Simply learn Test 3


Interface testing could involve all of the following, except _______. SELECT THE CORRECT ANSWER Application Programming Interface (API) Graphical User Interface (GUI) Physical interface Dashboard interface

Dashboard interface

Data classification decisions are best made by ___________. SELECT THE CORRECT ANSWER Data custodian Data owners Senior management Data steward

Data owners

Why does an enterprise need to reevaluate the classification of data files and records at least on an annual basis? SELECT THE CORRECT ANSWER To comply with the ISO/IEC 27001 policy To protect the confidentiality of the data Because new threats must be mitigated Because the value of data changes over time

Because the value of data changes over time

Which of the following, if important to the cloud customer or required by regulation, is something that must be addressed by a contract, apart from an SLA, to ensure compliance? SELECT THE CORRECT ANSWER Certifications Availability Incident management Elasticity

Certifications

If an attack uses a combination of brute force and dictionary entries to crack a password, then such an attack is called a _________. SELECT THE CORRECT ANSWER Replay attack Password attack Session hijack Hybrid attack

Hybrid attack

When Alice gets transferred to a different department and role, why would an administrator need to remove her privileges? SELECT THE CORRECT ANSWER To eliminate single points of failure To avoid sequential access processes To prevent race conditions To avoid authorization creep

To avoid authorization creep

What type of action does encapsulation provide? SELECT THE CORRECT ANSWER Ensures perfect forward secrecy with IPsec Places one type of packet inside another Provides data integrity Provides encryption and VPNs

Places one type of packet inside another

The software escrow is intended to mitigate which of the following risks? SELECT THE CORRECT ANSWER In case the software vendor performs poorly In case the software developer goes out of business In case the original source code becomes infected or corrupted In case a transaction fails, and the system must roll back to a known good state

In case the software developer goes out of business

Which cloud model makes the cloud customer responsible for the physical environment? SELECT THE CORRECT ANSWER IaaS PaaS SaaS None

None

Which of the following is one of the MOST effective ways to prevent cross-site scripting (XSS) flaws in software applications? SELECT THE CORRECT ANSWER Use digital certificates to authenticate a server prior to sending data Verify access rights before allowing access to protected information and UI controls Use security policies and procedures to define and implement proper security settings Validate and escape all information sent to a server

Validate and escape all information sent to a server

What is the client source port of a secure web communication? SELECT THE CORRECT ANSWER 80 443 8080 A dynamic port

A dynamic port

Auditing seeks to record all of the following except: SELECT THE CORRECT ANSWER code review processes standards policies

code review

A good supplemental control for weak separation of duties is SELECT THE CORRECT ANSWER Intrusion detection Biometrics Auditing Training

Auditing

An online portal requires a fast read performance with data redundancy. Which RAID configuration is the BEST suited? SELECT THE CORRECT ANSWER RAID 0 RAID 1 RAID 3 RAID 5

RAID 1

Which document will enforce uptime and availability requirements between the cloud customer and the cloud provider? SELECT THE CORRECT ANSWER Contract Operational level agreement Service level agreement Regulation

Service level agreement

John recently ran a network port scan of a web server running in his organization's DMZ network. He ran the scan from an external network to get an attacker's perspective on the scan. Which one of the following results is the GREATEST cause for alarm? SELECT THE CORRECT ANSWER 22/open 80/open 443/open 3306/open

3306/open

The following cryptography algorithms were considered by NIST to become the new Advanced Encryption Standard (AES), EXCEPT ________. SELECT THE CORRECT ANSWER RC6 Twofish Serpent 3DES

3DES

Which of the following is NOT a characteristic of IPv6? SELECT THE CORRECT ANSWER Fixed size header DHCP and NAT not required 128 hexadecimal numbers In-built IPsec support

128 hexadecimal numbers

Which of the following is NOT an acceptable option for key distribution? SELECT THE CORRECT ANSWER
A can select a key and physically deliver it to B
A third party can select the key and physically deliver it to both A and B
A can transmit the new key to B encrypting it using the recently used key
A can transmit the new key to B encrypting it using the private key of A

A can transmit the new key to B encrypting it using the private key of A

The FINAL output of a business impact analysis is _________. SELECT THE CORRECT ANSWER A prioritized list of critical data A prioritized list of sensitive systems The recommendation for alternate processing The scope of the business continuity plan

A prioritized list of critical data

Which of the following correctly describes a nonce? SELECT THE CORRECT ANSWER A randomly generated value appended to a password before hashing A randomly generated value that can be used only once A crypto algorithm where hash of a plaintext is encrypted with a random key A crypto algorithm where plaintext is combined with a random key

A randomly generated value that can be used only once

Which of the following best describes a bastion host? SELECT THE CORRECT ANSWER A system that has been hardened against attack A system that uses a default deny rule A system that has two or more network interfaces A system that replaces private IP addresses with public IP addresses as the packet exits the private network

A system that has been hardened against attack

Agreeing to an "AS-IS" disclaimer clause before installing software is an example of risk ________. SELECT THE CORRECT ANSWER Acceptance Avoidance Transference Mitigation

