CYB/205: Infrastructure Administration

Answers

Q: Kim wants to place a device on the outward-facing areas of the organization’s network that may be broken into by an attacker so that she can evaluate the strategies that hackers are using on her systems. Which of the following would she use?

A: Honeypot

Explanation: A honeypot is a system that allows investigators to evaluate and analyze the attack strategies used by attackers. It is a sacrificial system placed on the outward-facing areas of the organization’s network. The purpose of a honeypot is to allow an attacker limited, controlled access to the organization’s systems so that more can be learned about system vulnerabilities by watching the attacker attempt to exploit vulnerabilities in those systems.

Answer B is incorrect. A sandbox is an isolated, highly controlled software and hardware environment in which software and data can be tested, inspected, and evaluated.

Answer C is incorrect. Network access control (NAC) is the set of services that give network administrators the ability to define and control what devices, processes, and persons can connect to the network or to individual subnetworks or segments of that network.

Answer D is incorrect. This is an invalid option.

Q: Which of the following are the key characteristics of information?

Each correct answer represents a complete solution. Choose all that apply.

A: Privacy, Confidentiality, Integrity

Explanation: Information focuses on what people use and what kind of security it needs. The key characteristics of information that directly relate to keeping it safe, secure, and reliable are confidentiality, integrity, privacy, and availability.

Answer A is incorrect. Interchangeability means using an object or symbol in place of another. This couldn’t be a key characteristic of information, as the change of an object will change the related information as well.

Q: What are the forms of the layers of an organization’s function?

Each correct answer represents a complete solution. Choose all that apply.

A: Physical systems elements, Logical elements, Administrative elements

Explanation: Here are the forms of the layers of an organization’s function:

Physical systems elements are typically things such as buildings, machinery, wiring systems, and the hardware elements of IT systems.

Administrative elements are the policies, procedures, training, and expectations that are spelled out for the humans in the organization to follow.

Logical elements (sometimes called technical elements) are software, firmware, database, or other control systems settings that are used to make the physical elements of the organization’s IT systems obey the dictates and meet the needs of the administrative ones.

Answer B is incorrect. Control elements are not one of the forms of the layers of an organization’s function.

Q: Lauren starts at her new job and finds that she has access to a variety of systems that she does not need to accomplish her job. This is a violation of which of the following?

A: Least privilege

Explanation: When users have more rights than they need to accomplish their job, they have excessive privileges. This is a violation of the concept of least privilege. Using the least privilege concept gives a privileged account only the minimum rights and capabilities required for a role.

Answer A is incorrect. Provisioning starts with the initial claim of identity and a request to create a set of credentials for that identity.

Answer D is incorrect. Rights collision is a made-up term.

Answer C is incorrect. Revocation is the formal process of terminating access privileges for a specific identity in a system.

Q: Renee is using encryption to safeguard sensitive business secrets when in transit over the Internet. What risk metric is she attempting to lower?

A: Likelihood

Explanation: Renee is attempting to lower the likelihood or probability of a risk. Using encryption reduces the risk by lowering the likelihood that an eavesdropper will be able to gain access to sensitive information.

Answer A is incorrect. The recovery time objective (RTO) is the amount of time in which system functionality or the ability to perform the business process must be back in operation.

Answer B is incorrect. The annual rate of occurrence (ARO) is an estimate of how many times per year a particular risk is considered likely to occur.

Answer C is incorrect. The safeguard value (SV) is the cost to install, activate, and use the risk mitigation controls that protect from the impact of a risk event.

Q: Kay is selecting an application management approach for her organization. Employees need the flexibility to install software on their systems, but Kay wants to prevent them from installing certain prohibited packages. What type of approach should she use?

A: Blacklist

Explanation: According to the scenario, Kay should use the blacklist approach. This approach to application control blocks certain prohibited packages but allows the installation of other software on systems.

Answer C is incorrect. Middleware is special-purpose software that bridges the functional and interface gaps between different systems, applications, or platforms. It provides unified services to users.

Answer D is incorrect. The whitelist approach uses the reverse philosophy and allows only approved software.

Answer B is incorrect. This is an invalid option.

Q: Stella is using a phishing attack to masquerade as a senior player of an organization and directly target other important individuals of the organization with the aim of stealing money or sensitive information. Which type of phishing attack is she using?

A: Whaling

Explanation: Stella is using the whaling attack, which aims at the senior level in an organization. This attack targets high-worth or highly placed individuals, such as a chief financial officer (CFO), and uses much the same storyline to attempt to get the chief financial officer to ask a clerk to initiate a funds transfer.

Answer B is incorrect. A spear phishing attack is aimed at lower-level personnel in large organizations—people who by themselves can’t or don’t do great things or wield great authority and power inside the company but who may know or have access to some little bit of information or power the attacker can make use of.

Answer A is incorrect. A brute-force attack is a trial-and-error method used to decode sensitive data.

Answer D is incorrect. Scareware is a malware tactic that manipulates users into believing they need to download or buy malicious, sometimes useless, software.

Q: Ben needs to verify that the most recent patch for his organization’s critical application did not introduce issues elsewhere. What type of testing does Ben need to conduct to ensure this?

A: Regression testing

Explanation: Ben should conduct regression testing, which ensures the proper functioning of an application or system after it has been changed. It ensures that changes have not introduced new issues. It is the verification that a fix to one system element did not break others.

Answer B is incorrect. Acceptance testing confirms to the end users that all of the stated requirements have been correctly implemented in the system being tested.

Answers A and C are incorrect. Ethical penetration testing is security testing focused on trying to actively find and exploit vulnerabilities in an organization’s information security posture, processes, procedures, and systems. Pen-testing, as it’s sometimes called, often looks to use “ethical hackers” who attempt to gain access to protected, secure elements of those systems.

Q: NIST, in its special publication 800-61r2, refines the mitigation phase by breaking it down into which of the following steps?

Each correct answer represents a complete solution. Choose all that apply.

A: Containment, Eradication

Explanation: NIST, in its special publication 800-61r2, refines the mitigation phase by breaking it down into containment and eradication steps. Containment is the process of identifying the affected or infected systems elements and isolating them from the rest of your systems to prevent the disruption-causing agent from spreading. Eradication is the process of identifying and removing every instance of the causal agent and its associated files, executables, and so forth from all elements of your system.

Answers C and D are incorrect. NIST, in its special publication 800-61r2, refines the lessons learned phase into information sharing and coordination activities.

Q: How many nodes or hosts per network does a Class C address support?

A: 256

Explanation: Class C addresses are used for small networks. This allows for 2,097,152 networks and 256 hosts or nodes per network.

Answers B and D are incorrect. Class A addresses allow for 128 networks and 16,777,216 hosts or nodes per network.

Answer C is incorrect. Class B addresses support 65,536 hosts or nodes per network.

Q: During what phase of the incident response process would security professionals analyze the process itself to determine whether any improvements are warranted?

A: Lessons learned

Explanation: During the lessons learned phase, analysts close out an incident by conducting a review of the entire incident response process. This may include making recommendations for improvements to the process that will streamline the efficiency and effectiveness of future incident response efforts.

Answer C is incorrect. The detection phase detects irregular activities and figures out exactly what is happening.

Answer D is incorrect. The preparation phase involves implementing the right tools and setting up the right processes ahead of an incident occurring.

Answer A is incorrect. The recovery phase restores and returns affected systems and devices back into your business environment.

Q: During troubleshooting, Chris uses the nslookup command to check the IP address of a host he is attempting to connect to. The IP he sees in the response is not the IP that should resolve when the lookup is done. What type of attack has likely been conducted?

A: DNS poisoning

Explanation: A DNS poisoning attack occurs when an attacker changes the domain name to IP address mappings of a system to redirect traffic to alternate systems.

Answer B is incorrect. A bluesnarfing attack is the theft of information from a wireless device through a Bluetooth connection.

Answer D is incorrect. An ARP spoofing attack is a type of attack in which a malicious actor sends falsified Address Resolution Protocol (ARP) messages over a local area network.

Answer A is incorrect. A phishing attack is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers.

Q: Norm would like to conduct a disaster recovery test for his organization and wants to choose the most thorough type of test, recognizing that it may be quite disruptive. What type of test should Norm choose?

A: Full interruption

Explanation: During a full interruption test, the team takes down the primary site and confirms that the disaster recovery site is capable of handling regular operations. The full interruption test is the most thorough test but also the most disruptive.

Answer D is incorrect. During a parallel test, the team actually activates the disaster recovery site for testing, but the primary site remains operational.

Answer C is incorrect. During a structured walk-through test, team members come together and walk through a scenario without making any changes to information systems.

Answer B is incorrect. During a checklist review, team members each review the contents of their disaster recovery checklists on their own and suggest any necessary changes. The checklist review is the least disruptive type of disaster recovery test.

Q: What type of attack would the following precautions help prevent?

Requesting proof of identity

Requiring callback authorizations on voice-only requests

Not changing passwords via voice communications

A: Social engineering

Explanation: Social engineering encompasses almost any effort to learn about the people in the organization and find exploitable weaknesses via those people. Each of the precautions (requesting proof of identity, requiring callback authorizations on voice-only requests, and not changing passwords via voice communications) helps to prevent social engineering by helping prevent exploitation of trust. Avoiding voice-only communications is particularly important since establishing identity over the phone is difficult.

Answers B, A, and C are incorrect because the listed attacks would not be prevented by these techniques.

Q: The preamble of the (ISC)2 Code of Ethics reminds us of which of the following?

A: All of these

Explanation: The preamble of the (ISC)2 Code of Ethics reminds us of:

Safety and welfare of society

The common good

Duty to our principals

Our duty to each other

Adhere and be seen to adhere to

Q: Juniper Content is a web content development company with 40 employees located in two offices: one in New York and a smaller office in the San Francisco Bay Area. You are the newly appointed IT manager for Juniper Content, and you are working to augment existing security controls to improve the organization’s security.

You are concerned about the availability of data stored on each office’s server. You would like to add technology that would enable continued access to files located on the server even if a hard drive in a server fails. Which of the following will help in accomplishing the task?

A: RAID

Explanation: Redundant array of independent disks (RAID) uses additional hard drives to protect the server against the failure of a single device. It is a method of storing data across several different hard disks. Using this system, data is written to a series of hard disks in such a manner as to provide either speed or data redundancy.

Answer A is incorrect. Security information and event management (SIEM) is an application system that provides a centralized capability to collect, assess, monitor, and analyze information pertaining to precursors, indicators, and information security events.

Answer B is incorrect. A network operations center (NOC) performs valuable roles in maintaining the day-to-day operation of the network infrastructure.

Answer C is incorrect. An integrated development environment (IDE) is a set of software tools that can be used together to design, develop, test, integrate, and deploy software systems and applications.

Q: Which of the following steps of the PDCA cycle is the process of laying out the step-by-step path we need to take to go from “where we are” to “where we want to be”?

A: Planning

Explanation: Planning is the process of laying out the step-by-step path we need to take to go from “where we are” to “where we want to be.” It’s a natural human activity; we do this every moment of our lives.

Answer A is incorrect. Checking is part of conducting due diligence on what the plan asked us to achieve and how it asked us to get it done.

Answer D is incorrect. Acting is the phase that involves making decisions and taking corrective or amplifying actions based on what the checking activities revealed.

Answer C is incorrect. Doing is the phase that encompasses everything it takes to accomplish the plan.

