(ISC)²

The CISSP exam is governed by the International Information Systems Security Certification Consortium (ISC)². (ISC)² is a global nonprofit organization. It has four primary mission goals:

• Maintain the Common Body of Knowledge (CBK) for the field of information systems security.
• Provide certification for information systems security professionals and practitioners.
• Conduct certification training and administer the certification exams.
• Oversee the ongoing accreditation of qualified certification candidates through continued education.

(ISC)² is operated by a board of directors elected from the ranks of its certified practitioners.

(ISC)² supports and provides a wide variety of certifications, including CISSP, CISSP-ISSAP, CISSP-ISSMP, CISSP-ISSEP, SSCP, CAP, CSSLP, HCISPP, and CCSP. These certifications are designed to verify the knowledge and skills of IT security professionals across all industries. You can obtain more information about (ISC)² and its other certifications from its website at isc2.org.

The CISSP credential is for security professionals responsible for designing and maintaining security infrastructure within an organization.

Topical Domains

The CISSP certification covers material from the eight topical domains. These eight domains are as follows:

• Domain 1: Security and Risk Management
• Domain 2: Asset Security
• Domain 3: Security Architecture and Engineering
• Domain 4: Communication and Network Security
• Domain 5: Identity and Access Management (IAM)
• Domain 6: Security Assessment and Testing
• Domain 7: Security Operations
• Domain 8: Software Development Security

These eight domains provide a vendor-independent overview of a common security framework. This framework is the basis for a discussion on security practices that can be supported in all types of organizations worldwide.

Prequalifications

(ISC)² has defined the qualification requirements you must meet to become a CISSP. First, you must be a practicing security professional with at least five years’ full-time paid work experience or with four years’ experience and a recent IT or IS degree or an approved security certification (see isc2.org for details). Professional experience is defined as security work performed for salary or commission within two or more of the eight CBK domains.

Second, you must agree to adhere to a formal code of ethics. The CISSP Code of Ethics is a set of guidelines (ISC)² wants all CISSP candidates to follow to maintain professionalism in the field of information systems security. You can find it in the Information section on the (ISC)² website at isc2.org.

(ISC)² also offers an entry program known as an Associate of (ISC)². This program allows someone without any or enough experience to qualify as a CISSP to take the CISSP exam anyway and then obtain experience afterward. Associates are granted six years to obtain five years of security experience. Only after providing proof of such experience, usually by means of endorsement and a résumé, can the individual be awarded CISSP certification.

CISSP Exam Question Types

Most of the questions on the CISSP exam are four-option, multiple-choice questions with a single correct answer. Some are straightforward, such as asking you to select a definition. Some are a bit more involved, asking you to select the appropriate concept or best practice. And some questions present you with a scenario or situation and ask you to select the best response.

You must select the one correct or best answer and mark it. In some cases, the correct answer will be obvious to you. In other cases, several answers may seem correct. In these instances, you must choose the best answer for the question asked. Watch for general, specific, universal, superset, and subset answer selections. In other cases, none of the answers will seem correct. In these instances, you'll need to select the least incorrect answer.

Some multiple-choice questions may require that you select more than one answer; if so, these will state what is necessary to provide a complete answer.

In addition to the standard multiple-choice question format, the exam may include a few advanced question formats, which (ISC)² calls advanced innovative questions. These include drag-and-drop questions and hotspot questions. These types of questions require you to place topics or concepts in order of operations, in priority preference, or in relation to proper positioning for the needed solution. Specifically, the drag-and-drop questions require the test taker to move labels or icons to mark items on an image. The hotspot questions require the test taker to pinpoint a location on an image with a crosshair marker. These question concepts are easy to work with and understand, but be careful about your accuracy when dropping or marking.

Advice on Taking the Exam

The CISSP exam consists of two key elements. First, you need to know the material from the eight domains. Second, you must have good test-taking skills. You have a maximum of 3 hours to achieve a passing standard with the potential to see up to 150 questions. Thus, you will have on average just over a minute for each question, so it is important to work quickly, without rushing, but also without wasting time.

Question skipping is no longer allowed on the CISSP exam, and you're also not allowed to jump around, so one way or another, you have to come up with your best answer on each question. We recommend that you attempt to eliminate as many answer options as possible before making a guess. Then you can make educated guesses from a reduced set of options to increase your chance of getting a question correct.

Also note that (ISC)² does not disclose if there is partial credit given for multiple-part questions if you get only some of the elements correct. So, pay attention to questions with checkboxes, and be sure to select as many items as necessary to properly address the question.

You will be provided with a dry-erase board and a marker to jot down thoughts and make notes. But nothing written on that board will be used to alter your score. That board must be returned to the test administrator prior to departing the test facility.

