CISSP Chapter 6 Ted


An application has been written where two processes are running at the same time. For process A to calculate properly, it needs data from process B. If process A calculates before process B completes, this is an example of which condition? A. Race condition B. Buffer overflow C. Process exhaustion D. Application development

Answer: A A buffer overflow attacks memory due to poor coding and allows the attacker to control the process. Process exhaustion occurs when a process hangs because it has run out of resources. Application development is basic computer coding and is not a negative condition.

Which of the following is NOT a software tool that analyzes source code for bugs and security vulnerabilities? A. Compiler B. SonarQube C. WhiteSource D. Veracode

Answer: A A compiler converts source code into machine language and can find coding syntax errors. SonarQube, WhiteSource, and Veracode search for security vulnerabilities, poorly written libraries, and licensing-related issues to keep the source code accurate and consistent.

You can monitor a website's storage, users, and system loads for effectiveness with which of the following utilities? A. Alerts and logs B. Events and logs C. Metrics and logs D. Thresholds and logs

Answer: A Alerts use thresholds and metrics to immediately inform administrators that a system requires attention. Events are entries that go into log files.

What is a key problem with getting too many false positives and false negatives on a system? A. Alerts eventually get ignored. B. Such systems will not pass NIST standards for compliance. C. The system is functional but requires extra attention. D. The system is about to fail.

Answer: A All alerts, including true alerts, can eventually be ignored. The other options are not true because false alerts are common across most systems.

Tobin is a security manager and has learned that a new software management application has been introduced to the company. Staff are excited to use it because it will double production at half the cost of past methods. What is her BEST recommendation? A. Test the software for vulnerabilities before rolling into production. B. Because of past user testimonials, roll the application into production immediately. C. Because of user demand, roll the application into production immediately. D. Because of financial pressures, roll the application into production immediately.

Answer: A Applications must be tested and baselined before they are rolled into production; otherwise, the results may be a lot worse than a few unhappy users; for example, a financial shortfall.

Level one merchants are required to conduct network scans how often to comply with PCI-DSS? A. Quarterly scans by an Approved Scanning Vendor (ASV) B. Bi-annual scans by internal auditors C. Annual scans by internal auditors D. Annual scans by an ASV

Answer: A Approved scanning vendors (ASVs) are required to run penetration and internal scans, and then report the results to their acquiring financial institution. Level 1 merchants process more than 6 million credit card transactions annually, so they are desirable targets for hackers. Learn more here: https://semafone.com/blog/a-comprehensive-guide-to-pci-dss-merchant-levels/.

Ewa, a chief security officer (CSO), has just discovered that unreleased designs of their next-generation vehicle are in the Car 'n' Driver magazine. What can she do to mitigate future design leaks to the public? A. Implement DLP. B. Implement MAC. C. Implement a forward proxy server. D. Install and program a firewall.

Answer: A Data loss prevention (DLP) is the best solution for stopping insider attacks like this. Mandatory access control (MAC) can help, but the insider leaking the designs may have top-secret clearance. A proxy server enforces security policies, such as which websites can be viewed. A firewall blocks unwanted traffic from entering the corporate network.

Which of the following is NOT a risk of creating an application with open source components? A. When developing under the LGPL license, the application must also be open sourced. B. The developer may stop supporting the component. C. The license may require fees if the primary application uses a for-profit model. D. The open source code may contain some proprietary content.

Answer: A Free software, although usually also free of charge, refers to the specific freedoms granted to users; for example, the right to view the source code. The Lesser General Public License (LGPL) allows the developer to keep their source code closed, if desired, whereas the General Public License (GPL) requires that applications using GPL code must also open source their applications. The other risks can harm the developer financially. You can learn more here: https://www.gnu.org/licenses/lgpl-3.0.html.

Internal audit teams have what advantage over third-party auditing? A. Internal auditors have the best understanding of the technology, people, and processes. B. Internal auditors have exposure to other security methods that are used by other organizations. C. Internal auditors are not concerned with the impact of submitting a negative audit. D. Internal audits are looked at more favorably by regulators over third-party audits.

Answer: A In general, options B, C, and D are advantages of third-party audits.

Gregg is a security manager crafting a preparedness audit for the company. To run the audit, he gets help from his staff and members of the human resources and legal departments. Which type of audit is this? A. Internal B. External C. Third party D. Combination

Answer: A Internal audits are conducted by the organization's staff. External audits occur via a business supplier to ensure their security meets the policy. Since all the testers work for the organization, this is not a third-party audit because this requires hiring an outside organization to conduct the audit. A combination audit would be run by company resources and third-party resources. You can learn more here: https://quality-one.com/auditing/.

Yuki uses measurements based on all possible security alerts and monitors them weekly against her baseline and metrics to ensure she can reasonably protect the organization. These measurement indicators are known as what? A. KCI B. KGI C. KRI D. KPI

Answer: A KCIs are used to evaluate security controls and whether they stay within a given threshold. KRIs measure whether risks fall within tolerances. KPIs are a leading indicator to evaluate whether the organization is on target to achieve the desired goals or objectives. KGIs are lagging indicators that are evaluated once a goal has been reached, and they measure how well the goal was achieved. You can learn more here: https://stratexsystemsadmin.squarespace.com/blog/2013/1/30/kpis-kris-kcis-are-they-different-if-so-does-it-really-matte.html.

Restoring systems back to standard operations after a disaster is known as disaster recovery. What is the process called where vital functions operate immediately after a disaster? A. Business continuity B. MTBF C. MTTR D. Disaster recovery

Answer: A Mean time between failures (MTBF) is a prediction as to when hardware will fail. Mean time to repair (MTTR) is the average time it takes to repair an item after a failure. MTBF and MTTR are related to events or incidents, not business-wide disasters.

