CISSP Test Questions combined
Terms in this set (800)
What is the final step of a quantitative risk analysis?
conducting a cost benefit analysis to dtermin whether the organization should implement proposed countermeasure
An evil twin attack that broadcasts a legitimate SSID for an unauthorized network is an example of what category of threat?
spoofing attacks use falsified identities. False IP addresses, email addresses, names or in the case of an evil twin attack, SSIDs.
Under the Digitial Millennium Copyright Act, what type of offenses do not require prompt action by an Internet service provider after it receives a notifcation of infringement claim from a copyright holder?
The DMCA states that providers are not responsiile for the transitory activities of their users. Transmission of information over a network would qualify for this exemptions. The other activities listed are all nontransitory actions that require remediation by the provider.
Flyaway Travel has offices in both the European Union and the United States and transfers personal information between those offices regularly. Which of the serven requirements for processing personal information states that organizations must inform individuals about how the information they collect is used?
The Notice principle says that organizations must inform individuals of the information the organization collects about individuals and how the organization will use it. Based on the Safe Harbor Privacy Principles issued by the DoC in 2000
An evil twin attack that broadcasts a legitimate SSID for an unauthorized network is an example of what category of threat?
The three common threat modeling techniques are foucsed on attackers, software and assets. Social engineering is a subset of attackers.
Which one of the following elements of informatoin is not considered personally identifable information that would trigger most US state data breach laws?
Focus on assets. Most states data breach notification laws are modeled afters California's law, which covers SSN, DL number, state ID card number, credit/debit card numbers, bank acct numbers, medical records and health insurance info.
In 1991, the federal sentencing guidelines formaized a rule that requires senior executives to take personal responsibility for information security matters. What is the name of this rule?
The prudent man rule. Requires that senior executive take personal responsibilty for enruing the due care that ordianary, prudent individual would exercise in the same situation.
Which one of the following provides an authentication mechanism that would be appropriate for pairing with a passowrd to achieve mulitfactor authentication?
A fingerprint scan. This constitutes something you are factor which would approrpriate for pairing with a something your know password to achieve multifactor authentication.
What US government agency is responsible for administering the terms of safe harbor agreements between the EU and the US under the EU Data Protection Directive?
The US Dept. of Commerce is responsibile to implementing the EU-US Safe Harbor agreement.
Youlando is the chief privacy officer for a financial institution and is researching privacy issues related to customer checking accounts. Which one of the following laws is most likely to apply to this situation?
The Gramm-Leach-Billey Act contains provisions regulating the privacy of customer financial information. It applies specifically to financial institutions.
Tim's organization recently received a contract to conduct sponsored research as a governement contractor. What law now likely applies to the information systems involved in this contract?
Federal Information Security Management Act (FISMA) specifically applies to government contractors.
Chris id advising travelers from his organization who will be visting many different countries overseas. He is concerned about compiance with export control laws. Which of the following technoligies is most likely to trigger these regulations?
The export of encryption softrware to certain conuntries is regulated under the US export control laws.
Boobi is investigating a security incident and discovers that n attacker begain witha normal user account but managed to exploit a system vulnerability to privide that account with administrative rights. What type of attack took place under the STRIDE model?
Ina an elevation of a privileged attack, the attacker transforms a limited user account into an account with greater privileges, powers, and/or access to the system.
You are completing your business continuity planning effort and have decided that you wish to accept one the risks. What should you do next?
Document your decision-making process. For risk acceptance you should maintain detailed documentation or the risk acceptance process to satisfy auditors in the future. Should happen before Implementing security controls, Designing a DRP or repeating the BIA.
Which one of the following control categories doesn not accurately describe a fence around a facility?
Detective. A fence doesn't have the ability to detect.
Tony is developing a BCP and is having difficulty prioritizing resources because of the difficulty of comining information about tangible and intangible assets. What would be the most effect risk assessment approach for him to use?
Combining the results of the qualitative and quantitative risk assessment. Qualitative is a good tool for intangible risks. Quantitative analyzes financial risk.
What law provides IP protection to the holds of trade secrets?
The Economic Espionage Act. This gives teeth to IP rights of trade secret owners
Which one of the following principles imposes a standard care upon an individual that is borad and equivalent to what one would expect from a reasonable person under the circumstances?
Due Care prinicple. An individual should react in a situation using the same level of care that would be expected from any resaonable person. Very broad
Darcy is designing a fault tolerant system and wants to implement RAID-5 for her system. What is the minimum number of physical hard disks she can use to build this system?
Three. RAID-5 disk striping with parity, requires a minimum of 3 physical disks to operate.
Which one of the following is an example of administrative control?
Awareness training is an example of administrative control.
Keenans systems recently developed a new namufacturing process for microprocessors. The company want to license the technology to other companies for use but wishes to prevent unauthorizd use of the technology. What type of IP protection is best suited for this situation?
Patent would be the appropriate solution. Trade secrets are appropriate only when the details can be tightly controlled within an organization.
Which one of the following actions might be taken as part of a BCP?
Implementing RAID technology. Provides fault tolerance for HD failures
When developing a business impact analysis, the team should first create a list of assets. What should happen next?
After developing a list of assets, the BIA team should assign values to each asset.
Mike recently implemented an intrusion prevention system designed to block common network attacks from affecting his organization. What type of risk management strategy is Mike pursuing?
Risk mitigation strategies. Attempt to lower the probability and/or impact of a risk occurring.
Which one fo the following is an example of physical infrastructure hardening?
Fire suppression systesm protect infrastructure from physical damage.
Which one fo the following is normally used as an authorization tool?
Access control lists. Use to determine a user's authorization level.
The ISC2 used the logo below to represent itself online and in a variety of forums. What type of intellectual property protection may it use to protect its'rights in this logo?
Trademark protection. Extends to words and symbols used to represent an organization, product or service in the marketplace.
Mary is helping a computer user who sees the following messages appear on this computer screen. What type of attack has occurred?
Which one of the following organziations would not be automatically subject to the terms of HIPAA if they engage in electronic transactions?
Health and fitness application developer.
John's network begins to experience symptoms of slowness. Upon investigation, he relaizes that the network is being bombarded with ICMP ECHO REPLY packets and believes that his organziation is the victim of a Smurf attack. What principle of information security is being violated?
Availability. Smurk attack is a type of availablilty attack which targets the availability of the targeted network
Renee is designing the long-term secuirty plan for her organization and has a three to five year planning horizon. What type of plan is she developing?
Strategic Plans. Long term planning horizon for up to 5 years
What government agency is responsible for the evaluation and registration of trademarks?
The US Patent and Trademark Office
The Acme Widgets Company is putting new controls in place for its accounting department. Management is concerned that rogue accountant may be able to create a new false vendor and then issue checks to that vendor an payment for services that were never rendered. What security control can best hep prevent this situation?
Separation of duties. Orgs divide critical tasks into discrete components and ensure that no one individual has the ability to perform both tasks.
Which one of the following categories of organizations is most likely to be covered by the provision of FISMA?
Defense contractor is most likely to have gov't contracts subject to FISMA. Also includes Federal government agencies and contractors.
Robert is responsible for securing systems used to process credit card information. What standard should guide his actions?
Payment Card Industry Data Security Standard.
Which one of the following individuals is normally responsible for fulfilling the operational data proctection responsibilities delegated by senior management , such as validating data integrity, testing backups, and managing security policies?
The data custodian. Ultimate responsibility is with the Data/Business Owner however the actually operative actions is delegated to the data custodian.
Alan works for an e-commerce company that recently had some content stolen by another website and republished without permission. What type of IP protection would best preserve Alan's company's rights?
Copyright law. Written works (website content) are protected.
Florian receives a flyer from a federal agency announcing that a new administrative law will affect his business operations. Where should he go to find the text of the law?
The Code of Federal Regulations contains the text of all administrative laws promulgated by federal agencies.
Tom is installing a next-generation firewall (NGFW) in his data center that is designed to block many types of application attacks. When viewed from a risk management perspective, what metic is Tom attempting to lower?
Likelihood. Installing a device that blocks attacks is an attempt to reduce likelihood of a successful attack.
Which one of the following individuals would be the most effective organizational owner for an information security program?
The Chief Information Officer (CIO) who would be the most senior position who would be the strongest advocate at the executive level.
What important function do senior managers normally fill on a BCP team?
Arbitrating disputes about criticality.
You are the CISO ofr a major hospital system and are preparing to sign a contract with a SAAS email vendor and want to ensure that its BC planning measures are reasonable. What type of audit might you request to meet this goal?
Service Organizations Control audit program. Includes BC controls in a type 2 not type 1 audit.
Gary is analyzing a security incident and during his investigation, he encounters a user who denies having performed an action that Gary believes he did perform. What type of threat has taekn place under the STRIDE model?
Repudiation threat. Allow an attacker to deny having peformed an action or actitvity without the other party being able to prove differently
Beth is the security administrator for a public school district. She is implementing a new student information system and is testing the code to ensure that students are not able to alter their own grades. What principle of information security is Beth enforcing?
Which one of the following issues is not normally addressed in a service level agreement?
Data confidentiality. Usually this is covered in non-disclosure agreement(NDA)
Joan is seeking to protect a piece of computer software that she developed under IP law. Which one of the following avenues of protection would not apply to a piece of software?
Trademarks. Applies to only words and images that represent a product or service
Juniper Content is a web contect development company with 40 employees located in two offices: one is New York and a smaller office in the San Francisco Bay Area. Each office has a LAN protected by a perimter firewall. the LAN contains modern switch equipment connected to both wired and wireless. Each office has its own file server. and the IT team run software every hour to synchronize files between the two servers, distributing content between the offices. These servers are primarily used to store images and other files related to web content developed by the company. THe team also uses SAAS based email and document collaboration solution for much of their work. You are newly appointed IT manager for Juniper Content and you are working to augment existing security controls to improve the organization's security. Users in the two offices would like to access each other's file servers over the Internet. What control would provide confidentiality for those communications?
Juniper Content is a web contect development company with 40 employees located in two offices: one is New York and a smaller office in the San Francisco Bay Area. Each office has a LAN protected by a perimter firewall. the LAN contains modern switch equipment connected to both wired and wireless. Each office has its own file server. and the IT team run software every hour to synchronize files between the two servers, distributing content between the offices. These servers are primarily used to store images and other files related to web content developed by the company. The team also uses SAAS based email and document collaboration solution for much of their work. You are newly appointed IT manager for Juniper Content and you are working to augment existing security controls to improve the organization's security. You are also concerned about teh availability of data stored on each office's server. You would like to add technology that would enable continued access to files located on the server even if a hard drive in a server fails. What integrity control allows you to add robustness without adding additional servers?
RAID. Uses additional HDs to protect the server against the failure of a single device.
Juniper Content is a web contect development company with 40 employees located in two offices: one is New York and a smaller office in the San Francisco Bay Area. Each office has a LAN protected by a perimter firewall. the LAN contains modern switch equipment connected to both wired and wireless. Each office has its own file server. and the IT team run software every hour to synchronize files between the two servers, distributing content between the offices. These servers are primarily used to store images and other files related to web content developed by the company. THe team also uses SAAS based email and document collaboration solution for much of their work. You are newly appointed IT manager for Juniper Content and you are working to augment existing security controls to improve the organization's security. Finally, there are historical records stored on ther serve that are extremely important to the business and should never be modified. You would like to add an integrity control that allows you to verify on a periodic basis that the files were not modified. What control can you add?
Hashing. Allows you to computationally verify that a file has not been modified between hash evaluations
What law serves as the basis for privacy right in the US?
The Fourth Amendment
Which one of the following is not normally included in the BCP?
Statement of Accounts
An accounting employee at Doolitte Industries was recently arrested for participation in an embezzlement scheme. The employee transferred money to a personal account and the shifted funds around between other accounts every day to disguise the fraud for months. Which one of the following controls might have best allowed the earlier detection of this fraud?
Mandatory vacations, requires employees take time off from work. During that time their accessibility privileges are revoked. This should disrupt and uncover any fraudlent activity.
Which one of the following is not normally considered a BC task?
Electronic vaulting is a part of DRP, data recovery not BCP tasks
Which information security goal is impacted when an organization experiences a DoS or DDoS attack?
Availiability. DoS and DDoS attacks affect the availability of Info systems
Yolanda is writing a document that will provide configuration information regarding the minimum level of security that every system in the organization must meet. What type of document is she preparing?
Baselines. Provides the minimum level of security for every system throughout the organization
Who should recieve initial BCP training in an organization?
Everyone in the organization
James is conducting a risk assessment for his organization and is attempting to assign an asset value to the servers in his data center. The organizations's primary concern is ensuring that it has sufficient funds available to rebuild the data center in the event it is damaged or destroyed. Which one of the following asset valuation methods would be most appropriate in this situation?
Usage of the replacement cost method
The Computer Security Act of 1987 gave a federal agency responsibility for developing computer security standards and guidelines for federal computer systems. What agency did the act give this responsibility to?
National Institute of Standards and Technology (NIST)
Which one of the following is not a requirement for an invention to be patentable?
Requirement that patents for inventions be made by an American citizen
Frank discovers a keylogger hidden on the laptop of his company's CEO. What information security principle is the keylogger most likely designed to disrupt?
What is the formula used to determine risk?
Risk = Threat * Vulnerability
The graphic below shows the NIST risk management framework with step 4 missing. What is the missing step?
Assessing Security Controls
HAL Systems recently decided to stop offering public NTP services because of a fear that its NTP servers would be used in amplification DDoS attacks. What type of risk management strategy did HAL pursue with respect to it NTP services?
Susan is working with management team in her company to classify data in an attempt to apply extra security controls that will limit the likelihood of a data breach. What principle of information security is Susan trying to enforce?
Which one of the following components should be included in an organization's emergency response guidelines?
List of individuals to notified in leu of an emergency incident
Who is the ideal person to approve an organization's BCP?
Which one of the following actions is not normally part of the project scope and planning phase of a BCP?
Documentation of the plan
Gary is implementing a new RAID-based disk system designed to keep a server up and running even in the event of a single disk failure. What principle of information security is Gary seeking to enforce?
Becka recently signed a contract with an alternate data processing facility that will provide her company with space in the event of a disaster. The facility includes HVAC, power, communications circuits but no hardware. What type of facility is Becka using?
What is the threshold for malicious damage to a federal computer system that triggers the Computer Fraud and Abuse Act?
Maliciously cause damage in excess of $5,000 to a federal computer system during any 1-year period
Ben is seeking to a control objective framework that is widely accpeted around the world and focuses specifically on information secuirty controls. Which one of the following framework would best meet his needs?
ISO 27002 (Information technology-Security techniques-Code of practice for information security management) International standard focused on information security
Which one of the following laws requires that communication service providers cooperate with law enforcement requests?
The Communications Assistance to Law Enforcement Act (CALEA).
Every year, Gary receives privacy notices in the mail from financial institutions where he has accounts. What law requires the institutions to send Gary these notices?
The Gramm-Leach-Billey Act contains provisions regulating the privacy of customer financial information, including providing written notice of privacy practices to customers
Which one of the following agreements typically requires that a vendor not disclose confidential information learned during the scope of an engagement?
Which one of the following in not an example of a technical control?
Which one of the following stakeholders is not typically included on a BC planning team?
Ben is designing a messaging system for a bank and would like to incldue a feature that allows the recipent of a message to prove to a 3rd party that the message did indeed come from the purported originator. What goal is Ben trying to achieve?
What principle of information security state that an organization should implement overlapping security controls wheever possible?
Defense in Depth (DiD) states that security controls should overlap to prevent a single point of failure for the control
Which one of the following is not a goal of a formal change management program?
Inform stakeholders of changes after they occur
Ben is responsibile for the security of payment card information stored in a database. Policy directs that he remove the information from the database, but he cannot do this for operational reasons. He obtained an exception to policy and is seeking an appropriate compensating control to mitigate the risk. What would be his best option?
Encrypting the database contents
The Domer Industries risk assessment team recently conducted a qualitative risk assessment and developed a matrix similar to the one shown below. Which quadrant contains the risks that require the most immediate attention?
Quadrant 1: High probability of occuring and high impact on the organization
Tom is planning to terminate an employee this afternoon for fraud and expect that the meeting will be somewhat hostile. He is corrodinating the meeting with Human Resources and wants to protect the company against damage. Which one of the following steps is most important to coordinate in time with termination meeting?
Revocation of electronic access rights
Rolando is a risk manager with a large scale enterprise. The firm recently evaluated the risk of California mudslides on its operations in the region and determined that the cost of responding outweighed the beneifts of any controls it could implement. The company chose to take no action at this time. What risk management strategy did Rolando's organization pursue?
Helen is the owner of a website that provides information for middle and high school student preparing for exams. She is concerned that the activities of her site may fall under the jurisdiction of the Children On Line Privacy Protection Act. What is the cutoff age below which parents must give consent in advance of the collection of personal information from their children under COPPA?
COPPA requires parental consent of children's personal information under the age of 13
Tom is considering locating a business in the downtown area of Miami, FL. He consults the FEMA flood plain map for the region, shown below and determines that the area he is considering lies within a 100-year flood plain. What is the ARO of a flood in this area?
