DOMAINS 1, 2, 3

What is the database used to interpret the details of SNMP communications? A) MIB B) Oracle C) CRL D) Syslog

A) A Management Information Base (MIB) is the database used to interpret the details of SNMP communications. A typical Simple Network Management Protocol (SNMP) management console will include an MIB. This facilitates communications between source systems and the management console while enabling the display of human readable results.

What is the condition of an IDS security assessment reporting that an event of concern has taken place, but when later analyzed it is determined that the event was benign and Should not have caused an IDS alert? A) False positive C) True negative D) True positive C) False negativ

A) A false positive is the occurrence of an IDS triggering an alert when the event is actually benign. This is a false positive because the alarm or alert is triggered falsely. The concepts of false and true are used to indicate whether the alarm is correct or incorrect. The terms of positive and negative are used to indicate whether an alarm or alert was triggered (i.e. positive) or not (i.e. negative).

What is the term used to describe a relationship between two entities where resources from either side can be accessed by users from either side? A) Two-way trust B) One-way trust C) Web of trust D) Transitive trust

A) A two-way trust is the term used to describe a relationship between two entities where resources from either side can be accessed by users from either side. An example of a two-way trust is that between two Microsoft Windows Active Directory domains. In such a relationship, both domains trust each other and allow users from one domain to access resources in the other domain.

Why is an enterprise risk management (ERM) program implemented? A) To establish a proactive risk response strategy B) To promote decision makers from any sector of the organization C) To provide public transparency to security operations D) To reduce costs associated with security assessments

A) An enterprise risk management (ERM) program should be implemented to establish a proactive risk response strategy. Only with properly managed risk is any organization able to get ahead of the attack-react cycle. Through a well-designed and properly implemented ERM, an organization will become more aware of their risks. As a result, security measures to reduce risk will be implemented, reducing the likelihood of compromise and preparing responses for when compromises occur.

Which of the following types of activities is NOT commonly performed in preparation for a security assessment? A) Apply patches. B) Collect host configuration documentation. C) Review the security policies. D) Analyze the change management procedures.

A) Applying patches is not an activity commonly performed in preparation for a security assessment. Applying patches is often part of the remediation actions taken after the security assessment. The security assessment will determine where security is lax or where improvements to security can be made. This may then require remediation activities such as removing equipment, changing configuration, altering business processes, and applying patches.

Which term is used to indicate the function of access control or defining which subjects can perform various tasks on specific objects? A) Authorization B) Accessibility C) Availability D) Authentication

A) Authorization is the term used to indicate the function of access control or defining which subjects can perform various tasks on specific objects. Authorization is the second element referenced by Authentication, Authorization, and Accounting (AAA). Authorization defines and controls what subjects can and cannot do.

What is a simple example of device authentication that is comprised of a text file used by Web sites? A) Cookies B) CGI C) CRC D) JavaScript

A) Cookies are a simple example of device authentication that is comprised of a text file used by Web sites. A Web browser receives one or more cookies related to user authentication from a Web site upon initial connection. Each time a new Web URL request is made, the cookie is returned back to the Web server to identify the device or user making the request.

Why do employees have to read and sign an Acceptable Usage Policy (AUP) before they are granted access to the IT network? A) To remind users of their responsibilities and that they will be held accountable for their activities B) To indicate which individuals can and cannot access specific network resources C) To show proof that the company has a business license and is authorized to use computer equipment in the furtherance of their business processes D) To define the laws that can be broken within this network

A) Employees have to read and sign an AUP before they are granted access to the IT network to remind users of their responsibilities and that they will be held accountable for their activities. The AUP can also be known as the Authorized Use Policy. The AUP is a written policy that dictates what is and is not appropriate or authorized to take place within the company network. The AUP can also be implemented as a pop-up or warning screen that is displayed to users each time they attempt to gain access to the IT network. It reminds them of the tenants of the written policy.

Why is change control and management used as a component of software asset management? A) To prevent or reduce unintended reduction in security B) To restrict the privileges assigned to compartmentalized administrators C) To oversee the asset procurement process D) To stop changes from being implemented into an environment

A) In software asset management, change control and management is used to prevent or reduce unintended reduction in security. Change control and management aims at evaluating each and every change to understand its impact before it is implemented into the production environment. Change control is most commonly associated with software changes, such as installing updates or changing configuration settings, but it can also be used to oversee hardware, personnel, and physical changes as well.

Why do many security monitoring systems produce a visualization of the collected results? A) It represents complex or bulky data in an easy to understand format. B) The lists of text and numbers takes up too much screen space. C) Security tools do not support spreadsheet presentations. D) It is the only way to represent passively monitored systems.

A) Many security monitoring systems produce a visualization of the collected results because it can represent complex or bulky data in an easy-to-understand format. By producing a graphical display of information, security mentoring systems enable the security staff to quickly comprehend complex information. Humans can more quickly absorb and understand visual data than collections of words and numbers. Visualization of security data also allows for many unique pieces of information to be presented simultaneously for compare and contrast purposes.

How can the burden of handling a specific security risk be transferred to the shoulders of another organization? A) Outsourcing B) Decommissioning equipment C) Implementing market leading countermeasure D) More thorough user training

A) Outsourcing is one method which can be used to transfer the burden of handling a specific security risk to the shoulders of another organization. This concept is known as risk transference or risk assignment. Risk transference does not remove the risk. It simply places the responsibility on someone else. This is commonly accomplished through outsourcing or through the purchasing of insurance. For some risks, risk transference is the best possible mitigation strategy. Leveraging the skills and abilities of another organization can be a smart security decision. However, risk transference is not the best course of action for every security concern. Each organization needs to evaluate its specific risks and available responses to determine the most effective solution.

How is role-based access control implemented? A) By assigning a job name label to subjects B) Through the use of time restrictions C) By assigning sensitivity labels to all objects D) On the basis of ACLs

A) Role-based access control (RBAC) is implemented by assigning a job name label to subjects. The job role assigns the rights and privileges necessary to complete all associated work tasks. By placing the job role name label on a subject, the subject inherits those privileges. RBAC is an effective strategy in environments with a high-rate of employee turnover or where there are numerous workers performing the same tasks.

How is separation of duties typically implemented? A) Segment administrative tasks into compartments, and then assign one or more distinct administrators into each compartment. B) Verify that a sender sent a message and prevent that sender from denying having sent the message. C) Assign each user a unique user account and require multifactor authentication. D) Assign users the minimal privileges necessary to complete work tasks.

A) Separation of duties is typically implemented by segmenting administrative tasks into compartments, and then assigning one or more distinct administrators into each compartment. The risk of failing to implement separation of duties is to have administrators with full privileges across the entire environment. This places the organization at extreme risk to the administrators making mistakes, performing intentional malicious attacks, or having their accounts used by a hacker.

What is the technology that enables a user to authenticate to a company network from their assigned workstation and then interact with resources throughout the private network without entering additional credentials? A) Single sign-on B) CHAP C) Multifactor authentication D) AAA services

A) Single sign-on (SSO) is the technology that enables a user to authenticate to a company network from their assigned workstation and then interact with resources throughout the private network without needing to enter additional credentials. Single sign-on is commonly used in private networks. It allows for an organization to require multifactor authentication for the single, master login without causing too much additional burden on the user in terms of time and effort spent on authentication activities.

You have been asked to help design the security awareness and training program for your company. Which of the following statements is NOT true regarding this program? A) Specialized technical training should be provided for executives. B) End-user training should focus on understanding security threats and social engineering. C) Management training should focus on protecting company assets. D) The security training policy should state which department is responsible with end-user security training.

A) Specialized technical training should be provided for users that must handle sensitive or confidential data—not executives. IT personnel should also obtain specialized technical training. Executive training should focus on the protection of business assets and the role that executives play in the overall security program.

Which item within an organization makes the determination as to which attributes of a subject or object determine whether access is granted or denied? A) Authorization policy B) Acceptable use policy C) Job descriptions D) Security baseline

A) The authorization policy of an organization makes or defines the determination as to what attributes of a subject or object determine whether access is granted or denied. An attribute-based access control system is subjective to the environment and its prescribed access limitations. These details must be written into the security policy so proper access control can be enforced by following the company policy.

What is the definition of risk? A) The probability or likelihood that an asset will be harmed B) A weakness in an asset C) Anything used in a business task D) An entity that can cause harm to an asset

A) The definition of risk is the probability or likelihood that an asset will be harmed. Risk can be calculated or assessed in many ways. One method is to combine the threat with the vulnerability with the chance that harm will occur within a given time frame, such as a year. This can be expressed by the following formula: risk = threat & vulnerability & likelihood

What is the purpose of a Security Information and Event Management (SIEM) product? A) To provide real-time logging and analysis of security events B) To provide event planning guidance for holding industry conferences C) To define the requirements of security procedures D) To improve employee security training

A) The purpose of a Security Information and Event Management (SIEM) is to provide real-time logging and analysis of security events. A SIEM is effectively an event log correlation system. A SIEM combines numerous functions to provide a comprehensive real-time overview of the organization's security status. Those functions include log collection from the various event sources throughout the network, normalization of logs to make them consistent for data mining, correlation of logs to indicate related records, aggregation of logs to reduce the volume of the data, and reporting of the data mined results into a real-time display of security status.

