CISSP certification: Full 125 question practice test #1 – test 2 – Results
Return to reviewAttempt 12All knowledge areasAll questionsQuestion 1: SkippedWhich process would we use to handle updates to our environments?
- Agile project management.
- Change consolidation.
- Change management.(Correct)
- Process review.
Explanation
Change Management: Often called change control, a formalized process on how we handle changes to our environments. If done right we will have full documentation, understanding and we communicate changes to appropriate parties. The change review board should be comprised of both IT and other operational units from the organization, we may consider impacts on IT, but we are there to serve the organization, they need to understand how it will impact them and raise concerns if they have any.Question 2: CorrectWhat was the intent of the US Electronic Communications Privacy Act of 1986 (ECPA)?
- To allow law enforcement to use wiretaps without a warrant or oversight.
- To allow search and seizure without immediate disclosure.
- To protect electronic communication against warrantless wiretapping.(Correct)
- To protect electronic communication by mandating service providers to use strong encryption.
Explanation
Electronic Communications Privacy Act (ECPA) was designed for protection of electronic communications against warrantless wiretapping, but it was very weakened by the Patriot Act.Question 3: CorrectWhich of these would NOT be part of a good identity and access provisioning lifecycle?
- Identify accounts that has not been used for more than 10 days following their creation.
- Locking accounts when employees leave the organization.
- Notifying users to change their passwords before they expire. Revoking accounts and access when contractors stop working for us.
- Leaving accounts unlocked when employees leave the organization.(Correct)
Explanation
Account should be locked when employees leave the organization. Deleting them makes it harder to audit, deactivation/locking is preferred.Question 4: CorrectWe often refer to 0-day vulnerabilities when we talk about IT security vulnerabilities. What would constitute 0-day vulnerabilities?
- Vulnerabilities that do not affect our systems.
- Vulnerabilities not generally known or discovered.(Correct)
- Known vulnerabilities we have already patched.
- Known vulnerabilities that we have not patched yet.
Explanation
0day vulnerabilities: Vulnerabilities not generally known or discovered, the first time an attack is seen is considered day 0, hence the name. From a vulnerability is discovered it is now only a short timespan before patches or signatures are released on major software.Question 5: CorrectTo ensure the confidentiality, integrity, and availability of our backup tapes, where would it be appropriate to store them?
- Under the bed.
- A closet we have access to.
- In a backup storage facility.(Correct)
- Our data center.
Explanation
Where do we keep our sensitive data? It should be kept in a secure, climate-controlled facility, preferably geographically distant or at least far enough away that potential incidents will not affect that facility too. Many older breaches were from bad policies around tape backups. Tapes were kept at the homes of employees instead of at a proper storage facility or in a storage room with no access logs and no access restrictions (often unencrypted).Question 6: SkippedActive Directory (AD) uses trust domains; one domain establishes a trust relationship with another domain. Which of these is NOT an AD trust domain?
- Reflective trust.(Correct)
- Transitive trust.
- One-way trust.
- Intransitive trust.
Explanation
One-way trust, Two-way trust, Trusted domain, Transitive trust and Intransitive trust are all trust domains, there is no reflective trust.Question 7: IncorrectSenior leadership has approved the use of flash drives. Which type of memory do they use?
- SDRAM.(Incorrect)
- DRAM.
- PROM.
- EEPROM.(Correct)
Explanation
Flash memory: Small portable drives (USB sticks are an example); they are a type of EEPROM.Question 8: Correct
When we talk about using cryptanalysis in our work, what exactly are we talking about?
- The science of securing communications.
- Creates messages with a hidden meaning.
- The science of breaking encrypted communications.(Correct)
- A cryptographic algorithm.
Explanation
Cryptanalysis is the science of breaking encrypted communication. Cryptanalysis is used to breach cryptographic security systems and gain access to the contents of encrypted messages, even if the cryptographic key is unknown. It uses mathematical analysis of the cryptographic algorithm, as well as side-channel attacks that do not target weaknesses in the cryptographic algorithms themselves, but instead exploit weaknesses in their implementation and the devices that run them.Question 9: CorrectWe are using the CIA triad to, at a high level, explain IT security to our board of directors. Which of these are the 3 legs of the CIA triad?
- Confidentiality, Integrity and Accountability.
- Integrity, availability and confidentiality.(Correct)
- Identity, accountability and confidentiality.
- Confidentiality, Identity and Availability.
Explanation
The CIA (Confidentiality, Integrity, Availability) Triad: Confidentiality – We keep our data and secrets secret. Integrity – We ensure the data has not been altered. Availability – We ensure authorized people can access the data they need, when they need to.Question 10: CorrectIn our digital forensics, which of these should NEVER happen?
- Keep a perfect chain of custody log.
- Do forensics on a bit level copy of the compromised hard drive.
- Remove the system from the network to prevent the issue from spreading.
- Do forensics on the compromised hard drive.(Correct)
Explanation
Digital forensics should always be done on bit level copies of the original, never the original.Question 11: CorrectWe are implementing several new countermeasures to make our organization less susceptible to fraud. As part of that we are implementing mandatory vacations. How would we use those?
- Used to upgrade systems.
- A detective mechanism that can detect fraud.(Correct)
- Scheduled far in advance and the employee is notified.
- Given to employees to reward them.
Explanation
Mandatory vacations: Done to ensure one person is not always performing the same task, someone else has to cover and it can keep fraud from happening or help us detect it. Their accounts are locked and an audit is performed on the accounts. If the employee has been conducting fraud and covering it up, the audit will discover it. The best way to do this is to not give too much advance notice of vacations.Question 12: CorrectWhat is happening when we experience buffer overflows?
- The buffer overruns its boundaries and overwrites adjacent memory locations.(Correct)
- The buffer overruns its boundaries and overwrites adjacent hard disk locations.
- We are not using SSL/TLS.
- User session IDs or tokens are stolen.
Explanation
Buffer overflow (buffer overrun): An anomaly where a program, while writing data to a buffer, overruns the buffer’s boundary and overwrites adjacent memory locations, happen from improper coding when a programmer fails to perform bounds checking. Buffers are areas of memory set aside to hold data, often while moving it from one section of a program to another, or between programs. Buffer overflows can often be triggered by malformed inputs, if one assumes all inputs will be smaller than a certain size and the buffer is created to be that size, if an anomalous transaction produces more data it could cause it to write past the end of the buffer. If this overwrites adjacent data or executable code, this may result in erratic program behavior, including memory access errors, incorrect results, and crashes. By sending in data designed to cause a buffer overflow, it is possible to write into areas known to hold executable code, and replace it with malicious code.Question 13: CorrectWe have decided to implement job rotation in our organization. What can that help prevent?
- Errors.
- All of these.(Correct)
- Employee burnout.
- Fraud.
Explanation
Job rotation: For the exam, think of it as a way to detect errors and frauds. It is easier to detect fraud, and there is less chance of collusion between individuals if they rotate jobs. It also helps with employee burnout, and it helps employees understand the entire business. This can be too cost prohibitive for the exam/real life; make sure that on the exam, the cost justifies the benefit.Question 14: CorrectWhen our organization is buying custom developed third party software, which of these should NOT be a concern?