ARO = #of occurrence
year(s) ex. 1
100yrs = 0.01
You discover that a user on your network has been using the Wireshark tool. Further investigation revealed that he was using it for illicit purposes. What pillar of information security has most likely been violated?
Alan is performing threat modeling and decides that it would be useful to decompose the system into the key elements. What tool is he using?
Reduction analysis, broken down into five key elements: trust boundaries, data flow paths, input points, privileged operations and details about security controls
What law governs the handling of information related to the finacnial statements of publicly traded companies?
Sarbanes-Oxley Act (SOX)
Craig is slecting the site for a new data center and must choose a location somewhere within the US. He obtained the earthquake risk map below from the US Geological survey. Which of the following would be the safest locatio to build his facility if he were primarily concerned with earthquake risk?
Florida, only state not shaded to include a serious risk of a major earthquake
Which one of the following tools is most often used for identification purposes and is not suitabile for use as an authenticator?
Which type of BIA tool is most approapriate when attempting to evaluate the impact of a failure on customer confidence?
Qualitative tools. Use to determine the impact of intangible factors: customer confidence, employee morale, and reputation
Which one of the following is the first step in developing an organization's vital records program?
Identifying vital records
Which one of the following security programs is designed to provide employees with the knowldege they need to perform their specific work tasks?
Which one of the following security programs is designed to estabilsh a minimum standard common denominator of security understatnding?
Awareness establishes a minimum standard of information security understanding.
Ryan is a security risk analyst for an insurance company. He is currently examining a scenario in which a hacker might use a SQL injection attack to deface a web server due to amissing pactch in the company's web application. In this scenario, what is the threat?
Hacker is the threat. The unpatched server (vulnerability), the act of attacking the web server (risk)
Henry is the risk manageer for Atwood Landing, a resort community in the Midwestern US. The resort's main data cetner is located in northern Indiana in an area that is prone to tornados. Henry recently undertook a replacement cost analysis and dtermined that rebuilding and reconfiguring the data center would cost $10 million. Henry consulted with torado experts, data center specialists, and structural engineers. Together, they determined that a typical tornado would cause approximately $5 million of damage to the facility. The meteorologists determined that Atwood's facility lies in an area where they are likely to experience a tornado once every 200 years. Based upon the information in the scenario, what is the expourse factor for the effect of a tornado on Atwood Landing data center?
50% Amount of damage / Asset value Ex. 5M/10M = 50%
Henry is the risk manageer for Atwood Landing, a resort community in the Midwestern US. The resort's main data cetner is located in northern Indiana in an area that is prone to tornados. Henry recently undertook a replacement cost analysis and dtermined that rebuilding and reconfiguring the data center would cost $10 million. Henry consulted with torado experts, data center specialists, and structural engineers. Together, they determined that a typical tornado would cause approximately $5 million of damage to the facility. The meteorologists determined that Atwood's facility lies in an area where they are likely to experience a tornado once every 200 years. Based upon the information in the scenario, what is the annualized rate of occurrrence for a tornado at Atwood Landing's data center?
1/200 = 0.005
Henry is the risk manageer for Atwood Landing, a resort community in the Midwestern US. The resort's main data cetner is located in northern Indiana in an area that is prone to tornados. Henry recently undertook a replacement cost analysis and dtermined that rebuilding and reconfiguring the data center would cost $10 million. Henry consulted with torado experts, data center specialists, and structural engineers. Together, they determined that a typical tornado would cause approximately $5 million of damage to the facility. The meteorologists determined that Atwood's facility lies in an area where they are likely to experience a tornado once every 200 years. Based upon the information in the scenario, what is the annualized loss of expectancy for a tornado on Atwood Landing data center?
ALE = SLE
ARO Ex. (ALE = 5,000,000
0.005 = $25,000)
John is analyzing an attack against his company in which the attacker found comments embedded in HTML code that provided the clues needed to exploit a software vulnerability. Using the STRIDE model, what type of attack did he uncover?
Information disclosure. Rely on revelation of private, confidential or controlled information.
Which one of the following is an administrative control that can protect the confidentiality of information?
Angela is an information security architect at at bank and has been assigned to ensure that transactions are secure as they traverse the network. She recommends that all tranactions us TLS. What threat is she most likely attempting to stop, and what method is she using to protect against it?
COBIT, Control Objectives for Information and Related Technology, is a framework for IT management and governance. Which data management role is most likely to select and apply COBIT to balance the need for security controls against business requirements?
Business owners have to balance the need to provide value with regulatory, security, and other requirements
What term is used to secribe a starting point for a minimum security standard?
A baseline is used to ensure minimum security standard.
Whaen media is labeled based on the classification of the data it contains, what rule is typically applied regarding labels?
Media is typically labeled with the highest classification level of data it contains.
The need to protect sensitive data drives what administrative process?
Information process . allows organizations to focus on data that needs to be protected.
How can data retention policy help reduce liabilities?
ensures outdated data is purged, removing potential additional costs for discovery.
Staff in an IT department who are delegated responsibility for day-to-day tasks hold what data role?
Data custodians are delegated the role of handling day-to-day tasks by managing overseeing how data is handled, stored and protected.
Susan works for an American company that conducts business with customrers in the EU. What is she likely to have to do if she is respoonsible for handling PII from those customers?
Comply with Safe Harbor US-EU requirements
Benn has been tasked with identifying security controls for systems covered by his orgaization's information classification system. Why migh Ben choose to use a security baseline?
Provide a good starting point to scope and tailor security controls towards organization's needs
What term in used to describe overwriting media to allow for its resue in an environment operating at the same sensitvity level?
Clearing preprares media for reuse.
Which of the following classification levels is the US government's classification label for data that could cause damage but wouldn't cause seriou ro grave damage?
What issue is common to spare sectors and bad sectors on hard drives as well as overprovisioned space on modern SSDs?
They may not be cleared, resulting in data remanence
What term describes data that remains after attempts have been made to remove the data?
Your organization regularly handaled three types of data: information that is shares with customers, informaton that is used internally to conduct business, and trade secret information that offers the organization significant competitive advantages. Information shared with custoemrs is used and stored on web servers, while both the internal business data and trade secret information are stored on internal file servers and employee workstations. What civilian data classifications best fit this data?
public (information shared w/customers), sensitive, proprietary
Your organization regularly handaled three types of data: information that is shares with customers, informaton that is used internally to conduct business, and trade secret information that offers the organization significant competitive advantages. Information shared with custoemrs is used and stored on web servers, while both the internal business data and trade secret information are stored on internal file servers and employee workstations. What technique could you use to mark your trade secret information in case it was relaeased or stolen and you need to identify it?
A watermark. Used to digitally id and indicate ownership.
Your organization regularly handaled three types of data: information that is shares with customers, informaton that is used internally to conduct business, and trade secret information that offers the organization significant competitive advantages. Information shared with custoemrs is used and stored on web servers, while both the internal business data and trade secret information are stored on internal file servers and employee workstations. What type of encryption should you use on the file servers for the proprietary data, and how might you secure the data when it is in motion?
TLS (used for protecting data in transit)
What does labeling data allow a DLP system to do?
Allows for appropriate application of controls to the data
What is it cost effective to purchase high-quality media to contain sensitive data?
The value of the data often far exceeds the cost of the media.
Chris is responsible for workstations throughout his company and knows that some of the company's workstations are used to handle proprietary information. Which option best describes what should happen at the end of their lifecycle for workstations he is responsibile for?
Which is the proper order from least to most sensitive for US government classifications?
Confidential, Secret, Top Secret
What scenario describes data at rest?
Inactive data that is physically stored
If you selecting a security standard for a Windows 10 system that processes credit cards, what security standard is your best choice?
PCI DSS, Payment Card Industry Data Security Standard, provides the set of requirements for credit card processing systems
The Center for Internet Security (CIS) works with subject matter experts from a variety of industries to create lists of security controls for operating systems, mobile devices, server software, and network devices. Your organization has decided to use the CIS benchmarks for your systems. The CIS benchmarks are an example of what practice?
CIS benchmarks are an example of a security baseline
The Center for Internet Security (CIS) works with subject matter experts from a variety of industries to create lists of security controls for operating systems, mobile devices, server software, and network devices. Your organization has decided to use the CIS benchmarks for your systems. Adjusting the CIS benchmarks to your organizations' mission and your specific IT systems would involve what two processes?
Scoping (selecting appropriate controls for your IT systems) and Tailoring (matches org's mission and controls from selected baseline)
The Center for Internet Security (CIS) works with subject matter experts from a variety of industries to create lists of security controls for operating systems, mobile devices, server software, and network devices. Your organization has decided to use the CIS benchmarks for your systems. How should you determine what controls from the baseline give system or software package should receive?
Select based o the data classification of the data it stores or handles
What problem with FTP and Telnet makes using SFTP and SSH better alternatives?
FTP and Telnet do not encrypt data
The government defense contractor that Saria works for has recently shut down a major research project and is planning on reusing the hundreds of thousands of dollars of systems and data storage tapes used for the project for other purposes. When Sari reviews teh company's internal processes, she finds that she can't reuse the tapes and that the manual says thaey should be destroyed. Whay isn't Saria allowed to deauss and then reuse the tapes to save her employer money?
Data remanence is a concern
Information maintained about an individual that can be used to distinguish or trace their idenitity is known as what type of information?
Personally Identifiable information
What is the primary information security risk to data at rest?
Full disk encryption like Microsoft's Bit Locker is used to protect data in what state?
Data at rest
Sue's employer has aked her to use an IPsec VPN to connect to its network. When Sue connects, what does the IPsec VPN allow her to do?
Create a private encrypted network carried via a public network and act like she is on her employer's internal network.
What is the primary purpose of data classification?
Identifies value of data to an organization
Fred's organization allows downgrading of systems for resue after projects have been finished and the systems have been purged. What concern should Fred raise about the resue of the systems from his Top Secret classified project for a future project classified as Secret?
The cost of sanitization may exceed the cost of new equipment
Which of the following concerns should not be part of the decision when classifying data?
The cost to classify the data
Which of the following is the least effective method of removing data from media?
Safe Harbor is part of a US program to meet what EU law?
US Dept of Commerce
The healthcare company that Lauren works for handles HIPAA data as well as internal business data, protected health information, and day-to-day business communications. Its internal policy uses the following requirements for securing HIPAA data at rest and in transit. Using the table, answer the following questions. What type of encryption would be appropriate for HIPAA documents in transit?
TLS (protects data in transit)
The healthcare company that Lauren works for handles HIPAA data as well as internal business data, protected health information, and day-to-day business communications. Its internal policy uses the following requirements for securing HIPAA data at rest and in transit. Using the table, answer the following questions. Lauren's employer asks Lauren to classify patient X-ray data that has an internal patient identifier associated with it but does not have any way to directly identify a patient. The company's data owner believes that exposure of the data could cause damage (but not exceptional damage) to the organization. How should Lauren classify the data?
The healthcare company that Lauren works for handles HIPAA data as well as internal business data, protected health information, and day-to-day business communications. Its internal policy uses the following requirements for securing HIPAA data at rest and in transit. Using the table, answer the following questions. What technology could Lauren's employer implement to help prevent confidential data from being emailed out of the organization?
A DLP system or software. designed to id labeled data or data the fits specific criteria
A US government database contains Secret, Confidential, and Top Secret data. How should it be classified?
Top Secret. Highest level of classification of the mixed data.
What tool is used to prevent employees who leave from sharing proprietary information with their new employers?
A non-disclosure agreement (NDA)
What encryption algorithm is used by both BitLocker and Microsoft's Encrypting File System?
Advanced Encryption Standard (AES)
Chris is responsible for his organization's security standards and has guided the selection and implementation of a security baseline for Windows PCs in his organization. How can Chris most effectively make sure that the workstations he is responsibile for are being checked for compliance and that settings are being applied as necessary?
Using Microsoft Group Policy
What term is used to describe a set of common security configurations, often provided by a 3rd party?
What type of policy dsecribes how long data is retained and maintained before destruction?
Record retention. describe how long an org should retain data and specify when destruction should occur
Which attack helped drive vendors to move away from SSL toward TLS-only by default?
POODLE (Padding Oracle On Downgraded Legacy Encryption). Allowed attackers to easily access SSL encrypted msgs
What security measure can provide an addtional security control in the event that backup tapes are stolen or lost?
Using AES256 encryption.
Joe works at a major pharaceutical research and development company and has been taasked with writing his organization's data retention policy. As part of its legal requirements, the organizations must comply with US FDA Code of Federal Regulations Title 21. To do so, it is required to retain records with electronic signatures. Why would a signature be part of a retention requirement?
It validates who approved the data
What protocol is preferred over Telnet for remove server administration via command line?
What method uses a strong magnetic field to erase media?
Degaussing, uses strong magnetic fields to erase data
What primary issue does personnel retention deal with?
Deals with knowledge gained during employment
Alex works for a government agency that is required to meet US Federal governement requirements for data security. To meet these requirements, Alex has been tasked with making sure data is identifiable by its classification level. What should Alex do to the data?
Label the data
Ben is following the NIST SP 800-88 guidelines for sanitization and disposition as shown in the following diagram. He is handling information that his organization classified as sensitive, which is a moderate security categorization in the NIST model. If the media is going to be sold as surplus, what process does Ben need to follow?
Purge, validate and document (NIST 800-88)
What methods are often used to protect data in transit?
TLS, VPN, IPSec
Which data role is described as the person who has ultimate organizational responsibility for data?
Data Owners (CEO, etc)
What US government agency oversees compliance with the Safe Harbor framework for organizations wishing to use the personal data of EU citizens?
The Dept. of Commerce
If Chris is one of the data owners for the organization, what steps in this process is he most likely responsibile for?
Chris is most likely responsible for steps 3(data is classified), 4(Required controls for each classification), 5 (Baseline security stds are selected for org)
Chris manages a team of system administrators. What data role are they fulfilling if they conduct steps 6, 7, and 8 of the classification process?
They are administrators and custodians. Steps 6-8 are all roles for sysadmin/custodians
If Chris' complay operates in the EU and has been contracted to handle the data for a 3rd party, what role is his company operating in when it uses this process to classify and handle data?
Data processors (handling of data, being contracted by a company)
Which of the following is not a part of the EU Data Protection principles?
Reason. Notice, Choice, Onward Transfer, Security, Data Integrity, Access and Enforcement are the correct choices
Ben's company, which is based in the EU, hires a 3rd party organization that processes data for it. Who has responsibility to protect the privacy of the data and ensure that is not used for anyting other than its intended purpose?
The 3rd party data processor is responsible. In accordance to EU DPD.
Major Hunter, a member of the US aremed forces, has been entrusted with information that, if exosed, could cause serious damage to national security. Under the US govt. classification standards, who should this data be classifed?
When a computer is removed from service and dispoed of, the process that ensures that all storage media has been removed or destroyed is known as what?
Sanitization, combination of processes used to remove data from a system or media
Linux systems that use bcrypt are using a tool based on what DES alternative encryption scheme?
bcrypt is based on Blowfish algotrithm.
Susan works in an organization that lables all removable media with the classifcation level of the data it contains, included public data. WHy would Susan's employer label all media instead of labeling only the media that contains data that could cause harm if it was exposed?
It prevents reuse of public media for senstive data
Data stored in RAM is best characterized as what type of data?
Data in use. Data stored in memory is referred to this or ephermal data (temporary storage, ie. RAM)
What issue is the validation portion of the NIST SP 800-88 sample certificate of sanitization intended to help prevent?
Data remanence. Ensures that device was properly sanitized.
Why is declassification rarely chosen as an option for media reuse?
It is more expensive that new media and still may fail.
NISP SP 800-60 provides a process shown in the following diagram to assess information systesm. What process does this diagram show?
Categorizing and selecting controls
Which letters should be associated with data at rest?
A & E.
What would be the best wasy to secure data at points B, D and F?
What is the best way to secure files that are sent from workstation A via the Internet service (C) to remote server E?
Encrypt the data files and send them.
Incineration, crushing, shredding and disintegration all describe what stage in the life cycle of media?
Destruction. Final stage of life cycle media
The EU Data Protection Directive's seven principles do not include which of the following key elements?
Data retention time periods.
Why might an organization use unique screen backgrounds or designs on workstations that deal with data of different classification levels?
Indicate classification level of data or system. Visual indicators assists with identification classification
Charles has been asked to downgrade the media used for storage of private data for his organization. What process should Charles follow?
Follow the ogranization's purgining process, and then downgrade and replace labels
Which of the following tasks are not performed by a system owner per NIST SP 800-18?
Established rules for appropriated use and protection of data. Data owner set rules and protection.
Susan needs to provide a set of minimum security requirements for email. What steps should she recommend for her organization to ensure that the email remains secure?
Sensitive email should be encrypted and labeled
What term describes the process of reviewing baseline security controls and selecting only the controls that are appropriate for the IT system you are trying to protect?
Scoping. Occurs when you match baseline controls to IT system you want to secure.
What data role does a system that is used to process data have?
Which of the following will be superceded in 2018 by the EU General Data Protection Regulation?