What is the purpose of the user account maintenance mechanism known as account lockout? A) To prevent password-guessing attacks from being successful B) To grant the ability to pass through a mantrap C) To turn off accounts for people no longer employed by the organization D) To remove an account that was used in a system breach

A) The purpose of account lockout is to prevent password-guessing attacks from being successful. Typical configurations of account lockout will give three attempts to provide the correct password (or other credentials) before temporarily disabling the account. This prevents attacks of manual or automated guessing of an account credentials from becoming successful.

Why are locks used on doors in secured areas? A) To keep people honest B) To detect access attempts C) To direct intruders to open areas D) To prevent all intrusions

A) The reason why locks are used on doors in secured areas is to keep people honest. Locks are a form of physical security. Locks are also used as a preventative security control. However, there are no perfect security measures. Locks only provide prevention up to a point. Locks can be bypassed, broken, picked, and bumped, or a key can be stolen. Locks do not ensure that unauthorized access will be blocked. Thus, locks serve as a reminder to not enter an area that is locked for which a user does not have authorization.

Why should the risks of an organization be reported as defined by enterprise risk management (ERM)? A) It helps with internal transparency, risk assessment, risk response, and risk monitoring. B) It assists with strategic planning, compliance, and training. C) It is a means to predict loss, select countermeasures, and reduce downtime. D) It is a government regulation.

A) The risks of an organization should be reported as defined by enterprise risk management (ERM) because it helps with internal transparency, risk assessment, risk response, and risk monitoring. Risk reporting creates and maintains an inventory of risks. Everyone in the organization should report all security concerns to the security staff. Those on the risk management team will review each reported risk and add it to the risk register. The risk register is the centralized reporting and management tool of ERM used to facilitate proper risk handling. Once a risk is reported, it is now visible and known to all other decision makers in the organization, thus proving internal transparency. Once a risk is known, the processes of assessment, response crafting, and monitoring can take place.

What is the term used to refer to anything that can potentially cause harm to an asset? A) Threat B) Vulnerability C) Exploit D) Risk

A) The term threat refers to anything that can potentially cause harm to an asset. In terms of risk management, a threat is anything that can cause harm. A threat can be an intentional action, an automated program, an accident, or a natural event. All sources of threats must be considered when planning a security strategy.

Which of the following is an example of a single-factor authentication being used to gain access to a computer system? A) Using a username and a 16-character password B) Using an RSA SecurID token device and entering a private code C) Using a smart card and entering a secret password D) Using a biometric scan of a fingerprint and entering a PIN

A) Using a username and a 16-character password is an example of a single-factor authentication being used to gain access to a computer system. Entering a username is an identification activity, and only the password is an authentication factor in this scenario. Both factors are something you know. The activity of entering only a single authentication factor is often a simpler form of gaining access to a system than using a multifactor authentication process. However, it is much less secure. Single-factor authentication can be overcome by a single successful authentication attack, such as guessing, keystroke recording, network intercept, social engineering, or password cracking. Whenever possible, use two or more authentication factors to keep your account more secure.

Which of the following is a poor choice for secure password management? A) Use the default password. B) Use auditing tools to test password strength. C) Never share passwords. D) Create long and complex passwords.

A) Using the default password is poor password management. Everyone knows or can easily discover the default password for any device, software, or service. Be sure to change all passwords before using any product.

Your company is about to launch a new Web site offering services and features that are commonly requested but rarely offered by other existing sites. The market research shows that the new site will be very popular and will have significant user growth for years. You must set up user authentication with the following requirements: * Each user must be uniquely identified. * Multifactor authentication should be supported. * Authentication should provide protection of a user's identity even if your Web site's servers are compromised by hackers. How would you implement the authentication for this Web site? A) Set up a one-way federated access with an existing major social network site. B) Ask your boss to alter the requirements as it is not possible to use multifactor authentication and unique identification at the same time. C) Deploy a solution using code taken directly from an open source programming community repository site. D) Create shared group accounts requiring two, 10-character minimum passwords.

A) You should set up a one-way federated access with an existing major social network site to satisfy each of the stated requirements. Federated access is a link between a primary site and a secondary site to share or interconnect authentication. In this scenario, the primary site would be a major social network site, and the secondary site would be the new Web site being deployed by your company. A one-way federated access link would allow your site to accept the authentication from the primary site but would not allow your local Web site authentications to be accepted by the primary site. The use of one-way federated access would ensure that each user is uniquely identified.

How many accounts should a typical administrative user have and why? A) Two accounts: one for general tasks and one for special privileged tasks B) One account to minimize credential management C) One account to simplify auditing and reduce risk D) One account per managed device to ensure the same credentials are not used on multiple devices in the same environment

A) Administrative users should have two accounts: one for general tasks and one for special privileged tasks. This allows the administrator to separate the generic low privileged activities, such as research, email, web surfing, and document crafting, from the privileged actions, such as system administration. Using the general account a majority of the time and only using the privileged account when necessary minimizes risk to the organization. There is risk in the administrator making a mistake when performing generic tasks, because it can cause significant damage due to the higher privileges of the special account.

Why is it important to install updates and patches rather than to keep a system in a static configuration? A) Updates often fix flaws and reduce weak points in a system. B) Static systems do not develop new security flaws. C) Updates add new features and capabilities to a system. D) Static systems allow for changes to the system by end users.

A) It is important to install updates and patches rather that to keep a system in a static configuration because updates often fix flaws and reduce weak points in a system. Over time, new flaws, bugs in code, and vulnerabilities are discovered. Updates are written to address those issues as they are discovered. Applying updates thus reduces the known weak points in a system. A static configuration maintains the current weaknesses and does get the newly discovered flaws addressed. Thus, a static system becomes more vulnerable over time.

How is subject-based access control different from object-based? A) The focus is on an attribute or setting on the subject. B) Labels on resources are the primary concern. C) It always based on ACLs. D) It is based on the content of the object

A) Subject-based access control focuses on an attribute or setting on the subject for making authorization decisions. It is also referred to as attribute-based access control. The attributes or setting on a subject can be time of day, location, or internal or external to the private network, and whether a valid authentication was performed within a specific period of time. Another aspect of subject-based access control is to assign privileges to subjects based specifically on their job responsibilities, as that is used in role-based access control.

How is the chosen risk response strategy of risk acceptance proven and supported in a court of law? A) With a document signed by senior management B) Through storyboarding C) By not applying countermeasures D) Through the results of a qualitative analysis

A) The chosen risk response strategy of risk acceptance is proven and supported in a court of law with a document signed by senior management. This written proof of risk assessment, evaluation, consideration, and specifically choosing to accept or tolerate the risk is the valid means to support this decision in a court of law. Without a written document of this nature, the risk will be seen as being ignored. Ignoring risk is often considered negligent in the eyes of the court.

What is the primary benefit of a security camera for physical security? A) Detective B) Corrective C) Directive D) Preventive

A) The primary benefit of a security camera for physical security is detective. A security camera is a recording device and is a physical activity auditing system. Anything that takes place in view of a camera can be recorded. Thus, the camera serves as a detective security mechanism for physical security. A security camera can also be considered a deterrent as well.

Why is interpretation of a security assessment required before action is taken on the findings? A) Because senior management is not IT savvy and need thing explained in more generic terms B) Because not all findings are obvious nor point to specific causes or reasons C) Because quantitative analysis is based on opinions rather than numbers D) Because people do not typically read binary and hex results

B) A security assessment must be interpreted before action is taken on the findings because not all findings are obvious or point to specific causes or reasons. A security assessment may be performed using automated tools that produce reports made of boiler plate documentation or coded results. Another security assessment may only focus on one device, subnet, service, or protocol, and thus not be aware of all of the relevant facts about a situation or condition. Human interpretation is always required to fully understand a security assessment. Then, before action is taken, senior management needs to provide consent.

Which term refers to an in-house or third-party provided location where ongoing monitoring of the logical and physical security mechanisms of an organization is performed to provide a real-time situational awareness of the state of security? A) Registration Authority (RA) B) Security Operations Center (SOC) C) Continuity of Operations Plan (COOP) D) Intrusion Prevention System (IPS)

B) A security operations center (SOC) is an in-house or third-party provided location where ongoing monitoring of the logical and physical security mechanisms of an organization is performed to provide a real-time situational awareness of the state of security. A SOC is often an important component of security monitoring as it provides a centralized location for the collection, analysis, and coordinated response of security concerns. A SOC is sometimes defined as focusing more on physical security, while an information security operations center (ISOC) is focused on IT security concerns. However, the term SOC is used frequently to refer to either type of centralized security oversight.

Your organization is using Kerberos for private network authentication. How does Kerberos demonstrate to a resource host that the identity of a user is valid? A) A TGT is issued to the resource host. B) An ST is issued to the user, which is then sent to the resource host. C) A shared credential is issued to each principle in the realm. D) A unique session key is used to encrypt the authentication communications.

B) A session ticket (ST) is issued to the user, which is then sent to the resource host. The resource host can verify the validity of the ST, and thus the user's identity, by checking with the key distribution center (KDC). This technique allows the user to be issued the master ticket-granting ticket (TGT) without exposing it to duplication or impersonation. The KDC issues an ST whenever users need to prove their identity to another principle in the Kerberos realm.

Your organization experienced an impersonation attack recently that compromised the network administrator's user account. In response, new security measures are being implemented throughout the organization. You have been assigned the task of improving authentication. You want a new authentication system that ensures the following: Eavesdropped passwords cannot be used by an attacker. Passwords are only able to be used once. Password predication must be prevented. Passwords are only valid for a short period of time. How can you accomplish these goals? A) Implement an authentication system using wallet cards with a table of password options. B) Implement a synchronized, one-time password token-based authentication system. C) Implement a rotating, 30-character password authentication system. D)Implement a PIN-based authentication system where each PIN is incremented by three each time a user logs in.

