security 21-29
What does Diffie-Hellman allow you to do? A. Exchange keys in-band B. Exchange keys out-of-band C. Both A and B D. Neither A nor B
A. Diffie-Hellman allows an in-band key exchange even if the entire data stream is being monitored, because the shared secret is never exposed.
Which of the following is not PII? A. Customer name B. Customer ID number C. Customer Social Security number or taxpayer identification number D. Customer birth date
B. A customer ID number generated by a firm to track customer records is meaningful only inside the firm and is generally not considered to be personally identifiable information (PII). It is important not to use the SSN as the customer ID number, for obvious reasons.
A mantrap is an example of which security control? (Choose all that apply.) A. Physical B. Corrective C. Administrative D. Preventative
A and D. It is possible for a specific security control to fall into more than one category. Because a mantrap is a physical barrier that prevents tailgating, it is both a physical control and a preventative control. Corrective controls are used post event, in an effort to minimize the extent of damage. An administrative control is a policy or procedure used to limit security risk.
Which of the following are reasons for an organization to have a job rotation policy? (Choose all that apply.) A. Since security is often of secondary concern to people in their jobs, rotating individuals through security positions can result in a much wider understanding of the organization's security problems. B. It helps to maintain a high level of employee morale. C. It ensures all important operations can still be accomplished should budget cuts result in the termination of a number of employees. D. It eliminates the need to rely on one individual for security expertise.
A and D. Since security is often of secondary concern to people in their jobs, rotating individuals through security positions can result in a much wider understanding of the organization's security problems. A secondary benefit is that it also eliminates the need to rely on one individual for security expertise. If all security tasks are the domain of one employee, security will suffer if that individual is lost from the organization.
Which of the following statements are true when discussing separation of duties? (Choose all that apply.) A. Separation of duties is a principle employed in many organizations to ensure that no single individual has the ability to conduct transactions alone. B. Employing separation of duties means that the level of trust in any one individual is lessened, and the ability for any individual to cause catastrophic damage to the organization is also lessened. C. Separating duties as a security tool is a good practice, but it is possible to go overboard and break up transactions into too many pieces or require too much oversight. D. Separation of duties spreads responsibilities out over an organization so no single individual becomes the indispensable individual with all of the "keys to the kingdom" or unique knowledge about how to make everything work.
A, B, C, and D. All of the statements are true when discussing separation of duties.
Which of the following are considerations for an organization's data backup strategy? (Choose all that apply.) A. How frequently backups should be conducted B. How extensive backups need to be C. Where the backups will be stored D. How long the backups will be kept
A, B, C, and D. All of these are considerations for an organization's data backup strategy.
Which of the following describes mission-essential functions? (Choose all that apply.) A. Functions that if they do not occur, the mission of the organization would be directly affected. B. Functions that if they are not accomplished properly would directly affect the mission of the organization. C. Functions that are considered essential to the organization. D. The routine business functions.
A, B, and C. Mission-essential functions are those that should they not occur, or be performed improperly, the mission of the organization will be directly affected. This is where you spend the majority of your effort, protecting the functions that are essential. It is important to separate mission-essential functions from other business functions.
A privacy impact assessment: A. Determines the gap between a company's privacy practices and required actions B. Determines the damage caused by a breach of privacy C. Determines what companies hold information on a specific person D. Is a corporate procedure to safeguard PII
A. A PIA determines the gap between what a company is doing with PII and what its policies, rules, and regulations state it should be doing.
What is the best method to destroy sensitive data on DVDs at a desktop? A. Shredding B. Burning C. Wiping D. Pulping
A. A desktop shredder can destroy DVDs and CDs. Burning is not wise at a desk. Wiping and pulping don't work on DVDs.
Which of the following is an analysis of whether PII is collected and maintained by a system? A. Privacy threshold assessment B. Privacy impact assessment C. Risk assessment D. Threat assessment
A. A privacy threshold assessment is an analysis of whether PII is collected and maintained by a system. A privacy impact assessment (PIA) is a structured approach to determining the gap between desired privacy performance and actual privacy performance. A risk assessment is an analysis of risks based on statistical and mathematical models. A threat assessment is a structured analysis of the threats that confront an enterprise.
What kind of cryptography makes key management less of a concern? A. Asymmetric B. Hashing C. Digital signatures D. Symmetric
A. Asymmetric cryptography makes key management less of a concern because the private key material is never shared.
What is the term used to describe the requirement where some countries have enacted laws stating that certain types of data must be stored within their boundaries? A. Data sovereignty B. International intellectual property C. International privacy rights D. National data protection rights
A. Data sovereignty is a relatively new phenomenon, but in the past couple of years several countries have enacted laws stating that certain types of data must be stored within their boundaries. The other terms do not describe any actual situation.
Which type of evidence is oral testimony that proves a specific fact (such as an eyewitness's statement), where the knowledge of the fact is obtained through the five senses of the witness, with no inferences or presumptions? A. Direct evidence B. Real evidence C. Documentary evidence D. Demonstrative evidence
A. Direct evidence is oral testimony that proves a specific fact (such as an eyewitness's statement). The knowledge of the facts is obtained through the five senses of the witness, with no inferences or presumptions. Real evidence is also known as associative or physical evidence and this includes tangible objects that prove or disprove a fact. Physical evidence links the suspect to the scene of a crime. Evidence in the form of business records, printouts, manuals, and similar objects, which make up much of the evidence relating to computer crimes, is documentary evidence. Demonstrative evidence is used to aid the jury and can be in the form of a model, experiment, chart, and so on, offered to prove that an event occurred.
Which of the following is a common measure of how long it takes to fix a given failure? A. MTTR B. RTO C. RPO D. MTBF
A. Mean time to repair (MTTR) is a common measure of how long it takes to repair a given failure. The term recovery time objective (RTO) is used to describe the target time that is set for a resumption of operations after an incident. Recovery point objective (RPO) is the time period representing the maximum period of acceptable data loss. Mean time between failures (MTBF) is a common measure of reliability of a system and is an expression of the average time between system failures.
Which of the following is the term used for a document used to explain the boundaries of company secret material, information over which control should be exercised to prevent disclosure to unauthorized parties, and to obtain agreement to follow these limits? A. Non-disclosure agreement (NDA) B. Data access agreement (DAA) C. Data disclosure agreement (DDA) D. Data release agreement (DRA)
A. Non-disclosure agreements (NDAs) are standard corporate documents used to explain the boundaries of company secret material, information over which control should be exercised to prevent disclosure to unauthorized parties.
