ISC2 IT Q & A
Which one of the following activities is an example of an authorization process? A. User providing a password B. User passing a facial recognition check C. System logging user activity D. System consulting an access control list
D. System consulting an access control list #Whenever an access control list is involved, the activity is authorization!!!
Which evidence source should be collected first when considering the order of volatility? a) logs b) temporary files c) process information d) memory contents
d) memory contents
What type of technology prevents a forensic examiner from accidentally corrupting evidence while creating an image of a disk? a) evidence log b) sealed container c) hashing d) write blocker
d) write blocker NOTE: a write blocker is also called a forensic disk controller
Types of Access Controls
1) Context-dependent access control is based on the context of the access request, that is, facts about the data rather than what the object contains. 2) Least-privilege access control is based on the least amount of rights users need to perform their jobs, not on what is contained in the database. 3) Ownership-based access control is based on the owner of the data, not on what is contained in the database.
Gina recently took the SSCP certification exam and then wrote a blog post that included the text of many of the exam questions that she experienced. What aspect of the (ISC)2 code of ethics is most directly violated in this situation? A. Advance and protect the profession. B. Act honorably, honestly, justly, responsibly, and legally. C. Protect society, the common good, necessary public trust and confidence, and the infrastructure. D. Provide diligent and competent service to principals.
A. Advance and protect the profession. #Gina's actions harm the CISSP® certification and information security community by undermining the integrity of the examination process. While Gina is also acting dishonestly, the harm to the profession is the more direct violation of the code of ethics.
Which of the following is needed for System Accountability? A. Audit mechanisms. B. Documented design as laid out in the Common Criteria. C. Authorization. D. Formal verification of system design.
A. Audit mechanisms. #Audit mechanisms are a means of tracking user actions. Through the use of audit logs and other tools, user actions are recorded and can be reviewed at a later date to verify what actions were performed. Accountability is the ability to identify users and to track their actions.
What type of vulnerability scan accesses configuration information from the systems it is run against as well as information that can be accessed via services available via the network? A. Authenticated scans B. Web application scans C. Unauthenticated scans D. Port scans
A. Authenticated scans #Authenticated scans use a read-only account to access configuration files, allowing more accurate testing of vulnerabilities. Web application scans, unauthenticated scans, and port scans don't have access to configuration files unless they are inadvertently exposed.
John's network begins to experience symptoms of slowness. Upon investigation, he realizes that the network is being bombarded with TCP SYN packets and believes that his organization is the victim of a denial-of-service attack. What principle of information security is being violated? A. Availability B. Integrity C. Confidentiality D. Denial
A. Availability #A smurf attack is an example of a denial-of-service attack, which jeopardizes the availability of a targeted network.
The Computer Security Policy Model the Orange Book is based on is which of the following? A. Bell-LaPadula B. Data Encryption Standard C. Kerberos D. Tempest
A. Bell-LaPadula #The computer security policy model on which the Orange Book is based is the Bell-LaPadula model (Orange Book glossary). The Data Encryption Standard (DES) is a cryptographic algorithm (National Information Security Glossary). TEMPEST is related to limiting the electromagnetic emanations from electronic equipment.
A department manager has read access to the salaries of the employees in his/her department but not to the salaries of employees in other departments. A database security mechanism that enforces this policy would typically be said to provide which of the following? A. Content-dependent access control B. Context-dependent access control C. Least privileges access control D. Ownership-based access control
A. Content-dependent access control #When access control is based on the content of an object, it is considered to be content-dependent access control.
Which of the following is the most reliable, secure means of removing data from magnetic storage media such as a magnetic tape, or a cassette? A. Degaussing B. Parity Bit Manipulation C. Zeroization D. Buffer overflow
A. Degaussing #A degausser (otherwise known as a bulk eraser) has the main function of reducing to near zero the magnetic flux stored in the magnetized medium. Flux density is measured in gauss or tesla. The operation is faster than overwriting and is done in one short operation. This is achieved by subjecting the medium in bulk to a series of fields of alternating polarity and gradually decreasing strength.
Which one of the following is the first step in developing an organization's vital records program? A. Identifying vital records B. Locating vital records C. Archiving vital records D. Preserving vital records
A. Identifying vital records #An organization pursuing a vital records management program should begin by identifying all of the documentation that qualifies as a vital business record. This should include all of the records necessary to restart the business in a new location should the organization invoke its business continuity plan.
During what phase of the incident response process would security professionals analyze the process itself to determine whether any improvements are warranted? A. Lessons learned B. Remediation C. Recovery D. Reporting
A. Lessons learned #Only improvements pertain to lessons learned. New security controls applied to stop recurrence are considered remediation even though they are improvements. #During the lessons learned phase, analysts close out an incident by conducting a review of the entire incident response process. This may include making recommendations for improvements to the process that will streamline the efficiency and effectiveness of future incident response efforts.
What is the main concern with single sign-on? A. Maximum unauthorized access would be possible if a password is disclosed. B. The security administrator's workload would increase. C. The users' password would be too hard to remember. D. User access rights would be increased.
A. Maximum unauthorized access would be possible if a password is disclosed. #A major concern with Single Sign-On (SSO) is that if a user's ID and password are compromised, the intruder would have access to all the systems that the user was authorized for.
Which one of the following authentication mechanisms creates a problem for mobile users? A. Mechanisms based on IP addresses B. Mechanisms with reusable passwords C. One-time password mechanisms D. Challenge-response mechanisms
A. Mechanisms based on IP addresses #Anything based on a fixed IP address would be a problem for mobile users because their location and its associated IP address can change from one time to the next.
John deploys his website to multiple regions using load balancers around the world through his cloud infrastructure as a service provider. What availability concept is he using? A. Multiple processing sites B. Warm sites C. Cold sites D. A honeynet
A. Multiple processing sites #John's design provides multiple processing sites, distributing load to multiple regions. Not only does this provide business continuity and disaster recovery functionality, but it also means that his design will be more resilient to denial-of-service attacks.
Which of the following exemplifies proper separation of duties? A. Operators are not permitted to modify the system time. B. Programmers are permitted to use the system console. C. Console operators are permitted to mount tapes and disks. D. Tape operators are permitted to use the system console.
A. Operators are not permitted to modify the system time.
A confidential number used as an authentication factor to verify a user's identity is called a: A. PIN B. User ID C. Password D. Challenge
A. PIN #PIN Stands for Personal Identification Number
Angie is configuring egress monitoring on her network to provide added security. Which one of the following packet types should Angie allow to leave the network headed for the Internet? A. Packets with a source address from Angie's public IP address block B. Packets with a destination address from Angie's public IP address block C. Packets with a source address outside Angie's address block D. Packets with a source address from Angie's private address block
A. Packets with a source address from Angie's public IP address block #All packets leaving Angie's network should have a source address from her public IP address block. Packets with a destination address from Angie's network should not be leaving the network. Packets with source addresses from other networks are likely spoofed and should be blocked by egress filters. Packets with private IP addresses as sources or destinations should never be routed onto the Internet.
Which of the following is NOT a type of motion detector? A. Photoelectric sensor B. Passive infrared sensor C. Microwave sensor D. Ultrasonic sensor
A. Photoelectric sensor #A photoelectric sensor does not "directly" sense motion; instead, there is a narrow beam that won't set off the sensor unless the beam is broken. Photoelectric sensors, along with dry contact switches, are a type of perimeter intrusion detector.
Ben is selecting an encryption algorithm for use in an organization with 10,000 employees. He must facilitate communication between any two employees within the organization. Which one of the following algorithms would allow him to meet this goal with the least time dedicated to key management? A. RSA B. IDEA C. 3DES D. Skipjack
A. RSA #RSA is an asymmetric encryption algorithm that requires only two keys for each user. IDEA, 3DES, and Skipjack are all symmetric encryption algorithms and would require a key for every unique pair of users in the system.
What is the maximum penalty that may be imposed by an (ISC)2 peer review board when considering a potential ethics violation? A. Revocation of certification B. Termination of employment C. Financial penalty D. Suspension of certification
A. Revocation of certification #If the (ISC)2 peer review board finds that a certified individual has violated the (ISC)2 code of ethics, the board may revoke their certification. The board is not able to terminate an individual's employment or assess financial penalties.
Kathleen is implementing an access control system for her organization and builds the following array: Reviewers: update files, delete files; Submitters: upload files; Editors: upload files, update files; Archivists: delete files. What type of access control system has Kathleen implemented? A. Role-based access control B. Task-based access control C. Rule-based access control D. Discretionary access control
A. Role-based access control #Role-based access control gives each user an array of permissions based on their position in the organization, such as the scheme shown here. Task-based access control is not a standard approach. Rule-based access controls use rules that apply to all subjects, which isn't something we see in the list. Discretionary access control gives object owners rights to choose how the objects they own are accessed, which is not what this list shows.