B) A valid solution is to implement a synchronized, one-time password token device-based authentication system. This action will address each of the security concerns for the new authentication system:

How can an organization protect itself from compromise by accounts that were used by previous employees? A) Account audit B) Account deactivation C) Account provisioning D) Account lockout

B) Account deactivation is the primary means by which an organization can protect itself from compromise by accounts which were used by previous employees. As soon as someone is removed from the organization, the user account should be disabled or deactivated. This deactivation prevents any use of this account.

Why is account or identity proofing necessary? A) It allows for hiring of individuals with criminal records or sealed histories. B) It verifies that only the authorized person is able to use a specific user account. C) It ensures that privileged accounts are never used across network links. D) It checks that users are logging into the assigned workstation at their desk.

B) Account or identity proofing is necessary because it verifies that only the authorized person is able to use a specific user account. This can be done through a number of means, including text messaging, pre-arranged security questions, or answering dynamic questions about a user's account or background and history.

Why would an organization choose to accept risk? A) No risks can be eliminated fully. B) The risk is of a tolerable level. C) To save money D) To reduce liability

B) An organization may choose to accept risk if it is of a tolerable level. This is known as either risk tolerance or risk acceptance. It is the act of choosing to leave a risk as is without implementing any countermeasures. This may be done with the overall remaining risk of an organization has been reduced to a reasonably acceptable level. An acceptable level of risk occurs when the remaining risks are small enough that any damage caused by them would be relatively small and something the organization is willing to absorb. It is also possible that any countermeasures used to address such risks are unavailable or are too expensive for the benefit they would provide. For risk to be legitimately labeled as tolerable or acceptable, it must be formally written out. A risk acceptance document should define the risk and the reason the risk is left as is, and must be signed by senior management.

In addition to having at least one year of relevant experience in a domain of SSCP, what is another requirement to be qualified to take the SSCP exam? A) Earning a minimum of $75,000 per year in a security career B) Agreeing to abide by the (ISC) Code Of Ethics C) Having a four-year college degree in information technology or computer science D) Employment in a security position for three years

B) Another requirement to take the SSCP exam is to agree to abide by the (ISC) Code Of Ethics. To be qualified to take the SSCP exam, you must have one year of work experience in one or more of the seven domains of SSCP, and you must agree to abide by the (ISC) Code Of Ethics.

What is the purpose of a source system? A) The original gold version of a computer which is cloned for enterprise deployment B) Anything that records or maintains data of interest C) The first computer D) The data warehouse were open source code is saved

B) Anything that records or maintains data of interest is a source system. This term, source system, is from the concept of security monitoring, logging, and auditing. It refers to any computer, service, or device which is able to record an event and then provide that recoded event data to a management or monitoring solution, such as a SIEM. A Security Information and Event Management (SIEM) provides real-time logging and analysis of security events.

How do compensation controls fit into a complete organization security infrastructure? A) They notify visitors that video surveillance is taking place in the area. B) They replace a failed primary control or substitute for a desired control which is unavailable. C) They inform personnel of the proper procedure for performing sensitive tasks. D) They repair damage caused by a violation in order to restore a system to normal.

B) Compensation controls fit into a complete organization security infrastructure because they replace a failed primary control or substitute for a desired control which is unavailable. The purpose of a compensation control is to support the requirements of a security policy directive when the existing security controls or mechanism do not fulfill the requirements. Compensation controls can also be used as a substitute when the desired control either does not exist, is not compatible, or is unable to be used for whatever reason. Examples of compensation controls include job rotation, supervision, protocol encryption, keystroke logging, and layered defenses.

How is account provisioning commonly accomplished? A) Assign all users a random number-based name. B) Create user groups based on assigned company department or job responsibility. C) Grant each user full spectrum privileges. D) Compartmentalize users into their own individual area of assignment.

B) Creating user groups based on assigned company department or job responsibility is how account provisioning is commonly accomplished. The process ensures that users are granted privileges and access appropriate to their job responsibilities. The provisioning process is typically detailed in user management, identity management security policies, or both.

Why is data declassification an essential element of data asset management? A) To enable peer reviews and supervisory checks of the security solution B) To prevent the wasting of higher level security efforts C) To allow subjects with lower classifications to access previously highly classified information D) To disclose sensitive documentation to the public

B) Data declassification is an essential element of data asset management because it prevents the wasting of higher-level security efforts. When data value decreases or the data no longer warrants the protections of higher classification, it should be declassified. The activity of declassification is a re-assessment of the asset to apply the correct and current classification label and protections to that asset.

How does hardware asset management affect security? A) By preventing the use of cheap equipment through minimal cost vs. performance metrics B) By reducing the likelihood of hardware-focused attacks C) By replacing hardware as it becomes three years old D) By assessing the purpose of hardware before it is acquired

B) Hardware asset management reduces the likelihood of hardware-focused attacks. Since unmanaged hardware is more likely to have vulnerabilities and be compromised by an attack, the act of performing hardware asset management reduces these vulnerabilities and the potential for compromise. Thus, hardware asset management has a direct benefit by improving hardware security.

Why is it important to consider the impact of a threat when performing risk analysis? A) To determine which security control to apply B) To determine the level of response C) To determine the priority of implementation D) To determine the operating system of concern

B) It is important to consider the impact of a threat when performing risk analysis in order to determine the level of response. The amount of impact is an assessment of how much damage and/or downtime would be caused if a threat is realized. The larger the potential impact of a threat, the more risk that the company takes.

How are the access control schemes of MAC and RBAC distinguished from DAC? A) They are not based on assigned labels. B) They are not based on user decisions. C) They are based on object hosted ACLs. D) They are based on user identity.

B) MAC and RBAC are not based on user decisions. Mandatory access control (MAC) and role-based access control (RBAC) are examples of non-discretionary access control, while DAC stands for discretionary access control.

How does mandatory access control determine which objects a subject can access? A) By referencing the physical location of the workstation B) Through the use of classification labels C) Based on the job role of the user D) By checking ACLs

B) Mandatory access control (MAC) determines which objects a subject can access through the use of classification labels. Each subject and object is assigned a classification level, which is then indicated by a label placed on the subject or object. At the time of attempted access, the labels of each are compared. If the subject has equal or superior classification to that of the object, access is granted. If the subject has inferior classification to that of the object, then access is denied.

Why is multifactor authentication considered more secure than single-factor authentication? A) Single-factor authentication is less compatible with operating systems. B) Multifactor authentication requires multiple distinct attacks to perform impersonation. C) Multifactor authentication is available on the Internet. D) Multifactor authentication solutions cost more.

B) Multifactor authentication requires multiple distinct attacks to perform impersonation. Because multifactor requires the use of two or more different forms of authentication factors, an attacker would have to perform two or more distinct attacks to impersonate a valid user. For example, if authentication required a password and a smart card, then the attacker would have to steal or duplicate the smart card and crack or learn the password to log in as the target user.

Why is mutual authentication preferred over single-sided authentication? A) Impersonation is impossible when using mutual authentication. B) Mutual authentication requires both entities to prove themselves to each other simultaneously. C) Mutual authentication does not use open source solutions. D) Single-sided authentication does not support multifactor authentication.

B) Mutual authentication requires both entities to prove themselves to each other simultaneously. This makes mutual authentication preferred over single-sided authentication. This form of authentication minimizes the chance of connecting to a false site or accepting a false user. If both entities do not prove genuine, the connection is refused.

Which of the following clearance levels or classification labels is not generally used in a government- or military-based MAC scheme? A) Confidential B) Proprietary C) Unclassified D) Top Secret

B) Proprietary is not a classification label used in a government- or military-based MAC scheme. Proprietary may be a label used in a private sector business-based MAC scheme. The typical classification labels in a government- or military-based MAC scheme are: Unclassified, Confidential, Secret, and Top Secret.

Why is it important to perform a physical security assessment after a fire, chemical release, or bomb false alarm? A) It is a legal requirement to do so after emergency response personnel have been contacted. B) The event could have been triggered as a distraction to alter physical security mechanisms. C) The assessment might reveal the identity of the perpetrator. D) It gives your organization the opportunity to further train your personnel.

B) The event could have been triggered as a distraction to alter physical security mechanisms. For example, if your organization has emergency doorways that only have handles on the inside, an attacker could modify the lock mechanism while it is open, allowing personnel to exit the building. Thus, when the door re-closes, it might look closed and secure; but it is actually a means of entry for a future attack. It is essential to perform a thorough physical security assessment after each real or false incident. Additionally, it is also good security management practice to perform a physical security assessment on a periodic basis.

What is the purpose of a baseline in relation to security monitoring? A) Defines job task procedures B) Notices trends away from normal C) Keeps configurations consistent D) Evaluates purchasing requirements

B) The purpose of a baseline for security monitoring is to notice trends away from normal. Most of security monitoring is about detecting when activities and events are not normal. It is key to know what is normal in order to detect something different from normal. The baseline provides that recorded or defined and established normal as a point of comparison.

What is the purpose of sharing threat intelligence? A) Remove all private ownership of intellectual property. B) Equip other organizations to handle a looming security concern. C) Prevent lawsuits based on retaining proprietary information. D) Misdirect attackers into thinking their exploit is universally blocked.

