Security+ 2.0 Compliance and Operational Security (18%)


QUESTION NO: 220 Which of the following concepts are included on the three sides of the "security triangle"? (Select THREE). A. Confidentiality B. Availability C. Integrity D. Authorization E. Authentication F. Continuity

Answer: A,B,C Explanation: Confidentiality, integrity, and availability are the three core concepts in security, commonly called the CIA triad; together they form the three sides of the security triangle. Authentication and authorization are mechanisms that support these goals rather than goals themselves.

QUESTION NO: 364 Which of the following risk concepts requires an organization to determine the number of failures per year? A. SLE B. ALE C. MTBF D. Quantitative analysis

Answer: B Explanation: ALE (annual loss expectancy) is the monetary loss an organization can expect from a given risk in one year. It is computed as ALE = SLE x ARO, where SLE (single loss expectancy) is the loss from one occurrence and ARO (annualized rate of occurrence) is the expected number of occurrences, or failures, per year. Determining that yearly count is therefore part of calculating ALE. MTBF (mean time between failures) is a hardware reliability figure, and quantitative analysis is the broader method that uses all of these values.
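As an added worked example (not part of the original question set), the arithmetic behind this answer in Python: SLE from asset value and exposure factor, ALE from SLE and ARO, and the usual cost-benefit test for a control (ALE before minus ALE after minus the control's annual cost). The asset values, factors and rates are constructed for illustration.

```python
# Added example (not from the exam page): quantitative risk arithmetic.
# SLE = AV * EF, ALE = SLE * ARO, and the annual value of a safeguard.
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset_value: float      # AV: monetary value of the asset
    exposure_factor: float  # EF: fraction of AV lost per incident (0..1)
    aro: float              # ARO: expected incidents (failures) per year

    def sle(self) -> float:
        """Single loss expectancy: loss from one incident."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual loss expectancy: SLE scaled by the yearly rate of occurrence."""
        return self.sle() * self.aro


def safeguard_value(before: Risk, after: Risk, annual_cost: float) -> float:
    """Cost-benefit of a control: ALE reduction minus what the control costs per year.
    A positive result means the control pays for itself."""
    return before.ale() - after.ale() - annual_cost


if __name__ == "__main__":
    # Constructed numbers: a $200,000 server room, ransomware destroys 50% of its
    # value per hit, expected twice a year without offline backups.
    before = Risk(asset_value=200_000, exposure_factor=0.5, aro=2.0)
    # With offline backups the rate is unchanged but each hit now costs only 10%.
    after = Risk(asset_value=200_000, exposure_factor=0.1, aro=2.0)
    print(f"SLE before: {before.sle():,.0f}   ALE before: {before.ale():,.0f}")
    print(f"ALE after:  {after.ale():,.0f}")
    print(f"Net value of a $30,000/yr backup program: "
          f"{safeguard_value(before, after, 30_000):,.0f}")
```

The same three functions answer the exam's other quantitative questions: a control is worth buying only while `safeguard_value` stays positive, and raising ARO (more failures per year) raises ALE linearly.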

QUESTION NO: 362 Which of the following utilities can be used in Linux to view a list of users' failed authentication attempts? A. badlog B. faillog C. wronglog D. killlog

Answer: B Explanation: /var/log/faillog is the Linux database of failed user logins, and the faillog utility is what reads it (for example `faillog -a` lists all users and `faillog -u <user>` shows one account). You will find it useful when tracking attempts to break into your system. Two practical caveats: on many current distributions the faillog database is only populated when the corresponding login/PAM tally mechanism is enabled, so it can be empty even after failed logins; the failed attempts are always written as text to the authentication log as well (/var/log/auth.log on Debian-based systems, /var/log/secure on Red Hat-based ones), and `lastb` reads the /var/log/btmp record of bad logins. /var/log/apport.log records application crashes; these can sometimes reveal attempts to compromise the system or the presence of a virus or spyware.
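An added example, not from the question set, of what a practitioner actually does with this log data: tally failed logins per user and per source address from the text authentication log (the sshd line format is the real one; the lines themselves are constructed). The binary faillog database is not parsed here, only the syslog-style lines that accompany it.

```python
# Added example (not from the exam page): tally failed logins from syslog-style
# sshd lines such as those in /var/log/auth.log or /var/log/secure.
# The log lines below are constructed, not captured from a real system.
import re
from collections import Counter, defaultdict

SAMPLE_AUTH_LOG = """\
Mar  3 10:14:01 bastion sshd[2213]: Failed password for root from 203.0.113.5 port 40122 ssh2
Mar  3 10:14:03 bastion sshd[2213]: Failed password for root from 203.0.113.5 port 40123 ssh2
Mar  3 10:14:05 bastion sshd[2215]: Failed password for invalid user admin from 203.0.113.5 port 40124 ssh2
Mar  3 10:15:10 bastion sshd[2220]: Accepted publickey for deploy from 198.51.100.7 port 51234 ssh2: ED25519 SHA256:abc
Mar  3 10:16:44 bastion sshd[2231]: Failed password for alice from 198.51.100.9 port 51300 ssh2
Mar  3 10:16:50 bastion sshd[2231]: Failed password for alice from 198.51.100.9 port 51301 ssh2
Mar  3 10:17:02 bastion sshd[2233]: Accepted password for alice from 198.51.100.9 port 51302 ssh2
"""

# "Failed password for [invalid user ]<user> from <ip> port <n>"; the optional
# "invalid user" prefix marks attempts against accounts that do not exist.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def failed_logins(log_text):
    """Return ({user: failed_count}, {source_ip: set(users tried)})."""
    per_user = Counter()
    per_source = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # successful logins and unrelated daemons are skipped
        per_user[m.group("user")] += 1
        per_source[m.group("src")].add(m.group("user"))
    return per_user, per_source


def suspicious_sources(per_source, min_distinct_users=2):
    """A source that fails against several different accounts looks like a
    password spray or brute-force scan rather than a user's typo."""
    return sorted(src for src, users in per_source.items()
                  if len(users) >= min_distinct_users)


if __name__ == "__main__":
    users, sources = failed_logins(SAMPLE_AUTH_LOG)
    for user, n in users.most_common():
        print(f"{user:10s} {n} failed")
    print("suspicious sources:", suspicious_sources(sources))
```

In the sample, alice's two failures followed by a success are an ordinary mistyped password, while 203.0.113.5 hitting both root and a non-existent admin account is the pattern worth alerting on.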

QUESTION NO: 396 The Chief Information Officer (CIO) wants to implement a redundant server location to which the production server images can be moved within 48 hours and services can be quickly restored, in case of a catastrophic failure of the primary datacenter's HVAC. Which of the following can be implemented? A. Cold site B. Load balancing C. Warm site D. Hot site

Answer: C Explanation: Warm sites provide computer systems and compatible media capabilities. If a warm site is used, administrators and other staff will need to install and configure systems to resume operations. For most organizations, a warm site could be a remote office, a leased facility, or another organization with which yours has a reciprocal agreement.

QUESTION NO: 382 A company replaces a number of devices with a mobile appliance, combining several functions. Which of the following descriptions fits this new implementation? (Select TWO). A. Cloud computing B. Virtualization C. All-in-one device D. Load balancing E. Single point of failure

Answer: C,E Explanation: The disadvantages of combining everything into one device include a potential single point of failure and dependence on one vendor. The all-in-one device represents a single point of failure risk that the company is choosing to take on.

QUESTION NO: 225 Which of the following describes the purpose of an MOU? A. Define interoperability requirements B. Define data backup process C. Define onboard/offboard procedure D. Define responsibilities of each party

Answer: D Explanation: MOU or Memorandum of Understanding is a document outlining which party is responsible for what portion of the work.

QUESTION NO: 280 The helpdesk reports increased calls from clients reporting spikes in malware infections on their systems. Which of the following phases of incident response is MOST appropriate as a FIRST response? A. Recovery B. Follow-up C. Validation D. Identification E. Eradication F. Containment

Answer: D Explanation: Identification comes first. Before you can contain or eradicate anything you need to confirm that an incident is actually under way, which systems are affected, and what kind of malware is involved, since the response differs from one malware type to the next. The helpdesk reports are an indicator; identification turns them into a declared incident with a known scope.

QUESTION NO: 349 After running into the data center with a vehicle, attackers were able to enter through the hole in the building and steal several key servers in the ensuing chaos. Which of the following security measures can be put in place to mitigate the issue from occurring in the future? A. Fencing B. Proximity readers C. Video surveillance D. Bollards

Answer: D Explanation: To stop someone from entering a facility, barricades or gauntlets can be used. These are often used in conjunction with guards, fencing, and other physical security measures. Bollards are physical barriers that are strong enough to withstand impact with a vehicle.

QUESTION NO: 297 Which of the following concepts is a term that directly relates to customer privacy considerations? A. Data handling policies B. Personally identifiable information C. Information classification D. Clean desk policies

Answer: B Explanation: Personally identifiable information (PII) is a catchall for any data that can be used to uniquely identify an individual. This data can be anything from the person's name to a fingerprint (think biometrics), credit card number, or patient record. This has a direct relation to customer privacy considerations.

QUESTION NO: 387 Sara, a security architect, has developed a framework in which several authentication servers work together to increase processing power for an application. Which of the following does this represent? A. Warm site B. Load balancing C. Clustering D. RAID

Answer: C Explanation: Anytime you connect multiple computers to work/act together as a single server, it is known as clustering. Clustered systems utilize parallel processing (improving performance and availability) and add redundancy. Server clustering is used to provide failover capabilities / redundancy in addition to scalability as demand increases.

QUESTION NO: 416 An email client says a digital signature is invalid and the sender cannot be verified. The recipient is concerned with which of the following concepts? A. Integrity B. Availability C. Confidentiality D. Remediation

Answer: A Explanation: A digital signature plays the role that a handwritten signature plays on a document: it lets the recipient verify both that the message is intact and who signed it. The sender computes a hash of the message and signs that hash with their private key; the signature travels with the message, and the recipient verifies it with the sender's public key. If the message or the signature was modified in transit, or the key does not match the sender, verification fails and the client reports that the signature is invalid. Integrity means the message cannot be altered without detection, which is exactly the property this warning is about. Note that signing by itself does not encrypt the message; confidentiality would require separate encryption.

QUESTION NO: 230 An administrator wants to minimize the amount of time needed to perform backups during the week. It is also acceptable to the administrator for restoration to take an extended time frame. Which of the following strategies would the administrator MOST likely implement? A. Full backups on the weekend and incremental during the week B. Full backups on the weekend and full backups every day C. Incremental backups on the weekend and differential backups every day D. Differential backups on the weekend and full backups every day

Answer: A Explanation: A full backup is a complete copy of all files on a disk or server. It is current only at the moment it is performed, and on a large system it is time-consuming, which is why it is scheduled for the weekend. An incremental backup stores only the data that changed since the last backup of any kind (full or incremental). If the full backup runs on Sunday night, Monday's incremental holds only Monday's changes, Tuesday's only Tuesday's, and so on, so each one is small and fast, which is what the administrator wants during the week. The trade-off is on restore: every incremental since the last full must be retained and applied in order, which the administrator has said is acceptable. A system should not be in use during a full backup, since open files may be skipped, and once the system goes back into operation the backup is no longer current.
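An added simulation, not part of the original question set, that makes the trade-off concrete: it tracks which files each strategy copies on each night of a constructed week and how many backup sets a Friday restore has to apply. The file-change history is invented for illustration.

```python
# Added example (not from the exam page): simulate what full, incremental and
# differential schedules copy each night, and what a restore needs.
# The per-day change history is constructed.

# Files modified on each day; Sunday is the full-backup baseline of all files.
CHANGES = {
    "Sun": {"a", "b", "c", "d", "e"},
    "Mon": {"a"},
    "Tue": {"b"},
    "Wed": {"a", "c"},
    "Thu": {"d"},
    "Fri": {"b"},
}
DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri"]


def backup_sets(strategy):
    """Return {day: set_of_files_copied}. Sunday is always a full backup;
    `strategy` ('full', 'incremental' or 'differential') governs Mon..Fri."""
    sets = {}
    since_full = set()  # files changed since the last full (differential state)
    for day in DAYS:
        changed = CHANGES[day]
        if day == "Sun" or strategy == "full":
            sets[day] = set(CHANGES["Sun"])  # everything
            since_full = set()
        elif strategy == "incremental":
            sets[day] = set(changed)         # only since the previous backup of any kind
        elif strategy == "differential":
            since_full |= changed
            sets[day] = set(since_full)      # everything since the last full, growing daily
        else:
            raise ValueError(f"unknown strategy {strategy!r}")
    return sets


def restore_plan(strategy, day):
    """Backup sets that must be applied, in order, to restore the state as of `day`."""
    if strategy == "full":
        return [day]
    if strategy == "differential":
        return ["Sun"] if day == "Sun" else ["Sun", day]
    # incremental: the full plus every incremental up to and including `day`
    return DAYS[: DAYS.index(day) + 1]


def nightly_volume(strategy):
    """Total file copies Mon..Fri, a proxy for time spent in the backup window."""
    return sum(len(files) for d, files in backup_sets(strategy).items() if d != "Sun")


if __name__ == "__main__":
    for strategy in ("full", "incremental", "differential"):
        print(f"{strategy:12s} weekday copies={nightly_volume(strategy):2d}  "
              f"Friday restore needs {restore_plan(strategy, 'Fri')}")
```

With this history the incremental schedule copies the fewest files during the week but needs all six sets to restore Friday, the differential copies more each night but restores from two sets, and nightly fulls copy everything and restore from one.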

QUESTION NO: 348 A security administrator wants to deploy a physical security control to limit an individual's access into a sensitive area. Which of the following should be implemented? A. Guards B. CCTV C. Bollards D. Spike strip

Answer: A Explanation: A guard is both a deterrent and an active control: a guard can check identity, challenge a person and refuse entry. Where the goal is to limit a specific individual's access to a sensitive area, a guard is the most effective of the listed options, since CCTV only records what happened and bollards and spike strips stop vehicles, not people.

QUESTION NO: 205 In order to prevent and detect fraud, which of the following should be implemented? A. Job rotation B. Risk analysis C. Incident management D. Employee evaluations

Answer: A Explanation: A job rotation policy defines intervals at which employees must rotate through positions. Like mandatory vacations, it keeps the company from becoming too dependent on one person, and placing another person in the same job gives the company the opportunity to uncover fraud that the previous incumbent may have committed and concealed.

QUESTION NO: 212 Which of the following risk mitigation strategies will allow Ann, a security analyst, to enforce least privilege principles? A. User rights reviews B. Incident management C. Risk based controls D. Annual loss expectancy

Answer: A Explanation: A least privilege policy should be used when assigning permissions. Give users only the permissions and rights that they need to do their work and no more.

QUESTION NO: 307 Why would a technician use a password cracker? A. To look for weak passwords on the network B. To change a user's passwords when they leave the company C. To enforce password complexity requirements D. To change users passwords if they have forgotten them

Answer: A Explanation: Running a password cracker against the organization's own password hashes is an auditing technique: it exposes weak or guessable passwords so they can be changed before an attacker discovers them. A cracker does not change or reset passwords and does not enforce a complexity policy.

QUESTION NO: 242 An internal auditor is concerned with privilege creep that is associated with transfers inside the company. Which mitigation measure would detect and correct this? A. User rights reviews B. Least privilege and job rotation C. Change management D. Change Control

Answer: A Explanation: A privilege audit (user rights review) determines whether all groups, users and other accounts hold the privileges that organizational policy says they should. Reviewing user rights after an internal transfer reveals whether the account's permissions match the new job description or whether it still carries rights from the old role, which is privilege creep; the review both detects the excess and drives its removal.

QUESTION NO: 370 Ann is starting a disaster recovery program. She has gathered specifics and team members for a meeting on site. Which of the following types of tests is this? A. Structured walkthrough B. Full Interruption test C. Checklist test D. Tabletop exercise

Answer: A Explanation: A structured walkthrough test of a recovery plan involves representatives from each of the functional areas coming together to review the plan to determine if the plan pertaining to their area is accurate and complete and can be implemented when required.

QUESTION NO: 369 Pete, the system administrator, is reviewing his disaster recovery plans. He wishes to limit the downtime in the event of a disaster, but does not have the budget approval to implement or maintain an offsite location that ensures 99.99% availability. Which of the following would be Pete's BEST option? A. Use hardware already at an offsite location and configure it to be quickly utilized. B. Move the servers and data to another part of the company's main campus from the server room. C. Retain data back-ups on the main campus and establish redundant servers in a virtual environment. D. Move the data back-ups to the offsite location, but retain the hardware on the main campus for redundancy.

Answer: A Explanation: A warm site provides some of the capabilities of a hot site, but it requires the customer to do more work to become operational. Warm sites provide computer systems and compatible media capabilities. If a warm site is used, administrators and other staff will need to install and configure systems to resume operations. For most organizations, a warm site could be a remote office, a leased facility, or another organization with which yours has a reciprocal agreement. Warm sites may be for your exclusive use, but they don't have to be. A warm site requires more advanced planning, testing, and access to media for system recovery. Warm sites represent a compromise between a hot site, which is very expensive, and a cold site, which isn't preconfigured.

QUESTION NO: 300 Which of the following helps to apply the proper security controls to information? A. Data classification B. Deduplication C. Clean desk policy D. Encryption

Answer: A Explanation: Information classification is done by confidentiality and typically comprises three categories: public use, internal use and restricted use. Assigning a class to each piece of information makes applying the appropriate policies and security controls practical, because the controls follow the class rather than having to be decided item by item.

QUESTION NO: 191 Joe, a newly hired employee, has a corporate workstation that has been compromised due to several visits to P2P sites. Joe insisted that he was not aware of any company policy that prohibits the use of such web sites. Which of the following is the BEST method to deter employees from the improper use of the company's information systems? A. Acceptable Use Policy B. Privacy Policy C. Security Policy D. Human Resource Policy

Answer: A Explanation: Acceptable use policies (AUPs) describe how the employees in an organization can use company systems and resources, both software and hardware.

QUESTION NO: 437 A cafe provides laptops for Internet access to their customers. The cafe is located in the center corridor of a busy shopping mall. The company has experienced several laptop thefts from the cafe during peak shopping hours of the day. Corporate has asked that the IT department provide a solution to eliminate laptop theft. Which of the following would provide the IT department with the BEST solution? A. Attach cable locks to each laptop B. Require each customer to sign an AUP C. Install a GPS tracking device onto each laptop D. Install security cameras within the perimeter of the café

Answer: A Explanation: Most laptops have a built-in security slot (a Kensington-style slot) into which a cable lock is inserted so the laptop can be anchored to the furniture and cannot easily be removed from the premises. Of the options listed, only the cable lock physically prevents the theft; cameras and GPS tracking only help after the laptop is gone, and an AUP signed by customers deters nobody who intends to steal.

QUESTION NO: 298 Which of the following policies is implemented in order to minimize data loss or theft? A. PII handling B. Password policy C. Chain of custody D. Zero day exploits

Answer: A Explanation: Personally identifiable information (PII) is a catchall for any data that can be used to uniquely identify an individual: a name, a fingerprint (biometrics), a credit card number, a patient record. Although the concept is old, PII has become far more valuable as information technology and the Internet have made it easier to collect through breaches of network, web and browser security, creating a market for stolen PII; criminals also use it to stalk people, steal identities, or plan other crimes. A PII handling policy defines how such data is collected, stored, transmitted and destroyed, and so minimizes the chance of it being lost or stolen.

QUESTION NO: 389 Jane has implemented an array of four servers to accomplish one specific task. This is BEST known as which of the following? A. Clustering B. RAID C. Load balancing D. Virtualization

Answer: A Explanation: Anytime you connect multiple computers to work/act together as a single server, it is known as clustering. Clustered systems utilize parallel processing (improving performance and availability) and add redundancy (but also add costs).

QUESTION NO: 388 Which of the following concepts allows an organization to group large numbers of servers together in order to deliver a common service? A. Clustering B. RAID C. Backup Redundancy D. Cold site

Answer: A Explanation: Clustering is done whenever you connect multiple computers to work and act together as a single server. Clustered systems utilize parallel processing (improving performance and availability) and add redundancy (but also add costs), which is how a large number of servers can be grouped to deliver one common service.

QUESTION NO: 324 A company that purchased an HVAC system for the datacenter is MOST concerned with which of the following? A. Availability B. Integrity C. Confidentiality D. Fire suppression

Answer: A Explanation: Availability means simply to make sure that the data and systems are available for authorized users. Data backups, redundant systems, and disaster recovery plans all support availability; as does environmental support by means of HVAC.

QUESTION NO: 357 In the case of a major outage or business interruption, the security office has documented the expected loss of earnings, potential fines and potential consequence to customer service. Which of the following would include the MOST detail on these objectives? A. Business Impact Analysis B. IT Contingency Plan C. Disaster Recovery Plan D. Continuity of Operations

Answer: A Explanation: Business impact analysis (BIA) is the process of evaluating all of the critical systems in an organization to define impact and recovery plans. BIA isn't concerned with external threats or vulnerabilities; the analysis focuses on the impact a loss would have on the organization. A BIA comprises the following: identifying critical functions, prioritizing critical business functions, calculating a timeframe for critical systems loss, and estimating the tangible impact on the organization.

QUESTION NO: 276 The security manager received a report that an employee was involved in illegal activity and has saved data to a workstation's hard drive. During the investigation, local law enforcement's criminal division confiscates the hard drive as evidence. Which of the following forensic procedures is involved? A. Chain of custody B. System image C. Take hashes D. Order of volatility

Answer: A Explanation: Chain of custody deals with how evidence is secured, where it is stored, and who has access to it. When you begin to collect evidence, you must keep track of that evidence at all times and show who has it, who has seen it, and where it has been.

QUESTION NO: 222 The system administrator notices that their application is no longer able to keep up with the large amounts of traffic their server is receiving daily. Several packets are dropped and sometimes the server is taken offline. Which of the following would be a possible solution to look into to ensure their application remains secure and available? A. Cloud computing B. Full disk encryption C. Data Loss Prevention D. HSM

Answer: A Explanation: Cloud computing means hosting services and data with a provider on the Internet instead of hosting them locally. A provider can add capacity on demand and spread the load across many servers, so the application is no longer limited by a single server that drops packets or goes offline under load. Full disk encryption, DLP and an HSM address confidentiality, not capacity or availability.

QUESTION NO: 254 An employee recently lost a USB drive containing confidential customer data. Which of the following controls could be utilized to minimize the risk involved with the use of USB drives? A. DLP B. Asset tracking C. HSM D. Access control

Answer: A Explanation: Data loss prevention (DLP) systems monitor the contents of systems (workstations, servers, and networks) to make sure that key content is not deleted or removed. They also monitor who is using the data (looking for unauthorized access) and transmitting the data.

QUESTION NO: 255 Which of the following controls would prevent an employee from emailing unencrypted information to their personal email account over the corporate network? A. DLP B. CRL C. TPM D. HSM

Answer: A Explanation: Data loss prevention (DLP) systems monitor the contents of systems (workstations, servers, and networks) to make sure that key content is not deleted or removed. They also monitor who is using the data (looking for unauthorized access) and transmitting the data.

QUESTION NO: 417 A software firm posts patches and updates to a publicly accessible FTP site. The software firm also posts digitally signed checksums of all patches and updates. The firm does this to address: A. Integrity of downloaded software. B. Availability of the FTP site. C. Confidentiality of downloaded software. D. Integrity of the server logs.

Answer: A Explanation: A digital signature lets the downloader verify the integrity of the data and the identity of the signer. Here the firm signs the checksums of its patches and updates: a user computes the checksum of the downloaded file, compares it with the published value, and verifies the signature on the checksum list to confirm that the list really came from the firm. A modified file, or a modified checksum list, fails one of those two checks. The signature does nothing for the availability of the FTP site or for the confidentiality of the (publicly posted) downloads.

QUESTION NO: 288 After a number of highly publicized and embarrassing customer data leaks as a result of social engineering attacks by phone, the Chief Information Officer (CIO) has decided user training will reduce the risk of another data leak. Which of the following would be MOST effective in reducing data leaks in this situation? A. Information Security Awareness B. Social Media and BYOD C. Data Handling and Disposal D. Acceptable Use of IT Systems

Answer: A Explanation: The leaks came from social engineering over the phone, so the training that addresses them directly is information security awareness, which teaches users to recognize pretexting and other manipulation techniques and to verify callers before disclosing customer data. Only users who know how social engineering works can refuse to be talked into leaking data; training on social media and BYOD, data disposal, or acceptable use does not cover this attack.

QUESTION NO: 260 A customer service department has a business need to send high volumes of confidential information to customers electronically. All emails go through a DLP scanner. Which of the following is the BEST solution to meet the business needs and protect confidential information? A. Automatically encrypt impacted outgoing emails B. Automatically encrypt impacted incoming emails C. Monitor impacted outgoing emails D. Prevent impacted outgoing emails

Answer: A Explanation: Encryption protects the confidentiality of data in transit. Since all email already passes through the DLP scanner, and it is the outgoing mail that carries the confidential information, the best option is for the scanner to automatically encrypt the affected outgoing messages: the business need (sending the data) is met and the data is protected. Merely monitoring the messages does not protect them, and blocking them defeats the business need.

QUESTION NO: 403 Several departments within a company have a business need to send high volumes of confidential information to customers via email. Which of the following is the BEST solution to mitigate unintentional exposure of confidential information? A. Employ encryption on all outbound emails containing confidential information. B. Employ exact data matching and prevent inbound emails with Data Loss Prevention. C. Employ hashing on all outbound emails containing confidential information. D. Employ exact data matching and encrypt inbound e-mails with Data Loss Prevention.

Answer: A Explanation: Encryption is used to ensure the confidentiality of information and in this case the outbound email that contains the confidential information should be encrypted.
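An added example serving questions 254, 255, 260 and 403 above (it is not part of the original question set): the kind of rule a DLP scanner applies to outbound mail. It finds Luhn-valid payment card numbers in a message body and returns the action the questions distinguish between, allow, encrypt, or block. The policy, domains and messages are constructed; a real product adds many more detectors and file-type handling.

```python
# Added example (not from the exam page): an outbound-mail DLP rule that looks
# for payment card numbers (Luhn-valid 13-19 digit runs) and decides whether a
# message may leave as-is, must be encrypted, or must be blocked.
# The policy and sample messages are constructed.
import re

# Digit runs with optional single space/dash separators, bounded by non-digits.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit validation: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str):
    """Digit strings that look like card numbers and pass the Luhn check."""
    found = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def dlp_decision(sender_domain: str, recipient: str, body: str, policy: dict) -> str:
    """Return 'allow', 'encrypt' or 'block' for one outbound message."""
    if not find_card_numbers(body):
        return "allow"
    rcpt_domain = recipient.rsplit("@", 1)[-1].lower()
    if rcpt_domain in policy["personal_webmail"]:
        return "block"      # Q255: confidential data never goes to personal accounts
    if rcpt_domain == sender_domain.lower():
        return "allow"      # internal mail stays inside the corporate boundary
    return "encrypt"        # Q260/Q403: customers get the data, but encrypted


POLICY = {"personal_webmail": {"gmail.com", "outlook.com", "yahoo.com"}}

if __name__ == "__main__":
    # Constructed messages. 4111111111111111 is the well-known Visa test number.
    cases = [
        ("pat@gmail.com", "my card is 4111 1111 1111 1111, thanks"),
        ("billing@customer.example", "card on file: 4111-1111-1111-1111"),
        ("ops@corp.example", "chargeback for 4111111111111111"),
        ("billing@customer.example", "order ref 1234567890123456 shipped"),
    ]
    for rcpt, body in cases:
        print(f"{rcpt:28s} -> {dlp_decision('corp.example', rcpt, body, POLICY)}")
```

The last case is why the Luhn step matters: a sixteen-digit order reference fails the checksum and does not trigger the rule. About one in ten random digit runs still passes Luhn, so production rules add context (keywords like "card", "CVV", BIN ranges) before acting.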

QUESTION NO: 303 What is the term for the process of luring someone in (usually done by an enforcement officer or a government agent)? A. Enticement B. Entrapment C. Deceit D. Sting

Answer: A Explanation: Enticement is the process of luring someone into your plan or trap, for example with a honeypot; it is lawful because the person chooses to act. Entrapment, by contrast, is inducing someone to commit a crime they would not otherwise have committed, and evidence gathered that way is generally inadmissible.

QUESTION NO: 327 Which of the following fire suppression systems is MOST likely used in a datacenter? A. FM-200 B. Dry-pipe C. Wet-pipe D. Vacuum

Answer: A Explanation: FM-200 (HFC-227ea) is a clean-agent gas released into the room to suppress a fire. It works mainly by absorbing heat from the flame and interrupting the combustion reaction rather than by displacing oxygen, so it is safe in occupied rooms and leaves no residue; it is inert-gas systems that work by lowering the oxygen concentration. Water-based wet-pipe and dry-pipe sprinklers would damage the equipment, so a gaseous agent such as FM-200 is the preferred choice of suppressant in a data center.

Which of the following concepts describes the use of a one way transformation in order to validate the integrity of a program? A. Hashing B. Key escrow C. Non-repudiation D. Steganography

Answer: A Explanation: Hashing applies a cryptographic hash algorithm to data and produces a fixed-length digest. Its defining characteristics are: it is one-way, so the input cannot be recovered from the output; variable-length input produces fixed-length output, so two characters or two million characters give a digest of the same size; and it is collision resistant, so it must be infeasible to find two different inputs that produce the same output. Comparing the digest of a program with a known-good digest therefore validates the program's integrity.

QUESTION NO: 407 Which of the following functions provides an output which cannot be reversed and converts data into a string of characters? A. Hashing B. Stream ciphers C. Steganography D. Block ciphers

Answer: A Explanation: Hashing runs data through a hash algorithm to produce a fixed-length string of characters (the digest). It is one-way: the output cannot be reversed to recover the input. Stream and block ciphers are reversible by design, since ciphertext must decrypt, and steganography hides data rather than transforming it.
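An added example covering question 417 (signed checksums on a download site) and the two hashing questions above; it is not part of the original question set. It verifies downloaded files against a SHA256SUMS-style list in the format sha256sum writes, and detects a file that was changed after the list was published. The file contents and list are constructed here; the signature over the list itself, which is what binds it to the publisher, is a separate step done with a signing tool (for example `gpg --verify SHA256SUMS.asc SHA256SUMS`) and is not reproduced in this block.

```python
# Added example (not from the exam page): verify downloaded files against a
# published SHA-256 checksum list. The file bytes and the SHA256SUMS text are
# constructed; the digests in the list are computed from those bytes.
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """One-way, fixed-length (64 hex chars) digest of arbitrary-length input."""
    return hashlib.sha256(data).hexdigest()


def parse_sums(text: str) -> dict:
    """Parse '<hexdigest>  <filename>' lines as written by sha256sum."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        sums[name.strip().lstrip("*")] = digest.lower()   # '*' marks binary mode
    return sums


def verify(files: dict, sums_text: str) -> dict:
    """Return {filename: 'OK' | 'FAILED' | 'NO CHECKSUM'} for each downloaded file."""
    expected = parse_sums(sums_text)
    result = {}
    for name, data in files.items():
        if name not in expected:
            result[name] = "NO CHECKSUM"      # unlisted file: nothing to trust
            continue
        # constant-time comparison is cheap hygiene even for public digests
        ok = hmac.compare_digest(sha256_hex(data), expected[name])
        result[name] = "OK" if ok else "FAILED"
    return result


# Constructed "published" artifacts and what the client actually downloaded.
GOOD_PATCH = b"patch-1.2.3 contents\n"
SUMS = "\n".join([
    f"{sha256_hex(GOOD_PATCH)}  patch-1.2.3.tar.gz",
    f"{sha256_hex(b'hotfix-7 contents')}  hotfix-7.bin",
])
DOWNLOADS = {
    "patch-1.2.3.tar.gz": GOOD_PATCH,
    "hotfix-7.bin": b"hotfix-7 contents" + b"\x90",  # one byte appended in transit
    "unknown.bin": b"not listed anywhere",
}

if __name__ == "__main__":
    for name, status in verify(DOWNLOADS, SUMS).items():
        print(f"{name:22s} {status}")
```

A single appended byte changes the entire digest, which is the integrity property the firm is relying on; the list's own signature is what stops an attacker who controls the FTP site from simply re-publishing matching checksums for a trojaned patch.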

QUESTION NO: 379 A network administrator recently updated various network devices to ensure redundancy throughout the network. If an interface on any of the Layer 3 devices were to go down, traffic will still pass through another interface and the production environment would be unaffected. This type of configuration represents which of the following concepts? A. High availability B. Load balancing C. Backout contingency plan D. Clustering

Answer: A Explanation: High availability (HA) refers to the measures used to keep services and systems operational during an outage. In short, the goal is to provide all services to all users, where they need them and when they need them. With high availability, the goal is to have key services available 99.999 percent of the time (also known as five nines availability).

QUESTION NO: 226 A company has decided to move large data sets to a cloud provider in order to limit the costs of new infrastructure. Some of the data is sensitive and the Chief Information Officer wants to make sure both parties have a clear understanding of the controls needed to protect the data. Which of the following types of interoperability agreement is this? A. ISA B. MOU C. SLA D. BPA

Answer: A Explanation: An ISA (Interconnection Security Agreement) is an agreement between two organizations whose systems are connected. It documents the technical and security requirements of the connection, including the controls each party must apply to the data that crosses it, which is the shared understanding the CIO is asking for.

QUESTION NO: 427 Some customers have reported receiving an untrusted certificate warning when visiting the company's website. The administrator ensures that the certificate is not expired and that customers have trusted the original issuer of the certificate. Which of the following could be causing the problem? A. The intermediate CA certificates were not installed on the server. B. The certificate is not the correct type for a virtual server. C. The encryption key used in the certificate is too short. D. The client's browser is trying to negotiate SSL instead of TLS.

Answer: A Explanation: In a hierarchical (tree) trust model a root CA sits at the top and issues certificates to intermediate CAs, which in turn issue the end-entity certificates used by web servers. Browsers trust the root, not the intermediates, so to validate the server's certificate they must build a chain from it back to a trusted root. If the server sends only its own certificate and not the intermediate CA certificates, clients that have not already cached that intermediate cannot complete the chain and show an untrusted-certificate warning, even though the certificate is unexpired and its root is trusted. The fix is to install the full chain (leaf plus intermediates) on the server; `openssl s_client -connect <host>:443 -showcerts` shows exactly which certificates the server is sending.

QUESTION NO: 418 It is important to staff who use email messaging to provide PII to others on a regular basis to have confidence that their messages are not intercepted or altered during transmission. They are concerned about which of the following types of security control? A. Integrity B. Safety C. Availability D. Confidentiality

Answer: A Explanation: Integrity means that messages and data are not altered in transit, and that the recipient can detect any change; it is the control that gives staff confidence that the PII they send arrives as written. PII (personally identifiable information) is any data that can uniquely identify an individual. Strictly, the worry that messages are intercepted is a confidentiality concern and the worry that they are altered is an integrity concern; the exam key treats alteration as the deciding point, and in practice both are addressed together by signing and encrypting the mail (for example with S/MIME).

QUESTION NO: 248 Which of the following security account management techniques should a security analyst implement to prevent staff, who has switched company roles, from exceeding privileges? A. Internal account audits B. Account disablement C. Time of day restriction D. Password complexity

Answer: A Explanation: Internal account audits review each account's privileges after a role change and move users to the accounts and group memberships their new role requires while removing those of the old role, which keeps the principle of least privilege in force. Disablement, time-of-day restrictions and password complexity do nothing about rights carried over from a previous role.

QUESTION NO: 197 Mandatory vacations are a security control which can be used to uncover which of the following? A. Fraud committed by a system administrator B. Poor password security among users C. The need for additional security staff D. Software vulnerabilities in vendor code

Answer: A Explanation: Besides giving employees a chance to refresh and ensuring that others in the company can fill their positions (so the company is less dependent on any one person, a sort of replication and duplication at all levels), mandatory vacations provide an opportunity to discover fraud: a scheme that needs daily attention from a system administrator comes to light when someone else covers the role.

QUESTION NO: 318 Which of the following is a security risk regarding the use of public P2P as a method of collaboration? A. Data integrity is susceptible to being compromised. B. Monitoring data changes induces a higher cost. C. Users are not responsible for data usage tracking. D. Limiting the amount of necessary space for data storage.

Answer: A Explanation: Peer-to-peer (P2P) networking is commonly used to share files such as movies and music, but you must not allow users to bring in devices and create their own little networks. All networking must be done through administrators and not on a P2P basis. Data integrity can easily be compromised when using public P2P networking.

QUESTION NO: 320 The use of social networking sites introduces the risk of: A. Disclosure of proprietary information B. Data classification issues C. Data availability issues D. Broken chain of custody

Answer: A Explanation: People and processes must be in place to prevent the unauthorized disclosure of proprietary and sensitive information, since such disclosure is a direct security risk to the company. With social networking, the company is exposed to as many potential leaks as it has users on those sites who have not been advised of the security policy on their use.

QUESTION NO: 296 End-user awareness training for handling sensitive personally identifiable information would include secure storage and transmission of customer: A. Date of birth. B. First and last name. C. Phone number. D. Employer name.

Answer: A Explanation: Personally identifiable information (PII) is a catchall for any data that can be used to uniquely identify an individual. This data can be anything from the person's name to a fingerprint (think biometrics), credit card number, or patient record. Date of birth is personally identifiable information.

QUESTION NO: 386 Which of the following provides the LEAST availability? A. RAID 0 B. RAID 1 C. RAID 3 D. RAID 5

Answer: A Explanation: RAID (redundant array of independent disks) lets a server use more than one hard drive so that, for most levels, the system keeps functioning if a drive fails. RAID 0 is disk striping: it maps multiple drives together into a single logical drive purely for performance, with no parity or mirroring. If any drive in a RAID 0 array fails the whole logical drive becomes unusable, so RAID 0 actually provides lower availability than a single disk. RAID 1 (mirroring), RAID 3 (striping with a dedicated parity disk) and RAID 5 (striping with distributed parity) all survive the loss of one disk.
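An added example, not from the question set, that puts numbers on the availability claims in questions 379 and 386 (and the 99.99% figure in question 369): the downtime a given number of nines allows, and the series/parallel formulas that explain why RAID 0 has the least availability and why a redundant path raises it. The per-component availabilities are constructed; the formulas are the standard ones for independent components.

```python
# Added example (not from the exam page): availability arithmetic behind
# "five nines", redundant links and RAID levels. Component availabilities are
# constructed; failures are assumed independent.
from math import comb

MINUTES_PER_YEAR = 365 * 24 * 60


def downtime_minutes_per_year(availability: float) -> float:
    """Allowed downtime for a target such as 0.99999 (five nines)."""
    return (1.0 - availability) * MINUTES_PER_YEAR


def series(*parts: float) -> float:
    """All parts must work: a RAID 0 stripe, or a single chain of devices."""
    a = 1.0
    for p in parts:
        a *= p
    return a


def parallel(*parts: float) -> float:
    """Any one part is enough: a RAID 1 mirror, or redundant Layer 3 paths."""
    down = 1.0
    for p in parts:
        down *= 1.0 - p
    return 1.0 - down


def raid5_availability(disk: float, n: int) -> float:
    """RAID 5 survives any single disk loss: P(no failures) + P(exactly one)."""
    return disk ** n + comb(n, 1) * disk ** (n - 1) * (1.0 - disk)


if __name__ == "__main__":
    for nines in (0.999, 0.9999, 0.99999):
        print(f"{nines:.5f} allows {downtime_minutes_per_year(nines):8.2f} min/year")
    d = 0.99  # constructed: each disk or link is up 99% of the time
    print(f"RAID 0 (2 disks, series):   {series(d, d):.6f}")
    print(f"RAID 5 (3 disks):           {raid5_availability(d, 3):.6f}")
    print(f"RAID 1 (2 disks, parallel): {parallel(d, d):.6f}")
    print(f"one 99% link vs two in parallel: {d:.4f} -> {parallel(d, d):.4f}")
```

Five nines is only about 5.3 minutes of downtime a year, which is why it needs the redundant paths of question 379 rather than a single well-maintained device; and two 99% disks striped (RAID 0) are available only 98.01% of the time, below a single disk, while mirrored they reach 99.99%.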

QUESTION NO: 243 A security administrator is responsible for performing periodic reviews of user permission settings due to high turnover and internal transfers at a corporation. Which of the following BEST describes the procedure and security rationale for performing such reviews? A. Review all user permissions and group memberships to ensure only the minimum set of permissions required to perform a job is assigned. B. Review the permissions of all transferred users to ensure new permissions are granted so the employee can work effectively. C. Ensure all users have adequate permissions and appropriate group memberships, so the volume of help desk calls is reduced. D. Ensure former employee accounts have no permissions so that they cannot access any network file stores and resources.

Answer: A Explanation: Reviewing user permissions and group memberships is the core of a privilege audit, which determines that all groups, users and other accounts have only the privileges corporate policy says they should have. Turnover and transfers are exactly the events that leave accounts with more rights than the current job needs, so the review is framed around least privilege, not around granting more access or reducing help desk calls.
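An added example that serves questions 212, 242, 248 and 243 above (it is not part of the original question set): a user rights review that compares each account's current group memberships with what its current role entitles it to and reports the excess. The role-to-group matrix and the directory state are constructed; in a real review the accounts and groups would be pulled from the directory and the entitlements from HR's role definitions.

```python
# Added example (not from the exam page): a user rights review that compares each
# account's group memberships with the entitlements of its current role.
# Roles, groups and accounts are constructed for illustration.

# What each role is entitled to (the least-privilege baseline).
ROLE_GROUPS = {
    "helpdesk": {"helpdesk-staff", "ticketing-users"},
    "finance":  {"finance-staff", "erp-users"},
    "sysadmin": {"server-admins", "vpn-users"},
}

# Current directory state. Bob transferred from finance to helpdesk and kept his
# old memberships (privilege creep); Carol has left and should hold nothing.
ACCOUNTS = {
    "alice": {"role": "sysadmin", "active": True,
              "groups": {"server-admins", "vpn-users"}},
    "bob":   {"role": "helpdesk", "active": True,
              "groups": {"helpdesk-staff", "ticketing-users", "finance-staff", "erp-users"}},
    "carol": {"role": "finance",  "active": False,
              "groups": {"finance-staff"}},
    "dave":  {"role": "helpdesk", "active": True,
              "groups": {"helpdesk-staff"}},
}


def review_rights(accounts, role_groups):
    """Return {user: {"excess": set, "missing": set}} for accounts needing a change.
    Inactive accounts are entitled to nothing, so every group they hold is excess.
    'missing' is reported for completeness; 'excess' is what the review removes."""
    findings = {}
    for user, acct in accounts.items():
        entitled = role_groups.get(acct["role"], set()) if acct["active"] else set()
        excess = acct["groups"] - entitled
        missing = entitled - acct["groups"]
        if excess or missing:
            findings[user] = {"excess": excess, "missing": missing}
    return findings


if __name__ == "__main__":
    for user, f in review_rights(ACCOUNTS, ROLE_GROUPS).items():
        print(f"{user:6s} remove={sorted(f['excess'])} add={sorted(f['missing'])}")
```

Alice, whose memberships match her role exactly, does not appear in the findings; Bob's finance groups are the privilege creep the auditor in question 242 is concerned about, and Carol's leftover group is the account-disablement gap.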

QUESTION NO: 244 Various network outages have occurred recently due to unapproved changes to network and security devices. All changes were made using various system credentials. The security analyst has been tasked to update the security policy. Which of the following risk mitigation strategies would also need to be implemented to reduce the number of network outages due to unauthorized changes? A. User rights and permissions review B. Configuration management C. Incident management D. Implement security controls on Layer 3 devices

Answer: A Explanation: Reviewing user rights and permissions can be used to determine that all groups, users, and other accounts have the appropriate privileges assigned according to the policies of the corporation and their job descriptions. Reviewing user rights and permissions will also afford the security analyst the opportunity to put the principle of least privilege into practice as well as to update the security policy.

QUESTION NO: 199 A company that has a mandatory vacation policy has implemented which of the following controls? A. Risk control B. Privacy control C. Technical control D. Physical control

Answer: A Explanation: Risk mitigation is done anytime you take steps to reduce risks. Thus mandatory vacation implementation is done as a risk control measure because it is a step that is taken as risk mitigation.

QUESTION NO: 347 Due to issues with building keys being duplicated and distributed, a security administrator wishes to change to a different security control regarding a restricted area. The goal is to provide access based upon facial recognition. Which of the following will address this requirement? A. Set up mantraps to avoid tailgating of approved users. B. Place a guard at the entrance to approve access. C. Install a fingerprint scanner at the entrance. D. Implement proximity readers to scan users' badges.

Answer: B Explanation: A guard who can be instructed to deny access until authentication has occurred will address the situation adequately.

QUESTION NO: 284 A server dedicated to the storage and processing of sensitive information was compromised with a rootkit and sensitive data was extracted. Which of the following incident response procedures is best suited to restore the server? A. Wipe the storage, reinstall the OS from original media and restore the data from the last known good backup. B. Keep the data partition, restore the OS from the most current backup and run a full system antivirus scan. C. Format the storage and reinstall both the OS and the data from the most current backup. D. Erase the storage, reinstall the OS from most current backup and only restore the data that was not compromised.

Answer: A Explanation: Rootkits are software programs that have the ability to hide certain things from the operating system. With a rootkit, there may be a number of processes running on a system that do not show up in Task Manager or connections established or available that do not appear in a netstat display—the rootkit masks the presence of these items. The rootkit is able to do this by manipulating function calls to the operating system and filtering out information that would normally appear. Theoretically, rootkits could hide anywhere that there is enough memory to reside: video cards, PCI cards, and the like. The best way to handle this situation is to wipe the server and reinstall the operating system with the original installation disks and then restore the extracted data from your last known good backup. This way you can eradicate the rootkit and restore the data.

QUESTION NO: 291 The method to provide end users of IT systems and applications with requirements related to acceptable use, privacy, new threats and trends, and use of social networking is: A. Security awareness training. B. BYOD security training. C. Role-based security training. D. Legal compliance training.

Answer: A Explanation: Security awareness and training are critical to the success of a security effort. They include explaining policies, procedures, and current threats to both users and management.

QUESTION NO: 209 Everyone in the accounting department has the ability to print and sign checks. Internal audit has asked that only one group of employees may print checks while only two other employees may sign the checks. Which of the following concepts would enforce this process? A. Separation of Duties B. Mandatory Vacations C. Discretionary Access Control D. Job Rotation

Answer: A Explanation: Separation of duties means that users are granted only the permissions they need to do their work and no more.

QUESTION NO: 377 Pete, the Chief Executive Officer (CEO) of a company, has increased his travel plans for the next two years to improve business relations. Which of the following would need to be in place in case something happens to Pete? A. Succession planning B. Disaster recovery C. Separation of duty D. Removing single loss expectancy

Answer: A Explanation: Succession planning outlines those internal to the organization who have the ability to step into positions when they open. By identifying key roles that cannot be left unfilled and associating internal employees who can step into these roles, you can groom those employees to make sure that they are up to speed when it comes time for them to fill those positions.

QUESTION NO: 414 Matt, a forensic analyst, wants to obtain the digital fingerprint for a given message. The message is 160 bits long. Which of the following hashing methods would Matt have to use to obtain this digital fingerprint? A. SHA1 B. MD2 C. MD4 D. MD5

Answer: A Explanation: The Secure Hash Algorithm (SHA) was designed to ensure the integrity of a message. SHA is a one-way hash that provides a hash value that can be used with an encryption protocol. This algorithm produces a 160-bit hash value. SHA (1 or 2) is preferred over Message Digest Algorithm.

QUESTION NO: 193 A major security risk with co-mingling of hosts with different security requirements is: A. Security policy violations. B. Zombie attacks. C. Password compromises. D. Privilege creep.

Answer: A Explanation: The entire network is only as strong as the weakest host. Thus co-mingling hosts with different security requirements risks security policy violations.

QUESTION NO: 332 The datacenter design team is implementing a system which requires all servers installed in racks to face in a predetermined direction. An infrared camera will be used to verify that servers are properly racked. Which of the following datacenter elements is being designed? A. Hot and cold aisles B. Humidity control C. HVAC system D. EMI shielding

Answer: A Explanation: There are often multiple rows of servers located in racks in server rooms. The rows of servers are known as aisles, and they can be cooled as hot aisles and cold aisles. With a hot aisle, hot air outlets are used to cool the equipment, whereas with cold aisles, cold air intake is used to cool the equipment. Combining the two, you have cold air intake from below the aisle and hot air outtake above it, providing constant circulation. Infrared cameras are heat detection devices; thus the element being designed is the hot and cold aisle layout.

QUESTION NO: 354 An advantage of virtualizing servers, databases, and office applications is: A. Centralized management. B. Providing greater resources to users. C. Stronger access control. D. Decentralized management.

Answer: A Explanation: Virtualization consists of allowing one set of hardware to host multiple virtual machines, and in the case of software and applications one host is all that is required. This makes centralized management a better prospect.

QUESTION NO: 188 Which of the following is an example of a false negative? A. The IDS does not identify a buffer overflow. B. Anti-virus identifies a benign application as malware. C. Anti-virus protection interferes with the normal operation of an application. D. A user account is locked out after the user mistypes the password too many times.

Answer: A Explanation: With a false negative, you are not alerted to a situation when you should be alerted.

QUESTION NO: 430 An administrator has successfully implemented SSL on srv4.comptia.com using wildcard certificate *.comptia.com, and now wishes to implement SSL on srv5.comptia.com. Which of the following files should be copied from srv4 to accomplish this? A. certificate, private key, and intermediate certificate chain B. certificate, intermediate certificate chain, and root certificate C. certificate, root certificate, and certificate signing request D. certificate, public key, and certificate signing request

Answer: A Explanation: A wildcard certificate is a public key certificate which can be used with multiple subdomains of a domain. In public-key cryptography, the receiver has a private key known only to them; a public key corresponds to it, which they make known to others. The public key can be sent to all other parties; the private key is never divulged. A symmetric algorithm requires that receivers of the message use the same private key. Thus you should copy the certificate, the private key and the intermediate certificate chain from srv4 to srv5.

QUESTION NO: 371 When a communications plan is developed for disaster recovery and business continuity plans, the MOST relevant items to include would be: (Select TWO). A. Methods and templates to respond to press requests, institutional and regulatory reporting requirements. B. Methods to exchange essential information to and from all response team members, employees, suppliers, and customers. C. Developed recovery strategies, test plans, post-test evaluation and update processes. D. Defined scenarios by type and scope of impact and dependencies, with quantification of loss potential. E. Methods to review and report on system logs, incident response, and incident handling

Answer: A,B Explanation: A: External emergency communications that should fit into your business continuity plan include notifying family members of an injury or death, discussing the disaster with the media, and providing status information to key clients and stakeholders. Each message needs to be prepared with the audience (e.g., employees, media, families, government regulators) in mind; broad general announcements may be acceptable in the initial aftermath of an incident, but these will need to be tailored to the audiences in subsequent releases. B: A typical emergency communications plan should be extensive in detail and properly planned by a business continuity planner. Internal alerts are sent using either email, overhead building paging systems, voice messages or text messages to cell/smartphones with instructions to evacuate the building and relocate at assembly points, updates on the status of the situation, and notification of when it's safe to return to work.

QUESTION NO: 190 Joe, a security analyst, asks each employee of an organization to sign a statement saying that they understand how their activities may be monitored. Which of the following BEST describes this statement? (Select TWO). A. Acceptable use policy B. Risk acceptance policy C. Privacy policy D. Email policy E. Security policy

Answer: A,C Explanation: Privacy policies define what controls are required to implement and maintain the sanctity of data privacy in the work environment. Privacy policy is a legal document that outlines how data collected is secured. It should encompass information regarding the information the company collects, privacy choices you have based on your account, potential information sharing of your data with other parties, security measures in place, and enforcement. Acceptable use policies (AUPs) describe how the employees in an organization can use company systems and resources, both software and hardware.

QUESTION NO: 285 In the initial stages of an incident response, Matt, the security administrator, was provided the hard drives in question from the incident manager. Which of the following incident response procedures would he need to perform in order to begin the analysis? (Select TWO). A. Take hashes B. Begin the chain of custody paperwork C. Take screen shots D. Capture the system image E. Decompile suspicious files

Answer: A,D Explanation: A: Take Hashes. NIST (the National Institute of Standards and Technology) maintains a National Software Reference Library (NSRL). One of the purposes of the NSRL is to collect "known, traceable software applications" through their hash values and store them in a Reference Data Set (RDS). The RDS can then be used by law enforcement, government agencies, and businesses to determine which files are important as evidence in criminal investigations. D: A system image is a snapshot of what exists. Capturing an image of the operating system in its exploited state can be helpful in revisiting the issue after the fact to learn more about it.

QUESTION NO: 426 Certificates are used for: (Select TWO). A. Client authentication. B. WEP encryption. C. Access control lists. D. Code signing. E. Password hashing.

Answer: A,D Explanation: Certificates are used in PKI to digitally sign data, information, files, email, code, etc. Certificates are also used in PKI for client authentication.

QUESTION NO: 423 Joe, a user, wants to send an encrypted email to Ann. Which of the following will Ann need to use to verify the validity of Joe's certificate? (Select TWO). A. The CA's public key B. Joe's private key C. Ann's public key D. The CA's private key E. Joe's public key F. Ann's private key

Answer: A,E Explanation: Joe wants to send a message to Ann. It's important that this message not be altered. Joe will use the private key to create a digital signature. The message is, in effect, signed with the private key. Joe then sends the message to Ann. Ann will use the public key attached to the message to validate the digital signature. If the values match, Ann knows the message is authentic and came from Joe. Ann will use a key provided by Joe—the public key—to decrypt the message. Most digital signature implementations also use a hash to verify that the message has not been altered, intentionally or accidentally, in transit. Thus Ann would compare the signature area referred to as a message in the message with the calculated value digest (her private key in this case). If the values match, the message hasn't been tampered with and the originator is verified as the person they claim to be. This process provides message integrity, nonrepudiation, and authentication. A certificate authority (CA) is an organization that is responsible for issuing, revoking, and distributing certificates. A certificate is nothing more than a mechanism that associates the public key with an individual. If Joe wants to send Ann an encrypted e-mail, there should be a mechanism to verify to Ann that the message received from Mike is really from Joe. If a third party (the CA) vouches for Joe and Ann trusts that third party, Ann can assume that the message is authentic because the third party says so.

QUESTION NO: 309 The manager has a need to secure physical documents every night, since the company began enforcing the clean desk policy. The BEST solution would include: (Select TWO). A. Fire- or water-proof safe. B. Department door locks. C. Proximity card. D. 24-hour security guard. E. Locking cabinets and drawers.

Answer: A,E Explanation: Using a safe and locking cabinets to protect backup media, documentation, and any other physical artifacts that could do harm if they fell into the wrong hands would form part of keeping employees' desks clean, as required by a clean desk policy.

QUESTION NO: 372 After a production outage, which of the following documents contains detailed information on the order in which the system should be restored to service? A. Succession planning B. Disaster recovery plan C. Information security plan D. Business impact analysis

Answer: B Explanation: A disaster-recovery plan, or scheme, helps an organization respond effectively when a disaster occurs. Disasters may include system failure, network failure, infrastructure failure, and natural disaster. The primary emphasis of such a plan is reestablishing services and minimizing losses.

QUESTION NO: 411 An Information Systems Security Officer (ISSO) has been placed in charge of a classified peer-to-peer network that cannot connect to the Internet. The ISSO can update the antivirus definitions manually, but which of the following steps is MOST important? A. A full scan must be run on the network after the DAT file is installed. B. The signatures must have a hash value equal to what is displayed on the vendor site. C. The definition file must be updated within seven days. D. All users must be logged off of the network prior to the installation of the definition file.

Answer: B Explanation: A hash value can be used to uniquely identify secret information. This requires that the hash function is collision resistant, which means that it is very hard to find two different inputs that generate the same hash value; in other words, hashing two different inputs will not yield the same output. Thus the hash value must be equal to that displayed on the vendor site.

QUESTION NO: 394 Which of the following disaster recovery strategies has the highest cost and shortest recovery time? A. Warm site B. Hot site C. Cold site D. Co-location site

Answer: B Explanation: A hot site is a location that can provide operations within hours of a failure. This type of site would have servers, networks, and telecommunications equipment in place to reestablish service in a short time. Hot sites provide network connectivity, systems, and preconfigured software to meet the needs of an organization. Databases can be kept up-to-date using network connections. These types of facilities are expensive, and they're primarily suitable for short-term situations.

QUESTION NO: 203 A software developer is responsible for writing the code on an accounting application. Another software developer is responsible for developing code on a system in human resources. Once a year they have to switch roles for several weeks. Which of the following practices is being implemented? A. Mandatory vacations B. Job rotation C. Least privilege D. Separation of duties

Answer: B Explanation: A job rotation policy defines intervals at which employees must rotate through positions.

QUESTION NO: 204 Which of the following types of risk reducing policies also has the added indirect benefit of cross training employees when implemented? A. Least privilege B. Job rotation C. Mandatory vacations D. Separation of duties

Answer: B Explanation: A job rotation policy defines intervals at which employees must rotate through positions. Similar in purpose to mandatory vacations, it helps to ensure that the company does not become too dependent on one person and it does afford the company with the opportunity to place another person in that same job.

QUESTION NO: 201 A company is looking to reduce the likelihood of employees in the finance department being involved with money laundering. Which of the following controls would BEST mitigate this risk? A. Implement privacy policies B. Enforce mandatory vacations C. Implement a security policy D. Enforce time of day restrictions

Answer: B Explanation: A mandatory vacation policy requires all users to take time away from work to refresh. At the same time it gives the company a chance to make sure that others can fill in any gaps in skills, satisfies the need for replication or duplication at all levels, and affords the company an opportunity to discover fraud, because when others do the same job in the absence of the regular staff member there is transparency.

QUESTION NO: 268 A security technician wishes to gather and analyze all Web traffic during a particular time period. Which of the following represents the BEST approach to gathering the required data? A. Configure a VPN concentrator to log all traffic destined for ports 80 and 443. B. Configure a proxy server to log all traffic destined for ports 80 and 443. C. Configure a switch to log all traffic destined for ports 80 and 443. D. Configure a NIDS to log all traffic destined for ports 80 and 443.

Answer: B Explanation: A proxy server is in essence a device that acts on behalf of others and in security terms all internal user interaction with the Internet should be controlled through a proxy server. This makes a proxy server the best tool to gather the required data.

QUESTION NO: 429 A certificate used on an ecommerce web server is about to expire. Which of the following will occur if the certificate is allowed to expire? A. The certificate will be added to the Certificate Revocation List (CRL). B. Clients will be notified that the certificate is invalid. C. The ecommerce site will not function until the certificate is renewed. D. The ecommerce site will no longer use encryption.

Answer: B Explanation: A similar process to certificate revocation will occur when a certificate is allowed to expire. Notification will be sent out to clients of the invalid certificate. The process of revoking a certificate begins when the CA is notified that a particular certificate needs to be revoked. This must be done whenever the private key becomes known. The owner of a certificate can request that it be revoked at any time, or the administrator can make the request.

QUESTION NO: 265 Computer evidence at a crime is preserved by making an exact copy of the hard disk. Which of the following does this illustrate? A. Taking screenshots B. System image capture C. Chain of custody D. Order of volatility

Answer: B Explanation: A system image would be a snapshot of what exists at the moment. Thus capturing an image of the operating system in its exploited state can be helpful in revisiting the issue after the fact to learn more about it.

QUESTION NO: 317 Pete, the system administrator, has blocked users from accessing social media web sites. In addition to protecting company information from being accidentally leaked, which additional security benefit does this provide? A. No competition with the company's official social presence B. Protection against malware introduced by banner ads C. Increased user productivity based upon fewer distractions D. Elimination of risks caused by unauthorized P2P file sharing

Answer: B Explanation: Banner, or header, information messages sent with data to find out about the system(s) do happen. Banners often identify the host, the operating system running on it, and other information that can be useful if you are going to attempt to later breach the security of it.

QUESTION NO: 304 In which of the following categories would creating a corporate privacy policy, drafting acceptable use policies, and group based access control be classified? A. Security control frameworks B. Best practice C. Access control methodologies D. Compliance activity

Answer: B Explanation: Best practices are based on what is known in the industry and those methods that have consistently shown superior results over those achieved by other means. Furthermore best practices are applied to all aspects in the work environment.

QUESTION NO: 424 A user was reissued a smart card after the previous smart card had expired. The user is able to log into the domain but is now unable to send digitally signed or encrypted email. Which of the following would the user need to perform? A. Remove all previous smart card certificates from the local certificate store. B. Publish the new certificates to the global address list. C. Make the certificates available to the operating system. D. Recover the previous smart card certificates.

Answer: B Explanation: CAs can be either private or public, with VeriSign being one of the best known of the public variety. Many operating system providers allow their systems to be configured as CA systems. These CA systems can be used to generate internal certificates that are used within a business or in large external settings. The process provides certificates to the users. Since the user in question has been re-issued a smart card, the user must receive a new certificate by the CA to allow the user to send digitally signed email. This is achieved by publishing the new certificates to the global address list.

QUESTION NO: 277 Which of the following is the MOST important step for preserving evidence during forensic procedures? A. Involve law enforcement B. Chain of custody C. Record the time of the incident D. Report within one hour of discovery

Answer: B Explanation: Chain of custody deals with how evidence is secured, where it is stored, and who has access to it. When you begin to collect evidence, you must keep track of that evidence at all times and show who has it, who has seen it, and where it has been. The evidence must always be within your custody, or you're open to dispute about possible evidence tampering. Thus to preserve evidence during a forensic procedure the chain of custody is of utmost importance.

QUESTION NO: 235 Which of the following MOST specifically defines the procedures to follow when scheduled system patching fails resulting in system outages? A. Risk transference B. Change management C. Configuration management D. Access control revalidation

Answer: B Explanation: Change Management is a risk mitigation approach and refers to the structured approach that is followed to secure a company's assets. In this case 'scheduled system patching'.

QUESTION NO: 308 Which of the following security concepts would Sara, the security administrator, use to mitigate the risk of data loss? A. Record time offset B. Clean desk policy C. Cloud computing D. Routine log review

Answer: B Explanation: Clean desk policy: Information on a desk—in terms of printouts, pads of note paper, sticky notes, and the like—can be easily seen by prying eyes and taken by thieving hands. To protect data and your business, encourage employees to maintain clean desks and to leave out only those papers that are relevant to the project they are working on at that moment. All sensitive information should be put away when the employee is away from their desk. This will mitigate the risk of data loss when applied.

QUESTION NO: 381 The main corporate website has a service level agreement that requires availability 100% of the time, even in the case of a disaster. Which of the following would be required to meet this demand? A. Warm site implementation for the datacenter B. Geographically disparate site redundant datacenter C. Localized clustering of the datacenter D. Cold site implementation for the datacenter

Answer: B Explanation: Data backups, redundant systems, and disaster recovery plans all support availability. In this case a geographically disparate site redundant datacenter provides 100% availability regardless of whether a disaster event occurs.

QUESTION NO: 253 Matt, a security analyst, needs to implement encryption for company data and also prevent theft of company data. Where and how should Matt meet this requirement? A. Matt should implement access control lists and turn on EFS. B. Matt should implement DLP and encrypt the company database. C. Matt should install Truecrypt and encrypt the company server. D. Matt should install TPMs and encrypt the company database.

Answer: B Explanation: Data loss prevention (DLP) systems monitor the contents of systems (workstations, servers, and networks) to make sure that key content is not deleted or removed. They also monitor who is using the data (looking for unauthorized access) and transmitting the data. Encryption is used to protect data.

QUESTION NO: 257 Which of the following assets is MOST likely considered for DLP? A. Application server content B. USB mass storage devices C. Reverse proxy D. Print server

Answer: B Explanation: Data loss prevention (DLP) systems monitor the contents of systems (workstations, servers, and networks) to make sure that key content is not deleted or removed. They also monitor who is using the data (looking for unauthorized access) and transmitting the data. A USB presents the most likely device to be used to steal data because of its physical size.

QUESTION NO: 221 Elastic cloud computing environments often reuse the same physical hardware for multiple customers over time as virtual machines are instantiated and deleted. This has important implications for which of the following data security concerns? A. Hardware integrity B. Data confidentiality C. Availability of servers D. Integrity of data

Answer: B Explanation: Data that is not kept separate or segregated may have its confidentiality compromised. Be aware of the fact that your data is only as safe as the data with which it is integrated. For example, assume that your client database is hosted on a server that another company is also using to test an application that they are creating. If their application obtains root-level access at some point (such as to change passwords) and crashes at that point, then the user running the application could be left with root permissions and conceivably be able to access data on the server for which they are not authorized, such as your client database. Data segregation is crucial; keep your data on secure servers.

QUESTION NO: 404 After recovering from a data breach in which customer data was lost, the legal team meets with the Chief Security Officer (CSO) to discuss ways to better protect the privacy of customer data. Which of the following controls support this goal? A. Contingency planning B. Encryption and stronger access control C. Hashing and non-repudiation D. Redundancy and fault tolerance

Answer: B Explanation: Encryption is used to protect data/contents/documents. Access control refers to controlling who accesses any data/contents/documents and to exercise authorized control to the accessing of that data.

QUESTION NO: 305 Which of the following is the process in which a law enforcement officer or a government agent encourages or induces a person to commit a crime when the potential criminal expresses a desire not to go ahead? A. Enticement B. Entrapment C. Deceit D. Sting

Answer: B Explanation: Entrapment is the process in which a law enforcement officer or a government agent encourages or induces a person to commit a crime when the potential criminal expresses a desire not to go ahead. Entrapment is a valid legal defense in a criminal prosecution.

A vulnerability scan is reporting that patches are missing on a server. After a review, it is determined that the application requiring the patch does not exist on the operating system. Which of the following describes this cause? A. Application hardening B. False positive C. Baseline code review D. False negative

Answer: B Explanation: False positives are essentially events that are mistakenly flagged and are not really events to be concerned about.

QUESTION NO: 434 Matt, a security consultant, has been tasked with increasing server fault tolerance and has been given no budget to accomplish his task. Which of the following can Matt implement to ensure servers will withstand hardware failure? A. Hardware load balancing B. RAID C. A cold site D. A host standby

Answer: B Explanation: Fault tolerance is the ability of a system to sustain operations in the event of a component failure. Fault-tolerant systems can continue operation even though a critical component, such as a disk drive, has failed. This capability involves overengineering systems by adding redundant components and subsystems. RAID can achieve fault tolerance in software, using the existing hardware and software.

QUESTION NO: 402 A system administrator has been instructed by the head of security to protect their data at-rest. Which of the following would provide the strongest protection? A. Prohibiting removable media B. Incorporating a full-disk encryption system C. Biometric controls on data center entry points D. A host-based intrusion detection system

Answer: B Explanation: Full disk encryption encrypts an entire volume, typically with a symmetric cipher such as AES. When the entire volume is encrypted, the data is not accessible to someone who boots another operating system, or removes the drive, in an attempt to bypass the computer's security. Full disk encryption is sometimes referred to as hard drive encryption. It is the best of the listed options for protecting data at rest. The caveat a practitioner should keep in mind is that FDE protects the data only while the volume is locked (powered off or not yet unlocked); once the system is booted and the key is loaded, the data is as exposed as it would be on an unencrypted disk, so FDE complements rather than replaces access controls and host monitoring.

QUESTION NO: 335 The datacenter manager is reviewing a problem with a humidity factor that is too low. Which of the following environmental problems may occur? A. EMI emanations B. Static electricity C. Condensation D. Dry-pipe fire suppression

Answer: B Explanation: Humidity control prevents the buildup of static electricity in the environment. If the humidity drops much below 50 percent, electronic components are extremely vulnerable to damage from electrostatic shock.

QUESTION NO: 293 Which of the following is the BEST reason to provide user awareness and training programs for organizational staff? A. To ensure proper use of social media B. To reduce organizational IT risk C. To detail business impact analyses D. To train staff on zero-days

Answer: B Explanation: Ideally, a security awareness training program for the entire organization should cover the following areas: the importance of security; the responsibilities of people in the organization; policies and procedures; usage policies; account and password-selection criteria; and social engineering prevention. You can accomplish this training either by using internal staff or by hiring outside trainers. This type of training significantly reduces organizational IT risk.

QUESTION NO: 278 During which of the following phases of the Incident Response process should a security administrator define and implement general defense against malware? A. Lessons Learned B. Preparation C. Eradication D. Identification

Answer: B Explanation: Incident response procedures involve: preparation; incident identification; escalation and notification; mitigation steps; lessons learned; reporting; recovery/reconstitution procedures; first responder duties; incident isolation (quarantine, device removal); data breach handling; and damage and loss control. It is important to stop malware before it ever takes hold of a system, so you should know which malware is out there and take defensive measures in advance. General defenses against malware are therefore put in place during the preparation phase, before any incident is identified.

QUESTION NO: 287 The security officer is preparing a read-only USB stick with a document of important personal phone numbers, vendor contacts, an MD5 program, and other tools to provide to employees. At which of the following points in an incident should the officer instruct employees to use this information? A. Business Impact Analysis B. First Responder C. Damage and Loss Control D. Contingency Planning

Answer: B Explanation: Incident response procedures involve: preparation; incident identification; escalation and notification; mitigation steps; lessons learned; reporting; recovery/reconstitution procedures; first responder duties; incident isolation (quarantine, device removal); data breach handling; and damage and loss control. In this scenario the security officer is preparing a kit for the employees who will be the first to act when an incident is discovered, i.e. the first responders. The kit is read-only so that it cannot be altered by malware on the affected host, and the hashing program lets responders verify the integrity of files and tools before trusting them.

QUESTION NO: 419 Matt, a security administrator, wants to ensure that the message he is sending does not get intercepted or modified in transit. This concern relates to which of the following concepts? A. Availability B. Integrity C. Accounting D. Confidentiality

Answer: B Explanation: Integrity means ensuring that data has not been altered. Hashing and message authentication codes are the most common methods to accomplish this. In addition, ensuring nonrepudiation via digital signatures supports integrity.

QUESTION NO: 339 A malicious person gained access to a datacenter by ripping the proximity badge reader off the wall near the datacenter entrance. This caused the electronic locks on the datacenter door to release because the: A. badge reader was improperly installed. B. system was designed to fail open for life-safety. C. system was installed in a fail closed configuration. D. system used magnetic locks and the locks became demagnetized.

Answer: B Explanation: The lock was designed to fail open for life safety: when the lock loses power or its controller, the door releases so that people are never trapped inside. Ripping the proximity badge reader off the wall cut the circuit and triggered that fail-open behaviour. A fail-closed (fail-secure) design would keep the door locked instead, which protects the asset but must be paired with an emergency exit mechanism.

QUESTION NO: 390 Which of the following technologies uses multiple devices to share work? A. Switching B. Load balancing C. RAID D. VPN concentrator

Answer: B Explanation: Load balancing is a way of providing high availability by splitting the workload across multiple computers.

QUESTION NO: 391 Which of the following provides the BEST application availability and is easily expanded as demand grows? A. Server virtualization B. Load balancing C. Active-Passive Cluster D. RAID 6

Answer: B Explanation: Load balancing provides high availability by splitting the workload across multiple computers, and capacity is expanded simply by adding more nodes behind the balancer. An active-passive cluster leaves its standby capacity idle, and RAID 6 protects disks rather than application availability.

QUESTION NO: 184 Which of the following is a management control? A. Logon banners B. Written security policy C. SYN attack prevention D. Access Control List (ACL)

Answer: B Explanation: Management control types include risk assessment, planning, systems and Services Acquisition as well as Certification, Accreditation and Security Assessment; and written security policy falls in this category.

QUESTION NO: 341 Pete, an IT Administrator, needs to secure his server room. Which of the following mitigation methods would provide the MOST physical protection? A. Sign in and sign out logs B. Mantrap C. Video surveillance D. HVAC

Answer: B Explanation: Mantraps are designed to physically contain an unauthorized, potentially hostile individual until authorities arrive. Mantraps are typically built with bulletproof glass, high-strength doors and locks, and are sized to admit only a minimal number of individuals at a time. Some mantraps even include scales that weigh the occupant. The doors are designed so that one opens only when the other is closed: the rear door must close before the front door will open. Mantraps are in most cases also combined with guards. This is the most physical protection any one of the listed measures provides.

QUESTION NO: 343 A company is installing a new security measure that would allow one person at a time to be authenticated to an area without human interaction. Which of the following does this describe? A. Fencing B. Mantrap C. A guard D. Video surveillance

Answer: B Explanation: Mantraps make use of electronic locks and are designed to limit the number of individuals allowed into an area at any one time, typically one person per cycle, without requiring a guard to be present.

QUESTION NO: 262 An incident response team member needs to perform a forensics examination but does not have the required hardware. Which of the following will allow the team member to perform the examination with minimal impact to the potential evidence? A. Using a software file recovery disc B. Mounting the drive in read-only mode C. Imaging based on order of volatility D. Hashing the image after capture

Answer: B Explanation: Mounting the drive in read-only mode prevents the examiner's own system from writing to it: no access-time updates, no journal replay, no metadata changes. This has the least impact on the potential evidence when a hardware write blocker is not available. Hashing the image after capture (option D) verifies integrity but assumes an image has already been taken; the question is about examining the drive with the tools at hand.

QUESTION NO: 431 An encrypted message is sent using PKI from Sara, a client, to a customer. Sara claims she never sent the message. Which of the following aspects of PKI BEST ensures the identity of the sender? A. CRL B. Non-repudiation C. Trust models D. Recovery agents

Answer: B Explanation: Nonrepudiation prevents one party from denying actions they carried out. This means that the identity of the email sender will not be repudiated.

QUESTION NO: 384 Which of the following may significantly reduce data loss if multiple drives fail at the same time? A. Virtualization B. RAID C. Load balancing D. Server clustering

Answer: B Explanation: RAID (redundant array of independent disks) lets a server use more than one hard drive so that if a drive fails the system keeps functioning. Which failures can be survived depends on the level: RAID 1 (mirroring) and RAID 5 (single parity) tolerate the loss of one drive, while RAID 6 (double parity) tolerates two simultaneous failures, which is the case this question describes.
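The following added example (not part of the original question bank) shows the parity mechanism that makes RAID fault tolerant. It simulates a RAID 5 style stripe with one XOR parity block: any single lost block, data or parity, is rebuilt from the survivors, and the code refuses a double failure, which is exactly why RAID 6 keeps a second, independent parity block. Disks are modelled as equal-length byte strings; the sample data is constructed.

```python
"""RAID parity as a fault-tolerance mechanism (added example, not from the page)."""
from __future__ import annotations

from functools import reduce
from typing import List, Optional


def xor_blocks(blocks: List[bytes]) -> bytes:
    """Bytewise XOR of equal-length blocks (the parity operation)."""
    return bytes(reduce(lambda a, b: a ^ b, column) for column in zip(*blocks))


def build_stripe(data_blocks: List[bytes]) -> List[bytes]:
    """Return the stripe with the parity block appended as the last 'disk'."""
    if len({len(block) for block in data_blocks}) != 1:
        raise ValueError("all blocks in a stripe must be the same length")
    return data_blocks + [xor_blocks(data_blocks)]


def rebuild(stripe: List[Optional[bytes]]) -> List[bytes]:
    """Rebuild a stripe in which failed disks are marked None.

    Raises if more than one disk is missing: with a single parity block the
    lost data is unrecoverable (RAID 6 would survive this case).
    """
    missing = [i for i, block in enumerate(stripe) if block is None]
    if len(missing) > 1:
        raise RuntimeError(f"{len(missing)} disks failed; single parity rebuilds at most one")
    if not missing:
        return [block for block in stripe if block is not None]
    survivors = [block for block in stripe if block is not None]
    rebuilt = list(stripe)
    # XOR of every remaining block (data and parity) recovers the lost one.
    rebuilt[missing[0]] = xor_blocks(survivors)
    return rebuilt  # type: ignore[return-value]


def demo_single_failure() -> bytes:
    data = [b"disk0:AAAA", b"disk1:BBBB", b"disk2:CCCC"]  # constructed sample data
    stripe = build_stripe(data)
    degraded: List[Optional[bytes]] = list(stripe)
    degraded[1] = None  # simulate losing disk 1
    return rebuild(degraded)[1]


def demo_double_failure() -> bool:
    """True if the double failure is correctly reported as unrecoverable."""
    stripe = build_stripe([b"disk0:AAAA", b"disk1:BBBB", b"disk2:CCCC"])
    degraded: List[Optional[bytes]] = list(stripe)
    degraded[0] = None
    degraded[2] = None
    try:
        rebuild(degraded)
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    print(demo_single_failure())   # b'disk1:BBBB'
    print(demo_double_failure())   # True
```

The parity disk itself is just another block, so losing it is handled the same way: the XOR of the data blocks regenerates it.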

QUESTION NO: 215 Identifying residual risk is MOST important to which of the following concepts? A. Risk deterrence B. Risk acceptance C. Risk mitigation D. Risk avoidance

Answer: B Explanation: Risk acceptance is often the choice you must make when the cost of implementing any of the other four choices exceeds the value of the harm that would occur if the risk came to fruition. To truly qualify as acceptance, it cannot be a risk where the administrator or manager is unaware of its existence; it has to be an identified risk for which those involved understand the potential cost or damage and agree to accept it. Residual risk is always present and will remain a risk thus it should be accepted (risk acceptance)

QUESTION NO: 241 Which of the following is the BEST approach to perform risk mitigation of user access control rights? A. Conduct surveys and rank the results. B. Perform routine user permission reviews. C. Implement periodic vulnerability scanning. D. Disable user accounts that have not been used within the last two weeks.

Answer: B Explanation: Risk mitigation is accomplished any time you take steps to reduce risk. This category includes installing antivirus software, educating users about possible threats, monitoring network traffic, adding a firewall, and so on. User permissions may be the most basic aspect of security and is best coupled with a principle of least privilege. And related to permissions is the concept of the access control list (ACL). An ACL is literally a list of who can access what resource and at what level. Thus the best risk mitigation steps insofar as access control rights are concerned, is the regular/routine review of user permissions.

QUESTION NO: 352 Joe, the system administrator, has been asked to calculate the Annual Loss Expectancy (ALE) for a $5,000 server, which often crashes. In the past year, the server has crashed 10 times, requiring a system reboot to recover with only 10% loss of data or function. Which of the following is the ALE of this server? A. $500 B. $5,000 C. $25,000 D. $50,000

Answer: B Explanation: ALE = SLE × ARO, where SLE (single loss expectancy) is asset value (AV) times exposure factor (EF), and ARO is the annualized rate of occurrence. SLE = $5,000 × 0.1 = $500; ARO = 10 crashes per year; ALE = $500 × 10 = $5,000.

QUESTION NO: 353 Sara, a security analyst, is trying to prove to management what costs they could incur if their customer database was breached. This database contains 250 records with PII. Studies show that the cost per record for a breach is $300. The likelihood that their database would be breached in the next year is only 5%. Which of the following is the ALE that Sara should report to management for a security breach? A. $1,500 B. $3,750 C. $15,000 D. $75,000

Answer: B Explanation: ALE = SLE × ARO, where SLE is asset value (AV) times exposure factor (EF), and ARO is the annualized rate of occurrence. SLE = 250 records × $300 = $75,000; ARO = 0.05; ALE = $75,000 × 0.05 = $3,750.

QUESTION NO: 207 Separation of duties is often implemented between developers and administrators in order to separate which of the following? A. More experienced employees from less experienced employees B. Changes to program code and the ability to deploy to production C. Upper level management users from standard development employees D. The network access layer from the application access layer

Answer: B Explanation: Separation of duties splits a sensitive process between people so that no single person controls it end to end. Between developers and administrators the split is between writing or changing program code and deploying it to production: a developer who could also push code live could introduce and release a backdoor alone, whereas requiring a separate administrator to deploy forces a second pair of eyes on every change.

QUESTION NO: 206 The Chief Technical Officer (CTO) has been informed of a potential fraud committed by a database administrator performing several other job functions within the company. Which of the following is the BEST method to prevent such activities in the future? A. Job rotation B. Separation of duties C. Mandatory Vacations D. Least Privilege

Answer: B Explanation: Separation of duties means that no single individual is able to complete a sensitive transaction on their own; critical functions are divided so that collusion would be required to commit fraud. (Least privilege, option D, is the related principle that users are granted only the permissions they need; it limits damage but does not by itself stop one person who legitimately holds several conflicting roles.) A database administrator who also performs the other job functions that would normally check their work is exactly the situation a separation of duties policy is designed to prevent, which is why it is the best answer here.

QUESTION NO: 331 When a new network drop was installed, the cable was run across several fluorescent lights. The users of the new network drop experience intermittent connectivity. Which of the following environmental controls was MOST likely overlooked during installation? A. Humidity sensors B. EMI shielding C. Channel interference D. Cable kinking

Answer: B Explanation: Shielding refers to the process of preventing electronic emissions from your computer systems from being used to gather intelligence and preventing outside electronic emissions from disrupting your information-processing abilities. In this case you are experiencing intermittent connectivity since Electro Magnetic Interference (EMI) was not taken into account when running the cables over fluorescent lighting.

QUESTION NO: 393 A security administrator has just finished creating a hot site for the company. This implementation relates to which of the following concepts? A. Confidentiality B. Availability C. Succession planning D. Integrity

Answer: B Explanation: Simply making sure that the data and systems are available for authorized users is what availability is all about. Data backups, redundant systems, and disaster recovery plans all support availability. And creating a hot site is about providing availability.

QUESTION NO: 192 Pete, a security analyst, has been informed that the development team has plans to develop an application which does not meet the company's password policy. Which of the following should Pete do NEXT? A. Contact the Chief Information Officer and ask them to change the company password policy so that the application is made compliant. B. Tell the application development manager to code the application to adhere to the company's password policy. C. Ask the application development manager to submit a risk acceptance memo so that the issue can be documented. D. Inform the Chief Information Officer of non-adherence to the security policy so that the developers can be reprimanded.

Answer: B Explanation: Since the application is violating the security policy it should be coded differently to comply with the password policy.

QUESTION NO: 405 A security audit identifies a number of large email messages being sent by a specific user from their company email account to another address external to the company. These messages were sent prior to a company data breach, which prompted the security audit. The user was one of a few people who had access to the leaked data. Review of the suspect's emails show they consist mostly of pictures of the user at various locations during a recent vacation. No suspicious activities from other users who have access to the data were discovered. Which of the following is occurring? A. The user is encrypting the data in the outgoing messages. B. The user is using steganography. C. The user is spamming to obfuscate the activity. D. The user is using hashing to embed data in the emails.

Answer: B Explanation: Steganography is the process of hiding one message inside another. It is also the process of hiding a message in a medium such as a digital image, audio file, or other file; a related application is electronic watermarking. In theory, doing this prevents analysts from detecting the real message. The large vacation photographs sent to an external address just before the breach are the carrier files for the leaked data.

QUESTION NO: 406 A security analyst has been notified that trade secrets are being leaked from one of the executives in the corporation. When reviewing this executive's laptop they notice several pictures of the employee's pets are on the hard drive and on a cloud storage network. When the analyst hashes the images on the hard drive against the hashes on the cloud network they do not match. Which of the following describes how the employee is leaking these secrets? A. Social engineering B. Steganography C. Hashing D. Digital signatures

Answer: B Explanation: Steganography is the process of hiding one message inside another, for example in a digital image, audio file, or other file. A stego image looks identical to the original to a human viewer, but its bytes are not identical, so its hash no longer matches the hash of the untouched copy. That is the mismatch the analyst found: the pictures on the cloud storage are modified copies of the pictures on the laptop and carry the hidden trade secrets.
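The following added example (not part of the original question bank) shows the technique behind questions 405 and 406: least-significant-bit steganography. A message is written into the lowest bit of each sample of a cover file, here a constructed byte array standing in for raw image pixels. Every sample changes by at most 1, so the picture looks the same, yet the SHA-256 hash of the stego copy no longer matches the original, which is the discrepancy the analyst in question 406 observed.

```python
"""LSB steganography demonstration (added example, not from the page)."""
import hashlib
import struct


def embed(cover: bytes, message: bytes) -> bytes:
    """Hide `message` in the LSB of successive cover samples (4-byte length header first)."""
    payload = struct.pack(">I", len(message)) + message
    bits = [(byte >> i) & 1 for byte in payload for i in range(7, -1, -1)]
    if len(bits) > len(cover):
        raise ValueError("cover too small for payload")
    stego = bytearray(cover)
    for idx, bit in enumerate(bits):
        stego[idx] = (stego[idx] & 0xFE) | bit   # overwrite only the lowest bit
    return bytes(stego)


def extract(stego: bytes) -> bytes:
    """Read the length header, then that many bytes, from the LSBs."""
    def read_bytes(start: int, count: int) -> bytes:
        out = bytearray()
        for b in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (stego[start + b * 8 + i] & 1)
            out.append(value)
        return bytes(out)

    (length,) = struct.unpack(">I", read_bytes(0, 4))
    return read_bytes(32, length)  # message starts after the 32 header bits


def max_sample_change(a: bytes, b: bytes) -> int:
    """Largest per-sample difference between two files of equal length."""
    return max(abs(x - y) for x, y in zip(a, b))


def demo() -> dict:
    # Constructed 'image': 512 samples forming a smooth gradient.
    cover = bytes((i * 7) % 256 for i in range(512))
    secret = b"Q3 revenue: $4.2M"     # constructed trade secret
    stego = embed(cover, secret)
    return {
        "recovered": extract(stego),
        "hashes_match": hashlib.sha256(cover).digest() == hashlib.sha256(stego).digest(),
        "max_change": max_sample_change(cover, stego),
    }


if __name__ == "__main__":
    print(demo())
```

This is why comparing hashes of supposedly identical files across locations (laptop versus cloud, as in question 406) is a cheap and effective detection for this kind of exfiltration; statistical LSB analysis is the next step when no reference copy exists.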

QUESTION NO: 378 Establishing a published chart of roles, responsibilities, and chain of command to be used during a disaster is an example of which of the following? A. Fault tolerance B. Succession planning C. Business continuity testing D. Recovery point objectives

Answer: B Explanation: Succession planning identifies who inside the organization can step into key positions when they open, whether through departure or because the usual holder is unavailable during a disaster. By identifying roles that cannot be left unfilled and associating internal employees who can step into them, you can groom those employees so they are up to speed when the time comes. A published chart of roles, responsibilities, and chain of command for a disaster is this plan in written form.

QUESTION NO: 270 Joe, a security administrator, is concerned with users tailgating into the restricted areas. Given a limited budget, which of the following would BEST assist Joe with detecting this activity? A. Place a full-time guard at the entrance to confirm user identity. B. Install a camera and DVR at the entrance to monitor access. C. Revoke all proximity badge access to make users justify access. D. Install a motion detector near the entrance.

Answer: B Explanation: Tailgating is a favorite method of gaining entry to electronically locked systems by following someone through the door they just unlocked. With a limited budget installing a camera and DVR at the entrance to monitor access to the restricted areas is the most feasible solution. The benefit of a camera (also known as closed-circuit television, or CCTV) is that it is always running and can record everything it sees, creating evidence that can be admissible in court if necessary.

QUESTION NO: 326 Which of the following is a security benefit of providing additional HVAC capacity or increased tonnage in a datacenter? A. Increased availability of network services due to higher throughput B. Longer MTBF of hardware due to lower operating temperatures C. Higher data integrity due to more efficient SSD cooling D. Longer UPS run time due to increased airflow

Answer: B Explanation: Mean time between failures (MTBF) is the average operating time between failures for a type of component, and is used to estimate reliability and life expectancy. It is a statistical mean across a population, not a guarantee for any single unit: a component with a one-year MTBF may fail in a month or run for three years, but across a fleet you should plan on replacing or rebuilding roughly once per unit per year. Electronic components fail sooner when they run hot, so additional cooling capacity that keeps operating temperatures lower raises MTBF, which is the security (availability) benefit the question is asking about.

QUESTION NO: 237 A user has received an email from an external source which asks for details on the company's new product line set for release in one month. The user has a detailed spec sheet but it is marked "Internal Proprietary Information". Which of the following should the user do NEXT? A. Contact their manager and request guidance on how to best move forward B. Contact the help desk and/or incident response team to determine next steps C. Provide the requestor with the email information since it will be released soon anyway D. Reply back to the requestor to gain their contact information and call them

Answer: B Explanation: This is an incident that has to be responded to by the person who discovered it, in this case the user. An incident is any attempt to violate a security policy, a successful penetration, a compromise of a system, or any unauthorized access to information. It is important that an incident response policy establish at least the following items: outside agencies that should be contacted or notified in case of an incident; resources used to deal with an incident; procedures to gather and secure evidence; a list of information that should be collected about an incident; outside experts who can be used to address issues if needed; and policies and guidelines regarding how to handle an incident. Since the spec sheet is marked Internal Proprietary Information, the user should refer the incident to the incident response team rather than answer the request.

QUESTION NO: 344 Key cards at a bank are not tied to individuals, but rather to organizational roles. After a break in, it becomes apparent that extra efforts must be taken to successfully pinpoint who exactly enters secure areas. Which of the following security measures can be put in place to mitigate the issue until a new key card system can be installed? A. Bollards B. Video surveillance C. Proximity readers D. Fencing

Answer: B Explanation: Video surveillance is making use of a camera, or CCTV that is able to record everything it sees and is always running. This way you will be able to check exactly who enters secure areas.

QUESTION NO: 328 When implementing fire suppression controls in a datacenter it is important to: A. Select a fire suppression system which protects equipment but may harm technicians. B. Ensure proper placement of sprinkler lines to avoid accidental leakage onto servers. C. Integrate maintenance procedures to include regularly discharging the system. D. Use a system with audible alarms to ensure technicians have 20 minutes to evacuate.

Answer: B Explanation: Water-based systems can cause serious damage to electrical equipment, and because they work with overhead nozzles, the sprinkler lines in a fire suppression system should be placed so that they do not leak or discharge onto servers when they are activated. A system that harms technicians, regular full discharges, and a 20-minute evacuation window are all wrong priorities: life safety comes first, and the system is tested without discharging the agent.

QUESTION NO: 420 Which of the following is used by the recipient of a digitally signed email to verify the identity of the sender? A. Recipient's private key B. Sender's public key C. Recipient's public key D. Sender's private key

Answer: B Explanation: When the sender wants to send a message to the receiver. It's important that this message not be altered. The sender uses the private key to create a digital signature. The message is, in effect, signed with the private key. The sender then sends the message to the receiver. The recipient uses the public key attached to the message to validate the digital signature. If the values match, the receiver knows the message is authentic. Thus the recipient uses the sender's public key to verify the sender's identity.

QUESTION NO: 312 Which of the following is a security concern regarding users bringing personally-owned devices that they connect to the corporate network? A. Cross-platform compatibility issues between personal devices and server-based applications B. Lack of controls in place to ensure that the devices have the latest system patches and signature files C. Non-corporate devices are more difficult to locate when a user is terminated D. Non-purchased or leased equipment may cause failure during the audits of company-owned assets

Answer: B Explanation: Personally owned devices are outside the organization's patch and malware-signature management, so there is no control ensuring that a device plugging into the network is up to date. You do not want employees plugging in a flash drive, let alone a camera, smartphone, tablet computer, or other device, on which company files could get intermingled with personal files. Allowing this can create situations where data leaves the building that should not, as well as introduce malware to the network. Employees should not sync unauthorized smartphones to their work systems; some smartphones use multiple wireless spectrums and can unwittingly give an attacker in the parking lot a path through the phone to the internal network. Without controls in place, the network is definitely at risk.

QUESTION NO: 421 Digital signatures are used for ensuring which of the following items? (Select TWO). A. Confidentiality B. Integrity C. Non-Repudiation D. Availability E. Algorithm strength

Answer: B,C Explanation: A digital signature is similar in function to a handwritten signature on a document. The sender hashes the message and encrypts the hash with their private key; that value, the digital signature, is attached to the message. The recipient recomputes the hash and decrypts the signature with the sender's public key: if the two match, the message has not been altered (integrity) and it must have come from the holder of the private key. Non-repudiation prevents one party from denying actions they carried out; in the electronic world it rests on a two-key cryptographic system and a trusted third party (the certificate authority) that vouches for the binding between the public key and the individual. Digital signatures do not provide confidentiality: the message itself is not encrypted unless a separate step does so.

QUESTION NO: 361 After an assessment, auditors recommended that an application hosting company should contract with additional data providers for redundant high speed Internet connections. Which of the following is MOST likely the reason for this recommendation? (Select TWO). A. To allow load balancing for cloud support B. To allow for business continuity if one provider goes out of business C. To eliminate a single point of failure D. To allow for a hot site in case of disaster E. To improve intranet communication speeds

Answer: B,C Explanation: A second high-speed internet connection from a different provider removes the single point of failure that one upstream link represents; if one provider suffers an outage or goes out of business, the hosted applications remain reachable over the other, and business continues uninterrupted. Note: the recovery time objective (RTO) is the maximum amount of time that a process or service is allowed to be down with the consequences still considered acceptable. Beyond this time, the break in business continuity is considered to affect the business negatively. The RTO is agreed on during BIA creation.

QUESTION NO: 358 Which of the following would BEST be used to calculate the expected loss of an event, if the likelihood of an event occurring is known? (Select TWO). A. DAC B. ALE C. SLE D. ARO E. ROI

Answer: B,C Explanation: ALE (Annual Loss Expectancy) is equal to the SLE (Single Loss Expectancy) times the annualized rate of occurrence. SLE (Single Loss Expectancy) is equal to asset value (AV) times exposure factor (EF).
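The following added example (not part of the original question bank) carries the ALE arithmetic from questions 352, 353 and 358 through in code, with the range checks a risk register script should apply, and adds the comparison that question 215's explanation alludes to: whether the annual cost of a control is justified by the loss it avoids. The countermeasure figures at the end are assumed for illustration, not from the page.

```python
"""Quantitative risk arithmetic: SLE, ARO, ALE (added example, not from the page)."""


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single Loss Expectancy = AV x EF (EF is the fraction of value lost per event)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    return asset_value * exposure_factor


def ale(single_loss: float, aro: float) -> float:
    """Annual Loss Expectancy = SLE x ARO (ARO = expected events per year)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return single_loss * aro


def crashing_server_ale() -> float:
    # Question 352: $5,000 server, 10 crashes a year, 10% loss per crash.
    return ale(sle(5_000, 0.10), aro=10)


def breach_ale() -> float:
    # Question 353: 250 PII records at $300 each (EF = 1, the whole value is
    # lost in a breach), 5% chance of a breach per year.
    return ale(sle(250 * 300, 1.0), aro=0.05)


def control_value(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """Net annual benefit of a countermeasure.

    A negative result means the control costs more than the loss it prevents,
    which is the situation where accepting the residual risk is the rational choice.
    """
    return (ale_before - ale_after) - annual_control_cost


if __name__ == "__main__":
    print(f"Server ALE: ${crashing_server_ale():,.2f}")   # $5,000.00
    print(f"Breach ALE: ${breach_ale():,.2f}")            # $3,750.00
    # Assumed example: a $1,000/year control that halves the crash rate (ARO 10 -> 5).
    print(f"Control value: ${control_value(crashing_server_ale(), ale(500, 5), 1_000):,.2f}")  # $1,500.00
    # Assumed example: a $5,000/year control against the breach scenario is not justified.
    print(f"Control value: ${control_value(breach_ale(), 0, 5_000):,.2f}")  # -$1,250.00
```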

QUESTION NO: 366 Corporate IM presents multiple concerns to enterprise IT. Which of the following concerns should Jane, the IT security manager, ensure are under control? (Select THREE). A. Authentication B. Data leakage C. Compliance D. Malware E. Non-repudiation F. Network loading

Answer: B,C,D Explanation: Instant messaging opens a direct channel between users and the outside world. Data leakage is a concern because confidential text and files can be sent out of the organization with no controls. Compliance is a concern because regulated industries must retain and be able to produce business communications, which consumer IM clients do not archive. Malware is a concern because IM file transfers and links are a common delivery vector. Authentication, non-repudiation and network load are lesser issues by comparison.

QUESTION NO: 236 A security engineer is given new application extensions each month that need to be secured prior to implementation. They do not want the new extensions to invalidate or interfere with existing application security. Additionally, the engineer wants to ensure that the new requirements are approved by the appropriate personnel. Which of the following should be in place to meet these two goals? (Select TWO). A. Patch Audit Policy B. Change Control Policy C. Incident Management Policy D. Regression Testing Policy E. Escalation Policy F. Application Audit Policy

Answer: B,D Explanation: Regression testing re-runs the tests for existing functionality after a change to confirm that the change has not broken or weakened anything that already worked; a regression testing policy therefore ensures that each month's new extensions do not invalidate or interfere with the application's existing security. A change control policy defines the structured approach by which proposed changes are documented, reviewed and approved by the appropriate personnel before implementation, which meets the second goal. A backout plan, which reverts a change that had negative consequences (for example uninstalling a service pack that made services unavailable, or reversing a migration or firmware update), is a component of change control, not of regression testing.

QUESTION NO: 214 A company is preparing to decommission an offline, non-networked root certificate server. Before sending the server's drives to be destroyed by a contracted company, the Chief Security Officer (CSO) wants to be certain that the data will not be accessed. Which of the following, if implemented, would BEST reassure the CSO? (Select TWO). A. Disk hashing procedures B. Full disk encryption C. Data retention policies D. Disk wiping procedures E. Removable media encryption

Answer: B,D Explanation: B: With full disk encryption the entire volume is encrypted, so the data is not accessible to someone who mounts the drives or boots another operating system in an attempt to bypass the computer's security; destroying the encryption key makes the ciphertext permanently unreadable even if the contractor never wipes the disks. D: Disk wiping is the process of repeatedly overwriting the data on the disk, or using a degausser to alter the magnetic structure of the platters. This renders the data unreadable. For a root CA's private key material, both measures together are the right answer: the CSO should not rely on a third party to do the destruction correctly.

QUESTION NO: 334 Which of the following results in datacenters with failed humidity controls? (Select TWO). A. Excessive EMI B. Electrostatic charge C. Improper ventilation D. Condensation E. Irregular temperature

Answer: B,D Explanation: Humidity control prevents both extremes. If the humidity drops much below 50 percent, static electricity builds up and electronic components are extremely vulnerable to damage from electrostatic discharge. If humidity is too high, moisture condenses on cool surfaces and can corrode or short equipment. Most environmental systems regulate humidity; however, a malfunctioning system can extract almost all the moisture from a room, or let it rise unchecked. Make sure that environmental systems are regularly serviced.

QUESTION NO: 428 Digital certificates can be used to ensure which of the following? (Select TWO). A. Availability B. Confidentiality C. Verification D. Authorization E. Non-repudiation

Answer: B,E Explanation: A digital certificate binds a public key to an identity, so it serves the two cryptographic goals that depend on knowing whose key is whose: confidentiality, because a sender can encrypt to the certificate holder's public key knowing only the holder can decrypt, and non-repudiation, because a signature verified with the certified public key can only have been produced by the holder of the matching private key. Non-repudiation prevents one party from denying actions they carried out.
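The following added example (not part of the original question bank) puts questions 419, 420, 421 and 428 side by side in code: an HMAC and a digital signature both detect modification in transit, but only the signature, made with the sender's private key and checked with the sender's public key, gives non-repudiation, because anyone holding the shared HMAC key could have produced the tag. The RSA here is deliberately textbook (fixed Mersenne primes, no padding) so it runs with the standard library only; it is not secure and stands in for a vetted library implementation of RSA-PSS or Ed25519 with a certificate binding the public key to the sender.

```python
"""Integrity vs non-repudiation: HMAC and digital signature (added example, not from the page)."""
import hashlib
import hmac


def modinv(a: int, m: int) -> int:
    """Modular inverse by the extended Euclidean algorithm (a and m coprime)."""
    r0, r1, t0, t1 = m, a % m, 0, 1
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        t0, t1 = t1, t0 - q * t1
    if r0 != 1:
        raise ValueError("not invertible")
    return t0 % m


# Toy key pair. P and Q are known Mersenne primes, chosen only so the example
# is self-contained; real keys are random 2048-bit or larger primes.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537                                # public exponent
D = modinv(E, (P - 1) * (Q - 1))         # private exponent, known only to the sender


def digest_int(message: bytes) -> int:
    """SHA-256 of the message as an integer below N."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes, private_exp: int = D) -> int:
    """Only the holder of the private key can produce this value."""
    return pow(digest_int(message), private_exp, N)


def verify(message: bytes, signature: int, public_exp: int = E) -> bool:
    """Anyone with the sender's public key can check it (question 420)."""
    return pow(signature, public_exp, N) == digest_int(message)


def mac(message: bytes, key: bytes) -> bytes:
    """HMAC: proves integrity to a party holding the same key, but since the
    verifier can compute the same tag, it cannot prove who sent the message."""
    return hmac.new(key, message, hashlib.sha256).digest()


def demo() -> dict:
    msg = b"Transfer 500 to account 42"       # constructed message
    tampered = b"Transfer 5000 to account 42"
    sig = sign(msg)
    key = b"shared-secret"                    # constructed HMAC key, held by both parties
    tag = mac(msg, key)
    return {
        "signature_valid": verify(msg, sig),
        "signature_rejects_tamper": not verify(tampered, sig),
        "signature_rejects_forgery": not verify(msg, sig ^ 1),   # one bit flipped
        "mac_valid": hmac.compare_digest(tag, mac(msg, key)),
        "mac_rejects_tamper": not hmac.compare_digest(tag, mac(tampered, key)),
        # The recipient, holding `key`, can mint a valid tag for any message,
        # so a MAC alone cannot support a non-repudiation claim.
        "recipient_can_mint_mac": hmac.compare_digest(mac(tampered, key), mac(tampered, key)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Both constructions answer question 419 (integrity); only the signature answers question 431 (the sender cannot later deny having sent it), and it does so only because a certificate ties the public key to the sender, which is the role of the CA in question 428.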

QUESTION NO: 245 After an audit, it was discovered that the security group memberships were not properly adjusted for employees' accounts when they moved from one role to another. Which of the following has the organization failed to properly implement? (Select TWO). A. Mandatory access control enforcement. B. User rights and permission reviews. C. Technical controls over account management. D. Account termination procedures. E. Management controls over account management. F. Incident management and response plan.

Answer: B,E Explanation: Reviewing user rights and permissions periodically would have caught that employees who moved roles still held the group memberships of their old role, and confirmed that every account's privileges match the policies of the corporation and the holder's current job description. Management controls over account management (a documented process that adjusts access whenever a role changes, with an owner accountable for it) would have prevented the drift in the first place. Because this is a role change rather than a departure, termination procedures do not apply.
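The following added example (not part of the original question bank) is the kind of routine permission review that questions 241 and 245 call for. It compares each account's current group memberships with the groups its current role entitles it to and reports anything a role change left behind, anything granted ad hoc, and accounts whose role is not covered by policy. The role-to-group policy and the directory records are constructed; in practice they would come from an LDAP or identity-provider export and an HR role feed.

```python
"""Routine user rights review against a role policy (added example, not from the page)."""
from __future__ import annotations

from typing import Dict, List, Set

# Assumed example policy: role -> groups the role is entitled to.
ROLE_GROUPS: Dict[str, Set[str]] = {
    "developer": {"git-users", "dev-db-readers"},
    "dba": {"prod-db-admins", "backup-operators"},
    "finance": {"erp-users"},
}


def review(accounts: List[dict]) -> List[dict]:
    """Return one finding per account whose memberships deviate from policy."""
    findings = []
    for acct in accounts:
        allowed = ROLE_GROUPS.get(acct["role"])
        if allowed is None:
            findings.append({"user": acct["user"], "issue": "unknown role",
                             "groups": sorted(acct["groups"])})
            continue
        excess = set(acct["groups"]) - allowed   # kept from a previous role, or granted ad hoc
        missing = allowed - set(acct["groups"])  # role cannot do its job: also worth a ticket
        if excess or missing:
            findings.append({"user": acct["user"], "issue": "drift",
                             "excess": sorted(excess), "missing": sorted(missing)})
    return findings


SAMPLE_ACCOUNTS: List[dict] = [  # constructed sample directory export
    # alice moved from developer to dba; the old git-users membership was never removed
    {"user": "alice", "role": "dba", "groups": {"prod-db-admins", "backup-operators", "git-users"}},
    {"user": "bob", "role": "developer", "groups": {"git-users", "dev-db-readers"}},
    # carol was given prod-db-admins for a one-off task and kept it
    {"user": "carol", "role": "finance", "groups": {"erp-users", "prod-db-admins"}},
    # dave's role is not in the policy at all, so nothing can be checked
    {"user": "dave", "role": "contractor", "groups": {"git-users"}},
]


if __name__ == "__main__":
    for finding in review(SAMPLE_ACCOUNTS):
        print(finding)
```

Excess memberships are the ones to remove; missing ones are often a sign the policy table is stale rather than the account, and the review should feed back into the management control rather than being fixed silently.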

QUESTION NO: 256 Which of the following are Data Loss Prevention (DLP) strategies that address data in transit issues? (Select TWO). A. Scanning printing of documents. B. Scanning of outbound IM (Instant Messaging). C. Scanning copying of documents to USB. D. Scanning of SharePoint document library. E. Scanning of shared drives. F. Scanning of HTTP user traffic.

Answer: B,F Explanation: DLP systems monitor the contents of systems (workstations, servers, networks) to make sure key content is not deleted or removed. They also monitor who is using the data (looking for unauthorized access) and transmitting the data. Outbound IM and HTTP user traffic refer to data in transit over the network, which falls within the DLP strategy.

QUESTION NO: 269 A forensic analyst is reviewing electronic evidence after a robbery. Security cameras installed at the site were facing the wrong direction to capture the incident. The analyst ensures the cameras are turned to face the proper direction. Which of the following types of controls is being used? A. Detective B. Deterrent C. Corrective D. Preventive

Answer: C Explanation: A corrective control would be any corrective action taken to fix an existing control that was faulty or wrongly installed. In this case the cameras were already there; they just had to be adjusted to perform their function as intended.

QUESTION NO: 373 Which of the following concepts defines the requirement for data availability? A. Authentication to RADIUS B. Non-repudiation of email messages C. Disaster recovery planning D. Encryption of email messages

Answer: C Explanation: A disaster-recovery plan, or scheme, helps an organization respond effectively when a disaster occurs. Disasters may include system failure, network failure, infrastructure failure, and natural disaster. The primary emphasis of such a plan is reestablishing services and minimizing losses.

QUESTION NO: 395 A company wants to ensure that its hot site is prepared and functioning. Which of the following would be the BEST process to verify the backup datacenter is prepared for such a scenario? A. Site visit to the backup data center B. Disaster recovery plan review C. Disaster recovery exercise D. Restore from backup

Answer: C Explanation: A hot site is a location that can provide operations within hours of a failure. This type of site would have servers, networks, and telecommunications equipment in place to reestablish service in a short time. Hot sites provide network connectivity, systems, and preconfigured software to meet the needs of an organization. This means that an actual exercise run would test the abilities of your hot site best.

QUESTION NO: 211 A security administrator notices that a specific network administrator is making unauthorized changes to the firewall every Saturday morning. Which of the following would be used to mitigate this issue so that only security administrators can make changes to the firewall? A. Mandatory vacations B. Job rotation C. Least privilege D. Time of day restrictions

Answer: C Explanation: A least privilege policy gives users only the permissions that they need to do their work and no more. Here, that means allowing only security administrators to make changes to the firewall, by applying the least privilege principle.

QUESTION NO: 210 One of the system administrators at a company is assigned to maintain a secure computer lab. The administrator has rights to configure machines, install software, and perform user account maintenance. However, the administrator cannot add new computers to the domain, because that requires authorization from the Information Assurance Officer. This is an example of which of the following? A. Mandatory access B. Rule-based access control C. Least privilege D. Job rotation

Answer: C Explanation: A least privilege policy should be used when assigning permissions. Give users only the permissions that they need to do their work and no more.

QUESTION NO: 202 The Chief Security Officer (CSO) is concerned about misuse of company assets and wishes to determine who may be responsible. Which of the following would be the BEST course of action? A. Create a single, shared user account for every system that is audited and logged based upon time of use. B. Implement a single sign-on application on equipment with sensitive data and high-profile shares. C. Enact a policy that employees must use their vacation time in a staggered schedule. D. Separate employees into teams led by a person who acts as a single point of contact for observation purposes.

Answer: C Explanation: A policy that states employees should use their vacation time in a staggered schedule is a way of employing mandatory vacations. A mandatory vacation policy requires all users to take time away from work while others step in and do the work of the employee on vacation. This will afford the CSO the opportunity to see who is using the company assets responsibly and who is abusing them.

QUESTION NO: 281 Who should be contacted FIRST in the event of a security breach? A. Forensics analysis team B. Internal auditors C. Incident response team D. Software vendors

Answer: C Explanation: A security breach is an incident and requires a response. The incident response team would be better equipped to deal with any incident insofar as all their procedures are concerned. Their procedures in addressing incidents are: Preparation; Incident identification; Escalation and notification; Mitigation steps; Lessons learned; Reporting; Recover/reconstitution procedures; First responder; Incident isolation (Quarantine; Device removal); Data breach; Damage and loss control.

QUESTION NO: 247 The system administrator has deployed updated security controls for the network to limit risk of attack. The security manager is concerned that controls continue to function as intended to maintain appropriate security posture. Which of the following risk mitigation strategies is MOST important to the security manager? A. User permissions B. Policy enforcement C. Routine audits D. Change management

Answer: C Explanation: After you have implemented security controls based on risk, you must perform routine audits. These audits should include reviews of user rights and permissions as well as specific events. You should pay particular attention to false positives and negatives.

QUESTION NO: 322 A security team has established a security awareness program. Which of the following would BEST prove the success of the program? A. Policies B. Procedures C. Metrics D. Standards

Answer: C Explanation: All types of training should be followed up and tested to see whether they worked and how much was learned in the training process. You must follow up and gather training metrics to validate compliance and security posture. By training metrics, we mean some quantifiable method for determining the efficacy of training.

QUESTION NO: 292 Sara, an employee, tethers her smartphone to her work PC to bypass the corporate web security gateway while connected to the LAN. While Sara is out at lunch her PC is compromised via the tethered connection and corporate data is stolen. Which of the following would BEST prevent this from occurring again? A. Disable the wireless access and implement strict router ACLs. B. Reduce restrictions on the corporate web security gateway. C. Security policy and threat awareness training. D. Perform user rights and permissions reviews.

Answer: C Explanation: BYOD (in this case, Sara's smartphone) involves the possibility of a personal device that is infected with malware introducing that malware to the network. Security awareness training will address the issue of the company's security policy with regard to BYOD.

QUESTION NO: 350 A system administrator has concerns regarding their users accessing systems and secured areas using others' credentials. Which of the following can BEST address this concern? A. Create conduct policies prohibiting sharing credentials. B. Enforce a policy shortening the credential expiration timeframe. C. Implement biometric readers on laptops and restricted areas. D. Install security cameras in areas containing sensitive systems.

Answer: C Explanation: Biometrics is an authentication process that makes use of physical characteristics to establish identification. This will prevent users from making use of others' credentials.

QUESTION NO: 313 Several employees submit the same phishing email to the administrator. The administrator finds that the links in the email are not being blocked by the company's security device. Which of the following might the administrator do in the short term to prevent the emails from being received? A. Configure an ACL B. Implement a URL filter C. Add the domain to a block list D. Enable TLS on the mail server

Answer: C Explanation: Blocking e-mail is the same as preventing the receipt of those e-mails, and this is done by applying a filter. But the filter must be configured to block it. Thus you should add the specific domain from which the e-mails are being sent to the list of addresses that are to be blocked.

QUESTION NO: 266 To ensure proper evidence collection, which of the following steps should be performed FIRST? A. Take hashes from the live system B. Review logs C. Capture the system image D. Copy all compromised files

Answer: C Explanation: Capturing an image of the operating system in its exploited state can be helpful in revisiting the issue after the fact to learn more about it. This is essential since the collection of evidence process may result in some mishandling and changing the exploited state.

QUESTION NO: 264 Which of the following should Jane, a security administrator, perform before a hard drive is analyzed with forensics tools? A. Identify user habits B. Disconnect system from network C. Capture system image D. Interview witnesses

Answer: C Explanation: Capturing an image of the operating system in its exploited state can be helpful in revisiting the issue after the fact to learn more about it. It is helpful in much the same way that a virus sample is kept in laboratories to study later after an outbreak. Also, you should act in the order of volatility, which places the system image capture first on the list of a forensic analysis.

QUESTION NO: 275 A compromised workstation utilized in a Distributed Denial of Service (DDOS) attack has been removed from the network and an image of the hard drive has been created. However, the system administrator stated that the system was left unattended for several hours before the image was created. In the event of a court case, which of the following is likely to be an issue with this incident? A. Eye Witness B. Data Analysis of the hard drive C. Chain of custody D. Expert Witness

Answer: C Explanation: Chain of custody deals with how evidence is secured, where it is stored, and who has access to it. When you begin to collect evidence, you must keep track of that evidence at all times and show who has it, who has seen it, and where it has been. The evidence must always be within your custody, or you're open to dispute about possible evidence tampering.

QUESTION NO: 233 Which of the following mitigation strategies is established to reduce risk when performing updates to business critical systems? A. Incident management B. Server clustering C. Change management D. Forensic analysis

Answer: C Explanation: Change management is a risk mitigation approach and refers to the structured approach that is followed to secure a company's assets, in this case 'performing updates to business critical systems'.

QUESTION NO: 231 A security administrator needs to update the OS on all the switches in the company. Which of the following MUST be done before any actual switch configuration is performed? A. The request needs to be sent to the incident management team. B. The request needs to be approved through the incident management process. C. The request needs to be approved through the change management process. D. The request needs to be sent to the change management team.

Answer: C Explanation: Change management is a risk mitigation approach and refers to the structured approach that is followed to secure a company's assets. Thus the actual switch configuration should first be subject to change management approval.

QUESTION NO: 234 The network administrator is responsible for promoting code to applications on a DMZ web server. Which of the following processes is being followed to ensure application integrity? A. Application hardening B. Application firewall review C. Application change management D. Application patch management

Answer: C Explanation: Change management is the structured approach that is followed to secure a company's assets. Promoting code to applications on a DMZ web server would fall under change management.

QUESTION NO: 252 Which of the following security strategies allows a company to limit damage to internal systems and provides loss control? A. Restoration and recovery strategies B. Deterrent strategies C. Containment strategies D. Detection strategies

Answer: C Explanation: Containment strategies are used to limit damage and contain a loss so that it may be controlled, much like quarantine and incident isolation.

QUESTION NO: 367 Which of the following is being tested when a company's payroll server is powered off for eight hours? A. Succession plan B. Business impact document C. Continuity of operations plan D. Risk assessment plan

Answer: C Explanation: Continuity of operations plan is the effort to ensure the continued performance of critical business functions during a wide range of potential emergencies.

QUESTION NO: 258 The Chief Information Officer (CIO) is concerned with moving an application to a SaaS cloud provider. Which of the following can be implemented to provide for data confidentiality assurance during and after the migration to the cloud? A. HPM technology B. Full disk encryption C. DLP policy D. TPM technology

Answer: C Explanation: Data loss prevention (DLP) systems monitor the contents of systems (workstations, servers, and networks) to make sure that key content is not deleted or removed. They also monitor who is using the data (looking for unauthorized access) and transmitting the data. Software as a Service (SaaS) applications are run remotely over the Web and as such require DLP monitoring.

QUESTION NO: 336 A technician is investigating intermittent switch degradation. The issue only seems to occur when the building's roof air conditioning system runs. Which of the following would reduce the connectivity issues? A. Adding a heat deflector B. Redundant HVAC systems C. Shielding D. Add a wireless network

Answer: C Explanation: EMI can cause circuit overload, spikes, or even electrical component failure. In the question it is mentioned that switch degradation occurs when the building's roof air-conditioning system is also running. All electromechanical systems emanate EMI. Thus you could alleviate the problem using EMI shielding.

QUESTION NO: 323 Which of the following is an attack vector that can cause extensive physical damage to a datacenter without physical access? A. CCTV system access B. Dial-up access C. Changing environmental controls D. Ping of death

Answer: C Explanation: Environmental systems include heating, air conditioning, humidity control, fire suppression, and power systems. All of these functions are critical to a well-designed physical plant. A computer room will typically require full-time environmental control. Changing any of these controls (when it was set to its optimum values) will result in damage.

QUESTION NO: 261 Which of the following is a best practice when a mistake is made during a forensics examination? A. The examiner should verify the tools before, during, and after an examination. B. The examiner should attempt to hide the mistake during cross-examination. C. The examiner should document the mistake and workaround the problem. D. The examiner should disclose the mistake and assess another area of the disc.

Answer: C Explanation: Every step in an incident response should be documented, including every action taken by end users and the incident-response team.

QUESTION NO: 187 Ann, a security technician, is reviewing the IDS log files. She notices a large number of alerts for multicast packets from the switches on the network. After investigation, she discovers that this is normal activity for her network. Which of the following BEST describes these results? A. True negatives B. True positives C. False positives D. False negatives

Answer: C Explanation: False positives are essentially events that are mistakenly flagged and are not really events to be concerned about.

QUESTION NO: 185 Which of the following can result in significant administrative overhead from incorrect reporting? A. Job rotation B. Acceptable usage policies C. False positives D. Mandatory vacations

Answer: C Explanation: False positives are essentially events that are mistakenly flagged and are not really events to be concerned about. This causes significant administrative overhead because the incorrect reports still have to be handled.

QUESTION NO: 325 Which of the following should be connected to the fire alarm system in order to help prevent the spread of a fire in a server room without data loss to assist in an FM-200 deployment? A. Water base sprinkler system B. Electrical C. HVAC D. Video surveillance

Answer: C Explanation: HVAC refers to heating, ventilation and air-conditioning to allow for a zone-based environmental control measure. The fire-alarm system should ideally also be hooked up to the HVAC so that the HVAC can monitor the changes in heating and ventilation.

QUESTION NO: 340 A company is trying to implement physical deterrent controls to improve the overall security posture of their data center. Which of the following BEST meets their goal? A. Visitor logs B. Firewall C. Hardware locks D. Environmental monitoring

Answer: C Explanation: Hardware security involves applying physical security modifications to secure the system(s) and preventing them from leaving the facility. Don't spend all of your time worrying about intruders coming through the network wire while overlooking the obvious need for physical security. Hardware security involves the use of locks to prevent someone from picking up and carrying out your equipment.

QUESTION NO: 410 The security administrator is implementing a malware storage system to archive all malware seen by the company into a central database. The malware must be categorized and stored based on similarities in the code. Which of the following should the security administrator use to identify similar malware? A. TwoFish B. SHA-512 C. Fuzzy hashes D. HMAC

Answer: C Explanation: Hashing is used to ensure that a message has not been altered. It can be useful for positively identifying malware when a suspected file has the same hash value as a known piece of malware. However, modifying a single bit of a malicious file will alter its hash value. To counter this, a continuous stream of hash values is generated for rolling blocks of code. This can be used to determine the similarity between a suspected file and known pieces of malware.

QUESTION NO: 401 An online store wants to protect user credentials and credit card information so that customers can store their credit card information and use their card for multiple separate transactions. Which of the following database designs provides the BEST security for the online store? A. Use encryption for the credential fields and hash the credit card field B. Encrypt the username and hash the password C. Hash the credential fields and use encryption for the credit card field D. Hash both the credential fields and the credit card field

Answer: C Explanation: Hashing refers to the hash algorithms used in cryptography. It is also used to store data, as in hash tables. One main characteristic of hashing is that the algorithm must have few or no collisions: two different inputs should not give the same output. Thus the credential fields should be hashed, because any customer will have a unique credit card number/identity, and since they will use their credit cards for many different transactions, the credit card field should be encrypted only, not hashed.

QUESTION NO: 240 Requiring technicians to report spyware infections is a step in which of the following? A. Routine audits B. Change management C. Incident management D. Clean desk policy

Answer: C Explanation: Incident management refers to the steps followed when events occur (making sure controls are in place to prevent unauthorized access to, and changes of, all IT assets).

QUESTION NO: 302 An organization is recovering data following a datacenter outage and determines that backup copies of files containing personal information were stored in an unsecure location, because the sensitivity was unknown. Which of the following activities should occur to prevent this in the future? A. Business continuity planning B. Quantitative assessment C. Data classification D. Qualitative assessment

Answer: C Explanation: Information classification is done by confidentiality and comprises three categories, namely: public use, internal use and restricted use. Knowing how to apply these categories and matching them up with the appropriate data handling will address the situation of the data's 'unknown sensitivity'.

QUESTION NO: 413 Sara, a security administrator, manually hashes all network device configuration files daily and compares them to the previous days' hashes. Which of the following security concepts is Sara using? A. Confidentiality B. Compliance C. Integrity D. Availability

Answer: C Explanation: Integrity means the message can't be altered without detection.

QUESTION NO: 273 A recent intrusion has resulted in the need to perform incident response procedures. The incident response team has identified audit logs throughout the network and organizational systems which hold details of the security breach. Prior to this incident, a security consultant informed the company that they needed to implement an NTP server on the network. Which of the following is a problem that the incident response team will likely encounter during their assessment? A. Chain of custody B. Tracking man hours C. Record time offset D. Capture video traffic

Answer: C Explanation: It is quite common for workstation as well as server times to be off slightly from actual time. Since a forensic investigation is usually dependent on a step-by-step account of what has happened, being able to follow events in the correct time sequence is critical. Because of this, it is imperative to record the time offset on each affected machine during the investigation. One method of assisting with this is to add an entry to a log file and note the time that this was done and the time associated with it on the system. There is no mention that this was done by the incident response team.

QUESTION NO: 319 Which of the following has serious security implications for large organizations and can potentially allow an attacker to capture conversations? A. Subnetting B. NAT C. Jabber D. DMZ

Answer: C Explanation: Jabber is a new unified communications application and could possibly expose you to attackers that want to capture conversations, because Jabber provides a single interface across presence, instant messaging, voice, video messaging, desktop sharing and conferencing.

QUESTION NO: 227 Which of the following is the primary security concern when deploying a mobile device on a network? A. Strong authentication B. Interoperability C. Data security D. Cloud storage technique

Answer: C Explanation: Mobile devices, such as laptops, tablet computers, and smartphones, provide security challenges above those of desktop workstations, servers, and such, in that they leave the office, which increases the odds of their theft and makes data security a real concern. At a bare minimum, the following security measures should be in place on mobile devices: screen lock, strong password, device encryption, remote wipe or sanitation, voice encryption, GPS tracking, application control, storage segmentation, asset tracking and device access control.

QUESTION NO: 432 Ann, a newly hired human resource employee, sent out confidential emails with digital signatures, to an unintended group. Which of the following would prevent her from denying accountability? A. Email Encryption B. Steganography C. Non Repudiation D. Access Control

Answer: C Explanation: Nonrepudiation prevents one party from denying actions they carried out.

QUESTION NO: 194 Which of the following provides the BEST explanation regarding why an organization needs to implement IT security policies? A. To ensure that false positives are identified B. To ensure that staff conform to the policy C. To reduce the organizational risk D. To require acceptable usage of IT systems

Answer: C Explanation: Once risks have been identified and assessed, there are five possible actions that can be taken. These are: risk avoidance, risk transference, risk mitigation, risk deterrence and risk acceptance. Any time you engage in steps to reduce risk, you are busy with risk mitigation, and implementing IT security policy is a risk mitigation strategy.

QUESTION NO: 425 Which of the following could cause a browser to display the message below? "The security certificate presented by this website was issued for a different website's address." A. The website certificate was issued by a different CA than what the browser recognizes in its trusted CAs. B. The website is using a wildcard certificate issued for the company's domain. C. HTTPS://127.0.01 was used instead of HTTPS://localhost. D. The website is using an expired self signed certificate.

Answer: C Explanation: PKI is a two-key, asymmetric system with four main components: certificate authority (CA), registration authority (RA), RSA (the encryption algorithm), and digital certificates. In typical public key infrastructure (PKI) arrangements, a digital signature from a certificate authority (CA) attests that a particular public key certificate is valid (i.e., contains correct information). Users, or their software on their behalf, check that the private key used to sign some certificate matches the public key in the CA's certificate. Since CA certificates are often signed by other, "higher-ranking," CAs, there must necessarily be a highest CA, which provides the ultimate in attestation authority in that particular PKI scheme. Localhost is a hostname that means this computer and may be used to access the computer's own network services via its loopback network interface. Using the loopback interface bypasses local network interface hardware. In this case HTTPS://127.0.01 was used and not HTTPS://localhost, so the name in the certificate does not match the address in the browser.

QUESTION NO: 295 Ann a technician received a spear-phishing email asking her to update her personal information by clicking the link within the body of the email. Which of the following type of training would prevent Ann and other employees from becoming victims to such attacks? A. User Awareness B. Acceptable Use Policy C. Personal Identifiable Information D. Information Sharing

Answer: C Explanation: Personally identifiable information (PII) is a catchall for any data that can be used to uniquely identify an individual. This data can be anything from the person's name to a fingerprint (think biometrics), credit card number, or patient record. Employees should be made aware of this type of attack by means of training.

QUESTION NO: 383 A small business needs to incorporate fault tolerance into their infrastructure to increase data availability. Which of the following options would be the BEST solution at a minimal cost? A. Clustering B. Mirrored server C. RAID D. Tape backup

Answer: C Explanation: RAID, or redundant array of independent disks, allows your existing servers to have more than one hard drive so that if the main hard drive fails, the system keeps functioning. RAID can achieve fault tolerance using software, which can be done with the existing hardware and software.

QUESTION NO: 345 A datacenter requires that staff be able to identify whether or not items have been removed from the facility. Which of the following controls will allow the organization to provide automated notification of item removal? A. CCTV B. Environmental monitoring C. RFID D. EMI shielding

Answer: C Explanation: RFID is radio frequency identification. It works with readers that support 13.56 MHz smart cards and 125 kHz proximity cards and can open turnstiles, gates, and any other physical security safeguards once the signal is read. Fitting out the equipment with RFID tags will allow you to provide automated notification of item removal in the event that any of the equipped items is taken off the premises.

QUESTION NO: 360 A network administrator has recently updated their network devices to ensure redundancy is in place so that: A. switches can redistribute routes across the network. B. environmental monitoring can be performed. C. single points of failure are removed. D. hot and cold aisles are functioning.

Answer: C Explanation: Redundancy refers to systems that either are duplicated or fail over to other systems in the event of a malfunction. The best way to remove an SPOF from your environment is to add redundancy.

QUESTION NO: 356 A security administrator is tasked with calculating the total ALE on servers. In a two year period of time, a company has to replace five servers. Each server replacement has cost the company $4,000 with downtime costing $3,000. Which of the following is the ALE for the company? A. $7,000 B. $10,000 C. $17,500 D. $35,000

Answer: C Explanation: SLE × ARO = ALE, where SLE is equal to asset value (AV) times exposure factor (EF), and ARO is the annualized rate of occurrence. SLE = ($4,000 + $3,000) × 5 = $35,000. ARO: the period is 2 years, thus per year it would be 50% = 0.5. The ALE is thus $35,000 × 0.5 = $17,500.

QUESTION NO: 408 A software developer wants to prevent stored passwords from being easily decrypted. When the password is stored by the application, additional text is added to each password before the password is hashed. This technique is known as: A. Symmetric cryptography. B. Private key cryptography. C. Salting. D. Rainbow tables.

Answer: C Explanation: Salting can be used to strengthen the hashing of stored passwords. Though hashing is a one-way algorithm, that does not mean it cannot be attacked. One method of attacking a hash is through rainbow tables, and salt is the countermeasure to rainbow tables. With salt, a password that you typed in and that has been hashed will yield a letter combination other than what you actually typed in when it is attacked with a rainbow table.

QUESTION NO: 224 Which of the following is the GREATEST security risk of two or more companies working together under a Memorandum of Understanding? A. Budgetary considerations may not have been written into the MOU, leaving an entity to absorb more cost than intended at signing. B. MOUs have strict policies in place for services performed between the entities and the penalties for compromising a partner are high. C. MOUs are generally loose agreements and therefore may not have strict guidelines in place to protect sensitive data between the two entities. D. MOUs between two companies working together cannot be held to the same legal standards as SLAs.

Answer: C Explanation: The memorandum of understanding (MOU) is a document used in many settings in the information industry. It is a brief summary of which party is responsible for what portion of the work. For example, Company A may be responsible for maintaining the database server and Company B may be responsible for telecommunications. MOUs are not legally binding, but they carry a degree of seriousness and mutual respect, stronger than a gentlemen's agreement. Often, MOUs are the first steps towards a legal contract.

QUESTION NO: 181 Three of the primary security control types that can be implemented are. A. Supervisory, subordinate, and peer. B. Personal, procedural, and legal. C. Operational, technical, and management. D. Mandatory, discretionary, and permanent.

Answer: C Explanation: The National Institute of Standards and Technology (NIST) places controls into various types. The control types fall into three categories: Management, Operational, and Technical.

QUESTION NO: 306 Results from a vulnerability analysis indicate that all enabled virtual terminals on a router can be accessed using the same password. The company's network device security policy mandates that at least one virtual terminal have a different password than the other virtual terminals. Which of the following sets of commands would meet this requirement? A. line vty 0 6 P@s5W0Rd password line vty 7 Qwer++!Y password B. line console 0 password password line vty 0 4 password P@s5W0Rd C. line vty 0 3 password Qwer++!Y line vty 4 password P@s5W0Rd D. line vty 0 3 password Qwer++!Y line console 0 password P@s5W0Rd

Answer: C Explanation: The VTY lines are the router's virtual terminal lines, used for inbound remote management sessions (Telnet, and SSH when it is enabled). They are virtual in the sense that they are a function of software; no hardware is associated with them. Two numbers follow the keyword vty because a router has more than one VTY line; the default on many Cisco routers is five, so the syntax you will see most often, line vty 0 4, selects all five lines as a range and applies one password to all of them. Option C instead splits the range: line vty 0 3 gets the password Qwer++!Y and line vty 4 gets P@s5W0Rd, so at least one virtual terminal has a different password, as the policy requires. Options B and D configure the console line, which is a physical port rather than a virtual terminal, and option A puts the password value before the password keyword. In a real configuration each line block also needs the login command before the password is actually checked, and clear-text line passwords are weak; prefer SSH with login local and per-user username ... secret entries.

QUESTION NO: 363 Which of the following risks could IT management be mitigating by removing an all-in-one device? A. Continuity of operations B. Input validation C. Single point of failure D. Single sign on

Answer: C Explanation: Combining every function into one device saves cost, but the major disadvantage is that it creates a potential single point of failure, along with reliance on a single vendor. Removing the all-in-one device and separating its functions mitigates that risk.

QUESTION NO: 218 Which of the following defines a business goal for system restoration and acceptable data loss? A. MTTR B. MTBF C. RPO D. Warm site

Answer: C Explanation: The recovery point objective (RPO) defines the point in time to which the system needs to be restored. This could be where the system was two days before it crashed (whip out the old backup tapes) or five minutes before it crashed (requiring complete redundancy). It is an essential business goal insofar as system restoration and acceptable data loss are concerned.

QUESTION NO: 368 A security administrator is reviewing the company's continuity plan. The plan specifies an RTO of six hours and RPO of two days. Which of the following is the plan describing? A. Systems should be restored within six hours and no later than two days after the incident. B. Systems should be restored within two days and should remain operational for at least six hours. C. Systems should be restored within six hours with a minimum of two days worth of data. D. Systems should be restored within two days with a minimum of six hours worth of data.

Answer: C Explanation: The recovery time objective (RTO) is the maximum amount of time that a process or service is allowed to be down with the consequences still considered acceptable. Beyond this time, the break in business continuity is considered to affect the business negatively. The RTO is agreed on during the business impact analysis (BIA). The recovery point objective (RPO) is similar, but it defines the point in time to which the system needs to be restored. This could be where the system was two days before it crashed (whip out the old backup tapes) or five minutes before it crashed (requiring complete redundancy). As a general rule, the closer the RPO is to the time of the crash, the more expensive it is to achieve. Option C matches both values: systems are back within six hours (RTO) and are restored with the data as it stood no more than two days before the incident (RPO).

QUESTION NO: 315 A security administrator has concerns about new types of media which allow for the mass distribution of personal comments to a select group of people. To mitigate the risks involved with this media, employees should receive training on which of the following? A. Peer to Peer B. Mobile devices C. Social networking D. Personally owned devices

Answer: C Explanation: There are many companies that allow full use of social media in the workplace, believing that the marketing opportunities outweigh any loss in productivity. What they are unknowingly minimizing are the threats. Rather than being all new, social networking/media threats tend to be the same old tricks used elsewhere in a new format. For example, a tweet can be sent with a shortened URL so that it does not exceed Twitter's 140-character limit; unfortunately, the user has no idea where the shortened URL leads. This makes training employees about the risks of social networking essential.

QUESTION NO: 182 Which of the following technical controls is BEST used to define which applications a user can install and run on a company issued mobile device? A. Authentication B. Blacklisting C. Whitelisting D. Acceptable use policy

Answer: C Explanation: A whitelist (allow list) is closely related to an ACL: it is a list of items that are permitted, and everything not on it is denied by default. Applied to application control on a mobile device, only listed applications may be installed or run. Blacklisting only blocks applications already known to be bad, and an acceptable use policy is an administrative control, not a technical one.

QUESTION NO: 229 Acme Corp has selectively outsourced proprietary business processes to ABC Services. Due to some technical issues, ABC services wants to send some of Acme Corp's debug data to a third party vendor for problem resolution. Which of the following MUST be considered prior to sending data to a third party? A. The data should be encrypted prior to transport B. This would not constitute unauthorized data sharing C. This may violate data ownership and non-disclosure agreements D. Acme Corp should send the data to ABC Services' vendor instead

Answer: C Explanation: Sending data to a third party is already a risk, since the third party may have a different security policy from yours. Acme Corp owns the data and ABC Services received it under the terms of their outsourcing agreement; passing it on to another vendor for debugging will disclose it, so ABC Services must first check whether that is permitted by the data ownership terms and any non-disclosure agreement, and obtain Acme Corp's consent if it is not. Encrypting the data for transport (A) does not address whether the vendor may see it at all.

QUESTION NO: 189 A company storing data on a secure server wants to ensure it is legally able to dismiss and prosecute staff who intentionally access the server via Telnet and illegally tamper with customer data. Which of the following administrative controls should be implemented to BEST achieve this? A. Command shell restrictions B. Restricted interface C. Warning banners D. Session output pipe to /dev/null

Answer: C Explanation: A warning banner is displayed before login (in Microsoft Windows as an onscreen pop-up; on a server reached over Telnet or SSH, via the login banner, for example /etc/issue.net on Linux) stating that access is for authorized users only, that activity is monitored, and that violators will be prosecuted. Such banners convey warnings or regulatory information that the user must accept in order to use the machine or network. Staff must be made aware that they may legally be prosecuted, and a banner on every login path gives every user that notice, which supports dismissal and prosecution. The other options are technical restrictions, not administrative controls.

QUESTION NO: 314 A security researcher wants to reverse engineer an executable file to determine if it is malicious. The file was found on an underused server and appears to contain a zero-day exploit. Which of the following can the researcher do to determine if the file is malicious in nature? A. TCP/IP socket design review B. Executable code review C. OS Baseline comparison D. Software architecture review

Answer: C Explanation: A zero-day exploit targets a hole in software from the very day the hole is discovered, before a patch exists, so it is very difficult to respond to. Often the only thing a security administrator can do is turn off the affected service, which is costly in productivity but keeps the network safe. Here the goal is to determine whether the executable is malicious. A baseline represents the known-good, secure state of the system, so the researcher can run the file in an isolated environment and compare the resulting system state (files, services, configuration or registry, network listeners) against the OS baseline; any deviation shows what the file changes. A code review would require source code, which an executable does not provide.

QUESTION NO: 183 To help prevent unauthorized access to PCs, a security administrator implements screen savers that lock the PC after five minutes of inactivity. Which of the following controls is being described in this situation? A. Management B. Administrative C. Technical D. Operational

Answer: C Explanation: Controls such as preventing unauthorized access to PCs by applying screen savers that lock the PC after five minutes of inactivity are technical controls, in the same category as identification and authentication, access control, audit and accountability, and system and communication protection.

QUESTION NO: 267 A security administrator needs to image a large hard drive for forensic analysis. Which of the following will allow for faster imaging to a second hard drive? A. cp /dev/sda /dev/sdb bs=8k B. tail -f /dev/sda > /dev/sdb bs=8k C. dd in=/dev/sda out=/dev/sdb bs=4k D. locate /dev/sda /dev/sdb bs=4k

Answer: C Explanation: dd is a command-line utility for Unix and Unix-like operating systems whose primary purpose is to convert and copy data. It can duplicate data across files, devices, partitions and volumes. On Unix, device drivers for hardware (such as hard disks) and special device files (such as /dev/zero and /dev/random) appear in the file system just like normal files, and dd can read from and write to them, provided the driver implements that function. dd can therefore be used for tasks such as backing up the boot sector of a hard drive or obtaining a fixed amount of random data, and it can perform conversions on the data as it is copied, including byte-order swapping and conversion between ASCII and EBCDIC. Copying an entire disk with cp may omit the final block if it is of an unexpected length, whereas dd copies it. The bs= option sets the block size, and a larger block size generally makes imaging faster because fewer read and write calls are needed. Note that the real dd option names are if= (input file) and of= (output file), not in= and out= as printed in the option; the destination disk must be at least as large as the source; and for forensic work you should add conv=noerror,sync so that read errors do not abort the copy, attach the source through a write blocker, and hash both source and image afterwards to prove the copy is complete.

QUESTION NO: 375 Joe, the system administrator, is performing an overnight system refresh of hundreds of user computers. The refresh has a strict timeframe and must have zero downtime during business hours. Which of the following should Joe take into consideration? A. A disk-based image of every computer as they are being replaced. B. A plan that skips every other replaced computer to limit the area of affected users. C. An offsite contingency server farm that can act as a warm site should any issues appear. D. A back-out strategy planned out anticipating any unforeseen problems that may arise.

Answer: D Explanation: A backout is a reversion from a change that had negative consequences. It could be, for example, that everything was working fine until you installed a service pack on a production machine, and then services that were normally available were no longer accessible. The backout, in this instance, would revert the system to the state that it was in before the service pack was applied. Backout plans can include uninstalling service packs, hotfixes, and patches, but they can also include reversing a migration and using previous firmware. A key component to creating such a plan is identifying what events will trigger your implementing the backout.

QUESTION NO: 415 Company A submitted a bid on a contract to do work for Company B via email. Company B was insistent that the bid did not come from Company A. Which of the following would have assured that the bid was submitted by Company A? A. Steganography B. Hashing C. Encryption D. Digital Signatures

Answer: D Explanation: A digital signature is similar in function to a handwritten signature on a document: it validates the integrity of the message and the identity of the sender, and provides non-repudiation. The sender hashes the message and signs the hash with its private key; the signature is sent along with the message, and the recipient verifies it with the sender's public key. Had Company A signed the bid, Company B could have verified that it came from Company A and had not been altered. Hashing alone proves only that the content is unchanged, not who sent it, and encryption alone provides confidentiality, not origin.

QUESTION NO: 195 Which of the following should Pete, a security manager, implement to reduce the risk of employees working in collusion to embezzle funds from their company? A. Privacy Policy B. Least Privilege C. Acceptable Use D. Mandatory Vacations

Answer: D Explanation: A mandatory vacation policy requires all users to take time away from work to refresh. But not only does mandatory vacation give the employee a chance to refresh, but it also gives the company a chance to make sure that others can fill in any gaps in skills and satisfies the need to have replication or duplication at all levels as well as an opportunity to discover fraud.

QUESTION NO: 196 Two members of the finance department have access to sensitive information. The company is concerned they may work together to steal information. Which of the following controls could be implemented to discover if they are working together? A. Least privilege access B. Separation of duties C. Mandatory access control D. Mandatory vacations

Answer: D Explanation: A mandatory vacation policy requires all users to take time away from work to refresh. It also gives the company a chance to make sure that others can fill in any gaps in skills and satisfies the need for replication or duplication at all levels. Mandatory vacations also provide an opportunity to discover fraud: while one of the two is away, another person performs their duties and can notice irregularities, so the policy helps discover whether the two members are working together to steal the information they have access to.

QUESTION NO: 435 After a company has standardized to a single operating system, not all servers are immune to a well-known OS vulnerability. Which of the following solutions would mitigate this issue? A. Host based firewall B. Initial baseline configurations C. Discretionary access control D. Patch management system

Answer: D Explanation: A patch is an update to a system. Sometimes a patch adds new functionality; in other cases, it corrects a bug in the software. Patch Management can thus be used to fix security problems discovered within the OS thus negating a known OS vulnerability.

QUESTION NO: 374 Which of the following is the MOST specific plan for various problems that can arise within a system? A. Business Continuity Plan B. Continuity of Operation Plan C. Disaster Recovery Plan D. IT Contingency Plan

Answer: D Explanation: An IT contingency plan would focus on the IT aspect in particular to ensure business continuity.

QUESTION NO: 286 Which of the following is the LEAST volatile when performing incident response procedures? A. Registers B. RAID cache C. RAM D. Hard drive

Answer: D Explanation: The order of volatility (OOV) ranks evidence from most to least volatile, and evidence should be collected in that order: CPU registers and cache, RAM (including a RAID controller's cache), then disk, and finally CDs/DVDs and printouts. Of the options stated in the question the hard drive is the least volatile.

QUESTION NO: 359 A company's chief information officer (CIO) has analyzed the financial loss associated with the company's database breach. They calculated that one single breach could cost the company $1,000,000 at a minimum. Which of the following documents is the CIO MOST likely updating? A. Succession plan B. Continuity of operation plan C. Disaster recovery plan D. Business impact analysis

Answer: D Explanation: Business impact analysis (BIA) is the process of evaluating all of the critical systems in an organization to define impact and recovery plans. BIA isn't concerned with external threats or vulnerabilities; the analysis focuses on the impact a loss would have on the organization. A BIA comprises the following: identifying critical functions, prioritizing critical business functions, calculating a timeframe for critical systems loss, and estimating the tangible impact on the organization.

QUESTION NO: 274 Computer evidence at a crime scene is documented with a tag stating who had possession of the evidence at a given time. Which of the following does this illustrate? A. System image capture B. Record time offset C. Order of volatility D. Chain of custody

Answer: D Explanation: Chain of custody deals with how evidence is secured, where it is stored, and who has access to it. When you begin to collect evidence, you must keep track of that evidence at all times and show who has it, who has seen it, and where it has been.

QUESTION NO: 232 Developers currently have access to update production servers without going through an approval process. Which of the following strategies would BEST mitigate this risk? A. Incident management B. Clean desk policy C. Routine audits D. Change management

Answer: D Explanation: Change management is a risk mitigation approach: a structured process under which every change to production must be requested, reviewed, approved, tested and documented before it is made, with a back-out plan in case it fails. Enforcing it removes the developers' ability to update production servers without approval, which is exactly the risk described.

QUESTION NO: 310 XYZ Corporation is about to purchase another company to expand its operations. The CEO is concerned about information leaking out, especially with the cleaning crew that comes in at night. The CEO would like to ensure no paper files are leaked. Which of the following is the BEST policy to implement? A. Social media policy B. Data retention policy C. CCTV policy D. Clean desk policy

Answer: D Explanation: Clean Desk Policy Information on a desk—in terms of printouts, pads of note paper, sticky notes, and the like—can be easily seen by prying eyes and taken by thieving hands. To protect data and your business, encourage employees to maintain clean desks and to leave out only those papers that are relevant to the project they are working on at that moment. All sensitive information should be put away when the employee is away from their desk.

QUESTION NO: 249 Encryption of data at rest is important for sensitive information because of which of the following? A. Facilitates tier 2 support, by preventing users from changing the OS B. Renders the recovery of data harder in the event of user password loss C. Allows the remote removal of data following eDiscovery requests D. Prevents data from being accessed following theft of physical equipment

Answer: D Explanation: Encrypting data at rest means that data on stolen equipment (a laptop, a disk, a backup tape) remains unreadable to the thief as long as the thief does not also obtain the encryption key or the passphrase that protects it.

QUESTION NO: 250 A company is trying to limit the risk associated with the use of unapproved USB devices to copy documents. Which of the following would be the BEST technology control to use in this scenario? A. Content filtering B. IDS C. Audit logs D. DLP

Answer: D Explanation: Data loss prevention (DLP) is a strategy for making sure that end users do not send sensitive or critical information outside the corporate network. The term is also used to describe software products that help a network administrator control what data end users can transfer.

QUESTION NO: 259 Which of the following is a Data Loss Prevention (DLP) strategy and is MOST useful for securing data in use? A. Email scanning B. Content discovery C. Database fingerprinting D. Endpoint protection

Answer: D Explanation: Data loss prevention (DLP) systems monitor the contents of systems (workstations, servers and networks) to make sure that key content is not deleted or removed, and monitor who is using and transmitting the data, looking for unauthorized access; they share commonality with network intrusion prevention systems. DLP distinguishes data at rest (in storage, found by content discovery and database fingerprinting), data in motion (covered by email and network scanning) and data in use (being opened, edited, copied or printed on a workstation). Data in use can only be observed on the endpoint itself, so an endpoint protection agent is the DLP strategy for it.

QUESTION NO: 251 Several employees have been printing files that include personally identifiable information of customers. Auditors have raised concerns about the destruction of these hard copies after they are created, and management has decided the best way to address this concern is by preventing these files from being printed. Which of the following would be the BEST control to implement? A. File encryption B. Printer hardening C. Clean desk policies D. Data loss prevention

Answer: D Explanation: Data loss prevention (DLP) systems monitor the contents of systems (workstations, servers and networks) to make sure that key content is not deleted or removed, and monitor who is using and transmitting the data. An endpoint DLP policy can recognize files containing PII and block the print action for them, which prevents the hard copies from being created in the first place and so addresses the auditors' concern.

QUESTION NO: 329 Which of the following should be considered to mitigate data theft when using CAT5 wiring? A. CCTV B. Environmental monitoring C. Multimode fiber D. EMI shielding

Answer: D Explanation: EMI shielding refers to preventing electronic emissions from your computer systems and cabling from being captured to gather intelligence, and preventing outside electronic emissions from disrupting your information processing. Unshielded twisted pair (CAT5) radiates a signal that can be picked up close to the cable, so shielded cabling, or conduit around the runs, mitigates that form of data theft; the other options do not address emanations.

QUESTION NO: 400 Which of the following controls can be used to prevent the disclosure of sensitive information stored on a mobile device's removable media in the event that the device is lost or stolen? A. Hashing B. Screen locks C. Device password D. Encryption

Answer: D Explanation: Encryption is used to ensure the confidentiality of information.

QUESTION NO: 398 After copying a sensitive document from his desktop to a flash drive, Joe, a user, realizes that the document is no longer encrypted. Which of the following can a security technician implement to ensure that documents stored on Joe's desktop remain encrypted when moved to external media or other network based storage? A. Whole disk encryption B. Removable disk encryption C. Database record level encryption D. File level encryption

Answer: D Explanation: Encryption is used to ensure the confidentiality of information. In this case you should make use of file level encryption. File level encryption is a form of disk encryption where individual files or directories are encrypted by the file system itself. This is in contrast to full disk encryption where the entire partition or disk, in which the file system resides, is encrypted.

QUESTION NO: 294 Ann would like to forward some Personal Identifiable Information to her HR department by email, but she is worried about the confidentiality of the information. Which of the following will accomplish this task securely? A. Digital Signatures B. Hashing C. Secret Key D. Encryption

Answer: D Explanation: Encryption is used to prevent unauthorized users from accessing data. Data encryption will support the confidentiality of the email.

QUESTION NO: 330 Environmental control measures include which of the following? A. Access list B. Lighting C. Motion detection D. EMI shielding

Answer: D Explanation: Environmental controls include HVAC, Fire Suppression, EMI Shielding, Hot and Cold Aisles, Environmental monitoring as well as Temperature and Humidity controls.

QUESTION NO: 380 A network administrator has purchased two devices that will act as failovers for each other. Which of the following concepts does this BEST illustrate? A. Authentication B. Integrity C. Confidentiality D. Availability

Answer: D Explanation: Failover refers to the process of reconstructing a system or switching over to other systems when a failure is detected. In the case of a server, the server switches to a redundant server when a fault is detected. This strategy allows service to continue uninterrupted until the primary server can be restored. In the case of a network, this means processing switches to another network path in the event of a network failure in the primary path. This means availability.

QUESTION NO: 436 A security manager requires fencing around the perimeter, and cipher locks on all entrances. The manager is concerned with which of the following security controls? A. Integrity B. Availability C. Confidentiality D. Safety

Answer: D Explanation: Fencing is used to increase physical security and safety. Locks are used to keep those who are unauthorized out.

QUESTION NO: 412 Which of the following would a security administrator use to verify the integrity of a file? A. Time stamp B. MAC times C. File descriptor D. Hash

Answer: D Explanation: A cryptographic hash is a one-way transformation of data into a fixed-length digest. Recording the hash of a file and later recomputing it reveals whether the file has changed: any modification, even of a single bit, produces a different digest. Time stamps, MAC times and file descriptors describe metadata or handles and can change, or be altered, without the content changing.
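The following is an added example, not code from the original page, serving both the dd imaging question (267) above and this hash question: it copies a constructed "disk" file in fixed-size blocks the way dd does, then hashes source and image to verify the copy and shows that a single changed byte in the image is detected. The file names, block size and random contents are assumptions made for the example.

```python
import hashlib
import os
import tempfile
from typing import Dict

# Added example, not code from the original page.

def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def image_device(src: str, dst: str, bs: int = 4096) -> int:
    """Copy src to dst in fixed-size blocks, as `dd if=src of=dst bs=...` does.
    The final block may be shorter than bs and is still written in full, which
    is the behaviour the page contrasts with cp. Returns the bytes written."""
    written = 0
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        while True:
            block = fin.read(bs)
            if not block:
                break
            fout.write(block)
            written += len(block)
    return written


def verify_image(src: str, dst: str) -> bool:
    """Integrity check: the image is acceptable only if both digests agree."""
    return sha256_file(src) == sha256_file(dst)


def demo() -> Dict[str, object]:
    # constructed 'disk' whose size is deliberately not a multiple of the block size
    workdir = tempfile.mkdtemp()
    src = os.path.join(workdir, "sda.img")
    dst = os.path.join(workdir, "sdb.img")
    size = 4096 * 3 + 123
    with open(src, "wb") as f:
        f.write(os.urandom(size))

    written = image_device(src, dst, bs=4096)
    src_hash = sha256_file(src)
    clean = verify_image(src, dst)

    # flip one byte in the middle of the image; the hash check must now fail
    with open(dst, "r+b") as f:
        f.seek(size // 2)
        original = f.read(1)
        f.seek(size // 2)
        f.write(bytes([original[0] ^ 0xFF]))
    tampered = verify_image(src, dst)

    return {"bytes_written": written, "size": size, "src_sha256": src_hash,
            "match": clean, "match_after_tamper": tampered}
```

In a real acquisition the source hash is taken once, recorded in the chain-of-custody notes, and every later copy of the image is checked against it; the digest is what proves in court that the analysed image is the one that was seized.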

QUESTION NO: 238 Which of the following is BEST carried out immediately after a security breach is discovered? A. Risk transference B. Access control revalidation C. Change management D. Incident management

Answer: D Explanation: Incident management is the set of steps followed when a security incident occurs: identifying and containing the incident, eradicating the cause, recovering, and recording lessons learned. It is the immediate response; change management and access revalidation come later.

QUESTION NO: 282 In which of the following steps of incident response does a team analyse the incident and determine steps to prevent a future occurrence? A. Mitigation B. Identification C. Preparation D. Lessons learned

Answer: D Explanation: Incident response procedures involve: preparation; incident identification; escalation and notification; mitigation steps; lessons learned; reporting; recovery/reconstitution procedures; first responder duties; incident isolation (quarantine, device removal); data breach handling; and damage and loss control. Lessons are learned only after the incident has been identified and mitigated, because only then can the team step back, analyse what happened and decide what will prevent the same occurrence in future.

QUESTION NO: 283 After a recent security breach, the network administrator has been tasked to update and backup all router and switch configurations. The security administrator has been tasked to enforce stricter security policies. All users were forced to undergo additional user awareness training. All of these actions are due to which of the following types of risk mitigation strategies? A. Change management B. Implementing policies to prevent data loss C. User rights and permissions review D. Lessons learned

Answer: D Explanation: Incident response procedures involve: preparation; incident identification; escalation and notification; mitigation steps; lessons learned; reporting; recovery/reconstitution procedures; first responder duties; incident isolation (quarantine, device removal); data breach handling; and damage and loss control. The question describes a security breach and the response to it: the lessons learned have been used to put in place measures (backed-up configurations, stricter policies, additional awareness training) that will prevent future breaches of the same kind.

QUESTION NO: 279 The Chief Technical Officer (CTO) has tasked The Computer Emergency Response Team (CERT) to develop and update all Internal Operating Procedures and Standard Operating Procedures documentation in order to successfully respond to future incidents. Which of the following stages of the Incident Handling process is the team working on? A. Lessons Learned B. Eradication C. Recovery D. Preparation

Answer: D Explanation: Incident response procedures involve: preparation; incident identification; escalation and notification; mitigation steps; lessons learned; reporting; recovery/reconstitution procedures; first responder duties; incident isolation (quarantine, device removal); data breach handling; and damage and loss control. Developing and updating the internal operating and standard operating procedures that will be used to handle future incidents is preparation.

QUESTION NO: 301 Which of the following security awareness training is BEST suited for data owners who are concerned with protecting the confidentiality of their data? A. Social networking use training B. Personally owned device policy training C. Tailgating awareness policy training D. Information classification training

Answer: D Explanation: Information classification is done by confidentiality and comprises of three categories, namely: public use, internal use and restricted use. Knowing these categories and how to handle data according to its category is essential in protecting the confidentiality of the data.

QUESTION NO: 271 The incident response team has received the following email message. From: [email protected] To: [email protected] Subject: Copyright infringement A copyright infringement alert was triggered by IP address 13.10.66.5 at 09:50:01 GMT. After reviewing the following web logs for IP 13.10.66.5, the team is unable to correlate and identify the incident. 09:45:33 13.10.66.5 http://remote.site.com/login.asp?user=john 09:50:22 13.10.66.5 http://remote.site.com/logout.asp?user=anne 10:50:01 13.10.66.5 http://remote.site.com/access.asp?file=movie.mov 11:02:45 13.10.65.5 http://remote.site.com/download.asp?movie.mov=ok Which of the following is the MOST likely reason why the incident response team is unable to identify and correlate the incident? A. The logs are corrupt and no longer forensically sound. B. Traffic logs for the incident are unavailable. C. Chain of custody was not properly maintained. D. Incident time offsets were not accounted for.

Answer: D Explanation: It is quite common for workstation times to be off slightly from actual time, and that can happen with servers as well. Since a forensic investigation is usually dependent on a step-by-step account of what has happened, being able to follow events in the correct time sequence is critical. Because of this, it is imperative to record the time offset on each affected machine during the investigation. One method of assisting with this is to add an entry to a log file and note the time that this was done and the time associated with it on the system.

QUESTION NO: 272 A system administrator is responding to a legal order to turn over all logs from all company servers. The system administrator records the system time of all servers to ensure that: A. HDD hashes are accurate. B. the NTP server works properly. C. chain of custody is preserved. D. time offset can be calculated.

Answer: D Explanation: It is quite common for workstation times to be off slightly from actual time, and that can happen with servers as well. Since a forensic investigation is usually dependent on a step-by-step account of what has happened, being able to follow events in the correct time sequence is critical. Because of this, it is imperative to record the time offset on each affected machine during the investigation. One method of assisting with this is to add an entry to a log file and note the time that this was done and the time associated with it on the system.
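The following is an added example, not code from the original page, covering both time-offset questions (271 and 272) above: it records a per-host clock offset at collection time, normalises the web log from question 271 to reference (GMT) time, and then correlates it with the alert. The log lines are those shown in the question (spacing normalised); the clock readings taken at collection are an assumption made for the example.

```python
from datetime import datetime, timedelta
from typing import List, Tuple

# Added example, not code from the original page.
FMT = "%H:%M:%S"

# Alert and log lines as shown in question 271 (times only, same day).
ALERT_IP = "13.10.66.5"
ALERT_TIME = "09:50:01"            # GMT, from the copyright notice
WEB_LOG = """09:45:33 13.10.66.5 http://remote.site.com/login.asp?user=john
09:50:22 13.10.66.5 http://remote.site.com/logout.asp?user=anne
10:50:01 13.10.66.5 http://remote.site.com/access.asp?file=movie.mov
11:02:45 13.10.65.5 http://remote.site.com/download.asp?movie.mov=ok""".splitlines()

# Assumption for the example: when the responder collected the log, the web
# server's clock read 10:00:00 while a trusted GMT reference read 09:00:00.
HOST_CLOCK_AT_COLLECTION = "10:00:00"
REFERENCE_CLOCK_AT_COLLECTION = "09:00:00"


def _t(s: str) -> datetime:
    return datetime.strptime(s, FMT)


def measure_offset(host_clock: str, reference_clock: str) -> timedelta:
    """Offset = host clock minus trusted reference, recorded per machine at collection."""
    return _t(host_clock) - _t(reference_clock)


def parse_line(line: str) -> Tuple[datetime, str, str]:
    ts, ip, url = line.split(" ", 2)
    return _t(ts), ip, url


def normalise(lines: List[str], offset: timedelta) -> List[Tuple[datetime, str, str]]:
    """Convert host-local timestamps to reference (GMT) time."""
    return [(ts - offset, ip, url) for ts, ip, url in map(parse_line, lines)]


def correlate(lines: List[str], offset: timedelta, alert_time: str, alert_ip: str,
              window: timedelta = timedelta(seconds=5)) -> List[Tuple[str, str, str]]:
    """Return normalised log entries from alert_ip within `window` of the alert."""
    target = _t(alert_time)
    hits = []
    for ts, ip, url in normalise(lines, offset):
        if ip == alert_ip and abs(ts - target) <= window:
            hits.append((ts.strftime(FMT), ip, url))
    return hits


def demo():
    """Without the offset nothing lines up; with it the 10:50:01 access matches."""
    raw = correlate(WEB_LOG, timedelta(0), ALERT_TIME, ALERT_IP)
    offset = measure_offset(HOST_CLOCK_AT_COLLECTION, REFERENCE_CLOCK_AT_COLLECTION)
    fixed = correlate(WEB_LOG, offset, ALERT_TIME, ALERT_IP)
    return raw, offset, fixed
```

The offset has to be measured on each machine separately and written down with the evidence, because every server can drift by a different amount; applying one host's offset to another host's log would simply move the mismatch around.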

QUESTION NO: 198 While rarely enforced, mandatory vacation policies are effective at uncovering: A. Help desk technicians with oversight by multiple supervisors and detailed quality control systems. B. Collusion between two employees who perform the same business function. C. Acts of incompetence by a systems engineer designing complex architectures as a member of a team. D. Acts of gross negligence on the part of system administrators with unfettered access to system and no oversight.

Answer: D Explanation: When an administrator is forced to take a vacation, someone else must step into the role (in effect a job rotation) and perform the same tasks, including privilege reviews. That substitute will notice what the absent administrator did or failed to do, so the policy uncovers neglected duties and other acts of gross negligence by an administrator who otherwise has unfettered access and no oversight. The other options describe staff who already have supervision or work within a team, where negligence is caught anyway.

QUESTION NO: 342 Visitors entering a building are required to close the back door before the front door of the same entry room is open. Which of the following is being described? A. Tailgating B. Fencing C. Screening D. Mantrap

Answer: D Explanation: Mantraps are designed to physically contain an unauthorized, potentially hostile individual until authorities arrive. They are typically built with bulletproof glass, high-strength doors and locks, and admit only a small number of people at a time, depending on their size; some even include scales that weigh the occupant. The doors are interlocked so that one opens only when the other is closed, never both at once. This means the back door must close before the front door will open, which is exactly what is described in this scenario.

QUESTION NO: 392 Which of the following can be utilized in order to provide temporary IT support during a disaster, where the organization sets aside funds for contingencies, but does not necessarily have a dedicated site to restore those services? A. Hot site B. Warm site C. Cold site D. Mobile site

Answer: D Explanation: A mobile site is a portable recovery facility (for example a trailer fitted out with computing and network equipment) that can be brought to wherever it is needed. An organization that has set aside contingency funds but has no dedicated recovery site can contract for one when a disaster occurs, and depending on how it is equipped it can fill the role of a hot, warm or cold site.

QUESTION NO: 321 Which of the following statements is MOST likely to be included in the security awareness training about P2P? A. P2P is always used to download copyrighted material. B. P2P can be used to improve computer system response. C. P2P may prevent viruses from entering the network. D. P2P may cause excessive network bandwidth.

Answer: D Explanation: P2P file-sharing clients upload to other peers as well as download, so a single client can consume a large share of the available bandwidth and degrade the network for everyone else. That, together with the risk of exposing internal files through shared folders, is why awareness training addresses P2P. The other options are either a false generalization (A) or claim benefits that P2P does not provide (B, C).

QUESTION NO: 376 Which of the following concepts is BEST described as developing a new chain of command in the event of a contingency? A. Business continuity planning B. Continuity of operations C. Business impact analysis D. Succession planning

Answer: D Explanation: Succession planning outlines those internal to the organization who have the ability to step into positions when they open. By identifying key roles that cannot be left unfilled and associating internal employees who can step into these roles, you can groom those employees to make sure that they are up to speed when it comes time for them to fill those positions.

QUESTION NO: 351 Which of the following preventative controls would be appropriate for responding to a directive to reduce the attack surface of a specific host? A. Installing anti-malware B. Implementing an IDS C. Taking a baseline configuration D. Disabling unnecessary services

Answer: D Explanation: Preventive controls stop something from happening before it occurs: locked doors that keep intruders out, user training that keeps staff vigilant and alert, or biometric devices and guards that deny access until authentication has succeeded. Every enabled service is a potential attack vector that someone could exploit against the system, so disabling the services a host does not need removes those vectors and reduces its attack surface. Best practice is to enable only the services that are absolutely required. A baseline configuration (C) only records the current state for later comparison; it does not by itself reduce the attack surface.
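An added example (not from the original page) of how an administrator checks that directive on a Linux host: compare the listening TCP sockets reported by `ss -tlnp` against an allowlist of the services the host's role is supposed to expose, and report everything else as attack surface to disable. The `ss` output below is constructed in the tool's format rather than captured from a real machine, and the allowlist is a hypothetical one for a web server.

```python
import re

# Constructed sample in the format of `ss -tlnp` (listening TCP sockets); not a real capture.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      4096   127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=900,fd=7))
LISTEN 0      511    *:80                *:*               users:(("nginx",pid=1201,fd=6))
LISTEN 0      50     0.0.0.0:445         0.0.0.0:*         users:(("smbd",pid=1333,fd=38))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))
"""

# Hypothetical allowlist for this host's role: process name -> ports it may expose.
ALLOWED = {"sshd": {22}, "nginx": {80, 443}}

PROC_RE = re.compile(r'\("([^"]+)"')


def exposure(addr: str) -> str:
    """Loopback listeners are reachable only from the host itself."""
    return "local" if addr in ("127.0.0.1", "[::1]") else "network"


def parse_listeners(text: str):
    """Yield (process, address, port) for each LISTEN line of ss -tlnp output."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] != "LISTEN":
            continue                      # header or non-listening socket
        addr, port = fields[3].rsplit(":", 1)
        m = PROC_RE.search(line)
        proc = m.group(1) if m else "?"
        yield proc, addr, int(port)


def unexpected_listeners(text: str, allowed: dict):
    """Return (process, port, exposure, reason) for listeners the allowlist does not justify."""
    findings = []
    for proc, addr, port in parse_listeners(text):
        if proc not in allowed:
            findings.append((proc, port, exposure(addr), "service not in allowlist: disable it"))
        elif port not in allowed[proc]:
            findings.append((proc, port, exposure(addr), "allowed service on unexpected port"))
    # Loopback-only listeners are lower risk but are still attack surface for local
    # privilege escalation, so they are reported rather than silently skipped.
    return findings


if __name__ == "__main__":
    for finding in unexpected_listeners(SAMPLE_SS, ALLOWED):
        print(finding)
```

Run against a real host, feed it `ss -tlnp` output (and `ss -ulnp` for UDP); the findings are the services to stop and mask. The allowlist is the important artefact: it is the host's baseline in executable form, and any new listener that appears later is an unexplained change.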

QUESTION NO: 365 Upper management decides which risk to mitigate based on cost. This is an example of: A. Qualitative risk assessment B. Business impact analysis C. Risk management framework D. Quantitative risk assessment

Answer: D Explanation: Quantitative risk assessment assigns monetary values to assets, expected losses and controls (for example showing that replacing a server before it fails costs less than replacing it after the failure). Deciding which risks to mitigate on the basis of cost therefore relies on a quantitative assessment; a qualitative assessment (A) ranks risks by categories such as high, medium and low rather than in dollar amounts.

QUESTION NO: 385 Which of the following provides data the best fault tolerance at the LOWEST cost? A. Load balancing B. Clustering C. Server virtualization D. RAID 6

Answer: D Explanation: RAID (redundant array of independent disks) lets a server spread data across several disks so that it keeps functioning when a disk fails. RAID 6 stores two independent parity blocks per stripe, so any two disks can fail at the same time without data loss. Because it can be implemented in software on disks the server already has, it provides fault tolerance at the lowest cost of the options listed; load balancing, clustering and virtualization all require additional servers or infrastructure.
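An added example (my own illustration, not code from the page) of what "two independent parity blocks" buys you. It models one byte of a RAID 6 stripe: P is the XOR of the data blocks, and Q is a Reed-Solomon-style syndrome computed in GF(2^8) with generator 2, which is what allows any two data disks to be rebuilt. The stripe contents are constructed sample bytes.

```python
# Byte-level model of RAID 6 dual parity (added example, not from the page).
POLY = 0x11D  # reducing polynomial x^8 + x^4 + x^3 + x^2 + 1 for GF(2^8)


def gf_mul(a: int, b: int) -> int:
    """Multiply two GF(2^8) elements (carry-less multiply with reduction)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= POLY
        b >>= 1
    return r


def gf_pow(a: int, n: int) -> int:
    r = 1
    for _ in range(n):
        r = gf_mul(r, a)
    return r


def gf_inv(a: int) -> int:
    """Multiplicative inverse: a^254 == a^-1 because a^255 == 1 for a != 0."""
    return gf_pow(a, 254)


def parity(data):
    """Compute (P, Q) for one stripe; data is a list of per-disk byte values."""
    p = q = 0
    for i, d in enumerate(data):
        p ^= d
        q ^= gf_mul(gf_pow(2, i), d)   # coefficient g^i for disk i, generator g = 2
    return p, q


def recover_two(data, p, q, x, y):
    """Rebuild data disks x and y (both lost, given as None) from the survivors plus P and Q."""
    assert x != y
    if x > y:
        x, y = y, x
    # Fold the surviving data out of P and Q, leaving two equations in Dx and Dy:
    #   Dx ^ Dy = pxy          and          g^x*Dx ^ g^y*Dy = qxy
    pxy, qxy = p, q
    for i, d in enumerate(data):
        if i in (x, y):
            continue
        pxy ^= d
        qxy ^= gf_mul(gf_pow(2, i), d)
    gx, gy = gf_pow(2, x), gf_pow(2, y)
    # Substitute Dy = pxy ^ Dx:  (g^x ^ g^y) * Dx = qxy ^ g^y * pxy
    dx = gf_mul(qxy ^ gf_mul(gy, pxy), gf_inv(gx ^ gy))
    dy = pxy ^ dx
    rebuilt = list(data)
    rebuilt[x], rebuilt[y] = dx, dy
    return rebuilt


def demo() -> bool:
    """Four data disks plus P and Q; lose disks 1 and 3 and rebuild them."""
    stripe = [0x41, 0x99, 0x7C, 0x03]      # constructed sample bytes
    p, q = parity(stripe)
    damaged = list(stripe)
    damaged[1] = damaged[3] = None          # simulate two failed disks
    return recover_two(damaged, p, q, 1, 3) == stripe
```

With P alone (RAID 5) the first equation is all you have, and one unknown per stripe is the limit; the second syndrome is what turns "one disk may fail" into "any two". Losing a data disk and a parity disk is the easier case and reduces to RAID 5 style recovery, which is why the two-data-disk case is the one shown.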

QUESTION NO: 433 A company recently experienced data loss when a server crashed due to a midday power outage. Which of the following should be used to prevent this from occurring again? A. Recovery procedures B. EMI shielding C. Environmental monitoring D. Redundancy

Answer: D Explanation: Redundancy means duplicating a component or system so that a spare takes over when the primary fails. For a power outage that means redundant power (a UPS and/or generator, or dual power supplies fed from separate circuits) and, for the service itself, a redundant server that can take over. Failover is the process of switching to the redundant component when a fault is detected, so that service continues until the primary is restored. Environmental monitoring (C) would only have reported the outage; it would not have kept the server running.

QUESTION NO: 219 Sara, the Chief Security Officer (CSO), has had four security breaches during the past two years. Each breach has cost the company $3,000. A third party vendor has offered to repair the security hole in the system for $25,000. The breached system is scheduled to be replaced in five years. Which of the following should Sara do to address the risk? A. Accept the risk saving $10,000. B. Ignore the risk saving $5,000. C. Mitigate the risk saving $10,000. D. Transfer the risk saving $5,000.

Answer: D Explanation: Four breaches in two years at $3,000 each is $12,000, an annualized loss of $6,000; over the five years until the system is replaced that is $30,000. Paying the vendor $25,000 to close the hole therefore saves $5,000, which rules out the $10,000 options. Having a third party take on the repair is treated here as transferring the risk: risk transference means shifting some of the risk burden to someone else, such as a vendor or an insurance company.

QUESTION NO: 246 The security administrator is currently unaware of an incident that occurred a week ago. Which of the following will ensure the administrator is notified in a timely manner in the future? A. User permissions reviews B. Incident response team C. Change management D. Routine auditing

Answer: D Explanation: Routine audits are carried out after security controls have been implemented based on risk. They review aspects such as user rights and permissions and specific events (failed logins, alerts, configuration changes), so an incident that would otherwise go unnoticed is surfaced at the next scheduled audit rather than weeks later.

QUESTION NO: 289 Sara, a company's security officer, often receives reports of unauthorized personnel having access codes to the cipher locks of secure areas in the building. Sara should immediately implement which of the following? A. Acceptable Use Policy B. Physical security controls C. Technical controls D. Security awareness training

Answer: D Explanation: Access codes reaching unauthorized people means staff are sharing or writing down the codes, which is a behaviour problem rather than a failure of the locks themselves, so awareness training is the immediate response (alongside changing the codes). Security awareness and training explain policies, procedures and current threats to both users and management, and a good program for the entire organization covers: the importance of security; the responsibilities of people in the organization; policies and procedures; usage policies; account and password selection criteria; and social engineering prevention.

QUESTION NO: 208 A user in the company is in charge of various financial roles but needs to prepare for an upcoming audit. They use the same account to access each financial system. Which of the following security controls will MOST likely be implemented within the company? A. Account lockout policy B. Account password enforcement C. Password complexity enabled D. Separation of duties

Answer: D Explanation: Separation of duties splits a sensitive process so that no single person controls it from beginning to end, and it means that distinct roles get distinct accounts and permissions. A user who performs several financial roles through one account makes it impossible for an audit to attribute each action to a specific role, so the company will most likely separate the roles and the credentials used for each. (Granting users only the permissions they need is least privilege, a related but different principle.)

QUESTION NO: 316 The information security team does a presentation on social media and advises the participants not to provide too much personal information on social media web sites. This advice would BEST protect people from which of the following? A. Rainbow tables attacks B. Brute force attacks C. Birthday attacks D. Cognitive passwords attacks

Answer: D Explanation: Cognitive passwords are security questions such as a mother's maiden name, a first pet or a favourite film. Social media amplifies the danger because it is designed to mass-distribute personal messages; an employee who reveals too much personal information hands an attacker the answers needed to pass those questions, or the material to guess passwords built from them.

QUESTION NO: 223 Users can authenticate to a company's web applications using their credentials from a popular social media site. Which of the following poses the greatest risk with this integration? A. Malicious users can exploit local corporate credentials with their social media credentials B. Changes to passwords on the social media site can be delayed from replicating to the company C. Data loss from the corporate servers can create legal liabilities with the social media site D. Password breaches to the social media site affect the company application as well

Answer: D Explanation: Linking the company's application to credentials that users hold on a social media site ties the application's security to that site's security: if the social media site is breached, or a user's password there is phished, the attacker can log in to the company application with the same credentials. The integration exposes the application far more than necessary, and where possible you should practise risk avoidance.

QUESTION NO: 311 Which of the following could a security administrator implement to mitigate the risk of tailgating for a large organization? A. Train employees on correct data disposal techniques and enforce policies. B. Only allow employees to enter or leave through one door at specified times of the day. C. Only allow employees to go on break one at a time and post security guards 24/7 at each entrance. D. Train employees on risks associated with social engineering attacks and enforce policies.

Answer: D Explanation: Tailgating is the term used for someone following so closely behind you when you enter a building that they come in right behind you without needing a key, a card, or any other security device. Many social engineering intruders who need physical access to a site use this method of gaining entry. Educate users to beware of this and other social engineering ploys, and enforce a policy that everyone badges in individually and challenges (or reports) anyone who does not.

QUESTION NO: 346 Datacenter access is controlled with proximity badges that record all entries and exits from the datacenter. The access records are used to identify which staff members accessed the data center in the event of equipment theft. Which of the following MUST be prevented in order for this policy to be effective? A. Password reuse B. Phishing C. Social engineering D. Tailgating

Answer: D Explanation: Tailgating is the term used for someone following so closely behind you when you enter a building that they come in right behind you without needing a key, a card, or any other security device. The badge records can only identify who was in the datacenter if every person who entered actually badged in, so tailgating must be prevented for the policy to work.
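An added example (not from the page) of the check a security team can run over the badge records to see whether the policy is actually holding: an anti-passback replay. Someone who tailgated in shows up later as an exit with no matching entry, and someone who tailgated out shows up as an entry while the log still has them inside. The records below are constructed, with hypothetical badge holders.

```python
# Constructed badge-reader records for a datacenter door (added example, not from the page).
# Each record is (ISO timestamp, badge holder, event); ISO timestamps sort as strings.
SAMPLE_RECORDS = [
    ("2024-03-01T08:00:12", "alice", "entry"),
    ("2024-03-01T08:01:40", "bob",   "entry"),
    ("2024-03-01T08:30:05", "alice", "exit"),
    ("2024-03-01T08:31:00", "carol", "exit"),   # no matching entry: carol tailgated in
    ("2024-03-01T08:45:10", "bob",   "entry"),  # already inside: bob tailgated out earlier
    ("2024-03-01T09:10:00", "bob",   "exit"),
]


def anti_passback(records):
    """Replay badge events and flag sequences that only tailgating can produce.

    Returns (violations, inside): violations is a list of
    (timestamp, badge holder, description), inside is the set of people the log
    believes are still in the room when the replay ends.
    """
    inside = set()
    violations = []
    for ts, who, event in sorted(records):
        if event == "entry":
            if who in inside:
                violations.append((ts, who, "entry while already inside (left without badging out)"))
            inside.add(who)
        elif event == "exit":
            if who not in inside:
                violations.append((ts, who, "exit without a recorded entry (entered by tailgating)"))
            inside.discard(who)
        else:
            raise ValueError(f"unknown event {event!r}")
    return violations, inside


def people_inside_at(records, timestamp):
    """Who the badge log places in the datacenter at a given time (e.g. when a theft occurred)."""
    inside = set()
    for ts, who, event in sorted(records):
        if ts > timestamp:
            break
        if event == "entry":
            inside.add(who)
        else:
            inside.discard(who)
    return inside


if __name__ == "__main__":
    for v in anti_passback(SAMPLE_RECORDS)[0]:
        print(*v)
    print("inside at 08:40:", people_inside_at(SAMPLE_RECORDS, "2024-03-01T08:40:00"))
```

The second function shows the gap the question is pointing at: at 08:40 the log says only bob was inside, while carol was in the room the whole time and never appears. Badge readers on the exit door (so that leaving also requires a swipe) are what make the replay possible at all; with a push-bar exit there is no exit record to compare against.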

QUESTION NO: 355 Key elements of a business impact analysis should include which of the following tasks? A. Develop recovery strategies, prioritize recovery, create test plans, post-test evaluation, and update processes. B. Identify institutional and regulatory reporting requirements, develop response teams and communication trees, and develop press release templates. C. Employ regular preventive measures such as patch management, change management, antivirus and vulnerability scans, and reports to management. D. Identify critical assets systems and functions, identify dependencies, determine critical downtime limit, define scenarios by type and scope of impact, and quantify loss potential.

Answer: D Explanation: The key components of a business impact analysis (BIA) are: identifying critical functions; prioritizing critical business functions; calculating a timeframe for critical systems loss; and estimating the tangible and intangible impact on the organization.

QUESTION NO: 333 Which of the following is an effective way to ensure the BEST temperature for all equipment within a datacenter? A. Fire suppression B. Raised floor implementation C. EMI shielding D. Hot or cool aisle containment

Answer: D Explanation: Servers in a data center sit in rows of racks, and the rows are known as aisles. In a hot aisle/cold aisle layout the racks are arranged so that the air intakes of two facing rows look onto a shared cold aisle (fed with chilled air, often from under a raised floor) and their exhausts blow into a shared hot aisle, from which the warm air is returned to the cooling units. Containment adds barriers that physically separate the hot and cold aisles so that exhaust air is not drawn back into the intakes. This directed, constant circulation is the most effective of the options listed for keeping all equipment at the right temperature; a raised floor (B) on its own is only part of that design.

QUESTION NO: 228 A security administrator plans on replacing a critical business application in five years. Recently, there was a security flaw discovered in the application that will cause the IT department to manually re-enable user accounts each month at a cost of $2,000. Patching the application today would cost $140,000 and take two months to implement. Which of the following should the security administrator do in regards to the application? A. Avoid the risk to the user base allowing them to re-enable their own accounts B. Mitigate the risk by patching the application to increase security and saving money C. Transfer the risk replacing the application now instead of in five years D. Accept the risk and continue to enable the accounts each month saving money

Answer: D Explanation: Over the five years until replacement, re-enabling the accounts costs $2,000 x 12 x 5 = $120,000, which is less than the $140,000 patch, so accepting the risk is the cheaper course. Risk acceptance is often the choice you must make when the cost of any of the other responses (risk deterrence, mitigation, transference or avoidance) exceeds the value of the harm that would occur if the risk came to fruition.

QUESTION NO: 213 An IT security manager is asked to provide the total risk to the business. Which of the following calculations would he security manager choose to determine total risk? A. (Threats X vulnerability X asset value) x controls gap B. (Threats X vulnerability X profit) x asset value C. Threats X vulnerability X control gap D. Threats X vulnerability X asset value

Answer: D Explanation: Total risk is the product of threats, vulnerabilities and asset value. Applying the controls gap to that product (option A) gives the residual risk, the risk that remains after existing controls are taken into account, so it is not the total. In the quantitative risk formulas the related quantity asset value (AV) times exposure factor (EF) gives the single loss expectancy (SLE) for one occurrence.

QUESTION NO: 397 Which of the following is the BEST concept to maintain required but non-critical server availability? A. SaaS site B. Cold site C. Hot site D. Warm site

Answer: D Explanation: Warm sites provide computer systems and compatible media capabilities. If a warm site is used, administrators and other staff will need to install and configure systems to resume operations, which takes longer than a hot site but costs far less; that trade-off fits servers that are required but not critical. For most organizations, a warm site could be a remote office, a leased facility, or another organization with which yours has a reciprocal agreement.

QUESTION NO: 200 Which of the following should Joe, a security manager, implement to reduce the risk of employees working in collusion to embezzle funds from his company? A. Privacy Policy B. Least Privilege C. Acceptable Use D. Mandatory Vacations

Answer: D Explanation: When one person fills in for another, such as for mandatory vacations, it provides an opportunity to see what the person is doing and potentially uncover any fraud.

QUESTION NO: 399 Customers' credit card information was stolen from a popular video streaming company. A security consultant determined that the information was stolen, while in transit, from the gaming consoles of a particular vendor. Which of the following methods should the company consider to secure this data in the future? A. Application firewalls B. Manual updates C. Firmware version control D. Encrypted TCP wrappers

Answer: D Explanation: The data was taken in transit, between the consoles and the company's service, so the control that addresses it is encrypting that connection (wrapping the TCP session in TLS) so that a captured stream yields no card data. Note that the TCP Wrapper package (tcpd) found on Unix-like systems such as Linux or BSD is a host-based network ACL: it filters access to services by client host or subnetwork address, name, or inetd query reply, and provides access control, not encryption. It should be used together with a properly configured firewall rather than as a replacement for one, and on its own it would not have protected this data in transit. Firmware version control (C) and manual updates (B) address the consoles' software rather than the channel, and an application firewall (A) inspects requests rather than protecting confidentiality on the wire.
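An added example (not from the page) of the setting that decides whether "encrypted" actually protects card data in transit: a TLS client that does not verify the server's certificate can be silently intercepted, because an attacker on the path can present any certificate and terminate the session themselves. The weak and corrected client contexts are shown side by side using Python's standard `ssl` module, with a small audit function; no network connection is made, and the `ca_file` parameter is a hypothetical path to a private CA bundle.

```python
import ssl


def insecure_client_context() -> ssl.SSLContext:
    """The weak setting: TLS is negotiated but the server is never authenticated,
    so a man-in-the-middle can present any certificate and read the card data."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode is relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(ca_file: str = None) -> ssl.SSLContext:
    """The corrected setting: verify the certificate chain and hostname and refuse
    legacy protocol versions. ca_file is an optional private CA bundle (hypothetical
    path supplied by the caller); with None the system trust store is used."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # implies CERT_REQUIRED and check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    else:
        ctx.load_default_certs()
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the weaknesses found in a client SSLContext (empty list if acceptable)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS/SSL versions allowed")
    return findings


if __name__ == "__main__":
    print("insecure:", audit_context(insecure_client_context()))
    print("hardened:", audit_context(hardened_client_context()))
    # Usage on a real connection (not run here):
    #   with socket.create_connection((host, 443)) as raw, \
    #        hardened_client_context().wrap_socket(raw, server_hostname=host) as tls:
    #       tls.sendall(request)
```

Client firmware for an embedded device often ends up with the first form because certificate validation "broke" during development; the audit function is the kind of check a code reviewer or a unit test can apply to every context the code creates so that the weak form does not ship.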

QUESTION NO: 239 A security analyst informs the Chief Executive Officer (CEO) that a security breach has just occurred. This results in the Risk Manager and Chief Information Officer (CIO) being caught unaware when the CEO asks for further information. Which of the following strategies should be implemented to ensure the Risk Manager and CIO are not caught unaware in the future? A. Procedure and policy management B. Chain of custody management C. Change management D. Incident management

Answer: D Explanation: Incident management defines the steps followed when a security event such as a breach occurs, including who must be notified, in what order, and how quickly. A documented escalation and communication path would have ensured that the Risk Manager and CIO were briefed at the same time as the CEO rather than learning of the breach from him.

QUESTION NO: 216 A software company has completed a security assessment. The assessment states that the company should implement fencing and lighting around the property. Additionally, the assessment states that production releases of their software should be digitally signed. Given the recommendations, the company was deficient in which of the following core security areas? (Select TWO). A. Fault tolerance B. Encryption C. Availability D. Integrity E. Safety F. Confidentiality

Answer: D,E Explanation: Fencing, proper lighting, locks, CCTV, escape plans, drills, escape routes and the testing of those controls form part of safety controls. Integrity covers hashing, digital signatures, certificates and non-repudiation, all of which have to do with data integrity; signing production releases lets customers verify that the software they install is the software the company built.

QUESTION NO: 299 Used in conjunction, which of the following are PII? (Select TWO). A. Marital status B. Favorite movie C. Pet's name D. Birthday E. Full name

Answer: D,E Explanation: Personally identifiable information (PII) is a catchall for any data that can be used to uniquely identify an individual. This data can be anything from the person's name to a fingerprint (think biometrics), credit card number, or patient record. A birthday together with a full name makes it personally identifiable information.

QUESTION NO: 422 Joe, a user, wants to send an encrypted email to Ann. Which of the following will Ann need to use to verify that the email came from Joe and decrypt it? (Select TWO). A. The CA's public key B. Ann's public key C. Joe's private key D. Ann's private key E. The CA's private key F. Joe's public key

Answer: D,F Explanation: Two key pairs are involved. To prove the email came from him, Joe signs it with his own private key (in practice by hashing the message and signing the hash); Ann verifies the signature with Joe's public key (F), and because the hash is part of the check she also learns whether the message was altered, intentionally or accidentally, in transit. To keep the contents confidential, Joe encrypts the email with Ann's public key, and only Ann's private key (D) can decrypt it. Joe's private key never leaves Joe, and Ann's public key is used by Joe rather than by Ann, so A, B, C and E are not what Ann needs.
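An added example (my own, not from the page) that walks the two key pairs through the exchange so that which key is used where is unambiguous. It is textbook RSA with tiny hard-coded primes and no padding, plus a SHA-256 counter stream as the symmetric layer, and is useful only for showing the roles of the keys: real mail uses padded RSA or modern schemes through a vetted library. Joe's and Ann's key parameters, the message, and the function names are all constructed for the illustration.

```python
import hashlib
import secrets

# Toy RSA for demonstrating key roles only (added example, not from the page). NOT SECURE:
# tiny primes, no padding, hash truncated into the modulus.


def keypair(p: int, q: int, e: int = 17):
    """Return (public, private) as (e, n), (d, n) for toy primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # modular inverse (Python 3.8+)
    return (e, n), (d, n)


# Constructed toy keys: Joe's pair is for signing, Ann's pair is for confidentiality.
JOE_PUB, JOE_PRIV = keypair(61, 53)      # n = 3233
ANN_PUB, ANN_PRIV = keypair(67, 71)      # n = 4757


def digest(message: bytes, n: int) -> int:
    """SHA-256 of the message, reduced into the toy modulus so it can be signed."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def keystream_xor(key: int, data: bytes) -> bytes:
    """Symmetric layer: XOR with a SHA-256 counter stream derived from the session key."""
    out = bytearray()
    for block in range(0, len(data), 32):
        ks = hashlib.sha256(key.to_bytes(4, "big") + block.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[block:block + 32], ks))
    return bytes(out)


def joe_send(message: bytes):
    """Joe signs with HIS private key and encrypts for Ann with ANN's public key."""
    d, n = JOE_PRIV
    signature = pow(digest(message, n), d, n)
    e, n_ann = ANN_PUB
    session_key = secrets.randbelow(n_ann - 2) + 2
    wrapped_key = pow(session_key, e, n_ann)        # only Ann's private key unwraps this
    ciphertext = keystream_xor(session_key, message)
    return wrapped_key, ciphertext, signature


def ann_receive(wrapped_key: int, ciphertext: bytes, signature: int):
    """Ann decrypts with HER private key and verifies with JOE's public key."""
    d, n_ann = ANN_PRIV
    session_key = pow(wrapped_key, d, n_ann)
    message = keystream_xor(session_key, ciphertext)
    e, n = JOE_PUB
    verified = pow(signature, e, n) == digest(message, n)
    return message, verified


if __name__ == "__main__":
    wk, ct, sig = joe_send(b"Wire the Q1 payment to account 4471")
    print(ann_receive(wk, ct, sig))
```

Note where the CA sits: it does not take part in either operation. Its public key is used once, beforehand, to check that the certificate binding "Joe" to JOE_PUB is genuine, which is why neither CA key is among the answers.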

QUESTION NO: 290 Human Resources (HR) would like executives to undergo only two specific security training programs a year. Which of the following provides the BEST level of security training for the executives? (Select TWO). A. Acceptable use of social media B. Data handling and disposal C. Zero day exploits and viruses D. Phishing threats and attacks E. Clean desk and BYOD F. Information security awareness

Answer: D,F Explanation: Executives are concerned with global issues in the organization, including enforcing security policies and procedures, so they should receive training that explains the issues, threats and methods of dealing with them; general information security awareness (F) provides that grounding, including the productivity and enforcement impacts of security policy on the various departments. Phishing (D) is the attack most likely to target them directly: it is a form of social engineering in which the attacker asks for a piece of information by making the request look legitimate, for example an email that appears to come from a bank and already contains basic details such as the user's name. Executives can easily fall prey to phishing if they are not trained to look out for these attacks.

QUESTION NO: 337 DRAG DROP

Simulation Question

QUESTION NO: 338 DRAG DROP

Simulation Question

QUESTION NO: 217 DRAG DROP

Simulation question

QUESTION NO: 263 DRAG DROP

Simulation question

