ISC2 Post-Course Assessment
"Wiring _____" is a common term meaning "a place where wires/conduits are often run, and equipment can be placed, in order to facilitate the use of local networks." (D4.3 L4.3.1) A) Shelf B) Closet C) Bracket D) House
"Wiring closet" is the common term used to describe small spaces, typically placed on each floor of a building, where IT infrastructure can be placed. A, C and D are incorrect; these are not common terms used in this manner.
Network traffic originating from outside the organization might be admitted to the internal IT environment or blocked at the perimeter by a ________. (D3, L3.2.1) A) Turnstile B) Fence C) Vacuum D) Firewall
A firewall is a solution used to filter traffic between networks, including between the internal environment and the outside world. D is the correct answer. A and B are incorrect; a turnstile and a fence are physical access control mechanisms. C is incorrect; a vacuum does not affect network traffic, and the term is used here only as a distractor.
A bollard is a post set securely in the ground in order to prevent a vehicle from entering an area or driving past a certain point. Bollards are an example of ______ controls. (D1, L1.3.1) A) Physical B) Administrative C) Drastic D) Technical
A is correct. A bollard is a tangible object that prevents a physical act from occurring; this is a physical control. B and D are incorrect because the bollard is a physical control, not administrative or technical. C is incorrect: "drastic" is not a term commonly used to describe a particular type of security control, and is used here only as a distractor.
Guillermo logs onto a system and opens a document file. In this example, Guillermo is: (D3, L3.1.1) A) The subject B) The object C) The process D) The software
A is correct. Guillermo is the subject in this example. B is incorrect; in this example, the file is the object. C is incorrect; in this example, the process is logging on and opening the file. D is incorrect; in this example, the application used to open the file is the software.
Phrenal is selling a used laptop in an online auction. Phrenal has estimated the value of the laptop to be $100, but has seen other laptops of similar type and quality sell for both more and less than that amount. Phrenal hopes that the laptop will sell for $100 or more, but is prepared to take less for it if nobody bids that amount. This is an example of ___________. (D1, L1.2.2) A) Risk tolerance B) Risk inversion C) Threat D) Vulnerability
A is correct. Phrenal has decided there is an acceptable level of risk associated with the online sale of the laptop; this is within Phrenal's risk tolerance. B is incorrect; "risk inversion" is a term with no actual meaning, and is used here only as a distractor. C is incorrect; a threat is something or someone that poses risk—the sale of the laptop does not pose risk to Phrenal, only a lesser or greater benefit. D is incorrect; the sale of the laptop is not an avenue of attack against Phrenal.
Prachi works as a database administrator for Triffid, Inc. Prachi is allowed to add or delete users, but is not allowed to read or modify the data in the database itself. When Prachi logs onto the system, an access control list (ACL) checks to determine which permissions Prachi has. In this situation, what is the database? (D3, L3.1.1) A) The object B) The rule C) The subject D) The site
A is correct. Prachi is manipulating the database, so the database is the object in the subject-object-rule relationship in this case. B and C are incorrect, because the database is the object in this situation. D is incorrect because "site" has no meaning in this context.
Sophia is visiting Las Vegas and decides to put a bet on a particular number on a roulette wheel. This is an example of _________. (D1, L1.2.2) A) Acceptance B) Avoidance C) Mitigation D) Transference
A is correct. Sophia is accepting the risk that the money will be lost, even though the likelihood is high; Sophia has decided that the potential benefit (winning the bet), while low in likelihood, is worth the risk. B is incorrect; if Sophia used avoidance, Sophia would not place the bet. C is incorrect; mitigation involves applying a control to reduce the risk. There is no practical (or legal) way to reduce the risk that Sophia will lose the bet. D is incorrect; if Sophia wanted to transfer the risk, Sophia might ask some friends to each put up a portion of the bet, so that they would all share the loss (or winnings) from the bet.
Grampon municipal code requires that all companies that operate within city limits will have a set of processes to ensure employees are safe while working with hazardous materials. Triffid Corporation creates a checklist of activities employees must follow while working with hazardous materials inside Grampon city limits. The municipal code is a ______, and the Triffid checklist is a ________. (D1, L1.4.2) A) Law, procedure B) Standard, law C) Law, standard D) Policy, law
A is correct. The municipal code was created by a governmental body and is a legal mandate; this is a law. The Triffid checklist is a detailed set of actions which must be used by Triffid employees in specific circumstances; this is a procedure. B and C are incorrect; neither document is recognized throughout the industry, so neither is a standard. D is incorrect; neither document is a strategic internal overview issued by senior management, so neither is a policy.
The Triffid Corporation publishes a strategic overview of the company's intent to secure all the data the company possesses. This document is signed by Triffid senior management. What kind of document is this? (D1, L1.4.1) A) Policy B) Procedure C) Standard D) Law
A is correct. This is an internal, strategic document, and is therefore a policy. B is incorrect; this is a strategic overview, not a specific process or practice, so it is not a procedure. C is incorrect; this is an internal document, not an industry-wide recognized set of practices, so it is not a standard. D is incorrect; this is not a legal mandate issued by a government, so it is not a law.
Triffid, Inc., wants to host streaming video files for the company's remote users, but wants to ensure the data is protected while it's streaming. Which of the following methods are probably best for this purpose? (D5.1, L5.1.3) A) Symmetric encryption B) Hashing C) Asymmetric encryption D) VLANs
A is the correct answer; symmetric encryption offers confidentiality of data with the least amount of processing overhead, which makes it the preferred means of protecting streaming data. B is incorrect; hashing would not provide confidentiality of the data. C is incorrect; asymmetric encryption requires more processing overhead than symmetric encryption, and is therefore not preferable for streaming purposes. D is incorrect; VLANs are useful for logical segmentation of networks, but do not serve a purpose for streaming data to remote users.
Garfield is a security analyst at Triffid, Inc. Garfield notices that a particular application in the production environment is being copied very quickly, across systems and devices utilized by many users. What kind of attack could this be? (D4.2 L4.2.1) A) Spoofing B) Side channel C) Trojan D) Worm
Activity of this type, where an application or file is replicating rapidly across an entire environment, is often indicative of a worm. D is correct. A is incorrect; spoofing uses captured credentials for the attack, not replication of apps. B is incorrect; a side channel attack is typically entirely passive. C is incorrect; while a Trojan horse method might be used to introduce a worm to the environment, not all Trojans are worms.
Data retention periods apply to ____ data. (D5.1, L5.1.1) A) Medical B) Sensitive C) All D) Secret
All data should have specific retention periods (even though retention periods may differ for various types of data). C is the correct answer. A, B and D are incorrect; retention periods affect all data.
You are reviewing log data from a router; there is an entry that shows a user sent traffic through the router at 11:45 am, local time, yesterday. This is an example of a(n) _______. (D2, L2.1.1) A) Incident B) Event C) Attack D) Threat
An event is any observable occurrence within the IT environment ("any observable occurrence in a network or system"; source: NIST SP 800-61 Rev. 2). While an event might be part of an incident, attack, or threat, no other information about the event was given in the question, so B is the correct answer.
In order for a biometric security system to function properly, an authorized person's physiological data must be ______. (D3, L3.2.1) A) Broadcast B) Stored C) Deleted D) Modified
B is correct. A biometric security system works by capturing and recording a physiological trait of the authorized person and storing it for comparison whenever that person presents the same trait in the future. A is incorrect; access control information should not be broadcast. C is incorrect; if all biometric data is erased, the data cannot be used for comparison purposes to grant access later. D is incorrect; biometric data should not be modified, or it may become useless for comparison purposes.
The Triffid Corporation publishes a policy that states all personnel will act in a manner that protects health and human safety. The security office is tasked with writing a detailed set of processes on how employees should wear protective gear such as hardhats and gloves when in hazardous areas. This detailed set of processes is a _________. (D1, L1.4.1) A) Policy B) Procedure C) Standard D) Law
B is correct. A detailed set of processes used by a specific organization is a procedure. A is incorrect; the policy is the overarching document that requires the procedure be created and implemented. C is incorrect. The procedure is not recognized and implemented throughout the industry; it is used internally. D is incorrect; the procedure was created by Triffid Corporation, not a governmental body.
In risk management concepts, a(n) ___________ is something or someone that poses risk to an organization or asset. (D1, L1.2.1) A) Fear B) Threat C) Control D) Asset
B is correct. A threat is something or someone that poses risk to the organization; this is the definition of a threat. A is incorrect because "fear" is not generally a term associated with risk management. C is incorrect; a control is something used to mitigate risk. D is incorrect; an asset is something of value, which may need protection.
In risk management concepts, a(n) _________ is something a security practitioner might need to protect. (D1, L1.2.1) A) Vulnerability B) Asset C) Threat D) Likelihood
B is correct. An asset is anything with value, and a security practitioner may need to protect assets. A, C, and D are incorrect because vulnerabilities, threats and likelihood are terms associated with risk concepts, but are not things that a practitioner would protect.
True or False? Business continuity planning is a reactive procedure that restores business operations after a disruption occurs. (D2, L2.2.1) A) True B) False
B is correct. Business continuity planning is proactive preparation for restoring operations after disruption. Members from across the organization participate in the planning to ensure all systems, processes and operations are accounted for in the plan. A is incorrect; business continuity planning is a proactive procedure to prepare for the restoration of operations after disruption.
Which of the following will have the most impact on determining the duration of log retention? (D3, L3.2.1) A) Personal preference B) Applicable laws C) Industry standards D) Type of storage media
B is correct. Laws will have the most impact on policies, including log retention periods, because laws cannot be contravened. All the other answers may have some impact on retention periods, but they will never have as much impact as applicable laws.
Chad is a security practitioner tasked with ensuring that the information on the organization's public website is not changed by anyone outside the organization. This task is an example of ensuring _________. (D1, L1.1.1) A) Confidentiality B) Integrity C) Availability D) Confirmation
B is correct. Preventing unauthorized modification is the definition of integrity. A is incorrect because the website is not meant to be secret; it is open to the public. C is incorrect because Chad is not tasked with ensuring the website is accessible, only that the information on it is not changed. D is incorrect because "confirmation" is not a typical security term, and is used here only as a distractor.
Proper alignment of security policy and business goals within the organization is important because: (D5.3, L5.3.1) A) Security should always be as strict as possible B) Security policy that conflicts with business goals can inhibit productivity C) Bad security policy can be illegal D) Security is more important than business
B is correct. Security is a support function in most organizations, not a business function; therefore, security policy must conform to business needs to avoid inhibiting productivity. A is incorrect; security that is too strict can cause the organization to fail in its business purpose—the right balance has to be created. C is incorrect; while it is true that policies might violate the law if improperly crafted, that is not a reason to align the policy to the business goals (business goals should not violate the law, either). D is incorrect; business goals are typically more important than security.
Who approves the incident response policy? (D2, L2.1.1) A) (ISC)² B) Senior management C) The security manager D) Investors
B is correct. The organization's senior management are the only entities authorized to accept risk on behalf of the organization, and therefore all organizational policies must be approved by senior management. A is incorrect; (ISC)² has no authority over individual organizations. C is incorrect; the security manager will likely be involved in crafting and implementing the policy, but only senior management can approve it. D is incorrect; investors leave policy review and approval to senior management.
The European Union (EU) law that grants legal protections to individual human privacy. (D1, L1.1.1) A) The Privacy Human Rights Act B) The General Data Protection Regulation C) The Magna Carta D) The Constitution
B is correct: The GDPR is the EU law that treats privacy as a human right. A is incorrect because there is no Privacy Human Rights Act; the term is used here only as a distractor. C is incorrect because the Magna Carta is a British law describing the relationship between the monarchy and the people, and does not mention privacy. D is incorrect because the Constitution is the basis of United States federal law, and does not mention privacy.
By far, the most crucial element of any security instruction program. (D5.4, L5.4.1) A) Protect assets B) Preserve health and human safety C) Ensure availability of IT systems D) Preserve shareholder value
B is correct: This is the paramount rule in all security efforts. A, C and D are incorrect; these are goals of the security instruction program, but all are secondary to B.
Which common cloud service model offers the customer the most control of the cloud environment? (D4.3 L4.3.2) A) Lunch as a service (LaaS) B) Infrastructure as a service (IaaS) C) Platform as a service (PaaS) D) Software as a service (SaaS)
B is correct; IaaS offers the customer the most control of the cloud environment, in terms of common cloud service models. A is incorrect; this is not a common cloud service model. C and D are incorrect; IaaS offers the customer more control than any other common cloud service model.
Zarma is an ISC2 member and a security analyst for Triffid Corporation. One of Zarma's colleagues is interested in getting an ISC2 certification and asks Zarma what the test questions are like. What should Zarma do? (D1, L1.5.1) A) Inform ISC2 B) Explain the style and format of the questions, but no detail C) Inform the colleague's supervisor D) Nothing
B is the best answer. It is all right to explain the format of the exam, and even to share your own impressions of how challenging and difficult you found the exam to be. But in order to protect the security of the test, and to adhere to the ISC2 Code of Ethics ("advance and protect the profession"), Zarma should not share any explicit information about details of the exam or reveal any actual questions.
Which of the following is probably most useful at the perimeter of a property? (D3, L3.2.1) A) A safe B) A fence C) A data center D) A centralized log storage facility
B is the best answer. Of the options listed, a fence would be most useful at the perimeter of a property. A, C and D are incorrect, because those contain high-value assets which would be better located away from the perimeter of the property, so they can be protected with multiple security controls of varying types.
When should a business continuity plan (BCP) be activated? (D2, L2.2.1) A) As soon as possible B) At the very beginning of a disaster C) When senior management authorizes D) When instructed to do so by regulators
C is correct. A senior manager with the proper authority must initiate the BCP. A is incorrect; this answer has no context—there is no way to know when "as soon as possible" would be. B is incorrect; typically, it is impossible to determine the "beginning" of a disaster. D is incorrect; not all organizations are in regulated industries, and regulators do not supervise disaster response.
Kerpak works in the security office of a medium-sized entertainment company. Kerpak is asked to assess a particular risk, and he suggests that the best way to counter this risk would be to purchase and implement a particular security solution. This is an example of _______. (D1, L1.2.2) A) Acceptance B) Avoidance C) Mitigation D) Transference
C is correct. Applying a security solution (a type of control) is an example of mitigation. A is incorrect; if Kerpak suggested acceptance, then the threat, and the acceptance of the associated risk, only needs to be documented—no other action is necessary. B is incorrect; if Kerpak suggested avoidance, the course of action would be to cease whatever activity was associated with the risk. D is incorrect; if Kerpak suggested transference, this would involve forming some sort of risk-sharing relationship with an external party, such as an insurance underwriter.
To adequately ensure availability for a data center, it is best to plan for both resilience and _______ of the elements in the facility. (D4.3 L4.3.1) A) Uniqueness B) Destruction C) Redundancy D) Hue
C is correct. Availability is enhanced by ensuring that elements of the data center are replicated, in case any given individual element fails. A is incorrect; this is the opposite of redundancy: if any single element is unique, that could become a single point of failure and affect the overall operation. B is incorrect; while secure destruction is worth planning for, that will come at the end of the system life cycle and is not part of ensuring availability. D is incorrect; we generally don't care what color the elements of a data center are.
Prachi works as a database administrator for Triffid, Inc. Prachi is allowed to add or delete users, but is not allowed to read or modify the data in the database itself. When Prachi logs onto the system, an access control list (ACL) checks to determine which permissions Prachi has. In this situation, what is the ACL? (D3, L3.1.1) A) The subject B) The object C) The rule D) The firmware
C is correct. The ACL, in this case, acts as the rule in the subject-object-rule relationship. It determines what Prachi is allowed to do, and what Prachi is not permitted to do. A and B are incorrect, because the ACL is the rule in this case. D is incorrect, because firmware is not typically part of the subject-object-rule relationship, and the ACL is not firmware in any case.
ISC2 publishes a Common Body of Knowledge (CBK) that IT security practitioners should be familiar with; this is recognized throughout the industry as a set of material that is useful for practitioners to refer to. Certifications can be issued for demonstrating expertise in this Common Body of Knowledge. What kind of document is the Common Body of Knowledge? (D1, L1.4.1) A) Policy B) Procedure C) Standard D) Law
C is correct. The Common Body of Knowledge is used throughout the industry, recognized among many people, countries and organizations. This is a standard. A is incorrect; the CBK is not a set of internal rules used for a particular organization; it is used throughout the industry. B is incorrect. The CBK is not a process that is followed; it is a set of information. D is incorrect; the CBK is not mandated by a governmental body.
A means to allow remote users to have secure access to the internal IT environment. (D4.3 L4.3.3) A) Internet B) VLAN C) MAC D) VPN
D is correct; a virtual private network protects communication traffic over untrusted media. A is incorrect; the internet is an untrusted medium. B is incorrect; VLANs are used to segment portions of the internal environment. C is incorrect; MAC is the physical address of a given networked device.
Druna is a security practitioner tasked with ensuring that laptops are not stolen from the organization's offices. Which sort of security control would probably be best for this purpose? (D1, L1.3.1) A) Technical B) Obverse C) Physical D) Administrative
C is the best answer. Because laptops are tangible objects, and Druna is trying to ensure that these objects are not moved from a certain place, physical controls are probably best for the purpose. A is incorrect; technical controls might help detect an attempt to steal a laptop, or locate the laptop after it has been stolen, but won't prevent the laptop from being taken. B is incorrect; "obverse" is not a term commonly used to describe a particular type of security control, and is used here only as a distractor. D is incorrect; administrative controls may help reduce theft, such as ensuring that laptops are not left in a place unobserved, but won't prevent the laptop from being taken.
Barry wants to upload a series of files to a web-based storage service, so that people Barry has granted authorization can retrieve these files. Which of the following would be Barry's preferred communication protocol if he wanted this activity to be efficient and secure? (D4, L4.1.2) A) SMTP (Simple Mail Transfer Protocol) B) FTP (File Transfer Protocol) C) SFTP (Secure File Transfer Protocol) D) SNMP (Simple Network Management Protocol)
C is the correct answer; SFTP is designed specifically for this purpose. A, B and D are incorrect; these protocols are either not efficient or not secure in Barry's intended use.
The concept that the deployment of multiple types of controls provides better security than using a single type of control. (D4.3 L4.3.3) A) VPN B) Least privilege C) Internet D) Defense in depth
D is correct; defense in depth involves multiple types of controls to provide better security. A is incorrect; a virtual private network protects communication traffic over untrusted media, but does not involve multiple types of controls. B is incorrect; the principle of least privilege is a system of access control. C is incorrect; the internet is an untrusted medium.
Which of the following is a biometric access control mechanism? (D3, L3.2.1) A) A badge reader B) A copper key C) A fence with razor tape on it D) A door locked by a voiceprint identifier
D is correct. A lock that opens according to a person's voice is a type of biometric access control. A, B and C are all access control mechanisms, but none of them are based on unique physiological characteristics of a person, so they are not biometric systems.
A software firewall is an application that runs on a device and prevents specific types of traffic from entering that device. This is a type of ________ control. (D1, L1.3.1) A) Physical B) Administrative C) Passive D) Technical
D is correct. A software firewall is a technical control, because it is a part of the IT environment. A is incorrect; a software firewall is not a tangible object that protects something. B is incorrect; a software firewall is not a rule or process. Without trying to confuse the issue, a software firewall might incorporate an administrative control: the set of rules which the firewall uses to allow or block particular traffic. However, answer D is a much better way to describe a software firewall. C is incorrect; "passive" is not a term commonly used to describe a particular type of security control, and is used here only as a distractor.
Within the organization, who can identify risk? (D1, L1.2.2) A) The security manager B) Any security team member C) Senior management D) Anyone
D is correct. Anyone within the organization can identify risk.
For which of the following systems would the security concept of availability probably be most important? (D1, L1.1.1) A) Medical systems that store patient data B) Retail records of past transactions C) Online streaming of camera feeds that display historical works of art in museums around the world D) Medical systems that monitor patient condition in an intensive care unit
D is correct. Information that reflects patient condition is data that necessarily must be kept available in real time, because that data is directly linked to the patients' well-being (and possibly their life). This is, by far, the most important of the options listed. A is incorrect because stored data, while important, is not as critical to patient health as the monitoring function listed in answer D. B is incorrect because retail transactions do not constitute a risk to health and human safety. C is incorrect because displaying artwork does not reflect a risk to health and human safety; also because the loss of online streaming does not actually affect the asset (the artwork in the museum) in any way—the art will still be in the museum, regardless of whether the camera is functioning.
Larry and Fern both work in the data center. In order to enter the data center to begin their workday, they must both present their own keys (which are different) to the key reader, before the door to the data center opens. Which security concept is being applied in this situation? (D3, L3.1.1) A) Defense in depth B) Segregation of duties C) Least privilege D) Dual control
D is correct. This is an example of dual control, where two people, each with distinct authentication factors, must be present to perform a function. A is incorrect; defense in depth requires multiple controls protecting assets—there is no description of multiple controls in this situation. B is incorrect; in segregation of duties, the parts of a given transaction are split among multiple people, and the task cannot be completed unless each of them takes part. Typically, in segregation of duties, the people involved do not have to take part simultaneously; their actions can be spread over time and distance. This differs from dual control, where both people must be present at the same time. C is incorrect; the situation described in the question does not reduce the permissions of either person involved or limit their capabilities to their job function.
Prachi works as a database administrator for Triffid, Inc. Prachi is allowed to add or delete users, but is not allowed to read or modify the data in the database itself. When Prachi logs onto the system, an access control list (ACL) checks to determine which permissions Prachi has. Which security concept is being applied in this situation? (D3, L3.1.1) A) Defense in depth B) Layered defense C) Two-person integrity D) Least privilege
D is correct. This is an example of least privilege; Prachi needs to be able to add or delete users from the database in order to perform as a database administrator, but does not need to view or modify the data in the database itself in order to perform the job. A and B are incorrect; "defense in depth" and "layered defense" are two terms that mean the same thing: multiple (and multiple types of) overlapping controls to protect assets. Nothing in the question describes multiple controls. C is incorrect; no second person is involved in Prachi's activity.
Which of the following are not typically involved in incident detection? (D2, L2.1.1) A) Users B) Security analysts C) Automated tools D) Regulators
D is correct. Typically, regulators do not detect incidents, nor alert organizations to the existence of incidents. All the other answers are often involved in incident detection.
Which of the following is not an appropriate control to add to privileged accounts? (D3, L3.1.1) A) Increased logging B) Multifactor authentication C) Increased auditing D) Security deposit
D is correct. We typically do not ask privileged account holders for security deposits. A, B, and C are incorrect; those are appropriate controls to enact for privileged accounts.
Log data should be kept ______. (D5.1, L5.1.2) A) On the device that the log data was captured from B) In an underground bunker C) In airtight containers D) On a device other than where it was captured
D is the correct answer. Log data can often be useful in diagnosing or investigating the device it was captured from; it is therefore useful to store the data away from the device where it was harvested, in case something happens to the source device. A is incorrect; if something happens to the source machine, the log data may be affected if it is stored on the source. B is incorrect; log data may be stored underground, aboveground, underwater, in the sky, or in orbit, as long as it is stored securely. C is incorrect; airtight seals do not affect log data positively or negatively.
A tool that inspects outbound traffic to reduce potential threats. (D4.2 L4.2.3) A) NIDS (network-based intrusion-detection systems) B) Anti-malware C) DLP (data loss prevention) D) Firewall
DLP solutions typically inspect outbound communications traffic to check for unauthorized exfiltration of sensitive/valuable information. C is correct. A, B and D are incorrect; these solutions are not typically suited to inspect outbound traffic.
Inbound traffic from an external source seems to indicate much higher rates of communication than normal, to the point where the internal systems might be overwhelmed. Which security solution can often identify and potentially counter this risk? (D4.2 L4.2.2) A) Firewall B) Turnstile C) Anti-malware D) Badge system
Firewalls can often identify hostile inbound traffic, and potentially counter it. A is the correct answer. B and D are incorrect; these are physical controls and aren't effective in identifying/countering communications attacks. C is incorrect; anti-malware is not typically useful in countering attacks that employ excess traffic as an attack mechanism.
A tool that filters inbound traffic to reduce potential threats. (D4.2 L4.2.3) A) NIDS (network-based intrusion-detection systems) B) Anti-malware C) DLP (data loss prevention) D) Firewall
Firewalls typically filter traffic originating from outside the organization's IT environment. D is the correct answer. A is incorrect; NIDS typically monitor traffic within the production environment. B is incorrect; anti-malware solutions typically identify hostile software. C is incorrect; DLP solutions typically monitor outbound traffic.
The common term for systems that ensure proper temperature and humidity in the data center. (D4.3 L4.3.1) A) RBAC B) HVAC C) MAC
HVAC stands for "heating, ventilation and air conditioning," and is a common industry term. B is correct. A is incorrect; RBAC is an access control model. C is incorrect; MAC is the physical address of an IT device.
The output of any given hashing algorithm is always _____. (D5.1, L5.1.3) A) The same length B) The same characters C) The same language D) Different for the same inputs
Hashing algorithms produce output of a fixed length for a given algorithm (for example, SHA-256 always yields 256 bits, usually shown as 64 hexadecimal characters), regardless of the size of the input. A is the correct answer. B is incorrect; the output changes whenever the input changes. C is incorrect; hash output is not text in any language, it is a string of bits, usually displayed as hexadecimal digits. D is incorrect; hashing is deterministic, so the same input always produces the same output.
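The three properties behind this answer (fixed output length, determinism, and a completely different digest for a slightly different input) can be checked directly. The script below is an added example, not part of the ISC2 assessment; it uses only Python's standard hashlib module, and the sample inputs are constructed for the demonstration.

```python
"""Added example, not part of the ISC2 assessment: properties of hash output.

Uses only the Python standard library (hashlib). Sample inputs are constructed.
"""
import hashlib


def digest_hex(data: bytes, algorithm: str = "sha256") -> str:
    """Return the digest of `data` as a hexadecimal string."""
    return hashlib.new(algorithm, data).hexdigest()


def digest_lengths(inputs, algorithm: str = "sha256") -> set:
    """Return the set of digest lengths (in hex characters) seen over `inputs`.

    The output length of a hash function is fixed for a given algorithm, so
    the set has exactly one element no matter how long or short the inputs are.
    """
    return {len(digest_hex(data, algorithm)) for data in inputs}


def is_deterministic(data: bytes, algorithm: str = "sha256") -> bool:
    """Hashing the same input twice must give the same digest."""
    return digest_hex(data, algorithm) == digest_hex(data, algorithm)


def differing_positions(a: bytes, b: bytes, algorithm: str = "sha256") -> int:
    """Count hex positions where the digests of `a` and `b` differ.

    Even a one-character change in the input changes a large fraction of the
    digest (the avalanche effect), so the output characters are never "the same".
    """
    da, db = digest_hex(a, algorithm), digest_hex(b, algorithm)
    return sum(1 for x, y in zip(da, db) if x != y)


if __name__ == "__main__":
    samples = [b"", b"a", b"Triffid, Inc.", b"x" * 100_000]  # constructed inputs
    for algorithm in ("sha1", "sha256", "sha512"):
        print(algorithm, "digest lengths over all samples:", digest_lengths(samples, algorithm))
    print("deterministic:", is_deterministic(b"Sensitive"))
    print("hex chars differing between 'Sensitive' and 'sensitive':",
          differing_positions(b"Sensitive", b"sensitive"))
```

Running it shows a single length per algorithm (40, 64 and 128 hex characters for SHA-1, SHA-256 and SHA-512) whether the input is empty or 100,000 bytes, and that changing one letter of the input changes most of the digest.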
Triffid, Inc., has many remote workers who use their own IT devices to process Triffid's information. The Triffid security team wants to deploy some sort of sensor on user devices in order to recognize and identify potential security issues. Which of the following is probably most appropriate for this specific purpose? (D4.2 L4.2.2) A) HIDS (host-based intrusion-detection systems) B) NIDS (network-based intrusion-detection systems) C) LIDS (logistical intrusion-detection systems) D) Firewalls
Host-based intrusion-detection systems are expressly designed for this purpose: a HIDS agent is installed on each endpoint and monitors activity on that machine. A is the correct answer. B is incorrect; a NIDS monitors network traffic, which is impractical for remote workers' devices that are not on the organization's network; a HIDS is better for distributed users and devices. C is incorrect; LIDS is not a standard term within the industry, and is used here only as a distractor. D is incorrect; firewalls limit traffic, and can be used to identify potential threats, but a HIDS is specifically intended for this purpose.
Every document owned by Triffid, Inc., whether hardcopy or electronic, has a clear, 24-point word at the top and bottom. Only three words can be used: "Sensitive," "Proprietary" and "Public." This is an example of _____. (D5.1, L5.1.1) A) Secrecy B) Privacy C) Inverting D) Labeling
Labeling is the practice of annotating assets with classification markings. D is the correct answer. A is incorrect; "secrecy" is too broad a term in this context, and not accurate—the markings are visible. B is incorrect; privacy is associated with information that identifies a specific person (or specific people). C is incorrect; this term has no meaning in this context, and is used here only as a distractor.
Security controls on log data should reflect ________. (D5.1, L5.1.2) A) The organization's commitment to customer service B) The local culture where the log data is stored C) The price of the storage device D) The sensitivity of the source device
Log data should be protected at a level at least as high as that of the systems or devices it was captured from, because logs frequently contain the same sensitive details (user names, addresses, transaction data) as the source. D is the correct answer. A, B and C are incorrect; none of these dictates the level of protection required for log data.
Which of the following would be considered a logical access control? (D3, L3.3.1) A) An iris reader that allows an employee to enter a controlled area B) A fingerprint reader that allows an employee to enter a controlled area C) A fingerprint reader that allows an employee to access a laptop computer D) A chain attached to a laptop computer that connects it to furniture so it cannot be taken
Logical (technical) access controls restrict access to systems and data through software or hardware mechanisms, such as authenticating to a laptop. C is the correct answer. A, B and D are all physical controls, as they limit physical access to areas and assets; note that the same biometric reader counts as a logical control only when it gates access to a system rather than a room.
Who dictates policy? (D5.3, L5.3.1) A) The security manager B) The Human Resources office C) Senior management D) Auditors
Only senior management has the legal and financial authority to issue policy and accept risk on behalf of the organization. C is the correct answer. A, B and D are incorrect; only senior management can issue policy.
A tool that aggregates log data from multiple sources, and typically analyzes it and reports potential threats. (D4.2 L4.2.2) A) HIDS B) Anti-malware C) Router D) SIEM
SIEM (security information and event management) solutions, and the older SEM/SIM products, are designed specifically for this purpose: collecting logs from many sources, normalizing them into a common format, and correlating events across sources to surface threats that no single source reveals on its own. D is the correct answer. A and C are incorrect; a HIDS and a router are each a single source of log data, not an aggregator. B is incorrect; anti-malware does not typically gather log data from multiple sources.
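The value of aggregation is easiest to see with data. The script below is an added example, not part of the ISC2 assessment and not the code of any SIEM product: it takes constructed log lines from two sources with different formats (an SSH server and a VPN gateway, both invented for this example), normalizes them into one event schema, and raises an alert only when failed logins for one account, counted across both sources, cross a threshold within a time window. Each source alone shows two failures, which a per-device threshold of four would never catch.

```python
"""Added example, not part of the ISC2 assessment: a minimal SIEM-style pipeline.

Log lines from two sources with different formats are collected, normalized
into one event schema, and correlated to report a threat that neither source
shows on its own. The log lines and their formats are constructed for this
example and do not come from any real product.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs: an SSH server and a VPN gateway, different formats.
AUTH_SERVER_LOG = """\
2024-05-01T09:00:01 auth-srv sshd: Failed password for suvid from 203.0.113.5
2024-05-01T09:00:04 auth-srv sshd: Failed password for suvid from 203.0.113.5
2024-05-01T09:00:09 auth-srv sshd: Accepted password for trina from 198.51.100.7
"""

VPN_GATEWAY_LOG = """\
May  1 09:00:06 vpn-gw vpn: user=suvid src=203.0.113.5 result=FAIL
May  1 09:00:12 vpn-gw vpn: user=suvid src=203.0.113.5 result=FAIL
May  1 09:00:20 vpn-gw vpn: user=doug src=192.0.2.9 result=OK
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)
VPN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) vpn: "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$"
)


def parse_auth_server(text: str) -> list:
    """Normalize the SSH-style lines into the common event schema."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            events.append({
                "time": datetime.fromisoformat(m["ts"]),
                "source": m["host"],
                "user": m["user"],
                "src_ip": m["src"],
                "outcome": "failure" if m["result"] == "Failed" else "success",
            })
    return events


def parse_vpn_gateway(text: str, year: int = 2024) -> list:
    """Normalize the syslog-style VPN lines; syslog omits the year, so it is supplied."""
    events = []
    for line in text.splitlines():
        m = VPN_RE.match(line)
        if m:
            events.append({
                "time": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
                "source": m["host"],
                "user": m["user"],
                "src_ip": m["src"],
                "outcome": "failure" if m["result"] == "FAIL" else "success",
            })
    return events


def correlate_failed_logins(events: list, threshold: int = 4,
                            window: timedelta = timedelta(minutes=5)) -> list:
    """Alert when one account accumulates `threshold` failures, counted across
    all sources, inside a sliding time window."""
    failures = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if e["outcome"] == "failure":
            failures[e["user"]].append(e)
    alerts = []
    for user, fails in failures.items():
        start = 0
        for end in range(len(fails)):
            while fails[end]["time"] - fails[start]["time"] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits = fails[start:end + 1]
                alerts.append({
                    "user": user,
                    "count": len(hits),
                    "sources": sorted({h["source"] for h in hits}),
                    "src_ips": sorted({h["src_ip"] for h in hits}),
                    "first": hits[0]["time"],
                    "last": hits[-1]["time"],
                })
                break  # one alert per user is enough for the demonstration
    return alerts


if __name__ == "__main__":
    all_events = parse_auth_server(AUTH_SERVER_LOG) + parse_vpn_gateway(VPN_GATEWAY_LOG)
    for alert in correlate_failed_logins(all_events):
        print(f"ALERT: {alert['count']} failed logins for {alert['user']} "
              f"between {alert['first']:%H:%M:%S} and {alert['last']:%H:%M:%S} "
              f"from {alert['src_ips']} via {alert['sources']}")
```

Normalizing to a shared schema (time, source, user, source IP, outcome) before correlating is the step that makes cross-source rules possible; it is also where real deployments spend most of their effort, since every product logs in its own format.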
Gary is an attacker. Gary is able to get access to the communication wire between Dauphine's machine and Linda's machine and can then surveil the traffic between the two when they're communicating. What kind of attack is this? (D4.2 L4.2.1) A) Side channel B) DDOS C) On-path D) Physical
This is a textbook example of an on-path attack, where the attacker sits between the communicating parties and can observe (and potentially alter) their traffic. C is the correct answer. A is incorrect; a side-channel attack infers secrets from indirect observations of a system's operation (timing, power consumption, electromagnetic emissions and so forth) rather than from the communicated data itself. B is incorrect; a DDOS attack involves multiple machines flooding the target to overwhelm it; Gary is neither disrupting the target nor using multiple devices in the attack. D is incorrect; a physical attack involves tangible materials. An example of a physical attack would be Gary cutting the wire between Linda and Dauphine, so that they could not communicate.
Tekila works for a government agency. All data in the agency is assigned a particular sensitivity level, called a "classification." Every person in the agency is assigned a "clearance" level, which determines the classification of data each person can access. What is the access control model being implemented in Tekila's agency? (D3, L3.3.1) A) MAC (mandatory access control) B) DAC (discretionary access control) C) RBAC (role-based access control) D) FAC (formal access control)
This is an example of how MAC is implemented: labels (clearances and classifications) are assigned centrally, and neither the user nor the data owner can override them. A is the correct answer. B is incorrect; in discretionary access control, the owner of each asset (often an operational manager) decides which personnel may access it, rather than a centrally enforced labeling scheme. C is incorrect; in RBAC, access is derived from job roles, and personnel need not have clearance levels nor assets classifications. D is incorrect; FAC is not a term used in this context, and is only included here as a distractor.
Suvid works at Triffid, Inc. When Suvid attempts to log in to the production environment, a message appears stating that Suvid has to reset the password. What may have occurred to cause this? (D3, L3.3.1) A) Suvid broke the law B) Suvid's password has expired C) Suvid made the manager angry D) Someone hacked Suvid's machine
Typically, users are required to reset passwords when the password has reached a certain age; a password that is never changed remains usable indefinitely if it is ever compromised or revealed. B is the correct answer. A, C and D are incorrect; these are not likely reasons for a system to require a password reset.
Trina and Doug both work at Triffid, Inc. Doug is having trouble logging into the network. Trina offers to log in for Doug, using Trina's credentials, so that Doug can get some work done. What is the problem with this? (D3, L3.3.1) A) Doug is a bad person B) If Trina logs in for Doug, then Doug will never be encouraged to remember credentials without assistance C) Anything either of them do will be attributed to Trina D) It is against the law
If two users are sharing one set of credentials, then the actions of both users will be attributed to that single account; the organization will be unable to discern exactly who performed which action, which can be troublesome if either user does something negligent or wrong. C is the correct answer. A is incorrect; we don't know enough about Doug from the question. B is incorrect; while true, getting Doug to remember credentials shouldn't be the priority of the situation. D is incorrect; regardless of whether sharing credentials is against the law (and it might or might not be, depending on the jurisdiction), the important point is that both users' actions must be distinct.
______ is used to ensure that configuration management activities are effective and enforced. (D5.2, L5.2.1) A) Inventory B) Baseline C) Identification D) Verification and audit
Verification and audit are methods we use to review the IT environment to ensure that configuration management activities have taken place and are achieving their intended purpose. D is the correct answer. A, B and C are incorrect; while these are terms related to configuration management, the answer is verification and audit.
Which type of fire-suppression system is typically the least expensive? (D4.3 L4.3.1) A) Water B) Dirt C) Oxygen-depletion D) Gaseous
Water is typically the least expensive type of fire-suppression system, as water is plentiful and cheap and sprinkler piping is comparatively simple. A is correct. B is incorrect; dirt is only used on outdoor fires such as wildfires, not in a data center. C and D are incorrect; gaseous and oxygen-depletion systems are chosen where water would damage equipment, but they are much more expensive than water-based systems.
Gelbi is a Technical Support analyst for Triffid, Inc. Gelbi sometimes is required to install or remove software. Which of the following could be used to describe Gelbi's account? (D3, L3.1.1) A) Privileged B) Internal C) External D) User
A is correct. This is the description of a privileged account: an account that needs greater permissions (here, installing and removing software) than a basic user account. B and C are incorrect; the question does not specify whether Gelbi connects to the environment from within the network or from outside. D is incorrect; this is too vague. Gelbi is a user, but holds permissions beyond what basic users have.
Which of the following is likely to be included in the business continuity plan? (D2, L2.2.1) A) Alternate work areas for personnel affected by a natural disaster B) The organization's strategic security approach C) Last year's budget information D) Log data from all systems
A is correct. The business continuity plan should include provisions for alternate work sites, if the primary site is affected by an interruption, such as a natural disaster. B is incorrect; the organization's strategic security approach should be included in the organization's security policy. C is incorrect; budgetary information is not typically included in the business continuity plan. D is incorrect; log data is not typically included in the business continuity plan.
What is the overall objective of a disaster recovery (DR) effort? (D2, L2.3.1) A) Save money B) Return to normal, full operations C) Preserve critical business functions during a disaster D) Enhance public perception of the organization
B is correct. DR efforts are intended to return the organization to normal, full operations. A is incorrect; DR is often quite expensive, and not a cost-saving measure. C is incorrect; this is the goal of business continuity (BC) efforts. D is incorrect; DR efforts are intended to return the organization to normal, full operations, not enhance public perception.
Tina is an ISC2 member and is invited to join an online group of IT security enthusiasts. After attending a few online sessions, Tina learns that some participants in the group are sharing malware with each other, in order to use it against other organizations online. What should Tina do? (D1, L1.5.1) A) Nothing B) Stop participating in the group C) Report the group to law enforcement D) Report the group to ISC2
B is the best answer. The ISC2 Code of Ethics requires that members "protect society, the common good, necessary public trust and confidence, and the infrastructure"; this would include a prohibition against disseminating and deploying malware for offensive purposes. However, the Code does not make ISC2 members into law enforcement officers; there is no requirement to get involved in legal matters beyond the scope of personal responsibility. Tina should stop participating in the group, and perhaps (for Tina's own protection) document when participation started and stopped, but no other action is necessary on Tina's part.
Triffid, Inc., has deployed anti-malware solutions across its internal IT environment. What is an additional task necessary to ensure this control will function properly? (D4.2 L4.2.3) A) Pay all employees a bonus for allowing anti-malware solutions to be run on their systems B) Update the anti-malware solution regularly C) Install a monitoring solution to check the anti-malware solution D) Alert the public that this protective measure has been taken
B is the correct answer. Anti-malware solutions rely largely on signatures (and heuristics) for known malware; without regular updates they cannot recognize newly released malware and lose their efficacy. A, C and D are incorrect; these measures will not aid the effectiveness of anti-malware solutions.
One of the benefits of computer-based training (CBT): (D5.4, L5.4.1) A) Expensive B) Scalable C) Personal interaction with instructor D) Interacting with other participants
B is the correct answer. CBT is highly scalable, because the same material can be delivered uniformly to any number of users at little additional cost. A, C and D are incorrect; CBT is comparatively inexpensive and, by its nature, lacks live interaction with an instructor or with other participants.
The senior leadership of Triffid Corporation decides that the best way to minimize liability for the company is to demonstrate the company's commitment to adopting best practices recognized throughout the industry. Triffid management issues a document that explains that Triffid will follow the best practices published by SANS, an industry body that addresses computer and information security. The Triffid document is a ______, and the SANS documents are ________. (D1, L1.4.2) A) Law, policy B) Policy, standard C) Policy, law D) Procedure, procedure
B is the correct answer. The Triffid document is a strategic, internal rule published by senior management; this is a policy. The SANS documents are industry best practices recognized globally; these are standards. A and C are incorrect, because neither document was issued by a governmental body, so they are not laws. D is incorrect because neither document is a detailed set of instructions, so they are not procedures.
Cyril wants to ensure all the devices on his company's internal IT environment are properly synchronized. Which of the following protocols would aid in this effort? (D4, L4.1.2) A) FTP (File Transfer Protocol) B) NTP (Network Time Protocol) C) SMTP (Simple Mail Transfer Protocol) D) HTTP (Hypertext Transfer Protocol)
B is the correct answer; this is the purpose of NTP. A, C and D are incorrect; these do not serve the purpose of synchronization.
The city of Grampon wants to ensure that all of its citizens are protected from malware, so the city council creates a rule that anyone caught creating and launching malware within the city limits will receive a fine and go to jail. What kind of rule is this? (D1, L1.4.1) A) Policy B) Procedure C) Standard D) Law
D is correct. The city council is a governmental body making a legal mandate; this is a law. A is incorrect; the rule is not a policy used by a specific organization, but instead applies to anyone within the jurisdiction of the Grampon city council. B is incorrect; this rule is not a process to follow. C is incorrect; a standard is an agreed-upon best practice or specification, not a mandate enforced by fines and imprisonment within a jurisdiction.
Handel is a senior manager at Triffid, Inc., and is in charge of implementing a new access control scheme for the company. Handel wants to ensure that employees transferring from one department to another, getting promoted, or cross-training to new positions can get access to the different assets they'll need for their new positions, in the most efficient manner. Which method should Handel select? (D3, L3.3.1) A) Role-based access controls (RBAC) B) Mandatory access controls (MAC) C) Discretionary access controls (DAC) D) Barbed wire
RBAC is the most efficient way to assign permissions to users based on their job duties: a transfer, promotion or cross-training is handled by changing the user's role assignments, and the permissions follow. A is the correct answer. B and C are incorrect; MAC ties access to clearance and classification labels, and DAC requires each asset owner to grant access individually, so neither lets a job change be handled by a single role reassignment. D is incorrect; barbed wire is a physical control, and won't be useful in this context.
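The efficiency argument is clearest when the transfer is a single operation. The code below is an added example, not part of the ISC2 assessment: the roles, permissions and user names are constructed for illustration, and the "resource:action" permission format is an assumption of this example rather than any product's convention.

```python
"""Added example, not part of the ISC2 assessment: role-based access control.

Permissions attach to roles, users are assigned roles, and a transfer or
promotion is handled by changing the user's role assignments rather than by
editing permissions on each asset. Roles, permissions and users are constructed
for illustration; the "resource:action" permission format is an assumption.
"""

# Constructed role -> permission mapping.
ROLE_PERMISSIONS = {
    "employee": {"intranet:read", "email:use"},  # baseline role everyone holds
    "accounting": {"ledger:read", "ledger:write", "payroll:read"},
    "engineering": {"repo:read", "repo:write", "build:run"},
    "helpdesk": {"tickets:read", "tickets:write", "software:install", "software:remove"},
}


class RbacPolicy:
    """Minimal RBAC: user -> roles, role -> permissions; a user's effective
    permissions are the union over all assigned roles."""

    def __init__(self, role_permissions: dict):
        self.role_permissions = {r: set(p) for r, p in role_permissions.items()}
        self.user_roles = {}

    def assign_role(self, user: str, role: str) -> None:
        if role not in self.role_permissions:
            raise ValueError(f"unknown role: {role}")
        self.user_roles.setdefault(user, set()).add(role)

    def revoke_role(self, user: str, role: str) -> None:
        self.user_roles.get(user, set()).discard(role)

    def transfer(self, user: str, from_role: str, to_role: str) -> None:
        """Department transfer: one operation revokes every permission of the
        old role and grants every permission of the new one, with no change
        to any individual asset."""
        self.revoke_role(user, from_role)
        self.assign_role(user, to_role)

    def permissions(self, user: str) -> set:
        roles = self.user_roles.get(user, set())
        return set().union(*(self.role_permissions[r] for r in roles))

    def is_allowed(self, user: str, permission: str) -> bool:
        return permission in self.permissions(user)


def build_demo_policy() -> RbacPolicy:
    """Constructed scenario: a user moves from accounting to engineering."""
    policy = RbacPolicy(ROLE_PERMISSIONS)
    policy.assign_role("pritha", "employee")
    policy.assign_role("pritha", "accounting")
    policy.transfer("pritha", "accounting", "engineering")
    # Cross-training: add a second job role without touching the first.
    policy.assign_role("pritha", "helpdesk")
    return policy


if __name__ == "__main__":
    p = build_demo_policy()
    print("roles:", sorted(p.user_roles["pritha"]))
    print("permissions:", sorted(p.permissions("pritha")))
    print("can write ledger:", p.is_allowed("pritha", "ledger:write"))   # False after transfer
    print("can write repo:", p.is_allowed("pritha", "repo:write"))       # True after transfer
```

Because the ledger permissions are revoked as a side effect of the transfer, RBAC also closes the common audit finding of users who carry forward access from previous positions.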
When Pritha started working for Triffid, Inc., Pritha had to sign a policy that described how Pritha would be allowed to use Triffid's IT equipment. What policy was this? (D5.3, L5.3.1) A) The organizational security policy B) The acceptable use policy (AUP) C) The bring-your-own-device (BYOD) policy D) The workplace attire policy
The AUP describes how users will be permitted to use the organization's IT assets. B is the correct answer. A, C and D are incorrect; while these are all common policies, they do not serve the same function as the AUP.
The organization should keep a copy of every signed Acceptable Use Policy (AUP) on file, and issue a copy to _______. (D5.3, L5.3.1) A) The user who signed it B) The regulators overseeing that industry C) Lawmakers D) The Public Relations office
The AUP is an agreement between the user and the organization, so both parties need to keep a copy of it. A is the correct answer. B, C and D are incorrect; those entities are not party to the agreement, and should therefore not receive a copy.
The logical address of a device connected to the network or Internet. (D4.1 L4.1.1) A) Media access control (MAC) address B) Internet Protocol (IP) address C) Geophysical address D) Terminal address
The IP address is the logical address assigned to a device connected to a network or the Internet; it can be reassigned or changed as the device moves between networks. B is the correct answer. A is incorrect; the MAC address is the hardware (physical) address of a device's network interface. C is incorrect; a geophysical address is typically the postal address assigned to a building, not an IT device. D is incorrect; "terminal address" has no meaning in this context, and is only used here as a distractor.