Q: Andrew believes that a digital certificate belonging to his organization was compromised and would like to add it to a Certificate Revocation List. Who must add the certificate to the Certificate Revocation List?

A: The certificate authority that issued the certificate

Explanation: The certificate authority must add the certificate to the Certificate Revocation List, which is a list of certificates that have either expired or been revoked due to compromise or other situations. The certificate authority issues, manages, and revokes digital certificates. The topmost certificate authority is referred to as the root certificate authority.

Q: In an organization, a dashboard provides which of the following aspects of a critical information infrastructure’s security situation?

Each correct answer represents a complete solution. Choose all that apply.

A: Real-time and near-real-time incident information, Systems health information, Real-time and near-real-time indicators and warnings

Explanation: In an organization, dashboards provide at-a-glance insight into several aspects of a critical information infrastructure’s security situation:

Real-time and near-real-time incident information

Real-time and near-real-time indicators and warnings

Current status of ongoing risk mitigation projects and activities

Systems health information, whether for critical nodes in the information architecture or across the user base of systems

Q: Which one of the following metrics specifies the amount of time that business continuity planners find acceptable for the restoration of service after a disaster?

A: RTO

Explanation: The recovery time objective (RTO) specifies the amount of time that business continuity planners find acceptable for the restoration of service after a disaster. It is the time by which the systems must be restored to normal operational function after the occurrence of the risk event.

Answer B is incorrect. The exposure factor (EF) is the fraction of the value of the asset, process, or outcome that will be lost from a single occurrence of the risk event.

Answer D is incorrect. The single loss expectancy (SLE) is the total direct and indirect costs (or losses) from a single occurrence of a risk event.

Answer C is incorrect. The maximum allowable outage (MAO) is the greatest time period that business operations can be allowed to be disrupted by a risk event.

Q: Ann is a security professional for a midsize business and typically handles log analysis and security monitoring tasks for her organization. One of her roles is to monitor alerts originating from the organization’s intrusion detection system. The system typically generates several dozen alerts each day, and many of those alerts turn out to be false alarms after her investigation. This morning, the intrusion detection system gave an alert because the network began to receive an unusually high volume of inbound traffic. Ann received this alert and began looking into the origin of the traffic. Ann continues her investigation and realizes that the traffic generating the alert is an abnormally high volume of inbound UDP traffic on port 53. What service typically uses this port?

A: DNS

Explanation: The Domain Name System (DNS) commonly uses port 53 for both TCP and UDP communications. DNS resolves domain names into IP addresses for network routing.

Answer B is incorrect. Secure Shell (SSH) is used to manage network devices securely at the command level and uses TCP port 22.

Answer C is incorrect. Secure Socket Layer (SSL) and Transport Layer Security (TLS) do not have ports assigned to them but are commonly used for Hypertext Transfer Protocol Secure (HTTPS) traffic on port 443.

Answer D is incorrect. Unencrypted web traffic over the Hypertext Transfer Protocol (HTTP) often uses port 80.

Q: Alex’s job requires him to see protected health information to ensure the proper treatment of patients. His access to their medical records does not provide access to patient addresses or billing information. What access control concept best describes this control?

A: Need to know

Explanation: Need to know is applied when subjects like Alex have access to only the data they need to accomplish their job. Need to know limits who has access to read, use, or modify data based on whether their job functions require them to do so.

Answers D and B are incorrect. Separation or segregation of duties is used to limit fraud and abuse by having multiple employees perform parts of a task.

Answer C is incorrect. Privilege creep happens when duties have changed and yet privileges that are no longer actually needed remain in effect for a given user.

Q: Ann is a security professional for a midsize business and typically handles log analysis and security monitoring tasks for her organization. One of her roles is to monitor alerts originating from the organization’s intrusion detection system. The system typically generates several dozen alerts each day, and many of those alerts turn out to be false alarms after her investigation. This morning, the intrusion detection system gave an alert because the network began to receive an unusually high volume of inbound traffic. Ann received this alert and began looking into the origin of the traffic.

A: Security event

Explanation: At this point in the incident response process, Ann has no reason to believe that any actual security compromise or policy violation took place, so this situation does not meet the criteria for a security incident or intrusion. Rather, the alert generated by the intrusion detection system is simply a security event requiring further investigation.

Q: Elaine is developing a business continuity plan for her organization. What value should she seek to minimize?

A: RTO

Explanation: Elaine should seek to minimize the recovery time objective value. The goal of business continuity planning exercises is to reduce the amount of time required to restore operations. This is done by minimizing the recovery time objective (RTO). RTO is the amount of time expected to return an IT service or component to operation after a failure.

Answer C is incorrect. SLAs (service-level agreements) are written contracts that document service expectations.

Answers B and D are incorrect. The Secure Socket Layer (SSL) and the Lightweight Directory Access Protocol (LDAP) are network protocols.

Q: Derek sets up a series of virtual machines that are automatically created in a completely isolated environment. Once created, the systems are used to run potentially malicious software and files. The actions taken by those files and programs are recorded and then reported. What technique is Derek using?

A: Sandboxing

Explanation: Derek is using a sandboxing technique, which is a software management strategy that isolates applications from critical system resources and other programs.

Answer B is incorrect. A honeypot is a sacrificial system placed on the outward-facing areas of the organization’s network.

Answer A is incorrect. Network access control (NAC) is a set of services that give network administrators the ability to define and control what devices, processes, and persons can connect to the network or to individual subnetworks or segments of that network.

Answer D is incorrect. Social engineering encompasses almost any effort to learn about the people in the organization and find exploitable weaknesses via those people.

Q: Which of the following cryptographic goals protects against the risks posed when a device is lost or stolen?

A: Confidentiality

Explanation: The greatest risk when a device is lost or stolen is that sensitive data contained on the device will fall into the wrong hands. Confidentiality protects against this risk.

Answer B is incorrect. Nonrepudiation provides ways to sign messages, documents, and even software executables so that recipients can be assured of their authenticity.

Answer A is incorrect. Authentication is the act of examining or testing the identity credentials provided by a subject that is requesting access.

Answer D is incorrect. Accounting is the process of keeping logs or other records that show access requests, whether those were granted or not, and a history of what resources in the system that subject then accessed.

Q: Which of the following is an exploitation of a newly discovered vulnerability before that vulnerability is discovered by or reported to the developers, vendors, or users of the affected system?

A: Zero-day

Explanation: A zero-day exploit or attack is an exploitation of a newly discovered vulnerability before the vulnerability is discovered by or reported to the developers, vendors, or users of the affected system. The term suggests that the system’s defenders have zero time to prepare for such an exploit since they are not aware of the vulnerability or the potential for an attack based on it.

Answer C is incorrect. A bluesnarfing attack is the theft of information from a wireless device through a Bluetooth connection.

Answer B is incorrect. A whaling attack targets high-worth or highly placed individuals, such as a chief financial officer (CFO), and uses much the same storyline to attempt to get the chief financial officer to ask a clerk to initiate a funds transfer.

Answer A is incorrect. A phishing attack is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers.

Q: You are conducting a qualitative risk assessment for your organization. The two important risk elements that should weigh most heavily in your analysis of risk are probability and ___________.

A: impact

Explanation: The two most important elements of a qualitative risk assessment are determining the probability and impact of each risk upon the organization.

Answer D is incorrect. Likelihood is another word for probability.

Answer A is incorrect. Availability means that the information can be extracted, produced, or displayed where it is needed.

Answer C is incorrect. Cost should be taken into account but is only one element of impact, which also includes reputational damage, operational disruption, and other ill effects.

Q: Tom is conducting a business continuity planning effort for Orange Blossoms, a fruit orchard located in Central Florida. During the assessment process, the committee determined that there is a small risk of snow in the region but that the cost of implementing controls to reduce the impact of that risk is not warranted. They elect to not take any specific action in response to the risk. What risk management strategy is Orange Blossoms pursuing?

A: Risk acceptance

Explanation: According to the scenario, Orange Blossoms is pursuing a risk acceptance strategy. It occurs when an organization determines that the costs involved in pursuing other risk management strategies are not justified and chooses not to pursue any action.

Answer C is incorrect. A risk mitigation strategy includes repairing or replacing the vulnerable system and is often called fixing or mitigating the risk.

Answer D is incorrect. A risk transference strategy involves paying someone else to take on the work of repairs, reimbursements, or replacement of damaged systems if the risk event occurs.

Answer A is incorrect. A risk avoidance strategy involves changing a business process so that the risk no longer applies.

Q: Tamara recently decided to purchase cyber-liability insurance to cover her company’s costs in the event of a data breach. What risk management strategy is she pursuing?

A: Risk transference

Explanation: Tamara is pursuing a risk transference strategy. It involves shifting the impact of a potential risk from the organization incurring the risk to another organization. Insurance is a common example of risk transference.

Answer A is incorrect. A risk acceptance strategy involves accepting the identified risk and not taking any other action to reduce the risk.

Answer B is incorrect. A risk mitigation strategy includes repairing or replacing the vulnerable system and is often called fixing or mitigating the risk.

Answer D is incorrect. A risk avoidance strategy involves changing a business process so that the risk no longer applies.

Q: What type of access control is intended to discover unwanted or unauthorized activity by providing information after the event has occurred?

A: Detective

Explanation: Detective access controls operate after the fact and are intended to detect or discover unwanted access or activity. Examples of detective access controls include guard dogs, motion detectors, recording and reviewing of events seen by security cameras or CCTV, etc.

Answer D is incorrect. Preventive access controls are designed to prevent the activity from occurring.

Answer C is incorrect. Corrective controls return an environment to its original status after an issue occurs.

Answer A is incorrect. Directive access controls are deployed to direct, confine, or control the actions of the subject to force or encourage compliance with security policies.

Q: During which of the following disaster recovery tests does the team sit together and discuss the response to a scenario but not actually activate any disaster recovery controls?

A: Structured walk-through

Explanation: During a structured walk-through test, team members come together and walk through a scenario without making any changes to information systems. This test is the most common of the plan tests and may be performed frequently across different business units.

Answer A is incorrect. During a checklist review, team members each review the contents of their disaster recovery checklists on their own and suggest any necessary changes. The checklist review is the least disruptive type of disaster recovery test.

Answer D is incorrect. During a full interruption test, the team takes down the primary site and confirms that the disaster recovery site is capable of handling regular operations. The full interruption test is the most thorough test but also the most disruptive.

Answer C is incorrect. During a parallel test, the team actually activates the disaster recovery site for testing, but the primary site remains operational.

Q: Fred’s company wants to ensure the integrity of email messages sent via its central email servers. If the confidentiality of the messages is not critical, what solution should Fred suggest?

A: Digitally sign but don’t encrypt all messages.

Explanation: Fred’s company needs to protect integrity, which can be accomplished by digitally signing messages. Any change will cause the signature to be invalid. A digital signature provides both proof of origin (and therefore nonrepudiation) and message integrity.

Answer B is incorrect. Encrypting isn’t necessary because the company does not want to protect confidentiality.

Answer D is incorrect. The Transport Layer Security (TLS) protocol can provide in-transit protection but won’t protect the integrity of the messages.

Answer A is incorrect. The Network Time Protocol (NTP) allows the synchronization of system clocks with a standardized time source. It is used to synchronize the devices on the Internet.

Q: Alejandro is an incident response analyst for a large corporation. He is on the midnight shift when an intrusion detection system alerts him to a potential brute-force password attack against one of the company’s critical information systems. He performs an initial triage of the event before taking any additional action.

A: Activate the incident response team.

