Appendix Answers to Review Questions

Chapter 1: Access Controls (Domain 1)

  1. B. Device authentication allows the venue to restrict network access to authorized scanners but does not require individual ushers to sign in to the device. This seems an acceptable level of security for this environment, as the scanners are carefully controlled. Moving to any authentication scheme that requires user authentication would be unwieldy.

  2. D. The purpose of an extranet is to allow outside organizations that are business partners to access limited resources on the corporate network. That describes the situation in this scenario, so Norma is building an extranet.

  3. B. A mandatory access control (MAC) scheme is an example of a nondiscretionary approach to access control, as the owner of objects does not have the ability to set permissions on those objects. It is possible for a visitor list or file ACLs to be configured using a nondiscretionary scheme, but these approaches can also be configured as discretionary access control (DAC) implementations.

  4. C. Digital certificates are the strongest device-based access control mechanism listed in this scenario. Administrators may create certificates for each device and tie them to the physical device. Passwords are easily transferred to other devices and are not as strong an approach. IP addresses are easily changed and should not be used. MAC addresses theoretically identify devices uniquely, but it is possible to alter a MAC address, so they should not be relied upon for authentication.

  5. A. Kaiden should use a virtual private network (VPN) for all remote connections to the extranet. The VPN will encrypt traffic sent over public networks and protect it from eavesdropping.

  6. B. The permissions granted on files in Linux designate what authorized users can do with those files—read, write, or execute. In the image shown, all users can read, write, and execute index.html, whereas the owner can read, write, and execute example.txt, the group cannot, and everyone can write and execute it.

  7. C. Usernames are an identification tool. They are not secret, so they are not suitable for use as a password.

  8. B. Before granting access, Gary should verify that the user has a valid security clearance and a business need to know the information. Gary is performing an authorization task, so he does not need to verify the user’s credentials, such as a password or biometric scan.

  9. C. The crossover error rate is the point where false acceptance rate and false rejection rate cross over and is a standard assessment used to compare the accuracy of biometric devices.

  10. A. At point B, the false acceptance rate, or FAR, is quite high, while the false rejection rate, or FRR, is relatively low. This may be acceptable in some circumstances, but in organizations where a false acceptance can cause a major problem, it is likely that they should instead choose a point to the right of point A.

  11. B. CER is a standard used to assess biometric devices. If the CER for this device does not fit the needs of the organization, Ben should assess other biometric systems to find one with a lower CER. Sensitivity is already accounted for in CER charts, and moving the CER isn’t something Ben can do. FRR is not a setting in software, so Ben can’t use that as an option either.

  12. B. The process of a subject claiming or professing an identity is known as identification. Authorization verifies the identity of a subject by checking a factor such as a password. Logins typically include both identification and authorization, and token presentation is a type of authentication.

  13. B. All of these are objects. Although some of these items can be subjects, files, databases, and storage media can’t be. Processes and programs aren’t file stores, and of course none of these is a user.

  14. B. Mandatory access control systems can be hierarchical, where each domain is ordered and related to other domains above and below it; compartmentalized, where there is no relationship between each domain; or hybrid, where both hierarchy and compartments are used. There is no concept of bracketing in mandatory access control design.

  15. B. All of the controls listed here, if properly implemented, have the potential to improve the organization’s security posture. However, only single sign-on is likely to improve the user experience by eliminating barriers to authentication across multiple systems. Mandatory access control and multifactor authentication will likely be seen as inconveniences by users, while automated deprovisioning will improve the experience of identity and access management administrators but not affect the end user experience.

  16. A. An attribute-based access control (ABAC) system will allow Susan to specify details about subjects, objects, and access, allowing granular control. Although a rule-based access control system (RBAC) might allow this, the attribute-based access control system can be more specific and thus is more flexible. Discretionary access control (DAC) would allow object owners to make decisions, and mandatory access controls (MACs) would use classifications; neither of these capabilities was described in the requirements.

  17. B. Decentralized access control empowers people closer to the resources to control access but does not provide consistent control. It does not provide redundancy, since it merely moves control points, the cost of access control depends on its implementation and methods, and granularity can be achieved in both centralized and decentralized models.

  18. C. Capability tables list the privileges assigned to subjects and identify the objects that subjects can access. Access control lists are object-focused rather than subject-focused. Implicit deny is a principle that states that anything that is not explicitly allowed is denied, and a rights management matrix is not an access control model.

  19. The security controls match with the categories as follows:

    1. Password: B. Something you know
    2. ID card: A. Something you have
    3. Retinal scan: C. Something you are
    4. Smartphone token: A. Something you have
    5. Fingerprint analysis: C. Something you are

  20. C. OpenID is a widely supported standard that allows a user to use a single account to log into multiple sites, and Google accounts are frequently used with OpenID.

  21. C. Synchronous soft tokens, such as Google Authenticator, use a time-based algorithm that generates a constantly changing series of codes. Asynchronous tokens typically require a challenge to be entered on the token to allow it to calculate a response, which the server compares to the response it expects. Smartcards typically present a certificate but may have other token capabilities built in. Static tokens are physical devices that can contain credentials and include smart cards and memory cards.

  22. B. Studies consistently show that users are more likely to write down passwords if they have more accounts. Central control of a single account is also easier to shut off if something does go wrong. Simply decreasing the number of accounts required for a subject doesn’t increase security by itself, and SSO does not guarantee individual system logging, although it should provide central logging of SSO activity. Since an SSO system was not specified, there is no way of determining whether a given SSO system provides better or worse encryption for authentication data.

  23. B. Software tokens are flexible, with delivery options including mobile applications, SMS, and phone delivery. They have a relatively low administrative overhead, as users can typically self-manage. Biometrics require significant effort to register users and to deploy and maintain infrastructure, and they require hardware at each authentication location. Both types of hardware tokens can require additional overhead for distribution and maintenance, and token failure can cause support challenges.

  24. D. Electronic access to company resources must be carefully coordinated. An employee who retains access after being terminated may use that access to take retaliatory action. On the other hand, if access is terminated too early, the employee may figure out that he or she is about to be terminated.

  25. C. A trust that allows one forest to access another’s resources without the reverse being possible is an example of a one-way trust. Since Jim doesn’t want the trust path to flow as the domain tree is formed, this trust has to be nontransitive.

  26. A. Verifying information that an individual should know about themselves using third-party factual information (a Type 1 authentication factor) is sometimes known as dynamic knowledge-based authentication and is a type of identity proofing. Out-of-band identity proofing would use another means of contacting the user, such as a text message or phone call, and password verification requires a password.

  27. A. Lauren’s team would benefit from a credential management system. Credential management systems offer features such as password management, multifactor authentication to retrieve passwords, logging, audit, and password rotation capabilities. A strong password policy would only make maintenance of passwords for many systems a more difficult task if done manually. Single sign-on would help if all of the systems had the same sensitivity levels, but different credentials are normally required for higher-sensitivity systems.

  28. A. Transitive trusts go beyond the two domains directly involved in the trust relationship and extend to their subdomains. Nontransitive trusts are not inheritable to other domains. The terms inheritable trust and noninheritable trust are not normally used.

  29. B. We know that both Adam and the server administrator have the username and password, but this is information used for identification and authentication, not authorization. We do not know what information Adam’s supervisor might have. The server is a standalone file server, so it must have information about the activities that Adam is authorized to perform.

  30. B. Privilege creep is a common problem when employees change roles over time and their privileges and permissions are not properly modified to reflect their new roles. Least privilege issues are a design or implementation problem, and switching roles isn’t typically what causes them to occur. Account creep is not a common industry term, and account termination would imply that someone has removed her account instead of switching her to new groups or new roles.

  31. A. Adam created a list of individual users that may access the file. This is an access control list, which consists of multiple access control entries. It includes the names of users, so it is not role-based, and Adam was able to modify the list, so it is not mandatory access control.

  32. A. Knowledge-based authentication relies on preset questions such as “What is your pet’s name?” and the answers. It can be susceptible to attacks because of the availability of the answers on social media or other sites. Dynamic knowledge-based authentication relies on facts or data that the user already knows that can be used to create questions they can answer on an as-needed basis (for example, a previous address, or a school they attended). Out-of-band identity proofing relies on an alternate channel like a phone call or text message. Finally, Type 3 authentication factors are biometric, or “something you are,” rather than knowledge-based.

  33. C. Authorization defines what a subject can or can’t do. Identification occurs when a subject claims an identity, accountability is provided by the logs and audit trail that track what occurs on a system, and authorization occurs when that identity is validated.

  34. B. Discretionary access control (DAC) can provide greater scalability by leveraging many administrators, and those administrators can add flexibility by making decisions about access to their objects without fitting into an inflexible mandatory access control (MAC) system. MAC is more secure because of the strong set of controls it provides, but it does not scale as well as DAC and is relatively inflexible in comparison.

  35. C. While signature-based detection is used to detect attacks, review of provisioning processes typically involves checking logs, reviewing the audit trail, or performing a manual review of permissions granted during the provisioning process.

  36. D. The principle of least privilege should guide Joe in this case. He should apply no access permissions by default and then give each user the necessary permissions to perform their job responsibilities. Read-only, editor, and administrator permissions may be necessary for one or more of these users, but those permissions should be assigned based upon business need and not by default.

  37. C. Type 2 errors occur in biometric systems when an invalid subject is incorrectly authenticated as a valid user. In this case, nobody except the actual customer should be validated when fingerprints are scanned. Type 2 errors are also known as false positive errors. Type 1 (or false negative) errors occur when a valid subject is not authenticated; if the existing customer was rejected, it would be a Type 1 error. Registration is the process of adding users, but registration errors and time-of-use, method-of-use errors are not specific biometric authentication terms.

  38. A. Entering a password is an act that proves a user’s identity and, therefore, is an authentication step. Laura likely already identified herself by providing her username or performing a similar identification function. Authorization occurs after authentication when the system determines what actions Laura is allowed to take. Accounting occurs when the system logs Laura’s activity.

  39. D. Current best practice guidance from NIST, published in NIST Special Publication 800-63b, suggests that organizations should not impose password expiration requirements on end users.

  40. C. Security Assertion Markup Language (SAML) is the best choice for providing authentication and authorization information, particularly for browser-based SSO. HTML is primarily used for web pages, SPML is used to exchange user information for SSO, and XACML is used for access control policy markup.

  41. B. Mandatory access control (MAC) applies labels to subjects and objects and allows subjects to access objects when their labels match. Discretionary access control (DAC) is controlled by the owner of objects, rule-based access control applies rules throughout a system, and role-based access control bases rights on roles, which are often handled as groups of users.

  42. C. Mandatory access control systems are based on a lattice-based model. Lattice-based models use a matrix of classification labels to compartmentalize data. Discretionary access models allow object owners to determine access to the objects they control, role-based access controls are often group-based, and rule-based access controls like firewall ACLs apply rules to all subjects they apply to.

  43. A. In the subject/object model of access control, the user or process making the request for a resource is the subject of that request. In this example, Ricky is requesting access to the VPN (the object of the request) and is, therefore, the subject.

  44. B. Firewalls use rule-based access control in their access control lists and apply rules created by administrators to all traffic that passes through them. DAC, or discretionary access control, allows owners to determine who can access objects they control, while task-based access control lists tasks for users. MAC, or mandatory access control, uses classifications to determine access.

  45. C. While all of the listed controls would improve authentication security, most simply strengthen the use of knowledge-based authentication. The best way to improve the authentication process would be to add a factor not based on knowledge through the use of multifactor authentication. This may include the use of biometric controls or token-based authentication.

  46. C. Self-service password reset tools typically have a significant impact on the number of password reset contacts that a help desk has. Two-factor and biometric authentication both add additional complexity and may actually increase the number of contacts. Passphrases can be easier to remember than traditional complex passwords and may decrease calls, but they don’t have the same impact that a self-service system does.

  47. B. OAuth provides the ability to access resources from another service and would meet Jim’s needs. OpenID would allow him to use an account from another service with his application, and Kerberos and LDAP are used more frequently for in-house services.

  48. D. Authorization occurs when a system determines whether an authenticated user is permitted to perform an activity, such as by consulting an access control list. Authentication occurs when a user proves his or her identity to a system, such as by providing a password or completing a facial recognition scan. When a system logs user activity, this is an example of accounting.

  49. A. This type of authentication, where one domain trusts users from another domain, is called federation. Federation may involve transitive trusts, where the trusts may be followed through a series of domains, but this scenario only describes the use of two domains. The scenario only describes use of credentials for a single system and does not describe a multiple-system scenario where single sign-on would be relevant. There is no requirement described for the use of multifactor authentication, which would require the use of two or more diverse authentication techniques.

  50. D. Role-based access control would be an excellent solution for Luke’s requirements. Administrators would assign permissions to roles and then simply adjust the role of a user when he or she changes jobs, rather than changing all of the individual permissions.

  51. C. When you input a username and password, you are authenticating yourself by providing a unique identifier and a verification that you are the person who should have that identifier (the password). Authorization is the process of determining what a user is allowed to do. Validation and login both describe elements of what is happening in the process; however, they aren’t the most important identity and access management activity.

  52. D. Kerberos is an authentication protocol that uses tickets and provides secure communications between the client, key distribution center (KDC), ticket-granting service (TGS), authentication server (AS), and endpoint services. RADIUS does not provide the same level of security by default, SAML is a markup language, and OAuth is designed to allow third-party websites to rely on credentials from other sites like Google or Microsoft.

  53. C. Palm scans compare the vein patterns in the palm to a database to authenticate a user. Vein patterns are unique, and this method is a better single-factor authentication method than voice pattern recognition, hand geometry, and pulse patterns, each of which can be more difficult to uniquely identify between individuals or can be fooled more easily.

  54. A. Asynchronous tokens use a challenge/response process in which the system sends a challenge and the user responds with a PIN and a calculated response to the challenge. The server performs the same calculations, and if both match, it authenticates the user. Synchronous tokens use a time-based calculation to generate codes. Smart cards are paired with readers and don’t need to have challenges entered, and RFID devices are not used for challenge/response tokens.

  55. B. Provisioning includes the creation, maintenance, and removal of user objects from applications, systems, and directories. Registration occurs when users are enrolled in a biometric system; population and authenticator loading are not common industry terms.

  56. C. Discretionary access control gives owners the right to decide who has access to the objects they own. Role-based access control uses administrators to make that decision for roles or groups of people with a role, task-based access control uses lists of tasks for each user, and rule-based access control applies a set of rules to all subjects.

  57. D. The Linux filesystem allows the owners of objects to determine the access rights that subjects have to them. This means that it is a discretionary access control. If the system enforced a role-based access control, Alex wouldn’t set the controls; they would be set based on the roles assigned to each subject. A rule-based access control system would apply rules throughout the system, and a mandatory access control system uses classification labels.

  58. C. The U.S. government’s Common Access Card is a smart card. The U.S. government also issues PIV cards, or personal identity verification cards.

  59. B. Privilege creep is the term used to describe the security issue that arises when users move between jobs in an organization and accumulate privileges that are never revoked when no longer necessary. This is a violation of the principle of least privilege.

  60. C. In a mandatory access control system, all subjects and objects have a label. Compartments may or may not be used, but there is not a specific requirement for either subjects or objects to be compartmentalized. The specific labels of Confidential, Secret, and Top Secret are not required by MAC.

  61. B. Mandatory access control systems allow an administrator to configure access permissions but do not allow users to delegate permission to others. Discretionary access control systems do allow this delegation. The scenario does not provide information to indicate whether a decentralized or rule-based approach is appropriate.

  62. C. Kathleen should implement a biometric factor. The cards and keys are an example of a Type 2 factor, or “something you have.” Using a smart card replaces this with another Type 2 factor, but the cards could still be loaned out or stolen. Adding a PIN suffers from the same problem: A PIN can be stolen. Adding cameras doesn’t prevent access to the facility and thus doesn’t solve the immediate problem (but it is a good idea!).

  63. D. Entitlement refers to the privileges granted to users when an account is first provisioned. Aggregation is the accumulation of privileges over time. Transitivity is the inheritance of privileges and trust through relationships. Baselines are snapshots of a system or application’s security that allow analysts to detect future modifications.

  64. A. Role-based access control gives each user an array of permissions based on their position in the organization, such as the scheme shown here. Task-based access control is not a standard approach. Rule-based access controls use rules that apply to all subjects, which isn’t something we see in the list. Discretionary access control gives object owners rights to choose how the objects they own are accessed, which is not what this list shows.

  65. C. Identity proofing that relies on a type of verification outside the initial environment that required the verification is out-of-band identity proofing. This type of verification relies on the owner of the phone or phone number having control of it but removes the ability for attackers to use only Internet-based resources to compromise an account. Knowledge-based authentication relies on answers to preselected information, whereas dynamic knowledge–based authentication builds questions using facts or data about the user. Risk-based identity proofing uses risk-based metrics to determine whether identities should be permitted or denied access. It is used to limit fraud in financial transactions, such as credit card purchases. This is a valid form of proofing but does not necessarily use an out-of-band channel, such as SMS.

Chapter 2: Security Operations and Administration (Domain 2)

  1. B. Privacy is of the utmost concern when handling personally identifiable information (PII). PII includes any information that may be reasonably tied to a specific person. This would include street addresses, telephone numbers, and national ID numbers (such as Social Security numbers). Item codes, when not tied to a name or other identifier, would not constitute PII.

  2. D. While all of the items listed are components of a strong security program, periodic audits would provide Carl with the assurance that controls continue to operate effectively over the long term.

  3. A. The situation Darlene finds herself in is an ethical dilemma, and a code of ethics would be the best place to look for guidance. This situation is specific to her employer, so she should turn to her organization’s code of ethics, rather than the more general (ISC)2 Code of Ethics.

  4. B. Nondisclosure agreements (NDAs) protect the confidentiality of sensitive information by requiring that employees and affiliates not share confidential information with third parties. NDAs normally remain in force after an employee leaves the company.

  5. A. Supply chain management can help ensure the security of hardware, software, and services that an organization acquires. Chris should focus on each step that his laptops take from the original equipment manufacturer to delivery.

  6. B. The (ISC)2 code of ethics also includes “Act honorably, honestly, justly, responsibly, and legally” but does not specifically require credential holders to disclose all breaches of privacy, trust, or ethics.

  7. B. A fence does not have the ability to detect intrusions. It does, however, have the ability to prevent and deter an intrusion. Fences are an example of a physical control.

  8. B. RAID technology provides fault tolerance for hard drive failures and is an example of a business continuity action. Restoring from backup tapes, relocating to a cold site, and restarting business operations are all disaster recovery actions.

  9. D. Fire suppression systems protect infrastructure from physical damage. Along with uninterruptible power supplies, fire suppression systems are good examples of technology used to harden physical infrastructure. Antivirus software, hardware firewalls, and two-factor authentication are all examples of logical controls.

  10. A. The message displayed is an example of ransomware, which encrypts the contents of a user’s computer to prevent legitimate use. This is an example of an availability attack.

  11. B. When following the separation of duties principle, organizations divide critical tasks into discrete components and ensure that no one individual has the ability to perform both actions. This prevents a single rogue individual from performing that task in an unauthorized manner.

  12. A. Integrity controls, such as the one Beth is implementing in this example, are designed to prevent the unauthorized modification of information.

  13. B. Virtual private networks (VPNs) provide secure communications channels over otherwise insecure networks (such as the Internet) using encryption. If you establish a VPN connection between the two offices, users in one office could securely access content located on the other office’s server over the Internet. Digital signatures are used to provide nonrepudiation, not confidentiality. Virtual LANs (VLANs) provide network segmentation on local networks but do not cross the Internet. Digital content management solutions are designed to manage web content, not access shared files located on a file server.

  14. C. RAID uses additional hard drives to protect the server against the failure of a single device. Load balancing and server clustering do add robustness but require the addition of a server. Scheduled backups protect against data loss but do not provide immediate access to data in the event of a hard drive failure.

  15. A. Hashing allows you to computationally verify that a file has not been modified between hash evaluations. ACLs and read-only attributes are useful controls that may help you prevent unauthorized modification, but they cannot verify that files were not modified. Firewalls are network security controls and do not verify file integrity.

  16. D. Mandatory vacation programs require that employees take continuous periods of time off each year and revoke their system privileges during that time. This will ideally disrupt any attempt to engage in the cover-up actions necessary to hide fraud and result in exposing the threat. Separation of duties, least privilege, and defense in depth controls all may help prevent the fraud in the first place but are unlikely to speed the detection of fraud that has already occurred.

  17. B. Baselines provide the minimum level of security that every system throughout the organization must meet.

  18. A. Keyloggers monitor the keystrokes of an individual and report them back to an attacker. They are designed to steal sensitive information, a disruption of the goal of confidentiality.

  19. C. Confidentiality controls prevent the disclosure of sensitive information to unauthorized individuals. Limiting the likelihood of a data breach is an attempt to prevent unauthorized disclosure.

  20. D. Keeping a server up and running is an example of an availability control because it increases the likelihood that a server will remain available to answer user requests.

  21. D. Router ACLs, encryption, and firewall rules are all examples of technical controls. Data classification is an administrative control.

  22. C. The change control board (CCB) has primary responsibility for reviewing the impact of a proposed change and coordinating the review and approval processes.

  23. B. During the Analysis/Impact Assessment phase, the organization subjects the change to peer review. In the peer review, technologists verify the accuracy and completeness of the change request and attempt to uncover any impact on other systems that might occur as a result of the change.

  24. B. Organizations adopting change management practices should appoint a change manager who will be responsible for managing policies and procedures. The change manager is also responsible for developing and maintaining the processes for requesting, approving, testing, and controlling changes.

  25. D. An organization’s incident response plan may be invoked as a result of a change gone awry, but the incident response plan itself is a stand-alone process and does not need to be included in a change request. The change request should definitely include a description of the change, an implementation plan, and a backout plan, among other components.

  26. D. Nonrepudiation allows a recipient to prove to a third party that a message came from a purported source. Authentication would provide proof to Ben that the sender was authentic, but Ben would not be able to prove this to a third party.

  27. C. Defense in depth states that organizations should have overlapping security controls designed to meet the same security objectives whenever possible. This approach provides security in the event of a single control failure.

  28. D. Stakeholders should be informed of changes before, not after, they occur. The other items listed are goals of change management programs.

