MC practice questions
Norm is configuring an RSA cryptosystem for use within his organization and is selecting the key lengths that he will support. Which one of the following key lengths is not both supported by the RSA algorithm and generally considered secure? A. 512 bits B. 1,024 bits C. 2,048 bits D. 4,096 bits
A. 512 bits #The RSA algorithm supports key lengths between 1,024 and 4,096 bits. All of these key lengths are currently considered secure.
Which one of the following is normally used as an authorization tool? A. ACL B. Token C. Username D. Password
A. ACL
Grace would like to implement application control technology in her organization. Users often need to install new applications for research and testing purposes, and she does not want to interfere with that process. At the same time, she would like to block the use of known malicious software. What type of application control would be appropriate in this situation? A. Blacklisting B. Graylisting C. Whitelisting D. Bluelisting
A. Blacklisting #The blacklisting approach to application control allows users to install any software they want except for packages specifically identified by the administrator as prohibited.
Raj is selecting an encryption algorithm for use in his organization and would like to be able to vary the strength of the encryption with the sensitivity of the information. Which one of the following algorithms allows the use of different key strengths? A. Blowfish B. DES C. Skipjack D. IDEA
A. Blowfish #Blowfish allows the user to select any key length between 32 and 448 bits.
Fred is preparing to send backup tapes off-site to a secure third-party storage facility. What steps should Fred take before sending the tapes to that facility? A. Ensure that the tapes are handled the same way the original media would be handled based on their classification. B. Increase the classification level of the tapes because they are leaving the possession of the company. C. Purge the tapes to ensure that classified data is not lost. D. Decrypt the tapes in case they are lost in transit.
A. Ensure that the tapes are handled the same way the original media would be handled based on their classification. #Tapes are frequently exposed because of theft or loss in transit. That means that tapes leaving their normal storage facility should be handled according to the organization's classification schemes and handling requirements. Purging the tapes would cause the loss of data, while increasing the classification level of the tapes is unnecessary. The tapes should be encrypted rather than decrypted.
In Transport Layer Security, what type of key is used to encrypt the actual content of communications between a web server and a client? A. Ephemeral session key B. Client's public key C. Server's public key D. Server's private key
A. Ephemeral session key #In TLS, both the server and the client first communicate using an ephemeral symmetric session key. They exchange this key using asymmetric cryptography, but all encrypted content is protected using symmetric cryptography.
Norm would like to conduct a disaster recovery test for his organization and wants to choose the most thorough type of test, recognizing that it may be quite disruptive. What type of test should Norm choose? A. Full interruption test B. Parallel test C. Tabletop exercise D. Checklist review
A. Full interruption test
Chris is worried that the laptops that his organization has recently acquired were modified by a third party to include keyloggers before they were delivered. Where should he focus his efforts to prevent this? A. His supply chain B. His vendor contracts C. His post-purchase build process D. The original equipment manufacturer (OEM)
A. His supply chain #Supply chain management can help ensure the security of hardware, software, and services that an organization acquires. Chris should focus on each step that his laptops take from the original equipment manufacturer to delivery.
During an incident investigation, investigators meet with a system administrator who may have information about the incident but is not a suspect. What type of conversation is taking place during this meeting? A. Interview B. Interrogation C. Both an interview and an interrogation D. Neither an interview nor an interrogation
A. Interview #Interviews occur when investigators meet with an individual who may have information relevant to their investigation but is not a suspect. If the individual is a suspect, then the meeting is an interrogation.
Which one of the following technologies is designed to prevent a web server going offline from becoming a single point of failure in a web application architecture? A. Load balancing B. Dual-power supplies C. IPS D. RAID
A. Load balancing #Load balancing helps to ensure that a failed server will not take a website or service offline. Dual power supplies only work to prevent failure of a power supply or power source. IPS can help to prevent attacks, and RAID can help prevent a disk failure from taking a system offline.
Max is the security administrator for an organization that uses a remote access VPN. The VPN depends upon RADIUS authentication, and Max would like to assess the security of that service. Which one of the following hash functions is the strongest cryptographic hash protocol supported by RADIUS? A. MD5 B. SHA 2 C. SHA-512 D. HMAC
A. MD5 #Unfortunately, the RADIUS protocol only supports the weak MD5 hash function. This is the major criticism of the RADIUS protocol. Most organizations require that RADIUS be protected with additional encryption to compensate for this vulnerability.
Colleen is conducting a business impact assessment for her organization. What metric provides important information about the amount of time that the organization may be without a service before causing irreparable harm? A. MTD B. ALE C. RPO D. RTO
A. MTD #Maximum Tolerable Downtime!!!
Jim would like to identify compromised systems on his network that may be participating in a botnet. He plans to do this by watching for connections made to known command-and-control servers. Which one of the following techniques would be most likely to provide this information if Jim has access to a list of known servers? A. Netflow records B. IDS logs C. Authentication logs D. RFC logs
A. Netflow records #Netflow records contain an entry for every network communication session that took place on a network and can be compared to a list of known malicious hosts. IDS logs may contain a relevant record, but it is less likely because they would create log entries only if the traffic triggers the IDS, as opposed to netflow records, which encompass all communications. Authentication logs and RFC logs would not have records of any network traffic.
Which attack helped drive vendors to move away from SSL toward TLS-only by default? A. POODLE B. Stuxnet C. BEAST D. CRIME
A. POODLE #The POODLE (or Padding Oracle On Downgraded Legacy Encryption) attack helped force the move from SSL 3.0 to TLS because it allowed attackers to easily access SSL encrypted messages. Stuxnet was a worm aimed at the Iranian nuclear program, while CRIME and BEAST were earlier attacks against SSL.
What is the goal of the BCP process? A. RTO < MTD B. MTD < RTO C. RPO < MTD D. MTD < RPO
A. RTO < MTD
What type of access control is being used in the following permission listing? Storage Device X User1: Can read, write, list User2: Can read, list User3: Can read, write, list, delete User4: Can list A. Resource-based access controls B. Role-based access controls C. Mandatory access controls D. Rule-based access controls
A. Resource-based access controls #Resource-based access controls match permissions to resources like a storage volume. Resource-based access controls are becoming increasingly common in cloud-based infrastructure as a service environments. The lack of roles, rules, or a classification system indicate that role-based, rule-based, and mandatory access controls are not in use here.
Ricky would like to access a remote file server through a VPN connection. He begins this process by connecting to the VPN and attempting to log in. Applying the subject/object model to this request, what is the subject of Ricky's login attempt? A. Ricky B. VPN C. Remote file server D. Files contained on the remote server
A. Ricky #In the subject/object model of access control, the user or process making the request for a resource is the subject of that request. In this example, Ricky is requesting access to the VPN (the object of the request) and is, therefore, the subject.
Skip needs to transfer files from his PC to a remote server. What protocol should he use instead of FTP? A. SCP B. SSH C. HTTP D. Telnet
A. SCP #Skip should use SCP (Secure Copy), a secure file transfer method. SSH is a secure command-line and login protocol, whereas HTTP is used for unencrypted web traffic. Telnet is an unencrypted command-line and login protocol.
