Appendix
Answers to Review Questions

Chapter 1: Risk Management

  1. C. Subjective opinions are not an advantage of quantitative risk assessment but rather an advantage of qualitative risk assessment.
  2. A. What helps demystify these formulas is recalling what each value represents. Recall that SLE is the single loss expectancy of an asset, EF is the exposure factor, and a higher EF means a higher exposure (higher vulnerability of that asset). So, it's reasonable to understand that expectancy of a loss goes higher when the exposure is higher. Single loss expectancy is a product of both the asset's value and how vulnerable that asset is to a loss.
  3. B. Although a qualitative assessment generally requires much less time than a quantitative one, a qualitative assessment does not provide cost values.
  4. B. Recall that ALE represents the annual loss expectancy of an asset while SLE is the single loss. Once you understand that ALE is simply a year's value of the SLE, then you understand that the number of occurrences per year is what's needed to calculate ALE. The Annual Rate of Occurrence (ARO) represents that number of occurrences. Just remember that ARO can be less than once per year, which means the loss is expected to happen once over multiple years. And if ARO is less than one, then ALE will be less than SLE.
  5. D. To transfer the risk is to deflect it to a third party. The most common third party is an insurance company. Instead of managing the risk directly, the organization incurs an ongoing cost from that third party.
  6. C. To mitigate the risk means that a control is used to reduce the risk. For example, installing a firewall is one method by which risk can be mitigated.
  7. A. Once you have the asset's value (AV) and the exposure factor (EF), the product of those two values is the single loss expectancy (SLE).
  8. A. This is where you make a step-by-step list of the possibilities for testing. Test each possibility to see if it corrects the problem. Be careful to change one thing at a time to avoid creating any new problems. If the step-by-step procedure fails to fix the problem, then return to the beginning of the process and start over.
  9. C. Employees are often the target of cybercrime, and one simple mistake can have catastrophic consequences. Security awareness training educates employees about the cyber landscape and how to remain secure in the corporate ecosystem.
  10. A. A vulnerability can be described as a weakness in hardware, software, or components that may be exploited in order for a threat to destroy, damage, or compromise an asset.
  11. C. A threat is any agent, condition, or circumstance that could cause harm, loss, damage, or compromise to an IT asset or data asset. The likelihood of the threat is the probability of occurrence or the odds that the event will actually occur.
  12. D. OpenVAS is a vulnerability assessment tool, not an audit standard.
  13. D. The gap analysis examines an area or environment and is designed to report the difference between “where we are” and “where we want to be.” The analysis of that gap provides an objective viewpoint that helps form the steps necessary to close that gap.
  14. D. Vulnerability assessment tools and scanners provide information on vulnerabilities within a targeted application or system or an entire network. Vulnerability assessment tools usually provide advice on how to fix or manage the security risks that they have discovered.
  15. B. Uptime agreements (UAs) are one of the most well-known types of SLAs. UAs detail the agreed-on amount of uptime.
  16. D. The principle of least privilege is a best practice that ensures a person has only enough access to perform their duties.
  17. C. Personnel will manually perform recovery steps without causing any actual disruption.
  18. B. The equipment is merely available, not yet set up; at least partial setup and configuration are assumed to be still outstanding. A cold site is the cheapest and will require the most time to get running.
  19. A. The mean time to recovery (MTTR) describes the length of time between an interruption and the recovery from that interruption.
  20. A. Dual control requires employees to work together to complete critical actions. A common example is that of a combination or code for a safe. Two employees are required to open it successfully. Separation of duties limits what one employee can do, likely requiring a more senior employee to validate the employee's action.

Chapter 2: Configure and Implement Endpoint Security Controls

  1. C. Yes, there are synonyms for hardening, but the term hardening is the right word to recognize on the exam.
  2. D. The TCB is the sum of all protection mechanisms within a computer, and it is responsible for enforcing the security policy. This includes hardware, software, controls, and processes.
  3. A. The Hardware Security Module (HSM) and the Trusted Platform Module (TPM) do provide the option to encrypt hard drives and fixed storage, but not portable storage devices like USB drives. HSM and TPM authenticate the system, not the user.
  4. B. Security-Enhanced Linux is a Linux kernel security module that provides a mechanism for supporting access control security policies, including mandatory access controls. SELinux is a set of kernel modifications and user-space tools that have been added to various Linux distributions; it was started by a collaboration between the NSA and Red Hat.
  5. C. HSM and TPM provide the option to encrypt hard drives and fixed storage, not portable drives such as a USB drive.
  6. D. Examples of trusted OSs include SELinux, SEAndroid, and Trusted Solaris. Security-Enhanced Linux (SELinux), available now for just over 20 years, started as a collaborative effort between the NSA and Red Hat, and it continues to be improved. SELinux brings MAC to the Linux kernel, allowing for much stricter access control.
  7. B. The Hardware Security Module (HSM) is a type of secure crypto processor used to manage cryptographic keys. TPMs use an endorsement key and a storage root key, and SEDs use a random data encryption key (DEK), which the drive uses to both encrypt and decrypt the data.
  8. C. Attestation services can be designed as hardware-based, software-based, or hybrid. The Trusted Platform Module (TPM) is a specialized form of hardware security module, which might contain an asymmetric key or some other secret.
  9. D. Basic attributes of a trusted OS include long-term protected storage, separation of user processes from supervisor processes, isolation, and hardware protection.
  10. A. The total cost of ownership (TCO) is lower when using a standard operating system throughout the organization.
  11. C. A data interface is used with databases to generate process templates. Process templates are reusable collections of activity types. They allow system integrators and others who work with different clients to manipulate similar types of data.
  12. D. One of the original trusted OS testing standards was the Trusted Computer System Evaluation Criteria (TCSEC). TCSEC, also known as the Orange Book, was developed to evaluate stand-alone systems but was replaced by the Common Criteria.
  13. D. If a hardware system is particularly critical and cannot be easily replaced, a way to reduce downtime is to employ high availability (HA) with redundant hardware.
  14. C. Common Criteria categorizes assurance into one of seven increasingly strict levels of assurance, called the evaluation assurance levels (EALs). EALs provide a specific level of confidence in the security functions of the system being analyzed.
  15. C. A SED is a hard disk drive (HDD) or solid-state drive (SSD) designed to automatically encrypt and decrypt drive data without the need for user input or disk encryption software. When the SED is powered on in the host system, data being written to and read from the drive is being encrypted and decrypted instantly, and no other steps or software are needed to encrypt and decrypt the drive's data.
  16. A. Computers rely on system firmware, commonly known as the system Basic Input/Output System (BIOS), to facilitate the hardware initialization process and transition control to the operating system. Unauthorized modification of BIOS firmware by malicious software is a significant threat because of its unique and privileged position within the PC architecture. The move from BIOS to implementations based on the Unified Extensible Firmware Interface (UEFI) may make it easier for malware to target the BIOS.
  17. C. The NX (No-eXecute) bit segregates memory areas used for processor instruction and data storage.
  18. C. User and entity behavior analytics (UEBA) can possibly detect an unauthorized user or a Trojaned device.
  19. C. ASLR protects against buffer overflow attacks by randomizing the location of different portions of the code. Therefore, even if an attacker managed to make a buffer overflow work once, it may never work again on the same code.
  20. C. SEAndroid uses the concept of application sandboxing, or isolating and restricting its applications in their own respective memory and drive spaces.

Chapter 3: Security Operations Scenarios

  1. A. Threat hunting is to search for and identify security threats and problems that have yet to be discovered in the environment. The prize to be sought would be the capable insider threat or shadow IT, which, until discovered, had been “flying under the radar.” Other potential discoveries can be bad configurations or outdated processes.
  2. B. Some of the most notorious malware that has targeted global consumers, banks, and retailers over the past few years originated from Russia or former Soviet states: LoJax, BadRabbit, and NotPetya, to name just a few.
  3. D. Indicators of compromise (IoCs) are evidence that a security incident occurred, and more investigation is needed to reveal the consequences. IoCs can be subtle or blatantly obvious and can range from log entries, alerts, and notifications to detecting activity or traffic that seems out of the ordinary.
  4. A. Insider threat is especially dangerous since the insider is already trusted within the organization. The insider knows internal policies, is familiar with the organizational structure, has awareness of business processes, and most of all, has network access as a trusted employee.
  5. B. Cisco created the network monitoring protocol NetFlow to assist in collecting statistics on IP traffic as it traverses the network. There are a variety of tools to gather and report on what NetFlow monitors. Those NetFlow logs are a gold mine to answer questions around network traffic.
  6. C. DLP alerts warn the security analyst or administrator of the likelihood of data being exfiltrated out of the network.
  7. B. In earlier years, intrusion detection and antivirus systems used regular expressions (regex) and scripts to identify a match between a known signature and what was seen on the wire. Regex or regular expression matching was the default approach, but regex matching does take considerable overhead in memory.
  8. D. An ACL is used for packet filtering and for selecting the types of traffic to be analyzed, forwarded, or influenced in some way by the firewall or device. ACL configuration can block traffic based on the source and destination address.
  9. B. In this access control list (ACL), all TCP traffic bound for port 23 is blocked. The ACL group number is 102.
  10. C. File integrity monitoring (FIM) will monitor for changes in files. FIM alerts can notify you practically in real time, permitting you to immediately investigate.
  11. B. The Diamond Model of Intrusion Analysis has two axes: the first axis is labeled Victim – Adversary, while the second axis is Infrastructure – Capability.
  12. C. OSINT sources include commercial, scientific, and technical databases; symposium proceedings; published strategies and doctrine; think-tank publications; patent information; and other open-source documents available to the general public.
  13. D. This might be a challenging question only because it's tempting to choose an indicator of compromise. In the scenario, we are past suspecting an IoC. Advanced persistent threats (APTs) are definitely evidence of a compromised system. APTs can be near impossible to remove, with the best approach being to rebuild from scratch. The APT serves to maintain accessibility to the “pwned” machine. Given that APT malware can be advanced, the threat may stay even if the system administrators attempt to contain and eradicate the malware.
  14. C. Human intelligence (HUMINT) is the personal side of spying or collecting intelligence. While OSINT might involve dumpster diving and scouring social media, HUMINT involves building a genuine rapport and leveraging it for information or access.
  15. D. If an attacker wants to learn more about the organization's technical contact or registration information about their domain, the site that provides both is WHOIS.
  16. A. Reconnaissance is the first step, common to both Cyber Kill Chain and the ATT&CK framework. Exfiltration and discovery are unique to the ATT&CK framework.
  17. C. Discovery happens last and is the 9th of the 13 labeled tactics. Discovery happens after credential access and before lateral movement.
  18. A. Human intelligence (HUMINT) is the personal side of spying or collecting intelligence. HUMINT involves building a genuine rapport and leveraging it for information or access.
  19. D. Nation-state hackers and cyberterrorists are individuals or groups of individuals seeking to engage in recruitment, attacks, or, worse, compromise critical infrastructures in the target countries such as nuclear power plants, power generation stations, and water treatment plants.
  20. D. Supply chain attack is the correct answer. When a hacker focuses on a weaker service or organization with the goal to disrupt the target organization, this type of attack is called a supply chain attack. Hackers opt to cripple or disrupt a different organization on which the target relies.

Chapter 4: Security Ops: Vulnerability Assessments and Operational Risk

  1. A. The BEST definition of a risk in IT is a vulnerability in your ecosystem and the high probability of compromise with a known active threat actor.
  2. D. A list of root passwords is not a requirement. A vulnerability assessment is the testing of systems and access controls for weaknesses.
  3. C. Ethical hackers will perform a no-knowledge penetration test. They will use the same methods as the bad guys but get permission first. Yes, there are blue-hat hackers. A blue-hat hacker is someone who typically tests systems before they launch and looks for bugs.
  4. A. Cross-site scripting (XSS) is an attack that can be mitigated by using input validation and sanitization. Like a CSRF attack, an XSS attack is attempting to steal information from a user. If a web application is not able to properly sanitize input from a user, the attacker can use form input to inject malicious code.
  5. D. Social engineering is malicious activity where data is disclosed by accident. It is typically performed by an attacker outside of the organization. The goal is to get the victim to disclose confidential or sensitive information. Fraud, espionage, and embezzlement are all malicious actions where the attacker is internal and commits these crimes on purpose.
  6. D. This one is all about strategy! You need to test for resilience and reliability of the rebuilt site before you restore any mission-critical functions. Financial and communication assets should be restored only after you know the foundation is good.
  7. A. A denial-of-service (DoS) or distributed denial-of-service (DDoS) attack makes legitimate users unable to use devices or network resources. It affects availability.
  8. C. The golden rule of forensics is never touch, change, or alter anything until it has been documented, identified, measured, and photographed. An image is a complete image of all the contents of a storage device. A bitstream copy of an image copies all areas of a storage device. When documenting for an incident, you need to list the software/hardware used, source and destination name, start/end timestamp, and hashed values.
  9. C. Virtualization creates an abstract computing platform. Many servers can be replaced by one larger physical server to decrease the need for hardware. Many hosts allow the execution of complete operating systems, and access can be restricted for security depending on the hardware access policy created by the host. In this scenario, the most secure option with a focus on confidentiality would be to assign virtual hosts to the client and physically partition storage. If confidentiality is in the question, look for encryption in the answer.
  10. D. A keylogger, by its very nature, is meant to steal the keystrokes the victim makes on their keyboard and violate the security tenet of confidentiality. From this information, the attacker can replay websites/usernames/passwords typed in by the victim.
  11. B. When the decision is made to outsource any IT function, process, or system, there is a risk to operations and process flows, confidentiality, continuity, and compliance. You cannot use the excuse, “It wasn't me.” Regulators and compliance auditors will still hold your organization responsible for performing the correct level of due diligence to confirm that a third-party service has the right people, processes, and technology in place to support your business need.
  12. C. The threat in this scenario is the hacker/hacktivist or nation-state hacker who wants to use this third-party vendor as a gateway into your organization. Vetting a third-party organization is mission critical if that vendor is going to be working with any type of sensitive data or project.
  13. B. If Adriana encrypts her database, she is using an algorithm to transform readable data into unreadable data. Without knowing the key or algorithm used, you cannot reverse engineer the data. The purpose of this is to protect data from theft, malicious intent, or misuse.
  14. C. Threat and risk assessments are the best ways to identify the risks this company is facing. Pentesting will come after controls are in place.
  15. C. The best way to control dumpster diving is to control what leaves the facility by way of disposal and what form that takes. Larger enterprise organizations will hire third-party organizations for their shredding, whereas some organizations create a policy based on what type of document has been manufactured. Either way, this needs to be in your policies and procedures and communicated to staff and periodically audited.
  16. A. The vulnerability time is the time between when the vulnerability is discovered and when it is patched. The vulnerability window is when an IT asset is most vulnerable. This window has become increasingly important because it can be much larger than it was in the past. The cycle of creating malware based on known vulnerabilities keeps getting shorter.
  17. D. The third-party organization should be contractually obliged to perform security activities noted in the business documents signed by the parties. Evidence of those contracts should be negotiated, investigated, and confirmed prior to beginning the project.
  18. B. A buffer overflow occurs when a program writes more data to a buffer than is expected. An attacker can take advantage of this situation by injecting their own malicious code or variables into the buffer. Because these commands don't check buffer size, they make a program susceptible to buffer overflow attacks.
  19. D. A patch management system can automate the process of installing patches on systems. Using automation, it is more likely that all systems will be patched and none mistakenly missed. A security assessment identifies the current security posture of an organization. Vulnerability management is the continual process of identifying, evaluating, treating, and reporting on security vulnerabilities. A vulnerability scanner scans a network looking for known vulnerabilities and reporting on them.
  20. A. A cross-site request forgery (CSRF) is an attack that takes advantage of a software vulnerability and will redirect static content from a trusted site. An example might be stealing online banking credentials and account information from a user that logs into a legitimate banking site. CAPTCHA forms require solving some type of puzzle to validate the user is human, confirming the authenticity of the user.

Chapter 5: Compliance and Vendor Risk

  1. B. An external audit must have an independent certified authority and be performed against a recognized auditable standard. This is why an external audit can hold so much value for a company.
  2. D. The business impact analysis (BIA) is a systematic process to determine the potential effects of the failure of processes and systems that are critical to business operations, whether the interruption is a natural disaster, an accident, or an upgrade.
  3. A. A master service agreement (MSA) provides a strong foundation for future business. It typically specifies payment terms, warranties, geographic location, and intellectual property ownership.
  4. A. The major question that you should ask the vendor is what level of encryption they offer, and whether the tool's encryption is comprehensive. If your organization is not compliant with PCI-DSS, it could be open to major regulatory compliance risk.
  5. A. In no event should access of any kind be granted to any data that is classified as sensitive without the express permission of the data owner.
  6. C. Data retention is the amount of time that specific data is maintained in storage. Data stored for more time than is needed becomes a security risk to an organization. If you have a vendor managing your data archives, they need to know what type of compliance your organization falls under so they know how long to keep the data.
  7. B. The definition of attestation according to Merriam-Webster's dictionary is “an act or instance of proving the existence of something through evidence.” The Payment Card Industry (PCI) is governed by the PCI Security Standards Council, which will certify an organization has completed and passed or failed an audit with an attestation of compliance.
  8. A. A global organization that collects data from customers must be concerned with data sovereignty. A learning management system (LMS) and a content management system (CMS) collect information on global students taking classes, viewing videos, and accessing files. This data is subject to the laws of the country where the data was collected. Many countries have passed various laws around the control and storage of data.
  9. C. A data owner has administrative control over a specific dataset. Some examples of a data owner are a treasurer who has administrative control and is accountable for financial data or a human resources director who has responsibility for employee data. In most enterprise organizations, the owner is not the custodian.
  10. D. Many local, state, federal, and international laws, as well as industry restrictions, require that data be kept for specific periods of time.
  11. C. Due diligence means “required carefulness.” Due diligence is exercising informed care that is expected of reasonable people. Performing this kind of process ensures that the proper information is systematically and deliberately protected.
  12. A. A cloud-based deployment solution will probably be entirely operated and maintained by a third-party vendor. You are able to pay a usage fee for access to that solution but lose some control over hardware and software.
  13. C. Infrastructure as a service (IaaS) enables a company to use hardware resources provided by a third party, including processing and networking, to host multiple, varied hosts.
  14. C. One of the biggest benefits of moving virtual hosts to the cloud is elasticity. Businesses adopting this cloud computing solution can enjoy the dynamic allocation of resources to projects and workflows. It makes using the cloud efficient and cost effective.
  15. D. PaaS allows you to avoid the expense and complexity of having to buy and manage software licenses, application infrastructure, development tools, and other resources. You manage the applications and services that you have developed, and the cloud provider does everything else.
  16. A. A public cloud is the cloud computing model where IT services are delivered across the Internet. The defining features of public cloud solutions are elasticity and scalability for IT services at low cost. Public cloud offers many solutions for all types of computing requirements.
  17. D. Easy deployment and lower cost for less IT expertise can be good things.
  18. C. Multitenant cloud services are less expensive because usage and resources are shared, and they operate at maximum usage, which gives the best efficiency. They are easier to set up because the high volume of customers means onboarding should be a good experience. The limitations of multitenancy are multiple access points and less control: if one tenant is affected, all tenants are affected. With multiple access points and all cloud tenants affected, this is not an OKR to be measured by an organization in a shared responsibility cloud model.
  19. A. The first priority should be to understand what data this organization has and classify it through a data classification engine. Look for a comprehensive solution that locates and protects sensitive content on the assets uploaded to the cloud.
  20. D. An SLA is an administrative contract guaranteeing service; it is negotiated and created, not deployed to a cloud environment. You should absolutely have one that will protect the business and its processes.

Chapter 6: Cryptography and PKI

  1. B. Encryption provides confidentiality since the data is scrambled by a cryptographic algorithm. Symmetric encryption offers that privacy through the use of a unique, shared key.
  2. D. Rivest Cipher 5 (RC5) is a fast block cipher. As a symmetric algorithm, it supports a variable block size, a variable key size, and a variable number of rounds. Allowable choices for the block size are 32, 64, and 128 bits.
  3. D. Asymmetric encryption provides confidentiality, integrity, authentication, and nonrepudiation. By comparison, symmetric encryption offers only confidentiality.
  4. C. The CRL is maintained by the CA, which signs the list to maintain its accuracy. Whenever problems are reported with digital certificates, the digital certificates are considered invalid, and the CA has the serial number added to the CRL.
  5. D. Like passports, digital certificates do not stay valid for a lifetime. Certificates become invalid for many reasons, such as someone leaving the company, information changing, or a private key being compromised. For these reasons, the certificate revocation list (CRL) must be maintained.
  6. D. There is no one type of certificate to secure all subdomains and domains. A wildcard certificate allows the purchaser to secure an unlimited number of subdomain certificates on a domain name. While the wildcard secures multiple subdomains, the multidomain certificate will secure multiple top-level website domains, such as example.net, example.com, and example.org.
  7. D. Symmetric encryption does offer speed, but if you're looking for a cryptographic system that provides easy key exchange, you will have to consider asymmetric encryption.
  8. A. Public key cryptography (asymmetric encryption) is made possible by the use of one-way functions. A one-way function, or trapdoor, is a math operation that is easy to compute in one direction, yet is almost impossible to compute in the other direction.
  9. C. MD5 is the only option that is a hash. The others are encryption algorithms. A hash is a one-way calculation of input data, such as a file. Comparing the hashes for two files can indicate that the files either are identical or have the slightest difference. Thus, a hash acts to prove the integrity of a file.
  10. B. Symmetric encryption does offer speed, but if you're looking for a cryptographic system that provides easy key exchange, you will have to consider asymmetric encryption.
  11. D. SSL/TLS uses both asymmetric and symmetric encryption. Almost all modern cryptographic systems make use of hybrid encryption. This method works well because it uses the strength of symmetric encryption and the key exchange capabilities of asymmetric encryption. Some good examples of hybrid cryptographic systems are IPsec, Secure Shell, Secure Electronic Transaction, Secure Sockets Layer (SSL), PGP, and Transport Layer Security (TLS).
  12. A. A wildcard certificate allows the purchaser to secure an unlimited number of subdomain certificates on a domain name. For example, a wildcard certificate could secure sub1.example.org, sub2.example.org, and sub3.example.org.
  13. D. The International Data Encryption Algorithm (IDEA) is a 64-bit block cipher that uses a 128-bit key. Although IDEA is patented by a Swiss company, it is freely available for noncommercial use. It is considered a secure encryption standard, and there have been no known attacks against it.
  14. B. Disk encryption can use either hardware or software to encrypt an entire hard drive or volume. Such technology is incredibly important today. Mobile security is especially enhanced by encryption, considering how much sensitive information individuals have stored on mobile devices and tablets. Such items are easily lost or stolen. Common disk encryption products include BitLocker and AxCrypt.
  15. A. Hashing refers to a broad category of algorithms that are useful for their ability to provide integrity and authentication. Integrity ensures that the information remains unchanged and is in its true original form.
  16. D. Hashing algorithms operate by taking a variable amount of data and compressing it into a fixed-length value referred to as a hash value. Hashing provides a fingerprint or message digest of the data. A well-designed hashing algorithm will not typically produce the same hash value or output for two different inputs. When this does occur, it is referred to as a collision.
  17. D. A web of trust model is the least complex, is the lowest trust of the options, and is most suited for small groups. The single authority model is simple, though not well suited for large organizations; a hierarchical model is typically provided by a commercial entity, requiring a more robust model.
  18. B. Symmetric encryption is fast, but key distribution is a problem. Asymmetric encryption offers easy key distribution, but it's not suited for large amounts of data. Combining the two into hybrid encryption uses the advantages of each and results in a truly powerful system.
  19. B. Block encryption secures data in fixed-size groups of bits. An example of a block cipher is 3DES ECB, which encrypts data in 64-bit blocks.
  20. A. Many organizations use hardware security modules (HSMs) to store and retrieve escrowed keys securely. Escrowed keys allow another trusted party to hold a copy of a key. They need to be managed at the same security level as the original key.

Chapter 7: Incident Response and Forensics

  1. C. A false positive alert is an alert that is generated but that is not associated with a true attack. Having tumbleweeds hitting your fence, triggering alerts, is an example of a false positive alert. A true positive is an alert triggered from an attack. A true negative is no alert triggered because no attack occurred. A false negative is an attack happening with no alert triggered.
  2. D. During lessons learned, one step to include in the process is to evaluate the effectiveness of the playbooks involved. Any changes to those documents should be documented in procedure controls and implemented as soon as an incident occurs.
  3. D. In digital or cyber forensics, no matter what action has been taken and what the implied burden of proof is, you must treat the incident as if a crime had been committed. If the process is broken, the evidence may be challenged or diminished in value, which could make it inadmissible and reduce its value to the company. The IRT should have well-documented policies and procedures in place and have chain-of-custody rules. According to the National Institute of Standards and Technology (NIST), there are four steps: 1) preparation, 2) detection and analysis, 3) containment, eradication, and recovery, and, lastly, 4) post-incident activity, better known as lessons learned.
  4. A. After an incident, managers can evaluate the effectiveness of their response and then identify areas that need improvement—specifically assessment, detection, notification, and evaluation. The lessons learned document details how your emergency response process can be improved.
  5. D. In an after-action report (AAR), it is time for reflection and to record what was done well and the areas that need improvement. Capturing and regularly updating the lessons learned can keep the incident response on track. In the long run, it can also help continually improve how organizations execute incident response. The network topology diagrams should be created and updated often and are not part of an AAR.
  6. B. You should have this documented in an IR manual. Disconnecting the intruder is the best response if confidentiality is of utmost importance. Giving the intruder any more time might enable them to pivot deeper into the network. Delaying, auditing, or monitoring the intruder is the correct response if you are going to prosecute the intruder. This is the type of scenario that has already been discussed so that you know exactly what the response should be in an incident/event.
  7. C. This actually happened. A casino in North America detected a ransomware attack that used the network-attached fish tank as a point of entry. The attack was spotted due to a security orchestration, automation, and response (SOAR) solution that detected the intrusion, and no damage was done.
  8. D. According to Gartner, social engineering is the single greatest security risk faced in cybersecurity. Social engineering is the art of manipulating, influencing, or deceiving to gain information or control of a system, process, or finances.
  9. C. When a situation arises, such as a service interruption or some other significant incident, the security operations center (SOC) receives word via its monitoring system. Once it has identified an issue, you must manually initiate an incident response, which will in turn notify the appropriate parties, providing the necessary information so they can begin working to resolve the problem. Critical issues must be addressed quickly, as any downtime can have a tremendous negative impact on the organization, from lower revenue to lost customers. This puts a lot of pressure on SOC managers to handle any and all incidents with the utmost attention given to quality and turnaround time. The problem comes into play when businesses are still relying on antiquated systems to manage their incident response processes. The result is a huge margin for human error and unnecessary delay.
  10. C. Due care is acting responsibly. Due diligence is verifying those actions are sufficient. An organization that shows due care means it took every reasonable precaution to protect its assets and environment. A runbook is created before an incident happens, documenting policies, procedures, and due care taken by an organization. An AAR is created after an incident occurs. A statement of work (SOW) is a document used in project management. It is the narrative description of a project's work requirement. It defines project-specific activities, deliverables, and timelines for a vendor providing services to the client. A nondisclosure agreement (NDA), also known as a confidentiality agreement, confidential disclosure agreement, or secrecy agreement, is a legal contract or part of a contract. Runbooks are often confused with playbooks, and some IT professionals use the terms synonymously. While runbooks define individual processes, playbooks deal with overarching responses to larger issues or events and may incorporate multiple runbooks and personnel within them—think of a runbook as a chapter within a playbook.
  11. B. Security orchestration, automation, and response (SOAR) helps teams improve their security posture and create efficiency—without sacrificing control of important security and IT processes. SOAR technology helps coordinate, execute, and automate tasks between various people and tools, allowing companies to respond quickly to cybersecurity attacks and improve their overall security posture. SOAR tools use security “playbooks” to automate and coordinate workflows that may include any number of disparate security tools as well as human tasks.
  12. D. Because time is important, as a project manager you need to estimate how long the merge will take and then look at ROI—how much to sustain and how much to change. Involve the stakeholders and present them with a communication plan clarifying who is involved in the decision-making process.
  13. C. The golden rule of forensics is to never touch, change, or alter anything until it is documented, identified, measured, and photographed. An image is a complete copy of all the contents of a storage device. A bitstream copy of an image copies all areas of a storage device. When documenting for an incident, you need to list the software/hardware used, its source and destination name, the start/end timestamps, and hashed values.
  14. D. If the logs are evidence, then as evidence they cannot be altered. If the timestamps are from years before the crime occurred, they may not be allowed in court.
  15. A. Understand what can be contained in volatile memory before you power down a machine that you believe is compromised. Use a tool that is able to quickly analyze RAM and add that data to digital evidence.
  16. A. The Internet Engineering Task Force (IETF) released guidelines for evidence collection known as RFC 3227. This document explains the order of volatility, which is least volatile to most—archives, physical, logging, disk, temporary files, routing and ARP tables, registers, and cache.
  17. B. Once you determine which machines were compromised, make sure that nothing was left behind that will do more damage or allow the attackers access again. Collect all evidence and logs that are appropriate; then ensure that other assets are protected against the method the attackers used to get into your organization.
  18. A. In criminal cases, a defendant can petition the court to exclude evidence that the prosecution obtained if someone breaks the chain of custody for any reason.
  19. D. The U.S. NSA recently open-sourced Ghidra, a reverse engineering tool used to forensically analyze malware. Hydra is a network login cracker, Immunity Debugger is not open source, and AngryIP is open source but used for network scanning.
  20. B. A well-organized attack by skilled individuals is extremely difficult to solve with a technical investigation, but your data will be extremely helpful for detectives (i.e., authorities). They may have parts of a puzzle that you do not have access to or have established a modus operandi of hacking groups in your specific industry.
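The documentation items in answer 13 (tool, source and destination names, start/end timestamps, hash values) and the "evidence cannot be altered" point in answer 14 can be put into a concrete acquisition record. The following is an added example, not code from the book: it makes a hash-verified bitstream copy of a constructed disk image and re-checks the stored copy later, so any change since acquisition shows up as a hash mismatch. The tool name and sample image bytes are constructed for the example.

```python
"""Added example (not from the book): a forensic acquisition record that
captures the fields answer 13 lists and lets a later reviewer confirm the
stored image is unchanged (answer 14). All sample data is constructed."""
import hashlib
import io
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

# Hypothetical tool identifier recorded in every acquisition record.
TOOL = "example-imager 0.1 (hypothetical)"
CHUNK = 1 << 16  # hash and copy in 64 KiB chunks so large images fit in memory


def sha256_stream(fp):
    """Hash a file-like object from its current position to EOF, chunk by chunk."""
    h = hashlib.sha256()
    for chunk in iter(lambda: fp.read(CHUNK), b""):
        h.update(chunk)
    return h.hexdigest()


@dataclass(frozen=True)
class AcquisitionRecord:
    tool: str
    source_name: str
    destination_name: str
    started_utc: str
    finished_utc: str
    bytes_copied: int
    source_sha256: str
    destination_sha256: str

    def is_verified(self):
        """A bitstream copy is only acceptable if source and destination hash identically."""
        return self.source_sha256 == self.destination_sha256

    def as_dict(self):
        """Plain-dict form, suitable for writing into the chain-of-custody log."""
        return asdict(self)


def acquire(source, destination, source_name, destination_name, clock=None):
    """Bitstream-copy `source` into `destination` and return the acquisition record.

    `clock` is injectable so tests get deterministic timestamps; it defaults to UTC now.
    """
    clock = clock or (lambda: datetime.now(timezone.utc))
    started = clock().isoformat()
    src_hash = hashlib.sha256()
    copied = 0
    for chunk in iter(lambda: source.read(CHUNK), b""):
        src_hash.update(chunk)      # hash the source bytes as they are read
        destination.write(chunk)
        copied += len(chunk)
    destination.seek(0)
    dst_hash = sha256_stream(destination)  # re-read what actually landed in the destination
    finished = clock().isoformat()
    return AcquisitionRecord(TOOL, source_name, destination_name, started, finished,
                             copied, src_hash.hexdigest(), dst_hash)


def verify_image(record, destination):
    """Re-hash the stored image; True only if it still matches the acquisition record."""
    destination.seek(0)
    return sha256_stream(destination) == record.destination_sha256


# Constructed "disk" contents standing in for a real device.
SAMPLE_IMAGE = b"EXAMPLE-DISK-IMAGE:" + bytes(range(256)) * 4


def demo():
    """Acquire the sample image, then show that a one-byte change is detected."""
    source = io.BytesIO(SAMPLE_IMAGE)
    stored = io.BytesIO()
    record = acquire(source, stored, "constructed:/dev/sdX", "evidence/case-0001.img")
    before = verify_image(record, stored)
    stored.seek(10)
    stored.write(b"\x00")           # simulate someone altering the stored evidence
    after = verify_image(record, stored)
    return record, before, after


if __name__ == "__main__":
    rec, ok_before, ok_after = demo()
    print(rec.as_dict())
    print("verified at acquisition:", rec.is_verified())
    print("verified before tampering:", ok_before, "| after tampering:", ok_after)
```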

Chapter 8: Security Architecture

  1. A. You want to protect your endpoints from malware, viruses, and spyware. A host-based firewall will prevent malicious traffic, whereas the IDS will only report there is an intrusion. All 2FA is MFA, but not all MFA is 2FA. Multifactor authentication grants a user access after presenting several separate pieces of evidence that belong to different categories (including something you are, something you know, or something you have). 2FA is two pieces of evidence.
  2. B. A network-based intrusion detection system (NIDS) is an intrusion detection system used to detect intrusions traversing the network and alert on those intrusions. The alerts can come in various forms, including email and text messages. HIDS is host-based intrusion detection, and HIPSs/NIPSs are intrusion prevention systems.
  3. A. Some more advanced FIM solutions are a part of a host-based intrusion detection system (HIDS). As a general rule, they can detect threats in other areas, not just files. NIDS is network intrusion detection and change management is an administrative control. ADVFIM is made up.
  4. D. A Web Application Firewall (WAF) is used to inspect OSI Layer 7 data for malicious activity. HTTP/HTTPS/SOAP are all web application protocols that operate at OSI Layer 7. Screened host firewalls and packet filter firewalls don't inspect OSI Layer 7 data. A DMZ is a type of screened subnet that permits external users' access to a part of a private network.
  5. B. A virtual private network (VPN) enables employees to access sensitive data and systems on mobile devices while away from the secure corporate network. A VPN's traditional role is to enable employees to authenticate from anywhere in the world and seamlessly access the company's network. Wi-Fi is wireless networking technology that allows equipment to connect to the Internet. RDP is remote desktop protocol and is a Microsoft technology that gives end users a graphical user interface to connect to another computer. A NIC is a network interface card, that is, hardware that connects a computer to a network.
  6. B. A unified threat management (UTM) system is a single device that provides multiple security functions including antivirus protection, antispyware, a firewall, and an intrusion detection and prevention system. A concern with using a UTM is that it could become a single point of failure. A next-generation firewall or NGFW combines a traditional firewall with other network device filtering functions such as deep packet inspection or IPS. A quantum proxy is a signature scheme that makes a proxy signer generate a signature on behalf of the original signer. There is no security model for quantum proxy, and it is susceptible to forgery attacks. There is no such thing as a next-generation intrusion detection and prevention system.
  7. C. A reverse proxy performs the function mentioned in the question. Because traffic intended for the servers goes through the reverse proxy, it can provide filtering of malicious traffic destined for the servers. A proxy sits in front of clients, receiving their requests and forwarding them on to the destination. Replies associated with these requests are also forwarded through the proxy to the clients. A basic firewall filters traffic based on packet header information. A network-based intrusion detection system (NIDS) examines traffic, looking for malicious content.
  8. A. A DoS attack is a single-source computer system initiating the attack. A DDoS is a much more orchestrated attack, enlisting the help of hundreds (if not thousands) of other source computers to completely overload the system. Spamming is the use of messaging systems to send an unsolicited message to multiple addresses. IP spoofing is the creation of IP packets with a false source IP address to impersonate another computer system. Containerization is an alternative or companion to virtualization involving encapsulating software code and all dependencies so it can run consistently on any infrastructure.
  9. B. A Switched Port Analyzer or SPAN port is a dedicated port on a switch. It takes a mirrored copy of network traffic from within the switch and sends it to the proper destination. That destination is typically a monitoring device. The proper way to bring a switch port out of the error-disabled state is to go to the interface and issue the shutdown and then no shutdown commands.
  10. A. If you place an IDS sensor somewhere in your network for intrusion detection, your end goal is important. If you want to see what threats are being aimed at your organization from the Internet, you place the IDS outside the firewall. If you want to see potentially malicious internal traffic that you have inside the perimeter of your network, you place the monitor between the firewall and internal LAN. Considering what traffic is most important, find the relevant point in the network that traffic MUST pass through to get there.
  11. D. A network TAP is an external network device that creates a copy of the traffic for use by various monitoring devices. It allows traffic mirroring and is an integral part of an organization's network stack. The network TAP device is introduced at a point in the network path that should be observed so that it can copy data packets and send them to a monitoring device. By deploying the correct ACL rule, it will immediately prevent data coming or going anywhere on port 445. The others could be options, but they would take more time than you have to stop the spread immediately.
  12. D. A SIEM monitors servers on your network, ideally providing a real-time analysis of security incidents and events. SIEM (pronounced “SIM”) can be performed with hardware or software by examining and correlating logs the servers produce. A SIEM can be used to monitor alerts from an IDS and to perform trend analysis. If an anomaly is detected, rules are then written to inform security administrators.
  13. B. When network access control or NAC is used but an agent is not installed on the devices, we refer to it as an agentless configuration. When using agentless NAC, the policy enforcement component is integrated into an authentication system like Microsoft Active Directory. The enforcement of policies is performed when the device logs on or off the network.
  14. C. Interactive Application Security Testing (IAST) combines the best of a SAST and a DAST. IAST security tools provide the advantages of a static view because they can see the source code and also the advantages of a web scanner viewing the execution flow of the application during runtime. Static analysis security testing (SAST) tools can scan binaries in software to find errors, vulnerabilities, and flaws in web and desktop applications. SAST is often called known-environment testing or white-box testing. Dynamic analysis (DAST) tools are used for unknown environment testing (black-box testing), employing injection techniques like SQLi and XSS. Interactive analysis (IAST) is a combination of both SAST and DAST testing, applying analysis to all code, runtime controls, and data flow. Vendor application security testing (VAST) is a third-party risk assessment.
  15. A. Customer relationship management (CRM) is the process of managing interactions with existing as well as past and potential customers. It is one of many different approaches that allow a company to analyze interactions with its past, current, and potential customers. The first phase of any future attack will be active and passive reconnaissance. Using social media capriciously will open your organization to knowledge that can be used against you. Even job descriptions can be used to find out what technology your organization is using to craft social engineering attacks, such as when HR advertises a need for a CCNP and an attacker knows you are probably using Cisco devices in your network.
  16. A. When the exam uses the acronym SDLC, reread the question to clarify if it is the software development life cycle or the system development life cycle. They have different stages but use the same acronym. The SDLC this question refers to is focused on systems. There are six stages beginning with (1) requirement analysis, (2) planning, (3) design, (4) development, (5) testing, and finally (6) deployment.
  17. A. Encryption for data at rest is a key protection against a data breach. Data at rest is stored and usually protected by a firewall or antivirus software. Defense in depth is important to data at rest and begins with encryption.
  18. C. Agile software development has been in use since 2001, when the waterfall methodology was found to be too strict and rigid. Agile emphasizes teamwork and feedback, which changes the direction of the software. Two major agile methods are Scrum and Kanban. Scrum defines roles and events, whereas Kanban is simple and has a lot of flexibility.
  19. D. A spiral software development process is beneficial because of risk management; development is fast, and there is always room for feedback. It is not advisable if it is a small project because it is known to be expensive. There is more documentation with the spiral model because it has intermediate phases that require it. To be effective, the model has to be followed precisely.
  20. A. Data loss prevention (DLP) is a technology term that can refer to a methodology or a tool that monitors the system, the user, and data events on an endpoint, looking for and blocking suspicious activity. You can use DLP solutions to classify and prioritize data security. You can also use these solutions to ensure access policies meet regulatory compliance, including HIPAA, GDPR, and PCI-DSS. DLP solutions can also go beyond simple detection, providing alerts, enforcing encryption, and isolating data. NIDS and NIPS are for network intrusion detection and prevention. HIPS could have been the answer if DLP was not an option. HIPS tools can take a variety of actions, including sending an alarm to the computer user, logging the malicious activity for future investigation, resetting the connection, dropping malicious packets, and blocking subsequent traffic from a suspect IP address. Most host intrusion prevention systems use known attack patterns, called signatures, to identify malicious activity. Signature-based detection is effective, but it can protect the host device only against known attacks. It cannot protect against zero-day attacks or other signatures that are not in the software provider's database.

Chapter 9: Secure Cloud and Virtualization

  1. B. The main difference between Type 1 and Type 2 hypervisors is that Type 1 runs on bare metal and Type 2 runs in an operating system.
  2. D. When using containers, host them in a container-focused OS and reduce the initial attack surface by disabling unnecessary services. Add monitoring tools for additional visibility, and then develop a strong set of security controls to preserve the integrity of the systems.
  3. C. Virtual desktop infrastructure (VDI) is the hosting of desktop environments on a central server. This has been called providing desktop as a service (DaaS). Thin clients are protected from unauthorized software, and data is saved in another location than the server. It uses centralized processing for better management and monitoring.
  4. C. Emulation is important in fighting obsolescence and keeping data available. Emulation lets you model older hardware and software and re-create them using current technology. With emulation, you can use a current platform to access an older application, operating system, or data while the older software still thinks it is running in its original environment. A Type 1 hypervisor is a hypervisor installed on a bare-metal server, meaning that the hypervisor is its own operating system. Type 1 hypervisors usually perform better due to the direct access to physical hardware. Type 2 hypervisors run inside an operating system of a physical machine. Platform as a service (PaaS) is a kind of cloud computing service that enables a customer to develop and manage applications without a need to build and maintain the usual infrastructure.
  5. D. The only answer that is a benefit to virtualization is faster provisioning and disaster recovery. Risks to virtual environments include patching, maintenance, and oversight, but the biggest is probably sprawl. It is easy to create VMs, push them out, duplicate machines, and forget about them. Once you bring them up, they could be up for weeks or months and get behind in patching, which creates a vulnerability.
  6. A. The management of your application requires end-to-end monitoring, so a connection from your location to the cloud environment is the best way to have great control over and visibility into attacks that threaten your environment.
  7. D. A community cloud is defined by the National Institute of Standards and Technology (NIST) as a collaborative effort in which infrastructure is shared between several organizations from a specific community with shared concerns. It can be managed and controlled by a group of organizations with shared interests so that costs are spread over several users. The public cloud model is the most widely used cloud service. This cloud type is a popular option for web applications, file sharing, and nonsensitive data storage. A public cloud model is available to anyone, but a private cloud belongs to a specific organization. That organization controls the system and manages it in a centralized fashion. A hybrid cloud environment is a combination of public, private, and/or community clouds.
  8. D. While single tenancy is more secure due to isolation, gives you control over access and backups, and lets you control cost with scaling, it requires more maintenance because single-tenant environments need more updates and upgrades that are managed by the customer.
  9. D. A virtual private cloud (VPC) customer has exclusive access to a segment of a public cloud. This deployment is a compromise between a private and a public model in terms of price and features. Access can also be restricted by the user's physical location by employing firewalls and IP address whitelisting. Using the cloud is a trade-off—you gain speed, performance, and cost, but you still lose control over the security processes.
  10. B. Electronic vaulting will enable you to transmit bulk data to an offsite data backup storage facility. You can choose to back up hourly, daily, or weekly. If a server fails, you can restore data quickly, but because the information is sent over the Internet, it should be encrypted. File storage organizes and represents data as a hierarchy of files in folders; block storage chunks data into arbitrarily organized, evenly sized volumes; and object storage manages data and links it to associated metadata.
  11. C. Virtualization creates an abstract computing platform. Many servers can be replaced by one larger physical server to decrease the need for hardware. Many hosts enable the execution of complete operating systems, and access can be restricted for security depending on the hardware access policy created by the host. In this scenario, the most secure option with a focus on confidentiality would be to assign virtual hosts to the client and physically partition storage. If confidentiality is in the question, look for encryption in the answer.
  12. D. When you drag a file into the trash and empty the trash, it doesn't actually erase the file. It simply indicates to the file system that the file is deleted, but the data in the file remains on the hard drive until the file system eventually overwrites the file. We call this problem data remanence. Cloud computing complicates the data remanence issue. You have little or no visibility into the physical location of your data in the cloud, so overwriting the physical media is virtually impossible. The cloud infrastructure may distribute your storage or virtual machine instance across multiple physical drives. Deprovisioning that instance is similar to dragging it to the trash. The data that is written to various drives remains until the cloud provider reallocates the sectors you were using to other customers.
  13. D. Creating an audit trail is vital. Security policy often specifies which data should be collected, how it should be stored, and how long it will be kept. An audit trail is often used to find unauthorized activity on a network.
  14. B. A virtual private network (VPN) is a tool to protect privacy and security on the Internet. VPN securely connects two computers with an encrypted tunnel to transfer data between a remote user and a corporate network. Employees should use VPNs when accessing cloud storage services. If you connect to the cloud over an unsecured Internet connection, there is a risk of exposing data to attackers.
  15. B. An alert from any one of these assets should trigger the security organization to take a closer look at the cause of the alert. Monitoring and alerting are interrelated and have the ability to provide visibility into the health of your systems and help you understand trends in usage or behavior and the impact of changes you make. If the metrics fall outside of your expected ranges, these systems can send notifications to prompt someone to take a look and can assist in surfacing information to help identify the possible causes.
  16. D. IP Security (IPSec) is a suite of protocols used across an IP network providing authentication, integrity, and confidentiality. This includes Authentication Header (AH), Encapsulating Security Payloads (ESP), and Security Associations (SA), which provide the different configurations and keys used for those connections. Internet Security Association and Key Management Protocol (ISAKMP) is a component of SA and how the keys are managed and exchanged between the devices. An IPSec VPN will protect traffic being forwarded from client to server or from server to server.
  17. A. For these specific requirements, the ability to audit event logs that include source address and timestamps is most critical. If the systems are on premises, you have more physical control. Assets in the cloud require more technical controls.
  18. D. Defining user access as well as devices and idle time are especially important to a network security policy. You should also decide what authentication methods are used, how authentication will be implemented, and what the standard operating procedures (SOPs) are, should your organization be compromised.
  19. B. Data dispersed and stored in multiple cloud pods is a key component of cloud storage architecture. The ability to have data replicated throughout a distributed storage infrastructure is critical. This allows a cloud service provider to offer storage services based on the level of the user's subscription or the popularity of the item. Bit splitting is another technique for securing data over a computer network that involves encrypting data, splitting the encrypted data into smaller data units, distributing those smaller units to different storage locations, and then further encrypting the data at its new location. Data is protected from security breaches, because even if an attacker is able to retrieve and decrypt one data unit, the information would be useless unless it can be combined with decrypted data units from the other locations.
  20. A. The first priority should be to understand what data your organization has and to classify it through a data classification engine. Look for a comprehensive solution that locates and protects sensitive content on the assets uploaded to the cloud.

Chapter 10: Mobility and Emerging Technologies

  1. A. Leveraging machine learning and innovations in artificial intelligence will help find and respond to threats. Unfortunately, as with every tool, attackers are using this technology as well. In the future, we will see new machine learning malware and AI spear phishing that increases the length and breadth of cyberattacks. SIEM comes later in the attack life cycle. DevSecOps and security as code are proactive pre-attack rather than post-attack.
  2. D. A PIN is something you create and memorize. The others are something you physically are.
  3. D. Organizations today must reduce their IoT attack surfaces, increase the attack surfaces they monitor, and attempt to reduce false positive alerts that often affect IoT devices.
  4. A. Chatbots are evolving, and advancements in natural language processing (NLP) have increased their usefulness to the point that live agents no longer need to be the first point of communication for some customers. Some features of chatbots include being able to help users navigate support articles and knowledge bases, order products or services, and manage accounts. NLP describes the interaction between human language and computers. It is a technology that many people use daily and has been around for years, from spell check to Siri, Alexa, or Google Assistant. Biometrics are body measurements related to human characteristics such as fingerprints or retina scans. Virtual reality is a simulated experience that is created by computer technology, placing the user in that reality. Deep fake refers to a manipulated image or video produced by artificial intelligence (AI) that makes someone appear to do or say something they did not.
  5. A. Private Information Retrieval (PIR) is a protocol that allows someone to retrieve an element of a database without the database owner knowing which element was selected. Strong Private Information Retrieval (SPIR) is private information retrieval with the additional requirement that someone only learns the elements they are querying for, and nothing else, which answers the need for the privacy of a database owner. Secure function evaluation (SFE) and private function evaluation (PFE) are special protocols used in cryptography, based on secretly or privately sharing all the inputs to search for potentially malicious computations that benefit an attacker. They are primarily used in digital currency, blockchain, and multiparty computations. A National Institute of Standards and Technology (NIST) report defines big data as “extensive datasets, primarily in the characteristics of volume, velocity, and/or variability that require a scalable architecture for efficient storage, manipulation, and analysis.” Some have defined big data as an amount of data that exceeds a petabyte—one million gigabytes.
  6. D. A cloud-related challenge is structural. Once committed to a cloud service, companies become dependent on that service provider, often with no easy way to change providers. IT departments need to build up the skill set to work in the cloud safely and reliably. The business proposition of AR is causing it to be adopted before the risks have been vetted, or to have its technology developed by companies without significant IT experience, leading to technologies that are vulnerable. Wearable devices can host malware, enabling cameras, collecting data, corrupting work instructions, or disrupting operation. It is fairly easy to steal network credentials off Android-based wearable devices, exposing networks. The only one that does not make sense here is micro/nano technology. Micro and nano technologies include a wide range of advanced techniques used to fabricate and study artificial systems with dimensions ranging from several micrometers (one micrometer is one millionth of a meter) to a few nanometers (one nanometer is one billionth of a meter; a human hair is about 60,000 nanometers wide).
  7. B. The one thing all 3-D printers share, whether proprietary or open source, is that they are computer-controlled. Those computers run software that may be prone to development errors that result in security vulnerabilities. The rest of these options are important, but hardening existing systems first should be the priority.
  8. C. The use of passwordless authentication methods like biometric and facial recognition has become a norm on mobile devices, but that's not the only place it's used. Windows and Linux support passwordless authentication. In a 2018 update to Active Directory LDAP service, Microsoft added native support for passwordless authentication through FIDO2 keys. This means that with the proper server-level configurations, AD users can walk up to any domain-connected workstation and insert their key to log in to their accounts without making changes at the machine level. Linux also has native support for software keys, which can replace passwords. When passwordless authentication is implemented on a Linux server, users can remotely log in to their SSH consoles by presenting their software keys instead of typing in their passwords.
  9. C. Machine learning uses algorithms to parse data, learn from that data, and make informed decisions based on what it has learned. Deep learning structures algorithms in layers to create an “artificial neural network” that can learn and make intelligent decisions on its own. Deep learning has enabled many practical applications of machine learning and by extension the overall field of AI. Deep learning breaks down tasks in ways that make all kinds of machine assists seem possible—like driverless cars, better preventive healthcare, and even better movie recommendations on Netflix.
  10. A. There is no one-size-fits-all solution, and each mobile device strategy has its own pros and cons. With bring your own device (BYOD), no wireless carrier needs to be engaged, and fast deployment is available and has a lower cost because the employee owns the device.
  11. B. A mobile strategy that works well for some organizations is choose your own device (CYOD), and there are a few select models from which to choose (for example, an organization may ask if you want a Mac laptop or a PC tablet when starting a job).
  12. C. When you are in a situation where security and data protection are of the utmost importance, corporate-owned, personally enabled (COPE) is the best mobile device strategy to use. COPE has strict specific procurement standards and has the highest hardware costs of the three options.
  13. B. A virtual private network (VPN) enables employees to access sensitive data and systems on mobile devices while they are away from the secure corporate network. A VPN's traditional role is to enable employees to authenticate from anywhere in the world and seamlessly access the company's network.
  14. C. Sideloading is a term that applies to transferring a file from one local device to another using a USB cable, a Lightning cable, or Bluetooth. The process involves establishing a connection between two devices and moving files to the right location.
  15. A. Android requires that all apps be digitally signed with a certificate before they can be installed. This certificate proves authorship and that the app came from you and not a suspicious entity.
  16. A. The benefits of tethering include getting Internet access to upload and download files and check your account balances securely through your personal area network (PAN). The downsides are that there is a possible cost with your carrier, the mobile connection will be slow, and the battery on your phone or tablet can die quickly.
  17. C. Your fingerprint is a biometric. It is something you are, not something you know.
  18. C. Only give apps permissions they must have and delete any app that asks for more than is necessary. For example, there is no need for your flashlight app to record your voice and have access to all your pictures/video.
  19. A. New tokens must be generated with each access attempt. Improper session handling occurs when apps accidentally share session tokens with malicious attackers, enabling them to impersonate legitimate users.
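The session-handling point in answer 19 is easier to see in running code. The following is an added illustration, not code from the book or from any product it mentions: an in-memory session store that consumes the presented token on every access and issues a fresh one, contrasted with a naive store that keeps a single static token for the life of the session. The class and function names (`RotatingSessionStore`, `StaticSessionStore`, `demo`) are assumptions made for this example.

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple


class RotatingSessionStore:
    """Session store that rotates the token on every access (added example).

    Each successful access invalidates the token that was presented and
    returns a new one, so a token that leaks (logs, a shared link, a
    shoulder-surfed URL) is useless as soon as the legitimate client makes
    its next request.
    """

    def __init__(self) -> None:
        # token -> username; only the most recently issued token is valid
        self._sessions: Dict[str, str] = {}

    def login(self, username: str) -> str:
        """Start a session and return its first cryptographically random token."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = username
        return token

    def _find(self, presented: str) -> Optional[str]:
        # Compare against every stored token in constant time so that timing
        # does not reveal which tokens exist. Fine for a few sessions; a real
        # deployment would index by a keyed hash of the token instead.
        match = None
        for token in self._sessions:
            if hmac.compare_digest(token, presented):
                match = token
        return match

    def access(self, presented: str) -> Optional[Tuple[str, str]]:
        """Validate a token. Return (username, new_token) or None if rejected."""
        match = self._find(presented)
        if match is None:
            return None
        username = self._sessions.pop(match)   # presented token can never be replayed
        new_token = secrets.token_urlsafe(32)
        self._sessions[new_token] = username
        return username, new_token

    def logout(self, presented: str) -> bool:
        """Terminate the session; True if a live token was presented."""
        match = self._find(presented)
        if match is None:
            return False
        del self._sessions[match]
        return True


class StaticSessionStore:
    """The 'improper session handling' case: one token for the whole session.

    Anyone who obtains the token can impersonate the user until logout.
    """

    def __init__(self) -> None:
        self._sessions: Dict[str, str] = {}

    def login(self, username: str) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = username
        return token

    def access(self, presented: str) -> Optional[Tuple[str, str]]:
        username = self._sessions.get(presented)
        # Same token handed back every time: a captured copy stays valid
        return (username, presented) if username is not None else None


def demo() -> Dict[str, bool]:
    """Show that a captured token is rejected on replay only with rotation."""
    rotating = RotatingSessionStore()
    first = rotating.login("alice")          # constructed sample user
    captured = first                         # an attacker's copy of the token
    _, second = rotating.access(first)       # legitimate client uses it once
    replay_rejected = rotating.access(captured) is None

    static = StaticSessionStore()
    token = static.login("alice")
    static.access(token)
    static_replay_accepted = static.access(token) is not None

    return {
        "rotating_replay_rejected": replay_rejected,
        "rotating_new_token_differs": second != first,
        "static_replay_accepted": static_replay_accepted,
    }
```

The rotation does not help if the application still sends tokens where they can be captured in the first place, and it forces the client to store the newest token after every response; the trade-off is that a stolen token has a window of only one request.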
  20. C. Some people have the perception that jailbreaking is used only to do nefarious things or piracy. Jailbreaking enables you to do things like change the default browser and mail client. It also enables you to use software of which the manufacturer does not approve. Your company should have both an inventory of mobile devices and a security policy, and a scanning process should be required as well. Some companies have an annual “eyes on inventory,” where mobile devices are scanned physically by IT.