- Who owns the code.
- Who will support it when development is completed.
- How good are they at what they do.
- What other companies who have implemented the exact same software says about it.(Correct)
Explanation
We should address support, who owns the code and how good the software development company is, we can’t really see what other companies say about the software it is being custom developed for us.Question 15: IncorrectWhich of these is the WEAKEST form of authentication we can implement?
- Biometrics.
- Something you are.
- Something you have.(Incorrect)
- Something you know.(Correct)
Explanation
Something you know – Type 1 Authentication: Passwords, pass phrase, PIN etc., also called Knowledge factors. It is the weakest form of authentication, and can easily be compromised.Question 16: CorrectWhich of these hackers would you hire to do penetration testing?
- Black hat hacker.
- Gray hat hacker.
- Script kiddie.
- White hat hacker.(Correct)
Explanation
White Hat hackers: Professional Pen Testers trying to find flaws so we can fix it (Ethical Hackers). Black Hat hackers: Malicious hackers, trying to find flaws to exploit them (Crackers – they crack the code). Gray/Grey Hat hackers: They are somewhere between the white and black hats, they go looking for vulnerable code, systems or products. They often just publicize the vulnerability (which can lead to black hats using it before a patch is developed). Gray hats sometimes also approach the company with the vulnerability and ask them to fix it and if nothing happens they publish. Script Kiddies: They have little or no coding knowledge, but many sophisticated hacking tools are available and easy to use. They pose a very real threat. They are just as dangerous as skilled hackers; they often have no clue what they are doing.Question 17: CorrectWhich organization is responsible for delegating IP address ranges to ISPs (Internet Service Providers) in North America?
- LACNIC.
- ARIN.(Correct)
- APNIC.
- RIPE NNC.
Explanation
The world is divided into RIR (Regional Internet Registry) regions and organizations in those areas delegate the address space they have control over. ARIN (American Registry for Internet Numbers): United States, Canada, several parts of the Caribbean region, and Antarctica.Question 18: SkippedWhich layer of the Open Systems Interconnect (OSI) model isolates traffic into broadcast domains?
- 5
- 4
- 1
- 3(Correct)
Explanation
Layer 3: Network Layer: Expands to many different nodes (IP) – The Internet is IP based. Isolates traffic into broadcast domains.Question 19: SkippedFor access control management, which of these is considered something you have?
- Cookie on computer.(Correct)
- PIN.
- MAC address.
- Fingerprint.
Explanation
Things in your possession, not things you know (knowledge factor) or something you are (biometrics).Question 20: CorrectAs part of our backup policy we are deciding on how long we should keep our backups. What should we base that decision on?
- 1 month, as long as we have a full backup of everything.
- All data is required to be kept 1 year.
- Forever, we can never get rid of backup data.
- As long as it is useful or required, whichever is longer.(Correct)
Explanation
Data Retention: Data should not be kept beyond the period of usefulness or beyond the legal requirements (whichever is greater).Question 21: CorrectIf our organization have role-based access control and need to know policies, which of these actions are allowed?
- Accessing data you don’t need to do your job.
- Accessing your colleagues payroll data to see how much they get paid.
- Accessing data you need to do your job.(Correct)
- Browsing around random data to just see what it contains.
Explanation
Role based access control assigns access to roles, with added need to know, just because you have access does not mean you are allowed the data. You need a valid reason for accessing the data. If you do not have one you can be terminated/sued/jailed/fined.Question 22: CorrectWhich of these protocols is NOT found on layer 7 of the Open Systems Interconnection (OSI) model?
- Telnet
- PAP.(Correct)
- FTP.
- HTTP.
Explanation
PAP is a layer 5 protocol (used for setting up sessions). FTP, LDAP and HTTP are all layer 7 protocols.Question 23: CorrectWhich of these is a TRUE statement about the TCP protocol?
- It is always encrypted.
- It is connectionless.
- It is connection oriented.(Correct)
- It is proprietary.
Explanation
TCP (Transmission Control Protocol): Reliable, Connection oriented, Guaranteed delivery, 3 way handshake, slower/more overhead, data reassembled.Question 24: SkippedWhen we talk about WORM media, what are we referring to?
- R DVD’s.(Correct)
- Hard disks.
- EEPROM.
- RAM.
Explanation
WORM Media (Write Once Read Many): CD/DVDs can be WORM Media (R), if they are not R/W (Read/Write).Question 25: CorrectTo establish a TCP session, we are using the TCP 3-way handshake. What is the correct order of the handshake?
- SYN > SYN/ACK > ACK.(Correct)
- SYN > SYN/ACK > SYN.
- SYN/ACK > ACK > SYN.
- SYN > ACK > ACK.
Explanation
The 3-way handshake is client SYN > Server SYN/ACK > Client ACK.Question 26: CorrectOur organization is using least privilege in our user access management. How are our users assigned privileges?
- Privileges at the data owner’s discretion
- Exactly the minimum feasible access for the user to perform their job.(Correct)
- The same privileges as the rest of the group has.
- More privileges than they need for their day-to-day job, so they can perform certain tasks in an emergency.
Explanation
Least Privilege also called “Minimum necessary access”, we give our users and systems exactly the access they need, no more, no less.Question 27: CorrectWith the CIA triad in mind, if we have too much confidentiality which other control will suffer the MOST?
- Accountability.
- Integrity.
- Authentication.
- Availability.(Correct)
Explanation
Finding the right mix of Confidentiality, Integrity and Availability is a balancing act. This is really the cornerstone of IT Security – finding the RIGHT mix for your organization. Too much Confidentiality and the Availability can suffer.Question 28: IncorrectWe are using some of the best practice rules on our password’s requirements. Which of these would NOT be part of that?
- No minimum password age.(Correct)
- Maximum password age.
- Password hashing and salting.(Incorrect)
- Minimum password age.
Explanation
Minimum password age is implemented to prevent users from cycling through the last used passwords to return to their favorite password again. They should also use contain minimum length, upper/lower case letters, numbers and symbols, they should not contain full words or other easy to guess phrases.Question 29: IncorrectWhen would we deploy honeypots?
- During an attack to trick the attacker.
- Whenever we deploy a new system to see if it is vulnerable.
- Whenever we want to, to lure attackers in.(Incorrect)
- None of these.(Correct)
Explanation
While honeypots can be useful, we do not want to lure attackers in (entrapment). If we deployed one each time we launched a system we could have 1000’s of them, and during an attack we are busy with more important things.Question 30: IncorrectAs part of a security assessment we are having an external company do penetration testing. What do we call a penetration test where the tester has full admin level knowledge about our organization and IT infrastructure? (Select all that apply).
- Crystal box.(Correct)
- Clear box.(Correct)
- Black box.
- Full box.(Incorrect)
- Gray box.
- White box.(Correct)
Explanation
White box (Crystal/Clear) Pen testing: (Full Knowledge). The attacker has knowledge of the internal network and access to it like a privileged employee would. Normally Administrator access employee with full knowledge of our environment. There is no full box, gray is partial knowledge and black is no knowledge.Question 31: IncorrectWhen the Patriot Act was signed into law in 2001, it allowed law enforcement to do what?