Derek sets up a series of virtual machines that are automatically created in a completely isolated environment. Once created, the systems are used to run potentially malicious software and files. The actions taken by those files and programs are recorded and then reported. What technique is Derek using? A. Sandboxing B. Reverse engineering C. Malware disassembly D. Darknet analysis
A. Sandboxing #Derek has created a malware analysis sandbox and may opt to use tools like Cuckoo, Truman, Minibis, or a commercial analysis tool. If he pulls apart the files to analyze how they work, he would be engaging in reverse engineering, and doing code-level analysis of executable malware would require disassembly. Darknets are used to identify malicious traffic and aren't used in this way.
Ben is an information security professional at an organization that is replacing its physical servers with virtual machines. As the organization builds its virtual environment, it is decreasing the number of physical servers it uses while purchasing more powerful servers to act as the virtualization platforms. Ben is concerned about exploits that allow VM escape. What option should Ben suggest to help limit the impact of VM escape exploits? A. Separate virtual machines onto separate physical hardware based on task or data types. B. Use VM escape detection tools on the underlying hypervisor. C. Restore machines to their original snapshots on a regular basis. D. Use a utility like Tripwire to look for changes in the virtual machines.
A. Separate virtual machines onto separate physical hardware based on task or data types. #While virtual machine escape has been demonstrated only in laboratory environments, the threat is best dealt with by limiting what access to the underlying hypervisor would provide to a successful attacker. Segmenting by data types or access levels can limit the potential impact of a hypervisor compromise. If attackers can access the underlying system, restricting the breach to only similar data types or systems will limit the impact. Escape detection tools are not available on the market, restoring machines to their original snapshots will not prevent the exploit from occurring again, and Tripwire detects file changes and is unlikely to catch exploits that escape the virtual machines themselves. NOTE: Tripwire is a file integrity monitoring tool.
Which one of the following is not normally included in business continuity plan documentation? A. Statement of accounts B. Statement of importance C. Statement of priorities D. Statement of organizational responsibility
A. Statement of accounts #Business continuity plan documentation normally includes the continuity planning goals, a statement of importance, statement of priorities, statement of organizational responsibility, statement of urgency and timing, risk assessment and risk acceptance and mitigation documentation, a vital records program, emergency response guidelines, and documentation for maintaining and testing the plan.
Susan is reviewing files on a Windows workstation and believes that cmd.exe has been replaced with a malware package. Which of the following is the best way to validate her theory? A. Submit cmd.exe to VirusTotal. B. Compare the hash of cmd.exe to a known good version. C. Check the file using the National Software Reference Library. D. Run cmd.exe to make sure its behavior is normal.
A. Submit cmd.exe to VirusTotal. #Susan's best option is to submit the file to a tool like VirusTotal, which will scan it for virus-like behaviors and known malware tools. Checking the hash using either a manual check or by using the National Software Reference Library can tell her whether the file matches a known good version but won't tell her if it includes malware. Running a suspect file is the worst option on the list!
In the OSI model, when a packet changes from a datastream to a segment or a datagram, what layer has it traversed? A. The Transport layer B. The Application layer C. The Data Link layer D. The Physical layer
A. The Transport layer #When a data stream is converted into a segment (TCP) or a datagram (UDP), it transitions from the Session layer to the Transport layer. This change from a message sent to an encoded segment allows it to then traverse the Network layer.
Guards are appropriate whenever the function required by the security program involves which of the following? A. The use of discriminating judgment B. The use of physical force C. The operation of access control devices D. The need to detect unauthorized access
A. The use of discriminating judgment #Through the use of discriminating judgment, a guard can make determinations that hardware or other automated security devices cannot, because of the guard's ability to adjust to rapidly changing conditions, to learn and alter recognizable patterns, and to respond to various conditions in the environment. Guards are better at making value decisions at times of incidents. They are appropriate whenever immediate, discriminating judgment is required by the security entity. #A guard provides the ability to discern the need for physical force. #A guard prevents unauthorized access rather than detecting it, but may deter social engineering attempts.
In what virtualization model do full guest operating systems run on top of a virtualization platform? A. Virtual machines B. Software-defined networking C. Virtual SAN D. Application virtualization
A. Virtual machines #Virtual machines run full guest operating systems on top of a host platform known as the hypervisor.
Which of the following would assist the most in host-based intrusion detection? A. Audit trails B. Access control lists C. Security clearances D. Host-based authentication
A. Audit trails #To assist in intrusion detection, you would review audit logs for access violations.
The number of violations that will be accepted or forgiven before a violation record is produced is called which of the following? A. clipping level B. acceptance level C. forgiveness level D. logging level
A. clipping level #The correct answer is "clipping level". This is the point at which a system decides to take some sort of action when an action repeats a preset number of times. That action may be to log the activity, lock a user account, temporarily close a port, etc. #Acceptance level, forgiveness level, and logging level are nonsensical terms that do not exist (to my knowledge) within network security.
Which of the following is NOT a system-sensing wireless proximity card? A. magnetically striped card B. passive device C. field-powered device D. transponder
A. magnetically striped card
Which is the last line of defense in a physical security sense? A. people B. interior barriers C. exterior barriers D. perimeter barriers
A. people
Which of the following is NOT a technique used to perform a penetration test? A. traffic padding B. scanning and probing C. war dialing D. sniffing
A. traffic padding #Traffic padding is a countermeasure to traffic analysis.
Which NIST special publication covers the assessment of security and privacy controls? A. 800-12 B. 800-53A C. 800-34 D. 800-86
B. 800-53A #NIST SP 800-53A is titled "Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans" and covers methods for assessing and measuring controls. NIST 800-12 is an introduction to computer security, 800-34 covers contingency planning, and 800-86 is the "Guide to Integrating Forensic Techniques into Incident Response."
Ed has been tasked with identifying a service that will provide a low-latency, high-performance, and high-availability way to host content for his employer. What type of solution should he seek out to ensure that his employer's customers around the world can access their content quickly, easily, and reliably? A. A hot site B. A CDN C. Redundant servers D. A P2P CDN
B. A CDN #A content distribution network (CDN) is designed to provide reliable, low-latency, geographically distributed content distribution. In this scenario, a CDN is an ideal solution.
During a port scan, Susan discovers a system running services on TCP and UDP 137-139 and TCP 445, as well as TCP 1433. What type of system is she likely to find if she connects to the machine? A. A Linux email server B. A Windows SQL server C. A Linux file server D. A Windows workstation
B. A Windows SQL server #TCP and UDP ports 137-139 are used for NetBIOS services, whereas 445 is used for Active Directory. TCP 1433 is the default port for Microsoft SQL, indicating that this is probably a Windows server providing SQL services.
Using the OSI model, what format does the Data Link layer use to format messages received from higher up the stack? A. A data stream B. A frame C. A segment D. A datagram
B. A frame #When a message reaches the Data Link layer, it is called a frame. Data streams exist at the Application, Presentation, and Session layers, whereas segments and datagrams exist at the Transport layer (for TCP and UDP, respectively).
Your organization regularly handles three types of data: information that it shares with customers, information that it uses internally to conduct business, and trade secret information that offers the organization significant competitive advantages. Information shared with customers is used and stored on web servers, while both the internal business data and the trade secret information are stored on internal file servers and employee workstations. What type of encryption should you use on the file servers for the proprietary data, and how might you secure the data when it is in motion? A. TLS at rest and AES in motion B. AES at rest and TLS in motion C. VPN at rest and TLS in motion D. DES at rest and AES in motion
B. AES at rest and TLS in motion #AES is a strong modern symmetric encryption algorithm that is appropriate for encrypting data at rest. TLS is frequently used to secure data when it is in transit. A virtual private network is not necessarily an encrypted connection and would be used for data in motion, while DES is an outdated algorithm and should not be used for data that needs strong security.
Alice and Bob would like to use an asymmetric cryptosystem to communicate with each other. They are located in different parts of the country but have exchanged encryption keys by using digital certificates signed by a mutually trusted certificate authority. Which one of the following keys would Bob not possess in this scenario? A. Alice's public key B. Alice's private key C. Bob's public key D. Bob's private key
B. Alice's private key #Each user retains their private key as secret information. In this scenario, Bob would only have access to his own private key and would not have access to the private key of Alice or any other user.