Acceptance

Identify the correct order of (ISC)2 Code of Ethics canons: SELECT THE CORRECT ANSWER
Protect society, the common good, necessary public trust and confidence, and the infrastructure; Advance and protect the profession; Act honorably, honestly, justly, responsibly, and legally; Provide diligent and competent service to principals
Protect society, the common good, necessary public trust and confidence, and the infrastructure; Provide diligent and competent service to principals; Act honorably, honestly, justly, responsibly, and legally; Advance and protect the profession
Act honorably, honestly, justly, responsibly, and legally; Provide diligent and competent service to principals; Protect society, the common good, necessary public trust and confidence, and the infrastructure; Advance and protect the profession
Advance and protect the profession; Act honorably, honestly, justly, responsibly, and legally; Protect society, the common good, necessary public trust and confidence, and the infrastructure; Provide diligent and competent service to principals

Act honorably, honestly, justly, responsibly, and legally; Provide diligent and competent service to principals; Protect society, the common good, necessary public trust and confidence, and the infrastructure; Advance and protect the profession

Senior management has decided that every employee must undergo security awareness training at least once every year. Under which security control category and control type does this security training fall? SELECT THE CORRECT ANSWER Technical/Preventive Administrative/Preventive Technical/Deterrent Administrative/Deterrent

Administrative/Preventive

Which of the following BEST describes a certificate authority (CA)? SELECT THE CORRECT ANSWER An organization that issues private keys An organization that validates encryption processes An organization that verifies encryption keys An organization that verifies certificates

An organization that verifies certificates

Assembly code is converted into executable machine code by a utility program referred to as a/an ________. SELECT THE CORRECT ANSWER Interpreter Compiler Assembler Converter

Assembler

Identify the proper sequence of steps carried out when assessing the security of acquired software: SELECT THE CORRECT ANSWER
Vulnerability test, penetration test, code review, assessment of vendor
Assessment of vendor, code review, vulnerability test, penetration test
Vulnerability test, penetration test, assessment of vendor, code review
Assessment of vendor, vulnerability test, penetration test, code review

Assessment of vendor, code review, vulnerability test, penetration test

Nutriworld Inc. runs a web application that processes e-commerce orders and handles credit card transactions for which it is compliant with Payment Card Industry Data Security Standard (PCI DSS). The company recently performed a web vulnerability scan of the application, and it had no unsatisfactory findings. How often must Nutriworld Inc. rescan the application? SELECT THE CORRECT ANSWER Only if the application changes At least monthly At the time of PCI DSS certificate renewal At least annually

At least annually

When should a project's security measures be addressed FIRST? SELECT THE CORRECT ANSWER At the initial stage of the project Only after security issues are exploited After the initial project design is done When the functional specifications are being written

At the initial stage of the project

Security awareness, training, and education can help change user mindset and behavior toward information security, thereby making them a more effective security defense in an organization. Which of the following correctly describes the characteristics of a security awareness program? SELECT THE CORRECT ANSWER
Attribute: why, Level: insight, Objective: understanding, Impact: long-term
Attribute: how, Level: knowledge, Objective: skills, Impact: intermediate
Attribute: what, Level: information, Objective: exposure, Impact: short-term
Attribute: who, Level: observation, Objective: mastery, Impact: life-time

Attribute: what, Level: information, Objective: exposure, Impact: short-term

What security service does a digital certificate provide in a public key infrastructure (PKI)? SELECT THE CORRECT ANSWER Authorization Auditing Authentication Availability

Authentication

In a SaaS model, who is responsible for financial loss due to a data breach? SELECT THE CORRECT ANSWER Difficult to determine Cloud provider Cloud customer Both the cloud provider and the cloud customer

Both the cloud provider and the cloud customer

Reliable electricity is critical for any data center and is one of the top priorities when selecting, building, and designing a site. Which of the following provides correct definitions of some of the common types of electrical faults? SELECT THE CORRECT ANSWER
Blackout: prolonged low voltage; Brownout: prolonged loss of power; Fault: temporary low voltage; Surge: prolonged high voltage; Spike: temporary high voltage; Sag: short loss of power
Blackout: prolonged high voltage; Brownout: prolonged low voltage; Fault: short loss of power; Surge: temporary high voltage; Spike: prolonged loss of power; Sag: temporary low voltage
Blackout: prolonged loss of power; Brownout: temporary low voltage; Fault: prolonged low voltage; Surge: prolonged high voltage; Spike: temporary high voltage; Sag: short loss of power
Blackout: prolonged loss of power; Brownout: prolonged low voltage; Fault: short loss of power; Surge: prolonged high voltage; Spike: temporary high voltage; Sag: temporary low voltage

Blackout: prolonged loss of power; Brownout: prolonged low voltage; Fault: short loss of power; Surge: prolonged high voltage; Spike: temporary high voltage; Sag: temporary low voltage

One-time pads have been used throughout history to protect extremely sensitive communications. What is the MAJOR issue in the widespread use of a one-time pad? SELECT THE CORRECT ANSWER Weak encryption Susceptible to man-in-the-middle attack Extensive training required for both the sender and the receiver Both the sender and the receiver must have an identical pad

Both the sender and the receiver must have an identical pad

What is the MOST effective defense against buffer overflow attack? SELECT THE CORRECT ANSWER Output encoding Bounds checking Garbage collection Sandboxing

