SY0-410:2 TS Quiz Compliance and Operational Security
Question: What is the process of ensuring the corporate security policies are carried out consistently?
Options:
  social engineering
  auditing
  footprinting
  scanning
Answer: auditing
Explanation: Auditing is the process of ensuring the corporate security policies are carried out consistently. Social engineering is an attack that deceives others to obtain legitimate information about networks and computer systems. Footprinting is the process of identifying the network and its security configuration. Scanning is the process that hackers use to identify how a network is configured.

Question: What is typically part of a company's personnel human resources management policies?
Options:
  information classification
  authentication
  acceptable use
  employee termination
Answer: employee termination
Explanation: Employee termination procedures are typically part of a company's personnel human resources management policies, which also include procedures for dealing with new employees and transferred employees. Classification of information is typically covered by an information policy. A company usually has a minimum of two classifications for information: public and private. Most companies define public information as information that can be revealed to anyone, and proprietary information as information that can only be shared with employees who have signed a non-disclosure agreement. A company's security policy typically contains standard authentication procedures. Acceptable use policies, which indicate the manner in which employees are allowed to use company resources, are part of a company's computer use policy.

Question: What is the purpose of hot and cold aisles?
Options:
  to provide an alternate location for IT services in case of disaster
  to protect against electromagnetic interference (EMI)
  to control airflow in the data center
  to ensure that humidity remains at a certain level
Answer: to control airflow in the data center
Explanation: Hot and cold aisles control airflow in the data center. Using environmental controls, hot air is expelled from equipment cabinets as cold air is pulled into the cabinets. Hot, warm, and cold sites provide an alternate location for IT services in case of disaster. EMI shielding protects against EMI, which can be caused by being in close proximity to other electronic devices. EMI shielding is also implemented to prevent a hacker from capturing network traffic. Humidity controls ensure that humidity remains at a certain level. Temperature controls ensure that temperature remains at a certain level.

Question: You identify a security risk that you do not have in-house skills to address. You decide to procure contract resources. This contractor will be responsible for handling and managing this security risk. Which type of risk response strategy are you demonstrating?
Options:
  avoidance
  acceptance
  mitigation
  transference
Answer: transference
Explanation: You are demonstrating a risk response strategy of transference. Transference involves transferring the risk and its consequences to a third party. The third party is then responsible for owning and managing the risk. You are not demonstrating a risk response strategy of avoidance. Avoidance involves modifying security to eliminate the risk or its impact.

Question: Your organization is concerned that network users are violating software and music piracy policies. You need to ensure that these violations are not happening. Which Internet communication model often results in software piracy?
Options:
  client/server model
  peer-to-peer (P2P) model
  workgroup model
  domain model
Answer: peer-to-peer (P2P) model
Explanation: The peer-to-peer (P2P) communication model can result in organizations being found guilty of software piracy. Recent legislation has been passed that requires organizations to crack down on P2P Internet communication in order to prevent software, music, and video piracy. The client/server model, workgroup model, and domain model are not generally used to violate copyright laws. Internet P2P communication involves a user downloading and installing a P2P application. The user then uses the application to upload the copyrighted software, music, or video to a central server for others to download.

Question: Recently, an employee used the computer assigned to him by your organization to carry out an attack against the organization. You have been asked to collect all system-related evidence. You need to collect the evidence using the order of volatility to preserve the evidence. Move the data types from the left column to the right column, and place them in the correct order of volatility, starting with the MOST volatile at the top. (All components will be used.)
Explanation: Using the order of volatility to preserve the evidence, the evidence should be preserved in the following order:
  Memory (MOST volatile)
  Network processes
  System processes
  Hard drive
  Backup tapes
  DVDs (LEAST volatile)

Question: What are some disadvantages to using a cold site? (Choose all that apply.)
Options:
  expense
  recovery time
  administration time
  testing availability
Answer: recovery time; testing availability
Explanation: Cold sites take a long time to bring online for disaster recovery. They also are not as available for testing as other alternatives. Therefore, recovery time and testing availability are two disadvantages to using a cold site. Cold sites are inexpensive. Cold sites require no daily administration time. Therefore, expense and administration time are two advantages to using a cold site. Cold sites are locations that meet the requirements for power and connectivity only.

Hot sites are expensive. They require a lot of administration time to ensure that the site is ready within the maximum tolerable downtime (MTD). Therefore, expense and administration time are two disadvantages to using a hot site. Another disadvantage of a hot site is that it needs extensive security controls. Hot sites are available within the MTD and are available for testing. Therefore, recovery time and testing availability are two advantages to using a hot site.

Warm sites are less expensive than hot sites, but more expensive than cold sites. The recovery time of a warm site is slower than for a hot site, but faster than for a cold site. Warm sites usually require less administration time because only the telecommunications equipment is maintained, not the computer equipment. Warm sites are easier to test than cold sites, but harder to test than hot sites.

Hot, cold, and warm sites are maintained in facilities that are owned by another company. Hot sites generally contain everything you need to bring your IT facilities up. Warm sites provide some capabilities, including computer systems and media capabilities, in the event of a disaster. Cold sites do not provide any infrastructure to support a company's operations and require the most setup time.

Redundant sites are expensive and require a lot of administration time. Redundant sites are hot sites, but not all hot sites are redundant sites. Redundant sites are usually maintained by a company for itself. Hot sites are maintained by a company for another company. Redundant sites require a small recovery time and are easier to test than the facilities owned by other companies.

Question: The new security plan for your organization states that all data on your servers must be classified to ensure appropriate access controls are implemented. Which statements are true of information classification? (Choose three.)
Options:
  A data owner must determine the information classification of an asset.
  Data classification refers to assigning security labels to information assets.
  A data custodian must determine the classification of an information asset.
  The two primary classes of data classification deal with military institutions and commercial organizations.
  The two primary classes of the data classification scheme apply to nonprofit organizations and financial institutions.
Answer: A data owner must determine the information classification of an asset. Data classification refers to assigning security labels to information assets. The two primary classes of data classification deal with military institutions and commercial organizations.
Explanation: Data classification refers to assigning security labels to information assets. The data owner must determine the information classification of an asset. Data classification is the most crucial method used to ensure data integrity. It is the responsibility of the data owner to decide the level of classification that the information requires. One purpose of information classification is to define the parameters required for security labels. After being classified, it is difficult to declassify data. There are two data classification systems: commercial and military.

The types of commercial data classification are as follows:
  Confidential: Data classified as confidential is meant for use within the organization, irrespective of whether it is commercial or military. This is the only common category between the commercial and military classification systems. Confidential information requires authorization for each access and is available to those employees in the organization whose work relates to the subject. Confidential data is exempted from the Freedom of Information Act (FOIA). Examples include trade secrets, programming code, or health care information. This can also be referred to as high classification.
  Private: Private information is personal to the employees of a company, so it must be protected as well. An example is the salary of employees. This can also be referred to as medium classification.
  Sensitive: Sensitive information requires special protection from unauthorized modification or deletion. In other words, integrity and confidentiality need to be ensured. Examples include financial information, profits, or project details.
  Public: Disclosure of public information would not cause any problem to the company. An example is new project announcements. This can also be referred to as low classification.

The types of military data classification are as follows:
  Top-secret: Information classified as top secret is crucial for national security. Examples include spy satellite information and blueprints to newly developed weapons.
  Secret: Secret information can pose a threat to national security if disclosed. Examples include deployment of troops and nuclear warheads.
  Confidential: Confidential information requires authorization for each access and is available to only those in the military organization whose work relates to the subject.
  Sensitive but unclassified: A military classification for minor secrets, such as medical data and answers to test scores.
  Unclassified: Unclassified information is not sensitive or classified. Examples are computer manuals or warranty details of a product or a device.

Question: Management has asked you to ensure that voltage is kept clean and steady at your facility. Which component is MOST appropriate for this purpose?
Options:
  UPS
  HVAC
  line conditioners
  concentric circle
Answer: line conditioners
Explanation: Fluctuations in voltage supply, such as spikes and surges, can damage electronic circuits and components. A line conditioner ensures a clean and steady voltage supply by filtering the incoming power and eliminating fluctuations and interference.

An uninterruptible power supply (UPS) provides clean distribution of power. The UPS provides a backup power supply. A UPS can also provide surge suppression, but can only protect those items connected to it. In addition, the protection provided is very limited. For voltage issues with the primary power supply, you should use voltage regulators or line conditioners.

The heating, ventilation, and air conditioning (HVAC) system is installed in a building to regulate temperature. This includes air conditioning plants, chillers, ducts, and heating systems. HVAC is also referred to as climate control. It is important to note that HVAC has no role in regulating voltage. HVAC should maintain a humidity level of 40 to 60 percent in the air. High humidity can cause either condensation on computer parts or corrosion on electric connections. A low humidity level can cause static electricity that can damage the electronic components of computer equipment. Static electricity can also be reduced using anti-static sprays and anti-static flooring. HVAC systems help ensure availability by maintaining a proper environment.

The concentric circle approach defines a circular security zone and determines physical access control. The zone should be secured by fences, badges, mantraps, guards, dogs, and access control systems, such as biometric identification systems. Concentric circle is a layered defense architecture and does not deal with electric power.

Question: Which type of analysis involves comparing the cost of implementing a safeguard to the impact of a possible threat?
Options:
  risk analysis
  threat analysis
  exposure analysis
  vulnerability analysis
Answer: risk analysis
Explanation: Risk analysis is the process of identifying information assets and their associated threats, vulnerabilities, and potential risks, and justifying the cost of countermeasures deployed to mitigate the loss. Risk analysis presents a cost-benefit analysis of deploying countermeasures. Risk analysis is part of the disaster recovery plan. Risk analysis also measures the amount of loss that an organization can potentially incur if an asset is exposed to loss. It is important to note that risk analysis is focused on a cost-benefit analysis of countermeasures, and not on the selection of countermeasures.

The following are the four major objectives of a risk analysis, in order of execution:
  To identify all existing assets and estimate their monetary value.
  To identify vulnerabilities and threats to information assets. A vulnerability is a weakness in the system, software, hardware, or procedure. A threat agent, leading to a risk of loss potential, can exploit this weakness. A virus is an example of a threat agent, and the possibility of a virus infecting a system is an example of a threat.
  To quantify the possibility of threats and measure their impact on business operations.
  To provide a balance between the cost of impact of a threat and the cost of implementing the safeguard measures to mitigate the impact of threats.

A threat and vulnerability analysis involves identifying and quantifying the possible threats and vulnerabilities in the system that a threat agent can exploit. Identifying threats and vulnerabilities is an objective of risk analysis and is a part of risk analysis. There is no term named exposure analysis. Therefore, this option is invalid. An exposure factor refers to the percentage or portion of the asset that incurs a loss when exposed to a threat.

Question: As a consultant, you have created a new security structure for a company that requires that passwords be issued to all employees. The company's IT department has made several password distribution recommendations. Which method is the most secure?
Options:
  Instruct users to send a password request via an e-mail message.
  Send an e-mail message to each user that contains the user's password.
  Instruct users to report to the IT department with proper identification for password setup.
  Issue the same password to all users. Upon initial logon, force the users to change their passwords.
Answer: Instruct users to report to the IT department with proper identification for password setup.
Explanation: You should instruct users to report to the IT department with proper identification for password setup. This will ensure that users access the appropriate account to create a user password. Instructing the users to send a password request via an e-mail message is not secure. E-mail messages are not encrypted. Therefore, anyone can intercept e-mail messages. Sending an e-mail message to each user that contains the user's password is not secure because e-mail messages can be intercepted. Issuing the same password to all users and forcing the users to change their passwords upon initial logon is not secure. Initially, any user would be able to access another user's account, especially if you use a common naming scheme for the user accounts. Anyone could access another user's account, change the password, and access all of the other user's data.

Question: What does an incremental backup do?
Options:
  It backs up all files.
  It backs up all files in a compressed format.
  It backs up all new files and any files that have changed since the last full or incremental backup, and resets the archive bit.
  It backs up all new files and any files that have changed since the last full backup without resetting the archive bit.
Answer: It backs up all new files and any files that have changed since the last full or incremental backup, and resets the archive bit.
Explanation: An incremental backup backs up all new files and files that have changed since the last full or incremental backup, and also resets the archive bit. When restoring the data, the full backup must be restored first, followed by each incremental backup in order. Incremental backups build on each other; for example, the second incremental backup contains all of the changes made since the first incremental backup.