  29. B. Ben should encrypt the data to provide an additional layer of protection as a compensating control. The organization has already made a policy exception, so he should not react by objecting to the exception or removing the data without authorization. Purchasing insurance may transfer some of the risk but is not a mitigating control.

  30. D. Wireshark is a protocol analyzer and may be used to eavesdrop on network connections. Eavesdropping is an attack against confidentiality.

  31. A. An organization pursuing a vital records management program should begin by identifying all of the documentation that qualifies as a vital business record. This should include all of the records necessary to restart the business in a new location should the organization invoke its business continuity plan.

  32. B. Security training is designed to provide employees with the specific knowledge they need to fulfill their job functions. It is usually designed for individuals with similar job functions.

  33. D. Awareness establishes a minimum standard of information security understanding. It is designed to accommodate all personnel in an organization, regardless of their assigned tasks.

  34. C. Sanitization is a combination of processes that ensure that data from a system cannot be recovered by any means. Erasing and clearing are both prone to mistakes and technical problems that can result in remnant data and don’t make sense for systems that handled proprietary information. Destruction is the most complete method of ensuring that data cannot be exposed, and some organizations opt to destroy the entire workstation, but that is not a typical solution because of the cost involved.

  35. B. A baseline is a set of security configurations that can be adopted and modified to fit an organization’s security needs. A security policy is written to describe an organization’s approach to security, while DSS is the second half of the Payment Card Industry Data Security Standard. The NIST SP-800 series of documents address computer security in a variety of areas.

  36. A. The need to protect sensitive data drives information classification. This allows organizations to focus on data that needs to be protected rather than spending effort on less important data. Remanence describes data left on media after an attempt is made to remove the data. Transmitting data isn’t a driver for an administrative process to protect sensitive data, and clearing is a technical process for removing data from media.

  37. D. The NIST SP 800-88 process for sanitization and disposition shows that media that will be reused and was classified at a moderate level should be purged and then that purge should be validated. Finally, it should be documented.

  38. C. Security baselines provide a starting point to scope and tailor security controls to your organization’s needs. They aren’t always appropriate to specific organizational needs, they cannot ensure that systems are always in a secure state, and they do not prevent liability.

  39. D. Record retention is the process of retaining and maintaining information for as long as it is needed. A data storage policy describes how and why data is stored, while data storage is the process of actually keeping the data. Asset maintenance is a process for maintaining physical assets that is not related to information security.

  40. A. Fires may be detected as early as the incipient stage. During this stage, air ionization takes place, and specialized incipient fire detection systems can identify these changes to provide early warning of a fire.

  41. D. A preaction fire suppression system activates in two steps. The pipes fill with water once the early signs of a fire are detected. The system does not dispense water until heat sensors on the sprinkler heads trigger the second phase.

  42. A. Closed-circuit television (CCTV) systems act as a secondary verification mechanism for physical presence because they allow security officials to view the interior of the facility when a motion alarm sounds to determine the current occupants and their activities.

  43. A. Mantraps use a double set of doors to prevent piggybacking by allowing only a single individual to enter a facility at a time.

  44. A. While it would be ideal to have wiring closets in a location where they are monitored by security staff, this is not feasible in most environments. Wiring closets must be distributed geographically in multiple locations across each building used by an organization.

  45. C. Parameter checking, or input validation, is used to ensure that input provided by users to an application matches the expected parameters for the application. Developers may use parameter checking to ensure that input does not exceed the expected length, preventing a buffer overflow attack.

  46. C. A magnetic lock may usually be retrofitted to an existing door with a minimum of effort. Installing an electric lock usually requires replacing the entire door. Mantraps and turnstiles will require significant renovation projects.

  47. A. The card shown in the image has a smart chip underneath the American flag. Therefore, it is an example of a smart card. This is the most secure type of identification card technology.

  48. C. Sensitive compartmented information facilities (SCIFs) are highly secure government facilities designed for processing classified information. They would have stricter physical security requirements than any other type of facility.

  49. D. In this case, the organization used the data that they collected for a purpose other than the one that they obtained consent for from the data subjects. This is a violation of purpose limitations. There is no evidence presented that the organization collected more data than was necessary, which would violate data minimization. They disposed of the data promptly, so there was no violation of storage limitations. There is also no indication that any of the data was inaccurate.

  50. D. Administrative access controls are procedures and the policies from which they derive. They are based on regulations, requirements, and the organization’s own policies. Corrective access controls return an environment to its original status after an issue, while logical controls are technical access controls that rely on hardware or software to protect systems and data. Compensating controls are used in addition to or as an alternative to other controls.

  51. The security controls match with the categories as follows:

    1. Password: B. Technical
    2. Account reviews: A. Administrative
    3. Badge readers: C. Physical
    4. MFA: B. Technical

    5. IDP: B. Technical

      Passwords, multifactor authentication (MFA) techniques, and intrusion prevention systems (IPS) are all examples of technical controls. Account reviews are an administrative control, while using badges to control access is a physical control.

  52. B. Locks can be preventative access controls by stopping unwanted access, can deter potential intruders by making access difficult, and are physical access controls. They are not directive controls because they don’t control the actions of subjects.

  53. B. Gary should follow the least privilege principle and assign users only the permissions they need to perform their job responsibilities. Aggregation is a term used to describe the unintentional accumulation of privileges over time, also known as privilege creep. Separation of duties and separation of privileges are principles used to secure sensitive processes.

  54. A. The matrix shown in the figure is known as a segregation of duties matrix. It is used to ensure that one person does not obtain two privileges that would create a potential conflict. Aggregation describes the unintentional accumulation of privileges over time, also known as privilege creep. Two-person control is used when two people must work together to perform a sensitive action. Defense in depth is a general security principle used to describe a philosophy of overlapping security controls.

  55. A. Lydia is following the need-to-know principle. While the user may have the appropriate security clearance to access this information, there is no business justification provided, so she does not know that the user has an appropriate need to know the information.

  56. B. In this scenario, Helen designed a process that requires the concurrence of two people to perform a sensitive action. This is an example of two-person control.

  57. C. The (ISC)2 code of ethics applies only to information security professionals who are members of (ISC)2. Adherence to the code is a condition of certification, and individuals found in violation of the code may have their certifications revoked. (ISC)2 members who observe a breach of the code are required to report the possible violation by following the ethics complaint procedures.

  58. B. The principle of least privilege says that an individual should only have the privileges necessary to complete their job functions. Removing administrative privileges from nonadministrative users is an example of least privilege.

  59. C. An attack committed against an organization by an insider, such as an employee, is known as sabotage. Espionage and confidentiality breaches involve the theft of sensitive information, which is not alleged to have occurred in this case. Integrity breaches involve the unauthorized modification of information, which is not described in this scenario.

  60. B. The four canons of the (ISC)2 code of ethics are to protect society, the common good, necessary public trust and confidence and the infrastructure; act honorably, honestly, justly, responsibly and legally; provide diligent and competent service to principals; and advance and protect the profession.

  61. B. Hilda’s design follows the principle of separation of duties. Giving one user the ability to both create new accounts and grant administrative privileges combines two actions that would result in a significant security change that should be divided among two users.

  62. C. Baseline configurations serve as the starting point for configuring secure systems and applications. They contain the security settings necessary to comply with an organization’s security policy and may then be customized to meet the specific needs of an implementation. While security policies and guidelines may contain information needed to secure a system, they do not contain a set of configuration settings that may be applied to a system. The running configuration of a system is the set of currently applied settings, which may or may not be secure.

  63. C. Regression testing is software testing that runs a set of known inputs against an application and then compares the results to those produced by an earlier version of the software. It is designed to capture unanticipated consequences of deploying new code versions prior to introducing them into a production environment.

  64. A. The defense-in-depth principle states that an organization should prepare for the failure of a single security control by ensuring that each security objective is covered by two or more overlapping controls.

  65. C. Configuration management practices ensure that an organization manages the configuration of systems in an organized and automated fashion. This would include ensuring that systems remain in compliance with the baseline requirements of the organization’s security standards.

Chapter 3: Risk Identification, Monitoring, and Analysis (Domain 3)

  1. D. HAL Systems decided to stop offering the service because of the risk. This is an example of a risk avoidance strategy. The company altered its operations in a manner that eliminates the risk of NTP misuse.

  2. A. The change log contains information about approved changes and the change management process. While other logs may contain details about the change’s effect, the audit trail for change management would be found in the change log.

  3. C. Fuzzers are tools that are designed to provide invalid or unexpected input to applications, testing for vulnerabilities like format string vulnerabilities, buffer overflow issues, and other problems. A static analysis relies on examining code without running the application or code and thus would not fill forms as part of a web application. Brute-force tools attempt to bypass security by trying every possible combination for passwords or other values. A black box is a type of penetration test where the testers do not know anything about the environment.

  4. C. The exposure factor is the percentage of the facility that risk managers expect will be damaged if a risk materializes. It is calculated by dividing the amount of damage by the asset value. In this case, that is $5 million in damage divided by the $10 million facility value, or 50 percent.

  5. B. The annualized rate of occurrence is the number of times that risk analysts expect a risk to happen in any given year. In this case, the analysts expect tornados once every 200 years, or 0.005 times per year.

  6. A. The annualized loss expectancy is calculated by multiplying the single loss expectancy (SLE) by the annualized rate of occurrence (ARO). In this case, the SLE is $5,000,000, and the ARO is 0.005. Multiplying these numbers together gives you the ALE of $25,000.

  7. B. Jim should ask the information security team to flag the issue as resolved if he is sure the patch was installed. Many vulnerability scanners rely on version information or banner information and may flag patched versions if the software provider does not update the information they see. Uninstalling and reinstalling the patch will not change this. Changing the version information may not change all of the details that are being flagged by the scanner and may cause issues at a later date. Reviewing the vulnerability information for a workaround may be a good idea but should not be necessary if the proper patch is installed; it can create maintenance issues later.

  8. B. NIST SP 800-53A is titled “Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans” and covers methods for assessing and measuring controls.

    NIST 800-12 is an introduction to computer security, 800-34 covers contingency planning, and 800-86 is the “Guide to Integrating Forensic Techniques into Incident Response.”

  9. D. Black-box testing is the most realistic type of penetration test because it does not provide the penetration tester with inside information about the configuration or design of systems, software, or networks. A gray-box test provides some information, whereas a white- or crystal-box test provides significant or full detail.

  10. D. Installing a device that will block attacks is an attempt to lower risk by reducing the likelihood of a successful application attack.

  11. C. Vulnerability scanners that do not have administrative rights to access a machine or that are not using an agent scan remote machines to gather information, including fingerprints from responses to queries and connections, banner information from services, and related data. CVE information is Common Vulnerabilities and Exposures information, or vulnerability information. A port scanner gathers information about what service ports are open, although some port scanners blur the line between port and vulnerability scanners. Patch management tools typically run as an agent on a system to allow them to both monitor patch levels and update the system as needed. Service validation typically involves testing the functionality of a service, not its banner and response patterns.

  12. D. Regression testing, which is a type of functional or unit testing, tests to ensure that changes have not introduced new issues. Nonregression testing checks to see whether a change has had the effect it was supposed to, smoke testing focuses on simple problems with impact on critical functionality, and evolution testing is not a software testing technique.

  13. C. Risk mitigation strategies attempt to lower the probability and/or impact of a risk occurring. Intrusion prevention systems attempt to reduce the probability of a successful attack and are, therefore, examples of risk mitigation.

  14. B. TCP port 443 normally indicates an HTTPS server. Nikto is useful for vulnerability scanning web servers and applications and is the best choice listed for a web server. Metasploit includes some scanning functionality but is not a purpose-built tool for vulnerability scanning. zzuf is a fuzzing tool and isn’t relevant for vulnerability scans, whereas sqlmap is a SQL injection testing tool.

  15. C. After developing a list of assets, the business impact analysis team should assign values to each asset.

  16. D. The menu shown will archive logs when they reach the maximum size allowed (20 MB). These archives will be retained, which could fill the disk. Log data will not be overwritten, and log data should not be lost when the data is archived. The question does not include enough information to determine if needed information may not be logged.

  17. A. Syslog is a widely used protocol for event and message logging. Eventlog, netlog, and Remote Log Protocol are all made-up terms.

  18. C. Risks are the combination of a threat and a vulnerability. Threats are the external forces seeking to undermine security, such as the malicious hacker in this case. Vulnerabilities are the internal weaknesses that might allow a threat to succeed. In this case, the missing patch is the vulnerability. In this scenario, if the malicious hacker (threat) attempts a SQL injection attack against the unpatched server (vulnerability), the result is website defacement.

  19. B. Group Policy provides the ability to monitor and apply settings in a security baseline. Manual checks by users and using startup scripts provide fewer reviews and may be prone to failure, while periodic review of the baseline won’t result in compliance being checked.

  20. B. Group Policy enforced by Active Directory can ensure consistent logging settings and can provide regular enforcement of policy on systems. Periodic configuration audits won’t catch changes made between audits, and local policies can drift because of local changes or differences in deployments. A Windows syslog client will enable the Windows systems to send syslog to the SIEM appliance but won’t ensure consistent logging of events.

  21. B. Windows systems generate logs in the Windows native logging format. To send syslog events, Windows systems require a helper application or tool. Enterprise wireless access points, firewalls, and Linux systems all typically support syslog.

  22. B. Network Time Protocol (NTP) can ensure that systems are using the same time, allowing time sequencing for logs throughout a centralized logging infrastructure. Syslog is a way for systems to send logs to a logging server and won’t address time sequencing. Neither logsync nor SNAP is an industry term.

  23. C. Key risk indicators are used to tell those in charge of risk management how risky an activity is and how much impact changes are having on that risk profile. Identifying key risk indicators and monitoring them can help to identify high-risk areas earlier in their lifecycle. Yearly risk assessments may be a good idea but only provide a point-in-time view, whereas penetration tests may miss out on risks that are not directly security related. Monitoring logs and events using a SIEM device can help detect issues as they occur but won’t necessarily show trends in risk.

  24. D. The annualized rate of occurrence (ARO) is the frequency at which you should expect a risk to materialize each year. In a 100-year flood plain, risk analysts expect a flood to occur once every 100 years, or 0.01 times per year.

  25. C. Simply updating the version that an application provides may stop the vulnerability scanner from flagging it, but it won’t fix the underlying issue. Patching, using workarounds, or installing an application layer firewall or IPS can all help to remediate or limit the impact of the vulnerability.

  26. C. SSH uses TCP port 22, so this attack is likely an attempt to scan for open or weakly secured SSH servers. FTP uses ports 20 and 21. Telnet uses port 23, and HTTP uses port 80.

  27. A. Netflow records contain an entry for every network communication session that took place on a network and can be compared to a list of known malicious hosts. IDS logs may contain a relevant record, but it is less likely because they would create log entries only if the traffic triggers the IDS, as opposed to netflow records, which encompass all communications. Authentication logs and RFC logs would not have records of any network traffic.

  28. B. OpenVAS is an open source vulnerability scanning tool that will provide Susan with a report of the vulnerabilities that it can identify from a remote, network-based scan. Nmap is an open source port scanner. Both the Microsoft Baseline Security Analyzer (MBSA) and Nessus are closed source tools, although Nessus was originally open source.

  29. B. Not having enough log sources is not a key consideration in log management system design, although it may be a worry for security managers who can’t capture the data they need. Log management system designs must take into account the volume of log data and the network bandwidth it consumes, the security of the data, and the amount of effort required to analyze the data.

  30. B. Port 80 is used by the HTTP protocol for unencrypted web communications. If Kara wants to protect against eavesdropping, she should block this port and restrict web access to encrypted HTTPS connections on port 443.

  31. A. Port 22 is used by the Secure Shell (SSH) protocol for administrative connections. If Kara wants to restrict administrative connections, she should block access on this port.

  32. B. TCP and UDP ports 137–139 are used for NetBIOS services, whereas 445 is used for Active Directory. TCP 1433 is the default port for Microsoft SQL, indicating that this is probably a Windows server providing SQL services.

  33. B. Purchasing insurance is a means of transferring risk. If Sally had worked to decrease the likelihood of the events occurring, she would have been using a reduce or risk mitigation strategy, while simply continuing to function as the organization has would be an example of an acceptance strategy. Rejection, or denial of the risk, is not a valid strategy, even though it occurs!

  34. A. Logging systems can provide accountability for identity systems by tracking the actions, changes, and other activities a user or account performs.

  35. D. Once a vulnerability scanner identifies a potential problem, validation is necessary to verify that the issue exists. Reporting, patching, or other remediation actions can be conducted once the vulnerability has been confirmed.

  36. D. In a risk acceptance strategy, the organization decides that taking no action is the most beneficial route to managing a risk.

  37. B. Brute-force attacks try every possible password. In this attack, the password is changing by one letter at each attempt, which indicates that it is a brute-force attack. A dictionary attack would use dictionary words for the attack, whereas a man-in-the-middle or pass-the-hash attack would most likely not be visible in an authentication log except as a successful login.

  38. C. The audit finding indicates that the backup administrator may not be monitoring backup logs and taking appropriate action based on what they report, thus resulting in potentially unusable backups. Issues with review, logging, or being aware of the success or failure of backups are less important than not having usable backups.

  39. B. Microsoft’s STRIDE threat assessment model places threats into one of six categories:

    • Spoofing—threats that involve user credentials and authentication, or falsifying legitimate communications
    • Tampering—threats that involve the malicious modification of data
    • Repudiation—threats that cause actions to occur that cannot be denied by a user
    • Information disclosure—threats that involve exposure of data to unauthorized individuals
    • Denial of service—threats that deny service to legitimate users
    • Elevation of privilege—threats that provide higher privileges to unauthorized users
    • Using role-based access controls (RBACs) for specific operations will help to ensure that users cannot perform actions that they should not be able to. Auditing and logging can help detect abuse but won’t prevent it, and data type, format checks, and whitelisting are all useful for preventing attacks like SQL injection and buffer overflow attacks but are not as directly aimed at authorization issues.

  40. D. Since a shared symmetric key could be used by any of the servers, transaction identification problems caused by a shared key are likely to involve a repudiation issue. If encrypted transactions cannot be uniquely identified by server, they cannot be proved to have come from a specific server.

  41. C. Filtering is useful for preventing denial-of-service attacks but won’t prevent tampering with data. Hashes and digital signatures can both be used to verify the integrity of data, and authorization controls can help ensure that only those with the proper rights can modify the data.

  42. D. Network-enabled printers often provide services via TCP 515 and 9100 and have both nonsecure and secure web-enabled management interfaces on TCP 80 and 443. Web servers, access points, and file servers would not typically provide service on the LPR and LPD ports (515 and 9100).

  43. C. In reduction analysis, the security professional breaks the system down into five key elements: trust boundaries, data flow paths, input points, privileged operations, and details about security controls.

  44. C. Penetration tests are intended to help identify vulnerabilities, and exploiting them is part of the process rather than a hazard. Application crashes; denial of service due to system, network, or application failures; and even data corruption can all be hazards of penetration tests.

  45. D. Nmap is a popular open source port scanner. Nmap is not a vulnerability scanner, nor is it a web application fuzzer. While port scanners can be used to partially map a network and its name stands for Network Mapper, it is not a network design tool.

  46. D. Mutation testing modifies a program in small ways and then tests that mutant to determine whether it behaves as it should or whether it fails. This technique is used to design and test software tests through mutation. Static code analysis and regression testing are both means of testing code, whereas code auditing is an analysis of source code rather than a means of designing and testing software tests.

  47. C. Rebooting a Windows machine results in an information log entry. Windows defines five types of events: errors, which indicate a significant problem; warnings, which may indicate future problems; information, which describes successful operation; success audits, which record successful security accesses; and failure audits, which record failed security access attempts.

  48. C. The most important first step for a penetration test is getting permission. Once permission has been received, planning, data gathering, and then elements of the actual test like port scanning can commence.

  49. D. In an elevation of privilege attack, the attacker transforms a limited user account into an account with greater privileges, powers, and/or access to the system. Spoofing attacks falsify an identity, while repudiation attacks attempt to deny accountability for an action. Tampering attacks attempt to violate the integrity of information or resources.

  50. C. At this point in the process, Ann has no reason to believe that any actual security compromise or policy violation took place, so this situation does not meet the criteria for a security incident or intrusion. Rather, the alert generated by the intrusion detection system is simply a security event requiring further investigation. Security occurrence is not a term commonly used in incident handling.

  51. A. DNS traffic commonly uses port 53 for both TCP and UDP communications. SSH and SCP use TCP port 22. SSL and TLS do not have ports assigned to them but are commonly used for HTTPS traffic on port 443. Unencrypted web traffic over HTTP often uses port 80.

  52. D. The attack described in this scenario has all of the hallmarks of a denial-of-service attack. More specifically, Ann’s organization is likely experiencing a DNS amplification attack where an attacker sends false requests to third-party DNS servers with a forged source IP address belonging to the targeted system. Because the attack uses UDP requests, there is no three-way handshake. The attack packets are carefully crafted to elicit a lengthy response from a short query. The purpose of these queries is to generate responses headed to the target system that are sufficiently large and numerous enough to overwhelm the targeted network or system.

  53. B. Now that Ann suspects an attack against her organization, she has sufficient evidence to declare a security incident. The attack underway seems to have undermined the availability of her network, meeting one of the criteria for a security incident. This is an escalation beyond a security event but does not reach the level of an intrusion because there is no evidence that the attacker has even attempted to gain access to systems on Ann’s network. Security occurrence is not a term commonly used in incident handling.

  54. C. Dictionary attacks use a dictionary or list of common passwords as well as variations of those words to attempt to log in as an authorized user. This attack shows a variety of passwords based on a similar base word, which is often a good indicator of a dictionary attack. A brute-force attack will typically show simple iteration of passwords, while a man-in-the-middle attack would not be visible in the authentication log. A rainbow table attack is used when attackers already have password hashes in their possession and would also not show up in logs.

  55. B. ISO 27002 is an international standard focused on information security and titled “Information technology—Security techniques—Code of practice for information security management.” The Information Technology Infrastructure Library (ITIL) does contain security management practices, but it is not the sole focus of the document, and the ITIL security section is derived from ISO 27002. The Capability Maturity Model (CMM) is focused on software development, and the Project Management Body of Knowledge (PMBOK) Guide focuses on project management.