Earlier this year, the information security team at Jim's employer identified a vulnerability in the web server that Jim is responsible for maintaining. He immediately applied the patch and is sure that it installed properly, but the vulnerability scanner has continued to incorrectly flag the system as vulnerable because of the version number it is finding even though Jim is sure the patch is installed. Which of the following options is Jim's best choice to deal with the issue? A. Uninstall and reinstall the patch. B. Ask the information security team to flag the system as patched and not vulnerable. C. Update the version information in the web server's configuration. D. Review the vulnerability report and use alternate remediation options.
B. Ask the information security team to flag the system as patched and not vulnerable. #Jim should ask the information security team to flag the issue as resolved if he is sure the patch was installed. Many vulnerability scanners rely on version information or banner information and may flag patched versions if the software provider does not update the information they see. Uninstalling and reinstalling the patch will not change this. Changing the version information may not change all of the details that are being flagged by the scanner and may cause issues at a later date. Reviewing the vulnerability information for a workaround may be a good idea but should not be necessary if the proper patch is installed; it can create maintenance issues later.
Which one of the following technologies is not normally a capability of mobile device management (MDM) solutions? A. Remotely wiping the contents of a mobile device B. Assuming control of a nonregistered BYOD mobile device C. Enforcing the use of device encryption D. Managing device backups
B. Assuming control of a nonregistered BYOD mobile device #MDM products do not have the capability of assuming control of a device not currently managed by the organization. This would be equivalent to hacking into a device owned by someone else and might constitute a crime.
Yolanda is writing a document that will provide configuration information regarding the minimum level of security that every system in the organization must meet. What type of document is she preparing? A. Policy B. Baseline C. Guideline D. Procedure
B. Baseline #Baselines provide the minimum level of security that every system throughout the organization must meet.
MAC models use three types of environments. Which of the following is not a mandatory access control design? A. Hierarchical B. Bracketed C. Compartmentalized D. Hybrid
B. Bracketed #Mandatory access control systems can be hierarchical, where each domain is ordered and related to other domains above and below it; compartmentalized, where there is no relationship between each domain; or hybrid, where both hierarchy and compartments are used. There is no concept of bracketing in mandatory access control design.
As part of his team's forensic investigation process, Matt signs drives and other evidence out of storage before working with them. What type of documentation is he creating? A. Criminal B. Chain of custody C. Civil D. CYA
B. Chain of custody #Matt is helping to maintain the chain of custody documentation for his electronic evidence. This can be important if his organization needs to prove that the digital evidence they handled has not been tampered with. A better process would involve more than one person to ensure that no tampering was possible.
Jasper Diamonds is a jewelry manufacturer that markets and sells custom jewelry through their website. Bethany is the manager of Jasper's software development organization, and she is working to bring the company into line with industry standard practices. She is developing a new change management process for the organization and wants to follow commonly accepted approaches. Who should the organization appoint to manage the policies and procedures surrounding change management? A. Project manager B. Change manager C. System security officer D. Architect
B. Change manager #Organizations adopting change management practices should appoint a change manager who will be responsible for managing policies and procedures. The change manager is also responsible for developing and maintaining the processes for requesting, approving, testing, and controlling changes.
During a forensic investigation, Charles discovers that he needs to capture a virtual machine that is part of the critical operations of his company's website. If he cannot suspend or shut down the machine for business reasons, what imaging process should he follow? A. Perform a snapshot of the system, boot it, suspend the copied version, and copy the directory it resides in. B. Copy the virtual disk files and then use a memory capture tool. C. Escalate to management to get permission to suspend the system to allow a true forensic copy. D. Use a tool like the Volatility Framework to capture the live machine completely.
B. Copy the virtual disk files and then use a memory capture tool. #If business concerns override his ability to suspend the system, the best option that Charles has is to copy the virtual disk files and then use a live memory imaging tool. This will give him the best forensic copy achievable under the circumstances. Snapshotting the system and booting it will result in a loss of live memory artifacts. Escalating may be possible in some circumstances, but the scenario specifies that the system must remain online. Finally, Volatility can capture memory artifacts, but is not designed to capture a full virtual machine.
Which one of the following investigation types always uses the beyond-a-reasonable-doubt standard of proof? A. Civil investigation B. Criminal investigation C. Operational investigation D. Regulatory investigation
B. Criminal investigation #Criminal investigations have high stakes with severe punishment for the offender that may include incarceration. Therefore, they use the strictest standard of evidence of all investigations: beyond a reasonable doubt. #Civil investigations use a preponderance-of-the-evidence standard. Regulatory investigations may use whatever standard is appropriate for the venue where the evidence will be heard. This may include the beyond-a-reasonable-doubt standard, but it is not always used in regulatory investigations. Operational investigations do not use a standard of evidence.
Alex is preparing to solicit bids for a penetration test of his company's network and systems. He wants to maximize the effectiveness of the testing rather than the realism of the test. What type of penetration test should he require in his bidding process? A. Black box B. Crystal box C. Gray box D. Zero box
B. Crystal box #Crystal-box penetration testing, which is also sometimes called white-box penetration testing, provides the tester with information about networks, systems, and configurations, allowing highly effective testing. It doesn't simulate an actual attack the way black- and gray-box testing can and thus does not have the same realism, and it can lead to attacks succeeding that would fail in a zero- or limited-knowledge attack.
Florian and Tobias would like to begin communicating using a symmetric cryptosystem, but they have no prearranged secret and are not able to meet in person to exchange keys. What algorithm can they use to securely exchange the secret key? A. IDEA B. Diffie-Hellman C. RSA D. MD5
B. Diffie-Hellman #The Diffie-Hellman algorithm allows for the secure exchange of symmetric encryption keys over a public network.
Fred's company wants to ensure the integrity of email messages sent via its central email servers. If the confidentiality of the messages is not critical, what solution should Fred suggest? A. Digitally sign and encrypt all messages to ensure integrity. B. Digitally sign but don't encrypt all messages. C. Use TLS to protect messages, ensuring their integrity. D. Use a hashing algorithm to provide a hash in each message to prove that it hasn't changed.
B. Digitally sign but don't encrypt all messages. #Fred's company needs to protect integrity, which can be accomplished by digitally signing messages. Any change will cause the signature to be invalid. Encrypting isn't necessary because the company does not want to protect confidentiality. TLS can provide in-transit protection but won't protect integrity of the messages, and of course a hash used without a way to verify that the hash wasn't changed won't ensure integrity either.
Ben is seeking a control objective framework that is widely accepted around the world and focuses specifically on information security controls. Which one of the following frameworks would best meet his needs? A. ITIL B. ISO 27002 C. CMM D. PMBOK Guide
B. ISO 27002 #ISO 27002 is an international standard focused on information security and titled "Information technology—Security techniques—Code of practice for information security management." The Information Technology Infrastructure Library (ITIL) does contain security management practices, but it is not the sole focus of the document, and the ITIL security section is derived from ISO 27002. The Capability Maturity Model (CMM) is focused on software development, and the Project Management Body of Knowledge (PMBOK) Guide focuses on project management.
What is the primary advantage of decentralized access control? A. It provides better redundancy. B. It provides control of access to people closer to the resources. C. It is less expensive. D. It provides more granular control of access.
B. It provides control of access to people closer to the resources. #Decentralized access control empowers people closer to the resources to control access but does not provide consistent control. It does not provide redundancy, since it merely moves control points, the cost of access control depends on its implementation and methods, and granularity can be achieved in both centralized and decentralized models.
James has opted to implement a NAC solution that uses a post-admission philosophy for its control of network connectivity. What type of issues can't a strictly post-admission policy handle? A. Out-of-band monitoring B. Preventing an unpatched laptop from being exploited immediately after connecting to the network C. Denying access when user behavior doesn't match an authorization matrix D. Allowing user access when user behavior is allowed based on an authorization matrix
B. Preventing an unpatched laptop from being exploited immediately after connecting to the network #A post-admission philosophy allows or denies access based on user activity after connection. Since this doesn't check the status of a machine before it connects, it can't prevent the exploit of the system immediately after connection. This doesn't preclude out-of-band or in-band monitoring, but it does mean that a strictly post-admission policy won't handle system checks before the systems are admitted to the network.
Brandon observes that an authorized user of a system on his network recently misused his account to exploit a system vulnerability against a shared server that allowed him to gain root access to that server. What type of attack took place? A. Denial-of-service B. Privilege escalation C. Reconnaissance D. Brute force
B. Privilege escalation #The scenario describes a privilege escalation attack where a malicious insider with authorized access to a system misused that access to gain privileged credentials.
As part of hiring a new employee, Kathleen's identity management team creates a new user object and ensures that the user object is available in the directories and systems where it is needed. What is this process called? A. Registration B. Provisioning C. Population D. Authenticator loading
B. Provisioning #Provisioning includes the creation, maintenance, and removal of user objects from applications, systems, and directories. Registration occurs when users are enrolled in a biometric system; population and authenticator loading are not common industry terms.
