
Which of the following represents a valid format for a CVE identifier? 22-0123 2022-Vulnerability Name 10.0-AV:N/AC:L/PR:N/UI:N 2022-12345

2022-12345 OBJ: 4.3 - A CVE identifier follows a format of "CVE" followed by a year and a sequence of numbers. 2022-12345 is a correct representation of a CVE identifier. 22-0123 format is incorrect. CVE identifiers start with "CVE-" followed by the year and a sequence of numbers. While 2022-Vulnerability Name contains elements of a CVE identifier, it doesn't follow the standardized format used in the cybersecurity industry. 10.0-AV:N/AC:L/PR:N/UI:N represents a CVSS scoring vector, detailing the metrics of a vulnerability. It is not a CVE identifier.

What is the main danger that comes from Shadow IT? Financial losses Data losses A larger attack vector A large scale service disruption

A larger attack vector OBJ: 2.1 - Shadow IT is a type of threat actor that is the result of unauthorized or unapproved IT systems or devices within an organization. Shadow IT can introduce security risks because the unauthorized system or device may provide attackers with a way to gain access to an otherwise secure system. In most cases, the unapproved system or device will not create any disruption to the services. The unapproved system or device will only lead to data losses if a threat actor can use it to gain access and then leverage the access to exfiltrate data. Therefore, data losses aren't the main danger. An unapproved system or device will only lead to financial losses if a threat actor can use it to gain access and then leverage the access to create financial losses. Therefore, financial losses aren't the main danger.

Which of the following cryptographic techniques uses the same key for both encryption and decryption processes, making it essential that the key remains secret and is shared securely among the involved parties? AES Diffie-Hellman ECC RSA

AES OBJ: 2.5 - AES (Advanced Encryption Standard) is a symmetric encryption algorithm where the same key is used for both the encryption and decryption processes. RSA (Rivest-Shamir-Adleman) is an asymmetric encryption technique that involves two distinct keys - one private and one public, not using the same key for encryption and decryption. In ECC (Elliptic Curve Cryptography), public and private key pairs are generated based on elliptic curve mathematics. The public key is used for encryption, and the corresponding private key is used for decryption. Diffie-Hellman is an asymmetric key exchange method used to securely exchange cryptographic keys over a public channel, not a symmetric encryption method.

As a network administrator responsible for evaluating a company's encryption protocol method for wireless devices, you have discovered that the company is currently utilizing a deprecated encryption protocol that poses a significant security threat. Which of the following is the MOST appropriate encryption protocol to recommend upgrading to? AES TKIP WEP WPA

AES OBJ: 4.1 - AES is currently the most secure and widely adopted encryption protocol for wireless networks. Its strong encryption algorithms and extensive testing demonstrate its effectiveness against various attacks. AES is the recommended choice for ensuring robust security in wireless communication. It is not deprecated. While TKIP was an improvement over an older encryption protocol, it is still considered weak and has known vulnerabilities. Due to its security limitations, using TKIP is not advisable, especially when more secure alternatives like AES are available. It is not deprecated and is the best choice for devices that are not compatible with AES. WEP is an outdated encryption protocol that has been widely exploited and rendered highly insecure. Its weak key management and static keys make it vulnerable to various attacks, and it can be cracked relatively easily. It should be avoided in modern network environments due to its lack of security. Despite being an enhancement over the previous protocol, WPA has some known vulnerabilities, particularly when using its pre-shared key (PSK) mode. Depending solely on WPA might not provide the level of security required to safeguard modern wireless networks. While older, it is not deprecated.

Which of the following BEST describes the action taken when a file is quarantined during an alert response? File is immediately forwarded to a threat intelligence platform. Access to the original file is denied to the user. File is permanently deleted. Access to all files in the directory is restricted.

Access to the original file is denied to the user. OBJ: 4.4 - When a file is quarantined, it is isolated, ensuring the user, or possibly any user, cannot access it. This can be achieved by encrypting the file or moving it to a designated quarantine zone in the file system. While quarantine can be a preliminary step before deciding to delete a file, they are not synonymous. Quarantine involves isolating the file without removing it completely. Quarantining specifically targets the suspicious or malicious file, not all files in its directory. While some quarantined files may be analyzed further, quarantine in itself doesn't imply immediate forwarding to another platform.

Linaeka, a security analyst, is investigating a malware incident. The logs show that someone made 5 attempts to enter a password and username on each computer in the marketing department between 2:30 and 3:00 am. None of the marketing department employees were working at that time. The attempts all came from the same IP address. Which of the following indicators of malicious activity most likely gave Linaeka the theory that this was an attempt at a brute force or dictionary attack? Missing logs Blocked content Account lockout Concurrent session usage

Account lockout OBJ: 2.4 - Account lockout is an indicator of malicious activity that shows that an attacker or malware has tried to guess or brute force a password for an account, exceeding the maximum number of attempts allowed by the system. The lockout settings allowed 5 incorrect attempts before locking the user out. At that point, the attacker tried the next computer account. Concurrent session usage is an indicator of malicious activity that shows that an attacker or malware has compromised an account and is using it simultaneously with the legitimate user, creating multiple sessions from different locations or devices. The attack came from the same IP address and no legitimate users had sessions running in the scenario above. Missing logs is an indicator of malicious activity that shows that an attacker or malware has tampered with or erased the system's event logs to avoid detection and analysis. There is no indication that any logs were missing. Blocked content is an indicator of malicious activity that shows that an attacker or malware has tried to access or deliver content that is prohibited by the system's security policy, such as malicious websites, files, or emails. There is no indication in the scenario that the attacker was able to send anything.

Which of the following statements BEST explains the function of an Exposure Factor in the context of vulnerability management? An exposure factor evaluates the level of vulnerability in an organization's network infrastructure An exposure factor refers to the time required to detect and respond to a security incident An exposure factor helps organizations assess the monetary impact of a security breach An exposure factor measures the likelihood of a vulnerability being exploited

An exposure factor measures the likelihood of a vulnerability being exploited OBJ: 4.3 - An Exposure Factor measures the likelihood of a vulnerability being exploited, which is essential for organizations to prioritize their remediation efforts based on the risk posed by potential attacks. A higher exposure factor indicates a higher risk of exploitation and may require immediate attention to prevent security breaches. While understanding the financial impact of a security breach is important, Exposure Factor specifically assesses the likelihood of vulnerability exploitation, not monetary losses. While incident response time is crucial for effective cybersecurity, Exposure Factor does not refer to the time required to detect and respond to a security incident. The exposure factor is not about evaluating the level of vulnerability in an organization's network infrastructure but rather measuring the likelihood of a specific vulnerability being exploited. It focuses on specific vulnerabilities, not the overall vulnerabilities of a system.

In a large multinational corporation, the access control mechanism dynamically evaluates various user features such as job role, department, location, and time of access to determine access rights to specific resources. Which type of access control mechanism is being used in this scenario? Rule-Based Role-Based Discretionary Attribute-Based

Attribute-Based OBJ: 4.6 - In the scenario described, the access control mechanism used in the large multinational corporation is "Attribute-Based access control" (ABAC). In an ABAC system, access permissions are dynamically evaluated based on various user attributes, such as job role, department, location, and time of access. The system combines these attributes to make access control decisions, allowing for more fine-grained and context-aware access control. "Role-Based access control" (RBAC) is a mechanism where access to resources is determined based on the roles or job functions of users. Users are assigned specific roles, and access permissions are associated with those roles. However, in the scenario, the access control mechanism is described as evaluating various attributes, including job role, location, and time of access, rather than being solely based on predefined roles. "Discretionary access control" (DAC) allows individual users to have discretion or control over the access permissions of their resources. In a DAC system, owners of resources can determine who has access and what level of access they are granted based on their own judgment. The scenario does not describe users having this level of discretion over access rights, but rather an automated evaluation of features for access control. "Rule-based access control" is a broad term that can encompass various access control mechanisms. While the scenario mentions the dynamic evaluation of user attributes, access permissions are made based on the combination of various features.

You are a network administrator for a company that has multiple branch offices. You need to ensure that the data transmitted between the offices is secure, reliable, and encrypted. Which of the following connection methods would you use? Cellular Satellite Bluetooth WEP

Cellular OBJ: 4.1 - Cellular connections use GSM (Global System for Mobile Communications) or CDMA (Code Division Multiple Access) technologies to provide wireless communication between devices. Cellular connections are more secure than Wi-Fi or Bluetooth because they use encryption and authentication mechanisms to protect the data. Cellular connections also have a high bandwidth and can support a large number of devices at a time. Therefore, cellular connections are the best choice for secure and reliable communication between branch offices. Bluetooth connections are not designed for long-distance communication. Bluetooth connections use short-range radio waves to connect devices within a few meters of each other. Bluetooth connections also have a low bandwidth and can only support a small number of devices at a time. Therefore, Bluetooth connections are not suitable for secure and reliable communication between branch offices. Wired Equivalent Privacy (WEP) is a very old Wi-Fi standard that uses the RC4 stream cipher for encryption. This encryption method is far too weak and vulnerable to be used anymore. It was initially replaced by WPA, but the standard that provides the most security today is WPA3. Therefore, WEP connections are not suitable for secure and reliable communication between branch offices. Satellite connections have higher latency and lower bandwidth than cellular connections. Satellite connections use orbiting satellites to transmit data, which can cause delays and signal loss due to atmospheric conditions and interference. Satellite connections also have a high cost and require specialized equipment to access them. Therefore, satellite connections are not suitable for secure and reliable communication between branch offices.

Which of the following procedures outline the steps for controlling alterations to IT systems within an organization? Change management Incident response Using playbooks Onboarding/offboarding

Change management OBJ: 5.1 - The change management procedure outlines the steps and guidelines for managing changes to IT systems within an organization. It includes processes for requesting, evaluating, approving, implementing, and reviewing changes to minimize the risk of disruptions and ensure that changes are carried out in a controlled and coordinated manner. Onboarding and Offboarding involves the processes and tasks related to welcoming new employees (onboarding) and handling the departure of employees (offboarding) within an organization. While important for managing personnel transitions, it is not directly related to changes in IT systems. Incident response procedure defines the steps for detecting, analyzing, responding to, and recovering from cybersecurity incidents and data breaches. While essential for handling security incidents, it is not directly related to managing changes to IT systems. Playbooks are comprehensive sets of instructions that outline predefined responses to specific situations or events. They are often used in incident response and cybersecurity for guiding actions during security incidents. While valuable for incident management, playbooks are not specifically related to managing changes in IT systems.

Why might an organization be particularly concerned about introducing automation tools that become single points of failure during secure operations? Issues related to system scalability and slow authentication. Compromised availability leading to operational disruptions. Challenges in upholding data confidentiality. Potential gaps in maintaining data integrity.

Compromised availability leading to operational disruptions. OBJ: 4.7 - A single point of failure can jeopardize the entire system's uptime, introducing potential security risks and halting processes. Upholding data confidentiality is a primary security concern, but it isn't directly related to the risks of single points of failure. Data integrity ensures data remains accurate and consistent over its lifecycle, but it doesn't directly link to concerns of single points of failure. Scalability ensures systems can handle growth, but it isn't focused on the immediate availability risks associated with single points of failure.