The EU Data Protection Directive
What type of health information is the Heath Information Portability and Accountability Act required to protect?
PHI-Protected Health Information
What encryption algorithm would provide strong protection for data stored on a USB thumb drive?
AES, appropriate for use with data at rest.
Lauren's multinational compnay wants to ensure compliance with the EU Data Protection Directive. If she allows data to be used against the requirements of teh notice principle and against what users slected in the choice principle, what principle has her organization violated?
Data Integrity. reliability of data and data used for its intended purpose.
What is the best method to sanitize a solid-state drive (SSD)?
Disintegration. The NSA recommended way to destroy SSDs.
What data role will own responsibility for step 1, the categorization of information system, to whom will they delegate step 2, and what data role will be responsible for step 3?
Data owners, System owners, custodians
If the systems that are being assessed all handle credit card informatin (and no other sensitive data), at what step would the PCI DSS first play an important role?
What data security role is primarily responsible for step 5?
Susan's organization peforms a zero fill on hard drives before they are sent to a 3rd party organization to be shredded. What issue is her oganization attempting to avoid?
Mishandling of drives by 3rd party
Embedded data used to help identify the owner of a file is an example of what type of label?
Retaining and maintaining information for as long as it is needed is known as what?
Which of the following activities is not a consideration during data classification?
How much the data cost to create
What type of encryption is typically used for data at rest?
Symmetric encryption. AES is an example
Which data role is tasked with granting appropriate access to staff members?
Which California law requires conspicously posted privacy policies on commerical websites that collect the personal information of California residents?
California Online Privacy Protection Act (COPPA)
Fred is preparing to send backup tapes off site to a secure 3rd party storage facility. What steps should Fred take before sending the tapes to that facility?
Ensure that the tapes are handled the same way the orginal media would be handled based on their classification
Which of the following does not describe data in motion?
Data on a backup tape that is being shipped to a storage facility
A new law is passed that would result in significant financial harm to your company if the data that it covers was stolen or inadvertently released. What should your organization do about this?
Review its data classifications and classify the data appropriately
Ed has been asked to send data that his organization classifies as confidential and proprietary via email. What encryption technology would be appropriate to ensure that the contenst of the files attasched to the email remain condiedential as they traverse the Internet?
PGP-Pretty Good Privacy. Provides strong encryption of files, which can be sent via email.
Which mapping correctly matches data classifications between nongovernment and government classification schemes?
Top Secret -Confidential/Proprietary Secret-Private Confidential-Sensitive
Matthew is the security administrator for a consulting firm and must enforce access controls that restrict users' access based upon their prvious activity. For example once a consultant accesses data belonging to Acme Cola, a consulting client, they may no longer access data belonging to any of Acme' competitors. What security model best fits Matthew's needs?
Brewer-Nash. Allows access controls to change dynamically based upon a user's actions. Chinese wall between data belonging to different clients
Referring to the figure shown below, what is the earliest stage of a fire where it is possible to use detection technology to identify it?
Incipent stage. Air ionization occur, a specialized incipent fire detection system can identify and provide a alert
Ralph is designing a physical security infrastructure for a new computing facility that will remain largely unstaffed. He plans to implement motion detectors in the facility but would also like to include a secondary verification control for physical presence. Which one of the following would best meet his needs?
Closed circuit television (CCTV). Can be a secondary physical verification mechanism
Harry would like to retrieve a lost encryption key from a database that uses m of n control with m=4 and n=8. What is minimum number of escrow agents required to retrieve the key?
4. m and n control system, at least m of n possible escrow agents must collaborate to retrieve an encryption key from the escrow database
Fran's company is considering purchasing a web-baed email service from a vendor and eliminating its own email server environment as a cost-saving measure. What type of cloud computing environment is Fran's company considering?
SaaS (Software as a Service)
Bob is security administrator with the federal government and wishes to choose a digital signature approach that is an approved part of the federal Digital Signature Standard under FIPS 186-4. Which one of the following encryption algorithms is not an acceptable choice for use in digital signatures?
HAVAL. This is a hash function
Harry would like to access a document owned by Sally and stored on a file server. Applying the subject/object model to this scenario, who or what is the subject of the resource request?
Harry. subject/object access control model the user or process making the request for a resource is the subject.
Michael is responsible for forensic investigations, and is investigating a medium serverity secuirty incident that involved the defacement of a corportate website. The web server in question ran on a virtualization platform, and the marketing team would like to get the website up and running as quickly as possible. What would be the most reasonable next step for Michael to take?
Take the virtualization platform offline as evidence. (Take a snapshot to use for investigation and put back online ASAP to resume or meet business needs)
Helen is a software engineer and is developing code that she would like to restrict to running within an isolated sandbox for security purposes. What software development technique is Helen using?
Confinement. system restricts access of a particular access to limit its affect on other processes within the same system
What concept describes the degree of confidence that an organization has that its controls satisfy security requirements?
Assurance. the degree of confidence and org has in its security controls are correctly implemented and verified.
What type of security vulnerability are developers most likely to introduces into code when they seek to facilitate their own access, for testing purposes, to software they developed?
Maintenance hooks (backdoors) provide developers with easy access to a system, bypassing normal security controls (system)
In the figure shown below, Sally is blocked from reading the file duet to the Biba integerity model. Sally has a Secret security clearance and the file has a Condifential classification. What principle of the Bibal model is being enforced?
Simple Integrity Property states that an individual may not read a file classifed a lower security level than the individual's security clearance.
Tom is responsibile for maintaining the security of systems used to control industrial processes located within a power plant. What term is used to describe these systems?
SCADA (Supervisory control and data acquistion) systems are used to control and gather data from industrial processes.
Sonia recently removed an encrypted hard drive froma laptop and moved it to a new device because of hardware failure. She is having difficulty accessing encrypted content on the drive despite the fact that she knows the user's password. What hardware security feature is likely causing this problem?
Trusted Platform Module (TPM). Stored encryption key on a chip on the motherboard and prevents someone from accessing an encrypted key by installing it on another computer
Marcy would like to continue using some old DES encryption equipment to avoid throwing it away. She understands that running DES mulitiple times improves the security of the algorithm. What is the minimum number of times she must rn DES on the same data to achieve security that is cryptographically strong by modern standards?
3 . this is known a Triple DES or 3DES. DES must also be run using two different keys for additional security
Alice and Bob would like to use an asymmetric cryptosystem to communicate with each other. They are located in different parts of the country but have exchanged encryption keys by using digital certificates signed by a mutually trusted certificate authority. If Alice wishes to send Bob an encrypted message, what key does she use to encrypt the message?
Bob's public key. Asymmetric encryption: sender always encrypts the message using the recipient's public key
Alice and Bob would like to use an asymmetric cryptosystem to communicate with each other. They are located in different parts of the country but have exchanged encryption keys by using digital certificates signed by a mutually trusted certificate authority.When Bob receives the encrypted message from Alice, what key does he use to decrypt the message?
Bob's private key. Recipient uses their private key to decrypt (Asymmetric encryption)
Alice and Bob would like to use an asymmetric cryptosystem to communicate with each other. They are located in different parts of the country but have exchanged encryption keys by using digital certificates signed by a mutually trusted certificate authority. Which one of the following keys would Bob not possess in this scenario?
Alice's private key. Sender/Recipient retains private key as secret info (Asymmetric encryption)
Alice and Bob would like to use an asymmetric cryptosystem to communicate with each other. They are located in different parts of the country but have exchanged encryption keys by using digital certificates signed by a mutually trusted certificate authority. Alice would also like to digitally sign the message that she sends to Bob. What key should she use to create the digital signature?
Alice's private key. Recipient will be able to decrypt using sender's public key (Asymmetric encryption)
What name is given to the random value added to a password in an attempt to defeat rainbow table attacks?
Salt. random value added to a password before it's hashed, adding complexity
Which one of the following is not an attribute of a hashing algorithm?
What type of fire suppression system fills with water when the initial stages of a fire are detected and then requires a sprinkler head heat activation before dispensing water?
Preaction fire supression system. Water fills the pipes, water is dispensed only when heat sensors (om sprinkers) are triggered
Susan would like to configre IPSec in a manner that provides confidentiality for the content of packets. What component of IPSec provides this capability?
Encapsulating Security Payload (ESP) protocol. Provides confidentiality and integrity, encrypts packet payloads, limited authentication and protection against replay attacks
Which one of the following cryptographic goals protects againist the risks posed when a device is lost or stolen?
What logical operation is described by the truth table below?
XOR (Exclusive operation). 1|0 = 1
How many bits of keying material does the Data Encryption Standard used for encrypting information?
In the figure shown below, Harry's request to write to the data file blocked. Harry has a Secret security clearance and the data file has a Confidential classification. What principle of the Bell -LaPadula model blocked this request?
*-Security Property. ind may not write to a file at a lower classification than that of the ind. confinement property
Florian and Tobias would like to begin communicating using a symmetric cryptosystem but they have no prearranged secret and are not able to meet in person to exchange keys. What algorithm can they use to securely exchange the secret key?
Diffle-Hellman (DH). Used to exchange symmetric keys over public network
Under the Common Criteria, what element describes the security requirements for a product?
PP (Protection Profiles) specify the security requirements and protections that must be in place for a product to be accepted under the Common Criteria
Which one of the following is not one of the basic requirements for a cryptographic hash function?
The function must work on fixed length input. Hash functions= must work on any variable length input
How many possible keys exist for a cipher that uses a key containing 5 bits?
What cryptographic principle stands behind the idea that cryptographic algorithms should be open to public inspection?
Kerchoff principle. cryptographic system should be secure even if everything about it (except key) is public knowledge
Referring to the figure shown below, what is the name of the security control indicated by the arrow?
Mantraps. prevents piggybacking
Which one of the following does not describe a standard physical security requirement for wiring closets?
Place only in areas monitored by security guards
In the figure shown below, Sally is blocked from reading the file due to the Biba integerity model. Sally has a Secret security clearance and the file is classified Top Secret. What principle is preventing her from writing to the file?
*-Integrity Property. A subject can't modify an object in a higher security level than possesed by the subject
Which one of the following security controls is least often required in Bring Your Own Device (BYOD) environments?
What is the minimum number of independent parties necessary to implement the Fair Cryptosystems approach to key escrow?
2. Fair Cryptosystem key escrow = secret key used in communications are divided into two or more pieces, each given to a independent 3rd party
In what state does a processor's scheduler place a process when it is prepared to execute but the CPU is not currently available?
Ready state. Used when a process is prepared but CPU is not available
Alan is reviewing a system that has been assigned the EAL1 evaluation assurance level under the Common Criteria. What is the degree assurance that he may have about the system?
It has been functionally tested. (Lowest level of assurance under Common Criteria)
Which one of the following components is used assign classifications to objects in a mandatory access control system?
What type of software program exposes the code anyone who wishes to inspect it?
Open source software
Adam recently configured permissions on an NTFS filesystem to describe the access that different users may have to a file by listing each user individually. What did Adam create?
An access control list
Betty is concerned about the use of buffer overflow attackes against a custom application developed for use in her organization. What security control would provide the strongest defense against these attacks?
Parameter checking (input validation). Ensures imput provided by users matches the app's expected parameters for the app.
Which one of the following terms is not used to describe a privileged mode system operation?
James is working with a DoD system that is authorized to simultaneously handle information classified at the Secret and Top Secret levels. What type of system is he using?
Multistate system. used to maintain data segregation between different security classifications
Kyle is being granted access to a military computer system that uses System High mode. What is not true about Kyle's security clearance requirements?
Kyle must have a valid need to know for all information processed by the system.
Gary intercepts a communication between two individuals and suspects that they are exchanging secret messages. The content of the communication appears to be the image shown below. What type of technique may the individuals use to hide messages inside this image?
Which one of the following terms accurately describes the Caesar cipher?
In the ring protection model shown below, what ring contains the operating systems's kernel?
In an IaaS enivronment where a vendor supplies a customer with access to storage services, who is normally responsible for removing sensitive data from drives that are taken out of service?
Vendor. (customer's responsibility to validate vendor's sanitization procedures)
Which one of the following is an example of a code, not a cipher?
"One if by land, two if by sea"
Which one of the following systems assurance processes provides an independent third-party evaluation of a system's controls that may be trusted by many different organizations?
Verification. similar to certification (system validation) but uses 3rd party testing
Process ________ ensures that any behavior will affect only the memory and resources associated with a process.
Harold is assessing the susceptibility of his environment to hardware failures and would like to identify the expected lifetime of a piece of hardware. What measure should he use for this?
Mean time to failure (MTTF)
What type of fire extinguisher is useful only against common combustibles?
Class A-combustible (Class B-liquid, Class C-gases, Class D-metals)
Gary is concerned about applying consistent security setting to the many mobile devices used throughout his organization. What techology would best assist with this challenge?
Mobile Device Management (MDM), provides a centralized interface from applying security configuration setting to mobile devices
Alice sent a message to Bob. Bob would like to demonstrate to Charlie that the message he received definitely came from Alice. What goal of cryptography is Bob attempting to achieve?
Nonrepudiation-demostrating to a 3rd party msg came from purported member
Rhonda is considering the use of new id cards for physical access control in her organization. She comes across a military system that uses the card shown below. What type of card is this?
Smart Card Ex. Common Access Card, smart chip embedded
Gordon is concerned about the possibility that hackers may be able to use the Van Eck radiation phenonmenon to remotely read the contents of computer monitors in his facility. What technology would protect against this type of attack?
In the diagram shown below of security boundaries with a computer system, what component's name has been replaced with XXX?
Trusted Computing Base (TCB)
Sherry, conducted an inventory of the cryptographic technologies in use within her organization and found the following algorithms and protocols in use. Which one of these technologies shold she replace because it is no longer considered secure?
MD5, has known collisions no longer consider secure for modern environments (2005)
What action can you take to prevent accidental data disclosure due to wear leveling on an SSD device before resusing the drive?
Tom is cryptanalyst and is working on breaking a cryptographic algorithm's secret key. He has a copy of an intercepted message that is encrupted and he also has a copy of the decrypted version of that message. He wants to use both the encrypted message and its decrypted plaintext to retrieve the secret key for use in decrupting other messages. What type of attack is Tom engaging in?
A hacker recently violated the integrity of data in James' company by modifying a file using a presie timing attack. The attacker waited until James verifited the integrity of a file's contents using a hash value and then modified the file between the time that James verified the integrity and read the content of the file. What type of attack took place?
Time of Check/Time of Use (TOCTOU), expoits difference in time between security control verification and use of protected data.
What standard governs the create and validation of digital certificates for use in a public key infrastructure?
What is the minimum fense height that makes a fence difficult to climb easily, deterring most intruders?
Johnson Widgets strictly limits access to total sales volume information, classifying it as a competitive secret. However, shipping clerks have unrestricted access to order records to facilitate transaction completion. A shipping clerk recently pulled all of the individual sales records for a quarter and totaled them up to determine the total sales volume. What type of attack occurred?
Aggregation, pieces together small bits of info to create the bigger picture (data exploitation)
What physical security control broadcasts false emanations constantly to mask the presence of true electronmagnetic emanations from computing equipment?
White noise. Active control "jams" true emanations from electronic equipment
In a SaaS cloud computing environment, who is normally responsible for ensuring that appropriate firewall controls are in place ?
Alice has read permissions on an object and she would like Bob to have those sames rights. Which one of the rules in the Take-Grant protecton model would allow her to complete this operation?
Grant rule. grants rights it possesses on an object to another subject.
In what type of attack does the attacker replace the legitimate BIOS on a computer with a malicious alternative that allow them to take control of the system?
Phlashing. malcious BIOS that grants attacker some level of access to system
Which one of the following computing models allowas the execution of multiple concurrent tasks within a single process?
Alan intercepts an encrypted message and wants to determine what type of algorithm was used to create the message. He first performs a frequency analysis and notes that the frequency of letters in the message closely matches the distribution of letters in the English language. What type of cipher was most likely used to create this message?
The Double DES (2DES) was never used as a viable alternative to the original DES algorithm. What attack is 2DES vulnerable to that does not exist for the DES or 3DES approach?
Meet in the middle attack. Uses both plaintext msg and both encryption of plaintext and decryption of ciphertext simultaneously (brute force mannerism) to id the encryption key.
Grace would like to implement application control technolodgy in her organization. Users often need to install new application for research and testing purposes, and she does not want to interfer with that process. At the same time, she wold like to block the use of known malicious software. What type of application control would be appropriate in this situation?
Warren is dsignening a physical intrusion detection system for his data center and wants to include technology that issues an alret if the communcation lines for the alarm system are unexpectedly cut. What technology would meet this requirement?
Heartbeat sensors. Send periodic msg to monitor system from alarm system. Alarm triggers if msg isn't received for defined period of time
John and Gary are negotiating a business transation and John must demonstrate to Gary that he has access to a system. He engage in a electronic version of the "magic door" scenario shown below. What technique is John using?
zero-knowledge proof. individual demostrates they can achieve a result that requires sensitive info w/o disclosing sensitive info.
Raj is selecting an encryption algortithm for use in his organization and would like to be able to vary the strength of the encryption with the sensitivity of the information. Which of the the following algorithms allows the use of different key strengths?
