Chapter 5
65. You are the network director and are creating the following year's budget. You submit forensic dollar amounts for the cyber incident response team. Which of the following would you not submit? (Choose two.) A. ALE amounts B. SLE amounts C. Training expenses D. Man-hour expenses
A and B. ALE (annual loss expectancy) is the product of the ARO (annual rate of occurrence) and the SLE (single loss expectancy) and is mathematically expressed as ALE = ARO × SLE. Single loss expectancy is the cost of any single loss and it is mathematically expressed as SLE = AV (asset value) × EF (exposure factor). Options C and D are incorrect. Training expenses and man-hour expenses are valid IT forensic budget items.
43. Zack is a security administrator who has been given permission to run a vulnerability scan on the company's wireless network infrastructure. The results show TCP ports 21 and 23 open on most hosts. What port numbers do these refer to? (Choose two.) A. FTP B. SMTP C. Telnet D. DNS
A and C. FTP (File Transfer Protocol) uses port 21 and Telnet uses port 23. These protocols are considered weak because they are susceptible to eavesdropping, and they are not recommended for use. Option B is incorrect. SMTP (Simple Mail Transfer Protocol) uses port 25. Option D is incorrect. DNS (Domain Name System) uses port 53.
95. In the initial stages of a forensics investigation, Zack, a security administrator, was given the hard drive of the compromised workstation by the incident manager. Which of the following data acquisition procedures would Zack need to perform in order to begin the analysis? (Choose two.) A. Take hashes B. Take screenshots C. Capture the system image D. Start the order of volatility
A and C. Taking hashes of the hard drive will preserve the evidence. If the hash has not been changed, the data hasn't changed. Capturing the system image involves making an exact image of the drive so that it can be referenced later in the investigation. Option B is incorrect. Taking screenshots gives an investigator a useful way to collect information on a computer screen. This will allow the investigator to reproduce what happened on the screen. Option D is incorrect. Order of volatility represents the order in which you should collect evidence. In general terms, evidence should be collected starting with the most volatile and moving to the least volatile. Volatile means data is not permanent.
82. Recently, company data that was sent over the Internet was intercepted and read by hackers. This damaged the company's reputation with its customers. You have been asked to implement a policy that will protect against these attacks. Which of the following options would you choose to help protect data that is sent over the Internet? (Choose two.) A. Confidentiality B. Safety C. Availability D. Integrity
A and D. Confidentiality ensures that only authorized users can gain access to sensitive and protected data. Integrity ensures that the data hasn't been altered and is protected from unauthorized modification. Option B is incorrect. Safety is a common goal of security that includes providing protection to personnel and other assets. Option C is incorrect. Availability means that information is accessible to users whenever they need it.
86. Which of the following are examples of a preventive control? (Choose two.) A. Data backups B. Security camera C. Door alarm D. Cable locks
A and D. Preventive controls are proactive and are used to avoid a security breach or an interruption of critical services before it can happen. Options B and C are incorrect. Security cameras and door alarms are examples of detective controls. Detective controls detect an intrusion as it happens and uncover a violation.
84. Which of the following impact scenarios would include severe weather events? (Choose two.) A. Life B. Reputation C. Salary D. Property
A and D. The correct answer is life and property. Both of these impact scenarios include examples of severe weather events. Option B is incorrect. A reputation impact scenario includes price gouging during natural disasters and response time for addressing information disclosure. Option C is incorrect. Salary is not an impact scenario.
22. You are the new security administrator and have discovered your company lacks deterrent controls. Which of the following would you install that satisfies your needs? (Choose two.) A. Lighting B. Motion sensor C. No trespassing signs D. Antivirus scanner
A and C. A deterrent control is used to warn a potential attacker not to attack. Lighting added to the perimeter and warning signs such as a "no trespassing" sign are deterrent controls. Options B and D are incorrect. These are examples of detective controls. A detective control is designed to uncover a violation.
56. Which of the following are examples of custodian security roles? (Choose two.) A. Human resources employee B. Sales executive C. CEO D. Server backup operator
A and D. Custodians maintain access to data as well as its integrity. Options B and C are incorrect. The CEO and sales executives are not normally responsible for maintaining access to and the integrity of the data.
89. Which of the following would help build informed decisions regarding a specific DRP? A. Business impact analysis B. ROI analysis C. RTO D. Life impact
A. A business impact analysis (BIA) helps identify the risks that would affect business operations, such as the financial impact, and will help a company recover from a disaster. Option B is incorrect. Return on investment (ROI) is used to assess the efficiency of an investment; it measures the return on an investment relative to the investment's cost. Option C is incorrect. Recovery time objective (RTO) is the duration of time in which a company's process must be restored after a disaster. Option D is incorrect. A life impact scenario concerns danger to the lives of employees and customers.
34. Mark is an office manager at a local bank branch. He wants to ensure customer information isn't compromised when the deskside employees are away from their desks for the day. What security concept would Mark use to mitigate this concern? A. Clean desk B. Background checks C. Continuing education D. Job rotation
A. A clean desk policy ensures that all sensitive/confidential documents are removed from an end-user workstation and locked up when the documents are not in use. Option B is incorrect. Background checks are performed when a potential employee is considered for hire. Option C is incorrect. Continuing education is the process of training adult learners in a broad list of postsecondary learning activities and programs. Companies will use continuing education in training their employees on the new threats and also reiterating current policies and their importance. Option D is incorrect. Job rotation policy is the practice of moving employees between different tasks to promote experience and variety.
8. Which of the following is not a step of the incident response process? A. Snapshot B. Preparation C. Recovery D. Containment
A. A snapshot is the state of a system at a particular point in time. It's also known as a system image and is not a step in the incident response process. Options B, C, and D are incorrect. Preparation, recovery, and containment are steps of the incident response process.
99. What should human resources personnel be trained in regarding security policies? A. Guidelines and enforcement B. Order of volatility C. Penetration assessment D. Vulnerability assessment
A. A standard operating procedure (SOP) is a document that details the processes a company has in place to ensure that routine operations are delivered consistently every time. Guidelines and enforcement are items included in an SOP. Option B is incorrect. Order of volatility represents the order in which you should collect evidence. In general terms, evidence should be collected starting with the most volatile and moving to the least volatile. Volatile means data is not permanent. Option C is incorrect. A penetration assessment is an authorized, simulated attack on a network system that searches for security weaknesses that could be used to gain access to the network's features and data. Option D is incorrect. A vulnerability assessment identifies, quantifies, and prioritizes vulnerabilities in a network system.
52. You maintain a network of 150 computers and must determine which hosts are secure and which are not. Which of the following tools would best meet your need? A. Vulnerability scanner B. Protocol analyzer C. Port scanner D. Password cracker
A. A vulnerability scanner attempts to identify weaknesses in a system. Option B is incorrect. A protocol analyzer used with a NIC in promiscuous mode can capture all network traffic. Option C is incorrect. A port scanner identifies open ports on a server or host. Option D is incorrect. Password crackers can be used to check for easily crackable passwords. Vulnerability scanners can provide more data about computer security, such as open ports and weak passwords.
4. You are a security engineer and discovered an employee using the company's computer systems to operate their small business. The employee installed their personal software on the company's computer and is using the computer hardware, such as the USB port. What policy would you recommend the company implement to prevent any risk of the company's data and network being compromised? A. Acceptable use policy B. Clean desk policy C. Mandatory vacation policy D. Job rotation policy
A. Acceptable use policy is a document stating what a user may or may not have access to on a company's network or the Internet. Option B is incorrect. Clean desk policy ensures that all sensitive/confidential documents are removed from an end-user workstation and locked up when the documents are not in use. Option C is incorrect. Mandatory vacation policy is used by companies to detect fraud by having a second person, familiar with the duties, help discover any illicit activities. Option D is incorrect. Job rotation is a policy that describes the practice of moving employees between different tasks to promote experience and variety.
35. You are a security administrator and advise the web development team to include a CAPTCHA on the web page where users register for an account. Which of the following controls is this referring to? A. Deterrent B. Detective C. Compensating D. Degaussing
A. As users register for an account, they enter letters and numbers they are given on the web page before they can register. This is an example of a deterrent control as it prevents bots from registering and proves this is a real person. Option B is incorrect. Detective controls detect intrusion as it happens and uncovers a violation. Option C is incorrect. A compensating control is used to satisfy a requirement for a security measure that is too difficult or impractical to implement at the current time. Option D is incorrect. Degaussing is a method of removing data from a magnetic storage media by changing the magnetic field.
10. You are a security manager for your company and need to reduce the risk of employees working in collusion to embezzle funds. Which of the following policies would you implement? A. Mandatory vacations B. Clean desk C. NDA D. Continuing education
A. Companies use mandatory vacation policies to detect fraud by having a second person, familiar with the duties, help discover any illicit activities. Option B is incorrect. A clean desk policy ensures that all sensitive/confidential documents are removed from an end-user workstation and locked up when the documents are not in use. Option C is incorrect. A nondisclosure agreement (NDA) protects sensitive and intellectual data from getting into the wrong hands. Option D is incorrect. Continuing education is the process of training adult learners in a broad list of postsecondary learning activities and programs. Companies use continuing education to train their employees on new threats and to reiterate current policies and their importance.
47. Which of the following is considered a detective control? A. Closed-circuit television (CCTV) B. Guard C. Firewall D. IPS
A. Detective controls detect an intrusion as it happens and uncover a violation. Option B is incorrect. A guard is an example of a preventive control. Preventive controls stop an action from happening. Option C is incorrect. A firewall is an example of a technical control. Technical controls are applied through technology and may be deterrent, preventive, detective, or compensating. Option D is incorrect. An IPS (intrusion prevention system) is likewise an example of a technical control.
44. Which of the following backup concepts is the quickest backup but slowest restore? A. Incremental B. Differential C. Full D. Snapshots
A. Incremental backups are the quickest backup method but the slowest method to restore. An incremental backup backs up all new files and any files that have changed since the last full backup or incremental backup. To restore from incremental backups, you will need the full backup and every incremental backup in order. Option B is incorrect. A differential backup backs up all new files and any files that have changed since the last full backup. To restore from differential backups, you will need the full backup and the most recent differential backup. Option C is incorrect. A full backup backs up all the files each time the backup runs. Option D is incorrect. A snapshot is the state of a system at a particular point in time. It's also known as a system image.
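To make the backup/restore trade-off concrete, the following is an added example (not from the original answer key) that models a one-week schedule and shows why incrementals write the least per run but need the longest chain to restore; the file names, the daily change sets and the assumption that exactly one backup runs per day are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Backup:
    day: int
    kind: str  # "full", "incremental" or "differential"


def restore_chain(backups: List[Backup]) -> List[Backup]:
    """Return the backups that must be read, in order, to rebuild the latest state.

    Incremental: the last full plus every incremental taken after it.
    Differential: the last full plus only the most recent differential.
    """
    ordered = sorted(backups, key=lambda b: b.day)
    full_positions = [i for i, b in enumerate(ordered) if b.kind == "full"]
    if not full_positions:
        raise ValueError("no full backup in the set; nothing can be restored")
    last_full = full_positions[-1]
    chain = [ordered[last_full]]
    later = ordered[last_full + 1:]
    incrementals = [b for b in later if b.kind == "incremental"]
    differentials = [b for b in later if b.kind == "differential"]
    if incrementals and differentials:
        raise ValueError("mixing incremental and differential after one full is not modelled here")
    if incrementals:
        chain.extend(incrementals)        # every incremental since the full, in order
    elif differentials:
        chain.append(differentials[-1])   # only the newest differential is needed
    return chain


def files_copied(kind: str, all_files: Set[str],
                 changes_by_day: Dict[int, Set[str]], day: int) -> Set[str]:
    """Files written to media by a backup of `kind` on `day`.

    Assumes a full backup on day 0 and exactly one backup per later day, so an
    incremental on day N copies only what changed on day N, while a differential
    copies everything changed since day 0.
    """
    if kind == "full":
        return set(all_files)
    if kind == "incremental":
        return set(changes_by_day.get(day, set()))
    if kind == "differential":
        since_full: Set[str] = set()
        for d in range(1, day + 1):
            since_full |= changes_by_day.get(d, set())
        return since_full
    raise ValueError(f"unknown backup kind: {kind}")


# Constructed sample schedule: full on Sunday (day 0), one backup each of the next six days.
ALL_FILES = {"payroll.db", "web.conf", "report.docx", "kernel.img"}
CHANGES = {1: {"payroll.db"}, 2: {"web.conf"}, 3: {"payroll.db", "report.docx"}}
INCREMENTAL_WEEK = [Backup(0, "full")] + [Backup(d, "incremental") for d in range(1, 7)]
DIFFERENTIAL_WEEK = [Backup(0, "full")] + [Backup(d, "differential") for d in range(1, 7)]

if __name__ == "__main__":
    for label, week in (("incremental", INCREMENTAL_WEEK), ("differential", DIFFERENTIAL_WEEK)):
        kind = week[1].kind
        print(f"{label}: day-3 backup writes {sorted(files_copied(kind, ALL_FILES, CHANGES, 3))}, "
              f"restore reads {len(restore_chain(week))} backup sets")
```

With the sample changes, the day-3 incremental writes two files while the differential writes three, but restoring the incremental week reads seven sets against two for the differential week.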
32. You are an IT administrator for a company and you are adding new employees to an organization's identity and access management system. Which of the following best describes the process you are performing? A. Onboarding B. Offboarding C. Adverse action D. Job rotation
A. Onboarding is the process of adding an employee to a company's identity and access management system. Option B is incorrect. Offboarding is the process of removing an employee from the company's identity and access management system. Option C is incorrect. Adverse action is an official personnel action that is taken for disciplinary reasons. Option D is incorrect. Job rotation gives individuals the ability to see various parts of the organization and how it operates. It also eliminates the need for a company to rely on one individual for security expertise should the employee become disgruntled and decide to harm the company. Recovering from a disgruntled employee's attack is easier when multiple employees understand the company's security posture.
58. James is a security administrator and is attempting to block unauthorized access to the desktop computers within the company's network. He has configured the computers' operating systems to lock after 5 minutes of no activity. What type of security control has James implemented? A. Preventive B. Corrective C. Deterrent D. Detective
A. Preventive controls stop an action from happening—in this scenario, preventing an unauthorized user from gaining access to the network when the user steps away. Option B is incorrect. A corrective control is designed to correct a situation. Option C is incorrect. A deterrent control is used to deter a security breach. Option D is incorrect. A detective control is designed to uncover a violation.
11. You are a security administrator, and your manager has asked you about protecting the privacy of personally identifiable information (PII) that is collected. Which of the following would be the best option to fulfill the request? A. PIA B. BIA C. RTO D. SPF
A. A privacy impact assessment (PIA) is a measurement of how a company can keep private information safe while the company is in possession of PII. Option B is incorrect. A business impact analysis (BIA) determines the potential effects of an interruption to a company's operations as a result of a disaster or emergency. Option C is incorrect. Recovery time objective (RTO) is the duration of time in which a company's process must be restored after a disaster. Option D is incorrect. A single point of failure (SPF) is a component whose failure stops the entire system from operating.
41. Your security manager wants to decide which risks to mitigate based on cost. What is this an example of? A. Quantitative risk assessment B. Qualitative risk assessment C. Business impact analysis D. Threat assessment
A. Quantitative risk assessment is the process of assigning numerical values to the probability that an event will occur and to the impact the event will have. Option B is incorrect. Qualitative risk assessment is the process of ranking which risk poses the most danger using measures such as low, medium, and high. Option C is incorrect. Business impact analysis is used to evaluate the possible effect a business can suffer should an interruption to critical system operations occur. This interruption could be the result of an accident, emergency, or disaster. Option D is incorrect. Threat assessment is the process of identifying and categorizing different threats, such as environmental and man-made threats. It also attempts to identify the potential impact of the threats.
85. Which of the following outlines a business goal for system restoration and allowable data loss? A. RPO B. Single point of failure C. MTTR D. MTBF
A. RPO (recovery point objective) specifies the allowable data loss. It is the amount of time that can pass during an interruption before the quantity of data lost during that period surpasses the maximum acceptable threshold set in business continuity planning. Option B is incorrect. A single point of failure is a weakness in the design or configuration of a system in which one fault or malfunction will cause the whole system to stop operating. Option C is incorrect. MTTR (mean time to repair) is the average time it takes for a failed device or component to be repaired or replaced. Option D is incorrect. MTBF (mean time between failures) is a measurement that shows how reliable a hardware component is.
98. A warrant has been issued to investigate a file server that is suspected to be part of an organized crime to steal credit card information. You are instructed to follow the order of volatility. Which data would you collect first? A. RAM B. USB flash drive C. Hard disk D. Swap files
A. Random access memory (RAM) data is lost when the device is powered off. Therefore, RAM must be properly collected first. Option B is incorrect. A USB flash drive will maintain its data when the power is removed. Option C is incorrect. A hard disk will maintain its data when the power is removed. Option D is incorrect. A swap file is an extension of memory and is stored on the hard disk, so it is less volatile than RAM.
25. You are a security administrator for your company and you identify a security risk. You decide to continue with the current security plan. However, you develop a contingency plan in case the security risk occurs. Which of the following types of risk response techniques are you demonstrating? A. Accept B. Transfer C. Avoid D. Mitigate
A. Risk acceptance is a strategy of recognizing, identifying, and accepting a risk that is sufficiently unlikely or has limited impact that a corrective control is not warranted. Option B is incorrect. Risk transfer is the act of moving the risk to hosted providers who assume the responsibility for recovery and restoration or by acquiring insurance to cover the costs emerging from a risk. Option C is incorrect. Risk avoidance is the removal of the vulnerability that can increase a particular risk so that it is avoided altogether. Option D is incorrect. Risk mitigation is when a company implements controls to reduce vulnerabilities or weaknesses in a system. It can also reduce the impact of a threat.
77. Your company website is hosted by an Internet service provider. Which of the following risk response techniques is in use? A. Risk avoidance B. Risk register C. Risk acceptance D. Risk mitigation
A. Risk avoidance is a strategy to deflect threats in order to avoid the costly and disruptive consequences of a damaging event. It also attempts to minimize vulnerabilities that can pose a threat. Option B is incorrect. The risk register is a document, also known as a risk log, created at the beginning of a project to track issues and address any problems as they arise. Option C is incorrect. Risk acceptance is a strategy of recognizing, identifying, and accepting a risk that is sufficiently unlikely or has limited impact that a corrective control is not warranted. Option D is incorrect. Risk mitigation is when a company implements controls to reduce vulnerabilities or weaknesses in a system. It can also reduce the impact of a threat.
67. Which of the following is exemplified by a workstation that has not been hardened? A. Risk B. Threat C. Exposure D. Mitigate
A. Risk is defined as the likelihood of occurrence of a threat and the corresponding loss potential; in other words, risk is the probability that a threat actor will exploit a vulnerability. The purpose of system hardening is to remove as many security risks as possible. Hardening is typically performed by disabling all nonessential software programs and utilities on the workstation. Option B is incorrect. The threat agent is the component that exploits a vulnerability. Option C is incorrect. The exposure factor is the percentage or portion of the asset that will be lost or destroyed when exposed to a threat. Option D is incorrect. Risk mitigation is when a company implements controls to reduce vulnerabilities or weaknesses in a system. It can also reduce the impact of a threat.
26. Which of the following best visually shows the state of a computer at the time it was collected by law enforcement? A. Screenshots B. Identification C. Tabletop exercise D. Generate hash values
A. Taking screenshots gives an investigator a useful way to collect information on a computer screen. Screenshots can be acquired in many ways and allow the investigator to reproduce what happened on the screen. Option B is incorrect. The identification phase is part of an incident response process and deals with the discovery and determination of whether a deviation from normal operations within a company was an incident. Option C is incorrect. The tabletop exercise is considered a cost-effective and efficient way to identify areas of overlap in a plan before implementing a test. Option D is incorrect. Generating file hashes will ensure integrity and ensure that files have not changed or been tampered with.
91. Which of the following secures access to company data in accordance with management policies? A. Technical controls B. Administrative controls C. HTTPS D. Integrity
A. Technical controls are applied through technology and may be deterrent, preventive, detective, or compensating. They include hardware or software solutions using access control in accordance with established security policies. Option B is incorrect. Administrative controls are defined through policies, procedures, and guidelines. Option C is incorrect. HTTPS is a communications protocol used to secure communication over a computer network used on the Internet. Option D is incorrect. Integrity ensures that the data hasn't been altered and is protected from unauthorized modification.
62. You are a member of your company's security response team and have discovered an incident within your network. You are instructed to remove and restore the affected system. You restore the system with the original disk image and then install patches and disable any unnecessary services to harden the system against any future attacks. Which incident response process have you completed? A. Eradication B. Preparation C. Containment D. Recovery
A. The eradication process involves removing and restoring affected systems by reimaging the system's hard drive and installing patches. Option B is incorrect. The preparation process prepares a company's team to be ready to handle an incident at a moment's notice. Option C is incorrect. The purpose of the containment process is to minimize the damage and prevent any further damage from happening. Option D is incorrect. The recovery process brings affected systems back into the company's production environment carefully to avoid leading to another incident.
3. Why are penetration tests often not advised? A. It can be disruptive for the business activities. B. It is able to measure and authenticate the efficiency of a company's defensive mechanisms. C. It's able to find both known and unknown hardware or software weaknesses. D. It permits the exploration of real risks and gives a precise depiction of a company's IT infrastructure security posture at any given time.
A. The main reason to avoid penetration tests is answer A: pentests can cause disruption to business activities, which is the main focus of the question. It is advised to perform vulnerability tests often rather than penetration tests. Options B, C, and D are incorrect. These options are positive reasons why penetration testing should be performed.
20. You have an asset that is valued at $16,000, the exposure factor of a risk affecting that asset is 35%, and the annualized rate of occurrence is 75%. What is the SLE? A. $5,600 B. $5,000 C. $4,200 D. $3,000
A. The single loss expectancy (SLE) is the product of the value ($16,000) and the exposure factor (.35), or $5,600. Options B, C, and D are incorrect. These values do not represent the single loss expectancy.
80. Which of the following statements is true regarding a data retention policy? A. Regulations require financial transactions to be stored for 7 years. B. Employees must remove and lock up all sensitive and confidential documents when not in use. C. It describes a formal process of managing configuration changes made to a network. D. It is a legal document that describes a mutual agreement between parties.
A. This statement refers to the data retention policy. Option B is incorrect. This statement refers to the clean desk policy. Option C is incorrect. This statement refers to the change management policy. Option D is incorrect. This statement refers to a memorandum of understanding (MOU).
61. Which of the following are considered inappropriate places to store backup tapes? (Choose two.) A. Near a workstation B. Near a speaker C. Near a CRT monitor D. Near an LCD screen
B and C. Backup tapes should not be stored near sources of magnetic fields such as CRT monitors and speakers. These devices can cause the tapes to be degaussed. Option A is incorrect. A workstation has no chance of degaussing backup tapes. Option D is incorrect. An LCD screen has no chance of degaussing backup tapes.
73. Which of the following types of testing can help identify risks? (Choose two.) A. Quantitative B. Penetration testing C. Vulnerability testing D. Qualitative
B and C. Penetration and vulnerability testing can help identify risk. Before a tester performs these tests, they should receive written authorization. Option A is incorrect. Quantitative risk assessment is the process of assigning numerical values to the probability an event will occur and what the impact of the event will have. Option D is incorrect. Qualitative risk assessment is the process of ranking which risk poses the most danger using measures such as low, medium, and high.
81. You are attending a meeting with your manager and he wants to validate the cost of a warm site versus a cold site. Which of the following reasons best justify the cost of a warm site? (Choose two.) A. Small amount of income loss during long downtime B. Large amount of income loss during short downtime C. Business contracts enduring no more than 72 hours of downtime D. Business contracts enduring no more than 8 hours of downtime
B and D. Companies can lose a large amount of income in a short period of downtime. Companies can also have business contracts that state the maximum amount of downtime that may occur if a disaster strikes. These reasons support the cost of a warm site, which relies on backups to recover from a disaster. Option A is incorrect. A company losing a small amount of income during a long period of downtime may not justify the cost of a warm site. Option C is incorrect. A company can bring a cold site online within 72 hours and resume business services, so this would not justify the cost of a warm site.
96. Which of the following best describes a Computer Incident Response Team (CIRT)? A. Personnel who participate in exercises to practice incident response procedures B. Personnel who promptly and correctly handle incidents so they can be quickly contained, investigated, and recovered from C. A team to identify planning flaws before an actual incident occurs D. Team members using a walk-through checklist to ensure understanding of roles in a DRP
B. A Computer Incident Response Team (CIRT) includes personnel who promptly and correctly handle incidents so that they can be quickly contained, investigated, and recovered from. Options A, C, and D are incorrect. These statements do not describe a CIRT.
19. Your company is considering moving its mail server to a hosting company. This will help reduce hardware and server administrator costs at the local site. Which of the following documents would formally state the reliability and recourse if the reliability is not met? A. MOU B. SLA C. ISA D. BPA
B. An SLA (service level agreement) defines the level of service the customer expects from the service provider. The level of service definitions should be specific and measurable in each area. Option A is incorrect. An MOU (memorandum of understanding) is a legal document that describes a mutual agreement between parties. Option C is incorrect. An ISA (interconnection security agreement) is an agreement that specifies the technical and security requirements of the interconnection between organizations. Option D is incorrect. A BPA (business partnership agreement) is a legal agreement between partners. It establishes the terms, conditions, and expectations of the relationship between the partners.
12. Which of the following plans best identifies critical systems and components to ensure the assets are protected? A. DRP B. BCP C. IT contingency plan D. Succession plan
B. A business continuity plan is a policy that describes and approves the company's overall business continuity strategy. This also includes identifying critical systems to protect. Option A is incorrect. A disaster recovery plan (DRP) is a policy that describes and approves the company's disaster recovery strategy. This plan will help the company recover from an incident with minimal loss of time and money. Option C is incorrect. An IT contingency plan is a component of the BCP. It specifies alternate IT procedures for a company to switch over to when it's faced with a disruption of service leading to a disaster for the company. Option D is incorrect. A succession plan ensures all key company personnel have at least one designated backup who can perform the critical functions when required.
40. Which of the following might you find in a DRP? A. Single point of failure B. Prioritized list of critical computer systems C. Exposure factor D. Asset value
B. A disaster recovery plan (DRP) is a plan that helps a company recover from an incident with minimal loss of time and money. It prioritizes critical computer systems. Option A is incorrect. A single point of failure is a weakness in the design or configuration of a system in which one fault or malfunction will cause the whole system to stop operating; it would not be found within a DRP. Option C is incorrect. Exposure factor would be found within a risk assessment. Option D is incorrect. Asset value would be found within a risk assessment.
83. How do you calculate the annual loss expectancy (ALE) that may occur due to a threat? A. Exposure Factor (EF) / Single Loss Expectancy (SLE) B. Single Loss Expectancy (SLE) × Annual Rate of Occurrence (ARO) C. Asset Value (AV) × Exposure Factor (EF) D. Single Loss Expectancy (SLE) / Exposure Factor (EF)
B. ALE (annual loss expectancy) is the product of the ARO (annual rate of occurrence) and the SLE (single loss expectancy) and is mathematically expressed as ALE = ARO × SLE. Single loss expectancy is the cost of any single loss and it is mathematically expressed as SLE = AV (asset value) × EF (exposure factor).
30. You are the head of the IT department of a school and are looking for a way to promote safe and responsible use of the Internet for students. With the help of the teachers, you develop a document for students to sign that describes methods of accessing the Internet on the school's network. Which of the following best describes this document? A. Service level agreement B. Acceptable use policy C. Incident response plan D. Chain of custody
B. An acceptable use policy describes the limits and guidelines for users to make use of an organization's physical and intellectual resources. This includes allowing or limiting the use of personal email during work hours. Option A is incorrect. A service level agreement (SLA) defines the level of service the customer expects from the service provider. The level of service definitions should be specific and measurable in each area. Option C is incorrect. An incident response plan provides instructions for detecting, responding to, and limiting the effects of an information security event. Option D is incorrect. Chain of custody refers to the chronological documentation showing the custody, control, transfer, analysis, and disposition of physical or electronic evidence.
100. Which of the following is not a basic concept of computer forensics? A. Preserve evidence B. Determine if the suspect is guilty based on the findings C. Track man-hours and expenses D. Interview all witnesses
B. Determining whether the suspect is guilty is a matter for the legal system and is not part of the basic concepts of computer forensics. Options A, C, and D are incorrect. These options are valid basic concepts of computer forensics; other valid basic concepts include capturing video and active logging.
68. Which of the following elements should not be included in the preparation phase of the incident response process? A. Policy B. Lesson learned documentation C. Response plan/strategy D. Communication
B. Lessons learned documentation belongs to the lessons learned phase of the incident response process, not to the preparation phase. Options A, C, and D are incorrect. These elements should be included in the preparation phase.
72. During which step of the incident response process does root cause analysis occur? A. Preparation B. Lessons learned C. Containment D. Recovery
B. The lessons learned process is the most critical phase because it is the phase in which you complete any documentation that may be beneficial in future incidents. Documentation should include information such as when the problem was first detected and by whom, how the problem was contained and eradicated, the work that was performed during the recovery, and areas that may need improvement. Option A is incorrect. The preparation process prepares a company's team to be ready to handle an incident at a moment's notice. Option C is incorrect. The containment process is designed to minimize the damage and prevent any further damage from happening. Option D is incorrect. The recovery process brings affected systems back into the company's production environment carefully to avoid leading to another incident.
13. After your company implemented a clean desk policy, you have been asked to secure physical documents every night. Which of the following would be the best solution? A. Department door lock B. Locking cabinets and drawers C. Proximity card D. Onboarding
B. Locking cabinets and drawers is the best solution because the employee would be the only one with a key. Option A is incorrect. Multiple people may have keys to a department door lock. Option C is incorrect. A proximity card is a contactless smartcard that is held near an electronic reader to grant access to a particular area. Option D is incorrect. Onboarding is the process of adding an employee to a company's identity and access management system.
59. Which of the following terms best describes sensitive medical information? A. AES B. PHI C. PII D. TLS
B. PHI (protected health information) is any data that refers to health status, delivery of health care, or payment for health care that is gathered by a health care provider and can be linked to an individual according to U.S. law. Option A is incorrect. AES (Advanced Encryption Standard) is a symmetric block cipher with a 128-bit block size. Option C is incorrect. PII (Personally Identifiable Information) is information that can be used on its own or with other information to identify an individual. Option D is incorrect. TLS (Transport Layer Security) is a protocol that encrypts data over a computer network.
38. Users are currently accessing their personal email through company computers, so you and your IT team have created a security policy for email use. What is the next step after creating and approving the email use policy? A. Encrypt all user email messages. B. Provide security user awareness training. C. Provide every employee with their own device to access their personal email. D. Forward all personal emails to their company email account.
B. Provide security user awareness training to all employees regarding the risk of using personal email through company computers. The ability to access personal email is a security risk because the company is unable to filter those emails through the company's Exchange server. Option A is incorrect. The company is unable to encrypt users' email messages sent through services such as Yahoo Mail and Gmail; the encryption is performed by the company providing the email service. Option C is incorrect. Providing every user with their own device to access their personal email is not the best option as the next step. While employees use these devices within the company's network, the company doesn't have full control of what emails are entering the network. Option D is incorrect. The company may have some control of personal emails routing through the company's Exchange server, but this is not the best next step after creating and approving the email use policy. The purpose of the email use policy is to limit the use of personal email because the company doesn't have full control of what emails the employees are allowing into the network.
17. Your competitors are offering a new service that is predicted to sell strong. After much careful research, your company has decided not to launch a competing service due to the uncertainty of the market and the enormous investment required. Which of the following best describes the company's decision? A. Risk transfer B. Risk avoidance C. Risk acceptance D. Risk mitigation
B. Risk avoidance is a strategy to deflect threats in order to avoid the costly and disruptive consequences of a damaging event. It also attempts to minimize vulnerabilities that can pose a threat. Option A is incorrect. Risk transfer is the act of moving the risk to hosted providers who assume the responsibility for recovery and restoration or by acquiring insurance to cover the costs emerging from a risk. Option C is incorrect. Risk acceptance is a strategy of recognizing, identifying, and accepting a risk that is sufficiently unlikely or has limited impact that a corrective control is not warranted. Option D is incorrect. Risk mitigation is when a company implements controls to reduce vulnerabilities or weaknesses in a system. It can also reduce the impact of a threat.
27. You are asked to protect the company's data should a complete disaster occur. Which action would be the best option for this request? A. Back up all data to tape, and store those tapes at an alternate location within the city. B. Back up all data to tape, and store those tapes at an alternate location in another city. C. Back up all data to disk, and store the disk in a safe in the company's basement. D. Back up all data to disk, and store the disk in a safe at the network administrator's home.
B. Storing backup data at an alternate site in another city will help protect the data if there were a complete disaster at the primary location. Storing backups outside of the original location is known as off-site backups. Also, the distance associated with an off-site backup can be a logistics challenge. Option A is incorrect. Storing backup data at an alternate location within the city may not be good if the area has to be evacuated. Option C is incorrect. Storing backup data in a safe at the company's site may not be good should the primary location become completely destroyed. Option D is incorrect. Storing backup data at an employee's home is never a good idea.
7. Katelyn is a network technician for a manufacturing company. She is testing a network forensic capturing software and plugs her laptop into an Ethernet switch port and begins capturing network traffic. Later she begins to analyze the data and notices some broadcast and multicast packets, as well as her own laptop's network traffic. Which of the following statements best describes why Katelyn was unable to capture all network traffic on the switch? A. Each port on the switch is an isolated broadcast domain. B. Each port on the switch is an isolated collision domain. C. Promiscuous mode must be enabled on the NIC. D. Promiscuous mode must be disabled on the NIC.
B. A switch forwards data only to the port of the device that needs to receive it, so a computer capturing network traffic will see only broadcast and multicast packets along with the traffic sent to and received by that computer. Option A is incorrect. Ethernet switches in a broadcast domain send broadcast packets to all computers that are part of the domain; the entire switch can be one broadcast domain, or a group of ports can be placed in a VLAN (virtual local area network). Option C is incorrect. Promiscuous mode enabled on the NIC allows it to capture all traffic within the network, but this was not the problem in this scenario. Option D is incorrect. With promiscuous mode disabled, the NIC will not capture all traffic within the network but only broadcast and multicast packets along with traffic sent to and received by the computer. The scenario focused on the Ethernet switch, not the laptop's NIC.
9. Which of the following is another term for technical controls? A. Access controls B. Logical controls C. Detective controls D. Preventive controls
B. Technical controls, also called logical controls, are used to restrict access to data and include operating system components, security applications, network devices, and encryption techniques. Logical controls use authentication mechanisms. Option A is incorrect. Access controls can be part of technical controls; however, the term is not synonymous with technical controls. Option C is incorrect. Detective controls detect an intrusion as it happens and uncover a violation. Option D is incorrect. Preventive controls avoid a security breach or an interruption of critical services before they can happen.
50. Your team powered off the SQL database server for over 7 hours to perform a test. Which of the following is the most likely reason for this? A. Business impact analysis B. Succession plan C. Continuity of operations plan D. Service level agreement
C. A continuity of operations plan focuses on restoring critical business functions after an outage to an alternate site. The plan will determine if a company can continue its operations during the outage. Option A is incorrect. BIA (business impact analysis) is performed before the creation of business continuity plans, and BIAs are not tested. Option B is incorrect. A succession plan ensures all key company personnel have at least one designated backup who can perform the critical functions when required. Option D is incorrect. A service level agreement (SLA) defines the level of service the customer expects from the service provider. The level of service definitions should be specific and measurable in each area.
71. Which of the following statements best describes a differential backup? A. Only the changed portions of files are backed up. B. All files are copied to storage media. C. Files that have changed since the last full backup are backed up. D. Only files that have changed since the last full or incremental backup are backed up.
C. A differential backup copies files that have changed since the last full backup. Option A is incorrect. A partial backup is when only portions of files changed are backed up. Option B is incorrect. A full backup is when all files are copied to a storage media. Option D is incorrect. Backing up only the files that have changed since the last full or incremental backup is considered an incremental backup.
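The distinction between full, differential, and incremental backups is easier to see when the selection rule is run over a small set of files. The following simulation is an added example and is not from the original question set; the file names, modification days, and backup schedules are constructed sample data, and the `restore_chain` helper is a hypothetical name used only to show which backups a restore has to apply.

```python
"""Simulate which files a full, differential, or incremental backup copies.

Added illustration (not from the original page). All files, modification
days, and schedules below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FileState:
    path: str
    mtime: int  # constructed: day number on which the file was last modified


# Constructed sample file system: each file modified exactly once.
SAMPLE_FILES = [
    FileState("readme.txt", mtime=0),
    FileState("payroll.xlsx", mtime=0),
    FileState("contracts.docx", mtime=3),
    FileState("db.bak", mtime=5),
]


def files_copied(files, kind, day, last_full: Optional[int], last_any: Optional[int]):
    """Return the paths a backup of `kind` run on `day` would copy.

    full         : every file that exists on `day`
    differential : files changed since the last FULL backup
    incremental  : files changed since the last full OR incremental backup
    """
    existing = [f for f in files if f.mtime <= day]
    if kind == "full":
        return sorted(f.path for f in existing)
    reference = last_full if kind == "differential" else last_any
    if reference is None:
        raise ValueError(f"{kind} backup requires a prior full backup")
    return sorted(f.path for f in existing if f.mtime > reference)


def simulate(files, schedule):
    """schedule: list of (day, kind). Returns {(day, kind): [paths copied]}."""
    last_full = None   # day of the most recent full backup
    last_any = None    # day of the most recent full or incremental backup
    copied = {}
    for day, kind in schedule:
        copied[(day, kind)] = files_copied(files, kind, day, last_full, last_any)
        if kind == "full":
            last_full = day
            last_any = day
        elif kind == "incremental":
            last_any = day
        # A differential backup does not move either reference point,
        # which is why each differential grows until the next full backup.
    return copied


def restore_chain(schedule, restore_day):
    """Backups, in apply order, needed to restore the state as of restore_day.

    Differential: last full + only the latest differential.
    Incremental : last full + every incremental since it, in order.
    """
    done = [(d, k) for d, k in schedule if d <= restore_day]
    full_idx = max(i for i, (_, k) in enumerate(done) if k == "full")
    chain = [done[full_idx]]
    later = done[full_idx + 1:]
    chain += [b for b in later if b[1] == "incremental"]
    diffs = [b for b in later if b[1] == "differential"]
    if diffs:
        chain.append(diffs[-1])
    return chain


DIFFERENTIAL_SCHEDULE = [(0, "full"), (2, "differential"), (4, "differential"), (6, "differential")]
INCREMENTAL_SCHEDULE = [(0, "full"), (2, "incremental"), (4, "incremental"), (6, "incremental")]

if __name__ == "__main__":
    for name, schedule in (("differential", DIFFERENTIAL_SCHEDULE), ("incremental", INCREMENTAL_SCHEDULE)):
        print(f"--- {name} schedule ---")
        for (day, kind), paths in simulate(SAMPLE_FILES, schedule).items():
            print(f"day {day} {kind:12s} copies {paths}")
        print("restore on day 6 applies:", restore_chain(schedule, 6))
```

Running the two schedules side by side shows the trade-off the exam answer implies: the day 6 differential copies both `contracts.docx` and `db.bak` (everything since the full backup) but restores with just two backups, while the day 6 incremental copies only `db.bak` and restores with four.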
6. Which recovery site is the easiest to test? A. Warm site B. Cold site C. Hot site D. Medium site
C. A hot site contains all of the alternate computer and telecommunication equipment needed in a disaster. Testing this environment is simple. Option A is incorrect. A warm site is harder to test because it contains the equipment but no employees or company data. Option B is incorrect. A cold site is the hardest to test because it includes a basic room with limited equipment. Option D is incorrect. A medium site is not something referred to as a recovery site.
78. A call center leases a new space across town, complete with a functioning computer network that mirrors the current live site. A high-speed network link continuously synchronizes data between the two sites. Which of the following describes the site at the new leased location? A. Cold site B. Warm site C. Hot site D. Differential site
C. A hot site, also known as an alternate processing site, contains all of the alternate computer and telecommunication equipment needed in a disaster. Testing this environment is simple. Option A is incorrect. A cold site is the hardest to test because it includes a basic room with limited equipment. Option B is incorrect. A warm site is harder to test because it contains only the equipment and no employees or company data. Option D is incorrect. A differential site is not a valid term.
63. You are a security administrator and have decided to implement a unified threat management (UTM) appliance within your network. This appliance will provide antimalware, spam filtering, and content inspection along with other protections. Which of the following statements best describes the potential problem with this plan? A. The protections can only be performed one at a time. B. This is a complex plan because you will manage several complex platforms. C. This could create the potential for a single point of failure. D. You work with a single vendor and its support department.
C. A unified threat management (UTM) appliance is a single console a security administrator can monitor and manage easily. This could create a single point of failure. Options A, B, and D are incorrect. With a UTM, each protection can be performed simultaneously. A UTM centralizes various security techniques into a single appliance. It is also tied to one vendor and allows for a single, streamlined function.
1. You are a manager of a bank and you suspect one of your tellers has stolen money from their station. After talking with your supervisor, you place the employee on leave with pay, suspend their computer account, and obtain their proximity card and keys to the building. Which of the following policies did you follow? A. Mandatory vacations B. Exit interviews C. Adverse actions D. Onboarding
C. Adverse actions are administrative actions that are placed against employees. These actions include letters of reprimand, leave with or without pay, or termination. Along with these actions, the policy should include steps such as disabling user accounts and revoking privileges, such as access to facilities, to prevent data from being compromised. Once these steps are in place, the company need not worry about vindictive actions the employee might take against it. Option A is incorrect. Mandatory vacation policy is used by companies to detect fraud by having a second person, familiar with the duties, help discover any illicit activities. Option B is incorrect. Exit interviews give the company an opportunity to find problems within departments. They also allow HR to identify any knowledge that is about to be lost, such as information the employee knows that is not written down anywhere. Option D is incorrect. Onboarding is the process of adding an employee to a company's identity and access management system.
31. You are the security administrator and have discovered a malware incident. Which of the following responses should you do first? A. Recovery B. Eradication C. Containment D. Identification
C. After identifying the malware incident, the next step you would perform based on the incident response process is to contain the malware to further study the incident and prevent it from spreading across the network. Option A is incorrect. Recovery is performed after eradicating the malware. Option B is incorrect. Eradicating the malware is performed after you have contained the malware. Option D is incorrect. Identification has been performed when you discovered the malware.
21. During a meeting, you present management with a list of access controls used on your network. Which of the following controls is an example of a corrective control? A. IDS B. Audit logs C. Antivirus software D. Router
C. Antivirus is an example of a corrective control. A corrective control is designed to correct a situation. Option A is incorrect. An IDS (intrusion detection system) is a detective control because it detects security breaches. Option B is incorrect. An audit log is a detective control because it detects security breaches. Option D is incorrect. A router is a preventive control because it prevents security breaches with access control lists.
39. Which of the following is not a physical security control? A. Motion detector B. Fence C. Antivirus software D. CCTV
C. Antivirus software is used to protect computer systems from malware and is not a physical security control. Options A, B, and D are incorrect. Physical controls are security measures put in place to reduce the risk of harm coming to a physical property. This includes protection of personnel, hardware, software, networks, and data from physical actions and events that could cause damage or loss.
66. Computer evidence of a crime is preserved by making an exact copy of the hard disk. Which of the following does this demonstrate? A. Chain of custody B. Order of volatility C. Capture system image D. Taking screenshots
C. Capturing the system image involves making an exact image of the drive so that it can be referenced later in the investigation. Option A is incorrect. Chain of custody offers assurances that evidence has been preserved, protected, and handled correctly after it has been collected. Documents show who handled the evidence and when they handled it. Option B is incorrect. Order of volatility represents the order in which you should collect evidence. In general terms, evidence should be collected starting with the most volatile and moving to the least volatile. Volatile means data is not permanent. Option D is incorrect. Taking screenshots gives an investigator a useful way to collect information on a computer screen. This will allow the investigator to reproduce what happened on the screen.
2. Which of the following principles stipulates that multiple changes to a computer system should not be made at the same time? A. Due diligence B. Acceptable use C. Change management D. Due care
C. Change management is the process of documenting all changes made to a company's network and computers. Avoiding making changes at the same time makes tracking any problems that can occur much simpler. Option A is incorrect. Due diligence is the process of investigation and verification of the accuracy of a particular act. Option B is incorrect. Acceptable use is a policy stating what a user may or may not have access to on a company's network or the Internet. Option D is incorrect. Due care is the effort made by a reasonable party to avoid harm to another. It is the level of judgment, care, determination, and activity a person would reasonably expect to do under certain conditions.
45. Which of the following operations should you undertake to avoid mishandling of tapes, removal drives, CDs, and DVDs? A. Degaussing B. Acceptable use C. Data labeling D. Wiping
C. Data labeling policy includes how data is labeled such as confidential, private, or public. It should also include how the data is handled and disposed of for all classifications of data. Before data can be disposed of, you will need to destroy it with a data sanitization tool. Option A is incorrect. Degaussing is a method of removing data from a magnetic storage media by changing the magnetic field. Option B is incorrect. An acceptable use policy describes the limits and guidelines for users to make use of an organization's physical and intellectual resources. This includes allowing or limiting the use of personal email during work hours. Option D is incorrect. Wiping, also known as overwriting, will replace the data with all zeros to prevent data from being recovered by third-party software.
15. Which of the following is an example of PHI? A. Passport number B. Criminal record C. Fingerprints D. Name of school attended
C. Fingerprints are considered PHI (Protected Health Information), according to HIPAA rules. Options A, B, and D are incorrect. These are classified as PII (Personally Identifiable Information), according to NIST.
28. Which of the following would not be a purpose of a privacy threshold analysis? A. Identify programs and systems that are privacy-sensitive. B. Demonstrate the inclusion of privacy considerations during the review of a program or system. C. Identify systems that are considered a single point of failure. D. Demonstrate compliance with privacy laws and regulations.
C. Identifying systems that are considered a single point of failure is not a purpose of PTA. Options A, B, and D are incorrect. Privacy threshold analysis (PTA) can determine whether a program or system has privacy implications and whether additional privacy compliance documentation is required such as a privacy impact assessment (PIA).
60. An accounting employee changes roles with another accounting employee every 4 months. What is this an example of? A. Separation of duties B. Mandatory vacation C. Job rotation D. Onboarding
C. Job rotation allows individuals to see various parts of the organization and how it operates. It also eliminates the need for a company to rely on one individual for security expertise should the employee become disgruntled and decide to harm the company. Recovering from a disgruntled employee's attack is easier when multiple employees understand the company's security posture. Option A is incorrect. Separation of duties is the concept of having more than one person required to complete a task. Option B is incorrect. Mandatory vacation policy is used by companies to detect fraud by having a second person, familiar with the duties, help discover any illicit activities. Option D is incorrect. Onboarding is the process of adding an employee to a company's identity and access management system.
92. You are a server administrator for your company's private cloud. To provide service to employees, you are instructed to use reliable hard disks in the server to host a virtual environment. Which of the following best describes the reliability of hard drives? A. MTTR B. RPO C. MTBF D. ALE
C. Mean time between failures (MTBF) is a measurement that shows how reliable a hardware component is. Option A is incorrect. MTTR (mean time to repair) is the average time it takes for a failed device or component to be repaired or replaced. Option B is incorrect. RPO (recovery point objective) is the period of time a company can tolerate lost data being unrecoverable between backups. Option D is incorrect. ALE (annual loss expectancy) is the product of the annual rate of occurrence and the single loss expectancy.
69. Which of the following does not minimize security breaches committed by internal employees? A. Job rotation B. Separation of duties C. Nondisclosure agreements signed by employees D. Mandatory vacations
C. Nondisclosure agreements (NDAs) are signed by an employee at the time of hiring, and they impose a contractual obligation on employees to maintain the confidentiality of information. Disclosure of information can lead to legal ramifications and penalties. NDAs cannot ensure a decrease in security breaches. Option A is incorrect. Job rotation policy is the practice of moving employees between different tasks to promote experience and variety. Option B is incorrect. Separation of duties is the concept of having more than one person required to complete a task. Option D is incorrect. Mandatory vacation policy is used by companies to detect fraud by having a second person, familiar with the duties, help discover any illicit activities.
37. As the IT security officer, you are configuring data label options for your company's research and development file server. Regular users can label documents as contractor, public, or internal. Which label should be assigned to company trade secrets? A. High B. Top secret C. Proprietary D. Low
C. Proprietary data is a form of confidential information, and if the information is revealed, it can have severe effects on the company's competitive edge. Option A is incorrect. High is a generic label assigned to data internally that represents the amount of risk being exposed outside the company. Option B is incorrect. The top-secret label is often used within governmental systems where data and access may be granted or denied based on assigned categories. Option D is incorrect. Low is a generic label assigned to data internally that represents the amount of risk being exposed outside the company.
29. You have purchased new laptops for your salespeople. You plan to dispose of the hard drives of the former laptops as part of a company computer sale. Which of the following methods would you use to properly dispose of the hard drives? A. Destruction B. Shredding C. Purging D. Formatting
C. Purging removes all the data from a hard drive so that the data cannot be rebuilt. Option A is incorrect. Destruction wouldn't help the company sell the hard drive at the computer sale. Option B is incorrect. Shredding wouldn't help the company sell the hard drive at the computer sale because it physically destroys the hard drive. Option D is incorrect. Formatting isn't good enough to remove data because the data can be recovered by third-party software. Formatting only removes the pointers to the location where the data resides; the data itself stays on the disk.
53. You have been instructed to introduce an affected system back into the company's environment and be sure that it will not lead to another incident. You test, monitor, and validate that the system is not being compromised by any other means. Which of the incident response processes have you completed? A. Lessons learned B. Preparation C. Recovery D. Containment
C. Recovery process brings affected systems back into the company's production environment carefully to avoid leading to another incident. Option A is incorrect. The lessons learned process is the most critical phase because it is the phase in which you complete any documentation that may be beneficial in future incidents. Documentation should include information such as when the problem was first detected and by whom, how the problem was contained and eradicated, the work that was performed during the recovery, and areas that may need improvement. Option B is incorrect. The preparation process prepares a company's team to be ready to handle an incident at a moment's notice. Option D is incorrect. The containment process is designed to minimize the damage and prevent any further damage from happening.
87. You are a security administrator for your company and you identify a security risk that you do not have in-house skills to address. You decide to acquire contract resources. The contractor will be responsible for handling and managing this security risk. Which of the following type of risk response technique are you demonstrating? A. Accept B. Mitigate C. Transfer D. Avoid
C. Risk transfer is the act of moving the risk to hosted providers who assume the responsibility for recovery and restoration or by acquiring insurance to cover the costs emerging from a risk. Option A is incorrect. Risk acceptance is a strategy of recognizing, identifying, and accepting a risk that is sufficiently unlikely or has such limited impact that a corrective control is not warranted. Option B is incorrect. Risk mitigation is when a company implements controls to reduce vulnerabilities or weaknesses in a system. It can also reduce the impact of a threat. Option D is incorrect. Risk avoidance is the removal of the vulnerability that can increase a particular risk so that it is avoided altogether.
75. You are a network administrator and have been asked to send a large file that contains PII to an accounting firm. Which of the following protocols would it be best to use? A. Telnet B. FTP C. SFTP D. SMTP
C. SFTP (secure FTP) encrypts data that is transmitted over the network. Option A is incorrect. Telnet is a command-line utility for accessing remote computers and does not provide any security features. Option B is incorrect. FTP (File Transfer Protocol) sends data in clear text that can easily be viewed over the network. Option D is incorrect. SMTP (Simple Mail Transfer Protocol) sends and receives emails and does not provide any security features.
70. You find one of your employees posting negative comments about the company on Facebook and Twitter. You also discover the employee is sending negative comments from their personal email on the company's computer. You are asked to implement a policy to help the company avoid any negative reputation in the marketplace. Which of the following would be the best option to fulfill the request? A. Account policy enforcement B. Change management C. Security policy D. Risk assessment
C. Security policy defines how to secure physical and information technology assets. This document should be continuously updated as technology and employee requirements change. Option A is incorrect. Account policy enforcement regulates the security parameters of who can and cannot access a system. Option B is incorrect. Change management is the process of managing configuration changes made to a network. Option D is incorrect. Risk assessment identifies the dangers that could negatively impact a company's ability to conduct business.
49. Which of the following is typically included in a BPA? A. Clear statements detailing the expectation between a customer and a service provider B. The agreement that a specific function or service will be delivered at the agreed-upon level of performance C. Sharing of profits and losses and the addition or removal of a partner D. Security requirements associated with interconnecting IT systems
C. Sharing of profits and losses and the addition or removal of a partner are typically included in a BPA (business partner agreement). Also included are the responsibilities of each partner. Option A is incorrect. Expectations between parties such as a company and an Internet service provider are typically found in a service level agreement. Expectations include the level of performance given during the contractual service. Option B is incorrect. A service level agreement will provide a clear means of determining whether a specific function or service has been provided according to the agreed-upon level of performance. Option D is incorrect. Security requirements associated with interconnecting IT systems are typically found in an interconnection security agreement.
74. What can a company do to prevent sensitive data from being retrieved by dumpster diving? A. Degaussing B. Capture system image C. Shredding D. Wiping
C. Shredding is the process of reducing the size of objects so the information is no longer usable. Other practices include burning, pulping, and pulverizing. Option A is incorrect. Degaussing is a method of removing data from magnetic storage media by changing the magnetic field. Option B is incorrect. Capturing the system image involves making an exact image of the drive so that it can be referenced later in the investigation. Option D is incorrect. Wiping, also known as overwriting, replaces the data with all zeros to prevent it from being recovered by third-party software.
93. You are replacing a number of devices with a mobile appliance that combines several functions. Which of the following describes the new implementation? A. Cloud computing B. Load balancing C. Single point of failure D. Virtualization
C. Single point of failure is a single weakness that can bring an entire system down and prevent it from working. Option A is incorrect. Cloud computing allows the delivery of hosted services over the Internet. Option B is incorrect. Load balancing divides the amount of work a computer can do between two or more computers. This allows more work to be completed in the same amount of time. Option D is incorrect. Virtualization allows the creation of virtual resources such as a server operating system. Multiple operating systems can run on one machine by sharing resources such as RAM, hard drive, and CPU.
97. Which of the following decreases the success of brute-force attacks? A. Password complexity B. Password hints C. Account lockout threshold D. Enforce password history
C. The account lockout threshold setting defines the number of failed sign-in attempts that will cause a user account to be locked. This policy best mitigates brute-force password attacks. Option A is incorrect. Password complexity is a set of guidelines requiring a password to contain characters from three of the four categories: uppercase letters, lowercase letters, numbers, and symbols. Option B is incorrect. Password hints help users remember their passwords. Option D is incorrect. Password history determines the number of unique new passwords a user must use before an old password can be reused.
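A minimal model of the lockout-threshold setting, added here as an example (not from the book): a threshold of failed sign-ins, a lockout duration and a counter-reset window, with constructed sample credentials and the clock supplied as plain seconds.

```python
import hmac
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    """Constructed policy values, mirroring the usual account lockout settings."""
    threshold: int = 5        # failed sign-ins before the account locks (0 = never)
    duration_s: int = 900     # seconds the account stays locked
    reset_after_s: int = 900  # seconds of quiet after which the failure count resets


@dataclass
class AccountState:
    failures: int = 0
    last_failure_at: float = 0.0
    locked_until: float = 0.0


class Authenticator:
    """Tracks failed sign-ins per user and enforces the lockout threshold.

    `passwords` is a constructed sample credential store; a real system would
    verify against salted password hashes instead.
    """

    def __init__(self, policy: LockoutPolicy, passwords: dict[str, str]):
        self.policy = policy
        self.passwords = passwords
        self.state: dict[str, AccountState] = {}

    def is_locked(self, user: str, now: float) -> bool:
        return self.state.get(user, AccountState()).locked_until > now

    def login(self, user: str, password: str, now: float) -> str:
        """Return 'ok', 'bad_password' or 'locked' for a sign-in at time `now`."""
        st = self.state.setdefault(user, AccountState())
        if st.locked_until > now:
            # While locked, even the correct password is rejected; this is what
            # caps the number of guesses possible per lockout window.
            return "locked"
        if st.failures and now - st.last_failure_at >= self.policy.reset_after_s:
            st.failures = 0  # failures older than the reset window no longer count
        expected = self.passwords.get(user)
        if expected is not None and hmac.compare_digest(
            expected.encode(), password.encode()
        ):
            st.failures = 0  # a successful sign-in clears the counter
            return "ok"
        st.failures += 1
        st.last_failure_at = now
        if self.policy.threshold and st.failures >= self.policy.threshold:
            st.locked_until = now + self.policy.duration_s
            st.failures = 0
        return "bad_password"
```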
88. You are an IT manager and discovered your department had a break-in, and the company's computers were physically damaged. What type of impact best describes this situation? A. Life B. Reputation C. Property D. Safety
C. The correct answer is property. Physical damage to a building and the company's computer equipment can be caused by intentional man-made attacks. Option A is incorrect. Life impact endangers the lives of employees and customers. Option B is incorrect. Reputation impact could damage the image the company has in its community. Option D is incorrect. Safety impact jeopardizes the safety of employees and customers.
64. You are attending a risk analysis meeting and are asked to define internal threats. Which of the following is not considered an internal threat? A. Employees accessing external websites through the company's hosts B. Embezzlement C. Threat actors compromising a network through a firewall D. Users connecting a personal USB thumb drive to a workstation
C. Unauthorized access of a network through a firewall by a threat actor is considered an external threat. Options A, B, and D are incorrect. Each of these threats is considered internal because it can compromise a company's network from within.
76. Zackary is a network backup engineer and performs a full backup each Sunday evening and an incremental backup Monday through Friday evenings. One of the company's network servers crashes on Thursday afternoon. How many backups will Zack need to do to restore the server? A. Two B. Three C. Four D. Five
C. Zackary will need four backups to restore the server if it crashes on Thursday afternoon. The four backups are the Sunday evening full backup and the Monday, Tuesday, and Wednesday evening incremental backups. Options A, B, and D are incorrect. Restoring from incremental backups requires the full backup followed by every incremental backup since then, applied in order.
57. You are the network administrator of your company, and the manager of a retail site located across town has complained about the loss of power to their building several times this year. The branch manager is asking for a compensating control to overcome the power outage. What compensating control would you recommend? A. Firewall B. Security guard C. IDS D. Backup generator
D. A backup generator is a compensating control—an alternate control that replaces the original control when it cannot be used due to limitations of the environment. Option A is incorrect. A firewall is considered a preventive control. Option B is incorrect. A security guard is considered a physical control. Option C is incorrect. An IDS (intrusion detection system) is considered a detective control.
18. Which of the following agreements is less formal than a traditional contract but still has a certain level of importance to all parties involved? A. SLA B. BPA C. ISA D. MOU
D. A memorandum of understanding (MOU) is a type of agreement that is usually not legally binding. This agreement is intended to be mutually beneficial without involving courts or money. Option A is incorrect. An SLA (service level agreement) defines the level of service the customer expects from the service provider. The level of service definitions should be specific and measurable in each area. Option B is incorrect. A BPA (business partnership agreement) is a legal agreement between partners. It establishes the terms, conditions, and expectations of the relationship between the partners. Option C is incorrect. An ISA (interconnection security agreement) is an agreement that specifies the technical and security requirements of the interconnection between organizations.
42. Your company has outsourced its proprietary processes to Acme Corporation. Due to technical issues, Acme Corporation wants to include a third-party vendor to help resolve the technical issues. Which of the following must Acme Corporation consider before sending data to the third party? A. This data should be encrypted before it is sent to the third-party vendor. B. This may constitute unauthorized data sharing. C. This may violate the privileged user role-based awareness training. D. This may violate a nondisclosure agreement.
D. A nondisclosure agreement (NDA) protects sensitive data and intellectual property from getting into the wrong hands. Options A, B, and C are incorrect. An NDA is a legal contract between the company and the third-party vendor not to disclose information covered by the agreement. Encrypted data can still be decrypted by the third-party vendor if it holds the appropriate certificate, so encryption alone does not restrict access to the data. Violating an NDA would constitute unauthorized data sharing, and a violation of privileged user role-based awareness training has nothing to do with sharing proprietary information.
94. Which of the following can help mitigate adware intrusions? A. Antivirus B. Antispam C. Spyware D. Pop-up blocker
D. A pop-up blocker program can help prevent pop-ups from displaying in a user's web browser. Pop-ups can contain adware or spyware. Option A is incorrect. Antivirus software can help prevent the spreading of malware such as worms and Trojans. Option B is incorrect. Antispam software can help reduce the amount of junk email in a user's inbox. Option C is incorrect. Spyware gathers personal information and computer usage habits without the user's knowledge.
90. Each salesperson who travels has a cable lock to lock down their laptop when they step away from the device. Which of the following control types does this represent? A. Administrative B. Compensating C. Deterrent D. Preventive
D. A preventive control is used to avoid a security breach or an interruption of critical services before they can happen. Option A is incorrect. Administrative controls are defined through policies, procedures, and guidelines. Option B is incorrect. A compensating control is used to satisfy a requirement for a security measure that is too difficult or impractical to implement at the current time. Option C is incorrect. A deterrent control is used to deter a security breach.
46. Which of the following can be classified as a single point of failure? A. Failover B. A cluster C. Load balancing D. A configuration
D. A single point of failure is a weakness in the design or configuration of a system in which one fault or malfunction will cause the whole system to halt operating. Option A is incorrect. Failover is the continuous ability to automatically and flawlessly switch to a highly reliable backup. Option B is incorrect. A cluster ensures the availability of critical services by using a group of computers instead of a single computer. Option C is incorrect. Load balancing divides the amount of work a computer can do between two or more computers. This allows more work to be completed in the same amount of time.
48. Your CIO wants to move the company's large sets of sensitive data to an SaaS cloud provider to limit the storage and infrastructure costs. Both the cloud provider and the company are required to have a clear understanding of the security controls that will be applied to protect the sensitive data. What type of agreement would the SaaS cloud provider and your company initiate? A. MOU B. BPA C. SLA D. ISA
D. An ISA (interconnection security agreement) is an agreement that specifies the technical and security requirements of the interconnection between organizations. Option A is incorrect. A memorandum of understanding (MOU) is a type of agreement that is usually not legally binding. This agreement is intended to be mutually beneficial without involving courts or money. Option B is incorrect. A BPA (business partnership agreement) is a legal agreement between partners. It establishes the terms, conditions, and expectations of the relationship between the partners. Option C is incorrect. An SLA (service level agreement) defines the level of service the customer expects from the service provider. The level of service definitions should be specific and measurable in each area.
33. Your company is partnering with another company and requires systems to be shared. Which of the following agreements would outline how the shared systems should be interfaced? A. BPA B. MOU C. SLA D. ISA
D. An interconnection security agreement (ISA) is an agreement that specifies technical and security requirements for planning, establishing, maintaining, and disconnecting a secure connection between at least two companies. Option A is incorrect. A business partnership agreement (BPA) is a written agreement that details what the relationship will be between business partners. This agreement will include each partner's obligations toward the partnership. A BPA can help settle conflicts that arise within the partnership. Option B is incorrect. A memorandum of understanding (MOU) is an agreement of understanding between two or more parties signifying their purpose to work together toward a common goal. An MOU is less formal than an SLA and will not include monetary penalties. Option C is incorrect. A service level agreement (SLA) is an agreement between a company and a vendor that specifies performance expectations. Minimum uptime and maximum downtime levels are included in an SLA. Also included is a monetary penalty should the vendor not be able to meet the agreed expectations.
54. You discover that an investigator made a few mistakes during a recent forensic investigation. You want to ensure the investigator follows the appropriate process for the collection, analysis, and preservation of evidence. Which of the following terms should you use for this process? A. Incident handling B. Legal hold C. Order of volatility D. Chain of custody
D. Chain of custody refers to the chronological documentation showing the custody, control, transfer, analysis, and disposition of physical or electronic evidence. Option A is incorrect. Incident handling is a guide that explains the process and procedures of how to handle particular incidents. Option B is incorrect. Legal hold is a written directive issued by attorneys ordering clients to preserve pertinent evidence in an anticipated litigation, audit, or government investigation. This evidence can include paper documents and electronically stored information. Option C is incorrect. Order of volatility represents the order in which you should collect evidence. In general terms, evidence should be collected starting with the most volatile and moving to the least volatile. Volatile means data is not permanent.
5. What should be done to back up tapes that are stored off-site? A. Generate a file hash for each backup file. B. Scan the backup data for viruses. C. Perform a chain of custody on the backup tape. D. Encrypt the backup data.
D. Encrypting the backup data before storing it off-site ensures data confidentiality. Option A is incorrect. Generating file hashes ensures integrity, that is, that files have not changed or been tampered with. Option B is incorrect. Scanning the backup data for viruses is a task that is performed before the data is restored. Option C is incorrect. Chain of custody refers to the chronological documentation showing the custody, control, transfer, analysis, and disposition of physical or electronic evidence.
24. Which step of the incident response process occurs after containment? A. Preparation B. Recovery C. Identification D. Eradication
D. Eradication is the next step after containment. Options A, B, and C are incorrect. The correct steps of the incident response process are preparation, identification, containment, eradication, recovery, and lessons learned.
36. Which of the following is not a common security policy type? A. Acceptable use policy B. Social media policy C. Password policy D. Parking policy
D. Parking policy generally outlines parking provisions for employees and visitors. This includes the criteria and procedures for allocating parking spaces for employees. Option A is incorrect. An acceptable use policy describes the limits and guidelines for users to make use of an organization's physical and intellectual resources. This includes allowing or limiting the use of personal email during work hours. Option B is incorrect. Social media policy defines how employees should use social media networks and applications such as Facebook, Twitter, LinkedIn, and others, since misuse of social media can adversely affect a company's reputation. Option C is incorrect. Password policy defines the complexity required of passwords. It should also define what constitutes a weak password and how users should keep their passwords safe.
16. Which of the following techniques attempts to predict the likelihood a threat will occur and assigns monetary values should a loss occur? A. Change management B. Vulnerability assessment C. Qualitative risk assessment D. Quantitative risk assessment
D. Quantitative risk assessment is the process of assigning numerical values to the probability that an event will occur and to the impact the event will have. Option A is incorrect. Change management is the process of managing configuration changes made to a network. Option B is incorrect. Vulnerability assessment attempts to identify, quantify, and rank the weaknesses in a system. Option C is incorrect. Qualitative risk assessment is the process of ranking which risks pose the most danger, using categories such as low, medium, and high.
51. Which of the following role-based positions should receive training on how to manage a particular system? A. Users B. Privileged users C. Executive users D. System owners
D. System owner is a type of employee who would receive role-based training on how best to manage a particular system. Option A is incorrect. Users are generally the front-line employees and would receive general security awareness training. Option B is incorrect. Privileged users would receive training on how best to handle additional network and system access. Option C is incorrect. Executive users would receive training on how to spot targeted attacks.
79. A security administrator is reviewing the company's continuity plan, and it specifies an RTO of 4 hours and an RPO of 1 day. Which of the following is the plan describing? A. Systems should be restored within 1 day and should remain operational for at least 4 hours. B. Systems should be restored within 4 hours and no later than 1 day after the incident. C. Systems should be restored within 1 day and lose, at most, 4 hours' worth of data. D. Systems should be restored within 4 hours with a loss of 1 day's worth of data at most.
D. Systems should be restored within four hours with a loss of at most one day's worth of data. RTO is the amount of time within which a process must be restored after a disaster to meet business continuity. It defines how much time it takes to recover after notification of process disruption. RPO specifies the allowable data loss. It is the amount of time that can pass during an interruption before the quantity of data lost during that period surpasses the maximum acceptable threshold set in business continuity planning. Options A, B, and C are incorrect. These restorations do not fall within the description of the plan.
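A worked version of the restore-chain count from question 76 and the RPO check from question 79, added here as an example (not from the book). It also generalizes beyond the question to differential schedules; the dates, backup times and RPO values are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Backup:
    kind: str           # "full", "incremental" or "differential"
    taken_at: datetime  # when the backup completed


def restore_chain(backups: list[Backup], failure_at: datetime) -> list[Backup]:
    """Return, in restore order, the backups needed to rebuild a system that
    failed at failure_at. Only backups completed before the failure are usable."""
    usable = sorted((b for b in backups if b.taken_at < failure_at),
                    key=lambda b: b.taken_at)
    fulls = [b for b in usable if b.kind == "full"]
    if not fulls:
        raise ValueError("no full backup completed before the failure")
    last_full = fulls[-1]
    later = [b for b in usable if b.taken_at > last_full.taken_at]
    incrementals = [b for b in later if b.kind == "incremental"]
    differentials = [b for b in later if b.kind == "differential"]
    if incrementals and differentials:
        raise ValueError("mixed incremental/differential schedules are not handled")
    if differentials:
        # A differential holds every change since the last full backup,
        # so only the newest one is needed.
        return [last_full, differentials[-1]]
    # An incremental holds only the changes since the previous backup,
    # so every one taken since the full backup must be replayed in order.
    return [last_full, *incrementals]


def data_loss(backups: list[Backup], failure_at: datetime) -> timedelta:
    """Worst-case data lost: everything written since the newest usable backup."""
    return failure_at - restore_chain(backups, failure_at)[-1].taken_at


def meets_rpo(backups: list[Backup], failure_at: datetime, rpo: timedelta) -> bool:
    """True when the loss from a failure at failure_at stays within the RPO."""
    return data_loss(backups, failure_at) <= rpo


def weekly_schedule(sunday: datetime, weekday_kind: str = "incremental") -> list[Backup]:
    """Constructed schedule from question 76: a full backup Sunday evening and a
    weekday_kind backup Monday through Friday evenings, all at 20:00."""
    base = sunday.replace(hour=20, minute=0, second=0, microsecond=0)
    return [Backup("full", base)] + [
        Backup(weekday_kind, base + timedelta(days=d)) for d in range(1, 6)
    ]


def question_76(weekday_kind: str = "incremental", rpo_hours: float = 24):
    """The scenario from question 76 (crash Thursday afternoon) checked against an
    RPO: returns the backup kinds in restore order, the hours of data lost, and
    whether that loss meets the RPO. 2024-01-07 is a constructed Sunday."""
    week = weekly_schedule(datetime(2024, 1, 7), weekday_kind)
    crash = datetime(2024, 1, 11, 15, 0)  # Thursday afternoon
    kinds = [b.kind for b in restore_chain(week, crash)]
    loss = data_loss(week, crash)
    return kinds, loss.total_seconds() / 3600, loss <= timedelta(hours=rpo_hours)


if __name__ == "__main__":
    print(question_76())               # 4 backups, 19 hours lost, within a 1-day RPO
    print(question_76(rpo_hours=4))    # same loss, but a 4-hour RPO is not met
    print(question_76("differential"))  # full + newest differential only
```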
23. Your company's security policy includes system testing and security awareness training guidelines. Which of the following control types is this? A. Detective technical control B. Preventive technical control C. Detective administrative control D. Preventive administrative control
D. Testing and training are preventive administrative controls. Administrative controls dictate how security policies should be executed to accomplish the company's security goals. Option A is incorrect. Detective technical control uncovers a violation through technology. Option B is incorrect. Preventive technical control attempts to stop a violation through technology. Option C is incorrect. Detective administrative control uncovers a violation through policies, procedures, and guidelines.
55. You receive a call from the help desk manager stating that there has been an increase in calls from users reporting their computers are infected with malware. Which of the following incident response steps should be completed first? A. Containment B. Eradication C. Lessons learned D. Identification
D. The first step of the incident response process should be identification. The malware needs to be identified, as well as the affected computers. Option A is incorrect. The containment process is designed to minimize the damage and prevent any further damage from happening. Option B is incorrect. The eradication process involves removing the malware and restoring affected systems by reimaging the system's hard drive and installing patches. Option C is incorrect. The lessons learned process is the most critical phase because it is the phase in which you complete any documentation that may be beneficial in future incidents. Documentation should include information such as when the problem was first detected and by whom, how the problem was contained and eradicated, the work that was performed during the recovery, and areas that may need improvement.
14. Your manager has instructed the team to test certain systems based on the business continuity plan to ensure they are operating properly. The manager wants to ensure there are no overlaps in the plan before implementing the test. Which continuity of operation planning concept is your manager referring to? A. After-action report B. Failover C. Eradication D. Tabletop exercise
D. The tabletop exercise is considered a cost-effective and efficient way to identify areas of overlap in a plan before implementing a test. Option A is incorrect. An after-action report examines a response to an incident or exercise and identifies the strengths that will be maintained and built on. It also helps recognize potential areas of improvement. Option B is incorrect. Failover is the continuous ability to automatically and flawlessly switch to a highly reliable backup. This can be activated in a redundant manner or in a standby operating mode should the primary server fail. The main purpose of failover is to provide availability of data or service to a user. Option C is incorrect. The eradication process involves removing the malware and restoring affected systems by reimaging the system's hard drive and installing patches.