What type of access control is typically used by firewalls? A. Discretionary access controls B. Rule-based access controls C. Task-based access control D. Mandatory access controls
B. Rule-based access controls #Firewalls use rule-based access control in their access control lists and apply rules created by administrators to all traffic that passes through them. DAC, or discretionary access control, allows owners to determine who can access objects they control, while task-based access control lists tasks for users. MAC, or mandatory access control, uses classifications to determine access.
Ben has written the password hashing system for the web application he is building. His password hashing function produces the following results for a series of passwords:
hash (password1 + 07C98BFE4CF67B0BFE2643B5B22E2D7D) = 10B222970537B97919DB36EC757370D2
hash (password2 + 07C98BFE4CF67B0BFE2643B5B22E2D7D) = F1F16683F3E0208131B46D37A79C8921
What flaw has Ben introduced with his hashing implementation? A. Plaintext salting B. Salt reuse C. Use of a short salt D. Poor salt algorithm selection
B. Salt reuse #Ben is reusing his salt. When the same salt is used for each hash, all users with the same password will have the same hash, and the attacker can either attempt to steal the salt or may attempt to guess the salt by targeting the most frequent hash occurrences based on commonly used passwords. Short salts are an issue, but the salts used here are 32 bytes (256 bits) long. There is no salting algorithm used or mentioned here; salt is an added value for a hash, and plaintext salting is a made-up term.
The Acme Widgets Company is putting new controls in place for its accounting department. Management is concerned that a rogue accountant may be able to create a new false vendor and then issue checks to that vendor as payment for services that were never rendered. What security control can best help prevent this situation? A. Mandatory vacation B. Separation of duties C. Defense in depth D. Job rotation
B. Separation of duties #When following the separation of duties principle, organizations divide critical tasks into discrete components and ensure that no one individual has the ability to perform both actions. This prevents a single rogue individual from performing that task in an unauthorized manner.
Ben's organization has had an issue with unauthorized access to applications and workstations during the lunch hour when employees aren't at their desk. What are the best types of session management solutions for Ben to recommend to help prevent this type of access? A. Use session IDs for all access and verify system IP addresses of all workstations. B. Set session timeouts for applications and use password-protected screensavers with inactivity time-outs on workstations. C. Use session IDs for all applications and use password protected screensavers with inactivity timeouts on workstations. D. Set session timeouts for applications and verify system IP addresses of all workstations.
B. Set session timeouts for applications and use password-protected screensavers with inactivity time-outs on workstations. #Since physical access to the workstations is part of the problem, setting application timeouts and password-protected screensavers with relatively short inactivity timeouts can help prevent unauthorized access. Using session IDs for all applications and verifying system IP addresses would be helpful for online attacks against applications.
Which of the following attacks could capture network user passwords? A. Data diddling B. Sniffing C. IP Spoofing D. Smurfing
B. Sniffing #A network sniffer captures a copy of every packet that traverses the network segment the sniffer is connected to. #Sniffers are typically devices that can collect information from a communication medium, such as a network. These devices can range from specialized equipment to basic workstations with customized software. #Data diddling involves changing data before or as it is entered into a computer, or after it is extracted. #Smurfing would refer to the smurf attack, where an attacker sends spoofed packets to the broadcast address on a gateway in order to cause a denial of service.
Which of the following is the most reliable authentication method for remote access? A. Variable callback system B. Synchronous token C. Fixed callback system D. Combination of callback and caller ID
B. Synchronous token #A synchronous token generates a one-time password that is only valid for a short period of time.
Sonia recently removed an encrypted hard drive from a laptop and moved it to a new device because of a hardware failure. She is having difficulty accessing encrypted content on the drive despite knowing the user's password. What hardware security feature is likely causing this problem? A. TCB B. TPM C. NIACAP D. RSA
B. TPM #The Trusted Platform Module (TPM) is a hardware security technique that stores an encryption key on a chip on the motherboard and prevents someone from accessing an encrypted drive by installing it in another computer.
A denial-of-service (DoS) attack that sends fragmented TCP packets is known as what kind of attack? A. Christmas tree B. Teardrop C. Stack killer D. Frag grenade
B. Teardrop #A teardrop attack uses fragmented packets to target a flaw in how the TCP stack on a system handles fragment reassembly. If the attack is successful, the TCP stack fails, resulting in a denial of service. Christmas tree attacks set all of the possible TCP flags on a packet, thus "lighting it up like a Christmas tree." Stack killer and frag grenade attacks are made-up answers.
In Mandatory Access Control, sensitivity labels attached to objects contain what information? A. The item's classification B. The item's classification and category set C. The item's category D. The item's need to know
B. The item's classification and category set #A sensitivity label must contain at least one classification and one category set.
As part of his incident response process, Charles securely wipes the drive of a compromised machine and reinstalls the operating system (OS) from original media. Once he is done, he patches the machine fully and applies his organization's security templates before reconnecting the system to the network. Almost immediately after the system is returned to service, he discovers that it has reconnected to the same botnet it was part of before. Where should Charles look for the malware that is causing this behavior? A. The operating system partition B. The system BIOS or firmware C. The system memory D. The installation media
B. The system BIOS or firmware #The system Charles is remediating may have a firmware or BIOS infection, with malware resident on the system board. While uncommon, this type of malware can be difficult to find and remove. Since he used original media, it is unlikely that the malware came from the software vendor. Charles wiped the system partition, and the system would have been rebooted before being rebuilt, thus clearing system memory.
What layer of the OSI model is associated with datagrams? A. Session B. Transport C. Network D. Data Link
B. Transport #When data reaches the Transport layer, it is sent as segments (TCP) or datagrams (UDP). Above the Transport layer, data becomes a data stream, while below the Transport layer it is converted to packets at the Network layer, frames at the Data Link layer, and bits at the Physical layer.
Chris is responsible for his organization's security standards and has guided the selection and implementation of a security baseline for Windows PCs in his organization. How can Chris most effectively make sure that the workstations he is responsible for are being checked for compliance and that settings are being applied as necessary? A. Assign users to spot-check baseline compliance. B. Use Microsoft Group Policy. C. Create startup scripts to apply policy at system start. D. Periodically review the baselines with the data owner and system owners.
B. Use Microsoft Group Policy. #Group Policy provides the ability to monitor and apply settings in a security baseline. Manual checks by users and using startup scripts provide fewer reviews and may be prone to failure, while periodic review of the baseline won't result in compliance being checked.
The company that Lauren works for is making significant investments in infrastructure as a service hosting to replace its traditional data center. Members of her organization's management have expressed concerns about data remanence when Lauren's team moves from one virtual host to another in their cloud service provider's environment. What should she instruct her team to do to avoid this concern? A. Zero-wipe drives before moving systems. B. Use full disk encryption. C. Use data masking. D. Span multiple virtual disks to fragment data.
B. Use full disk encryption. #Remember FDE!! #Lauren's team should use full disk encryption or volume encryption and should secure the encryption keys properly. This will ensure that any data that remains cannot be exposed to future users of the virtual infrastructure. While many cloud providers have implemented technology to ensure that this won't happen, Lauren can avoid any potential issues by ensuring that she has taken proactive action to prevent data exposure. #Using a zero wipe is often impossible because virtual environments may move without her team's intervention, data masking will not prevent unmasked data or temporary data stored on the virtual disks from being exposed, and spanning multiple virtual disks will still leave data accessible, albeit possibly in fragmented form.
In a software as a service cloud computing environment, who is normally responsible for ensuring that appropriate firewall controls are in place to protect the application? A. Customer's security team B. Vendor C. Customer's networking team D. Customer's infrastructure management team
B. Vendor #In a software as a service environment, the customer has no access to any underlying infrastructure, so firewall management is a vendor responsibility under the cloud computing shared responsibility model.
Kim is the system administrator for a small business network that is experiencing security problems. She is in the office in the evening working on the problem, and nobody else is there. As she is watching, she can see that systems on the other side of the office that were previously behaving normally are now exhibiting signs of infection. What type of malware is Kim likely dealing with? A. Virus B. Worm C. Trojan horse D. Logic bomb
B. Worm #Worms have built-in propagation mechanisms that do not require user interaction, such as scanning for systems containing known vulnerabilities and then exploiting those vulnerabilities to gain access. Viruses and Trojan horses typically require user interaction to spread. Logic bombs do not spread from system to system but lie in wait until certain conditions are met, triggering the delivery of their payload.
In his role as a forensic examiner, Lucas has been asked to produce forensic evidence related to a civil case. What is this process called? A. Criminal forensics B. eDiscovery C. Cyber production D. Civil tort
B. eDiscovery #When forensic evidence or information is produced for a civil case, it is called eDiscovery. This type of discovery often involves massive amounts of data including email, files, text messages, and any other electronic evidence that is relevant to the case.
