Question Review

  1. Which one of the following cipher types operates on large pieces of a message rather than individual characters or bits of a message?

    Block cipher

  2. The University of Outer Mongolia runs a web application that processes student tuition payments via credit card and is subject to PCI DSS. The university does not wish to perform web vulnerability scans on a regular basis because they consider them too time-consuming. What technology may they put in place that eliminates the PCI DSS requirement for recurring web vulnerability scans?

    Web application firewall

    PCI DSS allows organizations to choose between performing annual web vulnerability assessment tests or installing a web application firewall.

  3. Your organization has recently decided to allow workers to telecommute from home. However, the CISO requires that the connections be protected by encryption using a standard VPN solution. Which of the following secure protocols can be used as a VPN? (Choose all that apply.)

    • IPsec
    • SSH
    • TLS

    IPsec, SSH, and TLS are all able to be used as a VPN. While IPsec and TLS can be used as either transport mode or tunnel mode VPNs, SSH is limited to being used only as a transport mode VPN. The others are not VPN protocols. Kerberos offers a single sign-on solution for users and provides protection for logon credentials. Modern implementations of Kerberos use hybrid encryption to provide reliable authentication protection. Signal is a cryptographic protocol that provides end-to-end encryption for voice communications, videoconferencing, and text message services. S-RPC (Secure Remote Procedure Call) is an authentication service and is simply a means to prevent unauthorized execution of code on remote systems.

  4. Administrators regularly back up sensitive data on servers within a data center. Security controls restrict access to the data center, and all systems that process sensitive information are marked. After backing up data, they send an unmarked copy to an unstaffed company warehouse for long-term storage. Recently, someone posted some of this data on the internet. Investigators determined much of the backup media is no longer in the warehouse. Which of the following administrator actions would have the best chance of preventing this incident?

    Mark the tapes before sending them to the warehouse.

    If the tapes were marked before they left the data center, employees would recognize their value, and it is more likely someone would challenge their storage in an unstaffed warehouse. Purging or degaussing the tapes before using them will erase previously held data but won’t help if sensitive information is backed up to the tapes after they are purged or degaussed. Adding the tapes to an asset management database will help track them but wouldn’t prevent this incident.

  5. Which of the following VPN protocols has always offered native data encryption?

    IPsec

    From this list of VPN protocols, only IPsec has always offered native data encryption. Generic Routing Encapsulation (GRE) is a proprietary Cisco tunneling protocol that can be used to establish VPNs. GRE provides encapsulation but not encryption. L2TP does not offer native data encryption, but it can support IPsec’s ESP to provide encryption. PPTP did not originally provide native data encryption, but with the adoption of MS-CHAPv2 that feature was added.

  6. A risk assessment includes the evaluation of threats for each identified asset. What are the potential areas of concern related to third-party connectivity? (Choose all that apply.)

    • Business partnerships
    • Cloud services
    • Telecommuting

    The potential areas of concern related to third-party connectivity are those in which an actual outsider is to be directly connected to on-premises networks; these situations include business partnerships, cloud services, and telecommuting. Third-party connectivity is not involved when using VPN links to connect business branches.

  7. Don’s organization is having a difficult time tracking different versions of software being worked on by different developers. What type of tool would best assist with this problem?

    Code repository

    The use of a code repository would provide a central location for the storage of code as well as version control to manage different releases. Integrated development environments (IDE) are tools used to improve the efficiency of individual programmers and do not assist with collaboration. Integrated product teams (IPTs) are a team organizational approach and not a development tool. Runtimes execute code on a system and are not development tools.

  8. What law protects the right of citizens to privacy by placing restrictions on the authority granted to government agencies to search private residences and facilities?

    Fourth Amendment

    The Fourth Amendment to the U.S. Constitution sets the “probable cause” standard that law enforcement officers must follow when conducting searches and/or seizures of private property. It also states that those officers must obtain a warrant before gaining involuntary access to such property. The Privacy Act regulates what information government agencies may collect and maintain about individuals. The Second Amendment grants the right to keep and bear arms. The Gramm–Leach–Bliley Act regulates financial institutions, not the federal government.

  9. In today’s business environment, prudence is mandatory. Showing due diligence and due care is the only way to disprove negligence in an occurrence of loss. Which of the following are true statements? (Choose all that apply.)

    • Due diligence is establishing a plan, policy, and process to protect the interests of an organization.
    • Due care is practicing the individual activities that maintain the security effort.

    Due diligence is establishing a plan, policy, and process to protect the interests of an organization. Due care is practicing the individual activities that maintain the security effort. The other options are incorrect; they have the terms inverted. The corrected statements are as follows: Due diligence is developing a formalized security structure containing a security policy, standards, baselines, guidelines, and procedures. Due care is the continued application of a security structure onto the IT infrastructure of an organization. Due diligence is knowing what should be done and planning for it. Due care is doing the right action at the right time.

  10. An organization wants to improve the security of their DNS operations by implementing DNSSEC. Which of the following is most important to support this new security mechanism?

    PKI

    DNSSEC uses certificates to perform mutual authentication between DNS servers, and thus public key infrastructure (PKI) is needed to provide and support those certificates. HTTPS is not involved in DNSSEC but is the basis for DoH. A hardware security module (HSM) is not used in DNSSEC. LDAPS is not related to DNSSEC.

  11. An administrator has been tasked with reviewing the Human Resources server log files looking for malicious activity. Which of the following identifies the purpose of this activity?

    Accountability

    Accountability is possible by reviewing logs and tracking user activity. Accountability depends on strong identification and authentication methods, but reviewing logs doesn’t provide identification or authentication. Audit trails are the entire body of data gathered by event logging.

  12. Third-party governance is the system of external entity oversight that may be mandated by law, regulation, industry standards, contractual obligation, or licensing requirements. Often third-party assessment is necessary to evaluate the security of a supply chain. Which of the following means of third-party assessment is used to interview personnel and observe their operating habits?

    On-site assessment

    An on-site assessment is a third-party assessment tool where auditors visit the site of the organization to interview personnel and observe their operating habits. Document exchange and review is a mechanism to investigate the means by which datasets and documentation are exchanged as well as the formal processes by which they perform assessments and reviews. Process/policy review is a mechanism that requests copies of their security policies, processes/procedures, and documentation of incidents and responses for review. A third-party audit is performed by a third party, such as defined by AICPA (the American Institute of Certified Public Accountants), to provide an unbiased review of an entity’s security infrastructure.

  13. No one control can protect against all possible threats. Using a multilayered solution allows for numerous, different controls to guard against whatever threats come to pass. Which of the following is the most important and distinctive concept in relation to layered security?

    Series

    Layering is the deployment of multiple security mechanisms in a series. When security restrictions are performed in a series, they are performed one after the other in a linear fashion. Therefore, a single failure of a security control does not render the entire solution ineffective. Multiple security controls are only important so you can use them in a series, rather than have only one protection. Parallel is no better than a single protection. Filtering is a common feature of many security measures, such as firewalls, but it is not an essential element of layered security.

  14. Your organization has a strictly enforced email security policy which prohibits messages lacking proof of source and lacking non-repudiation. However, you have received a message which fails to meet these requirements and notice several other concerning characteristics. Which of the following are indicators that this message is a hoax? (Select three.)