A full backup backs up all files every time it runs. Because of the amount of data that is backed up, full backups can take a long time to complete. A full backup is used as the baseline for any backup strategy and is most appropriate when using offsite archiving. A compressed full backup backs up all files in compressed format.

A differential backup backs up all new files and files that have changed since the last full backup without resetting the archive bit. When restoring the data, the full backup must be restored first, followed by the most recent differential backup. Differential backups are not dependent on each other. For example, each differential backup contains the changes made since the last full backup. Therefore, differential backups can take a significantly longer time than incremental backups.

A continuous backup system is one that performs backups on a regular basis to ensure that data can be restored to a particular point in time. SQL Server is an application that provides this feature. If a continuous backup plan is not used, any data changes that occurred since the last backup must be recreated after the restore is completed. Working copies are used to store data that consists of partial or full backups that are stored at the computer center for immediate recovery purposes, if necessary.

Question: Which RAID level requires at least three hard disks and writes both parity and data across all disks in the array?
Options:
  Level 0
  Level 1
  Level 3
  Level 5
Answer: Level 5
Explanation: Redundant Array of Independent Disks (RAID) Level 5, which provides disk striping with parity across multiple disks, writes both parity and data across all disks in the array. The parity information is stored on a drive separate from its data so that in the event of a single drive failure, information on the functioning disks can be used to reconstruct the data from the failed disk. RAID Level 5 requires at least three hard disks but typically uses five to seven disks. The maximum number of disks supported is 32.

RAID Level 0 is known as disk striping. This RAID level stripes data across the drives to improve disk read/write efficiency. However, this RAID level does not provide redundancy. If any drive in the array fails, the data is lost.

RAID Level 1 is known as disk mirroring or disk duplexing. Disk mirroring occurs when two disks are configured in a mirror. Any data written to disk one is also written to disk two. Disk duplexing also involves the use of an additional hard drive controller. If either drive fails, the data can be retrieved from the remaining drive.

RAID Level 3 is byte-level striping with parity. RAID Level 3 is similar to RAID Level 5, except RAID Level 3 has a dedicated parity drive. In RAID Level 5, parity data exists on all disks in the array. The primary concern of RAID is availability.

Question: During which step of incident response does root cause analysis occur?
Options:
  Prepare
  Detect
  Contain
  Remediate
  Resolve
  Review and Close
Answer: Review and Close
Explanation: You should perform root cause analysis during the review and close step. This is the final step in incident response. There are six steps in incident response:
  Prepare - Ensure that the organization is ready for an incident by documenting and adopting formal incident response procedures.
  Detect - Analyze events to identify an incident or data breach. If the first responder is not the person responsible for detecting the incident, the person who detects the incident should notify the first responder.
  Contain - Stop the incident as it occurs and preserve all evidence. Notify personnel of the incident. Escalate the incident if necessary. Containing the incident involves isolating the system or device by either quarantine or device removal. This step also involves ensuring that data loss is minimized by using the appropriate data and loss control procedures.
  Remediate - Fix the system or device that is affected by the incident. Formal recovery/reconstitution procedures should be documented and followed during this step of incident response.
  Resolve - Ensure that the system or device is repaired. Return the system or device to production.
  Review and close - Perform a root cause analysis, and document any lessons learned. Report the incident resolution to the appropriate personnel.
During the preparation step of incident response, you may identify incidents that you can prevent or mitigate. Taking the appropriate prevention or mitigation steps is vital to ensure that your organization will not waste valuable time and resources on the incident later.

Question: Your company has recently implemented several physical access controls to increase the security of the company's data processing center. The physical access controls that were implemented include surveillance devices, fences, closed-circuit television (CCTV), locks, and passwords. Which statement is true of these controls?
Options:
  Surveillance devices offer more protection than fences in the facility.
  Passwords provide the best form of physical access control in a facility.
  The CCTVs in physical access control do not need a recording capability.
  Only combination locks are part of the physical access control systems.
Answer: Surveillance devices offer more protection than fences in the facility.
Explanation: Surveillance devices offer more protection than fences in the facility because they actually record activity for traffic areas. This provides a mechanism whereby tapes can be replayed to investigate security breaches. Passwords do NOT provide the best form of physical access facility control.

Closed-circuit televisions (CCTVs) should always have a recording capability. CCTV is a detective security control. CCTV or video surveillance is the most reliable proof that a data center was accessed at a certain time of day. CCTVs should be implemented in any section of your organization's facilities where valuable assets are kept. The CCTV will record all activity and will provide video proof of any theft that occurs. However, you must ensure that the recording is configured properly to back up its data before overwriting. Most CCTVs have a maximum amount of storage space. CCTVs cannot be used in situations where mobile devices are allowed to be carried off the premises.

All types of locks are part of the physical access control systems. The physical access controls can include the following as security measures:
  guards to protect the perimeter of the facility
  fences around the facility to prevent unauthorized access by intruders
  badges for the employees for easy identification
  locks (combination, cipher, mechanical, and others) within the facility to deter intruders
  surveillance devices, such as CCTVs, to continuously monitor the facility for suspicious activity and record each activity for future use
It is important to note that though passwords are a commonly used way of protecting data and information systems, they are not a part of the physical access controls in a facility. Passwords are a part of the user authentication mechanism.

Question: Which two suppression methods are recommended when paper, laminates, and wooden furniture are the elements of a fire in the facility? (Choose two.)
Options:
  Halon
  Water
  Soda acid
  Dry powder
Answer: Water; Soda acid
Explanation: Water or soda acid should be used to suppress a fire that has wood products, laminates, and paper as its elements. The suppression method should be based on the type of fire in the facility. The suppression substance should interfere with the elements of the fire. For example, soda acid removes the fuel while water reduces the temperature. Water or soda acid is used to extinguish class A fires.

Electrical wiring and distribution boxes are the most probable cause of fires in data centers. Class C fire suppression agents, such as halon or carbon dioxide, are used when the fire involves electrical equipment and wires. They can also be used to suppress Class B fires that include liquids, such as petroleum products and coolants. The production of halon gas was banned by the Montreal Protocol in 1987. Halon causes damage to the ozone layer and is harmful to humans. The treaty requires vendors who already have halon extinguishers to get the extinguishers refilled with replacements, such as FM-200, approved by the Environmental Protection Agency (EPA). Carbon dioxide, also used to extinguish class B and C fires, eliminates oxygen. Carbon dioxide is harmful to humans and should be used only in unattended facilities.

Dry powder is a suppression method for a fire that has magnesium, sodium, and potassium as its elements. Dry powder extinguishes class D fires. Although dry powder can also suppress Class B and C fires, companies commonly use other forms of suppression for Class B and C fires. The only suppression method for combustible metals is dry powder.

Question: What protects data on computer networks from loss due to power outages?
Options:
  an air conditioner
  a door lock
  a sprinkler
  a UPS
Answer: a UPS
Explanation: An uninterruptible power supply (UPS) protects data on computer networks from loss due to power outages. A UPS contains a battery that keeps a computer running during a power sag or power outage. A UPS gives a user time to save any unsaved data when a power outage occurs. Computers operate in a relatively narrow temperature range, which requires climate conditioning from heating and air conditioning systems. A door lock is a physical security measure that can protect a data center and other computer equipment from hackers. A sprinkler is a fire suppression system that is required in most office buildings. A sprinkler sprays water, which is damaging to computer equipment, so companies should consider installing non-water fire suppression systems to protect computers in a data center from fire and water.

Question: Which procedure is an example of an operational control?
Options:
  a backup control
  a business continuity plan
  a database management system
  identification and authentication
Answer: a backup control
Explanation: Backup controls, software testing, and anti-virus management are components of operational software controls. Operational software controls check whether the software is compromising security. Trusted recovery procedures, audit trails, clipping levels, operational and life-cycle assurance, configuration management, and media and system controls are all examples of operational controls. A business continuity plan refers to the procedures undertaken for dealing with long-term unavailability of business processes. Business continuity planning differs from disaster recovery. Disaster recovery aims at minimizing the impact of a disaster. A database management system (DBMS) is a collection of software that manages and processes large amounts of data stored in a structured format. A DBMS is an example of an application control and not an operational control. Identification and authentication of employees are examples of technical controls that are defined under the security administration control.

Question: What is a physical barrier that acts as the first line of defense against an intruder?
Options:
  a lock
  a fence
  a turnstile
  a mantrap
  a bollard
Answer: a fence
Explanation: Fencing acts as the first line of defense against casual trespassers and potential intruders, but fencing should be complemented with other physical security controls, such as guards and dogs, to maintain the security of the facility. A fence height of 6 to 7 feet is considered ideal for preventing intruders from climbing over the fence. In addition to being a barrier to trespassers, the fence can also control crowds. A fence height of 3 to 4 feet acts as a protection against casual trespassers. For critical areas, the fence should be at least 8 feet high with three strands of barbed wire.

Locks are an example of physical security controls. An organization can use locks to prevent unauthorized access or to induce a delay in the process of a security breach. Locks should be used in combination with other security controls to guard the facility infrastructure and its critical resources. Locks usually do not serve as the first line of defense against intruders.

Turnstiles and mantraps do not serve as the first line of defense against an intruder. A turnstile is a type of gate that allows movement in a single direction at a time. A mantrap refers to a set of double doors usually monitored by a security guard. A mantrap can protect against tailgating. A bollard is a short post or pillar that blocks vehicles from driving into a particular area.

Physical security controls include the following:
  Hardware locks
  Mantraps
  Video surveillance (CCTV)
  Fencing
  Proximity readers
  Access lists
  Proper lighting
  Signs
  Guards
  Barricades
  Biometrics
  Protected distribution for cabling
  Alarms
  Motion detectors

Question: Which option is an example of antivirus software running with old antivirus definitions?
Options:
  a risk
  a threat
  an exposure
  a vulnerability
Answer: a vulnerability
Explanation: Antivirus software without the latest antivirus definitions is an example of a vulnerability. A vulnerability is defined as a flaw, loophole, or weakness in the system, software, or hardware. A vulnerability can be exploited by a threat agent and can lead to a potential risk of loss. Risk is defined as the likelihood of occurrence of a threat and the corresponding loss potential. Risk is the probability of a threat agent exploiting a vulnerability. The component that exploits a vulnerability is referred to as a threat agent. A virus is an example of a threat agent. An exposure factor refers to the percentage or portion of an asset that is lost or destroyed when exposed to a threat. A threat vector is a path or a tool that a threat agent uses to attack the target. A threat and vulnerability analysis involves identifying and quantifying the possible threats and vulnerabilities in the system that can be exploited by a threat agent. Identifying threats and vulnerabilities through vulnerability analysis is an objective of risk analysis and is a part of risk management. Vulnerability analysis provides either a qualitative or a quantitative analysis of the vulnerabilities and threats.

Question: You are the security administrator for your company. You identify a security risk. You decide to continue with the current security plan. However, you develop a contingency plan for if the security risk occurs. Which type of risk response strategy are you demonstrating?
Options:
  avoidance
  acceptance
  mitigation
  transference
Answer: acceptance
Explanation: You are demonstrating a risk response strategy of acceptance. Acceptance involves accepting the risk and leaving the security plan unchanged. Examples of acceptance would include taking no action at all or leaving the plan unchanged and developing a contingency or fallback plan. You are not demonstrating a risk response strategy of avoidance. Avoidance involves modifying the security plan to eliminate the risk or its impact. Examples of avoidance would include limiting the scope of security, adding security resources to eliminate the risk, or removing resources from a resource to eliminate the risk. You are not demonstrating a risk response strategy of transference. Transference involves transferring the risk and its consequences to a third party. The third party is then responsible for owning and managing the risk. Purchasing insurance is an example of transference. You are not demonstrating a risk response strategy of mitigation. Mitigation involves reducing the probability or impact of a risk to an acceptable risk threshold. Examples of mitigation would include taking actions to minimize the probability of a risk.