Bounds checking

An accounting system ignores login failures until an account has three login failures. It then disables the login functionality for 30 minutes. What security mechanism is being implemented in the accounting system? SELECT THE CORRECT ANSWER Account lockout API limit Snipping level Clipping level

Clipping level

Which of the following protocols does not provide the AAA (Authentication, Authorization, and Accounting) functionality? SELECT THE CORRECT ANSWER RADIUS DIAMETER CIRCLE TACACS+

CIRCLE

Wireless is a shared medium in which all the wireless devices (APs and endpoints) share the same air space which could lead to data collisions if more than one device tries to communicate simultaneously. What mechanism is in place in WLAN to make sure there is no collision? SELECT THE CORRECT ANSWER Direct-Sequence Spread Spectrum (DSSS) CSMA/CA (Carrier Sense Multiple Access/Collision Avoidance) Frequency Hopping Spread Spectrum (FHSS) CSMA/CD (Carrier Sense Multiple Access/Collision Detect)

CSMA/CA (Carrier Sense Multiple Access/Collision Avoidance)

Which of the following security controls is most effective against intruders tampering with evidence during an attack? SELECT THE CORRECT ANSWER Chain of custody Intrusion detection systems Antivirus software Centralized logging

Centralized logging

Which of the following disaster recovery sites is the most appropriate if a company requires proprietary or unusual hardware or software? SELECT THE CORRECT ANSWER Hot site Warm site Cold site Mirror site

Cold site

Alice works for an American company that conducts business with customers in the European Union region. What must she do if she is responsible for collecting personally identifiable information (PII) for those customers? SELECT THE CORRECT ANSWER Encrypt data at all times Classify and label the data as per HIPAA guidelines Comply with the GDPR requirements Ensure the usage of DLP solution to prevent data breach

Comply with the GDPR requirements

Identify the commercial data classification levels: SELECT THE CORRECT ANSWER
Secret, confidential, private, public
Confidential, secret, restricted, public
Confidential, private, sensitive, public
Secret, confidential, restricted, public

Confidential, private, sensitive, public

Integrity is dependent on ___________. SELECT THE CORRECT ANSWER Confidentiality Availability Nonrepudiation Accountability

Confidentiality

Which of the following is an important component included in a penetration testing agreement document? SELECT THE CORRECT ANSWER Confidentiality and nondisclosure clause Availability of information clause Integrity of information and systems clause Nonrepudiation of audit actions taken clause

Confidentiality and nondisclosure clause

Assurance is dependent on: SELECT THE CORRECT ANSWER
Confidentiality
Confidentiality, Integrity
Confidentiality, Integrity, Availability
Confidentiality, Integrity, Availability, Accountability

Confidentiality, Integrity, Availability, Accountability

A compromised source code repository could affect the ________ of the source code. SELECT THE CORRECT ANSWER Confidentiality and Integrity Integrity and Availability Confidentiality and Availability Confidentiality, Integrity, and Availability

Confidentiality, Integrity, and Availability

Who is ultimately responsible for the success of company security in the organization? SELECT THE CORRECT ANSWER Everyone in the organization Incident response team IT security manager Corporate management

Corporate management

Identify the proper sequence of the data lifecycle: SELECT THE CORRECT ANSWER
Acquire, use, share, store, archive, destroy
Acquire, store, use, share, destroy, archive
Create, store, use, share, destroy, archive
Create, store, use, share, archive, destroy

Create, store, use, share, archive, destroy

Which of the following statements is INCORRECT regarding backups? SELECT THE CORRECT ANSWER Mixing differential and incremental backups could cause files to be missed Full backups simplify the backup and restore process Critical data should be backed up and stored only at an offsite location Archive bit set to 1 indicates that the file has been recently created or modified and needs to be backed up

Critical data should be backed up and stored only at an offsite location

Which of the following is LEAST likely to be found in a DMZ (demilitarized zone)? SELECT THE CORRECT ANSWER Honeypot Webserver FTP server Domain controllers

Domain controllers

Who is generally associated with the following roles: Project manager, Application Developer, IT specialist, and Database administrator? SELECT THE CORRECT ANSWER Data owner Data administrator Data custodian Security administrator

Data custodian

Data that remains after erasing or formatting the media is known as: SELECT THE CORRECT ANSWER Purged data Data remanence Residual data Media sanitization

Data remanence

Bob is evaluating a SaaS financial application for his organization. The application meets all of his functional requirements but is hosted in another country. What is the PRIMARY concern that Bob has regarding this application? SELECT THE CORRECT ANSWER Currency format is not supported by an application from another country Data residency is in another country Customization is not supported by SaaS application SaaS applications are prone to injection and XSS attacks

Data residency is in another country

Identify the proper phases of the equipment lifecycle: SELECT THE CORRECT ANSWER
Defining requirements, acquiring and implementing, operations and recommission, maintenance and disposal
Defining requirements, acquiring and implementing, operations and maintenance, disposal and decommission
Defining requirements, acquiring and implementing, operations and decommission, decomposition and disposal
Defining requirements, acquiring and implementing, operations and decommission, maintenance and decomposition