Fran's company is considering purchasing a web-based email service from a vendor and eliminating its own email server environment as a cost-saving measure. What type of cloud computing environment is Fran's company considering? A. SaaS B. IaaS C. CaaS D. PaaS
A. SaaS #With software as a service (SaaS), the application is provided by the vendor. #In infrastructure as a service (IaaS), compute as a service (CaaS), and platform as a service (PaaS) approaches, the customer provides their own software, not the vendor.
Which one of the following components is used to assign classifications to objects in a mandatory access control system? A. Security label B. Security token C. Security descriptor D. Security capability
A. Security label
Which one of the following is not an attribute of a hashing algorithm? A. They require a cryptographic key. B. They are irreversible. C. It is very difficult to find two messages with the same hash value. D. They take variable-length input.
A. They require a cryptographic key. #Hash functions do not include any element of secrecy and, therefore, do not require a cryptographic key.
Chris wants to prevent users from running a popular game on Windows workstations he is responsible for. How can Chris accomplish this for Windows 10 Pro workstations? A. Using application whitelisting to prevent all unallowed programs from running B. Using Windows Defender and adding the game to the blacklist file C. By listing in the Blocked Programs list via secpol.msc D. You cannot blacklist applications in Windows 10 without a third-party application.
A. Using application whitelisting to prevent all unallowed programs from running #Windows 10 Pro and Enterprise support application whitelisting. Chris can whitelist his allowed programs and then set the default mode to disallowed, preventing all other applications from running and thus effectively blacklisting the game. This can be a bit of a maintenance hassle but can be useful for high-security environments or those in which limiting what programs can run is critical.
Which one of the following files is most likely to contain a macro virus? A. projections.doc B. command.com C. command.exe D. loopmaster.exe
A. projections.doc #Macro viruses are most commonly found in office productivity documents, such as Microsoft Word documents that end in the .doc or .docx extension. They are not commonly found in executable files with the .com or .exe extensions.
Henry is the risk manager for Atwood Landing, a resort community in the midwestern United States. The resort's main data center is located in northern Indiana in an area that is prone to tornados. Henry recently undertook a replacement cost analysis and determined that rebuilding and reconfiguring the data center would cost $10 million. Henry consulted with tornado experts, data center specialists, and structural engineers. Together, they determined that a typical tornado would cause approximately $5 million of damage to the facility. The meteorologists determined that Atwood's facility lies in an area where they are likely to experience a tornado once every 200 years. Based upon the information in this scenario, what is the annualized rate of occurrence for a tornado at Atwood Landing's data center? A. 0.0025 B. 0.005 C. 0.01 D. 0.015
B. 0.005 #The annualized rate of occurrence is the number of times that risk analysts expect a risk to happen in any given year. In this case, the analysts expect tornados once every 200 years, or 0.005 times per year.
Concho Controls is a midsize business focusing on building automation systems. They host a set of local file servers in their on-premises data center that store customer proposals, building plans, product information, and other data that is critical to their business operations. Tara works in the Concho Controls IT department and is responsible for designing and implementing the organization's backup strategy, among other tasks. She currently conducts full backups every Sunday evening at 8 p.m. and differential backups on Monday through Friday at noon. Concho experiences a server failure at 3 p.m. on Wednesday. Tara rebuilds the server and wants to restore data from the backups. How many backups in total must Tara apply to the system to make the data it contains as current as possible? A. 1 B. 2 C. 3 D. 4
B. 2 #To restore the system to as current a state as possible, Tara must first apply Sunday's full backup. She may then apply the most recent differential backup, from Wednesday at noon. Differential backups include all files that have changed since the most recent full backup, so the contents of Wednesday's backup contain all of the data that would be contained in Monday and Tuesday's backups, making the Monday and Tuesday backups irrelevant for this scenario. NOTE: An incremental backup is a backup type that only copies data that has been changed or created since the previous backup activity was conducted. Incremental backups are all of the same size.
Arnold is receiving reports from end users that their Internet connections are extremely slow. He looks at the firewall and determines that there are thousands of unexpected inbound connections per second arriving from all over the world. What type of attack is most likely occurring? A. A worm B. A denial-of-service attack C. A virus D. A smurf attack
B. A denial-of-service attack #A denial-of-service (DoS) attack floods a target with traffic or requests so that the service fails or becomes unusable.
One of Susan's attacks during a penetration test involves inserting false ARP data into a system's ARP cache. When the system attempts to send traffic to the address it believes belongs to a legitimate system, it will instead send that traffic to a system she controls. What is this attack called? A. RARP flooding B. ARP cache poisoning C. A denial-of-ARP attack D. ARP buffer blasting
B. ARP cache poisoning #ARP cache poisoning occurs when false ARP data is inserted into a system's ARP cache, allowing the attacker to modify its behavior. #RARP flooding, denial-of-ARP attacks, and ARP buffer blasting are all made-up terms.
When a host on an Ethernet network detects a collision and transmits a jam signal, what happens next? A. The host that transmitted the jam signal is allowed to retransmit while all other hosts pause until that transmission is received successfully. B. All hosts stop transmitting, and each host waits a random period of time before attempting to transmit again. C. All hosts stop transmitting, and each host waits a period of time based on how recently it successfully transmitted. D. Hosts wait for the token to be passed and then resume transmitting data as they pass the token.
B. All hosts stop transmitting, and each host waits a random period of time before attempting to transmit again. #Ethernet networks use Carrier-Sense Multiple Access/Collision Detection (CSMA/CD) technology. When a collision is detected and a jam signal is sent, hosts wait a random period of time before attempting retransmission.
Senior management in Adam's company recently read a number of articles about massive ransomware attacks that successfully targeted organizations like the one that Adam is part of. Adam's organization already uses layered security solutions including a border IPS, firewalls between network zones, local host firewalls, antivirus software, and a configuration management system that applies recommended operating system best practice settings to their workstations. What should Adam recommend to minimize the impact of a similar ransomware outbreak at his organization? A. Honeypots B. Backups C. Anti-malware software D. A next-generation firewall appliance
B. Backups #In many cases, backups are the best method to minimize the impact of a ransomware outbreak.
Which of the following is not a potential problem with active wireless scanning? A. Accidentally scanning apparent rogue devices that actually belong to guests B. Causing alarms on the organization's wireless IPS C. Scanning devices that belong to nearby organizations D. Misidentifying rogue devices
B. Causing alarms on the organization's wireless IPS #Not only should active scanning be expected to cause wireless IPS alarms, but those alarms may actually be desired if the test is done to test responses. Accidentally scanning guests or neighbors or misidentifying devices belonging to third parties are all potential problems with active scanning and require the security assessor to carefully verify the systems that she is scanning.
Who is the ideal person to approve an organization's business continuity plan? A. Chief information officer B. Chief executive officer C. Chief information security officer D. Chief operating officer
B. Chief executive officer #Although the CEO will not normally serve on a BCP team, it is best to obtain top-level management approval for your plan to increase the likelihood of successful adoption.
What type of forensic investigation typically has the highest evidentiary standards? A. Administrative B. Criminal C. Civil D. Industry
B. Criminal #Administrative investigations merely need to meet the standards of the organization and to be able to be defended in court, while civil investigations operate on a preponderance of evidence. There is not a category of forensic investigation referred to as "industry" in the CISSP® exam's breakdown of forensic types.