"You administer a small corporate network. On Friday evening, after close of business, you performed a full backup of the hard disk of one of the company's servers. On Monday evening, you performed a differential backup of the same server's hard disk, and on Tuesday, Wednesday, and Thursday evenings you performed incremental backups of the server's hard disk. Which files are recorded in the backup that you performed on Thursday? all of the files on the hard disk all of the files on the hard disk that were changed or created since the differential backup on Monday all of the files on the hard disk that were changed or created since the incremental backup on Tuesday all of the files on the hard disk that were changed or created since the incremental backup on Wednesday "
" Answer: all of the files on the hard disk that were changed or created since the incremental backup on Wednesday Explanation: On Thursday, you performed an incremental backup of the hard disk. An incremental backup backs up files that have been created or changed since the immediately preceding backup, regardless of whether the preceding backup was a full backup, a differential backup, or an incremental backup. You performed a backup on Wednesday, so the incremental backup you performed on Thursday backed up all of the files on the hard disk that were changed or created since the backup on Wednesday. Keep in mind that many organizations today also implement an off-site backup plan to ensure that the data backups are retained at an alternate location. This ensures that backups can be retrieved even if the primary storage location is destroyed or inaccessible. Off-site backup is a way to ensure data retention. One way to minimize the amount of downtime in case of disaster is to make the off-site backup location also act as the organization's hot site. Backup plans and policies should include the backup execution method and backup frequency. The execution method details what type of backup occurs (full, differential, and so on) and the type of media (tape, CD, DVD, and so on), and the backup frequency details how often the backup occurs (hourly, daily, weekly, and so on). Any off-site backup plans should also detail the method and frequency of the off-site backup replacements. "
"Which principle stipulates that multiple changes to a computer system should NOT be made at the same time? due diligence due care change management acceptable use "
" Answer: change management Explanation: Change management stipulates that multiple changes to a computer system should NOT be made at the same time. This makes tracking any problems that can occur much simpler. Change management includes the following rules: Distinguish between your system types. Document your change process. Develop your changes based on the current configuration. Always test your changes. Do NOT make more than one change at a time. Document your fallback plan. Assign a person who is responsible for change management. Regularly report on the status of change management. All changes made to your network and computers should be documented in the change management system. An appropriate change management system can help to prevent against ad-hoc configuration mistakes. Due diligence is the investigation of a business, person, or act prior to signing a contract or committing the act. Due care is the normal care that a reasonable entity would exercise over that entity's property. As part of due care, an organization is responsible for implementing policies and procedures to prevent data loss or theft. Acceptable use is employee or customer usage of company resources that is allowed and defined in a contractually binding document, referred to as an acceptable use policy. Incident management is a facet of risk management that is similar to change management. Incident management refers to the activities of an organization to identify, analyze, and correct risks as they are identified. "
"Recently, corporate data that was sent over the Internet has been intercepted and read by hackers. This has resulted in a loss of reputation with your customers. You have been asked to implement policies that will protect against these attacks. Which two security tenets are primarily affected by these attacks? confidentiality and availability integrity and availability confidentiality and integrity integrity and authenticity "
" Answer: confidentiality and integrity Explanation: Sending data across an insecure network, such as the Internet, affects confidentiality and integrity. It is the responsibility of the sender to ensure that proper security controls are in place. For example, the sender of an e-mail message is responsible for encryption if security is desired. Confidentiality and integrity should be implemented to ensure the accuracy of the data and its accessibility to authorized personnel. Data transmission across an insecure network does not affect the availability or authenticity of data. Confidentiality, integrity, and availability are the three core security objectives for the protection of the information assets of an organization. These three objectives are also referred to as the CIA triad. Most computer attacks result in the violation of the CIA triad. Confidentiality is the minimum level of secrecy that is maintained to protect sensitive information from unauthorized disclosure. Confidentiality can be implemented through encryption, access control, data classification, steganography, and security awareness. Maintaining the confidentiality of information protects an organization from attacks, such as shoulder surfing and social engineering, which can lead to disclosure of confidential information and disrupt business operations. Lack of sufficient security controls to maintain confidentiality leads to the disclosure of information. Integrity ensures the following conditions: The data is accurate and reliable. The data and the system are protected from unauthorized alteration. Attacks and user mistakes do not affect the integrity of the data and the system. Ensuring the integrity of information implies that the information is protected from unauthorized modification and that the contents have not been altered."
"Which disk systems protect against data loss if a single drive fails? (Choose all that apply.) disk striping disk mirroring disk striping with parity failure resistant disk system (FRDS) "
" Answer: disk mirroring disk striping with parity failure resistant disk system (FRDS) Explanation: Disk mirroring, disk striping with parity, and failure resistant disk system (FRDS) protect against data loss if a single drive fails. Disk mirroring provides a duplicate copy of the data on the mirrored hard drive. Disk striping with parity rebuilds the lost data using the parity information in the event a single drive in the array fails. FRDS is used primarily in file servers and is similar to RAID. Disk striping does not protect against data loss if a single drive fails. If a drive in a disk striping volume fails, the data is lost."
"Which RAID level provides only performance enhancements and does not provide fault tolerance? disk striping disk mirroring RAID 3 RAID 5 clustering "
" Answer: disk striping Explanation: Disk striping provides only performance enhancements and does not provide fault tolerance. RAID 0 is known as disk striping. Data is striped over the number of hard drives in the array. If a single drive fails, the entire array cannot be used. Disk mirroring provides fault tolerance. RAID 1 is known as disk mirroring. Data is written to the first drive and immediately copied to the second drive. If a single drive fails, the data is available from the other drive. When implemented with multiple hard drive controller cards, it is known as duplexing. Duplexing provides fault tolerance for both the hard drives and the controller card. This is a method of hardware fault tolerance. RAID 3 provides fault tolerance. RAID 3 is known as byte-level striping with parity. Data is striped over all of the hard drives in the array, except one. One hard drive is reserved for parity data. If a single drive fails, the data on it can be rebuilt using the parity information. This RAID level is not commonly used today. RAID 5 provides fault tolerance. RAID 5 is known as block-level disk striping with parity. Data is striped over all of the hard drives in the array; parity data is written to all of the drives. If a single drive fails, the data on it can be rebuilt using the information from the other drives. This is one of the most popular RAID versions. Clustering is not a RAID level. Clustering is a server technology that distributes processing across multiple servers. Logically, a server cluster appears as one server to a client computer. Clustering is similar to redundant servers. However, with redundant servers only one server actually processes requests. The other server acts as a backup in the event the main server fails. RAID 2 is another striping level that stripes data at the bit level instead of the block level. It is not commonly used today. RAID 4 is block-level striping with parity. Data is striped over all of the hard drives in the array, except one. One hard drive is reserved for parity data. If a single drive fails, the data on it can be rebuilt using the parity information. This level is more widely used than RAID 3 because it stripes data at the block level rather than at the bit level. RAID 6 is the same as RAID 5 except that it provides a second parity set. Data is striped over all of the hard drives in the array; two sets of parity data are written to all of the drives as well. RAID 7 is a proprietary RAID level that adds caching to RAID 3 or RAID 4. RAID 10 is a stripe of mirrors. Multiple mirrors are created, and data is striped across these mirrors. For example, the first piece of data is written to the first drive of the first mirror. Then it is copied to the second drive of the first mirror. This RAID level will support multiple drive failures. RAID 0+1 is a mirror of stripes. Two striped sets are created, and the set is mirrored. For example, the first piece of data is written to the first striped set. Then it is copied to the second striped set. This RAID level will support multiple drive failures. RAID can be implemented using hardware or software. Hardware RAID uses dedicated hardware, such as a RAID controller card, to control the RAID. Software RAID uses software, usually the operating system, to control the RAID. Software RAID is cheaper and easier to configure, but it does not provide the performance enhancements and reliability that hardware RAID does. Software RAID can only be implemented on RAID 0, 1, and 5. Hardware RAID can be implemented on all RAID levels, except RAID 1 duplexing. In today's RAID implementations, most of the drives are hot swappable, meaning they can be removed and reinserted while the computer is operational."
"All of the following are security risks associated with cloud computing, EXCEPT: false positives regulatory compliance data location data recovery "
" Answer: false positives Explanation: False positives are NOT security risks associated with cloud computing. False positive is a risk management term that refers to when you mistakenly identify something as a security vulnerability. Often spam filters have false positives when a legitimate e-mail message is tagged as spam. False negatives are the direct opposite of false positives and occur when you mistakenly do NOT identify a valid security vulnerability. False positives are less detrimental than false negatives. Cloud computing, also referred to as a provider cloud, facilitates computing for heavily utilized systems and networks. The following security risks should be examined when considering using cloud computing: Regulatory compliance - Consider how the cloud provider will comply with the federal, state, and local regulations that apply to your organization. Data location - Consider where your data will be physically stored. Data recovery - Consider what happens to your data in case of disaster. Investigative support - Consider how security breaches will be investigated. Long-term viability - Consider whether the cloud provider would ever close or sell to a larger entity. Data segregation - Consider that your organization's data can reside in the same physical space as a competitor's. Privileged user access - Consider who from the provider has access to your data. However, the incorrect reporting from false positives can result in significant administrative overhead. "
"Which two alternate data center facilities are the easiest to test? (Choose two.) hot site warm site cold site redundant site "
" Answer: hot site redundant site Explanation: The hot site and the redundant site are the easiest to test because they both contain all of the alternate computer and telecommunication equipment needed in a disaster. Usually, testing either of these environments is as simple as switching over to them after ensuring they contain the latest versions of your data. A warm site is harder to test than a hot site or a redundant site, but easier to test than a cold site. It only contains telecommunications equipment. Therefore, to properly test disaster recovery procedures at the warm site, alternate computer equipment such as servers would need to be set up and configured. A cold site is the hardest to test. It only includes a basic room with raised flooring, electrical wiring, air conditioning, and telecommunications lines. To properly test disaster recovery procedures at the cold site, alternate telecommunications and computer equipment would need to be set up and configured. Hot sites and redundant sites are usually the most expensive to implement. Warm sites are less expensive than hot sites but more expensive than cold sites. Cold sites are the least expensive to implement. "
"Your company has recently adopted a new security policy that states that all confidential e-mails must be signed using a digital signature. Which three elements are provided by implementation of this technology? (Choose three.) integrity availability encryption authentication non-repudiation "
" Answer: integrity authentication non-repudiation Explanation: A digital signature provides integrity, authentication, and non-repudiation in electronic mail. The public key of the signer is used to verify a digital signature. Non-repudiation ensures that the sender cannot deny the previous actions or message. Integrity involves providing assurance that a message was not modified during transmission. Authentication is the process of verifying that the sender is who he says he is. Digital signatures do not provide encryption and cannot ensure availability. A digital signature is a hash value that is encrypted with the sender's private key. For example, a file on Windows 98 that has been digitally signed indicates that the file has passed quality testing by Microsoft. The message is digitally signed. Therefore, it provides authentication, non-repudiation, and integrity. If a recipient wants to verify a digital signature, the public key of the signer must be used in conjunction with the hash value. Digital Signature Standard (DSS) defines digital signatures. It provides integrity and authentication. It is not a symmetric key algorithm. A digital signature cannot be spoofed. Therefore, attacks, such as man-in-the-middle attacks, cannot harm the integrity of the message. Microsoft uses digital signing to ensure the integrity of driver files."
"You are the incident investigator for your organization performing a routine incident investigation. The next step you must perform is network analysis. Which of the following examples is considered this type of analysis? reverse engineering content analysis disk imaging log analysis "
" Answer: log analysis Explanation: Log analysis is an example of a network analysis. Network analysis includes communications analysis, log analysis, and path tracing. The other options are not examples of network analysis. Reverse engineering is an example of software analysis. Other examples of software analysis include malicious code review and exploit review. Content analysis and disk imaging are examples of media analysis. Other examples of media analysis include modify, access, create (MAC) time analysis, slack space analysis, and steganography. "
"Which events should be considered as part of the business continuity plan? (Choose all that apply.) natural disaster hardware failure non-emergency server relocation employee resignation "
" Answer: natural disaster hardware failure Explanation: As part of the business continuity plan, natural disasters should be considered. Natural disasters include tornadoes, floods, hurricanes, and earthquakes. Continuity of operations should be a primary consideration when developing the business continuity plan. Hardware failure should also be considered. This hardware failure can be limited to a single computer component, but can include network link or communications line failures. The majority of the unplanned downtime experienced by a company is usually due to hardware failure. A business continuity plan is created to ensure that policies are in place to deal with long-term outages and disasters to sustain operations. Its primary goal is to ensure that the company maintains its long-term business goals both during and after the disruption, and it mainly focuses on the continuity of the data, telecommunications, and information systems infrastructures. The business continuity plan should only include those events that interrupt services. Normally, server relocation is planned in such a way as to ensure either no interruption or minimal interruption of services. As such, it is usually not part of the business continuity plan. Employee resignation, even resignation of a high-level IT manager, should not be considered part of the business continuity plan. Employee resignation is a normal part of doing business. However, employee strikes and the actions of disgruntled employees should be considered as part of the business continuity plan. When a disaster occurs, emergency actions should be taken to prevent injuries and loss of life. You should attempt to diminish damage to corporate function to avoid the need for recovery. "