Kerberos can prevent which one of the following attacks? A. tunneling attack. B. playback (replay) attack. C. destructive attack. D. process attack.
B. playback (replay) attack. #Each ticket in Kerberos has a timestamp and is subject to time expiration to help prevent these types of attacks.
Henry is the risk manager for Atwood Landing, a resort community in the midwestern United States. The resort's main data center is located in northern Indiana in an area that is prone to tornados. Henry recently undertook a replacement cost analysis and determined that rebuilding and reconfiguring the data center would cost $10 million. Henry consulted with tornado experts, data center specialists, and structural engineers. Together, they determined that a typical tornado would cause approximately $5 million of damage to the facility. The meteorologists determined that Atwood's facility lies in an area where they are likely to experience a tornado once every 200 years. Based upon the information in this scenario, what is the exposure factor for the effect of a tornado on Atwood Landing's data center? A. 10 percent B. 25 percent C. 50 percent D. 75 percent
C. 50 percent #Exposure factor = amount of damage / asset value, so here $5 million / $10 million = 50 percent.
During a penetration test, Chris recovers a file containing hashed passwords for the system he is attempting to access. What type of attack is most likely to succeed against the hashed passwords? A. A brute-force attack B. A pass-the-hash attack C. A rainbow table attack D. A salt recovery attack
C. A rainbow table attack #Rainbow tables are databases of prehashed passwords paired with high-speed lookup functions. Since they can quickly compare known hashes against those in a file, using rainbow tables is the fastest way to quickly determine passwords from hashes. A brute-force attack may eventually succeed but will be very slow against most hashes. Pass-the-hash attacks rely on sniffed or otherwise acquired NTLM or LanMan hashes being sent to a system to avoid the need to know a user's password. Salts are data added to a hash to avoid the use of tools like rainbow tables. A salt added to a password means the hash won't match a rainbow table generated without the same salt.
Which one of the following mobile device strategies is most likely to result in the introduction of vulnerable devices to a network? A. COPE B. TLS C. BYOD D. MDM
C. BYOD #Bring your own device (BYOD) strategies allow users to operate personally owned devices on corporate networks. These devices are more likely to contain vulnerabilities than those managed under a mobile device management (MDM) system or a corporate-owned, personally enabled (COPE) strategy. Transport Layer Security (TLS) is a network encryption protocol, not a mobile device strategy.
Which one of the following tools helps system administrators by providing a standard, secure template of configuration settings for operating systems and applications? A. Security guidelines B. Security policy C. Baseline configuration D. Running configuration
C. Baseline configuration #Baseline configurations serve as the starting point for configuring secure systems and applications. They contain the security settings necessary to comply with an organization's security policy and may then be customized to meet the specific needs of an implementation. While security policies and guidelines may contain information needed to secure a system, they do not contain a set of configuration settings that may be applied to a system. The running configuration of a system is the set of currently applied settings, which may or may not be secure.
Who developed one of the first mathematical models of a multilevel-security computer system? A. Diffie and Hellman. B. Clark and Wilson. C. Bell and LaPadula. D. Gasser and Lipner.
C. Bell and LaPadula. #In 1973 Bell and LaPadula created the first mathematical model of a multilevel security system. #Diffie and Hellman were involved with cryptography. #The Clark-Wilson model came later, in 1987. #Gasser and Lipner is a distractor.
What business process typically requires sign-off from a manager before modifications are made to a system? A. SDN B. Release management C. Change management D. Versioning
C. Change management #Change management typically requires sign-off from a manager or supervisor before changes are made. This helps to ensure proper awareness and communication. SDN stands for software-defined networking, release management is the process that new software releases go through to be accepted, and versioning is used to differentiate versions of software, code, or other objects.
Susan has discovered that the smart card-based locks used to keep the facility she works at secure are not effective because staff members are propping the doors open. She places signs on the doors reminding staff that leaving the door open creates a security issue, and she adds alarms that will sound if the doors are left open for more than five minutes. What type of controls has she put into place? A. Physical B. Administrative C. Compensation D. Recovery
C. Compensation #She has placed compensation controls in place. Compensation controls are used when controls like the locks in this example are not sufficient. While the alarm is a physical control, the signs she posted are not. Similarly, the alarms are not administrative controls. These controls do not help to recover from an issue and are thus not recovery controls.
Tara recently detected a security incident in progress on her network. What action should be her highest priority at this point? A. Eradication B. Recovery C. Containment D. Detection
C. Containment #Tara's highest priority should be containing the damage to prevent the spread of the incident to other systems and networks. She has already detected the incident, so detection is not a priority. Eradication and recovery should occur only after the incident has been contained.
What is the process that occurs when the Session layer removes the header from data sent by the Transport layer? A. Encapsulation B. Packet unwrapping C. De-encapsulation D. Payloading
C. De-encapsulation #The process of removing a header (and possibly a footer) from the data received from a previous layer in the OSI model is known as de-encapsulation. Encapsulation occurs when the header and/or footer are added. Payloads are part of a virus or malware package that are delivered to a target, and packet unwrapping is a made-up term.
During which phase of the incident response process would an analyst receive an intrusion detection system alert and verify its accuracy? A. Response B. Mitigation C. Detection D. Reporting
C. Detection #Both the receipt of alerts and the verification of their accuracy occur during the Detection phase of the incident response process.
When developing a business impact analysis, the team should first create a list of assets. What should happen next? A. Identify vulnerabilities in each asset. B. Determine the risks facing the asset. C. Develop a value for each asset. D. Identify threats facing each asset.
C. Develop a value for each asset. #After identify comes develop. This is the second step, so you can disregard answers with identify... duhh!!! #After developing a list of assets, the business impact analysis team should assign values to each asset.
Gordon is developing a business continuity plan for a manufacturing company's IT operations. The company is located in North Dakota and is currently evaluating the risk of earthquake. They choose to pursue a risk acceptance strategy. Which one of the following actions is consistent with that strategy? A. Purchasing earthquake insurance B. Relocating the data center to a safer area C. Documenting the decision-making process D. Reengineering the facility to withstand the shock of an earthquake
C. Documenting the decision-making process #In a risk acceptance strategy, the organization chooses to take no action other than documenting the risk. Purchasing insurance would be an example of risk transference. Relocating the data center would be risk avoidance. Reengineering the facility is an example of a risk mitigation strategy.
Which one of the following is not normally considered a business continuity task? A. Business impact assessment B. Emergency response guidelines C. Electronic vaulting D. Vital records program
C. Electronic vaulting #Electronic vaulting is a data backup task that is part of disaster recovery, not business continuity, efforts.
Veronica is considering the implementation of a database recovery mechanism recommended by a consultant. In the recommended approach, an automated process will move database backups from the primary facility to an off-site location each night. What type of database recovery technique is the consultant describing? A. Remote journaling B. Remote mirroring C. Electronic vaulting D. Transaction logging
C. Electronic vaulting #In an electronic vaulting approach, automated technology moves database backups from the primary database server to a remote site on a scheduled basis, typically daily. Transaction logging is not a recovery technique alone; it is a process for generating the logs used in remote journaling. Remote journaling transfers transaction logs to a remote site on a more frequent basis than electronic vaulting, typically hourly. Remote mirroring maintains a live database server at the backup site and mirrors all transactions at the primary site on the server at the backup site.
Which one of the following information sources is most likely to detect a security incident involving unauthorized modification of information by an employee? A. Intrusion detection system B. Antivirus software C. File integrity monitoring system D. Firewall logs
C. File integrity monitoring system #In this case, the person perpetrating the security incident is an employee. This person is likely able to bypass many of the organization's security controls, and the activity would not likely be identified by an intrusion detection system or firewall logs. There is no mention of malicious software, so antivirus software would also be unlikely to detect the issue. However, file integrity monitoring systems would likely detect the unauthorized data modification.
The organization that Ben works for has a traditional on-site Active Directory environment that uses a manual provisioning process for each addition to their 350-employee company. As the company adopts new technologies, they are increasingly using software as a service applications to replace their internally developed software stack. Ben has been tasked with designing an identity management implementation that will allow his company to use cloud services while supporting their existing systems. Using the logical diagram shown here, answer the following question about the identity recommendations Ben should make. If availability of authentication services is the organization's biggest priority, what type of identity platform should Ben recommend? A. On-site B. Cloud-based C. Hybrid D. Outsourced
C. Hybrid #A hybrid authentication service can provide authentication services both in the cloud and on-premises, ensuring that service outages due to interrupted links are minimized. An on-site service would continue to work during an Internet outage but would not allow the e-commerce website to authenticate, while a cloud service would leave the corporate location offline. Outsourcing authentication does not indicate whether the solution is on or off premises, and thus isn't a useful answer.