Explanation: The incident response process consists of a series of steps that start with detection and run through response, mitigation, reporting, recovery, and remediation, ending with a lessons learned and onward preparation phase. After the detection of a security incident, the next step in the process is the response, which should follow the organization’s formal incident response procedure. The first step of this procedure is activating the appropriate teams, including the organization’s computer security incident response team (CSIRT).

Answers A and D are incorrect. Lessons learned involves getting to the root of how and why the incident happened, evaluating how well your incident response plan worked to resolve the issue, and identifying improvements that need to be made.

Answer B is incorrect. The preparation phase involves implementing the right tools and setting up the right processes ahead of an incident occurring.

Q: Rick is an application developer who works primarily in Python. He recently decided to evaluate a new service where he provides his Python code to a vendor who then executes it on their server environment. What type of cloud computing environment is this service?

A: PaaS

Explanation: Cloud computing systems where the customer only provides application code for execution on a vendor-supplied computing platform are examples of platform as a service (PaaS) computing. PaaS provides a large-scale, feature-rich application platform, again on top of an infrastructure as a service foundation. Platforms usually integrate data modeling, data management, and data backup, restore, and failover capabilities focused on the application services the platform delivers to its users. Answer C is incorrect. Software as a service (SaaS) provides a layer of application software on top of an IaaS foundation. Answer A is incorrect. Infrastructure as a service (IaaS) provides CPU, storage, software-defined networking, and server capabilities on which users can host databases, compute-intensive applications, and other elements of their business logic. Answer D is incorrect. Identity as a service (IDaaS) delivers integrated sets of identity management services.

Q: Which of the following come under the guidelines for use during computer forensic investigation?

Each correct answer represents a complete solution. Choose all that apply.

A: Examining or analyzing evidence, Identifying evidence, Collecting or acquiring evidence

Explanation: A number of organizations establish guidelines for use during computer forensic investigations:
Identifying evidence: Responding individuals must begin documenting everything that they find at an incident scene.
Collecting or acquiring evidence: Adhering to proper evidence collection and documentation techniques while minimizing incident scene contamination is vitally important.
Examining or analyzing evidence: The evidence is investigated and analyzed using sound scientific tests and methods which are acceptable both in the forensic community as well as in the court of law.
Presentation of evidence and findings: Forensics examiners must present their evidence, findings, and professional opinions in documentation such as court presentations and legal briefs.
Answer B is incorrect. Tampering with evidence can be any action that destroys, alters, conceals, or falsifies any sort of evidence. This is an illegal act and does not come under the guidelines for use during computer forensic investigation.

Q: Theresa is implementing a new access control system and wants to ensure that developers do not have the ability to move code from development systems into the production environment. What information security principle is she most directly enforcing?

A: Separation of duties

Explanation: According to the scenario, Theresa is directly enforcing the separation of duties principle. This principle takes a business process that might logically be performed by one subject and breaks it down into subprocesses, each of which is allocated to a different, separate subject to perform. In the given question, while developers may feel like they have a business need to be able to move code into production, the principle of separation of duties dictates that they should not have the ability to write code and place it on a production server. The deployment of code is often performed by change management staff. Answer C is incorrect. Revocation is the formal process of terminating access privileges for a specific identity in a system. Answer B is incorrect. Privilege creep happens when duties have changed and yet privileges that are no longer actually needed remain in effect for a given user. Answer A is incorrect. Job rotation is a strategy where employees rotate between jobs in the same business.

Q: Which of the following is special-purpose software that bridges the functional and interface gaps between different systems, applications, or platforms?

A: Middleware

Explanation: Middleware is special-purpose software that bridges the functional and interface gaps between different systems, applications, or platforms. It provides unified services to users. Answer A is incorrect. Scareware is a malware tactic that manipulates users into believing they need to download or buy malicious, sometimes useless, software. Answer D is incorrect. Spyware is a program that intercepts the user’s interaction with the computer and sends information to its creators about a user’s activities without the user’s consent. Answer C is incorrect. Adware, or advertising-supported software, is software that displays unwanted advertisements on your computer.

Q: What type of alternate processing facility contains the hardware necessary to restore operations but does not have a current copy of data?

A: Warm site

Explanation: Warm sites contain the hardware necessary to restore operations but do not have a current copy of data. A warm site is an alternate IT processing facility that has equipment installed and usually configured. The warm site does not have duplicate data installed and must be provisioned from backups. Answer B is incorrect. A hot site is an alternate IT processing facility that can be brought online within a very short period of time. The hot site will maintain duplicate equipment and duplicate sets of data. Answer D is incorrect. A cold site does not have the network hardware or communications equipment. Equipment would have to be ordered, shipped in, and installed. After installation, all data would have to be restored from backups. Answer A is incorrect. This is an invalid option.

Q: Which of the following come under the CIA triad?

Each correct answer represents a complete solution. Choose all that apply.

A: Confidentiality, Integrity, Availability

Explanation: Confidentiality, integrity, and availability, also known as the CIA triad, is a model designed to guide policies for information security within an organization. Accountability does not come under the CIA triad.

Q: Which of the following is verification that a process has been completed according to the policy or plan?

A: Auditing

Explanation: Auditing is verification that a process has been completed according to the policy or plan. It may also verify that the product is in compliance with established performance requirements. Answer D is incorrect. Revocation is the formal process of terminating access privileges for a specific identity in a system. Answer A is incorrect. Provisioning starts with the initial claim of identity and a request to create a set of credentials for that identity. Answer B is incorrect. Accounting is the process of keeping logs or other records that show access requests, whether those were granted or not.

Q: What type of disaster recovery test activates the alternate processing facility and uses it to conduct transactions but leaves the primary site up and running?

A: Parallel

Explanation: During a parallel test, the team actually activates the disaster recovery site for testing, but the primary site remains operational. Answer A is incorrect. During a full interruption test, the team takes down the primary site and confirms that the disaster recovery site is capable of handling regular operations. Answer C is incorrect. During a checklist test, team members each review the contents of their disaster recovery checklists on their own and suggest any necessary changes. Answer B is incorrect. During a structured walk-through test, team members come together and walk through a scenario without making any changes to information systems.

Q: If Susan’s organization requires her to log in with her fingerprints, PINs, passwords, and retina scans, how many distinct authentication factor types has she used?

A: Two

Explanation: Susan has used two distinct types of factors: PINs and passwords are both Type 1 factors (something you know), and fingerprints and retina scans are both Type 3 factors (something you are).

Q: What are the four correct steps of the OODA loop?

A: Observe, Orient, Decide, and Act

Explanation: Here are the four steps of the OODA loop:
Observe: Gather information about what is happening, right now, and what’s been happening very recently.
Orient: Remember what the organization’s goals and objectives are.
Decide: Make an educated guess as to what’s going on and what needs to be done about it.
Act: Take action on the decision that was made.

Q: Which of the following are the datacenter’s logging and monitoring system activities that are worth raising alarm for any incident that might occur?

A: All of these

Explanation: Here are the datacenter’s logging and monitoring system activities that are worth raising alarm for any incident that might occur:
Unplanned shutdown of any asset, such as a router, switch, or server
Unauthorized attempts to elevate a user’s or process’s privilege state to systems owner or root level
Unauthorized attempts to extract, download, or otherwise exfiltrate restricted data from the facility
Unauthorized attempts to change, alter, delete, or replace any data, software, or other controlled elements of the baseline system
Unplanned or unauthorized attempts to initiate system backup or recovery tasks
Unplanned or unauthorized attempts to connect a device, cable, or process to the system
Alarms or alerts from malware, intrusion detection, or other defensive systems

Q: The common vulnerabilities and exposures (CVE) data and your own vulnerability assessments indicate that many of your end-user systems do not include recent security patches released by the software vendors. You decide to bring these systems up to date by applying these patches. This is an example of which of the following?

A: Remediating or mitigating a risk

Explanation: Fixing or applying patches to eliminate a vulnerability is the definition of remediating, mitigating, fixing, or repairing a vulnerability. The risk mitigation strategy attempts to lower the probability and/or impact of a risk occurring. Answer D is incorrect. Transferring a risk involves paying someone else to take on the work of repairs, reimbursements, or replacement of damaged systems if the risk event occurs. Answer C is incorrect. Avoiding a risk involves changing a business process so that the risk no longer applies. Answer B is incorrect. Accepting a risk involves accepting the identified risk and not taking any other action to reduce the risk.

Q: Which formula is used to determine risk?

A: Risk = Threat * Vulnerability

Explanation: Risk is a possibility that an event can occur that can disrupt or damage the organization’s planned activities, assets, or processes, which may impact the organization’s ability to achieve some or all of its goals and objectives. Risks exist when there is an intersection of a threat and a vulnerability. This is described using the equation Risk = Threat * Vulnerability.

Q: Javier is verifying that only IT system administrators have the ability to log on to servers used for administrative purposes. What principle of information security is he enforcing?

A: Least privilege

Explanation: Javier is enforcing the principle of least privilege, which says that an individual should only have the privileges necessary to complete their job functions. Removing administrative privileges from non-administrative users is an example of least privilege. Answer C is incorrect. Privilege creep happens when duties have changed and yet privileges that are no longer actually needed remain in effect for a given user. Answer A is incorrect. Revocation is the formal process of terminating access privileges for a specific identity in a system. Answer D is incorrect. The transitive trust relationship exists when one node (node A) in a system trusts another node (node B), which further trusts a third node (node C); this results in node A trusting node C.

Q: During a penetration test, Chris recovers a file containing hashed passwords for the system he is attempting to access. What type of attack is likely to succeed against the hashed passwords?

A: Rainbow table attack

Explanation: A rainbow table attack is likely to succeed against the hashed passwords. This attack is a type of hacking wherein the perpetrator tries to use a rainbow hash table to crack the passwords stored in a database system. Rainbow tables use precomputed password hashes to conduct cracking attacks against password files. Answer D is incorrect. A denial-of-service (DoS) attack occurs when legitimate users are unable to access information systems, devices, or other network resources due to the actions of a malicious cyber threat actor. Answer C is incorrect. A phishing attack is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers. Answer A is incorrect. A bluesnarfing attack is the theft of information from a wireless device through a Bluetooth connection.

Q: You have identified the risks and then you need to mitigate those risks as you find it unacceptable. Once you treat the risks, you won’t completely eliminate all the risks because it is simply not possible and therefore, some risks will remain at a certain level. This is a description of which of the following?

A: Residual risk

Explanation: Residual risk is the risk that is left untreated after a specific set of risk controls has been implemented. Answers D and C are incorrect. The willingness of the organization to accept risk, and the way leadership makes decisions about risk, is referred to as risk appetite, also called risk tolerance. Answer B is incorrect. Risk assessment is a systematic process of identifying risks to achieving organizational priorities.

Q: Which of the following states how a task needs to be performed and what constraints or success criteria apply?

A: Procedure

Explanation: Procedures state how a task needs to be performed and what constraints or success criteria apply. A policy is a broad statement of direction and intention. In most organizations, it establishes direction and provides constraints to leaders, managers, and the workforce. A standard is a technical document designed to be used as a rule, guideline, or definition. A principle is a basic truth or the source or origin of something or someone.

Q: Which of the following is referred to as the maximum tolerable period of disruption?

A: MAO

Explanation: The maximum acceptable outage (MAO) is the maximum time that a business process or task cannot be performed without causing intolerable disruption or damage to the business. It is referred to as the maximum tolerable outage (MTO), or the maximum tolerable period of disruption (MTPOD).