Which one of the following control categories does not accurately describe a fence around a facility? A. Physical B. Detective C. Deterrent D. Preventive
B. Detective
The (ISC)2 code of ethics applies to all SSCP holders. Which of the following is not one of the four mandatory canons of the code? A. Protect society, the common good, the necessary public trust and confidence, and the infrastructure. B. Disclose breaches of privacy, trust, and ethics. C. Provide diligent and competent service to the principals. D. Advance and protect the profession.
B. Disclose breaches of privacy, trust, and ethics.
Ben is responsible for the security of payment card information stored in a database. Policy directs that he remove the information from the database, but he cannot do this for operational reasons. He obtained an exception to policy and is seeking an appropriate compensating control to mitigate the risk. What would be his best option? A. Purchasing insurance B. Encrypting the database contents C. Removing the data D. Objecting to the exception
B. Encrypting the database contents
Ian's company has an internal policy requiring that it perform regular port scans of all of its servers. Ian has been part of a recent effort to move his organization's servers to an infrastructure as a service provider. What change will Ian most likely need to make to his scanning efforts? A. Change scanning software. B. Follow the service provider's scan policies. C. Sign a security contract with the provider. D. Discontinue port scanning.
B. Follow the service provider's scan policies. #Most infrastructure as a service providers will allow their customers to perform security scans as long as they follow the rules and policies around such scans. Ian should review his vendor's security documentation and contact them for details if he has questions.
Michelle is in charge of her organization's mobile device management efforts and handles lost and stolen devices. Which of the following recommendations will provide the most assurance to her organization that data will not be lost if a device is stolen? A. Mandatory passcodes and application management B. Full device encryption and mandatory passcodes C. Remote wipe and GPS tracking D. Enabling GPS tracking and full device encryption
B. Full device encryption and mandatory passcodes #While full device encryption doesn't guarantee that data cannot be accessed, it provides Michelle's best option for preventing data from being lost with a stolen device when paired with a passcode.
Susan's organization is updating its password policy and wants to use the strongest possible passwords. What password requirement will have the highest impact in preventing brute-force attacks? A. Change maximum age from 1 year to 180 days. B. Increase the minimum password length from 8 characters to 16 characters. C. Increase the password complexity so that at least three character classes (such as uppercase, lowercase, numbers, and symbols) are required. D. Retain a password history of at least four passwords to prevent reuse.
B. Increase the minimum password length from 8 characters to 16 characters.
Gary was recently hired as the first chief information security officer (CISO) for a local government agency. The agency recently suffered a security breach and is attempting to build a new information security program. Gary would like to apply some best practices for security operations as he is designing this program. As Gary decides what access permissions he should grant to each user, what principle should guide his decisions about default permissions? A. Separation of duties B. Least privilege C. Aggregation D. Separation of privileges
B. Least privilege
Which one of the following is not an example of a backup tape rotation scheme? A. Grandfather/Father/Son B. Meet-in-the-middle C. Tower of Hanoi D. Six Cartridge Weekly
B. Meet-in-the-middle #The Grandfather/Father/Son, Tower of Hanoi, and Six Cartridge Weekly schemes are all different approaches to rotating backup media that balance reuse of media with data retention concerns. Meet-in-the-middle is a cryptographic attack against 2DES encryption.
Which one of the following is an administrative control that can protect the confidentiality of information? A. Encryption B. Nondisclosure agreement C. Firewall D. Fault tolerance
B. Nondisclosure agreement #That's because the question asks for an administrative control. Encryption is the usual confidentiality control, and it would be the answer if the question asked for a technical or logical control.
Jim wants to allow cloud-based applications to act on his behalf to access information from other sites. Which of the following tools can allow that? A. Kerberos B. OAuth C. OpenID D. LDAP
B. OAuth #OAuth provides the ability to access resources from another service and would meet Jim's needs. OpenID would allow him to use an account from another service with his application, and Kerberos and LDAP are used more frequently for in-house services.
Which type of business impact assessment tool is most appropriate when attempting to evaluate the impact of a failure on customer confidence? A. Quantitative B. Qualitative C. Annualized loss expectancy D. Reduction
B. Qualitative
Greg is building a disaster recovery plan for his organization and would like to determine the amount of time that it should take to restore a particular IT service after an outage. What variable is Greg calculating? A. MTD B. RTO C. RPO D. SLA
B. RTO #The recovery time objective (RTO) is the amount of time expected to return an IT service or component to operation after a failure. The maximum tolerable downtime (MTD) is the longest amount of time that an IT service or component may be unavailable without causing serious damage to the organization. The recovery point objective (RPO) identifies the maximum amount of data, measured in time, that may be lost during a recovery effort. Service-level agreements (SLAs) are written contracts that document service expectations.
When Chris verifies an individual's identity and adds a unique identifier like a user ID to an identity system, what process has occurred? A. Identity proofing B. Registration C. Directory management D. Session management
B. Registration
What name is given to the random value added to a password in an attempt to defeat rainbow table attacks? A. Hash B. Salt C. Extender D. Rebar
B. Salt #The salt is a random value added to a password before it is hashed by the operating system. The salt is then stored in a password file with the hashed password. This increases the complexity of cryptanalytic attacks by negating the usefulness of attacks that use precomputed hash values, such as rainbow tables.
Joe wants to test a program he suspects may contain malware. What technology can he use to isolate the program while it runs? A. ASLR B. Sandboxing C. Clipping D. Process isolation
B. Sandboxing #Running the program in a sandbox provides secure isolation that can prevent the malware from impacting other applications or systems. #ASLR is a memory location randomization technology. Process isolation keeps processes from impacting each other, but a sandbox typically provides greater utility in a scenario like this.
A remote access tool that copies what is displayed on a desktop PC to a remote computer is an example of what type of technology? A. Remote node operation B. Screen scraping C. Remote control D. RDP
B. Screen scraping #Screen scrapers copy the actual screen displayed and display it at a remote location. RDP provides terminal sessions without doing screen scraping, remote node operation is the same as dial-up access, and remote control is a means of controlling a remote system (screen scraping is a specialized subset of remote control).
The Windows ipconfig command displays the following information: BC-5F-F4-7B-4B-7D. What term describes this, and what information can usually be gathered from it? A. The IP address, the network location of the system B. The MAC address, the network interface card's manufacturer C. The MAC address, the media type in use D. The IPv6 client ID, the network interface card's manufacturer
B. The MAC address, the network interface card's manufacturer
As part of her system hardening process for a Windows 10 workstation, Lauren runs the Microsoft Baseline Security Analyzer (MBSA). She sees the following result after MBSA runs. What can she determine from this scan? A. The system has been compromised, and shares allow all users to read and execute administrative files. B. The system has default administrative shares enabled. C. The system is part of a domain that uses administrative shares to manage systems. D. The shares are properly secured and pose no threat to the system.
B. The system has default administrative shares enabled. #Lauren can determine only that the default administrative shares are enabled. While administrative shares are useful for remote administration, they can pose a threat for systems that do not require them, and some security baselines suggest disabling them in the registry if they are not used.