To maximize your test-taking activities, here are some general guidelines:

• Read each question, then read the answer options, and then reread the question.
• Eliminate wrong answers before selecting the correct one.
• Watch for double negatives.
• Be sure you understand what the question is asking.

Manage your time. You can take breaks during your test, but this will consume some of your test time. You might consider bringing a drink and snacks, but your food and drink will be stored for you away from the testing area, and that break time will count against your test time limit. Be sure to bring any medications or other essential items, but leave all things electronic at home or in your car. You should avoid wearing anything on your wrists, including watches, fitness trackers, and jewelry. You are not allowed to bring any form of noise-canceling headsets or earbuds, although you can use foam earplugs. We also recommend wearing comfortable clothes and taking a light jacket with you (some testing locations are a bit chilly).

You may want to review the (ISC)² Certification Acronym and (ISC)² CISSP Glossary documents here:

• www.isc2.org/-/media/Files/Certification-Acronym-Glossary.ashx
• www.isc2.org/Certifications/CISSP/CISSP-Student-Glossary

Finally, (ISC)² exam policies are subject to change. Please be sure to check isc2.org for the current policies before you register and take the exam.

Study and Exam Preparation Tips

We recommend planning for a month or so of nightly intensive study for the CISSP exam. Here are some suggestions to maximize your learning time; you can modify them as necessary based on your own learning habits:

• Take one or two evenings to read each chapter in this book and work through its review material.
• Answer all the review questions and take the practice exams provided in the book and/or in the online test engine. Be sure to research each question that you get wrong in order to learn what you didn't know.
• Complete the written labs from each chapter.
• Read and understand the Exam Essentials.
• Review the (ISC)²'s Exam Outline: isc2.org.
• Use the flashcards included with the study tools to reinforce your understanding of concepts.

Completing the Certification Process

Once you have been informed that you successfully passed the CISSP certification, there is one final step before you are actually awarded the CISSP certification. That final step is known as endorsement. Basically, this involves getting someone who is a CISSP, or other (ISC)² certification holder, in good standing and familiar with your work history to submit an endorsement form on your behalf. Once you pass the CISSP exam, you will receive an email with instructions. However, you can review the endorsement application process at www.isc2.org/Endorsement.

If you registered for CISSP, then you must complete endorsement within nine months of your exam. If you registered for Associate of (ISC)², then you have six years from your exam data to complete endorsement. Once (ISC)² accepts your endorsement, the certification process will be completed and you will be sent a welcome packet.

Once you have achieved your CISSP certification, you must now work toward maintaining the certification. You will need to earn 120 Continuing Professional Education (CPE) credits by your third-year anniversary. For details on earning and reporting CPEs, please consult the (ISC)² Continuing Professional Education (CPE) Handbook (www.isc2.org/-/media/ISC2/Certifications/CPE/CPE---Handbook.ashx) and the CPE Opportunities page (www.isc2.org/Membership/CPE-Opportunities). You will also be required to pay an annual maintenance fee (AMF) upon earning your certification and at each annual anniversary. For details on the AMF, please see the (ISC)² CPE Handbook and www.isc2.org/Policies-Procedures/Member-Policies.

How to Contact the Publisher

If you believe you've found a mistake in this book, please bring it to our attention. At John Wiley & Sons, we understand how important it is to provide our customers with accurate content, but even with our best efforts an error may occur.

In order to submit your possible errata, please email it to our Customer Service Team at [email protected] with the subject line “Possible Book Errata Submission.”