What does OCSP do? A. It reviews the CRL for the client and provides a status about the certificate being validated. B. It outlines the details of a certificate authority, including how identities are verified, the steps the CA follows to generate certificates, and why the CA can be trusted. C. It provides for a set of values to be attached to the certificate. D. It provides encryption for digital signatures.
A. Online Certificate Status Protocol (OCSP) is an online protocol that will look for a certificate's serial number on CRLs and provide a status message about the certificate to the client. A CRL, or certificate revocation list, is "a list of digital certificates that have been revoked by the issuing certificate authority before their scheduled expiration date and should no longer be trusted."
How does Open System authentication differ from a pre-shared key? A. Open System authentication only matches the SSID of the system, which is part of all the Wi-Fi packets, so there is no real authentication as with a pre-shared key. B. Open System authentication uses a more complex hashing algorithm to pad the encryption key. C. Open System authentication requires a RADIUS server. D. Open System authentication is best suited for Enterprise applications.
A. Open System authentication only matches the SSID and generates a random number from that. Because the SSID is part of the Wi-Fi packets, there is no real authentication.
Which phase of the incident response process occurs before an actual incident? A. Preparation B. Identification C. Containment D. Prevention
A. Preparation is the phase of incident response that occurs before a specific incident. Preparation includes all the tasks needed to be organized and ready to respond to an incident. The act of identification is coming to a decision that the information related to the incident is worthy of further investigation by the IR team. Containment is the set of actions taken to constrain the incident to the minimal number of machines. Prevention is not a phase of the incident response process.
What has made the PGP standard popular for so long? A. Its flexible use of both symmetric and asymmetric algorithms B. Simple trust model C. The ability to run on any platform D. The peer-reviewed algorithms
A. Pretty Good Privacy (PGP) is a popular standard because of its use of both symmetric and asymmetric algorithms when best suited to the type of encryption being done.
A friend at work asks you to e-mail him some information about a project you have been working on, but then requests you "to hide the e-mail from the monitoring systems by encrypting it using ROT13." What is the weakness in this strategy? A. ROT13 is a very simple substitution scheme and is well understood by anyone monitoring the system, providing no security. B. ROT13 is not an algorithm. C. The monitoring system will not allow anything but plaintext to go through. D. ROT13 is more secure than is needed for an internal e-mail.
A. ROT13 is a simple substitution cipher that is very well known and will be simple for any person or system to decode.
A common data element needed later in the forensics process is an accurate system time with respect to an accurate external time source. A record time offset is calculated by measuring system time with an external clock such as a Network Time Protocol (NTP) server. Which of the following must be considered relative to obtaining a record time offset? A. The record time offset can be lost if the system is powered down, so it is best collected while the system is still running. B. The internal clock may not be recorded to the same level of accuracy, so conversions may be necessary. C. External clock times may vary as much as 2 to 3 seconds, so it is best to obtain the time from several NTP servers to gain a more accurate reading. D. Recording time to track man-hours is a legal requirement.
A. Record time offset will be lost if the system is powered down, so it is best collected while the system is still running.
Why does ECC work well on low-power devices? A. Less entropy is needed for a given key strength. B. Less computational power is needed for a given key strength. C. Less memory is needed for a given key strength. D. None of the above.
B. ECC uses less computational power for a given key strength than traditional asymmetric algorithms.
What is the name given to mandatory elements regarding the implementation of a policy? A. Standards B. Guidelines C. Regulations D. Procedures
A. Standards is the term given to mandatory elements regarding the implementation of a policy.
Which rule of evidence addresses the fact that courts prefer original evidence rather than a copy, to ensure that no alteration of the evidence (whether intentional or unintentional) has occurred? A. Best evidence rule B. Hearsay rule C. Exclusionary rule D. Direct evidence rule
A. The best evidence rule addresses the fact that courts prefer original evidence rather than a copy, to ensure that no alteration of the evidence (whether intentional or unintentional) has occurred. The hearsay rule addresses second-hand evidence: evidence offered by the witness that is not based on the personal knowledge of the witness but is being offered to prove the truth of the matter asserted. The Fourth Amendment to the U.S. Constitution precludes illegal search and seizure. Therefore, any evidence collected in violation of the Fourth Amendment is not admissible as evidence. This is addressed by the exclusionary rule. There was no discussion of a direct evidence rule.
Data privacy as applicable to organizations is defined as: A. The control the organization exerts over its data B. The organization being able to keep its information secret C. Making data-sharing illegal without consumer consent D. No longer important in the Internet age
A. The control the organization exerts over its data is the definition of data privacy in an enterprise.
Who is responsible for determining what data is needed by the enterprise? A. Data owner B. Privacy officer C. Data custodian D. Data steward
A. The data owner determines the business need. The privacy officer ensures that laws and regulations are followed, and the custodian/steward maintains the data.
What makes a digitally signed message different from an encrypted message? A. A digitally signed message has encryption protections for integrity and non-repudiation, which an encrypted message lacks. B. A digitally signed message uses much stronger encryption and is harder to break. C. An encrypted message only uses symmetric encryption, whereas a digitally signed message uses both asymmetric and symmetric encryption. D. There is no difference.
A. The digital signature includes a hash of the message to supply message integrity and uses asymmetric encryption to demonstrate non-repudiation, the fact that the sender's private key was used to sign the message.
Why should you use a VPN when attached to a public WPA hotspot? A. Anyone with the key can store all the packets for later decryption. B. Public Wi-Fi networks are set up for man-in-the-middle attacks. C. To ensure browser secrecy. D. An attacker could sniff your RADIUS packets.
A. The reason to use a VPN on any public Wi-Fi network is that, as a shared network, attackers may be attempting to capture all the traffic. In a public Wi-Fi configured with WEP or WPA, using a shared key also allows attackers to easily decrypt the traffic.
What issue does a wildcard certificate solve? A. The need for separate certificates for multiple, potentially dynamic subdomains B. The failure of proper reverse DNS configurations C. The need for certificates to be reissued after expiration D. The need for the root CA to have intermediate CAs
A. The wildcard certificate will be valid for all possible subdomains of the primary domain. This is good for organizations that have multiple potentially dynamic subdomains.
From the initial step in the forensics process, the most important issue must always be which of the following? A. Preservation of the data B. Chain of custody C. Documenting all actions taken D. Witness preparation
A. While all of these are important, from the initial step in the forensics process, the most important issue must always be preservation of the data.
Which of the following are true in regard to a clean desk policy for security? (Choose all that apply.) A. While a clean desk policy makes for a pleasant work environment, it actually has very little impact on security. B. Sensitive information must not be left unsecured in the work area when the worker is not present to act as custodian. C. Even leaving the desk area and going to the bathroom can leave information exposed and subject to compromise. D. A clean desk policy should identify and prohibit things that are not obvious upon first glance, such as passwords on sticky notes under keyboards and mouse pads.