- Protect electronic communication against warrantless wiretapping.
- Allows search and seizure without immediate disclosure.(Correct)
- Allow law enforcement to use wiretaps without a warrant or oversight.(Incorrect)
- Protect electronic communication by mandating service providers to use strong encryption.
Explanation
PATRIOT Act of 2001: Expands law enforcement electronic monitoring capabilities. Allows search and seizure without immediate disclosure.Question 32: CorrectWhich industry is the US Gramm-Leach-Bliley Act (GLBA) focused on?
- Healthcare.
- Online stores.
- Aerospace.
- Financial.(Correct)
Explanation
Gramm-Leach-Bliley Act (GLBA): Applies to financial institutions; driven by the Federal Financial Institutions Examination Council (FFIEC); enforced by member agencies, OCC, FDIC, FRB, NCUA, and CFPB. Enacted in 1999, requires protection of the confidentiality and integrity of consumer financial information.Question 33: CorrectWhat could be one of the NEGATIVE consequences of implementing Single Sign On (SSO) in our organization?
- SSO has weaker password requirements than regular applications does.
- If compromised the attacker has access to all the systems the user does.(Correct)
- It is easier for users to just use one login.
- It takes too long to remember a single password over many.
Explanation
SSO (Single sign-on): Users use a single sign-on for multiple systems. If an attacker compromises a single password they have access to everything that user can access. Often deployed in organizations where users have to access 10+ systems, and they think it is too burdensome to remember all those passwords. SSO have the same strong password requirements as normal single system passwords.Question 34: CorrectBob is working on designing new access controls across our organization. Which documentation should he reference to know how and what to implement?
- The latest tech reviews and technology.
- Our policies, procedures and standards.(Correct)
- It is at his discretion, Bob is the most knowledgeable employee we have on access control.
- He would ask his peers what they would implement since they know best and when they agree implement that.
Explanation
Our Access Control is determined by our policies, procedures, and standards. This outlines how we grant access whom to what: We use least privilege, need to know, and we give our staff and systems exactly the access they need and no more.Question 35: SkippedWhich of these is NOT an example of broken authentication or session management (OWASP A2)?
- Session IDs are predictable.
- Session IDs are kept in plaintext.
- Session IDs are pseudo random.(Correct)
- Session never expires.
Explanation
A2 Broken Authentication and Session Management. Sessions do not expire or take too long to expire. Session IDs are predictable. 001, 002, 003, 004, etc. Tokens, session IDs, Passwords, etc., are kept in plaintext. Pseudo random session IDs would be a broken authentication counter measure.Question 36: CorrectIn IT Security we are talking about something as an event, what does that mean?
- Something changed, neither negative or positive.(Correct)
- We are being hacked.
- A system has crashed.
- A triggered warning when something predefined happens (i.e. disk usage over 85%).
Explanation
Event: An observable change in state, this is neither negative nor positive, it is just something has changed. A system powered on, traffic from one segment to another, an application started.Question 37: CorrectAfter an attack on our servers, who should handle digital forensic evidence?
- Anyone who is available.
- The data steward.
- Someone trained in the process.(Correct)
- The data owner.
Explanation
People handling digital forensic evidence should always be trained in proper handling.Question 38: SkippedWhich of these authentication protocols is no longer considered secure?
- Radius.
- TACACS.(Correct)
- Diameter.
- TACACS+.
Explanation
TACACS (The Terminal Access Controller Access Control System): Centralized access control system requiring users to send an ID and reusable (vulnerable) passwords for authentication, because of this it is no longer considered secure. Uses TCP/UDP port 49. TACACS has generally been replaced by TACACS+ and RADIUS.Question 39: CorrectIn the TCP/IP model, frames and bits are the Protocol Data Units (PDUs) of which layer?
- Application.
- Internetworks.
- Transport.
- Link and physical.(Correct)
Explanation
Frames and bits are the Protocol Data Units (PDUs) of the Link and physical layer of the TCP/IP model. (Frames are OSI layer 2 and bits are OSI layer 1).Question 40: SkippedWhich is the MOST secure encryption type of these 4?
- AES.(Correct)
- DES.
- Blowfish.
- RC4.
Explanation
DES, Blowfish and RC4 are no longer considered secure, AES is still considered secure.Question 41: CorrectWe are implementing Active Directory (AD) to use for managing our access control. Which of these OS families have AD natively included in their processes and services?
- Linux.
- MacOS.
- Windows.(Correct)
- Unix.
Explanation
AD (Active Directory): Included in most Windows Server OS as a set of processes and services. Directory service that Microsoft developed for Windows domain networks. Originally it was only in charge of centralized domain management. As of Windows Server 2008, AD became an umbrella term for a broad range of directory-based identity-related services.Question 42: SkippedBIBA’s Invocation Property prohibits users from what?
- No write up.
- No read and write up and down.
- No read and write up.(Correct)
- No write down.
Explanation
Invocation Property: “No Read or Write UP”. Subjects can never access or alter data on a higher level.Question 43: CorrectWhat are some of the dangers if we chose to NOT use proper and regular patching of our systems?
- We are at risk of compromise from publicly known attacks.(Correct)
- There are no real dangers as long as we have firewalls.
- We can’t access the internet if we are missing too many patches.
- We won’t have enough for our employees to do.
Explanation
Patches are released to fix known security vulnerabilities, not applying leaves us open to those vulnerabilities that the attackers also know about.Question 44: CorrectIn Scrum project management, what is the Scrum master’s role?
- Representing the stakeholders/customers.
- Developing the code/product at the end of each sprint.
- Removing obstacles for the development team.(Correct)
- Being a traditional project manager.
Explanation
Scrum master: Facilitates and accountable for removing impediments to the ability of the team to deliver the product goals and deliverables. Not a traditional team lead or project manager but acts as a buffer between the team and any distracting influences. The scrum master ensures that the Scrum framework is followed.Question 45: SkippedWhen we are implementing new access control mechanisms, looking at the IAAA model, what could we use for identification?
- Non-repudiation.
- Usernames.(Correct)
- A password.
- Role based access control.
Explanation
User names are used for identification, we should never allow group logins or accounts. Your name, username, ID number, employee number, SSN etc.Question 46: SkippedWhich of these would be an IP socket-pair?
- 10.0.10.1 and 21.12.12.1
- 10.0.10.1:80 and 21.12.12.1
- 10.0.10.1:http and 21.12.12.1:51515(Correct)
- 10.0.10.1 and 21.12.12.1:https
Explanation
Socket Pairs (TCP): 2 sets of IP and Port (Source and Destination). This could be Source pair:192.168.0.6:49691 Destination pair: 195.122.177.218:https. Well-known ports are often translated, port 443 is https.Question 47: CorrectWhich of these encryption methods is truly unbreakable if it is implemented right?
- A Vigenère cipher.
- Enigma.
- One-time pads.(Correct)
- Symmetric encryption.