Blowfish. key length between 32 and 448bits
Referring to the fire triangle shown below, which one of the following suppresion materials attacks a fire by removing the fuel source?
Howard is choosing a cryptographic algorithm for his organization and he would like to choose an algorithm that supports the creation of digital signatures. Which one of the following algorithms would meet his requirement?
Laura is responsible for securing her company's web-based applications and wishes to conduct and educational program for developes on common web application security vulnerabilities. Where can she turn for a concise listing of the most common web application issues?
Open Web Application Security Project (OWASP). Produces an annual list of top ten web app security issues.
The Bell-La Paudla and Biba models implement state machines in a fashion that uses what specific state machine model?
Information flow. Bell-LaPadula (confidentiality) Biba (Integrity)
The _______ of a process consist(s) of the limit is set on memory addresses and resources that the process may access.
What type of motion detector senses changes in the electromagnetic fields in monitored areas?
Capacitance motion detectors.
Which one of the following fire suppression systems uses a supressant that is no longer manufactured due to environmental concerns?
Halon (uses CFC)
Which of the following statements is correct about the Biba model of access control?
It focuses on protecting objects from external threats (Integrity)
In TLS, what type of key is used to encrypt the actual content of communications between a web server and a client?
ephemeral session key.
Beth would like to include technology in a secure area of her data center to protect against unwanted electromagnetic emanations. What technology would assist her with this goal?
In a virutalized computing enviroment, what compent is responsible for enforcing separation between gues machines?
Rick is an application developer who works primarily in Python. He recently decided to evaluate a new service wher he provides his Python code to a vendor who then executes it on their server environment. What type of cloud computing environment is this service?
PaaS (Platform as a Service)
A software company developed two systems that share information. Saystem A provides information to the input of System B, which then reciprocates by providiing information back to System A as input. What type of compostion theory best describes this practice?
Feedback. One system provides input for 2nd system and 2nd system provides input for the 1st. (Cascading modeling)
Tommy is planning to implement a pwoer conditioning UPS for a rack of servers in his data center. Which one of the following conditions will the UPS be unable to protect against if it persists for more than a few minutes?
Whic on of the following humidity values is within the acceptable range for a data center operation?
Chris is designing a cryptographic system for use within his company. The company has 1,000 employees, and they plan to use an asymmetric encryption system. How many total keys will they need?
What term is used to describe the formal declaration by a designated approving authority (DAA) that an IT system is approved to operation in a specific environment?
Object-oriented programming languages use a black box approach to development, where users of an object do not neccessarily need to know the object's implementation details. What term is used to describe this concept?
Todd wants to add a certificate to a certiciation revoacation list. What element of the certificate goes on the list?
Serial number. SN of digital certs go on the CRL
Alison is examining a digitial certiciate presented to her by her bank's website. Which one of the following requirements is not neccessary for her to trust the digital certificate?
She knows the server belongs to the bank.
Which one of the following is an example of a covert timing channel when used to exfiltrate information from an organization?
Typing with the rhythm of Morse code
Which one of the following would be reasonable application for the use of self signed digital certificates?
Internal scheduling application. Self signed certs should only be used for this type of action.
What important factor listed below differentiates Frame Relay from X.25?
Frame Relay supports multiple PVCs over a single WAN carrier connection
During a security assessment of a wireless network, Jim discovers that LEAP is in use on a network using WPA. What recommendation should Jim make?
Use an alternative protocl like PEAP or EAP-TLS and implemnt WPA2 in supported.
Ben has connected his laptop to his tablet PC using an 802.11g connection. What wireless network mode has he used to connect these devices?
Ad hoc mode
Lauren's and Nick's PCs simultaneously send traffic by transmitting at the same time. What network term describes the range of systems on a network that could be affected by this same issue?
Sarah is manually reviewing a packet capture of TCP traffic and finds that a system is setting the RST flag in the TCP packets it sends repeatedly during a short period of time. What does this flag mean in the TCP packet header?
RST mean "Reset". The TCP session will be disconnected.
Gary is deploying a wireless network and wants to deploy the fastest possible wireless technology. Of the 802.11 standards listed below, which is the fastest 2.4GHz option he has?
802.11n. Supports 200+Mbps in 2.4 or 5GHz
What common applications are associated with each of the following TCP ports: 23,25,143,515?
TCP 23: Telnet, TCP 25: SMTP, TCP 143:IMAP, TCP 515: LPD(Printer)
Chris is configuring an IDS to monitor for unencrypted FTP traffic. What ports should Chris use in his configuration?
TCP ports 20 and 21
FHSS, DSSS, and OFDM all use what wireless communication method that occurs over mulitple frequencies simultaneously?
Use spread spectrum technology.
Which authentication protocol commonly used for PPP links encrypts both the username and password and uses a challenge/repsonse dialog that cannot be replyaed and periodically reauthenticates remote systems throughout its use in a session?
Challenge-Handshake Authentication Protocol (CHAP). Used by PPP servers to authenticate remote clients
Which of the following options is not a common best practice for securing a wireless network?
Enable SSID broadcast
What network topology is shown in the image below?
Chris is designing layered network security for his organization. Using the diagram below, what type of firewall design is shown in the diagram?
A two-tiered firewall
Chris is designing layered network security for his organization. Using the diagram below, if the VPN grants remote users the same access to network and system resources as local workstations have, what security issue should Chris raise?
VPN users should only connect from managed PCs.
Chris is designing layered network security for his organization. Using the diagram below, if Chris wants to stop cross-site scripting attacks agains the web server, what is the best device for this purpose, and where should he put it?
An IPS, location B (in front of web server behind the firewall)
Susan is deploying a routing protocol that maintains a list of destination networks with metrics that include the distance in hops to them and the direction traffic should be sent to them. What type of protocol is she using?
Ben has configured his network to not broadcast a SSID. Why might Ben disable SSID broadcast, and how could his SSID be discovered?
Disabling SSID broadcaset hidse network from unauthorized personnel. The SSID can be discovered using a wireless sniffer.
What network tool can be used to protect the identity of clients while providing Internet access by accepting client requests, altering the source addresses of the requests, mapping requests to clients, and sending the modified requests out to their destination?
During troubleshooting, Chris uses the nslookup command to check the IP address of a host he is attempting to connect to. The IP he sees in the response is not the IP that should resolve when the lookup is done. What type of attack has likely been conducted?
A remote access tool that copies what is displayed on a desktop PC to a remote computer is an example of what type of technology?
Screen scraping. copies the actual screen displayed and display it at a remote location.
Which email security solution provides two major usage modes: (1) signed messages that provide integrity, sender authentication, nonrepudiation; and (2) an enveloped message mode that provides integrity, sender authentication, and confidentiality?
During a security assessment, Jim discovers that the organization he is working with uses a multilayer protocol to handle SCADA systems and recently connected the SCADA network to the rest of the organization's production network. What concern should he raise about serial data transfers carried via TCP/IP?
SCADA devices that are now connected to the network can now be attacked over the network.
What type of key does WEP use to encrypt wireless communications?
A predefined shared static key
An attack that causes a service to fail by exhausting all of a system's resources is what type of attack?
A denial of service attack.
What speed and frequency range is used by 802.11n?
200+Mbps, 2.4 and 5GHz
The ARP and RARP operate at what level of the OSI model?
Layer 2 (Data Link)
Which of the following is a converged protocol that allows storage mounts over TCP, which is frequently used as a lower-cost alternative to Fibre Channel?
iSCSI. A converged protocll that allows location-independent file services over traditional network technologies.
Chris is building an Ethernet network and knows that he needs to span a distance over 150 meters with his 1000Base-T network. What network technology should he use to help with this?
Install a repeater or concentrator before the 100 meters. A repeater or concentrator to amplifies the signal, ensuring the distance isn't an issue.
Lauren's organization has used a popular instant messaging service for a number of years. Recently, concerns have been raised about the use of instant messaging. Using the diagram below, answer questions about instant messaging, what protocol is the instant message traffic most likely to use based on the diagram?
TCP 80, HTTP
Lauren's organization has used a popular instant messaging service for a number of years. Recently, concerns have been raised about the use of instant messaging. Using the diagram below, answer questions about instant messaging, what security concern does sending internal communications from A to B cause?
It is traveling via an unencrypted protocol (TCP 80)
Lauren's organization has used a popular instant messaging service for a number of years. Recently, concerns have been raised about the use of instant messaging. Using the diagram about instant messaging, how could Lauren's company best address a desire for secure instant messaging for users of internal systems A & C?
Implement and use a locally hosted IM service
Which of the following drawbacks is a concern when multilayer protocols are allowed?
Covert channels are allowed. Use of a IM server would assist and allow more control (security) for information to traverse w/in the company.
What network topology is shown in the image below?
Chris uses a cellular hot spot (modem) to provide Internet access when he is traveling. If he leaves the hot sopt connected to his PC while his PC is no his organization's corporate network, what security issue might he cause?
His system may act as a bridge from the Internet to the local network
In her role an an information security professional, Susan has been asked to identify areas wher her organization's wireless network may be accessible even though it isn't intended to be. What should Susan do to determine where the organizations's wireless network is accessible?
A site survey
The DARPA TCP/IP model's Application layer matches up to what thre OSI model layers?
Application, Presentation, and Session
One of Susan's attacks during a penetration test involeves inserting false ARP dat into a system's ARP cache. When the system attempts to send traffic to the address it believes belongs to a legitmate sytes, it will instead send that traffic to a system she controls. What is this attacked called?
ARP cache poisoning. False ARP data inserted into a system's ARP cache, allowing the attacker to modify its behavior
Sue modifies her MAC address to one that is allowed on a network that uses MAC filtering to provide security. What is the technique Sue used, and what non-security issue could her actions cause?
Spoofing, address conflict
Jim's audit of a large orgaanization's traditional PBX showed that DISA was being abused by 3rd parties. What issue is most likely to lead to this problem?
One or more user's access codes have been compromised
SMTP, HTTP, and SNMP all occur at what layer of the OSI model?
Application layer of the OSI model
Lauren uses the ping utility to check whether a remote system is up as apart of a penetration testing exercise. If she wants to filter ping out by protocol, what protocol should she filter out from her packet sniffer's logs?
Lauren wants to provides port-based authenctication on her network to ensure that clients must authenticate before using the network. What technology is an appropriate solution for this requirement?
Ben has deployed a 1000Base-T 1GB network and needs to run a cable to another building. If Ben is running his link directly from a switch to another switch in that building, what is the maximum distance Ben can cover according to the 1000Base-T specification?
Jim's remote site has only ISDN as an option for connectivity. What type of ISDN should he look for to get the maximum speed possible?
Primary Rate Interface (PRI) 23B channel 2D channel = 1.544Mbps
SPIT attacks target what technology?
Spam over Internet Telephony (SPIT). Targets VoIP systems
What dos a bluesnarfing attack target?
Data from Bluetooth enabled-devices
Which of the follwoing options includes standards or protocol that exist in Layer 6 of the OSI model?
JPEG, ASCII, MIDI
What topology is shown below?
There are four commom VPN protocols. Which group of four below contains all of the common VPN protocols?
PPTP, L2F, L2TP, IPSec
What network technology is best described as a token-passing network that use a pair of rings with traffic following in opposite directions?
FDDI(Fiber Distributed Data Interface)
Which OSI layer includes electrical specifications, protocols and interface standards?
Ben is designing a Wi-Fi network and has been asked to choose the most secure option for the network. Which wireless security standard should he choose?
If your organization needs to allow attachments in email to support critical business processes, what are the two best options for helping to avoid security problems caused by attachments?
Train your users and use anti-malware tools
Segmentation, sequencing, and error checking all occur at what layer of the OSI model that is associated with SSL, TLS, and UDP?
The Windows ipconfig commnad displays the following information: BC-5F-F4-7B-4B-7D. What term describes this and what information can be gathered from it?
The MAC address, the network interface acard's manufacturer
Chris has been asked to choose between implementing PEAP AND LEAP for wireless authentication. What should he choose, and why?
PEAP, because it can provide TLS tunnel that encapsulates EAP methods, protecting thte entire session.
Ben is troubleshooting a network and discovers that the NAT router he is connected to has the 192.168.x.x subnet as its internal network and that its external IP is 192.168.1.40. What problem is he encountering?
192.168.1.40 is not a valid address because it is reserved by RFC1918
What is the default subnet mask for a Class B network?
Jim's organization uses a traditional PBX for voice communication. What is the most common security issue that internal communications are likely to face and what should he recommend to prevent it?
What common security issue is often overlooked with cordeless phones?
Their signal is rarely encrypted thus can be easily monitored
Lauren's organization has deployed VoIP phones on the same switches that the desktop PCs are on. What security issue could this create, and what solution would help?
VLAN hopping, use physically separate switches.
Which type of firewall can be described as " a device that filters traffic based on its source destination and the port is is sent from or is going to"?
A static packet filtering firewall
A phreacking tool used to manipulate line voltages to steal long-distance service is known as what type of box?
A black box
Data streams occur at what three layer of the OSI model?
Application, Presentation and Session-3 layers of data streams
Chris needs to design a firewall archietecture that can support separately a DMZ, a database, and a private internal network. What type of designed should he use, and how many firewalls does he needs?
3-tier firewall design with at least one firewall
Lauren's network team has been asked to identify a technology that will allow them to dyanamically change the organziation's network by treating the network like code. What type of architecture should she recommend?
Software designed network
Jim's organization uses fax machines to receive sensitive data. Since the fax machine is located in a public area. what actions should Jim take to deal with issues related to faxes his organization receives?
Disable automatic printing and purge local memory
Cable modems, ISDN,and DSL are all examples of what type of technology?
What type of firewalls designed is shown in the image below?
During a review of her organization's network, Angela discovered that it was suffering from broadcast strorms and that contractors, guest, and organizational adminstrative staff were on the same network segment. What design change should Angela recommend?
Segment the network based on functional requirements
ICMP, RIP and NAT all occur an what layer of the OSI model?
Layer 3 (Network)
Ben is an information security professional at an organization that is replacing its physical server with virtual machines. As the organization builds its virtual environment, it is descreasing the number of physical servicer it uses while purchasing more powerful servers to act as the virtualization platforms. The IDS Ben is responsible for is used to monitor sommuications in the dat center using a mirrored port on the data center switch. What traffic will Ben see once the majority of servers in the data cetner have been virtualized?
Only traffic sent outside of the VM environment
Ben is an information security professional at an organization that is replacing its physical server with virtual machines. As the organization builds its virtual environment, it is descreasing the number of phyical servicer it uses while purchasing more powerful servers to act as the virtualization platforms. The VM administrators recommend enabling cut and paste between virtual machines. What security concern should Ben raise about his practice?
It can serve as a covert channel
Ben is an information security professional at an organization that is replacing its physical server with virtual machines. As the organization builds its virtual environment, it is descreasing the number of phyical servicer it uses while purchasing more powerful servers to act as the virtualization platforms. Ben is concerned about exploits that allow VM escape exploits?
Separate vitrual machines onto speaerate physical hardware based on task or data types.
WPA2's CCMP is based on which common encryption scheme?
When a host on a Ethernet network detects a colision and transmits a jam signal, what happens next?
All hosts stop transmitting and each host waits a random period of time before attempting to transmit again. (CSMA/CD)
IPX, AppleTalk, and NetBEUI are all examples of what?
What is the speed of a T3 line?
What type of firewall design does the image below show?
A 2 tier firewall
What challenge is most common for endpoint security system deployments?
The volume of data
What type of address is 127.0.0.1?
A loopback address
Susan is writing a best practices statemetn for her organizational users who need to use Bluetooth. She knows that there are many potential security issues with Bluetooth and wants to provide the best advice she can. Which of the following sets of guidance should Susan include?
Use bluetooth only for those activities that are not confidential, change the default PIN on your device , turn off discovery mode, and turn off Bluetooth when it's not in active use.
What type of firewall is known as a 2nd-generation firewall?
Application-level gateway firewalls
Steve has been tasked with implementing a network storage protocol over an IP network. What storage-centric converged protocol is he likley to use in his implementation?
Fiber Channel over Ethernet (FCoE)
What type of network device modulates betweeen an analog carrier signal and digital information for computer communications?
Which list presents the layer of the OSI model in the correct order?
Application, Presentation, Session, Transport, Network, Data Link, Physical
A DoS attack that sends fragmented TCP packets is known as what kind of attack?
Teardrop attack. Uses fragmented packet to attack a flaw in TCP packet stacking process
Modern dial-up connections use what dial-up protocol?
Point to Point Protocol (PPP)
One of the findings that Jim made when performing a security audit was the use of non-IP protocols in a private network. What issue should Jim point out that may result from the use of these non-IP protocols?
They may not be able to be filtered by firewall devices
Angela needs to choose between EAP, PEAP and LEAP for secure authentication. Which authentication protocol should she choose and why?
PEAP, because it provides encryption and doesn't surffer from the same vulnerabilities that LEAP does
Lauren has been asked to replace her organizations's PPTP implementation with an L2TP implementation for security reasons. What is the primary security reason that L2TP would replace PPTP?
