CISSP Practice Questions
There are six major sets of activities applied throughout the data security lifecycle. Which of the following is not one of those steps? (2.4) A. Creating B. Assigning C. Sharing D. Archiving
The correct answer is B. Conceptually, the six sets are creating, storing, using, sharing, archiving and disposing.
As of 2021, how many countries are members of the Asia-Pacific Economic Council (APEC)? (1.4, 1.5) A. 4 B. 11 C. 21 D. 22
The correct answer is C. APEC members include Russia, People's Republic of China, Viet Nam, Thailand, Malaysia, Singapore, Republic of Korea, Japan, Chinese Taipei, Hong Kong (China), Philippines, Brunei Darussalam, Papua New Guinea, Indonesia, Australia, New Zealand, Canada, United States, Mexico, Peru and Chile.
The right to erasure became EU law in 2018 as a part of the General Data Protection Regulation (GDPR) legislation. When an application to be forgotten is made, does the subject have to specify a reason? (1.4, 1.5) A. Yes, always. B. Yes, sometimes, but it depends on the organization. C. No. D. What is the right to erasure?
The correct answer is C. Individuals can request that all personal data is removed from an organization's database without needing to specify a reason. Not all organizations need to comply, though; if the information affects national security or public interest, then the request might be denied. The right to be forgotten is another term for the right to erasure.
Network and systems security is what type of asset? (2.1) A. Hardware B. Software C. Information D. Firmware
The correct answer is C. Information assets are sets of ideas, numbers, values, or relationships that form the core of the digital organization. The remaining answers are examples of more defined forms of assets.
Generally speaking, who or what provides link encryption? (2.6) A. Users B. Certain software C. Service providers D. The organization
The correct answer is C. Link encryption is performed by service providers, such as a data communications provider on a frame relay network. Link encryption encrypts all the data along a communications path (e.g., a satellite link, telephone circuit, or T-1 line). Organizations may purchase services like a T-1 line, which both users and software can use.
Which of the following assets is not traditionally considered tangible? (2.3) A. A router B. The corporate offices C. Software D. A laptop
The correct answer is C. Tangible assets are those that have physical existence, such as computer servers or buildings. Intangible assets are those that exist in the mind, such as reputation. Software, however, is not considered tangible in a traditional sense; although it does have a physical presence, it cannot be touched, even though it can be copied many times. Under accounting rules, businesses are allowed to capitalize software as if it were tangible.
Discrete logarithms in a finite field are examples of which of the following? (3.6) A. A type of algorithm B. Encryption processes C. Trapdoor functions D. Processes used to try and defeat encryption systems
The correct answer is C. Trapdoor functions are the calculations used to create keys in an asymmetric encryption system; they are complex and difficult to reverse. Choices A and B might use trapdoor functions, but the function itself is used for key generation. Trapdoor functions actually make it more difficult to defeat asymmetric encryption.
What category of security control is designed to function when a primary control fails? (2.6) A. Directive B. Corrective C. Recovery D. Compensating
The correct answer is D. A directive control (choice A) establishes correct or required behaviors or actions and restricts actions. A corrective control (choice B) reacts to a situation in order to remediate or restore operations. A recovery control (choice C) is designed to restore operations to a known good condition.
A common definition of a cybercrime includes all of the following except the use of which? (1.5) A. Information B. Information systems C. Information technology D. Known software flaws
The correct answer is D. A software flaw would be included in both A and B.
Which of the following is an example of an identity store? (5.2) A. Kerberos B. LDAP C. X.500 D. All of these
The correct answer is D. All answers are identity stores, which are essentially databases. LDAP (choice B) is a lightweight version of X.500 (choice C). Kerberos (choice A) is a network authentication protocol, which is a ticket-based system. The tickets are used to allow hosts to identify themselves over the network.
What BEST describes the term security alignment? (1.3) A. Fitting resources together to achieve goals and objectives B. Designing security to meet legal requirements C. Designing security to meet regulatory requirements D. All of these
The correct answer is D. Security alignment refers to aligning security strategies with the goals and objectives of the business and legal and regulatory requirements. Misalignment will result in unnecessary expenditure, a general weakening of the security posture and potential legal ramifications.
Which asymmetric cryptographic system provides confidentiality and non-repudiation? (3.6) A. RSA B. Diffie-Hellman C. Blowfish D. AES
The correct answer is A. Rivest-Shamir-Adleman (RSA) offers integrity, confidentiality and digital signing. Diffie-Hellman, more properly known as Diffie-Hellman-Merkle (choice B), is used for session (pre-shared) key generation and distribution. Choices C and D, Blowfish and advanced encryption standard (AES), are both symmetrical encryption algorithms.
What cryptographic practice covers the act of hiding something within something else? (3.6) A. Cartography B. Steganography C. Cryptology D. Cryptography
The correct answer is B. Cartography (choice A) is the art of mapmaking. Cryptology (choice C) is the study of codes. Cryptography (choice D) is the practice of creating and using codes.
Intellectual property (IP) pertains to intangible creations of human creativity. Of the four types of IP protection, which provides the weakest protection, since its existence is assumed? (1.5) A. Patent B. Copyright C. Trademark D. Trade secret
The correct answer is B. The act of taking a photograph or writing a song does not require a formal process to achieve copyright protection; at the time the picture is taken, the right to control any copies is created and resides with that person. In a copyright dispute, the parties would have to produce evidence that they produced this material first. A patent (choice A) requires investigation before the patent is granted as does a trademark (choice C), and both incur a cost to establish the protection. A trade secret (choice D) is protected by having a commercial value, is known to a limited group of individuals and is reasonably protected.
In CSMA/CD, what does the CS component check for? (4.1) A. If a carrier line is present B. If there is a carrier present C. If nodes are connected D. Connection speed
The correct answer is B. The carrier or signal indicates activity on a network cable. Carrier sense (CS) is looking for the presence of a signal, and nodes will not transmit until the signal is gone, denoting that a transmission has been completed. No carrier present would mean that there is no network connection. Choices C and D are incorrect because they are not what carrier sense checks for: no node would result in transmission failure, while nodes really do not care about line speed.
Kerckhoffs's Principle asserts that a cryptographic system will remain secure even if everything about it is public knowledge except which one of the following? (3.6) A. The algorithm B. The process C. The key D. If everything is known, then the system can't be secure.
The correct answer is C. Algorithms (choice A) are, in most cases, freely available, which means that a would-be attacker will always have access to most elements. The key, however, must be protected and kept secret.
We are, perhaps, familiar with the concepts of platform as a service (PaaS) and infrastructure as a service (IaaS), but these have been extended to include those in the following list of possible answer choices. All of these are defined under ISO/IEC 17788 except which one? (3.5) A. Communication as a service (CaaS) B. Compute as a service (CompaaS) C. Network as a service (NaaS) D. Data storage as a service (DSaaS)
The correct answer is C. NaaS is defined under ISO/IEC 17789. ISO 17788 provides a common vocabulary for cloud computing terms, whereas 17789 is more technical and describes how aspects of the cloud work together.
Which of the following is not an example of data at rest? (2.6) A. Data stored on a hard drive B. Data stored in the cloud C. Data that is being displayed on a screen in read-only mode D. Data being backed up to a storage area network (SAN)
The correct answer is C. The three data states are at rest, meaning in any form of storage such as choices A and B; in use, which includes creating, reading or altering it; and in transit (or in motion), as in choice D. Note that users, their applications and the operating systems supporting their work each may sometimes see the same data as being in different states at the same moment.
Granting users only the permissions required to carry out a task(s) is known as what? (3.1) A. Need to know B. Separation of duties C. Defense in depth D. Least privilege
The correct answer is D. Least privilege is the practice of granting a user the minimum permissions necessary to perform their explicit job function. The concept of defense in depth (choice C) is using a layered approach when designing the security posture. Separation of duties (choice B) occurs when more than one person is required to complete a task. The principle of need to know (choice A) occurs by telling users only what they need for a specific task.
What is a VLAN? (4.1) A. A specialized switch B. A specialized hub C. A specialized router D. A logical separation configured within a switch
The correct answer is D. Switches contain a component known as the primary virtual local area network (VLAN). This primary VLAN can be split or sub-divided to create software-based local area network (LAN) segments known as secondary VLANs. Due to the highly configurable nature of routers (choice C) and switches (choice A), they can be specialized devices. Hubs (choice B) are dumb devices and simply broadcast all traffic.
Does the Fourth Amendment guarantee protection against all search and seizure? (1.4, 1.5) A. Yes B. No C. Not if there is a search warrant in effect D. Only if unreasonable
The correct answer is D. The Fourth Amendment protects against unreasonable search and seizure. In most cases, law enforcement or other government agents must be able to demonstrate that probable cause exists: sufficient evidence to indicate criminal activity may be ongoing or has occurred involving a location or person. This requirement exists with or without a search warrant.
Because it is imperative that the organization applies the same risk-management methodologies to the supply chain as the organization does for its own internal operations, which of the following operations should the organization apply? (1.12) A. Governance reviews B. Site surveys C. Formal security audits D. All of these, plus penetration testing
The correct answer is D. These are all steps or processes that an organization would include in its own risk assessment given that an organization is often heavily reliant on its supply chain. However, this is often untenable, and organizations tend to rely on audit reports prepared by certified third parties.
Which fundamental security model is composed of a set of generic rights and a finite set of commands? (3.2) A. Bell-LaPadula B. Clark-Wilson C. Brewer Nash D. Harrison, Ruzzo, Ullman
The correct answer is D. This model is very similar to the Graham-Denning model, as it is also concerned with situations in which a subject should be restricted from gaining particular privileges. The Bell-LaPadula (BLP) model (choice A) addresses confidentiality in a multilevel security (MLS) system. The Clark-Wilson (choice B) model improves on Biba by focusing on integrity at the transaction level and addressing three major goals of integrity in a commercial environment. The Brewer and Nash model (choice C) focuses on preventing conflict of interest when a given subject has access to objects with sensitive information associated with two competing parties.
What is the goal of security? (1.3) A. To support the business B. To control the business C. To dictate business activities D. To drive the business
The correct answer is A. Security is only a support function. By providing accurate information, the security team can inform the business of the risks associated with its business practices. The business needs always come first.
The International Olympic Committee (IOC) has a five-ring symbol. How is this symbol protected? (1.5) A. It is a trademark. B. It is copyrighted. C. It is a trade secret. D. It is a patent.
The correct answer is A. The logo, like all corporate logos, is a trademark, or a mark to trade (do business) under. Trademarks are registered to an organization and have a typical life span of 10 years. A patent (choice D) grants property exclusivity to an inventor for a period of time (typically 20 years). A copyright (choice B) is the exclusive right to the expression of an idea, whether in writing, in images, sounds (such as music) or other material form, and whether the idea is fictional or not. A trade secret (choice C) is a formula, process or technique used in manufacturing.
What encryption system, invented in 1882 by Frank Miller, is unbreakable? (3.6) A. The one-time pad B. The Scytale cipher C. The ROT13 cipher D. The Vigenère cipher
The correct answer is A. The one-time pad (choice A) is a cipher system that relied on a set of keys, one per sheet of paper, bound up in a pad, with the sender and recipient being the only people with matching pads of keys. It is, in theory, the strongest possible algorithmic cipher. The Scytale cipher (choice B) is a transposition cipher and requires a cylinder around which parchment or paper is wrapped, with the message being written on the parchment. The ROT13 cipher (choice C) is a substitution cipher that replaces a letter in the message with the one 13 places after it, so an A would be replaced with an N. The Vigenère cipher (choice D) is a polyalphabetic substitution cipher.
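As an added illustration (not part of the original question set) of why each pad sheet must be used exactly once: the pad is an XOR of message and key, which is unbreakable only while the key is random, at least as long as the message and never reused. The helper names and the constructed sample messages below are this example's own.

```python
import os


def otp_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """One-time pad: XOR each message byte with the matching key byte.
    A sheet shorter than the message cannot be used, so refuse it."""
    if len(key) < len(plaintext):
        raise ValueError("pad sheet must be at least as long as the message")
    return bytes(p ^ k for p, k in zip(plaintext, key))


# XOR is its own inverse, so decryption is the same operation with the same sheet.
otp_decrypt = otp_encrypt


def fresh_sheet(length: int) -> bytes:
    """A new, random pad sheet; the sender and recipient each hold a copy."""
    return os.urandom(length)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def reuse_cancels_key(m1: bytes, m2: bytes, shared_sheet: bytes) -> bool:
    """The failure mode the 'one-time' rule prevents: if one sheet encrypts two
    messages, XOR of the two ciphertexts equals XOR of the two plaintexts, so the
    key drops out and an observer learns the relationship between the messages."""
    c1 = otp_encrypt(m1, shared_sheet)
    c2 = otp_encrypt(m2, shared_sheet)
    return xor_bytes(c1, c2) == xor_bytes(m1, m2)


if __name__ == "__main__":
    message = b"MEET AT DAWN"          # constructed sample message
    sheet = fresh_sheet(len(message))
    ciphertext = otp_encrypt(message, sheet)
    print(otp_decrypt(ciphertext, sheet))        # b'MEET AT DAWN'
    print(reuse_cancels_key(b"MEET AT DAWN", b"MEET AT NOON", sheet))  # True
```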
What routing protocol uses a distance vector protocol to calculate routes? (4.1) A. RIP B. OSPF C. BGP D. IS-IS
The correct answer is A. Using a distance vector, the Routing Information Protocol (RIP) calculates the route between two points by using hop counts. The hop count is the number of routers that the traffic passes through. Open shortest path first (OSPF; choice B) and intermediate system to intermediate system (IS-IS; choice D) both use a link state protocol. Border Gateway Protocol (BGP; choice C) is incorrect as it uses a path vector protocol, calculating the route by maintaining path information.
When using elliptic curve cryptography (ECC), what key size has been certified as acceptable for use with top-secret messages and would require an RSA key size of 7680 bits to achieve the same level of protection? (3.6) A. 256 bits B. 384 bits C. 400 bits D. 560 bits
The correct answer is B. Elliptic curve cryptography relies on mathematical calculations based upon known curves. It allows the generation of much smaller keys, which makes ECC ideally suited for devices that do not cope well with the heat generated when using longer keys. It is also fast, due to the smaller key size, and so it is used in situations where latency would present a negative impact.
Asymmetric algorithms are known as trapdoor functions. What is a trapdoor function? (3.6) A. A potential weakness B. A calculation that is easy to perform in one direction but infeasible to perform in the reverse order C. A calculation that is easy to perform in two directions D. A calculation that provides a mechanism that allows a developer to gain access to the algorithm for maintenance
The correct answer is B. If you were asked to multiply 9,000,000 by 6157, the calculation would be straightforward, but if you were presented with a number like 159841311587941 and asked what two numbers multiplied together produced that result, the calculation would be much more difficult. Choice D would be a maintenance hook or backdoor.
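An added worked example (not from the original question set) of the asymmetry just described, which also illustrates the trapdoor-function answer to the discrete-logarithm question above: multiplying two primes is one operation, while recovering them from the product by trial division takes a search that grows with the size of the smaller prime. Holding the primes is the trapdoor that makes the reverse direction easy again. The primes 10007 and 10009 are constructed toy values; real keys use primes of hundreds of digits.

```python
def multiply(p, q):
    """Forward direction: a single multiplication."""
    return p * q


def factor_by_trial_division(n):
    """Reverse direction without the trapdoor: search for a divisor of n.
    Returns (p, q, steps), where steps is the number of divisions attempted."""
    steps = 0
    d = 2
    while d * d <= n:
        steps += 1
        if n % d == 0:
            return d, n // d, steps
        d += 1
    return n, 1, steps  # n itself is prime (or 1)


def rsa_keypair(p, q, e=65537):
    """Textbook RSA key generation from two primes. Knowing p and q is the
    trapdoor: it gives phi(n) and therefore the private exponent d."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def encrypt(m, public_key):
    """Public operation: anyone holding (n, e) can do this cheaply."""
    n, e = public_key
    return pow(m, e, n)


def decrypt(c, private_key):
    """Private operation: one modular exponentiation, given the trapdoor value d."""
    n, d = private_key
    return pow(c, d, n)


def recover_private_key(public_key):
    """What someone holding only (n, e) must do to obtain d: factor n first.
    Returns the recovered key and the number of trial divisions it cost."""
    n, e = public_key
    p, q, steps = factor_by_trial_division(n)
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, d), steps


if __name__ == "__main__":
    P, Q = 10007, 10009  # constructed toy primes
    public, private = rsa_keypair(P, Q)
    c = encrypt(42, public)
    print(decrypt(c, private))  # 42 (easy with the trapdoor)
    _, cost = recover_private_key(public)
    print(cost)  # 10006 trial divisions just to find p for this toy n
```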
In business terms, something is at risk if there are circumstances outside of the organization's control or influence that could cause that at-risk item to be lost. Risk can be calculated from four basic perspectives. Which of the following is not one of them? (1.10) A. Threat-based B. Income-based C. Vulnerability-based D. Asset-based
The correct answer is B. Income-based is not one of the four perspectives. The missing risk perspective is outcome-based; this viewpoint identifies the important goals or objectives the organization must achieve and links them to the core business processes. An asset-based risk perspective (choice D) identifies information assets such as files, databases or knowledge banks. A vulnerability-based risk perspective (choice C) starts from identified weaknesses in systems that an attacker could exploit. A threat-based risk perspective (choice A) looks at identified threats to the organization.
What is a measurement of time related to the probability of the occurrence of a risk event? (1.10) A. An exposure factor B. An exposure window C. A risk window D. A risk factor
The correct answer is B. Risk exposure can be plotted on a timeline and used to manage activities. For example, a business which is known to provide financial support to a political cause is likely to experience a greater probability of threats during the lead-in to an election. The exposure factor (choice A) is an estimate of the fraction of an asset's or outcome's value to the organization that is lost through a single occurrence of a risk event. Circumstances affecting the impact or likelihood of a security risk are defined as a risk factor (choice D). A risk window (choice C) is not applicable to this question.
Is email considered secure on its own? (2.6) A. Yes B. No C. It can be D. It depends on the email client
The correct answer is B. While email can be made secure, it is not considered to be natively so. Sensitive information should not be transmitted via email unless additional encryption tools or techniques are used, which are becoming integrated into some email systems, servers and clients.
Where is governance derived from? (1.3) A. The board of directors B. The C-suite C. Legal and regulatory authorities D. Varies depending on the organizational type
The correct answer is C. Governance can be considered as the process of running an organization, as it defines how decisions are made. In this context, it would be reasonable to conclude that it falls to the board of directors (choice A) or partners in the C-suite (choice B) to initiate and define governance, and that might be true when it comes to the creation and enforcement of those decisions for the organization. In reality, these decisions or rules usually come from legal or regulatory requirements such as health and safety, and privacy or data protection acts.
How many steps does NIST's cybersecurity framework (CSF) have? (1.10) A. Three B. Four C. Five D. Six
The correct answer is C. The five steps are identify (people, systems, data, assets), protect (select and deploy the appropriate safeguards and countermeasures), detect (events), respond (take the appropriate actions) and recover (restore systems, services and data).
What form of security control would include policies and procedures? (2.6) A. Administrative B. Logical C. Technical D. Physical
The correct answer is A. Administrative controls are implemented through policies and procedures. Technical (also known as logical) controls (choices B and C) are implemented with or by automated or electronic systems. Physical controls (choice D) are implemented through a tangible mechanism such as fences.
Which method reduces the chances of the recovery of data remanence but allows for device reuse? (2.4) A. Clearing B. Purging C. Formatting D. Destruction
The correct answer is B. Currently, purging reduces the chances of the recovery of data remanence, but that might change with future improvements in forensic techniques. Neither clearing (choice A) nor formatting (choice C) really offer significant protection from a forensic investigation. Destruction (choice D) does not reduce the chance; if done correctly, it eliminates it totally.
The original defense-in-depth model defined all but which of the following as a layer of defense? (3.1) A. Data controls B. Software controls C. Application controls D. Host controls
The correct answer is B. Data controls (choice A) protect the actual data, application controls (choice C) protect the application itself and host controls (choice D) are placed at the endpoints. The other controls defined are internal network, perimeter, physical and policies (including procedures and awareness).
Which amendment under U.S. law provides protection from unreasonable search and seizure? (1.4, 1.5) A. First B. Third C. Fourth D. Sixth
The correct answer is C. The First Amendment is the Freedom of Religion, Speech and the Press. The Third Amendment is the Housing of Soldiers. The Sixth Amendment is the Right of Accused Persons in Criminal Cases.
If legislation sets a retention life span of five years (for example, a tax record), can that life span ever be ignored? (2.4, 2.5) A. Yes B. No C. Yes, but under pre-defined circumstances D. Yes, but only if the business can justify the need
The correct answer is C. The retention lifespan is typically set and cannot be overridden or ignored. However, if the data is currently being used as a part of a legal investigation, then it must be retained until the investigation is complete. The lifespan then begins at the end of the investigation.
Can the Spanning Tree Protocol (STP) be used as a means of attack? (4.1) A. Yes, but it requires a physical re-wiring of a switch B. No C. Yes, by sending STP frames claiming to be a new root bridge D. Yes, but the attacker has to insert new branches into the spanning tree first
The correct answer is C. The root bridge is the preferred path that traffic should take when the frames are moving between different network segments. This is, in effect, a form of machine-in-the-middle (MITM) attack. It is possible to create a broadcast storm by physically re-wiring but the STP cannot be used to prevent this condition.
Which layer of the OSI provides reliable delivery of a datagram packet? (4.1) A. Application B. Session C. Transport D. Network
The correct answer is C. The transmission control protocol (TCP) operating at layer 4 uses a three-way handshake for reliable delivery. The application layer (layer 7, choice A) is the interface between a user's application program and the TCP/IP stack. The session layer (layer 5, choice B) establishes, maintains and tears down a connection between two nodes. The network layer (layer 3, choice D) is used for best-effort delivery, meaning that there is no guarantee of delivery. That is the function of TCP.
A baseline that requires the use of strong passwords, strong encryption, watermarks and real-time monitoring would be an example of what classification level? (2.6) A. Low B. Medium C. Moderate D. High
The correct answer is D. Baselines should be developed for each classification used within an organization and provide that minimum level of security required for each classification. Baselines are developed by a risk assessment process aligned to the organization's risk appetite.
Which of the following is a cryptovariable? (3.6) A. A key B. An algorithm C. The key space D. An encryption process
The correct answer is A. An algorithm (choice B) is a finite sequence of instructions that manipulate and transform the plaintext into ciphertext. The key space (choice C) represents the set of possible keys that can be used. An encryption process (choice D) is the act of converting plaintext to ciphertext.
Most organizations have acceptable use policies (AUP) that define acceptable and unacceptable behavior such as racial and religious discrimination, sexual harassment, nepotism and gift handling. While some of these activities might be prohibited under law, that might not be true for all. What document would define such behavior? (1.1) A. An organizational code of ethics B. A professional code of ethics C. A personal code of ethics D. A global code of ethics
The correct answer is A. An organizational code of ethics is a policy document approved and supported by the organization's senior management. The code dictates modes of acceptable behavior and is often combined with the overall organizational personnel policies. It may outline the organization's mission and core values. Choices B, C, and D may include all or some of the elements in the question, but the AUP is a set of organizational principles.
GDPR Privacy Principles are drawn broadly from principles outlined by the Organisation for Economic Co-operation and Development (OECD). Under GDPR, there are six broad principles. Which of the following is not one of those principles? (1.4, 1.5) A. Authenticity B. Storage limitation C. Purpose limitation D. Lawfulness
The correct answer is A. Article 5 specifies lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; and integrity and confidentiality. Source: https://gdpr-info.eu/art-5-gdpr/
As of 2020, there are how many public, root domain name servers (DNS)? (4.1) A. 13 B. 50 C. 500 D. 1 million
The correct answer is A. DNS maintains a directory of zones that has a hierarchical superior known as the root that is represented by an administrative dot (".") that is appended to the end of a fully qualified domain name (FQDN). The root servers carry references to what is known as top-level domains (TLDs) such as .com, .edu and .gov.
Which one of the following is not an example of data states? (2.6) A. Data in transition B. Data at rest C. Data in motion D. Data in use
The correct answer is A. Data at rest (choice B) is data stored on media in any type of form. It is at rest because it is not being transmitted or processed in any way. Data in motion (choice C) is currently traveling, typically across a network. While it is in motion, it is not being processed in any way. (Encapsulation, encryption or other processes necessary for data transmission and receipt are part of making the motion happen and are not using the data, per se.) Data in use (choice D) is being processed by any software, hardware, human or nonhuman user. The term data in transition (choice A) has no meaning in data systems or security modeling and analysis.
Which of the following addresses an organization's ability to reliably and confidently use its own information, knowing that it is free from interference by others? (2.1) A. Information classification B. Information management C. Information categorization D. Information ownership
The correct answer is A. Information classification addresses the impact or loss to the organization if the confidentiality, availability, integrity, authenticity or non-repudiability of its information is compromised, whether by an insider or someone outside of the organization. Categorization (choice C) is the process of grouping sets of data, information or knowledge that have comparable sensitivities (impact or loss ratings) and have similar security needs mandated by law, contracts or other compliance regimes. Neither B nor D is applicable to this question.
Microtraining is short, concise training that lasts how long? (1.13) A. Less than a minute B. Less than five minutes C. Less than 20 minutes D. Less than an hour
The correct answer is A. Microtraining, as practiced by the companies that are using it successfully, is less than a minute long. It is not a structured, classroom-kind of activity. It is a pop-up learning moment that appears during normal workflows or tasks, such as processing email or online transactions. It is often driven by rule-based systems and may attempt to mimic a phishing or other cyber-attack technique, observe the trainee-user's responses, and then coach the user with reinforcement knowledge. These rules are often driven by user and entity behavior analytics that identify individuals or groups of users who may need focused, specialized knowledge reinforcement. Each microtraining event is typically focused on one specific bit of learning, and therefore on one specific task or part of a task. Multiple microtraining events can be packaged into larger sequences.
Industrial control systems (ICS) are used to monitor and control machinery in factories, refineries, transportation systems and many other similar settings. Which of the following components are ruggedized controllers that use specialized components to provide real-time control? (3.5) A. PLC B. SCADA C. DCS D. Not an option here
The correct answer is A. Programmable logic controllers (PLC) use specialized hardware, firmware and software to provide real-time control and monitoring of their attached equipment. Supervisory control and data acquisition (SCADA) systems (choice B) are assemblies of interconnected equipment used to monitor and control physical equipment. Usually confined to a geographical area, distributed control systems (DCS) (choice C) may encompass large numbers of semi-autonomous controllers.
When an organization believes that their way of doing business, products or services is unique and that no other experience in the industry or marketplace can compare, what type of risk assessment is commonly used for measuring risk that occurs with this belief? (1.10) A. Qualitative B. Quantitative C. Either D. Both
The correct answer is A. Qualitative risk assessments are subjective and focus on identifying impact against likelihood. Often this involves developing scenarios and producing a risk assessment table or matrix. Quantitative risk assessments (choice B) are objective in their approach and use verifiable information in the calculation of the risk, such as asset value and probability, or the exposure factor.
Which type of fiber allows for data transmission of up to 80 km (50 miles)? (4.1) A. Single mode B. Multimode C. Plastic optical D. None support that distance
The correct answer is A. Single mode has a small diameter core that decreases the number of light reflections within the cable. Multimode (choice B) is typically used for shorter distances up to 2,000 meters and uses a larger diameter cable than single mode, which increases light reflections. Plastic optical fiber (POF) (choice C) uses a plastic core but signal distortion is greatly increased, and transmission distances are around 100 meters.
Which encryption algorithm was used in Wired Equivalent Privacy (WEP)? (3.6) A. RC4 B. RC5 C. RFC6 D. Twofish
The correct answer is A. The Rivest Cipher 4 (RC4) is a stream-based cipher, encrypting bit-by-bit or byte-by-byte, and was widely deployed in WEP and SSL (Secure Socket Layer) security. All of the others are examples of block mode encryption systems.
Which layers of the OSI 7-Layer Model map to layer 4 of the TCP/IP model? (4.1) A. Application, presentation and session B. Presentation, session and transport C. Transport, network and data link D. Network, application and session
The correct answer is A. The TCP/IP model is an older four-layer model that is still extensively used. The top three layers of the OSI 7-Layer Model map directly to the top layer of the TCP/IP model.
A switch is considered a filter or forward device and establishes one collision domain per port. What information does a layer 2 switch use to make the decision to filter or forward? (4.1) A. MAC address B. IP address C. Both D. Neither
The correct answer is A. The media access control (MAC) address is the physical address of a network interface card (NIC). A layer 2 switch learns which MAC addresses are reachable through each port and uses the destination MAC address of a frame to decide whether to forward it out of a single port or filter it. The Internet Protocol (IP) address (choice B) is a logical address that can change; routers make their filter or forward decisions on it. A layer 3 switch can use either the IP or the MAC address, but the question asks about a layer 2 switch, so choice C is incorrect.
What is meant by the term embedded systems? (3.5) A. Computer technology built directly into a device B. Computer technology built into a cellphone C. Computer technology built into a tablet D. All computers are examples of embedded systems
The correct answer is A. Miniaturization has led to multiple components being integrated onto single chips, so a cellphone or tablet is built from what could be considered embedded components. Answer A is still the best answer because, generally speaking, an embedded system is built into a device to serve a single, specific purpose, such as a digital thermostat or a biomedical implant, whereas tablets, phones and laptops are general-purpose computers.
Which type of access control system can authorize or deny an individual user's ability to use IT systems, resources or assets and has the capability to assign different access privileges to different users depending on their role in the organization? (5.1) A. Logical B. Physical C. Mandatory D. Discretionary
The correct answer is A. These are two of the characteristics defined in the U.S. government's Federal Identity, Credential, and Access Management (FICAM) roadmap (among others) that are components of a logical access control system. A physical access control system (choice B) would be, as the name suggests, a physical device such as a door. Choices C and D are examples of models, not systems.
In IT asset management, what is one of the most useful first steps? (2.3) A. Defining an asset B. Assigning a value C. Assigning a classification D. Assigning an owner
The correct answer is A. Without clearly identifying what is an asset to the organization, we cannot complete any of the other steps outlined in the other possible answer choices. It is important to remember that assets lie at the heart of any business process.
In what year did Chile (a member of APEC) introduce a constitutional change that declared data privacy a human right? (1.4, 1.5) A. 2016 B. 2018 C. 2019 D. 2020
The correct answer is B. In 2018 Chile amended its constitution to add the protection of personal data to the rights guaranteed under Article 19.
Policies are formally prepared, authoritatively issued directions or statements of intent and can be written at many levels. Which of the following would be considered a functional policy? (1.3) A. A document's retention policy B. A marketing policy C. A records destruction policy D. A privacy policy
The correct answer is B. A marketing policy is a functional policy as it is a set of standardized processes used within an organization. All of the others are examples of compliance policies.
Which network topology provides a second ring for failover? (4.1) A. Ring B. Fiber distributed data interface (FDDI) C. Tree D. Personal area network (PAN)
The correct answer is B. An FDDI network uses two rings (cables) that pass traffic in opposite directions, so if one ring fails the stations wrap onto the other. A conventional ring (choice A) typically has one cable or ring. A tree (choice C) is similar to a bus in that the nodes are connected to branching cables like an actual tree. A PAN (choice D) is a short-range network around a single person, typically Bluetooth.
The Declaration of Geneva is an example of which of the following? (1.1) A. A code of conduct B. A code of ethics C. A set of legal standards D. A global framework
The correct answer is B. Building on the Hippocratic Oath, the Declaration of Geneva (adopted by the World Medical Association in 1948) serves as a set of ethical principles for the medical profession. A code of ethics focuses on values and principles, whereas a code of conduct (choice A) focuses on sets of rules. Legal standards (choice C) are based on legislation, and frameworks (choice D) are guidelines that an organization might put into place when designing a security solution.
In software-defined networking (SDN), what happens at the control plane? (4.1) A. Business applications are managed. B. Node functionality is managed. C. Network elements can be found. D. None of these.
The correct answer is B. Choice A is the application plane, which manages business applications and instructs the control plane through northbound interfaces. Choice B, the control plane, holds the network's functionality and programmability and drives the data plane through southbound interfaces such as OpenFlow. Choice C is the data plane, where the network elements (switches and routers) forward traffic.
What function does a credential management system perform? (5.2) A. It is a repository for user and computer accounts. B. It is the binding between an authenticator and an identifier. C. It is used to create user accounts. D. It is used to create machine accounts.
The correct answer is B. Credentials are used to identify and verify the identity claim of a user, machine or other entity. The credential management system (CMS) issues and manages those credentials, typically in software. The creation of user and machine accounts (choices C and D) is part of the identity management process, and the resulting identities are placed in an identity store (choice A).
Your network engineer has configured a firewall rule blocking ports 50 through 100. Users complain of network problems. Which of the following services will have been blocked? (4.1) A. SMTP B. DNS C. POP 3 D. IMAP
The correct answer is B. DNS (Domain Name System) by default uses port 53. If DNS cannot resolve FQDNs, then most, if not all, internet traffic will stop. SMTP (Simple Mail Transfer Protocol; choice A) uses port 25 to push email. POP3 (Post Office Protocol v3; choice C) uses port 110 to collect mail. IMAP (Internet Message Access Protocol; choice D) uses port 143 as an alternative to POP3 for retrieving mail, leaving messages on the server so that several clients stay synchronized. None of those three ports falls within the blocked range.
Which of the following was the most recent control that was designed to protect the exchange of personal data between the U.S. and the European Union? (1.4, 1.5) A. Safe Harbor B. Privacy Shield C. Individual contracts D. General Data Protection Regulations (GDPR)
The correct answer is B. Privacy Shield was a voluntary framework designed to provide privacy protection and to allow the exchange of personal data between U.S. organizations and EU citizens. It replaced Safe Harbor (choice A), which was struck down by the Court of Justice of the European Union (CJEU) in 2015 because it did not provide sufficient protection. Privacy Shield was itself struck down by the CJEU in July 2020. GDPR (choice D) is EU legislation that applies to any organization, wherever located, that processes the personal data of people in the EU; it is a regulation, not a transfer mechanism. Controls can be placed in contracts (choice C), but they are likely to be specific to an organization and not general principles.
Internet key exchange (IKE) is a widely used method that allows two devices to agree on the symmetric keys used by AH (for integrity and origin authentication) and ESP (for encryption). There are a number of ways to securely exchange keys. Which of the following is a mechanism used to exchange these keys? (4.1) A. RC4 B. Diffie-Hellman C. AES D. ElGamal
The correct answer is B. Published in 1976 by Whitfield Diffie and Martin Hellman, the DH algorithm provided one of the earliest mechanisms for two parties to agree on a symmetric key over an unsecured network. Based on the DH algorithm, Taher ElGamal produced his variant in 1985. While DH only provides a mechanism for session key agreement, the ElGamal algorithm (choice D) also provides message confidentiality (encryption). AES (choice C) is the Advanced Encryption Standard, a symmetric block cipher. RC4 (choice A) is a Rivest stream cipher, formerly used in Wired Equivalent Privacy (WEP). Note that DH on its own does not authenticate the parties, which is why IKE pairs it with pre-shared keys or certificates.
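The following is an added example, not code from the original page: a finite-field Diffie-Hellman agreement of the kind IKE performs, followed by the failure mode that the authentication step exists to prevent. The prime, generator and private exponents are constructed, toy-sized values (real IKE deployments use the MODP groups of RFC 3526 or elliptic-curve groups); the key-derivation step hashes the shared secret with a label rather than using it raw, as IKE does with its own PRF.

```python
# Added example (not from the original page): Diffie-Hellman agreement and the
# unauthenticated man-in-the-middle case. P, G and all private values are
# constructed for illustration only.
import hashlib
import secrets

P = 2**127 - 1   # toy-sized Mersenne prime; far too small for real use
G = 5            # constructed generator

def dh_public(private: int, p: int = P, g: int = G) -> int:
    """Public value g^private mod p; this is what each side sends over the wire."""
    return pow(g, private, p)

def dh_shared(peer_public: int, private: int, p: int = P) -> int:
    """Shared secret peer_public^private mod p; both sides arrive at the same number."""
    if not 1 < peer_public < p - 1:
        raise ValueError("rejecting degenerate peer public value (small-subgroup / forced-key attack)")
    return pow(peer_public, private, p)

def derive_key(shared: int, label: bytes) -> bytes:
    """Never use the raw DH output as a key: hash it with context into fixed-length key material."""
    size = (P.bit_length() + 7) // 8
    return hashlib.sha256(label + shared.to_bytes(size, "big")).digest()

def honest_exchange(a_priv: int, b_priv: int) -> tuple:
    """Each party combines its own private value with the peer's public value."""
    a_pub, b_pub = dh_public(a_priv), dh_public(b_priv)
    return (derive_key(dh_shared(b_pub, a_priv), b"ESP"),
            derive_key(dh_shared(a_pub, b_priv), b"ESP"))

def mitm_exchange(a_priv: int, b_priv: int, m_priv: int) -> tuple:
    """An active attacker substitutes its own public value in both directions.
    Alice and Bob each end up sharing a key with the attacker, not with each other."""
    a_pub, b_pub, m_pub = dh_public(a_priv), dh_public(b_priv), dh_public(m_priv)
    k_alice = derive_key(dh_shared(m_pub, a_priv), b"ESP")        # Alice believes m_pub is Bob's
    k_bob = derive_key(dh_shared(m_pub, b_priv), b"ESP")          # Bob believes m_pub is Alice's
    k_m_with_alice = derive_key(dh_shared(a_pub, m_priv), b"ESP")
    k_m_with_bob = derive_key(dh_shared(b_pub, m_priv), b"ESP")
    return k_alice, k_bob, k_m_with_alice, k_m_with_bob

if __name__ == "__main__":
    a, b, m = (secrets.randbelow(P - 2) + 1 for _ in range(3))
    ka, kb = honest_exchange(a, b)
    print("honest exchange agrees:", ka == kb)
    k_alice, k_bob, k_ma, k_mb = mitm_exchange(a, b, m)
    print("MITM: Alice and Bob disagree:", k_alice != k_bob,
          "attacker holds both keys:", k_alice == k_ma and k_bob == k_mb)
```

Because the attacker's substitution is undetectable from the arithmetic alone, IKE signs or MACs the exchanged values with a pre-shared key or certificate; the rejection of degenerate public values in `dh_shared` is the other check a practitioner should expect to see.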
Which of the following is an open-source methodology used in threat modeling? (1.11) A. OCTAVE B. TRIKE C. STRIDE D. None of the above
The correct answer is B. TRIKE is an open-source threat modeling methodology and toolset built around a requirements model and a risk model. OCTAVE (choice A) was created by the CERT program at Carnegie Mellon University; the model is designed for viewing the overall risk of IT systems across an organization. STRIDE (choice C) comes from Microsoft and serves as a threat classification system (spoofing, tampering, repudiation, information disclosure, denial of service, elevation of privilege) used to inform software developers about threats during the development process.
Which cybersecurity framework provides a certifiable framework aimed at giving healthcare organizations a mechanism to demonstrate that compliance is being maintained in a consistent manner? (1.7) A. RMF B. CSF C. STAR D. ISO 27xxx
The correct answer is B. The Health Information Trust Alliance (HITRUST) Common Security Framework (CSF) builds on the HITECH Act and HIPAA to provide a compliance assessment and certification process. Developed by NIST (National Institute of Standards and Technology), the Risk Management Framework (RMF, choice A) structures the processes used to identify and manage risk. The Cloud Security Alliance (CSA) Security, Trust, Assurance and Risk (STAR) registry (choice C) is a voluntary registry of cloud service providers that comply with the STAR program and publish documentation on the STAR website attesting to compliance. ISO 27xxx (choice D) is a series of information security management standards and best practices.
Lightweight Directory Access Protocol (LDAP) is a lookup protocol that uses a hierarchical tree structure for data entries. Common attributes for LDAP include all but one of the following? (4.1) A. Distinguished name (DN) B. Real distinguished name (RDN) C. Common name (CN) D. Organizational unit (OU)
The correct answer is B. The RDN is actually the relative distinguished name. Each LDAP entry has a DN that uniquely names it in the tree, and the RDN is the leftmost component of that DN, unique among the entry's siblings. A DN's trailing components are commonly domain components (DC) derived from the organization's DNS name, for example dc=example,dc=com. Each entry in the directory holds a series of attribute/value pairs, of which CN and OU are two of the most common.
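The following is an added example, not code from the original page: a parser for the LDAP distinguished name string form defined in RFC 4514. It splits a DN into its RDNs and each RDN into attribute/value pairs while honouring backslash escapes, so that a comma inside a CN value is not taken for an RDN separator, and it rebuilds the DNS-style domain from the DC components. The sample DNs are constructed for illustration.

```python
# Added example (not from the original page): RFC 4514 DN parsing with escape
# handling. Sample DNs are constructed for illustration.
HEX = "0123456789abcdefABCDEF"

def _split_unescaped(s: str, sep: str) -> list:
    """Split on `sep` only where it is not part of a backslash escape."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2])      # keep the escape pair intact for later decoding
            i += 2
        elif s[i] == sep:
            parts.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(s[i])
            i += 1
    parts.append("".join(cur))
    return parts

def unescape_value(v: str) -> str:
    """Decode both RFC 4514 escape forms: '\\,' for a special character and '\\2C' for a hex pair."""
    out, i = [], 0
    while i < len(v):
        if v[i] == "\\" and i + 1 < len(v):
            pair = v[i + 1:i + 3]
            if len(pair) == 2 and pair[0] in HEX and pair[1] in HEX:
                out.append(chr(int(pair, 16)))
                i += 3
            else:
                out.append(v[i + 1])
                i += 2
        else:
            out.append(v[i])
            i += 1
    return "".join(out)

def parse_dn(dn: str) -> list:
    """Return a list of RDNs, each a list of (attribute, value) pairs.
    The first RDN names the entry itself; the rest name its parents up to the root."""
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        pairs = []
        for ava in _split_unescaped(rdn, "+"):   # '+' joins the values of a multi-valued RDN
            attr, eq, value = ava.partition("=")
            if not eq or not attr.strip():
                raise ValueError(f"malformed RDN component: {ava!r}")
            pairs.append((attr.strip().lower(), unescape_value(value)))
        rdns.append(pairs)
    return rdns

def rdn_of(dn: str) -> list:
    """The entry's own relative distinguished name (leftmost component)."""
    return parse_dn(dn)[0]

def dns_domain(dn: str) -> str:
    """Join the domainComponent (dc) values top-down; directory suffixes are usually built this way."""
    return ".".join(v for rdn in parse_dn(dn) for a, v in rdn if a == "dc")

if __name__ == "__main__":
    sample = "cn=Doe\\, John+uid=jdoe,ou=People,dc=example,dc=com"
    print(parse_dn(sample))
    print("entry RDN:", rdn_of(sample), "domain:", dns_domain(sample))
```

Naive `split(",")` parsing of DNs is a recurring source of bugs in authorization code that compares or extracts DN components; the escape handling above is the part that matters.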
Which security model focuses on the movement of information throughout a system? (3.4) A. State machine model B. The information flow model C. The non-interference model D. The ring model
The correct answer is B. The information flow model extends the state machine model by adding rules about how information may move between objects and security levels, so that flows that would violate policy (for example, from a higher classification to a lower one) are not permitted. The state machine model (choice A) describes the system as a set of states and transitions; if the system starts in a secure state and every transition leads to a secure state, the system remains secure. The non-interference model (choice C) introduces strict separation of the different security levels, ensuring that activity at a higher level neither affects nor is observable by lower-level users. The ring model (choice D) emphasizes the interactions between the underlying hardware's security capabilities and their use by the layers of software supported by that hardware.
Which security engineering enabling process defines the security requirements used to assess the qualifications, selection and ongoing training of personnel? (3.4) A. Portfolio management B. Human resource management C. Quality management D. Knowledge management
The correct answer is B. The human resource management process (choice B) defines the security requirements used to assess the qualifications, selection and ongoing training of personnel. The portfolio management process (choice A) ensures that security considerations are a factor in managing the portfolio of organizational projects. The quality management process (choice C) defines security quality objectives and the criteria used to determine that those objectives are met. The knowledge management process (choice D) identifies, obtains, maintains and manages the security knowledge and skills needed by the organization.
What function does the RA serve in a public key infrastructure (PKI)? (3.6) A. It creates and signs a certificate. B. It tracks certificate revocations. C. It validates the identification information supplied by the requestor of a certificate. D. It is used to collect the information for inclusion into the certificate.
The correct answer is C. A PKI is based on the trust, but verify principle. For a certificate to be considered trustworthy, a number of steps need to be satisfied. This begins at the time of creation. The certificate authority (CA) signs the certificate owner's public key with its private key. This only occurs after the registration authority (RA) verifies the requestor's information. Revoked certificates are tracked via a certificate revocation list (CRL). The details found within a certificate are included in the certificate signing request (CSR), a document that is completed by the requestor and then sent to the CA.
Which of the following is the precondition of a system, workplace or environment that could lead to an event? (1.10) A. Vulnerability B. Risk C. Hazard D. Threat
The correct answer is C. A hazard is a potential source of harm: an event or set of circumstances that could give rise to a security event. A risk (choice B) is the possibility of an event that has a negative impact upon the organization, usually expressed as likelihood combined with impact. A vulnerability (choice A) is an inherent weakness or flaw in a system or component. A threat (choice D) is any potential cause of an unwanted event, including a human actor or group that makes the deliberate, intentional decision to exploit a target organization's vulnerabilities.
What is a reasonable action? (1.3) A. Relying on instinct B. Making a decision based on past experience C. Making a decision based on clear, logical and thoughtfully justifiable information D. Following a set of procedures
The correct answer is C. Acting on instinct (a hunch) (choice A) or based on a past experience (choice B) may feel necessary and reasonable, but whether it is still defensible or justifiable after the fact (choice C) is its test of reasonableness. While procedures (choice D) are important and mandate certain steps, they may not be reasonable for certain situations.
What is IEEE 802.1D (Spanning Tree Protocol) used for? (4.1) A. Connecting network segments together B. Connecting different VLANs together C. Preventing broadcast storms D. Defining the size or span of a network
The correct answer is C. A broadcast storm occurs when redundant links between switches form a loop and nothing stops frames from circulating: because Ethernet frames carry no hop count, broadcasts are forwarded around the loop endlessly and multiply until, within seconds or minutes, the network stops functioning. STP elects a root bridge and places the redundant ports in a blocking state so that only one loop-free path remains active. A switch connects different network segments (choice A), while a router (or layer 3 switch) is used to connect different VLANs together (choice B).
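The following is an added example, not code from the original page: a simplified model of the 802.1D computation. It shows how one port on a redundant link is put into the blocking state so the loop described above cannot form, and what happens when an attacker injects BPDUs claiming a lower bridge priority. Switch names, priorities, MAC addresses and link costs are constructed; timers, port identifiers and BPDU aging are left out.

```python
# Added example (not from the original page): simplified 802.1D root election,
# root/designated/blocked port assignment, and a rogue-root BPDU scenario.
# All switches, MACs and costs are constructed for illustration.
import heapq
from collections import deque

def bridge_id(bridges: dict, name: str) -> tuple:
    """802.1D compares (priority, MAC) as one value; the lowest wins."""
    return tuple(bridges[name])

def elect_root(bridges: dict) -> str:
    return min(bridges, key=lambda n: bridge_id(bridges, n))

def root_path_costs(bridges: dict, links: list, root: str) -> dict:
    """Shortest path cost from every bridge to the root (Dijkstra over link costs)."""
    adj = {n: [] for n in bridges}
    for a, b, cost in links:
        adj[a].append((b, cost))
        adj[b].append((a, cost))
    dist, heap = {root: 0}, [(0, root)]
    while heap:
        d, n = heapq.heappop(heap)
        if d > dist[n]:
            continue
        for m, c in adj[n]:
            if d + c < dist.get(m, float("inf")):
                dist[m] = d + c
                heapq.heappush(heap, (d + c, m))
    return dist

def port_states(bridges: dict, links: list) -> dict:
    """Return {(bridge, neighbour): 'root' | 'designated' | 'blocked'} for every port."""
    root = elect_root(bridges)
    cost = root_path_costs(bridges, links, root)
    # Root port: the port on which this bridge hears the cheapest path to the root,
    # ties broken by the neighbour's bridge ID as 802.1D does.
    root_port = {}
    for a, b, c in links:
        for me, peer in ((a, b), (b, a)):
            if me == root:
                continue
            candidate = (cost[peer] + c, bridge_id(bridges, peer))
            if me not in root_port or candidate < root_port[me][0]:
                root_port[me] = (candidate, peer)
    states = {}
    for a, b, c in links:
        # Designated bridge for the segment: lowest root path cost, then lowest bridge ID.
        designated = min((a, b), key=lambda n: (cost[n], bridge_id(bridges, n)))
        for me, peer in ((a, b), (b, a)):
            if me != root and root_port[me][1] == peer:
                states[(me, peer)] = "root"
            elif me == designated:
                states[(me, peer)] = "designated"
            else:
                states[(me, peer)] = "blocked"   # the port that breaks the loop
    return states

def blocked_ports(bridges: dict, links: list) -> list:
    return sorted(p for p, s in port_states(bridges, links).items() if s == "blocked")

def forwarding_path(bridges: dict, links: list, src: str, dst: str) -> list:
    """Breadth-first path over links that are forwarding at both ends (the active tree)."""
    states = port_states(bridges, links)
    adj = {n: [] for n in bridges}
    for a, b, _ in links:
        if states[(a, b)] != "blocked" and states[(b, a)] != "blocked":
            adj[a].append(b)
            adj[b].append(a)
    prev, queue = {src: None}, deque([src])
    while queue:
        n = queue.popleft()
        if n == dst:
            break
        for m in adj[n]:
            if m not in prev:
                prev[m] = n
                queue.append(m)
    path, n = [], dst
    while n is not None:
        path.append(n)
        n = prev[n]
    return path[::-1]

# Constructed topology: three switches in a triangle at the default priority 32768,
# every link a 1 Gbit/s port (802.1D-1998 path cost 4).
SWITCHES = {"SW1": (32768, "00:00:00:00:00:01"),
            "SW2": (32768, "00:00:00:00:00:02"),
            "SW3": (32768, "00:00:00:00:00:03")}
LINKS = [("SW1", "SW2", 4), ("SW2", "SW3", 4), ("SW1", "SW3", 4)]

def rogue_scenario() -> tuple:
    """An attacker host sends BPDUs with priority 0 on links to SW1 and SW2, wins the
    root election, and frames between SW1 and SW2 now transit the attacker."""
    bridges = dict(SWITCHES, rogue=(0, "00:00:00:00:00:ff"))
    links = LINKS + [("rogue", "SW1", 4), ("rogue", "SW2", 4)]
    return elect_root(bridges), forwarding_path(bridges, links, "SW1", "SW2")

if __name__ == "__main__":
    print("root:", elect_root(SWITCHES), "blocked:", blocked_ports(SWITCHES, LINKS))
    print("SW1->SW2 path:", forwarding_path(SWITCHES, LINKS, "SW1", "SW2"))
    print("after rogue BPDUs:", rogue_scenario())
```

The second scenario is why access ports facing end hosts should run BPDU guard (shut the port on any received BPDU) and uplinks that must never become root should run root guard; STP trusts whatever BPDU claims the lowest bridge ID.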
What is HAVAL? (3.6) A. A message integrity checker that produces a 128-bit output B. A message integrity checker that produces a 160-bit output C. A message integrity checker that produces a variable length output D. A symmetrical encryption algorithm
The correct answer is C. Choices A and B describe MD5 (Message Digest 5, 128-bit) and SHA-1 (Secure Hash Algorithm 1, 160-bit), both of which produce a fixed-size output from an arbitrary-length input; both are now considered broken for collision resistance and should not be used in new designs. HAVAL (hash of variable length) is a hashing algorithm whose message digest may be 128, 160, 192, 224 or 256 bits long, selected by the caller.
Which of the following is not one of the four main types of forensic investigations? (1.6) A. Administrative B. Civil C. Compliance D. Criminal
The correct answer is C. Compliance falls under the wider scope of regulatory investigations. These investigations will be done by or on behalf of regulatory bodies. An administrative investigation (choice A) is conducted when the entirety of the process will be contained within the organization; it exists solely as an internal function. A civil investigation (choice B) arises from a civil dispute and involves a court but not a prosecutor. Civil law applies when a victimized entity sues the offending party. An investigation with the intended purpose of a lawsuit should involve the same degree of documentation and adherence to detail as a criminal investigation. A criminal investigation (choice D) is carried out where there is an allegation of a criminal act.
What protocol is used to manage multicast groups? (4.1) A. ICMP B. TCP C. IGMP D. UDP
The correct answer is C. IGMP (Internet Group Management Protocol) lets hosts join and leave multicast groups and lets routers learn which groups have members on a segment. ICMP (Internet Control Message Protocol; choice A) is a support protocol used by devices to send error and diagnostic messages. TCP (Transmission Control Protocol; choice B) provides connection-oriented, reliable, ordered delivery of segments. UDP (User Datagram Protocol; choice D) is a separate, connectionless transport protocol, not a variant of TCP; it is used where speed matters more than reliability and provides no acknowledgement, retransmission or ordering.
In which cryptanalytical technique does the attacker have access to the decryption device or software and attempt to use it to defeat the cryptographic protection by decrypting pieces of ciphertext to see the corresponding plaintext in order to discover the key? (3.7) A. A known ciphertext attack B. A ciphertext-only attack C. A chosen ciphertext attack D. A known plaintext attack
The correct answer is C. In a chosen ciphertext attack the attacker can submit ciphertexts of their choosing to the decryption device and observe the resulting plaintexts, exactly as the question describes; padding-oracle attacks against CBC mode are a practical instance. In a ciphertext-only attack (also known as a known ciphertext attack, choices A and B), the attacker has the least amount of information to work with, often little more than a copy of the ciphertext and perhaps knowledge of the plaintext language. In a known plaintext attack (choice D), the attacker has access to both the ciphertext and the plaintext versions of the same message. Since the algorithm is assumed to be known (Kerckhoffs's principle), the goal of that attack is to find the relationship between the two and so recover the key.
Which generation of cellular networking introduced support for long-term evolution (LTE) and provided transmission speeds of up to 100 Mbps? (4.1) A. 2G B. 3G C. 4G D. 5G
The correct answer is C. LTE is based on the earlier standards, combining core network improvements with a new radio interface and considerably higher transmission speeds. 2G (choice A) added packet data with GPRS and later EDGE, with speeds in the tens to low hundreds of kilobits per second. 3G (choice B) used high-speed downlink packet access (HSDPA) and later HSPA+, with peak rates in the low tens of megabits per second. 5G (choice D) relies heavily on software-defined networking (SDN) and network function virtualization and is specified for peak rates of up to 20 Gbps.
The U.S. government agencies and many of its contractors use the NIST's Risk Management Framework (RMF) as the standard against which audits and control assessments will be performed. Which NIST Special Publication (SP) details the RMF? (1.7) A. 800-171 R1 B. 800-53 R5 C. 800-37 R2 D. None of the above
The correct answer is C. NIST SP 800-37 Rev 2, Risk Management Framework for Information Systems and Organizations, defines the RMF and its seven steps (Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor). NIST SP 800-53 Rev 5 (choice B) covers Security and Privacy Controls for Information Systems and Organizations, the control catalog that the RMF's Select step draws on. NIST SP 800-171 Rev 1 (choice A) covers Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.
Generally speaking, what is an automated system (that is, logical control elements) that manages the movement or passage of people, materials and equipment through a specified set of entryways? (5.1) A. Temporal B. Attribute C. Physical D. Non-discretionary
The correct answer is C. Physical access control systems (PACS) are used to manage physical movement through a given environment. Time (temporal, choice A) and attribute (role, for example, choice B) might be incorporated into PACS given that these are logical elements. Non-discretionary (choice D) is an access control model that applies role-based access control in a mandatory fashion, with a central authority making the policy decisions. Remember, too, that PACS is both a general term for these systems worldwide, and a specific U.S. government policy and approach to their use by government agencies.
What are prudent actions? (1.3) A. Actions prescribed by management B. Actions prescribed by policies C. Actions taken by people with similar backgrounds D. Actions taken after careful consideration
The correct answer is C. Prudent actions are generally considered as those actions that other people with similar backgrounds of experience, education and authority would take in the same circumstances. Management may have mandated the prudent person approach to security (choice A), and that might be reflected in an organization's policy (choice B), but we would have to start the process by asking, "What would a prudent person do under these circumstances?" While all actions should be carefully considered (choice D), without the same experience or education, the actions might be different from what the organization expects.
Following a series of dramatic and severe financial industry sector scandals in the 1980s, which of the following was created to suggest guidelines and practices to address financial reporting irregularities and fraud? (1.7) A. ISO Standard 31000 B. ISACA RISK IT C. COSO D. NIST SP 800-37
The correct answer is C. Since the formation of the Committee of Sponsoring Organizations (COSO) of the Treadway Commission in 1985, its publications on internal control and enterprise risk management have been widely accepted and adopted by many large organizations. ISO 31000 (Risk Management—Principles and Guidelines; choice A) discusses risk from a holistic organizational perspective and is not specific to IT. ISACA RISK IT (choice B) is a comprehensive view of all risks related to the use of information technology (IT) in organizations. NIST SP 800-37 (choice D) is the guide for applying the Risk Management Framework to federal information systems.
Which security engineering technical process provides security-related system data and information? (3.5) A. Business and mission analysis B. System requirements and definition process C. Design definition process D. System analysis process
The correct answer is C. The design definition process provides security-related system data and information for the design. The business and mission analysis process (choice A) helps the engineering team understand the scope, basis and drivers of the business. The system requirements definition process (choice B) transforms the stakeholders' protection needs into technical system security requirements. The system analysis process (choice D) provides a security view to system analyses and contributes specific system security analyses.
DORA describes the four steps taken to obtain an IP address. Which of the following is not one of those steps? (4.1) A. Discover B. Offer C. Reply D. Acknowledge
The correct answer is C. There is no reply but rather a request. The client sends out a broadcast with a DHCPDISCOVER packet, and the server responds with a DHCPOFFER giving the client an available address to use. The client responds back with DHCPREQUEST to use the offered address, and the server sends back a DHCPACK allowing the client to bind the requested address to the network interface card (NIC).
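The following is an added example, not code from the original page: the four DORA messages built and parsed with the RFC 2131 wire format, each side deriving its message from the one it received. The client MAC address, transaction IDs and IP addresses are constructed, and the final function shows why a rogue DHCP server on the segment wins if its OFFER arrives first, which is the reason switches offer DHCP snooping.

```python
# Added example (not from the original page): DHCP DORA exchange over the
# RFC 2131 wire format, plus a rogue-server race. All addresses and
# identifiers are constructed for illustration.
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK = 1, 2, 3, 5
OPT_REQUESTED_IP, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 50, 53, 54, 255
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # 236-byte fixed BOOTP header

def ip2b(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))

def b2ip(b: bytes) -> str:
    return ".".join(str(o) for o in b)

def build(op: int, xid: int, mac: bytes, yiaddr: str, siaddr: str, options: dict) -> bytes:
    """Fixed header, magic cookie, then TLV options terminated by option 255."""
    header = struct.pack(HEADER_FMT, op, 1, 6, 0, xid, 0, 0x8000,      # htype=Ethernet, flags=broadcast
                         ip2b("0.0.0.0"), ip2b(yiaddr), ip2b(siaddr), ip2b("0.0.0.0"),
                         mac.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)
    tlv = b"".join(bytes([code, len(val)]) + val for code, val in options.items())
    return header + MAGIC_COOKIE + tlv + bytes([OPT_END])

def parse(pkt: bytes) -> dict:
    f = struct.unpack(HEADER_FMT, pkt[:236])
    if pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message: magic cookie missing")
    options, i = {}, 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:                       # pad option has no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        options[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": f[0], "xid": f[4], "yiaddr": b2ip(f[8]), "siaddr": b2ip(f[9]),
            "chaddr": f[11][:f[2]], "type": options[OPT_MSG_TYPE][0], "options": options}

def client_discover(xid: int, mac: bytes) -> bytes:
    return build(BOOTREQUEST, xid, mac, "0.0.0.0", "0.0.0.0", {OPT_MSG_TYPE: bytes([DHCPDISCOVER])})

def server_offer(discover: bytes, server_ip: str, lease_ip: str) -> bytes:
    d = parse(discover)
    return build(BOOTREPLY, d["xid"], d["chaddr"], lease_ip, server_ip,
                 {OPT_MSG_TYPE: bytes([DHCPOFFER]), OPT_SERVER_ID: ip2b(server_ip)})

def client_request(offer: bytes) -> bytes:
    """The REQUEST is broadcast and names the chosen server, so the other servers withdraw their offers."""
    o = parse(offer)
    return build(BOOTREQUEST, o["xid"], o["chaddr"], "0.0.0.0", "0.0.0.0",
                 {OPT_MSG_TYPE: bytes([DHCPREQUEST]), OPT_REQUESTED_IP: ip2b(o["yiaddr"]),
                  OPT_SERVER_ID: o["options"][OPT_SERVER_ID]})

def server_ack(request: bytes, server_ip: str):
    r = parse(request)
    if r["options"][OPT_SERVER_ID] != ip2b(server_ip):
        return None                           # client chose another server: stay silent
    return build(BOOTREPLY, r["xid"], r["chaddr"], b2ip(r["options"][OPT_REQUESTED_IP]), server_ip,
                 {OPT_MSG_TYPE: bytes([DHCPACK]), OPT_SERVER_ID: ip2b(server_ip)})

def dora(xid: int, mac: bytes, server_ip: str, lease_ip: str) -> dict:
    """Run the full exchange against one server and return what the client binds."""
    ack = server_ack(client_request(server_offer(client_discover(xid, mac), server_ip, lease_ip)), server_ip)
    a = parse(ack)
    return {"type": a["type"], "address": a["yiaddr"], "server": b2ip(a["options"][OPT_SERVER_ID])}

def rogue_race(xid: int, mac: bytes) -> dict:
    """Two servers answer one DISCOVER; the client takes the first OFFER it sees.
    Here the rogue answers first, so the legitimate server never sends an ACK."""
    disc = client_discover(xid, mac)
    offers = [server_offer(disc, "192.0.2.66", "192.0.2.150"),   # rogue (a real one would also push itself as gateway/DNS)
              server_offer(disc, "192.0.2.1", "192.0.2.50")]     # legitimate
    req = client_request(offers[0])
    legit_ack = server_ack(req, "192.0.2.1")
    rogue_ack = server_ack(req, "192.0.2.66")
    return {"legit_acked": legit_ack is not None, "bound_to": parse(rogue_ack)["siaddr"]}

if __name__ == "__main__":
    mac = bytes.fromhex("0a1b2c3d4e5f")   # constructed client MAC
    print(dora(0x3903F326, mac, "192.0.2.1", "192.0.2.50"))
    print(rogue_race(0x3903F327, mac))
```

Nothing in the protocol authenticates the server, which is why the rogue's OFFER is accepted; DHCP snooping on the switch drops OFFER/ACK messages arriving on untrusted ports.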
The Uptime Institute is an industry organization that provides data center operators with certification of their facilities. Their tiered classification system consists of four tiers. Which tier requires a concurrently maintainable site infrastructure? (3.8) A. Tier I B. Tier II C. Tier III D. Tier IV
The correct answer is C. Tier III requires a concurrently maintainable site infrastructure: redundant capacity components and multiple distribution paths, so that any component can be taken out of service for planned maintenance without shutting down the site. Tier I (choice A) describes the basic site infrastructure. Tier II (choice B) adds redundant capacity components but still has a single distribution path. Tier IV (choice D) requires a fully fault-tolerant site infrastructure that withstands an unplanned failure of any component.
Asset management is an organization process that should be carried out to conform to governance process and standards. These might include which of the following? (2.3) A. Accounting B. Insurance C. Health and safety D. All of these
The correct answer is D. All of the answers are correct as they are all derived from governance.
Which of the following is an example of third-party baseline catalogs that can guide organizations in producing their baseline requirements? (2.6) A. International and national standards organizations B. Industry sector standards or recommendations C. Other companies, preferably with similar business objectives and of comparable size D. All of these
The correct answer is D. All of these are possible sources of information that can assist an organization in the creation of its own baseline catalog.
Which of the following should be considered a source of data remanence? (2.4) A. CPU (central processing unit) registers B. RAM (random access memory) C. SSD (solid state drives) D. All of these
The correct answer is D. Data is retained in some form or another in all IT and communication equipment. While some of the examples are considered volatile (the data will be deleted when the system powers down), they are all potential sources for data leakage or capture. A data destruction policy should include mechanisms to ensure no data remains on systems.
Applying authenticity to information provides an organization with which of the following? (1.2) A. Confidence that the information is genuine B. Verification that it has come from a trusted source C. Confidence that it is reliable D. All of these
The correct answer is D. For an organization to make use of any information that it holds or gathers, authenticity must be verified. Without authenticity, the information is largely useless and acting on it might even be illegal.
When considering mechanisms necessary to support policies, which one acts as advisory information? (1.3) A. Procedures B. Baselines C. Standards D. Guidelines
The correct answer is D. Guidelines can offer insights drawn from experience and observation, and they can clarify expectations of activity or provide alternative solutions or courses of action; unlike the other three, they are advisory rather than mandatory. Procedures (choice A) define the explicit, repeatable mandated activities necessary to accomplish a specific task or set of tasks. A baseline (choice B) is a minimum set of security requirements that must be met by systems or services. A standard (choice C) is a mandatory specification that supports a given policy, such as a password standard.
A virtual private network (VPN) uses what form of encryption to protect data in transmission? (2.6) A. Symmetric B. Asymmetric C. Link D. End-to-end
The correct answer is D. In end-to-end encryption, the data is encrypted at the start of the transmission by the sender and is decrypted only by the receiver, so intermediate devices never see plaintext. The bulk encryption is done with a symmetric algorithm and a session key (the same key is used to encrypt and decrypt); that key is usually agreed with an asymmetric key exchange such as Diffie-Hellman, or in simpler setups derived from a pre-shared secret, so choices A and B describe mechanisms used by the VPN rather than the form of encryption asked for. Link encryption (choice C) is generally applied by service providers hop by hop.
Which of the following is an example of a privacy framework? (1.2, 1.4, 1.7) A. GDPR B. PMF C. OECD D. All of these
The correct answer is D. The General Data Protection Regulation (GDPR, choice A) is the European Union privacy regulation, which addresses personal privacy and treats data protection as an individual right. The Privacy Management Framework (PMF, choice B) was created by the American Institute of Certified Public Accountants (AICPA) as a revision of the former 2009 Generally Accepted Privacy Principles (GAPP). The OECD Privacy Guidelines (choice C) are not themselves law but set out the principles on which many national data protection laws, including those of EU member nations, are based.
Who is responsible for the data content and context and the associated business rules? (2.4) A. The data owner B. The data controller C. The data custodian D. The data steward
The correct answer is D. The data steward is responsible for the data's content and context, its quality and the business rules that govern its use. The data owner (choice A) is accountable for determining the value of the data and how it should be protected. The data controller (choice B) determines the purposes and means of processing personal data and carries the accountability for protecting it. The data custodian (choice C) is responsible for the protection of the data while it is in their custody, including safe custody, transport, storage and processing of the data.
Which security engineering technical management process collects, analyzes and reports security-related data? (3.4) A. Project planning B. Decision making C. Risk management D. Measurement
The correct answer is D. The project planning process (choice A) produces and coordinates the security aspects of project plans. The decision making process (choice B) identifies, analyzes, characterizes and evaluates a set of security-based and security-informed alternatives for a decision. The risk management process (choice C) identifies, analyzes, treats and monitors security risks.
IP Security (IPSec) is a suite of protocols for communicating securely with IP by providing mechanisms for authentication and encryption. IPSec uses authentication headers (AH) to prove the identity of the originator and encapsulating security payload (ESP) for payload encryption. What is the protocol ID for AH? (4.1) A. 17 B. 47 C. 50 D. 51
The correct answer is D. The 8-bit protocol field in the IPv4 header (the Next Header field in IPv6) identifies what the IP payload carries so the receiver knows how to parse it. UDP is ID 17 (choice A). Generic routing encapsulation (GRE) is ID 47 (choice B). ESP is ID 50 (choice C). AH is ID 51, and because AH and ESP are IP protocols in their own right rather than TCP or UDP services, a firewall must be told to pass protocols 50 and 51, not a port number.
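The following is an added example, not code from the original page: decoding the protocol field from a raw IPv4 header and, when it is 51, the IPsec Authentication Header that follows it. The packet bytes are constructed here rather than captured, and the ICV is dummy filler rather than a real HMAC; the header checksum, however, is computed and verified for real.

```python
# Added example (not from the original page): IPv4 header and AH decoding.
# Packet bytes are constructed for illustration; the ICV is dummy filler.
import struct

IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP", 51: "AH"}
IPV4_FMT = "!BBHHHBBH4s4s"

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 ones' complement sum over 16-bit words; over a valid header (checksum included) it is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Assemble a 20-byte header with a correct checksum in front of `payload`."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack(IPV4_FMT, 0x45, 0, 20 + len(payload), 0, 0x4000, ttl, proto, 0, src_b, dst_b)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload

def parse_ipv4(packet: bytes) -> dict:
    """Decode the IPv4 header, verify its checksum and report the protocol carried in the payload."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _flags, ttl, proto, _csum, src, dst = struct.unpack(IPV4_FMT, packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl or total_len > len(packet):
        raise ValueError("malformed IPv4 header")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)), "ttl": ttl,
            "protocol": proto, "protocol_name": IP_PROTOCOLS.get(proto, f"unknown({proto})"),
            "payload": packet[ihl:total_len]}

def build_ah(next_header: int, spi: int, seq: int, icv: bytes, inner: bytes) -> bytes:
    """RFC 4302 AH: next header, payload length (32-bit words minus 2), reserved, SPI, sequence, ICV."""
    if (12 + len(icv)) % 4:
        raise ValueError("AH must be a multiple of 32 bits; pad the ICV")
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv + inner

def parse_ah(payload: bytes) -> dict:
    if len(payload) < 12:
        raise ValueError("truncated AH")
    next_hdr, payload_len, _res, spi, seq = struct.unpack("!BBHII", payload[:12])
    ah_len = (payload_len + 2) * 4
    return {"next_header": next_hdr, "next_header_name": IP_PROTOCOLS.get(next_hdr, str(next_hdr)),
            "spi": spi, "sequence": seq, "icv": payload[12:ah_len], "inner": payload[ah_len:]}

def classify(packet: bytes) -> str:
    """Describe what the IP payload carries, following AH through to its inner protocol."""
    ip = parse_ipv4(packet)
    if ip["protocol"] == 51:
        ah = parse_ah(ip["payload"])
        return f"AH(spi={ah['spi']:#x}, seq={ah['sequence']}) -> {ah['next_header_name']}"
    return ip["protocol_name"]

if __name__ == "__main__":
    ah = build_ah(6, 0x1000, 1, b"\xaa" * 12, b"TCP segment")   # 12-byte ICV as with HMAC-SHA1-96; dummy value
    pkt = build_ipv4("10.0.0.1", "10.0.0.2", 51, ah)
    print(classify(pkt))
    print(classify(build_ipv4("10.0.0.1", "10.0.0.2", 17, b"\x00" * 8)))
```

A packet filter that wants to pass IPsec needs to match on this protocol field (50 and 51) rather than a port, and an IDS that wants to see inside AH traffic can read the inner protocol from the next-header byte because AH authenticates but does not encrypt.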
For how long can financial records be retained? (2.4, 2.5) A. Financial records can be retained as long as the organization wants to keep them. B. The retention period is set by law. C. There is no pre-set period. D. The retention period is defined by jurisdiction and (or) regulatory requirements.
The correct answer is D. While answer B is close, it is not the best answer because the applicable jurisdiction defines which law applies and gives a regulator the authority to publish additional requirements. Additional factors such as the industry sector may also affect the retention period. Answer A is wrong because an organization cannot simply choose; retaining records longer than required can itself be a compliance and privacy liability.
At what layer of the OSI 7-Layer Model does multiprotocol label switching (MPLS) operate? (4.1) A. Layer 2 B. Layer 3 C. Layer 4 D. Layer 2.5
The correct answer is D. While officially there is not a layer 2.5, MPLS is often referred to as a 2.5-layer protocol as it operates across both layers 2 and 3. The data link layer (layer 2, choice A) is where we apply MAC addressing. The network layer (layer 3, choice B) is where we apply IP addressing and the transport layer (Layer 4, choice C) is responsible for the reliable delivery of the datagram.