Information Systems Security - C845

Réussis tes devoirs et examens dès maintenant avec Quizwiz!

disaster level 2

specifies a situation that affects a significant amount of the organization.

Formal briefing

states the overall program, including the current status of the system security manager's responsibilities, actions, and activities.

Briefing paper

states the purpose and actions required in implementing security programs for their unit of responsibility.

Ethernet

supports a number of different media standards such as coaxial, fiber-optic, and shielded and unshielded twisted-pair cables. It is an IEEE 802.3 standard and includes the speed of 100 megabits per second (Mbit/s) to 1,000 Mbit/s over both unshielded twisted-pair and fiber-optic cables.

Subject Labeling

the practice of applying a classification to a system or person requiring access to classified objects or data.

ILM (information life cycle management)

the practice of applying certain policies during the creation and maintenance of information. The organization may have several policies concerning the creation, classification, access, handling, and disposal of information. The security practitioner may be involved at any point during information life cycle management, including the classification and disposal of information as per existing policies.

The government/military data classification levels

top secret secret confidential

Signature-Based Detection

A signature-based monitoring system monitors network traffic based on previously established signatures of typical attacks. Similar to an anti-malware identification system, this type of system might identify different types of attacks through the methods used during the attack. For instance, a SYN flood attack is characterized by an attacker sending a large number of SYN packets with no responding acknowledgment packets. This opens a very large number of communication sessions. Other types of attacks can be identified through a library of signatures, thus triggering a response or action against the attack. Signature libraries must be kept up-to-date for this type of detection to be effective.

Anomaly-Based Detection

An anomaly-based monitoring technique is very similar to a behavior-based monitoring system in that it looks for something completely outside of the ordinary. This type of device is usually more intelligent and learns what normal looks like from the typical traffic flow and activity on the network. Should anything out of the ordinary appear, the device would then take action. An anomaly-based device can be set within established baselines or be set to use automated processes to monitor traffic patterns to determine the baseline.

Which step of the access control process provides strong evidence that an individual or system is actually who they claim to be? A Identification B Authorization C Authentication D Accounting

C Authentication

What is the main advantage of using a qualitative impact analysis? A qualitative impact analysis makes a cost benefit analysis simple. B qualitative impact analysis considers monetary facts and figures. C qualitative impact analysis identifies areas that require immediate improvement. D qualitative impact analysis provides specific measurements of attack impacts.

C It involves talking to people and allows for immediate improvement. Answers B, A, and D are incorrect. A quantitative impact analysis considers monetary facts and figures. It makes a cost benefit analysis simple and provides specific measurements of attack impacts.

What are the two prerequisites for ensuring accountability?

Identification and authentication. This way we can hold users accountable for their actions.

What mode is a network card placed in to ensure it can capture all traffic, even traffic not addressed to it?

Promiscuous

TCP 22

SSH and SCP

How many types of severity levels are there?

8

Question :What device works at Layer 2 and 3 of the OSI model?

Switch. A switch is a network device that routes traffic based on physical MAC addresses. Operating at the Data Link layer (layer 2) of the OSI model, switches switch information based on MAC addresses and are used to assemble virtual local area networks using a star network topology model. More intelligent network switches combine the ability to switch MAC addresses as well as route IP addresses. Because IP addresses are at OSI layer 3, this type of switch is referred to as a layer 3 switch.

UDP 49

TACACS

UDP 69

TFTP

risk appetite

The amount of risk an organization is willing to accept; an arbitrary measure of the aggressive or passive risk posture of an organization.

Standard

represents the criteria that must be met by a policy.

Kerberos steps in order

1. The user sends an authentication request to the Kerberos authentication server. 2. The Kerberos server responds with a secret symmetric key and a ticket-granting ticket, which is time stamped. 3. When the user desires access to a specific application, the user sends the request to a Kerberos ticket-granting server. 4. Upon receiving the ticket granting ticket, the ticket-granting server responds with a ticket for use with the target application. 5. The user presents the time-stamped session ticket to the application. 6. The application server verifies the session ticket by comparing the symmetric key contained in the ticket with the pre-shared key it has stored. If they match the application server, it authenticates the user and the ticket.

Which of the following MAC models prohibits conflict of interest within an organization? A Brewer-Nash B Biba C Bell-LaPadula D Clark-Wilson

A

Which of the following statements defines auditing? A Verifies that the product is in compliance with established performance requirements B Requests and changes proposals and their subsequent approval or disapproval C Displays the system status at any point in time D Processes logs and reports any change to configuration

A

Which type of monitoring continuously listens to the traffic on the network and automatically sends alerts based upon some criteria? A Real-time B SIEM C Passive D Active

A

What is a primary goal of security in an organization? A Enforce and maintain the AIC objectives B Mitigate the possibility of the use of malware C Eliminate risk D Maintain the organizations network operations

A Answer C is incorrect because eliminating risk is only part of a primary goal of security. Answers B and D are incorrect because they are not primary goals of security.

What is the purpose of a source system? A Anything that records or maintains data of interest B The data warehouse were open source code is saved C The original gold version of a computer which is cloned for enterprise deployment D The first computer

A Anything that records or maintains data of interest is a source system. This term, source system, is from the concept of security monitoring, logging, and auditing. It refers to any computer, service, or device which is able to record an event and then provide that recoded event data to a management or monitoring solution, such as a SIEM. A Security Information and Event Management (SIEM) provides real-time logging and analysis of security events. Answer B is incorrect. The data warehouse were open source code is saved is incorrect. The term source system is not related to the concern of open source vs. close source software. A source system is simply any system in an environment which can collect events and provide them to an analysis system. Answer C is incorrect. The original gold version of a computer which is cloned for enterprise deployment is incorrect. The term source system is not related to systems deployment methods. Answer D is incorrect. The first computer is incorrect. The first computer is generally regarded as the ENIAC from 1943. The term source system does not refer to the ancestor of all modern computers, but the idea of any system being able to provide event data for monitoring purposes.

Behavior-Based Detection

A behavior-based monitoring system monitors network traffic behavior, such as unusually high traffic, high-volume traffic destined for a specific port, high-volume traffic destined for specific IP address, and unusual control or request packets. Behavior-based detection is monitoring deviations in behavior from established baseline standards.

Clipping Level

A clipping level is an activity level established above the baseline that, when crossed, sets off an alarm or initiates some activity based upon an increased level of traffic on the network segment (Figure 8.19). A clipping level reduces noise and log entries.

Heuristic-Based Detection

A heuristic-based monitoring technique produces a solution by monitoring network traffic and providing a result based on good enough information. A type of learning system, it uses just enough information to arrive at a solution. Thus, it is very fast, but it is also potentially inaccurate. A heuristic system uses algorithms to analyze traffic passing through a network; the algorithms can be used by themselves or in conjunction with other techniques and information to improve their efficiency and accuracy. Many manufacturers are concentrating their efforts on the development of heuristics and intelligent sensing devices rather than signatures and baseline monitoring. The downside is that the systems are prone to errors if not adjusted correctly.

change control

A methodology and formalized structure of presenting, analyzing, authorizing, and recording changes to systems and applications.

How is a digital certificate created? A) subject's public key is signed by a CA's private key. B) A random key is encrypted by a recipient's public key. C) A communication exchange of discover, offer, request, and acknowledge occurs. D) A Diffie-Hellman key exchange is performed.

A) A digital certificate created by a subject's public key is signed by a CA's private key. A subject will generate a random private key, then derive a correlated public key using the proper asymmetric algorithms. The subject's public key is submitted to the CA (certificate authority). The CA performs an identity verification, then builds the digital certificate. The digital certificate is created by the CA using their private key to sign the subject's public key. Additional details and parameters are defined in an attached text component as defined by the X.509 v3 certificate standard. Answer D is incorrect. A Diffie-Hellman key exchange is performed when exchanging a symmetric key over an insecure communication medium. Answer C is incorrect. A communication exchange of discover, offer, request, and acknowledge is the process of obtaining an IP address lease from a DHCP server. Answer B is incorrect. A random key that is encrypted by a recipient's public key is known as a digital envelope. It is a means of secure symmetric key exchange over an insecure medium.

Why is a continuous monitoring scheme implemented in a typical organization? A To take notice of events of interest B To improve social engineering resistance C To reduce employee resource waste D To deflect denial of service attacks

A. A continuous monitoring scheme is implemented in a typical organization to take notice of events of interest. Each organization will have some variation as to what events are of significant concern as compared to others. Some typical examples of events of interest include multiple successive failed login attempts, port scans, significant increase in protocol load, odd content submitted by visitors, attempting to access sensitive resources, and normal user accounts attempting to perform administrative functions. Events of interest are often indicators of intentional attack or exploit attempts by internal personnel or external entities. It is essential for these events to be noticed and for the security staff to be made aware of them to trigger appropriate incident response and management strategies. Answer C is incorrect. Continuous monitoring is NOT implemented to reduce employee resource waste. Employee resource waste is a modest concern for most organizations. There is always some level of employee resource waste, whether it is time, bandwidth, storage space, or monetary funds. However, generally employee waste is not considered an event of interest at the same level as an intentional intrusion. Answer B is incorrect. Continuous monitoring is NOT implemented to improve social engineering resistance. Events of interest recorded into an audit log may reveal the occurrence of social engineering attacks. However, the act of recording the events of interest does not improve social engineering resistance. Improving social engineering resistance requires an interpretation of the audit logs, designing a response strategy, and implementing that strategy. Answer D is incorrect. Continuous monitoring is NOT implemented to deflect denial of service attacks. Events of interest recorded into an audit log may reveal the occurrence of a denial of service attack. However, the act of recording the events of interest does not deflect denial of service attacks. Deflecting denial of service attacks requires an interpretation of the audit logs, then designing a response strategy, then implementing that strategy.

What is a primary record used to maintain a record of risks? A Register B Record C Transaction Log D Documentary

A. A risk register is a primary document used to maintain a record of risks. It is a direct output of the risk assessment process. A risk register includes a detailed description of each risk that is listed.

Why is a security impact assessment performed as part of a change management process? A To determine the likelihood of downtime or security reduction caused by a potential change B To review the level of security against the efforts involved in testing change C To find out if sufficient funds have been allocated to the security function D To assess compliance with regulations

A. A security impact assessment is performed as part of a change management process to determine the likelihood of downtime or security reduction caused by a potential change. The security impact assessment determines what effects a change will have, which systems will be affected by the change, and how significant the change's impact is on overall organizational security. This information is used by the Change Control Board (CCB) or Change Approval Board (CAB) to decide whether or not to implement a change or if additional research or mitigation efforts are required. Answer D is incorrect. A security impact assessment is NOT done to assess compliance with regulations. The CCB or CAB will take into consideration how the change will affect regulations compliance, but it is a distinct element of change management. Answer C is incorrect. A security impact assessment is NOT done to find out if sufficient funds have been allocated to the security function. The CCB or CAB will consider cost as part of change management. Answer B is incorrect. A security impact assessment is NOT done to review the level of security against the efforts involved in testing change. The CCB or CAB will consider the effort and cost of evaluating a change, but in most cases they will approve whatever level of evaluation is necessary to accomplish the task. The goal is to avoid reduction in organizational security while still allowing approved changes to take place.

What is the type of access control in the default access control method found in Microsoft Windows which allows users to share files? A Discretionary access control B Sensitivity-based access control C Rule-based access control D Mandatory access control

A. Answers D, C, and B are access controls, but they do not allow users to share files at their discretion.

Which of the following types of activities is NOT commonly performed in preparation for a security assessment? A Apply patches. B Analyze the change management procedures. C Review the security policies. D Collect host configuration documentation.

A. Applying patches is not an activity commonly performed in preparation for a security assessment. Applying patches is often part of the remediation actions taken after the security assessment. The security assessment will determine where security is lax or where improvements to security can be made. This may then require remediation activities such as removing equipment, changing configuration, altering business processes, and applying patches. Answer D is incorrect. Collecting host configuration documentation is a common activity performed preparation for a security assessment. Answer C is incorrect. Reviewing the security policies is a common activity performed preparation for a security assessment. Answer B is incorrect. Analyzing the change management procedures is a common activity performed preparation for a security assessment.

Which choice is not a common means of gathering information when performing a risk analysis? A Interviewing fired employees B Utilizing automated risk poling tools C Distributing a multi-page form D Reviewing existing policy documents

A. As interviewing terminated employees is not a common information-gathering technique for risk analysis. Answers C, B, and D are incorrect because they are common techniques.