Q: What does it mean to accept a risk?

A: You simply decide to do nothing about the risk.

Explanation: Accepting risk means you simply decide to do nothing about the risk. You recognize it is there, but you make a conscious decision to do nothing differently to reduce the likelihood of occurrence or the prospects of negative impact. Options D, B, and A describe the mitigate, transfer, and recast risk treatment strategies, respectively.

Q: Which of the following looks at your business procedures and how different risks can impact, disrupt, or block your ability to run those procedures successfully and correctly?

A: Process-based

Explanation: The process-based risk looks at your business procedures and how different risks can impact, disrupt, or block your ability to run those procedures successfully and correctly. The outcomes-based risk looks at why people or organizations do what they do or set out to achieve their goals or objectives. The asset-based risk looks at any tangible or intangible asset and asks how risks can decrease the value of the asset to the business. The threat-based risk focuses on how things go wrong—what the root and proximate causes of risks might be—whether natural, accidental, or deliberately caused.

Q: Fixing patches to eliminate a vulnerability is an example of which of the following?

A: Remediating or mitigating a risk

Explanation: Fixing or applying patches to eliminate a vulnerability is an example of remediating, mitigating, fixing, or repairing a vulnerability.

Q: When we call an attack a “zero-day exploit,” we mean that:

A: the attack exploited a previously unreported vulnerability before the affected systems or software vendor recognized and acknowledged it, reported or disclosed it, or provided a warning to its customers.

Explanation: Option D correctly explains the period from discovery in the wild to first recognition by system owners, users, or the IT community, and how this element of surprise may give the attacker an advantage. Despite the name, the 24 hours of a day have nothing to do with the element of surprise associated with attacking a heretofore-unknown vulnerability. Option C is false since the term is well understood in IT security communities.

Q: All of the following are risk treatment controls except for which one?

A: Functional

Explanation: Risk treatment involves all aspects of taking an identified risk and applying a set of chosen methods to eliminate or reduce the likelihood of its occurrence and the impacts it has on the organization when (not if) it occurs. Physical, logical (technical), and administrative are the risk treatment controls.

Q: What is the first step involved in the risk mitigation process?

A: Assess the information architecture and the information technology architectures that support it.

Explanation: Here are the steps involved in the risk mitigation process:
Assess the information architecture and the information technology architectures that support it.
Assess vulnerabilities, and conduct threat modeling as necessary.
Choose risk treatments and controls.
Implement risk mitigation controls.
Verify control implementations.
Engage and train users as part of the control.
Begin routine operations with new controls in place.
Monitor and assess system security with new controls in place.

Q: Which of the following starts with the premise that all systems have an external boundary that separates what the system owner, builder, and user own, control, or use, from what’s not part of the system?

A: Threat modeling

Explanation: Threat modeling starts with the premise that all systems have an external boundary that separates what the system owner, builder, and user own, control, or use, from what’s not part of the system. Quantitative assessments attempt to arithmetically compute values for the probability of occurrence and the single loss expectancy. Qualitative assessments depend on experienced people to judge the level or extensiveness of a potential impact, as well as its frequency of occurrence. The business impact analysis is a consolidated statement of how different risks could impact the prioritized goals and objectives of an organization.

Q: Patsy is reviewing the quantitative risk assessment spreadsheet, and she sees multiple entries where the annual rate of occurrence (ARO) is far greater than the single loss expectancy (SLE). This suggests that:

A: the particular risk is assessed to happen many times per year; thus, its ARO is much greater than 1.0.

Explanation: According to the scenario, it suggests that the particular risk is assessed to happen many times per year; thus, its ARO is much greater than 1.0. Option A uses the annualized rate of occurrence (ARO) incorrectly; if ARO were less than 1, the single loss expectancy would in effect be spread over multiple years (as if it were amortized). Option B involves restore time and point objectives, which are not involved in the annualized loss expectancy (ALE) calculation. Option C misunderstands the basic math involved, which is ALE = ARO * SLE.

Q: Which of the following is focused on trying to actively find and exploit vulnerabilities in an organization’s information security posture, processes, procedures, and systems?

A: Penetration testing

Explanation: Penetration testing is focused on trying to actively find and exploit vulnerabilities in an organization’s information security posture, processes, procedures, and systems. Acceptance testing confirms to the end-users that all of their stated requirements have been correctly implemented in the system being tested. The architecture assessment is both an inventory of all systems elements and a map or process flow diagram that shows how these elements are connected to form or support business processes and thereby achieve the needs of required business logic. Configuration control is the process of regulating changes so that only authorized changes to controlled systems baselines can be made.

Q: Which area of concern for a common vulnerability scoring system characterizes how vulnerability changes over time?

A: Temporal metric

Explanation: A temporal metric characterizes how vulnerability changes over time. A base metric assesses qualities intrinsic to a particular vulnerability. An environmental metric assesses dependencies on particular implementations of systems environments. A report metric is an invalid choice.

Q: Which of the following shows the major steps of the information risk management process in the correct order?

A: Set priorities; assess risks; implementing risk treatment plans; continuous monitoring

Explanation: Information risk management is a process that guides organizations through identifying risks to their information, information systems, and information technology systems; setting priorities and characterizing those risks in terms of impacts to prioritized goals and objectives; making decisions about which risks to treat, accept, transfer, or ignore; and then implementing risk treatment plans. As an ongoing management effort, it requires continuous monitoring of internal systems and processes, as well as a constant awareness of how threats and vulnerabilities are evolving throughout the world.

Q: Which of the following activities is part of information risk mitigation?

A: Developing an information classification policy and process

Explanation: Improving product quality is a laudable goal but it is not related to information risk mitigation; thus option A is incorrect. Option B refers to activities after an incident; mitigation activities happen before an incident occurs, or result from lessons learned because of the incident. Option C is most likely being done to implement new or revised security policies. Option D is part of information risk management and should precede information risk mitigation.

Q: An architecture assessment includes all of the following activities except for which one?

A: Review of software testing procedures and results.

Explanation: A review of software testing procedures and results is one of the activities of gap analysis. Options C, D, and A are the activities of an architecture assessment. The architecture assessment is both an inventory of all systems elements and a map or process flow diagram that shows how these elements are connected to form or support business processes and thereby achieve the needs of required business logic. This requires a thorough review and analysis of existing physical asset/equipment inventories, network and communications diagrams, contracts with service providers, error reports, and change requests.

Q: Which of the following choices for limiting or containing the damage from risks keeps an attack from happening or contains it so that it cannot progress further into the target’s systems?

A: Prevent

Explanation: Prevention keeps an attack from happening or contains it so that it cannot progress further into the target’s systems. Deter means to convince the attacker that costs they’d incur and difficulties they’d encounter by doing an attack are probably far greater than anticipated gains. Detecting that an attack is imminent or actually occurring is vital to taking any corrective, evasive, or containment actions. Avoiding the possible damage from risk requires terminating the activity that incurs the risk, or redesigning or relocating the activity to nullify the risk.

Q: Which of the following is a consolidated statement of how different risks could impact the prioritized goals and objectives of an organization?

A: BIA

Explanation: The business impact analysis (BIA) is a consolidated statement of how different risks could impact the prioritized goals and objectives of an organization. The service-level agreement (SLA) is a written contract that documents service expectations. The single loss expectancy (SLE) is the total of all losses that could be incurred as a result of one occurrence of a risk. The maximum acceptable outage (MAO) is the time limit to restore all mission-essential systems and services to avoid impact on the mission of the organization.

Q: The risk that is left untreated after the application of a specific set of risk controls has been implemented is known as ___________.

A: residual risk

Explanation: The risk that is left untreated after the application of a specific set of risk controls has been implemented is known as residual risk. Risk appetite, also called risk tolerance, is a subjective measure of how willing an organization’s senior leaders and managers are to accept risks. Risk assessment is a systematic process of identifying risks to achieving organizational priorities.

Q: Which of the following is defined as the estimated cost to implement and operate the chosen risk mitigation control?

A: Safeguard value

Explanation: The safeguard value is the estimated cost to implement and operate the chosen risk mitigation control. The single loss expectancy is the total cost you can reasonably expect should the risk event occur. The annual rate of occurrence is an estimate of how often during a single year the risk event could reasonably be expected to occur. The annual loss expectancy is the total expected losses for a given year.

Q: What are the basic choices for limiting or containing the damage from risks?

A: Deter, detect, prevent, and avoid

Explanation: The basic choices for limiting or containing the damage from risks are deter, detect, prevent, and avoid. Option C includes risk treatment strategies, option A includes the four faces of risk, and option D includes the types of risk assessments.

Q: Which of the following is the probability of an event occurring that disrupts your information and the business processes and systems that use it?

A: Risk

Explanation: Risk is the probability of an event occurring that disrupts your information and the business processes and systems that use it. Containment primarily addresses shutting down connectivity between networks, subnets, systems, and servers. Eradication addresses locating the causal agents (malware, bogus user IDs, etc.) and removing them from each system. An event is something that happens, especially when it is unusual or important.

Q: What kind of information is part of an information risk assessment process?

A: Lost revenues during the downtime caused by the risk incident, including the time it takes to get things back to normal

Explanation: Option C is part of an information risk assessment process, which is a systematic process of identifying risks to achieving organizational priorities. Option B is the safeguard value, which we cannot compute until we have completed a risk assessment and a vulnerability assessment, and then designed, specified, or selected such controls or countermeasures. Option A is typically not the loss incurred by damage of an asset; of greater interest regarding impact to an asset would be the cost to repair it (if repairable), replace it, or design and implement new processes to do without the damaged or disrupted asset.

Q: Which of the following is defined as the identification and selection of an event that may be of significance in information security terms, either as a precursor or an indicator of a possible attack?

A: Incident of interest

Explanation: An incident of interest is defined as the identification and selection of an event that may be of significance in information security terms, either as a precursor or an indicator of a possible attack. Kill chain is an outcome-based planning concept and is geared to achieve national strategic, operational, or tactical outcomes as part of larger battle plans. The incident response framework is defined as a formal plan or process for managing the organization’s response to a suspected information security incident. An indicator of compromise is an observable artifact that with high confidence signals that an information system has been compromised or is in the process of being compromised.

Q: Which of the following steps of the PDCA cycle is part of conducting due diligence on what the plan asked us to achieve and how it asked us to get it done?

A: Checking

Explanation: Checking is part of conducting due diligence on what the plan asked us to achieve and how it asked us to get it done. Planning is the process of laying out the step-by-step path we need to take to go from “where we are” to “where we want to be”. Doing is the phase that encompasses everything it takes to accomplish the plan. Acting is the phase that involves making decisions and taking corrective or amplifying actions based on what the checking activities revealed.

Q: Which step of the OODA loop gathers information about what is happening, right now, and what’s been happening very recently?

A: Observe

Explanation: Here are the steps of John Boyd’s OODA loop:
Observe: Gather information about what is happening, right now, and what’s been happening very recently.
Orient: Remember what the organization’s goals and objectives are.
Decide: Make an educated guess as to what’s going on and what needs to be done about it.
Act: Take action on the decision that was made.

Q: All are the major steps described by the risk management framework to information and privacy risk management except for which one?

A: Mitigate

Explanation: Option C is one of the risk treatment strategies. The risk management framework (RMF) describes seven major steps to information and privacy risk management: prepare, categorize, select, implement, assess, authorize, and monitor.

Q: Which of the following terms is also referred to as risk appetite?