    A. Lack of a digital signature verifying the origin

    D. Threat of damage to your computer system

    E. Encouragement to take specific steps to resolve a concern which are not based on standard company procedures

    A hoax is a social engineering attack that attempts to trick a user into taking actions that will harm them by using fear that not taking action would actually cause harm. A hoax will not have a digital signature from a verifiable origin, so its source is questionable. Hoaxes often use the threat of damage or harm to encourage the victim to take action, and those actions are often provided steps that will actually cause the victim harm. (B) Poor grammar, (C) bad spelling, and (G) hyperlinks in the message are all characteristics of both valid and invalid email messages. (F) Claiming to be from a trusted authority is an attempt to use the social engineering principle of authority and/or intimidation, which is not uniquely a feature of a hoax; many spam, BEC, and phishing attacks do the same. The claim of being a trusted authority could also be valid.

  15. The CISO has put you in charge of improving the security awareness and training program. The concern they want you to focus on is that it is unknown whether the training efforts are having any effect or benefit. If you cannot establish proof of a positive ROSI, then the program will be terminated. Which of the following would be useful in establishing an effectiveness evaluation procedure? (Choose all that apply.)

    B. Administering a quiz immediately after the awareness event

    D. Have workers take a test 6 months after a training class

    E. Collect key security indicators that relate to insider security incidents over time

    Training and awareness program effectiveness evaluation should take place on an ongoing or continuous basis. This can often include administering a quiz or exam immediately after an awareness or training event and a follow-up quiz/exam months later. Also, event and incident logs should be reviewed for the rate of occurrences of security violations due to employee actions and behaviors to see if there is any noticeable difference in the rate of occurrence or trends of incidents before and after a training presentation. The other options are not useful for training program effectiveness evaluation. (A) Never assume that just because a worker was marked as attending or completing a training event that they actually learned anything or will be changing their behavior. (C) Forcing employees to pay a fine for each security infraction is not a means to assess effectiveness; it is a crude means to force compliance. (F) Posting a list of employees who cause a security incident is not a means to assess effectiveness; it is a mechanism of using shame to force compliance and it is not an ethical practice.

  16. Patricia recently discovered that passwords to systems and user accounts belonging to her organization were for sale on the dark web. She believes that she knows the individual who stole and is selling those passwords and wishes to contact law enforcement. What law has most likely been violated?

    Computer Fraud and Abuse Act

    The Computer Fraud and Abuse Act (CFAA) explicitly covers trafficking in passwords. This is the activity that Patricia discovered and she could refer the matter for possible federal prosecution. The Electronic Communications Privacy Act (ECPA) protects against eavesdropping on electronic communications. The Federal Sentencing Guidelines are not law and do not contain privacy protection provisions. The National Infrastructure Protection Act would only apply if the system were part of a critical infrastructure system. That is not indicated in the scenario.

  17. What U.S. federal law prohibits attempts to circumvent copyright protection mechanisms placed on a protected work by the copyright holder?

    Digital Millennium Copyright Act

    The Digital Millennium Copyright Act contains provisions prohibiting the circumvention of copyright protection mechanisms. The Trade Secrets Act applies to trade secrets, not copyrights. The USA PATRIOT Act enhances government surveillance capabilities. The Copyright Enhancement Act does not exist as a U.S. federal law.

  18. Barry is the privacy officer for a college that accepts federal funds. He is reviewing the security of student educational records and wants to ensure that his college is compliant with all relevant laws and regulations. What law protects the privacy rights of students?

    FERPA

    The Family Educational Rights and Privacy Act (FERPA) protects the rights of students and the parents of minor students. The Gramm–Leach–Bliley Act (GLBA) covers the customer records of financial institutions, whereas the Health Insurance Portability and Accountability Act (HIPAA) regulates healthcare providers. The Sarbanes–Oxley (SOX) Act governs the financial records of publicly traded companies.

  19. An organization plans to donate several older computers to a local school. Chad will sanitize the hard drives in these computers. Which of the following methods is Chad most likely to use?

    Purging

    Purging media removes all data by writing over existing data multiple times to ensure that the data is not recoverable using any known methods. Purged media can then be reused in less secure environments. Erasing the media performs a delete, but the data remains and can easily be restored. Clearing, or overwriting, writes unclassified data over existing data, but some sophisticated forensics techniques may be able to recover the original data, so this method should not be used to reduce the classification of media.

  20. A small business is planning to outsource payroll. This requires the business to pass some data to the payroll company to handle payroll functions. In this scenario, which of the following roles best describes the payroll company?

    Data processor

    The payroll company is fulfilling the role of data processor by processing the payroll data. The data controller identifies what data to pass to the data processor and how that data should be processed. A data subject is like a data user and simply accesses data. A data custodian is responsible for the day-to-day maintenance of data.

  21. You need to identify a method to embed unobtrusive labels in digital data. After they are embedded, other methods should be able to detect these labels. Which of the following is the best choice to meet these requirements?

    Watermarking

    Digital watermarking places labels or marking in files (digital data). Other methods, such as data loss prevention (DLP) and digital rights management (DRM), can detect the labels. Remanence refers to data left on media after it should have been removed. A digital signature is used in emails to validate the sender’s identity. Encryption scrambles data so that it is unreadable, but it doesn’t add labels.

  22. An organization is decommissioning several older computers and replacing them with new ones. The CIO wants to ensure that data remanence is not a problem with the disk drives within these computers. Which of the following methods will most likely result in data remanence?

    Erasing

    Erasing data on a hard disk drive is likely to leave some data on a hard disk drive, also known as data remanence. Clearing (sometimes called overwriting) overwrites the disk drive with different bits in three separate passes. Purging is a more intense method of clearing the disk and repeats the clearing process multiple times. Cryptoshredding deletes encryption keys, but the question doesn’t indicate data is encrypted.

  23. Your company is planning to launch an e-commerce website. Management wants to ensure this website has adequate security controls in place before the site goes live. Administrators started with a baseline of security controls. What else should be a primary consideration related to security controls?

    Selecting a standard

    Standards selection refers to adding security controls based on external standards. The Payment Card Industry Data Security Standard (PCI DSS) is an example of an external standard, and it mandates the use of several specific controls. The identification of the data controller and data processor isn’t related to the selection of security controls. Data loss prevention methods attempt to prevent data from leaving a network but are less of a concern on a public-facing e-commerce server.

  24. Your organization has a database that includes residents of the EU. Management wants to transfer this to a third party for research and aggregation, but they want to modify the data so it can be transferred without GDPR compliance problems. Which of the following techniques will meet these requirements?

    Anonymization

    Anonymization techniques remove all data so that it is difficult to identify the original identities. When done correctly, the GDPR no longer applies. Pseudonymization is the process of replacing some data with an identifier, such as a pseudonym. An external dataset holds the original data along with the pseudonym. However, if applying pseudonymization techniques, the GDPR still applies. Tokenization replaces some data with tokens or aliases. A third party typically keeps the original data along with the token.

  25. What is the maximum key length supported by the Advanced Encryption Standard’s Rijndael encryption algorithm?

    256 bits

    The AES/Rijndael algorithm is capable of operating with 128-, 192-, or 256-bit keys. The algorithm uses a block size equal to the length of the key.

  26. What protocol replaces certificate revocation lists with a real-time method of verifying the status of a digital certificate?