Which pair of the following factors is key for user acceptance of biometric identification systems? A. The FAR and FRR B. The throughput rate and the time required to enroll C. The CER and the ERR D. How often users must reenroll and the reference profile requirements
B. The throughput rate and the time required to enroll #Biometric systems can face major usability challenges if the time to enroll is long (more than a couple of minutes) and if the speed at which the biometric system is able to scan and accept or reject the user is too slow. FAR and FRR may be important in the design decisions made by administrators or designers, but they aren't typically visible to users. CER and ERR are the same and are the point where FAR and FRR meet. Reference profile requirements are a system requirement, not a user requirement.
If Susan's organization requires her to log in with her username, a PIN, a password, and a retina scan, how many distinct authentication factor types has she used? A. One B. Two C. Three D. Four
B. Two
Susan is writing a best practices statement for her organizational users who need to use Bluetooth. She knows that there are many potential security issues with Bluetooth and wants to provide the best advice she can. Which of the following sets of guidance should Susan include? A. Use Bluetooth's built-in strong encryption, change the default PIN on your device, turn off discovery mode, and turn off Bluetooth when it's not in active use. B. Use Bluetooth only for those activities that are not confidential, change the default PIN on your device, turn off discovery mode, and turn off Bluetooth when it's not in active use. C. Use Bluetooth's built-in strong encryption, use extended (eight digits or longer) Bluetooth PINs, turn off discovery mode, and turn off Bluetooth when it's not in active use. D. Use Bluetooth only for those activities that are not confidential, use extended (eight digits or longer) Bluetooth PINs, turn off discovery mode, and turn off Bluetooth when it's not in active use.
B. Use Bluetooth only for those activities that are not confidential, change the default PIN on your device, turn off discovery mode, and turn off Bluetooth when it's not in active use. #Bluetooth doesn't provide strong encryption, so any option relying on it is out. #Changing the default PIN is the recommended step; using an extended PIN is not required.
The company that Jennifer works for has implemented a central logging infrastructure, as shown in the following image. Use this diagram and your knowledge of logging systems to answer the following questions. During normal operations, Jennifer's team uses the SIEM appliance to monitor for exceptions received via syslog. What system shown does not natively have support for syslog events? A. Enterprise wireless access points B. Windows desktop systems C. Linux web servers D. Enterprise firewall devices
B. Windows desktop systems #Windows systems generate logs in the Windows native logging format. To send syslog events, Windows systems require a helper application or tool. Enterprise wireless access points, firewalls, and Linux systems all typically support syslog.
Jim has been contracted to perform a penetration test of a bank's primary branch. To make the test as real as possible, he has not been given any information about the bank other than its name and address. What type of penetration test has Jim agreed to perform? A. A crystal-box penetration test B. A gray-box penetration test C. A black-box penetration test D. A white-box penetration test
C. A black-box penetration test #Jim has agreed to a black-box penetration test, which provides no information about the organization, its systems, or its defenses. #A crystal- or white-box penetration test provides all of the information an attacker needs, #whereas a gray-box penetration test provides some, but not all, information about its systems and/or its defenses.
Lauren's networking team has been asked to identify a technology that will allow them to dynamically change the organization's network by treating the network like code. What type of architecture should she recommend? A. A network that follows the 5-4-3 rule B. A converged network C. A software-defined network D. A hypervisor-based network
C. A software-defined network #Software-defined networking provides a network architecture that can be defined and configured as code or software. This will allow Lauren's team to quickly change the network based on organizational requirements. The 5-4-3 rule is an old design rule for networks that relied on repeaters or hubs. A converged network carries multiple types of traffic such as voice, video, and data. A hypervisor-based network may be software defined, but it could also use traditional network devices running as virtual machines.
Susan sets up a firewall that keeps track of the status of the communication between two systems and allows a remote system to respond to a local system after the local system starts communication. What type of firewall is Susan using? A. A static packet filtering firewall B. An application-level gateway firewall C. A stateful packet inspection firewall D. A circuit-level gateway firewall
C. A stateful packet inspection firewall #Stateful packet inspection firewalls, also known as dynamic packet filtering firewalls, track the state of a conversation and can allow a response from a remote system based on an internal system being allowed to start the communication. Static packet filtering and circuit-level gateways only filter based on source, destination, and ports, whereas application-level gateway firewalls proxy traffic for specific applications.
What encryption algorithm is used by both BitLocker and Microsoft's Encrypting File System? A. Blowfish B. Serpent C. AES D. 3DES
C. AES #By default, BitLocker and Microsoft's Encrypting File System (EFS) both use AES (Advanced Encryption Standard), which is the NIST-approved replacement for DES (Data Encryption Standard). Serpent was a competitor of AES, and 3DES was created as a possible replacement for DES.
Alejandro is an incident response analyst for a large corporation. He is on the midnight shift when an intrusion detection system alerts him to a potential brute-force password attack against one of the company's critical information systems. He performs an initial triage of the event before taking any additional action. If Alejandro's initial investigation determines that a security incident is likely taking place, what should be his next step? A. Investigate the root cause. B. File a written report. C. Activate the incident response team. D. Attempt to restore the system to normal operations.
C. Activate the incident response team. #After detection of a security incident, the next step in the process is response, which should follow the organization's formal incident response procedure. The first step of this procedure is activating the appropriate teams, including the organization's computer security incident response team (CSIRT).
Which objects and subjects have a label in a MAC model? A. Objects and subjects that are classified as Confidential, Secret, or Top Secret have a label. B. All objects have a label, and all subjects have a compartment. C. All objects and subjects have a label. D. All subjects have a label and all objects have a compartment.
C. All objects and subjects have a label. #In a mandatory access control system, all subjects and objects have a label. Compartments may or may not be used, but there is not a specific requirement for either subjects or objects to be compartmentalized. The specific labels of Confidential, Secret, and Top Secret are not required by MAC.
Lauren builds a table that includes assigned privileges, objects, and subjects to manage access control for the systems she is responsible for. Each time a subject attempts to access an object, the systems check the table to ensure that the subject has the appropriate rights to the objects. What type of access control system is Lauren using? A. A capability table B. An access control list C. An access control matrix D. A subject/object rights management system
C. An access control matrix #An access control matrix is a table that lists objects, subjects, and their privileges. Access control lists focus on objects and which subjects can access them. NOTE: the matrix here is the whole table that lists objects, subjects, and their privileges; an ACL is just the list for a single object.
As the CISO of her organization, Jennifer is working on an incident classification scheme and wants to base her design on NIST's definitions. Which of the following options should she use to best describe a user accessing a file that they are not authorized to view? A. An incident B. An event C. An adverse event D. A security incident
C. An adverse event #NIST describes events with negative consequences as adverse events. It might be tempting to immediately call this a security incident; however, this wouldn't be classified that way until an investigation was conducted. If the user accidentally accessed the file, it would typically not change classification. NOTE: Intentional or malicious access would cause the adverse event to become a security incident.