Which of the following is part of a business continuity plan? A The recovery point objective B The maximum tolerable downtime C The recovery time objective D Disaster recovery planning

A. Business continuity planning includes set of responsibilities, procedures, or processes followed when any incident or disaster occurs, which helps to maintain business operations after the occurrence of an incident or disaster. The recovery point objective (RPO) is part of a business continuity plan. The recovery point objective is the date or time of the last known good data that can be used as a backup to restore systems. Answer C is incorrect. The recovery time objective (RTO) is used to determine the maximum time a data recovery process will take. Answer D is incorrect. Disaster recovery planning is a documented set of procedures used to recover and restore IT infrastructure, data, applications, and business communications after a disaster event. Answer B is incorrect. Maximum tolerable downtime (MTD) is the longest period of time a business can be inoperable without causing the business to fail irrecoverably.

Which of the following is referred to as a Type I error? A False rejection rate B Crossover error rate C False acceptance rate

A. False Acceptance Rate (FAR): FAR is also referred to as a Type II error.

How can a user be given the power to set privileges on an object for other users when within a DAC operating system? A Grant the user full control over the object. B Remove special permissions for the user on the object. C Issue an administrative job label to the user. D Give the user the modify privilege on the object.

A. Granting the user full control over the object will provide a user with the power to set privileges on an object for other users when within a DAC operating system. Three other methods within a DAC environment to accomplish this are to 1) have the user be an owner of the object, 2) grant the user the change permissions special permission, or 3) be a member of the administrators group. Any user who creates a new object is automatically the owner of that object, but administrators can either take ownership or grant ownership to other users. Administrators can take ownership in order to gain full access over an object. Answer D is incorrect. Giving the user the modify privilege on the object is incorrect. The modify privilege is the ability to edit or delete an object. It does not grant the change permissions permission to the user. In a DAC operating system (OS), the user would need to be granted full control, take ownership, or be an administrator to set privileges for other users. Answer B is incorrect. Removing special permissions for the user on the object is incorrect. In a DAC OS, a special permission exists to grant only the set permissions ability to a user. It is called the change permissions permission. Removing special permissions would prevent a user from setting privileges for others, so this is the opposite of what is needed. Answer C is incorrect. Issuing an administrative job label to the user is incorrect. DAC does not use job labels. RBAC (role-based access control) uses job labels.

Why is it important to evaluate intangible assets while performing a risk assessment? A Not all assets are tangible. B Only tangible assets have value. C Intangible assets cannot be harmed by threats. D They can be sold for operating funds.

A. It is important to evaluate intangible assets while performing a risk assessment because not all assets are tangible. Many assets are intangible, such as trade secrets, intellectual property, proprietary data, customer databases, contracts, agreements, public opinion, market share, customer loyalty, and any and all data storage. Generally, an intangible asset is one that is not a physical item. However, intangible assets can be very valuable and thus need protection. Evaluating the risks to intangible assets is an early step towards implementing proper security measures. Answer B is incorrect. Both tangible and intangible assets have value. Answer C is incorrect. Intangible assets can be harmed by attacks or accidents. It is important to provide adequate security protections for both tangible and intangible assets. Answer D is incorrect. While some intangible assets can be sold, such as a customer database, other cannot, such as public opinion and customer loyalty. Regardless, the reason to evaluate intangible assets while performing a risk assessment is because they need security protection, not because they can be sold for cash.

How is granular control of objects and resources implemented within a mandatory access control environment? A Need to know B ACLs on objects C Job label D Logical location assessment

A. Need to know is the means by which granular control of objects and resources implement within a mandatory access control environment. In most MAC environments, there are only a few levels of classification. To provide more granular control over object access, objects of unique value, special use, or sensitive content are restricted by need to know. A subject with the proper clearance for a specific classification label does not gain access to all objects and resources in that level automatically. Instead, subjects are assigned need to know permissions on those objects which are necessary for the completion of assigned work responsibilities. Answer C is incorrect. Job labels or role labels are used in role-based access control (RBAC). Job labels are not used in MAC. MAC uses clearance labels. Answer B is incorrect. ACLs are used in discretionary access control (DAC). ACLs are not used in MAC. MAC uses clearance labels. Answer D is incorrect. Logical location assessment is incorrect. Logical location-based access control may check IP address, MAC address, OS version, patch level, subnet membership, VLAN membership, or routed path to determine whether to grant or restrict access. Logical location is not used in MAC. MAC uses clearance labels.

Which of the following best describes privileged users? A They are super-users or administrators B They are anonymous users C By default have access to everything on the network D They all must work in the IT department

A. Privileged users are also known as super-users or administrators.

Which of the following best describes a threat exploiting a vulnerability? A Risk B Brute force C Power supply brownout D A hurricane

A. Risk is the probability for likelihood that a threat will exploit the vulnerability.

Organization policies are generally created in response to the requirement to meet certain criteria. Which of the following best details these requirements? A Standards B Baselines C Policy Requirements Document (PRD) D Procedures

A. Standards are the part of a policy that lists the criteria that must be met by the organization.

What must every policy possess in order to be successfully implemented? A Senior executive endorsement B Scope and statements from stakeholders C An enforcement provision D Controls and procedures statement

A. The policy will be doomed to failure if it does not have senior executive endorsement or a mandate from senior management.

What is the primary benefit of a security camera for physical security? A Detective B Corrective C Directive D Preventative

A. The primary benefit of a security camera for physical security is detective. A security camera is a recording device and is a physical activity auditing system. Anything that takes place in view of a camera can be recorded. Thus, the camera serves as a detective security mechanism for physical security. A security camera can also be considered a deterrent as well. Answer C is incorrect. A security camera does not provide directive security control. A directive control gives instruction on how to act or behave, such as a sign, policy, or verbal statement from a security guard. Answer D is incorrect. A security camera does not provide preventative security control. A preventative control attempts to stop a violation from occurring, such as locks on doors, mantraps, and turnstiles. Answer B is incorrect. A security camera does not provide corrective security control. A corrective control attempts to restore a mechanism back to its desired, normal, and secure state. Examples include a spring on a door, a daylight sensor on a light, and a security guard who can lock a door.

What is the purpose of sharing threat intelligence? A Equip other organizations to handle a looming security concern. B Prevent lawsuits based on retaining proprietary information. C Misdirect attackers into thinking their exploit is universally blocked. D Remove all private ownership of intellectual property.

A. The purpose of sharing threat intelligence is to equip other organizations to handle a looming security concern. Only through sharing of known security problems are they typically resolved. This is due to the public demand to repair a problem once it is known, as well as keeping the vendor aware of an issue that needs to be addressed. If one organization is compromised by a new attack, when information about the new attack is distributed, other organizations can take steps to protect their assets. Answer D is incorrect. The sharing of threat intelligence is not intended to remove all private ownership of intellectual property, including disclosing trade secrets, intellectual property, or personnel data. Answer C is incorrect. Sharing threat intelligence is NOT done to misdirect attackers into thinking that their exploit is universally blocked. Just because an attack is widely known does not mean that everyone with knowledge of the attack has protected themselves against it. There are many exploits that have been known for a decade which are still being used to harm organizations that have failed to implement the proper defenses. Answer B is incorrect. Sharing threat intelligence does NOT prevent lawsuits based on retaining proprietary information. The sharing of threat intelligence might have some effect in reducing lawsuits based on an organization's retention of information that should have been disclosed. However, that is not the purpose of sharing threat intelligence.

Why should the risks of an organization be reported as defined by enterprise risk management (ERM)? A It helps with internal transparency, risk assessment, risk response, and risk monitoring. B It assists with strategic planning, compliance, and training. C It is a means to predict loss, select countermeasures, and reduce downtime. D It is a government regulation.

A. The risks of an organization should be reported as defined by enterprise risk management (ERM) because it helps with internal transparency, risk assessment, risk response, and risk monitoring. Risk reporting creates and maintains an inventory of risks. Everyone in the organization should report all security concerns to the security staff. Those on the risk management team will review each reported risk and add it to the risk register. The risk register is the centralized reporting and management tool of ERM used to facilitate proper risk handling. Once a risk is reported, it is now visible and known to all other decision makers in the organization, thus proving internal transparency. Once a risk is known, the processes of assessment, response crafting, and monitoring can take place. Answer B is incorrect. ERM's purpose is NOT to assist with strategic planning, compliance, and training. According to ERM, the purpose of risk reporting is to assist with internal transparency, risk assessment, risk response, and risk monitoring. The concept of strategic planning is part of ERM, but not as part risk reporting. Typically the concept of strategic planning is used in the context of security policy construction; thus it would apply throughout the organization. Compliance is an important part of security management, but not necessarily a primary component of ERM. Some standards may require reporting; but without that, risk reporting is not directly tied to compliance. Any changes to the organization implemented in order to address a risk must be evaluated in regards to compliance. Training is also essential to security management, but not directly related to risk reporting. Answer D is incorrect. ERM is NOT a government regulation. There is not a universal government regulation requiring risk reporting. Risk reporting is, however, an important part of a properly implemented ERM. Answer C is incorrect. ERM is NOT a means to predict loss, select countermeasures, and reduce downtime. These items are not directly related to risk reporting. Loss prediction and countermeasure selection is part of risk assessment. Downtime reduction is an overall goal of ERM.

How is the total amount of potential risk calculated for a single asset and a specific threat? A Accumulate residual risk B SLE x EF C AV x CCM - EF D AV x EF x ARO

AV x EF x ARO is the formula used to calculate the total amount of potential risk calculated for a single asset and a specific threat. This formula is based on three values: AV, EF, and ARO. Asset value (AV) is a value based on both tangible and intangible value of an asset to the organization. Exposure factor (EF) is a prediction as to the percentage of loss that would be experienced if a specific threat is realized against a specific asset. Annualized rate of occurrence (ARO) is a prediction as to the number of times in the next year that the threat could be realized. When these three values are multiplied together they produce the annualized loss expectancy (ALE). The full formula is thus: ALE = AV x EF x ARO.For example, an asset could be a file server which has an AV = $1,000,000; a threat could be a fire which could have an EF = 75%; and the ARO of the firewall is .1 per year, thus the ALE would be $1,000,000 x 75% x .1 = $75,000. Answer A is incorrect. Accumulate residual risk is incorrect. The remaining risk after countermeasures and other risk mitigation strategies are applied to an organization is known as residual risk. The means to assess residual risk is: total initial risk - countermeasure benefit = residual risk. However, this concept and formula are not the means to calculate the potential risk of a single asset and a specific threat. Answer C is incorrect. AV x CCM - EF is the wrong formula for calculating the ALE or total amount of potential risk calculated for a single asset and a specific threat. CCM is part of the cost benefit equation, which is: [ALE1 - ALE2] - CCM = benefit. In this equation, ALE1 is the calculation of ALE prior to the countermeasure and ALE2 is the reduced ALE based on the countermeasure being implemented. CCM stands for cost of the countermeasure. Since any security measure will cost something, such as purchasing, licensing, downtime, training, management, and implementation. This must be subtracted from the benefit otherwise provided by the countermeasure. If the benefit calculated by this equation is larger than any other considered countermeasure, then it would likely be the best security choice to implement. Let's look at an example of the use of the cost/benefit equation to determine a countermeasures benefit. Suppose that the ALE calculated for a database at risk of remote access exploitation might be ALE1 = $10,000,000, the proposed firewall countermeasure would cost $20,000 per year to implement (thus CCM = $20,000), and the ALE would be reduced to ALE2=$2,000,000 if the firewall was installed. With these values, the [ALE1 - ALE2] - CCM would be [$10,000,000 - $2,000,000] - $20,000 = $7,980,000. Thus, the benefit of the firewall for this database against the risk of remote access exploitation is $7,980,000. Answer B is incorrect. Single loss expectancy (SLE) is sometimes used as a step in the process of calculating ALE. The SLE equation is: SLE = AV x EF. For example, an asset could be a file server which has an AV = $1,000,000 and a threat could be a fire which could have an EF = 75%; thus the SLE would be $1,000,000 x 75% = $750,000. This answer is incorrect because it is an incomplete formula for calculating the ALE or total amount of potential risk calculated for a single asset and a specific threat. It is also incorrect as it would use the EF element twice in the calculation, i.e. AV x EF x EF.

Network monitors can have two modes. What are they?

Active, Passive

802.11a

Amendment a provides wireless bandwidth up to 54 Mbit/s using the 5 GHz frequency spectrum.