Sari just opened her new SocCo soccer warehouse business and is ready to take orders on her brand-new multi-function fax machine. A few months later, she receives several complaints that someone representing SocCo is demanding payments for fees already paid, and desires repayment by gift cards. What is the MOST LIKELY problem here? A. Attackers collected customer information by hacking her fax machine. B. Her bill collection company mistakenly called clients because they never reconciled payments with SocCo. C. The clients never paid their bills, and the bill collection is in order. D. One of her staff mistakenly called the clients, thinking their accounts were past due.

Answer: A Multi-function printers attached to company networks are vulnerable to attacks and can grant a hacker access to the entire network, where they can exploit customer records. Bill collection companies and staff would not request payment via gift cards.

Before auditing work begins, each organization must understand the Terms of Engagement (ToE). Which of the following is NOT part of the ToE? A. Pricing B. Scope C. Responsibilities D. Requirements

Answer: A Pricing is part of the offer letter, after the terms of engagement (often called the rules of engagement) are completed. Scope, objective, definitions, responsibilities, how to handle changes, and requirements are all part of the written terms of engagement.

Paul is a security administrator reviewing audit logs from a security information and event management (SIEM) device. This activity would fall under which category? A. Detective B. Corrective C. Preventative D. Recovery

Answer: A SIEM devices are intrusion detection systems (IDS), not intrusion prevention systems (IPS) such as firewalls. A corrective device corrects the asset state after an exploit; for example, a water sprinkler is a corrective device in case of a fire. Backup tapes are examples of recovery devices that return the asset to its normal state.

Oguchi is a hacker who has crafted an email to collect bank account numbers from victims when they click the link inside it. He sends this email to the COOs and CFOs of Standard Federal. What type of attack is this? A. Whaling B. Spear phishing C. Vishing D. Phishing

Answer: A Spear phishing is close, but since he is targeting Chief Operating Officers (COOs) and Chief Financial Officers (CFOs), this is whaling because they are high-level executives that have more knowledge about the organization. Phishing is similar, but phishing attacks are sent to a broad community, and vishing is done by phone, not email.

What is the next step of the audit process after conducting the audit? A. Document the results. B. Inform management. C. Determine the goals. D. Select audit team members.

Answer: A The eight-step process is 1) Determine goals, 2) Choose business unit(s), 3) Determine scope, 4) Select the audit team, 5) Audit planning, 6) Conduct the audit, 7) Document results, and 8) Communicate the results.

Jozy is a security analyst reviewing log files as part of a standard audit. He has noticed that apparent threats have attempted access at 2 A.M. on system A, but at 4 P.M. on system B. He checks the date on both systems and sees that it's incorrect on one of them. Which utility needs to be set up or tuned properly? A. NTP B. BIND C. DNS D. NAMED

Answer: A The network time protocol (NTP) ensures that all the systems are time-synchronized from a standard server. Domain name service (DNS), NAMED, and BIND are all domain name resolution utilities.

What is the process called where one set of systems runs in a test environment, but gets switched to a production environment when testing completes? The systems that were running in production are now in the test environment. A. Blue-green deployment B. Purple deployment C. Test-prod deployment D. Red-blue deployment

Answer: A The production systems may be on the green servers and being tested on the blue servers. Once testing is complete, blue gets switched to production, and green becomes the test environment. The other options are false options. Red-blue teams are used in ethical hacking exercises, where red is the threat and blue is the defender. Purple members maximize the effectiveness of the hacking exercise. You can learn more here: https://blog.christianposta.com/deploy/blue-green-deployments-a-b-testing-and-canary-releases/.

Which function assists administrators in determining how many shoppers did NOT complete a sale on the website? A. User activity telemetry B. Transaction telemetry C. Application telemetry D. Dependency telemetry

Answer: A User activity telemetry informs administrators of click streams that have been started and abandoned. Transaction telemetry is a false option; there is a feature called transaction traceability that monitors workloads. Application telemetry monitors error messages and the response times of web apps. Dependency telemetry monitors varied response times, such as networks or databases.

What are two aspects of compliance audits? (Choose two) A. They prove that the auditee is following regulatory requirements. B. They must be exclusively performed by third-party auditors. C. They must be exclusively performed by internal auditors. D. They prove that the auditee is following their policies.

Answer: A and B Compliance audits are performed because an organization such as a power plant or brokerage firm needs to show they are following the regulations for their industry.

Two programs that contain lists of known cybersecurity vulnerabilities, displaying an identification number of each vulnerability and description, would be which of the following? (Choose two) A. CVD B. NVD C. MITRE D. NIST

Answer: A and B MITRE is a community-driven effort that tracks and provides the common vulnerabilities and exposures (CVE) list. The national vulnerability database (NVD), provided by NIST, syncs the CVE list of vulnerabilities to their list.

Which two of the following Service Organization Controls (SOC) reports are Type I and Type II reports? (Choose two) A. SOC 1 B. SOC 2 C. SOC 3 D. SOC 4

Answer: A and B The SOC 3 report, which is provided by suppliers, contains general information that's usually posted on a website to prove that an organization practices good security protocols. SOC 4 reports do not exist.

The practice of conducting timely network vulnerability scans helps to discover which two exposures? (Choose two) A. Open ports B. Poor passwords C. Unauthorized services D. File modifications

Answer: A and C Poor password testing is done with tools such as Cain & Abel or John the Ripper. File modifications are checked with integrity checkers such as Nessus. Open ports are checked with tools such as Nmap.

Carli is a security auditor providing results of her audit to the firm. A good audit report contains what types of data? (Choose two) A. Likely threats and vulnerabilities B. A list of known attackers and locations C. An estimate of repair fees that an auditor can provide D. Probability and impact of the exploitation

Answer: A and D A good technical audit also lists the recommended actions to take to reduce the impact of exploitation. A list of attackers and locations is too numerous, and changes by the minute. The auditor must not be the repair person because this is poor separation of duties, and therefore insecure.