Jasper Diamonds is a jewelry manufacturer that markets and sells custom jewelry through their website. Bethany is the manager of Jasper's software development organization, and she is working to bring the company into line with industry standard practices. She is developing a new change management process for the organization and wants to follow commonly accepted approaches. Jasper would like to establish a governing body for the organization's change management efforts. What individual or group within an organization is typically responsible for reviewing the impact of proposed changes? A. Chief information officer B. Senior leadership team C. Change control board D. Software developer
C. Change control board
What technology asset management practice would an organization use to ensure that systems meet baseline security standards? A. Change management B. Patch management C. Configuration management D. Identity management
C. Configuration management #Configuration management practices ensure that an organization manages the configuration of systems in an organized and automated fashion. This would include ensuring that systems remain in compliance with the baseline requirements of the organization's security standards.
Wanda is configuring device-based authentication for systems on her network. Which one of the following approaches offers the strongest way to authenticate devices? A. IP address B. MAC address C. Digital certificate D. Password
C. Digital certificate #Digital certificates are the strongest device-based access control mechanism listed in this scenario. #A MAC address sounds like the right answer, but a MAC address can easily be changed.
Ben is troubleshooting a network and discovers that the NAT router he is connected to has the 192.168.x.x subnet as its internal network and that its external IP is 192.168.1.40. What problem is he encountering? A. 192.168.x.x is a nonroutable network and will not be carried to the Internet. B. 192.168.1.40 is not a valid address because it is reserved by RFC 1918. C. Double NATing is not possible using the same IP range. D. The upstream system is unable to de-encapsulate his packets, and he needs to use PAT instead.
C. Double NATing is not possible using the same IP range. #Double NATing isn't possible with the same IP range; the same IP addresses cannot appear inside and outside a NAT router. RFC 1918 addresses are reserved, but only so they are not used and routable on the Internet, and changing to PAT would not fix the issue.
What is the best way to ensure email confidentiality in motion? A. Use TLS between the client and server. B. Use SSL between the client and server. C. Encrypt the email content. D. Use a digital signature.
C. Encrypt the email content. #Remember that encryption is for confidentiality.
Which group is best suited to evaluate and report on the effectiveness of administrative controls an organization has put in place to a third party? A. Internal auditors B. Penetration testers C. External auditors D. Employees who design, implement, and monitor the controls
C. External auditors #External auditors can provide an unbiased and impartial view of an organization's controls to third parties. Internal auditors are useful when reporting to senior management of the organization but are typically not asked to report to third parties. Penetration tests test technical controls but are not as well suited to testing many administrative controls. The employees who build and maintain controls are more likely to bring a bias to the testing of those controls and should not be asked to report on them to third parties.
The organization that Ben works for has a traditional on-site Active Directory environment that uses a manual provisioning process for each addition to their 350-employee company. As the company adopts new technologies, they are increasingly using software as a service applications to replace their internally developed software stack. Ben has been tasked with designing an identity management implementation that will allow his company to use cloud services while supporting their existing systems. Using the logical diagram shown here, answer the following question about the identity recommendations Ben should make. If Ben needs to share identity information with the business partner shown, what should he investigate? A. Single sign-on B. Multifactor authentication C. Federation D. IDaaS
C. Federation #Federation links identity information between multiple organizations. Federating with a business partner can allow identification and authorization to occur between them, making integration much easier.
Susan needs to predict high-risk areas for her organization and wants to use metrics to assess risk trends as they occur. What should she do to handle this? A. Perform yearly risk assessments. B. Hire a penetration testing company to regularly test organizational security. C. Identify and track key risk indicators. D. Monitor logs and events using a SIEM device.
C. Identify and track key risk indicators. #Metrics!!!!!!!! #Key risk indicators are used to tell those in charge of risk management how risky an activity is and how much impact changes are having on that risk profile. Identifying key risk indicators and monitoring them can help to identify high-risk areas earlier in their lifecycle. Yearly risk assessments may be a good idea but only provide a point-in-time view, whereas penetration tests may miss out on risks that are not directly security related. Monitoring logs and events using a SIEM device can help detect issues as they occur but won't necessarily show trends in risk.
Alex's organization uses the NIST incident classification scheme. Alex discovers that a laptop belonging to a senior executive had keylogging software installed on it. How should Alex classify this occurrence? A. Event B. Adverse event C. Incident D. Policy violation
C. Incident #NIST describes this type of event as a security incident because it is a violation or imminent threat of violation of security policies and practices. An adverse event is any event with negative consequences, and an event is any observable occurrence on a system or network.
Tiffany needs to assess the patch level of a Windows 2012 server and wants to use a freely available tool to check the system for security issues. Which of the following tools will provide the most detail about specific patches installed or missing from her machine? A. Nmap B. Nessus C. MBSA D. Metasploit
C. MBSA #Clearly says Windows!! #The Microsoft Baseline Security Analyzer, or MBSA, is a tool provided by Microsoft that can identify installed or missing patches as well as common security misconfigurations. Since it is run with administrative rights, it will provide a better view than normal nmap and Nessus scans.
Ryan is a security risk analyst for an insurance company. He is currently examining a scenario in which a malicious hacker might use a SQL injection attack to deface a web server because of a missing patch in the company's web application. In this scenario, what is the threat? A. Unpatched web application B. Web defacement C. Malicious hacker D. Operating system
C. Malicious hacker #Risks are the combination of a threat and a vulnerability. Threats are the external forces seeking to undermine security, such as the malicious hacker in this case. Vulnerabilities are the internal weaknesses that might allow a threat to succeed. In this case, the missing patch is the vulnerability. In this scenario, if the malicious hacker (threat) attempts a SQL injection attack against the unpatched server (vulnerability), the result is website defacement.
Which of the following tools is best suited to testing known exploits against a system? A. Nikto B. Ettercap C. Metasploit D. THC Hydra
C. Metasploit #Metasploit is a tool used to exploit known vulnerabilities. Nikto is a web application and server vulnerability scanning tool, Ettercap is a man-in-the-middle attack tool, and THC Hydra is a password brute-force tool.
Susan wants to integrate her website to allow users to use accounts from sites like Google. What technology should she adopt? A. Kerberos B. LDAP C. OpenID
C. OpenID #OpenID is a widely supported standard that allows a user to use a single account to log into multiple sites, and Google accounts are frequently used with OpenID.
When a user attempts to log into their online account, Google sends a text message with a code to their cell phone. What type of verification is this? A. Knowledge-based authentication B. Dynamic knowledge-based authentication C. Out-of-band identity proofing D. Risk-based identity proofing
C. Out-of-band identity proofing #Identity proofing that relies on a type of verification outside the initial environment that required the verification is out-of-band identity proofing. This type of verification relies on the owner of the phone or phone number having control of it but removes the ability for attackers to use only Internet-based resources to compromise an account. #Knowledge-based authentication relies on answers to preselected information, whereas dynamic knowledge-based authentication builds questions using facts or data about the user. #Risk-based identity proofing uses risk-based metrics to determine whether identities should be permitted or denied access. It is used to limit fraud in financial transactions, such as credit card purchases. This is a valid form of proofing but does not necessarily use an out-of-band channel, such as SMS.
Which one of the following types of firewalls does not have the ability to track connection status between different packets? A. Stateful inspection B. Application proxy C. Packet filter D. Next generation
C. Packet filter #Static packet filtering firewalls are known as first-generation firewalls and do not track connection state. Stateful inspection, application proxying, and next-generation firewalls all add connection state tracking capability.