A: Risk tolerance

Explanation: Risk appetite, also called risk tolerance, is a subjective measure of how willing an organization’s senior leaders and managers are to accept risks.

Q: Which of the following looks at why people or organizations do what they set out to achieve their goals or objectives?

A: Outcomes-based risk

Explanation: The outcomes-based risk looks at why people or organizations do what they set out to achieve their goals or objectives. The process-based risk looks at your business procedures and how different risks can impact, disrupt, or block your ability to run those procedures successfully and correctly. The asset-based risk looks at any tangible or intangible asset and asks how risks can decrease the value of the asset to the business. The threat-based risk focuses on how things go wrong—what the root and proximate causes of risks might be—whether natural, accidental, or deliberately caused.

Q: During which phase does the incident response team limit the damage caused by an incident?

A: Containment

Explanation: During the containment phase, the incident response team’s goal is to limit the damage caused by an incident. They do this by isolating impacted systems and restricting access to resources to prevent the spread of the incident. Answer C is incorrect. The detection phase detects irregular activities and figures out exactly what is happening. Answer A is incorrect. The preparation phase involves implementing the right tools and setting up the right processes ahead of an incident occurring. Answer D is incorrect. The recovery phase restores and returns affected systems and devices back into your business environment.

Q: Greg is building a disaster recovery plan for his organization and would like to determine the amount of time that it should take to restore a particular IT service after an outage. What variable is Greg calculating?

A: RTO

Explanation: According to the scenario, Greg is calculating the recovery time objective (RTO) variable. It is the amount of time expected to return an IT service or component to operation after a failure. Answer A is incorrect. The annual loss expectancy (ALE) is the total expected losses for a given year and is determined by multiplying SLE (single loss expectancy) by ARO (annual rate of occurrence). Answer C is incorrect. The mean time to repair (MTTR), or mean time to restore, reflects our average experience in doing whatever it takes to get the failed system, component, or process repaired or replaced. Answer B is incorrect. SLAs (service-level agreements) are written contracts that document service expectations.

Q: Alex has been with the university he works at for more than 10 years. During that time, he has been a system administrator and a database administrator, and he has worked in the university’s help desk. He is now a manager for the team that runs the university’s web applications. When Alex changes roles, what should occur?

A: He should be provisioned for only the rights that match his role.

Explanation: According to the scenario, when Alex’s role changes, he should be provisioned for only the rights that match his role and other access entitlements. Answer B is incorrect because deprovisioning and reprovisioning is time-consuming and can lead to problems with changed IDs and how existing credentials work. Answer A is incorrect because simply adding new rights leads to privilege creep. Answer C is incorrect because matching another user’s rights can lead to excessive privileges because of privilege creep for the other user.

Q: Florian is building a disaster recovery plan for his organization and would like to determine the amount of time that a particular IT service may be down without causing serious damage to business operations. What variable is Florian calculating?

A: MTO

Explanation: According to the scenario, Florian is calculating the maximum tolerable outage (MTO), which is the longest amount of time that an IT service or component may be unavailable without causing serious damage to business operations. Answer D is incorrect. The recovery time objective (RTO) is the amount of time expected to return an IT service or component to operation after a failure. Answer B is incorrect. The recovery point objective (RPO) identifies the maximum amount of data, measured in time, that may be lost during a recovery effort. Answer A is incorrect. The service-level agreement (SLA) is a written contract that documents service expectations.

Q: Qualitative assessment of information is used as the basis of an information classification system that labels which broad categories of data to indicate the range of possible harm or impact?

Each correct answer represents a complete solution. Choose all that apply.

A: Top Secret, Confidential, For Official Use Only

Explanation: Qualitative assessment of information is used as the basis of an information classification system that labels broad categories of data to indicate the range of possible harm or impact. Such simple hierarchical information classification systems often start with “Unclassified” and move up through “For Official Use Only,” “Confidential,” “Secret,” and “Top Secret” in a way that broadly outlines how severely the nation would be impacted if the information were disclosed, stolen, or otherwise compromised.

Q: Greg would like to implement an application control technology in his organization. He would like to limit users to install only approved software on their systems. What type of application control would be appropriate in this situation?

A: Whitelisting

Explanation: The whitelisting approach to application control allows users to install only those software packages specifically approved by administrators. This would be an appropriate approach in a scenario where application installation needs to be tightly controlled. Answers C and D are incorrect. The blacklisting or negative control approach to application control blocks certain prohibited packages but allows the installation of other software on systems. Answer B is incorrect. This is an invalid option.

Q: What layer of the planning process takes business continuity considerations a few steps further by examining and selecting how to provide alternate means of getting business operations up and running again?

A: Contingency operations planning

Explanation: Contingency operations planning takes business continuity considerations a few steps further by examining and selecting how to provide alternate means of getting business operations up and running again. Its purpose is to allow an organization to return to its daily operations as quickly as possible after an unforeseen event. Answer B is incorrect. Critical asset protection planning looks at the protection required for strategic, high-value, or high-risk assets to prevent significant loss of value, utility, or availability of these assets to serve the organization’s needs. Answer A is incorrect. Physical security and safety planning focuses on preventing unauthorized physical access to the organization’s premises, property, systems, and people.

Q: Susan has discovered that the smart card-based locks used to keep the facility secure are not effective because staff members are propping the doors open. She places signs on the doors reminding staff that leaving the door open creates a security issue, and she adds alarms that will sound if the doors are left open for more than five minutes. What type of controls has she put into place?

A: Compensation

Explanation: Susan has placed compensation controls in place. Compensation controls are used when controls like the locks in this example are not sufficient. They are deployed to provide various options to other existing controls to aid in the enforcement and support of a security policy. Examples of compensation access controls include security policy, personnel supervision, monitoring, and work task procedures. Answer C is incorrect. Detective access controls are deployed to discover unwanted or unauthorized activity. Answer B is incorrect. Administrative access controls are the policies and procedures defined by an organization’s security policy to implement and enforce overall access control. Answer D is incorrect. Recovery access controls are deployed to repair or restore resources, functions, and capabilities after a violation of security policies.

Q: Which of the following is the process by which the organization decides what changes in controlled systems baselines will be made?

A: Configuration management

Explanation: Configuration management is the process by which the organization decides what changes in controlled systems baselines will be made, when to implement them, and the verification and acceptance needs that the change and business conditions dictate as necessary and prudent. Answer B is incorrect. Asset management identifies everything that could be a key or valuable asset and adds it to an inventory system that tracks information about its acquisition costs, its direct users, its physical (or logical) location, and any relevant licensing or contract details. Answer A is incorrect. Incident management provides the ability in real time to decide when and how to intervene to prevent further damage, halt the incident, restore operational capabilities, and possibly request support from other emergency responders. Answer D is incorrect. Configuration control implements what the configuration management process decides and prevents unauthorized changes.

Q: Linda is selecting a disaster recovery facility for her organization, and she wants to retain independence from other organizations as much as possible. She would like to choose a facility that balances cost and recovery time, allowing activation in about one week after a disaster is declared. What type of facility should she choose?

A: Warm site

Explanation: Linda should choose a warm site. This approach balances cost and recovery time. It is an alternate IT processing facility that has equipment installed and usually configured. Answer B is incorrect. Cold sites take a long time to activate, measured in weeks or months. Answer D is incorrect. Mutual sites depend on the support of another organization. Answer A is incorrect. Hot sites activate immediately but are quite expensive.

Q: Which of the following can put the organization completely out of existence and, along the way, inflict significant levels of pain and suffering on its employees?

Each correct answer represents a complete solution. Choose all that apply.

A: Disruption, Disaster, Anomaly

Explanation: The events that put the organization completely out of existence and, along the way, inflict significant levels of pain and suffering on its employees, owners, stakeholders, and others in its business ecosystem are an anomaly, incident, disruption, and disaster. Answer A is incorrect. Triage refers to the prioritization of damages and the communication of this prioritization so that damaged entities can be addressed based on need, usually ranked high to low.

Q: Which of the following is not one of the canons of the (ISC)2 Code of Ethics?

A: Maintain competent records of all investigations and assessments.

Explanation: Here are the four canons of the (ISC)2 Code of Ethics: protect society, the common good, necessary public trust and confidence, and the infrastructure; act honorably, honestly, justly, responsibly, and legally; provide diligent and competent service to principals; and advance and protect the profession.

Q: During a management meeting, the chief information security officer, Jim, is describing attacks made against the senior level at an organization. Which attack is Jim describing?

A: Whaling

Explanation: Jim is describing the whaling attack, which aims at the senior level in an organization. This attack targets high-worth or highly placed individuals, such as a chief financial officer (CFO), and uses much the same storyline to attempt to get the CFO to ask a clerk to initiate a funds transfer. Answer B is incorrect. A rainbow table attack is a type of hacking wherein the perpetrator tries to use a rainbow hash table to crack the passwords stored in a database system. Answer C is incorrect. A bluesnarfing attack is the theft of information from a wireless device through a Bluetooth connection. Answer D is incorrect. An ARP spoofing attack is a type of attack in which a malicious actor sends falsified Address Resolution Protocol (ARP) messages over a local area network.

Q: An incident response team works using the prepositioned sets of software and hardware tools for capturing data, analyzing it, and drawing conclusions about the event. Which tool helps the team in accomplishing this?

A: Responder’s workbench

Explanation: A responder’s workbench is a prepositioned set of software and hardware tools and support data to be used by incident response team members. This workbench can provide the incident response team with a set of known, clean systems to use as they capture data, analyze it, and draw conclusions about the event. Answer C is incorrect. Semantics are the rules that define how we represent ideas and meaning via the construction of words, sentences, or other expressions and phrases, and how we interpret (decode) such expressions to make their meaning plain. Answer D is incorrect. Resiliency is a characteristic of a system’s design that reflects how well it can deal with unanticipated errors or conditions without crashing or causing unacceptable data loss or business process interruption. Answer A is incorrect. A precursor is a sign, signal, or observable characteristic of the occurrence of an event that in and of itself is not an attack but that might indicate an attack could happen in the future.

Q: Which of the following tools is best suited for exploiting known vulnerabilities?

A: Metasploit

Explanation: Metasploit is a tool used to exploit known vulnerabilities. It is one of the most popular exploitation tool suites used by black hat and white hat hackers alike. Answers D, C, and A are incorrect. Nikto is a web application and server vulnerability scanning tool, Ettercap is a man-in-the-middle attack tool, and Wireshark is a free and open-source packet analyzer.

Q: James is building a disaster recovery plan for his organization and would like to determine the amount of acceptable data loss after an outage. Which variable is James determining?

A: RPO

Explanation: James is determining the recovery point objective (RPO) variable. It identifies the maximum amount of data, measured in time, that may be lost during a recovery effort. Answer D is incorrect. The recovery time objective (RTO) is the amount of time expected to return an IT service or component to operation after a failure. Answer C is incorrect. The annual rate of occurrence (ARO) is an estimate of how many times per year a particular risk is considered likely to occur. Answer B is incorrect. The single loss expectancy (SLE) is the amount of damage that a risk is expected to cause each time it occurs.

Q: How many possible keys exist when using a cryptographic algorithm that has an 8-bit binary encryption key?

A: 256

Explanation: Binary keyspaces contain a number of keys equal to 2 raised to the power of the number of bits. Two to the eighth power is 256, so an 8-bit keyspace contains 256 possible keys.

Q: The Wi-Fi Protected Access Version 2 (WPA2) security protocol is based on which common encryption scheme?

