Chapter 10
Practice Test 2

  1. James is building a disaster recovery plan for his organization and would like to determine the amount of acceptable data loss after an outage. What variable is James determining?

    1. SLA
    2. RTO
    3. MTD
    4. RPO
  2. Fred needs to deploy a network device that can connect his network to other networks while controlling traffic on his network. What type of device is Fred’s best choice?

    1. A switch
    2. A bridge
    3. A gateway
    4. A router
  3. Alex is preparing to solicit bids for a penetration test of his company’s network and systems. He wants to maximize the effectiveness of the testing rather than the realism of the test. What type of penetration test should he require in his bidding process?

    1. Black box
    2. Crystal box
    3. Gray box
    4. Zero box
  4. Application banner information is typically recorded during what penetration testing phase?

    1. Planning
    2. Attack
    3. Reporting
    4. Discovery
  5. What is the default subnet mask for a Class B network?

    1. 255.0.0.0
    2. 255.255.0.0
    3. 255.254.0.0
    4. 255.255.255.0
  6. Jim has been asked to individually identify devices that users are bringing to work as part of a new BYOD policy. The devices will not be joined to a central management system like Active Directory, but he still needs to uniquely identify the systems. Which of the following options will provide Jim with the best means of reliably identifying each unique device?

    1. Record the MAC address of each system.
    2. Require users to fill out a form to register each system.
    3. Scan each system using a port scanner.
    4. Use device fingerprinting via a web-based registration system.
  7. David works in an organization that uses a formal data governance program. He is consulting with an employee working on a project that created an entirely new class of data and wants to work with the appropriate individual to assign a classification level to that information. Who is responsible for the assignment of information to a classification level?

    1. Data creator
    2. Data owner
    3. CISO
    4. Data custodian
  8. What type of inbound packet is characteristic of a ping flood attack?

    1. ICMP echo request
    2. ICMP echo reply
    3. ICMP destination unreachable
    4. ICMP route changed
  9. Gabe is concerned about the security of passwords used as a cornerstone of his organization’s information security program. Which one of the following controls would provide the greatest improvement in Gabe’s ability to authenticate users?

    1. More complex passwords
    2. User education against social engineering
    3. Multifactor authentication
    4. Addition of security questions based on personal knowledge
  10. The separation of network infrastructure from the control layer, combined with the ability to centrally program a network design in a vendor-neutral, standards-based implementation, is an example of what important concept?

    1. MPLS, a way to replace long network addresses with shorter labels and support a wide range of protocols
    2. FCoE, a converged protocol that allows common applications over Ethernet
    3. SDN, a converged protocol that allows network virtualization
    4. CDN, a converged protocol that makes common network designs accessible
  11. Susan is preparing to decommission her organization’s archival DVD-ROMs that contain Top Secret data. How should she ensure that the data cannot be exposed?

    1. Degauss
    2. Zero wipe
    3. Pulverize
    4. Secure erase
  12. What is the final stage of the Software Capability Maturity Model (SW-CMM)?

    1. Repeatable
    2. Defined
    3. Managed
    4. Optimizing
  13. Angie is configuring egress monitoring on her network to provide added security. Which one of the following packet types should Angie allow to leave the network headed for the Internet?

    1. Packets with a source address from Angie’s public IP address block
    2. Packets with a destination address from Angie’s public IP address block
    3. Packets with a source address outside of Angie’s address block
    4. Packets with a source address from Angie’s private address block
  14. Matt is conducting a penetration test against a Linux server and successfully gained access to an administrative account. He would now like to obtain the password hashes for use in a brute-force attack. Where is he likely to find the hashes, assuming the system is configured to modern security standards?

    1. /etc/passwd
    2. /etc/hash
    3. /etc/secure
    4. /etc/shadow
  15. Theresa is implementing a new access control system and wants to ensure that developers do not have the ability to move code from development systems into the production environment. What information security principle is she most directly enforcing?

    1. Separation of duties
    2. Two-person control
    3. Least privilege
    4. Job rotation
  16. Which one of the following tools may be used to achieve the goal of nonrepudiation?

    1. Digital signature
    2. Symmetric encryption
    3. Firewall
    4. IDS
  17. In the diagram of the TCP three-way handshake here, what should system A send to system B in step 3?

    Diagram shows system A sending to system B in step 1, B sending to A in step 2, and A sending to B again in step 3.
    1. ACK
    2. SYN
    3. FIN
    4. RST
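    The exchange in the diagram, carried through with sequence and acknowledgement numbers, as an added example that is not part of the practice test. The initial sequence numbers and host names are constructed; the check applied at step 3 is the one a real stack performs, namely that the peer's acknowledgement number must equal our own sequence number plus one, otherwise the segment cannot belong to this connection and the answer is a RST rather than an ACK.

```python
"""Simulated TCP three-way handshake (question 17). Added example; the
ISNs are constructed, not captured. Sequence numbers are 32-bit and wrap."""
import random
from dataclasses import dataclass


def _wrap(n: int) -> int:
    """Sequence space is modulo 2^32."""
    return n & 0xFFFFFFFF


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    flags: frozenset        # subset of {"SYN", "ACK", "FIN", "RST"}
    seq: int
    ack: int = 0


def syn(client: str, server: str, isn: int) -> Segment:
    """Step 1: the initiator sends SYN carrying its initial sequence number."""
    return Segment(client, server, frozenset({"SYN"}), seq=_wrap(isn))


def syn_ack(step1: Segment, isn: int) -> Segment:
    """Step 2: the responder acknowledges the client's ISN and sends its own."""
    if step1.flags != {"SYN"}:
        raise ValueError("step 2 must answer a bare SYN")
    return Segment(step1.dst, step1.src, frozenset({"SYN", "ACK"}),
                   seq=_wrap(isn), ack=_wrap(step1.seq + 1))


def ack(step1: Segment, step2: Segment) -> Segment:
    """Step 3: the initiator acknowledges the responder's ISN.

    If the SYN/ACK does not acknowledge our ISN it is not for this
    connection; a real stack answers with RST (seq = the bogus ack value)."""
    if step2.flags != {"SYN", "ACK"}:
        raise ValueError("step 3 must answer a SYN/ACK")
    if step2.ack != _wrap(step1.seq + 1):
        return Segment(step1.src, step1.dst, frozenset({"RST"}), seq=step2.ack)
    return Segment(step1.src, step1.dst, frozenset({"ACK"}),
                   seq=_wrap(step1.seq + 1), ack=_wrap(step2.seq + 1))


def handshake(client="A", server="B", client_isn=None, server_isn=None):
    """Run all three steps and return the segments in order."""
    client_isn = random.getrandbits(32) if client_isn is None else client_isn
    server_isn = random.getrandbits(32) if server_isn is None else server_isn
    s1 = syn(client, server, client_isn)
    s2 = syn_ack(s1, server_isn)
    s3 = ack(s1, s2)
    return [s1, s2, s3]


if __name__ == "__main__":
    for seg in handshake(client_isn=1000, server_isn=5000):
        print(f"{seg.src} -> {seg.dst}: {'/'.join(sorted(seg.flags))} "
              f"seq={seg.seq} ack={seg.ack}")
```

    Running the block prints A->B SYN seq=1000, B->A SYN/ACK seq=5000 ack=1001, and A->B ACK seq=1001 ack=5001; feeding step 3 a SYN/ACK with a wrong acknowledgement number yields a RST instead.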
  18. What RADIUS alternative is commonly used for Cisco network gear and supports two-factor authentication?

    1. RADIUS+
    2. TACACS+
    3. XTACACS
    4. Kerberos
  19. What two types of attacks are VoIP call managers and VoIP phones most likely to be susceptible to?

    1. DoS and malware
    2. Worms and Trojans
    3. DoS and host OS attacks
    4. Host OS attacks and buffer overflows
  20. Vivian works for a chain of retail stores and would like to use a software product that restricts the software used on point-of-sale terminals to those packages on a preapproved list. What approach should Vivian use?

    1. Antivirus
    2. Heuristic
    3. Whitelist
    4. Blacklist

    Questions 21–23 refer to the following scenario.

    Hunter is the facilities manager for DataTech, a large data center management firm. He is evaluating the installation of a flood prevention system at one of DataTech’s facilities. The facility and contents are valued at $100 million. Installing the new flood prevention system would cost $10 million.

    Hunter consulted with flood experts and determined that the facility lies within a 200-year flood plain and that, if a flood occurred, it would likely cause $20 million in damage to the facility.

  21. Based on the information in this scenario, what is the exposure factor for the effect of a flood on DataTech’s data center?

    1. 2%
    2. 20%
    3. 100%
    4. 200%
  22. Based on the information in this scenario, what is the annualized rate of occurrence for a flood at DataTech’s data center?

    1. 0.002
    2. 0.005
    3. 0.02
    4. 0.05
  23. Based on the information in this scenario, what is the annualized loss expectancy for a flood at DataTech’s data center?

    1. $40,000
    2. $100,000
    3. $400,000
    4. $1,000,000
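    The quantitative risk formulas behind questions 21 to 23, carried through for the DataTech scenario and written to handle any asset value, per-event loss and recurrence interval, as an added example that is not part of the practice test. The scenario gives AV, the damage of one flood and the 200-year recurrence; the safeguard comparison at the end is my addition and assumes the $10 million system is amortized over 10 years and removes the flood loss entirely, neither of which the scenario states.

```python
"""Quantitative risk metrics (questions 21-23). Added example.
EF = damage / asset value, SLE = AV * EF, ARO = 1 / recurrence interval
in years, ALE = SLE * ARO."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskEstimate:
    asset_value: float
    exposure_factor: float            # fraction of AV lost per event, 0.0-1.0
    single_loss_expectancy: float     # currency
    annualized_rate: float            # expected events per year
    annualized_loss_expectancy: float  # currency per year


def quantitative_risk(asset_value: float, damage_per_event: float,
                      recurrence_interval_years: float) -> RiskEstimate:
    """Derive EF, SLE, ARO and ALE.

    A "200-year flood plain" means one flood per 200 years, so ARO = 1/200.
    EF is kept as a fraction (0.2), not a percentage (20%); mixing the two
    is the usual source of wrong ALE figures."""
    if asset_value <= 0 or recurrence_interval_years <= 0:
        raise ValueError("asset value and recurrence interval must be positive")
    if not 0 <= damage_per_event <= asset_value:
        raise ValueError("damage must be between 0 and the asset value")
    ef = damage_per_event / asset_value
    sle = asset_value * ef            # equals damage_per_event by construction
    aro = 1.0 / recurrence_interval_years
    return RiskEstimate(asset_value, ef, sle, aro, sle * aro)


def safeguard_value(before: RiskEstimate, after: RiskEstimate,
                    annual_cost_of_safeguard: float) -> float:
    """ALE reduction minus the control's annual cost.
    Negative means the control costs more per year than it saves."""
    return (before.annualized_loss_expectancy
            - after.annualized_loss_expectancy
            - annual_cost_of_safeguard)


if __name__ == "__main__":
    flood = quantitative_risk(asset_value=100_000_000,
                              damage_per_event=20_000_000,
                              recurrence_interval_years=200)
    print(f"EF  = {flood.exposure_factor:.0%}")
    print(f"ARO = {flood.annualized_rate}")
    print(f"SLE = ${flood.single_loss_expectancy:,.0f}")
    print(f"ALE = ${flood.annualized_loss_expectancy:,.0f}")
    # Assumption (not in the scenario): $10M system amortized over 10 years,
    # and it eliminates flood loss entirely.
    no_flood = quantitative_risk(100_000_000, 0, 200)
    print(f"safeguard value = ${safeguard_value(flood, no_flood, 1_000_000):,.0f}")
```

    For the scenario this gives EF = 20%, ARO = 0.005, SLE = $20,000,000 and ALE = $100,000 per year; under the stated amortization assumption the safeguard value is negative, which is why a $10 million control against a $100,000 annual expected loss is hard to justify on these numbers alone.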
  24. Which accounts are typically assessed during an account management assessment?

    1. A random sample
    2. Highly privileged accounts
    3. Recently generated accounts
    4. Accounts that have existed for long periods of time
  25. In the shared responsibility model, under which tier of cloud computing does the customer take responsibility for securing server operating systems?

    1. IaaS
    2. PaaS
    3. SaaS
    4. TaaS
  26. What type of error occurs when a valid subject using a biometric authenticator is not authenticated?

    1. A Type 1 error
    2. A Type 2 error
    3. A Type 3 error
    4. A Type 4 error
  27. Jackie is creating a database that contains the Customers table, shown here. She is designing a new table to contain Orders and plans to use the Company ID in that table to uniquely identify the customer associated with each order. What role does the Company ID field play in the Orders table?

    Table shows company ID, address, city, state, ZIP code, telephone and number of sales representatives of Acme Widgets, Abrams Consulting and Dome Widgets.
    1. Primary key
    2. Foreign key
    3. Candidate key
    4. Referential key
  28. What three types of interfaces are typically tested during software testing?

    1. Network, physical, and application interfaces
    2. APIs, UIs, and physical interfaces
    3. Network interfaces, APIs, and UIs
    4. Application, programmatic, and user interfaces
  29. George is assisting a prosecutor with a case against a hacker who attempted to break into George’s company’s computer systems. He provides system logs to the prosecutor for use as evidence but the prosecutor insists that George testify in court about how he gathered the logs. What rule of evidence requires George’s testimony?

    1. Testimonial evidence rule
    2. Parol evidence rule
    3. Best evidence rule
    4. Hearsay rule
  30. Which of the following is not a valid use for key risk indicators?

    1. Provide warnings before issues occur.
    2. Provide real-time incident response information.
    3. Provide historical views of past risks.
    4. Provide insight into risk tolerance for the organization.
  31. Which one of the following malware types uses built-in propagation mechanisms that exploit system vulnerabilities to spread?

    1. Trojan horse
    2. Worm
    3. Logic bomb
    4. Virus
  32. Don’s company is considering the use of an object-based storage system where data is placed in a vendor-managed storage environment through the use of API calls. What type of cloud computing service is in use?

    1. IaaS
    2. PaaS
    3. CaaS
    4. SaaS
  33. In what model of cloud computing do two or more organizations collaborate to build a shared cloud computing environment that is for their own use?

    1. Public cloud
    2. Private cloud
    3. Community cloud
    4. Shared cloud
  34. Which one of the following is not a principle of the Agile approach to software development?

    1. The most efficient method of conveying information is electronic.
    2. Working software is the primary measure of progress.
    3. Simplicity is essential.
    4. Business people and developers must work together daily.
  35. Harry is concerned that accountants within his organization will use data diddling attacks to cover up fraudulent activity in accounts that they normally access. Which one of the following controls would best defend against this type of attack?

    1. Encryption
    2. Access controls
    3. Integrity verification
    4. Firewalls
  36. What class of fire extinguisher is capable of fighting electrical fires?

    1. Class A
    2. Class B
    3. Class C
    4. Class D
  37. What important factor differentiates Frame Relay from X.25?

    1. Frame Relay supports multiple PVCs over a single WAN carrier connection.
    2. Frame Relay is a cell switching technology instead of a packet switching technology like X.25.
    3. Frame Relay does not provide a Committed Information Rate (CIR).
    4. Frame Relay only requires a DTE on the provider side.

    Using the following table, and your knowledge of the auditing process, answer questions 38–40.

    Table shows report content and audiences of Service Organization Control reports 1, 2 and 3.
  38. As they prepare to migrate their data center to an Infrastructure as a Service (IaaS) provider, Susan’s company wants to understand the effectiveness of their new provider’s security, integrity, and availability controls. What SOC report would provide them with the most detail?

    1. SOC 1
    2. SOC 2
    3. SOC 3
    4. None of the SOC reports are suited to this, and they should request another form of report.
  39. Susan wants to ensure that the audit report that her organization requested includes input from an external auditor. What type of report should she request?

    1. SOC 2, Type 1
    2. SOC 3, Type 1
    3. SOC 2, Type 2
    4. SOC 3, Type 2
  40. When Susan requests a SOC 2 report, her organization receives a SAS 70 report instead. What issue should Susan raise?

    1. SAS 70 does not include Type 2 reports, so control evaluation is only point in time.
    2. SAS 70 has been replaced.
    3. SAS 70 is a financial reporting standard and does not cover data centers.
    4. SAS 70 only uses a 3-month period for testing.
  41. What two logical network topologies can be physically implemented as a star topology?

    1. A bus and a mesh
    2. A ring and a mesh
    3. A bus and a ring
    4. It is not possible to implement other topologies as a star.
  42. Bell-LaPadula is an example of what type of access control model?

    1. DAC
    2. RBAC
    3. MAC
    4. ABAC
  43. Martha is the information security officer for a small college and is responsible for safeguarding the privacy of student records. What law most directly applies to her situation?

    1. HIPAA
    2. HITECH
    3. COPPA
    4. FERPA
  44. What U.S. law mandates the protection of Protected Health Information?

    1. FERPA
    2. SAFE Act
    3. GLBA
    4. HIPAA
  45. What type of Windows audit record describes events like an OS shutdown or a service being stopped?

    1. An application log
    2. A security log
    3. A system log
    4. A setup log
  46. Susan is configuring her network devices to use syslog. What should she set to ensure that she is notified about issues but does not receive routine operational messages?

    1. The facility code
    2. The log priority
    3. The security level
    4. The severity level
  47. What RAID level is also known as disk mirroring?

    1. RAID 0
    2. RAID 1
    3. RAID 3
    4. RAID 5
  48. What type of firewall uses multiple proxy servers that filter traffic based on analysis of the protocols used for each service?

    1. A static packet filtering firewall
    2. An application-level gateway firewall
    3. A circuit-level gateway firewall
    4. A stateful inspection firewall
  49. Surveys, interviews, and audits are all examples of ways to measure what important part of an organization’s security posture?

    1. Code quality
    2. Service vulnerabilities
    3. Awareness
    4. Attack surface
  50. Tom is the general counsel for an Internet service provider and he recently received notice of a lawsuit against the firm because of copyrighted content illegally transmitted over the provider’s circuits by a customer. What law protects Tom’s company in this case?

    1. Computer Fraud and Abuse Act
    2. Digital Millennium Copyright Act
    3. Wiretap Act
    4. Copyright Code
  51. A Type 2 authentication factor that generates dynamic passwords based on a time- or algorithm-based system is what type of authenticator?

    1. A PIV
    2. A smart card
    3. A token
    4. A CAC
  52. Fred’s new employer has hired him for a position with access to their trade secrets and confidential internal data. What legal tool should they use to help protect their data if he chooses to leave to work at a competitor?

    1. A stop-loss order
    2. An NDA
    3. An AUP
    4. Encryption
  53. Which one of the following computing models allows the execution of multiple processes on a single processor by having the operating system switch between them without requiring modification to the applications?

    1. Multitasking
    2. Multiprocessing
    3. Multiprogramming
    4. Multithreading
  54. How many possible keys exist when using a cryptographic algorithm that has an 8-bit binary encryption key?

    1. 16
    2. 128
    3. 256
    4. 512
  55. What activity is being performed when you apply security controls based on the specific needs of the IT system that they will be applied to?

    1. Standardizing
    2. Baselining
    3. Scoping
    4. Tailoring
  56. During what phase of the electronic discovery process does an organization perform a rough cut of the information gathered to discard irrelevant information?

    1. Preservation
    2. Identification
    3. Collection
    4. Processing
  57. Ben’s job is to ensure that data is labeled with the appropriate sensitivity label. Since Ben works for the US government, he has to apply the labels Unclassified, Confidential, Secret, and Top Secret to systems and media. If Ben is asked to label a system that handles Secret, Confidential, and Unclassified information, how should he label it?

    1. Mixed classification
    2. Confidential
    3. Top Secret
    4. Secret
  58. Susan has discovered that the smart card-based locks used to keep the facility she works at secure are not effective because staff members are propping the doors open. She places signs on the doors reminding staff that leaving the door open creates a security issue, and adds alarms that will sound if the doors are left open for more than five minutes. What type of controls has she put into place?

    1. Physical
    2. Administrative
    3. Compensation
    4. Recovery
  59. Ben is concerned about password cracking attacks against his system. He would like to implement controls that prevent an attacker who has obtained those hashes from easily cracking them. What two controls would best meet this objective?

    1. Longer passwords and salting
    2. Over-the-wire encryption and use of SHA1 instead of MD5
    3. Salting and use of MD5
    4. Using shadow passwords and salting
  60. Which group is best suited to evaluate and report on the effectiveness of administrative controls an organization has put in place to a third party?

    1. Internal auditors
    2. Penetration testers
    3. External auditors
    4. Employees who design, implement, and monitor the controls
  61. Renee is using encryption to safeguard sensitive business secrets when in transit over the Internet. What risk metric is she attempting to lower?

    1. Likelihood
    2. RTO
    3. MTO
    4. Impact
  62. As part of hiring a new employee, Kathleen’s identity management team creates a new user object and ensures that the user object is available in the directories and systems where it is needed. What is this process called?

    1. Registration
    2. Provisioning
    3. Population
    4. Authenticator loading
  63. Ricky would like to access a remote file server through a VPN connection. He begins this process by connecting to the VPN and attempting to log in. Applying the subject/object model to this request, what is the subject of Ricky’s login attempt?

    1. Ricky
    2. VPN
    3. Remote file server
    4. Files contained on the remote server
  64. Alice is designing a cryptosystem for use by six users and would like to use a symmetric encryption algorithm. She wants any two users to be able to communicate with each other without worrying about eavesdropping by a third user. How many symmetric encryption keys will she need to generate?

    1. 6
    2. 12
    3. 15
    4. 30
  65. Which one of the following intellectual property protection mechanisms has the shortest duration?

    1. Copyright
    2. Patent
    3. Trademark
    4. Trade secret
  66. Gordon is developing a business continuity plan for a manufacturing company’s IT operations. The company is located in North Dakota and they are currently evaluating the risk of earthquake. They choose to pursue a risk acceptance strategy. Which one of the following actions is consistent with that strategy?

    1. Purchasing earthquake insurance
    2. Relocating the data center to a safer area
    3. Documenting the decision-making process
    4. Reengineering the facility to withstand the shock of an earthquake
  67. Carol would like to implement a control that protects her organization from the momentary loss of power to the data center. Which control is most appropriate for her needs?

    1. Redundant servers
    2. RAID
    3. UPS
    4. Generator
  68. Ben has encountered problems with users in his organization reusing passwords, despite a requirement that they change passwords every 30 days. What type of password setting should Ben employ to help prevent this issue?

    1. Longer minimum age
    2. Increased password complexity
    3. Implement password history
    4. Implement password length requirements
  69. Chris is conducting a risk assessment for his organization and determined the amount of damage that a single flood could be expected to cause to his facilities. What metric has Chris identified?

    1. ALE
    2. SLE
    3. ARO
    4. AV
  70. The removal of a hard drive from a PC before it is retired and sold as surplus is an example of what type of action?

    1. Purging
    2. Sanitization
    3. Degaussing
    4. Destruction
  71. During which phase of the incident response process would an organization determine whether it is required to notify law enforcement officials or other regulators of the incident?

    1. Detection
    2. Recovery
    3. Remediation
    4. Reporting
  72. What OASIS standard markup language is used to generate provisioning requests both within organizations and with third parties?

    1. SAML
    2. SPML
    3. XACML
    4. SOA
  73. Which of the following storage mechanisms is not considered secondary storage?

    1. Magnetic hard disk
    2. Solid state drive
    3. DVD
    4. RAM
  74. Susan’s SMTP server does not authenticate senders before accepting and relaying email. What is this security configuration issue known as?

    1. An email gateway
    2. An SMTP relay
    3. An X.400-compliant gateway
    4. An open relay

    The large business that Jack works for has used noncentralized logging for years. It has recently started to implement centralized logging, and while reviewing logs it discovered a breach that appeared to involve a malicious insider. Use this scenario to answer questions 75 through 77 about logging environments.

  75. When the breach was discovered and the logs were reviewed, it was discovered that the attacker had purged the logs on the system that they compromised. How can this be prevented in the future?

    1. Encrypt local logs
    2. Require administrative access to change logs
    3. Enable log rotation
    4. Send logs to a bastion host
  76. How can Jack detect issues like this using his organization’s new centralized logging?

    1. Deploy and use an IDS
    2. Send logs to a central logging server
    3. Deploy and use a SIEM
    4. Use syslog
  77. How can Jack best ensure accountability for actions taken on systems in his environment?

    1. Log review and require digital signatures for each log.
    2. Require authentication for all actions taken and capture logs centrally.
    3. Log the use of administrative credentials and encrypt log data in transit.
    4. Require authorization and capture logs centrally.
  78. Ed’s organization has 5 IP addresses allocated to them by their ISP, but needs to connect over 100 computers and network devices to the Internet. What technology can he use to connect his entire network via the limited set of IP addresses he can use?

    1. IPSec
    2. PAT
    3. SDN
    4. IPX
  79. What type of attack would the following precautions help prevent?

    • Requesting proof of identity
    • Requiring callback authorizations on voice-only requests
    • Not changing passwords via voice communications
    1. DoS attacks
    2. Worms
    3. Social engineering
    4. Shoulder surfing
  80. Fred’s organization needs to use a non-IP protocol on their VPN. Which of the common VPN protocols should he select to natively handle non-IP protocols?

    1. PPTP
    2. L2F
    3. L2TP
    4. IPSec
  81. Residual data is another term for what type of data left after attempts have been made to erase it?

    1. Leftover data
    2. MBR
    3. Bitrot
    4. Remnant data
  82. Which one of the following disaster recovery test types involves the actual activation of the disaster recovery facility?

    1. Simulation test
    2. Tabletop exercise
    3. Parallel test
    4. Checklist review
  83. What access control system lets owners decide who has access to the objects they own?

    1. Role-based access control
    2. Task-based access control
    3. Discretionary access control
    4. Rule-based access control
  84. Using a trusted channel and link encryption are both ways to prevent what type of access control attack?

    1. Brute force
    2. Spoofed login screens
    3. Man-in-the-middle attacks
    4. Dictionary attacks
  85. Which one of the following is not one of the canons of the (ISC)2 Code of Ethics?

    1. Protect society, the common good, necessary public trust and confidence, and the infrastructure.
    2. Act honorably, honestly, justly, responsibly, and legally.
    3. Provide diligent and competent service to principals.
    4. Maintain competent records of all investigations and assessments.
  86. Which one of the following components should be included in an organization’s emergency response guidelines?

    1. Immediate response procedures
    2. Long-term business continuity protocols
    3. Activation procedures for the organization’s cold sites
    4. Contact information for ordering equipment
  87. Ben is working on integrating a federated identity management system and needs to exchange authentication and authorization information for browser-based single sign-on. What technology is his best option?

    1. HTML
    2. XACML
    3. SAML
    4. SPML
  88. What is the minimum interval at which an organization should conduct business continuity plan refresher training for those with specific business continuity roles?

    1. Weekly
    2. Monthly
    3. Semi-annually
    4. Annually
  89. What is the minimum number of cryptographic keys necessary to achieve strong security when using the 3DES algorithm?

    1. 1
    2. 2
    3. 3
    4. 4
  90. What type of address is 10.11.45.170?

    1. A public IP address
    2. An RFC 1918 address
    3. An APIPA address
    4. A loopback address
  91. Lauren wants to monitor her LDAP servers to identify what types of queries are causing problems. What type of monitoring should she use if she wants to be able to use the production servers and actual traffic for her testing?

    1. Active
    2. Real-time
    3. Passive
    4. Replay
  92. Steve is developing an input validation routine that will protect the database supporting a web application from SQL injection attack. Where should Steve place the input validation code?

    1. JavaScript embedded in the web pages
    2. Backend code on the web server
    3. Stored procedure on the database
    4. Code on the user’s web browser
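    The point of question 92 is where validation must live: anything that runs in the browser can be bypassed by a client that simply does not run it, so the check that protects the database has to execute on the server. The following added example (not part of the practice test) puts a concatenated query beside a hardened one against an in-memory SQLite table with constructed rows; the table name, the username pattern and the payload are my assumptions.

```python
"""Login lookup: injectable vs hardened (question 92). Added example.
Runs offline against an in-memory SQLite database with constructed rows."""
import re
import sqlite3
from typing import List, Tuple

# Assumed username policy: letters, digits, _ . - and at most 32 characters.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "staff")])   # constructed rows
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Untrusted input concatenated into the statement: injectable.
    A username of  x' OR '1'='1  turns the WHERE clause into a tautology."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_bound(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Parameter binding alone: the payload is passed as data, never parsed
    as SQL, so the tautology simply matches no row."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def lookup_hardened(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Server-side validation plus parameter binding.
    Validation rejects input that cannot be a username at all, which keeps
    junk out of logs and other sinks; binding guarantees the rest is data."""
    if not USERNAME_RE.match(username):
        raise ValueError("invalid username")
    return lookup_bound(conn, username)


if __name__ == "__main__":
    conn = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(conn, payload))   # every row
    print("bound only:", lookup_bound(conn, payload))        # no rows
    try:
        lookup_hardened(conn, payload)
    except ValueError as exc:
        print("hardened:", exc)
```

    With the payload, the concatenated query returns both rows, the bound query returns none, and the hardened path rejects the input before any query runs. A JavaScript check on the page could only ever be a usability feature in front of this code, never a substitute for it.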
  93. Ben is selecting an encryption algorithm for use in an organization with 10,000 employees. He must facilitate communication between any two employees within the organization. Which one of the following algorithms would allow him to meet this goal with the least time dedicated to key management?

    1. RSA
    2. IDEA
    3. 3DES
    4. Skipjack
  94. Grace is considering the use of new identification cards in her organization that will be used for physical access control. She comes across the sample card shown here and is unsure of the technology it uses. What type of card is this?

    Image shows a sample Social Security Administration identification card with fields for sex, date of birth and signature, and the Social Security Administration's address.
    1. Smart card
    2. Phase-two card
    3. Proximity card
    4. Magnetic stripe card
  95. What type of log file is shown in this figure?

    Screenshot shows log entries dated 9 August 2015, each of the form: ALLOW UDP 172.30.0.64 172.30.0.2 62166 53 0 - SEND
    1. Application
    2. Web server
    3. System
    4. Firewall
  96. Which one of the following activities transforms a zero-day vulnerability into a less dangerous attack vector?

    1. Discovery of the vulnerability
    2. Implementation of transport-layer encryption
    3. Reconfiguration of a firewall
    4. Release of a security patch
  97. Which one of the following is an example of a hardening provision that might strengthen an organization’s existing physical facilities and avoid implementation of a business continuity plan?

    1. Patching a leaky roof
    2. Reviewing and updating firewall access control lists
    3. Upgrading operating systems
    4. Deploying a network intrusion detection system
  98. Susan wants to monitor traffic between systems in a VMware environment. What solution would be her best option to monitor that traffic?

    1. Use a traditional hardware-based IPS.
    2. Install Wireshark on each virtual system.
    3. Set up a virtual span port and capture data using a VM IDS.
    4. Use netcat to capture all traffic sent between VMs.

    Questions 99–102 refer to the following scenario.

    Matthew and Richard are friends located in different physical locations who would like to begin communicating with each other using cryptography to protect the confidentiality of their communications. They exchange digital certificates to begin this process and plan to use an asymmetric encryption algorithm for the secure exchange of email messages.

  99. When Matthew sends Richard a message, what key should he use to encrypt the message?

    1. Matthew’s public key
    2. Matthew’s private key
    3. Richard’s public key
    4. Richard’s private key
  100. When Richard receives the message from Matthew, what key should he use to decrypt the message?

    1. Matthew’s public key
    2. Matthew’s private key
    3. Richard’s public key
    4. Richard’s private key
  101. Matthew would like to enhance the security of his communication by adding a digital signature to the message. What goal of cryptography are digital signatures intended to enforce?

    1. Secrecy
    2. Availability
    3. Confidentiality
    4. Nonrepudiation
  102. When Matthew goes to add the digital signature to the message, what encryption key does he use to create the digital signature?

    1. Matthew’s public key
    2. Matthew’s private key
    3. Richard’s public key
    4. Richard’s private key
  103. When Jim logs into a system, his password is compared to a hashed value stored in a database. What is this process?

    1. Identification
    2. Hashing
    3. Tokenization
    4. Authentication
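    Questions 14, 59 and 103 are three views of the same mechanism: the system stores a salted, slow hash rather than the password (kept in a root-readable file such as /etc/shadow on Linux), and a login recomputes the hash from the supplied password and compares. The added example below (not part of the practice test, and not the real shadow record format) uses only the standard library, shows why identical passwords must not yield identical stored values, and shows what a precomputed hash-to-password table recovers from unsalted MD5 versus salted PBKDF2. The record layout, iteration count and wordlist are my assumptions.

```python
"""Salted password storage and verification (questions 14, 59, 103).
Added example; record format is constructed, not /etc/shadow's."""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

ITERATIONS = 200_000   # assumed work factor; tune to ~100 ms on your hardware


def weak_hash(password: str) -> str:
    """Unsalted MD5: same password -> same digest, so one precomputed
    table recovers every user who chose that password."""
    return hashlib.md5(password.encode()).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Store 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.
    A fresh random salt per user means equal passwords give different
    records and a table must be rebuilt per salt."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(record: str, password: str) -> bool:
    """Authentication: recompute with the stored salt and compare in
    constant time, so timing does not leak how many bytes matched."""
    algo, iters, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))


def precomputed_table_hits(stored_hex: Iterable[str], table: Dict[str, str]) -> int:
    """Number of stored digests an attacker's precomputed table resolves."""
    return sum(1 for h in stored_hex if h in table)


if __name__ == "__main__":
    wordlist = ["password", "Winter2024", "letmein"]          # constructed
    table = {weak_hash(p): p for p in wordlist}                # attacker's table
    weak = [weak_hash("Winter2024"), weak_hash("Winter2024")]  # two users, same pw
    strong = [make_record("Winter2024"), make_record("Winter2024")]
    print("unsalted identical:", weak[0] == weak[1])
    print("salted identical:  ", strong[0] == strong[1])
    print("table hits, unsalted:", precomputed_table_hits(weak, table))
    print("table hits, salted:  ",
          precomputed_table_hits([r.split("$")[-1] for r in strong], table))
    print("login ok:", verify(strong[0], "Winter2024"),
          "wrong pw:", verify(strong[0], "winter2024"))
```

    Salting removes the shared-table advantage and the iteration count makes each guess expensive, which is the combination question 59 is after; longer passwords then raise the number of guesses the attacker must pay for.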
  104. What is the primary advantage of decentralized access control?

    1. It provides better redundancy.
    2. It provides control of access to people closer to the resources.
    3. It is less expensive.
    4. It provides more granular control of access.
  105. Which of the following types of controls does not describe a mantrap?

    1. Deterrent
    2. Preventive
    3. Compensating
    4. Physical
  106. Sally’s organization needs to be able to prove that certain staff members sent emails, and she wants to adopt a technology that will provide that capability without changing their existing email system. What is the technical term for the capability Sally needs to implement as the owner of the email system, and what tool could she use to do it?

    1. Integrity; IMAP
    2. Repudiation; encryption
    3. Nonrepudiation; digital signatures
    4. Authentication; DKIM
  107. Which one of the following background checks is not normally performed during normal pre-hire activities?

    1. Credit check
    2. Reference verification
    3. Criminal records check
    4. Medical records check
  108. Margot is investigating suspicious activity on her network and uses a protocol analyzer to sniff inbound and outbound traffic. She notices an unusual packet that has identical source and destination IP addresses. What type of attack uses this packet type?

    1. Fraggle
    2. Smurf
    3. Land
    4. Teardrop
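    Questions 13, 90, 95 and 108 each reduce to a check on the addresses in a firewall log line. The added example below (not part of the practice test) parses a handful of constructed lines laid out like the Windows Firewall log in question 95 (date time action protocol src-ip dst-ip src-port dst-port size flags path) and runs two detections over them: Land-style packets whose source and destination addresses are identical, and outbound packets whose source address is not from the organization's own block, which is exactly what egress filtering should drop. It also classifies an address as RFC 1918, loopback, link-local or other. The organization's public block 203.0.113.0/24 is an assumption (a documentation range standing in for Angie's block), as are all the log lines.

```python
"""Firewall log checks (questions 13, 90, 95, 108). Added example; the
log lines and the organisation's address block are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List

# Assumed: the organisation's public block (RFC 5737 documentation range).
ORG_PUBLIC_BLOCK = ipaddress.ip_network("203.0.113.0/24")
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")   # APIPA

# Constructed lines: internal DNS query, legitimate egress, a Land packet,
# an un-NATed RFC 1918 source leaving, and a source from someone else's block.
SAMPLE_LOG = """\
2015-08-09 10:15:01 ALLOW UDP 172.30.0.64 172.30.0.2 62166 53 0 - SEND
2015-08-09 10:15:02 ALLOW TCP 203.0.113.10 198.51.100.7 51000 443 52 S SEND
2015-08-09 10:15:03 ALLOW TCP 198.51.100.9 198.51.100.9 139 139 40 S RECEIVE
2015-08-09 10:15:04 ALLOW TCP 10.11.45.170 198.51.100.7 51001 80 52 S SEND
2015-08-09 10:15:05 ALLOW TCP 192.0.2.5 198.51.100.7 4444 80 40 S SEND
"""


@dataclass(frozen=True)
class Entry:
    time: str
    action: str
    proto: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    sport: int
    dport: int
    path: str          # SEND = outbound from this host, RECEIVE = inbound


def parse(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split()
        if len(f) < 11:
            raise ValueError(f"short line: {line!r}")
        entries.append(Entry(f"{f[0]} {f[1]}", f[2], f[3],
                             ipaddress.ip_address(f[4]), ipaddress.ip_address(f[5]),
                             int(f[6]), int(f[7]), f[10]))
    return entries


def is_internal(addr) -> bool:
    return addr in ORG_PUBLIC_BLOCK or any(addr in n for n in RFC1918)


def land_packets(entries: List[Entry]) -> List[Entry]:
    """Land attack signature: source and destination address identical
    (the classic form also uses identical ports)."""
    return [e for e in entries if e.src == e.dst]


def egress_violations(entries: List[Entry]) -> List[Entry]:
    """Packets leaving for the Internet must carry a source from our public
    block. An RFC 1918 source leaving un-NATed or a source from another
    organisation's block is spoofed or misconfigured either way."""
    return [e for e in entries
            if e.path == "SEND" and not is_internal(e.dst)
            and e.src not in ORG_PUBLIC_BLOCK]


def address_kind(ip: str) -> str:
    a = ipaddress.ip_address(ip)
    if a in LOOPBACK:
        return "loopback"
    if a in LINK_LOCAL:
        return "APIPA/link-local"
    if any(a in n for n in RFC1918):
        return "RFC 1918"
    return "other"


if __name__ == "__main__":
    entries = parse(SAMPLE_LOG)
    for e in land_packets(entries):
        print("land packet:", e.time, e.src, "->", e.dst)
    for e in egress_violations(entries):
        print("egress violation:", e.time, e.src, "->", e.dst, address_kind(str(e.src)))
```

    The explicit RFC 1918 list is deliberate: Python's ipaddress.is_private also returns True for the RFC 5737 documentation ranges and other IANA special-purpose blocks, so it is not a test for "RFC 1918 address" on its own.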
  109. Jim wants to perform an audit that will generate an industry recognized report on the design and suitability of his organization’s controls as they stand at the time of the report. If this is his only goal, what type of report should he provide?

    1. An SSAE-16 Type I
    2. An SAS 70 Type I
    3. An SSAE-16 Type II
    4. An SAS 70 Type II
  110. In the OSI model, when a packet changes from a data stream to a segment or a datagram, what layer has it traversed?

    1. The Transport layer
    2. The Application layer
    3. The Data Link layer
    4. The Physical layer
  111. Tommy handles access control requests for his organization. A user approaches him and explains that he needs access to the human resources database in order to complete a headcount analysis requested by the CFO. What has the user demonstrated successfully to Tommy?

    1. Clearance
    2. Separation of duties
    3. Need to know
    4. Isolation
  112. Kathleen wants to set up a service to provide information about her organization’s users and services using a central, open, vendor-neutral, standards-based system that can be easily queried. Which of the following technologies is her best choice?

    1. RADIUS
    2. LDAP
    3. Kerberos
    4. Active Directory
  113. What type of firewall is capable of inspecting traffic at layer 7 and performing protocol-specific analysis for malicious traffic?

    1. Application firewall
    2. Stateful inspection firewall
    3. Packet filtering firewall
    4. Bastion host
  114. Alice would like to add another object to a security model and grant herself rights to that object. Which one of the rules in the Take-Grant protection model would allow her to complete this operation?

    1. Take rule
    2. Grant rule
    3. Create rule
    4. Remove rule
  115. Which of the following concerns should not be on Lauren’s list of potential issues when penetration testers suggest using Metasploit during their testing?

    1. Metasploit can only test vulnerabilities it has plug-ins for.
    2. Penetration testing only covers a point-in-time view of the organization’s security.
    3. Tools like Metasploit can cause denial-of-service issues.
    4. Penetration testing cannot test process and policy.
  116. Colin is reviewing a system that has been assigned the EAL7 evaluation assurance level under the Common Criteria. What is the highest level of assurance that he may have about the system?

    1. It has been functionally tested.
    2. It has been methodically tested and checked.
    3. It has been methodically designed, tested, and reviewed.
    4. It has been formally verified, designed, and tested.
  117. Which ITU-T standard should Alex expect to see in use when he uses his smart card to provide a certificate to an upstream authentication service?

    1. X.500
    2. SPML
    3. X.509
    4. SAML
  118. What type of websites are regulated under the terms of COPPA?

    1. Financial websites not run by financial institutions
    2. Healthcare websites that collect personal information
    3. Websites that collect information from children
    4. Financial websites run by financial institutions
  119. Tracy recently accepted an IT compliance position at a federal government agency that works very closely with the Defense Department on classified government matters. Which one of the following laws is least likely to pertain to Tracy’s agency?

    1. HIPAA
    2. FISMA
    3. HSA
    4. CFAA
  120. Referring to the figure shown here, what is the name of the security control indicated by the arrow?

    Diagram shows a house inside a fence along with a security room at a corner of the fence. The arrow is pointing toward the opening of the fence in front of the house.
    1. Mantrap
    2. Intrusion prevention system
    3. Turnstile
    4. Portal
  121. What two important factors does accountability for access control rely on?

    1. Identification and authorization
    2. Authentication and authorization
    3. Identification and authentication
    4. Accountability and authentication
  122. What key assumption made by EAP can be remedied by using PEAP?

    1. EAP assumes that LEAP will replace TKIP, ensuring authentication will occur.
    2. EAP originally assumed the use of physically isolated channels and is usually not encrypted.
    3. There are no TLS implementations available using EAP.
    4. EAP does not allow additional authentication methods, and PEAP adds additional methods.
  123. Scott’s organization has configured their external IP address to be 192.168.1.25. When traffic is sent to their ISP, it never reaches its destination. What problem is Scott’s organization encountering?

    1. BGP is not set up properly.
    2. They have not registered their IP with their ISP.
    3. The IP address is a private, non-routable address.
    4. 192.168.1.25 is a reserved address for home routers.
  124. Jennifer needs to measure the effectiveness of her information security program as she works toward her organization’s long-term goals. What type of measures should she select?

    1. Metrics
    2. KPIs
    3. SLAs
    4. OKRs
  125. Sue’s organization recently failed a security assessment because their network was a single flat broadcast domain, and sniffing traffic was possible between different functional groups. What solution should she recommend to help prevent the issues that were identified?

    1. Use VLANs.
    2. Change the subnet mask for all systems.
    3. Deploy gateways.
    4. Turn on port security.
  126. Susan is setting up the network for a local coffee house and wants to ensure that users have to authenticate using an email address and agree to the coffee house’s acceptable use policy before being allowed on the network. What technology should she use to do this?

    1. 802.11
    2. NAC
    3. A captive portal
    4. A wireless gateway
  127. What is another term for active monitoring?

    1. Synthetic
    2. Passive
    3. Reactive
    4. Span-based
  128. The TCP header is made up of elements such as the source port, destination port, sequence number, and others. How many bytes long is the TCP header?

    1. 8 bytes
    2. 20–60 bytes
    3. 64 bytes
    4. 64–128 bytes

    The company that Fred works for is reviewing the security of their company-issued cell phones. They issue 4G-capable smartphones running Android and iOS, and use a mobile device management solution to deploy company software to the phones. The mobile device management software also allows the company to remotely wipe the phones if they are lost. Use this information, as well as your knowledge of cellular technology, to answer questions 129–131.

  129. What security considerations should Fred’s company require for sending sensitive data over the cellular network?

    1. They should use the same requirements as data over any public network.
    2. Cellular provider networks are private networks and should not require special consideration.
    3. Encrypt all traffic to ensure confidentiality.
    4. Require the use of WAP for all data sent from the phone.
  130. Fred intends to attend a major hacker conference this year. What should he do when connecting to his cellular provider’s 4G network while at the conference?

    1. Continue normal usage.
    2. Discontinue all usage; towers can be spoofed.
    3. Only use trusted Wi-Fi networks.
    4. Connect to his company’s encrypted VPN service.
  131. What are the most likely circumstances that would cause a remote wipe of a mobile phone to fail?

    1. The phone has a passcode on it.
    2. The phone cannot contact a network.
    3. The provider has not unlocked the phone.
    4. The phone is in use.
  132. Elaine is developing a business continuity plan for her organization. What value should she seek to minimize?

    1. AV
    2. SSL
    3. RTO
    4. MTO
  133. NIST Special Publication 800-53, revision 4, describes two measures of assurance. Which measure of developmental assurance is best described as measuring “the rigor, level of detail, and formality of the artifacts produced during the design and development of the hardware, software, and firmware components of information systems (e.g., functional specifications, high-level design, low-level design, source code)”?

    1. Coverage
    2. Suitability
    3. Affirmation
    4. Depth
  134. Which one of the following disaster recovery test types does not involve the actual use of any technical disaster recovery controls?

    1. Simulation test
    2. Parallel test
    3. Structured walk-through
    4. Full interruption test
  135. Chris is experiencing issues with the quality of network service on his organization’s network. The primary symptom is that packets are becoming corrupted as they travel from their source to their destination. What term describes the issue Chris is facing?

    1. Latency
    2. Jitter
    3. Interference
    4. Packet loss
  136. Kathleen has been asked to choose a highly formalized code review process for her software quality assurance team to use. Which of the following software testing processes is the most rigorous and formal?

    1. Fagan
    2. Fuzzing
    3. Over the shoulder
    4. Pair programming
  137. Frank is attempting to protect his web application against cross-site scripting attacks. Users do not need to provide input containing scripts, so he decided the most effective way to filter would be to write a filter on the server that watches for the <SCRIPT> tag and removes it. What is the issue with Frank’s approach?

    1. Validation should always be performed on the client side.
    2. Attackers may use XSS filter evasion techniques against this approach.
    3. Server-side validation requires removing all HTML tags, not just the <SCRIPT> tag.
    4. There is no problem with Frank’s approach.
  138. Which one of the following is not an object-oriented programming language?

    1. C++
    2. Java
    3. Fortran
    4. C#
  139. Uptown Records Management recently entered into a contract with a hospital for the secure storage of medical records. The hospital is a HIPAA-covered entity. What type of agreement must the two organizations sign to remain compliant with HIPAA?

    1. NDA
    2. NCA
    3. BAA
    4. SLA
  140. Norm would like to conduct a disaster recovery test for his organization and wants to choose the most thorough type of test, recognizing that it may be quite disruptive. What type of test should Norm choose?

    1. Full interruption test
    2. Parallel test
    3. Tabletop exercise
    4. Checklist review
  141. Ed is building a network that supports IPv6 but needs to connect it to an IPv4 network. What type of device should Ed place between the networks?

    1. A switch
    2. A router
    3. A bridge
    4. A gateway
  142. What encryption standard won the competition for certification as the Advanced Encryption Standard?

    1. Blowfish
    2. Twofish
    3. Rijndael
    4. Skipjack
  143. Which law can be summarized through these seven key principles: notice, choice, onward transfer, security, data integrity, access, enforcement?

    1. COPA
    2. NY SAFE Act
    3. The EU Data Protection Directive
    4. FISMA
  144. Which one of the following actions is not required under the EU Data Protection Directive?

    1. Organizations must allow individuals to opt out of information sharing.
    2. Organizations must provide individuals with lists of employees with access to information.
    3. Organizations must use proper mechanisms to protect data against unauthorized disclosure.
    4. Organizations must have a dispute resolution process for privacy issues.
  145. Tammy is selecting a disaster recovery facility for her organization. She would like to choose a facility that balances the time required to recover operations with the cost involved. What type of facility should she choose?

    1. Hot site
    2. Warm site
    3. Cold site
    4. Red site
  146. What layer of the OSI model is associated with datagrams?

    1. Session
    2. Transport
    3. Network
    4. Data Link
  147. Which one of the following is not a valid key length for the Advanced Encryption Standard?

    1. 128 bits
    2. 192 bits
    3. 256 bits
    4. 384 bits
  148. Which one of the following technologies provides a function interface that allows developers to directly interact with systems without knowing the implementation details of that system?

    1. Data dictionary
    2. Object model
    3. Source code
    4. API
  149. What email encryption technique is illustrated in this figure?

    Left flow diagram shows data combined with encrypted key to give the encrypted message. Right flow diagram shows encrypted message combined with receiver's key gives the decrypted data.
    1. MD5
    2. Thunderbird
    3. S/MIME
    4. PGP
  150. When Ben lists the files on a Linux system, he sees a set of attributes as shown in the following image.

    Screenshot shows:

    -rw-r--r-- 1 demo demo 93 Apr 11 23:38 example.txt
    -rw-r--r-- 1 demo demo 15 Apr 11 23:57 index.html

    These letters (rwx) indicate different levels of what?

    1. Identification
    2. Authorization
    3. Authentication
    4. Accountability
  151. What type of access control is intended to discover unwanted or unauthorized activity by providing information after the event has occurred?

    1. Preventive
    2. Corrective
    3. Detective
    4. Directive
  152. Which one of the following presents the most complex decoy environment for an attacker to explore during an intrusion attempt?

    1. Honeypot
    2. Darknet
    3. Honeynet
    4. Pseudo flaw

    Ben’s organization is adopting biometric authentication for their high-security building’s access control system. Using this chart, answer questions 153–155 about their adoption of the technology.

    Percentage versus sensitivity graph shows an uptrend curve depicting FRR and a downtrend curve depicting FAR. Point B is at the lower end of FRR curve and A is the cross over point of the curves.
  153. Ben’s company is considering configuring their systems to work at the level shown by point A on the diagram. What level are they setting the sensitivity to?

    1. The FRR crossover
    2. The FAR point
    3. The CER
    4. The CFR
  154. At point B, what problem is likely to occur?

    1. False acceptance will be very high.
    2. False rejection will be very high.
    3. False rejection will be very low.
    4. False acceptance will be very low.
  155. What should Ben do if the FAR and FRR shown in this diagram do not provide an acceptable performance level for his organization’s needs?

    1. Adjust the sensitivity of the biometric devices.
    2. Assess other biometric systems to compare them.
    3. Move the CER.
    4. Adjust the FRR settings in software.
  156. Ed is tasked with protecting information about his organization’s customers, including their name, Social Security number, birthdate and place of birth, as well as a variety of other information. What is this information known as?

    1. PHI
    2. PII
    3. Personal Protected Data
    4. PID
  157. What software development life-cycle model is shown in the following illustration?

    Diagram shows a two-way process that includes system requirements, software requirements, preliminary design, detailed design, code and debug, testing and operations and maintenance.
    1. Spiral
    2. Agile
    3. Boehm
    4. Waterfall
  158. Encapsulation is the core concept that enables what type of protocol?

    1. Bridging
    2. Multilayer
    3. Hashing
    4. Storage
  159. Which one of the following is not a key principle of the COBIT framework for IT security control objectives?

    1. Meeting stakeholder needs
    2. Performing exhaustive analysis
    3. Covering the enterprise end-to-end
    4. Separating governance from management
  160. Roscommon Enterprises is an Irish company that handles personal information. They exchange information with many other countries. Which of the following countries would trigger the onward transfer provisions of the International Safe Harbor Privacy Principles?

    1. United States
    2. United Kingdom
    3. Italy
    4. Germany
  161. What important protocol is responsible for providing human-readable addresses instead of numerical IP addresses?

    1. TCP
    2. IP
    3. DNS
    4. ARP
  162. NIST Special Publication 800-53A describes four types of objects that can be assessed. If Ben is reviewing a password standard, which of the four types of objects is he assessing?

    1. A mechanism
    2. A specification
    3. An activity
    4. An individual
  163. What process is typically used to ensure data security for workstations that are being removed from service, but which will be resold or otherwise reused?

    1. Destruction
    2. Erasing
    3. Sanitization
    4. Clearing
  164. Colleen is conducting a software test that is evaluating code for both security flaws and usability issues. She is working with the application from an end-user perspective and referencing the source code as she works her way through the product. What type of testing is Colleen conducting?

    1. White box
    2. Blue box
    3. Gray box
    4. Black box
  165. Harold is looking for a software development methodology that will help with a major issue he is seeing in his organization. Currently, developers and operations staff do not work together and are often seen as taking problems and “throwing them over the fence” to the other team. What technology management approach is designed to alleviate this problem?

    1. ITIL
    2. Lean
    3. ITSM
    4. DevOps
  166. NIST Special Publication 800-92, the Guide to Computer Security Log Management, describes four types of common challenges to log management:

    • Many log sources
    • Inconsistent log content
    • Inconsistent timestamps
    • Inconsistent log formats

    Which of the following solutions is best suited to solving these issues?

    1. Implement SNMP for all logging devices.
    2. Implement a SIEM.
    3. Standardize on the Windows event log format for all devices and use NTP.
    4. Ensure logging is enabled on all endpoints using their native logging formats and set their local time correctly.
  167. Mike has a flash memory card that he would like to reuse. The card contains sensitive information. What technique can he use to securely remove data from the card and allow its reuse?

    1. Degaussing
    2. Physical destruction
    3. Overwriting
    4. Reformatting
  168. Carlos is investigating the compromise of sensitive information in his organization. He believes that attackers managed to retrieve personnel information on all employees from the database and finds the following user-supplied input in a log entry for a web-based personnel management system:

    Collins'&1=1;--

    What type of attack took place?

    1. SQL injection
    2. Buffer overflow
    3. Cross-site scripting
    4. Cross-site request forgery
  169. Which one of the following is a detailed, step-by-step document that describes the exact actions that individuals must complete?

    1. Policy
    2. Standard
    3. Guideline
    4. Procedure
  170. What principle of relational databases ensures the permanency of transactions that have successfully completed?

    1. Atomicity
    2. Consistency
    3. Isolation
    4. Durability
  171. Bryan has a set of sensitive documents that he would like to protect from public disclosure. He would like to use a control that, if the documents appear in a public forum, may be used to trace the leak back to the person who was originally given the document copy. What security control would best fulfill this purpose?

    1. Digital signature
    2. Document staining
    3. Hashing
    4. Watermarking
  172. Carlos is planning a design for a data center that will be constructed within a new four-story corporate headquarters. The building consists of a basement and three above-ground floors. What is the best location for the data center?

    1. Basement
    2. First floor
    3. Second floor
    4. Third floor
  173. Chris is an information security professional for a major corporation and, as he is walking into the building, he notices that the door to a secure area has been left ajar. Physical security does not fall under his responsibility, but he takes immediate action by closing the door and informing the physical security team of his action. What principle is Chris demonstrating?

    1. Due care
    2. Due diligence
    3. Separation of duties
    4. Informed consent
  174. Which one of the following investigation types always uses the “beyond a reasonable doubt” standard of proof?

    1. Civil investigation
    2. Criminal investigation
    3. Operational investigation
    4. Regulatory investigation
  175. Which one of the following backup types does not alter the status of the archive bit on a file?

    1. Full backup
    2. Incremental backup
    3. Partial backup
    4. Differential backup
  176. What type of alternate processing facility contains the hardware necessary to restore operations but does not have a current copy of data?

    1. Hot site
    2. Warm site
    3. Cold site
    4. Mobile site
  177. Which one of the following terms describes a period of momentary high voltage?

    1. Sag
    2. Brownout
    3. Spike
    4. Surge
  178. A web application accesses information in a database to retrieve user information. What is the web application acting as?

    1. A subject
    2. An object
    3. A user
    4. A token
  179. The Open Shortest Path First (OSPF) protocol is a routing protocol that keeps a map of all connected remote networks and uses that map to select the shortest path to a remote destination. What type of routing protocol is OSPF?

    1. Link state
    2. Shortest path first
    3. Link mapping
    4. Distance vector
  180. Which one of the following categories consists of first-generation programming languages?

    1. Machine languages
    2. Assembly languages
    3. Compiled languages
    4. Natural language

    Questions 181–185 refer to the following scenario.

    Concho Controls is a mid-sized business focusing on building automation systems. They host a set of local file servers in their on-premises data center that store customer proposals, building plans, product information, and other data that is critical to their business operations.

    Tara works in the Concho Controls IT department and is responsible for designing and implementing the organization’s backup strategy, among other tasks. She currently conducts full backups every Sunday evening at 8 p.m. and differential backups on Monday through Friday at noon.

    Concho experiences a server failure at 3 p.m. on Wednesday. Tara rebuilds the server and wants to restore data from the backups.

  181. What backup should Tara apply to the server first?

    1. Sunday’s full backup
    2. Monday’s differential backup
    3. Tuesday’s differential backup
    4. Wednesday’s differential backup
  182. How many backups in total must Tara apply to the system to make the data it contains as current as possible?

    1. 1
    2. 2
    3. 3
    4. 4
  183. In this backup approach, some data may be irretrievably lost. How long is the period during which any changes made will have been lost?

    1. 3 hours
    2. 5 hours
    3. 8 hours
    4. No data will be lost.
  184. If Tara followed the same schedule but switched the differential backups to incremental backups, how many backups in total would she need to apply to the system to make the data it contains as current as possible?

    1. 1
    2. 2
    3. 3
    4. 4
  185. If Tara made the change from differential to incremental backups and we assume that the same amount of information changes each day, which one of the following files would be the largest?

    1. Monday’s incremental backup
    2. Tuesday’s incremental backup
    3. Wednesday’s incremental backup
    4. All three will be the same size.
  186. Susan is conducting a STRIDE threat assessment by placing threats into one or more of the following categories: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. As part of her assessment, she has discovered an issue that allows transactions to be modified between a web browser and the application server that it accesses. What STRIDE categorization(s) best fit this issue?

    1. Tampering and Information Disclosure
    2. Spoofing and Tampering
    3. Tampering and Repudiation
    4. Information Disclosure and Elevation of Privilege
  187. Bob has been tasked with writing a policy that describes how long data should be kept and when it should be purged. What concept does this policy deal with?

    1. Data remanence
    2. Record retention
    3. Data redaction
    4. Audit logging
  188. Which component of IPSec provides authentication, integrity, and nonrepudiation?

    1. L2TP
    2. Encapsulating Security Payload
    3. Encryption Security Header
    4. Authentication Header
  189. Renee notices that a system on her network recently received connection attempts on all 65,536 TCP ports from a single system during a short period of time. What type of attack did Renee most likely experience?

    1. Denial of service
    2. Reconnaissance
    3. Malicious insider
    4. Compromise
  190. Which one of the following techniques can an attacker use to exploit a TOC/TOU vulnerability?

    1. File locking
    2. Exception handling
    3. Algorithmic complexity
    4. Concurrency control
  191. In the ring protection model shown here, what ring does not run in privileged mode?

    Diagram shows four concentric rings numbered from inner to outer as 0, 1, 2 and 3.
    1. Ring 0
    2. Ring 1
    3. Ring 2
    4. Ring 3
  192. What level of RAID is also known as disk striping?

    1. RAID 0
    2. RAID 1
    3. RAID 5
    4. RAID 10
  193. Jacob executes an attack against a system using a valid but low privilege user account by accessing a file pointer that the account has access to. After the access check, but before the file is opened, he quickly switches the file pointer to point to a file that the user account does not have access to. What type of attack is this?

    1. TOC/TOU
    2. Permissions creep
    3. Impersonation
    4. Link swap
  194. What is the minimum number of disks required to implement RAID level 0?

    1. 1
    2. 2
    3. 3
    4. 5
  195. Fred’s company wants to ensure the integrity of email messages sent via their central email servers. If the confidentiality of the messages is not critical, what solution should Fred suggest?

    1. Digitally sign and encrypt all messages to ensure integrity.
    2. Digitally sign but don’t encrypt all messages.
    3. Use TLS to protect messages, ensuring their integrity.
    4. Use a hashing algorithm to provide a hash in each message to prove that it hasn’t changed.
  196. The leadership at Susan’s company has asked her to implement an access control system that can support rule declarations like “Only allow access to salespeople from managed devices on the wireless network between 8 a.m. and 6 p.m.” What type of access control system would be Susan’s best choice?

    1. ABAC
    2. RBAC
    3. DAC
    4. MAC
  197. What type of communications rely on a timing mechanism using either an independent clock or a time stamp embedded in the communications?

    1. Analog
    2. Digital
    3. Synchronous
    4. Asynchronous
  198. Chris is deploying a gigabit Ethernet network using Category 6 cable between two buildings. What is the maximum distance he can run the cable according to the Category 6 standard?

    1. 50 meters
    2. 100 meters
    3. 200 meters
    4. 300 meters
  199. Howard is a security analyst working with an experienced computer forensics investigator. The investigator asks him to retrieve a forensic drive controller, but Howard cannot locate a device in the storage room with this name. What is another name for a forensic drive controller?

    1. RAID controller
    2. Write blocker
    3. SCSI terminator
    4. Forensic device analyzer
  200. The web application that Saria’s development team is working on needs to provide secure session management that can prevent hijacking of sessions using the cookies that the application relies on. Which of the following techniques would be the best for her to recommend to prevent this?

    1. Set the Secure attribute for the cookies, thus forcing TLS.
    2. Set the Domain cookie attribute to example.com to limit cookie access to servers in the same domain.
    3. Set the Expires cookie attribute to less than a week.
    4. Set the HTTPOnly attribute to require only unencrypted sessions.
  201. Ben’s company has recently retired their fleet of multifunction printers. Their information security team has expressed concerns that the printers contain hard drives and that they may still have data from scans and print jobs. What is the technical term for this issue?

    1. Data pooling
    2. Failed clearing
    3. Data permanence
    4. Data remanence
  202. What access control scheme labels subjects and objects, and allows subjects to access objects when the labels match?

    1. DAC
    2. MAC
    3. Rule BAC
    4. Role BAC
  203. A cloud-based service that provides account provisioning, management, authentication, authorization, reporting, and monitoring capabilities is known as what type of service?

    1. PaaS
    2. IDaaS
    3. IaaS
    4. SaaS
  204. Sally wants to secure her organization’s VoIP systems. Which of the following attacks is one that she shouldn’t have to worry about?

    1. Eavesdropping
    2. Denial of service
    3. Blackboxing
    4. Caller ID spoofing
  205. Marty discovers that the access restrictions in his organization allow any user to log into the workstation assigned to any other user, even if they are from completely different departments. This type of access most directly violates which information security principle?

    1. Separation of duties
    2. Two-person control
    3. Need to know
    4. Least privilege
  206. Fred needs to transfer files between two servers on an untrusted network. Since he knows the network isn’t trusted, he needs to select an encrypted protocol that can ensure his data remains secure. What protocol should he choose?

    1. SSH
    2. TCP
    3. SFTP
    4. IPSec
  207. Chris uses a packet sniffer to capture traffic from a TACACS+ server. What protocol should he monitor, and what data should he expect to be readable?

    1. UDP; none—TACACS+ encrypts the full session
    2. TCP; none—TACACS+ encrypts the full session
    3. UDP; all but the username and password, which are encrypted
    4. TCP; all but the username and password, which are encrypted

    Use your knowledge of Kerberos authentication and authorization as well as the following diagram to answer questions 208–210.

    Top diagram shows client workstation sending signal to KDC. Central diagram shows KDC sending signal to client workstation. Bottom diagram shows client workstation sending signal to service servers and database servers.
  208. If the client has already authenticated to the KDC, what does the client workstation send to the KDC at point A when it wants to access a resource?

    1. It re-sends the password.
    2. A TGR
    3. Its TGT
    4. A service ticket
  209. What occurs between steps A and B?

    1. The KDC verifies the validity of the TGT and whether the user has the right privileges for the requested resource.
    2. The KDC updates its access control list based on the data in the TGT.
    3. The KDC checks its service listing and prepares an updated TGT based on the service request.
    4. The KDC generates a service ticket to issue to the client.
  210. What system or systems does the service that is being accessed use to validate the ticket?

    1. The KDC
    2. The client workstation and the KDC
    3. The client workstation supplies it in the form of a client-to-server ticket and an authenticator.
    4. The KVS
  211. What does a service ticket (ST) provide in Kerberos authentication?

    1. It serves as the authentication host.
    2. It provides proof that the subject is authorized to access an object.
    3. It provides proof that a subject has authenticated through a KDC and can request tickets to access other objects.
    4. It provides ticket granting services.
  212. A password that requires users to answer a series of questions like “What is your mother’s maiden name?” or “What is your favorite color?” is known as what type of password?

    1. A passphrase
    2. Multifactor passwords
    3. Cognitive passwords
    4. Password reset questions
  213. CDMA, GSM, and IDEN are all examples of what generation of cellular technology?

    1. 1G
    2. 2G
    3. 3G
    4. 4G
  214. Which one of the following fire suppression systems poses the greatest risk of accidental discharge that damages equipment in a data center?

    1. Closed head
    2. Dry pipe
    3. Deluge
    4. Preaction
  215. Lauren’s healthcare provider maintains such data as details about her health, treatments, and medical billing. What type of data is this?

    1. Protected Health Information
    2. Personally Identifiable Information
    3. Protected Health Insurance
    4. Individual Protected Data
  216. What type of code review is best suited to identifying business logic flaws?

    1. Mutational fuzzing
    2. Manual
    3. Generational fuzzing
    4. Interface testing
  217. Something you know is an example of what type of authentication factor?

    1. Type 1
    2. Type 2
    3. Type 3
    4. Type 4
  218. Saria is the system owner for a healthcare organization. What responsibilities does she have related to the data that resides on or is processed by the systems she owns?

    1. She has to classify the data.
    2. She has to make sure that appropriate security controls are in place to protect the data.
    3. She has to grant appropriate access to personnel.
    4. She bears sole responsibility for ensuring that data is protected at rest, in transit, and in use.
  219. During software testing, Jack diagrams how a hacker might approach the application he is reviewing and determines what requirements the hacker might have. He then tests how the system would respond to the attacker’s likely behavior. What type of testing is Jack conducting?

    1. Misuse case testing
    2. Use case testing
    3. Hacker use case testing
    4. Static code analysis
  220. When a vendor develops a product that they wish to submit for Common Criteria evaluation, what do they complete to describe the claims of security for their product?

    1. PP
    2. ITSEC
    3. TCSEC
    4. ST
  221. Chris has been assigned to scan a system on all of its possible TCP and UDP ports. How many ports of each type must he scan to complete his assignment?

    1. 65,536 TCP ports and 32,768 UDP ports
    2. 1024 common TCP ports and 32,768 ephemeral UDP ports
    3. 65,536 TCP and 65,536 UDP ports
    4. 16,384 TCP ports and 16,384 UDP ports
  222. CVE and the NVD both provide information about what?

    1. Vulnerabilities
    2. Markup languages
    3. Vulnerability assessment tools
    4. Penetration testing methodologies
  223. What is the highest level of the military classification scheme?

    1. Secret
    2. Confidential
    3. SBU
    4. Top Secret
  224. In what type of trusted recovery process does the system recover against one or more failure types without administrator intervention while protecting itself against data loss?

    1. Automated recovery
    2. Manual recovery
    3. Function recovery
    4. Automated recovery without undue data loss
  225. What three important items should be considered if you are attempting to control the strength of signal for a wireless network as well as where it is accessible?

    1. Antenna placement, antenna type, and antenna power levels
    2. Antenna design, power levels, use of a captive portal
    3. Antenna placement, antenna design, use of a captive portal
    4. Power levels, antenna placement, FCC minimum strength requirements
  226. What is the best way to ensure that data is unrecoverable from an SSD?

    1. Use the built-in erase commands
    2. Use a random pattern wipe of 1s and 0s
    3. Physically destroy the drive
    4. Degauss the drive
  227. Alice sends a message to Bob and wants to ensure that Mal, a third party, does not read the contents of the message while in transit. What goal of cryptography is Alice attempting to achieve?

    1. Confidentiality
    2. Integrity
    3. Authentication
    4. Nonrepudiation
  228. Which one of the following metrics specifies the amount of time that business continuity planners believe it will take to restore a service when it goes down?

    1. MTD
    2. RTO
    3. RPO
    4. MTO
  229. Gary would like to examine the text of a criminal law on computer fraud to determine whether it applies to a recent act of hacking against his company. Where should he go to read the text of the law?

    1. Code of Federal Regulations
    2. Supreme Court rulings
    3. Compendium of Laws
    4. United States Code
  230. James has opted to implement an NAC solution that uses a post-admission philosophy for its control of network connectivity. What type of issues can’t a strictly post-admission policy handle?

    1. Out-of-band monitoring
    2. Preventing an unpatched laptop from being exploited immediately after connecting to the network
    3. Denying access when user behavior doesn’t match an authorization matrix
    4. Allowing user access when user behavior is allowed based on an authorization matrix
  231. Ben has built an access control list that lists the objects that his users are allowed to access. When users attempt to access an object that they don’t have rights to, they are denied access, even though there isn’t a specific rule that allows it. What access control principle is key to this behavior?

    1. Least privilege
    2. Implicit deny
    3. Explicit deny
    4. Final rule fall-through
  232. Mary is a security risk analyst for an insurance company. She is currently examining a scenario where a hacker might use a SQL injection attack to deface a web server due to a missing patch in the company’s web application. In this scenario, what is the risk?

    1. Unpatched web application
    2. Web defacement
    3. Hacker
    4. Operating system
  233. In the diagram shown here of security boundaries within a computer system, what component’s name has been replaced with XXX?

    Diagram shows user space on top half which includes three blocks of processes and XXX on bottom half which includes reference monitor inside the TCB block.

    1. Kernel
    2. Privileged core
    3. User monitor
    4. Security perimeter
  234. Val is attempting to review security logs but is overwhelmed by the sheer volume of records maintained in her organization’s central log repository. What technique can she use to select a representative set of records for further review?

    1. Statistical sampling
    2. Clipping
    3. Choose the first 5% of records from each day.
    4. Choose 5% of records from the middle of the day.
  235. In Jen’s job as the network administrator for an industrial production facility, she is tasked with ensuring that the network is not susceptible to electromagnetic interference due to the large motors and other devices running on the production floor. What type of network cabling should she choose if this concern is more important than cost and difficulty of installation?

    1. 10Base2
    2. 100BaseT
    3. 1000BaseT
    4. Fiber-optic

    Questions 236–239 refer to the following scenario.

    Jasper Diamonds is a jewelry manufacturer that markets and sells custom jewelry through their website. Bethany is the manager of Jasper’s software development organization, and she is working to bring the company into line with industry standard practices. She is developing a new change management process for the organization and wishes to follow commonly accepted approaches.

  236. Bethany would like to put in place controls that provide an organized framework for company employees to suggest new website features that her team will develop. What change management process facilitates this?

    1. Configuration control
    2. Change control
    3. Release control
    4. Request control
  237. Bethany would also like to create a process that helps multiple developers work on code at the same time. What change management process facilitates this?

    1. Configuration control
    2. Change control
    3. Release control
    4. Request control
  238. Bethany is working with her colleagues to conduct user acceptance testing. What change management process includes this task?

    1. Configuration control
    2. Change control
    3. Release control
    4. Request control
  239. Bethany noticed that some problems arise when system administrators update libraries without informing developers. What change management process can assist with this problem?

    1. Configuration control
    2. Change control
    3. Release control
    4. Request control
  240. Ben has written the password hashing system for the web application he is building. His password hashing function produces the following results for a series of passwords:

    hash (password1 + 07C98BFE4CF67B0BFE2643B5B22E2D7D) = 10B222970537B97919DB36EC757370D2
    hash (password2 + 07C98BFE4CF67B0BFE2643B5B22E2D7D) = F1F16683F3E0208131B46D37A79C8921

    What flaw has Ben introduced with his hashing implementation?

    1. Plaintext salting
    2. Salt reuse
    3. Use of a short salt
    4. Poor salt algorithm selection
  241. Which one of the following is an example of risk transference?

    1. Building a guard shack
    2. Purchasing insurance
    3. Erecting fences
    4. Relocating facilities
  242. What protocol takes the place of certificate revocation lists and adds real-time status verification?

    1. RTCP
    2. RTVP
    3. OCSP
    4. CSRTP
  243. Jim both performs lexical analysis on a program and produces control flow graphs. What type of software testing is he performing?

    1. Dynamic
    2. Fuzzing
    3. Manual
    4. Static
  244. What process makes TCP a connection-oriented protocol?

    1. It works via network connections.
    2. It uses a handshake.
    3. It monitors for dropped connections.
    4. It uses a complex header.
  245. What LDAP operation includes authentication to the LDAP server?

    1. Bind
    2. Auth
    3. StartLDAP
    4. AuthDN
  246. You are conducting a qualitative risk assessment for your organization. The two important risk elements that should weigh most heavily in your analysis of risk are probability and ________________.

    1. Likelihood
    2. History
    3. Impact
    4. Cost
  247. Using the OSI model, what format does the Data Link Layer use to format messages received from higher up the stack?

    1. A datastream
    2. A frame
    3. A segment
    4. A datagram
  248. What is the maximum penalty that may be imposed by an (ISC)² peer review board when considering a potential ethics violation?

    1. Revocation of certification
    2. Termination of employment
    3. Financial penalty
    4. Suspension of certification
  249. Which one of the following statements about the SDLC is correct?

    1. The SDLC requires the use of an iterative approach to software development.
    2. The SDLC requires the use of a sequential approach to software development.
    3. The SDLC does not include training for end users and support staff.
    4. The waterfall methodology is compatible with the SDLC.
  250. In the scenario shown here, Harry is prevented from reading a file at a higher classification level than his security clearance. What security model prevents this behavior?

    Diagram shows a wrong symbol on the read request arrow from Harry to the data file.

    1. Bell-LaPadula
    2. Biba
    3. Clark-Wilson
    4. Brewer-Nash