B, C, and D. A clean desk policy can actually have a positive impact on security for the reasons listed.
A colleague who is performing a rewrite of a custom application that was using 3DES encryption asks you how 3DES can be more secure than the DES it is based on. What is your response? A. 3DES uses a key that's three times longer. B. 3DES loops through the DES algorithm three times, with different keys each time. C. 3DES uses transposition versus the substitution used in DES. D. 3DES is no more secure than DES.
B. 3DES can be more secure because it loops through the DES algorithm three times, with a different key each time: encrypt with key 1, decrypt with key 2, and then encrypt with key 3.
Which of the following is a description of a business partnership agreement (BPA)? A. A negotiated agreement between parties detailing the expectations between a customer and a service provider. B. A legal agreement between entities establishing the terms, conditions, and expectations of the relationship between the entities. C. A specialized agreement between organizations that have interconnected IT systems, the purpose of which is to document the security requirements associated with the interconnection. D. A written agreement expressing a set of intended actions between the parties with respect to some common pursuit or goal.
B. A business partnership agreement is a legal agreement between entities establishing the terms, conditions, and expectations of the relationship between the entities.
Which of the following is a system component whose failure or malfunctioning could result in the failure of the entire system? A. Mean time between failures B. Single point of failure C. Single loss expectancy D. Likelihood of occurrence
B. A single point of failure is any aspect that, if triggered, could result in the failure of the system. Mean time between failures (MTBF) is a common measure of reliability of a system and is an expression of the average time between system failures. Single loss expectancy (SLE) is the expected loss from the occurrence of a risk on an asset. The likelihood of occurrence is the chance that a particular risk will occur.
Which of the following is a partially configured location, usually having the peripherals and software but perhaps not a more expensive main processing computer? A. Cold site B. Warm site C. Hot site D. Recovery site
B. A warm site is partially configured, usually having the peripherals and software but perhaps not the more expensive main processing computer. A cold site will have the basic environmental controls necessary to operate but few of the computing components necessary for processing. A hot site is a fully configured environment similar to the normal operating environment that can be operational immediately or within a few hours depending on its configuration and the needs of the organization. A recovery site is any location where restoration of services would take place, whether cold, warm, or hot.
Information that could disclose the identity of a customer is referred to as? A. Customer identity information (CII) B. Personally identifiable information (PII) C. Privacy protected information (PPI) D. Sensitive customer information (SCI)
B. Any information that can be used to determine identity is referred to collectively as personally identifiable information (PII).
Which of the following is the name often used to describe the process of addressing the questions associated with sources of risk, the impacts and the steps taken to mitigate them in the enterprise? A. Risk assessment B. Business impact analysis C. Threat assessment D. Penetration test
B. Business impact analysis (BIA) is the name often used to describe a document created by addressing the questions associated with sources of risk and the steps taken to mitigate them in the enterprise. A risk assessment is a method to analyze potential risk based on statistical and mathematical models. A common method is the calculation of the annualized loss expectancy (ALE). A threat assessment is a structured analysis of the threats that confront an enterprise. Penetration tests are used by organizations that want a real-world test of their security.
What cipher mode is potentially vulnerable to a POODLE attack? A. ECB B. CBC C. CTR D. GCM
B. Cipher Block Chaining (CBC) mode is vulnerable to a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack, where the system freely responds to a request about a message's padding being correct. Manipulation of the padding is used in the attack.
What is the term for the set of steps needed to develop a comprehensive plan to enact during a situation where normal operations are interrupted? A. Disaster recovery B. Continuity of operations planning C. Incident response planning D. Restoration of business functions planning
B. Continuity of operations planning is the set of steps needed to develop a comprehensive plan to enact during a situation where normal operations are interrupted. Disaster recovery is the process that an organization uses to recover from events that disrupt normal operations. An incident response plan describes the steps an organization performs in response to any situation determined to be abnormal in the operation of a computer system. Restoration of business functions planning is not a standard term used in recovery planning.
Which type of security control is used post event, in an effort to minimize the extent of damage? A. Deterrent B. Corrective C. Preventative D. Detective
B. Corrective controls are used post event, in an effort to minimize the extent of damage. A deterrent control acts to influence the attacker by reducing the likelihood of success. A preventative control is one that prevents specific actions from occurring. A detective control is one that facilitates the detection of a security breach.
What is the advantage of a crypto module? A. Custom hardware adds key entropy. B. It performs operations and maintains the key material in a physical or logical boundary. C. It performs encryption much faster than general-purpose computing devices. D. None of the above.
B. Crypto modules, such as smartcards, maintain the key material inside a physical or logical boundary and perform cryptographic operations inside the boundary. This ensures that private key material is kept secure.
What is the difference between linear and differential cryptanalysis? A. Differential cryptanalysis can examine symmetric and asymmetric ciphers, whereas linear cryptanalysis only works on symmetric ciphers. B. Linear cryptanalysis puts the input text through a simplified cipher, whereas differential cryptanalysis does not. C. Unlike differential cryptanalysis, linear cryptanalysis is deprecated because it does not work on newer ciphers. D. Differential cryptanalysis cannot take advantage of computational improvements, whereas linear cryptanalysis makes full use of newer computations.
B. Differential cryptanalysis works by comparing the input plaintext to the output ciphertext, while linear cryptanalysis runs plaintext through a simplified version of the cipher to attempt to deduce the key.
Which authentication protocol uses a Protected Access Credential (PAC)? A. PEAP B. EAP-FAST C. EAP-TLS D. EAP-TTLS
B. EAP-FAST uses the Protected Access Credential (PAC) to create the TLS tunnel.
Which phase of the incident response process involves removing the problem? A. Identification B. Eradication C. Recovery D. Mitigation
B. Eradication involves removing the problem, and in today's complex system environment, this may mean rebuilding a clean machine. The act of identification is coming to a decision that the information related to the incident is worthy of further investigation by the IR team. The recovery process includes the steps necessary to return the systems and applications to operational status. Mitigation is not a phase in the incident response process.