A: AES

Explanation: WPA2 is based on the Advanced Encryption Standard (AES), which is implemented to encrypt sensitive data. AES is a symmetric block cipher chosen by the U.S. government to protect classified information.

Q: Mark is planning a disaster recovery test for his organization. He would like to perform a live test of the disaster recovery facility but does not want to disrupt operations at the primary facility. What type of test should Mark choose?

A: Parallel test

Explanation: Mark should choose a parallel test. During this test, the team actually activates the disaster recovery site for testing, but the primary site remains operational. Answer C is incorrect. During a full interruption test, the team takes down the primary site and confirms that the disaster recovery site is capable of handling regular operations. The full interruption test is the most thorough test but also the most disruptive. Answer B is incorrect. During a checklist review, team members each review the contents of their disaster recovery checklists on their own and suggest any necessary changes. It is the least disruptive type of disaster recovery test. Answer D is incorrect. During a structured walk-through test, team members come together and walk through a scenario without making any changes to information systems.

Q: An attacker conceals their true identity and motives and presents themselves as a trusted individual in order to manipulate users into giving up inside information about an organization. This is a description of which of the following?

A: Social engineering

Explanation: An attacker uses the social engineering technique to conceal their true identity and motives and present themselves as a trusted individual in order to manipulate users into giving up inside information about an organization. The goal of any social engineering process is to gain access to insider information—information that is normally not made public or disclosed to outsiders, for whatever reason. Answer B is incorrect. A Trojan horse is a type of malware that looks legitimate but can take control of your computer. Answer D is incorrect. A rainbow table attack is a type of hacking wherein the perpetrator tries to use a rainbow hash table to crack the passwords stored in a database system. Answer A is incorrect. A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service, or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic.

Q: Ann is a security professional for a midsize business and typically handles log analysis and security monitoring tasks for her organization. One of her roles is to monitor alerts originating from the organization’s intrusion detection system. The system typically generates several dozen alerts each day, and many of those alerts turn out to be false alarms after her investigation. This morning, the intrusion detection system gave an alert because the network began to receive an unusually high volume of inbound traffic. Ann received this alert and began looking into the origin of the traffic. As Ann analyzes the traffic further, she realizes that the traffic is coming from many different sources and has overwhelmed the network, preventing legitimate uses. The inbound packets are responses to queries that she does not see in the outbound traffic. The responses are abnormally large for their type. What type of attack should Ann suspect?

A: Denial-of-service

Explanation: This is a clear example of a denial-of-service attack—denying legitimate users authorized access to the system through the use of overwhelming traffic. A denial-of-service (DoS) attack occurs when legitimate users are unable to access information systems, devices, or other network resources due to the actions of a malicious cyber threat actor. Answer C is incorrect. A phishing attack is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers. Answer D is incorrect. A rainbow table attack is a type of hacking wherein the perpetrator tries to use a rainbow hash table to crack the passwords stored in a database system. Answer A is incorrect. A cryptanalysis attack is one that attempts to deduce the meaning of encrypted communications by looking for patterns in the sender and recipient address information, protocols, or packet types.

Q: Alice and Bob would like to use an asymmetric cryptosystem to communicate with each other. They are located in different parts of the country but have exchanged encryption keys by using digital certificates signed by a mutually trusted certificate authority. Which of the following keys would Bob not possess in this scenario?

A: Alice’s private key

Explanation: In this scenario, Bob would not have access to the private key of Alice or any other user. Each user retains their private key as secret information. Bob will have his public key, private key, and Alice’s public key since in asymmetric cryptography, the public key may be freely and openly distributed.

Q: John is a network administrator of his organization. He wants to monitor all network traffic on his local network for suspicious activities and alert with a notification when a possible attack is in process. Which of the following will help in detecting this type of incident?

A: NIDS

Explanation: The network-based intrusion detection system (NIDS) will help in detecting this type of incident. It sits between the protected, managed portions of your network and less secure zones (such as the Internet). It monitors network traffic and alerts when packets attempt to access ports, services, or addresses, or attempt other actions that the NIDS is configured to detect. Answer A is incorrect. The host-based intrusion detection system (HIDS) will be able to detect unauthorized processes running on a system. It is installed as a software application that runs on a host computer, under the control of its operating system, such as a server, workstation, laptop, smartphone, or other mobile device. Answer B is incorrect. The integrated development environment (IDE) is a set of software tools that can be used together to design, develop, test, integrate, and deploy software systems and applications. Answer C is incorrect. Network access control (NAC) is the set of services that give network administrators the ability to define and control what devices, processes, and persons can connect to the network or to individual subnetworks or segments of that network.

Q: In this figure of the TCP three-way handshake, what should system A send to system B in step 3?

A: ACK

Explanation: In step 3, system A should send an ACK to end the three-way handshake. The TCP three-way handshake is SYN, SYN/ACK, ACK. The three-way handshake is used to begin a TCP session. In the first step of the handshake, system A sends system B a packet with the SYN, or synchronize, flag turned on, or “set.” System B responds with a packet that has both the acknowledgment (ACK) and SYN flags set. Finally, system A responds with a packet that has the ACK flag set. At this point, the TCP session has been established.

Q: The large business that Jack works for has been using noncentralized logging for years. They have recently started to implement centralized logging, and as they reviewed logs, they discovered a breach that appeared to have involved a malicious insider. How can Jack detect issues like this using his organization’s new centralized logging?

A: Deploy and use SIEM.

Explanation: Jack can detect issues using a security information and event management (SIEM) tool, which is designed to provide automated analysis and monitoring of logs and security events. It is an application system that provides a centralized capability to collect, assess, monitor, and analyze information pertaining to precursors, indicators, and information security events. Answer A is incorrect. Mobile device management (MDM) systems provide a variety of integrated tools that can help the organization maintain awareness of its mobile assets, track their usage, and provide management with insight and control of software, firmware, and data updates on these devices. Answer B is incorrect. A hypervisor is responsible for coordinating access to physical hardware and enforcing isolation between different virtual machines running on the same physical platform. Answer D is incorrect. A honeypot is a system that allows investigators to evaluate and analyze the attack strategies used by attackers.

Q: Kolin is searching for a network security solution that will allow him to help reduce zero-day attacks while using identities to enforce a security policy on systems before they connect to the network. What type of solution should Kolin implement?

A: NAC system

Explanation: Kolin should implement a NAC (network access control) system, which can be used to authenticate users and then validate their system’s compliance with a security standard before they are allowed to connect to the network. Enforcing security profiles can help reduce zero-day attacks, making NAC a useful solution. Answers A and C are incorrect because a firewall can’t enforce system security policies, whereas an intrusion detection system can only monitor for attacks and alarm when they happen. Thus, neither a firewall nor an intrusion detection system (IDS) meets Kolin’s needs. Answer D is incorrect because port security is a MAC address-based security feature that can restrict only which systems or devices can connect to a given port.

Q: GAD Systems is concerned about the risk of hackers stealing sensitive information stored on a file server. They choose to pursue a risk mitigation strategy. Which one of the following actions would support that strategy?

A: Encrypting the files

Explanation: Encrypting the files reduces the probability that the data will be successfully stolen, so it is an example of risk mitigation. Answers B, A, and D are incorrect because deleting the files would be risk avoidance, purchasing insurance would be risk transference, and taking no action would be risk acceptance.

Q: Gordon is developing a business continuity plan for a manufacturing company’s IT operations. The company is located in North Dakota and currently evaluating the risk of earthquakes. They choose to pursue a risk transference strategy. Which of the following actions is consistent with that strategy?

A: Purchasing earthquake insurance

Explanation: In a risk transference strategy, the organization chooses to purchase earthquake insurance. Transferring a risk means that rather than spend our own money, time, and effort to reduce, contain, or eliminate the risk, we assign responsibility for it to someone else. Answer D is incorrect because relocating the data center is an example of a risk avoidance strategy. Answer A is incorrect because taking no action other than documenting the risk is an example of a risk acceptance strategy. Answer B is incorrect because reengineering the facility is an example of a risk mitigation strategy.

Q: Colleen is conducting a business impact assessment for her organization. What metric provides important information about the amount of time that the organization may be without service before causing irreparable harm?

A: MAO

Explanation: The maximum acceptable outage (MAO) is the amount of time that a business may be without service before irreparable harm occurs. This measure is sometimes also called the maximum tolerable outage (MTO). Answer A is incorrect. The annual loss expectancy (ALE) is the total expected losses for a given year. Answer D is incorrect. The mean time to repair (MTTR), or mean time to restore, reflects our average experience in doing whatever it takes to get the failed system, component, or process repaired or replaced. Answer C is incorrect. The recovery time objective (RTO) is the amount of time in which system functionality or the ability to perform the business process must be back in operation.

Q: At a murder crime scene, a laptop is found which is password protected. The investigation team has hired a hacker to access the laptop to get all the relevant information of the deceased. The hacker is trying to access the laptop by systematically entering every word/phrase as a password. Which type of attack does this describe?

A: Dictionary

Explanation: This describes a dictionary attack, which is a systematic method of guessing a password by trying many common words/phrases and their simple variations. Answer C is incorrect. Data exfiltration is the unauthorized transfer of data from a computer. Answer A is incorrect. A man-in-the-middle (MITM) attack can happen when a third party can place themselves between two nodes and either insert their own false traffic or modify traffic being exchanged between the two nodes, to fool one or both nodes into mistaking the third party for the other (legitimate) node. Answer D is incorrect. A denial-of-service (DoS) attack occurs when legitimate users are unable to access information systems, devices, or other network resources due to the actions of a malicious cyber threat actor.

Q: In what model of cloud computing do two or more organizations collaborate to build a shared cloud computing environment that is for their own use?

A: Community cloud

Explanation: In the community cloud computing model, two or more organizations pool their resources to create a cloud environment that they can share. Community clouds can be established to provide cloud services to a group of users that can be defined as users requiring access to the same information to be used for a similar purpose. Answer A is incorrect. Public clouds are cloud systems in which multiple, unrelated customers are hosted on the cloud provider’s systems, sharing that set of hardware, systems, and software resources. Answer B is incorrect. Private clouds are those cloud systems that one organization has sole and dedicated use of. Answer D is incorrect. Hybrid clouds are cloud systems that have a mix of both public and private characteristics.

Q: Jim is implementing an IDaaS solution for his organization. What type of technology is he putting in place?

A: Identity as a service

Explanation: Jim is using IDaaS (Identity as a service) technology, which provides an identity platform as a third-party service. It is a cloud-based service for obtaining subscription-based identity management and access control capabilities. Answers B and C are incorrect. These are invalid choices. Answer D is incorrect. OAuth is a standard that applications can use to provide client applications with secure delegated access.

Q: Which of the following verifies that a given system, and the people-powered processes that implement the overall set of business logic and purpose, get work done correctly and completely when seen from the end users’ or operators’ perspective?

A: OT&E

Explanation: An operational test and evaluation (OT&E) is formal system testing to verify that a given system, and the people-powered processes that implement the overall set of business logic and purpose, get work done correctly and completely when seen from the end users’ or operators’ perspective. Answer D is incorrect. A business impact analysis (BIA) reflects a combination of due care and due diligence in that it combines “how we do business” with “how we know how well we’re doing it.” Answer C is incorrect. A service-level agreement (SLA) is a written contract that documents service expectations. Answer B is incorrect. Supervisory control and data acquisition (SCADA) is a special class of network and system devices for data sharing, command, and control protocols used throughout the world for industrial process control, such as in electric power generation and transmission systems.