1. Which of the following types of access control seeks to discover evidence of unwanted, unauthorized, or illicit behavior or activity?
   1. Preventive
   2. Deterrent
   3. Detective
   4. Corrective
2. Define and detail the aspects of password selection that distinguish good password choices from ultimately poor password choices.
   1. Is difficult to guess or unpredictable
   2. Meets minimum length requirements
   3. Meets specific complexity requirements
   4. All of the above
3. Some adversaries use DoS attacks as their primary weapon to harm targets, whereas others may use them as weapons of last resort when all other attempts to intrude on a target fail. Which of the following is most likely to detect DoS attacks?
   1. Host-based IDS
   2. Network-based IDS
   3. Vulnerability scanner
   4. Penetration testing
4. Unfortunately, attackers have many options of attacks to perform against their targets. Which of the following is considered a denial-of-service (DoS) attack?
   1. Pretending to be a technical manager over the phone and asking a receptionist to change their password
   2. While surfing the web, sending to a web server a malformed URL that causes the system to consume 100 percent of the CPU
   3. Intercepting network traffic by copying the packets as they pass through a specific subnet
   4. Sending message packets to a recipient who did not request them, simply to be annoying
5. Hardware networking devices operate within the protocol stack just like protocols themselves. Thus, hardware networking devices can be associated with an OSI model layer related to the protocols they manage or control. At which layer of the OSI model does a router operate?
   1. Network layer
   2. Layer 1
   3. Transport layer
   4. Layer 5
6. Which type of firewall automatically adjusts its filtering rules based on the content and context of the traffic of existing sessions?
   1. Static packet filtering
   2. Application-level gateway
   3. Circuit-level gateway
   4. Stateful inspection firewall
7. A VPN can be a significant security improvement for many communication links. A VPN can be established over which of the following?
   1. Wireless LAN connection
   2. Remote access dial-up connection
   3. WAN link
   4. All of the above
8. Adversaries will use any and all means to harm their targets. This includes mixing attack concepts together to make a more effective campaign. What type of malware uses social engineering to trick a victim into installing it?
   1. Virus
   2. Worm
   3. Trojan horse
   4. Logic bomb
9. Security is established by understanding the assets of an organization that need protection and understanding the threats that could cause harm to those assets. Then, controls are selected that provide protection for the CIA Triad of the assets at risk. The CIA Triad consists of what elements?
   1. Contiguousness, interoperable, arranged
   2. Authentication, authorization, accountability
   3. Capable, available, integral
   4. Availability, confidentiality, integrity
10. The security concept of AAA services describes the elements that are necessary to establish subject accountability. Which of the following is not a required component in the support of accountability?
    1. Logging
    2. Privacy
    3. Identification verification
    4. Authorization
11. Collusion is when two or more people work together to commit a crime or violate a company policy. Which of the following is not a defense against collusion?
    1. Separation of duties
    2. Restricted job responsibilities
    3. Group user accounts
    4. Job rotation
12. A data custodian is responsible for securing resources after ______________ has assigned the resource a security label.
    1. Senior management
    2. The data owner
    3. An auditor
    4. Security staff
13. In what phase of the Capability Maturity Model for Software (SW-CMM) are quantitative measures used to gain a detailed understanding of the software development process?
    1. Repeatable
    2. Defined
    3. Managed
    4. Optimizing
14. Which one of the following is a layer of the ring protection scheme design concept that is not normally implemented?
    1. Layer 0
    2. Layer 1
    3. Layer 3
    4. Layer 4
15. TCP operates at the Transport layer and is a connection-oriented protocol. It uses a special process to establish a session each time a communication takes place. What is the last phase of the TCP three-way handshake sequence?
    1. SYN flagged packet
    2. ACK flagged packet
    3. FIN flagged packet
    4. SYN/ACK flagged packet
16. The lack of secure coding practices has enabled an uncountable number of software vulnerabilities that hackers have discovered and exploited. Which one of the following vulnerabilities would be best countered by adequate parameter checking?
    1. Time-of-check to time-of-use
    2. Buffer overflow
    3. SYN flood
    4. Distributed denial of service (DDoS)
17. Computers are based on binary mathematics. All computer functions are derived from the basic set of Boolean operations. What is the value of the logical operation shown here?

    X: 0 1 1 0 1 0
    

    Y: 0 0 1 1 0 1
    

    ___________________
    

    X Å Y: ?
    