What cipher mode is used in the IEEE 802.1AE standard and recognized by NIST? A. CTR B. GCM C. CBC D. ECB
B. Galois Counter Mode (GCM) is recognized by NIST and is used in the 802.1AE standard.
Hashing is most commonly used for which of the following? A. Digital signatures B. Secure storage of passwords for authentication C. Key management D. Block cipher algorithm padding
B. Hashing is most commonly used to securely store passwords on systems so that users can authenticate to the system.
In the U.S. legal system, at what point does legal precedent require that potentially relevant information must be preserved? A. When the owner is provided with a warrant to seize the storage device B. At the instant a party "reasonably anticipates" litigation or another type of formal dispute C. The moment any investigation is begun D. When a law enforcement official or officer of the court requests that the storage device be secured to ensure no data is modified or destroyed
B. In the U.S. legal system, legal precedent requires that potentially relevant information must be preserved at the instant a party "reasonably anticipates" litigation or another type of formal dispute.
What is the term used to describe the steps an organization performs after any situation determined to be abnormal in the operation of a computer system? A. Computer/network penetration incident plan B. Incident response plan C. Backup restoration and reconfiguration D. Cyber event response
B. Incident response plan is the term used to describe the steps an organization performs in response to any situation determined to be abnormal in the operation of a computer system.
Which of the following purposes for conducting computer forensics is also a description of what is referred to as incident response? A. Investigating and analyzing computer systems as related to a violation of laws B. Investigating computer systems that have been remotely attacked C. Investigating and analyzing computer systems for compliance with an organization's policies D. None of the above
B. Investigating computer systems that have been remotely attacked is often referred to as incident response and can be a subset of the other two points.
What is the greatest risk to an organization when employees comingle corporate and personal e-mail? A. Lost work productivity B. Introduction of malware to the network C. Loss of company data D. Use of server resources for personal mail storage
B. Malware can come from personal e-mail as well as corporate e-mail, and serious mail screening on corporate mail servers before users get the mail does not occur with third-party mail apps. While occasional use of work e-mail for personal use probably doesn't add enough data to be a storage concern, nor is the loss of work productivity typically significant, malware should always be a concern.
In the United States, company responses to data disclosures of PII are regulated by: A. Federal law, the Privacy Act B. A series of state statutes C. Contractual agreements with banks and credit card processors D. The Gramm-Leach-Bliley Act (GLBA)
B. No overarching federal disclosure statute exists, so company responses to data disclosures of PII are regulated by individual statutes in most states and territories.
Data that is labeled "Proprietary" typically pertains to what category? A. Information under legal hold B. Information to be safeguarded by business partners because it contains business secrets C. Personal data D. PHI and PII together
B. Proprietary data may be shared with a third party that is not a competitor, but in labeling the data Proprietary, you alert the party you have shared with that the data is not to be shared further.
Why is the random number used in computing called a pseudo-random number? A. They could have an unknown number. B. Algorithms cannot create truly random numbers. C. The numbers have deliberate weaknesses placed in them by the government. D. They follow a defined pattern that can be detected.
B. Random numbers in a computer are generated by an algorithm, and it is not possible to create truly random numbers, so only numbers that are very close to being random, called pseudo-random numbers, are possible.
Which type of evidence is also known as associative or physical evidence and includes tangible objects that prove or disprove a fact? A. Direct evidence B. Real evidence C. Documentary evidence D. Demonstrative evidence
B. Real evidence is also known as associative or physical evidence and includes tangible objects that prove or disprove a fact. Physical evidence links the suspect to the scene of a crime. Direct evidence is oral testimony that proves a specific fact (such as an eyewitness's statement). The knowledge of the facts is obtained through the five senses of the witness, with no inferences or presumptions. Evidence in the form of business records, printouts, manuals, and similar objects, which make up much of the evidence relating to computer crimes, is documentary evidence. Demonstrative evidence is used to aid the jury and can be in the form of a model, experiment, chart, and so on, offered to prove that an event occurred.
Which of the following is the best description of risk? A. The cost associated with a realized risk B. The chance of something not working as planned C. Damage that is the result of unmitigated risk D. The level of concern one places for the well-being of people
B. Risk is the chance of something not working as planned and causing an adverse impact. Impact is the cost associated with a realized risk.
In developing a system with a logon requirement, you need to design the system to store passwords. To ensure that the passwords being stored do not divulge secrets, which of the following is the best solution? A. Key stretching B. Salt C. Obfuscation D. Secret algorithms
B. Salts are used to provide increased entropy and eliminate the problem of identical passwords between accounts.
Which of the following is the name typically given to administrative users with the responsibility of maintaining a system within its defined requirements? A. System owner B. System administrator C. Privileged user D. Executive user
B. System administrators are administrative users with the responsibility of maintaining a system within its defined requirements.
The X.509 standard applies to which of the following? A. SSL providers B. Digital certificates C. Certificate Revocation Lists D. Public key infrastructure
B. The X.509 standard is used to define the properties of digital certificates.
Why are hash collisions bad for malware prevention? A. Malware could corrupt the hash algorithm. B. Two different programs with the same hash could allow malware to be undetected. C. The hashed passwords would be exposed. D. The hashes are encrypted and cannot change.
B. The ability to create a program that has the same hash as a known-good program would allow malware to be undetected by detection software that uses a hash list of approved programs.
Which of the following is a representation of the frequency of an event, measured in a standard year? A. Annual Loss Expectancy (ALE) B. Annualized Rate of Occurrence (ARO) C. Single Loss Expectancy (SLE) D. Annualized Expectancy of Occurrence (AEO)
B. The annualized rate of occurrence (ARO) is a representation of the frequency of the event, measured in a standard year. The annual loss expectancy (ALE) is calculated by multiplying the single loss expectancy (SLE) by the likelihood or number of times the event is expected to occur in a year. The SLE is calculated by multiplying the asset value times the exposure factor. Annualized expectancy of occurrence (AEO) is not a term used in the cybersecurity industry.
What is the term used to describe the process that accounts for all persons who handled or had access to a piece of evidence? A. Secure e-discovery B. Chain of custody C. Evidence accountability process D. Evidence custodianship
B. The chain of custody accounts for all persons who handled or had access to the evidence.
All but which of the following are items associated with privacy of health records? A. Protected Health Information B. Personal Health Information C. Notice of Privacy Practices D. HITECH Act extension of HIPAA
B. The correct term per HIPAA is Protected Health Information.
What allows RADIUS to scale to a worldwide authentication network? A. Strong encryption B. Certificate-based tunneling and EAP C. CCMP-delegated authentication D. Two-factor authentication
B. The use of SSL-based tunneling and EAP packets makes the distributed authentication of RADIUS possible.
Your organization has recently acquired another company and needs to enable secure communications with them. You register your CA for a certificate from the other CA and the other organization registers for a certificate from your CA and they each trust the other CA. What is this an example of? A. Third-party trust model B. Bidirectional trust model C. Unidirectional trust model D. Secure key exchange model
B. This is an example of the bidirectional trust model, allowing each CA to trust certificates issued by the other CA, and allowing users to trust the certificates issued by the other CA.