"Which component of a computer use policy should state that the data stored on a company computer is not guaranteed to remain confidential? computer ownership information ownership acceptable use no expectation of privacy "
" Answer: no expectation of privacy Explanation: A no expectation of privacy policy is the component of a computer use policy that should indicate that data stored on a company computer is not guaranteed to remain confidential. A no expectation of privacy policy should also state that data transferred to and from a company network is not guaranteed to remain confidential. A company's privacy policy should be reviewed by the security administrator to determine what data is allowed to be collected from users of the corporate Internet-facing Web application. Computer ownership is a component of a computer use policy that indicates that computers are owned by the company and should be used only for company purposes. Information ownership is a component of a computer use policy that states that all information stored on company computers is owned by the company. Acceptable use is a computer use policy that states the conditions under which company computers should be used. Often security administrators must advise a company on implementing the appropriate security policies to ensure that corporate assets and data are protected. For example, a security policy preventing the use of portable flash drives and personal music devices may be necessary to reduce the risk of data leakage. "
"You assessed the physical security of your company's data processing center. As part of this assessment, you documented all of the locks on both internal and external doors. You have identified several traditional door locks that you want to replace with digital locks. To support the need for this upgrade, you want to identify methods whereby traditional locks can be circumvented. Which methods involve circumventing a lock for intrusion? (Choose all that apply.) raking shimming spamming SYN flood "
" Answer: raking shimming Explanation: Both raking and shimming are techniques to circumvent locks. Raking is a technique used by intruders to circumvent a lock. For example, a pick is used to circumvent a pin tumbler lock. Shimming is a technique in which an authorized user disassembles a lock without the use of an operating key. Spamming involves sending a large number of unsolicited commercial e-mails to unsuspecting clients. Spamming floods the mailbox of a user and overloads a network, which adversely affects the performance of the network. A SYN flood is an example of a network-based attack. In a SYN flood attack, the attacker repeatedly sends synchronization (SYN) packets from spoofed IP addresses to the victim's host computer. The victim's host computer responds with valid synchronization acknowledgement (SYN-ACK) packets and keeps waiting for the acknowledgement (ACK) packet to establish the TCP three-way handshake for data transfer. In the absence of the ACK packets from the malicious computer, the victim's host computer continues to respond to each connection attempt from the hostile computer. This results in denial of service to legitimate hosts because of resource exhaustion. Locks are safety controls that can be used to increase physical security. Other safety controls include fencing, lighting, closed-circuit television (CCTV), and testing controls. As part of any safety measures you implement, you should prepare escape plans with mapped escape routes for all building occupants. These escape plans and routes should be posted prominently throughout the building. In addition, your company should periodically perform escape drills to ensure that personnel know how to vacate the building properly. "
"What concept is being illustrated when user accounts are created by one employee and user permissions are configured by another employee? collusion two-man control separation of duties rotation of duties "
" Answer: separation of duties Explanation: Separation of duties is employed when user accounts are created by one employee and user permissions are configured by another employee. An administrator who is responsible for creating a user account should not have the authorization to configure the permissions associated with the account. Therefore, duties should be separated. Separation of duties requires more than one individual to accomplish a critical task. Separation of duties ensures that no individual can compromise a system, and it is considered valuable in deterring fraud. Separation of duties can be either static or dynamic. Static separation of duties refers to the assignment of individuals to roles and the allocation of transactions to roles. In static separation of duties, an individual can be either an initiator of the transaction or the authorizer of the transaction. In dynamic separation of duties, an individual can initiate as well as authorize transactions. Collusion is the involvement of more than one person in fraudulent activity. Separation of duties drastically reduces the chances of collusion and helps prevent fraud. A two-man control implies that two operators review and approve each other's work. A two-man control acts as a crosscheck and reduces the chances of fraud, minimizing the risks associated with operations involving highly sensitive information. Rotation of duties, or job rotation, implies the ability of an employee to carry out the tasks of another employee within the organization. In an environment using job rotation, an individual can perform the tasks of more than one role in the organization. This maintains a check on other employees' activities, provides a backup resource, and acts as a deterrent for possible fraud. "
"As the security administrator for your company, you are primarily concerned with protecting corporate assets. Currently, you are working to ensure confidentiality for corporate data. Which activity is NOT covered under this objective? treason dumpster diving shoulder surfing social engineering "
" Answer: treason Explanation: Treason or subversion is not an activity that amounts to a breach of confidentiality. Therefore, treason cannot be defined in the confidentiality objective of the confidentiality, integrity, and availability (CIA) triad. Treason or subversion refers to an attempt to destroy an authorized governing body. Treason is the crime of disloyalty to one's nation or state. Confidentiality is the minimum level of secrecy maintained to protect sensitive information from unauthorized disclosure. All of the other options affect the confidentiality objective of the CIA triad. Dumpster diving refers to searching the garbage collection area or dustbin to look for non-shredded confidential documents. Dumpster diving can reveal confidential information to individuals that affects its integrity. For example, non-shredded printouts containing project details can be found by unauthorized persons. Shoulder surfing refers to examining someone's computer from behind to steal confidential information, such as user passwords or information related to business. Such information can be used to break into the network or the system and can affect the confidentiality and integrity of the information assets of the organization. Social engineering refers to tricking someone into sharing classified information by pretending to be an authorized person. Social engineering is used to discover confidential information, such as system passwords, which are later used by the intruder to gain unauthorized access either to the system or to the network. "
"You must deploy the appropriate control to a section of the network shown in the exhibit. Because of budget constraints, you can only deploy one of each of the following controls: Proximity badges Device encryption Safe CCTV You need to deploy each of these controls on a single section of the diagram. The controls may be used to protect either the entire section or a single component within that section. "
" The proximity badges will control access to the data center and limit access to approved employees. The safe will provide a location in the office to store the laptops and tablets when they are not in use. The CCTV will provide a means to monitor activity in the customer wireless network lounge. Device encryption will ensure that the data on the laptops cannot be accessed by attackers while the sales reps are in the field. Always consider the types of controls and the numbers of each control that are required when deploying them on your network. In this scenario, you were limited to four controls. In the real world, it would be better to implement proximity badges for both the office and the data center to ensure that only employees have access to these areas. However, if you can only deploy them in one location, protecting the data center is more important. A safe could be appropriately deployed in either the data center or the office. In the real world, it would be ideal to use CCTV in the data center, the office, and the customer wireless network lounge. While you can deploy device encryption for all devices, it is most important to deploy it for any devices that are regularly used outside the organization's network, such as mobile laptops. "
"Which three statements regarding an audit trail are NOT true? (Choose three.) An audit trail is a preventive control. An audit trail assists in intrusion detection. An audit trail does not record successful login attempts. An audit trail establishes accountability for access control. An audit trail is reviewed only when an intrusion is detected. "
"Answer: An audit trail is a preventive control. An audit trail does not record successful login attempts. An audit trail is reviewed only when an intrusion is detected. Explanation: An audit trail is not a preventive control. It is a detective control that maintains a sequential record of the system activities and the system resource usage. An audit trail records a lot of useful information, such as successful and unsuccessful login attempts, user identification, password usage, and resources accessed by a user over a span of time. Audit trails can also provide information about events related to the operating system and the application. Audit trail records are usually reviewed before an intrusion has been detected and contained. Before the affected system is reinstalled and production restarted, audit trail records enable you to track the source of the intrusion, understand the type of attack, and identify any loophole that can result in a potential security breach in the future. The main purpose of audit logs and trails is to establish individual accountability and responsibility. Access to audit logs and trails should be tightly controlled. In addition, the data recorded in an audit log must be strictly controlled. Separation of duties must be enforced to ensure that personnel who administer the access control function and personnel who administer the audit trail are two different people. A security administrator should periodically review audit trails to detect any suspicious activity or a performance bottleneck in the infrastructure resources. An administrator can select certain critical events and log them for review. The administrator can later use the events for analysis. Instead of manually reviewing a large amount of audit trail data, applications and audit trail analysis tools can be used to reduce the volume of audit logs and to improve the efficiency of the review process. Such analysis tools can be used to provide information about specific events in a useful format and in sufficient detail. "
"When calculating risks by using the quantitative method, what is the result of multiplying the asset values by the exposure factor (EF)? risk elimination ACV SLE ALE "
"Answer: SLE Explanation: The result of multiplying the asset values by the exposure factor (EF) is the single loss expectancy (SLE) value. SLE refers to the quantitative amount of loss incurred by a single event when a threat takes place. The formula for calculating SLE is: SLE = asset value x EF EF is defined as the percentage of the expected loss when an event occurs. For example, a virus hits five computer systems out of 100 before it is prevented by the safeguard from further infecting the other 95 computers, resulting in a loss of five percent of the computers. If the asset value of 100 computers is $10,000, then the exposure factor will be $500, which is five percent of the total asset value. Annualized loss expectancy (ALE) refers to the loss potential of an asset for a single year. ALE is calculated by multiplying the SLE value by the annualized rate of occurrence (ARO) of an event. ARO refers to the frequency of a threat occurring in a single year. SLE is the amount, in dollars, that an organization will lose if even a single threat event occurs. ALE = SLE x ARO Let's look at an example of this: Suppose your organization has a server that is worth $10,000. When an outage occurs, you approximate that 10% of the data will be lost. The administrator has determined that the server will fail approximately 5 times each year. To calculate SLE, you would multiply the asset value ($10,000) by the exposure factor (10%) and get an SLE value of $1,000. This is the value of a single loss incident. Then, to determine the ALE, you would multiply the SLE ($1,000) by the approximate number of times this incident will occur annually (5) and get an ALE value of $5,000. Total risk can be calculated by multiplying the threats, the vulnerabilities, and the asset value. Total risk = threats x vulnerabilities x asset value Actual Cost Evaluation (ACV) is typically used for insurance calculation. ACV is based on the value of the item at the time of loss, plus some percent of the total loss as defined in the insurance contract clause. A risk cannot be eliminated completely. It can be accepted, reduced, or transferred, but some amount of risk will always be present, referred to as residual risk. You can also take steps to deter risk. Risk deterrence is any action that you take to prevent a risk from occurring. Identifying residual risk is the most important aspect of the risk acceptance strategy. "
"What is DLP? a technology that allows organizations to use the Internet to host services and data remotely instead of locally an application that protects against malware a chip that implements hardware-based encryption a network system that monitors data on computers to ensure the data is not deleted or removed "
"Answer: a network system that monitors data on computers to ensure the data is not deleted or removed Explanation: Data Loss Prevention (DLP) is a network system that monitors data on computers to ensure the data is not deleted or removed. If your organization implements a DLP system, you can prevent users from transmitting confidential data to individuals outside the company. Cloud computing is a technology that allows organizations to use the Internet to host services and data remotely instead of locally. Microsoft Security Essentials is an application that protects against malware. It is included in Windows Vista, Windows XP SP2, and Windows 7. Other applications are available that protect against malware. Trusted Platform Module (TPM) and Hardware Security Module (HSM) are both chips that implement hardware-based encryption. The main difference between the two is that a TPM chip is usually mounted on the motherboard and HSM chips are PCI adapter cards. "
"You collect evidence after an attack has occurred. You need to ensure that the evidence collected follows chain of custody procedures. Which stage is NOT a part of the life cycle of evidence? storage collection accreditation presentation in court "
"Answer: accreditation Explanation: Accreditation is not a part of the life cycle of evidence. Accreditation is the process in which the management accepts a system's functionality and assurance. Accreditation represents the satisfaction of management regarding the adequacy of the product with respect to functionality and assurance after the evaluation process is over. The stages in the life cycle of the evidence or the chain of custody are as follows: collection of evidence from the site analysis of the evidence by a team of experts storage of the evidence in a secure place to ensure that the evidence is not tampered with presentation of the evidence by legal experts in a court of law returning the evidence to the owner after the proceedings are over Most computer-related evidence is hearsay in nature and can be easily dismissed in court due to its volatile nature. Strict and organized procedures should be followed for collection, analysis, and handling of evidence. "
"During a meeting, you present management with a list of the access controls used on your network. You explain that these controls include preventative, detective, and corrective controls. Which control is an example of a corrective control? router intrusion detection system (IDS) audit log antivirus software "
"Answer: antivirus software Explanation: Antivirus software is an example of a corrective technical control because it attempts to correct any damage that was inflicted during a security breach. Antivirus software can also be considered a compensative technical control. Routers are examples of preventative technical controls because they prevent security breaches. Routers are also a compensative technical control. IDSs are a detective technical control and a compensative technical control. Audit logs are examples of detective technical controls because they detect security breaches. Audit logs are also a compensative technical control. There are three categories of access control: technical, administrative, and physical controls. A technical control is a control that is put into place to restrict access. Technical controls work to protect system access, network architecture and access, control zones, auditing, and encryption and protocols. An administrative or management control is a control that dictates how security policies are implemented to fulfill the company's security goals. Administrative controls include policies and procedures, personnel controls, supervisory structure, security training, and testing. A physical or operational control is a control that is implemented to secure physical access to an object, such as a building, a room, or a computer. Physical controls include network segregation, perimeter security, computer controls, work area separation, backups, and cabling. The three access control categories provide seven different functionalities or types: preventative - A preventative control prevents security breaches. detective - A detective control detects security breaches as they occur. corrective - A corrective control restores control and attempts to correct any damage that was inflicted during a security breach. deterrent - A deterrent control deters potential violations. recovery - A recovery control restores resources. 
compensative - A compensative control provides an alternative control if another control may be too expensive. All controls are generally considered compensative. directive - A directive control provides mandatory controls based on regulations or environmental requirements. Each category of control includes controls that provide different functions. For example, a fence is both a deterrent physical control and a compensative physical control. Monitoring and supervising is both a detective administrative control and a compensative administrative control. "
"You have recently been hired to serve as your company's security administrator. You are currently working to ensure that all information assets are protected. What are the core security objectives you should address? risks, liabilities, and vulnerabilities risks, threats, and vulnerabilities asset, liabilities, and risks confidentiality, integrity, and availability "
"Answer: confidentiality, integrity, and availability Explanation: Confidentiality, integrity, and availability are the core security objectives for protecting the information assets of an organization. These three objectives are also referred to as the CIA triad. Availability includes the ability to provide redundancy and fault tolerance, to operate at the optimum level of performance, the ability to cope with vulnerabilities and threats such as DoS attacks, and the ability to recover from disruption without compromising security and productivity. Availability can be improved by implementing technologies that provide redundancy, fault tolerance, and system and device patching. Integrity ensures the correctness of data and the reliability of information, the protection of data and the system from unauthorized alteration, and the inability of attacks and user mistakes to affect the integrity of the data and the system. An example of when integrity has been compromised is when a bulk update operation writes incorrect data throughout a database. Data integrity can be improved by using digital signatures, hashing, certificates, and non-repudiation. Confidentiality is defined as the minimum level of secrecy maintained to protect sensitive information from unauthorized disclosure. Confidentiality can be implemented through encryption, access control, data classification, steganography, and security awareness. Maintaining the confidentiality of information protects an organization from attacks, such as shoulder surfing and social engineering. These attacks can lead to the disclosure of confidential information and can disrupt business operations. Confidentiality ensures that data is only viewable by authorized users. Risks, threats, and vulnerabilities are evaluated during the course of a risk analysis conducted by an organization. During a risk analysis, an asset is valued based on its sensitivity and value. 
The evaluation of risks, threats, and vulnerabilities provides an estimate regarding the controls that should be placed in an organization to achieve the security objectives of an organization. The rest of the options are invalid in terms of security evaluation and security objectives of an organization. "
"What is defined in an acceptable use policy? which method administrators should use to back up network data the sensitivity of company data which users require access to certain company data how users are allowed to employ company hardware "
"Answer: how users are allowed to employ company hardware Explanation: An acceptable use policy defines how users are allowed to employ company hardware. For example, an acceptable use policy, which is sometimes referred to as a use policy, might answer the following questions: Are employees allowed to store personal files on company computers? Are employees allowed to play network games on breaks? Are employees allowed to ""surf the Web"" after hours? An information policy defines the sensitivity of a company's data. In part, a security policy defines separation of duties, which determines who needs access to certain company information. A backup policy defines the procedure that administrators should use to back up company information. A privacy policy defines which information is considered private and how this information should be handled, stored, and destroyed. "
"Which access control principle ensures that a particular role has more than one person trained to perform its duties? job rotation separation of duties least privilege implicit deny "
"Answer: job rotation Explanation: Job rotation ensures that a particular role has more than one person trained to perform its duties. Personnel should be periodically rotated, particularly in important positions. Job rotation and separation of duties also help to prevent collusion. Separation of duties requires the involvement of more than one individual to accomplish a critical task. Separation of duties ensures that no individual can compromise a system, and is considered valuable in deterring fraud. Separation of duties can be either static or dynamic. Static separation of duties refers to the assignment of individuals to roles and to the allocation of transactions to roles. In static separation of duties, an individual can be either the initiator of a transaction or the authorizer of the transaction. In dynamic separation of duties, an individual can initiate as well as authorize transactions. The principle of least privilege grants users only those permissions they need to do their work. Limiting user access to administrative accounts is part of this principle. A need-to-know security policy is based on the principle of least privilege. The least privilege principle is most commonly associated with mandatory access control (MAC). An implicit deny ensures that certain users are not allowed to access a certain file, folder, or application. An implicit deny overrides all other permissions, including an explicit allow. "
"What is another term for technical controls? logical controls access controls detective controls preventative controls "
"Answer: logical controls Explanation: Another term for technical controls is logical controls. Technical controls are used to restrict data access and operating system components, security applications, network devices, protocols, and encryption techniques. Access controls can be included as part of technical controls. However, access controls is not a term that is synonymous with technical controls. Detective controls are controls that are used to detect intrusion when it occurs. While you can include detective technical controls in your security plan, detective controls can be technical, physical, or administrative. Detective technical controls include audit logs and intrusion detection systems (IDSs). Preventative controls are controls that are used to prevent intrusion before it occurs. While you can include preventative technical controls in your security plan, preventative controls can be technical, physical, or administrative. Preventative technical controls include access control lists (ACLs), routers, encryption, antivirus software, smart cards, and call-back systems. Technical or logical controls include all authentication mechanisms, including password, two-factor, Kerberos, and RADIUS authentication. Network segmentation is accomplished by using logical controls. There are three categories of access control: technical, administrative, and physical controls. A technical control is a control that is put into place to restrict access. Technical controls work to protect system access, network architecture and access, control zones, auditing, and encryption and protocols. An administrative or management control is developed to dictate how security policies are implemented to fulfill the company's security goals. Administrative controls include policies and procedures, personnel controls, supervisory structure, security training, and testing. 
A physical or operational control is a control that is implemented to secure physical access to an object, such as a building, a room, or a computer. Physical controls include network segregation, perimeter security, computer controls, work area separation, backups, and cabling. The three access control categories provide seven different functionalities or types: preventative - A preventative control prevents security breaches. detective - A detective control detects security breaches as they occur. corrective - A corrective control attempts to correct any damage that has been inflicted during a security breach and restores control. deterrent - A deterrent control deters potential violations. recovery - A recovery control restores resources. compensative - A compensative control provides an alternative control if another control may be too expensive. All controls are generally considered compensative. directive - A directive control provides mandatory controls based on regulations or environmental requirements. Each category of control includes controls that provide different functions. For example, a security badge is both a preventative physical control and a compensative physical control. Monitoring and supervising is both a detective administrative control and a compensative administrative control. "
"Which factor does NOT minimize the security breach incidents committed by internal employees? rotation of duties separation of duties mandatory vacations nondisclosure agreements signed by employees "
"Answer: nondisclosure agreements signed by employees Explanation: Nondisclosure agreements (NDAs) do not minimize the security breach incidents committed by internal employees. NDAs are signed by an employee at the time of hiring, and impose a contractual obligation on employees to maintain the confidentiality of information, stating that a disclosure of information can lead to legal ramifications and penalties. Unlike the other options, NDAs cannot ensure a decrease in security breaches. In spite of signing an NDA, the staff members of an organization pose the most security threats. Disgruntled employees typically attempt the security breaches in an organization. Existing employees can commit a security breach accidentally or by mistake and may put the security of the organization at risk. Therefore, staff members should be provided extensive training on security policies, security practices, the acceptable use of resources, and the implications of noncompliance. It is important to understand that each employee of the organization is responsible for managing security. The other factors enable you to avoid security incidents committed by employees. Job rotation implies the ability of an employee to carry out the tasks of another employee within the organization. In an environment using job rotation, an individual fulfills the tasks of more than one position in the organization. This ensures a check on the activities of other employees, provides a backup resource, and acts as a deterrent for possible fraud. Segregation of duties aims at placing limited trust in a particular individual for a sensitive task. The term implies that a sensitive activity is segregated into multiple activities and that the tasks are assigned to different individuals who must work together to achieve the common goal. A clear distinction between the duties of individuals prevents acts such as fraud, because such an act would require collusion for a breach to take place. 
Segregating the functions of a computer user and a system administrator is an example of segregation of duties. Mandatory vacations, which are an administrative control, ensure that employees take vacations at periodic intervals. This control proves helpful in detecting suspicious activities or fraud by an employee in a sensitive position, because the replacement employee can discover whether the employee on vacation has engaged in fraudulent activities. "
"Your company's security policy includes system testing and security awareness training guidelines. Which control type is this considered? detective technical control detective administrative control preventative technical control preventative administrative control "
"Answer: preventative administrative control Explanation: Testing and training are considered preventative administrative controls. Administrative controls dictate how security policies are implemented to fulfill the company's security goals. Preventative controls are controls that are implemented to prevent security breaches. Preventative administrative controls place emphasis on soft mechanisms that are deployed to support the security objectives and include security policies, information classification, personnel procedures, testing, and security awareness training. Detective technical controls include audit logs and intrusion detection systems (IDSs). Detective administrative controls include monitoring and supervising, job rotation, and investigations. Preventative technical controls include access control lists (ACLs), routers, encryption, antivirus software, server images, smart cards, and call-back systems. There are three categories of access control: technical, administrative, and physical controls. A technical control is a control that is put into place to restrict access. Technical controls work to protect system access, network architecture and access, control zones, auditing, and encryption and protocols. An administrative or management control is developed to dictate how security policies are implemented to fulfill the company's security goals. Administrative controls include policies and procedures, personnel controls, supervisory structure, security training, and testing. A physical or operational control is a control that is implemented to secure physical access to an object, such as a building, a room, or a computer. Physical controls include network segregation, perimeter security, computer controls, work area separation, backups, and cabling. The three access control categories provide seven different functionalities or types: preventative - A preventative control prevents security breaches. 
detective - A detective control detects security breaches as they occur. corrective - A corrective control attempts to correct any damage that has been inflicted during a security breach and restores control. deterrent - A deterrent control deters potential violations. recovery - A recovery control restores resources. compensative - A compensative control provides an alternative control if another control may be too expensive. All controls are generally considered compensative. directive - A directive control provides mandatory controls based on regulations or environmental requirements. Each category of control includes controls that provide different functions. For example, a security badge is both a preventative physical control and a compensative physical control. Monitoring and supervising is both a detective administrative control and a compensative administrative control. "
"Which type of assessment examines whether network security practices follow the company security policy? security audit network risk assessment organizational risk assessment penetration test "
"Answer: security audit Explanation: Administrators use a security audit to examine specific security measures and the extent to which a security measure adheres to a company security policy. A penetration test is used to determine whether network security is properly configured to rebuff hacker attacks. A network risk assessment is used to examine network resources and information in order to determine the probability of a successful attack by a hacker. An organizational risk assessment examines physical and electronic information handling issues to determine whether security weaknesses exist. "
"Your company has a backup solution that performs a full backup each Saturday evening and an incremental backup all other evenings. A vital system crashes on Monday morning. How many backups will need to be restored? one two three four "