B) The purpose of sharing threat intelligence is to equip other organizations to handle a looming security concern. Only through sharing of known security problems are they typically resolved. This is due to the public demand to repair a problem once it is known, as well as keeping the vendor aware of an issue that needs to be addressed. If one organization is compromised by a new attack, when information about the new attack is distributed, other organizations can take steps to protect their assets.

Which form or method of SDLC involves a repeated Plan-Do-Check-Act (PDCA) cycle sequence to each stage of the SDLC prior to deployment of a final product? A) Agile development B) Spiral model C) Waterfall model D) Rapid Application Development

B) The spiral model involves a repeated Plan-Do-Check-Act (PDCA) cycle sequence to each stage of the system development life cycle. The spiral model is based on the waterfall model, in that it has the six main steps or phases of requirement gathering, system design, implementation, integration, deployment, and maintenance. The difference the spiral model makes is that the phases are repeated, and during each repetition a prototype is crafted of the project to date. The prototype is then used as a basis for improvements during the next iteration of the phases.

What are the three main components of a smart lock or an electronic access control (EAC) lock? A) Proximity reader, light sensor, locking mechanism B) Credential reader, locking mechanism, door closed sensor C) Thick metal plating, time based lock, security cameras D) Biometric reader, timer, fire suppression system

B) The typical three main components of a smart lock or an electronic access control (EAC) lock are a credential reader, the locking mechanism, and a door closed sensor. The credential reader might accept push-pin codes, smart cards, or biometrics. When proper credentials are provided, the locking mechanism unlocks the door. Once the door opens, the door closed sensor monitors for the door closing. If it takes too long for the door to close, a warning buzzer may sound. It the door continues to stay open, an alarm is usually triggered. If the door closes, then the locking mechanism is reengaged.

A certificate authority (CA) system is used to verify the identity of its customers. The CA system allows general Internet users to access online resources and have some level of knowledge about who the entities are that are hosting online content. For example, a user can be confident in the identity of an online shopping site while making a purchase. How is the CA provide the benefit of verified identity? A) Peer trust B) Trusted third-party C) Independent assignment of trust D) Transitive trust

B) Trusted third-party is the means by which a certificate authority (CA) system is able to provide the benefit of verified identity. The system acts as a third party between the end user, who is the first party, and the server or resource host, which is the second party. On their own, the user and server may not be able to trust the identity of each other, so they employ the service of a trusted third party, the CA. The CA verifies the identity of its customers, such as the server, and issues a digital certificate to the customer—in this case, a server. The digital certificate is then sent to the visitors of the customer, such as the end user. If the end user trusts in the reputation of the CA that issued the digital certificate, then the user can be assured of the identity of that server, at least to the level the CA is itself trustworthy and the effort to which the CA verified the identity.

What is the definition of the principle of least privilege? A) All users are assigned the same privilege level. B) Users are assigned minimal privileges sufficient to accomplish job responsibilities. C) Users determine their own privilege level. D) No users are assigned sufficient privilege.

B) Users are assigned minimal privileges sufficient to accomplish job responsibilities is the definition of the principle of least privilege. This security principle ensures that users can accomplish their tasks without placing the organization at any higher level of risk. To properly enforce the principle of least privilege, privileges must be reviewed and revised on a regular basis to avoid privilege creep. Privilege creep occurs when users accumulate more privileges than necessary due to the shifting of job tasks over time.

Many businesses craft an ethical guidance policy as part of their overall security policy. In the event that there is a conflict between your employer's ethical policy and your own personal ethical views, how should you handle this conflict? A) Protest the concern by picketing outside of your employer's building. B) Discuss the issue internally with your manager and IT security administrator. C) Contact a lawyer to have the company policy changed. D) Post your disagreements with the issue on your social network account.

B) You should discuss the issue internally with your manager and IT security administrator. A code of ethics is not the law. Thus, your organization can make adjustments to the company policy for everyone, or can make an exception for just you to the specific tenant of the company's ethics policy that you have a conflict with. Open and honest discussion of the conflict internally with the persons of authority is the best approach to address any disagreements with the ethics policy. Discussing ethical concerns internally does not guarantee that the company will make a change in your favor, but it is the first and best option to begin dealing with the issue before it becomes a problem.

Your company is partnering with Verigon to produce a new suite of services for the financial industry. To create and support these new services, both organizations will need to share content and perform collaborative work. The new services are to be offered only to pre-selected and invited clients, rather than being sold openly. How can this new service be configured without significantly increasing the risk to either company's private networks? A) Configure the service on an internal server, and configure port forwarding. B) Set up the new service in an extranet and provide VPN credentials to Verigon and invited clients. C) Create a DMZ to host the service, and provide company interaction. D) Host the new service in a public SaaS cloud.

B) You should set up the new service in an extranet and provide VPN credentials to Verigon and invited clients. This will protect the private networks of both companies because shared data and resources will be hosted in the extranet. An extranet is a distinct network, run by a private organization, but for the purpose of hosting resources for a specific group of outsiders, such as business partners or high-end clients. Furthermore, access to an extranet is typically controlled by use of a VPN. Thus, only those with valid VPN credentials can connect into the extranet.

Why would a system display last login notifications to users once they have successfully entered their credentials? A) To inform users of their amount of time since their last connection B) To alert users of potential account logon violations C) To discourage users from staying away too long D) To encourage users to visit more often and stay connected longer

B) A system would display the last login notifications to users once they have successfully entered their credentials to alert them of potential account logon violations. The last login notifications show the time of the last successful logon and any failed logon attempts to the account since the last successful logon. By reviewing this information, users may become aware that someone logged into their account or someone attempted to log into their account. If a user suspects fraudulent activity, they should report it immediately to the security department.

Which trust architecture or model is based on the concept of an individual top level entity that all other entities trust and with entities organized in levels or layers below the top level? A) Transitive trust B) Hierarchical trust C) Peer trust D) Web trust

B) Hierarchical trust is the trust architecture or model that is based on the concept of an individual top level entity that all other entities trust with entities organized in levels or layers below the top level. A hierarchical trust model is commonly used in certificate authority (CA) configurations. The top entity in a hierarchical trust model is known as the root, an entity on a level below the root is known as an intermediary or subordinate, and an entity on the bottom level is known as a leaf.

How is a baseline used in compliance management? A) By protecting user privacy B) By reducing risk C) By comparing the current configuration of a system with the required configuration D) By defining the hardware and software to be present on a new system

C) A baseline is used in compliance management by comparing the current configuration of a system with the required configuration. With the existence of the baseline, which dictates the hardware and software requirements of the organization, it is possible to assess whether a system is in compliance or has fallen out of compliance. Once any gaps are known, remedies can be applied to bring a system back into compliance.

How does a deterrent control provide increased security? A) By blocking the event of the violation B) Through recording the activity of a violation C) By discouraging perpetrators from committing a violation D) Through repairing damage caused by a violation

C) A deterrent control provides increased security by discouraging perpetrators from committing a violation. This can be done through the implementation of physical security controls, such as barbed wire fences, tire spikes, security guards, video cameras, and signs that indicate unauthorized access is prohibited. These security controls need to be noticed and/or known to the potential attacker to have an effect. The controls are meant to communicate that the threat of either physical harm or legal harm will be encountered if a violation is attempted. The goal is to convince the attacker not to attack through the show of force, resistance, or recording abilities.

What is a directive control? A) A system to block intrusion attempts before they become successful B) A substitution of an alternate security solution when the primary solution fails C) A means to communicate instructions, guidelines, or security rules D) A mechanism to record compromising activities

C) A directive control is a means to communicate instructions, guidelines, or security rules. The function of a directive control is to provide guidance on how to behave when performing work tasks and how to avoid security violations. Directive controls include written security policies, posted signs, training, and security guards.

Which of the following is the best example of a threat agent? A) A flaw in the source code of a firewall B) A poor configuration in the authentication system C) A disgruntled employee D) A zero-day attack

C) A disgruntled employee is the best example of a threat agent from this list of four options. A threat agent is any entity which can initiate or control an attack against a target. A threat agent is typically a person, but can also be a natural event or an automated exploit. Under risk analysis, threat, threat agent, threat action, and threat vector are all closely related. A threat is something which can cause harm to an asset. A threat agent is the entity that can control or initiate an attack. A threat action is the attack or event of harm itself. A threat vector is the means or pathway by which a threat agent was able to gain access to an asset in order to realize the threat to perform the threat action resulting in damage.

How is quantitative risk analysis performed? A) Via employee interviews B) With scenario-based assessments C) Using calculations D) Through the Delphi technique

C) A quantitative risk analysis is performed using mathematical calculations. Quantitative risk analysis starts with creating an inventory of business assets. Then a list of potential threats is generated for each asset. For each asset-threat pair, calculations of asset value (AV) and exposure factor (EF) are determined. Then, the rate at which a threat may cause harm to an asset is calculated, i.e. the annualized rate of occurrence (ARO).

What is a security procedure? A) Specific criteria that must be met by implementation B) Suggested practices C) Detailed steps for performing specific tasks D) Minimum hardware and software requirements

C) A security procedure is a document containing detailed steps for performing specific tasks. Procedures are the "how to" components of a security policy. All of the aspects of the policy itself, standards, baselines, and guidelines, are distilled into an organized process to perform specific tasks, such as installing new software, setting up firewalls, establishing secure communications, using encryption on mobile devices, and destroying sensitive documentation.