Q: What is the process of identifying everything that could be a key or valuable thing and adding it to an inventory system that tracks information about its acquisition costs, direct users, physical (or logical) location, and any relevant licensing or contract details?

A: Asset management

Explanation: Asset management identifies everything that could be a key or valuable asset (thing) and adds it to an inventory system that tracks information about its acquisition costs, its direct users, its physical (or logical) location, and any relevant licensing or contract details. It includes processes to periodically verify that tagged property (items that have been added to the formal inventory) is still in the company’s possession and has not disappeared, been lost, or been stolen. Answer C is incorrect. Configuration management is the process by which the organization decides what changes in controlled systems baselines will be made, when to implement them, and the verification and acceptance needs that the change and business conditions dictate as necessary and prudent. Answer A is incorrect. Incident management provides the ability in real time to decide when and how to intervene to prevent further damage, halt the incident, restore operational capabilities, and possibly request support from other emergency responders. Answer B is incorrect. Configuration control implements what the configuration management process decides and prevents unauthorized changes.

Q: As part of his team’s forensic investigation process, Matt signs drives and other evidence out of storage before working with them. What type of documentation is Matt maintaining?

A: Chain of custody

Explanation: Matt is helping to maintain the chain of custody documentation for his electronic evidence. This can be important if his organization needs to prove that the digital evidence they handled has not been tampered with. A better process would involve more than one person to ensure that no tampering was possible. Answers D and B are incorrect. The service-level agreement (SLA) or terms of reference (TOR) is the contractual agreement between a service provider and service consumer that specifies such things as service quality, quantities, timeliness and responsiveness, appropriate usage constraints, security provisions, backup and restore provisions, and others. Answer C is incorrect. The statement of work (SOW) is the narrative description of a project’s work requirement.

Q: Sally’s organization needs to be able to prove that certain staff members sent emails, and she wants to adopt a technology that will provide that capability without changing their existing email system. What is the technical term for the capability Sally needs to implement as the owner of the email system, and what tool could she use to do it?

A: Nonrepudiation; digital signatures

Explanation: Sally needs to provide nonrepudiation, the ability to provably associate a given email with a sender. Digital signatures can provide nonrepudiation and are her best option. Answer B is incorrect. IMAP (Internet Message Access Protocol) is a mail protocol. Integrity means that something is whole and complete and that its parts are smoothly joined together. Answer C is incorrect. Repudiation means denial of the truth or validity of something, and encryption is used for providing confidentiality. Answer A is incorrect. Authentication is the act of examining or testing the identity credentials provided by a subject that is requesting access. DKIM (DomainKeys Identified Mail) is a tool for identifying domains that send an email.

Q: An investment has been made in obtaining and producing information. The competitive advantage this information investment gives us is that others cannot take this information away and neutralize our advantage. Which of the following is about protecting such investment?

A: Confidentiality

Explanation: Confidentiality is about protecting the investment we have made in obtaining or producing information and the competitive advantage that information investment gives us so that others cannot take the information away from us and neutralize our advantage. Answer B is incorrect. Due care is making sure that you have designed, built, and used all the necessary and prudent steps to satisfy all of your responsibilities. Answer A is incorrect. Nonrepudiation refers to the characteristic of a communications system that prevents a user from claiming that they never sent or never received a particular message. Answer D is incorrect. Integrity means that the information as a set is reliable, complete, and correct, and has been created, modified, or used only by people and processes that we trust.

Q: Which of the following security programs is designed to provide employees with the knowledge they need to perform their specific work tasks?

A: Training

Explanation: Training is designed to provide employees with the specific knowledge they need to fulfill their job functions. It brings an employee into a position where they can do their job correctly, effectively, and conscientiously. Answer A is incorrect. Awareness is the state of being conscious of something. Answer C is incorrect. Education is the process of facilitating learning, or the acquisition of knowledge, skills, values, beliefs, and habits. Answer B is incorrect. Indoctrination is the process of inculcating a person with ideas, attitudes, cognitive strategies, or professional methodologies.

Q: The company Chris works for has notifications posted at each door reminding employees to be careful not to allow other people to enter when they do. Which type of control best describes this?

A: Directive

Explanation: Directive controls are actions taken to cause or encourage a desirable event to occur. Notifications and procedures like the signs posted at the company Chris works for are examples of directive controls. Answer B is incorrect. Detective controls are designed to operate after the fact; they are a type of internal control intended to find problems within a company’s processes once they have occurred. Answer A is incorrect. Physical controls are combinations of hardware, software, electrical, and electronic mechanisms that, taken together, prevent, delay, or deter somebody or something from physically crossing the threat surface around a set of system components you need to protect. Answer D is incorrect. Preventive controls are designed to stop an event and deter or mitigate undesired actions or events.

Q: Alan is installing a fire suppression system that will kick in after a fire breaks out and protect the equipment in the data center from extensive damage. What metric is Alan attempting to lower?

A: Impact

Explanation: Fire suppression systems do not stop a fire from occurring but do reduce the damage that fires cause. This is an example of reducing risk by lowering the impact of an event. Answer A is incorrect. Likelihood is the probability that the risk event will occur. Answer B is incorrect. The recovery time objective (RTO) is the amount of time in which system functionality or the ability to perform the business process must be back in operation. Answer C is incorrect. The recovery point objective (RPO) is the maximum data loss that the organization can tolerate because of a risk event.

Q: What principle of information security states that an organization should implement overlapping security controls whenever possible?

A: Defense in depth

Explanation: The defense in depth principle of information security states that organizations should have overlapping security controls designed to meet the same security objectives whenever possible. This principle provides security in the event of a single control failure. Answer A is incorrect. The chain of custody is the process of maintaining and documenting the handling of evidence. Answer D is incorrect. Separation of duties takes a business process that might logically be performed by one subject and breaks it down into subprocesses, each of which is allocated to a different, separate subject to perform. Answer B is incorrect. Revocation is the formal process of terminating access privileges for a specific identity in a system.

Q: Don’s company is considering the use of an object-based storage system where data is placed in a vendor-managed storage environment through the use of API calls. What type of cloud computing service is in use?

A: IaaS

Explanation: In this scenario, the vendor is providing object-based storage, which is a core infrastructure service. Therefore, this is an example of infrastructure as a service (IaaS). Infrastructure as a service provides CPU, storage, software-defined networking, and server capabilities on which users can host databases, compute-intensive applications, and other elements of their business logic. Answer A is incorrect. Software as a service (SaaS) provides a layer of application software on top of an IaaS foundation. Answer B is incorrect. Platform as a service (PaaS) provides a large-scale, feature-rich applications platform, again on top of an IaaS foundation. Answer C is incorrect. Identity as a service (IDaaS) delivers integrated sets of identity management services.

Q: Alex’s organization uses the NIST incident classification scheme. Alex discovers that a laptop belonging to a senior executive had keylogging software installed on it. How should Alex classify this occurrence?

A: Security incident

Explanation: NIST describes this type of event as a security incident because it is a violation or imminent threat of violation of security policies and practices. An incident is an event that could cause harm to the organization. In most organizations, an incident is defined as an activity that is a serious threat to or violation of the security policies, security practices, or acceptable use policies of the organization. Answer B is incorrect. Kill chain is an outcome-based planning concept and is geared to achieve national strategic, operational, or tactical outcomes as part of larger battle plans. Answers A and C are incorrect. Risk appetite, also called risk tolerance, is a subjective measure of how willing an organization’s senior leaders and managers are to accept risks.

Q: Chris is conducting a risk assessment for his organization and has determined the amount of damage that a single flood could be expected to cause to his facilities. What metric has Chris identified?

A: SLE

Explanation: Chris has identified the single loss expectancy (SLE), which is the amount of damage that a risk is expected to cause each time that it occurs. It is the total direct and indirect costs (or losses) from a single occurrence of a risk event. Answer D is incorrect. The recovery point objective (RPO) measures the data loss that is tolerable to the organization. Answer B is incorrect. The annual rate of occurrence (ARO) is an estimate of how many times per year a particular risk is considered likely to occur. Answer A is incorrect. The maximum allowable outage (MAO) is the greatest time period that business operations can be allowed to be disrupted by the risk event.

Q: A company is implementing asymmetric key cryptography for the emails of their employees. The company is concerned that employees may lose their private keys and will not be able to decrypt their messages. Which of the following is the best solution to this problem?

A: Key escrow

Explanation: Key escrows are trusted third parties that hold private keys for individuals or companies. If the private key is lost, the owner can verify their identity to the key escrow and have their key restored. Answer C is incorrect. Zeroization is the process by which cryptologic systems are cleared of all keying materials, plaintext, ciphertext, control parameters, and sometimes even their software and firmware. Answer B is incorrect. Key encapsulation is the process of wrapping an encryption key inside a data payload using some combination of symmetric and asymmetric encryption to provide for secure in-band key exchange. Answer A is incorrect. Data remanence is defined as the data that remains on or in a device or system after it has been shut down, powered off, or even physically removed from the larger information system it is a part of.

Q: Veronica is considering the implementation of a database recovery mechanism recommended by a consultant. In the recommended approach, an automated process will move database backups from the primary facility to an off-site location each night. What type of database recovery technique is the consultant describing?

A: Electronic vaulting

Explanation: The consultant is describing an electronic vaulting approach. It is another name for transmitting data offsite to either a physical storage location or a cloud storage location. At the physical storage location, the transmitted data is recorded onto tape or media, while at the cloud storage location, virtual storage techniques may be employed. Answer B is incorrect. A hypervisor runs within the virtualization platform and serves as the moderator between virtual resources and physical resources. Answer A is incorrect. Striping is a method of writing information to all disks at the same time. Answer C is incorrect. Load balancing clustering is a technique of utilizing various servers and systems in an array to spread the workload.

Q: Concho Controls is a midsize business focusing on building automation systems. They host a set of local file servers in their on-premises data center that store customer proposals, building plans, product information, and other data that is critical to their business operations. Tara works in the Concho Controls IT department and is responsible for designing and implementing the organization’s backup strategy, among other tasks. She currently conducts full backups every Sunday evening at 8 p.m. and differential backups throughout the weekdays at noon. Concho experiences a server failure at 3 p.m. on Wednesday. Tara rebuilds the server and wants to restore data from the backups. What backup should Tara apply to the server first?

A: Sunday’s full backup

Explanation: Tara first must achieve a system baseline. She does this by applying the most recent full backup to the new system. This is Sunday’s full backup. Once Tara establishes this baseline, she may then proceed to apply differential backups to bring the system back to a more recent state.

Q: Which of the following is the process of taking raw data from numerous sources, assimilating and processing it, and presenting the result in a way that can be easily interpreted and acted upon?

A: Event data analysis

Explanation: Event data analysis is the process of taking raw data from numerous sources, assimilating and processing it, and presenting the result in a way that can be easily interpreted and acted upon. The security practitioner should understand the sources of the data and what the data represents. Answer A is incorrect. Business impact analysis is a consolidated statement of how different risks could impact the prioritized goals and objectives of an organization. Answer B is incorrect. Gap analysis focuses on places where the functions performed by one element of the system do not quite meet the expectations or needs of the next element in line in a process chain, and thus indicate an exploitable vulnerability or point of possible failure. Answer C is incorrect. Traffic analysis is a cryptanalysis attack that attempts to deduce the meaning of encrypted communications by looking for patterns in the sender and recipient address information, protocols or packet types, volumes and timing, and just plain coincidences.