Which US act requires federal agencies to develop security policies for computer systems that process confidential information? GLBA SOX Computer Security Act (1987) GDPR

Computer Security Act (1987) OBJ: 5.1 - This act specifically requires federal agencies to develop policies to secure computer systems that process sensitive or confidential information. GDPR (General Data Protection Regulation) is a European Union regulation that deals with the protection of personal data, and it doesn't pertain to US federal agencies' computer systems. GLBA (Gramm-Leach-Bliley Act) is focused primarily on financial institutions and requires them to ensure the security and confidentiality of customer data. While SOX (Sarbanes-Oxley Act) does emphasize transparency and accountability in financial reporting, it doesn't specifically target federal agencies' computer systems for confidential data.

A security analyst is investigating a malware incident and finds that the malware has compromised an account and is using it simultaneously with the legitimate user, creating multiple sessions from different locations or devices. Which of the following indicators of malicious activity is BEST demonstrated by this finding? Impossible travel Blocked content Resource consumption Concurrent session usage

Concurrent session usage OBJ: 2.4 - Concurrent session usage is an indicator of malicious activity that shows that an attacker or malware has compromised an account and is using it simultaneously with the legitimate user, creating multiple sessions from different locations or devices. Impossible travel is an indicator of malicious activity that shows that an attacker or malware has used an account from two different locations or devices within a short time span, indicating a possible compromise or impersonation. Resource consumption is an indicator of malicious activity that shows that an attacker or malware has used a lot of system resources, such as CPU, memory, disk space, or bandwidth, affecting the performance or availability of the system. Blocked content is an indicator of malicious activity that shows that an attacker or malware has tried to access or deliver content that is prohibited by the system's security policy, such as malicious websites, files, or emails.

Which of the following statements is NOT true about the importance of continuous integration in relation to secure operations? Continuous integration can increase software quality by catching and fixing bugs quickly. Continuous integration automates the building and testing of code, which enhances developer productivity. Continuous integration enables early detection of issues, making it easier to address them before they escalate. Continuous integration may slow down the development process but it provides far more secure systems overall.

Continuous integration may slow down the development process but it provides far more secure systems overall. OBJ: 4.7 - In fact, continuous integration speeds up the development process. By integrating the work often, problems are discovered early and can be fixed immediately, preventing them from slowing down the project in the later stages. The practice of making frequent commits and running automated tests means that errors are detected sooner. This early detection allows for quick fixes, thereby improving software quality. Continuous integration involves automated processes like building and testing of code, thus relieving developers from manual, repetitive tasks and enabling them to focus on other aspects of their work. This consequently enhances their productivity. Continuous integration allows for the immediate detection of issues because code is integrated frequently. This immediate feedback makes it easier to address problems as they can be caught and fixed before further progress is made, improving overall security.

Kelsi is browsing an online shopping website that sells various products. She adds some items to her shopping cart and proceeds to checkout. She enters her credit card information, double checks that the credit card information is correct, then clicks on the confirm button. She then receives an email from her bank that informs that her credit card has been charged, but the amount she is charged is more than she expected. She checks her online banking account and sees that there are several transactions that she did not authorize. What type of web-based vulnerability has she likely encountered? Structured Query Language injection (SQLi) Cross-site scripting (XSS) Malicious update Buffer overflow

Cross-site scripting (XSS) OBJ: 2.3 - XSS is a web-based vulnerability that occurs when an attacker injects malicious code into a web page that is then executed by the browser of a user who visits the page. The code can steal cookies, session tokens, or other sensitive information from the user or the web server. Kelsi has likely encountered an XSS vulnerability that allowed the attacker to steal her credit card information and make unauthorized transactions. Malicious update is an application-based attack that involves replacing a legitimate update for a program with a malicious one. The attacker can compromise the program, steal data, or perform other malicious actions. Kelsi has not encountered a malicious update, as she did not update any program, but rather entered her credit card information on a web page. Buffer overflow is an application-based vulnerability that occurs when a program does not properly check the size of the input data and tries to store more data than the memory allocated to it can hold. The excess data can overwrite the adjacent memory and cause the program to crash or execute arbitrary code. It isn't likely that Kelsi has encountered a buffer overflow vulnerability, as she checked the information she entered and it was correct. SQLi is a web-based vulnerability that occurs when an attacker injects malicious SQL statements into a database query that is then executed by the database server. The statements can manipulate or extract data from the database, or execute commands on the server. Kelsi has not encountered an SQLi vulnerability, as she did not enter any information in SQ

Kelly Innovations LLC has recently faced a series of phishing attacks where attackers are sending emails that appear to be from the company's domain. After an internal investigation, they discover that these emails are not originating from their servers. To cryptographically ensure that an email was actually sent from their domain, which of the following is the BEST mechanism they should implement? SPF DKIM SMTP DMARC

DKIM OBJ: 4.5 - By implementing DKIM (DomainKeys Identified Mail), Kelly Innovations LLC can sign emails originating from their domain cryptographically. This allows receivers to verify that an email claiming to be from the domain genuinely is. While SPF (Sender Policy Framework) is valuable in identifying which servers are authorized to send emails on behalf of a domain, it doesn't cryptographically sign the emails for this assurance. DMARC (Domain-based Message Authentication, Reporting, and Conformance) uses the results of DKIM and SPF checks, but on its own, it doesn't cryptographically sign emails. SMTP (Simple Mail Transfer Protocol) is the standard for sending emails, but it doesn't inherently provide a cryptographic signing mechanism for email authenticity.

Who is chiefly responsible for determining the purposes and means of processing personal data within an organization? Data Controller Data Owner Data Broker Data User

Data Controller OBJ: 5.1 - The data controller is the entity that determines the purposes, conditions, and means of processing personal data. They make decisions about how and why data is processed. A data broker collects and sells data to other organizations, but they do not typically decide the purposes and means of data processing for another organization. Data users access and use the data but typically don't decide on its processing purposes and means. While data owners are responsible for the data's classification and ensuring it meets organizational policies, they do not typically decide on the purposes and means of data processing.

An organization is looking to protect sensitive financial data stored in spreadsheets. Which of the following methods would be the MOST effective in ensuring the data's confidentiality and integrity? Password protection and read-only access Network monitoring and firewall Version control and backup Data encryption and digital watermarking

Data encryption and digital watermarking OBJ: 3.3 - Encrypting the spreadsheet ensures unauthorized parties cannot view its content, and digital watermarking embeds a hidden mark to track and verify the document's authenticity and integrity. While version control and backup are crucial for maintaining data history and recovery, neither directly ensures the spreadsheet's confidentiality or verifies its integrity. While network monitoring and firewalls protect against unauthorized access and attacks, they don't directly ensure the confidentiality or integrity of specific spreadsheet data. Password protection restricts access, and read-only access prevents modifications, but neither ensures data confidentiality from unauthorized decryption or verifies its integrity against all forms of tampering.

Which of the following statements regarding data retention in the disposal process is NOT true? Formal data retention policies help organizations decide when data assets should be backed up, archived, or purged. Data retention is a critical governance factor that organizations need to adhere to while managing their information systems and data assets. Data retention periods should account for business needs as well as any legal, regulatory, or contractual requirements. Data retention implies storing all data indefinitely as it might be needed at some point.

Data retention implies storing all data indefinitely as it might be needed at some point. OBJ: 4.2 - Indefinite storage is not the purpose of data retention. Instead, data retention policies establish specific time frames to retain data, after which it should be safely destroyed or sanitized to protect sensitive information and optimize system performance. Adherence to data retention requirements is indeed a critical governance factor in managing information systems and data assets. Data retention periods should consider business, legal, regulatory, and contractual requirements to ensure the availability of necessary data and compliance with all obligations. Formal data retention policies guide decisions about backup, archiving, and purging data assets.

Which of the following statements BEST describes the Control Plane in the Zero Trust model? Limits potential damage zones in a network. Employs security decisions based on user behavior. Decides on access based on policies and threats. Ensures efficient transmission of approved data.

Decides on access based on policies and threats. OBJ: 1.2 - The Control Plane within the Zero Trust model is fundamentally responsible for deciding on access based on policies and threats, which is a dynamic and multifaceted task. While it does consider user behavior as part of its decision-making process, employing security decisions based on user behavior is only one aspect of its function. Although the Control Plane's decisions can indirectly limit potential damage zones by enforcing segmented access to network resources, its primary role should not be confused with the outcomes of its policy enforcement. The Control Plane does not directly ensure the efficient transmission of data — this is a misconception, as that is the role of the Data Plane.

Which of the following cryptographic algorithms is primarily used for digital signatures and key exchanges, rather than direct encryption of data? SHA-256 ECC Twofish DES

ECC OBJ: 2.5 - ECC (Elliptic Curve Cryptography) is a form of public key cryptography based on the algebraic structure of elliptic curves over finite fields primarily used for digital signatures and key exchanges. SHA-256 (Secure Hash Algorithm 256-bit) is a cryptographic hash function, not primarily used for digital signatures or key exchanges. DES (Data Encryption Standard) is an older symmetric-key method of data encryption which was largely replaced due to vulnerabilities, focusing primarily on data encryption. Twofish is a symmetric block cipher which, like AES, encrypts data in blocks using the same key for encryption and decryption.

Which of the following statements BEST explains the importance of employee retention in securing an organization? Employee retention helps to maintain institutional knowledge and expertise in managing security automation. Employee retention reduces the likelihood of social engineering attacks because long-term employees get more training to spot and avoid such attacks. Employee retention reduces the need for automation and orchestration, leading to a more stable workforce. High employee retention promotes a deeper understanding of automated security processes, improving response times.

Employee retention helps to maintain institutional knowledge and expertise in managing security automation. OBJ: 4.7 - Employee retention means that the organization can retain experienced staff who have gained valuable institutional knowledge and expertise in managing security automation and orchestration. This accumulated knowledge helps ensure the smooth functioning and effective utilization of these processes. There is no evidence that retaining employees has an impact on avoiding social engineering attacks. Employee retention provides institutional knowledge which makes managing security automation easier. High employee retention means that employees have been with the organization for a longer time, and they would have had more exposure and experience with the automated security processes. This can lead to a deeper understanding, which in turn can improve response times in handling security incidents. Employee retention is not directly related to the need for automation and orchestration. Regardless of the employee retention rate, the benefits of automation and orchestration in secure operations remain valid.

Which of the following terms emphasizes the mathematical structure used to scramble data so that only a specific key can unscramble it? Cipher block Hash function Encryption algorithm Digital signature

Encryption algorithm OBJ: 1.4 - An encryption algorithm provides a structured method for converting plaintext into ciphertext. A good algorithm ensures data remains confidential and secure from unauthorized access. Digital signatures validate the authenticity and integrity of a message or document, ensuring it hasn't been tampered with since being signed. A cipher block refers to a fixed-size portion of data that an encryption algorithm processes. It doesn't define the mathematical method itself. A hash function takes input and returns a fixed-size string, typically used for verifying data integrity, but it does not encrypt data for the purpose of confidentiality.

Which standard defines the methods and protocols used for controlling algorithms used for data in transit? Access control standard Password standard Encryption standard Physical security standard

Encryption standard OBJ: 5.1 - The encryption standard defines the methods and protocols for encrypting sensitive data to protect it from unauthorized access. Encryption transforms data into an unreadable format using cryptographic algorithms, and it can only be decrypted with the appropriate encryption key. These are used to protect data in transit. The physical security standard outlines the measures and procedures to protect physical assets, facilities, and equipment from unauthorized access, theft, and damage. It includes security measures such as access controls, surveillance systems, and security personnel to safeguard physical resources. The access control standard defines the rules and procedures for managing user access to systems, applications, and data within an organization. It involves identifying users, authenticating their identity, and determining the level of access they should have based on their roles and responsibilities. The password standard outlines the requirements and best practices for creating and managing passwords. It includes guidelines such as password complexity, minimum length, and expiration policies to ensure that passwords are strong and secure.

Which of the following MOST accurately describes a primary consideration for implementing a data retention policy? Enhancing system performance by regular data deletion. Speeding up data recovery processes by allowing faster incremental and differential backups. Ensuring compliance with legal and regulatory requirements. Reducing storage costs over time by ensuring that too much data isn't kept.

Ensuring compliance with legal and regulatory requirements. OBJ: 4.2 - A proper data retention policy helps organizations maintain and dispose of data in accordance with laws, regulations, and industry standards, preventing potential legal consequences. Data retention policies may streamline data structures, but the primary goal isn't necessarily to speed up recovery processes. While removing extraneous data can enhance system efficiency, it isn't the most relevant choice among the given alternatives. While a data retention policy can lead to cost savings by disposing of unnecessary data, its primary purpose is not usually financial.

Given that cloud architecture provides dynamic resource allocation, which of the following security considerations is MOST critical when dealing with the compute component? Ensuring isolation between different instances. Limiting the number of virtual machines. Implementing strong user authentication. Frequent backup of workload data.

Ensuring isolation between different instances. OBJ: 3.1 - As the cloud provides resources abstracted from physical hardware, maintaining strict isolation between different workload instances ensures that one instance's vulnerabilities or threats don't compromise another. Breaching this isolation could allow lateral movement within the cloud environment. While essential for security, user authentication is more about controlling access than directly dealing with the compute resource's dynamic allocation in the cloud. Backup strategies are crucial for data integrity and recovery, but they don't address the specific security concerns introduced by the dynamic resource allocation of compute components. Restricting the number of VMs might conserve resources, but it doesn't directly address the inherent security implications of on-demand compute allocation in a cloud environment.

Sasha, an IT manager at Dion Training, has taken the recently formulated security policies and started conducting training sessions for the employees. She's also distributed awareness materials and set up monitoring tools to gauge the program's effectiveness. Which phase of security awareness practices is Sasha in? Initiation Optimization Execution Feedback

Execution OBJ: 5.6 - The Execution phase is where security awareness policies and procedures are put into operation, encompassing actions like user training, dissemination of awareness resources, and monitoring the efficacy of the awareness initiative. Optimization is a post-execution phase, concentrating on refining and enhancing the security awareness programs based on outcomes and feedback, without direct involvement in its active implementation. The Feedback phase involves gathering reactions and responses from users after the introduction of security policies, not necessarily involving active training or distribution of resources. Initiation is the initial phase where potential security threats are recognized, but no policies or procedures have been formulated or implemented yet.

Which of the following statements is NOT true about the Exposure Factor? Exposure factor is typically expressed as a percentage or a ratio of exposure. An exposure factor of 100% implies that an asset becomes completely useless after a particular security incident or threat event. Exposure factor refers to the proportion of an asset's value likely to be destroyed or degraded if a particular security incident or threat event occurs. Exposure factor is calculated by multiplying the asset's total value by the yearly rate of occurrence.

Exposure factor is calculated by multiplying the asset's total value by the yearly rate of occurrence. OBJ: 4.3 - The exposure factor is not calculated by multiplying the asset's total value by the yearly rate of occurrence. It is an estimate of the potential damage to an asset if a given threat exploits a vulnerability, and it is not directly connected to the asset's total value or frequency of threat events. An exposure factor of 100% suggests that a security incident or threat event would render the asset entirely unusable or worthless. The exposure factor is the proportion of an asset's value estimated to be affected or jeopardized during a particular security incident or threat event. Exposure factor is usually expressed as a percentage representing the portion of the asset's value likely to be lost in an incident.

Kelly Innovations LLC has implemented a firewall to secure its mission-critical financial system. Which failure mode should the firewall be set to if the company prioritizes avoiding substantial financial losses due to downtime? Passive mode Fail-open Rate-based filtering Fail-closed

Fail-open OBJ: 3.2 - In the event of a malfunction, a fail-open mode would allow traffic to pass through without being checked, ensuring that the financial system remains accessible. While this may introduce some security risks, it prevents downtime which is deemed a greater threat in this context. In passive mode, the firewall monitors traffic without actively blocking or allowing it. This can be useful for observing traffic patterns but wouldn't be ideal for a mission-critical system where active protection is essential. In a fail-closed mode, a malfunctioning firewall would block all traffic. This can protect against potential threats but would render the financial system inaccessible, leading to significant financial implications. Rate-based filtering involves limiting traffic based on a predefined rate. While it can help in preventing denial-of-service attacks, it doesn't directly address how a firewall should behave during a malfunction.

What kind of protective measures are based on where the data is stored? Obfuscation Segmentation Geographic restrictions Public

Geographic restrictions OBJ: 3.3 - Geographic restrictions pertain to policies that limit where data can be stored or accessed based on geography. Segmentation refers to dividing a network into smaller parts but it does not specifically deal with limiting access based on specific locations. Public data classification refers to information that is open for public access. It does not describe protections based on specific locations. Obfuscation is the hiding or camouflaging of information to prevent access to it. It doesn't deal with where the data is stored.

As part of their expansion, Kelly Innovations LLC decided to break their monolithic application into microservices. While this provides scalability, which of the following security implications should the organization be MOST concerned with? Granular access controls requirements. Singular deployment cadence. Consolidation of data storage. Reduced monitoring endpoints.

Granular access controls requirements. OBJ: 3.1 - As applications are broken down into microservices, each service might need specific access controls, potentially complicating the permissions landscape. Microservices often distribute data storage needs across services, rather than consolidating them, making this option less relevant. Microservices allow for independent deployments, moving away from a singular deployment cadence which is more associated with monolithic structures. Microservices can actually increase the number of endpoints that need to be monitored, rather than reducing them.

Kelly Financial Solutions processes thousands of credit card transactions daily. To enhance security, the IT department wants to ensure that sensitive data, such as credit card numbers, remains protected even while being actively processed in the system's memory. Which technology would be MOST effective in safeguarding data-in-use in this scenario? Virtual private network (VPN) Homomorphic encryption Full disk encryption (FDE) Data loss prevention (DLP)

Homomorphic encryption OBJ: 3.3 - Homomorphic encryption allows data to be processed without being decrypted, effectively securing data-in-use. Computations can be performed on the encrypted data directly, and the results, when decrypted, match as if the operations were done on the plaintext. A VPN encrypts network traffic between two points, ensuring data-in-transit security. It doesn't focus on safeguarding data actively being processed in a system's memory. DLP solutions monitor and control data transfers, helping to prevent data breaches. However, they don't provide specific protection for data being actively processed in memory. While FDE is effective for protecting data at rest, especially on hard drives or SSDs, it doesn't specifically secure data-in-use.

You are a system administrator for a small business that uses several laptops and desktops for its daily operations. Recently, some of your employees' devices have been used to open ports on your servers. You suspect an attacker has done this. Although the employees have the ability to open ports as part of their jobs, the ports were opened when the employees were not at their computers. The open ports were used to exfiltrate data and your boss is not happy. Which of the following mitigation techniques can help you prevent this from happening again? Host-based intrusion prevention system (HIPS) Access control through Permissions Patching Disabling Ports and Protocols

Host-based intrusion prevention system (HIPS) OBJ: 2.5 - Using a Host-based Intrusion Prevention System (HIPS) is a hardening technique that can help prevent attacks from occurring. It is software that is installed on a system or device to detect and prevent unauthorized actions like file modifications and registry changes. HIPS will be able to detect the intrusion of attackers and prevent changes to ports. Disabling ports and protocols is a hardening technique that can help reduce exposure to potential attacks. This can be done on firewalls, switches, routers, and hosts to close or block any network ports or protocols that aren't needed for the normal operation of the systems and devices. Ports are numerical identifiers that specify the destination or source of network traffic, and protocols are rules or standards that define how network traffic is formatted or transmitted. The issue isn't that ports aren't closed; it is that the ports were closed and then were opened by the attacker. Closing or disabling them will not prevent an attacker from opening them again. Patching is a mitigation technique that can help prevent exploitation of known vulnerabilities on systems and devices by updating them with the latest security fixes and enhancements.

A business needs a full-scale duplicate of its primary IT facility that can be quickly activated in the event of a system failure. Which of the following site considerations would BEST meet this requirement? Onsite backup Clustering Hot People

Hot OBJ: 3.4 - A hot site would be ideal as it is a full-scale replication of the primary IT setup that can be activated immediately in the event of a system failure. Considering people is vital in capacity planning, but it doesn't provide a direct solution to the requirements of immediate system recovery. Clustering can improve system redundancy by linking multiple servers, but it is not an immediate full-scale stand-in for the main facility. Onsite backup shares the same premises as the primary system and, while essential, doesn't provide the required geographic redundancy.

You are working on a project that requires you to use a software application that is not installed on your system. You find a website that offers a free download of the application and you click on the download button. However, instead of downloading the application, you download a PNG file which may contain malicious code. If it is malicious, what type of attack vector was used to deliver the code? Image-based Pretexting File-based Removable device

Image-based OBJ: 2.2 - Image-based attacks use malicious images, such as JPEGs, PNGs, or GIFs, to exploit vulnerabilities in image processing software or embed malicious code in the image metadata. Pretexting uses a story to create a sense of trust with the victim. It makes it more likely that the victim will do what the attacker wants them to do. In the scenario, there is no fake story used. Removable device attacks use devices such as USB drives, CDs, or DVDs to infect systems with malware or perform other malicious actions. File-based attacks use malicious files, such as executables, documents, or archives, to infect systems with malware or perform other malicious actions.

During a digital investigation, which activity is MOST closely associated with the acquisition phase? Searching through electronic records to identify relevant emails for a court case. Imaging a hard drive to create an exact byte-for-byte copy for analysis. Reviewing a detailed log of who handled the evidence and when. Determining if cryptographic methods need to be employed to protect data during storage.

Imaging a hard drive to create an exact byte-for-byte copy for analysis. OBJ: 4.8 - During the acquisition phase, the goal is to obtain data in a way that doesn't alter the original evidence. Imaging a hard drive is a standard practice to achieve this. While safeguarding data is crucial, this activity is more relevant to the preservation stage. Reviewing a detailed log of who handled the evidence and when relates to maintaining the chain of custody, which ensures the integrity and authenticity of digital evidence. Searching through electronic records to identify relevant emails for a court case is more aligned with e-discovery, where the aim is to locate specific electronic evidence.

Angel, a system administrator, notices that a user account has been locked out due to multiple failed login attempts in a short span of time. She also observes that the source IP addresses for these attempts are from various countries. Which indicator of malicious activity is MOST likely present in this scenario? Impossible travel Account lockout Concurrent session usage Blocked content

Impossible travel OBJ: 2.4 - Impossible travel is an indicator of malicious activity that involves detecting login attempts from locations that are geographically inconsistent or implausible, suggesting that an attacker has compromised the user credentials. Account lockout is an indicator of malicious activity that involves detecting multiple failed login attempts for a user account, suggesting that an attacker is trying to guess the password. While this is the basic problem, the additional information that the attempts have come from different countries indicates that the problem is more complex than just account lockout. Blocked content is an indicator of malicious activity that involves detecting attempts to access restricted or malicious websites or files, suggesting that an attacker is trying to compromise the system. Concurrent session usage is an indicator of malicious activity that involves detecting multiple active sessions for a user account, suggesting that an attacker has gained access to the account. In this case, the logins failed, so it isn't a concurrent session.

Which of the following strategies is MOST effective for organizations aiming to mitigate the risk of widespread disruptions due to a localized issue in their infrastructure? Infrastructure diversification Permission restrictions Data masking Geographic restrictions

Infrastructure diversification OBJ: 3.4 - Diversifying infrastructure ensures that organizations are not overly reliant on a single data center, network, or platform. By distributing their assets and systems across multiple locations or platforms, they can significantly reduce the risk of total service disruption if one component fails. Setting permission restrictions is crucial for controlling who can access specific resources. However, it doesn't offer a solution against the vulnerabilities of a single-point infrastructure failure. While data masking is an essential strategy for obfuscating sensitive information, it doesn't address the risk associated with centralized infrastructure or help in maintaining continuity during disruptions. Geographic restrictions primarily deal with ensuring data resides or is accessible only in certain locations due to legal or regulatory reasons. While it dictates where data can be, it doesn't inherently diversify infrastructure for resilience against disruptions.

Which category of data includes information such as trade secrets and patents? Legal information Intellectual property Regulated Human-readable

Intellectual property OBJ: 3.3 - Intellectual property refers to creations of the mind like inventions, literature & artistic works, designs, symbols, and names and images used in commerce, which includes things like trade secrets and patents. Regulated data is any data that falls under regulatory laws and guidelines. While it could involve intellectual property, it does not specifically pertain to trade secrets or patents. Human-readable refers to information that can be understood by a human without using a device; it is not a type of data classification like intellectual property. While legal information might involve intellectual property, it is a broader category of data and does not specifically pertain to trade secrets and patents.

Which of the following BEST highlights the significance of inventory in managing hardware, software, and data assets effectively? Inventory enables organizations to maintain up-to-date records. Inventory facilitates the physical organization of assets. Inventory documentation helps in tracking the financial value of assets. Inventory identifies individuals responsible for asset handling.

Inventory enables organizations to maintain up-to-date records. OBJ: 4.2 - Inventory enables organizations to maintain up-to-date records of hardware, software, and data assets. This facilitates timely patch management, as administrators can easily identify assets that require updates or patches. Timely patching is crucial for mitigating security risks and reducing the possibility of exploitation through unpatched vulnerabilities. Proper inventory documentation may aid in financial tracking and budget allocation, but it is not the primary focus when discussing inventory's importance in the asset tracking process for security implications. The primary concern with inventory is maintaining accurate records of assets for security monitoring and management. Inventory does not specifically focus on the physical organization of assets for audits and investigations. While physical organization is relevant for efficient asset management, the primary purpose of inventory is to maintain accurate and up-to-date records for security monitoring and tracking. While maintaining inventory records can help identify individuals responsible for assets, this does not primarily address the importance of inventory in the monitoring/asset tracking process for security implications. Accountability is important but not the main focus when discussing inventory in the context of security.

Which of the following mitigation techniques can help prevent malware from spreading from one system or process to another by limiting their interaction and communication? Isolation Permissions Segmentation Hardening

Isolation OBJ: 2.5 - Isolation is a mitigation technique that can help prevent malware from spreading from one system or process to another by limiting their interaction and communication. Isolation involves sandboxing or simply disconnecting an infected system. This prevents potentially malicious programs or scripts from accessing the rest of the system or network. Hardening is a technique that can help reduce the exposure of systems and devices to potential attacks by disabling unused features and services. Hardening involves removing unnecessary features and services, changing default settings, and applying security configurations to systems and devices. Hardening is preventative and takes place before malware is on the system. Isolation is most important when malware is on the system. Segmentation is a mitigation technique that involves dividing a network into smaller segments. Each has its own security policies and controls. Segmentation can limit the scope of an attack by preventing the attacker from gaining access to an entire network because it will help isolate the compromised segment. Segmentation is preventative and takes place before malware is on the system. Isolation is most important when malware is on the system. Access control through permissions is a mitigation technique that can help prevent unauthorized execution of programs or scripts on a system or device. This is achieved by defining permissions through policies and applying those policies to resources such as programs, scripts, files, folders, and databases. Users without the correct permissions can't access the resources. While this prevents unauthorized use of resources, it doesn't prevent malware from spreading from one system or process to another.

Which of the following BEST describes the Software Development Life Cycle (SDLC) in application security? It only considers security during the testing and creation phases of software development. It primarily focuses on the speed of software delivery over security. It emphasizes the integration of security in software creation and maintenance. It replaces the need for regular software updates and patches.

It emphasizes the integration of security in software creation and maintenance. OBJ: 5.1 - An SDLC ensures that security is a focal point in all stages of software development, from design to maintenance. While certain SDLC models, like Agile, prioritize quick deliveries, they don't overlook security. SDLC integrates security throughout its phases, not just during testing. Even with a robust SDLC, software may still require updates and patches post-deployment.

Which of the following statements BEST explains the importance of package monitoring in the context of vulnerability management? It allows organizations to track the physical location and status of hardware packages. It ensures that all software packages are up to date with the latest features and enhancements. It involves tracking the dependencies of software packages to ensure that all required components are up to date and compatible. It helps identify and address vulnerabilities in software packages.

It helps identify and address vulnerabilities in software packages. OBJ: 4.3 - Package monitoring involves keeping track of software package versions and security patches, which helps identify potential vulnerabilities and ensures that appropriate actions are taken to mitigate risks. By promptly addressing vulnerabilities, organizations can reduce the risk of potential exploits and maintain a more secure environment. The purpose of package monitoring is keeping track of software package versions and security patches, not tracking software package dependencies. Tracking the physical location and status of hardware packages is not the intended purpose of package monitoring. While updating software packages is essential for performance and functionality, package monitoring, in the context of vulnerability management, is not focused on general updates.

Which of the following BEST describes the significance of key length in encryption standards? It sets a maximum key length It sets the duration of key's validity It sets complexity for key It sets a minimum for key length

It sets a minimum for key length OBJ: 1.4 - Key length in encryption determines the minimum length that an encryption key can be to ensure a strong level of security. While length will impact the key's complexity, the key length doesn't set other factors beyond the minimum length.

Which of the following backup methods involves real-time replication of every transaction made within a system? Journaling Differential Backup Incremental Backup Full Backup

Journaling OBJ: 3.4 - Journaling is a form of backup that involves recording all transactions in a system which can be used to restore the system to a previous state. A full backup involves making a complete copy of all data in the system. While comprehensive, it's typically scheduled to occur at regular intervals (e.g., nightly or weekly) and does not provide real-time replication of each transaction. Differential backups capture all changes made since the last full backup. Like incremental backups, differential backups are not done in real-time but at specific intervals, and they accumulate changes since the last full backup. Incremental backups save only the changes made since the last backup, whether that was a full or another incremental backup. This method doesn't replicate transactions in real-time, but rather at scheduled intervals.

Dion Training Solutions implemented a new authentication system for their internal applications. The system ensures that authentication data can only be used for a single session and requires both the client and server to prove their identity by using a unique ticketing system. Which of the following authentication mechanisms is Dion Training Solutions MOST likely using to prevent credential replay attacks? OAuth SAML LDAP Kerberos

Kerberos OBJ: 2.4 - Kerberos is an authentication protocol that uses tickets to prevent eavesdropping and replay attacks. It relies on a trusted third party, the Key Distribution Center (KDC), to facilitate mutual authentication between clients and services. LDAP is a protocol used to access and manage directory information over a network. While it can be used for authentication, it does not inherently prevent credential replay. OAuth is an open standard for access delegation. It allows third-party services to use account information without exposing user passwords. However, it doesn't use a ticketing system. SAML is an XML-based standard for exchanging authentication and authorization data between parties. It's focused more on Single Sign-On (SSO) and doesn't use the Kerberos ticketing mechanism.

In what type of penetration testing are the testers given usernames, passwords, and other information that would normally be gathered in the first phase? Reconnaissance Unknown environment Known environment Partially known environment

Known environment OBJ: 5.5 - Penetration testing in a known environment means that a significant amount of information has been given to the tester. This can include passwords, usernames, and other information. Partially known environment penetration testing occurs in an environment where some information about the target systems is available to the tester, but not all details are known. It is likely that a tester in this environment would still need to complete the reconnaissance phase. Reconnaissance is the initial phase of a penetration test, where information gathering and data collection occur without directly engaging the target. It is not a type of penetration testing, but rather a preparatory phase. Penetration testing in an unknown environment means that the tester is not given any information, so they must begin with reconnaissance.

Kelly Innovations LLC wants to implement a network appliance that focuses on filtering traffic based on source and destination IP addresses, and port numbers. Which layer of the OSI model is this appliance primarily operating at? Layer 5 Layer 4 Layer 3 Layer 2

Layer 4 OBJ: 3.2 - Layer 4, or the transport layer, deals with protocols like TCP and UDP and is concerned with port numbers and connection-oriented communication. Network appliances operating at this layer filter and manage traffic based on source and destination IP addresses, as well as port numbers. Layer 3, the network layer, is primarily focused on routing data and IP addressing. Devices at this layer, like routers, aren't primarily concerned with port numbers. Layer 5, the session layer, establishes, maintains, and terminates connections between applications on different devices. It doesn't handle filtering based on IP addresses and port numbers. Layer 2, the data link layer, deals with frames and MAC addresses. Switches typically operate at this layer.

To improve security at their law firm, Norah, a security analyst, wants to implement a system that will selectively block or allow traffic based on the nature of the communication. Which firewall type would be MOST effective for this purpose? Layer 7 Firewall Layer 4 Firewall VPN 802.1x

Layer 7 Firewall OBJ: 3.2 - A Layer 7 firewall operates at the application layer and can make more granular decisions about the traffic based on the application payload, which makes it the most effective choice in this scenario. 802.1x is a standard developed by the IEEE to govern port-based network access. When used with a RADIUS-based authentication server it provides authentication services, checking user credentials to ensure that the user is a legitimate part of the organization and granting access to only those areas of the system that the user is allowed to access. A Layer 4 Firewall operates at the transport layer, which provides less granularity for blocking or allowing traffic based on the application payload. A VPN provides a secure method for remote operations by creating an encrypted connection over the internet. It establishes a secure tunnel so that data can be securely transferred even over insecure networks.

You are a network engineer for a large hospital that has a complex network with many applications and many employees. You are most concerned with protecting the privacy of patients, so you will need to prevent unauthorized people from seeing data. Which of the following mitigation techniques can help you achieve this goal? Monitoring Isolation Least Privilege Application allow list

Least Privilege OBJ: 2.5 - Least privilege is a mitigation technique that limits users to the level of access and privilege they need to do their work. This can limit the extent of an attack by limiting the attacker's access and privilege to those of the compromised user. Least privilege involves applying predefined rules and permissions, such as roles, groups, and functions, and enforcing the rules and permissions through mechanisms such as passwords, tokens, and biometrics. Using least privilege, employees will have access to the patient data they need, but not to the data of other patients.

Which of the following mitigation techniques can help limit the damage caused by malicious or compromised users by setting a level of access to users that corresponds to their assigned tasks? Segmentation Access Control Lists Least privilege Patching

Least privilege OBJ: 2.5 - Least privilege is a mitigation technique that limits users to the level of access and privilege they need to do their work. This can limit the extent of an attack by limiting the attacker's access and privilege to those of the compromised user. Least privilege involves applying predefined rules and permissions, such as roles, groups, and functions, and enforcing the rules and permissions through mechanisms such as passwords, tokens, and biometrics. Patching is a mitigation technique that can help prevent exploitation of known vulnerabilities on systems and devices by updating them with the latest security fixes and enhancements. Patching involves applying patches or updates to software and systems. It does not limit users' access or privileges. Access control lists (ACLs) are a mitigation technique that involves using a list of rules to limit access to resources on a network. ACLs can restrict access based on various criteria, such as IP addresses, port numbers, applications, and protocols. While ACLs do restrict access, the limits are applied to applications, protocols, and other features of devices, not to the users of the devices. Segmentation is a mitigation technique that involves dividing a network into smaller segments. Each has its own security policies and controls. Segmentation can limit the scope of an attack by preventing the attacker from gaining access to an entire network because it will help isolate the compromised segment. It limits movement from one part of the network to another, but doesn't limit access based on a user's job.

A water treatment facility relies on SCADA systems for automation. This environment can introduce which of the following security vulnerabilities? Legacy protocols without encryption. Built for multicore processing. Over-reliance on sandboxing. Frequent OS patching.

Legacy protocols without encryption. OBJ: 3.1 - Many SCADA systems utilize legacy communication protocols that lack modern security features, making them vulnerable to unauthorized interception or tampering. While multicore processing can improve performance, it's not a direct security concern linked to SCADA. Sandboxing is a method to run untrusted code. This concern isn't directly associated with the innate vulnerabilities in SCADA systems. SCADA systems tend to have infrequent updates, not frequent OS patching.

Which of the following terms describes the qualitative frequency of a risk occurring within a specified period? Risk frequency Probability Likelihood ARO

Likelihood OBJ: 5.2 - Likelihood measures how probable it is that a risk will occur, which is crucial for risk analysis and management. Risk frequency could be seen as similar to likelihood but is less specifically defined in risk management terminology. While ARO (Annualized rate of occurrence) is a measurement of how often a risk event is expected to happen annually, it doesn't describe the general probability or frequency as broadly as the term likelihood does. Probability also indicates the chance of a risk occurring but does not necessarily tie it to a specific time frame as likelihood does within the context of risk assessment.

Which statement BEST captures the role of the Policy Administrator within the Zero Trust paradigm? Ensures data is transferred securely across the network. Oversees the actual enforcement of policies on the network. Manages and updates security policies for access control. Adapts access decisions based on ongoing user actions.

Manages and updates security policies for access control. OBJ: 1.2 - The Policy Administrator in a Zero Trust model takes on the responsibility of maintaining and updating the policies that govern access control. They ensure that policies stay relevant, align with organizational security postures, and meet compliance requirements, making this option the correct one. Securing data during transmission is fundamentally about implementing secure communication protocols and doesn't fall under the Policy Administrator's primary responsibilities of managing and adjusting access policies. Adapting access decisions in real-time based on ongoing user actions points towards adaptive policy enforcement or potentially an adaptive identity approach, which continuously assesses risk and behavior. It doesn't define the Policy Administrator's role, which is to manage and update the policies, not to enforce them adaptively. Overseeing the actual enforcement of policies on the network implies a role that actively engages in the application of policies during network interactions, which leans more towards a Policy Enforcement Point (PEP) in the Zero Trust model. It does not align with the Policy Administrator's role, which revolves around policy management rather than enforcement.

Which of the following statements BEST explains the importance of considering single points of failure? Single points of failure represent an entry point into a system so being aware of them will prevent more failures throughout the system. Mitigating single points of failure is crucial to maintain the availability and reliability of automated security operations. Identifying single points of failure helps in centralizing control of security systems for better orchestration. Addressing single points of failure ensures that automated security processes do not replace human decision-making.

Mitigating single points of failure is crucial to maintain the availability and reliability of automated security operations. OBJ: 4.7 - Single points of failure can lead to system outages and compromise the availability and reliability of automated security operations. By identifying and mitigating these single points of failure, organizations can enhance the resilience of their automated systems, ensuring continuous and reliable security operations. Single points of failure are vulnerabilities that can disrupt the entire system if they fail, and their existence has nothing to do with whether human decision-making is replaced or not. Single points of failure can exist in both traditional and automated security models. They are a concern in any system where the failure of a critical component could lead to widespread disruption or compromise. The concept of single points of failure is about identifying critical components or processes that, if disrupted, can cause the entire system to fail. It is not about centralizing control for better orchestration.

Enrique at Dion Training is tasked with ensuring that the company's latest project data is securely backed up. Considering that they only update this project once a week and that the office is located in an area prone to natural disasters, which backup method would be the MOST suitable for their needs? Offsite backups Hybrid backups Cloud backups Onsite backups

Offsite backups OBJ: 3.4 - Offsite backups ensure that the backup is physically separated from the original data. Given the risk of natural disasters, offsite backups would offer Dion Training better protection for their project data. While providing fast recovery times, onsite backups may not protect Dion Training's project data if a natural disaster damages their office. Although they provide flexibility and scalability, relying solely on cloud backups might present challenges if there are internet connectivity issues during a disaster. While hybrid backups combine onsite and cloud backups, the primary concern of natural disasters damaging onsite data remains.

What is the purpose of the audit committee? Overseeing an organization's internal controls and financial reporting Completing external auditing of security controls for organizations Give approval to the audits completed by the CEO Confirm the CEO's hunches about weak areas of security

Overseeing an organization's internal controls and financial reporting OBJ: 5.5 - The audit committee is responsible for overseeing and evaluating an organization's internal controls, financial reporting, and compliance processes. This includes assessing the effectiveness of security controls and regulatory compliance. Audit committees are internal to an organization. External auditing is conducted by external, third-party entities. Audit committees are independent entities within an organization. Their job is to evaluate and oversee internal controls from an objective, unbiased viewpoint. While their conclusions may confirm someone's hunches about weaknesses, the conclusions should be reached independently, not as directed by the CEO or anyone else. Audit committees act independently and produce audits. They do not approve audits produced by the CEO or another governance organization.

Bluebird Technologies has hired a penetration tester. In the test she will attempt to enter the building by using a fake ID and by piggybacking at the entrance. What type of penetration testing will she be doing? Integrated Partially known environment Physical Known environment

Physical OBJ: 5.5 - Physical penetration testing involves evaluating an organization's physical security measures, such as access controls, surveillance systems, and security protocols, to identify vulnerabilities and potential breaches. Penetration testing in a partially known environment means that some information has been given to the tester. There is no indication in the scenario that the tester has been given information. Penetration testing in a known environment means that a significant amount of information has been given to the tester. This can include passwords, usernames, and other information. There is no indication in the scenario that the tester has been given information. Integrated penetration testing refers to a comprehensive approach that combines different types of penetration tests to assess an organization's overall security posture. While physical security may be part of the assessment, it is not the main focus of this type of testing.

Mary is concerned about the security of her online accounts. She reads about a device she can carry with her, which when inserted or tapped on her computer or phone, provides a higher level of authentication assurance. Which of the following BEST describes what she is considering? Physical security keys Software-based certificates QR code scanners Biometric cards

Physical security keys OBJ: 4.6 - Physical security keys are hardware devices, often in the form of USB sticks or NFC devices, that provide strong two-factor authentication. Biometric cards use a person's unique biological characteristics for access but are not typically inserted or tapped on devices. While QR codes can be used for authentication, they don't involve inserting or tapping a device. While software-based certificates can enhance security, they are digital certificates stored on devices and not physical keys.

Geneve has a well-paid job with the government of Arus and has authorized access to sensitive data. She thinks the government is corrupt. Recently, she has been approached by an agent for the country of Erastein. The agent offers to pay her a lot of money to exfiltrate data from her government. She was told that Erastein will be negotiating a treaty with Arus and the documents will help Erastein get land they have long wanted. Which of the following BEST describes Geneve's motivation for the data exfiltration? Financial gain Political Espionage Service disruption

Political OBJ: 2.1 - Political motivations are based on an attacker's view that an organization's actions are unjust or contrary to the attacker's political beliefs. In this case, Geneve's view that the government is corrupt allows her to justify her actions. Service disruption is the act of interrupting or degrading the availability or performance of a system or network. An insider threat actor may conduct service disruption as part of their cyberattacks, but it doesn't usually achieve their goals. There is no indication that Geneve wants to disrupt service in this scenario. Financial gain is the motivation that drives a threat actor to conduct cyberattacks for profit. An insider threat actor may be motivated by financial gain, and usually targets financial institutions, businesses, or individuals for fraud, theft, ransomware, etc. In this case, Geneve is well paid, so financial gain is less likely to be a motivation for her actions. Espionage is the act of obtaining secret or confidential information without the permission of the holder of the information. An attacker may use espionage to support their other motivations, such as sabotage, cyberwarfare, revenge, blackmail, etc. While the government of Erastein is interested in gaining a competitive advantage, Geneve is motivated by her perception that the government is corrupt.

Sarah, a junior developer, has been given access to the development environment. However, she finds that she doesn't have the ability to make changes in the production environment. The company's IT policy allows only senior developers and administrators to make changes in production to minimize risks. Which of the following BEST describes the security principle the company is adhering to? Mandatory access control (MAC) Discretionary access control (DAC) Role-based access control (RBAC) Principle of least privilege

Principle of least privilege OBJ: 4.6 - The principle of least privilege ensures that users are given the minimum levels of access necessary to perform their job functions, thereby limiting potential damage from errors or malicious actions. Under DAC (Discretionary Access Control), the data owner specifies who can access specific resources, primarily based on user discretion rather than the job function. Mandatory Access Control (MAC) restricts access based on sensitivity labels assigned to objects and the level of clearance of users. While RBAC (Role-Based Access Control) is about assigning system access to users based on their role within an organization, it doesn't necessarily restrict users to the minimum necessary permissions.

What term refers to the expected frequency of occurrence of a specific risk within a given time frame? Probability ARO Exposure factor Likelihood

Probability OBJ: 5.2 - Probability refers to the expected frequency of occurrence of a specific risk within a given time frame. Likelihood is a qualitative term used to express the chance of a risk occurring, typically described in terms of low, medium, or high. The exposure factor represents the percentage of asset loss that would occur if a specific risk is realized. It is a quantitative risk analysis metric. The annualized rate of occurrence (ARO) is a quantitative risk analysis metric that represents the expected number of times a specific risk occurs in a year.