Which of the following is an issue that must be addressed if an organization enforces a mandatory vacation policy? A. Enforcing a mandatory vacation policy in most cases is a costly policy. B. Using mandatory vacations as a tool to detect fraud will require that somebody else also be trained in the functions of the employee who is on vacation. C. Vacations often occur at the most inopportune time for the organization and can affect its ability to complete projects or deliver services. D. Forcing employees to take a vacation if they don't want to often will result in disgruntled employees, which can introduce another security threat.
B. Using mandatory vacations as a tool to detect fraud will require that somebody else also be trained in the functions of the employee who is on vacation. The organization must therefore ensure that they have a second person who is familiar with the vacationing employee's duties.
Why would WPA be considered a stopgap fix for the issues with WEP? A. It modernizes Wi-Fi with a new encryption cipher. B. It provides for using temporary WEP keys to avoid the weakness in WEP, but does not replace the underlying encryption cipher. C. It overlays TLS connections on top of the existing WEP encryption to tunnel all traffic back to the access point, but it does not enhance the underlying encryption cipher. D. It enforces the use of long-key WEP while having an autogenerated MAC filtering list to avoid potential eavesdropping.
B. WPA is a stopgap due to its software-only implementation in that it still uses the flawed WEP RC4 cipher, albeit with temporary keys.
Why is WPA2-Personal not ideal for a large organization? A. It has weak encryption. B. The pre-shared key must be securely shared with all users. C. It has only an eight-digit PIN. D. It uses Open System authentication.
B. WPA2 in Personal mode uses a pre-shared key, and this key must be shared with all users, which is challenging in a large organization.
Your manager wants you to review the company's internal PKI system's CPS (Certification Practice Statement) for applicability and verification and to ensure that it meets current needs. What are you most likely to focus on? A. Revocations B. Trust level provided to users C. Key entropy D. How the keys are stored
B. You are most likely to focus on the level of trust provided by the CA to users of the system, as providing trust is the primary purpose of the CA.
Taking a root CA offline is important for security purposes, but with the root CA offline, how does the PKI operate? A. It has to be started periodically to provide CSR signing and CRL updates. B. All services are delegated to an intermediate CA. C. The endpoints cache the trust model until the root CA comes back online. D. Pinning.
B. You can take a root CA offline if all its normal services, such as signing CSRs and generating CRLs, are delegated to an intermediate CA. Because root CA certificates tend to have very long timelines, 20 years, and those of intermediate CAs are much shorter, 3 to 5 years, this solution works much better to avoid the problem of a compromised CA certificate.
When discussing location for storage of backups, which of the following is true? (Choose all that apply.) A. The most recent copy should be stored off-site, as it is the one that is most current and is thus the most valuable one. B. Off-site storage is generally not necessary except in cases where the possibility of a break-in at the main facility is high. C. Off-site storage is a good idea so that you don't lose your backup to the same event that caused you to lose your operational data and thus need the backup. D. The most recent copy can be stored locally, as it is the most likely to be needed, while other copies can be kept at other locations.
C and D. Off-site storage is a good idea so that you don't lose your backup to the same event that caused you to lose your operational data and thus need the backup. Additionally, the most recent copy can be stored locally, as it is the most likely to be needed, while other copies can be kept at other locations.
Volatile information locations such as the RAM change constantly and data collection should occur in the order of volatility or lifetime of the data. Order the following list from most volatile (which should be collected first) to least volatile. A. Routing tables, ARP cache, process tables, kernel statistics B. Memory (RAM) C. CPU, cache, and register contents D. Temporary file system/swap space
C, A, B, and D. The most volatile elements should be examined and collected first and in this order.
Which of the following is a fully configured environment similar to the normal operating environment that can be operational immediately or within a few hours depending on its configuration and the needs of the organization? A. Cold site B. Warm site C. Hot site D. Recovery site
C. A hot site is a fully configured environment similar to the normal operating environment that can be operational immediately or within a few hours depending on its configuration and the needs of the organization. A cold site will have the basic environmental controls necessary to operate but few of the computing components necessary for processing. A warm site is partially configured, usually having the peripherals and software but perhaps not the more expensive main processing computer. A recovery site is any location where restoration of services would take place, whether cold, warm, or hot.
What is the term used for a high-level statement produced by senior management that outlines what security means to the organization and what the organization's goals are for security? A. Security standard B. Statement of security goals (SSG) C. Security policy D. Security guidance
C. A security policy is a high-level statement produced by senior management that outlines what security means to the organization and what the organization's goals are for security.
Which of the following would a capture video not be used to collect? A. Serial number plates B. Cable connections C. System image D. Physical layout and existence of systems
C. A system image is a dump of the physical memory of a computer system and would not be captured in a video. All of the others are static sources of information that a capture video is valuable in recording.
Which security control is a policy or procedure used to limit physical security risk? A. Physical B. Technical C. Administrative D. Corrective
C. An administrative control is a policy or procedure used to limit security risk. A physical control is one that prevents specific physical actions from occurring. A technical control is the use of some form of technology to address a security issue. Corrective controls are used post event, in an effort to minimize the extent of damage.
What is the primary vulnerability of pre-shared keys? A. They have a weak initialization vector. B. They could have too low a key strength. C. They can be brute forced. D. All of the above.
C. Any pre-shared keys can be configured to be short, and therefore susceptible to a brute force attack. The defense against this is to always use long and complex PSKs.
What is a key consideration when implementing an RC4 cipher system? A. Key entropy B. External integrity checks C. Checks for weak keys D. Secure key exchange
C. As RC4 is susceptible to weak keys, one key in 256 is considered weak and should not be utilized. Any implementation should have a check for weak keys as part of the protocol.
You are issued a certificate from a CA, delivered by e-mail, but the file does not have an extension. The e-mail notes that the root CA, the intermediate CAs, and your certificate are all attached in the file. What format is your certificate likely in? A. DER B. CER C. PEM D. None of the above
C. Because the certificate includes the entire certificate chain, it is most likely delivered to you in PEM format.
Why are computers helpful in the function of public key systems? A. They can store keys that are very large in memory. B. They provide more efficient SSL key exchange for servers. C. They can easily multiply very large prime numbers. D. They can encrypt large amounts of data.