Hedvig is a developer who just completed unit testing for her product. Once this test has passed, which test should she run to ensure the entire product is valid before releasing it to production? (Choose two) A. End-to-end testing B. Performance testing C. More unit testing D. Integration testing

Answer: A and D End-to-end testing checks the entire system, while integration testing validates that the different units work together. More unit testing is not necessary, and performance testing tests the product under varied loads, but not in terms of functionality.

Timely log reviews are conducted because they help security professionals uncover which kinds of issues? (Choose two) A. Detect attackers attempting to break into the network. B. Zero days. C. Whether users are using strong passwords. D. Whether files are being modified via integrity checks.

Answer: A and D Zero days are undiscovered vulnerabilities, so log reviews cannot detect these. Authentication tools force users to use strong passwords.

Dzsenifer is an ethical hacker who has been hired by RCG Credit Union to find security vulnerabilities as if she were a high-level executive at the bank. What type of testing is this? A. Gray box testing B. White box testing C. Black box testing D. Red box testing

Answer: B A high-level executive has complete knowledge of the environment and demonstrates the biggest risk as an internal threat to an organization. A black box test simulates an external attacker having no knowledge of the environment. A gray box test simulates some knowledge of the organization, such as an administrator or engineer. Red box is a false option.

Users have been split into two groups to test whether a single difference in a social media website keeps users more interested in the website and on it for longer. What is this testing called? A. Negative testing B. A/B testing C. Red/blue teams D. Penetration testing

Answer: B A/B testing is a basic controlled experiment where a single difference is tested. Red and blue teams are used as part of penetration testing. The red team acts as the hacker, while the blue team acts as the defender. Negative testing hardens applications, checking to see how they will respond to unwanted input.

Arnie is a software developer and suggests to his supervisor to delay the project 1 week so that he can update the application with security mitigations. Why should his supervisor take this advice? A. Because delays are normal in software development projects. B. It costs significantly less to resolve security issues earlier in the process than later. C. Customers are trained to expect projects to always be delayed. D. You should always strive for perfect security.

Answer: B According to NIST and the Ponemon Institute, repairs that might cost $80 to fix during development end up costing $240 to fix at build time. If you were to repair during the quality assurance (QA) process, it would cost $960, and after production, it would cost $7,600. You can learn more about defect costs here: https://owasp.org/www-pdf-archive/APAC13_Keynote_HyojinChoi.pdf.

Nikita is a systems administrator who is in charge of recovering data on a server because the hard drive has crashed. She starts the recovery process and learns that the backup tapes are blank. What did the team neglect to do? A. Test the RAID 0 (zero) system. B. Perform backup verification. C. Use the correct backup tape size. D. Enable encrypted and compressed backups.

Answer: B After encrypted and compressed backups are made, they must be tested. RAID 0 systems don't mirror data like RAID 1 systems do. If the backup tapes did not physically fit, they would have discovered that much earlier.

What is one of the BEST ways of ensuring the business continuity plan stays up to date? A. Updating BCPs is not required if desk checks are done properly. B. Keep the BCP updated as part of change management. C. Conduct quarterly reviews of the BCP. D. Conduct annual reviews of the BCP.

Answer: B As new systems and software are added to the environment, always ask what effect this change will have on business continuity. This is normally done within the change management process. Most teams run change management weekly, so updates are frequent.

Kosovare runs a security training class for her team, teaching them to ask people "Did you forget your badge?" if they see someone wandering around the building without their badge. What can she do to be certain that staff are following their training? A. Run example scenarios in class, pretending someone does not have a badge. B. Hire an ethical hacker to wander around the building without a badge. C. Leave a badge lying in the parking lot and see if someone tries to use it. D. Ask security not to check for badges and allow anyone into the building.

Answer: B Asking security not to check for badges leaves the entire building insecure; this should never be done. Leaving a badge in the parking lot to see if it will be abused is testing a different scenario; we are concerned with people not wearing a badge. Example scenarios in the class are good, but an ethical hacker runs a live case scenario and can provide a report on the experience.

Buffer overflow attacks occur because of poorly written applications. Attackers can exploit this vulnerability and can potentially gain access to the entire computer. They are called buffer overflow attacks because these attacks occur where? A. Spaces on hard drives where files have been marked for removal B. The main memory of the computer C. Unused space in applications D. Unused space within files

Answer: B Data that's written within unused space is called a SNOW attack, a type of steganography attack that hides attacks in plain sight.

An open sourced utility that runs vulnerability scans and penetration tests on a website is called what? A. OWASP APPSEC B. OWASP ZAP C. OWASP API D. OWASP WEBGOAT

Answer: B Features include an intercepting proxy server, automation tools, fuzz testing, and script support. OWASP WebGoat is an intentionally vulnerable website you can practice on with OWASP ZAP. OWASP AppSec Pipeline applies DevOps and Lean principles for designing secure applications. The OWASP API Security Project focuses on mitigating vulnerabilities in application programming interfaces (APIs).

Which of the following is NOT a requirement of the payment card industry data security standard (PCI DSS)? A. Protect stored cardholder data. B. Collect the logins and passwords of each online customer. C. Restrict physical access to cardholder data. D. Regularly test security systems and processes.

Answer: B Maintaining account information for online customers is not a requirement of PCI-DSS.

Virgil is a certified ethical hacker hired to find vulnerabilities in the GRC Bank website as if he were a malicious attacker. What type of testing is he conducting? A. Purple box testing B. Black box testing C. Gray box testing D. White box testing

Answer: B Malicious hackers have no internal knowledge of the environment. White box testing simulates an internal attacker because they have full knowledge of the environment. Gray box means the hacker has some knowledge of the internal environment. Purple box is a false option.