During a review of access logs, Alex notices that Danielle logged into her workstation in New York at 8 a.m. daily but that she was recorded as logging into her department's main web application shortly after 3 a.m. daily. What common logging issue has Alex likely encountered? A. Inconsistent log formatting B. Modified logs C. Inconsistent timestamps D. Multiple log sources
C. Inconsistent timestamps #Inconsistent time stamps are a common problem, often caused by improperly set time zones or because of differences in how system clocks are set. In this case, a consistent time difference often indicates that one system uses local time, and the other is using Greenwich mean time (GMT). Logs from multiple sources tend to cause problems with centralization and collection, whereas different log formats can create challenges in parsing log data. Finally, modified logs are often a sign of intrusion or malicious intent.
Which of the following is true about Kerberos? A. It utilizes public key cryptography. B. It encrypts data after a ticket is granted, but passwords are exchanged in plain text. C. It depends upon symmetric ciphers. D. It is a second party authentication system.
C. It depends upon symmetric ciphers. #Kerberos depends on secret keys (symmetric ciphers). Kerberos is a third-party authentication protocol. It was designed and developed in the mid-1980s by MIT. It is considered open source but is copyrighted and owned by MIT. It relies on the user's secret keys. The password is used to encrypt and decrypt the keys.
Tom is a cryptanalyst and is working on breaking a cryptographic algorithm's secret key. He has a copy of an intercepted message that is encrypted, and he also has a copy of the decrypted version of that message. He wants to use both the encrypted message and its decrypted plaintext to retrieve the secret key for use in decrypting other messages. What type of attack is Tom engaging in? A. Chosen ciphertext B. Chosen plaintext C. Known plaintext D. Brute force
C. Known plaintext #In a known plaintext attack, the attacker has a copy of the encrypted message along with the plaintext message used to generate that ciphertext.
Mandatory access control is based on what type of model? A. Discretionary B. Group-based C. Lattice-based D. Rule-based
C. Lattice-based #Mandatory access control systems are based on a lattice-based model. Lattice-based models use a matrix of classification labels to compartmentalize data. Discretionary access models allow object owners to determine access to the objects they control, role-based access controls are often group-based, and rule-based access controls like firewall ACLs apply rules to all subjects they apply to.
During what phase of the incident response process do administrators take action to limit the effect or scope of an incident? A. Detection B. Response C. Mitigation D. Recovery
C. Mitigation #The Mitigation phase of incident response focuses on actions that can contain the damage incurred during an incident. This includes limiting the scope and/or effectiveness of the incident.
Juniper Content is a web content development company with 40 employees located in two offices: one in New York and a smaller office in the San Francisco Bay Area. Each office has a local area network protected by a perimeter firewall. The local area network (LAN) contains modern switch equipment connected to both wired and wireless networks. Each office has its own file server, and the information technology (IT) team runs software every hour to synchronize files between the two servers, distributing content between the offices. These servers are primarily used to store images and other files related to web content developed by the company. The team also uses a SaaS-based email and document collaboration solution for much of their work. You are the newly appointed IT manager for Juniper Content, and you are working to augment existing security controls to improve the organization's security. You are also concerned about the availability of data stored on each office's server. You would like to add technology that would enable continued access to files located on the server even if a hard drive in a server fails. What integrity control allows you to add robustness without adding additional servers? A. Server clustering B. Load balancing C. RAID D. Scheduled backups
C. RAID #RAID uses additional hard drives to protect the server against the failure of a single device. Load balancing and server clustering do add robustness but require the addition of a server. Scheduled backups protect against data loss but do not provide immediate access to data in the event of a hard drive failure.
Elaine is developing a business continuity plan for her organization. What value should she seek to minimize? A. AV B. SSL C. RTO D. MTO
C. RTO #The goal of business continuity planning exercises is to reduce the amount of time required to restore operations. This is done by minimizing the recovery time objective (RTO).
Which of the following vulnerabilities is unlikely to be found by a web vulnerability scanner? A. Path disclosure B. Local file inclusion C. Race condition D. Buffer overflow
C. Race condition #Path disclosures, local file inclusions, and buffer overflows are all vulnerabilities that may be found by a web vulnerability scanner, but race conditions that take advantage of timing issues tend to be found either by code analysis or using automated tools that specifically test for race conditions as part of software testing.
During a system audit, Casey notices that the private key for her organization's web server has been stored in a public Amazon S3 storage bucket for more than a year. What should she do? A. Remove the key from the bucket. B. Notify all customers that their data may have been exposed. C. Request a new certificate using a new key. D. Nothing, because the private key should be accessible for validation
C. Request a new certificate using a new key. #The first thing Casey should do is notify her management, but after that, replacing the certificate and using proper key management practices with the new certificate's key should be at the top of her list.
The separation of network infrastructure from the control layer, combined with the ability to centrally program a network design in a vendor-neutral, standards-based implementation, is an example of what important concept? A. MPLS, a way to replace long network addresses with shorter labels and support a wide range of protocols B. FCoE, a converged protocol that allows common applications over Ethernet C. SDN, a converged protocol that allows network virtualization D. CDN, a converged protocol that makes common network designs accessible
C. SDN, a converged protocol that allows network virtualization #control layer!! #Not CDN, it's SDN. #Software-defined networking (SDN) is a converged protocol that allows virtualization concepts and practices to be applied to networks. MPLS handles a wide range of protocols like ATM, DSL, and others, but isn't intended to provide the centralization capabilities that SDN does. Content distribution network (CDN) is not a converged protocol, and FCoE is Fibre Channel over Ethernet, a converged protocol for storage.
Lauren needs to send information about services she is provisioning to a third-party organization. What standards-based markup language should she choose to build the interface? A. SAML B. SOAP C. SPML D. XACML
C. SPML #Service Provisioning Markup Language, or SPML, is an XML-based language designed to allow platforms to generate and respond to provisioning requests. SAML is used to exchange authorization and authentication data, while XACML is used to describe access controls. SOAP, or Simple Object Access Protocol, is a messaging protocol and could be used for any XML messaging but is not a markup language itself.
Chris is responsible for workstations throughout his company and knows that some of the company's workstations are used to handle proprietary information. Which option best describes what should happen at the end of their lifecycle for workstations he is responsible for? A. Erasing B. Clearing C. Sanitization D. Destruction
C. Sanitization #Sanitization is a combination of processes that ensure that data from a system cannot be recovered by any means. Erasing and clearing are both prone to mistakes and technical problems that can result in remnant data and don't make sense for systems that handled proprietary information. Destruction is the most complete method of ensuring that data cannot be exposed, and some organizations opt to destroy the entire workstation, but that is not a typical solution because of the cost involved.
Which of the following tools is not typically used to verify that a provisioning process was followed in a way that ensures that the organization's security policy is being followed? A. Log review B. Manual review of permissions C. Signature-based detection D. Review the audit trail
C. Signature-based detection #While signature-based detection is used to detect attacks, review of provisioning processes typically involves checking logs, reviewing the audit trail, or performing a manual review of permissions granted during the provisioning process.
Ben uses a software-based token that changes its code every minute. What type of token is he using? A. Asynchronous B. Smart card C. Synchronous D. Static
C. Synchronous #Synchronous soft tokens, such as Google Authenticator, use a time-based algorithm that generates a constantly changing series of codes. Asynchronous tokens typically require a challenge to be entered on the token to allow it to calculate a response, which the server compares to the response it expects. Smart cards typically present a certificate but may have other token capabilities built in. Static tokens are physical devices that can contain credentials and include smart cards and memory cards.
Lauren is responsible for building a banking website. She needs proof of the identity of the users who register for the site. How should she validate user identities? A. Require users to create unique questions that only they will know. B. Require new users to bring their driver's license or passport in person to the bank. C. Use information that both the bank and the user have such as questions pulled from their credit report. D. Call the user on their registered phone number to verify that they are who they claim to be.
C. Use information that both the bank and the user have such as questions pulled from their credit report. #Identity proofing can be done by comparing user information that the organization already has, such as account numbers or personal information. Requiring users to create unique questions can help with future support by providing a way for them to do password resets.
The primary service provided by Kerberos is which of the following? A. non-repudiation B. confidentiality C. authentication D. authorization
C. authentication #Kerberos is an authentication service. It can use single-factor or multi-factor authentication methods. #Since Kerberos deals primarily with symmetric cryptography, it does not help with non-repudiation, only with confidentiality. #Authorization is not a primary Kerberos service.
