Attempt 9
Question 1: Correct

As part of improving the security posture of our organization we have added multifactor authentication. Which of these pairs does NOT constitute multifactor authentication?


Multifactor authentication uses authentication from more than one factor (something you know, are, or have). Passwords and usernames are not multifactor; they are both knowledge factors.
Question 2: Correct

When we are implementing new access control mechanisms, looking at the IAAA model, what could we use for identification?


Usernames are used for identification; we should never allow group logins or accounts. Identifiers include your name, username, ID number, employee number, SSN, etc.
Question 3: Correct

Using EEPROM makes work easier for our IT staff, what is one of the dangers associated with it?


EEPROM (Electrically Erasable Programmable Read-Only Memory): these are electrically erasable; you can rewrite them with a flashing program. It is still called read-only. The ability to write to the BIOS makes it vulnerable to attackers.
Question 4: Correct

We have had a lot of employee complaints since we started blocking TCP/UDP port 80. What are we blocking?


Hypertext Transfer Protocol (HTTP) uses TCP/UDP port 80; it can also use ports 8008 and 8080.
Question 5: Skipped

Which of these encryption methods is truly unbreakable if it is implemented right?


One-Time Pad: Cryptographic algorithm where plaintext is combined with a random key. It is the only existing mathematically unbreakable encryption. While it is unbreakable it is also very impractical. It has ONE use per pad; they should never be reused. Characters on the pad have to be truly random. The pads are kept secure.
Question 6: Correct

We are asked to help design the policies for our organization regarding PHI. What is that?


PHI is the abbreviation for Protected Health Information.
Question 7: Correct

We often refer to 0-day vulnerabilities when we talk about IT security vulnerabilities. What would constitute 0-day vulnerabilities?


0-day vulnerabilities: vulnerabilities not generally known or discovered; the first time an attack is seen is considered day 0, hence the name. Once a vulnerability is discovered, it is now only a short time span before patches or signatures are released for major software.
Question 8: Skipped

Which of these could be some of the ways we can protect our data when an employee is actively using it?


Data in Use (we are actively using the files/data; it can’t be encrypted). Use good practices: clean desk policy, print policy, allow no ‘shoulder surfing’, maybe the use of viewing-angle privacy screens for monitors, and locking the computer screen when leaving the workstation.
Question 9: Skipped

When our organization is using mandatory access control. What would subjects have?


Subjects have a clearance assigned to them: a formal decision on a subject’s current and future trustworthiness. The higher the clearance, the more in-depth the background checks should be (always in the military, not always in business).
Question 10: Correct

Which type of Intrusion Prevention System (IPS) response prevents authorized traffic?


False positive: normal traffic that the system detects as malicious and acts on.
Question 11: Correct

We are implementing Active Directory (AD) to use for managing our access control. Which of these OS families have AD natively included in their processes and services?


AD (Active Directory): included in most Windows Server OSes as a set of processes and services. A directory service that Microsoft developed for Windows domain networks. Originally it was only in charge of centralized domain management. As of Windows Server 2008, AD became an umbrella term for a broad range of directory-based identity-related services.
Question 12: Correct

When we talk about auditing in the IAAA model, what does that mean?


Accountability (often referred to as Auditing): trace an action to a subject’s identity. It proves who performed a given action and provides non-repudiation. Group or shared accounts are never OK; they have zero accountability. It uses audit trails and logs to associate a subject with its actions.
Question 13: Skipped

What does SOC2 type 1 report on?


SOC 2 Type 1 reports on management’s description of a service organization’s system and the suitability of the design of controls.
Question 14: Correct

With the CIA triad in mind, if we have too much confidentiality which other control will suffer the MOST?


Finding the right mix of Confidentiality, Integrity and Availability is a balancing act. This is really the cornerstone of IT Security: finding the RIGHT mix for your organization. With too much Confidentiality, Availability can suffer.
Question 15: Correct

When we are reviewing our audit logs, it is which type of a control?


Audit log review is a detective control; we look at what happened after it happened, looking for patterns and issues.
Question 16: Correct

We have a contract with some penetration testers. In which phase would the tester look for vulnerabilities and design the attack?


Discovery (planning): finding the vulnerabilities and designing the attacks.
Question 17: Correct

After a major security incident, we need to provide the chain of custody logs for one of the compromised hard drives. Which of these should NOT be part of the logs?


With the chain of custody, everything is documented: Who had it, and when? What was done? When did they do it? Not what was found.
Question 18: Correct

What would we NOT look at in a security assessment?


Security Assessments: a full-picture approach to assessing how effective our access controls are; they have a very broad scope. We would not look at employee performance. Security assessments often span multiple areas and can use some or all of these components: policies, procedures, and other administrative controls; assessing the real-world effectiveness of administrative controls; change management; architectural review; penetration tests; vulnerability assessments; security audits.
Question 19: Incorrect

When we are categorizing disasters for our Business Continuity Plan (BCP), we would categorize them into which of these categories? (Select all that apply).


We categorize disasters in 3 categories: natural, human, or environmental. Natural: anything caused by nature; this could be earthquakes, floods, snow, tornadoes, etc. Human: anything caused by humans; they can be intentional or unintentional disasters. Unintentional could be an employee using a personal USB stick on a PC at work and spreading malware, which would be just as bad as if an attacker had done it, but the employee was just ignorant, careless, or didn’t think it would matter. Environmental (not to be confused with natural disasters): anything in our environment; this could be power outages/spikes, hardware failures, provider issues, etc.
Question 20: Incorrect

Active Directory (AD) uses trust domains; one domain establishes a trust relationship with another domain. Which of these is NOT an AD trust domain?


One-way trust, two-way trust, trusted domain, transitive trust and intransitive trust are all trust domains; there is no reflective trust.
Question 21: Correct

Diameter was designed to replace Radius, but the change never happened. Where is Diameter COMMONLY used now?


Diameter is largely used in the 3G/4G space; RADIUS is used elsewhere. It was intended as a replacement for RADIUS, but the use cases changed and both now have different uses. It also provides centralized AAA (Authentication, Authorization, and Accounting) management for users who connect and use a network service.
Question 22: Correct

In the TCP/IP model, frames and bits are the Protocol Data Units (PDUs) of which layer?


Frames and bits are the Protocol Data Units (PDUs) of the link and physical layers of the TCP/IP model. (Frames are OSI layer 2 and bits are OSI layer 1.)
Question 23: Incorrect

In Scrum project management, what is the Scrum master’s role?


Scrum master: facilitates the team and is accountable for removing impediments to the ability of the team to deliver the product goals and deliverables. Not a traditional team lead or project manager, but acts as a buffer between the team and any distracting influences. The scrum master ensures that the Scrum framework is followed.
Question 24: Correct

Which type of software development uses programming pairs?


XP (Extreme Programming) uses programming in pairs or extensive code review. It is intended to improve software quality and responsiveness to changing customer requirements. It advocates frequent releases in short development cycles, intended to improve productivity and introduce checkpoints at which new customer requirements can be adopted.
Question 25: Correct

Which industry is the US Gramm-Leach-Bliley Act (GLBA) focused on?


Gramm-Leach-Bliley Act (GLBA): applies to financial institutions; driven by the Federal Financial Institutions Examination Council (FFIEC); enforced by member agencies: OCC, FDIC, FRB, NCUA, and CFPB. Enacted in 1999, it requires protection of the confidentiality and integrity of consumer financial information.
Question 26: Skipped

As part of our server hardening, we are blocking all ports on our servers unless specified as something we need open in the technical design documentation. When we block TCP/UDP port 3389, what are we blocking?


Microsoft Terminal Server (RDP) uses TCP/UDP port 3389.
Question 27: Incorrect

There are a lot of challenges with audit record management. Which of these is NOT one of them?


Audit record management typically faces five distinct problems: logs are not reviewed on a regular and timely basis; audit logs and audit trails are not stored for a long enough time period; logs are not standardized or viewable by correlation toolsets (they are only viewable from the system being audited); log entries and alerts are not prioritized; audit records are only reviewed for the bad stuff.
Question 28: Correct

What would we use a Security Information and Event Management (SIEM) system for?


SIEM (Security Information and Event Management) provides real-time analysis of security alerts generated by network hardware and applications.
Question 29: Correct

We have decided to implement job rotation in our organization. What can that help prevent?


Job rotation: for the exam, think of it as a way to detect errors and fraud. It is easier to detect fraud, and there is less chance of collusion between individuals, if they rotate jobs. It also helps with employee burnout, and it helps employees understand the entire business. This can be cost-prohibitive for the exam/real life; make sure that on the exam the cost justifies the benefit.
Question 30: Correct

What would a penetration testing Statement Of Work (SOW) NOT include?


Penetration Testing (Pen Testing) has very clear rules of engagement defined in a SOW (Statement Of Work): which IP ranges, time frame, tools, POC, how to test, and what to test.
Question 31: Correct

When we are performing background checks on our new employees, we would NEVER look at which of these?


When we hire new staff we often do background checks to ensure we minimize our risks. We can check: references, degrees, employment, criminal record, credit history (less common, more costly). We have new staff sign an NDA (Non-Disclosure Agreement). It is illegal to check or inquire about political preference.
Question 32: Correct

Jane is using the Scrum project management methodology. Which of these would be some of the core team roles in the Scrum framework? (Select all that apply).


Scrum is a framework for managing software development. Scrum is designed for teams of approximately 10 individuals, and generally relies on two-week development cycles, called “sprints”, as well as short daily stand-up meetings. The three core roles in the Scrum framework are: The product owner: represents the product’s stakeholders, is the voice of the customer, and is accountable for ensuring that the team delivers value to the business. Development team: responsible for delivering the product at the end of each sprint (sprint goal). The team is made up of 3–9 individuals who do the actual work (analysis, design, development, testing, technical communication, documentation, etc.). Scrum master: facilitates the team and is accountable for removing impediments to the ability of the team to deliver the product goals and deliverables. Not a traditional team lead or project manager, but acts as a buffer between the team and any distracting influences. The scrum master ensures that the Scrum framework is followed.
Question 33: Correct

We are in a court of law and we are presenting real evidence. What constitutes real evidence?


Real evidence is tangible and physical objects; in IT security it is things like hard disks and USB drives, not the data on them.
Question 34: Correct

Bob is working on designing new access controls across our organization. Which documentation should he reference to know how and what to implement?


Our access control is determined by our policies, procedures, and standards. These outline how we grant access, to whom, and to what: we use least privilege and need to know, and we give our staff and systems exactly the access they need and no more.
Question 35: Correct

Those acting under “the color of law” can act on an exigent circumstance. What would constitute exigent circumstances?


Exigent circumstances apply if there is an immediate threat to human life or of evidence destruction. A court will later decide whether it was justified. This only applies to law enforcement and those operating under the “color of law” (Title 18 U.S.C. Section 242, Deprivation of Rights Under Color of Law).
Question 36: Incorrect

We are using the CIA triad to, at a high level, explain IT security to our board of directors. Which of these are the 3 legs of the CIA triad?


The CIA (Confidentiality, Integrity, Availability) Triad: Confidentiality – We keep our data and secrets secret. Integrity – We ensure the data has not been altered. Availability – We ensure authorized people can access the data they need, when they need to.
Question 37: Incorrect

In our data management, which of these BEST describe the data owner responsibilities?


Data/Information Owner: management level; they assign sensitivity labels and backup frequency. This could be you or a data owner from HR, Payroll or other departments.
Question 38: Skipped

We are using cloud computing and have chosen to use IaaS. Who is responsible for the databases?


IaaS (Infrastructure as a Service): the vendor provides infrastructure up to the OS; the customer adds the OS and everything above it.
Question 39: Correct

One of your coworkers is telling you about our new policies for PII. What is she referring to?


PII is the abbreviation for Personally Identifiable Information.
Question 40: Incorrect

When the Patriot Act was signed into law in 2001, it allowed law enforcement to do what?


PATRIOT Act of 2001: Expands law enforcement electronic monitoring capabilities. Allows search and seizure without immediate disclosure.
Question 41: Correct

When our organization is buying custom developed third party software, which of these should NOT be a concern?


We should address support, who owns the code, and how good the software development company is; we can’t really see what other companies say about the software, since it is being custom developed for us.
Question 42: Correct

The Central Processing Unit (CPU) consists of which two elements?


CPU (Central Processing Unit) is the brains of the system. The arithmetic logic unit (ALU) performs arithmetic and logic operations; processor registers supply operands (the objects of a mathematical operation) to the ALU and store the results of ALU operations. It does all the math. The control unit (CU) handles fetching (from memory) and execution of instructions by directing the coordinated operations of the ALU, registers and other components. It also sends instructions to the ALU.
Question 43: Correct

What could be one of the ways we could protect our data-at-rest?


Data at Rest (stored data): this is data on disks, tapes, CDs/DVDs, USB sticks. We use disk encryption (full/partial), USB encryption, and tape encryption (avoid CDs/DVDs). Encryption can be hardware or software encryption.
Question 44: Correct

As part of our backup policy we are deciding on how long we should keep our backups. What should we base that decision on?


Data Retention: Data should not be kept beyond the period of usefulness or beyond the legal requirements (whichever is greater).
Question 45: Correct

Which of these protocols is NOT found on layer 7 of the Open Systems Interconnection (OSI) model?


PAP is a layer 5 protocol (used for setting up sessions). FTP, LDAP and HTTP are all layer 7 protocols.
Question 46: Correct

If our organization has role-based access control and need-to-know policies, which of these actions are allowed?


Role-based access control assigns access to roles; with added need to know, just because you have access does not mean you are allowed to see the data. You need a valid reason for accessing the data. If you do not have one, you can be terminated/sued/jailed/fined.
Question 47: Incorrect

When you discover a software vulnerability, you notify the vendor of the vulnerability for them to fix it. What is the term used for this?


Responsible/partial disclosure: telling the vendor; they have time to develop a patch, and then we disclose it. If they do nothing, we can revert to full disclosure, forcing them to act.
Question 48: Correct

Throughout our organization we are using intrusion detection systems (IDS) and intrusion prevention systems (IPS). What are some of the COMMON types of those?


IDSs (Intrusion Detection Systems) and IPSs (Intrusion Prevention Systems) can be categorized into 2 types, with 2 different approaches to identifying malicious traffic. Network based: placed on a network segment (a switch port in promiscuous mode). Host based: on a client, normally a server or workstation. Signature (pattern) matching: similar to antivirus, it matches traffic against a long list of known malicious traffic patterns. Heuristic (behavioral) based: uses a normal traffic pattern baseline to monitor for abnormal traffic.
Question 49: Correct

We are implementing several new countermeasures to make our organization less susceptible to fraud. As part of that we are implementing mandatory vacations. How would we use those?


Mandatory vacations: done to ensure one person is not always performing the same task; someone else has to cover, and it can keep fraud from happening or help us detect it. Their accounts are locked and an audit is performed on the accounts. If the employee has been conducting fraud and covering it up, the audit will discover it. The best way to do this is to not give too much advance notice of vacations.
Question 50: Incorrect

When would we deploy honeypots?


While honeypots can be useful, we do not want to lure attackers in (entrapment). If we deployed one each time we launched a system we could have 1000’s of them, and during an attack we are busy with more important things.
Question 51: Correct

When an attacker is using intimidation, it is a form of what?


Social engineering uses people skills to bypass security controls. Intimidation (“if you don’t, a bad thing happens”): a virus on the network, a compromised credit card, a lawsuit against your company. Intimidation is most effective with impersonation and vishing attacks.
Question 52: Correct

After a major security breach, we want to do a lessons learned. Why is that?


Lessons Learned: this phase is often overlooked; we removed the problem and we have implemented new controls and safeguards. We can learn a lot from lessons learned, not just about the specific incident, but about how well we handle them, what worked, and what didn’t: how can we as an organization grow and become better next time we have another incident? While we may have fixed this one vulnerability, there are potentially 100’s of new ones we know nothing about yet. At the end of lessons learned we produce a report to senior management with our findings; we can only make suggestions, they are ultimately in charge (and liable).
Question 53: Correct

To ensure the confidentiality, integrity, and availability of our backup tapes, where would it be appropriate to store them?


Where do we keep our sensitive data? It should be kept in a secure, climate-controlled facility, preferably geographically distant, or at least far enough away that potential incidents will not affect that facility too. Many older breaches were from bad policies around tape backups: tapes were kept at the homes of employees instead of at a proper storage facility, or in a storage room with no access logs and no access restrictions (often unencrypted).
Question 54: Skipped

What is your public key in asymmetric encryption?


Asymmetric encryption uses 2 keys: a public key and a private key (key pair). Your public key is publicly available; it is used by others to encrypt messages sent to you. Since the keys are asymmetric, the ciphertext can’t be decrypted with your public key. Your private key you keep safe; you use it to decrypt messages encrypted with your public key.
Question 55: Incorrect

Which is NOT one of the (ISC)² ethics canons?


ISC2 Code of Ethics Canons: Protect society, the common good, necessary public trust and confidence, and the infrastructure. Act honorably, honestly, justly, responsibly, and legally. Provide diligent and competent service to principals. Advance and protect the profession.
Question 56: Correct

When we are using knowledge-based factors in our authentication process, we would use all of these, EXCEPT which?


A single-use password is not a knowledge-based factor; it is a possession-based factor.
Question 57: Correct

We often allow users to use “secret questions and answers” to unlock their accounts, because it makes our administrators’ workload lighter. Can they also be used as an attack vector?


Secret questions like “Where were you born?” are poor examples of a knowledge factor; the answer is known by a lot of people and can often be researched easily.
Question 58: Correct

Which layer of the Open Systems Interconnect (OSI) model isolates traffic into broadcast domains?


Layer 3: Network Layer: Expands to many different nodes (IP) – The Internet is IP based. Isolates traffic into broadcast domains.
Question 59: Correct

Which of these is the WEAKEST form of authentication we can implement?


Something you know, Type 1 Authentication: passwords, passphrases, PINs, etc., also called knowledge factors. It is the weakest form of authentication and can easily be compromised.
Question 60: Incorrect

On which layer of the Open Systems Interconnect (OSI) model do we establish the connection between 2 applications?


Layer 5: Session Layer: Establishes connection between 2 applications: Setup > Maintenance > Tear Down.
Question 61: Skipped

Senior leadership has approved the use of flash drives. Which type of memory do they use?


Flash memory: Small portable drives (USB sticks are an example); they are a type of EEPROM.
Question 62: Skipped

What is LDAP COMMONLY used for?


LDAP (Lightweight Directory Access Protocol) is commonly used for central username and password storage; many different applications and services can connect to the LDAP server to validate users. It is an open, vendor-neutral, industry-standard application protocol for accessing and maintaining distributed directory information services over an IP network. It is an application layer protocol and uses TCP and UDP port 389.
Question 63: Skipped

Why would an organization offer to use a source code escrow to their customers?


Source code escrow: the deposit of the source code of software with a third-party escrow agent. Escrow is typically requested by a party licensing software (the licensee) to ensure maintenance of the software instead of abandonment or orphaning. The software source code is released to the licensee if the licensor files for bankruptcy or otherwise fails to maintain and update the software as promised in the software license agreement.
Question 64: Skipped

What would be one of the EASIEST ways to confirm if our access control mechanics are working?


Audit log review is the easiest way to confirm our access control mechanisms are working.
Question 65: Skipped

In incident management, which of these is NOT a recognized category of events and/or incidents?


Behavioral is a subset of human, and not a recognized category.
Question 66: Skipped

Which of these authentication protocols is no longer considered secure?


TACACS (Terminal Access Controller Access Control System): a centralized access control system requiring users to send an ID and reusable (vulnerable) passwords for authentication; because of this it is no longer considered secure. It uses TCP/UDP port 49. TACACS has generally been replaced by TACACS+ and RADIUS.
Question 67: Skipped

What is one of the key benefits of using a Host-based Intrusion Prevention System (HIPS) over a Network-based Intrusion Prevention System (NIPS)?


Host based: on a client, normally a server or workstation. It can look at the actual data (it is decrypted at the end device); NIDS/NIPS can’t look at encrypted packets.
Question 68: Skipped

Which of these is NOT a normal phase of a white hat hacker’s strategy?


White hat hackers use many of the same tools and approaches that black hats would, but they do not delete their tracks, audit files or logs.
Question 69: Skipped

Which of these is a TRUE statement about the TCP protocol?


TCP (Transmission Control Protocol): reliable, connection oriented, guaranteed delivery, 3-way handshake, slower/more overhead, data reassembled.
Question 70: Skipped

Prior to an external structured audit, we would often do an ‘unstructured’ audit. Who would perform that?


Unstructured audits: performed by internal auditors to improve our security and find flaws; often done before an external audit.
Question 71: Skipped

In which order would you use the Software Development Life Cycle (SDLC)?


SDLC (Software Development Life Cycle): the SDLC is not really a methodology, but a description of the phases in the life cycle of software development. These phases are (in general): investigation, analysis, design, build, test, implement, maintenance and support (and disposal). It can have security built into each step of the process; for the exam it always does.
Question 72: Skipped

After a security breach, Bob has been asked to ensure evidence integrity. What would he do with the compromised hard drive?


Evidence integrity: it is vital that the evidence’s integrity cannot be questioned. We do this with hashes; any forensics is done on copies and never the originals. We make a bit-level copy of the original and hash both; the copy’s hash should match the original’s. We do another hash after the forensics, and that should be the same as the prior two.
Question 73: Skipped

Why would we choose a centralized access control system over a decentralized one?


Centralized pros (decentralized cons): all systems and locations have the same security posture. Easier to manage: all records, configurations and policies are centralized and only configured once per policy. Attackers look for the weakest link in our chain; if a small satellite office is not following our security posture, it can be an easy way onto our network. It is more secure: only a few people have access and can make changes to the system. It can also provide separation of duties; the local admin can’t edit/delete logs from their facility. SSO can be used for user access to multiple systems with one login. Centralized cons (decentralized pros): traffic overhead and response time; how long does it take for a door lock to authenticate the user against the database at the head office? Is connectivity to the head office stable? Is important equipment on redundant power and internet?
Question 74: Skipped

Which is the MOST secure encryption type of these 4?


DES, Blowfish and RC4 are no longer considered secure; AES is still considered secure.
Question 75: Skipped

Which of these is NOT covered by the Wassenaar Arrangement?


Wassenaar Arrangement (1996 to present): limits exports of military and “dual-use” technologies. Cryptography is part of that. Some nations also use it to prevent their citizens from having strong encryption (it is easier to spy on your own people if they can’t use strong cryptography).
Question 76: Skipped

In our digital forensics, which of these should NEVER happen?


Digital forensics should always be done on bit level copies of the original, never the original.
Question 77: Skipped

When we implement centralized logging, we want it to be:


Centralized logging: should be automated and secure, and even administrators should have limited access.
Question 78: Skipped

You hear a colleague talk about polyinstantiation. What does that mean?


Polyinstantiation (alternative facts): two (or more) instances of the same file depending on who accesses it. The real information may be available to subjects with Top Secret clearance, but different information will be available to staff with Secret or lower clearance.
Question 79: Skipped

What could be one of the NEGATIVE consequences of implementing Single Sign On (SSO) in our organization?


SSO (Single Sign-On): users use a single sign-on for multiple systems. If an attacker compromises a single password, they have access to everything that user can access. Often deployed in organizations where users have to access 10+ systems and they think it is too burdensome to remember all those passwords. SSO has the same strong password requirements as normal single-system passwords.
Question 80: Skipped

To establish a TCP session, we are using the TCP 3-way handshake. What is the correct order of the handshake?


The 3-way handshake is client SYN > Server SYN/ACK > Client ACK.
Question 81: Skipped

As part of our layered defense, and to prevent unauthorized devices on our network, we have added the MAC sticky command. Where would we configure that?


Good switch security includes shutting down unused ports, adding mac-sticky, and hardcoding whether ports are access or trunk ports. Making all ports trunk ports is a bad idea.
Question 82: Skipped

Which organization is responsible for delegating IP address ranges to ISPs (Internet Service Providers) in North America?


The world is divided into RIR (Regional Internet Registry) regions and organizations in those areas delegate the address space they have control over. ARIN (American Registry for Internet Numbers): United States, Canada, several parts of the Caribbean region, and Antarctica.
Question 83: Skipped

As part of a security assessment we are having an external company do penetration testing. What do we call a penetration test where the tester has full admin level knowledge about our organization and IT infrastructure? (Select all that apply).


White box (crystal/clear) pen testing (full knowledge): the attacker has knowledge of the internal network and access to it like a privileged employee would, normally an employee with administrator access and full knowledge of our environment. There is no full box; gray is partial knowledge and black is no knowledge.
Question 84: Skipped

When we are talking about RAM what are we referencing?


RAM (Random Access Memory) is volatile memory. It loses the memory content after a power loss (or within a few minutes). This can be memory sticks or embedded memory.
Question 85: Skipped

Jane is explaining how using AI can help predict healthcare issues for patients. What is AI?


AI (Artificial Intelligence): Intelligence exhibited by machines, rather than humans or other animals. True AI is a topic of discussion; what was considered AI years ago has been achieved, and once the goal is reached, the AI definition is tweaked a little.
Question 86: Skipped

For access control management, which of these is considered something you have?


Things in your possession, not things you know (knowledge factor) or something you are (biometrics).
Question 87: Skipped

Which of these protocols is NOT found on layer 3 of the OSI model?


IMAP is a layer 7 protocol. IP, IPSEC, IKE, ICMP, … are all layer 3 protocols.
Question 88: Skipped

As part of our software testing, we are doing static software testing. What are we doing?


Static testing – Passively testing the code; it is not running. This includes walkthroughs, syntax checking, and code reviews. It looks at the raw source code itself for evidence of known insecure practices, functions, libraries, or other characteristics having been used in the source code.
Question 89: Skipped

What are some of the dangers if we chose to NOT use proper and regular patching of our systems?


Patches are released to fix known security vulnerabilities; not applying them leaves us open to vulnerabilities that the attackers also know about.
Question 90: Skipped

What could a vulnerability scan possibly help us find?


A vulnerability scanner tool is used to scan a network or system for a list of predefined vulnerabilities such as system misconfiguration, outdated software, or a lack of patching.
Question 91: Skipped

Looking at our data management, what is the user’s role?


Users: These are the users of the data. Users must receive awareness training; they need to know what is acceptable and what is not acceptable, and the consequences for not following the policies, procedures and standards.
Question 92: Skipped

When would a logic bomb go off?


Logic Bombs – Malicious code that executes at a certain time or event – they are dormant until the event (IF/THEN). IF Bob is not getting an annual bonus over $10,000, THEN execute malicious code. IF date and time 5/15/18 00:02:12, THEN execute malicious code.
Question 93: Skipped

What is a WEAKNESS of the Challenge Handshake Authentication Protocol (CHAP)?


CHAP (Challenge-Handshake Authentication Protocol): The CHAP server stores the plaintext password of each client, so an attacker gaining access to the server can steal all the client passwords stored on it. CHAP provides protection against replay attacks by the peer through the use of an incrementally changing identifier and a variable challenge value. It requires that the client and server know the plaintext of a shared secret, but the secret is never sent over the network. This provides better security than PAP, which is vulnerable in both these respects. CHAP is used by PPP (Point-to-Point Protocol) servers to validate remote clients, and it periodically verifies the identity of the client by using a three-way handshake.
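The three-way handshake described above, as an added example that is not part of the original quiz: the RFC 1994 MD5 response is computed on both sides, the server accepts each identifier/challenge pair only once, and the shared secrets sit in plaintext in the server's password database. User names and secrets are constructed.

```python
import hashlib
import secrets

# Added example, not from the original page: a minimal CHAP exchange (RFC 1994,
# MD5 algorithm) showing the three-way handshake and why the server has to hold
# the plaintext secret. Names, users and secrets below are constructed.


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP Response value: MD5(Identifier || secret || Challenge value)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    """The authenticator side (for example a PPP server)."""

    def __init__(self, password_db: dict):
        # The weakness from the question: the shared secrets sit here in
        # plaintext, because the server must recompute the hash itself.
        self.password_db = password_db
        self.identifier = 0
        self.outstanding = {}  # identifier -> challenge value not yet answered

    def challenge(self):
        """Step 1: send a fresh Identifier and a random Challenge value."""
        self.identifier = (self.identifier + 1) % 256
        value = secrets.token_bytes(16)
        self.outstanding[self.identifier] = value
        return self.identifier, value

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        """Step 3: Success/Failure. Each challenge is accepted at most once."""
        challenge = self.outstanding.pop(identifier, None)
        if challenge is None:
            return False  # unknown or already answered: a replayed Response lands here
        secret = self.password_db.get(name)
        if secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return secrets.compare_digest(expected, response)


class ChapClient:
    """The peer side; it also knows the plaintext secret but never sends it."""

    def __init__(self, name: str, secret: bytes):
        self.name = name
        self.secret = secret

    def respond(self, identifier: int, challenge: bytes):
        """Step 2: the Response carries the hash and the name, not the secret."""
        return self.name, chap_response(identifier, self.secret, challenge)


def authenticate(server: ChapServer, client: ChapClient) -> bool:
    """Run one complete three-way handshake and return the server's verdict."""
    identifier, challenge = server.challenge()
    name, response = client.respond(identifier, challenge)
    return server.verify(identifier, name, response)


def replay_check(server: ChapServer, client: ChapClient):
    """Run a handshake, then present the same Response again: (first, replayed)."""
    identifier, challenge = server.challenge()
    name, response = client.respond(identifier, challenge)
    first = server.verify(identifier, name, response)
    replayed = server.verify(identifier, name, response)
    return first, replayed


if __name__ == "__main__":
    # Constructed sample credentials.
    secret = b"correct horse battery staple"
    server = ChapServer({"alice": secret})
    print("good secret:", authenticate(server, ChapClient("alice", secret)))
    print("bad secret: ", authenticate(server, ChapClient("alice", b"wrong")))
    print("replay:     ", replay_check(server, ChapClient("alice", secret)))
```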
Question 94: Skipped

In IT Security we are talking about something as an event, what does that mean?


Event: An observable change in state, this is neither negative nor positive, it is just something has changed. A system powered on, traffic from one segment to another, an application started.
Question 95: Skipped

After an attack on our servers, who should handle digital forensic evidence?


People handling digital forensic evidence should always be trained in proper handling.
Question 96: Skipped

Which of these would be an IP socket-pair?


Socket pairs (TCP): two sets of IP address and port (source and destination). This could be Source pair: Destination pair: Well-known ports are often translated; port 443 is HTTPS.
Question 97: Skipped

In software acceptance testing, what is the purpose of production acceptance testing?


Compatibility/production testing: Does the software interface as expected with other applications or systems? Does the software perform as expected in our production environment vs. the development environment?
Question 98: Skipped

The port numbers we use can be categorized as well-known, registered, or dynamic/private/ephemeral ports. Which of these is NOT a well-known port?


Well-known ports are ports 0-1023; they are mostly used by well-known protocols and services.
Question 99: Skipped

We are wanting to erase EPROM memory to update to the latest firmware. How would we do that?


EPROM (Erasable Programmable Read Only memory) – Can be erased (flashed) and written many times, by shining an ultraviolet light (flash) on a small window on the chip (normally covered by foil).
Question 100: Skipped

We are implementing biometric authentication. What would be a good reason to do that?


Biometric features rarely change unless we have a serious accident. They are more difficult to copy, and people can’t change them unless they get surgery, but biometrics are normally more expensive than possession or knowledge factors.
Question 101: Skipped

What is happening when we experience buffer overflows?


Buffer overflow (buffer overrun): An anomaly where a program, while writing data to a buffer, overruns the buffer’s boundary and overwrites adjacent memory locations. It happens from improper coding when a programmer fails to perform bounds checking. Buffers are areas of memory set aside to hold data, often while moving it from one section of a program to another, or between programs. Buffer overflows can often be triggered by malformed inputs: if one assumes all inputs will be smaller than a certain size and the buffer is created to be that size, an anomalous transaction that produces more data can cause a write past the end of the buffer. If this overwrites adjacent data or executable code, it may result in erratic program behavior, including memory access errors, incorrect results, and crashes. By sending in data designed to cause a buffer overflow, it is possible to write into areas known to hold executable code and replace it with malicious code.
Question 102: Skipped

Which type of access control model is based on a subject’s clearance?


MAC – (Mandatory Access Control) is system-enforced access control based on a subject’s clearance and an object’s labels.
Question 103: Skipped

As part of our updated security posture, we have started blocking TCP/UDP port 22 as a default. What are we blocking?


SSH (Secure Shell) uses the well-known TCP/UDP port 22.
Question 104: Skipped

On which layer of the Open Systems Interconnection model (OSI) model would we find the broadcast address FF:FF:FF:FF:FF:FF?


FF:FF:FF:FF:FF:FF is the layer 2 broadcast address. Layer 2 uses MAC addresses.
Question 105: Skipped

We are using some of the best practice rules on our password’s requirements. Which of these would NOT be part of that?


Minimum password age is implemented to prevent users from cycling through their last used passwords to return to their favorite password again. Passwords should also have a minimum length, contain upper/lower case letters, numbers and symbols, and should not contain full words or other easy-to-guess phrases.
Question 106: Skipped

Jack is looking at different types of encryption. Which of these is a type of asymmetric encryption?


RSA is asymmetric. 3DES, RC6 and Twofish are all symmetric forms of encryption.
Question 107: Skipped

We have 100 users all needing to communicate with each other. If we are using asymmetric encryption how many keys would we need?


Asymmetric encryption uses 2 keys per user, so we would need 200 keys.
Question 108: Skipped

Looking at our incident management plan, which of these can we possibly mitigate with a redundant geographical distant site?


Disaster: Our entire facility is unusable for 24 hours or longer. If we are geographically diverse and redundant we can mitigate this a lot. Yes, a snowstorm can be a disaster.
Question 109: Skipped

Which of these would NOT be part of a good identity and access provisioning lifecycle?


Accounts should be locked when employees leave the organization. Deleting them makes auditing harder; deactivation/locking is preferred.
Question 110: Skipped

BIBA’s Invocation Property prohibits users from what?


Invocation Property: “No Read or Write UP”. Subjects can never access or alter data on a higher level.
Question 111: Skipped

Which of these is NOT an example of broken authentication or session management (OWASP A2)?


A2 Broken Authentication and Session Management. Sessions do not expire or take too long to expire. Session IDs are predictable: 001, 002, 003, 004, etc. Tokens, session IDs, passwords, etc., are kept in plaintext. Pseudo-random session IDs would be a broken authentication countermeasure.
Question 112: Skipped

When we talk about referential databases, what does referential integrity mean?


Referential integrity: When every foreign key in a secondary table matches a primary key in the parent table. It is broken if not all foreign keys match the primary key.
Question 113: Skipped

As part of our risk management, we are working on quantitative risk analysis. Select all the terms we would use in this phase:


Quantitative Risk Analysis – We want exactly enough security for our needs. This is where we put a number on that. We find the asset’s value: How much of it is compromised, how much one incident will cost, how often the incident occurs and how much that is per year. Asset Value (AV) – How much is the asset worth? Exposure factor (EF) – Percentage of Asset Value lost? Single Loss Expectancy (SLE) – (AV x EF) – What does it cost if it happens once? Annual Rate of Occurrence (ARO) – How often will this happen each year? Annualized Loss Expectancy (ALE) – This is what it cost per year if we do nothing.
Question 114: Skipped

What was the intent of the US Electronic Communications Privacy Act of 1986 (ECPA)?


The Electronic Communications Privacy Act (ECPA) was designed for protection of electronic communications against warrantless wiretapping, but it was significantly weakened by the Patriot Act.
Question 115: Skipped

Which type of security governance and management would we want to see in our organization?


We always want top-down security governance and management, we want senior leadership on our side. Top-Down: IT leadership is on board with IT Security, they lead and set the direction. Bottom-Up: IT Security is seen as a nuisance and not a helper, often change when breaches happen.
Question 116: Skipped

Which type of Intrusion Detection Systems (IDS) and Intrusion Prevention System (IPS) are completely vulnerable to 0-day attacks?


Signature based: Looks for known malware signatures. Faster, since they just check traffic against malicious signatures. Easier to set up and manage; someone else does the signatures for us. They are completely vulnerable to 0-day attacks and have to be updated constantly to keep up with new vulnerability patterns.
Question 117: Skipped

Which process would we use to handle updates to our environments?


Change Management: Often called change control, a formalized process on how we handle changes to our environments. If done right we will have full documentation, understanding and we communicate changes to appropriate parties. The change review board should be comprised of both IT and other operational units from the organization, we may consider impacts on IT, but we are there to serve the organization, they need to understand how it will impact them and raise concerns if they have any.
Question 118: Skipped

When someone is typo squatting, what are they doing?


Typo squatting – Buying a URL that is VERY close to a real website name (can be illegal in certain circumstances).
Question 119: Skipped

When we talk about WORM media, what are we referring to?


WORM Media (Write Once Read Many): CD/DVDs can be WORM Media (R), if they are not R/W (Read/Write).
Question 120: Skipped

Which of these hackers would you hire to do penetration testing?


White Hat hackers: Professional pen testers trying to find flaws so we can fix them (Ethical Hackers). Black Hat hackers: Malicious hackers, trying to find flaws to exploit them (Crackers – they crack the code). Gray/Grey Hat hackers: They are somewhere between the white and black hats; they go looking for vulnerable code, systems or products. They often just publicize the vulnerability (which can lead to black hats using it before a patch is developed). Gray hats sometimes also approach the company with the vulnerability and ask them to fix it, and if nothing happens they publish. Script Kiddies: They have little or no coding knowledge, but many sophisticated hacking tools are available and easy to use. They pose a very real threat. They are just as dangerous as skilled hackers; they often have no clue what they are doing.
Question 121: Skipped

Our organization is using least privilege in our user access management. How are our users assigned privileges?


Least Privilege also called “Minimum necessary access”, we give our users and systems exactly the access they need, no more, no less.
Question 122: Skipped

We have removed a server from our production environment. We format the hard drives, install a new OS (Operating System), and application on the disks. We then put the newly installed server back into production. Which of these would be TRUE about the original data a week later?


We can still recover files that have not been overwritten yet; formatting just removes the file structure.
Question 123: Skipped

We want to be able to restore our systems with no more than 48 hours of data loss. Which of these could be a backup rotation we could choose to implement?


If we can have no more than 48 hours of data loss the only viable option is a daily backup.
Question 124: Skipped

When we talk about using cryptanalysis in our work, what exactly are we talking about?


Cryptanalysis is the science of breaking encrypted communication. Cryptanalysis is used to breach cryptographic security systems and gain access to the contents of encrypted messages, even if the cryptographic key is unknown. It uses mathematical analysis of the cryptographic algorithm, as well as side-channel attacks that do not target weaknesses in the cryptographic algorithms themselves, but instead exploit weaknesses in their implementation and the devices that run them.
Question 125: Skipped

Which security principle is Clark-Wilson based on?


Clark-Wilson – Integrity: Separates end users from the backend data through ‘Well-formed transactions’ and ‘Separation of Duties’. The model uses Subject/Program/Object. We have discussed the Subject/Object relationship before, but this puts a program between the two. We don’t allow people access to our inventory when they buy from us. We give them a limited functionality interface they can access.


MMC: Active Directory Domains and Trusts is the Microsoft Management Console snap-in that is used to administer domain trusts, domain and forest functional levels, and user principal name (UPN) suffixes.


Active Directory Trusts

A trust is a relationship established between domains that makes it possible for users in one domain to be authenticated by the other domain.

All Active Directory trusts between domains within a forest are transitive, two-way trusts. Therefore, both domains in a trust relationship are trusted. This means that if Domain A trusts Domain B and Domain B trusts Domain C, then users from Domain C can access resources in Domain A.


Trusted domain objects (TDOs) are objects that represent each trust relationship within a particular domain. Each time that a trust is established, a unique TDO is created and stored in its domain. A domain trust TDO stores attributes such as trust transitivity, type, and the reciprocal domain names. Forest trust TDOs store additional attributes to identify all the trusted namespaces from the partner forest. These attributes include domain tree names, user principal name (UPN) suffixes, service principal name (SPN) suffixes, and security identifier (SID) namespaces.

Trust Types

External: Nontransitive. Could be one-way or two-way. External trusts provide access to resources that are located on a domain that is located in a separate forest that is not joined by a forest trust.

When to create an external trust:

External trusts are necessary when users need access to resources in a domain that is located in a separate forest that is not joined by a forest trust.


When there is a trust between a domain in a forest and a domain outside that forest, security principals from the external domain can access resources in the internal domain. ADDS creates a foreign security principal object in the internal domain to represent each security principal from the trusted external domain. These foreign security principals can become members of domain local groups in the internal domain. Domain local groups can have members from domains outside the forest.

Realm: Transitive or nontransitive. Could be one-way or two-way. Use realm trusts to form a trust relationship between a non-Windows Kerberos realm and an Active Directory domain. This trust relationship allows cross-platform interoperability with security services that are based on other versions of the Kerberos V5 protocol, for example, UNIX and MIT implementations.

Forest: Transitive. Could be one-way or two-way. Use forest trusts to share resources between forests. If a forest trust is a two-way trust, authentication requests that are made in either forest can reach the other forest.

When to create a forest trust:

You can create a forest trust between forest root domains if the forest functional level is Windows Server 2003 or higher. A forest trust provides a one-way or two-way, transitive trust relationship between every domain in each forest.

Shortcut: Transitive. Could be one-way or two-way. Use shortcut trusts to improve user logon times between two domains within an Active Directory forest. This is useful when two domains are separated by two domain trees.

When to create a shortcut trust:

Shortcut trusts are one-way or two-way, transitive trusts that administrators can use to optimize the authentication process. Authentication requests must first travel a trust path between domain trees. In a complex forest this can take time, which you can reduce with shortcut trusts.


Trust Direction

The trust type and its assigned direction affect the trust path that is used for authentication. A trust path is a series of trust relationships that authentication requests must follow between domains. Before a user can access a resource in another domain, the security system on domain controllers must determine whether the trusting domain has a trust relationship with the trusted domain. To determine this, the security system computes the trust path between a domain controller in the trusting domain and a domain controller in the trusted domain.


One-way trust: A one-way trust is a unidirectional authentication path that is created between two domains. This means that in a one-way trust between Domain A and Domain B, users in Domain A can access resources in Domain B. However, users in Domain B cannot access resources in Domain A.

Two-way trust: All domain trusts in an Active Directory forest are two-way, transitive trusts. When a new child domain is created, a two-way, transitive trust is automatically created between the new child domain and the parent domain. In a two-way trust, Domain A trusts Domain B and Domain B trusts Domain A. This means that authentication requests can be passed between the two domains in both directions.

Trust Transitivity

Transitivity determines whether a trust can be extended outside the two domains between which the trust was formed. You can use a transitive trust to extend trust relationships with other domains. You can use a nontransitive trust to deny trust relationships with other domains.

Transitive trust: Each time that you create a new domain in a forest, a two-way, transitive trust is automatically created between the new domain and its parent domain. If child domains are added to the new domain, the trust path flows upward through the domain hierarchy, extending the initial trust path that was created between the new domain and its parent domain.

Authentication requests follow these trust paths. Therefore, accounts from any domain in the forest can be authenticated at any other domain in the forest. With a single logon process, accounts with the proper permissions can access resources in any domain in the forest.


Nontransitive trust: A nontransitive trust is restricted to the two domains in the trust relationship. It does not flow to any other domains in the forest. Nontransitive trusts are one-way by default.
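The direction and transitivity rules from the trust sections above, modelled as an added example (not from the original text): a trust is an edge from the trusting domain to the trusted domain, a one-hop path may use any trust, and every hop of a longer path must be transitive. The forest layout and domain names are constructed.

```python
from collections import deque
from dataclasses import dataclass

# Added example, not from the original text: a model of Active Directory trust
# paths honouring direction and transitivity. Domain names are constructed.


@dataclass(frozen=True)
class Trust:
    trusting: str      # domain holding the resources; it accepts the other's accounts
    trusted: str       # domain whose accounts are accepted
    kind: str          # "parent-child", "forest", "external", "realm", "shortcut"
    transitive: bool


def two_way(a: str, b: str, kind: str, transitive: bool) -> list:
    """A two-way trust is simply a trust in each direction."""
    return [Trust(a, b, kind, transitive), Trust(b, a, kind, transitive)]


def trust_path(trusts, resource_domain: str, account_domain: str):
    """Return the trust path from the trusting (resource) domain to the trusted
    (account) domain, or None if no path exists.

    Rules modelled: a direct (one-hop) path may use any trust; every hop of a
    longer path must be transitive, because a nontransitive trust does not
    flow to further domains. Only the trusting side of a trust can follow it.
    """
    if resource_domain == account_domain:
        return [resource_domain]
    outgoing = {}
    for t in trusts:
        outgoing.setdefault(t.trusting, []).append(t)
    queue = deque([[resource_domain]])
    seen = {resource_domain}
    while queue:
        path = queue.popleft()
        for t in outgoing.get(path[-1], []):
            direct = len(path) == 1
            if t.trusted == account_domain and (direct or t.transitive):
                return path + [t.trusted]
            # Only transitive trusts may be extended to further domains.
            if t.transitive and t.trusted not in seen:
                seen.add(t.trusted)
                queue.append(path + [t.trusted])
    return None


def can_authenticate(trusts, resource_domain: str, account_domain: str) -> bool:
    """True if an account from account_domain can reach resource_domain."""
    return trust_path(trusts, resource_domain, account_domain) is not None


# Constructed topology: one forest (contoso.com with child corp.contoso.com),
# a two-way forest trust to fabrikam.com, and a one-way, nontransitive external
# trust in which contoso.com trusts the stand-alone domain legacy.local.
SAMPLE_TRUSTS = (
    two_way("corp.contoso.com", "contoso.com", "parent-child", True)
    + two_way("contoso.com", "fabrikam.com", "forest", True)
    + [Trust("contoso.com", "legacy.local", "external", False)]
)

if __name__ == "__main__":
    cases = [
        ("corp.contoso.com", "fabrikam.com"),   # via parent, then forest trust
        ("contoso.com", "legacy.local"),        # direct external trust
        ("corp.contoso.com", "legacy.local"),   # external trust does not flow
        ("legacy.local", "contoso.com"),        # wrong direction for one-way
    ]
    for resource, account in cases:
        print(f"{account:>18} -> {resource:<18}", trust_path(SAMPLE_TRUSTS, resource, account))
```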

Chain of Custody

The chain of custody is a tracking record beginning with detailed scene notes that describe where the evidence was received or collected. Collection techniques, preservation, packaging, transportation, storage and creation of the inventory list are all part of the process used in establishing the chain of custody. The chain of custody is established whenever an investigator takes custody of evidence at a crime scene. The chain is maintained when evidence is received from another officer or detective.

A clear, well-documented chain of custody should be established through a process that includes the following:

  • Taking notes, including documentation of the recovery location, the time and date recovered or received, description of the item, condition of the item and any unusual markings on or alterations to the item.
  • Marking and packaging the evidence.
  • Sealing the evidence.
  • Preparing the chain-of-custody record.

The chain-of-custody record for all items collected from the scene must include the following:

  • Unique identifier.
  • Item description.
  • Identity of the person who collected the item.
  • Time and date of collection.
  • Location where item was found.

Individuals assuming custody of the evidence from collection through analysis sign a chain-of-custody document or otherwise conduct a secure electronic transfer identifying them as contributors to the analysis of the evidentiary materials. When evidence is submitted to a property and evidence section or to a forensic laboratory, a receipt documenting the transfer is obtained.

To maintain an accurate and complete chain of custody:

  • Limit the number of individuals handling evidence.
  • Confirm that all names, identification numbers, and dates are listed on the chain-of-custody documents.
  • Ensure that all evidence packaging is properly sealed and marked prior to submission.
  • Obtain signed or otherwise secure receipts upon transfer of evidence.
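The chain-of-custody record fields listed above and the hand-over rules that follow them, as an added example (not part of the original text): each item carries its unique identifier, description, collector, time and location, plus a content digest so later handlers can show the evidence is unchanged, and a transfer is only recorded when released by the current custodian. Names, timestamps and the evidence bytes are constructed.

```python
import hashlib
from dataclasses import dataclass, field

# Added example, not from the original text: a minimal chain-of-custody record
# with the fields listed above plus a SHA-256 of the evidence content.
# All sample data below is constructed.


@dataclass(frozen=True)
class Transfer:
    released_by: str
    received_by: str
    timestamp: str   # ISO 8601, recorded at the hand-over
    purpose: str     # e.g. "storage", "forensic imaging"


@dataclass
class EvidenceItem:
    identifier: str        # unique identifier
    description: str       # item description, condition, unusual markings
    collected_by: str      # identity of the person who collected the item
    collected_at: str      # time and date of collection
    location: str          # location where the item was found
    sha256: str            # digest of the content at collection time
    transfers: list = field(default_factory=list)

    @property
    def custodian(self) -> str:
        """Whoever received the item last is the current custodian."""
        return self.transfers[-1].received_by if self.transfers else self.collected_by

    def can_release(self, person: str) -> bool:
        """Only the current custodian may hand the item to someone else."""
        return person == self.custodian

    def transfer(self, released_by: str, received_by: str, timestamp: str, purpose: str) -> Transfer:
        """Record a hand-over (the signed or electronic receipt) in the chain."""
        if not self.can_release(released_by):
            raise ValueError(f"{released_by} is not the custodian ({self.custodian})")
        entry = Transfer(released_by, received_by, timestamp, purpose)
        self.transfers.append(entry)
        return entry


def collect(identifier: str, description: str, collected_by: str,
            collected_at: str, location: str, content: bytes) -> EvidenceItem:
    """Start the chain: take the scene notes and hash the content on collection."""
    digest = hashlib.sha256(content).hexdigest()
    return EvidenceItem(identifier, description, collected_by, collected_at, location, digest)


def content_unchanged(item: EvidenceItem, content: bytes) -> bool:
    """Re-hash the content and compare it with the digest taken at collection."""
    return hashlib.sha256(content).hexdigest() == item.sha256


def chain_is_continuous(item: EvidenceItem) -> bool:
    """Every release must come from the person who last received the item."""
    holder = item.collected_by
    for t in item.transfers:
        if t.released_by != holder:
            return False
        holder = t.received_by
    return True


def handlers(item: EvidenceItem) -> list:
    """Distinct people who have had custody, in order (keep this list short)."""
    people = [item.collected_by]
    for t in item.transfers:
        if t.received_by not in people:
            people.append(t.received_by)
    return people


def build_sample():
    """Constructed scenario: a USB stick collected at a desk and sent for imaging."""
    content = b"constructed disk image bytes, not real evidence"
    item = collect("EV-0001", "16 GB USB stick, black, scratch on cap",
                   "Officer Lee", "2024-03-01T09:15:00Z", "Desk 12, 3rd floor", content)
    item.transfer("Officer Lee", "Evidence Clerk Park", "2024-03-01T11:40:00Z", "storage")
    item.transfer("Evidence Clerk Park", "Analyst Cho", "2024-03-02T08:05:00Z", "forensic imaging")
    return item, content


if __name__ == "__main__":
    item, content = build_sample()
    print("custodian:", item.custodian, "| continuous:", chain_is_continuous(item),
          "| unchanged:", content_unchanged(item, content), "| handlers:", handlers(item))
```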




What is IAAA?

How does security in systems actually work? Well, security generally works on a principle called IAAA; Identification, Authentication, Authorisation, Accountability. Read on to find out what this principle looks like in the real world.

First of all, what are some examples of IAAA?

  • Identification (who are you?):
    • Your name, username, ID number etc
  • Authentication (prove who you are):
    • Something you know, such as a password
    • Something you have, such as a token
    • Something you are, such as a fingerprint
    • Somewhere you are, such as your IP address
    • Something you can do, such as a signature
  • Authorisation (what are you allowed to access?):
    • Different access models can be used, such as DAC, MAC, and RBAC.
  • Accountability (otherwise known as auditing):
    • Being able to trace an action back to an individual.
    • Prove what someone did, and when they did it. Known as non-repudiation.


Now think of an example which includes each element of IAAA. Thinking of a standard login page, which is how most of us access systems, we usually see two fields; username and password. The username is your identity, without it the system doesn’t know who we are and cannot grant us access. By providing a username, we tell the system who we are.

Once we’ve identified ourselves we need to authenticate and prove our identity. This is the password field. You need to authenticate your username in order to access the system, with other methods such as fingerprints, pins, and iris scans also being used for authentication.

Now you’ve successfully accessed the system, you can view, edit and delete information based on the rights you have been provided. This is where access control models, such as RBAC, come into play. By providing your identity and authenticating it, you are now an authorised user.

All systems should have some form of logging or auditing in place to ensure accountability is considered. Auditing will be able to prove that we have just logged on to the system and provide activity information on the actions we have carried out whilst logged in. This is useful for non-repudiation; making people accountable for their actions.



  • Identification:
    • Your name, username, ID number, employee number, SSN etc.
    • “I am Thor”.
  • Authentication:
    • “Prove you are Thor”. – Should always be done with Multifactor Authentication!
    • Something you know – Type 1 Authentication (passwords, pass phrase, PIN etc.).
    • Something you have – Type 2 Authentication (ID, Passport, Smart Card, Token, cookie on PC etc.).
    • Something you are – Type 3 Authentication (and Biometrics) (Fingerprint, Iris Scan, Facial geometry etc.).
    • Somewhere you are – Type 4 Authentication (IP/MAC Address).
    • Something you do – Type 5 Authentication (Signature, Pattern unlock).
  • Authorization
    • What are you allowed to access – We use Access Control models, what and how we implement depends on the organization and what our security goals are.
    • More on this in Domain 5 – Identity and Access Management (DAC, MAC, RBAC, RUBAC)
  • Accountability (also often referred to as Auditing)
    • Trace an action to a subject’s identity:
    • Prove who/what a given action was performed by (non-repudiation).