C. Computers can easily multiply prime numbers that are many digits in length, improving the security of the cipher.
In which phase of the incident response process are actions taken to constrain the incident to the minimal number of machines? A. Eradication B. Identification C. Containment D. Recovery
C. Containment is the set of actions taken to constrain the incident to the minimal number of machines. Eradication involves removing the problem, and in today's complex system environment, this may mean rebuilding a clean machine. The act of identification is coming to a decision that the information related to the incident is worthy of further investigation by the IR team. The recovery process includes the steps necessary to return the systems and applications to operational status.
Security, privacy, and retention policies for data are important to an organization. Not all data requires the same handling restrictions, but all data requires these characteristics to be defined. Defining these characteristics for specific information is generally the responsibility of which of the following? A. The data security office B. The privacy office C. The data owner D. An individual specifically given this responsibility for the organization
C. Defining these characteristics is the responsibility of the data owner.
If you need to ensure authentication, confidentiality, and non-repudiation when sending sales quotes, which method best achieves the objective? A. Key stretching B. Asymmetric encryption C. Digital signature D. Ephemeral keys
C. Digital signatures can support confidentiality, integrity, and authentication of "signed" materials.
Which authentication protocol uses mandatory client-side certificates, making it more challenging to maintain if guest access is provided to visitors? A. PEAP B. EAP-FAST C. EAP-TLS D. EAP-TTLS
C. EAP-TLS uses client-side certificates.
You are tasked with the implementation of Wi-Fi in Enterprise mode. The initial network diagram shows only the updated access points and network switches. What component is missing from the diagram? A. Guest wireless B. NAC server C. Authentication server D. Certificate authority
C. Enterprise mode mandates authentication, so an authentication server, typically RADIUS, is required.
What is the name of the process for moving from a normal operational capability to the continuity-of-operations version of the business? A. Disaster recovery B. Alternate business practices C. Failover D. Continuity of business functions
C. Failover is the process for moving from a normal operational capability to the continuity-of-operations version of the business. Disaster recovery is the process that an organization uses to recover from events that disrupt normal operations. Alternate business practices are developed in recognition that processes may need to be different in a continuity of operations situation since the focus is only on maintaining key systems. Continuity of business functions is not a term used in industry.
Which of the following impacts is in many ways the final arbiter of all activities, for it is how we "keep score"? A. Reputation B. Safety C. Finance D. Life
C. Finance is in many ways the final arbiter of all activities, for it is how we keep score. The others are important but are not considered the final arbiter.
What is the best way, if any, to get the plaintext from a hash value? A. Use linear cryptanalysis. B. Factor prime numbers. C. You cannot get the plaintext out of a hash value. D. Use an ephemeral key.
C. Hash ciphers are designed to reduce the plaintext to a small value and are built to not allow extraction of the plaintext. This is why they are commonly called "one-way" functions.
You are browsing a website when your browser provides you with a warning message that "There is a problem with this website's security certificate." When you examine the certificate, it indicates that the root CA is not trusted. What most likely happened to cause this error? A. The certificate was revoked. B. The certificate does not have enough bit length for the TLS protocol. C. The server's CSR was not signed by a trusted CA. D. The certificate has expired.
C. In this case, the server's CSR (certificate signing request) was not signed by a CA that is trusted by the endpoint computer, so no third-party trust can be established. This could be an indication of an attack, so the certificate should be manually verified before providing data to the web server.
Why is LSB encoding the preferred method for steganography? A. It uses much stronger encryption. B. It applies a digital signature to the message. C. It alters the picture the least amount possible. D. It provides additional entropy.
C. LSB, or Least Significant Bit, is designed to place the encoding into the image in the least significant way to avoid altering the image.
The Freedom of Information Act applies to which of the following? A. All federal government documents, without restrictions B. All levels of government documents (federal, state, and local) C. Federal government documents, with a few enumerated restrictions D. Only federal documents containing information concerning the requester
C. Nine groups of documents are exempt from FOIA requests.
Why would you use PBKDF2 as part of your encryption architecture? A. To use the speed of the crypto subsystems built into modern CPUs B. To increase the number of rounds a symmetric cipher has to perform C. To stretch passwords into secure-length keys appropriate for encryption D. To add hash-based message integrity to a message authentication code
C. PBKDF2 is a key stretching algorithm that stretches a password into a key of suitable length by adding a salt and then performing an HMAC to the input thousands of times.
Which of the following is the process of subjectively determining the impact of an event that affects a project, program, or business? A. Likelihood of occurrence B. Supply chain assessment C. Qualitative risk assessment D. Quantitative risk assessment
C. Qualitative risk assessment is the process of subjectively determining the impact of an event that affects a project, program, or business. The likelihood of occurrence is the chance that a particular risk will occur. A supply-chain assessment considers not just the risk associated with a system, but the risk embedded in a system as a result of its components that the vendor has obtained through its supply chain, which could span the globe. Quantitative risk assessment is the process of objectively determining the impact of an event that affects a project, program, or business.
Which standard of evidence states the evidence must be material to the case or have a bearing on the matter at hand? A. Direct evidence B. Competent evidence C. Relevant evidence D. Sufficient evidence
C. Relevant evidence states the evidence must be material to the case or have a bearing on the matter at hand. Sufficient evidence states the evidence must be convincing or measure up without question. Direct evidence is oral testimony that proves a specific fact (such as an eyewitness's statement). The knowledge of the facts is obtained through the five senses of the witness, with no inferences or presumptions. Competent evidence states the evidence must be legally qualified and reliable.
Which of the following models best describes Internet SSL public key infrastructure? A. Third-party trust model B. Bidirectional trust model C. Unidirectional trust model D. Secure key exchange model
C. SSL PKI is based largely on the unidirectional trust model, where the lower servers in the certificate chain all trust the higher ones in the certificate chain.
Which backup strategy focuses on copies of virtual machines? A. Incremental B. Full C. Snapshot D. Differential
C. Snapshots refer to copies of virtual machines. The incremental backup is a variation on a differential backup, with the difference being that instead of copying all files that have changed since the last full backup, the incremental backup backs up only files that have changed since the last full or incremental backup occurred, thus requiring fewer files to be backed up. In a full backup, all files and software are copied onto the storage media. In a differential backup, only the files and software that have changed since the last full backup was completed are backed up.
Given a large quantity of data in the form of a streaming video file, what is the best type of encryption method to protect the content from unauthorized live viewing? A. Symmetric block B. Hashing algorithm C. Stream cipher D. Asymmetric block
C. Stream ciphers work best when the data is in very small chunks to be processed rapidly, such as live streaming video. Block ciphers are better for large chunks of data.
How does TKIP improve security? A. It uses stronger authentication. B. It changes the WEP padding algorithm. C. It uses a different key for each packet. D. It uses SSL VPN tunneling.