Cloud vendors maintain data and applications using which life cycle steps? A. Migrate --> secure --> monitor --> protect --> configure --> govern B. Migrate --> secure --> protect --> monitor --> configure --> govern C. Migrate --> secure --> protect --> monitor --> govern --> configure D. Migrate --> protect --> secure --> monitor --> configure --> govern

Answer: B Migration refers to moving data to the cloud vendor. Securing data is ensuring that the software can defend against known threats. Protection ensures the data is always available; part of this is making backups. Monitoring tracks the health and availability of data. Configuring ensures that the application is set up to run efficiently. Governance ensures that applications correspond to the policy that has been set up.

Good vulnerability reduction practices include all of the following, except for which? A. Patch updates B. New software C. Closing unused ports D. Firmware updates

Answer: B New software generally contains bugs and needs to be updated and patched immediately. The others are good vulnerability reduction practices.

Debinha is an application developer who has completed a program that accepts credit cards. She simulates being a hacker, attempting to steal credit card information. This is an example of what kind of testing? A. Normal case testing B. Misuse case testing C. Static code analysis D. Code review

Answer: B Normal case testing assumes that you are attempting to use the software in a normal manner, not as an attacker. Code review and static analysis involve other members of the team reviewing each other's source code for the application.

A feature that's available in cloud systems monitors specific metrics to determine if more memory, CPU, or disk space is needed for an application to run efficiently. Once the loads return to normal, the system requirements return to normal. What is this feature called? A. On-demand self-service B. Autoscaling C. Measured service D. Resource pooling

Answer: B On-demand self-service does not operate automatically but requires manual intervention when it comes to adding resources. Measured services can provide more services manually, but not automatically. Resource pooling allows multiple tenants to share resources; if one user overloads the system, it will affect all the users.

When an architect, designer, or developer reuses parts, components, or code instead of validating new replacements, the individual is engaged in which activity? A. Band-aiding B. Technical debt C. Refactoring D. Poor testing

Answer: B Poor testing, band-aiding, and code refactoring, such as reusing code and making small changes so that it works in the new software, are all components of technical debt. These quick fixes are left unvalidated and can end up costing much more to fix as the project moves closer to production.

Diego is an IT manager getting reports that three smaller departments have suffered from ransomware attacks. Because of the company having proper backups, no payments were made. What is his next BEST step? A. Pay the attackers. B. Run phishing exercises. C. Respond with ransomware attacks against the hackers. D. Have staff sign an agreement on not clicking on ransomware links.

Answer: B Ransomware against hackers is considered a hack-back and is against the law. An employee agreement will not help. Most users are fooled into clicking ransomware links since they appear to be normal.

Bug number 535 was fixed with patch number 1. Bug number 435 was fixed with patch number 2. After customers installed patch number 2, several calls to support stated bug number 535 was returned. What type of testing was NOT done in this scenario? A. Acceptance testing B. Regression testing C. Performance testing D. Unit testing

Answer: B Regression testing ensures no functionality is lost or that past fixed problems are not reintroduced into the system. Acceptance testing focuses on meeting requirements. Performance testing checks how the system responds to different loads. Unit testing checks an individual module; this usually results in regression problems because examiners do not continue with a full functional or integration test.

Which of the following SOC reports not only affirms that security controls are in place, but also lists the effectiveness of the security controls? A. SOC 2 - Type I B. SOC 2 - Type II C. SOC 3 - Type I D. SOC 3 - Type II

Answer: B SOC 3 reports do not have differing types, and SOC 2 - Type I shows that security controls are in place.

Davici is an auditor. As part of his inspection, he must review a room where no cameras are allowed due to the risk of a fire occurring. What is his next BEST step? A. Conduct the audit within the room and shoot fewer pictures because the risk of a fire occurring is low. B. Conduct the audit within the room and sketch drawings where required. C. Skip the room; if the rest of the audit passes, provide a positive complete certification. D. Cancel the audit and delay the final certification.

Answer: B Safety first, even when conducting an audit.

A hacker dials multiple phone numbers, attempting to find modems and fax machines. What is this attack called? A. Sandstorm B. War dialing C. War driving D. WarVOX

Answer: B Sandstorm's PhoneSweep and WarVOX are applications that are used to conduct war dialing. War driving is where you scan for Wi-Fi hotspots, usually while driving a car.

One key advantage of virtual machines related to security is which of the following? A. The ability to run applications B. The ability to take snapshots C. The ability to run the Windows operating system D. The ability to run the Linux operating system

Answer: B Snapshots are instant backups. Virtual machines can make snapshots daily, or even more frequently. When data needs to be recovered, it is as simple as reverting to a snapshot, which is much faster than recovering from a backup tape.

Frankie is taking 3 months of leave from AMCO Inc. to stay with his family because they just had a child. How should his accounts be managed while he is gone? A. Make no changes to his account access. B. Suspend his login credentials. C. Make no changes to his account access but enforce a password change upon his return. D. Delete his account.

Answer: B Temporarily suspending access protects Frankie's data. At the same time, the account is not vulnerable to hackers since it has been temporarily closed. Timely password changes are important, but if the account is left open while he is gone, it is still vulnerable to attack.

Which of the following is NOT a requirement of the payment card industry data security standard (PCI DSS)? A. Maintain a firewall to protect cardholder data. B. Securely store credit card numbers and CVC codes. C. Do not use default settings or default passwords. D. Use and regularly update antivirus software.

Answer: B The card verification code (CVC) that is on the back of most credit cards should not be saved by the merchant.

QWRK Inc.'s software product has just released an update for their application. Soon, the hotline is overwhelmed with calls about a defect. What is the MOST LIKELY thing to have occurred? A. Users have not upgraded to the latest release of the application. B. A developer did not test the code before pushing it to the Git master branch. C. QWRK's hotline is the victim of a Telephony Denial of Service (TDoS) attack. D. Several hundred customers had their caps lock key on when they tried to enter their new passwords.

Answer: B The hotline was not overwhelmed until the new software was released, so customers performed the update. The attacker behind a TDoS attack would not hang on the phone line long enough to open a service call about a defect. Most systems warn users that their Caps Lock key is on when entering their passwords.