    1. 0 1 0 1 1 1
    2. 0 0 1 0 0 0
    3. 0 1 1 1 1 1
    4. 1 0 0 1 0 1
18. Which of the following are considered standard data type classifications used in either a government/military or a private sector organization? (Choose all that apply.)
    1. Public
    2. Healthy
    3. Private
    4. Internal
    5. Sensitive
    6. Proprietary
    7. Essential
    8. Certified
    9. Critical
    10. Confidential
    11. For Your Eyes Only
19. The General Data Protection Regulation (GDPR) has defined several roles in relation to the protection and management of personally identifiable information (PII). Which of the following statements is true?
    1. A data processor is the entity assigned specific responsibility for a data asset in order to ensure its protection for use by the organization.
    2. A data custodian is the entity that performs operations on data.
    3. A data controller is the entity that makes decisions about the data they are collecting.
    4. A data owner is the entity assigned or delegated the day-to-day responsibility of proper storage and transport as well as protecting data, assets, and other organizational objects.
20. If Renee receives a digitally signed message from Mike, what key does she use to verify that the message truly came from Mike?
    1. Renee's public key
    2. Renee's private key
    3. Mike's public key
    4. Mike's private key
21. A systems administrator is setting up a new data management system. It will be gathering data from numerous locations across the network, even from remote offsite locations. The data will be moved to a centralized facility, where it will be stored on a massive RAID array. The data will be encrypted on the storage system using AES-256, and most files will be signed as well. The location of this data warehouse is secured so that only authorized personnel can enter the room and all digital access is limited to a set of security administrators. Which of the following describes the data?
    1. The data is encrypted in transit.
    2. The data is encrypted in processing.
    3. The data is redundantly stored.
    4. The data is encrypted at rest.
22. The __________ is the entity assigned specific responsibility for a data asset in order to ensure its protection for use by the organization.
    1. Data owner
    2. Data controller
    3. Data processor
    4. Data custodian
23. A security auditor is seeking evidence of how sensitive documents made their way out of the organization and onto a public document distribution site. It is suspected that an insider exfiltrated the data over a network connection to an external server, but this is only a guess. Which of the following would be useful in determining whether this suspicion is accurate? (Choose two.)
    1. NAC
    2. DLP alerts
    3. Syslog
    4. Log analysis
    5. Malware scanner reports
    6. Integrity monitoring
24. A new Wireless Application Protocol (WAP) is being installed to add wireless connectivity to the company network. The configuration policy indicates that WPA3 is to be used and thus only newer or updated endpoint devices can connect. The policy also states that ENT authentication will not be implemented. What authentication mechanism can be implemented in this situation?
    1. IEEE 802.1X
    2. IEEE 802.1q
    3. Simultaneous authentication of equals (SAE)
    4. EAP-FAST
25. When securing a mobile device, what types of authentication can be used that depend on the user's physical attributes? (Choose all that apply.)
    1. Fingerprint
    2. TOTP (time-based one-time password)
    3. Voice
    4. SMS (short message service)
    5. Retina
    6. Gait
    7. Phone call
    8. Facial recognition
    9. Smartcard
    10. Password
26. A recently acquired piece of equipment is not working properly. Your organization does not have a trained repair technician on staff, so you have to bring in an outside expert. What type of account should be issued to a trusted third-party repair technician?
    1. Guest account
    2. Privileged account
    3. Service account
    4. User account
27. Security should be designed and integrated into the organization as a means to support and maintain the business objectives. However, the only way to know if the implemented security is sufficient is to test it. Which of the following is a procedure designed to test and perhaps bypass a system's security controls?
    1. Logging usage data
    2. War dialing
    3. Penetration testing
    4. Deploying secured desktop workstations
28. Security needs to be designed to support the business objectives, but it also needs to be legally defensible. To defend the security of an organization, a log of events and activities must be created. Auditing is a required factor to sustain and enforce what?
    1. Accountability
    2. Confidentiality
    3. Accessibility
    4. Redundancy
29. Risk assessment is a process by which the assets, threats, probabilities, and likelihoods are evaluated in order to establish criticality prioritization. What is the formula used to compute the ALE?
    1. ALE = AV * EF * ARO
    2. ALE = ARO * EF
    3. ALE = AV * ARO
    4. ALE = EF * ARO
30. Incident response plans, business continuity plans, and disaster recovery plans are crafted when implementing business-level redundancy. These plans are derived from the information obtained when performing a business impact assessment (BIA). What is the first step of the BIA process?
    1. Identification of priorities
    2. Likelihood assessment
    3. Risk identification
    4. Resource prioritization
31. Many events can threaten the operation, existence, and stability of an organization. Some of those threats are human caused, whereas others are from natural events. Which of the following represent natural events that can pose a threat or risk to an organization?
    1. Earthquake
    2. Flood
    3. Tornado
    4. All of the above
32. What kind of recovery facility enables an organization to resume operations as quickly as possible, if not immediately, upon failure of the primary facility?
    1. Hot site
    2. Warm site
    3. Cold site
    4. All of the above
33. During an account review, an auditor provided the following report:

    User	Last Login Length	Lass Password Change
    Bob	4 hours	87 days
    Sue	3 hours	38 days
    John	1 hour	935 days
    Kesha	3 hours	49 days

    The security manager reviews the account policies of the organization and takes note of the following requirements:

    • • Passwords must be at least 12 characters long.
      • Passwords must include at least one example of three different character types.
      • Passwords must be changed every 180 days.
      • Passwords cannot be reused.

    Which of the following security controls should be corrected to enforce the password policy?