C. TKIP (Temporal Key Integrity Protocol) uses temporal keys, so there is a new key for every packet.
Which rule states that evidence is not admissible if it was collected in violation of the Fourth Amendment's prohibition of unreasonable search and seizure? A. Best evidence rule B. Hearsay rule C. Exclusionary rule D. Legal hold rule
C. The Fourth Amendment to the U.S. Constitution precludes illegal search and seizure. Therefore, any evidence collected in violation of the Fourth Amendment is not admissible as evidence. This is addressed by the exclusionary rule. The best evidence rule addresses the fact that courts prefer original evidence rather than a copy, to ensure that no alteration of the evidence (whether intentional or unintentional) has occurred. The hearsay rule addresses second-hand evidence: evidence offered by the witness that is not based on the personal knowledge of the witness but is being offered to prove the truth of the matter asserted. There was no discussion of a direct evidence rule.
The U.S. Privacy Act of 1974 applies to which of the following? A. Corporate records for U.S.-based companies B. Records from any company doing business in the United States C. Federal records containing PII D. All levels of government records containing PII
C. The Privacy Act is a federal law, affecting federal records only.
You are preparing an e-mail to send to a colleague at work, and because the message information is sensitive, you decide you should encrypt it. When you attempt to apply the certificate that you have for the colleague, the encryption fails. The certificate was listed as still valid for another year, and the certificate authority is still trusted and working. What happened to this user's key? A. It was using the wrong algorithm. B. You are querying the incorrect certificate authority. C. Revocation. D. The third-party trust model failed.
C. The certificate has likely been revoked, or removed from that user's identity and no longer marked valid by the certificate authority.
Your organization wants to deploy a new encryption system that will protect the majority of data with a symmetric cipher of at least 256 bits in strength. What is the best choice of cipher for large amounts of data at rest? A. RC4 B. 3DES C. AES D. Twofish
C. The most likely utilized cipher is AES. It can be run at 128-, 192-, and 256-bit strengths and is considered the gold standard of current symmetric ciphers, with no known attacks, and is computationally efficient.
Two major elements play a role in determining the level of response to an incident. Information criticality is the primary determinant. What is the other? A. Information sensitivity or the classification of the data B. The value of any data lost in the incident C. How the incident potentially affects the organization's operations D. Whether the organization wishes to pursue a legal settlement against the attacker(s)
C. The second factor involves a business decision on how this incident plays into current business operations. A series of breaches, whether minor or not, indicates a pattern that can have public relations and regulatory issues.
Which of the following terms is used to describe the target time that is set for a resumption of operations after an incident? A. RPO B. MTBF C. RTO D. MTTR
C. The term recovery time objective (RTO) is used to describe the target time that is set for a resumption of operations after an incident. Recovery point objective (RPO) is the time period representing the maximum period of acceptable data loss. Mean time between failures (MTBF) is a common measure of reliability of a system and is an expression of the average time between system failures. Mean time to repair (MTTR) is a common measure of how long it takes to repair a given failure.
You are asked by the senior system administrator to refresh the SSL certificates on the web servers. The process is to generate a certificate signing request (CSR), send it to a third party to be signed, and then apply the return information to the CSR. What is this an example of? A. Pinning B. Borrowed authority C. Third-party trust model D. MITM hardening
C. This is an example of the third-party trust model. Although you are generating the encryption keys on the local server, you are getting these keys signed by a third-party authority so that you can present the third party as the trusted agent for users to trust your keys.
While all employees may need general security awareness training, they also need specific training in areas where they have individual responsibilities. This type of training is referred to as which of the following? A. Functional training B. User training C. Role-based training D. Advanced user training
C. Training targeted to the user with regard to their role in the organization is generally referred to as role-based training or role-based awareness training.
You are building out a corporate Wi-Fi network that is intended for use only by corporate employees using corporate laptops (no guest access) and must be highly secure. Which of the following is the best solution? A. WPA B. WPA2-PSK C. WPA2-Enterprise D. WPS
C. WPA2-Enterprise is the correct version of WPA2 for this setup, as it uses enterprise-grade options to establish a shared secret.
Why is enabling WPS not recommended? A. It uses WEP-based encryption. B. The lack of support for AES. C. The use of an eight-digit PIN makes it susceptible to brute force attacks. D. All of the above.
C. WPS uses an eight-digit PIN and is subject to brute force attacks.
A certificate authority consists of which of the following? A. Hardware and software B. Policies and procedures C. People who manage certificates D. All of the above
D. A certificate authority is the hardware and software that manage the actual certificate bits, the policies and procedures that determine when certificates are properly issued, and the people who make and monitor the policies for compliance.
Why are ephemeral keys important to key exchange protocols? A. They are longer than normal keys. B. They add entropy to the algorithm. C. They allow the key exchange to be completed faster. D. They increase security by using a different key for each connection.
D. Ephemeral keys are important to key exchange protocols because they ensure that each connection has its own key for the symmetric encryption, and if an attacker compromises one key, he does not have all the traffic for this connection.
Which type of security control is used to meet a requirement when the requirement cannot be directly met? A. Preventative B. Physical C. Deterrent D. Compensating
D. A compensating control is one that is used to meet a requirement when the requirement cannot be directly met. Fire suppression systems do not prevent fire damage, but if properly employed, they can mitigate or limit the level of damage from fire. A preventative control is one that prevents specific actions from occurring. A physical control is one that prevents specific physical actions from occurring, such as a mantrap prevents tailgating. A deterrent control acts to influence the attacker by reducing the likelihood of success.
Which of the following performs a function similar to the familiar parity bits, checksum, or cyclic redundancy check? A. Record offset B. Cryptographic algorithm C. Authentication code D. Hashing algorithm
D. A hashing algorithm performs a function similar to the familiar parity bits, checksum, or cyclic redundancy check (CRC). It applies mathematical operations to a data stream (or file) to calculate some number that is unique based on the information contained in the data stream (or file).
Which of the following is used to essentially set the requisite level of performance of a given contractual service? A. Memorandum of understanding B. Inter-organizational service agreement (ISA) C. Memorandum of agreement D. Service level agreement (SLA)
D. A service level agreement (SLA) essentially sets the requisite level of performance for a given contractual service.
HIPAA requires which of the following controls for medical records? A. Encryption of all data B. Technical controls only C. Physical controls only D. Administrative, technical, and physical controls
D. Administrative, technical, and physical controls are mandated by HIPAA, including workforce training and awareness, encryption of data transfers, and physical barriers to records (locked storage rooms).