Which of the following Type 3 authenticators is appropriate to use by itself rather than in combination with other biometric factors? A. Voice pattern recognition B. Hand geometry C. Palm scans D. Heart/pulse patterns
C. Palm scans #Palm scans compare the vein patterns in the palm to a database to authenticate a user. Vein patterns are unique, and this method is a better single-factor authentication method than voice pattern recognition, hand geometry, and pulse patterns, each of which can be more difficult to uniquely identify between individuals or can be fooled more easily.
Your organization regularly handles three types of data: information that it shares with customers, information that it uses internally to conduct business, and trade secret information that offers the organization significant competitive advantages. Information shared with customers is used and stored on web servers, while both the internal business data and the trade secret information are stored on internal file servers and employee workstations. What civilian data classifications best fit this data? A. Unclassified, confidential, top secret B. Public, sensitive, private C. Public, sensitive, proprietary D. Public, confidential, private
C. Public, sensitive, proprietary #Information shared with customers is public, internal business could be sensitive or private, and trade secrets are proprietary.
Alejandro is an incident response analyst for a large corporation. He is on the midnight shift when an intrusion detection system alerts him to a potential brute-force password attack against one of the company's critical information systems. He performs an initial triage of the event before taking any additional action. As the incident response progresses, during which stage should the team conduct a root-cause analysis? A. Response B. Reporting C. Remediation D. Lessons learned
C. Remediation #The root-cause analysis examines the incident to determine what allowed it to happen and provides critical information for repairing systems so that the incident does not recur. This is a component of the remediation step of the incident response process because the root-cause analysis output is necessary to fully remediate affected systems and processes.
Michael is responsible for forensic investigations and is investigating a medium-severity security incident that involved the defacement of a corporate website. The web server in question ran on a virtualization platform, and the marketing team would like to get the website up and running as quickly as possible. What would be the most reasonable next step for Michael to take? A. Keep the website offline until the investigation is complete. B. Take the virtualization platform offline as evidence. C. Take a snapshot of the compromised system and use that for the investigation. D. Ignore the incident and focus on quickly restoring the website.
C. Take a snapshot of the compromised system and use that for the investigation. #The website needs to be up and running as soon as possible, so taking a snapshot and investigating that copy is the only option.
Andrew believes that a digital certificate belonging to his organization was compromised and would like to add it to a Certificate Revocation List. Who must add the certificate to the CRL? A. Andrew B. The root authority for the top-level domain C. The CA that issued the certificate D. The revocation authority for the top-level domain
C. The CA that issued the certificate #Certificates may only be added to a Certificate Revocation List by the certificate authority that created the digital certificate.
Which OSI layer includes electrical specifications, protocols, and interface standards? A. The Transport layer B. The Device layer C. The Physical layer D. The Data Link layer
C. The Physical layer #The Physical layer includes electrical specifications, protocols, and standards that allow control of throughput, handling of line noise, and a variety of other electrical interface and signaling requirements. The OSI model doesn't have a Device layer. The Transport layer connects the Network and Session layers, and the Data Link layer packages packets from the Network layer for transmission and receipt by devices operating on the Physical layer.
Which of the following is not true about the (ISC)2 code of ethics? A. Adherence to the code is a condition of certification. B. Failure to comply with the code may result in revocation of certification. C. The code applies to all members of the information security profession. D. Members who observe a breach of the code are required to report the possible violation.
C. The code applies to all members of the information security profession.
STRIDE, which stands for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege, is useful in what part of application threat modeling? A. Vulnerability assessment B. Misuse case testing C. Threat categorization D. Penetration test planning
C. Threat categorization #An important part of application threat modeling is threat categorization. It helps to assess attacker goals that influence the controls that should be put in place. The other answers all involve topics that are not directly part of application threat modeling.
Alan intercepts an encrypted message and wants to determine what type of algorithm was used to create the message. He first performs a frequency analysis and notes that the frequency of letters in the message closely matches the distribution of letters in the English language. What type of cipher was most likely used to create this message? A. Substitution cipher B. AES C. Transposition cipher D. 3DES
C. Transposition cipher
Angela uses a sniffer to monitor traffic from a RADIUS server configured with default settings. What protocol should she monitor, and what traffic will she be able to read? A. UDP, none. All RADIUS traffic is encrypted. B. TCP, all traffic but the passwords, which are encrypted. C. UDP, all traffic but the passwords, which are encrypted. D. TCP, none. All RADIUS traffic is encrypted.
C. UDP, all traffic but the passwords, which are encrypted. #By default, RADIUS uses UDP and only encrypts passwords. RADIUS supports TCP and TLS, but this is not a default setting.
Vivian works for a chain of retail stores and would like to use a software product that restricts the software used on point-of-sale terminals to those packages on a preapproved list. What approach should Vivian use? A. Antivirus B. Heuristic C. Whitelist D. Blacklist
C. Whitelist #The blacklist approach to application control blocks certain prohibited packages, but allows the installation of other software on systems. #The whitelist approach uses the reverse philosophy and allows only approved software. Antivirus software would only detect the installation of malicious software after the fact. Heuristic detection is a variant of antivirus software.
Lauren wants to ensure that her users run only the software that her organization has approved. What technology should she deploy? A. Blacklisting B. Configuration management C. Whitelisting D. Graylisting
C. Whitelisting #A whitelist of allowed applications will ensure that Lauren's users can run only the applications that she preapproves. #Graylisting is not a technology option, and configuration management can be useful for making sure the right applications are on a PC but typically can't directly prevent users from running undesired applications or programs.
Chris would like to use John the Ripper to test the security of passwords on a compromised Linux system. What files does he need to conduct this analysis? A. /etc/shadow and /etc/user B. /etc/passwd and /etc/user C. /etc/user and /etc/account D. /etc/passwd and /etc/shadow
D. /etc/passwd and /etc/shadow #John the Ripper is a password cracking tool. Using it on a Linux system requires copies of both the /etc/passwd and /etc/shadow files.
How many possible keys exist in a cryptographic algorithm that uses 6-bit encryption keys? A. 12 B. 16 C. 32 D. 64
D. 64 #Two to the sixth power is 64, so a 6-bit keyspace contains 64 possible keys.
What topology correctly describes Ethernet? A. A ring B. A star C. A mesh D. A bus
D. A bus #While devices may be physically connected to a switch in a physical topology that looks like a star, systems using Ethernet can all transmit on the bus simultaneously, possibly leading to collisions.
Kathleen needs to set up an Active Directory trust to allow authentication with an existing Kerberos K5 domain. What type of trust does she need to create? A. A shortcut trust B. A forest trust C. An external trust D. A realm trust
D. A realm trust #Kerberos uses realms, and the proper type of trust to set up for an Active Directory environment that needs to connect to a K5 domain is a realm trust. A shortcut trust is a transitive trust between parts of a domain tree or forest that shortens the trust path, a forest trust is a transitive trust between two forest root domains, and an external trust is a nontransitive trust between AD domains in separate forests.
