CISSP certification: Full 125 question practice test #1 – test 1 – Results

Attempt 6
Question 1: Correct

We need to get rid of some old hard drives, and we need to ensure proper data disposal and no data remanence. Which of these options has NO known tools that can restore the data, once that specific disposal process has been used?
  • Overwriting.
    (Correct)
  • Deleting files.
  • Formatting the hard drive.
  • Installing a new OS over the old one.

Explanation

We can still recover files from deleted, formatted, or reinstalled drives. Overwriting writes 0s or random characters over the data. As far as we know, there is no tool available that can recover even single-pass overwritten data (overwriting is not possible on damaged media).
Question 2: Correct

In a new implementation we have chosen to use RAID 0 on a server. What does that tell us about the disk configuration?
  • Mirror set: 2 identical hard disks.
  • Striping without parity.
    (Correct)
  • Striping with parity.
  • Mirroring with parity.

Explanation

RAID 0: Striping without mirroring or parity; no fault tolerance; only provides faster read/write speed; requires at least 2 disks.
Question 3: Correct

Which type of access control model would we use if confidentiality was the MOST important factor to us?
  • MAC.
    (Correct)
  • RUBAC.
  • RBAC.
  • DAC.

Explanation

MAC (Mandatory Access Control): Often used when confidentiality is most important. Access to an object is determined by labels and clearance; this is often used in the military or in organizations where confidentiality is very important.
Question 4: Incorrect

Which type of access control could we use to limit access outside of regular work hours?
  • Content-based access control.
  • Context-based access control.
    (Correct)
  • Discretionary access control.
  • Role-based access control.
    (Incorrect)

Explanation

Context-based access control: Access to an object is controlled based on certain contextual parameters, such as location, time, sequence of responses, access history.
Question 5: Correct

We are using RAID 5 on one of our servers. That requires at least how many disks?
  • 2
  • 1
  • 3
    (Correct)
  • 4

Explanation

RAID 5: Block level striping with distributed parity, requires at least 3 disks. Combined speed with redundancy.
Question 6: Correct

We use many different names for different types of networks. When our engineers are talking about the extranet, what are they referring to?
  • The global collection of peered WAN networks, often between ISPs or long haul providers.
  • The local area network we have in our home.
  • Connected private intranets often between business partners or parent/child companies.
    (Correct)
  • An organization’s privately owned and operated internal network.

Explanation

An Extranet is a connection between private Intranets, often connecting business partners’ Intranets.
Question 7: Correct

The NSA wanted to embed the clipper chip on all motherboards. Which encryption algorithm did the chip use?
  • DSA.
  • 3DES.
  • Skipjack.
    (Correct)
  • RSA.

Explanation

The Clipper chip was a chipset that was developed and promoted by the United States National Security Agency (NSA) as an encryption device that secured “voice and data messages” with a built-in backdoor. It used SkipJack, a block cipher.
Question 8: Incorrect

With newer CPUs (Central Processing Units) we can use pipelining, where each processor cycle does multiple tasks. Which of these are functions the CPU performs? (Select all that apply).
  • Fetch.
    (Correct)
  • Combine.
  • Store.
    (Correct)
  • Execute.
    (Correct)
  • Decode.
    (Correct)
  • Retrieve.

Explanation

CPU (Central Processing Unit): uses Fetch, Decode, Execute, and Store. Fetch – Gets the instructions from memory into the processor. Decode – Internally decodes what it is instructed to do. Execute – Performs the operation (e.g. add or subtract) on the values from the registers. Store – Stores the result back into another register (retiring the instruction). Pipelining – Combining multiple steps into one process; the CPU can Fetch, Decode, Execute, and Store in the same clock cycle.
Question 9: Correct

There are many types of financially motivated attacks. Which of these attacks is normally NOT one of them?
  • Phishing attacks.
  • Ransomware attacks.
  • Stealing trade secrets.
  • DDOS attacks.
    (Correct)

Explanation

DDOS normally does not benefit an attacker financially; the motivation is often revenge, disagreement with a decision, or just to prove the attacker can.
Question 10: Incorrect

There are many different types of attacks on intellectual property. Which of these is a COMMON type of attack on trademarks?
  • Software piracy.
  • Counterfeiting.
    (Correct)
  • Someone using your protected design in their products.
    (Incorrect)
  • There are none. This is security through obscurity. If discovered, anyone is allowed to use it.

Explanation

The most common attack against trademarks is counterfeiting: fake Rolexes, Prada, Nike, Apple products; either using the real name or a very similar name.
Question 11: Skipped

We use different risk analysis approaches and tools in our risk assessments. In which type of risk analysis would you see these terms: Exposure Factor (EF), Asset Value (AV), and Annual Rate of Occurrence (ARO)?
  • Quadratic.
  • Residual.
  • Qualitative.
  • Quantitative
    (Correct)

Explanation

Quantitative Risk Analysis is where we put a number on the risk: how much does it cost per time? How often does it happen? Asset Value (AV) – How much is the asset worth? Exposure factor (EF) – Percentage of Asset Value lost? Annual Rate of Occurrence (ARO) – How often will this happen each year?
Question 12: Correct

When is it appropriate to install and use backdoors and maintenance hooks?
  • When the code is still in development.
    (Correct)
  • When it makes it easier for the administrators to use the software.
  • Never.
  • When it is easier for the users to use the software.

Explanation

Backdoors: Often installed by attackers during an attack to allow them access to the systems after the initial attack is over, to continue exfiltrating data over time, or to come back and compromise other systems. Bypassing normal authentication or encryption in a computer system, a product, or an embedded device, etc. Backdoors are often used for securing remote access to a computer, or obtaining access to plaintext in cryptographic systems.
Question 13: Correct

We are doing security audits and we test against published standards. Which of these is NOT one of the standards we would test against?
  • SOC-2 type 1.
  • SOC 2 type 2.
  • RBAC.
    (Correct)
  • PCI-DSS.

Explanation

RBAC is role based access control, not a security audit standard. SOC 2 and PCI-DSS are standards we audit against.
Question 14: Incorrect

Jane is implementing Quality of Service (QoS) on our network. Which of these is one of the KEY benefits of QoS?
  • All traffic gets equal preference on the network.
  • Priority traffic (often VoIP) gets higher priority.
    (Correct)
  • Larger data gets priority. This could be file uploads or downloads.
  • We have less traffic congestion, because we spread the traffic over multiple paths.
    (Incorrect)

Explanation

QoS (Quality of Service) gives specific traffic priority over other traffic; this is most commonly VoIP (Voice over IP), or other UDP traffic needing close to real time communication. Other non real time traffic is down prioritized; the 0.25 second delay won’t be noticed.
Question 15: Correct

The CIA triad is one of the foundational pieces of IT security. We want to find the right mix of confidentiality, integrity, and availability, and we want to ensure none of the legs are compromised. Which of these is NOT one of the CIA triad opposites?
  • Aggregation.
    (Correct)
  • Destruction.
  • Alteration.
  • Disclosure.

Explanation

The CIA (Confidentiality, Integrity, Availability) Triad: Confidentiality – We keep our data and secrets secret. Integrity – We ensure the data has not been altered. Availability – We ensure authorized people can access the data they need, when they need to.
Question 16: Incorrect

We have tested our software and we have found over 10,000 flaws. What should our next steps be?
  • Leave them alone, 10,000 is too many to fix.
  • Rate them on likelihood of exploit and impact and address the critical issues.
    (Correct)
  • Fix them all.
  • Rate them on likelihood of exploit and impact and address all the issues.
    (Incorrect)

Explanation

Now that we have completed our tests, just like with our log reviews, we need to use and analyze the data we got from the testing. It can be huge amounts of data, and we need to prioritize what we act on first, what is acceptable and what is not. Think of qualitative risk analysis: if it is low likelihood and low impact we may leave it alone and focus on higher priority items.
Question 17: Correct

We are building a new data center, and we will use the new site for real-time backups of our most critical systems. In the conduits between the demarc and the new server room, there are a lot of power cables. Which type of networking cables would be the BEST to use between the demarc and the server room?
  • Copper Ethernet.
  • Coax copper.
  • Fiber Ethernet.
    (Correct)
  • Wireless.

Explanation

Fiber Optic Cables are not susceptible to EMI, so the cables can be run next to power cables with no adverse effects.
Question 18: Skipped

Which kind of Type 3 authentication error is the WORST?
  • False rejection.
  • True acceptance.
  • True acceptance.
  • False acceptance.
    (Correct)

Explanation

FAR (False accept rate) Type 2 error: Unauthorized user is granted access. This is a very serious error.
Question 19: Skipped

We are building a new data center and the walls must be slab-to-slab. What does that mean?
  • The wall is made of slabs.
  • The wall is from the real floor to the real ceiling.
    (Correct)
  • The wall is from the real floor to the subceiling.
  • The wall is from the top of the subfloor to the subceiling.

Explanation

Walls should be “slab to slab” (from the REAL floor to the REAL ceiling); if subflooring or subceilings are used, then they should be contained within the slab to slab walls.
Question 20: Incorrect

Which of these is NOT related to security misconfigurations (OWASP A5)?
  • Using deprecated objects or code.
    (Correct)
  • Misconfigured databases.
  • Not applying patches.
  • Keeping default logins and passwords.
    (Incorrect)

Explanation

While using deprecated objects or code is a security issue, it falls under OWASP A9, Using Components with Known Vulnerabilities. A5 Security Misconfiguration covers databases configured incorrectly; not removing out-of-the-box default access and settings; keeping default usernames and passwords; OS, web server, DBMS, applications, etc. not patched and up to date; and unnecessary features enabled or installed, which could be open ports, services, pages, accounts, privileges, etc.
Question 21: Correct

What is another term we could use for penetration testing?
  • Gray hat hacking.
  • Fracking.
  • Black hat hacking.
  • Ethical hacking.
    (Correct)

Explanation

Penetration Testing (Pen Testing), also called ethical hacking or white hat hacking: tests whether the vulnerabilities are exploitable.
Question 22: Incorrect

Looking at the governance of our organization, we can use policies, standards, procedures, or other frameworks. Which of these characteristics would BEST describe our policies?
  • Recommendations.
  • Specific, all laptops are W10, 64 bit, 8GB memory, etc.
    (Incorrect)
  • Low level step-by-step guides.
  • Non-specific, but can contain patches, updates, strong encryption.
    (Correct)

Explanation

Policies – Mandatory: High level, non-specific. They can contain “patches, updates, strong encryption”; they will not be specific to “OS, encryption type, vendor technology”.
Question 23: Incorrect

When an attacker is using a brute force attack to break a password, what are they doing?
  • Trying to recover the key without breaking the encryption.
  • Looking at common letter frequency to guess the plaintext.
  • Looking at the hash values and comparing it to thousands or millions of pre-calculated hashes.
    (Incorrect)
  • Trying every possible key to, over time, break any encryption.
    (Correct)

Explanation

Brute Force: Using the entire keyspace (every possible key); with enough time, any plaintext can be decrypted. Effective against all key-based ciphers except the one-time pad; it would eventually decrypt it, but it would also generate so many false positives that the data would be useless.
Question 24: Correct

We can use smart cards, tokens, passports, and IDs for which type of authentication?
  • Type 5.
  • Type 3.
  • Type 1.
  • Type 2.
    (Correct)

Explanation

Something you have – Type 2 Authentication: ID, passport, smart card, token, cookie on PC; these are called Possession factors.
Question 25: Correct

Which of these COMMON frameworks focuses on Information Technology Service Management (ITSM)?
  • COBIT.
  • COSO.
  • PCI-DSS.
  • ITIL.
    (Correct)

Explanation

ITIL – Information Technology Infrastructure Library. IT Service Management (ITSM).
Question 26: Correct

We have implemented contactless ID cards in our organization. Which type of technology do they use?
  • RFID.
    (Correct)
  • Magnetic stripe.
  • RAID.
  • RIPE.

Explanation

Contactless Cards – can be read by proximity. Key fobs or credit cards where you just hold it close to a reader. They use an RFID (Radio Frequency Identification) tag (transponder) which is then read by an RFID transceiver.
Question 27: Correct

At the quarterly leadership conference, you are talking about threats to our environments, and one of the participants asks you to define what a threat is. Which of these could be your answer?
  • The total risk after we have implemented our countermeasures.
  • A weakness that can possibly be exploited.
  • How bad is it if we are compromised?
  • A potential harmful incident.
    (Correct)

Explanation

Threat – A potentially harmful incident (Tsunami, Earthquake, Virus, etc.)
Question 28: Correct

What would be a reason to do misuse case testing on our software?
  • To expose the system to normal user traffic and use.
  • To ensure all exposed interfaces are tested.
  • Because attackers do not act like normal users, we need to test against that.
    (Correct)
  • To see how well the software installs on certain hardware systems.

Explanation

Misuse Case Testing: Executing a malicious act against a system. Attackers won’t do what normal users would, so we need to test misuse to ensure our application or software is safe.
Question 29: Correct

We have hired an IT security firm to do penetration testing on our organization. Which of these could be something they would use?
  • Crowbars.
  • Threats.
  • Kali Linux.
    (Correct)
  • Rootkits.

Explanation

Kali Linux is a version of Linux designed for hackers; it is a toolkit with many different attack vectors.
Question 30: Incorrect

As part of our software testing, we are performing regression testing. What does that mean?
  • That the software installs correctly on the customer’s hardware.
  • Processes and security alerts when encountering errors.
    (Incorrect)
  • Interfaces between components in the software.
  • Lost or missing features after major code changes.
    (Correct)

Explanation

Regression testing: Finding defects after a major code change has occurred. Looks for software regressions, as degraded or lost features, including old bugs that have come back.
Question 31: Skipped

Which of these is NOT a phase of our Disaster Recovery Planning (DRP) lifecycle?
  • Preparation.
  • Succession planning.
    (Correct)
  • Recovery.
  • Mitigation.

Explanation

DRP has a lifecycle of Mitigation, Preparation, Response, and Recovery. Mitigation: Reduce the impact and likelihood of a disaster. Preparation: Build programs, procedures, and tools for our response. Response: How we react in a disaster, following the procedures. Recovery: Reestablish basic functionality and get back to full production.
Question 32: Incorrect

In our best practice password policy, which of these would be allowed?
  • Family members’ names.
  • Minimum length passwords.
    (Correct)
  • Whole dictionary words.
    (Incorrect)
  • Birthdays.

Explanation

Passwords should never contain: The name of a pet, child, family member, or significant other, anniversary dates, birthdays, birthplace, favorite holiday, something related to a favorite sports team, or the word “password.” Winter2017 is not a good password, even if it does fulfill the password requirements. Official recommendations by the U.S. Department of Defense and Microsoft: password history = set to remember 24 passwords; maximum password age = 90 days; minimum password age = 2 days (to prevent users from cycling through 24 passwords to return to their favorite password again). Minimum password length = 8 characters. Passwords must meet complexity requirements = true. Store password using reversible encryption = false.
Question 33: Skipped

All of these are examples of distributed denial of service (DDOS) attacks, except one. Which of these is NOT a DDOS attack?
  • IPP flood.
    (Correct)
  • SYN flood.
  • MAC flood.
  • UDP flood.

Explanation

There are many different types of DDOS (distributed denial of service) attacks; there is no such thing as an IPP flood. UDP, SYN, and MAC floods are all DDOS attacks.
Question 34: Skipped

What is the ISO 27002 standard focused on?
  • Protecting PHI.
  • Risk management.
  • HIPAA.
  • ISMS.
    (Correct)

Explanation

ISO 27002: (From BS 7799, 1/2, ISO 17799) Provides practical advice on how to implement security controls. It focuses on Information Security Management Systems (ISMS).
Question 35: Correct

We are choosing a site to build a new data center and offices in. Which of these would NOT be a valid security concern?
  • Whether the area is prone to flooding.
  • How pretty the area is.
    (Correct)
  • How good the utilities are.
  • Crime in the area.

Explanation

Site Selection: Greenfield: Not built on yet; undeveloped land. Topography: the physical shape of the landscape – hills, valleys, trees, streams. Most often used in military sites where they can leverage (sometimes by altering) the topology for higher security. Utilities: How reliable is the power, the internet in the area? Crime: How high are the crime rates in the area? How close are the police?
Question 36: Correct

We are using DAC (Discretionary access control) in our organization. What is DAC based on?
  • IF/THEN statements.
  • The job role of the user.
  • The discretion of the object owner.
    (Correct)
  • Labels and clearance.

Explanation

DAC (Discretionary Access Control): Often used when availability is most important. Access to an object is assigned at the discretion of the object owner. The owner can add and remove rights; this is commonly used by most OSs. Uses DACLs (Discretionary ACLs), based on user identity.
Question 37: Skipped

In which order would these recovery site options be ranked from the highest to the lowest cost?
  • Redundant > Hot > Warm > Cold.
    (Correct)
  • Cold > Warm > Hot > Redundant.
  • Redundant > Warm > Hot > Cold.
  • Redundant > Hot > Cold > Warm.

Explanation

Redundant site: Complete identical site to our production, receives a real time copy of our data. Hot site: Similar to the redundant site, but only houses critical applications and systems, often on lower spec’d systems. Warm site: Similar to the hot site, but not with real or near-real time data, often restored with backups. Cold site: No hardware or backups are at the cold site, they require systems to be acquired, configured and applications loaded and configured.
Question 38: Skipped

In the software capability maturity model, at which level are some processes “possibly repeatable with consistent results”?
  • Level 2.
    (Correct)
  • Level 1.
  • Level 4.
  • Level 3.

Explanation

Level 2: Repeatable. At this level of maturity some processes are repeatable, possibly with consistent results. Process discipline is unlikely to be rigorous, but where it exists it may help to ensure that existing processes are maintained during times of stress.
Question 39: Incorrect

When we design our defense in depth we use multiple overlapping controls. Which of these is a type of preventative access control?
  • Encryption.
    (Correct)
  • Patches.
  • Backups.
  • Intrusion detection systems.
    (Incorrect)

Explanation

Preventative access control: Prevents action from happening – Least Privilege, Drug Tests, IPS, Firewalls, Encryption.
Question 40: Incorrect

When we talk about data, we look at the 3 states it can be in. In which of those states, are we unable to protect the data by using encryption?
  • Data in use.
    (Correct)
  • Data in motion.
  • Data at rest.
    (Incorrect)
  • Data on backup tapes.

Explanation

Data in Use: (We are actively using the files/data, it can’t be encrypted). Use good practices: Clean Desk policy, Print Policy, Allow no ‘Shoulder Surfing’, maybe the use of view angle privacy screen for monitors, locking computer screen when leaving workstation.
Question 41: Correct

When an attacker is using DDOS attacks, which leg of the CIA Triad is that meant to disrupt?
  • Availability.
    (Correct)
  • Accountability.
  • Integrity.
  • Confidentiality.

Explanation

When we get hit by a DDOS (Distributed Denial Of Service), it disrupts our availability, but not integrity or confidentiality.
Question 42: Skipped

We have just added biometrics to our access control systems, and we are seeing a lot of Type 2 authentication errors. Looking at the image, which data point would be the Type 2 errors?

  • A
    (Correct)
  • B
  • C

Explanation

FAR (False accept rate) Type 2 error: Unauthorized user is granted access. This is a very serious error.
Question 43: Correct

All but one of these are networking topologies we could use in our design. Which is NOT a network topology?
  • Matrix.
    (Correct)
  • Mesh.
  • Star.
  • Ring.

Explanation

Matrix is not a network topology. Ring, Mesh and Star are network topologies.
Question 44: Correct

We are using social engineering. Which of these are effective types of social engineering?
  • All of these.
    (Correct)
  • Urgency.
  • Intimidation.
  • Authority.

Explanation

Social engineering is often more successful if it uses one or more of these approaches: authority, intimidation, consensus, scarcity, urgency, or familiarity.
Question 45: Correct

Jane has been tasked with finding multifactor authentication solutions for our organization. Which of these is TRUE multifactor authentication?
  • Fingerprint and retina scan.
  • Password and PIN.
  • Fingerprint and password.
    (Correct)
  • Username and password.

Explanation

Multifactor requires more than one type of authentication: username/password are both knowledge factors, so are password/PIN, and fingerprint/retina scans are both biometrics.
Question 46: Skipped

Which of these types of data destruction would we use to ensure there is no data remanence on our PROM, flash memory, and SSD drives?
  • Overwriting.
  • Degaussing.
  • Formatting.
  • Shredding.
    (Correct)

Explanation

We can’t overwrite, format or degauss PROM. The only way to ensure destruction is shredding.
Question 47: Correct

We are wanting to use the most commonly used database management system (DBMS) in our organization. What should we implement?
  • MongoDB.
  • Oracle.
  • IBM DB2.
  • SQL.
    (Correct)

Explanation

DBMS (database management system): The most common is SQL or a SQL derivative. A computer software application that interacts with the user, other applications, and the database itself to capture and analyze data. A general-purpose DBMS is designed to allow the definition, creation, querying, update, and administration of databases. MySQL, PostgreSQL, MongoDB, MariaDB, Microsoft SQL Server, Oracle, Sybase, SAP HANA, SQLite and IBM DB2.
Question 48: Correct

You have been tasked with looking at PURELY physical security controls for a new implementation. Which of these would you consider using?
  • Biometric authentication.
  • Access lists.
  • Dogs.
    (Correct)
  • Regulations.

Explanation

Dogs are a physical security control. Access lists and biometrics are technical and regulations are administrative.
Question 49: Correct

Which project management methodology uses a linear approach where each phase leads into the next and you can’t go back to a previous phase?
  • Sashimi.
  • Waterfall.
    (Correct)
  • Spiral.
  • Agile.

Explanation

Waterfall: Very linear, each phase leads directly into the next. The unmodified waterfall model does not allow us to go back to the previous phase.
Question 50: Skipped

What is the relationship between our Business Continuity Plan (BCP) and our Disaster Recovery Plan (DRP)?
  • The BCP is a sub-plan of the DRP.
  • None of these.
  • The DRP is a sub-plan of the BCP.
    (Correct)
  • They are separate and completely independent plans.

Explanation

BCP’s often contain DRP (Disaster Recovery Plan), COOP (Continuity of Operations Plan), Crisis Communications Plan, Critical Infrastructure Protection Plan, Cyber Incident Response Plan, ISCP (Information System Contingency Plan), Occupant Emergency Plan.
Question 51: Skipped

In which type of access control do subjects have clearance and objects have labels?
  • MAC.
    (Correct)
  • RUBAC.
  • RBAC.
  • DAC.

Explanation

MAC (Mandatory Access Control): Often used when confidentiality is most important. Access to an object is determined by labels and clearance. This is often used in the military or in organizations where confidentiality is very important.
Question 52: Skipped

We are adding hashing to our passwords. Which of these is a hashing function we could consider?
  • DES.
  • Salting.
  • RSA.
  • RIPEMD.
    (Correct)

Explanation

Hash Functions: RIPEMD: Developed outside of defense to ensure no government backdoors. 128, 256, 320 bit hashes. Not widely used. No longer secure.
Question 53: Skipped

When we are doing quantitative risk analysis, what does the Asset Value (AV) tell us?
  • How much something is worth.
    (Correct)
  • How often that asset type is compromised per year.
  • How much of the asset is lost per incident.
  • What it will cost us per year if we do nothing.

Explanation

Asset Value (AV) – How much is the asset worth?
Question 54: Skipped

Which generation of programming languages often uses a graphical user interface and drag-and-drop for generating the actual code?
  • 3rd generation.
  • 2nd generation.
  • 4th generation.
    (Correct)
  • 1st generation.

Explanation

4th Generation languages (4GL): Often use a GUI and drag-and-drop, and then generate the code; often used for websites, databases, and reports.
Question 55: Skipped

Which of these countermeasures would be effective against rainbow tables?
  • Key stretching.
  • Keeping hashes in plaintext.
  • Limiting login attempts.
  • Salting.
    (Correct)

Explanation

Salt (Salting): Random data that is used as an additional input to a one-way function that “hashes” a password or passphrase. The primary function of salts is to defend against dictionary attacks or a pre-compiled rainbow table attack. Rainbow Tables: Pre-made list of plaintext and matching ciphertext, often passwords and matching hashes. A table can contain millions of pairs.
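As an added illustration of the explanation above (example code, not part of the original quiz), the following Python builds a small precomputed hash-to-plaintext table from a constructed wordlist and shows that an unsalted SHA-256 digest of a password is found in it while the salted digest of the same password is not; the wordlist and salt values are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the plaintext column of a rainbow table.
WORDLIST = ["password", "Winter2017", "letmein", "qwerty", "dragon"]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_precomputed_table(words):
    """Digest -> plaintext map: the idea behind a precomputed (rainbow) table.
    A real table uses hash chains to save space; a dict shows the principle."""
    return {sha256_hex(w.encode()): w for w in words}


def unsalted_hash(password: str) -> str:
    """The weak scheme: identical passwords always give identical digests."""
    return sha256_hex(password.encode())


def salted_hash(password: str, salt: bytes) -> str:
    """Salted scheme: the per-user salt is stored next to the digest. It is
    not secret; its job is to make every user's digest unique, so a table
    precomputed without that salt no longer matches."""
    return sha256_hex(salt + password.encode())


def lookup(table, digest):
    """Recover a plaintext from the table, or None if the digest is not listed."""
    return table.get(digest)


def verify_salted(password: str, salt: bytes, stored: str) -> bool:
    """Constant-time comparison of a freshly computed salted digest."""
    return hmac.compare_digest(salted_hash(password, salt), stored)


def demo():
    table = build_precomputed_table(WORDLIST)
    password = "Winter2017"          # present in the wordlist
    salt = os.urandom(16)            # fresh random salt per user
    unsalted = unsalted_hash(password)
    salted = salted_hash(password, salt)
    return {
        "unsalted_recovered": lookup(table, unsalted),   # table hit
        "salted_recovered": lookup(table, salted),       # no hit
        "verify_ok": verify_salted(password, salt, salted),
        "verify_wrong": verify_salted("password", salt, salted),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that salting alone does not slow down a guess-by-guess attack on one user; that is the separate job of key stretching (e.g. PBKDF2 or bcrypt), which in practice is combined with a salt.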
Question 56: Skipped

In a new data center implementation, we are wanting to use IPv6 addresses. Which of these statements are TRUE about IPv6 addresses? (Select all that apply).
  • They are 128 bit binary.
    (Correct)
  • They use the fe80: prefix for link local addresses.
    (Correct)
  • They use broadcast addresses.
  • They are 32-bit binary.
  • They can use EUI/MAC48 addresses, by adding fffe in the middle of the MAC address.
    (Correct)

Explanation

IPv6 is 128-bit binary, often expressed in hexadecimal numbers (using 0-9 and a-f); for Link Local addresses we add the fe80: prefix to an address, and for EUI/MAC48 addresses we add “fffe” to make it an EUI/MAC64 address.
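An added worked example (not from the original quiz) of the EUI-64 construction described above, in Python: it splits a constructed MAC-48 address, inserts fffe in the middle, and prefixes fe80::/64 to form the link-local address. It also flips the universal/local bit of the first octet, which RFC 4291 requires for a modified EUI-64 and which the explanation above does not mention; the reverse function recovers the MAC from such an address, which is useful when matching link-local addresses in logs to hardware.

```python
import ipaddress
import re

LINK_LOCAL = ipaddress.IPv6Network("fe80::/64")


def parse_mac(mac: str) -> bytes:
    """Accept 00:1a:2b:3c:4d:5e, 00-1a-2b-3c-4d-5e or 001a.2b3c.4d5e forms."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(hexdigits)


def mac_to_modified_eui64(mac: str) -> bytes:
    """MAC-48 -> modified EUI-64 interface identifier (RFC 4291, Appendix A):
    split the MAC in half, insert ff:fe, and flip the universal/local bit."""
    m = parse_mac(mac)
    first = m[0] ^ 0x02           # U/L bit is bit 1 of the first octet
    return bytes([first]) + m[1:3] + b"\xff\xfe" + m[3:6]


def mac_to_link_local(mac: str) -> str:
    """fe80::/64 prefix (64 bits) + interface identifier (64 bits) = 128 bits."""
    iid = mac_to_modified_eui64(mac)
    packed = LINK_LOCAL.network_address.packed[:8] + iid
    return str(ipaddress.IPv6Address(packed))


def eui64_to_mac(addr: str):
    """Reverse direction: if the interface identifier carries the ff:fe marker,
    recover the MAC. Returns None for addresses that are not EUI-64 derived
    (manually assigned or privacy addresses), so callers can tell the cases apart."""
    packed = ipaddress.IPv6Address(addr).packed
    iid = packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    m = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in m)


def address_bits(addr: str) -> int:
    """Size of the address in bits (128 for any IPv6 address)."""
    return len(ipaddress.IPv6Address(addr).packed) * 8


if __name__ == "__main__":
    mac = "00:1a:2b:3c:4d:5e"      # constructed sample MAC
    ll = mac_to_link_local(mac)
    print(mac, "->", ll, f"({address_bits(ll)} bits)")
    print(ll, "->", eui64_to_mac(ll))
```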
Question 57: Incorrect

If we are looking for information on a specific system’s hardware, in which of our plans could we find that?
  • DRP.
    (Correct)
  • NPR.
  • BGP.
    (Incorrect)
  • BCP.

Explanation

DRP (Disaster Recovery Plan): Often the “how” and system specific, while the BCP is more “what” and non-system specific. This is the process of creating the short-term plans, policies, procedures, and tools to enable the recovery or continuation of vital IT systems in a disaster. It focuses on the IT systems supporting critical business functions, and how we get those back up after a disaster. DRP is a subset of our BCP. We look at what we would do if we get hit with a DDOS attack, if a server gets compromised, if we experience a power outage, etc.
Question 58: Correct

Which of these should NOT be part of our proper hardware disposal procedures?
  • Deleting all files on the hard drive.
    (Correct)
  • Degaussing.
  • Overwriting all bits on the disks with 0s.
  • Disk crushing.

Explanation

Deleting a file just removes it from the table. Everything is still recoverable. Crushing, degaussing and overwriting should all be non-recoverable.
Question 59: Correct

What could be a type of physical access control that we would use, to prevent cars and vans from entering our perimeter?
  • Motion sensors.
  • Bollards.
    (Correct)
  • Lights.
  • Cameras.

Explanation

Bollards (Preventative): Used to prevent cars or trucks from entering an area while allowing foot traffic to pass. Often, shops use planters or similar; it looks prettier, but achieves the same goal. Most are static heavy duty objects, but some cylindrical versions can also be electronically raised or lowered to allow authorized traffic past a “no traffic” point. Some are permanent fixtures and can be removed with a key or other unlock function.
Question 60: Skipped

6 months ago, we had an attacker trying to gain access to one of our servers. The attack was not successful, and the authorities were able to find the attacker using our forensics. In court, the attacker claims we used entrapment. Which of these options describes entrapment?
  • Something we can do without consulting our legal department.
  • A solid legal defense strategy for the attacker; entrapment is illegal and unethical.
    (Correct)
  • Not a solid legal defense strategy for the attacker.
  • Legal and unethical.

Explanation

Entrapment (illegal and unethical): When someone is persuaded to commit a crime they had no intention to commit and is then charged with it. Openly advertising sensitive data and then charging people when they access them. Entrapment is a solid legal defense.
Question 61: Correct

PINs, passwords, and passphrases are all which type of authentication?
  • Type 1.
    (Correct)
  • Type 5.
  • Type 3.
  • Type 2.

Explanation

Something you know – Type 1 Authentication: passwords, pass phrase, PIN, etc., also called knowledge factors. The subject uses these to authenticate their identity: they know the secret, therefore they must be who they say they are.
Question 62: Correct

As part of our annual security audit we hired a pen testing company. What could be some of the tools they would use?
  • Cutting power cables.
  • Access control lists.
  • Force against employees.
  • Social engineering.
    (Correct)

Explanation

Social engineering is often the easiest way for pen testers to get the initial foothold on our network.
Question 63: Incorrect

Jane has written a book on IT security. With books, copyright is automatically granted, and Jane owns all the rights to her materials. How long is copyrighted material protected after the creator’s death?
  • 70 years.
    (Correct)
  • 10 years.
  • 20 years.
    (Incorrect)
  • 95 years.

Explanation

Copyright © applies to books, art, music, software and much more. It is automatically granted and lasts 70 years after the creator’s death, or 95 years after creation for works created by or for corporations.
Question 64: Skipped

Which of these would be the PRIMARY reason we would choose to use hash functions?
  • Integrity.
    (Correct)
  • Authorization.
  • Availability.
  • Confidentiality.

Explanation

Hash Functions (One-Way Hash Functions) are used for Integrity: A variable-length plaintext is hashed into a fixed-length hash value or MD (Message Digest). It is used to prove that the data has not changed. Even changing a single comma in a 1000 page document will produce an entirely new hash.
Question 65: Skipped

Our networking department is recommending we use a simplex solution for an implementation. What is one of the KEY FEATURES of simplex solutions?
  • One way communication: One system transmits, the other receives. Direction can’t be reversed.
    (Correct)
  • One way communication: one system transmits, the other receives. Direction can be reversed.
  • Only one system on the network can send one signal at a time.
  • Both systems can send and receive at the same time.

Explanation

Simplex is a one-way communication (one system transmits, the other listens).
Question 66: Correct

Which type of authentication is the WORST to have compromised, because we are unable to reissue it?
  • Type 3.
    (Correct)
  • Type 1.
  • Type 4.
  • Type 2.

Explanation

Something you are – Type 3 Authentication (Biometrics): Lost passwords and ID cards can be replaced with new different ones. Biometrics can’t. You can’t change your fingerprints; once compromised they are always compromised.
Question 67: Skipped

Which are the COMMON US military clearance levels?
  • Secret, confidential, unclassified, top secret.
    (Correct)
  • Top secret, secret, sensitive, public.
  • Top secret, secret, internal, unclassified.
  • Secret, top secret, confidential, public.

Explanation

The US military uses: Top-secret, secret, confidential and unclassified.
Question 68: Skipped

Our organization has been court ordered to comply with the “Data Protection Directive” in the EU. What is one of the things we need to do in order to do that?
  • Gather as much personal information as they can to better sell products to the individuals.
  • Refuse to let individuals opt out of data sharing with 3rd party companies.
  • Notify individuals about how their data is gathered and used.
    (Correct)
  • Transmit information out of the EU to countries with lower standards for storage.

Explanation

EU Data Protection Directive: Very aggressive pro-privacy law. Organizations must notify individuals of how their data is gathered and used. Organizations must allow for opt-out for sharing with 3rd parties. Opt-in is required for sharing most sensitive data. No transmission out of EU unless the receiving country is perceived to have adequate (equal) privacy protections; the US does NOT meet this standard. EU-US Safe Harbor: optional between organization and EU.
Question 69: Incorrect

As part of our data disposal process, we overwrite all of the disks multiple times with random 0s and 1s. Sometimes that is NOT an option. When would that be?
  • When it involves SSD drives.
  • When the disk is damaged.
    (Correct)
  • When it involves spinning disk hard drives.
  • When the disk is still in the system.
    (Incorrect)

Explanation

Overwriting is done by writing 0s or random characters over the data. As far as we know, there is no tool available that can recover even single pass overwriting (not possible on damaged media).
Question 70: Skipped

We are adding random data to our password hashes, to prevent attackers from successfully using rainbow table and dictionary attacks. What are we adding to the hash function?
  • Clipping levels.
  • Salting.
    (Correct)
  • Key stretching.
  • Nonce.

Explanation

Salting is random data that is used as an additional input to a one-way function that hashes a password or passphrase.
Question 71: Skipped

We are implementing some new standards and frameworks in our organization. We chose to use scoping on one of the standards we are implementing. What does scoping mean?
  • To pick and choose which parts of the standard or framework we want to implement.
    (Correct)
  • To find out how much the implementation will cost us.
  • To see if the standard is a good fit for our organization.
  • To implement the full standard or framework, but implement higher standards in some areas.

Explanation

Scoping is determining which portion of a standard we will deploy in our organization. We take the portions of the standard that we want or that apply to our industry, and determine what is in scope and what is out of scope for us.
Question 72: Skipped

As part of our fault tolerance strategy we are using remote journaling. What does that do?
  • Using a remote backup service, sends backups off-site at a certain time interval.
  • Sends an exact database or file copy to another location.
  • Sends transaction log files to a remote location, not the files themselves.
    (Correct)
  • Sends copies of the database to backup tapes.

Explanation

Remote journaling: Sends transaction log files to a remote location, not the files themselves. The transactions can be rebuilt from the logs if we lose the original files.
Question 73: Correct

Health care systems in the US must be HIPAA compliant. What is HIPAA an abbreviation of?
  • Health Insurance Portability and Accountability Act.
    (Correct)
  • Health Information Portability and Accountability Act.
  • Health Information Portability and Authorization Act.
  • Health Insurrection Portability and Accountability Act.

Explanation

HIPAA is the Health Insurance Portability and Accountability Act.
Question 74: Skipped

Which of these backup types would NOT clear the archive bit on Windows systems?
  • Incremental backup.
  • Differential backup.
    (Correct)
  • Full backup.
  • Weekly backup.

Explanation

Full and incremental backups clear the archive bit; differential backups do not. We have no way of knowing what type of backup the weekly backup is, so it is not the right answer.
Question 75: Skipped

In which of these protocols is IPSEC built in and NOT added on later?
  • PGP.
  • IPv4.
  • HMAC.
  • IPv6.
    (Correct)

Explanation

IPSEC (Internet Protocol Security): Set of protocols that provide a cryptographic layer to IP traffic; for IPv4, it is bolted on. For IPv6, it is designed into the protocol.
Question 76: Skipped

If we want to implement a type of encryption that uses discrete logarithms, which of these could we choose?
  • ECC.
    (Correct)
  • AES.
  • Twofish.
  • DES.

Explanation

Elliptic Curve Cryptography (ECC) is a one-way function that uses discrete logarithms applied to elliptic curves. It is much stronger per bit than normal discrete logarithms.
Question 77: Skipped

We need to ensure we are compliant with all the laws and regulations of all the states, territories, and countries we operate in. How are the security breach notification laws in the US handled?
  • Handled by the individual states.
    (Correct)
  • Handled by the individual organizations.
  • Mandatory for states to have.
  • Federal.

Explanation

Security Breach Notification Laws. NOT Federal. 48 states have individual laws. Know the one for your state (none in Alabama and South Dakota). They normally require organizations to inform anyone who had their PII compromised. Many states have an encryption clause where lost encrypted data may not require disclosure.
Question 78: Correct

In our data centers we have redundancy on many things. Looking at our servers, which of these elements are commonly NOT redundant?
  • Motherboards.
    (Correct)
  • Network cards.
  • Power supplies.
  • Hard disks.

Explanation

Motherboards are rarely redundant, instead we use redundant servers. NICs, PSUs and disks are almost always redundant in servers.
Question 79: Correct

When we are talking about data remanence, what does that refer to?
  • Files saved locally and not on a remote storage device.
  • Data we are actively using and therefore can’t encrypt.
  • Data left over after normal removal and deletion.
    (Correct)
  • All the data on our systems.

Explanation

Data Remanence: Data left over after normal removal and deletion of data.
Question 80: Skipped

Attackers are using distributed denial of service (DDOS) attacks on our organization using UDP flood. How does that type of DDOS attack work?
  • Sends many user datagram protocol packets.
    (Correct)
  • Sends many IP addresses to a router.
  • Sends many ethernet frames, each with different media access control addresses.
  • Opens many TCP sessions but never replies to the ACK from the host.

Explanation

UDP (User datagram protocol) floods are used frequently for larger bandwidth DDoS attacks because they are connectionless and it is easy to generate UDP messages from many different scripting and compiled languages.
Question 81: Correct

Which type of networking circuits would we use to ensure the traffic ALWAYS uses the same path?
  • Weighted routing tables.
  • Circuit switching.
    (Correct)
  • Packet switching.
  • Full traffic switching.

Explanation

Circuit switching – Expensive, but always available; used less often. A dedicated communications channel through the network. The circuit guarantees the full bandwidth. The circuit functions as if the nodes were physically connected by a cable.
Question 82: Skipped

Using the OSI model, which of these are COMMON layer 5-7 threats?
  • SYN floods.
  • Ping of death.
  • Worms.
    (Correct)
  • Eavesdropping.

Explanation

A computer worm is a standalone malware computer program that replicates itself to spread to other computers; they normally operate on OSI layer 5-7.
Question 83: Skipped

As part of our authentication process, we have issued our staff TOTP tokens. How do they work?
  • Generates a new password often.
    (Correct)
  • Sends us a new password when we request it, but never when we don’t.
  • Does not need the clocks of the token and the server to be synchronized.
  • Generate a password that is valid until it is used.

Explanation

Something you have – Type 2 Authentication: TOTP (Time-based One-Time Password): Time based with shared secret, often generated every 30 or 60 seconds, synchronized clocks are critical.
Question 84: Skipped

In our software testing, if we are doing a white box test, how much information would we have?
  • A version of the software, but only the cripple ware version.
  • User logs, access entries and project plan.
  • Just the software, no source code.
  • The software, source code, data structures and variables.
    (Correct)

Explanation

White box software testing: The tester has full access to program source code, data structures, variables, etc.
Question 85: Skipped

We are using a hot site secondary data center as part of DR plan. What would we have at the hot site?
  • Internet, power, racks, servers, applications installed and real-time or near real-time copies of the data.
    (Correct)
  • Internet, power, racks, servers and applications, but no backups.
  • Internet, power, racks, but no servers or applications installed.
  • Internet, power, racks, servers, but no applications installed.

Explanation

Hot site: Similar to the redundant site, but only houses critical applications and systems, often on lower spec’d systems. Still often a smaller but full data center, with redundant UPSs, HVACs, ISPs and generators. We may have to manually fail traffic over, but a full switch can take an hour or less. Near or real-time copies of data.
Question 86: Skipped

We have decided to change the type of hashing we use to a newer version that is collision resistant. What happens when a hash collision occurs?
  • The same plain text produces two different hashes using the same hash function.
  • You can figure out the plain text from the hash.
  • A variable-length text produces a fixed-length hash.
  • When two different plaintexts produce the same hash.
    (Correct)

Explanation

Collisions: When two different inputs produce the same hash. It is possible, but very unlikely.
Question 87: Skipped

Which of these protocols is the one Voice over IP (VoIP) PRIMARILY uses?
  • TCP
  • BGP
  • UDP
    (Correct)
  • VIP

Explanation

VoIP uses UDP. It is connectionless; it is better to lose a packet or two than have it retransmitted half a second later.
Question 88: Correct

When we use single-use passwords and one-time pads, we are using which type of authentication?
  • Something you know.
  • Somewhere you are.
  • Something you have.
    (Correct)
  • Something you are.

Explanation

Single-use passwords and one-time pads: while they are passwords, they are something you have in your possession, not something you know.
Question 89: Skipped

What can RAID protect us against, if we are using RAID with fault tolerance?
  • Hardware failures.
  • Data loss if a single disk fails.
    (Correct)
  • Multiple disk failures happening at the same time.
  • Attackers gaining access to our data.

Explanation

RAID can protect our data if we have a single disk failure; by default it does not protect against more than one. It can be configured to survive multi-disk failure, but this is rarely done and is expensive.
Question 90: Skipped

What is the PRIMARY reason we would implement clipping levels?
  • To prevent administrative overhead.
    (Correct)
  • To allow users to unlock their own account when they mistype their password too many times.
  • To prevent password guessing.
  • To allow users a few tries when they fat finger their password.

Explanation

Clipping levels: Clipping levels are in place to prevent administrative overhead. It allows authorized users who forget or mistype their password to still have a couple of extra tries. It prevents password guessing by locking the user account for a certain time frame (an hour), or until unlocked by an administrator.
Question 91: Correct

When attackers are war dialing, what are they trying to do?
  • Calling our dispatch trying to get information through social engineering.
  • Use a modem to call different numbers, looking for an answer with a modem carrier tone.
    (Correct)
  • Driving around trying to gain access to unsecured or weak security wireless access points.
  • Disrupt our wireless access points by transmitting noise on the wireless channels we use.

Explanation

War dialing: Uses a modem to dial a series of phone numbers, looking for an answering modem carrier tone; the penetration tester then attempts to access the answering system. Not really done anymore, but know it for the exam.
Question 92: Skipped

The US HIPAA laws have 3 core rules. Which of these is NOT one of them?
  • Breach notification rule.
  • Security rule.
  • Privacy rule.
  • Encryption rule.
    (Correct)

Explanation

HIPAA (Health Insurance Portability and Accountability Act) has 3 rules – Privacy rule, Security rule and Breach Notification rule. The rules mandate administrative, physical and technical safeguards. Risk Analysis is required.
Question 93: Correct

When a penetration tester is doing a black box test, how much knowledge do they have about their target?
  • Partial knowledge, user or vendor access level.
  • All of these.
  • Full knowledge and privileges access to systems.
  • No knowledge other than what is publicly available.
    (Correct)

Explanation

Black box pen testing (Zero Knowledge): The attacker has no knowledge about the organization other than publicly available information. They start from the point an external attacker would.
Question 94: Correct

When we buy software from a vendor, what should we ALWAYS do?
  • Look at reviews, and if they are good we can go ahead and buy it.
  • Assume it is secure enough for our organization since others use it already.
  • Perform a full security assessment to determine if they meet our security posture.
    (Correct)
  • Trust the vendor’s security claims.

Explanation

Buying software from other companies: When we buy software from vendors, either COTS (Commercial Off The Shelf) or custom built software, we need to ensure it is as secure as we need it to be. Vendors’ claims about their security posture should, until proven, be seen as marketing claims. We need to do our due care and due diligence, as well as use outside counsel if needed.
Question 95: Incorrect

Object-oriented programming tends to lean towards which programming process?
  • Cripple ware.
  • Sashimi.
  • Bottom-up.
    (Correct)
  • Top-down.
    (Incorrect)

Explanation

Bottom-up Programming: Piecing together systems to build more complex systems, making the original systems sub-systems of the overarching system. OOP tends toward bottom-up: you start by developing your objects and build up.
Question 96: Skipped

When we list the MOR for a system in our business impact analysis (BIA), what should it contain?
  • The required time to fully configure a system.
  • Minimum specs for the system to function.
    (Correct)
  • How long is the maximum organizational redundancy.
  • The maximum tolerable downtime.

Explanation

MOR (Minimum Operating Requirements): The minimum environmental and connectivity requirements for our critical systems to function; it can also at times include minimum system requirements for DR sites. We may not need a fully spec’d system to resume the business functionality.
Question 97: Skipped

In a business impact analysis (BIA) assessment, which of these statements would be acceptable?
  • RTO > MTD
  • MTD ≥ RTO + WRT
    (Correct)
  • MTD < WRT + RTO
  • WRT + MTD < RTO

Explanation

MTD ≥ RTO + WRT: The time to rebuild the system and configure it for reinsertion into production must be less than or equal to our MTD.
Question 98: Skipped

In our fuzz testing, we analyze data and change the fuzz input iteratively. What is this called?
  • Migration fuzzing.
  • Mitigation fuzzing.
  • Mutilation fuzzing.
  • Mutation fuzzing.
    (Correct)

Explanation

Fuzzing (Fuzz testing): Testing that provides a lot of different inputs, to try to cause unauthorized access or to make the application enter an unpredictable state or crash. If the program crashes or hangs, the fuzz test failed. The fuzz tester can enter values into the script or use pre-compiled random or specific values. Mutation fuzzing: The tester analyzes real inputs and modifies them iteratively.
Question 99: Skipped

We have just signed a contract with a vendor for a Software as a Service (SaaS) implementation. Where does our responsibility start, and the vendor’s responsibility stop?

  • A: After the application.
    (Correct)
  • B: Between security and application.
  • C: Between virtualization and OS.
  • D: Between storage and servers.

Explanation

In Software as a service (SaaS), the vendor provides everything including the applications and programs. We would provide the data for the applications.
Question 100: Skipped

For us to ensure CONTINUAL clean power in our data center, we would use which of these?
  • Load balancing.
  • PDUs.
  • UPSs.
    (Correct)
  • PSUs.

Explanation

A UPS (Uninterruptible Power Supply) contains a large battery bank that takes over in a power outage; it also provides surge protection.
Question 101: Skipped

When an attacker can guess a URL they don’t know about, from another similar logical URL, what is that called?
  • Underprotected APIs.
  • Unvalidated redirects.
  • Insecure direct object reference.
    (Correct)
  • CSRF.

Explanation

2013 A4 Insecure direct object reference: Users can access resources they shouldn’t by guessing the URL or path, often when it is logical. If you have access to a report named financials_may2017.pdf on your organization’s network, you can try guessing other file names you should not have access to, such as financials_August.pdf or financials_2017.pdf. Mitigated by proper access control, using non-sequential names, or monitoring file usage.
Question 102: Skipped

Without using anything to trick our systems, an unauthorized individual is allowed access using our biometric authentication. This is an example of what?
  • CRR.
  • CER.
  • FAR.
    (Correct)
  • FRR.

Explanation

FAR (False accept rate) Type 2 error: Unauthorized user is granted access. This is a very serious error.
Question 103: Skipped

We have acquired a competing organization and our team is working on the risk analysis for the applications they use internally. We would use which of these as PART of our Qualitative Risk Analysis?
  • Fact based analysis.
  • A risk analysis matrix.
    (Correct)
  • Risk = threat x vulnerability.
  • ALE, SLE and ARO.

Explanation

Qualitative Risk Analysis: This is vague, guessing, based on a feeling, and relatively quick to do. We add all our assets to a matrix and assign them values on “how likely is it to happen and how bad is it if it happens?” It is often done to know where to focus the Quantitative Risk Analysis.
Question 104: Correct

Acting ethically is very important, especially for IT security professionals. If we look at the IAB’s “Ethics and the Internet,” which of these behaviors does it NOT consider unethical?
  • Having fake social media profiles and accounts.
    (Correct)
  • Seeks to gain unauthorized access to resources of the internet.
  • Disrupts the intended use of the internet.
  • Compromises the privacy of users.

Explanation

IAB’s Ethics and the Internet, defined in Request for Comments (RFC) 1087, published in 1987. It considers the following to be unethical behavior: seeking to gain unauthorized access to the resources of the Internet; disrupting the intended use of the Internet; wasting resources (people, capacity, computers) through such actions; destroying the integrity of computer-based information; compromising the privacy of users.
Question 105: Skipped

Different types of memory are made for specific tasks and functions in our hardware. Which of these are types of nonvolatile memory? (Select all that apply).
  • PLD (Programmable logic devices)
    (Correct)
  • SRAM (Static RAM)
  • DRAM (Dynamic RAM)
  • ROM (Read Only Memory)
    (Correct)
  • EEPROM (Electrically erasable programmable read only memory)
    (Correct)

Explanation

ROM (Read Only Memory) is nonvolatile (retains memory after power loss). EEPROM (Electrically erasable programmable read only memory): These are electrically erasable; you can rewrite them with a flashing program, but they are still called read only. The ability to write to the BIOS makes it vulnerable to attackers. PLDs (Programmable logic devices) are programmable after they leave the factory (EPROM, EEPROM and flash memory), but not PROM.
Question 106: Skipped

We are using the OSI model to categorize attacks and threats. Which of these are COMMON layer 2 threats?
  • Eavesdropping.
  • ARP spoofing.
    (Correct)
  • Ping of death.
  • SYN floods.

Explanation

ARP spoofing is an attack where an attacker sends fake ARP (Address Resolution Protocol) messages over a local area network. This results in associating the attacker’s MAC address with the IP address of an authorized computer or server on our network.
Question 107: Correct

A pentester is calling one of our employees. The pentester explains the company will be hit with a lawsuit if they don’t do what they are told. Which type of social engineering is the pentester using?
  • Scarcity.
  • Familiarity.
  • Intimidation.
    (Correct)
  • Authority.

Explanation

Social engineering uses people skills to bypass security controls. Intimidation (if you don’t comply, something bad happens): a virus on the network, a compromised credit card, a lawsuit against your company. Intimidation is most effective with impersonation and vishing attacks.
Question 108: Skipped

Which type of RAID configuration ALWAYS provides redundancy?
  • Disk formatting.
  • Disk mirroring.
    (Correct)
  • Disk segmenting.
  • Disk striping.

Explanation

Disk mirroring: Writing the same data across multiple hard disks. This is slower, because the RAID controller has to write all data twice; it needs at least 2 disks. Disk striping can provide redundancy too IF it uses parity, but by default it does not.
Question 109: Incorrect

We are implementing new networking infrastructure in our organization. The new infrastructure is using Carrier-sense multiple access with collision detection (CSMA/CD). What are we implementing?
  • Internet.
  • Extranet.
  • Ethernet.
    (Correct)
  • Wireless.
    (Incorrect)

Explanation

CSMA/CD (Carrier Sense Multiple Access Collision Detection): Used for systems that can send and receive at the same time, like Ethernet. If two clients listen at the same time and see the line is clear, they can both transmit at the same time, causing collisions; CD is added to help with this scenario. Clients listen to see if the line is idle, and if idle, they send; if in use, they wait a random amount of time (milliseconds). While transmitting, they monitor the network. If more input is received than sent, another workstation is also transmitting, and they send a jam signal to tell the other nodes to stop sending, and wait for a random amount of time before starting to retransmit.
Question 110: Correct

We use the CIA triad as a logical model for IT Security and the protection profile our organization wants. What does the A stand for in the CIA triad?
  • Authorization.
  • Availability.
    (Correct)
  • Authentication.
  • Accountability.

Explanation

The CIA (Confidentiality, Integrity, Availability) Triad: Availability – We ensure authorized people can access the data they need, when they need to.
Question 111: Correct

Which of these describes Type 1 authentication?
  • Something you have.
  • Something you know.
    (Correct)
  • Somewhere you are.
  • Something you are.

Explanation

Something you know – Type 1 Authentication: passwords, pass phrase, PIN, etc., also called knowledge factors. The subject uses these to authenticate their identity: they know the secret, therefore they must be who they say they are.
Question 112: Skipped

When using the formal approval process, what is required to access data?
  • Higher clearance than the object requires and data owner approval.
  • Appropriate clearance and data owner approval.
    (Correct)
  • Permission from the data owner.
  • Appropriate clearance.

Explanation

Formal Access Approval: Document from the data owner approving access to the data for the subject. Subject must understand all requirements for accessing the data and the liability involved if compromised, lost or destroyed. Appropriate Security Clearance is required as well as the Formal Access Approval.
Question 113: Correct

We have, for many years, used dogs as part of our physical security. However, we are considering implementing other physical security measures and ceasing using dogs. Which of these could be the reason we would consider NOT using dogs anymore?
  • They can cause liability issues.
    (Correct)
  • They are not very good at deterring.
  • They are always friendly.
  • It is expensive.

Explanation

Dogs (Deterrent, Detective, Compensating): Most often used in controlled, enclosed areas. Liability can be an issue. Dogs are trained to corner suspects and attack someone who’s fleeing. People often panic when they encounter a dog and run. Even if they’re in a secure area, the organization may still be liable for injuries.
Question 114: Correct

When, in telecommunications, we talk about the Demarc, what are we referring to?
  • The ISP terminates their line and your network begins.
    (Correct)
  • The servers are placed to ensure faster speeds.
  • You ensure all of the other tenants have full access to your network equipment.
  • You place all your routers and switches.

Explanation

Demarc – Point of Demarcation (POD): Where the ISP (Internet Service Provider) terminates their phone/internet lines and your network begins; most buildings only have one.
Question 115: Incorrect

Our Disaster Recovery Plan (DRP) is a subplan of our Business Continuity Plan (BCP), and the DRP lifecycle has 4 distinct phases. What are those 4 phases? (Select all that apply).
  • Preparation.
    (Correct)
  • Mitigation.
    (Correct)
  • Action.
  • Failback.
    (Incorrect)
  • Response.
    (Correct)
  • Recovery.
    (Correct)

Explanation

DRP has a lifecycle of Mitigation, Preparation, Response and Recovery. Mitigation: Reduce the impact, and likeliness of a disaster. Preparation: Build programs, procedures and tools for our response. Response: How we react in a disaster, following the procedures. Recovery: Reestablish basic functionality and get back to full production.
Question 116: Skipped

We want to mitigate injection attacks (OWASP A1) on our web servers. What can we implement to help with that?
  • Input validation.
    (Correct)
  • Non-predictable session IDs.
  • SSL.
  • CAPTCHA.

Explanation

A1 Injection: Can be any code injected into user forms; SQL/LDAP injection is often seen. Attackers can do this because our software does not use strong enough input validation, data type limitations on input fields, or input length limitations. The fix is to do just that: we only allow users to input appropriate data into the fields, only letters in names, numbers in phone numbers, dropdowns for country and state (if applicable), and we limit how many characters people can use per cell,
Question 117: Skipped

Which of these types of memory keeps the data they store, as long as they have power and the data is NOT overwritten?
  • SRAM.
    (Correct)
  • SDRAM.
  • ROM.
  • DRAM.

Explanation

SRAM (Static RAM): Fast and expensive. Uses latches to store bits (Flip-Flops). Does not need refreshing to keep data, keeps data until power is lost. This can be embedded on the CPU.
Question 118: Incorrect

We are using server clustering on critical applications. What is the MAIN purpose of server clustering?
  • Fault tolerance.
    (Correct)
  • Traffic distribution.
  • Load balancing.
    (Incorrect)
  • Making configuration easier.

Explanation

Clustering is designed for fault tolerance; it is often combined with load balancing, but load balancing is not innate to it. Clustering can be active/active, which is load balancing: with 2 servers, both servers actively process traffic. Active/passive: There is a designated primary active server and a secondary passive server; they are connected and the passive server sends a keep-alive or heartbeat every 1-3 seconds, “are you alive, are you alive…”
Question 119: Correct

Which type of disaster would we classify an earthquake as?
  • Human.
  • Preventative.
  • Natural.
    (Correct)
  • Environmental.

Explanation

Natural: Anything caused by nature, this could be earthquakes, floods, snow, tornados, etc. They can be very devastating, but are less common than the other types of threats.
Question 120: Skipped

As part of a security audit, we have found some security flaws. The IT Security team has been asked to suggest mitigation strategies using the OSI model. Which of these would address layer 7 issues?
  • Shut down open unused ports.
  • Access Lists.
  • Installing UPSes in the data center.
  • Start using application firewalls.
    (Correct)

Explanation

Application layer firewalls are on the 7th OSI layer. The key benefit of application layer firewalls is that they can understand certain applications and protocols. They see the entire packet; the packet isn’t decrypted until layer 6, so any other firewall can only inspect the packet headers, but not the payload. They can detect if an unwanted application or service is attempting to bypass the firewall using a protocol on an allowed port, or detect if a protocol is being used in any malicious way.
Question 121: Skipped

On which layer of the OSI model would we consider physical security?
  • 2
  • 4
  • 1
    (Correct)
  • 3

Explanation

Layer 1 (Physical Layer): wires, fiber, radio waves, hubs, part of the NIC, connectors (and wireless media).
Question 122: Correct

In our physical access control, we use gates and fences to ensure what happens?
  • Ensure entry and exit from our facility only happens through the gates.
    (Correct)
  • Allow easy entry and exit from our facility.
  • Allow employees to safely exit in an emergency.
  • Prevent employees from safely exiting in an emergency.

Explanation

Fences (Deterrence, Preventative): Smaller fences, such as 3 ft. (1 m), can be a deterrent, while taller ones, such as 8 ft. (2.4 m), can be a prevention mechanism. The purpose of fences is to ensure that entrances to and exits from the facility happen only through a few controlled entry points (doors, gates, turnstiles). Gates (Deterrence, Preventative): Placed at control points on the perimeter and used together with the fences to ensure that access only happens through those few entry points.
Question 123: Correct

Which of these is NOT a type of open-source software licensing?
  • GNU.
  • Oracle.
    (Correct)
  • Apache.
  • BSD.

Explanation

Open source software can be protected by a variety of licensing agreements. GNU (General Public License), BSD (Berkeley Software Distribution) and Apache are all examples of this.
Question 124: Incorrect

What is the difference between freeware and shareware?
  • They are the same thing, there is no difference.
  • Freeware is free with no time restrictions, shareware is free for a limited amount of time.
    (Correct)
  • Freeware is free forever, shareware you buy it, but you are allowed to share it.
    (Incorrect)
  • Freeware is free for a limited amount of time, shareware is free with no time restrictions.

Explanation

Freeware: Actually free software; it is free of charge to use. Shareware: Fully functional proprietary software that is initially free to use, often as a trial so you can test the software; after 30 days you have to pay to continue using it.
Question 125: Correct

Which of these would be part of our Disaster Recovery Plan (DRP)?
  • Specific names of who does what in an incident.
  • What to do if our staff is hit by a pandemic like the flu.
  • Which teams and roles do what in an incident.
    (Correct)
  • What to do if our staff goes on strike.

Explanation

Our DRP (Disaster Recovery Plan) should answer at least three basic questions: What is the objective and purpose of the plan? Who are the people or teams responsible in case a disruption happens? What will these people do (our procedures) when the disaster hits?