The FTC Disposal Rule applies to which of the following? A. Small businesses using consumer reporting information B. Debt collectors C. Individuals using consumer reporting information D. All of the above
D. All are listed by FTC as responsible for following the Disposal Rule. The Rule, formally known as the Disposal of Consumer Report Information and Records Rule, requires certain persons who have consumer report information for a business purpose to properly dispose of it by taking reasonable measures to protect it from unauthorized access.
Which of the following is an acceptable PII disposal procedure? A. Shredding B. Burning C. Electronic destruction per military data destruction standards D. All of the above
D. Although using electronic destruction per military data destruction standards might seem excessive (and in many cases it is), all of the options comply with FTC-mandated disposal procedures for PII.
What is the name given to a policy that outlines what an organization considers to be the appropriate use of its resources, such as computer systems, e-mail, Internet, and networks? A. Resource usage policy (RUP) B. Acceptable use of resources policy (AURP) C. Organizational use policy (OUP) D. Acceptable use policy (AUP)
D. An acceptable use policy (AUP) outlines what the organization considers to be the appropriate use of its resources, such as computer systems, e-mail, Internet, and networks.
You are the lead architect of the new encryption project. In a meeting one of your management staff members asks why she will be implementing key escrow as part of the encryption solution. Which reason or reasons would be important with the implementation of key escrow? A. Prevent data loss when a user forgets their private key passphrase B. Legal action in the form of court ordered discovery C. Satisfy security audit findings D. Both A and B
D. Both a forgotten key passphrase and a court-ordered government action could be remediated when the system design uses key escrow.
Which of the following is a requirement for a CRL? A. It must have the e-mail addresses of all the certificate owners. B. It must contain a list of all expired certificates. C. It must contain information about all the subdomains that are covered by the CA. D. It must be posted to a public directory.
D. Certificate Revocation Lists must be posted to a public directory so that all users of the system can query it.
Which of the following has its roots in system engineering, where it is commonly referred to as configuration management? A. Configuration control B. Security control C. Administrative control D. Change management
D. Change management has its roots in system engineering, where it is commonly referred to as configuration management. Configuration control is the process of controlling changes to items that have been baselined. Configuration control ensures that only approved changes to a baseline are allowed to be implemented. A security control is a mechanism employed to minimize exposure to risk and mitigate the effects of loss. An administrative control is a policy or procedure used to limit security risk.
Your manager wants you to spearhead the effort to implement digital signatures in the organization and to report to him what is needed for proper security of those signatures. You likely have to study which algorithm? A. RC4 B. AES C. SHA-1 D. RSA
D. Digital signatures require a public key algorithm, so most likely you need to study RSA to provide the asymmetric cryptography.
You are implementing a new wireless system to allow access in all buildings of your corporate campus. You have selected WPA2-Enterprise with 802.1X and a RADIUS server. What is the most efficient way to allow visitors access to the wireless network? A. Set up an air-gapped wireless network with Open System authentication enabled so that visitors can easily get access. B. Have a series of one-time-use authentication tokens available at the front guard desk so that visitors can use 802.1X and the RADIUS server. C. Add all visitors to your Active Directory so they can log onto the wireless natively. D. Implement a captive portal.
D. Implementing a captive portal will ensure that users can easily authenticate and gain access. A captive portal is a Web page that the user of a public-access network is obliged to view and interact with before access is granted.
Which backup strategy includes only the files and software that have changed since the last full backup? A. Incremental B. Full C. Snapshot D. Differential
D. In a differential backup, only the files and software that have changed since the last full backup was completed are backed up. The incremental backup is a variation on a differential backup, with the difference being that instead of copying all files that have changed since the last full backup, the incremental backup backs up only files that have changed since the last full or incremental backup occurred, thus requiring fewer files to be backed up. In a full backup, all files and software are copied onto the storage media. Snapshots refer to copies of virtual machines.
Why is pinning more important on mobile devices? A. It uses elliptic curve cryptography. B. It uses less power for pinned certificate requests. C. It reduces network bandwidth usage by combining multiple CA requests into one. D. It allows caching of a known good certificate when roaming to low-trust networks.
D. Pinning is important on mobile devices because they are much more likely to be used on various networks, many of which have much lower trust than their home network.
Data that is labeled "Private" typically pertains to what category? A. Proprietary data B. Confidential information C. Legal data D. Personal information
D. Private data frequently refers to personal data.
What is the name given to the step-by-step instructions on how to implement policies in an organization? A. Standards B. Guidelines C. Regulations D. Procedures
D. Procedures are the step-by-step instructions on how to implement policies in an organization.
Which standard of evidence states the evidence must be convincing or measure up without question? A. Direct evidence B. Competent evidence C. Relevant evidence D. Sufficient evidence
D. Sufficient evidence states the evidence must be convincing or measure up without question. Direct evidence is oral testimony that proves a specific fact (such as an eyewitness's statement). The knowledge of the facts is obtained through the five senses of the witness, with no inferences or presumptions. Competent evidence states the evidence must be legally qualified and reliable. Relevant evidence states the evidence must be material to the case or have a bearing on the matter at hand.
What is the oldest form of cryptography? A. Asymmetric B. Hashing C. Digital signatures D. Symmetric
D. Symmetric is the oldest form of cryptography.
What makes EAP-TLS so hard for an attacker to break? A. The user's key is held by the RADIUS server. B. The encryption keys are escrowed. C. The access point enforces client isolation as part of the protocol. D. The client-side key is needed to break the TLS tunnel.
D. The TLS connection uses a client key, so the attacker would need this key before being able to break the TLS tunnel.
The designated group of personnel who will respond to an incident is called which of the following? A. Incident response red team B. Incident action group C. Cyber-emergency response group D. Cyber-incident response team
D. The designated group of personnel who will respond to an incident is known as the cyber-incident response team.
What does a salt do? A. It tells the algorithm how many digits of primes to use. B. It primes the algorithm by giving it initial noncritical data. C. It adds additional rounds to the cipher. D. It provides additional entropy.
D. The salt adds additional entropy, or randomness, to the encryption key.
What type of plan is implemented when you have an idea of what information you will want to be able to examine and want to ensure the information is logged when it occurs, and if at all possible in a location that prevents alteration? A. System logging plan B. Forensic logging plan C. Investigative logging plan D. Active logging plan
D. When you have an idea of what information you will want to be able to examine, you can make an active logging plan that ensures the information is logged when it occurs, and if at all possible in a location that prevents alteration.
List four Wi-Fi authentication protocols: _________________ _________________ _________________ _____________________
The Wi-Fi authentication protocols listed in the exam objectives include EAP, PEAP, EAP-FAST, EAP-TLS, EAP-TTLS, IEEE 802.1X, and RADIUS.