  56. The status messages match with the descriptions as follows:

    1. Open: C. The port is accessible on the remote system and an application is accepting connections on that port.
    2. Closed: A. The port is accessible on the remote system, but no application is accepting connections on that port.
    3. Filtered: B. The port is not accessible on the remote system.

  57. D. Tony would see the best results by combining elements of quantitative and qualitative risk assessment. Quantitative risk assessment excels at analyzing financial risk, while qualitative risk assessment is a good tool for intangible risks. Combining the two techniques provides a well-rounded risk picture.

  58. B. zzuf is the only fuzzer on the list, and zzuf is specifically designed to work with tools like web browsers, image viewers, and similar software by modifying network and file input to application. Nmap is a port scanner, Nessus is a vulnerability scanner, and Nikto is a web server scanner.

  59. B. Flows, also often called network flows, are captured to provide insight into network traffic for security, troubleshooting, and performance management. Audit logging provides information about events on the routers, route logging is not a common network logging function, and trace logs are used in troubleshooting specific software packages as they perform their functions.

  60. B. Metasploit is an exploitation package that is designed to assist penetration testers. A tester using Metasploit can exploit known vulnerabilities for which an exploit has been created or can create their own exploits using the tool. While Metasploit provides built-in access to some vulnerability scanning functionality, a tester using Metasploit should primarily be expected to perform actual tests of exploitable vulnerabilities. Similarly, Metasploit supports creating buffer overflow attacks, but it is not a purpose-built buffer overflow testing tool, and of course testing systems for zero-day exploits doesn’t work unless they have been released.

  61. D. Whenever you choose to accept a risk, you should maintain detailed documentation of the risk acceptance process to satisfy auditors in the future. This should happen before implementing security controls, designing a disaster recovery plan, or repeating the business impact analysis (BIA).

  62. C. After scanning for open ports using a port scanning tool like nmap, penetration testers will identify interesting ports and then conduct vulnerability scans to determine what services may be vulnerable. This will perform many of the same activities as connecting to a web server. It will also typically be more useful than trying to manually test for vulnerable accounts via Telnet. sqlmap would typically be used after a vulnerability scanner identifies additional information about services, and the vulnerability scanner will normally provide a wider range of useful information.

  63. B. The system is likely a Linux system. The system shows X11, as well as login, shell, and nfs ports, all of which are more commonly found on Linux systems than Windows systems or network devices. This system is also very poorly secured; many of the services running on it should not be exposed in a modern secure network.

  64. D. Nmap only scans 1000 TCP and UDP ports by default, including ports outside the 0–1024 range of “well-known” ports. By using the defaults for nmap, Ben missed 64,535 ports. OS fingerprinting won’t cover more ports but would have provided a best guess of the OS running on the scanned system.

  65. A. Risks exist when there is an intersection of a threat and a vulnerability. This is described using the equation Risk = Threat * Vulnerability.

  66. D. In many cases when an exploit is initially reported, there are no prebuilt signatures or detections for vulnerability scanners, and the CVE database may not immediately have information about the attack. Jacob’s best option is to quickly gather information and review potentially vulnerable servers based on their current configuration. As more information becomes available, signatures and CVE information are likely to be published. Unfortunately for Jacob, IDS and IPS signatures will only detect attacks and won’t detect whether systems are vulnerable unless he sees the systems being exploited.

  67. C. Inconsistent time stamps are a common problem, often caused by improperly set time zones or because of differences in how system clocks are set. In this case, a consistent time difference often indicates that one system uses local time, and the other is using Greenwich mean time (GMT). Logs from multiple sources tend to cause problems with centralization and collection, whereas different log formats can create challenges in parsing log data. Finally, modified logs are often a sign of intrusion or malicious intent.

  68. D. The final step of a quantitative risk analysis is conducting a cost-benefit analysis to determine whether the organization should implement proposed countermeasure(s).

  69. C. The string shown in the logs is characteristic of a directory traversal attack where the attacker attempts to force the web application to navigate up the file hierarchy and retrieve a file that should not normally be provided to a web user, such as the password file. The series of “double dots” is indicative of a directory traversal attack because it is the character string used to reference the directory one level up in a hierarchy.

  70. C. The two main methods of choosing records from a large pool for further analysis are sampling and clipping. Sampling uses statistical techniques to choose a sample that is representative of the entire pool, while clipping uses threshold values to select those records that exceed a predefined threshold because they may be of most interest to analysts.

  71. C. A TCP scan that sets all or most of the possible TCP flags is called a Christmas tree, or Xmas, scan since it is said to “light up like a Christmas tree” with the flags. A SYN scan would attempt to open TCP connections, whereas an ACK scan sends packets with the ACK flag set. There is no such type of scan known as a TCP flag scan.

  72. B. Qualitative tools are often used in business impact assessment to capture the impact on intangible factors such as customer confidence, employee morale, and reputation.

  73. C. Vulnerability scanners cannot detect vulnerabilities for which they do not have a test, plug-in, or signature. Signatures often include version numbers, service fingerprints, or configuration data. They can detect local vulnerabilities as well as those that require authentication if they are provided with credentials, and of course, they can detect service vulnerabilities.

  74. C. Path disclosures, local file inclusions, and buffer overflows are all vulnerabilities that may be found by a web vulnerability scanner, but race conditions that take advantage of timing issues tend to be found either by code analysis or using automated tools that specifically test for race conditions as part of software testing.

  75. D. The IP addresses that his clients have provided are RFC 1918 nonroutable IP addresses, and Jim will not be able to scan them from off-site. To succeed in his penetration test, he will have to either first penetrate their network border or place a machine inside their network to scan from the inside. IP addresses overlapping is not a real concern for scanning, and the ranges can easily be handled by current scanning systems.

Chapter 4: Incident Response and Recovery (Domain 4)

  1. C. Tara’s highest priority should be containing the damage to prevent the spread of the incident to other systems and networks. She has already detected the incident, so detection is not a priority. Eradication and recovery should occur only after the incident has been contained.

  2. C. Alan should request that the organization provide him with a securely generated hash value that was created when the evidence was originally collected. Alan can then compare the hash value of the current drive contents with that value to verify that the evidence was not altered.

  3. C. Photo metadata commonly includes the GPS location, the type of camera used to capture the photo, and the timestamp when the photo was taken. It does not include the number of times that the file was copied.

  4. D. John the Ripper is a password cracking tool. Using it on a Linux system requires copies of both the /etc/passwd and /etc/shadow files.

  5. C. NIST describes this type of event as a security incident because it is a violation or imminent threat of violation of security policies and practices. An adverse event is any event with negative consequences, and an event is any observable occurrence on a system or network.

  6. B. In cases where an advanced persistent threat (APT) has been present for an unknown period of time, backups should be assumed to be compromised. Since APTs often have tools that cannot be detected by normal anti-malware techniques, the best option that Charles has is to carefully rebuild the systems from the ground up and then ensure that they are fully patched and secured before returning them to service.

  7. A. Purging requires complete removal of data, and cryptographic erase is the only option that will fully destroy the contents of a drive from this list. Reformatting will leave the original data in place, overwriting leaves the potential for file remnants in slack space, and repartitioning will also leave data intact in the new partitions.

  8. B. Unless she already knows the protocol that a particular beacon uses, filtering out beacons by protocol may cause her to miss beaconing behavior. Attackers want to dodge common analytical tools and will use protocols that are less likely to attract attention. Filtering network traffic for beacons based on the intervals and frequency they are sent at, if the beacon persists over time, and removing known traffic are common means of filtering traffic to identify beacons.

  9. C. Local scans often provide more information than remote scans because of network or host firewalls that block access to services. This is the most likely problem. The second most likely answer is that Scott or Joanna used different settings when they scanned.

  10. B. A hardware write blocker can ensure that connecting or mounting the drive does not cause any changes to occur on the drive. Mika should create one or more forensic images of the original drive and then work with the copy or copies as needed. She may then opt to use forensic software, possibly including a software write blocker.

  11. A. This form is a chain of custody form. It includes information about the case, copies of drives that were created, and who was in possession of drives, devices, and copies during the investigation.

  12. B. SNMP, packet sniffing, and Netflow are commonly used when monitoring bandwidth consumption. Portmon is an aging Windows tool used to monitor serial ports, not exactly the sort of tool that you’d use to monitor network bandwidth!

  13. B. Conducting a lessons-learned review after using an incident response plan can help to identify improvements and to ensure that the plan is up-to-date and ready to handle future events.

  14. B. If Kathleen’s company uses a management system or inventory process to capture the MAC addresses of known systems, then a MAC address report from her routers and switches will show her devices that are connected to the network but not in the inventory. She can then track down where the devices are physically connected to a switch port and investigate the device.

  15. B. If business concerns override his ability to suspend the system, the best option that Charles has is to copy the virtual disk files and then use a live memory imaging tool. This will give him the best forensic copy achievable under the circumstances. Snapshotting the system and booting it will result in a loss of live memory artifacts. Escalating may be possible in some circumstances, but the scenario specifies that the system must remain online. Finally, Volatility can capture memory artifacts, but is not designed to capture a full virtual machine.

  16. D. A CSIRT leader must have authority to direct the incident response process and should be able to act as a liaison with organizational management. While Lauren may not have deep incident response experience, she is in the right role to provide those connections and leadership. She should look at retaining third-party experts for incidents if she needs additional skills or expertise on her IR team.

  17. A. A logical acquisition focuses on specific files of interest, such as a specific type of file, or files from a specific location. In Eric’s case, a logical acquisition meets his needs. A sparse acquisition also collects data from unallocated space. A bit-by-bit acquisition is typically performed for a full drive and will take longer.

  18. C. An organization’s incident response communications plan should include details of appropriate contacts with all entities who may be involved in incident response. This likely includes law enforcement agencies, the media, and security vendors. It is less likely that an organization would need to contact utility providers during a cybersecurity incident response effort.

  19. B. Disclosure based on regulatory or legislative requirements is commonly part of an incident response process; however, public feedback is typically a guiding element of information release. Limiting communication to trusted parties and ensuring that data and communications about the incident are properly secured are both critical to the security of the incident response process. This also means that responders should work to limit the potential for accidental release of incident related information.

  20. C. NIST describes events with negative consequences as adverse events. It might be tempting to immediately call this a security incident; however, this wouldn’t be classified that way until an investigation was conducted. If the user accidentally accessed the file, it would typically not change classification. Intentional or malicious access would cause the adverse event to become a security incident.

  21. B. When forensic evidence or information is produced for a civil case, it is called eDiscovery. This type of discovery often involves massive amounts of data including email, files, text messages, and any other electronic evidence that is relevant to the case.

  22. C. RAID level 5, disk striping with parity, requires a minimum of three physical hard disks to operate.

  23. A. Senior managers play several business continuity planning roles. These include setting priorities, obtaining resources, and arbitrating disputes among team members.

  24. A. Business continuity plan documentation normally includes the continuity planning goals, a statement of importance, statement of priorities, statement of organizational responsibility, statement of urgency and timing, risk assessment and risk acceptance and mitigation documentation, a vital records program, emergency response guidelines, and documentation for maintaining and testing the plan.

  25. C. Electronic vaulting is a data backup task that is part of disaster recovery, not business continuity, efforts.

  26. C. Everyone in the organization should receive a basic awareness training for the business continuity program. Those with specific roles, such as first responders and senior executives, should also receive detailed, role-specific training.

  27. A. The emergency response guidelines should include the immediate steps an organization should follow in response to an emergency situation. These include immediate response procedures, a list of individuals who should be notified of the emergency and secondary response procedures for first responders. They do not include long-term actions such as activating business continuity protocols, ordering equipment, or activating DR sites.

  28. A. Alejandro is in the first stage of the incident response process, detection. During this stage, the intrusion detection system provides the initial alert, and Alejandro performs preliminary triaging to determine whether an intrusion is actually taking place and whether the scenario fits the criteria for activating further steps of the incident response process (which include response, mitigation, reporting, recovery, remediation, and lessons learned).

  29. C. After detection of a security incident, the next step in the process is response, which should follow the organization’s formal incident response procedure. The first step of this procedure is activating the appropriate teams, including the organization’s computer security incident response team (CSIRT).

  30. C. The root-cause analysis examines the incident to determine what allowed it to happen and provides critical information for repairing systems so that the incident does not recur. This is a component of the remediation step of the incident response process because the root cause analysis output is necessary to fully remediate affected systems and processes.

  31. A. The risk assessment team should pay the most immediate attention to those risks that appear in quadrant I. These are the risks with a high probability of occurring and a high impact on the organization if they do occur.

  32. C. While senior management should be represented on the BCP team, it would be highly unusual for the CEO to fill this role personally.

  33. D. Of the states listed, Florida is the only one that is not shaded to indicate a serious risk of a major earthquake.

  34. D. The system Charles is remediating may have a firmware or BIOS infection, with malware resident on the system board. While uncommon, this type of malware can be difficult to find and remove. Since he used original media, it is unlikely that the malware came from the software vendor. Charles wiped the system partition, and the system would have been rebooted before being rebuilt, thus clearing system memory.

  35. B. Matt is helping to maintain the chain of custody documentation for his electronic evidence. This can be important if his organization needs to prove that the digital evidence they handled has not been tampered with. A better process would involve more than one person to ensure that no tampering was possible.

  36. B. Karen can’t use MTD verification because MTD is the maximum tolerable downtime. Verifying it will only tell her how long systems can be offline without significant business impact. Reviewing logs, using hashing to verify that the logs are intact, and performing periodic tests are all valid ways to verify that the backups are working properly.

  37. A. The illustration shows an example of a failover cluster, where DB1 and DB2 are both configured as database servers. At any given time, only one will function as the active database server, while the other remains ready to assume responsibility if the first one fails. While the environment may use UPS, tape backup, and cold sites as disaster recovery and business continuity controls, they are not shown in the diagram.

  38. C. A forensic disk controller performs four functions. One of those, write blocking, intercepts write commands sent to the device and prevents them from modifying data on the device. The other three functions include returning data requested by a read operation, returning access-significant information from the device, and reporting errors from the device back to the forensic host.

  39. D. The checklist review is the least disruptive type of disaster recovery test. During a checklist review, team members each review the contents of their disaster recovery checklists on their own and suggest any necessary changes. During a tabletop exercise, team members come together and walk through a scenario without making any changes to information systems. During a parallel test, the team actually activates the disaster recovery site for testing, but the primary site remains operational. During a full interruption test, the team takes down the primary site and confirms that the disaster recovery site is capable of handling regular operations. The full interruption test is the most thorough test but also the most disruptive.

  40. B. The Grandfather/Father/Son, Tower of Hanoi, and Six Cartridge Weekly schemes are all different approaches to rotating backup media that balance reuse of media with data retention concerns. Meet-in-the-middle is a cryptographic attack against 2DES encryption.

  41. C. Evidence provided in court must be relevant to determining a fact in question, material to the case at hand, and competently obtained. Evidence does not need to be tangible. Witness testimony is an example of intangible evidence that may be offered in court.

  42. C. In this scenario, all of the files on the server will be backed up on Monday evening during the full backup. The differential backup on Wednesday will then copy all files modified since the last full backup. These include files 1, 2, 3, 5, and 6: a total of five files.

    image

  43. B. The scrutiny of hard drives for forensic purposes is an example of media analysis. Embedded device analysis looks at the computers included in other large systems, such as automobiles or security systems. Software analysis analyzes applications and their logs. Network analysis looks at network traffic and logs.

  44. C. Security incidents negatively affect the confidentiality, integrity, or availability of information or assets and/or violate a security policy. The unauthorized vulnerability scan of a server does violate security policy and may negatively affect the security of that system, so it qualifies as a security incident. The completion of a backup schedule, logging of system access, and update of antivirus signatures are all routine actions that do not violate policy or jeopardize security, so they are all events rather than incidents.

  45. B. The maximum tolerable downtime (MTD) is the longest amount of time that an IT service or component may be unavailable without causing serious damage to the organization. The recovery time objective (RTO) is the amount of time expected to return an IT service or component to operation after a failure. The recovery point objective (RPO) identifies the maximum amount of data, measured in time, that may be lost during a recovery effort. Service-level agreements (SLAs) are written contracts that document service expectations.

  46. A. Interviews occur when investigators meet with an individual who may have information relevant to their investigation but is not a suspect. If the individual is a suspect, then the meeting is an interrogation.

  47. The terms match with the definitions as follows:

    1. Hot site: B. A site with dedicated storage and real-time data replication, often with shared equipment that allows restoration of service in a very short time
    2. Cold site: D. A rented space with power, cooling, and connectivity that can accept equipment as part of a recovery effort
    3. Warm site: C. A site that relies on shared storage and backups for recovery
    4. Service bureau: A. An organization that can provide on-site or off-site IT services in the event of a disaster

  48. C. In an electronic vaulting approach, automated technology moves database backups from the primary database server to a remote site on a scheduled basis, typically daily. Transaction logging is not a recovery technique alone; it is a process for generating the logs used in remote journaling. Remote journaling transfers transaction logs to a remote site on a more frequent basis than electronic vaulting, typically hourly. Remote mirroring maintains a live database server at the backup site and mirrors all transactions at the primary site on the server at the backup site.

  49. C. The end goal of the disaster recovery process is restoring normal business operations in the primary facility. All of the other actions listed may take place during the disaster recovery process, but the process is not complete until the organization is once again functioning normally in its primary facilities.

  50. C. The Mitigation phase of incident response focuses on actions that can contain the damage incurred during an incident. This includes limiting the scope and or effectiveness of the incident.

  51. C. The National Institute for Standards and Technologies recommends that organizations implement a mentoring program for incident response team members and provide team members with the opportunity to work on other tasks. They also recommend periodic exercises to evaluate the team’s effectiveness. Rather than assigning all members of the team on a permanent basis, NIST recommends rotating members on and off the team periodically.

  52. C. Gordon may conduct his investigation as he wants and use any information that is legally available to him, including information and systems belonging to his employer. There is no obligation to contact law enforcement. However, Gordon may not perform “hack back” activities because those may constitute violations of the law and/or (ISC)2 Code of Ethics.

  53. B. Netflow data contains information on the source, destination, and size of all network communications and is routinely saved as a matter of normal activity. Packet capture data would provide relevant information, but it must be captured during the suspicious activity and cannot be re-created after the fact unless the organization is already conducting 100 percent packet capture, which is rare. Additionally, the use of encryption limits the effectiveness of packet capture. Intrusion detection system logs would not likely contain relevant information because the encrypted traffic would probably not match intrusion signatures. Centralized authentication records would not contain information about network traffic.

  54. B. During a parallel test, the team actually activates the disaster recovery site for testing, but the primary site remains operational. During a full interruption test, the team takes down the primary site and confirms that the disaster recovery site is capable of handling regular operations. The full interruption test is the most thorough test but also the most disruptive. The checklist review is the least disruptive type of disaster recovery test. During a checklist review, team members each review the contents of their disaster recovery checklists on their own and suggest any necessary changes. During a tabletop exercise, team members come together and walk through a scenario without making any changes to information systems.

  55. C. Both the receipt of alerts and the verification of their accuracy occur during the Detection phase of the incident response process.

  56. A. Virtual machines run full guest operating systems on top of a host platform known as the hypervisor.

  57. A. During the lessons learned phase, analysts close out an incident by conducting a review of the entire incident response process. This may include making recommendations for improvements to the process that will streamline the efficiency and effectiveness of future incident response efforts.

  58. C. In this case, the person perpretrating the security incident is an employee. This person is likely able to bypass many of the organization’s security controls and the activity would not likely be identified by an intrusion detection system or firewall logs. There is no mention of malicious software, so antivirus software would also be unlikely to detect the issue. However, file integrity monitoring systems would likely detect the unauthorized data modification.

  59. B. During the containment phase, the incident response team’s goal is to limit the damage caused by an incident. They do this by isolating impacted systems and restricting access to resources to prevent the spread of the incident.

  60. A. Expert opinion evidence allows individuals to offer their opinion based upon the facts in evidence and their personal knowledge. Expert opinion evidence may be offered only if the court accepts the witness as an expert in a particular field. Direct evidence is when witnesses testify about their direct observations. Real evidence consists of tangible items brought into court as evidence. Documentary evidence consists of written records used as evidence in court.

  61. B. The analysis of application logs is one of the core tasks of software analysis. This is the correct answer because SQL injection attacks are application attacks.

  62. A. A lessons learned document is often created and distributed to involved parties after a postmortem review to ensure that those who were involved in the incident and others who may benefit from the knowledge are aware of what they can do to prevent future issues and to improve response in the event that one occurs.

  63. B. A content distribution network (CDN) is designed to provide reliable, low-latency, geographically distributed content distribution. In this scenario, a CDN is an ideal solution. A P2P CDN like BitTorrent isn’t a typical choice for a commercial entity, whereas redundant servers or a hot site can provide high availability but won’t provide the remaining requirements.

  64. B. Although the CEO will not normally serve on a BCP team, it is best to obtain top-level management approval for your plan to increase the likelihood of successful adoption.

  65. D. The project scope and planning phase includes four actions: a structured analysis of the organization, the creation of a BCP team, an assessment of available resources, and an analysis of the legal and regulatory landscape.

Chapter 5: Cryptography (Domain 5)

  1. C. Protecting the sensitive information with either full disk encryption or file encryption would render it unreadable to anyone finding the device. Data minimization would involve the removal of sensitive information from the device. File integrity monitoring would detect any changes in information stored on the device but would not protect against data loss.

  2. B. Self-signed certificates are functionally equivalent to those purchased from a trusted certificate authority. The fundamental difference is that they don’t carry the trusted signature of a CA and, therefore, won’t be trusted by web browsers by default. They are generally only appropriate for internal use.

  3. D. Phil Zimmerman’s Pretty Good Privacy (PGP) software is an encryption technology based upon the Web of Trust (WoT). This approach extends the social trust relationship to encryption keys.

  4. A. Kevin can take a cryptographic hash of the log files when they are created and then later repeat the use of the same hash function and compare the two hash values. If the hash values are identical, Kevin can be confident that the file was not altered.

  5. C. Secure Sockets Layer (SSL), Transport Layer Security (TLS), and virtual private networks (VPNs) are all used to protect data in motion. AES cryptography may be used to protect data at rest. SSL is no longer considered secure, so it is not a good choice for Greg. The only answer choice that matches each tool with the appropriate type of information and does not use SSL is using TLS for data in motion and AES for data at rest.