    OCSP

    The Online Certificate Status Protocol (OCSP) provides real-time query/response services to digital certificate users. This overcomes the latency inherent in the traditional certificate revocation list download and cross-check process. Simultaneous Authentication of Equals (SAE) is an authentication protocol used in WPA3 wireless networking. The Lightweight Directory Access Protocol (LDAP) is a directory services protocol. The Border Gateway Protocol (BGP) is used to establish network routes.

  27. You are deploying a new product into the production environment. It is a self-contained next-generation firewall (NGFW), which should be able to filter unwanted traffic by keyword, application, and protocol. You position the new device between the client network segment and the server network segment. However, once it is installed, users report that they can no longer access company servers or the internet. What is the potential cause of this issue?

    The new device has secure defaults.

    This scenario’s problems are caused by the new device having secure defaults. This is a common problem with security products—they are often configured with strong security defaults so that adjustments must be made to allow for typical communications and operations.

  28. Security needs to be designed, architectured, engineered, integrated, and implemented in order to be reliable and cost-effective. There are numerous security design principles that can be adopted and woven into the crafting of company policies as well as deployed solutions. Which of the following are considered secure design principles? (Choose all that apply.)

    B. Least privilege

    C. Secure defaults

    D. Fail securely

    F. Threat modeling

    G. Keep it simple

    I. Separation of duties

    J. Zero trust

    K. Privacy by design

    The standard secure design principles are: least privilege, secure defaults, fail securely, threat modeling, keep it simple, separation of duties, zero trust, and privacy by design. Two further secure design principles not listed among the options are defense in depth and trust but verify. The other options are incorrect. “People are the weakest link” is not a secure design principle and is also not accurate. Although people can cause security breaches intentionally, accidentally, or via coercion, they are also a key component in a successful security solution. “Security is always top priority” is not a secure design principle. Security should always be limited by business objectives. The most secure solution may interfere with a mission-critical business function, so security must support the business rather than get in the way of it. “Risk should be eliminated” is not a secure design principle and is false. All risk cannot be eliminated. There may be some individual risks that can be eliminated, but in most circumstances risk reduction, management (i.e., deterrence, transfer, avoidance), or acceptance are the only real options.

  29. An industrial processing facility has implemented SCADA systems to monitor and manage the mission-critical production lines. These ICSs cannot adhere to the company’s 14-day patch application policy. How can these systems be secured in order to minimize malware infection?

    Prohibit nonauthorized nonessential software from executing

    In this scenario, the best option is to prohibit nonauthorized nonessential software from executing. A software firewall might limit network communication sessions, but will not necessarily reduce the risk of malware traversing a network link. Deployment in a screened subnet is not a good option as it may expose the ICS to the internet; deployment in a private network segment or an air-gapped network would be a better option. An IDS would only notify about a breach or intrusion or malware infection after it occurred, but an IPS might be a reasonable option.

  30. Your organization has decided to update their IT environment to take advantage of advancements in virtualization solutions. They are primarily focused on containerization products. Which of the following are features or capabilities of some containerization solutions? (Choose all that apply.)

    B. Allow for multiple concurrent applications within a single container

    D. Offer customization of interaction between applications in separate containers

    Containerization or OS virtualization is based on the concept of eliminating the duplication of OS elements in a virtual machine. Some containerization solutions allow for multiple concurrent applications within a single container, whereas others are limited to one per container. Many containerization solutions allow for customization of how much interaction between applications in separate containers is allowed. The other options are incorrect. A virtual machine–based system uses a hypervisor installed onto the bare metal of the host server and then operates a full guest OS within each virtual machine, and each virtual machine often supports only a single primary application. Software-defined visibility (SDV) is a framework to automate the processes of network monitoring and response.

  31. Which of the following is typically not a culprit in causing damage to computer equipment in the event of a fire and a triggered suppression?

    Light

    Light is usually not damaging to most computer equipment, but fire, smoke, and the suppression medium (typically water) are very destructive.

  32. Your facility has just been upgraded with a new burglar alarm system. This intrusion monitoring mechanism is able to detect both perimeter breaches as well as internal movement. Which of the following is not a typical type of alarm that can be triggered for physical security?

    A. Preventive

    There is no such thing as a preventive alarm. Alarms are triggered in response to a detected intrusion or attack. Whenever a motion detector registers a significant or meaningful change in the environment, it triggers an alarm. Common types of alarms include deterrent, repellent, and notification.

  33. Your organization is considering an upgrade of the internal network to support IPv6. You have been asked to provide an evaluation of the benefits and drawbacks of this project. Which of the following are true in regard to IPv6? (Choose all that apply.)

    B. Uses 16-byte addresses

    D. Supports autoconfiguration without DHCP

    F. Supports Quality of Service (QoS) priority values

    IPv6 uses 16-byte (128-bit) addresses, supports autoconfiguration without DHCP, and supports Quality of Service (QoS) priority values. IPv4 uses 32-bit addresses, reserves an entire subnet (127.0.0.1–127.255.255.254) for loopback, and requires NAT to convert between internal and external addresses. IPv4 also supports QoS priority values, but it is called “type of service” in the IPv4 header.

  34. Xavier has been tasked with redesigning the network in order to minimize the risk related to users in one department accessing the systems in another. Which of the following is not used to segment a network?

    VPN

    A VPN is not a network segmentation technique; it is a secured encapsulation tunnel used to connect networks (or network segments) together. Screened subnets, VLANs, and internal segmentation firewalls (ISFWs) are used to segment a network.

  35. Which of the following are technologies specifically defined as part of 802.11 wireless networking? (Choose all that apply.)

    B. WPA3

    C. SAE

    D. 802.11i

    E. WPS

    WPA3, 802.11i, SAE (Simultaneous Authentication of Equals), and WPS are all technologies that are specifically defined as part of wireless networking. 802.1X is an IEEE standard for port authentication, which is not strictly related to wireless use. It is, however, the basis of the ENT (enterprise) authentication option on wireless networks, but it is widely used to manage authentication throughout a wired network as well.

  36. A worker reports that they are unable to access an internal web application from their workstation. After you confirm that the worker has been assigned correct authorization, you review the logs from the workstation for clues. You discover the following entries:

    2020-01-08 12:15:36 DROP TCP 192.168.6.104 192.168.255.255 443 ---------- RECEIVE

    2020-01-08 12:15:51 DROP UDP 192.168.6.104 192.168.255.255 443 ---------- RECEIVE

    Based on this information, which of the following should you adjust to address this situation?

    Host-based firewall

    These log items are from a firewall log. They indicate that TCP and UDP traffic from the 192.168.x.x subnet to the workstation was dropped. Since this log is from the workstation, this indicates that there is a bad rule in the host-based firewall that is blocking all communications to the workstation from the local subnet.

  37. While performing a risk assessment, you need to create a list of threats. You are focusing on email as an asset, but you then realize email can be used as a weapon as well. What is it called when email itself is used as an attack mechanism?

    Mail-bombing

    Mail-bombing is the use of email as an attack mechanism by flooding a system with messages, causing a denial of service. Masquerading is claiming to be someone or something else and is a form of spoofing. Spoofing is the falsification of the source of a communication, such as spoofing an IP address, email address, or MAC address. A Smurf attack is an ICMP-based DoS.