802.11b

Amendment b provides wireless bandwidth of up to 11 Mbit/s using the 2.4 GHz frequency spectrum. The specification also includes the ability to scale back to transmission rates of 5.5, and 2 Mbit/s for slower devices. Originally referred to as 802.11 high-rate, this was the original standard selected by the Wi-Fi alliance to be denoted as Wi-Fi.

802.11g

Amendment g provides wireless bandwidth of up to 54 Mbit/s using the 2.4 GHz frequency spectrum.

802.11i

Amendment i provides for security enhancements to the wireless standard and is referred to as WPA2 that uses the AES encryption algorithm.

802.11n

Amendment n provides for wireless bandwidth in a range from 54 Mbit/s to 600 Mbps and can operate at both 5 GHz and 2.4 GHz. This amendment offers the greatest flexibility with the least amount of interference.

Object Classification

An object is the data being accessed by a subject. During the process of object classification, an object such as a document is labeled (classified) in some manner to illustrate the status of the information. For instance, it may be labeled company confidential, sensitive, or unclassified.

Which of the following is designed to change the risk culture from reactive to proactive and accurately forecast and mitigate the risk on any key programs? A SIEM B ERM C RMF D EF

B.

Question :What are the two categories of Logical Access controls? A Hardware B Software C Virtual D Permissions

Answers A and B are correct. Logical controls are usually established to protect the data, applications, hardware, and network devices from hackers, malware, intruders, and simply mistakes users can make. These types of controls are usually grouped into two categories with much overlap. The categories are hardware and software.

Which of the following enables individuals to review the continuity plan or disaster recovery plan? A Tabletop test B Checklist test C Parallel test D Simulation test

B

Which was originally programmed for UNIX systems by Massachusetts Institute of Technology (MIT)? A Single sign-on B Kerberos C Federated access D Centralized authentication

B

Select the items below which are techniques used to gather information relevant to an asset? A Penetration Tests B Onsite Reviews C Questionnaires D Scanning Tools

B, C, D. A questionnaire may ask for identification of all hardware and software items within a department. Onsite interviews might be deemed much more effective than attempting to retrieve questionnaires that were previously sent to individuals. A wide variety of scanning tools are available that scanned for potential vulnerabilities on both networks and host devices.

A business asset is best described by which of the following? A Controls put in place that reduce the effects of threats B Competitive advantage, capability, credibility, or goodwill C Personnel, compensation, and retirement programs D An asset loss that could cause a financial or operational impact to the organization

B. Answer D is incorrect because it describes an incident that could negatively impact the organization. Answer A is incorrect because procedures are not assets. Answer C is incorrect because compensation and retirement programs are not assets.

What is the database used to interpret the details of SNMP communications? A Oracle B MIB C CRL D Syslog

B. A Management Information Base (MIB) is the database used to interpret the details of SNMP communications. A typical SNMP management console will include an MIB. This facilitates communications between source systems and the management console while enabling the display of human readable results. Answer C is incorrect. A certificate revocation list (CRL) is the list of revoked certificates which have been canceled by the issuing certificate authority (CA). Answer D is incorrect. The syslog is a centralized logging solution which is used to make real-time duplicate copies of logs from the primary source systems to a dedicated log warehouse server. Answer A is incorrect. Oracle is a DBMS or database management system. While Oracle is a database, it is not the standard MIB database used in the interpretation of SNMP communications.

Which of the following is an example of compensating control? A A padlock on a gate B A chain on the hotel room door C A red bucket of sand with the word, "Fire" D An insurance policy

B. A compensating control is a secondary control placed into use if the first or primary control is disabled or no longer usable. In this case, a hotel room door has a lock; the chain is a secondary or compensating control.

Which of the following is not a control category? A Physical B Preventative C Technical D Administrative

B. Although there are preventative controls, it is not one of the three major categories. Answers D, A, and C are incorrect because they are the three major control categories.

Which of the following is not considered an example of a non-discretionary access control system? A MAC B ACL C ABAC D RBAC

B. An access control list (ACL) is not considered an example of a non-discretionary access control system. ACLs are used by discretionary access control (DAC) systems. An ACL is placed on an object to define which subjects have been explicitly granted or denied access to that object. Answer A is incorrect. Mandatory access control (MAC) is an example of a non-discretionary access control system. MAC is based on the assignment of classification labels to subjects and objects. Answer D is incorrect. Role-based access control (RBAC) is an example of a non-discretionary access control system. RBAC is based on the assignment of a job role label to subjects. Answer C is incorrect. Attributed-based access control (ABAC) is an example of a non-discretionary access control system. ABAC is based on an attributed set on the subject and object, along with environmental conditions and specific policies.

How does an attribute-based access control system determine if a subject can access an object? A It evaluates the ACLs. B It assesses the characteristics of the subject, object, and/or environment. C It checks for classification labels. D It compares the job description.

B. An attribute-based access control system assesses the characteristics of the subject, object, and/or environment to determine if a subject can access an object. The characteristics or attributes on subjects, objects, and in the environment are used to assess whether a subject is granted or denied access to an object. The characteristics or attributes that determine access are defined by the organization's security policies. Answer C is incorrect. Attribute-based access control does NOT check for classification labels. Classification labels are used by mandatory access control (MAC), not attribute-based access control. Answer D is incorrect. Attribute-based access control does NOT compare the job description. Job descriptions or job labels are used by role-based access control RBAC), not attributed-based access control. Answer A is incorrect. Attribute-based access control does NOT evaluate the ACLs. ACLs are used by discretionary access control (DAC) not attribute-based access control.

How does discretionary access control determine whether a subject has valid permission to access an object? A Evaluate the attributes of the subject and object. B Check for the user identity in the object's ACL. C Compare the classification labels of the subject and object. D Assess the user's role.

B. Checking for the user identity in the object's ACL is the means by which discretionary access control (DAC) determines whether a subject has valid permission to access an object. DAC is based on assigning privileges to subjects through object-based access control lists (ACLs). An ACL is a list of subjects' identities or group identities and the privilege granted or denied to that entity. Any subject that is a member of a group which has assigned privileges inherits those privileges from the group. Answer D is incorrect. Assessing the user's role is incorrect. Role-based access control (RBAC) assesses the user's role or job label to determine access. Answer A is incorrect. Evaluating the attributes of the subject and object is incorrect. Attribute-based access control evaluates the attributes of the subject and object to determine access. Answer C is incorrect. Comparing the classification labels of the subject and object is incorrect. Mandatory access control (MAC) compares the classification labels of the subject and object to determine access.

What is the most important consideration in regards to communicating findings from a security monitoring system? A Informing the public of each security violation B Speed of presentation C Linking each violation to a standard vulnerability reference, such as the CVE D Having the presentation include all details related to an event

B. From this list of options, the speed of presentation is the most important consideration in regards to communicating findings from a security monitoring system. Maybe second only to accuracy, the speed at which responsible entities are made aware of a security concern is of utmost importance. The faster notification occurs, the faster a response can be initiated to contain the compromise or prevent further exploitation. Answer D is incorrect. Having the presentation include all details related to an event is incorrect. The speed of notification is the most important consideration for a security monitoring service from this list of options. Once a security operative receives the notification and starts their investigation of the incident, then complete details about the event will be required. The initial notification need only be a summary or a reference code to a type of security violation rather than the complete details. Answer A is incorrect. Informing the public of each security violation is incorrect. No organizational security monitoring system should ever trigger a public announcement of a security violation. Information about security breaches is of a sensitive nature and dissemination should be strictly controlled and limited to entities within the organization with remediation responsibilities or who have decision making powers. Answer C is incorrect. Linking each violation to a standard vulnerability reference, such as the CVE, is incorrect. Not every security violation detected by security monitoring systems will be directly related to a standard vulnerability reference. This is especially true when a company policy is violated. CVE or common vulnerabilities and exposures database is one of the more widely used exploitation references databases. The CVE is maintained by the MITRE organization at cve.mitre.org.

Which of the following provides a catchall and prevents an action from being taken after everything else has allowed through on a network? A Deny any B Implicit deny C Global deny D Explicit deny

B. Implicit deny is built into most routers and the catchall that prohibits the passage of anything that has not been ethically or explicitly authorized. Explicit deny may be any one of dozens of router rules that the administrator creates to allow specific traffic. Deny any might be part of an explicit rule. Global deny is a distractor.

To prevent any one person from having too much control or power, or performing fraudulent acts, which of the following solutions should not be implemented? A M of N control B Job rotation C Multiple key pairs D Separation of duties

B. Job rotation isn't appropriate because one person is still in charge of a particular position. M of N control, multiple key pairs, and separation of duties should be used to prevent a single person from compromising an entire system.

If subjects receive a clearance, what do objects receive? A Access point B Classification C Data Tag D Mandatory Access Control label

B. Objects within the U.S. military or government agencies may be issued a classification, classified top secret.

How can operational controls be used to improve security compliance? A Require M-of-N controls and place administrators into compartmented areas. B Set procedures for work tasks and provide training. C Implement encryption and multifactor authentication. D Track activities with auditing and review the audit logs.

B. Operational controls can be used to improve security compliance by setting procedures for work tasks and providing training. Operational controls are security mechanisms that are implemented and operated by personnel rather than by hardware or software. Operational controls include physical protection, training, hiring practices, supervisory review, incident response, media protection, configuration and change management, and termination practices. Most operational controls have the goal or focus of establishing or improving security compliance. Answer D is incorrect. Tracking activities with auditing and reviewing the audit logs is a technical control, not an operational control. Reviewing audit logs can be performed by an intrusion detection system (IDS) or security analysis data mining tool, and thus, would be a technical control. If the audit logs were reviewed by a person, then it would be an operational control. Because this is not a fully operational set of controls, this answer is incorrect for this question. Answer A is incorrect. Requiring M-of-N controls is a technical control, while placing administrators into compartmented areas is an operational control. Because these are not a fully operational set of controls, this answer is incorrect for this question. Answer C is incorrect. Implementing encryption and multifactor authentication is incorrect. Encryption and multifactor authentication are logical or technical controls.

When should security be implemented or included in the asset life cycle? A During the maintaining phase B As early as possible C Once the asset is being used in daily operations D Before implementation

B. Security should be implemented or included in the asset life cycle as early as possible. Security should be an essential element of all aspects of an organization, especially in relation to assets. Whenever possible, security should be included in the initial design and architecture of an asset. If that is not possible because the asset is obtained from outside sources, then including or implementing security as early as possible after procurement is essential. If security is added late in the asset life cycle, it will cost more and be less effective than when it is implemented earlier. Answer A is incorrect. Security may be implemented during the maintaining phase, but this is not the best answer. The maintenance phase is often the longest phase, as that is the phase of ongoing use and management once an asset is deployed. Security should have been implemented much earlier in the asset life cycle in order to increase its effectiveness and reliability. Answer D is incorrect. Security may be included before implementation, but this is not the best answer. For those assets which are crafted or constructed on premises, security should be implemented in the design phase. For externally procured assets, security integration may be forced to occur at the point of implementation. But this is not the general concept to follow. The concept is to implement security as early in the asset life cycle as possible. Answer C is incorrect. Security may be implemented once the asset is being used in daily operations, but this is not the best answer. Security should have been implemented much earlier in the asset life cycle in order to increase its effectiveness and reliability.

How is separation of duties typically implemented? A Assign each user a unique user account and require multifactor authentication. B Segment administrative tasks into compartments, and then assign one or more distinct administrators into each compartment. C Assign users the minimal privileges necessary to complete work tasks. D Verify that a sender sent a message and prevent that sender from denying having sent the message.

B. Separation of duties is typically implemented by segmenting administrative tasks into compartments, and then assigning one or more distinct administrators into each compartment. The risk of failing to implement separation of duties is to have administrators with full privileges across the entire environment. This places the organization at extreme risk to the administrators making mistakes, performing intentional malicious attacks, or having their accounts used by a hacker. Answer C is incorrect. Assigning users the minimal privileges necessary to complete work tasks is not how separation of duties is typically implemented. This is the definition of the principle of least privilege. Answer D is incorrect. Verifying that a sender sent a message and preventing that sender from denying having sent the message is not how separation of duties is typically implemented. This is the definition of non-repudiation. Answer A is incorrect. Assigning each user a unique user account and requiring multifactor authentication is not how separation of duties is typically implemented. This is the concept of user account creation, also known as enrollment or on-boarding.

Which of the following best describes a federated relationship? A HIPAA patient privacy requirements for healthcare providers B Third-party companies and their networks share customer data based upon a single sign-on to a primary organization C Numerous franchises in a geographical area D The airline industry

B. The Federation consists of third-party companies that share data based upon a one-time authentication of an individual.