Griedge is a network administrator who keeps router and switch firmware updated. She scans each update for malware and verifies the hash values. Users have noticed anomalies in the network and have discovered that hackers have gained entry. What caused this? A. A hacker was able to infect the routers and switches with malware after the firmware updates. B. A hacker was able to get malware installed in the firmware source code. C. An inside attacker infected the routers and switches with malware after the firmware updates. D. Untrained users unintentionally installed malware on their routers and switches after the firmware updates.

Answer: B The update developer created a hash value for code they believed was credible; therefore, the resulting hash gets marked as trusted, even though the code should be marked as untrusted. Malware protection scanners would have picked up issues in options A, C, and D.

A computer job is running multiple threads. The value from thread A is passed to thread B a few seconds after the value is defined. If the value is altered within the few seconds before it reaches thread B, and thread B uses this new value, what kind of error occurs? A. Bug B. TOCTOU C. Docker D. Race condition

Answer: B This is a bug, but there is a more specific answer. Time-of-check to time-of-use (TOCTOU) is the result of a race condition where the value is not verified immediately before it's used by the next computational thread. Docker is a utility that's used to clone a virtual machine image.

Antoine is an auditor who needs to conduct an audit remotely from home because of a worldwide pandemic. An issue is discovered during the planning phase. What must be resolved? A. There is no such thing as a remote audit. All audits must be conducted onsite. B. Antoine currently uses dial-up internet at his home. C. Wireless internet at the company site is secure. D. The equipment operator does not like appearing on camera.

Answer: B This question is intentionally vague because the real exam contains some questions like this where certain likely assumptions must be made; that is, to conduct a remote audit, there will need to be a live video feed. Dial-up internet is too slow for viewing the video stream from the audit site. Remote audits are allowed when necessary; for example, during a worldwide pandemic. Corporate policies should cover whether an employee can be on camera. You can learn more about audits at https://iaf.nu/articles/FAQ/288.

Hugo runs the business continuity planning board. After completing other testing, he is ready to run a full test in the production environment. Which test should he choose to run? A. Structured walkthrough test B. Full interruption test C. Desk check test D. Checklist test

Answer: B Walkthroughs are what they sound like, where the team walks through a scenario without touching the production systems. Desk checks and checklist tests allow the team to discuss scenarios and make educated guesses as to how to best recover from disaster. Full interruption tests use live systems to evaluate responses to a disaster.

Earnie is developing a website and has concerns that the website will look different on a smartphone, a computer, and a tablet. What kind of testing can he do to ensure the website will look good on all devices? A. Website testing B. Interface testing C. Code review D. Misuse case testing

Answer: B Website testing is too general an answer. Interface testing is specifically what needs to be done: testing the website with each device. A code review is where the source code is inspected by a team, while misuse testing is intentionally trying to break the software's security.

Integrating security validation into applications that are part of the DevOps cycle is also known as what? (Choose two) A. DevOps B. Rugged DevOps C. DevSecOps D. Development

Answer: B and C DevOps is the combination of development and operations, which includes testing and release to production. You can learn more about rugged DevOps here: https://insights.sei.cmu.edu/blog/build-devops-tough/.

Members of a software development team inspect each other's programming for bugs, bloat, and poor assumptions. This is an example of which activity? (Choose two) A. Vericoding B. Code review C. Static code analysis D. Dynamic code analysis

Answer: B and C Dynamic code analysis is where we validate results when users run the application. Vericoding is a false option.

What are two key differences between internal and external auditors? (Choose two) A. Internal auditors have a black box view of the organization. B. External auditors are more effective because they are not affected by internal bias. C. Internal auditors can measure effectiveness based on a recent baseline. D. External auditors are more affected than internal auditors by the politics of the organization.

Answer: B and C Internal auditors have a white box view of the organization because they know all the details of the company. Internal auditors are more affected by organizational politics, and these relationships could cause them to alter the results so that they're more favorable to companies or business units.

Which Service Organization Controls (SOC) reports related to security and privacy do NOT focus on financial controls? (Choose two) A. SOC 1 B. SOC 2 C. SOC 3 D. SOC 4

Answer: B and C SOC 1 reports focus on financial services and policies, such as proper accounting and bookkeeping standards. SOC 4 reports do not exist.

Which two common vulnerabilities are typically found during internal scans? (Choose two) A. Wireshark results B. Open network ports C. Unpatched systems D. Nessus results

Answer: B and C Wireshark and Nessus are tools that are used to discover vulnerabilities.

Two free, open source utilities that security administrators use to verify whether users are prone to phishing attacks are called what? (Choose two) A. Hak5 B. Gophish C. Kali D. King Phisher

Answer: B and D Hak5 and Kali provide security toolkits that contain phishing simulators, but these are general-purpose ethical hacking utilities. Gophish and King Phisher provide phishing simulators with GUI environments showing users that fell victim to the email.

Pernille just ran a scan on her website and discovered that a hacker dropped files into her web server. The result of this test is considered which of the following? A. False positive B. False negative C. True positive D. True negative

Answer: C A true negative rarely gives an alert because no problem has been detected. An example of a false positive is when a user attempts to download a file but is denied because the system incorrectly sees them as a threat. A false negative would not have reported a website breach. To learn more about true and false positives and how they work, visit https://bit.ly/3cTBFIU.

Vivianne is a security tester working with management to determine which systems and departments to examine for an assessment. They also need to explain which processes need to be monitored. This is an example of which phase of the penetration test? A. Executing exploits B. Conducting documentation C. Defining the scope D. Running reconnaissance

Answer: C After defining the scope of an audit, penetration testing includes reconnaissance, enumeration, vulnerability analysis, launching the exploit, and documenting the final report for management.

The main difference between a business continuity plan (BCP) and a disaster recovery plan (DRP) is which of the following? A. The BCP requires testing, but the DRP does not because it is not as critical as business continuity. B. The DRP ensures the core business functions operate during a disaster; the BCP details steps to restore to normal operations after a disaster. C. The BCP ensures the core business functions operate during a disaster; the DRP details steps to restore to normal operations after a disaster. D. There really is no difference because they both reduce downtime.