What is the term used to describe an entry in a database describing a violation or exploit which is used to match real-time events in order to detect and record attacks by the continuous monitoring solution? A) Threat B) Vulnerability C) Signature D) Countermeasure

C) A signature is an entry in a database describing a violation or exploit which is used to match real-time events in order to detect and record attacks by the continuous monitoring solution. A signature or a pattern is used to recognize when a known attack or violation is attempted. Signature-based detection or monitoring tools must be updated regularly to maintain the broadest ability to detect known attacks. However, signature-based detection is not foolproof. If an attack has been modified or customized, it might not match the signature and go undetected. Thus, it is often essential for continuous monitoring solutions to include other forms of detection, such as anomaly, behavioral, and heuristic.

How is the total amount of potential risk calculated for a single asset and a specific threat? A) AV x CCM − EF B) SLE x EF C) AV x EF x ARO D) Accumulate residual risk

C) AV x EF x ARO is the formula used to calculate the total amount of potential risk calculated for a single asset and a specific threat. This formula is based on three values: AV, EF, and ARO. Asset value (AV) is a value based on both tangible and intangible value of an asset to the organization. Exposure factor (EF) is a prediction as to the percentage of loss that would be experienced if a specific threat is realized against a specific asset. Annualized rate of occurrence (ARO) is a prediction as to the number of times in the next year that the threat could be realized. When these three values are multiplied together they produce the annualized loss expectancy (ALE). The full formula is thus: ALE = AV x EF x ARO.

How are alterations to mission-critical servers approved before implementation when a change management process is involved? A) By showing a less than 10% chance of failure B) By documenting all changes that will take place C) By being assessed by a Change Control Board D) By providing a rollback option

C) Alterations to mission-critical servers are approved before implementation by being assessed by a Change Control Board. The Change Control Board (CCB) or Change Approval Board (CAB) is the individual or group of individuals assigned the responsibility to review the tested modifications. Their purpose is to determine if the risk of downtime or security reduction is minimal, and if not, what mitigations could be implemented to reduce the risk further. Only when the CCB/CAB is satisfied that a change will improve the organization in some way while minimizing downtime or other losses will a change be approved for implementation.

Which of the following is not considered an example of a non-discretionary access control system? A) MAC B) RBAC C) ACL D) ABAC

C) An access control list (ACL) is not considered an example of a non-discretionary access control system. ACLs are used by discretionary access control (DAC) systems. An ACL is placed on an object to define which subjects have been explicitly granted or denied access to that object.

What is an asset? A) All of the equipment in an organization B) Any data set with tangible value C) anything required to complete a business task D) Only those items costing more than $10,000 to purchase

C) An asset is anything required to complete a business task. If a business task cannot be completed without a particular item, then it is an asset. It does not matter whether an asset is of high or low cost, is a physical object or a digital element, or whether it is unique and proprietary or common and ubiquitous. The purpose of an organization is to perform its mission-critical processes. Thus, anything needed to support or perform those processes is an asset.

Under which condition should a security practitioner of your organization sit out of a security audit? A) When the operating budget is running low B) When it involves the handling of proprietary information C) When an outside consultant is evaluating compliance D) When senior management is dissatisfied with the results from previous audits

C) An internal security practitioner may be asked to sit out of a security audit when an outside consultant is evaluating compliance. In such a situation, the internal security practitioner represents a conflict of interest. Specifically, the person that configures and manages security should not be the same person to review and assess compliance of that security. This practice may not be considered a serious concern during normal operational management. In this condition, the person or group of people on the security management team will be responsible for both implementing and verifying security. However, when an external auditor is brought in to perform a formal assessment for compliance, it is essential that the results be unbiased. Thus, the security practitioners would sit out during the external security audit.

Why are the audit findings presented to senior management? A) The bottom-up business structure approach requires it. B) No one else in the organization has the expertise to read the report. C) Only with approval can a response plan be implemented. D) RFC1918 requires it.

C) Audit findings are presented to senior management because a response plan can only be implemented with their approval. It is the responsibility of senior leadership to make the primary business management decisions. This includes reviewing the results of risk analysis and risk assessment, which are the audit findings, and make decisions based on the recommendations of the risk auditing/assessment team. Only with senior management approval can the risk response strategies be implemented and only with senior management support and backing is such an endeavor able to succeed.

What type of technical control can be used in the process of assessing compliance? A) Security camera B) Multifactor authentication C) Auditing D) Encryption

C) Auditing is a technical control which can be used in the process of assessing compliance. A technical control is a security mechanism that is comprised of computer hardware and/or software. Technical controls are distinct from physical and administrative controls. Physical controls focus on facility protections. Administrative controls focus on personnel management, often referenced with the concept of policy and people management. Examples of technical controls include encryption, firewalls, intrusion detection, content filtering, anti-malware, auditing, and multifactor authentication. Auditing records the events and activities of users, software, and hardware. By reviewing the audit trails against policy, regulations, and authorization, it is possible to assess compliance and detect violations.

How is confidentiality different from privacy? A) Confidentiality relates to people and being in control of access to information about ourselves. B) Privacy is not legally protected. C) Confidentiality relates to the control of information in order to prevent disclosure to unauthorized entities. D) Privacy is only provided when inside your own home or using your own devices.

C) Confidentiality relates to the control of information in order to prevent disclosure to unauthorized entities is correct. This is a distinction of confidentiality. Privacy relates to people and being in control of access to information about ourselves. Most organizations need to provide security controls to address both confidentiality and privacy.

How long should event logs be retained? A) indefinitely B) 30-60 days C) as defined by company policy D) 1 year

C) Event logs should be retained as defined by company policy. The reasons for maintaining logs vary. They include mandates from government regulations, industry guidelines, and others. Such regulations may define a specific length of time to maintain logs, ranging for 30 days to indefinitely. The regulations may also indicate various events or circumstances which may dictate a need to retain logs for a longer period of time, such as due to an investigation. Some regulations prohibit indefinite storage of logs and thus require a destruction deadline. Some contractual obligations may dictate the length of time to retain event logs. In other cases, organizations may adopt industry-based best-business practices or adopt their own aspirations for record retentions. These and other affecting conditions should be integrated into the company's written security policy which defines the actually implemented retention parameters.

What is the most important consideration in regards to communicating findings from a security monitoring system? A) Informing the public of each security violation B) Linking each violation to a standard vulnerability reference, such as the CVE C) Speed of notification D) Having the presentation include all details related to an event

C) From this list of options, the speed of notification is the most important consideration in regards to communicating findings from a security monitoring system. Maybe second only to accuracy, the speed at which responsible entities are made aware of a security concern is of utmost importance. The faster notification occurs, the faster a response can be initiated to contain the compromise or prevent further exploitation.

How can a user be given the power to set privileges on an object for other users when within a DAC operating system? A) Give the user the modify privilege on the object. B) Remove special permissions for the user on the object. C) Grant the user full control over the object. D) Issue an administrative job label to the user

C) Granting the user full control over the object will provide a user with the power to set privileges on an object for other users when within a DAC operating system. Three other methods within a DAC environment to accomplish this are to 1) have the user be an owner of the object, 2) grant the user the change permissions special permission, or 3) be a member of the administrators group. Any user who creates a new object is automatically the owner of that object, but administrators can either take ownership or grant ownership to other users. Administrators can take ownership in order to gain full access over an object.

Which procedure is NOT a valid mechanism for performing account proofing when users are attempting to log into their account? A) Send a text message to the user's phone. B) Have the user click a hyperlink in an email message. C) Have the user type in the username and password a second time. D) Ask the user three security questions based upon facts that only the user is likely to know.

C) Having the user type in the username and password a second time is NOT a valid mechanism for performing account proofing. This activity would provide no security benefit, especially if the credentials were already entered properly. A valid account proofing mechanism will perform either an in-band or out-of-band exchange of information so that only the valid user would know or receive the information. Any invalid user would be unable to provide the correct response to the process, and thus, be rejected from the system.

If a security assessment determines that a specific employee has been performing numerous and repeated security violations, what action should be taken? A) Increase monitoring of this user's activity. B) Have the employee repeat the security awareness training. C) Perform an exit interview. D) Ask the employee to sign the NDA.

C) If a security assessment determines that a specific employ has been performing numerous and repeated security violations, then that employee should be put through an exit interview. An exit interview is a security practice of controlled and organized termination. During an exit interview, the employee is informed that they are being fired and the reasoning behind that decision. The employee is asked to turn over all company property, such as mobile phone, page, access badge, ID, etc. The employee is reminded of their non-disclosure agreement (NDA). During the exit interview, the IT staff disables the ex-employee's user account, changes their password(s), revokes their digital certificate, and changes any other related codes or PINs. At the end of the exit interview, the ex-employee is escorted out of the building.

How are managerial controls used to encourage compliance typically categorized? A) Recovery B) Preventive C) Directive D) Detective

C) Managerial controls used to encourage compliance are typically categorized as directive. Managerial controls are the security mechanisms and techniques used to oversee and govern the security efforts of an organization. They generally focus on assessing and reducing risk. The most obvious form of managerial controls is the written security policies and procedures. Security policies dictate the requirements for security throughout the organization, and compliance with these policies is mandatory.