"Answer: two Explanation: Because the system crashes on Monday morning, you will need to restore two backups: the full backup from Saturday evening and the incremental backup from Sunday evening. When incremental backups are included in your backup plan, you will need to restore the full backup and all incremental backups that have been taken since the full backup. Because the failure occurred on Monday morning, only the full Saturday backup and the incremental Sunday backup need to be restored. If the crash had occurred on Tuesday morning, you would have needed to restore three backups: Saturday evening's full backup, Sunday evening's incremental backup, and Monday evening's incremental backup. If the crash had occurred on Wednesday morning, you would have needed to restore four backups: Saturday evening's full backup, Sunday evening's incremental backup, Monday evening's incremental backup, and Tuesday evening's incremental backup. "
"You must deploy the appropriate control to a section of the network shown in the exhibit. Because of budget constraints, you can only deploy one of each of the following controls: Cable locks Mantrap Biometric readers NAC policies You need to deploy each of these controls on a single section of the diagram. The controls may be used to protect either the entire section or a single component within that section. Drag the appropriate control to one of the four designated locations on the network exhibit. All four locations require a control. Each control can be used only once."
"The mantrap will control access to the data center. The cable locks will provide security for the laptops used in the office. The NAC policies will provide a means to ensure that customer devices have the appropriate security technologies configured before they are able to connect to your wireless access point. Biometric readers will ensure that the mobile laptops used by sales reps cannot be accessed by attackers or thieves. Always consider the types of controls and the number of each control that are required when deploying them on your network. In this scenario, you were limited to four controls. In the real world, it would be better to implement mantraps for both the office and the data center to ensure that only employees have access to these areas. However, if you can only deploy them in one location, protecting the data center is more important. Cable locks could be used for all internal laptops to prevent theft. Cable locks probably would not be useful for the sales reps' laptops because of the mobile nature of their usage. You would not issue cable locks to customers in the wireless network lounge because they are responsible for the security of their personal mobile devices. However, if you provided laptops for customers to use in a public area that is not secured by proximity badges, you should secure them with cable locks to prevent theft. While NAC policies can be configured for every device that connects to your network, including company-owned devices, NAC is most popularly used when organizations allow BYOD. Biometric readers could be used to protect any area of the network, but are very expensive to deploy. Ideally, you would at least deploy biometrics to protect the data center and each sales rep's laptop. 
However, in this scenario, the biometric readers would be assigned to the sales reps' laptops because the data center is protected by a mantrap, which is a configuration that only allows one person at a time to enter a room or building. "
"As part of a new security initiative, your organization has decided that all employees must undergo security awareness training. What is the aim of this training? All employees in the IT department should be able to handle security incidents. All employees excluding top management should understand the legal implications of loss of information. All employees in the IT department should be able to handle social engineering attacks. All employees must understand their security responsibilities. "
" Answer: All employees must understand their security responsibilities. Explanation: The primary aim of security awareness training is to ensure that all employees understand their security responsibilities, the ethical conduct expected from them, and the acceptable use of an effective security program. An effective security program includes a mix of technical and non-technical methods. It is important to understand the corporate culture and environment and their effect on the security of the organization. A security awareness program is all about communicating the company's attitude about safeguarding resources. An example of a cost-effective way to enhance security awareness in an organization is to create an award or recognition program for employees. User responsibilities for protection of information assets are defined in the organization's information security policies, procedures, standards, and best practices developed for information protection. User training should include security policy training and procedures. Security awareness training may be customized for different groups of employees, such as senior management, technical staff, and users. Each group has different responsibilities and needs to understand security from a perspective pertaining to their domain. For example, the security awareness training for the management group should focus on a clear understanding of the potential risks, exposure, and legal obligations resulting from loss of information. Technical staff should be well versed regarding the procedures, standards, and guidelines to be followed. User training should include examples of acceptable and unacceptable activities and the implication of noncompliance. User training might be focused on threats, such as social engineering, which can lead to the divulgence of confidential information that may hamper business operations by compromising the confidentiality and the integrity of information assets. 
Staff members should particularly be made aware of such attacks to avoid unauthorized access attempts. Before developing security awareness training, it is important that the corporate environment is fully understood. Security awareness training has these benefits: It helps operators understand the value of the information. It can help system administrators recognize unauthorized intrusion attempts. It can help an organization reduce the number and severity of errors and omissions. Security awareness, security training, and security education are usually considered three unique topics. Security awareness is used to reinforce the fact that security supports the mission of the organization by protecting valuable resources. The purpose of security training is to teach people the skills that will enable them to perform their jobs more securely. Training focuses on security awareness. Security education is more in-depth than security training and targets security professionals and those whose jobs require expertise in security. Management commitment is necessary because of the resources used in developing and implementing the program, and also because the program affects their staff. Role-based training should be implemented to ensure that the appropriate training is given to personnel based on their role within the organization. An organization's security awareness and training must ensure compliance with laws, best practices, and standards. The best way to prove the success of a security awareness program is to provide metrics showing improvements in security issues. "
"Which policy defines the sensitivity of a company's data? a backup policy an information policy a security policy a use policy "
" Answer: an information policy Explanation: An information policy defines the sensitivity of a company's data and the proper procedures for storage, transmission, disposal, and marking of a company's data. The cornerstone practice of a company's information policy, as with all security-related policies, is to grant only the level of access that is required to allow particular individuals to fulfill their responsibilities. Accordingly, a well-developed information policy will rely on information about separation of duties to establish different levels of access by group role or individual responsibility. Individuals will be granted access only to that information for which they have a 'need to know' to accomplish the goals of their position. A backup policy defines the procedures that should be used to back up information stored on a company's network. A security policy defines the technical means that are used to protect data on a network. A use policy, sometimes referred to as an acceptable use policy, defines the manner in which employees are allowed to use a company's network equipment and resources, such as bandwidth, Internet access, and e-mail services. Policies contain conditions of expected performance and the consequences of non-compliance. An access control policy details guidelines on the rights, privileges, and restrictions for using company equipment and assets. "
"You need to view events that are generated based on your auditing settings. Which log in Event Viewer should you view? Application Security System DNS "
"Answer: Security Explanation: You should view the Security log in Event Viewer to view events that are generated based on your auditing settings. As part of the routine audit review, you should ensure that you perform a user rights and permissions review, which will ensure that devices maintain the correct security configuration. After deploying security controls to limit the risk of attack, you should implement routine audits to ensure that controls continue to function as intended to maintain an appropriate security posture. None of the other logs records this information. The Application log contains events logged by applications. The System log contains events logged by computer system components. The DNS log contains events on host name registrations. "
"You have been asked to implement a plan whereby the server room for your company will remain online for three hours after a power failure. This will give your IT department enough time to implement the alternate site. Which technology would be best in this scenario? RAID UPS backup generator clustering "
" Answer: backup generator Explanation: You should implement a backup generator. A backup generator will provide power for a limited time. It runs on gasoline or diesel to generate electricity. Backup generators provide redundant power. Redundant Array of Independent Disks (RAID) is a disk solution whereby hard drives can provide fault tolerant solutions. It has nothing to do with power capability. An uninterruptible power supply (UPS) will provide power for a short time, usually under an hour. A UPS will not provide enough time to implement the alternate site. However, it may be necessary to implement UPS systems to provide power until the backup generator can be brought online. Clustering provides fault tolerance for servers. Servers that are part of a cluster provide services in the event that other servers in the cluster fail. Clustering reduces the likelihood of a single point of failure when a server fails. "
"Match each access control type with the example that best fits with that type. Missing Image"
" Explanation: The access control types should be matched with the examples in the following manner: Technical - encryption protocols Administrative - security policies Physical - locks "
"According to the business continuity plan, this week your team must complete a test of specific systems to ensure their operation at alternate facilities. The results of the test must be compared with the live environment. Which test are you completing? structured walk-through test simulation test parallel test full-interruption test "
" Answer: parallel test Explanation: A parallel test tests specific systems to ensure operation at alternate facilities. Results of this test should be compared with the original system's test results to ensure operation as close to normal as possible. With a parallel test, performance baselines are taken to ensure processing is still at acceptable levels. The structured walk-through test is a review of the disaster recovery plan to ensure that all steps are included. A simulation test is a practice run of the disaster recovery plan for a given scenario. A full-interruption test includes shutting down the original site and making the alternate site fully operational. This test should only be performed when all other tests have been performed and are successful. While a parallel test tests the processing functionality of the alternate site, the full-interruption test actually replicates a disaster by halting production. Another disaster recovery test is the checklist, which determines if sufficient supplies are stored at the backup site, telephone number listings are current, quantities of forms are adequate, and a copy of the recovery plan and necessary operational manuals are available. Under this testing technique, the recovery team reviews the plan and identifies key components that should be available. The checklist test ensures that the organization complies with the requirements of the disaster recovery plan. A table-top exercise test is considered the most cost-effective and efficient way to identify areas of overlap in the plan before conducting more demanding training exercises. But it is not considered to be one of the disaster recovery testing types. The following list of disaster recovery testing types goes from least extensive to most extensive: Checklist Structured walk-through Parallel Simulation Full-interruption The one thing that is certain about all business continuity plans and recovery plans is that they become obsolete quickly. 
For this reason, testing and review of some sort is vital. The most useful results for management are a list of the successful and unsuccessful operations. This will give management a chance to review any problem areas and correct them if necessary. The plan should be revised as needed to ensure successful recovery of all business functions. It is important to test disaster recovery plans frequently because a plan is not considered viable until a test has been performed. If no deficiencies are found during a test, then the test was probably flawed. Testing the disaster recovery plan should be completed for the following reasons: Testing verifies the processing capability of the alternate backup site. Testing prepares and trains the personnel to execute their emergency duties. Testing identifies deficiencies in the recovery procedures. Testing verifies the accuracy of the recovery procedures. During a test recovery procedure, one important step is to maintain records of important events that happen during the procedure. In addition, you should report the events to management."
"Your organization has decided to outsource its e-mail service. The company chosen for this purpose has provided a document that details the e-mail functions that will be provided for a specified period, along with guaranteed performance metrics. What is this document called? SLA BPA MOU ISA "
"Answer: SLA Explanation: A service level agreement (SLA) is an agreement between a company and a vendor in which the vendor agrees to provide certain functions for a specified period. A business partners agreement (BPA) is an agreement between two companies that ensures that both parties implement the appropriate security measures. This type of agreement is particularly important when the two partners exchange data that could harm the companies' reputations if the data was accessed by an attacker. A memorandum of understanding (MOU) is a mutual agreement between two parties to perform a common action or relationship. If well-defined legal elements are included, the MOU is considered binding. MOUs are generally loose agreements and therefore may not have strict guidelines in place to protect sensitive data between the two entities. An interconnection security agreement (ISA) is an agreement established between organizations that own and operate connected systems to document the technical requirements of the connection. An ISA can also be used to ensure both parties have a clear understanding of the controls needed to protect the data. All of these components are interoperability agreements. Security professionals should fully research the security implications of all of these types of agreements, as well as any others that their organization may employ as part of the risk assessment. This will ensure that the organization can implement the appropriate measures to prevent or at least reduce the risk. As a security professional, you must also understand the security implications of integrating systems and data with third parties, including the following: On-boarding/off-boarding business partners - When you bring new business partners on board, you must ensure that all of your organization's security policies and regulations are fully understood and implemented by the partner organization. 