Which of the following is not a logical control when implementing logical access security? A. access profiles. B. userids. C. employee badges. D. passwords.
C. employee badges. #Employee badges are considered a physical control, so they would not be a logical control.
Controls to keep password sniffing attacks from compromising computer systems include which of the following? A. static and recurring passwords. B. encryption and recurring passwords. C. one-time passwords and encryption. D. static and one-time passwords.
C. one-time passwords and encryption. #To minimize the chance of passwords being captured, one-time passwords would prevent a password sniffing attack because once a password is used it is no longer valid. Encryption will also minimize these types of attacks.
There are parallels between the trust models in Kerberos and Public Key Infrastructure(PKI). When we compare them side by side, Kerberos tickets correspond most closely to which of the following? A. public keys B. private keys C. public-key certificates D. private-key certificates
C. public-key certificates #A Kerberos ticket is issued by a trusted third party. It is an encrypted data structure that includes the service encryption key. In that sense it is similar to a public-key certificate. However, the ticket is not the key.
What type of attack is most likely to occur after a successful ARP spoofing attempt? A. A DoS attack B. A Trojan C. A replay attack D. A man-in-the-middle attack
D. A man-in-the-middle attack #ARP spoofing is often done to replace a target's cache entry for a destination IP, allowing the attacker to conduct a man-in-the-middle attack. A denial-of-service attack would be aimed at disrupting services rather than spoofing an ARP response, a replay attack will involve existing sessions, and a Trojan is malware that is disguised in a way that makes it look harmless.
What are the components of an object's sensitivity label? A. A Classification Set and a single Compartment. B. A single classification and a single compartment. C. A Classification Set and user credentials. D. A single classification and a Compartment Set.
D. A single classification and a Compartment Set.
Which component of IPsec provides authentication, integrity, and nonrepudiation? A. L2TP B. Encapsulating Security Payload C. Encryption Security Header D. Authentication Header
D. Authentication Header #The Authentication Header provides authentication, integrity, and nonrepudiation for IPsec connections. #The Encapsulating Security Payload provides encryption and thus provides confidentiality. It can also provide limited authentication. L2TP is an independent VPN protocol, and Encryption Security Header is a made-up term.
Which one of the following security programs is designed to establish a minimum standard common denominator of security understanding? A. Training B. Education C. Indoctrination D. Awareness
D. Awareness #Awareness establishes a minimum standard of information security understanding. It is designed to accommodate all personnel in an organization, regardless of their assigned tasks. NOTE: indoctrination is teaching a person or a group to accept a set of beliefs uncritically. For example: I would never subject children to religious indoctrination!
Linux systems that use bcrypt are using a tool based on what DES alternative encryption scheme? A. 3DES B. AES C. Diffie-Hellman D. Blowfish
D. Blowfish #Bcrypt is based on Blowfish (the b is a key hint here). AES and 3DES are both replacements for DES, while Diffie-Hellman is a protocol for key exchange.
Alice and Bob would like to use an asymmetric cryptosystem to communicate with each other. They are located in different parts of the country but have exchanged encryption keys by using digital certificates signed by a mutually trusted certificate authority. When Bob receives the encrypted message from Alice, what key does he use to decrypt the message? A. Alice's public key B. Alice's private key C. Bob's public key D. Bob's private key
D. Bob's private key #When Bob receives the message, he uses his own private key to decrypt it. Since he is the only one with his private key, he is the only one who should be able to decrypt it, thus preserving confidentiality.
Which one of the following cryptographic goals protects against the risks posed when a device is lost or stolen? A. Nonrepudiation B. Authentication C. Integrity D. Confidentiality
D. Confidentiality #The greatest risk when a device is lost or stolen is that sensitive data contained on the device will fall into the wrong hands. Confidentiality protects against this risk.
The company that Fred works for is reviewing the security of its company-issued cell phones. They issue 4G-capable smartphones running Android and iOS and use a mobile device management solution to deploy company software to the phones. The mobile device management software also allows the company to remotely wipe the phones if they are lost. Fred intends to attend a major hacker conference this year. What should he do when connecting to his cellular provider's 4G network while at the conference? A. Continue normal usage. B. Discontinue all usage; towers can be spoofed. C. Only use trusted Wi-Fi networks. D. Connect to his company's encrypted VPN service.
D. Connect to his company's encrypted VPN service. #Fred's best option is to use an encrypted, trusted VPN service to tunnel all of his data usage. Trusted Wi-Fi networks are unlikely to exist at a hacker conference, normal usage is dangerous due to the proliferation of technology that allows fake towers to be set up, and discontinuing all usage won't support Fred's business needs.
In discretionary access environments, which of the following entities is authorized to grant information access to other people? A. Manager B. Group Leader C. Security Manager D. Data Owner
D. Data Owner #In Discretionary Access Control (DAC) environments, the user who creates a file is also considered the owner and has full control over the file including the ability to set permissions for that file.
Ann is a security professional for a midsize business and typically handles log analysis and security monitoring tasks for her organization. One of her roles is to monitor alerts originating from the organization's intrusion detection system. The system typically generates several dozen alerts each day, and many of those alerts turn out to be false alarms after her investigation. This morning, the intrusion detection system alerted because the network began to receive an unusually high volume of inbound traffic. Ann received this alert and began looking into the origin of the traffic. As Ann analyzes the traffic further, she realizes that the traffic is coming from many different sources and has overwhelmed the network, preventing legitimate uses. The inbound packets are responses to queries that she does not see in outbound traffic. The responses are abnormally large for their type. What type of attack should Ann suspect? A. Reconnaissance B. Malicious code C. System penetration D. Denial of service
D. Denial of service #The attack described in this scenario has all of the hallmarks of a denial-of-service attack. More specifically, Ann's organization is likely experiencing a DNS amplification attack, where an attacker sends false requests to third-party DNS servers with a forged source IP address belonging to the targeted system. Because the attack uses UDP requests, there is no three-way handshake. The attack packets are carefully crafted to elicit a lengthy response from a short query. The purpose of these queries is to generate responses headed to the target system that are sufficiently large and numerous to overwhelm the targeted network or system.
What term is used to describe the default set of privileges assigned to a user when a new account is created? A. Aggregation B. Transitivity C. Baseline D. Entitlement
D. Entitlement #Entitlement refers to the privileges granted to users when an account is first provisioned. Aggregation is the accumulation of privileges over time. Transitivity is the inheritance of privileges and trust through relationships. Baselines are snapshots of a system or application's security that allow analysts to detect future modifications.
Which of the following is true of two-factor authentication? A. It uses the RSA public-key signature based on integers with large prime factors. B. It requires two measurements of hand geometry. C. It does not use single sign-on technology. D. It relies on two independent proofs of identity.
D. It relies on two independent proofs of identity. #Two-factor authentication refers to using two independent proofs of identity, such as something the user has (e.g. a token card) and something the user knows (a password).
An accounting employee at Doolittle Industries was recently arrested for participation in an embezzlement scheme. The employee transferred money to a personal account and then shifted funds around between other accounts every day to disguise the fraud for months. Which one of the following controls might have best allowed the earlier detection of this fraud? A. Separation of duties B. Least privilege C. Defense in depth D. Mandatory vacation
D. Mandatory vacation #Mandatory vacation programs require that employees take continuous periods of time off each year and revoke their system privileges during that time. This will ideally disrupt any attempt to engage in the cover-up actions necessary to hide fraud and result in exposing the threat. Separation of duties, least privilege, and defense in depth controls all may help prevent the fraud in the first place but are unlikely to speed the detection of fraud that has already occurred.
Glenda is investigating a potential privacy violation within her organization. The organization notified users that it was collecting data for product research that would last for six months and then disposed of the data at the end of that period. During the time that they had the data, they also used it to target a marketing campaign. Which principle of data privacy was most directly violated? A. Data minimization B. Accuracy C. Storage limitations D. Purpose limitations
D. Purpose limitations #In this case, the organization used the data that they collected for a purpose other than the one that they obtained consent for from the data subjects. This is a violation of purpose limitations. There is no evidence presented that the organization collected more data than was necessary, which would violate data minimization. They disposed of the data promptly, so there was no violation of storage limitations. There is also no indication that any of the data was inaccurate.
Retaining and maintaining information for as long as it is needed is known as what? A. Data storage policy B. Data storage C. Asset maintenance D. Record retention
D. Record retention #Record retention is the process of retaining and maintaining information for as long as it is needed. A data storage policy describes how and why data is stored, while data storage is the process of actually keeping the data. Asset maintenance is a process for maintaining physical assets that is not related to information security.