Defining requirements, acquiring and implementing, operations and maintenance, disposal and decommission

Which of the following water sprinkler systems is MOST appropriate when large volumes of water must be discharged to contain a fire? SELECT THE CORRECT ANSWER Wet pipe Dry pipe Pre-action Deluge

Deluge

The Ping of death is an example of which one of the following? SELECT THE CORRECT ANSWER Denial-of-service attack Protocol manipulation attack Man-in-the-middle attack Spoofing attack

Denial-of-service attack

What is the PRIMARY purpose of displaying the last successful login time? SELECT THE CORRECT ANSWER Detect compromised account Prevent compromise of account Deter compromise of account Recover compromised account

Detect compromised account

What type of control is an audit trail? SELECT THE CORRECT ANSWER Preventive control Corrective control Detective control Deterrent control

Detective control

If one plaintext bit is changed in a strong block cipher, it will change every ciphertext bit with the probability of 50 percent. This property of a secure cipher is known as _________. SELECT THE CORRECT ANSWER Confusion Diffusion Substitution Transposition

Diffusion

Access control for proprietary distributable content is best protected using _________. SELECT THE CORRECT ANSWER Digital signatures Digital certificates Digital rights management Data loss prevention

Digital rights management

Which of the following actions is the MOST appropriate when an employee leaves the company? SELECT THE CORRECT ANSWER Delete the user's account as soon as possible Disable the user's account as soon as possible Modify the user's password as soon as possible Modify the user's permissions as soon as possible

Disable the user's account as soon as possible

STRIDE is a model of threats often used to assess threats against applications or operating systems. Which of the following is not an element of STRIDE? SELECT THE CORRECT ANSWER Spoofing Tampering Repudiation Disclosure

Disclosure

What are the opposites of Confidentiality, Integrity, and Availability? SELECT THE CORRECT ANSWER
Compromise, Inaccuracy, and Denial of service
Data Breach, Data Diddling, and Data Loss
Disclosure, Alteration, and Destruction
Sensitive, Classified, and Critical

Disclosure, Alteration, and Destruction

Identify the proper sequence of steps during a penetration test: SELECT THE CORRECT ANSWER
Discovery, exploitation, vulnerability mapping, enumeration, report to management
Discovery, enumeration, vulnerability mapping, exploitation, report to management
Discovery, enumeration, exploitation, vulnerability mapping, report to management
Discovery, vulnerability mapping, exploitation, enumeration, report to management

Discovery, enumeration, vulnerability mapping, exploitation, report to management

Which of the following would be used and controlled by the user in the setting of access levels on objects that they control? SELECT THE CORRECT ANSWER Mandatory access control (MAC) Discretionary access control (DAC) Role-based access control (RBAC) Attribute-based access control (ABAC)

Discretionary access control (DAC)

Identify the proper sequence of steps required to establish governance documents in an organization: SELECT THE CORRECT ANSWER
Establish security program and plan, create policies, establish procedures, adopt standards
Establish security program and plan, create policies, adopt standards, establish procedures
Create policies, establish security program and plan, adopt standards, establish procedures
Create policies, establish security program and plan, establish procedures, adopt standards

Establish security program and plan, create policies, adopt standards, establish procedures

Identify the correct match for the following IEEE 802 standards: SELECT THE CORRECT ANSWER
Ethernet: 802.2, Wireless: 802.11, Bluetooth: 802.14, WiMax: 802.15
Ethernet: 802.3, Wireless: 802.11, Bluetooth: 802.14, WiMax: 802.15
Ethernet: 802.3, Wireless: 802.11, Bluetooth: 802.15, WiMax: 802.16
Ethernet: 802.2, Wireless: 802.11, Bluetooth: 802.15, WiMax: 802.16

Ethernet: 802.3, Wireless: 802.11, Bluetooth: 802.15, WiMax: 802.16

The overall risk from supply chains has risen significantly in the last quarter. What should be done NEXT? SELECT THE CORRECT ANSWER Examine each supply chain risk, and address those that have increased Review the supply chain risk management policy Terminate all supply chain contracts Redesign questionnaires used to assess supply chains

Examine each supply chain risk, and address those that have increased

What are the MAJOR issues that must be addressed while configuring a data loss prevention (DLP) solution? SELECT THE CORRECT ANSWER True positive and true negative False positive and false negative True positive and false positive False positive and true negative

False positive and false negative

What is the most common and inexpensive form of perimeter security devices or mechanisms designed and installed to keep intruders out? SELECT THE CORRECT ANSWER Walls Fences Bollards Mantraps

Fences

Which of the following media types provides the best protection against electromagnetic emanations? SELECT THE CORRECT ANSWER Coax Shielded twisted pair (STP) Unshielded twisted pair (UTP) Fiber optic

Fiber optic

Which of the following is NOT an element to consider during data policy creation? SELECT THE CORRECT ANSWER Future laws Policies and processes Privacy Cost

Future laws

Which of the following would be the LEAST beneficial reason to consider a cloud platform as a BCDR solution? SELECT THE CORRECT ANSWER Metered service costs Broad network access Hardware ownership Virtual host replication