    1. Minimum password length
    2. Account lockout
    3. Password history and minimum age
    4. Password maximum age
34. Any evidence to be used in a court proceeding must abide by the Rules of Evidence to be admissible. What type of evidence refers to written documents that are brought into court to prove a fact?
    1. Best evidence
    2. Parol evidence
    3. Documentary evidence
    4. Testimonial evidence
35. DevOps manager John is concerned with the CEO's plan to minimize his department and outsource code development to a foreign programming group. John has a meeting scheduled with the board of directors to encourage them to retain code development in house due to several concerns. Which of the following should John include in his presentation? (Choose all that apply.)
    1. Code from third parties will need to be manually reviewed for function and security.
    2. If the third party goes out of business, existing code may need to be abandoned.
    3. Third-party code development is always more expensive.
    4. A software escrow agreement should be established.
36. When TLS is being used to secure web communications, what URL prefix appears in the web browser address bar to signal this fact?
    1. SHTTP://
    2. TLS://
    3. FTPS://
    4. HTTPS://
37. A new update has been released by the vendor of an important software product that is an essential element of a critical business task. The chief security officer (CSO) indicates that the new software version needs to be tested and evaluated in a virtual lab, which has a cloned simulation of many of the company's production systems. Furthermore, the results of this evaluation must be reviewed before a decision is made as to whether the software update should be installed and, if so, when to install it. What security principle is the CSO demonstrating?
    1. Business continuity planning (BCP)
    2. Onboarding
    3. Change management
    4. Static analysis
38. What type of token device produces new time-derived passwords on a specific time interval that can be used only a single time when attempting to authenticate?
    1. HOTP
    2. HMAC
    3. SAML
    4. TOTP
39. Your organization is moving a significant portion of their data processing from an on-premises solution to the cloud. When evaluating a cloud service provider (CSP), which of the following is the most important security concern?
    1. Data retention policy
    2. Number of customers
    3. Hardware used to support VMs
    4. Whether they offer MaaS, IDaaS, and SaaS
40. Most software vulnerabilities exist because of a lack of secure or defensive coding practices used by the developers. Which of the following is not considered a secure coding technique? (Choose all that apply.)
    1. Using immutable systems
    2. Using stored procedures
    3. Using code signing
    4. Using server-side validation
    5. Optimizing file sizes
    6. Using third-party software libraries