Explanation
One-Time Pad: Cryptographic algorithm where plaintext is combined with a random key. It is the only existing mathematically unbreakable encryption. While it is unbreakable it is also very impractical. It has ONE use per pad; they should never be reused. Characters on the pad have to be truly random. The pads are kept secure.Question 48: SkippedWhen we are using knowledge-based factors in our authentication process, we would use all of these, EXCEPT which?
- Pass phrases.
- PINs.
- Passwords.
- Single-use passwords.(Correct)
Explanation
Single-use password is not a knowledge based factor, it is a possession based factor.Question 49: SkippedWhich type of Intrusion Prevention System (IPS) response prevents authorized traffic?
- False positive.(Correct)
- False negative.
- True positive.
- True negative.
Explanation
False Positive: Normal traffic and the system detects it and acts.Question 50: SkippedWe have a contract with some penetration testers. In which phase would the tester look for vulnerabilities and design the attack?
- Escalate privileges.
- Discovery.(Correct)
- Gaining access.
- System browsing.
Explanation
Discovery (planning): Finding the vulnerabilities, design the attacks.Question 51: SkippedWe are using cloud computing and have chosen to use IaaS. Who is responsible for the databases?
- The security team.
- The network team.
- The customer.(Correct)
- The vendor.
Explanation
IaaS – (Infrastructure as a Service) The vendor provides infrastructure up to the OS, the customer adds the OS and up.Question 52: SkippedWhen our organization is using mandatory access control. What would subjects have?
- Labels.
- Clearance.(Correct)
- Objects.
- Assets.
Explanation
Subjects have Clearance assigned to them. A formal decision on a subject’s current and future trustworthiness. The higher the clearance, the more in-depth the background checks should be (always in military, not always in business).Question 53: SkippedAfter a security breach, Bob has been asked to ensure evidence integrity. What would he do with the compromised hard drive?
- Pull the drive from the system, format it and reinsert it into another production server.
- Add another drive to the system and copy all he can see on the compromised drive onto the new drive and then do his analysis on the new drive.
- Hash the drive and take a bit level copy, hash the copy drive and they should match, then work on the bit level copy.(Correct)
- Encrypt the drive, then do his forensics on the original drive and when he is done do a hash.
Explanation
Evidence Integrity – It is vital that the evidence’s integrity cannot be questioned. We do this with hashes; any forensics is done on copies and never the originals. We make a bit level copy of the original, hash it, and the copy should match. We do another hash after the forensics, and that should be the same as the prior two.Question 54: SkippedIn incident management, which of these is NOT a recognized category of events and/or incidents?
- Natural.
- Environments.
- Behavioral.(Correct)
- Human.
Explanation
Behavioral is a subset of human, and no a recognized category.Question 55: SkippedWhich type of access control model is based on a subject’s clearance?
- Mandatory Access Control (MAC)(Correct)
- Rule-Based Access Control (RUBAC)
- Discretionary Access Control (DAC)
- Role-Based Access Control (RBAC)
Explanation
MAC – (Mandatory Access Control) is system-enforced access control based on a subject’s clearance and an object’s labels.Question 56: SkippedWe have removed a server from our production environment. We format the hard drives, install a new OS (Operating System), and application on the disks. We then put the newly installed server back into production. Which of these would be TRUE about the original data a week later?
- Always completely recoverable.
- Hidden, but not recoverable.
- Gone forever.
- Possibly partially recoverable.(Correct)
Explanation
We can still recover files that has not been overwritten yet, formatting just removes the file structure.Question 57: SkippedThe Central Processing Unit (CPU) consists of which two elements?
- CU and RPG.
- South bridge and RAM.
- ALU and CU.(Correct)
- RAM and BIOS.
Explanation
CPU (Central Processing Unit) is the brains of the system. Arithmetic logic unit (ALU) performs arithmetic and logic operations. It’s a processor that registers that supply operands (Object of a Mathematical Operation) to the ALU and stores the results of ALU operations. It does all the math. Control unit (CU) handles fetching (from memory) and execution of instructions by directing the coordinated operations of the ALU, registers and other components. It also sends instructions to the ALU.Question 58: SkippedWhen you discover a software vulnerability, you notify the vendor of the vulnerability for them to fix it. What is the term used for this?
- Predictable disclosure.
- Partial disclosure.(Correct)
- No disclosure.
- Full disclosure.
Explanation
Responsible/Partial disclosure: Telling the vendor, they have time to develop a patch and then disclose it. If they do nothing we can revert to the full disclosure forcing them to act.Question 59: SkippedWe are implementing biometric authentication. What would be a good reason to do that?
- People can easily change their biometrics.
- It rarely changes.(Correct)
- It is easy to copy.
- It is much cheaper than knowledge factors.
Explanation
Biometric features rarely change unless we have a serious accident. It is more difficult to copy, people can’t change them unless they get surgery and it is normally more expensive than possession or knowledge factors.Question 60: SkippedWhich type of Intrusion Detection Systems (IDS) and Intrusion Prevention System (IPS) are completely vulnerable to 0-day attacks?
- Heuristic based.
- Network based.
- Behavioral based.
- Signature based.(Correct)
Explanation
Signature based: Looks for known malware signatures. Faster since they just check traffic against malicious signatures. Easier to set up and manage, someone else does the signatures for us. They are completely vulnerable to 0 day attacks, and have to be updated constantly to keep up with new vulnerability patterns.Question 61: SkippedWhich security principle is Clark-Wilson based on?
- Accountability.
- Confidentiality.
- Integrity.(Correct)
- Availability.
Explanation
Clark-Wilson – Integrity: Separates end users from the backend data through ‘Well-formed transactions’ and ‘Separation of Duties’. The model uses Subject/Program/Object. We have discussed the Subject/Object relationship before, but this puts a program between the two. We don’t allow people access to our inventory when they buy from us. We give them a limited functionality interface they can access.Question 62: SkippedAs part of our server hardening, are blocking all ports on our servers, unless specified as something we needed open in the technical design documentation. When we block TCP/UDP port 3389, what are we blocking?
- IMAP.
- Microsoft Terminal Server (RDP).(Correct)
- NetBIOS name service.
- NetBIOS datagram service.
Explanation
Microsoft Terminal Server (RDP) uses TCP/UDP port 3389.Question 63: SkippedWhat would be one of the EASIEST ways to confirm if our access control mechanics are working?
- Reviewing CCTV files.
- Get alerts for each login and manually check them all.
- Stand at the doors and look at who enters a building or a certain room.
- Reviewing security audit logs.(Correct)
Explanation
Audit log reviews is the easiest way to confirm our access control mechanisms are working.Question 64: SkippedWhich of these is NOT a normal phase of a white hat hacker’s strategy?
- Installing additional tools as they gain more access and higher privileges.
- Escalate privileges.
- Discovery, finding the vulnerabilities.
- Deleting their tracks, the audit files and logs.(Correct)
Explanation
White hat hackers use many of the same tools and approaches that black hats would, but they do not delete their tracks, audit files or logs.Question 65: Skipped
As part of our layered defense, and to prevent unauthorized devices on our network, we have added the MAC sticky command. Where would we configure that?
Larger image
- Router.
- Switch.(Correct)
- File server.
- Firewall.