Hardware ownership

Bob has been asked to testify in court regarding a recent cyber attack on the company's website. His best friend Alice had told him in confidence that she had seen Charlie, one of their colleagues, commit this crime. The testimonial evidence provided by Bob would be considered ___________. SELECT THE CORRECT ANSWER Best evidence Direct evidence Hearsay evidence Corroborative evidence

Hearsay evidence

Which of the following is TRUE for using HVAC inside a data center? SELECT THE CORRECT ANSWER
High humidity causes temperature increase, and low humidity causes power fluctuations
High humidity causes corrosion, and low humidity causes static electricity
High humidity causes power fluctuations, and low humidity causes temperature increase
High humidity causes static electricity, and low humidity causes power corrosion

High humidity causes corrosion, and low humidity causes static electricity

What is the MOST important goal of all security solutions? SELECT THE CORRECT ANSWER Maintaining integrity Preventing unauthorized disclosure Sustaining availability Human safety

Human safety

Which cloud hosting model would be the most appropriate for a company looking to leverage multiple cloud providers for disaster recovery or load bursts? SELECT THE CORRECT ANSWER Public cloud Private cloud Hybrid cloud Community cloud

Hybrid cloud

Which of the following is an example of a half-duplex communication? SELECT THE CORRECT ANSWER IEEE 802.11 VoIP (Voice over Internet Protocol) IEEE 802.3 Television

IEEE 802.11

Which of the following is true about IPsec? SELECT THE CORRECT ANSWER IPsec always provides confidentiality IPsec operates at the TCP/IP Internet layer AH and ESP cannot be used together in an IPsec VPN configuration IPsec support is mandatory for both IPv4 and IPv6

IPsec operates at the TCP/IP Internet layer

Which of the following is the MOST widely accepted approach to IT service management in the world? SELECT THE CORRECT ANSWER ISO/IEC 20001 ITIL (Information Technology Infrastructure Library) COBIT (Control Objectives for Information and Related Technologies) NIST SP 800-35

ITIL (Information Technology Infrastructure Library)

Identify the proper sequence of steps that are carried out during threat modeling: SELECT THE CORRECT ANSWER
Identify assets, describe architecture, decompose application, identify threats, document threats, rate threats
Identify assets, decompose application, describe architecture, identify threats, rate threats, document threats
Describe architecture, decompose application, identify assets, identify threats, document threats, rate threats
Identify assets, decompose application, describe architecture, document threats, identify threats, rate threats

Identify assets, describe architecture, decompose application, identify threats, document threats, rate threats

What are the two components of a federated identity system? SELECT THE CORRECT ANSWER Service provider and relying party LDAP and web server Identity provider and relying party Kerberos and SSO

Identity provider and relying party

Which is the MOST important reason for the removal of unused and unnecessary usernames, protocols, services, and applications from a system? SELECT THE CORRECT ANSWER Increased performance Increased security Reduced administrative overhead Reduced system workload

Increased security

SSH is intended to provide confidentiality and __________ of the data being passed between the client and the host. SELECT THE CORRECT ANSWER Integrity Availability Accountability Speed

Integrity

The resiliency of software to withstand attacks that attempt to modify or alter data in an unauthorized manner is referred to as: SELECT THE CORRECT ANSWER Confidentiality Integrity Availability Nonrepudiation

Integrity

Which of the following components of an IPsec connection is responsible for authenticating and establishing security associations? SELECT THE CORRECT ANSWER Authentication Header (AH) Encapsulating Security Payload (ESP) Internet Key Exchange (IKE) Diffie-Hellman Key Exchange

Internet Key Exchange (IKE)

Which of the following is an essential trait of a well-designed security test? SELECT THE CORRECT ANSWER Requires penetration testing Is documented and repeatable Relies exclusively on automated tools Forgoes the need to analyze the results

Is documented and repeatable

Which of the following is NOT true of a Kerberos implementation? SELECT THE CORRECT ANSWER
It can be used to authorize network services
It relies on symmetric-key cryptography
It maintains a centralized server
The Kerberos server is a single point of compromise

It can be used to authorize network services

Which of the following BEST describes centralized access control? SELECT THE CORRECT ANSWER
It's designed for network equipment only
It's implemented closest to the resources it is designed to protect
It's designed to consider and accept business partner authentication tokens
It implements authentication, authorization, and accounting

It implements authentication, authorization, and accounting

Which of the following is FALSE regarding a digital signature? SELECT THE CORRECT ANSWER
It does not provide confidentiality services
It has more legal significance than a physical signature in many countries
It prevents unauthorized modifications of files
It uses only asymmetric cryptography

It prevents unauthorized modifications of files

A bank has set specific metrics to track the progress made in serving the interests of its shareholders, customers, and employees. These specific metrics are known as __________. SELECT THE CORRECT ANSWER Key Risk Indicators (KRI) Key Result Area (KRA) Key Performance Indicators (KPI) Key Performance Area (KPA)

Key Performance Indicators (KPI)

What are the key lengths and the block lengths supported by the Rijndael algorithm in AES (Advanced Encryption Standard)? SELECT THE CORRECT ANSWER
Key length: 128, 192, 256 bits; Block length: 128 bits
Key length: 128, 192, 256 bits; Block length: 128, 192, 256 bits
Key length: 64, 128, 192, 256 bits; Block length: 128 bits
Key length: 128, 192, 256, 512 bits; Block length: 128, 192, 256, 512 bits