  6. A. Unfortunately, the RADIUS protocol only supports the weak MD5 hash function. This is the major criticism of the RADIUS protocol. Most organizations require that RADIUS be protected with additional encryption to compensate for this vulnerability.

  7. C. Encryption is often used to protect traffic like bank transactions from sniffing. While packet injection and man-in-the-middle attacks are possible, they are far less likely to occur, and if a VPN were used, it would be used to provide encryption. TEMPEST is a specification for techniques used to prevent spying using electromagnetic emissions and wouldn’t be used to stop attacks at any normal bank.

  8. C. Information shared with customers is public, internal business could be sensitive or private, and trade secrets are proprietary. Thus, public, sensitive, proprietary matches this most closely. Confidential is a military classification, which removes two of the remaining options, and trade secrets are more damaging to lose than a private classification would allow.

  9. C. A watermark is used to digitally label data and can be used to indicate ownership. Encryption would have prevented the data from being accessed if it was lost, while classification is part of the set of security practices that can help make sure the right controls are in place. Finally, metadata is used to label data and might help a data loss prevention system flag it before it leaves your organization.

  10. B. AES is a strong modern symmetric encryption algorithm that is appropriate for encrypting data at rest. TLS is frequently used to secure data when it is in transit. A virtual private network is not necessarily an encrypted connection and would be used for data in motion, while DES is an outdated algorithm and should not be used for data that needs strong security.

  11. C. A and E can both be expected to have data at rest. C, the Internet, is an unknown, and the data can’t be guaranteed to be at rest. B, D, and F are all data in transit across network links.

  12. C. B, D, and F all show network links. Of the answers provided, Transport Layer Security (TLS) provides the best security for data in motion. AES-256 and 3DES are both symmetric ciphers and are more likely to be used for data at rest. SSL has been replaced with TLS and should not be a preferred solution.

  13. B. Sending a file that is encrypted before it leaves means that exposure of the file in transit will not result in a confidentiality breach, and the file will remain secure until decrypted at location E. Since answers A, C, and D do not provide any information about what happens at point C, they should be considered insecure, as the file may be at rest at point C in an unencrypted form.

  14. C. Data at rest is inactive data that is physically stored. Data in an IPsec tunnel or part of an e-commerce transaction is data in motion. Data in RAM is ephemeral and is not inactive.

  15. B. FTP and Telnet do not provide encryption for the data they transmit and should not be used if they can be avoided. SFTP and SSH provide encryption to protect both the data they send and the credentials that are used to log in via both utilities.

  16. A. NIST Special Publication 800-122 defines PII as any information that can be used to distinguish or trace an individual’s identity, such as name, Social Security number, date and place of birth, mother’s maiden name, biometric records, and other information that is linked or linkable to an individual such as medical, educational, financial, and employment information. PHI is health-related information about a specific person, Social Security numbers are issued to individuals in the United States, and SII is a made-up term.

  17. The data elements match with the categories as follows:

    Data elements

    1. Medical records: B. PHI
    2. Credit card numbers: A. PCI DSS
    3. Social Security numbers: C. PII

    4. Driver’s license numbers: C. PII

      Medical records are an example of protected health information (PHI). Credit card numbers are personally identifiable information (PII), but they are also covered by the Payment Card Industry Data Security Standard (PCI DSS), which is a more specific category governing only credit card information and is a better answer. Social Security numbers and driver’s license numbers are examples of PII.

  18. C. TLS is a modern encryption method used to encrypt and protect data in transit. BitLocker is a full disk encryption technology used for data at rest. DES and SSL are both outdated encryption methods and should not be used for data that requires high levels of security.

  19. C. By default, BitLocker and Microsoft’s Encrypting File System (EFS) both use AES (Advanced Encryption Standard), which is the NIST-approved replacement for DES (Data Encryption Standard). Serpent was a competitor of AES, and 3DES was created as a possible replacement for DES.

  20. A. The POODLE (or Padding Oracle On Downgraded Legacy Encryption) attack helped force the move from SSL 3.0 to TLS because it allowed attackers to easily access SSL encrypted messages. Stuxnet was a worm aimed at the Iranian nuclear program, while CRIME and BEAST were earlier attacks against SSL.

  21. D. Using strong encryption, like AES-256, can help ensure that loss of removable media like tapes doesn’t result in a data breach. Security labels may help with handling processes, but they won’t help once the media is stolen or lost. Having multiple copies will ensure that you can still access the data but won’t increase the security of the media. Finally, using hard drives instead of tape only changes the media type and not the risk from theft or loss.

  22. D. Electronic signatures, as used in this rule, prove that the signature was provided by the intended signer. Electronic signatures as part of the FDA code are intended to ensure that electronic records are “trustworthy, reliable, and generally equivalent to paper records and handwritten signatures executed on paper.” Signatures cannot provide confidentiality or integrity and don’t ensure that someone has reviewed the data.

  23. D. Secure Shell (SSH) is an encrypted protocol for remote login and command-line access. SCP and SFTP are both secure file transfer protocols, while WDS is the acronym for Windows Deployment Services, which provides remote installation capabilities for Windows operating systems.

  24. D. Data in transit is data that is traversing a network or is otherwise in motion. TLS, VPNs, and IPsec tunnels are all techniques used to protect data in transit. AES, Serpent, and IDEA are all symmetric algorithms, while Telnet, ISDN, and UDP are all protocols. BitLocker and FileVault are both used to encrypt data, but they protect only stored data, not data in transit.

  25. D. Bcrypt is based on Blowfish (the b is a key hint here). AES and 3DES are both replacements for DES, while Diffie–Hellman is a protocol for key exchange.

  26. D. Personally identifiable information includes any information that can uniquely identify an individual. This would include name, Social Security number, and any other unique identifier (including a student ID number). ZIP code, by itself, does not uniquely identify an individual.

  27. C. AES is a strong symmetric cipher that is appropriate for use with data at rest. SHA1 is a cryptographic hash, while TLS is appropriate for data in motion. DES is an outdated and insecure symmetric encryption method.

  28. B. Symmetric encryption like AES is typically used for data at rest. Asymmetric encryption is often used during transactions or communications when the ability to have public and private keys is necessary. DES is an outdated encryption standard, and OTP is the acronym for onetime password.

  29. A. Tapes are frequently exposed because of theft or loss in transit. That means that tapes that are leaving their normal storage facility should be handled according to the organization’s classification schemes and handling requirements. Purging the tapes would cause the loss of data, while increasing the classification level of the tapes. The tapes should be encrypted rather than decrypted.

  30. C. PGP, or Pretty Good Privacy (or its open source alternative, GPG), provides strong encryption of files, which can then be sent via email. Email traverses multiple servers and will be unencrypted at rest at multiple points along its path as it is stored and forwarded to its destination.

  31. D. Intentional collisions have been created with MD5, and a real-world collision attack against SHA 1 was announced in early 2017. 3DES is not a hashing tool, leaving SHA 256 (sometimes called SHA 2) as the only real choice that Chris has in this list.

  32. B. The salt is a random value added to a password before it is hashed by the operating system. The salt is then stored in a password file with the hashed password. This increases the complexity of cryptanalytic attacks by negating the usefulness of attacks that use precomputed hash values, such as rainbow tables.

  33. A. Hash functions do not include any element of secrecy and, therefore, do not require a cryptographic key.

  34. B. The Encapsulating Security Payload (ESP) protocol provides confidentiality and integrity for packet contents. It encrypts packet payloads and provides limited authentication and protection against replay attacks.

  35. C. In an asymmetric cryptosystem, the sender of a message always encrypts the message using the recipient’s public key.

  36. D. When Bob receives the message, he uses his own private key to decrypt it. Since he is the only one with his private key, he is the only one who should be able to decrypt it, thus preserving confidentiality.

  37. B. Each user retains their private key as secret information. In this scenario, Bob would only have access to his own private key and would not have access to the private key of Alice or any other user.

  38. B. Alice creates the digital signature using her own private key. Then Bob, or any other user, can verify the digital signature using Alice’s public key.

  39. D. The greatest risk when a device is lost or stolen is that sensitive data contained on the device will fall into the wrong hands. Confidentiality protects against this risk.

  40. A. DES uses a 64-bit encryption key, but only 56 of those bits are actually used as keying material in the encryption operation. The remaining 8 bits are used to detect tampering or corruption of the key.

  41. B. The Diffie–Hellman algorithm allows for the secure exchange of symmetric encryption keys over a public network.

  42. A. Hash functions must be able to work on any variable-length input and produce a fixed-length output from that input, regardless of the length of the input.

  43. C. Binary keyspaces contain a number of keys equal to two raised to the power of the number of bits. Two to the fifth power is 32, so a 5-bit keyspace contains 32 possible keys.

  44. B. Kerckhoff’s principle says that a cryptographic system should be secure even if everything about the system, except the key, is public knowledge.

  45. C. Nonrepudiation occurs when the recipient of a message is able to demonstrate to a third party that the message came from the purported sender.

  46. A. The MD5 hash algorithm has known collisions and, as of 2005, is no longer considered secure for use in modern environments.

  47. C. In a known plaintext attack, the attacker has a copy of the encrypted message along with the plaintext message used to generate that ciphertext.

  48. A. The X.509 standard, developed by the International Telecommunications Union, contains the specification for digital certificates.

  49. C. This message was most likely encrypted with a transposition cipher. The use of a substitution cipher, a category that includes AES and 3DES, would change the frequency distribution so that it did not mirror that of the English language.

  50. D. The meet-in-the-middle attack uses a known plaintext message and uses both encryption of the plaintext and decryption of the ciphertext simultaneously in a brute-force manner to identify the encryption key in approximately double the time of a brute-force attack against the basic DES algorithm.

  51. A. Blowfish allows the user to select any key length between 32 and 448 bits.

  52. A. Digital signatures are possible only when using an asymmetric encryption algorithm. Of the algorithms listed, only RSA is asymmetric and supports digital signature capabilities.

  53. A. In TLS, both the server and the client first communicate using an ephemeral symmetric session key. They exchange this key using asymmetric cryptography, but all encrypted content is protected using symmetric cryptography.

  54. C. Asymmetric cryptosystems use a pair of keys for each user. In this case, with 1,000 users, the system will require 2,000 keys.

  55. A. The certificate revocation list contains the serial numbers of digital certificates issued by a certificate authority that have later been revoked.

  56. A. The point of the digital certificate is to prove to Alison that the server belongs to the bank, so she does not need to have this trust in advance. To trust the certificate, she must verify the CA’s digital signature on the certificate, trust the CA, verify that the certificate is not listed on a CRL, and verify that the certificate contains the name of the bank.

  57. C. Self-signed digital certificates should be used only for internal-facing applications, where the user base trusts the internally generated digital certificate.

  58. C. Quantum may choose to use any or all of these security controls, but data encryption is, by far, the most important control. It protects the confidentiality of data stored on the tapes, which are most vulnerable to theft while in transit between two secure locations.

  59. C. The formula for determining the number of encryption keys required by a symmetric algorithm is ((n*(n − 1))/2). With six users, you will need ((6*5)/2), or 15 keys.

  60. C. ESP’s Transport mode encrypts IP packet data but leaves the packet header unencrypted. Tunnel mode encrypts the entire packet and adds a new header to support transmission through the tunnel.

  61. D. Nonrepudiation is possible only with an asymmetric encryption algorithm. RSA is an asymmetric algorithm. AES, DES, and Blowfish are all symmetric encryption algorithms that do not provide nonrepudiation.

  62. C. Certificates may only be added to a Certificate Revocation List by the certificate authority that created the digital certificate.

  63. C. Salting adds random text to the password before hashing in an attempt to defeat automated password cracking attacks that use precomputed values. MD5 and SHA-1 are both common hashing algorithms, so using them does not add any security. Double-hashing would only be a minor inconvenience for an attacker and would not be as effective as the use of salting.

  64. D. When using symmetric cryptography, the sender encrypts a message using a shared secret key, and the recipient then decrypts the message with that same key. Only asymmetric cryptography uses the concept of public and private key pairs.

  65. A. Skip should use SCP—Secure Copy is a secure file transfer method. SSH is a secure command-line and login protocol, whereas HTTP is used for unencrypted web traffic. Telnet is an unencrypted command-line and login protocol.

Chapter 6: Network and Communications Security (Domain 6)

  1. C. Denial-of-service (DoS) attacks and distributed denial-of-service (DDoS) attacks try to disrupt the availability of information systems and networks by flooding a victim with traffic or otherwise disrupting service.

  2. A. A repeater or concentrator will amplify the signal, ensuring that the 100-meter distance limitation of 1000BaseT is not an issue. A gateway would be useful if network protocols were changing, while Cat7 cable is appropriate for a 10Gbps network at much shorter distances. STP cable is limited to 155 Mbps and 100 meters, which would leave Chris with network problems.

  3. D. Ethernet uses a bus topology. While devices may be physically connected to a switch in a physical topology that looks like a star, systems using Ethernet can all transmit on the bus simultaneously, possibly leading to collisions.

  4. B. WPA2 enterprise uses RADIUS authentication for users rather than a preshared key. This means a password attack is more likely to fail as password attempts for a given user may result in account lockout. WPA2 encryption will not stop a password attack, and WPA2’s preshared key mode is specifically targeted by password attacks that attempt to find the key. Not only is WEP encryption outdated, but it can also frequently be cracked quickly by tools like aircrack-ng.

  5. D. Fully connected mesh networks provide each system with a direct physical link to every other system in the mesh. This is expensive but can provide performance advantages for specific types of computational work.

  6. D. Network segmentation can reduce issues with performance as well as diminish the chance of broadcast storms by limiting the number of systems in a segment. This decreases broadcast traffic visible to each system and can reduce congestion. Segmentation can also help provide security by separating functional groups who don’t need to be able to access each other’s systems. Installing a firewall at the border would only help with inbound and outbound traffic, not cross-network traffic. Spanning tree loop prevention helps prevent loops in Ethernet networks (for example, when you plug a switch into a switch via two ports on each), but it won’t solve broadcast storms that aren’t caused by a loop or security issues. Encryption might help prevent some problems between functional groups, but it won’t stop them from scanning other systems, and it definitely won’t stop a broadcast storm!

  7. A. Wardriving and warwalking are both processes used to locate wireless networks but are not typically as detailed and thorough as a site survey, and design map is a made-up term.

  8. C. The Physical layer includes electrical specifications, protocols, and standards that allow control of throughput, handling line noise, and a variety of other electrical interface and signaling requirements. The OSI layer doesn’t have a Device layer. The Transport layer connects the Network and Session layers, and the Data Link layer packages packets from the network layer for transmission and receipt by devices operating on the Physical layer.

  9. D. The RST flag is used to reset or disconnect a session. It can be resumed by restarting the connection via a new three-way handshake.

  10. The OSI layers in order from layer 1 to layer 7 are:

    • D. Physical
    • B. Data Link
    • C. Network
    • G. Transport
    • F. Session
    • E. Presentation
    • A. Application

  11. A. A well-designed set of VLANs based on functional groupings will logically separate segments of the network, making it difficult to have data exposure issues between VLANs. Changing the subnet mask will only modify the broadcast domain and will not fix issues with packet sniffing. Gateways would be appropriate if network protocols were different on different segments. Port security is designed to limit which systems can connect to a given port.

  12. D. 802.1x provides port-based authentication and can be used with technologies like EAP, the Extensible Authentication Protocol. 802.11a is a wireless standard, 802.3 is the standard for Ethernet, and 802.15.1 was the original Bluetooth IEEE standard.

  13. C. FDDI, or Fiber Distributed Data Interface, is a token-passing network that uses a pair of rings with traffic flowing in opposite directions. It can bypass broken segments by dropping the broken point and using the second, unbroken ring to continue to function. Token Ring also uses tokens, but it does not use a dual loop. SONET is a protocol for sending multiple optical streams over fiber, and a ring topology is a design, not a technology.

  14. B. The firewall in the diagram has two protected zones behind it, making it a two-tier firewall design.

  15. D. Remote PCs that connect to a protected network need to comply with security settings and standards that match those required for the internal network. The VPN concentrator logically places remote users in the protected zone behind the firewall, but that means user workstations (and users) must be trusted in the same way that local workstations are.

  16. C. An intrusion protection system can scan traffic and stop both known and unknown attacks. A web application firewall, or WAF, is also a suitable technology, but placing it at location C would only protect from attacks via the organization’s VPN, which should only be used by trusted users. A firewall typically won’t have the ability to identify and stop cross-site scripting attacks, and IDS systems only monitor and don’t stop attacks.

  17. C. A bus can be linear or tree-shaped and connects each system to trunk or backbone cable. Ethernet networks operate on a bus topology.

  18. B. Screen scrapers copy the actual screen displayed and display it at a remote location. RDP provides terminal sessions without doing screen scraping, remote node operation is the same as dial-up access, and remote control is a means of controlling a remote system (screen scraping is a specialized subset of remote control).

  19. A. WPA2, the replacement for WPA, does not suffer from the security issues that WEP, the original wireless security protocol, and WPA, its successor, both suffer from. AES is used in WPA2 but is not specifically a wireless security standard.

  20. B. The Remote Authentication Dial-in User Service (RADIUS) protocol was originally designed to support dial-up modem connections but is still commonly used for VPN-based authentication. HTTPS is not an authentication protocol. ESP and AH are IPsec protocols but do not provide authentication services for other systems.

  21. C. Double NATing isn’t possible with the same IP range; the same IP addresses cannot appear inside and outside a NAT router. RFC 1918 addresses are reserved, but only so they are not used and routable on the Internet, and changing to PAT would not fix the issue.

  22. C. Stateful packet inspection firewalls, also known as dynamic packet filtering firewalls, track the state of a conversation and can allow a response from a remote system based on an internal system being allowed to start the communication. Static packet filtering and circuit-level gateways only filter based on source, destination, and ports, whereas application-level gateway firewalls proxy traffic for specific applications.

  23. C. The assignment of endpoint systems to VLANs is normally performed by a network switch.

  24. C. A three-tier design separates three distinct protected zones and can be accomplished with a single firewall that has multiple interfaces. Single- and two-tier designs don’t support the number of protected networks needed in this scenario, while a four-tier design would provide a tier that isn’t needed.

  25. B. Not only should active scanning be expected to cause wireless IPS alarms, but they may actually be desired if the test is done to test responses. Accidentally scanning guests or neighbors or misidentifying devices belonging to third parties are all potential problems with active scanning and require the security assessor to carefully verify the systems that she is scanning.

  26. B. ARP and RARP operate at the Data Link layer, the second layer of the OSI model. Both protocols deal with physical (MAC) hardware addresses, which are used above the Physical layer (layer 1) and below the Network layer (layer 3), thus falling at the Data Link layer.

  27. A. A smurf attack is an example of a denial-of-service attack, which jeopardizes the availability of a targeted network.

  28. B. Category 3 UTP cable is primarily used for phone cables and was also used for early Ethernet networks where it provided 10 Mbps of throughput. Cat 5 cable provides 100 Mbps (and 1000 Mbps if it is Cat 5e). Cat 6 cable can also provide 1000 Mbps.

  29. B. The use of TCP port 80 indicates that the messaging service is using the HTTP protocol. Slack is a messaging service that runs over HTTPS, which uses port 443. SMTP is an email protocol that uses port 25.

  30. C. HTTP traffic is typically sent via TCP 80. Unencrypted HTTP traffic can be easily captured at any point between A and B, meaning that the messaging solution chosen does not provide confidentiality for the organization’s corporate communications.

  31. B. If a business need requires messaging, using a local messaging server is the best option. This prevents traffic from traveling to a third-party server and can offer additional benefits such as logging, archiving, and control of security options like the use of encryption.

  32. A. The File Transfer Protocol (FTP) operates on TCP ports 20 and 21. UDP port 69 is used for the Trivial File Transfer Protocol, or TFTP, while UDP port 21 is not used for any common file transfer protocol.

  33. D. Bluetooth active scans can determine both the strength of the PIN and what security mode the device is operating in. Unfortunately, Bluetooth scans can be challenging because of the limited range of Bluetooth and the prevalence of personally owned Bluetooth-enabled devices. Passive Bluetooth scanning only detects active connections and typically requires multiple visits to have a chance of identifying all devices.

  34. B. A proxy is a form of gateway that provide clients with a filtering, caching, or other service that protects their information from remote systems. A router connects networks, while a firewall uses rules to limit traffic permitted through it. A gateway translates between protocols.

  35. A. When a data stream is converted into a segment (TCP) or a datagram (UDP), it transitions from the Session layer to the Transport layer. This change from a message sent to an encoded segment allows it to then traverse the Network layer.

  36. B. Media Access Control (MAC) addresses are the hardware address the machine uses for layer 2 communications. The MAC addresses include an organizationally unique identifier (OUI), which identifies the manufacturer. MAC addresses can be changed, so this is not a guarantee of accuracy, but under normal circumstances you can tell what manufacturer made the device by using the MAC address.

  37. A. Passive scanning can help identify rogue devices by capturing MAC address vendor IDs that do not match deployed devices, by verifying that systems match inventories of organizationally owned hardware by hardware address, and by monitoring for rogue SSIDs or connections.

  38. A. A ring connects all systems like points on a circle. A ring topology was used with Token Ring networks, and a token was passed between systems around the ring to allow each system to communicate. More modern networks may be described as a ring but are only physically a ring and not logically using a ring topology.

  39. B. VLANs can be used to logically separate groups of network ports while still providing access to an uplink. Per-room VPNs would create significant overhead for support as well as create additional expenses. Port security is used to limit what systems can connect to ports, but it doesn’t provide network security between systems. Finally, while firewalls might work, they would add additional expense and complexity without adding any benefits over a VLAN solution.

  40. The TCP ports match with the protocols as follows:

    1. TCP port 23: D. Telnet
    2. TCP port 25: A. SMTP
    3. TCP port 143: C. IMAP
    4. TCP port 515: B. LPD

  41. A. John’s design provides multiple processing sites, distributing load to multiple regions. Not only does this provide business continuity and disaster recovery functionality, but it also means that his design will be more resilient to denial-of-service attacks.

  42. C. PPTP, L2F, L2TP, and IPsec are the most common VPN protocols. TLS is also used for an increasingly large percentage of VPN connections and may appear at some point in the CISSP® exam. PPP is a dial-up protocol, LTP is not a protocol, and SPAP is the Shiva Password Authentication Protocol sometimes used with PPTP.