- Desktop.
Explanation
Good switch security includes shut down unused ports, add mac-sticky and hardcode if ports are access or trunk ports. Making all ports trunk ports is a bad idea.Question 66: SkippedWhich of these is NOT covered by the Wassenaar Arrangement?
- Encryption algorithms.
- Munitions.
- Rockets.
- SQL Databases.(Correct)
Explanation
Wassenaar Arrangement – 1996 – present. Limits exports on military and “dual-use” technologies. Cryptography is part of that. Some nations also use it to prevent their citizens from having strong encryption (easier to spy on your own people if they can’t use strong cryptography).Question 67: SkippedLooking at our incident management plan, which of these can we possibly mitigate with a redundant geographical distant site?
- Incidents.
- Events.
- Disasters.(Correct)
- Emergencies.
Explanation
Disaster: Our entire facility is unusable for 24 hours or longer. If we are geographically diverse and redundant we can mitigate this a lot. Yes, a snowstorm can be a disaster.Question 68: SkippedAs part of our risk management, we are working on quantitative risk analysis. Select all the terms we would use in this phase:
- Exposure factor (EF) (Correct)
- Future Growth Potential (FGP)
- Risk Analysis Matrix (RAM)
- Asset Value (AV) (Correct)
- Annualized Loss Expectancy (ALE)(Correct)
Explanation
Quantitative Risk Analysis – We want exactly enough security for our needs. This is where we put a number on that. We find the asset’s value: How much of it is compromised, how much one incident will cost, how often the incident occurs and how much that is per year. Asset Value (AV) – How much is the asset worth? Exposure factor (EF) – Percentage of Asset Value lost? Single Loss Expectancy (SLE) – (AV x EF) – What does it cost if it happens once? Annual Rate of Occurrence (ARO) – How often will this happen each year? Annualized Loss Expectancy (ALE) – This is what it cost per year if we do nothing.Question 69: SkippedOne of your coworkers is telling you about our new policies for PII. What is she referring to?
- Professional Information Identifiers.
- Personality Indicator Information.
- Personally Identifiable Information.(Correct)
- Personally Information Indicators.
Explanation
PII is the abbreviation for Personally Identifiable Information.Question 70: SkippedWe have 100 users all needing to communicate with each other. If we are using asymmetric encryption how many keys would we need?
- 2000
- 100
- 200(Correct)
- 4950
Explanation
Asymmetric encryption uses 2 keys per user, so we would need 200 keys.Question 71: SkippedPrior to an external structured audit, we would often do an ‘unstructured’ audit. Who would perform that?
- Internal auditors.(Correct)
- External auditors.
- IT security staff.
- Senior management.
Explanation
Unstructured audits: Internal auditors to improve our security and find flaws, often done before an external audit.Question 72: SkippedWe have had a lot of employee complaints since we started blocking TCP/UDP port 80. What are we blocking?
- POP3.
- HTTP.(Correct)
- HTTPS.
- SMTP.
Explanation
Hypertext Transfer Protocol (HTTP) uses TCP/UDP port 80, can also use port 8008 and 8080 .Question 73: SkippedUsing EEPROM makes work easier for our IT staff, what is one of the dangers associated with it?
- Since it is programmable, attackers can attack it.(Correct)
- There are no dangers, it is completely safe.
- Anyone can easily access it.
- Flashing with an UV light can damage your eyes.
Explanation
EEPROM (Electrically Erasable Programmable Read Only memory) – These are Electrically Erasable, you can use a flashing program. This is still called Read Only. The ability to write to the BIOS makes it vulnerable to attackers.Question 74: SkippedWe want to be able to restore our systems with no more than 48 hours of data loss. Which of these could be a backup rotation we could chose to implement?
- Backups before each system update or patch we apply.
- Monthly full backups and weekly incrementals.
- Weekly full and incremental backups every 3 days.
- Weekly full backups and daily differential backups.(Correct)
Explanation
If we can have no more than 48 hours of data loss the only viable option is a daily backup.Question 75: SkippedOn which layer of the Open Systems Interconnect (OSI) model do we establish the connection between 2 applications?
- 5(Correct)
- 6
- 3
- 4
Explanation
Layer 5: Session Layer: Establishes connection between 2 applications: Setup > Maintenance > Tear Down.Question 76: SkippedJane is explaining how using AI can help predict healthcare issues for patients. What is AI?
- Arithmetic Interference.
- Artificial Integrity.
- Artifact Incidents.
- Artificial Intelligence.(Correct)
Explanation
AI (Artificial Intelligence): Intelligence exhibited by machines, rather than humans or other animals. True AI is a topic of discussion; what was considered AI years ago has been achieved, and once the goal is reached, the AI definition is tweaked a little.Question 77: SkippedWhat does SOC2 type 1 report on?
- The future state of our controls and countermeasures.
- How resilient our systems are and how often we can expect exploits with our current settings.
- The suitability of the design of controls.(Correct)
- The suitability of the design AND operating effectiveness of controls.
Explanation
SOC 2 Type 1 report on management’s description of a service organization’s system and the suitability of the design of controls.Question 78: SkippedWhy would we choose a centralized access control system over a decentralized one?
- Faster response time at remote locations.
- If the internet between sites is down, we can’t authenticate.
- Different security postures at different locations.
- It is easier to manage.(Correct)
Explanation
Centralized Pros: (Decentralized Cons): All systems and locations have the same security posture. Easier to manage: All records, configurations and policies are centralized and only configured once per policy. Attackers look for the weakest link in our chain, if a small satellite office is not following our security posture, they can be an easy way onto our network. It is more secure, only a few people have access and can make changes to the system. It can also provide separation of duties, the local admin can’t edit/delete logs from their facility. SSO can be used for user access to multiple systems with one login. Centralized Con’s: (Decentralized Pros): Traffic overhead and response time, how long does it take for a door lock to authenticate the user against the database at the head office? Is connectivity to the head office stable, is important equipment on redundant power and internet?Question 79: SkippedWhen someone is typo squatting, what are they doing?
- Legal.
- Always illegal.
- Potentially illegal.(Correct)
- Never profitable.
Explanation
Typo squatting – Buying an URL that is VERY close to real website name (Can be illegal in certain circumstances).Question 80: SkippedWhich is NOT one of the (ISC)² ethics canons?
- Provide diligent and competent service to principles.
- Think about the social consequences of the program you are writing or the system you are designing.(Correct)
- Act honorably, honestly, justly, responsibly, and legally.
- Protect society, the common good, necessary public trust and confidence, and the infrastructure.
Explanation
ISC2 Code of Ethics Canons: Protect society, the common good, necessary public trust and confidence, and the infrastructure. Act honorably, honestly, justly, responsibly, and legally. Provide diligent and competent service to principles. Advance and protect the profession.Question 81: SkippedWhich type of security governance and management would we want to see in our organization?
- Middle of the road.
- Top-down.(Correct)
- Bottom-up.
- Agile.
Explanation
We always want top-down security governance and management, we want senior leadership on our side. Top-Down: IT leadership is on board with IT Security, they lead and set the direction. Bottom-Up: IT Security is seen as a nuisance and not a helper, often change when breaches happen.Question 82: SkippedIn which order would you use the Software Development Life Cycle (SDLC)?