1. C. Detective access controls are used to discover (and document) unwanted or unauthorized activity. Preventive access controls block the ability to perform unwanted activity. Deterrent access controls attempt to persuade the perpetrator not to perform unwanted activity. Corrective access controls restore a system to normal function in the event of a failure or system interruption.
2. D. Strong password choices are difficult to guess, unpredictable, and of specified minimum lengths to ensure that password entries cannot be computationally determined. They may be randomly generated and use all the alphabetic, numeric, and punctuation characters; they should never be written down or shared; they should not be stored in publicly accessible or generally readable locations; and they shouldn't be transmitted in the clear.
3. B. Network-based IDSs are usually able to detect the initiation of an attack or the ongoing attempts to perpetrate an attack (including denial of service, or DoS). They are, however, unable to provide information about whether an attack was successful or which specific systems, user accounts, files, or applications were affected. Host-based IDSs have some difficulty with detecting and tracking down DoS attacks. Vulnerability scanners don't detect DoS attacks; they test for possible vulnerabilities. Penetration testing may cause a DoS or test for DoS vulnerabilities, but it is not a detection tool.
4. B. Not all instances of DoS are the result of a malicious attack. Errors in coding OSs, services, and applications have resulted in DoS conditions. Some examples of this include a process failing to release control of the CPU or a service consuming system resources out of proportion to the service requests it is handling. Social engineering (i.e., pretending to be a technical manager) and sniffing (i.e., intercepting network traffic) are typically not considered DoS attacks. Sending message packets to a recipient who did not request them simply to be annoying may be a type of social engineering and it is definitely spam, but unless the volume of the messages is significant, it does not warrant the label of DoS.
5. A. Network hardware devices, including routers, function at layer 3, the Network layer. Layer 1, the Physical layer, is where repeaters and hubs operate, not routers. The Transport layer, layer 4, is where circuit level firewalls and proxies operate, not routers. Layer 5, the Session layer, does not actually exist in a modern TCP/IP network, and thus no hardware directly operates at this layer, but its functions are performed by TCP in the Transport layer, layer 4, when sessions are in use.
6. D. Stateful inspection firewalls (aka dynamic packet-filtering firewall) enable the real-time modification of the filtering rules based on traffic content and context. The other firewalls listed as options—static packet filtering, application level, and circuit level—are all stateless and thus do not consider the context when applying filtering rules.
7. D. A virtual private network (VPN) link can be established over any network communication connection. This could be a typical LAN cable connection, a wireless LAN connection, a remote access dial-up connection, a WAN link, or even an internet connection used by a client for access to the office LAN.
8. C. A Trojan horse is a form of malware that uses social engineering tactics to trick a victim into installing it—the trick is to make the victim believe that the only thing they have downloaded or obtained is the host file, when in fact it has a malicious hidden payload. Viruses and logic bombs do not typically use social engineering as an element in their means of infecting a system. A worm sometimes is designed to take advantage of social engineering, such as when the worm is an executable email attachment and the message tricks the victim into opening it. However, not all worms are designed this way—this is a core design concept of a Trojan horse.
9. D. The components of the CIA Triad are confidentiality, availability, and integrity. The other options are not the terms that define the CIA Triad, although they are security concepts that need to be evaluated when establishing a security infrastructure.
10. B. Privacy is not necessary to provide accountability. The required elements of accountability, as defined in AAA services, are as follows: identification (which is sometimes considered an element of authentication, a silent first step of AAA services, or represented by IAAA), authentication (i.e., identification verification), authorization (i.e., access control), auditing (i.e., logging and monitoring), and accounting.
11. C. Group user accounts allow for multiple people to log in under a single user account. This allows collusion because it prevents individual accountability. Separation of duties, restricted job responsibilities, and job rotation help establish individual accountability and control access (especially to privileged capabilities), which in turn limits or restricts collusion.
12. B. The data owner must first assign a security label to a resource before the data custodian can secure the resource appropriately. Senior management is ultimately responsible for the success or failure of a security endeavor. An auditor is responsible for reviewing and verifying that the security policy is properly implemented, that the derived security solutions are adequate, and that user events are in compliance with security policy. The security staff is responsible for designing, implementing, and managing the security infrastructure once approved by senior management.
13. C. The Managed phase (level 4) of the SW-CMM involves the use of quantitative development metrics. The Software Engineering Institute (SEI) defines the key process areas for this level as Quantitative Process Management and Software Quality Management. The Repeatable phase (level 2) is where basic lifecycle processes are introduced. The Defined phase (level 3) is where developers operate according to a set of formal, documented development processes. The Optimizing phase (level 5) is where a process of continuous improvement is achieved.
14. B. Layers 1 and 2 contain device drivers but are not normally implemented in practice, since they are often collapsed into layer 0. Layer 0 always contains the security kernel. Layer 3 contains user applications. Layer 4 does not exist in the design concept, but it may exist in customized implementations.
15. B. The SYN flagged packet is first sent from the initiating host to the destination host. The destination host then responds with a SYN/ACK flagged packet. The initiating host sends an ACK flagged packet, and the connection is then established. The FIN flagged packet is not used in the TCP three-way handshake to establish a session; it is used in the session teardown process.
16. B. Parameter checking (i.e., confirming input is within reasonable boundaries) is used to prevent the possibility of buffer overflow attacks. Time-of-check to time-of-use (TOCTTOU) attacks are not directly addressed by parameter checking or input filtering; defensive coding practices are needed to eliminate or reduce this issue. SYN flood attacks are a type of DoS, which is not fully protected against with just improved coding practices. A DDoS is also not prohibited by just improved coding practices such as parameter checking. For any type of DoS, adequate filtering and processing capacity are the most effective security responses.