Jeremy, the CEO of Hooli, wants to gauge the financial implications of specific risks tied to the company's IT infrastructure. He has directed his team to create a list of possible incidents that could occur. Then he directed them to look at both the likelihood that an incident will occur and the potential economic, business, and resource fallout if the incident occurs to create a numerical score for each. Which of the following risk assessment methods has Jeremy directed his team to use? Annualized loss expectancy (ALE) Qualitative risk analysis Quantitative risk analysis Single loss expectancy (SLE)

Quantitative risk analysis OBJ: 5.2 - Quantitative risk analysis involves calculating the financial impact of specific risk events by considering both the probability of occurrence and the potential loss in monetary terms. Qualitative risk analysis involves assigning subjective values to risks based on descriptive terms such as "high," "medium," or "low" without precise financial figures. ALE is the expected financial loss that an organization may experience annually due to a specific risk, considering the SLE and the annual rate of occurrence (ARO). SLE is the measure of the potential financial loss associated with a specific risk event.

What is the term for a type of open service port that is commonly used for remote access servers and can be used to perform on-path attacks on a Windows computer, but not on computers using other operating systems? RDP Telnet VNC SSH

RDP OBJ: 2.2 - Remote Desktop Protocol (RDP) port is a type of open service port that is commonly used for remote desktop servers and can be exploited by attackers to perform screen capture, keystroke logging, or malware delivery attacks. It is the default port for RDP, the protocol used to remotely control a Windows-based system's desktop. Secure Shell (SSH) port is a type of open service port that is commonly used for remote access servers and can be exploited by attackers to perform on-path attacks, such as session hijacking or replay. It is the default port for SSH, the protocol used to securely access remote systems. SSH is cross-platform, not Windows-based. Virtual Network Computing (VNC) port is a type of open service port that is commonly used for remote desktop servers and can be exploited by attackers to perform screen capture, keystroke logging, or malware delivery attacks. It is the default port for VNC, the protocol used to remotely view and interact with a system's desktop. It is not specific to Windows-based systems. Telnet port is a type of open service port that is commonly used for remote access servers and can be exploited by attackers to perform eavesdropping, data theft, or brute force attacks. It is the default port for Telnet, the protocol used to access remote systems without encryption. Telnet is cross-platform, not Windows-based.

Which of the following terms specifically represents the target duration for recovering IT and business operations after a disruptive event? RPO RTO MTTR BCP

RTO OBJ: 5.2 - RTO (Recovery time objective) sets the goal for the time taken to recover business operations after an outage, essential for continuity planning. BCP (Business continuity planning) is the overarching process that includes recovery time objectives, but it is not a time-specific recovery target. MTTR (Mean time to repair) is the average repair time for a failed system or component, not the timeframe for full business recovery. RPO (Recovery point objective) assesses the maximum tolerable data age for recovery purposes, unrelated to the duration for restoring operations.

Every month, Sasha from Kelly Innovations LLC reviews the company's firewall logs, intrusion detection system outputs, and other security tool logs. She compiles a document detailing trends, potential threats, and recommended actions, which she presents to the senior management. Which of the following types of reports BEST describes the one Sasha is producing for the senior management? Threat intelligence briefing Recurring report Policy review Incident report

Recurring report OBJ: 5.6 - A recurring report is a report generated at regular intervals, such as weekly, monthly, or quarterly, to keep stakeholders updated on ongoing security metrics, trends, and concerns. A policy review is a periodic assessment of the organization's security policies to ensure they remain current and effective. A threat intelligence briefing is a specialized report highlighting current and emerging threats, often sourced from external threat intelligence providers. An incident report is a detailed account of a specific security breach or event, outlining what occurred, its impact, and the steps taken in response.

A company wants to ensure that its employees use its resources in an acceptable manner. Which of the following would be an example of a directive control that the company could implement to address this concern? Requiring that all employees read and sign an AUP Implementing multi-factor authentication when single-factor authentication fails Reviewing log files for signs of unauthorized access Conducting regular security awareness training for employees

Requiring that all employees read and sign an AUP OBJ: 1.1 - An Acceptable Use Policy (AUP) is an example of a directive control because it helps direct employee behavior by specifying what actions are allowed and not allowed when using company resources. Reviewing log files for signs of unauthorized access is an example of a detective control, which is used to detect security incidents. Conducting regular security awareness training for employees is an example of a preventive control, which is used to prevent security incidents from occurring. Implementing multi-factor authentication when single-factor authentication fails is an example of a compensating control, which provides additional security when another control fails.

Members of the Risk Management Team at Eclipse, an awning manufacturer, are discussing the organization's approach to risk management. They are considering the level of risk they are willing to accept to achieve the aggressive set of goals the CEO has created. What is the term for what they are considering? Risk acceptance Risk appetite Risk tolerance Risk deterrence

Risk appetite OBJ: 5.2 - Risk appetite refers to an organization's willingness to take on risk in pursuit of its business objectives. It reflects the organization's strategic approach to risk and how much risk it is willing to undertake to achieve specific goals. Risk tolerance is the extent to which an organization is comfortable with the level of risk it is willing to take. It represents the organization's ability to withstand potential losses or disruptions. Risk acceptance means that an organization understands the level of risk that is involved in an activity and is willing to accept the outcomes of taking the risk. The risk is either accepted or not; there aren't levels of risk acceptance. In this case they are not making a decision about a level of risk for a specific activity. Risk deterrence involves taking measures to reduce or mitigate the impact of an event. In this case, they aren't evaluating the impact or taking measures to reduce the likelihood of a specific event.

Lexicon, an AI company, wants to implement a security measure to identify and evaluate potential threats to their systems and networks. Which of the following is an example of a managerial security control that the company could implement? Intrusion detection system Security guards Risk assessments Firewall

Risk assessments OBJ: 1.1 - Periodic evaluations, like risk assessments, are a managerial security control that involves regularly evaluating the threats to systems and networks. This can help the company identify potential threats and take steps to mitigate them. Security guards are considered operational controls, not managerial controls. A firewall is a technical security control that monitors and controls incoming and outgoing network traffic based on predetermined security rules. An intrusion detection system is a technical security control that monitors network traffic for signs of security threats.

What is the first step in the risk management process that involves determining what potential threats and vulnerabilities exist within an organization's environment? Risk identification Risk analysis Risk register Risk assessment

Risk identification OBJ: 5.2 - Risk identification is the first step in the risk management process. It involves identifying potential threats and vulnerabilities that could pose a risk to an organization's assets or operations. Risk assessment is not the first step in the risk management process. It comes after risk identification and involves evaluating the identified risks to determine their potential impact and likelihood. Risk analysis is a subsequent step that follows risk identification. It involves evaluating the identified risks and their potential impact on an organization. A risk register is a tool used in the risk management process to document and track identified risks, but it is not the first step in the process. It comes after risk identification and analysis.

Which of the following terms BEST describes the process of detecting and documenting potential threats, such as malware, insider threats, or inadequate policies, to inform an organization's risk management strategies? Threat intelligence Risk identification Policy review Vulnerability assessment

Risk identification OBJ: 5.2 - Risk identification is the proactive process of recognizing and recording potential threats that could adversely affect an organization. Policy review is an activity that may be part of risk identification but does not encompass the entire scope of identifying a range of potential risks. A vulnerability assessment is a specific method used within risk identification to determine the weaknesses within an organization's IT infrastructure. Threat intelligence involves the collection and analysis of information about current and potential attacks that threaten the security of an organization but does not directly refer to the broader process of risk identification.

The executive team at a software development firm decides that any project with a potential financial impact greater than $500,000 due to a security incident will require an immediate review and intervention. This financial impact figure represents which of the following in risk management? Risk threshold Risk level Risk tolerance Risk limit

Risk threshold OBJ: 5.2 - The $500,000 financial impact figure is an example of a risk threshold, as it is the specific point at which the company must act to mitigate risk. While risk limit is not a standard term, it could colloquially be used to describe a risk threshold, but in this context, the correct term is "risk threshold." Risk level pertains to the severity of risk and does not describe the actionable limit set by the company. Risk tolerance refers to the general level of risk the firm is willing to accept, not the precise financial impact threshold for action.

Which of the following email security techniques specifically utilizes email certificates to authenticate and safeguard email content? DMARC S/MIME TLS SPF

S/MIME OBJ: 2.2 - S/MIME (Secure/Multipurpose Internet Mail Extensions) leverages email certificates to both sign and encrypt email content, ensuring both authenticity and confidentiality. Transport Layer Security primarily encrypts the communication path between servers, but it doesn't use individual email certificates for signing and encrypting content within the email. Domain-based Message Authentication, Reporting & Conformance (DMARC) focuses primarily on the authenticity of the domain from which emails originate, rather than on using certificates to sign and encrypt the email content itself. Sender Policy Framework verifies the legitimacy of the sender's IP against a list of approved IPs for the domain, but doesn't use email certificates for content encryption or signature.

Kelly Innovations LLC is searching for a comprehensive cloud-based solution that combines both network security and WAN capabilities. They want a solution that seamlessly integrates these aspects, especially for users or devices located outside their primary office. Which of the following technologies should they consider adopting? Tunnel mode of IPSec SD-WAN ESP SASE

SASE OBJ: 3.2 - SASE (Secure access service edge) combines network security and WAN capabilities in a single cloud-based service, making it an ideal solution for ensuring secure and reliable access to data and applications irrespective of user/device location. The tunnel mode in IPSec is used for communications between VPN gateways across an insecure network. Although it encrypts the whole IP packet, it doesn't combine comprehensive network security and WAN functionalities. While ESP (Encapsulating Security Payload) is a part of IPSec that provides confidentiality and/or authentication and integrity, it doesn't integrate network security and WAN capabilities. SD-WAN (Software-defined wide area network) optimizes network performance and centralizes network management. While it enhances WAN connections, it doesn't inherently combine network security and WAN capabilities.

Which of the following statements about the importance of the Security Content Automation Protocol (SCAP) is NOT true? SCAP provides a common language for security content. SCAP encrypts all data before it is sent to be securely stored. SCAP aids in automating the process of detecting vulnerabilities and managing configurations in a system. SCAP ensures that an organization's security infrastructure is compliant with regulatory standards and guidelines.

SCAP encrypts all data before it is sent to be securely stored. OBJ: 4.4 - SCAP is not used for data encryption. Its main functionality lies in strengthening the security of systems via a standardized approach to maintaining system security, aiding in automating the process of detecting vulnerabilities, managing configurations, and maintaining compliance with regulatory standards. SCAP aids in automating vulnerability management and configuration settings in a system. It allows security teams to perform tasks effectively and efficiently. SCAP provides a standardized, consistent approach to maintaining system security, including a common language for expressing security content in a clear and consistent manner. SCAP does help in ensuring compliance with security guidelines and regulations. It provides a way for organizations to demonstrate that their systems adhere to certain security standards.

Which of the following is NOT true about the importance of Security Information and Event Management (SIEM)? SIEM systems provide real-time analysis of security alerts generated by applications and network hardware. SIEM systems provide a unified view of an organization's IT security by collecting and aggregating log data. SIEM systems can create and maintain a database of an organization's IT equipment. SIEM systems can aid in the procurement and asset management of secure software systems.