Answer: C Business continuity plans and disaster recovery plans must be tested to ensure the organization can operate and recover after a major disaster, such as a fire or tornado.

Sacha is a software developer in the area of research and development and requires beta application updates, and sometimes alpha releases. This would make him what type of user? A. Early adopter B. Mature user C. Canary user D. End user

Answer: C Canary users desire bleeding-edge features as soon as possible. Early adopters use applications after some testing and may use higher generation beta software, but not early releases. End users only use applications after thorough testing, often using older software versions because they do not trust newly released gamma software.

Cobi is a new business owner and has just purchased 100 prospect leads from Glengary Leads. The prospects are guaranteed to be interested in real estate opportunities. What is his GREATEST risk? A. That only 90% of prospects will have interest in real estate opportunities. B. That only 50% of prospects will have interest in real estate opportunities. C. The lead list is stale because Glengary Leads has a poor reputation. D. That only 10% of prospects will have interest in real estate opportunities.

Answer: C Cobi should validate and verify his suppliers before using them. Cobi starts calling the prospect leads that he bought, and several prospects complain to him that they wish the phone calls would stop because the same leads were sold to several others, and they are calling the same prospects. He will eventually find that Glengary Leads will not honor their guarantee because they will not respond to his requests for a refund.

Data remediation and reconciliation projects help keep records clean and consistent. Systems that monitor records for inconsistencies, and alert administrators of inefficiencies, are known as what? A. Remediation systems B. Reconciliation systems C. Continuous auditing and analytics D. Information governance

Answer: C Continuous auditing and analytics enforces good information governance, which includes remediation and reconciliation to keep records such as social security numbers, phone numbers, pricing, costing, and more clean and consistent.

When simulating an attack on an organization with penetration testing, which test should be done FIRST? A. Both tests should be done at the same time. B. External penetration test when done with automated tools; otherwise, internal penetration test is done first. C. External penetration testing. D. Internal penetration testing.

Answer: C External penetration testing simulates a threat from outside the company and helps expose vulnerabilities that can be exploited. Then, an internal penetration test is performed to simulate what an attacker can do after exploiting external vulnerabilities. The internal test also simulates an insider attack. These tests can be performed by corporate teams or professional third-party organizations.

Gyasi measures single loss expectancies, along with likelihoods, to evaluate whether he should purchase insurance or provide his own mitigations to protect corporate assets. These measurement indicators are known as what? A. KCI B. KGI C. KRI D. KPI

Answer: C Key control indicators (KCIs) are used to evaluate a security control and whether it stays within a certain tolerance level. Key risk indicators (KRIs) measure whether risks fall within tolerances that have been measured against SLEs. Key performance indicators (KPIs) are leading indicators for evaluating whether the organization is on target to achieve a goal. Key goal indicators (KGIs) are lagging indicators that are evaluated once a goal has been reached.

Mix is the chief security officer (CSO) of MLX Corp, and he is helping the security managers find the best security controls to protect their assets. Which technique does he advise the security managers to use to select the best controls? A. Calculate single loss expectancies. B. Rank threats and vulnerabilities. C. Conduct risk analysis. D. List all assets and recommended safeguards.

Answer: C Listing assets and safeguards, ranking threats and vulnerabilities, and calculating single loss expectancies (SLEs) are all phases of the risk analysis process.

When attackers use Google searches, WHOIS results, and Wikipedia articles to learn about their potential victim, they are using what kinds of materials? A. Privately accessible B. Double-blind C. OSINT D. Library

Answer: C Open source intelligence (OSINT) uses common free, legal, and publicly available tools to learn about the target.

XYZ bank has been shut down due to a tornado that destroyed the building. Staff have attempted to call their managers on their cell phones, but a few numbers have changed, so they have reached the wrong people. Also, no one is familiar with first aid or CPR to assist the injured. How could the bank have been better prepared? A. Hire an on-site nurse. B. Keep the phone and extension lists updated. C. Run a desk check. D. Train the staff on the best escape routes.

Answer: C Part of the desk checking process is to make sure phone numbers are updated, training programs are implemented on escape routes and first aid, and to determine whether everyone knows their role as part of a disaster.

Alyssa is a security system administrator taking a Linux class and learning how to hack networks with a utility called Kali. This type of learning falls under which category? A. Awareness B. Professional development C. Training D. Education

Answer: C Professional development and education are formalized programs where students can obtain credit hours toward a certificate or degree. Training includes classes that are designed to teach an individual a new skill. Awareness is exposure to different subjects so that people can recognize security issues and respond to them better.

Several signs and emails warn staff not to pick up and use USB drives found in parking lots or elsewhere. These types of security notices fall under which category? A. Training B. Professional development C. Awareness D. Education

Answer: C Professional development and education are formalized programs where students can obtain credit hours toward a certificate or degree. Training includes classes that are designed to teach an individual a new skill. Awareness is exposure to different subjects so that people can recognize security issues and respond to them better.

Which BEST represents the five-step penetration testing process? A. Reconnaissance --> Assess vulnerabilities --> Scan --> Exploit --> Reporting B. Reconnaissance --> Scan --> Exploit --> Assess vulnerabilities --> Reporting C. Reconnaissance --> Scan --> Assess vulnerabilities --> Exploit --> Reporting D. Reconnaissance --> Exploit --> Assess vulnerabilities --> Scan --> Reporting

Answer: C Reconnaissance allows the attacker to collect information about a target, such as their IP address and location. The scanning phase is where the attacker enumerates the devices that have been found. Next, they need to see which devices are vulnerable. Finally, an ethical hacker will launch exploits without causing harm and report the findings to management.

