ISC2 Pluralsight
Smurf Attack
Smurfing refers to the smurf attack, in which an attacker sends spoofed packets to the broadcast address on a gateway in order to cause a denial of service.
Audit trails
#(can be used for compliance standards or security violations) #Audit trails maintain a record of system activity both by system and application processes and by user activity of systems and applications. In conjunction with appropriate tools and procedures, audit trails can assist in detecting security violations, performance problems, and flaws in applications. This bulletin focuses on audit trails as a technical control and discusses the benefits and objectives of audit trails, the types of audit trails, and some common implementation issues. #An audit trail is a series of records of computer events, about an operating system, an application, or user activities. A computer system may have several audit trails, each devoted to a particular type of activity. Auditing is a review and analysis of management, operational, and technical controls. The auditor can obtain valuable information about activity on a computer system from the audit trail. #Audit trails improve the auditability of the computer system. Audit trails may be used as either a support for regular system operations or a kind of insurance policy or as both of these. As insurance, audit trails are maintained but are not used unless needed, such as after a system outage. As a support for operations, audit trails are used to help system administrators ensure that the system or resources have not been harmed by hackers, insiders, or technical problems.
BCP strategy
#A BCP is a vital component in resolving the effects of a company disaster (DRP) and addressing loss (IRP). It lays down the operational procedures for how the business can keep running amid certain limitations. The plan strategy can be summarized as follows: 1) Defining and documenting the type of incident that occurred 2) Responsibilities of the team during the incident 3) Communication 4) Assessment of the team 5) Regular updating of the plan
Bus network topology vs. mesh network topology
#A bus network is a local area network (LAN) topology in which each node -- a workstation or other device -- is connected to a main cable or link called a bus. All connected stations on the bus can communicate with all others on the single network segment. A bus can be linear or tree-shaped and connects each system to a trunk or backbone cable. Ethernet networks operate on a bus topology. #A mesh refers to rich interconnection among devices or nodes, i.e., one device is connected to every other device. Fully connected mesh networks provide each system with a direct physical link to every other system in the mesh. This is expensive but can provide performance advantages for specific types of computational work.
True Negative (TN)
#A negative result for patients who do not have the disease #A true negative state is similar to a TP. This is when the IDS identifies an activity as acceptable behavior and the activity is actually acceptable. NOTE: That means a TP is more harmful than a TN. But a false positive is more harmful than a false negative, because it could allow the malicious actor to get past the IDS (if it is able to acquire authentication and authorization or credentials for accessing the network).
BGP routing protocol
#Border Gateway Protocol (BGP) is an exterior gateway routing protocol. An exterior gateway routing protocol is implemented on routers on the boundary of a private network. A BGP router makes routing decisions in a different manner than an interior router. Interior routers each make the best routing decision based on their limited knowledge of local segments. As a packet traverses a private network, each router encountered makes its own routing decision, independent of any previous or future routers. A BGP router makes routing decisions based on the overall route to the destination. This is because a locally preferred segment may be less efficient than a less preferred local segment when considering the entire remaining path to the destination. Each encountered exterior gateway router will make adjustments to the routed path based on its view of the remaining path to the destination. NOTE: An analogy of how interior and exterior routing protocols operate differently can be made using vehicle navigation. If you take a road trip across the country and obtain state road maps each time you enter a new state, then you are making travel decisions similar to those of an interior routing protocol. You are not taking the overall path into account, but making the best decision you can with limited knowledge. If you take a road trip across the country and use a GPS navigation device, then you are making travel decisions similar to those of an exterior gateway routing protocol. You are taking the overall path into account, but that path is adjusted as you travel based on changing conditions.
Certificate vs. signature
#Certificate is for verifying identity: third-party authentication #Signature is for non-repudiation: a digital signature is created by computing the hash digest of the message, then encrypting the hash digest with the sender's private key. This encrypted hash is the digital signature.
Deniability vs. denial of service
#Deniability is the violation of non-repudiation. #Denial of service is the violation of availability.
HOTP vs TOTP
#HOTP (HMAC-based one-time password) creates a one-time-use password that doesn't expire #TOTP (time-based one-time password) creates a one-time password that expires after 30 seconds #TOTP is much more secure than HOTP because it uses the underlying HOTP algorithm while introducing changes that improve security. There is no reason to use HOTP instead of TOTP. The only exception is old systems that do not support Unix time.
IPSec
#Public key cryptography is used as part of both AH and ESP. Authentication Header (AH) is responsible for establishing the initial connection and the authentication of endpoints. Encapsulating Security Payload (ESP) is the bulk encryptor of an IPSec VPN. Both AH and ESP use the keys managed by IKE. Internet Key Exchange (IKE) is the component of IPSec that handles key generation and distribution. IKE consists of three components: Oakley, SKEME, and ISAKMP. Oakley assists with key generation, Secure Key Exchange Mechanism (SKEME) is a mechanism to exchange keys securely, and Internet Security Association and Key Management Protocol (ISAKMP) maintains unique security associations for each IPSec VPN. Both AH and ESP use hybrid cryptography, which is a combination of symmetric cryptography and asymmetric public key cryptography.
SAML (Security Assertion Markup Language)
#Security Assertion Markup Language (SAML) is an XML-based way of tagging identities and assertions about identities to provide federated identity management and use. SAML, as a modern open standard defined by the Organization for the Advancement of Structured Information Standards (OASIS), consists of four main components: assertions, protocols, bindings, and profiles. SAML also defines three roles: 1) Identity provider (IdP): This is the first entity. It makes an assertion about another identity, based on information it has. This information might have just been obtained, say by querying the user for a username/password pair. 2) Service provider (SP): This entity is the relying party that is being asked to provide its service or resource, based on the assurance provided by the IdP. 3) Subject or principal: This entity is the subject of the assertion, usually a person, who is in some sense being vouched for.
Account Maintenance
#The process of keeping a business's chart of accounts up to date by adding new accounts, changing titles of existing accounts, and deleting inactive accounts. OR, #Performed routinely by an admin; often done with scripts to automate the process, and includes deleting accounts that are no longer needed
Routing protocols RIP OSPF
#The routing protocol that makes routing and forwarding decisions based on a metric derived from the number of other routers that must be crossed to reach a destination is Routing Information Protocol (RIP), a distance-vector routing protocol. Other examples of distance-vector routing protocols include Interior Gateway Routing Protocol (IGRP), Enhanced Interior Gateway Routing Protocol (EIGRP), and Babel. Distance-vector protocols can be effective routing mechanisms. However, they do not take into account other parameters and conditions that can affect the efficiency and reliability of a chosen pathway. #Open Shortest Path First (OSPF) and Intermediate System to Intermediate System (IS-IS) are examples of link-state routing protocols. Link-state routing protocols take into account various parameters and conditions of a route when calculating the best path. These conditions include latency, error rates, bandwidth, utilization, and even cost. A link-state routing protocol will attempt to find the most efficient route to a destination, even if that route has a greater number of hops than a route selected by a distance-vector routing protocol.
True Positive (TP)
#Has the disease and has a positive test #A result that is correctly identified as positive. #A true positive state is when the IDS identifies an activity as an attack and the activity is actually an attack. A true positive is a successful identification of an attack.
Reasons to use DRP
A Disaster Recovery (DR) plan is a set of policies and procedures created by an organization that enables the recovery or continuation of vital IT infrastructure and systems following a natural or human-induced disaster, such as: 1) Data loss and failed backups 2) Network interruptions 3) Hardware failure 4) Utility outages 5) On-site threats and physical dangers. NOTE: An incident response plan (IRP) is needed for disruption of the network. To disrupt is to interrupt. #Disaster Recovery is when you need to recover your technology... It has to do with the IT portion during the aftermath of a disaster. For example, a fire comes in and burns down a huge part of an office building, taking out the server room where all data is stored. The DR plan is to immediately start setting up servers in the Cloud before everything gets out of hand. However, just getting the servers back up does not mean the business will continue; that is why a DR plan should go hand in hand with a Business Continuity Plan (BCP).
Static vs. dynamic passwords
A static password is the direct opposite of a dynamic password - where a dynamic password changes with every use, the static password remains the same unless intentionally changed or reset by an end-user or administrator.
Your organization is using Kerberos for private network authentication. How does Kerberos demonstrate to a resource host that the identity of a user is valid? A) An ST is issued to the user, which is then sent to the resource host. B) A unique session key is used to encrypt the authentication communications. C) A TGT is issued to the resource host. D) A shared credential is issued to each principal in the realm.
A) An ST is issued to the user, which is then sent to the resource host. #A session ticket (ST) is issued to the user, which is then sent to the resource host. The resource host can verify the validity of the ST, and thus the user's identity, by checking with the key distribution center (KDC). This technique allows the user to be issued the master ticket-granting ticket (TGT) without exposing it to duplication or impersonation. The KDC issues an ST whenever users need to prove their identity to another principal in the Kerberos realm. #While a TGT is issued to the resource host, this does not demonstrate to a resource host that the identity of a user is valid. #A shared credential is issued to each principal in the realm, but this does not validate a user's identity to a resource host. #The unique session key is essential to the security and protection of authentication traffic under Kerberos, but it is not directly responsible for proving the identity of a user, as that is the function of the ST.
What is the purpose of a source system? A) Anything that records or maintains data of interest B) The data warehouse where open source code is saved C) The first computer D) The original gold version of a computer which is cloned for enterprise deployment
A) Anything that records or maintains data of interest #Anything that records or maintains data of interest is a source system. This term, source system, is from the concept of security monitoring, logging, and auditing. It refers to any computer, service, or device which is able to record an event and then provide that recorded event data to a management or monitoring solution, such as a SIEM. A Security Information and Event Management (SIEM) system provides real-time logging and analysis of security events. #The original gold version of a computer which is cloned for enterprise deployment is incorrect. The term source system is not related to systems deployment methods.
What is the security technology where approved software is allowed to execute but all other forms of code are blocked by default? A) Application whitelisting B) Host IDS C) Software firewall D) Authorization
A) Application whitelisting #Application whitelisting is the security technology where approved software is allowed to execute but all other forms of code are blocked by default. Whitelisting is implemented by first establishing a system-wide prevention of execution of all software, hence a deny-by-default foundation. Then, a list of approved software is crafted which is granted a specific exception to execute. The software list is typically comprised of the path and filename, executable size, and the hash of the file. This ensures that no counterfeit executable can fool the system into launching malware. NOTE: Authorization, a host IDS, and a software firewall cannot prevent execution of unapproved software applications. A software firewall can allow or deny network access to the local applications.
What is a benefit of a host-based firewall? A) Block attacks originating from the local network. B) Stop attacks from the keyboard. C) Prevent the installation of malware. D) Prevent users from accessing unauthorized files stored on network shares.
A) Block attacks originating from the local network. #A benefit of a host-based firewall is its ability to block attacks originating from the local network. A host-based firewall is a supplement to a hardware or appliance firewall deployed at the network boundary. #A host-based firewall provides additional protection which is not provided by the company network's primary firewall. These additional benefits include blocking attacks from the local network attempting to harm the endpoint system as well as blocking attacks originating from the endpoint system that attempt to harm the local network. #A host-based firewall will limit inbound initiations of connections, especially on a client device, as most endpoint systems do not host resources for other network devices to consume. #A host-based firewall also limits outbound initiations of connections if software attempts to use destination ports which are not already approved for use. A local software tool that attempts to reach out to the network on a new port will either be rejected or will trigger a pop-up query from the host-based firewall asking for an Allow or Deny response to the outbound request.
How does discretionary access control determine whether a subject has valid permission to access an object? A) Check for the user identity in the object's ACL. B) Evaluate the attributes of the subject and object. C) Assess the user's role. D) Compare the classification labels of the subject and object.
A) Check for the user identity in the object's ACL.
What is the term used to describe the violation of availability? A) Denial of service B) Disclosure C) Alteration D) Deniability
A) Denial of service #The violation of availability is denial of service (DoS). Availability is the security concept regarding providing access to resources at a reasonable level of throughput and responsiveness. Any breach of this protection is considered a DoS.
How are managerial controls used to encourage compliance typically categorized? A) Directive B) Recovery C) Preventive D) Detective
A) Directive #Managerial controls used to encourage compliance are typically categorized as directive. Managerial controls are the security mechanisms and techniques used to oversee and govern the security efforts of an organization. They generally focus on assessing and reducing risk. The most obvious form of managerial controls is the written security policies and procedures.
When using a cloud solution as a component of a backup strategy, what is the most important concern? A) Encryption of transfer and storage B) Speed of communication C) Effort involved in recovery D) Ownership
A) Encryption of transfer and storage #Encryption of transfer and storage is the most important concern when using a cloud solution as a component of a backup strategy. When data leaves the security protection of a private environment, the only means to maintain any control over that data is encryption. Encryption should be used to protect the data while in transit to the cloud provider and while in storage on the cloud provider's systems. If you retain the encryption key, the cloud provider and any attacker are unable to view the contents of your stored files. At worst, they can be deleted or corrupted. NOTE: Ownership is not usually a challenging issue as most cloud contracts dictate who retains ownership of data stored in a cloud solution. The speed at which data can be uploaded to and downloaded from a cloud-based backup system is important, but not the most important concern. The effort involved in restoring data is an important consideration when selecting a cloud backup provider and designing a backup and recovery solution. However, the security of your data is always the most important concern.
Which term is used to describe the role of the person who takes physical control of a crime scene in order to preserve evidence and prevent tampering before the full forensics team arrives? A) First responder B) BCP team C) Senior management D) CIRT
A) First responder #A first responder is the person who takes physical control of a crime scene in order to preserve evidence and prevent tampering before the full forensics team arrives. The goal of the first responder is to preserve evidence. A first responder might be an organizational staff member, a non-forensically trained law enforcement officer, or a forensics lab employee who arrives on the scene before the full forensics team. A first responder should stop all use of items and equipment in the area, remove all personnel from the area, and preserve the crime scene until the full forensics team arrives. #CIRT (Computer Incident Response Team) members do not have the role of securing a crime scene. CIRT members focus on stopping or containing attacks, removing any offending elements, and then restoring the environment back to normal conditions promptly. #Individuals who may have the roles of BCP team member, CIRT member, or senior management might be called upon to serve as a first responder. But when asked to do so, they take on the role of first responder to accomplish that task.
What is the term used for the range of values that can be used to control the symmetric encryption function while converting plaintext into ciphertext? A) Key space B) Key length C) Rounds D) Block size
A) Key space #Key space is the range of values that can be used to control the symmetric encryption function while converting plaintext into ciphertext. The key space is every value between a key of all zeros and a key of all ones. A key is a binary number used to control the encryption and decryption processes of symmetric encryption. (Note: asymmetric encryption may use key pair sets, which are also just binary numbers.) Keys should be selected at random, never repeated, and from the full spectrum of the key space. NOTE: The block size is the amount of data that is processed by an encryption or decryption operation at one time. The term rounds refers to the number of times an internal operation of encryption is performed on a block of data before its final result is output. Key length is the number of bits in the length of a key. So, a 128-bit key has 128 individual digits in its length, each of which can be either a one or a zero. The longer the length, the larger the key space; but the key space is the range of values that the key can take, while length is the number of bits in the key.
What is the term used to describe the amount of time that an organization can survive without functioning mission-critical processes? A) Maximum tolerable downtime B) Recovery time objective C) Mean time to failure D) Recovery point objective
A) Maximum tolerable downtime #An organization's MTD is often a much shorter value than hoped. Once the MTD is calculated, recovery plans should be crafted that seek to restore mission-critical functions within that time frame. In fact, a goal should be to recover successfully before the MTD is reached by a reasonable margin.
What is a significant difference between the secure protocols of TLS-encrypted SMTP and the use of S/MIME for the protection of e-mail communications? A) One provides end-to-end protection of messages, while the other only secures a local link. B) One uses digital certificates, while the other only uses password authentications. C) One is used to create digital signatures, while the other creates digital envelopes. D) One uses symmetric encryption, while the other uses asymmetric encryption.
A) One provides end-to-end protection of messages, while the other only secures a local link. #A significant difference between the secure protocols of TLS-encrypted SMTP and the use of S/MIME for the protection of e-mail communications is that S/MIME provides end-to-end protection of messages, while TLS-encrypted SMTP only secures a local link. #Both TLS-encrypted SMTP and S/MIME use both symmetric and asymmetric encryption. #S/MIME provides support for both digital signatures and digital envelopes. TLS-encrypted SMTP does not provide for either of these mechanisms. Both S/MIME and TLS-encrypted SMTP use digital certificates. However, TLS-encrypted SMTP can technically be negotiated without digital certificates, but the benefit of third-party identity verification is lost when this takes place. Neither S/MIME nor TLS-encrypted SMTP supports password authentication. #S/MIME provides end-to-end protection of messages! #TLS-encrypted SMTP secures the local link.
If a security assessment determines that a specific employee has been performing numerous and repeated security violations, what action should be taken? A) Perform an exit interview. B) Increase monitoring of this user's activity. C) Ask the employee to sign the NDA. D) Have the employee repeat the security awareness training.
A) Perform an exit interview. #If a security assessment determines that a specific employee has been performing numerous and repeated security violations, then that employee should be put through an exit interview. An exit interview is a security practice of controlled and organized termination. The employee is reminded of their non-disclosure agreement (NDA). During the exit interview, the IT staff disables the ex-employee's user account, changes their password(s), revokes their digital certificate, and changes any other related codes or PINs. At the end of the exit interview, the ex-employee is escorted out of the building. NOTE: Once there is evidence of employee security violations, it is time to remove the employee from the organization. If there were insufficient evidence to make a solid determination, then increased monitoring might be justified.
You must select the biometric devices that will add multifactor authentication to your company's workstations. Every user will be required to use a biometric as an authentication element to gain access to the company's IT resources. How can you determine which device will provide your organization with the most accurate results? A) Select the devices with the lowest CER. B) Consult a Zephyr analysis chart. C) Evaluate the FRR of several devices. D) Choose the devices with the lowest rate of Type II errors.
A) Select the devices with the lowest CER. #To determine which device will provide your organization with the most accurate results, you should select the device with the lowest crossover error rate (CER) point. The lowest CER point reveals which biometric device is the most accurate. A CER point is derived by creating a graph of Type I false rejection rate (FRR) and Type II false acceptance rate (FAR) error rates. NOTE: The Type I FRR is the rate at which an authorized user is falsely rejected. The FRR increases as the sensitivity level of the device increases. The Type II FAR is the rate at which unauthorized entities are falsely recognized as authorized users, and thus authenticated. The FAR decreases as the sensitivity level of the device increases. The point at which these two error rate lines meet is the crossover error rate (CER) point. The biometric device with the lowest CER point on the # of errors vertical axis has the lowest overall error rate at its specific CER point. Therefore, it is the most accurate device among those compared. #You should not choose the device with the lowest rate of Type II errors, because Type II errors (FAR) are only one part of the process.
What is the term used to describe an entry in a database describing a violation or exploit which is used to match real-time events in order to detect and record attacks by the continuous monitoring solution? A) Signature B) Vulnerability C) Countermeasure D) Threat
A) Signature #match real-time events (i.e., this is not heuristic detection analysis) #A signature is an entry in a database describing a violation or exploit which is used to match real-time events in order to detect and record attacks by the continuous monitoring solution. A signature or a pattern is used to recognize when a known attack or violation is attempted. Signature-based detection or monitoring tools must be updated regularly to maintain the broadest ability to detect known attacks. However, signature-based detection is not foolproof. If an attack has been modified or customized, it might not match the signature and go undetected. Thus, it is often essential for continuous monitoring solutions to include other forms of detection, such as anomaly, behavioral, and heuristic.
An owner of an online service needs to shut down his Internet operation for about three months in order to focus on family issues. He has recently purchased a three-year extended validation certificate from a certificate authority. He is concerned that during his absence from the Internet, an attacker may attempt to impersonate his site using his certificate. How can this owner temporarily prevent use of his certificate while maintaining his ability to use it again once he brings his Web site back online? A) Suspension B) Termination C) Revocation D) Obfuscation
A) Suspension #Suspension is the means by which a certificate can be temporarily disabled without fully causing it to be revoked. This would allow this web site owner to take his site offline for a period of time and still be able to return after a few months to the same digital certificate-based identity. Suspension adds the serial number of the digital certificate to the certificate authority's certificate revocation list (CRL), but in a special subsection named suspension. Placing a digital certificate in suspension does not affect its expiration date.
What is user entitlement? A) The rights and privileges assigned to a user B) The default level of access given to users by the operating system C) The level of privilege assigned to administrative accounts D) The privileges inherited by a user
A) The rights and privileges assigned to a user #User entitlements should be controlled by company policy and restricted based on the concept of the principle of least privilege.
Why would an organization choose to accept risk? A) The risk is of a tolerable level. B) To reduce liability C) No risks can be eliminated fully. D) To save money
A) The risk is of a tolerable level. #This is known as either risk tolerance or risk acceptance. It is the act of choosing to leave a risk as is without implementing any countermeasures. This may be done when the overall remaining risk of an organization has been reduced to a reasonably acceptable level. An acceptable level of risk occurs when the remaining risks are small enough that any damage caused by them would be relatively small and something the organization is willing to absorb. It is also possible that any countermeasures used to address such risks are unavailable or are too expensive for the benefit they would provide. For risk to be legitimately labeled as tolerable or acceptable, it must be formally written out. A risk acceptance document should define the risk and the reason the risk is left as is, and must be signed by senior management. #Failing to address risk will typically increase an organization's liability rather than reducing it.
How is accountability typically enforced? A) Through AAA services B) By checking the hash of all files accessed by a user account C) With smart cards D) Through the use of asymmetric encryption
A) Through AAA services #Accountability is typically enforced through Authentication, Authorization, and Accounting (AAA) services. AAA services actually refer to five steps in the process of holding people accountable for their user account's actions. Those five steps are: Identification, Authentication, Authorization, Auditing/Monitoring/Logging, and Accounting. In other words, AAA services are used to have all entities claim an identity, prove that they are that identity, control what the entity can do, record the actions of the entity, and then review the recorded event logs to check for compliance or discover violations. #Ultimately, the actions of the user accounts can be linked to the person assigned to that account, and thus, the person can be held responsible for those digital activities.
Why is it important to consider the impact of a threat when performing risk analysis? A) To determine the level of response B) To determine the operating system of concern C) To determine the priority of implementation D) To determine which security control to apply
A) To determine the level of response #It is important to consider the impact of a threat when performing risk analysis in order to determine the level of response. The amount of impact is an assessment of how much damage and/or downtime would be caused if a threat is realized. The larger the potential impact of a threat, the more risk that the company takes. The impact of a threat should not determine the operating system of concern, the priority of implementation, or which security control to apply.
Why is it important to thoroughly test every business continuity plan (BCP) and disaster recovery plan (DRP)? A) To discover deficiencies and assess sufficiency B) To train personnel on response procedures C) To compare the value of countermeasures D) To keep costs to a minimum
A) To discover deficiencies and assess sufficiency
Why do employees have to read and sign an Acceptable Usage Policy (AUP) before they are granted access to the IT network? A) To remind users of their responsibilities and that they will be held accountable for their activities B) To indicate which individuals can and cannot access specific network resources C) To define the laws that can be broken within this network D) To show proof that the company has a business license and is authorized to use computer equipment in the furtherance of their business processes
A) To remind users of their responsibilities and that they will be held accountable for their activities #The AUP can also be implemented as a pop-up or warning screen (a logon banner) that is displayed to users each time they attempt to gain access to the IT network. It reminds them of the tenets of the written policy. #The purpose of the AUP is NOT to define the laws that can be broken within this network, NOT to indicate which individuals can and cannot access specific network resources, and NOT to show proof that the company has a business license and is authorized to use computer equipment in the furtherance of its business processes.
When using asymmetric cryptography, what is the purpose of using the recipient's public key to perform an encryption function on a data set before sending it to the recipient? A) To restrict delivery B) To support non-repudiation C) To prove the identity of the sender D) To verify integrity
A) To restrict delivery #When using asymmetric cryptography, the purpose of using the recipient's public key to perform an encryption function on a data set before sending it to the recipient is to restrict delivery. #The mechanism that starts off using the recipient's public key can be called a digital envelope. It is a means to ensure that a communication can only be opened by the intended recipient. Anyone can obtain and use someone's public key, so this step says nothing about who the sender is. But once that encryption takes place, no one can decrypt the result except the owner of the corresponding private key. In practice the public key encrypts only a freshly generated symmetric key, and that key encrypts the bulk data, because public-key operations are slow and limited to small inputs. NOTE: Proving the sender's identity is the job of a digital signature (made with the sender's private key) together with a digital certificate that binds the signing key to an identity; it is not something that encrypting to the recipient's public key provides. Keep in mind that asymmetric or public-key cryptography is based on trap-door, one-way functions. A one-way function is a mathematical process that is easily computed in one direction, but very difficult to reverse unless you hold the trap-door secret (the private key).
The disaster recovery plan (DRP) is used to guide the re-creation of mission-critical processes in the event of a disaster. Which of the following is a key element that is required as part of restoration planning to ensure that the most current version of the IT infrastructure is restored? A) Updated configuration documentation B) Troubleshooting guidelines C) Service level agreements with contractors D) Qualitative analysis risk report
A) Updated configuration documentation #Updated configuration documentation is a key element that is required as part of DRP restoration planning in order to ensure that the most current version of the IT infrastructure is restored. Without the most current documentation of hardware, software, and configuration, it will be impossible to restore the environment to the state that existed just prior to the disaster. Thus, while initial security policy and baseline documentation is important, if it is not maintained and revised over time as the environment changes, it is of little value during restoration after a disaster.
What is the certificate standard used by PKI? A) X.509 v3 B) IEEE 802.11n C) IEEE 802.1q D) X.500
A) X.509 v3 #X.509 v3 is the certificate standard used by PKI, and it is the format understood by most certificate-based cryptography and authentication systems (TLS, S/MIME, smart-card logon). There are other certificate formats, such as the de facto PGP certificate format, but they are not as widely supported because they are not formally accepted standards. X.509 v3 certificates are issued by third-party certificate authorities (CAs) in a hierarchical trust structure. A CA is a third party in that it facilitates trust between two other parties: a primary (such as a client) and a secondary (such as a server). The trust is hierarchical because it is organized with a single root CA at the top of the trust structure, potentially numerous levels of subordinate or intermediate CAs beneath it, and the certificates issued to customers or clients at the bottom; a relying party accepts a leaf certificate only if it can build a chain of valid signatures from that leaf up to a root it already trusts. X.500 is the directory services standard from which X.509 originated; it defines the distinguished-name format used in certificates, but it is not itself a certificate standard. IEEE 802.1Q is the standard for VLAN tags. A VLAN tag is an additional element added to an Ethernet frame header to communicate the VLAN membership of a frame carried over a trunk. A trunk is a link between switches that carries traffic for multiple VLANs at once; the tag tells the receiving switch which VLAN each frame belongs to.
Which of the following is valid regarding change management and the need for interoperability? A) You should be able to exchange data based on common formats, data types, file formats, and/or protocols. B) You should be able to run the same program on multiple systems simultaneously. C) You should be able to manage a system remotely from any Internet connection. D) You should be able to run the same binary code on any platform.
A) You should be able to exchange data based on common formats, data types, file formats, and/or protocols. #Being able to exchange data based on common formats, data types, file formats, and/or protocols is the basic definition of interoperability. Change management needs to ensure that any pre-existing interoperability capabilities are maintained or re-established after a change is implemented, especially if that interoperability is used as part of a core business function.
Account or identity proofing
Account or identity proofing is necessary because it verifies that only the authorized person is able to use a specific user account. This can be done through a number of means, including text messaging, pre-arranged security questions, or answering dynamic questions about the user's account, background, or history. Identity proofing is focused on verifying an individual before granting access to an authenticated account. For example, when a help desk technician verifies who you are before resetting your password, that is identity proofing.
Attrition Attacks
Attrition attacks focus on brute-force methods of attacking services, whereas impersonation attacks include spoofing, man-in-the-middle attacks, and similar threats. Attrition means the action or process of gradually reducing the strength or effectiveness of someone or something through sustained attack or pressure.
What channel is defined as part of the original IEEE 802.11 in the 2.4 GHz range and is restricted from use within the United States? A) 1 B) 14 C) 11 D) 6
B) 14 #Channel 14 (2484 MHz) is defined in the original 802.11 specification but is not permitted in the United States; it is allowed only in Japan, and only for 802.11b. Channels 1, 6 and 11 are the three non-overlapping 2.4 GHz channels normally used in the US.
What is the bit-length, hash-digest output of the SHA-1 hashing algorithm? A) 128 B) 160 C) 64 D) 224
B) 160 #SHA-1 produces a 160-bit (20-byte) digest. 128 bits is the output length of MD5, 224 bits is SHA-224, and 64 bits is not the output length of any SHA algorithm. Note that SHA-1 is no longer considered collision resistant (a practical collision was published in 2017), so it should not be used for digital signatures or certificates even though its digest length remains an exam fact.
How does hashing detect integrity violations? A) The length of the hash is checked. B) A before and after hash value is compared. C) The bit length of the hash must be divisible by three. D) The content of the hash is verified against the standard.
B) A before and after hash value is compared. #Hashing is used to detect integrity violations by comparing a before and after hash value. The before and after can be across a period of time or a transmission of data. The two hashes can be compared by XORing them together: if every bit of the two hashes is the same, every bit position of the result is zero, so the hashes are identical and the data from which they were generated did not change across the time or transfer event. If they are not the same, then something about the data changed, which caused the after hash to differ from the before hash. A caveat: a bare hash only catches accidental change, or deliberate change by someone who cannot also replace the stored "before" value. If the data and its hash travel over the same untrusted path, an attacker simply recomputes the hash after tampering. Where malicious tampering is the concern, protect the before value: keep it out of band, or use a keyed hash (HMAC) or a digital signature so that producing a matching value requires a secret.
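The following is an added Go example (not code from the original page) for the two hashing questions above: it reports the digest sizes of SHA-1, SHA-224 and SHA-256, records a "before" SHA-256 fingerprint of a constructed configuration file, and then checks the file again after one setting is changed, using the XOR/OR comparison the text describes alongside the standard library's constant-time compare. The function names and the sample file contents are this example's own.

```go
package main

import (
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"hash"
	"strings"
)

// DigestBits reports a hash function's output size in bits.
func DigestBits(newHash func() hash.Hash) int { return newHash().Size() * 8 }

// DigestSizes lists the SHA family output sizes that come up in exam questions.
func DigestSizes() map[string]int {
	return map[string]int{
		"SHA-1":   DigestBits(sha1.New),      // 160
		"SHA-224": DigestBits(sha256.New224), // 224
		"SHA-256": DigestBits(sha256.New),    // 256
	}
}

// Fingerprint is the "before" value: the hex SHA-256 digest recorded while the data is known good.
func Fingerprint(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// xorEqual is the comparison from the text written out: XOR each byte pair and OR the results
// into one accumulator, which is zero only if every bit position matched. It takes the same time
// whether the hashes differ in the first byte or the last, so it leaks nothing through timing.
func xorEqual(a, b []byte) bool {
	if len(a) != len(b) {
		return false
	}
	var diff byte
	for i := range a {
		diff |= a[i] ^ b[i]
	}
	return diff == 0
}

// IntegrityOK recomputes the digest over the data as it is now (or as received) and compares it
// with the recorded "before" value. crypto/subtle.ConstantTimeCompare does the same XOR/OR
// accumulation and is what production code should call; both are run here to show they agree.
func IntegrityOK(data []byte, before string) bool {
	want, err := hex.DecodeString(before)
	if err != nil || len(want) != sha256.Size {
		return false
	}
	got := sha256.Sum256(data)
	return xorEqual(got[:], want) && subtle.ConstantTimeCompare(got[:], want) == 1
}

func main() {
	// Constructed sample: a config file as stored, and the same file after one setting is flipped.
	original := []byte("PermitRootLogin no\nPasswordAuthentication no\n")
	before := Fingerprint(original)
	tampered := []byte(strings.Replace(string(original), "PermitRootLogin no", "PermitRootLogin yes", 1))
	fmt.Println(DigestSizes())                                               // map[SHA-1:160 SHA-224:224 SHA-256:256]
	fmt.Println(IntegrityOK(original, before), IntegrityOK(tampered, before)) // true false
}
```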
What form of monitoring involves the injection of packets into communications in order to measure performance of various elements in the network? A) Passive monitoring B) Active monitoring C) Post mortem monitoring D) Collaborative monitoring
B) Active monitoring #Active monitoring is the form of monitoring which involves the injection of packets into communications in order to measure performance of various elements in the network. The concept behind active monitoring is to introduce a known value or container into an active system and monitor the events around the injected element. In the case of general networking, active monitoring is the activity of injecting a standard network packet and monitoring its progress across network devices on its way to the destination. This is similar to how some highway traffic systems judge congestion by watching a pace vehicle pass through various monitoring points along a stretch of road. Passive monitoring collects data about objects, events, and packets that are natively present in the environment, rather than injecting new elements.
Which item within an organization makes the determination as to which attributes of a subject or object determine whether access is granted or denied? A) Acceptable use policy B) Authorization policy C) Security baseline D) Job descriptions
B) Authorization policy #The authorization policy is where the organization writes down which attributes of subjects, objects, and the environment matter and how they combine into grant-or-deny decisions. An attribute-based access control system is specific to the environment and its prescribed access limitations, so these details must be written into the security policy before proper access control can be enforced by following it.
Which term is used when limiting the amount of network traffic a specific protocol or application is allowed to generate or consume, with the goal of keeping the remainder of the network's capacity free for other communications? A) Quality of service management B) Bandwidth throttling C) Load balancing D) Utilization tracking
B) Bandwidth throttling #Bandwidth throttling is the term used when limiting the amount of network traffic a specific protocol or application is allowed to generate or consume in order to keep the remainder of the network's capacity for other communications. The purpose of bandwidth throttling is to prevent a single bandwidth-intensive application, service, or protocol from consuming all available network capacity. Network traffic, such as file transfer and database replication, can quickly consume all available resources.
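As an added Go example (not from the original page), here is the mechanism that usually sits behind a per-protocol bandwidth cap: a token bucket. Allowance accrues at the configured rate up to a burst ceiling, and a packet is admitted only if the bucket can pay for it, so a replication job offering ten times its share gets exactly its share and no more. The type and function names, rates, and the traffic scenario are constructed for the example.

```go
package main

import (
	"fmt"
	"math"
	"time"
)

// Throttle is a token bucket: allowance (in bytes) accrues at a fixed rate up to a burst ceiling,
// and a packet is admitted only if the bucket currently holds enough bytes to pay for it.
type Throttle struct {
	rate   float64   // sustained allowance in bytes per second
	burst  float64   // bucket capacity in bytes (largest burst ever admitted at once)
	tokens float64   // current balance in bytes
	last   time.Time // when tokens was last refilled
}

// NewThrottle starts with a full bucket so a short burst is admitted immediately.
func NewThrottle(bytesPerSec, burst float64, now time.Time) *Throttle {
	return &Throttle{rate: bytesPerSec, burst: burst, tokens: burst, last: now}
}

// refill credits the time elapsed since the last refill, never exceeding burst.
func (t *Throttle) refill(now time.Time) {
	if elapsed := now.Sub(t.last).Seconds(); elapsed > 0 {
		t.tokens = math.Min(t.burst, t.tokens+elapsed*t.rate)
		t.last = now
	}
}

// Allow reports whether n bytes may be sent at time now and debits the bucket if so. What the
// caller does with a denied packet (queue it, or drop it) is the shaping-versus-policing choice.
func (t *Throttle) Allow(n int, now time.Time) bool {
	t.refill(now)
	if float64(n) <= t.tokens {
		t.tokens -= float64(n)
		return true
	}
	return false
}

// AdmittedBytes offers count packets of size bytes, one every interval, starting at start,
// and returns how many bytes the throttle let through.
func AdmittedBytes(t *Throttle, start time.Time, size, count int, interval time.Duration) int {
	total := 0
	for i := 0; i < count; i++ {
		if t.Allow(size, start.Add(time.Duration(i)*interval)) {
			total += size
		}
	}
	return total
}

func main() {
	// Constructed scenario: a database replication job offers 100 KB packets every 10 ms
	// (10 MB/s) but is capped at 1 MB/s sustained with a 256 KB burst.
	start := time.Now()
	th := NewThrottle(1_000_000, 256_000, start)
	fmt.Println("bytes admitted in 1 s:", AdmittedBytes(th, start, 100_000, 100, 10*time.Millisecond))
}
```

Quality of service management is the broader policy layer that decides which classes of traffic get which rate and priority; a throttle like this is one enforcement point beneath it.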
How is a baseline used in compliance management? A) By reducing risk B) By comparing the current configuration of a system with the required configuration C) By defining the hardware and software to be present on a new system D) By protecting user privacy
B) By comparing the current configuration of a system with the required configuration #A baseline is used in compliance management by comparing the current configuration of a system with the required configuration. With the existence of the baseline, which dictates the hardware and software requirements of the organization, it is possible to assess whether a system is in compliance or has fallen out of compliance. Once any gaps are known, remedies can be applied to bring a system back into compliance. NOTE: A baseline is NOT used to reduce risk, NOT used to define the hardware and software to be present on a new system and NOT used to protect user privacy.
Selecting a cloud provider can be a challenge. Often, it is not possible to determine whether a provider's services are sufficient for your needs until you have started using its service. If you determine that an initial cloud system is insufficient and you need to move your data and custom code to a different cloud provider, what is needed as a feature of the initial cloud provider that did not work out for you? A) Activity auditing B) Data portability C) Storage encryption D) VPN connectivity
B) Data portability #Data portability is an important feature to consider when selecting a cloud provider. If you need to change cloud systems, being able to extract your data from one system and import it into another can be extremely important, especially if you generate new business data while using the initial cloud provider and there is no other copy of that data. Before using any cloud provider, be sure to review all of the features, offerings, parameters, and limitations of its service and compare its characteristics to other cloud providers. Don't get locked into a cloud provider just because you can't extract your own data from it.
What is a security procedure? A) Specific criteria that must be met by implementation B) Detailed steps for performing specific tasks C) Suggested practices D) Minimum hardware and software requirements
B) Detailed steps for performing specific tasks #A security procedure is a document containing detailed steps for performing specific tasks. Procedures are the "how to" components of a security policy. All of the aspects of the policy itself, standards, baselines, and guidelines, are distilled into an organized process to perform specific tasks, such as installing new software, setting up firewalls, establishing secure communications, using encryption on mobile devices, and destroying sensitive documentation.
What is a significant benefit of a HIDS installed on an endpoint system which is not generally possible with a NIDS? A) Detect flooding attacks. B) Determine whether an attack was successful. C) Detect spoofing attacks. D) Detect timing attacks.
B) Determine whether an attack was successful. #Determining whether an attack was successful is a significant benefit of a HIDS installed on an endpoint system which is not generally possible with a NIDS. This benefit follows from where each sensor sits. A host intrusion detection system (HIDS) runs on the target and sees the result of a network-delivered payload: the new process, the modified file, the changed registry key or account. A network intrusion detection system (NIDS) sees the attack traffic on the wire but not its effect on the host, so it can report that an exploit was attempted, not whether it worked. Only a HIDS running on the target of an attack can tell whether the attempt succeeded. NOTE: Both a HIDS and a NIDS can detect that a flooding attack, spoofing attack, or timing attack was attempted.
Which security rule should be implemented to minimize risk of malware infection of endpoint systems? A) Audit user activity. B) Disable the use of USB storage devices. C) Encrypt all file storage. D) Configure a software firewall.
B) Disable the use of USB storage devices. #Disabling the use of USB storage devices is a security rule which should be implemented to minimize risk of malware infection of endpoint systems. USB storage devices, especially small thumb drives, are a common vector of malware infection. #File encryption is always a good generic security concept to implement. However, it will do nothing to prevent the installation of malware on endpoint systems. #A firewall, whether hardware or software, typically focuses on allowing or denying traffic based on simple identity elements, such as IP address, port number, protocol, or keywords in the payload. Unfortunately, a firewall is not reliable enough to protect against malware infection. #Auditing user activities will only reveal the actions that led to an infection after the infection has already occurred.
A type of wireless network attack monitors wireless signals for clients making requests to connect to wireless base stations. It then takes the details from those requests to spoof the identity of the requested base station in order to fool the client devices into connecting to the false version of their trusted network. Which attack is this describing? A) War driving B) Evil twin C) MAC spoofing D) Shared key guessing
B) Evil twin #Client devices that have previously joined a network send probe requests looking for its SSID; an evil twin answers those probes with a rogue access point that advertises the same SSID (and usually a spoofed BSSID/MAC) at a stronger signal, so the client associates with the attacker's network instead. MAC spoofing is NOT the type of attack described in this scenario. An evil twin attack will include MAC spoofing, but MAC spoofing on its own is not an evil twin attack.
A common attack against wireless networks is to guess the static password needed to authenticate to the base station. Which technology can be used to minimize this risk? A) IEEE 802.15 B) IEEE 802.1x C) IEEE 802.11n D) IEEE 802.1q
B) IEEE 802.1x #IEEE 802.1X is port-based network access control. Instead of one static pre-shared key that every user knows and an attacker can capture and brute-force offline, each user authenticates to a RADIUS server through an EAP method (this is what WPA2/WPA3-Enterprise uses), and the access point derives a fresh per-session key from that exchange. There is no shared password to guess, and a compromised credential can be revoked individually. IEEE 802.15 covers personal area networks such as Bluetooth, 802.11n is a Wi-Fi physical-layer amendment, and 802.1Q is VLAN tagging; none of them addresses authentication.
Your organization experienced an impersonation attack recently that compromised the network administrator's user account. In response, new security measures are being implemented throughout the organization. You have been assigned the task of improving authentication. You want a new authentication system that ensures the following: Eavesdropped passwords cannot be used by an attacker. Passwords are only able to be used once. Password prediction must be prevented. Passwords are only valid for a short period of time. How can you accomplish these goals? A) Implement a rotating, 30-character password authentication system. B) Implement a synchronized, one-time password token-based authentication system. C) Implement an authentication system using wallet cards with a table of password options. D) Implement a PIN-based authentication system where each PIN is incremented by three each time a user logs in.
B) Implement a synchronized, one-time password token-based authentication system. #A valid solution is to implement a synchronized, one-time password token-based authentication system. This addresses each of the requirements: #Eavesdropped passwords cannot be reused. Each code is accepted once, so an attacker who captures a code in transit finds it already consumed, or expired, by the time it is replayed. (Whether the channel is encrypted is a separate question; it is the one-time property, not encryption, that defeats replay here.) #Passwords are usable only once. The server records which code or time window has been consumed and rejects any later presentation of it, whether the user mistypes it or an attacker replays it. #Password prediction is prevented. Each code is computed from a secret key shared between the token and the server and from the current time or counter, using a keyed hash such as HMAC; without the secret, the next code cannot be derived from the previous ones. #Passwords are valid only for a short period. A time-synchronized token produces a new code at fixed intervals (30 or 60 seconds is typical, a couple of minutes at most), so a code is useless once its window closes. A device or authenticator app is required because a person cannot memorize or compute an ever-changing series of pseudorandom codes. #A rotating 30-character password is still a reusable password that an eavesdropper can capture. A wallet card with a table of passwords can be copied and each entry is reusable until the card is rotated. A PIN incremented by three on each login is trivially predictable from a single observed value.
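To make the four requirements concrete, here is an added Go implementation (not code from the original page) of a time-synchronized one-time password: RFC 4226 HOTP and RFC 6238 TOTP with HMAC-SHA1, plus the server-side check that accepts a code once, tolerates one window of clock skew, and refuses the same code afterwards. The 30-second window is the RFC default rather than the two minutes mentioned above; the `Verifier` type and its replay bookkeeping are this example's own design. The secret is the published RFC test secret, used so the output can be checked against the RFC vectors.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

// Step is the length of one time window in seconds (the RFC 6238 default).
const Step = 30

// HOTP is RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP is RFC 6238: HOTP with the counter set to the current Step-second window.
func TOTP(secret []byte, at time.Time, digits int) string {
	return HOTP(secret, uint64(at.Unix()/Step), digits)
}

// Verifier is the server side. It shares the secret with the token, accepts the code for the
// current window and its neighbours (clock skew), and records the highest window already
// consumed so that a code, once accepted, can never be accepted again.
type Verifier struct {
	secret   []byte
	lastUsed int64
}

func NewVerifier(secret []byte) *Verifier { return &Verifier{secret: secret, lastUsed: -1} }

// Verify checks a 6-digit code presented at time now.
func (v *Verifier) Verify(code string, now time.Time) bool {
	window := now.Unix() / Step
	for _, w := range []int64{window, window - 1, window + 1} {
		if w <= v.lastUsed {
			continue // this window (or an older one) was already used: a replay
		}
		if hmac.Equal([]byte(HOTP(v.secret, uint64(w), 6)), []byte(code)) {
			v.lastUsed = w
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 Appendix B test secret
	fmt.Println(TOTP(secret, time.Unix(59, 0), 8)) // 94287082, the published vector
	v := NewVerifier(secret)
	now := time.Now()
	code := TOTP(secret, now, 6)
	fmt.Println("first use:", v.Verify(code, now))                             // true
	fmt.Println("replayed:", v.Verify(code, now))                              // false
	fmt.Println("five minutes later:", v.Verify(code, now.Add(5*time.Minute))) // false
}
```

The secret is what makes prediction impossible: the server and token must each keep it, so the enrollment (QR code, seed file) and the server's secret store are the parts of an OTP deployment that need the most protection.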
How does an attribute-based access control system determine if a subject can access an object? A) It compares the job description. B) It assesses the characteristics of the subject, object, and/or environment. C) It evaluates the ACLs. D) It checks for classification labels.
B) It assesses the characteristics of the subject, object, and/or environment.
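The two ABAC questions above (the authorization policy decides which attributes matter; the engine evaluates subject, object and environment attributes) can be seen together in this added Go example, which is not from the original page. It is a small policy decision point: each rule of a constructed finance-report policy inspects a different attribute source, a missing attribute fails closed, and the first failing rule's name is returned so the denial can be logged. All rule texts, attribute names and values are this example's own.

```go
package main

import (
	"fmt"
	"time"
)

// Attributes is a bag of name -> value describing a subject, an object, or the environment.
type Attributes map[string]any

// Request is the triple a policy decision point evaluates.
type Request struct {
	Subject, Object, Env Attributes
}

// Rule is one clause of the authorization policy: a name for the audit log plus a predicate.
type Rule struct {
	Name string
	Test func(r Request) bool
}

// Decide grants access only if every rule holds; the first failing rule is returned so the
// denial can be logged and explained. Missing attributes fail closed inside the rules.
func Decide(policy []Rule, r Request) (allowed bool, reason string) {
	for _, rule := range policy {
		if !rule.Test(r) {
			return false, "denied: " + rule.Name
		}
	}
	return true, "allowed: all rules satisfied"
}

// str and num read typed attributes; an absent or mistyped attribute yields the zero value,
// which the rules below treat as "not satisfied".
func str(a Attributes, k string) string {
	s, _ := a[k].(string)
	return s
}

func num(a Attributes, k string) int {
	n, _ := a[k].(int)
	return n
}

// FinanceReportPolicy is a constructed policy for reading finance reports. Each rule looks at a
// different combination of attribute sources: subject against object, subject alone, environment.
var FinanceReportPolicy = []Rule{
	{"subject clearance must cover object sensitivity", func(r Request) bool {
		return num(r.Subject, "clearance") >= num(r.Object, "sensitivity")
	}},
	{"subject department must own the object", func(r Request) bool {
		d := str(r.Subject, "department")
		return d != "" && d == str(r.Object, "owner_department")
	}},
	{"request must come from the corporate network or VPN", func(r Request) bool {
		n := str(r.Env, "network")
		return n == "corp" || n == "vpn"
	}},
	{"request must be within 08:00-18:00 UTC unless subject is on call", func(r Request) bool {
		if onCall, _ := r.Subject["on_call"].(bool); onCall {
			return true
		}
		at, ok := r.Env["time"].(time.Time)
		if !ok {
			return false // no trustworthy timestamp: fail closed
		}
		h := at.UTC().Hour()
		return h >= 8 && h < 18
	}},
}

func main() {
	analyst := Attributes{"department": "finance", "clearance": 2, "on_call": false}
	report := Attributes{"owner_department": "finance", "sensitivity": 2}
	office := Attributes{"network": "corp", "time": time.Date(2024, 3, 4, 10, 0, 0, 0, time.UTC)}
	fmt.Println(Decide(FinanceReportPolicy, Request{analyst, report, office})) // true allowed: all rules satisfied
	night := Attributes{"network": "vpn", "time": time.Date(2024, 3, 4, 23, 0, 0, 0, time.UTC)}
	fmt.Println(Decide(FinanceReportPolicy, Request{analyst, report, night})) // false denied: request must be within 08:00-18:00 UTC unless subject is on call
}
```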
Many web sites use a digital certificate to prove their identity to visitors. Why is the use of digital certificates considered a reliable form of authentication? A) It is a web of trust. B) It is a form of trusted third-party authentication. C) It complies with 802.1x. D) It uses symmetric encryption keys.
B) It is a form of trusted third-party authentication. #A certificate is the CA's digital signature over the web site's name and public key; the visitor's browser checks that signature with the CA's public key from its own trust store. As long as the CA has a reliable reputation, users can trust the identity of any entity the CA has verified. Because a CA places its reputation on the line when issuing certificates, it makes reasonable efforts to verify the identity of its customers. A web of trust (as in PGP) relies on peers vouching for each other rather than on a central authority, 802.1X is network access control, and the authentication itself relies on asymmetric, not symmetric, keys.
What is the name of the process used to replace an old asymmetric key pair set with a new key pair set? A) Key generation B) Key rotation C) Key exchange D) Key escrow
B) Key rotation #Think about employee rotation!! It's a replacement of an employee with one who has the same qualifications. #Key rotation is the name of the process used to replace an old asymmetric key pair set with a new key pair set. An asymmetric key pair set is comprised of a public key and a private key. The system that uses these keys is known as public key cryptography. While public key cryptography key pair sets are crafted to be used multiple times, they are not intended to be used indefinitely. #Key exchange is the process of securely distributing a key between one communication entity and the other. This can be accomplished by using an asymmetric public key-based digital envelope (which is created using the recipient's public key) or with a key agreement protocol, such as Diffie-Hellman. #Key generation is the crafting of new keys. #Key escrow is the storage of encryption keys in a backup or archive database which is held by a third party. A key escrow may be used in the event of recovery or during an investigation.
Which of the following is the best security mechanism to minimize risk when browsing the Internet? A) Block access to known phishing URLs. B) Minimize support of mobile code. C) Enable the Do-Not-Track feature, and use private-browsing mode. D) Keep Java and Flash updated.
B) Minimize support of mobile code. #Minimizing support of mobile code is the best security mechanism to minimize risk when browsing the Internet. The most significant risk when browsing the Internet is malicious mobile code. Any Web site could be hosting malicious code. Even Web sites which try to maintain security and control over their content often fail to prevent malicious mobile code due to the complexity of modern dynamic Web applications and the use of numerous linked content management systems and advertising platforms. The only fully effective strategy is to block the execution of mobile code. However, this is problematic as most Web sites depend upon client-side execution of JavaScript. Thus, a viable strategy is to implement browser plugins which support per-Web-site configuration of which elements will be allowed. Generally, you should block all mobile code by default and then enable it sparingly on only those Web sites you perceive as trustworthy and secure. Keeping Java and Flash updated is weaker because it still runs the code; Flash in particular reached end of life in December 2020 and should be removed rather than updated.
If an organization experiences a disaster level event that damages its ability to perform mission-critical operations, what form of emergency response plan will provide a reliable means to ensure the least amount of downtime? A) Warm site B) Multi-site C) Reciprocal agreement D) Cold site
B) Multi-site #If an organization experiences a disaster level event that damages its ability to perform mission-critical operations, a multi-site emergency response plan will ensure the least amount of downtime. A multi-site alternative processing plan means that the organization is divided amongst multiple physical locations instead of being housed in a single facility. In the event of a disaster, the members of the non-affected sites can absorb the workload and personnel from the damaged site while it is being repaired. This has the benefit of minimal downtime.
What is the purpose of a baseline in relation to security monitoring? A) Defines job task procedures B) Notices trends away from normal C) Evaluates purchasing requirements D) Keeps configurations consistent
B) Notices trends away from normal #The purpose of a baseline for security monitoring is to notice trends away from normal. Most of security monitoring is about detecting when activities and events are not normal. It is key to know what is normal in order to detect something different from normal.
Other than implementing preventive measures and planning out response and recovery strategies, what is another important element that will help minimize data loss in the event of a harmful event that would trigger a disaster recovery plan (DRP)? A) Performing full interruption testing B) Prior warning of impending harm C) Significant expenditure on avoiding single points of failure D) End user training
B) Prior warning of impending harm #Prior warning of impending harm is another important element that will help minimize data loss in the event of a harmful event that would trigger a disaster recovery plan (DRP), other than implementing preventive measures and planning out response and recovery strategies. With prior warning of impending harm, it is possible to trigger offsite data transfers or backups, trigger the activation of alternative processing facilities, and perform graceful shutdowns on sensitive equipment. This type of warning of a disaster is often available during extreme weather conditions, forest fires, military actions, and so on. An organization's business continuity plan (BCP) and DRP should incorporate actions to be taken whenever prior notice of an impending damaging event is obtained.
A Web service has been experiencing a significant increase in traffic due to a successful media announcement. However, in the chaos of new customers and an avalanche of orders, the site manager forgot to address the Web site's digital certificate. At this point, what process can the site manager perform to resolve his expired certificate? A) Regeneration B) Reissue C) Renewal D) Revocation
B) Reissue #Reissue is the only option available to the site manager once his certificate has expired. The expiration date set on a digital certificate is a hard termination date. After that point in time, the certificate is not valid and will not be respected by the issuing certificate authority or by any relying party. The X.509 v3 certificate standard dictates that expired certificates are not reusable and that serial numbers must never be recycled. The only option is reissue, which is to repeat the issuance process to obtain a new certificate. VVI NOTE: Renewal is the process by which a certificate authority extends the expiration date of a digital certificate. This must be performed before the certificate expires, since once the expiration date has passed, the X.509 v3 standard does not allow the expired certificate (specifically its serial number) to be used ever again. In practice a renewal is itself a freshly issued certificate with a new serial number (often for the same key); the difference is that it can be requested while the old one is still valid, so there is no gap in service. #Regeneration is not a valid term or process related to digital certificates. #Revocation is the term used to describe the event of a certificate authority (CA) canceling an issued digital certificate.
What is the term used to describe the event of a certificate authority canceling an issued digital certificate? A) Destruction B) Revocation C) Termination D) Expiration
B) Revocation #Reasons for revocation include that the certificate's private key was compromised or used in a crime, the user violated the terms of service, or the user changed some aspect of their identity which was being verified by the certificate. Revocation differs from expiration in that the certificate's own dates still look valid, so relying parties only learn of it by checking the CA's certificate revocation list (CRL) or asking an OCSP responder; a client that skips that check will keep accepting a revoked certificate.
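One added Go example (not from the original page) ties together the certificate questions above: the hierarchical trust structure from the X.509 question, the trusted-third-party verification from the web site question, the hard expiry from the reissue question, and revocation from this one. It builds a root CA, an intermediate CA and a server certificate with the standard library, verifies the chain as a relying party would on a day inside and a day outside the server certificate's validity, and then has the intermediate publish a CRL and checks the serial against it. Every name, serial number and date is constructed for the example; `BuildPKI`, `VerifyAt` and `RevokeLeaf` are this example's own functions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs tmpl with the parent's key; a nil parent produces a self-signed root.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil { // self-signed: the certificate vouches for its own key
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // freshly produced DER always parses
	return cert, key
}

// caTemplate describes a CA certificate. Serial numbers are fixed here for readability; a real
// CA must never issue two certificates with the same serial.
func caTemplate(serial int64, cn string, from time.Time, years int) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: from, NotAfter: from.AddDate(years, 0, 0),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// PKI is a three-level hierarchy: root CA -> intermediate (issuing) CA -> server certificate.
type PKI struct {
	Root, Inter, Leaf *x509.Certificate
	InterKey          *ecdsa.PrivateKey
}

// BuildPKI creates the hierarchy; the server certificate is valid for leafDays from `from`.
func BuildPKI(from time.Time, leafDays int) *PKI {
	root, rootKey := issue(caTemplate(1, "Example Root CA", from, 10), nil, nil)
	inter, interKey := issue(caTemplate(2, "Example Issuing CA", from, 5), root, rootKey)
	leaf, _ := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1001), Subject: pkix.Name{CommonName: "www.example.test"},
		DNSNames: []string{"www.example.test"},
		NotBefore: from, NotAfter: from.AddDate(0, 0, leafDays),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, inter, interKey)
	return &PKI{Root: root, Inter: inter, Leaf: leaf, InterKey: interKey}
}

// VerifyAt validates the chain as a relying party would at time `at`: only the root is trusted
// beforehand, the intermediate is an untrusted hint that must chain to it, the name must match,
// and `at` must fall inside every certificate's NotBefore/NotAfter window.
func (p *PKI) VerifyAt(at time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(p.Root)
	inters.AddCert(p.Inter)
	_, err := p.Leaf.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inters, CurrentTime: at, DNSName: "www.example.test",
	})
	return err
}

// RevokeLeaf has the issuing CA sign a CRL listing the server certificate's serial, then checks it
// as a client would: parse the CRL, verify the CA's signature on it, and look the serial up.
func (p *PKI) RevokeLeaf(at time.Time) (bool, error) {
	der, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: at, NextUpdate: at.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: p.Leaf.SerialNumber, RevocationTime: at}},
	}, p.Inter, p.InterKey)
	if err != nil {
		return false, err
	}
	crl, err := x509.ParseRevocationList(der)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(p.Inter); err != nil {
		return false, err
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(p.Leaf.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}
```

With a 90-day server certificate issued on 2024-01-01, `VerifyAt` returns nil on day 30 and an expiry error on day 100, while `RevokeLeaf` reports true on day 10: the certificate's dates are still fine, and only the CRL lookup reveals that it must no longer be trusted. Note that `Verify` itself does not consult CRLs or OCSP; that check is the relying party's responsibility.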
Your company is partnering with Verigon to produce a new suite of services for the financial industry. To create and support these new services, both organizations will need to share content and perform collaborative work. The new services are to be offered only to pre-selected and invited clients, rather than being sold openly. How can this new service be configured without significantly increasing the risk to either company's private networks? A) Create a DMZ to host the service, and provide company interaction. B) Set up the new service in an extranet and provide VPN credentials to Verigon and invited clients. C) Host the new service in a public SaaS cloud. D) Configure the service on an internal server, and configure port forwarding.
B) Set up the new service in an extranet and provide VPN credentials to Verigon and invited clients. #You should set up the new service in an extranet and provide VPN credentials to Verigon and invited clients. This will protect the private networks of both companies because shared data and resources will be hosted in the extranet. An extranet is a distinct network, run by a private organization, but for the purpose of hosting resources for a specific group of outsiders, such as business partners or high-end clients. Furthermore, access to an extranet is typically controlled by use of a VPN. Thus, only those with valid VPN credentials can connect into the extranet.
What is the technology that enables a user to authenticate to a company network from their assigned workstation and then interact with resources throughout the private network without entering additional credentials? A) AAA services B) Single sign-on C) CHAP D) Multifactor authentication
B) Single sign-on #Single sign-on is commonly used in private networks. It allows an organization to require multifactor authentication for the single, master login without placing much additional burden on the user in terms of time and effort spent on authentication activities. #SSO can be used with single-factor or multifactor authentication. #AAA is a common and ubiquitous security concept: all entities need to prove their identity (authenticate), have their access defined (authorize), and have their activities monitored (account). AAA applies to users, software, devices, networks, and entire organizations. SSO can be used while AAA is in use, but the presence of AAA does not guarantee that SSO is present. #CHAP lets a client prove knowledge of a password over a channel that is itself unencrypted, without ever sending the password. The server sends a random challenge together with a one-byte identifier; the client hashes the identifier, the shared secret and the challenge together (MD5 in RFC 1994; the MS-CHAP variants use the hash of the user's password instead of the password itself) and returns the digest; the server recomputes the same digest and compares. A captured response is useless later because the next challenge is different. CHAP can be implemented within an SSO solution as the authentication mechanism, but the use of CHAP does not imply SSO.
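The CHAP exchange described above, as an added Go example that is not part of the original page: the authenticator issues a random challenge, the peer answers with MD5(identifier || secret || challenge) per RFC 1994, and the authenticator recomputes and compares. Each challenge is consumed on first use, so a captured response fails against any later challenge. The `Authenticator` type, the peer name and the secret value are constructed for the example.

```go
package main

import (
	"crypto/md5"
	"crypto/rand"
	"crypto/subtle"
	"fmt"
)

// challenge is an outstanding challenge issued to one peer.
type challenge struct {
	id    byte
	value []byte
}

// Authenticator is the server side of CHAP. RFC 1994 computes the response over the secret
// itself, so the server must hold the secret in recoverable form; it cannot store only a salted
// one-way hash. That is a known CHAP weakness and why the secrets file needs strict permissions.
type Authenticator struct {
	secrets map[string][]byte
	pending map[string]challenge // one outstanding challenge per peer, consumed on verify
	nextID  byte
}

func NewAuthenticator(secrets map[string][]byte) *Authenticator {
	return &Authenticator{secrets: secrets, pending: map[string]challenge{}}
}

// Challenge issues a fresh random challenge; the identifier lets the peer bind its response to it.
func (a *Authenticator) Challenge(peer string) (byte, []byte) {
	value := make([]byte, 16)
	if _, err := rand.Read(value); err != nil {
		panic(err)
	}
	a.nextID++
	a.pending[peer] = challenge{id: a.nextID, value: value}
	return a.nextID, value
}

// Respond is the peer's computation: MD5(identifier || secret || challenge). The secret never
// leaves the peer; only this digest is sent.
func Respond(id byte, secret, value []byte) []byte {
	h := md5.New()
	h.Write([]byte{id})
	h.Write(secret)
	h.Write(value)
	return h.Sum(nil)
}

// Verify recomputes the expected response for the outstanding challenge and compares it in
// constant time. The challenge is consumed whether or not the check passes, so a captured
// response is useless against any later challenge.
func (a *Authenticator) Verify(pe string, id byte, response []byte) bool {
	c, ok := a.pending[pe]
	delete(a.pending, pe)
	secret, known := a.secrets[pe]
	if !ok || !known || c.id != id {
		return false
	}
	return subtle.ConstantTimeCompare(Respond(c.id, secret, c.value), response) == 1
}

func main() {
	secret := []byte("correct horse battery staple")
	auth := NewAuthenticator(map[string][]byte{"alice": secret})
	id, chal := auth.Challenge("alice")
	resp := Respond(id, secret, chal) // computed on the client
	fmt.Println("genuine response:", auth.Verify("alice", id, resp)) // true
	id2, _ := auth.Challenge("alice")
	fmt.Println("replayed response:", auth.Verify("alice", id2, resp)) // false
}
```

MD5 is what RFC 1994 specifies; the freshness of the challenge, not the strength of MD5, is what defeats replay, but an attacker who records a challenge/response pair can still brute-force the secret offline, which is why CHAP is normally wrapped inside an encrypted tunnel today.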
Which term refers to the virtualization of networking which grants more control and flexibility over networking than using the traditional hardware-only means of network management? A) Hypervisor B) Software-defined network C) iSCSI D) Bridging
B) Software-defined network #A software-defined network (SDN) refers to the virtualization of networking, which grants more control and flexibility over networking than using the traditional hardware-only means of network management. SDN separates the control plane (decisions about where traffic goes) from the data plane (the switches and routers that forward it), so that a central controller programs the forwarding behaviour of the hardware. It allows networks to use heterogeneous vendor devices without sacrificing features and capabilities, and it enables the crafting of networks independent of the physical devices and cables. This is especially important for virtualization and cloud computing. NOTE: Bridging is the term used in virtualization to describe a networking configuration for guest OSes. A guest OS which is bridged is exposed to the external network. This enables the guest OS to receive a network-based DHCP IP configuration and be directly accessible by other networked devices.
When designing end-user training to teach employees about using cryptography within business tasks, which of the following is an important element to include? A) Key destruction B) The consequences of failing to encrypt C) The electricity cost of encryption D) The means of adding additional entropy to the randomness seeds
B) The consequences of failing to encrypt #The consequences of failing to encrypt is an important element to include when designing end-user training to teach employees about using cryptography within business tasks. It is usually obvious and common to explain the need for encryption and to aid workers in learning how to use the company supplied software tools to implement encryption.
A disaster recovery plan (DRP) should focus on restoring mission-critical services. Part of the DRP is to ensure that recent data is available for processing once mission-critical services are restored. How is data loss addressed in DRP? A) By implementing redundancies B) Through understanding the RPO C) By avoiding failure with RAID D) By minimizing recovery time with a small RTO
B) Through understanding the RPO #Data loss is addressed in DRP through understanding the recovery point objective (RPO). RPO is the amount of data loss that can be experienced before the loss is too great to survive as an organization. It is a type of maximum tolerable downtime (MTD) but in terms of data instead of mission-critical process downtime. RPO is still measured in time, such as a loss of 3 hours, 3 days, or 3 weeks of data. Whatever the organization's RPO is, a backup and recovery scheme should be designed and implemented to ensure that recovery efforts can restore data to a point less than the RPO.
What is the purpose of a business continuity plan (BCP)? A) To restore mission-critical tasks B) To maintain the ability to perform mission-critical work tasks while dealing with harmful events C) To train replacement personnel in the event of a senior executive leaving the organization D) To define performance requirements and consequences if providers fail to meet quality expectations
B) To maintain the ability to perform mission-critical work tasks while dealing with harmful events #The purpose of a business continuity plan (BCP) is to maintain the ability to perform mission-critical work tasks while dealing with harmful events. A BCP is designed to handle minor to moderately damaging events. Any interference or affecting situation that does not result in the full and total loss of mission-critical operations is addressed by the BCP. If mission-critical processes are fully interrupted, then the disaster recovery plan (DRP) is triggered. Organizations should have both a BCP and a DRP in order to be well prepared to handle any breach or incident that may occur. #The purpose of a BCP is NOT to restore mission-critical tasks. The restoration of mission-critical tasks is addressed by the DRP.
Why is change control and management used as a component of software asset management? A) To oversee the asset procurement process B) To prevent or reduce unintended reduction in security C) To restrict the privileges assigned to compartmentalized administrators D) To stop changes from being implemented into an environment
B) To prevent or reduce unintended reduction in security #In software asset management, change control and management is used to prevent or reduce unintended reduction in security. Change control and management aims at evaluating each and every change to understand its impact before it is implemented into the production environment. Change control is most commonly associated with software changes, such as installing updates or changing configuration settings, but it can also be used to oversee hardware, personnel, and physical changes as well.
What is the purpose of continuous monitoring? A) To track uptime B) To record all events that may be related to a violation C) To discover new technologies D) To consume as much storage space as possible
B) To record all events that may be related to a violation #If monitoring is not implemented in a consistent manner, then events will be missed and not recorded into the audit log. It is invalid to manually re-create events after the fact if the monitoring mechanisms failed to catch the event and make a record of it in the audit log. Thus, organizations should implement a continuous monitoring solution which is always recording all events to an audit log. This will provide the most complete perspective on the occurrences within the organization. #The purpose of continuous monitoring is NOT to discover new technologies. It may be possible from time to time to discover new attacks or exploit tools, but that is not the purpose of continuous monitoring. #The purpose of continuous monitoring is NOT to track uptime. Uptime recording into a continuous monitoring scheme may take place, but that is not the purpose of continuous monitoring. The purpose is to discover any and all violations.
In the realm of incident response, what is the purpose of the recovery phase? A) To remove the offending element from the environment B) To restore the environment back to normal operating conditions C) To assemble an incident response team D) To prevent the spread of an infection or harm caused by an intrusion
B) To restore the environment back to normal operating conditions #In the realm of incident response, the purpose of the recovery phase is to restore the environment back to normal operating conditions. #A typical incident response policy involves several key steps, including preparation, detection, notification, containment, eradication, recovery, and feedback review. The recovery phase can include the installation of new countermeasures to prevent the re-occurrence of the violation. #Eradication is the removal of the offending element from the environment. Eradication typically occurs immediately after containment. To some extent, eradication will prevent further damage, but its primary goal is to remove the offending element in order to prevent it from being re-used or allowing the attack to be repeated. #Assembling an incident response team is part of the preparation phase. #Containment is the incident response phase which has the goal of preventing further damage to the organization from a known incident. Containment can include disconnecting affected systems, disabling software or hardware, disconnecting the Internet link, and removing a suspect from the environment.
Why is a continuous monitoring scheme implemented in a typical organization? A) To reduce employee resource waste B) To take notice of events of interest C) To deflect denial of service attacks D) To improve social engineering resistance
B) To take notice of events of interest #A continuous monitoring scheme is implemented in a typical organization to take notice of events of interest. Each organization will have some variation as to what events are of significant concern as compared to others. Some typical examples of events of interest include multiple successive failed login attempts, port scans, significant increase in protocol load, odd content submitted by visitors, attempting to access sensitive resources, and normal user accounts attempting to perform administrative functions. #Continuous monitoring is NOT implemented to deflect denial of service attacks. Events of interest recorded into an audit log may reveal the occurrence of a denial of service attack. However, the act of recording the events does not deflect denial of service attacks. Deflecting denial of service attacks requires an interpretation of the audit logs, then designing a response strategy, then implementing that strategy.
What is a means to ensure that endpoint devices can interact with the Internet while minimizing risk of system compromise? A) Implement a weekly backup. B) Use a virtualized OS. C) Only use encrypted communication protocols. D) Use strong authentication.
B) Use a virtualized OS. #Use a virtualized OS to ensure that endpoint devices can interact with the Internet while minimizing risk of system compromise. A virtualized OS can be configured to reject any changes made during an operating session and revert to a fixed trusted image version each time the system is used. This tactic would allow for the risky activity of Internet access without placing the system at high risk of system compromise. Even if the virtual OS was breached by malware, the next session launch would revert back to a trusted and safe configuration. #Encrypted communications protect against eavesdropping, session hijacking, and other forms of session attacks. However, encrypted communications do not protect against downloading malicious software, especially when distributed via a Trojan horse. #Strong authentication may limit the ability of impersonation attacks, but it does not protect an authenticated user against downloading malicious software.
Why should forensic investigators give collection priority to the most volatile evidence? A) Volatile evidence is stored as binary information. B) Volatile evidence has the highest risk of being lost or changed due to the passing of time. C) Volatile evidence is the most persuasive evidence in a court of law. D) Volatile evidence is considered hearsay evidence in US courts.
B) Volatile evidence has the highest risk of being lost or changed due to the passing of time.
Under which condition should a security practitioner of your organization sit out of a security audit? A) When it involves the handling of proprietary information B) When an outside consultant is evaluating compliance C) When the operating budget is running low D) When senior management is dissatisfied with the results from previous audits
B) When an outside consultant is evaluating compliance #An internal security practitioner may be asked to sit out of a security audit when an outside consultant is evaluating compliance. In such a situation, the internal security practitioner represents a conflict of interest. Specifically, the person that configures and manages security should not be the same person to review and assess compliance of that security. This practice may not be considered a serious concern during normal operational management. In this condition, the person or group of people on the security management team will be responsible for both implementing and verifying security. However, when an external auditor is brought in to perform a formal assessment for compliance, it is essential that the results be unbiased. Thus, the security practitioners would sit out during the external security audit.
Which security tool is used to detect known examples of malware? A) Firewall B) IPS C) Anti-virus software D) Proxy
C) Anti-virus software #Anti-virus software is the best answer for the security tool which is used to detect known examples of malware. Anti-virus or anti-malware products have a database of known forms of malware, which is a collection of code snippets, signatures, or data patterns from discovered-in-the-wild malicious code. Anti-virus software is usually very reliable at detecting known exploits. Unfortunately, anti-malware is not very effective at detecting new malware.
What is the Exchange Principle as defined by Dr. Edmund Locard? A) Data files must be hashed in order to prove their integrity. B) A bit-stream image copy must be performed to make an exact duplicate of evidence files. C) Anyone entering or leaving a crime scene will take something with them when they leave and will leave something of themselves behind. D) Only original evidence is valid for submission in court.
C) Anyone entering or leaving a crime scene will take something with them when they leave and will leave something of themselves behind.
Which of the following types of activities is NOT commonly performed in preparation for a security assessment? A) Review the security policies. B) Collect host configuration documentation. C) Apply patches. D) Analyze the change management procedures.
C) Apply patches. #Applying patches is remediation, not preparation. #Collecting host configuration documentation is a common activity performed in preparation for a security assessment. Reviewing the security policies is a common activity performed in preparation for a security assessment. Analyzing the change management procedures is a common activity performed in preparation for a security assessment.
What type of technical control can be used in the process of assessing compliance? A) Encryption B) Security camera C) Auditing D) Multifactor authentication
C) Auditing #Auditing is a technical control which can be used in the process of assessing compliance. A technical control is a security mechanism that is comprised of computer hardware and/or software. Technical controls are distinct from physical and administrative controls. Physical controls focus on facility protections. Administrative controls focus on personnel management, often referenced with the concept of policy and people management. #Examples of technical controls include encryption, firewalls, intrusion detection, content filtering, anti-malware, auditing, and multifactor authentication. Auditing records the events and activities of users, software, and hardware. By reviewing the audit trails against policy, regulations, and authorization, it is possible to assess compliance and detect violations.
Why should escalation requirements be considered as part of an incident response strategy? A) Because all exploits take advantage of software flaws B) Because some countermeasures are more expensive than others C) Because not all violations represent the same threat to an organization D) Because some hackers are smarter than others
C) Because not all violations represent the same threat to an organization #Escalation requirements should be considered as part of an incident response strategy because not all violations represent the same threat to an organization. A port scan of an exterior-facing server and the remote connection of a hacker using a breached administrator account represent two different threat levels. Different levels of attack or threat demand appropriate levels of response.
How is role-based access control implemented? A) On the basis of ACLs B) Through the use of time restrictions C) By assigning a job name label to subjects D) By assigning sensitivity labels to all objects
C) By assigning a job name label to subjects #Role-based access control (RBAC) is implemented by assigning a job name label to subjects. The job role is assigned the rights and privileges necessary to complete all associated work tasks. By placing the job role name label on a subject, the subject inherits those privileges. RBAC is an effective strategy in environments with a high rate of employee turnover or where there are numerous workers performing the same tasks.
What version of AES is used by WPA-2? A) DHCP B) TLS C) CCMP D) RSA
C) CCMP #AES is a block cipher, which means it is appropriate for use to encrypt data-at-rest, i.e. data being stored. Wireless is a communications mechanism that requires an encryption algorithm suitable for encrypting data-in-transit. The CCMP version of AES was created for use by WPA-2, and is effectively a stream cipher.
How can integrity be enforced or assessed across an entire computer system? A) Check that the latest version of software updates has been applied. B) View the available free space. C) Compare a baseline of hardware settings and software configuration against a live system. D) Take a hash calculation of all system files.
C) Compare a baseline of hardware settings and software configuration against a live system. #To enforce or assess integrity across an entire computer system, compare a baseline of hardware settings and software configuration against a live system. This activity is used to ensure that the integrity of an entire computer system has been retained. It is checking to see that a system is still in compliance with prescribed security policy and that user activities have not caused any unauthorized software to be installed or invalid settings to be applied. NOTE: while it might sound like taking a hash calculation of all system files is correct because of "hash", it's not, because there are many more files on a computer than just those of the system itself, including third-party applications and user files. If hash calculations were to be used as a means to enforce or assess integrity across an entire computer system, then all of the files must be included, not just the system files.
When a storage device is taken in as evidence, what is the first step performed by the forensic personnel after starting the chain of custody form and writing out the evidence collection form? A) Create a bit-stream image copy. B) Make a hash calculation of the contents. C) Connect the device to a write blocker. D) Write an evidence header file to the storage device.
C) Connect the device to a write blocker. #When a storage device is taken in as evidence, the first step performed by the forensic personnel after starting the chain of custody form and writing out the evidence collection form is to connect the device to a write blocker. The purpose of a write blocker is to physically block the signals from a computer to the storage device that would cause a change to the data on that storage device. A physical write blocker does not have the electronic pathways connected that would send write signals to the drive; only read requests are sent to the storage device. A write blocker is used as additional insurance against accidental evidence corruption.
What is a simple example of device authentication that is comprised of a text file used by Web sites? A) CRC B) JavaScript C) Cookies D) CGI
C) Cookies #Cookies are a simple example of device authentication that is comprised of a text file used by Web sites. A Web browser receives one or more cookies related to user authentication from a Web site upon initial connection. Each time a new Web URL request is made, the cookie is returned back to the Web server to identify the device or user making the request.
Your company has recently acquired a small startup company, Metroil. Metroil has a single Microsoft Active Directory domain named Metroil-HQ. Your company has three existing domains: BaseStar1, RemoteOf2, and RemoteOf3. Your company's three existing domains are configured in a standard domain tree, with BaseStar1 linked to RemoteOf2, which is then linked to RemoteOf3. How can users from Metroil access resources in BaseStar1 with the least amount of network reconfiguration? A) Remove each device from Metroil-HQ, and then join each device as a new member of BaseStar1. B) No new configuration is required. All domains automatically have two-way trusts between them. C) Establish a trust between RemoteOf3 and Metroil-HQ. D) Break the tree trusts between BaseStar1 and RemoteOf2 and the trust between RemoteOf2 and RemoteOf3. Establish a trust between BaseStar1 and Metroil-HQ.
C) Establish a trust between RemoteOf3 and Metroil-HQ. #You should establish a trust between RemoteOf3 and Metroil-HQ. The standard trusts between domains in a domain tree are transitive two-way trusts. Thus, once a new trust is established between RemoteOf3 and Metroil-HQ, the users in Metroil-HQ can be allowed to access resources in BaseStar1 due to the transitive two-way trusts between all four domains.
What is the condition of an IDS security assessment reporting that an event of concern has taken place, but when later analyzed it is determined that the event was benign and should not have caused an IDS alert? A) True negative B) True positive C) False positive D) False negative
C) False positive #This is a false positive because the alarm or alert is triggered falsely. The concepts of false and true are used to indicate whether the alarm is correct or incorrect. False positives are a concern for security assessment and response management because they can waste resources. If response teams respond to repeated false positives, then they are wasting time, effort, and possibly resources to respond to benign events. #A false negative is when the alarm or alert is silent but malicious events are taking place. False negatives occur when the IDS is unable to detect the event, when the event is not in the IDS detection database, or when the event does not trigger any rules. #A true positive is when the alarm or alert occurs because of a malicious event. #A true negative is when the alarm or alert is silent because only benign events are occurring.
What is the name of the software layer or component that enables the creation of virtual machines and may be installed on top of an existing OS or may be installed directly on the bare metal of the computer? A) SDN B) VPN concentrator C) Hypervisor D) Cloud server
C) Hypervisor #Hypervisor is the name of the software layer or component which enables the creation of virtual machines and which may be installed on top of an existing OS or may be installed directly on the bare metal of the computer. The hypervisor manages the creation of the virtual machines, which are a software simulation of computer hardware. The virtual machines must be accurate enough to fool an operating system into functioning as if it was directly installed onto the bare metal of a computer. A hypervisor can be installed as a software add-on into an existing host operating system or a hypervisor can be used which installs directly onto the bare metal of a computer thus functioning as both the host OS and the hypervisor. NOTE: A VPN concentrator is used to manage multiple VPN connections. A VPN concentrator can be a hardware or software solution.
What is the IEEE standard known as port-based network access control which is used to leverage authentication already present in a network to validate clients connecting over hardware devices, such as wireless access points or VPN concentrators? A) IEEE 802.15 B) IEEE 802.11 C) IEEE 802.1x D) IEEE 802.3
C) IEEE 802.1x #The purpose of IEEE 802.1x is to avoid the use of on-device static password authentication, which is a very weak form of authentication.
What component of IPSec provides for the support of multiple simultaneous VPNs? A) SKEME B) IPComp C) ISAKMP D) ESP
C) ISAKMP #Internet Security Association Key Management Protocol (ISAKMP) is the component of IPSec which provides for the support of multiple simultaneous VPNs. ISAKMP maintains unique security associations for each IPSec VPN. Technically, each IPSec VPN uses two security associations. A security association is the collection of cryptography attributes, such as algorithm, its mode, related communication parameters, and encryption keys. It is a little like a digital security key ring. ISAKMP can maintain multiple pairs of SAs, thus providing for multiple simultaneous VPNs.
What is the term used to refer to an activity, occurrence, or event which could cause damage or harm to an organization? A) Baseline B) Alarm C) Incident D) Clipping level
C) Incident #The term incident refers to an activity, occurrence, or event which could cause damage or harm to an organization. For an organization to be prepared to respond to incidents, it needs to craft an incident response policy. This policy defines what events are considered incidents, which level of incidents requires a response, and what type of response the organization can perform. An incident can be defined as any violation of company policy or law. However, not all company policy violations are illegal actions. Also, not all company policy violations warrant a specific response by the incident response team. Every incident should be recorded into audit records and included in regular analysis reports.
How does salting passwords reduce the likelihood that a password cracking attack will be successful? A) It forces the attacker to focus on one account at a time. B) It prevents automated attacks. C) It increases the work load required to become successful. D) It triggers an account lockout after a fixed number of false attempts.
C) It increases the work load required to become successful. #Salting passwords reduces the likelihood that a password cracking attack will be successful because it increases the work load required to become successful. Salting is the adding of additional values to the plaintext characters of a password just before running the entire data set through the hashing process. Salts are assigned, usually randomly, to each user account uniquely and are typically changed each time the user changes their password.
Why is account or identity proofing necessary? A) It checks that users are logging into the assigned workstation at their desk. B) It allows for hiring of individuals with criminal records or sealed histories. C) It verifies that only the authorized person is able to use a specific user account. D) It ensures that privileged accounts are never used across network links.
C) It verifies that only the authorized person is able to use a specific user account. #Account or identity proofing is necessary because it verifies that only the authorized person is able to use a specific user account. This can be done through a number of means, including text messaging, pre-arranged security questions, or answering dynamic questions about a user's account or background and history. #Account or identity proofing does NOT ensure that privileged accounts are never used across network links. #Account or identity proofing does NOT check that users are logging into the assigned workstation at their desk. #Account or identity proofing does NOT allow for hiring of individuals with criminal records or sealed histories.
Which attack attempts to steal information from victims by tricking them into visiting false or fake Web sites using a spoofed email communication that seems to originate from a legitimate source? A) Botnet B) Pharming C) Phishing D) Hijacking
C) Phishing #If users can be fooled into believing a message is real, they are likely to follow instructions to visit a Web site and login. The attack is based on the attacker running a duplicated version of the real Web site on a different URL. The site may superficially look the same as the real site, but it will record the provided logon credentials and display an access unavailable message or other distraction. Never blindly trust any unsolicited communications.
What is a primary goal of a forensic investigator while collecting evidence? A) Collect sufficient evidence. B) Prove that a specific suspect committed the crime. C) Preserve evidence integrity. D) Locate evidence to support a pre-determined outcome.
C) Preserve evidence integrity. #One of the primary goals of a forensic investigator while collecting evidence is to preserve evidence integrity. Without evidence integrity, the evidence is of no value and is not admissible in court. Preservation of integrity is one of the requirements of the rules of evidence which determines whether evidence is admissible or not. Forensic investigators should follow standard forensics practices to locate and collect evidence. This includes taking hash calculations of evidence in order to check and verify integrity over time.
What is the result of an access control management process that adds new capabilities to users as their job tasks change over time, but does not perform a regular reassessment of the assigned authorization? A) Fraud and abuse B) Collision C) Privilege creep D) Collusion
C) Privilege creep
You are working hard to complete a major project before the deadline, which is next Monday. Three days before the deadline, you discover that the final task of the project requires a specific software product which you do not have. After searching for a version to purchase either from a local store or over the Internet, you discover that there are no copies of the software available for immediate access and use. The only version you can locate for purchase is through an overseas retailer. However, even with expedited shipping, it will not arrive until next Wednesday. During your search, you notice that there is a pirated copy available for download available immediately. How should you handle this situation according to (ISC)2 guidance? A) Use the pirated version, but go ahead and purchase the legitimate version. B) Install the pirated version in a virtual machine, and destroy the evidence once the project is complete. C) Purchase the legitimate product, and ask for a deadline extension. D) Use the pirated version.
C) Purchase the legitimate product, and ask for a deadline extension. #You should purchase the legitimate product and ask for a deadline extension. According to the (ISC)2 Code Of Ethics, you should strive to always act honorably, honestly, justly, responsibly, and legally. The only ethical and legal option for this scenario is to ask for a deadline extension and purchase the legitimate product to complete the project.
In what phase of incident response are new countermeasures implemented? A) Containment B) Eradication C) Recovery D) Detection
C) Recovery #A typical incident response policy involves several key steps, including preparation, detection, notification, containment, eradication, recovery, and feedback review. The goal of the recovery phase is to return the environment back to normal operating conditions. It also includes the installation of new countermeasures to prevent the re-occurrence of the violation. #Detection is an early phase of incident response, immediately after preparation. Detection is essential to becoming aware that an attack or violation is taking place. Only with detection can the later phases of incident response be triggered or have a target to address. #Containment is the phase or step of an incident response policy that has the goal of preventing further damage to the organization from a known incident. Containment can include disconnecting affected systems, disabling software or hardware, disconnecting the Internet link, and removing a suspect from the environment. #Eradication is the removal of the offending element from the environment. Eradication typically occurs immediately after containment. To some extent, eradication will prevent further damage, but its primary goal is to remove the offending element in order to prevent it from being re-used or allowing the attack to be repeated.
How can a switch or router be secured against unauthorized access to its management console from within the private network without inconveniencing the administrators? A) Set a longer password. B) Require a physical direct cable connection. C) Restrict access to SSH or HTTPS. D) Update the firmware.
C) Restrict access to SSH or HTTPS. #Access only by using SSH or HTTPS. Don't use HTTP or telnet (which is apparently enabled by default) #A switch or router can be secured against unauthorized access to its management console from within the private network without inconveniencing the administrators by restricting access to SSH or HTTPS. Many devices are set to accept Telnet or HTTP connections by default. These plaintext connection options expose the authentication credentials of administrators to eavesdropping. Telnet and HTTP connections also make password guessing at a rapid pace simple to implement. The use of encrypted connections will protect administrator credentials and limit the use of password guessing attacks.
How does a typical SIEM or systems management console retrieve event details from a source system? A) SMTP B) OVAL C) SNMP D) IPSec
C) SNMP #A typical SIEM or systems management console retrieves event details from a source system via Simple Network Management Protocol (SNMP). SNMP is used to exchange management information between source systems and management consoles. SNMP is defined by RFC1157 and operates over UDP ports 161 and 162. #Internet Protocol Security (IPSec) is not used to transfer event details between a source system and a management console. IPSec is the set of native encryption features of IPv6 made into an add-on for IPv4. IPSec is used to encrypt IP communications. Some SNMP traffic will be protected by IPSec encryption, but IPSec is not essential to the transference of event data by SNMP. #Open Vulnerability and Assessment Language (OVAL) is not used to transfer event details between a source system and a management console. OVAL is a standardized vulnerability referencing language employed by vulnerability scanners.
How can skilled IT workers evaluate new software without exposing their systems to infection or malware compromise? A) Use an administrator account. B) Use anti-malware scanners. C) Test using a sandbox. D) Implement an IDS.
C) Test using a sandbox. #Skilled IT workers can evaluate new software without exposing their systems to infection or malware compromise by testing using a sandbox. A sandbox is a tightly secured operating area where unknown code can be executed without exposing the main environment to compromise. A sandbox is often a virtual or guest operating system. Code run in a sandbox is monitored on a detailed level to discover how it interacts with the operating system, the file system, and other aspects of the virtual computer. If the code is discovered to perform suspicious or malicious actions, the virtual machine can be deleted, leaving no trace of the problematic code. If the software seems to be safe and benign, it can be installed into the production system for ongoing use.
What is the purpose or benefit of an after-action report in an incident response strategy? A) To have law enforcement provide guidance on handling security breaches B) To increase the sensitivity of incident detectors C) To learn from events in order to improve future incident handling D) To gain sufficient support from senior management
C) To learn from events in order to improve future incident handling #The after-action report is also known as a post-mortem review, a post-incident report, or a feedback loop. Incident response policies are crafted based on knowledge from prior security breaches.
When is a search warrant required? A) When evidence is in plain sight of a law enforcement officer B) When evidence is collected in connection with a lawful arrest C) When evidence is located within a private location D) When evidence is in the possession of an authority that is willing to give consent
C) When evidence is located within a private location #A search warrant is required when evidence is located within a private location. A search warrant is required whenever there is a reasonable expectation of privacy, but law enforcement is sure that evidence exists which needs to be collected. A judge will review a search warrant request, which includes an affidavit stating the reasoning behind the request to be given permission to breach privacy in order to seize evidence, before deciding whether to issue the search warrant. However, not all collections of evidence require a search warrant, such as in cases of consent or plain sight.
How is the chosen risk response strategy of risk acceptance proven and supported in a court of law? A) Through the results of a qualitative analysis B) Through storyboarding C) With a document signed by senior management D) By not applying countermeasures
C) With a document signed by senior management #The chosen risk response strategy of risk acceptance is proven and supported in a court of law with a document signed by senior management. This written proof of risk assessment, evaluation, consideration, and specifically choosing to accept or tolerate the risk is the valid means to support this decision in a court of law. Without a written document of this nature, the risk will be seen as having been ignored. Ignoring risk is often considered negligent in the eyes of the court. NOTE: When countermeasures are not applied, this could be either ignoring risk or risk acceptance. Without that document, the risk has been ignored!!!!!
There are eight standard security log event severity levels.
Code 0 - Emergency
Code 1 - Alert
Code 2 - Critical
Code 3 - Error
Code 4 - Warning
Code 5 - Notice
Code 6 - Information
Code 7 - Debug
How can non-repudiation be achieved by the typical user when communicating over e-mail? A) Obtain a digital certificate. B) Ask for proof of receipt. C) Employ encryption and a digital envelope. D) Use a digital signature.
D) Use a digital signature.
How is the total amount of potential risk calculated for a single asset and a specific threat? A) SLE x EF B) AV x CCM − EF C) Accumulate residual risk D) AV x EF x ARO
D) AV x EF x ARO #AV x EF x ARO is the formula used to calculate the total amount of potential risk for a single asset and a specific threat. This formula is based on three values: AV, EF, and ARO. Asset value (AV) is a value based on both the tangible and intangible value of an asset to the organization. Exposure factor (EF) is a prediction of the percentage of loss that would be experienced if a specific threat is realized against a specific asset. Annualized rate of occurrence (ARO) is a prediction of the number of times in the next year that the threat could be realized. When these three values are multiplied together they produce the annualized loss expectancy (ALE). The full formula is thus: ALE = AV x EF x ARO. Note that AV x EF on its own is the single loss expectancy (SLE), so the formula can also be written ALE = SLE x ARO. For example, an asset could be a file server which has an AV = $1,000,000; a threat could be a fire which could have an EF = 75%; and the ARO of the fire is .1 per year, thus the ALE would be $1,000,000 x 75% x .1 = $75,000.
Which term is used to indicate the function of access control or defining which subjects can perform various tasks on specific objects? A) Authentication B) Availability C) Accessibility D) Authorization
D) Authorization #Authorization is the term used to indicate the function of access control or defining which subjects can perform various tasks on specific objects. Authorization is the second element referenced by Authentication, Authorization, and Accounting (AAA). Authorization defines and controls what subjects can and cannot do. Authentication is the verification or proof that a subject is a claimed identity. To perform authentication, one or more authentication factors, such as a password, token, or biometric, must be provided. Authentication is the first element referenced by AAA. Accessibility is usually used in reference to altering the input and control mechanisms of a computer system to make them usable by those with disabilities. Availability is the concept of ensuring access to resources in order to accomplish work tasks. The violation of availability is known as denial of service (DoS). Availability is the third element in the Confidentiality, Integrity, and Availability (CIA) triad.
What is the term used to describe the risk management strategy of an organization altering a business task to work around a specific event or activity in order to prevent compromise? A) Transference B) Acceptance C) Deterrence D) Avoidance
D) Avoidance #Avoidance is the term used to describe the risk management strategy of an organization altering a business task to work around a specific event or activity in order to prevent compromise. By adjusting business processes to work around a risky activity or event, the impact of a realized threat can be eliminated or reduced. This can be an effective tool when designing a risk management strategy. Risk avoidance or risk removal is sometimes considered a sub-category of risk mitigation.
What is the logical network topology of Ethernet when deployed in a physical star wiring layout? A) Mesh B) Ring C) Star D) Bus
D) Bus #Ethernet always uses a logical bus topology. Logical network topology is not dependent upon or altered by physical network topology. Ethernet was designed when the only network topology type was a bus. Originally, Ethernet-connected devices were linked in a series or a chain along a single cable pathway. Communications along the cable chain were relayed by each device until the recipient received the communication. #Star topologies exist as a physical topology, not a logical topology. While Ethernet (and Token Ring) can be deployed as physical stars, Ethernet is always a logical bus topology. #Ring topology is a key component in Token Ring and Fiber Distributed Data Interface (FDDI). A ring topology is a bus that has been looped back onto itself to form a ring instead of a straight path. Similar to Ethernet, Token Ring can be deployed as a physical star. #Mesh topologies are deployments of connections where multiple pathways between end-points are established. This topology setup allows most transmissions to be delivered even if one of the connections goes down. It is a topology commonly used for wireless networks.
How does a deterrent control provide increased security? A) By blocking the event of the violation B) Through repairing damage caused by a violation C) Through recording the activity of a violation D) By discouraging perpetrators from committing a violation
D) By discouraging perpetrators from committing a violation #This can be done through the implementation of physical security controls, such as barbed wire fences, tire spikes, security guards, video cameras, and signs that indicate unauthorized access is prohibited.
How can a vulnerability be reduced or eliminated? A) Through delegation B) Through monitoring C) By crafting a response strategy D) By improving the asset
D) By improving the asset #A vulnerability can be reduced or eliminated by improving the asset. The weaknesses in an asset are its vulnerabilities. These weak points can be resolved by implementing patches or upgrades or by installing defensive countermeasures, such as firewalls or access control. Thus, any improvement or upgrading of the asset may reduce or eliminate its vulnerabilities. #Monitoring of an asset is important to security management. However, monitoring only takes notice of an exploitation of a vulnerability rather than reducing or eliminating it. NOTE: A response strategy typically focuses on containment and eradication of an offensive event or entity. But a response strategy does not reduce or eliminate a vulnerability. To reduce or eliminate a vulnerability, an asset must be improved or preventive security measures implemented.
How does IPSec verify that data arrived at the destination without intentional or accidental corruption? A) By exchanging symmetric keys B) Through the use of public key encryption C) With the use of a compression technology D) By using a randomized hashing operation
D) By using a randomized hashing operation #The VPN protocol of IPSec verifies that data arrived at the destination without intentional or accidental corruption (i.e. verifies integrity) by using a randomized hashing operation known as HMAC. Hash-based Message Authentication Code (HMAC) is a hashing mechanism that uses hashing algorithms along with a symmetric key to produce more robust hash digests. HMAC can use any standard hashing algorithm, such as MD5, SHA-1, or SHA-2, and modifies their process by integrating random values. The values are derived from a symmetric key, which serves as a random input.
What is the most critical document of the computer forensic process to ensure that evidence is admissible in court? A) Evidence collection sheet B) Search warrant C) Consent form D) Chain of custody
D) Chain of custody #The chain of custody document defines what the evidence is, when it was discovered, where it was located, who discovered it, and the identity of every person in controlling possession of the evidence from the point of discovery through presentation in court. The goal of the chain of custody is to prove that evidence was under protective custody at all times and never subjected to manipulation by unauthorized entities. If the chain of custody document is incomplete or has an error, it typically results in the evidence being inadmissible. This is due to the fact that if the chain of custody does not prove a continuous unbroken chain of protected custody, then the evidence might have been subjected to manipulation. The chain of custody document is thus the most critical document in the forensic process in relation to assuring admissibility in court.
What is the purpose of security policies? A) Redirect responsibility to external entities. B) Remove all risk. C) Keep costs to a minimum. D) Define how security is to be implemented and managed.
D) Define how security is to be implemented and managed. #The purpose of security policies is to define how security is to be implemented and managed. Security policies are often composed of dozens or possibly hundreds of individual documents. These documents may be policies, standards, guidelines, baselines, or procedures. With the exception of guidelines, compliance with all of the security prescriptions in security policy documents is mandatory. #The purpose of security policies is NOT to keep costs to a minimum, nor to redirect responsibility to external entities. Some aspects of implemented security as defined by a security policy can include outsourcing and purchasing insurance. These activities may transfer some of the risk burden onto external entities. However, these are only small elements of an overall security implementation. #The purpose of security policies is NOT to remove all risk. It is not possible to remove all risk.
Which of the following actions will have the LEAST benefit in relation to securing a wireless network? A) Changing the base station's default SSID and MAC addresses B) Changing the default management password on the base station C) Enabling WPA-2 D) Disabling DHCP
D) Disabling DHCP #Disabling DHCP is the least effective activity from this list in relation to securing a wireless network. Dynamic Host Configuration Protocol (DHCP) is used to assign IP address configurations to clients as they initiate a network connection. For a wireless network, DHCP is almost mandatory to avoid the administrative nightmare of managing static address assignments and configuration for a large collection of wireless clients. Additionally, because most wireless networks use private IP addresses from RFC 1918 (10.0.0.0-10.255.255.255, 172.16.0.0-172.31.255.255, and 192.168.0.0-192.168.255.255), it is not challenging for an attacker to determine a valid IP address for use on a wireless network.
Many businesses craft an ethical guidance policy as part of their overall security policy. In the event that there is a conflict between your employer's ethical policy and your own personal ethical views, how should you handle this conflict? A) Post your disagreements with the issue on your social network account. B) Protest the concern by picketing outside of your employer's building. C) Contact a lawyer to have the company policy changed. D) Discuss the issue internally with your manager and IT security administrator.
D) Discuss the issue internally with your manager and IT security administrator. #A code of ethics is not the law. Thus, your organization can make adjustments to the company policy for everyone, or can make an exception for just you to the specific tenet of the company's ethics policy that you have a conflict with. Open and honest discussion of the conflict internally with the persons of authority is the best approach to address any disagreements with the ethics policy. Discussing ethical concerns internally does not guarantee that the company will make a change in your favor, but it is the first and best option to begin dealing with the issue before it becomes a problem.
When crafting a digital signature, what are the initial steps in the process performed by the sender? A) Encrypt the message with a symmetric key. B) Sign the message with the recipient's public key. C) Hash the message, and then encrypt the message with the private key. D) Hash the message, and then encrypt the digest with the private key.
D) Hash the message, and then encrypt the digest with the private key. #When crafting a digital signature, the initial steps in the process performed by the sender are to hash the message and then encrypt the digest with the private key. The actual message is not changed or affected by the crafting of a digital signature. The digital signature is the sender's private key encrypted hash of the message.
How can a user avoid being seriously harmed by ransomware? A) Avoid becoming infected. B) Use Linux. C) Pay the required ransom fee. D) Have an offline backup.
D) Have an offline backup. #An offline backup is any backup which is not stored on a local, USB-attached, or network-attached storage device, as all of these could be encrypted by ransomware. It is also a backup which is not mapped to a drive letter or a mount point. It must be a backup which cannot be encrypted by a local encryption operation (such as what ransomware implements). Only with such a backup can you restore your data after cleaning up the infected system. Generally, cleanup requires formatting the drive, reinstalling software from trusted sources, and then restoring your backup.
An office worker needs to access the remote, off-site technical support center. The worker sends an e-mail query to the support center to request a remote video conference session to discuss and resolve the problem. After a few minutes, an inbound VoIP audio conference call is received. The worker selects to accept the call as it seems to originate from the remote, off-site technical support center based on the displayed name of the caller. During the call, the worker is asked to disclose their employee number, their system's IP address, and their account password. The worker is concerned about these queries as they are not related to the problem, and the caller seems insistent on obtaining the information from the worker. What is the most likely activity taking place during this VoIP call? A) Session hijack B) Pharming C) Denial of service D) Impersonation
D) Impersonation #There are several indicators that this is an attack rather than a valid technical support connection. First, the inbound call is for a voice-only communication rather than the video conference that was requested. Second, the caller asks about sensitive information unrelated to the issue at hand. Third, the caller is insistent on obtaining the sensitive information from the worker. These are common symptoms of an impersonation attack.
How can a risk be mitigated? A) Alter business processes to avoid them. B) Purchase insurance. C) Accept a risk as is. D) Implement safeguards.
D) Implement safeguards. #Risk mitigation is the concept of implementing any strategy that would either reduce or eliminate a risk. This often includes the application of safeguards (which can also be called countermeasures or security controls).
What is the most important foundational security concept upon which most other security ideas and solutions are based? A) Non-repudiation B) Revocation C) Availability D) Implicit deny
D) Implicit deny #Implicit deny, implicit denial, or default deny is the core of all security. The idea is that nothing and no one is allowed any form of default or automatic access. With implicit deny, all things and all entities are stopped. Then, as needed and when specifically implemented, explicit allows can be granted to allow users to access and use resources. #NO access until authorized!!
What is the component of IPSec that handles key generation and distribution? A) Encapsulating Security Payload B) IP Compression C) Authentication Header D) Internet Key Exchange
D) Internet Key Exchange #Internet Key Exchange (IKE) is the component of IPSec that handles key generation and distribution. IKE is comprised of three components: Oakley, Secure Key Exchange Mechanism (SKEME), and Internet Security Association and Key Management Protocol (ISAKMP). Oakley assists with key generation, SKEME is a mechanism to exchange keys securely, and ISAKMP maintains unique security associations for each IPSec VPN. #Authentication Header (AH) is responsible for establishing the initial connection and the authentication of end-points. AH uses the keys managed by IKE. #IP Compression (IPComp) is used to pre-compress data prior to its being encrypted by ESP. #Encapsulating Security Payload (ESP) is the bulk encryptor of an IPSec VPN. ESP uses the keys managed by IKE.
Why is multifactor authentication considered more secure than single-factor authentication? A) Single-factor authentication is less compatible with operating systems. B) Multifactor authentication solutions cost more. C) Multifactor authentication is available on the Internet. D) Multifactor authentication requires multiple distinct attacks to perform impersonation.
D) Multifactor authentication requires multiple distinct attacks to perform impersonation. #Because multifactor authentication requires the use of two or more different forms of authentication factors, an attacker would have to perform two or more distinct attacks to impersonate a valid user. For example, if authentication required a password and a smart card, then the attacker would have to steal or duplicate the smart card and also crack or learn the password to log in as the target user.
An IT security manager is struggling to keep the organization's computers in working order. He is testing updates and configuring them to be installed onto systems, and making tweaks to the configuration settings of various systems as business tasks require. However, he often discovers systems which do not have the necessary updates or which are using out-of-date settings. This may be caused by systems being disconnected from the company network when taken into the field or when used for special offline projects. What technology should the IT security manager implement to help handle this complex issue? A) IEEE 802.1x B) OCSP C) NTP synchronization D) NAC
D) NAC #Network access control (NAC) should be implemented in this scenario. When a system is determined by NAC to lack specific configuration settings or to be missing a required update, the system will be quarantined. A NAC quarantine is an isolation triggered by a system being out of compliance. It usually involves shifting IP address assignments to place the system in a quarantine subnet where the system is only able to access the remediation server. Quarantine remediation can be performed automatically or it may require an administrator to perform manual operations. Once the system is brought into compliance, it is returned to the production network. This technology will ensure that only systems that are current in configuration and updates are allowed to interact with the production environment. NOTE: OCSP (Online Certificate Status Protocol) is used by certificate authorities to check the status of an X.509 certificate.
Why are the audit findings presented to senior management? A) No one else in the organization has the expertise to read the report. B) RFC1918 requires it. C) The bottom-up business structure approach requires it. D) Only with approval can a response plan be implemented.
D) Only with approval can a response plan be implemented. #Audit findings are presented to senior management because a response plan can only be implemented with their approval. It is the responsibility of senior leadership to make the primary business management decisions.
Where should backups be stored? A) In encrypted form and in plain text format B) On tape and in the cloud C) Online and offline D) Onsite and offsite
D) Onsite and offsite #Backups should be stored both onsite and offsite. Onsite backup storage is for use when minor issues happen which require quick restorations, such as accidental file deletion or drive failure. Offsite backup storage is to protect the organization's data in the event of a significant disaster, such as a fire, which could destroy anything stored onsite. Onsite storage addresses minor problems, while offsite storage addresses major ones. It is possible to use offsite storage only, but this makes restorations due to minor issues less convenient.
Which of the following clearance levels or classification labels is not generally used in a government- or military-based MAC scheme? A) Top Secret B) Confidential C) Unclassified D) Proprietary
D) Proprietary #The typical classification labels in a government- or military-based MAC scheme are: Unclassified, Confidential, Secret, and Top Secret.
Which routing protocol makes routing and forwarding decisions based on a metric derived from the number of other routers that must be crossed to reach a destination? A) ISIS B) OSPF C) BGP D) RIP
D) RIP #The routing protocol that makes routing and forwarding decisions based on a metric derived from the number of other routers that must be crossed to reach a destination (the hop count) is Routing Information Protocol (RIP), a distance-vector routing protocol. Other examples of distance-vector routing protocols include Interior Gateway Routing Protocol (IGRP), Enhanced Interior Gateway Routing Protocol (EIGRP), and Babel. Distance-vector protocols can be effective routing mechanisms. However, they do not take into account other parameters and conditions that can affect the efficiency and reliability of a chosen pathway.
What type of information or data is the basis of most forms of modern cryptography, making modern cryptography possible and encryption cracking significantly more difficult? A) Key triplet usage B) 128-bit block sizes C) Static keys D) Randomness
D) Randomness #Randomness is the basis of most forms of cryptography. Without randomness, most forms of modern cryptography would not be possible and cracking encryption would be significantly simpler. The use of randomness increases the complexity of the ciphertext output. Thus it makes the act of cryptanalysis or cryptography cracking significantly more difficult. Without randomness, cryptography would be more predictable and thus much easier to break. The block size of a cryptographic algorithm determines how much work it can perform at one time. Smaller block sizes process less data than larger block sizes. Thus, the overall speed of cryptography is often increased as the block size increases. However, the limitation on block size is the capabilities of the hardware—specifically the CPU—and its ability to perform the complicated mathematical operations on large sets of data. If all cryptography used 64-bit or 128-bit blocks or some other number, there would not be any significant difference in capabilities of modern algorithms, or any reduction of security, just a reduction of efficiency.
What form of social engineering tricks a victim into contacting the attacker to ask for technical support? A) Scarcity B) Impersonation C) MAC spoofing D) Reverse social engineering
D) Reverse social engineering #Reverse social engineering is the form of social engineering which tricks a victim into contacting the attacker to ask for technical support. The concept of reverse social engineering is that it involves three steps or phases: advertisement, sabotage, and support. The advertisement is to inform the victim that the attacker is the person to contact when tech support is needed. #This could be accomplished by meeting victims in the company parking lot as they leave work, where the attacker introduces himself as the technical support manager. The attacker would claim that the tech support system has been overlooking support requests and that victims should contact him directly on a personal phone number. If victims believe this false story, then when they need technical support, they would contact the attacker thinking he is the real technical support manager. The attacker then either waits for the victim to need technical support assistance or performs an act of sabotage to force the need for assistance. NOTE: Most forms of social engineering include some element of impersonation. However, impersonation on its own does not trick a victim into contacting the attacker to ask for technical support. Scarcity is a common form of social engineering, just not one that tricks a victim into contacting the attacker to ask for technical support.
Which malware attempts to embed itself deeply into a system in order to hide itself and other items, such as files, folders, or even executable processes? A) Trojan horse B) Worm C) Virus D) Rootkit
D) Rootkit #A rootkit is malware that attempts to embed itself deeply into a system in order to hide itself and other items, such as files, folders, or even executable processes. A rootkit is a difficult-to-detect form of malware that often requires extreme efforts to remove from a system.
Which of the following is NOT a means to implement a Denial of Service (DoS) attack? A) Make numerous repeated requests for bulky resources. B) Transmit significant volumes of random traffic to a target. C) Initiate a firmware update, and then interrupt the process. D) Send dozens of email solicitation messages to an organization
D) Send dozens of email solicitation messages to an organization #This is a description of SPAM transmission or possibly a phishing attack. Dozens of email messages are not a significant volume of traffic and should not cause any noticeable increase in resource consumption. SPAM may be unwanted communication and can be a hassle, but SPAM on its own does not constitute a DoS.
Your company is about to launch a new Web site offering services and features that are commonly requested but rarely offered by other existing sites. The market research shows that the new site will be very popular and will have significant user growth for years. You must set up user authentication with the following requirements: Each user must be uniquely identified. Multifactor authentication should be supported. Authentication should provide protection of a user's identity even if your Web site's servers are compromised by hackers. How would you implement the authentication for this Web site? A) Ask your boss to alter the requirements as it is not possible to use multifactor authentication and unique identification at the same time. B) Deploy a solution using code taken directly from an open source programming community repository site. C) Create shared group accounts requiring two, 10-character minimum passwords. D) Set up a one-way federated access with an existing major social network site.
D) Set up a one-way federated access with an existing major social network site. #You should set up a one-way federated access with an existing major social network site to satisfy each of the stated requirements. Federated access is a link between a primary site and a secondary site to share or interconnect authentication. In this scenario, the primary site would be a major social network site, and the secondary site would be the new Web site being deployed by your company. A one-way federated access link would allow your site to accept the authentication from the primary site but would not allow your local Web site authentications to be accepted by the primary site. The use of one-way federated access would ensure that each user is uniquely identified.
How is subject-based access control different from object-based? A) It is always based on ACLs. B) Labels on resources are the primary concern. C) It is based on the content of the object. D) The focus is on an attribute or setting on the subject.
D) The focus is on an attribute or setting on the subject. #Subject-based access control focuses on an attribute or setting on the subject for making authorization decisions. It is also referred to as attribute-based access control. The attributes or settings on a subject can include time of day, location, whether the subject is internal or external to the private network, and whether a valid authentication was performed within a specific period of time. Another aspect of subject-based access control is to assign privileges to subjects based specifically on their job responsibilities, as is done in role-based access control. #Subject-based access control is NOT based on the content of the object. Subject-based access control focuses on the user, not the object. #Labels on resources are NOT the primary concern. Subject-based access control focuses on the user, not the object. If labels are in use, a subject must have either a matching label or a label superior to the one assigned to the object. #Subject-based access control is NOT always based on ACLs. Subject-based access control focuses on the user, not the object. Access control lists (ACLs) are defined on individual objects.
Why are corrective controls important to the long-term success of an organization's security implementation? A) They effectively prevent damage from occurring when attackers attempt a violation. B) They provide a means of determining what took place and who the perpetrator was. C) They can cause attackers to rethink their actions before actually performing a violation. D) They return systems and the environment back to a state of normal security.
D) They return systems and the environment back to a state of normal security. #The purpose of a corrective control is to quickly remedy a violation or a change into an unwanted or abnormal state by restoring a system or returning the environment back to a normal secure state. Examples of corrective controls include automated reboots after system failure and the mechanism on a door to reclose and relock it after an employee walks through.
How does S/MIME provide for verification that a received message was not modified during transit? A) With a recipient's private key B) Using the shared symmetric key C) By hashing the e-mail header D) Through a digital signature
D) Through a digital signature #S/MIME provides for verification that a received message was not modified during transit through a digital signature. S/MIME is a standard for using public key encryption to secure e-mail communications. It supports digital envelopes and digital signatures. To verify that a message was not changed during transit, a digital signature is used. (non-repudiation and integrity protection) A digital signature is created by crafting the hash digest of the message, then encrypting the hash digest with the sender's private key. This encrypted hash is the digital signature. NOTE: S/MIME does NOT verify that a received message was not modified by hashing the e-mail header. When a hash of an e-mail message is performed, the whole message including the header and the body is hashed as a single data set. (not just email header!!) S/MIME does not use hashing on its own; it is only used when involved in a digital signature.
What is the purpose of the user account maintenance mechanism known as account lockout? A) To grant the ability to pass through a mantrap B) To remove an account that was used in a system breach C) To turn off accounts for people no longer employed by the organization D) To prevent password-guessing attacks from being successful
D) To prevent password-guessing attacks from being successful
What is the purpose of a Security Information and Event Management (SIEM) product? A) To improve employee security training B) To define the requirements of security procedures C) To provide event planning guidance for holding industry conferences D) To provide real-time logging and analysis of security events
D) To provide real-time logging and analysis of security events #A SIEM is effectively an event log correlation system. A SIEM combines numerous functions to provide a comprehensive real-time overview of the organization's security status. Those functions include log collection from the various event sources throughout the network, normalization of logs to make them consistent for data mining, correlation of logs to indicate related records, aggregation of logs to reduce the volume of the data, and reporting of the data-mined results in a real-time display of security status.
Which of the following is NOT a method by which devices are assigned to VLAN network segments? A) Switch port configuration B) Mimicking IP subnet configuration C) MAC address D) Transport-layer port assignment
D) Transport-layer port assignment #Transport-layer port assignment is NOT a method by which devices are assigned to VLAN network segments. Transport-layer ports, as related to TCP and UDP, are often used in access control lists (ACLs), rule sets, or filter lists to control or manage traffic. Port-based ACLs can be found on firewalls, wireless access points, proxies, gateway devices, remote access concentrators, and multi-layer switches. Communications that match an allow rule will be passed through the device, while any traffic matching a deny rule or failing to match any rule will be denied by default and thus dropped. NOTE: Switch port configuration is a valid means of assigning devices to a VLAN. #MAC address management is another valid means of assigning devices to a VLAN. In networks where devices may be moved around and thus connect to the network via different ports, or even via wireless, MAC address VLAN assignment is essential. #Mimicking IP subnet configuration is a third valid means of assigning devices to a VLAN. If both the subnet and VLAN network segments contain the same devices, then performing the configuration at the IP level (i.e. OSI Network layer or Layer 3) and again on switches is essentially doubling the workload to perform the same grouping. Thus, switches can be configured to mimic the grouping of devices into subnets in order to assign devices to VLANs of the same grouping and membership.
What level of government classification regulations does NOT require encryption to be applied to resources assigned this specific label? A) Top secret B) Secret C) Confidential D) Unclassified
D) Unclassified #Unclassified is the level of government classification regulations that does not require encryption to be applied to resources assigned this specific label. This is the lowest level of classification and is applied to data that is for public use or that was obtained from the public. Some government and military organizations may still apply encryption to unclassified resources, but the government regulation of classifications does not mandate encryption for unclassified assets.
Why is it important to install updates and patches rather than to keep a system in a static configuration? A) Static systems do not develop new security flaws. B) Updates add new features and capabilities to a system. C) Static systems allow for changes to the system by end users. D) Updates often fix flaws and reduce weak points in a system.
D) Updates often fix flaws and reduce weak points in a system. #It is important to install updates and patches rather than to keep a system in a static configuration because updates often fix flaws and reduce weak points in a system. Over time, new flaws, bugs in code, and vulnerabilities are discovered. Updates are written to address those issues as they are discovered. Applying updates thus reduces the known weak points in a system. A static configuration maintains the current weaknesses and does not get the newly discovered flaws addressed. Thus, a static system becomes more vulnerable over time. NOTE: Static systems do NOT allow for changes to the system by end users. While updates add new features and capabilities to a system, this is not why it is important to install updates and patches. Static systems DO develop new security flaws. New attacks and exploitations are being developed by hackers constantly. Thus, static systems do have new attacks created for them, and more existing security flaws are discovered.
Which wireless configuration protocol can use either RC4 or TKIP for communication encryption? A) OSA B) WEP C) SKA D) WPA
D) WPA #Wi-Fi Protected Access (WPA) is a wireless configuration protocol that can use either Rivest Cipher 4 (RC4) or Temporal Key Integrity Protocol (TKIP) for communication encryption. #Open System Authentication (OSA) is the version of the original IEEE 802.11 wireless configuration that does not require authentication or encryption. OSA is the basis for modern wireless networks labeled as open or public. #WEP was part of the original 1997 IEEE 802.11 standard. It uses the RC4 algorithm for encryption.
What is an asset? A) All of the equipment in an organization B) Only those items costing more than $10,000 to purchase C) Any data set with tangible value D) Anything required to complete a business task
D) Anything required to complete a business task #If a business task cannot be completed without a particular item, then it is an asset. It does not matter whether an asset is of high or low cost, is a physical object or a digital element, or whether it is unique and proprietary or common and ubiquitous. The purpose of an organization is to perform its mission-critical processes. Thus, anything needed to support or perform those processes is an asset.
M-of-N control
M-of-N control is an important security concept to prevent a single administrator from having too much power to abuse a sensitive data store or system control. M-of-N control is not directly related to non-repudiation. It is a protection measure that requires that a minimum number of agents (M) out of the total number of agents (N) work together to perform high-security tasks. For example, at least 2 of the 5 people who hold a password need to enter it to gain access.
Traffic padding is used as a countermeasure to traffic analysis.
Traffic padding is adding additional data to your network traffic to make it more difficult to identify the sender, receiver, and/or the data being transmitted. It is designed to make the traffic look more random, or at least less identifiable. For example, using encryption may hide the actual data being transferred, but analyzing how the data is being transmitted may help create a signature.
Credentials
The username is the identity; the rest of the information provided during the identity management process, for authentication and authorization, is the credentials. #Also, written evidence showing that a person has a right to a certain position or authority in the workplace.
Reasons to use an Incident Response plan.
When a cyberattack or breach occurs, the Incident Response (IR) plan is the document that must guide the team through the recovery processes. It is extremely beneficial if a company is equipped with complete information about the response procedures for any cyber incident. Such events may be: 1) Disclosure of confidential information 2) Asset theft or damage 3) Unauthorized use of services and information 4) Malware in the system 5) Unauthorized modifications and access to organizational hardware and software 6) Disruption of the network 7) Failure of critical servers #Incident Response, or IR, is a cybersecurity term that denotes the handling of a security incident within the organization. It means something has happened. Maybe an unauthorized individual got into the network, or a malicious virus or ransomware infiltrated your connection. The incident could be a major one, such as all the computers getting hacked, or a localized one where only one computer isn't working. In short, you have an incident, and you need a predefined plan of what you must do.