Q: Marty discovers that his organization allows any user to log into the workstation assigned to any other user, even if they are from completely different departments. This type of access violates which information security principle?

A: Least privilege

Explanation: According to the scenario, this type of access is most directly a violation of least privilege because it grants users privileges that they do not need for their job functions. Using the least privilege concept gives a privileged account only the minimum rights and capabilities required for the role. Answer A is incorrect. Provisioning starts with the initial claim of identity and a request to create a set of credentials for that identity. Answer B is incorrect. Revocation is the formal process of terminating access privileges for a specific identity in a system. Answer C is incorrect. Aggregation is the accumulation of privileges over time.

Q: Alice wants to send Bob a message with the confidence that Bob will know the message was not altered while in transit. What goal of cryptography is Alice trying to achieve?

A: Integrity

Explanation: Alice is trying to achieve integrity, which ensures that unauthorized changes are not made to data while stored or in transit. It means that the information as a set is reliable and has been created, modified, or used only by people and processes that are trusted. Answer C is incorrect. Confidentiality refers to how much an individual trusts that the information they are about to use to make a decision has not been seen by unauthorized people. Answer D is incorrect. Nonrepudiation refers to the characteristic of a communications system that prevents a user from claiming that they never sent or never received a particular message. Answer A is incorrect. Authentication is the act of examining or testing the identity credentials provided by a subject that is requesting access.

Q: Which value sets the maximum time lag or latency time for data to be considered useful for business operations?

A: RPO

Explanation: The recovery point objective (RPO) sets the maximum time lag or latency time for data to be considered useful for business operations. The recovery time objective (RTO) is the time by which the systems must be restored to normal operational functions after the occurrence of this risk event. The maximum allowable outage (MAO) is the greatest time period that business operations can be allowed to be disrupted by the risk event. The annual rate of occurrence (ARO) is the anticipated number of times per year that such an event may occur.

Q: Which of the following is an application system that provides a centralized capability to collect, assess, monitor, and analyze information pertaining to precursors, indicators, and information security events?

A: SIEM

Explanation: Security information and event management (SIEM) is an application system that provides a centralized capability to collect, assess, monitor, and analyze information pertaining to precursors, indicators, and information security events. Supervisory control and data acquisition (SCADA) is a special class of network and systems devices for data sharing, command, and control protocols used throughout the world for industrial process control, such as in electric power generation and transmission systems. Software-defined networks (SDN) use network management and virtualization tools to completely define the network in software. Network access control (NAC) is the set of services that give network administrators the ability to define and control what devices, processes, and persons can connect to the network or to individual subnetworks or segments of that network.

Q: What is the process by which the organization’s IT infrastructure, applications, data, and workflows are reestablished and declared operational?

A: Recovery

Explanation: Recovery is the process by which the organization’s IT infrastructure, applications, data, and workflows are reestablished and declared operational. Containment is the process of identifying the affected or infected systems elements and isolating them from the rest of your systems to prevent the disruption-causing agent. Eradication is the process of identifying every instance of the causal agent and its associated files, executables, and so forth from all elements of your system. Exfiltration is defined as the unauthorized movement by copying data from within an information system, whether by an authorized user or an external, unauthorized attacker.

Q: The incident response framework consists of a series of steps that start with which of the following phases?

A: Detection

Explanation: The incident response framework is defined as a formal plan or process for managing the organization’s response to a suspected information security incident. It consists of a series of steps that start with detection and run through response, mitigation, reporting, recovery, and remediation, ending with the lessons learned and onward preparation phase.

Q: Which of the following considers how to keep core business logic and processes operating safely and reliably in the face of disruptive incidents?

A: Business continuity planning

Explanation: Business continuity planning considers how to keep core business logic and processes operating safely and reliably in the face of disruptive incidents. Disaster recovery planning must concern itself with significant loss of life, injury to people, damage to organizational assets (or the property or assets of others), and significant disruption to normal business operations. Critical asset protection planning looks at the protection required for strategic, high-value, or high-risk assets to prevent significant loss of value, utility, or availability of these assets to serve the organization’s needs. Physical security and safety planning focuses on preventing unauthorized physical access to the organization’s premises, property, systems, and people.

Q: Which of the following is not a step of the PDCA model?

A: Analysis

Explanation: PDCA is an iterative four-step management model used in business for the control and continuous improvement of processes and products. The steps of the PDCA model are plan, do, check, and act.

Q: Which of the following types of actions or responses would you not expect to see in an information security incident response plan?

A: Relocation of business operations to alternate sites

Explanation: The relocation of business operations is typically part of disaster recovery plans. Option B, off-site systems and data archives, may well be used in the restoration phase of an information security incident response. Options A and C are parts of incident response, continuity, and recovery planning.

Q: Which of the following is an outcome-based planning concept and is geared to achieve national strategic, operational, or tactical outcomes as part of larger battle plans?

A: Kill chain

Explanation: Kill chain is an outcome-based planning concept and is geared to achieve national strategic, operational, or tactical outcomes as part of larger battle plans. Eradication is the process of identifying every instance of the causal agent and its associated files, executables, etc. from all elements of your system. The incident response framework is defined as a formal plan or process for managing the organization’s response to a suspected information security incident. An event of interest is defined as something that happens that might be an indicator of something that might impact your information systems security.

Q: What should be your highest priority as you consider improving the information security of your organization’s telephone and voice communication systems?

A: Ensuring that users, managers, and leaders understand the risks of sharing sensitive information with the wrong parties and that effective administrative controls support everyone in protecting information accordingly

Explanation: You should correctly focus on what people in your organization need to know: how and why to protect the organization, by controlling what they say to others. Option A is not correct; most of the risk is in what people say to each other over these systems, and technical controls can do little to mitigate this. Option B is incorrect; the service provider has no role in how you keep your people from saying the wrong things to the wrong parties. Option D is incorrect; a signed NDA may make the employee signing it aware of the restrictions, and provide authority for sanctions (such as litigation, termination, etc.), but it doesn’t help operationally in achieving information security.

Q: Which way to prioritize the team’s efforts in responding to an incident looks to the nature of the business processes, objectives, or outcomes that are put at risk by the incident?

A: Functional impact

Explanation: Functional impact looks to the nature of the business processes, objectives, or outcomes that are put at risk by the incident. Information impact considers whether the incident risks unauthorized disclosure, exfiltration, corruption, deletion, or other unauthorized changes to information assets. Recoverability involves whether the impact of the incident is eliminated or significantly reduced if the incident is promptly and thoroughly contained. Operability is not a way to prioritize the team’s efforts in responding to an incident.

Q: Which statement about planning and plans is correct?

A: Planning should continuously bring plans and procedures in tune with ongoing operational reality.

Explanation: Planning should be an ongoing, continuous, and iterative process; plans are thus continually tested against reality so that changes to plans and procedures stay harmonized. Option B is incorrect because plans are not living documents and planning is an iterative process. Option C is incorrect; plans are good, useful, and necessary, but it is the planning process that brings the team together to better understand needs versus resources.

Q: Which of the following examples illustrates a precursor concept?

A: Server or other logs that indicate a vulnerability scanner has been used against a system.

Explanation: A precursor is a sign, signal, or observable characteristic of the occurrence of an event that in and of itself is not an attack but that might indicate that an attack could happen in the future.

Q: Which statement about phishing attacks is correct?

A: Phishing attacks of all kinds are still in use because they can be effective social engineering tools when trying to do reconnaissance or gain illicit entry into an organization or its systems.

Explanation: Phishing attacks of all kinds are still in use because they can be effective social engineering tools when trying to do reconnaissance or gain illicit entry into an organization or its systems. Option B is false; even if thousands of phishing emails are sent as part of a low-and-slow attack, one response can generate exploitable information for the attacker. Option D is false because the phishing attack is a social engineering attack. Option A is false; attackers work hard to mimic the style, format, expression, and construction of their phishing emails, and continually attempt to spoof email addresses, domain names, and so forth. Tools may filter a lot of such junk email for you, but they won’t catch it all.

Q: In general, what differentiates phishing from whaling attacks?

A: Phishing attacks tend to be used to gain access to systems via malware payloads or by getting recipients to disclose information, whereas whaling attacks try to get responsible managers to authorize payments to the attacker’s accounts.

Explanation: Phishing attacks tend to be used to gain access to systems via malware payloads or by getting recipients to disclose information, whereas whaling attacks try to get responsible managers to authorize payments to the attacker’s accounts. Option B is incorrect; whaling is primarily aimed at senior business leaders, whereas phishing can be aimed at anybody, anywhere, if the attacker perceives there is something worthwhile to learn in doing so. Option C has these reversed; whaling attacks depend on the credibility of the business transaction they request. Option D is incorrect as there is a difference between these two attacks.

Q: Which plan would you expect to be driven by assessments such as SLE (single loss expectancy), ARO (annual rate of occurrence), or ALE (annual loss expectancy)?

A: Risk management plan

Explanation: Risk management plan

Q: Social engineering attacks present a threat to organizations and individuals for all of the following reasons except which of the following?

A: Most targeted individuals and organizations have effective tools and procedures to filter out phishing and related scams, so they are now better protected from such attacks.

Explanation: Most targeted individuals and organizations have effective tools and procedures to filter out phishing and related scams, so they are now better protected from such attacks.

Q: What is the key step or process in the recovery phase of responding to an information security incident?

A: Restoring databases and network storage systems to backup copies made prior to the incident

Explanation: Restoring databases and network storage systems to backup copies made prior to the incident is one of the key steps in the recovery phase. Options D and A are the critical steps of the post-recovery activities and thus are incorrect. Option C is incorrect; verification of complete containment and eradication should be done as part of containment and eradication, prior to starting recovery tasks.

Q: Which statement about containment or eradication is correct?

A: Containment primarily addresses shutting down connectivity between networks, subnets, systems, and servers. Eradication addresses locating the causal agents (malware, bogus user IDs, etc.) and removing them from each system.

Explanation: Containment primarily addresses shutting down connectivity between networks, subnets, systems, and servers. Eradication addresses locating the causal agents (malware, bogus user IDs, etc.) and removing them from each system.

Q: Which of the following is the process of maintaining and documenting the handling of evidence?

A: Chain of custody

Explanation: The process of maintaining and documenting the handling of evidence is referred to as the chain of custody. Separation of duties takes a business process that might logically be performed by one subject and breaks it down into subprocesses, each of which is allocated to a different, separate subject to perform. Privilege creep happens when duties have changed and yet privileges that are no longer actually needed remain in effect for a given user. Revocation is the formal process of terminating access privileges for a specific identity in a system.

Q: Which term is defined as the fraction of the value of an asset, a process, or an outcome that will be lost from a single occurrence of the risk event?

A: EF

Explanation: The exposure factor (EF) is the fraction of the value of an asset, a process, or an outcome that will be lost from a single occurrence of the risk event. The annual rate of occurrence (ARO) is the anticipated number of times per year that such an event may occur. The safeguard value (SV) is the cost to install, activate, and use the risk mitigation controls that provide protection from the impact of this risk event. The maximum allowable outage (MAO) is the greatest time period that business operations can be allowed to be disrupted by the risk event.

Q: Which statement about precursors or indicators is correct?

A: Precursors are the observable signals from an event, which may suggest that an information systems security event may happen later.

Q: All of the following are the key tasks to consider as part of the containment of an information security incident except for which one?

A: Prompting updates to procedures and content for internal and external communication and coordination during and after an incident response