SIEM systems can aid in the procurement and asset management of secure software systems. OBJ: 4.4 - SIEM systems are not primarily used for software procurement or asset management. Their primary purpose is to provide real-time analysis of security alerts and to offer a holistic view of an organization's security scenario. They are not involved in tasks such as procurement and management of hardware. SIEM systems can indeed create and maintain a record of an organization's IT equipment as a part of their comprehensive data collection. One of the critical roles of SIEM is the real-time monitoring and analysis of security alerts across an organization's network. SIEM systems collect and aggregate log data from an array of sources within an organization's IT infrastructure, providing a centralized view of the security landscape.

Magnetic Island Networking is in the process of finalizing a contract with a new vendor to provide IT services. To ensure clear expectations, Magnetic Island wants to define the measurements of quality and performance they want from the vendor. Which of the following documents will they draw up for the vendor? MOU SOW MSA SLA

SLA OBJ: 5.3 - The Service-Level Agreement (SLA) is the document that precisely defines the agreed-upon service levels and performance metrics that the vendor is expected to meet. It outlines the specific services to be provided, performance expectations, response times, and remedies for not meeting the agreed-upon levels. The Memorandum of Understanding (MOU) outlines the terms of a partnership between two organizations and how they will collaborate on specific projects or initiatives. While it may establish the overall collaboration, it does not include service levels and performance metrics. The Master Service Agreement is a comprehensive document that establishes the overall framework for a long-term business relationship between Magnetic Island and the vendor. It outlines the general terms and conditions, but it does not specifically detail the service levels and performance metrics. The Work Order (WO) or Statement of Work (SOW) is a document that provides detailed instructions and requirements for specific tasks or projects to be carried out by the vendor. It may include information on deliverables, timelines, and costs, but it does not focus on service levels and performance metrics.

Which of the following statements is NOT true concerning the significance of Simple Network Management Protocol (SNMP)? SNMP assists in collecting information from various network devices to ensure proper functioning and security. SNMP allows network administrators to monitor network performance, find and solve network problems, and plan for network growth. SNMP makes it possible to manage network performance, control network configuration, and store data about network components. SNMP ensures secure communication among software applications and allows security analysts to monitor these communications.

SNMP ensures secure communication among software applications and allows security analysts to monitor these communications. OBJ: 4.4 - SNMP's main purpose is managing and monitoring network devices. It doesn't monitor communications among software applications. SNMP does actually provide capabilities to handle network performance, control network configurations, and store data related to various network components, so this statement is true. SNMP does indeed allow network administrators to monitor performance, troubleshoot issues, as well as plan for future network growth. SNMP does aid in collecting data from different network devices to maintain proper functionality and security, making this statement true.

Dark Sky Technologies has hired a vendor to develop a custom software solution for their accounting department. They need a document that provides detailed instructions and requirements for the software development project that will include features the software should have, when the work must be finished, and other essential details. Which document would best meet Dark Sky's needs? BPA SOW SLA MSA

SOW OBJ: 5.3 - A Work Order (WO) or Statement of Work (SOW) is the correct document for the ABC Company's needs. It provides detailed instructions and requirements for specific tasks or projects to be carried out by a vendor, making it suitable for the software development project. A Service-level Agreement (SLA) typically outlines specific performance metrics, service levels, and responsibilities for ongoing services, but it does not provide detailed instructions and requirements for specific tasks or projects like software development. A Master Service Agreement (MSA) establishes the overall framework for a long-term business relationship between an organization and a vendor. While it may touch on project details, it does not provide the detailed instructions and requirements needed for a specific software development project. A Business Partners Agreement (BPA) is a type of agreement that outlines the terms and conditions of a partnership between two organizations, not the specific instructions and requirements for a particular project.

What is the primary difference between sanitization and destruction in the disposal process? Sanitization concerns the reuse of assets in an organization, and destruction involves transferring those assets to a different department. Sanitization and destruction are synonyms and refer to the same process. Sanitization involves erasing data so it cannot be recovered; destruction is total physical demolition of the asset. Sanitization refers to physically damaging the asset to render it unusable, while destruction involves completely eliminating all residual data.

Sanitization involves erasing data so it cannot be recovered; destruction is total physical demolition of the asset. OBJ: 4.6 - Sanitization involves the process of permanently erasing or de-identifying data on a device so it cannot be recovered, while destruction is about physically demolishing the asset, ensuring no data can be extracted from it. Sanitization does not refer to physically damaging the asset; instead, it has to do with removing or de-identifying data so it cannot be recovered. Destruction involves physical destruction of the asset itself. Sanitization and destruction refer to two different types of procedures in the disposal process and are not synonyms. Sanitization and destruction involve methods of removing or totally destroying data or assets rather than internal asset redistribution in an organization.

Which of the following architecture models involves creating multiple instances of a system to handle increased demand? Ease of Deployment Containerization Responsiveness Scalability

Scalability OBJ: 3.1 - Scalability is an architecture model that involves creating multiple instances of a system or service to handle increased demand or workload. Scalability allows for greater performance, availability, and responsiveness of a system or service. Responsiveness is an architecture model that involves ensuring that a system or service responds quickly and efficiently to user requests or inputs. Responsiveness does not refer to the creation of multiple instances of a system or service, but rather to the optimization of latency and throughput. Ease of deployment refers to the simplicity and speed of launching a system or service into production, which is an important consideration for designing and deploying applications and systems. Some factors that can affect ease of deployment are automation, configuration management, testing, and documentation. Containerization is a method that involves packaging an application and its dependencies into a lightweight and portable unit, which can run on any platform that supports containers. Containerization can improve performance, scalability, and security of applications, but its purpose isn't specifically to deal with increasing or decreasing demand.

Which of the following tools is MOST known for agentless security monitoring/alerting? Antivirus software Intrusion detection system (IDS) Security Information and Event Management (SIEM) Web application firewall (WAF)

Security Information and Event Management (SIEM) OBJ: 4.4 - SIEM tools are essential for consolidating and analyzing logs and alerts from various sources within an environment. These tools are known for their agentless capabilities, where they can collect and process logs without needing a dedicated agent on the source system, providing flexibility in diverse infrastructure setups. While an IDS can detect malicious activities, it typically requires agents or sensors to capture traffic or system activities. A WAF is designed to filter and monitor HTTP traffic to and from a web application, preventing web-based attacks. It doesn't specifically provide agentless monitoring/alerting at a better capacity than the other available options. Antivirus software is geared towards detecting and removing malicious software from a system and typically requires an agent for operation.

Kelly Innovations LLC is using a certificate within their internal testing environment. Due to the lack of inherent trust from external systems, they avoid using this certificate publicly. Which type of certificate is Kelly Innovations LLC likely using? Self-signed certificate CSR Third-party certificate Wildcard certificate

Self-signed certificate OBJ: 1.4 - The company is using a self-signed certificate, which is generated and signed by the same entity. It's not backed by a trusted certificate authority, making it more suited for internal uses and not recommended for external environments due to the potential lack of trust. A CSR (Certificate Signing Request) is a formal message sent to a certificate authority to request a digital identity certificate. It is not a type of certificate in itself. A wildcard certificate is used to secure multiple subdomains under a single domain. It doesn't necessarily indicate internal use or a lack of trust. A third-party certificate is signed and verified by an external certificate authority and is generally used in public and external environments due to the inherent trust it carries.

A company's systems were compromised and sensitive data was stolen. Upon investigation, it is discovered that attackers gained access through a Trojan that was installed on one employee's mobile device. The Trojan was installed on the device when the employee installed a piece of software from a website instead of the official app store. Which of the following describes the source of the problem? Zero-day vulnerability Jailbreaking Side loading Mobile device management (MDM) failure

Side loading OBJ: 2.3 - Side loading is the process of installing applications on a mobile device from sources other than the official app store, which can allow unauthorized applications to be installed. A zero-day vulnerability is a vulnerability that is unknown to the vendor and can be exploited by attackers, but it does not directly relate to installing unauthorized applications from sources other than the official app store. Mobile device management (MDM) failure can leave mobile devices vulnerable to unauthorized access or manipulation, but it does not directly relate to installing unauthorized applications from sources other than the official app store. Jailbreaking is the process of bypassing the security restrictions on a mobile device, which can allow unauthorized applications to be installed, but it is not the only way to install unauthorized applications.

Dion Training is deploying a new application for remote employees. They want to ensure that users can securely log in without needing a physical device other than their smartphones. The system would generate a temporary numeric code on the user's device, which would then be used as a second form of authentication. Which of the following solutions BEST fulfills this requirement? Network location-based authentication Biometric authentication Static password Software authentication tokens

Software authentication tokens OBJ: 4.6 - Software authentication tokens generate time-sensitive codes on devices like smartphones, providing an added layer of security without the need for a physical device other than the user's own device. A static password is a fixed set of characters used for authentication and does not provide the dynamic, temporary nature of the described solution. Biometric authentication leverages unique biological characteristics, such as fingerprints or facial recognition, but does not involve generating temporary codes. Network location-based authentication validates users based on their network's location, not a temporary numeric code.

In a business process analysis (BPA), which factor encompasses the human resources and additional support needed to carry out a mission essential function? Outputs Inputs Process flow Staff

Staff OBJ: 5.3 - Staff is the component of a BPA that identifies the personnel and various supports that are essential for the execution of a critical function. Though process flow describes the operational steps in detail, it does not specifically focus on the personnel and support resources. Outputs concern the data or products generated by the function, not the resources that support the function. Inputs define the required information for a process and the implications of their timing, not the human and support resources.

Which of the following terms BEST describes a situation in which a company avoids addressing known system inefficiencies or shortcuts due to time constraints, potentially leading to future rework and vulnerabilities? Technical debt Cost Single point of failure Complexity

Technical debt OBJ: 4.7 - Technical debt represents the future cost of rectifying present-day shortcuts or less optimal solutions. It can arise when known inefficiencies aren't addressed due to various constraints, like time. While complexity might become a result in this situation, it primarily denotes the intricacy of a system or process. Single point of failure refers to a vulnerable component whose failure can disrupt an entire system, not the consequence of avoiding known system inefficiencies. While accumulating technical debt can lead to increased costs later on, the term 'cost' generally pertains to the financial considerations of a decision or action, not the implications of deferring system improvements.

Which of the following statements BEST explains the importance of the Bug Bounty program in the context of vulnerability management? The bug bounty program encourages ethical hackers to identify and report security vulnerabilities The bug bounty program primarily involves discovery and reporting of worms and viruses that can infect systems The bug bounty program helps organizations track and manage hardware and software assets The bug bounty program is responsible for conducting regular penetration testing on an organization's network to identify and remediate security weaknesses

The bug bounty program encourages ethical hackers to identify and report security vulnerabilities OBJ: 4.3 - A bug bounty program encourages ethical hackers and security researchers to actively search for and responsibly report security vulnerabilities in an organization's systems and software. By doing so, organizations can proactively address potential threats before they can be exploited by malicious actors, ultimately enhancing their overall security posture. While bug bounties can reveal worms and viruses, their primary use is to discover vulnerabilities in systems and software that malicious actors can exploit. While tracking and managing hardware and software assets is essential, the bug bounty program's primary focus is on security vulnerability identification and management. While penetration testing is important for identifying and remediating security weaknesses, it is not synonymous with a bug bounty program.