  38. Remi is evaluating several multimedia collaboration products for use in her company. She needs to determine which products provide the best solution for her organization’s business objectives. The product will be used in-house as well as by remote workers using broadband internet services. Which of the following questions should she ask when evaluating each option? (Choose all that apply.)

    A. Does the communication occur across an open protocol or an encrypted tunnel?

    C. Does the service use strong authentication techniques?

    D. Are activities of users audited and logged?

    E. What tracking mechanisms are used, can the tracking be disabled, and what is the data collected for?

    Questions about minimum bandwidth requirements for chat and voice are likely unneeded since those services do not require much bandwidth and the remote users are all working over broadband internet services.

  39. Telecommuting is performing work at a remote location. Telecommuting clients use many remote access techniques to establish connectivity to the central office LAN. Which of the following are examples of remote access techniques? (Choose all that apply.)

    A. Remote node operation

    C. Remote control

    E. Screen scraping

    F. Service specific

  40. A software company with a worldwide footprint recently bought out another software company based in the United States. The U.S. company needs to maintain its name and domain infrastructure. However, employees in both companies need to access resources in the other network. Which of the following would best meet this need?

    A federation

    A federation can include two or more networks and allow users in each network to share network resources. Federations provide single sign-on (SSO) capabilities, but SSO will not share network resources.

  41. A company’s security policy states that user accounts should be disabled during the exit interview for any employee leaving the company. Which of the following is the most likely reason for this policy?

    To retain the decryption key

    The most likely reason (of the provided answers) is the retention of the account’s decryption key. Data encrypted by a user is typically encrypted with a key tied to the user account, and deleting the account may result in the data staying encrypted and unavailable. Though not available as an option, disabling the account also prevents an employee from logging on after leaving the company. Disabling the account allows supervisors to review the user’s data. Employees should return company property, but disabling an account won’t ensure they do so. Disabling a user account won’t terminate employee benefits.

  42. Network-based intrusion detection systems (NIDSs) and network-based intrusion prevention systems (NIPSs) have some differences and some similarities. Which of the following describes a similarity?

    They can both detect attacks using pattern-matching

    NIDSs and NIPSs can both detect attacks using pattern-matching (also known as signature-based detection and knowledge-based detection). A NIPS is placed inline with traffic and can prevent attacks from reaching an internal network. While a NIDS can be placed inline with the traffic, it isn’t placed inline by default. An IDS may be connected to a network switch port using mirror mode to collect data, but a NIPS would be inline with all traffic.

  43. Tina is preparing to create a forensic image of a hard drive from a system involved in a security incident. What hardware device can she use to help ensure that creating the image does not alter the original evidence?

    Write blocker

    Write blockers are hardware devices used to prevent the accidental writing of data to media that was collected as evidence. Network taps and protocol analyzers are used in the collection of evidence from networks, rather than storage. Cryptographic hashes may be used to detect unauthorized changes to evidence, but they do not prevent those changes from occurring.

  44. Gene is reviewing the shared software libraries used within his organization. He notices that developers widely use open source libraries. Which of the following statements about these libraries are true? (Select all that apply)

    Open-source libraries should be tested for security vulnerabilities.

    Open-source library use within the organization should be tracked.

    Open-source libraries are commonly used by software developers and do not necessarily pose a higher risk than commercially available libraries. The use of these libraries should be tracked and subject to regular security testing, as should the use of any closed-source library.

  45. What test coverage analysis technique verifies that every if statement in the code has been executed under all if and else conditions?

    Branch coverage

    Branch coverage evaluates whether every if statement has been executed under all if and else conditions. Condition coverage tests whether every logical test in the code has been executed under all sets of input. Function coverage verifies that every function in the code has been called and returned results. Loop coverage verifies that every loop in the code has been executed under conditions that cause code execution multiple times, only once, and not at all.

  46. What is a hardware-imposed network segmentation that requires a routing function to support intersegment communications otherwise known as?

    VLAN

    A VLAN (virtual LAN) is a hardware-imposed network segmentation created by switches that requires a routing function to support communication between different segments. A subnet is defined by IP address and subnet mask assignment. Subnets are not defined by routers, but subnets do require a routing function to support intersegment communications. An internal segmentation firewall (ISFW) is not the name of a network segment, but it can be used to create network segments by dividing subnets. An extranet is a type of screened subnet typically separated from the intranet and internet by firewalls.

  47. Which of the following statements are true in regard to NAC (Network access control)?

    Agent-based NACs can quarantine noncompliant devices and implement updates automatically.

    Preadmission-based NAC requires a system to meet all current security requirements (such as patch application and malware scanner updates) before it is allowed to communicate with the network.

    A dissolvable NAC agent can be set to run once and then terminate.

    An agentless NAC performs port scans, service queries, and vulnerability scans against networked systems to determine whether devices are authorized and baseline compliant.

    Review of the other (incorrect) options:

    An agentless NAC is unable to automatically quarantine and resolve security issues on hosts. An agentless system requires an administrator to manually resolve any discovered issues.

    IEEE 802.1X can be used by a NAC solution as a means to grant or deny network access based on authentication, but NAC does not require the use of IEEE 802.1X.

  48. Your CISO is implementing a new technology to enable the various satellite offices to be connected to the central headquarters. This will increase business operations efficiency as well as allow for a more consistent application of company security policy. The technology is based on an encapsulation protocol that enables switch-created network segments to be stretched across subnets and geographic distances. What technology is being implemented in this scenario?

    VXLAN

    Virtual eXtensible LAN (VXLAN) is an encapsulation protocol that enables switch-created network segments (i.e., VLANs) to be stretched across subnets and geographic distances. Software-defined wide-area networks (SDWANs or SD-WANs) are an evolution of SDN that can be used to manage the connectivity and control services between distant data centers, remote locations, and cloud services over WAN links. SDN (Software Defined Network) offers a new network design that is directly programmable from a central location, flexible, vendor neutral, and open standards based. A VPN is a secured encapsulation tunnel used to connect networks (or network segments) together.

  49. A mission-critical server has experienced a compromise that caused it to go offline for seven hours. This nearly caused the organization to go out of business. After the attack, investigations revealed malicious code that would have corrupted the core database, but it was coded poorly and did not execute. This incident has caused the organization to rethink their security precautions against compromise, downtime, and disaster events. In order to prevent future downtime or at least reduce it significantly, which of the following technologies should be deployed? (Choose all that apply.)

    B. RAID

    C. UPS

    D. Dual power supplies

    E. Offsite backups of system images and snapshots

    H. Replication

    I. Clustering

    For this scenario, many different redundancy, resiliency, or uptime management options should be considered. This includes option B: Redundant array of inexpensive disks (RAID) to maintain data availability; option C: Uninterruptible power supply (UPS) to protect against power issues; option D: Dual power supplies to provide redundancy against power supply failures; option E: Offsite backups to provide a recovery path in the event of a major disaster; option H: Replication to ensure multiple similar servers are hosting cloned material so that no matter which server is accessed the most current version of data is available; and option I: Clustering, which is used to operate numerous servers as a collective to support a single or primary resource and provide high availability. The following options are incorrect for this scenario: option A: Full-disk encryption (FDE), though a good security practice, is not related to redundancy, resiliency, or uptime management; option F: Multifactor authentication (MFA), though a good security practice, is not related to redundancy, resiliency, or uptime management; and option G: Security information and event management (SIEM) is a centralized application to automate the monitoring of network systems, which is a good security practice, but is not related to redundancy, resiliency, or uptime management.