- Investigation, design, analysis, build, implement, test, maintenance and support.
- Investigation, analysis, design, build, test, implement, maintenance and support.(Correct)
- Analysis, investigation, design, build, implement, test, maintenance and support.
- Investigation, analysis, design, build, implement, test, maintenance and support.
Explanation
SDLC (Software Development Life Cycle): The SDLC is not really a methodology, but a description of the phases in the life cycle of software development. These phases are (in general), investigation, analysis, design, build, test, implement, maintenance and support (and disposal). Can have security built into each step of the process, for the exam it always does.Question 83: SkippedWhen we are categorizing disasters for our Business Continuity Plan (BCP), we would categorize them into which of these categories? (Select all that apply).
- Physical.
- Natural.(Correct)
- Environmental.(Correct)
- Human.(Correct)
- Hardware.
Explanation
We categorize disasters in 3 categories: natural, human, or environmental. Natural: Anything caused by nature; this could be earthquakes, floods, snow, tornados, etc. Human: Anything caused by humans; they can be intentional or unintentional disasters; unintentional could be an employee using a personal USB stick on a PC at work and spreading malware, which would be just as bad as if an attacker had done it, but the employee was just ignorant, careless, or didn’t think it would matter. Environmental (not to be confused with natural disasters); Anything in our environment; could be power outage/spikes, hardware failures, provider issues, etc.Question 84: SkippedWhat is one of the key benefits of using a Host-based Intrusion Prevention System (HIPS) over a Network-based Intrusion Prevention System (NIPS)?
- We look at the entire network segment.
- We can see the unencrypted data.(Correct)
- We can protect against Distributed Denial Of Service (DDOS) attacks.
- We can inspect the IP packets and prevent port scans.
Explanation
Host based, on a client, normally a server or workstation. Can look at the actual data (it is decrypted at the end device), NIDS/NIPS can’t look at encrypted packets.Question 85: SkippedWhen would a logic bomb go off?
- When the system gets internet access.
- As soon as it is introduced to the system.
- A certain event happens or at a certain time.(Correct)
- When it has infected the entire network.
Explanation
Logic Bombs – Malicious code that executes at a certain time or event – they are dormant until the event (IF/THEN). IF Bob is not getting an annual bonus over $10,000, THEN execute malicious code. IF date and time 5/15/18 00:02:12, THEN execute malicious code.Question 86: SkippedWhen we are reviewing our audit logs, it is which type of a control?
- Physical.
- Detective.(Correct)
- Deterrent.
- Preventative.
Explanation
Audit log reviews is a detective control, we look at what happened after it happened, looking for patterns and issues.Question 87: SkippedIn our data management, which of these BEST describe the data owner responsibilities?
- Assigning sensitivity labels and backup frequency.(Correct)
- Backups, restores, patches, system configuration.
- The policies that govern our data security.
- The systems that house the data.
Explanation
Data/Information Owner: Management level, they assign sensitivity labels and backup frequency. This could be you or a Data Owner from HR, Payroll or other departments.Question 88: SkippedWhat would a penetration testing Statement Of Work (SOW) NOT include?
- Rules of engagement.
- Complete and accurate employee Protected Health Information (PHI).(Correct)
- IP ranges.
- Time frames.
Explanation
Penetration Testing (Pen Testing) have very clear rules of engagement defined in a SOW (Statement Of Work). Which IP ranges, time frame, tools, POC, how to test, what to test.Question 89: SkippedWhat is your public key in asymmetric encryption?
- Shared.(Correct)
- Used by you to decrypt messages sent to you.
- Used by someone else to decrypt messages from you.
- Secret.
Explanation
Asymmetric Encryption uses 2 keys: a Public Key and a Private Key (Key Pair). Your Public Key is publicly available. Used by others to encrypt messages sent to you. Since the key is asymmetric, the ciphertext can’t be decrypted with your public Key. Your Private Key – You keep this safe. You use it to decrypt messages sent with your public key.Question 90: Skipped
On which layer of the Open Systems Interconnection model (OSI) model would we find the broadcast address FF:FF:FF:FF:FF:FF?
Larger image
- B: Layer 4.
- C: Layer 3.
- E: Layer 1.
- D: Layer 2.(Correct)
- A: Layer 5.
Explanation
FF:FF:FF:FF:FF:FF is the layer 2 broadcast address. Layer 2 uses mac addresses.Question 91: SkippedWe are wanting to erase EPROM memory to update to the latest firmware. How would we do that?
- Taking the chip out of the motherboard and degauss it.
- We can use programs to erase the content.
- Shine an UV light on the chip.(Correct)
- It can’t be erased once it has been written.
Explanation
EPROM (Erasable Programmable Read Only memory) – Can be erased (flashed) and written many times, by shining an ultraviolet light (flash) on a small window on the chip (normally covered by foil).Question 92: SkippedWhich type of software development uses programming pairs?
- Agile.
- Scrum.
- Waterfall.
- XP.(Correct)
Explanation
XP (Extreme programming) uses programming in pairs or doing extensive code review. Intended to improve software quality and responsiveness to changing customer requirements. Uses advocates frequent releases in short development cycles, intended to improve productivity and introduce checkpoints at which new customer requirements can be adopted.Question 93: SkippedJane is using the Scrum project management methodology. Which of these would be some of the core team roles in the Scrum framework? (Select all that apply).
- The project sponsor.
- The Scrum master.(Correct)
- The development team.(Correct)
- The product owner.(Correct)
- The project manager.
Explanation
Scrum is a framework for managing software development. Scrum is designed for teams of approximately 10 individuals, and generally relies on two-week development cycles, called “sprints”, as well as short daily stand-up meetings. The three core roles in the Scrum framework. The product owner: Representing the product’s stakeholders, the voice of the customer, and is accountable for ensuring that the team delivers value to the business. Development team: Responsible for delivering the product at the end of each sprint (sprint goal). The team is made up of 3–9 individuals who do the actual work (analysis, design, develop, test, technical communication, document, etc.). Scrum master: Facilitates and accountable for removing impediments to the ability of the team to deliver the product goals and deliverables. Not a traditional team lead or project manager but acts as a buffer between the team and any distracting influences. The scrum master ensures that the Scrum framework is followed.Question 94: SkippedJack is looking at different types of encryption. Which of these is a type of asymmetric encryption?
- Twofish.
- 3DES.
- RC6.
- RSA.(Correct)
Explanation
RSA is asymmetric. 3DES, RC6 and Twofish are all symmetric forms of encryption.Question 95: SkippedWhich of these could be some of the ways we can protect our data when an employee is actively using it?
- Encryption, clean desk policies, view angle screen.
- Clean desk policies, print policies, job rotation, mandatory vacations, view angle screens.
- Clean desk policies, view angle screens, computer locking when not in use.(Correct)
- Need to know policy.