L2TP can use IPSec
Jim is building a research computing system that benefits from being part of a full mesh topology between systems. In a five-node full mesh topology design, how many connections will an individual node have?
What topology correctly describes Ethernet?
A bus topology. Ethernet uses bus topology to connect devices
What type of attack is most likely to occur after a successful ARP spoofing attempt?
A man in the middle attack (MITM). ARP spoofing done to replace the cache entry on targeted device, allowing for a new entry to occur.
What speed is Category 3 UTP cable used for?
What issue occurs when data transmitted over one set of wires is picked up by another set of wires?
What two key issues with the implementation of RC4 make WEP even weaker that it might otherwise be?
It's use of a static common key and limited number of intialization vectors
Chris is setting up a hotel network, and needs to ensure that systems in each room or suite can connect to each other, but systems in other suites or rooms cannot. At the same time, he needs to ensure that all systesm in the hotel can reach the Internet. What solution shoul he recommend as the most effective business solution?
During a forensic investigation, Charles is able to determine the MAC address of a system that was connected to a compromised network. Charles knows that MAC addresses are tied back to a manufacturer or vendor and are part of the fingerprint of the system. To which OSI layer odes a MAC address belong?
The physical layer
Ben knows that his organization wants to be able to validate the identity of other organizations baed on their doman name when receiving and sending email. What tool should Ben recommend?
Domain Keys Identified Mail (DKIM). Designed to allow assertions of domain id to validate email
Which of the following is best described as an access control model that focuses on subjects and identifies the object that each subject can access?
A capability table. Lists the privileges assigned to subject and id objects that subjects can access
Jim's organization-wide implementation of IDaaS offers broad support for cloud based applications. The ecisting infrastructure for Jim's company does not use centralized identity services but uses Active Directory for AAA services. Which of the following choices is the best option to recommend to handle the company's onsite identity needs?
Use an on-premise 3td party identity service
Which of the following is not a weakness in Kerberos?
Authentication info is not encrypted
Voice pattern recognition is what type of authentication factor?
Type 3 "something you are" (Type 1 "something you know"[pwd], Type 2 "something you have"[CAC])
If Susan's organization requires her to log in with her username, a PIN, a password, and a retina scan, how many distinct types of facrot has she used?
Two types of factors
Which of the following items are not commonly associated with restricted interfaces?
Keyboards (Menus, shells, DB views are constrained interfaces)
During a log review, Saria discovers a series of logs that show login falures as show here: Jan 31 11:39:12 ip 10-0-0-2 sshd: Invalid user admin from remote host passwd=orange Jan 31 11:39:20 ip 10-0-0-2 sshd: Invalid user admin from remote host passwd=orang3 Jan 31 11:39:23 ip 10-0-0-2 sshd: Invalid user admin from remote host passwd=Orange93 Jan 31 11:39:31 ip 10-0-0-2 sshd: Invalid user admin from remote host passwd=Orangutan1 What type of attack has Saria discovered?
Dictionary attack. Uses a list of common passwords or dictionary words.
What type of attack can be prevent by using a trusted path?
Login spoofing. (Trusted paths are ways to protect data bwt users and security component)
What major issues often results from decentralized access control?
Control is not consistent. Loose interpretation of policies and requirements, roles.
Callback to a home phone number is an example of what type of factor?
"somewhere you are" factor
Kathleen needs to setup an AD trust to allow authenctication with an existing Kerberos K5 domain. What type of trust does she need to create?
A realm trust. Appropriate way to set up a AD environment that needs to connect to a K5 domain
Which of the following AAA protocols is the most commonly used?
Which of the following is not a single sign on implementation?
RADIUS (ADFS, Kerberos, CAS are SSO implementations)
As seen in the following image, a user on a Windows system is not able to use the "Send Message" functionality. What access control model best describes this type of limitation?
A constrained interface
What type of access controls allow the owner of a file to grant other users access to it using an access control list?
Discretionary Access Control
Alex's job requires him to see personal health information to ensure proper treatment of patients. His access to ehier medical records does not provide access to patient addresses or billing information. What access control concept best describes this control?
Need to know
Using your knowledge of the Kerberos logon process and the following diagram, At point A in the diagram, the client sends the username and password to the KDC. How is the username and password protected?
Use of AES to encrypt username and password
Using your knowledge of the Kerberos logon process and the following diagram, At point B in the diagram, what two important elements does the KDC send to the client after verifying that the username is valid?
An encrypted, time-stamped TGT and a symmetric key encrypted with a hash of the user's password.
Using your knowledge of the Kerberos logon process and the following diagram, What tasks must the client perform before is can use the TGT?
It must install the TGT and decrypt the symmetric key
Jacob is planning his organization's biometric authentication system and is considering retina scans. What concern may be raised about retina scans by others in his organization?
Retina scans can reveal information about medical conditions
Mandatory access control is based on what type of model?
Lattice-based, uses matrix of classification labels to compartmentalize data
Which of the following is not a type of attack used against access controls?
What is the best way to provide accountability for the use of identities?
Jim has worked in human relations, payroll, and customer service roles in his company over the past few years. What ypes of process should his company perform to ensure that he has appropriate rights?
Biba is what type of access control model?
MAC (Mandatory Access Control model)
Which of the following is a client/server protocol designed to allow network access servers to authenticate remote users by sending access request messages to a central server?
What type of access control is being used in the following permission listing; Storage Device X User1: Can read, write, list User2: Can read , list User3: Can read, write, list , delete User4: Can list
rBAC (resource based access control) model, deals with volume storage, esp in IaaS environments
Angela uses a sniffer to monitor traffic from a RADIUS server configured with default settings. What protocol should she monitor and what traffic will she be able to read?
UDP , all traffic but the passwords, which are encrypted
Which of the following is not part of a Kerberos authentication system?
When an application or system allows a logged-in user to perform specific actions, it is an example of what?
Authorization. Provides user with capabilities or rights
Alex has been employed by his company for over a decade and has held a number of positions in the company. During an audit, it is discovered that he has access to shared folders and applications due to his former roles. What issue has Alex's company encountered?
Privilege creep. Acculminating rights from previous jobs held not pertaining to current position.
Which of the following is not a common threat to access control mechanisms?
What term properly describes what occurs when two or more processes require access to the same resource and must complete their tasks in the proper order fro normal function?
Race conditions, two or more processes need access to same resource
What type of access control scheme is shown in the following table?
MAC (Mandatory Access Control)
Which of the following is not a valid LDAP DN (distinguished name)?
When a subject claims and identity, what process is occurring?
Dog, guards, and fences are all common examples of what type of control?
Susan's organization is updating its passowrd policy and wants to use the strongest possible passwrrds. What password requirement will have the highest impact in prevent brute force attacks?
Increase the minimum password length from 8 to 16 characters
What is the stored sample of a biometric factor called?
A reference template/profile
When might an organization using biometrics choose to allow a higher FRR instead of a higher FAR?
When security is more important than usability
Susan is working to improve the strength of her organization's passwords by changing the password policy. THe password system that she is using allows upper-and lowercase letters as well as number but no other characters. How much additional complexity does adding a single character to the minimum length of passwords for her organization create?
62 times more complex
Whic pair of the following factors are key for user acceptance of biometric identification systems?
The throughput rate and the time required to enroll
Alex is in charge of SAML intergration with a major 3rd party partner that provides a varitey of business productivity services for his organization. Using the following diagram and your knowledge of SAML integration and security architecture design, Alex is concerned about eavesdropping on the SAML traffic and also wants to ensure that forged assertion will not be successful. What should he do to prevent these potential attacks?
Implement TLS using a strong cipher suite and use digital signatures
Alex is in charge of SAML intergration witha major 3rd party partner that provides a varitey of business productivity services for his organization. Using the following diagram and your knowledge of SAML integration and security architecture design, If Alex's organization is one that is primarily made up of offsite, traveling users, what availability riks odes integration of crtitcal business application to onsite authentication create and how could he solve it?
If the home organziation is offline, traveling users won't be able to access 3rd party applications; implement a hybrid cloud/local authentication system.
Alex is in charge of SAML intergration witha major 3rd party partner that provides a varitey of business productivity services for his organization. Using the following diagram and your knowledge of SAML integration and security architecture design, What solution can best help address converns about 3 parties that control SSO directs as shown in step 2 in the diagram?
An awareness campaign about trusted 3rd parties
Susan has bee asked to recommend whether her organization should use a mandatory access control scheme or a discretionary access control scheme. If flexibility and scalability is an important requirement for implementing access controls, which scheme should she recommend and why?
DAC, because allowing individual administrators to make choices about the objects they control provides scalability and flexibility
Which of the following tools is not typically used to verify that a provisioning process was followed in a way that ensures that the organization's security policy is being followed?
Lauren needs to send information about services she is provisioning to a 3rd party organization. What standards based markup language should she choose to build the interface?
SPML (Service Provisioning Markup Language)
During a penetration test, Chris recovers a file containing hashed passwords for the system he is attempting to access. What type of attack is most likely to succeed against the hashed passwords?
A rainbow table attack
Google's identity integration with a variety of organizations and applications across domains is an example of which of the following?
Lauren starts her new job and finds that she has access to a variety of sytems that she does not need access to to accomplishe her job. What problem has she encountered?
When Cris verifies an individual's identity and adds a UID like a user ID to an identity system, what process has occurred?
Jim configures his LDAP client to connect to an LDAP directory server. According to the configuration guide, his client should connect to the serve on port 636. What odes this indicate to Jim about the configuration of the LDAP server?
It requires connections over SSL/TLS
The X.500 standards cover what type of important identity systems?
Microsofts's AD Domain Services is based on which of the following technologies?
Lauren is responsible for building a banking website. She needs proof of the identity of the users who register for the site. How should she validate user identities?
Use information that both the bank and the user have such as questions ulled from their credit report
By default, in what format does OpenLDAP store the value of the userPassword attribute?
In the clear
A new customer at a bank that uses fingerprint scanners to authenticate its users is suprised when he scans his fingerprint and is logged in to another customer's account. What type of biometric factor error occurred?
Type 2 error
What type of access control is typically used by firewalls?
Rule-BAC (Based Access Control)
When you input a user id and password, you are performing what important identity and access management activity?
Kathleen works for data center hosting facility that provides physical data center space for individuals and organizations. Until recently, each client was given a magnetic-strip-based keycard to access the section of the facility where their servers are located, and they were also given a key to access the cage or rack where the servers resides. In the past month, a number of server have been stolen, but the logs for the passcards show only valid IDs. What is Kathleen's best option to make sure that the users of the passcards are who they are supposed to be?
Add a biometric factor
Which of the following is a ticket based authentication protocol designed to provide secure communication?
What ytpe of access control is composed of policies and procedures that support regulations, requirements, and the organization's own policies?
In a Kerberos environment, when a user needs to access a network resource, what is sent to the TGS?
A TGT is sent
Which objects and subjects have a label in a MAC model?
All objects and subjects have a label
Chris is the identity architect for a growing e-commerce website that wants to leverage social identity. To do this, he and his team intend to allow users to sue their existing Google accounts as thier primay accounts when using the e-commerce site. This means that when a new user initially connects to a ecomcerc platform, they are given the choic between using their Google+ account using OAuth 2.0, or creating a new account on the platofrm using htier own email address and password of their choice. When the e-commerce application creates an account for a Google+ user, where should that user's passwords be stored?
The password is never stored; a salted hash is stored in Google's accoutn mgmt system
Chris is the identity architect for a growing e-commerce website that wants to leverage social identity. To do this, he and his team intend to allow users to sue their existing Google accounts as thier primay accounts when using the e-commerce site. This means that when a new user initially connects to a ecomcerc platform, they are given the choic between using their Google+ account using OAuth 2.0, or creating a new account on the platofrm using htier own email address and password of their choice. Which system or systems is /are responsibile for user authentication for Google+ users?
Chris is the identity architect for a growing e-commerce website that wants to leverage social identity. To do this, he and his team intend to allow users to sue their existing Google accounts as thier primay accounts when using the e-commerce site. This means that when a new user initially connects to a ecomcerc platform, they are given the choic between using their Google+ account using OAuth 2.0, or creating a new account on the platofrm using htier own email address and password of their choice. What type of attack is the creation and exchange of state tokens intended to prevent?
Questions like "What's your pet's name?" are examples of what type of identity proofing?
Lauren builds a table that includes assigned privileges, objects, and subjects to manage access control for the systems she is responsible for. Each time a subject attempts to access an object, the systems check the table to ensure that the subject has the appropriate rights to the objects. What type of access control sytem is Lauren using?
An access control matrix
During a review of support incidents, Ben's organization discovered that passord changes accounted for more than quarter of its help desk's cases. Which of the following options would be most likely to decrease that number significantly?
Self service password reset tools
Brian's large organization has used RADIUS for AAA services for its network devices for years and has recently become aware of security issues with the unencrypted information transferred during authentication. How should Brian implement encryption for RADIUS?
Implement RADIUS over TCP using TLS for protection.
Jim wants to allow cloud-based applications to act on its behalf to access information from other sites. Which of the following tools can allow that?
Ben's organization has had an issue with unauthorized access to application and workstations during the lunch hours when employees aren't at their desk. What are the best type of session management solutions for Ben to recommend to help prevent this type of access?
Set session timeouts for applications and use password protected screensavers with inactivity timeouts on workstations.
Lauren is an information security analyst tasked with deploying technical access controls for her organization. Which of the following is not a logical or technical access control?
The financial services company that Susan works for provides a web portal for its users. When users need to verify their identity, the company uses information from 3 party sources to ask questions based on their past credit reports, such as "Which of the following streets did you live on in 2007? What process is Susan's organization using?
The US government CAC is an example of what form of Type 2 authentication factor?
A smart card
What authentication technology can be paired with OAuth to perform identity verification and obtain user profile information using a RESTful API?
Jim has Secret clearance and is accessing files that use a mandatory access control scheme to apply the TS, Secret, Confidential and UNCLAS label scheme. If his rights include the ability to access all data of his clearnce level or lower, what classification levels of data can he access?
Secret, Confidential and UNCLASS
The security administrators at the company that Susan works for have configured the workstation she uses to allow her to log in only during her work hours. What type of access control best describes this limitation?
Context dependent control. (Time)
When Lauren uses a fingerprint scanner to access her bank account. What type of authentication factor is she using?
Type 3 "something you are"
Which of the following is not a access control layer?
Ben uses a software based token which changes its code every minute. What type of token is he using?
What type of token-based authentication system uses a challenge/response process in which the challenge has to be entered on the token?
Ben's organization is adopting biometric authentication for its high-security building's access control system. Using the following chart, Ben's company is considering configuring its systems to work at the level shown by point A on the diagram. To what level is it setting the sensitivity?
The CER (x-over error rate). The point where false acceptance rate (FAR) and the false rejection rate(FRR) crossover. Is a standard assessment used to companre the accuracy of biometric devices
Ben's organization is adopting biometric authentication for its high-security building's access control system. Using the following chart,At point B, what probelm is likely to occur?
False acceptance will be very high.
Ben's organization is adopting biometric authentication for its high-security building's access control system. Using the following chart,What should Ben do if the FAR and FRR shown in this diagram doesn't provide an acceptable performace level for his organization's needs?
Assess other biometric systems to compare them
What LDAP authentication mode can provide secure authentication?
SASL (Simple Authentication and Security Layer)
Which of the following Type 3 authenticator is appropriate to use by istelf rather than in combination with other biometric factors?
What danager is created by allowing the OpenID relying party to control the connection to the OpenID provider?
It creates the possiblity of a phishing attack by sending data to a fake OpenID provider.
Jim is implementing a cloud identity solution for his organization. What type of technology is he putting in place?
Identity as a Service (IDaaS)
RAID-5 is an example of what type of control?
When Alex sets the permissions shown in the following image as one of many users on a Linux server, what ytpe of access control model is he leveraging?
Discretionary Access Control (permissions setting)
What open protocol was designed to replace RADIUS-including support for additonal commands and protocols, replacing UDP traffic with TCP, and providing for extensible command- but doesn't preserver backward compatibility with RADIUS?
LDAP distinguished names are made up of comma-separated components called relative distinguished names that have an attribute name and a value. DNs hbecome less specific as they progress from left to right. Which of the following LDAP DN best fits this rule?
uid=ben, ou=sales. dc=example dc=com
Susan is troubleshooting Kerberos authentication problems with symptoms including TGTs that are not accepted as valid and an inability to receive new tickets. If the system she is troubleshooting is properly configured for Kerberos authentication, her username and password are correct, and her network connection is functioning, what is the most likely issue?
The Kerberos server and the local client's time clocks are not synchronized
Kerbero, KryptoKnight, and SESAME are all examples of what type of system?
Single Sign On (SSO) systems
Which of the following types of access controls do not describe a lock?
What authentication protocol does Windows use by default for AD systems?
Kerberos (AD authentication)
Alex configures his LDAP server to provide services on 636 and 3269. What type of LDAP services has he configured based on LDAP's default ports?
Secure LDAP and secure global directory
During a port scan, Susan discovers a system running services on TCP and UDP 137-139 and TCP 445, as well as TCP 1433. What type of system is she likely to find if she connects to the machine?