  43. A. VLAN hopping between the voice and computer VLANs can be accomplished when devices share the same switch infrastructure. Using physically separate switches can prevent this attack. Encryption won’t help with VLAN hopping because it relies on header data that the switch needs to read (and this is unencrypted), while Caller ID spoofing is an inherent problem with VoIP systems. A denial of service is always a possibility, but it isn’t specifically a VoIP issue and a firewall may not stop the problem if it’s on a port that must be allowed through.

  44. B. While it may be tempting to tell her staff to simply not connect to any network, Susan knows that they will need connectivity to do their work. Using a VPN to connect their laptops and mobile devices to a trusted network and ensuring that all traffic is tunneled through the VPN is her best bet to secure their Internet usage. Susan may also want to ensure that they take “clean” laptops and devices that do not contain sensitive information or documents and that those systems are fully wiped and reviewed when they return.

  45. B. ARP cache poisoning occurs when false ARP data is inserted into a system’s ARP cache, allowing the attacker to modify its behavior. RARP flooding, denial-of-ARP attacks, and ARP buffer blasting are all made-up terms.

  46. D. Egress filtering scans outbound traffic for potential security policy violations. This includes traffic with a private IP address as the destination, traffic with a broadcast address as the destination, and traffic that has a falsified source address not belonging to the organization.

  47. B. A teardrop attack uses fragmented packets to target a flaw in how the TCP stack on a system handles fragment reassembly. If the attack is successful, the TCP stack fails, resulting in a denial of service. Christmas tree attacks set all of the possible TCP flags on a packet, thus “lighting it up like a Christmas tree.” Stack killer and frag grenade attacks are made-up answers.

  48. C. By default, RADIUS uses UDP and only encrypts passwords. RADIUS supports TCP and TLS, but this is not a default setting.

  49. A. The Transport layer provides logical connections between devices, including end-to-end transport services to ensure that data is delivered. Transport layer protocols include TCP, UDP, SSL, and TLS.

  50. A. In a man-in-the-middle attack, attackers manage to insert themselves into a connection between a user and a legitimate website, relaying traffic between the two parties while eavesdropping on the connection. Although similarly named, the meet-in-the-middle attack is a cryptographic attack that does not necessarily involve connection tampering. Fraggle is a network-based denial-of-service attack using UDP packets. Wardriving is a reconnaissance technique for discovering open or weakly secured wireless networks.

  51. C. WEP has a weak security model that relies on a single, predefined, shared static key. This means that modern attacks can break WEP encryption in less than a minute.

  52. D. Bluesnarfing targets the data or information on Bluetooth-enabled devices. Bluejacking occurs when attackers send unsolicited messages via Bluetooth.

  53. B. Since Bluetooth doesn’t provide strong encryption, it should only be used for activities that are not confidential. Bluetooth PINs are four-digit codes that often default to 0000. Turning it off and ensuring that your devices are not in discovery mode can help prevent Bluetooth attacks.

  54. D. Ping uses ICMP, the Internet Control Message Protocol, to determine whether a system responds and how many hops there are between the originating system and the remote system. Lauren simply needs to filter out ICMP to not see her pings.

  55. B. Joseph may be surprised to discover FTP (TCP port 21) and Telnet (TCP port 23) open on his network since both services are unencrypted and have been largely replaced by SSH, and SCP or SFTP. SSH uses port 22, SMTP uses port 25, and POP3 uses port 110.

  56. B. While non-IP protocols like IPX/SPX, NetBEUI, and AppleTalk are rare in modern networks, they can present a challenge because many firewalls are not capable of filtering them. This can create risks when they are necessary for an application or system’s function because they may have to be passed without any inspection. Christmas tree attacks set all of the possible flags on a TCP packet (and are thus related to an IP protocol), IPX is not an IP-based protocol, and while these protocols are outdated, there are ways to make even modern PCs understand them.

  57. D. ARP spoofing is often done to replace a target’s cache entry for a destination IP, allowing the attacker to conduct a man-in-the-middle attack. A denial-of-service attack would be aimed at disrupting services rather than spoofing an ARP response, a replay attack will involve existing sessions, and a Trojan is malware that is disguised in a way that makes it look harmless.

  58. B. A denial-of-service attack is an attack that causes a service to fail or to be unavailable. Exhausting a system’s resources to cause a service to fail is a common form of denial-of-service attack. A worm is a self-replicating form of malware that propagates via a network, a virus is a type of malware that can copy itself to spread, and a smurf attack is a distributed denial-of-service (DDoS) that spoofs a victim’s IP address to systems using an IP broadcast, resulting in traffic from all of those systems to the target.

  59. C. A full mesh topology directly connects each machine to every other machine on the network. For five systems, this means four connections per system.

  60. B. LEAP, the Lightweight Extensible Authentication Protocol, is a Cisco proprietary protocol designed to handle problems with TKIP. Unfortunately, LEAP has significant security issues as well and should not be used. Any modern hardware should support WPA2 and technologies like PEAP or EAP-TLS. Using WEP, the predecessor to WPA and WPA2, would be a major step back in security for any network.

  61. C. Intrusion detection systems (IDSs) provide only passive responses, such as alerting administrators to a suspected attack. Intrusion prevention systems and firewalls, on the other hand, may take action to block an attack attempt. Antivirus software also may engage in active response by quarantining suspect files.

  62. B. All stateful inspection firewalls enforce an implicit deny rule as the final rule of the rulebase. It is designed to drop all inbound traffic that was not accepted by an earlier rule. Stealth rules hide the firewall from external networks, but they are not included by default. This firewall does not contain any egress filtering rules, and egress filtering is not enforced by default. Connection proxying is an optional feature of stateful inspection firewalls and would not be enforced without a rule explicitly implementing it.

  63. A. SMTP uses ports 25 and 465. The presence of an inbound rule allowing SMTP traffic indicates that this is an email server.

  64. C. The HTTP connection will be allowed, despite the presence of rule 2, because it matches rule 1. The HTTPS connection will be blocked because there is no rule allowing HTTPS connections to this server.

  65. D. The firewall should be configured to accept inbound connections from any port selected by the source system. The vast majority of inbound firewall rules allow access from any source port.

  66. A. A single-tier firewall deployment is simple and does not offer useful design options like a DMZ or separate transaction subnets.

  67. B. Disabling SSID broadcast can help prevent unauthorized personnel from attempting to connect to the network. Since the SSID is still active, it can be discovered by using a wireless sniffer. Encryption keys are not related to SSID broadcast, beacon frames are used to broadcast the SSID, and it is possible to have multiple networks with the same SSID.

  68. C. The DARPA TCP/IP model was used to create the OSI model, and the designers of the OSI model made sure to map the OSI model layers to it. The Application layer of the TCP model maps to the Application, Presentation, and Session layers, while the TCP and OSI models both have a distinct Transport layer.

  69. B. Ethernet networks use Carrier-Sense Multiple Access/Collision Detection (CSMA/CD) technology. When a collision is detected and a jam signal is sent, hosts wait a random period of time before attempting retransmission.

  70. C. Layer 6, the Presentation layer, transforms data from the Application layer into formats that other systems can understand by formatting and standardizing the data. That means that standards like JPEG, ASCII, and MIDI are used at the Presentation layer for data. TCP, UDP, and TLS are used at the Transport layer; NFS, SQL, and RPC operate at the Session layer; and HTTP, FTP, and SMTP are Application layer protocols.

  71. C. WPA2’s CCMP encryption scheme is based on AES. As of the writing of this book, there have not been any practical real-world attacks against WPA2. DES has been successfully broken, and neither 3DES nor TLS is used for WPA2.

  72. B. A two-tier firewall uses a firewall with multiple interfaces or multiple firewalls in series. This image shows a firewall with two protected interfaces, with one used for a DMZ and one used for a protected network. This allows traffic to be filtered between each of the zones (Internet, DMZ, and private network).

  73. B. DNS poisoning occurs when an attacker changes the domain name to IP address mappings of a system to redirect traffic to alternate systems. DNS spoofing occurs when an attacker sends false replies to a requesting system, beating valid replies from the actual DNS server. ARP spoofing provides a false hardware address in response to queries about an IP, and Cain & Abel is a powerful Windows hacking tool, but a Cain attack is not a specific type of attack.

  74. A. The correct answer is the tape that is being shipped to a storage facility. You might think that the tape in shipment is “in motion,” but the key concept is that the data is not being accessed and is instead in storage. Data in a TCP packet, in an e-commerce transaction, or in local RAM is in motion and is actively being used.

  75. C. A fail open configuration may be appropriate in this case. In this configuration, the firewall would continue to pass traffic without inspection while it is restarting. This would minimize downtime, and the traffic would still be protected by the other security controls described in the scenario. Failover devices and high availability clusters would indeed increase availability, but at potentially significant expense. Redundant disks would not help in this scenario because no disk failure is described.

  76. B. When a workstation or other device is connected simultaneously to both a secure and a nonsecure network like the Internet, it may act as a bridge, bypassing the security protections located at the edge of a corporate network. It is unlikely that traffic will be routed improperly leading to the exposure of sensitive data, as traffic headed to internal systems and networks is unlikely to be routed to the external network. Reflected DDoS attacks are used to hide identities rather than to connect through to an internal network, and security administrators of managed systems should be able to determine both the local and wireless IP addresses his system uses.

  77. D. 1000BaseT is capable of a 100-meter run according to its specifications. For longer distances, a fiber-optic cable is typically used in modern networks.

  78. The wireless attack terms match with their descriptions as follows:

    1. Rogue access point: B. An access point intended to attract new connections by using an apparently legitimate SSID
    2. Replay: C. An attack that retransmits captured communication to attempt to gain access to a targeted system
    3. Evil twin: A. An attack that relies on an access point to spoof a legitimate access point’s SSID and MAC address
    4. War driving: D. The process of using detection tools to find wireless networks

  79. D. This question is asking you to identify the blocking rule that should not be set on the firewall. Packets with public IP addresses will routinely be allowed to enter the network, so you should not create a rule to block them, making this the correct answer. Packets with internal source addresses should never originate from outside the network, so they should be blocked from entering the network. Packets with external source addresses should never be found on the internal network, so they should be blocked from leaving the network. Finally, private IP addresses should never be used on the Internet, so packets containing private IP addresses should be blocked from leaving the network.

  80. C. A collision domain is the set of systems that could cause a collision if they transmitted at the same time. Systems outside a collision domain cannot cause a collision if they send at the same time. This is important, as the number of systems in a collision domain increases the likelihood of network congestion due to an increase in collisions. A broadcast domain is the set of systems that can receive a broadcast from each other. A subnet is a logical division of a network, while a supernet is made up of two or more networks.

  81. A. Application firewalls add layer 7 functionality to other firewall solutions. This includes the ability to inspect Application-layer details such as analyzing HTTP, DNS, FTP, and other application protocols.

  82. C. The TCP three-way handshake consists of initial contact via a SYN, or synchronize flagged packet; which receives a response with a SYN/ACK, or synchronize and acknowledge flagged packet; which is acknowledged by the original sender with an ACK, or acknowledge packet. RST is used in TCP to reset a connection, PSH is used to send data immediately, and FIN is used to end a connection.

  83. D. Application-specific protocols are handled at layer 7, the Application layer of the OSI model.

  84. D. MAC addresses and their organizationally unique identifiers are used at the Data Link layer to identify systems on a network. The Application and Session layers don’t care about physical addresses, while the Physical layer involves electrical connectivity and handling physical interfaces rather than addressing.

  85. A. A data loss prevention (DLP) system or software is designed to identify labeled data or data that fits specific patterns and descriptions to help prevent it from leaving the organization. An IDS is designed to identify intrusions. Although some IDS systems can detect specific types of sensitive data using pattern matching, they have no ability to stop traffic. A firewall uses rules to control traffic routing, while UDP is a network protocol.

Chapter 7: Systems and Application Security (Domain 7)

  1. B. The principle of data integrity states that data should be reliable and that information should not be used for purposes other than those that users are made aware of by notice and that they have accepted through choice. Enforcement is aimed at ensuring that compliance with principles is assured. Access allows individuals to correct, change, or delete their information, while onward transfer limits transfers to other organizations that comply with the principles of notice and choice.

  2. C. The Microsoft Baseline Security Analyzer, or MBSA, is a tool provided by Microsoft that can identify installed or missing patches as well as common security misconfigurations. Since it is run with administrative rights, it will provide a better view than normal nmap and Nessus scans. MBSA provides more detailed information about specific patches that are installed. Metasploit provides some limited scanning capabilities but is not the best tool for the situation.

  3. B. Heuristic detection methods run the potential malware application and track what occurs. This can allow the anti-malware tool to determine whether the behaviors and actions of the program match those common to malware, even if the file does not match the fingerprint of known malware packages.

  4. A. The 192.168.0.0/16 address range, which includes 192.168.163.109 is one of the address ranges reserved for use as private IP addresses. These addresses should not appear on packets inbound to a network from the Internet. The other addresses mentioned here are all normal public IP addresses.

  5. D. Caitlyn is preparing a decomposition diagram that maps the high-level functions to lower-level components. This will allow her to better understand how the malware package works and may help her identify areas she should focus on.

  6. B. Lauren’s team should use full disk encryption or volume encryption and should secure the encryption keys properly. This will ensure that any data that remains cannot be exposed to future users of the virtual infrastructure. While many cloud providers have implemented technology to ensure that this won’t happen, Lauren can avoid any potential issues by ensuring that she has taken proactive action to prevent data exposure. Using a zero wipe is often impossible because virtual environments may move without her team’s intervention, data masking will not prevent unmasked data or temporary data stored on the virtual disks from being exposed, and spanning multiple virtual disks will still leave data accessible, albeit possibly in fragmented form.

  7. C. When endpoints are connected without a network control point between them, a host-based solution is required. In this case, Lucca’s specific requirement is to prevent attacks, rather than simply detect them, meaning that a HIPS is required to meet his needs. Many modern products combine HIPS capabilities with other features such as data loss prevention and system compliance profiling, so Lucca may end up with additional useful capabilities if he selects a product with those features.

  8. B. Most SaaS providers do not want their customers conducting port scans of their service, and many are glad to provide security assertions and attestations including audits, testing information, or contractual language that addresses potential security issues. Using a different scanning tool, engaging a third-party tester, and even using a VPN are not typically valid answers in a scenario like this.

  9. B. Changing the hosts file has been used by various malware packages to prevent updates by stopping DNS resolution of the antivirus update server. Lauren should check to see whether the antivirus software on the system is up-to-date, but she will probably need to recommend a rebuild or reinstallation of the system.

  10. D. Geoff’s only sure bet to prevent these services from being accessed is to put a network firewall in front of them. Many appliances enable services by default, but since they are appliances, they may not have host firewalls available to enable. They also often don’t have patches available, and many appliances do not allow the services they provide to be disabled or modified.

  11. D. The uses described for the workstation that Tim is securing do not require inbound access to the system on any of these ports. Web browsing and Active Directory domain membership traffic can be handled by traffic initiated by the system.

  12. C. Relying on hashing means that Charles will only be able to identify the specific versions of malware packages that have already been identified. This is a consistent problem with signature-based detections and malware. Packages commonly implement polymorphic capabilities, meaning that two instances of the same package will not have identical hashes because of changes meant to avoid signature-based detection systems.

  13. B. Lauren can determine only that the default administrative shares are enabled. While administrative shares are useful for remote administration, they can pose a threat for systems that do not require them, and some security baselines suggest disabling them in the registry if they are not used.

  14. A. Susan’s best option is to submit the file to a tool like VirusTotal, which will scan it for virus-like behaviors and known malware tools. Checking the hash using either a manual check or by using the National Software Reference Library can tell her whether the file matches a known good version but won’t tell her if it includes malware. Running a suspect file is the worst option on the list!

  15. A. Windows 10 Pro and Enterprise support application whitelisting. Chris can whitelist his allowed programs and then set the default mode to disallowed, preventing all other applications from running and thus blacklisting the application. This can be a bit of a maintenance hassle but can be useful for high security environments or those in which limiting what programs can run is critical.

  16. B. Most infrastructure as a service providers will allow their customers to perform security scans as long as they follow the rules and policies around such scans. Ian should review his vendor’s security documentation and contact them for details if he has questions.

  17. D. DNS blackholing uses a list of known malicious domains or IP addresses and relies on listing the domains on an internal DNS server that provides a fake reply. Route poisoning prevents networks from sending data to a destination that is invalid. Routers do not typically have an anti-malware filter feature, and subdomain whitelisting was made up for this question.

  18. B. In many cases, backups are the best method to minimize the impact of a ransomware outbreak. While preventative measures can help, malware packages continue to change more quickly than detective controls like anti-malware software and NGFW device manufacturers can react. A honeypot won’t help Adam prevent ransomware, so it can be easily dismissed when answering this question.

  19. C. Lauren’s screenshot shows behavioral analysis of the executed code. From this, we can determine that malwr is a dynamic analysis sandbox that runs the malware sample to determine what it does while also analyzing the file.

  20. C. The label A designates the guest operating systems in this environment. Each virtualization platform may run multiple guest operating systems, all of which share physical resources.

  21. A. The label B designates the hypervisor in this environment. In a bare-metal virtualization environment, the hypervisor sits beneath the guest operating systems and controls access to memory, disk, CPU, and other system resources.

  22. D. The label C designates the physical hardware in this environment. In a bare-metal virtualization environment, the physical hardware sits beneath the hypervisor, which moderates access by guest operating systems. There is no host operating system in a bare-metal virtualization approach.

  23. A. Virtualized systems run full versions of operating systems. If Frank’s scan revealed a missing operating system patch when he scanned a virtualized server, the patch should be applied directly to that guest operating system.

  24. A. This is an informational-level report that will be discovered on any server that supports the OPTIONS method. This is not a serious issue and is listed as an informational item, so Mike does not need to take any action to address it.

  25. A. Because both of these hosts are located on the same virtualization platform, it is likely that the network traffic never leaves that environment and would not be controlled by an external network firewall or intrusion prevention system. Ed should first look at the internal configuration of the virtual network to determine whether he can apply the restriction there.

  26. A. The Simple Network Management Protocol (SNMP) uses traps and polling requests to monitor and manage both physical and virtual networks. The Simple Mail Transfer Protocol (SMTP) is an email transfer protocol. The Border Gateway Protocol (BGP) and Enhanced Interior Gateway Routing Protocol (EIGRP) are used to make routing decisions.

  27. A. Although the vulnerability scan report does indicate that this is a low-severity vulnerability, Don must take this information in context. The management interface of a virtualization platform should never be exposed to external hosts, and it also should not use unencrypted credentials. In that context, this is a critical vulnerability that could allow an attacker to take control of a large portion of the computing environment. Don should work with security and network engineers to block this activity at the firewall as soon as possible. Shutting down the virtualization platform is not a good alternative because it would be extremely disruptive, and the firewall adjustment is equally effective from a security point of view.

  28. D. The best practice for securing virtualization platforms is to expose the management interface only to a dedicated management network, accessible only to authorized engineers. This greatly reduces the likelihood of an attack against the virtualization platform.

  29. B. Angela has performed interactive behavior analysis. This process involves executing a file in a fully instrumented environment and then tracking what occurs. Angela’s ability to interact with the file is part of the interactive element and allows her to simulate normal user interactions as needed or to provide the malware with an environment where it can interact like it would in the wild.

  30. A. Derek has created a malware analysis sandbox and may opt to use tools like Cuckoo, Truman, Minibis, or a commercial analysis tool. If he pulls apart the files to analyze how they work, he would be engaging in reverse engineering, and doing code-level analysis of executable malware would require disassembly. Darknets are used to identify malicious traffic and aren’t used in this way.

  31. B. The diagram already shows a firewall in place on both sides of the network connection. Ian should place a VPN at the point marked by question marks to ensure that communications over the Internet are encrypted. IPS and DLP systems do provide added security controls, but they do not provide encrypted network connections.

  32. D. Bare-metal virtualization does not impose any requirements on the diversity of guest operating systems. It is common to find Linux and Windows systems running on the same platform. Bare-metal virtualization does not use a host operating system. Instead, it runs the hypervisor directly on top of the physical hardware.

  33. B. John has discovered a program that is both accepting connections and has an open connection, neither of which are typical for the Minesweeper game. Attackers often disguise trojans as innocuous applications, so John should follow his organization’s incident response plan.

  34. B. Improper usage, which results from violations of an organization’s acceptable use policies by authorized users can be reduced by implementing a strong awareness program. This will help ensure users know what they are permitted to do and what is prohibited. Attrition attacks focus on brute-force methods of attacking services, impersonation attacks include spoofing, man-in-the-middle attacks, and similar threats. Finally, web-based attacks focus on websites or web applications. Awareness may help with some specific web-based attacks like fake login sites, but many others would not be limited by Lauren’s awareness efforts.

  35. C. Bring your own device (BYOD) strategies allow users to operate personally owned devices on corporate networks. These devices are more likely to contain vulnerabilities than those managed under a mobile device management (MDM) system or a corporate-owned, personally enabled (COPE) strategy. Transport Layer Security (TLS) is a network encryption protocol, not a mobile device strategy.

  36. D. While application sharding and query optimization can help services respond under heavy loads, Jarett’s best bet is to work with a content distribution network, or CDN, that has built-in DDoS mitigation technologies. This will allow his content to be accessible even if his primary service is taken offline and will spread the load to other servers during attacks, even if the CDN’s anti-DDoS capabilities can’t entirely mitigate the attack. Aggressive aging can help when implemented on a firewall and may help somewhat with survivability but is less useful for large scale DDoS attacks.

  37. C. Jennifer can push an updated hosts file to her domain-connected systems that will direct traffic intended for known bad domains to the localhost or a safe system. She might want to work with a security analyst or other IT staff member to capture queries sent to that system to track any potentially infected workstations. A DNS sinkhole would work only if all the systems were using local DNS, and off-site users are likely to have DNS settings set by the local networks they connect to. Anti-malware applications may not have an update yet or may fail to detect the malware, and forcing a BGP update for third-party networks is likely a bad idea!

  38. A. Full disk encryption prevents anyone who gains possession of a device from accessing the data it contains, making it an ideal control to meet Martin’s goal. Strong passwords may be bypassed by directly accessing the disk. Cable locks are not effective for devices used by travelers. Intrusion prevention systems are technical controls that would not affect someone who gained physical access to a device.