Explanation
Data in Use: (We are actively using the files/data, it can’t be encrypted). Use good practices: Clean Desk policy, Print Policy, Allow no ‘Shoulder Surfing’, maybe the use of view angle privacy screen for monitors, locking computer screen when leaving workstation.Question 96: SkippedWhen we talk about referential databases, what does referential integrity mean?
- Each tuple has a unique primary value that is not null.
- When every foreign key in a secondary table matches the primary key in the parent table.(Correct)
- When the database has errors.
- Each attribute value is consistent with the attribute data type.
Explanation
Referential integrity: When every foreign key in a secondary table matches a primary key in the parent table. It is broken if not all foreign keys match the primary key.Question 97: SkippedThere are a lot of challenges with audit record management. Which of these is not of them?
- We are storing logs and alerts for too long.(Correct)
- Audit records are only reviewed for the bad stuff.
- Logs are not reviews on a regular and timely basis.
- Log entries and alerts are not prioritized.
Explanation
Audit record management typically faces five distinct problems: Log are not reviewed on a regular and timely basis. Audit logs and audit trails are not stored for a long enough time period. Logs are not standardized or viewable by correlation toolsets – they are only viewable from the system being audited. Log entries and alerts are not prioritized. Audit records are only reviewed for the bad stuff.Question 98: SkippedWhat could be one of the ways we could protect our data-at-rest?
- Privacy screens for monitors.
- Clean desk policy.
- DAC.
- Encryption.(Correct)
Explanation
Data at Rest (Stored Data): This is data on Disks, Tapes, CDs/DVDs, USB Sticks. We use disk encryption (full/partial), USB encryption, tape encryption (avoid CDs/DVDs). Encryption can be Hardware or Software Encryption.Question 99: SkippedAs part of our software testing, we are doing static software testing. What are we doing?
- Passively test the code, but not run it.(Correct)
- Submit random malformed input to crash the software or elevate privileges.
- Test the code while executing it.
- Build scripts and tools that would simulate normal user activity.
Explanation
Static testing – Passively testing the code, it is not running. This is walkthroughs, syntax checking, and code reviews. Looks at the raw source code itself looking for evidence of known insecure practices, functions, libraries, or other characteristics having been used in the source code.Question 100: SkippedAs part of our updated security posture, we have started blocking TCP/UDP port 22 as a default. What are we blocking?
- SSH.(Correct)
- Telnet.
- FTP data transfer.
- FTP control.
Explanation
SSH (Secure Shell) uses the well-known TCP/UDP port 22.Question 101: SkippedWhich of these protocols is NOT found on layer 3 of the OSI model?
- IP.
- IMAP.(Correct)
- ICMP.
- IKE.
Explanation
IMAP is a layer 7 protocol. IP, IPSEC, IKE, ICMP, … are all layer 3 protocols.Question 102: SkippedWhat could a vulnerability scan possibly help us find?
- Missing patches, outdated software and users accessing files they shouldn’t.
- Outdated software, missing patches and system misconfigurations.(Correct)
- Missing patches, outdated software and high utilization on a resource.
- System misconfigurations, missing patches and a list of threats.
Explanation
A vulnerability scanner tool is used to scan a network or system for a list of predefined vulnerabilities such as system misconfiguration, outdated software, or a lack of patching.Question 103: SkippedIn software acceptance testing, what is the purpose of production acceptance testing?
- To ensure the backups are in place, we have a DR plan, how patching is handled and that the software is tested for vulnerabilities.
- To ensure the software is as secure or more secure than the rules, laws and regulations of our industry.
- To ensure the software perform as expected in our live environment vs. our development environment.(Correct)
- To ensure the software is functional for and tested by the end user and the application manager.
Explanation
Compatibility/production testing: Does the software interface as expected with other applications or systems? Does the software perform as expected in our production environment vs. the development environmentQuestion 104: SkippedWhen we talk about auditing in the IAAA model, what does that mean?
- Traces actions to subjects identities.(Correct)
- Assigns attributes to identities.
- Compares object labels to the clearance of the subject.
- Allows users to access data 24/7.
Explanation
Accountability (often referred to as Auditing): Trace an Action to a Subjects Identity: Proves who performed given action, it provides non-repudiation. Group or shared accounts are never OK, they have zero accountability. Uses audit trails and logs, to associate a subject with its actions.Question 105: SkippedWhen we are performing background checks on our new employees, we would NEVER look at which of these?
- Employment history, credit history, references.
- References, degrees, political affiliation, employment history.(Correct)
- References, degrees, criminal records, credit history.
- References, employment history, criminal records.
Explanation
When we hire new staff we often do background to ensure we minimize our risks. We can check: References, Degrees, Employment, Criminal, Credit history (less common, more costly). We have new staff sign an NDA (Non-Disclosure Agreement). It is illegal to check or inquire about political preference.Question 106: SkippedDiameter was designed to replace Radius, but the change never happened. Where is Diameter COMMONLY used now?
- Router management.
- In the 3/4G space.(Correct)
- Wireless access points.
- Webserver file uploads and downloads.
Explanation
Diameter is largely used in the 3/4G space, RADIUS is used elsewhere. Was intended to replacement for RADIUS, but the use cases changed and both now have different uses. Also provides centralized AAA (Authentication, Authorization, and Accounting) management for users who connect and use a network service.Question 107: SkippedWhat is LDAP COMMONLY used for?
- Central username and password storage.(Correct)
- Managing firewall and router access lists.
- Hashing passwords.
- Internet routing protocol.
Explanation
LDAP (The Lightweight Directory Access Protocol) is commonly used for central usernames and passwords storage, many different applications and services can connect to the LDAP server to validate users. Open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an IP network. Application layer protocol and use TCP and UDP port 389.Question 108: SkippedAfter a major security breach, we are wanting to a lessons learned. Why is that?
- To learn from the incident so we can do better on future incidents.(Correct)
- To show what exactly happened in this incident.
- To prevent incidents from ever happening again.
- To blame someone.
Explanation
Lessons Learned: This phase is often overlooked, we removed the problem, we have implemented new controls and safeguards. We can learn a lot from lessons learned, not just about the specific incidence, but how well we handle them, what worked, what didn’t. How can we as an organization grow and become better next time we have another incidence, while we may have fixed this one vulnerability there are potentially 100’s of new ones we know nothing about yet. At the end of lessons learned we produce a report to senior management, with our finding, we can only make suggestions, they are ultimately in charge (and liable).Question 109: SkippedAfter a major security incident, we need to provide the chain of custody logs for one of the compromised hard drives. Which of these should NOT be part of the logs?
- What was found.(Correct)
- Who handled it.
- When they did it.
- What was done.
Explanation
With the chain of custody everything is documented: Who had it when? What was done? When did they do it? Not what was found.Question 110: SkippedWhy would an organization offer to use a source code escrow to their customers?
- So the customer has access to the source code if we go bankrupt.(Correct)
- To make our source code publicly available.
- To ensure the code is tested completely.
- Because we want them to see the source code whenever they want to.
Explanation
Source code escrow: The deposit of the source code of software with a third party escrow agent. Escrow is typically requested by a party licensing software (the licensee), to ensure maintenance of the software instead of abandonment or orphaning. The software source code is released to the licensee if the licensor files for bankruptcy or otherwise fails to maintain and update the software as promised in the software license agreement.Question 111: SkippedWhen we are talking about RAM what are we referencing?