A Windows SQL server
Which of the following is a method used to design a new software tests and to ensure the quality of tests?
Mutation testing. Modifies a program in small ways, tests that mutant to determine if it behaves as it should or fails.
During a port scan, Lauren found TCP port 443 open on a system. Which tool is best suited to scanning the service that is most likely running on that port?
Nikto. port 443 is used to https servers, which is used for vulnerability testing for web servers and applications
What message logging standard is commonly used by network devices, Linux and Unix systems and many other enterprise devices?
Alex wants to use an automated tool to fill web applications forms to test for format string vulnerabilities. What type of tool should he use?
Susan needs to scan a system for vulnerabilities, and she wants to use an open source tool to test the system remotely. Which of the following tools will meet her requirements and allow vulnerability scanning?
NIST SP 800-53A describes four major typues of assessment objects that can be used to identitfy items being assessed. If the assessment covers IPS devices, which of the types of assessment objects is being assessed?
A mechanism. IPS ex of an hardware, software or firmware based control or system
Jim has been contracteed to perform a penetration test of a bank's primary branch. In order to make the test as real as possible, he has not been given any information about the bank other than its name and address. What type of penetration test has Jim agreed to perform?
A black box penetration test (Crystal or white box=provides all info for attacker. Gray box=provides some but not all info)
As part of a penetration test, Alex needs to determine if ther are web servers that could sufer from the 2014 Heartbleed buy. What type of tool could he use, and what should he check to verify that the tool can identify the problem?
A vulnerability scanner, to see whether the scanner hass a signature or test for the Heartbleed CVE number
In a response to a Request for Proposal, Susan receives a SAS-70 Type 1 report. If she wants a report that includes operating effectiveness detail, what should Susan ask for as followup and why?
An SOC Type 2, because Type 1 does not cover operating effectiveness
During a wireless network penetration test, Susan runs aircrack-ng against the network using a password file. What might cause her to fail in her password-cracking efforts?
Running WPA2 in Enterprise mode
Which type of SOC report is best suited to provide assurance to users about an organization's security availability, and the integrity of their service operations?
A SOC 3 report. Intended to be shared with a broad community
What type of testing is ussed to ensure that separately developed software modules properly exchange data?
Interface testing. Ensures software modules properly meet interface specs and properly exchange data
Which of the following is not a potential problem with active wireless scanning?
Causing alarms on the oranization's wireless IPS
Ben uses a fuzzing tool that develops datat models and creates fuzzed data based on information about how the application uses datat to test the application. Whaty types of fuzzing is Ben doing?
Generational. Relies on models for application input and conducts fuzzing attacks based on that information.
Saria wants to log and review traffic information between parts of her network. What type of network logging should she enable on her routers to allow her to perform this analysis?
Flow logging (Flows)-captures data to provide insight for security, t/sing, performance mgmt
Jim has been contracted to conduct a gray box penetration test, and his clients have provided him with the following information about their networks so that he can them. Data center: 10.0.0.0/24 Sales: 10.10.11.0/24 Billing: 10.10.12.0/24 Wireless: 192.168.0.0/16 What problem will Jim encounter if he is contracted to conduct a scan from offsite?
The IP addresses provided are RFC 1918 addresses
Karen's organization has been performing system backups for years but has not used the backups frequently. During a recent system outrage, when adminstrators tried to restore from backup they found that the backups had errors and could not be resotred. Which of the following options should Karen avoid when selecting ways to ensure that her organization's backup will work next time?
MTD verification. This will only state how long systems can be down w/o significant business impact
The company that Jennifer works for has implememted a central logging infrastructure, as showin in the following image. Use this diagram and your knowledge of logging systems to answer the following questions. Jennifer needs to ensure that all Windows systems provide indentical logging information to the SIEM. HOw can she best ensure tha ll Windows desktops have the same log settings?
Use Group Policy
The company that Jennifer works for has implememted a central logging infrastructure, as showin in the following image. Use this diagram and your knowledge of logging systems to answer the following questions. During normal operation, Jennifer's team uses the SIEM appliance to monitor for eceptions received via syslog. What system shown doesn't natively have support for syslog events?
A windows desktop system
The company that Jennifer works for has implememted a central logging infrastructure, as showin in the following image. Use this diagram and your knowledge of logging systems to answer the following questions. What technology should an organization use for each of the devices shown in the diagram to ensure that logs can be time swquenced across the entire infrastructure?
NTP (Network Time Protocol)
During a penetration test, Danielle needs to identify systems, but she hasn't gained sufficient access on the system she is using to generate raw packets. What type of scan should she run to verify the most open services?
A TCP connect scan
During a port scan using nmap, Joseph discovers that system shows two ports open that cause him to immediate worry: 21/open, 23/open What services are likely running on those ports?
Telnet and FTP
Saria's team is working to persuade their management that their network has extensive vulnerabilities that attackers could exploit. If she wants to conduct a realistic attack as part of a penetration test, what type of penetration test should she conduct?
Black box testing
What method is coomonly used to assess how well software testing covered the potential uses of an application?
A test coverage analysis
Testing that is focused on functions that a system should not allow are an example of what type of testing?
Misuse case testing
What type of monitoring uses simulated traffic to a website to monitor performance?
Synthetic monitoring. Uses emulated or recorded transactions to monitor changes in RT, functionality, etc.
Which of the following vulnerabilities is unlikely to be found by a web vulnerability scanner?
Jim uses a tool that scans a system for available services, then connects to them to collect banner information to determine what version of teh service is running. It then provides a report detailing what it gathers, basing results on servics fingerpringting, banner information, and similar details, it gathers combined with CVE information. What type of tool is Jim using?
A vulnerability scanner
Emily builds a script that sends data to a web application that she is testing. Each time the script runs, it sends a series of transactions with data that gits the expected requirements of the we application to verify that is responds to typical customer behavior. What type of transactions is she using, and what type of test is this?
Synthetic, use case testing
What passive monitoring technique records all user interaction with an application or we site to ensure quality and performance?
Real use monitoring (RuM)
Earlier this year, the information security team a Jim's employer identified vulnerability in the web server that Jim is responsible for maitaining. He immediately applied the patch and is sure that it installed properly, but the vulnerability scanner has continued to flag the system as vulnerable even though Jim is sure the patch is installed. Which of the following options is Jim's best choice to deal with the issue?
Ask the information security team to flag the system as patched or not vulnerable
Angela wants to test a web browser's handling of unexpected data using an automated tool. What tool should she choose?
zzuf. Specifically designed to work with tools like web browsers, image viewers and similar software by modifying network and file input to application
STRIDE, which stands for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege, is useful in what part of application threat modeling?
Why should passive scanning be conducted in addition to implementing wireless security technologies like wireless intrusion detection systems?
It can help identify rouge devices
During a penetration test, Lauren is asked to test the organization's Bluetooth secuirty. Which of the following is not a concern she should explain to her employers?
Bluetooth active scans can't evaluate the security mode of Bluetooth devices
What term describes software testing that is intended to uncover new bugs introduced by patches or configuration changes?
Regression testing. ensures that changes haven't introduced new issues
Which of the tools cannot identify a target's operating system for a penetration tester?
Susan needs to predict high-risk areas for her organization and wants to use metrics to assess risk trends as they occur. What should she do to handle this?
Identify and track key risk indicators.
What major difference separates synthetic and passive monitoring?
Passive monitoring only works after problems have occurred
Chris uses the standard penetration testing methodology shown here. Use this methodology and your knowledge of penetration testing to answer the following questions about tool usage during a penetration test. What task is the most important durin Phase 1 Planning?
Chris uses the standard penetration testing methodology shown here. Use this methodology and your knowledge of penetration testing to answer the following questions about tool usage during a penetration test. Which of the following tools is most likely to be used during discovery?
Chris uses the standard penetration testing methodology shown here. Use this methodology and your knowledge of penetration testing to answer the following questions about tool usage during a penetration test. Which of these concerns is most important to address during planning to ensure the reporting phase does not cause problems?
How the vulnerabilty data will be stored and sent
What four types of coverage criteria are commonly used when validating the work of a code testing suite?
Function, statement, branch and condition coverage
As a part of his role as a security manager, Jacob provides the following chart to his organization's management team. What type of measurement is he providing for them?
A key performance indicator. (Time of remediate a vulnerability)
What does using the unique user IDs for all users provide when reviewing logs?
Which of the following is not an interface that is typically tested during the software testing process?
What protocol is used to handle vulnerability management data?
Security Content Auotmation Protocol (SCAP) community source spec for security flaw and config info, defined in NIST SP 800-126
Misconfiguration, logical and functional flaws, and poor programming practices are all causes of what type of issue?
Which of the following strategies should should be used to handle a vulnerability identified by a vulnerability scanner?
Update the banner or version number
During a penetration test Sari calls her target's helpdesk claiming to be the senior assistance to an officer of the company. She requests that the help desk reset the officer's password because of an issue with his laptop while traveling and persuades them to do so. What type of attack has she successfully completed?
In this image, what issue many occur due to the log handling settings?
Log data may fill the system disk
Which of the following is not a hazard associated with penetration testing?
Exploitation of vulnerabilities
Which NIST SP covers the assessment of security and privacy controls?
NIST SP 800-53A , covers methods for assessing and measuring controls
What type of port scanning is known as "half open" scanning?
Lauren is performing a review of a 3rd party service organization and wants to determine if the organization's policies and procedures are effectively enforced over a period of time. What type of industry standard assessment report should she request?
SSAE 16 (Statements on Stds for Attestation Engagements) SOC 1 Type II
Jim is working with a penetration testing contractor who proposes using Metasploit as part of her penetration testing effort. What should Jim expect to ccur when Metasploit is used?
Systems will have known vulnerabilities exploited
During a 3rd party audit, Jim's company receives a finding that states, "The administrator should review backup success and filure logs on daily basis, and take action in a timely manner to resolve reported exceptions." What is the giggest issue that is likely to result if Jim's IT staff need to restore from a backup?
The backups may not be usable
Jims is helping his organization decide on audit standards for use throughout their international organization. Which of the following is not an IT standard that Jim's organization is likely to use as part of its audits?
Which of the following best describes a typical process for building and implementing an Information Security Continuous Monitoring program as described by NIST sp 800-137?
Define, establish, implement, analyze and report, respond, review, and update
Lauren's team conducts regression testing on each patch that they release. What key peformance measure should they maintain to measure the effectiveness of their testing?
A measure of the rate of defect recurrence
Which of the following types of code review is not typically performed by a human?
Static program analysis
Susan is the lead of a QA team at her company. THey have been tasked with the testing for amajor release of their company's core software product. Use your knowledge of code review and testing to answer the following questions. Susan's team of software tester are requrired to test every code path, including those that will only be used when an error condition occurs. What type of testing environment does her team need to ensure complete code coverage?
White box testing
Susan is the lead of a QA team at her company. THey have been tasked with the testing for amajor release of their company's core software product. Use your knowledge of code review and testing to answer the following questions. As part of the continued testing of their new application, Susan's QA team has designed a set test cases for a series black box tests. These functional tests are then run, and a report is prepared explaining what has occurred. What type of report is typically generated during this testing to indicate test metrics?
A test coverage report
Susan is the lead of a QA team at her company. THey have been tasked with the testing for amajor release of their company's core software product. Use your knowledge of code review and testing to answer the following questions. As apart of their code coverage testing, Susan's team runs te analysis in a nonproduction environment using logging and tracing tools. Which of the following types of code issues is most likely to be missed during testing due to this change in the operating environment?
A race condition
What step should occur after a vulnerability scan finds a critical vulnerability on a system?
Validation, verfy if an issue exists
Kathleen is reviewing the code for an application. She first planst the review, conducts an overivew session with the reviewers and assigns roles, and then works with the reviewers to review materials and prepare for their roles. Next, she intends to review the code and rework it, and ensure that all defects found have been corrected. What ype of review is Kathleen conducting?
Danielle wants to compare vulnerabilities she has disvovered in her data center based on how exploitable they are, if exploit code exists, as wel as how hard they are to remediate. What scoring system should she use to compare vulnearbaility metrics like these?
Common Vulnerability Scoring System (CVSS)
During a port scan of his network, Alex finds that a number of host reponse on TCP ports 80, 443, 515, and 9100 in offices throughout his organization. What type of devices is Alex likely discovering?
Nikto, Burp Suite, and Wapiti are all examples of what type of tool?
Web application vulnerability scanners
During an nmap scan, what three potential statuses are provided for a port?
Open, Closed and Filtered
Which of the following is not a method of synthetic transaction monitoring?
User session monitoring
Susan needs to ensure that the interactions between the components of her e-commerce application are all handled properly. She intends to verify communications, error handling, and session management capabilities throughout her infrastructure. What type of tesing is she planning to conduct?
Jim is designing his organization's log management systems and knows that he needs to carefully plan to handle the organization's log data. Which of the following is not a factor that Jim should be concerned with?
Jim has contracted with a software testing organization that uses automated testing tools to validate software. He is concerned that they may not completely test all statements in his software. What measurement should he ask for in their report to provide information about this?
A code coverage report
When a Windows system is rebooted, what type of log is generated?
During a review of access logs, Alex notices that Danielle logged into her sorstation in NY at 8am daily, but that she was recorded as logiing into her departement's main web application shortly after 3am daily. What coomon logging issue has Alex likely encountered?
What type of vulnerability scan accesses configuration information from the system it is run against as well as information that can be accessed via services available via the network?
Ben's organization has begun to use STRIDE to assess their sofwrare, and has identified therat agents and the business impacts that thes threat could have. Now they are working to identify appropriate controls for the issues they have identified. Use the STRIDE model to answer the following questions. Ben's development team needs to address an authorization issue, resulting in an eelvation or privilege threat. Which of the following controls is most appropriate to this type of issue?
role based access controls (RBACs)
Ben's organization has begun to use STRIDE to assess their sofwrare, and has identified therat agents and the business impacts that thes threat could have. Now they are working to identify appropriate controls for the issues they have identified. Use the STRIDE model to answer the following questions. Ben's team is attempting to cateogrize a transaction identification issue that is caused by use of a symmetric key shared by multiple servers. What STRIDE category should this fall into?
Repudiation, shared symmetric key used by any servers, transaction identification problems
Ben's organization has begun to use STRIDE to assess their sofwrare, and has identified therat agents and the business impacts that thes threat could have. Now they are working to identify appropriate controls for the issues they have identified. Use the STRIDE model to answer the following questions. Ben wants to prevent or detect tampering with data. Which of the following is not an appropriate solution?
Filtering, prevents DoS attacks but not Hashing
Which NIST document covers the creation of an Information Security Continuous Monitoring? (ISCM)
NIST 800-137, describes the process of building and maintaining an ISCM
Which of the following is not an issue when using fuzzing to find program faults?
Fuzz testing bugs are often severe
What term describes an evaluation of the effectiveness of security controls performed by a 3rd party.
A security audit
During a port scan Ben uses nmap's default setting and sees the following results. Use this information to answer the following questions. If Ben is conducting a penetration test, what should his next step be after receiving these results?
Id interesting ports for further scanning
During a port scan Ben uses nmap's default setting and sees the following results. Use this information to answer the following questions. Based on the scan results, what OS was the system that was scanned most likely running?
Linux system (X11,login, shell and nfs ports)
During a port scan Ben uses nmap's default setting and sees the following results. Use this information to answer the following questions. Ben's manager expresses concern about the coveabe of his scan. Why might his manager have this concern?
Ben only tested a limited number of ports
What technique relies on reviewing code without running it?
Saria needs to write a request for proposal for code review and wants to ensure that the reviewers take the business logic behind her organization's applications into account. What type of code review should she specify in the RFP?
A manual code review
What type of diagram used in application threat modeling includes malicious users as well as descriptions like mitgates and threatens?
Misuse case diagrams, uses langauge beyond typical case use diagrams
What is the first step that should occur before a penetration test is performed?
What international framework was SSAE-16 based on?
ISAE 3402 (International Std on Assurance Engagements)
During a penetration test of her organization, Kathleen's IPS detects a port scan that has the URG, FIN and PSH flags set and produces an alarm. What type of scan is the penetration tester attempting?
A Christmas tree (X-mas) scan
Nmap is an example of what type of tool?
(open source) port scanner
What type of vulnerabilities will not be found by a vulnerability scanner?
MITRE's CVE database provides what type of information?
A zero-day vulnerability is announced for the popular Apache web server in the middle of a workday. In Jacob's role as an information security analyst, he needs to quickly scan his network to determine what server are vulnerable to the issue. What is Jacob's best route to quickly identify vulnerable systems?
Identify affected versions and check systems for that version number using an automated scanner.
NIST SP 800-115, the Technical Guide to Information Security Testing and Assessment, provides NIST's process for penetration testing. Using this image as well as your knwledge of penetration testing, answer the following questions. Which of the following is not a part of the discovery phase?
NIST SP 800-115, the Technical Guide to Information Security Testing and Assessment, provides NIST's process for penetration testing. Using this image as well as your knwledge of penetration testing, answer the following questions. NIST specifies four attack pahse steps: gaining access, escalating privileges, system browsing, and installing additional tools. Once attackers install additional tools, what phase will a penetration tester typically return to?