  50. An organization’s security policy allows users to connect their mobile devices to the internal network. However, it requires that their devices are up-to-date with a current operating system. Which of the following access control models can enforce this requirement?

    Attribute-Based Access Control (ABAC)

    An ABAC model can require user devices to meet specific requirements, such as being up-to-date with a current operating system. A rule-based access control model defines access using a set of rules, such as the rules in a firewall’s access control list. A MAC model uses matching labels to grant access. An RBAC model uses job roles, or groups, for access control.

  51. Tina is selecting a cryptographic algorithm that will be used in a parallelized environment to distribute the workload of encryption and decryption among multiple processors. What cryptographic mode would best support this computing model?

    Counter

    Counter mode allows you to break an encryption or decryption operation into multiple independent steps. This makes Counter mode well suited for use in parallel computing.

  52. Which of the following statements are not true in regard to static electricity?

    A. Electrostatic discharge can damage most computing components. (True)

    B. Static charge accumulation is more prevalent when there is ~~high~~ (low) humidity. (False. Low humidity)

    C. Static discharge from a person to a metal object can be over 1,000 volts. (True)

    D. Static electricity is not managed by the deployment of a UPS. (True)

  53. An organization has recently implemented an asset management program. Which of the following BEST represents the primary goal of this program?

    Prevent losses

  54. Which of the following is an advantage of a single sign-on (SSO) solution within an internal network?

    It improves the administrator’s ability to manage user accounts.

    SSO solutions provide centralized administration and make it easier for administrators to manage user accounts. SSO solutions can be a single point of failure, but this is a vulnerability. Another vulnerability is that compromise of a single account can give an attacker access to multiple resources. Although SSO solutions typically can support more than one operating system, it isn’t always easy to support all operating systems in internal networks.

  55. Which of the following is not an element defined under the Clark–Wilson model?

    Redundant commit statement (not an element of the Clark–Wilson model; it is instead an element of database replication)

    The Clark–Wilson model does define the constrained data item, transformation procedures, and integrity verification procedure.

  56. An organization has merged with another organization. The two organizations are using different network operating systems. Management wants to implement a solution that will give them the most control while allowing both organizations to access resources in both networks. Which of the following choices is the best to meet these needs?

    On-premises identity management

    An on-premises identity management system will provide the organization with the most control and is the best choice. A cloud-based solution is controlled by a third party. There’s no need to have both an on-premises and a cloud-based solution in this situation, which would be a hybrid solution. Identity management solutions provide single sign-on (SSO), but SSO is a benefit of identity management, not a type of identity management.

  57. When you install a new wireless access point to extend your company’s network into a newly opened portion of the building, someone raises the concern of interference between the existing Wi-Fi network and the new extension. What media access technology is used by 802.11 networks to manage collisions?

    CSMA/CA

    IEEE 802.11 wireless networks use Carrier-Sense Multiple Access with Collision Avoidance (CSMA/CA) to manage (technically avoid) collisions. Ethernet (IEEE 802.3) uses Carrier-Sense Multiple Access with Collision Detection (CSMA/CD). Token Ring networks used token passing. Polling is used by some mainframe systems.

  58. Which one of the following disaster types is not usually covered by standard business insurance?

    Flood

    Most general business insurance and homeowner’s insurance policies do not provide any protection against the risk of flooding or flash floods. If floods pose a risk to your organization, you should consider purchasing supplemental flood insurance under FEMA’s National Flood Insurance Program.

  59. Security administrators recently detected an attack that allowed attackers to exfiltrate data from several servers. They implemented the incident response plan in response. Which of the following would security personnel do during the remediation stage of incident management?

    Root cause analysis

    Security personnel perform a root cause analysis during the remediation stage. A root cause analysis attempts to discover the source of the problem. After discovering the cause, the review will often identify a solution to help prevent a similar occurrence in the future. Containing the incident and collecting evidence is done early in the incident management process. Rebuilding a system may be needed during the recovery stage.

  60. Temporary internet files or the internet files cache is the temporary storage of files downloaded from internet sites that are being held by the client’s utility (typically a browser) for current and possibly future use. What type of attack is possible if an adversary is able to gain access to this cache? (Choose all that apply.)

    Split-response attack

    Cache poisoning

    DOM XSS

    The temporary internet files cache, if accessed by an adversary, could result in a split-response attack, cache poisoning, and/or DOM XSS. Split-response attacks can cause the client to download content and store it in the cache that was not an intended element of a requested web page. Once files have been poisoned in the cache, then even when a legitimate web document calls on a cached item, the malicious item will be activated. DOM XSS may be able to access and use locally cached files to execute malicious code or exfiltrate data. Internet files cache access will not likely result in identity theft. Identity theft is the act of stealing someone’s identity. Cache access might allow for some forms of spoofing, masquerading, or impersonation of websites, but it is unlikely to contain enough information about the person using the system to be able to perform actual identity theft.

  61. A web developer implemented an authentication solution on a website allowing users to authenticate with a third party. The website doesn’t see or store the user’s credentials. The solution uses technologies described in RFC 6749 but is not maintained by IETF. What does this describe?

    OpenID Connect (OIDC)

    OpenID Connect (OIDC) uses the OAuth framework (described in RFC 6749) and is maintained by the OpenID Foundation. RFC 6749 describes OAuth and is maintained by the Internet Engineering Task Force (IETF).

  62. Which backup facility is large enough to support current operational capacity and load but lacks the supportive infrastructure?

    Cold site

  63. Proximity devices can be used to control physical access. The proximity device is worn or held by the authorized bearer. When it passes near a proximity reader, the reader device is able to determine who the bearer is and whether they have authorized access. Which of the following is a proximity technology that is the equivalent of RFID?

    Field-powered proximity device

    RFID (radio-frequency identification) is effectively a field-powered proximity device. A passive proximity device is often a magnet; an RFID does not use a magnet, but an antenna to generate current from a magnetic field provided by an external source. A self-powered proximity device has its own battery, which RFID does not, but NFC may. A TOTP token is a device with an LCD screen that displays a one-time use password that is based on time and that changes at fixed time intervals. There is no such thing as a TOTP proximity token.

  64. You need to run networking cables between two office buildings. Between the buildings are several electrical boxes that manage the primary power for the entire business park. Which of the following cables is the worst option to use?

    UTP

    UTP is the least resistant to EMI because it is unshielded. STP is a shielded form of twisted pair that resists EMI. Fiber is not affected by terrestrial EMI. Wireless is not a cable, but it could be affected by EMI if the interference occurred in the wireless transmission frequencies.

  65. Developers of a web application want to ensure that users are logged off automatically after 20 minutes of inactivity. Which of the following choices indicates the easiest way to do this?

    A web development framework

    The easiest way (and the best way) to implement session management is with a web development framework, such as one recommended by the Open Web Application Security Project (OWASP). Writing the code from scratch in Python or JavaScript would not be the easiest way and may introduce vulnerabilities, whereas established frameworks are reliable and well tested. TLS should be used in session management, but TLS doesn’t close sessions.

  66. You have three applications running on a dual-core single-processor system that supports multitasking. One of those applications is a word processing program that is managing two threads simultaneously. The other two applications are using only one thread of execution. How many application threads are running on the processor at any given time?