Chris wants to verify that a software package that he downloaded matches the original version. What hashing tool should he use if he believes that technically sophisticated attackers may have replaced the software package with a version containing a backdoor? A. MD5 B. 3DES C. SHA1 D. SHA 256
D. SHA 256 #Intentional collisions have been created with MD5, and a real-world collision attack against SHA 1 was announced in early 2017. 3DES is not a hashing tool, leaving SHA 256 (sometimes called SHA 2) as the only real choice that Chris has in this list.
What physical characteristic does a retinal scan biometric device measure? A. The amount of light reaching the retina B. The amount of light reflected by the retina C. The pattern of light receptors at the back of the eye D. The pattern of blood vessels at the back of the eye
D. The pattern of blood vessels at the back of the eye
A timely review of system access audit records would be an example of which of the basic security functions? A. avoidance. B. deterrence. C. prevention. D. detection.
D. detection. #Explanation: By reviewing system logs you can detect events that have occurred.
Examples of types of physical access controls include all EXCEPT which of the following? A. badges B. locks C. guards D. passwords
D. passwords #Passwords are considered a Preventive/Technical (logical) control.
Organizations should consider which of the following first before allowing external access to their LANs via the Internet? A. plan for implementing workstation locking mechanisms. B. plan for protecting the modem pool. C. plan for providing the user with his account usage information. D. plan for considering proper authentication options.
D. plan for considering proper authentication options. #Before a LAN is connected to the Internet, you need to determine which access control mechanisms will be used; this includes how you are going to authenticate individuals who may access your network externally.
A potential problem related to the physical installation of the Iris Scanner in regards to the usage of the iris pattern within a biometric system is: A. concern that the laser beam may cause eye damage B. the iris pattern changes as a person grows older. C. there is a relatively high rate of false accepts. D. the optical unit must be positioned so that the sun does not shine into the aperture.
D. the optical unit must be positioned so that the sun does not shine into the aperture. #Because the optical unit uses a camera and infrared light to create the images, sunlight can interfere with the aperture, so it must not be positioned in direct light of any type.
Federal law requires U.S. businesses to report verified security incidents to US-CERT. FALSE TRUE
FALSE
How would a network technician write the subnet mask 255.255.0.0 in slash notation? a) /16 b) /8 c) /32 d) /24
a) /16
What technology is commonly used to create software-defined networks over large distances? a) SD-WAN b) SD-LAN c) VXLAN d) CANBUS
a) SD-WAN
What router technology can be used to perform basic firewall functionality? a) access control lists b) flood guard c) spanning tree d) IPS
a) access control lists
Server logs are an example of _____ evidence. a) documentary b) testimonial c) real d) expert opinion
a) documentary
Which device would not typically be found in a DMZ? a) file server b) SSL accelerator c) load balancer d) web server
a) file server
What action can users take to overcome security flaws in RC4? a) it is not possible to use RC4 securely b) use three rounds of encryption c) use two rounds of encryption d) increase the key length
a) it is not possible to use RC4 securely
Three of these choices are data elements found in NetFlow data. Which is not? a) packet contents b) amount of data transferred c) destination address d) source address
a) packet contents
Cryptolocker is an example of what type of malicious software? a) ransomware b) spyware c) Trojan horse d) adware
a) ransomware
Which one of the following is NOT critical to the security of one-time pad operations? a) using aes in conjunction with the one-time pad b) choosing the key at random c) securely exchanging the pads d) only using the pad one time
a) using aes in conjunction with the one-time pad
Which service is an example of desktop virtualization? a) Amazon CloudFront b) Amazon Workspaces c) Amazon EC2 d) Amazon S3
b) Amazon Workspaces #Amazon Workspaces is a VDI service.
What algorithm uses the Blowfish cipher along with a salt to strengthen cryptographic keys? a) PBKDF1 b) Bcrypt c) Blowdart d) PBKDF2
b) Bcrypt
In the early 1990s, the National Security Agency attempted to introduce key escrow using what failed technology? a) Common certificates b) Clipper chip c) Common criteria d) DES
b) Clipper chip
What technique should network administrators use on switches to limit the exposure of sensitive network traffic? a) VLAN hopping b) VLAN pruning c) loop prevention d) spanning tree
b) VLAN pruning
What technology can help prevent denial of service attacks on a network? a) BGP b) flood guard c) VLAN hopping d) VLAN pruning
b) flood guard
What type of attacker is primarily concerned with advancing an ideological agenda? a) script kiddie b) hacktivist c) APT d) organized crime
b) hacktivist
What type of firewall rule error occurs when a service is decommissioned but the related firewall rules are not removed? a) shadowed rule b) orphaned rule c) typographical error d) promiscuous rule
b) orphaned rule
What information is not found in network flow data? a) destination address b) packet content c) destination port d) source address
b) packet content
The difficulty of solving what mathematical problem provides the security underlying the Diffie-Hellman algorithm? a) graph isomorphism b) prime factorization c) elliptic curve d) traveling salesman
b) prime factorization
During what phase of e-discovery does an organization share information with the other side? a) analysis b) production c) collection d) preservation
b) production
What is the piece of software running on a device that enables it to connect to a NAC-protected network? a) authentication server b) supplicant c) authenticator d) SNMP agent
b) supplicant
What message can an SNMP agent send to a network management system to report an unusual event? a) SetRequest b) trap c) response d) GetRequest
b) trap
Which option is a common command-and-control mechanism for botnets? a) SMTP b) FTP c) IRC d) HTTP
c) IRC #Internet Relay Chat
Which control is not particularly effective against the insider threat? a) background checks b) separation of duties c) firewalls d) least privilege
c) firewalls
Nancy is designing a security strategy for remote access. She would like to provide administrators with an intermediate box that they connect to before reaching sensitive systems. What type of service is Nancy planning? a) honeynet b) SSL acceleration c) jump box d) honeypot
c) jump box
What type of malware delivers its payload only after certain conditions are met, such as a specific date and time occurring? a) Trojan horse b) ransomware c) logic bomb d) worm
c) logic bomb #mostly used by disgruntled employees. Insider threat.
What type of investigation would typically be launched in response to a report of high network latency? a) criminal b) regulatory c) operational d) civil
c) operational
In what technique do attackers pose as their victim to elicit information from third parties? a) skimming b) spoofing c) pretexting d) phishing
c) pretexting
What key is actually used to encrypt the contents of a message when using PGP? a) sender's private key b) recipient's public key c) randomly generated key d) sender's public key
c) randomly generated key
What device is often used in card cloning attacks? a) malicious USB b) smart card c) skimmer d) unsecured network
c) skimmer
Bob is planning to use a cryptographic cipher that rearranges the characters in a message. What type of cipher is Bob planning to use? a) stream cipher b) substitution cipher c) transposition cipher d) elliptic cipher
c) transposition cipher
Which option is a public IP address? a) 172.18.144.144 b) 10.194.99.16 c) 192.168.14.129 d) 142.19.15.4
d) 142.19.15.4
Chris is attending a hacker convention and overhears someone talking about "force pairing" a mobile device. What type of attack is the individual discussing? a) Bluejacking b) Bluechalking c) Bluedriving d) Bluesnarfing
d) Bluesnarfing
Which one of the following is an example of an in-band approach to key exchange? a) telephone call b) U.S. mail c) physical meeting d) Diffie-Hellman
d) Diffie-Hellman #Symmetric cryptography
What technology uses light to transmit data wirelessly? a) fiber optic b) WiFi c) ethernet d) LiFi
d) LiFi
Vic is planning a redesign of his organization's firewall strategy and is planning to issue an RFP for a firewall vendor. Which vendor would not be able to meet Vic's needs? a) Checkpoint b) Cisco c) Palo Alto d) Proofpoint
d) Proofpoint
What type of website does the attacker use when waging a watering hole attack? a) a known malicious site b) a software distribution site c) a hacker forum d) a site trusted by the end user
d) a site trusted by the end user #Think about the example of a water pond implemented to let all the animals (tigers, cows, sheep) drink water at one spot. Predator tiger and cow drinking at the same pond... Just imagine!!!
What basic cryptographic functions does the AES algorithm use to encrypt plaintext? a) substitution only b) neither substitution nor transposition c) transposition only d) both substitution and transposition
d) both substitution and transposition
Which one of the following encryption approaches is most susceptible to a quantum computing attack? a) RSA cryptography b) AES cryptography c) quantum cryptography d) elliptic curve cryptography
d) elliptic curve cryptography #ECC
Ricky would like to separate his network into three distinct security zones. Which device is best suited to that task? a) router b) switch c) IPS d) firewall
d) firewall
What type of control are we using if we supplement a single firewall with a second standby firewall ready to assume responsibility if the primary firewall fails? a) component redundancy b) clustering c) load balancing d) high availability
d) high availability