Rose has conducted an audit for MMOH Enterprises, but because of a missing part, she cannot complete the audit. The part will arrive next week. What is her next BEST step? A. Pass MMOH as a completed audit and apply for the certificate of success. B. Fail MMOH Enterprises and schedule the next 3-year audit. C. Schedule a time when the audit can be completed. D. Redefine the scope of the audit.

Answer: C Regulations may not allow the audit to be redefined, and audits must be completed before they are certified.

Frances has just completed version 1.0.1 of their website and has switched over to the new version. Customers are complaining their purchases are failing. What is Frances' next BEST step? A. Revert to version 0.99.1 of the website, even though it performs at 10% of normal operations. B. Keep version 1.0.1 of the website running, quickly find a fix, and update the website to 1.0.1 when it's complete since the changes are minimal. C. Revert to version 1.0.0 of the website and do further testing of 1.0.1 before uploading it. D. Keep version 1.0.1 of the website running, quickly find a fix, and update the website to 1.0.2 when it's complete.

Answer: C Revert to a known-good version so that the organization does not lose sales. The other options risk losing business and customer goodwill.

Alejandro has noticed that a standard system file is missing. What utility can he use to help determine who deleted the file? A. Folder auditing B. Directory auditing C. File auditing D. Server auditing

Answer: C Server, directory, and folder auditing are too broad for validating the entire server, directories, and folders, respectively. File auditing just validates files and informs Alejandro who modified, created, or deleted a file.

A hacker compromises Kasey's account and uses malware to gain administrator rights. What is the term for when a hacker elevates their privileges? A. Verification B. Validation C. Privilege escalation D. Privilege creep

Answer: C Verification ensures all the components are in place, while validation ensures that all the components are effective. Privilege creep is the accumulation of privileges that you might obtain as you move from department to department within an organization.

Amel is a security professional who believes hackers are within her network. She is concerned they are successfully covering their tracks by modifying log files. What are two steps she can take to mitigate altered log files? (Choose two) A. Run consistent network scans. B. Install mantraps in the most vulnerable locations of the building. C. Write to WORM media. D. Periodically copy log files to remote locations.

Answer: C and D Write-once read-many (WORM) media cannot be modified once written. This media prevents attackers from deleting their entries. Also, hackers cannot delete entries from remote systems they cannot access. Mantraps lock a threat in a room until security staff arrives. Network scans search for open ports and services.

Steph is a security administrator who only wants to be notified of valid staff not gaining entry (false negative) when alerts reach three per minute. This level of notification would be considered a what? A. False negative counter B. Control zone C. Baseline D. Clipping level

Answer: D A baseline is considered an expected normal level for alerts; this value could be higher or lower than the clipping level. False negative counters and control zones are both false options.

A centralized system that analyzes, correlates, and retains log files for the entire corporate network is known as which device? A. TACACS B. LDAP C. Kerberos D. SIEM

Answer: D A security information and event management system (SIEM) logs and tracks events over the entire network. Kerberos, LDAP, and TACACS are network-based authentication systems, and they only log authentication events.

The key difference between a vulnerability scan and a penetration test is which of the following? A. There is no difference between the two as they both search for vulnerabilities. B. Vulnerability testing is done only in physical environments to ensure the exit and safety doors are not vulnerable. C. Penetration testing is done only in logical environments to ensure firewalls are not vulnerable to attack. D. A vulnerability scan searches for vulnerabilities, but a penetration test exploits vulnerabilities.

Answer: D Both types of testing are done in physical, logical, and administrative environments, and both search for vulnerabilities, but penetration testing takes the extra step of running exploits, ideally doing no harm.

In the arena of software development and using the principles of continuous integration (CI), developers work in which order before releasing finished code to production? A. Test --> build --> code B. Build --> code --> test C. Code --> test --> build D. Code --> build --> test

Answer: D Coding, building, and testing are the correct steps to take when developing code before releasing it to production. Most releases start smaller with some form of beta testing before being released to a wider audience.

Which individual is responsible for data classification? A. Data processor B. Data custodian C. Data user D. Data owner

Answer: D Data users can access the data if they meet the correct classification level. The data custodian is in charge of making good backups. The data processor uses this information to send postal mail and emails. The data owner is legally accountable if the data is breached.

As part of a physical audit, Wendie discovers several notes in wastebaskets revealing social security numbers, tax identification numbers, birth dates, and home addresses. Which attack did he execute to discover this issue? A. Social engineering B. Phishing simulation C. Wastebasket check D. Dumpster diving

Answer: D Dumpster diving is more detailed than social engineering, even though dumpster diving is a type of social engineering. The wastebasket check is a false option. Phishing simulations are done via email.

Nilla is the manager of the business continuity plan board and wants to run a very simple, low-effort drill that ensures most of the vital pieces are in place in case of a disaster. Which test does she seek to run? A. Full interruption test B. Cutover test C. Parallel test D. Desk check test

Answer: D Full interruption and cutover tests simulate a disaster using production systems. Parallel tests build up systems that are identical to production systems and simulate a disaster on the secondary systems. A desk check involves the team reviewing and updating a checklist of items that are important in case a disaster occurs.

Irene is a network manager whose team has recently installed 50 IP cameras. Practicing good security, all default logins and passwords were changed to strong credentials. It is later discovered that one of the cameras is being used as an attack vector to breach the corporate network. What did the team miss? A. They forgot to change the credentials of the breached camera. B. A team member installed a 51st camera with the default credentials. C. Malware is within the cameras that go back to the manufacturer. D. The camera had a hardcoded password.

Answer: D Hardcoded passwords are written into the firmware. The best way to remove these is with a security firmware update from the manufacturer. The team changed all the credentials, so they did not miss one. Also, they only installed 50 cameras according to the question. If malware from the manufacturer were involved, several cameras would have been breached, not just one.