    Two

    A dual-core single-processor system can operate on two threads at a time (one by each core). There would be a total of four application threads in this scenario (ignoring any threads created by the OS), but the OS would be responsible for deciding which single thread is running on the processor at any given time. A single-core single processor system would be limited to one thread executing at a time. Other multicore and/or multiprocessor configurations would be needed to execute three or four (or more) threads simultaneously.

  67. Under what method are database backups bulk transferred to off-site recovery locations?

    Electronic vaulting

    Electronic vaulting automatically backs up data to a secure site where storage professionals at the vaulting company’s site handle the details.

  68. Security administrators are considering different configuration management methods. Which of the following is the MOST effective method of configuration management provisioning?

    Using images

    Images are an effective provisioning method that ensures systems receive an initial, known baseline configuration. Change management processes help prevent outages from unauthorized changes. Vulnerability management processes help to identify vulnerabilities, and patch management processes help to ensure that systems are kept up-to-date.

  69. A company has not been implementing patches consistently, and you are tasked with writing a policy related to patch management. Which of the following should you include in the policy? (Choose three.)

    A. Evaluate patches.

    B. Test patches.

    D. Audit patches.

    A patch management process includes evaluating patches, testing patches, and auditing patches. Evaluating patches determines what patches should be deployed. Testing helps discover unintended problems before they are deployed. Auditing ensures required patches have been deployed. All patches should not be deployed. Instead, only patches that apply to a system and have been approved should be applied.

  70. The ______ data model has data stored in more than one database, but the data is still logically connected. The user perceives the database as a single entity, even though it comprises numerous parts interconnected over a network.

    Distributed

    The distributed data model has data stored in more than one database, but the data is still logically connected. The user perceives the database as a single entity, even though it comprises numerous parts interconnected over a network.

  71. Internet Protocol Security (IPsec) is a standard of IP security extensions used as an add-on for IPv4 and integrated into IPv6. IPsec isn’t a single protocol but rather a collection of protocols. Which component of IPsec enables multiple simultaneous VPNs?

    ISAKMP

    Internet Security Association and Key Management Protocol (ISAKMP), an element of Internet Key Exchange (IKE), is used to organize and manage the encryption keys that have been generated and exchanged by OAKLEY and SKEME. A security association is the agreed-on method of authentication and encryption used by two entities (a bit like a digital keyring). ISAKMP’s use of security associations is what enables IPsec to support multiple simultaneous VPNs from each host. Encapsulating Security Payload (ESP) provides confidentiality and integrity of packet contents. ESP provides encryption and limited authentication, and prevents replay attacks. Secure Key Exchange Mechanism (SKEME), an element of Internet Key Exchange (IKE), is a means of exchanging keys securely. Authentication Header (AH) provides assurances of message integrity and nonrepudiation. AH also provides authentication and access control, and prevents replay attacks.

  72. You’re working for a financial institution that has job rotation and separation of duties policies. What is a primary benefit of these policies?

    Preventing fraud

    Job rotation and separation of duties policies help prevent fraud. Collusion is an agreement among multiple persons to perform some unauthorized or illegal actions, and implementing these policies doesn't prevent collusion, nor does it encourage employees to collude against an organization. They help deter and prevent incidents, but they do not correct them.

  73. A recent update to networking equipment has provided the IT management and security teams with many new capabilities. These include the ability to implement customized network segments and use NATing between them. Which of the following is an appropriate container where static NAT can be used to grant external entities access to resources that are otherwise using private IP addresses? (Choose all that apply.)

    Screened subnet

    Extranet

    Static NAT can be appropriately and securely used to grant external entities access to resources positioned in a screened subnet or an extranet, especially when those resource hosts are using private IP addresses. VLANs are typically not relevant to NAT because NAT operates at layers 3 and 4 and a VLAN exists at layer 2. It is not appropriate or secure to use static NAT to grant external entities access into the LAN.

  74. A cloud application has been deployed and shared among several organisations with similar concerns. What type of cloud-based deployment model does this describe?

    Community

    A community cloud deployment model provides cloud-based assets to two or more organizations. A public cloud model includes assets available for any consumers to rent or lease. A private cloud deployment model includes cloud-based assets that are exclusive to a single organization. A hybrid model includes a combination of two or more deployment models. It doesn't matter if it is a Software as a Service (SaaS) model or any other service model.

  75. A user is attempting to access a website, but when they type the FQDN into the address bar of their browser, a different site appears. The user opens a command prompt and performs an nslookup query to obtain the IP address their system is receiving when resolving the FQDN of the website. The user then checks with a colleague who is working from home and they get a different IP address and they have no issue accessing the website. The user checks their IP configuration and sees that the correct DNS server is listed as their query target. The user runs ipconfig /flushdns and then the ipconfig /displaydns commands but does not see the correct website’s identity listed in the final result. Which of the following is the most likely cause for this situation?

    Local DNS caching server poisoning

    The most likely cause of this situation is the poisoning of the local DNS caching server. This is the DNS server that the user’s computer is using to send DNS queries to. When the user types in the fully qualified domain name (FQDN), the resolution returns the wrong IP address. The investigations performed by the user demonstrated that this is the only remaining option. After a DNS flush, the display command would have shown the FQDN and the wrong IP address if the hosts file had been modified since those entries would not be removed from the DNS cache as they are boot persistent. When their local IP configuration is correct, it shows that DHCP was not altered to hand out an invalid DNS server IP address. Since their colleague had no issue getting to the correct website, the authoritative DNS server’s zone file was not modified.

  76. A DCE typically includes an interface definition language (IDL). An IDL is a language used to define the interface between client and server processes or objects in a distributed system. Which of the following are considered examples of DCE IDL? (Choose all that apply.)

    RPC

    CORBA (Common Object Request Broker Architecture)

    DCOM (Distributed Component Object Model)

    There are numerous examples of DCE IDLs or frameworks, such as remote procedure calls (RPC), the Common Object Request Broker Architecture (CORBA), and the Distributed Component Object Model (DCOM). The other options are incorrect. Security Assertion Markup Language (SAML) is used for authentication federation. Online Certificate Status Protocol (OCSP) is used to check on the revocation status of a certificate. Structured Query Language (SQL) is a means to interact with a database management system and its hosted databases.

  77. Applications developed on ____ are similar to microservices, and each function is crafted to operate independently and autonomously. This allows each function to be independently scaled by the CSP. With this technology, the functions run only when called and then terminate when their operations are completed.

    Serverless architecture

    Applications developed on serverless architecture are similar to microservices, and each function is crafted to operate independently and autonomously. This allows each function to be independently scaled by the CSP. With this technology, the functions run only when called and then terminate when their operations are completed. The other options are incorrect. JavaScript is the most widely used scripting language in the world and is embedded into HTML documents using `<script></script>` enclosure tags. In asymmetric multiprocessing (AMP), the processors are often operating independently of one another. Usually, each processor has its own OS and/or task instruction set. Smart devices are a range of devices that offer the user a plethora of customization options, typically through installing apps, and may take advantage of on-device or in-the-cloud machine learning (ML) processing.