NIST SP 800-115, the Technical Guide to Information Security Testing and Assessment, provides NIST's process for penetration testing. Using this image as well as your knwledge of penetration testing, answer the following questions. Which of the following is not typical part of a penetration test report?
All sensitive data that was gathered during the test
Referring to the figure below, what technology is shown that provides fault tolerance for the database servers?
Joe is the security administrator fo an ERP system. He is preparing to create accounts for several new employees. What defualt access should he give to all of the new employees as he creates the accounts?
Which one of the following is not a privileged administrative activity that should be automatically sent to a log of superuser actions?
Logging into a workstation
Which one of the following individuals is most likely to lead a regulatory investigation?
What type of evidence consists entirely of tangible items that may be brought into a court of law?
Real evidence (Documentary-written items may or may not be in tangible form, Testimonial-verbal given by witness with relevant testimony, Parol-agreement is put into written form, all terms of agreement
Which one of the following trusted recovery types doesn't fail into a secure operating state?
Manual recovery, system doesn't fail into secure state but requires administrator to manually restore operations
Which one of the following might a security team use on a honeypot system to consume an attacker's time while alerting administrators?
Pseudoflaw, false vulnerability in a system that may attract an attacker.
Toni responds to the desk of a user who reports slow system activity. Upon checking outbound network connections from that system, Toni notices a large amount of social media traffic originating from the system. The user doesn't use social media, and when Toni checks the accounts in question, they contain strange messages that appear encrypted. What is the most likely cause of this traffic?
Toni's computer is part of a botnet
Under what virtualization model does the vituralization platform separate the network control plane from the data plane and replace complex network devices with simpler devices that simply receive instructions from the controller?
Jim would like to identify compromiesed systems on his network that may be participating in a botnet. He plans to do this by watching for connections made to known command and control servers. Which one of the following techniques would be most likely provide this information if Jim has access to a list known servers?
Netflow records. Contains a record of every network communication session, compare to a list of known malicious hosts.
Gary was recently hired as the first CISO for a local government agency. The agency recently suffered a security breach and is attempting to build a new information security program. Gary would like to apply some best practices for security operations as he is designing this program. As Gary decides what access permissions he should grant to each user, what principle should guide his decisions about default permissions?
Gary was recently hired as the first CISO for a local government agency. The agency recently suffered a security breach and is attempting to build a new information security program. Gary would like to apply some best practices for security operations as he is designing this program. As Gary designs the program, he uses the matrix shown below. What principle of information security does this matrix most directly help enforce?
Segregation of duties matrix, used to prevent a user from acculmating two permissions that would create a potential conflict
Gary was recently hired as the first CISO for a local government agency. The agency recently suffered a security breach and is attempting to build a new information security program. Gary would like to apply some best practices for security operations as he is designing this program. Gary is preparing to creat an account for a new user and assign privileges to the HR database. What wo elements of infomration must Gary verify before granting this access?
Clearance and need to know
Gary was recently hired as the first CISO for a local government agency. The agency recently suffered a security breach and is attempting to build a new information security program. Gary would like to apply some best practices for security operations as he is designing this program. Gary is preparing to develop controls around access to root encryption keys and would like to apply a principle of security designed specifically for very sensitive operations. Which principle should he apply?
Two person control
When should an organization conduct a review of the privileged access that a user has to sensitive systems?
All of the above. When a user leaves the company, roles change, regular and recurring basis
Which one of the following terms is often used to describe a collection of unrelated patches released in a large collection?
Which one of the following tasks is performed by a forensic disk controller?
Intercepting and modifying or discarding commands sent to the storage device
Lydia is processing access control requests for her organization. She comes across a request where the user does have the required security clearnce, but ther is no business justifcation for the access. Lydia denies this request. What security principle is she following?
Need to know
Which one of the following security tools consists of an unused network address space that may detect unauthorized activity?
Which one of the following mechanisms is not commonly seen as a deterrent to fraud?
Brian recently joined an organization that runs the majority of its services on a virtualization platform located in its own data center but also leverages an IaaS provider for hosting its web services and a SaaS email system. What term best describes the tyepe of cloud environment this organization uses?
Tom is responding to a recent security incident and is seeking information on the approval process for a recent modification to a system's security settings. Where would he most likely find this information?
Mark is considering replacing his organization's customer relationship mgmt (CRM) solution with a new product that is available in the cloud. THe new solution is completely managed by the vendor and Mark's company will not have to write any code or manage any physical resources. What type of cloud solution is Mark considering?
Which one of the following information sources is useful to security administrators seeking a list of information security vulnerabilities in applications, devices and operating systems?
CVE, dictionary with common security related issues
Which of the following would normally be considered an example of a disaster when performing diaster recovery planning? I. Hacking incident, II. Flood, III. Fire, IV. Terrorism
I, II, III, IV
Glenda would like to conduct a disaster recovery test and is seeking a test that will allow a review of the plan with no disruption to normal information system activities and a minimal a commitment of time as possible. What type of test should she choose?
Which one of the following is not an example of a backup tape rotation scheme?
Meet in the middle
Helen is implementing a new security mechanism for granting employees administrative privileges in the accounting system. She designs the process so that both the employee's manager and the accounting manager must approve the request before the access is granted. What information security principle is Helen enforcing?
Two person control
Which one of the following is not requirement for evidence to be admissible in court?
The evidence must be tangible
In which cloud computing model does a customer share computing infrastructure with other customers of the cloud vendor where one customer may not the other's identity?
Which of the following organizations would be likely to have a representative on CSIRT? I. Information security, II. Legal Counsel, III. Senior mgmt, IV. Engineering
I, III, IV
Sam responsible for backing up his company's primary file server. He configured a backup schedule that performs full backups every Monday evening a 9pm. and differential backups on other days of the week at that same time. File change accourding to the information shown in the difure below. How many files will be compied in Wednesday's backup?
Which one the following secuirty tools is not capable of generating an active response to a security event?
In virtualization platofrms, what name is given to the model that is responsible for controlling access to physical resources by virtual resources?
What term is used to describe the default set of privileges assigned to a user when a new account is created?
Entitlement, privileges granted to user when account is first created/provisioned
Which one fo the following types of agreements is the most formal document that ocntains expecations about availability and other performance parameters between a service provider and a customer?
Service Level Agreement (SLA)
Which one of the following frameworks focuses on IT service mgmt and includes topics such as change mgmt, config mgmt, and SLAs?
Richard is experiencing issues with the quality of network service on his organization's network. The primary symptom is that packets are consitently taking too long to travel from source to their destination. What term describes the issue Richard is facing?
Joe is an investigator with a law enforcment agency. He recived a tip that a suspect is communicating sensitive information with a 3rd party via a message board. After obtaining a warrant for the message, he obtained the contents and found that teh message only contanins the image show in the figure below. If this is the sole content of teh communication, what techniques could teh suspect have used to embed sensitive infomraiton in the message?
Which of the following is an example of a manmade disaster?
Which of the following is not ture about the ISC2 code of ethics?
The code applies to all members of the information security profession
Javier is verifying that only IT systems administrators have the ability to log on to servers used for administrative purposes. What principle of information security is he enforcing?
Which one of the following is not a basic preventative measure that you can take to protect your systems and applications against attack?
Conduct forensic imaging of all systems
Tim is a forensic analyst who is attempting to retrieve information from a hard drive. It appears that teh user attempted to erase the data, and Time is trying to reconstruct it. What type of forensic analysis is Tim performing?
Which one of the following is an example of computer security incident?
Unauthorized vulnerability scan of a file server
Which one of the following technologies would provide the most automation of an inventory control process in a cost effective manner?
Connor's company recently experienced a DoS attack that Connor believes came from an inside source. If true, what type of event has the company experienced?
What type of attack is show in the figure below
SYN Flood attack
Florian is buidling a disaster recovery plan for his organization and would like to determine the amount of time that particular IT service may be down without causing serious damage to business operations. What variable is Florian calculating?
MTD (Max Tolerable Downtime)
Which one of the following statements best describes a zero-day vulnerability?
An attack previously unknown to the security community
Which one of the following is not a canon of the ISC2 code of ethics?
Promptly report security vulnerabilites to relevant authorities
During an incident investigation, investigators meet with a systme administrator who may have information about the incident but is not a suspect. What type of conversarion is take place during this meeting?
Beth is selecting a disaster recovery facility for her organization. She would like to choose a fcility that has appropriate enviromnetal controls and power for her operations but wants to minmize costs. She is willing to accept a lengthy recovery time. What type of facility should she choose?
What technique has been used to protec teh IP in the image shown below?
You are working to evaluate the risk of flood to an area and consult flood maps from FEMA. According to those maps, the area lies within a 200 year flood plain. What is the ARO of a flood in that region?
Which one of thef ollowing individuals poses the greatest risk to security in most well-defended organizations?
Veronica is considering the implementation of a database recovery mechanism recommeded by a consultant. In the recommended approach, an automated process will move database backups from the primary facility to an offisite location each night. What type of database recovery technique is the consultant describing?
Electronic vaulting, automated DB backup approach, DB backups are moved from primary to remote server on scheduled daily basis.
When designeing an access control scheme, Hilda set up roles so that the same person does not have the ability to provision a new user account and assigne superuse privleges to an account. What information security principle is Hilda following?
Separation of duties
Reggie recently received a letter from his company's interal auditors scheduling the kickoff meeting for an assessment of his group. Which of the following should Reggie not expect to learn during that meeting?
Which one of the following events marks the completion of a DRP?
Restoring operations in the primary facility
Melanie suspects that someone is using malcious software to steal computing cycles from her company. Which one of the following security tools would be in teh best position to detect this type of incident?
HIDS (Host-based Intrusion Detection System)
Brandon observes that an authorized user of a system on his network recently misused his account to exploit a system vulnerability against a shared server that allow him to gain root access to that server. What type of attack took place?
Carla has worked for her company for 15 years and has held a variety of different positions. Each time she changed positions, she gainsed new privileges associated with that position, but no privileges were ever taken away. What concept describes the sets of privileges she has accumulated?
During what phase of the incident response process do administrators take action to limit the effect or scope of an incident?
Ann is a security professional for a mid-sized business and typically handles log analysis and security monitoring tasks for her organization. One of her roles is to monitor alerts orignating from the organization's IDS. The system typically generates several dozen alerts each day, and many of those alrets turn out to be false alarms after her investigation. This morning, the IDS alerted because teh network began to receive an unusually high volume of inbound traffic. Ann received this alert and began looking into the origin of the traffic. At this point in the incident response process, what term best describes what has occurred in Ann's organization?
Security event, no reason to believe security compromise or policy violation occurred
Ann is a security professional for a mid-sized business and typically handles log analysis and security monitoring tasks for her organization. One of her roles is to monitor alerts orignating from the organization's IDS. The system typically generates several dozen alerts each day, and many of those alrets turn out to be false alarms after her investigation. This morning, the IDS alerted because teh network began to receive an unusually high volume of inbound traffic. Ann received this alert and began looking tino the origin of the traffic. Ann continues her investigation and realizes that the traffic generating the alert in abnormally high volumes of inbound UDP traffic on port 53. What service typicall uses this port?
Ann is a security professional for a mid-sized business and typically handles log analysis and security monitoring tasks for her organization. One of her roles is to monitor alerts orignating from the organization's IDS. The system typically generates several dozen alerts each day, and many of those alrets turn out to be false alarms after her investigation. This morning, the IDS alerted because the network began to receive an unusually high volume of inbound traffic. Ann received this alert and began looking tino the origin of the traffic. As Ann analyzes the traffic further, she realizes that the traffic is coming from many different sources and has overwhelmed the network, preventing legitimate uses. The inbound packets are responses to quires that she doesn't see in outbound traffic. The responses are abnormally large for their type. What type of attack should Ann suspect?
Ann is a security professional for a mid-sized business and typically handles log analysis and security monitoring tasks for her organization. One of her roles is to monitor alerts orignating from the organization's IDS. The system typically generates several dozen alerts each day, and many of those alrets turn out to be false alarms after her investigation. This morning, the IDS alerted because the network began to receive an unusually high volume of inbound traffic. Ann received this alert and began looking tino the origin of the traffic. At this point in the incident response process, what term best describes what has occurred in Ann's organization?
Frank is seeking to introduce a hacker's laptop in court as evidence against the hacker. The laptop does contain logs that indicate the hacker committed the crime, but the court rules tht the search of the apartment that resulted in the police finding the laptop was unconstitutional. What admissibility criteria prevents Frank from introducing the laptop as evidence?
Competence, was not legally obtained correctly
Gordon suspects that a hacker has penetrated a system belonging to his compay. The system doesn't contain any regulated information and Gordon wished to conduct an investigation on behalf of his company. He has permission from his supervisor to conduct the investigation. Which of the following statements is true?
Gordon's investigation may include examining the contents of hard disks, network traffic, and any other systems or information belogning to the company
Which one of the following tools provides an organization with the greatest level of protection against a software vendor going out of business?
Software Escrow agreements, places a copy of the source code for software to a 3rd party, who will turn code over to customer if business ops stops.
Fran is considering new human resources policies for her bank that will deter fraud. She plans to implement a mandatory vacation policy. What is typically considered the shortest effective length of a mandatory vacation?
Which one of the following events would constitute a security incident? 1. An attempted network intrusion, 2. A successful database intrusion, 3. A malware infection, 4. A violation of a confidentiality policy, 5. An unsuccessful attempt to remove information from a secured area.
All of the above 1. An attempted network intrusion, 2. A successful database intrusion, 3. A malware infection, 4. A violation of a confidentiality policy, 5. An unsuccessful attempt to remove information from a secured area.
Which one of the following traffic types should not be blocked by an organization's egress filtering policy?
Traffic with a destination address on a external network
Allie is responsible for reviewing authentication logs on her organization's network. She doesn't have the time to review all logs, so she decides to choose only records where there have been four or more invalid authentication attempts. What technique is Allie using to reduce the size of the pool?
Clipping, uses threshold values to select records that exceed predefined values, most interest to analysts
You are performing an investigation into a potential bot infection on your network an sish to perform a forensic analysis of the information that passed between different systems on your network and those on the Internet. You believe tht teh information was likely encrypted. You are beginning your investigation after the activity concluded. What would be the best and easiest way to obtain the source of this information?
Which one of the following tools helps systems administrators by providing a standard, secure template of configuration setting or operating systems and applications?
What type of disaster recovery test activates the alternate processing facility and uses it to conduct transactions but leaves the primary site up and running?
During which phase of the incident response process would an analyst receive an intrusion detection system alert and verify its accuracy?
In what virtualization model do full guest operating systems run on top of a virtualization platform?
What level of RAID is also known as disk mirroring?
RAID-1 = disk mirroring
Bruce is seeing quite a bit of suspicious activity on his network. It appears that an outside entity is attempting to connect to all of his systems using a TCP connection on port 22. What type of scanning is the outsider likely engaging in?
The historic ping of death attack is most simliar to which of the following model attack types?
Roger recently accepted a new position as a security pforessional at a company that runs its entire IT frastructure wihin an IaaS environment. Which one of the following would most likely be the responsibility of Roger's firm?
Patching operating systems
What technique can application developers use to test application in an ioslated virtualized environment before allowing themon a production network?
Gina is a firwall administrator for a small business and recently installed a new firewall. After seeing signs of unusually heavy network traffic, she checked the IDS, which reported that faggle attack was underway. Whatre FW configuration change can Gina make to most effectively prevent this attack?
Block UDP port 7 and 9 traffic from entering the network. Fraggle attacks uses UDP port 7 and 9
What type of trust relationship extends beyond the two domains participating in the trust to on or more of their subdomains?
Renee is a software developer who writes code in Node.js for her organization. The company is consdiering moving from a self hosted Node.js environment to one where Renee will run her code on application servers managed by a cloud vendor. What type of cloud solution is Renees's company considering?
Timber Indisturies recently go into a dispute with a customer. During a meeting with his account represetative, the customer stood up and declared, "There is no other solution. We will have to take this matter to court." He then left the room. When does Timber Industries have an obligation to begin preserving evidence?
Immediately begin preserving evidence
What legal protection prevents law enforcement agencies from searching a facility or electronic system without either probable cause or consent?
Darcy is a computer security specialist who is assisting with the prosecution of a hacker. The prosecutor request that Darcy give testimony in court about whether, in her opinon, the logs and other records in a case are indicative of a hacking attempt. What type of evidence is Darcy being asked to provide?
Which one of the following techniques is not commonly used to remove unwanted remnant data from magentic tapes?
What is the minimum number of disks required to implement RAID level 1?
min 2 disk required for RAID 1
Jerome is conducting a forensic invetisgation and is reviewing databse server logs to invetisage query contesnt for evidence SQL injection attacks. What type of analysis is he performing?
Quantum Computing regularly ships tapes of backup data across the country to a secondary facility. These tapes contain confidential information. What is the most important security control that Quantum can use to protect these tapes?