17. A. The ⊕ symbol represents the XOR function and returns a true value when only one of the input values is true. If both values are false or both values are true, the output of the XOR function is false. Option B is the result if these two values were combined using the AND (the ∧ symbol) function, which returns a value of true if the two values are both true. Option C is the result if these two values were combined using the OR (the ∨ symbol) function, which returns a value of true if either input values is true. Option D is the result if only the X value was subjected to the NOR (the ~ symbol) function, which reverses the value of an input.
18. A, C, E, F, I, J. There are six standard data type classifications used in either a government/military or a private sector organization in this list of options: public, private, sensitive, proprietary, critical, and confidential. The other options (healthy, internal, essential, certified, and for your eyes only) are incorrect since they are not typical or standard classifications.
19. C. The correct statement is regarding the data controller. The other statements are incorrect. The correct versions of those statements are as follows. A data owner is the entity assigned specific responsibility for a data asset in order to ensure its protection for use by the organization. A data processor is the entity that performs operations on data. A data custodian is the entity assigned or delegated the day-to-day responsibility for proper storage and transport as well as protecting data, assets, and other organizational objects.
20. C. Any recipient can use Mike's public key to verify the authenticity of the digital signature. Renee's (the recipient) public key is not used in this scenario. However, it could be used to create a digital envelope to protect a symmetric session encryption key sent from Mike to Renee. Renee's (the recipient) private key is not used in this scenario. However, it could be used if Renee becomes a sender to send Mike a digitally signed message. Mike's (the sender) private key was used to encrypt the hash of the data to be sent to Renee, and this is what creates the digital signature.
21. D. In this scenario, the data is encrypted at rest with AES-256. There is no mention of encryption for transfer or processing. The data is not stored redundantly, since it is being moved, not copied, to the central data warehouse, and there is no mention of a backup.
22. A. The data owner is the person(s) (or entity) assigned specific responsibility for a data asset in order to ensure its protection for use by the organization. The data controller is the entity that makes decisions about the data they are collecting. A data processor is the entity that performs operations on data on behalf of a data controller. A data custodian or steward is a subject who has been assigned or delegated the day-to-day responsibility for proper storage and transport as well as protecting data, assets, and other organizational objects.
23. B, D. In this scenario, the data loss prevention (DLP) alerts and log analysis are the only options that would potentially include useful information in regard to an insider exfiltrating the sensitive documents. The other options are incorrect because they do not provide relevant information. Network access control (NAC) is a security mechanism to prevent rogue devices and ensure authorized systems meet minimum security configuration requirements. Syslog is a logging service used to maintain centralized real-time copies of active log files. Malware scanner reports are not relevant here since there is no suspicious or malicious code being used but only access abuses and unauthorized file distribution. Integrity monitoring is also not relevant to this situation, since there is no indication that the documents were altered, just that they were released to the public.
24. C. WPA3 supports ENT (Enterprise Wi-Fi authentication, aka IEEE 802.1X) and SAE authentication. Simultaneous authentication of equals (SAE) still uses a password, but it no longer encrypts and sends that password across the connection to perform authentication. Instead, SAE performs a zero-knowledge proof process known as Dragonfly Key Exchange, which is itself a derivative of Diffie–Hellman. IEEE 802.1X defines port-based network access control that ensures that clients can't communicate with a resource until proper authentication has taken place. It's based on Extensible Authentication Protocol (EAP) from Point-to-Point Protocol (PPP). However, this is the technology behind the label of ENT; thus, it is not an option in this scenario. IEEE 802.1q defines the use of virtual local area network (VLAN) tags and thus is not relevant to Wi-Fi authentication. Flexible Authentication via Secure Tunneling (EAP-FAST) is a Cisco protocol proposed to replace Lightweight Extensible Authentication Protocol (LEAP), which is now obsolete, thanks to the development of WPA2, and is not supported in WPA3 either.
25. A, C, E, H. Biometrics are authentication factors that are based on a user's physical attributes; they include fingerprints, voice, retina, and facial recognition. Gait is a form of biometrics, but it is not appropriate for use as authentication on a mobile device; it is used from a stationary position to monitor people walking toward or past a security point. The other options are valid authentication factors, but they are not biometrics.
26. B. A repair technician typically requires more than a normal level of access to perform their duties, so a privileged account for even a trusted third-party technician is appropriate. A guest account or user (normal, limited) account is insufficient for this scenario. A service account is to be used by an application or background service, not a repair technician or other user.
27. C. Penetration testing is the attempt to bypass security controls to test overall system security. Logging usage data is a type of auditing and is useful in the authentication, authorization, accounting (AAA) service process in order to hold subjects accountable for their actions. However, it is not a means to test security. War dialing is an attempt to locate modems and fax machines by dialing phone numbers. This process is sometimes still used by penetration testers and adversaries to find targets to attack, but it is not an actual attack or stress test itself. Deploying secured desktop workstations is a security response to the results of a penetration test, not a security testing method.
28. A. Auditing is a required factor to sustain and enforce accountability. Auditing is one of the elements of the AAA services concept of identification, authentication, authorizations, auditing, and accounting (or accountability). Confidentiality is a core security element of the CIA Triad, but it is not dependent on auditing. Accessibility is the assurance that locations and systems are able to be used by the widest range of people/users possible. Redundancy is the implementation of alternatives, backup options, and recovery measures and methods to avoid single points of failure to ensure that downtime is minimized while maintaining availability.
29. A. The annualized loss expectancy (ALE) is computed as the product of the asset value (AV) times the exposure factor (EF) times the annualized rate of occurrence (ARO). This is the longer form of the formula ALE = SLE * ARO, since SLE = AV * EF. The other formulas displayed here do not accurately reflect this calculation, since they are not valid or typical risk formulas.