  39. C. One of the visibility risks of virtualization is that communication between servers and systems using virtual interfaces can occur “inside” the virtual environment. This means that visibility into traffic in the virtualization environment has to be purpose-built as part of its design. Option D is correct but incomplete because inter-hypervisor traffic isn’t the only traffic the IDS will see.

  40. B. Cut and paste between virtual machines can bypass normal network-based data loss prevention tools and monitoring tools like an IDS or IPS. Thus, it can act as a covert channel, allowing the transport of data between security zones. So far, cut and paste has not been used as a method for malware spread in virtual environments and has not been associated with denial-of-service attacks. Cut and paste requires users to be logged in and does not bypass authentication requirements.

  41. A. While virtual machine escape has been demonstrated only in laboratory environments, the threat is best dealt with by limiting what access to the underlying hypervisor can prove to a successful tracker. Segmenting by data types or access levels can limit the potential impact of a hypervisor compromise. If attackers can access the underlying system, restricting the breach to only similar data types or systems will limit the impact. Escape detection tools are not available on the market, restoring machines to their original snapshots will not prevent the exploit from occurring again, and Tripwire detects file changes and is unlikely to catch exploits that escape the virtual machines themselves.

  42. C. Michael should conduct his investigation, but there is a pressing business need to bring the website back online. The most reasonable course of action would be to take a snapshot of the compromised system and use the snapshot for the investigation, restoring the website to operation as quickly as possible while using the results of the investigation to improve the security of the site.

  43. B. The Trusted Platform Module (TPM) is a hardware security technique that stores an encryption key on a chip on the motherboard and prevents someone from accessing an encrypted drive by installing it in another computer.

  44. D. In an infrastructure as a service environment, security duties follow a shared responsibility model. Since the vendor is responsible for managing the storage hardware, the vendor would retain responsibility for destroying or wiping drives as they are taken out of service. However, it is still the customer’s responsibility to validate that the vendor’s sanitization procedures meet their requirements prior to utilizing the vendor’s storage services.

  45. A. Mobile device management (MDM) products provide a consistent, centralized interface for applying security configuration settings to mobile devices.

  46. B. In a software as a service environment, the customer has no access to any underlying infrastructure, so firewall management is a vendor responsibility under the cloud computing shared responsibility model.

  47. A. The blacklisting approach to application control allows users to install any software they want except for packages specifically identified by the administrator as prohibited. This would be an appropriate approach in a scenario where users should be able to install any nonmalicious software they want to use.

  48. B. The hypervisor is responsible for coordinating access to physical hardware and enforcing isolation between different virtual machines running on the same physical platform.

  49. C. The most reasonable choice presented is to move the devices to a secure and isolated network segment. This will allow the devices to continue to serve their intended function while preventing them from being compromised. All of the other scenarios either create major new costs or deprive her organization of the functionality that the devices were purchased to provide.

  50. C. Software-defined networking provides a network architecture that can be defined and configured as code or software. This will allow Lauren’s team to quickly change the network based on organizational requirements. The 5-4-3 rule is an old design rule for networks that relied on repeaters or hubs. A converged network carries multiple types of traffic such as voice, video, and data. A hypervisor-based network may be software defined, but it could also use traditional network devices running as virtual machines.

  51. B. Since physical access to the workstations is part of the problem, setting application timeouts and password-protected screensavers with relatively short inactivity timeouts can help prevent unauthorized access. Using session IDs for all applications and verifying system IP addresses would be helpful for online attacks against applications.

  52. C. Cross-site scripting (XSS) attacks seek to inject script code into a web application through unvalidated input. By removing the <SCRIPT> tag from that input, Harold is seeking to prevent this type of attack from succeeding.

  53. D. Software-defined networking separates the control plane from the data plane. Network devices then do not contain complex logic themselves but receive instructions from the SDN.

  54. D. Hotfixes, updates, and security fixes are all synonyms for single patches designed to correct a single problem. Service packs are collections of many different updates that serve as a major update to an operating system or application.

  55. D. The scenario describes a mix of public cloud and private cloud services. This is an example of a hybrid cloud environment.

  56. D. In a software as a service solution, the vendor manages both the physical infrastructure and the complete application stack, providing the customer with access to a fully managed application.

  57. C. Zero-day attacks are those that are previously unknown to the security community and, therefore, have no available patch. These are especially dangerous attacks because they may be highly effective until a solution becomes available.

  58. C. A host-based intrusion detection system (HIDS) may be able to detect unauthorized processes running on a system. The other controls mentioned, network intrusion detection systems (NIDSs), firewalls, and DLP systems, are network-based and may not notice rogue processes.

  59. B. The scenario describes a privilege escalation attack where a malicious insider with authorized access to a system misused that access to gain privileged credentials.

  60. C. In an infrastructure as a service environment, the vendor is responsible for hardware- and network-related responsibilities. These include configuring network firewalls, maintaining the hypervisor, and managing physical equipment. The customer retains responsibility for patching operating systems on its virtual machine instances.

  61. C. In a platform as a service solution, the customer supplies application code that the vendor then executes on its own infrastructure.

  62. C. A whitelist of allowed applications will ensure that Lauren’s users can run only the applications that she preapproves. Blacklists would require her to maintain a list of every application that she doesn’t want to allow, which is an almost impossible task. Graylisting is not a technology option, and configuration management can be useful for making sure the right applications are on a PC but typically can’t directly prevent users from running undesired applications or programs.

  63. A. Macro viruses are most commonly found in office productivity documents, such as Microsoft Word documents that end in the .doc or .docx extension. They are not commonly found in executable files with the .com or .exe extensions.

  64. D. Worms have built-in propagation mechanisms that do not require user interaction, such as scanning for systems containing known vulnerabilities and then exploiting those vulnerabilities to gain access. Viruses and Trojan horses typically require user interaction to spread. Logic bombs do not spread from system to system but lie in wait until certain conditions are met, triggering the delivery of their payload.

  65. D. One possibility for the clean scan results is that the virus is using stealth techniques, such as intercepting read requests from the antivirus software and returning a correct-looking version of the infected file. The system may also be the victim of a zero-day attack, using a virus that is not yet included in the signature definition files provided by the antivirus vendor.

  66. D. Messages similar to the one shown in the figure are indicative of a ransomware attack. The attacker encrypts files on a user’s hard drive and then demands a ransom, normally paid in Bitcoin, for the decryption key required to restore access to the original content. Encrypted viruses, on the other hand, use encryption to hide themselves from antivirus mechanisms and do not alter other contents on the system.

Chapter 8: Practice Test 1

  1. C. Dictionary, brute-force, and man-in-the-middle attacks are all types of attacks that are frequently aimed at access controls. Teardrop attacks are a type of denial-of-service attack.

  2. D. The hearsay rule says that a witness cannot testify about what someone else told them, except under specific exceptions. The courts have applied the hearsay rule to include the concept that attorneys may not introduce logs into evidence unless they are authenticated by the system administrator. The best evidence rule states that copies of documents may not be submitted into evidence if the originals are available. The parol evidence rule states that if two parties enter into a written agreement, that written document is assumed to contain all the terms of the agreement. Testimonial evidence is a type of evidence, not a rule of evidence.

  3. D. Device fingerprinting via a web portal can require user authentication and can gather data like operating systems, versions, software information, and many other factors that can uniquely identify systems. Using an automated fingerprinting system is preferable to handling manual registration, and pairing user authentication with data gathering provides more detail than a port scan. MAC addresses can be spoofed, and systems may have more than one depending on how many network interfaces they have, which can make unique identification challenging.

  4. C. The whitelisting approach to application control allows users to install only those software packages specifically approved by administrators. This would be an appropriate approach in a scenario where application installation needs to be tightly controlled.

  5. B. Biometric systems can face major usability challenges if the time to enroll is long (more than a couple of minutes) and if the speed at which the biometric system is able to scan and accept or reject the user is too slow. FAR and FRR may be important in the design decisions made by administrators or designers, but they aren’t typically visible to users. CER and ERR are the same and are the point where FAR and FRR meet. Reference profile requirements are a system requirement, not a user requirement.

  6. B. Category 5e and Category 6 UTP cable are both rated to 1000 Mbps. Cat 5 (not Cat 5e) is rated only to 100 Mbps, whereas Cat 7 is rated to 10 Gbps. There is no Cat 4e.

  7. B. Provisioning that occurs through an established workflow, such as through an HR process, is workflow-based account provisioning. If Alex had set up accounts for his new hire on the systems he manages, he would have been using discretionary account provisioning. If the provisioning system allowed the new hire to sign up for an account on their own, they would have used self-service account provisioning, and if there was a central, software-driven process, rather than HR forms, it would have been automated account provisioning.

  8. C. As Alex has changed roles, he retained access to systems that he no longer administers. The provisioning system has provided rights to workstations and the application servers he manages, but he should not have access to the databases he no longer administers. Privilege levels are not specified, so we can’t determine whether he has excessive rights. Logging may or may not be enabled, but it isn’t possible to tell from the diagram or problem.

  9. C. When a user’s role changes, they should be provisioned based on their role and other access entitlements. Deprovisioning and reprovisioning is time-consuming and can lead to problems with changed IDs and how existing credentials work. Simply adding new rights leads to privilege creep, and matching another user’s rights can lead to excessive privileges because of privilege creep for that other user.

  10. C. The blacklist approach to application control blocks certain prohibited packages but allows the installation of other software on systems. The whitelist approach uses the reverse philosophy and allows only approved software. Antivirus software would only detect the installation of malicious software after the fact. Heuristic detection is a variant of antivirus software.

  11. C. Capacitance motion detectors monitor the electromagnetic field in a monitored area, sensing disturbances that correspond to motion.

  12. A. In this scenario, the vendor is providing object-based storage, a core infrastructure service. Therefore, this is an example of infrastructure as a service (IaaS).

  13. D. Individuals with specific business continuity roles should receive training on at least an annual basis.

  14. D. The log entries contained in this example show the allow/deny status for inbound and outbound TCP and UDP sessions. This is, therefore, an example of a firewall log.

  15. B. MDM products do not have the capability of assuming control of a device not currently managed by the organization. This would be equivalent to hacking into a device owned by someone else and might constitute a crime.

  16. B. Crystal-box penetration testing, which is also sometimes called white-box penetration testing, provides the tester with information about networks, systems, and configurations, allowing highly effective testing. It doesn’t simulate an actual attack like black- and gray-box testing can and thus does not have the same realism, and it can lead to attacks succeeding that would fail in a zero- or limited-knowledge attack.

  17. B. TACACS+ is the most modern version of TACACS, the Terminal Access Controller Access-Control System. It is a Cisco proprietary protocol with added features beyond what RADIUS provides, meaning it is commonly used on Cisco networks. XTACACS is an earlier version, Kerberos is a network authentication protocol rather than a remote user authentication protocol, and RADIUS+ is a made-up term.

  18. B. Class B fire extinguishers use carbon dioxide, halon, or soda acid as their suppression material and are useful against liquid-based fires. Water may not be used against liquid-based fires because it may cause the burning liquid to splash, and many burning liquids, such as oil, will float on water.

  19. A. The emergency response guidelines should include the immediate steps an organization should follow in response to an emergency situation. These include immediate response procedures, a list of individuals who should be notified of the emergency, and secondary response procedures for first responders. They do not include long-term actions such as activating business continuity protocols, ordering equipment, or activating DR sites.

  20. C. During a parallel test, the team activates the disaster recovery site for testing, but the primary site remains operational. A simulation test involves a roleplay of a prepared scenario overseen by a moderator. Responses are assessed to help improve the organization’s response process. The checklist review is the least disruptive type of disaster recovery test. During a checklist review, team members each review the contents of their disaster recovery checklists on their own and suggest any necessary changes. During a tabletop exercise, team members come together and walk through a scenario without making any changes to information systems.

  21. D. Implementations of syslog vary, but most provide a setting for severity level, allowing configuration of a value that determines what messages are sent. Typical severity levels include debug, informational, notice, warning, error, critical, alert, and emergency. The facility code is also supported by syslog but is associated with which services are being logged. Security level and log priority are not typical syslog settings.

  22. A. Network address translation (NAT) translates an internal address to an external address. VLANs are used to logically divide networks, BGP is a routing protocol, and S/NAT is a made-up term.

  23. B. While full device encryption doesn’t guarantee that data cannot be accessed, it provides Michelle’s best option for preventing data from being lost with a stolen device when paired with a passcode. Mandatory passcodes and application management can help prevent application-based attacks and unwanted access to devices but won’t keep the data secure if the device is lost. Remote wipe and GPS location is useful if the thief allows the device to connect to a cellular or Wi-Fi network. Unfortunately, many modern thieves immediately take steps to ensure that the device will not be trackable or allowed to connect to a network before they capture data or wipe the device for resale.

  24. D. Dogs, guards, and fences are all examples of physical controls. While dogs and guards might detect a problem, fences cannot, so they are not all examples of detective controls. None of these controls would help repair or restore functionality after an issue, and thus they are not recovery controls, nor are they administrative controls that involve policy or procedures, although the guards might refer to them when performing their duties.

  25. A. System A should send an ACK to end the three-way handshake. The TCP three-way handshake is SYN, SYN/ACK, ACK.

  26. A. In the public cloud computing model, the vendor builds a single platform that is shared among many different customers. This is also known as the shared tenancy model.

  27. D. Sending logs to a secure log server, sometimes called a bastion host, is the most effective way to ensure that logs survive a breach. Encrypting local logs won’t stop an attacker from deleting them, and requiring administrative access won’t stop attackers who have breached a machine and acquired escalated privileges. Log rotation archives logs based on time or file size and can also purge logs after a threshold is hit. Rotation won’t prevent an attacker from purging logs.

  28. C. A security information and event management (SIEM) tool is designed to provide automated analysis and monitoring of logs and security events. A SIEM tool that receives access to logs can help detect and alert on events like logs being purged or other breach indicators. An IDS can help detect intrusions, but IDSs are not typically designed to handle central logs. A central logging server can receive and store logs but won’t help with analysis without taking additional actions. Syslog is simply a log format.

  29. B. Requiring authentication can help provide accountability by ensuring that any action taken can be tracked back to a specific user. Storing logs centrally ensures that users can’t erase the evidence of actions that they have taken. Log review can be useful when identifying issues, but digital signatures are not a typical part of a logging environment. Logging the use of administrative credentials helps for those users but won’t cover all users, and encrypting the logs doesn’t help with accountability. Authorization helps, but being able to specifically identify users through authentication is more important.

  30. B. An application-level gateway firewall uses proxies for each service it filters. Each proxy is designed to analyze traffic for its specific traffic type, allowing it to better understand valid traffic and to prevent attacks. Static packet filters and circuit-level gateways simply look at the source, destination, and ports in use, whereas a stateful packet inspection firewall can track the status of communication and allow or deny traffic based on that understanding.

  31. D. The recovery point objective (RPO) identifies the maximum amount of data, measured in time, that may be lost during a recovery effort. The recovery time objective (RTO) is the amount of time expected to return an IT service or component to operation after a failure. The maximum tolerable downtime (MTD) is the longest amount of time that an IT service or component may be unavailable without causing serious damage to the organization. Service-level agreements (SLAs) are written contracts that document service expectations.

  32. D. The four canons of the (ISC)2 code of ethics are to protect society, the common good, necessary public trust and confidence, and the infrastructure; act honorably, honestly, justly, responsibly, and legally; provide diligent and competent service to principals; and advance and protect the profession.

  33. B. Rainbow tables use precomputed password hashes to conduct cracking attacks against password files. They may be frustrated by the use of salting, which adds a specified value to the password prior to hashing, making it much more difficult to perform precomputation. Password expiration policies, password complexity policies, and user education may all contribute to password security, but they are not direct defenses against the use of rainbow tables.

  34. C. The process of removing a header (and possibly a footer) from the data received from a previous layer in the OSI model is known as de-encapsulation. Encapsulation occurs when the header and/or footer are added. Payloads are part of a virus or malware package that are delivered to a target, and packet unwrapping is a made-up term.

  35. C. Static packet filtering firewalls are known as first-generation firewalls and do not track connection state. Stateful inspection, application proxying, and next-generation firewalls all add connection state tracking capability.

  36. D. Integrity ensures that unauthorized changes are not made to data while stored or in transit.

  37. D. The Network Time Protocol (NTP) allows the synchronization of system clocks with a standardized time source. The Secure Shell (SSH) protocol provides encrypted administrative connections to servers. The File Transfer Protocol (FTP) is used for data exchange. Transport Layer Security (TLS) is an encryption process used to protect information in transit over a network.

  38. D. Fire suppression systems do not stop a fire from occurring but do reduce the damage that fires cause. This is an example of reducing risk by lowering the impact of an event.

  39. A. Load balancing helps to ensure that a failed server will not take a website or service offline. Dual power supplies only work to prevent failure of a power supply or power source. IPS can help to prevent attacks, and RAID can help prevent a disk failure from taking a system offline.

  40. B. The use of an electromagnetic coil inside the card indicates that this is a proximity card.

  41. D. Authorization provides a user with capabilities or rights. Roles and group management are both methods that could be used to match users with rights. Logins are used to validate a user.

  42. B. Triple DES functions by using either two or three encryption keys. When used with only one key, 3DES produces weakly encrypted ciphertext that is the insecure equivalent of DES.

  43. A. Gina’s actions harm the SSCP certification and information security community by undermining the integrity of the examination process. While Gina also is acting dishonestly, the harm to the profession is more of a direct violation of the code of ethics.

  44. D. When the owner of a file makes the decisions about who has rights or access privileges to it, they are using discretionary access control. Role-based access controls would grant access based on a subject’s role, while rule-based controls would base the decision on a set of rules or requirements. Nondiscretionary access controls apply a fixed set of rules to an environment to manage access. Nondiscretionary access controls include rule-, role-, and lattice-based access controls.

  45. A. Administrators and processes may attach security labels to objects that provide information on an object’s attributes. Labels are commonly used to apply classifications in a mandatory access control system.

  46. C. The user has successfully explained a valid need to know the data—completing the report requested by the CFO requires this access. However, the user has not yet demonstrated that he or she has appropriate clearance to access the information. A note from the CFO would meet this requirement.

  47. D. The DES modes of operation are Electronic Codebook (ECB), Cipher Block Chaining (CBC), Cipher Feedback (CFB), Output Feedback (OFB), and Counter (CTR). The Advanced Encryption Standard (AES) is a separate encryption algorithm.

  48. C. Voice pattern recognition is “something you are,” a biometric authentication factor, because it measures a physical characteristic of the individual authenticating.

  49. D. Kerberos, Active Directory Federation Services (ADFS), and Central Authentication Services (CAS) are all SSO implementations. RADIUS is not a single sign-on implementation, although some vendors use it behind the scenes to provide authentication for proprietary SSO.

  50. B. The single loss expectancy (SLE) is the amount of damage that a risk is expected to cause each time that it occurs.

  51. A. Tara first must achieve a system baseline. She does this by applying the most recent full backup to the new system. This is Sunday’s full backup. Once Tara establishes this baseline, she may then proceed to apply differential backups to bring the system back to a more recent state.

  52. B. To restore the system to as current a state as possible, Tara must first apply Sunday’s full backup. She may then apply the most recent differential backup, from Wednesday at noon. Differential backups include all files that have changed since the most recent full backup, so the contents of Wednesday’s backup contain all of the data that would be contained in Monday and Tuesday’s backups, making the Monday and Tuesday backups irrelevant for this scenario.

  53. A. In this scenario, the differential backup was made at noon, and the server failed at 3 p.m. Therefore, any data modified or created between noon and 3 p.m. will not be contained on any backup and will be irretrievably lost.

  54. D. By switching from differential to incremental backups, Tara’s weekday backups will contain only the information changed since the previous day. Therefore, she must apply all the available incremental backups. She would begin by restoring the Sunday full backup and then apply the Monday, Tuesday, and Wednesday incremental backups.

  55. D. Each incremental backup contains only the information changed since the most recent full or incremental backup. If we assume that the same amount of information changes every day, each of the incremental backups would be roughly the same size.

  56. C. She has placed compensation controls in place. Compensation controls are used when controls like the locks in this example are not sufficient. While the alarm is a physical control, the signs she posted are not. Similarly, the alarms are not administrative controls. These controls do not help to recover from an issue and are thus not recovery controls.

  57. B. During the preservation phase, the organization ensures that information related to the matter at hand is protected against intentional or unintentional alteration or deletion. The identification phase locates relevant information but does not preserve it. The collection phase occurs after preservation and gathers responsive information. The processing phase performs a rough cut of the collected information for relevance.

  58. D. This broad access may indirectly violate all of the listed security principles, but it is most directly a violation of least privilege because it grants users privileges that they do not need for their job functions.

  59. C. Metasploit is a tool used to exploit known vulnerabilities. Nikto is a web application and server vulnerability scanning tool, Ettercap is a man-in-the-middle attack tool, and THC Hydra is a password brute-force tool.

  60. C. The parol evidence rule states that when an agreement between two parties is put into written form, it is assumed to be the entire agreement unless amended in writing. The best evidence rule says that a copy of a document is not admissible if the original document is available. Real evidence and testimonial evidence are evidence types, not rules of evidence.

  61. D. During the Reporting phase, incident responders assess their obligations under laws and regulations to report the incident to government agencies and other regulators.

  62. A. The annualized loss expectancy is the amount of damage that the organization expects to occur each year as the result of a given risk.

  63. D. The Physical layer deals with the electrical impulses or optical pulses that are sent as bits to convey data.

  64. A. All packets leaving Angie’s network should have a source address from her public IP address block. Packets with a destination address from Angie’s network should not be leaving the network. Packets with source addresses from other networks are likely spoofed and should be blocked by egress filters. Packets with private IP addresses as sources or destinations should never be routed onto the Internet.

  65. D. In the subject/object model, the object is the resource being requested by a subject. In this example, Harry would like access to the document, making the document the object of the request.

  66. C. Personally identifiable information (PII) includes data that can be used to distinguish or trace that person’s identity and also includes information such as their medical, educational, financial, and employment information. PHI is personal health information, EDI is Electronic Data Interchange, and proprietary data is used to maintain an organization’s competitive advantage.

  67. B. The recovery time objective (RTO) is the amount of time expected to return an IT service or component to operation after a failure. The maximum tolerable downtime (MTD) is the longest amount of time that an IT service or component may be unavailable without causing serious damage to the organization. The recovery point objective (RPO) identifies the maximum amount of data, measured in time, that may be lost during a recovery effort. Service-level agreements (SLAs) are written contracts that document service expectations.

  68. C. Detective access controls operate after the fact and are intended to detect or discover unwanted access or activity. Preventive access controls are designed to prevent the activity from occurring, whereas corrective controls return an environment to its original status after an issue occurs. Directive access controls limit or direct the actions of subjects to ensure compliance with policies.

  69. C. Change management typically requires sign-off from a manager or supervisor before changes are made. This helps to ensure proper awareness and communication. SDN stands for software-defined networking, release management is the process that new software releases go through to be accepted, and versioning is used to differentiate versions of software, code, or other objects.

  70. C. In a risk acceptance strategy, the organization chooses to take no action other than documenting the risk. Purchasing insurance would be an example of risk transference. Relocating the data center would be risk avoidance. Reengineering the facility is an example of a risk mitigation strategy.

  71. C. The sender of a message encrypts the message using the public key of the message recipient.

  72. D. The recipient of a message uses his or her own private key to decrypt messages that were encrypted with the recipient’s public key. This ensures that nobody other than the intended recipient can decrypt the message.

  73. D. Digital signatures enforce nonrepudiation. They prevent an individual from denying that he or she was the actual originator of the message.

  74. B. An individual creates a digital signature by encrypting the message digest with his or her own private key.

  75. C. Wave pattern motion detectors transmit ultrasonic or microwave signals into the monitor area, watching for changes in the returned signals bouncing off objects.

  76. A. In an IaaS server environment, the customer retains responsibility for most server security operations under the shared responsibility model. This includes managing OS security settings, maintaining host firewalls, and configuring server access control. The vendor would be responsible for all security mechanisms at the hypervisor layer and below.

  77. B. A callback to a landline phone number is an example of a “somewhere you are” factor because of the fixed physical location of a wired phone. A callback to a mobile phone would be a “something you have” factor.

  78. A. Using encryption reduces risk by lowering the likelihood that an eavesdropper will be able to gain access to sensitive information.

  79. B. Worms have built-in propagation mechanisms that do not require user interaction, such as scanning for systems containing known vulnerabilities and then exploiting those vulnerabilities to gain access. Viruses and Trojan horses typically require user interaction to spread. Logic bombs do not spread from system to system but lie in wait until certain conditions are met, triggering the delivery of their payload.

  80. C. Both a logical bus and a logical ring can be implemented as a physical star. Ethernet is commonly deployed as a physical star by placing a switch as the center of a star, but Ethernet still operates as a bus. Similarly, Token Ring deployments using a multistation access unit (MAU) were deployed as physical stars but operated as rings.

  81. B. As an employee’s role changes, they often experience privilege creep, which is the accumulation of old rights and roles. Account review is the process of reviewing accounts and ensuring that their rights match their owners’ role and job requirements. Account revocation removes accounts, while reprovisioning might occur if an employee was terminated and returned or took a leave of absence and returned.

  82. A. The ping flood attack sends echo requests at a targeted system. These pings use inbound ICMP echo request packets, causing the system to respond with an outbound ICMP echo reply.

  83. C. Social engineering is the best answer, as it can be useful to penetration testers who are asked to assess whether staff members are applying security training and have absorbed the awareness messages the organization uses. Port scanning and vulnerability scanning find technical issues that may be related to awareness or training issues but that are less likely to be directly related. Discovery can involve port scanning or other data-gathering efforts but is also less likely to be directly related to training and awareness.

  84. A. Encrypting the files reduces the probability that the data will be successfully stolen, so it is an example of risk mitigation. Deleting the files would be risk avoidance. Purchasing insurance would be risk transference. Taking no action would be risk acceptance.

  85. C. Sally needs to provide nonrepudiation, the ability to provably associate a given email with a sender. Digital signatures can provide nonrepudiation and are her best option. IMAP is a mail protocol, encryption can provide confidentiality, and DKIM is a tool for identifying domains that send email.

  86. C. Multipartite viruses use multiple propagation mechanisms to spread between systems. This improves their likelihood of successfully infecting a system because it provides alternative infection mechanisms that may be successful against systems that are not vulnerable to the primary infection mechanism.

  87. D. A fingerprint scan is an example of a “something you are” factor, which would be appropriate for pairing with a “something you know” password to achieve multifactor authentication. A username is not an authentication factor. PINs and security questions are both “something you know,” which would not achieve multifactor authentication when paired with a password because both methods would come from the same category, failing the requirement for multifactor authentication.

  88. A. The maximum tolerable downtime (MTD) is the amount of time that a business may be without a service before irreparable harm occurs. This measure is sometimes also called maximum tolerable outage (MTO).

  89. C. Software-defined networking (SDN) is a converged protocol that allows virtualization concepts and practices to be applied to networks. MPLS handles a wide range of protocols like ATM, DSL, and others, but isn’t intended to provide the centralization capabilities that SDN does. Content distribution network (CDN) is not a converged protocol, and FCoE is Fibre Channel over Ethernet, a converged protocol for storage.

  90. A. RSA is an asymmetric encryption algorithm that requires only two keys for each user. IDEA, 3DES, and Skipjack are all symmetric encryption algorithms and would require a key for every unique pair of users in the system.

  91. A. TKIP is used only as a means to encrypt transmissions and is not used for data at rest. RSA, AES, and 3DES are all used on data at rest as well as data in transit.

  92. A. Applying a digital signature to a message allows the sender to achieve the goal of nonrepudiation. This allows the recipient of a message to prove to a third party that the message came from the purported sender. Symmetric encryption does not support nonrepudiation. Firewalls and IDS are network security tools that are not used to provide nonrepudiation.

  93. D. Privileged access reviews are one of the most critical components of an organization’s security program because they ensure that only authorized users have access to perform the most sensitive operations. They should take place whenever a user with privileged access leaves the organization or changes roles as well as on a regular, recurring basis.

  94. D. Nessus, OpenVAS, and SAINT are all vulnerability scanning tools. All provide port scanning capabilities as well but are more than simple port scanning tools.

  95. B. Network access control (NAC) systems can be used to authenticate users and then validate their system’s compliance with a security standard before they are allowed to connect to the network. Enforcing security profiles can help reduce zero-day attacks, making NAC a useful solution. A firewall can’t enforce system security policies, whereas an IDS can only monitor for attacks and alarm when they happen. Thus, neither a firewall nor an IDS meets Kolin’s needs. Finally, port security is a MAC address-based security feature that can restrict only which systems or devices can connect to a given port.

  96. C. Binary keyspaces contain a number of keys equal to 2 raised to the power of the number of bits. Two to the eighth power is 256, so an 8-bit keyspace contains 256 possible keys.

  97. B. In the private cloud computing model, the cloud computing environment is dedicated to a single organization and does not follow the shared tenancy model. The environment may be built by the company in its own data center or built by a vendor at a co-location site.

  98. B. Decentralized access control can result in less consistency because the individuals tasked with control may interpret policies and requirements differently and may perform their roles in different ways. Access outages, overly granular control, and training costs may occur, depending on specific implementations, but they are not commonly identified issues with decentralized access control.

  99. C. In the community cloud computing model, two or more organizations pool their resources to create a cloud environment that they then share.

  100. B. Password complexity is driven by length, and a longer password will be more effective against brute-force attacks than a shorter password. Each character of additional length increases the difficulty by the size of the potential character set (for example, a single lowercase character makes the passwords 26 times more difficult to crack). While each of the other settings is useful for a strong password policy, they won’t have the same impact on brute-force attacks.

  101. C. Heuristic-based antimalware software has a higher likelihood of detecting a zero-day exploit than signature-based methods. Heuristic-based software does not require frequent signature updates because it does not rely upon monitoring systems for the presence of known malware. The trade-off with this approach is that it has a higher false positive rate than signature detection methods.

  102. B. Worms have built-in propagation mechanisms that do not require user interaction, such as scanning for systems containing known vulnerabilities and then exploiting those vulnerabilities.

  103. B. Registration is the process of adding a user to an identity management system. This includes creating their unique identifier and adding any attribute information that is associated with their identity. Proofing occurs when the user provides information to prove who they are. Directories are managed to maintain lists of users, services, and other items. Session management tracks application and user sessions.

  104. D. Fred should choose a router. Routers are designed to control traffic on a network while connecting to other similar networks. If the networks are very different, a bridge can help connect them. Gateways are used to connect to networks that use other protocols by transforming traffic to the appropriate protocol or format as it passes through them. Switches are often used to create broadcast domains and to connect endpoint systems or other devices.

  105. The testing methodologies match with the level of knowledge as follows:

    1. Black box: C. No prior knowledge of the system
    2. White box: A. Full knowledge of the system
    3. Gray box: B. Partial or incomplete knowledge

  106. The cloud service offerings in order from the case where the customer bears the least responsibility to where the customer bears the most responsibility are:

    • B. SaaS
    • C. PaaS

    • A. IaaS

      In an infrastructure as a service (IaaS) cloud computing model, the customer retains responsibility for managing operating system and application security while the vendor manages security at the hypervisor level and below. In a platform as a service (PaaS) environment, the vendor takes on responsibility for the operating system, but the customer writes and configures any applications. In a software as a service (SaaS) environment, the vendor takes on responsibility for the development and implementation of the application while the customer merely configures security settings within the application. TaaS is not a cloud service model.

  107. B. RAID level 5 is also known as disk striping with parity. It uses three or more disks, with one disk containing parity information used to restore data to another disk in the event of failure. When used with three disks, RAID 5 is able to withstand the loss of a single disk.

  108. C. A star topology uses a central connection device. Ethernet networks may look like a star, but they are actually a logical bus topology that is sometimes deployed in a physical star.

  109. A. Access control lists (ACLs) are used for determining a user’s authorization level. Usernames are identification tools. Passwords and tokens are authentication tools.

  110. A. Rainbow tables rely on being able to use databases of precomputed hashes to quickly search for matches to known hashes acquired by an attacker. Making passwords longer can greatly increase the size of the rainbow table required to find the matching hash, and adding a salt to the password will make it nearly impossible for the attacker to generate a table that will match unless they can acquire the salt value. MD5 and SHA1 are both poor choices for password hashing compared to modern password hashes, which are designed to make hashing easy and recovery difficult. Rainbow tables are often used against lists of hashes acquired by attacks rather than over-the-wire attacks, so over-the-wire encryption is not particularly useful here. Shadow passwords simply make the traditionally world-readable list of password hashes on Unix and Linux systems available in a location readable only by root. This doesn’t prevent a rainbow table attack once the hashes are obtained.

  111. C. During a parallel test, the team actually activates the disaster recovery site for testing, but the primary site remains operational. During a full interruption test, the team takes down the primary site and confirms that the disaster recovery site is capable of handling regular operations. The full interruption test is the most thorough test but also the most disruptive. The checklist review is the least disruptive type of disaster recovery test. During a checklist review, team members each review the contents of their disaster recovery checklists on their own and suggest any necessary changes. During a tabletop exercise, team members come together and walk through a scenario without making any changes to information systems.

  112. A. Confidentiality ensures that data cannot be read by unauthorized individuals while stored or in transit.

  113. D. Notifications and procedures like the signs posted at the company Chris works for are examples of directive access controls. Detective controls are designed to operate after the fact. The doors and the locks on them are examples of physical controls. Preventive controls are designed to stop an event and could also include the locks that are present on the doors.

  114. A. Identity as a service (IDaaS) provides an identity platform as a third-party service. This can provide benefits, including integration with cloud services and removing overhead for maintenance of traditional on-premise identity systems but can also create risk because of third-party control of identity services and reliance on an offsite identity infrastructure.

  115. D. Binary keyspaces contain a number of keys equal to 2 raised to the power of the number of bits. Two to the sixth power is 64, so a 6-bit keyspace contains 64 possible keys. The number of viable keys is usually smaller in most algorithms because of the presence of parity bits and other algorithmic overhead or security issues that restrict the use of some key values.

  116. B. Social engineering exploits humans to allow attacks to succeed. Since help desk employees are specifically tasked with being helpful, they may be targeted by attackers posing as legitimate employees. Trojans are a type of malware, whereas phishing is a targeted attack via electronic communication methods intended to capture passwords or other sensitive data. Whaling is a type of phishing aimed at high-profile or important targets.

  117. A. Developing a business impact assessment is an integral part of the business continuity planning effort. The selection of alternate facilities, activation of those facilities, and restoration of data from backup are all disaster recovery tasks.

  118. C. The file clearly shows HTTP requests, as evidenced by the many GET commands. Therefore, this is an example of an application log from an HTTP server.

  119. D. Kerberos uses realms, and the proper type of trust to set up for an Active Directory environment that needs to connect to a K5 domain is a realm trust. A shortcut trust is a transitive trust between parts of a domain tree or forest that shortens the trust path, a forest trust is a transitive trust between two forest root domains, and an external trust is a nontransitive trust between AD domains in separate forests.

  120. B. A captive portal can require those who want to connect to and use Wi-Fi to provide an email address to connect. This allows Ben to provide easy-to-use wireless while meeting his business purposes. WPA2 PSK is the preshared key mode of WPA and won’t provide information about users who are given a key. Sharing a password doesn’t allow for data gathering either. Port security is designed to protect wired network ports based on MAC addresses.

  121. B. Many modern wireless routers can provide multiple SSIDs. Ben can create a private, secure network for his business operations, but he will need to make sure that the customer and business networks are firewalled or otherwise logically separated from each other. Running WPA2 on the same SSID isn’t possible without creating another wireless network and would cause confusion for customers (SSIDs aren’t required to be unique). Running a network in Enterprise mode isn’t used for open networks, and WEP is outdated and incredibly vulnerable.

  122. D. Unencrypted open networks broadcast traffic in the clear. This means that unencrypted sessions to websites can be easily captured with a packet sniffer. Some tools like FireSheep have been specifically designed to capture sessions from popular websites. Fortunately, many now use TLS by default, but other sites still send user session information in the clear. Shared passwords are not the cause of the vulnerability, ARP spoofing isn’t an issue with wireless networks, and a Trojan is designed to look like safe software, not to compromise a router.

  123. A. This is a clear example of a denial-of-service attack—denying legitimate users authorized access to the system through the use of overwhelming traffic. It goes beyond a reconnaissance attack because the attacker is affecting the system, but it is not a compromise because the attacker did not attempt to gain access to the system. There is no reason to believe that a malicious insider was involved.

  124. C. SYN floods rely on the TCP implementation on machines and network devices to cause denial-of-service conditions.

  125. A. The Advanced Encryption Standard (AES) supports the use of encryption keys that are 128 bits, 192 bits, or 256 bits in length.

Chapter 9: Practice Test 2

  1. C. The first thing Casey should do is notify her management, but after that, replacing the certificate and using proper key management practices with the new certificate’s key should be at the top of her list.

  2. B. Phishing is not an attack against an access control mechanism. While phishing can result in stolen credentials, the attack itself is not against the control system and is instead against the person being phished. Dictionary attacks and man-in-the-middle attacks both target access control systems.

  3. C. One of the core capabilities of infrastructure as a service is providing servers on a vendor-managed virtualization platform. Web-based payroll and email systems are examples of software as a service. An application platform managed by a vendor that runs customer code is an example of platform as a service.

  4. B. Soda acid and other dry powder extinguishers work to remove the fuel supply. Water suppresses temperature, while halon and carbon dioxide remove the oxygen supply from a fire.

  5. B. Warm sites contain the hardware necessary to restore operations but do not have a current copy of data.

  6. A. 201.19.7.45 is a public IP address. RFC 1918 addresses are in the ranges 10.0.0.0 to 0.255.255.255, 172.16.0.0 to 172.31.255.255, and 192.168.0.0 to 192.168.255.255. APIPA addresses are assigned between 169.254.0.0 to 169.254.255.254, and 127.0.0.1 is a loopback address (although technically the entire 127.x.x.x network is reserved for loopback).

  7. B. A post-admission philosophy allows or denies access based on user activity after connection. Since this doesn’t check the status of a machine before it connects, it can’t prevent the exploit of the system immediately after connection. This doesn’t preclude out-of-band or in-band monitoring, but it does mean that a strictly post-admission policy won’t handle system checks before the systems are admitted to the network.

  8. B. Encapsulation is a process that adds a header and possibly a footer to data received at each layer before handoff to the next layer. TCP wrappers are a host-based network access control system, attribution is determining who or what performed an action or sent data, and data hiding is a term from object-oriented programming that is not relevant here.

  9. A. The four canons of the (ISC)2 code of ethics are to protect society, the common good, necessary public trust and confidence, and the infrastructure; act honorably, honestly, justly, responsibly, and legally; provide diligent and competent service to principals; and advance and protect the profession.

  10. A. The purpose of a digital certificate is to provide the general public with an authenticated copy of the certificate subject’s public key.

  11. D. The last step of the certificate creation process is the digital signature. During this step, the certificate authority signs the certificate using its own private key.

  12. C. When an individual receives a copy of a digital certificate, he or she verifies the authenticity of that certificate by using the CA’s public key to validate the digital signature contained on the certificate.

  13. A. Mike uses the public key that he extracted from Renee’s digital certificate to encrypt the message that he would like to send to Renee.

  14. A. Guidelines provide advice based on best practices developed throughout industry and organizations, but they are not compulsory. Compliance with guidelines is optional.

  15. C. Privilege creep occurs when users retain from roles they held previously rights they do not need to accomplish their current job. Unauthorized access occurs when an unauthorized user accesses files. Excessive provisioning is not a term used to describe permissions issues, and account review would help find issues like this.

  16. C. Routing Information Protocol (RIP), Open Shortest Path First (OSPF), and Border Gateway Protocol (BGP) are all routing protocols and are associated with routers.

  17. B. Susan has used two distinct types of factors: the PIN and password are both Type 1 factors, and the retina scan is a Type 3 factor. Her username is not a factor.

  18. B. TCP’s use of a handshake process to establish communications makes it a connection-oriented protocol. TCP does not monitor for dropped connections, nor does the fact that it works via network connections make it connection-oriented.

  19. A. The goal of the business continuity planning process is to ensure that your recovery time objectives are all less than your maximum tolerable downtimes.

  20. B. Awareness training is an example of an administrative control. Firewalls and intrusion detection systems are technical controls. Security guards are physical controls.

  21. B. RAID level 1 is also known as disk mirroring. RAID 0 is called disk striping. RAID 5 is called disk striping with parity. RAID 10 is known as a stripe of mirrors.

  22. C. Service Provisioning Markup Language, or SPML, is an XML-based language designed to allow platforms to generate and respond to provisioning requests. SAML is used to make authorization and authentication data, while XACML is used to describe access controls. SOAP, or Simple Object Access Protocol, is a messaging protocol and could be used for any XML messaging but is not a markup language itself.

  23. C. TCP, UDP, and other transport layer protocols like SSL and TLS operate at the Transport layer.

  24. B. Linda should choose a warm site. This approach balances cost and recovery time. Cold sites take a long time to activate, measured in weeks or months. Hot sites activate immediately but are quite expensive. Mutual assistance agreements depend on the support of another organization.

  25. D. Differential backups do not alter the archive bit on a file, whereas incremental and full backups reset the archive bit to 0 after the backup completes. Partial backups are not a backup type.

  26. C. The Remediation phase of incident handling focuses on conducting a root-cause analysis to identify the factors contributing to an incident and implementing new security controls, as needed.

  27. The services match with the network ports as follows:

    1. DNS: D. UDP port 53
    2. HTTPS: A. TCP port 443
    3. SSH: E. TCP port 22
    4. RDP: B. TCP port 3389
    5. MSSQL: C. TCP port 1433

  28. C. Windows system logs include reboots, shutdowns, and service state changes. Application logs record events generated by programs, security logs track events like logins and uses of rights, and setup logs track application setup.

  29. D. The system is set to overwrite the logs and will replace the oldest log entries with new log entries when the file reaches 20 MB. The system is not purging archived logs because it is not archiving logs. Since there can only be 20 MB of logs, this system will not have stored too much log data, and the question does not provide enough information to know whether there will be an issue with not having the information needed.

  30. D. Modification of audit logs will prevent repudiation because the data cannot be trusted, and thus actions cannot be provably denied. The modification of the logs is also a direct example of tampering. It might initially be tempting to answer elevation of privileges and tampering, as the attacker made changes to files that should be protected, but this is an unknown without more information. Similarly, the attacker may have accessed the files, resulting in information disclosure in addition to tampering, but again, this is not specified in the question. Finally, this did not cause a denial of service, and thus that answer can be ignored.

  31. The disaster recovery test types, listed in order of their potential impact on the business from the least impactful to the most impactful, are as follows:

    1. Checklist review
    2. Parallel test
    3. Tabletop exercise

    4. Full interruption test

      Checklist reviews are the least impactful type of exercise because they do not even require a meeting. Each team member reviews the checklist on his or her own. Tabletop exercises are slightly more impactful because they require bringing together the DR team in the same room. Parallel tests require the activation of alternate processing sites and require significant resources. Full interruption tests are the most impactful type of exercise because they involve shifting operations to the alternate site and could disrupt production activity.

  32. A. Resource-based access controls match permissions to resources like a storage volume. Resource-based access controls are becoming increasingly common in cloud-based infrastructure as a service environments. The lack of roles, rules, or a classification system indicate that role-based, rule-based, and mandatory access controls are not in use here.

  33. B. Fred’s company needs to protect integrity, which can be accomplished by digitally signing messages. Any change will cause the signature to be invalid. Encrypting isn’t necessary because the company does not want to protect confidentiality. TLS can provide in-transit protection but won’t protect integrity of the messages, and of course a hash used without a way to verify that the hash wasn’t changed won’t ensure integrity either.

  34. C. Deterrence is the first functional goal of physical security mechanisms. If a physical security control presents a formidable challenge to a potential attacker, they may not attempt the attack in the first place.

  35. B. In this scenario, all the files on the server will be backed up on Monday evening during the full backup. Tuesday’s incremental backup will include all files changed since Monday’s full backup: files 1, 2, and 5. Wednesday’s incremental backup will then include all files modified since Tuesday’s incremental backup: files 3 and 6.

    image

  36. C. Identity proofing can be done by comparing user information that the organization already has, such as account numbers or personal information. Requiring users to create unique questions can help with future support by providing a way for them to do password resets. Using a phone call only verifies that the individual who created the account has the phone that they registered and won’t prove their identity. In-person verification would not fit the business needs of most websites.