  78. Which of the following are examples of risk management frameworks? (Choose all that apply.)

    There are six actual risk management frameworks included in this list of options. They are: (A) Risk Management Framework (RMF) defined by NIST, (C) The Committee of Sponsoring Organizations (COSO) of the Treadway Commission’s Enterprise Risk Management — Integrated Framework, (D) ISACA’s Risk IT Framework, (F) Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE), (H) Factor Analysis of Information Risk (FAIR), and (I) Threat Agent Risk Assessment (TARA).

    The other options listed are not risk management frameworks. The incorrect answers are: (B) CCMP (Counter Mode Cipher Block Chaining Message Authentication Code Protocol) is the streaming cipher variation of block ciphers, such as AES, (E) EC Council (ECC)’s Certified Ethical Hacker (CEH) is a certification focusing on penetration testing, (G) annualized rate of occurrence (ARO) is an element used in quantitative risk analysis, and (J) The National Institute of Standards and Technology (NIST) is an agency of the U.S. government that establishes security standards, including the RMF.

  79. You notice a message on your system that asks you to visit a web URL in order to confirm your identity. You don’t recognize the site. You also realize that the message seems to be handled by your Bluetooth subsystem. You think you have been the victim of bluejacking. What was compromised?

    Your cell phone

    This scenario is describing a bluejacking attack. A bluejacking attack is a wireless attack on Bluetooth, and the most common device compromised in a bluejacking attack is a cell phone. Firewalls and switches do not usually support Bluetooth; therefore, they are not subject to bluejacking attacks. Although the bluejacking attack included an inducement to visit a web URL to confirm identity, the scenario does not indicate that the URL was visited or that the requested information was provided. Thus, there is no evidence that your account was compromised.

  80. A technician came across a collection of DVDs. Some appear to be blank, but others have data written to them and the classification of the data isn’t clear. A supervisor tells the technician to dispose of them. Which of the following methods would be the most secure method of disposing of the DVDs?

    Destroying them in an incinerator

    Physical destruction is the most secure method of deleting data on optical media such as a DVD. Formatting and deleting processes rarely remove the data from any media. DVDs do not have magnetic flux, so degaussing a DVD doesn’t destroy data.

  81. Tom built a database table consisting of the names, telephone numbers, and customer IDs for his business. The table contains information on 30 customers. What is the cardinality of this table?

    Thirty

    The cardinality of a table refers to the number of rows in the table, whereas the degree of a table is the number of columns.

  82. Which of the following is not related to verifying that a candidate for employment is qualified as well as not disqualified for a position?

    Signing an NDA

    Signing an NDA (non-disclosure agreement) may be a part of the hiring process, but it is not related to verifying that a candidate for employment is qualified as well as not disqualified for a position. Employment candidate screening, background checks, reference checks, education verification, and security clearance validation are essential elements in proving that a candidate is adequate, qualified, and trustworthy for a secured position.

  83. A divestiture or any form of asset or employee reduction is another time period of increased risk and thus increased need for focused security governance. Which of the following are security processes that should be implemented to reduce the risk associated with a divestiture event? (Choose all that apply.)

    Sanitize assets.

    Storage media should be removed and destroyed.

    Employees released from duty need to be debriefed.

    A divestiture occurs when something is being removed from the organization, whether a device, service, employee, or partnership. Security processes should be implemented at these times to reduce the risk of data loss and leakage, such as sanitizing assets, removing and destroying storage media, and debriefing ex-employees. What is not needed is to update the firmware of, renew system certificates for, or propose feature improvements for devices being disposed of.

  84. Sharif is preparing an audit report after completing an SSAE 18 engagement. His report offers an opinion on the controls described by management and the results of his testing of the effectiveness of those controls over the last year. What type of report is he preparing?

    Type II

    Type I reports provide the auditor’s opinion on the description of controls provided by management and the suitability of the design of those controls. Type II reports go further and also provide the auditor’s opinion on the operating effectiveness of the controls over an extended period of time. Type III and IV reports do not exist under SSAE 18.

  85. Kaitlyn is concerned about the security of data users are retrieving from a website and would like to apply an appropriate cryptographic solution. What type of use case is she attempting to secure?

    Data in motion

    Kaitlyn is specifically concerned about information that users are retrieving. Therefore, she is considering a data in motion use case.

  86. Kelly is reviewing privileged accounts and would like to ensure that each account was appropriately authorized. What process should she verify?

    Management review and approval

    The management review and approval process ensures that each account was appropriately authorized and remains necessary to meet business needs.

  87. Your organization works with several third-party suppliers for a wide range of services, including accounting, payroll, benefits management, help desk, incident response, log analysis, and more. The CEO has recently complained that the organization is likely wasting money due to paying for the same services from multiple providers and not taking full advantage of the services from those providers and still performing some of those tasks in-house. In order to gain a better understanding of the outsourced services as well as improve ordering convenience, manage related training, and consolidate billing, which of the following should be implemented?

    VMS

    This scenario describes a situation that would benefit from a vendor management system (VMS). VMS is a software solution that assists with the management and procurement of staffing services, hardware, software, and other needed products and services. A VMS can offer ordering convenience, order distribution, order training, consolidated billing, and more. The other three options do not apply to this scenario since they are not a means to view, manage, or optimize the relationship between an organization and third-party suppliers. Security information and event management (SIEM) can be used to aggregate data sources, such as log files, perform real-time network traffic capture, and perform data analytics to provide near-real-time alerts and reports on security issues and incidents. A service-level requirement (SLR) is a statement of the expectations of service and performance from the product or service of a vendor. This is the wrong tool in this scenario since existing vendor services need to be managed and a new relationship with another vendor is not being established. A business partners agreement (BPA) is a contract between two entities dictating the terms of their business relationship. It clearly defines the expectations and obligations of each partner in the endeavor. A BPA is the closest but still an incorrect option, since it focuses on the business partner relationship rather than that of a customer to a vendor.

  88. There’s an almost infinite possibility of threats, so it’s important to use a structured approach to accurately identify relevant threats. What are the common examples of threat modeling approaches? (Choose all that apply.)

    Focus on attackers

    Focus on assets

    Focus on software

    The three common threat modeling approaches from this list of options are focus on attackers, focus on assets, and focus on software. Focus on insiders and focus on stakeholders may have some benefit for threat evaluation, but they are not widely recognized as common approaches to threat modeling.

  89. When conducting an internal investigation, what is the most common source of evidence?

    Voluntary surrender

    Internal investigations usually operate under the authority of senior managers, who grant access (i.e., voluntary surrender) to all information and resources necessary to conduct the investigation.

  90. Charlie is seeking a common naming scheme that he can use to describe system configurations during vulnerability analysis. Which one of the following SCAP components would be best suited to this task?

    CCE

    Common Configuration Enumeration (CCE) provides a naming system for system configuration issues. Common Vulnerabilities and Exposures (CVE) provides a naming system for describing security vulnerabilities. Common Platform Enumeration (CPE) provides a naming system for operating systems, applications, and devices. The Common Vulnerability Scoring System (CVSS) provides a standardized scoring system for describing the severity of security vulnerabilities.

  91. Which of the following is the best response after detecting, verifying, and responding to an incident?

    Contain it.

    Mitigation is the next step after detecting, verifying, and responding to an incident, and responders attempt to contain the incident in the mitigation step. This limits the effect or scope of an incident. Organizations report the incident based on policies and governing laws, but this is not the first step. Remediation attempts to identify the cause of the incident and steps that can be taken to prevent a reoccurrence. It is important to protect evidence while trying to contain an incident, but gathering the evidence will occur after containment.