Key length: 128, 192, 256 bits; Block length: 128 bits

The best practices for cryptographic keys include all, except that _________ SELECT THE CORRECT ANSWER Keys need to be generated randomly Keys must never be destroyed Keys must be stored securely Keys must be long enough

Keys must never be destroyed

Alice is a cryptanalyst and has access to the plaintext and corresponding ciphertext of several messages, which have been encrypted using the same algorithm. Her goal is to discover the keys used in the encryption process and use them to decrypt other ciphertexts. What type of attack is Alice engaging in? SELECT THE CORRECT ANSWER Ciphertext only Known-plaintext Chosen-plaintext Chosen-ciphertext

Known-plaintext

Which of the following is TRUE regarding Lightweight Directory Access Protocol (LDAP)? SELECT THE CORRECT ANSWER X.500 is based on LDAP LDAP uses the ubiquitous TCP/IP protocol LDAP is proprietary to Microsoft LDAP is designed to authenticate only human beings

LDAP uses the ubiquitous TCP/IP protocol

What term describes the statistical appraisal of the functional lifetime of a system or device? SELECT THE CORRECT ANSWER Maximum tolerable downtime Mean time to repair Mean time to fail Mean time between failures

Mean time between failures

What kind of virus is most commonly found embedded in documents or inserted as malicious code into word processing programs? SELECT THE CORRECT ANSWER Multipartite virus Polymorphic virus Macro virus Stealth virus

Macro virus

Who is the PRIMARY audience of a security assessment report? SELECT THE CORRECT ANSWER Management Security auditor Security professional Customers

Management

Which of the following will help identify sensitive information, whether electronic or hard copy? SELECT THE CORRECT ANSWER Marking Steganography Digital watermark Barcode

Marking

Alice is testing accounting software, and part of her testing process requires her to deliberately input invalid data. What type of test is Alice conducting? SELECT THE CORRECT ANSWER Improper testing Invalid testing Misuse case testing Use case testing

Misuse case testing

In the Bell-LaPadula model, what does the * (star) property rule mean? SELECT THE CORRECT ANSWER No Read Up No Write Down No Read Down No Write Up

No Write Down

Which one of the following disaster recovery tests takes the maximum time without disrupting the primary systems? SELECT THE CORRECT ANSWER Checklist review Table-top exercise Cutover test Parallel test

Parallel test

The key to a successful security program is the integration of: SELECT THE CORRECT ANSWER Administrative, logical, and physical controls Confidentiality, integrity, and availability Encryption, authorization, and training People, processes, and technology

People, processes, and technology

What is the BEST way to determine whether specific controls are effective? SELECT THE CORRECT ANSWER Perform risk assessment on the controls and related activities Review the incident remediation report Review control design documents Perform fuzzy and regression testing on the controls

Perform risk assessment on the controls and related activities

When using penetration testing to verify the strength of your security policy, which of the following is NOT recommended? SELECT THE CORRECT ANSWER Emulating same methods used by attackers Performing attacks without management consent Using manual and automated testing tools Performing tests on physical security as well as personnel security

Performing attacks without management consent

A document that is used to communicate and mandate organizational and management goals and objectives at a high level is a ___________. SELECT THE CORRECT ANSWER Policy Standard Guideline Baseline

Policy

The pen-test team has just concluded the penetration testing process on an e-commerce website. They have identified several security issues in the application which could lead to a customer's private information being leaked publicly. What is the next best step? SELECT THE CORRECT ANSWER Fix the vulnerabilities Prepare an executive summary Disclose the vulnerabilities publicly to warn the customers Report the vulnerabilities to the regulatory authorities

Prepare an executive summary

What is the PRIMARY benefit of change management? SELECT THE CORRECT ANSWER Prevent security compromises Keep everyone informed of changes Provide nonrepudiation for the changes Maintain record for the changes

Prevent security compromises

Which cloud deployment model offers the most control and ownership over systems and operations for an organization? SELECT THE CORRECT ANSWER Private Public Community Hybrid

Private

A honeypot is a computer often configured with vulnerabilities which are intended to be exploited by attackers. The following are the benefits of using a honeypot, EXCEPT for: SELECT THE CORRECT ANSWER Determining the intent of hackers Detecting and analyzing zero-day attacks Primarily used for entrapment Keeping the attacker away from a production environment

Primarily used for entrapment

Which security principle helps prevent users from accessing memory spaces assigned to applications being run by other users? SELECT THE CORRECT ANSWER Least privilege Separation of environment Process isolation Reference monitor

Process isolation

Adam is responsible for applying software updates to the production system. What is the LEAST important thing he must ensure before deploying the patches to the server? SELECT THE CORRECT ANSWER Approval to apply the patches Production system is hardened Patches have been thoroughly tested Production system is backed up

Production system is hardened

The PRIMARY objective of software security is to: SELECT THE CORRECT ANSWER Eliminate all risks Protect the confidentiality, integrity, and availability of data Train developers in software security Identify zero-day vulnerabilities before attackers do