30. A. Identification of priorities is the first step of the business impact assessment process. Likelihood assessment is the third step or phase of BIA. Risk identification is the second step of BIA. Resource prioritization is the last step of BIA.
31. D. Natural events that can threaten organizations include earthquakes, floods, hurricanes, tornadoes, wildfires, and other acts of nature. Thus options A, B, and C are correct because they are natural and not human caused.
32. A. Hot sites provide backup facilities maintained in constant working order and fully capable of taking over business operations. Warm sites consist of preconfigured hardware and software to run the business, neither of which possesses the vital business information. Cold sites are simply facilities designed with power and environmental support systems but no configured hardware, software, or services. Disaster recovery services can facilitate and implement any of these sites on behalf of a company.
33. D. The issue revealed by the audit report is that one account has a password that is older than the requirements allow for; thus, correcting the password maximum age security setting should resolve this. There is no information in regard to password length, lockout, or password reuse in the audit report, so these options are not of concern in this situation.
34. C. Written documents brought into court to prove the facts of a case are referred to as documentary evidence. Best evidence is a form of documentary evidence, but specifically it is the original document rather than a copy or description. Parol evidence is based on a rule stating that when an agreement between parties is put into written form, the written document is assumed to contain all the terms of the agreement and no verbal agreements may modify the written agreement. Testimonial evidence consists of the testimony of a witness's experience, either verbal testimony in court or written testimony in a recorded deposition.
35. A, B. If your organization depends on custom-developed software or software products produced through outsourced code development, then the risks of that arrangement need to be evaluated and mitigated. First, the quality and security of the code needs to be assessed. Second, if the third-party development group goes out of business, can you continue to operate with the code as is? You may need to abandon the existing code to switch to a new development group. It is not true that third-party code development is always more expensive; it is often less expensive. A software escrow agreement (SEA) is not an issue that John would want to bring up as a reason to keep development in house, since a SEA is a means to reduce the risk of a third-party developer group ceasing to exist.
36. D. HTTPS:// is the correct prefix for the use of HTTP (Hypertext Transfer Protocol) over TLS (Transport Layer Security). This was the same prefix when SSL (Secure Sockets Layer) was used to encrypt HTTP, but SSL has been deprecated. SHTTP:// is for Secure HTTP, which was SSH but SHTTP is also deprecated. TLS:// is an invalid prefix. FTPS:// is a valid prefix that can be used in some web browsers, and it uses TLS to encrypt the connection, but it is for securing FTP file exchange rather than web communications.
37. C. The CSO in this scenario is demonstrating the need to follow the security principle of change management. Change management usually involves extensive planning, testing, logging, auditing, and monitoring of activities related to security controls and mechanisms. This scenario is not describing a BCP event. A BCP event would involve the evaluation of threats to business processes and then the creation of response scenarios to address those issues. This scenario is not describing onboarding. Onboarding is the process of integrating a new element (such as an employee or device) into an existing system of security infrastructure. Although loosely similar to change management, onboarding focuses more on ensuring compliance with existing security policies by the new member, rather than testing updates for an existing member. Static analysis is used to evaluate source code as a part of a secure development environment. Static analysis may be used as an evaluation tool in change management, but it is a tool, not the principle of security referenced in this scenario.
38. D. The two main types of token devices are TOTP and HOTP. Time-based one-time password (TOTP) tokens or synchronous dynamic password tokens are devices or applications that generate passwords at fixed time intervals, such as every 60 seconds. Thus, TOTP produces new time-derived passwords on a specific time interval that can be used only a single time when attempting to authenticate. HMAC-based one-time password (HOTP) tokens or asynchronous dynamic password tokens are devices or applications that generate passwords not based on fixed time intervals but instead based on a nonrepeating one-way function, such as a hash or hash message authentication code (HMAC—a type of hash that uses a symmetric key in the hashing process) operation. HMAC is a hashing function, not a means to authenticate. Security Assertions Markup Language (SAML) is used to create authentication federation (i.e. sharing) links; it is not itself a means to authenticate.
39. A.. The most important security concern from this list of options in relation to a CSP is the data retention policy. The data retention policy defines what information or data is being collected by the CSP, how long it will be kept, how it is destroyed, why it is kept, and who can access it. The number of customers and what hardware is used are not significant security concerns in comparison to data retention. Whether the CSP offers MaaS, IDaaS, and SaaS is not as important as data retention, especially if these are not services your organization needs or wants. One of the keys to answering this question is to consider the range of CSP options, including software as a service (SaaS), platform as a service (PaaS), and infrastructure as a service (IaaS), and the type of organizations that are technically CSP SaaS but that we don't often think of as such (examples include Facebook, Google, and Amazon). These organizations absolutely have access to customer/user data, and thus, their data retention policies are of utmost concern (at least compared to the other options provided).
40. AB, C, D. Programmers need to adopt secure coding practices, which include using stored procedures, code signing, and server-side validation. A stored procedure is a subroutine or software module that can be called on or accessed by applications interacting with a relational database management system (RDBMS). Code signing is the activity of crafting a digital signature of a software program in order to confirm that it was not changed and who it is from. Server-side data validation is suited for protecting a system against input submitted by a malicious user. Using immutable systems is not a secure coding technique; instead, an immutable system is a server or software product that, once configured and deployed, is never altered in place. File size optimization may be efficient but is not necessarily a secure coding technique. Using third-party software libraries may reduce workload to minimize the amount of new code to author, but third-party software libraries are a risk because they can introduce vulnerabilities, especially when closed source libraries are used. Thus, use of third-party software libraries is not a secure coding technique unless the security posture of the externally sourced code is verified, which was not mentioned as an answer option.