The transfer, storage, and collection of any data must be protected according to your organization's security policy, unless a valid reason exists for ignoring certain security tenets (such as if they contradict local, state, or federal laws, etc.). When you are terminating a business partner, you must ensure that the partner organization transfers all assets back to your organization and that the partner organization understands the legal ramifications if the data is compromised at their facilities AFTER the transfer has occurred. Social media networks and applications - Organizations should analyze the security implications of social media networks and applications and should adopt a formal policy regarding their usage. Any security awareness training should fully cover the organization's policy regarding such usage. If usage is forbidden, repercussions for non-compliance should be fully spelled out in any employment agreements. Keep in mind that social media networks and their applications are often under attack because of the proliferation of usage. Companies should not allow users to authenticate to a company's Web applications using credentials from a popular social media site because password breaches to the social media site would affect the company application as well. Privacy considerations - Any organization that collects and stores personally identifiable information (PII) or any other protected information should be concerned with the security of that data. If the privacy data that your organization collects is stored or managed by a third party, you must ensure that the other organization properly secures the data. In addition, personnel should be trained to recognize PII, as well as how to protect this data. If for any reason you need to be able to transmit PII, you should use SSH or PGP/GPG. The best ways to address customer data privacy concerns are to employ encryption and stronger access controls. 
Risk awareness - It is vital that your organization understands the risks involved with integrating systems and data with third parties. You should ensure that a risk assessment is performed and that management is given the results of this assessment. Both organizations should be periodically reminded regarding the security risks of the partnership. Unauthorized data sharing - Whenever systems and data are integrated with third parties, personnel from both organizations should be given clear guidelines on the data that can and cannot be shared between the organizations. These guidelines should include the methods of sharing as well as the type of data that can and cannot be shared. Personnel should fully understand the penalties that could occur from noncompliance. Data ownership - Organizations should fully define the ownership of any data that is collected, stored, and exchanged. Without a clear definition, legal issues could arise if the partnership is ever dissolved. Data backups - The frequency of any data backups should be documented in a formal backup plan. In addition, the formal backup plan should include storage guidelines. Follow security policy and procedures - Any third parties with which your organization deals should modify their security policies and procedures to follow your organization's policies and procedures if your policies and procedures are stricter unless they contradict local, state, or federal laws. Review agreement requirements to verify compliance and performance standards - All agreements should be reviewed at least annually to ensure that they comply with regulations and laws and to ensure that performance is maintained. "
"You are explaining to a new employee the proper process of evidence collection. As part of this explanation, you need to ensure that the new employee understands the evidence life cycle. Move the steps in the evidence life cycle from the left column to the right column, and place them in the correct order, starting with the first step at the top. "
"Explanation: The correct order for the evidence life cycle is as follows: Collect Analyze Store Present Return"
"A risk assessment team has identified several risks to your company's security. You need to ensure that you provide as much protection against these risks as possible. Which of the listed risks will have the least effect on the organization's confidentiality, integrity, and availability? a stolen computer lost keys to the door a damaged hard drive primary power failure "
"Answer: a damaged hard drive Explanation: A damaged hard drive will have the least effect on the organization's confidentiality, integrity, and availability because the data inside the damaged hard disk is rendered unusable and cannot be retrieved by any individual with malicious intent. Stolen computers and lost keys will have the most impact on the confidentiality and integrity of the resources within the organization. Power failure will have a direct impact on the availability of the system. "
"Which element is created to ensure that your company is able to resume operation after unplanned downtime in a timely manner? vulnerability analysis disaster recovery plan business continuity plan business impact analysis (BIA) "
"Answer: disaster recovery plan Explanation: The disaster recovery plan is created to ensure that your company is able to resume operation in a timely manner. As part of the business continuity plan, it mainly focuses on alternative procedures for processing transactions in the short term. It is carried out when the emergency occurs and immediately following the emergency. The disaster recovery plan (DRP) should include a hierarchical list of critical systems. A vulnerability analysis identifies your company's vulnerabilities. It is part of the business continuity plan. A business continuity plan is created to ensure that policies are in place to deal with long-term outages and disasters to sustain operations. Its primary goal is to ensure that the company maintains its long-term business goals both during and after the disruption, and mainly focuses on the continuity of the data, telecommunications, and information systems infrastructures. Multiple plans should be developed to cover all company locations. The business continuity plan is broader in focus than the disaster recovery plan and usually includes the following steps: Policy statement initiation - includes writing the policy to give the business continuity plan direction and creating the business continuity plan committee, roles, and role definitions. Business impact analysis (BIA) creation - includes identifying vulnerabilities and threats, and calculating risks. The risk management process is one of the core infrastructure and service elements required to support the business processes of the organization. This stage should also identify potential countermeasures associated with each threat. Recovery point objectives and recovery time objectives directly relate to the BIA. Recovery strategies creation - includes creating plans to bring systems and functions online quickly. Contingency plan creation - includes writing guidelines to ensure the company can operate at a reduced capacity. 
Plan testing, maintenance, and personnel training - includes a formal test of the plan to identify problems, training the parties who have roles in the business continuity plan to fulfill their roles, and updating the plan as needed. The company should quantitatively measure the results of the test to ensure that the plan is feasible. This step ensures that the business continuity plan remains a constant focus of the company. Major elements of the business continuity plan include the disaster recovery plan, BIA, risk management process, and contingency plan. Although the business continuity plan committee should be created, it is not considered a major element of the plan. A BIA is created to identify the company's vital functions and prioritize them based on need. Vulnerabilities and threats are identified, and risks are calculated. One of the most critical elements in a business continuity plan is management support. "
"Your company has a backup solution that performs a full backup each Saturday evening and a differential backup all other evenings. A vital system crashes on Tuesday morning. How many backups will need to be restored? one two three four "
"Answer: two Explanation: You would need to restore two backups if the system crashes on Tuesday morning. The two backups that should be restored are the Saturday evening full backup and the Monday evening differential backup. When you use differential backups in your backup plan, you only need to restore the full backup and the most recent differential backup. If the failure had occurred on Sunday morning, only the full backup would need to be restored. If the failure occurs any other day of the week, the full backup and the most recent differential backup would need to be restored. "
"Your organization has recently been the victim of several well-known attacks. These attacks could have been prevented with certain identified measures. Management has asked you to identify, analyze, and correct any security issues so that these issues will not affect your organization in the future. Which process are you implementing? change management incident management risk assessment data loss prevention "
" Answer: incident management Explanation: When you identify, analyze, and correct any security issues, you are implementing incident management. Change management involves identifying, analyzing, implementing, and documenting any changes to your systems and devices. Risk assessment assesses systems and devices for risks and then analyzes these risks to determine any controls that can be implemented to reduce risk. A risk assessment does not actually correct any security issues. Data loss prevention (DLP) implements the appropriate policies to ensure that data is not lost. Your organization must ensure that it enforces any policies or procedures that it adopts to prevent data loss or theft. Even the best designed policies and procedures are useless if they are not enforced. DLP can also be used to prevent users from printing files that include personally identifiable information (PII). "
" As your organization's security administrator, you are reviewing the audit results to assess if your organization's security baselines are maintained. In which phase of the security management life cycle are you engaged? Plan and Organize Implement Operate and Maintain Monitor and Evaluate "
" Answer: Monitor and Evaluate Explanation: You are engaged in the Monitor and Evaluate phase of the security management life cycle. This phase includes the following components: Review logs, audit results, metrics, and service level agreements. Assess accomplishments. Complete quarterly steering committee meetings. Develop improvement steps for integration into Plan and Organize phase. Reviewing audits is not part of any of the other phases."
"As your organization's security officer, you are currently completing audits to ensure that your security settings meet the established baselines. In which phase of the security management life cycle are you engaged? Plan and Organize Implement Operate and Maintain Monitor and Evaluate "
" Answer: Operate and Maintain Explanation: You are engaged in the Operate and Maintain phase of the security management life cycle. This phase includes the following components: Ensure that all baselines are met. Complete internal and external audits. Complete tasks outlined in the blueprints. Manage service level agreements as outlined in the blueprints. Completing audits is not part of any of the other phases. "
"Which type of incident is not usually addressed in a contingency plan? a power outage a T1 connection failure a hurricane a server crash "
" Answer: a hurricane Explanation: A hurricane is not usually addressed in a contingency plan. All natural disasters are part of the business continuity plan, not the contingency plan. The contingency plan addresses how to deal with small incidents, such as power outages, connection failures, server crashes, and software corruption."
"Move the items in the list from the left column to the right column, and place them in the correct order in which the forensic analyst should preserve them, starting with the first item at the top. "
" Explanation: The correct order in which items should be preserved for forensic analysis is as follows: Cache RAM Running processes Hard drives Backup media"
"Which hardware contingency solutions offer high availability? (Choose two.) RAID tape backups vaulting disk replication "
"Answer: RAID disk replication Explanation: Both RAID and disk replication offer high availability. Redundant array of independent disks (RAID) provides redundancy for hard drives. A RAID volume that includes multiple drives is seen as one drive to applications and other devices. In most RAID implementations, the data remains available if a drive within the volume fails. Disk replication is the process of replicating the data on a disk to another disk. If the main disk fails, the disk that contains the replicated data can take over. Tape backups are not highly available. They must be restored, which could take a long time depending on the amount of data to be restored. Vaulting makes electronic backups of data and transmits them to offsite storage locations. These backups must be restored in a similar way as tape backups. Load balancing, disk replication, and clustering provide a server contingency solution that offers high availability. These solutions are often referred to as server fault tolerance. Offsite facilities can also offer server contingency solutions with a lower availability than load balancing, disk replication, or clustering. "
"Which technique attempts to predict the likelihood a threat will occur and assigns monetary values in the event a loss occurs? Delphi technique Vulnerability assessment Quantitative risk analysis Qualitative risk analysis"
" Answer: Quantitative risk analysis Explanation: Quantitative risk analysis attempts to predict the likelihood a threat will occur and assigns a monetary value in the event a loss occurs. The Delphi technique is a type of qualitative risk analysis in which each member of the risk analysis team gives anonymous opinions. The anonymous opinions ensure that members are not pressured into agreeing with other parties. A vulnerability assessment is a method of determining system vulnerabilities and their risk(s). Steps are then taken to reduce the risk. Qualitative risk analysis does not assign monetary values. It is simply a subjective report that is compiled by the risk analysis team that describes the threats, countermeasures, and likelihood an event will occur. There are many assessment techniques that are used, including the following: Perform baseline reporting. Review code. Determine attack surface. Review network and system design. Use an architectural approach to security."
" Which plan ensures that a vital corporate position is filled in the event it is vacated during a disaster? occupant emergency plan (OEP) continuity of operations plan (COOP) executive succession plan reciprocal agreement "
"Answer: executive succession plan Explanation: An executive succession plan ensures that a vital corporate position is filled in the event it is vacated during a disaster. This plan could be carried out in the event of the death, resignation, or retirement of a corporate executive. An occupant emergency plan (OEP) is created to ensure that injury and loss of life are minimized when an outage or disaster occurs. It also focuses on property damage. Interviewing is not included as part of its development. A continuity of operations plan (COOP) is a document that explains how critical operations will be maintained in the event a disaster occurs. When a company's payroll server or another server is intentionally powered off for eight hours, the company's continuity of operations plan is being tested. A reciprocal agreement is an agreement in which two companies agree to provide offsite facilities to each other in the event a disaster occurs. "
" Which operation must you undertake to avoid mishandling of tapes, CDs, DVDs, and printed material? degaussing zeroization labeling offsite storage "
" Answer: labeling Explanation: Proper labeling is required to avoid mishandling of the information on storage media, such as tapes and DVDs. Compact discs are used to store small data sets, while backup tapes and DVDs are used to store large numbers of data sets. Storage media containing confidential information must be appropriately marked and labeled to ensure appropriate classification. The storage media should also be stored in a protected area. Each piece of media should be labeled with the following details: classification date of creation retention period volume name and version name of the person who created the backup Your organization's security policy should document the proper data labeling, handling, and disposal procedures for all classifications of data. Degaussing is not a media handling technique but a media sanitization technique. Degaussing is the process of reducing or eliminating the unwanted magnetic field of storage media by applying strong magnetic forces. Degaussing devices generate powerful opposing magnetic fields that reduce the magnetic flux density of the storage media to zero. Degaussing is the most preferred method for erasing data from magnetic media, such as floppy disks and magnetic tapes. Zeroization is also a media sanitization technique. Zeroization implies that storage media are repeatedly overwritten with null values, such as multiple ones and zeros, for sanitization. Zeroization is generally used in a software development environment. Data transfer to an offsite location should take place to create a backup copy of the media if there is a disaster at the primary site. Data transferred to an offsite location acts as a backup copy of the data. The storage media should be labeled appropriately to prevent mishandling. Your organization's security policy should also address user habits. As a security professional, you must ensure that the following user habits are addressed: Password behaviors - Passwords are constantly under attack. 