- Remote access management.
- Volatile memory.(Correct)
- Non-volatile memory.
- Real alerting mirroring.
Explanation
RAM (Random Access memory) is volatile memory. It loses the memory content after a power loss(or within a few minutes). This can be memory sticks or embedded memory.Question 112: SkippedWhat would we NOT look at in a security assessment?
- Employee performance.(Correct)
- Penetration tests.
- Change management.
- Security audits.
Explanation
Security Assessments: A full picture approach to assessing how effective our access controls are, they have a very broad scope. We would not look at Employee performance. Security assessments often span multiple areas, and can use some or all of these components: Policies, procedures, and other administrative controls. Assessing the real world-effectiveness of administrative controls. Change management. Architectural review. Penetration tests. Vulnerability assessments. Security audits.Question 113: SkippedWe are throughout our organization using Intrusion detection systems (IDS) and Intrusion prevention system (IPS). What are some of the COMMON types of those?
- Heuristic, host based, network based.(Correct)
- Network based, host based, firewall based.
- Switch based, network based, signature based.
- Signature based, network based, firewall based.
Explanation
IDSs (Intrusion Detection Systems) and IPSs (Intrusion Prevention Systems) can be categorized into 2 types and with 2 different approaches to identifying malicious traffic. Network based, placed on a network segment (a switch port in promiscuous mode). Host based, on a client, normally a server or workstation. Signature (Pattern) matching, similar to anti virus, it matches traffic against a long list of known malicious traffic patterns. Heuristic (Behavioral) based, uses a normal traffic pattern baseline to monitor for abnormal traffic.Question 114: SkippedLooking at our data management, what is the user’s role?
- Perform the backups and restores.
- Be trained in the policies, procedures and standards.(Correct)
- Make the policies, procedures and standards that govern our data security.
- Assign the sensitivity labels and backup frequency of the data.
Explanation
Users: These are the users of the data. User awareness must be trained; they need to know what is acceptable and what is not acceptable, and the consequences for not following the policies, procedures and standards.Question 115: SkippedWhat is a WEAKNESS of the Challenge Handshake Authentication Protocol (CHAP)?
- It periodically verifies the identity of clients with a 3-way handshake.
- Credentials are sent over the network in plaintext.
- Credentials are stored in plaintext on the server.(Correct)
- It uses incremental changing identifiers and variable challenge-values.
Explanation
CHAP (Challenge-Handshake Authentication Protocol): The CHAP server stores plaintext passwords of each client, an attacker gaining access to the server can steal all the client passwords stored on it. Provides protection against replay attacks by the peer through the use of an incrementally changing identifier and of a variable challenge-value. Requires the client and server know the plaintext of a shared secret, but it is never sent over the network. Providing better security compared to PAP which is vulnerable for both these reasons. Used by PPP (Point to Point Protocol) servers to validate the remote clients. CHAP periodically verifies the identity of the client by using a three-way handshake.Question 116: SkippedWhen an attacker is using intimidation, it is a form of what?
- Social engineering.(Correct)
- Proper management.
- Reverse psychology.
- Brute force attack.
Explanation
Social engineering uses people skills to bypass security controls. Intimidation (If you don’t bad thing happens) – Virus on the network, credit card compromised, lawsuit against your company, intimidation is most effective with impersonation and vishing attacks.Question 117: SkippedWhen we implement centralized logging, we want it to be:
- Automated, unsecure, and accessible by administrators.
- Automated, secure, and accessible by administrators.
- Automated, secure and administrators should have limited access.(Correct)
- Automated, secure and accessible by everyone.
Explanation
Centralized Logging: Should be automated, secure and even administrators should have limited access.Question 118: SkippedWhat would we use a Security Information and Event Management (SIEM) system for?
- Centralized storage and interpreting of logs and traffic.
- Giving us a holistic view of all events and incidents in our organization.
- All of these.(Correct)
- Near real-time automated identification, analysis and recovery from some security events.
Explanation
SIEM (Security Information and Event Management) provides real-time analysis of security alerts generated by network hardware and applications.Question 119: SkippedWe often allow users to use “secret questions and answers” to unlock their accounts, because it makes our administrators workload lighter. Can they also be used as an attack vector?
- Yes, but it really never happens, the information we use for them is so hard to get it is hardly worth it.
- No, no one else would know the answers.
- Yes, but it would be harder to break than encryption.
- Yes, the answers are often something that can be researched.(Correct)
Explanation
Secret questions like “Where were you born?” are poor examples of a knowledge factor, it is known by a lot of people and can often be researched easily.Question 120: SkippedAs part of improving the security posture of our organization we have added multifactor authentication. Which of these pairs does NOT constitute multifactor authentication?
- Password and username.(Correct)
- PIN and credit card.
- Fingerprint and PIN.
- Username and smartcard.
Explanation
Multifactor authentication uses authentication from more than one factor (something you know, are or have). Passwords and usernames are not multifactor, they are both knowledge factors.Question 121: SkippedThose acting under “the color of law” can act on an exigent circumstance. What would constitute exigent circumstances?
- Immediate threat to human life or of evidence destruction.(Correct)
- An outside circumstance which does not pose any threat to life or data.
- Potential threat to data or human life in the future.
- An unpatched vulnerability on our systems, attackers have no way of exploiting.
Explanation
Exigent circumstances apply if there is an immediate threat to human life or of evidence destruction. This will later be decided by a court if it was justified. Only applies to law enforcement and those operating under the “color of law” – Title 18. U.S.C. Section 242 – Deprivation of Rights Under the Color of Law.Question 122: SkippedThe port numbers we use can categorized as well-known, registered, or dynamic/private/ephemeral ports. Which of these is NOT a well-known port?
- 80
- 1024(Correct)
- 1023
- 666
Explanation
Well-known Ports are the ports from port 0-1023, they are mostly used for protocols.Question 123: SkippedWe are in a court of law and we are presenting real evidence. What constitutes real evidence?
- Logs, audit trails and other data from the time of the attack.
- Something you personally saw or witnessed.
- Tangible and physical objects.(Correct)
- The data on our hard drives.
Explanation
Real Evidence is tangible and physical objects, in IT Security it is things like hard disks, USB drives and not the data on them.Question 124: SkippedWe are asked to help design the policies for our organization in regarding to PHI. What is that?
- Protected Human Interactions.
- Procured Hospital Information.
- Personal Heuristic Information.
- Protected Health Information.(Correct)
Explanation
PHI is the abbreviation for Protected Health Information.Question 125: SkippedYou hear a colleague talk about polyinstantiation. What does that mean?
- Deducing facts from data rather than specific statements.
- Looking at a normal baseline and learning of new factors on the network from higher traffic.
- Two or more instances of the same data, depending on who accesses it.(Correct)
- Collecting data to analyze it.
Explanation
Polyinstantiation (Alternative Facts) – Two (or more) instances of the same file depending on who accesses it. The real information may be available to subjects with Top Secret clearance, but different information will be available to staff with Secret or lower clearance.