In Dion Training's data management framework, Scherazade determines why and how data will be collected. She then directs Sahra on what should be done with the data that is collected. Which of the following BEST describes the roles that Scherazade and Sahra have? The data controller and the data processor. The data owner and data custodian. The data owner and the data processor. The data custodian and the data controller.

The data controller and the data processor. OBJ: 5.4 - Scherazade is the data controller because the data controller determines how and why the data is collected and used. Sahra is the data processor because the data processor follows the data controller's directions for using the data that is collected. The data owner is the person who is ultimately responsible for the confidentiality, integrity, and availability of the data. The data custodian handles the management of the system used to store and collect the data.

As a security analyst, you are investigating a suspicious file activity incident. While examining metadata associated with different files, which of the following pieces of information is NOT typically presented in metadata? File's creator File size Date and time of last modification The file extension of the file

The file extension of the file OBJ: 4.9 - Metadata does NOT normally include the file's extension. The name of the user who created the file is often included as part of the file's metadata. This is crucial information during an investigation of unauthorized file access or alteration. File size is a common piece of metadata. This could potentially be useful in an investigation if, for example, a file's size significantly changes without a clear reason. Date and time of last modification is an integral part of metadata. This can help establish timelines of activity and identify any unexpected changes, which is crucial during an investigation.

In digital forensics, which of the following is MOST crucial to consider when determining the requirements for an investigative report? The software tools used in the investigation. The geographical location of the incident. The personal preferences of the forensic analyst. The intended audience of the report.

The intended audience of the report. OBJ: 4.8 - Understanding the audience, whether it's legal professionals, executives, or technical teams, determines the report's depth, language, and emphasis. An objective, standardized approach is favored in digital forensics over individual preferences in reporting. While the location might influence some elements of a case, it doesn't typically dictate the structure or content of the report itself. While important for internal records and repeatability, the specific tools used don't typically define reporting requirements.

Why are CVE identifiers important for cybersecurity professionals? They offer a standardized way to share vulnerability data. They assign severity scores to vulnerabilities. They provide mitigation techniques for vulnerabilities. They track software versions and updates.

They offer a standardized way to share vulnerability data. OBJ: 4.3 - CVEs allow cybersecurity professionals to talk about vulnerabilities in a consistent manner, ensuring everyone is on the same page. While CVEs detail vulnerabilities, they don't typically prescribe specific mitigation methods. Those come from other sources like vendor advisories. Severity scores, like those from CVSS, evaluate the risk of vulnerabilities, whereas CVEs simply identify them. CVEs identify vulnerabilities but don't serve as a versioning or software update system.

Which of the following objectives is primarily fulfilled by using questionnaires during vendor assessments? To facilitate a comparative analysis of the financial aspects of vendor proposals. To establish the groundwork for future contractual negotiations. To obtain detailed insights into the vendor's security posture and risk management. To assess the effectiveness of a vendor's marketing and promotional tactics.

To obtain detailed insights into the vendor's security posture and risk management. OBJ: 5.3 - Contract negotiations indeed require understanding of a vendor's practices, but questionnaires are specifically employed to gain a comprehensive understanding of their security and risk management, not as a basis for contract terms. While financial considerations are important in vendor assessments, the questionnaires are tailored to extract security-related information rather than to compare costs directly. Evaluating marketing strategies is not the purpose of security questionnaires; these tools are meant to delve into the vendor's security controls and procedures to manage and mitigate risks. To obtain detailed insights into the vendor's security posture and risk management is the primary goal of a questionnaire in the vendor assessment process, ensuring that the organization can ascertain the vendor's adherence to security policies, disaster recovery plans, and compliance with regulations.

What is the primary purpose of internal compliance reporting? To prove to third party auditors that a company is complying with its internal processes To request additional information from agencies that are in charge of compliance To provide compliance updates to the organization's management To report compliance status to the public

To provide compliance updates to the organization's management OBJ: 5.3 - The primary purpose of internal compliance reporting is to provide updates on compliance status, identify potential issues, and inform the organization's management about its adherence to regulatory requirements and policies. Internal compliance reporting provides information about what exists to a company's managers. It doesn't involve requesting information. Internal compliance reporting is for the use of the company itself and is not meant to be shown to third party auditors. External compliance reporting would provide information to third party auditors. Internal compliance reporting is not intended for public disclosure; it is focused on internal communications within the organization.

Tara, a database specialist, is planning out the way in which data will be stored. She has decided to substitute the sensitive data with non-sensitive representations. The sensitive data and non-sensitive representation will be stored in a separate database. Which data security technique is likely being used? Non-human readable Hashing Obfuscation Tokenization

Tokenization OBJ: 3.3 - Tokenization is the process of substituting a sensitive data element with a non-sensitive equivalent, referred to as a token. The token and the data it substitutes are stored in a secure database. If the original data is needed, it can be accessed using the token and querying the database. The token will be a different size and have a different structure than the original data so the token can't be used to decipher the original data. Hashing is the process of converting an input of any length into a fixed size string of text, using a mathematical function. The process explained above doesn't indicate that a mathematical function is being used. Non-human readable data refers to a form of data that needs a computer or special software to interpret. In the case above both sets of data are human readable. Obfuscation is the hiding or camouflaging of information to prevent access to it. Obfuscation doesn't involve an additional database of linked sensitive and non-sensitive data.

The Frozen Dish, a home food delivery service, is reviewing their security systems. Royston, an IT manager, has explained the PKI system to his boss. His boss is alarmed by the idea of public keys and wants to purchase a storage device to save symmetric and asymmetric keys. Royston has explained that the Windows-based devices they use have this type of storage embedded in the motherboards. What is the name of the device that Royston is referring to? Key management system Secure enclave Trusted Platform Module (TPM) Hardware security module (HSM)

Trusted Platform Module (TPM) OBJ: 1.4 - TPM is a hardware-based storage system that contains keys, digital certificates, hashed passwords, and many other types of information used for authentication. It is embedded on device motherboards that use Windows operating systems. A secure enclave is a chip that is used only to secure encryption keys, hashes, and other important data. It is embedded in Apple and Android devices. An HSM is a physical computing device that safeguards and manages digital keys for strong authentication. It can be an external device or on an expansion card, but it is not embedded on the motherboard. A key management system is a process used to ensure that keys are kept secure by establishing standards of security. It is a set of policy decisions, not a device such as TPM or HSM.

Dizzy Crows has experienced a series of sophisticated cyberattacks targeting their endpoints. To improve security, the company has decided to implement Endpoint Detection and Response (EDR). Which of the following choices BEST explains the main advantage Dizzy Crows would gain after installing and configuring Endpoint Detection and Response (EDR) in the given scenario? Using EDR provides advanced behavioral analysis and threat intelligence to detect and respond to cyber threats on endpoints. EDR provides comprehensive authentication and encryption on host devices, limiting unauthorized users from viewing company data. EDR provides real-time monitoring and reporting of network traffic, enabling administrators to track data usage and bandwidth consumption. Implementing EDR allows the organization to enforce security policies and controls on all endpoints, reducing the risk of unauthorized access.

Using EDR provides advanced behavioral analysis and threat intelligence to detect and respond to cyber threats on endpoints. OBJ: 4.5 - The main significance of implementing Endpoint Detection and Response (EDR) in the given scenario is its ability to use advanced behavioral analysis and threat intelligence to detect and respond to sophisticated cyber threats on endpoints. EDR helps identify suspicious activities and potential breaches, enabling proactive responses to protect against advanced threats. While Endpoint Detection and Response (EDR) may provide some network monitoring capabilities, its primary focus is on monitoring and detecting security-related events and activities on endpoints, not specifically on network traffic monitoring. While Endpoint Detection and Response (EDR) may assist in enforcing security policies on endpoints, its primary purpose is to detect and respond to advanced threats, which is more relevant to the scenario. Endpoint Detection and Response (EDR) identifies suspicious activity and potential breaches, but it doesn't provide authentication and encryption tools.

Which of the following technologies allows creating multiple isolated environments on a single physical device? Software-defined networking Industrial control systems Virtualization Containerization

Virtualization OBJ: 3.1 - Virtualization is a technology that allows creating multiple isolated environments on a single physical device. It can offer benefits such as resource optimization, isolation, flexibility, and security. Industrial control systems (ICS) are systems that are designed to monitor and control physical processes in industrial environments, such as power plants, factories, or water treatment facilities, not creating multiple isolated environments on a single physical device. Containerization is a technology that allows running applications in isolated environments called containers, not creating multiple isolated environments on a single physical device. Software-defined networking (SDN) is a network technology that involves dynamically configuring and managing network devices and services through software, not creating multiple isolated environments on a single physical device.

Which of the following statements BEST explains the importance of the workforce multiplier? Workforce multiplier enables organizations to rapidly scale their security capabilities using a combination of human and automated resources. Leveraging the workforce multiplier allows organizations to replace manual security tasks with automated processes, improving efficiency. The workforce multiplier reduces the need for highly skilled and credentialed cybersecurity professionals, resulting in cost savings for the organization. The workforce multiplier limits the scope of security incidents by rapidly deploying virtual firewalls, preventing them from affecting a large number of users.

Workforce multiplier enables organizations to rapidly scale their security capabilities using a combination of human and automated resources. OBJ: 4.7 - The workforce multiplier refers to the ability to scale and amplify the effectiveness of the security team by combining the efforts of human professionals with automation and orchestration. This combination allows the organization to handle a larger volume of security tasks and incidents, thus enhancing their security capabilities. The workforce multiplier does involve automating certain security tasks, which can lead to improved efficiency. However, it is not just about replacing manual tasks but also about leveraging automation to enhance the overall capabilities of the security team. The workforce multiplier is not about reducing the need for skilled cybersecurity professionals. Instead, it is focused on augmenting the capabilities of the existing workforce with automation and orchestration, allowing them to accomplish more tasks efficiently. The workforce multiplier is not about limiting the scope of security incidents or deploying virtual firewalls.

A security researcher discovers a new vulnerability in an operating system that allows an attacker to execute arbitrary code with elevated privileges. He reports the vulnerability to the vendor and the vendor releases a patch. What type of vulnerability did the researcher find? Misconfiguration Cryptographic Zero-day Supply chain

Zero-day OBJ: 2.3 - A zero-day vulnerability in a system or software is unknown until it is discovered. This means that it won't be patched or fixed by the vendor until they know it exists. The security researcher has found a zero-day vulnerability. A misconfiguration vulnerability exploits an error or weakness in how a system or software is configured or set up. The security researcher is not exploiting a misconfiguration, but rather a flaw in the design or implementation of the operating system. A cryptographic vulnerability is a weakness in how data is encrypted, decrypted, hashed, signed, or verified. The security researcher has not found a cryptographic weakness, but rather a flaw in the operating system. A supply chain vulnerability is a weakness in one of the components or providers involved in delivering a product or service to the end user. The security researcher did not find a weakness in the supply chain, but rather a flaw in the operating system itself.