What is the purpose of a baseline in relation to security monitoring? A Keeps configurations consistent B Notices trends away from normal C Evaluates purchasing requirements D Defines job task procedures

B. The purpose of a baseline in relation to security monitoring is to notice trends away from normal. Most of security monitoring is about detecting when activities and events are not normal. A key element in this activity is to know what is normal in order to be able to see when something is different than normal. The baseline provides that recorded or defined and established normal as a point of comparison. Baselines can be established by recording events and activities across a standard work period (such as an eight-hour shift or 24-hour day) or by writing out rules that dictate what actual or desired normal should be. In either case, the baseline should be revised or recreated whenever a significant but valid, authorized, and benign shift of normal takes place. Additionally, if no perceived shifting of normal has occurred, the baseline should be revised on a periodic basis, at least once a year, perhaps as frequently as once a quarter. Answer A is incorrect. Keeping configurations consistent is incorrect. A security monitoring baseline is used to detect when events occur that are different than normal. In other contexts, such as security configuration or systems management, a baseline may be used to establish consistent configurations. Answer D is incorrect. Defining job task procedures is incorrect. A security monitoring baseline is used to detect when events occur that are different than normal. Job tasks are defined in the procedures documents of the security policy. Answer C is incorrect. Evaluating purchasing requirements is incorrect. A security monitoring baseline is used to detect when events occur that are different than normal. Some security evaluation systems, such as the Common Criteria and ISO/IEC 15408, include a means to compare the offerings from the vendor's product to the security requirements of the organization. But this concept is not called a baseline. Instead the security requirement is called a Protection Profile and the vendor's product security specifications is known as the Security Target.

When an organization has a properly implemented enterprise risk management (ERM), what is the tool used to list and categorize each discovered or encountered risk? A Threat model B Risk register C Delphi technique D Cost/benefit equation

B. The risk register lists and categorizes each discovered or encountered risk within a properly implemented enterprise risk management (ERM). The risk register is the master list of all risks of the organization. It serves as a tracking document as well as a call to action. Each listed item on the risk register needs to be evaluated and responded to. The risk register is a key tool in the management and response systems implemented under an ERM. Answer A is incorrect. A threat model is an evaluation of threats which could be used to take advantage of an asset's vulnerabilities in order to cause harm. Answer D is incorrect. The cost/benefit equation is an evaluation of the benefit of a countermeasure to a specific risk of an asset in comparison to the cost of implementing that countermeasure. The cost/benefit equation is often written as [ALE1 - ALE2] - CCM = benefit. In this equation, ALE stands for annualized loss expectancy, which is the value of the asset multiplied by the percentage of loss of a specific threat multiplied by the number of times in a year that the threat could be realized (a.k.a. AV x EF x ARO). ALE1 is the calculation of ALE prior to the countermeasure, and ALE2 is the reduced ALE based on the countermeasure being implemented. In this equation, CCM stands for cost of the countermeasure. Because any security measure will cost something, such as purchasing, licensing, downtime, training, management, and implementation, this must be subtracted from the benefit, otherwise provided by the countermeasure. If the benefit calculated by this equation is larger than any other considered countermeasure, then it would likely be the best security choice to implement. Let's look at an example of the use of the cost/benefit equation to determine a countermeasures benefit. Suppose that the ALE calculated for a database at risk of remote access exploitation might be ALE1 = $10,000,000 and a proposed firewall countermeasure would cost $20,000 per year to implement (thus CCM = $20,000), and the ALE would be reduced to ALE2=$2,000,000 if the firewall was installed. With these values, the [ALE1-ALE2]-CCM would be [$10,000,000 - $2,000,000] - $20,000 = $7,980,000. Thus, the benefit of the firewall for this database against the risk of remote access exploitation is $7,980,000. Answer C is incorrect. The Delphi technique is a tool used in quantitative risk assessment. It is a means for a group to reach an anonymous consensus. It is similar to the method used by United States citizens when they vote. A group would hold a meeting. A team leader would present the information to be considered. Input from the attendees is requested. Any input is provided anonymously. Once a decision point is reached, anonymous voting takes place. The purpose of the Delphi technique is to avoid social issues, job status, seniority, and other biases from interfering with the free exchange of ideas in relation to security management.

How can an equivalent to RBAC be implemented in a DAC operating system? A Assign users classification labels. B Create groups with the names of jobs, assign privileges to the groups, and place users into named groups. C Assign users job labels. D Use filter lists to control access, set time restrictions, and block access based on logical address.

B. To create an equivalent role-based access control (RBAC) solution in a discretionary access control (DAC) operating system, an administrator should create groups with the names of jobs, assign privileges to the groups, and then place users into named groups. Thus, users will be members of job role named groups and inherit the privileges assigned to that group. This will result in users being able to perform their work tasks assigned to them. This is the same result as in a true RBAC system where a job label is created, privileges are assigned to the label, and then the label is assigned to or placed onto a user. Answer C is incorrect. Assigning job labels is just RBAC, not an equivalent of RBAC in DAC. Furthermore, DAC does not offer job labels, only access control via access control lists (ACLs) on objects. Answer A is incorrect. Mandatory access control (MAC) uses the assigning of classification labels. RBAC and DAC do not use classification labels. Answer D is incorrect. Filter lists, time restrictions, and logical address control are all valid means of access control, just not relevant to this scenario.

How can integrity be enforced or assessed across an entire computer system? A Check that the latest version of software updates has been applied. B Compare a baseline of hardware settings and software configuration against a live system. C View the available free space. D Take a hash calculation of all system files.

B. To enforce or assess integrity across an entire computer system, compare a baseline of hardware settings and software configuration against a live system. This activity is used to ensure that the integrity of an entire computer system has been retained. It is checking to see that a system is still in compliance with prescribed security policy and that user activities have not caused any unauthorized software to be installed or invalid settings to be applied. Answer D is incorrect. There are many more files on a computer than just those of the system itself, including third-party applications and user files. If hash calculations were to be used as a means to enforce or assess integrity across an entire computer system, then all of the files must be included, not just the system files. Answer C is incorrect. The amount of free space is not a direct indication of whether or not integrity is maintained on a system. Keeping track of free space may be a part of overall system monitoring, but it is not directly related to integrity management. Answer A is incorrect. This process is an element of system management and security management, but not integrity management.

In which of the following could a person gain too much control or power, and perform fraud? A M of N control B Job rotation C Multiple key pairs D Separation of duties

B. With job rotation, only one person performs the job function. Although people may be rotated in and out of the position, the position still maintains power and control. It is primarily used as a fraud prevention mechanism, rotating individuals between positions provides not only for cross training but also for the capability of cross-checking individuals' work. Answers A, D, and C are incorrect. M of N controls, multiple key pairs, and separation of duties should be used to prevent a single person from compromising the entire system.

Which of the following is valid regarding change management and the need for interoperability? A You should be able to run the same program on multiple systems simultaneously. B You should be able to exchange data based on common formats, day types, file formats, and/or protocols. C You should be able to manage a system remotely from any Internet connection. D You should be able to run the same binary code on any platform

B. You should be able to exchange data based on common formats, day types, file formats, and/or protocols regarding change management and the need for interoperability. This is the basic definition of interoperability. Change management needs to ensure that any pre-existing interoperability capabilities are maintained or re-established after a change is implemented, especially if that interoperability is used as part of a core business function. Answer D is incorrect. You should NOT be able to run the same binary code on any platform regarding change management and the need for interoperability. Interoperability is about the exchange of data, not the ability to execute a specific binary code on multiple platforms. Different operating systems or applications do not have to be using the same programming code in order to be able to exchange data. Answer A is incorrect. You should NOT be able to run the same program on multiple systems simultaneously regarding change management and the need for interoperability. This is almost the definition of clustering. Clustering is when two or more systems work together to support a single resource, such as a database or a file sharing service. All the members of the cluster run the same program in a shared interactive manner. While interoperability is a key element in clustering, the concept of running the same code on multiple systems at the same time is not the definition of interoperability. Answer C is incorrect. You should NOT be able to manage a system remotely from any Internet connection regarding change management and the need for interoperability. This is the definition of remote management or remote administration. It might also be used loosely in relation to cloud computing when managing a hosted resource remotely. In any case, it is not a valid statement in regards to interoperability.

Broadband Transmission Method

Broadband transmission, which is popular with cable television and networking providers, is used to multiplex a very large number of signals on a single media

What defines the amount of loss that might be experienced by an asset during a risk event? A Annualized loss expectancy B Single loss expectancy C Exposure factor D Annualized rate of occurrence

C

Which of the following allows users to be identified and authenticated to multiple networks or systems? A Single sign-on B Centralized authentication C Federated access D Decentralized authentication

C

Which of the following best describes the time that it takes to register with a biometric system, by providing samples of a personal characteristic? A Setup time B Throughput time C Enrollment time D Login time

C

Which of the following policies describes access controls for the privacy and security of corporate assets? A Retention B Physical security C Outsourcing D Network security

C

Which term refers to an in-house or third-party provided location where ongoing monitoring of the logical and physical security mechanisms of an organization is performed to provide a real-time situational awareness of the state of security? A Continuity of Operations Plan (COOP) B Intrusion Prevention System (IPS) C Security Operations Center (SOC) D Registration Authority (RA)

C. A security operations center (SOC) is an in-house or third-party provided location where ongoing monitoring of the logical and physical security mechanisms of an organization is performed to provide a real-time situational awareness of the state of security. A SOC is often an important component of security monitoring as it provides a centralized location for the collection, analysis, and coordinated response of security concerns. A SOC is sometimes defined as focusing more on physical security, while an information security operations center (ISOC) is focused on IT security concerns. However, the term SOC is used frequently to refer to either type of centralized security oversight. Answer D is incorrect. A registration authority (RA) is an element in a digital certificate hierarchy. An RA is used to collect use data and inform subjects of the validity or revocation status of certificates. An RA is not able to issue new certificates or revokes existing ones. Answer B is incorrect. An intrusion prevention system (IPS) is a tool used to deflect or counter attempted exploitation and intrusion attempts. It is often one of the many sources of information collected by a SOC to maintain situational awareness of the security state of an organization. Answer A is incorrect. A continuity of operations plan (COOP) is a business continuity document describing the responses and recovery efforts to implement in the event of a minor or major disaster that affects or disrupts core business functions.

Which of the following best describes a security policy? A Lists potential risk targets within the organization B It describes the requirement for shareholder satisfaction C Completely aligns with the mission, objectives, culture, and nature of the business D Makes extensive use of baselines and guidelines

C. A security policy must be in alignment with the mission, objectives, nature, and culture of a business. Organizational policies are not based on best practices.

What is a security procedure? A Specific criteria that must be met by implementation B Suggested practices C Detailed steps for performing specific tasks D Minimum hardware and software requirements

C. A security procedure is a document containing detailed steps for performing specific tasks. Procedures are the "how to" components of a security policy. All of the aspects of the policy itself, standards, baselines, and guidelines, are distilled into an organized process to perform specific tasks, such as installing new software, setting up firewalls, establishing secure communications, using encryption on mobile devices, and destroying sensitive documentation. Answer B is incorrect. Guidelines are the security policy document that contains suggested practices. Guidelines are to be used when a specific procedure does not exist. Generally, the guideline is used to craft a procedure document for the new task.Answer D is incorrect. Minimum hardware and software requirements are a baseline. A baseline is the security policy document that contains minimum hardware and software requirements or performance requirements. Answer A is incorrect. A standard is the security policy document that contains specific criteria that must be met by implementation.

An Acceptable Use Policy (AUP) is what type of control? A Detective B Corrective C Administrative D Compensating

C. Acceptable behavior of individuals within any organization is put forth in the acceptable use policy. This includes the use of facilities and equipment as well as a large number of other behavioral considerations. The acceptable use policy is an administrative control.

Physical, logical, and administrative are the three standard means of which the following? A Primary security B Mandatory access control C Access control D Intrusion detection system packet inspection

C. Access controls include mechanisms based upon policies, procedures, and user identification that control or determine what a user or subject may access and what permissions they have to read, write, or modify any information on a system. Physical, logical, and administrative are three types of access control.