Users should be discouraged from storing their passwords in an easily accessible location, such as on the back of their keyboard. In addition, users should be encouraged to use passwords that are not common or that include special characters and numbers. Implementing a complex password policy over the network can enforce this policy. Data handling - Users should be instructed as to the acceptable methods of handling data, including how data should be transferred and stored and the media that can be used. If encryption is required for certain confidential data, encryption should be enforced at the system to ensure that users cannot transfer or store the confidential data in unencrypted format. Clean desk policies - Many organizations adopt a clean desk policy so that physical access to a facility will not result in access to confidential data. Tailgating - Employees should be cautioned against allowing tailgating into the facility. All personnel should use their own access card or access code to access the facility. This ensures that an unauthorized user is not granted access to the facility. Personally owned devices - Organizations should analyze whether they will allow users to attach personally owned devices to the organization's devices and network. If personally owned devices are allowed, the organization should adopt a policy whereby users must ensure that their personally owned devices do not infect organizational devices or networks with malicious software. "
"Match each description with the appropriate risk management method. "
" Explanation: The risk management methods should be matched with the descriptions in the following manner: Acceptance - Deciding to bear the cost of a potential risk Avoidance - Deciding to no longer employ the actions associated with a particular risk Deterrence - Discouraging certain actions from being taken to protect against risk Mitigation - Taking steps to reduce risk Transference - Sharing the burden of a potential risk with another entity "
"Which audit events could be monitored to improve user accountability? (Choose all that apply.) file creation logon attempts file modification account modification "
"Answer: logon attempts file modification account modification Explanation: You should monitor logon attempts, file modification events, and account modification events to improve user accountability. According to the principle of accountability, significant events should be traceable to an individual. What constitutes a significant event depends on the nature of the data and the security policy of the network. This individual accountability revolves around the use of unique IDs, access rules, and audit trails. You do not need to monitor file creation. Audit logging is the process of keeping track of significant user actions. Actions that should be monitored are usually determined by the company and are dependent on the business circumstances. You should also monitor the use of administration utilities, functions performed, and commands initiated. It is important that a company determine an audit policy that will provide maximum protection while minimizing the effect on system resources. Reviewing routine security audits is an example of a detective control. "
"According to your organization's data backup policy, you must keep track of the number and location of backup versions of the organization's data. What is the main purpose of this activity? to restrict access to the backup versions to create an audit trail to ensure proper disposal of information to demonstrate due diligence "
"Answer: to ensure proper disposal of information Explanation: The main purpose of keeping track of the number and location of backup versions is to ensure proper disposal of information. To restrict access to the backup version, you should implement the appropriate access and physical controls. To create an audit trail, you should enable event or audit logging. To demonstrate due diligence, you need to retain event and audit logs. "
"What is meant by MTBF? the estimated amount of time that a piece of equipment will be used before it should be replaced the estimated amount of time that it will take to repair a piece of equipment when failure occurs the estimated amount of time that a piece of equipment should remain operational before failure the estimated amount of time that it will take to replace a piece of equipment "
" Answer: the estimated amount of time that a piece of equipment should remain operational before failure Explanation: The mean time between failures (MTBF) is the estimated amount of time that a piece of equipment should remain operational before failure. The MTBF is usually supplied by the hardware vendor or a third party. MTBF can also be referred to as mean time to failure (MTTF). The mean time to repair (MTTR) is the amount of time that it will take to repair a piece of equipment when failure occurs. None of the other options is correct."
"What is covered by the last step of a business continuity plan? testing the plan analyzing risks updating the plan training personnel "
"Answer: updating the plan Explanation: The last step of a business continuity plan is concerned with updating the plan. A business continuity plan is a living document that requires regular updates. If the plan is not maintained properly, the organization will be unable to recover from a disaster. Testing the plan and training personnel is the next to last step in the business continuity plan. This step ensures that the plan works and personnel understand how to implement it. Analyzing risks is part of the Business Impact Analysis (BIA), which is the second step of a business continuity plan. Performing a risk assessment will help you to identify the risks. The steps in the business continuity planning process are as follows: Develop the business continuity planning policy statement. Conduct the business impact analysis (BIA). Identify preventative controls. Develop the recovery strategies. Develop the contingency plans. Test the plan, and train the users. Maintain the plan. "
"What is typically part of an information policy? classification of information authentication acceptable use employee termination procedure "
"Answer: classification of information Explanation: Classification of information is typically part of an information policy. A company usually has at least two information classifications: public and proprietary. Public information can be revealed to the public, and proprietary information can only be shared with individuals who have signed a non-disclosure agreement. Some companies also use the restricted classification. Only a small group of individuals within a company can gain access to restricted information. The cornerstone of a well-defined information policy is to limit individual access to that information which the individual 'needs to know' to perform required functions. Authentication is typically part of a company's security policy. Acceptable use is typically part of a company's computer use policy. An acceptable use policy typically stipulates that company employees use computers and other equipment only for purposes of completing company projects. An employee termination procedure is typically part of a company's management policies, which also include new employee and transferred employee procedures. Termination procedures should include disabling a user's network access account no later than the end of the last day of the employee's relationship with the company. Because a network is vulnerable to attack by employees who are being terminated, most companies do not provide advanced notice to terminated employees. It is also a common practice to provide an escort for the terminated employee from the time they are informed of termination until the time they leave company facilities. This practice limits the possibility that the person will damage company equipment or harm other personnel. 
If two companies have a contract where company A outsources its proprietary business processes to company B, it would violate data ownership and non-disclosure agreements (NDAs) for company B to send some of company A's data to a third party for problem resolution. Company B would need to verify the NDA and contact company A to negotiate any permissions necessary. "
" You discover that an investigator made some mistakes during a recent forensic investigation. You need to ensure that the investigator follows the appropriate process for the collection, analysis, and preservation of evidence. Which term should you use for this process? law procedure evidence chain chain of custody incident handling "
" Answer: chain of custody Explanation: Chain of custody refers to strict and organized formal procedures in accordance with the law and the legal regulations governing the collection, analysis, and preservation of the evidence before the evidence is produced in a court of law. In computer crimes, most of the evidence is electronic in nature and is referred to as hearsay evidence. Therefore, it is important that a clearly defined chain of custody be established to ensure the reliability and the integrity of the evidence and to make the evidence admissible in court. Chain of custody assists in identifying whether a system was properly handled during transport. Chain of custody guarantees the identity and integrity of the evidence from the collection stage to its presentation in the court of law. The following procedure is used to establish a chain of custody for evidence submission in a court: The evidence should be collected in the predefined manner by following strict and formal procedures and stating the names of people who secured the evidence and validated it. The evidence should be marked by the investigating officer by mentioning the date, the time, and the respective case number. The evidence is sealed in a container, and the container is again marked with the same information. Writing the information on the seal is preferred because it is easier to detect any change to the evidence by examining either the broken or the tampered seal. The location of the evidence is also documented. The evidence is processed and analyzed by technical experts. Logs are maintained mentioning people who accessed the information, the time at which the information was accessed, and the reasons for accessing the information. The prosecuting lawyer presents the evidence in the court of law to implicate the suspect. Chain of custody applies to forensic image retention in that the chain of custody provides documentation as to who handled the evidence. 
When performing routine forensic procedures, you should ensure that the following incident response procedures are followed: Follow order of volatility rules. - All data is volatile. More rapidly changing information should be preserved first, in this order: 1) registers, peripheral memory, caches, 2) main memory, 3) network state, 4) running processes, 5) disk, 6) floppies and backup media, and 7) CD-ROMs, DVDs, and printouts. Capture a system image. - Ensure that appropriate forensic hashes are taken of the disk both before and after the image is taken and of the image itself. Get copies of both a network traffic capture and logs. Ensure that the correct record time offset is obtained to ensure that any recordings can be calibrated together. Take hashes of all files and images. Record the appropriate screenshots. Record any witnesses, including contact information. Keep track of the man-hours and expenses involved in the forensic process. Obtain and preserve any video capture that exists, including computer video and CCTV. Perform big data analysis. - It is vital that your organization's data is not corrupted. For this purpose, you need software in place to help you analyze the data. Remember, your organization is responsible for protecting the data. During any breach or security-related event, it is important to ensure that damage and loss control is a primary concern during the incident response. For this reason, a damage and loss control plan should be developed to ensure that further damage is not caused or allowed during an incident response. A first responder should be identified for each type of incident to ensure that proper procedures are followed. This first responder should be familiar with all incident response plans. Remember in incident response that you must consider the incident time offsets. 
For example, if the incident response team has received an e-mail alert saying that a certain event occurred, it usually gives the IP address where the attack occurred and the time of the occurrence. Then, when the team analyzes the log for the affected computer, they might not be able to determine the offender if they do not factor in incident time offsets. In most server logs, you may only get login and logout entries. You will then need to use the login and logout times to determine who was logged in to the server at the time the incident occurred. This will at least give the team a starting point for determining who the attacker was. "
"In the context of backup media, what is meant by the term retention time? the amount of time a tape takes to back up the data the amount of time a tape is stored before its data is overwritten the amount of time a tape is used before being destroyed the amount of time a tape takes to restore the data "
"Answer: the amount of time a tape is stored before its data is overwritten Explanation: The retention time is the amount of time a tape is stored before its data is overwritten. The longer the retention time, the more media sets will be needed for backup purposes. A longer retention time will give you more flexibility for restoration. The backup time is the amount of time a tape takes to back up the data. It is based on the speed of the device and the amount of data being backed up. The life of a tape is the amount of time a tape is used before being destroyed. The life of a tape is based on the amount of time it is used. Most vendors provide an estimate on backup media life. The restoration time is the amount of time a tape takes to restore the data. It is based on the speed of the device, the amount of data being restored, and the type of backups used. When selecting backup devices and media, you should consider the physical characteristics or type of the drive. The type of the drive includes the media type, capacity, and speed. You should also consider the rotation scheme. The rotation scheme includes the frequency of backups and the tape retention time. "
"During a forensic investigation, you are asked to make a copy of the contents of a hard drive. You need to ensure that this evidence can be used in court if needed. Which statement is true of disk imaging in this investigation? The original copy of the disk should be used. The content of the memory should not be dumped. A bit-level copy of the disk assists in the forensic investigation. A byte-level copy of the disk assists in the forensic investigation."
" Answer: A bit-level copy of the disk assists in the forensic investigation. Explanation: A bit-level copy of the original disk proves helpful in the forensic investigation. A bit-level copy of a hard disk refers to making a copy at the sector level to cover every part of the area that can store user data, such as slack space and free space. When creating a copy of the original disk, you should also perform a forensic hashing of the disk contents, both before and after the copy is made. In addition, a forensic hashing of the image itself should be performed. By doing so, you can ensure that the image remains intact by comparing the hash values that are generated. A byte-level copy of the hard disk is not preferred for forensic analysis after an incident has occurred. A byte-level copy initiates the forensic imaging of the attacked workstation. To ensure the integrity of the evidence, the forensic investigation is not performed on the actual system. The system is taken offline by disconnecting it from the network, dumping the contents of the memory, and powering down the system. A backup copy of the system is taken, and this backup copy is used for investigation purposes. The output from the forensic imaging software should be directed towards a small computer system interface (SCSI) drive or some other media that is external to the system being investigated. This is done to initiate the forensic imaging of the attacked workstation. Changes made to the system, such as changing the file timestamps and modifying the files, can destroy the evidence. Therefore, skilled personnel should perform the forensic investigation to ensure that the evidence is unharmed and uncorrupted. "
"Your company has recently started adopting formal security policies to comply with several state regulations. One of the security policies states that certain hardware is vital to the organization. As part of this security policy, you must ensure that you have the required number of components plus one extra to plug into any system in case of failure. Which strategy is this policy demonstrating? clustering fault tolerance cold site server redundancy "
" Answer: fault tolerance Explanation: Fault tolerance ensures that you have the required number of components plus one extra to plug into any system in case of failure. Clustering is the process of providing failover capabilities for servers by using multiple servers together. A cluster consists of several servers providing the same services. If one server in the cluster fails, the other servers will continue to operate. A cold site for disaster recovery includes a basic room with raised flooring, electrical wiring, air conditioning, and telecommunications lines. To properly test disaster recovery procedures at the cold site, alternate telecommunications and computer equipment would need to be set up and configured. Server redundancy ensures that each server has another server that can operate in its place should the original server fail. Clustering is a form of server redundancy. "