How is non-repudiation often implemented? A) Hash calculations B) M-of-N control C) Digital signatures D) Baselining of security configurations

C) Non-repudiation is often implemented using digital signatures. A digital signature is a hash of the original data or message which has been encrypted or signed by the sender's private key. The resulting encrypted hash is the digital signature. The recipient verifies the signature by creating a hash of the received message, and then, using the sender's public key, decrypts the original hash from the digital signature. If the two hashes are identical, then the received message retained its integrity. This is known as authentication of source. The proof that the sender's private key was used provides non-repudiation. Unless the sender can show that someone else has access to his or her private key, then the sender cannot deny having signed and sent the communication.

What type of access control is typically the first line of defense? A) Administrative B) Logical C) Physical D) Technical

C) Physical access control is typically the first line of defense. In a layered defense security configuration, the center of the infrastructure contains assets. Around the assets are layers of security protections. These protection layers are organized so that the first or innermost layer is administrative, the next is logical/technical, and the final or exterior layer is physical. Thus physical protections are the first line of defense while personnel are the last line of defense.

Why are preventive controls important? A) They instruct the attacker to only perform benign activities. B) They discourage the attacker from performing the violation. C) They attempt to stop the violation from being possible. D) They record the occurrence of the violation.

C) Preventive controls are important because they attempt to stop the violation from being possible. Preventive controls include requiring authentication, setting authorization, using encryption for storage and transmission, locking doors and cabinets, using cable locks on portable equipment, using strong construction materials, and installing fencing. The purpose of a preventive control is to make the violation impossible. It is important to realize that no security mechanism is perfect, so even preventive controls can and do fail. Thus, preventive controls must be combined with other controls, including detective, deterrent, corrective, and directive controls, for a complete security solution.

Which of the following is a valid definition for privacy? A) Preventing the saving of modifications to a user profile B) Tracking the activity of a Web browser while performing online shopping or banking C) Providing a means of control of distribution of the information about an individual D) Using encryption to protect the content of a transaction

C) Privacy is providing a means of control of distribution of the information about an individual. Privacy is focused on controlling information about individuals, specifically giving the control to the person about whom the information is focused. Often, means of confidentiality are used to assist in the enforcement and protection of privacy, but confidentiality and privacy are not the same.

Which of the following is a tenant of the (ISC) Code Of Ethics? A) Do not waste resources. B) Do not bear false witness. C) Act honorably, honestly, justly, responsibly, and legally. D) Security is constrained by societal factors.

C) The (ISC) Code Of Ethics contains the tenant to act honorably, honestly, justly, responsibly, and legally. It is important to be familiar with the full text of the (ISC) Code Of Ethics. You will be agreeing to it before starting your exam, and there will be questions on the exam related to it.

What is the cost benefit equation? A) AES − CCMP B) AV x EF x ARO C) [ALE1 - ALE2] − CCM D) total initial risk - countermeasure benefit

C) The cost benefit equation is: [ALE1 − ALE2] − CCM In this equation, ALE stands for annualized loss expectancy, which is the value of the asset multiplied by the percentage of loss a specific threat could have multiplied by the number of times in a year that threat could be realized (a.k.a. AV x EF x ARO). ALE1 is the calculation of ALE prior to the countermeasure, and ALE2 is the reduced ALE based on the countermeasure being implemented. CCM stands for cost of the countermeasure. Because any security measure will cost something, such as purchasing, licensing, downtime, training, management, and implementation, this must be subtracted from the benefit otherwise provided by the countermeasure. If the benefit calculated by this equation is larger than any other considered countermeasure, then it would likely be the best security choice to implement.

What is the goal of event data analysis? A) Reduce the vulnerabilities of an organization. B) Discover the identity of perpetrators. C) Interpret collected events, and take appropriate action. D) Locate new exploitations.

C) The goal of event data analysis is to interpret collected events and take appropriate action. The gathered event details from source systems are raw data. This event data needs to be collected, processed, and analyzed in order to reveal meaningful information. Once a management console has performed initial event analysis, an interpretation of the initial data is displayed to the security staff. This information helps to determine the best course of action to take in response to discovered events.

When an organization has a properly implemented enterprise risk management (ERM), what is the tool used to list and categorize each discovered or encountered risk? A) Cost/benefit equation B) Threat model C) Risk register D) Delphi technique

C) The risk register lists and categorizes each discovered or encountered risk within a properly implemented enterprise risk management (ERM). The risk register is the master list of all risks of the organization. It serves as a tracking document as well as a call to action. Each listed item on the risk register needs to be evaluated and responded to. The risk register is a key tool in the management and response systems implemented under an ERM.

What is the term used to describe the violation of availability? A) Deniability B) Alteration C) Denial of service D) Disclosure

C) The violation of availability is denial of service (DoS). Availability is the security concept regarding providing access to resources at a reasonable level of throughput and responsiveness. Any breach of this protection is considered a DoS.

What do the following concepts have in common: weather, utilities and services, human actions, business processes, information technology, and reputation? A) They are elements in a qualitative risk analysis approach. B) They are examples of assets. C) They are all potential sources of threats. D) They are levels of classification.

C) They are all potential sources of threats. Weather, utilities and services, human actions, business processes, information technology, and reputation are all sources of threats which can harm assets, business tasks, or the organization as a whole. When performing a risk assessment, it is essential to consider all possible threats for all possible sources.

How can an equivalent to RBAC be implemented in a DAC operating system? A) Use filter lists to control access, set time restrictions, and block access based on logical address. B) Assign users classification labels. C) Create groups with the names of jobs, assign privileges to the groups, and place users into named groups. D) Assign users job labels.

C) To create an equivalent role-based access control (RBAC) solution in a discretionary access control (DAC) operating system, an administrator should create groups with the names of jobs, assign privileges to the groups, and then place users into named groups. Thus, users will be members of job role named groups and inherit the privileges assign to that group. This will result in users being able to perform their work tasks assigned to them. This is the same result as in a true RBAC system where a job label is created, privileges are assigned to the label, and then the label is assigned to or placed onto a user.

You must select the biometric devices that will add multifactor authentication to your company's workstations. Every user will be required to use a biometric as an authentication element to gain access to the company's IT resources. How can you determine which device will provide your organization with the most accurate results? A) Evaluate the FRR of several devices. B) Choose the devices with the lowest rate of Type II errors. C) Select the devices with the lowest CER. D) Consult a Zephyr analysis chart.

C) To determine which device will provide your organization with the most accurate results, you should select the device with the lowest crossover error rate (CER) point. The lowest CER point reveals which biometric device is the most accurate. A CER point is derived by creating a graph of Type I false rejection rate (FRR) and Type II false acceptance rate (FAR) error rates. Examine the chart in the following exhibit:

How can integrity be enforced or assessed across an entire computer system? A) Check that the latest version of software updates has been applied. B) Take a hash calculation of all system files. C) Compare a baseline of hardware settings and software configuration against a live system. D) View the available free space.

C) To enforce or assess integrity across an entire computer system, compare a baseline of hardware settings and software configuration against a live system. This activity is used to ensure that the integrity of an entire computer system has been retained. It is checking to see that a system is still in compliance with prescribed security policy and that user activities have not caused any unauthorized software to be installed or invalid settings to be applied.

What is user entitlement? A) The default level of access given to users by the operating system B) The level of privilege assigned to administrative accounts C) The rights and privileges assigned to a user D) The privileges inherited by a user

C) User entitlement is the rights and privileges assigned to a user. An entitlement is what is assigned or given to someone; thus, user entitlement is the abilities and access capabilities allocated to a user. User entitlements should be controlled by company policy and restricted based on the concept of the principle of least privilege.

What is the purpose of security policies? A) Keep costs to a minimum. B) Redirect responsibility to external entities. C) Define how security is to be implemented and managed. D) Remove all risk.

C) The purpose of security policies is to define how security is to be implemented and managed. Security policies are often comprised of dozens or possibly hundreds of individual documents. These documents may be policies, standards, guidelines, baselines, or procedures. With the exception of guidelines, compliance with all of the security prescriptions in security policy documents is mandatory.

How does a change management system ensure that updates to software do not cause unexpected downtime or reduction of security? A) By only rolling out updates on the third Thursday of each month B) By aggregating updates from multiple vendors to be applied simultaneously C) By scheduling changes to be implemented over a weekend D) By testing patches thoroughly before deployment

D) A change management system ensures that updates to software do not cause unexpected downtime or reduction of security by testing patches thoroughly before deployment. Testing is one of the most important elements of a change management process. It is the testing that helps an organization to determine what the consequences of deployment of a change will bring. Only with that knowledge can adjustments be made or mitigations implemented to prevent downtime and maintain security, even when the change must be applied. Testing an update before deployment does not absolutely guarantee that all negative effects will be eliminated or avoided, but it does significantly reduce their occurrence when compared to not testing.

Why is a continuous monitoring scheme implemented in a typical organization? A) To improve social engineering resistance B) To reduce employee resource waste C) To deflect denial of service attacks D) To take notice of events of interest

D) A continuous monitoring scheme is implemented in a typical organization to take notice of events of interest. Each organization will have some variation as to what events are of significant concern as compared to others. Some typical examples of events of interest include multiple successive failed login attempts, port scans, significant increase in protocol load, odd content submitted by visitors, attempting to access sensitive resources, and normal user accounts attempting to perform administrative functions. Events of interest are often indicators of intentional attack or exploit attempts by internal personnel or external entities. It is essential for these events to be noticed and for the security staff to be made aware of them to trigger appropriate incident response and management strategies.