  92. A new intern has been hired to provide assistance to the security team. The intern is not as familiar with enterprise network concepts as the CISO would like. The CISO is gathering some facts that they want the intern to learn. But the CISO needs to confirm that they are providing only true statements. Which of the following statements is not true?

    A subnet is created by a router. (False)

    A subnet is not created by a router; a subnet is created through the assignment of an IP address and a subnet mask. Routers only manage traffic between subnets. The other statements are true. VLANs are created by switches. Multilayer switches can allow cross-VLAN communications by providing a routing function. VLANs contain or restrict traffic by default.

  93. The risk management team has been diligently assessing risk and selecting appropriate response. Only a few unresolved issues remain, but they are still above the risk acceptance threshold. A member of the team recommends insurance to cover the loss potential. The purchasing of insurance is a form of _______.

    Risk assignment

    Insurance is a form of risk assignment or transference. (A) Reducing risk, or risk mitigation, is the implementation of safeguards, security controls, and countermeasures to reduce and/or eliminate vulnerabilities or block threats. (C) Accepting risk or acceptance of risk is the result after a cost/benefit analysis shows that countermeasure costs would outweigh the possible cost of loss due to a risk. (D) An unacceptable possible response to risk is to reject risk or ignore risk. Denying that a risk exists and hoping that it will never be realized are not valid or prudent due care/due diligence responses to risk.

  94. Which of the following best describes the tailoring process?

    Assigning different values for a control

    The tailoring process refers to modifying a list of controls to align with the organization’s mission. One way it does so is by modifying control parameters, such as changing the account lockout threshold. Scoping is specifically used to remove controls from a suggested baseline. While tailoring includes scoping, assigning different values for controls only applies to tailoring. Tailoring is done after selecting a baseline. Tailoring doesn’t include creating an image.

  95. Your company’s data policy identifies several data roles and their responsibilities. It mentions the data custodian. Which of the following tasks would the data custodian be responsible for completing?

    Backing up data

    The data custodian is responsible for day-to-day tasks to protect data, such as backing up data. Data owners have the ultimate responsibility for protecting data, and they identify the classification of data. A data processor controls the processing of the data, based on what the data controller tells them. A data controller decides what data to process and how to process it.

  96. What is the concept of a computer implemented as part of a larger system that is typically designed around a limited set of specific functions (such as management, monitoring, and control) in relation to the larger product of which it’s a component?

    Embedded system

    An embedded system is a computer implemented as part of a larger system. The embedded system is typically designed around a limited set of specific functions in relation to the larger product of which it’s a component. It may consist of the same components found in a typical computer system, or it may be a microcontroller. The Internet of Things (IoT) is a class of smart devices that are internet-connected in order to provide automation, remote control, or AI processing to appliances or devices. A microservice is simply one element, feature, capability, business logic, or function of a web application that can be called on or used by other web applications. It is a software concept, not a hardware device. A system on a chip (SoC) is an integrated circuit (IC) or chip that has all of the elements of a computer integrated into a single chip. An SoC may be the main component of a microcontroller that is used to control or manage another system. An SoC is not considered an embedded device.

  97. An invitation-only VoIP call among the members of the board of directors took place last month. You just received notice that a partial recording of that call was found on a hacker discussion forum. After investigating the breach, you discover that your VoIP solution was the focus of the security breach and someone was able to eavesdrop on the conversation midstream. Which of the following would be the best option to prevent this incident from reoccurring?

    SRTP

    Implementing Secure Real-time Transport Protocol (SRTP) is the best option to secure VoIP and prevent the reoccurrence of the eavesdropping attack. Most likely the VoIP service used for the call last month was using plaintext RTP. Note that VoIP recording can still occur at the endpoints even if SRTP or other communication encryption is in use. Multimedia collaboration is not likely to be a security improvement over the existing solution. Adding other features, such as video and whiteboard sharing, would not address the problem. Direct inward system access (DISA) is a security solution for PBX, not VoIP. Domain Message Authentication Reporting and Conformance (DMARC) is a DNS-based email authentication system, not a VoIP security solution.

  98. An organization has decided to outsource the management of its benefit plans. Management wants to minimize the administrative workload when implementing this. Which of the following solutions would meet this need?

    Use just-in-time provisioning.

    Just-in-time (JIT) provisioning will create the accounts automatically the first time the employee accesses the benefits site. The other solutions require much more administrator work. Sending a database of accounts requires administrators to export the accounts, and the other company to import them. Duplicating the accounts internally won’t grant them access to the other site. Creating a trust also won’t grant employees access to the other site.

  99. Carla’s organization recently suffered a security incident where the attackers exploited a SQL injection vulnerability. As she reviewed the situation, she determined that the organization’s incident response process was lacking maturity. What business function should she focus on under the Software Assurance Maturity Model (SAMM)?

    Operations

    Incident management, detection, and response are all security practices under the Operations business function in the Software Assurance Maturity Model.

  100. Which of the following are true? (Choose all that apply.)

    A purely quantitative analysis is not possible.

    Quantitative risk analysis assigns real dollar figures to the loss of an asset.

    Qualitative risk analysis assigns subjective and intangible values to the loss of an asset.

    Three of these statements are true. (A) A purely quantitative analysis is not possible; (C) Quantitative risk analysis assigns real dollar figures to the loss of an asset; and (D) Qualitative risk analysis assigns subjective and intangible values to the loss of an asset. The other statement is false. Its corrected version is (B) Qualitative risk analysis does not employ complex formulas and calculations. Scenario discussions and simple value assignments are used to evaluate risk, incidents, losses, and safeguards in a qualitative risk assessment.

  101. An organization provides online training to employees of multiple organizations. Employees log on normally, and they can then access the training website without logging on again. Which of the following best identifies the system the training company is using?

    Cloud-based identity management

    The training company is most likely using a cloud-based identity management system. On-premises identity management systems are used when users are from the same organization, not multiple different organizations. Hybrid solutions implement both an on-premises and a cloud-based solution, but both are not needed in this scenario. A credential management system provides storage space for credentials.

  102. In object-oriented programming, what term describes a collection of the common methods from a set of objects that defines the behavior of those objects?

    Class

    A class is a collection of the common methods from a set of objects that defines the behavior of those objects.

  103. Your organization is redesigning its IT infrastructure to increase ease of management and add new capabilities. The leadership has issued a mandate that a SAN solution is needed and that all landline-based telephone services are to be removed. The mandate also indicates that replacement solutions should integrate into the overall IT environment seamlessly. Which of the following technologies would be worth considering in this scenario? (Choose all that apply.)

    iSCSI: Internet Small Computer System Interface, an IP-based storage networking protocol developed by the Internet Engineering Task Force (IETF) to link data storage facilities.

    VoIP: Voice over Internet Protocol is a technology that allows voice and multimedia communication over the internet.

    FCoE: Fibre Channel over Ethernet (FCoE) is a storage protocol that enables Fibre Channel (FC) communications to run directly over Ethernet.

    VoIP, iSCSI, and FCoE are converged protocols, which provide SAN (storage area network) and voice communication services over the existing IP or Ethernet infrastructure. Trivial File Transfer Protocol (TFTP) is not an example of a converged protocol, nor is it relevant to this scenario.