Cybersecurity Concepts and Techniques, Exams of Programming Languages

A wide range of cybersecurity topics, including common attack vectors, logging and monitoring, network protocols, security controls, risk management, and incident response. It provides an overview of fundamental cybersecurity principles and practices that are essential for understanding and defending against various cyber threats. The content is structured in a question-and-answer format, covering a diverse set of security-related concepts and techniques. This document could be valuable for students, professionals, or lifelong learners interested in gaining a comprehensive understanding of cybersecurity fundamentals and best practices.

Typology: Exams

2024/2025

Available from 10/05/2024

zaza-maica 🇬🇧

Partial preview of the text

Official (ISC)² SSCP 2024-2025. Questions and Correct Answers. Graded A+

_____ is the authoritative entity which lists port assignments.
A. IANA
B. ISSA
C. Network Solutions
D. Register.com
E. InterNIC
Answer: A. IANA

_________ is a form of Denial of Service attack which interrupts the TCP three-way handshake and leaves half-open connections.
A. DNS Recursion
B. NMAP
C. Land Attack
D. SYN Flooding
E. Port Scanning
Answer: D. SYN Flooding

_________ is a protocol developed by Visa and MasterCard to protect electronic transactions.
A. SSL
B. SHA-1
C. HMAC
D. SET
E. ETP
Answer: D. SET

_________ is the act of a user professing an identity to a system.
A. Validation
B. Authentication
C. Identification
D. Confirmation
Answer: C. Identification

__________ attacks capitalize on programming errors and can allow the originator to gain additional privileges on a machine.
A. SYN Flood
B. Buffer Overflow
C. Denial of Service
D. Coordinated
E. Distributed Denial of Service
Answer: B. Buffer Overflow

__________ is the most famous Unix password cracking tool.
A. SNIFF
B. ROOT
C. NMAP
D. CRACK
E. JOLT
Answer: D. CRACK

___________ programs decrease the number of security incidents, educate users about procedures, and can potentially reduce losses.
A. New hire orientation
B. HR Briefings
C. Security Awareness
D. Employee Termination
Answer: C. Security Awareness

____________ is a file system that was poorly designed and has numerous security flaws.
A. NTS
B. RPC
C. TCP
D. NFS
E. None of the above
Answer: D. NFS

____________ is used in mission critical systems and applications to lock down information based on sensitivity levels (Confidential, Top Secret, etc.).
A. MAC - Mandatory Access Control
B. DAC - Discretionary Access Control
C. SAC - Strategic Access Control
D. LAC - Limited Access Control
Answer: A. MAC - Mandatory Access Control

_____________ states that users should only be given enough access to accomplish their jobs.
A. Separation of Duties
B. Due Diligence
C. Concept of Least Privilege
D. All of the listed items are correct
Answer: C. Concept of Least Privilege

___________________ is ultimately responsible for security and privacy violations.
A. Person committing the violation
B. Security Officer
C. CIO / CEO
D. OS Software
Answer: C. CIO / CEO

___________________ viruses change the code order of the strain each time they replicate to another machine.
A. Malicious
B. Zenomorphic
C. Worm
D. Super
E. Polymorphic
Answer: E. Polymorphic

___________, generally considered "need to know" access, is given based on permissions granted to the user.
A. MAC - Mandatory Access Control
B. DAC - Discretionary Access Control
C. SAC - Strategic Access Control
D. LAC - Limited Access Control
Answer: B. DAC - Discretionary Access Control

________, _________, and __________ are required to successfully complete a crime. (Choose three)
A. Root kit
B. Motive
C. Buffer Overflow
D. Means
E. Opportunity
F. Advantage
Answer: B. Motive, D. Means, E. Opportunity. Means, motive, and opportunity are the three items needed to commit a crime.

An application has received more input than it expected and the resulting error has exposed normally protected memory. What is the best explanation for what happened?
A. Phishing attack
B. Salami attack
C. Buffer overflow
D. Session hijacking
Answer: C. A buffer overflow occurs when an application receives more input than it expected and does not handle the error gracefully. Attackers exploit buffer overflows to insert malware into systems. The best protection against a buffer overflow is to keep systems up to date; in code you control, bounds-check every copy into a fixed-size buffer. A phishing attack is sent through e-mail. A salami attack uses multiple small, usually unnoticeable actions, such as shaving a penny off a transaction. Session hijacking attempts to take over a session.
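The SYN flooding question above describes the symptom a defender actually looks for: half-open connections left behind when the three-way handshake is never completed. The following is an added example, not part of the exam text: a small Python check that counts half-open entries (SYN_RECV, the Linux state name) per remote host in `netstat -ant`-style output. The sample output is constructed, and the threshold of 5 is an assumed tuning value.

```python
"""Flag remote hosts holding many half-open (SYN_RECV) TCP connections.

Added example: parses text in the column layout of `netstat -ant`.
SAMPLE_NETSTAT is constructed, not captured from a real host.
"""
from collections import Counter

# Constructed sample: one established client, one source (198.51.100.7)
# parked in SYN_RECV five times, and one unrelated half-open connection.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:443            203.0.113.10:51522      ESTABLISHED
tcp        0      0 10.0.0.5:443            198.51.100.7:40001      SYN_RECV
tcp        0      0 10.0.0.5:443            198.51.100.7:40002      SYN_RECV
tcp        0      0 10.0.0.5:443            198.51.100.7:40003      SYN_RECV
tcp        0      0 10.0.0.5:443            198.51.100.7:40004      SYN_RECV
tcp        0      0 10.0.0.5:443            198.51.100.7:40005      SYN_RECV
tcp        0      0 10.0.0.5:22             203.0.113.44:60010      SYN_RECV
"""


def half_open_by_source(netstat_text: str) -> Counter:
    """Count SYN_RECV rows per remote IP (port stripped off the foreign address)."""
    counts: Counter = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        # Expected columns: proto recv-q send-q local foreign state
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue  # header line or non-TCP row
        foreign, state = fields[4], fields[5]
        if state != "SYN_RECV":
            continue
        host = foreign.rsplit(":", 1)[0]  # drop the ephemeral source port
        counts[host] += 1
    return counts


def total_half_open(netstat_text: str) -> int:
    """Total half-open connections; the number a spoofed-source flood inflates."""
    return sum(half_open_by_source(netstat_text).values())


def suspected_syn_flooders(netstat_text: str, threshold: int = 5) -> list:
    """Remote hosts with at least `threshold` half-open connections (assumed cutoff)."""
    counts = half_open_by_source(netstat_text)
    return sorted(host for host, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for host, n in half_open_by_source(SAMPLE_NETSTAT).most_common():
        print(f"{host:16} half-open={n}")
    print("total half-open:", total_half_open(SAMPLE_NETSTAT))
    print("suspected flooders:", suspected_syn_flooders(SAMPLE_NETSTAT))
```

Caveat: a flood that spoofs random source addresses shows up as many hosts with one half-open entry each, so watch the total as well as the per-source count. The usual kernel-side mitigation is SYN cookies (`net.ipv4.tcp_syncookies=1` on Linux), which lets the server stop keeping state for half-open connections.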
An organization has a business location in Miami, Florida. Due to [...]

[...] Extractor (COFEE) to help law enforcement forensic experts, and hackers developed Detect and Eliminate Computer Assisted Forensics (DECAF) as an antiforensics tool. Neither COFEE nor DECAF provides proof that the evidence was controlled after collection. Audit logs can be used in a forensic investigation, but they don't validate evidence.

Which of the following is a virtual table and allows a user access to a limited amount of data within a table?
A. View
B. Tuple
C. Row
D. Foreign key
Answer: A. A view is a virtual table that provides access to specific columns in one or more tables, allowing a user to access a limited amount of data. A tuple is the same as a row and contains a single record, but it is not a virtual table. Tables are linked together with foreign keys.

Which of the following is an accurate statement related to asymmetric encryption?
A. It is used to privately share a private key.
B. It is used to privately share a public key.
C. It is used to privately share a secret key.
D. It is faster than symmetric encryption.
Answer: C. Asymmetric encryption is used to privately share a secret key (or session key). Asymmetric encryption uses a matched pair of keys known as a private key and a public key. The private key is never shared, and the public key is publicly shared in a certificate. Symmetric encryption is faster than asymmetric encryption.

Which one of the following concepts provides the strongest security?
A. Defense in depth
B. Nonrepudiation
C. Security triad
D. AAAs of security
Answer: A. Defense in depth provides a layered approach to security by implementing several different security practices simultaneously, and is the best choice of the available answers. The security triad (confidentiality, integrity, and availability) identifies the main goals of security. Nonrepudiation prevents an individual from denying that he or she took an action. The AAAs of security are authentication, authorization, and accounting.

Which one of the following is a valid step to perform during a business impact analysis?
A. Identify alternative locations
B. Create a plan to restore critical operations
C. Identify resources needed by critical business functions
D. Identify minimum outage times for key business services
Answer: C. A core goal of a BIA is to identify critical business functions and the resources they need. Identifying alternative locations is part of a business continuity plan (BCP). A disaster recovery plan (DRP) is a plan to restore critical operations. A BIA does identify maximum acceptable outage times, but not minimum outage times.

A virus is detected on a system based on the virus's behavior. What detected the virus?
A. Heuristics
B. A virus fingerprint
C. A virus filter
D. A signature
Answer: A. Heuristics detect malware based on its behavior and are designed to catch previously unknown viruses. There's no such thing as a virus filter or a virus fingerprint, although a virus signature does uniquely identify known malware, much as a fingerprint identifies a person.

An attacker has collected several pieces of unclassified information to deduce a conclusion. What is this called?
A. Data mining
B. Database normalization
C. OLAP
D. Data inference
Answer: D. Data inference occurs when someone is able to piece together unclassified information to predict or guess an outcome. Data mining is the process of retrieving relevant data from a large database. Database normalization is the process of dividing the data into multiple tables to reduce duplication. Online analytical processing (OLAP) uses techniques that make it easier to retrieve data.

An organization has implemented several controls to mitigate risks. However, some risk remains. What is the name of the remaining risk?
A. Vulnerable risk
B. Mitigated risk
C. Alternate risk
D. Residual risk
Answer: D. Residual risk is any risk that remains after implementing controls to mitigate the risk. It's often not cost effective to implement controls that eliminate all risk, so senior management must decide what risk to mitigate and what risk to accept as residual risk. Vulnerable risk and alternate risk are not valid risk-management terms.

In general, what elements need to come together for a crime?
A. Means, motive, and opportunity
B. Criminal, software, and hardware
C. Discovery, theft, and benefit
D. Attacker, attackee, and method
Answer: A. The three commonly quoted elements for a crime are means (the ability to commit the crime), motive (such as money or revenge), and opportunity (the chance to commit the crime). Crimes can be committed without software or hardware. Criminals can commit crimes (such as vandalism or destruction) without theft. Similarly, criminals can commit crimes (such as theft) without an attack.

Of the following choices, what is NOT one of the methods or goals of hardening a server?
A. Reducing the attack surface
B. Keeping a system up to date
C. Disabling firewalls
D. Adding AV software
Answer: C. Disabling firewalls is not a method used to harden a server; administrators enable firewalls to harden a server. All of the other answers are valid methods or goals of hardening a server. Administrators reduce the attack surface by disabling or removing unneeded services and protocols.

What is a common standard used to encrypt and digitally sign e-mail?
A. Symmetric encryption
B. S/MIME
C. TLS
D. Steganography
Answer: B. Secure/Multipurpose Internet Mail Extensions (S/MIME) is the standard used to encrypt and digitally sign e-mail. Symmetric encryption uses a single key to encrypt and decrypt data, but cannot digitally sign e-mail. Transport Layer Security (TLS) encrypts data sent over a network and is used with HTTPS. Steganography is the practice of hiding data within data or in plain sight.

What is MTO in relation to [...]

[...] characters when they enter data. What is the website trying to prevent?
A. SQL injection attack
B. Cross-site scripting attack
C. Input validation attack
D. Trojan horse
Answer: B. Cross-site scripting (XSS) injects HTML or JavaScript into a web page, and input validation helps prevent XSS attacks. Here users are prevented from entering HTML or JavaScript tags, which start with < and end with >. SQL injection payloads are built from quote characters, comment sequences, and SQL keywords rather than from angle brackets, so this check is aimed at XSS, not SQL injection. Input validation is a prevention technique, not an attack. A Trojan horse is an application that looks like something useful but is actually malicious.

An employee makes unauthorized changes to data as he is entering it. What is this?
A. Data diddling
B. Data entry
C. Data inference
D. Data deduplication
Answer: A. Data diddling is the unauthorized changing of data before or while entering it into a system. While the employee is involved with data entry, data entry by itself doesn't indicate the employee is making unauthorized changes. Data inference occurs when someone is able to put together unclassified pieces of information to predict or guess an outcome. Data deduplication stores a file only once on a system, even if users attempt to store copies in multiple locations.

Countries sometimes engage in espionage against other countries. What is this called?
A. Cyberbullying
B. Cyberstalking
C. Cyberwarfare
D. Cyberterrorism
Answer: C. Cyberwarfare is a politically motivated attack on entities in another country, done for sabotage and/or espionage. Cyberbullying occurs when one person harasses, coerces, or intimidates another using the Internet. Cyberstalking is more serious than cyberbullying and is a criminal act. Cyberterrorism is the use of the Internet to launch terrorist attacks.

Of the following choices, what is a primary purpose of a honeypot?
A. To give administrators an opportunity to observe new exploits
B. To give administrators an opportunity to observe new controls
C. To give administrators an opportunity to perform vulnerability tests
D. To give administrators an opportunity to perform penetration tests
Answer: A. A honeypot entices would-be attackers, luring them away from the live network, and gives administrators an opportunity to observe the attacker. The honeypot is a security control, but it doesn't provide an opportunity to observe new controls. It does not perform vulnerability or penetration tests.

Of the following choices, what is NOT provided with a digital signature used for e-mail?
A. Authentication
B. Integrity
C. Confidentiality
D. Nonrepudiation
Answer: C. A digital signature does not provide confidentiality because it does not encrypt the data. A digital signature does provide authentication, integrity, and nonrepudiation. It's possible to digitally sign an e-mail without encrypting it.

Of the following choices, which one is NOT a recommended strategy for audit logs?
A. Review the logs regularly
B. Archive logs for later review
C. Periodically overwrite logs
D. Store logs on remote servers
Answer: C. If you periodically overwrite logs, it is no longer possible to review them. All of the other choices (review the logs, archive the logs, and store logs on remote servers) are recommended strategies to retain the integrity of audit logs.

Of the following choices, which provides high-level guidance to employees?
A. Procedure
B. Policy
C. Action steps
D. Disaster recovery plan
Answer: B. Policies provide high-level guidance to employees. Procedures include action steps to accomplish tasks. A disaster recovery plan can include one or more procedures to use in response to a disaster.
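The XSS question above describes a site that refuses any input containing < or >. That check does stop a `<script>` tag, but it is not the whole story, and the following added example (not from the exam) shows both sides: the blocklist as described, and an attribute-breakout payload that passes it because it needs neither character. The fix is to encode the value for the context it is written into, which the standard library's `html.escape` does. Function names and payload strings are constructed for this illustration.

```python
"""Angle-bracket blocklist versus context-aware output encoding.

Added example. `passes_angle_bracket_filter` models the check the question
describes; the render_* functions show why output encoding is still needed.
"""
import html

TAG_CHARS = "<>"

# Constructed payloads.
TAG_PAYLOAD = "<script>alert(1)</script>"
# Attribute breakout: closes the quoted value, adds an event handler, and
# reuses the page's own closing quote. It contains no '<' and no '>'.
ATTR_PAYLOAD = '" onfocus="alert(1)" autofocus="'


def passes_angle_bracket_filter(value: str) -> bool:
    """The question's input-validation rule: reject anything containing < or >."""
    return not any(ch in value for ch in TAG_CHARS)


def render_attribute_unsafe(value: str) -> str:
    """Deliberately vulnerable: relies on the blocklist alone, then interpolates."""
    return f'<input name="q" value="{value}">'


def render_attribute(value: str) -> str:
    """Hardened: escape &, <, >, \" and ' for an HTML attribute context."""
    return f'<input name="q" value="{html.escape(value, quote=True)}">'


def demo() -> dict:
    """Summarise what the filter catches and what only encoding catches."""
    return {
        "tag_payload_blocked": not passes_angle_bracket_filter(TAG_PAYLOAD),
        "attr_payload_passes_filter": passes_angle_bracket_filter(ATTR_PAYLOAD),
        "unsafe_markup": render_attribute_unsafe(ATTR_PAYLOAD),
        "safe_markup": render_attribute(ATTR_PAYLOAD),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the unsafe rendering the browser sees a new `onfocus` attribute and runs it; in the hardened one every quote inside the value is `&quot;`, so the payload stays inert text. Blocklisting characters is a useful first line, but the reliable control is encoding on output for the exact context (attribute, element body, URL, JavaScript string).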
What are the AAAs of information security?
A. Authentication, availability, and authorization
B. Accounting, authentication, and availability
C. Authentication, authorization, and accounting
D. Availability, accountability, and authorization
Answer: C. The AAAs of information security are authentication, authorization, and accounting. Availability is part of the CIA security triad (confidentiality, integrity, and availability), but it is not part of the AAAs.

What port does a TLS VPN typically use?
A. 80
B. 88
C. 143
D. 443
Answer: D. A Transport Layer Security (TLS) virtual private network (VPN) typically uses TCP port 443, the same port as HyperText Transfer Protocol Secure (HTTPS). HyperText Transfer Protocol (HTTP) uses TCP port 80. Kerberos uses port 88. Internet Message Access Protocol version 4 (IMAP4) uses port 143.

What should users do to ensure that antivirus software can detect recently released viruses?
A. Update signatures
B. Update the operating system
C. Update the AV software
D. Regularly purchase new AV software
Answer: A. Antivirus software uses signature definition files to detect viruses, and these signatures must be regularly updated. It's not necessary to update the operating system, update the AV software, or purchase new AV software to detect recently released viruses.

Which of the following best describes maximum tolerable downtime?
A. The maximum amount of downtime before a business loses viability
B. The point in time to which a failed database should be restored
C. The maximum amount of time that can be taken to restore a system or process
D. The minimum amount of time that can be taken to restore a system or process
Answer: A. The maximum allowable outage (MAO), sometimes called maximum tolerable downtime (MTD), indicates the maximum amount of downtime a business can tolerate and still maintain viability. Recovery point objective (RPO) indicates the point in time to which a failed database should be restored. Recovery time objective (RTO) represents the maximum amount of time that can be taken to restore a system or process after an outage. MTD is not related to minimum timeframes.

Which of the following most accurately reflects differences between risk management and a risk assessment?
A. A risk assessment is a point-in-time event, while risk management is an ongoing process.
B. Risk management is a point-in-time event, while a risk assessment is an ongoing process.
C. Risk assessments are broad in scope, while risk management is focused on a specific system.
D. Risk management is one part of an overall risk assessment strategy for an organization.
Answer: A. A risk assessment is a point-in-time event, while risk management is an ongoing process. Risk assessment is one element of a risk management strategy; risk assessments are generally focused on specific systems with a limited scope, while risk management is much broader.

What is RPO in relation to business continuity planning?
A. Restoring potential outage
B. Recovery point objective
C. Restoration process option
D. Recovery process options
Answer: B. RPO stands for recovery point objective and indicates the point in time to which a failed database should be restored. The other answers are not valid terms for RPO within business continuity planning.

What is the purpose of mandatory vacations in relation to security?
A. To ensure that employees do not burn out
B. To ensure that employees take time to relax
C. To reduce the payroll of an organization
D. To reduce the chance of fraud
Answer: D. A mandatory vacation policy can reduce the chance of fraud by requiring other employees to take over the tasks and responsibilities of a vacationing employee. While vacations help employees relax and reduce the chance of burnout, these matters aren't as relevant to security as reducing the chance of fraud. While some companies implement mandatory vacations to reduce payroll expenses during periods of low activity, this is not a security policy.

What is the purpose of reviewing logs?
A. Detecting potential security events
B. Preventing potential security events
C. Correcting potential security events
D. Deterring potential security events
Answer: A. Security professionals and auditors can detect potential security events by reviewing logs after the event has occurred. Reviewing the logs doesn't prevent an incident that has already occurred, and it does not by itself correct the effects of an incident. While logging some activity, such as on proxy servers, can deter events, reviewing the logs doesn't deter the activity.

What is used to create a digital signature used with e-mail?
A. The public key of the sender
B. The private key of the sender
C. The public key of the recipient
D. The private key of the recipient
Answer: B. A digital signature is created by hashing a message and encrypting the hash with the sender's private key. The recipient decrypts the hash with the sender's public key and compares it with a hash computed over the received message. The recipient's keys are not used for a digital signature, but they are used to encrypt and decrypt e-mail.

Which of the following accurately identifies a difference between FTP and TFTP?
A. FTP uses UDP and TFTP uses TCP.
B. FTP supports authentication, but TFTP does not support authentication.
C. TFTP sends data across a network in cleartext, but FTP encrypts data.
D. TFTP is primarily used to transfer large files, and FTP is used to transfer configuration information to and from network devices.
Answer: B. File Transfer Protocol (FTP) supports authentication, but Trivial FTP (TFTP) does not. FTP uses TCP ports 20 and 21, while TFTP uses UDP port 69. Both FTP and TFTP send data across a network in cleartext. FTP can be protected with TLS (FTPS), or replaced by SFTP, which runs over Secure Shell (SSH) and is a distinct protocol despite the similar name. TFTP is commonly used to transfer configuration files to and from network devices, and FTP is primarily used to transfer large files.

You want to ensure that a system can identify individual users, track their activity, and log their actions. What does this provide?
A. Accountability
B. Availability
C. Authentication
D. Authorization
Answer: A. If a system can identify individual users, track their activity, and log their actions, it provides accountability. Availability ensures the system is operational when needed. Authentication verifies an individual's identity using credentials. Authorization identifies the resources a user can access.

A company authorizes users to transport data from work to home using USB drives. What's the best method of protecting systems from malware without affecting the user?
A. Install AV software on the network firewall
B. Install AV software on the e-mail server
C. Install AV software on each user's work computer
D. Prevent users from using USB drives
Answer: C. Installing AV software on each user's work computer provides the best protection against a user inadvertently transporting malware from home to work. Installing software on the network firewall and on an e-mail server is good practice, but it won't help if the virus is transported via a USB drive. Preventing the users from using USB drives will affect the users.

An attacker sends an e-mail to many members of an organization and spoofs the From address so that the e-mail looks like it came from within the organization. The e-mail tries to trick recipients into following a link. What is the best definition of this action?
A. Phishing
B. Spear phishing
C. Whaling
D. Vishing
Answer: B. Spear phishing is a phishing tactic that targets a specific organization. Phishing doesn't target individual organizations, but instead casts a wide net, hoping to catch someone. Whaling targets a specific individual, such as an executive. Vishing uses voice methods such as the telephone or VoIP.

Of the following choices, what indicates the primary improvement that MS-CHAPv2 included over previous protocols?
A. Support for biometrics
B. Use of certificates
C. Mutual authentication
D. Use of a nonce
Answer: C. MS-CHAPv2 uses mutual authentication, where the client [...]

[...] for remotely accessing systems of the given choices. Telnet, rlogin (remote login), and rexec (remote execute) all send data across a network in cleartext.

Which of the following would most likely be used to encrypt data in an e-mail message before it is sent?
A. The public key of the sender
B. The private key of the sender
C. The public key of the recipient
D. The private key of the recipient
Answer: C. E-mail is encrypted using the recipient's public key. In practice the recipient's public key encrypts a symmetric key, and that symmetric key encrypts the e-mail. The recipient uses the recipient's private key to decrypt the symmetric key and then decrypts the message with the symmetric key. The sender's keys are not used to encrypt or decrypt e-mail.

Your organization has contracted with a security organization to test your network's vulnerability. The security organization is not given access to any internal information from the company. What type of test will the organization perform?
A. White box testing
B. Gray box testing
C. Black box testing
D. Partial knowledge testing
Answer: C. A black box test (also called a zero knowledge test) is performed without any inside knowledge of the organization. A white box test (also called a full knowledge test) is performed with full access to internal documentation. A gray box test (also called a partial knowledge test) is performed with some internal knowledge.
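The e-mail key questions above (asymmetric encryption shares a secret key, a signature is made with the sender's private key, a signature does not provide confidentiality, the message is encrypted with the recipient's public key) all describe one hybrid scheme. The following is an added example, not the exam's or any product's code: textbook RSA built from the Python standard library so that each key's role is visible in a few lines. It omits padding and uses a 512-bit toy modulus, so it must not be reused for anything real; an S/MIME client relies on a vetted library with RSA-PSS/OAEP or ECC. Key sizes, the message text and all function names are assumptions made for this illustration.

```python
"""Hybrid e-mail protection with textbook RSA (illustration only).

Added example. NOT secure: no padding, toy 512-bit modulus. Real S/MIME
uses a vetted library with RSA-PSS/OAEP or ECC. Names and sizes assumed.
"""
import hashlib
import secrets
from dataclasses import dataclass


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin test; adequate for generating a toy key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # odd, full length
        if _is_probable_prime(c):
            return c


@dataclass(frozen=True)
class KeyPair:
    n: int  # modulus, public
    e: int  # public exponent
    d: int  # private exponent: never leaves its owner


def generate_keypair(bits: int = 512) -> KeyPair:
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return KeyPair(n=p * q, e=e, d=pow(e, -1, phi))


def _digest_int(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, sender: KeyPair) -> int:
    """Hash the message, then apply the SENDER's private exponent to the hash."""
    return pow(_digest_int(message), sender.d, sender.n)


def verify(message: bytes, signature: int, sender_pub: KeyPair) -> bool:
    """Recover the hash with the sender's public (n, e) and compare; d is unused."""
    return pow(signature, sender_pub.e, sender_pub.n) == _digest_int(message)


def wrap_session_key(session_key: bytes, recipient_pub: KeyPair) -> int:
    """The symmetric session key is what the RECIPIENT's public key encrypts."""
    return pow(int.from_bytes(session_key, "big"), recipient_pub.e, recipient_pub.n)


def unwrap_session_key(wrapped: int, recipient: KeyPair, length: int = 32) -> bytes:
    """Only the recipient's private exponent recovers the session key."""
    return pow(wrapped, recipient.d, recipient.n).to_bytes(length, "big")


def demo() -> dict:
    """Sender signs; a session key is wrapped for the recipient; show each key's role."""
    sender, recipient = generate_keypair(), generate_keypair()
    message = b"Q3 numbers attached. -- Alice"  # constructed sample
    signature = sign(message, sender)
    session_key = secrets.token_bytes(32)  # would key AES in a real client
    wrapped = wrap_session_key(session_key, recipient)
    return {
        "verifies": verify(message, signature, sender),
        "tampered_verifies": verify(message + b" (edited)", signature, sender),
        "wrong_key_verifies": verify(message, signature, recipient),
        "session_key_roundtrip": unwrap_session_key(wrapped, recipient) == session_key,
        # Signing hides nothing: confidentiality comes from session-key encryption.
        "signed_text_still_readable": message,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Reading the result: the signature checks out only with the sender's public key and only over the unmodified text (authentication, integrity, nonrepudiation), the session key is recoverable only with the recipient's private key, and the signed text is still plaintext until the session key is used to encrypt it.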
Your organization has recently completed a security audit. Which of the following is NOT a valid step to take after completing the audit?
A. Approve changes
B. Evaluate controls
C. Implement fixes
D. Delete the security audit
Answer: D. Organizations should keep security audits instead of deleting them, so that personnel can use them as reference points in future audits. Audits typically evaluate existing controls and recommend changes. Management approves the changes and directs personnel within the organization to implement the fixes.

A business in Florida gathers customers' names and ZIP codes and uses them to identify the customers' addresses. What is occurring?
A. Violation of an EU directive
B. Data breach
C. Data inference
D. Violation of COPPA
Answer: C. This is an example of data inference, because the company is collecting small pieces of information to derive other information that isn't provided directly. Since it's occurring in Florida, it isn't a violation of a European Union (EU) directive. A data breach occurs when unauthorized individuals access stored data, but there's no indication of unauthorized access in this scenario. The Children's Online Privacy Protection Act (COPPA) protects the privacy of children under 13.

A system has been attacked by an exploit that isn't published. What type of attack is this?
A. Scareware
B. APT
C. Pharming
D. Zero day
Answer: D. Zero day exploits take advantage of vulnerabilities that are unpublished and often unknown to the vendor. The other answers are known methods. Scareware is malware that scares users into thinking their system is infected and encourages them to install malware. An advanced persistent threat (APT) is a group with the capability and intent to launch extended attacks against organizations. Pharming redirects users to bogus websites.

An organization handles credit card data from customers on a regular basis. What provides the security objectives and requirements that the organization must follow?
A. PCI DSS
B. HIPAA
C. FIPS Pub 200
D. NIST SP 800-53
Answer: A. The Payment Card Industry Data Security Standard (PCI DSS) provides 6 control objectives and 12 supporting requirements that organizations must follow if they process credit card payments from customers. The Health Insurance Portability and Accountability Act (HIPAA) covers organizations handling health- and medical-related data. Federal Information Processing Standard Publication 200 (FIPS Pub 200) identifies standards required by federal agencies. NIST SP 800-53 provides a catalog of recommended security controls.

An organization's location has been hit by a tornado and the organization is moving to an alternative location. What provides the direction for this action?
A. BIA
B. BCP
C. DRP
D. Hot site
Answer: B. The business continuity plan (BCP) provides direction for moving to an alternative location after a disaster; its primary purpose is to continue providing critical business functions. The business impact analysis (BIA) helps an organization identify which functions are critical. The disaster recovery plan (DRP) has a narrower focus and helps an organization recover one or more systems after the disaster has passed. A hot site is a possible type of alternative location, so it doesn't provide direction for the action.

Of the following choices, what is the best technique you can implement on an e-mail server to reduce infection through e-mail?
A. Block all e-mail
B. Add a spam filter
C. Add a polymorphic filter
D. Remove all attachments
Answer: B. The majority of malware comes through spam, so a spam filter can reduce infections through e-mail. An e-mail server isn't very useful if it blocks all e-mail or removes all attachments. E-mail servers don't have polymorphic filters.
Someone has embedded a secret code within a picture used on a web page. What is the best description of this?
A. Symmetric encryption
B. Asymmetric encryption
C. Hashing
D. Steganography
Answer: D. Steganography is the practice of hiding data within data, such as embedding a secret code within a picture. Symmetric encryption uses a single key for encryption and decryption of data, while asymmetric encryption uses two keys (a public key and a private key). Hashing creates a hash that can be used for integrity.

The CEO of a publicly held company [...]

[...] entries showing employees entered a secure area but do not include entries showing they exited indicate tailgating is occurring. Some employees are using their credentials to exit (and the logs show them exiting), but other employees are following closely behind without showing their credentials (and the log doesn't include entries for these employees). While it is possible the badge reader has a problem, it is recording some employees exiting, so this isn't the most likely cause. Mantraps prevent tailgating, and if a mantrap were in use, employees would be forced to use it. There isn't any indication of unauthorized entry.

A user connected to a free wireless network at a coffee shop to access Facebook. Later, someone else started making posts on the user's page. What is the most likely cause of this?
A. Zero day exploit
B. WPS cracking
C. Evil twin
D. WPA cracking
Answer: C. The most likely cause is an evil twin. An attacker likely created a free wireless hotspot in the coffee shop (perhaps on the attacker's laptop). When the user connected to it, the attacker captured the user's data, including logon credentials. This is a known attack, whereas a zero day exploit is not widely known. Wi-Fi Protected Setup (WPS) cracking discovers the PIN of an access point and uses it to recover the access point's password. Wi-Fi Protected Access (WPA) cracking discovers the password on the access point by intercepting the four-way handshake and performing an offline brute-force attack.

An organization collects customer data such as their name, e-mail address, physical address, and phone number. What term best describes this information?
A. PHI
B. PII
C. COFEE
D. DECAF
Answer: B. This information is personally identifiable information (PII) because it can be used to identify the customers personally. Protected health information (PHI) is information concerning the health status, provision of health care, or payment for health care of an individual. COFEE is a forensic tool used by law enforcement agencies, and DECAF is an antiforensics tool designed to detect COFEE.

An organization decides to designate an alternative location to be used in case of an emergency. The organization doesn't need anything other than an open building with water and electricity. What type of site best meets this need?
A. Hot
B. Warm
C. Cold
D. Distant
Answer: C. A cold site is a building with water and electricity and nothing else (no computer equipment or data). A hot site includes everything and is ready to take over operations within a short time after an outage. A warm site is a compromise between the two. Distant site isn't a valid term for an alternative location.

How are public keys distributed to clients from Internet websites?
A. As e-mail attachments
B. Embedded in certificates
C. As cookies
D. Embedded in the HTML code for the page
Answer: B. Public keys are embedded in certificates and distributed to clients in the certificate. Although users can send certificates to each other as e-mail attachments, a website does not use this method. Public keys are not included in cookies or in HTML code.

Of the following choices, which one is NOT a valid method to reduce malware infections?
A. Don't open attachments from unsolicited e-mails.
B. Don't click links in unsolicited e-mails.
C. Don't send encrypted personal information via e-mail.
D. Don't follow shortened links from unknown sources.
Answer: C. If you need to send personal information via e-mail, the best choice is to send it in an encrypted format. All of the other choices are valid methods to reduce malware infections.

What is the last step in a vulnerability assessment?
A. Discovery
B. Analysis
C. Remediation
D. Document vulnerabilities
Answer: C. The last step in a vulnerability assessment is remediation of vulnerabilities using controls approved by management. Discovery, analysis, and documentation all occur after gaining approval from management, but before remediation.

What port does TACACS+ typically use?
A. 25
B. 49
C. 53
D. 443
Answer: B. Terminal Access Controller Access Control System+ (TACACS+) uses TCP port 49. Simple Mail Transfer Protocol (SMTP) uses TCP port 25, Domain Name System (DNS) uses TCP port 53 and UDP port 53, and HyperText Transfer Protocol Secure (HTTPS) uses TCP port 443.

Which of the following formulas will determine the annual loss expectancy (ALE)?
A. SLE - ARO
B. SLE × ARO
C. ARO - SLE
D. SLE divided by ARO
Answer: B. ALE is the product of the single loss expectancy (SLE) and the annual rate of occurrence (ARO), or SLE × ARO. The ALE is not calculated by subtracting or dividing SLE and ARO.

Which of the following helps ensure that mobile devices have all relevant patches?
A. BYOD
B. COPE
C. MDM
D. USB
Answer: C. Mobile device management (MDM) solutions help ensure that mobile devices (such as smartphones and tablets) have all relevant patches. Bring your own device (BYOD) refers to employees bringing their own devices to work and connecting them to an organization's network. Corporate-owned, personally enabled (COPE) devices are mobile devices that an organization purchases and issues to employees. Universal Serial Bus (USB) cannot apply patches to mobile devices.

Within the U.S. government, who can formally approve a system for operation at a specific level of risk?
A. Certification authority
B. NIST
C. Senator
D. Designated Approving Authority (DAA)
Answer: D. A DAA provides official accreditation by approving a system for operation at a specific level of risk. The certification authority does not approve a system, but instead evaluates, describes, and tests it. The National Institute of Standards and Technology (NIST) publishes recommended standards and best practices, but it does not certify or accredit systems. Senators do not certify or accredit systems.

You are [...]

[...] applications, the user is not given permission to do so, which reduces the possibility of the user accidentally installing malware. Nonrepudiation prevents a person from denying an action. Separation of duties divides tasks so that no single person or entity controls an entire process. Accountability ensures that user actions can be tracked and monitored.

What can be used to examine the health of a client prior to allowing network access and restricting access of unhealthy clients to a quarantined network?
A. RADIUS
B. TACACS+
C. NAC
D. SRTP
Answer: C. A network access control (NAC) system can check a system's health against a predefined health policy and restrict unhealthy clients to a quarantined network. Remote Authentication Dial-in User Service (RADIUS) and Terminal Access Controller Access Control System+ (TACACS+) provide authentication, authorization, and accounting (AAA) for remote access. Secure Real-time Transport Protocol (SRTP) provides confidentiality, authentication, and replay protection for Voice over IP (VoIP) transmissions.

What is an important benefit to organizations that use virtual servers? (Choose all that apply.)
A. VM escape capabilities
B. Better control of data with cloud computing
C. Reduction of costs associated with power and cooling
D. Reduction of costs for physical security
Answer: C, D.
Organizations often use virtualization to reduce costs associated with power and cooling and associated with physical security. Virtualization requires fewer physical servers to power, cool, and physically secure. Virtual machine (VM) escape is one of the biggest risks associated with virtual servers. Virtual servers can be used with cloud computing, but cloud computing reduces control of data. 17. Which of the following EAL levels indicates a system was methodically designed, tested, and reviewed, and is the level of assurance assigned to many commercial operating systems? A. EAL0 B. EAL1 C. EAL4 D. EAL7 - ANSC. Most commercial operating systems achieve Evaluation Assurance Level 4 (EAL4) when evaluated by the Common Criteria (CC). EAL4 indicates the operating system has been methodically designed, tested, and reviewed. EAL0 is not a valid level of CC. EAL1, the lowest level of assurance, indicates the system has been functionally tested. EAL7 is the highest level of assurance and indicates the system has a formally verified design and has been tested, but EAL7 ratings are not as common as EAL4, especially for operating systems. 17. Which of the following statements is correct related to IPsec? A. IPsec provides confidentiality by encrypting data with AH. B. IPsec provides confidentiality by encrypting data on the Network layer. C. IPsec AH uses protocol number 50. D. IPsec ESP uses protocol number 51. - ANSB. Internet Protocol security (IPsec) provides confidentiality by encrypting data on the Network layer. Encapsulating Security Payload (ESP) provides confidentiality by encrypting data, but Authentication Header (AH) only provides authentication and integrity. AH uses protocol number 51, and ESP uses protocol number 50. 17. Who would measure the effectiveness of an organization's security controls? A. An administrator B. A manager C. An auditor D. A data owner - ANSC. An auditor would measure the effectiveness of a security control. 
An internal auditor might have other roles, such as an administrator, a manager, or a data owner. However, when measuring the effectiveness of security controls, they are acting as an auditor. 17. You are completing a risk assessment and using historical data. You've identified that a system has failed five times in each of the past two years, and each outage resulted in losses of about $5,000. What is the ARO? A. Five B. $5,000 C. $25,000 D. Impossible to determine with the information provided - ANSA. The annual rate of occurrence (ARO) is five because it happened five times each in the past two years. The single loss expectancy (SLE) is $5,000 and the annual loss expectancy (ALE) is $25,000. 18. A vulnerability assessment reports that a patch is not installed on a system, but you've verified that the patch is installed. What is this called? A. Anomaly-based vulnerability B. Signature-based vulnerability C. False negative D. False positive - ANSD. A false positive occurs when a vulnerability assessment tool indicates that a vulnerability exists when it actually does not exist. A false negative occurs when a vulnerability assessment tool indicates that a vulnerability doesn't exist when it actually does exist. Anomaly-based and signature-based vulnerabilities are detection methods of IDSs and are not associated with vulnerability assessment tools. 18. A website sent a user a certificate to initiate a secure web session over the Internet. What information would NOT be in the certificate? A. Name of the website B. Name of the issuing CA C. Private key D. Expiration date - ANSC. The private key is not included in the certificate but instead is kept private on the server. The public key is included in the certificate along with the name of the website, the name of the CA that issued the certificate, the expiration date of the certificate, and more. 18. 
An organization is updating its business continuity plan (BCP) and wants to implement an alternative location that is the easiest to relocate. What type of site best meets this need?
A. Cold
B. Hot
C. Mobile
D. Warm
- ANSC. A mobile site is the easiest to relocate. Hot, cold, and warm sites use a designated location that the organization either purchases or leases.

18. Of the following choices, what is a primary method used for configuration control?
A. Baseline
B. Change management requests
C. Security logs
D. Password audits
- ANSA. A baseline is a primary method used for configuration control and it ensures that systems start in a known state. Automated can use virtual systems internally to keep control of their data.

18. You have completed a risk assessment and determined that you can purchase a control to mitigate a risk for only $10,000. The SLE is $2,000 and the ARO is 20. Is this cost justified?
A. Yes. The control is less than the ALE.
B. No. The control exceeds the ALE.
C. Yes. The control exceeds the ARO.
D. No. The control is less than the ARO.
- ANSA. Because the cost of the control is less than the annual loss expectancy (ALE), the cost is justified. The cost of the control is $10,000 and the ALE is $40,000. The annual rate of occurrence (ARO) is how many times the loss occurred (20 in the example), but it is only useful when you multiply it with the single loss expectancy (SLE) to identify the ALE.

18. You have two disk drives and you want to provide fault tolerance by mirroring the two drives. What should you use?
A. RAID-0
B. RAID-1
C. RAID-5
D. RAID-6
- ANSB. RAID-1 provides fault tolerance by mirroring two drives. RAID-0 does not provide fault tolerance. RAID-5 uses three or more drives. RAID-6 is an alternative to RAID-5 and uses four or more drives.

19. A user attempted to access http:/mcgraw-hill.com/ but was redirected to a website that advertised pharmaceutical drugs for sale. What does this describe?
A. Phishing
B. Impersonation
C. Whaling
D. Pharming
- ANSD. A pharming attack is one where the user is redirected to another website by manipulating one of the name resolution methods. Phishing involves sending an e-mail to many users and encouraging them to respond with personal information or by clicking a link. Impersonation, also known as masquerading or spoofing, is a social engineering tactic where the social engineer impersonates someone. Whaling is a phishing attack that targets executives such as CEOs.

19. An organization is using a system development life cycle for the design of a system. When should personnel first address security issues?
A. During the initiation phase
B. During the development/acquisition phase
C. During the operations/maintenance phase
D. During the disposal phase
- ANSA. It's important to address security during each phase of the system development life cycle, starting with the initiation phase. If you start addressing security later, it's very possible that it will be more difficult and more expensive to add security controls.

19. Of the following choices, what is a U.S. government entity that regularly publishes Special Publications (known as SP 800 series documents) related to IT security?
A. ITIL
B. NIST
C. CERT Division
D. US-CERT
- ANSB. The National Institute of Standards and Technology (NIST) publishes documents in the SP 800 series related to IT security. ITIL is a United Kingdom project. CERT Division is a federally funded program located in the Software Engineering Institute at Carnegie Mellon University, and the United States Computer Emergency Readiness Team (US-CERT) provides response support and defense against cyber-attacks. While CERT Division and US-CERT publish documents related to IT security, they don't publish SP 800 series documents.

19. Of the following choices, what is used to determine whether a certificate has been revoked?
A. OCSP
B. Digital signature
C. CARL
D. Trust chain
- ANSA. The Online Certificate Status Protocol (OCSP) is used to verify the health of a certificate. An OCSP responder will indicate whether a certificate has been revoked when queried with the certificate's serial number. A digital signature uses certificates but doesn't determine whether a certificate is revoked. CAs issue a certificate revocation list (CRL), but CARL isn't a valid acronym in the context of checking certificates. A trust chain determines if the CA that issued the certificate is trusted, but doesn't indicate if a certificate is revoked.

19. What is the first step in incident response?
A. Analysis
B. Containment, eradication, and recovery
C. Detection
D. Preparation
- ANSD. The first step in incident response is preparation, which includes creating an incident response plan. The other answers are valid steps in incident response, but they aren't the first step.

19. What law requires an organization to get a parent's consent prior to collecting information on children under 13?
A. COPPA
B. OPPA
C. Data Protection Directive
D. E-Privacy Directive
- ANSA. The Children's Online Privacy Protection Act (COPPA) requires organizations to get a parent's consent prior to collecting information on children under 13. The California Online Privacy Protection Act of 2003 (OPPA) requires operators of commercial websites to post a privacy policy on the website if the website collects personally identifiable information (PII). The Data Protection Directive (Directive 95/46/EC) restricts data transfers of privacy data to countries outside of the European Union. The E-Privacy Directive (European Directive 95/46/EC) focuses on the protection of digital data and regulates the use of cookies.

19. What's the primary difference between a penetration test and a vulnerability assessment?
A. A vulnerability assessment includes a penetration test, but a penetration test does not include a vulnerability assessment.
B. A penetration test is intrusive and can cause damage, while a vulnerability assessment is passive.
C. A vulnerability assessment is intrusive and can cause damage, while a penetration test is passive.
D. They are basically the same, but with different names.
- ANSB. A penetration test is intrusive; it includes a vulnerability assessment, attempts to exploit discovered vulnerabilities, and can cause damage. Vulnerability assessments are not intrusive and do not cause damage.

19. Where is a DMZ located?
A. Behind the intranet firewall
B. In front of the first intranet-facing firewall
C. In front of the first Internet-facing firewall
D. Behind the first Internet-facing firewall
- ANSD. A demilitarized zone (DMZ), or perimeter network, is located behind the first Internet- designed to prevent losses in confidentiality, integrity, and availability. Authentication, authorization, and accounting are the AAAs of security, and identification, authentication, and authorization are required for accountability, but these are not part of the CIA security triad.

2. What is the difference between a DoS attack and a DDoS attack?
A. There is no real difference.
B. A DoS attack uses technical methods, but a DDoS attack uses nontechnical methods.
C. A DDoS attack is an attack from a single system, but a DoS attack is an attack from multiple systems.
D. A DoS attack is an attack from a single system, but a DDoS attack is an attack from multiple
- ANSD. A DoS attack is an attack from a single system, and a DDoS attack is an attack from multiple systems. Both typically use technical methods.

2. Which layer of the OSI Model packages data as a frame?
A. Physical layer
B. Data Link layer
C. Network layer
D. Transport layer
- ANSB. The Data Link layer packages data as a frame. The Physical layer packages data as bits. The Network layer packages data as a packet. The Transport layer packages data as a segment.

2.
Which of the following choices allows you to verify that a file has not been modified?
A. AES
B. SHA
C. PKI
D. IDEA
- ANSB. Secure Hashing Algorithm (SHA) is a hashing algorithm, and hashing is a key method of ensuring integrity (or verifying a file has not been modified). The hash is calculated at two different times, and if the hash is the same, the file has not been modified. Advanced Encryption Standard (AES) is a strong symmetric encryption protocol. A public key infrastructure (PKI) is used to support the creation, management, and distribution of certificates. International Data Encryption Algorithm (IDEA) is an older symmetric encryption protocol.

2. Which of the following choices best describes an organization's security policy?
A. An authoritative written document that identifies an organization's overall security goals
B. A non-authoritative written document that identifies an organization's overall security goals
C. A technical control that mitigates risks
D. A baseline used to ensure that systems are secure when deployed
- ANSA. A security policy is an authoritative (not non-authoritative) written document that identifies an organization's overall security goals. It is a management (or administrative) control, not a technical control or a baseline; however, technical controls and baselines are created based on the direction from the security policy.

2. Which of the following is the best choice to segment traffic on a network?
A. VLAN
B. EAP
C. SSL
D. TLS
- ANSA. A virtual local area network (VLAN) segments traffic on a network using a switch. Extensible Authentication Protocol (EAP) is used for authentication, not segmentation. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are transport encryption protocols and do not segment traffic.

2. Which of the following malware types alters its own code to avoid detection by antivirus software?
A. Armored virus
B. Metamorphic virus
C. Polymorphic virus
D. Ransomware
- ANSB. A metamorphic virus changes or mutates its code as it replicates itself to prevent detection. An armored virus uses techniques such as encryption to make it more difficult for AV researchers to decompile the virus. A polymorphic virus changes the file, but not the code. Ransomware takes over a user's computer and demands a monetary ransom to return control back to the user.

2. Which of the following provides the best confidentiality protection for data at rest?
A. Marking it
B. Labeling it
C. Backing it up
D. Encrypting it
- ANSD. Encryption provides the best confidentiality protection for data at rest. While it is appropriate to mark or label it, this isn't as strong as encrypting it. Backing it up provides protection for availability.

2. Which one of the following is most likely to be performed during a feedback loop in an incident handling process?
A. Chain of custody
B. Hashing
C. Escalation
D. Perform a lessons learned review
- ANSD. Feedback loops in an incident handling process include a lessons learned review, which examines the incident and the response. The goal is to prevent a recurrence of the incident. A chain of custody validates that evidence has been controlled since it was collected. Hashing provides assurances that data (such as a bit-by-bit copy of a disk) is identical. Escalation refers to getting more people involved in an incident.

2. You are involved in risk management activities within your organization. Of the following activities, which one is the best choice to reduce risk?
A. Reducing threats
B. Increasing vulnerabilities
C. Increasing impact
D. Mitigating risk
- ANSD. Risk mitigation is the process of reducing risk. You can rarely reduce threats, but you can often reduce (not increase) vulnerabilities or reduce (not increase) the impact of a risk.

2. You want to monitor a server for potential attacks. Of the following choices, what is the best choice?
A. HIDS
B. NIDS
C. Anomaly-based IDS
D. Signature-based IDS
- ANSA. A host-based IDS (HIDS) can monitor a single computer (such as a server) for possible attacks and intrusions. A network-based IDS (NIDS) monitors network activity. Both HIDS and NIDS can use either anomaly-based detection or signature-based detection.

20. An organization is sharing resources with another organization using cloud-based computing. Which of the following cloud operation models does this describe?
A. Community
B. Hybrid
C. Private
D. Public
- ANSA. A community cloud is a private cloud that is shared by two or more organizations. A hybrid cloud is a combination of any two or more clouds. A private cloud is only available to users within an organization. Public cloud-based services are provided by third-party vendors and are available to anyone.

20. Of the following choices, what best represents all of the steps related to incident response? A. (CVE) list - ANSD. The CVE is maintained by the MITRE Corporation and provides a standardized method of describing security vulnerabilities, exploits, and malware. There is no such thing as the Consortium of Antivirus Vendors (CAV) or Consortium of Virus Authors (CVA). NIST is a U.S. government entity that regularly publishes standard publications related to IT security, standards, and practices, but it does not maintain the CVE.

20. When should a penetration test stop?
A. After discovering the vulnerabilities
B. After discovering the threats
C. Before causing any damage
D. Before discovering the exploits
- ANSC. Most penetration tests stop before executing an exploit that can cause damage. Penetration tests include the basic vulnerability assessment components of identifying vulnerabilities, threats, and exploits, and then follow these steps with an attempt to exploit a discovered vulnerability.

20. Which of the following is the recommended security mechanism to use with wireless networks?
A. 802.11a
B. 802.11g
C. 802.11i
D. 802.11n
- ANSC. The 802.11i standard documents Wi-Fi Protected Access 2 (WPA2), the recommended security mechanism for wireless networks. It uses AES-based CCMP for very strong security. The other standards focus on the base frequency and speed of wireless networks, not security.

20. Which of the following organizations provides regular cyber-security alerts about current security issues, vulnerabilities, and exploits as part of the U.S. National Cyber Awareness System?
A. ITL
B. NIST
C. CERT Division
D. US-CERT
- ANSD. The U.S. Computer Emergency Response Team (US-CERT) manages the National Cyber Awareness System, which provides cyber-security alerts, bulletins, tips, and updates. The other organizations provide information, but not alerts through the National Cyber Awareness System.

20. You don't have enough maintenance time during the week to perform full backups, so you decide to implement a backup strategy that takes less time to do backups during the week. Of the following choices, what strategy will minimize the amount of time needed to restore a backup after a failure?
A. Full
B. Incremental
C. Full / incremental
D. Full / differential
- ANSD. A full/differential backup strategy takes the least amount of time to restore because it will require only two backups to restore: the full backup and the last differential backup. The scenario says that there isn't enough time to do a full backup during the week, and you can't do an incremental backup by itself. A full/incremental strategy would require you to restore the full backup and each of the incremental backups since the last full backup, which usually requires restoring more than just two backups.

3. A system ignores potential security violations until it detects a specific number of events. It then raises an alert. What does this describe?
A. Clipping level
B. Acceptance level
C. Audit level
D. Baseline level
- ANSA. A clipping level uses a predetermined number of events as a threshold. An auditing system ignores the events until it detects the number of events has exceeded the threshold level. Acceptance level and audit level are not valid terms. The question doesn't describe a baseline level.

3. Of the following choices, what is a common DoS attack?
A. TCP flood
B. Tailgating
C. Smishing
D. Whaling
- ANSA. A TCP flood attack (also known as a SYN flood, TCP SYN, or TCP half-open attack) is a common DoS attack that withholds the third packet of the TCP three-way handshake. The other answers are not DoS attacks. Tailgating is a social engineering tactic. Smishing is a form of phishing using SMS messages. Whaling is a form of phishing against a single person, such as an executive.

3. What type of malware can spread without any user intervention?
A. Virus
B. Trojan horse
C. Worm
D. Spyware
- ANSC. Worms spread through a network without any user intervention. Viruses, Trojan horses, and spyware all require some level of interaction.

3. Which layer of the OSI Model handles physical addressing?
A. Physical layer
B. Network layer
C. Data Link layer
D. Transport layer
- ANSC. The Data Link layer uses physical addresses, also called hardware addresses and media access control (MAC) addresses. The Physical layer packages data as bits and doesn't use addresses. The Network layer uses IP addresses (also called logical addresses). The Transport layer doesn't use addresses but uses ports to identify traffic.

3. Which of the following best describes the purpose of a security policy?
A. Ensures personnel understand their responsibilities
B. Ensures personnel use strong authentication
C. Informs personnel of management priorities related to security
D. Provides guidance on management controls
- ANSC. Of the choices, the best description is that the security policy informs personnel of management priorities related to security. The other answers provide some specific goals of a security policy but do not address the overall purpose. An acceptable use policy helps ensure personnel understand their responsibilities. Technical controls ensure personnel use strong authentication, but a security policy covers more than just technical controls. Similarly, a security policy provides guidance on more than just management controls.

3. Which of the following can provide security for VoIP?
A. RADIUS
B. TACACS+
C. PSTN
D. SRTP
- ANSD. The Secure Real-time Transport Protocol (SRTP) provides confidentiality, authentication, and replay protection for Voice over IP (VoIP) transmissions. Remote Authentication Dial-in User Service (RADIUS) and Terminal Access Controller Access Control System+ (TACACS+) are used to provide authentication, authorization, and accounting (AAA) for remote access. The public switched telephone network (PSTN) is one of the methods used for Internet access.

3. Which of the following choices in no one taking responsibility. 3G - ANSThird generation of wireless technologies. 1G uses analog signals, and 2G uses digital signals. 3G provides higher transfer speeds using digital technologies.

4. A software application appears to have a useful purpose, but it includes malicious code. What does this describe?
A. A virus
B. A backdoor
C. A worm
D. A Trojan horse
- ANSD. A Trojan horse appears to be something useful to the user but includes malicious code or malware. While Trojans often include viruses and backdoors, not all viruses and backdoors come from Trojans. Worms travel over the network and are not embedded in software applications.

4. An organization wants to ensure that users are aware of their responsibilities related to the use of IT systems. What should the organization create?
A. A video monitoring system
B. An audio monitoring system
C. An acceptable use policy
D. An account lockout policy
- ANSC.
An acceptable use policy (also called an acceptable usage policy) lets users know what is acceptable use of computer equipment and networks. Monitoring systems ensure users follow policies, but they don't ensure users know the policy. Account lockout policies lock out users after too many failed password attempts.

4. An organization wants to restrict risks associated with proprietary data transmitted over the network. What can it do in its data management policy to achieve this objective?
A. Restrict how long data is retained
B. Specify how data is deleted from storage media
C. Require the encryption of data in motion
D. Require the encryption of data at rest
- ANSC. Encrypting data in motion can protect it against loss of confidentiality when it is transmitted over a network. Retention policies restrict how long data is retained, but do not affect data in motion. Destruction policies dictate how to delete data or destroy media, but aren't related to data in motion. Encrypting data at rest doesn't ensure that it is encrypted when it is transmitted. Some data-at-rest encryption methods will decrypt the data before transmitting it over a network.

4. Of the following choices, what best describes an IPS?
A. An active antivirus program that can detect malware
B. An inline monitoring system that can perform penetration testing
C. An inline monitoring system that can perform vulnerability assessments
D. An inline monitoring system that can modify the environment to block an attack
- ANSD. An intrusion prevention system is an inline monitoring and detection system that can modify the environment (such as by changing ACLs or closing half-open connections) to block an attack. Although it may be able to detect some malware such as worms, this isn't the best definition. It is not used for vulnerability assessments or penetration tests.

4. Thousands of computers have been infected with malware and are periodically directed to send out spam to other computers. What does this describe?
A. Zombies
B. Spear phishing
C. A botnet
D. Phishing
- ANSC. A botnet is a group of computers that an attacker has taken over and now controls from a command and control center. The individual computers are referred to as zombies, but together they are a botnet. They may be directed to send out phishing or spear phishing e-mails, but that is the attack, not the network.

4. What forensic evidence can be lost if a system is powered down before the evidence is collected?
A. Data on the disk drive
B. Data on a USB drive
C. Data in memory
D. Data in files
- ANSC. Data in memory (volatile RAM) is lost if a system is powered down. Power isn't required to retain data on disk drives or USB drives, so it is not lost when powered down. Data in files is retained on disk drives.

4. What type of control is an audit log?
A. Technical
B. Corrective
C. Detective
D. Preventive
- ANSC. An audit log is a detective control because it identifies events either as they are occurring or after they've occurred. Technical is a class of control. A corrective control takes action to reverse the effects or impact of an incident. A preventive control prevents the event from occurring.

4. Which layer of the OSI Model packages data as a packet?
A. Physical layer
B. Data Link layer
C. Network layer
D. Transport layer
- ANSC. The Network layer packages data as a packet. The Physical layer packages data as bits. The Data Link layer packages data as a frame. The Transport layer packages data as a segment.

4. Which of the following can cause a negative impact on an organization's assets?
A. A threat
B. A risk
C. A weakness
D. A control
- ANSA. A threat source can cause a negative impact by exploiting a vulnerability. Risk is the likelihood that a threat will exploit a vulnerability and cause a loss; the risk itself doesn't cause the negative impact. A weakness is a vulnerability. Attackers can exploit a vulnerability, but the vulnerability doesn't cause the loss. Controls attempt to reduce risk by reducing vulnerabilities or reducing the impact of a risk.

4. Which of the following statements best describes a benefit of using clipping levels?
A. Clipping levels ignore baselines and generate alerts when they detect security violations.
B. Clipping levels ignore normal user errors, but generate alerts when these errors exceed a predetermined threshold.
C. Audit trails use clipping levels to record all potential alerts for accountability.
D. Clipping levels ensure systems generate alerts when they detect any potential security violations.
- ANSB. Clipping levels ignore normal user errors, but generate alerts when these errors exceed a predetermined threshold. Clipping levels are not associated with baselines. It is possible to configure an audit trail without clipping levels, but if clipping levels exist, the audit trail does not ignore them. Clipping levels do not generate alerts when they detect any potential errors or security violations, but instead only generate alerts when they not power the system down, as doing so will delete any data in volatile RAM. All of the other answers are valid actions in response to an incident that may result in legal proceedings. Organizations often have policies to disconnect a computer from the local area network (LAN) to isolate it and protect evidence on the system. No one should be allowed to access the system as a precaution to ensure that data (and potential evidence) is not modified. There's nothing wrong with taking pictures of the system to preserve evidence.

5. Of the following choices, what represents the primary benefits provided by a proxy server?
A. Caching and filtering
B. Authentication and caching
C. Authentication, authorization, and accounting
D. Stateful inspection
- ANSA. A proxy server can cache web pages that are retrieved from the Internet. It can also block users from accessing restricted websites by filtering the web page requests. A proxy server does not provide authentication directly, although some proxy servers can be tied into an authentication system. A proxy server does not normally perform firewall functions.

5. Sally notices that Homer appears to be stealing from the company. What should Sally do?
A. Confront Homer
B. Ignore the activity because it doesn't concern her
C. Call the police
D. Report the activity to a manager
- ANSD. An employee's loyalty should be to the organization, so Sally should report this activity to a manager or supervisor. An organization's ethics policy often includes procedures for reporting these types of incidents. Confronting Homer may not solve the problem but instead may result in Homer causing problems for Sally, especially if Homer is stealing from the company. Because continued employment is based on the success of an organization, losses are the concern of every employee. The organization should make the decision of whether or not to call the police.

5. What type of control is a NIDS?
A. Corrective
B. Detective
C. Deterrent
D. Preventive
- ANSB. A network-based IDS (NIDS) is a detective control, as it detects potential attacks as they are occurring. An active IDS is a corrective control because it can take action to reverse the effects of an attack by changing the environment, but not all IDSs are active. A deterrent control attempts to deter would-be attackers from attempting an attack, but attackers don't know if a network has an IDS. An intrusion prevention system (IPS) is a preventive control because it can prevent an attack from reaching a network, but an IDS does not prevent the attack.

5. What's a primary method used to reduce risk?
A. Reducing threats
B. Reducing vulnerabilities
C. Increasing threats
D. Increasing vulnerabilities
- ANSB. A primary method of risk mitigation is reducing vulnerabilities. Threats often can't be reduced, and adding more threats won't reduce risk. You reduce vulnerabilities by implementing controls.

5. Which layer of the OSI Model provides reliable end-to-end communication services?
A. Physical layer
B. Transport layer
C. Data Link layer
D. Host layer
- ANSB. The Transport layer provides reliable end-to-end communication services. Neither the Physical layer nor the Data Link layer provides this service. The Host layer is on the TCP/IP Model, not the OSI Model.

5. Which of the following best identifies a computer controlled by a botnet?
A. DoS computer
B. DDoS computer
C. Attacker
D. Zombie
- ANSD. Computers controlled within a botnet are commonly called zombies. They are not referred to as DoS or DDoS computers, or attackers, although they can be directed to take part in a DDoS attack.

5. Which of the following keys is changed the most often?
A. Public key
B. Private key
C. Symmetric key
D. Session key
- ANSD. A session key is only used for a session (such as a web browsing session) and is changed more often than the other keys. Public and private keys typically last for a year or longer. Symmetric encryption uses a symmetric key (also called a secret key), which can stay the same for a specific piece of data as long as the data remains encrypted.

5. Which of the following methods will reliably remove all data from a backup tape?
A. Erasing
B. Degaussing
C. Diddling
D. Sanitizing
- ANSB. Degaussing will reliably remove all data from a backup tape. Degaussing uses a powerful magnet to erase the data. Other methods of erasing data from a tape don't necessarily erase all the data. Data diddling is the unauthorized changing of data before or while entering it into a system and is unrelated to removing data from a tape. Sanitizing the tape is the goal, but it is not a method.

5. Which of the following security controls can restore a failed or disabled control?
A. Preventive
B. Corrective
C. Detective
D. Deterrent
- ANSB. A corrective control can restore a failed or disabled control.
A preventive control attempts to prevent incidents, and a detective control attempts to detect incidents. A deterrent control attempts to dissuade or deter personnel from trying to circumvent security policies or otherwise cause an incident. 5. Your organization wants to ensure that attackers are unable to modify data within a database. What security principle is the organization trying to enforce? A. Accountability B. Availability C. Confidentiality D. Integrity - ANS5. D. Integrity ensures that data is not modified, and this includes data within a database. Accountability ensures that systems identify users, track their actions, and monitor their behavior. Availability ensures that IT systems and data are available when needed. Confidentiality protects against the unauthorized disclosure of data. 6. A packet-filtering firewall can block ICMP traffic, such as ping requests. How does a packet-filtering firewall identify ICMP traffic? A. Based on the protocol ID having a value of 1 B. Based on the protocol ID having a value of 2 C. Based on the port of 50 D. Based on the port of 51 - ANSA. Packet-filtering firewalls can filter the OSI Model includes TCP and UDP? A. Transport layer B. Network layer C. Data Link layer D. Application - ANSA. The Transport layer includes the TCP and UDP protocols. These protocols are not implemented on the Network layer, the Data Link layer, or the Application layer. 6. Which of the following choices are effective methods of ensuring that employees know the relevant contents of an organization's security policy? (Choose all that apply.) A. Providing training B. Using warning banners C. Using posters D. Storing the policy in the company vault - ANSA, B, and C. Providing training, using warning banners, and using posters are all effective methods of ensuring that employees know the relevant contents of a security policy. If the security policy is stored in the company vault, it won't be accessible to employees. 6. 
Which of the following identifies a system that requires a database to detect attacks? A. Anomaly-based IDS B. Signature-based IDS C. HIPS D. NIPS - ANSB. A signature-based IDS compares activity against a signature file (or database of signatures) to identify attacks. An anomaly-based IDS requires a baseline. Both a host-based IPS (HIPS) and a network-based IPS (NIPS) can use either anomaly- based or signature-based detection methods. 6. Which of the following is a benefit of a chain-of-custody form? A. It helps ensure that evidence is protected. B. It helps ensure that evidence is controlled. C. It helps ensure that evidence is not modified. D. It helps ensure that evidence is admissible in court. - ANSD. A chain-of-custody form provides proof that evidence has been protected and helps ensure that the evidence is admissible in court. Note that it only documents how the evidence has been protected and controlled, but it doesn't actually protect or control the evidence. It also doesn't ensure that the evidence is not modified. 6. Which of the following is a secure method of sanitizing optical media? A. Degaussing B. Overwriting C. Shining D. Destroying - ANSD. Optical media must be destroyed to ensure it doesn't include any remaining data. Degaussing isn't effective because optical media doesn't use magnetic methods of storing data. Overwriting isn't effective because the media might still have data remaining after overwriting it. Shining is not a valid method of sanitizing media. 6. Which of the following is NOT a symmetric encryption standard? A. AES B. Blowfish C. RC4 D. RSAChapter - ANSD. RSA is an asymmetric encryption standard using public and private keys and is widely used with Transport Layer Security (TLS). The other choices are all symmetric encryption standards using a single key to encrypt and decrypt the data. 6to4 - ANSTransition mechanism for migrating from IPv4 to IPv6. 
It allows systems to use IPv6 to communicate if their traffic has to transverse an IPv4 network. 7. A company wants to reduce the amount of space used to store files used and shared by employees. What can it use to reduce the amount of storage space used? A. Data loss prevention (DLP) systems B. Deduplication C. Information rights management (IRM) D. Retention policies - ANSB. Deduplication ensures that a file is stored only once on a system, even if multiple users have access to the same file. DLP systems attempt to monitor data usage and prevent the unauthorized use or transmission of sensitive data. IRM refers to the different methods used to protect sensitive information from unauthorized access. Retention policies restrict how long data is retained. 7. A security professional is reviewing existing security controls. What type of security control is this? A. Management B. Technical C. Physical D. Compensating - ANSA. Reviewing security controls is a management control. This is part of risk management, and reviewing existing security controls is part of a risk assessment. Technical controls use technical means, not an individual such as a security professional. Physical controls refer to the controls you can touch. Compensating controls are controls used as an alternative if the primary controls cannot be used. It's also worth mentioning that the other three answers all refer to classes of controls, while compensating controls refer to a control goal (similar to how preventive, detective, and corrective controls are control goals). 7. A system has a protocol analyzer installed. What mode must the system operate in to capture all packets that reach it, including those that are not directly addressed to or from the system? A. Promiscuous B. Nonpromiscuous C. DoS D. DDoS - ANSA. The network interface card of the system running the protocol analyzer (or sniffer) must be in promiscuous mode. 
If it is in nonpromiscuous mode, the sniffer will only capture packets addressed directly to or from the sniffer. DoS and DDoS are not modes for a sniffer. 7. An employee configured malicious code to execute at midnight on February 2. What does this describe? A. Logic bomb B. Groundhog Day virus C. Worm D. Ransomware - ANSA. A logic bomb is malware that executes in response to an event such as a specific date and time. While February 2 is Groundhog Day, the scenario doesn't describe a Groundhog Day virus. Worms infect computers over a network, not on a specific day. Ransomware takes control of a user's computer or data and demands a ransom from the user. 7. An organization has a security policy in place. What can personnel within the organization do to ensure it remains relevant? A. Perform audits B. Perform training C. Review it D. Test it - ANSC. A security policy should be reviewed on a regular basis (such as once a year or after a security incident) to ensure that it is still relevant. Audits help to prove that the security policy is being used and enforced. Training ensures that people know the contents of the security policy. It's appropriate to test a BCP or a DRP, but not a security policy. and this baseline should be updated when the network is modified. This provides the NIDS with an accurate baseline. A signature-based NIDS uses a signature database file. Router gateways and firewalls do not need to be re-created for the NIDS. 8. An attacker has written a program to shave off a penny from each transaction and divert the penny to the attacker's bank account. What best describes this attack? A. Salami attack B. Sniffing attack C. Replay attack D. Covert channel - ANSA. A salami attack uses multiple small, usually unnoticeable actions, such as shaving a penny off a transaction. A sniffing attack uses a sniffer (protocol analyzer) to capture and analyze traffic. A replay attack captures data and then later resends it to impersonate one of the parties. 
A covert channel uses an uncommon communications path to exchange information surreptitiously. 8. How can you provide defense diversity with a DMZ? A. Use a single firewall. B. Use two firewalls from the same vendor. C. Use two firewalls from different vendors. D. Ensure that only trusted partners are allowed access. - ANSC. You can provide defense diversity with a DMZ by using two firewalls from different vendors. If a vulnerability appears in one, it's unlikely that a vulnerability will exist in the second firewall at the same time (unless the second is from the same vendor). A single firewall doesn't provide any diversity. An extranet (not a DMZ) would allow access only to trusted partners. 8. How does a behavior-based IDS detect attacks? A. It compares current activity against a baseline. B. It compares current activity against a database of known attack methods. C. It compares current activity with antivirus signatures. D. It monitors activity on firewalls. - ANSA. A behavior-based IDS detects attacks by comparing current activity against a baseline. A signature-based IDS detects attacks by comparing network activity with a database of known attack methods. An IDS does not use antivirus signatures. While an IDS monitors activity on firewalls, this doesn't identify how it detects attacks. 8. Of the following choices, which one is considered a strong, efficient symmetric encryption algorithm? A. TLS B. DES C. 3DES D. AES - ANSD. The Advanced Encryption Standard (AES) is considered a strong, efficient symmetric encryption algorithm and it is widely used. DES is an older algorithm that has been cracked. 3DES is strong, but takes more processing power and is less efficient than AES. Transport Layer Security (TLS) uses both symmetric and asymmetric encryption, and calling it a symmetric encryption algorithm is inaccurate. 8. Users within an organization have recently sent sensitive data outside the organization in e-mail attachments. 
Management believes this was an accident, but they want to prevent a recurrence. Which of the following is the best method to do so? A. Implement a network-based intrusion prevention system (IPS) B. Provide training to users C. Ensure the data is marked appropriately D. Implement a network-based data loss prevention (DLP) system - ANSD. The best solution is to implement a network-based DLP system. It can scan outgoing data to look for sensitive data and block any it finds. An IPS focuses on incoming traffic to block attacks, and doesn't necessarily scan outgoing traffic. Thus, it wouldn't necessarily stop data sent as an e-mail attachment. Training is appropriate, but training doesn't necessarily prevent accidents. Also, training wouldn't stop a malicious insider from this action. The data should be marked with its appropriate classification, but there isn't any indication that it isn't. Also, even if the data is marked, it doesn't necessarily prevent accidents. 8. What type of log on a Microsoft system records auditable events, such as when a user deletes a file? A. System B. Security C. Application D. Forwarded Events - ANSB. The Security log records auditable events, such as when a user accesses or deletes a file (as long as resource auditing is enabled). The System log records system events such as when a service stops or starts. The Application log records application events. The Forwarded Events log shows events forwarded from other systems as part of an event subscription. 8. What type of malware takes control of the operating system at the kernel level? A. Trojan horse B. Worm C. Keylogger D. Rootkit - ANSD. A rootkit is a set of programs that runs on a system, largely undetected, because it runs at the kernel level or root level of the operating system. A Trojan horse is malware that looks like one thing but is something else. A worm is a type of malware that spreads through a network without any user intervention. 
A keylogger captures keystrokes from users. 8. Which layer of the TCP/IP Model corresponds to the OSI Network layer? A. Host layer B. Application layer C. Internet layer D. Link layer - ANSC. The TCP/IP Internet layer corresponds to the OSI Network layer. The TCP/ IP Host (or Host-to-Host) layer corresponds to the OSI Transport layer. The TCP/IP Application layer corresponds to the Application, Presentation, and Session OSI layers. The TCP/IP Link layer (also called the Network Interface or Network Access layer) corresponds to the OSI Data Link and Physical layers. 8. Which of the following choices best describes an operational control? A. A control implemented by people (rather than systems) B. A control implemented using hardware, software, or firmware C. A control that focuses on the management of risk and the management of IT security D. A control that focuses on preventing losses due to risks - ANSA. People, rather than systems, implement an operational control. A technical control is implemented with hardware, software, or firmware. A management control focuses on the management of risk and the management of IT security. A preventive control focuses on preventing losses due to risks. 8. Which of the following choices is the to another system and examining it on the other system will modify the original evidence. 9. A website developer wants to provide assurances to users that ActiveX controls used on the site are not malicious. What can provide this assurance? A. Input validation B. Code signing C. Code review D. Enabling cross-site scripting - ANSB. Code signing digitally signs ActiveX controls and provides assurances to users of who created the control and that it hasn't been modified. Input validation helps prevent injection attacks, but it's used to protect the website, not provide assurance to users. Code review is a valuable tool to detect problems with applications before an organization releases them. 
Cross-site scripting is an attack and would not be enabled. 9. It's common to enable or install a firewall on a server to protect the server. What type of firewall is this? A. Network-based B. Hardware-based C. Packet- filtering D. Host-based - ANSD. A host-based firewall is installed or enabled on individual hosts, such as desktop computers or servers, and provides protection for the host. Network- based firewalls protect the network rather than individual systems. Packet filtering identifies the method used by the firewall, and both network-based and host- based firewalls can filter packets. 9. Of the following choices, what best describes a whitelist as a replacement for a HIDS? A. A listing of websites that a user can visit, blocking access to all other websites for a HIDS? B. A listing of applications that a user can run, blocking attempts to run any other applications C. A listing of MAC addresses blocked through a firewall, allowing traffic from all other systems D. A listing of suitable vendors for IPSs - ANSB. A whitelist can include a list of applications that a user can run and block all other applications. Some security professionals are suggesting this as a replacement for both HIDSs and AV software. A proxy server can block access to specific websites, but this isn't a replacement for a HIDS. A MAC address whitelist identifies addresses that are allowed, not blocked. A whitelist is not a list of vendors. 9. Of the following choices, what is a tuple? A. A column in a database B. A row in a database C. A primary key D. A foreign key - ANSB. A tuple is a row in a database. Columns are also known as attributes. A primary key uniquely identifies a row in a table and is related to a foreign key in another table to create a relationship between two tables. 9. Of the following choices, what is an example of an auditable event logged in an operating system's security log? A. Access through a firewall B. Accessing a website through a proxy server C. 
Reading a file D. The date and time when a service starts - ANSC. A security log records auditable events related to resources, such as when a user reads, modifies, or deletes a file. Firewall and proxy server logs are not operating system logs. A system log would record events such as when a service stops or starts, but not security events. 9. Of the following choices, what provides the best protection against buffer overflow attacks? A. SQL injection B. Input validation C. Cross-site scripting D. Code signing - ANSB. Input validation techniques validate data before using it and can help prevent a wide variety of attacks, including buffer overflow attacks. SQL injection is an attack that attempts to inject SQL code into an application. Cross-site scripting is an attack that attempts to inject HTML or JavaScript code into a web page. Code signing uses a certificate to digitally sign an application, but will not protect against buffer overflow attacks. 9. What is the purpose of a BIA? A. To identify recovery plans B. To drive the creation of the BCP C. To test recovery plans D. To identify critical business functions - ANSD. The business impact analysis (BIA) identifies critical business functions and is a part of the BCP. Personnel create recovery plans later in the process, after creating recovery strategies. The BCP drives the creation of the BIA, not the other way around as suggested by answer B. You can only test the plans after personnel have created them. 9. What type of cryptography does public cryptography use? A. Asymmetric encryption B. Symmetric encryption C. Steganography D. One-way functions - ANSA. Public key cryptography uses asymmetric encryption with two matched keys (a public key and a private key) to encrypt and decrypt information. Symmetric encryption uses a single key (often called a session key) to encrypt and decrypt data. Steganography hides data within data. Hashes are also known as one-way functions and they provide integrity. 9. 
Which of the following topologies avoids collisions using a token? A. IEEE 802.3 B. IEEE 802.5 C. CSMA/CD D. CSMA/CA - ANSB. IEEE 802.5 defines token ring networks, which avoid collisions using a token. Ethernet (IEEE 802.3) attempts to detect collisions using Carrier Sense Multiple Access with Collision Detection (CSMA/CD). Wireless networks (802.11) attempt to avoid collisions using Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA). 9. You decide to manage risk by purchasing insurance to cover any losses. Which one of the following risk management techniques are you using? A. Accept B. Avoid C. Mitigate D. Transfer - ANSD. Insurance is one of the ways that you can manage risk by transferring the risk to a third party. Risk acceptance doesn't take any further action to mitigate the risk. In risk avoidance, you avoid the activity that results in the risk. It's most common to try to reduce the risk using risk mitigation. 9. Your organization wants to implement policies that will deter fraud by dividing job responsibilities. Which of the following policies should they implement? A. Nonrepudiation B. Least privilege C. Defense in depth D. Separation of duties - ANS9. D. Separation of duties helps prevent fraud by dividing job responsibilities and access to individuals based on their proven identity. Accounting tracks and records their activity in logs. Absolute addresses - ANSHardware addresses used by the CPU. Abstraction - ANSThe capability to suppress unnecessary details so the important, inherent properties can be examined and reviewed. Accepted ways for handling risk - ANSAccept, transfer, mitigate, avoid. Access - ANSThe flow of information between a subject and an object. access control - ANSMechanism used to restrict or control access to resources. Access controls can be logical (implemented with technology) and implemented by the security kernel, or physical, such as a locked door or security guard. 
Access controls allow subjects access to objects, such as allowing a user to access a file. Some relevant access control models are Mandatory Access Control (MAC), Discretionary Access Control (DAC), Rolebased Access Control (RoleBAC), Rulebased Access Control (RuleBAC), and Attributebased Access Control (ABAC). Biba, BellLaPadula, ClarkWilson, and the Chinese Wall are specific MAC models. access control list (ACL) - ANSA list of rules. ACLs are most commonly associated with routers and firewalls. The rules identify the traffic allowed in or out of a network. On hostbased firewalls, the rules identify the traffic allowed in or out of a system. Access Control Lists - ANSThese lists are used to identify systems and specify which users, protocols, or services are allowed Access control matrix - ANSA table of subjects and objects indicating what actions individual subjects can take upon individual objects. Access control model - ANSAn access control model is a framework that dictates how subjects access objects. Access Control Models - ANSRegulate the admission of users into trusted areas of the organization-both logical access to information systems and physical access to the organization's facilities Access Control Object - ANSA passive entity that typically receives or contains some form of data. Access Control Object - ANSA passive entity that typically receives or contains some form of data. Access Control Subject - ANSAn active entity and can be any user, program, or process that requests permission to cause data to flow from an access control object to the access control subject or between access control objects. Access Control Subject - ANSAn active entity and can be any user, program, or process that requests permission to cause data to flow from an access control object to the access control subject or between access control objects. 
Access controls - ANSAre security features that control how users and systems communicate and interact with other systems and resources. Access controls protect assets such as files by preventing unauthorized access. What must occur before a system can implement access controls to restrict access to these types of assets? A. Identification and authentication B. Identification and accountability C. Authentication and accounting D. Accountability and availability - ANSA. Identification and authentication must occur before a system can implement access controls. Identification is the act of a user professing an identity, and authentication occurs when an authentication system verifies the user's credentials (such as a username and password). ACCESS CONTROLS: A user professes an identity by entering a user logon name and then enters a password. What is the purpose of the logon name? A. Authentication B. Accountability C. Identification D. Accounting - ANSC. The logon name provides identification of the user. When combined with the username, the password provides authentication. According to the annual CSI/FBI Computer Crime report, which group commits the most computer crimes? A. Foreign governments B. Teenage Hackers C. Company Insiders D. Company Competitors E. All of these groups create equal numbers of computer crimes - ANSC. Company Insiders Accountability - ANSThe ability of a system to track the activity of an individual. It depends on proper identification and authentication. If a system can identify individual users, track their actions, and monitor their behavior, it provides accountability. Accountability - ANSUnderlying goals of the AAAs of security. The trait of being willing to take responsibility for your actions Accounting - ANSLogs that track the activity of a user through monitoring. One method of accounting is audit logs that create an audit trail. Accounting - ANSTracking user(s) activities. 
Accreditation - ANSFormal acceptance of the adequacy of a system's overall security by management. Accreditation - ANSThe process of formally declaring that the system is approved to operate. Accreditation comes after system certification. Accreditation grants permission to operate a system freely since all risk has been eliminated. A. True B. False - ANSB. False Active attack - ANSAttack where the attacker does interact with processing or communication activities. ActiveX - ANSA Microsoft technology composed of a set of OOP technologies and tools based on COM and DCOM. It is a framework for defining reusable software components in a programming language-independent manner Address bus - ANSPhysical connections between processing components and memory segments used to communicate the physical memory addresses being used during processing procedures. Address resolution protocol (ARP) - ANSA networking protocol used for resolution of network layer IP addresses into link layer MAC addresses. Address Resolution Protocol (ARP) - ANSProtocol that resolves Internet Protocol (IP) addresses to Media Access Control (MAC) addresses. ARP is used on the Data Link layer of the Open Systems Interconnection (OSI) Model. Compare to Bootstrap Protocol (BootP) and Reverse Address Resolution Protocol (RARP). Address space layout randomization (ASLR) - is exploited and how it affects a single asset. SLE × ARO = ALE. anomaly based - ANSA method of detection used by intrusion detection systems (IDSs) and intrusion prevention systems (IPSs). The IDS/IPS attempts to document normal behavior in the form of a baseline. It then monitors the activity and constantly compares it to the baseline. If the current activity differs significantly from the baseline, the IDS/ IPS will issue an alert on the activity. antivirus (AV) software - ANSA primary method used to detect and prevent infections from malware. 
In addition to being able to detect and prevent infections, most AV soft ware is able to remove the malware, restore the infected file to its original state, or quar antine the file. Application programming interface (API) - ANSSoftware interface that enables process-to- process interaction. Common way to provide access to standard routines to a set of software programs. Arithmetic logic unit (ALU) - ANSA component of the computer's processing unit, in which arithmetic and matching operations are performed. armored virus - ANSA virus that uses code to make it difficult for AV researchers to reverseengineer the code. Encryption is often combined with other methods to prevent reverseengineering. As telnet is widely know to be insecure, one time passwords (OPIE) offer a great alternative. After a user logs on remotely, OPIE will issue a challenge. What two elements will thi challenge contain?(Choose two) A. CHAP B. A hashed value C. A random value D. A seed number E. A sequence number - ANSD. A seed number E. A sequence number AS/NZS 4360 - ANSAustralia and New Zealand business risk management assessment approach. Assemblers - ANSTools that convert assembly code into the necessary machine-compatible binary language for processing activities to take place. Assembly language - ANSA low-level programming language that is the mnemonic representation of machine-level instructions. Assurance evaluation criteria - ANSCheck-list and process of examining the security- relevant parts of a system (TCB, reference monitor, security kernel) and assigning the system an assurance rating. Asymmetric algorithm - ANSEncryption method that uses two different key types, public and private. Also called public key cryptography. asymmetric encryption - ANSA process of encrypting and decrypting data using two matched keys known as a public key and a private key. It is also known as public key cryp tography. 
Anything encrypted with the public key can be decrypted only with the match ing private key. Anything encrypted with the private key can be decrypted only with the matching public key. The private key is always kept private and never shared. The public key is freely shared and publicly available. Asymmetric mode multiprocessing - ANSWhen a computer has two or more CPUs and one CPU is dedicated to a specific program while the other CPUs carry out general processing procedures Asynchronous communication - ANSTransmission sequencing technology that uses start and stop bits or similar encoding mechanism. Used in environments that transmit a variable amount of data in a periodic fashion. Asynchronous Password Token - ANSA one-time password is generated without the use of a clock, either from a one-time pad or cryptographic algorithm. Asynchronous Password Token - ANSA one-time password is generated without the use of a clock, either from a one-time pad or cryptographic algorithm. Asynchronous token generating method - ANSEmploys a challenge/response scheme to authenticate the user. Attack surface - ANSComponents available to be used by an attacker against the product itself. ATTACKS: 1. What is an APT? A. A group, often sponsored by a government, that has the capability and intent to launch persistent attacks against an organization B. Software that alerts a user that their system is infected with malware, but won't remove the malware unless the user pays a fee C. An attack that redirects users to a bogus website D. A scan to detect open ports - ANSA. An advanced persistent threat (APT) is a group of people (often sponsored by a government) that has the capability and intent to launch persistent attacks against organizations. Scareware is software that alerts a user their system is infected with malware, but won't remove the malware unless the user pays. Pharming is an attack that redirects users to a bogus website. A port scan is a scan that detects open ports. 
Attenuation - ANSGradual loss in intensity of any kind of flux through a medium. As an electrical signal travels down a cable, the signal can degrade and distort or corrupt the data it is carrying.
Attribute - ANSA column in a two-dimensional database table.
Attribute - ANSIn a database, a table column. Data within the table is stored in rows, or tuples.
Attribute-based Access Control (ABAC) - ANSAn access control model that uses attributes to determine access. It evaluates subject and object attributes and grants access based on the value of these attributes. Attributes can be almost any characteristic of a user, the environment, or the resource. Other access control models are Mandatory Access Control (MAC), Discretionary Access Control (DAC), Role-based Access Control (RoleBAC), and Rule-based Access Control (RuleBAC).
audit trail - ANSA record of events occurring on a system or network, recorded in one or more logs. When you have access to all the logs, you can recreate the events leading up to an incident and identify what actually occurred during it.
Auditing: 1. Your organization uses strong authentication and authorization mechanisms and has robust logging capabilities. Combined, what do these three elements provide? A. Guaranteed security B. Prevention of unintended outages from unauthorized changes C. Accountability D. Configuration control - ANSC. Authentication, design requirement so that slight changes to the input result in drastic changes to the output.
Backdoor - ANSA nontraditional method of accessing an application or system. It can be code embedded in an application that provides access to the application, the application's code, or data via a covert method. Attackers often try to install a backdoor onto a system after infecting it with malware so that they keep remote access.
Backups - ANSCopies of data stored in case the original is stolen or becomes corrupt.
Base registers - ANSBeginning of the address space assigned to a process.
Used to ensure a process does not make a request outside its assigned memory boundaries.
Baseband transmission - ANSUses the full bandwidth for only one communication channel and has a low data transfer rate compared to broadband.
baseline - ANSA known starting point. Baselines are an important element of configuration control and are often implemented with images. If the baseline configuration is known, it's relatively simple to check the system to determine whether the configuration has been modified from the baseline. Anomaly-based intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) also use baselines by first documenting normal behavior in the form of a baseline. The system then monitors the activity and constantly compares it to the baseline.
Basic Networking and Communications: Which layer of the OSI Model defines cable standards? A. Physical layer B. Data Link layer C. Network layer D. Transport layer - ANSA. Cable standards are defined at the Physical layer (layer 1). They are not defined at the Data Link layer (layer 2), the Network layer (layer 3), or the Transport layer (layer 4).
Bastion host - ANSA highly exposed device that will most likely be targeted for attacks, and thus should be hardened.
Bcrypt - ANSA key-stretching algorithm used to protect passwords on UNIX and Linux distributions stored in the shadow password file. It salts passwords before hashing them with a Blowfish-derived construction, which helps thwart rainbow table attacks.
Behavior blocking - ANSAllowing suspicious code to execute within the operating system while watching its interactions with the operating system, looking for suspicious activities.
Bell-LaPadula Model - ANSSecurity model that deals only with confidentiality. Two rules: the simple security property and the star (*) property.
Bell-LaPadula model - ANSAn access control model used to ensure confidentiality. It uses two primary rules: no read up and no write down. Compare to Biba model.
Berkeley Internet Name Domain (BIND) - ANSA version of DNS software that runs on UNIX systems. It is freely available and runs on many DNS servers on the Internet.
BIA - Business Impact Analysis deals strictly with financial assessment of a loss in relation to business operations? A. True B. False - ANSB. False
Biba model - ANSAn access control model used to ensure integrity. It uses two primary rules: no read down and no write up. Compare to Bell-LaPadula model.
Biba Model - ANSSecurity model that deals only with integrity.
BIND should be disabled on which of the following? A. All DNS servers to avoid recursive lookups B. All non-DNS servers C. Firewalls D. Routers - ANSB. All non-DNS servers
biometrics - ANSMethod of identifying unique characteristics of a person, such as a fingerprint or retina scan. Biometrics provide authentication in the "something you are" factor.
bit-copy tools - ANSSoftware used to capture the contents of a drive without modifying the data. The copy is known as a forensic duplicate image and can be examined without affecting the original.
Blacklist - ANSA list of prohibited applications. Application blacklisting identifies specific applications that cannot run on a system. Compare to whitelist.
Bootstrap Protocol (BootP) - ANSA protocol that provides an IP address to clients and can be used to retrieve a bootable image for clients. It is similar to Reverse Address Resolution Protocol (RARP), although RARP only retrieves the IP address.
Botnet - ANSA group of computers (called zombies) controlled by an attacker. The term botnet is derived from robot and network. The attacker manages a command and control center, and the computers in the botnet do the bidding of the attacker.
Breach - ANSThe intentional or unintentional release of secure information to an untrusted environment.
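As an added example (not from this study guide), the Bell-LaPadula and Biba rules from the two entries above written as a small Python policy check. The level names, their ordering, and the `reference_monitor` helper that requires both models to agree are assumptions made for this example. The point worth seeing in code is that the two models are mirror images: BLP permits a "blind" write up (a secret subject may write to a top-secret object) and Biba permits a write down, which is why neither one alone protects both confidentiality and integrity.

```python
"""Added example: Bell-LaPadula (confidentiality) and Biba (integrity) access decisions.
Level names and orderings below are this example's own assumptions."""

# Higher number = more sensitive (BLP) or more trustworthy (Biba).
SENSITIVITY = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}
INTEGRITY = {"low": 0, "medium": 1, "high": 2}


def blp_allows(subject_clearance: str, object_label: str, action: str) -> bool:
    """Bell-LaPadula: no read up (simple security property), no write down (*-property).
    A subject may read only at or below its clearance and write only at or above it,
    so classified data can never flow to a lower label."""
    s, o = SENSITIVITY[subject_clearance], SENSITIVITY[object_label]
    if action == "read":
        return s >= o
    if action == "write":
        return s <= o
    raise ValueError(f"unknown action: {action!r}")


def biba_allows(subject_integrity: str, object_integrity: str, action: str) -> bool:
    """Biba: no read down (simple integrity), no write up (*-integrity).
    A subject may read only from equal or higher integrity and write only to equal
    or lower integrity, so untrusted data can never contaminate trusted objects."""
    s, o = INTEGRITY[subject_integrity], INTEGRITY[object_integrity]
    if action == "read":
        return s <= o
    if action == "write":
        return s >= o
    raise ValueError(f"unknown action: {action!r}")


def reference_monitor(subject: dict, obj: dict, action: str) -> bool:
    """Mediate one request against both lattices (this example's own composition):
    the request is allowed only if both models allow it. Subjects and objects are
    dicts carrying a 'clearance' label and an 'integrity' label."""
    return (blp_allows(subject["clearance"], obj["clearance"], action)
            and biba_allows(subject["integrity"], obj["integrity"], action))


if __name__ == "__main__":
    analyst = {"clearance": "secret", "integrity": "medium"}  # constructed sample subject
    requests = [  # constructed sample objects and actions
        ({"clearance": "top secret", "integrity": "high"}, "read"),    # BLP: read up -> deny
        ({"clearance": "confidential", "integrity": "low"}, "read"),   # Biba: read down -> deny
        ({"clearance": "confidential", "integrity": "low"}, "write"),  # BLP: write down -> deny
        ({"clearance": "secret", "integrity": "medium"}, "write"),     # same levels -> allow
    ]
    for obj, action in requests:
        verdict = "ALLOW" if reference_monitor(analyst, obj, action) else "DENY"
        print(f"{action:5} {obj} -> {verdict}")
```

In a real MAC system the labels come from the object's security label and the subject's session clearance, and the check sits in the kernel's reference monitor rather than in application code; the lattice comparisons themselves are exactly these four inequalities.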
bring your own device (BYOD) - ANSAn organizational policy that allows users to bring their personally owned devices (such as smartphones and tablets) to work and connect them to the organization's network. Compare to corporate-owned, personally enabled (COPE) policies.
buffer overflow - ANSAn error that occurs when a program receives more data than its buffer was sized to hold and writes past the buffer's bounds, corrupting adjacent memory. Attackers attempt to exploit buffer overflow errors to run code of their choosing or install malware on systems.
buffer overflow attack - ANSAn attack on a system that has a buffer overflow vulnerability. Buffer overflow vulnerabilities can be reduced with input validation techniques and by keeping systems up to date.
Bus - ANSNetwork configuration where all computing devices are connected directly to each other via a shared cable connection. Both ends of the bus must be terminated. If one of the terminators is not present or the cable is disconnected, communication with all devices on the bus stops. See also mesh, star, token ring, and tree.
business continuity plan (BCP) - ANSA written document that includes the processes and procedures to prevent mission-critical services from being interrupted or disrupted. A BCP includes disaster recovery elements used to restore the organization to fully functioning operations as quickly and efficiently as possible.
business impact analysis (BIA) - ANSA part of a BCP. It identifies the impact to the organization if any business detects a preset number of events. An auditing system ignores events until the number of events reaches the clipping level.
Cloud Computing - ANSAny type of computing service provided over the Internet.
CMDB - ANSA configuration management database (CMDB) is a repository that contains a collection of IT assets that are referred to as configuration items.
code of ethics - ANSStatements and principles that individuals can use to guide their decisions and help in ethical dilemma situations.
(ISC)2's Code of Ethics includes a preamble and four canons describing ethical expectations of its certified practitioners. Candidates must commit to and abide by them to earn and keep the SSCP certification. Organizations can also use ethics statements for internal employees.
cold site - ANSAn alternative location used in business continuity planning. A cold site is a building with a roof, running water, and electricity. It doesn't include the necessary hardware, software, or personnel. In the event of an emergency, personnel move all of the resources to the cold site, hook them up, and configure them for operation. Compare to hot site, warm site, and mobile site.
command injection - ANSAn attack that attempts to inject commands into an application. In some cases, a command injection attack injects operating system commands that the application then executes as if they had been typed at the command line. In other cases, it injects code such as JavaScript or SQL statements. Input validation techniques help mitigate command injection attacks.
Common Criteria - ANSA framework used to evaluate systems, formally known as the Common Criteria for Information Technology Security Evaluation. It provides assurance that the specification, implementation, and evaluation of a system's security has gone through a rigorous and standardized process.
community cloud - ANSA cloud-based service shared by two or more organizations. It is similar to a private cloud in that it is not available to the public. Compare to public cloud, private cloud, and hybrid cloud.
Companies can now be sued for privacy violations just as easily as they can be sued for security compromises. A. True B. False - ANSA. True
Compensating Controls - ANSIntroduced when the existing capabilities of a system do not support the requirements of a policy.
Confidentiality - ANSData is not disclosed to unauthorized users.
Confidentiality - ANSEnsures that unauthorized entities cannot access data.
Access controls and encryption help protect against the loss of confidentiality. Confidentiality is one of the three main goals of information security, known as the CIA security triad. The other two goals are integrity and availability.
Confidentiality - ANSRefers to the property of information in which it is only made available to those who have a legitimate need to know.
configuration management - ANSA process that ensures that information about system configuration is available for any system and helps ensure that similar systems are configured similarly.
Configuration Management (CM) - ANSA discipline that seeks to manage configuration changes so that they are appropriately approved and documented, so that the integrity of the security state is maintained, and so that disruptions to performance and availability are minimized.
Connected Tokens - ANSMust be physically connected to the computer to which the user is authenticating.
Contactless Tokens - ANSForm a logical connection to the client computer but do not require a physical connection.
Contracting with an insurance company to cover losses due to information security breaches is known as risk __________. A. Avoidance B. Reduction C. Assignment D. Acceptance - ANSC. Assignment
Control - ANSA means, method, action, technique, process, procedure, or device that reduces the vulnerability of a system or the possibility of a threat exploiting a vulnerability in a system. Controls are risk management tools. The terms control, countermeasure, and safeguard are often used interchangeably.
Controls and Countermeasures: 1. Which of the following provides the best definition of a control? A.
The means, methods, actions, techniques, processes, procedures, or devices used to prevent attackers from launching attacks on systems B. A detective method that identifies threats C. A corrective method that reverses the impact of an incident D. The means, methods, actions, techniques, processes, procedures, or devices used to reduce the vulnerability of a system or the possibility of a threat exploiting a vulnerability - ANSD. A control provides the means, methods, actions, techniques, processes, procedures, or devices that reduce the vulnerability of a system or the possibility of a threat exploiting a vulnerability in a system. You can't actually prevent attackers from launching an attack, but you can reduce their chances of success by either reducing vulnerabilities or reducing the impact of the threat. Controls can be preventive, detective, and/or corrective, but it isn't accurate to limit a control to only one of these types.
Corporate networks are safer if an end user connects through a VPN connection? A. True B. False - ANSB. False
corporate-owned, personally enabled (COPE) - ANSAn alternative to bring your own device (BYOD) policies. An organization purchases and issues devices (such as smartphones and tablets) to users instead of allowing them to connect their personally owned devices to the network. Compare to bring your own device (BYOD) policies.
Corrective Control - ANSThese controls remedy the circumstances that enabled unwarranted activity, through deduction.
data loss prevention (DLP) - ANSTechniques used to monitor data usage and prevent the unauthorized use or transmission of sensitive data. Different types of DLP systems can monitor data in motion and data at rest.
database view - ANSA virtual table that provides access to specific columns in one or more tables. A view doesn't hold any data but presents the data in the underlying table or tables.
A database administrator can grant access to a view without granting access to the underlying table, to limit what a user can see and manipulate.
Decentralized access control allows ______________________. A. File owners to determine access rights B. Help Desk personnel to determine access rights C. IT personnel to determine access rights D. Security Officers to determine access rights E. Security Officers to delegate authority to other users - ANSA. File owners to determine access rights
Decentralized Authentication - ANSEvery computer has a separate database that stores credentials. If a user needed to log on to all four computers in such a network, he or she would need four separate sets of credentials, one for each system.
Decryption - ANSThe process of converting ciphertext data into plaintext data. Data is encrypted to prevent loss of confidentiality. Compare to encryption.
Deduplication - ANSA process that scans the entire collection of information looking for similar chunks of data that can be consolidated.
Deduplication - ANSThe process of keeping only a single copy of a file on a system instead of multiple identical files. Deduplication saves storage space.
defense diversity - ANSA defense-in-depth strategy using dissimilar technologies. Implementing a demilitarized zone (DMZ) with firewalls from two separate vendors is an example of defense diversity.
Defense in Depth - ANSA defense that uses multiple types of security devices to protect a network. Also called layered security.
defense in depth - ANSA strategy that provides a layered approach to security. Instead of using one or two security controls, multiple controls are used. If one control fails, other controls continue to provide protection.
Defense-in-depth - ANSProvision of several overlapping, subsequent limiting barriers with respect to one safety or security threshold, so that the threshold can only be surpassed if all barriers have failed.
Define the acronym RBAC A. Role Based Access Center B.
Rule Based Access Center C. Role Based Access Control D. Rule Based Access Control - ANSC. Role Based Access Control
Definitions: 3DES - ANSA symmetric encryption standard. It improves on the Data Encryption Standard (DES) by encrypting data in three passes, with up to three separate keys. NIST later selected the Advanced Encryption Standard (AES) to replace it. 3DES is a slower and more processor-intensive block cipher than AES and, although still found in legacy applications, has been deprecated by NIST in favor of AES. It is also called Triple DES.
Degaussing - ANSA technique of erasing data on disk or tape (including video tapes) that, when performed properly, ensures that there is insufficient magnetic remanence to reconstruct data.
Deluge System - ANSA fire suppression system with open sprinkler heads; water is held back until a detector in the area is activated.
demilitarized zone (DMZ) - ANSA perimeter network used to host resources on the Internet (such as web servers, email servers, or FTP servers). The DMZ provides a layer of protection for the resources that would not be available if they were placed directly on the Internet.
denial of service (DoS) - ANSAn attack that attempts to prevent a system from answering legitimate requests from users, directly affecting the availability portion of the CIA triad. The attack is launched from a single system.
DES - Data Encryption Standard has a 128-bit key and is very difficult to break. A. True B. False - ANSB. False (DES uses a 56-bit effective key)
DES, 3DES, Blowfish, and AES are all examples of what type of cryptography? A. Public Key B. Message Digest C. Hash Algorithm D. Secret Key - ANSD.
Secret Key
describe a MAC model - ANSUsed by government; the most secure model; objects are given classification labels and subjects are given clearance levels.
describe business impact analysis - ANSCategorize systems by importance and determine how long the business can function without their activities.
Describe TCB - ANSThis system has two main components, the reference monitor and the security kernel database, and helps to enforce a MAC model.
describe the hierarchy from policy to guidelines - ANSPolicy, regulations, baselines, procedures, guidelines.
Deterrent Control - ANSControls that prescribe some sort of punishment, ranging from embarrassment to job termination or jail time for noncompliance. Their intent is to dissuade people from performing unwanted acts.
differential backup - ANSA type of backup used in full/differential backup strategies. Differential backups only back up data that has changed since the last full backup, without regard to any other differential backups. Compare to incremental backup.
Diffie-Hellman, RSA, and ___________ are all examples of Public Key cryptography? A. SSL - Secure Sockets Layer B. DSS - Digital Signature Standard C. Blowfish D. AES - Advanced Encryption Standard - ANSB. DSS - Digital Signature Standard
Digital Certificates use which standard? A. X.400 B. X.500 C. X.509 D. X.511 E. X.525 F. None of the above - ANSC. X.509
digital signature - ANSA file used to provide authentication, integrity, and nonrepudiation for email. A digital signature is created by hashing an email message and then encrypting the hash with the sender's private key. The recipient decrypts it with the sender's public key and compares the result with a fresh hash of the received message.
Directive Control - ANSControls dictated by organizational and legal authorities.
disaster recovery plan (DRP) - ANSA document used to provide an organization with a plan to restore critical operations after a disaster. The overall