the likely motivation of the user who posted the message on the forum containing this code? A. Reconnaissance B. Theft of sensitive information C. Credential stealing D. Social engineering

A. The script that Linda discovered merely pops up a message on a user's screen and does not perform any more malicious action. This type of script, using an alert() call, is commonly used to probe websites for cross-site scripting vulnerabilities.

30. What are the two types of covert channels that are commonly exploited by attackers seeking to surreptitiously exfiltrate information? A. Timing and storage B. Timing and firewall C. Storage and memory D. Firewall and storage

A. The two major classifications of covert channels are timing and storage. A covert timing channel conveys information by altering the performance of a system component or modifying a resource's timing in a predictable manner. A covert storage channel conveys information by writing data to a common storage area where another process can read it. There is no such thing as a covert firewall channel. Memory is a type of storage, so a memory-based covert channel would fit into the covert storage channel category.

46. Joan is seeking to protect a piece of computer software that she developed under intellectual property law. Which one of the following avenues of protection would not apply to a piece of software? A. Trademark B. Copyright C. Patent D. Trade secret

A. Trademarks protect words and images that represent a product or service and would not protect computer software.

51. Which one of the following is the most effective control against session hijacking attacks? A. TLS B. Complex session cookies C. SSL D. Expiring cookies frequently

A. Transport Layer Security (TLS) provides the most effective defense against session hijacking because it encrypts all traffic between the client and server, preventing the attacker from stealing session credentials. Secure Sockets Layer (SSL) also encrypts traffic, but it is vulnerable to attacks against its encryption technology. Complex and expiring cookies are a good idea, but they are not sufficient protection against session hijacking.

The healthcare company that Lauren works for handles HIPAA data as well as internal business data, protected health information, and day-to-day business communications. Its internal policy uses the following requirements for securing HIPAA data at rest and in transit.
Classification: Handling requirements
Confidential (HIPAA): Encrypt at rest and in transit. Full disk encryption required for all workstations. Files can only be sent in encrypted form, and passwords must be transferred under separate cover. Printed documents must be labeled with "HIPAA handling required."
Private (PHI): Encrypt at rest and in transit. PHI must be stored on secure servers, and copies should not be kept on local workstations. Printed documents must be labeled with "Private."
Sensitive (business confidential): Encryption is recommended but not required.
Public: Information can be sent unencrypted.
39. What technology could Lauren's employer implement to help prevent confidential data from being emailed out of the organization? A. DLP B. IDS C. A firewall D. UDP

A. A data loss prevention (DLP) system or software is designed to identify labeled data or data that fits specific patterns and descriptions to help prevent it from leaving the organization. An IDS is designed to identify intrusions. Although some IDS systems can detect specific types of sensitive data using pattern matching, they have no ability to stop traffic. A firewall uses rules to control traffic routing, while UDP is a network protocol.

6. How can a data retention policy help to reduce liabilities? A. By ensuring that unneeded data isn't retained B. By ensuring that incriminating data is destroyed C. By ensuring that data is securely wiped so it cannot be restored for legal discovery D. By reducing the cost of data storage required by law

A. A data retention policy can help to ensure that outdated data is purged, removing potential additional costs for discovery. Many organizations have aggressive retention policies to both reduce the cost of storage and limit the amount of data that is kept on hand and discoverable. Data retention policies are not designed to destroy incriminating data, and legal requirements for data retention must still be met.

28. Chris is building an Ethernet network and knows that he needs to span a distance of over 150 meters with his 1000Base-T network. What network technology should he use to help with this? A. Install a repeater or a concentrator before 100 meters. B. Use Category 7 cable, which has better shielding for higher speeds. C. Install a gateway to handle the distance. D. Use STP cable to handle the longer distance at high speeds.

A. A repeater or concentrator will amplify the signal, ensuring that the 100-meter distance limitation of 1000Base-T is not an issue. A gateway would be useful if network protocols were changing, while Cat7 cable is appropriate for a 10Gbps network at much shorter distances. STP cable is limited to 155 Mbps and 100 meters, which would leave Chris with network problems.

12. What network topology is shown in the image below (6 workstations 1 server in a ring)? A. A ring B. A bus C. A star D. A mesh

A. A ring connects all systems like points on a circle. A ring topology was used with Token Ring networks, and a token was passed between systems around the ring to allow each system to communicate. More modern networks may be described as a ring but are only physically a ring and not logically using a ring topology.

69. What type of firewall design is shown in the image below (Internet connected to router connected to firewall connected to private network)? A. Single tier B. Two tier C. Three tier D. Next generation

A. A single-tier firewall deployment is very simple and does not offer useful design options like a DMZ or separate transaction subnets.

62. Which type of firewall can be described as "a device that filters traffic based on its source, destination and the port it is sent from or is going to"? A. A static packet filtering firewall B. An Application layer gateway firewall C. A dynamic packet filtering firewall D. A stateful inspection firewall

A. A static packet filtering firewall is only aware of the information contained in the message header of packets: the source, destination, and port it is sent from and headed to. This means that they're not particularly smart, unlike Application layer firewalls that proxy traffic based on the service they support or stateful inspection firewalls (also known as dynamic packet inspection firewalls) that understand the relationship between systems and their communications.

25. What method is commonly used to assess how well software testing covered the potential uses of an application? A. A test coverage analysis B. A source code review C. A fuzz analysis D. A code review report

A. A test coverage analysis is often used to provide insight into how well testing covered the set of use cases that an application is being tested for. Source code reviews look at the code of a program for bugs, not necessarily at a use case analysis, whereas fuzzing tests invalid inputs. A code review report might be generated as part of a source code review.

Susan is the lead of a Quality Assurance team at her company. They have been tasked with the testing for a major release of their company's core software product. Use your knowledge of code review and testing to answer the following question. 64. As part of the continued testing of their new application, Susan's quality assurance team has designed a set of test cases for a series of black box tests. These functional tests are then run, and a report is prepared explaining what has occurred. What type of report is typically generated during this testing to indicate test metrics? A. A test coverage report B. A penetration test report C. A code coverage report D. A line coverage report

A. A test coverage report measures how many of the test cases have been completed and is used as a way to provide test metrics when using test cases. A penetration test report is provided when a penetration test is conducted—this is not a penetration test. A code coverage report covers how much of the code has been tested, and a line coverage report is a type of code coverage report.

9. As part of a penetration test, Alex needs to determine if there are web servers that could suffer from the 2014 Heartbleed bug. What type of tool could he use, and what should he check to verify that the tool can identify the problem? A. A vulnerability scanner, to see whether the scanner has a signature or test for the Heartbleed CVE number B. A port scanner, to see whether the scanner properly identifies SSL connections C. A vulnerability scanner, to see whether the vulnerability scanner detects problems with the Apache web server D. A port scanner, to see whether the port scanner supports TLS connections

A. A vulnerability scanner that has a test (sometimes called a signature or plugin) that provides a detection method for CVE-2014-0160, also known as the Heartbleed bug, a vulnerability in OpenSSL, will detect and report on the issue on any system it can connect to. Port scanners do not determine whether services are vulnerable, and Heartbleed was not a vulnerability in the Apache web server—but even without knowing this, the CVE number is a better indicator of whether the issue will be found than a generic detection for a service.

42. Adam recently configured permissions on an NTFS filesystem to describe the access that different users may have to a file by listing each user individually. What did Adam create? A. An access control list B. An access control entry C. Role-based access control D. Mandatory access control

A. Adam created a list of individual users that may access the file. This is an access control list, which consists of multiple access control entries. It includes the names of users, so it is not role-based, and Adam was able to modify the list, so it is not mandatory access control.

40. Which one of the following components is used to assign classifications to objects in a mandatory access control system? A. Security label B. Security token C. Security descriptor D. Security capability

A. Administrators and processes may attach security labels to objects that provide information on an object's attributes. Labels are commonly used to apply classifications in a mandatory access control system.

84. What type of token-based authentication system uses a challenge/response process in which the challenge has to be entered on the token? A. Asynchronous B. Smart card C. Synchronous D. RFID

A. Asynchronous tokens use a challenge/response process in which the system sends a challenge and the user responds with a PIN and a calculated response to the challenge. The server performs the same calculations, and if both match, it authenticates the user. Synchronous tokens use a time-based calculation to generate codes. Smart cards are paired with readers and don't need to have challenges entered, and RFID devices are not used for challenge/response tokens.

Ben's organization is adopting biometric authentication for its high-security building's access control system. Using the following chart (PERCENT against SENSITIVITY) 86. At point B, what problem is likely to occur? A. False acceptance will be very high. B. False rejection will be very high. C. False rejection will be very low. D. False acceptance will be very low.

A. At point B, the false acceptance rate, or FAR, is quite high, while the false rejection rate, or FRR, is relatively low. This may be acceptable in some circumstances, but in organizations where a false acceptance can cause a major problem, it is likely that they should instead choose a point to the right of point A.

78. What type of vulnerability scan accesses configuration information from the systems it is run against as well as information that can be accessed via services available via the network? A. Authenticated scans B. Web application scans C. Unauthenticated scans D. Port scans

A. Authenticated scans use a read-only account to access configuration files, allowing more accurate testing of vulnerabilities. Web application scans, unauthenticated scans, and port scans don't have access to configuration files unless they are inadvertently exposed.

Microsoft's STRIDE threat assessment model places threats into one of six categories:
Spoofing—threats that involve user credentials and authentication, or falsifying legitimate communications
Tampering—threats that involve the malicious modification of data
Repudiation—threats that cause actions to occur that cannot be denied by a user
Information disclosure—threats that involve exposure of data to unauthorized individuals
Denial of service—threats that deny service to legitimate users
Elevation of privilege—threats that provide higher privileges to unauthorized users

25. Biba is what type of access control model? A. MAC B. DAC C. Role BAC D. ABAC

A. Biba uses a lattice to control access and is a form of the mandatory access control (MAC) model. It does not use rules, roles, or attributes, nor does it allow user discretion. Users can create content at their level or lower but cannot decide who gets access, levels are not roles, and attributes are not used to make decisions on access control.

63. A phreaking tool used to manipulate line voltages to steal long-distance service is known as what type of box? A. A black box B. A red box C. A blue box D. A white box

A. Black boxes are designed to steal long-distance service by manipulating line voltages. Red boxes simulate tones of coins being deposited into payphones; blue boxes were tone generators used to simulate the tones used for telephone networks; and white boxes included a dual tone, multifrequency generator to control phone systems.

78. Raj is selecting an encryption algorithm for use in his organization and would like to be able to vary the strength of the encryption with the sensitivity of the information. Which one of the following algorithms allows the use of different key strengths? A. Blowfish B. DES C. Skipjack D. IDEA

A. Blowfish allows the user to select any key length between 32 and 448 bits.

2. COBIT, Control Objectives for Information and Related Technology, is a framework for IT management and governance. Which data management role is most likely to select and apply COBIT to balance the need for security controls against business requirements? A. Business owners B. Data processors C. Data owners D. Data stewards

A. Business owners have to balance the need to provide value with regulatory, security, and other requirements. This makes the adoption of a common framework like COBIT attractive. Data owners are more likely to ask that those responsible for control selection identify a standard to use. Data processors are required to perform specific actions under regulations like the EU DPD. Finally, in many organizations, data stewards are internal roles that oversee how data is used.

57. By default, in what format does OpenLDAP store the value of the userPassword attribute? A. In the clear B. Salted and hashed C. MD5 hashed D. Encrypted using AES256 encryption

A. By default, OpenLDAP stores the userPassword attribute in the clear. This means that ensuring that the password is provided to OpenLDAP in a secure format is the responsibility of the administrator or programmer who builds its provisioning system.

Chris has recently been hired into a new organization. The organization that Chris belongs to uses the following classification process: 1. Criteria are set for classifying data. 2. Data owners are established for each type of data. 3. Data is classified. 4. Required controls are selected for each classification. 5. Baseline security standards are selected for the organization. 6. Controls are scoped and tailored. 7. Controls are applied and enforced. 8. Access is granted and managed. 57. If Chris is one of the data owners for the organization, what steps in this process is he most likely responsible for? A. He is responsible for steps 3, 4, and 5. B. He is responsible for steps 1, 2, and 3. C. He is responsible for steps 5, 6, and 7. D. All of the steps are his direct responsibility.

A. Chris is most likely to be responsible for classifying the data that he owns as well as assisting with or advising the system owners on security requirements and control selection. In an organization with multiple data owners, Chris is unlikely to set criteria for classifying data on his own. As a data owner, Chris will also not typically have direct responsibility for scoping, tailoring, applying, or enforcing those controls.

55. What type of fire extinguisher is useful only against common combustibles? A. Class A B. Class B C. Class C D. Class D

A. Class A fire extinguishers are useful only against common combustible materials. They use water or soda acid as their suppressant. Class B extinguishers are for liquid fires. Class C extinguishers are for flammable gasses, and Class D fire extinguishers are for combustible metals.

34. Which of the following concerns should not be part of the decision when classifying data? A. The cost to classify the data B. The sensitivity of the data C. The amount of harm that exposure of the data could cause D. The value of the data to the organization

A. Classification should be conducted based on the value of the data to the organization, its sensitivity, and the amount of harm that could result from exposure of the data. Cost should be considered when implementing controls and is weighed against the damage that exposure would create.

10. What term is used to describe overwriting media to allow for its reuse in an environment operating at the same sensitivity level? A. Clearing B. Erasing C. Purging D. Sanitization

A. Clearing describes preparing media for reuse. When media is cleared, unclassified data is written over all addressable locations on the media. Once that's completed, the media can be reused. Erasing is the deletion of files or media. Purging is a more intensive form of clearing for reuse in lower security areas, and sanitization is a series of processes that removes data from a system or media while ensuring that the data is unrecoverable by any means.

3. Ralph is designing a physical security infrastructure for a new computing facility that will remain largely unstaffed. He plans to implement motion detectors in the facility but would also like to include a secondary verification control for physical presence. Which one of the following would best meet his needs? A. CCTV B. IPS C. Turnstiles D. Faraday cages

A. Closed circuit television (CCTV) systems act as a secondary verification mechanism for physical presence because they allow security officials to view the interior of the facility when a motion alarm sounds to determine the current occupants and their activities.

89. Timber Industries recently got into a dispute with a customer. During a meeting with his account representative, the customer stood up and declared, "There is no other solution. We will have to take this matter to court." He then left the room. When does Timber Industries have an obligation to begin preserving evidence? A. Immediately B. Upon receipt of a notice of litigation from opposing attorneys C. Upon receipt of a subpoena D. Upon receipt of a court order

A. Companies have an obligation to preserve evidence whenever they believe that the threat of litigation is imminent. The statement made by this customer that "we will have to take this matter to court" is a clear threat of litigation and should trigger the preservation of any related documents and records.

26. How many bits of keying material does the Data Encryption Standard use for encrypting information? A. 56 bits B. 64 bits C. 128 bits D. 256 bits

A. DES uses a 64-bit encryption key but only 56 of those bits are actually used as keying material in the encryption operation. The remaining 8 bits are used to detect tampering or corruption of the key.

91. Jim is implementing a cloud identity solution for his organization. What type of technology is he putting in place? A. Identity as a Service B. Employee ID as a Service C. Cloud-based RADIUS D. OAuth

A. IDaaS, or Identity as a Service, provides an identity platform as a third-party service. This can provide benefits including integration with cloud services and removing overhead for maintenance of traditional on-premise identity systems, but it can also create risk due to third-party control of identity services and reliance on an offsite identity infrastructure.

Ann is a security professional for a mid-sized business and typically handles log analysis and security monitoring tasks for her organization. One of her roles is to monitor alerts originating from the organization's intrusion detection system. The system typically generates several dozen alerts each day, and many of those alerts turn out to be false alarms after her investigation. This morning, the intrusion detection system alerted because the network began to receive an unusually high volume of inbound traffic. Ann received this alert and began looking into the origin of the traffic. 66. Ann continues her investigation and realizes that the traffic generating the alert is abnormally high volumes of inbound UDP traffic on port 53. What service typically uses this port? A. DNS B. SSH/SCP C. SSL/TLS D. HTTP

A. DNS traffic commonly uses port 53 for both TCP and UDP communications. SSH and SCP use TCP port 22. SSL and TLS do not have ports assigned to them but are commonly used for HTTPS traffic on port 443. Unencrypted web traffic over HTTP often uses port 80.

17. What does labeling data allow a DLP system to do? A. The DLP system can detect labels and apply appropriate protections. B. The DLP system can adjust labels based on changes in the classification scheme. C. The DLP system can notify the firewall that traffic should be allowed through. D. The DLP system can delete unlabeled data.

A. Data loss prevention (DLP) systems can use labels on data to determine the appropriate controls to apply to the data. DLP systems won't modify labels in real time and typically don't work directly with firewalls to stop traffic. Deleting unlabeled data would cause big problems for organizations that haven't labeled every piece of data!

64. Data streams occur at what three layers of the OSI model? A. Application, Presentation, and Session B. Presentation, Session, and Transport C. Physical, Data Link, and Network D. Data Link, Network, and Transport

A. Data streams are associated with the Application, Presentation, and Session layers. Once they reach the Transport layer, they become segments (TCP) or datagrams (UDP). From there, they are converted to packets at the Network layer, frames at the Data Link layer, and bits at the Physical layer.

80. Howard is choosing a cryptographic algorithm for his organization and he would like to choose an algorithm that supports the creation of digital signatures. Which one of the following algorithms would meet his requirement? A. RSA B. DES C. AES D. Blowfish

A. Digital signatures are possible only when using an asymmetric encryption algorithm. Of the algorithms listed, only RSA is asymmetric and supports digital signature capabilities.

39. Alan is reviewing a system that has been assigned the EAL1 evaluation assurance level under the Common Criteria. What is the degree of assurance that he may have about the system? A. It has been functionally tested. B. It has been structurally tested. C. It has been formally verified, designed, and tested. D. It has been methodically designed, tested, and reviewed.

A. EAL1 assurance applies when the system in question has been functionally tested. It is the lowest level of assurance under the Common Criteria.

91. Darcy is a computer security specialist who is assisting with the prosecution of a hacker. The prosecutor requests that Darcy give testimony in court about whether, in her opinion, the logs and other records in a case are indicative of a hacking attempt. What type of evidence is Darcy being asked to provide? A. Expert opinion B. Direct evidence C. Real evidence D. Documentary evidence

A. Expert opinion evidence allows individuals to offer their opinion based upon the facts in evidence and their personal knowledge. Expert opinion evidence may be offered only if the court accepts the witness as an expert in a particular field. Direct evidence is when witnesses testify about their direct observations. Real evidence consists of tangible items brought into court as evidence. Documentary evidence consists of written records used as evidence in court.

2. Referring to the figure shown below (Stage 1: incipient, Stage 2: smoke, Stage 3: flame, Stage 4: heat), what is the earliest stage of a fire where it is possible to use detection technology to identify it? A. Incipient B. Smoke C. Flame D. Heat

A. Fires may be detected as early as the incipient stage. During this stage, air ionization takes place and specialized incipient fire detection systems can identify these changes to provide early warning of a fire.

1. What important factor listed below differentiates Frame Relay from X.25? A. Frame Relay supports multiple PVCs over a single WAN carrier connection. B. Frame Relay is a cell-switching technology instead of a packet-switching technology like X.25. C. Frame Relay does not provide a Committed Information Rate (CIR). D. Frame Relay only requires a DTE on the provider side.

A. Frame Relay supports multiple private virtual circuits (PVCs), unlike X.25. It is a packet-switching technology that provides a Committed Information Rate (CIR), which is a minimum bandwidth guarantee provided by the service provider to customers. Finally, Frame Relay requires a DTE/DCE at each connection point, with the DTE providing access to the Frame Relay network, and a provider-supplied DCE, which transmits the data over the network.

21. Which one of the following is not an attribute of a hashing algorithm? A. They require a cryptographic key. B. They are irreversible. C. It is very difficult to find two messages with the same hash value. D. They take variable-length input.

A. Hash functions do not include any element of secrecy and, therefore, do not require a cryptographic key.

30. Which one of the following is not one of the basic requirements for a cryptographic hash function? A. The function must work on fixed-length input. B. The function must be relatively easy to compute for any input. C. The function must be one way. D. The function must be collision free.

A. Hash functions must be able to work on any variable-length input and produce a fixed-length output from that input, regardless of the length of the input.

76. Warren is designing a physical intrusion detection system for his data center and wants to include technology that issues an alert if the communications lines for the alarm system are unexpectedly cut. What technology would meet this requirement? A. Heartbeat sensor B. Emanation security C. Motion detector D. Faraday cage

A. Heartbeat sensors send periodic status messages from the alarm system to the monitoring center. The monitoring center triggers an alarm if it does not receive a status message for a prolonged period of time, indicating that communications were disrupted.

48. What type of attack is shown in the figure below (3 EXCHANGES OF 'SYN' & 'SYN/ACK')? A. SYN flood B. Ping flood C. Smurf D. Fraggle

A. In a SYN flood attack, the attacker sends a large number of SYN packets to a system but does not respond to the SYN/ACK packets, attempting to overwhelm the attacked system's connection state table with half-open connections.

98. In what type of attack do attackers manage to insert themselves into a connection between a user and a legitimate website? A. Man-in-the-middle B. Fraggle C. Wardriving D. Meet-in-the-middle

A. In a man-in-the-middle attack, attackers manage to insert themselves into a connection between a user and a legitimate website, relaying traffic between the two parties while eavesdropping on the connection. Although similarly named, the meet-in-the-middle attack is a cryptographic attack that does not necessarily involve connection tampering. Fraggle is a network-based denial of service attack using UDP packets. Wardriving is a reconnaissance technique for discovering open or weakly secured wireless networks.

6. Which one of the following trusted recovery types does not fail into a secure operating state? A. Manual recovery B. Automated recovery C. Automated recovery without undue loss D. Function recovery

A. In a manual recovery approach, the system does not fail into a secure state but requires an administrator to manually restore operations. In an automated recovery, the system can recover itself against one or more failure types. In an automated recovery without undue loss, the system can recover itself against one or more failure types and also preserve data against loss. In function recovery, the system can restore functional processes automatically.

71. In what type of attack does the attacker replace the legitimate BIOS on a computer with a malicious alternative that allows them to take control of the system? A. Phlashing B. Phreaking C. Phishing D. Phogging

A. In a phlashing attack, the attacker introduces a custom, malicious BIOS that grants the attacker some level of control over the attacked system.

Susan is the lead of a Quality Assurance team at her company. They have been tasked with the testing for a major release of their company's core software product. Use your knowledge of code review and testing to answer the following question. 63. Susan's team of software testers are required to test every code path, including those that will only be used when an error condition occurs. What type of testing environment does her team need to ensure complete code coverage? A. White box B. Gray box C. Black box D. Dynamic

A. In order to fully test code, a white box test is required. Without full visibility of the code, error conditions or other code could be missed, making a gray box or black box test an inappropriate solution. Using dynamic testing that runs against live code could also result in some conditions being missed due to sections of code not being exposed to typical usage.

30. In which cloud computing model does a customer share computing infrastructure with other customers of the cloud vendor where one customer may not know the other's identity? A. Public cloud B. Private cloud C. Community cloud D. Shared cloud

A. In the public cloud computing model, the vendor builds a single platform that is shared among many different customers. This is also known as the shared tenancy model.

7. Harry would like to access a document owned by Sally and stored on a file server. Applying the subject/object model to this scenario, who or what is the subject of the resource request? A. Harry B. Sally C. Server D. Document

A. In the subject/object model of access control, the user or process making the request for a resource is the subject of that request. In this example, Harry is requesting resource access and is, therefore, the subject.

95. LDAP distinguished names (DNs) are made up of comma-separated components called relative distinguished names (RDNs) that have an attribute name and a value. DNs become less specific as they progress from left to right. Which of the following LDAP DNs best fits this rule? A. uid=ben,ou=sales,dc=example,dc=com B. uid=ben,dc=com,dc=example C. dc=com,dc=example,ou=sales,uid=ben D. ou=sales,dc=com,dc=example

A. In this example, uid=ben,ou=sales,dc=example,dc=com, the items proceed from most specific to least specific (broadest) from left to right, as required by a DN.

52. During an incident investigation, investigators meet with a system administrator who may have information about the incident but is not a suspect. What type of conversation is taking place during this meeting? A. Interview B. Interrogation C. Both an interview and an interrogation D. Neither an interview nor an interrogation

A. Interviews occur when investigators meet with an individual who may have information relevant to their investigation but is not a suspect. If the individual is a suspect, then the meeting is an interrogation.

97. Kerberos, KryptoKnight, and SESAME are all examples of what type of system? A. SSO B. PKI C. CMS D. Directory

A. Kerberos, KryptoKnight, and SESAME are all single sign-on, or SSO, systems. PKI systems are public key infrastructure systems, CMS systems are content management systems, and LDAP and other directory servers provide information about services, resources, and individuals.

69. Questions like "What is your pet's name?" are examples of what type of identity proofing? A. Knowledge-based authentication B. Dynamic knowledge-based authentication C. Out-of-band identity proofing D. A Type 3 authentication factor

A. Knowledge-based authentication relies on preset questions such as "What is your pet's name?" and their answers. It can be susceptible to attacks because the answers are often available on social media or other sites. Dynamic knowledge-based authentication relies on facts or data that the user already knows, typically drawn from third-party records, which can be used to generate questions on an as-needed basis (for example, a previous address or a school they attended). Out-of-band identity proofing relies on an alternate channel like a phone call or text message. Finally, Type 3 authentication factors are biometric, or "something you are," rather than knowledge based.

91. Lauren has been asked to replace her organization's PPTP implementation with an L2TP implementation for security reasons. What is the primary security reason that L2TP would replace PPTP? A. L2TP can use IPsec. B. L2TP creates a point-to-point tunnel, avoiding multipoint issues. C. PPTP doesn't support EAP. D. PPTP doesn't properly encapsulate PPP packets.

A. L2TP provides no encryption of its own, but it can be combined with IPsec (L2TP/IPsec) to provide encryption of traffic, ensuring confidentiality of the traffic carried via an L2TP VPN. PPTP sends the initial packets of a session in plaintext, potentially including usernames and hashed passwords. PPTP does support EAP and was designed to encapsulate PPP packets. All VPNs are point to point, and multipoint issues are not a VPN problem.

23. What is the best way to provide accountability for the use of identities? A. Logging B. Authorization C. Digital signatures D. Type 1 authentication

A. Logging systems can provide accountability for identity systems by tracking the actions, changes, and other activities a user or account performs.

18. Lydia is processing access control requests for her organization. She comes across a request where the user does have the required security clearance, but there is no business justification for the access. Lydia denies this request. What security principle is she following? A. Need to know B. Least privilege C. Separation of duties D. Two-person control

A. Lydia is following the need to know principle. While the user may have the appropriate security clearance to access this information, there is no business justification provided, so she does not know that the user has an appropriate need to know the information.

11. What type of security vulnerability are developers most likely to introduce into code when they seek to facilitate their own access, for testing purposes, to software they developed? A. Maintenance hook B. Cross-site scripting C. SQL injection D. Buffer overflow

A. Maintenance hooks, otherwise known as backdoors, provide developers with easy access to a system, bypassing normal security controls. If not removed prior to finalizing code, they pose a significant security vulnerability if an attacker discovers the maintenance hook.

33. Referring to the figure shown below (BOXED ENTRANCE), what is the name of the security control indicated by the arrow? A. Mantrap B. Turnstile C. Intrusion prevention system D. Portal

A. Mantraps use a double set of doors to prevent piggybacking by allowing only a single individual to enter a facility at a time.

56. Gary is concerned about applying consistent security settings to the many mobile devices used throughout his organization. What technology would best assist with this challenge? A. MDM B. IPS C. IDS D. SIEM

A. Mobile Device Management (MDM) products provide a consistent, centralized interface for applying security configuration settings to mobile devices.

60. What common security issue is often overlooked with cordless phones? A. Their signal is rarely encrypted and thus can be easily monitored. B. They use unlicensed frequencies. C. They can allow attackers access to wireless networks. D. They are rarely patched and are vulnerable to malware.

A. Most cordless phones don't use encryption, and even modern phones that use DECT (which does provide encryption) have already been cracked. This means that a determined attacker can almost always eavesdrop on cordless phones, and makes them a security risk if they're used for confidential communication.

22. During a security assessment, Jim discovers that the organization he is working with uses a multilayer protocol to handle SCADA systems and recently connected the SCADA network to the rest of the organization's production network. What concern should he raise about serial data transfers carried via TCP/IP? A. SCADA devices that are now connected to the network can now be attacked over the network. B. Serial data over TCP/IP cannot be encrypted. C. Serial data cannot be carried in TCP packets. D. TCP/IP's throughput can allow for easy denial of service attacks against serial devices.

A. Multilayer protocols like DNP3 allow SCADA and other systems to use TCP/IP-based networks to communicate. Many SCADA devices were never designed to be exposed to a network, and adding them to a potentially insecure network can create significant risks. TLS or other encryption can be used on TCP packets, meaning that even serial data can be protected. Serial data can be carried via TCP packets because TCP packets don't care about their content; it is simply another payload. Finally, TCP/IP does not have a specific throughput as designed, so issues with throughput are device-level issues.

82. Which NIST document covers the creation of an Information Security Continuous Monitoring (ISCM)? A. NIST SP 800-137 B. NIST SP 800-53a C. NIST SP 800-145 D. NIST SP 800-50

A. NIST SP 800-137 is titled "Information Security Continuous Monitoring (ISCM) for Federal Systems and Organizations" and describes the process of building and maintaining an ISCM. NIST SP 800-145 defines cloud computing, whereas NIST SP 800-53A covers assessing security and privacy controls for federal systems and organizations. NIST SP 800-50 focuses on information security awareness programs.

60. Which of the following best describes a typical process for building and implementing an Information Security Continuous Monitoring program as described by NIST Special Publication 800-137? A. Define, establish, implement, analyze and report, respond, review, and update B. Design, build, operate, analyze, respond, review, revise C. Prepare, detect and analyze, contain, respond, recover, report D. Define, design, build, monitor, analyze, react, revise

A. NIST SP 800-137 outlines the process for organizations that are establishing, implementing, and maintaining an ISCM as define, establish, implement, analyze and report, respond, review, and update. Prepare, detect and analyze, contain, respond, recover, report is an incident response process, and the others do not match the NIST process.

28. Information maintained about an individual that can be used to distinguish or trace their identity is known as what type of information? A. Personally identifiable information (PII) B. Personal health information (PHI) C. Social Security number (SSN) D. Secure identity information (SII)

A. NIST Special Publication 800-122 defines PII as any information that can be used to distinguish or trace an individual's identity, such as name, Social Security number, date and place of birth, mother's maiden name, biometric records, and other information that is linked or linkable to an individual such as medical, educational, financial, and employment information. PHI is health-related information about a specific person, Social Security numbers are issued to individuals in the United States, and SII is a made-up term.

10. Jim would like to identify compromised systems on his network that may be participating in a botnet. He plans to do this by watching for connections made to known command-and-control servers. Which one of the following techniques would be most likely to provide this information if Jim has access to a list of known servers? A. Netflow records B. IDS logs C. Authentication logs D. RFC logs

A. Netflow records contain an entry for every network communication session that took place on a network and can be compared to a list of known malicious hosts. IDS logs may contain a relevant record but it is less likely because they would only create log entries if the traffic triggers the IDS, as opposed to netflow records, which encompass all communications. Authentication logs and RFC logs would not have records of any network traffic.
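The matching Jim would do, written out as an added example (not code from the question bank): flow records in a simple CSV export are compared against a list of known command-and-control addresses, and the gaps between a host's flows to those addresses are computed so that a near-constant interval, a typical beaconing signature, stands out. The field names, the flow records and the indicator list are all constructed for this example; exports from a real collector will use their own column names.

```python
# Added example, not from the original question bank: match exported flow
# records against a list of known C2 addresses and measure how regularly
# each internal host talks to them. Field names follow a simple CSV export;
# the flow records and the indicator list are constructed for this example.
import csv
import io
import ipaddress
from datetime import datetime
from typing import Dict, List

FLOWS_CSV = """ts,src,dst,dport,proto,bytes
2024-03-01T10:00:01,10.0.0.5,203.0.113.10,443,TCP,5120
2024-03-01T10:00:02,10.0.0.7,198.51.100.77,8080,TCP,310
2024-03-01T10:00:05,10.0.0.5,192.0.2.200,443,TCP,9800
2024-03-01T10:00:07,10.0.0.7,198.51.100.77,8080,TCP,290
2024-03-01T10:00:08,10.0.0.9,203.0.113.10,443,TCP,80
2024-03-01T10:00:12,10.0.0.7,198.51.100.77,8080,TCP,305
"""

# Constructed indicators: one exact host and one whole block (CIDR).
KNOWN_C2 = ["198.51.100.77", "192.0.2.0/24"]


def load_indicators(entries: List[str]):
    """Normalise single hosts and CIDR blocks into ip_network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_known_c2(dst: str, nets) -> bool:
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in nets)


def find_c2_flows(flows_csv: str, indicators: List[str]) -> Dict[str, List[dict]]:
    """Return {internal_src: [matching flow rows]} for flows to known C2."""
    nets = load_indicators(indicators)
    hits: Dict[str, List[dict]] = {}
    for row in csv.DictReader(io.StringIO(flows_csv)):
        if is_known_c2(row["dst"], nets):
            hits.setdefault(row["src"], []).append(row)
    return hits


def beacon_intervals(rows: List[dict]) -> List[float]:
    """Seconds between successive flows; near-constant gaps suggest beaconing."""
    stamps = sorted(datetime.fromisoformat(r["ts"]) for r in rows)
    return [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]


def suspected_bots(flows_csv: str, indicators: List[str]) -> List[str]:
    """Sorted internal hosts with at least one flow to a known C2 address."""
    return sorted(find_c2_flows(flows_csv, indicators))


if __name__ == "__main__":
    for src, rows in find_c2_flows(FLOWS_CSV, KNOWN_C2).items():
        print(src, "->", sorted({r["dst"] for r in rows}),
              "intervals:", beacon_intervals(rows))
```

Because flow records cover every session rather than only the ones that tripped a signature, a host that talks to an indicator address shows up here even if the IDS never fired; the interval check is what separates a one-off lookup from a client that calls home every few seconds.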

70. Nikto, Burp Suite, and Wapiti are all examples of what type of tool? A. Web application vulnerability scanners B. Code review tools C. Vulnerability scanners D. Port scanners

A. Nikto, Burp Suite, and Wapiti are all web application vulnerability scanners, tools designed specifically to scan web servers and applications. While they share some functionality with broader vulnerability scanners and port scanning tools, they have a narrower focus and typically have deeper web application-specific capabilities than general-purpose vulnerability scanners.

40. When might an organization using biometrics choose to allow a higher FRR instead of a higher FAR? A. When security is more important than usability B. When false rejection is not a concern due to data quality C. When the CER of the system is not known D. When the CER of the system is very high

A. Organizations with very strict security requirements and no tolerance for false acceptance want to lower the false acceptance rate, or FAR, to as near zero as possible. Because FAR and FRR move in opposite directions as the match threshold changes, that usually means the false rejection rate, or FRR, increases. Different biometric technologies or a better registration method can help improve biometric performance, but false rejections due to data quality are not typically a concern with modern biometric systems. Knowing the crossover error rate, or CER, or having a very high CER, does not drive this decision: the CER describes the point where FAR and FRR are equal, not the organization's tolerance for either error.
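The FAR/FRR trade-off above, worked through as an added example rather than material from the question bank. Genuine and impostor match scores are constructed for this example (a real system would take them from enrolment and test data); the code sweeps the decision threshold, computes FAR and FRR at each value, finds the crossover, and then shows the FRR an organization accepts when it demands a FAR of zero.

```python
# Added example, not from the original question bank: compute FAR and FRR
# from match scores at every threshold, locate the crossover (CER), and show
# what pushing FAR to zero does to FRR. The scores are constructed for this
# example, not measurements from a real sensor.
from typing import List, Tuple

GENUINE = [72, 75, 78, 80, 81, 83, 85, 86, 88, 90, 91, 93, 95, 96, 98]
IMPOSTOR = [20, 25, 30, 35, 40, 45, 50, 55, 60, 65, 70, 74, 77, 79, 84]


def far(threshold: int, impostor: List[int]) -> float:
    """False acceptance rate: impostor attempts scoring at or above threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(threshold: int, genuine: List[int]) -> float:
    """False rejection rate: genuine attempts scoring below threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def crossover(genuine: List[int], impostor: List[int]) -> Tuple[int, float]:
    """Threshold where FAR and FRR are closest, and the error rate there (CER)."""
    best_t, best_rate, best_gap = 0, 1.0, 2.0
    for t in range(0, 101):
        a, r = far(t, impostor), frr(t, genuine)
        if abs(a - r) < best_gap:
            best_t, best_rate, best_gap = t, (a + r) / 2, abs(a - r)
    return best_t, best_rate


def threshold_for_max_far(max_far: float, genuine: List[int],
                          impostor: List[int]) -> Tuple[int, float, float]:
    """Lowest threshold whose FAR does not exceed max_far, with its FAR and FRR.

    A strict site that wants FAR near zero pays for it here: the FRR at that
    threshold is the fraction of legitimate users who will be turned away.
    """
    for t in range(0, 101):
        a = far(t, impostor)
        if a <= max_far:
            return t, a, frr(t, genuine)
    return 101, 0.0, 1.0


if __name__ == "__main__":
    t, cer = crossover(GENUINE, IMPOSTOR)
    print(f"crossover at threshold {t}: CER={cer:.3f}")
    t0, a0, r0 = threshold_for_max_far(0.0, GENUINE, IMPOSTOR)
    print(f"FAR=0 needs threshold {t0}: FAR={a0:.3f}, FRR={r0:.3f}")
```

With these scores the crossover sits at a threshold of 78 with both error rates at 2/15; insisting on a FAR of zero pushes the threshold to 85 and rejects 40% of genuine attempts, which is exactly the choice a high-security site makes deliberately and a usability-focused site does not.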

35. Why should passive scanning be conducted in addition to implementing wireless security technologies like wireless intrusion detection systems? A. It can help identify rogue devices. B. It can test the security of the wireless network via scripted attacks. C. Their short dwell time on each wireless channel can allow them to capture more packets. D. They can help test wireless IDS or IPS systems.

A. Passive scanning can help identify rogue devices by capturing MAC address vendor IDs that do not match deployed devices, by verifying that systems match inventories of organizationally owned hardware by hardware address, and by monitoring for rogue SSIDs or connections. Scripted attacks are part of active scanning rather than passive scanning, and active scanning is useful for testing IDS or IPS systems, whereas passive scanning will not be detected by detection systems. Finally, a shorter dwell time can actually miss troublesome traffic, so balancing dwell time versus coverage is necessary for passive wireless scanning efforts.

53. Jim configures his LDAP client to connect to an LDAP directory server. According to the configuration guide, his client should connect to the server on port 636. What does this indicate to Jim about the configuration of the LDAP server? A. It requires connections over SSL/TLS. B. It supports only unencrypted connections. C. It provides global catalog services. D. It does not provide global catalog services.

A. Port 636 is the default port for LDAPS, which wraps LDAP in SSL/TLS from the start of the connection, so the server expects encrypted connections on that port (plain LDAP, with optional StartTLS, uses port 389). Since neither port 3268 nor 3269, the Active Directory global catalog ports, is mentioned, we do not know if the server provides global catalog support.

27. What type of access control is being used in the following permission listing?
Storage Device X
User1: Can read, write, list
User2: Can read, list
User3: Can read, write, list, delete
User4: Can list
A. Resource-based access controls B. Role-based access controls C. Mandatory access controls D. Rule-based access controls

A. Resource-based access controls match permissions to resources like storage volumes. Resource-based access controls are becoming increasingly common in cloud-based Infrastructure as a Service environments. The lack of roles, rules, or a classification system indicates that role-based, rule-based, and mandatory access controls are not in use here.

20. Jacob is planning his organization's biometric authentication system and is considering retina scans. What concern may be raised about retina scans by others in his organization? A. Retina scans can reveal information about medical conditions. B. Retina scans are painful because they require a puff of air in the user's eye. C. Retina scanners are the most expensive type of biometric device. D. Retina scanners have a high false positive rate and will cause support issues.

A. Retina scans can reveal additional information, including high blood pressure and pregnancy, causing privacy concerns. Newer retina scans don't require a puff of air, and retina scanners are not the most expensive biometric factor. Their false positive rate can typically be adjusted in software, allowing administrators to adjust their acceptance rate as needed to balance usability and security.

21. Which email security solution provides two major usage modes: (1) signed messages that provide integrity, sender authentication, and nonrepudiation; and (2) an enveloped message mode that provides integrity, sender authentication, and confidentiality? A. S/MIME B. MOSS C. PEM D. DKIM

A. S/MIME supports both signed messages and a secure envelope method. While the functionality of S/MIME can be replicated with other tools, the secure envelope is an S/MIME-specific concept. MOSS, or MIME Object Security Services, and PEM can also both provide authentication, confidentiality, integrity, and nonrepudiation, while DKIM, or Domain Keys Identified Mail, is a domain validation tool.

63. When a computer is removed from service and disposed of, the process that ensures that all storage media has been removed or destroyed is known as what? A. Sanitization B. Purging C. Destruction D. Declassification

A. Sanitization is the combination of processes used to remove data from a system or media. When a PC is disposed of, sanitization includes the removal or destruction of drives, media, and any other storage devices it may have. Purging, destruction, and declassification are all other handling methods.

39. Joe is an investigator with a law enforcement agency. He received a tip that a suspect is communicating sensitive information with a third party via a message board. After obtaining a warrant for the message, he obtained the contents and found that the message only contains the image shown in the figure below (PHOTO of heritage site). If this is the sole content of the communication, what technique could the suspect have used to embed sensitive information in the message? A. Steganography B. Watermarking C. Clipping D. Sampling

A. Steganography is a technique used to hide information in an otherwise innocuous-seeming file. The suspect may have used this technique to embed hidden information in the image file. Watermarking also manipulates images but does so in an attempt to protect intellectual property. Clipping and sampling are techniques used to reduce a large set of data to a small quantity that may be used for analysis.
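The simplest form of the technique the answer describes, least-significant-bit embedding, as an added example (not code from the question bank). It writes a length-prefixed message into the lowest bit of successive 8-bit samples and reads it back; the "cover image" is a constructed byte string standing in for decoded pixel data. With a real image you would operate on the decoded samples, and a lossy format such as JPEG would destroy the hidden bits on re-encoding, which is why investigators look at the file format as well as the picture.

```python
# Added example, not from the original question bank: hide a message in the
# least significant bits of raw 8-bit pixel samples and recover it again.
# The "cover image" is a constructed byte string standing in for decoded
# pixel data; with a real image you would operate on the decoded samples,
# and lossy formats such as JPEG would destroy the LSBs on re-encoding.

COVER = bytes((i * 37 + 11) % 256 for i in range(512))  # constructed pixels
MESSAGE = b"meet at 0900"

HEADER_BYTES = 4  # big-endian length prefix so extract() knows where to stop


def embed(cover: bytes, message: bytes) -> bytes:
    """Write length-prefixed message bits into the LSB of successive samples."""
    payload = len(message).to_bytes(HEADER_BYTES, "big") + message
    needed = len(payload) * 8
    if needed > len(cover):
        raise ValueError(f"cover holds {len(cover) // 8} bytes, need {len(payload)}")
    out = bytearray(cover)
    for i in range(needed):
        bit = (payload[i // 8] >> (7 - i % 8)) & 1
        out[i] = (out[i] & 0xFE) | bit  # replace only the lowest bit
    return bytes(out)


def _read(stego: bytes, byte_offset: int, count: int) -> bytes:
    """Reassemble `count` payload bytes from LSBs, starting at payload byte offset."""
    result = bytearray()
    for b in range(count):
        value = 0
        for k in range(8):
            value = (value << 1) | (stego[(byte_offset + b) * 8 + k] & 1)
        result.append(value)
    return bytes(result)


def extract(stego: bytes) -> bytes:
    """Read the length header, then exactly that many message bytes."""
    length = int.from_bytes(_read(stego, 0, HEADER_BYTES), "big")
    if (HEADER_BYTES + length) * 8 > len(stego):
        raise ValueError("length header exceeds carrier size; no embedded message")
    return _read(stego, HEADER_BYTES, length)


def max_sample_change(cover: bytes, stego: bytes) -> int:
    """Largest change to any sample; LSB embedding never moves one by more than 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


if __name__ == "__main__":
    stego = embed(COVER, MESSAGE)
    print(extract(stego), "max change per sample:", max_sample_change(COVER, stego))
```

No sample moves by more than one unit, which is why the picture looks unchanged and why file hashes, not visual inspection, are the reliable way to notice that an image has been altered.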

4. What message logging standard is commonly used by network devices, Linux and Unix systems, and many other enterprise devices? A. Syslog B. Netlog C. Eventlog D. Remote Log Protocol (RLP)

A. Syslog is a widely used protocol for event and message logging, standardized in RFC 3164 and later RFC 5424. Windows systems use their own Event Log rather than syslog, so it is not a common cross-platform standard, and netlog and Remote Log Protocol are made-up terms.

22. Tom is responding to a recent security incident and is seeking information on the approval process for a recent modification to a system's security settings. Where would he most likely find this information? A. Change log B. System log C. Security log D. Application log

A. The change log contains information about approved changes and the change management process. While other logs may contain details about the change's effect, the audit trail for change management would be found in the change log.

96. Fred is preparing to send backup tapes off site to a secure third-party storage facility. What steps should Fred take before sending the tapes to that facility? A. Ensure that the tapes are handled the same way the original media would be handled based on their classification. B. Increase the classification level of the tapes because they are leaving the possession of the company. C. Purge the tapes to ensure that classified data is not lost. D. Encrypt the tapes in case they are lost in transit.

A. Tapes are frequently exposed due to theft or loss in transit. That means that tapes that are leaving their normal storage facility should be handled according to the organization's classification schemes and handling requirements. Purging the tapes would cause the loss of data, while increasing the classification level of the tapes or encrypting them may create extra work that isn't required by the classification level of the tapes.

81. Which of the following will be superseded in 2018 by the European Union's General Data Protection Regulation (GDPR)? A. The EU Data Protection Directive B. NIST SP 800-12 C. The EU Personal Data Protection Regulation D. COBIT

A. The EU GDPR replaces the EU Data Protection Directive (DPD, Directive 95/46/EC). It was adopted in April 2016 and became enforceable on 25 May 2018 after a two-year transition period. NIST standards and special publications apply to the United States, while COBIT is an IT management framework. There is no EU Personal Data Protection Regulation.

56. What US government agency oversees compliance with the Safe Harbor framework for organizations wishing to use the personal data of EU citizens? A. The FTC B. The FDA C. The DoD D. The Department of Commerce

A. The Federal Trade Commission, or FTC, is the US government agency that enforces compliance with Safe Harbor. The Department of Commerce administered the Safe Harbor program and published its principles, but enforcement against organizations that self-certified and then failed to comply was the FTC's role. The Food and Drug Administration and Department of Defense have no role in Safe Harbor.

8. Chris is configuring IDS to monitor for unencrypted FTP traffic. What ports should Chris use in his configuration? A. TCP 20 and 21 B. TCP 21 only C. UDP port 69 D. TCP port 21 and UDP port 21

A. The File Transfer Protocol (FTP) uses TCP port 21 for its control channel and TCP port 20 for the data channel in active mode; passive mode negotiates a high-numbered data port, so a rule that only watches port 21 would miss those transfers. UDP port 69 is used for the Trivial File Transfer Protocol, or TFTP, while UDP port 21 is not used for any common file transfer protocol.

37. Which one of the following frameworks focuses on IT service management and includes topics such as change management, configuration management, and service-level agreements? A. ITIL B. PMBOK C. PCI DSS D. TOGAF

A. The IT Infrastructure Library (ITIL) framework focuses on IT service management. The Project Management Body of Knowledge (PMBOK) provides a common core of project management expertise. The Payment Card Industry Data Security Standard (PCI DSS) contains regulations for credit card security. The Open Group Architecture Framework (TOGAF) focuses on IT architecture issues.

61. Sherry conducted an inventory of the cryptographic technologies in use within her organization and found the following algorithms and protocols in use. Which one of these technologies should she replace because it is no longer considered secure? A. MD5 B. 3DES C. PGP D. WPA2

A. The MD5 hash algorithm has known collisions and, as of 2005, is no longer considered secure for use in modern environments.

46. Which attack helped drive vendors to move away from SSL toward TLS-only by default? A. POODLE B. Stuxnet C. BEAST D. CRIME

A. The POODLE (Padding Oracle On Downgraded Legacy Encryption) attack helped force the move from SSL 3.0 to TLS. It uses the weak CBC padding check in SSL 3.0 as a padding oracle, letting an attacker who can force a client to downgrade to SSL 3.0 recover plaintext such as session cookies byte by byte. Stuxnet was a worm aimed at the Iranian nuclear program, while CRIME and BEAST were earlier attacks against SSL/TLS (targeting compression and TLS 1.0 CBC mode, respectively).

38. In what state does a processor's scheduler place a process when it is prepared to execute but the CPU is not currently available? A. Ready B. Running C. Waiting D. Stopped

A. The Ready state is used when a process is prepared to execute but the CPU is not available. The Running state is used when a process is executing on the CPU. The Waiting state is used when a process is blocked waiting for an external event. The Stopped state is used when a process terminates.

54. Segmentation, sequencing, and error checking all occur at what layer of the OSI model that is associated with SSL, TLS, and UDP? A. The Transport layer B. The Network layer C. The Session layer D. The Presentation layer

A. The Transport layer provides logical connections between devices, including end-to-end transport services to ensure that data is delivered. Transport layer protocols include TCP, UDP, SSL, and TLS.

20. Which is the proper order from least to most sensitive for US government classifications? A. Confidential, Secret, Top Secret B. Confidential, Classified, Secret C. Top Secret, Secret, Classified, Public, Classified, Top Secret D. Public, Unclassified, Classified, Top Secret

A. The US government's classification levels from least to most sensitive are Confidential, Secret, and Top Secret.

65. What standard governs the creation and validation of digital certificates for use in a public key infrastructure? A. X.509 B. TLS C. SSL D. 802.1x

A. The X.509 standard, developed by the International Telecommunication Union (ITU-T) and profiled for Internet use in RFC 5280, contains the specification for digital certificates. TLS and SSL use X.509 certificates but do not define them, and 802.1X is a port-based network access control standard.

75. Grace would like to implement application control technology in her organization. Users often need to install new applications for research and testing purposes, and she does not want to interfere with that process. At the same time, she would like to block the use of known malicious software. What type of application control would be appropriate in this situation? A. Blacklisting B. Greylisting C. Whitelisting D. Bluelisting

A. The blacklisting approach to application control allows users to install any software they wish except for packages specifically identified by the administrator as prohibited. This would be an appropriate approach in a scenario where users should be able to install any nonmalicious software they wish to use.

58. Rhonda is considering the use of new identification cards for physical access control in her organization. She comes across a military system that uses the card shown below (****). What type of card is this? A. Smart card B. Proximity card C. Magnetic stripe card D. Phase three card

A. The card shown in the image has a smart chip underneath the American flag. Therefore, it is an example of a smart card. This is the most secure type of identification card technology.

97. Todd wants to add a certificate to a certificate revocation list. What element of the certificate goes on the list? A. Serial number B. Public key C. Digital signature D. Private key

A. The certificate revocation list contains the serial numbers of digital certificates issued by a certificate authority that have later been revoked, together with each revocation date, and is signed by the issuing CA. A serial number is unique per issuer, so issuer name plus serial number identifies the certificate without placing its public key or signature on the list.

97. Which of the following does not describe data in motion? A. Data on a backup tape that is being shipped to a storage facility B. Data in a TCP packet C. Data in an e-commerce transaction D. Data in files being copied between locations

A. The correct answer is the tape that is being shipped to a storage facility. You might think that the tape in shipment is "in motion," but the key concept is that the data is not being accessed or transmitted over a network and is instead at rest on storage media. Data in a TCP packet, in an e-commerce transaction, or in files being copied between locations is in motion and is actively being transmitted.

The following question refers to a security life cycle diagram (loosely based on the NIST reference architecture) in which NIST uses a five-step process for risk management: 1. Categorize systems and data 2. Select security controls 3. Implement security controls 4. Assess security controls 5. Monitor security. 86. What data role will own responsibility for step 1, the categorization of information systems, to whom will they delegate step 2, and what data role will be responsible for step 3? A. Data owners, system owners, custodians B. Data processors, custodians, users C. Business owners, administrators, custodians D. System owners, business owners, administrators

A. The data owner bears responsibility for categorizing information systems and delegates selection of controls to system owners, while custodians implement the controls. Users don't perform any of these actions, while business owners are tasked with ensuring that systems are fulfilling their business purpose.

1. Referring to the figure below, what technology is shown that provides fault tolerance for the database servers? A. Failover cluster B. UPS C. Tape backup D. Cold site

A. The illustration shows an example of a failover cluster, where DB1 and DB2 are both configured as database servers. At any given time, only one will function as the active database server, while the other remains ready to assume responsibility if the first one fails. While the environment may use UPS, tape backup, and cold sites as disaster recovery and business continuity controls, they are not shown in the diagram.

82. The Bell-LaPadula and Biba models implement state machines in a fashion that uses what specific state machine model? A. Information flow B. Noninterference C. Cascading D. Feedback

A. The information flow model applies state machines to the flow of information. The Bell-LaPadula model applies the information flow model to confidentiality while the Biba model applies it to integrity.
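The two models' rules as a small state machine, added here as an example and not taken from the question bank. Each access request is decided from the subject's clearance and the object's label; only permitted writes change the state, and every decision is recorded. Running the same four requests under Bell-LaPadula and then under Biba shows the mirror image the answer describes: BLP stops the Secret user leaking into a Public file but lets a lower-cleared user overwrite a Secret one, and Biba does the reverse. Levels, names and requests are constructed.

```python
# Added example, not from the original question bank: the Bell-LaPadula and
# Biba rules as a small state machine that decides each access request from
# the subject's and object's labels. Levels, names and requests are constructed.
from enum import IntEnum
from typing import Callable, Dict, List, Tuple


class Level(IntEnum):
    PUBLIC = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


Rule = Callable[[Level, Level], bool]

# Bell-LaPadula (confidentiality): simple security property = no read up,
# *-property = no write down.
BLP: Dict[str, Rule] = {
    "read": lambda subject, obj: subject >= obj,
    "write": lambda subject, obj: subject <= obj,
}

# Biba (integrity): simple integrity = no read down, *-integrity = no write up.
BIBA: Dict[str, Rule] = {
    "read": lambda subject, obj: subject <= obj,
    "write": lambda subject, obj: subject >= obj,
}


class LabelledStateMachine:
    """Only transitions allowed by the model's rules change the state."""

    def __init__(self, model: Dict[str, Rule]):
        self.model = model
        self.objects: Dict[str, Tuple[Level, str]] = {}  # name -> (label, contents)
        self.audit: List[Tuple[str, str, str, bool]] = []

    def create(self, name: str, level: Level, contents: str = "") -> None:
        self.objects[name] = (level, contents)

    def request(self, subject: str, subject_level: Level, op: str,
                obj: str, data: str = "") -> bool:
        obj_level, _ = self.objects[obj]
        allowed = self.model[op](subject_level, obj_level)
        if allowed and op == "write":
            self.objects[obj] = (obj_level, data)  # the state transition
        self.audit.append((subject, op, obj, allowed))
        return allowed

    def read(self, obj: str) -> str:
        return self.objects[obj][1]


def run_demo(model: Dict[str, Rule]) -> Tuple[List[Tuple[str, str, str, bool]], str, str]:
    """Same four requests under a model; returns (audit, bulletin, payroll)."""
    sm = LabelledStateMachine(model)
    sm.create("payroll.xls", Level.SECRET, "salaries")
    sm.create("bulletin.txt", Level.PUBLIC, "lunch menu")
    sm.request("alice", Level.SECRET, "read", "bulletin.txt")
    sm.request("alice", Level.SECRET, "write", "bulletin.txt", "salaries leaked?")
    sm.request("bob", Level.CONFIDENTIAL, "read", "payroll.xls")
    sm.request("bob", Level.CONFIDENTIAL, "write", "payroll.xls", "tampered")
    return sm.audit, sm.read("bulletin.txt"), sm.read("payroll.xls")


if __name__ == "__main__":
    for name, model in (("Bell-LaPadula", BLP), ("Biba", BIBA)):
        audit, bulletin, payroll = run_demo(model)
        print(name, [(s, op, o, ok) for s, op, o, ok in audit])
        print("  bulletin.txt =", repr(bulletin), " payroll.xls =", repr(payroll))
```

Neither model alone gives both properties; a real system needs a confidentiality policy and an integrity policy together, which is why the two are usually taught as a pair.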

49. In the ring protection model shown below (4 circles with Ring0 in the centre), what ring contains the operating system's kernel? A. Ring 0 B. Ring 1 C. Ring 2 D. Ring 3

A. The kernel lies within the central ring, Ring 0. Conceptually, Ring 1 contains other operating system components. Ring 2 is used for drivers and protocols. User-level programs and applications run at Ring 3. Rings 0 through 2 run in privileged mode while Ring 3 runs in user mode. It is important to note that many modern operating systems do not fully implement this model.

Gary was recently hired as the first chief information security officer (CISO) for a local government agency. The agency recently suffered a security breach and is attempting to build a new information security program. Gary would like to apply some best practices for security operations as he is designing this program. 12. As Gary designs the program, he uses the matrix shown below (*). What principle of information security does this matrix most directly help enforce? A. Segregation of duties B. Aggregation C. Two-person control D. Defense in depth

A. The matrix shown in the figure is known as a segregation of duties matrix. It is used to ensure that one person does not obtain two privileges that would create a potential conflict. Aggregation is a term used to describe the unintentional accumulation of privileges over time, also known as privilege creep. Two-person control is used when two people must work together to perform a sensitive action. Defense in depth is a general security principle used to describe a philosophy of overlapping security controls.
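A segregation of duties matrix expressed as data, with the two checks Gary would actually run against it, added as an example and not taken from the question bank: one reports users who already hold both halves of a conflicting pair, the other is called before a new privilege is granted and names the held duty that blocks it. The duties, conflict pairs and user assignments are constructed for this example.

```python
# Added example, not from the original question bank: a segregation of duties
# matrix as data, a check that reports users who already hold a conflicting
# pair, and a pre-grant check to run before a new privilege is assigned.
# The duties, conflict pairs and user assignments are constructed.
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

DUTIES = ["create_vendor", "approve_payment", "request_change",
          "approve_change", "write_code", "deploy_to_prod"]

# Each pair marks two duties that one person must never hold together.
CONFLICTS: Set[FrozenSet[str]] = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"request_change", "approve_change"}),
    frozenset({"write_code", "deploy_to_prod"}),
}

ASSIGNMENTS: Dict[str, Set[str]] = {
    "alice": {"write_code", "request_change"},
    "bob": {"approve_change", "deploy_to_prod"},
    "carol": {"create_vendor", "approve_payment"},
}


def conflict_matrix(duties: List[str],
                    conflicts: Set[FrozenSet[str]]) -> Dict[str, Dict[str, bool]]:
    """Symmetric duty x duty table; True marks a forbidden combination."""
    return {a: {b: frozenset({a, b}) in conflicts for b in duties} for a in duties}


def violations(assignments: Dict[str, Set[str]],
               conflicts: Set[FrozenSet[str]]) -> List[Tuple[str, Tuple[str, str]]]:
    """Users who currently hold both halves of a conflicting pair."""
    found = []
    for user, held in sorted(assignments.items()):
        for pair in conflicts:
            if pair <= held:
                found.append((user, tuple(sorted(pair))))
    return sorted(found)


def blocking_duty(user: str, new_duty: str, assignments: Dict[str, Set[str]],
                  conflicts: Set[FrozenSet[str]]) -> Optional[str]:
    """The duty the user already holds that makes new_duty a violation, or None."""
    for held in sorted(assignments.get(user, set())):
        if frozenset({held, new_duty}) in conflicts:
            return held
    return None


def render(matrix: Dict[str, Dict[str, bool]]) -> str:
    """Plain-text grid: X marks a forbidden pair, . an allowed one."""
    duties = list(matrix)
    width = max(len(d) for d in duties)
    lines = [" " * width + " " + " ".join(d[:3] for d in duties)]
    for a in duties:
        cells = " ".join(("X" if matrix[a][b] else ".").center(3) for b in duties)
        lines.append(a.rjust(width) + " " + cells)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(conflict_matrix(DUTIES, CONFLICTS)))
    print("existing violations:", violations(ASSIGNMENTS, CONFLICTS))
    print("grant alice deploy_to_prod? blocked by:",
          blocking_duty("alice", "deploy_to_prod", ASSIGNMENTS, CONFLICTS))
```

The pre-grant check is the one that prevents aggregation: privilege creep happens one reasonable-looking grant at a time, so the matrix has to be consulted at grant time, not only in a periodic review.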

5. The need to protect sensitive data drives what administrative process? A. Information classification B. Remanence C. Transmitting data D. Clearing

A. The need to protect sensitive data drives information classification. This allows organizations to focus on data that needs to be protected rather than spending effort on less important data. Remanence describes data left on media after an attempt is made to remove the data. Transmitting data isn't a driver for an administrative process to protect sensitive data, and clearing is a technical process for removing data from media.

98. Alison is examining a digital certificate presented to her by her bank's website. Which one of the following requirements is not necessary for her to trust the digital certificate? A. She knows that the server belongs to the bank. B. She trusts the certificate authority. C. She verifies that the certificate is not listed on a CRL. D. She verifies the digital signature on the certificate.

A. The point of the digital certificate is to prove to Alison that the server belongs to the bank, so she does not need to have this trust in advance. To trust the certificate, she must verify the CA's digital signature on the certificate, trust the CA, verify that the certificate is not listed on a CRL, and verify that the certificate contains the name of the bank.

36. Which one of the following types of agreements is the most formal document that contains expectations about availability and other performance parameters between a service provider and a customer? A. Service-level agreement (SLA) B. Operations level agreement (OLA) C. Memorandum of understanding (MOU) D. Statement of work (SOW)

A. The service-level agreement (SLA) is between a service provider and a customer and documents in a formal manner expectations around availability, performance, and other parameters. An MOU may cover the same items but is not as formal a document. An OLA is between internal service organizations and does not involve customers. An SOW is an addendum to a contract describing work to be performed.

39. What is the stored sample of a biometric factor called? A. A reference template B. A token store C. A biometric password D. An enrollment artifact

A. The stored sample of a biometric factor is called a reference profile or a reference template. None of the other answers are common terms used for biometric systems.

34. Which one of the following does not describe a standard physical security requirement for wiring closets? A. Place only in areas monitored by security guards. B. Do not store flammable items in the closet. C. Use sensors on doors to log entries. D. Perform regular inspections of the closet.

A. While it would be ideal to have wiring closets in a location where they are monitored by security staff, this is not feasible in most environments. Wiring closets must be distributed geographically in multiple locations across each building used by an organization.

5. Fran's company is considering purchasing a web-based email service from a vendor and eliminating its own email server environment as a cost-saving measure. What type of cloud computing environment is Fran's company considering? A. SaaS B. IaaS C. CaaS D. PaaS

A. This is an example of a vendor offering a fully functional application as a web-based service. Therefore, it fits under the definition of Software as a Service (SaaS). In Infrastructure as a Service (IaaS), Compute as a Service (CaaS), and Platform as a Service (PaaS) approaches, the customer provides their own software. In this example, the vendor is providing the email software, so none of those choices are appropriate.

87. What type of trust relationship extends beyond the two domains participating in the trust to one or more of their subdomains? A. Transitive trust B. Inheritable trust C. Nontransitive trust D. Noninheritable trust

A. Transitive trusts go beyond the two domains directly involved in the trust relationship and extend to their subdomains.

53. If your organization needs to allow attachments in email to support critical business processes, what are the two best options for helping to avoid security problems caused by attachments? A. Train your users and use anti-malware tools. B. Encrypt your email and use anti-malware tools. C. Train your users and require S/MIME for all email. D. Use S/MIME by default and remove all ZIP (.zip) file attachments.

A. User awareness is one of the most important tools when dealing with attachments. Attachments are often used as a vector for malware, and aware users can help prevent successful attacks by not opening the attachments. Anti-malware tools, including antivirus software, can help detect known threats before users even see the attachments. Encryption, including tools like S/MIME, won't help prevent attachment-based security problems, and removing ZIP file attachments will only stop malware that is sent via those ZIP files.

61. Lauren's organization has deployed VoIP phones on the same switches that the desktop PCs are on. What security issue could this create, and what solution would help? A. VLAN hopping, use physically separate switches. B. VLAN hopping, use encryption. C. Caller ID spoofing, MAC filtering D. Denial of service attacks, use a firewall between networks.

A. VLAN hopping between the voice and computer VLANs can be accomplished when devices share the same switch infrastructure. Using physically separate switches can prevent this attack. Encryption won't help with VLAN hopping because it relies on header data that the switch needs to read (and this is unencrypted), while Caller ID spoofing is an inherent problem with VoIP systems. A denial of service is always a possibility, but it isn't specifically a VoIP issue and a firewall may not stop the problem if it's on a port that must be allowed through.

76. The financial services company that Susan works for provides a web portal for its users. When users need to verify their identity, the company uses information from third-party sources to ask questions based on their past credit reports, such as, "Which of the following streets did you live on in 2007?" What process is Susan's organization using? A. Identity proofing B. Password verification C. Authenticating with Type 2 authentication factor D. Out-of-band identity proofing

A. Verifying information that an individual should know about themselves using third-party factual information (a Type 1 authentication factor) is sometimes known as dynamic knowledge-based authentication and is a type of identity proofing. Out-of-band identity proofing would use another means of contacting the user, like a text message or phone call, and password verification requires a password.

80. In what virtualization model do full guest operating systems run on top of a virtualization platform? A. Virtual machines B. Software-defined networking C. Virtual SAN D. Application virtualization

A. Virtual machines run full guest operating systems on top of a host platform known as the hypervisor.

52. Ben is designing a Wi-Fi network and has been asked to choose the most secure option for the network. Which wireless security standard should he choose? A. WPA2 B. WPA C. WEP D. AES

A. WPA2, the replacement for WPA, does not suffer from the security issues that WEP, the original wireless security protocol, and WPA, its successor, both suffer from. AES is used in WPA2 but is not specifically a wireless security standard.

35. In her role as an information security professional, Susan has been asked to identify areas where her organization's wireless network may be accessible even though it isn't intended to be. What should Susan do to determine where her organization's wireless network is accessible? A. A site survey B. Warwalking C. Wardriving D. A design map

A. Wardriving and warwalking are both processes used to locate wireless networks, but are not typically as detailed and thorough as a site survey, and design map is a made-up term.

22. During a penetration test, Danielle needs to identify systems, but she hasn't gained sufficient access on the system she is using to generate raw packets. What type of scan should she run to verify the most open services? A. A TCP connect scan B. A TCP SYN scan C. A UDP scan D. An ICMP scan

A. When a tester does not have raw packet creation privileges, such as when they have not escalated privileges on a compromised host, a TCP connect scan can be used. TCP SYN scans require elevated privileges on most Linux systems due to the need to write raw packets. A UDP scan will miss most services that are provided via TCP, and an ICMP scan is merely a ping sweep of systems that respond to pings and won't identify services at all.
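The distinction matters in practice because a connect scan uses nothing but the ordinary connect() system call: the kernel builds every packet, so any unprivileged account can run it. The following is an added example (not from the practice test) of a minimal connect scanner. It starts its own loopback listener on an ephemeral port as a constructed target, then scans a small window of ports around it; the listener address, port window and timeout are assumptions chosen for the demonstration.

```python
import socket
from typing import Iterable, List


def start_listener(host: str = "127.0.0.1") -> socket.socket:
    """Constructed target: a loopback TCP listener on an ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))          # port 0 = let the OS pick a free port
    srv.listen(5)
    return srv


def connect_scan(host: str, ports: Iterable[int], timeout: float = 0.5) -> List[int]:
    """TCP connect scan: complete the full three-way handshake for each port.

    No raw-socket privilege is needed because the kernel builds the packets.
    connect_ex() returns 0 when the handshake completed (port open) and an
    errno otherwise (ECONNREFUSED for closed ports); a timeout or other
    OSError is treated as filtered/closed.
    """
    open_ports: List[int] = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                if s.connect_ex((host, port)) == 0:
                    open_ports.append(port)
            except OSError:
                continue
    return open_ports


def demo() -> dict:
    """Scan a small window around the constructed listener and report what was found."""
    srv = start_listener()
    try:
        host, open_port = srv.getsockname()
        candidates = range(max(1, open_port - 3), min(65535, open_port + 3) + 1)
        return {"listener": open_port, "found": connect_scan(host, candidates)}
    finally:
        srv.close()


if __name__ == "__main__":
    print(demo())
```

The trade-off a tester accepts is noise: every open port sees a completed connection, so the target's application logs record the scan, whereas a SYN scan (which needs raw packets and therefore privilege) never completes the handshake.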

64. In a Kerberos environment, when a user needs to access a network resource, what is sent to the TGS? A. A TGT B. An AS C. The SS D. A session key

A. When clients perform a client service authorization, they send a TGT and the ID of the requested service to the TGS, and the TGS responds with a client-to-server ticket and session key back to the client if the request is validated. An AS is an authentication server and the SS is a service server, neither of which can be sent.

40. A US government database contains Secret, Confidential, and Top Secret data. How should it be classified? A. Top Secret B. Confidential C. Secret D. Mixed classification

A. When data is stored in a mixed classification environment, it is typically classified based on the highest classification of data included. In this case, the US government's highest classification is Top Secret. Mixed classification is not a valid classification in this scheme.

100. Which mapping correctly matches data classifications between nongovernment and government classification schemes? A. Top Secret - Confidential/Proprietary Secret - Private - Confidential - Sensitive B. Secret - Business confidential - Classified - Proprietary - Confidential - Business Internal C. Top Secret - Business sensitive - Secret - Business internal - Confidential - Business proprietary D. Secret - Proprietary - Classified - Private - Unclassified - Public

A. While many non-government organizations create their own classification schemes, a common model aligns its levels with the U.S. government's classification labels the way option A does: Top Secret with confidential/proprietary, Secret with private, and Confidential with sensitive. Options B and D do not match the US government's Top Secret, Secret, Confidential scheme, and C incorrectly matches business proprietary data with confidential data as well as Top Secret data with business sensitive data. Business internal is often another term for business sensitive, meaning that it is used to match two classifications!

Alex is in charge of SAML integration with a major third-party partner that provides a variety of business productivity services for his organization. Use the following diagram and your knowledge of SAML integrations and security architecture design to answer the question. 45. What solution can best help address concerns about third parties that control SSO redirects as shown in step 2 in the diagram? A. An awareness campaign about trusted third parties B. TLS C. Handling redirects at the local site D. Implementing an IPS to capture SSO redirect attacks

A. While many solutions are technical, if a trusted third party redirects to an unexpected authentication site, awareness is often the best defense. Using TLS would keep the transaction confidential but would not prevent the redirect. Handling redirects locally only works for locally hosted sites, and using a third-party service requires offsite redirects. An IPS might detect an attacker's redirect, but tracking the multitude of load-balanced servers most large providers use can be challenging, if not impossible. In addition, an IPS relies on visibility into the traffic, and SAML integrations should be encrypted for security, which would require a man-in-the-middle type of IPS to be configured.

Ben is an information security professional at an organization that is replacing its physical servers with virtual machines. As the organization builds its virtual environment, it is decreasing the number of physical servers it uses while purchasing more powerful servers to act as the virtualization platforms. 74. Ben is concerned about exploits that allow VM escape. What option should Ben suggest to help limit the impact of VM escape exploits? A. Separate virtual machines onto separate physical hardware based on task or data types. B. Use VM escape detection tools on the underlying hypervisor. C. Restore machines to their original snapshots on a regular basis. D. Use a utility like Tripwire to look for changes in the virtual machines.

A. While virtual machine escape has only been demonstrated in laboratory environments, the threat is best dealt with by limiting what a successful attacker can gain from access to the underlying hypervisor. Segmenting by data types or access levels can limit the potential impact of a hypervisor compromise: if attackers can access the underlying system, restricting the breach to only similar data types or systems will limit the impact. Escape detection tools are not available on the market, restoring machines to their original snapshots will not prevent the exploit from occurring again, and Tripwire detects file changes and is unlikely to catch exploits that escape the virtual machines themselves.

99. What type of virus works by altering the system boot process to redirect the BIOS to load malware before the operating system loads? A. File infector B. MBR C. Polymorphic D. Service injection

B. A master boot record (MBR) virus redirects the boot process to load malware during the operating system loading process. File infector viruses infect one or more normal files stored on the system. Polymorphic viruses alter themselves to avoid detection. Service injection viruses compromise trusted components of the operating system.

20. Which one of the following is an example of an administrative control? A. Intrusion detection system B. Security awareness training C. Firewalls D. Security guards

B. Awareness training is an example of an administrative control. Firewalls and intrusion detection systems are technical controls. Security guards are physical controls.

55. Yolanda is writing a document that will provide configuration information regarding the minimum level of security that every system in the organisation must meet. What type of document is she preparing? A. Policy B. Baseline C. Guideline D. Procedure

B. Baselines provide the minimum level of security that every system throughout the organization must meet.

80. Ben is responsible for the security of payment card information stored in a database. Policy directs that he remove the information from the database, but he cannot do this for operational reasons. He obtained an exception to policy and is seeking an appropriate compensating control to mitigate the risk. What would be his best option? A. Purchasing insurance B. Encrypting the database contents C. Removing the data D. Objecting to the exception

B. Ben should encrypt the data to provide an additional layer of protection as a compensating control. The organisation has already made a policy exception, so he should not react by objecting to the exception or removing the data without authorisation. Purchasing insurance may transfer some of the risk but is not a mitigating control.

55. Which one of the following is not an effective control against SQL injection attacks? A. Escaping B. Client-side input validation C. Parameterization D. Limiting database permissions

B. Client-side input validation is not an effective security control because the attacker can easily bypass it by altering the code running in the client or by sending requests directly to the server. Escaping restricted characters prevents them from being passed to the database as syntax, and parameterization keeps user-supplied values separate from the SQL statement altogether. Limiting database permissions prevents dangerous code from executing even if an injection succeeds.

1. When designing an object-oriented model, which of the following situations is ideal? A. High cohesion, high coupling B. High cohesion, low coupling C. Low cohesion, low coupling D. Low cohesion, high coupling

B. Coupling is a description of the level of interaction between objects. Cohesion is the strength of the relationship between the purposes of methods within the same class. When you are developing an object-oriented model, it is desirable to have high cohesion and low coupling.

6. Which one of the following attack types attempts to exploit the trust relationship that a user's browser has with other websites by forcing the submission of an authenticated request to a third-party site? A. XSS B. CSRF C. SQL injection D. Session hijacking

B. Cross-site request forgery (XSRF or CSRF) attacks exploit the trust that sites have in a user's browser by attempting to force the submission of authenticated requests to third-party sites. Session hijacking attacks attempt to steal previously authenticated sessions but do not force the browser to submit requests. SQL injection directly attacks a database through a web application. Cross-site scripting uses reflected input to trick a user's browser into executing untrusted code from a trusted site.
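The root cause is that the browser attaches the session cookie to any request aimed at the site, including one an attacker's page triggers. The standard fix is a token that the attacker's page cannot obtain. The following is an added example (not from the practice test) of a session-bound anti-CSRF token: the token is an HMAC of the session identifier under a server-side key, the handler requires it on every state-changing request, and comparison is constant-time. The endpoint, request shape, session identifier and key are assumptions constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Server-side key; assumed to be loaded from protected configuration in practice.
SECRET_KEY = secrets.token_bytes(32)


def issue_token(session_id: str) -> str:
    """Derive a CSRF token bound to this session. The attacker's page shares
    the victim's cookie jar but cannot read the token out of the real page."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def verify_token(session_id: str, token) -> bool:
    """Constant-time comparison so a wrong token does not leak timing."""
    return hmac.compare_digest(issue_token(session_id), token or "")


def handle_transfer(request: dict) -> str:
    """Hypothetical state-changing endpoint. 'cookie_session' models the cookie
    the browser attaches automatically; 'form_*' keys model POST fields."""
    session_id = request.get("cookie_session")
    if not session_id:
        return "401 no session"
    if not verify_token(session_id, request.get("form_csrf_token")):
        return "403 csrf check failed"
    return f"200 transferred {request['form_amount']} to {request['form_to']}"


def demo() -> tuple:
    sid = "sess-abc123"
    # Legitimate form: rendered by the site, so it carries the token.
    legit = {"cookie_session": sid, "form_csrf_token": issue_token(sid),
             "form_amount": 250, "form_to": "bob"}
    # Forged request from a third-party page: the cookie rides along
    # automatically, but the attacker has no way to supply the token.
    forged = {"cookie_session": sid, "form_amount": 250, "form_to": "mallory"}
    # A guessed token fails the same way.
    guessed = dict(forged, form_csrf_token="0" * 64)
    return handle_transfer(legit), handle_transfer(forged), handle_transfer(guessed)


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Checking the token on GET requests is pointless (they should not change state); it is the POST/PUT/DELETE handlers that need it, and the check has to happen before the action, not after.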

58. Which one of the following conditions may make an application most vulnerable to a cross-site scripting (XSS) attack? A. Input validation B. Reflected input C. Unpatched server D. Promiscuous firewall rules

B. Cross-site scripting (XSS) attacks may take advantage of the use of reflected input in a web application where input provided by one user is displayed to another user. Input validation is a control used to prevent XSS attacks. XSS does not require an unpatched server or any firewall rules beyond those permitting access to the web application.

29. Which one of the following organizations would not be automatically subject to the terms of HIPAA if they engage in electronic transactions? A. Healthcare provider B. Health and fitness application developer C. Health information clearinghouse D. Health insurance plan

B. HIPAA regulates three types of entities—healthcare providers, health information clearinghouses, and health insurance plans—as well as the business associates of any of those covered entities.

71. Ben is seeking a control objective framework that is widely accepted around the world and focuses specifically on information security controls. Which one of the following frameworks would best meet his needs? A. ITIL B. ISO 27002 C. CMM D. PMBOK Guide

B. ISO 27002 is an international standard focused on information security and titled "Information technology - Security techniques - Code of practice for information security management." The IT Infrastructure Library (ITIL) does contain security management practices, but it is not the sole focus of the document and the ITIL security section is derived from ISO 27002. The Capability Maturity Model (CMM) is focused on software development, and the Project Management Body of Knowledge (PMBOK) Guide focuses on project management.

86. At which level of the Software Capability Maturity Model (SW-CMM) does an organization introduce basic life-cycle management processes? A. Initial B. Repeatable C. Defined D. Managed

B. In level 2, the Repeatable level of the SW-CMM, an organization introduces basic life-cycle management processes. Reuse of code in an organized fashion begins, and repeatable results are expected from similar projects. The key process areas for this level include Requirements Management, Software Project Planning, Software Project Tracking and Oversight, Software Subcontract Management, Software Quality Assurance, and Software Configuration Management.

69. In the diagram shown here, which is an example of an attribute? A. Account B. Owner C. AddFunds D. None of the above

B. In the diagram, Account is the name of the class. Owner and Balance are attributes of that class. AddFunds and RemoveFunds are methods of the class.

91. Which one of the following is the proper order of steps in the waterfall model of software development? A. Requirements, Design, Testing, Coding, Maintenance B. Requirements, Design, Coding, Testing, Maintenance C. Design, Requirements, Coding, Testing, Maintenance D. Design, Requirements, Testing, Coding, Maintenance

B. In the waterfall model, the software development process follows five sequential steps which are, in order: Requirements, Design, Coding, Testing, and Maintenance.

32. Referring to the database transaction shown, what would happen if no account exists in the Accounts table with account number 1001? BEGIN TRANSACTION UPDATE accounts SET balance = balance + 250 WHERE account_number = 1001; UPDATE accounts SET balance = balance - 250 WHERE account_number = 2002; END TRANSACTION A. The database would create a new account with this account number and give it a $250 balance. B. The database would ignore that command and still reduce the balance of the second account by $250. C. The database would roll back the transaction, ignoring the results of both commands. D. The database would generate an error message.

B. In this example, the two SQL commands are indeed bundled in a transaction, but it is not an error to issue an update command that does not match any rows. Therefore, the first command would "succeed" in updating zero rows and not generate an error or cause the transaction to roll back. The second command would then execute, reducing the balance of the second account by $250.
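The practical consequence is that atomicity alone does not protect integrity: money leaves account 2002 and arrives nowhere. The added example below (not from the practice test) runs the question's transaction against a constructed SQLite table in which only account 2002 exists, then shows the guard a practitioner would add: check the row count of each UPDATE and roll back the whole transaction if either touched anything other than exactly one row. The table contents and the 250 amount are constructed to match the question.

```python
import sqlite3


def make_accounts() -> sqlite3.Connection:
    """Constructed data: account 2002 exists with 1000; account 1001 does not."""
    # isolation_level=None leaves transaction control to the explicit
    # BEGIN/COMMIT/ROLLBACK below, mirroring the SQL in the question.
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute("CREATE TABLE accounts (account_number INTEGER PRIMARY KEY, balance INTEGER)")
    conn.execute("INSERT INTO accounts VALUES (2002, 1000)")
    return conn


def balance_of(conn: sqlite3.Connection, account: int):
    row = conn.execute("SELECT balance FROM accounts WHERE account_number = ?", (account,)).fetchone()
    return row[0] if row else None


def transfer_as_written(conn: sqlite3.Connection, credit: int, debit: int, amount: int) -> int:
    """The transaction exactly as in the question: an UPDATE that matches no
    rows is not an error, so the debit still commits."""
    cur = conn.cursor()
    cur.execute("BEGIN")
    cur.execute("UPDATE accounts SET balance = balance + ? WHERE account_number = ?", (amount, credit))
    cur.execute("UPDATE accounts SET balance = balance - ? WHERE account_number = ?", (amount, debit))
    cur.execute("COMMIT")
    return balance_of(conn, debit)


def transfer_guarded(conn: sqlite3.Connection, credit: int, debit: int, amount: int) -> int:
    """Same transfer, but each UPDATE must affect exactly one row or the whole
    transaction is rolled back, so the debit never commits on its own."""
    cur = conn.cursor()
    cur.execute("BEGIN")
    try:
        cur.execute("UPDATE accounts SET balance = balance + ? WHERE account_number = ?", (amount, credit))
        if cur.rowcount != 1:
            raise ValueError(f"credit account {credit} matched {cur.rowcount} rows")
        cur.execute("UPDATE accounts SET balance = balance - ? WHERE account_number = ?", (amount, debit))
        if cur.rowcount != 1:
            raise ValueError(f"debit account {debit} matched {cur.rowcount} rows")
        cur.execute("COMMIT")
    except ValueError:
        cur.execute("ROLLBACK")
    return balance_of(conn, debit)


if __name__ == "__main__":
    print("as written, 2002 ends at:", transfer_as_written(make_accounts(), 1001, 2002, 250))
    print("guarded, 2002 ends at:", transfer_guarded(make_accounts(), 1001, 2002, 250))
```

A foreign-key or CHECK constraint that forbids a negative balance would catch some of these cases too, but the row-count check is the one that directly encodes the business rule "a transfer moves money between two existing accounts".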

75. Gary is designing a database-driven application that relies on the use of aggregate functions. Which one of the following database concurrency issues might occur with aggregate functions and should be one of Gary's top concerns? A. Lost updates B. Incorrect summaries C. SQL injections D. Dirty reads

B. Incorrect summaries occur when one transaction is using an aggregate function to summarize data stored in a database while a second transaction is making modifications to the database, causing the summary to include incorrect information. Dirty reads occur when one transaction reads a value from a database that was written by another transaction that did not commit. Lost updates occur when one transaction writes a value to the database that overwrites a value needed by transactions that have earlier precedence, causing those transactions to read an incorrect value. SQL injection is a web application security flaw, not a database concurrency problem.

13. What concept in object-oriented programming allows a subclass to access methods belonging to a superclass? A. Polymorphism B. Inheritance C. Coupling D. Cohesion

B. Inheritance occurs when a subclass (or child class) is able to use methods belonging to a superclass (or parent class). Polymorphism occurs when different subclasses may have different methods using the same interfaces that respond differently. Coupling is a description of the level of interaction between objects. Cohesion is the strength of the relationship between the purposes of methods within the same class.

43. Which one of the following is not a technique used by virus authors to hide the existence of their virus from antimalware software? A. Stealth B. Multipartitism C. Polymorphism D. Encryption

B. Multipartite viruses use multiple propagation mechanisms to defeat system security controls but do not necessarily include techniques designed to hide the malware from antivirus software. Stealth viruses tamper with the operating system to hide their existence. Polymorphic viruses alter their code on each system they infect to defeat signature detection. Encrypted viruses use a similar technique, employing encryption to alter their appearance and avoid signature detection mechanisms.

100. Which one of the following is an administrative control that can protect the confidentiality of information? A. Encryption B. Non-disclosure agreement C. Firewall D. Fault tolerance

B. Non-disclosure agreements (NDAs) protect the confidentiality of sensitive information by requiring that employees and affiliates not share confidential information with third parties. NDAs normally remain in force after an employee leaves the company.

56. What type of project management tool is shown in the figure? A. WBS chart B. PERT chart C. Gantt chart D. Wireframe diagram

B. PERT charts use nodes to represent milestones or deliverables and then show the estimated time to move between milestones. Gantt charts use a different format with a row for each task and lines showing the expected duration of the task. Work breakdown structures are an earlier deliverable that divides project work into achievable tasks. Wireframe diagrams are used in web design.

36. Greg is battling a malware outbreak in his organization. He used specialized malware analysis tools to capture samples of the malware from three different systems and noticed that the code is changing slightly from infection to infection. Greg believes that this is the reason that antivirus software is having a tough time defeating the outbreak. What type of malware should Greg suspect is responsible for this security incident? A. Stealth virus B. Polymorphic virus C. Multipartite virus D. Encrypted virus

B. Polymorphic viruses mutate each time they infect a system by making adjustments to their code that assists them in evading signature detection mechanisms. Encrypted viruses also mutate from infection to infection but do so by encrypting themselves with different keys on each device.

91. Which type of business impact assessment tool is most appropriate when attempting to evaluate the impact of a failure on customer confidence? A. Quantitative B. Qualitative C. Annualized loss expectancy D. Reduction

B. Qualitative tools are often used in business impact assessment to capture the impact on intangible factors such as customer confidence, employee morale, and reputation.

22. Which one of the following actions might be taken as part of a business continuity plan? A. Restoring from backup tapes B. Implementing RAID C. Relocating to a cold site D. Restarting business operations

B. RAID technology provides fault tolerance for hard drive failures and is an example of a business continuity action. Restoring from backup tapes, relocating to a cold site, and restarting business operations are all disaster recovery actions.

78. Which of the following database keys is used by an RDBMS to uniquely identify each row in a database table? A. Foreign key B. Primary key C. Candidate key D. Referential key

B. Relational databases use the primary key to uniquely identify each of the rows in a table. The primary key is selected by the database designer from the set of candidate keys that are able to uniquely identify each row, but the RDBMS only uses the primary key for this purpose. Foreign keys are used to establish relationships between tables. Referential keys are not a type of database key.

70. Which one of the following statements is true about software testing? A. Static testing works on runtime environments. B. Static testing performs code analysis. C. Dynamic testing uses automated tools but static testing does not. D. Static testing is a more important testing technique than dynamic testing.

B. Static testing performs code analysis in an offline fashion, without actually executing the code. Dynamic testing evaluates code in a runtime environment. Both static and dynamic testing may use automated tools, and both are important security testing techniques.

72. Which one of the following laws requires that communications service providers cooperate with law enforcement requests? A. ECPA B. CALEA C. Privacy Act D. HITECH Act

B. The Communications Assistance for Law Enforcement Act (CALEA) requires that all communications carriers make wiretaps possible for law enforcement officials who have an appropriate court order.

34. Which one of the following categories of organisations is most likely to be covered by the provisions of FISMA? A. Banks B. Defense contractors C. School districts D. Hospitals

B. The Federal Information Security Management Act (FISMA) applies to federal government agencies and contractors. Of the entities listed, a defense contractor is the most likely to have government contracts subject to FISMA.

50. What law serves as the basis for privacy rights in the United States? A. Privacy Act of 1974 B. Fourth Amendment C. First Amendment D. Electronic Communications Privacy Act of 1986

B. The Fourth Amendment directly prohibits government agents from searching private property without a warrant and probable cause. The courts have expanded the interpretation of the Fourth Amendment to include protections against other invasions of privacy.

73. Every year, Gary receives privacy notices in the mail from financial institutions where he has accounts. What law requires the institutions to send Gary these notices? A. FERPA B. GLBA C. HIPAA D. HITECH

B. The Gramm-Leach-Bliley Act (GLBA) places strict privacy regulations on financial institutions, including providing written notice of privacy practices to customers.

35. Robert is responsible for securing systems used to process credit card information. What standard should guide his actions? A. HIPAA B. PCI DSS C. SOX D. GLBA

B. The Payment Card Industry Data Security Standard (PCI DSS) governs the storage, processing, and transmission of credit card information.

Robert is a consultant who helps organisations create and develop mature software development practices. He prefers to use the Software Capability Maturity Model (SW-CMM) to evaluate the current and future status of organizations using both independent review and self-assessments. He is currently working with two different clients. Acme Widgets is not very well organised with their software development practices. They have a dedicated team of developers who do "whatever it takes" to get software out the door, but they do not have any formal processes. Beta Particles is a company with years of experience developing software using formal, documented software development processes. They use a standard model for software development but do not have a quantitative management of those processes. 18. Robert is working with Acme Widgets on a strategy to advance their software development practices. What SW-CMM stage should be their next target milestone? A. Defined B. Repeatable C. Initial D. Managed

B. The Repeatable stage is the second stage in the SW-CMM, following the Initial stage. It should be the next milestone goal for Acme Widgets. The Repeatable stage is characterized by basic life-cycle management processes.

Henry is the risk manager for Atwood Landing, a resort community in the midwestern United States. The resort's main data centre is located in northern Indiana in an area that is prone to tornados. Henry recently undertook a replacement cost analysis and determined that rebuilding and reconfiguring the data centre would cost $10 million. Henry consulted with tornado experts, data centre specialists, and structural engineers. Together, they determined that a typical tornado would cause approximately $5 million of damage to the facility. The meteorologists determined that Atwood's facility lies in an area where they are likely to experience a tornado once every 200 years. 97. Based upon the information in this scenario, what is the annualised rate of occurrence for a tornado at Atwood Landing's data centre? A. 0.0025 B. 0.005 C. 0.01 D. 0.015

B. The annualised rate of occurrence is the number of times that risk analysts expect a risk to happen in any given year. In this case, the analysts expect tornados once every 200 years, or 0.005 times per year.

15. Which one of the following controls would best protect an application against buffer overflow attacks? A. Encryption B. Input validation C. Firewall D. Intrusion prevention system

B. The best protection against buffer overflow attacks is server-side input validation. This technique limits user input to approved ranges of values that fit within allocated buffers. While firewalls and intrusion prevention systems may contain controls that limit buffer overflows, it would be more effective to perform filtering on the application server. Encryption cannot protect against buffer overflow attacks.

16. Berta is analyzing the logs of the Windows Firewall on one of her servers and comes across the entries shown in this figure. What type of attack do these entries indicate? A. SQL injection B. Port scan C. Teardrop D. Land

B. The log entries show the characteristic pattern of a port scan. The attacking system sends connection attempts to the target system against a series of commonly used ports.
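The pattern Berta is looking at is one source address hitting many distinct destination ports in a short time. The following is an added example (not from the practice test, and not the figure from the question) of that detection logic run over constructed log lines in the Windows Firewall pfirewall.log field layout. The addresses, timestamps, threshold of 10 distinct ports and 60-second window are assumptions chosen for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Windows Firewall pfirewall.log layout (not real traffic).
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-03-01 10:15:01 DROP TCP 203.0.113.5 10.0.0.7 51234 21 52 S 1 0 8192 - - - RECEIVE
2024-03-01 10:15:01 DROP TCP 203.0.113.5 10.0.0.7 51235 22 52 S 1 0 8192 - - - RECEIVE
2024-03-01 10:15:01 DROP TCP 203.0.113.5 10.0.0.7 51236 23 52 S 1 0 8192 - - - RECEIVE
2024-03-01 10:15:01 DROP TCP 203.0.113.5 10.0.0.7 51237 25 52 S 1 0 8192 - - - RECEIVE
2024-03-01 10:15:02 DROP TCP 203.0.113.5 10.0.0.7 51238 53 52 S 1 0 8192 - - - RECEIVE
2024-03-01 10:15:02 DROP TCP 203.0.113.5 10.0.0.7 51239 80 52 S 1 0 8192 - - - RECEIVE
2024-03-01 10:15:02 DROP TCP 203.0.113.5 10.0.0.7 51240 110 52 S 1 0 8192 - - - RECEIVE
2024-03-01 10:15:02 DROP TCP 203.0.113.5 10.0.0.7 51241 135 52 S 1 0 8192 - - - RECEIVE
2024-03-01 10:15:03 DROP TCP 203.0.113.5 10.0.0.7 51242 139 52 S 1 0 8192 - - - RECEIVE
2024-03-01 10:15:03 DROP TCP 203.0.113.5 10.0.0.7 51243 443 52 S 1 0 8192 - - - RECEIVE
2024-03-01 10:15:03 DROP TCP 203.0.113.5 10.0.0.7 51244 445 52 S 1 0 8192 - - - RECEIVE
2024-03-01 10:15:03 DROP TCP 203.0.113.5 10.0.0.7 51245 3389 52 S 1 0 8192 - - - RECEIVE
2024-03-01 10:15:03 ALLOW TCP 10.0.0.20 10.0.0.7 50001 443 52 S 1 0 8192 - - - RECEIVE
2024-03-01 10:15:04 ALLOW TCP 10.0.0.20 10.0.0.7 50002 443 52 S 1 0 8192 - - - RECEIVE
2024-03-01 10:15:30 DROP TCP 10.0.0.20 10.0.0.7 50003 445 52 S 1 0 8192 - - - RECEIVE
"""


def parse(log_text: str) -> list:
    """Return (timestamp, action, protocol, src_ip, dst_ip, dst_port) tuples,
    skipping the '#' header lines the firewall writes at the top of the file."""
    events = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split()
        ts = datetime.strptime(f"{f[0]} {f[1]}", "%Y-%m-%d %H:%M:%S")
        events.append((ts, f[2], f[3], f[4], f[5], int(f[7])))
    return events


def find_port_scans(events: list, min_ports: int = 10, window: timedelta = timedelta(seconds=60)) -> dict:
    """Flag any source that touched at least min_ports distinct destination
    ports within one sliding window. Dropped and allowed connections both
    count: a scanner probing an open port is still scanning."""
    by_src = defaultdict(list)
    for ts, _action, _proto, src, _dst, dport in events:
        by_src[src].append((ts, dport))
    hits = {}
    for src, probes in by_src.items():
        probes.sort()
        for i, (t0, _) in enumerate(probes):
            ports = {p for t, p in probes[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                hits[src] = len(ports)
                break
    return hits


if __name__ == "__main__":
    print(find_port_scans(parse(SAMPLE_LOG)))
```

Counting distinct ports rather than raw connection attempts is what separates the scanner from the busy workstation on 10.0.0.20, which makes several connections but to only two ports.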

40. Which one of the following individuals would be the most effective organizational owner for an information security program? A. CISSP-certified analyst B. Chief information officer C. Manager of network security D. President and CEO

B. The owner of information security programs may be different from the individuals responsible for implementing the controls. This person should be as senior an individual as possible who is able to focus on the management of the security program. The president and CEO would not be an appropriate choice because an executive at this level is unlikely to have the time necessary to focus on security. Of the remaining choices, the CIO holds the most senior position and would be the strongest advocate at the executive level.

59. Which one of the following is not a requirement for an invention to be patentable? A. It must be new. B. It must be invented by an American citizen. C. It must be nonobvious. D. It must be useful.

B. There is no requirement that patents be for inventions made by American citizens. Patentable inventions must, on the other hand, be new, nonobvious, and useful.

49. What type of attack is demonstrated in the C programming language example below? int myarray[10]; myarray[10] = 8; A. Mismatched data types B. Overflow C. SQL injection D. Covert channel

B. This is an example of a specific type of buffer overflow known as an off-by-one error. The first line of the code defines an array of 10 elements, which would be numbered 0 through 9. The second line of code tries to place a value in the 11th element of the array (remember, array counting begins at 0!), which would cause an overflow.

53. What type of vulnerability does a TOC/TOU attack target? A. Lack of input validation B. Race condition C. Injection flaw D. Lack of encryption

B. Time of check to time of use (TOC/TOU) attacks target situations where there is a race condition, meaning that a dependence on the timing of actions allows impermissible actions to take place.
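The classic instance is a program that inspects a file path and then opens that path a moment later, leaving a window in which an attacker can replace the file with a symbolic link to something sensitive. The added example below (not from the practice test) reproduces that race deterministically by running the attacker's swap inside the window, then shows the fix: open once with O_NOFOLLOW and validate the descriptor you actually got, so the check and the use refer to the same object. File names and contents are constructed; the example assumes a POSIX system where os.O_NOFOLLOW and symlinks are available.

```python
import os
import stat
import tempfile


def read_vulnerable(path: str, between_check_and_use=lambda: None):
    """Check-then-use on a path name. The check and the open are separate
    operations on a name that the file system may rebind in between."""
    if os.path.isfile(path) and not os.path.islink(path):   # time of check
        between_check_and_use()                               # the race window
        with open(path) as f:                                 # time of use
            return f.read()
    return None


def read_safe(path: str):
    """Single open with O_NOFOLLOW, then validate the opened descriptor.
    Whatever the path points to afterwards no longer matters."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)      # symlink -> ELOOP
    except OSError:
        return None
    with os.fdopen(fd, "r") as f:                             # fdopen owns fd
        if not stat.S_ISREG(os.fstat(f.fileno()).st_mode):
            return None
        return f.read()


def demo() -> dict:
    """Constructed scenario: the program is told to read report.txt; the
    attacker swaps it for a symlink to shadow between check and use."""
    with tempfile.TemporaryDirectory() as d:
        secret = os.path.join(d, "shadow")
        target = os.path.join(d, "report.txt")
        with open(secret, "w") as f:
            f.write("root:hash")
        with open(target, "w") as f:
            f.write("harmless report")

        def attacker_swaps():
            os.remove(target)                 # also removes a stale symlink
            os.symlink(secret, target)

        vulnerable = read_vulnerable(target, attacker_swaps)
        attacker_swaps()                      # same swap, before the safe open
        safe = read_safe(target)
        return {"vulnerable": vulnerable, "safe": safe}


if __name__ == "__main__":
    print(demo())
```

The same idea applies beyond files: any check against a name (a path, a hostname, a privilege flag read once) should be replaced by a check against the handle or object actually used, or the operation should be made atomic by the kernel.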

Juniper Content is a web content development company with 40 employees located in two offices: one in New York and a smaller office in the San Francisco Bay Area. Each office has a local area network protected by a perimeter firewall. The LAN contains modern switch equipment connected to both wired and wireless networks. Each office has its own file server, and the IT team runs software every hour to synchronise files between the two servers, distributing content between the offices. These servers are primarily used to store images and other files related to web content developed by the company. The team also uses a SaaS-based email and document collaboration solution for much of their work. You are the newly appointed IT manager for Juniper Content and you are working to augment existing security controls to improve the organization's security. 47. Users in the two offices would like to access each other's file servers over the Internet. What control would provide confidentiality for those communications? A. Digital signatures B. Virtual private network C. Virtual LAN D. Digital content management

B. Virtual private networks (VPNs) provide secure communications channels over otherwise insecure networks (such as the Internet) using encryption. If you establish a VPN connection between the two offices, users in one office could securely access content located on the other office's server over the Internet. Digital signatures are used to provide nonrepudiation, not confidentiality. Virtual LANs (VLANs) provide network segmentation on local networks but do not cross the Internet. Digital content management solutions are designed to manage web content, not access shared files located on a file server.

Linda is reviewing posts to a user forum on her company's website and when she browses a certain post, a message pops up in a dialog box on her screen reading "Alert." She reviews the source code for the post and finds the following code snippet: <script>alert('Alert');</script> 39. Linda communicates with the vendor and determines that no patch is available to correct this vulnerability. Which one of the following devices would best help her defend the application against further attack? A. VPN B. WAF C. DLP D. IDS

B. Web application firewalls (WAFs) sit in front of web applications and watch for potentially malicious web attacks, including cross-site scripting. They then block that traffic from reaching the web application. An intrusion detection system (IDS) may detect the attack but is unable to take action to prevent it. DLP and VPN solutions are unable to detect web application attacks.

33. The Acme Widgets Company is putting new controls in place for its accounting department. Management is concerned that a rogue accountant may be able to create a new false vendor and then issue checks to that vendor as payment for services that were never rendered. What security control can best help prevent this situation? A. Mandatory vacation B. Separation of duties C. Defense in depth D. Job rotation

B. When following the separation of duties principle, organizations divide critical tasks into discrete components and ensure that no one individual has the ability to perform both actions. This prevents a single rogue individual from performing that task in an unauthorized manner.

47. In an object-oriented programming language, what does one object invoke in a second object to interact with the second object? A. Instance B. Method C. Behavior D. Class

B. When one object wishes to interact with another object, it does so by invoking one of the second object's methods, including required and, perhaps, optional arguments to that method.

37. Alan works for an e-commerce company that recently had some content stolen by another website and republished without permission. What type of intellectual property protection would best preserve Alan's company's rights? A. Trade secret B. Copyright C. Trademark D. Patent

B. Written works, such as website content, are normally protected by copyright law. Trade secret status would not be appropriate here because the content is online and available outside the company. Patents protect inventions and trademarks protect words and symbols used to represent a brand, neither of which is relevant in this scenario.

97. Which one of the following tools might an attacker use to best identify vulnerabilities in a targeted system? A. nmap B. nessus C. ipconfig D. traceroute

B. Nessus is a vulnerability scanner designed for use by security professionals but equally available to attackers. nmap may also assist attackers, but it primarily identifies live hosts, open ports, and service versions and has only limited capability to identify vulnerabilities. ipconfig displays network configuration information about a system, whereas traceroute identifies the network path between two systems.

58. What is the default subnet mask for a Class B network? A. 255.0.0.0 B. 255.255.0.0 C. 255.254.0.0 D. 255.255.255.0

B. A Class B network has 16 host bits, giving 2^16 (65,536) addresses, and its default network mask is 255.255.0.0.

88. Beth would like to include technology in a secure area of her data center to protect against unwanted electromagnetic emanations. What technology would assist her with this goal? A. Heartbeat sensor B. Faraday cage C. Piggybacking D. WPA2

B. A Faraday cage is a metal skin that prevents electromagnetic emanations from exiting. It is a rarely used technology because it is unwieldy and expensive, but it is quite effective at blocking unwanted radiation.

44. What term is used to describe a set of common security configurations, often provided by a third party? A. Security policy B. Baseline C. DSS D. SP 800

B. A baseline is a set of security configurations that can be adopted and modified to fit an organization's security needs. A security policy is written to describe an organization's approach to security, while DSS is the second half of the Payment Card Industry Data Security Standard. The NIST SP 800 series of documents addresses computer security in a variety of areas.

3. What term is used to describe a starting point for a minimum security standard? A. Outline B. Baseline C. Policy D. Configuration guide

B. A baseline is used to ensure a minimum security standard. A policy is the foundation that a standard may point to for authority, and a configuration guide may be built from a baseline to help staff who need to implement it to accomplish their task. An outline is helpful, but outline isn't the term you're looking for here.

10. Callback to a home phone number is an example of what type of factor? A. Type 1 B. Somewhere you are C. Type 3 D. Geographic

B. A callback to a home phone number is an example of a "somewhere you are" factor. This could potentially be spoofed by call forwarding or using a VoIP system. Type 1 factors are "something you know," Type 3 factors are biometric, and geographic factors are typically based on IP addresses or access to a GPS.

24. An attack that causes a service to fail by exhausting all of a system's resources is what type of attack? A. A worm B. A denial of service attack C. A virus D. A smurf attack

B. A denial of service attack is an attack that causes a service to fail or to be unavailable. Exhausting a system's resources to cause a service to fail is a common form of denial of service attack. A worm is a self-replicating form of malware that propagates via a network, a virus is a type of malware that can copy itself to spread, and a Smurf attack is a distributed denial of service (DDoS) attack that sends ICMP echo requests to a network's broadcast address with the victim's IP address as the spoofed source, so every host on that network replies to the victim.

41. What tool is used to prevent employees who leave from sharing proprietary information with their new employers? A. Encryption B. NDA C. Classification D. Purging

B. A non-disclosure agreement, or NDA, is a legal agreement that prevents employees from sharing proprietary data with their new employers. Purging is used on media, while classification is used on data. Encryption can help secure data, but it doesn't stop employees who can decrypt or copy the data from sharing it.

18. What network tool can be used to protect the identity of clients while providing Internet access by accepting client requests, altering the source addresses of the requests, mapping requests to clients, and sending the modified requests out to their destination? A. A gateway B. A proxy C. A router D. A firewall

B. A proxy is a form of gateway that provides clients with a filtering, caching, or other service that protects their information from remote systems. A router connects networks, while a firewall uses rules to limit traffic permitted through it. A gateway translates between protocols.

7. Which one of the following might a security team use on a honeypot system to consume an attacker's time while alerting administrators? A. Honeynet B. Pseudoflaw C. Warning banner D. Darknet

B. A pseudoflaw is a false vulnerability in a system that may attract an attacker. A honeynet is a network of multiple honeypots that creates a more sophisticated environment for intruders to explore. A darknet is a segment of unused network address space that should have no network activity and, therefore, may be easily used to monitor for illicit activity. A warning banner is a legal tool used to notify intruders that they are not authorized to access a system.

87. A denial of service (DoS) attack that sends fragmented TCP packets is known as what kind of attack? A. Christmas tree B. Teardrop C. Stack killer D. Frag grenade

B. A teardrop attack sends overlapping IP fragments to target a flaw in how a system's TCP/IP stack handles fragment reassembly. If the attack is successful, the stack fails, resulting in a denial of service. Christmas tree attacks set all of the possible TCP flags on a packet, thus "lighting it up like a Christmas tree." Stack killer and frag grenade attacks are made-up answers.
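What a hardened reassembler checks for, as an added example that is not part of the original question bank: fragments are modelled as (offset, payload, more-fragments) tuples, a constructed teardrop-style pair in which the second fragment lies entirely inside the first is detected as overlapping, and reassembly refuses overlaps and gaps instead of trusting the offsets. Byte offsets are used for readability; real IP headers carry the offset in 8-byte units, and the sample fragments are constructed, not captured.

```python
# Each fragment is (byte_offset, payload, more_fragments). Real IP headers carry
# the offset in 8-byte units; plain byte offsets are used here for readability.
TEARDROP = [                      # constructed: second fragment lies inside the first
    (0, b"A" * 36, True),
    (24, b"B" * 4, False),
]
BENIGN = [                        # constructed: two adjacent, non-overlapping fragments
    (0, b"hello ", True),
    (6, b"world", False),
]


def check_fragments(fragments):
    """Return a list of (existing_range, new_range) pairs that overlap."""
    seen, overlaps = [], []
    for off, payload, _mf in fragments:
        rng = (off, off + len(payload))
        for prev in seen:
            if rng[0] < prev[1] and prev[0] < rng[1]:   # half-open interval overlap
                overlaps.append((prev, rng))
        seen.append(rng)
    return overlaps


def is_teardrop(fragments):
    """True when any two fragments of the same datagram overlap."""
    return bool(check_fragments(fragments))


def reassemble(fragments):
    """Reassemble only when fragments tile the datagram exactly; refuse overlaps and gaps."""
    if check_fragments(fragments):
        raise ValueError("overlapping fragments (teardrop pattern)")
    ordered = sorted(fragments, key=lambda f: f[0])
    if not ordered or ordered[-1][2]:
        raise ValueError("final fragment (MF=0) missing")
    out, expected = bytearray(), 0
    for off, payload, _mf in ordered:
        if off != expected:
            raise ValueError(f"gap before offset {off}")
        out += payload
        expected += len(payload)
    return bytes(out)


if __name__ == "__main__":
    print("benign:", reassemble(BENIGN))
    print("teardrop detected:", is_teardrop(TEARDROP))
```

The overlap test is the same one an IDS fragment preprocessor applies; the reassembler never copies a fragment into a buffer position it has already filled, which is the step the original vulnerable stacks got wrong.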

79. What type of firewall design does the image below show (Internet connected to router connected to firewall connected to private network & DMZ)? A. A single-tier firewall B. A two-tier firewall C. A three-tier firewall D. A fully protected DMZ firewall

B. A two-tier firewall uses a firewall with multiple interfaces or multiple firewalls in series. This image shows a firewall with two protected interfaces, with one used for a DMZ and one used for a protected network. This allows traffic to be filtered between each of the zones (Internet, DMZ, and private network).

Your organization regularly handles three types of data: information that it shares with customers, information that it uses internally to conduct business, and trade secret information that offers the organization significant competitive advantages. Information shared with customers is used and stored on web servers, while both the internal business data and the trade secret information are stored on internal file servers and employee workstations. 16. What type of encryption should you use on the file servers for the proprietary data, and how might you secure the data when it is in motion? A. TLS at rest and AES in motion B. AES at rest and TLS in motion C. VPN at rest and TLS in motion D. DES at rest and AES in motion

B. AES is a strong modern symmetric encryption algorithm that is appropriate for encrypting data at rest. TLS is frequently used to secure data when it is in transit. A virtual private network is not necessarily an encrypted connection and would be used for data in motion, while DES is an outdated algorithm and should not be used for data that needs strong security.

26. The Address Resolution Protocol (ARP) and the Reverse Address Resolution Protocol (RARP) operate at what layer of the OSI model? A. Layer 1 B. Layer 2 C. Layer 3 D. Layer 4

B. ARP and RARP operate at the Data Link layer, the second layer of the OSI model. Both protocols deal with physical hardware addresses, which are used above the Physical layer (layer 1) and below the Network layer (layer 3), thus falling at the Data Link layer.

37. One of Susan's attacks during a penetration test involves inserting false ARP data into a system's ARP cache. When the system attempts to send traffic to the address it believes belongs to a legitimate system, it will instead send that traffic to a system she controls. What is this attack called? A. RARP Flooding B. ARP cache poisoning C. A denial of ARP attack D. ARP buffer blasting

B. ARP cache poisoning occurs when false ARP data is inserted into a system's ARP cache, allowing the attacker to modify its behavior. RARP flooding, denial of ARP attacks, and ARP buffer blasting are all made-up terms.
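Detection logic for the behaviour described above, as an added example that is not part of the original question bank: the script parses constructed tcpdump-style ARP reply lines (not real captured traffic), tracks which MAC address answers for each IP, and raises an alert when an IP's MAC changes or when one MAC starts claiming several IPs, the two signatures a poisoning attack leaves. The addresses, the optional static table, and the line format are assumptions made for the example.

```python
import re

# Constructed sample in tcpdump style (not captured traffic). A legitimate reply
# for the gateway 10.0.0.1, then a different MAC starts answering for it and for
# a second host as well: the signature of ARP cache poisoning.
SAMPLE_CAPTURE = """\
12:00:01.000 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:01, length 28
12:00:02.000 ARP, Reply 10.0.0.7 is-at 00:11:22:33:44:07, length 28
12:00:03.000 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:01, length 28
12:00:04.000 ARP, Reply 10.0.0.1 is-at de:ad:be:ef:00:99, length 28
12:00:05.000 ARP, Reply 10.0.0.7 is-at de:ad:be:ef:00:99, length 28
"""

REPLY_RE = re.compile(r"^(\S+) ARP, Reply (\S+) is-at ([0-9a-fA-F:]{17})")


def parse_arp_replies(text):
    """Yield (timestamp, ip, mac) for each ARP reply line; other lines are ignored."""
    for line in text.splitlines():
        m = REPLY_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3).lower()


def detect_arp_poisoning(replies, static_table=None):
    """Flag (a) an IP whose MAC changes and (b) a MAC that claims several IPs.
    static_table: optional known-good {ip: mac} (e.g. the gateway) seeded as trusted."""
    ip_to_mac = {ip: mac.lower() for ip, mac in (static_table or {}).items()}
    mac_to_ips = {}
    for ip, mac in ip_to_mac.items():
        mac_to_ips.setdefault(mac, set()).add(ip)
    alerts = []
    for ts, ip, mac in replies:
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append({"ts": ts, "type": "mac-change", "ip": ip, "old": prev, "new": mac})
        ip_to_mac[ip] = mac
        claimed = mac_to_ips.setdefault(mac, set())
        claimed.add(ip)
        if len(claimed) > 1:
            alerts.append({"ts": ts, "type": "multi-ip", "mac": mac, "ips": sorted(claimed)})
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(parse_arp_replies(SAMPLE_CAPTURE)):
        print(alert)
```

Seeding `static_table` with the gateway's real MAC means the very first forged reply for the gateway is flagged rather than silently learned; without it the detector can only notice a change after it has seen a legitimate reply.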

96. Object-oriented programming languages use a black box approach to development, where users of an object do not necessarily need to know the object's implementation details. What term is used to describe this concept? A. Layering B. Abstraction C. Data hiding D. Process isolation

B. Abstraction uses a black box approach to hide the implementation details of an object from the users of that object.

95. What term is used to describe the formal declaration by a designated approving authority (DAA) that an IT system is approved to operate in a specific environment? A. Certification B. Accreditation C. Evaluation D. Approval

B. Accreditation is the formal approval by a DAA that an IT system may operate in a described risk environment.

55. Microsoft's Active Directory Domain Services is based on which of the following technologies? A. RADIUS B. LDAP C. SSO D. PKI

B. Active Directory Domain Services is based on LDAP, the Lightweight Directory Access Protocol. Active Directory also uses Kerberos for authentication.

90. What danger is created by allowing the OpenID relying party to control the connection to the OpenID provider? A. It may cause incorrect selection of the proper OpenID provider. B. It creates the possibility of a phishing attack by sending data to a fake OpenID provider. C. The relying party may be able to steal the client's username and password. D. The relying party may not send a signed assertion.

B. Allowing the relying party to provide the redirect to the OpenID provider could allow a phishing attack by directing clients to a fake OpenID provider that can capture valid credentials. Since the OpenID provider URL is provided by the client, the relying party cannot select the wrong provider. The relying party never receives the user's password, which means that they can't steal it. Finally, the relying party receives the signed assertion but does not send one.
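One mitigation for the redirect risk described above, as an added example that is not part of the original question bank: before sending the browser to an OpenID provider endpoint, the relying party validates the endpoint against an allowlist of provider hosts, accepting only https and rejecting look-alike domains and userinfo tricks such as `https://login.example.com@evil.net/`. The allowlist, the hostnames, and the function names are assumptions for the example; a real relying party would populate the allowlist from its own provider configuration.

```python
from urllib.parse import urlsplit

# Assumption: the relying party keeps an allowlist of OpenID provider hosts it is
# willing to redirect users to. The hostnames here are placeholders.
TRUSTED_PROVIDERS = {"login.example.com", "id.example.org"}


def validate_provider_endpoint(url, trusted=TRUSTED_PROVIDERS):
    """Return (ok, reason). Accept only https URLs whose host is exactly an
    allowlisted provider; reject userinfo tricks and look-alike domains."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False, "scheme must be https"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL is not allowed"
    host = parts.hostname                      # lower-cased, port stripped
    if not host:
        return False, "no host"
    host = host.rstrip(".")
    if host not in trusted:
        return False, f"host {host!r} is not an allowlisted provider"
    return True, "ok"


def safe_redirect_target(url, trusted=TRUSTED_PROVIDERS):
    """Return the URL to redirect the browser to, or None if the relying party must refuse."""
    ok, _reason = validate_provider_endpoint(url, trusted)
    return url if ok else None


if __name__ == "__main__":
    for candidate in [
        "https://login.example.com/openid/auth",
        "http://login.example.com/openid/auth",
        "https://login.example.com.evil.net/openid/auth",
        "https://login.example.com@evil.net/openid/auth",
    ]:
        print(candidate, "->", validate_provider_endpoint(candidate))
```

Exact host matching (rather than a prefix or substring test) is what defeats `login.example.com.evil.net`; checking `parts.username` separately from `parts.hostname` is what defeats the `@` form, because the browser would connect to `evil.net` in that case.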

7. NIST Special Publication 800-53A describes four major types of assessment objects that can be used to identify items being assessed. If the assessment covers IPS devices, which of the types of assessment objects is being assessed? A. A specification B. A mechanism C. An activity D. An individual

B. An IPS is an example of a mechanism, such as a hardware-, software-, or firmware-based control or system. Specifications are document-based artifacts like policies or designs, activities are actions that support an information system and involve people, and an individual is one or more people applying specifications, mechanisms, or activities.

47. Which of the following is not an interface that is typically tested during the software testing process? A. APIs B. Network interfaces C. UIs D. Physical interfaces

B. Application programming interfaces (APIs), user interfaces (UIs), and physical interfaces are all important to test when performing software testing. Network interfaces are not a part of the typical list of interfaces tested in software testing.

83. What type of firewall is known as a second-generation firewall? A. Static packet filtering firewalls B. Application-level gateway firewalls C. Stateful inspection firewalls D. Unified Threat Management

B. Application-level gateway firewalls are known as second-generation firewalls. Static packet filtering firewalls are known as first-generation firewalls, and stateful packet inspection firewalls are known as third-generation firewalls. UTM, or Unified Threat Management, is a concept used in next-generation firewalls.

24. Jim has worked in human relations, payroll, and customer service roles in his company over the past few years. What type of process should his company perform to ensure that he has appropriate rights? A. Re-provisioning B. Account review C. Privilege creep D. Account revocation

B. As an employee's role changes, they often experience privilege creep, which is the accumulation of old rights and roles. Account review is the process of reviewing accounts and ensuring that their rights match their owners' role and job requirements. Account revocation removes accounts, while re-provisioning might occur if an employee was terminated and returned or took a leave of absence and returned.

Gary was recently hired as the first chief information security officer (CISO) for a local government agency. The agency recently suffered a security breach and is attempting to build a new information security program. Gary would like to apply some best practices for security operations as he is designing this program. 13. Gary is preparing to create an account for a new user and assign privileges to the HR database. What two elements of information must Gary verify before granting this access? A. Credentials and need to know B. Clearance and need to know C. Password and clearance D. Password and biometric scan

B. Before granting access, Gary should verify that the user has a valid security clearance and a business need to know the information. Gary is performing an authorization task, so he does not need to verify the user's credentials, such as a password or biometric scan.

53. Beth is selecting a disaster recovery facility for her organization. She would like to choose a facility that has appropriate environmental controls and power for her operations but wants to minimize costs. She is willing to accept a lengthy recovery time. What type of facility should she choose? A. Hot site B. Cold site C. Warm site D. Service bureau

B. Beth should choose a cold site. This type of facility meets her requirements for environmental controls and power but does not have the equipment or data found in a warm site, hot site, or service bureau. However, it does have the lowest cost of the four options.

42. Which pair of the following factors are key for user acceptance of biometric identification systems? A. The FAR B. The throughput rate and the time required to enroll C. The CER and the ERR D. How often users must reenroll and the reference profile requirements

B. Biometric systems can face major usability challenges if the time to enroll is long (over a couple of minutes) and if the speed at which the biometric system is able to scan and accept or reject the user is too slow. FAR and FRR may be important in the design decisions made by administrators or designers, but they aren't typically visible to users. CER and ERR (more commonly written EER, the equal error rate) are the same thing: the point where FAR and FRR meet. Reference profile requirements are a system requirement, not a user requirement.

Ben's organization is adopting biometric authentication for its high-security building's access control system. Using the following chart (PERCENT against SENSITIVITY) 87. What should Ben do if the FAR and FRR shown in this diagram does not provide an acceptable performance level for his organization's needs? A. Adjust the sensitivity of the biometric devices. B. Assess other biometric systems to compare them. C. Move the CER. D. Adjust the FRR settings in software.

B. CER is a standard used to assess biometric devices. If the CER for this device does not fit the needs of the organization, Ben should assess other biometric systems to find one with a lower CER. Sensitivity is already accounted for in CER charts, and moving the CER isn't something Ben can do. FRR is not a setting in software, so Ben can't use that as an option either.
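How the crossover point is found from a device's score distributions, as an added example that is not part of the original question bank and that also illustrates the CER/FAR/FRR relationship from the previous question: the script sweeps every observed match score as a threshold, computes FAR (impostors accepted) and FRR (genuine users rejected) at each, reports the threshold where the two are closest, and ranks two candidate systems by the resulting CER. The score lists are constructed, not measurements from any real device.

```python
# Constructed matching scores (higher = more similar to the enrolled template).
# Not measurements from any real device.
SYSTEM_A = {
    "genuine":  [0.9, 0.8, 0.7, 0.6, 0.5],
    "impostor": [0.2, 0.3, 0.4, 0.55, 0.75],
}
SYSTEM_B = {
    "genuine":  [0.95, 0.9, 0.85, 0.8, 0.7],
    "impostor": [0.1, 0.2, 0.3, 0.4, 0.5],
}


def far_frr(genuine, impostor, threshold):
    """FAR: share of impostors accepted (score >= threshold).
    FRR: share of genuine users rejected (score < threshold)."""
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def crossover_error_rate(genuine, impostor):
    """Sweep every observed score as a threshold and return the point where
    FAR and FRR are closest; the rate there is the CER (also called EER)."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = far_frr(genuine, impostor, t)
        gap = abs(far - frr)
        if best is None or gap < best["gap"]:
            best = {"threshold": t, "far": far, "frr": frr, "gap": gap}
    best["cer"] = (best["far"] + best["frr"]) / 2
    return best


def rank_by_cer(systems):
    """Order candidate systems from lowest (best) to highest CER."""
    scored = {name: crossover_error_rate(s["genuine"], s["impostor"])["cer"]
              for name, s in systems.items()}
    return sorted(scored, key=scored.get)


if __name__ == "__main__":
    for name, system in {"A": SYSTEM_A, "B": SYSTEM_B}.items():
        print(name, crossover_error_rate(system["genuine"], system["impostor"]))
    print("ranking:", rank_by_cer({"A": SYSTEM_A, "B": SYSTEM_B}))
```

Raising the threshold trades FAR for FRR along the same curve, which is why "adjusting sensitivity" never lowers the CER itself; only a device whose genuine and impostor distributions overlap less (system B here) has a lower crossover.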

63. Carla has worked for her company for 15 years and has held a variety of different positions. Each time she changed positions, she gained new privileges associated with that position, but no privileges were ever taken away. What concept describes the sets of privileges she has accumulated? A. Entitlement B. Aggregation C. Transitivity D. Isolation

B. Carla's account has experienced aggregation, where privileges accumulated over time. This condition is also known as privilege creep and likely constitutes a violation of the least privilege principle.

95. What speed is Category 3 UTP cable rated for? A. 5 Mbps B. 10 Mbps C. 100 Mbps D. 1000 Mbps

B. Category 3 UTP cable is primarily used for phone cables and was also used for early Ethernet networks where it provided 10 Mbps of throughput. Cat 5 cable provides 100 Mbps (and 1000 Mbps if it is Cat 5e). Cat 6 cable can also provide 1000 Mbps.

90. Rick is an application developer who works primarily in Python. He recently decided to evaluate a new service where he provides his Python code to a vendor who then executes it on their server environment. What type of cloud computing environment is this service? A. SaaS B. PaaS C. IaaS D. CaaS

B. Cloud computing systems where the customer only provides application code for execution on a vendor-supplied computing platform are examples of Platform as a Service (PaaS) computing.

44. What four types of coverage criteria are commonly used when validating the work of a code testing suite? A. Input, statement, branch, and condition coverage B. Function, statement, branch, and condition coverage C. API, branch, bounds, and condition coverage D. Bounds, branch, loop, and condition coverage

B. Code coverage testing most frequently requires that every function has been called, that each statement has been executed, that all branches have been fully explored, and that each condition has been evaluated for all possibilities. API, input, and loop testing are not common types of code coverage testing measures.

96. What issue occurs when data transmitted over one set of wires is picked up by another set of wires? A. Magnetic interference B. Crosstalk C. Transmission absorption D. Amplitude modulation

B. Crosstalk occurs when data transmitted on one set of wires is picked up on another set of wires. Interference like this is electromagnetic rather than simply magnetic, transmission absorption is a made-up term, and amplitude modulation is how AM radio works.

Ben is an information security professional at an organization that is replacing its physical servers with virtual machines. As the organization builds its virtual environment, it is decreasing the number of physical servers it uses while purchasing more powerful servers to act as the virtualization platforms. 73. The VM administrators recommend enabling cut and paste between virtual machines. What security concern should Ben raise about this practice? A. It can cause a denial of service condition. B. It can serve as a covert channel. C. It can allow viruses to spread. D. It can bypass authentication controls.

B. Cut and paste between virtual machines can bypass normal network-based data loss prevention tools and monitoring tools like an IDS or IPS. Thus, it can act as a covert channel, allowing the transport of data between security zones. So far, cut and paste has not been used as a method for malware spread in virtual environments and has not been associated with denial of service attacks. Cut and paste requires users to be logged in and does not bypass authentication requirements.

19. During troubleshooting, Chris uses the nslookup command to check the IP address of a host he is attempting to connect to. The IP he sees in the response is not the IP that should resolve when the lookup is done. What type of attack has likely been conducted? A. DNS spoofing B. DNS poisoning C. ARP spoofing D. A Cain attack

B. DNS poisoning occurs when an attacker changes the domain name to IP address mappings of a system to redirect traffic to alternate systems. DNS spoofing occurs when an attacker sends false replies to a requesting system, beating valid replies from the actual DNS server. ARP spoofing provides a false hardware address in response to queries about an IP, and Cain & Abel is a powerful Windows hacking tool, but a Cain attack is not a specific type of attack.

66. Data stored in RAM is best characterized as what type of data? A. Data at rest B. Data in use C. Data in transit D. Data at large

B. Data in use is data that is in a temporary storage location while an application or process is using it. Thus, data in memory is best described as data in use or ephemeral data. Data at rest is in storage, while data in transit is traveling over a network or other channel. Data at large is a made-up term.

13. What term describes data that remains after attempts have been made to remove the data? A. Residual bytes B. Data remanence C. Slack space D. Zero fill

B. Data remanence is a term used to describe data left after attempts to erase or remove data. Slack space describes unused space in a disk cluster, zero fill is a wiping methodology that replaces all data bits with zeroes, and residual bytes is a made-up term.

9. What major issue often results from decentralized access control? A. Access outages may occur. B. Control is not consistent. C. Control is too granular. D. Training costs are high.

B. Decentralized access control can result in less consistency because the individuals tasked with control may interpret policies and requirements differently and may perform their roles in different ways. Access outages, overly granular control, and training costs may occur, depending on specific implementations, but they are not commonly identified issues with decentralized access control.

50. What method uses a strong magnetic field to erase media? A. Magwipe B. Degaussing C. Sanitization D. Purging

B. Degaussing uses strong magnetic fields to erase magnetic media. Magwipe is a made-up term. Sanitization is a combination of processes used to remove data from a system or media to ensure that it cannot be recovered. Purging is a more intensive form of clearing, used on media that will be reused in a lower classification or lower security environment.

17. Ben has configured his network to not broadcast a SSID. Why might Ben disable SSID broadcast, and how could his SSID be discovered? A. Disabling SSID broadcast prevents attackers from discovering the encryption key. The SSID can be recovered from decrypted packets. B. Disabling SSID broadcast hides networks from unauthorized personnel. The SSID can be discovered using a wireless sniffer. C. Disabling SSID broadcast prevents issues with beacon frames. The SSID can be recovered by reconstructing the BSSID. D. Disabling SSID broadcast helps avoid SSID conflicts. The SSID can be discovered by attempting to connect to the network.

B. Disabling SSID broadcast can help prevent unauthorized personnel from attempting to connect to the network. Since the SSID is still active, it can be discovered by using a wireless sniffer. Encryption keys are not related to SSID broadcast, beacon frames are used to broadcast the SSID, and it is possible to have multiple networks with the same SSID.

46. Susan has been asked to recommend whether her organization should use a mandatory access control scheme or a discretionary access control scheme. If flexibility and scalability is an important requirement for implementing access controls, which scheme should she recommend and why? A. MAC, because it provides greater scalability and flexibility because you can simply add more labels as needed B. DAC, because allowing individual administrators to make choices about the objects they control provides scalability and flexibility C. MAC, because compartmentalization is well suited to flexibility and adding compartments will allow it to scale well D. DAC, because a central decision process allows quick responses and will provide scalability by reducing the number of decisions required and flexibility by moving those decisions to a central authority

B. Discretionary access control (DAC) can provide greater scalability by leveraging many administrators, and those administrators can add flexibility by making decisions about access to their objects without fitting into an inflexible mandatory access control system (MAC). MAC is more secure due to the strong set of controls it provides, but it does not scale as well as DAC and is relatively inflexible in comparison.

33. Fred's organization allows downgrading of systems for reuse after projects have been finished and the systems have been purged. What concern should Fred raise about the reuse of the systems from his Top Secret classified project for a future project classified as Secret? A. The Top Secret data may be commingled with the Secret data, resulting in a need to relabel the system. B. The cost of the sanitization process may exceed the cost of new equipment. C. The data may be exposed as part of the sanitization process. D. The organization's DLP system may flag the new system due to the difference in data labels.

B. Downgrading systems and media is rare due to the difficulty of ensuring that sanitization is complete. The need to completely wipe (or destroy) the media that systems use means that the cost of reuse is often significant and may exceed the cost of purchasing a new system or media. The goal of purging is to ensure that no data remains, so commingling data should not be a concern, nor should the exposure of the data; only staff with the proper clearance should handle the systems! Finally, a DLP system should flag data based on labels, not on the system it comes from.

92. RAID-5 is an example of what type of control? A. Administrative B. Recovery C. Compensation D. Logical

B. Drives in a RAID-5 array are intended to handle failure of a drive. This is an example of a recovery control, which is used to return operations to normal function after a failure. Administrative controls are policies and procedures. Compensation controls help cover for issues with primary controls or improve them. Logical controls are software and hardware mechanisms used to protect resources and systems.

78. What type of disaster recovery test activates the alternate processing facility and uses it to conduct transactions but leaves the primary site up and running? A. Full interruption test B. Parallel test C. Checklist review D. Tabletop exercise

B. During a parallel test, the team actually activates the disaster recovery site for testing but the primary site remains operational. During a full interruption test, the team takes down the primary site and confirms that the disaster recovery site is capable of handling regular operations. The full interruption test is the most thorough test but also the most disruptive. The checklist review is the least disruptive type of disaster recovery test. During a checklist review, team members each review the contents of their disaster recovery checklists on their own and suggest any necessary changes. During a tabletop exercise, team members come together and walk through a scenario without making any changes to information systems.

Alice and Bob would like to use an asymmetric cryptosystem to communicate with each other. They are located in different parts of the country but have exchanged encryption keys by using digital certificates signed by a mutually trusted certificate authority. 18. Which one of the following keys would Bob not possess in this scenario? A. Alice's public key B. Alice's private key C. Bob's public key D. Bob's private key

B. Each user retains their private key as secret information. In this scenario, Bob would only have access to his own private key and would not have access to the private key of Alice or any other user.

30. Emily builds a script that sends data to a web application that she is testing. Each time the script runs, it sends a series of transactions with data that fits the expected requirements of the web application to verify that it responds to typical customer behavior. What type of transactions is she using, and what type of test is this? A. Synthetic, passive monitoring B. Synthetic, use case testing C. Actual, dynamic monitoring D. Actual, fuzzing

B. Emily is using synthetic transactions, which can use recorded or generated transactions, and is conducting use case testing to verify that the application responds properly to actual use cases. Neither actual data nor dynamic monitoring is an industry term. Fuzzing involves sending unexpected inputs to a program to see how it responds. Passive monitoring uses a network tap or other capture technology to allow monitoring of actual traffic to a system or application.

62. What action can you take to prevent accidental data disclosure due to wear leveling on an SSD device before reusing the drive? A. Reformatting B. Disk encryption C. Degaussing D. Physical destruction

B. Encrypting the data on an SSD from the outset protects against disclosure through wear leveling: any stale copies of blocks that the drive's wear-leveling logic retains in areas a wipe cannot reach are ciphertext and cannot be read without the key. Disk formatting does not effectively remove data from any device. Degaussing is only effective for magnetic media. Physically destroying the drive would not permit reuse.

30. Full disk encryption like Microsoft's BitLocker is used to protect data in what state? A. Data in transit B. Data at rest C. Unlabeled data D. Labeled data

B. Full disk encryption only protects data at rest. Since it encrypts the full disk, it does not distinguish between labeled and unlabeled data.

80. What challenge is most common for endpoint security system deployments? A. Compromises B. The volume of data C. Monitoring encrypted traffic on the network D. Handling non-TCP protocols

B. Endpoint security solutions face challenges due to the sheer volume of data that they can create. When each workstation is generating data about events, this can be a massive amount of data. Endpoint security solutions should reduce the number of compromises when properly implemented, and they can also help by monitoring traffic after it is decrypted on the local host. Finally, non-TCP protocols are relatively uncommon on modern networks, making this a relatively rare concern for endpoint security system implementations.

76. When a host on an Ethernet network detects a collision and transmits a jam signal, what happens next? A. The host that transmitted the jam signal is allowed to retransmit while all other hosts pause until that transmission is received successfully. B. All hosts stop transmitting and each host waits a random period of time before attempting to transmit again. C. All hosts stop transmitting and each host waits a period of time based on how recently it successfully transmitted. D. Hosts wait for the token to be passed and then resume transmitting data as they pass the token.

B. Ethernet networks use Carrier-Sense Multiple Access with Collision Detection (CSMA/CD) technology. When a collision is detected and a jam signal is sent, hosts wait a random period of time before attempting retransmission.

26. What problem with FTP and Telnet makes using SFTP and SSH better alternatives? A. FTP and Telnet aren't installed on many systems. B. FTP and Telnet do not encrypt data. C. FTP and Telnet have known bugs and are no longer maintained. D. FTP and Telnet are difficult to use, making SFTP and SSH the preferred solution.

B. FTP and Telnet do not provide encryption for the data they transmit and should not be used if they can be avoided. SFTP and SSH provide encryption to protect both the data they send and the credentials that are used to log in via both utilities.

67. Kathleen is reviewing the code for an application. She first plans the review, conducts an overview session with the reviewers and assigns roles, and then works with the reviewers to review materials and prepare for their roles. Next, she intends to review the code, rework it, and ensure that all defects found have been corrected. What type of review is Kathleen conducting? A. A dynamic test B. Fagan inspection C. Fuzzing D. A Roth-Parker review

B. Fagan testing is a detailed code review that steps through planning, overview, preparation, inspection, rework, and follow-up phases. Dynamic tests test the code in a real runtime environment, whereas fuzzing is a type of dynamic testing that feeds invalid inputs to software to test its exception-handling capabilities. Roth-Parker reviews were made up for this question.

84. Steve has been tasked with implementing a network storage protocol over an IP network. What storage-centric converged protocol is he likely to use in his implementation? A. MPLS B. FCoE C. SDN D. VoIP

B. Fibre Channel over Ethernet allows Fibre Channel communications over Ethernet networks, allowing existing high-speed networks to be used to carry storage traffic. This avoids the cost of a custom cable plant for a Fibre Channel implementation. MPLS, or Multiprotocol Label Switching, is used for high-performance networking; VoIP is Voice over IP; and SDN is Software-Defined Networking.

83. Which of the following is not an issue when using fuzzing to find program faults? A. They often find only simple faults. B. Fuzz testing bugs are often severe. C. Fuzzers may not fully cover the code. D. Fuzzers can't reproduce errors.

B. Finding severe bugs is not a fault—in fact, fuzzing often finds important issues that would otherwise have been exploitable. Fuzzers can reproduce errors, but typically don't fully cover the code—code coverage tools are usually paired with fuzzers to validate how much coverage was possible. Fuzzers are often limited to simple errors because they won't handle business logic or attacks that require knowledge from the application user.

59. What type of access control is typically used by firewalls? A. Discretionary access controls B. Rule-based access controls C. Task-based access control D. Mandatory access controls

B. Firewalls use rule-based access control, or Rule-BAC, in their access control lists and apply rules created by administrators to all traffic that passes through them. DAC, or discretionary access control, allows owners to determine who can access objects they control, while task-based access control lists tasks for users. MAC, or mandatory access control, uses classifications to determine access.

16. Saria wants to log and review traffic information between parts of her network. What type of network logging should she enable on her routers to allow her to perform this analysis? A. Audit logging B. Flow logging C. Trace logging D. Route logging

B. Flows, also often called network flows, are captured to provide insight into network traffic for security, troubleshooting, and performance management. Audit logging provides information about events on the routers, route logging is not a common network logging function, and trace logs are used in troubleshooting specific software packages as they perform their functions.

86. Gina is the firewall administrator for a small business and recently installed a new firewall. After seeing signs of unusually heavy network traffic, she checked the intrusion detection system, which reported that a fraggle attack was underway. What firewall configuration change can Gina make to most effectively prevent this attack? A. Block ICMP echo reply packets from entering the network. B. Block UDP port 7 and 9 traffic from entering the network. C. Block the source address of the attack. D. Block the destination address of the attack.

B. Fraggle attacks use a distributed attack approach to send UDP traffic at a targeted system from many different source addresses on ports 7 and 9. The most effective way to block this attack would be to block inbound UDP traffic on those ports. Blocking the source addresses is not feasible because the attacker would likely simply change the source addresses. Blocking destination addresses would likely disrupt normal activity. The fraggle attack does not use ICMP, so blocking that traffic would have no effect.

9. FHSS, DSSS, and OFDM all use what wireless communication method that occurs over multiple frequencies simultaneously? A. Wi-Fi B. Spread Spectrum C. Multiplexing D. Orthogonal modulation

B. Frequency Hopping Spread Spectrum (FHSS), Direct Sequence Spread Spectrum (DSSS), and Orthogonal Frequency-Division Multiplexing (OFDM) all use spread spectrum techniques to transmit on more than one frequency at the same time. Neither FHSS nor DSSS uses orthogonal modulation, while multiplexing describes combining multiple signals over a shared medium of any sort. Wi-Fi may receive interference from FHSS systems but doesn't use it.

Gary was recently hired as the first chief information security officer (CISO) for a local government agency. The agency recently suffered a security breach and is attempting to build a new information security program. Gary would like to apply some best practices for security operations as he is designing this program. 11. As Gary decides what access permissions he should grant to each user, what principle should guide his decisions about default permissions? A. Separation of duties B. Least privilege C. Aggregation D. Separation of privileges

B. Gary should follow the least privilege principle and assign users only the permissions they need to perform their job responsibilities. Aggregation is a term used to describe the unintentional accumulation of privileges over time, also known as privilege creep. Separation of duties and separation of privileges are principles used to secure sensitive processes.

41. Chris uses the standard penetration testing methodology shown here (Planning, Information gathering & discovery, Vulnerability scanning, Exploitation, Reporting). Use this methodology and your knowledge of penetration testing to answer the following questions about tool usage during a penetration test. What task is the most important during Phase 1, Planning? A. Building a test lab B. Getting authorization C. Gathering appropriate tools D. Determining if the test is white, black, or gray box

B. Getting authorization is the most critical element in the planning phase. Permission, and the "get out of jail free card" that demonstrates that organizational leadership is aware of the issues that a penetration test could cause, is the first step in any penetration test. Gathering tools and building a lab, as well as determining what type of test will be conducted, are all important, but nothing should happen without permission.

50. Google's identity integration with a variety of organizations and applications across domains is an example of which of the following? A. PKI B. Federation C. Single sign-on D. Provisioning

B. Google's federation with other applications and organizations allows single-sign on as well as management of their electronic identity and its related attributes. While this is an example of SSO, it goes beyond simple single-sign on. Provisioning provides accounts and rights, and a public key infrastructure is used for certificate management.

The company that Jennifer works for has implemented a central logging infrastructure, as shown in the following image (CORPORATE NETWORK that has WiFi access point and Windows desktop systems [FIREWALL] DATA CENTRE to SIEM appliance, Linux Database server & Linux Web server). Use this diagram and your knowledge of logging systems to answer the following question. 19. Jennifer needs to ensure that all Windows systems provide identical logging information to the SIEM. How can she best ensure that all Windows desktops have the same log settings? A. Perform periodic configuration audits. B. Use Group Policy. C. Use Local Policy. D. Deploy a Windows syslog client.

B. Group Policy enforced by Active Directory can ensure consistent logging settings and can provide regular enforcement of policy on systems. Periodic configuration audits won't catch changes made between audits, and local policies can drift due to local changes or differences in deployments. A Windows syslog client will enable the Windows systems to send syslog to the SIEM appliance but won't ensure consistent logging of events.

43. Chris is responsible for his organization's security standards and has guided the selection and implementation of a security baseline for Windows PCs in his organization. How can Chris most effectively make sure that the workstations he is responsible for are being checked for compliance and that settings are being applied as necessary? A. Assign users to spot-check baseline compliance. B. Use Microsoft Group Policy. C. Create startup scripts to apply policy at system start. D. Periodically review the baselines with the data owner and system owners.

B. Group Policy provides the ability to monitor and apply settings in a security baseline. Manual checks by users or using startup scripts provide fewer reviews and may be prone to failure, while periodic review of the baseline won't result in compliance being checked.

58. When designing an access control scheme, Hilda set up roles so that the same person does not have the ability to provision a new user account and assign superuser privileges to an account. What information security principle is Hilda following? A. Least privilege B. Separation of duties C. Job rotation D. Security through obscurity

B. Hilda's design follows the principle of separation of duties. Giving one user the ability to both create new accounts and grant administrative privileges combines two actions that would result in a significant security change that should be divided among two users.

68. Cable modems, ISDN, and DSL are all examples of what type of technology? A. Baseband B. Broadband C. Digital D. Broadcast

B. ISDN, cable modems, DSL, and T1 and T3 lines are all examples of broadband technology that can support multiple simultaneous signals. They are analog, not digital, and are not broadcast technologies.

Lauren's organization has used a popular instant messaging service for a number of years. Recently, concerns have been raised about the use of instant messaging. (Internet via -A- to Firewall then router then switch then (a) workstation with IM traffic via TCP 80 & (c) workstation, Workstation (b) receives from Internet IM traffic via TCP 80) 31. How could Lauren's company best address a desire for secure instant messaging for users of internal systems A and C? A. Use a 3rd party instant messaging service. B. Implement and use a locally hosted IM service. C. Use HTTPS. D. Discontinue use of IM and instead use email, which is more secure.

B. If a business need requires instant messaging, using a local instant messaging server is the best option. This prevents traffic from traveling to a third-party server and can offer additional benefits such as logging, archiving, and control of security options like the use of encryption.

69. In a Software as a Service cloud computing environment, who is normally responsible for ensuring that appropriate firewall controls are in place? A. Customer's security team B. Vendor C. Customer's networking team D. Customer's infrastructure management team

B. In a Software as a Service environment, the customer has no access to any underlying infrastructure, so firewall management is a vendor responsibility under the cloud computing shared responsibility model.

54. Which NIST special publication covers the assessment of security and privacy controls? A. 800-12 B. 800-53A C. 800-34 D. 800-86

B. NIST SP 800-53A is titled "Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans," and covers methods for assessing and measuring controls. NIST 800-12 is an introduction to computer security, 800-34 covers contingency planning, and 800-86 is the "Guide to Integrating Forensic Techniques into Incident Response."

64. A hacker recently violated the integrity of data in James's company by modifying a file using a precise timing attack. The attacker waited until James verified the integrity of a file's contents using a hash value and then modified the file between the time that James verified the integrity and read the contents of the file. What type of attack took place? A. Social engineering B. TOCTOU C. Data diddling D. Parameter checking

B. In a Time of Check/Time of Use (TOCTOU) attack, the attacker exploits the difference in time between when a security control is verified and the data protected by the control is actually used.

77. John and Gary are negotiating a business transaction and John must demonstrate to Gary that he has access to a system. He engages in an electronic version of the "magic door" scenario shown below (*****). What technique is John using? A. Split-knowledge proof B. Zero-knowledge proof C. Logical proof D. Mathematical proof

B. In a zero-knowledge proof, one individual demonstrates to another that they can achieve a result that requires sensitive information without actually disclosing the sensitive information.

4. Harry would like to retrieve a lost encryption key from a database that uses m of n control with m = 4 and n = 8. What is the minimum number of escrow agents required to retrieve the key? A. 2 B. 4 C. 8 D. 12

B. In an m of n control system, at least m of n possible escrow agents must collaborate to retrieve an encryption key from the escrow database.

37. What is the minimum number of independent parties necessary to implement the Fair Cryptosystems approach to key escrow? A. 1 B. 2 C. 3 D. 4

B. In the Fair Cryptosystem approach to key escrow, the secret keys used in communications are divided into two or more pieces, each of which is given to an independent third party.

28. Helen is implementing a new security mechanism for granting employees administrative privileges in the accounting system. She designs the process so that both the employee's manager and the accounting manager must approve the request before the access is granted. What information security principle is Helen enforcing? A. Least privilege B. Two-person control C. Job rotation D. Separation of duties

B. In this scenario, Helen designed a process that requires the concurrence of two people to perform a sensitive action. This is an example of two-person control.

Alex is in charge of SAML integration with a major third-party partner that provides a variety of business productivity services for his organization. Using the following diagram (**) and your knowledge of SAML integrations and security architecture design, answer the following question. 44. If Alex's organization is one that is primarily made up of offsite, traveling users, what availability risk does integration of critical business applications to onsite authentication create and how could he solve it? A. Third-party integration may not be trustworthy; use SSL and digital signatures. B. If the home organization is offline, traveling users won't be able to access third-party applications; implement a hybrid cloud/local authentication system. C. Local users may not be properly redirected to the third-party services; implement a local gateway. D. Browsers may not properly redirect; use host files to ensure that issues with redirects are resolved.

B. Integration with cloud-based third parties that rely on local authentication can fail if the local organization's Internet connectivity or servers are offline. Adopting a hybrid cloud and local authentication system can ensure that Internet or server outages are handled, allowing authentication to work regardless of where the user is or if their home organization is online. Using encrypted and signed communication does not address availability, redirects are a configuration issue with the third party, and a local gateway won't handle remote users. Also, host files don't help with availability issues with services other than DNS.

32. Earlier this year, the information security team at Jim's employer identified a vulnerability in the web server that Jim is responsible for maintaining. He immediately applied the patch and is sure that it installed properly, but the vulnerability scanner has continued to flag the system as vulnerable even though Jim is sure the patch is installed. Which of the following options is Jim's best choice to deal with the issue? A. Uninstall and reinstall the patch. B. Ask the information security team to flag the system as patched and not vulnerable. C. Update the version information in the web server's configuration. D. Review the vulnerability report and use alternate remediation instructions if they are provided.

B. Jim should ask the information security team to flag the issue as resolved if he is sure the patch was installed. Many vulnerability scanners rely on version information or banner information, and may flag patched versions if the software provider does not update the information they see. Uninstalling and reinstalling the patch will not change this. Changing the version information may not change all of the details that are being flagged by the scanner, and may cause issues at a later date. Reviewing the vulnerability information for a workaround may be a good idea but should not be necessary if the proper patch is installed; it can create maintenance issues later.

23. During a port scan using nmap, Joseph discovers that a system shows two ports open that cause him immediate worry: 21/open 23/open What services are likely running on those ports? A. SSH and FTP B. FTP and Telnet C. SMTP and Telnet D. POP3 and SMTP

B. Joseph may be surprised to discover FTP (TCP port 21) and Telnet (TCP port 23) open on his network since both services are unencrypted and have been largely replaced by SSH, and SCP or SFTP. SSH uses port 22, SMTP uses port 25, and POP3 uses port 110.

18. Karen's organization has been performing system backups for years but has not used the backups frequently. During a recent system outage, when administrators tried to restore from backups they found that the backups had errors and could not be restored. Which of the following options should Karen avoid when selecting ways to ensure that her organization's backups will work next time? A. Log review B. MTD verification C. Hashing D. Periodic testing

B. Karen can't use MTD verification because MTD is the Maximum Tolerable Downtime. Verifying it will only tell her how long systems can be offline without significant business impact. Reviewing logs, using hashing to verify that the logs are intact, and performing periodic tests are all valid ways to verify that the backups are working properly.

32. What cryptographic principle stands behind the idea that cryptographic algorithms should be open to public inspection? A. Security through obscurity B. Kerckhoffs' principle C. Defense in depth D. Heisenberg principle

B. Kerckhoffs' principle says that a cryptographic system should be secure even if everything about the system, except the key, is public knowledge.

2. During a security assessment of a wireless network, Jim discovers that LEAP is in use on a network using WPA. What recommendation should Jim make? A. Continue to use LEAP. It provides better security than TKIP for WPA networks. B. Use an alternate protocol like PEAP or EAP-TLS and implement WPA2 if supported. C. Continue to use LEAP to avoid authentication issues, but move to WPA2. D. Use an alternate protocol like PEAP or EAP-TLS, and implement Wired Equivalent Privacy to avoid wireless security issues.

B. LEAP, the Lightweight Extensible Authentication Protocol, is a Cisco proprietary protocol designed to handle problems with TKIP. Unfortunately, LEAP has significant security issues as well and should not be used. Any modern hardware should support WPA2 and technologies like PEAP or EAP-TLS. Using WEP, the predecessor to WPA and WPA2, would be a major step back in security for any network.

61. Lauren's team conducts regression testing on each patch that they release. What key performance measure should they maintain to measure the effectiveness of their testing? A. Time to remediate vulnerabilities B. A measure of the rate of defect recurrence C. A weighted risk trend D. A measure of the specific coverage of their testing

B. Lauren's team is using regression testing, which is intended to prevent the recurrence of issues. This means that measuring the rate of defect recurrence is an appropriate measure for their work. Time to remediate vulnerabilities is associated with activities like patching, rather than preparing the patch, whereas a weighted risk trend is used to measure risk over time to an organization. Finally, specific coverage may be useful to determine if they are fully testing their effort, but regression testing is more specifically covered by defect recurrence rates.

98. Which of the following types of access controls do not describe a lock? A. Physical B. Directive C. Preventative D. Deterrent

B. Locks can be preventative access controls by stopping unwanted access, can deter potential intruders by making access difficult, and are physical access controls. They are not directive controls because they don't control the actions of subjects.

55. The Windows ipconfig command displays the following information: BC-5F-F4-7B-4B-7D What term describes this, and what information can be gathered from it? A. The IP address, the network location of the system B. The MAC address, the network interface card's manufacturer C. The MAC address, the media type in use D. The IPv6 client ID, the network interface card's manufacturer

B. Machine Access Control (MAC) addresses are the hardware address the machine uses for layer 2 communications. The MAC addresses include an organizationally unique identifier (OUI), which identifies the manufacturer. MAC addresses can be changed, so this is not a guarantee of accuracy, but under normal circumstances you can tell what manufacturer made the device by using the MAC address.

27. The government defense contractor that Saria works for has recently shut down a major research project and is planning on reusing the hundreds of thousands of dollars of systems and data storage tapes used for the project for other purposes. When Saria reviews the company's internal processes, she finds that she can't reuse the tapes and that the manual says they should be destroyed. Why isn't Saria allowed to degauss and then reuse the tapes to save her employer money? A. Data permanence may be an issue. B. Data remanence is a concern. C. The tapes may suffer from bitrot. D. Data from tapes can't be erased by degaussing.

B. Many organizations require the destruction of media that contains data at higher levels of classification. Often the cost of the media is lower than the potential costs of data exposure, and it is difficult to guarantee that reused media doesn't contain remnant data. Tapes can be erased by degaussing, but degaussing is not always fully effective. Bitrot describes the slow loss of data on aging media, while data permanence is a term sometimes used to describe the life span of data and media.

4. When media is labeled based on the classification of the data it contains, what rule is typically applied regarding labels? A. The data is labeled based on its integrity requirements. B. The media is labeled based on the highest classification level of the data it contains. C. The media is labeled with all levels of classification of the data it contains. D. The media is labeled with the lowest level of classification of the data it contains.

B. Media is typically labeled with the highest classification level of data it contains. This prevents the data from being handled or accessible at a lower classification level. Data integrity requirements may be part of a classification process but don't independently drive labeling in a classification scheme.

6. Which of the following items are not commonly associated with restricted interfaces? A. Shells B. Keyboards C. Menus D. Database views

B. Menus, shells, and database views are all commonly used for constrained interfaces. A keyboard is not typically a constrained interface, although physically constrained interfaces like those found on ATMs, card readers, and other devices are common.

57. Jim is working with a penetration testing contractor who proposes using Metasploit as part of her penetration testing effort. What should Jim expect to occur when Metasploit is used? A. Systems will be scanned for vulnerabilities. B. Systems will have known vulnerabilities exploited. C. Services will be probed for buffer overflow and other unknown flaws. D. Systems will be tested for zero-day exploits.

B. Metasploit is an exploitation package that is designed to assist penetration testers. A tester using Metasploit can exploit known vulnerabilities for which an exploit has been created or can create their own exploits using the tool. While Metasploit provides built-in access to some vulnerability scanning functionality, a tester using Metasploit should primarily be expected to perform actual tests of exploitable vulnerabilities. Similarly, Metasploit supports creating buffer overflow attacks, but it is not a purpose-built buffer overflow testing tool, and of course testing systems for zero-day exploits doesn't work unless they have been released.

32. Which of the following drawbacks is a concern when multilayer protocols are allowed? A. A range of protocols may be used at higher layers. B. Covert channels are allowed. C. Filters cannot be bypassed. D. Encryption can't be incorporated at multiple layers.

B. Multilayer protocols create three primary concerns for security practitioners: They can conceal covert channels (and thus covert channels are allowed), filters can be bypassed by traffic concealed in layered protocols, and the logical boundaries put in place by network segments can be bypassed under some circumstances. Multilayer protocols allow encryption at various layers and support a range of protocols at higher layers.

76. You are performing an investigation into a potential bot infection on your network and wish to perform a forensic analysis of the information that passed between different systems on your network and those on the Internet. You believe that the information was likely encrypted. You are beginning your investigation after the activity concluded. What would be the best and easiest way to obtain the source of this information? A. Packet captures B. Netflow data C. Intrusion detection system logs D. Centralized authentication records

B. Netflow data contains information on the source, destination, and size of all network communications and is routinely saved as a matter of normal activity. Packet capture data would provide relevant information, but it must be captured during the suspicious activity and cannot be re-created after the fact unless the organization is already conducting 100 percent packet capture, which is very rare. Additionally, the use of encryption limits the effectiveness of packet capture. Intrusion detection system logs would not likely contain relevant information because the encrypted traffic would probably not match intrusion signatures. Centralized authentication records would not contain information about network traffic.

The company that Jennifer works for has implemented a central logging infrastructure, as shown in the following image (CORPORATE NETWORK that has WiFi access point and Windows desktop systems [FIREWALL] DATA CENTRE to SIEM appliance, Linux Database server & Linux Web server). Use this diagram and your knowledge of logging systems to answer the following question. 21. What technology should an organization use for each of the devices shown in the diagram to ensure that logs can be time sequenced across the entire infrastructure? A. Syslog B. NTP C. Logsync D. SNAP

B. Network Time Protocol (NTP) can ensure that systems are using the same time, allowing time sequencing for logs throughout a centralized logging infrastructure. Syslog is a way for systems to send logs to a logging server and won't address time sequencing. Neither logsync nor SNAP is an industry term.

71. During an nmap scan, what three potential statuses are provided for a port? A. Open, unknown, closed B. Open, closed, and filtered C. Available, denied, unknown D. Available, unavailable, filtered

B. Nmap reports one of three statuses: Open, which means that the port is open and that an application responds; Closed, which means that the port is accessible but there is no application response; and Filtered, which means that a firewall is not allowing nmap to determine if the port is open or closed.

74. Jim is designing his organization's log management systems and knows that he needs to carefully plan to handle the organization's log data. Which of the following is not a factor that Jim should be concerned with? A. The volume of log data B. A lack of sufficient log sources C. Data storage security requirements D. Network bandwidth

B. Not having enough log sources is not a key consideration in log management system design, although it may be a worry for security managers who can't capture the data they need. Log management system designs must take into account the volume of log data and the network bandwidth it consumes, the security of the data, and the amount of effort required to analyze the data.

14. Which of the following is not a potential problem with active wireless scanning? A. Accidentally scanning apparent rogue devices that actually belong to guests B. Causing alarms on the organization's wireless IPS C. Scanning devices that belong to nearby organizations D. Misidentifying rogue devices

B. Not only should active scanning be expected to cause wireless IPS alarms, but those alarms may actually be desired if the test is done to test responses. Accidentally scanning guests or neighbors, or misidentifying devices belonging to third parties, are all potential problems with active scanning and require the security assessor to carefully verify the systems that she is scanning.

Ann is a security professional for a mid-sized business and typically handles log analysis and security monitoring tasks for her organization. One of her roles is to monitor alerts originating from the organization's intrusion detection system. The system typically generates several dozen alerts each day, and many of those alerts turn out to be false alarms after her investigation. This morning, the intrusion detection system alerted because the network began to receive an unusually high volume of inbound traffic. Ann received this alert and began looking into the origin of the traffic. 68. At this point in the incident response process, what term best describes what has occurred in Ann's organization? A. Security occurrence B. Security incident C. Security event D. Security intrusion

B. Now that Ann suspects an attack against her organization, she has sufficient evidence to declare a security incident. The attack underway seems to have undermined the availability of her network, meeting one of the criteria for a security incident. This is an escalation beyond a security event but does not reach the level of an intrusion because there is no evidence that the attacker has even attempted to gain access to systems on Ann's network. Security occurrence is not a term commonly used in incident handling.

73. Jim wants to allow cloud-based applications to act on his behalf to access information from other sites. Which of the following tools can allow that? A. Kerberos B. OAuth C. OpenID D. LDAP

B. OAuth provides the ability to access resources from another service and would meet Jim's needs. OpenID would allow him to use an account from another service with his application, and Kerberos and LDAP are used more frequently for in-house services.

NIST Special Publication 800-115, the Technical Guide to Information Security Testing and Assessment, provides NIST's process for penetration testing (Planning, Information gathering and discovery, Vulnerability scanning, Exploitation, Reporting). Using this process as well as your knowledge of penetration testing, answer the following question. 99. NIST specifies four attack phase steps: gaining access, escalating privileges, system browsing, and installing additional tools. Once attackers install additional tools, what phase will a penetration tester typically return to? A. Discovery B. Gaining access C. Escalating privileges D. System browsing

B. Once additional tools have been installed, penetration testers will typically use them to gain additional access. From there they can further escalate privileges, search for new targets or data, and once again, install more tools to allow them to pivot further into infrastructure or systems.

93. What is the minimum number of disks required to implement RAID level 1? A. One B. Two C. Three D. Five

B. RAID level 1, also known as disk mirroring, uses two disks that contain identical information. If one disk fails, the other contains the data needed for the system to continue operation.

31. Sue's employer has asked her to use an IPsec VPN to connect to its network. When Sue connects, what does the IPsec VPN allow her to do? A. Send decrypted data over a public network and act like she is on her employer's internal network. B. Create a private encrypted network carried via a public network and act like she is on her employer's internal network. C. Create a virtual private network using TLS while on her employer's internal network. D. Create a tunneled network that connects her employer's network to her internal home network.

B. One way to use an IPsec VPN is to create a private, encrypted network (or tunnel) via a public network, allowing users to be a virtual part of their employer's internal network. IPsec is distinct from TLS, provides encryption for confidentiality and integrity, and of course, in this scenario Sue is connecting to her employer's network rather than the employer connecting to hers.

41. What type of software program exposes the code to anyone who wishes to inspect it? A. Closed source B. Open-source C. Fixed source D. Unrestricted source

B. Open-source software exposes the source code to public inspection and modification. The open-source community includes major software packages, including the Linux operating system.

6. Susan needs to scan a system for vulnerabilities, and she wants to use an open source tool to test the system remotely. Which of the following tools will meet her requirements and allow vulnerability scanning? A. Nmap B. OpenVAS C. MBSA D. Nessus

B. OpenVAS is an open source vulnerability scanning tool that will provide Susan with a report of the vulnerabilities that it can identify from a remote, network-based scan. Nmap is an open source port scanner. Both the Microsoft Baseline Security Analyzer (MBSA) and Nessus are closed source tools, although Nessus was originally open source.

The security life cycle diagram (loosely based on the NIST Risk Management Framework) shows a five-step process for risk management: 1. Categorize systems and data 2. Select security controls 3. Implement security controls 4. Assess security controls 5. Monitor security. 87. If the systems that are being assessed all handle credit card information (and no other sensitive data), at what step would the PCI DSS first play an important role? A. Step 1 B. Step 2 C. Step 3 D. Step 4

B. PCI DSS provides a set of required security controls and standards. Step 2 would be guided by the requirements of PCI DSS. PCI DSS will not greatly influence step 1 because all of the systems handle credit card information, making PCI DSS apply to all systems covered. Steps 3 and 4 will be conducted after PCI DSS has guided the decisions in step 2.

38. Susan's organization is updating its password policy and wants to use the strongest possible passwords. What password requirement will have the highest impact in preventing brute force attacks? A. Change maximum age from 1 year to 180 days. B. Increase the minimum password length from 8 characters to 16 characters. C. Increase the password complexity so that at least three character classes (such as uppercase, lowercase, numbers, and symbols) are required. D. Retain a password history of at least four passwords to prevent reuse.

B. Resistance to brute force attacks is driven primarily by length. Each additional character multiplies the number of candidate passwords by the size of the character set (for example, one more lowercase letter makes 26 times as many candidates), so doubling the length from 8 to 16 characters expands the search space far more than adding a third character class to an 8-character password does. The other settings are useful parts of a password policy (shorter maximum age and password history limit the lifetime and reuse of a compromised password), but they do not have the same impact on brute force attacks.
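As an added example that is not part of the practice test, the following Python works the arithmetic behind the answer: it computes the brute force search space for each of the policy options in the question and converts it to attacker time at an assumed guess rate. The guess rate and the symbol-class size (33 printable ASCII symbols) are assumptions for the illustration.

```python
# Added example (not from the practice test): compare the brute force search
# space produced by each password policy option in the question. The guess
# rate is an assumed figure for a fast offline attack against an unsalted
# fast hash; adjust it for your own threat model.
CHARSET_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}

def keyspace(length, classes):
    """Number of candidate passwords of exactly `length` characters drawn
    from the union of the given character classes."""
    alphabet = sum(CHARSET_SIZES[c] for c in classes)
    return alphabet ** length

def years_to_exhaust(space, guesses_per_second=1e10):
    """Wall-clock years to try every candidate at the assumed guess rate."""
    return space / guesses_per_second / (365 * 24 * 3600)

def compare_policies():
    """Search space for the three policies the question contrasts."""
    return {
        "8 chars, lowercase only": keyspace(8, ["lower"]),
        "8 chars, three classes (lower, upper, digit)": keyspace(8, ["lower", "upper", "digit"]),
        "16 chars, lowercase only": keyspace(16, ["lower"]),
    }

if __name__ == "__main__":
    for policy, space in compare_policies().items():
        print(f"{policy:45} {space:.3e} candidates, {years_to_exhaust(space):.2e} years")
```

Two caveats a practitioner would add: the figures assume the attacker must brute force the whole space, so a 16-character password built from dictionary words is still exposed to dictionary and rule-based attacks, and the guess rate drops by orders of magnitude when the verifier stores passwords with a deliberately slow, salted hash such as bcrypt or Argon2.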

43. Chris uses the standard penetration testing methodology shown here (Planning, Information gathering & discovery, Vulnerability scanning, Exploitation, Reporting). Use this methodology and your knowledge of penetration testing to answer the following questions about tool usage during a penetration test. Which of these concerns is the most important to address during planning to ensure the reporting phase does not cause problems? A. Which CVE format to use B. How the vulnerability data will be stored and sent C. Which targets are off limits D. How long the report should be

B. Penetration test reports often include information that could result in additional exposure if they were accidentally released or stolen. Therefore, determining how vulnerability data should be stored and sent is critical to plan up front. Problems with off-limits targets are more likely to surface during the vulnerability scanning and exploitation phases, and reports should not be limited in length but should be as long as they need to be to accomplish the goals of the test.

100. Which of the following is not a typical part of a penetration test report? A. A list of identified vulnerabilities B. All sensitive data that was gathered during the test C. Risk ratings for each issue discovered D. Mitigation guidance for issues identified

B. Penetration testing reports often do not include the specific data captured during the assessment, as the readers of the report may not be authorized to access all of the data, and exposure of the report could result in additional problems for the organization. A listing of the issues discovered, risk ratings, and remediation guidance are all common parts of a penetration test report.

32. Which of the following is not a common threat to access control mechanisms? A. Fake login pages B. Phishing C. Dictionary attacks D. Man-in-the-middle attacks

B. Phishing is not an attack against an access control mechanism. While phishing can result in stolen credentials, the attack itself is not against the control system and is instead against the person being phished. Dictionary attacks and man-in-the-middle attacks both target access control systems.

82. Which of the following is not an access control layer? A. Physical B. Policy C. Administrative D. Technical

B. Policy is a subset of the administrative layer of access controls. Administrative, technical, and physical access controls all play an important role in security.

82. What type of health information is the Health Insurance Portability and Accountability Act required to protect? A. PII B. PHI C. SHI D. HPHI

B. Protected health information, or PHI, includes a variety of data in multiple formats, including oral and recorded data, such as that created or received by healthcare providers, employers, and life insurance providers. PHI must be protected by HIPAA. PII is personally identifiable information. SHI and HPHI are both made-up acronyms.

81. What level of RAID is also known as disk mirroring? A. RAID-0 B. RAID-1 C. RAID-5 D. RAID-10

B. RAID level 1 is also known as disk mirroring. RAID-0 is called disk striping. RAID-5 is called disk striping with parity. RAID-10 is known as a stripe of mirrors.

33. What term properly describes what occurs when two or more processes require access to the same resource and must complete their tasks in the proper order for normal function? A. Collisions B. Race conditions C. Determinism D. Out-of-order execution

B. Race conditions occur when two or more processes need to access the same resource in the right order. If an attacker can disrupt this order (for example, by changing a file between the moment a program checks it and the moment it uses it, a time-of-check to time-of-use flaw), they may be able to affect the normal operation of the system and gain unauthorized access or improper rights. Collisions occur when two different inputs produce the same result from a hashing operation, out-of-order execution is a CPU architecture feature that allows the use of otherwise unused cycles, and determinism is a philosophical term rather than something you should see on the CISSP exam!
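As an added example that is not part of the practice test, the following Python shows the classic file-system race: a program checks that a file does not exist and then creates it as two separate steps, leaving a window in which an attacker can plant the file (or a symlink to a file the program should never write). The hardened version collapses check and create into one atomic kernel operation. The `_race_hook` parameter and the temp-directory paths are constructed for the demonstration and stand in for the scheduler switching to the attacker at the worst moment.

```python
# Added example (not from the practice test): a check-then-use race on a file
# and the atomic alternative. Files are created in a temporary directory.
import os
import tempfile

def write_report_racy(path, data, _race_hook=None):
    """Vulnerable pattern: the existence check and the open are separate steps.
    `_race_hook` simulates the attacker running between them."""
    if os.path.exists(path):                 # time of check ...
        raise FileExistsError(path)
    if _race_hook is not None:
        _race_hook()                         # attacker wins the race here
    with open(path, "w") as fh:              # ... time of use; follows symlinks
        fh.write(data)

def write_report_atomic(path, data):
    """Hardened pattern: O_CREAT|O_EXCL makes create-if-absent a single kernel
    operation, and O_NOFOLLOW (where available) refuses a planted symlink."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)         # raises FileExistsError if it exists
    with os.fdopen(fd, "w") as fh:
        fh.write(data)

def demo():
    """Return what each pattern does when the attacker plants the file first."""
    outcomes = {}
    with tempfile.TemporaryDirectory() as d:
        racy_path = os.path.join(d, "racy.txt")

        def attacker_plants_file():
            with open(racy_path, "w") as fh:
                fh.write("planted")

        write_report_racy(racy_path, "secret", _race_hook=attacker_plants_file)
        with open(racy_path) as fh:
            outcomes["racy"] = "overwrote planted file" if fh.read() == "secret" else "unexpected"

        atomic_path = os.path.join(d, "atomic.txt")
        with open(atomic_path, "w") as fh:
            fh.write("planted")
        try:
            write_report_atomic(atomic_path, "secret")
            outcomes["atomic"] = "overwrote planted file"
        except FileExistsError:
            outcomes["atomic"] = "refused"
    return outcomes

if __name__ == "__main__":
    print(demo())
```

In the racy case the program's check passed, yet it ended up writing its data into a file the attacker controls; with a symlink in place that write would land wherever the attacker pointed it. The fix is not a faster check but removing the window entirely with `O_EXCL`, and, for later operations on the file, working through the open descriptor (`fstat`, `fchmod`) rather than re-resolving the path.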

31. What passive monitoring technique records all user interaction with an application or website to ensure quality and performance? A. Client/server testing B. Real user monitoring C. Synthetic user monitoring D. Passive user recording

B. Real user monitoring (RUM) is a passive technique that records how actual users interact with an application and how it performs for them. Because it depends on real user traffic, RUM is normally deployed against the production application; simulated pre-deployment checks are the domain of synthetic monitoring. The other answers are made up: synthetic monitoring uses scripted or simulated transactions, but "synthetic user monitoring" is not a testing method; passive monitoring watches actual traffic, but "passive user recording" is not an industry term; and client/server testing merely names one possible architecture.

52. When Chris verifies an individual's identity and adds a unique identifier like a user ID to an identity system, what process has occurred? A. Identity proofing B. Registration C. Directory management D. Session management

B. Registration is the process of adding a user to an identity management system. This includes creating their unique identifier and adding any attribute information that is associated with their identity. Proofing occurs when the user provides information to prove who they are. Directories are managed to maintain lists of users, services, and other items. Session management tracks application and user sessions.

15. Marcy would like to continue using some old DES encryption equipment to avoid throwing it away. She understands that running DES multiple times improves the security of the algorithm. What is the minimum number of times she must run DES on the same data to achieve security that is cryptographically strong by modern standards? A. 2 B. 3 C. 4 D. 12

B. Running DES three times produces Triple DES (3DES). To gain security over single DES, the three passes must use at least two different keys; NIST recommends three independent keys for the strongest version (about 112 bits of effective strength against meet-in-the-middle attacks, versus roughly 80 bits for two-key 3DES). Practitioner caveat: NIST SP 800-131A has since deprecated 3DES and disallows it for encryption after 2023, so the exam answer reflects the question's premise of reusing old hardware rather than a recommendation for new designs, where AES is the appropriate choice.

85. What technique can application developers use to test applications in an isolated virtualized environment before allowing them on a production network? A. Penetration testing B. Sandboxing C. White box testing D. Black box testing

B. Sandboxing is a technique where application developers (or the recipients of an untrusted application) may test the code in a virtualized environment that is isolated from production systems. White box testing, black box testing, and penetration testing are all common software testing techniques but do not require the use of an isolated system.

The Center for Internet Security (CIS) works with subject matter experts from a variety of industries to create lists of security controls for operating systems, mobile devices, server software, and network devices. Your organization has decided to use the CIS benchmarks for your systems. Answer the following questions based on this decision. 24. Adjusting the CIS benchmarks to your organization's mission and your specific IT systems would involve what two processes? A. Scoping and selection B. Scoping and tailoring C. Baselining and tailoring D. Tailoring and selection

B. Scoping involves selecting only the controls that are appropriate for your IT systems, while tailoring matches your organization's mission and the controls from a selected baseline. Baselining is the process of configuring a system or software to match a baseline, or building a baseline itself. Selection isn't a technical term used for any of these processes.

20. A remote access tool that copies what is displayed on a desktop PC to a remote computer is an example of what type of technology? A. Remote node operation B. Screen scraping C. Remote control D. RDP

B. Screen scrapers copy the actual screen displayed and display it at a remote location. RDP provides terminal sessions without doing screen scraping, remote node operation is the same as dial-up access, and remote control is a means of controlling a remote system (screen scraping is a specialized subset of remote control).

49. Misconfiguration, logical and functional flaws, and poor programming practices are all causes of what type of issue? A. Fuzzing B. Security vulnerabilities C. Buffer overflows D. Race conditions

B. Security vulnerabilities can be created by misconfiguration, logical or functional design flaws, implementation issues, or poor programming practices. Fuzzing is a method of software testing and is not a type of issue. Buffer overflows and race conditions are both caused by logical or programming flaws, but they are not typically caused by misconfiguration or functional issues.

[Diagram: user workstation A connects over link B to the Internet service C; the Internet service and server E communicate over link D; a further link F also reaches server E. The nodes are drawn as a triangle.] 72. What is the best way to secure files that are sent from workstation A via the Internet service (C) to remote server E? A. Use AES at rest at point A, and TLS in transit via B and D. B. Encrypt the data files and send them. C. Use 3DES and TLS to provide double security. D. Use full disk encryption at A and E, and use SSL at B and D.

B. Sending a file that is encrypted before it leaves means that exposure of the file in transit will not result in a confidentiality breach and the file will remain secure until decrypted at location E. Since answers A, C, and D do not provide any information about what happens at point C, they should be considered insecure, as the file may be at rest at point C in an unencrypted form.

13. Tom is responsible for maintaining the security of systems used to control industrial processes located within a power plant. What term is used to describe these systems? A. POWER B. SCADA C. HAVAL D. COBOL

B. Supervisory control and data acquisition (SCADA) systems are used to control and gather data from industrial processes. They are commonly found in power plants and other industrial environments.

5. If Susan's organization requires her to log in with her username, a PIN, a password, and a retina scan, how many distinct types of factor has she used? A. One B. Two C. Three D. Four

B. Susan has used two distinct types of factors: the PIN and password are both Type 1 factors, and the retina scan is a Type 3 factor. Her username is not a factor.

67. Jim's organization uses fax machines to receive sensitive data. Since the fax machine is located in a public area, what actions should Jim take to deal with issues related to faxes his organization receives? A. Encrypt the faxes and purge local memory. B. Disable automatic printing and purge local memory. C. Encrypt faxes and disable automatic printing. D. Use link encryption and enable automatic printing.

B. Sensitive information contained in faxes should not be left in a public area. Disabling automatic printing will help prevent unintended viewing of the faxes. Purging local memory after the faxes are printed will ensure that unauthorized individuals can't make additional copies of faxes. Encryption would help keep the fax secure during transmission but won't help with the public location and accessibility of the fax machine itself, and of course, enabling automatic printing will only make casual access easier.

82. Susan is writing a best practices statement for her organizational users who need to use Bluetooth. She knows that there are many potential security issues with Bluetooth and wants to provide the best advice she can. Which of the following sets of guidance should Susan include? A. Use Bluetooth's built-in strong encryption, change the default PIN on your device, turn off discovery mode, and turn off Bluetooth when it's not in active use. B. Use Bluetooth only for those activities that are not confidential, change the default PIN on your device, turn off discovery mode, and turn off Bluetooth when it's not in active use. C. Use Bluetooth's built-in strong encryption, use extended (8 digit or longer) Bluetooth PINs, turn off discovery mode, and turn off Bluetooth when it's not in active use. D. Use Bluetooth only for those activities that are not confidential, use extended (8 digit or longer) Bluetooth PINs, turn off discovery mode, and turn off Bluetooth when it's not in active use.

B. The exam answer rests on the legacy Bluetooth security model: classic pairing used a four-digit PIN (often defaulting to 0000) and the E0 stream cipher, which is not considered strong encryption, so Bluetooth should be used only for activities that are not confidential. Turning Bluetooth off when it is not in active use and keeping devices out of discovery mode reduce exposure to scanning and pairing attacks. Practitioner caveat: Bluetooth 2.1 Secure Simple Pairing and Bluetooth 4.2 LE Secure Connections introduced ECDH key agreement with AES-CCM, a considerable improvement, but the advice to limit exposure and to avoid confidential use with untrusted peripherals still applies.

2. Jim's organization-wide implementation of IDaaS offers broad support for cloudbased applications. The existing infrastructure for Jim's company does not use centralized identity services but uses Active Directory for AAA services. Which of the following choices is the best option to recommend to handle the company's onsite identity needs? A. Integrate onsite systems using OAuth. B. Use an on-premise third-party identity service. C. Integrate onsite systems using SAML. D. Design an in-house solution to handle the organization's unique needs.

B. Since Jim's organization is using a cloud-based Identity as a Service solution, a third party, on-premise identity service can provide the ability to integrate with the IDaaS solution, and the company's use of Active Directory is widely supported by third-party vendors. OAuth is used to log into third-party websites using existing credentials and would not meet the needs described. SAML is a markup language and would not meet the full set of AAA needs. Since the organization is using Active Directory, a custom in-house solution is unlikely to be as effective as a preexisting third-party solution and may take far more time and expense to implement.

74. Ben's organization has had an issue with unauthorized access to applications and workstations during the lunch hour when employees aren't at their desk. What are the best type of session management solutions for Ben to recommend to help prevent this type of access? A. Use session IDs for all access and verify system IP addresses of all workstations. B. Set session time-outs for applications and use password protected screensavers with inactivity time-outs on workstations. C. Use session IDs for all applications, and use password protected screensavers with inactivity time-outs on workstations. D. Set session time-outs for applications and verify system IP addresses of all workstations.

B. Since physical access to the workstations is part of the problem, setting application time-outs and password-protected screensavers with relatively short inactivity timeouts can help prevent unauthorized access. Using session IDs for all applications and verifying system IP addresses would be helpful for online attacks against applications.

8. Toni responds to the desk of a user who reports slow system activity. Upon checking outbound network connections from that system, Toni notices a large amount of social media traffic originating from the system. The user does not use social media, and when Toni checks the accounts in question, they contain strange messages that appear encrypted. What is the most likely cause of this traffic? A. Other users are relaying social media requests through Toni's computer. B. Toni's computer is part of a botnet. C. Toni is lying about her use of social media. D. Someone else is using Toni's computer when she is not present.

B. Social media is commonly used as a command-and-control system for botnet activity. The most likely scenario here is that Toni's computer was infected with malware and joined to a botnet. This accounts for both the unusual social media traffic and the slow system activity.

79. Referring to the fire triangle shown below (CHEMICAL REACTION in the centre of equal triangle HEAT, OXYGEN, FUEL), which one of the following suppression materials attacks a fire by removing the fuel source? A. Water B. Soda acid C. Carbon dioxide D. Halon

B. Soda acid and other dry powder extinguishers work to remove the fuel supply. Water suppresses temperature, while halon and carbon dioxide remove the oxygen supply from a fire.

71. Which one of the following tools provides an organization with the greatest level of protection against a software vendor going out of business? A. Service-level agreement B. Escrow agreement C. Mutual assistance agreement D. PCI DSS compliance agreement

B. Software escrow agreements place a copy of the source code for a software package in the hands of an independent third party who will turn the code over to the customer if the vendor ceases business operations. Service-level agreements, mutual assistance agreements, and compliance agreements all lose some or all of their effectiveness if the vendor goes out of business.

47. Gary intercepts a communication between two individuals and suspects that they are exchanging secret messages. The content of the communication appears to be the image shown below. What type of technique may the individuals use to hide messages inside this image (PHOTO of beach)? A. Visual cryptography B. Steganography C. Cryptographic hashing D. Transport layer security

B. Steganography is the practice of hiding secret messages within other, innocuous-looking content so that the existence of the message itself is concealed (it is often combined with encryption, but hiding, not encrypting, is what defines it). Some steganographic algorithms work by altering the least significant bits of the many bits that make up an image file, changes that are invisible to the eye but that carry the hidden payload.
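As an added example that is not part of the practice test, the following Python implements the least-significant-bit technique described in the answer: it writes a length-prefixed message into the low bit of each colour channel of a cover image and reads it back. The cover is a constructed list of 8-bit channel values standing in for a 16x16 RGB image; a real tool would read and write pixels with an imaging library.

```python
# Added example (not from the practice test): hide bytes in the least significant
# bit of each pixel channel and recover them. The cover "image" below is a
# constructed flat list of 8-bit channel values (16x16 pixels, RGB).

def _bits(data: bytes):
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1

def embed(channels, message: bytes):
    """Return a copy of `channels` with a 4-byte big-endian length prefix and
    `message` written into the LSBs. Each channel value changes by at most 1."""
    payload = len(message).to_bytes(4, "big") + message
    if len(payload) * 8 > len(channels):
        raise ValueError("cover image too small for payload")
    out = list(channels)
    for idx, bit in enumerate(_bits(payload)):
        out[idx] = (out[idx] & 0xFE) | bit      # clear the low bit, then set it
    return out

def extract(channels):
    """Read the length prefix, then that many message bytes, from the LSBs."""
    def read_bytes(start_bit, count):
        value = bytearray()
        for b in range(count):
            byte = 0
            for i in range(8):
                byte = (byte << 1) | (channels[start_bit + b * 8 + i] & 1)
            value.append(byte)
        return bytes(value)
    length = int.from_bytes(read_bytes(0, 4), "big")
    return read_bytes(32, length)

def max_channel_delta(original, stego):
    """Largest per-channel change introduced by embedding (should be 0 or 1)."""
    return max(abs(a - b) for a, b in zip(original, stego))

# Constructed cover: a smooth gradient so the effect of embedding is obvious.
COVER = [(x * 16 + c * 7) % 256 for x in range(16) for y in range(16) for c in range(3)]

if __name__ == "__main__":
    stego = embed(COVER, b"meet at dawn")
    print(extract(stego), "max channel delta:", max_channel_delta(COVER, stego))
```

From the investigator's side, the same property that makes this invisible to the eye makes it detectable statistically: LSB embedding flattens the distribution of even and odd channel values, which chi-square and RS steganalysis pick up, and lossy recompression (saving the image as JPEG) destroys the payload entirely.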

89. Susan's organization performs a zero fill on hard drives before they are sent to a third party organization to be shredded. What issue is her organization attempting to avoid? A. Data remanence while at the third-party site B. Mishandling of drives by the third party C. Classification mistakes D. Data permanence

B. Susan's organization is limiting its risk by sending drives that have been sanitized before they are destroyed. This limits the possibility of a data breach if drives are mishandled by the third party, allowing them to be stolen, resold, or simply copied. The destruction of the drives will handle any issues with data remanence, while classification mistakes are not important if the drives have been destroyed. Data permanence and the life span of the data are not important on a destroyed drive.

93. What type of encryption is typically used for data at rest? A. Asymmetric encryption B. Symmetric encryption C. DES D. OTP

B. Symmetric encryption like AES is typically used for data at rest. Asymmetric encryption is often used during transactions or communications when the ability to have public and private keys is necessary. DES is an outdated encryption standard, and OTP is the acronym for one-time password.

27. What type of monitoring uses simulated traffic to a website to monitor performance? A. Log analysis B. Synthetic monitoring C. Passive monitoring D. Simulated transaction analysis

B. Synthetic monitoring uses emulated or recorded transactions to monitor for performance changes in response time, functionality, or other performance monitors. Passive monitoring uses a span port or other method to copy traffic and monitor it in real time. Log analysis is typically performed against actual log data but can be performed on simulated traffic to identify issues. Simulated transaction analysis is not an industry term.

12. Which of the following AAA protocols is the most commonly used? A. TACACS B. TACACS+ C. XTACACS D. Super TACACS

B. TACACS+ is the only modern protocol on the list. It provides the advantages of both TACACS and XTACACS as well as some benefits over RADIUS, including separation of the authentication, authorization, and accounting functions and obfuscation of the entire packet body rather than only the password. Super TACACS is not an actual protocol. Practitioner caveat: RFC 8907, which documents TACACS+, notes that its MD5-based body obfuscation is not a substitute for a secured transport, so the protocol should be run over a protected management network or an encrypted channel.

Lauren's organization has used a popular instant messaging service for a number of years. Recently, concerns have been raised about the use of instant messaging. [Diagram: the Internet connects via link A to a firewall, then a router, then a switch. Workstation (a) sends IM traffic to the Internet on TCP 80, workstation (b) receives IM traffic from the Internet on TCP 80, and workstation (c) is also on the switch.] 29. What protocol is the instant messaging traffic most likely to use based on the diagram? A. AOL B. HTTP C. SMTP D. HTTPS

B. TCP 80 is typically HTTP.

1. During a port scan, Susan discovers a system running services on TCP and UDP 137-139 and TCP 445, as well as TCP 1433. What type of system is she likely to find if she connects to the machine? A. A Linux email server B. A Windows SQL server C. A Linux file server D. A Windows workstation

B. TCP and UDP ports 137-139 are used by the NetBIOS name, datagram, and session services, and TCP 445 carries SMB directly over TCP (the port used for Windows file sharing and for much Active Directory traffic). TCP 1433 is the default port for Microsoft SQL Server, so this is most likely a Windows server running SQL Server. A Linux server running Samba could expose 137-139 and 445, but 1433 points to the Microsoft product.

3. During a port scan, Lauren found TCP port 443 open on a system. Which tool is best suited to scanning the service that is most likely running on that port? A. zzuf B. Nikto C. Metasploit D. sqlmap

B. TCP port 443 normally indicates an HTTPS server. Nikto is useful for vulnerability scanning web servers and applications and is the best choice listed for a web server. Metasploit includes some scanning functionality but is not a purpose-built tool for vulnerability scanning. zzuf is a fuzzing tool and isn't relevant for vulnerability scans, whereas sqlmap is a SQL injection testing tool.

95. Which California law requires conspicuously posted privacy policies on commercial websites that collect the personal information of California residents? A. The Personal Information Protection and Electronic Documents Act B. The California Online Privacy Protection Act C. California Online Web Privacy Act D. California Civil Code 1798.82

B. The California Online Privacy Protection Act (CalOPPA) requires that operators of commercial websites and online services post a conspicuous privacy policy if they collect personal information on California residents. (Do not confuse it with COPPA, the federal Children's Online Privacy Protection Act.) The Personal Information Protection and Electronic Documents Act is a Canadian privacy law, while California Civil Code 1798.82 is part of the set of California codes that requires breach notification. The California Online Web Privacy Act does not exist.

10. Which authentication protocol commonly used for PPP links encrypts both the username and password and uses a challenge/response dialog that cannot be replayed and periodically re-authenticates remote systems throughout its use in a session? A. PAP B. CHAP C. EAP D. LEAP

B. The Challenge-Handshake Authentication Protocol, or CHAP, is used by PPP servers to authenticate remote clients. The password never crosses the link: the server sends a random challenge, and the client returns an MD5 hash of a one-byte identifier, the shared secret, and that challenge (the exam wording describes this as encrypting the credentials). Because each challenge is fresh, a captured response cannot be replayed, and the server repeats the challenge periodically during the session. LEAP provides reauthentication but was designed for WEP wireless networks, PAP sends passwords unencrypted, and EAP is an extensible framework that was used for PPP connections but does not by itself provide the listed properties. Practitioner caveat: an eavesdropper who captures a challenge/response pair can run an offline dictionary attack against a weak secret, so CHAP is not considered strong by current standards.
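As an added example that is not part of the practice test, the following Python walks through the CHAP exchange from RFC 1994 with both sides shown: the authenticator issues a random challenge, the client answers with MD5(identifier || secret || challenge), and the authenticator verifies it against the single outstanding challenge. The user name and shared secret are constructed values; the example also shows why re-using a captured response against a later re-authentication challenge fails.

```python
# Added example (not from the practice test): the CHAP exchange of RFC 1994
# with both the client and the authenticator shown. The user name and shared
# secret are constructed values for the demonstration.
import hashlib
import hmac
import secrets

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Client side: MD5 over Identifier || secret || Challenge (RFC 1994 4.1).
    The secret itself never crosses the link."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()

class ChapAuthenticator:
    """Server side. Remembers the outstanding challenge per identifier so a
    response is only accepted against the challenge it was computed for."""

    def __init__(self, secrets_by_user):
        self._secrets = secrets_by_user          # name -> shared secret
        self._outstanding = {}                   # identifier -> challenge

    def challenge(self, identifier: int, size: int = 16) -> bytes:
        chal = secrets.token_bytes(size)         # fresh random challenge
        self._outstanding[identifier] = chal
        return chal

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        chal = self._outstanding.pop(identifier, None)   # single use
        secret = self._secrets.get(name)
        if chal is None or secret is None:
            return False
        expected = chap_response(identifier, secret, chal)
        return hmac.compare_digest(expected, response)   # constant-time compare

def run_exchange():
    """Return (initial auth result, result of replaying the old response)."""
    shared = b"correct horse battery staple"     # constructed secret
    server = ChapAuthenticator({"sue": shared})

    chal = server.challenge(1)                           # 1. Challenge, id=1
    resp = chap_response(1, shared, chal)                # 2. Response, id=1
    first = server.verify(1, "sue", resp)                # 3. Success/Failure

    # Periodic re-authentication: a new challenge under identifier 2. A sniffer
    # replaying the earlier response fails because it hashed the old challenge.
    server.challenge(2)
    replay = server.verify(2, "sue", resp)
    return first, replay

if __name__ == "__main__":
    print(run_exchange())
```

The two properties the exam question lists fall out of the code directly: nothing on the wire reveals the secret, and each response is bound to a one-time challenge. What the code also makes visible is the weakness: `chap_response` is a cheap MD5 over a guessable secret, so anyone holding a captured challenge and response can test candidate secrets offline at full speed.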

74. The European Union (EU) Data Protection Directive's seven principles do not include which of the following key elements? A. The need to inform subjects when their data is being collected B. The need to set a limit on how long data is retained C. The need to keep the data secure D. The need to allow data subjects to be able to access and correct their data

B. The Data Protection Directive's principles do not address data retention time periods. The seven principles are notice, purpose, consent, security, disclosure, access, and accountability.

28. Florian and Tobias would like to begin communicating using a symmetric cryptosystem but they have no prearranged secret and are not able to meet in person to exchange keys. What algorithm can they use to securely exchange the secret key? A. IDEA B. Diffie-Hellman C. RSA D. MD5

B. The Diffie-Hellman algorithm allows for the secure exchange of symmetric encryption keys over a public network.
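As an added example that is not part of the practice test, the following Python runs the Diffie-Hellman exchange Florian and Tobias would perform, showing both parties and the values that travel over the public channel. The modulus is a toy-sized prime chosen for readability and is an assumption of this example; production code uses an RFC 3526 or RFC 7919 group of 2048 bits or more, or an elliptic-curve exchange such as X25519 from a vetted library.

```python
# Added example (not from the practice test): textbook Diffie-Hellman with both
# sides shown. The group parameters are a toy choice for readability and are
# NOT secure; use an RFC 3526 / RFC 7919 group or X25519 in real systems.
import hashlib
import secrets

P = 0xFFFFFFFFFFFFFFC5   # 2**64 - 59, the largest prime below 2**64 (toy size)
G = 2                    # generator (assumed value for the demonstration)

class Party:
    def __init__(self, name):
        self.name = name
        self._x = secrets.randbelow(P - 2) + 1   # private exponent in [1, P-2], never sent
        self.public = pow(G, self._x, P)         # g^x mod p, sent in the clear

    def shared_secret(self, peer_public: int) -> int:
        # Reject degenerate values (0, 1, p-1) an active attacker might inject
        # to force the shared secret into a tiny subgroup.
        if not 1 < peer_public < P - 1:
            raise ValueError("invalid peer public value")
        return pow(peer_public, self._x, P)      # (g^y)^x mod p == (g^x)^y mod p

    def session_key(self, peer_public: int) -> bytes:
        # Derive a fixed-length symmetric key from the raw shared secret.
        # A real implementation uses HKDF with a transcript-bound label.
        z = self.shared_secret(peer_public).to_bytes(8, "big")
        return hashlib.sha256(b"dh-demo-key" + z).digest()

def exchange():
    """Return the session keys each side derives; only the public values travel."""
    florian, tobias = Party("Florian"), Party("Tobias")
    # Wire: Florian -> Tobias: florian.public ; Tobias -> Florian: tobias.public
    key_florian = florian.session_key(tobias.public)
    key_tobias = tobias.session_key(florian.public)
    return key_florian, key_tobias

if __name__ == "__main__":
    k1, k2 = exchange()
    print("keys match:", k1 == k2, k1.hex())
```

The exchange solves the key distribution problem in the question, but note what it does not solve: nothing authenticates the public values, so an attacker sitting on the channel can run one exchange with each party and relay traffic between them. That is why deployed protocols either sign the DH values (as TLS does with the server certificate) or combine the exchange with a pre-shared or password-based authentication step.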

6. Bob is a security administrator with the federal government and wishes to choose a digital signature approach that is an approved part of the federal Digital Signature Standard under FIPS 186-4. Which one of the following encryption algorithms is not an acceptable choice for use in digital signatures? A. DSA B. HAVAL C. RSA D. ECDSA

B. FIPS 186-4, the Digital Signature Standard, approves three algorithms for use in digital signatures: the Digital Signature Algorithm (DSA); the Rivest, Shamir, Adleman (RSA) algorithm; and the Elliptic Curve DSA (ECDSA) algorithm. HAVAL is a hash function, not an encryption algorithm. While hash functions are used as part of the digital signature process, they do not provide encryption. Practitioner caveat: the successor, FIPS 186-5 (2023), adds EdDSA and no longer approves DSA for generating new signatures, so the list above is specific to the FIPS 186-4 version the question names.

23. Susan would like to configure IPsec in a manner that provides confidentiality for the content of packets. What component of IPsec provides this capability? A. AH B. ESP C. IKE D. ISAKMP

B. The Encapsulating Security Payload (ESP) protocol provides confidentiality and integrity for packet contents. It encrypts packet payloads and provides limited authentication and protection against replay attacks.

60. Which of the following is not a part of the European Union's Data Protection principles? A. Notice B. Reason C. Security D. Access

B. The tenets the answer relies on are: Notice, Choice, Onward transfer, Security, Data integrity, Access, and Enforcement (these are the US-EU Safe Harbor principles that implemented the Directive's requirements for transfers to the United States). Reason is not included in this list.

90. What legal protection prevents law enforcement agencies from searching a facility or electronic system without either probable cause or consent? A. First Amendment B. Fourth Amendment C. Fifth Amendment D. Fifteenth Amendment

B. The Fourth Amendment states, in part, that "the right of the people to be secure in their persons, houses, papers and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized." The First Amendment contains protections related to freedom of speech. The Fifth Amendment ensures that no person will be required to serve as witnesses against themselves. The Fifteenth Amendment protects the voting rights of citizens.

27. Which one of the following is not an example of a backup tape rotation scheme? A. Grandfather/Father/Son B. Meet in the middle C. Tower of Hanoi D. Six Cartridge Weekly

B. The Grandfather/Father/Son, Tower of Hanoi, and Six Cartridge Weekly schemes are all different approaches to rotating backup media that balance reuse of media with data retention concerns. Meet-in-the-middle is a cryptographic attack against 2DES encryption.

88. What LDAP authentication mode can provide secure authentication? A. Anonymous B. SASL C. Simple D. S-LDAP

B. The Simple Authentication and Security Layer (SASL) for LDAP provides support for a range of authentication types, including secure methods. Anonymous authentication does not require or provide security, and simple authentication can be tunneled over SSL or TLS but does not provide security by itself. S-LDAP is not an LDAP protocol.

12. In the figure shown below (*), Sally is blocked from reading the file due to the Biba integrity model. Sally has a Secret security clearance and the file has a Confidential classification. What principle of the Biba model is being enforced? A. Simple Security Property B. Simple Integrity Property C. *-Security Property D. *-Integrity Property

B. The Simple Integrity Property states that an individual may not read a file classified at a lower security level than the individual's security clearance.

60. In the diagram shown below (USER SPACE has 3 processes & KERNEL with XXX and Reference Monitor inside) of security boundaries within a computer system, what component's name has been replaced with XXX? A. Kernel B. TCB C. Security perimeter D. User execution

B. The Trusted Computing Base (TCB) is a small subset of the system contained within the kernel that carries out critical system activities.

14. Sonia recently removed an encrypted hard drive from a laptop and moved it to a new device because of a hardware failure. She is having difficulty accessing encrypted content on the drive despite the fact that she knows the user's password. What hardware security feature is likely causing this problem? A. TCB B. TPM C. NIACAP D. RSA

B. The Trusted Platform Module (TPM) is a hardware security technique that stores an encryption key on a chip on the motherboard and prevents someone from accessing an encrypted drive by installing it in another computer.

94. Jerome is conducting a forensic investigation and is reviewing database server logs to investigate query contents for evidence of SQL injection attacks. What type of analysis is he performing? A. Hardware analysis B. Software analysis C. Network analysis D. Media analysis

B. The analysis of application logs is one of the core tasks of software analysis because SQL injection attacks are application attacks.

Chris is the identity architect for a growing e-commerce website that wants to leverage social identity. To do this, he and his team intend to allow users to use their existing Google accounts as their primary accounts when using the e-commerce site. This means that when a new user initially connects to the e-commerce platform, they are given the choice between using their Google+ account using OAuth 2.0, or creating a new account on the platform using their own email address and a password of their choice. Using this information and the following diagram of an example authentication flow (***) 68. What type of attack is the creation and exchange of state tokens intended to prevent? A. XSS B. CSRF C. SQL injection D. XACML

B. The anti-forgery state token exchanged during OAuth sessions is intended to prevent cross-site request forgery. This makes sure that the unique session token with the authentication response from Google's OAuth service is available to verify that the user, not an attacker, is making a request. XSS attacks focus on scripting and would have script tags involved, SQL injection would have SQL code included, and XACML is the eXtensible Access Control Markup Language, not a type of attack.

29. What is the primary information security risk to data at rest? A. Improper classification B. Data breach C. Decryption D. Loss of data integrity

B. The biggest threat to data at rest is typically a data breach. Data at rest with a high level of sensitivity is often encrypted to help prevent this. Decryption is not as significant a threat if strong encryption is used and encryption keys are well secured. Data integrity issues could occur, but proper backups can help prevent this, and of course data could be improperly classified, but this is not the primary threat to the data.

Using your knowledge of the Kerberos logon process and the following diagram (CLIENT WORKSTATION TO KDC via -A-, KDC to WORKSTATION via -B-, CLIENT WORKSTATION TO CLOUD SERVICES via -C-) 19. What tasks must the client perform before it can use the TGT? A. It must generate a hash of the TGT and decrypt the symmetric key. B. It must install the TGT and decrypt the symmetric key. C. It must decrypt the TGT and the symmetric key. D. It must send a valid response using the symmetric key to the KDC and must install the TGT.

B. The client needs to install the TGT for use until it expires, and must also decrypt the symmetric key using a hash of the user's password.

41. Susan is working to improve the strength of her organization's passwords by changing the password policy. The password system that she is using allows upper- and lowercase letters as well as numbers but no other characters. How much additional complexity does adding a single character to the minimum length of passwords for her organization create? A. 26 times more complex B. 62 times more complex C. 36 times more complex D. 2^62 times more complex

B. The complexity of brute forcing a password increases based on both the number of potential characters and the number of letters added. In this case, there are 26 lowercase letters, 26 uppercase letters, and 10 possible digits. That creates 62 possibilities. Since we added only a single letter of length, we get 62^1, or 62 possibilities, and thus, the new passwords would be 62 times harder to brute force on average.

The Center for Internet Security (CIS) works with subject matter experts from a variety of industries to create lists of security controls for operating systems, mobile devices, server software, and network devices. Your organization has decided to use the CIS benchmarks for your systems. Answer the following questions based on this decision. 25. How should you determine what controls from the baseline a given system or software package should receive? A. Consult the custodians of the data. B. Select based on the data classification of the data it stores or handles. C. Apply the same controls to all systems. D. Consult the business owner of the process the system or data supports.

B. The controls implemented from a security baseline should match the data classification of the data used or stored on the system. Custodians are trusted to ensure the day-to-day security of the data and should do so by ensuring that the baseline is met and maintained. Business owners often have a conflict of interest between functionality and data security, and of course, applying the same controls everywhere is expensive and may not meet business needs or be a responsible use of resources.

77. Which of the following tasks are not performed by a system owner per NIST SP 800-18? A. Develops a system security plan B. Establishes rules for appropriate use and protection of data C. Identifies and implements security controls D. Ensures that system users receive appropriate security training

B. The data owner sets the rules for use and protection of data. The remaining options all describe tasks for the system owner, including implementation of security controls.

91. A software company developed two systems that share information. System A provides information to the input of System B, which then reciprocates by providing information back to System A as input. What type of composition theory best describes this practice? A. Cascading B. Feedback C. Hookup D. Elementary

B. The feedback model of composition theory occurs when one system provides input for a second system and then the second system provides input for the first system. This is a specialized case of the cascading model, so the feedback model is the most appropriate answer.

Chris is designing layered network security for his organization. Using the diagram below (Internet via -A- to Firewall then router then switch then 5 workstations, Web server connected to firewall via -B-, VPN concentrator connected to router via -C-) 13. What type of firewall design is shown in the diagram? A. A single-tier firewall B. A two-tier firewall C. A three-tier firewall D. A four-tier firewall

B. The firewall in the diagram has two protected zones behind it, making it a two-tier firewall design.

51. Which one of the following is not a canon of the (ISC)2 code of ethics? A. Protect society, the common good, necessary public trust and confidence, and the infrastructure. B. Promptly report security vulnerabilities to relevant authorities. C. Act honorably, honestly, justly, responsibly, and legally. D. Provide diligent and competent service to principals.

B. The four canons of the (ISC)2 code of ethics are to protect society, the common good, necessary public trust and confidence and the infrastructure; act honorably, honestly, justly, responsibly and legally; provide diligent and competent service to principals; and advance and protect the profession.

89. In a virtualized computing environment, what component is responsible for enforcing separation between guest machines? A. Guest operating system B. Hypervisor C. Kernel D. Protection manager

B. The hypervisor is responsible for coordinating access to physical hardware and enforcing isolation between different virtual machines running on the same physical platform.

51. Which one of the following is an example of a code, not a cipher? A. Data Encryption Standard B. "One if by land; two if by sea" C. Shifting letters by three D. Word scramble

B. The major difference between a code and a cipher is that ciphers alter messages at the character or bit level, not at the word level. DES, shift ciphers, and word scrambles all work at the character or bit level and are ciphers. "One if by land; two if by sea" is a message with hidden meaning in the words and is an example of a code.

49. Florian is building a disaster recovery plan for his organization and would like to determine the amount of time that a particular IT service may be down without causing serious damage to business operations. What variable is Florian calculating? A. RTO B. MTD C. RPO D. SLA

B. The maximum tolerable downtime (MTD) is the longest amount of time that an IT service or component may be unavailable without causing serious damage to the organization. The recovery time objective (RTO) is the amount of time expected to return an IT service or component to operation after a failure. The recovery point objective (RPO) identifies the maximum amount of data, measured in time that may be lost during a recovery effort. Service-level agreements (SLAs) are written contracts that document service expectations.

54. Harold is assessing the susceptibility of his environment to hardware failures and would like to identify the expected lifetime of a piece of hardware. What measure should he use for this? A. MTTR B. MTTF C. RTO D. MTO

B. The mean time to failure (MTTF) provides the average amount of time before a device of that particular specification fails.

84. Lauren's multinational company wants to ensure compliance with the EU Data Protection Directive. If she allows data to be used against the requirements of the notice principle and against what users selected in the choice principle, what principle has her organization violated? A. Onward transfer B. Data integrity C. Enforcement D. Access

B. The principle of data integrity states that data should be reliable and that information should not be used for purposes other than those that users are made aware of by notice and that they have accepted through choice. Enforcement is aimed at ensuring that compliance with principles is assured. Access allows individuals to correct, change, or delete their information, while onward transfer limits transfers to other organizations that comply with the principles of notice and choice.

42. Javier is verifying that only IT system administrators have the ability to log on to servers used for administrative purposes. What principle of information security is he enforcing? A. Need to know B. Least privilege C. Two-person control D. Transitive trust

B. The principle of least privilege says that an individual should only have the privileges necessary to complete their job functions. Removing administrative privileges from nonadministrative users is an example of least privilege.

36. When a subject claims an identity, what process is occurring? A. Login B. Identification C. Authorization D. Token presentation

B. The process of a subject claiming or professing an identity is known as identification. Authorization verifies the identity of a subject by checking a factor like a password. Logins typically include both identification and authorization, and token presentation is a type of authentication.

20. What name is given to the random value added to a password in an attempt to defeat rainbow table attacks? A. Hash B. Salt C. Extender D. Rebar

B. The salt is a random value added to a password before it is hashed by the operating system. The salt is then stored in a password file with the hashed password. This increases the complexity of cryptanalytic attacks by negating the usefulness of attacks that use pre-computed hash values, such as rainbow tables.

62. Brandon observes that an authorized user of a system on his network recently misused his account to exploit a system vulnerability against a shared server that allowed him to gain root access to that server. What type of attack took place? A. Denial of service B. Privilege escalation C. Reconnaissance D. Brute force

B. The scenario describes a privilege escalation attack where a malicious insider with authorized access to a system misused that access to gain privileged credentials.

44. Tim is a forensic analyst who is attempting to retrieve information from a hard drive. It appears that the user attempted to erase the data, and Tim is trying to reconstruct it. What type of forensic analysis is Tim performing? A. Software analysis B. Media analysis C. Embedded device analysis D. Network analysis

B. The scrutiny of hard drives for forensic purposes is an example of media analysis. Embedded device analysis looks at the computers included in other large systems, such as automobiles or security systems. Software analysis analyzes applications and their logs. Network analysis looks at network traffic and logs.

Chris has recently been hired into a new organization. The organization that Chris belongs to uses the following classification process:
1. Criteria are set for classifying data.
2. Data owners are established for each type of data.
3. Data is classified.
4. Required controls are selected for each classification.
5. Baseline security standards are selected for the organization.
6. Controls are scoped and tailored.
7. Controls are applied and enforced.
8. Access is granted and managed.
58. Chris manages a team of system administrators. What data role are they fulfilling if they conduct steps 6, 7, and 8 of the classification process? A. They are system owners and administrators. B. They are administrators and custodians. C. They are data owners and administrators. D. They are custodians and users.

B. The system administrators are acting in the roles of data administrators who grant access and will also act as custodians who are tasked with the day-to-day application of security controls. They are not acting as data owners who own the data itself. Typically, system administrators are delegated authority by system owners, such as a department head, and of course they are tasked with providing access to users.

During a port scan, Ben uses nmap's default settings and sees the following results.
Nmap scan report for 192.168.184.130
Host is up (1.0s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
3306/tcp open  mysql
5432/tcp open  postgresql
5900/tcp open  vnc
6000/tcp open  X11
6667/tcp open  irc
8009/tcp open  ajp13
8081/tcp open  unknown
86. Based on the scan results, what OS was the system that was scanned most likely running? A. Windows Desktop B. Linux C. Network device D. Windows Server

B. The system is likely a Linux system. The system shows X11, as well as login, shell, and nfs ports, all of which are more commonly found on Linux systems than Windows systems or network devices. This system is also very poorly secured; many of the services running on it should not be exposed in a modern secure network.

18. Why is it cost effective to purchase high-quality media to contain sensitive data? A. Expensive media is less likely to fail. B. The value of the data often far exceeds the cost of the media. C. Expensive media is easier to encrypt. D. More expensive media typically improves data integrity.

B. The value of the data contained on media often exceeds the cost of the media, making more expensive media that may have a longer life span or additional capabilities like encryption support a good choice. While expensive media may be less likely to fail, the reason it makes sense is the value of the data, not just that it is less likely to fail. In general, the cost of the media doesn't have anything to do with the ease of encryption, and data integrity isn't ensured by better media.

45. As part of his role as a security manager, Jacob provides the following chart to his organization's management team (TIME TO REMEDIATE IN DAYS vs NUMBER OF VULNERABILITIES). What type of measurement is he providing for them? A. A coverage rate measure B. A key performance indicator C. A time to live metric D. A business criticality indicator

B. Time to remediate a vulnerability is a commonly used key performance indicator for security teams. Time to live measures how long a packet can exist in hops, business criticality is a measure used to determine how important a service or system is to an organization, and coverage rates are used to measure how effective code testing is.

80. The security administrators at the company that Susan works for have configured the workstation she uses to allow her to log in only during her work hours. What type of access control best describes this limitation? A. Constrained interface B. Context-dependent control C. Content-dependent control D. Least privilege

B. Time-based controls are an example of context-dependent controls. A constrained interface would limit what Susan was able to do in an application or system interface, while content-dependent control would limit her access to content based on her role or rights. Least privilege is used to ensure that subjects only receive the rights they need to perform their role.

92. Tommy is planning to implement a power conditioning UPS for a rack of servers in his data center. Which one of the following conditions will the UPS be unable to protect against if it persists for more than a few minutes? A. Fault B. Blackout C. Sag D. Noise

B. UPSes are designed to protect against short-term power losses, such as power faults. When they conduct power conditioning, they are also able to protect against sags and noise. UPSes have limited-life batteries and are not able to maintain continuous operation during a sustained blackout.

61. Ben's company, which is based in the EU, hires a third-party organization that processes data for it. Who has responsibility to protect the privacy of the data and ensure that it isn't used for anything other than its intended purpose? A. Ben's company is responsible. B. The third-party data processor is responsible. C. The data controller is responsible. D. Both organizations bear equal responsibility.

B. Under the EU's DPD, data processors like the third-party company in this question bear responsibility for ensuring that the data is not used for anything other than the purpose for which it is intended. Ben's company is the data controller, while the third party is the data processor, leaving the third party with that role.

Ben's organization has begun to use STRIDE to assess their software, and has identified threat agents and the business impacts that these threats could have. Now they are working to identify appropriate controls for the issues they have identified. Use the STRIDE model to answer the following question. 79. Ben's development team needs to address an authorization issue, resulting in an elevation of privilege threat. Which of the following controls is most appropriate to this type of issue? A. Auditing and logging is enabled. B. RBAC is used for specific operations. C. Data type and format checks are enabled. D. User input is tested against a whitelist.

B. Using role-based access controls (RBACs) for specific operations will help to ensure that users cannot perform actions that they should not be able to. Auditing and logging can help detect abuse but won't prevent it, and data type, format checks, and whitelisting are all useful for preventing attacks like SQL injection and buffer overflow attacks but are not as directly aimed at authorization issues.

98. Chris is setting up a hotel network, and needs to ensure that systems in each room or suite can connect to each other, but systems in other suites or rooms cannot. At the same time, he needs to ensure that all systems in the hotel can reach the Internet. What solution should he recommend as the most effective business solution? A. Per-room VPNs B. VLANs C. Port security D. Firewalls

B. VLANs can be used to logically separate groups of network ports while still providing access to an uplink. Per-room VPNs would create significant overhead for support as well as create additional expenses. Port security is used to limit what systems can connect to ports, but it doesn't provide network security between systems. Finally, while firewalls might work, they would add additional expense and complexity without adding any benefits over a VLAN solution.

97. What two key issues with the implementation of RC4 make Wired Equivalent Privacy (WEP) even weaker than it might otherwise be? A. Its use of a static common key and client-set encryption algorithms B. Its use of a static common key and a limited number of initialization vectors C. Its use of weak asymmetric keys and a limited number of initialization vectors D. Its use of a weak asymmetric key and client-set encryption algorithms

B. WEP's implementation of RC4 is weakened by its use of a static common key and a limited number of initialization vectors. It does not use asymmetric encryption, and clients do not select encryption algorithms.

11. During a wireless network penetration test, Susan runs aircrack-ng against the network using a password file. What might cause her to fail in her password-cracking efforts? A. Use of WPA2 encryption B. Running WPA2 in Enterprise mode C. Use of WEP encryption D. Running WPA2 in PSK mode

B. WPA2 Enterprise uses RADIUS authentication for users rather than a preshared key. This means a password attack is more likely to fail, as password attempts for a given user may result in account lock-out. WPA2 encryption will not stop a password attack, and WPA2's preshared key mode is specifically targeted by password attacks that attempt to find the key. Not only is WEP encryption outdated, but it can also frequently be cracked quickly by tools like aircrack-ng.

53. Process _______________ ensures that any behavior will affect only the memory and resources associated with a process. A. Restriction B. Isolation C. Limitation D. Parameters

B. When a process is confined within certain access bounds, that process runs in isolation. Isolation protects the operating environment, the operating system kernel, and other processes running on the system.

34. Chris uses a cellular hot spot (modem) to provide Internet access when he is traveling. If he leaves the hot spot connected to his PC while his PC is on his organization's corporate network, what security issue might he cause? A. Traffic may not be routed properly, exposing sensitive data. B. His system may act as a bridge from the Internet to the local network. C. His system may be a portal for a reflected DDoS attack. D. Security administrators may not be able to determine his IP address if a security issue occurs.

B. When a workstation or other device is connected simultaneously to both a secure and a nonsecure network like the Internet, it may act as a bridge, bypassing the security protections located at the edge of a corporate network. It is unlikely that traffic will be routed improperly leading to the exposure of sensitive data, as traffic headed to internal systems and networks is unlikely to be routed to the external network. Reflected DDoS attacks are used to hide identities rather than to connect through to an internal network, and security administrators of managed systems should be able to determine both the local and wireless IP addresses his system uses.

56. Which one of the following individuals poses the greatest risk to security in most well-defended organizations? A. Political activist B. Malicious insider C. Script kiddie D. Thrill attacker

B. While all hackers with malicious intent pose a risk to the organization, the malicious insider poses the greatest risk to security because they likely have legitimate access to sensitive systems that may be used as a launching point for an attack. Other attackers do not begin with this advantage.

64. Susan is working with the management team in her company to classify data in an attempt to apply extra security controls that will limit the likelihood of a data breach. What principle of information security is Susan trying to enforce? A. Availability B. Denial C. Confidentiality D. Integrity

C. Confidentiality controls prevent the disclosure of sensitive information to unauthorised individuals. Limiting the likelihood of a data breach is an attempt to prevent unauthorised disclosure.

89. One of the findings that Jim made when performing a security audit was the use of non-IP protocols in a private network. What issue should Jim point out that may result from the use of these non-IP protocols? A. They are outdated and cannot be used on modern PCs. B. They may not be able to be filtered by firewall devices. C. They may allow Christmas tree attacks. D. IPX extends on the IP protocol and may not be supported by all TCP stacks.

B. While non-IP protocols like IPX/SPX, NetBEUI, and AppleTalk are rare in modern networks, they can present a challenge because many firewalls are not capable of filtering them. This can create risks when they are necessary for an application or system's function because they may have to be passed without any inspection. Christmas tree attacks set all of the possible flags on a TCP packet (and are thus related to an IP protocol), IPX is not an IP-based protocol, and while these protocols are outdated, there are ways to make even modern PCs understand them.

The company that Jennifer works for has implemented a central logging infrastructure, as shown in the following image (CORPORATE NETWORK that has WiFi access point and Windows desktop systems [FIREWALL] DATA CENTRE to SIEM appliance, Linux Database server & Linux Web server). Use this diagram and your knowledge of logging systems to answer the following question. 20. During normal operations, Jennifer's team uses the SIEM appliance to monitor for exceptions received via syslog. What system shown does not natively have support for syslog events? A. Enterprise wireless access points B. Windows desktop systems C. Linux web servers D. Enterprise firewall devices

B. Windows systems generate logs in the Windows native logging format. To send syslog events, Windows systems require a helper application or tool. Enterprise wireless access points, firewalls, and Linux systems all typically support syslog.

99. What authentication protocol does Windows use by default for Active Directory systems? A. RADIUS B. Kerberos C. OAuth D. TACACS+

B. Windows uses Kerberos for authentication. RADIUS is typically used for wireless networks, modems, and network devices, while OAuth is primarily used for web applications. TACACS+ is used for network devices.

68. In the transaction shown here, what would happen if the database failed in between the first and second update statement? [BEGIN TRANSACTION; UPDATE accounts SET balance = balance + 250 WHERE account_number = 1001; UPDATE accounts SET balance = balance - 250 WHERE account_number = 2002; COMMIT TRANSACTION] A. The database would credit the first account with $250 in funds but then not reduce the balance of the second account. B. The database would ignore the first command and only reduce the balance of the second account by $250. C. The database would roll back the transaction, ignoring the results of both commands. D. The database would successfully execute both commands.

C. A database failure in the middle of a transaction causes the rollback of the entire transaction. In this scenario, the database would not execute either command.

34. Kim is troubleshooting an application firewall that serves as a supplement to the organization's network and host firewalls and intrusion prevention system, providing added protection against web-based attacks. The issue the organization is experiencing is that the firewall technology suffers somewhat frequent restarts that render it unavailable for 10 minutes at a time. What configuration might Kim consider to maintain availability during that period at the lowest cost to the company? A. High availability cluster B. Failover device C. Fail open D. Redundant disks

C. A fail open configuration may be appropriate in this case. In this configuration, the firewall would continue to pass traffic without inspection while it is restarting. This would minimize downtime, and the traffic would still be protected by the other security controls described in the scenario. Failover devices and high availability clusters would indeed increase availability, but at potentially significant expense. Redundant disks would not help in this scenario because no disk failure is described.

89. What technique do API developers most commonly use to limit access to an API to authorized individuals and applications? A. Encryption B. Input validation C. API keys D. IP filters

C. API developers commonly use API keys to limit access to authorized users and applications. Encryption provides for confidentiality of information exchanged using an API but does not provide authentication. Input validation is an application security technique used to protect against malicious input. IP filters may be used to limit access to an API, but they are not commonly used because it is difficult to deploy an API with IP filters since the filters require constant modification and maintenance as endpoints change.

Robert is a consultant who helps organisations create and develop mature software development practices. He prefers to use the Software Capability Maturity Model (SWCMM) to evaluate the current and future status of organizations using both independent review and self-assessments. He is currently working with two different clients. Acme Widgets is not very well organised with their software development practices. They have a dedicated team of developers who do "whatever it takes" to get software out the door, but they do not have any formal processes. Beta Particles is a company with years of experience developing software using formal, documented software development processes. They use a standard model for software development but do not have a quantitative management of those processes. 17. What phase of the SW-CMM should Robert report as the current status of Acme Widgets? A. Defined B. Repeatable C. Initial D. Managed

C. Acme Widgets is clearly in the initial stage of the SW-CMM. This stage is characterized by the absence of formal process. The company may still produce working code, but they do so in a disorganized fashion.

23. When developing a business impact analysis, the team should first create a list of assets. What should happen next? A. Identify vulnerabilities in each asset. B. Determine the risks facing the asset. C. Develop a value for each asset. D. Identify threats facing each asset.

C. After developing a list of assets, the business impact analysis team should assign values to each asset.

14. Bobby is investigating how an authorized database user is gaining access to information outside his normal clearance level. Bobby believes that the user is making use of a type of function that summarizes data. What term describes this type of function? A. Inference B. Polymorphic C. Aggregate D. Modular

C. Aggregate functions summarize large amounts of data and provide only summary information as a result. When carefully crafted, aggregate functions may unintentionally reveal sensitive information.

63. An attacker posted a message to a public discussion forum that contains an embedded malicious script that is not displayed to the user but executes on the user's system when read. What type of attack is this? A. Persistent XSRF B. Nonpersistent XSRF C. Persistent XSS D. Nonpersistent XSS

C. Attacks where the malicious user tricks the victim's web browser into executing a script through the use of a third-party site are known as cross-site scripting (XSS) attacks. This particular attack is a persistent XSS attack because it remains on the discussion forum until an administrator discovers and deletes it, giving it the ability to affect many users.

3. Which one of the following statements is not true about code review? A. Code review should be a peer-driven process that includes multiple developers. B. Code review may be automated. C. Code review occurs during the design phase. D. Code reviewers may expect to review several hundred lines of code per hour.

C. Code review takes place after code has been developed, which occurs after the design phase of the system's development life cycle (SDLC). Code review may use a combination of manual and automated techniques, or rely solely on one or the other. It should be a peer-driven process that includes developers who did not write the code. Developers should expect to complete the review of around 300 lines per hour, on average.

78. What principle of information security states that an organisation should implement overlapping security controls whenever possible? A. Least privilege B. Separation of duties C. Defense in depth D. Security through obscurity

C. Defense in depth states that organizations should have overlapping security controls designed to meet the same security objectives whenever possible. This approach provides security in the event of a single control failure.

41. What property of relational databases ensures that once a database transaction is committed to the database, it is preserved? A. Atomicity B. Consistency C. Durability D. Isolation

C. Durability requires that once a transaction is committed to the database it must be preserved. Atomicity ensures that if any part of a database transaction fails, the entire transaction must be rolled back as if it never occurred. Consistency ensures that all transactions are consistent with the logical rules of the database, such as having a primary key. Isolation requires that transactions operate separately from each other.

53. Which one of the following is not normally considered a business continuity task? A. Business impact assessment B. Emergency response guidelines C. Electronic vaulting D. Vital records program

C. Electronic vaulting is a data backup task that is part of disaster recovery, not business continuity, efforts.

56. Who should receive initial business continuity plan training in an organisation? A. Senior executives B. Those with specific business continuity roles C. Everyone in the organisation D. First responders

C. Everyone in the organisation should receive a basic awareness training for the business continuity program. Those with specific roles, such as first responders and senior executives, should also receive detailed, role-specific training.

60. Which of the following statements is true about heuristic-based antimalware software? A. It has a lower false positive rate than signature detection. B. It requires frequent definition updates to detect new malware. C. It has a higher likelihood of detecting zero-day exploits than signature detection. D. It monitors systems for files with content known to be viruses.

C. Heuristic-based anti-malware software has a higher likelihood of detecting a zero-day exploit than signature-based methods. Heuristic-based software does not require frequent signature updates because it does not rely upon monitoring systems for the presence of known malware. The trade-off with this approach is that it has a higher false positive rate than signature detection methods.

57. James is conducting a risk assessment for his organisation and is attempting to assign an asset value to the servers in his data centre. The organisation's primary concern is ensuring that it has sufficient funds available to rebuild the data centre in the event it is damaged or destroyed. Which one of the following asset valuation methods would be most appropriate in this situation? A. Purchase cost B. Depreciated cost C. Replacement cost D. Opportunity cost

C. If the organisation's primary concern is the cost of rebuilding the data centre, James should use the replacement cost method to determine the current market price for equivalent servers.

87. Alan is performing threat modeling and decides that it would be useful to decompose the system into the key elements (IMAGE). What tool is he using? A. Vulnerability assessment B. Fuzzing C. Reduction analysis D. Data modeling

C. In reduction analysis, the security professional breaks the system down into five key elements: trust boundaries, data flow paths, input points, privileged operations, and details about security controls.

10. In the diagram shown here, which is an example of a method? A. Account B. Owner C. AddFunds D. None of the above

C. In the diagram, Account is the name of the class. Owner and Balance are attributes of that class. AddFunds and RemoveFunds are methods of the class.

99. John is analysing an attack against his company in which the attacker found comments embedded in HTML code that provided the clues needed to exploit a software vulnerability. Using the STRIDE model, what type of attack did he uncover? A. Spoofing B. Repudiation C. Information disclosure D. Elevation of privilege

C. Information disclosure attacks rely upon the revelation of private, confidential, or controlled information. Programming comments embedded in HTML code are an example of this type of attack.

Linda is reviewing posts to a user forum on her company's website and when she browses a certain post, a message pops up in a dialog box on her screen reading "Alert." She reviews the source code for the post and finds the following code snippet: <script>alert('Alert');</script> 40. In further discussions with the vendor, Linda finds that they are willing to correct the issue but do not know how to update their software. What technique would be most effective in mitigating the vulnerability of the application to this type of attack? A. Bounds checking B. Peer review C. Input validation D. OS patching

C. Input validation verifies that user-supplied input does not violate security conditions and is the most effective defense against cross-site scripting attacks. Bounds checking is a form of input validation, but it is used to ensure that numeric input falls within an acceptable range and is not applicable against cross-site scripting attacks. Peer review and OS patching are both good security practices but are unlikely to be effective against a cross-site scripting attack.

50. Which one of the following database issues occurs when one transaction writes a value to the database that overwrites a value that was needed by transactions with earlier precedence? A. Dirty read B. Incorrect summary C. Lost update D. SQL injection

C. Lost updates occur when one transaction writes a value to the database that overwrites a value needed by transactions that have earlier precedence, causing those transactions to read an incorrect value. Dirty reads occur when one transaction reads a value from a database that was written by another transaction that did not commit. Incorrect summaries occur when one transaction is using an aggregate function to summarize data stored in a database while a second transaction is making modifications to the database, causing the summary to include incorrect information. SQL injection is a web application security flaw, not a database concurrency problem.

100. What type of virus is characterized by the use of two or more different propagation mechanisms to improve its likelihood of spreading between systems? A. Stealth virus B. Polymorphic virus C. Multipartite virus D. Encrypted virus

C. Multipartite viruses use multiple propagation mechanisms to spread between systems. This improves their likelihood of successfully infecting a system because it provides alternative infection mechanisms that may be successful against systems that are not vulnerable to the primary infection mechanism.

74. Which one of the following agreements typically requires that a vendor not disclose confidential information learned during the scope of an engagement? A. NCA B. SLA C. NDA D. RTO

C. Non-disclosure agreements (NDAs) typically require either mutual or one-way confidentiality in a business relationship. Service-level agreements (SLAs) specify service uptime and other performance measures. Non-compete agreements (NCAs) limit the future employment possibilities of employees. Recovery time objectives (RTOs) are used in business continuity planning.

5. Which process is responsible for ensuring that changes to software include acceptance testing? A. Request control B. Change control C. Release control D. Configuration control

C. One of the responsibilities of the release control process is ensuring that the process includes acceptance testing that confirms that any alterations to end-user work tasks are understood and functional prior to code release. The request control, change control, and configuration control processes do not include acceptance testing.

80. Which one of the following techniques is an effective countermeasure against some inference attacks? A. Input validation B. Parameterization C. Polyinstantiation D. Server-side validation

C. Polyinstantiation allows the storage of multiple different pieces of information in a database at different classification levels to prevent attackers from inferring anything about the absence of information. Input validation, server-side validation, and parameterization are all techniques used to prevent web application attacks and are not effective against inference attacks.

Juniper Content is a web content development company with 40 employees located in two offices: one in New York and a smaller office in the San Francisco Bay Area. Each office has a local area network protected by a perimeter firewall. The LAN contains modern switch equipment connected to both wired and wireless networks. Each office has its own file server, and the IT team runs software every hour to synchronise files between the two servers, distributing content between the offices. These servers are primarily used to store images and other files related to web content developed by the company. The team also uses a SaaS-based email and document collaboration solution for much of their work. You are the newly appointed IT manager for Juniper Content and you are working to augment existing security controls to improve the organisation's security. 48. You are also concerned about the availability of data stored on each office's server. You would like to add technology that would enable continued access to files located on the server even if a hard drive in a server fails. What integrity control allows you to add robustness without adding additional servers? A. Server clustering B. Load balancing C. RAID D. Scheduled backups

C. Redundant Array of Inexpensive Disks (RAID) uses additional hard drives to protect the server against the failure of a single device. Load balancing and server clustering do add robustness but require the addition of a server. Scheduled backups protect against data loss but do not provide immediate access to data in the event of a hard drive failure.

21. Which one of the following database keys is used to enforce referential integrity relationships between tables? A. Primary key B. Candidate key C. Foreign key D. Master key

C. Referential integrity ensures that records exist in a secondary table when they are referenced with a foreign key from another table. Foreign keys are the mechanism used to enforce referential integrity.

26. Tracy is preparing to apply a patch to her organisation's enterprise resource planning system. She is concerned that the patch may introduce flaws that did not exist in prior versions, so she plans to conduct a test that will compare previous responses to input with those produced by the newly patched application. What type of testing is Tracy planning? A. Unit testing B. Acceptance testing C. Regression testing D. Vulnerability testing

C. Regression testing is software testing that runs a set of known inputs against an application and then compares the results to those produced by an earlier version of the software. It is designed to capture unanticipated consequences of deploying new code versions prior to introducing them into a production environment.

24. Mike recently implemented an intrusion prevention system designed to block common network attacks from affecting his organization. What type of risk management strategy is Mike pursuing? A. Risk acceptance B. Risk avoidance C. Risk mitigation D. Risk transference

C. Risk mitigation strategies attempt to lower the probability and/or impact of a risk occurring. Intrusion prevention systems attempt to reduce the probability of a successful attack and are, therefore, examples of risk mitigation.

95. Ryan is a security risk analyst for an insurance company. He is currently examining a scenario in which a hacker might use a SQL injection attack to deface a web server due to a missing patch in the company's web application. In this scenario, what is the threat? A. Unpatched web application B. Web defacement C. Hacker D. Operating system

C. Risks are the combination of a threat and a vulnerability. Threats are the external forces seeking to undermine security, such as the hacker in this case. Vulnerabilities are the internal weaknesses that might allow a threat to succeed. In this case, the missing patch is the vulnerability. In this scenario, if the hacker (threat) attempts a SQL injection attack against the unpatched server (vulnerability), the result is website defacement.

90. Which one of the following statements about malware is correct? A. Malware authors do not target Macintosh or Linux systems. B. The most reliable way to detect known malware is watching for unusual system activity. C. Signature detection is the most effective technique to combat known malware. D. APT attackers typically use malware designed to exploit vulnerabilities identified in security bulletins.

C. Signature detection is extremely effective against known strains of malware because it uses a very reliable pattern matching technique to identify known malware. Signature detection is, therefore, the most reliable way to detect known malware. This technique is not, however, effective against the zero-day malware typically used by advanced persistent threats (APTs) that does not exploit vulnerabilities identified in security bulletins. While malware authors once almost exclusively targeted Windows systems, malware now exists for all major platforms.

7. In 1991, the federal sentencing guidelines formalized a rule that requires senior executives to take personal responsibility for information security matters. What is the name of this rule? A. Due diligence rule B. Personal liability rule C. Prudent man rule D. Due process rule

C. The prudent man rule requires that senior executives take personal responsibility for ensuring the due care that ordinary, prudent individuals would exercise in the same situation. The rule originally applied to financial matters, but the Federal Sentencing Guidelines applied it to information security matters in 1991.

64. Which one of the following is not a principle of the Agile software development process? A. Welcome changing requirements, even late in the development process. B. Maximizing the amount of work not done is essential. C. Clear documentation is the primary measure of progress. D. Build projects around motivated individuals.

C. The Agile Manifesto includes 12 principles for software development. Three of those are listed as answer choices: maximizing the amount of work not done is essential, build projects around motivated individuals, and welcome changing requirements throughout the development process. Agile does not, however, consider clear documentation the primary measure of progress. Instead, working software is the primary measure of progress.

38. Florian receives a flyer from a federal agency announcing that a new administrative law will affect his business operations. Where should he go to find the text of the law? A. United States Code B. Supreme Court rulings C. Code of Federal Regulations D. Compendium of Laws

C. The Code of Federal Regulations (CFR) contains the text of all administrative laws promulgated by federal agencies. The United States Code contains criminal and civil law. Supreme Court rulings contain interpretations of law and are not laws themselves. The Compendium of Laws does not exist.

70. What is the threshold for malicious damage to a federal computer system that triggers the Computer Fraud and Abuse Act? A. $500 B. $2,500 C. $5,000 D. $10,000

C. The Computer Fraud and Abuse Act (CFAA) makes it a federal crime to maliciously cause damage in excess of $5,000 to a federal computer system during any one-year period.

3. Under the Digital Millennium Copyright Act (DMCA), what type of offenses do not require prompt action by an Internet service provider after it receives a notification of infringement claim from a copyright holder? A. Storage of information by a customer on a provider's server B. Caching of information by the provider C. Transmission of information over the provider's network by a customer D. Caching of information in a provider search engine

C. The DMCA states that providers are not responsible for the transitory activities of their users. Transmission of information over a network would qualify for this exemption. The other activities listed are all nontransitory actions that require remediation by the provider.

96. What approach to technology management integrates the three components of technology management shown in this illustration? (IMAGE) A. Agile B. Lean C. DevOps D. ITIL

C. The DevOps approach to technology management seeks to integrate software development, operations, and quality assurance in a seamless approach that builds collaboration between the three disciplines.

46. Which of the following organizations is widely considered as the definitive source for information on web-based attack vectors? A. (ISC)2 B. ISACA C. OWASP D. Mozilla Foundation

C. The Open Web Application Security Project (OWASP) is widely considered as the most authoritative source on web application security issues. They publish the OWASP Top Ten list that publicizes the most critical web application security issues.

28. Victor recently took a new position at an online dating website and is responsible for leading a team of developers. He realized quickly that the developers are having issues with production code because they are working on different projects that result in conflicting modifications to the production code. What process should Victor invest in improving? A. Request control B. Release control C. Change control D. Configuration control

C. The change control process is responsible for providing an organized framework within which multiple developers can create and test a solution prior to rolling it out in a production environment. Request control provides a framework for user requests. Release control manages the deployment of code into production. Configuration control ensures that changes to software versions are made in accordance with the change and configuration management policies.

23. Victor created a database table that contains information on his organization's employees. The table contains the employee's user ID, three different telephone number fields (home, work, and mobile), the employee's office location, and the employee's job title. There are 16 records in the table. What is the degree of this table? A. 3 B. 4 C. 6 D. 16

C. The degree of a database table is the number of attributes in the table. Victor's table has six attributes: the employee's user ID, home telephone, office telephone, mobile telephone, office location, and job title.

18. Which one of the following principles imposes a standard of care upon an individual that is broad and equivalent to what one would expect from a reasonable person under the circumstances? A. Due diligence B. Separation of duties C. Due care D. Least privilege

C. The due care principle states that an individual should react in a situation using the same level of care that would be expected from any reasonable person. It is a very broad standard. The due diligence principle is a more specific component of due care that states that an individual assigned a responsibility should exercise due care to complete it accurately and in a timely manner.

Henry is the risk manager for Atwood Landing, a resort community in the midwestern United States. The resort's main data centre is located in northern Indiana in an area that is prone to tornados. Henry recently undertook a replacement cost analysis and determined that rebuilding and reconfiguring the data centre would cost $10 million. Henry consulted with tornado experts, data centre specialists, and structural engineers. Together, they determined that a typical tornado would cause approximately $5 million of damage to the facility. The meteorologists determined that Atwood's facility lies in an area where they are likely to experience a tornado once every 200 years. 96. Based upon the information in this scenario, what is the exposure factor for the effect of a tornado on Atwood Landing's data centre? A. 10% B. 25% C. 50% D. 75%

C. The exposure factor is the percentage of the facility that risk managers expect will be damaged if a risk materialises. It is calculated by dividing the amount of damage by the asset value. In this case, that is $5 million in damage divided by the $10 million facility value, or 50%.

87. Lucas runs the accounting systems for his company. The morning after a key employee was fired, systems began mysteriously losing information. Lucas suspects that the fired employee tampered with the systems prior to his departure. What type of attack should Lucas suspect? A. Privilege escalation B. SQL injection C. Logic bomb D. Remote code execution

C. The key to this question is that Lucas suspects the tampering took place before the employee departed. This is the signature of a logic bomb: malicious code that lies dormant until certain conditions are met. The other attack types listed here: privilege escalation, SQL injection, and remote code execution would more likely take place in real time.

54. While evaluating a potential security incident, Harry comes across a log entry from a web server request showing that a user entered the following input into a form field: CARROT'&1=1,-- What type of attack was attempted? A. Buffer overflow B. Cross-site scripting C. SQL injection D. Cross-site request forgery

C. The single quotation mark in the input field is a telltale sign that this is a SQL injection attack. The quotation mark is used to escape outside of the SQL code's input field, and the text following is used to directly manipulate the SQL command sent from the web application to the database.

24. Carrie is analysing the application logs for her web-based application and comes across the following string: ../../../../../etc/passwd What type of attack was likely attempted against Carrie's application? A. Command injection B. Session hijacking C. Directory traversal D. Brute force

C. The string shown in the logs is characteristic of a directory traversal attack where the attacker attempts to force the web application to navigate up the file hierarchy and retrieve a file that should not normally be provided to a web user, such as the password file. The series of "double dots" is indicative of a directory traversal attack because it is the character string used to reference the directory one level up in a hierarchy.

65. Samantha is responsible for the development of three new code modules that will form part of a complex system that her company is developing. She is prepared to publish her code and runs a series of tests against each module to verify that it works as intended. What type of testing is Samantha conducting? A. Regression testing B. Integration testing C. Unit testing D. System testing

C. Unit testing works on individual system components, such as code modules. Regression testing is used to validate updates to code by comparing the output of the new version with previous versions. Samantha is developing new modules, so regression testing is not relevant. Integration and system testing require a broader scope than individual modules.

44. Which one of the following types of software testing usually occurs last and is executed against test scenarios? A. Unit testing B. Integration testing C. User acceptance testing D. System testing

C. User acceptance testing (UAT) is typically the last phase of the testing process. It verifies that the solution developed meets user requirements and validates it against use cases. Unit testing, integration testing, and system testing are all conducted earlier in the process leading up to UAT.

90. Which one of the following tools is most often used for identification purposes and is not suitable for use as an authenticator? A. Password B. Retinal scan C. Username D. Token

C. Usernames are an identification tool. They are not secret, so they are not suitable for use as a password.

52. Faith is looking at the /etc/passwd file on a system configured to use shadowed passwords. When she examines a line in the file for a user with interactive login permissions, what should she expect to see in the password field? A. Plaintext password B. Hashed password C. x D. *

C. When a system uses shadowed passwords, the hashed password value is stored in /etc/shadow instead of /etc/passwd. The /etc/passwd file would not contain the password in plaintext or hashed form. Instead, it would contain an x to indicate that the password hash is in the shadow file. The * character is normally used to disable interactive logins to an account.

81. Ursula is a government web developer who recently created a public application that offers property records. She would like to make it available for other developers to integrate into their applications. What can Ursula create to make it easiest for developers to call her code directly and integrate the output into their applications? A. Object model B. Data dictionary C. API D. Primary key

C. While Ursula may certainly use an object model, data dictionary, and primary key in her development effort, external developers cannot directly use them to access her code. An application programming interface (API) allows other developers to call Ursula's code from within their own without knowing the details of Ursula's implementation.

76. Which one of the following stakeholders is not typically included on a business continuity planning team? A. Core business function leaders B. Information technology staff C. CEO D. Support departments

C. While senior management should be represented on the BCP team, it would be highly unusual for the CEO to fill this role personally.

82. During what phase of the IDEAL model do organizations develop a specific plan of action for implementing change? A. Initiating B. Diagnosing C. Establishing D. Acting

C. In the Establishing phase of the IDEAL model, the organization takes the general recommendations from the Diagnosing phase and develops a specific plan of action that achieves those changes.

25. What speed and frequency range is used by 802.11n? A. 54 Mbps, 5 GHz B. 200+ Mbps, 5 GHz C. 200+ Mbps, 2.4 and 5 GHz D. 1 Gbps, 5 GHz

C. 802.11n can operate at speeds over 200 Mbps, and it can operate on both the 2.4 and 5 GHz frequency range. 802.11g operates at 54 Mbps using the 2.4 GHz frequency range, and 802.11ac is capable of 1 Gbps using the 5 GHz range. 802.11a and b are both outdated and are unlikely to be encountered in modern network installations.

78. What is the speed of a T3 line? A. 128 kbps B. 1.544 Mbps C. 44.736 Mbps D. 155 Mbps

C. A T3 (DS-3) line is capable of 44.736 Mbps. This is often referred to as 45 Mbps. A T1 is 1.544 Mbps, ATM is 155 Mbps, and ISDN is often 64 or 128 Mbps.

93. During a penetration test of her organization, Kathleen's IPS detects a port scan that has the URG, FIN, and PSH flags set and produces an alarm. What type of scan is the penetration tester attempting? A. A SYN scan B. A TCP flag scan C. An Xmas scan D. An ACK scan

C. A TCP scan that sets all or most of the possible TCP flags is called a Christmas tree, or Xmas, scan since it is said to "light up like a Christmas tree" with the flags. A SYN scan would attempt to open TCP connections, whereas an ACK scan sends packets with the ACK flag set. There is no such type of scan known as a TCP flag scan.

81. When Lauren uses a fingerprint scanner to access her bank account, what type of authentication factor is she using? A. Type 1 B. Type 2 C. Type 3 D. Type 4

C. A Type 3 authentication factor is "something you are," like a biometric identifier. A Type 1 authentication factor is "something you know." A Type 2 factor is "something you have," like a smart card or hardware token. There is no Type 4 authentication factor.

[USER WORKSTATION -A- COMMUNICATES TO INTERNET -C- VIA -B- CONNECTS TO SERVER -E- VIA -F- INTERNET AND SERVER COMMUNICATE VIA -D-] Triangle 70. Which letters should be associated with data at rest? A. A, B, and C B. C and E C. A and E D. B, D, and F

C. A and E can both be expected to have data at rest. C, the Internet, is an unknown, and the data can't be guaranteed to be at rest. B, D, and F are all data in transit across network links.

33. What network topology is shown in the image below (workstations on both sides of cable)? A. A ring B. A star C. A bus D. A mesh

C. A bus can be linear or tree-shaped and connects each system to a trunk or backbone cable. Ethernet networks operate on a bus topology.

4. Lauren's and Nick's PCs simultaneously send traffic by transmitting at the same time. What network term describes the range of systems on a network that could be affected by this same issue? A. The subnet B. The supernet C. A collision domain D. A broadcast domain

C. A collision domain is the set of systems that could cause a collision if they transmitted at the same time. Systems outside of a collision domain cannot cause a collision if they send at the same time. This is important, as the number of systems in a collision domain increases the likelihood of network congestion due to an increase in collisions. A broadcast domain is the set of systems that can receive a broadcast from each other. A subnet is a logical division of a network, while a supernet is made up of two or more networks.

90. Embedded data used to help identify the owner of a file is an example of what type of label? A. Copyright notice B. DLP C. Digital watermark D. Steganography

C. A digital watermark is used to identify the owner of a file or to otherwise label it. A copyright notice provides information about the copyright asserted on the file, while data loss prevention (DLP) is a solution designed to prevent data loss. Steganography is the science of hiding information, often in images or files.

17. Which one of the following tasks is performed by a forensic disk controller? A. Masking error conditions reported by the storage device B. Transmitting write commands to the storage device C. Intercepting and modifying or discarding commands sent to the storage device D. Preventing data from being returned by a read operation sent to the device

C. A forensic disk controller performs four functions. One of those, write blocking, intercepts write commands sent to the device and prevents them from modifying data on the device. The other three functions include returning data requested by a read operation, returning access-significant information from the device, and reporting errors from the device back to the forensic host.

92. Jim is building a research computing system that benefits from being part of a full mesh topology between systems. In a five-node full mesh topology design, how many connections will an individual node have? A. Two B. Three C. Four D. Five

C. A full mesh topology directly connects each machine to every other machine on the network. For five systems, this means four connections per system.

61. Melanie suspects that someone is using malicious software to steal computing cycles from her company. Which one of the following security tools would be in the best position to detect this type of incident? A. NIDS B. Firewall C. HIDS D. DLP

C. A host-based intrusion detection system (HIDS) may be able to detect unauthorized processes running on a system. The other controls mentioned, network intrusion detection systems (NIDSs), firewalls, and DLP systems, are network-based and may not notice rogue processes.

89. Saria needs to write a request for proposal for code review and wants to ensure that the reviewers take the business logic behind her organization's applications into account. What type of code review should she specify in the RFP? A. Static B. Fuzzing C. Manual D. Dynamic

C. A manual code review, which is performed by humans who review code line by line, is the best option when it is important to understand the context and business logic in the code. Fuzzing, dynamic, and static code review can all find bugs that manual code review might not, but won't take the intent of the programmers into account.

65. Chris needs to design a firewall architecture that can support separately a DMZ, a database, and a private internal network. What type of design should he use, and how many firewalls does he need? A. A four-tier firewall design with two firewalls B. A two-tier firewall design with three firewalls C. A three-tier firewall design with at least one firewall D. A single-tier firewall design with three firewalls

C. A three-tier design separates three distinct protected zones and can be accomplished with a single firewall that has multiple interfaces. Single- and two-tier designs don't support the number of protected networks needed in this scenario, while a four-tier design would provide a tier that isn't needed.

Your organization regularly handles three types of data: information that it shares with customers, information that it uses internally to conduct business, and trade secret information that offers the organization significant competitive advantages. Information shared with customers is used and stored on web servers, while both the internal business data and the trade secret information are stored on internal file servers and employee workstations. 15. What technique could you use to mark your trade secret information in case it was released or stolen and you need to identify it? A. Classification B. Symmetric encryption C. Watermarks D. Metadata

C. A watermark is used to digitally label data and can be used to indicate ownership. Encryption would have prevented the data from being accessed if it was lost, while classification is part of the set of security practices that can help make sure the right controls are in place. Finally, metadata is used to label data and might help a data loss prevention system flag it before it leaves your organization.

83. What encryption algorithm would provide strong protection for data stored on a USB thumb drive? A. TLS B. SHA1 C. AES D. DES

C. AES is a strong symmetric cipher that is appropriate for use with data at rest. SHA1 is a cryptographic hash, while TLS is appropriate for data in motion. DES is an outdated and insecure symmetric encryption method.

[USER WORKSTATION -A- COMMUNICATES TO INTERNET -C- VIA -B- CONNECTS TO SERVER -E- VIA -F- INTERNET AND SERVER COMMUNICATE VIA -D-] Triangle 71. What would be the best way to secure data at points B, D, and F? A. AES256 B. SSL C. TLS D. 3DES

C. B, D, and F all show network links. Of the answers provided, Transport Layer Security (TLS) provides the best security for data in motion. AES256 and 3DES are both symmetric ciphers and are more likely to be used for data at rest. SSL has been replaced with TLS and should not be a preferred solution.

Chris has recently been hired into a new organization. The organization that Chris belongs to uses the following classification process: 1. Criteria are set for classifying data. 2. Data owners are established for each type of data. 3. Data is classified. 4. Required controls are selected for each classification. 5. Baseline security standards are selected for the organization. 6. Controls are scoped and tailored. 7. Controls are applied and enforced. 8. Access is granted and managed. 59. If Chris's company operates in the European Union and has been contracted to handle the data for a third party, what role is his company operating in when it uses this process to classify and handle data? A. Business owners B. Mission owners C. Data processors D. Data administrators

C. According to the European Union's Data Protection Directive, third-party organizations that process personal data on behalf of a data controller are known as data processors. The organization that they are contracting with would act in the role of the business or mission owners, and others within Chris's organization would have the role of data administrators, granting access as needed to the data based on their operational procedures and data classification.

During a port scan, Ben uses nmap's default settings and sees the following results. Nmap scan report for 192.168.184.130 Host is up (1.0s latency). Not shown: 977 closed ports PORT - STATE - SERVICE 21/tcp - open - ftp 22/tcp - open - ssh 23/tcp - open - telnet 25/tcp - open - smtp 53/tcp - open - domain 80/tcp - open - http 111/tcp - open - rpcbind 139/tcp - open - netbios-ssn 445/tcp - open - microsoft-ds 512/tcp - open - exec 513/tcp - open - login 514/tcp - open - shell 1099/tcp - open - rmiregistry 1524/tcp - open - ingreslock 2049/tcp - open - nfs 2121/tcp - open - ccproxy-ftp 3306/tcp - open - mysql 5432/tcp - open - postgresql 5900/tcp - open - vnc 6000/tcp - open - X11 6667/tcp - open - irc 8009/tcp - open - ajp13 8081/tcp - open - unknown Nmap done: 1 IP address (1 host up) scanned in 54.69 seconds 85. If Ben is conducting a penetration test, what should his next step be after receiving these results? A. Connect to the web server using a web browser. B. Connect via Telnet to test for vulnerable accounts. C. Identify interesting ports for further scanning. D. Use sqlmap against the open databases.

C. After scanning for open ports using a port scanning tool like nmap, penetration testers will identify interesting ports and then conduct vulnerability scans to determine what services may be vulnerable. This will perform many of the same activities that connecting via a web server will, and will typically be more useful than trying to manually test for vulnerable accounts via Telnet. sqlmap would typically be used after a vulnerability scanner identifies additional information about services, and the vulnerability scanner will normally provide a wider range of useful information.

70. Lauren builds a table that includes assigned privileges, objects, and subjects to manage access control for the systems she is responsible for. Each time a subject attempts to access an object, the systems check the table to ensure that the subject has the appropriate rights to the objects. What type of access control system is Lauren using? A. A capability table B. An access control list C. An access control matrix D. A subject/object rights management system

C. An access control matrix is a table that lists objects, subjects, and their privileges. Access control lists focus on objects and which subjects can access them. Capability tables list subjects and what objects they can access. Subject/object rights management systems are not based on an access control model.

47. Connor's company recently experienced a denial of service attack that Connor believes came from an inside source. If true, what type of event has the company experienced? A. Espionage B. Confidentiality breach C. Sabotage D. Integrity breach

C. An attack committed against an organization by an insider, such as an employee, is known as sabotage. Espionage and confidentiality breaches involve the theft of sensitive information, which is not alleged to have occurred in this case. Integrity breaches involve the unauthorized modification of information, which is not described in this scenario.

34. STRIDE, which stands for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege, is useful in what part of application threat modeling? A. Vulnerability assessment B. Misuse case testing C. Threat categorization D. Penetration test planning

C. An important part of application threat modeling is threat categorization. It helps to assess attacker goals that influence the controls that should be put in place. The other answers all involve topics that are not directly part of application threat modeling.

Chris is designing layered network security for his organization. Using the diagram below 15. If Chris wants to stop cross-site scripting attacks against the web server, what is the best device for this purpose, and where should he put it? A. A firewall, location A B. An IDS, location A C. An IPS, location B D. A WAF, location C

C. An intrusion protection system can scan traffic and stop both known and unknown attacks. A web application firewall, or WAF, is also a suitable technology, but placing it at location C would only protect from attacks via the organization's VPN, which should only be used by trusted users. A firewall typically won't have the ability to identify and stop cross-site scripting attacks, and IDS systems only monitor and don't stop attacks.

94. Chris is designing a cryptographic system for use within his company. The company has 1,000 employees, and they plan to use an asymmetric encryption system. How many total keys will they need? A. 500 B. 1,000 C. 2,000 D. 4,950

C. Asymmetric cryptosystems use a pair of keys for each user. In this case, with 1,000 users, the system will require 2,000 keys.

Ann is a security professional for a mid-sized business and typically handles log analysis and security monitoring tasks for her organization. One of her roles is to monitor alerts originating from the organization's intrusion detection system. The system typically generates several dozen alerts each day, and many of those alerts turn out to be false alarms after her investigation. This morning, the intrusion detection system alerted because the network began to receive an unusually high volume of inbound traffic. Ann received this alert and began looking into the origin of the traffic. 65. At this point in the incident response process, what term best describes what has occurred in Ann's organization? A. Security occurrence B. Security incident C. Security event D. Security intrusion

C. At this point in the process, Ann has no reason to believe that any actual security compromise or policy violation took place, so this situation does not meet the criteria for a security incident or intrusion. Rather, the alert generated by the intrusion detection system is simply a security event requiring further investigation. Security occurrence is not a term commonly used in incident handling.

77. Which one of the following tools helps system administrators by providing a standard, secure template of configuration settings for operating systems and applications? A. Security guidelines B. Security policy C. Baseline configuration D. Running configuration

C. Baseline configurations serve as the starting point for configuring secure systems and applications. They contain the security settings necessary to comply with an organization's security policy and may then be customized to meet the specific needs of an implementation. While security policies and guidelines may contain information needed to secure a system, they do not contain a set of configuration settings that may be applied to a system. The running configuration of a system is the set of currently applied settings, which may or may not be secure.

3. Ben has connected his laptop to his tablet PC using an 802.11g connection. What wireless network mode has he used to connect these devices? A. Infrastructure mode B. Wired extension mode C. Ad hoc mode D. Stand-alone mode

C. Ben is using ad hoc mode, which directly connects two clients. It can be easy to confuse this with stand-alone mode, which connects clients using a wireless access point, but not to wired resources like a central network. Infrastructure mode connects endpoints to a central network, not directly to each other. Finally, wired extension mode uses a wireless access point to link wireless clients to a wired network.

31. How many possible keys exist for a cipher that uses a key containing 5 bits? A. 10 B. 16 C. 32 D. 64

C. Binary keyspaces contain a number of keys equal to two raised to the power of the number of bits. Two to the fifth power is 32, so a 5-bit keyspace contains 32 possible keys.

79. During which phase of the incident response process would an analyst receive an intrusion detection system alert and verify its accuracy? A. Response B. Mitigation C. Detection D. Reporting

C. Both the receipt of alerts and the verification of their accuracy occur during the Detection phase of the incident response process.

42. What encryption algorithm is used by both BitLocker and Microsoft's Encrypting File System? A. Blowfish B. Serpent C. AES D. 3DES

C. By default, BitLocker and Microsoft's Encrypting File System (EFS) both use AES (Advanced Encryption Standard), which is the NIST-approved replacement for DES (Data Encryption Standard). Serpent was a competitor of AES, and 3DES was created as a possible replacement for DES.

28. Angela uses a sniffer to monitor traffic from a RADIUS server configured with default settings. What protocol should she monitor and what traffic will she be able to read? A. UDP, none. All RADIUS traffic is encrypted. B. TCP, all traffic but the passwords, which are encrypted C. UDP, all traffic but the passwords, which are encrypted D. TCP, none. All RADIUS traffic is encrypted.

C. By default, RADIUS uses UDP and only encrypts passwords. RADIUS supports TCP and TLS, but this is not a default setting.

1. Which of the following is best described as an access control model that focuses on subjects and identifies the objects that each subject can access? A. An access control list B. An implicit denial list C. A capability table D. A rights management matrix

C. Capability tables list the privileges assigned to subjects and identify the objects that subjects can access. Access control lists are object-focused rather than subject-focused. Implicit deny is a principle that states that anything that is not explicitly allowed is denied, and a rights management matrix is not an access control model.

84. What type of motion detector senses changes in the electromagnetic fields in monitored areas? A. Infrared B. Wave pattern C. Capacitance D. Photoelectric

C. Capacitance motion detectors monitor the electromagnetic field in a monitored area, sensing disturbances that correspond to motion.

36. Which one of the following security controls is least often required in Bring Your Own Device (BYOD) environments? A. Remote wiping B. Passcodes C. Application control D. Device encryption

C. Companies with BYOD environments often require nonintrusive security controls, such as remote wiping capability, device passcodes, and full device encryption. They do not normally use application control to restrict applications, because users object to the use of this technology on personally owned devices.

99. Which one of the following is an example of a covert timing channel when used to exfiltrate information from an organization? A. Sending an electronic mail message B. Posting a file on a peer-to-peer file sharing service C. Typing with the rhythm of Morse code D. Writing data to a shared memory space

C. Covert channels use surreptitious communication paths. Covert timing channels alter the use of a resource in a measurable fashion to exfiltrate information. If a user types using a specific rhythm of Morse code, this is an example of a covert timing channel. Someone watching or listening to the keystrokes could receive a secret message with no trace of the message left in logs.

The security life cycle diagram (loosely based on the NIST reference architecture) shows the five-step process NIST uses for risk management: 1. Categorize systems and data 2. Select security controls 3. Implement security controls 4. Assess security controls 5. Monitor security 88. What data security role is primarily responsible for step 5? A. Data owners B. Data processors C. Custodians D. Users

C. Custodians are tasked with the day-to-day monitoring of the integrity and security of data. Step 5 requires monitoring, which is a custodial task. A data owner may grant rights to custodians but will not be responsible for conducting monitoring. Data processors process data on behalf of the data controller, and a user simply uses the data via a computing system.

21. What scenario describes data at rest? A. Data in an IPsec tunnel B. Data in an e-commerce transaction C. Data stored on a hard drive D. Data stored in RAM

C. Data at rest is inactive data that is physically stored. Data in an IPsec tunnel or part of an e-commerce transaction is data in motion. Data in RAM is ephemeral and is not inactive.

35. Which of the following is the least effective method of removing data from media? A. Degaussing B. Purging C. Erasing D. Clearing

C. Erasing, which describes a typical deletion process in many operating systems, typically removes only the link to the file, and leaves the data that makes up the file itself. The data will remain in place but not indexed until the space is needed and it is overwritten. Degaussing works only on magnetic media, but it can be quite effective on it. Purging and clearing both describe more elaborate removal processes.

96. Carolyn is concerned that users on her network may be storing sensitive information, such as Social Security numbers, on their hard drives without proper authorization or security controls. What technology can she use to best detect this activity? A. IDS B. IDP C. DLP D. TLS

C. Data loss prevention (DLP) systems may identify sensitive information stored on endpoint systems or in transit over a network. This is their primary purpose. Intrusion detection and prevention systems (IDS/IDP) may be used to identify some sensitive information using signatures built for that purpose, but this is not the primary role of those tools and they would not be as effective as DLP systems at this task. TLS is a network encryption protocol that may be used to protect sensitive information, but it does not have any ability to identify sensitive information.

7. During a log review, Saria discovers a series of logs that show login failures as shown here: Jan 31 11:39:12 ip-10-0-0-2 sshd[29092]: Invalid user admin from remotehost passwd=orange Jan 31 11:39:20 ip-10-0-0-2 sshd[29098]: Invalid user admin from remotehost passwd=Orang3 Jan 31 11:39:23 ip-10-0-0-2 sshd[29100]: Invalid user admin from remotehost passwd=Orange93 Jan 31 11:39:31 ip-10-0-0-2 sshd[29106]: Invalid user admin from remotehost passwd=Orangutan1 Jan 31 20:40:53 ip-10-0-0-254 sshd[30520]: Invalid user admin from remotehost passwd=Orangemonkey What type of attack has Saria discovered? A. A brute force attack B. A man-in-the-middle attack C. A dictionary attack D. A rainbow table attack

C. Dictionary attacks use a dictionary or list of common passwords as well as variations of those words to attempt to log in as an authorized user. This attack shows a variety of passwords based on a similar base word, which is often a good indicator of a dictionary attack. A brute force attack will typically show simple iteration of passwords, while a man-in-the-middle attack would not be visible in the authentication log. A rainbow table attack is used when attackers already have password hashes in their possession and would also not show up in logs.

22. Which of the following is not a type of attack used against access controls? A. Dictionary attack B. Brute force attack C. Teardrop D. Man-in-the-middle attack

C. Dictionary, brute force, and man-in-the-middle attacks are all types of attacks that are frequently aimed at access controls. Teardrop attacks are a type of denial of service attack.

42. Chris uses the standard penetration testing methodology shown here (Planning, Information gathering & discovery, Vulnerability scanning, Exploitation, Reporting). Use this methodology and your knowledge of penetration testing to answer the following questions about tool usage during a penetration test. Which of the following tools is most likely to be used during discovery? A. Nessus B. john C. Nmap D. Nikto

C. Discovery can include both active and passive discovery. Port scanning is commonly done during discovery to assess what services the target provides, and nmap is one of the most popular tools used for this purpose. Nessus and Nikto might be used during the vulnerability scanning phase, and john, a password cracker, can be used to recover passwords during the exploitation phase.

100. Ben knows that his organization wants to be able to validate the identity of other organizations based on their domain name when receiving and sending email. What tool should Ben recommend? A. PEM B. S/MIME C. DKIM D. MOSS

C. Domain Keys Identified Mail, or DKIM, is designed to allow assertions of domain identity to validate email. S/MIME, PEM, and MOSS are all solutions that can provide authentication, integrity, nonrepudiation, and confidentiality, depending on how they are used.

57. Ben is troubleshooting a network and discovers that the NAT router he is connected to has the 192.168.x.x subnet as its internal network and that its external IP is 192.168.1.40. What problem is he encountering? A. 192.168.x.x is a non-routable network and will not be carried to the Internet. B. 192.168.1.40 is not a valid address because it is reserved by RFC 1918. C. Double NATing is not possible using the same IP range. D. The upstream system is unable to de-encapsulate his packets and he needs to use PAT instead.

C. Double NATing isn't possible with the same IP range; the same IP addresses cannot appear inside and outside of a NAT router. RFC 1918 addresses are reserved, but only so they are not used and routable on the Internet, and changing to PAT would not fix the issue.

85. What is the best method to sanitize a solid-state drive (SSD)? A. Clearing B. Zero fill C. Disintegration D. Degaussing

C. Due to problems with remnant data, the US National Security Agency requires physical destruction of SSDs. This process, known as disintegration, results in very small fragments via a shredding process. Zero fill wipes a drive by replacing data with zeros, degaussing uses magnets to wipe magnetic media, and clearing is the process of preparing media for reuse.

78. Susan needs to provide a set of minimum security requirements for email. What steps should she recommend for her organization to ensure that the email remains secure? A. All email should be encrypted. B. All email should be encrypted and labeled. C. Sensitive email should be encrypted and labeled. D. Only highly sensitive email should be encrypted.

C. Encrypting and labeling sensitive email will ensure that it remains confidential and can be identified. Performing these actions only on sensitive email will reduce the cost and effort of encrypting all email, allowing only sensitive email to be the focus of the organization's efforts. Only encrypting highly sensitive email not only skips labeling but might expose other classifications of email that shouldn't be exposed.

1. Angela is an information security architect at a bank and has been assigned to ensure that transactions are secure as they traverse the network. She recommends that all transactions use TLS. What threat is she most likely attempting to stop, and what method is she using to protect against it? A. Man-in-the-middle, VPN B. Packet injection, encryption C. Sniffing, encryption D. Sniffing, TEMPEST

C. Encryption is often used to protect traffic like bank transactions from sniffing. While packet injection and man-in-the-middle attacks are possible, they are far less likely to occur, and if a VPN were used, it would be used to provide encryption. TEMPEST is a specification for techniques used to prevent spying using electromagnetic emissions and wouldn't be used to stop attacks at any normal bank.

68. Why is declassification rarely chosen as an option for media reuse? A. Purging is sufficient for sensitive data. B. Sanitization is the preferred method of data removal. C. It is more expensive than new media and may still fail. D. Clearing is required first.

C. Ensuring that data cannot be recovered is difficult, and the time and effort required to securely and completely wipe media as part of declassification can exceed the cost of new media. Sanitization, purging, and clearing may be part of declassification, but they are not reasons that it is not frequently chosen as an option for organizations with data security concerns.

29. Which one of the following is not a requirement for evidence to be admissible in court? A. The evidence must be relevant. B. The evidence must be material. C. The evidence must be tangible. D. The evidence must be competent.

C. Evidence provided in court must be relevant to determining a fact in question, material to the case at hand, and competently obtained. Evidence does not need to be tangible. Witness testimony is an example of intangible evidence that may be offered in court.

50. What network technology is best described as a token-passing network that uses a pair of rings with traffic flowing in opposite directions? A. A ring topology B. Token Ring C. FDDI D. SONET

C. FDDI, or Fiber Distributed Data Interface, is a token-passing network that uses a pair of rings with traffic flowing in opposite directions. It can bypass broken segments by dropping the broken point and using the second, unbroken ring to continue to function. Token Ring also uses tokens, but it does not use a dual loop. SONET is a protocol for sending multiple optical streams over fiber, and a ring topology is a design, not a technology.

Ben's organization has begun to use STRIDE to assess their software, and has identified threat agents and the business impacts that these threats could have. Now they are working to identify appropriate controls for the issues they have identified. Use the STRIDE model to answer the following question. 81. Ben wants to prevent or detect tampering with data. Which of the following is not an appropriate solution? A. Hashes B. Digital signatures C. Filtering D. Authorization controls

C. Filtering is useful for preventing denial of service attacks but won't prevent tampering with data. Hashes and digital signatures can both be used to verify the integrity of data, and authorization controls can help ensure that only those with the proper rights can modify the data.

75. Lauren is an information security analyst tasked with deploying technical access controls for her organization. Which of the following is not a logical or technical access control? A. Passwords B. Firewalls C. RAID arrays D. Routers

C. Firewalls, routers, and passwords are all examples of technical access controls and are software or hardware systems used to manage and protect access. RAID-5 is an example of a recovery control. If you're questioning why routers are a technical access control, remember that router access control lists (ACLs) are quite often used to control network access or traffic flows.

46. Kyle is being granted access to a military computer system that uses System High mode. What is not true about Kyle's security clearance requirements? A. Kyle must have a clearance for the highest level of classification processed by the system, regardless of his access. B. Kyle must have access approval for all information processed by the system. C. Kyle must have a valid need to know for all information processed by the system. D. Kyle must have a valid security clearance.

C. For systems running in System High mode, the user must have a valid security clearance for all information processed by the system, access approval for all information processed by the system, and a valid need to know for some, but not necessarily all, information processed by the system.

5. Alex wants to use an automated tool to fill web application forms to test for format string vulnerabilities. What type of tool should he use? A. A black box B. A brute-force tool C. A fuzzer D. A static analysis tool

C. Fuzzers are tools that are designed to provide invalid or unexpected input to applications, testing for vulnerabilities like format string vulnerabilities, buffer-overflow issues, and other problems. Static analysis relies on examining code without running the application or code, and thus would not fill forms as part of a web application test. Brute-force tools attempt to bypass security by trying every possible combination for passwords or other values. A black box is a type of penetration test where the testers do not know anything about the environment.

15. Ben uses a fuzzing tool that develops data models and creates fuzzed data based on information about how the application uses data to test the application. What type of fuzzing is Ben doing? A. Mutation B. Parametric C. Generational D. Derivative

C. Generational fuzzing relies on models for application input and conducts fuzzing attacks based on that information. Mutation-based fuzzers are sometimes called "dumb" fuzzers because they simply mutate or modify existing data samples to create new test samples. Neither parametric nor derivative is a term used to describe types of fuzzers.

100. Which one of the following controls protects an organization in the event of a sustained period of power loss? A. Redundant servers B. Uninterruptible power supply (UPS) C. Generator D. RAID

C. Generators are capable of providing backup power for a sustained period of time in the event of a power loss, but they take time to activate. Uninterruptible power supplies (UPS) provide immediate, battery-driven power for a short period of time to cover momentary losses of power, which would not cover a sustained period of power loss. RAID and redundant servers are high availability controls but do not cover power loss scenarios.

83. Ben uses a software-based token, which changes its code every minute. What type of token is he using? A. Asynchronous B. Smart card C. Synchronous D. Static

C. Google Authenticator's constantly changing codes are part of a synchronous token that uses a time-based algorithm to generate codes. Asynchronous tokens typically require a challenge to be entered on the token to allow it to calculate a response, which the server compares to the response it expects. Smart cards typically present a certificate but may have other token capabilities built in. Static tokens are physical devices that can contain credentials and include smart cards and memory cards.

70. Gordon suspects that a hacker has penetrated a system belonging to his company. The system does not contain any regulated information and Gordon wishes to conduct an investigation on behalf of his company. He has permission from his supervisor to conduct the investigation. Which of the following statements is true? A. Gordon is legally required to contact law enforcement before beginning the investigation. B. Gordon may not conduct his own investigation. C. Gordon's investigation may include examining the contents of hard disks, network traffic, and any other systems or information belonging to the company. D. Gordon may ethically perform "hack back" activities after identifying the perpetrator.

C. Gordon may conduct his investigation as he wishes and use any information that is legally available to him, including information and systems belonging to his employer. There is no obligation to contact law enforcement. However, Gordon may not perform "hack back" activities because those may constitute violations of the law and/or (ISC)2 Code of Ethics.

Lauren's organization has used a popular instant messaging service for a number of years. Recently, concerns have been raised about the use of instant messaging. (Figure description: the Internet connects via A to a firewall, then a router, then a switch, which serves workstation (a), sending IM traffic via TCP 80, and workstation (c); workstation (b) receives IM traffic from the Internet via TCP 80.) 30. What security concern does sending internal communications from A to B cause? A. The firewall does not protect system B. B. System C can see the broadcast traffic from system A to B. C. It is traveling via an unencrypted protocol. D. IM does not provide nonrepudiation.

C. HTTP traffic is typically sent via TCP 80. Unencrypted HTTP traffic can be easily captured at any point between A and B, meaning that the instant messaging solution chosen does not provide confidentiality for the organization's corporate communications.

6. Gary is deploying a wireless network and wants to deploy the fastest possible wireless technology. Of the 802.11 standards listed below, which is the fastest 2.4 GHz option he has? A. 802.11a B. 802.11g C. 802.11n D. 802.11ac

C. He should choose 802.11n, which supports 200+ Mbps in the 2.4 GHz or the 5 GHz frequency range. 802.11a and 802.11ac are both 5 GHz only, while 802.11g is only capable of 54 Mbps.

71. ICMP, RIP, and network address translation all occur at what layer of the OSI model? A. Layer 1 B. Layer 2 C. Layer 3 D. Layer 4

C. ICMP, RIP, and network address translation all occur at layer 3, the Network layer.

77. IPX, AppleTalk, and NetBEUI are all examples of what? A. Routing protocols B. UDP protocols C. Non-IP protocols D. TCP protocols

C. IPX, AppleTalk, and NetBEUI are all examples of non-IP protocols. TCP and UDP are both IP protocols, while routing protocols are used to send information about how traffic should be routed through networks.

59. Jim is helping his organization decide on audit standards for use throughout their international organization. Which of the following is not an IT standard that Jim's organization is likely to use as part of its audits? A. COBIT B. SSAE-16 C. ITIL D. ISO27002

C. ITIL, which originally stood for IT Infrastructure Library, is a set of practices for IT service management, and is not typically used for auditing. COBIT, or the Control Objectives for Information and Related Technology, ISO 27002, and SSAE-16, or the Statement on Standards for Attestation Engagements number 16, are all used for auditing.

56. Lauren is responsible for building a banking website. She needs proof of the identity of the users who register for the site. How should she validate user identities? A. Require users to create unique questions that only they will know. B. Require new users to bring their driver's license or passport in person to the bank. C. Use information that both the bank and the user have such as questions pulled from their credit report. D. Call the user on their registered phone number to verify that they are who they claim to be.

C. Identity proofing can be done by comparing user information that the organization already has, like account numbers or personal information. Requiring users to create unique questions can help with future support by providing a way for them to do password resets. Using a phone call only verifies that the individual who created the account has the phone that they registered and won't prove their identity. In-person verification would not fit the business needs of most websites.

76. Charles has been asked to downgrade the media used for storage of private data for his organization. What process should Charles follow? A. Degauss the drives, and then relabel them with a lower classification level. B. Pulverize the drives, and then reclassify them based on the data they contain. C. Follow the organization's purging process, and then downgrade and replace labels. D. Relabel the media, and then follow the organization's purging process to ensure that the media matches the label.

C. If an organization allows media to be downgraded, the purging process should be followed, and then the media should be relabeled. Degaussing may be used for magnetic media but won't handle all types of media. Pulverizing would destroy the media, preventing reuse, while relabeling first could lead to mistakes that result in media that hasn't been purged entering use.

88. Renee is a software developer who writes code in Node.js for her organization. The company is considering moving from a self-hosted Node.js environment to one where Renee will run her code on application servers managed by a cloud vendor. What type of cloud solution is Renee's company considering? A. IaaS B. CaaS C. PaaS D. SaaS

C. In a Platform as a Service solution, the customer supplies application code that the vendor then executes on its own infrastructure.

63. Tom is a cryptanalyst and is working on breaking a cryptographic algorithm's secret key. He has a copy of an intercepted message that is encrypted and he also has a copy of the decrypted version of that message. He wants to use both the encrypted message and its decrypted plaintext to retrieve the secret key for use in decrypting other messages. What type of attack is Tom engaging in? A. Chosen ciphertext B. Chosen plaintext C. Known plaintext D. Brute force

C. In a known plaintext attack, the attacker has a copy of the encrypted message along with the plaintext message used to generate that ciphertext.

65. Which objects and subjects have a label in a MAC model? A. Objects and subjects that are classified as Confidential, Secret, or Top Secret have a label. B. All objects have a label, and all subjects have a compartment. C. All objects and subjects have a label. D. All subjects have a label and all objects have a compartment.

C. In a mandatory access control system, all subjects and objects have a label. Compartments may or may not be used, but there is not a specific requirement for either subjects or objects to be compartmentalized. The specific labels of Confidential, Secret, and Top Secret are not required by MAC.

79. Jim has Secret clearance and is accessing files that use a mandatory access control scheme to apply the Top Secret, Secret, Confidential, and Unclassified label scheme. If his rights include the ability to access all data of his clearance level or lower, what classification levels of data can he access? A. Top Secret and Secret B. Secret, Confidential, and Unclassified C. Secret data only D. Secret and Unclassified

C. In a mandatory access control system, classifications do not have to include rights to lower levels. This means that the only label we can be sure Jim has rights to is Secret. Despite the fact that it is unclassified, Unclassified data remains a different label, and Jim may not be authorized to access it.

84. Roger recently accepted a new position as a security professional at a company that runs its entire IT infrastructure within an IaaS environment. Which one of the following would most likely be the responsibility of Roger's firm? A. Configuring the network firewall B. Applying hypervisor updates C. Patching operating systems D. Wiping drives prior to disposal

C. In an Infrastructure as a Service environment, the vendor is responsible for hardware- and network-related responsibilities. These include configuring network firewalls, maintaining the hypervisor, and managing physical equipment. The customer retains responsibility for patching operating systems on its virtual machine instances.

67. Johnson Widgets strictly limits access to total sales volume information, classifying it as a competitive secret. However, shipping clerks have unrestricted access to order records to facilitate transaction completion. A shipping clerk recently pulled all of the individual sales records for a quarter and totaled them up to determine the total sales volume. What type of attack occurred? A. Social engineering B. Inference C. Aggregation D. Data diddling

C. In an aggregation attack, individual(s) use their access to specific pieces of information to piece together a larger picture that they are not authorized to access.

Alice and Bob would like to use an asymmetric cryptosystem to communicate with each other. They are located in different parts of the country but have exchanged encryption keys by using digital certificates signed by a mutually trusted certificate authority. 16. If Alice wishes to send Bob an encrypted message, what key does she use to encrypt the message? A. Alice's public key B. Alice's private key C. Bob's public key D. Bob's private key

C. In an asymmetric cryptosystem, the sender of a message always encrypts the message using the recipient's public key.

57. Veronica is considering the implementation of a database recovery mechanism recommended by a consultant. In the recommended approach, an automated process will move database backups from the primary facility to an offsite location each night. What type of database recovery technique is the consultant describing? A. Remote journaling B. Remote mirroring C. Electronic vaulting D. Transaction logging

C. In an electronic vaulting approach, automated technology moves database backups from the primary database server to a remote site on a scheduled basis, typically daily. Transaction logging is not a recovery technique alone; it is a process for generating the logs used in remote journaling. Remote journaling transfers transaction logs to a remote site on a more frequent basis than electronic vaulting, typically hourly. Remote mirroring maintains a live database server at the backup site and mirrors all transactions at the primary site on the server at the backup site.

32. Sam is responsible for backing up his company's primary file server. He configured a backup schedule that performs full backups every Monday evening at 9 p.m. and differential backups on other days of the week at that same time. Files change according to the information shown in the figure below. How many files will be copied in Wednesday's backup? A. 2 B. 3 C. 5 D. 6

C. In this scenario, all of the files on the server will be backed up on Monday evening during the full backup. The differential backup on Wednesday will then copy all files modified since the last full backup. These include files 1, 2, 3, 5, and 6: a total of five files.

77. During a review of access logs, Alex notices that Danielle logged into her workstation in New York at 8 a.m. daily, but that she was recorded as logging into her department's main web application shortly after 3 a.m. daily. What common logging issue has Alex likely encountered? A. Inconsistent log formatting B. Modified logs C. Inconsistent timestamps D. Multiple log sources

C. Inconsistent timestamps are a common problem, often caused by improperly set time zones or due to differences in how system clocks are set. In this case, a consistent time difference often indicates that one system uses local time, and the other is using Greenwich Mean Time (GMT). Logs from multiple sources tend to cause problems with centralization and collection, whereas different log formats can create challenges in parsing log data. Finally, modified logs are often a sign of intrusion or malicious intent.

Your organization regularly handles three types of data: information that it shares with customers, information that it uses internally to conduct business, and trade secret information that offers the organization significant competitive advantages. Information shared with customers is used and stored on web servers, while both the internal business data and the trade secret information are stored on internal file servers and employee workstations. 14. What civilian data classifications best fit this data? A. Unclassified, confidential, top secret B. Public, sensitive, private C. Public, sensitive, proprietary D. Public, confidential, private

C. Information shared with customers is public, internal business data could be sensitive or private, and trade secrets are proprietary. Thus public, sensitive, proprietary matches this most closely. Confidential is a military classification, which removes two of the remaining options, and trade secrets are more damaging to lose than a private classification would allow.

14. As seen in the following image (*), a user on a Windows system is not able to use the "Send Message" functionality. What access control model best describes this type of limitation? A. Least privilege B. Need to know C. Constrained interface D. Separation of duties

C. Interface restrictions based on user privileges are an example of a constrained interface. Least privilege describes the idea of providing users with only the rights they need to accomplish their job, while need to know limits access based on whether a subject needs to know the information to accomplish an assigned task. Separation of duties focuses on preventing fraud or mistakes by splitting tasks between multiple subjects.

13. What type of testing is used to ensure that separately developed software modules properly exchange data? A. Fuzzing B. Dynamic testing C. Interface testing D. API checksums

C. Interface testing is used to ensure that software modules properly meet interface specifications and thus will properly exchange data. Dynamic testing tests software in a running environment, whereas fuzzing is a type of dynamic testing that feeds invalid input to running software to test error and input handling. API checksums are not a testing technique.

33. Which one of the following security tools is not capable of generating an active response to a security event? A. IPS B. Firewall C. IDS D. Antivirus software

C. Intrusion detection systems (IDSs) provide only passive responses, such as alerting administrators to a suspected attack. Intrusion prevention systems and firewalls, on the other hand, may take action to block an attack attempt. Antivirus software also may engage in active response by quarantining suspect files.

8. Jim has been contracted to perform a penetration test of a bank's primary branch. In order to make the test as real as possible, he has not been given any information about the bank other than its name and address. What type of penetration test has Jim agreed to perform? A. A crystal box penetration test B. A gray box penetration test C. A black box penetration test D. A white box penetration test

C. Jim has agreed to a black box penetration test, which provides no information about the organization, its systems, or its defenses. A crystal or white box penetration test provides all of the information an attacker needs, whereas a gray box penetration test provides some, but not all, information.

75. Jim has contracted with a software testing organization that uses automated testing tools to validate software. He is concerned that they may not completely test all statements in his software. What measurement should he ask for in their report to provide information about this? A. A use case count B. A test coverage report C. A code coverage report D. A code review report

C. Jim should ask for a code coverage report, which provides information on the functions, statements, branches, and conditions or other elements that were covered in the testing. Use cases are used as part of a test coverage calculation that divides the tested use cases by the total use cases, but use cases may not cover all possible functions or branches. A code review report would be generated if the organization was manually reviewing the application's source code.

20. Which one of the following mechanisms is not commonly seen as a deterrent to fraud? A. Job rotation B. Mandatory vacations C. Incident response D. Two-person control

C. Job rotation and mandatory vacations deter fraud by increasing the likelihood that it will be detected. Two-person control deters fraud by requiring collusion between two employees. Incident response does not normally serve as a deterrent mechanism.

61. Kathleen works for a data center hosting facility that provides physical data center space for individuals and organizations. Until recently, each client was given a magnetic-strip-based keycard to access the section of the facility where their servers are located, and they were also given a key to access the cage or rack where their servers reside. In the past month, a number of servers have been stolen, but the logs for the passcards show only valid IDs. What is Kathleen's best option to make sure that the users of the passcards are who they are supposed to be? A. Add a reader that requires a PIN for passcard users. B. Add a camera system to the facility to observe who is accessing servers. C. Add a biometric factor. D. Replace the magnetic stripe keycards with smart cards.

C. Kathleen should implement a biometric factor. The cards and keys are an example of a Type 2 factor, or "something you have." Using a smart card replaces this with another Type 2 factor, but the cards could still be loaned out or stolen. Adding a PIN suffers from the same problem: A PIN can be stolen. Adding cameras doesn't prevent access to the facility and thus doesn't solve the immediate problem (but it is a good idea!).

3. Which of the following is not a weakness in Kerberos? A. The KDC is a single point of failure. B. Compromise of the KDC would allow attackers to impersonate any user. C. Authentication information is not encrypted. D. It is susceptible to password guessing.

C. Kerberos encrypts messages using secret keys, providing protection for authentication traffic. The KDC is both a single point of failure and can cause problems if compromised because keys are stored on the KDC that would allow attackers to impersonate any user. Like many authentication methods, Kerberos can be susceptible to password guessing.

39. Susan needs to predict high-risk areas for her organization and wants to use metrics to assess risk trends as they occur. What should she do to handle this? A. Perform yearly risk assessments. B. Hire a penetration testing company to regularly test organizational security. C. Identify and track key risk indicators. D. Monitor logs and events using a SIEM device.

C. Key risk indicators are used to tell those in charge of risk management how risky an activity is and how much impact changes are having on that risk profile. Identifying key risk indicators and monitoring them can help to identify high-risk areas earlier in their life cycle. Yearly risk assessments may be a good idea, but only provide a point in time view, whereas penetration tests may miss out on risks that are not directly security related. Monitoring logs and events using a SIEM device can help detect issues as they occur but won't necessarily show trends in risk.

35. Which of the following is not a valid LDAP DN (distinguished name)? A. cn=ben+ou=sales B. ou=example C. cn=ben,ou=example; D. ou=example,dc=example,dc=com+dc=org

C. LDAP distinguished names are made up of zero or more comma-separated components known as relative distinguished names. cn=ben,ou=example; ends with a semicolon and is not a valid DN. It is possible to have additional values in the same RDN by using a plus sign between them.

47. Which of the following options includes standards or protocols that exist in layer 6 of the OSI model? A. NFS, SQL, and RPC B. TCP, UDP, and TLS C. JPEG, ASCII, and MIDI D. HTTP, FTP, SMTP

C. Layer 6, the Presentation layer, transforms data from the Application layer into formats that other systems can understand by formatting and standardizing the data. That means that standards like JPEG, ASCII, and MIDI are used at the Presentation layer for data. TCP, UDP, and TLS are used at the Transport layer; NFS, SQL, and RPC operate at the Session layer; and HTTP, FTP, and SMTP are Application layer protocols.

21. Mandatory access control is based on what type of model? A. Discretionary B. Group based C. Lattice based D. Rule based

C. Mandatory access control systems are based on a lattice-based model. Lattice-based models use a matrix of classification labels to compartmentalize data. Discretionary access models allow object owners to determine access to the objects they control, role-based access controls are often group based, and rule-based access controls like firewall ACLs apply rules to all subjects they apply to.

34. What type of access control scheme is shown in the following table?
Highly Sensitive - Red - Blue - Green
Confidential - Purple - Orange - Yellow
Internal Use - Black - Gray - White
Public - Clear - Clear - Clear
A. RBAC B. DAC C. MAC D. TBAC

C. Mandatory access controls use a lattice to describe how classification labels relate to each other. In this image, classification levels are set for each of the labels shown. A discretionary access control (DAC) system would show how the owner of the objects allows access. RBAC could be either rule- or role-based access control and would either use system-wide rules or roles. Task-based access control (TBAC) would list tasks for users.

8. Michael is responsible for forensic investigations and is investigating a medium severity security incident that involved the defacement of a corporate website. The web server in question ran on a virtualization platform, and the marketing team would like to get the website up and running as quickly as possible. What would be the most reasonable next step for Michael to take? A. Keep the website offline until the investigation is complete. B. Take the virtualization platform offline as evidence. C. Take a snapshot of the compromised system and use that for the investigation. D. Ignore the incident and focus on quickly restoring the website.

C. Michael should conduct his investigation, but there is a pressing business need to bring the website back online. The most reasonable course of action would be to take a snapshot of the compromised system and use the snapshot for the investigation, restoring the website to operation as quickly as possible while using the results of the investigation to improve the security of the site.

90. What type of diagram used in application threat modeling includes malicious users as well as descriptions like mitigates and threatens? A. Threat trees B. STRIDE charts C. Misuse case diagrams D. DREAD diagrams

C. Misuse case diagrams use language beyond typical use case diagrams, including threatens and mitigates. Threat trees are used to map threats but don't use specialized languages like threatens and mitigates. STRIDE is a mnemonic and model used in threat modeling, and DREAD is a risk assessment model.

72. Fran is considering new human resources policies for her bank that will deter fraud. She plans to implement a mandatory vacation policy. What is typically considered the shortest effective length of a mandatory vacation? A. Two days B. Four days C. One week D. One month

C. Most security professionals recommend at least one, and preferably two, weeks of vacation to deter fraud. The idea is that fraudulent schemes will be uncovered during the time that the employee is away and does not have the access required to perpetuate a cover-up.

57. Alice sent a message to Bob. Bob would like to demonstrate to Charlie that the message he received definitely came from Alice. What goal of cryptography is Bob attempting to achieve? A. Authentication B. Confidentiality C. Nonrepudiation D. Integrity

C. Nonrepudiation occurs when the recipient of a message is able to demonstrate to a third party that the message came from the purported sender.

90. Angela needs to choose between EAP, PEAP, and LEAP for secure authentication. Which authentication protocol should she choose and why? A. EAP, because it provides strong encryption by default B. LEAP, because it provides frequent re-authentication and changing of WEP keys C. PEAP, because it provides encryption and doesn't suffer from the same vulnerabilities that LEAP does D. None of these options can provide secure authentication, and an alternate solution should be chosen.

C. Of the three answers, PEAP is the best solution. It encapsulates EAP in a TLS tunnel, providing strong encryption. LEAP is a Cisco proprietary protocol that was originally designed to help deal with problems in WEP. LEAP's protections have been defeated, making it a poor choice.

52. Alex works for a government agency that is required to meet US federal government requirements for data security. To meet these requirements, Alex has been tasked with making sure data is identifiable by its classification level. What should Alex do to the data? A. Classify the data. B. Encrypt the data. C. Label the data. D. Apply DRM to the data.

C. One of the most important parts of labeling the data is ensuring that it receives a mark or label that provides the classification of the data. Digital rights management (DRM) tools provide ways to control how data is used, while encrypting it can help maintain the confidentiality and integrity of the data. Classifying the data is necessary to label it, but it doesn't automatically place a label on the data.

Ben is an information security professional at an organization that is replacing its physical servers with virtual machines. As the organization builds its virtual environment, it is decreasing the number of physical servers it uses while purchasing more powerful servers to act as the virtualization platforms. 72. The IDS Ben is responsible for is used to monitor communications in the data center using a mirrored port on the data center switch. What traffic will Ben see once the majority of servers in the data center have been virtualized? A. The same traffic he currently sees B. All inter-VM traffic C. Only traffic sent outside of the VM environment D. All inter-hypervisor traffic

C. One of the visibility risks of virtualization is that communication between servers and systems using virtual interfaces can occur "inside" of the virtual environment. This means that visibility into traffic in the virtualization environment has to be purpose built as part of its design. Option D is correct but incomplete because inter-hypervisor traffic isn't the only traffic the IDS will see.

78. What authentication technology can be paired with OAuth to perform identity verification and obtain user profile information using a RESTful API? A. SAML B. Shibboleth C. OpenID Connect D. Higgins

C. OpenID Connect is a RESTful, JSON-based authentication protocol that, when paired with OAuth, can provide identity verification and basic profile information. SAML is the Security Assertion Markup Language, Shibboleth is a federated identity solution designed to allow web-based SSO, and Higgins is an open-source project designed to provide users with control over the release of their identity information.

22. If you are selecting a security standard for a Windows 10 system that processes credit cards, what security standard is your best choice? A. Microsoft's Windows 10 security baseline B. The CIS Windows 10 baseline C. PCI DSS D. The NSA Windows 10 baseline

C. PCI DSS, the Payment Card Industry Data Security Standard, provides the set of requirements for credit card processing systems. The Microsoft, NSA, and CIS baselines are all useful for building a Windows 10 security standard, but they aren't as good an answer as the PCI DSS standard itself.

99. Ed has been asked to send data that his organization classifies as confidential and proprietary via email. What encryption technology would be appropriate to ensure that the contents of the files attached to the email remain confidential as they traverse the Internet? A. SSL B. TLS C. PGP D. VPN

C. PGP, or Pretty Good Privacy (or its open-source alternative, GPG), provides strong encryption of files, which can then be sent via email. Email traverses multiple servers and will be unencrypted at rest at multiple points along its path as it is stored and forwarded to its destination.

49. There are four common VPN protocols. Which group of four below contains all of the common VPN protocols? A. PPTP, LTP, L2TP, IPsec B. PPP, L2TP, IPsec, VNC C. PPTP, L2F, L2TP, IPsec D. PPTP, L2TP, IPsec, SPAP

C. PPTP, L2F, L2TP, and IPsec are the most common VPN protocols. TLS is also used for an increasingly large percentage of VPN connections and may appear at some point in the CISSP exam. PPP is a dial-up protocol, LTP is not a protocol, and SPAP is the Shiva Password Authentication Protocol sometimes used with PPTP.

44. Jim's remote site has only ISDN as an option for connectivity. What type of ISDN should he look for to get the maximum speed possible? A. BRI B. BPRI C. PRI D. D channel

C. PRI, or Primary Rate Interface, can use between 2 and 23 64 Kbps channels, with a maximum potential bandwidth of 1.544 Mbps. Actual speeds will be lower due to the D channel, which can't be used for actual data transmission, but PRI beats BRI's two B channels paired with a D channel for 144 Kbps of bandwidth.

89. Which of the following Type 3 authenticators is appropriate to use by itself rather than in combination with other biometric factors? A. Voice pattern recognition B. Hand geometry C. Palm scans D. Heart/pulse patterns

C. Palm scans compare the vein patterns in the palm to a database to authenticate a user. Vein patterns are unique, and this method is a better single-factor authentication method than voice pattern recognition, hand geometry, and pulse patterns, each of which can be more difficult to uniquely identify between individuals or can be fooled more easily.

43. Betty is concerned about the use of buffer overflow attacks against a custom application developed for use in her organization. What security control would provide the strongest defense against these attacks? A. Firewall B. Intrusion detection system C. Parameter checking D. Vulnerability scanning

C. Parameter checking, or input validation, is used to ensure that input provided by users to an application matches the expected parameters for the application. Developers may use parameter checking to ensure that input does not exceed the expected length, preventing a buffer overflow attack.

40. What major difference separates synthetic and passive monitoring? A. Synthetic monitoring only works after problems have occurred. B. Passive monitoring cannot detect functionality issues. C. Passive monitoring only works after problems have occurred. D. Synthetic monitoring cannot detect functionality issues.

C. Passive monitoring only works after issues have occurred because it requires actual traffic. Synthetic monitoring uses simulated or recorded traffic, and thus can be used to proactively identify problems. Both synthetic and passive monitoring can be used to detect functionality issues.

28. Which of the following vulnerabilities is unlikely to be found by a web vulnerability scanner? A. Path disclosure B. Local file inclusion C. Race condition D. Buffer overflow

C. Path disclosures, local file inclusions, and buffer overflows are all vulnerabilities that may be found by a web vulnerability scanner, but race conditions that take advantage of timing issues tend to be found either by code analysis or using automated tools that specifically test for race conditions as part of software testing.

53. Which of the following is not a hazard associated with penetration testing? A. Application crashes B. Denial of service C. Exploitation of vulnerabilities D. Data corruption

C. Penetration tests are intended to help identify vulnerabilities, and exploiting them is part of the process rather than a hazard. Application crashes; denial of service due to system, network, or application failures; and even data corruption can all be hazards of penetration tests.

The healthcare company that Lauren works for handles HIPAA data as well as internal business data, protected health information, and day-to-day business communications. Its internal policy uses the following requirements for securing HIPAA data at rest and in transit.
Classification: Handling Requirements
Confidential (HIPAA): Encrypt at rest and in transit. Full disk encryption required for all workstations. Files can only be sent in encrypted form, and passwords must be transferred under separate cover. Printed documents must be labeled with "HIPAA handling required."
Private (PHI): Encrypt at rest and in transit. PHI must be stored on secure servers, and copies should not be kept on local workstations. Printed documents must be labeled with "Private."
Sensitive (business confidential): Encryption is recommended but not required.
Public: Information can be sent unencrypted.
38. Lauren's employer asks Lauren to classify patient X-ray data that has an internal patient identifier associated with it but does not have any way to directly identify a patient. The company's data owner believes that exposure of the data could cause damage (but not exceptional damage) to the organization. How should Lauren classify the data? A. Public B. Sensitive C. Private D. Confidential

C. Private data is typically considered data that could cause damage. Loss of confidential data is normally classified as able to cause exceptionally grave damage, while exposure of private data could cause serious damage. As you'd expect, public data exposure won't cause damage.

31. Alex has been employed by his company for over a decade and has held a number of positions in the company. During an audit, it is discovered that he has access to shared folders and applications due to his former roles. What issue has Alex's company encountered? A. Excessive provisioning B. Unauthorized access C. Privilege creep D. Account review

C. Privilege creep occurs when users retain rights from roles they held previously that they do not need to accomplish their current job. Unauthorized access occurs when an unauthorized user accesses files. Excessive provisioning is not a term used to describe permissions issues, and account review would help find issues like this.

29. Under the Common Criteria, what element describes the security requirements for a product? A. TCSEC B. ITSEC C. PP D. ST

C. Protection Profiles (PPs) specify the security requirements and protections that must be in place for a product to be accepted under the Common Criteria.

95. Quantum Computing regularly ships tapes of backup data across the country to a secondary facility. These tapes contain confidential information. What is the most important security control that Quantum can use to protect these tapes? A. Locked shipping containers B. Private couriers C. Data encryption D. Media rotation

C. Quantum may choose to use any or all of these security controls, but data encryption is, by far, the most important control. It protects the confidentiality of data stored on the tapes, which are most vulnerable to theft while in transit between two secure locations.

26. Which of the following is a client/server protocol designed to allow network access servers to authenticate remote users by sending access request messages to a central server? A. Kerberos B. EAP C. RADIUS D. OAuth

C. RADIUS is an AAA protocol used to provide authentication and authorization; it's often used for modems, wireless networks, and network devices. It uses network access servers to send access requests to central RADIUS servers. Kerberos is a ticket-based authentication protocol; OAuth is an open standard for authentication allowing the use of credentials from one site on third-party sites; and EAP is the Extensible Authentication Protocol, an authentication framework often used for wireless networks.

72. Brian's large organization has used RADIUS for AAA services for its network devices for years and has recently become aware of security issues with the unencrypted information transferred during authentication. How should Brian implement encryption for RADIUS? A. Use the built-in encryption in RADIUS. B. Implement RADIUS over its native UDP using TLS for protection. C. Implement RADIUS over TCP using TLS for protection. D. Use an AES256 pre-shared cipher between devices.

C. RADIUS supports TLS over TCP. RADIUS does not have a supported TLS mode over UDP. AES pre-shared symmetric ciphers are not a supported solution and would be very difficult to both implement and maintain in a large environment, and the built-in encryption in RADIUS only protects passwords.

46. Which one of the following technologies would provide the most automation of an inventory control process in a cost-effective manner? A. IPS B. Wi-Fi C. RFID D. Ethernet

C. Radio Frequency IDentification (RFID) technology is a cost-effective way to track items around a facility. While Wi-Fi could be used for the same purpose, it would be much more expensive to implement.

49. During a penetration test, Chris recovers a file containing hashed passwords for the system he is attempting to access. What type of attack is most likely to succeed against the hashed passwords? A. A brute force attack B. A pass-the-hash attack C. A rainbow table attack D. A salt recovery attack

C. Rainbow tables are databases of prehashed passwords paired with high-speed lookup functions. Since they can quickly compare known hashes against those in a file, using rainbow tables is the fastest way to quickly determine passwords from hashes. A brute force attack may eventually succeed but will be very slow against most hashes. Pass-the-hash attacks rely on sniffed or otherwise acquired NTLM or LanMan hashes being sent to a system to avoid the need to know a user's password. Salts are data added to a hash to avoid the use of tools like rainbow tables. A salt added to a password means the hash won't match a rainbow table generated without the same salt.

76. When a Windows system is rebooted, what type of log is generated? A. Error B. Warning C. Information D. Failure audit

C. Rebooting a Windows machine results in an information log entry. Windows defines five types of events: errors, which indicate a significant problem; warnings, which may indicate future problems; information, which describes successful operation; success audits, which record successful security accesses; and failure audits, which record failed security access attempts.

45. What type of policy describes how long data is retained and maintained before destruction? A. Classification B. Audit C. Record retention D. Availability

C. Record retention policies describe how long an organization should retain data and may also specify how and when destruction should occur. Classification policies describe how and why classification should occur and who is responsible, while availability and audit policies may be created for specific purposes.

4. Which one of the following individuals is most likely to lead a regulatory investigation? A. CISO B. CIO C. Government agent D. Private detective

C. Regulatory investigations attempt to uncover whether an individual or organization has violated administrative law. These investigations are almost always conducted by government agents.

65. Susan works in an organization that labels all removable media with the classification level of the data it contains, including public data. Why would Susan's employer label all media instead of labeling only the media that contains data that could cause harm if it was exposed? A. It is cheaper to order all prelabeled media. B. It prevents sensitive media from not being marked by mistake. C. It prevents reuse of public media for sensitive data. D. Labeling all media is required by HIPAA.

C. Requiring all media to have a label means that when unlabeled media is found, it should immediately be considered suspicious. This helps to prevent mistakes that might leave sensitive data unlabeled. Pre-labeled media is not necessarily cheaper (nor may it make sense to buy!), while reusing public media simply means that it must be classified based on the data it now contains. HIPAA does not have specific media labeling requirements.

56. Lauren is performing a review of a third-party service organization and wants to determine if the organization's policies and procedures are effectively enforced over a period of time. What type of industry standard assessment report should she request? A. SSAE 16 SOC 1 Type I B. SAS 70 Type I C. SSAE 16 SOC 1 Type II D. SAS 70 Type II

C. SOC 1 reports are prepared according to the Statement on Standards for Attestation Engagements, or SSAE number 16 (typically shortened to SSAE-16). An SOC 1 Type I report validates policies and procedures at a point in time, whereas SOC 1 Type II reports cover a period of time of at least six months. SOC 1 reports replaced SAS 70 reports in 2011, meaning that a current report should be an SSAE-16 SOC 1 report.

12. Which type of SOC report is best suited to provide assurance to users about an organization's security, availability, and the integrity of their service operations? A. An SOC 1 Type 2 report B. An SOC 2 report C. An SOC 3 report D. An SOC 1 Type 1 report

C. SOC 3 reports are intended to be shared with a broad community, often with a website seal, and support the organization's claims about their ability to provide integrity, availability, and confidentiality. SOC 1 reports report on controls over financial reporting, whereas SOC 2 reports cover security, availability, integrity, and privacy for business partners, regulators, and other similar organizations in detail that would not typically be provided to a broad audience.

45. SPIT attacks target what technology? A. Virtualization platforms B. Web services C. VoIP systems D. Secure Process Internal Transfers

C. SPIT stands for Spam over Internet Telephony and targets VoIP systems.

82. Bruce is seeing quite a bit of suspicious activity on his network. It appears that an outside entity is attempting to connect to all of his systems using a TCP connection on port 22. What type of scanning is the outsider likely engaging in? A. FTP scanning B. Telnet scanning C. SSH scanning D. HTTP scanning

C. SSH uses TCP port 22, so this attack is likely an attempt to scan for open or weakly secured SSH servers. FTP uses ports 20 and 21. Telnet uses port 23, and HTTP uses port 80.

11. Which of the following options is not a common best practice for securing a wireless network? A. Turn on WPA2. B. Enable MAC filtering if used for a relatively small group of clients. C. Enable SSID broadcast. D. Separate the access point from the wired network using a firewall, thus treating it as external access.

C. SSID broadcast is typically disabled for secure networks. While this won't stop a determined attacker, it will stop casual attempts to connect. Separating the network from other wired networks, turning on the highest level of encryption supported (like WPA2), and using MAC filtering for small groups of clients that can reasonably be managed by hand are all common best practices for wireless networks.

19. Chris is responsible for workstations throughout his company and knows that some of the company's workstations are used to handle proprietary information. Which option best describes what should happen at the end of their lifecycle for workstations he is responsible for? A. Erasing B. Clearing C. Sanitization D. Destruction

C. Sanitization is a combination of processes that ensure that data from a system cannot be recovered by any means. Erasing and clearing are both prone to mistakes and technical problems that can result in remnant data and don't make sense for systems that handled proprietary information. Destruction is the most complete method of ensuring that data cannot be exposed, and some organizations opt to destroy the entire workstation, but that is not a typical solution due to the cost involved.

51. During a penetration test, Saria calls her target's help desk claiming to be the senior assistant to an officer of the company. She requests that the help desk reset the officer's password because of an issue with his laptop while traveling and persuades them to do so. What type of attack has she successfully completed? A. Zero knowledge B. Help desk spoofing C. Social engineering D. Black box

C. Saria's social-engineering attack succeeded in persuading a staff member at the help desk to change a password for someone who they not only couldn't see, but who they couldn't verify actually needed their password reset. Black box and zero knowledge are both terms describing penetration tests without information about the organization or system, and help desk spoofing is not an industry term.

84. What term describes an evaluation of the effectiveness of security controls performed by a third party? A. A security assessment B. A penetration test C. A security audit D. A security test

C. Security audits are security assessments performed by third parties and are intended to evaluate the effectiveness of security controls. Security assessments are conducted by internal staff, and security tests are used to verify that a control is functioning effectively. Penetration tests can be conducted by internal or external staff and test systems by using actual exploitation techniques.

9. Ben has been tasked with identifying security controls for systems covered by his organization's information classification system. Why might Ben choose to use a security baseline? A. It applies in all circumstances, allowing consistent security controls. B. They are approved by industry standards bodies, preventing liability. C. They provide a good starting point that can be tailored to organizational needs. D. They ensure that systems are always in a secure state.

C. Security baselines provide a starting point to scope and tailor security controls to your organization's needs. They aren't always appropriate to specific organizational needs, they cannot ensure that systems are always in a secure state, nor do they prevent liability.

45. Which one of the following is an example of a computer security incident? A. Completion of a backup schedule B. System access recorded in a log C. Unauthorized vulnerability scan of a file server D. Update of antivirus signatures

C. Security incidents negatively affect the confidentiality, integrity, or availability of information or assets and/or violate a security policy. The unauthorized vulnerability scan of a server does violate security policy and may negatively affect the security of that system, so it qualifies as a security incident. The completion of a backup schedule, logging of system access, and update of antivirus signatures are all routine actions that do not violate policy or jeopardize security, so they are all events rather than incidents.

71. During a review of support incidents, Ben's organization discovered that password changes accounted for more than a quarter of its help desk's cases. Which of the following options would be most likely to decrease that number significantly? A. Two-factor authentication B. Biometric authentication C. Self-service password reset D. Passphrases

C. Self-service password reset tools typically have a significant impact on the number of password reset contacts that a help desk has. Two-factor and biometric authentication both add additional complexity and may actually increase the number of contacts. Passphrases can be easier to remember than traditional complex passwords and may decrease calls, but they don't have the same impact that a self-service system does.

100. Which one of the following would be a reasonable application for the use of self-signed digital certificates? A. E-commerce website B. Banking application C. Internal scheduling application D. Customer portal

C. Self-signed digital certificates should only be used for internal-facing applications, where the user base trusts the internally generated digital certificate.

10. In a response to a Request for Proposal, Susan receives a SAS-70 Type 1 report. If she wants a report that includes operating effectiveness detail, what should Susan ask for as follow up and why? A. An SAS-70 Type II, because Type I only covers a single point in time B. An SOC Type 1, because Type II does not cover operating effectiveness C. An SOC Type 2, because Type I does not cover operating effectiveness D. An SAC-70 type 3, because Types 1 and 2 are outdated and no longer accepted

C. Service Organization Control (SOC) reports replaced SAS-70 reports in 2010. A Type 1 report only covers a point in time, so Susan needs an SOC Type 2 report to have the information she requires to make a design and operating effectiveness decision based on the report.

48. Lauren needs to send information about services she is provisioning to a third-party organization. What standards-based markup language should she choose to build the interface? A. SAML B. SOAP C. SPML D. XACML

C. Service Provisioning Markup Language, or SPML, is an XML-based language designed to allow platforms to generate and respond to provisioning requests. SAML is used to exchange authorization and authentication data, while XACML is used to describe access controls. SOAP, or Simple Object Access Protocol, is a messaging protocol and could be used for any XML messaging, but is not a markup language itself.

50. Which of the following strategies should not be used to handle a vulnerability identified by a vulnerability scanner? A. Install a patch. B. Use a workaround fix. C. Update the banner or version number. D. Use an application layer firewall or IPS to prevent attacks against the identified vulnerability.

C. Simply updating the version that an application provides may stop the vulnerability scanner from flagging it, but it won't fix the underlying issue. Patching, using workarounds, or installing an application layer firewall or IPS can all help to remediate or limit the impact of the vulnerability.

66. Lauren's networking team has been asked to identify a technology that will allow them to dynamically change the organization's network by treating the network like code. What type of architecture should she recommend? A. A network that follows the 5-4-3 rule B. A converged network C. A software-defined network D. A hypervisor-based network

C. Software-defined networking provides a network architecture that can be defined and configured as code or software. This will allow Lauren's team to quickly change the network based on organizational requirements. The 5-4-3 rule is an old design rule for networks that relied on repeaters or hubs. A converged network carries multiple types of traffic like voice, video, and data. A hypervisor-based network may be software defined, but it could also use traditional network devices running as virtual machines.

88. What technique relies on reviewing code without running it? A. Fuzzing B. Black box analysis C. Static analysis D. Gray box analysis

C. Static analysis is the process of reviewing code without running it. It relies on techniques like data flow analysis to review what the code does if it was run with a given set of inputs. Black and gray box analyses are not types of code review, although black box and gray box both describe types of penetration testing. Fuzzing provides unexpected or invalid data inputs to test how software responds.

62. Which of the following types of code review is not typically performed by a human? A. Software inspections B. Code review C. Static program analysis D. Software walkthroughs

C. Static program reviews are typically performed by an automated tool. Program understanding, program comprehension, code review, software inspections and software walkthroughs are all human-centric methods for reviewing code.

80. What data role does a system that is used to process data have? A. Mission owner B. Data owner C. Data processor D. Custodian

C. Systems used to process data are data processors. Data owners are typically CEOs or other very senior staff, custodians are granted rights to perform day-to-day tasks when handling data, and mission owners are typically program or information system owners.

55. What type of port scanning is known as "half open" scanning? A. TCP Connect B. TCP ACK C. TCP SYN D. Xmas

C. TCP SYN scans only open a connection halfway; they do not complete the TCP connection with an ACK, thus leaving the connection open. TCP Connect scans complete the connection, whereas TCP ACK scans attempt to appear like an open connection. Xmas, or Christmas tree, scans set the FIN, PSH, and URG flags, thereby "lighting up" the TCP packet.

The healthcare company that Lauren works for handles HIPAA data as well as internal business data, protected health information, and day-to-day business communications. Its internal policy uses the following requirements for securing HIPAA data at rest and in transit.
Classification: Handling Requirements
Confidential (HIPAA): Encrypt at rest and in transit. Full disk encryption required for all workstations. Files can only be sent in encrypted form, and passwords must be transferred under separate cover. Printed documents must be labeled with "HIPAA handling required."
Private (PHI): Encrypt at rest and in transit. PHI must be stored on secure servers, and copies should not be kept on local workstations. Printed documents must be labeled with "Private."
Sensitive (business confidential): Encryption is recommended but not required.
Public: Information can be sent unencrypted.
37. What type of encryption would be appropriate for HIPAA documents in transit? A. AES256 B. DES C. TLS D. SSL

C. TLS is a modern encryption method used to encrypt and protect data in transit. AES256 is a symmetric cipher often used to protect data at rest. DES and SSL are both outdated encryption methods and should not be used for data that requires high levels of security.

Alex is in charge of SAML integration with a major third-party partner that provides a variety of business productivity services for his organization. Use the following diagram (**) and your knowledge of SAML integrations and security architecture design to answer the question. 43. Alex is concerned about eavesdropping on the SAML traffic and also wants to ensure that forged assertions will not be successful. What should he do to prevent these potential attacks? A. Use SAML's secure mode to provide secure authentication. B. Implement TLS using a strong cipher suite, which will protect against both types of attacks. C. Implement TLS using a strong cipher suite and use digital signatures. D. Implement TLS using a strong cipher suite and message hashing.

C. TLS provides message confidentiality and integrity, which can prevent eavesdropping. When paired with digital signatures, which provide integrity and authentication, forged assertions can also be defeated. SAML does not have a security mode and relies on TLS and digital signatures to ensure security if needed. Message hashing without a signature would help prevent modification of the message but won't necessarily provide authentication.

26. Testing that is focused on functions that a system should not allow is an example of what type of testing? A. Use case testing B. Manual testing C. Misuse case testing D. Dynamic testing

C. Testing how a system could be misused, or misuse testing, focuses on behaviors that are not what the organization desires or that are counter to the proper function of a system or application. Use case testing is used to verify whether a desired functionality works. Dynamic testing is used to determine how code handles variables that change over time, whereas manual testing is just what it implies: testing code by hand.

41. Which of the following is not true about the (ISC)2 code of ethics? A. Adherence to the code is a condition of certification. B. Failure to comply with the code may result in revocation of certification. C. The code applies to all members of the information security profession. D. Members who observe a breach of the code are required to report the possible violation.

C. The (ISC)2 code of ethics applies only to information security professionals who are members of (ISC)2. Adherence to the code is a condition of certification, and individuals found in violation of the code may have their certifications revoked. (ISC)2 members who observe a breach of the code are required to report the possible violation by following the ethics complaint procedures.

27. In the figure shown below (**), Harry's request to write to the data file is blocked. Harry has a Secret security clearance and the data file has a Confidential classification. What principle of the Bell-LaPadula model blocked this request? A. Simple Security Property B. Simple Integrity Property C. *-Security Property D. Discretionary Security Property

C. The *-Security Property states that an individual may not write to a file at a lower classification level than that of the individual. This is also known as the confinement property.

48. Which one of the following terms accurately describes the Caesar cipher? A. Transposition cipher B. Block cipher C. Shift cipher D. Strong cipher

C. The Caesar cipher is a shift cipher that works on a stream of text and is also a substitution cipher. It is not a block cipher or a transposition cipher. It is extremely weak as a cryptographic algorithm.

96. MITRE's CVE database provides what type of information? A. Current versions of software B. Patching information for applications C. Vulnerability information D. A list of costs versus effort required for common processes

C. The Common Vulnerabilities and Exposures (CVE) dictionary provides a central repository of security vulnerabilities and issues. Patching information for applications and software versions are sometimes managed using central patch management tools, but a single central database is not available for free or public use. Costs versus effort is also not what CVE stands for.

36. The DARPA TCP/IP model's Application layer matches up to what three OSI model layers? A. Application, Presentation, and Transport B. Presentation, Session, and Transport C. Application, Presentation, and Session D. There is not a direct match. The TCP model was created before the OSI model.

C. The DARPA TCP/IP model was used to create the OSI model, and the designers of the OSI model made sure to map the OSI model layers to it. The Application layer of the TCP model maps to the Application, Presentation, and Session layers, while the TCP and OSI models both have a distinct Transport layer.

Using your knowledge of the Kerberos logon process and the following diagram (client workstation to KDC via A, KDC to client workstation via B, client workstation to cloud services via C), answer the question. 18. At point B in the diagram, what two important elements does the KDC send to the client after verifying that the username is valid? A. An encrypted TGT and a public key B. An access ticket and a public key C. An encrypted, time-stamped TGT and a symmetric key encrypted with a hash of the user's password D. An encrypted, time-stamped TGT and an access token

C. The KDC uses the user's password to generate a hash and then uses that hash to encrypt a symmetric key. It transmits both the encrypted symmetric key and an encrypted time-stamped TGT to the client.

64. During what phase of the incident response process do administrators take action to limit the effect or scope of an incident? A. Detection B. Response C. Mitigation D. Recovery

C. The Mitigation phase of incident response focuses on actions that can contain the damage incurred during an incident. This includes limiting the scope and/or effectiveness of the incident.

81. Laura is responsible for securing her company's web-based applications and wishes to conduct an educational program for developers on common web application security vulnerabilities. Where can she turn for a concise listing of the most common web application issues? A. CVE B. NSA C. OWASP D. CSA

C. The Open Web Application Security Project (OWASP) produces an annual list of the top ten web application security issues that developers and security professionals around the world rely upon for education and training purposes. The OWASP vulnerabilities form the basis for many web application security testing products.

51. Which OSI layer includes electrical specifications, protocols, and interface standards? A. The Transport layer B. The Device layer C. The Physical layer D. The Data Link layer

C. The Physical layer includes electrical specifications, protocols, and standards that allow control of throughput, handling line noise, and a variety of other electrical interface and signaling requirements. The OSI model doesn't have a Device layer. The Transport layer connects the Network and Session layers, and the Data Link layer packages packets from the Network layer for transmission and receipt by devices operating on the Physical layer.

48. What protocol is used to handle vulnerability management data? A. VML B. SVML C. SCAP D. VSCAP

C. The Security Content Automation Protocol (SCAP) is a community sourced specification for security flaw and security configuration information and is defined in NIST SP 800-126. SVML, VSCAP, and VML are not information security-related terms.

11. Which of the following classification levels is the US government's classification label for data that could cause damage but wouldn't cause serious or grave damage? A. Top Secret B. Secret C. Confidential D. Classified

C. The US government uses the label Confidential for data that could cause damage if it was disclosed without authorization. Exposure of Top Secret data is considered to potentially cause grave damage, while Secret data could cause serious damage. Classified is not a level in the US government classification scheme.

77. The US government CAC is an example of what form of Type 2 authentication factor? A. A token B. A biometric identifier C. A smart card D. A PIV

C. The US government's Common Access Card is a smart card. The US government also issues PIV cards, or personal identity verification cards.

95. What type of vulnerabilities will not be found by a vulnerability scanner? A. Local vulnerabilities B. Service vulnerabilities C. Zero-day vulnerabilities D. Vulnerabilities that require authentication

C. Vulnerability scanners cannot detect vulnerabilities for which they do not have a test, plug-in, or signature. Signatures often include version numbers, service fingerprints, or configuration data. They can detect local vulnerabilities as well as those that require authentication if they are provided with credentials, and of course, they can detect service vulnerabilities.

58. During a third-party audit, Jim's company receives a finding that states, "The administrator should review backup success and failure logs on a daily basis, and take action in a timely manner to resolve reported exceptions." What is the biggest issue that is likely to result if Jim's IT staff need to restore from a backup? A. They will not know if the backups succeeded or failed. B. The backups may not be properly logged. C. The backups may not be usable. D. The backup logs may not be properly reviewed.

C. The audit finding indicates that the backup administrator may not be monitoring backup logs and taking appropriate action based on what they report, thus resulting in potentially unusable backups. Issues with review, logging, or being aware of the success or failure of backups are less important than not having usable backups.

Susan is the lead of a Quality Assurance team at her company. They have been tasked with the testing for a major release of their company's core software product. Use your knowledge of code review and testing to answer the following question. 65. As part of their code coverage testing, Susan's team runs the analysis in a nonproduction environment using logging and tracing tools. Which of the following types of code issues is most likely to be missed during testing due to this change in the operating environment? A. Improper bounds checking B. Input validation C. A race condition D. Pointer manipulation

C. The changes from a testing environment with instrumentation inserted into the code and the production environment for the code can mask timing-related issues like race conditions. Bounds checking, input validation, and pointer manipulation are all related to coding issues rather than environmental issues and are more likely to be discoverable in a test environment.

92. Which of the following activities is not a consideration during data classification? A. Who can access the data B. What the impact would be if the data was lost or breached C. How much the data cost to create D. What protection regulations may be required for the data

C. The cost of the data is not directly included in the classification process. Instead, the impact to the organization if the data were exposed or breached is considered. Who can access the data and what regulatory or compliance requirements cover the data are also important considerations.

Ben's organization is adopting biometric authentication for its high-security building's access control system. Using the following chart (PERCENT against SENSITIVITY) 85. Ben's company is considering configuring its systems to work at the level shown by point A on the diagram. To what level is it setting the sensitivity? A. The FRR crossover B. The FAR point C. The CER D. The CFR

C. The crossover error rate is the point where false acceptance rate and false rejection rate cross over and is a standard assessment used to compare the accuracy of biometric devices.

55. Which data role is described as the person who has ultimate organizational responsibility for data? A. System owners B. Business owners C. Data owners D. Mission owners

C. The data owner has ultimate responsibility for data belonging to an organization and is typically the CEO, president, or another senior employee. Business and mission owners typically own processes or programs. System owners own a system that processes sensitive data.

100. Alex configures his LDAP server to provide services on 636 and 3269. What type of LDAP services has he configured based on LDAP's default ports? A. Unsecure LDAP and unsecure global directory B. Unsecure LDAP and secure global directory C. Secure LDAP and secure global directory D. Secure LDAP and unsecure global directory

C. The default ports for SSL/TLS LDAP directory information and global catalog services are 636 and 3269, respectively. Unsecure LDAP uses 389, and unsecure global directory services use 3268.

60. Which one of the following events marks the completion of a disaster recovery process? A. Securing property and life safety B. Restoring operations in an alternate facility C. Restoring operations in the primary facility D. Standing down first responders

C. The end goal of the disaster recovery process is restoring normal business operations in the primary facility. All of the other actions listed may take place during the disaster recovery process but the process is not complete until the organization is once again functioning normally in its primary facilities.

25. What logical operation is described by the truth table below? Input 1: 0 0 1 1; Input 2: 0 1 0 1; Output: 0 1 1 0 A. OR B. AND C. XOR D. NOR

C. The exclusive or (XOR) operation is true when one and only one of the input values is true.

70. Alice has read permissions on an object and she would like Bob to have those same rights. Which one of the rules in the Take-Grant protection model would allow her to complete this operation? A. Create rule B. Remove rule C. Grant rule D. Take rule

C. The grant rule allows a subject to grant rights that it possesses on an object to another subject.

91. What is the first step that should occur before a penetration test is performed? A. Data gathering B. Port scanning C. Getting permission D. Planning

C. The most important first step for a penetration test is getting permission. Once permission has been received, planning, data gathering, and then elements of the actual test like port scanning can commence.

83. The historic ping of death attack is most similar to which of the following modern attack types? A. SQL injection B. Cross-site scripting C. Buffer overflow D. Brute force password cracking

C. The ping of death attack placed more data than allowed by the specification in the payload of an ICMP echo request packet. This is similar to the modern-day buffer overflow attack, where attackers attempt to place more data in a targeted system's memory than is allocated for that data.

38. Sue modifies her MAC address to one that is allowed on a network that uses MAC filtering to provide security. What is the technique Sue used, and what non-security issue could her actions cause? A. Broadcast domain exploit, address conflict B. Spoofing, token loss C. Spoofing, address conflict D. Sham EUI creation, token loss

C. The process of using a fake MAC (Media Access Control) address is called spoofing, and spoofing a MAC address already in use on the network can lead to an address collision, preventing traffic from reaching one or both systems. Tokens are used in token ring networks, which are outdated, and EUI refers to an Extended Unique Identifier, another term for MAC address, but token loss is still not the key issue. A broadcast domain refers to the set of machines a host can send traffic to via a broadcast message.

75. Allie is responsible for reviewing authentication logs on her organization's network. She does not have the time to review all logs, so she decides to choose only records where there have been four or more invalid authentication attempts. What technique is Allie using to reduce the size of the pool? A. Sampling B. Random selection C. Clipping D. Statistical analysis

C. The two main methods of choosing records from a large pool for further analysis are sampling and clipping. Sampling uses statistical techniques to choose a sample that is representative of the entire pool, while clipping uses threshold values to select those records that exceed a predefined threshold because they may be of most interest to analysts.

99. Which one of the following techniques uses statistical methods to select a small number of records from a large pool for further analysis with the goal of choosing a set of records that is representative of the entire pool? A. Clipping B. Randomization C. Sampling D. Selection

C. The two main methods of choosing records from a large pool for further analysis are sampling and clipping. Sampling uses statistical techniques to choose a sample that is representative of the entire pool, while clipping uses threshold values to select those records that exceed a predefined threshold because they may be of most interest to analysts.

9. Helen is a software engineer and is developing code that she would like to restrict to running within an isolated sandbox for security purposes. What software development technique is Helen using? A. Bounds B. Input validation C. Confinement D. TCB

C. The use of a sandbox is an example of confinement, where the system restricts the access of a particular process to limit its ability to affect other processes running on the same system.

52. Which one of the following systems assurance processes provides an independent third-party evaluation of a system's controls that may be trusted by many different organizations? A. Certification B. Definition C. Verification D. Accreditation

C. The verification process is similar to the certification process in that it validates security controls. Verification may go a step further by involving a third-party testing service and compiling results that may be trusted by many different organizations. Accreditation is the act of management formally accepting an evaluated system, not evaluating the system itself.

7. What common applications are associated with each of the following TCP ports: 23, 25, 143, and 515? A. Telnet, SFTP, NetBIOS, and LPD B. SSH, SMTP, POP3, and ICMP C. Telnet, SMTP, IMAP, and LPD D. Telnet, SMTP, POP3, and X Windows

C. These common ports are important to know, although some of the protocols are becoming less common. TCP 23 is used for Telnet; TCP 25 is used for SMTP (the Simple Mail Transfer Protocol); 143 is used for IMAP, the Internet Message Access Protocol; and 515 is associated with LPD, the Line Printer Daemon protocol used to send print jobs to printers. POP3 operates on TCP 110, SSH operates on TCP 22 (and SFTP operates over SSH), and X Windows operates on a range of ports between 6000 and 6063.

73. Alan intercepts an encrypted message and wants to determine what type of algorithm was used to create the message. He first performs a frequency analysis and notes that the frequency of letters in the message closely matches the distribution of letters in the English language. What type of cipher was most likely used to create this message? A. Substitution cipher B. AES C. Transposition cipher D. 3DES

C. This message was most likely encrypted with a transposition cipher. The use of a substitution cipher, a category that includes AES and 3DES, would change the frequency distribution so that it did not mirror that of the English language.

59. Jim's organization uses a traditional PBX for voice communication. What is the most common security issue that its internal communications are likely to face, and what should he recommend to prevent it? A. Eavesdropping, encryption B. Man-in-the-middle attacks, end-to-end encryption C. Eavesdropping, physical security D. Wardialing, deploy an IPS

C. Traditional private branch exchange (PBX) systems are vulnerable to eavesdropping because voice communications are carried directly over copper wires. Since standard telephones don't provide encryption (and you're unlikely to add encrypted phones unless you're the NSA), physically securing access to the lines and central connection points is the best strategy available.

58. A new customer at a bank that uses fingerprint scanners to authenticate its users is surprised when he scans his fingerprint and is logged in to another customer's account. What type of biometric factor error occurred? A. A registration error B. A Type 1 error C. A Type 2 error D. A time of use, method of use error

C. Type 2 errors occur in biometric systems when an invalid subject is incorrectly authenticated as a valid user. In this case, nobody except the actual customer should be validated when fingerprints are scanned. Type 1 errors occur when a valid subject is not authenticated; if the existing customer was rejected, it would be a Type 1 error. Registration is the process of adding users, but registration errors and time of use, method of use errors are not specific biometric authentication terms.

72. Which of the following is not a method of synthetic transaction monitoring? A. Database monitoring B. Traffic capture and analysis C. User session monitoring D. Website performance monitoring

C. User session monitoring is not a means of conducting synthetic performance monitoring. Synthetic performance monitoring uses scripted or recorded data, not actual user sessions. Traffic capture, database performance monitoring, and website performance monitoring can all be used during synthetic performance monitoring efforts.

67. What issue is the validation portion of the NIST SP 800-88 sample certificate of sanitization intended to help prevent? A. Destruction B. Reuse C. Data remanence D. Attribution

C. Validation processes are conducted to ensure that the sanitization process was completed, avoiding data remanence. A form like this one helps to ensure that each device has been checked and that it was properly wiped, purged, or sanitized. This can allow reuse, does not prevent destruction, and does not help with attribution, which is a concept used with encryption to prove who created or sent a file.

4. Voice pattern recognition is what type of authentication factor? A. Type 1 B. Type 2 C. Type 3 D. Type 4

C. Voice pattern recognition is "something you are," a Type 3 authentication factor. Type 1 factors are "something you know," and Type 2 factors are "something you have." Type 4 is made up and is not a valid type of authentication factor.

29. Jim uses a tool that scans a system for available services, then connects to them to collect banner information to determine what version of the service is running. It then provides a report detailing what it gathers, basing results on service fingerprinting, banner information, and similar details it gathers combined with CVE information. What type of tool is Jim using? A. A port scanner B. A service validator C. A vulnerability scanner D. A patch management tool

C. Vulnerability scanners that do not have administrative rights to access a machine or that are not using an agent scan remote machines to gather information, including fingerprints from responses to queries and connections, banner information from services, and related data. CVE information is Common Vulnerability and Exposure information, or vulnerability information. A port scanner gathers information about what service ports are open, although some port scanners blur the line between port and vulnerability scanners. Patch management tools typically run as an agent on a system to allow them to both monitor patch levels and update the system as needed. Service validation typically involves testing the functionality of a service, not its banner and response patterns.

23. What type of key does WEP use to encrypt wireless communications? A. An asymmetric key B. Unique key sets for each host C. A predefined shared static key D. Unique asymmetric keys for each host

C. WEP has a very weak security model that relies on a single, predefined, shared static key. This means that modern attacks can break WEP encryption in less than a minute.

75. WPA2's Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP) is based on which common encryption scheme? A. DES B. 3DES C. AES D. TLS

C. WPA2's CCMP encryption scheme is based on AES. As of the writing of this book, there have not been any practical real-world attacks against WPA2. DES has been successfully broken, and neither 3DES nor TLS is used for WPA2.

Chris is the identity architect for a growing e-commerce website that wants to leverage social identity. To do this, he and his team intend to allow users to use their existing Google accounts as their primary accounts when using the e-commerce site. This means that when a new user initially connects to the e-commerce platform, they are given the choice between using their Google+ account using OAuth 2.0, or creating a new account on the platform using their own email address and a password of their choice. Using this information and the following diagram of an example authentication flow (***) 67. Which system or systems is/are responsible for user authentication for Google+ users? A. The e-commerce application B. Both the e-commerce application and Google servers C. Google servers D. The diagram does not provide enough information to determine this.

C. When a third-party site integrates via OAuth 2.0, authentication is handled by the service provider's servers. In this case, Google is acting as the service provider for user authentication. Authentication for local users who create their own accounts would occur in the e-commerce application (or a related server), but that is not the question that is asked here.

60. When you input a user ID and password, you are performing what important identity and access management activity? A. Authorization B. Validation C. Authentication D. Login

C. When you input a username and password, you are authenticating yourself by providing a unique identifier and a verification that you are the person who should have that identifier (the password). Authorization is the process of determining what a user is allowed to do. Validation and login both describe elements of what is happening in the process; however, they aren't the most important identity and access management activity.

3. Which one of the following is not a privileged administrative activity that should be automatically sent to a log of super-user actions? A. Purging log entries B. Restoring a system from backup C. Logging into a workstation D. Managing user accounts

C. While most organizations would want to log attempts to log in to a workstation, this is not considered a privileged administrative activity and would go through normal logging processes.

47. Which of the following tools is not typically used to verify that a provisioning process was followed in a way that ensures that the organization's security policy is being followed? A. Log review B. Manual review of permissions C. Signature-based detection D. Review the audit trail

C. While signature-based detection is used to detect attacks, review of provisioning processes typically involves checking logs, reviewing the audit trail, or performing a manual review of permissions granted during the provisioning process.

50. Which one of the following statements best describes a zero-day vulnerability? A. An attacker that is new to the world of hacking B. A database attack that places the date 00/00/0000 in data tables in an attempt to exploit flaws in business logic C. An attack previously unknown to the security community D. An attack that sets the operating system date and time to 00/00/0000 and 00:00:00

C. Zero-day attacks are those that are previously unknown to the security community and, therefore, have no available patch. These are especially dangerous attacks because they may be highly effective until a solution becomes available.

4. Harold's company has a strong password policy that requires a minimum length of 12 characters and the use of both alphanumeric characters and symbols. What technique would be the most effective way for an attacker to compromise passwords in Harold's organization? A. Brute-force attack B. Dictionary attack C. Rainbow table attack D. Social engineering attack

D. A social engineering attack may trick a user into revealing their password to the attacker. Other attacks that depend on guessing passwords, such as brute-force attacks, rainbow table attacks, and dictionary attacks, are unlikely to be successful in light of the organization's strong password policy.

29. What type of database security issue exists when a collection of facts has a higher classification than the classification of any of those facts standing alone? A. Inference B. SQL injection C. Multilevel security D. Aggregation

D. Aggregation is a security issue that arises when a collection of facts has a higher classification than the classification of any of those facts standing alone. An inference problem occurs when an attacker can pull together pieces of less sensitive information and use them to derive information of greater sensitivity. SQL injection is a web application exploit. Multilevel security is a system control that allows the simultaneous processing of information at different classification levels.

35. What type of security issue arises when an attacker can deduce a more sensitive piece of information by analyzing several pieces of information classified at a lower level? A. SQL injection B. Multilevel security C. Aggregation D. Inference

D. An inference problem occurs when an attacker can pull together pieces of less sensitive information and use them to derive information of greater sensitivity. Aggregation is a security issue that arises when a collection of facts has a higher classification than the classification of any of those facts standing alone. SQL injection is a web application exploit. Multilevel security is a system control that allows the simultaneous processing of information at different classification levels.

27. What term is used to describe the level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during its life cycle, and that the software functions in the intended manner? A. Validation B. Accreditation C. Confidence interval D. Assurance

D. Assurance, when it comes to software, is the level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during its life cycle, and that the software functions in the intended manner. It is a term typically used in military and defense environments.

94. Which one of the following security programs is designed to establish a minimum standard common denominator of security understanding? A. Training B. Education C. Indoctrination D. Awareness

D. Awareness establishes a minimum standard of information security understanding. It is designed to accommodate all personnel in an organisation, regardless of their assigned tasks.

2. Which of the following is a common way that attackers leverage botnets? A. Sending spam messages B. Conducting brute-force attacks C. Scanning for vulnerable systems D. All of the above

D. Botnets are used for a wide variety of malicious purposes, including scanning the network for vulnerable systems, conducting brute-force attacks against other systems, and sending out spam messages.

98. Which one of the following database concurrency issues occurs when one transaction reads information that was written to a database by a second transaction that never committed? A. Lost update B. SQL injection C. Incorrect summary D. Dirty read

D. Dirty reads occur when one transaction reads a value from a database that was written by another transaction that did not commit. Lost updates occur when one transaction writes a value to the database that overwrites a value needed by transactions that have earlier precedence, causing those transactions to read an incorrect value. Incorrect summaries occur when one transaction is using an aggregate function to summarize data stored in a database while a second transaction is making modifications to the database, causing the summary to include incorrect information. SQL injection is a web application security flaw, not a database concurrency problem.

25. Which one of the following is an example of physical infrastructure hardening? A. Antivirus software B. Hardware-based network firewall C. Two-factor authentication D. Fire suppression system

D. Fire suppression systems protect infrastructure from physical damage. Along with uninterruptible power supplies, fire suppression systems are good examples of technology used to harden physical infrastructure. Antivirus software, hardware firewalls, and two-factor authentication are all examples of logical controls.

45. What type of requirement specifies what software must do by describing the inputs, behavior, and outputs of software? A. Derived requirements B. Structural requirements C. Behavioral requirements D. Functional requirements

D. Functional requirements specify the inputs, behavior, and outputs of software. Derived requirements are requirements developed from other requirement definitions. Structural and behavioral requirements focus on the overall structure of a system and the behaviors it displays.

63. HAL Systems recently decided to stop offering public NTP services because of a fear that its NTP servers would be used in amplification DDoS attacks. What type of risk management strategy did HAL pursue with respect to its NTP services? A. Risk mitigation B. Risk acceptance C. Risk transference D. Risk avoidance

D. HAL Systems decided to stop offering the service because of the risk. This is an example of a risk avoidance strategy. The company altered its operations in a manner that eliminates the risk of NTP misuse.

72. Barry is a software tester who is working with a new gaming application developed by his company. He is playing the game on a smartphone to conduct his testing in an environment that best simulates a normal end user, but he is referencing the source code as he conducts his test. What type of test is Barry conducting? A. White box B. Black box C. Blue box D. Gray box

D. In a gray box test, the tester evaluates the software from a user perspective but has access to the source code as the test is conducted. White box tests also have access to the source code but perform testing from a developer's perspective. Black box tests work from a user's perspective but do not have access to source code. Blue boxes are a telephone hacking tool and not a software testing technique.

83. Rolando is a risk manager with a large-scale enterprise. The firm recently evaluated the risk of California mudslides on its operations in the region and determined that the cost of responding outweighed the benefits of any controls it could implement. The company chose to take no action at this time. What risk management strategy did Rolando's organisation pursue? A. Risk avoidance B. Risk mitigation C. Risk transference D. Risk acceptance

D. In a risk acceptance strategy, the organisation decides that taking no action is the most beneficial route to managing a risk.

13. Bobbi is investigating a security incident and discovers that an attacker began with a normal user account but managed to exploit a system vulnerability to provide that account with administrative rights. What type of attack took place under the STRIDE model? A. Spoofing B. Repudiation C. Tampering D. Elevation of privilege

D. In an elevation of privilege attack, the attacker transforms a limited user account into an account with greater privileges, powers, and/or access to the system. Spoofing attacks falsify an identity, while repudiation attacks attempt to deny accountability for an action. Tampering attacks attempt to violate the integrity of information or resources.

93. Tom is writing a software program that calculates the sales tax for online orders placed from various jurisdictions. The application includes a user-defined field that allows the entry of the total sale amount. Tom would like to ensure that the data entered in this field is a properly formatted dollar amount. What technique should he use? A. Limit check B. Fail open C. Fail secure D. Input validation

D. Input validation ensures that the data provided to a program as input matches the expected parameters. Limit checks are a special form of input validation that ensure the value remains within an expected range, but there was no range specified in this scenario. Fail open and fail secure are options when planning for possible system failures.

39. Tom is installing a next-generation firewall (NGFW) in his data centre that is designed to block many types of application attacks. When viewed from a risk management perspective, what metric is Tom attempting to lower? A. Impact B. RPO C. MTO D. Likelihood

D. Installing a device that will block attacks is an attempt to lower risk by reducing the likelihood of a successful application attack.

31. Renee is designing the long-term security plan for her organisation and has a 3-5 year planning horizon. What type of plan is she developing? A. Operational B. Tactical C. Summary D. Strategic

D. Strategic plans have a long-term planning horizon of up to five years in most cases. Operational and tactical plans have shorter horizons of a year or less.

48. Lisa is attempting to prevent her network from being targeted by IP spoofing attacks as well as preventing her network from being the source of those attacks. Which one of the following rules is not a best practice that Lisa can configure at her network border? A. Block packets with internal source addresses from entering the network. B. Block packets with external source addresses from leaving the network. C. Block packets with private IP addresses from exiting the network. D. Block packets with public IP addresses from entering the network.

D. It is perfectly normal for packets with public IP addresses to enter the network from external locations. However, packets with internal addresses should never originate from the outside and should be blocked as spoofed traffic. Similarly, traffic leaving the network should have an internal source address. In no case should packets with private IP addresses cross the network border.

68. Gary is implementing a new RAID-based disk system designed to keep a server up and running even in the event of a single disk failure. What principle of information security is Gary seeking to enforce? A. Denial B. Confidentiality C. Integrity D. Availability

D. Keeping a server up and running is an example of an availability control because it increases the likelihood that a server will remain available to answer user requests.

52. An accounting employee at Doolitte Industries was recently arrested for participation in an embezzlement scheme. The employee transferred money to a personal account and then shifted funds around between other accounts every day to disguise the fraud for months. Which one of the following controls might have best allowed the earlier detection of this fraud? A. Separation of duties B. Least privilege C. Defense in depth D. Mandatory vacation

D. Mandatory vacation programs require that employees take continuous periods of time off each year and revoke their system privileges during that time. This will hopefully disrupt any attempt to engage in the cover-up actions necessary to hide fraud and result in exposing the threat. Separation of duties, least privilege, and defense in depth controls all may help prevent the fraud in the first place but are unlikely to speed the detection of fraud that has already occurred.

85. Which one of the following types of artificial intelligence attempts to use complex computations to replicate the partial function of the human mind? A. Decision support systems B. Expert systems C. Knowledge bank D. Neural networks

D. Neural networks attempt to use complex computational techniques to model the behavior of the human mind. Knowledge banks are a component of expert systems, which are designed to capture and reapply human knowledge. Decision support systems are designed to provide advice to those carrying out standard procedures and are often driven by expert systems.

77. Ben is designing a messaging system for a bank and would like to include a feature that allows the recipient of a message to prove to a third party that the message did indeed come from the purported originator. What goal is Ben trying to achieve? A. Authentication B. Authorization C. Integrity D. Nonrepudiation

D. Nonrepudiation allows a recipient to prove to a third party that a message came from a purported source. Authentication would provide proof to Ben that the sender was authentic, but Ben would not be able to prove this to a third party.

89. Craig is selecting the site for a new data centre and must choose a location somewhere within the United States. He obtained the earthquake risk map [image] from the United States Geological Survey. Which of the following would be the safest location to build his facility if he were primarily concerned with earthquake risk? A. New York B. North Carolina C. Indiana D. Florida

D. Of the states listed, Florida is the only one that is not shaded to indicate a serious risk of a major earthquake.

61. Martin is inspecting a system where the user reported unusual activity, including disk activity when the system is idle and abnormal CPU and network usage. He suspects that the machine is infected by a virus but scans come up clean. What malware technique might be in use here that would explain the clean scan results? A. File infector virus B. MBR virus C. Service injection virus D. Stealth virus

D. One possibility for the clean scan results is that the virus is using stealth techniques, such as intercepting read requests from the antivirus software and returning a correct-looking version of the infected file. The system may also be the victim of a zero-day attack, using a virus that is not yet included in the signature definition files provided by the antivirus vendor.

95. Which of the following vulnerabilities might be discovered during a penetration test of a web-based application? A. Cross-site scripting B. Cross-site request forgery C. SQL injection D. All of the above

D. Penetration tests of web-based systems may detect any possible web application security flaw, including cross-site request forgery (XSRF), cross-site scripting (XSS), and SQL injection vulnerabilities.

57. In what software testing technique does the evaluator retest a large number of scenarios each time that the software changes to verify that the results are consistent with a standard baseline? A. Orthogonal array testing B. Pattern testing C. Matrix testing D. Regression testing

D. Regression testing is performed after developers make changes to an application. It reruns a number of test cases and compares the results to baseline results. Orthogonal array testing is a method for generating test cases based on statistical analysis. Pattern testing uses records of past software bugs to inform the analysis. Matrix testing develops a matrix of all possible inputs and outputs to inform the test plan.

75. Which one of the following is not an example of a technical control? A. Router ACL B. Firewall rule C. Encryption D. Data classification

D. Router ACLs, encryption, and firewall rules are all examples of technical controls. Data classification is an administrative control.

9. Which one of the following is not a goal of software threat modeling? A. To reduce the number of security-related design flaws B. To reduce the number of security-related coding flaws C. To reduce the severity of non-security-related flaws D. To reduce the number of threat vectors

D. Software threat modeling is designed to reduce the number of security-related design and coding flaws as well as the severity of other flaws. The developer or evaluator of software has no control over the threat environment, because it is external to the organization.

79. Which one of the following is not a goal of a formal change management program? A. Implement change in an orderly fashion. B. Test changes prior to implementation. C. Provide rollback plans for changes. D. Inform stakeholders of changes after they occur.

D. Stakeholders should be informed of changes before, not after, they occur. The other items listed are goals of change management programs.

58. The Computer Security Act of 1987 gave a federal agency responsibility for developing computer security standards and guidelines for federal computer systems. What agency did the act give this responsibility to? A. National Security Agency B. Federal Communications Commission C. Department of Defense D. National Institute of Standards and Technology

D. The Computer Security Act of 1987 gave the National Institute of Standards and Technology (NIST) responsibility for developing standards and guidelines for federal computer systems. For this purpose, NIST draws upon the technical advice and assistance of the National Security Agency where appropriate.

17. What law provides intellectual property protection to the holders of trade secrets? A. Copyright Law B. Lanham Act C. Glass-Steagall Act D. Economic Espionage Act

D. The Economic Espionage Act imposes fines and jail sentences on anyone found guilty of stealing trade secrets from a US corporation. It gives true teeth to the intellectual property rights of trade secret owners.

Robert is a consultant who helps organisations create and develop mature software development practices. He prefers to use the Software Capability Maturity Model (SW-CMM) to evaluate the current and future status of organizations using both independent review and self-assessments. He is currently working with two different clients. Acme Widgets is not very well organised with their software development practices. They have a dedicated team of developers who do "whatever it takes" to get software out the door, but they do not have any formal processes. Beta Particles is a company with years of experience developing software using formal, documented software development processes. They use a standard model for software development but do not have a quantitative management of those processes. 20. Robert is also working with Beta Particles on a strategy to advance their software development practices. What SW-CMM stage should be their next target milestone? A. Defined B. Repeatable C. Optimizing D. Managed

D. The Managed stage is the fourth stage in the SW-CMM, following the Defined stage. It should be the next milestone goal for Beta Particles. The Repeatable stage is characterized by the use of quantitative software development measures.

88. What law governs the handling of information related to the financial statements of publicly traded companies? A. GLBA B. PCI DSS C. HIPAA D. SOX

D. The Sarbanes-Oxley Act (SOX) governs the financial reporting of publicly traded companies and includes requirements for security controls that ensure the integrity of that information.

42. You are the CISO for a major hospital system and are preparing to sign a contract with a Software-as-a-Service (SaaS) email vendor and want to ensure that its business continuity planning measures are reasonable. What type of audit might you request to meet this goal? A. SOC-1 B. FISMA C. PCI DSS D. SOC-2

D. The Service Organizations Control audit program includes business continuity controls in a Type 2, but not Type 1, audit. Although FISMA and PCI DSS may audit business continuity, they would not apply to an email service used by a hospital.

73. Miguel recently completed a penetration test of the applications that his organization uses to handle sensitive information. During his testing, he discovered a condition where an attacker can exploit a timing condition to manipulate software into allowing him to perform an unauthorized action. Which one of the following attack types fits this scenario? A. SQL injection B. Cross-site scripting C. Pass the hash D. TOC/TOU

D. The Time of Check to Time of Use (TOC/TOU) attack exploits timing differences between when a system verifies authorization and software uses that authorization to perform an action. It is an example of a race condition attack. The other three attacks mentioned do not depend on precise timing.

9. What United States government agency is responsible for administering the terms of safe harbor agreements between the European Union and the United States under the EU Data Protection Directive? A. Department of Defense B. Department of the Treasury C. State Department D. Department of Commerce

D. The US Department of Commerce is responsible for implementing the EU-US Safe Harbor agreement. The validity of this agreement was in legal question in the wake of the NSA surveillance disclosures.

85. Tom is considering locating a business in the downtown area of Miami, Florida. He consults the FEMA flood plain map for the region, shown below, and determines that the area he is considering lies within a 100-year flood plain. What is the ARO of a flood in this area? A. 100 B. 1 C. 0.1 D. 0.01

D. The annualized rate of occurrence (ARO) is the frequency at which you should expect a risk to materialize each year. In a 100-year flood plain, risk analysts expect a flood to occur once every 100 years, or 0.01 times per year.

71. David is working on developing a project schedule for a software development effort, and he comes across the chart shown here. What type of chart is this? [image showing WBS activities in sequences with start and finish times and % of completion] A. Work breakdown structure B. Functional requirements C. PERT chart D. Gantt chart

D. The chart shown in the figure is a Gantt chart, showing the proposed start and end dates for different activities. It is developed based on the work breakdown structure (WBS), which is developed based on functional requirements. Program Evaluation Review Technique (PERT) charts show the project schedule as a series of numbered nodes.

8. Jaime is a technical support analyst and is asked to visit a user whose computer is displaying the error message (blue screen - white text). What state has this computer entered? A. Fail open B. Irrecoverable error C. Memory exhaustion D. Fail secure

D. The error message shown in the figure is the infamous "Blue Screen of Death" that occurs when a Windows system experiences a dangerous failure and enters a fail secure state. If the system had "failed open," it would have continued operation. The error described is a memory fault that is likely recoverable by rebooting the system. There is no indication that the system has run out of usable memory.

12. Chris is advising travelers from his organization who will be visiting many different countries overseas. He is concerned about compliance with export control laws. Which of the following technologies is most likely to trigger these regulations? A. Memory chips B. Office productivity applications C. Hard drives D. Encryption software

D. The export of encryption software to certain countries is regulated under US export control laws.

64. Linux systems that use bcrypt are using a tool based on what DES alternative encryption scheme? A. 3DES B. AES C. Diffie-Hellman D. Blowfish

D. Bcrypt is based on Blowfish (the b is a key hint here). AES and 3DES are both replacements for DES, while Diffie-Hellman is a protocol for key exchange.

76. Which one of the following approaches to failure management is the most conservative from a security perspective? A. Fail open B. Fail mitigation C. Fail clear D. Fail closed

D. The fail closed approach prevents any activity from taking place during a system security failure and is the most conservative approach to failure management. Fail open takes the opposite philosophy, allowing all activity in the event of a security control failure. Fail clear and fail mitigation are not failure management approaches.

1. What is the final step of a quantitative risk analysis? A. Determine asset value. B. Assess the annualized rate of occurrence. C. Derive the annualized loss expectancy. D. Conduct a cost/benefit analysis.

D. The final step of a quantitative risk analysis is conducting a cost/benefit analysis to determine whether the organisation should implement proposed countermeasure(s).

77. What software development model is shown in the figure? [image] A. Waterfall B. Agile C. Lean D. Spiral

D. The illustration shows the spiral model of software development. In this approach, developers use multiple iterations of a waterfall-style software development process. This becomes a "loop" of iterations through similar processes. The waterfall approach does not iterate through the entire process repeatedly but rather only allows movement backward and forward one stage. The agile approach to software development focuses on iterative improvement and does not follow a rigorous SDLC model. Lean is a process improvement methodology and not a software development model.

67. Which one of the following actions is not normally part of the project scope and planning phase of business continuity planning? A. Structured analysis of the organization B. Review of the legal and regulatory landscape C. Creation of a BCP team D. Documentation of the plan

D. The project scope and planning phase includes four actions: a structured analysis of the organization, the creation of a BCP team, an assessment of available resources, and an analysis of the legal and regulatory landscape.

5. Which one of the following is not one of the three common threat modeling techniques? A. Focused on assets B. Focused on attackers C. Focused on software D. Focused on social engineering

D. The three common threat modeling techniques are focused on attackers, software, and assets. Social engineering is a subset of attackers.

16. Tony is developing a business continuity plan and is having difficulty prioritizing resources because of the difficulty of combining information about tangible and intangible assets. What would be the most effective risk assessment approach for him to use? A. Quantitative risk assessment B. Qualitative risk assessment C. Neither quantitative nor qualitative risk assessment D. Combination of quantitative and qualitative risk assessment

D. Tony would see the best results by combining elements of quantitative and qualitative risk assessment. Quantitative risk assessment excels at analyzing financial risk, while qualitative risk assessment is a good tool for intangible risks. Combining the two techniques provides a well-rounded risk picture.

27. The International Information Systems Security Certification Consortium uses the logo (ISC2) to represent itself online and in a variety of forums. What type of intellectual property protection may it use to protect its rights in this logo? A. Copyright B. Patent C. Trade secret D. Trademark

D. Trademark protection extends to words and symbols used to represent an organisation, product, or service in the marketplace.

14. You are completing your business continuity planning effort and have decided that you wish to accept one of the risks. What should you do next? A. Implement new security controls to reduce the risk level. B. Design a disaster recovery plan. C. Repeat the business impact assessment. D. Document your decision-making process.

D. Whenever you choose to accept a risk, you should maintain detailed documentation of the risk acceptance process to satisfy auditors in the future. This should happen before implementing security controls, designing a disaster recovery plan, or repeating the business impact analysis (BIA).

86. You discover that a user on your network has been using the Wireshark tool (***). Further investigation revealed that he was using it for illicit purposes. What pillar of information security has most likely been violated? A. Integrity B. Denial C. Availability D. Confidentiality

D. Wireshark is a protocol analyzer and may be used to eavesdrop on network connections. Eavesdropping is an attack against confidentiality.

33. What type of malware is characterized by spreading from system to system under its own power by exploiting vulnerabilities that do not require user intervention? A. Trojan horse B. Virus C. Logic bomb D. Worm

D. Worms have built-in propagation mechanisms that do not require user interaction, such as scanning for systems containing known vulnerabilities and then exploiting those vulnerabilities to gain access. Viruses and Trojan horses typically require user interaction to spread. Logic bombs do not spread from system to system but lie in wait until certain conditions are met, triggering the delivery of their payload.

83. TJ is inspecting a system where the user reported a strange error message and the inability to access files. He sees the window shown in this figure. What type of malware should TJ suspect? A. Service injection B. Encrypted virus C. SQL injection D. Ransomware

D. Messages similar to the one shown in the figure are indicative of a ransomware attack. The attacker encrypts files on a user's hard drive and then demands a ransom, normally paid in Bitcoin, for the decryption key required to restore access to the original content. Encrypted viruses, on the other hand, use encryption to hide themselves from antivirus mechanisms and do not alter other contents on the system.

43. Ben has deployed a 1000Base-T 1 gigabit network and needs to run a cable to another building. If Ben is running his link directly from a switch to another switch in that building, what is the maximum distance Ben can cover according to the 1000Base-T specification? A. 2 kilometers B. 500 meters C. 185 meters D. 100 meters

D. 1000Base-T is capable of a 100 meter run according to its specifications. For longer distances, a fiber-optic cable is typically used in modern networks.

42. Lauren wants to provide port-based authentication on her network to ensure that clients must authenticate before using the network. What technology is an appropriate solution for this requirement? A. 802.11a B. 802.3 C. 802.15.1 D. 802.1x

D. 802.1x provides port-based authentication and can be used with technologies like EAP, the Extensible Authentication Protocol. 802.11a is a wireless standard, 802.3 is the standard for Ethernet, and 802.15.1 was the original Bluetooth IEEE standard.

19. Which one of the following security tools consists of an unused network address space that may detect unauthorized activity? A. Honeypot B. Honeynet C. Pseudoflaw D. Darknet

D. A darknet is a segment of unused network address space that should have no network activity and, therefore, may be easily used to monitor for illicit activity. A honeypot is a decoy computer system used to bait intruders into attacking. A honeynet is a network of multiple honeypots that creates a more sophisticated environment for intruders to explore. A pseudoflaw is a false vulnerability in a system that may attract an attacker.

25. Which of the following would normally be considered an example of a disaster when performing disaster recovery planning? I. Hacking incident II. Flood III. Fire IV. Terrorism A. II and III only B. I and IV only C. II, III, and IV only D. I, II, III, and IV

D. A disaster is any event that can disrupt normal IT operations and can be either natural or manmade. Hacking and terrorism are examples of manmade disasters, while flooding and fire are examples of natural disasters.

29. Which of the following is not part of a Kerberos authentication system? A. KDC B. TGT C. AS D. TS

D. A key distribution center (KDC) provides authentication services, and ticket-granting tickets (TGTs) provide proof that a subject has authenticated and can request tickets to access objects. Authentication services (ASs) are part of the KDC. There is no TS in a Kerberos infrastructure.

85. What type of network device modulates between an analog carrier signal and digital information for computer communications? A. A bridge B. A router C. A brouter D. A modem

D. A modem (MOdulator/DEModulator) modulates between an analog carrier like a phone line and digital communications like those used between computers. While modems aren't in heavy use in most areas, they are still in place for system control and remote system contact and in areas where phone lines are available but other forms of communication are too expensive or not available.

22. What type of fire suppression system fills with water when the initial stages of a fire are detected and then requires sprinkler head heat activation before dispensing water? A. Wet pipe B. Dry pipe C. Deluge D. Preaction

D. A preaction fire suppression system activates in two steps. The pipes fill with water once the early signs of a fire are detected. The system does not dispense water until heat sensors on the sprinkler heads trigger the second phase.

40. Which one of the following is an example of a manmade disaster? A. Hurricane B. Flood C. Mudslide D. Transformer failure

D. A transformer failure is a failure of a manmade electrical component. Flooding, mudslides, and hurricanes are all examples of natural disasters.

94. What type of attack is most likely to occur after a successful ARP spoofing attempt? A. A DoS attack B. A Trojan C. A replay attack D. A man-in-the-middle attack

D. ARP spoofing is often done to replace a target's cache entry for a destination IP, allowing the attacker to conduct a man-in-the-middle attack. A denial of service attack would be aimed at disrupting services rather than spoofing an ARP response, a replay attack will involve existing sessions, and a Trojan is malware that is disguised in a way that makes it look harmless.

63. What type of access control is composed of policies and procedures that support regulations, requirements, and the organization's own policies? A. Corrective B. Logical C. Compensating D. Administrative

D. Administrative access controls are procedures and the policies from which they derive. They are based on regulations, requirements, and the organization's own policies. Corrective access controls return an environment to its original status after an issue, while logical controls are technical access controls that rely on hardware or software to protect systems and data. Compensating controls are used in addition to or as an alternative to other controls.

94. Which data role is tasked with granting appropriate access to staff members? A. Data processors B. Business owners C. Custodians D. Administrators

D. Administrators have the rights to assign permissions to access and handle data. Custodians are trusted to handle day-to-day data handling tasks. Business owners are typically system or project owners, and data processors are systems used to process data.

59. Reggie recently received a letter from his company's internal auditors scheduling the kickoff meeting for an assessment of his group. Which of the following should Reggie not expect to learn during that meeting? A. Scope of the audit B. Purpose of the audit C. Expected timeframe D. Expected findings

D. An audit kickoff meeting should clearly describe the scope and purpose of the audit as well as the expected timeframe. Auditors should never approach an audit with any expectations about what they will discover because the findings should only be developed based upon the results of audit examinations.

73. Which of the following events would constitute a security incident? 1. An attempted network intrusion 2. A successful database intrusion 3. A malware infection 4. A violation of a confidentiality policy 5. An unsuccessful attempt to remove information from a secured area A. 2, 3, and 4 B. 1, 2, and 3 C. 4 and 5 D. All of the above

D. Any attempt to undermine the security of an organization or violation of a security policy is a security incident. Each of the events described meets this definition and should be treated as an incident.

40. SMTP, HTTP, and SNMP all occur at what layer of the OSI model? A. Layer 4 B. Layer 5 C. Layer 6 D. Layer 7

D. Application-specific protocols are handled at layer 7, the Application layer of the OSI model.

10. What concept describes the degree of confidence that an organization has that its controls satisfy security requirements? A. Trust B. Credentialing C. Verification D. Assurance

D. Assurance is the degree of confidence that an organization has that its security controls are correctly implemented. It must be continually monitored and re-verified.

30. When an application or system allows a logged-in user to perform specific actions, it is an example of what? A. Roles B. Group management C. Logins D. Authorization

D. Authorization provides a user with capabilities or rights. Roles and group management are both methods that could be used to match users with rights. Logins are used to validate a user.

24. Saria's team is working to persuade their management that their network has extensive vulnerabilities that attackers could exploit. If she wants to conduct a realistic attack as part of a penetration test, what type of penetration test should she conduct? A. Crystal box B. Gray box C. White box D. Black box

D. Black box testing is the most realistic type of penetration test because it does not provide the penetration tester with inside information about the configuration or design of systems, software, or networks. A gray box test provides some information, whereas a white or crystal box test provides significant or full detail.

46. What does a blue-snarfing attack target? A. Data on IBM systems B. An outbound phone call via Bluetooth C. 802.11b networks D. Data from a Bluetooth-enabled device

D. Bluesnarfing targets the data or information on Bluetooth-enabled devices. Bluejacking occurs when attackers send unsolicited messages via Bluetooth.

36. During a penetration test, Lauren is asked to test the organization's Bluetooth security. Which of the following is not a concern she should explain to her employers? A. Bluetooth scanning can be time consuming. B. Many devices that may be scanned are likely to be personal devices. C. Bluetooth passive scans may require multiple visits at different times to identify all targets. D. Bluetooth active scans can't evaluate the security mode of Bluetooth devices.

D. Bluetooth active scans can determine both the strength of the PIN and what security mode the device is operating in. Unfortunately, Bluetooth scans can be challenging due to the limited range of Bluetooth and the prevalence of personally owned Bluetooth-enabled devices. Passive Bluetooth scanning only detects active connections and typically requires multiple visits to have a chance of identifying all devices.

31. Which of the following organizations would be likely to have a representative on a CSIRT? I. Information security II. Legal counsel III. Senior management IV. Engineering A. I, III, and IV B. I, II, and III C. I, II, and IV D. All of the above

D. CSIRT representation normally includes at least representatives of senior management, information security professionals, legal representatives, public affairs staff, and engineering/technical staff.

32. What is the primary purpose of data classification? A. It quantifies the cost of a data breach. B. It prioritizes IT expenditures. C. It allows compliance with breach notification laws. D. It identifies the value of the data to the organization.

D. Classification identifies the value of data to an organization. This can often help drive IT expenditure prioritization and could help with rough cost estimates if a breach occurred, but that's not the primary purpose. Finally, most breach laws call out specific data types for notification rather than requiring organizations to classify data themselves.

7. Staff in an IT department who are delegated responsibility for day-to-day tasks hold what data role? A. Business owner B. User C. Data processor D. Custodian

D. Custodians are delegated the role of handling day-to-day tasks by managing and overseeing how data is handled, stored, and protected. Data processors are systems used to process data. Business owners are typically project or system owners who are tasked with making sure systems provide value to their users or customers.

93. Which one of the following humidity values is within the acceptable range for a data center operation? A. 0% B. 10% C. 25% D. 40%

D. Data center humidity should be maintained between 40% and 60%. Values below this range increase the risk of static electricity, while values above this range may generate moisture that damages equipment.

54. What methods are often used to protect data in transit? A. Telnet, ISDN, UDP B. Encrypted storage media C. AES, Serpent, IDEA D. TLS, VPN, IPsec

D. Data in transit is data that is traversing a network or is otherwise in motion. TLS, VPNs, and IPsec tunnels are all techniques used to protect data in transit. AES, Serpent, and IDEA are all symmetric algorithms, while Telnet, ISDN, and UDP are all protocols. Encrypting your storage media before it is transported is a good practice, but transporting media isn't the type of transit that is meant by the phrase.

73. Incineration, crushing, shredding, and disintegration all describe what stage in the life cycle of media? A. Sanitization B. Degaussing C. Purging D. Destruction

D. Destruction is the final stage in the life cycle of media and can be done via disintegration, incineration, or a variety of other methods that result in the media and data being non-recoverable. Sanitization is a combination of processes used when data is being removed from a system or media. Purging is an intense form of clearing, and degaussing uses strong magnetic fields to wipe data from magnetic media.

94. What open protocol was designed to replace RADIUS—including support for additional commands and protocols, replacing UDP traffic with TCP, and providing for extensible commands—but does not preserve backward compatibility with RADIUS? A. TACACS B. RADIUS-NG C. Kerberos D. Diameter

D. Diameter was designed to provide enhanced, modern features to replace RADIUS. Diameter provides better reliability and a broad range of improved functionality. RADIUS-NG does not exist, Kerberos is not a direct competitor for RADIUS, and TACACS is not an open protocol.

39. Jim's audit of a large organization's traditional PBX showed that Direct Inward System Access (DISA) was being abused by third parties. What issue is most likely to lead to this problem? A. The PBX was not fully patched. B. The dial-in modem lines use unpublished numbers. C. DISA is set up to only allow local calls. D. One or more users' access codes have been compromised.

D. Direct Inward System Access uses access codes assigned to users to add a control layer for external access and control of the PBX. If the codes are compromised, attackers can make calls through the PBX or even control it. Not updating a PBX can lead to a range of issues, but this question is looking for a DISA issue. Allowing only local calls and using unpublished numbers are both security controls and might help keep the PBX more secure.

16. Susan is deploying a routing protocol that maintains a list of destination networks with metrics that include the distance in hops to them and the direction traffic should be sent to them. What type of protocol is she using? A. A link-state protocol B. A link-distance protocol C. A destination metric protocol D. A distance-vector protocol

D. Distance-vector protocols use metrics including the direction and distance in hops to remote networks to make decisions. A link-state routing protocol considers the shortest distance to a remote network. Destination metric and link-distance protocols don't exist.

37. Dogs, guards, and fences are all common examples of what type of control? A. Detective B. Recovery C. Administrative D. Physical

D. Dogs, guards, and fences are all examples of physical controls. While dogs and guards might detect a problem, fences cannot, so they are not all examples of detective controls. None of these controls would help repair or restore functionality after an issue, and thus none are recovery controls, nor are they administrative controls that involve policy or procedures, although the guards might refer to them when performing their duties.

83. The _________ of a process consist(s) of the limits set on the memory addresses and resources that the process may access. A. Perimeter B. Confinement limits C. Metes D. Bounds

D. Each process that runs on a system is assigned certain physical or logical bounds for resource access, such as memory.

74. Which one of the following traffic types should not be blocked by an organization's egress filtering policy? A. Traffic destined to a private IP address B. Traffic with a broadcast destination C. Traffic with a source address from an external network D. Traffic with a destination address on an external network

D. Egress filtering scans outbound traffic for potential security policy violations. This includes traffic with a private IP address as the destination, traffic with a broadcast address as the destination, and traffic that has a falsified source address not belonging to the organization.

48. Joe works at a major pharmaceutical research and development company and has been tasked with writing his organization's data retention policy. As part of its legal requirements, the organization must comply with the US Food and Drug Administration's Code of Federal Regulations Title 21. To do so, it is required to retain records with electronic signatures. Why would a signature be part of a retention requirement? A. It ensures that someone has reviewed the data. B. It provides confidentiality. C. It ensures that the data has not been changed. D. It validates who approved the data.

D. Electronic signatures, as used in this rule, prove that the signature was provided by the intended signer. Electronic signatures as part of the FDA code are intended to ensure that electronic records are "trustworthy, reliable, and generally equivalent to paper records and handwritten signatures executed on paper." Signatures cannot provide confidentiality or integrity, and they don't ensure that someone has reviewed the data.

35. What term is used to describe the default set of privileges assigned to a user when a new account is created? A. Aggregation B. Transitivity C. Baseline D. Entitlement

D. Entitlement refers to the privileges granted to users when an account is first provisioned.

66. What are the two components of an expert system? A. Decision support system and neural network B. Inference engine and neural network C. Neural network and knowledge bank D. Knowledge bank and inference engine

D. Expert systems have two components: a knowledge bank that contains the collected wisdom of human experts and an inference engine that allows the expert systems to draw conclusions about new situations based on the information contained within the knowledge bank.

66. What is the minimum fence height that makes a fence difficult to climb easily, deterring most intruders? A. 3 feet B. 4 feet C. 5 feet D. 6 feet

D. Fences designed to deter more than the casual intruder should be at least 6 feet high. If a physical security system is designed to deter even determined intruders, it should be at least 8 feet high and topped with three strands of barbed wire.

48. What network topology is shown below (4 workstations all connected to each other)? A. A ring B. A bus C. A star D. A mesh

D. Fully connected mesh networks provide each system with a direct physical link to every other system in the mesh. This is very expensive but can provide performance advantages for specific types of computational work.

Gary was recently hired as the first chief information security officer (CISO) for a local government agency. The agency recently suffered a security breach and is attempting to build a new information security program. Gary would like to apply some best practices for security operations as he is designing this program. 14. Gary is preparing to develop controls around access to root encryption keys and would like to apply a principle of security designed specifically for very sensitive operations. Which principle should he apply? A. Least privilege B. Defense in depth C. Security through obscurity D. Two-person control

D. Gary should follow the principle of two-person control by requiring simultaneous action by two separate authorized individuals to gain access to the encryption keys. He should also apply the principles of least privilege and defense in depth, but these principles apply to all operations and are not specific to sensitive operations. Gary should avoid the security through obscurity principle, the reliance upon the secrecy of security mechanisms to provide security for a system or process.

85. Which one of the following fire suppression systems uses a suppressant that is no longer manufactured due to environmental concerns? A. FM-200 B. Argon C. Inergen D. Halon

D. Halon fire suppression systems use a chlorofluorocarbon (CFC) suppressant material that was banned in the Montreal Protocol because it depletes the ozone layer.

16. Which one of the following terms is often used to describe a collection of unrelated patches released in a large collection? A. Hotfix B. Update C. Security fix D. Service pack

D. Hotfixes, updates, and security fixes are all synonyms for single patches designed to correct a single problem. Service packs are collections of many different updates that serve as a major update to an operating system or application.

97. Under what type of software license does the recipient of software have an unlimited right to copy, modify, distribute, or resell a software package? A. GNU Public License B. Freeware C. Open source D. Public domain

D. If software is released into the public domain, anyone may use it for any purpose, without restriction. All other license types contain at least some level of restriction.

23. Mark is considering replacing his organization's customer relationship management (CRM) solution with a new product that is available in the cloud. This new solution is completely managed by the vendor and Mark's company will not have to write any code or manage any physical resources. What type of cloud solution is Mark considering? A. IaaS B. CaaS C. PaaS D. SaaS

D. In a Software as a Service solution, the vendor manages both the physical infrastructure and the complete application stack, providing the customer with access to a fully managed application.

50. In an Infrastructure as a Service (IaaS) environment where a vendor supplies a customer with access to storage services, who is normally responsible for removing sensitive data from drives that are taken out of service? A. Customer's security team B. Customer's storage team C. Customer's vendor management team D. Vendor

D. In an Infrastructure as a Service environment, security duties follow a shared responsibility model. Since the vendor is responsible for managing the storage hardware, the vendor would retain responsibility for destroying or wiping drives as they are taken out of service. However, it is still the customer's responsibility to validate that the vendor's sanitization procedures meet their requirements prior to utilizing the vendor's storage services.

97. A zero-day vulnerability is announced for the popular Apache web server in the middle of a workday. In Jacob's role as an information security analyst, he needs to quickly scan his network to determine what servers are vulnerable to the issue. What is Jacob's best route to quickly identify vulnerable systems? A. Immediately run Nessus against all of the servers to identify which systems are vulnerable. B. Review the CVE database to find the vulnerability information and patch information. C. Create a custom IDS or IPS signature. D. Identify affected versions and check systems for that version number using an automated scanner.

D. In many cases when an exploit is initially reported, there are no prebuilt signatures or detections for vulnerability scanners, and the CVE database may not have information about the attack immediately. Jacob's best option is to quickly gather information and review potentially vulnerable servers based on their current configuration. As more information becomes available, signatures and CVE information are likely to be published. Unfortunately for Jacob, IDS and IPS signatures will only detect attacks, and won't detect whether systems are vulnerable unless he sees the systems being exploited.

42. Which one of the following programming languages does not make use of a compiler? A. Java B. C++ C. C D. JavaScript

D. JavaScript is an interpreted language that does not make use of a compiler to transform code into an executable state. Java, C, and C++ are all compiled languages.

62. Which of the following is a ticket-based authentication protocol designed to provide secure communication? A. RADIUS B. OAuth C. SAML D. Kerberos

D. Kerberos is an authentication protocol that uses tickets, and provides secure communications between the client, key distribution center (KDC), ticket-granting service (TGS), authentication server (AS), and endpoint services. RADIUS does not provide the same level of security by default, SAML is a markup language, and OAuth is designed to allow third-party websites to rely on credentials from other sites like Google or Microsoft.

96. Susan is troubleshooting Kerberos authentication problems with symptoms including TGTs that are not accepted as valid and an inability to receive new tickets. If the system she is troubleshooting is properly configured for Kerberos authentication, her username and password are correct, and her network connection is functioning, what is the most likely issue? A. The Kerberos server is offline. B. There is a protocol mismatch. C. The client's TGTs have been marked as compromised and de-authorized. D. The Kerberos server and the local client's time clocks are not synchronized.

D. Kerberos relies on properly synchronized time on each end of a connection to function. If the local system time is more than 5 minutes out of sync, otherwise valid TGTs will be invalid and the system won't receive any new tickets.

11. Kathleen needs to set up an Active Directory trust to allow authentication with an existing Kerberos K5 domain. What type of trust does she need to create? A. A shortcut trust B. A forest trust C. An external trust D. A realm trust

D. Kerberos uses realms, and the proper type of trust to set up for an Active Directory environment that needs to connect to a K5 domain is a realm trust. A shortcut trust is a transitive trust between parts of a domain tree or forest that shortens the trust path, a forest trust is a transitive trust between two forest root domains, and an external trust is a non-transitive trust between AD domains in separate forests.

13. Which of the following is not a single sign-on implementation? A. Kerberos B. ADFS C. CAS D. RADIUS

D. Kerberos, Active Directory Federation Services (ADFS), and Central Authentication Services (CAS) are all SSO implementations. RADIUS is not a single sign-on implementation, although some vendors use it behind the scenes to provide authentication for proprietary SSO.

38. Richard is experiencing issues with the quality of network service on his organization's network. The primary symptom is that packets are consistently taking too long to travel from their source to their destination. What term describes the issue Richard is facing? A. Jitter B. Packet loss C. Interference D. Latency

D. Latency is a delay in the delivery of packets from their source to their destination. Jitter is a variation in the latency for different packets. Packet loss is the disappearance of packets in transit that requires retransmission. Interference is electrical noise or other disruptions that corrupt the contents of packets.

99. During a forensic investigation, Charles is able to determine the Media Access Control address of a system that was connected to a compromised network. Charles knows that MAC addresses are tied back to a manufacturer or vendor and are part of the fingerprint of the system. To which OSI layer does a MAC address belong? A. The Application layer B. The Session layer C. The Physical layer D. The Data Link layer

D. MAC addresses and their organizationally unique identifiers are used at the Data Link layer to identify systems on a network. The Application and Session layers don't care about physical addresses, while the Physical layer involves electrical connectivity and handling physical interfaces rather than addressing.

45. James is working with a Department of Defense system that is authorized to simultaneously handle information classified at the Secret and Top Secret levels. What type of system is he using? A. Single state B. Unclassified C. Compartmented D. Multistate

D. Multistate systems are certified to handle data from different security classifications simultaneously by implementing protection mechanisms that segregate data appropriately.

72. Which one of the following computing models allows the execution of multiple concurrent tasks within a single process? A. Multitasking B. Multiprocessing C. Multiprogramming D. Multithreading

D. Multithreading permits multiple tasks to execute concurrently within a single process. These tasks are known as threads and may be alternated between without switching processes.

2. Which of the following is a method used to design new software tests and to ensure the quality of tests? A. Code auditing B. Static code analysis C. Regression testing D. Mutation testing

D. Mutation testing modifies a program in small ways, and then tests that mutant to determine if it behaves as it should or if it fails. This technique is used to design and test software tests through mutation. Static code analysis and regression testing are both means of testing code, whereas code auditing is an analysis of source code rather than a means of designing and testing software tests.

16. Alex's job requires him to see personal health information (PHI) to ensure proper treatment of patients. His access to their medical records does not provide access to patient addresses or billing information. What access control concept best describes this control? A. Separation of duties B. Constrained interfaces C. Context-dependent control D. Need to know

D. Need to know is applied when subjects like Alex have access to only the data they need to accomplish their job. Separation of duties is used to limit fraud and abuse by having multiple employees perform parts of a task. Constrained interfaces restrict what a user can see or do and would be a reasonable answer if need to know did not describe his access more completely in this scenario. Context-dependent control relies on the activity being performed to apply controls, and this question does not specify a workflow or process.

70. During a review of her organization's network, Angela discovered that it was suffering from broadcast storms and that contractors, guests, and organizational administrative staff were on the same network segment. What design change should Angela recommend? A. Require encryption for all users. B. Install a firewall at the network border. C. Enable spanning tree loop detection. D. Segment the network based on functional requirements.

D. Network segmentation can reduce issues with performance as well as diminish the chance of broadcast storms by limiting the number of systems in a segment. This decreases broadcast traffic visible to each system and can reduce congestion. Segmentation can also help provide security by separating functional groups who don't need to be able to access each other's systems. Installing a firewall at the border would only help with inbound and outbound traffic, not cross-network traffic. Spanning tree loop prevention helps prevent loops in Ethernet networks (for example, when you plug a switch into a switch via two ports on each), but it won't solve broadcast storms that aren't caused by a loop or security issues. Encryption might help prevent some problems between functional groups, but it won't stop them from scanning other systems, and it definitely won't stop a broadcast storm!

69. During a port scan of his network, Alex finds that a number of hosts respond on TCP ports 80, 443, 515, and 9100 in offices throughout his organization. What type of devices is Alex likely discovering? A. Web servers B. File servers C. Wireless access points D. Printers

D. Network-enabled printers often provide services via TCP 515 and 9100, and have both nonsecure and secure web-enabled management interfaces on TCP 80 and 443. Web servers, access points, and file servers would not typically provide service on the LPR and LPD ports (515 and 9100).

94. Nmap is an example of what type of tool? A. Vulnerability scanner B. Web application fuzzer C. Network design and layout D. Port scanner

D. Nmap is a very popular open source port scanner. Nmap is not a vulnerability scanner, nor is it a web application fuzzer. While port scanners can be used to partially map a network, and its name stands for Network Mapper, it is not a network design tool.

During a port scan, Ben uses nmap's default settings and sees the following results.

Nmap scan report for 192.168.184.130
Host is up (1.0s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
3306/tcp open  mysql
5432/tcp open  postgresql
5900/tcp open  vnc
6000/tcp open  X11
6667/tcp open  irc
8009/tcp open  ajp13
8081/tcp open  unknown

87. Ben's manager expresses concern about the coverage of his scan. Why might his manager have this concern? A. Ben did not test UDP services. B. Ben did not discover ports outside the "well-known ports." C. Ben did not perform OS fingerprinting. D. Ben tested only a limited number of ports.

D. Nmap only scans 1000 TCP and UDP ports by default, including ports outside of the 0-1024 range of "well-known" ports. By using the defaults for nmap, Ben missed 64,535 ports. OS fingerprinting won't cover more ports but would have provided a best guess of the OS running on the scanned system.

38. Which of the tools cannot identify a target's operating system for a penetration tester? A. Nmap B. Nessus C. Nikto D. sqlmap

D. Nmap, Nessus, and Nikto all have OS fingerprinting or other operating system identification capabilities. sqlmap is designed to perform automated detection and testing of SQL injection flaws, and does not provide OS detection.

66. What step should occur after a vulnerability scan finds a critical vulnerability on a system? A. Patching B. Reporting C. Remediation D. Validation

D. Once a vulnerability scanner identifies a potential problem, validation is necessary to verify that the issue exists. Reporting, patching, or other remediation actions can be conducted once the vulnerability has been confirmed.

56. Chris has been asked to choose between implementing PEAP and LEAP for wireless authentication. What should he choose, and why? A. LEAP, because it fixes problems with TKIP, resulting in stronger security B. PEAP, because it implements CCMP for security C. LEAP, because it implements EAP-TLS for end-to-end session encryption D. PEAP, because it can provide a TLS tunnel that encapsulates EAP methods, protecting the entire session

D. PEAP provides encryption for EAP methods and can provide authentication. It does not implement CCMP, which was included in the WPA2 standard. LEAP is dangerously insecure and should not be used due to attack tools that have been available since the early 2000s.

8. Susan works for an American company that conducts business with customers in the European Union. What is she likely to have to do if she is responsible for handling PII from those customers? A. Encrypt the data at all times. B. Label and classify the data according to HIPAA. C. Conduct yearly assessments to the EU DPD baseline. D. Comply with the US-EU Safe Harbor requirements.

D. Safe Harbor compliance helps US companies meet the EU Data Protection Directive. Yearly assessments may be useful, but they aren't required. HIPAA is a US law that applies specifically to healthcare and related organizations, and encrypting all data all the time is impossible (at least if you want to use the data!).

Chris is the identity architect for a growing e-commerce website that wants to leverage social identity. To do this, he and his team intend to allow users to use their existing Google accounts as their primary accounts when using the e-commerce site. This means that when a new user initially connects to the e-commerce platform, they are given the choice between using their Google+ account using OAuth 2.0, or creating a new account on the platform using their own email address and a password of their choice. Using this information and the following diagram of an example authentication flow (***) 66. When the e-commerce application creates an account for a Google+ user, where should that user's password be stored? A. The password is stored in the e-commerce application's database. B. The password is stored in memory on the e-commerce application's server. C. The password is stored in Google's account management system. D. The password is never stored; instead, a salted hash is stored in Google's account management system.

D. Passwords are never stored for web applications in a well-designed environment. Instead, salted hashes are stored and compared to passwords after they are salted and hashed. If the hashes match, the user is authenticated.

51. What primary issue does personnel retention deal with? A. Employees quitting B. Employees not moving on to new positions C. Knowledge gained after employment D. Knowledge gained during employment

D. Personnel retention deals with the knowledge that employees gain while employed. Issues related to the knowledge they may leave with and share are often handled with non-disclosure agreements. Knowledge gained after employment, as well as how soon (or how late) employees leave the organization, is not central to this issue.

41. Lauren uses the ping utility to check whether a remote system is up as part of a penetration testing exercise. If she wants to filter ping out by protocol, what protocol should she filter out from her packet sniffer's logs? A. UDP B. TCP C. IP D. ICMP

D. Ping uses ICMP, the Internet Control Message Protocol, to determine whether a system responds and how many hops there are between the originating system and the remote system. Lauren simply needs to filter out ICMP to not see her pings.

NIST Special Publication 800-115, the Technical Guide to Information Security Testing and Assessment, provides NIST's process for penetration testing. Using this image as well as your knowledge of penetration testing, (Planning, Information gathering & discovery, Vulnerability scanning, Exploitation, Reporting) answer the following question. 98. Which of the following is not a part of the discovery phase? A. Hostname and IP address information gathering B. Service information capture C. Dumpster diving D. Privilege escalation

D. Privilege escalation occurs during the attack phase of a penetration test. Host and service information gathering, as well as activities like dumpster diving that can provide information about the organization, its systems, and security, are all part of the discovery phase.

15. When should an organization conduct a review of the privileged access that a user has to sensitive systems? A. On a periodic basis B. When a user leaves the organization C. When a user changes roles D. All of the above

D. Privileged access reviews are one of the most critical components of an organization's security program because they ensure that only authorized users have access to perform the most sensitive operations. They should take place whenever a user with privileged access leaves the organization or changes roles as well as on a regular, recurring basis.

5. What type of evidence consists entirely of tangible items that may be brought into a court of law? A. Documentary evidence B. Parol evidence C. Testimonial evidence D. Real evidence

D. Real evidence consists of things that may actually be brought into a courtroom as evidence. For example, real evidence includes hard disks, weapons, and items containing fingerprints. Documentary evidence consists of written items that may or may not be in tangible form. Testimonial evidence is verbal testimony given by witnesses with relevant information. The parol evidence rule says that when an agreement is put into written form, the written document is assumed to contain all the terms of the agreement.

91. Retaining and maintaining information for as long as it is needed is known as what? A. Data storage policy B. Data storage C. Asset maintenance D. Record retention

D. Record retention is the process of retaining and maintaining information for as long as it is needed. A data storage policy describes how and why data is stored, while data storage is the process of actually keeping the data. Asset maintenance is a non-information-security-related process for maintaining physical assets.

37. What term describes software testing that is intended to uncover new bugs introduced by patches or configuration changes? A. Non-regression testing B. Evolution testing C. Smoke testing D. Regression testing

D. Regression testing, which is a type of functional or unit testing, tests to ensure that changes have not introduced new issues. Non-regression testing checks to see if a change has had the effect it was supposed to, smoke testing focuses on simple problems with impact on critical functionality, and evolution testing is not a software testing technique.

Chris is designing layered network security for his organization. Using the diagram below 14. If the VPN grants remote users the same access to network and system resources as local workstations have, what security issue should Chris raise? A. VPN users will not be able to access the web server. B. There is no additional security issue; the VPN concentrator's logical network location matches the logical network location of the workstations. C. VPN bypasses the firewall, creating additional risks. D. VPN users should only connect from managed PCs.

D. Remote PCs that connect to a protected network need to comply with security settings and standards that match those required for the internal network. The VPN concentrator logically places remote users in the protected zone behind the firewall, but that means that user workstations (and users) must be trusted in the same way that local workstations are.

92. What international framework was SSAE-16 based on? A. ISO27001 B. SAS70 C. SOX D. ISAE 3402

D. SSAE-16 is based on ISAE 3402, the International Standard on Assurance Engagements. It differs in a number of ways, including how it handles purposeful acts by service organization personnel as well as anomalies, but the two share many elements. SAS-70 has been replaced by SSAE-16, whereas ISO27001 is a formal specification for an information security management system (ISMS). SOX is the Sarbanes-Oxley Act, a U.S. law that impacts accounting and investor protection.

36. Safe Harbor is part of a US program to meet what European Union law? A. The EU CyberSafe Act B. The Network and Information Security (NIS) directives C. The General Data Protection Regulation (GDPR) D. The EU Data Protection Directive

D. Safe Harbor is a framework intended to bridge the different privacy protection laws between the United States and the European Union and is run by the US Department of Commerce. At the time of this writing, Safe Harbor had been declared "invalid" by the European Court of Justice, although the US Department of Commerce has stated that it will continue the Safe Harbor program. Both the GDPR and NIS are pending EU regulations, and there is no EU CyberSafe Act.

79. What term describes the process of reviewing baseline security controls and selecting only the controls that are appropriate for the IT system you are trying to protect? A. Standard creation B. CIS benchmarking C. Baselining D. Scoping

D. Scoping is performed when you match baseline controls to the IT system you're working to secure. Creation of standards is part of the configuration process and may involve the use of baselines. Baselining can mean the process of creating a security baseline or configuring systems to meet the baseline. CIS, the Center for Internet Security, provides a variety of security baselines.

49. What protocol is preferred over Telnet for remote server administration via the command line? A. SCP B. SFTP C. WDS D. SSH

D. Secure Shell (SSH) is an encrypted protocol for remote login and command-line access. SCP and SFTP are both secure file transfer protocols, while WDS is the acronym for Windows Deployment Services, which provides remote installation capabilities for Windows operating systems.

Ben's organization has begun to use STRIDE to assess their software, and has identified threat agents and the business impacts that these threats could have. Now they are working to identify appropriate controls for the issues they have identified. Use the STRIDE model to answer the following question. 80. Ben's team is attempting to categorize a transaction identification issue that is caused by use of a symmetric key shared by multiple servers. What STRIDE category should this fall into? A. Information disclosure B. Denial of service C. Tampering D. Repudiation

D. Since a shared symmetric key could be used by any of the servers, transaction identification problems caused by a shared key are likely to involve a repudiation issue. If encrypted transactions cannot be uniquely identified by server, they cannot be proved to have come from a specific server.

9. Under what virtualization model does the virtualization platform separate the network control plane from the data plane and replace complex network devices with simpler devices that simply receive instructions from the controller? A. Virtual machines B. VSAN C. VLAN D. SDN

D. Software-defined networking separates the control plane from the data plane. Network devices then do not contain complex logic themselves but receive instructions from the SDN.

12. What issue is common to spare sectors and bad sectors on hard drives as well as overprovisioned space on modern SSDs? A. They can be used to hide data. B. They can only be degaussed. C. They are not addressable, resulting in data remanence. D. They may not be cleared, resulting in data remanence.

D. Spare sectors, bad sectors, and space provided for wear leveling on SSDs (over-provisioned space) may all contain data that was written to the space that will not be cleared when the drive is wiped. Most wiping utilities only deal with currently addressable space on the drive. SSDs cannot be degaussed, and wear-leveling space cannot be reliably used to hide data. These spaces are still addressable by the drive, although they may not be seen by the operating system.

73. Susan needs to ensure that the interactions between the components of her ecommerce application are all handled properly. She intends to verify communications, error handling, and session management capabilities throughout her infrastructure. What type of testing is she planning to conduct? A. Misuse case testing B. Fuzzing C. Regression testing D. Interface testing

D. Susan is conducting interface testing. Interface testing involves testing system or application components to ensure that they work properly together. Misuse case testing focuses on how an attacker might misuse the application and would not test normal cases. Fuzzing attempts to send unexpected input and might be involved in interface testing, but it won't cover the full set of concerns. Regression testing is conducted when testing changes and is used to ensure that the application or system functions as it did before the update or change.

35. In the figure shown below (***), Sally is blocked from writing to the data file by the Biba integrity model. Sally has a Secret security clearance and the file is classified Top Secret. What principle is preventing her from writing to the file? A. Simple Security Property B. Simple Integrity Property C. *-Security Property D. *-Integrity Property

D. The *-Integrity Property states that a subject cannot modify an object at a higher security level than that possessed by the subject.

86. Which one of the following statements is correct about the Biba model of access control? A. It addresses confidentiality and integrity. B. It addresses integrity and availability. C. It prevents covert channel attacks. D. It focuses on protecting objects from external threats.

D. The Biba model focuses only on protecting integrity and does not provide protection against confidentiality or availability threats. It also does not provide protection against covert channel attacks. The Biba model focuses on external threats and assumes that internal threats are addressed programmatically.

1. Matthew is the security administrator for a consulting firm and must enforce access controls that restrict users' access based upon their previous activity. For example, once a consultant accesses data belonging to Acme Cola, a consulting client, they may no longer access data belonging to any of Acme's competitors. What security model best fits Matthew's needs? A. Clark-Wilson B. Biba C. Bell-LaPadula D. Brewer-Nash

D. The Brewer-Nash model allows access controls to change dynamically based upon a user's actions. It is often used in environments like Matthew's to implement a "Chinese wall" between data belonging to different clients.

5. Sarah is manually reviewing a packet capture of TCP traffic and finds that a system is setting the RST flag in the TCP packets it sends repeatedly during a short period of time. What does this flag mean in the TCP packet header? A. RST flags mean "Rest." The server needs traffic to briefly pause. B. RST flags mean "Relay-set." The packets will be forwarded to the address set in the packet. C. RST flags mean "Resume Standard." Communications will resume in their normal format. D. RST means "Reset." The TCP session will be disconnected.

D. The RST flag is used to reset or disconnect a session. It can be resumed by restarting the connection via a new three-way handshake.

The Center for Internet Security (CIS) works with subject matter experts from a variety of industries to create lists of security controls for operating systems, mobile devices, server software, and network devices. Your organization has decided to use the CIS benchmarks for your systems. Answer the following questions based on this decision. 23. The CIS benchmarks are an example of what practice? A. Conducting a risk assessment B. Implementing data labeling C. Proper system ownership D. Using security baselines

D. The CIS benchmarks are an example of a security baseline. A risk assessment would help identify which controls were needed, and proper system ownership is an important part of making sure baselines are implemented and maintained. Data labeling can help ensure that controls are applied to the right systems and data.

8. What type of attack can be prevented by using a trusted path? A. Dictionary attacks B. Brute force attacks C. Man-in-the-middle attacks D. Login spoofing

D. The Common Criteria defines trusted paths as a way to protect data between users and a security component. This includes attacks like replacing login windows for systems and is the reason Windows uses Ctrl+Alt+Del as a login sequence. Man-in-the-middle attacks can be prevented by using a trusted channel, which is often implemented with encryption and certificates. Brute force and dictionary attacks are often discouraged by using a back-off algorithm to slow down or prevent attacks.

68. Danielle wants to compare vulnerabilities she has discovered in her data center based on how exploitable they are, if exploit code exists, as well as how hard they are to remediate. What scoring system should she use to compare vulnerability metrics like these? A. CSV B. NVD C. VSS D. CVSS

D. The Common Vulnerability Scoring System (CVSS) includes metrics and calculation tools for exploitability, impact, how mature exploit code is, and how vulnerabilities can be remediated, as well as a means to score vulnerabilities against users' unique requirements. NVD is the National Vulnerability Database, CSV is short for Comma-Separated Values, and VSS is a made-up term.

24. Which one of the following information sources is useful to security administrators seeking a list of information security vulnerabilities in applications, devices, and operating systems? A. OWASP B. Bugtraq C. Microsoft Security Bulletins D. CVE

D. The Common Vulnerabilities and Exposures (CVE) dictionary contains standardized information on many different security issues. The Open Web Application Security Project (OWASP) contains general guidance on web application security issues but does not track specific vulnerabilities or go beyond web applications. The Bugtraq mailing list and Microsoft Security Bulletins are good sources of vulnerability information but are not comprehensive databases of known issues.

81. What type of address is 127.0.0.1? A. A public IP address B. An RFC 1918 address C. An APIPA address D. A loopback address

D. The IP address 127.0.0.1 is a loopback address and will resolve to the local machine. Public addresses are non-RFC 1918, non-reserved addresses. RFC 1918 addresses are reserved and include ranges like 10.x.x.x. An APIPA address is a self-assigned address used when a DHCP server cannot be found.

17. Jim has been contracted to conduct a gray box penetration test, and his clients have provided him with the following information about their networks so that he can scan them. Data center: 10.10.10.0/24 Sales: 10.10.11.0/24 Billing: 10.10.12.0/24 Wireless: 192.168.0.0/16 What problem will Jim encounter if he is contracted to conduct a scan from offsite? A. The IP ranges are too large to scan efficiently. B. The IP addresses provided cannot be scanned. C. The IP ranges overlap and will cause scanning issues. D. The IP addresses provided are RFC 1918 addresses.

D. The IP addresses that his clients have provided are RFC 1918 non-routable IP addresses, and Jim will not be able to scan them from offsite. To succeed in his penetration test, he will either have to first penetrate their network border or place a machine inside their network to scan from the inside. IP addresses overlapping is not a real concern for scanning, and the ranges can easily be handled by current scanning systems.

93. When Alex sets the permissions shown:
$ chmod 731 alex.txt
$ ls -la
total 12
drwxr-xr-x 2 alex root 4096 Feb 27 19:26 .
drwxr-xr-x 3 root root 4096 Feb 27 19:25 ..
-rwx-wx--x 1 alex alex 15 Feb 27 19:26 alex.txt
as one of many users on a Linux server, what type of access control model is he leveraging? A. Role-based access control B. Rule-based access control C. Mandatory access control D. Discretionary access control

D. The Linux filesystem allows the owners of objects to determine the access rights that subjects have to them. This means that it is a discretionary access control. If the system enforced a role-based access control, Alex wouldn't set the controls; they would be set based on the roles assigned to each subject. A rule-based access control system would apply rules throughout the system, and a mandatory access control system uses classification labels.

53. Ben is following the NIST Special Publication 800-88 guidelines for sanitization and disposition as shown in the following diagram (FLOWCHART). He is handling information that his organization classified as sensitive, which is a moderate security categorization in the NIST model. If the media is going to be sold as surplus, what process does Ben need to follow? A. Destroy, validate, document B. Clear, purge, document C. Purge, document, validate D. Purge, validate, document

D. The NIST SP 800-88 process for sanitization and disposition shows that media that will be reused and was classified at a moderate level should be purged and then that purge should be validated. Finally, it should be documented.

86. Which list presents the layers of the OSI model in the correct order? A. Presentation, Application, Session, Transport, Network, Data Link, Physical B. Application, Presentation, Session, Network, Transport, Data Link, Physical C. Presentation, Application, Session, Transport, Data Link, Network, Physical D. Application, Presentation, Session, Transport, Network, Data Link, Physical

D. The OSI layers in order are Application, Presentation, Session, Transport, Network, Data Link, and Physical.

88. Modern dial-up connections use what dial-up protocol? A. SLIP B. SLAP C. PPTP D. PPP

D. The Point-to-Point Protocol (PPP) is used for dial-up connections for modems, ISDN, Frame Relay, and other technologies. It replaced SLIP in almost all cases. PPTP is the Point-to-Point Tunneling Protocol used for VPNs, and SLAP is not a protocol at all!

59. Gordon is concerned about the possibility that hackers may be able to use the Van Eck radiation phenomenon to remotely read the contents of computer monitors in his facility. What technology would protect against this type of attack? A. TCSEC B. SCSI C. GHOST D. TEMPEST

D. The TEMPEST program creates technology that is not susceptible to Van Eck phreaking attacks because it reduces or suppresses natural electromagnetic emanations.

62. Major Hunter, a member of the US armed forces, has been entrusted with information that, if exposed, could cause serious damage to national security. Under US government classification standards, how should this data be classified? A. Unclassified B. Top Secret C. Confidential D. Secret

D. The US government specifies Secret as the classification level for information that, if disclosed, could cause serious harm to national security. Top Secret is reserved for information that could cause exceptionally grave harm, while confidential data could be expected to cause less harm. Unclassified is not an actual classification but only indicates that the data may be released to unclassified individuals. Organizations may still restrict access to unclassified information.

54. The X.500 standards cover what type of important identity systems? A. Kerberos B. Provisioning services C. Biometric authentication systems D. Directory services

D. The X.500 series of standards covers directory services. Kerberos is described in RFCs; biometric systems are covered by a variety of standards, including ISO standards; and provisioning standards include SCIM, SPML, and others.

55. You are working to evaluate the risk of flood to an area and consult the flood maps from the Federal Emergency Management Agency (FEMA). According to those maps, the area lies within a 200-year flood plain. What is the annualized rate of occurrence (ARO) of a flood in that region? A. 200 B. 0.01 C. 0.02 D. 0.005

D. The annualized rate of occurrence (ARO) is the expected number of times an incident will occur each year. In the case of a 200-year flood plain, planners should expect a flood once every 200 years. This is equivalent to a 1/200 chance of a flood in any given year, or 0.005 floods per year.

Ann is a security professional for a mid-sized business and typically handles log analysis and security monitoring tasks for her organization. One of her roles is to monitor alerts originating from the organization's intrusion detection system. The system typically generates several dozen alerts each day, and many of those alerts turn out to be false alarms after her investigation. This morning, the intrusion detection system alerted because the network began to receive an unusually high volume of inbound traffic. Ann received this alert and began looking into the origin of the traffic. 67. As Ann analyzes the traffic further, she realizes that the traffic is coming from many different sources and has overwhelmed the network, preventing legitimate uses. The inbound packets are responses to queries that she does not see in outbound traffic. The responses are abnormally large for their type. What type of attack should Ann suspect? A. Reconnaissance B. Malicious code C. System penetration D. Denial of service

D. The attack described in this scenario has all of the hallmarks of a denial of service attack. More specifically, Ann's organization is likely experiencing a DNS amplification attack where an attacker sends false requests to third-party DNS servers with a forged source IP address belonging to the targeted system. Because the attack uses UDP requests, there is no three-way handshake. The attack packets are carefully crafted to elicit a lengthy response from a short query. The purpose of these queries is to generate responses headed to the target system that are sufficiently large and numerous enough to overwhelm the targeted network or system.

26. Glenda would like to conduct a disaster recovery test and is seeking a test that will allow a review of the plan with no disruption to normal information system activities and as minimal a commitment of time as possible. What type of test should she choose? A. Tabletop exercise B. Parallel test C. Full interruption test D. Checklist review

D. The checklist review is the least disruptive type of disaster recovery test. During a checklist review, team members each review the contents of their disaster recovery checklists on their own and suggest any necessary changes. During a tabletop exercise, team members come together and walk through a scenario without making any changes to information systems. During a parallel test, the team actually activates the disaster recovery site for testing, but the primary site remains operational. During a full interruption test, the team takes down the primary site and confirms that the disaster recovery site is capable of handling regular operations. The full interruption test is the most thorough test but also the most disruptive.

Using your knowledge of the Kerberos logon process and the following diagram (CLIENT WORKSTATION TO KDC via -A-, KDC to WORKSTATION via -B-, CLIENT WORKSTATION TO CLOUD SERVICES via -C-), answer the following question. 17. At point A in the diagram, the client sends the username and password to the KDC. How are the username and password protected? A. 3DES encryption B. TLS encryption C. SSL encryption D. AES encryption

D. The client in Kerberos logins uses AES to encrypt the username and password prior to sending it to the KDC.

24. Which one of the following cryptographic goals protects against the risks posed when a device is lost or stolen? A. Nonrepudiation B. Authentication C. Integrity D. Confidentiality

D. The greatest risk when a device is lost or stolen is that sensitive data contained on the device will fall into the wrong hands. Confidentiality protects against this risk.

34. In virtualization platforms, what name is given to the module that is responsible for controlling access to physical resources by virtual resources? A. Guest machine B. SDN C. Kernel D. Hypervisor

D. The hypervisor runs within the virtualization platform and serves as the moderator between virtual resources and physical resources.

54. What technique has been used to protect the intellectual property in the image shown below (**)? A. Steganography B. Clipping C. Sampling D. Watermarking

D. The image clearly contains the watermark of the US Geological Survey (USGS), which ensures that anyone seeing the image knows its origin. It is not possible to tell from looking at the image whether steganography was used. Sampling and clipping are data analysis techniques and are not used to protect images.

74. The Double DES (2DES) encryption algorithm was never used as a viable alternative to the original DES algorithm. What attack is 2DES vulnerable to that does not exist for the DES or 3DES approach? A. Chosen ciphertext B. Brute force C. Man in the middle D. Meet in the middle

D. The meet-in-the-middle attack uses a known plaintext message and uses both encryption of the plaintext and decryption of the ciphertext simultaneously in a brute force manner to identify the encryption key in approximately double the time of a brute force attack against the basic DES algorithm.

52. In this image (*), what issue may occur due to the log handling settings? A. Log data may be lost when the log is archived. B. Log data may be overwritten. C. Log data may not include needed information. D. Log data may fill the system disk.

D. The menu shown will archive logs when they reach the maximum size allowed (20 MB). These archives will be retained, which could fill the disk. Log data will not be overwritten, and log data should not be lost when the data is archived. The question does not include enough information to determine if needed information may not be logged.

2. Joe is the security administrator for an ERP system. He is preparing to create accounts for several new employees. What default access should he give to all of the new employees as he creates the accounts? A. Read only B. Editor C. Administrator D. No access

D. The principle of least privilege should guide Joe in this case. He should apply no access permissions by default and then give each user the necessary permissions to perform their job responsibilities. Read only, editor, and administrator permissions may be necessary for one or more of these users, but those permissions should be assigned based upon business need and not by default.

21. Brian recently joined an organization that runs the majority of its services on a virtualization platform located in its own data center but also leverages an IaaS provider for hosting its web services and a SaaS email system. What term best describes the type of cloud environment this organization uses? A. Public cloud B. Dedicated cloud C. Private cloud D. Hybrid cloud

D. The scenario describes a mix of public cloud and private cloud services. This is an example of a hybrid cloud environment.

92. Which one of the following techniques is not commonly used to remove unwanted remnant data from magnetic tapes? A. Physical destruction B. Degaussing C. Overwriting D. Reformatting

D. The standard methods for clearing magnetic tapes, according to the NIST Guidelines for Media Sanitization, are overwriting the tape with nonsensitive data, degaussing, and physical destruction via shredding or incineration. Reformatting a tape does not remove remnant data.

43. Which one of the following is not a basic preventative measure that you can take to protect your systems and applications against attack? A. Implement intrusion detection and prevention systems. B. Maintain current patch levels on all operating systems and applications. C. Remove unnecessary accounts and services. D. Conduct forensic imaging of all systems.

D. There is no need to conduct forensic imaging as a preventative measure. Rather, forensic imaging should be used during the incident response process. Maintaining patch levels, implementing intrusion detection/prevention, and removing unnecessary services and accounts are all basic preventative measures.

69. Frank is seeking to introduce a hacker's laptop in court as evidence against the hacker. The laptop does contain logs that indicate the hacker committed the crime, but the court ruled that the search of the apartment that resulted in police finding the laptop was unconstitutional. What admissibility criterion prevents Frank from introducing the laptop as evidence? A. Materiality B. Relevance C. Hearsay D. Competence

D. To be admissible, evidence must be relevant, material, and competent. The laptop in this case is clearly material because it contains logs related to the crime in question. It is also relevant because it provides evidence that ties the hacker to the crime. It is not competent because the evidence was not legally obtained.

47. What security measure can provide an additional security control in the event that backup tapes are stolen or lost? A. Keep multiple copies of the tapes. B. Replace tape media with hard drives. C. Use appropriate security labels. D. Use AES256 encryption.

D. Using strong encryption, like AES256, can help ensure that loss of removable media like tapes doesn't result in a data breach. Security labels may help with handling processes, but they won't help once the media is stolen or lost. Having multiple copies will ensure that you can still access the data but won't increase the security of the media. Finally, using hard drives instead of tape only changes the media type and not the risk from theft or loss.

75. Why might an organization use unique screen backgrounds or designs on workstations that deal with data of different classification levels? A. To indicate the software version in use B. To promote a corporate message C. To promote availability D. To indicate the classification level of the data or system

D. Visual indicators like a distinctive screen background can help employees remember what level of classification they are dealing with and thus the handling requirements that they are expected to follow.

Alice and Bob would like to use an asymmetric cryptosystem to communicate with each other. They are located in different parts of the country but have exchanged encryption keys by using digital certificates signed by a mutually trusted certificate authority. 17. When Bob receives the encrypted message from Alice, what key does he use to decrypt the message? A. Alice's public key B. Alice's private key C. Bob's public key D. Bob's private key

D. When Bob receives the message, he uses his own private key to decrypt it. Since he is the only one with his private key, he is the

15. What type of access controls allow the owner of a file to grant other users access to it using an access control list? A. Role based B. Non-discretionary C. Rule based D. Discretionary

D. When the owner of a file makes the decisions about who has rights or access privileges to it, they are using discretionary access control. Role-based access controls would grant access based on a subject's role, while rule-based controls would base the decision on a set of rules or requirements. Non-discretionary access controls apply a fixed set of rules to an environment to manage access. Non-discretionary access controls include rule-, role-, and lattice-based access controls.

51. Lauren starts at her new job and finds that she has access to a variety of systems that she does not need in order to accomplish her job. What problem has she encountered? A. Privilege creep B. Rights collision C. Least privilege D. Excessive privileges

D. When users have more rights than they need to accomplish their job, they have excessive privileges. This is a violation of the concept of least privilege. Unlike creeping privileges, this is a provisioning or rights management issue rather than a problem of retention of rights the user needed but no longer requires. Rights collision is a made-up term, and thus is not an issue here.

68. What physical security control broadcasts false emanations constantly to mask the presence of true electromagnetic emanations from computing equipment? A. Faraday cage B. Copper-infused windows C. Shielded cabling D. White noise

D. While all of the controls mentioned protect against unwanted electromagnetic emanations, only white noise is an active control. White noise generates false emanations that effectively "jam" the true emanations from electronic equipment.

27. Which of the following is a converged protocol that allows storage mounts over TCP, and which is frequently used as a lower-cost alternative to Fibre Channel? A. MPLS B. SDN C. VoIP D. iSCSI

D. iSCSI is a converged protocol that allows location-independent file services over traditional network technologies. It costs less than traditional Fibre Channel. VoIP is Voice over IP, SDN is Software-defined networking, and MPLS is Multiprotocol Label Switching, a technology that uses path labels instead of network addresses.