What form of monitoring involves the injection of packets into communications in order to measure performance of various elements in the network? A Collaborative monitoring B Passive monitoring C Active monitoring D Post mortem monitoring

C. Active monitoring is the form of monitoring which involves the injection of packets into communications in order to measure performance of various elements in the network. The concept behind active monitoring is to introduce a known value or container into an active system and monitor the events around the injected element. In the case of general networking, active monitoring is the activity of injecting a standard network packet and monitoring its progress across network devices on its way to the destination. This is similar to how some highway traffic systems judge congestion by watching a pace vehicle pass through various monitoring points along a stretch of road. Answer B is incorrect. Passive monitoring collects data about objects, events, and packets that are natively present in the environment, rather than injecting new elements. Answer A is incorrect. Collaborative monitoring occurs when two or more entities, such as business partners or service providers, participate in overseeing the activities of a shared or common network or environment. Answer D is incorrect. Post mortem monitoring is a fictitious concept used in this question as a distracter

How are alterations to mission critical servers approved before implementation when a change management process is involved? A By providing a rollback option B By showing a less than 10% chance of failure C By being assessed by a Change Control Board D By documenting all changes that will take place

C. Alterations to mission critical servers are approved before implementation by being assessed by a Change Control Board. The Change Control Board (CCB) or Change Approval Board (CAB) is the individual or group of individuals assigned the responsibility to review the tested modifications. Their purpose is to determine if the risk of downtime or security reduction is minimal, and if not, what mitigations could be implemented to reduce the risk further. Only when the CCB/CAB is satisfied that a change will improve the organization in some way while minimizing downtime or other losses will a change be approved for implementation. Answer B is incorrect. Alterations are not approved by showing a less than 10% chance of failure. The CCB/CAB is responsible for determining if the benefit of a change outweighs the associated risks. There is no fixed level of risk that is used to make the approval determination. It is instead a subjective assessment based on a wide range of factors that are different for each and every evaluated change. Answer A is incorrect. Alterations are not approved by providing a rollback option. The CCB/CAB is responsible for determining if the benefit of a change outweighs the associated risks. Some risks can be reduced or eliminated through various implementation assistance mechanisms, such as disconnecting all network access before installation, rebooting before installation, verifying the installation files' hash values, and establishing a rollback option. A rollback option is the ability to return back to (i.e., roll back) a previous state of function. This is often accomplished with a backup, image backup, storage device cloning, or virtual machine snapshot. Answer D is incorrect. Alterations are not approved by documenting all changes that will take place. The CCB/CAB is responsible for determining if the benefit of a change outweighs the associated risks. Part of the change assessment process involves documenting all changes that will take place. This document is used by the CCB/CAB as part of their decision making process.

Why is an enterprise risk management (ERM) program implemented? A To reduce costs associated with security assessments B To promote decision makers from any sector of the organization C To establish a proactive risk response strategy D To provide public transparency to security operations

C. An enterprise risk management (ERM) program should be implemented to establish a proactive risk response strategy. Only with properly managed risk is any organization able to get ahead of the attack-react cycle. Through a well-designed and properly implemented ERM, an organization will become more aware of their risks. As a result, security measures to reduce risk will be implemented, reducing the likelihood of compromise and preparing responses for when compromises occur. Answer A is incorrect. ERM is NOT implemented to reduce costs associated with security assessments. ERM is used to reduce the cost of operating in an attack-react cycle. In such a condition, organizations often spend considerable effort and funds in repairing damage, in addition to addressing the exploited vulnerability. A security assessment is used to test or verify the security implementation of an organization. The cost of a security assessment is dependent upon the size of the organization, the depth of the test, and the time allotted to perform the evaluation. It is not controlled by the ERM program. Answer D is incorrect. ERM is NOT implemented to provide public transparency to security operations. ERM is not related to public transparency, but to the implementation of a proactive stance against security violations. Public transparency is not a standard part of security efforts in most organizations. There are some industries where regulations require certain aspects of an organization to be transparent to the public or to a governing body. Organizations should be publicly transparent to a point of providing sufficient details for trust and assurance of their customers and clients, but not to the point of revealing proprietary information or trade secrets. Answer B is incorrect. ERM is NOT implemented to promote decision makers from any sector of the organization. ERM is not related to personnel promotion. The decision makers of the organization should implement ERM.

Which of the following best describes an endpoint device? A Bridge B Router C Computer printer D Switch

C. Any device that terminates a network connection may be classified as an endpoint device. In this case, a computer printer is an endpoint device because nothing follows it on the network. Answer B is incorrect. A router is a networking device which enables a path between networks for connectivity. Routers operate at Layer 3 of the OSI model. Answer D is incorrect. A switch is a network device that links different network devices. Switches operate at Layer 2 of the OSI model. Answer A is incorrect. Bridge connects two local area networks and creates a single network. This function is called network bridging. Bridges also operate at Layer 2 of the OSI model.

Which of the following is any department or division of the US government required to follow? A X.509 v3 B PKCS C FIPS D 802.1x

C. Federal Information Processing Standard (FIPS) includes cryptography regulations that any department or division of the US government is required to follow. FIPS includes a wide range of publicly announced standards set or defined by the US government. Examples include FIPS 140-2 which is "Security Requirements for Cryptographic Modules" and FIPS 197 which is "Advanced Encryption Standard (AES)". Answer A is incorrect. X.509 v3 is the certificate standard used by most public certificate authorities. It is not a FIPS standard, although some of the requirements of FIPS standards are based on X.509 v3 certificates. Answer D is incorrect. IEEE 802.1x is the standard known as port authentication. It defines a means by which authentication can be leveraged or proxied for use by other local network devices or systems. It is not a FIPS standard, although some of the requirements of FIPS standards references IEEE 802.1x. Answer B is incorrect. Public Key Cryptography Standard (PKCS) is a set of public-key cryptography focused guidelines as defined by RSA Security Inc. These are not industry standards, as they are controlled by a private company, but they are widely adopted. Some PKCS elements are referenced in FIPS documentation.

Which trust architecture or model is based on the concept of an individual top level entity that all other entities trust and with entities organized in levels or layers below the top level? A Web trust B Transitive trust C Hierarchical trust D Peer trust

C. Hierarchical trust is the trust architecture or model that is based on the concept of an individual top level entity that all other entities trust with entities organized in levels or layers below the top level. A hierarchical trust model is commonly used in certificate authority (CA) configurations. The top entity in a hierarchical trust model is known as the root, an entity on a level below the root is known as an intermediary or subordinate, and an entity on the bottom level is known as a leaf. Answers D and A are incorrect. Peer trust is incorrect. A peer trust, also known as a web trust, is a trust between equals rather than to a top root. Answer B is incorrect. Transitive trust is incorrect. A transitive trust is used to allow a trust relationship to span across intermediary nodes. For example, if A trusts B, and B trusts C, and those trusts are transitive, then A also trusts C by way of B.

Which of the following is a practice of applying certain policies during the creation and maintenance of information? A NAC B BIA C ILM D SIEM

C. ILM. Information life cycle management.

Which of the following is the third canon of the (ISC)2 Code of Ethics? A Ensure the safety of society B Act honorably C Provide competent and diligent service D Meet all CEU requirements for this certification

C. Provide competent and diligent service to principles is the third canon of the (ISC)2 Code of Ethics.

Which of the following provides the best description of risk reduction? A Allows a third party to assume all risk for the enterprise B Pays all costs associated with risks with internal budgets C Alters elements of the enterprise in response to a risk analysis D Mitigates risk to the enterprise at any cost

C. Risk reduction alters elements throughout the enterprise to minimize the ability of a threat to exploit a vulnerability. It is the process of mitigating risks by placing controls in place. Answer D is incorrect because it is impossible to remove all risks. Risks are always present, and no risk can be reduced to zero. That's why only various controls can reduce risks to an acceptable level. No matter how hard someone try, there is always some level of risk on everything that you attempt. Answer A is incorrect because allowing a third party to assume all risk for the enterprise is one of four potential treatments for risk. The four treatments for risk are acceptance, transference, avoidance, and reduction. Answer B is incorrect because an organization accepts all the possible risks. Risk acceptance happens when the occurring risk is ignored, or its existence is kept uninformed.

You have been asked to help design the security awareness and training program for your company. Which of the following statements is NOT true regarding this program? A Management training should focus on protecting company assets. B The security training policy should state which department is responsible with end-user security training. C Specialized technical training should be provided for executives. D End-user training should focus on understanding security threats and social engineering.

C. Specialized technical training should be provided for users that must handle sensitive or confidential data--not executives. IT personnel should also obtain specialized technical training. Executive training should focus on the protection of business assets and the role that executives play in the overall security program. Answers A, D, and B are incorrect. Management training should focus on protecting company assets. End-user training should focus on understanding security threats and social engineering. The security training policy should state which department is responsible for end-user security training.

How is the chosen risk response strategy of risk acceptance proven and supported in a court of law? A By not applying countermeasures B Through the results of a qualitative analysis C With a document signed by senior management D Through storyboarding

C. The chosen risk response strategy of risk acceptance is proven and supported in a court of law with a document signed by senior management. This written proof of risk assessment, evaluation, consideration, and specifically choosing to accept or tolerate the risk is the valid means to support this decision in a court of law. Without a written document of this nature, the risk will be seen as being ignored. Ignoring risk is often considered negligent in the eyes of the court. Answer A is incorrect. When countermeasures are not applied, this could be either ignoring risk or risk acceptance. To an outside observer, both concepts look the same. However, the distinction is that under risk acceptance a formal written document defining the acceptance has been signed by senior management. Without that document, the risk has been ignored. Answer B is incorrect. An organization may make the decision to accept risk based upon the findings of a qualitative or quantitative analysis. However, the results and/or reports of qualitative (or quantitative) analysis are not sufficient in the eyes of the court as proof of choosing to accept risk. Only a senior management signed document is valid proof of the decision to accept risk. Answer D is incorrect. Storyboarding is a potential tool used in qualitative risk analysis. Storyboarding can be used to visually display complex threats to employees in order to improve their understanding of the risk and obtain from them useful response and opinions. An organization may make the decision to accept risk based upon the findings of a qualitative or quantitative analysis. However, the results and/or reports of qualitative (or quantitative) analysis are not sufficient in the eyes of the court as proof of choosing to accept risk. Only a senior management signed document is valid proof of the decision to accept risk.

What is the definition of risk? A A weakness in an asset B An entity that can cause harm to an asset C The probability or likelihood that an asset will be harmed D Anything used in a business task

C. The definition of risk is the probability or likelihood that an asset will be harmed. Risk can be calculated or assessed in many ways. One method is to combine the threat with the vulnerability with the chance that harm will occur within a given time frame, such as a year. This can be expressed by: risk = threat & vulnerability & likelihood. It is also possible to perform more specific calculations under a quantitative analysis approach. Quantitative risk analysis starts with creating an inventory of business assets. Then a list of potential threats is generated for each asset. For each asset-threat pair, calculations of asset value (AV) and exposure factor (EF) are determined. Asset value (AV) is a value based on both tangible and intangible value of an asset to the organization. Exposure factor (EF) is a prediction as to the percentage of loss that would be experienced if a specific threat is realized against a specific asset. Then, the rate at which a threat may cause harm to an asset is calculated, i.e. ARO. The Annualized rate of occurrence (ARO) is a prediction as to the number of times in the next year that the threat could be realized. When these three values are multiplied together they produce the annualized loss expectancy (ALE). The full formula is thus: ALE = AV x EF x ARO. Quantitative risk analysis uses the ALEs to prioritize risk response strategies and evaluate the benefit of countermeasures. Answer B is incorrect. A threat is an entity that can cause harm to an asset is incorrect. Answer D is incorrect. An asset is anything used in a business task. Answer A is incorrect. A vulnerability is a weakness in an asset.

Which of the following is a typical method of communicating a policy or policy change? A Instagram announcement B Handouts C Intranet announcement D Phone e-mailed blast

C. The organization's intranet is often the preferred method of communicating policy or policy changes. Social media and informal methods of communication such as including handouts and telephone calls should not be used to announce policy directives or policy changes.

What is user entitlement? A The default level of access given to users by the operating system B The level of privilege assigned to administrative accounts C The rights and privileges assigned to a user D The privileges inherited by a user

C. User entitlement is the rights and privileges assigned to a user. An entitlement is what is assigned or given to someone; thus, user entitlement is the abilities and access capabilities allocated to a user. User entitlements should be controlled by company policy and restricted based on the concept of the principle of least privilege. Answer D is incorrect. The privileges inherited by a user are not user entitlement. Inheritance is when benefits or access is provided to a member of a group or container. For example, if printer access is assigned to the group SalesForce, and a user is made a member of the SalesForce group, then the user inherits printer access. Answer A is incorrect. The default level of access given to users by the operating system is not user entitlement. The default level of access given to users is no access or denied access. This can also be called default deny or implicit deny. Answer B is incorrect. The level of privilege assigned to administrative accounts is not user entitlement. The permissions assigned to an administrative account are special privileges.