Protect the confidentiality, integrity, and availability of data

The PRIMARY reason for incorporating security into the software development life cycle is to _________. SELECT THE CORRECT ANSWER Protect the corporate brand and reputation Prevent unauthorized disclosure of information Protect against hackers who intend to misuse the software Prevent developers from releasing software with security defects

Protect the corporate brand and reputation

Logging captures events, changes, messages, and other data that describe activities that occurred on a system. Which of the following is the MOST important reason for implementing logging? SELECT THE CORRECT ANSWER Preserving data integrity Providing individual accountability Checking data authentication Identifying data owners

Providing individual accountability

Pretty Good Privacy (PGP), which was designed by Phil Zimmermann as a freeware email security program and released in 1991, uses which algorithms? SELECT THE CORRECT ANSWER RSA for key exchange, IDEA for encryption/decryption, and MD5 for message digest RSA for key exchange, AES for encryption/decryption, and MD5 for message digest RSA for key exchange, IDEA for encryption/decryption, and SHA1 for message digest RSA for key exchange, AES for encryption/decryption, and SHA1 for message digest

RSA for key exchange, IDEA for encryption/decryption, and MD5 for message digest

A review of the log audits of an accounting system revealed that an attacker was able to force the authorization step to take place before the authentication step and gain unauthorized access to a resource. This attack is an example of: SELECT THE CORRECT ANSWER Time-of-check/Time-of-use Federated identity Race condition Buffer overflow

Race condition

What type of malware encrypts the files on a device and extorts the user who is trying to obtain the key? SELECT THE CORRECT ANSWER Ransomware Trojan Horse Adware Spyware

Ransomware

Due care is using reasonable care to protect the interests of an organization. What is the PRIMARY reason behind the concept of due care? SELECT THE CORRECT ANSWER Minimizing downtime Eliminating risks Reducing liability Decreasing due diligence overhead

Reducing liability

Which of the following BEST describes the mitigation of data remanence by a degaussing destruction process? SELECT THE CORRECT ANSWER Placing the content of the media inside a Faraday cage to protect against magnetic radiation Erasing the content of the media using purging tools Removing or reducing the magnetic field patterns on conventional disk drives or magnetic tapes Obfuscating the content of the storage by using random values

Removing or reducing the magnetic field patterns on conventional disk drives or magnetic tapes

Identify the correct sequence of steps to be followed in an application software change control process: SELECT THE CORRECT ANSWER Review, approve, request, document, implement Request, review, approve, implement, document Review, request, approve, implement, document Request, approve, review, implement, document

Request, review, approve, implement, document

Which of the following is FALSE regarding sensitive data? SELECT THE CORRECT ANSWER Sensitive data must be clearly marked, properly handled, and securely stored per the organizational policies Regulations contain specific requirements for handling sensitive information Requirements for handling and destroying sensitive data must be consistent for all classification levels Sensitive data must eventually be destroyed whether in hard copy or saved as an electronic file

Requirements for handling and destroying sensitive data must be consistent for all classification levels

Developers have just finished adding a new component allowing users to authenticate to the e-commerce website using an Application Programming Interface (API) for a federated identity solution provided by a third-party provider. What is the next best step? SELECT THE CORRECT ANSWER Merge the component into the main code repository Perform user acceptance testing (UAT) Web server Review the code

Review the code

John has been tasked with the construction of a data center, but the location is in an area highly prone to earthquakes. In order to deal with this risk, he selects a type of building and foundation that is particularly earthquake resistant. This is an example of: SELECT THE CORRECT ANSWER Risk transfer Risk avoidance Risk mitigation Risk acceptance

Risk mitigation

Separation of duties is ideally implemented using __________. SELECT THE CORRECT ANSWER Roles Permissions Rights Rules

Roles

Firewalls typically employ ____________. SELECT THE CORRECT ANSWER Role-based access control (RBAC) Rule-based access control Mandatory access control (MAC) Attribute-based access control (ABAC)

Rule-based access control

What certification would be MOST appropriate to use for financial statement auditing? SELECT THE CORRECT ANSWER NIST SP 800-53 FIPS 140-2 ISO/IEC 27001 SOC 1

SOC 1

What is the MAJOR benefit of using Secure Shell (SSH) over Telnet? SELECT THE CORRECT ANSWER SSH is open source unlike Telnet SSH is faster than Telnet SSH encrypts the session unlike Telnet SSH is less expensive than Telnet

SSH encrypts the session unlike Telnet

A TCP handshake is a three-step method that requires both the client and server to exchange SYN (synchronize) and ACK (acknowledgment) packets before actual data communication begins. Which of the following is the correct order and direction of packets sent during a TCP 3-way handshake? SELECT THE CORRECT ANSWER SYN from server to client, SYN/ACK from client to server, and ACK from server to client ACK from server to client, SYN/ACK from client to server, and SYN from server to client SYN from client to server, ACK from server to client, and SYN/ACK from client to server SYN from client to server, SYN/ACK from server to client, and ACK from client to server

SYN from client to server, SYN/ACK from server to client, and ACK from client to server

Which of the following roles is responsible for implementing and maintaining specific security network devices and software in the enterprise? SELECT THE CORRECT ANSWER Data owner Security administrator Data custodian Network administrator