  37. C. Interviews, surveys, and audits are all useful for assessing awareness. Code quality is best judged by code review, service vulnerabilities are tested using vulnerability scanners and related tools, and the attack surface of an organization requires both technical and administrative review.

  38. D. The three-way handshake is SYN, SYN/ACK, ACK. System B should respond with “Synchronize and Acknowledge” to System A after it receives a SYN.

  39. D. The Advanced Encryption Standard supports encryption with 128-bit keys, 192-bit keys, and 256-bit keys.

  40. B. Multipartite viruses use multiple propagation mechanisms to defeat system security controls but do not necessarily include techniques designed to hide the malware from antivirus software. Stealth viruses tamper with the operating system to hide their existence. Polymorphic viruses alter their code on each system they infect to defeat signature detection. Encrypted viruses use a similar technique, employing encryption to alter their appearance and avoid signature detection mechanisms.

  41. A. Cellular networks have the same issues that any public network does. Encryption requirements should match those that the organization selects for other public networks such as hotels, conference Wi-Fi, and similar scenarios. Encrypting all data is difficult and adds overhead, so it should not be the default answer unless the company specifically requires it. WAP is a dated wireless application protocol and is not in broad use; requiring it would be difficult. WAP does provide TLS, which would help when in use.

  42. D. Fred’s best option is to use an encrypted, trusted VPN service to tunnel all of his data usage. Trusted Wi-Fi networks are unlikely to exist at a hacker conference, normal usage is dangerous due to the proliferation of technology that allows fake towers to be set up, and discontinuing all usage won’t support Fred’s business needs.

  43. B. Remote wipe tools are a useful solution, but they work only if the phone can access either a cellular or Wi-Fi network. Remote wipe solutions are designed to wipe data from the phone regardless of whether it is in use or has a passcode. Providers unlock phones for use on other cellular networks rather than for wiping or other feature support.

  44. B. Risk transference involves actions that shift risk from one party to another. Purchasing insurance is an example of risk transference because it moves risk from the insured to the insurance company.

  45. C. For systems running in System High mode, the user must have a valid security clearance for all information processed by the system, access approval for all information processed by the system, and a valid need to know for some, but not necessarily all, information processed by the system.

  46. D. Risk acceptance occurs when an organization determines that the costs involved in pursuing other risk management strategies are not justified and they choose not to pursue any action.

  47. B. Carla’s account has experienced aggregation, where privileges accumulated over time. This condition is also known as privilege creep and likely constitutes a violation of the least privilege principle.

  48. A. The service-level agreement (SLA) is between a service provider and a customer and documents in a formal manner expectations around availability, performance, and other parameters. An MOU may cover the same items but is not as formal a document. An OLA is between internal service organizations and does not involve customers. An SOW is an addendum to a contract describing work to be performed.

  49. C. Both TCP and UDP port numbers are a 16-digit binary number, which means there can be 216 ports, or 65,536 ports, numbered from 0 to 65,535.

  50. D. When users have more rights than they need to accomplish their job, they have excessive privileges. This is a violation of the concept of least privilege. Unlike creeping privileges, this is a provisioning or rights management issue rather than a problem of retention of rights the user needed but no longer requires. Rights collision is a made-up term and thus is not an issue here.

  51. C. Jim has agreed to a black-box penetration test, which provides no information about the organization, its systems, or its defenses. A crystal- or white-box penetration test provides all of the information an attacker needs, whereas a gray-box penetration test provides some, but not all, information.

  52. C. An access control matrix is a table that lists objects, subjects, and their privileges. Access control lists focus on objects and which subjects can access them. Capability tables list subjects and what objects they can access. Subject/object rights management systems are not based on an access control model.

  53. B. Identity as a service (IDaaS) provides capabilities such as account provisioning, management, authentication, authorization, reporting, and monitoring. Platform as a service (PaaS), infrastructure as a service (IaaS), and software as a service (SaaS) are other types of cloud computing capabilities that are not specialized identity management services.

  54. A. If the (ISC)2 peer review board finds that a certified individual has violated the (ISC)2 code of ethics, the board may revoke their certification. The board is not able to terminate an individual’s employment or assess financial penalties.

  55. C. They need a key for every possible pair of users in the cryptosystem. The first key would allow communication between Matthew and Richard. The second key would allow communication between Richard and Christopher. The third key would allow communication between Christopher and Matthew.

  56. B. Syslog uses UDP port 514. TCP-based implementations of syslog typically use port 6514. The other ports may look familiar because they are commonly used TCP ports: 443 is HTTPS, 515 is the LPD print service, and 445 is used for Windows SMB.

  57. D. During a tabletop exercise, team members come together and walk through a scenario without making any changes to information systems. The checklist review is the least disruptive type of disaster recovery test. During a checklist review, team members each review the contents of their disaster recovery checklists on their own and suggest any necessary changes. During a parallel test, the team actually activates the disaster recovery site for testing, but the primary site remains operational. During a full interruption test, the team takes down the primary site and confirms that the disaster recovery site is capable of handling regular operations. The full interruption test is the most thorough test but also the most disruptive.

  58. D. Procedures are formal, mandatory documents that provide detailed, step-by-step actions required from individuals performing a task.

  59. B. Tammy should choose a warm site. This type of facility meets her requirements for a good balance between cost and recovery time. It is less expensive than a hot site but facilitates faster recovery than a cold site. A red site is not a type of disaster recovery facility.

  60. C. Signature detection is extremely effective against known strains of malware because it uses a reliable pattern matching technique to identify known malware. Signature detection is, therefore, the most reliable way to detect known malware. This technique is not, however, effective against the zero-day malware typically used by advanced persistent threats (APTs) that does not exploit vulnerabilities identified in security bulletins. While malware authors once almost exclusively targeted Windows systems, malware now exists for all major platforms.

  61. C. Regression testing ensures proper functionality of an application or system after it has been changed. Unit testing focuses on testing each module of a program instead of against its previous functional state. White- and black-box testing both describe the amount of knowledge about a system or application, rather than a specific type or intent for testing.

  62. A. Heartbeat sensors send periodic status messages from the alarm system to the monitoring center. The monitoring center triggers an alarm if it does not receive a status message for a prolonged period of time, indicating that communications were disrupted.

  63. B. Polymorphic viruses mutate each time they infect a system by making adjustments to their code that assists them in evading signature detection mechanisms. Encrypted viruses also mutate from infection to infection but do so by encrypting themselves with different keys on each device.

  64. C. External auditors can provide an unbiased and impartial view of an organization’s controls to third parties. Internal auditors are useful when reporting to senior management of the organization but are typically not asked to report to third parties. Penetration tests test technical controls but are not as well suited to testing many administrative controls. The employees who build and maintain controls are more likely to bring a bias to the testing of those controls and should not be asked to report on them to third parties.

  65. D. The hypervisor runs within the virtualization platform and serves as the moderator between virtual resources and physical resources.

  66. B. Google’s federation with other applications and organizations allows single sign-on as well as management of their electronic identity and its related attributes. While this is an example of SSO, it goes beyond simple single sign-on. Provisioning provides accounts and rights, and a public key infrastructure is used for certificate management.

  67. B. Running the program in a sandbox provides secure isolation that can prevent the malware from impacting other applications or systems. If Joe uses appropriate instrumentation, he can observe what the program does, what changes it makes, and any communications it may attempt. ASLR is a memory location randomization technology, process isolation keeps processes from impacting each other, but a sandbox typically provides greater utility in a scenario like this since it can be instrumented and managed in a way that better supports investigations, and clipping is a term often used in signal processing.

  68. C. Each of the precautions listed helps to prevent social engineering by helping prevent exploitation of trust. Avoiding voice-only communications is particularly important since establishing identity over the phone is difficult. The other listed attacks would not be prevented by these techniques.

  69. D. Mirai targeted Internet of Things devices, including routers, cameras, and DVRs. As organizations bring an increasing number of devices like these into their corporate networks, protecting both internal and external targets from insecure, infrequently updated, and often vulnerable IoT devices is increasingly important.

  70. D. The use of a probability/impact matrix is the hallmark of a qualitative risk assessment. It uses subjective measures of probability and impact, such as “high” and “low,” in place of quantitative measures.

  71. B. Ben is reusing his salt. When the same salt is used for each hash, all users with the same password will have the same hash, and the attack can either attempt to steal the salt or may attempt to guess the salt by targeting the most frequent hash occurrences based on commonly used passwords. Short salts are an issue, but the salts used here are 32 bytes (256 bits) long. There is no salting algorithm used or mentioned here; salt is an added value for a hash, and plaintext salting is a made-up term.

  72. C. Usernames are an identification tool. They are not secret, so they are not suitable for use as a password.

  73. A. While developers may feel like they have a business need to be able to move code into production, the principle of separation of duties dictates that they should not have the ability to both write code and place it on a production server. The deployment of code is often performed by change management staff.

  74. B. A security information and event management (SIEM) tool is designed to centralize logs from many locations in many formats and to ensure that logs are read and analyzed despite differences between different systems and devices. The Simple Network Management Protocol (SNMP) is used for some log messaging but is not a solution that solves all of these problems. Most non-Windows devices, including network devices among others, are not designed to use the Windows event log format, although using NTP for time synchronization is a good idea. Finally, local logging is useful, but setting clocks individually will result in drift over time and won’t solve the issue with many log sources.

  75. A. The emergency response guidelines should include the immediate steps an organization should follow in response to an emergency situation. These include immediate response procedures, a list of individuals who should be notified of the emergency, and secondary response procedures for first responders. They do not include long-term actions such as activating business continuity protocols, ordering equipment, or activating disaster recovery sites.

  76. D. The image clearly shows a black magnetic stripe running across the card, making this an example of a magnetic stripe card.

  77. A. Repudiation threats allow an attacker to deny having performed an action or activity without the other party being able to prove differently.

  78. A. When operating system patches are no longer available for mobile devices, the best option is typically to retire or replace the device. Building isolated networks will not stop the device from being used for browsing or other purposes, which means it is likely to continue to be exposed to threats. Installing a firewall will not remediate the security flaws in the OS, although it may help somewhat. Finally, reinstalling the OS will not allow new updates or fix the root issue.

  79. C. Mandatory access controls use a lattice to describe how classification labels relate to each other. In this image, classification levels are set for each of the labels shown. A discretionary access control (DAC) system would show how the owner of the objects allows access. RBAC could be either rule- or role-based access control and would use either system-wide rules or roles. Task-based access control (TBAC) would list tasks for users.

  80. B. Cloud computing systems where the customer only provides application code for execution on a vendor-supplied computing platform are examples of platform as a service (PaaS) computing.

  81. C. Rainbow tables are databases of prehashed passwords paired with high-speed lookup functions. Since they can quickly compare known hashes against those in a file, using rainbow tables is the fastest way to quickly determine passwords from hashes. A brute-force attack may eventually succeed but will be very slow against most hashes. Pass-the-hash attacks rely on sniffed or otherwise acquired NTLM or LanMan hashes being sent to a system to avoid the need to know a user’s password. Salts are data added to a hash to avoid the use of tools like rainbow tables. A salt added to a password means the hash won’t match a rainbow table generated without the same salt.

  82. C. The blacklist approach to application control blocks certain prohibited packages but allows the installation of other software on systems. The whitelist approach uses the reverse philosophy and allows only approved software. Antivirus software would detect the installation of malicious software only after the fact. Heuristic detection is a variant of antivirus software.

  83. C. This scenario describes separation of duties—not allowing the same person to hold two roles that, when combined, are sensitive. While two-person control is a similar concept, it does not apply in this case because the scenario does not say that either action requires the concurrence of two users.

  84. C. These are examples of private IP addresses. RFC1918 defines a set of private IP addresses for use in internal networks. These private addresses including 10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255, and 192.168.0.0 to 196.168.255.255 should never be routable on the public Internet.

  85. A. This is an example of a vendor offering a fully functional application as a web-based service. Therefore, it fits under the definition of software as a service (SaaS). In infrastructure as a service (IaaS), compute as a service (CaaS), and platform as a service (PaaS) approaches, the customer provides their own software. In this example, the vendor is providing the email software, so none of those choices is appropriate.

  86. The cable types match with the maximum lengths as follows:

    1. Category 5e: B. 300 feet
    2. Coaxial (RG-58): A. 500 feet
    3. Fiber optic: C. 1+ kilometers

  87. D. The Authentication Header provides authentication, integrity, and nonrepudiation for IPsec connections. The Encapsulating Security Payload provides encryption and thus provides confidentiality. It can also provide limited authentication. L2TP is an independent VPN protocol, and Encryption Security Header is a made-up term.

  88. D. Need to know is applied when subjects like Alex have access to only the data they need to accomplish their job. Separation of duties is used to limit fraud and abuse by having multiple employees perform parts of a task. Constrained interfaces restrict what a user can see or do and would be a reasonable answer if need to know did not describe his access more completely in this scenario. Context-dependent control relies on the activity being performed to apply controls, and this question does not specify a workflow or process.

  89. B. Operational investigations are performed by internal teams to troubleshoot performance or other technical issues. They are not intended to produce evidence for use in court and, therefore, do not have the rigid collection standards of criminal, civil, or regulatory investigations.

  90. B. The complexity of brute-forcing a password increases based on both the number of potential characters and the number of letters added. In this case, there are 26 lowercase letters, 26 uppercase letters, and 10 possible digits. That creates 62 possibilities. Since we added only a single letter of length, we get 62^1, or 62 possibilities, and thus, the new passwords would be 62 times harder to brute-force on average.

  91. A. Purchasing insurance is a way to transfer risk to another entity.

  92. B. The recovery time objective (RTO) is the amount of time that it may take to restore a service after a disaster without unacceptable impact on the business. The RTO for each service is identified during a business impact assessment.

  93. A. Retina scans can reveal additional information, including high blood pressure and pregnancy, causing privacy concerns. Newer retina scans don’t require a puff of air, and retina scanners are not the most expensive biometric factor. Their false positive rate can typically be adjusted in software, allowing administrators to adjust their acceptance rate as needed to balance usability and security.

  94. C. The SMTP protocol does not guarantee confidentiality between servers, making TLS or SSL between the client and server only a partial measure. Encrypting the email content can provide confidentiality; digital signatures can provide nonrepudiation.

  95. B. When data reaches the Transport layer, it is sent as segments (TCP) or datagrams (UDP). Above the Transport layer, data becomes a data stream, while below the Transport layer they are converted to packets at the Network layer, frames at the Data Link layer, and bits at the Physical layer.

  96. A. Authenticated scans use a read-only account to access configuration files, allowing more accurate testing of vulnerabilities. Web application, unauthenticated scans, and port scans don’t have access to configuration files unless they are inadvertently exposed.

  97. B. A baseline is used to ensure a minimum security standard. A policy is the foundation that a standard may point to for authority, and a configuration guide may be built from a baseline to help staff who need to implement it to accomplish their task. An outline is helpful, but outline isn’t the term you’re looking for here.

  98. B. Full disk encryption only protects data at rest. Since it encrypts the full disk, it does not distinguish between labeled and unlabeled data.

  99. C. This scenario violates the least privilege principle because an application should never require full administrative rights to run. Gwen should update the service account to have only the privileges necessary to support the application.

  100. B. When a message reaches the Data Link layer, it is called a frame. Data streams exist at the Application, Presentation, and Session layers, whereas segments and datagrams exist at the Transport layer (for TCP and UDP, respectively).

  101. B. Criminal forensic investigations typically have the highest standards for evidence, as they must be able to help prove the case beyond a reasonable doubt. Administrative investigations merely need to meet the standards of the organization and to be able to be defended in court, while civil investigations operate on a preponderance of evidence. There is not a category of forensic investigation referred to as “industry” in the CISSP® exam’s breakdown of forensic types.

  102. A. Protected health information (PHI) is defined by HIPAA to include health information used by healthcare providers, such as medical treatment, history, and billing. Personally identifiable information is information that can be used to identify an individual, which may be included in the PHI but isn’t specifically this type of data. Protected health insurance and individual protected data are both made-up terms.

  103. D. Fiber-optic cable is more expensive and can be much harder to install than stranded copper cable or coaxial cable, but it isn’t susceptible to electromagnetic interference (EMI). That makes it a great solution for Jen’s problem, especially if she is deploying EMI-hardened systems to go with her EMI-resistant network cables.

  104. D. Gray-box testing is a blend of crystal-box (or white-box) testing, which provides full information about a target, and black-box testing, which provides little or no knowledge about the target.

  105. D. The Service Organizations Control audit program includes business continuity controls in a SOC 2, but not SOC 1, audit. Although FISMA and PCI DSS may audit business continuity, they would not apply to an email service used by a hospital.

  106. C. A mantrap, which is composed of a pair of doors with an access mechanism that allows only one door to open at a time, is an example of a preventive access control because it can stop unwanted access by keeping intruders from accessing a facility because of an opened door or following legitimate staff in. It can serve as a deterrent by discouraging intruders who would be trapped in it without proper access, and of course, doors with locks are an example of a physical control. A compensating control attempts to make up for problems with an existing control or to add additional controls to improve a primary control.

  107. The protocols match with the descriptions as follows:

    1. TCP: C. Transports data over a network in a connection-oriented fashion
    2. UDP: D. Transports data over a network in a connectionless fashion
    3. DNS: B. Performs translations between FQDNs and IP addresses

    4. ARP: A. Performs translations between MAC addresses and IP addresses

      The Domain Name System (DNS) translates human-friendly fully qualified domain names (FQDNs) into IP addresses, making it possible to easily remember websites and hostnames. ARP is used to resolve IP addresses into MAC addresses. TCP and UDP are used to control the network traffic that travels between systems. TCP does so in a connection-oriented fashion using the three-way handshake, while UDP uses connectionless “best-effort” delivery.

  108. C. A unique salt should be created for each user using a secure generation method and stored in that user’s record. Since attacks against hashes rely on building tables to compare the hashes against, unique salts for each user make building tables for an entire database essentially impossible—the work to recover a single user account may be feasible, but large-scale recovery requires complete regeneration of the table each time. A single salt allows rainbow tables to be generated if the salt is stolen or can be guessed based on frequently used passwords. Creating a unique salt each time a user logs in does not allow a match against a known salted hashed password.

  109. C. An important part of application threat modeling is threat categorization. It helps to assess attacker goals that influence the controls that should be put in place. The other answers all involve topics that are not directly part of application threat modeling.

  110. D. There is no need to conduct forensic imaging as a preventative measure. Rather, forensic imaging should be used during the incident response process. Maintaining patch levels, implementing intrusion detection/prevention, and removing unnecessary services and accounts are all basic preventative measures.

  111. C. The two most important elements of a qualitative risk assessment are determining the probability and impact of each risk upon the organization. Likelihood is another word for probability. Cost should be taken into account but is only one element of impact, which also includes reputational damage, operational disruption, and other ill effects.

  112. C. The Secure File Transfer Protocol (SFTP) is specifically designed for encrypted file transfer. SSH is used for secure command-line access, whereas TCP is one of the bundles of Internet protocols commonly used to transmit data across a network. IPsec could be used to create a tunnel to transfer the data but is not specifically designed for file transfer.

  113. B. Criminal investigations have high stakes with severe punishment for the offender that may include incarceration. Therefore, they use the strictest standard of evidence of all investigations: beyond a reasonable doubt. Civil investigations use a preponderance-of-the-evidence standard. Regulatory investigations may use whatever standard is appropriate for the venue where the evidence will be heard. This may include the beyond-a-reasonable-doubt standard, but it is not always used in regulatory investigations. Operational investigations do not use a standard of evidence.

  114. A. During a full interruption test, the team takes down the primary site and confirms that the disaster recovery site is capable of handling regular operations. The full interruption test is the most thorough test but also the most disruptive. During a parallel test, the team actually activates the disaster recovery site for testing but the primary site remains operational. The checklist review is the least disruptive type of disaster recovery test. During a checklist review, team members each review the contents of their disaster recovery checklists on their own and suggest any necessary changes. During a tabletop exercise, team members come together and walk through a scenario without making any changes to information systems.

  115. B. Personally identifiable information (PII) can be used to distinguish a person’s identity. Protected health information (PHI) includes data such as medical history, lab results, insurance information, and other details about a patient. Personal protected data is a made-up term, and PID is an acronym for process ID, the number associated with a running program or process.

  116. A. Information that is modifiable between a client and a server also means that it is accessible, pointing to both tampering and information disclosure. Spoofing in STRIDE is aimed at credentials and authentication, and there is no mention of this in the question. Repudiation would require that proving who performed an action was important, and elevation of privilege would come into play if privilege levels were involved.

  117. C. Risk transference involves shifting the impact of a potential risk from the organization incurring the risk to another organization. Insurance is a common example of risk transference.

  118. C. Turnstiles are unidirectional gates that prevent more than a single person from entering a facility at a time.

  119. C. The goal of business continuity planning exercises is to reduce the amount of time required to restore operations. This is done by minimizing the recovery time objective (RTO).

  120. B. The maximum allowed length of a Cat 6 cable is 100 meters, or 328 feet. Long distances are typically handled by a fiber run or by using network devices like switches or repeaters.

  121. A. Hot sites contain all of the hardware and data necessary to restore operations and may be activated very quickly.

  122. A. RAID level 0 is also known as disk striping. RAID 1 is called disk mirroring. RAID 5 is called disk striping with parity. RAID 10 is known as a stripe of mirrors.

  123. A. This is an example of a time of check/time of use, or TOC/TOU attack. It exploits the difference between the times when a system checks for permission to perform an action and when the action is actually performed. Permissions creep would occur if the account had gained additional rights over time as the other’s role or job changed. Impersonation occurs when an attacker pretends to be a valid user, and link swap is not a type of attack.

  124. B. RAID 0, or disk striping, requires at least two disks to implement. It improves performance of the storage system but does not provide fault tolerance.

  125. A. The RSA algorithm supports key lengths between 1,024 and 4,096 bits. All of these key lengths are currently considered secure. Some cryptographers believe that attacks will surface that render 1,024 bit keys insecure in the future, but no such attacks are yet public. RSA does not support 512 bit keys.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
18.191.157.186