When an organization has limited visibility of their risk, in addition to how risk affects daily operations, in what state or condition is the organization? A Preventative state B Processing state C Reactive state D Proactive state

C. When an organization has limited visibility of their risk and on how risk affects daily operations, they are in a reactive state. A reactive state or condition occurs when an organization is only equipped to respond to compromises as they occur. This is a condition of always being behind and being pushed by security violations into taking actions, often without planning or consideration. Organizations should strive to break out of the reactive state in order to become proactive. By implementing a risk management and response strategy, an organization can become more aware of their ongoing and operational risks. They can take efforts to plan for potential compromises and how to response appropriately. By implementing a sound security strategy, risk can be managed rather than being only reacted to. Answer B is incorrect. A processing state is usually a term associated with a CPU when it is actively processing data or solving a problem. This is not usually a term used in risk management. However, it could be perceived as a risk management state when risk and compromise is addressed as it happens and would be similar to the correct answer of reactive. Thus, because this is not the standard term for this concept, this is not the correct answer. Answer A is incorrect. The term preventative is most often used in the context of types of security controls. An example is a preventative security control that attempts to make a violation not possible. It is not typically employed as a term in risk management. Answer D is incorrect. A proactive state is when an organization plans ahead by using solid security strategies to predict likely compromises and prepare appropriate responses for them. This technique of risk management aims at reducing the likelihood of compromise while being prepared to respond if a compromise does occur.

Coaxial Cable

Coaxial cable, or coax, is constructed as a large copper central conductor encased in a nonconductive dielectric material that is then encased within a braided copper shield. The entire assembly is then covered with a plastic casing. Coaxial cable is much less resistant to interference and cross talk. Also, due to the size of the central conductor, coaxial cable is capable of handling much greater current loads and is therefore ideal for radio antenna lead cables. Coaxial cable is much more expensive than twisted pair and requires a much wider bend radius.

List the severity levels in order.

Code 0 (Emergency): This is the highest alert, possibly affecting major sections of the network or applications. Code 1 (Alert): This indicates a major problem, such as the loss of a central application or communication method. Code 2 (Critical): This represents the loss of a backup or secondary device. Code 3 (Error): When detected, this means that the failure of an application or system was not critical in nature. Code 4 (Warning): Warnings are usually set to indicate that a threshold is near. For instance, server utilization is at 90 percent. Code 5 (Notice): These messages indicate potential problems that should be investigated. Code 6 (Information): These are status messages and no action is usually required. Code 7 (Debug): Debug messages are utilized by developers and programmers.

mobile code

Computer instructions, applications, or information that transfers automatically between devices without user intervention or sometimes knowledge.

business/private sector data classification

Confidential Private Sensitive Public

Which most accurately describes a safeguard? A Potential for a source to exploit a categorized vulnerability B A control designed to warn of an attack C Weakness in internal controls that could be exploited by a threat or a threat agent D Controls put in place to provide some amount of protection for an asset

D Answer A is incorrect because a safeguard does not exploit a vulnerability. Answer C is incorrect because weaknesses are defined as a vulnerability. Answer B is incorrect because safeguards do not warn of an attack.

Which choice is not a description of a control? A Controls reduce the effect of an attack. B Controls perform as the countermeasures for threats. C Detective controls uncover attacks and prompt the action of preventative or corrective controls. D Corrective controls always reduce the likelihood of a premeditated attack.

D. A corrective control stops an existing attack.

Which of the following is the best example of a threat agent? A A poor configuration in the authentication system B A zero-day attack C A flaw in the source code of a firewall D A disgruntled employee

D. A disgruntled employee is the best example of a threat agent from this list of four options. A threat agent is any entity which can initiate or control an attack against a target. A threat agent is typically a person, but can also be a natural event or an automated exploit. Under risk analysis, threat, threat agent, threat action, and threat vector are all closely related. A threat is something which can cause harm to an asset. A threat agent is the entity that can control or initiate an attack. A threat action is the attack or event of harm itself. A threat vector is the means or pathway by which a threat agent was able to gain access to an asset in order to realize the threat to perform the threat action resulting in damage. Answer B is incorrect. While a zero-day attack could be a threat agent if it was an automated tool, an exploit is labeled as a threat, generally speaking. Answer C is incorrect. A flaw in code is a vulnerability which can be harmed by a threat or taken advantage of by a threat agent. Answer A is incorrect. Poor configuration settings are similar to a flaw in code, thus it is a vulnerability which can be harmed by a threat or taken advantage of by a threat agent.

Your organization is using Kerberos for private network authentication. How does Kerberos demonstrate to a resource host that the identity of a user is valid? A A shared credential is issued to each principle in the realm. B A unique session key is used to encrypt the authentication communications. C A TGT is issued to the resource host. D An ST is issued to the user, which is then sent to the resource host.

D. A session ticket (ST) is issued to the user, which is then sent to the resource host. The resource host can verify the validity of the ST, and thus the user's identity, by checking with the key distribution center (KDC). This technique allows the user to be issued the master ticket-granting ticket (TGT) without exposing it to duplication or impersonation. The KDC issues an ST whenever users need to prove their identity to another principle in the Kerberos realm. Answer C is incorrect. The option that states a TGT is issued to the resource host does not demonstrate to a resource host that the identity of a user is valid. The TGT is issued to the user after successful authentication. This is the primary means of proof of the identity of the user. However, because it is a data file, it cannot be shown to or shared with any other system other than the KDC that issued it. Users must obtain an ST to prove their identity to a resource host. Answer A is incorrect. The option that states a shared credential is issued to each principle in the realm does not demonstrate to a resource host that the identity of a user is valid. The shared credential is a symmetric, pre-shared key given to all devices in the Kerberos realm. A Kerberos realm is the collection of devices authenticated by the same KDC. It is the same idea as a domain. The shared credential encrypts the unique session key crafted for a communication, but it is not directly responsible for proving the identity of a user as that is the function of the ST. Answer B is incorrect. The option that states a unique session key is used to encrypt the authentication communications does not demonstrate to a resource host that the identity of a user is valid. The unique session key is used to encrypt communications between the KDC and any member of the realm. Each communication uses a random symmetric key as the unique session key. The unique session key is essential to the security and protection of authentication traffic under Kerberos, but it is not directly responsible for proving the identity of a user as that is the function of the ST.

How does a typical SIEM or systems management console retrieve event details from a source system? A SMTP B IPSec C OVAL D SNMP

D. A typical SIEM or systems management console retrieves event details from a source system via Simple Network Management Protocol (SNMP). SNMP is used to exchange management information between source systems and management consoles. SNMP is defined by RFC1157 and operates over UDP ports 161 and 162. Answer A is incorrect. Simple Mail Transfer Protocol (SMTP) is not used to transfer event details between a source system and a management console. SMTP is used to transfer e-mail messages to the recipient. Answer C is incorrect. Open Vulnerability Assessment Language (OVAL) is not used to transfer event details between a source system and a management console. OVAL is a standardized vulnerability referencing language employed by vulnerability scanners. Answer B is incorrect. Internet Protocol Security (IPSec) is not used to transfer event details between a source system and a management console. IPSec are the native encryption features of IPv6 made into an add-on for IPv4. IPSec is used to encrypt IP communications. Some SNMP traffic will be protected by IPSec encryption, but IPSec is not essential to the transference of event data by SNMP.

During an access system audit, a number of active accounts were discovered from employees who had left the company over the past two years. What are these accounts called? A Long-term accounts B Ghost accounts C Pseudo-active accounts D Orphaned accounts

D. Accounts that no longer belong to any active employees were called orphan accounts. These accounts should be discovered during a rights and privileges audit and should be immediately closed. Answers A and C are incorrect. Long-term accounts and pseudo-active accounts do not exist.Answer B is incorrect. Ghost account sounds plausible but is not the correct answer.

What is a restriction placed on users that denies them access to resources on the weekends? A Time-based accounting B Temporal differential C Time of week restriction D Time of day restriction

D. Answer B is incorrect because it might be something out of a sci-fi movie.

How can the burden of handling a specific security risk be transferred to the shoulders of another organization? A Decommissioning equipment B Implementing market leading countermeasure C More thorough user training D Outsourcing

D. Outsourcing is one method which can be used to transfer the burden of handling a specific security risk to the shoulders of another organization. This concept is known as risk transference or risk assignment. Risk transference does not remove the risk. It simply places the responsibility on someone else. This is commonly accomplished through outsourcing or through the purchasing of insurance. For some risks, risk transference is the best possible mitigation strategy. Leveraging the skills and abilities of another organization can be a smart security decision. However, risk transference is not the best course of action for every security concern. Each organization needs to evaluate its specific risks and available responses to determine the most effective solution. Answer A is incorrect. Decommissioning equipment is a form of risk avoidance or risk removal rather than risk transference. Removing equipment that is the target of a specific attack can eliminate the risk from the organization. One example of this would be the removal of modems from all company computers in order to eliminate the risk of war dialing. War dialing is the activity of dialing phone numbers looking for answering modems. Answer C is incorrect. While improving user training is always an improvement to overall security, it is not a form of risk transference. User training is often classified as risk mitigation or risk reduction. In some cases it might also be considered risk avoidance. Answer B is incorrect. Implementing marking leading countermeasures is a form of risk mitigation or risk reductions, not risk transference.

John works in an organization. He is trying to insert a password to log in his account on the organization's login website. Which of the following best describes the use of passwords for access control? A Identification B Auditing C Authorization D Authentication

D. Passwords are the most common form of authentication. Authentication includes factors that are unique to the user or the system and provides confirmation that the identity of the person is true and actual. Answer C is incorrect. Authorization is the third step of the access process which assigns privileges and limits to the user of the resources or data according to the user's identity. Answer B is incorrect. Auditing is done after the accounting step. In this, the data is reviewed and monitored. Answer A is incorrect. Identification is the first step of the access process in which every user, application, or system is identified by comparing their details provided with that present in the database.

Which of the following is a valid definition for privacy? A Using encryption to protect the content of a transaction B Tracking the activity of a Web browser while performing online shopping or banking C Preventing the saving of modifications to a user profile D Providing a means of control of distribution of the information about an individual

D. Privacy is providing a means of control of distribution of the information about an individual. Privacy is focused on controlling information about individuals, specifically giving the control to the person about whom the information is focused. Often, means of confidentiality are used to assist in the enforcement and protection of privacy, but confidentiality and privacy are not the same. Answer C is incorrect. Preventing the saving of modifications to a user profile is incorrect. This is a potential implementation of integrity. Some organizations do not want users to make any changes to the operating environment. Thus, they may prohibit the saving of any changes attempted by users. Answer B is incorrect. Tracking the activity of a Web browser while performing online shopping or banking is incorrect. When information is being gathered about users' actions and activities, their privacy may be breached. It would depend upon whether the tracking was disclosed and consented. Covert tracking is absolutely a violation of privacy. Answer A is incorrect. Using encryption to protect the content of a transaction is incorrect. The use of encryption to protect the content of a transaction is confidentiality, not privacy. Confidentiality focuses on the protection of data, while privacy focuses on the control of personally related information.

Baseband Transmission Method

Data transmitted using baseband transmission occupies the entire frequency range of the media. No other data is transmitted concurrently

Why is it important to perform a physical security assessment after a fire, chemical release, or bomb false alarm? A It gives your organization the opportunity to further train your personnel. B It is a legal requirement to do so after emergency response personnel have been contacted. C The assessment might reveal the identity of the perpetrator. D The event could have been triggered as a distraction to alter physical security mechanisms.

D. The event could have been triggered as a distraction to alter physical security mechanisms. For example, if your organization has emergency doorways that only have handles on the inside, an attacker could modify the lock mechanism while it is open, allowing personnel to exit the building. Thus, when the door re-closes, it might look closed and secure; but it is actually a means of entry for a future attack. It is essential to perform a thorough physical security assessment after each real or false incident. Additionally, it is also good security management practice to perform a physical security assessment on a periodic basis. Answer C is incorrect. A physical security assessment is unlikely to identify the perpetrator of a false alarm. A forensic investigation would need to be performed to potentially achieve the goal of identifying a perpetrator. Answer B is incorrect. While there are a few industries where there is a regulation for reporting both false and real security incidents, this is not a universal regulation. Thus, this is not the best answer for this question. Answer A is incorrect. Every incident is an opportunity to further training, but that is not the important reason to perform a post incident physical security assessment. The important reason is to detect physical security manipulations.

What is the goal of event data analysis? A Discover the identity of perpetrators. B Reduce the vulnerabilities of an organization. C Locate new exploitations. D Interpret collected events, and take appropriate action.

D. The goal of event data analysis is to interpret collected events and take appropriate action. The gathered event details from source systems are raw data. This event data needs to be collected, processed, and analyzed in order to reveal meaningful information. Once a management console has performed initial event analysis, an interpretation of the initial data is displayed to the security staff. This information helps to determine the best course of action to take in response to discovered events. Answer C is incorrect. Locate new exploitations is incorrect. The purpose of event data analysis is to interpret collected events and take appropriate action. During this process a side result may be the discovery of new exploitations; however, that is not the primary purpose of the activity of event data analysis. Answer A is incorrect. Discover the identity of perpetrators is incorrect. The purpose of event data analysis is to interpret collected events and take appropriate action. During this process, a side result may be the identification of perpetrators, however that is not the primary purpose of the activity of event data analysis. Answer B is incorrect. Reduce the vulnerabilities of an organization is incorrect. The purpose of event data analysis is to interpret collected events and take appropriate action. The end result of taking appropriate action may be the mitigation of risks and reduction of vulnerabilities; however, that is not the primary purpose of the activity of event data analysis.

Which of the following options describes integrity? A Accountability of responsible individuals B Prevention of the modification of information by unauthorized users C Prevention of the unauthorized disclosure of information D Preservation of internal and external consistency

D. The preservation of internal and external consistencies means that the data has not changed either in transit or between the original source and the internal storage location, such as a database. Answer A is incorrect. Accountability is holding individuals responsible for their actions. Answer C is incorrect. Confidentiality refers to prevention of the unauthorized disclosure of information. Answer B is incorrect. Integrity does not prevent the changing of information.

Why are the audit findings presented to senior management? A RFC1918 requires it. B No one else in the organization has the expertise to read the report. C The bottom-up business structure approach requires it. D Only with approval can a response plan be implemented.

D. The reason that audit findings are presented to senior management is that only with approval can a response plan be implemented. It is the responsibility of senior leadership to make the primary business management decisions. This includes reviewing the results of risk analysis and risk assessment, which are the audit findings, and make decisions based on the recommendations of the risk auditing/assessment team. Only with senior management approval can the risk response strategies be implemented and only with senior management support and backing is such an endeavor able to succeed. Answer B is incorrect. There should be numerous people in the organization with the knowledge, experience, and expertise to read and understand the audit findings. In fact, the members of the risk auditing and assessment group should be fully qualified to read and understand the report they produce. However, the issue is not about expertise to read the report—it is about who has the authority and responsibility to make essential business decisions in regards to protecting the organization against perceived risk. Answer C is incorrect. The bottom-up approach is a management strategy where workers make decisions and implement solutions, then inform senior management of their activities afterwards. The bottom-up approach is not a security strategy that is recommended nor widely adopted. It commonly leads to confusion and cost overruns. The recommended business management strategy is that of the top-down approach. The top-down method places authority and responsibility in the hands of senior management. Thus, they are responsible for making core business decisions and can be held accountable if those decisions fail. Answer A is incorrect. RFC1918 is comprised of government regulations that encourage or mandate the top-down approach, and thus require that all core business decisions be made by senior management. RFC1918 is the document defining the private IP address ranges that can be used in a private network for free, which are not allowed on the public Internet, and which must be translated to public address for outside communications. The RFC1918 private IP address ranges are: 10.0.0.0-10.255.255.255, 172.16.0.0-172.31.255.255, and 192.168.0.0-192.168.255.255.

Why are locks used on doors in secured areas? A To prevent all intrusions B To detect access attempts C To direct intruders to open areas D To keep people honest

D. The reason why locks are used on doors in secured areas is to keep people honest. Locks are a form of physical security. Locks are also used as a preventative security control. However, there are no perfect security measures. Locks only provide prevention up to a point. Locks can be bypassed, broken, picked, and bumped, or a key can be stolen. Locks do not ensure that unauthorized access will be blocked. Thus, locks serve as a reminder to not enter an area that is locked for which a user does not have a

What are the three main components of a smart lock or an electronic access control (EAC) lock? A Proximity reader, light sensor, locking mechanism B Thick metal plating, time based lock, security cameras C Biometric reader, timer, fire suppression system D Credential reader, locking mechanism, door closed sensor

D. The typical three main components of a smart lock or an electronic access control (EAC) lock are a credential reader, the locking mechanism, and a door closed sensor. The credential reader might accept push-pin codes, smart cards, or biometrics. When proper credentials are provided, the locking mechanism unlocks the door. Once the door opens, the door closed sensor monitors for the door closing. If it takes too long for the door to close, a warning buzzer may sound. If the door continues to stay open, an alarm is usually triggered. If the door closes, then the locking mechanism is reengaged. Answer A is incorrect. Proximity reader, light sensor, and locking mechanism do not comprise the typical three main components of a smart lock or an EAC lock. There are some automatic door systems which do not use credentials. Instead proximity is all that is needed to trigger the door to unlock or open. A light sensor is an odd element in a smart lock system as it could be fooled by a flashlight or by blocking light. Answer C is incorrect. Biometric reader, timer, and fire suppression system do not comprise the typical three main components of a smart lock or an EAC lock. Some smart lock systems will use biometrics as the credential. Most smart lock system employ a timer; but normally it is the door closed sensor that is considered dominant and the timer element is just a feature of the door closed sensor. There are some smart locks which can be integrated into the fire detection system in order to unlock a door for personnel egress; but a smart lock would not be tied into the fire suppression component of the fire management system. Answer B is incorrect. Thick metal plating, time based lock, and security cameras do not comprise the typical three main components of a smart lock or an EAC lock. These are potential components of a bank vault door. A smart lock (or EAC lock) does not dictate the type of door being locked. Additionally, it is not typically time based, but credential based, and rarely includes a security camera component.

Which of the following is a nontechnical means of enforcing security? A Disaster recovery plan B Development of a disaster response plan C Separation of duties D User training

D. User training is the best way to use nontechnical means to enforce security. The more the users know, the more secure the system will be. Here are the functions of security awareness programs: Decrease the number of security incidents. Educate users about procedures. Reduce losses. Answer B is incorrect. A disaster response plan details the steps which should be taken just after the disaster/risk is detected. Answer C is incorrect. Separation of duties divides the job responsibilities to prevent fraud and errors that must be balanced with the increased cost/effort required. Answer A is incorrect. Disaster recovery planning is a documented set of procedures used to recover and restore IT infrastructure, data, applications, and business communications after a disaster event.

Ring

Device one connects to device two, device two connects to device three, and so on to the last device, which connects back to the first device. It is an older technology predating Ethernet networks and was made popular by IBM.

TCP 21

FTP (control channel) an older interconnect protocol that allows connections between machines for file uploads and downloads. FTP is among the original protocols developed for the Internet. Ports 20 and 21 are used by default by FTP to transfer information between hosts and the Internet. Due to its design, FTP is insecure.

TCP 20

FTP (data channel) an older interconnect protocol that allows connections between machines for file uploads and downloads. FTP is among the original protocols developed for the Internet. Ports 20 and 21 are used by default by FTP to transfer information between hosts and the Internet. Due to its design, FTP is insecure.

UDP 990

FTPS (control channel)

UDP 989

FTPS (data channel)

accreditation

Formal acceptance by management that a system or application has been certified and may be placed into operation.

Data Steward

Handles the nitty gritty details and oversees the implementation of the policies and guidelines since data owners don't have time to make sure they are being implemented. makes day to day decisions on who may access data.

Which of the following is a practice of applying certain policies during the creation and maintenance of information? BIA ILM SIEM NAC

ILM

Tree

Includes the characteristics of star and bus topology, containing networking items one placed on top of the other. If the last centralized device fails, everything below it also fails.

Data Owner

Individuals who are primarily responsible for that data. they are in control of the policies and guidelines. Also are responsible for data privacy.

endpoint defense

It consists of an endpoint-mounted firewall, host intrusion detection systems, and antivirus software. The problem with endpoint defense is that it is required to be installed and maintained by the end user. Endpoint defense for systems connected to a network can be carried out through the use of group management policies.

BIA

It identifies various threats and the possibility of harm they may do to the business. In BIA, all of the major activities of the organization are listed and categorized as to their importance. It evaluates the financial impact on the organization from a quantitative and qualitative viewpoint.

Kerberos

Kerberos makes use of two tickets. The ticket-granting ticket is issued to the user upon authentication. It is a timed ticket and generally expires in less than a day. The user presents the ticket-granting ticket to the ticket-granting server when requesting access to a network resource. The ticket-granting server then issues the second type of ticket, referred to as a session ticket, that is then presented by the user to the network resource. It is an authentication, single-on protocol developed at MIT. It allows single sign-on in a distributed environment. It does not transfer passwords over the network. It uses a key distribution center (KDC) to maintain the entire access process.

L2TP (Layer 2 Tunneling Protocol)

L2TP can be used in many networks besides TCP/IP and will support multiple network protocols. Primarily a point-to-point protocol, L2TP is a combination of PPTP and L2F. Since it works equally well over such network protocols as IPX, SNA, and IP, it can be used as a bridge across many types of systems. L2TP does not provide security encryption, so it requires the use of such security protocols as IPsec to provide end-to-end or tunneling encryption. L2TP uses UDP and port 1701 for connections.

TCP 389

LDAP is a standardized directory protocol that allows queries to be made of a directory database, especially in the form of an X.500 format directory. To retrieve information from the directory database, an LDAP directory is queried using an LDAP client. The Microsoft implementation of LDAP is Active Directory (AD). LDAP is the main access protocol used by Microsoft's Active Directory. LDAP operates, by default, at port 389, and the syntax is a comma-delimited format.

TCP 119

NNTP

What technology is commonly used for Big Data datasets?

NoSQL

Which of the following policies describes access controls for the privacy and security of corporate assets? Retention Physical security Outsourcing Network security

Outsourcing

What are the three categories of controls?

Physical, logical (technical), and administrative

Plenum Cable

Plenum cable is a specifically jacketed cable with a fire retardant plastic jacket. Most local building codes adopted cable specifications for any cabling or wires that are routed through the plenum spaces within a building. Plenum spaces include areas above all ceilings, interior walls, riser areas, and control cabinets and closets. Plenum cables not only offer fire resistance, they are constructed of low-smoke and low-toxic-fume-emitting polymers such as polyvinyl chloride (PVC).

What is the correct hierarchy of the components of a policy?

Policies > standards > baselines > procedures > guidelines

ISO 27002:2013

Provides organizational information security standards and information security management practices which takes into consideration the organization's information risk appetite. These guidelines include the selection, implementation, and management of risk mitigation controls. ISO/IEC 27002:2013 is a popular, internationally recognized standard of good practice for information security.

Which of the following is either created by a government entity or agreed upon by a specific industry group? A Standard organization B Procedural standard C Regulatory agency D Proprietary

Regulatory agency

UDP 161

SNMP a management tool that allows network devices to send selected parameter data to a management console. A software client runs on the network device and captures various parameters and performance data at the request of a central administrator. Most routers, bridges, and other network appliances can be monitored using SNMP.

What are the steps of NIST Special Publication 800-37 Revision 1?

Step 1: CategorizeInformation is evaluated to determine the asset value and potential risks to the system. Step 2: SelectSecurity controls are selected based on the category of the system. Step 3: ImplementControls are installed and initiated throughout the system. Step 4: AssessAn evaluation of controls is performed to ensure that they are functioning as desired to meet risk mitigation requirements. Step 5: AuthorizeThis occurs when an acceptable level of risk is achieved based on implementation of controls. Step 6: MonitorThis is an ongoing process to ensure that mitigations are maintained and risk mitigations are effective.