Security administrator

Which statement among the following describes the need-to-know principle? SELECT THE CORRECT ANSWER Information that can be disclosed unconditionally Confidential information restricted with two-factor authorization Sensitive-but-unclassified information that everyone should know Sensitive information that requires a reason for access

Sensitive information that requires a reason for access

Which security principle mandates that someone other than the developer performs code review? SELECT THE CORRECT ANSWER Need-to-know Job rotation Separation of duties Change management

Separation of duties

Which of the following is the BEST way to protect your organization from revealing sensitive information through dumpster diving? SELECT THE CORRECT ANSWER Create a policy disallowing anyone from performing dumpster diving Install a host-based intrusion detection system (HIDS) Teach employees about social engineering attacks Shred all sensitive documentation

Shred all sensitive documentation

Which of the following is typically not a criterion by which commercial data is classified? SELECT THE CORRECT ANSWER Value of data Age/useful life Regulatory requirements Size of data

Size of data

What security testing technique can best assess training and awareness issues within the organization? SELECT THE CORRECT ANSWER Fuzzing Social engineering Vulnerability scanning Black box testing

Social engineering

What type of cipher is used to encrypt the message in a one-time-pad? SELECT THE CORRECT ANSWER Block transposition cipher Block substitution cipher Stream transposition cipher Stream substitution cipher

Stream substitution cipher

Effective implementation of a security system finds a balance between: SELECT THE CORRECT ANSWER Authentication, authorization, and accounting Confidentiality, integrity, and nonrepudiation System efficiency, security expenses, and information protection Something-you-know, something-you-have, and something-you-are

System efficiency, security expenses, and information protection

Internal audits may be preferred over external audits if ____________. SELECT THE CORRECT ANSWER Regulatory requirements prohibit external audits There is concern over the leakage of confidential information The budget for security testing is limited or nonexistent The risk appetite of the organization is very high

The budget for security testing is limited or nonexistent

Which of the following choices is the MOST important to determine risk appetite? SELECT THE CORRECT ANSWER The organization's risk culture The business strategy The result of business risk analysis (BIA) Prevalence of data breaches in the industry

The organization's risk culture

Which one of the following is NOT normally included in a security assessment? SELECT THE CORRECT ANSWER Vulnerability scan Risk assessment Threat mitigation Threat assessment

Threat mitigation

What is the PRIMARY consideration for implementing enterprise information system security? SELECT THE CORRECT ANSWER To ensure an absolutely secure information system To deploy defenses that are proportionate to the threat To make all employees undergo security training To mitigate all information security risks

To deploy defenses that are proportionate to the threat

The MAIN reason why senior management must endorse a security policy is: SELECT THE CORRECT ANSWER To show their level of commitment towards security To ensure all employees adhere to the policy directives To support the development of documents on standards and procedures To eliminate all risks the organization faces

To show their level of commitment towards security

IPsec implemented in _____________ specifies that only the data payload is encrypted during the transfer. SELECT THE CORRECT ANSWER Tunnel mode Transport mode Transfer mode Gateway mode

Transport mode

Which of the following rates need to be high for a good biometrics system? SELECT THE CORRECT ANSWER True Acceptance Rate (TAR) and True Rejection Rate (TRR) False Acceptance Rate (FAR) and False Rejection Rate (FRR) True Rejection Rate (TRR) and False Acceptance Rate (FAR) False Rejection Rate (FRR) and True Acceptance Rate (TAR)

True Acceptance Rate (TAR) and True Rejection Rate (TRR)

Alice uses a network sniffer to monitor traffic from a RADIUS server configured with default settings. What protocol should she monitor, and what traffic would she be able to read? SELECT THE CORRECT ANSWER TCP, none. All RADIUS traffic is encrypted UDP, none. All RADIUS traffic is encrypted TCP, all traffic except passwords, which are encrypted UDP, all traffic except passwords, which are encrypted

UDP, all traffic except passwords, which are encrypted

A well-designed demilitarized zone (DMZ) prevents: SELECT THE CORRECT ANSWER Direct access to the DMZ from the protected network Access to assets within the DMZ to unauthenticated users Insiders on the protected network from conducting attacks Uncontrolled access to the protected network from outside the DMZ

Uncontrolled access to the protected network from outside the DMZ

In IPsec, a security association (SA) is the establishment of shared security attributes between two network entities to support secure communication. Which values can be used in an SA to provide greater security through confidentiality protection of the data payload? SELECT THE CORRECT ANSWER Use of AES within AH SHA-1 combined with HMAC Using ESP AH and ESP together

Using ESP

When should a Class C fire extinguisher be used instead of a Class A fire extinguisher? SELECT THE CORRECT ANSWER When electrical equipment is on fire When wood and clothes are on fire When a combustible liquid is on fire When cooking oil is on fire

When electrical equipment is on fire

Which of the following is TRUE regarding differential and incremental backups? SELECT THE CORRECT ANSWER Only differential backups begin with a full backup Only incremental backups begin with a full backup Differential backups only back up files modified since the recent differential or full backup was performed Incremental backups only back up files modified since the recent incremental or full backup was performed

Incremental backups only back up files modified since the recent incremental or full backup was performed