What is the name of a physical security mechanism that is used to eliminate piggybacking and tailgating and includes two locked doorways? A) Bollard B) Access badge checkpoint C) Turnstile D) Mantrap

D) A mantrap is a physical security mechanism used to eliminate piggybacking. A mantrap is a small room with two locked doors. One door faces the less secure area while the second door faces the more secure area. Employees must authenticate to unlock the outside door; then once they enter the small room, they must close and lock the outside door before authenticating to unlock the inside door. If someone fails to authenticate to the second door, they are trapped, and security guards are notified to handle the situation.

You are starting a new website. You want to quickly allow users to begin using your site without having the hassle of creating a new user account. You set up a one-way trust federated access link from your website to the three major social networks. Why should you use a one-way trust in this configuration rather than a two-way trust in this scenario? A) Two-way trusts are only valid in private networks and cannot be used across the Internet. B) A one-way trust allows your website to access the file storage of the social networks. C) A two-way trust would grant the social network administrators full access to your backend database. D) A one-way trust allows your website to trust the user accounts of the social networks without requiring the social networks to trust your website.

D) A one-way trust allows your website to trust the user accounts of the social networks without requiring the social networks to trust your website. A one-way trust to the social networks allows your website to use the existing user accounts of the social networks, granting those users access to your website. This eliminates the need for users to create new accounts that only exist on your website. Additionally, this specific configuration of a one-way trust ensures that the social networks do not have to trust your website in order to allow their users access to your content. Instead, you simply have to use a supported federated access mechanism, such as OAuth, to create the one-way trust.

How can account provisioning be configured so that the assignment of rights and privileges is nearly automatic once the account is created? A) Enable new users to set their own privileges. B) Trigger a random number generator to assign privileges on various resources. C) Follow a strict procedure where granular access is set on a per-object basis for each user by an administrator. D) Use an RBAC mechanism where a new user's role is set by an HR admin.

D) A role-based access control (RBAC) mechanism where a new user's role is set by a human resources (HR) admin can ensure the assignment of rights and privileges is nearly automatic once the account is created. The RBAC system would use the assigned user role to provide the user's rights and privileges automatically, based on the user's job responsibilities.

Why is a security impact assessment performed as part of a change management process? A) To assess compliance with regulations B) To find out if sufficient funds have been allocated to the security function C) To review the level of security against the efforts involved in testing change D) To determine the likelihood of downtime or security reduction caused by a potential change

D) A security impact assessment is performed as part of a change management process to determine the likelihood of downtime or security reduction caused by a potential change. The security impact assessment determines what effects a change will have, which systems will be affected by the change, and how significant the change's impact is on overall organizational security. This information is used by the Change Control Board (CCB) or Change Approval Board (CAB) to decide whether or not to implement a change or if additional research or mitigation efforts are required.

How does a typical SIEM or systems management console retrieve event details from a source system? A) SMTP B) OVAL C) IPSec D) SNMP

D) A typical SIEM or systems management console retrieves event details from a source system via Simple Network Management Protocol (SNMP). SNMP is used to exchange management information between source systems and management consoles. SNMP is defined by RFC1157 and operates over UDP ports 161 and 162.

How can a vulnerability be reduced or eliminated? A) By crafting a response strategy B) Through delegation C) Through monitoring D) By improving the asset

D) A vulnerability can be reduced or eliminated by improving the asset. The weaknesses in an asset are its vulnerabilities. These weak points can be resolved by implementing patches or upgrades or installing defensive countermeasures, such as firewalls or access control. Thus any improvement or upgrading of the asset may reduce or eliminate its vulnerabilities.

What form of monitoring involves the injection of packets into communications in order to measure performance of various elements in the network? A) Post mortem monitoring B) Passive monitoring C) Collaborative monitoring D) Active monitoring

D) Active monitoring is the form of monitoring which involves the injection of packets into communications in order to measure performance of various elements in the network. The concept behind active monitoring is to introduce a known value or container into an active system and monitor the events around the injected element. In the case of general networking, active monitoring is the activity of injecting a standard network packet and monitoring its progress across network devices on its way to the destination. This is similar to how some highway traffic systems judge congestion by watching a pace vehicle pass through various monitoring points along a stretch of road.

How does an attribute-based access control system determine if a subject can access an object? A) It compares the job description. B) It checks for classification labels. C) It evaluates the ACLs. D) It assesses the characteristics of the subject, object, and/or environment.

D) An attribute-based access control system assesses the characteristics of the subject, object, and/or environment to determine if a subject can access an object. The characteristics or attributes on subjects, objects, and in the environment are used to assess whether a subject is granted or denied access to an object. The characteristics or attributes that determine access are defined by the organization's security policies.

What is the term used to describe the risk management strategy of an organization altering a business task to work around a specific event or activity in order to prevent compromise? A) Deterrence B) Acceptance C) Transference D) Avoidance

D) Avoidance is the term used to describe the risk management strategy of an organization altering a business task in order to work around a specific event or activity in order to prevent compromise. By adjusting business processes to work around a risky activity or event, the impact of a realized threat can be eliminated or reduced. This can be an effective tool when designing a risk management strategy. Risk avoidance or risk removal is sometimes considered a sub-category of risk mitigation. However, risk avoidance is not the dominate concept or defining factor.

How does discretionary access control determine whether a subject has valid permission to access an object? A) Evaluate the attributes of the subject and object. B) Assess the user's role. C) Compare the classification labels of the subject and object. D) Check for the user identity in the object's ACL.

D) Checking for the user identity in the object's ACL is the means by which discretionary access control (DAC) determines whether a subject has valid permission to access an object. DAC is based on assigning privileges to subjects through object-based access control lists (ACLs). An ACL is a list of subjects' identities or group identities and the privilege granted or denied to that entity. Any subject that is a member of a group which has assigned privileges inherits those privileges from the group.

Why are corrective controls important to the long term success of an organization's security implementation? A) They provide a means to determining what took place and who the perpetrator was. B) They can cause attackers to rethink their actions before actually performing a violation. C) They effectively prevent damage from occurring when attackers attempt a violation. D) They return systems and the environment back to a state of normal security.

D) Corrective controls are important to the long term success of an organization's security implementation because they are used to return systems and the environment back to a state of normal security. The purpose of a corrective control is to quickly remedy a violation or a change into an unwanted or abnormal state by restoring a system or returning the environment back to a normal secure state. Examples of corrective controls include automated reboots after system failure and the mechanism on a door to reclose and relock it after an employee walks through.

Many Web sites use a digital certificate to prove their identity to visitors. Why is the use of digital certificates considered a reliable form of authentication? A) It complies with 802.1x. B) It is a web of trust. C) It uses symmetric encryption keys. D) It is a form of trusted third-party authentication.

D) Digital certificates are a form of trusted third-party authentication. This means that if a user trusts a certificate authority (CA) and servers to also trust the same CA, then users can be assured of the identity of the server. As long as the CA has a reliable reputation, then users can trust in the identity of any entity the CA has verified. Because a CA places its reputation on the line when issuing certificates, it makes reasonable efforts to verify the identity of its customers.

How can a risk be mitigated? A) Alter business processes to avoid them. B) Accept a risk as is. C) Purchase insurance. D)Implement safeguards

D) Implementing safeguards is the best means of risk mitigation. Risk mitigation is the concept of implementing any strategy that would either reduce or eliminate a risk. This often includes the application of safeguards (which can also be called countermeasures or security controls). Risk mitigation can also be achieved through reconfiguration of existing hardware and software as well as removal of equipment from the environment. However, this later activity can be specifically labeled as risk elimination.

What is the most important foundational security concept upon which most other security ideas and solutions are based? A) Non-repudiation B) Availability C) Revocation D) Implicit deny

D) Implicit deny is the most important foundational security concept upon which most other security ideas and solutions are based. Implicit deny, implicit denial, or default deny is the core of all security. The idea is that nothing and no one is allowed any form of default or automatic access. With implicit deny, all things and all entities are stopped. Then, as needed and when specifically implemented, explicit allows can be granted to allow users to access and use resources.

How is granular control of objects and resources implemented within a mandatory access control environment? A) Logical location assessment B) ACLs on objects C) Job label D) Need to know

D) Need to know is the means by which granular control of objects and resources implement within a mandatory access control environment. In most MAC environments, there are only a few levels of classification. To provide more granular control over object access, objects of unique value, special use, or sensitive content are restricted by need to know. A subject with the proper clearance for a specific classification label does not gain access to all objects and resources in that level automatically. Instead, subjects are assigned need to know permissions on those objects which are necessary for the completion of assigned work responsibilities.

How can operational controls be used to improve security compliance? A) Implement encryption and multifactor authentication. B) Require M-of-N controls and place administrators into compartmented areas. C) Track activities with auditing and review the audit logs. D) Set procedures for work tasks and provide training.

D) Operational controls can be used to improve security compliance by setting procedures for work tasks and providing training. Operational controls are security mechanisms that are implemented and operated by personnel rather than by hardware or software. Operational controls include physical protection, training, hiring practices, supervisory review, incident response, media protection, configuration and change management, and termination practices. Most operational controls have the goal or focus of establishing or improving security compliance.

According to NIST SP 800-30 Revision 1, what is the first major step in risk assessment? A) Conduct B) Communicate C) Maintain D) Preparation

D) Preparation is defined as the first major step in risk assessment according to NIST SP 800-30 Revision 1. The purpose of this initial step is to lay a solid foundation for the remainder of the risk assessment processes. The subsequent steps of conduct, communicate, and maintain require solid preparation in order to be completed in a manner supporting an organization's security goals. This preparation would include setting risk goals, selecting assessment methodologies, identify assumptions, select a risk model, and evaluating assessment constraints and limitations.