TCP 23

Telnet

What is the cost benefit equation? A total initial risk - countermeasure benefit B AV x EF x ARO C [ALE1 - ALE2] - CCM D AES - CCMP

The cost benefit equation is [ALE1 - ALE2] - CCM. In this equation, ALE stands for annualized loss expectancy, which is the value of the asset multiplied by the percentage of loss a specific threat could have multiplied by the number of times in a year that threat could be realized (a.k.a. AV x EF x ARO). ALE1 is the calculation of ALE prior to the countermeasure and ALE2 is the reduced ALE based on the countermeasure being implemented. In this equation, CCM stands for cost of the countermeasure. Since any security measure will cost something, such as purchasing, licensing, downtime, training, management, and implementation, this must be subtracted from the benefit otherwise provided by the countermeasure. If the benefit calculated by this equation is larger than any other considered countermeasure, then it would likely be the best security choice to implement. Let's look at an example of the use of the cost/benefit equation to determine a countermeasures benefit. Suppose that the ALE calculated for a database at risk of remote access exploitation might be ALE1 = $10,000,000, the proposed firewall countermeasure would cost $20,000 per year to implement (thus CCM = $20,000), and the ALE would be reduced to ALE2=$2,000,000 if the firewall was installed. With these values, the [ALE1-ALE2]-CCM would be [$10,000,000 - $2,000,000] - $20,000 = $7,980,000. Thus, the benefit of the firewall for this database against the risk of remote access exploitation is $7,980,000. Answer B is incorrect. AV x EF x ARO is the formula used to calculate the total amount of potential risk calculated for a single asset and a specific threat. This formula is based on three values: AV, EF, and ARO. Asset value (AV) is a value based on both tangible and intangible value of an asset to the organization. Exposure factor (EF) is a prediction as to the percentage of loss that would be experienced if a specific threat is realized against a specific asset. Annualized rate of occurrence (ARO) is a prediction as to the number of times in the next year that the threat could be realized. When these three values are multiplied together they produce the annualized loss expectancy (ALE). The full formula is thus: ALE = AV x EF x ARO. For example, an asset could be a file server which has an AV = $1,000,000, a threat could be a fire which could have an EF = 75%, and the ARO of the firewall is .1 per year; thus the ALE would be $1,000,000 x 75% x .1 = $75,000. Answer A is incorrect. The equation total initial risk - countermeasure benefit is incorrect. This is the residual risk formula. The remaining risk after countermeasures and other risk mitigation strategies are applied to an organization is known as residual risk. The means to assess residual risk is: total initial risk - countermeasure benefit = residual risk. Answer D is incorrect. The equation AES - CCMP is invalid. The AES-CCMP acronym stands for Advanced Encryption Standard - Counter Mode Cipher Block Chaining Message Authentication Code Protocol.

802.11

The original IEEE 802.11 standard defines wireless local area networks that transmit at 1 Mbit/s or 2 Mbit/s using the 2.4 GHz frequency spectrum.

Plastic Optical Fiber

This type of fiber-optic cable uses a plastic core that allows for larger-diameter fibers. Plastic optical fiber is less capable of transmitting light over distances; therefore, this cable is restricted to 100 m or less but is the least expensive of any optical transmission cable.

Which risk component describes any incident or action, if carried out, could cause harm or loss of data or an asset? A Malware B Threat C Control D Vulnerability

Threat

How many levels of disaster does the disaster recovery plan contain?

Three

Data Custodian

Usually the IT staff who are implement the policies. They are the ones implementing the encryption, retention, and everything else involved with the policy.

Which of the following statements defines auditing? Requests and changes proposals and their subsequent approval or disapproval Displays the system status at any point in time Processes logs and reports any change to configuration Verifies that the product is in compliance with established performance requirements

Verifies that the product is in compliance with established performance requirements

TACACS (Terminal Access Controller Access Control System)

a client-server environment that operates in a similar manner to RADIUS. It is a central point for user authentication. Extended TACACS (XTACACS) replaced the original TACACS and combined authentication and authorization along with logging, which enables communication auditing. The most current method or level of TACACS is TACACS+, and this replaces the previous versions. TACACS+ has been widely implemented by Cisco and possibly may become a viable alternative to RADIUS.

ICMP

a number of communication information commands, such as ping to test connectivity and traceroute to return the route used by packets to a destination. Routers and other network devices can report path information between hosts using ICMP.

Implicit Deny

a type of access rule that states that if a subject is not listed on the access control list, access is denied. This type of rule is usually at the bottom of the rules list in either a router or a firewall. Its purpose is to act as a catchall. If entry has not been explicitly granted, it is implicitly denied. In other words, the implicit deny rule catches anything to which no other rule applies and denies access.

Functional policy

addresses specific issues or concerns of the organization. It defines requirements related to particular areas of security, such as access control, acceptable use, and so on.

Guideline

allows the individual to make a discretionary judgment on how to proceed when executing procedural steps.

Stateful packet inspection (SPI) firewall

analyzes packets to determine the external originating source as well as the destination on the internal network. analyze packets to determine the external originating source as well as the destination on the internal network. This type of firewall records this information as a continuity of conversation record. It keeps the record using a state table that tracks every communication channel. A stateful firewall compares existing conversations with new packets entering the firewall connecting for the first time. The new packets are compared against rulesets for a decision about whether to allow or deny. Other firewalls that do not track the continuity of conversations and only make allow or deny decisions based upon simple rulesets are referred to as stateless firewalls.

CSMA/CA (carrier sense multiple access/collision avoidance)

announces that a device is wishing to transmit on the media broadcasting a tone prior to transmission.

Hotfix

applies to a piece of hardware or software that is currently online and in use. Hotfixes have become known in the software industry as providing the ability to fix a bug very rapidly and possibly without going through formal development channels.

Hot patch

applies to hardware or software without the requirement to power down or reboot the product. This type of patch addresses the availability component of the CIA triad.

How is confidentiality different from privacy? A Privacy is only provided when inside your own home or using your own devices. B Confidentiality relates to the control of information in order to prevent disclosure to unauthorized entities. C Confidentiality relates to people and being in control of access to information about ourselves. D Privacy is not legally protected.

b. Confidentiality relates to the control of information in order to prevent disclosure to unauthorized entities is correct. This is a distinction of confidentiality. Privacy relates to people and being in control of access to information about ourselves. Most organizations need to provide security controls to address both confidentiality and privacy. Answer C is incorrect. Confidentiality does NOT relate to people and being in control of access to information about ourselves. This is the distinction of privacy. Answer D is incorrect. Some aspects of privacy are legally protected. There is some privacy protection in the U.S. Constitution, specifically the 4th Amendment. Other aspects of privacy are protected by contract or agreement between parties. Answer A is incorrect. While U.S. citizens typically enjoy privacy protection while in their homes and when using personal devices, there are many other places outside of the home where privacy is protected, either legally, by contract, or by explicit granting.

IPsec transport mode

can be used between two endpoints.

IPsec tunneling mode

can be used between two routers or two firewalls

CSMA/CD (carrier sense multiple access/collision detection)

communicates in an organized fashion on a type of media. This is the most often used technique to reduce transmission contention on modern local area networks.

CSMA (carrier sense multiple access)

communicates on the media such as a wire, fiber-optic cable, or modulated radio signal. It is the least effective of any of the transmission protocols because none of the devices have any means of determining when to transmit data.

Service pack

consists of a number of updates, enhancements, or fixes delivered by the manufacturer in the form of a single executable file.

disaster level 1

describes a disaster that is local in nature and affects only a small part of the operation.

Cold

describes a facility that has power, ventilation, and air-conditioning and does not have communications or computer equipment.

(SVC) switched virtual circuit

dynamically configures the circuit routes each time the circuit is used by the end user. A switched virtual circuit is less expensive and is billed for only time of use.

Packet filter firewall

forwards the packet based upon an application or port designation and does not analyze the data included in it. A packet filter firewall passes data based upon packet addressing information. It does not analyze the data included in a packet but simply forwards the packet based upon an application or port designation. For example, a packet filter firewall may block web traffic on port 80 and also block Telnet traffic on port 23. This is the standard filtering mechanism built into all firewalls. If a received packet specifies a port that isn't authorized, the filter will reject the request or simply ignore it. Most packet filter firewalls may also filter packets based on IP source address and allow or deny them based on the security settings of the firewall.

disaster level 3

includes significant damage to the facility, requiring personnel to evacuate the premises.

Event log

includes some logs not relevant to security issues. It records various activities as they occur. It includes the application and security logs.

Bluebugging

is a Bluetooth attack in which the attacker accesses and uses all phone features.

Warm

is a computer facility that is contractually available and has some power, ventilation, and basic networking equipment.

PVC (permanent virtual circuit)

is a connection between endpoints where the carrier configures the circuit routes to provide the requested speed and bandwidth through their equipment. This provisioning is usually accomplished when the permanent virtual circuit is initially contracted and when the dedicated hardware and contracted bandwidth is determined.

Procedure

is a detailed set of instructions for performing a specific task.

Reminder memo

is a follow-up that highlights the briefing paper and formal briefing steps and tells them of their responsibility.

Policy statement

is a high-level directive setting forward in support of the mission goals and objectives.

RADIUS (Remote Authentication Dial-In User Service)

is a protocol and system that allows user authentication of remote and other network connections. The RADIUS protocol is an IETF standard, and it has been implemented by most of the major operating system manufacturers. Once intended for use on dial-up modem connections, it now has many modern features. A RADIUS server can be managed centrally, and the servers that allow access to a network can verify with a RADIUS server whether an incoming caller is authorized. In a large network with many users, RADIUS allows a single server to perform all authentications. Since a RADIUS server may be used to centrally authenticate incoming connection requests, it poses a single point of failure. Many organizations provide multiple servers to increase system reliability. Of course, like all authentication mechanisms, the servers should be highly protected from attack.

Cooperative

is a reciprocal site that involves an agreement between two companies to share resources in the event of a disaster.

ISO 27001:2013

is a specification for the evaluation of the performance of an information security management system (ISMS). Organizations that meet the standard may gain an official certification issued by an independent and accredited certification body on successful completion of a formal audit process.

Baseline

is established as the normal or minimal criteria that must be met by a policy.

Organizational policy

is established by a person or group with a high level of authority. It is usually very broad in nature, affecting the entire organization.

Unofficial patch

is provided by third-party individuals or organizations for commercial software.

Audit log

offers crucial information about the actions and activities on an organization's network.

Quick fix

performs rapid repair to an identified problem related to a specific user of software.

Operational policy

provides a clear direction on access to specific database information or application software. It states the requirement that a specific action requires separation of duties.

Hot

refers to a physical location available for immediate switchover of processing operations and contains ventilation and air-conditioning devices.

Web application firewall (WAF)

regulates traffic to and from web servers and specialized web applications. a specialized firewall used to regulate traffic to and from web servers and specialized web applications. It utilizes specialized rules such as content filtering, access control, and intelligent rulesets that are customized specifically for the web application. A web application firewall operates at the highest layer of the OSI model, layer 7, and is dedicated to filtering traffic into and out of a web application or web server operating in real time. It operates as a very sophisticated intrusion protection system and protects against content-based attacks such as cross site scripting (XSS), injection attacks, and HTTP forgery attacks.

PPTP (Point-to-Point Tunneling Protocol)

supports encapsulation in a single point-to-point environment. PPTP encapsulates and encrypts point-to-point protocol (PPP) packets. Although PPTP is a favorite protocol for network communications, one of its major weaknesses is that all channel negotiation is done in the clear. After the tunnel is created, the data is encrypted. Developed by Microsoft, PPTP is supported on most of the company's products. PPTP is assigned to port 1723 and uses TCP for connections.

Your company adopts a new end-user security awareness program. This training includes malware introduction, social media issues, password guidelines, data exposure, and lost devices. How often should end users receive this training? A upon termination B twice a year C upon new hire D once a year E once a year and upon termination F upon new hire and once a year thereafter

upon new hire and once a year thereafter. End users should receive security awareness training upon new hire and once a year thereafter. This ensures that new hires understand security issues immediately. It also ensures that end users receive updates to their security awareness knowledge on an annual basis.

Proxy firewall

uses increased intelligence and packet inspection methodology to improve the protection of internal network. uses increased intelligence and packet inspection methodology to better protect the internal network. A proxy is always described as an intermediary between two systems, hosts, or networks. In effect, a proxy firewall isolates the internal network from the external untrusted network by intercepting communications. It does this by receiving a packet from an external untrusted source and repackages it for use by the internal protected network host. During this process, the untrusted source does not have direct access or even IP address knowledge of the internal host. Once the internal host decides to reply to the message, it sends the response message to the proxy firewall, which then repackages it, stripping off the internal IP address and sending it on to the external untrusted host.

L2F (Layer 2 Forwarding)

was created by Cisco as a method of creating tunnels that do not require encryption. Used primarily for dial-up connections, L2F provides authentication only. L2F uses port 1701 (a little Cisco humor; 1701 is the number of the Starship Enterprise while it "tunnels through space"). L2F uses TCP for connections.


Ensembles d'études connexes

AP Chemistry Semester Test Study Guide

View Set

Chapter 35: Hypothalamic and Pituitary Agents

View Set

Ch. 11 - Input Demand: Capital Market and the Investment Decision

View Set