Carolyn is concerned that users on her network may be storing sensitive information, such as SSN, on their hard drives without proper authorization or security controls. What technology can she use to best detect this activity?
Under what type of software license does the recipient of software have an unlimited right to copy, modify, distribute, or resell a software package?
In what type of attack do attackers manage to insert themselves into a connection between a user and a legitimate website?
Which one of the following techniques uses statistical methods to select a small number of records from a large pool for further analysis with the goal of choosing a set of records that is represetative of the entire pool?
Sampling, uses statistical techniques to choose a sample representative of the entire pool.
Which one of the following controls protects an organization in the event of a sustainied period of power loss?
When designing an object-oriented model, which of the following situations is ideal?
High cohesion (strength of relationship bwt purposes of methods w/in same class, low coupling (lvl of interaction bwt objects)
Which of the following is a common way that attackers leverage botnets?
All of the above. Sending spam mgs, conducting brute force attacks, Scanning for vulnerable systems
Which one of the following statements is not true about code review?
Code review occurs during the design phase
Harolds' company has a strong password policy that requries a minimum length of 12 characters and the use of both alphanumberic characters and symbols. What techniques would be the most effective way for an attacker to compromise passwords in Harold's organization?
Social engineering attack
Which process is responsible for ensuring that changes to software include acceptance testing?
Which one of the following attack types attempts to exploit the trust relationship that a user's browser has with other websites by forcing the submission of an authenticated request to a 3rd party site?
Cross site request forgery (XSRF or CSRF)
When using the SDLC, which one of these steps should you take before the others?
Functional requirements determination
Jaime is a technical support analyst and is asked to visit a user whose computer is displaying the error message shown here. What state has this computer entered?
Fail secure. "Blue screen of Death"
Which one the following is not a goal of software threat modeling?
To reduce number of threat vectors. STM-reduce number of security related design and coding flaws
In the diagram shown here, which is an example of a method?
Which one of the following is considered primary storage?
Which one of the following testing methodologies typically works without access to source code?
Dyanmic testing (occurs in a black box env. no access to source code)
What concept in object oriented promgramming allows a subclass to access methods belonging to a superclass?
Inheritance, when a subclass (or child class) is able to use methods belonging to a superclass (parent class)
Bobby is investigating how an authorized database user is gaining access to information outside his normal clearance level. Bobby believes that the user is make use of a tuype of function that summarizes data. What term describes this type of function?
Which one of the following controls would best protesct an application against buffer overflow attacks?
Input validation (server-side). Limits user input to approved range of values that fits w/in allocated buffers
Berta is analyzing the logs of the Windows Firewall on one of her servers and comes across the entries shown in this figure. What type of attack do these entries indicate?
Robert is a consutlant who helps organizations create and develop mature software development practices. He prefers to use the Software Capability Maturity Model (SW-CMM) to evaluate the current and future status of organizations using both independent review and self-assessments. He is currently working with two different clients. Acme Widgets is not very well organizaed with their software development practices. They have a deicated team of developers who do "whatever it takes" to get software out the door, but they do not have any formal processes. Beta Particles is a compnay with years of experience developing software using foraml, documented software development processes. They use a standard model for software developement but do not have quantitative management of those processes. What phase of SW-CMM should Robert report as the current status of Acme Widgets?
Robert is a consutlant who helps organizations create and develop mature software development practices. He prefers to use the Software Capability Maturity Model (SW-CMM) to evaluate the current and future status of organizations using both independent review and self-assessments. He is currently working with two different clients. Acme Widgets is not very well organizaed with their software development practices. They have a deicated team of developers who do "whatever it takes" to get software out the door, but they do not have any formal processes. Beta Particles is a compnay with years of experience developing software using foraml, documented software development processes. They use a standard model for software developement but do not have quantitative management of those processes. Robert is working with Acme Widgets on a strategy to advance their software development practices. What SW-CMM stage should be their next target milestone?
Repeatable (basic life cycle mgmt processes)
Robert is a consutlant who helps organizations create and develop mature software development practices. He prefers to use the Software Capability Maturity Model (SW-CMM) to evaluate the current and future status of organizations using both independent review and self-assessments. He is currently working with two different clients. Acme Widgets is not very well organizaed with their software development practices. They have a deicated team of developers who do "whatever it takes" to get software out the door, but they do not have any formal processes. Beta Particles is a compnay with years of experience developing software using foraml, documented software development processes. They use a standard model for software developement but do not have quantitative management of those processes. What phase of the SW-CMM should Robert report as the current status of Beta Particles?
Defined (presence of basic life cycle mgmt processes and reuse of code) Requirement mgmt, SW project planning, QA, config mgmt practices
Robert is a consutlant who helps organizations create and develop mature software development practices. He prefers to use the Software Capability Maturity Model (SW-CMM) to evaluate the current and future status of organizations using both independent review and self-assessments. He is currently working with two different clients. Acme Widgets is not very well organizaed with their software development practices. They have a deicated team of developers who do "whatever it takes" to get software out the door, but they do not have any formal processes. Beta Particles is a compnay with years of experience developing software using foraml, documented software development processes. They use a standard model for software developement but do not have quantitative management of those processes. Robert is also working with Beta Particles on a strategy to advance their software development practices. What SW-CMM stage should be their next target target milestone?
Which one of the following database keys is used to enforce referential integrity relationships between tables?
Which one of the following files is most likely to contain a macro virus?
projections.doc (commonly found in Windows docs. (.doc/.docx/.xls/.xlx/.ppt/.pptx)
Victor created a dtabase table that contains information on his organization's employees. Teh table contains the employee's user ID, theree different telephone number fields (home, work and mobile), the employee's officer location, and the employee's job title. There are 16 records in the table. What is the degree of this table?
6 attributes(employee ID, 3 phone fields, office location, job title)
Carrie is analyzing the application logs for her web-based application and comes across the following string: ../../../../../../../../../etc/passwd What type of attack was likely attempted against Carrie's application?
Directory traversal attack (force web app to navigate up to retrieve pwd file)
When should a design review take place when following SDLC approach to software development?
After the development of functional requirements
Tracy is preparing to apply a patch to her organization's enterprise resource planning system. She is concerned that the patch may introduce flaws that did not exist in prior versions, so she plans to conduct a test that will compare previous responses to input with those produced by the newly patched application. What type of testing is Tracy planning?
What term is used to describe the level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during its life cycle, and the software functions in the intended manner?
Victor recently took a new position at an online dating website and is responsible for leadering a team of developers. He realized quickly that the developers are having issues with procudtion code because the are working on different projects that result in conflicting modifications to the production code. What process should Victor invest in improving?
What type of database security issue exists when a collection of facts has a higher classification than the classificiation of any of those facts standing alone?
What are the two types of covert channels that are commonly exploited by attakers seeking to surreptitiously exfiltrate information?
Timing (conveys channel info, alerting performance or modifying resource's timing) and storage (writes info to a common area to be read by another process)
Vivan would like to hire a software tester to come in and evaluate a new web application froma user's perspective. Which of the following test best simulates that perspective?
Referring to the database transaction shown here, what would happen if no account exists in the Accounts table with account number 1001?
The database would ignore that command and still reduce the balance of the 2nd account by $250
What type of malware is characterized by spreading from system to system under it's own power by exploiting vulnerabilities that do not require user intervention?
Kim is troubleshooting an application firewall that serves as a supplement to the organizaiton's network and hosts firewalls and IPS, providing added protection against web-based attacks. The issue the organization is experiencing is that the firewall technology suffers somewhat frequent restarts that render it unavailable for 10 minutes at a time. What configuration might Kim consider to maintain availability during that period at the lowest cost to the company?
What type of security issue arises when an attacker can deduce a more sensitive piece of information by analyzing several pieces of information classified at a lower level?
Inference. An attacker can pull together piececs of less sensitive info and use them to derive info of great sensistivity
Greg is battling a malware outbreak in his organization. He used specialized malware analysis tools to capture samples of malware from three different systems and noticed that the code is changing slightly from infection to infection. Greg believes that this is the reason that antivirus software is having a tought time defeating the outbreak. What type of malware should Greg suspect is responsible for this security incident?
Linda is reviewing posts to a user forum on her company's website and, when she browses a certain post, a message pops up in a dialog box on her screen reading "Alert." She reviews the cource code for the post and finds the following code snippet: <script>alert( 'Alert' );</script> What vulnerability defintiely exists on Linda's message board?
Cross site scripting (XSS)
Linda is reviewing posts to a user forum on her company's website and, when she browses a certain post, a message pops up in a dialog box on her screen reading "Alert." She reviews the cource code for the post and finds the following code snippet: <script>alert( 'Alert' );</script> What was the likely motivation of the user who posted the message on the forum containing this code?
Linda is reviewing posts to a user forum on her company's website and, when she browses a certain post, a message pops up in a dialog box on her screen reading "Alert." She reviews the cource code for the post and finds the following code snippet: <script>alert( 'Alert' );</script> Linda communicates with the vendor and determines that no patch is available to correct his vulnerability. Which one of the following devices would best helper defend the application against further attack?
WAF (Web application Firewall)
Linda is reviewing posts to a user forum on her company's website and, when she browses a certain post, a message pops up in a dialog box on her screen reading "Alert." She reviews the cource code for the post and finds the following code snippet: <script>alert( 'Alert' );</script> In further discussions with the vendor, Linda finds that they are willing to correct the issue but do not know how to update their software. What technique would be most effective in mitigating the vulnerability of the application to this type of attack?
Input validation (user-supplied input)
What property of relational databases esnures that once a database transaction is committed to the database, it is preserved?
Durability, once a trancation is committed to the DB it must be preserved
Which one of the followoing programming languages does not make use of a compiler?
Which one of the following is not a technique used by virus authors to hide the existence of their virus from antimalware software?
Which one of the following types of software testing usually occurs last and is executed against test scenarios?
User acceptance testing (UAT)
What type of requirement specifies what software must do by describing the inputs, behavior, and outputs of software?
Functional requirements (specify inputs, behavior, outputs of software)
Which of the following organizations is widely consdered as the definitive source for information on web based attack vectors?
Open Web Application Security Project (OWASP)
In an object-oriented programming language, what dos one object invoke in a second object to interact with the second object?
Lisa is attempting to prevent her network from being tagreted by IP spoofing attacks as a well as preventing her network from being the source of those attacks. Which one fo the following rules is not a best practice that Lisa can configure at her network border?
Block packets with public IP addresses from entering the network
What type of attack is demonstrated in the C programming language example below? int myarray; myarray = 8;
Overflow (off by one error)
Which one of the following database issues occurs when one transaction writes a value to the database that overwrites a value tha was needed by transactions with earlier precedence?
Which one of the following is the most effective control aganist session hijacking attacks?
TLS (Transport Layer Security)
Faith is looking a the /etc/passwd file on a system configured to use shadowed passwords. When she examines a line in the file for a user with interactive login perissions, what should she expect ot see in the password field?
What type of vulnerability does a TOC/TOU attack target?
Race condition (timing of actions grants impermissible actions)
While evaluating a potential security incident, Harry comes across a log entry from a web server requests showing that a user entred the following input into a form field: CARROT'&1=1;-- What type of attack was attempted?
SQL injection attack (single quotation mark in input field)
Which one of the following is not an effective control aganist SQL injection attacks?
Client side input validation (easily bypass validation)
What type of project management tool is shown in the figure?
PERT chart (uses nodes to represent milestones or deliverables, showing est time to move between milestones)
In what software testing technique does the evaluator retest a large number of scenarios each time that the software changes to verify that the results are consistent with the standard baseline?
Regression (after developer made changes to app)
Which one of the following conditions may make an application most vulnerable to a XSS attack?
Roger is conducting a software test for a tax preparation application developed by his company. End users will access the application over the web, but Roger is conducting his test on the back end, evaluating the source code on the web server. What type of test is Roger conducting?
Which of the following statements is true about heuristic based antimalware software?
It has a higher likelihood of detecting zero-day exploits than signature detection
Martin is inspecting a system where the user reported unusual activity, including disk activity when the system is idle and abnormal CPU and network usage. He suspects that the machine is infected by a virus but scans come up clean. What malware technique might in use her that would explain the clean scan results?
Tomas discovers a line in his application log that appears to correspond with an attempt to conduct a directory traversal attack. He believes the attack was condcuted using URL encoding. The line reads: %252E%252E%252F%252E%252E%252Fetc/passwd What character is respresented by the %252E value?
An attacker posted a message to a public discussion forum that contains an embedded malicious script that is not displayed to the user but executes on the user's system when read. What type of attack is this?
Which one of the following is not a principle of the Agile software development process?
Clear documentation is the primary measure of progress
Samantha is responsible for the development of three new code modules that will form part of a complex system that her company is developing. She is prepared to publish her code and runs a series of tests against each module to verify that it works as intended. What type of testing is Samantha conducting?
What are thet two components of an expert system?
knowledge bank (collected wisdom) and inference engine (make decisions based on info from knowledge bank)
Neal is working with DyanamoDB database. The database is not structured like a relational database but allows Neal to sotre data using a key-value store. What type of database is DynamoDB?
In the transaction shown here, what would happen if the database failed in between the first and second update statement?
The database would roll back the transaction, ignoring the results of both commands
In the diagram shown here, which is an example of a attribute?
Owner (or Balance) are attributes
Which one of the following statements is true about software testing?
Static testing performs code analysis
David is working on developing a project schedule for a software development effort, and he comes across the chart shown here. What type of chart is this?
Barry is a software tester who is working with a new gaming application developed by his company. He is playing the game on a smartphone to conduct his testing in a environment that best simluates a normal end user, but he is referencing the source code as he conducts his test. What type of test is Barry conducting?
Miguel recently completed a penetration test of the applications that his organization uses to handle sensitve information. During his testing, he discovered a condition where an attacker can exploit a timing condition to mainpulate software into allowing him to perform an unauthorized action. Which one of the following attack types fits this scenario?
TOC/TOU (Time of check to time of understanding)
In the diagram shown here, which is an example of a class?
Gary is designing a database-driven application that relies on the use of aggregate functions. Which one of the following database concurrency issues might occur with aggregate fucntions and should be one of Gary's top concerns?
Incorrect summaries(one transaction uses aggregate function, 2nd transaction makes modification to database)
Which one of the following approaches to failure management is the most conservative from a security perspective?
Fail closed (prevents any activity from taking place during a system security failure)
What software development model is shown in the figure?
Spiral model of SDLC
Which of the following database keys is used by an RDBMS to uniquely identify each row in a database table?
Primary key (RDBMS relational database mgmt systems)
Which one of the following change mgmt processes is inititated by users rather than developers?
Which one of the following techniques is an effective countermeasure against some inference attacks?
Polyinstantiation (stores info in a DB at different levels prevents inference)
Ursula is a government web developer who recetnly created a public application that offers property records. She would like to make it available for other developers to integrate into their applications. What can Ursula create to make it easiest for developers to call her code directly and integrate the output into their applications?
During what phase of the IDEAL model do organizations develop a specific plan of action for implementing change?
TJ is inspecting a system where the user reported a strange error message and the inability to access files. He sees the window shown in the figure. What type of malware should TJ suspect?
What function can be used to convert a string to a safe value for use in passing from a PHP application to a database?
Which one of the following types of artificial intelligence attempts to use complex computations to replicate the partial function of the human mind?
At which level of the SW-CMM does an organization introduce basic life cycle mgmt processes?
Repeatable level of SW-CMM
Lucas runs the accounting systems for his company. The morning after a key employee was fired, systems began mysteriously losing information. Lucas suspects that the fired employee tampered with the systems prior to his departure. Wht type of attack should Lucas suspect?
Which one of the following principles would not be favored in an Agile approach to software development?
Processes and tools over individuals and interactions (Agile values the opposite of this answer)
What technique do API developers most commonly use to limit access to an API authorized individuals and applications?
Which one of the following statements about malware is correct?
Signature detection is the most effective technique to combat known malware
Which one of the following is the proper order of steps in the waterfall model of software development?
Requirements, Design, Coding, Testing and Maintenance
Which component of the database ACID model ensures that database transcation are an "all or nothing" affair?
Atomicity (all or nothing)
Tom is writing a software program that calculates the sales tax for online orders placed from various jurisdictions. The application includes a user-definted field tha allows the entry of the total sales amount. Tom would like to ensure that the data entered in this field is a properly formatted dollar amount. What technique should he use?
Mal is eavesdropping on the unencrypted communication between the user of a website and the web server. She manages to intercept the cookies from a request header. What type of attack can she perform with these cookies?
Which of the following vulnerabilities might be discovered during a penetration test of a web-based application?
All of the above. XSS, XSRF, SQL injection
What approach to technology management integrates the three componetns of technology management shown in this illustration?
DevOps (integrates Software Development, Ops, QA)
Which one of the following tools might an attacker use to best identify vulnerabilities in a targeted system?
Which one fo the following database concurrency issues occurs when one transaction reads information that was written to a database by a second transaction that never committed?
What type of virus works by latering the system boot prodcess to redirect the BIOS ot load malware before the operating system loads?
MBR (Master Boot Record) virus
What type of virus is characterized by the use of two or more different propagation mechanisms to improve its likeilhood of spreading between systems?