What is the result of an access control management process that adds new capabilities to users as their job tasks change over time, but does not perform a regular reassessment of the assigned authorization? A) Collusion B) Collision C) Fraud and abuse D) Privilege creep

D) Privilege creep is the result of an access control management process that adds new capabilities to users as their job tasks change over time, but does not perform a regular reassessment of the assigned authorization. Privilege creep is the result of failing to maintain the principle of least privilege. It is an essential security management task to reassess all privileges on a regular basis. Any excessive privilege is additional and unnecessary risk to the organization.

When should security be implemented or included in the asset life cycle? A) Before implementation B) Once the asset is being used in daily operations C) During the maintaining phase D) As early as possible

D) Security should be implemented or included in the asset life cycle as early as possible. Security should be an essential element of all aspects of an organization, especially in relation to assets. Whenever possible, security should be included in the initial design and architecture of an asset. If that is not possible because the asset is obtained from outside sources, then including or implementing security as early as possible after procurement is essential. If security is added late in the asset life cycle, it will cost more and be less effective than when it is implemented earlier.

An organizational security policy defines the requirements of implementing and managing security. Many of the elements of a security policy are dictated to the organization by many entities, while others are adopted based on other factors. The document type known as a standard clarifies and prioritizes these elements. Which of the following is UNLIKELY to be used as a source for a company's standards? A) Government regulations B) Contractual obligations C) Industry best practices D) Monetary expediency evaluations

D) Standards should generally NOT be based on monetary expediency evaluations. Selecting security mechanisms based on what is cheapest or easiest to implement is a poor foundation for reliable security.

What is the purpose of continuous monitoring? A) To discover new technologies B) To track uptime C) To consume as much storage space as possible D) To record all events that may be related to a violation

D) The purpose of continuous monitoring is to record all events that may be related to a violation. If monitoring is not implemented in a consistent manner, then events will be missed and not recorded into the audit log. It is invalid to manually re-create events after the fact if the monitoring mechanisms failed to catch the event and make a record of it in the audit log. Thus, organizations should implement a continuous monitoring solution which is always recording all events to an audit log. This will provide the most complete perspective on the occurrences within the organization.

When an organization has limited visibility of their risk, in addition to how risk affects daily operations, in what state or condition is the organization? A) Processing state B) Proactive state C) Preventive state D) Reactive state

D) When an organization has limited visibility of their risk and on how risk affects daily operations, they are in a reactive state. A reactive state or condition occurs when an organization is only equipped to respond to compromises as they occur. This is a condition of always being behind and being pushed by security violations into taking actions, often without planning or consideration. Organizations should strive to break out of the reactive state in order to become proactive. By implementing a risk management and response strategy, an organization can become more aware of their ongoing and operational risks. They can take efforts to plan for potential compromises and how to response appropriately. By implementing a sound security strategy, risk can be managed rather than being only reacted to.

Which of the following is valid regarding change management and the need for interoperability? A) You should be able to run the same binary code on any platform. B) You should be able to manage a system remotely from any Internet connection. C) You should be able to run the same program on multiple systems simultaneously. D) You should be able to exchange data based on common formats, day types, file formats, and/or protocols.

D) You should be able to exchange data based on common formats, day types, file formats, and/or protocols regarding change management and the need for interoperability. This is the basic definition of interoperability. Change management needs to ensure that any pre-existing interoperability capabilities are maintained or re-established after a change is implemented, especially if that interoperability is used as part of a core business function.

Your company has recently acquired a small startup company, Metroil. Metroil has a single Microsoft Active Directory domain named Metroil-HQ. Your company has three existing domains: BaseStar1, RemoteOf2, and RemoteOf3. Your company's three existing domains are configured in a standard domain tree, with BaseStar1 linked to RemoteOf2, which is then linked to RemoteOf3. How can users from Metroil access resources in BaseStar1 with the least amount of network reconfiguration? A) No new configuration is required. All domains automatically have two-way trusts between them. B) Break the tree trusts between BaseStar1 and RemoteOf2 and the trust between RemoteOf2 and RemoteOf3. Establish a trust between BastStar1 and Metroil-HQ. C) Remove each device from Metroil-HQ, and then join each device as a new member of BaseStar1. D) Establish a trust between RemoteOf3 and Metroil-HQ.

D) You should establish a trust between RemoteOf3 and Metroil-HQ. The standard trusts between domains in a domain tree are transitive two-way trusts. Thus, once a new trust is established between RemoteOf3 and Metroil-HQ, the users in Metroil-HQ can be allowed to access resources in BaseStar1 due to the transitive two-way trusts between all four domains

You are working hard to complete a major project before the deadline, which is next Monday. Three days before the deadline, you discover that the final task of the project requires a specific software product which you do not have. After searching for a version to purchase either from a local store or over the Internet, you discover that there are no copies of the software available for immediate access and use. The only version you can locate for purchase is through an overseas retailer. However, even with expedited shipping, it will not arrive until next Wednesday. During your search, you notice that there is a pirated copy available for download available immediately. How should you handle this situation according to (ISC) guidance? A) Install the pirated version in a virtual machine, and destroy the evidence once the project is complete. B) Use the pirated version, but go ahead and purchase the legitimate version. C) Use the pirated version. D) Purchase the legitimate product, and ask for a deadline extension.

D) You should purchase the legitimate product and ask for a deadline extension. According to the (ISC) Code Of Ethics, you should strive to always act honorably, honestly, justly, responsibly, and legally. The only ethical and legal option for this scenario is to ask for a deadline extension and purchase the legitimate product to complete the project.

What do detective controls do? A) Deflect a violation. B) Stop a violation from occurring. C) Restore the environment after a violation. D) Notice when a violation is taking place.

D) A detective control notices when a violation is taking place. The purpose of a detective control is to record the occurrences of events and activities. This includes both compliance and violation events. Detective controls include auditing, monitoring, logging, security cameras, intrusion detection, and physical access violations.

How is accountability typically enforced? A) By checking the hash of all files accessed by a user account B) Through the use of asymmetric encryption C) With smart cards D) Through AAA services

D) Accountability is typically enforced through Authentication, Authorization, and Accounting (AAA) services. AAA services actually refer to five steps in the process of holding people accountable for their user account's actions. Those five steps are: Identification, Authentication, Authorization, Auditing/Monitoring/Logging, and Accounting. In other words, AAA services are used to have all entities claim an identity, prove that they are that identity, control what the entity can do, record the actions of the entity, and then review the recorded event logs to check for compliance or discover violations. Ultimately, the actions of the user accounts can be linked to the person assigned to that account, and thus, the person can be held responsible for those digital activities.

Properly managing user accounts is an essential element in maintaining security. How should the process of identity management be implemented? A) Account creation - create all potentially needed privileged accounts during the initial phase of network installation, then assign those accounts as needed over time. B) Account provisioning - create privileged accounts that have equal access and capability throughout the network. C) Account monitoring - configure user account auditing and monitoring to focus on end users only, as privileged users are highly trusted entities. D) Policies and procedures - grant privileged accounts significant access capability; define the parameters of use with authorized use policies, nondisclosure agreements, and confidentiality agreements to reduce risk.

D. You should implement the process of identity management with the following policies and procedures: * Grant privileged accounts significant access capability. * Define the parameters of use with authorized use policies, nondisclosure agreements, and confidentiality agreements to reduce risk. Because privileged accounts have more access capabilities than other accounts, they require more rigid restrictions and clearly defined requirements. All personnel assigned a privileged account should read and sign-on off on understanding and agreeing to stay in compliance with all company policies and procedures.

Your company adopts a new end-user security awareness program. This training includes malware introduction, social media issues, password guidelines, data exposure, and lost devices. How often should end users receive this training? A) upon new hire B) twice a year C) one a year and upon termination D) upon termination E) upon new hire and once a year thereafter F) once a year

E) End users should receive security awareness training upon new hire and once a year thereafter. This ensures that new hires understand security issues immediately. It also ensures that end users receive updates to their security awareness knowledge on an annual basis

Why is it important to evaluate intangible assets while performing a risk assessment? A) Intangible assets cannot be harmed by threats. B) They can be sold for operating funds. C) Only tangible assets have value. D) Not all assets are tangible.

It is important to evaluate intangible assets while performing a risk assessment because not all assets are tangible. Many assets are intangible, such as trade secrets, intellectual property, proprietary data, customer databases, contracts, agreements, public opinion, market share, customer loyalty, and any and all data storage. Generally, an intangible asset is one that is not a physical item. However, intangible assets can be very valuable and thus need protection. Evaluating the risks to intangible assets is an early step towards implementing proper security measures.

Which of the following are examples of security log event severity levels? (Choose all that apply.) A) Emergency B) Critical C) Alert D) Notice E) Urgent F) Reference G) Warning H) Error I) Basic J) Important K) Debug

The correct answers from this list security log event severity levels are: Emergency, Critical, Warning, Alert, Notice, Debug, and Error. There are eight standard security log event severity levels. They are listed below: Code 0 - Emergency Code 1 - Alert Code 2 - Critical Code 3 - Error Code 4 - Warning Code 5 - Notice Code 6 - Information Code 7 - Debug The other selection options of Important, Reference, Basic, and Urgent are incorrect. These are not examples of security log event severity levels.