Saria's team is working to persuade their management that their network has extensive vulnerabilities that attackers could exploit. If she wants to conduct a realistic attack as part of a penetration test, what type of penetration test should she conduct? A. Crystal box B. Gray box C. White box D. Black box
D. Black box #Black-box testing is the most realistic type of penetration test because it does not provide the penetration tester with inside information about the configuration or design of systems, software, or networks. A gray-box test provides some information, whereas a white- or crystal-box test provides significant or full detail.
Tony is developing a business continuity plan and is having difficulty prioritizing resources because of the difficulty of combining information about tangible and intangible assets. What would be the most effective risk assessment approach for him to use? A. Quantitative risk assessment B. Qualitative risk assessment C. Neither quantitative nor qualitative risk assessment D. Combination of quantitative and qualitative risk assessment
D. Combination of quantitative and qualitative risk assessment #Tony would see the best results by combining elements of quantitative and qualitative risk assessment. Quantitative risk assessment excels at analyzing financial risk, while qualitative risk assessment is a good tool for intangible risks. Combining the two techniques provides a well-rounded risk picture.
You discover that a user on your network has been using the Wireshark tool, as shown here. Further investigation revealed that he was using it for illicit purposes. What pillar of information security has most likely been violated? A. Integrity B. Denial C. Availability D. Confidentiality
D. Confidentiality #Wireshark is a protocol analyzer and may be used to eavesdrop on network connections. Eavesdropping is an attack against confidentiality.
Harry would like to access a document owned by Sally stored on a file server. Applying the subject/object model to this scenario, who or what is the object of the resource request? A. Harry B. Sally C. File server D. Document
D. Document
Which one of the following is an example of physical infrastructure hardening? A. Antivirus software B. Hardware-based network firewall C. Two-factor authentication D. Fire suppression system
D. Fire suppression system #Along with uninterruptible power supplies, fire suppression systems are good examples of technology used to harden physical infrastructure. Antivirus software, hardware firewalls, and two-factor authentication are all examples of logical controls.
A zero-day vulnerability is announced for the popular Apache web server in the middle of a workday. In Jacob's role as an information security analyst, he needs to quickly scan his network to determine what servers are vulnerable to the issue. What is Jacob's best route to quickly identify vulnerable systems? A. Immediately run Nessus against all of the servers to identify which systems are vulnerable. B. Review the CVE database to find the vulnerability information and patch information. C. Create a custom IDS or IPS signature. D. Identify affected versions and check systems for that version number using an automated scanner.
D. Identify affected versions and check systems for that version number using an automated scanner.
Alan is installing a fire suppression system that will kick in after a fire breaks out and protect the equipment in the data center from extensive damage. What metric is Alan attempting to lower? A. Likelihood B. RTO C. RPO D. Impact
D. Impact #Fire suppression systems do not stop a fire from occurring but do reduce the damage that fires cause. This is an example of reducing risk by lowering the impact of an event.
Jasper Diamonds is a jewelry manufacturer that markets and sells custom jewelry through their website. Bethany is the manager of Jasper's software development organization, and she is working to bring the company into line with industry standard practices. She is developing a new change management process for the organization and wants to follow commonly accepted approaches. Which one of the following elements is not a crucial component of a change request? A. Description of the change B. Implementation plan C. Backout plan D. Incident response plan
D. Incident response plan #An organization's incident response plan may be invoked as a result of a change gone awry, but the incident response plan itself is a stand-alone process and does not need to be included in a change request. The change request should definitely include a description of the change, an implementation plan, and a backout plan, among other components.
Marty discovers that the access restrictions in his organization allow any user to log into the workstation assigned to any other user, even if they are from completely different departments. This type of access most directly violates which information security principle? A. Separation of duties B. Two-person control C. Need to know D. Least privilege
D. Least privilege
Tom enables an application firewall provided by his cloud infrastructure as a service provider that is designed to block many types of application attacks. When viewed from a risk management perspective, what metric is Tom attempting to lower? A. Impact B. RPO C. MTO D. Likelihood
D. Likelihood #Installing a device that will block attacks is an attempt to lower risk by reducing the likelihood of a successful application attack.
Which of the following is a method used to design new software tests and to ensure the quality of tests? A. Code auditing B. Static code analysis C. Regression testing D. Mutation testing
D. Mutation testing #Mutation testing modifies a program in small ways and then tests that mutant to determine whether it behaves as it should or whether it fails. This technique is used to design and test software tests through mutation. Static code analysis and regression testing are both means of testing code, whereas code auditing is an analysis of source code rather than a means of designing and testing software tests.
Ben owns a coffeehouse and wants to provide wireless Internet service for his customers. Ben's network is simple and uses a single consumer-grade wireless router and a cable modem connected via a commercial cable data contract. After implementing the solution from the first question, Ben receives a complaint about users in his cafe hijacking other customers' web traffic, including using their usernames and passwords. How is this possible? A. The password is shared by all users, making traffic vulnerable. B. A malicious user has installed a Trojan on the router. C. A user has ARP spoofed the router, making all traffic broadcast to all users. D. Open networks are unencrypted, making traffic easily sniffable.
D. Open networks are unencrypted, making traffic easily sniffable. #This is all about network sniffers! Unencrypted networks don't provide confidentiality. #Unencrypted open networks broadcast traffic in the clear. This means that unencrypted sessions to websites can be easily captured with a packet sniffer. Some tools like FireSheep have been specifically designed to capture sessions from popular websites. Fortunately, many now use TLS by default, but other sites still send user session information in the clear. Shared passwords are not the cause of the vulnerability, ARP spoofing isn't an issue with wireless networks, and a Trojan is designed to look like safe software, not to compromise a router.
Data is sent as bits at what layer of the OSI model? A. Transport B. Network C. Data Link D. Physical
D. Physical #The Physical layer deals with the electrical impulses or optical pulses that are sent as bits to convey data.
Nmap is an example of what type of tool? A. Vulnerability scanner B. Web application fuzzer C. Network design and layout D. Port scanner
D. Port scanner #Nmap is a popular open source port scanner. Nmap is not a vulnerability scanner, nor is it a web application fuzzer. While port scanners can be used to partially map a network and its name stands for Network Mapper, it is not a network design tool.
What term describes software testing that is intended to uncover new bugs introduced by patches or configuration changes? A. Non-regression testing B. Evolution testing C. Smoke testing D. Regression testing
D. Regression testing #Regression testing, which is a type of functional or unit testing, tests to ensure that changes have not introduced new issues. Nonregression testing checks to see whether a change has had the effect it was supposed to, smoke testing focuses on simple problems with impact on critical functionality, and evolution testing is not a software testing technique.
During which phase of the incident response process would an organization determine whether it is required to notify law enforcement officials or other regulators of the incident? A. Detection B. Recovery C. Remediation D. Reporting
D. Reporting
Ben's organization has begun to use STRIDE to assess its software and has identified threat agents and the business impacts that these threats could have. Now they are working to identify appropriate controls for the issues they have identified. Ben's team is attempting to categorize a transaction identification issue that is caused by use of a symmetric key shared by multiple servers. What STRIDE category should this fall into? A. Information disclosure B. Denial of service C. Tampering D. Repudiation
D. Repudiation #Since a shared symmetric key could be used by any of the servers, transaction identification problems caused by a shared key are likely to involve a repudiation issue.
Tom is planning to terminate an employee this afternoon for fraud and expects that the meeting will be somewhat hostile. He is coordinating the meeting with human resources and wants to protect the company against damage. Which one of the following steps is most important to coordinate in time with the termination meeting? A. Informing other employees of the termination B. Retrieving the employee's photo ID C. Calculating the final paycheck D. Revoking electronic access rights
D. Revoking electronic access rights
Matthew and Richard are friends located in different physical locations who would like to begin communicating with each other using cryptography to protect the confidentiality of their communications. They exchange digital certificates to begin this process and plan to use an asymmetric encryption algorithm for the secure exchange of email messages. When Richard receives the message from Matthew, what key should he use to decrypt the message? A. Matthew's public key B. Matthew's private key C. Richard's public key D. Richard's private key
D. Richard's private key #The recipient of a message uses his or her own private key to decrypt messages that were encrypted with the recipient's public key. This ensures that nobody other than the intended recipient can decrypt the message.
Lauren is the IT manager for a small company and occasionally serves as the organization's information security officer. Which of the following roles should she include as the leader of her organization's CSIRT? A. Her lead IT support staff technician B. Her organization's legal counsel C. A third-party IR team lead D. She should select herself.
D. She should select herself. #A CSIRT leader must have authority to direct the incident response process and should be able to act as a liaison with organizational management. While Lauren may not have deep incident response experience, she is in the right role to provide those connections and leadership. She should look at retaining third-party experts for incidents if she needs additional skills or expertise on her IR team.
What methods are often used to protect data in transit? A. Telnet, ISDN, UDP B. BitLocker, FileVault C. AES, Serpent, IDEA D. TLS, VPN, IPSec
D. TLS, VPN, IPSec #Data in transit is data that is traversing a network or is otherwise in motion. TLS, VPNs, and IPsec tunnels are all techniques used to protect data in transit. #AES, Serpent, and IDEA are all symmetric algorithms, while Telnet, ISDN, and UDP are all protocols. #BitLocker and FileVault are both used to encrypt data, but they protect only stored data, not data in transit.
During which of the following disaster recovery tests does the team sit together and discuss the response to a scenario but not actually activate any disaster recovery controls? A. Checklist review B. Full interruption test C. Parallel test D. Tabletop exercise
D. Tabletop exercise #During a tabletop exercise, team members come together and walk through a scenario without making any changes to information systems. #During a checklist review, team members each review the contents of their disaster recovery checklists on their own and suggest any necessary changes. #During a parallel test, the team actually activates the disaster recovery site for testing, but the primary site remains operational. #During a full interruption test, the team takes down the primary site and confirms that the disaster recovery site is capable of handling regular operations. The full interruption test is the most thorough test but also the most disruptive.
Jim has been asked to individually identify devices that users are bringing to work as part of a new BYOD policy. The devices will not be joined to a central management system like Active Directory, but he still needs to uniquely identify the systems. Which of the following options will provide Jim with the best means of reliably identifying each unique device? A. Record the MAC address of each system. B. Require users to fill out a form to register each system. C. Scan each system using a port scanner. D. Use device fingerprinting via a web-based registration system.
D. Use device fingerprinting via a web-based registration system.
Account reviews should verify that every inactive account is associated with a current employee. FALSE TRUE
FALSE
What is the minimum acceptable temperature for a data center? a) 64.4 degrees Fahrenheit b) 80.6 degrees Fahrenheit c) 68.0 degrees Fahrenheit d) 72.4 degrees Fahrenheit
a) 64.4 degrees Fahrenheit
Which one of the following is the lowest level of classification in the government's classification scheme? a) Confidential b) Top Secret c) Public d) Secret
a) Confidential #The government classification levels, from highest to lowest, are Top Secret, Secret, and Confidential.
In SAML, what organization performs authentication of the end user? a) Identity Provider b) Principal c) Service Provider d) Authentication Source
a) Identity Provider
Which one of the following authentication protocols requires the use of external encryption to protect passwords? a) PAP b) CHAP c) SAML d) Kerberos
a) PAP
How many separate roles are involved in a properly implemented registration and identity proofing process? a) 3 b) 4 c) 2 d) 5
b) 4
What class of fire extinguisher is designed to work on electrical fires? a) Class B b) Class C c) Class D d) Class A
b) Class C #Class A: Common combustibles (wood, cloth, trash) #Class B: Flammable liquids (gasoline, oil) #Class C: Electrical fires (data centers) #Class D: Heavy metal burns (industrial) #Class K: Kitchen (fats, oils)
_____ controls mitigate the risk of exceptions to security policies. a) Technical b) Compensating c) Logical d) Administrative
b) Compensating
_____ demonstrate the success of a security program. a) CRIs b) KPIs c) KRIs d) CPIs
b) KPIs #KPIs (Key Performance Indicators) help ensure that a security operations program continues to remain effective and that any process or technology gaps are addressed appropriately. When choosing KPIs to measure, quality should be valued above quantity. Each KPI should have meaning to the organization and add value to the security program.
Matt would like to assign users to roles within his Windows enterprise. What feature can he use to create a role? a) Domain b) Security group c) Forest d) Distribution group
b) Security group
What type of physical security control should always be disclosed to visitors when used? a) fences b) cameras c) security guards d) intrusion alarms
b) cameras
What command can administrators use to determine whether the SELinux kernel module is enabled? a) secheck b) getenforce c) selmodule d) fsck
b) getenforce
Which one of the following is not an example of security education? a) briefings at team meetings b) reminder posters in the hallway c) classroom instruction d) online education
b) reminder posters in the hallway
The results of backup verification are an example of _____ data. a) personnel b) security process c) technical d) HIPAA
b) security process
Which one of the following is not a normal account activity attribute to monitor? a) Login time b) Login location c) Password d) Incorrect login attempts
c) Password
What type of lock always requires entering a code to enter the facility? a) proximity card lock b) biometric lock c) cipher lock d) magnetic stripe card lock
c) cipher lock
What type of security control is designed to scare a potential intruder into not attempting a break-in in the first place? a) preventive control b) detective control c) deterrent control d) administrative control
c) deterrent control
What characteristic of biometrics measures the frequency at which legitimate users are denied access to a system or facility? a) false acceptance rate b) enrollment reliability c) false rejection rate d) intrusiveness factor
c) false rejection rate
What Windows mechanism allows the easy application of security settings to groups of users? a) SCEP b) ADUC c) MMC d) GPOs
d) GPOs
Jane uses an authentication token that requires her to push a button each time she wishes to log in to a system. What type of token is she using? a) SSL b) HMAC c) TOTP d) HOTP
d) HOTP #HMAC-based one-time password (HOTP) creates a password that doesn't expire. #TOTP creates a password that expires every 30 seconds.
Which one of the following access control cards is the easiest to duplicate without permission? a) Smart card b) Proximity card c) Active card d) Magnetic stripe card
d) Magnetic stripe card
Which one of the following is not an example of federated authentication? a) Facebook Connect b) Google Accounts c) Twitter Accounts d) RADIUS
d) RADIUS
Tobias recently permanently moved from a job in accounting to a job in human resources but never had his accounting privileges revoked. What situation occurred in this case? a) job rotation b) least privilege c) separation of duties d) privilege creep
d) privilege creep