Lisa is attempting to prevent her network from being targeted by IP spoofing attacks as well as preventing her network from being the source of those attacks. Which of the following rules are best practices that Lisa should configure at her network border? (Select all that apply.)
Block packets with internal source addresses from entering the network.
Block packets with external source addresses from leaving the network.
Block packets with public IP addresses from entering the network.
Block packets with private IP addresses from exiting the network.
Ed has been tasked with identifying a service that will provide a low-latency, high-performance, and high-availability way to host content for his employer. What type of solution should he seek out to ensure that his employer's customers around the world can access their content quickly, easily, and reliably?
A hot site
A CDN
Redundant servers
A P2P CDN
Fran is building a forensic analysis workstation and is selecting a forensic disk controller to include in the setup. Which of the following are functions of a forensic disk controller? (Select all that apply.)
Preventing the modification of data on a storage device
Returning data requested from the device
Reporting errors sent by the device to the forensic host
Blocking read commands sent to the device
Mike is building a fault-tolerant server and wants to implement RAID 1. How many physical disks are required to build this solution?
1
2
3
5
Darren is troubleshooting an authentication issue for a Kerberized application used by his organization. He believes the issue is with the generation of session keys. What Kerberos service should he investigate first?
KDC
TGT
AS
TGS
Evelyn believes that one of her organization's vendors has breached a contractual obligation to protect sensitive data and would like to conduct an investigation into the circumstances. Based upon the results of the investigation, it is likely that Evelyn's organization will sue the vendor for breach of contract. What term best describes the type of investigation that Evelyn is conducting?
Administrative investigation
Criminal investigation
Civil investigation
Regulatory investigation
Ivan is installing a motion detector to protect a sensitive work area that uses high-frequency microwave signal transmissions to identify potential intruders. What type of detector is he installing?
Infrared
Heat-based
Wave pattern
Capacitance
Susan sets up a firewall that keeps track of the status of the communication between two systems and allows a remote system to respond to a local system only after the local system starts communication. What type of firewall is Susan using?
A static packet filtering firewall
An application-level gateway firewall
A stateful packet inspection firewall
A circuit-level gateway firewall
For questions 9–11, please refer to the following scenario:
Ben owns a coffeehouse and wants to provide wireless internet service for his customers. Ben's network is simple and uses a single consumer-grade wireless router and a cable modem connected via a commercial cable data contract.
How can Ben provide access control for his customers without having to provision user IDs before they connect while also gathering useful contact information for his business purposes?
WPA2 PSK
A captive portal
Require customers to use a publicly posted password like “BensCoffee”
WPA3 SAE
Ben intends to run an open (unencrypted) wireless network. How should he connect his business devices?
Run WPA3 on the same SSID.
Set up a separate SSID using WPA3.
Run the open network in Enterprise mode.
Set up a separate wireless network using WEP.
After implementing the solution from the first question, Ben receives a complaint about users in his cafe hijacking other customers' web traffic, including using their usernames and passwords. How is this possible?
The password is shared by all users, making traffic vulnerable.
A malicious user has installed a Trojan on the router.
A user has ARP spoofed the router, making all traffic broadcast to all users.
Open networks are unencrypted, making traffic easily sniffable.
Kevin is reviewing and updating the security documentation used by his organization. He would like to document some best practices for securing IoT devices that his team has developed over the past year. The practices are generalized in nature and do not cover specific devices. What type of document would be best for this purpose?
Policy
Standard
Guideline
Procedure
Tom is tuning his security monitoring tools in an attempt to reduce the number of alerts received by administrators without missing important security events. He decides to configure the system to only report failed login attempts if there are five failed attempts to access the same account within a one-hour period of time. What term best describes the technique that Tom is using?
Thresholding
Sampling
Account lockout
Clipping
Sally has been tasked with deploying an authentication, authorization, and accounting server for wireless network services in her organization and needs to avoid using proprietary technology. What technology should she select?
OAuth
RADIUS
XTACACS
TACACS+
An accounting clerk for Christopher's Cheesecakes does not have access to the salary information for individual employees but wanted to know the salary of a new hire. He pulled total payroll expenses for the pay period before the new person was hired and then pulled the same expenses for the following pay period. He computed the difference between those two amounts to determine the individual's salary. What type of attack occurred?
Salami slicing
Data diddling
Inference
Social engineering
Alice would like to have read permissions on an object and knows that Bob already has those rights and would like to give them to herself. Which one of the rules in the Take-Grant protection model would allow her to complete this operation if the relationship exists between Alice and Bob?
Take rule
Grant rule
Create rule
Remote rule
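Added example, not part of the original question set: a small implementation of the Take-Grant rules so the difference between Alice taking the right and Bob granting it is visible. The names Alice, Bob and the read right follow the question; the object name "doc", the graph representation and the method names are this example's own.

```python
"""Take-Grant protection model rules for Alice's question.

Added example. The subject/object names (Alice, Bob, doc) follow the question;
the graph representation and method names are this example's own.
"""
from typing import Dict, Set, Tuple

Edge = Tuple[str, str]


class TakeGrantGraph:
    """Directed graph whose edges are labelled with rights. 't' and 'g' are the
    take and grant rights; 'r' and 'w' stand for ordinary access rights."""

    def __init__(self) -> None:
        self.rights: Dict[Edge, Set[str]] = {}
        self.nodes: Set[str] = set()

    def add(self, src: str, dst: str, rights: Set[str]) -> None:
        self.nodes.update((src, dst))
        self.rights.setdefault((src, dst), set()).update(rights)

    def has(self, src: str, dst: str, right: str) -> bool:
        return right in self.rights.get((src, dst), set())

    def take(self, s: str, x: str, y: str, rights: Set[str]) -> bool:
        """Take rule: if s has 't' on x and x has `rights` on y, s may copy those
        rights onto its own edge to y."""
        if not self.has(s, x, "t"):
            return False
        if not set(rights) <= self.rights.get((x, y), set()):
            return False
        self.add(s, y, rights)
        return True

    def grant(self, s: str, x: str, y: str, rights: Set[str]) -> bool:
        """Grant rule: if s has 'g' on x and s has `rights` on y, s may give x
        those rights on y."""
        if not self.has(s, x, "g"):
            return False
        if not set(rights) <= self.rights.get((s, y), set()):
            return False
        self.add(x, y, rights)
        return True

    def create(self, s: str, y: str, rights: Set[str]) -> bool:
        """Create rule: s makes a new node y and holds `rights` on it."""
        if y in self.nodes:
            return False
        self.add(s, y, rights)
        return True

    def remove(self, s: str, y: str, rights: Set[str]) -> bool:
        """Remove rule: s gives up rights it holds on y."""
        if (s, y) not in self.rights:
            return False
        self.rights[(s, y)] -= set(rights)
        return True


def alice_reads_via_take() -> bool:
    """Alice holds 't' on Bob; Bob holds 'r' on doc. Alice takes 'r' herself."""
    g = TakeGrantGraph()
    g.add("Bob", "doc", {"r"})
    g.add("Alice", "Bob", {"t"})
    return g.take("Alice", "Bob", "doc", {"r"}) and g.has("Alice", "doc", "r")


def alice_reads_via_grant() -> bool:
    """The other direction: Bob holds 'g' on Alice and must act for her."""
    g = TakeGrantGraph()
    g.add("Bob", "doc", {"r"})
    g.add("Bob", "Alice", {"g"})
    return g.grant("Bob", "Alice", "doc", {"r"}) and g.has("Alice", "doc", "r")


def alice_with_no_edge() -> bool:
    """No take edge from Alice to Bob: the take rule does not apply."""
    g = TakeGrantGraph()
    g.add("Bob", "doc", {"r"})
    return g.take("Alice", "Bob", "doc", {"r"})
```

The point the question turns on is who acts: under the take rule Alice gives herself the right using her own edge to Bob, under the grant rule Bob must hold the grant right on Alice and do it for her. Without either edge the model offers no path, which is what alice_with_no_edge shows.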
During a log review, Danielle discovers a series of logs that show login failures:
Jan 31 11:39:12 ip-10-0-0-2 sshd[29092]: Invalid user admin from remotehost passwd=aaaaaaaa
Jan 31 11:39:20 ip-10-0-0-2 sshd[29098]: Invalid user admin from remotehost passwd=aaaaaaab
Jan 31 11:39:23 ip-10-0-0-2 sshd[29100]: Invalid user admin from remotehost passwd=aaaaaaac
Jan 31 11:39:31 ip-10-0-0-2 sshd[29106]: Invalid user admin from remotehost passwd=aaaaaaad
Jan 31 20:40:53 ip-10-0-0-254 sshd[30520]: Invalid user admin from remotehost passwd=aaaaaaae
What type of attack has Danielle discovered?
A pass-the-hash attack
A brute-force attack
A man-in-the-middle attack
A dictionary attack
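Added example, not part of the original question set, serving both Tom's thresholding question and Danielle's log review: a parser for the sshd failure lines above, a sliding-window threshold (five failures against one account within an hour), and a heuristic that tells an exhaustive keyspace walk from a word list by checking whether each guess is the successor of the previous one. The log text is copied from the question as constructed input; the passwd= field is part of the exam scenario, not something real sshd writes. Function names and the one-hour/five-attempt defaults are this example's own choices.

```python
"""Thresholding (Tom's question) applied to the sshd failures in Danielle's log.

Added example. LOG is a constructed copy of the lines from the question; the
passwd= field is part of the exam scenario and is not something real sshd logs.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

LOG = """\
Jan 31 11:39:12 ip-10-0-0-2 sshd[29092]: Invalid user admin from remotehost passwd=aaaaaaaa
Jan 31 11:39:20 ip-10-0-0-2 sshd[29098]: Invalid user admin from remotehost passwd=aaaaaaab
Jan 31 11:39:23 ip-10-0-0-2 sshd[29100]: Invalid user admin from remotehost passwd=aaaaaaac
Jan 31 11:39:31 ip-10-0-0-2 sshd[29106]: Invalid user admin from remotehost passwd=aaaaaaad
Jan 31 20:40:53 ip-10-0-0-254 sshd[30520]: Invalid user admin from remotehost passwd=aaaaaaae
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Invalid user (?P<user>\S+) from (?P<src>\S+)(?: passwd=(?P<pw>\S+))?"
)
ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def parse(log: str) -> List[dict]:
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            # syslog has no year; strptime fills in 1900, harmless for gaps
            # within one log (year wrap-around is ignored here).
            ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
            events.append(ev)
    return events


def threshold_alerts(log: str, threshold: int = 5,
                     window: timedelta = timedelta(hours=1)) -> List[str]:
    """Accounts with at least `threshold` failures inside any `window`.
    Counted per account across hosts, since the attacker may spread attempts."""
    by_user: Dict[str, List[datetime]] = {}
    for ev in parse(log):
        by_user.setdefault(ev["user"], []).append(ev["ts"])
    alerts = []
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(user)
                break
    return sorted(alerts)


def successor(s: str, alphabet: str = ALPHABET) -> Optional[str]:
    """Next same-length string in odometer order ('aaz' -> 'aba'); None at the end."""
    chars = list(s)
    for i in range(len(chars) - 1, -1, -1):
        idx = alphabet.index(chars[i])
        if idx + 1 < len(alphabet):
            chars[i] = alphabet[idx + 1]
            return "".join(chars)
        chars[i] = alphabet[0]
    return None


def is_exhaustive_sequence(candidates: List[str]) -> bool:
    """Heuristic: each guess is the immediate successor of the previous one,
    which is what enumerating a keyspace looks like, unlike a word list."""
    if len(candidates) < 2 or any(c not in ALPHABET for w in candidates for c in w):
        return False
    return all(successor(a) == b for a, b in zip(candidates, candidates[1:]))


def classify(log: str) -> str:
    guesses = [ev["pw"] for ev in parse(log) if ev["pw"]]
    return "brute-force" if is_exhaustive_sequence(guesses) else "dictionary-or-other"
```

Worth noticing on this particular log: only four of the five failures fall inside one hour (the fifth is nine hours later), so Tom's five-in-an-hour rule would not fire even though the sequential guesses make the brute-force pattern obvious. Thresholds trade alert volume for sensitivity, which is exactly why the pattern check is a useful second signal.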
Ben is designing a database-driven application and would like to ensure that two executing transactions do not affect each other by storing interim results in the database. What property is he seeking to enforce?
Atomicity
Isolation
Consistency
Durability
Kim is the system administrator for a small business network that is experiencing security problems. She is in the office in the evening working on the problem, and nobody else is there. As she is watching, she can see that systems on the other side of the office that were previously behaving normally are now exhibiting signs of infection one after the other. What type of malware is Kim likely dealing with?
Virus
Worm
Trojan horse
Logic bomb
Barb is reviewing the compliance obligations facing her organization and the types of liability that each one might incur. Which of the following laws and regulations may involve criminal penalties if violated? (Select all that apply.)
FERPA
HIPAA
SOX
PCI DSS
Quentin is analyzing network traffic that he collected with Wireshark on a TCP/IP network. He would like to identify all new connections that were set up during his traffic collection. If he is looking for the three packets that constitute the TCP three-way handshake used to establish a new connection, what flags should be set on the first three packets?
SYN, ACK, SYN/ACK
PSH, RST, ACK
SYN, SYN/ACK, ACK
SYN, RST, FIN
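Added example, not part of the original question set: a per-flow state machine that picks completed SYN, SYN/ACK, ACK sequences out of a packet list, the check an analyst would script over a capture like Quentin's. The packet tuples below are constructed for the example (addresses from documentation ranges); the flow-state encoding and function names are this example's own.

```python
"""Picking completed TCP three-way handshakes out of a packet list.

Added example; the packets below are constructed, not from Quentin's capture.
Each packet is (src, dst, sport, dport, flags) with flags as a set of names.
"""
from typing import Dict, FrozenSet, List, Tuple

Packet = Tuple[str, str, int, int, FrozenSet[str]]
Flow = Tuple[str, int, str, int]  # client, client port, server, server port


def pkt(src: str, dst: str, sport: int, dport: int, *flags: str) -> Packet:
    return (src, dst, sport, dport, frozenset(flags))


SAMPLE: List[Packet] = [
    # complete handshake, client .5 -> server on port 443
    pkt("10.0.0.5", "198.51.100.20", 51000, 443, "SYN"),
    pkt("198.51.100.20", "10.0.0.5", 443, 51000, "SYN", "ACK"),
    pkt("10.0.0.5", "198.51.100.20", 51000, 443, "ACK"),
    # second complete handshake, interleaved with the first connection's data
    pkt("10.0.0.6", "198.51.100.20", 52000, 80, "SYN"),
    pkt("10.0.0.5", "198.51.100.20", 51000, 443, "PSH", "ACK"),
    pkt("198.51.100.20", "10.0.0.6", 80, 52000, "SYN", "ACK"),
    pkt("10.0.0.6", "198.51.100.20", 52000, 80, "ACK"),
    # SYN to a closed port: answered with RST, no connection results
    pkt("10.0.0.7", "198.51.100.20", 53000, 23, "SYN"),
    pkt("198.51.100.20", "10.0.0.7", 23, 53000, "RST", "ACK"),
    # a bare ACK with no preceding SYN (mid-stream, or an ACK scan): ignored
    pkt("10.0.0.8", "198.51.100.20", 54000, 443, "ACK"),
]


def find_handshakes(packets: List[Packet]) -> List[Flow]:
    """State per flow: 1 = SYN seen from client, 2 = SYN/ACK seen from server,
    3 = final ACK seen. Only flows that reach 3 count as new connections."""
    state: Dict[Flow, int] = {}
    completed: List[Flow] = []
    for src, dst, sport, dport, flags in packets:
        fwd: Flow = (src, sport, dst, dport)   # flow as the sender sees it
        rev: Flow = (dst, dport, src, sport)   # the same flow, other direction
        if "RST" in flags:
            state.pop(fwd, None)               # reset aborts whatever was pending
            state.pop(rev, None)
        elif flags == {"SYN"}:
            state[fwd] = 1
        elif flags == {"SYN", "ACK"} and state.get(rev) == 1:
            state[rev] = 2                     # key by the client's view of the flow
        elif "ACK" in flags and "SYN" not in flags and state.get(fwd) == 2:
            state[fwd] = 3
            completed.append(fwd)
    return completed


if __name__ == "__main__":
    for client, cport, server, sport in find_handshakes(SAMPLE):
        print(f"new connection {client}:{cport} -> {server}:{sport}")
```

Keying the state by the client's view of the flow is what lets the SYN/ACK (which travels the other way) be matched to the SYN; a SYN answered by RST or never answered at all never reaches state 3, which is also how half-open connections from a SYN scan are told apart from real ones.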
Daniel is selecting a new mobile device management (MDM) solution for his organization and is writing the RFP. He is trying to decide what features he should include as requirements after aligning his organization's security needs with an MDM platform's capabilities. Which of the following are typical capabilities of MDM solutions? (Select all that apply.)
Remotely wiping the contents of a mobile device
Assuming control of a nonregistered BYOD mobile device
Enforcing the use of device encryption
Managing device backups
Jim is implementing an IDaaS solution for his organization. What type of technology is he putting in place?
Identity as a service
Employee ID as a service
Intrusion detection as a service
OAuth
Gina recently took the CISSP certification exam and then wrote a blog post that included the text of many of the exam questions that she experienced. What aspect of the (ISC)2 Code of Ethics is most directly violated in this situation?
Advance and protect the profession.
Act honorably, honestly, justly, responsibly, and legally.
Protect society, the common good, necessary public trust and confidence, and the infrastructure.
Provide diligent and competent service to principals.
Gordon is conducting a risk assessment for his organization and determined the amount of damage that flooding is expected to cause to his facilities each year. What metric has Gordon identified?
ALE
ARO
SLE
EF
Greg would like to implement application control technology in his organization. He would like to limit users to installing only approved software on their systems. What type of application control would be appropriate in this situation?
Blacklisting
Graylisting
Whitelisting
Bluelisting
Frank is the security administrator for a web server that provides news and information to people located around the world. His server received an unusually high volume of traffic that it could not handle and was forced to reject requests. Frank traced the source of the traffic back to a botnet. What type of attack took place?
Denial-of-service
Reconnaissance
Compromise
Malicious insider
In the database table shown here, which column would be the best candidate for a primary key?
Company ID
Company Name
ZIP Code
Sales Rep
Gwen is a cybersecurity professional for a financial services firm that maintains records of their customers. These records include personal information about each customer, including the customer's name, Social Security number, date and place of birth, and mother's maiden name. What category best describes these records?
PHI
Proprietary data
PII
EDI
Bob is configuring egress filtering on his network, examining traffic destined for the internet. His organization uses the public address range 12.8.195.0/24. Packets with which one of the following destination addresses should Bob permit to leave the network?
12.8.195.15
10.8.15.9
192.168.109.55
129.53.44.124
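Added example, not part of the original question set, covering both Lisa's anti-spoofing question and Bob's egress-filtering question: the border rules expressed as checks on a packet's source and destination. Inbound, a packet whose source claims to be internal or RFC 1918 is spoofed; outbound, a packet whose source is not ours, or whose destination is private or is our own range, should not leave. The internal prefix 12.8.195.0/24 is taken from Bob's question; the function names and sample addresses are this example's own.

```python
"""Border filtering for the IP-spoofing and egress-filtering questions above.

Added example. Assumes the organization's only public range is 12.8.195.0/24
(the prefix from the egress question) and that the border device sees every
packet crossing in either direction.
"""
import ipaddress
from typing import List

INTERNAL = ipaddress.ip_network("12.8.195.0/24")

# RFC 1918 space is never valid on the public side of the border, as either
# source or destination.
PRIVATE = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_private(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE)


def ingress_decision(src: str, dst: str) -> str:
    """Inbound from the internet. A packet whose source claims to be one of our
    own addresses, or a private address, cannot have originated outside: it is
    spoofed and is dropped. Everything else is left to the rest of the policy."""
    if ipaddress.ip_address(src) in INTERNAL or is_private(src):
        return "drop"
    return "permit"


def egress_decision(src: str, dst: str) -> str:
    """Outbound to the internet. Drop if the source is not ours (so this network
    cannot be the origin of spoofed traffic), or if the destination is private
    or is our own range (such packets should never need to leave)."""
    if ipaddress.ip_address(src) not in INTERNAL:
        return "drop"
    if is_private(dst) or ipaddress.ip_address(dst) in INTERNAL:
        return "drop"
    return "permit"


def permitted_destinations(candidates: List[str], src: str = "12.8.195.15") -> List[str]:
    """Which candidate destinations may leave the network from an internal host."""
    return [d for d in candidates if egress_decision(src, d) == "permit"]


if __name__ == "__main__":
    # The four destination options from the egress-filtering question.
    options = ["12.8.195.15", "10.8.15.9", "192.168.109.55", "129.53.44.124"]
    print("permitted out:", permitted_destinations(options))
    # Inbound packet claiming an internal source: spoofed.
    print("inbound spoofed:", ingress_decision("12.8.195.15", "12.8.195.1"))
```

The same two ideas appear in vendor features such as unicast reverse-path forwarding, which checks that a packet's source is reachable via the interface it arrived on; the explicit prefix checks here make the logic visible for the exam scenario.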
Brian is considering increasing the length of the cryptographic keys used by his organization. If he adds 8 bits to the encryption key, how many more possible keys will be added to the keyspace for the algorithm?
The size of the keyspace will double.
The size of the keyspace will increase by a factor of 8.
The size of the keyspace will increase by a factor of 64.
The size of the keyspace will increase by a factor of 256.
Which of the following data assets may be safely and effectively disposed of using shredding? (Select all that apply.)
Paper records
Credit cards
Removable media
SSD hard drives
GAD Systems is concerned about the risk of hackers stealing sensitive information stored on a file server. They choose to pursue a risk mitigation strategy. Which one of the following actions would support that strategy?
Encrypting the files
Deleting the files
Purchasing cyber-liability insurance
Taking no action
Viola is conducting a user account audit to determine whether accounts have the appropriate level of permissions and that all permissions were approved through a formal process. The organization has approximately 50,000 user accounts and an annual employee turnover rate of 24 percent. Which one of the following sampling approaches would be the most effective use of her time when choosing records for manual review?
Select all records that have been modified during the past month.
Ask access administrators to identify the accounts most likely to have issues and audit those.
Select a random sample of records, either from the entire population or from the population of records that have changed during the audit period.
Sampling is not effective in this situation, and all accounts should be audited.
Lila is reviewing her organization's adverse termination process. In that process, when would be the most appropriate time to revoke a user's access privileges to digital systems?
At the time the user is informed of the termination
At the end of the last day of employment
At the time the decision is made
Several days after the last day of employment
William is reviewing log files that were stored on a system with a suspected compromise. He finds the log file shown here. What type of log file is this?
Firewall log
Change log
Application log
System log
Roger is reviewing a list of security vulnerabilities in his organization and rating them based upon their severity. Which one of the following models would be most useful to his work?
CVSS
STRIDE
PASTA
ATT&CK
An attacker recently called an organization's help desk and persuaded them to reset a password for another user's account. What term best describes this attack?
A human Trojan
Social engineering
Phishing
Whaling
Greg is evaluating a new vendor that will be supplying networking gear to his organization. Due to the nature of his organization's work, Greg is concerned that an attacker might attempt a supply chain exploit. Assuming that both Greg's organization and the vendor operate under reasonable security procedures, which one of the following activities likely poses the greatest supply chain risk to the equipment?
Tampering by an unauthorized third party at the vendor's site
Interception of devices in transit
Misconfiguration by an administrator after installation
Tampering by an unauthorized third party at Greg's site
Kevin is operating in a single-level security environment and is seeking to classify information systems according to the type of information that they process. What procedure would be the best way for him to assign asset classifications?
Assign systems the classification of information that they most commonly process.
Assign systems the classification of the highest level of information that they are expected to process regularly.
Assign systems the classification of the highest level of information that they are ever expected to process.
Assign all systems the same classification level.
For questions 41–43, please refer to the following scenario:
The organization that Ben works for has a traditional on-site Active Directory environment that uses a manual provisioning process for each addition to their 350-employee company. As the company adopts new technologies, they are increasingly using software as a service applications to replace their internally developed software stack.
Ben has been tasked with designing an identity management implementation that will allow his company to use cloud services while supporting their existing systems. Using the logical diagram shown here, answer the following questions about the identity recommendations Ben should make.
If availability of authentication services is the organization's biggest priority, what type of identity platform should Ben recommend?
On-site
Cloud-based
Hybrid
Outsourced
If Ben needs to share identity information with the business partner shown, what should he investigate?
Single sign-on
Multifactor authentication
Federation
IDaaS
What technology is likely to be involved when Ben's organization needs to provide authentication and authorization assertions to their cloud e-commerce application?
Active Directory
SAML
RADIUS
SPML
Dave is responsible for password security in his organization and would like to strengthen the security of password files. He would like to defend his organization against the use of rainbow tables. Which one of the following techniques is specifically designed to frustrate the use of rainbow tables?
Password expiration policies
Salting
User education
Password complexity policies
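Added example, not part of the original question set: a tiny precomputed hash-to-password table stands in for a rainbow table and is run against an unsalted password file and a salted one. The candidate passwords, the use of SHA-256 for the weak scheme and PBKDF2-HMAC-SHA256 for the salted scheme, and the function names are this example's own assumptions.

```python
"""Why salting defeats rainbow tables (Dave's question).

Added example. CANDIDATES and PRECOMPUTED stand in for an attacker's
precomputed table; they are constructed here, as are the sample passwords.
"""
import hashlib
import os
from typing import Dict, List, Optional, Tuple

CANDIDATES = ["password", "letmein", "Summer2024", "qwerty"]

# The attacker's table: hash -> password, computed once, before seeing any
# password file. It only works if every site hashes the same way.
PRECOMPUTED: Dict[str, str] = {
    hashlib.sha256(p.encode()).hexdigest(): p for p in CANDIDATES
}


def unsalted_hash(password: str) -> str:
    """The weak scheme: identical passwords give identical, predictable hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Per-user random salt stored beside the hash (the salt is not secret).
    PBKDF2 also slows each guess; the salt alone is what breaks precomputation."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + dk.hex()


def table_cracks(stored_hashes: List[str]) -> int:
    """How many stored records the precomputed table recovers instantly."""
    return sum(1 for h in stored_hashes if h in PRECOMPUTED)


def guess_salted(stored: str) -> Optional[str]:
    """Attacker's only remaining option: recompute each candidate with this
    record's own salt. Nothing precomputed elsewhere can be reused."""
    salt_hex, _ = stored.split("$")
    salt = bytes.fromhex(salt_hex)
    for p in CANDIDATES:
        if salted_hash(p, salt) == stored:
            return p
    return None


def compare_schemes(passwords: List[str]) -> Tuple[int, int]:
    """(hits against the unsalted file, hits against the salted file) for the
    same set of users."""
    unsalted_file = [unsalted_hash(p) for p in passwords]
    salted_file = [salted_hash(p, os.urandom(16)) for p in passwords]
    return table_cracks(unsalted_file), table_cracks(salted_file)
```

The salt does not stop guessing (guess_salted still succeeds for a weak password), it removes the precomputation: every user's hash has to be attacked separately, and a table built in advance matches nothing. That is the specific property the question asks about; the iteration count is a separate defense against fast online guessing.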
Helen recently built a new system as part of her organization's deception campaign. The system is configured in a manner that makes it vulnerable to attack and that conveys that it might contain highly sensitive information. What term best describes this system?
Honeynet
Darknet
Honeypot
Pseudoflaw
Nandi is evaluating a set of candidate systems to replace a biometric authentication mechanism in her organization. What metric would be the best way to compare the effectiveness of the different systems?
FAR
FRR
CER
FDR
Sean suspects that an individual in his company is smuggling out secret information despite his company's careful use of data loss prevention systems. He discovers that the suspect is posting photos, including the one shown here, to public internet message boards. What type of technique may the individual be using to hide messages inside this image?
Watermarking
VPN
Steganography
Covert timing channel
Roger is concerned that a third-party firm hired to develop code for an internal application will embed a backdoor in the code. The developer retains rights to the intellectual property and will only deliver the software in its final form. Which one of the following languages would be least susceptible to this type of attack because it would provide Roger with code that is human-readable in its final form?
JavaScript
C
C++
Java
Jesse is looking at the /etc/passwd file on a system configured to use shadowed passwords. What should she expect to see in the password field of this file?
Plaintext passwords
Encrypted passwords
Hashed passwords
x
Rob recently received a notice from a vendor that the EOL date is approaching for a firewall platform that is used in his organization. What action should Rob take?
Prepare to discontinue use of the platform as soon as possible.
Immediately discontinue use of the device.
Prepare to discontinue use of the device as part of the organization's normal planning cycle.
No action is necessary.
What principle states that an individual should make every effort to complete his or her responsibilities in an accurate and timely manner?
Least privilege
Separation of duties
Due care
Due diligence
Tony is developing a data classification system for his organization. What factor should he use as the primary driver when determining the classification level of each category of information?
Sensitivity
Source
Likelihood of theft
Likelihood of data loss
Perry is establishing information handling requirements for his organization. He discovers that the organization often needs to send sensitive information over the internet to a supplier and is concerned about it being intercepted. What handling requirement would best protect against this risk?
Require the use of transport encryption.
Require proper classification and labeling.
Require the use of data loss prevention technology.
Require the use of storage encryption.
John is developing a tangible asset inventory for his organization. Which of the following items would most likely be included in this inventory? (Select all that apply.)
Intellectual property
Server hardware
Files stored on servers
Mobile devices
Maria is analyzing a security incident where she believes that an attacker gained access to a fiber-optic cable and installed a tap on that cable. What layer of the OSI model did this attack occur at?
Transport
Network
Data Link
Physical
Bert is considering the use of an infrastructure as a service cloud computing partner to provide virtual servers. Which one of the following would be a vendor responsibility in this scenario?
Maintaining the hypervisor
Managing operating system security settings
Maintaining the host firewall
Configuring server access control
When Ben records data and then replays it against his test website to verify how it performs based on a real production workload, what type of performance monitoring is he undertaking?
Passive
Proactive
Reactive
Replay
Kailey is reviewing a set of old records maintained by her organization and wants to dispose of them securely. She is unsure how long the organization should keep the records because they involve tax data. How can Kailey determine whether the records may be disposed?
Consult the organization's records retention policy.
Consult IRS requirements.
Retain the records for at least seven years.
Retain the records permanently.
Alan is considering the use of new identification cards in his organization that will be used for physical access control. He comes across a sample card and is unsure of the technology. He breaks it open and sees the following internal construction. What type of card is this?
Smart card
Proximity card
Magnetic stripe
Phase-two card
Mark is planning a disaster recovery test for his organization. He would like to perform a live test of the disaster recovery facility but does not want to disrupt operations at the primary facility. What type of test should Mark choose?
Full interruption test
Checklist review
Parallel test
Tabletop exercise
Which one of the following is not a principle of the Agile approach to software development?
The best architecture, requirements, and designs emerge from self-organizing teams.
Deliver working software infrequently, with an emphasis on creating accurate code over longer timelines.
Welcome changing requirements, even late in the development process.
Simplicity is essential.
During a security audit, Susan discovers that the organization is using hand geometry scanners as the access control mechanism for their secure data center. What recommendation should Susan make about the use of hand geometry scanners?
They have a high FRR and should be replaced.
A second factor should be added because they are not a good way to reliably distinguish individuals.
The hand geometry scanners provide appropriate security for the data center and should be considered for other high-security areas.
They may create accessibility concerns, and an alternate biometric system should be considered.
Colleen is conducting a business impact assessment for her organization. What metric provides important information about the amount of time that the organization may be without a service before causing irreparable harm?
MTD
ALE
RPO
RTO
Bailey is concerned that users around her organization are using sensitive information in a variety of cloud services and would like to enforce security policies consistently across those services. What security control would be best suited for her needs?
DRM
IPS
CASB
DLP
Matt is designing a set of information handling requirements for his organization and would like to draw upon common industry practices. Which of the following practices should Matt implement? (Select all that apply.)
Labeling both paper and electronic documents with their classification level
Automatically granting senior executives full access to all classified information
Automatically granting visitors access to information classified at the lowest level of sensitivity
Encrypting sensitive information in storage and at rest
Jerry is investigating an attack where the attacker stole an authentication token from a user's web session and used it to impersonate the user on the site. What term best describes this attack?
Masquerading
Replay
Spoofing
Modification
Lisa wants to integrate with a cloud identity provider that uses OAuth 2.0, and she wants to select an appropriate authentication framework. Which of the following best suits her needs?
OpenID Connect
SAML
RADIUS
Kerberos
Owen recently designed a security access control structure that prevents a single user from simultaneously holding the role required to create a new vendor and the role required to issue a check. What principle is Owen enforcing?
Two-person control
Least privilege
Separation of duties
Job rotation
Denise is preparing for a trial relating to a contract dispute between her company and a software vendor. The vendor is claiming that Denise made a verbal agreement that amended their written contract. What rule of evidence should Denise raise in her defense?
Real evidence rule
Best evidence rule
Parol evidence rule
Testimonial evidence rule
While Lauren is monitoring traffic on two ends of a network connection, she sees traffic that is inbound to a public IP address show up inside the production network. It is headed for an internal host with an RFC 1918 reserved destination address. What technology should she expect is in use at the network border?
NAT
VLANs
S/NAT
BGP
Which of the following statements about SSAE-18 are correct? (Select all that apply.)
It mandates a specific control set.
It is an attestation standard.
It is used for external audits.
It uses a framework, including SOC 1, SOC 2, and SOC 3 reports.
Elliott is using an asymmetric cryptosystem and would like to add a digital signature to a message. What key should he use to encrypt the message digest?
Elliott's private key
Elliott's public key
Recipient's private key
Recipient's public key
Greg is building a disaster recovery plan for his organization and would like to determine the amount of time that it should take to restore a particular IT service after an outage. What variable is Greg calculating?
MTD
RTO
RPO
SLA
What business process typically requires sign-off from a manager before modifications are made to a system?
SDN
Release management
Change management
Versioning
Jen is selecting a fire suppression system for her organization's data center and would like to narrow down the list of candidates. Which one of the following suppression systems would be LEAST appropriate for use?
Dry pipe
Wet pipe
Pre-action
FM-200
The company Chris works for has notices posted at each door reminding employees not to let other people enter behind them when they do. Which type of control is this?
Detective
Physical
Preventive
Directive
Seth is designing the physical security controls for a new facility being constructed by his organization. He would like to deter attacks to the extent possible. Which of the following controls serve as deterrents? (Select all that apply.)
Motion detectors
Guard dogs
Mantraps
Lighting
Thomas recently signed an agreement for a serverless computing environment where his organization's developers will be able to write functions in Python and deploy them on the cloud provider's servers for execution. The cloud provider will manage the servers. What term best describes this model?
SaaS
PaaS
IaaS
Containerization
An attacker has intercepted a large amount of data that was all encrypted with the same algorithm and encryption key. With no further information, which of the following cryptanalytic attacks are possible? (Select all that apply.)
Known plaintext
Chosen ciphertext
Frequency analysis
Brute-force
For questions 80–82, please refer to the following scenario:
Alex has been with the university he works at for more than 10 years. During that time, he has been a system administrator and a database administrator, and he has worked in the university's help desk. He is now a manager for the team that runs the university's web applications. Using the provisioning diagram shown here, answer the following questions.
If Alex hires a new employee and the employee's account is provisioned after HR manually inputs information into the provisioning system based on data Alex provides via a series of forms, what type of provisioning has occurred?
Discretionary account provisioning
Workflow-based account provisioning
Automated account provisioning
Self-service account provisioning
Alex has access to B, C, and D in the diagram. What concern should he raise to the university's identity management team?
The provisioning process did not give him the rights he needs.
He has excessive privileges.
Privilege creep may be taking place.
Logging is not properly enabled.
When Alex changes roles, what should occur?
He should be de-provisioned, and a new account should be created.
He should have his new rights added to his existing account.
He should be provisioned for only the rights that match his role.
He should have his rights set to match those of the person he is replacing.
Robert is reviewing a system that has been assigned the EAL2 evaluation assurance level under the Common Criteria. What is the highest level of assurance that he may have about the system?
It has been functionally tested.
It has been structurally tested.
It has been formally verified, designed, and tested.
It has been semiformally designed and tested.
Adam is processing an access request for an end user. What two items should he verify before granting the access?
Separation and need to know
Clearance and endorsement
Clearance and need to know
Second factor and clearance
During what phase of the electronic discovery reference model does an organization ensure that potentially discoverable information is protected against alteration or deletion?
Identification
Preservation
Collection
Processing
Dana is selecting a hash function for use in her organization and would like to balance a concern for a cryptographically strong hash with the speed and efficiency of the algorithm. Which one of the following hash functions would best meet her needs?
MD5
RIPEMD
SHA-2
SHA-3
Harry would like to access a document owned by Sally stored on a file server. Applying the subject/object model to this scenario, who or what is the object of the resource request?
Harry
Sally
File server
Document
What is the process that occurs when the Session layer removes the header from data sent by the Transport layer?
Encapsulation
Packet unwrapping
De-encapsulation
Payloading
Rob is reviewing his organization's campus for physical security using the Crime Prevention Through Environmental Design (CPTED) framework. Which one of the following is NOT a strategy in this framework?
Natural intrusion detection
Natural access control
Natural surveillance
Natural territorial reinforcement
What markup language uses the concepts of a requesting authority, a provisioning service point, and a provisioning service target to handle its core functionality?
SAML
SAMPL
SPML
XACML
What type of risk assessment uses tools such as the one shown here?
Quantitative
Loss expectancy
Financial
Qualitative
MAC models use three types of environments. Which of the following is not a mandatory access control design?
Hierarchical
Bracketed
Compartmentalized
Hybrid
Mandy is the team leader for a project team that includes six people. She would like to provide those people with the ability to communicate privately, such that any pair of people can exchange communications that are not subject to interception by anyone else (team member or nonteam member). She is using an asymmetric encryption algorithm. How many keys are required to implement these requirements?
6
12
15
36
Sally is wiring a gigabit Ethernet network. What cabling choices should she make to ensure she can use her network at the full 1000 Mbps she wants to provide to her users?
Cat 5 and Cat 6
Cat 5e and Cat 6
Cat 4e and Cat 5e
Cat 6 and Cat 7
Ursula is seeking to expand the reach and scalability of her organization's website. She would like to position copies of her data around the world in locations close to website visitors to reduce loading time and the burden on her servers. What type of cloud service would best meet her needs?
IaaS
Containerization
CDN
SaaS
Robert is the network administrator for a small business and recently installed a new firewall. After seeing signs of unusually heavy network traffic, he checked his intrusion detection system, which reported that a smurf attack was underway. What firewall configuration change can Robert make to most effectively prevent this attack?
Block the source IP address of the attack.
Block inbound UDP traffic.
Block the destination IP address of the attack.
Block inbound ICMP traffic.
Which one of the following types of firewalls does not have the ability to track connection status between different packets?
Stateful inspection
Application proxy
Packet filter
Next generation
Frances is concerned that equipment failures within her organization's servers will lead to a loss of power to those servers. Which one of the following controls would best address this risk?
Redundant power sources
Backup generators
Dual power supplies
Uninterruptible power supplies
Peter is reviewing the remote access technologies used by his organization and would like to eliminate the use of any techniques that do not include built-in encryption. Which of the following approaches should he retain? (Select all that apply.)
RDP
Telnet
SSH
Dial-up
Matthew is experiencing issues with the quality of network service on his organization's network. The primary symptom is that packets are occasionally taking too long to travel from their source to their destination. The length of this delay changes for individual packets. What term describes the issue Matthew is facing?
Latency
Jitter
Packet loss
Interference
Gavin is an internal auditor working to assess his organization's cybersecurity posture. Which of the following would be appropriate recipients of the reports he generates from his work? (Select all that apply.)
Managers
Individual contributors
Suppliers
Board members
Kim is conducting testing of a web application developed by her organization and would like to ensure that it is accessible from all commonly used web browsers. What type of testing should she conduct?
Regression testing
Interface testing
Fuzzing
White-box testing
Kathleen is implementing an access control system for her organization and builds the following array:
Reviewers: update files, delete files
Submitters: upload files
Editors: upload files, update files
Archivists: delete files
What type of access control system has Kathleen implemented?
Role-based access control
Task-based access control
Rule-based access control
Discretionary access control
Alan is installing a fire suppression system that will activate after a fire breaks out and protect the equipment in the data center from extensive damage. What metric is Alan attempting to lower?
Likelihood
RTO
RPO
Impact
Alan's Wrenches recently developed a new manufacturing process for its product. They plan to use this technology internally and not share it with others. They would like it to remain protected for as long as possible. What type of intellectual property protection is best suited for this situation?
Patent
Copyright
Trademark
Trade secret
Ben wants to interface with the National Vulnerability Database using a standardized protocol. What option should he use to ensure that the tools he builds work with the data contained in the NVD?
XACML
SCML
VSML
SCAP
Ron's organization does not have the resources to conduct penetration testing that uses time-intensive manual techniques, but he would like to achieve some of the benefits of penetration testing. Which one of the following techniques could he engage in that requires the least manual effort?
White-box testing
Black-box testing
Gray-box testing
Breach and attack simulation
In the figure shown here, Harry's request to read the data file is blocked. Harry has a Secret security clearance, and the data file has a Top Secret classification. What principle of the Bell–LaPadula model blocked this request?
Simple Security Property
Simple Integrity Property
*-Security Property
Discretionary Security Property
Norm is starting a new software project with a vendor that uses an SDLC approach to development. When he arrives on the job, he receives a document that has the sections shown here. What type of planning document is this?
Functional requirements
Work breakdown structure
Test analysis report
Project plan
Kolin is searching for a network security solution that will allow him to help reduce zero-day attacks while using identities to enforce a security policy on systems before they connect to the network. What type of solution should Kolin implement?
A firewall
A NAC system
An intrusion detection system
Port security
Gwen comes across an application that is running under a service account on a web server. The service account has full administrative rights to the server. What principle of information security does this violate?
Need to know
Separation of duties
Least privilege
Job rotation
Ed is developing a set of key performance and risk indicators for his organization's information security program. Which of the following are commonly used indicators? (Select all that apply.)
Number of scheduled audits
Time to resolve vulnerabilities
Number of malicious site visit attempts
Number of account compromises
Kara is documenting the results of a vulnerability scan. After reviewing one finding, she determined that the vulnerability did exist. The team then implemented a configuration change that corrected the issue. How should Kara classify this vulnerability in her report?
True positive
True negative
False positive
False negative
For questions 114–116, please refer to the following scenario:
During a web application vulnerability scanning test, Steve runs Nikto against a web server he believes may be vulnerable to attacks. Using the Nikto output shown here, answer the following questions.
Why does Nikto flag the /test directory?
The /test directory allows administrative access to PHP.
It is used to store sensitive data.
Test directories often contain scripts that can be misused.
It indicates a potential compromise.
Why does Nikto identify directory indexing as an issue?
It lists files in a directory.
It may allow for XDRF.
Directory indexing can result in a denial-of-service attack.
Directory indexing is off by default, potentially indicating compromise.
Nikto lists OSVDB-877, noting that the system may be vulnerable to XST. What would this type of attack allow an attacker to do?
Use cross-site targeting.
Steal a user's cookies.
Counter SQL tracing.
Modify a user's TRACE information.
Who would be the most appropriate supervisor for an organization's chief audit executive (CAE)?
CIO
CISO
CEO
CFO
Ursula believes that many individuals in her organization are storing sensitive information on their laptops in a manner that is unsafe and potentially violates the organization's security policy. What control can she use to identify the presence of these files?
Network DLP
Network IPS
Endpoint DLP
Endpoint IPS
In what cloud computing model does the customer build a cloud computing environment in his or her own data center or build an environment in another data center that is for the customer's exclusive use?
Public cloud
Private cloud
Hybrid cloud
Shared cloud
Which one of the following technologies is designed to prevent a web server going offline from becoming a single point of failure in a web application architecture?
Load balancing
Dual-power supplies
IPS
RAID
Alice wants to send Bob a message with the confidence that Bob will know the message was not altered while in transit. What security goal is Alice trying to achieve?
Confidentiality
Nonrepudiation
Authentication
Integrity
What network topology is shown here?
A ring
A bus
A star
A mesh
Monica is developing a software application that calculates an individual's body mass index for use in medical planning. She would like to include a control on the field where the physician enters an individual's weight to ensure that the weight falls within an expected range. What type of control should Monica use?
Fail open
Fail secure
Limit check
Buffer bounds
Match the following numbered types of testing methodologies with the lettered correct level of knowledge:
Testing methodologies
Black box
White box
Gray box
Level of knowledge
Full knowledge of the system
Partial or incomplete knowledge
No prior knowledge of the system
Match the following lettered factors to their numbered type: