CISSP Practice Exam 1
A grocery store chain collects customer data used in a customer loyalty program. When registering, customers fill out a lengthy form about themselves. The chain uses this data to email customers and allows customers to claim discounts when checking out using their customer loyalty cards. Which of the following identifies a best practice to reduce risks when implementing this program? A. Data retention B. Data labeling C. Collection limitation D. Destruction
C: A best practice when collecting customer data is to limit the amount of data collected to only what is needed. The company's lengthy form might include physical addresses, phone numbers, cellphone numbers, birthdates, social security numbers, and more. A data breach can reveal all this personal data even though the company never planned to use it. If they don't collect the data, they eliminate the risk of losing it in a data breach. Legal requirements typically drive data retention rules, but this scenario is unrelated to a legal issue. Assets and media are labeled with the classification of data they process or hold, but this scenario doesn't refer to assets. Destruction is at the end of the data lifecycle, not the beginning.
Wendy is analyzing an attack that took place against a web-based discussion forum run by her organization. She discovered that the attacker submitted a post containing embedded code so that future visitors to the site were redirected to a malicious site. What type of attack most likely took place? A. Buffer overflow B. Directory traversal C. Cross-site scripting D. SQL injection
C: A cross-site scripting (XSS) attack exploits scripting flaws in a targeted website. There are many ways by which XSS can be implemented; one technique involves submitting script content with a discussion forum posting. The script content will then be processed each time another visitor views the posting from the attacker. The injected script code can cause additional browser pop-ups leading to URLs of the attacker's choosing.
IT personnel are concerned that attackers may take over some Internet of Things (IoT) devices on the network's border. They want to ensure that any malicious traffic from these devices is blocked. Which of the following access control models has the best chance of blocking this traffic? A. Attribute-Based Access Control (ABAC) B. Mandatory Access Control (MAC) C. Role-Based Access Control (RBAC) D. Risk-based access control
D: A risk-based access control model can be coded to block malicious traffic from infected IoT devices. It evaluates the environment and the situation and makes decisions to block traffic that is abnormal. An ABAC model uses attributes to grant access and is often used in software-defined networks (SDNs). A MAC model grants access with the use of labels. RBAC uses a well-defined collection of named job roles for access control. Administrators grant each job role the privileges it needs to perform its job.
Firewalls use a set of administrator-defined filters. Which of the following access control models does this describe? A. Rule-based access control B. Role-Based Access Control (RBAC) C. Mandatory Access Control (MAC) D. Attribute-Based Access Control (ABAC)
A: A rule-based access control model defines access using a set of rules, such as the rules in a firewall's access control list. An RBAC model grants access based on a subject's membership in a group or role. The MAC model uses labels to identify access. An ABAC model grants access based on attributes.
Which of the following actions, when made to a file, would result in a change in the hash value created by running the SHA-2 algorithm against the contents of that file? (Choose all that apply.) A. Changing a single character in the file B. Removing a line from the file C. Adding a blank line to end of the file D. Backing up the file
A, B, C: Any change to the contents of a file changes the hash value generated for that file. This would include changing a single character, removing a line, or adding a line (even if that line is blank). Backing up the file would not change the file's contents and, therefore, would not result in a change in the hash value.
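The following added example (not part of the original exam) carries the four answer options through in code: it hashes a constructed sample file with SHA-256, a member of the SHA-2 family, after each of the actions in the question, and shows that only the byte-for-byte backup keeps the original digest. The file name and contents are constructed for the demonstration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of_file(path: Path) -> str:
    """Return the SHA-256 (a SHA-2 family) hex digest of a file's contents."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_after_each_action(workdir: Path) -> dict:
    """Apply the four actions from the question to copies of one file and
    return the SHA-256 of each result alongside the original's hash."""
    # Constructed sample file (hypothetical content, not from the exam page)
    original = workdir / "policy.txt"
    original.write_bytes(b"line one\nline two\nline three\n")
    results = {"original": sha256_of_file(original)}

    # A. Change a single character ("one" -> "One")
    changed = workdir / "changed.txt"
    changed.write_bytes(original.read_bytes().replace(b"one", b"One", 1))
    results["single_char"] = sha256_of_file(changed)

    # B. Remove one line from the file
    removed = workdir / "removed.txt"
    kept = [ln for ln in original.read_bytes().splitlines(keepends=True) if ln != b"line two\n"]
    removed.write_bytes(b"".join(kept))
    results["line_removed"] = sha256_of_file(removed)

    # C. Add a blank line to the end of the file
    appended = workdir / "appended.txt"
    appended.write_bytes(original.read_bytes() + b"\n")
    results["blank_line_added"] = sha256_of_file(appended)

    # D. Back up the file (a byte-for-byte copy): the contents are unchanged
    backup = workdir / "policy.txt.bak"
    shutil.copyfile(original, backup)
    results["backup"] = sha256_of_file(backup)
    return results


def run_demo() -> dict:
    """Run the demonstration in a temporary directory and return the hashes."""
    with tempfile.TemporaryDirectory() as tmp:
        return hash_after_each_action(Path(tmp))


if __name__ == "__main__":
    for action, digest in run_demo().items():
        print(f"{action:17s} {digest}")
```

The same property is what file-integrity monitoring relies on: a stored digest only matches again when the bytes are identical, so a trailing newline is as detectable as a rewritten paragraph.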
While researching the deployment of a new firewall solution, you realize that it supports several services that could benefit your organization that you did not initially consider evaluating when making the firewall selection. Which of the following is a benefit of NAT? (Choose all that apply.) A. Hiding the internal IP addressing scheme B. Sharing a few public internet addresses with a large number of internal clients C. Using the private IP addresses from RFC 1918 on an internal network D. Filtering network traffic to prevent brute-force attacks
A, B, C: NAT offers many benefits. NAT hides the internal IP addressing scheme and enables the sharing of a few public internet addresses with a large number of internal clients. NAT supports the use of the private IP addresses from RFC 1918 on an internal network. NAT does not protect against or prevent brute-force attacks.
Transmission media is used to carry network traffic. This can include copper wires, fiber-optic cables, and radio waves. What are the three media management or control modes that can be used on typical transmission media? (Choose all that apply.) A. Full-duplex B. Simplex C. 802.1X D. Half-duplex E. Multiplexing
A, B, D: The three media management or control modes are simplex (one-direction), half-duplex (two-way, but only one direction can send data at a time), and full-duplex (two-way, in which data can be sent in both directions simultaneously) communications. 802.1X is the IEEE standard for port authentication. Multiplexing is the mechanism of combining or integrating numerous signals into a single communication over a transmission media.
Remi is evaluating several multimedia collaboration products for use in her company. She needs to determine which products provide the best solution for her organization's business objectives. The product will be used in-house as well as by remote workers using broadband internet services. Which of the following questions should she ask when evaluating each option? (Choose all that apply.) A. Does the communication occur across an open protocol or an encrypted tunnel? B. Are icons and graphics used as avatars in the user profiles? C. Does the service use strong authentication techniques? D. Are activities of users audited and logged? E. What tracking mechanisms are used, can the tracking be disabled, and what is the data collected for? F. What is the minimum bandwidth requirement for chat and voice services?
A, C, D, E: Most questions that relate to the security of the multimedia collaboration product would be relevant to supporting business objectives. This includes the following questions: Does the communication occur across an open protocol or an encrypted tunnel? Does the service use strong authentication techniques? Are activities of users audited and logged? What tracking mechanisms are used, can the tracking be disabled, and what is the data collected for? The other options probably are not relevant to security or support business objectives. Whether or not icons or graphics are used for avatars is not that important. Also, questions about minimum bandwidth requirements for chat and voice are likely unneeded since those services do not require much bandwidth and the remote users are all working over broadband internet services.
Which of the following AAA services does Remote Authentication Dial-in User Service (RADIUS) provide? (Choose three.) A. Authentication B. Availability C. Authorization D. Accounting
A, C, D: RADIUS provides authentication, authorization, and accounting. Although it is possible to add multiple RADIUS servers in failover clusters to increase availability, this isn't a RADIUS function. Instead, the failover clusters provide availability.
The DREAD risk rating system is designed to provide a flexible rating solution that is based on the answers to five main questions about each threat. Which of the following are subjects of those questions? (Choose all that apply.) A. Exploitability B. Elevation of privilege C. Damage potential D. Repudiation E. Affected users F. Discoverability G. Denial of service H. Reproducibility
A, C, E, F, H: The DREAD questions are about Damage potential, Reproducibility, Exploitability, Affected users, and Discoverability. The other options are related to STRIDE: Elevation of privilege, Repudiation, and Denial of service.
Telecommuting is performing work at a remote location. Telecommuting clients use many remote access techniques to establish connectivity to the central office LAN. Which of the following are examples of remote access techniques? (Choose all that apply.) A. Remote node operation B. Cross-site request forgery C. Remote control D. Port address translation E. Screen scraping F. Service specific
A, C, E, F: The primary examples of remote access techniques are remote node operation, remote control, screen scraping, and service specific. The other options are not remote access techniques. Cross-site request forgery (XSRF) is a form of web attack that plants malware on a victim's system in order to forge commands against target websites that seem to originate from the user. Port address translation (PAT) converts internal IP and port numbers to external IP and port numbers.
Your organization has a strictly enforced email security policy which prohibits messages lacking proof of source and lacking non-repudiation. However, you have received a message which fails to meet these requirements and notice several other concerning characteristics. Which of the following are indicators that this message is a hoax? (Select three.) A. Lack of a digital signature verifying the origin B. Use of poor grammar C. Lack of correct spelling D. Threat of damage to your computer system E. Encouragement to take specific steps to resolve a concern which are not based on standard company procedures F. Claim to be from a trusted authority G. Inclusion of hyperlinks in the body of the message
A, D, E: A hoax is a social engineering attack that tries to trick a user into taking harmful actions by instilling fear that not acting would cause harm. A hoax will not have a digital signature from a verifiable origin, so its source is questionable. Hoaxes often use the threat of damage or harm to encourage the victim to take action, and the steps they provide will often actually cause the victim harm. (B) Poor grammar, (C) bad spelling, and (G) hyperlinks in the message are all characteristics of both valid and invalid email messages. (F) Claiming to be from a trusted authority is an attempt to use the social engineering principle of authority and/or intimidation; it is not unique to hoaxes, since many spam, BEC, and phishing attacks do the same, and such a claim could also be legitimate.
Michael has been asked to perform an analysis of company network traffic in order to look for anomalies, inefficiencies, or potential vulnerabilities. Michael was asked to specifically divide the assessment report into two sections, one focusing on east-west traffic and the other on north-south traffic. What do those terms mean? A. East-west traffic is the traffic flow that occurs within a specific network, data center, or cloud environment. B. East-west traffic is the traffic flow that occurs between servers/resource hosts and clients/endpoint devices. C. North-south traffic is the traffic flow that occurs between the layers of the OSI stack. D. North-south traffic is the traffic flow that occurs inbound or outbound between internal systems and external systems.
A, D: The correct definitions of these terms are: East-west traffic is the traffic flow that occurs within a specific network, data center, or cloud environment. North-south traffic is the traffic flow that occurs inbound or outbound between internal systems and external systems. Options B and C are incorrect: option C is simply wrong, whereas option B applies the wrong definition to east-west traffic.
A software company with a worldwide footprint recently bought out another software company based in the United States. The U.S. company needs to maintain its name and domain infrastructure. However, employees in both companies need to access resources in the other network. Which of the following would best meet this need? A. A federation B. Session management C. Credential management D. Single sign-on
A: A federation can include two or more networks and allow users in each network to share network resources. Session management closes inactive sessions, and credential management provides a means to store user credentials. Federations provide single sign-on (SSO) capabilities, but SSO will not share network resources.
Which of the following best describes an access control category that includes hiring and firing policies, data classifications and labels, and security awareness and training? A. Administrative controls B. Technical controls C. Logical controls D. Physical controls
A: Administrative controls are also referred to as management controls and include policies and procedures such as hiring and firing policies, data classifications and labels, and security awareness training. Technical and logical controls are synonymous and include hardware or software mechanisms used to manage access. Physical access controls are physical controls deployed to prevent direct contact with systems or areas within a facility.
What type of interface testing would identify flaws in a program's ability to interact with other programs via web services? A. Application programming interface testing B. User interface testing C. Physical interface testing D. Security interface testing
A: Application programming interfaces (APIs) provide standard mechanisms for web services to interact with each other.
Attackers have exploited the KRBTGT account in an organization's domain. What will this allow them to do? A. Create golden tickets B. Create silver tickets C. Run Python scripts D. Identify accounts with Kerberos preauthentication disabled
A: Attackers can create golden tickets after successfully exploiting the Kerberos service account (KRBTGT). This allows them to create any tickets within an Active Directory domain. Silver tickets use a captured service account hash to create a ticket-granting service (TGS) ticket. The KRBTGT account is unrelated to running Python scripts. The ASREPRoast Kerberos exploit allows attackers to identify accounts with preauthentication disabled.
You need to identify a method to embed unobtrusive labels in digital data. After they are embedded, other methods should be able to detect these labels. Which of the following is the best choice to meet these requirements? A. Watermarking B. Remanence C. Signature D. Encryption
A: Digital watermarking places labels or markings in files (digital data). Other methods, such as data loss prevention (DLP) and digital rights management (DRM), can detect the labels. Remanence refers to data left on media after it should have been removed. A digital signature is used in emails to validate the sender's identity. Encryption scrambles data so that it is unreadable, but it doesn't add labels.
Employees regularly travel to foreign countries as a routine part of their jobs. Which of the following represents a significant risk that they should avoid while traveling? A. Free Wi-Fi B. VPNs C. Encryption D. Physical control
A: Employees should avoid the use of free Wi-Fi networks. Attackers can configure free Wi-Fi networks and capture all traffic going through the free wireless network. The other answers are all useful. Virtual Private Networks (VPNs) create secure encrypted connections. Encryption can provide a layer of protection for sensitive data. Physical control can prevent attackers from installing malware or monitoring devices on employees' electronic systems.
A review of end-user and endpoint security has uncovered the concern that most systems will indefinitely display confidential data on the screen even when a user is no longer sitting at the workstation. How should this issue be resolved? A. Enforce screen savers after a timeout. B. Implement MFA. C. Implement TEMPEST countermeasures. D. Require WPA3.
A: Enforcing screen savers after a timeout will hide any confidential materials behind a screen saver, which should then require a valid logon to regain access to the desktop, applications, and so forth. Multifactor authentication (MFA) is a solid security measure, but it is irrelevant here. Implementing TEMPEST countermeasures is not the right solution since the security issues are not related to emanations. WPA3 is a strong security measure, but it is a wireless encryption concept and not related to display-based disclosure of data.
A security manager is implementing technologies to prohibit rogue devices from gaining network access. After they install a NAC, what additional tool would be able to ensure that only known and authenticated systems gain connectivity? A. IEEE 802.1X B. PFX C. CRL D. PEAP
A: IEEE 802.1X provides port-based access control and is useful both on wired and wireless connections to block access to systems and users that are unknown or that fail authentication. It is a common companion to NAC implementations. PFX or PKCS #12 is a certificate format and not relevant to this scenario. A certificate revocation list (CRL) is used to confirm whether certificates are revoked, which does relate to blocking access to systems or users whose certificates have been canceled, but a CRL on its own is insufficient and would need to be implemented in concert with a PKI solution and/or 802.1X. PEAP provides for TLS-encrypted EAP methods, but it is not specifically useful in keeping out rogue devices.
Mark approaches the building where he works. At the door a small black box is attached to the wall. Mark retrieves an object from his pocket and waves it near the black box. The door to the building unlocks and opens automatically. Once Mark reaches his work area, he sits down at the desk in front of his workstation. He takes the same object he used earlier to enter the building and slides it into a slot on the side of his keyboard. The computer wakes up and he is prompted for a password. The two events of authentication performed by Mark are known as? A. "Something you have" B. "Something you are" C. "Something you know" D. "Something you can do"
A: In this scenario the object Mark was using is a smartcard. A smartcard is an example of a "something you have" authentication factor. A biometric is "something you are," passwords and PINs are "something you know," and solving a puzzle, a secret handshake, or a private knock are examples of "something you can do."
An industrial processing facility has implemented SCADA systems to monitor and manage the mission-critical production lines. These ICSs cannot adhere to the company's 14-day patch application policy. How can these systems be secured in order to minimize malware infection? A. Prohibit nonauthorized nonessential software from executing B. Implement software firewalls C. Deploy the devices in a screened subnet D. Use an IDS
A: In this scenario, the best option is to prohibit nonauthorized nonessential software from executing. A software firewall might limit network communication sessions, but will not necessarily reduce the risk of malware traversing a network link. Deployment in a screened subnet is not a good option as it may expose the ICS to the internet; deployment in a private network segment or an air-gapped network would be a better option. An IDS would only notify about a breach or intrusion or malware infection after it occurred, but an IPS might be a reasonable option.
Which one of the following techniques would be the least effective way to perform backup verification? A. Interview of backup administrator B. Review of system logs C. Restoration of requested files D. Inspection of hash values
A: Interviewing a backup administrator is not generally an effective technique because it does not confirm that the backup was actually performed properly. The other techniques all do this to some extent.
Network-based intrusion detection systems (NIDSs) and network-based intrusion prevention systems (NIPSs) have some differences and some similarities. Which of the following describes a similarity? A. They can both detect attacks using pattern-matching B. They are both placed inline with incoming traffic C. They can both prevent attacks from reaching the internal network D. They both connect to network switch ports using mirror mode
A: NIDSs and NIPSs can both detect attacks using pattern-matching (also known as signature-based detection and knowledge-based detection). A NIPS is placed inline with traffic and can prevent attacks from reaching an internal network. While a NIDS can be placed inline with the traffic, it isn't placed inline by default. An IDS may be connected to a network switch port using mirror mode to collect data, but a NIPS would be inline with all traffic.
Cindy is concerned that high priority network traffic will be dropped when her organization's network becomes overwhelmed and would like to implement a control that prioritizes this traffic. What control would best meet her needs? A. Quality of service B. Fault tolerance C. System resilience D. High availability
A: Quality of service (QoS) controls allow administrators to prioritize different types of network traffic and would meet Cindy's needs. Fault tolerance, system resilience, and high availability are all controls designed to reduce the likelihood and/or impact of a technical failure.
Victoria is conducting a third-party audit of a cloud service provider and is preparing to generate a SOC audit report. During her engagement, she limited her review to assessing the organization's controls that might impact the accuracy of financial reporting. What type of engagement did she conduct under SSAE 18? A. SOC 1 B. SOC 2 C. SOC 3 D. SOC 4
A: SOC 1 engagements assess the organization's controls that might impact the accuracy of financial reporting. SOC 2 and 3 engagements extend into controls protecting confidentiality, integrity, and availability more generally.
An organization wants to enforce strong passwords, with most users logging on with a single set of credentials. Which of the following is the best choice to meet these needs? A. Single sign-on B. Password policy C. Service accounts D. Tokens
A: Single sign-on (SSO) is the best solution. It allows regular users to log on with a single account. Administrators may have two accounts. A password policy can enforce strong passwords, but every system will need a different password policy without SSO. Service accounts are used to start services or applications. Tokens are used for two-factor authentication and do not use passwords.
Which one of the following third-party frameworks is commonly used during audits of information technology systems? A. COBIT B. ATT&CK C. Cyber Kill Chain D. PCI DSS
A: Control Objectives for Information Technology (COBIT) is a framework for evaluating the controls organizations implement around information systems. ATT&CK and the Cyber Kill Chain are tools used to conduct threat intelligence. PCI DSS is a standard used specifically for audits of credit card processing systems, which are not mentioned in this question.
One of the first and most important security planning steps is to consider the overall security control framework or structure of the security solution desired by the organization. Which of the following frameworks establishes mandatory requirements for federal agencies? A. Risk Management Framework B. Cybersecurity Framework C. ISO 27001 D. Center for Internet Security
A: The Risk Management Framework (RMF) establishes mandatory requirements for federal agencies. The Cybersecurity Framework (CSF) is designed for critical infrastructure and commercial organizations. ISO 27001 establishes the guidelines for implementing an information security management system (ISMS) but is nation and industry agnostic. Center for Internet Security (CIS) provides OS, application, and hardware security configuration guides for a wide range of products.
Which database principle ensures that transactions execute in an all-or-nothing fashion? A. Atomicity B. Consistency C. Isolation D. Durability
A: The atomicity of database transactions requires transaction execution in an all-or-nothing fashion. If any part of the transaction fails, the entire transaction is rolled back. The isolation principle states that two transactions operating on the same data must be temporarily separated from each other such that one does not interfere with the other. The consistency principle says that the database must always be in a state that complies with the database model's rules. The durability principle says that transactions committed to the database must be preserved. Together, these four principles are known as the ACID model.
What portion of the software configuration management (SCM) process ensures that changes to software versions are made in accordance with the change control and configuration management policies? A. Configuration Control B. Configuration Identification C. Configuration Status Accounting D. Configuration Audit
A: The configuration control process ensures that changes to software versions are made in accordance with the change control and configuration management policies. Updates can be made only from authorized distributions in accordance with those policies.
Your facility has just been upgraded with a new burglar alarm system. This intrusion monitoring mechanism is able to detect both perimeter breaches as well as internal movement. Which of the following is not a typical type of alarm that can be triggered for physical security? A. Preventive B. Deterrent C. Repellent D. Notification
A: There is no such thing as a preventive alarm. Alarms are triggered in response to a detected intrusion or attack. Whenever a motion detector registers a significant or meaningful change in the environment, it triggers an alarm. Common types of alarms include deterrent, repellent, and notification.
A worker reports that they are unable to access an internal web application from their workstation. After you confirm that the worker has been assigned correct authorization, you review the logs from the workstation for clues. You discover the following entries:
2020-01-08 12:15:36 DROP TCP 192.168.6.104 192.168.255.255 443 ---------- RECEIVE
2020-01-08 12:15:51 DROP UDP 192.168.6.104 192.168.255.255 443 ---------- RECEIVE
Based on this information, which of the following should you adjust to address this situation? A. Host-based firewall B. VLAN membership C. WAF D. Proxy
A: These log items are from a firewall log. They indicate that TCP and UDP traffic from the 192.168.x.x subnet to the workstation was dropped. Since this log is from the workstation, this indicates that there is a bad rule in the host-based firewall that is blocking all communications to the workstation from the local subnet. There is no mention of VLAN membership. These log entries would not be present on the workstation if the communications were being blocked by a WAF, since those are either on the web server system or on their own standalone system in front of the web server. These entries would not be present on the workstation if a proxy was dropping the communications, because those entries would be in the proxy server's logs.
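An added example (not part of the original exam) that parses entries in the layout shown in the question and applies the explanation's reasoning: DROP entries received from an address on the local subnet, found in the workstation's own log, point at a host-based firewall rule. The two lines from the question are kept as-is; the ALLOW line and the drop from 203.0.113.9 are constructed for contrast, and the 192.168.0.0/16 subnet is an assumption drawn from the explanation's "192.168.x.x".

```python
import ipaddress
from dataclasses import dataclass

# Local subnet assumed from the explanation's "192.168.x.x" (assumption, not stated on the page)
LOCAL_NET = ipaddress.ip_network("192.168.0.0/16")

# The two entries from the question plus two constructed lines for contrast:
# an allowed outbound connection and a drop whose source is external.
SAMPLE_LOG = """\
2020-01-08 12:15:36 DROP TCP 192.168.6.104 192.168.255.255 443 ---------- RECEIVE
2020-01-08 12:15:51 DROP UDP 192.168.6.104 192.168.255.255 443 ---------- RECEIVE
2020-01-08 12:16:02 ALLOW TCP 192.168.6.104 10.20.30.40 443 ---------- SEND
2020-01-08 12:16:15 DROP TCP 203.0.113.9 192.168.6.104 22 ---------- RECEIVE
"""


@dataclass
class Entry:
    timestamp: str
    action: str
    protocol: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    port: int
    direction: str


def parse_line(line: str):
    """Parse one entry laid out as
    'date time ACTION PROTO src dst port <filler> DIRECTION'; None for blank/short lines."""
    fields = line.split()
    if len(fields) < 8:
        return None
    return Entry(
        timestamp=f"{fields[0]} {fields[1]}",
        action=fields[2],
        protocol=fields[3],
        src=ipaddress.ip_address(fields[4]),
        dst=ipaddress.ip_address(fields[5]),
        port=int(fields[6]),
        direction=fields[-1],
    )


def dropped_local_receives(log_text: str) -> list:
    """Inbound DROP entries whose source is on the local subnet: in a log taken
    from the workstation itself these can only come from the host's own firewall."""
    entries = (parse_line(ln) for ln in log_text.splitlines())
    return [
        e for e in entries
        if e and e.action == "DROP" and e.direction == "RECEIVE" and e.src in LOCAL_NET
    ]


def diagnose(log_text: str) -> dict:
    """Summarize the evidence the way the explanation reasons about it."""
    hits = dropped_local_receives(log_text)
    return {
        "count": len(hits),
        "protocols": sorted({e.protocol for e in hits}),
        "likely_cause": "host-based firewall rule" if hits else "not a host firewall drop",
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

The drop from 203.0.113.9 is deliberately excluded from the finding: an external source being dropped is the firewall doing its job, while local-subnet traffic being dropped on the workstation is the misconfiguration the question describes.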
The previous PSTN system is being replaced by a VoIP solution. The CEO wants a briefing of the benefits of the technology. Which of the following is not a typical security concern with VoIP? A. VLAN hopping B. Caller ID falsification C. Vishing D. Remote dialing
A: VLAN hopping is a switch security issue, not a VoIP security issue. Caller ID falsification and vishing are VoIP security concerns. Remote dialing is a VoIP PBX concern.
If a security mechanism offers availability, then it offers a high level of assurance that authorized subjects can _____________________ the data, objects, and resources. A. Control B. Audit C. Access D. Repudiate
C: Accessibility of data, objects, and resources is the goal of availability. If a security mechanism offers availability, then it is highly likely that the data, objects, and resources are accessible to authorized subjects. Control is managed by authorization or access control. Auditing is the recording of events into a log file, which is part of AAA services. To repudiate is to deny having done something; nonrepudiation is the prevention of that denial by proving that a subject performed an action.
Third-party governance is the system of external entity oversight that may be mandated by law, regulation, industry standards, contractual obligation, or licensing requirements. Often third-party assessment is necessary to evaluate the security of a supply chain. Which of the following means of third-party assessment is used to interview personnel and observe their operating habits? A. On-site assessment B. Document exchange and review C. Process/policy review D. Third-party audit
A: An on-site assessment is a third-party assessment tool where auditors visit the site of the organization to interview personnel and observe their operating habits. Document exchange and review is a mechanism to investigate the means by which datasets and documentation are exchanged as well as the formal processes by which they perform assessments and reviews. Process/policy review is a mechanism that requests copies of their security policies, processes/procedures, and documentation of incidents and responses for review. A third-party audit is performed by a third party, such as defined by AICPA, to provide an unbiased review of an entity's security infrastructure.
Which of the following are technologies specifically defined as part of 802.11 wireless networking? (Choose all that apply.) A. 802.1X B. WPA3 C. SAE D. 802.11i E. WPS
B, C, D, E: WPA3, 802.11i, SAE, and WPS are all technologies that are specifically defined as part of wireless networking. 802.1X is an IEEE standard for port authentication, which is not strictly related to wireless use. It is the basis of the ENT authentication option on wireless networks, but it is also widely used to manage authentication throughout a wired network.
Security needs to be designed, architectured, engineered, integrated, and implemented in order to be reliable and cost-effective. There are numerous security design principles that can be adopted and woven into the crafting of company policies as well as deployed solutions. Which of the following are considered secure design principles? (Choose all that apply.) A. People are the weakest link B. Least privilege C. Secure defaults D. Fail securely E. Security is always top priority F. Threat modeling G. Keep it simple H. Risk should be eliminated I. Separation of duties J. Zero trust K. Privacy by design
B, C, D, F, G, I, J, K: The standard secure design principles are least privilege, secure defaults, fail securely, threat modeling, keep it simple, separation of duties, zero trust, and privacy by design. Defense in depth and trust but verify are also recognized secure design principles but were not offered as options. The other options are incorrect. "People are the weakest link" is not a secure design principle and is also not accurate: although people can cause security breaches intentionally, accidentally, or through coercion, they are also a key component of a successful security solution. "Security is always top priority" is not a secure design principle; security should always be bounded by business objectives. The most secure solution may interfere with a mission-critical business function, so security must support the business rather than get in its way. "Risk should be eliminated" is not a secure design principle and is false. Not all risk can be eliminated. Some individual risks can be eliminated, but in most circumstances risk reduction, risk management (i.e., deterrence, transfer, avoidance), or risk acceptance are the only real options.
Your organization has recently decided to allow workers to telecommute from home. However, the CISO requires that the connections be protected by encryption using a standard VPN solution. Which of the following secure protocols can be used as a VPN? (Choose all that apply.) A. Kerberos B. IPsec C. SSH D. Signal E. TLS F. S-RPC
B, C, E: IPsec, SSH, and TLS can all be used as a VPN. IPsec and TLS can operate as either transport mode or tunnel mode VPNs, whereas SSH is limited to use as a transport mode VPN. The others are not VPN protocols. Kerberos offers a single sign-on solution for users and protects logon credentials; modern implementations of Kerberos use hybrid encryption to provide reliable authentication protection. Signal is a cryptographic protocol that provides end-to-end encryption for voice calls, videoconferencing, and text messaging. S-RPC (Secure Remote Procedure Call) is an authentication service and is simply a means to prevent unauthorized execution of code on remote systems.
The CISO has put you in charge of improving the security awareness and training program. The concern they want you to focus on is that it is unknown whether the training efforts are having any effect or benefit. If you cannot establish proof of a positive ROSI, then the program will be terminated. Which of the following would be useful in establishing an effectiveness evaluation procedure? (Choose all that apply.) A. Taking attendance B. Administering a quiz immediately after the awareness event C. Requiring workers to pay $10 for each security incident they are involved in D. Have workers take a test 6 months after a training class E. Collect key security indicators that relate to insider security incidents over time F. Posting a list of employees who cause a security incident on the primary bulletin board in the break room
B, D, E: Training and awareness program effectiveness evaluation should take place on an ongoing or continuous basis. This can often include administering a quiz or exam immediately after an awareness or training event and a follow-up quiz/exam months later. Also, event and incident logs should be reviewed for the rate of occurrences of security violations due to employee actions and behaviors to see if there is any noticeable difference in the rate of occurrence or trends of incidents before and after a training presentation. The other options are not useful for training program effectiveness evaluation. (A) Never assume that just because a worker was marked as attending or completing a training event that they actually learned anything or will be changing their behavior. (C) Forcing employees to pay a fine for each security infraction is not a means to assess effectiveness; it is a crude means to force compliance. (F) Posting a list of employees who cause a security incident is not a means to assess effectiveness; it is a mechanism of using shame to force compliance and it is not an ethical practice.
Your organization is considering an upgrade of the internal network to support IPv6. You have been asked to provide an evaluation of the benefits and drawbacks of this project. Which of the following are true in regard to IPv6? (Choose all that apply.) A. Uses 32 bit addresses B. Uses 16-byte addresses C. Reserves an entire subnet for loopback D. Supports autoconfiguration without DHCP E. Requires NAT to convert between internal and external addresses F. Supports Quality of Service (QoS) priority values
B, D, F: IPv6 uses 16-byte (128-bit) addresses, supports stateless address autoconfiguration (SLAAC) without DHCP, and supports Quality of Service (QoS) priority values in its Traffic Class field. IPv4 uses 32-bit addresses, reserves the entire 127.0.0.0/8 block (127.0.0.1 through 127.255.255.254) for loopback, and commonly relies on NAT to translate between internal and external addresses; IPv6 reserves only the single address ::1 for loopback and was designed so that NAT is not needed. IPv4 also supports QoS priority values, but the field is called Type of Service (ToS) in the IPv4 header.
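The autoconfiguration point is easier to see in code. The following is an added example, not part of the original exam material: it shows how SLAAC forms a 128-bit address from an advertised /64 prefix plus a modified EUI-64 interface identifier derived from the MAC address, with no DHCP server involved, and why that is a security consideration (the MAC, and so the hardware vendor and a stable tracking identifier, can be read straight back out of the address). The prefix and MAC used are constructed sample values.

```python
"""Added example, not part of the original exam material: how IPv6 stateless
address autoconfiguration (SLAAC) forms a 128-bit address from a 64-bit
prefix plus a modified EUI-64 interface identifier derived from the MAC
address, with no DHCP server involved. The prefix and MAC below are
constructed sample values."""
import ipaddress


def mac_to_modified_eui64(mac: str) -> bytes:
    """Return the 8-byte modified EUI-64 interface identifier for a 48-bit MAC
    (RFC 4291 Appendix A): split the MAC in half, insert 0xFFFE between the
    halves, and invert the universal/local bit (bit 1 of the first byte)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui64 = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui64[0] ^= 0x02  # flip the U/L bit
    return bytes(eui64)


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine an advertised /64 prefix with the interface identifier, as a
    host does after receiving a Router Advertisement."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 requires a /64 prefix")
    iid = int.from_bytes(mac_to_modified_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def mac_from_address(addr: str):
    """Recover the MAC from an EUI-64-derived address, or return None when the
    interface identifier lacks the 0xFFFE marker (e.g. a privacy-extension
    address, RFC 8981). This is why EUI-64 addresses leak hardware identity."""
    iid = int(ipaddress.IPv6Address(addr)).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    raw = bytearray(iid[:3] + iid[5:])
    raw[0] ^= 0x02  # undo the U/L bit flip
    return ":".join(f"{b:02x}" for b in raw)


if __name__ == "__main__":
    addr = slaac_address("2001:db8:1::/64", "00:1a:2b:3c:4d:5e")  # constructed
    print(addr, "->", mac_from_address(str(addr)))
```

Because the interface identifier follows the device across every network it joins, most modern operating systems generate temporary (privacy-extension) or stable-but-opaque (RFC 7217) identifiers instead of EUI-64; `mac_from_address` returns None for those, which is the behaviour you want from an address that is not supposed to reveal hardware.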
Your organization has decided to update their IT environment to take advantage of advancements in virtualization solutions. They are primarily focused on containerization products. Which of the following are features or capabilities of some containerization solutions? (Choose all that apply.) A. Operate a full guest OS within a cell B. Allow for multiple concurrent applications within a single container C. Automate the processes of network monitoring and response D. Offer customization of interaction between applications in separate containers
B, D: Containerization, or OS virtualization, is based on the concept of eliminating the duplication of OS elements in a virtual machine. Some containerization solutions allow multiple concurrent applications within a single container, whereas others are limited to one application per container. Many containerization solutions allow customization of how much interaction is permitted between applications in separate containers. The other options are incorrect. A virtual machine-based system uses a hypervisor installed on the bare metal of the host server and then operates a full guest OS within each virtual machine; each virtual machine often supports only a single primary application. Software-defined visibility (SDV) is a framework to automate the processes of network monitoring and response.
Xavier has been tasked with redesigning the network in order to minimize the risk related to users in one department accessing the systems in another. Which of the following is not used to segment a network? A. Screened subnet B. VPN C. VLAN D. ISFW
B: A VPN is not a network segmentation technology; it is a secured encapsulation tunnel used to connect networks (or network segments) together. Screened subnets, VLANs, and internal segmentation firewalls (ISFWs) are all used to segment a network.
What is used to keep subjects accountable for their actions while they are authenticated to a system? A. Authentication B. Monitoring C. Account lockout D. User entitlement reviews
B: Accountability is maintained by monitoring the activities of subjects and objects as well as monitoring core system functions that maintain the operating environment and the security mechanisms. Authentication is required for effective monitoring, but it doesn't provide accountability by itself. Account lockout prevents login to an account if the wrong password is entered too many times. User entitlement reviews can identify excessive privileges.
Johnnie is learning about the network protocol stack. While evaluating the Data Link and Network layers she notices a protocol, ARP, that is indicated as operating in between those layers. What function does ARP perform in typical network communications? A. It is a routing protocol. B. It resolves IP addresses into MAC addresses. C. It resolves logical addresses into a FQDN. D. It manages multicasting streaming.
B: Address Resolution Protocol (ARP) resolves IP addresses (logical addresses) into MAC addresses (physical addresses). ARP is not a routing protocol. RIP, IGRP, IS-IS, OSPF, BGP, and EIGRP are routing protocols. DNS reverse lookup or a PTR query resolves a logical address into a FQDN. Multicasting streaming is managed by IGMP.
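To make the Data Link/Network boundary concrete, here is an added example that is not part of the original exam material: a minimal parser for ARP frames (which ride directly on Ethernet with no IP header) and a check for the ARP poisoning condition, in which a host answers for an IP address that is already bound to a different MAC. All frames are constructed sample data, not captures from a real network.

```python
"""Added example, not part of the original exam material: a minimal parser
for ARP frames (which sit directly above Ethernet, with no IP header) and a
check for ARP poisoning, where a host answers for an IP address already
bound to a different MAC. The frames are constructed sample data, not a
capture from a real network."""
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def _ip_bytes(ip: str) -> bytes:
    return bytes(int(part) for part in ip.split("."))


def build_arp(op: int, sha: bytes, spa: str, tha: bytes, tpa: str) -> bytes:
    """Build an Ethernet II frame carrying an ARP packet (for sample data)."""
    dst = b"\xff" * 6 if op == ARP_REQUEST else tha
    eth = dst + sha + struct.pack("!H", ETHERTYPE_ARP)
    # hardware type 1 (Ethernet), protocol 0x0800 (IPv4), 6-byte MAC, 4-byte IP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return eth + arp + sha + _ip_bytes(spa) + tha + _ip_bytes(tpa)


def parse_arp(frame: bytes) -> dict:
    """Decode the ARP fields from a raw Ethernet frame."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol types")
    body = frame[22:42]
    return {
        "op": op,
        "sender_mac": body[0:6].hex(":"),
        "sender_ip": ".".join(str(b) for b in body[6:10]),
        "target_mac": body[10:16].hex(":"),
        "target_ip": ".".join(str(b) for b in body[16:20]),
    }


def detect_poisoning(frames) -> list:
    """Learn IP->MAC bindings from ARP replies and report any reply that
    claims an IP already bound to a different MAC, as (ip, known_mac, new_mac)."""
    bindings, alerts = {}, []
    for frame in frames:
        pkt = parse_arp(frame)
        if pkt["op"] != ARP_REPLY:
            continue
        ip, mac = pkt["sender_ip"], pkt["sender_mac"]
        known = bindings.setdefault(ip, mac)
        if known != mac:
            alerts.append((ip, known, mac))
    return alerts


# Constructed sample: the victim asks for the gateway, the gateway answers,
# then a second host answers for the gateway's IP with its own MAC.
GATEWAY_MAC = bytes.fromhex("00aa11bb22cc")
VICTIM_MAC = bytes.fromhex("001122334455")
ATTACKER_MAC = bytes.fromhex("00ee55ff6677")
SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, VICTIM_MAC, "10.0.0.20", b"\x00" * 6, "10.0.0.1"),
    build_arp(ARP_REPLY, GATEWAY_MAC, "10.0.0.1", VICTIM_MAC, "10.0.0.20"),
    build_arp(ARP_REPLY, ATTACKER_MAC, "10.0.0.1", VICTIM_MAC, "10.0.0.20"),
]

if __name__ == "__main__":
    print(detect_poisoning(SAMPLE_FRAMES))
```

ARP has no authentication, so nothing in the protocol distinguishes the third frame from a legitimate gateway reply; only the conflict with an earlier binding reveals it. A real monitor (arpwatch, for example) keeps binding history so that legitimate MAC changes such as router failover can be told apart from an attack, and switches with Dynamic ARP Inspection drop replies that disagree with the DHCP snooping table.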
Your organization has a database that includes residents of the EU. Management wants to transfer this to a third party for research and aggregation, but they want to modify the data so it can be transferred without GDPR compliance problems. Which of the following techniques will meet these requirements? A. Pseudonymization B. Anonymization C. Tokenization D. None of the above
B: Anonymization techniques remove all personally identifiable data so that the original identities cannot reasonably be determined. When done correctly, the GDPR no longer applies to the resulting dataset. Pseudonymization is the process of replacing some data with an identifier, such as a pseudonym; a separate dataset holds the original data along with the pseudonym. Because the original identities can be recovered with that separate dataset, the GDPR still applies to pseudonymized data. Tokenization replaces some data with tokens or aliases; a third party typically keeps the original data along with the token, so, like pseudonymization, it remains reversible.
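The distinction matters in practice because the two techniques leave very different artifacts behind. The following is an added example, not part of the original exam material: a pseudonymization routine that is reversible through a separately held key and lookup table, beside an anonymization routine that drops direct identifiers and generalizes the remaining quasi-identifiers until no individual stands out. The records, the HMAC key, the reference year and the generalization rules are constructed illustrations, not a legal standard.

```python
"""Added example, not part of the original exam material: the practical
difference between pseudonymization (reversible through a separately held
key and lookup table, so still personal data) and anonymization (direct
identifiers removed and quasi-identifiers generalized until individuals no
longer stand out). The records, the key and the generalization rules are
constructed illustrations, not a legal standard."""
import hashlib
import hmac
from collections import Counter

PSEUDONYM_KEY = b"example-key-kept-apart-from-the-dataset"  # assumption
REFERENCE_YEAR = 2024  # assumption used to derive age bands

SAMPLE_RECORDS = [  # constructed sample data
    {"name": "Alice Example", "email": "alice@example.eu", "birth_year": 1984, "postcode": "75008", "condition": "asthma"},
    {"name": "Bob Example", "email": "bob@example.eu", "birth_year": 1981, "postcode": "75015", "condition": "none"},
    {"name": "Chloe Example", "email": "chloe@example.eu", "birth_year": 1990, "postcode": "75011", "condition": "diabetes"},
    {"name": "Dan Example", "email": "dan@example.eu", "birth_year": 1988, "postcode": "69001", "condition": "none"},
    {"name": "Eve Example", "email": "eve@example.eu", "birth_year": 1992, "postcode": "75020", "condition": "asthma"},
]


def pseudonymize(records, key=PSEUDONYM_KEY):
    """Replace direct identifiers with a keyed pseudonym (HMAC-SHA256 of the
    e-mail). Returns the dataset and the lookup table that re-identifies it;
    the two must be stored and access-controlled separately."""
    dataset, lookup = [], {}
    for r in records:
        token = hmac.new(key, r["email"].lower().encode(), hashlib.sha256).hexdigest()[:16]
        lookup[token] = {"name": r["name"], "email": r["email"]}
        dataset.append({"subject": token, "birth_year": r["birth_year"],
                        "postcode": r["postcode"], "condition": r["condition"]})
    return dataset, lookup


def reidentify(dataset, lookup):
    """Whoever holds the lookup table can undo pseudonymization."""
    return [lookup[row["subject"]]["email"] for row in dataset]


def anonymize(records, k=2, reference_year=REFERENCE_YEAR):
    """Drop direct identifiers, generalize the quasi-identifiers (age to a
    decade band, postcode to its first two digits) and suppress any row whose
    quasi-identifier combination appears fewer than k times (k-anonymity)."""
    rows = []
    for r in records:
        age_band = f"{(reference_year - r['birth_year']) // 10 * 10}s"
        rows.append({"age_band": age_band, "region": r["postcode"][:2], "condition": r["condition"]})
    counts = Counter((row["age_band"], row["region"]) for row in rows)
    return [row for row in rows if counts[(row["age_band"], row["region"])] >= k]


if __name__ == "__main__":
    data, table = pseudonymize(SAMPLE_RECORDS)
    print(data[0], "->", reidentify(data[:1], table))
    print(anonymize(SAMPLE_RECORDS))
```

Note that the pseudonymized output still carries birth year and full postcode, so even without the lookup table it can often be linked back to a person using outside data; that is one reason the GDPR treats it as personal data. The anonymized output suppresses Dan's row entirely because a 30-something in region 69 is unique in this small set. Real datasets need a larger k and a review of the sensitive attribute distribution, not just this count.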
Which of the following choices would be the most important consideration when identifying the classification of assets? A. Value of the asset B. Value of the data it holds or processes C. Security controls used to protect the asset D. The user of the assets
B: Assets are classified based on the data that they hold or process. Data is classified based on its value to the organization. Assets are protected using various security controls, and these controls are selected based on the classification of the data. The user of the assets is responsible for following policies related to classifications.
Administrators are installing a database application on server in the server room. Management wants to ensure only authorized personnel can access the server and modify any of the application settings. Which of the following is the best choice of a logical access control that can help meet this goal? A. Authentication B. Authorization C. Single sign-on D. Turnstile
B: Authorization is the best choice. For example, certain users (such as database administrators) can be granted authorization to modify settings, while all other users are denied. Users provide credentials (such as a username and password) to authenticate, but users should not be able to modify server settings simply because they authenticated. Single sign-on (SSO) is not relevant to this scenario. SSO is a centralized access control technique that allows users to authenticate once and access multiple systems within a network without authenticating again. A turnstile is a physical security control, not a logical one.
You recently wrote and published a book on how to pass the CISSP exam. You want to protect your rights under copyright law. Which of the following would you use? A. DLP B. DRM C. CASB D. EOS
B: Digital rights management (DRM) methods attempt to provide copyright protection for copyrighted works. Data loss prevention (DLP) systems detect and prevent data from leaving a network. A cloud access security broker (CASB) is software placed logically between users and cloud-based resources to enforce the security policies used in an internal network. End of support (EOS) marks the point at which a vendor stops providing patches and updates for a product; it is unrelated to copyright.
Brian is planning to conduct a disaster recovery test. During the test, he will relocate personnel to the hot site, activate the site, and simulate live operations by processing the same data at the hot site as the organization processes at the primary site. The primary site will be taken offline once the test is underway. What type of test is Brian planning? A. Parallel test B. Full-interruption test C. Structured walk-through D. Simulation test
B: Full-interruption tests activate the alternate processing facility and take the primary site offline. Parallel tests also activate the alternate facility but keep operational responsibility at the primary site. Structured walk-throughs and simulation tests do not activate the alternate site.
What concept was first introduced by the U.S. Department of Defense in the 1990s as a way to use multifunctional groups to foster parallel decisions in software development? A. COTS B. IPT C. Agile D. DevOps
B: Integrated Product Teams (IPTs) were introduced in 1995 by DoD to bring together stakeholders and foster parallel decision-making. The Agile and DevOps approaches also foster this approach, but they came into practice many years later and were first embraced in the private sector.
A junior administrator is installing an application on a Windows server. The application needs to run in the context of an account with specific privileges. Which of the following is the best choice? A. LocalSystem account B. Service account C. Administrator account D. Sudo account
B: It's best to create a service account and assign the specific privileges to the account needed by the application. The LocalSystem account and the Administrator account both have full administrative privileges, but the scenario doesn't indicate the application needs administrative privileges. Users are granted sudo permissions on Linux systems, allowing them to run commands with root-level permissions, but sudo is not an account.
A customer created an online saving account using a web browser. Before the bank created the account, it asked the customer a series of questions about past addresses where they'd lived and current payment amounts for their car and mortgage. Which of the following best describes this process? A. A cognitive password B. Knowledge-based authentication C. Registration D. Two-factor authentication
B: Knowledge-based authentication (KBA) processes ask a user a series of questions based on their history as recorded in authoritative sources. A cognitive password also asks a series of questions, but these are questions the user previously answered, such as a favorite color. The registration process is used to enroll users, such as internal employees, and may collect biometric data. Two-factor authentication uses two separate types of authentication, but KBA is only one type of authentication.
No one control can protect against all possible threats. Using a multilayered solution allows for numerous, different controls to guard against whatever threats come to pass. Which of the following is the most important and distinctive concept in relation to layered security? A. Multiple B. Series C. Parallel D. Filter
B: Layering is the deployment of multiple security mechanisms in series. When security restrictions are applied in series, they are performed one after another in a linear fashion, so a single failure of one security control does not render the entire solution ineffective. Having multiple security controls matters only because it allows them to be arranged in series rather than relying on one protection. Controls placed in parallel are no better than a single protection. Filtering is a common feature of many security measures, such as firewalls, but it is not an essential element of layered security.
While performing a risk assessment, you need to create a list of threats. You are focusing on email as an asset, but you then realize email can be used as a weapon as well. What is it called when email itself is used as an attack mechanism? A. Masquerading B. Mail-bombing C. Spoofing D. Smurf attack
B: Mail-bombing is the use of email as an attack mechanism by flooding a system with messages, causing a denial of service. Masquerading is claiming to be someone or something else and is a form of spoofing. Spoofing is the falsification of the source of a communication, such as spoofing an IP address, email address, or MAC address. A Smurf attack is an ICMP-based DoS.
You are reading through the employment documents that you will be required to sign if you accept the job position being offered. These documents include various security policies. One of them includes the statement "the freedom from being observed, monitored, or examined without consent or knowledge." What concept is being defined by this statement? A. Integrity B. Privacy C. Authentication D. Accountability
B: One definition of privacy is freedom from being observed, monitored, or examined without consent or knowledge. The other options are incorrect. Integrity is protection against unauthorized or malicious change. Authentication is proof that an individual (or device or other entity) is the identity that they claim to be. Accountability is holding a subject responsible for their actions when their activities are recorded in a log file (i.e., auditing) and their privileges were clearly established (i.e., authorization) and a solid link between the digital account and the actual person is established (i.e., authentication). This is the final result of an AAA service.
An administrator set the password expiration for 7 days. Which of the following is a benefit of this change? A. It prevents users from reusing the same passwords. B. It forces all active users to change their password within a week. C. It identifies the minimum age of a password. D. It identifies the lockout period after a user enters an incorrect password too many times.
B: Setting the password expiration to 7 days will force all active users to change their password within a week. This is the same as setting the maximum age of a password. A password history can remember previously used passwords and prevent users from reusing the same passwords. Password history is often combined with a minimum password age. This prevents users from changing their password repeatedly to get back to their original password. A lockout policy (not a password policy) identifies how long an account is locked out after a password is entered incorrectly too many times.
Patricia recently discovered that passwords to systems and user accounts belonging to her organization were for sale on the dark web. She believes that she knows the individual who stole and is selling those passwords and wishes to contact law enforcement. What law has most likely been violated? A. Electronic Communications Privacy Act B. Computer Fraud and Abuse Act C. Federal Sentencing Guidelines D. National Infrastructure Protection Act
B: The Computer Fraud and Abuse Act (CFAA) explicitly covers trafficking in passwords. This is the activity that Patricia discovered and she could refer the matter for possible federal prosecution. The Electronic Communications Privacy Act (ECPA) protects against eavesdropping on electronic communications. The Federal Sentencing Guidelines are not law and do not contain privacy protection provisions. The National Infrastructure Protection Act would only apply if the system were part of a critical infrastructure system. That is not indicated in the scenario.
Which of the following best describes change management? A. Preventing changes to systems B. Ensuring only approved changes are implemented C. Ensuring that changes do not require too many resources to complete D. Auditing privilege access
B: The goal of change management is to ensure that changes are made to systems in an orderly manner, not to prevent changes. It does verify that all changes are properly tested and approved prior to implementation. Change management programs review and approve changes but do not prioritize their use of development resources. Change management doesn't perform any type of auditing of access controls.
While traveling, a worker connects their company-issued computer to a hotel Wi-Fi network, rather than the cellular data service included with the system. After checking email, performing online research, posting a message to a company discussion forum, and updating his itinerary in the company scheduling service, he disconnects. A few days later, the company experiences an intrusion and trade secrets are stolen by an unknown attacker. The incident investigation revealed that the credentials used to gain access to company during the breach belonged to the remote worker. What was the cause of the company compromise? A. Social engineering B. Not using a 4G or 5G link C. Pivoting D. ARP poisoning
B: The most likely cause of this incident was an acceptable use policy violation: not using the 4G/5G cellular service included with the mobile system. If a company-issued computer has a cellular data service, it is likely that there is a prohibition on using open Wi-Fi networks. The use of the hotel network may have exposed the worker's connection to interception and eavesdropping, granting the attacker knowledge of the company network and the worker's credentials. Nothing in the scenario indicates that the incident was related to social engineering. Pivoting is not a reason for a breach; it is a technique used by attackers to target additional systems once an initial compromise succeeds. ARP poisoning might have been involved in the attack if the adversary was in the same hotel and on the same Wi-Fi network as the victim, but it is not the primary reason the attack occurred.
Wireless clients connect to the private network through a firewall after being properly authenticated by authentication, authorization, and accounting (AAA) services. The network uses both TACACS+ and RADIUS. What ports should be open in order to support the logon process? A. TCP 389 and UDP 53 B. UDP 1812 and TCP 49 C. TCP 49 and UDP 162 D. UDP 19 and TCP 3389
B: The ports from this list that are relevant to this scenario are UDP 1812 for RADIUS authentication (RADIUS accounting uses UDP 1813) and TCP 49 for TACACS+. Only with these ports open on the firewall between the WAP and the intranet will wireless endpoints be able to authenticate via the enterprise (ENT) option to one of these AAA services. TCP 389 is plaintext LDAP, UDP 53 is DNS queries, UDP 162 is SNMP trap messages, UDP 19 is CHARGEN (Character Generator Protocol), and TCP 3389 is RDP.
There is a risk that an avalanche may damage your $3 million manufacturing facility. Experts claim that there is a 5 percent chance that an avalanche will occur each year. They further advise you that an avalanche would completely destroy your building. Your business insurance will cover the loss, but such coverage would require you to rebuild on the same land. The building and its contents account for 90 percent of the value of the facility; the remainder is attributed to the land itself. What is the single loss expectancy of your manufacturing facility to avalanches? A. $3 million B. $2,700,000 C. $270,000 D. $135,000
B: The single loss expectancy (SLE) is calculated by multiplying the AV ($3 million) by the EF (90%). Thus SLE = $2,700,000. The EF is only the portion of the value lost due to the risk of avalanche, which is indicated as 90%. The 10% of the remaining value is assigned to the land, which is required as the location for rebuilding (i.e., its value is not lost in this scenario). (A) $3 million is the overall value of the facility, contents, and land combined. (D) $135,000 is the annualized loss expectancy (ALE), which is calculated by multiplying the SLE by the annualized rate of occurrence (ARO) of 5% per year. (C) The $270,000 is not a valid result of any standard quantitative risk analyses calculation based on the parameters of this scenario.
Which of the following is true? A. A security control should only support external monitoring. B. If a security control's benefits cannot be quantified, evaluated, or compared, then it does not actually provide any security. C. Measuring the effectiveness of a countermeasure is always an absolute value. D. Most countermeasures offer specific hard numbers as to the number of breaches prevented or attack attempts thwarted.
B: There is only one true statement from these options: (B) If a security control's benefits cannot be quantified, evaluated, or compared, then it does not actually provide any security. The other options are incorrect. Corrected versions of those statements are: (A) A security control may provide native or internal monitoring, or external monitoring might be required; (C) Measuring the effectiveness of a countermeasure is not always an absolute value; (D) Many countermeasures offer degrees of improvement rather than specific hard numbers as to the number of breaches prevented or attack attempts thwarted.
Tina is preparing to create a forensic image of a hard drive from a system involved in a security incident. What hardware device can she use to help ensure that creating the image does not alter the original evidence? A. Network tap B. Write blocker C. Protocol analyzer D. Cryptographic hash
B: Write blockers are hardware devices used to prevent the accidental writing of data to media that was collected as evidence. Network taps and protocol analyzers are used in the collection of evidence from networks, rather than storage. Cryptographic hashes may be used to detect unauthorized changes to evidence, but they do not prevent those changes from occurring.
Mark is planning to conduct a penetration test against his organization's systems and is documenting the tactics he will use. Which one of the following would not be considered a penetration testing best practice? A. Mimicking attacks previously perpetrated against your system B. Performing the attacks without management's consent C. Using manual and automated attack tools D. Reconfiguring the system to resolve any discovered vulnerabilities
B: You should never conduct a formal or informal penetration test against any company without the advance knowledge and express consent of management.
You are updating the employee termination procedures in order to reduce risk and avoid liability. A few recent termination events did not go well, which resulted in several very uncomfortable confrontations between the to-be-fired employee and the company leadership. When an employee is to be terminated, which of the following should be done? A. Inform the employee a few hours before they are officially terminated. B. Disable the employee's network access just as they are informed of the termination. C. Send out a broadcast email informing everyone that a specific employee is to be terminated. D. Wait until the manager and the employee are the only people remaining in the building before announcing the termination.
B: You should remove or disable the employee's network user account immediately before or at the same time they are informed of their termination, such as when the door closes on their exit interview. When an employee is to be terminated, it is not in the company's security best interest to inform them hours prior to the official termination process, notify everyone in a memo that someone is going to be terminated, or to wait until the employee-to-be-fired is the last person in the building. These all put the company (and the manager) at greater risk than necessary.
"Trust but verify" is a security approach that leaves an organization vulnerable to insider attacks and grants intruders the ability to easily perform lateral movement among internal systems. Often this approach depends on an initial authentication process to gain access to the internal "secured" environment, and then relies on generic access control methods. What new security approach replaces trust but verify? A. Keep it simple B. Zero trust C. Fail securely D. Privacy by design
B: Zero trust is the recommended replacement security approach for trust but verify. This is due to the rapid growth and changes in the modern threatscape, such as the proliferation of endpoint devices, which have made the trust but verify model of security insufficient. The other options are incorrect. Although they are all secure design principles, they are not the direct replacement for trust but verify. Trust but verify grants trust by default and then blocks or removes trust only after a violation or breach, whereas zero trust grants nothing by default and requires every access to be verified. This is the same distinction as between allow listing (i.e., block by default) and block listing (i.e., allow by default).
Gene is reviewing the shared software libraries used within his organization. He notices that developers widely use open source libraries. Which of the following statements about these libraries are true? (Select all that apply) A. Open-source libraries generally have higher security risks than commercial libraries. B. Open-source libraries should not be used unless absolutely necessary. C. Open-source libraries should be tested for security vulnerabilities. D. Open-source library use within the organization should be tracked.
C, D: Open-source libraries are commonly used by software developers and do not necessarily pose a higher risk than commercially available libraries. Their use should be tracked and subject to regular security testing, just as closed-source libraries should be.
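Tracking and testing library use is usually automated rather than done by hand. The following is an added example, not part of the original exam material: it builds an inventory from a project's declared dependencies and checks each pinned version against an advisory list, flagging unpinned entries that cannot be assessed at all. The requirements text and the advisory ranges are constructed sample data, not taken from any real vulnerability database.

```python
"""Added example, not part of the original exam material: an inventory of
the open-source libraries a project declares, checked against an advisory
list, which is the tracking and testing the answer above calls for. The
requirements text and the advisory ranges are constructed sample data,
not a real vulnerability database."""
import re

SAMPLE_REQUIREMENTS = """\
# constructed requirements.txt
requests==2.25.1
cryptography==41.0.3
pyyaml>=5.4
urllib3==1.26.5  # pinned transitive dependency
"""

# constructed advisories: (package, first vulnerable version, first fixed version)
SAMPLE_ADVISORIES = [
    ("requests", "2.0.0", "2.31.0"),
    ("urllib3", "1.0.0", "1.26.18"),
]

REQ_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*(==|>=|<=|~=|>|<)?\s*([0-9][0-9A-Za-z.]*)?")


def parse_version(version: str) -> tuple:
    """Turn '1.26.5' into (1, 26, 5) so versions compare numerically, not as text."""
    return tuple(int(part) if part.isdigit() else 0 for part in version.split("."))


def inventory(text: str) -> list:
    """Return (name, operator, version) for each dependency declared in the file."""
    items = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        match = REQ_RE.match(line)
        if not match:
            raise ValueError(f"cannot parse requirement: {line!r}")
        name, op, version = match.groups()
        items.append((name.lower(), op, version))
    return items


def assess(items, advisories) -> dict:
    """Classify each dependency as vulnerable, clean, or unpinned.

    An unpinned requirement (no exact '==') resolves to whatever the
    installer picks, so its exposure cannot be evaluated from the manifest
    alone; that is a finding in itself."""
    result = {"vulnerable": [], "clean": [], "unpinned": []}
    for name, op, version in items:
        if op != "==" or version is None:
            result["unpinned"].append(name)
            continue
        v = parse_version(version)
        hit = any(pkg == name and parse_version(lo) <= v < parse_version(fixed)
                  for pkg, lo, fixed in advisories)
        (result["vulnerable"] if hit else result["clean"]).append(f"{name}=={version}")
    return result


if __name__ == "__main__":
    print(assess(inventory(SAMPLE_REQUIREMENTS), SAMPLE_ADVISORIES))
```

The same structure applies to lock files, SBOMs and container image manifests; the manifest gives you the inventory, the advisory feed gives you the test, and the unpinned category is where supply-chain surprises usually come from. Note that `parse_version` is deliberately simple and does not handle pre-release suffixes the way a full PEP 440 implementation does.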
Security administrators suspect that many users have excessive privileges due to creeping privileges. What can be used to verify this? A. Account provisioning B. Disabling an account C. Account review D. Account revocation
C: Account reviews can detect instances of creeping privileges or excessive privileges. Account provisioning grants privileges. Disabling an account ensures it isn't used, and account revocation deletes the account.
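What an account review actually computes is simple to express. The following is an added example, not part of the original exam material: it compares each account's current entitlements with the baseline for its current role and reports the excess, separating rights explained by a former role (the classic creeping-privilege pattern) from grants with no role justification at all. The roles, accounts and entitlement names are constructed sample data.

```python
"""Added example, not part of the original exam material: an account review
that compares each user's current entitlements with the baseline for their
current role and reports the excess, which is what creeping privileges look
like in data. Roles, users and entitlements are constructed sample data."""

ROLE_BASELINE = {  # constructed: the entitlements each role is supposed to have
    "helpdesk": {"ticketing.read", "ticketing.write", "ad.reset_password"},
    "dba": {"db.read", "db.write", "db.admin"},
    "finance": {"erp.read", "erp.post_journal"},
}

SAMPLE_ACCOUNTS = [  # constructed; 'history' lists the roles a user held before
    {"user": "asmith", "role": "dba", "history": ["helpdesk"],
     "entitlements": {"db.read", "db.write", "db.admin", "ad.reset_password"}},
    {"user": "bjones", "role": "finance", "history": [],
     "entitlements": {"erp.read", "erp.post_journal"}},
    {"user": "cwu", "role": "helpdesk", "history": [],
     "entitlements": {"ticketing.read", "ticketing.write", "db.admin"}},
]


def review(accounts, baseline) -> list:
    """Return one finding per account holding entitlements outside its role.

    Each finding splits the excess into rights explained by a former role
    (creep: the grant was never revoked on role change) and rights with no
    role justification at all (unexplained: investigate how they were granted).
    Both sets are what the reviewer should revoke."""
    findings = []
    for acct in accounts:
        allowed = baseline[acct["role"]]
        excess = acct["entitlements"] - allowed
        if not excess:
            continue
        former = set().union(*(baseline[r] for r in acct["history"]))
        findings.append({
            "user": acct["user"],
            "creep": sorted(excess & former),
            "unexplained": sorted(excess - former),
            "revoke": sorted(excess),
        })
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_ACCOUNTS, ROLE_BASELINE):
        print(finding)
```

In a real review the baseline comes from the role definitions in the identity system and the entitlements from the target applications, and the output is a revocation ticket per user, not just a report. The split between creep and unexplained matters for follow-up: creep points to a gap in the role-change process, while an unexplained grant may indicate an unapproved change or a compromised account.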
Management wants to ensure that an IT network supports accountability. Which of the following is necessary to meet this requirement? A. Identification B. Integrity C. Audit trails D. Confidentiality
C: Audit trails provide a record of events in audit logs. They include what happened and who did it. Users can be held accountable for their actions when the logs show what they did. Authentication (not available as a possible answer) is also necessary. Users claim an identity with identification and prove their identity with authentication (such as a password). However, identification without authentication doesn't support accountability. Integrity provides assurances that unauthorized entities have not modified data or system settings. Confidentiality ensures that unauthorized entities can't access sensitive data and is unrelated to this question.
Users normally log on with a username and password. Management wants to increase security by adding an authentication method in the something you are category. Which of the following is the best choice? A. A smartcard B. The maiden name of the user's mother C. Fingerprints D. A PIN
C: Fingerprints are the only answer in the something-you-are factor. A smartcard is in the something-you-have factor. The maiden name of the user's mother and a personal identification number (PIN) are both in the something-you-know factor.
Juniper Enterprises' data center lies in a 500-year FEMA flood plain. What is the likelihood that a flood will affect the data center in any given year? A. 1% B. 5% C. 0.2% D. 0.1%
C: Flooding is expected once every 500 years in a 500-year flood plain. This is equivalent to a 0.2% annual risk of flood.
An important reason to maintain separate work areas between different levels of employees is the prevention of which of the following? A. Collision B. Collusion C. Shoulder surfing D. Loss of portable storage devices
C: If an employee with a lower level of clearance can be present in an area of higher clearance, then that employee may be able to see sensitive information on displays (i.e., shoulder surfing). The other options are incorrect. A collision is when two data sets produce the same hash value. Collusion is when two or more people work together to commit a policy violation or a crime. Separating personnel authority levels does not really address collusion. It is arguable that it might encourage it as a lower level employee may need the cooperation of a higher level employee to gain access to a valuable asset. Separating employee areas does not affect the loss of portable storage devices. It would make it more challenging for a lower-level employee to use a portable storage device with a higher-level computer system.
A small business owner has created a network to support employees. When an employee creates a file, the employee is the owner and can assign access to the file. Which of the following access control models does this describe? A. Mandatory Access Control (MAC) B. Rule-based access control C. Discretionary Access Control (DAC) D. Role-Based Access Control (RBAC)
C: In a DAC model, every object has an owner, and the owner assigns access to the object. The MAC model uses labels to assign access and is sometimes referred to as a lattice-based model. A rule-based access control model uses rules to grant access. RBAC models use groups or roles to assign access.
What nontraditional alternative recovery site is made up of transportable relocation units? A. Cloud service provider B. Hot site C. Mobile site D. Mobility suite
C: Mobile sites are nonmainstream alternatives to traditional recovery sites. They typically consist of self-contained trailers or other easily relocated units. Hot sites are stationary locations and not mobile. Cloud service providers do not offer the exclusive use of facilities but operate on a multitenancy model. Mobility suites are not a type of disaster recovery site.
An organization plans to donate several older computers to a local school. Chad will sanitize the hard drives in these computers. Which of the following methods is Chad most likely to use? A. Erasing B. Clearing C. Purging D. Overwriting
C: Purging media removes all data by writing over existing data multiple times to ensure that the data is not recoverable using any known methods. Purged media can then be reused in less secure environments. Erasing the media performs a delete, but the data remains and can easily be restored. Clearing, or overwriting, writes unclassified data over existing data, but some sophisticated forensics techniques may be able to recover the original data, so this method should not be used to reduce the classification of media.
You are creating a data policy identifying data that should be destroyed at the end of its lifecycle. You want to stress one of the problems that can result from incomplete sanitization. Which of the following statements correctly identifies a problem statement you should add? A. Methods are not available to remove data, ensuring that unauthorized personnel cannot retrieve data. B. Even fully incinerated media can offer extractable data. C. Personnel can perform sanitization steps improperly. D. Stored data is physically etched into the media.
C: Sanitization can be unreliable because personnel can perform the purging, degaussing, or other processes improperly. When done properly, purged data is not recoverable using any known methods. Data cannot be retrieved from incinerated or burned media. Data is not physically etched into the media.
Your organization wants to reduce the administrative workload by implementing automated responses to common attacks. Which of the following will meet this need? A. Web application firewall B. Clipping levels C. SOAR D. Sampling
C: Security Orchestration, Automation, and Response (SOAR) technologies provide automated responses to common attacks, reducing an administrator's workload. A web application firewall protects a web server, but it doesn't address all attacks. Sampling and clipping are methods used to reduce what needs to be examined in logs, and they do not automate any attack responses.
Which of the following statements is false? A. Security governance is the collection of practices related to supporting, defining, and directing the security efforts of an organization. B. Security governance is the implementation of a security solution and a management method that are tightly interconnected. C. Security governance is an IT issue only. D. Security governance directly oversees and gets involved in all levels of security.
C: Security governance is not and should not be treated as an IT issue only. Security governance is a business operations issue. The other statements are true.
David gathered his organization's disaster recovery team on a videoconference and asked them to consider how they would respond if the area suffered an earthquake and they were unable to return to their primary facility. What type of testing is he conducting? A. Full-interruption test B. Parallel test C. Simulation test D. Structured walk-through
C: Simulation tests are similar to the structured walk-throughs. In simulation tests, disaster recovery team members are presented with a scenario and asked to develop an appropriate response. That is the case in David's earthquake exercise. There is no activation of any alternate facility, as would take place in a full-interruption or parallel test.
Your company is planning to launch an e-commerce website. Management wants to ensure this website has adequate security controls in place before the site goes live. Administrators started with a baseline of security controls. What else should be a primary consideration related to security controls? A. Identifying the data controller B. Identifying the data processor C. Selecting a standard D. Preventing data loss
C: Standards selection refers to adding security controls based on external standards. The Payment Card Industry Data Security Standard (PCI DSS) is an example of an external standard, and it mandates the use of several specific controls. The identification of the data controller and data processor isn't related to the selection of security controls. Data loss prevention methods attempt to prevent data from leaving a network but are less of a concern on a public-facing e-commerce server.
What is the maximum key length supported by the Advanced Encryption Standard's Rijndael encryption algorithm? A. 128 bits B. 192 bits C. 256 bits D. 512 bits
C: The AES/Rijndael algorithm is capable of operating with 128-, 192-, or 256-bit keys. Whatever the key length, the AES standard (FIPS 197) fixes the block size at 128 bits; the original Rijndael submission also allowed 192- and 256-bit blocks, but those variants are not part of AES. A longer key adds rounds (10, 12, and 14 rounds for 128-, 192-, and 256-bit keys), not a larger block.
What protocol replaces certificate revocation lists with a real-time method of verifying the status of a digital certificate? A. SAE B. LDAP C. OCSP D. BGP
C: The Online Certificate Status Protocol (OCSP) provides real-time query/response services to digital certificate users. This overcomes the latency inherent in the traditional certificate revocation list download and cross-check process. Simultaneous Authentication of Equals (SAE) is an authentication protocol used in WPA3 wireless networking. The Lightweight Directory Access Protocol (LDAP) is a directory services protocol. The Border Gateway Protocol (BGP) is used to establish network routes.
Which one of the following is a cloud-based software delivery model that allows users to access email via a web browser? A. Infrastructure as a Service (IaaS) B. Platform as a Service (PaaS) C. Software as a Service (SaaS) D. Public
C: The SaaS service model provides services such as email via a web browser. IaaS provides the infrastructure (such as servers), and PaaS provides a platform (such as an operating system and application installed on a server). Public is a deployment model, not a service model.
What rule of evidence states that a written agreement is assumed to contain all terms of the agreement? A. Real evidence B. Best evidence C. Parol evidence D. Chain of evidence
C: The parol evidence rule states that when an agreement between parties is put into written form, the written document is assumed to contain all the terms of the agreement, and no verbal agreements may modify the written agreement.
The Roscommon Rangers baseball team is concerned about the risk that a storm might result in the cancellation of a baseball game. There is a 30 percent chance that the storm will occur, and if it does, the team must refund all single-game tickets because the game cannot be rescheduled. Season ticket holders will not receive a refund and account for 20 percent of ticket sales. The ticket sales for the game are $1,500,000. What is the single loss expectancy in this scenario? A. $300,000 B. $1,050,000 C. $1,200,000 D. $1,500,000
C: The single loss expectancy is calculated as the product of the exposure factor (80 percent) and the asset value ($1,500,000). In this example, the single loss expectancy is $1,200,000.
You are deploying a new product into the production environment. It is a self-contained next-generation firewall (NGFW), which should be able to filter unwanted traffic by keyword, application, and protocol. You position the new device between the client network segment and the server network segment. However, once it is installed, users report that they can no longer access company servers or the internet. What is the potential cause of this issue? A. There is poor network segmentation. B. The firewall is a fail-open solution. C. The new device has secure defaults. D. The new product is a closed system.
C: This scenario's problems are caused by the new device having secure defaults. This is a common problem with security products—they are often configured with strong security defaults so that adjustments must be made to allow for typical communications and operations. Option A is incorrect because network segmentation is not the issue; the network was already divided before the new device was deployed. Option B is incorrect because a fail-open system allows open communications when a failure event occurs in order to protect availability. This situation does not indicate that the new device itself experienced a failure, just that end users are unable to access resources after its deployment. So, even if the firewall were a fail-open system, it did not experience a failure and did not revert to its open-upon-fault state. Option D is incorrect because whether the new product is a closed or open system is not the cause of the communication problems. A closed system firewall can be just as effective as an open system firewall; the difference is that no third-party products can directly or easily interface with a closed system product.
What evidence standard do most criminal investigations follow? A. Beyond a reasonable doubt B. Beyond the shadow of a doubt C. Preponderance of the evidence D. Clear and convincing evidence
A: Criminal investigations typically follow the "beyond a reasonable doubt" standard of evidence. Civil cases generally use the lower preponderance of the evidence standard.
IT personnel are concerned that attackers may take over some Internet of Things (IoT) devices on the network's border. They want to ensure that any malicious traffic from these devices is blocked. Which of the following access control models has the best chance of blocking this traffic? A. Attribute-Based Access Control (ABAC) B. Mandatory Access Control (MAC) C. Role-Based Access Control (RBAC) D. Risk-based access control
D: A risk-based access control model can be coded to block malicious traffic from infected IoT devices. It evaluates the environment and the situation and makes decisions to block traffic that is abnormal. An ABAC model uses attributes to grant access and is often used in software-defined networks (SDNs). A MAC model grants access with the use of labels. RBAC uses a well-defined collection of named job roles for access control. Administrators grant each job role with the privileges they need to perform their jobs.
Which of the following is in the something you have factor of authentication and doesn't generate a password? A. A synchronous dynamic token B. An asynchronous dynamic token C. An authenticator app D. Smartcard
D: A smartcard is in the something you have factor of authentication, but it doesn't generate a password. A synchronous dynamic token is synchronized with an authentication server and generates synchronous one-time passwords. An asynchronous dynamic token generates and displays one-time passwords using a challenge-response process. An authenticator app generates one-time passwords (typically time-based codes), so it, too, produces a password.
A bank has a website that allows customers to log on and access their accounts, pay bills, and transfer funds. Of the following choices, when should online customer sessions automatically be closed? A. Never B. After 5 minutes C. After an hour of inactivity D. After 2 minutes of inactivity
D: Closing the session after 2 minutes of inactivity is the best choice of the given options. A bank account where users can transfer funds is a high-value application, so the session should be closed at some point. Never closing a session isn't a secure option. It's common to close sessions of high-value applications sometime between 2 and 5 minutes of inactivity. Option B closes the session 5 minutes after it starts regardless of activity, so it may cut off a customer in the middle of a transaction; an inactivity timeout resets with each request and does not.
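The distinction the explanation draws, an inactivity timeout that resets on every request versus a fixed window that closes the session regardless of activity, is easy to get wrong in code. The following is an added example, not part of the exam or its answer key; the absolute timeout value and the 90-second click cadence are assumptions chosen to make the difference visible, and time is an injected number of seconds rather than the wall clock so the replay is deterministic.

```python
from dataclasses import dataclass
from typing import List, Tuple

IDLE_TIMEOUT = 2 * 60           # seconds of inactivity before the session closes (option D)
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # hard cap regardless of activity (assumed policy value)
FIXED_WINDOW = 5 * 60           # option B read as "5 minutes after login, active or not"


@dataclass
class Session:
    user: str
    created_at: float   # seconds; an injected clock keeps the example deterministic
    last_seen: float

    def is_expired(self, now: float) -> bool:
        idle_too_long = now - self.last_seen > IDLE_TIMEOUT
        lived_too_long = now - self.created_at > ABSOLUTE_TIMEOUT
        return idle_too_long or lived_too_long

    def touch(self, now: float) -> bool:
        """Record a request at time `now`. Returns False if the session had already
        expired, in which case the request is refused and the user re-authenticates.
        Only a successful touch refreshes last_seen."""
        if self.is_expired(now):
            return False
        self.last_seen = now
        return True


def fixed_window_expired(session: Session, now: float) -> bool:
    """Option B: close 5 minutes after login whether or not the customer is active."""
    return now - session.created_at > FIXED_WINDOW


def replay(gaps: List[float], start: float = 0.0) -> List[Tuple[float, bool, bool]]:
    """Replay requests separated by the given gaps (seconds). Each tuple is
    (time, accepted under the inactivity rule, cut off under the fixed window)."""
    s = Session("customer", created_at=start, last_seen=start)
    t, out = start, []
    for g in gaps:
        t += g
        out.append((t, s.touch(t), fixed_window_expired(s, t)))
    return out


if __name__ == "__main__":
    # A customer clicking every 90 s through a 6-minute transfer stays logged in under
    # the inactivity rule but would be cut off by the flat 5-minute limit at t=360.
    for row in replay([90] * 4):
        print(row)
    # A 3-minute pause exceeds the inactivity limit, so the next request is refused.
    print(replay([90, 90, 180])[-1])
```

The expiry check runs before `last_seen` is updated; a common bug is to refresh the timestamp first, which makes an expired session revive itself on the very request that should have been rejected.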
Your organization recently updated the incident response plan using the incident management steps identified in the CISSP objectives. Which of the following steps should be identified as the first step? A. Response B. Recovery C. Remediation D. Detection
D: Detection is the first step. The order of the next steps are response, mitigation, reporting, recovery, remediation, and lessons learned.
An organization is decommissioning several older computers and replacing them with new ones. The CIO wants to ensure that data remanence is not a problem with the disk drives within these computers. Which of the following methods will most likely result in data remanence? A. Clearing B. Purging C. Cryptoshredding D. Erasing
D: Erasing data on a hard disk drive is likely to leave some data on the drive, a condition known as data remanence. Clearing (sometimes called overwriting) overwrites the disk drive with different bits in three separate passes. Purging is a more intense method of clearing the disk and repeats the clearing process multiple times. Cryptoshredding deletes the encryption keys, but the question doesn't indicate that the data is encrypted. One practical caveat: overwriting is dependable for magnetic drives but not for SSDs, whose wear leveling and spare blocks can hold copies the operating system cannot address, so for flash media NIST SP 800-88 favors the drive's built-in sanitize command or cryptographic erase.
Gavin is conducting a test of his organization's disaster recovery plan and reached the phase of the test where they shut down the primary data center. What type of test is he running? A. Parallel test B. Simulation C. Walkthrough D. Full interruption
D: Full interruption tests are the only type of test where the primary data center is shut down. Parallel tests also activate the alternate processing facility but do not shift operational responsibility away from the primary data center. Simulations and walkthroughs do not activate the alternate site.
Your company has just initiated an IPsec policy that requires all systems to request an encrypted session for each communication. While attempting to monitor the network, you want to configure a capture filter in Wireshark to collect just the IPsec negotiations. At which OSI model layer does the IPsec protocol function? A. Data Link B. Transport C. Session D. Network
D: IPsec operates at the Network layer (layer 3). IPsec does not operate at the Data Link, Transport, or Session layer. The primary Data Link VPNs are L2TP and PPTP, although wireless encryption occurs here as well. The primary VPNs at the Transport layer are TLS and SSH. There is no actual Session layer in TCP/IP networks; that function (when performed at all) is handled by TCP at the Transport layer. For the capture filter in the scenario, the negotiations are IKE exchanges carried over UDP port 500 (UDP 4500 when NAT traversal is in use), while the protected traffic itself is ESP (IP protocol 50) or AH (IP protocol 51), so a Wireshark capture filter of udp port 500 or udp port 4500 isolates the negotiations without the bulk of the encrypted payload.
An administrator is tasked with provisioning eight computers for new software developers. Each computer needs the same applications and settings. Which of the following is the easiest method of configuring these computers? A. Set up the computers individually B. Using baselines C. Change management D. Using images
D: Images would be the easiest way to provision these computers. Images ensure that all the systems have identical settings. It would take too long to set up the computers individually, and this increases the chance of errors. Baselines are starting points, generally using lists, and they typically require modifications. Baselines are often used when creating images. Change management processes are used after a system has been deployed.
Kevin is conducting a software assessment and does not have access to the underlying source code. What type of test is he performing? A. Static testing B. White box testing C. Gray box testing D. Black box testing
D: In a black box test, the tester must not have access to the application's source code.
Jon is testing a new software application. He has developed a list of possible ways that an attacker might exploit the application and is now working through each scenario, testing the application to see if it is vulnerable to that exploit. What type of testing is Jon conducting? A. Test coverage analysis B. Fagan inspection C. Synthetic transactions D. Misuse case testing
D: In misuse case testing the testers first enumerate known misuse/abuse cases. They then attempt to exploit those use cases with manual and/or automated attack techniques.
Which of the following actions is the best method to protect data in transit? A. Disk-level encryption B. Column-level encryption C. Purging memory buffers D. Network-level encryption
D: Network-level encryption protects data in transit. Disk-level encryption and column-level encryption protect data at rest. Purging memory buffers after data has been used protects data in use.
When performing access review audits, which type of account is the most important to audit? A. None is more important. They are all equal. B. Regular user accounts. C. Auditor accounts. D. Privileged accounts.
D: Privileged accounts (such as administrator accounts) are granted the most access and should be a primary focus in an access review audit. Regular user and auditor accounts don't have as many rights and permissions as privileged accounts and are not as important to audit.
Which of the following is the best choice to support authentication and authorization in federated organizations? A. Kerberos B. Hypertext Markup Language (HTML) C. Extensible Markup Language (XML) D. Security Assertion Markup Language (SAML)
D: SAML is an XML-based framework used to exchange user information for single sign-on (SSO) between federated organizations within a federated identity management system. Kerberos supports SSO in a single organization, not a federation. HTML only describes how data is displayed. Although XML could be used, it would require redefining tags already defined in SAML.
Which of the following is the best method to protect against rainbow-table attacks? A. Encrypting passwords sent over the network B. Enabling firewalls C. Locking out accounts D. Salting passwords
D: Salting passwords can reduce the effectiveness of rainbow table attacks. Rainbow-table attacks are offline password attacks, so encrypting data sent over the network doesn't directly protect against rainbow-table attacks. Although enabling firewalls is always a good idea, it does not directly protect against rainbow-table attacks. Account lockout is a good defense against online brute-force attacks, but it would not work against a rainbow-table attack that takes place offline.
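Why a per-user salt defeats a precomputed table is clearer when the two storage schemes sit side by side. This is an added example, not code from the exam; the user accounts, the shared password, the attacker's "table" (a plain dictionary standing in for a rainbow table), and the PBKDF2 iteration count are all constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample accounts; two users happen to share a password (assumption for the demo).
USERS = {"alice": "Summer2024!", "bob": "Summer2024!"}
ITERATIONS = 100_000   # PBKDF2-HMAC-SHA256 work factor; raise it in production


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password: exactly what a rainbow table is built against."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key). A fresh random 16-byte salt per user means a
    precomputed table would have to be rebuilt for every single stored hash."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, dk


def verify(password: str, salt: bytes, expected: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    _, dk = make_record(password, salt)
    return hmac.compare_digest(dk, expected)


def rainbow_lookup(table: Dict[str, str], stored_hash: str) -> Optional[str]:
    """Stand-in for a rainbow table: a precomputed hash -> password dictionary."""
    return table.get(stored_hash)


def demo() -> dict:
    # Attacker's "table": precomputed unsalted hashes of a few common passwords (constructed).
    table = {unsalted_hash(p): p for p in ["password", "Summer2024!", "letmein"]}
    unsalted = {u: unsalted_hash(p) for u, p in USERS.items()}
    salted = {u: make_record(p) for u, p in USERS.items()}
    return {
        # Same password -> same unsalted hash, and one lookup recovers it for every user.
        "unsalted_identical": unsalted["alice"] == unsalted["bob"],
        "unsalted_cracked": rainbow_lookup(table, unsalted["alice"]),
        # Same password -> different salted hashes; the precomputed table is useless.
        "salted_identical": salted["alice"][1] == salted["bob"][1],
        "salted_cracked": rainbow_lookup(table, salted["alice"][1].hex()),
        "alice_verifies": verify("Summer2024!", *salted["alice"]),
        "wrong_pw_rejected": verify("Winter2024!", *salted["alice"]),
    }
```

The salt is stored next to the hash in the clear; its job is not secrecy but uniqueness, which forces an offline attacker to spend the full PBKDF2 cost on each account separately instead of one table lookup for all of them.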
After learning that sensitive data was leaked to the Internet, you discover it was retrieved from a specific Windows server. You suspect that malware started a service on the server, sent the data to an Internet IP address, and stopped the service. You want to find out when this was done. Which of the following logs is MOST likely to show when the service was started and stopped? A. Application log B. Firewall log C. Proxy log D. System log
D: System logs record system events such as when services start or stop. On Windows these are Service Control Manager entries in the System log, for example Event ID 7045 (a new service was installed) and Event ID 7036 (a service entered the running or stopped state); the install event also records the path of the service binary. None of the other logs listed will show when a service was started or stopped. Application logs record information for specific applications. Firewall and proxy logs record traffic that reaches those devices; once the system log fixes the time window, they are where to confirm the destination IP address and the volume of data sent.
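The investigation in this question is a correlation exercise: the system log gives the service's start and stop times, and the firewall log shows what left the network during that window. The following is an added example, not from the exam. All log lines are constructed and simplified (pipe-separated fields, a single-line form of the Service Control Manager messages); the service name, path, addresses and byte counts are invented for the demonstration.

```python
import re
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed, simplified log lines (not real captures). Fields are pipe-separated:
#   System log:   time|log|event_id|source|message
#   Firewall log: time|action|direction|src|dst|bytes=N
SYSTEM_LOG = """\
2024-03-04T02:10:44Z|System|7045|Service Control Manager|A service was installed in the system. Service Name: WinUpdSvc Service File Name: C:\\Users\\Public\\wupd.exe
2024-03-04T02:10:45Z|System|7036|Service Control Manager|The WinUpdSvc service entered the running state.
2024-03-04T02:14:02Z|System|7036|Service Control Manager|The Print Spooler service entered the running state.
2024-03-04T02:31:17Z|System|7036|Service Control Manager|The WinUpdSvc service entered the stopped state.
"""
FIREWALL_LOG = """\
2024-03-04T01:58:30Z|allow|out|10.0.5.23:49700|198.51.100.9:443|bytes=2210
2024-03-04T02:11:03Z|allow|out|10.0.5.23:49812|203.0.113.77:443|bytes=48213377
2024-03-04T02:40:10Z|allow|out|10.0.5.23:49900|198.51.100.9:443|bytes=1200
"""

STATE_RE = re.compile(r"The (?P<svc>.+?) service entered the (?P<state>running|stopped) state\.")
INSTALL_RE = re.compile(r"Service Name: (?P<svc>\S+) Service File Name: (?P<path>.+)$")


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def service_windows(system_log: str) -> Dict[str, dict]:
    """Map service name -> timestamps and binary path pulled from SCM events 7045 and 7036."""
    svcs: Dict[str, dict] = {}
    for line in system_log.splitlines():
        ts, _log, event_id, _src, msg = line.split("|", 4)
        when = parse_ts(ts)
        if event_id == "7045":
            m = INSTALL_RE.search(msg)
            if m:
                svcs.setdefault(m["svc"], {}).update(installed=when, path=m["path"])
        elif event_id == "7036":
            m = STATE_RE.search(msg)
            if m:
                key = "started" if m["state"] == "running" else "stopped"
                svcs.setdefault(m["svc"], {})[key] = when
    return svcs


def outbound_during(firewall_log: str, start: datetime, stop: datetime) -> List[Tuple[str, int]]:
    """(destination, bytes) for outbound connections logged inside [start, stop]."""
    hits = []
    for line in firewall_log.splitlines():
        ts, _action, direction, _src, dst, rest = line.split("|")
        if direction == "out" and start <= parse_ts(ts) <= stop:
            hits.append((dst, int(rest.split("=", 1)[1])))
    return hits


def suspicious_services(system_log: str, firewall_log: str) -> List[dict]:
    """Services installed from outside the Windows directory that both started and
    stopped, together with the outbound traffic observed while they were running."""
    findings = []
    for name, info in service_windows(system_log).items():
        path = info.get("path", "")
        if not path or path.lower().startswith("c:\\windows\\"):
            continue
        if "started" in info and "stopped" in info:
            findings.append({
                "service": name, "path": path,
                "started": info["started"], "stopped": info["stopped"],
                "traffic": outbound_during(firewall_log, info["started"], info["stopped"]),
            })
    return findings


if __name__ == "__main__":
    for f in suspicious_services(SYSTEM_LOG, FIREWALL_LOG):
        print(f["service"], f["path"], f["started"], f["stopped"], f["traffic"])
```

Real Service Control Manager messages spread the 7045 fields over several lines and exporting from Event Viewer or `wevtutil` changes the field layout, so the regular expressions would need adjusting to the export format; the correlation logic (install path outside the system directory, plus the start/stop window applied to the network logs) is what carries over.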
Several desktop PCs have reached the end of their lifecycle. Management wants to donate these to a charity if possible. What should employees do before giving the equipment away? A. Remove all CDs and DVDs. B. Remove all software licenses. C. Sanitize it. D. Install the original software.
D: Systems should be sanitized when they reach the end of their lifecycle and are being donated to charity. This ensures that they do not include any sensitive data. Removing CDs and DVDs is part of the sanitization process, but other elements of the system, such as disk drives, should also be checked to ensure that they don't include sensitive information. Removing software licenses or installing the original software is not necessarily required unless the organization's sanitization process requires it.
Barry is the privacy officer for a college that accepts federal funds. He is reviewing the security of student educational records and wants to ensure that his college is compliant with all relevant laws and regulations. What law protects the privacy rights of students? A. HIPAA B. SOX C. GLBA D. FERPA
D: The Family Educational Rights and Privacy Act (FERPA) protects the rights of students and the parents of minor students. The Gramm-Leach-Bliley Act (GLBA) covers the customer records of financial institutions, whereas the Health Insurance Portability and Accountability Act (HIPAA) regulates healthcare providers. The Sarbanes-Oxley (SOX) Act governs the financial records of publicly traded companies.
What contractual obligation requires credit card merchants to report the potential compromise of credit card data? A. GLBA B. Sarbanes-Oxley C. FERPA D. PCI DSS
D: The Payment Card Industry Data Security Standard (PCI DSS) requires that credit card merchants immediately report any known or suspected compromise of cardholder data.
What type of network discovery scan attempts to simulate an already open network connection? A. TCP connect scan B. Xmas scan C. TCP SYN scan D. TCP ACK scan
D: The TCP ACK scan sends an ACK packet, simulating a packet from the middle of an already established connection. Because a host answers an unexpected ACK with a RST whether the port is open or closed, the scan does not reveal open ports; it reveals which ports a packet filter lets through (unfiltered) versus which a stateful firewall silently drops (filtered), which is why it is used to map firewall rules rather than services.
A worker attempts to use a 15-year-old laptop under the BYOD policy of his organization. When connecting to the company Wi-Fi network, it shows connectivity, but there is no network access. The network admin confirms that the WAP is requiring WPA3. No other worker is reporting a problem with their mobile device. What is the cause of this connection problem? A. The WAP's antennas are disconnected. B. The DHCP has a reservation for the MAC address of the laptop. C. DLP is blocking access. D. The laptop supports only WEP and WPA.
D: The likely issue is that the old laptop does not support WPA3 and might only support WEP and WPA. This would allow a wireless connection to be established, but without a successful encryption negotiation no communications are allowed across or through the WAP. If the WAP's antennas were disconnected, other workers would have complained about connectivity, and the old laptop is getting a radio signal connection. A DHCP reservation would not affect network connectivity, as it would specifically reserve an IP address configuration for the device, and DHCP negotiation occurs only after a wireless connection is established. DLP is not usually related to Wi-Fi connectivity; it is more typically used to block application features or external data transfers that breach confidentiality restrictions.
A company's security policy states that user accounts should be disabled during the exit interview for any employee leaving the company. Which of the following is the most likely reason for this policy? A. To prevent supervisors from accessing the employee's data B. To ensure employees return company property C. To terminate employee benefits D. To retain the decryption key
D: The most likely reason (of the provided answers) is the retention of the account's decryption key. Data encrypted by a user is typically encrypted with a key tied to the user account, and deleting the account may result in the data staying encrypted and unavailable. Though not available as an option, disabling the account also prevents an employee from logging on after leaving the company. Disabling the account allows supervisors to review the user's data. Employees should return company property, but disabling an account won't ensure they do so. Disabling a user account won't terminate employee benefits.
Which software development life cycle model allows for multiple iterations of the development process, resulting in multiple prototypes, each produced according to a complete design and testing process? A. Software Capability Maturity model B. Waterfall model C. Development cycle D. Spiral model
D: The spiral model allows developers to repeat iterations of another life cycle model (such as the waterfall model) to produce a number of fully tested prototypes.
What software development methodology focuses on the iterative creation of new prototypes? A. Software Capability Maturity Model B. Waterfall model C. Software Assurance Maturity Model D. Spiral model
D: The spiral model seeks to iteratively produce new prototypes of a system during the development process. The waterfall model allows the development process to return only to the immediately preceding phase of development at any given time. The SW-CMM and SAMM are maturity models that assess an organization's software development practices and are not development methodologies.
A large manufacturer is deploying various sensors and devices throughout its operation to monitor and remotely control certain aspects of its operations. It is essential that all data collected by these devices be analyzed on a central server. What type of system is likely being installed? A. Edge computing B. MSSP C. Microservices D. Fog computing
D: This situation is describing a fog computing deployment. Fog computing relies on sensors, IoT devices, or even edge computing devices to collect data and then transfer it back to a central location for processing. In edge computing, the intelligence and processing is contained within each device. This is not specifically a managed security service provider (MSSP) since there is no mention of a third party performing the data collection and analysis or any mention of cloud integration. This is also not microservices because the situation is focusing on deploying hardware rather than crafting new applications out of software.
Which one of the following tools is specifically designed to identify database vulnerabilities in web applications? A. OpenVAS B. Nikto C. Burp Suite D. Sqlmap
D: All of these tools can turn up database-related issues to some degree, but only sqlmap is purpose-built to detect and exploit SQL injection flaws in web applications. OpenVAS is a general-purpose network vulnerability scanner; Nikto is a web server scanner; and Burp Suite is a web application proxy.
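What sqlmap automates is the injection class this question is about, and the fix is the same in every language: never splice user input into SQL text. The following is an added example, not part of the exam; it uses Python's built-in sqlite3 module with a constructed in-memory users table so it runs offline. The first login function is deliberately vulnerable, the second is the parameterized form.

```python
import sqlite3
from typing import Optional, Tuple


def make_db() -> sqlite3.Connection:
    """In-memory database with constructed sample users. Passwords are stored in the
    clear here only so the injection is easy to see; real systems store salted hashes."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "correct-horse", "admin"),
        ("bob", "battery-staple", "user"),
    ])
    return con


def login_vulnerable(con: sqlite3.Connection, username: str, password: str) -> Optional[Tuple[str, str]]:
    # VULNERABLE on purpose: user input is spliced into the SQL text, so quote characters
    # and comment markers in the input change the structure of the query.
    sql = (f"SELECT username, role FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return con.execute(sql).fetchone()


def login_safe(con: sqlite3.Connection, username: str, password: str) -> Optional[Tuple[str, str]]:
    # FIXED: a parameterized query. The driver sends the input as bound data, so the
    # same payloads are compared literally against the stored values and match nothing.
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return con.execute(sql, (username, password)).fetchone()


def demo() -> dict:
    con = make_db()
    comment_out = "alice' --"    # closes the string, then comments out the password check
    tautology = "' OR '1'='1"    # makes the WHERE clause always true
    return {
        "vuln_comment": login_vulnerable(con, comment_out, "wrong"),
        "vuln_tautology": login_vulnerable(con, tautology, tautology),
        "safe_comment": login_safe(con, comment_out, "wrong"),
        "safe_tautology": login_safe(con, tautology, tautology),
        "safe_legit": login_safe(con, "alice", "correct-horse"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:15} {v}")
```

With the vulnerable function, `alice' --` logs in as the admin without any password, and the tautology payload returns the first row of the table; the parameterized function rejects both while still accepting the real credentials.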
Which of the following best describes the difference between end-of-service (EOS) and end-of-life (EOL)? A. EOL identifies when a vendor will no longer support a product, and EOS identifies when a vendor will no longer offer a product for sale. B. EOL identifies when an organization destroyed a product, and EOS identifies when a vendor stopped selling a product. C. EOS identifies when a product is removed from service, and EOL identifies when a product is destroyed. D. EOS identifies when a vendor will no longer support a product, and EOL identifies when a vendor will no longer offer a product for sale.
D: EOS identifies when a vendor will no longer support a product, and EOL identifies when a vendor will no longer offer a product for sale. EOL is not related to the destruction of a product. EOS does not refer to when a vendor stopped selling a product.
Gwen is developing a security awareness and training program for software developers. What business function is she engaging in under the Software Assurance Maturity Model (SAMM)? A. Governance B. Design C. Verification D. Operations
A: Education and guidance programs, including training & awareness and organization & culture, are components of the Governance function under the Software Assurance Maturity Model (SAMM).
What type of alternate processing facility contains a full complement of computing equipment in working order with copies of data ready to go? A. Hot site B. Warm site C. Cold site D. Cloud site
A: Hot sites are ready to assume full operational capacity at a moment's notice.
An organization wants to reduce vulnerabilities against fraud from malicious employees. Of the following choices, what would help with this goal? (Choose three.) A. Job rotation B. Separation of duties C. Mandatory vacations D. Baselining
A, B, C: Job rotation, separation of duties, and mandatory vacation policies will all help reduce fraud. Baselining is used for configuration management and would not help reduce collusion or fraud.
Which of the following is typically not a culprit in causing damage to computer equipment in the event of a fire and a triggered suppression? A. Heat B. Suppression medium C. Smoke D. Light
D: Light is usually not damaging to most computer equipment, but heat, smoke, and the suppression medium (typically water) are very destructive.
Tom is preparing to conduct a penetration test and would like to use a testing framework that allows him to easily deploy exploits. Which one of the following tools would best meet his needs? A. OpenVAS B. Nmap C. Sqlmap D. Metasploit Framework
D: Metasploit Framework is a penetration testing framework that allows the easy deployment of exploits against target systems. It would be the best tool for Tom to use during his penetration test.
Some cloud-based service models require an organization to perform some maintenance and take responsibility for some security. Which of the following is a service model that places the most responsibilities on the organization leasing the cloud-based resources? A. IaaS B. PaaS C. SaaS D. Hybrid
A: Organizations have the most responsibility for maintenance and security when leasing Infrastructure as a Service (IaaS) cloud resources. The cloud service provider takes more responsibility with the Platform as a Service (PaaS) model and the most responsibility with the Software as a Service (SaaS) model. Hybrid refers to a cloud deployment model (not a service model) and indicates that two or more deployment models are used (such as private, public, and/or community).
Security administrators want to implement a method to identify when personnel are using elevated privileges, and detect violations of the least privilege principle. Which of the following is the BEST choice to meet these requirements? A. Privileged account management B. Review of security logs C. Review of inactive accounts D. Traffic analysis
A: Privileged account management ensures that personnel do not have more privileges than they need and do not misuse their privileges. It can identify whether users have excessive privileges violating the least privilege principle. Security logs would be used, but not alone. A review of inactive accounts and traffic analysis are not part of privileged account management.
Which of the following is not an element of the risk analysis process? A. Analyzing an environment for risks B. Creating a cost/benefit report for safeguards to present to upper management C. Selecting appropriate safeguards and implementing them D. Evaluating each threat event as to its likelihood of occurring and cost of the resulting damage
C: Risk analysis includes analyzing an environment for risks, evaluating each threat event as to its likelihood of occurring and the cost of the damage it would cause, assessing the cost of various countermeasures for each risk, and creating a cost/benefit report for safeguards to present to upper management. Selecting safeguards is a task of upper management based on the results of risk analysis, known as risk response. It is a task that falls under risk management, but it is not part of the risk analysis/assessment process.
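The quantitative pieces of this exam (the 500-year flood plain's 0.2% annual likelihood, the baseball game's single loss expectancy, and the cost/benefit report described here) are all the same three formulas. This added example, not part of the exam, carries them through in one place: the baseball figures come from that question, the flood ARO from the flood-plain question, and the data center value, exposure factors and barrier cost are assumed numbers so that the safeguard cost/benefit calculation has something to work on.

```python
from typing import Dict


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF: the loss from one occurrence of the threat."""
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: the expected loss per year."""
    return sle * aro


def safeguard_value(ale_before: float, ale_after: float, annual_safeguard_cost: float) -> float:
    """Cost/benefit of a safeguard: (ALE before) - (ALE after) - (annual cost of safeguard).
    A positive result means the control pays for itself; this is the number that goes in
    the cost/benefit report for management, who then decide on the risk response."""
    return ale_before - ale_after - annual_safeguard_cost


def baseball_game() -> Dict[str, float]:
    # Roscommon Rangers question: $1.5M in sales, 80% refundable (the exposure factor),
    # 30% chance of the storm. The game is treated as a single period, so the 30% plays
    # the role of the ARO in the expected-loss formula.
    sle = single_loss_expectancy(1_500_000, 0.80)   # 1,200,000
    return {"sle": sle, "expected_loss": annualized_loss_expectancy(sle, 0.30)}


def flood_plain(asset_value: float = 10_000_000, exposure_factor: float = 0.5,
                barrier_cost: float = 6_000, ef_with_barrier: float = 0.1) -> Dict[str, float]:
    # ARO from the 500-year flood plain question: 1/500 = 0.002. Everything else here
    # (data center value, exposure factors, flood barrier cost) is an assumed figure.
    aro = 1 / 500
    sle_before = single_loss_expectancy(asset_value, exposure_factor)
    sle_after = single_loss_expectancy(asset_value, ef_with_barrier)
    ale_before = annualized_loss_expectancy(sle_before, aro)
    ale_after = annualized_loss_expectancy(sle_after, aro)
    return {
        "aro": aro,
        "sle": sle_before,
        "ale": ale_before,
        "ale_with_barrier": ale_after,
        "barrier_value": safeguard_value(ale_before, ale_after, barrier_cost),
    }


if __name__ == "__main__":
    print(baseball_game())
    print(flood_plain())
```

The same inputs are what an exam question will vary: a safeguard that cuts the ALE by less than it costs per year produces a negative value and should not be recommended on cost grounds alone.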
Victoria is conducting a third-party audit of a cloud service provider and is preparing to generate a SOC audit report. During her engagement, she limited her review to assessing the organization's controls that might impact the accuracy of financial reporting. What type of engagement did she conduct under SSAE 18? A. SOC 1 B. SOC 2 C. SOC 3 D. SOC 4
A: SOC 1 engagements assess the organization's controls that might impact the accuracy of financial reporting. SOC 2 and SOC 3 engagements extend into the trust services criteria (security, availability, processing integrity, confidentiality, and privacy) more generally. There is no SOC 4 report.
What U.S. federal law prohibits attempts to circumvent copyright protection mechanisms placed on a protected work by the copyright holder? A. Digital Millennium Copyright Act B. Trade Secrets Act C. Copyright Enhancement Act D. USA PATRIOT Act
A: The Digital Millennium Copyright Act contains provisions prohibiting the circumvention of copyright protection mechanisms. The Trade Secrets Act applies to trade secrets, not copyrights. The USA PATRIOT Act enhances government surveillance capabilities. The Copyright Enhancement Act does not exist as a U.S. federal law.
Eric is conducting a compliance check to determine whether controls in his organization are effectively enforcing credit card processing requirements. What security standard would be most appropriate for this check? A. HIPAA B. GLBA C. PCI DSS D. SOX
C: The Payment Card Industry Data Security Standard (PCI DSS) contains security requirements for processing credit card transactions and would be the most appropriate resource for this testing.
A small business is planning to outsource payroll. This requires the business to pass some data to the payroll company to handle payroll functions. In this scenario, which of the following roles best describes the payroll company? A. Data controller B. Data subject C. Data processor D. Data custodian
C: The payroll company is fulfilling the role of data processor by processing the payroll data. The data controller identifies what data to pass to the data processor and how that data should be processed. A data subject is like a data user and simply accesses data. A data custodian is responsible for the day-to-day maintenance of data.