ISC2


A new Wireless Access Point (WAP) is being installed to add wireless connectivity to the company network. The configuration policy indicates that WPA3 is to be used, and thus only newer or updated endpoint devices can connect. The policy also states that ENT (enterprise) authentication will not be implemented. What authentication mechanism can be implemented in this situation? A. IEEE 802.1X B. IEEE 802.1Q C. Simultaneous Authentication of Equals (SAE) D. EAP-FAST

C. Simultaneous Authentication of Equals (SAE)

5. You have been tasked with crafting a long-term security plan that is fairly stable. It needs to define the organization's security purpose. It also needs to define the security function and align it to the goals, mission, and objectives of the organization. What are you being asked to create? A. Tactical plan B. Operational plan C. Strategic plan D. Rollback plan

C. Strategic plan

9. You have performed a risk assessment and determined the threats that represent the most significant concern to your organization. When evaluating safeguards, what is the rule that should be followed in most cases? A. The expected annual cost of asset loss should not exceed the annual cost of safeguards. B. The annual cost of safeguards should equal the value of the asset. C. The annual cost of safeguards should not exceed the expected annual cost of asset value loss. D. The annual cost of safeguards should not exceed 10 percent of the security budget.

C. The annual cost of safeguards should not exceed the expected annual cost of asset value loss.

17. What process or event is typically hosted by an organization and is targeted to groups of employees with similar job functions? A. Education B. Awareness C. Training D. Termination

C. Training

Adversaries will use any and all means to harm their targets. This includes mixing attack concepts together to make a more effective campaign. What type of malware uses social engineering to trick a victim into installing it? A. Virus B. Worm C. Trojan horse D. Logic bomb

C. Trojan horse - a form of malware that uses social engineering tactics to trick a victim into installing it. The trick is to make the victim believe that the only thing they have downloaded or obtained is the host file, when in fact it carries a malicious hidden payload.

Any evidence to be used in a court proceeding must abide by the Rules of Evidence to be admissible. What type of evidence is written documents that are brought into court to prove a fact? A. Best evidence B. Parol evidence C. Documentary evidence D. Testimonial evidence

C. Documentary evidence

Discuss and describe the CIA Triad

The CIA Triad is the combination of confidentiality, integrity, and availability.
- Confidentiality - measures used to ensure the protection of the secrecy of data, information, or resources.
- Integrity - the concept of protecting the reliability and correctness of data.
- Availability - the concept that authorized subjects are granted timely and uninterrupted access to objects.

12. STRIDE is often used in relation to assessing threats against applications or operating systems. When confidential documents are exposed to unauthorized entities, which element of STRIDE is used to reference that violation? A. S B. T C. R D. I E. D F. E

D. (I) When confidential documents are exposed to unauthorized entities, this is described by the "I" in STRIDE, which represents information disclosure. The elements of STRIDE are spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege.

Many events can threaten the operation, existence, and stability of an organization. Some of those threats are human caused, whereas others are from natural events. Which of the following represent natural events that can pose a threat or risk to an organization? A. Earthquake B. Flood C. Tornado D. All of the above

D. All of the above

A VPN can be a significant security improvement for many communication links. A VPN can be established over which of the following? A. Wireless LAN connection B. Remote access dialup connection C. WAN link D. All of the above

D. All of the above - A VPN can be established over any network communication connection. This could be a typical LAN cable connection, wireless, WAN, or even an internet connection used by a client for access to the office LAN.

Security is established by understanding the assets of an organization that need protection and understanding the threats that could cause harm to those assets. Then, controls are selected that provide protection for the CIA Triad of the assets at risk. The CIA Triad consists of what elements? A. Contiguousness, interoperable, arranged B. Authentication, authorization, accountability C. Capable, available, integral D. Availability, confidentiality, integrity

D. Availability, confidentiality, integrity

20. The CSO has expressed concern that after years of security training and awareness programs, the level of minor security violations has actually increased. A new security team member reviews the training material and notices that it was crafted four years ago. They suggest that the materials be revised to be more engaging and to include elements that allow for the ability to earn recognition, team up with coworkers, and strive toward a common goal. They claim these efforts will improve security compliance and foster security behavior change. What is the approach that is being recommended? A. Program effectiveness evaluation B. Onboarding C. Compliance enforcement D. Gamification

D. Gamification - Security awareness and training can often be improved through gamification. Gamification is a means to encourage compliance and engagement by integrating common elements of game play into other activities, such as security compliance and behavior change.

When TLS is being used to secure web communication, what URL prefix appears in the web browser address bar to signal this fact? A. SHTTP:// B. TLS:// C. FTPS:// D. HTTPS://

D. HTTPS://

15. Your organization has become concerned with risks associated with the supply chain of their retail products. Fortunately, all coding for their custom products is done in-house. However, a thorough audit of a recently completed product revealed that a listening mechanism was integrated into the solution somewhere along the supply chain. The identified risk is associated with what product component in this scenario? A. Software B. Services C. Data D. Hardware

D. Hardware

1. (ch 2) You have been tasked with overseeing the security improvement projects for your organization. The goal is to reduce the current risk profile to a lower level without spending considerable amounts of money. You decide to focus on the largest concern mentioned by your CISO. Which of the following is likely the element of the organization that is considered the weakest? A. Software products B. Internet connections C. Security policies D. Humans

D. Humans

During an account review, an auditor provided the following report:

User     Last Login Length   Last Password Change
Bob      4 hours             87 days
Sue      3 hours             38 days
John     1 hour              935 days
Kesha    3 hours             49 days

The security manager reviews the account policies of the organization and takes note of the following requirements:
- Passwords must be at least 12 characters long
- Passwords must include at least one example of three different character types
- Passwords must be changed every 180 days
- Password maximum age

Which of the following security controls should be corrected to enforce the password policy? A. Minimum password length B. Account lockout C. Password history and minimum age D. Password maximum age

D. Password maximum age

8. During a meeting of company leadership and the security team, discussion focuses on defining the value of assets in dollars, inventorying threats, predicting the specific amount of harm of a breach, and determining the number of times a threat could cause harm to the company each year. What is being performed? A. Qualitative risk assessment B. Delphi technique C. Risk avoidance D. Quantitative risk assessment

D. Quantitative risk assessment

4. Optimally, security governance is performed by a board of directors, but smaller organizations may simply have the CEO or CISO perform the activities of security governance. Which of the following is true about security governance? A. Security governance ensures that the requested activity or access to an object is possible given the rights and privileges assigned to the authenticated identity. B. Security governance is used for efficiency. Similar elements are put into groups, classes, or roles that are assigned security controls, restrictions, or permissions as a collective. C. Security governance is a documented set of best IT security practices that prescribes goals and requirements for security controls and encourages the mapping of IT security ideals to business objectives. D. Security governance seeks to compare the security processes and infrastructure used within the organization with knowledge and insight obtained from external sources.

D. Security governance seeks to compare the security processes and infrastructure used within the organization with knowledge and insight obtained from external sources.

Which type of firewall automatically adjusts its filtering rules based on the content and context of the traffic of existing sessions? A. Static packet filtering B. Application-level gateway C. Circuit-level gateway D. Stateful inspection firewall

D. Stateful inspection firewall (aka dynamic packet filtering) - enables the real-time modification of the filtering rules based on traffic content and context.

What type of token device produces new time-derived passwords on a specific time interval that can be used a single time when attempting to authenticate? A. HOTP B. HMAC C. SAML D. TOTP

D. TOTP

A system administrator is setting up a new data management system. It will be gathering data from numerous locations across the network, even from remote offsite locations. The data will be moved to a centralized facility, where it will be stored on a massive RAID array. The data will be encrypted on the storage system using AES-256, and most files will be signed as well. The location of this data warehouse is secured so that only authorized personnel can enter the room and all digital access is limited to a set of security administrators. Which of the following describes the data? A. The data is encrypted in transit B. The data is encrypted in processing C. The data is redundantly stored D. The data is encrypted at rest

D. The data is encrypted at rest

Your organization is moving a significant portion of their data processing from an on-premises solution to the cloud. When evaluating a cloud service provider (CSP), which of the following is the most important security concern? A. Data retention policy B. Number of customers C. Hardware used to support VMs D. Whether they offer MaaS, IDaaS, and SaaS

D. Whether they offer MaaS, IDaaS, and SaaS

Define and detail the aspects of password selection that distinguish good password choices from ultimately poor password choices. A. Is difficult to guess or unpredictable B. Meets minimum length requirements C. Meets specific complexity requirements D. All of the above

D. All of the above

11. Security documentation is an essential element of a successful security program. Understanding the components is an early step in crafting the security documentation. Match the following components to their respective definitions.
1. Policy
2. Standard
3. Procedure
4. Guideline
I. A detailed, step-by-step how-to document that describes the exact actions necessary to implement a specific security mechanism, control, or solution.
II. A document that defines the scope of security needed by the organization and discusses the assets that require protection and the extent to which security solutions should go to provide the necessary protection.
III. A minimum level of security that every system throughout the organization must meet.
IV. Offers recommendations on how security requirements are implemented and serves as an operational guide for both security professionals and users.
V. Defines compulsory requirements for the homogenous use of hardware, software, technology, and security.
A. 1-I; 2-IV; 3-II; 4-V B. 1-II; 2-V; 3-I; 4-IV C. 1-IV; 2-II; 3-V; 4-I D. 1-V; 2-I; 3-IV; 4-III

Answer: B
- Policy (II) - A document that defines the scope of security needed by the organization and discusses the assets that require protection and the extent to which security solutions should go to provide the necessary protection.
- Standard (V) - Defines compulsory requirements for the homogenous use of hardware, software, technology, and security.
- Procedure (I) - A detailed, step-by-step how-to document that describes the exact actions necessary to implement a specific security mechanism, control, or solution.
- Guideline (IV) - Offers recommendations on how security requirements are implemented and serves as an operational guide for both security professionals and users.

6. Name several methods of social engineering: scams, hoaxes, impersonation, masquerading, tailgating, piggybacking, dumpster diving, identity fraud, typo squatting, and social media abuse

Possible answers include:
- eliciting information
- pretexting
- pretending
- phishing, spear phishing
- business email compromise (BEC)
- whaling
- impersonation
- hoaxes
- identity fraud
- influence campaigns

4. Discuss the need to perform a balanced risk assessment. What are techniques that can be used and why is this necessary?

Risk assessment often involves a hybrid approach using both quantitative and qualitative methods. Neither method is fully achievable on its own; combining the two methods is known as hybrid assessment or hybrid analysis.

3. Describe the process or techniques used to reach an anonymous consensus during a qualitative risk assessment:

The Delphi technique is an anonymous feedback-and-response process used to enable a group to reach an anonymous consensus.

5. What are the main types of social engineering principles?

The common social engineering principles are (mnemonic: All Ideas Seem Factual, Trust Unconditionally): Authority, Intimidation, Consensus, Scarcity, Familiarity, Trust, Urgency.

What are the four components of a complete organizational security policy and their basic purpose?

The four components of a security policy are policies, standards, guidelines, and procedures:
- Policies - broad security statements
- Standards - definitions of hardware and software security compliance
- Guidelines - not an appropriate procedure
- Procedures - detailed step-by-step instructions for performing work tasks in a secure manner

What are the requirements to hold a person accountable for the actions of their user account?

The requirements of accountability are identification, authentication, authorization, and auditing. Each of these components needs to be legally supportable to truly hold someone accountable for their actions.

Name the six primary roles as defined by (ISC)2 for CISSP

The six security roles are as follows:
- security management
- IT/security staff
- owner
- custodian
- operator/user
- auditor

Hardware networking devices operate within the protocol stack just like protocols themselves. Thus, hardware networking devices can be associated with an OSI model layer related to the protocols they manage or control. At which layer of the OSI model does a router operate? A. Network layer B. Layer 1 C. Transport layer D. Layer 5

A. Network layer

1. Name six different administrative controls used to secure personnel:

a. Principles of least privilege, separation of duties, job responsibilities, job rotation/cross-training, performance reviews, background checks, job action warning, awareness, training, job training, exit interviews/terminations, nondisclosure agreements, employment agreements, privacy declaration, and acceptable use policies.

Unfortunately, attackers have many options of attacks to perform against their targets. Which of the following is considered a denial-of-service (DoS) attack? A. Pretending to be a technical manager over the phone and asking a receptionist to change their password. B. While surfing the web, sending to a web server a malformed URL that causes the system to consume 100 percent of the CPU. C. Intercepting network traffic by copying the packets as they pass through a specific subnet. D. Sending message packets to a recipient who did not request them, simply to be annoying.

B. While surfing the web, sending to a web server a malformed URL that causes the system to consume 100 percent of the CPU.

The General Data Protection Regulation (GDPR) has defined several roles in relation to the protection and management of personally identifiable information (PII). Which of the following statements is true? A. A data processor is the entity assigned specific responsibility for a data asset in order to ensure its protection for use by the organization. B. A data custodian is the entity that performs operations on data. C. A data controller is the entity that makes decisions about the data they are collecting. D. A data owner is the entity assigned or delegated the day-to-day responsibility of proper storage and transport as well as protecting data, assets, and other organization objects.

C. A data controller is the entity that makes decisions about the data they are collecting.

Which of the following types of access control seeks to discover evidence of unwanted, unauthorized, or illicit behavior or activity? A. Preventive B. Deterrent C. Detective D. Corrective

C. Detective - Detective access controls are used to discover (and document) unwanted or unauthorized activity.

9. Control Objectives for Information and Related Technology (COBIT) is a documented set of best IT security practices crafted by the Information Systems Audit and Control Association (ISACA). It prescribes goals and requirements for security controls and encourages the mapping of IT security ideals to business objectives. COBIT is based on six key principles for governance and management of enterprise IT. Which of the following are among these key principles? (choose all that apply) A. Holistic Approach B. End-to-End Governance System C. Provide Stakeholder Value D. Maintaining Authenticity and Accountability E. Dynamic Governance System

A B C E

6. Annaliese's organization is undergoing a period of increased business activity where they are conducting a large number of mergers and acquisitions. She is concerned about the risks associated with those activities. Which of the following are examples of those risks? (choose all that apply) A. Inappropriate information disclosure B. Increased worker compliance C. Data loss D. Downtime E. Additional insight into the motivations of inside attackers F. Failure to achieve sufficient return on investment (ROI)

A C D F

Computers are based on binary mathematics. All computer functions are derived from the basic set of Boolean operations. What is the value of the logical operation shown here?

X:     0 1 1 0 1 0
Y:     0 0 1 1 0 1
-----------------------
X * Y: ?

A. 0 1 0 1 1 1 B. 0 0 1 0 0 0 C. 0 1 1 1 1 1 D. 1 0 0 1 0 1

A. 0 1 0 1 1 1

11. During the annual review of the company's deployed security infrastructure, you have been reevaluating each security control selection. How is the value of a safeguard to a company calculated? A. ALE before safeguard - ALE after implementing the safeguard - annual cost of safeguard B. ALE before safeguard * ARO of safeguard C. ALE after implementing safeguard + annual cost of safeguard - controls gap D. Total risk - controls gap

A. ALE before safeguard - ALE after implementing the safeguard - annual cost of safeguard

Risk assessment is a process by which the assets, threats, probabilities, and likelihoods are evaluated in order to establish criticality prioritization. What is the formula used to compute the ALE? A. ALE = AV * EF * ARO B. ALE = ARO * EF C. ALE = AV * ARO D. ALE = EF * ARO

A. ALE = AV * EF * ARO

Security needs to be designed to support the business objectives, but it also needs to be legally defensible. To defend the security of an organization, a log of events and activities must be created. Auditing is a required factor to sustain and enforce what? A. Accountability B. Confidentiality C. Accessibility D. Redundancy

A. Accountability

12. Which of the following are valid definitions for risk? (choose all that apply) A. An assessment that removes a vulnerability or protects against one or more specific threats B. Anything that removes a vulnerability C. Risk = threat * vulnerability D. Total risk - controls gap

A. An assessment that removes a vulnerability or protects against one or more specific threats C. Risk = threat * vulnerability D. Total risk - controls gap

DevOps manager John is concerned with the CEO's plan to minimize his department and outsource code development to a foreign programming group. John has a meeting scheduled with the board of directors to encourage them to retain code development in-house due to several concerns. Which of the following should John include in his presentation? (choose all that apply) A. Code from third parties will need to be manually reviewed for function and security. B. If the third party goes out of business, existing code may need to be abandoned. C. Third-party code development is always more expensive. D. A software escrow agreement should be established.

A. Code from third parties will need to be manually reviewed for function and security. B. If the third party goes out of business, existing code may need to be abandoned.

2. Due to the recent organization restructuring, the CEO believes that new workers should be hired to perform necessary work tasks and support the mission and goals of the organization. When seeking to hire new employees, what is the first step? A. Create a job description B. Set position classification C. Screen candidates D. Request resumes

A. Create a job description

The ___________ is the entity assigned specific responsibility for a data asset in order to ensure its protection for use by the organization. A. Data owner B. Data controller C. Data processor D. Data custodian

A. Data owner

10. In today's business environment, prudence is mandatory. Showing due diligence and due care is the only way to disprove negligence in an occurrence of loss. Which of the following are true statements? (choose all that apply) A. Due diligence is establishing a plan, policy, and process to protect the interests of an organization. B. Due care is developing a formalized security structure containing a security policy, standards, baselines, guidelines, and procedures. C. Due diligence is the continued application of a security structure onto the IT infrastructure of an organization. D. Due care is practicing the individual activities that maintain the security effort. E. Due care is knowing what should be done and planning for it. F. Due diligence is doing the right action at the right time.

A. Due diligence is establishing a plan, policy, and process to protect the interests of an organization D. Due care is practicing the individual activities that maintain the security effort.

14. Supply chain risk management (SCRM) is a means to ensure that all the vendor links in the supply chain are reliable, trustworthy, reputable organizations. Which of the following are true statements? (choose all that apply) A. Each link in the supply chain should be responsible and accountable to the next link in the chain. B. Commodity vendors are unlikely to have mined their own metals or processed the oil for plastics or etched the silicon on their chips. C. If the final product derived from a supply chain meets expectations and functional requirements, it is assured to not have unauthorized elements. D. Failing to properly secure a supply chain can result in flawed or less reliable products, or even embedded listening or remote control mechanisms.

A. Each link in the supply chain should be responsible and accountable to the next link in the chain. B. Commodity vendors are unlikely to have mined their own metals or processed the oil for plastics or etched the silicon on their chips. D. Failing to properly secure a supply chain can result in flawed or less reliable products, or even embedded listening or remote control mechanisms.

17. Whenever an organization works with a third party, its supply chain risk management (SCRM) processes should be applied. One of the common requirements is the establishment of minimum security requirements for the third party. What should these requirements be based on? A. Existing security policy B. Third-party audit C. On-site assessment D. Vulnerability scan results

A. Existing security policy

When securing a mobile device, what types of authentication can be used that depend on the user's physical attributes? (choose all that apply) A. Fingerprint B. TOTP (time-based one-time password) C. Voice D. SMS (short message service) E. Retina F. Gait G. Phone call H. Facial recognition I. Smartcard J. Password

A. Fingerprint C. Voice E. Retina H. Facial recognition

What kind of recovery facility enables an organization to resume operation as quickly as possible, if not immediately, upon failure of the primary facility? A. Hot site B. Warm site C. Cold site D. All of the above

A. Hot site

7. Which security framework was initially crafted by a government for domestic use and is now an international standard; which is a set of recommended best practices for optimization of IT services to support business growth, transformation, and change; which focuses on understanding how IT and security need to be integrated with and aligned to the objectives of an organization; and which is often used as a starting point for the crafting of a customized IT security solution within an established infrastructure? A. ITIL B. ISO 27000 C. CIS D. CSF

A. ITIL

Incident response plans, business continuity plans, and disaster recovery plans are crafted when implementing business-level redundancy. These plans are derived from the information obtained when performing a business impact assessment (BIA). What is the first step of the BIA process? A. Identification of priorities B. Likelihood assessment C. Risk identification D. Resource prioritization

A. Identification of priorities

13. A new web application was installed onto the company's public web server last week. Over the weekend a malicious hacker was able to exploit the new code and gained access to data files hosted on the system. This is an example of what issue? A. Inherent risk B. Risk matrix C. Qualitative assessment D. Residual risk

A. Inherent risk

20. Defense in depth is simply the use of multiple controls in a series. No one control can protect against all possible threats. Using a multilayered solution allows for numerous, different controls to guard against whatever threats come to pass. Which of the following are terms that relate to or are based on defense in depth? (choose all that apply) A. Layering B. Classification C. Zones D. Realms E. Compartments F. Silos G. Segmentation H. Lattice structure I. Protection rings

A. Layering B. Classification C. Zones D. Realms E. Compartments F. Silos G. Segmentation H. Lattice structure I. Protection rings

Which of the following are considered standard data type classifications used in either a government/military or a private sector organization? (choose all that apply) A. Public B. Healthy C. Private D. Internal E. Sensitive F. Proprietary G. Essential H. Certified I. Critical J. Confidential K. For Your Eyes Only

A. Public C. Private E. Sensitive F. Proprietary I. Critical J. Confidential

2. What are the basic formulas or values used in quantitative risk assessment?

AV = $
EF = % loss
SLE = AV * EF
ARO = # / yr
ALE = SLE * ARO, or AV * EF * ARO
Cost/benefit = (ALE1 - ALE2) - ACS

19. The next step after threat modeling is reduction analysis. Reduction analysis is also known as decomposing the application, system, or environment. The purpose of this task is to gain a greater understanding of the logic of the product, its internal components, as well as its interactions with external elements. Which of the following are key components to identify when performing decomposition? (choose all that apply) A. Patch or update versions B. Trust boundaries C. Dataflow paths D. Open vs. closed source code use E. Input points F. Privileged operations G. Details about security stance and approach

B C E F G

A recently acquired piece of equipment is not working properly. Your organization does not have a trained repair technician on staff, so you have to bring in an outside expert. What type of account should be issued to a trusted third-party repair technician? A. Guest account B. Privileged account C. Service account D. User account

B. Privileged account

TCP operates at the Transport layer and is a connection-oriented protocol. It uses a special process to establish a session each time a communication takes place. What is the last phase of the TCP three-way handshake sequence? A. SYN flagged packet B. ACK flagged packet C. FIN flagged packet D. SYN/ACK flagged packet

B. ACK flagged packet

15. The Risk Management Framework (RMF) provides a disciplined, structured, and flexible process for managing security and privacy risk that includes information security categorization; control selection, implementation, and assessment; system and common control authorizations; and continuous monitoring. The RMF has seven steps or phases. Which phase of the RMF focuses on determining whether to authorize system or common controls, based on a determination that the risk to organizational operations and assets, individuals, other organizations, and the nation is reasonable? A. Categorize B. Authorize C. Assess D. Monitor

B. Authorize

3. James recently discovered an attack taking place against his organization that prevented employees from accessing critical records. What element of the CIA Triad was violated? A. Identification B. Availability C. Encryption D. Layering

B. Availability

16. Company proprietary data are discovered on a public social media posting by the CEO. While investigating, a significant number of similar emails were discovered to have been sent to employees, which included links to malicious sites. Some employees report that they had received similar messages to their personal email accounts as well. What improvements should the company implement to address the issue? (choose two) A. Deploy a web application firewall B. Block access to personal email from the company network C. Update the company email server. D. Implement multifactor authentication (MFA) on the company email server E. Perform an access review of all company files F. Prohibit access to social networks on company equipment

B. Block access to personal email from the company network F. Prohibit access to social networks on company equipment

The lack of secure coding practices has enabled an uncountable number of software vulnerabilities that hackers have discovered and exploited. Which of the following vulnerabilities would be best countered by adequate parameter checking? A. Time-of-check to time-of-use B. Buffer overflow C. SYN flood D. Distributed denial of service (DDoS)

B. Buffer overflow

A security auditor is seeking evidence of how sensitive documents made their way out of the organization and onto a public document distribution site. It is suspected that an insider exfiltrated the data over a network connection to an external server, but this is only a guess. Which of the following would be useful in determining whether this suspicion is accurate? (choose two) A. NAC B. DLP alerts C. Syslog D. Log analysis E. Malware scanner reports F. Integrity monitoring

B. DLP alerts D. Log analysis

7. While performing a risk analysis, you identify a threat of fire and a vulnerability of things being flammable because there are no fire extinguishers. Based on this information, which of the following is a possible risk? A. Virus infection B. Damage to equipment C. System malfunction D. Unauthorized access to confidential information

B. Damage to equipment

Which one of the following is a layer of the ring protection scheme design concept that is not normally implemented? A. Layer 0 B. Layer 1 C. Layer 3 D. Layer 4

B. Layer 1

Some adversaries use DoS attacks as their primary weapons to harm targets, whereas others may use them as weapons of last resort when all other attempts to intrude on a target fail. Which of the following is most likely to detect DoS attacks? A. Host-based IDS B. Network-based IDS C. Vulnerability scanner D. Penetration testing

B. Network-based IDS. A NIDS is usually able to detect the initiation of an attack or ongoing attempts to penetrate a system (including DoS). It is, however, unable to tell whether an attack was successful or which specific systems, user accounts, files, or applications were affected.
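The exfiltration question (DLP alerts corroborated by log analysis) and this DoS question come down to the same activity: reading connection records and aggregating them. The block below is an added example written for this page, not code from the original or from any product. It parses a constructed set of connection records (assumed format `src dst dport flags bytes_out`, with `10.0.0.0/8` assumed to be the internal range), totals outbound bytes per internal host to external destinations the way an analyst would confirm a DLP alert, and counts half-open (SYN-only) connections per destination the way a NIDS flags a SYN flood. Note what the second check cannot tell you: whether the target actually went down.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample records, not real traffic. Format assumed:
 * "src dst dport flags bytes_out"  (flags: S = SYN only, SA = SYN/ACK seen) */
static const char *LOG[] = {
    "10.0.0.5 10.0.0.20 445 SA 12000",
    "10.0.0.5 203.0.113.9 443 SA 5000000",
    "10.0.0.5 203.0.113.9 443 SA 7000000",
    "10.0.0.7 198.51.100.4 443 SA 30000",
    "10.0.0.7 10.0.0.80 80 SA 800",
    "198.51.100.71 10.0.0.80 80 S 0",
    "198.51.100.72 10.0.0.80 80 S 0",
    "198.51.100.73 10.0.0.80 80 S 0",
    "198.51.100.74 10.0.0.80 80 S 0",
    "198.51.100.75 10.0.0.80 80 S 0",
    "198.51.100.76 10.0.0.80 80 S 0",
    "203.0.113.50 10.0.0.81 80 S 0",
};
#define NLOG (sizeof LOG / sizeof LOG[0])

struct rec {
    char src[16], dst[16], flags[8];
    int  dport;
    long bytes;
};

/* Parse one record; returns 1 on success, 0 on a malformed line. */
static int parse_line(const char *line, struct rec *r)
{
    return sscanf(line, "%15s %15s %d %7s %ld",
                  r->src, r->dst, &r->dport, r->flags, &r->bytes) == 5;
}

/* Assumption: 10.0.0.0/8 is the organisation's internal range. */
static int is_internal(const char *ip)
{
    return strncmp(ip, "10.", 3) == 0;
}

/* Exfiltration check: total bytes sent by src to external destinations. */
long external_bytes_from(const char *src)
{
    long total = 0;
    struct rec r;
    for (size_t i = 0; i < NLOG; i++) {
        if (!parse_line(LOG[i], &r))
            continue;
        if (strcmp(r.src, src) == 0 && !is_internal(r.dst))
            total += r.bytes;
    }
    return total;
}

/* DoS check: half-open (SYN-only) connections aimed at dst. A NIDS sees
 * the attempts; it cannot tell whether dst stayed up. */
int syn_only_count_to(const char *dst)
{
    int count = 0;
    struct rec r;
    for (size_t i = 0; i < NLOG; i++) {
        if (!parse_line(LOG[i], &r))
            continue;
        if (strcmp(r.dst, dst) == 0 && strcmp(r.flags, "S") == 0)
            count++;
    }
    return count;
}

int exfil_suspected(const char *src, long byte_threshold)
{
    return external_bytes_from(src) >= byte_threshold;
}

int dos_suspected(const char *dst, int syn_threshold)
{
    return syn_only_count_to(dst) >= syn_threshold;
}

int main(void)
{
    const char *hosts[] = { "10.0.0.5", "10.0.0.7" };
    const char *targets[] = { "10.0.0.80", "10.0.0.81" };
    for (int i = 0; i < 2; i++)
        printf("%s sent %ld bytes externally -> exfil %s\n", hosts[i],
               external_bytes_from(hosts[i]),
               exfil_suspected(hosts[i], 10000000L) ? "SUSPECTED" : "ok");
    for (int i = 0; i < 2; i++)
        printf("%s received %d SYN-only -> DoS %s\n", targets[i],
               syn_only_count_to(targets[i]),
               dos_suspected(targets[i], 5) ? "SUSPECTED" : "ok");
    return 0;
}
```

The thresholds (10 MB outbound, 5 half-open connections) are placeholders; in practice they are tuned against a baseline of normal traffic, and a DLP alert plus this kind of aggregate is what turns "only a guess" into evidence.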

3. _________ is the process of adding new employees to the organization, having them review and sign policies, be introduced to managers and coworkers, and be trained in employee operations and logistics. A. Reissue B. Onboarding C. Background checks D. Site survey

B. Onboarding

The security concept of AAA services describes the elements that are necessary to establish subject accountability. Which of the following is not a required component in the support of accountability? A. Logging B. Privacy C. Identification verification D. Authorization

B. Privacy is not necessary to provide accountability. The elements that are, as defined by AAA services, are identification (sometimes considered an element of authentication, a silent first step of AAA services, or made explicit as IAAA), authentication, authorization, auditing/logging, and accounting.

13. A development team is working on a new project. During the early stages of systems development, the team considers the vulnerabilities, threats, and risks of their solution and integrates protection against unwanted outcomes. What concept of threat modeling is this? A. Threat hunting B. Proactive approach C. Qualitative approach D. Adversarial approach

B. Proactive Approach

4. After repeated events of retraining, a particular worker was caught for the fourth time attempting to access documents that were not relevant to their job description. The CSO decides this was the last chance and the worker is to be fired. The CSO reminds you that the organization has a formal termination process that should be followed. Which of the following is an important task to perform during the termination procedures to reduce future security issues related to this ex-employee? A. Return the exiting employee's personal belongings B. Review the nondisclosure agreement C. Evaluate the exiting employee's performance D. Cancel the exiting employee's parking permit

B. Review the nondisclosure agreement

19. Often a _______ is a member of a group who decides (or is assigned) to take charge of leading the adoption and integration of security concepts into the group's work activities. _____ are often non-security employees who take up the mantle to encourage others to support and adopt more security practices and behaviors. A. CISO(s) B. Security champion(s) C. Security auditor(s) D. Custodian

B. Security champion(s)

8. A security role is the part an individual plays in the overall scheme of security implementation and administration within an organization. What is the security role that has the functional responsibility for security, including writing the security policy and implementing it? A. Senior management B. Security professional C. Custodian D. Auditor

B. Security professional

2. Security governance requires a clear understanding of the objectives of the organization and of the core concepts of security. Which of the following contains the primary goals and objectives of security? A. A network's border perimeter B. The CIA Triad C. AAA services D. Ensuring that subject activities are recorded

B. The CIA Triad

A data custodian is responsible for securing resources after___________ has assigned the resource a security label. A. Senior management B. The data owner C. An auditor D. Security Staff

B. The data owner - must assign a security label to a resource before the data custodian can secure the resource appropriately.

Most software vulnerabilities exist because of a lack of secure or defensive coding practices used by the developers. Which of the following is considered a secure coding technique? (choose all that apply) A. Using immutable systems B. Using stored procedures C. Using code signing D. Using server-side validation E. Optimizing file sizes F. Using third-party software libraries

B. Using stored procedures C. Using code signing D. Using server-side validation

16. Cathy's employer has asked her to perform a documentation review of the policies and procedures of a third-party supplier. This supplier is just the final link in a software supply chain. Their components are being used as a key element of an online service operated for high-end customers. Cathy discovers several issues with the vendor, such as failing to require encryption for all communications and not requiring multifactor authentication on management interfaces. What should Cathy do in response to this finding? A. Write up a report and submit it to the CIO. B. Void the ATO of the vendor C. Require that the vendor review their terms and conditions D. Have the vendor sign an NDA

B. Void the ATO of the vendor

18. Which of the following could be classified as a form of social engineering attack? (choose all that apply) A. A user logs in to their workstation and then decides to get a soda from the vending machine in the stairwell. As soon as the user walks away from their workstation, another person sits down at their desk and copies all the files from a local folder onto a network share. B. You receive an email warning about a dangerous new virus spreading across the internet. The message tells you to look for a specific file on your hard drive and delete it, since it indicates the presence of the virus. C. A website claims to offer free temporary access to their products and services but requires that you alter the configuration of your web browser and/or firewall in order to download the access software. D. A secretary receives a phone call from a person claiming to be a client who is running late to meet the CEO. The caller asks for the CEO's private cell phone number so that they can call them.

B. You receive an email warning about a dangerous new virus spreading across the internet. The message tells you to look for a specific file on your hard drive and delete it, since it indicates the presence of the virus. C. A website claims to offer free temporary access to their products and services but requires that you alter the configuration of your web browser and/or firewall in order to download the access software. D. A secretary receives a phone call from a person claiming to be a client who is running late to meet the CEO. The caller asks for the CEO's private cell phone number so that they can call them.

6. Match the term to its definition: 1. Asset 2. Threat 3. Vulnerability 4. Exposure 5. Risk I. The weakness in an asset, or the absence or the weakness of a safeguard or countermeasure. II. Anything used in a business process or task. III. Being susceptible to asset loss because of a threat; there is the possibility that a vulnerability can or will be exploited. IV. The possibility or likelihood that a threat will exploit a vulnerability to cause harm to an asset and the severity of damage that could result. V. Any potential occurrence that may cause an undesirable or unwanted outcome for an organization or for a specific asset. A. 1-II, 2-V, 3-I, 4-III, 5-IV B. 1-I, 2-II, 3-IV, 4-III, 5-V C. 1-II, 2-V, 3-I, 4-IV, 5-III D. 1-IV, 2-V, 3-III, 4-II, 5-I

A. 1-II, 2-V, 3-I, 4-III, 5-IV. Asset is II, threat is V, vulnerability is I, exposure is III (susceptibility to loss because a vulnerability can or will be exploited), and risk is IV (the likelihood that a threat exploits a vulnerability, together with the severity of the resulting harm). Option C swaps exposure and risk.

10. During a risk management project, an evaluation of several controls determines that none are cost-effective in reducing the risk related to a specific important asset. What risk response is being exhibited by this situation? A. Mitigation B. Ignoring C. Acceptance D. Assignment

C. Acceptance

A new update has been released by the vendor of an important software product that is an essential element of a critical business task. The chief security officer (CSO) indicates that the new software version needs to be tested and evaluated in a virtual lab, which has a cloned simulation of many of the company's production systems. Furthermore, the results of this evaluation must be reviewed before a decision is made as to whether the software update should be installed and, if so, when to install it. What security principle is the CSO demonstrating? A. Business continuity planning (BCP) B. Onboarding C. Change management D. Static analysis

C. Change management

14. Your organization is courting a new business partner. During the negotiations the other party defines several requirements of your organization's security that must be met prior to the signing of the SLA and business partners agreement (BPA). One of the requirements is that your organization demonstrate its level of achievement on the Risk Maturity Model (RMM). The requirement is specifically that a common or standardized risk framework is adopted organization-wide. Which of the five possible levels of RMM is being required of your organization? A. Preliminary B. Integrated C. Defined D. Optimized

C. Defined

Collusion is when two or more people work together to commit a crime or violate a company policy. Which of the following is not a defense against collusion? A. Separation of duties B. Restricted job responsibilities C. Group user accounts D. Job rotation

C. Group user accounts allow multiple people to log in under a single user account. This enables collusion because it removes individual accountability.

1. Confidentiality, integrity, and availability are typically viewed as the primary goals and objectives of a security infrastructure. Which of the following is not considered a violation of confidentiality? A. Stealing passwords using a keystroke logging tool B. Eavesdropping on wireless network communication C. Hardware destruction caused by arson D. Social engineering that tricks a user into providing personal information to a false website

C. Hardware destruction caused by arson

In what phase of the Capability Maturity Model for Software (SW-CMM) are quantitative measures used to gain a detailed understanding of the software development process? A. Repeatable B. Defined C. Managed D. Optimizing

C. Managed

If Renee receives a digitally signed message from Mike, what key does she use to verify that the message truly came from Mike? A. Renee's public key B. Renee's private key C. Mike's public key D. Mike's private key

C. Mike's public key
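This question and the code-signing item in the secure-coding question above rest on the same primitive: the signer applies their private key to a digest of the data, and anyone holding the matching public key can check the result. The block below is an added example written for this page, not code from the original. It uses a deliberately toy RSA with 16-bit moduli and a weak polynomial digest so every value fits in 64-bit arithmetic, which makes the mechanics visible but must never be used for real signing. The primes, the public exponent 17, the messages, and the party names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* TOY RSA: tiny primes so the arithmetic stays in 64 bits. Illustration
 * only; a real key is thousands of bits and the digest is SHA-2 or better. */
typedef struct { uint64_t e, n; } pubkey;   /* shared with everyone */
typedef struct { uint64_t d, n; } privkey;  /* never leaves the signer */

static uint64_t powmod(uint64_t b, uint64_t e, uint64_t m)
{
    uint64_t r = 1;
    b %= m;
    while (e) {
        if (e & 1)
            r = r * b % m;
        b = b * b % m;
        e >>= 1;
    }
    return r;
}

/* Modular inverse of a mod m by extended Euclid; 0 if it does not exist. */
static uint64_t modinv(uint64_t a, uint64_t m)
{
    int64_t t = 0, newt = 1, r = (int64_t)m, newr = (int64_t)a;
    while (newr != 0) {
        int64_t q = r / newr, tmp;
        tmp = t - q * newt; t = newt; newt = tmp;
        tmp = r - q * newr; r = newr; newr = tmp;
    }
    if (r != 1)
        return 0;
    return (uint64_t)(t < 0 ? t + (int64_t)m : t);
}

static void keygen(uint64_t p, uint64_t q, uint64_t e, pubkey *pub, privkey *priv)
{
    pub->n = priv->n = p * q;
    pub->e = e;
    priv->d = modinv(e, (p - 1) * (q - 1));
}

/* Toy digest (polynomial hash mod a prime): NOT collision resistant. */
static uint64_t toy_digest(const char *msg)
{
    uint64_t d = 0;
    for (const unsigned char *p = (const unsigned char *)msg; *p; p++)
        d = (d * 131 + *p) % 65521;
    return d;
}

/* Sign: the signer's PRIVATE key is applied to the digest of the message. */
uint64_t sign_message(const char *msg, const privkey *k)
{
    return powmod(toy_digest(msg) % k->n, k->d, k->n);
}

/* Verify: the signer's PUBLIC key undoes the private operation; the result
 * must equal the digest of the message as received. */
int verify_signature(const char *msg, uint64_t sig, const pubkey *k)
{
    if (sig >= k->n)
        return 0;
    return powmod(sig, k->e, k->n) == toy_digest(msg) % k->n;
}

/* Constructed key pairs for the two parties in the question. */
void make_keys(pubkey *mike_pub, privkey *mike_priv,
               pubkey *renee_pub, privkey *renee_priv)
{
    keygen(61, 53, 17, mike_pub, mike_priv);   /* n = 3233 */
    keygen(67, 71, 17, renee_pub, renee_priv); /* n = 4757 */
}

int main(void)
{
    pubkey mike_pub, renee_pub;
    privkey mike_priv, renee_priv;
    const char *msg = "ok";   /* constructed message */
    uint64_t sig;

    make_keys(&mike_pub, &mike_priv, &renee_pub, &renee_priv);
    sig = sign_message(msg, &mike_priv);          /* Mike signs with his private key */
    printf("signature: %llu\n", (unsigned long long)sig);
    printf("Renee verifies with Mike's public key:  %d\n", verify_signature(msg, sig, &mike_pub));
    printf("Renee tries her own public key:         %d\n", verify_signature(msg, sig, &renee_pub));
    printf("same signature over a tampered message: %d\n", verify_signature("no", sig, &mike_pub));
    return 0;
}
```

Only Mike's public key recovers the digest from the signature; Renee's own keys play no part in verification, which is exactly why the answer is C. Code signing is the same exchange with a release artifact as the message and the publisher's key pair in place of Mike's.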

5. Which of the following is a true statement in regard to vendor, consultant, and contractor controls? A. Using business email compromise (BEC) is a means to ensure that organizations providing services maintain an appropriate level of service agreed on by the service provider, vendor, or contractor and the customer organization. B. Outsourcing can be used as a risk response known as acceptance or appetite. C. Multiparty risk exists when several entities or organizations are involved in a project. The risks or threats are often due to the variations of objectives, expectations, timelines, budgets, and security priorities of those involved. D. Risk management strategies implemented by one party do not cause additional risks against or from another party.

C. Multiparty risk exists when several entities or organizations are involved in a project. The risks or threats are often due to the variations of objectives, expectations, timelines, budgets, and security priorities of those involved.

18. It's common to pair threats with vulnerabilities to identify threats that can exploit assets and represent significant risks to the organization. An ultimate goal of threat modeling is to prioritize the potential threats against an organization's valuable assets. Which of the following is a risk-centric threat modeling approach that aims at selecting or developing countermeasures in relation to the value of the assets to be protected? A. VAST B. SD3+C C. PASTA D. STRIDE

C. PASTA

Security should be designed and integrated into the organization as a means to support and maintain the business objectives. However, the only way to know if the implemented security is sufficient is to test it. Which of the following is a procedure designed to test and perhaps bypass a system's security controls? A. Logging usage data B. War dialing C. Penetration testing D. Deploying secured desktop workstations

C. Penetration testing

