CISSP All in One Appendix A
Johnetta is a security engineer at a company that develops highly confidential products for various government agencies. Her company has VPNs set up to protect traffic that travels over the Internet and other nontrusted networks, but she knows that internal traffic should also be protected. Which of the following is the best type of approach Johnetta's company should take?
A. Implement a data link technology that provides 802.1AE security functionality.
B. Implement a network-level technology that provides 802.1AE security functionality.
C. Implement TLS over L2TP.
D. Implement IPSec over L2TP.
A. 802.1AE is the IEEE MAC Security (MACSec) standard, which defines a security infrastructure to provide data confidentiality, data integrity, and data origin authentication. Where a VPN connection provides protection at the higher networking layers, MACSec provides hop-by-hop protection at layer 2.
Sana has been asked to install a cloud access security broker (CASB) product for her company's environment. What is the best description for what CASBs are commonly used for?
A. Monitor end-user behavior and enforce policies across cloud services
B. Provision secure cloud services
C. Enforce access controls to cloud services through X.500 databases
D. Protect cloud services from certain types of attacks
A. A CASB is a system that provides visibility and security controls for cloud services. A CASB monitors what users do in the cloud and applies whatever policies and controls are applicable to that activity.
A __________ is the amount of time it should take to recover from a disaster, and a __________ is the amount of data, measured in time, that can be lost and be tolerable from that same event.
A. recovery time objective, recovery point objective
B. recovery point objective, recovery time objective
C. maximum tolerable downtime, work recovery time
D. work recovery time, maximum tolerable downtime
A. A recovery time objective (RTO) is the amount of time it takes to recover from a disaster, and a recovery point objective (RPO) is the amount of data, measured in time, that can be lost and be tolerable from that same event. The RPO is the acceptable amount of data loss measured in time. This value represents the earliest point in time by which data must be recovered. The higher the value of data, the more funds or other resources that can be put into place to ensure a smaller amount of data is lost in the event of a disaster. RTO is the maximum time period within which a business process must be restored to a designated service level after a disaster to avoid unacceptable consequences associated with a break in business continuity.
John is the new director of software development within his company. Several proprietary applications offer individual services to the employees, but the employees have to log into each and every application independently to gain access to these discrete services. John would like to provide a way that allows each of the services provided by the various applications to be centrally accessed and controlled. Which of the following best describes the architecture that John should deploy?
A. Service-oriented architecture
B. Web services architecture
C. Single sign-on architecture
D. Hierarchical service architecture
A. A service-oriented architecture (SOA) is a way to provide independent services residing on different systems in different business domains in one consistent manner. This architecture is a set of principles and methodologies for designing and developing software in the form of interoperable services.
Uncovering restricted information by using permissible data is referred to as __________.
A. inference
B. data mining
C. perturbation
D. cell suppression
A. Aggregation and inference go hand in hand. For example, a user who uses data from a public database to figure out classified information is exercising aggregation (the collection of data) and can then infer the relationship between that data and the data the user does not have access to. This is called an inference attack.
Use the following scenario to answer Questions 48-49. Francisca is the new manager of the in-house software designers and programmers. She has been telling her team that before design and programming on a new product begins, a formal architecture needs to be developed. She also needs this team to understand security issues as they pertain to software design. Francisca has shown the team how to follow a systematic approach that allows them to understand different ways in which the software products they develop could be compromised by specific threat actors.
Which of the following best describes what an architecture is in the context of this scenario?
A. Tool used to conceptually understand the structure and behavior of a complex entity through different views
B. Formal description and representation of a system and the components that make it up
C. Framework used to create individual architectures with specific views
D. Framework that is necessary to identify needs and meet all of the stakeholder requirements
A. An architecture is a tool used to conceptually understand the structure and behavior of a complex entity through different views. An architecture provides different views of the system, based upon the needs of the stakeholders of that system.
Javad is the security administrator at a credit card processing company. The company has many identity stores, which are not properly synchronized. Javad is going to oversee the process of centralizing and synchronizing the identity data within the company. He has determined that the data in the HR database will be considered the most up-to-date data, which cannot be overwritten by the software in other identity stores during their synchronization processes. Which of the following best describes the role of this database in the identity management structure of the company?
A. Authoritative system of record
B. Infrastructure source server
C. Primary identity store
D. Hierarchical database primary
A. An authoritative system of record (ASOR) is a hierarchical tree-like structure system that tracks subjects and their authorization chains. The authoritative source is the "system of record," or the location where identity information originates and is maintained. It should have the most up-to-date and reliable identity information.
Under the principle of ethical disclosure, information systems security professionals must properly disclose __________ to the appropriate parties.
A. Vulnerabilities
B. Threats
C. Exploits
D. Incidents
A. As information systems security professionals, if we discover a vulnerability, we have an ethical obligation to properly disclose it to the appropriate parties. If the vulnerability is in our own product, we need to notify our customers and partners as soon as possible. If it is in someone else's product, we need to notify the vendor or manufacturer immediately so they can fix it. The goal of ethical disclosure is to inform anyone who might be affected as soon as feasible, so a patch can be developed before any threat actors become aware of the vulnerability.
Which of the following access control mechanisms gives you the most granularity in defining access control policies?
A. Attribute-based access control (ABAC)
B. Role-based access control (RBAC)
C. Mandatory access control (MAC)
D. Discretionary access control (DAC)
A. Attribute-based access control (ABAC) is based on attributes of any component of the system. It is the most granular of the access control models.
Sam wants to test the ability of her technical security controls to stop realistic attacks. Her organization is going through significant growth, which is also increasing the complexity of the networks and systems. To ensure she stays ahead of the adversaries, Sam wants to run these tests frequently. Which approach should she use?
A. Breach and attack simulations
B. Tabletop exercises
C. Red teaming
D. Synthetic transactions
A. Breach and attack simulations (BAS) are automated systems that launch simulated attacks against a target environment and then generate reports on their findings. They are meant to be run regularly (even frequently) and be realistic, but not to cause any adverse effect to the target systems. They are usually a much more affordable approach than red teaming, even if you use an internal team.
Which of the following best describes a technical control for dealing with the risks presented by data remanence?
A. Encryption
B. Data retention policies
C. File deletion
D. Using solid-state drives (SSDs)
A. Data remanence refers to the persistence of data on storage media after it has been deleted. Encrypting this data is the best of the listed choices because the recoverable data will be meaningless to an adversary without the decryption key. Retention policies are important, but are considered administrative controls that don't deal with remanence directly. Simply deleting the file will not normally render the data unrecoverable, nor will the use of SSDs even though these devices will sometimes (though not always) make it difficult to recover the deleted data.
Which of the following statements is true about employee duress?
A. Its risks can be mitigated by installing panic buttons.
B. Its risks can be mitigated by installing panic rooms.
C. Its risks can be mitigated by enforcing forced vacations.
D. It can more easily be detected using the right clipping levels.
A. Duress is the use of threats or violence against someone in order to force them to do something they don't want to do. A popular example of a countermeasure for duress is the use of panic buttons by bank tellers. A panic room could conceivably be another solution, but it would only work if employees are able to get in and lock the door before an assailant can stop them, which makes it a generally poor approach.
Kim is tasked with testing the security of an application but has no access to its source code. Which of the following tests could she use in this scenario?
A. Dynamic application security testing
B. Static application security testing
C. Regression testing
D. Code review
A. Dynamic application security testing (DAST), which is also known as dynamic analysis, refers to the evaluation of a program in real time, while it is running. It is the only one of the answers that is effective for analyzing software without having access to the actual source code.
Applications may not work on systems with specific processors. Which of the following best describes why an application may work on an Intel processor but not on an AMD processor?
A. The application was not compiled to machine language that is compatible with the AMD architecture.
B. It is not possible for the same application to run on both Intel and AMD processors.
C. The application was not compiled to machine language that is compatible with the Windows architecture.
D. Only applications written in high-level languages will work on different processor architectures.
A. Each CPU type has a specific architecture and set of instructions that it can carry out. The application must be developed to work within this CPU architecture and compiled into machine code that can run on it. This is why one application may work on an Intel processor but not on an AMD processor. There are portable applications that can work on multiple architectures and operating systems, but these rely on a runtime environment.
Which of the following has an incorrect definition mapping?
i. Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE): Team-oriented approach that assesses organizational and IT risks through facilitated workshops
ii. Facilitated Risk Analysis Process (FRAP): Stresses prescreening activities so that the risk assessment steps are only carried out on the item(s) that need(s) it the most
iii. ISO/IEC 27005: International standard for the implementation of a risk management program that integrates into an information security management system (ISMS)
iv. Failure Modes and Effect Analysis (FMEA): Approach that dissects a component into its basic functions to identify flaws and those flaws' effects
v. Fault tree analysis: Approach to map specific flaws to root causes in complex systems
A. None of them
B. ii
C. iii, iv
D. v
A. Each answer lists the correct definition mapping.
Which of the following is not descriptive of an edge computing architecture?
A. It eliminates the need for cloud infrastructure.
B. Processing and storage assets are close to where they're needed.
C. It reduces latency and network traffic.
D. It typically has three layers.
A. Edge computing is a distributed system in which some computational and data storage assets are deployed close to where they are needed in order to reduce latency and network traffic. An edge computing architecture typically has three layers: end devices, edge devices, and cloud infrastructure.
Which of the following best describes the difference between hierarchical storage management (HSM) and storage area network (SAN) technologies?
A. HSM uses optical or tape jukeboxes, and SAN is a network of connected storage systems.
B. SAN uses optical or tape jukeboxes, and HSM is a network of connected storage systems.
C. HSM and SAN are one and the same. The difference is in the implementation.
D. HSM uses optical or tape jukeboxes, and SAN is a standard of how to develop and implement this technology.
A. Hierarchical storage management (HSM) provides continuous online backup functionality. It combines hard disk technology with the cheaper and slower optical or tape jukeboxes. Storage area network (SAN) is made up of several storage systems that are connected together to form a single backup network.
Mark works for a large corporation operating in multiple countries worldwide. He is reviewing his company's policies and procedures dealing with data breaches. Which of the following is an issue that he must take into consideration?
A. Each country may or may not have unique notification requirements.
B. All breaches must be announced to affected parties within 24 hours.
C. Breach notification is a "best effort" process and not a guaranteed process.
D. Breach notifications are avoidable if all PII is removed from data stores.
A. Many (but not all) countries have data breach notification requirements, and these vary greatly in their specifics. While some countries have very strict requirements, others have laxer requirements, or lack them altogether. This requires the security professional to ensure compliance in the appropriate territory. Applying the most stringent rules universally (e.g., 24-hour notification) is usually not a good idea from a business perspective. The term "best effort" is not acceptable in countries with strict rules, nor is the notion that personally identifiable information (PII) is the only type of data that would trigger a mandatory notification.
Use the following scenario to answer Questions 141-142. Ron is in charge of updating his company's business continuity and disaster recovery plans and processes. After conducting a business impact analysis, his team has told him that if the company's e-commerce payment gateway was unable to process payments for 24 hours or more, this could drastically affect the survivability of the company. The analysis indicates that after an outage, the payment gateway and payment processing should be restored within 13 hours. Ron's team needs to integrate solutions that provide redundancy, fault tolerance, and failover capability.
In the scenario, what does the 24-hour time period represent and what does the 13-hour time period represent, respectively?
A. Maximum tolerable downtime, recovery time objective
B. Recovery time objective, maximum tolerable downtime
C. Maximum tolerable downtime, recovery data period
D. Recovery time objective, data recovery period
A. Maximum tolerable downtime (MTD) is the outage time that can be endured by an organization, and the recovery time objective (RTO) is an allowable amount of downtime. The RTO value (13 hours) is smaller than the MTD value (24 hours) because the MTD value represents the time after which an inability to recover significant operations will mean severe and perhaps irreparable damage to the organization's reputation or bottom line. The RTO assumes that there is a period of acceptable downtime. This means that a company can be out of production for a certain period of time (RTO) and still get back on its feet. But if the company cannot get production up and running within the MTD window, the company is sinking too fast to properly recover.
Johana needs to ensure that her company's application can accept provisioning data from the company's partner's application in a standardized method. Which of the following best describes the technology that Johana should implement?
A. Service Provisioning Markup Language
B. Extensible Provisioning Markup Language
C. Security Assertion Markup Language
D. Security Provisioning Markup Language
A. The Service Provisioning Markup Language (SPML) allows for the exchange of provisioning data between applications, which could reside in one organization or many. SPML allows for the automation of user management (account creation, amendments, revocation) and access entitlement configuration related to electronically published services across multiple provisioning systems. SPML also allows for the integration and interoperation of service provisioning requests across various platforms.
On a Tuesday morning, Jami is summoned to the office of the security director, where she finds six of her peers from other departments. The security director gives them instructions about an event that will be taking place in two weeks. Each of the individuals will be responsible for removing specific systems from the facility, bringing them to the offsite facility, and implementing them. Each individual will need to test the installed systems and ensure the configurations are correct for production activities. What event is Jami about to take part in?
A. Parallel test
B. Full-interruption test
C. Simulation test
D. Structured walk-through test
A. Parallel tests are similar to simulation tests, except that parallel tests include moving some of the systems to the offsite facility. Simulation tests stop just short of the move. Parallel tests are effective because they ensure that specific systems work at the new location, but the test itself does not interfere with business operations at the main facility.
Which of the following best describes the purpose of the Organisation for Economic Co-operation and Development (OECD)?
A. An international organization where member countries come together and tackle the economic, social, and governance challenges of a globalized economy
B. A national organization that helps different governments come together and tackle the economic, social, and governance challenges of a globalized economy
C. A United Nations body that regulates economic, social, and governance issues of a globalized economy
D. A national organization that helps different organizations come together and tackle the economic, social, and governance challenges of a globalized economy
A. The OECD is an international organization where member countries come together to address economic, social, and governance challenges of a globalized economy. Thus, the OECD came up with guidelines for the various countries to follow so data is properly protected and everyone follows the same type of rules.
The main goal of the Wassenaar Arrangement is to prevent the buildup of military capabilities that could threaten regional and international security and stability. How does this relate to technology?
A. Cryptography is a dual-use tool.
B. Technology is used in weaponry systems.
C. Military actions directly relate to critical infrastructure systems.
D. Critical infrastructure systems can be at risk under this agreement.
A. The Wassenaar Arrangement implements export controls for "Conventional Arms and Dual-Use Goods and Technologies." The main goal of this arrangement is to prevent the buildup of military capabilities that could threaten regional and international security and stability. So, everyone is keeping an eye on each other to make sure no one country's weapons can take everyone else out. One item the agreement deals with is cryptography, which is considered a dual-use good because it can be used for both military and civilian purposes. The agreement recognizes the danger of exporting products with cryptographic functionality to countries that are in the "offensive" column, meaning that they are thought to have friendly ties with terrorist organizations and/or want to take over the world through the use of weapons of mass destruction.
Many enterprise architecture models have been developed over the years for specific purposes. Some of them can be used to provide structure for information security processes and technology to be integrated throughout an organization. Which of the following provides an incorrect mapping between the architecture type and the associated definition?
A. Zachman Framework: Model and methodology for the development of information security enterprise architectures
B. TOGAF: Model and methodology for the development of enterprise architectures developed by The Open Group
C. DoDAF: U.S. Department of Defense architecture framework that ensures interoperability of systems to meet military mission goals
D. SABSA: Framework and methodology for enterprise security architecture and service management
A. The Zachman Framework is for business enterprise architectures, not security enterprises. The proper definition mappings are as follows:
• Zachman Framework: Model for the development of enterprise architectures developed by John Zachman
• TOGAF: Model and methodology for the development of enterprise architectures developed by The Open Group
• DoDAF: U.S. Department of Defense architecture framework that ensures interoperability of systems to meet military mission goals
• SABSA: Model and methodology for the development of information security enterprise architectures
A group of software designers are at a stage in their software development project where they need to reduce the amount of code running, reduce entry points available to untrusted users, reduce privilege levels as much as possible, and eliminate unnecessary services. Which of the following best describes the first step the team needs to carry out to accomplish these tasks?
A. Attack surface analysis
B. Software development life cycle
C. Risk assessment
D. Unit testing
A. The aim of an attack surface analysis is to identify and reduce the amount of code accessible to untrusted users. The basic strategies of attack surface reduction are to reduce the amount of code running, reduce entry points available to untrusted users, reduce privilege levels as much as possible, and eliminate unnecessary services. Attack surface analysis is generally carried out through specialized tools to enumerate different parts of a product and aggregate their findings into a numerical value. Attack surface analyzers scrutinize files, registry keys, memory data, session information, processes, and services details.
Which world legal system is used in continental European countries, such as France and Spain, and is rule-based law, not precedent-based?
A. Civil (code) law system
B. Common law system
C. Customary law system
D. Mixed law system
A. The civil (code) law system is used in continental European countries such as France and Spain. It is a different legal system from the common law system used in the United Kingdom and United States. A civil law system is rule-based law, not precedent-based. For the most part, a civil law system is focused on codified law—or written laws.
When conducting a quantitative risk analysis, items are gathered and assigned numeric values so that cost/benefit analysis can be carried out. Which of the following formulas could be used to understand the value of a safeguard?
A. (ALE before implementing safeguard) - (ALE after implementing safeguard) - (annual cost of safeguard) = value of safeguard to the organization
B. (ALE before implementing safeguard) - (ALE during implementing safeguard) - (annual cost of safeguard) = value of safeguard to the organization
C. (ALE before implementing safeguard) - (ALE while implementing safeguard) - (annual cost of safeguard) = value of safeguard to the organization
D. (ALE before implementing safeguard) - (ALE after implementing safeguard) - (annual cost of asset) = value of safeguard to the organization
A. The correct answer for cost/benefit analysis is the formula: (ALE before implementing safeguard) - (ALE after implementing safeguard) - (annual cost of safeguard) = value of safeguard to the organization.
What is the purpose of the Logical Link Control (LLC) layer in the OSI model?
A. Provides a standard interface for the network layer protocol
B. Provides the framing functionality of the data link layer
C. Provides addressing of the packet during encapsulation
D. Provides the functionality of converting bits into electrical signals
A. The data link layer has two sublayers: the Logical Link Control (LLC) and Media Access Control (MAC) layers. The LLC sublayer provides a standard interface for whatever network protocol is being used. This provides an abstraction layer so that the network protocol does not need to be programmed to communicate with all of the possible MAC-level protocols (Ethernet, WLAN, frame relay, etc.).
A company needs to implement a CCTV system that will monitor a large area of the facility. Which of the following is the correct lens combination for this?
A. A wide-angle lens and a small lens opening
B. A wide-angle lens and a large lens opening
C. A wide-angle lens and a large lens opening with a small focal length
D. A wide-angle lens and a large lens opening with a large focal length
A. The depth of field refers to the portion of the environment that is in focus when shown on the monitor. The depth of field varies, depending upon the size of the lens opening, the distance of the object being focused on, and the focal length of the lens. The depth of field increases as the size of the lens opening decreases, the subject distance increases, or the focal length of the lens decreases. So if you want to cover a large area and not focus on specific items, it is best to use a wide-angle lens and a small lens opening.
All of the following are weaknesses of Kerberos except which one?
A. Principals don't trust each other.
B. Only the KDC can vouch for individuals' identities and entitlements.
C. Secret keys are stored on the users' workstations temporarily.
D. Susceptibility to password guessing and brute-force attacks.
A. The primary reason to use Kerberos is that the principals do not trust each other enough to communicate directly; they only trust the Key Distribution Center (KDC). This is a strength, not a weakness, of the system, but it does point to the fact that if only the KDC can vouch for identities, this creates a single point of failure. The fact that secret keys are stored on users' workstations, albeit temporarily, presents an attack opportunity for threat actors, who can also perform password attacks on the system.
Proper access control requires a structured user provisioning process. Which of the following best describes user provisioning?
A. The creation, maintenance, and deactivation of user objects and attributes as they exist in one or more systems, directories, or applications, in response to business processes
B. The creation, maintenance, activation, and delegation of user objects and attributes as they exist in one or more systems, directories, or applications, in response to compliance processes
C. The maintenance of user objects and attributes as they exist in one or more systems, directories, or applications, in response to business processes
D. The creation and deactivation of user objects and attributes as they exist in one or more systems, directories, or applications, in response to business processes
A. User provisioning refers to the creation, maintenance, and deactivation of user objects and attributes as they exist in one or more systems, directories, or applications, in response to business processes.
In the structure of Extensible Access Control Markup Language (XACML), a Subject element is the __________, a Resource element is the __________, and an Action element is the __________.
A. requesting entity, requested entity, types of access
B. requested entity, requesting entity, types of access
C. requesting entity, requested entity, access control
D. requested entity, requesting entity, access control
A. XACML uses a Subject element (requesting entity), a Resource element (requested entity), and an Action element (types of access). XACML defines a declarative access control policy language implemented in XML.
What is Extensible Markup Language (XML) and why was it created?
A. A specification that provides a structure for creating other markup languages and still allow for interoperability
B. A specification that is used to create static and dynamic websites
C. A specification that outlines a detailed markup language dictating all formats of all companies that use it
D. A specification that does not allow for interoperability for the sake of security
A. XML is a universal and foundational standard that provides a structure for other independent markup languages to be built from and still allow for interoperability. Markup languages with various functionalities were built from XML, and while each language provides its own individual functionality, if they all follow the core rules of XML, then they are interoperable and can be used across different web-based applications and platforms.
If the annualized loss expectancy (ALE) for a specific asset is $100,000, and after implementation of a control to safeguard the asset the new ALE is $45,000 and the annual cost of the control is $30,000, should the company implement this control?
A. Yes
B. No
C. Not enough information
D. Depends on the annualized rate of occurrence (ARO)
A. Yes, the company should implement the control, as the value would be $25,000. The cost/benefit calculation is (ALE before implementing safeguard) - (ALE after implementing safeguard) - (annual cost of safeguard) = value of safeguard to the organization, which in this case is $100,000 - $45,000 - $30,000 = $25,000.
A(n) __________ is the graphical representation of data commonly used on websites. It is a skewed representation of characteristics a person must enter to prove that the subject is a human and not an automated tool, as in a software robot.
A. anti-spoofing symbol
B. CAPTCHA
C. spam anti-spoofing symbol
D. CAPCHAT
B. A CAPTCHA is a skewed representation of characteristics a person must enter to prove that the subject is a human and not an automated tool, as in a software robot. It is the graphical representation of data.
What is the name of a water sprinkler system that keeps pipes empty and doesn't release water until a certain temperature is met and a "delay mechanism" is instituted?
A. Wet
B. Preaction
C. Delayed
D. Dry
B. In a preaction system, a link must melt before the water will pass through the sprinkler heads, which creates the delay in water release. This type of suppression system is best in data-processing environments because it allows time to deactivate the system if there is a false alarm.
There are different types of fire suppression systems. Which of the following answers best describes the difference between a deluge system and a preaction system?
A. A deluge system provides a delaying mechanism that allows someone to deactivate the system in case of a false alarm or if the fire can be extinguished by other means. A preaction system provides similar functionality but has wide open sprinkler heads that allow a lot of water to be dispersed quickly.
B. A preaction system provides a delaying mechanism that allows someone to deactivate the system in case of a false alarm or if the fire can be extinguished by other means. A deluge system has wide open sprinkler heads that allow a lot of water to be dispersed quickly.
C. A dry pipe system provides a delaying mechanism that allows someone to deactivate the system in case of a false alarm or if the fire can be extinguished by other means. A deluge system has wide open sprinkler heads that allow a lot of water to be dispersed quickly.
D. A preaction system provides a delaying mechanism that allows someone to deactivate the system in case of a false alarm or if the fire can be extinguished by other means. A deluge system provides similar functionality but has wide open sprinkler heads that allow a lot of water to be dispersed quickly.
B. A preaction system has a link that must melt before water is released. This is the mechanism that provides the delay in water release. A deluge system has wide open sprinkler heads that allow a lot of water to be released quickly. It does not have a delaying component.
Which access control policy is based on the necessary operations and tasks users need to fulfill their responsibilities within an organization and allows for implicit permission inheritance using a nondiscretionary model? A. Rule-based B. Role-based C. Identity-based D. Mandatory
B. A role-based access control (RBAC) model is based on the necessary operations and tasks a user needs to carry out to fulfill her responsibilities within an organization. This type of model lets access to resources be based on the user's roles. In hierarchical RBAC, role hierarchies define an inheritance relation among roles.
The confidentiality of sensitive data is protected in different ways depending on the state of the data. Which of the following is the best approach to protecting data in transit? A. SSL B. VPN C. IEEE 802.1X D. Whole-disk encryption
B. A virtual private network (VPN) provides confidentiality for data being exchanged between two endpoints. While the use of VPNs may not be sufficient in every case, it is the only answer among those provided that addresses the question. The use of Secure Sockets Layer (SSL) is not considered secure. IEEE 802.1X is an authentication protocol that does not protect data in transit. Finally, whole-disk encryption may be a good approach to protecting sensitive data, but only while it is at rest.
Jane is suspicious that an employee is sending sensitive data to one of the company's competitors but is unable to confirm this. The employee has to use this data for daily activities, thus it is difficult to properly restrict the employee's access rights. In this scenario, which best describes the company's vulnerability, threat, risk, and necessary control? A. Vulnerability is employee access rights, threat is internal entities misusing privileged access, risk is the business impact of data loss, and the necessary control is detailed network traffic monitoring. B. Vulnerability is lack of user monitoring, threat is internal entities misusing privileged access, risk is the business impact of data loss, and the necessary control is detailed user activity logs. C. Vulnerability is employee access rights, threat is internal employees misusing privileged access, risk is the business impact of confidentiality, and the necessary control is multifactor authentication. D. Vulnerability is employee access rights, threat is internal users misusing privileged access, risk is the business impact of confidentiality, and the necessary control is CCTV.
B. A vulnerability is a lack or weakness of a control. The vulnerability is that the user, who must be given access to the sensitive data, is not properly monitored to deter and detect a willful breach of security. The threat is that any internal entity might misuse given access. The risk is the business impact of losing sensitive data. One control that could be put into place is monitoring so that access activities can be closely watched.
Information security is a field that is maturing and becoming more organized and standardized. Organizational security models should be based on an enterprise architecture framework. Which of the following best describes what an enterprise architecture framework is and why it would be used? A. Mathematical model that defines the secure states that various software components can enter and still provide the necessary protection B. Conceptual model that is organized into multiple views addressing each of the stakeholder's concerns C. Business enterprise framework that is broken down into six conceptual levels to ensure security is deployed and managed in a controllable manner D. Enterprise framework that allows for proper security governance
B. An enterprise architecture framework is a conceptual model in which an architecture description is organized into multiple architecture views, where each view addresses specific concerns originating with the specific stakeholders. Individual stakeholders have a variety of system concerns, which the architecture must address. To express these concerns, each view applies the conventions of its architecture viewpoint.
Your company enters into a contract with another company as part of which your company requires the other company to abide by specific security practices. Six months into the effort, you decide to verify that the other company is satisfying these security requirements. Which of the following would you conduct? A. Third-party audit B. External (second-party) audit C. Structured walk-through test D. Full-interruption test
B. An external audit (sometimes called a second-party audit) is one conducted by (or on behalf of) a business partner to verify contractual obligations. Though this audit could be conducted by a third party (e.g., an auditing firm hired by either party), it is still considered an external audit because it is being done to satisfy an external entity.
Clustering is an unsupervised machine learning approach that determines where data samples naturally clump together. It does this by calculating the distance between a new data point and the existing clusters and assigning the point to the closest cluster if, indeed, it is close to any of them. What is this approach typically used for in cybersecurity? A. Spam filtering B. Anomaly detection C. Network flow analysis D. Signature matching
B. Clustering algorithms are frequently used for anomaly detection. Classifiers are helpful when trying to determine whether a binary file is malware or detect whether an e-mail is spam. Predictive machine learning models can be applied wherever historical numerical data is available and work by estimating what the value of the next data point should be, which makes them very useful for network flow analysis (e.g., when someone is exfiltrating large amounts of data from the network).
Which of the following is not an advantage of using content distribution networks? A. Improved responsiveness to regional users B. Resistance to ARP spoofing attacks C. Customization of content for regional users D. Resistance to DDoS attacks
B. Content distribution networks (CDNs) work by replicating content across geographically dispersed nodes. This means that regional users (those closest to a given node) will see improved responsiveness and could have tailored content delivered to them. It also means that mounting a successful DDoS attack is much more difficult. An ARP spoofing attack, however, takes place on the local area network and is therefore unrelated to the advantages of CDNs.
Patty is giving a presentation next week to the executive staff of her company. She wants to illustrate the benefits of the company using specific cloud computing solutions. Which of the following does not properly describe one of these benefits or advantages? A. Organizations have more flexibility and agility in IT growth and functionality. B. Cost of computing can be increased since it is a shared delivery model. C. Location independence can be achieved because the computing is not centralized and tied to a physical data center. D. Scalability and elasticity of resources can be accomplished in near real-time through automation.
B. Each of the listed items is a correct benefit or characteristic of cloud computing except "Cost of computing can be increased since it is a shared delivery model." The correct statement would be "Cost of computing can be decreased since it is a shared delivery model."
A risk analysis can be carried out through qualitative or quantitative means. It is important to choose the right approach to meet the organization's goals. In a quantitative analysis, which of the following items would not be assigned a numeric value? i. Asset value ii. Threat frequency iii. Severity of vulnerability iv. Impact damage v. Safeguard costs vi. Safeguard effectiveness vii. Probability A. All of them B. None of them C. ii D. vii
B. Each of these items would be assigned a numeric value in a quantitative risk analysis. Each element is quantified and entered into equations to determine total and residual risks. Quantitative risk analysis is more of a scientific or mathematical approach to risk analysis compared to qualitative.
__________, a declarative access control policy language implemented in XML and a processing model, describes how to interpret security policies. __________ is an XML-based language that allows for the exchange of provisioning data between applications, which could reside in one organization or many. A. Service Provisioning Markup Language (SPML), Extensible Access Control Markup Language (XACML) B. Extensible Access Control Markup Language (XACML), Service Provisioning Markup Language (SPML) C. Extensible Access Control Markup Language (XACML), Security Assertion Markup Language (SAML) D. Security Assertion Markup Language (SAML), Service Provisioning Markup Language (SPML)
B. Extensible Access Control Markup Language (XACML), a declarative access control policy language implemented in XML and a processing model, describes how to interpret security policies. Service Provisioning Markup Language (SPML) is an XML-based language that allows for the exchange of provisioning data between applications, which could reside in one organization or many; allows for the automation of user management (account creation, amendments, revocation) and access entitlement configuration related to electronically published services across multiple provisioning systems; and allows for the integration and interoperation of service provisioning requests across various platforms. Security Assertion Markup Language (SAML) is an XML-based language that allows for the exchange of provisioning data between applications, which could reside in one organization or many.
Which of the following is a true statement pertaining to markup languages? A. Hypertext Markup Language (HTML) came from Generalized Markup Language (GML), which came from Standard Generalized Markup Language (SGML). B. Hypertext Markup Language (HTML) came from Standard Generalized Markup Language (SGML), which came from Generalized Markup Language (GML). C. Standard Generalized Markup Language (SGML) came from Hypertext Markup Language (HTML), which came from Generalized Markup Language (GML). D. Standard Generalized Markup Language (SGML) came from Generalized Markup Language (GML), which came from Hypertext Markup Language (HTML).
B. HTML came from SGML, which came from GML. A markup language is a way to structure text and data sets, and it dictates how these will be viewed and used. When developing a web page, a markup language enables you to control how the text looks and some of the actual functionality the page provides.
Betty has received several e-mail messages from unknown sources that try and entice her to click a specific link using a "Click Here" approach. Which of the following best describes what is most likely taking place in this situation? A. DNS pharming attack B. Embedded hyperlink is obfuscated C. Malware back-door installation D. Bidirectional injection attack
B. HTML documents and e-mails allow users to attach or embed hyperlinks in any given text, such as the "Click Here" links you commonly see in e-mail messages or web pages. Attackers misuse hyperlinks to deceive unsuspecting users into clicking rogue links. The most common approach is known as URL hiding.
Internet Protocol Security (IPSec) is actually a suite of protocols. Each protocol within the suite provides different functionality. Which of the following is not a function or characteristic of IPSec? A. Encryption B. Link layer protection C. Authentication D. Protection of packet payloads and the headers
B. IPSec is a suite of protocols used to provide VPNs that use strong encryption and authentication functionality. It can work in two different modes: tunnel mode (payload and headers are protected) or transport mode (payload protection only). IPSec works at the network layer, not the data link layer.
Which of the following should not be considered as part of the supply chain risk management process for a smartphone manufacturer? A. Hardware Trojans inserted by downstream partners B. ISO/IEC 27001 C. Hardware Trojans inserted by upstream partners D. NIST Special Publication 800-161
B. ISO/IEC 27001 is a standard covering information security management systems (ISMSs), which is a much broader topic than supply chain risk management. The other three options are better answers because they are directly tied to this process: NIST Special Publication 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, directly addresses supply chain risk, and the insertion of hardware Trojans could happen at any point in the chain, upstream or downstream.
Use the following scenario to answer Questions 61-63. Jim works for a large energy company. His senior management just conducted a meeting with Jim's team with the purpose of reducing IT costs without degrading their security posture. The senior management decided to move all administrative systems to a cloud provider. These systems are proprietary applications currently running on Linux servers. Which of the following services would allow Jim to transition all administrative custom applications to the cloud while leveraging the service provider for security and patching of the cloud platforms? A. IaaS B. PaaS C. SaaS D. IDaaS
B. In a Platform as a Service (PaaS) contract, the service provider normally takes care of all configuration, patches, and updates for the virtual platform. Jim would only have to worry about porting the applications and running them.
Lynn logs into a website and purchases an airline ticket for her upcoming trip. The website also offers her pricing and package deals for hotel rooms and rental cars while she is completing her purchase. The airline, hotel, and rental companies are all separate and individual companies. Lynn decides to purchase her hotel room through the same website at the same time. The website is using Security Assertion Markup Language to allow for this type of federated identity management functionality. In this example which entity is the principal, which entity is the identity provider, and which entity is the service provider, respectively? A. Portal, Lynn, hotel company B. Lynn, airline company, hotel company C. Lynn, hotel company, airline company D. Portal, Lynn, airline company
B. In this scenario, Lynn is considered the principal, the airline company is considered the identity provider, and the hotel company that receives the user's authentication information from the airline company web server is considered the service provider. Security Assertion Markup Language (SAML) provides the authentication pieces to federated identity management systems to allow business-to-business (B2B) and business-to-consumer (B2C) transactions.
In order to be admissible in court, evidence should normally be which of the following? A. Subpoenaed B. Relevant C. Motioned D. Adjudicated
B. It is important that evidence be relevant, complete, sufficient, and reliable to the case at hand. These four characteristics of evidence provide a foundation for a case and help ensure that the evidence is legally permissible.
Yazan leads the IT help desk at a large manufacturing company. He is concerned about the amount of time his team spends resetting passwords for the various accounts that each of his organizational users has. All of the following would be good approaches to alleviating this help desk load except which one? A. Single sign-on (SSO) B. Just-in-time (JIT) access C. Password managers D. Self-service password reset
B. Just-in-time (JIT) access temporarily elevates users to the necessary privileged access to perform a specific task, on a specific asset, for a short time. This approach mitigates the risk of privileged account abuse by reducing the time a threat actor has to gain access to a privileged account. While this could reduce some of the workload on the IT staff, it would have no impact on the time needed to reset a multitude of passwords.
Barry was told that the IDS product that is being used on the network has heuristic capabilities. Which of the following best describes this functionality? A. Gathers packets and reassembles the fragments before assigning anomaly values B. Gathers data and assesses the likelihood of it being malicious in nature C. Gathers packets and compares their payload values to a signature engine D. Gathers packet headers to determine if something suspicious is taking place within the network traffic
B. Many IDSs have "heuristic" capabilities, which means that the system gathers different "clues" from the network or system and calculates the probability an attack is taking place. If the probability hits a set threshold, then the alarm sounds.
Which type of authorization mechanism can incorporate historical data into its access control decision-making in real time? A. Rule-based access control B. Risk-based access control C. Attribute-based access control D. Discretionary access control
B. Risk-based access control estimates the risk associated with a particular request in real time and, if it doesn't exceed a given threshold, grants the subject access to the requested resource. This estimate can be based on multiple factors, including the risk history of similar requests. It is possible to improve a rule-based access control mechanism over time (based on historical data), but that would have to be a manual process and wouldn't happen in real time.
Bartosz is developing a new web application for his marketing department. One of the requirements for the software is that it allows users to post specific content to LinkedIn and Twitter directly from the web app. Which technology would allow him to do this? A. OpenID Connect B. OAuth C. SSO D. Federated Identity Management
B. OAuth is an open standard for authorization to third parties. It lets you authorize a web application to use something that you control at a different website. For instance, if users wanted to share an article in the web app directly to their LinkedIn account, the system would ask them for access to their accounts in LinkedIn. If they agree, they'd see a pop-up from LinkedIn asking whether they want to authorize the web app to share a post. If they agree to this, the web app gains access to all their contacts until they rescind this authorization.
System ports allow different computers to communicate with each other's services and protocols. The Internet Assigned Numbers Authority (IANA) has assigned registered ports to be __________ and dynamic ports to be __________. A. 0-1024, 49152-65535 B. 1024-49151, 49152-65535 C. 1024-49152, 49153-65535 D. 0-1024, 1025-49151
B. Registered ports are 1024-49151, which can be registered with the Internet Assigned Numbers Authority (IANA) for a particular use. Vendors register specific ports to map to their proprietary software. Dynamic ports are 49152-65535 and are available to be used by any application on an "as needed" basis. Port numbers from 0 to 1023 are well-known ports.
Use the following scenario to answer Questions 13-15. Jack has just been hired as the security officer for a large hospital system. The organization develops some of its own proprietary applications. The organization does not have as many layers of controls when it comes to the data processed by these applications, since it is assumed that external entities will not understand the internal logic of the applications. One of the first things that Jack wants to carry out is a risk assessment to determine the organization's current risk profile. He also tells his boss that the hospital should become ISO certified to bolster its customers' and partners' confidence in its risk management processes. Which of the following approaches has been implemented in this scenario? A. Defense-in-depth B. Security through obscurity C. Information security management system D. ISO/IEC 27001
B. Security through obscurity depends upon complexity or secrecy as a protection method. Some organizations feel that since their proprietary code is not standards based, outsiders will not know how to compromise its components. This is an insecure approach. Defense-in-depth is a better approach, with the assumption that anyone can figure out how something works.
Juan needs to assess the performance of a critical web application that his company recently upgraded. Some of the new features are very profitable, but not frequently used. He wants to ensure that the user experience is positive, but doesn't want to wait for the users to report problems. Which of the following techniques should Juan use? A. Real user monitoring B. Synthetic transactions C. Log reviews D. Management review
B. Synthetic transactions are scripted events that mimic the behaviors of real users and allow security professionals to systematically test the performance of critical services. They are the best approach, because they can detect problems before users notice them. Real user monitoring (RUM) would rely on users encountering the problem, whereupon the system would automatically report it.
Which security model is defined by three main rules: simple security, star property, and strong star property? A. Biba B. Bell-LaPadula C. Brewer-Nash D. Noninterference
B. The Bell-LaPadula model enforces the confidentiality aspects of access control and consists of three main rules. The simple security rule states that a subject at a given security level cannot read data that resides at a higher security level. The *-property rule (star property rule) states that a subject in a given security level cannot write information to a lower security level. Finally, the strong star property rule states that a subject who has read and write capabilities can only perform both of those functions at the same security level; nothing higher and nothing lower.
Mark has been asked to interview individuals to fulfill a new position in his company, chief privacy officer (CPO). What is the function of this type of position? A. Ensuring that company financial information is correct and secure B. Ensuring that customer, company, and employee data is protected C. Ensuring that security policies are defined and enforced D. Ensuring that partner information is kept safe
B. The CPO position was created mainly because of the increasing demands on organizations to protect a long laundry list of different types of data. This role is responsible for ensuring that customer, organizational, and employee data is secure and kept secret, which keeps the organization out of criminal and civil courts and hopefully out of the headlines.
Jenny needs to engage a new software development company to create her company's internal banking software. The software needs to be created specifically for her company's environment, so it must be proprietary in nature. Which of the following would be useful for Jenny to use as a gauge to determine how advanced the various software development companies are in their processes? A. Waterfall methodology B. Capability Maturity Model Integration level C. Auditing results D. Key performance metrics
B. The Capability Maturity Model Integration (CMMI) model outlines the necessary characteristics of an organization's security engineering process. It addresses the different phases of a secure software development life cycle, including concept definition, requirements analysis, design, development, integration, installation, operations, and maintenance, and what should happen in each phase. It can be used to evaluate security engineering practices and identify ways to improve them. It can also be used by customers in the evaluation process of a software vendor. Ideally, software vendors would use the model to help improve their processes, and customers would use the model to assess the vendor's practices.
Which of the following best describes the difference between the role of the ISO/IEC 27000 series and COBIT? A. COBIT provides a high-level overview of security program requirements, while the ISO/IEC 27000 series provides the objectives of the individual security controls. B. The ISO/IEC 27000 series provides a high-level overview of security program requirements, while COBIT maps IT goals to enterprise goals to stakeholder needs. C. COBIT is process oriented, and the ISO/IEC 27000 series is solution oriented. D. The ISO/IEC 27000 series is process oriented, and COBIT is solution oriented.
B. The ISO/IEC 27000 series provides a high-level overview of security program requirements, while COBIT maps IT goals to enterprise goals to stakeholder needs through a series of transforms called cascading goals. COBIT specifies 13 enterprise and 13 alignment goals that take the guesswork out of ensuring we consider all dimensions in our decision-making processes.
An organization's information systems risk management (ISRM) policy should address many items to provide clear direction and structure. Which of the following is not a core item that should be covered in this type of policy? i. The objectives of the ISRM team ii. The level of risk the organization will accept and what is considered an acceptable level of risk iii. Formal processes of risk identification iv. The connection between the ISRM policy and the organization's strategic planning processes v. Responsibilities that fall under ISRM and the roles to fulfill them vi. The mapping of risk to specific physical controls vii. The approach toward changing staff behaviors and resource allocation in response to risk analysis viii. The mapping of risks to performance targets and budgets ix. Key metrics and performance indicators to monitor the effectiveness of controls A. ii, v, ix B. vi C. v D. vii, ix
B. The ISRM policy should address all of the items listed except specific physical controls. Policies should not specify any type of controls, whether they are administrative, physical, or technical.
The Mobile IP protocol allows location-independent routing of IP datagrams on the Internet. Each mobile node is identified by its __________, disregarding its current location in the Internet. While away from its home network, a mobile node is associated with a __________. A. prime address, care-of address B. home address, care-of address C. home address, secondary address D. prime address, secondary address
B. The Mobile IP protocol allows location-independent routing of IP packets on the Internet. Each mobile device is identified by its home address. While away from its home network, a mobile node is associated with a care-of address, which identifies its current location, and its home address is associated with the local endpoint of a tunnel to its home agent. Mobile IP specifies how a mobile device registers with its home agent and how the home agent routes packets to the mobile device.
Use the following scenario to answer Questions 61-63. Jim works for a large energy company. His senior management just conducted a meeting with Jim's team with the purpose of reducing IT costs without degrading their security posture. The senior management decided to move all administrative systems to a cloud provider. These systems are proprietary applications currently running on Linux servers. Which of the following would not be an issue that Jim would have to consider in transitioning administrative services to the cloud? A. Privacy and data breach laws in the country where the cloud servers are located B. Loss of efficiencies, performance, reliability, scalability, and security C. Security provisions in the terms of service D. Total cost of ownership compared to the current systems
B. The biggest advantages of cloud computing are enhanced efficiency, performance, reliability, scalability, and security. Still, cloud computing is not a panacea. An organization must still carefully consider legal, contractual, and cost issues since they could potentially place the organization in a difficult position.
Not every data transmission incorporates the session layer. Which of the following best describes the functionality of the session layer? A. End-to-end data transmission B. Application client/server communication mechanism in a distributed environment C. Application-to-computer physical communication D. Provides application with the proper syntax for transmission
B. The communication between two pieces of the same software product that reside on different computers needs to be controlled, which is why session layer protocols even exist. Session layer protocols take on the functionality of middleware, enabling software on two different computers to communicate.
Frank is a new security manager for a large financial institution. He has been told that the organization needs to reduce the total cost of ownership for many components of the network and infrastructure. The organization currently maintains many distributed networks, software packages, and applications. Which of the following best describes the cloud service models that Frank could leverage to obtain cloud services to replace on-premises network and infrastructure components? A. Infrastructure as a Service provides an environment similar to an operating system, Platform as a Service provides operating systems and other major processing platforms, and Software as a Service provides specific application-based functionality. B. Infrastructure as a Service provides an environment similar to a data center, Platform as a Service provides operating systems and other major processing platforms, and Software as a Service provides specific application-based functionality. C. Infrastructure as a Service provides an environment similar to a data center, Platform as a Service provides application-based functionality, and Software as a Service provides specific operating system functionality. D. Infrastructure as a Service provides an environment similar to a database, Platform as a Service provides operating systems and other major processing platforms, and Software as a Service provides specific application-based functionality.
B. The most common cloud service models are:
• Infrastructure as a Service (IaaS): Cloud service providers offer the infrastructure environment of a traditional data center in an on-demand delivery method.
• Platform as a Service (PaaS): Cloud service providers deliver a computing platform, which can include an operating system, database, and web server as a holistic execution environment.
• Software as a Service (SaaS): Cloud service providers give users access to specific application software (e.g., CRM, e-mail, and games).
Meeta recently started working at an organization with no defined security processes. One of the areas she'd like to improve is software patching. Consistent with the organizational culture, she is considering a decentralized or unmanaged model for patching. Which of the following is not one of the risks her organization would face with such a model? A. This model typically requires users to have admin credentials, which violates the principle of least privilege. B. It will be easier to ensure that all software products are updated, since they will be configured to do so automatically. C. It may be difficult (or impossible) to attest to the status of every application in the organization. D. Having each application or service independently download the patches will lead to network congestion.
B. This option is not a risk, but a (probably unrealistic) benefit, so it cannot be the right answer. The other three options are all risks associated with an unmanaged patching model.
Mary is doing online research about prospective employers and discovers a way to compromise a small company's personnel files. She decides to take a look around, but does not steal any information. Is she still committing a crime even if she does not steal any of the information? A. No, since she does not steal any information, she is not committing a crime. B. Probably, because she has gained unauthorized access. C. Not if she discloses the vulnerability she exploited to the company. D. Yes, she could jeopardize the system without knowing it.
B. Though laws vary around the world, many countries criminalize unauthorized access, even if it lacked malicious intent.
Use the following scenario to answer Questions 48-49. Francisca is the new manager of the in-house software designers and programmers. She has been telling her team that before design and programming on a new product begins, a formal architecture needs to be developed. She also needs this team to understand security issues as they pertain to software design. Francisca has shown the team how to follow a systematic approach that allows them to understand different ways in which the software products they develop could be compromised by specific threat actors. Which of the following best describes the approach Francisca has shown her team as outlined in the scenario? A. Attack surface analysis B. Threat modeling C. Penetration testing D. Double-blind penetration testing
B. Threat modeling is a systematic approach used to understand how different threats could be realized and how a successful compromise could take place. A threat model is a description of a set of security aspects that can help define a threat and a set of possible attacks to consider. It may be useful to define different threat models for one software product. Each model defines a narrow set of possible attacks to focus on. A threat model can help to assess the probability, the potential harm, and the priority of attacks, and thus help to minimize or eradicate the threats.
Your boss asks you to put together a report describing probable adverse effects on your assets caused by specific threat sources. What term describes this? A. Risk analysis B. Threat modeling C. Attack trees D. MITRE ATT&CK
B. Threat modeling is the process of describing probable adverse effects on an organization's assets caused by specific threat sources. This modeling can use a variety of approaches, including attack trees and the MITRE ATT&CK framework. However, since the question refers to a report and neither of those approaches specifically points to a report, the more general answer of threat modeling is the best one.
John has uncovered a rogue system on the company network that emulates a switch. The software on this system is being used by an attacker to modify frame tag values. Which of the following best describes the type of attack that has most likely been taking place? A. DHCP snooping B. VLAN hopping C. Network traffic shaping D. Network traffic hopping
B. VLAN hopping attacks allow attackers to gain access to traffic in various VLAN segments. An attacker can have a system act as though it is a switch. The system understands the tagging values being used in the network and the trunking protocols, and can insert itself between other VLAN devices and gain access to the traffic going back and forth. Attackers can also insert tagging values to manipulate the control of traffic at the data link layer.
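The tag manipulation described above is visible in the frame itself. The following is an added example (not from the book) that parses the 802.1Q tag stack of a constructed Ethernet frame and applies defender-side checks: a tag arriving on an access port, more than one nested tag, or a reserved VID. The TPID values, MAC addresses, VIDs and the port-mode/allowed-VID policy are all constructed for the demonstration.

```python
import struct
from dataclasses import dataclass

# TPID values that announce a VLAN tag in the EtherType position.
TPIDS = {0x8100: "802.1Q C-tag", 0x88A8: "802.1ad S-tag", 0x9100: "legacy QinQ"}
RESERVED_VIDS = {0, 4095}   # 0 = priority-only tag, 4095 = reserved by the standard


@dataclass(frozen=True)
class VlanTag:
    tpid: int
    pcp: int   # priority code point (3 bits)
    dei: int   # drop eligible indicator (1 bit)
    vid: int   # VLAN identifier (12 bits)


def parse_tags(frame: bytes):
    """Walk the tag stack of an Ethernet II frame.
    Returns (tags outer-first, payload EtherType, payload offset)."""
    offset = 12                      # skip destination and source MAC
    tags = []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame: no EtherType")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in TPIDS:
            return tags, ethertype, offset + 2
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append(VlanTag(ethertype, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        offset += 4


def audit_frame(frame: bytes, port_mode: str, allowed_vids=frozenset()) -> list:
    """Defender-side checks on one frame seen at a switch port.
    Returns a list of findings; an empty list means nothing suspicious."""
    tags, _, _ = parse_tags(frame)
    findings = []
    if port_mode == "access" and tags:
        # Hosts on access ports should send untagged frames; a tag here is a hopping indicator.
        findings.append("tagged frame on access port")
    if len(tags) > 1:
        findings.append(f"{len(tags)} nested tags: possible double-tagging")
    for tag in tags:
        if tag.vid in RESERVED_VIDS:
            findings.append(f"reserved VID {tag.vid} in {TPIDS[tag.tpid]}")
        elif allowed_vids and tag.vid not in allowed_vids:
            findings.append(f"VID {tag.vid} not permitted on this port")
    return findings


def build_frame(dst_mac: str, src_mac: str, vids, ethertype=0x0800, payload=bytes(46)) -> bytes:
    """Construct a test frame with the given tag stack (outer first); PCP and DEI are zero."""
    frame = bytes.fromhex(dst_mac) + bytes.fromhex(src_mac)
    for vid in vids:
        frame += struct.pack("!HH", 0x8100, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


# Constructed sample frames (broadcast destination, locally administered source; not real hosts).
DST, SRC = "ffffffffffff", "02aa00000001"
UNTAGGED = build_frame(DST, SRC, [])
SINGLE_TAG = build_frame(DST, SRC, [10])
DOUBLE_TAG = build_frame(DST, SRC, [1, 20])   # outer VID 1 (native), inner VID 20

if __name__ == "__main__":
    for name, frame in (("untagged/access", UNTAGGED), ("single/access", SINGLE_TAG),
                        ("double/trunk", DOUBLE_TAG)):
        mode = "trunk" if "trunk" in name else "access"
        print(name, parse_tags(frame)[0], audit_frame(frame, mode, frozenset({1, 10, 20})))
```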
Data sovereignty is increasingly becoming an issue that most of us in cybersecurity should address within our organizations. What does the term data sovereignty mean? A. Certain types of data concerning a country's citizens must be stored and processed in that country. B. Data on a country's citizens must be stored and processed according to that country's laws, regardless of where the storing/processing takes place. C. Certain types of data concerning a country's citizens are the sovereign property of that data subject. D. Data on a country's citizens must never cross the sovereign borders of another country.
B. Various countries have data sovereignty laws that stipulate that anyone who stores or processes certain types of data (typically personal data on their citizens), whether or not they do so locally, must comply with those countries' laws. Data localization laws, on the other hand, require certain types of data to be stored and processed in that country (examples include laws in China and Russia).
While disaster recovery planning (DRP) and business continuity planning (BCP) are directed at the development of "plans," __________ is the holistic management process that should cover both of them. It provides a framework for integrating resilience with the capability for effective responses that protects the interests of the organization's key stakeholders. A. continuity of operations B. business continuity management C. risk management D. enterprise management architecture
B. While DRP and BCP are directed at the development of plans, business continuity management (BCM) is the holistic management process that should cover both of them. BCM provides a framework for integrating resilience with the capability for effective responses in a manner that protects the interests of the organization's key stakeholders. The main objective of BCM is to allow the organization to continue to perform business operations under various conditions. BCM is the overarching approach to managing all aspects of BCP and DRP.
Which of the following best describes why classless interdomain routing (CIDR) was created? A. To allow IPv6 traffic to tunnel through IPv4 networks B. To allow IPSec to be integrated into IPv4 traffic C. To allow an address class size to meet an organization's need D. To allow IPv6 to tunnel IPSec traffic
C. A Class B address range is usually too large for most companies, and a Class C address range is too small, so CIDR provides the flexibility to increase or decrease the class sizes as necessary. CIDR is the method to specify more flexible IP address classes.
Doors configured in fail-safe mode assume what position in the event of a power failure? A. Open and locked B. Closed and locked C. Closed and unlocked D. Open
C. A company must decide how to handle physical access control in the event of a power failure. In fail-safe mode, doorways are automatically unlocked. This is usually dictated by fire codes to ensure that people do not get stuck inside of a burning building. Fail-secure means that the door will default to locked.
Which of the following allows a user to be authenticated across multiple IT systems and enterprises? A. Single sign-on (SSO) B. Session management C. Federated identity D. Role-based access control (RBAC)
C. A federated identity is a portable identity, and its associated entitlements, that can be used across business boundaries. It allows a user to be authenticated across multiple IT systems and enterprises. Single sign-on (SSO) allows users to enter credentials one time and be able to access all resources in primary and secondary network domains, but is not the best answer because it doesn't specifically address the capability to provide authentication across enterprises. A federated identity is a kind of SSO, but not every SSO implementation is federated.
Which cryptanalytic attack method is characterized by the identification of statistically significant patterns in the ciphertext generated by a cryptosystem? A. Differential attack B. Implementation attack C. Frequency analysis D. Side-channel attack
C. A frequency analysis, also known as a statistical attack, identifies statistically significant patterns in the ciphertext generated by a cryptosystem. For example, the number of zeroes may be significantly higher than the number of ones. This could show that the pseudorandom number generator (PRNG) in use may be biased.
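The zeros-versus-ones check described above is the frequency (monobit) test from NIST SP 800-22; the same idea extends to the distribution of whole byte values. The following is an added example (not from the book) that runs both statistics over two constructed ciphertexts: one produced with a sound keystream (SHA-256 in counter mode, a stand-in for a real stream cipher) and one produced with a deliberately flawed generator that leaks only three bits per output byte. The plaintext, key, seed and generator are all constructed for the demonstration.

```python
import hashlib
import math

SIGNIFICANCE = 0.01  # reject "looks random" below this p-value


def monobit_p_value(data: bytes) -> float:
    """Frequency (monobit) test from NIST SP 800-22: are ones and zeros in balance?
    Returns the two-sided p-value; a tiny value means the imbalance is not chance."""
    n = len(data) * 8
    if n == 0:
        raise ValueError("empty input")
    ones = sum(bin(b).count("1") for b in data)
    s_obs = abs(2 * ones - n) / math.sqrt(n)   # |ones - zeros| / sqrt(n)
    return math.erfc(s_obs / math.sqrt(2))


def byte_chi_square(data: bytes) -> float:
    """Chi-square statistic of the 256 byte-value counts against a flat distribution
    (255 degrees of freedom). Values above ~330 are significant at p < 0.001 when each
    value is expected at least a few times, i.e. for inputs of a few kilobytes or more."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    expected = len(data) / 256
    return sum((c - expected) ** 2 / expected for c in counts)


def analyze(ciphertext: bytes) -> dict:
    """Run both statistics and report whether the ciphertext shows a significant pattern."""
    p = monobit_p_value(ciphertext)
    chi2 = byte_chi_square(ciphertext)
    return {"monobit_p": p, "byte_chi2": chi2,
            "biased": p < SIGNIFICANCE or chi2 > 330.0}


def sound_keystream(key: bytes, nbytes: int) -> bytes:
    """Stand-in for a sound keystream: SHA-256 of key||counter (constructed for the demo)."""
    out, counter = bytearray(), 0
    while len(out) < nbytes:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:nbytes])


def flawed_keystream(seed: int, nbytes: int) -> bytes:
    """Constructed flaw: a 32-bit LCG of which only three bits reach each output byte,
    so every keystream byte has at least five zero bits."""
    state, out = seed & 0xFFFFFFFF, bytearray()
    for _ in range(nbytes):
        state = (1103515245 * state + 12345) & 0xFFFFFFFF
        out.append((state >> 16) & 0x07)
    return bytes(out)


def xor_encrypt(plaintext: bytes, keystream: bytes) -> bytes:
    """Stream-cipher style encryption: ciphertext = plaintext XOR keystream."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream))


# Constructed plaintext: a zero-filled block, as found in padding or unused regions of a
# disk image. A sound stream cipher still yields flat ciphertext here; a biased PRNG does not.
ZERO_BLOCK = bytes(4096)
GOOD_CT = xor_encrypt(ZERO_BLOCK, sound_keystream(b"demo-key", len(ZERO_BLOCK)))
BAD_CT = xor_encrypt(ZERO_BLOCK, flawed_keystream(0xC0FFEE, len(ZERO_BLOCK)))

if __name__ == "__main__":
    for name, ct in (("sound", GOOD_CT), ("flawed", BAD_CT)):
        print(name, analyze(ct))
```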
Which of the following best describes what role-based access control offers organizations in reducing administrative burdens? A. It allows entities closer to the resources to make decisions about who can and cannot access resources. B. It provides a centralized approach for access control, which frees up department managers. C. User membership in roles can be easily revoked and new ones established as job assignments dictate. D. It enforces an enterprise-wide security policy, standards, and guidelines.
C. A role-based access control (RBAC) model uses a centrally administrated set of controls to determine how subjects and objects interact. An administrator does not need to revoke and reassign permissions to individual users as they change jobs. Instead, the administrator assigns permissions and rights to a role, and users are plugged into those roles.
Which of the following is not true about software libraries? A. They make software development more efficient through code reuse. B. They are typically accessed through an application programming interface (API). C. They almost never introduce vulnerabilities into programs that use them. D. They are used in most major software development projects.
C. According to Veracode, seven in ten applications use at least one open-source software library with a security flaw, which makes those applications vulnerable. This estimate doesn't include proprietary libraries, which are probably even more insecure because they haven't been subjected to the same amount of scrutiny as open-source ones. This is the main risk in using software libraries.
Hanna is a security manager of a company that relies heavily on one specific operating system. The operating system is used in the employee workstations and is embedded within devices that support the automated production line software. She has uncovered a vulnerability in the operating system that could allow an attacker to force applications to not release memory segments after execution. Which of the following best describes the type of threat this vulnerability introduces? A. Injection attacks B. Memory corruption C. Denial of service D. Software locking
C. Attackers have identified programming errors in operating systems that allow them to "starve" the system of its own memory. This means the attackers exploit a software vulnerability that ensures that processes do not properly release their memory resources. Memory is continually committed and not released, and the system is depleted of this resource until it can no longer function. This is an example of a denial-of-service attack.
Terry is a security manager for a credit card processing company. His company uses internal DNS servers, which are placed within the LAN, and external DNS servers, which are placed in the DMZ. The company also relies on DNS servers provided by its service provider. Terry has found out that attackers have been able to manipulate several DNS server caches to point employee traffic to malicious websites. Which of the following best describes the solution this company should implement? A. IPSec B. PKI C. DNSSEC D. MAC-based security
C. DNS Security Extensions (DNSSEC, which is part of many current implementations of DNS server software) works within a PKI and uses digital signatures, which allows DNS servers to validate the origin of a message to ensure that it is not spoofed and potentially malicious. Suppose DNSSEC were enabled on server A, and a client sends it a DNS request for a resource that is not cached locally. Server A would relay the request to one or more external DNS servers and, upon receiving a response, validate the digital signature on the message before accepting the information to make sure that it is from an authorized DNS server. So even if an attacker sent a message to a DNS server, the DNS server would discard it because the message would not contain a valid digital signature. DNSSEC allows DNS servers to send and receive only authenticated and authorized messages between themselves and thwarts the attacker's goal of poisoning a DNS cache table.
Which of the following centralized access control protocols would a security professional choose if her network consisted of multiple protocols, including Mobile IP, and had users connecting via wireless and wired transmissions? A. RADIUS B. TACACS+ C. Diameter D. Kerberos
C. Diameter is a more diverse centralized access control administration technique than RADIUS and TACACS+ because it supports a wide range of protocols that often accompany wireless technologies. RADIUS supports PPP, SLIP, and traditional network connections. TACACS+ is a RADIUS-like protocol that is Cisco-proprietary. Kerberos is a single sign-on technology, not a centralized access control administration protocol that supports all stated technologies.
Aaron is a security manager who needs to develop a solution to allow his company's mobile devices to be authenticated in a standardized and centralized manner using digital certificates. The applications these mobile clients use require a TCP connection. Which of the following is the best solution for Aaron to implement? A. TACACS+ B. RADIUS C. Diameter D. Mobile IP
C. Diameter is a protocol that has been developed to build upon the functionality of RADIUS and TACACS+ while overcoming some of their limitations, particularly with regard to mobile clients. RADIUS uses UDP and cannot deal effectively with remote access, IP mobility, and policy control. Mobile IP is not an authentication and authorization protocol, but rather a technology that allows users to move from one network to another and still use the same IP address.
What is an advantage of microservices compared to traditional server-based architectures? A. Web services support B. Security C. Scalability D. Database connectivity
C. Each microservice lives in its own container and gets called as needed. If, for example, you see a spike in orders, you can automatically deploy a new container (in seconds), perhaps in a different host, and destroy it when you no longer need it. This contrasts with traditional servers that have fixed resources available and don't scale as well. Both approaches deal equally well with both web and database services and (properly deployed) have comparable security.
More organizations are outsourcing supporting functions to allow them to focus on their core business functions. Organizations use hosting companies to maintain websites and e-mail servers, service providers for various telecommunication connections, disaster recovery companies for co-location capabilities, cloud computing providers for infrastructure or application services, developers for software creation, and security companies to carry out vulnerability management. Which of the following items should be included during the analysis of an outsourced partner or vendor? i. Conduct onsite inspection and interviews ii. Review contracts to ensure security and protection levels are agreed upon iii. Ensure service level agreements are in place iv. Review internal and external audit reports and third-party reviews v. Review references and communicate with former and existing customers A. ii, iii, iv B. iv, v C. All of them D. i, ii, iii
C. Each of these items should be considered before committing to an outsource partner or vendor.
Encryption and decryption can take place at different layers of an operating system, application, and network stack. End-to-end encryption happens within the __________. IPSec encryption takes place at the __________ layer. PPTP encryption takes place at the __________ layer. Link encryption takes place at the __________ and __________ layers. A. applications, transport, data link, data link, physical B. applications, transport, network, data link, physical C. applications, network, data link, data link, physical D. network, transport, data link, data link, physical
C. End-to-end encryption happens within the applications. IPSec encryption takes place at the network layer. PPTP encryption takes place at the data link layer. Link encryption takes place at the data link and physical layers.
Bringing in third-party auditors has advantages over using an internal team. Which of the following is not true about using external auditors? A. They are required by certain governmental regulations. B. They bring experience gained by working in many other organizations. C. They know the organization's processes and technology better than anyone else. D. They are less influenced by internal culture and politics.
C. External auditors have certain advantages over in-house teams, but they will almost certainly not be as knowledgeable of internal processes and technology as the folks who deal with them on a daily basis.
Which of the following is not a correct characteristic of the Failure Modes and Effect Analysis (FMEA) method? A. Determining functions and identifying functional failures B. Assessing the causes of failure and their failure effects through a structured process C. Structured process carried out by an identified team to address high-level security compromises D. Identifying where something is most likely going to break and either fixing the flaws that could cause this issue or implementing controls to reduce the impact of the break
C. FMEA is a method for determining functions, identifying functional failures, and assessing the causes of failure and their failure effects through a structured process. It is commonly used in product development and operational environments. The goal is to identify where something is most likely going to break and either fix the flaws that could cause this issue or implement controls to reduce the impact of the break.
Which of the following provides a true characteristic of a fault tree analysis? A. Fault trees are assigned qualitative values to faults that can take place over a series of business processes. B. Fault trees are assigned failure mode values. C. Fault trees are labeled with actual numbers pertaining to failure probabilities. D. Fault trees are used in a stepwise approach to software debugging.
C. Fault tree analysis follows this general process. First, an undesired effect is taken as the root, or top, event of a tree of logic. Then, each situation that has the potential to cause that effect is added to the tree as a series of logic expressions. Fault trees are then labeled with actual numbers pertaining to failure probabilities.
For an enterprise security architecture to be successful in its development and implementation, which of the following items must be understood and followed? i. Strategic alignment ii. Process enhancement iii. Business enablement iv. Security effectiveness A. i, ii B. ii, iii C. i, ii, iii, iv D. iii, iv
C. For an enterprise security architecture to be successful in its development and implementation, the following items must be understood and followed: strategic alignment, process enhancement, business enablement, and security effectiveness.
Which of the following is an international organization that helps different governments come together and tackle the economic, social, and governance challenges of a globalized economy and provides guidelines on the protection of privacy and transborder flows of personal data rules? A. Council of Global Convention on Cybercrime B. Council of Europe Convention on Cybercrime C. Organisation for Economic Co-operation and Development D. Organisation for Cybercrime Co-operation and Development
C. Global organizations that move data across other country boundaries must be aware of and follow the Organisation for Economic Co-operation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. Since most countries have a different set of laws pertaining to the definition of private data and how it should be protected, international trade and business get more convoluted and can negatively affect the economy of nations. The OECD is an international organization that helps different governments come together and tackle the economic, social, and governance challenges of a globalized economy. Because of this, the OECD came up with guidelines for the various countries to follow so that data is properly protected and everyone follows the same type of rules.
Use the following scenario to answer Questions 141-142. Ron is in charge of updating his company's business continuity and disaster recovery plans and processes. After conducting a business impact analysis, his team has told him that if the company's e-commerce payment gateway was unable to process payments for 24 hours or more, this could drastically affect the survivability of the company. The analysis indicates that after an outage, the payment gateway and payment processing should be restored within 13 hours. Ron's team needs to integrate solutions that provide redundancy, fault tolerance, and failover capability. Which of the following best describes the type of solution Ron's team needs to implement? A. RAID and clustering B. Storage area networks C. High availability D. Grid computing and clustering
C. High availability (HA) is a combination of technologies and processes that work together to ensure that critical functions are always up and running at the necessary level. To provide this level of high availability, a company has to have a long list of technologies and processes that provide redundancy, fault tolerance, and failover capabilities.
A financial institution has developed its internal security program based upon the ISO/IEC 27000 series. The security officer has been told that metrics need to be developed and integrated into this program so that effectiveness can be gauged. Which of the following standards should be followed to provide this type of guidance and functionality? A. ISO/IEC 27002 B. ISO/IEC 27003 C. ISO/IEC 27004 D. ISO/IEC 27005
C. ISO/IEC 27004:2016 is used to assess the effectiveness of an ISMS and the controls that make up the security program as outlined in ISO/IEC 27001. ISO/IEC 27004 provides guidance for ISMS monitoring, measurement, analysis, and evaluation.
Use the following scenario to answer Questions 13-15. Jack has just been hired as the security officer for a large hospital system. The organization develops some of its own proprietary applications. The organization does not have as many layers of controls when it comes to the data processed by these applications, since it is assumed that external entities will not understand the internal logic of the applications. One of the first things that Jack wants to carry out is a risk assessment to determine the organization's current risk profile. He also tells his boss that the hospital should become ISO certified to bolster its customers' and partners' confidence in its risk management processes. Which ISO/IEC standard would be best for Jack to follow to meet his goals? A. ISO/IEC 27001 B. ISO/IEC 27004 C. ISO/IEC 27005 D. ISO/IEC 27006
C. ISO/IEC 27005 is the international standard for risk assessments and analysis.
Use the following scenario to answer Questions 13-15. Jack has just been hired as the security officer for a large hospital system. The organization develops some of its own proprietary applications. The organization does not have as many layers of controls when it comes to the data processed by these applications, since it is assumed that external entities will not understand the internal logic of the applications. One of the first things that Jack wants to carry out is a risk assessment to determine the organization's current risk profile. He also tells his boss that the hospital should become ISO certified to bolster its customers' and partners' confidence in its risk management processes. Which standard should Jack suggest to his boss for compliance with best practices regarding storing and processing sensitive medical information? A. ISO/IEC 27004 B. ISO/IEC 27001 C. ISO/IEC 27799 D. ISO/IEC 27006
C. ISO/IEC 27799 is a guideline for information security management in health organizations. It deals with how organizations that store and process sensitive medical information should protect it.
In what order would a typical PKI perform the following transactions? i. Receiver decrypts and obtains session key. ii. Public key is verified. iii. Public key is sent from a public directory. iv. Sender sends a session key encrypted with receiver's public key. A. iv, iii, ii, i B. ii, i, iii, iv C. iii, ii, iv, i D. ii, iv, iii, i
C. In a typical public key infrastructure, the sender first needs to obtain the receiver's public key, which could be from the receiver or a public directory, and then verify it. The sender needs to protect the symmetric session key as it is being sent, so the sender encrypts it with the receiver's public key. The receiver decrypts the session key with the receiver's private key.
Don is a senior manager of an architectural firm. He has just found out that a key contract was renewed, allowing the company to continue developing an operating system that was idle for several months. Excited to get started, Don begins work on the operating system privately, but cannot tell his staff until the news is announced publicly in a few days. However, as Don begins making changes in the software, various staff members notice changes in their connected systems, even though they have a lower security level than Don. What kind of model could be used to ensure this does not happen? A. Biba B. Bell-LaPadula C. Noninterference D. Clark-Wilson
C. In this example, staffers with lower security clearance than Don has could have deduced that the contract had been renewed by paying attention to the changes in their systems. The noninterference model addresses this specifically by dictating that no action or state in higher levels can impact or be visible to lower levels. In this example, the staff could learn something indirectly or infer something that they do not have a right to know yet.
Use the following scenario to answer Questions 1-3. Josh has discovered that an organized hacking ring in China has been targeting his company's research and development department. If these hackers have been able to uncover his company's research findings, this means they probably have access to his company's intellectual property. Josh thinks that an e-mail server in his company's DMZ may have been successfully compromised and a rootkit loaded. If Josh is correct in his assumptions, which of the following best describes the vulnerability, threat, and exposure, respectively? A. E-mail server is hardened, an entity could exploit programming code flaw, server is compromised and leaking data. B. E-mail server is not patched, an entity could exploit a vulnerability, server is hardened. C. E-mail server misconfiguration, an entity could exploit misconfiguration, server is compromised and leaking data. D. DMZ firewall misconfiguration, an entity could exploit misconfiguration, internal e-mail server is compromised.
C. In this situation the e-mail server most likely is misconfigured or has a programming flaw that can be exploited. Either of these would be considered a vulnerability. The threat is that someone would find out about this vulnerability and exploit it. The exposure is allowing sensitive data to be accessed in an unauthorized manner.
Next-generation firewalls combine the best attributes of other types of firewalls. Which of the following is not a common characteristic of these firewall types? A. Integrated intrusion prevention system B. Sharing signatures with cloud-based aggregators C. Automated incident response D. High cost
C. Incident response typically requires humans in the loop. Next-generation firewalls (NGFWs) do not completely automate the process of responding to security incidents. NGFWs typically involve integrated IPS and signature sharing capabilities with cloud-based aggregators, but are also significantly more expensive than other firewall types.
Rebecca is an internal auditor for a large retail company. The company has a number of web applications that run critical business processes with customers and partners around the world. Her company would like to ensure the security of technical controls on these processes. Which of the following would not be a good approach to auditing these technical controls? A. Log reviews B. Code reviews C. Personnel background checks D. Misuse case testing
C. Personnel background checks are a common administrative (not technical) control. This type of audit would have nothing to do with the web applications themselves. The other three options (log reviews, code reviews, misuse case testing) are typical ways to verify the effectiveness of technical controls.
Which of the following is an XML-based protocol that defines the schema of how web service communication takes place over HTTP transmissions? A. Service-Oriented Protocol B. Active X Protocol C. SOAP D. Web Ontology Language
C. SOAP enables programs running on different operating systems and written in different programming languages to communicate over web-based communication methods. SOAP is an XML-based protocol that encodes messages in a web service environment. SOAP actually defines an XML schema or a structure of how communication is going to take place. The SOAP XML schema defines how objects communicate directly.
Use the following scenario to answer Questions 61-63. Jim works for a large energy company. His senior management just conducted a meeting with Jim's team with the purpose of reducing IT costs without degrading their security posture. The senior management decided to move all administrative systems to a cloud provider. These systems are proprietary applications currently running on Linux servers. Which of the following secure design principles would be most important to consider as Jim plans the transition to the cloud? A. Defense in depth B. Secure defaults C. Shared responsibility D. Zero trust
C. Shared responsibility addresses situations in which a cloud service provider is responsible for certain security controls, while the customer is responsible for others. It will be critical for Jim to delineate where these responsibilities lie. The other principles listed would presumably be equally important before and after the transition.
Terry works in a training services provider where the network topology and access controls change very frequently. His boss tells him that he needs to implement a network infrastructure that enables changes to be made quickly and securely with minimal effort. What does Terry need to roll out? A. Wi-Fi B. Infrastructure as a Service C. Software-defined networking D. Software-defined wide area networking
C. Software-defined networking (SDN) is an approach to networking that relies on distributed software to provide unprecedented agility and efficiency. Using SDN, it becomes much easier to dynamically route traffic to and from newly provisioned services and platforms. It also means that a service or platform can be quickly moved from one location to another and the SDN will just as quickly update traffic-flow rules in response to this change.
Which of the following is not a key provision of the GDPR? A. Requirement for consent from data subjects B. Right to be informed C. Exclusion for temporary workers D. Right to be forgotten
C. The General Data Protection Regulation (GDPR) impacts every organization that holds or uses European personal data both inside and outside of Europe. In other words, if your company is a U.S.-based company that has never done business with the EU but it has an EU citizen working even as temporary staff (e.g., a summer intern), it probably has to comply with the GDPR or risk facing stiff penalties. There is no exclusion based on the nature of the relations between the data subjects and the data controllers and processors.
Larry is a seasoned security professional and knows the potential dangers associated with using an ISP's DNS server for Internet connectivity. When Larry stays at a hotel or uses his laptop in any type of environment he does not fully trust, he updates values in his HOSTS file. Which of the following best describes why Larry carries out this type of task? A. Reduces the risk of an attacker sending his system a corrupt ARP address that points his system to a malicious website B. Ensures his host-based IDS is properly updated C. Reduces the risk of an attacker sending his system an incorrect IP address-to-host mapping that points his system to a malicious website D. Ensures his network-based IDS is properly synchronized with his host-based IDS
C. The hosts file resides on the local computer and contains static hostname-to-IP mappings. The resolver checks it before querying any DNS server, so for the names listed there the system never has to trust an answer from the hotel's or ISP's resolver. That is why some people use it to reduce the risk of an attacker feeding their system a bogus IP address that points them to a malicious website. Two caveats apply: static entries go stale when a site's addresses change, and because the hosts file overrides DNS it is itself a favorite target for malware, so it should be write-protected and compared against a known-good copy.
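The lookup order the answer describes, as an added example that is not part of the original text: a parser for hosts-file syntax, a resolver that consults the parsed table before falling back to DNS, and a comparison against a pinned baseline to catch tampering. The hosts file contents, the hostnames and the addresses (documentation ranges) are constructed for the example.

```python
"""Hosts-file-first resolution, added here to illustrate the lookup order the answer describes."""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# Constructed sample hosts file; names and addresses are documentation-range placeholders.
SAMPLE_HOSTS = """
# static mappings kept for untrusted networks
127.0.0.1       localhost
::1             localhost
203.0.113.10    bank.example.com www.bank.example.com
2001:db8::10    bank.example.com
198.51.100.7    mail.example.net     # trailing comment is ignored
not-an-address  broken.example.org   # malformed line is skipped
"""

HostsTable = Dict[str, List[str]]


def parse_hosts(text: str) -> HostsTable:
    """Return {hostname: [addresses in file order]} from hosts-file text.

    Each entry line is 'ADDRESS NAME [ALIAS ...]'; '#' starts a comment.
    Lines whose first field is not a valid IPv4/IPv6 address are ignored
    rather than trusted.
    """
    table: HostsTable = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
        for name in fields[1:]:
            table.setdefault(name.lower(), []).append(addr)
    return table


def _system_dns(name: str) -> List[str]:
    """Fallback lookup through the OS resolver (only reached on a hosts-file miss)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})


def resolve(name: str, hosts: HostsTable,
            dns_lookup: Callable[[str], List[str]] = _system_dns) -> Optional[List[str]]:
    """Mimic the stub resolver order: hosts file first, DNS only on a miss."""
    hit = hosts.get(name.lower().rstrip("."))
    if hit:
        return hit
    try:
        return dns_lookup(name)
    except OSError:
        return None


def changed_mappings(current: HostsTable, baseline: HostsTable) -> Dict[str, List[str]]:
    """Names whose current mapping differs from a pinned known-good copy.

    The hosts file overrides DNS, which is exactly why malware likes to edit it;
    comparing it against a baseline catches that tampering.
    """
    names = set(current) | set(baseline)
    return {n: current.get(n, []) for n in names if current.get(n) != baseline.get(n)}
```

On Windows the file is %SystemRoot%\System32\drivers\etc\hosts and on Unix-like systems /etc/hosts; the baseline comparison is only as good as the protection on the known-good copy.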
Which legal system is characterized by its reliance on previous interpretations of the law? A. Tort B. Customary C. Common D. Civil (code)
C. The common law system is the only one that is based on previous interpretations of the law. This means that the system consists of both laws and court decisions in specific cases. Torts can be (and usually are) part of a common law system, but that would be an incomplete answer to this question.
Use the following scenario to answer Questions 27-28. Tim is the CISO for a large distributed financial investment organization. The company's network is made up of different network devices and software applications, which generate their own proprietary logs and audit data. Tim and his security team have become overwhelmed with trying to review all of the log files when attempting to identify if anything suspicious is taking place within the network. Another issue Tim's team needs to deal with is that many of the network devices have automated IPv6-to-IPv4 tunneling enabled by default, which is not what the organization needs. Which of the following is the best solution to Tim's difficulties handling the quantity and diversity of logs and audit data? A. Event correlation tools B. Intrusion detection systems C. Security information and event management D. Hire more analysts
C. Today, more organizations are implementing security information and event management (SIEM) systems. These products gather logs from various devices (servers, firewalls, routers, etc.) and attempt to correlate the log data and provide analysis capabilities. Organizations also have different types of systems on a network (routers, firewalls, IDS, IPS, servers, gateways, proxies) collecting logs in various proprietary formats, which requires centralization, standardization, and normalization. Log formats are different per product type and vendor.
George is the security manager of a large bank, which provides online banking and other online services to its customers. George has recently found out that some of the bank's customers have complained about changes to their bank accounts that they did not make. George worked with the security team and found out that all changes took place after proper authentication steps were completed. Which of the following describes what most likely took place in this situation? A. Web servers were compromised through cross-scripting attacks. B. TLS connections were decrypted through a man-in-the-middle attack. C. Personal computers were compromised with malware that installed keyloggers. D. Web servers were compromised and masquerading attacks were carried out.
C. While all of these situations could have taken place, the most likely attack type in this scenario is the use of a keylogger. Attackers commonly compromise personal computers by tricking the users into installing Trojan horses that have the capability to install keystroke loggers. The keystroke logger can capture authentication data that the attacker can use to authenticate as a legitimate user and carry out malicious activities.
IEEE __________ provides a unique ID for a device. IEEE __________ provides data encryption, integrity, and origin authentication functionality. IEEE __________ carries out key agreement functions for the session keys used for data encryption. Each of these standards provides specific parameters to work within an IEEE __________ framework. A. 802.1AF, 802.1AE, 802.1AR, 802.1X EAP-TLS B. 802.1AT, 802.1AE, 802.1AM, 802.1X EAP-SSL C. 802.1AR, 802.1AE, 802.1AF, 802.1X EAP-SSL D. 802.1AR, 802.1AE, 802.1AF, 802.1X EAP-TLS
D. 802.1AR provides a unique ID for a device. 802.1AE provides data encryption, integrity, and origin authentication functionality. 802.1AF carries out key agreement functions for the session keys used for data encryption. Each of these standards provides specific parameters to work within an 802.1X EAP-TLS framework. (The 802.1AF key-agreement work, the MACsec Key Agreement protocol or MKA, was folded into IEEE 802.1X-2010 rather than published as a separate standard, so on current equipment it is configured as part of 802.1X.)
Because she has many different types of security products and solutions, Joan wants to purchase a product that integrates her many technologies into one user interface. She would like her staff to analyze all security alerts from the same application environment. Which of the following would best fit Joan's needs? A. Dedicated appliance B. Data analytics platform C. Hybrid IDS\IPS integration D. Security information and event management (SIEM)
D. A SIEM solution is a software platform that aggregates security information and security events and presents them in a single, consistent, and cohesive manner.
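The centralization, normalization and correlation described in the two SIEM answers above (the log-diversity question and this single-pane question), as an added example that is not part of the original text: two constructed log feeds in different formats are mapped onto one event schema, and a single rule is run over the merged stream. The log lines, hostnames, addresses and the rule thresholds are all constructed for the example.

```python
"""Log normalization plus a simple correlation rule, added as an illustration of what a SIEM does."""
import json
import re
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample logs in two vendor formats (syslog-style firewall, JSON application).
FIREWALL_LOGS = [
    "Mar 12 10:14:01 fw1 kernel: DENY IN=eth0 SRC=198.51.100.23 DST=10.0.0.5 PROTO=TCP DPT=22",
    "Mar 12 10:14:03 fw1 kernel: DENY IN=eth0 SRC=198.51.100.23 DST=10.0.0.5 PROTO=TCP DPT=22",
    "Mar 12 10:14:09 fw1 kernel: ACCEPT IN=eth0 SRC=198.51.100.23 DST=10.0.0.5 PROTO=TCP DPT=22",
    "Mar 12 10:14:11 fw1 kernel: ACCEPT IN=eth0 SRC=192.0.2.8 DST=10.0.0.9 PROTO=TCP DPT=443",
]
APP_LOGS = [
    '{"ts":"2024-03-12T10:14:10Z","app":"sshd","host":"10.0.0.5","event":"auth_failure","user":"root","src":"198.51.100.23"}',
    '{"ts":"2024-03-12T10:14:12Z","app":"sshd","host":"10.0.0.5","event":"auth_failure","user":"root","src":"198.51.100.23"}',
    '{"ts":"2024-03-12T10:14:15Z","app":"sshd","host":"10.0.0.5","event":"auth_success","user":"root","src":"198.51.100.23"}',
    'this line is not JSON and must not crash the pipeline',
]

FW_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<action>ACCEPT|DENY) "
    r".*SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*DPT=(?P<dpt>\d+)"
)

Event = Dict[str, object]


def normalize_firewall(line: str, year: int = 2024) -> Optional[Event]:
    """Map a syslog firewall line onto the common schema (syslog lacks a year, so one is supplied)."""
    m = FW_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {"ts": ts, "source": "firewall:" + m["host"], "src": m["src"], "dst": m["dst"],
            "action": "deny" if m["action"] == "DENY" else "allow", "port": int(m["dpt"]), "user": None}


def normalize_app(line: str) -> Optional[Event]:
    """Map a JSON application event onto the same schema; unparsable lines are dropped, not fatal."""
    try:
        rec = json.loads(line)
        ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except (ValueError, KeyError, TypeError):
        return None
    action = {"auth_failure": "auth_fail", "auth_success": "auth_ok"}.get(rec.get("event"), "other")
    return {"ts": ts, "source": rec.get("app", "app"), "src": rec.get("src"), "dst": rec.get("host"),
            "action": action, "port": None, "user": rec.get("user")}


def correlate(events: List[Event], window_seconds: int = 60, min_failures: int = 3) -> List[Event]:
    """Rule: N or more denies/auth failures from one source, then a successful login, within the window."""
    by_src: Dict[object, List[Event]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    alerts: List[Event] = []
    for src, evs in by_src.items():
        for i, e in enumerate(evs):
            if e["action"] != "auth_ok":
                continue
            prior = [p for p in evs[:i] if p["action"] in ("deny", "auth_fail")
                     and (e["ts"] - p["ts"]).total_seconds() <= window_seconds]
            if len(prior) >= min_failures:
                alerts.append({"rule": "brute_force_then_success", "src": src, "dst": e["dst"],
                               "user": e["user"], "failures": len(prior), "at": e["ts"]})
    return alerts


def run_pipeline() -> List[Event]:
    """Normalize both feeds, drop what did not parse, and run the rule over the merged stream."""
    events = [normalize_firewall(l) for l in FIREWALL_LOGS] + [normalize_app(l) for l in APP_LOGS]
    return correlate([e for e in events if e is not None])
```

The point of the shared schema is that the rule never has to know which product produced an event; the firewall denies and the sshd failures count together, which neither feed alone would show.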
Which of the following best describes why Crime Prevention Through Environmental Design (CPTED) would integrate benches, walkways, and bike paths into a site? A. These features are designed to provide natural access control. B. These features are designed to emphasize or extend the organization's physical sphere of influence so legitimate users feel a sense of ownership of that space. C. These features are designed to make criminals think that those in the site are more attentive, well resourced, and possibly alert. D. These features are designed to make criminals feel uncomfortable by providing many ways observers could potentially see them.
D. CPTED encourages natural surveillance, the goal of which is to make criminals feel uncomfortable by providing many ways observers could potentially see them and to make all other people feel safe and comfortable by providing an open and well-designed environment. The other answers refer to the other three CPTED strategies, which are natural access control, territorial reinforcement, and maintenance, respectively.
Use the following scenario to answer Questions 27-28. Tim is the CISO for a large distributed financial investment organization. The company's network is made up of different network devices and software applications, which generate their own proprietary logs and audit data. Tim and his security team have become overwhelmed with trying to review all of the log files when attempting to identify if anything suspicious is taking place within the network. Another issue Tim's team needs to deal with is that many of the network devices have automated IPv6-to-IPv4 tunneling enabled by default, which is not what the organization needs. How could Tim best address the IP version issue described in the scenario? A. Change management B. Zero trust C. Converged protocols D. Configuration management
D. Configuration management is a process aimed at ensuring that systems and controls are configured correctly and are responsive to the current threat and operational environments. Since the IPv6-to-IPv4 tunneling is not desirable, ensuring all devices are properly configured is the best approach of those listed. Change management is a broader term that includes configuration management but is not the best answer listed because it is more general.
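One concrete form the configuration check in this answer could take, as an added example that is not part of the original text: parse an IOS-style running configuration, list every tunnel interface running an automatic IPv6-over-IPv4 mode, and report drift from an approved baseline. The configuration excerpt, hostname, interface names and the baseline are constructed for the example; the syntax is used for illustration only.

```python
"""Audit of tunnel interface configuration against a baseline, added to illustrate the configuration check."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample running-config excerpt (IOS-style syntax used only for illustration).
SAMPLE_CONFIG = """
hostname edge-r1
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
interface Tunnel0
 description auto 6to4 left on by default
 tunnel source GigabitEthernet0/0
 tunnel mode ipv6ip 6to4
!
interface Tunnel1
 tunnel source GigabitEthernet0/0
 tunnel mode ipv6ip isatap
!
interface Tunnel2
 description approved site-to-site VPN
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN
!
"""

# Automatic IPv6-over-IPv4 tunnel modes that the baseline forbids.
AUTOMATIC_TUNNEL_MODES = {"6to4", "isatap", "auto-tunnel"}
MODE_RE = re.compile(r"^tunnel mode ipv6ip\s+(?P<mode>\S+)")


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Group indented lines under their 'interface NAME' stanza."""
    interfaces: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return interfaces


def find_automatic_tunnels(config: str) -> List[Tuple[str, str]]:
    """Return (interface, mode) for every automatic IPv6-to-IPv4 tunnel in the config."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        for line in lines:
            m = MODE_RE.match(line)
            if m and m["mode"].lower() in AUTOMATIC_TUNNEL_MODES:
                findings.append((name, m["mode"].lower()))
    return findings


def drift_report(config: str, baseline: Dict[str, str]) -> List[str]:
    """Compare tunnel interfaces against an approved baseline {interface: expected 'tunnel mode' line}.

    Anything with a tunnel mode that is not in the baseline is drift, as is an
    approved tunnel that has disappeared; both are what a configuration
    management process exists to catch.
    """
    report = []
    ifaces = parse_interfaces(config)
    for name, lines in ifaces.items():
        modes = [l for l in lines if l.startswith("tunnel mode ")]
        if not modes:
            continue
        expected = baseline.get(name)
        if expected is None:
            report.append(f"{name}: tunnel not in baseline ({modes[0]})")
        elif modes[0] != expected:
            report.append(f"{name}: expected '{expected}', found '{modes[0]}'")
    for name in baseline:
        if name not in ifaces:
            report.append(f"{name}: approved tunnel missing from device")
    return report
```

The same idea applies to end-user hosts: on Windows the transition technologies that are on by default are turned off with netsh interface teredo set state disabled, netsh interface 6to4 set state disabled and netsh interface isatap set state disabled, and a configuration management tool should both push that setting and verify it stays in place.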
Which of the following is not considered a secure coding practice? A. Validate user inputs B. Default deny C. Defense in depth D. High (tight) coupling
D. Coupling is not considered a secure coding practice, though it does affect the quality (and hence the security) of software. It is a measurement that indicates how much interaction one module requires to carry out its tasks. High (tight) coupling means a module depends upon many other modules to carry out its tasks. Low (loose) coupling means a module does not need to communicate with many other modules to carry out its job, which is better because the module is easier to understand and easier to reuse, and changes can take place to one module and not affect many modules around it.
Capability Maturity Model Integration (CMMI) is a process improvement approach that is used to help organizations improve their performance. The CMMI model may also be used as a framework for appraising the process maturity of the organization. Which of the following is an incorrect mapping of the levels that may be assigned to an organization based upon this model? i. Maturity Level 2 - Managed or Repeatable ii. Maturity Level 3 - Defined iii. Maturity Level 4 - Quantitatively Managed iv. Maturity Level 5 - Optimizing A. i B. i, ii C. All of them D. None of them
D. Each answer provides the correct definition of the four levels that can be assigned to an organization during its evaluation against the CMMI model. This model can be used to determine how well the organization's processes compare to CMMI best practices and to identify areas where improvement can be made. Maturity Level 1 is Initial.
You just received an e-mail from one of your hardware manufacturers notifying you that it will no longer manufacture a certain product and, after the end of the year, you won't be able to send it in for repairs, buy spare parts, or get technical assistance from that manufacturer. What term describes this? A. End-of-support (EOS) B. End-of-service-life (EOSL) C. Deprecation D. End-of-life (EOL)
D. End-of-life (EOL) for an asset is that point in time when its manufacturer is neither manufacturing nor sustaining it. In other words, you can't send it in for repairs, buy spare parts, or get technical assistance from the manufacturer. The related term, end-of-support (EOS), which is sometimes also called end-of-service-life (EOSL), means that the manufacturer is no longer patching bugs or vulnerabilities on the product.
IPSec's main protocols are AH and ESP. Which of the following services does AH provide? A. Confidentiality and authentication B. Confidentiality and availability C. Integrity and accessibility D. Integrity and authentication
D. IPSec is made up of two main protocols, Authentication Header (AH) and Encapsulating Security Payload (ESP). AH provides data origin authentication, integrity, and (when enabled) anti-replay protection, but not confidentiality or availability; its integrity check covers the payload and the immutable fields of the IP header, while the payload itself travels in the clear. ESP provides data origin authentication, integrity, and confidentiality, but not availability. Nothing within IPSec can ensure the availability of the system it is residing on.
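What the AH integrity check does and does not cover, as an added example that is not part of the original text: an IPv4 packet is built with an AH header, the integrity check value (ICV) is computed with HMAC-SHA-256 truncated to 128 bits over the immutable header fields, the AH header and the payload, and verification is then tried after a TTL decrement, a payload change and a source-address change. The key, addresses and payload are constructed for the example; the mutable-field list follows RFC 4302 and the truncation follows RFC 4868.

```python
"""IPsec AH integrity check (ICV) over an IPv4 packet, added to show what AH does and does not cover."""
import hashlib
import hmac
import ipaddress
import struct

AH_PROTO = 51
ICV_LEN = 16  # HMAC-SHA-256-128 (RFC 4868): SHA-256 tag truncated to 128 bits


def ipv4_header(src: str, dst: str, total_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (checksum left 0: AH zeroes it anyway)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, AH_PROTO, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def zero_mutable_ipv4(hdr: bytes) -> bytes:
    """RFC 4302: fields routers legitimately change are zeroed before the ICV is computed."""
    b = bytearray(hdr)
    b[1] = 0                # DSCP/ECN
    b[6:8] = b"\x00\x00"    # flags + fragment offset
    b[8] = 0                # TTL
    b[10:12] = b"\x00\x00"  # header checksum
    return bytes(b)


def ah_header(next_header: int, spi: int, seq: int, icv: bytes = b"\x00" * ICV_LEN) -> bytes:
    """AH: next header, payload len (32-bit words minus 2), reserved, SPI, sequence number, ICV."""
    payload_len = (12 + ICV_LEN) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def compute_icv(key: bytes, ip_hdr: bytes, next_header: int, spi: int, seq: int, payload: bytes) -> bytes:
    """HMAC over immutable IP fields + AH header (ICV field zeroed) + payload, then truncate."""
    covered = zero_mutable_ipv4(ip_hdr) + ah_header(next_header, spi, seq) + payload
    return hmac.new(key, covered, hashlib.sha256).digest()[:ICV_LEN]


def build_ah_packet(key: bytes, src: str, dst: str, next_header: int, spi: int, seq: int,
                    payload: bytes) -> bytes:
    total_len = 20 + 12 + ICV_LEN + len(payload)
    ip_hdr = ipv4_header(src, dst, total_len)
    icv = compute_icv(key, ip_hdr, next_header, spi, seq, payload)
    return ip_hdr + ah_header(next_header, spi, seq, icv) + payload


def verify_ah_packet(key: bytes, pkt: bytes) -> bool:
    """Recompute the ICV over the received packet and compare in constant time.

    The sequence number is parsed but not checked here; anti-replay needs a
    per-SA window on the receiver, which this example leaves out.
    """
    ihl = (pkt[0] & 0x0F) * 4
    ip_hdr = pkt[:ihl]
    next_header, payload_len, _, spi, seq = struct.unpack("!BBHII", pkt[ihl:ihl + 12])
    ah_total = (payload_len + 2) * 4
    icv = pkt[ihl + 12:ihl + ah_total]
    payload = pkt[ihl + ah_total:]
    expected = compute_icv(key, ip_hdr, next_header, spi, seq, payload)
    return hmac.compare_digest(icv, expected)


def demo() -> dict:
    """Show that a TTL decrement passes but payload or address tampering fails."""
    key = b"constructed-demo-key-not-for-real-use"
    pkt = build_ah_packet(key, "10.0.0.1", "10.0.0.2", 6, 0x100, 1, b"hello")
    ttl_hop = bytearray(pkt); ttl_hop[8] -= 1                                         # router hop
    tampered = bytearray(pkt); tampered[-1] ^= 0x01                                    # payload bit flipped
    spoofed = bytearray(pkt); spoofed[12:16] = ipaddress.IPv4Address("10.0.0.9").packed  # source changed
    return {"original": verify_ah_packet(key, pkt),
            "after_ttl_decrement": verify_ah_packet(key, bytes(ttl_hop)),
            "payload_tampered": verify_ah_packet(key, bytes(tampered)),
            "source_spoofed": verify_ah_packet(key, bytes(spoofed)),
            "payload_readable": b"hello" in pkt}
```

The last field of the result is the confidentiality point in the answer: the payload is right there in the packet, so AH alone is the wrong choice whenever the data itself must be hidden.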
Khadijah is leading a software development team for her company. She knows the importance of conducting an attack surface analysis and developing a threat model. During which phase of the software development life cycle should she perform these actions? A. Requirements gathering B. Testing and validation C. Release and maintenance D. Design
D. In the system design phase, the software development team gathers system requirement specifications and determines how the system will accomplish design goals, such as required functionality, compatibility, fault tolerance, extensibility, security, usability, and maintainability. The attack surface analysis, together with the threat model, inform the developers' decisions because they can look at proposed architectures and competing designs from the perspective of an attacker. This allows them to develop a more defensible system. Though it is possible to start the threat model during the earlier phase of requirements gathering, this modeling effort is normally not done that early. Furthermore, the attack surface cannot be properly studied until there is a proposed architecture to analyze. Performing this activity later in the SDLC is less effective and usually results in security being "bolted on" instead of "baked in."
Which of the following is not a concern of a security professional considering adoption of Internet of Things (IoT) devices? A. Weak or nonexistent authentication mechanisms B. Vulnerability of data at rest and data in motion C. Difficulty of deploying patches and updates D. High costs associated with connectivity
D. IoT devices run the gamut of cost, from the very cheap to the very expensive. Cost, among the listed options, is the least likely to be a direct concern for a security professional. Lack of authentication, encryption, and update mechanisms are much more likely to be significant issues in any IoT adoption plan.
Which of the following protocols would an Identity as a Service (IDaaS) provider use to authenticate you to a third party? A. Diameter B. OAuth C. Kerberos D. OpenID Connect
D. OpenID Connect (OIDC) is a simple authentication layer built on top of the OAuth 2.0 protocol. It allows transparent authentication and authorization of client resource requests. Though it is possible to use OAuth, which is an authorization standard, for authentication, you would do so by leveraging its OpenID Connect layer. Diameter and Kerberos are not well-suited for IDaaS.
A software development company released a product that committed several errors that were not expected once deployed in their customers' environments. All of the software code went through a long list of tests before being released. The team manager found out that after a small change was made to the code, the program was not tested before it was released. Which of the following tests was most likely not conducted? A. Unit B. Compiled C. Integration D. Regression
D. Regression testing should take place after a change to a system takes place, retesting to ensure functionality, performance, and protection.
It is important that organizations ensure that their security efforts are effective and measurable. Which of the following is not a common method used to track the effectiveness of security efforts? A. Service level agreement B. Return on investment C. Balanced scorecard system D. Provisioning system
D. Security effectiveness deals with metrics, meeting service level agreement (SLA) requirements, achieving return on investment (ROI), meeting set baselines, and providing management with a dashboard or balanced scorecard system. These are ways to determine how useful the current security solutions and architecture as a whole are performing.
Use the following scenario to answer Questions 35-36. Zack is a security consultant who has been hired to help an accounting company improve some of its current e-mail security practices. The company wants to ensure that when its clients send the company accounting files and data, the clients cannot later deny sending these messages. The company also wants to integrate a more granular and secure authentication method for its current mail server and clients. Which of the following would be the best solution to integrate to meet the authentication requirements outlined in the scenario? A. TLS B. IPSec C. 802.1X D. SASL
D. Simple Authentication and Security Layer (SASL) is a protocol-independent authentication framework for authentication and data security in Internet protocols. It decouples authentication mechanisms from application protocols, with the goal of allowing any authentication mechanism supported by SASL to be used in any application protocol that uses SASL. SASL's design is intended to allow new protocols to reuse existing mechanisms without requiring redesign of the mechanisms, and allows existing protocols to make use of new mechanisms without redesign of protocols.
Which of the following multiplexing technologies analyzes statistics related to the typical workload of each input device and makes real-time decisions on how much time each device should be allocated for data transmission? A. Time-division multiplexing B. Wave-division multiplexing C. Frequency-division multiplexing D. Statistical time-division multiplexing
D. Statistical time-division multiplexing (STDM) transmits several types of data simultaneously across a single transmission line. STDM technologies analyze statistics related to the typical workload of each input device and make real-time decisions on how much time each device should be allocated for data transmission.
When multiple databases exchange transactions, each database is updated. This can happen many times and in many different ways. To protect the integrity of the data, databases should incorporate a concept known as an ACID test. What does this acronym stand for? A. Availability, confidentiality, integrity, durability B. Availability, consistency, integrity, durability C. Atomicity, confidentiality, isolation, durability D. Atomicity, consistency, isolation, durability
D. The ACID test concept should be incorporated into the software of a database. ACID stands for: • Atomicity Either the entire transaction succeeds or the database rolls it back to its previous state. • Consistency A transaction strictly follows all applicable rules on all data affected. • Isolation If transactions are allowed to happen in parallel (which most of them are), then they will be isolated from each other so that the effects of one don't corrupt another. In other words, isolated transactions have the same effect whether they happen in parallel or one after the other. • Durability Ensures that a completed transaction is permanently stored (for instance, in nonvolatile memory) so that it cannot be wiped by a power outage or other such failure.
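Atomicity and consistency as the answer describes them, as an added example that is not part of the original text: a transfer between two ledger rows in SQLite that either commits both updates or rolls both back, with a CHECK constraint playing the role of the rule that consistency enforces. The table, account names and balances are constructed for the example; it uses only the standard library's sqlite3 module.

```python
"""Atomicity and consistency of a transfer in SQLite, added as a worked illustration of the ACID answer."""
import sqlite3
from typing import Dict


def setup_db() -> sqlite3.Connection:
    """In-memory ledger with a CHECK constraint (the 'rule' that consistency enforces). Constructed data."""
    conn = sqlite3.connect(":memory:", isolation_level=None)  # we issue BEGIN/COMMIT ourselves
    conn.execute("CREATE TABLE accounts (id TEXT PRIMARY KEY, "
                 "balance INTEGER NOT NULL CHECK (balance >= 0))")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", [("alice", 100), ("bob", 50)])
    return conn


def balances(conn: sqlite3.Connection) -> Dict[str, int]:
    return dict(conn.execute("SELECT id, balance FROM accounts ORDER BY id").fetchall())


def transfer(conn: sqlite3.Connection, src: str, dst: str, amount: int) -> bool:
    """Move funds atomically: both UPDATEs commit together or neither is visible.

    BEGIN IMMEDIATE takes the write lock up front, so a concurrent writer is
    serialized behind this transaction (isolation). Returns False on rollback.
    """
    if amount <= 0:
        return False
    conn.execute("BEGIN IMMEDIATE")
    try:
        debit = conn.execute("UPDATE accounts SET balance = balance - ? WHERE id = ?", (amount, src))
        credit = conn.execute("UPDATE accounts SET balance = balance + ? WHERE id = ?", (amount, dst))
        if debit.rowcount != 1 or credit.rowcount != 1:
            raise LookupError("unknown account")  # one side updated, the other not: must undo
        conn.execute("COMMIT")
        return True
    except (sqlite3.IntegrityError, LookupError):
        # CHECK violation (overdraft) or missing account: the previous state is restored.
        conn.execute("ROLLBACK")
        return False
```

Durability cannot be shown on an in-memory database; on disk, SQLite's PRAGMA synchronous setting decides whether a COMMIT waits for the write to reach stable storage before returning, which is the property the answer's last bullet describes.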
If Jose wanted to use a risk assessment methodology across the entire organization and allow the various business owners to identify risks and know how to deal with them, what methodology would he use? A. Qualitative B. COBIT C. FRAP D. OCTAVE
D. The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) relies on the idea that the people working in a given environment best understand what is needed and what kind of risks they are facing. This places the people who work inside the organization in the power positions of being able to make the decisions regarding what is the best approach for evaluating the security of their organization.
Which of the following frameworks is a two-dimensional model that uses six basic communication interrogatives intersecting with different viewpoints to give a holistic understanding of the enterprise? A. SABSA B. TOGAF C. CMMI D. Zachman
D. The Zachman Framework is a two-dimensional model that uses six basic communication interrogatives (What, How, Where, Who, When, and Why) intersecting with different viewpoints (Executives, Business Managers, System Architects, Engineers, Technicians, and Enterprise-wide) to give a holistic understanding of the enterprise. This framework was developed in the 1980s and is based on the principles of classical business architecture that contain rules that govern an ordered set of relationships.
In a VoIP environment, the Real-time Transport Protocol (RTP) and RTP Control Protocol (RTCP) are commonly used. Which of the following best describes the difference between these two protocols? A. RTCP provides a standardized packet format for delivering audio and video over IP networks. RTP provides out-of-band statistics and control information to provide feedback on QoS levels. B. RTP provides a standardized packet format for delivering data over IP networks. RTCP provides control information to provide feedback on QoS levels. C. RTP provides a standardized packet format for delivering audio and video over MPLS networks. RTCP provides control information to provide feedback on QoS levels. D. RTP provides a standardized packet format for delivering audio and video over IP networks. RTCP provides out-of-band statistics and control information to provide feedback on QoS levels.
D. The actual voice stream is carried on media protocols such as RTP. RTP provides a standardized packet format for delivering audio and video over IP networks. RTP is a session layer protocol that carries data in media stream format, as in audio and video, and is used extensively in VoIP, telephony, video conferencing, and other multimedia streaming technologies. It provides end-to-end delivery services and is commonly run over the transport layer protocol UDP. RTCP is used in conjunction with RTP and is also considered a session layer protocol. It provides out-of-band statistics and control information to provide feedback on QoS levels of individual streaming multimedia sessions.
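The two packet formats the answer contrasts, as an added example that is not part of the original text: a builder and parser for the RTP fixed header (the media stream) and for an RTCP receiver report (the out-of-band QoS feedback), with the version and length checks a receiver should apply before trusting either. The SSRCs, payload and report values are constructed for the example; field layouts follow RFC 3550.

```python
"""RTP fixed-header and RTCP receiver-report parsing, added to make the RTP/RTCP split concrete."""
import struct
from typing import Dict, List

RTCP_RR = 201  # RTCP packet types: 200 SR, 201 RR, 202 SDES, 203 BYE, 204 APP


def build_rtp(pt: int, seq: int, ts: int, ssrc: int, payload: bytes, marker: bool = False) -> bytes:
    """RTP fixed header: V=2, P=0, X=0, CC=0, M, PT, seq, timestamp, SSRC, then the media payload."""
    b0 = 2 << 6
    b1 = (int(marker) << 7) | (pt & 0x7F)
    return struct.pack("!BBHII", b0, b1, seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc & 0xFFFFFFFF) + payload


def parse_rtp(pkt: bytes) -> Dict[str, object]:
    """Parse the fixed header, CSRC list and optional extension; reject anything not RTP version 2."""
    if len(pkt) < 12:
        raise ValueError("short RTP header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", pkt[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    padding, ext, cc = (b0 >> 5) & 1, (b0 >> 4) & 1, b0 & 0x0F
    off = 12
    csrcs: List[int] = list(struct.unpack("!%dI" % cc, pkt[off:off + 4 * cc])) if cc else []
    off += 4 * cc
    if ext:
        _profile, ext_words = struct.unpack("!HH", pkt[off:off + 4])
        off += 4 + 4 * ext_words
    payload = pkt[off:]
    if padding:
        pad = payload[-1] if payload else 0  # last octet counts the padding bytes, itself included
        if pad == 0 or pad > len(payload):
            raise ValueError("bad padding count")
        payload = payload[:-pad]
    return {"marker": bool(b1 >> 7), "pt": b1 & 0x7F, "seq": seq, "timestamp": ts,
            "ssrc": ssrc, "csrcs": csrcs, "payload": payload}


def build_rtcp_rr(sender_ssrc: int, reports: List[Dict[str, int]]) -> bytes:
    """RTCP RR: common header (V=2, RC, PT=201, length in 32-bit words minus one) + report blocks."""
    body = struct.pack("!I", sender_ssrc)
    for r in reports:
        body += struct.pack("!IBBHIIII", r["ssrc"], r["fraction_lost"], (r["cumulative_lost"] >> 16) & 0xFF,
                            r["cumulative_lost"] & 0xFFFF, r["highest_seq"], r["jitter"], r["lsr"], r["dlsr"])
    length_words = (4 + len(body)) // 4 - 1
    return struct.pack("!BBH", (2 << 6) | len(reports), RTCP_RR, length_words) + body


def parse_rtcp_rr(pkt: bytes) -> Dict[str, object]:
    """Parse a receiver report; the length field is checked against the bytes actually received."""
    b0, pt, length_words = struct.unpack("!BBH", pkt[:4])
    if b0 >> 6 != 2 or pt != RTCP_RR:
        raise ValueError("not an RTCP RR")
    if len(pkt) != (length_words + 1) * 4:
        raise ValueError("RTCP length mismatch")
    rc = b0 & 0x1F
    sender_ssrc = struct.unpack("!I", pkt[4:8])[0]
    blocks, off = [], 8
    for _ in range(rc):
        ssrc, fl, cl_hi, cl_lo, ehsn, jitter, lsr, dlsr = struct.unpack("!IBBHIIII", pkt[off:off + 24])
        blocks.append({"ssrc": ssrc, "fraction_lost": fl / 256.0, "cumulative_lost": (cl_hi << 16) | cl_lo,
                       "highest_seq": ehsn, "jitter": jitter, "lsr": lsr, "dlsr": dlsr})
        off += 24
    return {"sender_ssrc": sender_ssrc, "reports": blocks}


def demo() -> Dict[str, object]:
    """Constructed sample: one G.711 (PT 0) packet and the RR a receiver might send back about it."""
    rtp = build_rtp(pt=0, seq=1, ts=160, ssrc=0xDEADBEEF, payload=b"\xff" * 160)
    rr = build_rtcp_rr(0x11112222, [{"ssrc": 0xDEADBEEF, "fraction_lost": 64, "cumulative_lost": 10,
                                     "highest_seq": 0x00010005, "jitter": 20, "lsr": 0, "dlsr": 0}])
    return {"rtp": parse_rtp(rtp), "rr": parse_rtcp_rr(rr)}
```

Note that neither header carries any authentication; a receiver that trusts an RR's loss figures, or an RTP packet's SSRC, from an unauthenticated source is trusting the network. That is what SRTP/SRTCP add on top of these formats.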
Use the following scenario to answer Questions 1-3. Josh has discovered that an organized hacking ring in China has been targeting his company's research and development department. If these hackers have been able to uncover his company's research findings, this means they probably have access to his company's intellectual property. Josh thinks that an e-mail server in his company's DMZ may have been successfully compromised and a rootkit loaded. The attackers in this situation would be seen as which of the following? A. Vulnerability B. Threat C. Risk D. Threat agent
D. The attackers are the entities that have exploited a vulnerability; thus, they are the threat agent.
ISO/IEC 27000 is a growing family of ISO/IEC information security management system (ISMS) standards. Which of the following provides an incorrect mapping of the individual standard number to its description? A. ISO/IEC 27002: Code of practice for information security controls B. ISO/IEC 27003: ISMS implementation guidance C. ISO/IEC 27004: ISMS monitoring, measurement, analysis, and evaluation D. ISO/IEC 27005: ISMS auditing guidelines
D. The correct mappings for the individual standards are as follows: • ISO/IEC 27002: Code of practice for information security controls • ISO/IEC 27003: ISMS implementation guidance • ISO/IEC 27004: ISMS monitoring, measurement, analysis, and evaluation • ISO/IEC 27005: Information security risk management • ISO/IEC 27007: ISMS auditing guidelines
A risk management program must be developed properly and in the right sequence. Which of the following provides the correct sequence for the steps listed? i. Develop a risk management team. ii. Calculate the value of each asset. iii. Identify the vulnerabilities and threats that can affect the identified assets. iv. Identify company assets to be assessed. A. i, iii, ii, iv B. ii, i, iv, iii C. iii, i, iv, ii D. i, iv, ii, iii
D. The correct sequence for the steps listed in the question is as follows: i. Develop a risk management team. ii. Identify company assets to be assessed. iii. Calculate the value of each asset. iv. Identify the vulnerabilities and threats that can affect the identified assets.
When classifying an information asset, which of the following is true concerning its sensitivity? A. It is commensurate with how its loss would impact the fundamental business processes of the organization. B. It is determined by its replacement cost. C. It is determined by the product of its replacement cost and the probability of its compromise. D. It is commensurate with the losses to an organization if it were revealed to unauthorized individuals.
D. The sensitivity of information is commensurate with the losses to an organization if that information were revealed to unauthorized individuals. Its criticality, on the other hand, is an indicator of how the loss of the information would impact the fundamental business processes of the organization. While replacement costs could factor into a determination of criticality, they almost never do when it comes to sensitivity.
Which of the following is normally not an element of e-discovery? A. Identification B. Preservation C. Production D. Remanence
D. The steps normally involved in the discovery of electronically stored information, or e-discovery, are identifying, preserving, collecting, processing, reviewing, analyzing, and producing the data in compliance with the court order. Data remanence is not part of e-discovery, though it could influence the process.
Kerberos is a commonly used access control and authentication technology. It is important to understand what the technology can and cannot do and its potential downfalls. Which of the following is not a potential security issue that must be addressed when using Kerberos? i. The KDC can be a single point of failure. ii. The KDC must be scalable. iii. Secret keys are temporarily stored on the users' workstations. iv. Kerberos is vulnerable to password guessing. A. i, iv B. iii C. All of them D. None of them
D. These are all issues that are directly related to Kerberos. These items are as follows: • The Key Distribution Center (KDC) can be a single point of failure. If the KDC goes down, no one can access needed resources. Redundancy is necessary for the KDC. • The KDC must be scalable to handle the number of requests it receives in a timely manner. • Secret keys are temporarily stored on the users' workstations, which means it is possible for an intruder to obtain these cryptographic keys. • Session keys are decrypted and reside on the users' workstations, either in a cache or in a key table. Again, an intruder can capture these keys. • Kerberos is vulnerable to password guessing. The KDC does not know if a dictionary attack is taking place.
The Capability Maturity Model Integration (CMMI) approach is being used more frequently in security program and enterprise development. Which of the following provides an incorrect characteristic of this model? A. It provides a pathway for how incremental improvement can take place. B. It provides structured steps that can be followed so an organization can evolve from one level to the next and constantly improve its processes. C. It was created for process improvement and developed by Carnegie Mellon. D. It was built upon the SABSA model.
D. This model was not built upon the SABSA model. All other characteristics are true.
The purpose of security awareness training is to expose personnel to security issues so that they may be able to recognize them and better respond to them. Which of the following is not normally a topic covered in security awareness training? A. Social engineering B. Phishing C. Whaling D. Trolling
D. Trolling is the term used to describe people who sow discord on various social platforms on the Internet by starting arguments or making inflammatory statements aimed at upsetting others. This is not a topic normally covered in security awareness training. Social engineering, phishing, and whaling are important topics to include in any security awareness program.
Which type of organization would be likeliest to implement Virtual eXtensible Local Area Network (VxLAN) technology? A. Organizations that need to support more than 2,048 VLANs B. Small and medium businesses C. Organizations with hosts in close proximity to each other D. Cloud service providers with hundreds of customers
D. VxLANs are designed to overcome two limitations of traditional VLANs: the 12-bit VLAN ID (VID) field, which allows only 4,096 values (4,094 usable once the reserved IDs 0 and 4095 are excluded), and the fact that a VLAN is a single layer-2 broadcast domain that cannot span a routed (layer 3) boundary on its own. VxLAN tunnels Ethernet frames over UDP/IP and identifies each segment with a 24-bit VXLAN Network Identifier (VNI), giving roughly 16 million segments that can be stretched across routed networks. Accordingly, VxLANs are mostly used by cloud service providers with hundreds of customers and by large organizations with a global presence.
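The two identifier widths the answer compares, as an added example that is not part of the original text: an encoder and parser for the 8-byte VXLAN header, a builder for the inner 802.1Q-tagged frame it carries, and a demonstration that a tenant number far beyond any VLAN ID rides alongside a frame still tagged with a 12-bit VID. The MAC addresses, VNI and payload are constructed for the example; layouts follow RFC 7348 and IEEE 802.1Q.

```python
"""VXLAN header encode/decode next to the 802.1Q tag it carries, added to show where the VLAN-count limit goes."""
import struct
from typing import Dict, Tuple

VXLAN_UDP_PORT = 4789
VXLAN_FLAG_I = 0x08          # "VNI present" flag (RFC 7348); all other flag bits must be zero
VNI_COUNT = 1 << 24          # 24-bit VXLAN Network Identifier
VID_COUNT = 1 << 12          # 12-bit 802.1Q VLAN ID
VID_USABLE = VID_COUNT - 2   # VID 0 (priority-tagged) and 4095 are reserved


def vxlan_header(vni: int) -> bytes:
    """8-byte VXLAN header: flags(8) | reserved(24) | VNI(24) | reserved(8)."""
    if not 0 <= vni < VNI_COUNT:
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!II", VXLAN_FLAG_I << 24, vni << 8)


def parse_vxlan(data: bytes) -> Tuple[int, bytes]:
    """Return (VNI, inner Ethernet frame); reject headers that do not set the I flag."""
    if len(data) < 8:
        raise ValueError("short VXLAN header")
    w0, w1 = struct.unpack("!II", data[:8])
    flags = w0 >> 24
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set")
    return w1 >> 8, data[8:]


def ethernet_frame(dst_mac: bytes, src_mac: bytes, vid: int, ethertype: int, payload: bytes) -> bytes:
    """Inner 802.1Q-tagged frame: dst, src, TPID 0x8100, TCI (PCP=0, DEI=0, VID), EtherType, payload."""
    if not 0 <= vid < VID_COUNT:
        raise ValueError("VID must fit in 12 bits")
    return dst_mac + src_mac + struct.pack("!HHH", 0x8100, vid & 0x0FFF, ethertype) + payload


def inner_vlan_id(frame: bytes) -> int:
    """VID from the inner frame's 802.1Q tag, or -1 if the frame is untagged."""
    tpid = struct.unpack("!H", frame[12:14])[0]
    if tpid != 0x8100:
        return -1
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF


def encapsulate(vni: int, frame: bytes) -> bytes:
    """What a VTEP places after the outer IP/UDP (dst port 4789) header: VXLAN header + original frame."""
    return vxlan_header(vni) + frame


def demo() -> Dict[str, object]:
    """Constructed sample: tenant 5,000,000 (impossible as a VLAN) carrying a frame tagged VID 4094."""
    frame = ethernet_frame(b"\x02\x00\x00\x00\x00\x01", b"\x02\x00\x00\x00\x00\x02", 4094, 0x0800, b"IP payload")
    vni, inner = parse_vxlan(encapsulate(5_000_000, frame))
    return {"vni": vni, "inner_vid": inner_vlan_id(inner), "inner_intact": inner == frame,
            "vlan_ids": VID_COUNT, "vlan_usable": VID_USABLE, "vni_ids": VNI_COUNT}
```

The security caveat a practitioner should take from the layout is that the VXLAN header has no authentication or encryption of its own: tenant isolation rests on the VTEPs and on keeping UDP/4789 from untrusted sources off the underlay, or on running the overlay inside IPsec.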
Use the following scenario to answer Questions 35-36. Zack is a security consultant who has been hired to help an accounting company improve some of its current e-mail security practices. The company wants to ensure that when its clients send the company accounting files and data, the clients cannot later deny sending these messages. The company also wants to integrate a more granular and secure authentication method for its current mail server and clients. Which of the following best describes how client messages can be dealt with and addresses the first issue outlined in the scenario? A. The company needs to integrate a public key infrastructure and the Diameter protocol. B. The company needs to require that clients encrypt messages with their public key before sending them to the company. C. The company needs to have all clients sign a formal document outlining nonrepudiation requirements. D. The company needs to require that clients digitally sign messages that contain financial information.
D. When clients digitally sign messages, this provides nonrepudiation. A signature is created with the client's private key, which only the client should hold, and is verified with the client's public key; a signature that verifies therefore proves the message came from the holder of that private key. That guarantee is only as strong as the protection of the private key, since a client whose key was stolen could legitimately repudiate a message. Digital signatures provide nonrepudiation protection, which is what this company needs.
Use the following scenario to answer Questions 1-3. Josh has discovered that an organized hacking ring in China has been targeting his company's research and development department. If these hackers have been able to uncover his company's research findings, this means they probably have access to his company's intellectual property. Josh thinks that an e-mail server in his company's DMZ may have been successfully compromised and a rootkit loaded. Based upon this scenario, what is most likely the biggest risk Josh's company needs to be concerned with? A. Market share drop if the attackers are able to bring the specific product to market more quickly than Josh's company. B. Confidentiality of e-mail messages. Attackers may post all captured e-mail messages to the Internet. C. Impact on reputation if the customer base finds out about the attack. D. Depth of infiltration of attackers. If attackers have compromised other systems, more confidential data could be at risk.
D. While they are all issues to be concerned with, risk is a combination of probability and business impact. The largest business impact out of this list and in this situation is the fact that intellectual property for product development has been lost. If a competitor can produce the product and bring it to market quickly, this can have a long-lasting financial impact on the company.