
CISSP certification: Full 125 question practice test #1 – test 1 – Results

Attempt 9

Question 1: Incorrect

We have tested our software and we have found over 10,000 flaws. What should our next steps be?
  • Leave them alone, 10,000 is too many to fix.
  • Rate them on likelihood of exploit and impact and address the critical issues.
    (Correct)
  • Fix them all.
  • Rate them on likelihood of exploit and impact and address all the issues.
    (Incorrect)

Explanation

Now that we have completed our tests, just as with our log reviews, we need to analyze the data we got from the testing. It can be huge amounts of data, and we need to prioritize what we act on first, what is acceptable and what is not. Think of qualitative risk analysis: if a flaw is low likelihood and low impact we may leave it alone and focus on higher-priority items.

Question 2: Correct

We are wanting to use the most commonly used database management system (DBMS) in our organization. What should we implement?
  • ModoDB.
  • SQL.
    (Correct)
  • Oracle.
  • IBM DB2

Explanation

DBMS (database management system): The most common is SQL or a SQL derivative. A DBMS is a software application that interacts with the user, other applications, and the database itself to capture and analyze data. A general-purpose DBMS is designed to allow the definition, creation, querying, update, and administration of databases. Examples include MySQL, PostgreSQL, MongoDB, MariaDB, Microsoft SQL Server, Oracle, Sybase, SAP HANA, SQLite and IBM DB2.

Question 3: Incorrect

We want to mitigate injection attacks (OWASP A1) on our web servers. What can we implement to help with that?
  • Secure Sockets Layer (SSL).
  • Input validation.
    (Correct)
  • Non-predictable session IDs.
    (Incorrect)
  • CAPTCHA.

Explanation

A1 Injection: Any code injected into user forms; SQL and LDAP injection are the most often seen. Attackers can do this because our software does not use strong enough input validation, data type limitations on input fields, and input length limitations. The fix is to do just that: we only allow users to input appropriate data into the fields (only letters in names, only numbers in phone numbers), we use dropdowns for country and state (if applicable), and we limit how many characters people can use per field.

Question 4: Correct

We are implementing some new standards and framework in our organization. We chose to use scoping on one of the standards we are implementing. What does scoping mean?
  • To see if the standard is a good fit for our organization.
  • To find out how much the implementation will cost us.
  • To implement the full standard or framework, but implement higher standards in some areas.
  • To pick and choose which parts of the standard or framework we want to implement.
    (Correct)

Explanation

Scoping is determining which portion of a standard we will deploy in our organization. We take the portions of the standard that we want or that apply to our industry, and determine what is in scope and what is out of scope for us.

Question 5: Correct

When we buy software from a vendor, what should we ALWAYS do?
  • Look at reviews, and if they are good we can go ahead and buy it.
  • Perform a full security assessment to determine if they meet our security posture.
    (Correct)
  • Trust the vendors security claims.
  • Assume it is secure enough for our organization since others use it already.

Explanation

Buying software from other companies: When we buy software from vendors, either COTS (Commercial Off The Shelf) or custom built software, we need to ensure it is as secure as we need it to be. Vendors' claims about their security posture should, until proven, be seen as marketing claims. We need to do our due care and due diligence, as well as use outside counsel if needed.

Question 6: Incorrect

When an attacker can guess a URL they don’t know about, from another similar logical URL, what is that called?
  • Insecure direct object reference.
    (Correct)
  • Unvalidated redirects.
  • Underprotected APIs.
  • CSRF.
    (Incorrect)

Explanation

2013 A4 Insecure direct object reference: Users can access resources they shouldn't by guessing the URL or path, often when it follows a logical pattern. If you have access to a report named financials_may2017.pdf on your organization's network, you can try guessing other file names you should not have access to, such as financials_August.pdf or financials_2017.pdf. Mitigated by proper access control, using non-sequential names, or monitoring file usage.

Question 7: Correct

6 months ago, we had an attacker trying to gain access to one of our servers. The attack was not successful, and the authorities were able to find the attacker using our forensics. In court, the attacker claims we used entrapment. Which of these options describes entrapment?
  • Something we can do without consulting our legal department.
  • A solid legal defense strategy for the attacker; entrapment is illegal and unethical.
    (Correct)
  • Legal and unethical.
  • Not a solid legal defense strategy for the attacker.

Explanation

Entrapment (illegal and unethical): When someone is persuaded to commit a crime they had no intention of committing and is then charged with it, for example openly advertising sensitive data and then charging people when they access it. Entrapment is a solid legal defense.

Question 8: Incorrect

Object-oriented programming tends to lean towards which programming process?
  • Cripple ware.
  • Top-down.
    (Incorrect)
  • Sashimi.
  • Bottom-up.
    (Correct)

Explanation

Bottom-up programming: Piecing together systems to build more complex systems, making the original systems sub-systems of the overarching system. OOP tends toward bottom-up: you start by developing your objects and build up.

Question 9: Correct

In our data centers we have redundancy on many things. Looking at our servers, which of these elements are commonly NOT redundant?
  • Power supplies.
  • Motherboards.
    (Correct)
  • Network cards.
  • Hard disks.

Explanation

Motherboards are rarely redundant, instead we use redundant servers. NICs, PSUs and disks are almost always redundant in servers.

Question 10: Incorrect

We use the CIA triad as a logical model for IT Security and the protection profile our organization wants. What does the A stand for in the CIA triad?
  • Accountability.
    (Incorrect)
  • Authorization.
  • Authentication.
  • Availability.
    (Correct)

Explanation

The CIA (Confidentiality, Integrity, Availability) Triad: Availability – We ensure authorized people can access the data they need, when they need to.

Question 11: Incorrect

Different types of memory are made for specific tasks and functions in our hardware. Which of these are types of nonvolatile memory? (Select all that apply).
  • EEPROM (Electrically erasable programmable read only memory)
    (Correct)
  • SRAM (Static RAM)
    (Incorrect)
  • PLD (Programmable logic devices)
    (Correct)
  • DRAM (Dynamic RAM)
  • ROM (Read Only memory)
    (Correct)

Explanation

ROM (Read Only Memory) is nonvolatile (it retains its contents after power loss). EEPROM (Electrically Erasable Programmable Read Only Memory) is electrically erasable using a flashing program, but is still called read only; the ability to write to the BIOS is what makes it vulnerable to attackers. PLDs (Programmable Logic Devices) are programmable after they leave the factory (EPROM, EEPROM and flash memory). Not PROM.

Question 12: Correct

What can Redundant Array of Independent Disks (RAID) protect us against, if we are using RAID with fault tolerance?
  • Hardware failures.
  • Data loss if a single disk fails.
    (Correct)
  • Multiple disk failures happening at the same time.
  • Attackers gaining access to our data.

Explanation

Redundant Array of Independent Disks (RAID) can protect our data if we have a single disk failure; by default it does not protect against more than one. It can however be configured to survive multi-disk failure, but this is rarely done and is expensive.

Question 13: Incorrect

Which of these would be part of our Disaster Recovery Plan (DRP)?
  • What to do if our staff is hit by a pandemic like the flu.
  • Which teams and roles does what in an incident.
    (Correct)
  • Specific names of who does what in an incident.
    (Incorrect)
  • What to do if our staff goes on strike.

Explanation

Our DRP (Disaster Recovery Plan) should answer at least three basic questions: What is the objective and purpose? Who will be the people or teams responsible in case any disruptions happen? What will these people do (our procedures) when the disaster hits?

Question 14: Correct

For us to ensure CONTINUAL clean power in our data center, we would use which of these?
  • Load balancing.
  • Power Distribution Unit (PDU)
  • Uninterruptable Power Supply (UPS)
    (Correct)
  • Power Supply Unit (PSU)

Explanation

A UPS (Uninterruptible Power Supply) contains a large battery bank that will take over in a power outage; it also provides surge protection.

Question 15: Incorrect

Which type of Redundant Array of Independent Disks (RAID) configuration ALWAYS provides redundancy?
  • Disk formatting.
  • Disk segmenting.
  • Disk mirroring.
    (Correct)
  • Disk striping.
    (Incorrect)

Explanation

Disk mirroring: Writing the same data across multiple hard disks. This is slower, since the Redundant Array of Independent Disks (RAID) controller has to write all data twice, and it needs at least 2 disks. Disk striping can provide redundancy too IF it uses parity, but by default it does not.

Question 16: Correct

Which kind of type 3 authentication errors are the WORST?
  • False rejection.
  • True acceptance.
  • True acceptance.
  • False acceptance.
    (Correct)

Explanation

FAR (False accept rate) Type 2 error: Unauthorized user is granted access. This is a very serious error.

Question 17: Correct

Which of these countermeasures would be effective against rainbow tables?
  • Salting.
    (Correct)
  • Keeping hashes in plaintext.
  • Limiting login attempts.
  • Key stretching.

Explanation

Salt (Salting): Random data that is used as an additional input to a one-way function that “hashes” a password or passphrase. The primary function of salts is to defend against dictionary attacks or a pre-compiled rainbow table attack. Rainbow Tables: Pre-made list of plaintext and matching ciphertext, often passwords and matching hashes. A table can contain millions of pairs.

Question 18: Correct

Jane has been tasked with finding multifactor authentication solutions for our organization. Which of these is TRUE multifactor authentication?
  • Username and password.
  • Fingerprint and retina scan.
  • Fingerprint and password.
    (Correct)
  • Password and PIN.

Explanation

Multifactor authentication requires more than one type of authentication factor: username/password are both knowledge factors, as are password/PIN, and fingerprint/retina scans are both biometrics.

Question 19: Correct

Which of these describes Type 1 authentication?
  • Something you are.
  • Something you have.
  • Somewhere you are.
  • Something you know.
    (Correct)

Explanation

Something you know – Type 1 Authentication: passwords, pass phrase, PIN, etc., also called knowledge factors. The subject uses these to authenticate their identity: they know the secret, therefore they must be who they say they are.

Question 20: Incorrect

We have acquired a competing organization and your team is working on the risk analysis for the applications they use internally. You would use which of these as PART of your Qualitative Risk Analysis?
  • ALE, SLE and ARO.
  • A risk analysis matrix.
    (Correct)
  • Risk = threat x vulnerability.
    (Incorrect)
  • Fact based analysis.

Explanation

Qualitative Risk Analysis: This is vague, guessing, based on a feeling, and relatively quick to do. We add all our assets to a matrix and assign them values on “how likely is it to happen and how bad is it if it happens?” It is often done to know where to focus the Quantitative Risk Analysis.

Question 21: Incorrect

Looking at the governance of our organization, we can use policies, standards, procedures, or other frameworks. Which of these characteristics would BEST describe our policies?
  • Low level step-by-step guides.
  • Recommendations.
  • Non-specific, but can contain patches, updates, strong encryption.
    (Correct)
  • Specific, all laptops are W10, 64 bit, 8GB memory, etc.
    (Incorrect)

Explanation

Policies – Mandatory: High level, non-specific. They can contain "patches, updates, strong encryption", but they will not be specific about "OS, encryption type, vendor technology".

Question 22: Incorrect

Which of these protocols is the one Voice over IP (VoIP) PRIMARILY uses?
  • Transmission Control Protocol (TCP)
    (Incorrect)
  • Variable Information Protocol (VIP)
  • User Datagram Protocol (UDP)
    (Correct)
  • Border Gateway Protocol (BGP)

Explanation

VoIP uses UDP. It is connectionless; it is better to lose a packet or two than have it retransmitted half a second later.

Question 23: Incorrect

We are using server clustering on critical applications. What is the MAIN purpose of server clustering?
  • Load balancing.
  • Making configuration easier.
  • Traffic distribution.
    (Incorrect)
  • Fault tolerance.
    (Correct)

Explanation

Clustering is designed for fault tolerance; it is often combined with load balancing, but that is not innate to it. Clustering can be active/active, which is load balancing: with 2 servers, both servers actively process traffic. Active/passive: there is a designated primary active server and a secondary passive server; they are connected and the passive sends a keep-alive or heartbeat every 1-3 seconds, "are you alive, are you alive…"

Question 24: Incorrect

What is the PRIMARY reason we would implement clipping levels?
  • To allow users a few tries when they fat finger their password.
  • To prevent administrative overhead.
    (Correct)
  • To prevent password guessing.
  • To allow users to unlock their own account when they mistype their password too many times.
    (Incorrect)

Explanation

Clipping levels are in place to prevent administrative overhead. They allow authorized users who forget or mistype their password a couple of extra tries, while still preventing password guessing by locking the account for a certain time frame (for example an hour) or until it is unlocked by an administrator.

Question 25: Correct

When using the formal approval process, what is required to access data?
  • Appropriate clearance.
  • Higher clearance than the object requires and data owner approval.
  • Permission from the data owner.
  • Appropriate clearance and data owner approval.
    (Correct)

Explanation

Formal Access Approval: Document from the data owner approving access to the data for the subject. Subject must understand all requirements for accessing the data and the liability involved if compromised, lost or destroyed. Appropriate Security Clearance is required as well as the Formal Access Approval.

Question 26: Correct

We use different risk analysis approaches and tools in our risk assessments. In which type of risk analysis would you see these terms? Exposure factor (EF), Asset Value (AV), and Annual Rate of Occurrence (ARO)?
  • Residual.
  • Qualitative.
  • Quantitative
    (Correct)
  • Quadratic.

Explanation

Quantitative Risk Analysis is where we put a number on the risk: how much does it cost per time? How often does it happen? Asset Value (AV) – How much is the asset worth? Exposure factor (EF) – Percentage of Asset Value lost? Annual Rate of Occurrence (ARO) – How often will this happen each year?

Question 27: Correct

The NSA wanted to embed the clipper chip on all motherboards. Which encryption algorithm did the chip use?
  • 3DES.
  • DSA.
  • RSA.
  • Skipjack.
    (Correct)

Explanation

The Clipper chip was a chipset that was developed and promoted by the United States National Security Agency (NSA) as an encryption device that secured "voice and data messages" with a built-in backdoor. It used Skipjack, a block cipher.

Question 28: Incorrect

In which of these protocols, is IPSEC built into and NOT added on later?
  • HMAC.
  • PGP.
  • IPv6.
    (Correct)
  • IPv4.
    (Incorrect)

Explanation

IPSEC (Internet Protocol Security): Set of protocols that provide a cryptographic layer to IP traffic; for IPv4, it is bolted on. For IPv6, it is designed into the protocol.

Question 29: Correct

Attackers are using Distributed Denial Of Service (DDOS) attacks on our organization using UDP flood. How does that type of Distributed Denial Of Service (DDOS) attack work?
  • Sends many IP addresses to a router.
  • Sends many user datagram protocol packets.
    (Correct)
  • Sends many ethernet frames, each with different media access control addresses.
  • Opens many TCP sessions but never replies to the ACK from the host.

Explanation

UDP (User datagram protocol) floods are used frequently for larger bandwidth Distributed Denial Of Service (DDOS) attacks because they are connectionless and it is easy to generate UDP messages from many different scripting and compiled languages.

Question 30: Incorrect

When we use single-use passwords and one-time pads, we are using which type of authentication?
  • Something you are.
  • Something you know.
  • Something you have.
    (Correct)
  • Somewhere you are.
    (Incorrect)

Explanation

Single-use passwords and one-time pads. While they are passwords, it is something you have in your possession, not something you know.

Question 31: Incorrect

Which of these would be the PRIMARY reason we would choose to use hash functions?
  • Availability.
  • Authorization.
    (Incorrect)
  • Integrity.
    (Correct)
  • Confidentiality.

Explanation

Hash functions (one-way hash functions) are used for integrity: a variable-length plaintext is hashed into a fixed-length hash value or MD (message digest). It is used to prove that the integrity of the data has not changed; even changing a comma in a 1000-page document will produce an entirely new hash.

Question 32: Correct

On which layer of the OSI model would we consider physical security?
  • 2
  • 4
  • 1
    (Correct)
  • 3

Explanation

Layer 1: Physical Layer: wires, fiber, radio waves, hub, part of NIC, connectors (wireless).

Question 33: Correct

What is the relationship between our Business Continuity Plan (BCP) and our Disaster Recovery Plan (DRP)?
  • The BCP is a sub-plan of the DRP.
  • They are separate and completely independent plans.
  • None of these.
  • The DRP is a sub-plan of the BCP.
    (Correct)

Explanation

BCP’s often contain DRP (Disaster Recovery Plan), COOP (Continuity of Operations Plan), Crisis Communications Plan, Critical Infrastructure Protection Plan, Cyber Incident Response Plan, ISCP (Information System Contingency Plan), Occupant Emergency Plan.

Question 34: Correct

When a penetration tester is doing a black box test, how much knowledge do they have about their target?
  • Full knowledge and privileged access to systems.
  • Partial knowledge, user or vendor access level.
  • All of these.
  • No knowledge other than what is publicly available.
    (Correct)

Explanation

Black box pen testing (zero knowledge): The attacker has no knowledge about the organization other than publicly available information. They start from the point an external attacker would.

Question 35: Incorrect

Which of these types of data destruction would we use to ensure there is no data remanence on our PROM, flash memory, and SSD drives?
  • Formatting.
  • Degaussing.
  • Shredding.
    (Correct)
  • Overwriting.
    (Incorrect)

Explanation

We can’t overwrite, format or degauss PROM. The only way to ensure destruction is shredding.

Question 36: Skipped

We have just added biometrics to our access control systems, and we are seeing a lot of Type 2 authentication errors. Looking at the image, which data point would be the Type 2 errors?

  • A
    (Correct)
  • C
  • B

Explanation

FAR (False accept rate) Type 2 error: Unauthorized user is granted access. This is a very serious error.

Question 37: Correct

When attackers are war dialing, what are they trying to do?
  • Calling our dispatch trying to get information through social engineering.
  • Disrupt our wireless access points by transmitting noise on the wireless channels we use.
  • Use a modem to call different numbers, looking for an answer with a modem carrier tone.
    (Correct)
  • Driving around trying to gain access to unsecured or weak security wireless access points.

Explanation

War dialing: Uses modem to dial a series of phone numbers, looking for an answering modem carrier tone, the penetration tester then attempts to access the answering system. Not really done anymore, but know it for the exam.

Question 38: Correct

We are using social engineering. Which of these are effective types of social engineering?
  • Intimidation.
  • Urgency.
  • All of these.
    (Correct)
  • Authority.

Explanation

Social engineering is often more successful if it uses one or more of these approaches: authority, intimidation, consensus, scarcity, urgency, or familiarity.

Question 39: Correct

We are building a new data center, and we will use the new site for real-time backups of our most critical systems. In the conduits between the demarc and the new server room, there are a lot of power cables. Which type of networking cables would be the BEST to use between the demarc and the server room?
  • Fiber Ethernet.
    (Correct)
  • Copper Ethernet.
  • Wireless.
  • Coax copper.

Explanation

Fiber Optic Cables are not susceptible to EMI, so the cables can be run next to power cables with no adverse effects.

Question 40: Skipped

The US HIPAA laws have 3 core rules. Which of these is NOT one of them?
  • Breach notification rule.
  • Encryption rule.
    (Correct)
  • Privacy rule.
  • Security rule.

Explanation

HIPAA (Health Insurance Portability and Accountability Act) has 3 rules – Privacy rule, Security rule and Breach Notification rule. The rules mandate administrative, physical and technical safeguards. Risk Analysis is required.

Question 41: Correct

Acting ethically is very important, especially for IT security professionals. If we look at the IAB’s “Ethics and the Internet,” which of these behaviors does it NOT consider unethical?
  • Seeks to gain unauthorized access to resources of the internet.
  • Having fake social media profiles and accounts.
    (Correct)
  • Disrupts the intended use of the internet.
  • Compromises the privacy of users.

Explanation

IAB’s Ethics and the Internet, defined as a Request for Comment (RFC), #1087 – Published in 1987. It considered the following unethical behavior: Seeks to gain unauthorized access to the resources of the Internet. Disrupts the intended use of the Internet. Wastes resources (people, capacity, computer) through such actions. Destroys the integrity of computer-based information. Compromises the privacy of users.

Question 42: Incorrect

All of these are examples of Distributed Denial Of Service (DDOS) attacks, except one. Which of these is NOT a Distributed Denial Of Service (DDOS) attack?
  • IPSec flood.
    (Correct)
  • SYN flood.
    (Incorrect)
  • UDP flood.
  • MAC flood.

Explanation

There are many different types of Distributed Denial Of Service (DDOS) attacks, there is no such thing as an IPSec flood. UDP, SYN and MAC floods are all Distributed Denial Of Service (DDOS) attacks.

Question 43: Incorrect

We are using the OSI model to categorize attacks and threats. Which of these are COMMON layer 2 threats?
  • Ping of death.
  • Eavesdropping.
  • ARP spoofing.
    (Correct)
  • SYN floods.
    (Incorrect)

Explanation

ARP spoofing is an attack where an attacker sends fake ARP (Address Resolution Protocol) messages over a local area network. This results in associating the attacker's MAC address with the IP address of an authorized computer or server on our network.

Question 44: Incorrect

Which of these is NOT a phase of our Disaster Recovery Planning (DRP) lifecycle?
  • Preparation.
  • Succession planning.
    (Correct)
  • Recovery.
  • Mitigation.
    (Incorrect)

Explanation

DRP has a lifecycle of Mitigation, Preparation, Response and Recovery. Mitigation: Reduce the impact, and likeliness of a disaster. Preparation: Build programs, procedures and tools for our response. Response: How we react in a disaster, following the procedures. Recovery: Reestablish basic functionality and get back to full production.

Question 45: Incorrect

In a new implementation we have chosen to use Redundant Array of Independent Disks (RAID) 0 on a server. What does that tell us about the disk configuration?
  • Striping with parity.
  • Mirror set: 2 identical hard disks.
    (Incorrect)
  • Striping without parity.
    (Correct)
  • Mirroring with parity.

Explanation

RAID 0: Striping without mirroring or parity; no fault tolerance; only provides faster read/write speed; requires at least 2 disks.

Question 46: Correct

When we are doing quantitative risk analysis, what does the Asset Value (AV) tell us?
  • What it will cost us per year if we do nothing.
  • How much something is worth.
    (Correct)
  • How much of the asset is lost per incident.
  • How often that asset type is compromised per year.

Explanation

Asset Value (AV) – How much is the asset worth?

Question 47: Skipped

As part of our authentication process, we have issued our staff TOTP tokens. How do they work?
  • Does not need the clocks of the token and the server to be synchronized.
  • Generates a new password often.
    (Correct)
  • Sends us a new password when we request it, but never when we don’t.
  • Generate a password that is valid until it is used.

Explanation

Something you have – Type 2 Authentication: TOTP (Time-based One-Time Password): Time based with shared secret, often generated every 30 or 60 seconds, synchronized clocks are critical.

Question 48: Correct

Our organization has been court ordered to comply with the “Data Protection Directive” in the EU. What is one of the things we need to do in order to do that?
  • Transmit information out of the EU to countries with lower standards for storage.
  • Refuse to let individuals opt out of data sharing with 3rd party companies.
  • Notify individuals about how their data is gathered and used.
    (Correct)
  • Gather as much personal information as they can to better sell products to the individuals.

Explanation

EU Data Protection Directive: Very aggressive pro-privacy law. Organizations must notify individuals of how their data is gathered and used. Organizations must allow for opt-out for sharing with 3rd parties. Opt-in is required for sharing most sensitive data. No transmission out of EU unless the receiving country is perceived to have adequate (equal) privacy protections; the US does NOT meet this standard. EU-US Safe Harbor: optional between organization and EU.

Question 49: Correct

Which project management methodology uses a linear approach where each phase leads into the next and you can’t go back to a previous phase?
  • Agile.
  • Spiral.
  • Sashimi.
  • Waterfall.
    (Correct)

Explanation

Waterfall: Very linear, each phase leads directly into the next. The unmodified waterfall model does not allow us to go back to the previous phase.

Question 50: Correct

Our networking department is recommending we use a simplex solution for an implementation. What is one of the KEY FEATURES of simplex solutions?
  • One way communication: One system transmits, the other receives. Direction can’t be reversed.
    (Correct)
  • One way communication: one system transmits, the other receives. Direction can be reversed.
  • Both systems can send and receive at the same time.
  • Only one system on the network can send one signal at a time.

Explanation

Simplex is a one-way communication (one system transmits, the other listens).

Question 51: Correct

We need to get rid of some old hard drives, and we need to ensure proper data disposal and no data remanence. Which of these options has NO known tools that can restore the data once that specific disposal process has been used?
  • Overwriting.
    (Correct)
  • Deleting files.
  • Formatting the hard drive.
  • Installing a new OS over the old one.

Explanation

We can still recover files from deleted, formatted or reinstalled drives. Overwriting is done by writing 0s or random characters over the data. As far as we know there is no tool available that can recover even single-pass overwriting (not possible on damaged media).

Question 52: Correct

We have implemented contactless ID cards in our organization. Which type of technology do they use?
  • Magnetic stripe.
  • Redundant Array of Independent Disks (RAID).
  • RFID.
    (Correct)
  • RIPE.

Explanation

Contactless cards can be read by proximity: key fobs or credit cards where you just hold the card close to a reader. They use an RFID (Radio Frequency Identification) tag (transponder) which is then read by an RFID transceiver.

Question 53: Correct

When we list the Minimum Operating Requirements (MOR) for a system in our business impact analysis (BIA), what should it contain?
  • The required time to fully configure a system.
  • The maximum tolerable downtime.
  • Minimum specs for the system to function.
    (Correct)
  • How long is the maximum organizational redundancy.

Explanation

Minimum Operating Requirements (MOR): The minimum environmental and connectivity requirements for our critical systems to function; it can also at times include minimum system requirements for DR sites. We may not need a fully spec'ed system to resume the business functionality.

Question 54: Correct

As part of a security audit, we have found some security flaws. The IT Security team has been asked to suggest mitigation strategies using the OSI model. Which of these would address layer 7 issues?
  • Access Lists.
  • Shut down open unused ports.
  • Start using application firewalls.
    (Correct)
  • Installing UPSes in the data center.

Explanation

Application layer firewalls are on the 7th OSI layer. The key benefit of application layer firewalls is that they can understand certain applications and protocols. They see the entire packet; the packet isn't decrypted until layer 6, so any other firewall can only inspect the packet, not the payload. They can detect if an unwanted application or service is attempting to bypass the firewall using a protocol on an allowed port, or detect if a protocol is being used in any malicious way.

Question 55: Correct

We need to ensure we are compliant with all the laws and regulations of all the states, territories, and countries we operate in. How are the security breach notification laws in the US handled?
  • Mandatory for states to have.
  • Handled by the individual organizations.
  • Federal.
  • Handled by the individual states.
    (Correct)

Explanation

Security Breach Notification Laws. NOT Federal. 48 states have individual laws. Know the one for your state (none in Alabama and South Dakota). They normally require organizations to inform anyone who had their PII compromised. Many states have an encryption clause where lost encrypted data may not require disclosure.

Question 56: Correct

In our software testing, if we are doing a white box test, how much information would we have?
  • Just the software, no source code.
  • The software, source code, data structures and variables.
    (Correct)
  • A version of the software, but only the cripple ware version.
  • User logs, access entries and project plan.

Explanation

White box software testing: The tester has full access to program source code, data structures, variables, etc.

Question 57: Correct

The CIA triad is one of the foundational pieces of IT Security. We want to find the right mix of confidentiality, integrity and availability and we want to ensure none of the legs are compromised. Which of these is NOT one of the CIA triad opposites?
  • Aggregation.
    (Correct)
  • Destruction.
  • Disclosure.
  • Alteration.

Explanation

The CIA (Confidentiality, Integrity, Availability) Triad: Confidentiality – We keep our data and secrets secret. Integrity – We ensure the data has not been altered. Availability – We ensure authorized people can access the data they need, when they need to.

Question 58: Incorrect

With newer CPUs (Central Processing Units) we can use pipelining, where each processor cycle does multiple tasks. Which of these are functions the CPU performs? (Select all that apply).
  • Fetch.
    (Correct)
  • Combine.
    (Incorrect)
  • Store.
    (Correct)
  • Decode.
    (Correct)
  • Retrieve.
  • Execute.
    (Correct)

Explanation

CPU (Central Processing Unit): uses Fetch, Decode, Execute, and Store. Fetch – Gets the instruction from memory into the processor. Decode – Internally decodes what it is instructed to do. Execute – Performs the operation (for example add or subtract) on the values in the registers. Store – Stores the result back into another register (retiring the instruction). Pipelining – Combining multiple steps into one process; the CPU can Fetch, Decode, Execute and Store in the same clock cycle.

Question 59: Correct

As part of our data disposal process, we overwrite all of the disks multiple times with random 0s and 1s. Sometimes that is NOT an option. When would that be?
  • When the disk is still in the system.
  • When the disk is damaged.
    (Correct)
  • When it involves spinning disk hard drives.
  • When it involves SSD drives.

Explanation

Overwriting is done by writing 0s or random characters over the data. As far as we know, there is no tool available that can recover data after even a single-pass overwrite. Overwriting is not possible on damaged media.

Question 60: Correct

We are building a new data center and the walls must be slab-to-slab. What does that mean?
  • The wall is from the real floor to the sub ceiling.
  • The wall is from the top of the subfloor to the sub ceiling.
  • The wall is made of slabs.
  • The wall is from the real floor to the real ceiling.
    (Correct)

Explanation

Walls should be “slab to slab” (from the REAL floor to the REAL ceiling); if subflooring or sub ceilings are used, then they should be contained within the slab to slab walls.

Question 61: Correct

There are many different types of attacks on intellectual property. Which of these is a COMMON type of attack on trademarks?
  • Someone using your protected design in their products.
  • Software piracy.
  • There are none. This is security through obscurity. If discovered, anyone is allowed to use it.
  • Counterfeiting.
    (Correct)

Explanation

The most common attack against trademarks is counterfeiting: fake Rolexes, Prada, Nike, Apple products; either using the real name or a very similar name.

Question 62: Correct

We have, for many years, used dogs as part of our physical security. However, we are considering implementing other physical security measures and stopping the use of dogs. Which of these could be the reason we would consider NOT using dogs anymore?
  • They can cause liability issues.
    (Correct)
  • They are always friendly.
  • They are not very good at deterring.
  • It is expensive.

Explanation

Dogs (Deterrent, Detective, Compensating): Most often used in controlled, enclosed areas. Liability can be an issue. Dogs are trained to corner suspects and attack someone who’s fleeing. People often panic when they encounter a dog and run. Even if they’re in a secure area, the organization may still be liable for injuries.

Question 63: Incorrect

We can use smart cards, tokens, passports, and IDs for which type of authentication?
  • Type 5.
  • Type 3.
    (Incorrect)
  • Type 2.
    (Correct)
  • Type 1.

Explanation

Something you have – Type 2 Authentication: ID, passport, smart card, token, cookie on PC; these are called Possession factors.

Question 64: Skipped

We have hired an IT security firm to do penetration testing on our organization. Which of these could be something they would use?
  • Threats.
  • Rootkits.
  • Crowbars.
  • Kali Linux.
    (Correct)

Explanation

Kali Linux is a Linux distribution designed for penetration testers and hackers; it is a toolkit bundling many different attack tools.

Question 65: Skipped

When an attacker is using Distributed Denial Of Service (DDOS) attacks, which leg of the CIA Triad is that meant to disrupt?
  • Confidentiality.
  • Availability.
    (Correct)
  • Accountability.
  • Integrity.

Explanation

When we get hit by a Distributed Denial Of Service (DDOS) attack, it disrupts our availability, but not integrity or confidentiality.

Question 66: Skipped

As part of our annual security audit we hired a pen testing company. What could be some of the tools they would use?
  • Cutting power cables.
  • Force against employees.
  • Social engineering.
    (Correct)
  • Access control lists.

Explanation

Social engineering is often the easiest way for pen testers to get the initial foothold on our network.

Question 67: Skipped

What is the ISO 27002 standard focused on?
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Risk management.
  • Protecting Protected Health Information (PHI).
  • Information Security Management System (ISMS).
    (Correct)

Explanation

ISO 27002: (From BS 7799, 1/2, ISO 17799) Provides practical advice on how to implement security controls. It focuses on Information Security Management Systems (ISMS).

Question 68: Skipped

If we are looking for information on a specific system’s hardware, which of our plans could we find that in?
  • Disaster Recovery Plan (DRP)
    (Correct)
  • Business Continuity Plan (BCP)
  • Network Recovery Program (NRP)
  • Border Gateway Protocol (BGP)

Explanation

DRP (Disaster Recovery Plan): Often the “how” and system specific, while the BCP is more the “what” and non-system specific. This is the process of creating the short-term plans, policies, procedures and tools to enable the recovery or continuation of vital IT systems in a disaster. It focuses on the IT systems supporting critical business functions, and how we get those back up after a disaster. The DRP is a subset of our BCP. We look at what we would do if we get hit with a Distributed Denial Of Service (DDOS) attack, if a server gets compromised, if we experience a power outage, etc.

Question 69: Skipped

In our best practice password policy, which of these would be allowed?
  • Minimum length passwords.
    (Correct)
  • Family members’ names.
  • Birthdays.
  • Whole dictionary words.

Explanation

Passwords should never contain: The name of a pet, child, family member, or significant other, anniversary dates, birthdays, birthplace, favorite holiday, something related to a favorite sports team, or the word “password.” Winter2017 is not a good password, even if it does fulfill the password requirements. Official recommendations by the U.S. Department of Defense and Microsoft: password history = set to remember 24 passwords; maximum password age = 90 days; minimum password age = 2 days (to prevent users from cycling through 24 passwords to return to their favorite password again). Minimum password length = 8 characters. Passwords must meet complexity requirements = true. Store password using reversible encryption = false.

Question 70: Skipped

Which of these types of memory keeps the data they store, as long as they have power and the data is NOT overwritten?
  • SDRAM.
  • ROM.
  • SRAM.
    (Correct)
  • DRAM.

Explanation

SRAM (Static RAM): Fast and expensive. Uses latches to store bits (Flip-Flops). Does not need refreshing to keep data, keeps data until power is lost. This can be embedded on the CPU.

Question 71: Skipped

As part of our software testing, we are performing regression testing. What does that mean?
  • Processes and security alerts when encountering errors.
  • Lost or missing features after major code changes.
    (Correct)
  • Interfaces between components in the software.
  • That the software installs correctly on the customers hardware.

Explanation

Regression testing: Finding defects after a major code change has occurred. Looks for software regressions, such as degraded or lost features, including old bugs that have come back.

Question 72: Skipped

What could be a type of physical access control that we would use, to prevent cars and vans from entering our perimeter?
  • Bollards.
    (Correct)
  • Motion sensors.
  • Cameras.
  • Lights.

Explanation

Bollards (Preventative): Used to prevent cars or trucks from entering an area while allowing foot traffic to pass. Often, shops use planters or similar; it looks prettier, but achieves the same goal. Most are static heavy-duty objects, but some cylindrical versions can also be electronically raised or lowered to allow authorized traffic past a “no traffic” point. Some are permanent fixtures, while others can be removed with a key or other unlock function.

Question 73: Skipped

We are implementing new networking infrastructure in our organization. The new infrastructure is using Carrier-sense multiple access with collision detection (CSMA/CD). What are we implementing?
  • Extranet.
  • Internet.
  • Ethernet.
    (Correct)
  • Wireless.

Explanation

CSMA/CD (Carrier Sense Multiple Access Collision Detection): Used for systems that can send and receive at the same time, like Ethernet. If two clients listen at the same time and see the line is clear, they can both transmit at the same time, causing collisions; CD is added to help with this scenario. Clients listen to see if the line is idle, and if idle, they send; if in use, they wait a random amount of time (milliseconds). While transmitting, they monitor the network. If more input is received than sent, another workstation is also transmitting, and they send a jam signal to tell the other nodes to stop sending, and wait for a random amount of time before starting to retransmit.

Question 74: Skipped

We are using RAID-5 (Redundant Array of Independent Disks) on one of our servers. RAID-5 uses at least how many disks?
  • 1
  • 2
  • 4
  • 3
    (Correct)

Explanation

RAID 5: Block level striping with distributed parity, requires at least 3 disks. Combines speed with redundancy.
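To make “block level striping with distributed parity” and the 3-disk minimum concrete, here is a toy RAID 5 model added for this explanation (it is not code from the practice test or any storage product). Each stripe holds n-1 data blocks plus one XOR parity block, the parity position rotates from stripe to stripe, and a single failed disk is rebuilt from the survivors. The payload string and block size are constructed sample values.

```python
"""Toy RAID 5 model: block-level striping with distributed (rotating) parity.

Added example, not from the practice test: it shows why RAID 5 needs at least
three disks and how one failed disk is rebuilt from the others with XOR.
"""
from typing import List, Optional

Disk = List[Optional[bytes]]   # one entry per stripe; None models a failed disk


def xor_blocks(blocks: List[bytes]) -> bytes:
    """XOR equal-length blocks byte by byte; XOR parity is what RAID 5 stores."""
    out = bytearray(blocks[0])
    for blk in blocks[1:]:
        for i, b in enumerate(blk):
            out[i] ^= b
    return bytes(out)


def raid5_write(data: bytes, n_disks: int, block_size: int) -> List[Disk]:
    """Stripe data across n_disks with one parity block per stripe.

    Parity rotates (stripe s puts its parity on disk (n_disks-1-s) mod n_disks), which
    is what 'distributed parity' means and what separates RAID 5 from RAID 4.
    """
    if n_disks < 3:
        raise ValueError("RAID 5 needs at least 3 disks: 2 data + 1 parity per stripe")
    data_per_stripe = n_disks - 1
    stripe_bytes = data_per_stripe * block_size
    padded = data + b"\x00" * (-len(data) % stripe_bytes)   # fill the last stripe
    disks: List[Disk] = [[] for _ in range(n_disks)]
    for s in range(len(padded) // stripe_bytes):
        chunk = padded[s * stripe_bytes:(s + 1) * stripe_bytes]
        blocks = [chunk[i * block_size:(i + 1) * block_size] for i in range(data_per_stripe)]
        parity_disk = (n_disks - 1 - s) % n_disks
        data_iter = iter(blocks)
        for d in range(n_disks):
            disks[d].append(xor_blocks(blocks) if d == parity_disk else next(data_iter))
    return disks


def raid5_rebuild(disks: List[Disk], failed: int) -> Disk:
    """Reconstruct the failed disk: every block (data or parity alike) is the XOR
    of the other disks' blocks in the same stripe."""
    n_stripes = len(disks[(failed + 1) % len(disks)])
    return [xor_blocks([disks[d][s] for d in range(len(disks)) if d != failed])
            for s in range(n_stripes)]


def raid5_read(disks: List[Disk], length: int, block_size: int) -> bytes:
    """Read the logical data back, skipping the parity block in each stripe."""
    n_disks = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        parity_disk = (n_disks - 1 - s) % n_disks
        for d in range(n_disks):
            if d != parity_disk:
                out += disks[d][s]
    return bytes(out[:length])


if __name__ == "__main__":
    payload = b"CISSP practice: RAID 5 survives one failed disk"   # constructed sample
    disks = raid5_write(payload, n_disks=3, block_size=4)
    disks[1] = [None] * len(disks[1])           # simulate disk 1 failing
    disks[1] = raid5_rebuild(disks, failed=1)   # rebuild it from disks 0 and 2
    assert raid5_read(disks, len(payload), 4) == payload
    print("rebuilt OK")
```

Losing a second disk before the rebuild finishes leaves two unknowns per stripe and one parity equation, which is why RAID 5 tolerates exactly one failure.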

Question 75: Skipped

You have been tasked with looking at PURELY physical security controls for a new implementation. Which of these would you consider using?
  • Dogs.
    (Correct)
  • Regulations.
  • Access lists.
  • Biometric authentication.

Explanation

Dogs are a physical security control. Access lists and biometrics are technical and regulations are administrative.

Question 76: Skipped

In which order would these recovery site options be ranked from the highest to the lowest cost?
  • Redundant > Hot > Warm > Cold.
    (Correct)
  • Redundant > Warm > Hot > Cold.
  • Redundant > Hot > Cold > Warm.
  • Cold > Warm > Hot > Redundant.

Explanation

Redundant site: Complete identical site to our production, receives a real time copy of our data. Hot site: Similar to the redundant site, but only houses critical applications and systems, often on lower spec’d systems. Warm site: Similar to the hot site, but not with real or near-real time data, often restored with backups. Cold site: No hardware or backups are at the cold site, they require systems to be acquired, configured and applications loaded and configured.

Question 77: Skipped

We are adding random data to our password hashes, to prevent attackers from successfully using rainbow table and dictionary attacks. What are we adding to the hash function?
  • Clipping levels.
  • Nonce.
  • Salting.
    (Correct)
  • Key stretching.

Explanation

Salting is random data that is used as an additional input to a one-way function that hashes a password or passphrase.

Question 78: Skipped

Which of these is NOT a type of open-source software licensing?
  • BSD.
  • GNU.
  • Apache.
  • Oracle.
    (Correct)

Explanation

Open source software can be protected by a variety of licensing agreements. GNU (General Public License), BSD (Berkeley Software Distribution) and Apache are all examples of this.

Question 79: Skipped

There are many types of financially motivated attacks. Which of these attacks is normally NOT one of them?
  • Phishing attacks.
  • Ransomware attacks.
  • Stealing trade secrets.
  • Distributed Denial Of Service (DDOS) attacks.
    (Correct)

Explanation

Distributed Denial Of Service (DDOS) normally does not benefit an attacker financially; the motivation is often revenge, disagreement with a decision or just to prove the attacker can.

Question 80: Skipped

Without using anything to trick our systems, an unauthorized individual is allowed access using our biometric authentication. This is an example of what?
  • FAR.
    (Correct)
  • CER.
  • FRR.
  • CRR.

Explanation

FAR (False accept rate) Type 2 error: Unauthorized user is granted access. This is a very serious error.

Question 81: Skipped

We are choosing a site to build a new data center and offices in. Which of these would NOT be a valid security concern?
  • Crime in the area.
  • Whether the area is prone to flooding.
  • How good the utilities are.
  • How pretty the area is.
    (Correct)

Explanation

Site Selection: Greenfield: Not built on yet; undeveloped land. Topography: the physical shape of the landscape – hills, valleys, trees, streams. Most often used in military sites where they can leverage (sometimes by altering) the topography for higher security. Utilities: How reliable are the power and the internet in the area? Crime: How high are the crime rates in the area? How close are the police?

Question 82: Skipped

Which type of authentication is the WORST to have compromised, because we are unable to reissue it?
  • Type 1.
  • Type 2.
  • Type 3.
    (Correct)
  • Type 4.

Explanation

Something you are – Type 3 Authentication (Biometrics): Lost passwords and ID cards can be replaced with new different ones. Biometrics can’t. You can’t change your fingerprints; once compromised they are always compromised.

Question 83: Skipped

When an attacker is using a brute force attack to break a password, what are they doing?
  • Trying every possible key to, over time, break any encryption.
    (Correct)
  • Looking at common letter frequency to guess the plaintext.
  • Trying to recover the key without breaking the encryption.
  • Looking at the hash values and comparing it to thousands or millions of pre-calculated hashes.

Explanation

Brute Force: Using the entire key space (every possible key); with enough time, any plaintext can be decrypted. Effective against all key-based ciphers except the one-time pad; it would eventually decrypt it, but it would also generate so many false positives that the data would be useless.

Question 84: Skipped

In our physical access control, we use gates and fences to ensure what happens?
  • Ensure entry and exit from our facility only happens through the gates.
    (Correct)
  • Prevent employees from safely exiting in an emergency.
  • Allow employees to safely exit in an emergency.
  • Allow easy entry and exit from our facility.

Explanation

Fences (Deterrence, Preventative): Smaller fences such as 3ft. (1m) can be a deterrence, while taller ones, such as 8ft. (2.4m) can be a prevention mechanism. The purpose of the fences is to ensure that entrances/exits from the facility happen through only a few entry points (doors, gates, turnstiles). Gates (Deterrence, Preventative): Placed at control points at the perimeter. Used with the fences to ensure that access only happens through a few entry points.

Question 85: Skipped

What is another term we could use for penetration testing?
  • Ethical hacking.
    (Correct)
  • Fracking.
  • Black hat hacking.
  • Gray hat hacking.

Explanation

Penetration Testing (Pen Testing), also called ethical hacking or white hat hacking. Tests whether the vulnerabilities are exploitable.

Question 86: Skipped

Which type of disaster would we classify an earthquake as?
  • Preventative.
  • Human.
  • Natural.
    (Correct)
  • Environmental.

Explanation

Natural: Anything caused by nature; this could be earthquakes, floods, snow, tornadoes, etc. They can be very devastating, but are less common than the other types of threats.

Question 87: Skipped

In our fuzz testing, we analyze data and change the fuzz input iteratively. What is this called?
  • Mitigation fuzzing.
  • Migration fuzzing.
  • Mutilation fuzzing.
  • Mutation fuzzing.
    (Correct)

Explanation

Fuzzing (Fuzz testing): Testing that provides a lot of different inputs, to try to cause unauthorized access or to make the application enter an unpredictable state or crash. If the program crashes or hangs, the fuzz test has failed. The fuzz tester can enter values into the script or use pre-compiled random or specific values. Mutation fuzzing – The tester analyzes real input data and modifies it iteratively.
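The following is an added example of mutation fuzzing in the sense the explanation describes (it is not code from the practice test or from any fuzzing tool): real, valid records are the seeds, each iteration mutates one of them, and any input that makes the target crash is recorded. The target, parse_record(), is a constructed toy parser with a deliberate bounds bug so that the fuzzer has something to find; the record format and the seeds are this example’s own.

```python
"""Minimal mutation fuzzer (added example, not from the practice test).

The target is a constructed 'length:payload' parser with one deliberate bug: it
trusts the declared length and indexes past the end of the payload. The fuzzer
starts from valid seeds, mutates them iteratively and reports unexpected exceptions.
"""
import random
from typing import List, Tuple


def parse_record(data: bytes) -> bytes:
    """Toy target. Documented rejection: ValueError for a malformed header.
    Deliberate bug: payload[n - 1] raises IndexError when n exceeds the payload."""
    head, sep, payload = data.partition(b":")
    if not sep:
        raise ValueError("missing separator")
    n = int(head)               # ValueError on a non-numeric header (expected behaviour)
    payload[n - 1]              # "check the last byte": IndexError when n is too large
    return payload[:n]


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """One random mutation: bit flip, byte overwrite, byte insertion or deletion."""
    buf = bytearray(seed)
    choice = rng.randrange(4)
    if choice == 0 and buf:
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif choice == 1 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif choice == 2:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif choice == 3 and len(buf) > 1:
        del buf[rng.randrange(len(buf))]
    return bytes(buf)


def fuzz(seeds: List[bytes], iterations: int, rng_seed: int = 1) -> List[Tuple[bytes, str]]:
    """Mutation-fuzz the target and return (input, exception name) pairs that crashed it.

    ValueError is the parser's documented way of rejecting bad input, so it is not a
    finding; any other exception is. Inputs that survive join the corpus so later
    mutations build on them (the 'iterative' part of mutation fuzzing).
    """
    rng = random.Random(rng_seed)          # fixed seed keeps a run reproducible
    corpus = list(seeds)
    findings: List[Tuple[bytes, str]] = []
    for _ in range(iterations):
        candidate = mutate(rng.choice(corpus), rng)
        try:
            parse_record(candidate)
            corpus.append(candidate)
        except ValueError:
            pass
        except Exception as exc:           # crash: record the exact input that caused it
            findings.append((candidate, type(exc).__name__))
    return findings


if __name__ == "__main__":
    seeds = [b"5:hello", b"3:abc"]         # constructed valid records
    for bad_input, exc_name in fuzz(seeds, iterations=2000)[:5]:
        print(exc_name, bad_input)
```

Each recorded input is a reproducer: feeding it back to parse_record() raises the same IndexError, which is what turns a fuzzer hit into a bug report the developers can act on.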

Question 88: Skipped

As part of our fault tolerance strategy we are using remote journaling. What does that do?
  • Sends transaction log files to a remote location, not the files themselves.
    (Correct)
  • Using a remote backup service, sends backups off-site at a certain time interval.
  • Sends copies of the database to backup tapes.
  • Sends an exact database or file copy to another location.

Explanation

Remote journaling: Sends transaction log files to a remote location, not the files themselves. The transactions can be rebuilt from the logs if we lose the original files.

Question 89: Skipped

In which type of access control do subjects have clearances and objects have labels?
  • Discretionary Access Control (DAC)
  • Role-Based Access Control (RBAC)
  • Rule-Based Access Control (RUBAC)
  • Mandatory Access Control (MAC)
    (Correct)

Explanation

MAC (Mandatory Access Control): Often used when confidentiality is most important. Access to an object is determined by labels and clearance. This is often used in the military or in organizations where confidentiality is very important.

Question 90: Skipped

PINs, passwords, and passphrases are all which type of authentication?
  • Type 5.
  • Type 2.
  • Type 3.
  • Type 1.
    (Correct)

Explanation

Something you know – Type 1 Authentication: passwords, pass phrase, PIN, etc., also called knowledge factors. The subject uses these to authenticate their identity: they know the secret, therefore they must be who they say they are.

Question 91: Skipped

We are using DAC (Discretionary Access Control) in our organization. What is DAC based on?
  • The job role of the user.
  • The discretion of the object owner.
    (Correct)
  • IF/THEN statements.
  • Labels and clearance.

Explanation

DAC (Discretionary Access Control): Often used when Availability is most important. Access to an object is assigned at the discretion of the object owner. The owner can add and remove rights; commonly used by most OSs. Uses DACLs (Discretionary ACLs), based on user identity.

Question 92: Skipped

In a Business Impact Analysis (BIA) assessment, which of these statements would be acceptable?
  • RTO > MTD
  • MTD ≥ RTO + WRT
    (Correct)
  • WRT + MTD < RTO
  • MTD < WRT + RTO

Explanation

MTD ≥ RTO + WRT: The time to rebuild the system and configure it for reinsertion into production must be less than or equal to our MTD.

Question 93: Skipped

Which type of networking circuits would we use to ensure the traffic ALWAYS uses the same path?
  • Full traffic switching.
  • Packet switching.
  • Weighted routing tables.
  • Circuit switching.
    (Correct)

Explanation

Circuit switching – Expensive, but always available; used less often. A dedicated communications channel through the network. The circuit guarantees the full bandwidth. The circuit functions as if the nodes were physically connected by a cable.

Question 94: Skipped

Our Disaster Recovery Plan (DRP) is a subplan of our Business Continuity Plan (BCP), and the DRP lifecycle has 4 distinct phases. What are those 4 phases? (Select all that apply).
  • Recovery.
    (Correct)
  • Action.
  • Response.
    (Correct)
  • Failback.
  • Mitigation.
    (Correct)
  • Preparation.
    (Correct)

Explanation

The DRP has a lifecycle of Mitigation, Preparation, Response and Recovery. Mitigation: Reduce the impact and likelihood of a disaster. Preparation: Build programs, procedures and tools for our response. Response: How we react in a disaster, following the procedures. Recovery: Reestablish basic functionality and get back to full production.

Question 95: Skipped

We are adding hashing to our passwords. Which of these is a hashing function we could consider?
  • DES.
  • RSA.
  • Salting.
  • RIPEMD.
    (Correct)

Explanation

Hash Functions: RIPEMD: Developed outside of defense to ensure no government backdoors. 128, 256, 320 bit hashes. Not widely used. No longer secure.

Question 96: Skipped

Health care systems in the US must be HIPAA compliant. What is HIPAA an abbreviation of?
  • Health Insurrection Portability and Accountability Act.
  • Health Information Portability and Accountability Act.
  • Health Information Portability and Authorization Act.
  • Health Insurance Portability and Accountability Act.
    (Correct)

Explanation

HIPAA is the Health Insurance Portability and Accountability Act.

Question 97: Skipped

We are using a hot site secondary data center as part of DR (Disaster Recovery) plan. What would we have at the hot site?
  • Internet, power, racks, but no servers or applications installed.
  • Internet, power, racks, servers, applications installed and real-time or near real-time copies of the data.
    (Correct)
  • Internet, power, racks, servers, but no applications installed.
  • Internet, power, racks, servers and applications, but no backups.

Explanation

Hot site: Similar to the redundant site, but only houses critical applications and systems, often on lower spec’d systems. Still often a smaller but a full data center, with redundant UPS’, HVACs, ISPs, generators. We may have to manually fail traffic over, but a full switch can take an hour or less. Near or real-time copies of data.

Question 98: Skipped

When we design our defense in depth, we use multiple overlapping controls. Which of these is a type of preventative access control?
  • Backups.
  • Encryption.
    (Correct)
  • Patches.
  • Intrusion detection systems.

Explanation

Preventative access control: Prevents action from happening – Least Privilege, Drug Tests, IPS, Firewalls, Encryption.

Question 99: Skipped

Which of these should NOT be part of our proper hardware disposal procedures?
  • Deleting all files on the hard drive.
    (Correct)
  • Disk crushing.
  • Degaussing.
  • Overwriting all bits on the disks with 0s.

Explanation

Deleting a file just removes it from the file table. Everything is still recoverable. Crushing, degaussing and overwriting should all be non-recoverable.

Question 100: Skipped

When is it appropriate to install and use backdoors and maintenance hooks?
  • When it makes it easier for the administrators to use the software.
  • Never.
  • When it is easier for the users to use the software.
  • When the code is still in development.
    (Correct)

Explanation

Backdoors: Often installed by attackers during an attack to allow them access to the systems after the initial attack is over, to continue exfiltrating data over time, or to come back and compromise other systems. Bypassing normal authentication or encryption in a computer system, a product, or an embedded device, etc. Backdoors are often used for securing remote access to a computer, or obtaining access to plaintext in cryptographic systems.

Question 101: Skipped

What would be a reason to do misuse case testing on our software?
  • To see how well the software installs on certain hardware systems.
  • To expose the system to normal user traffic and use.
  • To ensure all exposed interfaces are tested.
  • Because attackers do not act like normal users, we need to test against that.
    (Correct)

Explanation

Misuse Case Testing: Executing a malicious act against a system, attackers won’t do what normal users would, we need to test misuse to ensure our application or software is safe.

Question 102: Skipped

When we are talking about data remanence, what does that refer to?
  • Data left over after normal removal and deletion.
    (Correct)
  • Files saved locally and not on a remote storage device.
  • All the data on our systems.
  • Data we are actively using and therefore can’t encrypt.

Explanation

Data Remanence: Data left over after normal removal and deletion of data.

Question 103: Skipped

A pen tester is calling one of our employees. The pen tester explains to the employee the company will be hit with a lawsuit if he won’t do what he is told. Which type of social engineering is the pen tester using?
  • Familiarity.
  • Intimidation.
    (Correct)
  • Scarcity.
  • Authority.

Explanation

Social engineering uses people skills to bypass security controls. Intimidation (if you don’t comply, something bad happens) – a virus on the network, a compromised credit card, a lawsuit against your company; intimidation is most effective with impersonation and vishing attacks.

Question 104: Skipped

If we want to implement a type of encryption that uses discrete logarithms, which of these could we choose?
  • ECC.
    (Correct)
  • AES.
  • DES.
  • Twofish.

Explanation

Elliptic Curve Cryptography (ECC) is a one-way function that uses discrete logarithms applied to elliptic curves. Much stronger per bit than normal discrete logarithms.

Question 105: Skipped

We have decided to change the type of hashing we use to a newer version that is collision resistant. What happens when a hash collision occurs?
  • A variable-length text produces a fixed-length hash.
  • The same plain text produces two different hashes using the same hash function.
  • When two different plaintexts produce the same hash.
    (Correct)
  • You can figure out the plain text from the hash.

Explanation

Collisions: When 2 hashes of different data provide the same hash. It is possible, but very unlikely.

Question 106: Skipped

We use many different names for different types of networks. When our engineers are talking about the extranet, what are they referring to?
  • The local area network we have in our home.
  • The global collection of peered WAN networks, often between ISPs or long haul providers.
  • Connected private intranets often between business partners or parent/child companies.
    (Correct)
  • An organization’s privately owned and operated internal network.

Explanation

An Extranet is a connection between private Intranets, often connecting business partners’ Intranets.

Question 107: Skipped

Which generation of programming languages often uses a graphical user interface and drag and drop for generating the actual code?
  • 3rd generation.
  • 1st generation.
  • 4th generation.
    (Correct)
  • 2nd generation.

Explanation

4th Generation languages (4GL): Often uses a GUI, drag and drop, and then generating the code, often used for websites, databases and reports.

Question 108: Skipped

Which of these is NOT related to security misconfigurations (OWASP A5)?
  • Not applying patches.
  • Keeping default logins and passwords.
  • Using deprecated objects or code.
    (Correct)
  • Misconfigured databases.

Explanation

While using deprecated objects or code is a security issue, it is OWASP A9, Using Components with Known Vulnerabilities. A5 Security Misconfiguration would be databases configured incorrectly, not removing out-of-the-box default access and settings, keeping default usernames and passwords, and OS, web server, DBMS, applications, etc. not patched and up to date. Unnecessary features are enabled or installed; this could be open ports, services, pages, accounts, privileges, etc.

Question 109: Skipped

In a new data center implementation, we are wanting to use IPv6 addresses. Which of these statements are TRUE about IPv6 addresses? (Select all that apply).
  • They are 128 bit binary.
    (Correct)
  • They use broadcast addresses.
  • They can use EUI/MAC48 addresses, by adding fffe in the middle of the mac address.
    (Correct)
  • They are 32-bit binary.
  • They use the fe80: prefix for link local addresses.
    (Correct)

Explanation

IPv6 is 128-bit binary, often expressed in hexadecimal numbers (using 0-9 and a-f); for Link Local addresses we add the fe80: prefix to an address, and for EUI/MAC48 addresses we add “fffe” to make it an EUI/MAC64 address.
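As an added example (not code from the practice test), the conversion the explanation describes, carried out in Python with the standard ipaddress module: the 48-bit MAC is split in two, fffe is inserted in the middle to form the 64-bit interface identifier, and the fe80: prefix is added for the link-local address. It also applies the universal/local bit flip that the EUI-64 procedure (RFC 4291) requires, a step the explanation above leaves out, and includes the reverse mapping for auditing. The MAC address used is a constructed sample.

```python
"""MAC-48 to modified EUI-64 and IPv6 link-local (added example, not from the test).

Shows the 'insert fffe in the middle' step plus the universal/local bit flip that
RFC 4291 also requires, and the reverse mapping used when auditing addresses.
"""
import ipaddress

LINK_LOCAL_PREFIX = bytes.fromhex("fe80") + b"\x00" * 6   # fe80::/64, network part only


def mac_to_eui64(mac: str) -> bytes:
    """Split the 48-bit MAC into two halves, insert 0xFFFE between them, and
    invert the universal/local bit (bit 1 of the first byte)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return bytes(eui)


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """Link-local address = fe80::/64 prefix + modified EUI-64 interface identifier."""
    return ipaddress.IPv6Address(LINK_LOCAL_PREFIX + mac_to_eui64(mac))


def mac_from_link_local(addr: str) -> str:
    """Reverse the process: drop fffe, re-flip the U/L bit, return the MAC.

    Useful when reviewing address plans, because an EUI-64 derived address reveals
    the hardware address (and therefore the vendor) of the interface behind it.
    """
    packed = ipaddress.IPv6Address(addr).packed
    if packed[:8] != LINK_LOCAL_PREFIX or packed[11:13] != b"\xff\xfe":
        raise ValueError("not an EUI-64 derived fe80:: address")
    first = packed[8] ^ 0x02
    mac = bytes([first]) + packed[9:11] + packed[13:16]
    return ":".join(f"{b:02x}" for b in mac)


if __name__ == "__main__":
    sample_mac = "00:1c:42:ab:cd:ef"     # constructed sample MAC address
    ll = link_local_from_mac(sample_mac)
    print(ll)                            # fe80::21c:42ff:feab:cdef
    print(mac_from_link_local(str(ll)))  # back to 00:1c:42:ab:cd:ef
```

Because the MAC is recoverable from such an address, hosts that should not expose a stable hardware identifier on the link use opaque interface identifiers (RFC 7217) or temporary addresses instead; the reverse function above is a quick way to spot which addresses still embed one.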

Question 110: Skipped

All but one of these are networking topologies we could use in our design. Which is NOT a network topology?
  • Mesh
  • Matrix.
    (Correct)
  • Ring.
  • Star.

Explanation

Matrix is not a network topology. Ring, Mesh and Star are network topologies.

Question 111: Skipped

Which are the COMMON US military clearance levels?
  • Top secret, secret, sensitive, public.
  • Top secret, secret, internal, unclassified.
  • Secret, top secret, confidential, public.
  • Secret, confidential, unclassified, top secret.
    (Correct)

Explanation

The US military uses: Top-secret, secret, confidential and unclassified.

Question 112: Skipped

When we talk about data, we look at the 3 states it can be in. In which of those states, are we unable to protect the data by using encryption?
  • Data at rest.
  • Data on backup tapes.
  • Data in motion.
  • Data in use.
    (Correct)

Explanation

Data in Use: (We are actively using the files/data, it can’t be encrypted). Use good practices: Clean Desk policy, Print Policy, Allow no ‘Shoulder Surfing’, maybe the use of view angle privacy screen for monitors, locking computer screen when leaving workstation.

Question 113: Skipped

We have just signed a contract with a vendor for a Software as a Service (SaaS) implementation. Where does our responsibility start, and the vendor’s responsibility stop?

  • A: After the application.
    (Correct)
  • C: Between virtualization and OS.
  • D: Between storage and servers.
  • B: Between security and application.

Explanation

In Software as a Service (SaaS), the vendor provides everything including the applications and programs. We would provide the data for the applications.

Question 114: Skipped

Which of these COMMON frameworks focuses on Information Technology Service Management (ITSM)?
  • ITIL.
    (Correct)
  • COBIT.
  • COSO.
  • PCI-DSS.

Explanation

ITIL (Information Technology Infrastructure Library) focuses on IT Service Management (ITSM).

Question 115: Skipped

Which type of access control model would we use if confidentiality was the MOST important factor to us?
  • Discretionary Access Control (DAC)
  • Mandatory Access Control (MAC)
    (Correct)
  • Rule-Based Access Control (RUBAC)
  • Role-Based Access Control (RBAC)

Explanation

MAC (Mandatory Access Control): Often used when Confidentiality is most important. Access to an object is determined by labels and clearance, this is often used in the military or in organizations where confidentiality is very important.

Question 116: Skipped

What is the difference between freeware and shareware?
  • Freeware is free forever, shareware you buy it, but you are allowed to share it.
  • Freeware is free with no time restrictions, shareware is free for a limited amount of time.
    (Correct)
  • Freeware is free for a limited amount of time, shareware is free with no time restrictions.
  • They are the same thing, there is no difference.

Explanation

Freeware: Actually free software, it is free of charge to use. Shareware: Fully functional proprietary software that is initially free to use. Often for trials to test the software, after 30 days you have to pay to continue to use.

Question 117: Skipped

Jane has written a book on IT security. With books, copyright is automatically granted, and Jane owns all the rights to her materials. How long are copyrighted materials protected after the creator’s death?
  • 70 years.
    (Correct)
  • 20 years.
  • 95 years.
  • 10 years.

Explanation

Copyright applies to books, art, music, software and much more. It is granted automatically and, in the US, lasts for the creator's life plus 70 years; works made for hire (created by or for corporations) are protected for 95 years from publication or 120 years from creation, whichever is shorter.

Question 118: Skipped

In the software capability maturity model, at which level are some processes “possibly repeatable with consistent results”?
  • Level 1.
  • Level 3.
  • Level 4.
  • Level 2.
    (Correct)

Explanation

Level 2 (Repeatable): at this level of maturity some processes are repeatable, possibly with consistent results. Process discipline is unlikely to be rigorous, but where it exists it may help to ensure that existing processes are maintained during times of stress.

Question 119: Skipped

Using the OSI model, which of these are COMMON layer 5-7 threats?
  • Worms.
    (Correct)
  • Eavesdropping.
  • SYN floods.
  • Ping of death.

Explanation

A computer worm is a standalone malware computer program that replicates itself to spread to other computers; they normally operate on OSI layer 5-7.

Question 120: Skipped

When, in telecommunications, we talk about the Demarc, what are we referring to?
  • The ISP terminates their line and your network begins.
    (Correct)
  • You place all your routers and switches.
  • The servers are places to ensure faster speeds.
  • You ensure all of the other tenants have full access to your network equipment.

Explanation

Demarc – Point of Demarcation (POD): Where the ISP (Internet Service Provider) terminates their phone/internet lines and your network begins; most buildings only have one.

Question 121: Skipped

Which type of access control could we use to limit access outside of regular work hours?
  • Role-based access control.
  • Content-based access control.
  • Context-based access control.
    (Correct)
  • Discretionary access control.

Explanation

Context-based access control: Access to an object is controlled based on certain contextual parameters, such as location, time, sequence of responses, access history.

Question 122: Skipped

Jane is implementing Quality of Service (QoS) on our network. Which of these is one of the KEY benefits of QOS?
  • We have less traffic congestion, because we spread the traffic over multiple paths.
  • Larger data gets priority. This could be file uploads or downloads.
  • Priority traffic (often VoIP) gets higher priority.
    (Correct)
  • All traffic gets equal preference on the network.

Explanation

QoS (Quality of Service) gives specific traffic priority over other traffic; this is most commonly VoIP (Voice over IP), or other UDP traffic needing close to real time communication. Other non real time traffic is down prioritized; the 0.25 second delay won’t be noticed.

Question 123: Skipped

At the quarterly leadership conference, you are talking about threats to our environments, and one of the participants asks you to define what a threat is. Which of these could be your answer?
  • A potential harmful incident.
    (Correct)
  • A weakness that can possibly be exploited.
  • The total risk after we have implemented our countermeasures.
  • How bad is it if we are compromised?

Explanation

Threat – A potentially harmful incident (Tsunami, Earthquake, Virus, etc.)

Question 124: Skipped

Which of these backup types would NOT clear the archive bit on Windows systems?
  • Full backup.
  • Weekly backup.
  • Differential backup.
    (Correct)
  • Incremental backup.

Explanation

Full and incremental backups clear the archive bit; differential backups do not. "Weekly backup" tells us nothing about the backup type, so it cannot be the right answer.

Question 125: Skipped

We are doing security audits and we test against published standards. Which of these is NOT one of the standards we would test against?
  • PCI-DSS.
  • RBAC.
    (Correct)
  • SOC 2 type 2.
  • SOC-2 type 1.

Explanation

RBAC is role based access control, not a security audit standard. SOC 2 and PCI-DSS are standards we audit against.

Attempt 8
Question 1: Skipped

As part of our risk management, we are working on quantitative risk analysis. Select all the terms we would use in this phase:
  • Future Growth Potential (FGP)
  • Asset Value (AV)
    (Correct)
  • Exposure factor (EF)
    (Correct)
  • Risk Analysis Matrix (RAM)
  • Annualized Loss Expectancy (ALE)
    (Correct)

Explanation

Quantitative Risk Analysis – We want exactly enough security for our needs, and this is where we put a number on that. We find the asset's value, how much of it is compromised, how much one incident will cost, how often the incident occurs and what that adds up to per year. Asset Value (AV) – How much is the asset worth? Exposure Factor (EF) – What percentage of the asset value is lost? Single Loss Expectancy (SLE) – AV x EF – What does it cost if it happens once? Annual Rate of Occurrence (ARO) – How often will this happen each year? Annualized Loss Expectancy (ALE) – SLE x ARO – What it costs per year if we do nothing.
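Added example, not from the quiz: the AV/EF/SLE/ARO/ALE chain above carried through in code, plus the cost/benefit step the exam expects you to do with it (ALE before minus ALE after minus the annual cost of the control). The web server figures and the WAF cost are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    """One asset/threat pair expressed in the quantitative terms from the explanation."""
    asset_value: float      # AV: what the asset is worth
    exposure_factor: float  # EF: fraction of AV lost in a single incident, 0.0 to 1.0
    aro: float              # ARO: how many times per year we expect the incident

    def sle(self) -> float:
        """Single Loss Expectancy = AV x EF: what one incident costs."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF is a percentage of asset value; it must lie between 0 and 1")
        if self.aro < 0:
            raise ValueError("ARO cannot be negative")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE x ARO: what it costs per year if we do nothing."""
        return self.sle() * self.aro


def safeguard_value(before: Exposure, after: Exposure, annual_control_cost: float) -> float:
    """Cost/benefit of a countermeasure: (ALE before) - (ALE after) - (annual cost of control).
    Positive means the control pays for itself; negative means we would spend more than we
    save, which is the "exactly enough security" test the explanation describes."""
    return before.ale() - after.ale() - annual_control_cost


# Constructed figures for a public web server (assumptions, not data from the quiz).
WEB_SERVER_NOW = Exposure(asset_value=100_000, exposure_factor=0.40, aro=0.5)     # hit once every two years
WEB_SERVER_WITH_WAF = Exposure(asset_value=100_000, exposure_factor=0.10, aro=0.25)
WAF_ANNUAL_COST = 8_000

if __name__ == "__main__":
    print(f"SLE now: {WEB_SERVER_NOW.sle():,.0f}   ALE now: {WEB_SERVER_NOW.ale():,.0f}")
    print(f"ALE with WAF: {WEB_SERVER_WITH_WAF.ale():,.0f}")
    value = safeguard_value(WEB_SERVER_NOW, WEB_SERVER_WITH_WAF, WAF_ANNUAL_COST)
    print(f"Value of the WAF per year: {value:,.0f}")
```

With the constructed numbers the control reduces ALE from 20,000 to 2,500 and costs 8,000 a year, so it is worth 9,500 a year; raise its price to 20,000 and the same function goes negative, which is the signal to pick a cheaper control or accept the risk.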
Question 2: Correct

What would a penetration testing Statement Of Work (SOW) NOT include?
  • Time frames.
  • IP ranges.
  • Rules of engagement.
  • Complete and accurate employee Protected Health Information (PHI).
    (Correct)

Explanation

Penetration testing has very clear rules of engagement defined in a SOW (Statement of Work): which IP ranges, the time frame, tools, points of contact, how to test and what to test. Employee PHI has no place in it.
Question 3: Skipped

Which type of access control model is based on a subject’s clearance?
  • Discretionary Access Control (DAC)
  • Role-Based Access Control (RBAC)
  • Mandatory Access Control (MAC)
    (Correct)
  • Rule-Based Access Control (RUBAC)

Explanation

MAC – (Mandatory Access Control) is system-enforced access control based on a subject’s clearance and an object’s labels.
Question 4: Correct

Which process would we use to handle updates to our environments?
  • Change management.
    (Correct)
  • Process review.
  • Change consolidation.
  • Agile project management.

Explanation

Change Management: Often called change control, a formalized process for how we handle changes to our environments. Done right, every change is fully documented and understood, and it is communicated to the appropriate parties. The change review board should include both IT and the other operational units of the organization: we may consider the impact on IT, but we are there to serve the organization, so the business needs to understand how a change will impact them and be able to raise concerns.
Question 5: Correct

We have decided to implement job rotation in our organization. What can that help prevent?
  • Errors.
  • All of these.
    (Correct)
  • Employee burnout.
  • Fraud.

Explanation

Job rotation: For the exam, think of it as a way to detect errors and fraud. Fraud is easier to detect, and there is less chance of collusion between individuals, when people rotate jobs. It also helps with employee burnout and helps employees understand the entire business. It can be cost prohibitive in real life, so on the exam make sure the cost justifies the benefit.
Question 6: Correct

When you discover a software vulnerability, you notify the vendor of the vulnerability for them to fix it. What is the term used for this?
  • Partial disclosure.
    (Correct)
  • Full disclosure.
  • No disclosure.
  • Predictable disclosure.

Explanation

Responsible (partial) disclosure: we tell the vendor, they get time to develop a patch, and then the vulnerability is disclosed. If they do nothing we can fall back to full disclosure to force them to act.
Question 7: Skipped

Active Directory (AD) uses trust domains; one domain establishes a trust relationship with another domain. Which of these is NOT an AD trust domain?
  • Transitive trust.
  • Reflective trust.
    (Correct)
  • Intransitive trust.
  • One-way trust.

Explanation

One-way, two-way, transitive and intransitive (non-transitive) trusts are all Active Directory trust types (each side of a trust is the trusted or the trusting domain); there is no reflective trust.
Question 8: Skipped

What does SOC2 type 1 report on?
  • The future state of our controls and countermeasures.
  • How resilient our systems are and how often we can expect exploits with our current settings.
  • The suitability of the design of controls.
    (Correct)
  • The suitability of the design AND operating effectiveness of controls.

Explanation

SOC 2 Type 1 report on management’s description of a service organization’s system and the suitability of the design of controls.
Question 9: Correct

Why would we choose a centralized access control system over a decentralized one?
  • It is easier to manage.
    (Correct)
  • If the internet between sites is down, we can’t authenticate.
  • Different security postures at different locations.
  • Faster response time at remote locations.

Explanation

Centralized pros (decentralized cons): All systems and locations have the same security posture. Easier to manage: all records, configurations and policies are centralized and only configured once per policy. Attackers look for the weakest link in our chain; if a small satellite office is not following our security posture, it can be an easy way onto our network. It is more secure, since only a few people have access and can make changes to the system. It can also provide separation of duties: the local admin can't edit or delete logs from their facility. SSO can be used for user access to multiple systems with one login.

Centralized cons (decentralized pros): Traffic overhead and response time; how long does it take for a door lock to authenticate the user against the database at the head office? Is connectivity to the head office stable, and is important equipment on redundant power and internet?
Question 10: Correct

Which type of software development uses programming pairs?
  • Agile.
  • XP.
    (Correct)
  • Waterfall.
  • Scrum.

Explanation

XP (Extreme Programming) uses pair programming or extensive code review. It is intended to improve software quality and responsiveness to changing customer requirements. It advocates frequent releases in short development cycles, intended to improve productivity and introduce checkpoints at which new customer requirements can be adopted.
Question 11: Correct

In the TCP/IP model, frames and bits are the Protocol Data Units (PDUs) of which layer?
  • Link and physical.
    (Correct)
  • Application.
  • Transport.
  • Internetworks.

Explanation

Frames and bits are the Protocol Data Units (PDUs) of the Link and physical layer of the TCP/IP model. (Frames are OSI layer 2 and bits are OSI layer 1).
Question 12: Incorrect

What would we use a Security Information and Event Management (SIEM) system for?
  • Near real-time automated identification, analysis and recovery from some security events.
    (Incorrect)
  • Giving us a holistic view of all events and incidents in our organization.
  • Centralized storage and interpreting of logs and traffic.
  • All of these.
    (Correct)

Explanation

A SIEM (Security Information and Event Management) system collects logs and events from network hardware, servers and applications into central storage, correlates them, and provides near real-time analysis of the security alerts they generate, giving us a holistic view of events and incidents across the organization.
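Added example, not code from the quiz or from any SIEM product: the kind of correlation rule that only works once logs are centralized. A single host sees two or three failed logins and thinks nothing of it; the collector sees the same source IP failing across several hosts and then succeeding. The sshd-style lines are constructed; the threshold of 3 failures in a 60-second window is an assumption.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: two hosts forwarding sshd auth events to a central collector.
SAMPLE_LOGS = """\
2024-03-01T10:00:01 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51522 ssh2
2024-03-01T10:00:03 web01 sshd[2203]: Failed password for root from 203.0.113.5 port 51530 ssh2
2024-03-01T10:00:04 db01 sshd[9911]: Failed password for root from 203.0.113.5 port 51531 ssh2
2024-03-01T10:00:06 web01 sshd[2209]: Failed password for root from 203.0.113.5 port 51540 ssh2
2024-03-01T10:00:09 web01 sshd[2215]: Accepted password for root from 203.0.113.5 port 51544 ssh2
2024-03-01T10:05:00 web01 sshd[2300]: Failed password for alice from 198.51.100.7 port 40000 ssh2
2024-03-01T10:30:00 web01 sshd[2301]: Accepted publickey for alice from 198.51.100.7 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_line(line):
    """Normalize one sshd line into a dict; None for lines this parser does not handle."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def correlate_bruteforce(lines, threshold=3, window_seconds=60):
    """One alert per source IP that failed >= threshold times inside the sliding window and
    then got an Accepted login, regardless of which host each attempt landed on."""
    failures = defaultdict(deque)   # source IP -> timestamps of recent failures
    alerts = []
    for raw in lines:
        event = parse_line(raw)
        if event is None:
            continue
        recent = failures[event["src"]]
        # age out failures that fell outside the window before this event
        while recent and (event["ts"] - recent[0]).total_seconds() > window_seconds:
            recent.popleft()
        if event["outcome"] == "Failed":
            recent.append(event["ts"])
        elif len(recent) >= threshold:
            alerts.append({"src": event["src"], "user": event["user"], "host": event["host"],
                           "failures": len(recent), "at": event["ts"].isoformat()})
            recent.clear()
    return alerts


def run_sample():
    return correlate_bruteforce(SAMPLE_LOGS.splitlines())
```

On the sample the rule fires once, for 203.0.113.5 logging in as root on web01 after four failures spread over web01 and db01; alice's single failure 25 minutes before her key-based login has aged out of the window and produces nothing.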
Question 13: Correct

We often allow users to use “secret questions and answers” to unlock their accounts, because it makes our administrators workload lighter. Can they also be used as an attack vector?
  • Yes, but it really never happens, the information we use for them is so hard to get it is hardly worth it.
  • Yes, but it would be harder to break than encryption.
  • No, no one else would know the answers.
  • Yes, the answers are often something that can be researched.
    (Correct)

Explanation

Secret questions like “Where were you born?” are poor examples of a knowledge factor, it is known by a lot of people and can often be researched easily.
Question 14: Skipped

Which of these encryption methods is truly unbreakable if it is implemented right?
  • Symmetric encryption.
  • Enigma.
  • A Vigenère cipher.
  • One-time pads.
    (Correct)

Explanation

One-Time Pad: Cryptographic algorithm where plaintext is combined with a random key. It is the only existing mathematically unbreakable encryption. While it is unbreakable it is also very impractical. It has ONE use per pad; they should never be reused. Characters on the pad have to be truly random. The pads are kept secure.
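Added example, not from the quiz: the one-time pad in code, showing both halves of the explanation. `pad_for` is why it is unbreakable (for any candidate plaintext there is a pad that produces the observed ciphertext, so the ciphertext rules nothing out) and `pad_reuse_leak` is why it is ONE-time (two messages under the same pad cancel the pad and leak each other). Python's `secrets` module stands in for the hardware source of true randomness a real pad needs; the messages are constructed.

```python
import secrets


def generate_pad(length: int) -> bytes:
    """Pad material must be truly random. secrets.token_bytes reads the OS CSPRNG, which
    stands in here for the hardware RNG a real pad would come from."""
    return secrets.token_bytes(length)


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    """XOR each message byte with the matching pad byte. The pad may never be shorter than
    the message: stretching or cycling it is exactly the reuse that breaks the scheme."""
    if len(pad) < len(plaintext):
        raise ValueError("pad shorter than message; a one-time pad cannot be reused or cycled")
    return bytes(m ^ k for m, k in zip(plaintext, pad))


otp_decrypt = otp_encrypt  # XOR is its own inverse, so decryption is the same operation


def pad_for(ciphertext: bytes, candidate_plaintext: bytes) -> bytes:
    """Perfect secrecy: for ANY candidate plaintext of the same length there is a pad that
    maps it to this ciphertext, so the ciphertext alone cannot rule a single message out."""
    return bytes(c ^ p for c, p in zip(ciphertext, candidate_plaintext))


def pad_reuse_leak(ct1: bytes, ct2: bytes) -> bytes:
    """If two messages share a pad, XORing the ciphertexts cancels the pad and leaves
    plaintext1 XOR plaintext2, with no key material needed."""
    return bytes(a ^ b for a, b in zip(ct1, ct2))


def recover_other_message(leak: bytes, known_plaintext: bytes) -> bytes:
    """With a known or guessed crib for one message, the other falls out directly."""
    return bytes(x ^ k for x, k in zip(leak, known_plaintext))
```

The "implemented right" conditions in the explanation map onto the code one to one: `generate_pad` must be genuinely random, `otp_encrypt` refuses a short pad, and `pad_reuse_leak` is what an attacker runs the moment a pad is used twice.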
Question 15: Skipped

When our organization is using mandatory access control. What would subjects have?
  • Labels.
  • Objects.
  • Assets.
  • Clearance.
    (Correct)

Explanation

Subjects have Clearance assigned to them. A formal decision on a subject’s current and future trustworthiness. The higher the clearance, the more in-depth the background checks should be (always in military, not always in business).
Question 16: Correct

We want to be able to restore our systems with no more than 48 hours of data loss. Which of these could be a backup rotation we could chose to implement?
  • Weekly full and incremental backups every 3 days.
  • Monthly full backups and weekly incrementals.
  • Weekly full backups and daily differential backups.
    (Correct)
  • Backups before each system update or patch we apply.

Explanation

If we can have no more than 48 hours of data loss the only viable option is a daily backup.
Question 17: Incorrect

There are a lot of challenges with audit record management. Which of these is NOT one of them?
  • We are storing logs and alerts for too long.
    (Correct)
  • Log entries and alerts are not prioritized.
  • Logs are not reviewed on a regular and timely basis.
    (Incorrect)
  • Audit records are only reviewed for the bad stuff.

Explanation

Audit record management typically faces five distinct problems: Logs are not reviewed on a regular and timely basis. Audit logs and audit trails are not stored for a long enough time period. Logs are not standardized or viewable by correlation toolsets; they are only viewable from the system being audited. Log entries and alerts are not prioritized. Audit records are only reviewed for the bad stuff.
Question 18: Skipped

Jane is explaining how using AI can help predict healthcare issues for patients. What is AI?
  • Artificial Intelligence.
    (Correct)
  • Artifact Incidents.
  • Arithmetic Interference.
  • Artificial Integrity.

Explanation

AI (Artificial Intelligence): Intelligence exhibited by machines, rather than humans or other animals. True AI is a topic of discussion; what was considered AI years ago has been achieved, and once the goal is reached, the AI definition is tweaked a little.
Question 19: Skipped

Which of these authentication protocols is no longer considered secure?
  • TACACS.
    (Correct)
  • TACACS+.
  • Diameter.
  • Radius.

Explanation

TACACS (The Terminal Access Controller Access Control System): Centralized access control system requiring users to send an ID and reusable (vulnerable) passwords for authentication, because of this it is no longer considered secure. Uses TCP/UDP port 49. TACACS has generally been replaced by TACACS+ and RADIUS.
Question 20: Skipped

When we are talking about RAM what are we referencing?
  • Non-volatile memory.
  • Volatile memory.
    (Correct)
  • Real alerting mirroring.
  • Remote access management.

Explanation

RAM (Random Access Memory) is volatile memory: it loses its contents after a power loss (or within a few minutes of it). This can be memory sticks or embedded memory.
Question 21: Skipped

Our organization is using least privilege in our user access management. How are our users assigned privileges?
  • Exactly the minimum feasible access for the user to perform their job.
    (Correct)
  • Privileges at the data owner's discretion.
  • The same privileges as the rest of the group has.
  • More privileges than they need for their day-to-day job, so they can perform certain tasks in an emergency.

Explanation

Least Privilege also called “Minimum necessary access”, we give our users and systems exactly the access they need, no more, no less.
Question 22: Skipped

Which of these protocols is NOT found on layer 7 of the Open Systems Interconnection (OSI) model?
  • PAP.
    (Correct)
  • Telnet
  • HTTP.
  • FTP.

Explanation

PAP is a layer 5 protocol (used for setting up sessions). Telnet, FTP and HTTP are all layer 7 protocols.
Question 23: Skipped

When we implement centralized logging, we want it to be:
  • Automated, unsecure, and accessible by administrators.
  • Automated, secure and accessible by everyone.
  • Automated, secure, and accessible by administrators.
  • Automated, secure and administrators should have limited access.
    (Correct)

Explanation

Centralized Logging: Should be automated, secure and even administrators should have limited access.
Question 24: Skipped

Which of these would NOT be part of a good identity and access provisioning lifecycle?
  • Identify accounts that have not been used for more than 10 days following their creation.
  • Leaving accounts unlocked when employees leave the organization.
    (Correct)
  • Locking accounts when employees leave the organization.
  • Notifying users to change their passwords before they expire.
  • Revoking accounts and access when contractors stop working for us.

Explanation

Accounts should be locked when employees leave the organization. Deleting them makes it harder to audit; deactivating or locking is preferred.
Question 25: Skipped

Using EEPROM makes work easier for our IT staff, what is one of the dangers associated with it?
  • Anyone can easily access it.
  • There are no dangers, it is completely safe.
  • Flashing with an UV light can damage your eyes.
  • Since it is programmable, attackers can attack it.
    (Correct)

Explanation

EEPROM (Electrically Erasable Programmable Read Only Memory) can be erased and rewritten electrically with a flashing program, although it is still called read only. Firmware such as the BIOS lives in EEPROM, and the same ability to write to it that makes updates easy for IT staff means an attacker who gains that ability can modify the firmware itself, which is why it is a target.
Question 26: Skipped

We are in a court of law and we are presenting real evidence. What constitutes real evidence?
  • The data on our hard drives.
  • Logs, audit trails and other data from the time of the attack.
  • Tangible and physical objects.
    (Correct)
  • Something you personally saw or witnessed.

Explanation

Real Evidence is tangible and physical objects, in IT Security it is things like hard disks, USB drives and not the data on them.
Question 27: Skipped

What is a WEAKNESS of the Challenge Handshake Authentication Protocol (CHAP)?
  • It periodically verifies the identity of clients with a 3-way handshake.
  • Credentials are stored in plaintext on the server.
    (Correct)
  • It uses incremental changing identifiers and variable challenge-values.
  • Credentials are sent over the network in plaintext.

Explanation

CHAP (Challenge-Handshake Authentication Protocol) is used by PPP (Point-to-Point Protocol) servers to validate remote clients. It periodically verifies the identity of the client with a three-way handshake: the server sends a challenge, the client answers with a hash of the shared secret and the challenge, and the server checks the answer. Client and server must both know the plaintext of the shared secret, but it is never sent over the network, and the incrementally changing identifier and variable challenge value protect against replay attacks; this is better than PAP, which is vulnerable on both counts. The weakness is on the server side: the CHAP server stores each client's password in plaintext, so an attacker who gains access to the server can steal every client password stored on it.
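Added example, not from the quiz: both sides of the handshake described above, using the MD5 response format from RFC 1994 (Response = MD5(Identifier || Secret || Challenge)). The identifier counter and the random challenge are what defeat replay; the `secrets_db` dictionary on the server is the weakness the question asks about, held in the clear because the server has to recompute the hash. Usernames and secrets are constructed.

```python
import hashlib
import hmac
import secrets


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    """The authenticator. To recompute the response it must keep every client's shared
    secret in plaintext; compromise the server and you have all of them."""

    def __init__(self, secrets_db: dict):
        self.secrets_db = dict(secrets_db)   # username -> plaintext shared secret
        self._identifier = 0
        self._outstanding = {}               # username -> (identifier, challenge) awaiting reply

    def challenge(self, username: str):
        self._identifier = (self._identifier + 1) % 256   # incrementally changing identifier
        chal = secrets.token_bytes(16)                     # fresh, unpredictable challenge value
        self._outstanding[username] = (self._identifier, chal)
        return self._identifier, chal

    def verify(self, username: str, identifier: int, response: bytes) -> bool:
        expected_id, chal = self._outstanding.pop(username, (None, None))
        if chal is None or identifier != expected_id:
            return False   # unsolicited response, or a replay of an earlier identifier
        secret = self.secrets_db.get(username)
        if secret is None:
            return False
        expected = chap_response(identifier, secret, chal)
        return hmac.compare_digest(expected, response)   # constant-time comparison


class ChapClient:
    """The peer. It also holds the plaintext secret, but the secret never crosses the wire;
    only the hash of (identifier, secret, challenge) does."""

    def __init__(self, username: str, secret: bytes):
        self.username = username
        self.secret = secret

    def respond(self, identifier: int, challenge: bytes):
        return self.username, identifier, chap_response(identifier, self.secret, challenge)


def authenticate(server: ChapServer, client: ChapClient) -> bool:
    """One three-way handshake: Challenge -> Response -> Success/Failure."""
    identifier, chal = server.challenge(client.username)
    username, ident, resp = client.respond(identifier, chal)
    return server.verify(username, ident, resp)
```

A captured response is useless against the next challenge because both the identifier and the challenge bytes have changed, which is exactly what PAP's reusable plaintext password lacks; but note that nothing in the handshake protects `server.secrets_db`.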
Question 28: Skipped

Which of these is NOT a normal phase of a white hat hacker’s strategy?
  • Installing additional tools as they gain more access and higher privileges.
  • Deleting their tracks, the audit files and logs.
    (Correct)
  • Escalate privileges.
  • Discovery, finding the vulnerabilities.

Explanation

White hat hackers use many of the same tools and approaches that black hats would, but they do not delete their tracks, audit files or logs.
Question 29: Skipped

What is one of the key benefits of using a Host-based Intrusion Prevention System (HIPS) over a Network-based Intrusion Prevention System (NIPS)?
  • We can inspect the IP packets and prevent port scans.
  • We can protect against Distributed Denial Of Service (DDOS) attacks.
  • We can see the unencrypted data.
    (Correct)
  • We look at the entire network segment.

Explanation

Host based means on a client, normally a server or workstation. It can look at the actual data, because traffic is decrypted at the end device; a NIDS/NIPS can't look inside encrypted packets.
Question 30: Skipped

What would we NOT look at in a security assessment?
  • Employee performance.
    (Correct)
  • Change management.
  • Penetration tests.
  • Security audits.

Explanation

Security Assessments: A full-picture approach to assessing how effective our access controls are; they have a very broad scope. We would not look at employee performance. Security assessments often span multiple areas and can use some or all of these components: policies, procedures and other administrative controls; assessing the real-world effectiveness of administrative controls; change management; architectural review; penetration tests; vulnerability assessments; security audits.
Question 31: Skipped

Bob is working on designing new access controls across our organization. Which documentation should he reference to know how and what to implement?
  • He would ask his peers what they would implement since they know best and when they agree implement that.
  • The latest tech reviews and technology.
  • Our policies, procedures and standards.
    (Correct)
  • It is at his discretion, Bob is the most knowledgeable employee we have on access control.

Explanation

Our access control is determined by our policies, procedures and standards. They outline how we grant access, to whom and to what: we use least privilege and need to know, giving our staff and systems exactly the access they need and no more.
Question 32: Skipped

What is LDAP COMMONLY used for?
  • Central username and password storage.
    (Correct)
  • Managing firewall and router access lists.
  • Hashing passwords.
  • Internet routing protocol.

Explanation

LDAP (Lightweight Directory Access Protocol) is commonly used for central username and password storage; many different applications and services can connect to the LDAP server to validate users. It is an open, vendor-neutral, industry-standard application protocol for accessing and maintaining distributed directory information services over an IP network. It is an application layer protocol and uses TCP and UDP port 389.
Question 33: Skipped

Which of these is NOT covered by the Wassenaar Arrangement?
  • Encryption algorithms.
  • Munitions.
  • SQL Databases.
    (Correct)
  • Rockets.

Explanation

Wassenaar Arrangement – 1996 – present. Limits exports on military and “dual-use” technologies. Cryptography is part of that. Some nations also use it to prevent their citizens from having strong encryption (easier to spy on your own people if they can’t use strong cryptography).
Question 34: Skipped

Looking at our data management, what is the user’s role?
  • Perform the backups and restores.
  • Make the policies, procedures and standards that govern our data security.
  • Assign the sensitivity labels and backup frequency of the data.
  • Be trained in the policies, procedures and standards.
    (Correct)

Explanation

Users: These are the users of the data. User awareness must be trained; they need to know what is acceptable and what is not acceptable, and the consequences for not following the policies, procedures and standards.
Question 35: Skipped

Which of these is NOT an example of broken authentication or session management (OWASP A2)?
  • Session IDs are kept in plaintext.
  • Session IDs are predictable.
  • Session IDs are pseudo random.
    (Correct)
  • Session never expires.

Explanation

A2 Broken Authentication and Session Management: sessions do not expire or take too long to expire; session IDs are predictable (001, 002, 003, 004, etc.); tokens, session IDs, passwords, etc. are kept in plaintext. Pseudo-random, unpredictable session IDs are a countermeasure against broken authentication, not an example of it.
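Added example, not from the quiz: a minimal server-side session table that puts two of the A2 items side by side, the sequential 001/002/003 IDs from the explanation against CSPRNG-generated ones, with the expiry check the third item calls for. `hijack_neighbour` is what an attacker does with one observed ID. The 15-minute TTL and the names are assumptions.

```python
import secrets
import time


class SessionStore:
    """Server-side session table with absolute expiry. ID generation is pluggable so the
    predictable and unpredictable variants can be compared on the same code."""

    def __init__(self, new_id, ttl_seconds=900, clock=time.time):
        self._new_id = new_id
        self.ttl = ttl_seconds
        self.clock = clock              # injectable so expiry can be tested without sleeping
        self._sessions = {}             # session id -> (user, expires_at)

    def create(self, user):
        sid = self._new_id()
        self._sessions[sid] = (user, self.clock() + self.ttl)
        return sid

    def lookup(self, sid):
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user, expires_at = entry
        if self.clock() >= expires_at:  # sessions must expire; drop it the first time it is seen
            del self._sessions[sid]
            return None
        return user


def sequential_ids():
    """The broken pattern from the explanation: 001, 002, 003, ..."""
    counter = 0

    def new_id():
        nonlocal counter
        counter += 1
        return f"{counter:03d}"
    return new_id


def random_ids():
    """Countermeasure: 256 bits from the OS CSPRNG, URL-safe so it can go straight in a cookie."""
    return lambda: secrets.token_urlsafe(32)


def hijack_neighbour(store, observed_sid):
    """Given one captured ID, try the next one in sequence and see whose session it is."""
    try:
        guess = f"{int(observed_sid) + 1:03d}"
    except ValueError:
        return None   # no integer structure to extrapolate from
    return store.lookup(guess)
```

With sequential IDs the guess lands on the next user's live session; with random IDs there is nothing to extrapolate, and even an exhaustive search of a 256-bit space is not an option. Expiry is enforced on lookup rather than by a background sweeper so that a stale ID is never honoured even if cleanup lags.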
Question 36: Skipped

As part of a security assessment we are having an external company do penetration testing. What do we call a penetration test where the tester has full admin level knowledge about our organization and IT infrastructure? (Select all that apply).
  • Black box.
  • Gray box.
  • Clear box.
    (Correct)
  • Full box.
  • Crystal box.
    (Correct)
  • White box.
    (Correct)

Explanation

White box (crystal box, clear box) pen testing: full knowledge. The tester has knowledge of the internal network and access to it like a privileged employee would, normally the knowledge an administrator with full understanding of our environment has. There is no "full box"; gray box is partial knowledge and black box is no knowledge.
Question 37: Skipped

We have had a lot of employee complaints since we started blocking TCP/UDP port 80. What are we blocking?
  • SMTP.
  • POP3.
  • HTTPS.
  • HTTP.
    (Correct)

Explanation

Hypertext Transfer Protocol (HTTP) uses TCP/UDP port 80; it can also use ports 8008 and 8080.
Question 38: Skipped

Which is NOT one of the (ISC)² ethics canons?
  • Protect society, the common good, necessary public trust and confidence, and the infrastructure.
  • Act honorably, honestly, justly, responsibly, and legally.
  • Provide diligent and competent service to principals.
  • Think about the social consequences of the program you are writing or the system you are designing.
    (Correct)

Explanation

ISC2 Code of Ethics Canons: Protect society, the common good, necessary public trust and confidence, and the infrastructure. Act honorably, honestly, justly, responsibly, and legally. Provide diligent and competent service to principals. Advance and protect the profession.
Question 39: Skipped

As part of our server hardening we are blocking all ports on our servers unless the technical design documentation specifies that they need to be open. When we block TCP/UDP port 3389, what are we blocking?
  • IMAP.
  • NetBIOS datagram service.
  • Microsoft Terminal Server (RDP).
    (Correct)
  • NetBIOS name service.

Explanation

Microsoft Terminal Server (RDP) uses TCP/UDP port 3389.
Question 40: Skipped

Prior to an external structured audit, we would often do an ‘unstructured’ audit. Who would perform that?
  • Internal auditors.
    (Correct)
  • IT security staff.
  • Senior management.
  • External auditors.

Explanation

Unstructured audits: performed by internal auditors to improve our security and find flaws, often before an external audit.
Question 41: Skipped

We are using Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) throughout our organization. What are some of the COMMON types of those?
  • Heuristic, host based, network based.
    (Correct)
  • Network based, host based, firewall based.
  • Switch based, network based, signature based.
  • Signature based, network based, firewall based.

Explanation

IDSs (Intrusion Detection Systems) and IPSs (Intrusion Prevention Systems) come in two types and use two different approaches to identifying malicious traffic. Network based: placed on a network segment (a switch port in promiscuous mode). Host based: on a client, normally a server or workstation. Signature (pattern) matching: similar to antivirus, it matches traffic against a long list of known malicious traffic patterns. Heuristic (behavioral) based: uses a baseline of normal traffic to monitor for abnormal traffic.
Question 42: Skipped

Which type of security governance and management would we want to see in our organization?
  • Middle of the road.
  • Agile.
  • Bottom-up.
  • Top-down.
    (Correct)

Explanation

We always want top-down security governance and management, we want senior leadership on our side. Top-Down: IT leadership is on board with IT Security, they lead and set the direction. Bottom-Up: IT Security is seen as a nuisance and not a helper, often change when breaches happen.
Question 43: Skipped

When we are performing background checks on our new employees, we would NEVER look at which of these?
  • References, employment history, criminal records.
  • References, degrees, criminal records, credit history.
  • References, degrees, political affiliation, employment history.
    (Correct)
  • Employment history, credit history, references.

Explanation

When we hire new staff we often do background checks to minimize our risks. We can check references, degrees, employment history, criminal records and credit history (less common and more costly), and we have new staff sign an NDA (Non-Disclosure Agreement). It is illegal to check or inquire about political affiliation.
Question 44: Skipped

We are using cloud computing and have chosen to use IaaS. Who is responsible for the databases?
  • The network team.
  • The customer.
    (Correct)
  • The vendor.
  • The security team.

Explanation

IaaS – (Infrastructure as a Service) The vendor provides infrastructure up to the OS, the customer adds the OS and up.
Question 45: Skipped

When our organization is buying custom developed third party software, which of these should NOT be a concern?
  • How good are they at what they do.
  • What other companies who have implemented the exact same software says about it.
    (Correct)
  • Who will support it when development is completed.
  • Who owns the code.

Explanation

We should address who will support the software, who owns the code and how good the development company is at what they do. Because the software is being custom developed for us, no other company has implemented the exact same software, so there is nothing for them to say about it.
Question 46: Skipped

We are implementing several new countermeasures to make our organization less susceptible to fraud. As part of that we are implementing mandatory vacations. How would we use those?
  • Scheduled far in advance and the employee is notified.
  • Used to upgrade systems.
  • Given to employees to reward them.
  • A detective mechanism that can detect fraud.
    (Correct)

Explanation

Mandatory vacations: Done to ensure one person is not always performing the same task, someone else has to cover and it can keep fraud from happening or help us detect it. Their accounts are locked and an audit is performed on the accounts. If the employee has been conducting fraud and covering it up, the audit will discover it. The best way to do this is to not give too much advance notice of vacations.
Question 47: Skipped

Why would an organization offer to use a source code escrow to their customers?
  • Because we want them to see the source code whenever they want to.
  • To make our source code publicly available.
  • To ensure the code is tested completely.
  • So the customer has access to the source code if we go bankrupt.
    (Correct)

Explanation

Source code escrow: The deposit of the source code of software with a third party escrow agent. Escrow is typically requested by a party licensing software (the licensee), to ensure maintenance of the software instead of abandonment or orphaning. The software source code is released to the licensee if the licensor files for bankruptcy or otherwise fails to maintain and update the software as promised in the software license agreement.
Question 48: Skipped

We are implementing biometric authentication. What would be a good reason to do that?
  • It is much cheaper than knowledge factors.
  • People can easily change their biometrics.
  • It is easy to copy.
  • It rarely changes.
    (Correct)

Explanation

Biometric features rarely change unless we have a serious accident. It is more difficult to copy, people can’t change them unless they get surgery and it is normally more expensive than possession or knowledge factors.
Question 49: Skipped

When we talk about referential databases, what does referential integrity mean?
  • Each attribute value is consistent with the attribute data type.
  • When every foreign key in a secondary table matches the primary key in the parent table.
    (Correct)
  • When the database has errors.
  • Each tuple has a unique primary value that is not null.

Explanation

Referential integrity: When every foreign key in a secondary table matches a primary key in the parent table. It is broken if any foreign key does not match a primary key in the parent table.
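The definition above, as an added example that is not part of the original test: a constructed two-table schema in SQLite (Python's standard sqlite3 module), once with foreign-key enforcement off so an orphan row can be written and then found by an orphan query, and once with enforcement on so the same insert is rejected.

```python
"""Referential integrity demo: badges.emp_id must match employees.emp_id.
Tables and rows are constructed for this example."""
import sqlite3
from typing import List, Tuple

SCHEMA = """
CREATE TABLE employees (
    emp_id INTEGER PRIMARY KEY,        -- primary key in the parent table
    name   TEXT NOT NULL
);
CREATE TABLE badges (
    badge_id INTEGER PRIMARY KEY,
    emp_id   INTEGER NOT NULL REFERENCES employees(emp_id)  -- foreign key
);
"""


def open_db(enforce_fk: bool) -> sqlite3.Connection:
    """In-memory database with two valid employee/badge pairs.
    SQLite does not enforce foreign keys unless the PRAGMA is ON."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = %s" % ("ON" if enforce_fk else "OFF"))
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO employees VALUES (?, ?)",
                     [(1, "Alice"), (2, "Bob")])
    conn.executemany("INSERT INTO badges VALUES (?, ?)", [(100, 1), (101, 2)])
    conn.commit()
    return conn


def insert_orphan_badge(conn: sqlite3.Connection,
                        badge_id: int = 102, emp_id: int = 999) -> bool:
    """Try to insert a badge whose emp_id has no parent row.
    Returns True if the database accepted it (integrity now broken),
    False if the foreign-key constraint rejected it."""
    try:
        conn.execute("INSERT INTO badges VALUES (?, ?)", (badge_id, emp_id))
        conn.commit()
        return True
    except sqlite3.IntegrityError:
        return False


def find_orphans(conn: sqlite3.Connection) -> List[Tuple[int, int]]:
    """Detection query: child rows whose foreign key matches no parent key.
    An empty result means referential integrity holds."""
    return conn.execute("""
        SELECT b.badge_id, b.emp_id
        FROM badges b
        LEFT JOIN employees e ON e.emp_id = b.emp_id
        WHERE e.emp_id IS NULL
        ORDER BY b.badge_id""").fetchall()


if __name__ == "__main__":
    lax = open_db(enforce_fk=False)
    print("accepted orphan:", insert_orphan_badge(lax), "orphans:", find_orphans(lax))
    strict = open_db(enforce_fk=True)
    print("accepted orphan:", insert_orphan_badge(strict), "orphans:", find_orphans(strict))
```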
Question 50: Skipped

Looking at our incident management plan, which of these can we possibly mitigate with a redundant geographical distant site?
  • Disasters.
    (Correct)
  • Emergencies.
  • Events.
  • Incidents.

Explanation

Disaster: Our entire facility is unusable for 24 hours or longer. If we are geographically diverse and redundant we can mitigate this a lot. Yes, a snowstorm can be a disaster.
Question 51: Skipped

As part of our updated security posture, we have started blocking TCP/UDP port 22 as a default. What are we blocking?
  • Telnet.
  • FTP data transfer.
  • FTP control.
  • SSH.
    (Correct)

Explanation

SSH (Secure Shell) uses the well-known TCP/UDP port 22.
Question 52: Skipped

The Central Processing Unit (CPU) consists of which two elements?
  • RAM and BIOS.
  • CU and RPG.
  • South bridge and RAM.
  • ALU and CU.
    (Correct)

Explanation

CPU (Central Processing Unit) is the brains of the system. The arithmetic logic unit (ALU) performs arithmetic and logic operations; it does all the math. Processor registers supply operands (the objects of a mathematical operation) to the ALU and store the results of ALU operations. The control unit (CU) handles fetching (from memory) and execution of instructions by directing the coordinated operations of the ALU, registers and other components. It also sends instructions to the ALU.
Question 53: Skipped

If our organization has role-based access control and need-to-know policies, which of these actions is allowed?
  • Accessing your colleague’s payroll data to see how much they get paid.
  • Browsing around random data to just see what it contains.
  • Accessing data you need to do your job.
    (Correct)
  • Accessing data you don’t need to do your job.

Explanation

Role-based access control assigns access to roles; with added need-to-know, just because you have access does not mean you are allowed to view the data. You need a valid reason for accessing the data. If you do not have one you can be terminated/sued/jailed/fined.
Question 54: Skipped

When someone is typo squatting, what are they doing?
  • Legal.
  • Never profitable.
  • Potentially illegal.
    (Correct)
  • Always illegal.

Explanation

Typo squatting – Buying a URL that is VERY close to a real website name (can be illegal in certain circumstances).
Question 55: Skipped

When we are implementing new access control mechanisms, looking at the IAAA model, what could we use for identification?
  • Usernames.
    (Correct)
  • Non-repudiation.
  • A password.
  • Role based access control.

Explanation

Usernames are used for identification; we should never allow group logins or accounts. Identification can be your name, username, ID number, employee number, SSN, etc.
Question 56: Skipped

We are using some of the best practice rules for our password requirements. Which of these would NOT be part of that?
  • Maximum password age.
  • No minimum password age.
    (Correct)
  • Password hashing and salting.
  • Minimum password age.

Explanation

Minimum password age is implemented to prevent users from cycling through their last used passwords to return to their favorite password again. Passwords should also have a minimum length, contain upper/lower case letters, numbers and symbols, and should not contain full words or other easy to guess phrases.
Question 57: Skipped

We are wanting to erase EPROM memory to update to the latest firmware. How would we do that?
  • We can use programs to erase the content.
  • It can’t be erased once it has been written.
  • Taking the chip out of the motherboard and degauss it.
  • Shine a UV light on the chip.
    (Correct)

Explanation

EPROM (Erasable Programmable Read Only Memory) – Can be erased (flashed) and written many times, by shining an ultraviolet light on a small window on the chip (normally covered by foil).
Question 58: Skipped

Which of these could be some of the ways we can protect our data when an employee is actively using it?
  • Clean desk policies, print policies, job rotation, mandatory vacations, view angle screens.
  • Need to know policy.
  • Clean desk policies, view angle screens, computer locking when not in use.
    (Correct)
  • Encryption, clean desk policies, view angle screen.

Explanation

Data in Use: (We are actively using the files/data, it can’t be encrypted). Use good practices: Clean Desk policy, Print Policy, Allow no ‘Shoulder Surfing’, maybe the use of view angle privacy screen for monitors, locking computer screen when leaving workstation.
Question 59: Skipped

In our digital forensics, which of these should NEVER happen?
  • Do forensics on a bit level copy of the compromised hard drive.
  • Do forensics on the compromised hard drive.
    (Correct)
  • Keep a perfect chain of custody log.
  • Remove the system from the network to prevent the issue from spreading.

Explanation

Digital forensics should always be done on bit level copies of the original, never the original.
Question 60: Skipped

When we are reviewing our audit logs, it is which type of a control?
  • Preventative.
  • Deterrent.
  • Detective.
    (Correct)
  • Physical.

Explanation

Audit log review is a detective control; we look at what happened after it happened, looking for patterns and issues.
Question 61: Skipped

When we are using knowledge-based factors in our authentication process, we would use all of these, EXCEPT which?
  • Passwords.
  • Pass phrases.
  • Single-use passwords.
    (Correct)
  • PINs.

Explanation

A single-use password is not a knowledge-based factor; it is a possession-based factor.
Question 62: Skipped

On which layer of the Open Systems Interconnect (OSI) model do we establish the connection between 2 applications?
  • 4
  • 6
  • 3
  • 5
    (Correct)

Explanation

Layer 5: Session Layer: Establishes connection between 2 applications: Setup > Maintenance > Tear Down.
Question 63: Skipped

After a major security incident, we need to provide the chain of custody logs for one of the compromised hard drives. Which of these should NOT be part of the logs?
  • What was done.
  • What was found.
    (Correct)
  • Who handled it.
  • When they did it.

Explanation

With the chain of custody everything is documented: Who had it when? What was done? When did they do it? Not what was found.
Question 64: Skipped

In IT Security we are talking about something as an event, what does that mean?
  • Something changed, neither negative nor positive.
    (Correct)
  • A system has crashed.
  • A triggered warning when something predefined happens (i.e. disk usage over 85%).
  • We are being hacked.

Explanation

Event: An observable change in state. This is neither negative nor positive; it just means something has changed. A system powered on, traffic from one segment to another, an application started.
Question 65: Skipped

Which of these is the WEAKEST form of authentication we can implement?
  • Something you are.
  • Something you have.
  • Something you know.
    (Correct)
  • Biometrics.

Explanation

Something you know – Type 1 Authentication: Passwords, pass phrase, PIN etc., also called Knowledge factors. It is the weakest form of authentication, and can easily be compromised.
Question 66: Skipped

In Scrum project management, what is the Scrum master’s role?
  • Removing obstacles for the development team.
    (Correct)
  • Representing the stakeholders/customers.
  • Developing the code/product at the end of each sprint.
  • Being a traditional project manager.

Explanation

Scrum master: Facilitates and is accountable for removing impediments to the ability of the team to deliver the product goals and deliverables. Not a traditional team lead or project manager, but acts as a buffer between the team and any distracting influences. The Scrum master ensures that the Scrum framework is followed.
Question 67: Skipped

Which of these would be an IP socket-pair?
  • 10.0.10.1 and 21.12.12.1
  • 10.0.10.1:80 and 21.12.12.1
  • 10.0.10.1 and 21.12.12.1:https
  • 10.0.10.1:http and 21.12.12.1:51515
    (Correct)

Explanation

Socket Pairs (TCP): 2 sets of IP and port (source and destination). This could be source pair 192.168.0.6:49691 and destination pair 195.122.177.218:https. Well-known ports are often translated to their service name; port 443 is https.
Question 68: Skipped

After a major security breach, we are wanting to do a lessons learned. Why is that?
  • To prevent incidents from ever happening again.
  • To learn from the incident so we can do better on future incidents.
    (Correct)
  • To blame someone.
  • To show what exactly happened in this incident.

Explanation

Lessons Learned: This phase is often overlooked; we removed the problem and we have implemented new controls and safeguards. We can learn a lot from lessons learned, not just about the specific incident, but about how well we handle them, what worked and what didn’t. How can we as an organization grow and become better the next time we have another incident? While we may have fixed this one vulnerability, there are potentially hundreds of new ones we know nothing about yet. At the end of lessons learned we produce a report to senior management with our findings; we can only make suggestions, they are ultimately in charge (and liable).
Question 69: Skipped

When we talk about WORM media, what are we referring to?
  • RAM.
  • R DVDs.
    (Correct)
  • Hard disks.
  • EEPROM.

Explanation

WORM Media (Write Once Read Many): CD/DVDs can be WORM Media (R), if they are not R/W (Read/Write).
Question 70: Skipped

As part of improving the security posture of our organization we have added multifactor authentication. Which of these pairs does NOT constitute multifactor authentication?
  • Fingerprint and PIN.
  • PIN and credit card.
  • Username and smartcard.
  • Password and username.
    (Correct)

Explanation

Multifactor authentication uses authentication from more than one factor (something you know, are or have). Passwords and usernames are not multifactor, they are both knowledge factors.
Question 71: Skipped

Which layer of the Open Systems Interconnect (OSI) model isolates traffic into broadcast domains?
  • 3
    (Correct)
  • 1
  • 4
  • 5

Explanation

Layer 3: Network Layer: Expands to many different nodes (IP) – The Internet is IP based. Isolates traffic into broadcast domains.
Question 72: Skipped

When the Patriot Act was signed into law in 2001, it allowed law enforcement to do what?
  • Allows search and seizure without immediate disclosure.
    (Correct)
  • Protect electronic communication by mandating service providers to use strong encryption.
  • Allow law enforcement to use wiretaps without a warrant or oversight.
  • Protect electronic communication against warrantless wiretapping.

Explanation

PATRIOT Act of 2001: Expands law enforcement electronic monitoring capabilities. Allows search and seizure without immediate disclosure.
Question 73: Skipped

To ensure the confidentiality, integrity, and availability of our backup tapes, where would it be appropriate to store them?
  • A closet we have access to.
  • In a backup storage facility.
    (Correct)
  • Our data center.
  • Under the bed.

Explanation

Where do we keep our sensitive data? It should be kept in a secure, climate-controlled facility, preferably geographically distant or at least far enough away that potential incidents will not affect that facility too. Many older breaches were from bad policies around tape backups. Tapes were kept at the homes of employees instead of at a proper storage facility or in a storage room with no access logs and no access restrictions (often unencrypted).
Question 74: Skipped

With the CIA triad in mind, if we have too much confidentiality which other control will suffer the MOST?
  • Availability.
    (Correct)
  • Integrity.
  • Authentication.
  • Accountability.

Explanation

Finding the right mix of Confidentiality, Integrity and Availability is a balancing act. This is really the cornerstone of IT Security – finding the RIGHT mix for your organization. Too much Confidentiality and the Availability can suffer.
Question 75: Skipped

We are implementing Active Directory (AD) to use for managing our access control. Which of these OS families have AD natively included in their processes and services?
  • Linux.
  • Windows.
    (Correct)
  • Unix.
  • MacOS.

Explanation

AD (Active Directory): Included in most Windows Server OS as a set of processes and services. Directory service that Microsoft developed for Windows domain networks. Originally it was only in charge of centralized domain management. As of Windows Server 2008, AD became an umbrella term for a broad range of directory-based identity-related services.
Question 76: Skipped

What is happening when we experience buffer overflows?
  • User session IDs or tokens are stolen.
  • We are not using SSL/TLS.
  • The buffer overruns its boundaries and overwrites adjacent hard disk locations.
  • The buffer overruns its boundaries and overwrites adjacent memory locations.
    (Correct)

Explanation

Buffer overflow (buffer overrun): An anomaly where a program, while writing data to a buffer, overruns the buffer’s boundary and overwrites adjacent memory locations. It happens from improper coding, when a programmer fails to perform bounds checking. Buffers are areas of memory set aside to hold data, often while moving it from one section of a program to another, or between programs. Buffer overflows can often be triggered by malformed inputs: if one assumes all inputs will be smaller than a certain size and the buffer is created to be that size, an anomalous transaction that produces more data could cause it to write past the end of the buffer. If this overwrites adjacent data or executable code, it may result in erratic program behavior, including memory access errors, incorrect results, and crashes. By sending in data designed to cause a buffer overflow, it is possible to write into areas known to hold executable code and replace it with malicious code.
Question 77: Skipped

What was the intent of the US Electronic Communications Privacy Act of 1986 (ECPA)?
  • To protect electronic communication by mandating service providers to use strong encryption.
  • To allow law enforcement to use wiretaps without a warrant or oversight.
  • To allow search and seizure without immediate disclosure.
  • To protect electronic communication against warrantless wiretapping.
    (Correct)

Explanation

The Electronic Communications Privacy Act (ECPA) was designed for protection of electronic communications against warrantless wiretapping, but it was significantly weakened by the Patriot Act.
Question 78: Skipped

One of your coworkers is telling you about our new policies for PII. What is she referring to?
  • Professional Information Identifiers.
  • Personality Indicator Information.
  • Personally Identifiable Information.
    (Correct)
  • Personally Information Indicators.

Explanation

PII is the abbreviation for Personally Identifiable Information.
Question 79: Skipped

As part of our layered defense, and to prevent unauthorized devices on our network, we have added the MAC sticky command. Where would we configure that?
  • File server.
  • Router.
  • Firewall.
  • Desktop.
  • Switch.
    (Correct)

Explanation

Good switch security includes shutting down unused ports, adding mac-sticky, and hardcoding whether ports are access or trunk ports. Making all ports trunk ports is a bad idea.
Question 80: Skipped

What could be one of the ways we could protect our data-at-rest?
  • Privacy screens for monitors.
  • Clean desk policy.
  • Encryption.
    (Correct)
  • DAC.

Explanation

Data at Rest (Stored Data): This is data on Disks, Tapes, CDs/DVDs, USB Sticks. We use disk encryption (full/partial), USB encryption, tape encryption (avoid CDs/DVDs). Encryption can be Hardware or Software Encryption.
Question 81: Skipped

When we talk about using cryptanalysis in our work, what are we doing?
  • The science of securing communications.
  • A cryptographic algorithm.
  • The science of breaking encrypted communications.
    (Correct)
  • Creates messages with a hidden meaning.

Explanation

Cryptanalysis is the science of breaking encrypted communication. Cryptanalysis is used to breach cryptographic security systems and gain access to the contents of encrypted messages, even if the cryptographic key is unknown. It uses mathematical analysis of the cryptographic algorithm, as well as side-channel attacks that do not target weaknesses in the cryptographic algorithms themselves, but instead exploit weaknesses in their implementation and the devices that run them.
Question 82: Skipped

Which of these hackers would you hire to do penetration testing?
  • Gray hat hacker.
  • White hat hacker.
    (Correct)
  • Black hat hacker.
  • Script kiddie.

Explanation

White Hat hackers: Professional pen testers trying to find flaws so we can fix them (ethical hackers). Black Hat hackers: Malicious hackers, trying to find flaws to exploit them (crackers – they crack the code). Gray/Grey Hat hackers: They are somewhere between the white and black hats; they go looking for vulnerable code, systems or products. They often just publicize the vulnerability (which can lead to black hats using it before a patch is developed). Gray hats sometimes also approach the company with the vulnerability and ask them to fix it, and if nothing happens they publish. Script Kiddies: They have little or no coding knowledge, but many sophisticated hacking tools are available and easy to use. They pose a very real threat. They are just as dangerous as skilled hackers; they often have no clue what they are doing.
Question 83: Skipped

Which of these protocols is NOT found on layer 3 of the OSI model?
  • IKE.
  • IP.
  • ICMP.
  • IMAP.
    (Correct)

Explanation

IMAP is a layer 7 protocol. IP, IPSEC, IKE, ICMP, … are all layer 3 protocols.
Question 84: Skipped

When would we deploy honeypots?
  • During an attack to trick the attacker.
  • None of these.
    (Correct)
  • Whenever we want to, to lure attackers in.
  • Whenever we deploy a new system to see if it is vulnerable.

Explanation

While honeypots can be useful, we do not want to lure attackers in (entrapment). If we deployed one each time we launched a system we could have thousands of them, and during an attack we are busy with more important things.
Question 85: Skipped

What are some of the dangers if we chose to NOT use proper and regular patching of our systems?
  • We are at risk of compromise from publicly known attacks.
    (Correct)
  • We won’t have enough for our employees to do.
  • There are no real dangers as long as we have firewalls.
  • We can’t access the internet if we are missing too many patches.

Explanation

Patches are released to fix known security vulnerabilities; not applying them leaves us open to those vulnerabilities, which the attackers also know about.
Question 86: Skipped

The port numbers we use can be categorized as well-known, registered, or dynamic/private/ephemeral ports. Which of these is NOT a well-known port?
  • 1023
  • 1024
    (Correct)
  • 80
  • 666

Explanation

Well-known ports are the ports from 0-1023; they are mostly assigned to standard protocols and services.
Question 87: Skipped

For access control management, which of these is considered something you have?
  • PIN.
  • Cookie on computer.
    (Correct)
  • Fingerprint.
  • MAC address.

Explanation

Something you have: Things in your possession, not things you know (knowledge factor) or something you are (biometrics).
Question 88: Skipped

Which industry is the US Gramm-Leach-Bliley Act (GLBA) focused on?
  • Financial.
    (Correct)
  • Aerospace.
  • Online stores.
  • Healthcare.

Explanation

Gramm-Leach-Bliley Act (GLBA): Applies to financial institutions; driven by the Federal Financial Institutions Examination Council (FFIEC); enforced by member agencies, OCC, FDIC, FRB, NCUA, and CFPB. Enacted in 1999, requires protection of the confidentiality and integrity of consumer financial information.
Question 89: Skipped

To establish a TCP session, we are using the TCP 3-way handshake. What is the correct order of the handshake?
  • SYN > ACK > ACK.
  • SYN/ACK > ACK > SYN.
  • SYN > SYN/ACK > ACK.
    (Correct)
  • SYN > SYN/ACK > SYN.

Explanation

The 3-way handshake is client SYN > Server SYN/ACK > Client ACK.
Question 90: Skipped

As part of our backup policy we are deciding on how long we should keep our backups. What should we base that decision on?
  • 1 month, as long as we have a full backup of everything.
  • As long as it is useful or required, whichever is longer.
    (Correct)
  • All data is required to be kept 1 year.
  • Forever, we can never get rid of backup data.

Explanation

Data Retention: Data should not be kept beyond the period of usefulness or beyond the legal requirements (whichever is greater).
Question 91: Skipped

We have 100 users all needing to communicate with each other. If we are using asymmetric encryption how many keys would we need?
  • 2000
  • 200
    (Correct)
  • 100
  • 4950

Explanation

Asymmetric encryption uses 2 keys per user, so we would need 200 keys.
Question 92: Skipped

Which type of Intrusion Detection Systems (IDS) and Intrusion Prevention System (IPS) are completely vulnerable to 0-day attacks?
  • Signature based.
    (Correct)
  • Heuristic based.
  • Network based.
  • Behavioral based.

Explanation

Signature based: Looks for known malware signatures. Faster since they just check traffic against malicious signatures. Easier to set up and manage, someone else does the signatures for us. They are completely vulnerable to 0 day attacks, and have to be updated constantly to keep up with new vulnerability patterns.
Question 93: Skipped

After an attack on our servers, who should handle digital forensic evidence?
  • The data owner.
  • The data steward.
  • Anyone who is available.
  • Someone trained in the process.
    (Correct)

Explanation

People handling digital forensic evidence should always be trained in proper handling.
Question 94: Skipped

Jack is looking at different types of encryption. Which of these is a type of asymmetric encryption?
  • RSA.
    (Correct)
  • RC6.
  • 3DES.
  • Twofish.

Explanation

RSA is asymmetric. 3DES, RC6 and Twofish are all symmetric forms of encryption.
Question 95: Skipped

We often refer to 0-day vulnerabilities when we talk about IT security vulnerabilities. What would constitute 0-day vulnerabilities?
  • Known vulnerabilities that we have not patched yet.
  • Vulnerabilities not generally known or discovered.
    (Correct)
  • Known vulnerabilities we have already patched.
  • Vulnerabilities that do not affect our systems.

Explanation

0-day vulnerabilities: Vulnerabilities not generally known or discovered; the first time an attack is seen is considered day 0, hence the name. Once a vulnerability is discovered, it is usually only a short timespan before patches or signatures are released for major software.
Question 96: Skipped

Which type of Intrusion Prevention System (IPS) response prevents authorized traffic?
  • False negative.
  • True positive.
  • False positive.
    (Correct)
  • True negative.

Explanation

False Positive: Normal traffic that the system detects as malicious and acts on.
Question 97: Skipped

BIBA’s Invocation Property prohibits users from what?
  • No read and write up.
    (Correct)
  • No read and write up and down.
  • No write up.
  • No write down.

Explanation

Invocation Property: “No Read or Write UP”. Subjects can never access or alter data on a higher level.
Question 98: Skipped

What could a vulnerability scan possibly help us find?
  • System misconfigurations, missing patches and a list of threats.
  • Missing patches, outdated software and high utilization on a resource.
  • Missing patches, outdated software and users accessing files they shouldn’t.
  • Outdated software, missing patches and system misconfigurations.
    (Correct)

Explanation

A vulnerability scanner tool is used to scan a network or system for a list of predefined vulnerabilities such as system misconfiguration, outdated software, or a lack of patching.
Question 99: Skipped

On which layer of the Open Systems Interconnection model (OSI) model would we find the broadcast address FF:FF:FF:FF:FF:FF?
  • Layer 5.
  • Layer 3.
  • Layer 1.
  • Layer 2.
    (Correct)
  • Layer 4.

Explanation

FF:FF:FF:FF:FF:FF is the layer 2 broadcast address. Layer 2 uses MAC addresses.
Question 100: Skipped

In incident management, which of these is NOT a recognized category of events and/or incidents?
  • Behavioral.
    (Correct)
  • Human.
  • Environments.
  • Natural.

Explanation

Behavioral is a subset of human, and not a recognized category.
Question 101: Skipped

In software acceptance testing, what is the purpose of production acceptance testing?
  • To ensure the software performs as expected in our live environment vs. our development environment.
    (Correct)
  • To ensure the backups are in place, we have a DR plan, how patching is handled and that the software is tested for vulnerabilities.
  • To ensure the software is functional for and tested by the end user and the application manager.
  • To ensure the software is as secure or more secure than the rules, laws and regulations of our industry.

Explanation

Compatibility/production testing: Does the software interface as expected with other applications or systems? Does the software perform as expected in our production environment vs. the development environment?
Question 102: Skipped

What would be one of the EASIEST ways to confirm that our access control mechanisms are working?
  • Stand at the doors and look at who enters a building or a certain room.
  • Get alerts for each login and manually check them all.
  • Reviewing CCTV files.
  • Reviewing security audit logs.
    (Correct)

Explanation

Audit log review is the easiest way to confirm our access control mechanisms are working.
Question 103: Skipped

We have removed a server from our production environment. We format the hard drives, install a new OS (Operating System), and application on the disks. We then put the newly installed server back into production. Which of these would be TRUE about the original data a week later?
  • Always completely recoverable.
  • Hidden, but not recoverable.
  • Possibly partially recoverable.
    (Correct)
  • Gone forever.

Explanation

We can still recover files that have not been overwritten yet; formatting just removes the file structure.
Question 104: Skipped

Senior leadership has approved the use of flash drives. Which type of memory do they use?
  • DRAM.
  • PROM.
  • EEPROM.
    (Correct)
  • SDRAM.

Explanation

Flash memory: Small portable drives (USB sticks are an example); they are a type of EEPROM.
Question 105: Skipped

We have a contract with some penetration testers. In which phase would the tester look for vulnerabilities and design the attack?
  • Gaining access.
  • Discovery.
    (Correct)
  • Escalate privileges.
  • System browsing.

Explanation

Discovery (planning): Finding the vulnerabilities, design the attacks.
Question 106: Skipped

As part of our software testing, we are doing static software testing. What are we doing?
  • Test the code while executing it.
  • Submit random malformed input to crash the software or elevate privileges.
  • Build scripts and tools that would simulate normal user activity.
  • Passively test the code, but not run it.
    (Correct)

Explanation

Static testing – Passively testing the code, it is not running. This is walkthroughs, syntax checking, and code reviews. Looks at the raw source code itself looking for evidence of known insecure practices, functions, libraries, or other characteristics having been used in the source code.
Question 107: Skipped

When would a logic bomb go off?
  • When the system gets internet access.
  • As soon as it is introduced to the system.
  • When it has infected the entire network.
  • A certain event happens or at a certain time.
    (Correct)

Explanation

Logic Bombs – Malicious code that executes at a certain time or event – they are dormant until the event (IF/THEN). IF Bob is not getting an annual bonus over $10,000, THEN execute malicious code. IF date and time 5/15/18 00:02:12, THEN execute malicious code.
Question 108: Skipped

What could be one of the NEGATIVE consequences of implementing Single Sign On (SSO) in our organization?
  • It takes too long to remember a single password over many.
  • It is easier for users to just use one login.
  • If compromised the attacker has access to all the systems the user does.
    (Correct)
  • SSO has weaker password requirements than regular applications does.

Explanation

SSO (Single sign-on): Users use a single sign-on for multiple systems. If an attacker compromises a single password they have access to everything that user can access. Often deployed in organizations where users have to access 10+ systems and find it too burdensome to remember all those passwords. SSO has the same strong password requirements as normal single system passwords.
Question 109: Skipped

After a security breach, Bob has been asked to ensure evidence integrity. What would he do with the compromised hard drive?
  • Add another drive to the system and copy all he can see on the compromised drive onto the new drive and then do his analysis on the new drive.
  • Pull the drive from the system, format it and reinsert it into another production server.
  • Encrypt the drive, then do his forensics on the original drive and when he is done do a hash.
  • Hash the drive and take a bit level copy, hash the copy drive and they should match, then work on the bit level copy.
    (Correct)

Explanation

Evidence Integrity – It is vital that the evidence’s integrity cannot be questioned. We do this with hashes; any forensics is done on copies and never the originals. We make a bit level copy of the original, hash it, and the copy should match. We do another hash after the forensics, and that should be the same as the prior two.
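The evidence-integrity procedure described here (and the bit-level-copy and chain-of-custody points in questions 59 and 63), as an added example that is not part of the original test: the "drive" is a constructed byte string standing in for a disk image, the examiner name is a placeholder, and the custody log records who did what and when, but not what was found.

```python
"""Hash the original, take a bit level copy, hash the copy, analyse the copy,
hash it again; all three hashes must match. Sample data is constructed."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the raw contents of the compromised drive,
# including "empty" zero regions that a file-level copy would not preserve.
ORIGINAL_DRIVE = (b"\x00" * 64 + b"MBR-like header\n" + b"user data ... " * 8
                  + b"suspicious.exe" + b"\x00" * 32)


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the whole image as a hex string."""
    return hashlib.sha256(data).hexdigest()


def bit_level_copy(original: bytes) -> bytearray:
    """Byte-for-byte copy of the image (the 'bit level copy' from the text)."""
    return bytearray(original)


@dataclass
class CustodyEntry:
    who: str
    what: str
    when: str = field(default_factory=lambda: datetime.now(timezone.utc).isoformat())


@dataclass
class Evidence:
    original_hash: str
    copy_hash_before: str = ""
    copy_hash_after: Optional[str] = None
    custody_log: List[CustodyEntry] = field(default_factory=list)

    def log(self, who: str, what: str) -> None:
        # Who handled it, what was done, when: findings stay in the report.
        self.custody_log.append(CustodyEntry(who, what))


def acquire(original: bytes, examiner: str) -> Tuple[Evidence, bytearray]:
    """Hash the original, make the copy, hash the copy; abort on mismatch."""
    ev = Evidence(original_hash=sha256_hex(original))
    ev.log(examiner, "hashed original drive (SHA-256)")
    copy = bit_level_copy(original)
    ev.copy_hash_before = sha256_hex(copy)
    ev.log(examiner, "created bit level copy and hashed it")
    if ev.copy_hash_before != ev.original_hash:
        raise RuntimeError("copy does not match original; acquisition failed")
    return ev, copy


def analyse(copy: bytes) -> List[int]:
    """Read-only analysis on the copy: offsets of a constructed indicator."""
    needle = b"suspicious.exe"
    return [i for i in range(len(copy)) if copy.startswith(needle, i)]


def close_out(ev: Evidence, copy: bytes, examiner: str) -> bool:
    """Re-hash the working copy after analysis; original, before and after
    hashes must all agree for the evidence to remain unquestionable."""
    ev.copy_hash_after = sha256_hex(copy)
    ev.log(examiner, "re-hashed working copy after analysis")
    return ev.original_hash == ev.copy_hash_before == ev.copy_hash_after


def run_case(original: bytes = ORIGINAL_DRIVE, tamper: bool = False) -> Dict[str, object]:
    """Full workflow. With tamper=True one bit of the working copy is flipped
    during analysis to show the final hash comparison catching it."""
    ev, copy = acquire(original, "examiner-placeholder")
    findings = analyse(copy)
    if tamper:
        copy[0] ^= 0x01
    return {"intact": close_out(ev, copy, "examiner-placeholder"),
            "findings": findings,
            "log_entries": len(ev.custody_log)}


if __name__ == "__main__":
    print(run_case())
    print(run_case(tamper=True))
```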
Question 110: Skipped

Which organization is responsible for delegating IP address ranges to ISPs (Internet Service Providers) in North America?
  • RIPE NCC.
  • APNIC.
  • ARIN.
    (Correct)
  • LACNIC.

Explanation

The world is divided into RIR (Regional Internet Registry) regions and organizations in those areas delegate the address space they have control over. ARIN (American Registry for Internet Numbers): United States, Canada, several parts of the Caribbean region, and Antarctica.
Question 111: Skipped

When we are categorizing disasters for our Business Continuity Plan (BCP), we would categorize them into which of these categories? (Select all that apply).
  • Environmental.
    (Correct)
  • Physical.
  • Hardware.
  • Human.
    (Correct)
  • Natural.
    (Correct)

Explanation

We categorize disasters in 3 categories: natural, human, or environmental. Natural: Anything caused by nature; this could be earthquakes, floods, snow, tornados, etc. Human: Anything caused by humans; they can be intentional or unintentional disasters; unintentional could be an employee using a personal USB stick on a PC at work and spreading malware, which would be just as bad as if an attacker had done it, but the employee was just ignorant, careless, or didn’t think it would matter. Environmental (not to be confused with natural disasters); Anything in our environment; could be power outage/spikes, hardware failures, provider issues, etc.
Question 112: Skipped

Which security principle is Clark-Wilson based on?
  • Confidentiality.
  • Accountability.
  • Integrity.
    (Correct)
  • Availability.

Explanation

Clark-Wilson – Integrity: Separates end users from the backend data through ‘Well-formed transactions’ and ‘Separation of Duties’. The model uses Subject/Program/Object. We have discussed the Subject/Object relationship before, but this model puts a program between the two. We don’t give customers direct access to our inventory when they buy from us; we give them a limited-functionality interface they can access instead.
Question 113: Skipped

Jane is using the Scrum project management methodology. Which of these would be some of the core team roles in the Scrum framework? (Select all that apply).
  • The development team.
    (Correct)
  • The project sponsor.
  • The Scrum master.
    (Correct)
  • The product owner.
    (Correct)
  • The project manager.

Explanation

Scrum is a framework for managing software development. Scrum is designed for teams of approximately 10 individuals, and generally relies on two-week development cycles, called “sprints”, as well as short daily stand-up meetings. The three core roles in the Scrum framework are: The product owner: Represents the product’s stakeholders, is the voice of the customer, and is accountable for ensuring that the team delivers value to the business. Development team: Responsible for delivering the product at the end of each sprint (sprint goal). The team is made up of 3–9 individuals who do the actual work (analysis, design, development, testing, technical communication, documentation, etc.). Scrum master: Facilitates and is accountable for removing impediments to the team’s ability to deliver the product goals and deliverables. Not a traditional team lead or project manager, but acts as a buffer between the team and any distracting influences. The scrum master ensures that the Scrum framework is followed.
Question 114: Skipped

Those acting under “the color of law” can act on an exigent circumstance. What would constitute exigent circumstances?
  • Immediate threat to human life or of evidence destruction.
    (Correct)
  • An outside circumstance which does not pose any threat to life or data.
  • Potential threat to data or human life in the future.
  • An unpatched vulnerability on our systems, attackers have no way of exploiting.

Explanation

Exigent circumstances apply if there is an immediate threat to human life or of evidence destruction. Whether the action was justified will later be decided by a court. This only applies to law enforcement and those operating under the “color of law” – Title 18 U.S.C. Section 242 – Deprivation of Rights Under Color of Law.
Question 115: Skipped

We are using the CIA triad to, at a high level, explain IT security to our board of directors. Which of these are the 3 legs of the CIA triad?
  • Identity, accountability and confidentiality.
  • Confidentiality, Integrity and Accountability.
  • Integrity, availability and confidentiality.
    (Correct)
  • Confidentiality, Identity and Availability.

Explanation

The CIA (Confidentiality, Integrity, Availability) Triad: Confidentiality – We keep our data and secrets secret. Integrity – We ensure the data has not been altered. Availability – We ensure authorized people can access the data they need, when they need to.
Question 116: Skipped

When we talk about auditing in the IAAA model, what does that mean?
  • Allows users to access data 24/7.
  • Compares object labels to the clearance of the subject.
  • Assigns attributes to identities.
  • Traces actions to subjects identities.
    (Correct)

Explanation

Accountability (often referred to as Auditing): Traces an action to a subject’s identity. It proves who performed a given action and provides non-repudiation. Group or shared accounts are never OK; they have zero accountability. It uses audit trails and logs to associate a subject with its actions.
Question 117: Skipped

In which order would you use the Software Development Life Cycle (SDLC)?
  • Analysis, investigation, design, build, implement, test, maintenance and support.
  • Investigation, analysis, design, build, implement, test, maintenance and support.
  • Investigation, design, analysis, build, implement, test, maintenance and support.
  • Investigation, analysis, design, build, test, implement, maintenance and support.
    (Correct)

Explanation

SDLC (Software Development Life Cycle): The SDLC is not really a methodology, but a description of the phases in the life cycle of software development. These phases are (in general): investigation, analysis, design, build, test, implement, maintenance and support (and disposal). Security can be built into each step of the process; for the exam, it always is.
Question 118: Skipped

You hear a colleague talk about polyinstantiation. What does that mean?
  • Deducing facts from data rather than specific statements.
  • Looking at a normal baseline and learning of new factors on the network from higher traffic.
  • Collecting data to analyze it.
  • Two or more instances of the same data, depending on who accesses it.
    (Correct)

Explanation

Polyinstantiation (Alternative Facts) – Two (or more) instances of the same file, depending on who accesses it. The real information may be available to subjects with Top Secret clearance, but different information will be available to staff with Secret or lower clearance.
Question 119: Skipped

When an attacker is using intimidation, it is a form of what?
  • Reverse psychology.
  • Proper management.
  • Social engineering.
    (Correct)
  • Brute force attack.

Explanation

Social engineering uses people skills to bypass security controls. Intimidation (if you don’t do this, a bad thing happens): a virus on the network, your credit card is compromised, a lawsuit against your company. Intimidation is most effective when combined with impersonation and vishing attacks.
Question 120: Skipped

In our data management, which of these BEST describe the data owner responsibilities?
  • Backups, restores, patches, system configuration.
  • The systems that house the data.
  • Assigning sensitivity labels and backup frequency.
    (Correct)
  • The policies that govern our data security.

Explanation

Data/Information Owner: Management level; they assign sensitivity labels and backup frequency. This could be you, or a Data Owner from HR, Payroll or other departments.
Question 121: Skipped

What is your public key in asymmetric encryption?
  • Used by you to decrypt messages sent to you.
  • Shared.
    (Correct)
  • Used by someone else to decrypt messages from you.
  • Secret.

Explanation

Asymmetric Encryption uses 2 keys: a Public Key and a Private Key (Key Pair). Your Public Key is publicly available and is used by others to encrypt messages sent to you. Since the keys are asymmetric, the ciphertext can’t be decrypted with your public key. Your Private Key – You keep this safe. You use it to decrypt messages that were encrypted with your public key.
Question 122: Skipped

Which of these is a TRUE statement about the TCP protocol?
  • It is connection oriented.
    (Correct)
  • It is connectionless.
  • It is proprietary.
  • It is always encrypted.

Explanation

TCP (Transmission Control Protocol): Reliable, connection oriented, guaranteed delivery, 3-way handshake, slower/more overhead, data reassembled in order.
Question 123: Skipped

Which is the MOST secure encryption type of these 4?
  • AES.
    (Correct)
  • DES.
  • RC4.
  • Blowfish.

Explanation

DES, Blowfish and RC4 are no longer considered secure; AES is still considered secure.
Question 124: Skipped

We are asked to help design the policies for our organization regarding PHI. What is that?
  • Personal Heuristic Information.
  • Protected Human Interactions.
  • Protected Health Information.
    (Correct)
  • Procured Hospital Information.

Explanation

PHI is the abbreviation for Protected Health Information.
Question 125: Skipped

Diameter was designed to replace Radius, but the change never happened. Where is Diameter COMMONLY used now?
  • In the 3/4G space.
    (Correct)
  • Router management.
  • Wireless access points.
  • Webserver file uploads and downloads.

Explanation

Diameter is largely used in the 3/4G space; RADIUS is used elsewhere. Diameter was intended as a replacement for RADIUS, but the use cases changed and the two now have different uses. It also provides centralized AAA (Authentication, Authorization, and Accounting) management for users who connect to and use a network service.