What steps should be followed for an internal audit to ensure that the security study is beneficial? A. Define audit --> Define threats --> Assess current status --> Resolve --> Prioritize B. Define audit --> Define threats --> Prioritize --> Assess current status --> Resolve C. Define threats --> Define audit --> Assess current status --> Prioritize --> Resolve D. Define audit --> Define threats --> Assess current status --> Prioritize --> Resolve

Answer: D Internal security audits help mitigate data breaches. Conducting an audit at the best value involves the five steps provided in answer D. For more details, visit https://blog.dashlane.com/conduct-internal-security-audit/.

Tab is a systems administrator putting together a backup strategy to secure his files. Which of the following statements is correct? A. In general, differential backups are no different than incremental backups. B. In general, making full backups every day is not recommended. C. In general, differential backups require more tapes to restore, but daily differential backups are faster. D. In general, incremental backups require more tapes to restore, but daily incremental backups are faster.

Answer: D Many companies make daily full backups, which simplifies recoveries because only one tape is needed. Differential backups require fewer tapes to restore than incremental, but daily backups generally take longer.

Which groups are MOST responsible for data leaks of personally identifiable information (PII)? A. Hackers and script kiddies B. External hacktivists C. Nation-sponsored hackers D. Employees and contractors

Answer: D Nation-sponsored hackers and other hackers often persuade employees to leak data by offering them money or making threats. Script kiddies are people who are new to hacking and generally harm themselves more than others. Hacktivists are driven by a cause; for example, they may really want people to use stronger passwords. Learn more about data breaches here: https://www.pandasecurity.com/en/mediacenter/security/who-is-to-blame-data-breaches/.

Sadio is the president of Generic Plastics. To win a bid with a Fortune 500 company, Generic Plastics must respond to the company's request for its SOC 2 reports; the company states it needs more detail than the SOC 3 provides. SOC 2 reports are internal-only reports. What should he do? A. Inform the Fortune 500 company that SOC 2 reports are Generic Plastics-internal only. B. Provide the SOC 2 reports to the Fortune 500 company, but do not inform the board. C. Follow the policies of the Fortune 500 company. D. Follow the policies of Generic Plastics.

Answer: D Policies may allow internal data to be released, depending on the size of the deal or the relationship. If Generic Plastics has such a policy, it must provide the SOC 2 reports to the Fortune 500 company, so following Generic Plastics' policies is the best answer here.

The practice of capturing and analyzing live user transactions from a website or application to monitor the user experience, or measure the performance of the application, is known as what? A. RPM B. DNF C. YUM D. RUM

Answer: D Real-user monitoring (RUM) measures user and application performance. Yellowdog Updater, Modified (YUM), Red Hat Package Manager (RPM), and Dandified YUM (DNF) are Linux package management tools.

DeMarcus is an ethical hacker attacking HART Hospital, as authorized by their chief information security officer. Federal investigators notice the attack and raid DeMarcus' facility and arrest him. What is the MOST LIKELY reason for him being arrested? A. All hacking is against the law, including ethical hacking. B. He was attacking HERT Hospital instead of HART Hospital, which was unapproved. C. He was attacking the human resources department instead of the financial department, as per the agreement. D. He started the attack before getting his Get-Out-of-Jail-Free-Card document.

Answer: D Running approved penetration tests is not against the law. Once chief management has agreed to the test, they need to provide a Penetration Test Approval document to the ethical hacker in case they appear malicious to authorities. This includes the contact information of top management so that the authorities can contact them and ensure the hacking was approved.

Maurice operates a website selling car parts. From time to time, customers click on the link for reporting a problem with the website. One customer wrote that she cannot find a part for her 1980 Chevy Chevette. What is the next step Maurice must take? A. Ignore the message because it has nothing to do with a website issue. B. Contact Chevy to see if he can get the part for her. C. Ignore the message because he does not sell parts for Chevy cars. D. Contact the customer.

Answer: D The next step is to contact the customer to learn more about the issue and determine which part she needs. This is because if Maurice contacts Chevy first, he will not know which part to order. If Maurice ignores customers' issues, they will eventually feel like he does not care about them, and they will shop elsewhere.

Several engineers at Desel Corp are getting phone calls from a salesperson to make a $5,000 investment in gold. What caused this? A. Vishing B. War dialing C. PhoneSweep D. An engineer responded to an advertisement in a magazine.

Answer: D The question asked what caused the attack, not the type of attack being performed. The technique the boiler room operators are using is known as war dialing. They dial through all the extensions the original investor gave them by responding to the advertisement. This is a type of vishing attack because the attackers are selling investments they do not own. PhoneSweep is a tool that's used for war dialing.

Paul is a hardware technician who needs to replace the hard drive on the server. To complete this job, all users must be off the server. However, checking remotely every 10 minutes, he has noticed that three users are still on the system. What is a better way for him to determine whether users are still logged on? A. Physically walk to each user's office and visibly determine whether they are still logged on to the server. B. Email all logged-on users, asking them to reply to the message once they are ready to log off the server. C. Text the users, asking them to call or text Paul once they have logged off the server. D. Create a synthetic transaction that polls for users every 5 minutes and then texts Paul when there are no users on the server.

Answer: D This is a great case for using synthetic transactions. Physically walking to each user could take too much time because they could be 100 miles away from Paul. Email and texting are good, but the user might forget to contact Paul after logging off.

Any testing that's performed where the evaluator has zero knowledge of the environment is also known as which kind of test? A. White box testing B. Red box testing C. Opaque testing D. Blind testing

Answer: D White box testing would mean the evaluator has full knowledge of the environment. Red box and opaque are false options.

RMFco announced they have resolved a zero day in their code. What should their clients do next? A. Wait to hear how early adopters are doing with the new security patch. B. Download the security patch, but do not install it until the CEO approves. C. Wait for RMFco to make a rollup patch with all their latest patches. D. Download the new security patch, test it, and install it on their production systems.

Answer: D Zero days are major security issues that hackers exploit, and there is no fix for the vulnerability yet. Once a fix is created, the update needs to occur as soon as possible.
