CompTIA Security+ (SYO-701) Practice Test 3

https://www.udemy.com/course/comptia-security-sy0-701-practice-tests/learn/quiz/6048206#content

CompTIA Security+ (SYO-701) – Results


Question 1

Employees at Robert’s Bank are working from home as part of a BCP requirement. They want to test how well normal operations may continue in the event their office building premises are lost. What type of test are the employees at Robert’s Bank performing?

Walkthrough

Explanation

Walkthrough tests involve a step-by-step review of procedures and processes without actually executing them. While walkthroughs are valuable for understanding the steps involved in a process, they are not suitable for testing the actual response to a crisis like the loss of office premises.

Full interruption

Explanation

Full interruption tests involve completely halting operations to test the organization’s ability to recover and resume normal activities. While this type of test is valuable for assessing the organization’s recovery capabilities, it is not the appropriate choice for testing continuity during a scenario like working from home due to the loss of office premises.

Correct answer

Simulation

Explanation

Simulation tests involve simulating real-world scenarios to test the organization’s response and resilience in a controlled environment. In this case, the employees at Robert’s Bank are simulating the loss of their office building premises to assess the continuity of normal operations, making it the correct choice.

Tabletop

Explanation

Tabletop exercises are discussion-based sessions where key personnel gather to discuss their roles and responses to a hypothetical scenario. While tabletop exercises are beneficial for testing decision-making and communication, they do not involve the practical application of processes in a simulated environment like a simulation test.

Overall explanation

3.4 Explain the importance of resilience and recovery in security architecture.

A business continuity planning simulation is a type of drill in which a team practices its response to a made-up incident. In this case, Robert’s team is testing a scenario involving the loss of the office building. A simulation test is usually kept as close as possible to a real-life situation, which is observed here as Robert’s team has left the office building and is working from home.

Domain

3.0 Security Architecture

Question 2

Robert has several files in different folders that he would like to share with his colleague Roberto. Robert wants to grant Roberto access to the files in the directories that he owns. What type of access control mechanism should Robert use?

Correct answer

DAC

Explanation

DAC (Discretionary Access Control) allows the owner of a file or resource to determine who can access it and what level of access they have. In this scenario, Robert wants to grant access to specific files in directories that he owns, making DAC the appropriate choice as it gives him the discretion to control access.

ACL

Explanation

ACL (Access Control List) is a list of permissions attached to an object that specifies which users or system processes are granted access to that object and what operations they are allowed to perform. While ACLs can be used for fine-grained access control, they may not provide the level of discretion that Robert needs to grant access to specific files in his directories.

RBAC

Explanation

RBAC (Role-Based Access Control) is a method of restricting network access based on the roles of individual users within an organization. While RBAC is useful for managing access based on job roles, it may not be the most suitable choice for Robert to grant access to specific files in directories that he owns.

MAC

Explanation

MAC (Mandatory Access Control) is a security model where access control is determined by the system rather than the owner of the resource. It is typically used in high-security environments where access decisions are based on labels or clearances assigned by a central authority, not by individual users like Robert in this case.

Overall explanation

4.6 Given a scenario, implement and maintain identity and access management.

DAC stands for discretionary access control. In DAC, the owner of an object decides who may access it and can also transfer ownership to another user. In this case, since Robert is the owner of the files and folders, he may grant Roberto access to read, write, or modify the files and directories.

Domain

4.0 Security Operations

Question 3

The chief financial officer of a large business firm has recently noticed several suspicious emails from some unknown sources requesting sensitive documents. What social engineering technique is the attacker using?

Smishing

Explanation

Smishing involves sending fraudulent messages via SMS (text messages) to trick individuals into revealing personal or sensitive information. Since the scenario describes suspicious emails rather than text messages, smishing is not applicable in this case.

Correct answer

Whaling

Explanation

Whaling is a form of phishing attack that specifically targets high-profile individuals, such as executives or senior managers, like the CFO in this scenario. Attackers craft convincing emails that focus on high-stakes topics, such as sensitive financial information, to manipulate these individuals into sharing confidential data. In this case, the emails were aimed at a senior executive, making "whaling" the correct answer.

Vishing

Explanation

Vishing is a social engineering attack conducted over the phone, where attackers use voice communication to trick individuals into divulging sensitive information. The scenario involves email-based attacks, so vishing does not apply to this situation.

Phishing

Explanation

Phishing is a broader term for any attempt to trick individuals into providing sensitive information via deceptive emails or websites. While whaling is a subset of phishing, phishing itself typically targets a wide audience, rather than high-profile individuals. The scenario describes a highly targeted attack aimed at the CFO, so this option is not the best fit.

Overall explanation

2.2 Explain common threat vectors and attack surfaces.

Whaling is a form of phishing that targets high-profile individuals and executives. It is like fishing for a large whale in the sea.

Domain

2.0 Threats, Vulnerabilities, and Mitigations

Question 4

A major incident recently occurred at a business firm. Senior management has sent instructions to the teams across the firm to keep all the business paperwork and emails from the date of the incident, until further notice. What process has been initiated?

Correct answer

Legal hold

Explanation

Legal hold is the process of preserving relevant documents and data, including business paperwork and emails, in anticipation of or during legal proceedings or investigations. In this case, senior management’s instructions to retain all paperwork and emails following a major incident align with the initiation of a legal hold.

Acquisition

Explanation

Acquisition refers to the process of obtaining or collecting evidence or data for analysis or investigation purposes. It does not directly relate to the scenario described in the question, where the focus is on retaining business paperwork and emails in response to a specific incident.

Chain of custody

Explanation

Chain of custody refers to the chronological documentation or paper trail that records the sequence of custody, control, transfer, analysis, and disposition of physical or electronic evidence. It is not directly related to the process of keeping business paperwork and emails in response to a specific incident.

Preservation

Explanation

Preservation involves the protection and retention of evidence in its original form to ensure its integrity and prevent tampering or alteration. While the instruction to keep business paperwork and emails aligns with the concept of preservation, the specific scenario described in the question indicates a different process.

Overall explanation

4.8 Explain appropriate incident response activities.

A legal hold is a notification sent out to the custodians or owners of records and documentation, instructing them not to delete those records. The documentation may be in physical or electronic form and may be used in a lawsuit at a court of law.

Domain

4.0 Security Operations

Question 5

Which of the following protocols provides authentication of the data source in virtual private networks?

ISAKMP

Explanation

ISAKMP (Internet Security Association and Key Management Protocol) is used for establishing Security Associations (SAs) and negotiating key exchange for IPsec VPNs. While ISAKMP is important for securing VPN connections, it does not specifically provide authentication of the data source in virtual private networks.

SSL

Explanation

SSL (Secure Sockets Layer) is a protocol used for securing communication over the internet, typically in web browsers. While SSL can provide encryption and data integrity, it does not specifically focus on authenticating the data source in virtual private networks.

L2TP

Explanation

L2TP (Layer 2 Tunneling Protocol) is primarily used for creating VPN tunnels and does not specifically provide authentication of the data source in virtual private networks. It focuses on tunneling and not authentication.

Correct answer

AH

Explanation

AH (Authentication Header) is a protocol that provides authentication and integrity for IP packets. It ensures that the data source in virtual private networks is authenticated, making it the correct choice for this scenario.

Overall explanation

3.2 Given a scenario, apply security principles to secure enterprise infrastructure.

The Authentication Header (AH) protocol provides authentication of the source of the data and its payload to ensure that the source is not hijacked. It also performs integrity checks to verify that there has been no tampering with the data along the way. Protection from replay attacks is also provided by AH.

Domain

3.0 Security Architecture

Question 6

A group of college students were thrilled and excited after watching Elliot Alderson, a prodigious hacker from their favorite TV series called Mr. Robot. They decided to copy some of the hacks they saw on the episodes and try them on their friends back at college. They did not have much of an idea of what they were doing but the hacks seemed to work. What type of threat actors are these college students?

Nation-state

Explanation

Nation-state threat actors are typically sponsored by a government or state entity to conduct cyber attacks for political, economic, or military purposes. The college students in this scenario do not fit the profile of nation-state actors as they are not acting on behalf of a government.

Hacktivist

Explanation

Hacktivist threat actors are individuals or groups who carry out cyber attacks to promote a social or political agenda. The college students in this scenario are not motivated by any specific cause or ideology, making them different from hacktivist actors.

Organized crime

Explanation

Organized crime threat actors are individuals or groups who engage in cyber criminal activities for financial gain. The college students in this scenario do not appear to be motivated by monetary benefits, distinguishing them from organized crime actors.

Correct answer

Unskilled attacker

Explanation

Unskilled attackers are individuals who lack the technical expertise and knowledge to conduct sophisticated cyber attacks. The college students in this scenario fall under this category as they are copying hacks from a TV show without fully understanding the implications of their actions.

Overall explanation

2.1 Compare and contrast common threat actors and motivations.

An unskilled attacker is a low-skilled hacker who uses free or paid hacking tools available on the internet or dark web to carry out cyberattacks for fun or personal interest, without knowing much about the attacks being performed.

Domain

2.0 Threats, Vulnerabilities, and Mitigations

Question 7

What is the maximum session key size you can use in WPA3 Enterprise Mode?

160 bits

Explanation

A session key size of 160 bits is not the maximum key size that can be used in WPA3 Enterprise Mode. While 160-bit keys provide stronger security than 128-bit keys, WPA3 Enterprise Mode supports even larger key sizes for increased protection.

Correct answer

256 bits

Explanation

The correct choice is 256 bits because it represents the maximum session key size that can be used in WPA3 Enterprise Mode. A 256-bit key provides the highest level of security and encryption strength, making it the ideal choice for securing wireless networks in enterprise environments.

128 bits

Explanation

A session key size of 128 bits is not the maximum key size that can be used in WPA3 Enterprise Mode. While 128-bit keys are commonly used in encryption, WPA3 Enterprise Mode allows for larger key sizes for enhanced security.

192 bits

Explanation

A session key size of 192 bits is not the maximum key size that can be used in WPA3 Enterprise Mode. While 192-bit keys offer robust security, WPA3 Enterprise Mode allows for even larger key sizes to ensure the highest level of encryption.

Overall explanation

4.1 Given a scenario, apply common security techniques to computing resources.

As of 2023, the Enterprise mode of Wi-Fi Protected Access 3 (WPA3) supports session key sizes of 256 bits.

Domain

4.0 Security Operations

Question 8

Employees at a medium-sized organization have started practice drills to work from home as an initiative to prepare for pandemics like COVID-19. They want to remotely access their organization’s network while at home. What protocol shall ensure they can connect securely to their organization’s network?

Correct answer

IPSec

Explanation

IPSec (Internet Protocol Security) is a protocol suite that ensures secure communication over IP networks. It is commonly used for setting up Virtual Private Networks (VPNs) to securely connect remote users to an organization’s network. IPSec provides encryption, authentication, and integrity protection for data transmission.

FTPS

Explanation

FTPS (File Transfer Protocol Secure) is a protocol used for secure file transfers over a network. While it encrypts data during transmission, it is not specifically designed for secure remote network access like VPN protocols.

SSH

Explanation

SSH (Secure Shell) is a protocol used for secure remote access to systems and servers. While it provides secure communication and authentication, it is primarily used for accessing individual systems rather than connecting to an entire organization’s network securely.

HTTPS

Explanation

HTTPS is a protocol used for secure communication over the internet, typically for accessing websites securely. While it encrypts data during transmission, it is not specifically designed for secure remote network access like VPN protocols.

Overall explanation

3.2 Given a scenario, apply security principles to secure enterprise infrastructure.

IPSec stands for Internet Protocol Security. It provides secure communications links over the Internet. It uses two main protocols. Authentication Header (AH) provides authentication only. Encapsulating Security Payload (ESP) provides both confidentiality by encryption as well as authentication.

Domain

3.0 Security Architecture

Question 9

The logs of the SIEM corresponding to an alerted attack show the following username and password combinations attempted on a web application.

Username: administrator; Password: Password@1

Username: rkaramagi; Password: Password@1

Username: udemyadmin; Password: Password@1

Correct answer

Spraying

Explanation

Spraying is the correct choice because it involves using a single password against multiple usernames. In this scenario, the attacker is attempting the same password "Password@1" with different usernames, which aligns with the definition of spraying attacks.

Collision

Explanation

Collision attacks involve creating two inputs that produce the same hash value, which is not applicable in this scenario where the attacker is attempting different username and password combinations.

Rainbow table

Explanation

Rainbow table attacks involve precomputed tables of hash values for passwords, which are not relevant to the situation described in the question where the attacker is trying different username and password combinations in real-time.

Dictionary

Explanation

Dictionary attacks involve using a list of commonly used passwords or words from a dictionary to try and gain unauthorized access. In this case, the attacker is not using a list of words but rather a single password against multiple usernames, making it more aligned with a spraying attack.

Overall explanation

2.4 Given a scenario, analyze indicators of malicious activity.

A password spraying attack is a technique where an attacker attempts a single password against all the available user accounts, then tries another password against all the accounts again. The technique is like spraying one password across every targeted user account, and it is efficient because there is a good chance that several users have chosen the guessed password. Trying one password per account at a time also keeps each account below the failed-attempt lockout threshold, which is why it shows up in SIEM logs as the same password paired with many usernames rather than many passwords against one username.

Domain

2.0 Threats, Vulnerabilities, and Mitigations

Question 10

Your friend forgot her company laptop on the airplane as she was on her way to London for a work trip. Although she got it back, what technique would provide the most assurance that the sensitive information on her laptop would not have been lost, in the event she did not retrieve her laptop?

Correct answer

Full-disk encryption

Explanation

Full-disk encryption is a security measure that encrypts all data on the laptop’s hard drive, making it unreadable without the encryption key. In the event the laptop is lost or stolen, full-disk encryption provides the most assurance that sensitive information cannot be accessed by unauthorized individuals.

Screen lock

Explanation

Screen lock is a security feature that requires a password, PIN, or pattern to unlock the laptop. While screen lock can prevent unauthorized access to the laptop if it is lost or stolen, it does not protect the sensitive information stored on the device.

Remote wipe

Explanation

Remote wipe allows the user to remotely erase all data on the laptop in case it is lost or stolen. This can help prevent unauthorized access to sensitive information, but it does not guarantee that the data cannot be recovered by sophisticated attackers.

Biometrics

Explanation

Biometrics is a method of authentication based on unique physical characteristics such as fingerprints or facial recognition. While biometrics can provide an additional layer of security to prevent unauthorized access to the laptop, it does not guarantee the protection of sensitive information in the event the laptop is lost or stolen.

Overall explanation

1.4 Explain the importance of using appropriate cryptographic solutions.

Full-disk encryption will provide reasonable assurance that the sensitive data on Robert’s laptop is not lost, as all data read from a fully encrypted drive will need to be decrypted first, which is nearly impossible without the encryption key.

Domain

1.0 General Security Concepts

Question 11

A top software developer got fired from the technology company he was working at. One week later, all the software development servers shut down at the same time and all the files on them were erased. What attack method could have been used in this situation?

Fileless virus

Explanation

A fileless virus is a type of malware that operates in a system’s memory without leaving any traces on the hard drive. It is designed to evade detection by traditional antivirus software. While it can be used to carry out malicious activities, it is not typically associated with causing servers to shut down or erase files.

Correct answer

Logic bomb

Explanation

A logic bomb is a type of malware that is triggered by a specific event or condition, such as a certain date or time, leading to a malicious action being carried out. In this situation, the firing of the top software developer could have triggered a logic bomb that caused the servers to shut down and files to be erased.

Keylogger

Explanation

A keylogger is a type of malware that records keystrokes on a computer, typically used to steal sensitive information such as passwords or credit card numbers. While it can be used to gather information, it does not directly cause servers to shut down or erase files.

Ransomware

Explanation

Ransomware is a type of malware that encrypts files on a system and demands payment in exchange for the decryption key. While ransomware can cause data loss and disruption, it typically does not involve the simultaneous shutdown of servers and erasure of files as described in the scenario.

Overall explanation

2.4 Given a scenario, analyze indicators of malicious activity.

A logic bomb is a set of malicious instructions written purposefully to execute only when certain conditions are met. An example could be a check that an employee who has been fired has not logged in to a specific server for a set time; once that condition is met, malicious commands execute, such as the deletion of tables from a critical database.

Domain

2.0 Threats, Vulnerabilities, and Mitigations

Question 12

Robert has set up a fake server posing as a management information system and allowed it to be easily accessible externally. What type of setup is this?

Honeyfile

Explanation

A honeyfile is a file that is used as bait to attract attackers and monitor their activities. It is not the correct term for the setup described in the question, where a fake server posing as a management information system is used to attract attackers.

Correct answer

Honeypot

Explanation

A honeypot is a decoy system set up to attract potential attackers and gather information about their tactics, techniques, and procedures. By setting up a fake server posing as a management information system and making it easily accessible externally, Robert has created a honeypot to lure attackers.

Honeynet

Explanation

A honeynet is a network of honeypots that are interconnected to simulate a larger and more realistic environment for attackers to interact with. While similar to a honeypot, the setup described in the question involves a single fake server posing as a management information system, making it a honeypot rather than a honeynet.

Honeyserver

Explanation

A honeyserver is not a commonly used term in the context of cybersecurity. The setup described in the question, where a fake server posing as a management information system is used to attract attackers, aligns more closely with the concept of a honeypot rather than a honeyserver.

Overall explanation

1.2 Summarize fundamental security concepts.

A honeypot is a decoy system exposed to the internet that is intentionally set up with fake information, open services, and ports to lure attackers into performing attacks. The aim is to study the techniques used to exploit the network and to enhance the defenses accordingly.

Domain

1.0 General Security Concepts

Question 13

Which of the options below are key stretching functions? Select all that apply.

HMAC

Explanation

HMAC (Hash-based Message Authentication Code) is not a key stretching function, but rather a mechanism for verifying the integrity and authenticity of a message using a cryptographic hash function. It is not used for key stretching purposes like bcrypt or PBKDF2.

Correct selection

PBKDF2

Explanation

PBKDF2 (Password-Based Key Derivation Function 2) is a key stretching function that is commonly used for password hashing. It iteratively applies a pseudorandom function to the input password along with a salt to increase the computational cost of generating keys.

Blowfish

Explanation

Blowfish is not a key stretching function, but rather a symmetric-key block cipher. It is not designed for key stretching purposes like bcrypt or PBKDF2.

Correct selection

bcrypt

Explanation

bcrypt is a key stretching function that is specifically designed for secure password hashing. It uses a modified version of the Blowfish encryption algorithm to slow down brute-force attacks and make it harder to crack passwords.

RIPEMD

Explanation

RIPEMD (RACE Integrity Primitives Evaluation Message Digest) is a cryptographic hash function, not a key stretching function. It is used for generating fixed-size hash values from input data, but it does not have the key stretching capabilities of bcrypt or PBKDF2.

Overall explanation

1.4 Explain the importance of using appropriate cryptographic solutions.

bcrypt and PBKDF2 (Password-Based Key Derivation Function 2) are both key stretching algorithms. bcrypt is based on the Blowfish cipher. Both functions strengthen weak secrets such as passwords by repeatedly applying a hash or cipher with a salt and a configurable work factor, so the resulting hash is more resistant to brute-force and dictionary attacks.

Domain

1.0 General Security Concepts

Question 14

Which of the following attacks mainly relies on sniffing packets?

SQL injection

Explanation

SQL injection attacks involve inserting malicious SQL queries into input fields to manipulate a database. These attacks do not rely on sniffing packets to capture network traffic.

Integer overflow

Explanation

Integer overflow attacks involve manipulating the memory allocation of a program by inputting a value that exceeds the maximum integer size. These attacks do not rely on sniffing packets to capture network traffic.

DoS

Explanation

Denial of Service (DoS) attacks involve overwhelming a system with traffic to disrupt its normal operation. While sniffing packets may be used to gather information for a DoS attack, it is not the main method relied upon in this type of attack.

Correct answer

Session replay

Explanation

Session replay attacks involve capturing and replaying network traffic to impersonate a user or gain unauthorized access. Sniffing packets is a common method used to capture the network traffic necessary for a session replay attack.

Overall explanation

2.4 Given a scenario, analyze indicators of malicious activity.

A session replay attack is one where the attacker sniffs the communication between a client and a web server to capture the client’s session information. Once the attacker has captured the client’s session data, they replay it to the server. If the communication protocol is vulnerable, the attacker ends up with a valid, authenticated session with the server.

Domain

2.0 Threats, Vulnerabilities, and Mitigations

Question 15

Robert is the data controller at a business conglomerate. He has outsourced the processing of their data to a local firm. What could you call this local firm?

Data controller

Explanation

The term "Data controller" typically refers to the individual or entity that determines the purposes and means of processing personal data. In this case, Robert is the data controller at the business conglomerate, not the local firm processing the data.

Data steward

Explanation

The term "Data steward" typically refers to an individual or role within an organization that is responsible for managing and overseeing the organization’s data assets. While data stewards play an important role in data governance, they are not directly related to the outsourcing of data processing to a third-party firm.

Data owner

Explanation

The term "Data owner" refers to the individual or entity that has ultimate responsibility and control over the data, including determining how it is collected, processed, and used. In this scenario, the local firm processing the data is not the owner but rather a service provider.

Correct answer

Data processor

Explanation

The term "Data processor" refers to a third party that processes personal data on behalf of the data controller. In this scenario, the local firm that Robert has outsourced the data processing to would be considered the data processor.

Overall explanation

5.1 Summarize elements of effective security governance.

The data processor is an entity that processes data on behalf of the data controller. The data processor could be a service provider, third party, or external representative of the company who performs data processes and operations such as storage, extraction, security, etc., at the call of the data controller.

Domain

5.0 Security Program Management and Oversight

Question 16

Robert is a cybersecurity specialist at a large bank. He is looking for a way to prevent users from being redirected to malicious sites when they query domain name servers. What technique or tool should he use?

Correct answer

DNS sinkhole

Explanation

DNS sinkhole is a technique used to redirect malicious or unwanted traffic to a specific IP address. By using DNS sinkholing, Robert can prevent users from being redirected to malicious sites when querying domain name servers by redirecting the traffic to a controlled, safe location.

DNS hijacking

Explanation

DNS hijacking is a malicious attack that redirects queries for a specific domain name to a different IP address. While it is related to DNS security, it is not the technique Robert should use to prevent users from being redirected to malicious sites when querying domain name servers.

Honeypot

Explanation

A honeypot is a security mechanism used to detect, deflect, or counteract attempts at unauthorized use of information systems. It is not specifically designed to prevent users from being redirected to malicious sites when querying domain name servers.

Watering hole

Explanation

A watering hole attack is a type of cyber attack in which the attacker infects a website that the target group is known to visit, with the goal of infecting the target group’s devices. It is not a technique that Robert should use to prevent users from being redirected to malicious sites when querying domain name servers.

Overall explanation

4.5 Given a scenario, modify enterprise capabilities to enhance security.

A DNS sinkhole is a technique used to protect users from being directed to malicious websites when they make DNS queries, for example to DNS servers that have potentially been hijacked by an attacker. Instead of resolving to the malicious host, the sinkhole directs the user to a safe, controlled site. It is also called a blackhole DNS.

Domain

4.0 Security Operations

Question 17

Which software testing method involves placing random data in the input fields of an application?

Correct answer

Fuzzing

Explanation

Fuzzing is a software testing technique that involves providing invalid, unexpected, or random data as inputs to an application to trigger unexpected behavior. This method is specifically designed to test the robustness of an application by introducing random data into input fields.

White box

Explanation

White box testing, also known as clear box or glass box testing, involves testing the internal structures or workings of an application. It is based on the knowledge of the internal code and logic of the software, not specifically on placing random data in input fields.

SAST

Explanation

Static Application Security Testing (SAST) is a type of security testing that analyzes an application’s source code, byte code, or binary code for security vulnerabilities. It does not involve placing random data in input fields as part of the testing process.

Black box

Explanation

Black box testing involves testing the functionality of an application without knowing its internal code or structure. It focuses on the inputs and outputs of the software, not specifically on placing random data in input fields.

Overall explanation

3.2 Given a scenario, implement host or application security solutions.

Fuzzing is a black box testing methodology that dynamically tests software by feeding it random or malformed input data and observing its response or output behavior in order to find vulnerabilities.

Domain

3.0 Security Architecture

Question 18Skipped

Roberto is the server manager at a cloud firm. Robert from the security team has raised a concern with him about the growing number of virtual machines in their network and the way they seem to have lost control over maintaining them. What technique can they use to counter this issue?

Serverless architecture

Explanation

Serverless architecture is a cloud computing model where the cloud provider manages the infrastructure and automatically allocates resources as needed. While serverless architecture can help in managing resources more efficiently, it is not specifically designed to address the issue of losing control over virtual machines in a network.

Escape protection

Explanation

Escape protection is a security measure that focuses on preventing unauthorized access to sensitive data or systems. It is not directly related to managing virtual machines or addressing the issue of losing control over them in a network.

Resource policies

Explanation

Resource policies are rules and configurations set to manage and control the allocation and usage of resources in a network. While resource policies can help in managing virtual machines, they may not specifically address the issue of losing control over the growing number of virtual machines in a network.

Correct answer

Sprawl avoidance

Explanation

Sprawl avoidance is a technique used to prevent the uncontrolled growth of virtual machines in a network. It helps in maintaining control over the number of virtual machines deployed, ensuring efficient resource utilization, and reducing security risks associated with unmanaged VMs.

Overall explanation

2.3 Explain various types of vulnerabilities.

Sprawl avoidance in virtualization refers to a collection of techniques, policies, procedures, security measures, and management steps that ensure a proper virtual machine life cycle.

Domain

2.0 Threats, Vulnerabilities, and Mitigations

Question 19Skipped

Robert recently noticed that whenever he moves his laptop from his office desk to the office pantry, he cannot log in to a specific server. However, once he goes back to his desk his login attempts are successful. What could be the reason Robert experiences this?

GPS attack

Explanation

A GPS attack involves manipulating or spoofing the GPS signals to deceive a device’s location tracking. While this could potentially impact Robert’s ability to log in based on location, it is not a common or likely scenario in this case.

Correct answer

Geofencing

Explanation

Geofencing is a technology that creates a virtual boundary around a specific geographical area. It is possible that the server has geofencing restrictions in place, preventing access from certain locations such as the office pantry. This could explain why Robert can log in from his desk but not from other areas.

Geotagging

Explanation

Geotagging is the process of adding geographical identification metadata to various media such as photos or videos. While geotagging may provide location information, it is not directly related to Robert’s login issues when moving between different areas in the office.

Certificates

Explanation

Certificates are used for authentication and encryption purposes in secure communication. While certificates play a crucial role in securing connections to servers, they are not likely the reason behind Robert’s login issues based on his physical location within the office.

Overall explanation

3.3 Compare and contrast concepts and strategies to protect data.

Geofencing uses the Global Positioning System (GPS) together with cellular data to create a virtual perimeter that can trigger a specific event when a device is inside or outside that perimeter. Robert must have exited the geofence that permits logging in to the specific server when he moved with his laptop to the pantry, so his authentication failed because of the wrong geolocation. When Robert returned to his desk, he re-entered the geofence, which allowed him to log in to the server.

Domain

3.0 Security Architecture

Question 20Skipped

All the connections between an organization and its subsidiary office traverse through the same router. What is the major risk posed by such a setup?

Correct answer

Single point of failure

Explanation

The major risk posed by having all connections between an organization and its subsidiary office traverse through the same router is the concept of a single point of failure. If the router malfunctions or experiences a disruption, it could lead to a complete breakdown in communication between the two locations, highlighting the critical importance of redundancy and failover mechanisms in network design.

Traffic jam

Explanation

While having all connections routed through the same router may potentially lead to traffic congestion or bottlenecks, the primary risk in this scenario is the presence of a single point of failure. This means that if the router fails, all communication between the organization and its subsidiary office could be severely impacted or completely halted, emphasizing the need for resilience and backup solutions.

Noise

Explanation

Noise in a network context typically refers to unwanted interference or disturbances that can affect the quality of data transmission. However, the major risk posed by having all connections pass through a single router is not related to noise but rather the vulnerability of a single point of failure. This setup increases the organization’s exposure to disruptions and downtime if the router experiences issues, underlining the importance of diversifying network paths for improved reliability.

Inherent risk

Explanation

In the context of network security, inherent risk typically refers to risks that are inherent in the technology, processes, or systems used by an organization. While having all connections pass through a single router may introduce certain inherent risks, the major concern in this scenario is the specific risk associated with a single point of failure.

Overall explanation

4.7 Explain the importance of automation and orchestration related to secure operations.

A single point of failure is a weakness in the design or configuration of a system whereby the failure of a specific component causes the entire system to fail or become inoperable.

Domain

4.0 Security Operations

Question 21Skipped

Robert has noticed that whenever he switches on his Bluetooth connection, he keeps on receiving messages, adverts, and pictures from an unidentified source. The behavior stops when he switches the Bluetooth off. What could be the reason Robert is experiencing this?

Blueprinting

Explanation

Blueprinting is a technique used by attackers to gather information about nearby Bluetooth devices and then exploit this information to gain unauthorized access to these devices. It does not relate to the behavior Robert is experiencing with his Bluetooth connection.

Correct answer

Bluejacking

Explanation

Bluejacking is the practice of sending unsolicited messages or advertisements to a Bluetooth-enabled device. This aligns with Robert’s experience of receiving messages, adverts, and pictures from an unidentified source when his Bluetooth connection is on.

Bluesnarfing

Explanation

Bluesnarfing is the unauthorized access of information from a wireless device through a Bluetooth connection. It typically involves stealing data such as contact lists, emails, and text messages, rather than sending unwanted messages or advertisements to the device.

Bluebugging

Explanation

Bluebugging is a type of attack where an attacker gains unauthorized access to a Bluetooth-enabled device and can control its functions, such as making calls, sending messages, or accessing data. It does not involve sending unwanted messages or advertisements to the device.

Overall explanation

2.2 Explain common threat vectors and attack surfaces.

Bluejacking is an attack where a Bluetooth connection is used by an attacker to send unsolicited messages to the victim’s device.

Domain

2.0 Threats, Vulnerabilities, and Mitigations

Question 22Skipped

After a recent risk assessment of an organization’s enterprise assets, senior management has committed to addressing the risk based on their budget for risk mitigation. They are ready to allow for some risk items that cross their projected expenditure to remain unmitigated. What is the term given to the senior management’s acceptance of the risk?

Risk control

Explanation

Risk control involves implementing measures to manage, reduce, or eliminate risks within an organization. It includes activities such as risk assessment, risk mitigation, and monitoring of risk controls. While risk control is an important aspect of risk management, it does not specifically refer to senior management’s acceptance of risk based on budget constraints.

Risk transfer

Explanation

Risk transfer involves shifting the financial consequences of a risk to another party, such as through insurance or outsourcing. It is a risk management strategy that aims to transfer the risk burden to a third party. Senior management’s decision to accept some risks within their budget does not align with the concept of risk transfer.

Correct answer

Risk appetite

Explanation

Risk appetite is the term used to describe the level of risk that an organization is willing to accept or take on in pursuit of its objectives. It reflects the organization’s willingness to tolerate risk and the amount of risk it is willing to accept before taking action to mitigate it. In this scenario, senior management’s decision to allow some risk items to remain unmitigated within their budget aligns with the concept of risk appetite.

Risk avoidance

Explanation

Risk avoidance refers to the strategy of eliminating or removing the risk altogether. It involves taking actions to prevent the risk from occurring or to completely eliminate the possibility of the risk manifesting. This is not the term used to describe senior management’s acceptance of the risk based on their budget for risk mitigation.

Overall explanation

5.2 Explain elements of the risk management process.

Risk appetite is a measure of the level or quantity of risk that the organization’s management deems acceptable, set in alignment with the organization’s strategic goals and objectives.

Domain

5.0 Security Program Management and Oversight

Question 23Skipped

The line managers and their teams have taken up the task of identifying the key areas of risk in their business units and the controls they have in place to address them. What is the activity they have been engaged in called?

Audit survey

Explanation

An audit survey typically involves an independent assessment of processes, controls, and compliance with standards or regulations. It is usually conducted by an external party to provide an objective evaluation of the organization’s operations.

Control check

Explanation

A control check typically refers to the process of verifying that established controls are functioning as intended and are effectively mitigating risks. It involves assessing the adequacy and effectiveness of control measures in place.

Correct answer

Self-assessment

Explanation

Self-assessment is the correct choice in this scenario as it refers to the process of individuals or teams within an organization evaluating their own performance, processes, or controls. In this case, line managers and their teams are conducting a self-assessment to identify key areas of risk and the controls in place to address them.

Risk review

Explanation

A risk review involves evaluating potential risks, threats, and vulnerabilities within the organization. It may include identifying, assessing, and prioritizing risks to determine the likelihood and impact of potential incidents.

Overall explanation

5.5 Explain types and purposes of audits and assessments.

Self-assessment is a technique for effectively managing risk in control areas by having the staff and management responsible for an operating function assess the compliance of its controls. This helps to improve the organization’s control framework in a structured manner.

Domain

5.0 Security Program Management and Oversight

Question 24Skipped

An organization recently had all their hard drives encrypted along with a message displayed from the hackers asking for Bitcoin to be sent to an online wallet in exchange for the decryption keys. What type of malware is this?

Virus

Explanation

A virus is a type of malware that replicates itself by attaching to files and spreading across systems, often causing damage or disruptions. However, viruses do not generally encrypt files or demand payment for file restoration, which is the hallmark of ransomware. Therefore, a virus is not the correct answer in this context.

Rootkit

Explanation

A rootkit is a type of malware that provides unauthorized administrative access to a system without being detected. Rootkits are designed to hide their presence and allow attackers to remotely control the system. While dangerous, they do not typically encrypt files or demand ransoms, as seen in the scenario.

Correct answer

Ransomware

Explanation

Ransomware is a type of malware that encrypts the victim’s files or entire system, rendering them unusable until a ransom is paid to the attackers. In this scenario, the attackers are demanding payment in Bitcoin in exchange for the decryption keys, which is a classic characteristic of a ransomware attack. The goal is to force the organization to pay in order to regain access to their data.

Cryptomalware

Explanation

Although cryptomalware is also a type of malware that involves encryption, it specifically refers to malware that silently encrypts files for illicit purposes, often without immediate ransom demands. In contrast, ransomware explicitly demands a payment for file decryption. The key difference here is the ransom demand, which makes this case ransomware rather than cryptomalware.

Overall explanation

2.4 Given a scenario, analyze indicators of malicious activity.

Ransomware is malware designed to encrypt the files on a victim’s machine for the purpose of extorting money via a ransom. Although the malware used by the hackers is crypto-malware, the scenario describes the hackers demanding a ransom in exchange for the keys.

Domain

2.0 Threats, Vulnerabilities, and Mitigations

Question 25Skipped

Robert is the security administrator at a media company. The video processing server seems to have been attacked by some malware. When Robert performs the security analysis, he finds out that their enterprise antivirus and all the signatures are up to date. How could the video server have been infected?

Lack of vendor support

Explanation

Lack of vendor support can leave systems vulnerable to known security issues and vulnerabilities. However, in this scenario, the enterprise antivirus and all signatures are up to date, indicating that lack of vendor support is not the reason for the video server being infected with malware.

Outsourced code development

Explanation

Outsourced code development involves third-party developers writing code for an organization’s software. While outsourced code development can introduce security risks if proper security measures are not in place, it is not directly related to how the video server in this scenario could have been infected with malware.

Correct answer

Zero day

Explanation

A zero-day exploit refers to a vulnerability in software or hardware that is unknown to the vendor or has not been patched yet. Attackers can exploit zero-day vulnerabilities to infect systems with malware, even if antivirus and signatures are up to date. Therefore, a zero-day exploit is a possible explanation for how the video server could have been infected in this case.

Data breach

Explanation

A data breach refers to unauthorized access to sensitive data, which may result in data leakage or theft. While a data breach can lead to malware infections, it is not directly related to how the video server in this scenario could have been infected with malware.

Overall explanation

2.3 Explain various types of vulnerabilities.

A zero-day vulnerability is one that is not yet known to software or antivirus vendors, which allows hackers to exploit the weakness undetected.

Domain

2.0 Threats, Vulnerabilities, and Mitigations

Question 26Skipped

You were browsing a website securely on the internet until you suddenly noticed a certificate error claiming that you were browsing without a certificate. What could be a possible reason that this is happening?

Buffer overflow

Explanation

Buffer overflow occurs when a program writes more data to a buffer than it can hold, potentially leading to security vulnerabilities. However, buffer overflow attacks do not typically result in certificate errors while browsing a website.

Correct answer

Downgrade

Explanation

Downgrade attacks involve forcing a system to use weaker security protocols or algorithms, which can lead to certificate errors when browsing a website. In this scenario, the error claiming that you are browsing without a certificate could be a result of a downgrade attack attempting to weaken the security of the connection.

Replay

Explanation

Replay attacks involve the interception and retransmission of data packets to gain unauthorized access to a system. While replay attacks can compromise the security of data transmission, they are not directly related to certificate errors in browsing.

Injection

Explanation

Injection refers to the unauthorized insertion of code or data into a system, which can lead to security vulnerabilities. While injection attacks can compromise the security of a website, they are not directly related to certificate errors in browsing.

Overall explanation

2.4 Given a scenario, analyze indicators of malicious activity.

A downgrade attack is one where the attacker forces a secure protocol to degrade to an insecure protocol or a lower version of the protocol. Usually, the protocol the attacker downgrades the system to has known vulnerabilities that can be exploited.

Domain

2.0 Threats, Vulnerabilities, and Mitigations

Question 27Skipped

Which of the following options provides a simplified and holistic approach to securing your organization from attacks from multiple perspectives?

WAF

Explanation

WAF (Web Application Firewall) is designed to protect web applications from various attacks, such as SQL injection and cross-site scripting. While WAF is essential for securing web applications, it focuses on a specific area of security and does not offer the same comprehensive approach as UTM, which covers a wide range of security aspects across the organization.

Correct answer

UTM

Explanation

UTM (Unified Threat Management) provides a comprehensive approach to security by combining multiple security features into a single solution. It includes functions such as firewall, intrusion detection and prevention, antivirus, content filtering, and VPN capabilities, offering a holistic approach to protecting the organization from various types of attacks.

NGFW

Explanation

NGFW (Next-Generation Firewall) offers advanced features beyond traditional firewalls, such as application awareness, intrusion prevention, and deep packet inspection. While NGFW enhances network security, it does not necessarily provide the same level of holistic protection as UTM, which integrates multiple security functions into a single solution.

HIPS

Explanation

HIPS (Host-based Intrusion Prevention System) focuses on protecting individual devices by monitoring and analyzing the behavior of applications and processes running on the host. While HIPS is an important security measure, it does not provide the same level of holistic protection as UTM, which covers multiple aspects of security across the organization.

Overall explanation

3.2 Given a scenario, apply security principles to secure enterprise infrastructure.

Unified threat management (UTM) incorporates the use of a variety of security tools and techniques integrated into a single platform for ease of management and centralized delivery of security.

Domain

3.0 Security Architecture

Question 28Skipped

What is the next stage after preparation in the incident response process?

Correct answer

Detection

Explanation

Detection is the next stage after the preparation of an incident, where the organization monitors its systems and networks to identify any signs of ongoing or potential security incidents. It involves using tools and techniques to detect and analyze any suspicious activities.

Recovery

Explanation

Recovery is the stage where the organization restores the affected systems and services to normal operation after an incident has been contained and eradicated. It focuses on recovering any data or functionality that may have been lost during the incident.

Eradication

Explanation

Eradication is the stage where the organization eliminates the root cause of the incident to prevent it from happening again in the future. It involves identifying and removing any vulnerabilities or weaknesses that were exploited during the incident.

Containment

Explanation

Containment is the stage where the organization takes immediate actions to prevent the incident from spreading further and causing more damage. It involves isolating the affected systems or networks to limit the impact of the incident.

Overall explanation

4.8 Explain appropriate incident response activities.

The detection stage follows the preparation stage in an incident response plan. This is where the incident is detected. The type of the incident, its severity, and its impact on the processes and operations are determined and documented.

Domain

4.0 Security Operations

Question 29Skipped

Robert’s iPhone has several custom applications that seem to circumvent the restrictions made by Apple. What technique could Robert have used to get them onto his device?

App Store

Explanation

The App Store is Apple’s official platform for downloading and installing applications on iOS devices. Custom applications that circumvent Apple’s restrictions would not be available on the App Store.

Play Store

Explanation

The Play Store is Google’s official platform for downloading and installing applications on Android devices. Since Robert has an iPhone, the Play Store is not relevant to the situation described in the question.

Correct answer

Jailbreaking

Explanation

Jailbreaking is the process of removing software restrictions imposed by Apple on iOS devices. By jailbreaking his iPhone, Robert could have installed custom applications that are not available on the official App Store.

Rooting

Explanation

Rooting is the process of gaining full control over an Android device’s operating system. It is not applicable to iPhones, as iPhones use a different process called jailbreaking for similar purposes.

Overall explanation

2.3 Explain various types of vulnerabilities.

Jailbreaking is a technique for removing the restrictions Apple places on the iOS operating system, gaining root privileges through privilege escalation. After jailbreaking his iPhone, Robert can install applications that are not available on Apple’s App Store.

Domain

2.0 Threats, Vulnerabilities, and Mitigations

Question 30Skipped

A technology firm is installing a new enterprise system for its business venture. Project management wants to know the security requirements that the enterprise system must adhere to. What should the security team provide project management with?

Enterprise Architecture

Explanation

Enterprise Architecture focuses on the overall structure and operation of an organization’s IT systems. While security considerations are an important aspect of enterprise architecture, it is not the specific security requirements that the project management is looking for in this scenario.

Correct answer

Baseline Configuration

Explanation

Baseline Configuration refers to the standard configuration settings that all systems within the enterprise must adhere to in order to maintain a secure and consistent environment. Providing the project management with the baseline configuration requirements ensures that the enterprise system meets the necessary security standards.

Project Portfolio

Explanation

Project Portfolio management involves the centralized management of projects within an organization. While important for overall project management, it is not directly related to the specific security requirements that the enterprise system must adhere to in this scenario.

Configuration Management

Explanation

Configuration Management involves the process of managing changes to system configurations in a controlled manner. While important for maintaining system integrity and consistency, it is not directly related to the security requirements that the enterprise system must adhere to.

Overall explanation

4.1 Given a scenario, apply common security techniques to computing resources.

The baseline configuration is a checklist of the minimum security requirements a system must meet to be considered secure. From it, project management can see what security requirements are needed for compliance with the organization’s policy.

Domain

4.0 Security Operations

Question 31Skipped

Robert is reviewing the public key infrastructure at his organization. He wants to find out the status of the digital certificates. Which of the following options would help Robert achieve this?

Digital Signature Algorithm

Explanation

Digital Signature Algorithm is a cryptographic algorithm used for creating and verifying digital signatures. While digital signatures are an essential part of digital certificates, the DSA itself does not provide information about the status of certificates.

Hashing

Explanation

Hashing is a process used to generate a fixed-size string of bytes from input data. While hashing is used in PKI for various purposes, such as creating certificate fingerprints, it does not directly provide information about the status of digital certificates.

Correct answer

OCSP

Explanation

OCSP (Online Certificate Status Protocol) is a protocol used to check the revocation status of digital certificates. By querying an OCSP responder, Robert can determine whether a certificate is still valid or has been revoked, helping him assess the status of the digital certificates in the organization’s PKI.

Public Key

Explanation

Public Key is a component of asymmetric encryption used in PKI, but it does not directly provide information about the status of digital certificates. It is used for encryption, decryption, and digital signatures, not for checking the validity of certificates.

Overall explanation

1.4 Explain the importance of using appropriate cryptographic solutions.

OCSP stands for Online Certificate Status Protocol. It is used to check the status of a digital certificate. It is an alternative to the Certificate Revocation List (CRL), as it gives information on the validity or revocation status of a digital certificate.

Domain

1.0 General Security Concepts

Question 32Skipped

After analyzing the risk affecting one of the excavators of a mining organization, the risk management team has found that the cost to mitigate the risk is far greater than the loss that the organization shall suffer if the risk is to materialize. What risk management strategy should they apply?

Transference

Explanation

Transference involves transferring the risk to a third party, such as through insurance or outsourcing. However, in this scenario where the cost of mitigation is higher than the potential loss, transferring the risk may not be a viable option.

Mitigation

Explanation

Mitigation involves taking actions to reduce the impact or likelihood of the risk. However, in this case where the cost of mitigation is greater than the potential loss, it may not be cost-effective to pursue mitigation strategies.

Correct answer

Acceptance

Explanation

Acceptance is the appropriate risk management strategy when the cost of mitigating the risk outweighs the potential loss. By accepting the risk, the organization acknowledges the risk but decides not to take any specific action to mitigate it due to cost considerations.

Avoidance

Explanation

Avoidance involves taking actions to eliminate the risk entirely, which may not be feasible in this scenario where the cost to mitigate the risk is higher than the potential loss. It is not practical to avoid the risk in this case.

Overall explanation

5.2 Explain elements of the risk management process.

Risk acceptance is a risk management strategy organizations use when the cost of addressing a risk item is greater than the cost of the damage or loss the risk item would cause.

Domain

5.0 Security Program Management and Oversight

Question 33Skipped

A security analyst is observing a JavaScript file for vulnerabilities but finds it very difficult to understand it. The code seems very complicated and does not make sense. What could be the reason for this?

Normalization

Explanation

Normalization is a process of organizing data in a database to reduce redundancy and improve data integrity. It is not directly related to the complexity or difficulty in understanding a JavaScript file. Normalization is a database design concept and does not apply to code obfuscation or readability issues.

Data exposure

Explanation

Data exposure refers to the unintentional or unauthorized disclosure of sensitive information. While data exposure can be a security concern in JavaScript files, it is not the primary reason for the difficulty in understanding the code. The complexity and lack of clarity in the script are more likely due to obfuscation techniques rather than data exposure issues.

Dead code

Explanation

Dead code refers to code that is no longer used or executed within a program. While dead code can contribute to the overall complexity of a script, it is not the primary reason for the difficulty in understanding the JavaScript file. Dead code typically does not impact the readability or logic of the active code.

Correct answer

Obfuscation

Explanation

Obfuscation is the deliberate act of making code more difficult to understand or reverse-engineer. It is often used by malicious actors to hide malicious code or vulnerabilities within a script. In this case, the complexity and lack of clarity in the JavaScript file may be due to obfuscation techniques being applied to the code.

Overall explanation

3.3 Compare and contrast concepts and strategies to protect data.

Obfuscation is a security technique that makes a program very difficult, or even impossible, to understand or to recover the original code from. Humans generally cannot make sense of obfuscated code.

Domain

3.0 Security Architecture

Question 34Skipped

Robert is a security architect at a television broadcasting company. He is tasked with making sure that any internet requests from the internal network are controlled. Which of the following network elements will help him do this?

Correct answer

Forward proxy

Explanation

A forward proxy is a network element that sits between the internal network and the internet, intercepting and controlling outgoing internet requests. It can filter and monitor traffic, enforce security policies, and provide anonymity for internal users.

Jump server

Explanation

A jump server is a secure intermediary server used to access and manage other servers in a network. While it can enhance security by limiting direct access to critical servers, it does not specifically control internet requests from the internal network.

Reverse proxy

Explanation

A reverse proxy is a network element that sits between the internet and internal servers, handling incoming requests on behalf of those servers. While it can enhance security by hiding server details and load balancing, it does not directly control outgoing internet requests from the internal network.

VPN

Explanation

A VPN (Virtual Private Network) is a technology that creates a secure, encrypted connection over a public network, allowing users to access resources securely from remote locations. While it can enhance security for remote access, it does not directly control internet requests from the internal network.

Overall explanation

3.2 Given a scenario, apply security principles to secure enterprise infrastructure.

A forward proxy is placed between a client and a web service. The purpose of the forward proxy is to capture all requests from the client user, send them on to the web server, and receive the responses on behalf of the user. Robert can control the requests from the employees directed to the internet using forward proxying rules. He can monitor requests that go against the security policy and choose to drop them, redirect them, or send response pages back to the clients.

Domain

3.0 Security Architecture

Question 35Skipped

What is the best way to get rid of a hard drive that contains highly classified or top-secret information?

Erasing

Explanation

Erasing involves overwriting the data on a hard drive to make it unrecoverable. While this method can be effective for standard data erasure, it may not be sufficient for highly classified or top-secret information as there is a possibility of data recovery through advanced forensic techniques.

Degaussing

Explanation

Degaussing is a method of erasing data from a magnetic storage device by exposing it to a strong magnetic field. While this method can be effective for standard data erasure, it may not be sufficient for highly classified or top-secret information as there is a possibility of data recovery through specialized techniques.

Formatting

Explanation

Formatting a hard drive simply removes the file system and directory structure, but the data still remains on the drive and can be recovered using data recovery tools. This method is not recommended for highly classified or top-secret information as it does not securely erase the data.

Correct answer

Shredding

Explanation

Shredding is considered the best way to securely dispose of a hard drive that contains highly classified or top-secret information. Shredding physically destroys the hard drive, making data recovery virtually impossible. This method ensures that the information is completely unrecoverable and eliminates the risk of data leakage.

Overall explanation

4.2 Explain the security implications of proper hardware, software, and data asset management.

Shredding a hard drive ensures all of its basic parts are destroyed and not recoverable by any technical means. It is the most secure way to get rid of an unwanted hard drive that holds very sensitive or confidential information, the type of information you would never want to get into the hands of any party other than yourself.

Domain

4.0 Security Operations

Question 36Skipped

The security team has a video file from the CCTV footage showing the suspect who infiltrated their building. They have backed up a copy of the file. What security measures should they use to ensure the file has not been tampered with at a later date?

Correct answer

Hashing

Explanation

Hashing is the correct choice as it involves generating a unique fixed-size string of characters (hash value) based on the content of the file. By comparing the hash value of the original file with the hash value of the copy, the security team can verify if the file has been tampered with at a later date.

Cache

Explanation

Cache is a temporary storage location that stores copies of frequently accessed data for quick retrieval. While caching can improve performance, it does not provide a mechanism to verify the integrity of a file and ensure it has not been tampered with.

Pagefile

Explanation

Pagefile is a system file in Windows that acts as virtual memory, allowing the system to move data from RAM to the hard drive. Pagefile is not directly related to verifying the integrity of a file and ensuring it has not been tampered with.

Snapshot

Explanation

Snapshot is a point-in-time copy of data that can be used for backup or recovery purposes. While snapshots can help in restoring data to a previous state, they do not provide a way to verify the integrity of the file and ensure it has not been tampered with.

Overall explanation

1.4 Explain the importance of using appropriate cryptographic solutions.

Hashing the CCTV footage video file creates a cryptographic value that corresponds to that video file only. If any changes are made to the video file, the hash value will change, and the security team will know that the video file has been tampered with. To confirm integrity, the security team must at a later date create a hash of the video file again and ensure the value is the same as the one recorded previously.
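The baseline-then-reverify workflow described above, as an added example that is not part of the original course material: it records the SHA-256 of a constructed stand-in for the footage file at backup time, then recomputes and compares it later, and shows a single flipped byte being caught. File names and the manifest format are assumptions.

```python
import hashlib
import hmac
import json
from pathlib import Path
from tempfile import TemporaryDirectory

# Constructed sample "footage": arbitrary bytes standing in for a real video file.
SAMPLE_FOOTAGE = b"\x00\x00\x00\x18ftypmp42" + bytes(range(256)) * 4


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so a large video never has to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def record_baseline(path: Path, manifest: Path) -> str:
    """Hash the file at backup time and write the value to a separate manifest.

    The manifest must be kept somewhere the footage's custodians cannot silently
    rewrite (write-once media, a signed record, or a separate system), otherwise
    an attacker who alters the file can simply update the recorded hash too.
    """
    digest = sha256_of_file(path)
    manifest.write_text(json.dumps({"file": path.name, "sha256": digest}))
    return digest


def verify_against_baseline(path: Path, manifest: Path) -> bool:
    """Recompute the hash later and compare it with the recorded value."""
    recorded = json.loads(manifest.read_text())["sha256"]
    # compare_digest avoids leaking how many leading characters matched.
    return hmac.compare_digest(recorded, sha256_of_file(path))


def demo() -> tuple[bool, bool]:
    """Returns (verified_before_tampering, verified_after_tampering)."""
    with TemporaryDirectory() as d:
        footage = Path(d) / "cctv_lobby.mp4"          # assumed file name
        manifest = Path(d) / "cctv_lobby.mp4.sha256.json"
        footage.write_bytes(SAMPLE_FOOTAGE)
        record_baseline(footage, manifest)
        untouched = verify_against_baseline(footage, manifest)

        # Simulate tampering: flip one bit in the middle of the file.
        data = bytearray(footage.read_bytes())
        data[len(data) // 2] ^= 0x01
        footage.write_bytes(bytes(data))
        tampered = verify_against_baseline(footage, manifest)
    return untouched, tampered


if __name__ == "__main__":
    before, after = demo()
    print(f"verified before tampering: {before}, after tampering: {after}")
```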

Domain

1.0 General Security Concepts

Question 37Skipped

Which technique can be used to harden the password hashes?

Fuzzing

Explanation

Fuzzing is a technique used to discover vulnerabilities in software by inputting invalid, unexpected, or random data to see how the software responds. While fuzzing is a valuable technique for identifying security flaws, it is not used to harden password hashes. Fuzzing is more focused on identifying weaknesses in software implementations, not on securing password storage.

Correct answer

Salting

Explanation

Salting is a technique used to add random data to password hashes before they are stored in a database. This random data makes it more difficult for attackers to use precomputed tables, such as rainbow tables, to crack the password hashes. Salting significantly increases the security of password storage.

Cookies

Explanation

Cookies are small pieces of data stored on the client-side that are used for tracking user information and preferences. While cookies are important for web applications, they are not directly related to hardening password hashes. Cookies are not a technique used to secure password storage.

SSL Certificates

Explanation

SSL Certificates are used to secure the communication between a client and a server by encrypting the data in transit. While SSL Certificates are essential for securing data transmission, they are not used to harden password hashes. SSL Certificates do not directly impact the security of password storage.

Overall explanation

1.4 Explain the importance of using appropriate cryptographic solutions.

Salting is a security technique that creates cryptographically stronger hashes by adding a string to the password (in most cases, a random string) before passing it as an input to the hash function. The resulting hash is much more difficult to reverse engineer and provides protection against password cracking attacks.

Domain

1.0 General Security Concepts

Question 38Skipped

You are the security manager of a large corporate bank. The management is worried about the sensitive data processed internally being exfiltrated out of the bank’s network without authorization. What solution could you use to help the bank’s management alleviate their worries?

Quarantine

Explanation

Quarantine is a security measure that isolates potentially compromised devices or systems from the rest of the network to prevent the spread of threats. While quarantine can help contain security incidents and prevent further damage, it may not directly address the specific concern of data exfiltration. Quarantine focuses on isolating and remedying security incidents rather than proactively preventing data exfiltration.

Firewall

Explanation

While firewalls are essential for network security and can help prevent unauthorized access to the network, they are not specifically designed to address data exfiltration concerns. Firewalls control incoming and outgoing network traffic based on predetermined security rules, but they may not be sufficient to prevent sensitive data from leaving the network.

Segmentation

Explanation

Segmentation is a network security strategy that involves dividing the network into separate segments or subnetworks to control and secure traffic flow. While segmentation can help contain and isolate potential security breaches, it may not directly address the specific concern of data exfiltration. Segmentation alone may not be enough to prevent unauthorized data transfers.

Correct answer

DLP

Explanation

Data Loss Prevention (DLP) solutions are specifically designed to prevent unauthorized data exfiltration by monitoring, detecting, and blocking sensitive data transfers. DLP solutions can identify and protect sensitive data, enforce data security policies, and prevent data leakage through various channels, including email, web, and removable devices. Implementing a DLP solution can help the bank’s management alleviate their worries about data exfiltration.

Overall explanation

4.4 Explain security alerting and monitoring concepts and tools.

DLP stands for Data Loss Prevention. It is a combination of processes and tools used to prevent the loss or leakage of sensitive data from within or outside the organization. It protects sensitive data from being mishandled or accessed by individuals without clearance to it.

Domain

4.0 Security Operations

Question 39Skipped

Which step would occur first in a penetration test?

Exploitation

Explanation

Exploitation is the step in a penetration test where the tester attempts to exploit the identified vulnerabilities in the target system or network. This step comes after reconnaissance, as it relies on the information gathered during the initial phase.

Privilege escalation

Explanation

Privilege escalation is a specific type of exploitation that occurs after an initial foothold has been established in the target system or network. It is not the first step in a penetration test, as it relies on successful exploitation of vulnerabilities identified during reconnaissance.

Correct answer

Reconnaissance

Explanation

Reconnaissance is the first step in a penetration test, where the tester gathers information about the target system or network. This information includes identifying potential vulnerabilities, system architecture, and possible entry points for exploitation.

Reporting

Explanation

Reporting is the final step in a penetration test, where the tester documents the findings, vulnerabilities exploited, and recommendations for improving the security posture of the target system or network. It occurs after the reconnaissance and exploitation phases have been completed.

Overall explanation

5.5 Explain types and purposes of audits and assessments.

Reconnaissance is the first step in performing a penetration test. The security tester may passively collect all possible information from publicly available sources such as social media, online forums, etc., and may actively interact with the target through scanning and sniffing.

Domain

5.0 Security Program Management and Oversight

Question 40Skipped

What is the default port for LDAPS?

389

Explanation

Port 389 is the default port for LDAP (Lightweight Directory Access Protocol), not LDAPS (LDAP over SSL/TLS). LDAPS uses a different port for secure communication.

161

Explanation

Port 161 is the default port for SNMP (Simple Network Management Protocol), not LDAPS. SNMP is used for network management and monitoring, not for secure directory access.

Correct answer

636

Explanation

Port 636 is the correct default port for LDAPS (LDAP over SSL/TLS). LDAPS uses port 636 to establish a secure connection for directory access, ensuring data confidentiality and integrity.

139

Explanation

Port 139 is the default port for NetBIOS Session Service, not LDAPS. NetBIOS is an older networking protocol used for communication between computers on a local network, not for secure directory access.

Overall explanation

4.6 Given a scenario, implement and maintain identity and access management.

LDAPS stands for Lightweight Directory Access Protocol (LDAP) over Secure Sockets Layer (SSL), also called Secure LDAP. LDAPS uses Transport Layer Security (TLS)/SSL to secure the connection with a client. The default port for LDAPS is 636. The communication between the client and the LDAP server is encrypted.

Domain

4.0 Security Operations

Question 41Skipped

A production system unexpectedly crashed during business operations. During the root cause analysis, it was found that several new configurations had been applied without any proper record. What is the process that has failed?

Risk management

Explanation

Risk management involves identifying, assessing, and mitigating risks to the system to protect against potential threats and vulnerabilities. While risk management is crucial for overall system security, the issue of new configurations causing a system crash is more directly related to a failure in change management processes.

Patch management

Explanation

Patch management involves the process of identifying, acquiring, installing, and verifying patches for software applications to address security vulnerabilities and improve system stability. While patch management is important for system security, the unexpected crash in this scenario is more likely related to a failure in another process.

Configuration management

Explanation

Configuration management focuses on maintaining accurate records of system configurations, including hardware, software, settings, and dependencies. While the issue in this scenario involves new configurations being applied without proper records, the root cause is more closely related to a different process.

Correct answer

Change management

Explanation

Change management is the process of controlling changes to the system environment, including documenting, approving, and implementing changes to prevent disruptions and maintain system stability. In this scenario, the unexpected crash occurred due to new configurations being applied without proper documentation, indicating a failure in the change management process.

Overall explanation

5.1 Summarize elements of effective security governance.

Change management is a framework for analyzing, assessing, and applying changes to processes and systems to avoid unforeseen disruption to services and downtime. If proper change management was in place, the new configurations would have been tested and approved to minimize the risk of crashes during implementation.

Domain

5.0 Security Program Management and Oversight

Question 42Skipped

The secretary of a legal firm recently left her mobile phone unattended without locking her screen because she felt too lazy to always unlock it. She noticed a very large file had been onboarded onto her phone that would probably have taken hours to download. She recalls that on some occasions she was not with her phone, however, never for that long. What mechanism did the threat actor use to upload this unknown file onto her phone?

NFC

Explanation

NFC (Near Field Communication) requires devices to be in close proximity (within a few centimeters) for data transfer. It is unlikely that a threat actor could have used NFC to upload a large file onto the secretary’s phone without her knowledge, especially if she was not physically near the attacker.

Correct answer

USB OTG

Explanation

USB OTG (On-The-Go) allows devices like smartphones to act as a host and connect to other USB devices, such as computers, keyboards, or storage devices. A threat actor could have used a USB OTG connection to quickly upload the large file onto the secretary’s phone without her knowledge.

Bluetooth

Explanation

Bluetooth connections usually require pairing and authorization before file transfers can occur. It is unlikely that a threat actor could have used Bluetooth to upload a large file onto the secretary’s phone without her knowledge, especially if she was not in close proximity to the attacker.

WiFi

Explanation

WiFi alone would not allow a threat actor to upload a large file onto the secretary’s phone without her knowledge, especially if the phone was not connected to an unsecured network. WiFi connections typically require some form of authentication or permission to transfer files.

Overall explanation

2.4 Given a scenario, analyze indicators of malicious activity.

USB On-The-Go (OTG) allows devices to transfer data between one another without requiring a computer to process the data transfer. The hacker most likely used USB OTG to transfer the large file while the secretary was not with her phone.

Domain

2.0 Threats, Vulnerabilities, and Mitigations

Question 43Skipped

Robert is new to the security operations center. He is left wondering what he will do if a security incident ever occurs. What can help Robert clear his doubts?

Incident Response

Explanation

While incident response is a key aspect of managing security incidents, it is a broader term that refers to the overall process of detecting, responding to, and recovering from a security breach. Incident response outlines the overall phases but does not offer the detailed, step-by-step guidance that a playbook does. In this case, Robert needs a playbook to address specific actions during an incident rather than the general framework of incident response.

Root cause analysis

Explanation

Root cause analysis is a process used to identify the underlying cause of a security incident or problem. While it is an important step in incident response, it may not provide Robert with clear guidance on what specific actions to take when a security incident occurs.

Correct answer

Playbook

Explanation

A playbook in a Security Operations Center is a predefined set of instructions or protocols designed to guide personnel like Robert during specific security incidents. It provides detailed, step-by-step procedures on what actions to take based on the type of incident. This can help Robert understand his role, reduce confusion, and ensure a timely, structured response. Playbooks are critical for ensuring consistency in incident handling and are tailored to various scenarios such as malware outbreaks, data breaches, and phishing attempts.

Forensics

Explanation

Forensics involves the collection, preservation, analysis, and presentation of evidence related to a security incident. While it is an important aspect of investigating security incidents, it may not provide Robert with immediate guidance on what actions to take during an incident.

Overall explanation

5.1 Summarize elements of effective security governance.

A security playbook is a document that gives step-by-step instructions on what to do when a security incident occurs. It allows organizations to seamlessly go through the incident response lifecycle as per their defined strategies and techniques.

Domain

5.0 Security Program Management and Oversight

Question 44Skipped

Robert is a cybersecurity specialist at a bank. He wants to harden one of the servers that will be used for a new payment gateway that connects to their core banking system. What is a proper measure he should take to harden the server?

Clear the registry cache

Explanation

Clearing the registry cache is not a proper measure to harden a server for security purposes. It may help with performance optimization, but it does not directly contribute to server hardening and security enhancement.

Disable third party applications

Explanation

Disabling third-party applications may be necessary if they pose security risks, but it is not a general hardening measure for a server. Hardening typically involves securing the server configuration, limiting access, and implementing security best practices to protect against potential threats.

Correct answer

Disable unused ports and services

Explanation

Disabling unused ports and services is a proper measure to harden a server for security. By disabling unnecessary ports and services, Robert can reduce the attack surface and minimize potential entry points for attackers, thereby enhancing the server’s security posture.

Scan the server using Nessus

Explanation

Scanning the server using Nessus is a good practice for vulnerability assessment, but it is not a direct measure to harden the server. Vulnerability scanning helps identify potential security weaknesses, but hardening involves implementing specific security measures to reduce the attack surface.

Overall explanation

2.5 Explain the purpose of mitigation techniques used to secure the enterprise.

By disabling unused ports and services, the attack vector of the hacker is reduced as they cannot form a communication path through the disabled port.

Domain

2.0 Threats, Vulnerabilities, and Mitigations

Question 45Skipped

Which metric can be used to estimate how long the system can be operating smoothly before a crash or failure?

RPO

Explanation

RPO (Recovery Point Objective) is the maximum acceptable amount of data loss in case of a system failure. It does not estimate how long the system can operate smoothly before a crash or failure.

RTO

Explanation

RTO (Recovery Time Objective) is the maximum acceptable downtime for a system after a failure. It does not estimate how long the system can operate smoothly before a crash or failure.

Correct answer

MTBF

Explanation

MTBF (Mean Time Between Failures) is the metric used to estimate how long a system can operate smoothly before a crash or failure. It calculates the average time between failures in a system.

MTTR

Explanation

MTTR (Mean Time To Repair) is the average time it takes to repair a system after a failure has occurred. It does not estimate how long the system can operate smoothly before a crash or failure.

Overall explanation

5.2 Explain elements of the risk management process.

The mean time between failures (MTBF) is the average time between two consecutive system failures. It is a critical metric for performance measurement to assess the estimated time between the next possible system outage.

Domain

5.0 Security Program Management and Oversight

Question 46Skipped

A small company wants to invest in its physical security but has a low budget. They have opted to put a large sign on their fence warning intruders to stay out of their property or face the risk of danger. What type of control has the company used?

Correct answer

Deterrent

Explanation

A Deterrent control is designed to discourage unauthorized access or behavior by warning potential intruders of the consequences of their actions. The large sign on the fence warning intruders to stay out or face danger is a classic example of a deterrent control, as it aims to prevent security incidents by dissuading individuals from attempting to breach the property.

Compensating

Explanation

A Compensating control is used to mitigate risks when primary controls are not feasible or effective. It is typically used as an alternative measure to address security vulnerabilities. The large sign on the fence, in this case, is not serving as a compensating control but rather as a proactive measure to deter potential intruders.

Corrective

Explanation

A Corrective control is implemented to restore systems or processes to their normal state after a security incident has occurred. It involves taking actions to correct the effects of a breach and prevent similar incidents in the future. The large sign on the fence does not fall under the category of corrective controls, as it is focused on preventing security incidents rather than responding to them.

Detective

Explanation

A Detective control is used to identify security incidents after they have occurred. It involves monitoring and analyzing security events to detect potential threats or breaches. In this scenario, the large sign on the fence is not aimed at detecting security incidents but rather at preventing them from happening.

Overall explanation

1.1 Compare and contrast various types of security controls.

A deterrent control is a control used to demotivate a possible attacker from engaging in an attack by placing warnings or threats of severe consequences.

Domain

1.0 General Security Concepts

Question 47Skipped

A business has a critical function that needs to be up and running within 30 minutes if a disaster occurs. What is the term given for this time?

MTTR

Explanation

MTTR (Mean Time to Repair) refers to the average time it takes to repair a system or component after a failure. It is not specifically related to the time required to restore critical functions after a disaster within 30 minutes.

Correct answer

RTO

Explanation

RTO (Recovery Time Objective) is the term given for the time within which a critical function needs to be up and running after a disaster occurs. In this case, the business requires the critical function to be restored within 30 minutes, making RTO the correct term.

RPO

Explanation

RPO (Recovery Point Objective) refers to the maximum acceptable amount of data loss in case of a disaster. It is not related to the time required to restore critical functions after a disaster occurs within 30 minutes.

MTBF

Explanation

MTBF (Mean Time Between Failures) refers to the average time elapsed between two failures of a system or component. It is not related to the time required to restore critical functions after a disaster within 30 minutes.

Overall explanation

5.2 Explain elements of the risk management process.

The recovery time objective (RTO) is the amount of time that is allowed to elapse in the event of a disaster without services being restored. In other words, it is the upper limit on the time that should be needed to restore services after a disaster. This means that if a disaster makes a critical process with an RTO of 30 minutes unavailable, then all services should be restored and back to normal operations within 29 minutes and 59 seconds.

Domain

5.0 Security Program Management and Oversight

Question 48Skipped

Which load balancing configuration ensures the most availability of services during failover?

Passive-Passive

Explanation

Passive-Passive load balancing configuration involves multiple servers that are all passive and do not actively serve requests. This configuration does not ensure high availability during failover as none of the servers are actively handling traffic.

Passive-Active

Explanation

Passive-Active load balancing configuration has a passive server that becomes active only when the primary server fails. This configuration may result in a longer failover time and potentially lower availability compared to Active-Active configuration as the passive server needs to be activated before serving requests.

Active-Passive

Explanation

Active-Passive load balancing configuration involves one active server handling traffic while the passive server remains idle until failover is needed. This configuration may result in lower availability during failover compared to Active-Active configuration as the passive server needs time to become active.

Correct answer

Active-Active

Explanation

Active-Active load balancing configuration ensures the most availability of services during failover by distributing traffic evenly across multiple servers that are all actively serving requests. In the event of a failure, the remaining active servers can continue to handle traffic without interruption.

Overall explanation

3.2 Given a scenario, apply security principles to secure enterprise infrastructure.

The active-active load balancing configuration consists of a minimum of two nodes that are always up and running. If a single node fails, the traffic is automatically redirected to the other node ensuring continuously running services without downtime.

Domain

3.0 Security Architecture

Question 49Skipped

Robert is the administrator of his company’s security operations center. He wants to make sure that when an incident occurs, they have a proper incident response process in place. What is the first step that Robert should take in setting up the incident response process?

Identification

Explanation

Identification is an important step in the incident response process, but it comes after the preparation phase. During the identification phase, the security team identifies and confirms the occurrence of a security incident.

Containment

Explanation

Containment is a crucial step in the incident response process, but it typically follows the preparation phase. Containment involves taking immediate actions to prevent the incident from spreading further and causing more damage.

Recovery

Explanation

Recovery is an essential part of the incident response process, but it usually occurs after the preparation phase. Recovery involves restoring systems and data to their normal state after an incident has been contained and mitigated.

Correct answer

Preparation

Explanation

Preparation is the first step that Robert should take in setting up the incident response process. During the preparation phase, the security team establishes policies, procedures, and resources necessary to effectively respond to security incidents. This phase includes creating an incident response plan, defining roles and responsibilities, and conducting training and drills.

Overall explanation

4.8 Explain appropriate incident response activities.

The first step in the incident response process is preparation. All the preliminary activities that allow an organization to handle an incident proactively, should one occur, are done here. It is then followed by identification, containment, eradication, recovery, and finally lessons learned.

Domain

4.0 Security Operations

Question 50Skipped

Which of the following shall provide corporate security controls to applications installed on mobile devices?

Correct answer

MAM

Explanation

Mobile Application Management (MAM) is designed to provide security controls specifically to applications installed on mobile devices. It allows organizations to manage and secure corporate data within the applications without affecting personal data on the device, making it a suitable choice for corporate security controls.

BYOD

Explanation

Bring Your Own Device (BYOD) is a policy that allows employees to use their personal devices for work purposes. While BYOD can impact security controls, it is not specifically designed to provide security controls to applications installed on mobile devices.

COPE

Explanation

Corporate-Owned, Personally-Enabled (COPE) is a device ownership model where the organization provides the device to the employee but allows personal use. While COPE can implement security controls, its primary focus is on the device ownership model rather than providing security controls to individual applications.

MDM

Explanation

Mobile Device Management (MDM) focuses on managing and securing the entire mobile device, including settings, applications, and data. While MDM can provide security controls, its primary focus is on the device itself rather than individual applications.

Overall explanation

4.1 Given a scenario, apply common security techniques to computing resources.

Mobile Application Management (MAM) is software that allows organizations to place policies and security controls to manage and protect corporate data in mobile applications such as Microsoft Office, Google Chrome, Salesforce, etc.

Domain

4.0 Security Operations

Question 51Skipped

Which of the following attacks aims at finding identical password hashes?

Cloning

Explanation

Cloning does not target password hashes. In the exam's usage it refers to copying an identity credential or identifier, for example duplicating a payment card's magnetic stripe, a SIM, an RFID badge or a MAC address, so that the copy is accepted as the original.

Evil twin

Explanation

An evil twin attack involves setting up a rogue wireless access point to mimic a legitimate network in order to intercept sensitive information. It is not related to finding identical password hashes.

Correct answer

Collision

Explanation

Collision attacks aim at finding identical hashes by producing two different inputs that hash to the same value. A collision undermines any control that relies on the hash uniquely identifying its input, such as a password check that only compares hashes or a digital signature over a document.

Brute force

Explanation

Brute force attacks involve systematically trying all possible combinations of passwords until the correct one is found. While brute force attacks can be used to crack password hashes, they do not specifically target finding identical hashes.

Overall explanation

2.4 Given a scenario, analyze indicators of malicious activity.

A collision attack is one where the attacker attempts to find two inputs to a hash algorithm that produce the same (identical) hash value. If an original password, say "pa$$word", produces the hash "XX##XX", and another string, say "drow$$ap", is found that also produces "XX##XX", the attacker does not need to know "pa$$word" to pass authentication: "drow$$ap" works just as well, because the verifier only compares hashes. Two caveats a practitioner should keep in mind. First, finding a second input that matches a given, fixed hash is strictly a second-preimage attack and costs about 2^n work for an n-bit hash; a collision attack, where the attacker chooses both inputs, costs only about 2^(n/2) (the birthday bound), which is why MD5 and SHA-1 collisions are practical today while second preimages against them are not. Second, properly stored passwords (salted and hashed with a slow KDF such as bcrypt, scrypt, Argon2 or PBKDF2) are not put at risk by collision results; the realistic threat to password hashes is brute-force and dictionary guessing.
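A worked illustration of the distinction drawn above, added here as an example and not part of the original course material. It truncates SHA-256 to 16 bits (an assumption made only so both searches finish in well under a second; the relationship between the two attacks is the same at full width), runs a birthday-style collision search and a second-preimage search against "pa$$word", and shows that a verifier which only compares hashes accepts the second preimage.

```python
import hashlib
import itertools


def truncated_hash(data: bytes, bits: int) -> int:
    """SHA-256 truncated to its top `bits` bits.

    Truncation is purely to keep the demo fast; the cost ratio between the
    two attacks below holds for the full 256-bit digest as well.
    """
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def find_collision(bits: int):
    """Collision attack: ANY two distinct inputs with the same hash.

    The attacker controls both inputs, so by the birthday bound this needs
    only about 2**(bits/2) attempts. Returns (input_a, input_b, attempts).
    A collision is guaranteed within 2**bits + 1 attempts by pigeonhole.
    """
    seen = {}
    for i in itertools.count():
        msg = b"msg-%d" % i                 # distinct for every i
        h = truncated_hash(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg


def find_second_preimage(target: bytes, bits: int):
    """Second-preimage attack: a DIFFERENT input matching a GIVEN hash.

    This is what the "drow$$ap" scenario actually requires. The target hash
    is fixed, so it costs about 2**bits attempts. Returns (input, attempts).
    """
    want = truncated_hash(target, bits)
    for i in itertools.count():
        msg = b"alt-%d" % i
        if msg != target and truncated_hash(msg, bits) == want:
            return msg, i + 1


def naive_verify(stored_hash: int, candidate: bytes, bits: int) -> bool:
    """A verifier that only compares hashes accepts every preimage of the
    stored value, not just the original password."""
    return truncated_hash(candidate, bits) == stored_hash


if __name__ == "__main__":
    BITS = 16
    a, b, n = find_collision(BITS)
    print(f"collision after {n} tries: {a!r} and {b!r}")
    stored = truncated_hash(b"pa$$word", BITS)
    alt, m = find_second_preimage(b"pa$$word", BITS)
    print(f"second preimage of pa$$word after {m} tries: {alt!r}")
    print("naive verifier accepts it:", naive_verify(stored, alt, BITS))
```

Run it a few times and compare the two attempt counts: the collision typically appears after a few hundred tries, the second preimage after tens of thousands, which is the 2^(n/2) versus 2^n gap in miniature. With a real 256-bit digest neither search finishes, which is why the practical risk to password hashes lies elsewhere.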

Domain

2.0 Threats, Vulnerabilities, and Mitigations

Question 52Skipped

A system at a manufacturing firm has been hit with dangerous malware. The security analyst has tried all possible antivirus programs to remove the malware but still observes signs of the malware existing. This led the security analyst to reconstitute the system. What kind of malware has possibly hit the system at the manufacturing firm?

Virus

Explanation

Viruses are malicious software that can replicate themselves and infect other files on a system. While viruses can be harmful and difficult to remove, they do not typically have the same level of stealth and persistence as rootkits. Reconstituting the system may not be necessary if the malware is a virus.

Trojan

Explanation

Trojans are malware that disguise themselves as legitimate software to trick users into downloading and executing them. While Trojans can be dangerous and cause harm to a system, they are not typically as persistent and difficult to remove as rootkits. Reconstituting the system may not be necessary if the malware is a Trojan.

Correct answer

Rootkit

Explanation

Rootkits are a type of malware that are specifically designed to hide themselves and their activities on a system. They are known for being difficult to detect and remove, which explains why the security analyst was unable to completely remove the malware using traditional antivirus programs. Reconstituting the system is often necessary to completely eliminate a rootkit infection.

Backdoor

Explanation

Backdoors are a type of malware that provide unauthorized access to a system, allowing attackers to control the system remotely. While backdoors can be dangerous and pose a serious security risk, they are not typically as stealthy and persistent as rootkits. Reconstituting the system may not be necessary if the malware is a backdoor.

Overall explanation

2.4 Given a scenario, analyze indicators of malicious activity.

Rootkits are malware designed to hide from the operating system and its security tools, most dangerously by loading into the kernel (Ring 0), where they can tamper with the very APIs that antivirus relies on to enumerate files, processes and network connections. Bootkits and firmware rootkits sit lower still. Because a compromised kernel cannot be trusted to report on itself, removal in place is never certain, and the safe course is to reconstitute the system: re-install the operating system from trusted media and restore applications and files from a known-clean source. For a firmware-level rootkit even that is not enough; the firmware must be re-flashed or the hardware replaced.

Domain

2.0 Threats, Vulnerabilities, and Mitigations

Question 53Skipped

An operator at a bank has received a request from a client to perform a money transfer of $500,000. The bank operator first investigates the individual's bank profile, transaction history and bank records before authorizing the transfer. What principle has the operator shown?

Due care

Explanation

Due care refers to the responsibility of an individual to act in a manner that is considered reasonable and prudent to prevent harm to oneself or others. While the bank operator is being cautious and thorough in investigating the client’s profile, due care is a broader concept that encompasses a wider range of actions beyond just the investigation process.

Prudence

Explanation

Prudence involves the use of good judgment and common sense in decision-making and actions. While the bank operator is demonstrating prudence by thoroughly investigating the client’s profile before authorizing the transfer, the specific principle being exhibited in this scenario is more closely related to due diligence.

Correct answer

Due diligence

Explanation

Due diligence is the principle of conducting a thorough and comprehensive investigation or review before making a decision or taking action. In this scenario, the bank operator is following the principle of due diligence by carefully examining the client’s bank profile, transaction history, and records before authorizing the significant money transfer.

Attestation

Explanation

Attestation refers to the act of affirming or verifying the accuracy or truthfulness of a statement or document. While the bank operator may need to attest to the legitimacy of the money transfer and the client’s identity, the primary principle being demonstrated in this scenario is due diligence through the thorough investigation of the client’s information.

Overall explanation

5.4 Summarize elements of effective security compliance.

Due diligence is the act of making cautious choices and decisions to reduce the risk of unintended downsides when performing activities. It involves having a clear understanding of how to deal with various situations and responding to them in the most feasible way possible.

Domain

5.0 Security Program Management and Oversight

Question 54Skipped

Which of the following is a protocol developed by Cisco to monitor the flow of traffic?

NXLog

Explanation

NXLog is not a protocol developed by Cisco for monitoring traffic flow. It is a tool used for log management and log collection in various operating systems and environments.

sFlow

Explanation

sFlow is a protocol developed by InMon Corporation, not Cisco, to monitor network traffic and provide real-time visibility into network activity. It is not specifically associated with Cisco.

Correct answer

NetFlow

Explanation

NetFlow is a protocol developed by Cisco to monitor the flow of traffic within a network. It collects and analyzes network traffic data to provide insights into network performance, security, and usage patterns.

xFlow

Explanation

xFlow is a generic term used to refer to different flow monitoring protocols, including NetFlow, sFlow, and others. It is not a specific protocol developed by Cisco for monitoring traffic flow.

Overall explanation

4.4 Explain security alerting and monitoring concepts and tools.

NetFlow is a protocol used to collect and monitor traffic flows in a network. Cisco developed it in the mid-1990s to export summary records about IP traffic traversing routers, switches and other network devices. Each record describes one flow (source and destination address, ports, protocol, packet and byte counts, TCP flags, timestamps) rather than packet contents, which makes flow data a compact source for spotting exfiltration, scanning and beaconing across a whole network.
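To make the record format concrete, the following added example (not from the course, and not Cisco's code) decodes a NetFlow v5 export packet with the standard library and runs two simple detections over the flows. The packet is constructed in the block itself from the published v5 layout (24-byte header, 48-byte records, big-endian); the addresses, byte counts and thresholds are invented for illustration.

```python
import socket
import struct

# NetFlow v5 export format: 24-byte header followed by `count` 48-byte
# flow records, all fields big-endian.
HEADER_FMT = "!HHIIIIBBH"
HEADER_FIELDS = ("version", "count", "sys_uptime", "unix_secs", "unix_nsecs",
                 "flow_sequence", "engine_type", "engine_id", "sampling_interval")
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)   # 48
SYN = 0x02


def parse_netflow_v5(packet: bytes):
    """Decode one v5 export packet into (header dict, list of record dicts).

    Rejects other versions and packets whose `count` claims more records
    than the payload carries (a common corruption/fuzzing case).
    """
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than NetFlow v5 header")
    header = dict(zip(HEADER_FIELDS, struct.unpack(HEADER_FMT, packet[:HEADER_LEN])))
    if header["version"] != 5:
        raise ValueError(f"unsupported NetFlow version {header['version']}")
    if len(packet) < HEADER_LEN + header["count"] * RECORD_LEN:
        raise ValueError("truncated packet: count exceeds payload length")
    records = []
    for i in range(header["count"]):
        off = HEADER_LEN + i * RECORD_LEN
        r = struct.unpack(RECORD_FMT, packet[off:off + RECORD_LEN])
        records.append({
            "src": socket.inet_ntoa(r[0]), "dst": socket.inet_ntoa(r[1]),
            "packets": r[5], "bytes": r[6],
            "sport": r[9], "dport": r[10], "tcp_flags": r[12], "proto": r[13],
        })
    return header, records


def flag_flows(records, internal_prefix="10.0.0.", egress_threshold=50_000_000, scan_ports=20):
    """Two flow-based detections (thresholds are illustrative):
    - large_egress: an internal host sending many bytes to an external host
    - port_scan: one source touching many distinct ports on one destination
    """
    alerts = []
    ports_seen = {}
    for r in records:
        internal_src = r["src"].startswith(internal_prefix)
        internal_dst = r["dst"].startswith(internal_prefix)
        if internal_src and not internal_dst and r["bytes"] >= egress_threshold:
            alerts.append(("large_egress", r["src"], r["dst"], r["bytes"]))
        ports_seen.setdefault((r["src"], r["dst"]), set()).add(r["dport"])
    for (src, dst), ports in ports_seen.items():
        if len(ports) >= scan_ports:
            alerts.append(("port_scan", src, dst, len(ports)))
    return alerts


# --- constructed sample export (not a real capture) ------------------------
def _record(src, dst, sport, dport, proto, packets, octets, tcp_flags=0):
    return struct.pack(RECORD_FMT, socket.inet_aton(src), socket.inet_aton(dst),
                       socket.inet_aton("0.0.0.0"), 1, 2, packets, octets,
                       1000, 2000, sport, dport, 0, tcp_flags, proto, 0,
                       0, 0, 24, 24, 0)


def sample_packet() -> bytes:
    """One normal internal web flow, one 200 MB upload to an external host,
    and 25 SYN-only probes from one external host to one internal server."""
    flows = [
        _record("10.0.0.12", "10.0.0.5", 52000, 443, 6, 40, 31_000, 0x18),
        _record("10.0.0.12", "203.0.113.7", 52001, 443, 6, 150_000, 200_000_000, 0x18),
    ]
    flows += [_record("198.51.100.9", "10.0.0.5", 40000 + p, p, 6, 1, 60, SYN)
              for p in range(1, 26)]
    header = struct.pack(HEADER_FMT, 5, len(flows), 123_456, 1_700_000_000, 0, 1, 0, 0, 0)
    return header + b"".join(flows)


if __name__ == "__main__":
    hdr, recs = parse_netflow_v5(sample_packet())
    print(f"v{hdr['version']} export carrying {hdr['count']} flows")
    for alert in flag_flows(recs):
        print(alert)
```

The length check before unpacking matters in a real collector: a v5 header's `count` field is attacker-influenced on an open UDP port, and trusting it blindly is how a flow collector ends up reading past the end of the datagram.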

Domain

4.0 Security Operations

Question 55Skipped

Which of the following malware replicates on its own to spread across an uninfected network?

Backdoor

Explanation

A backdoor is a type of malware that provides unauthorized access to a system by bypassing normal authentication mechanisms. While backdoors can be used to spread malware and create additional entry points for attackers, they do not have the ability to independently replicate and spread across a network like worms do.

RAT

Explanation

A RAT (Remote Access Trojan) is a type of malware that allows an attacker to remotely control a compromised system. While RATs can be used to spread malware and infect other systems, they do not have the inherent ability to replicate on their own like worms do.

Correct answer

Worm

Explanation

A worm is a type of malware that can replicate itself and spread across a network without needing to attach itself to a host program. It can independently spread to other systems and devices, making it a self-replicating threat that can quickly infect an entire network.

Virus

Explanation

A virus is a type of malware that needs to attach itself to a host program or file in order to replicate and spread. Unlike worms, viruses cannot independently spread across a network without user interaction to execute the infected file or program.

Overall explanation

2.4 Given a scenario, analyze indicators of malicious activity.

A worm is malware that spreads on its own across a network by self-replication. Once a device is infected, the worm attempts to infect every other reachable device, typically by exploiting a network-facing vulnerability or weak credentials. A worm does not need to attach itself to another file or host program, and it needs no user action to propagate.

Domain

2.0 Threats, Vulnerabilities, and Mitigations

Question 56Skipped

The human resources department of a large business firm is handling many applications for various job positions. They want to make sure that the people applying for the job are reputable and who they say they are. What technique should they use to ensure this?

Onboarding

Explanation

Onboarding is the process of integrating a new employee into the organization, providing them with the necessary information, tools, and training to be successful in their role. While onboarding may include verifying the identity of the new employee, it is not specifically designed to ensure that job applicants are reputable and who they claim to be.

Correct answer

Background checks

Explanation

Background checks involve verifying the identity, criminal history, employment history, education, and other relevant information of job applicants. By conducting background checks, the human resources department can ensure that the people applying for the job are reputable and who they claim to be. This technique helps in maintaining the integrity and security of the organization.

Measurement systems analysis

Explanation

Measurement systems analysis is a statistical method used to evaluate the performance and reliability of measurement systems in manufacturing processes. While this technique is important for quality control and process improvement, it is not directly related to verifying the identity and reputation of job applicants.

Non-disclosure agreement

Explanation

Non-disclosure agreements (NDAs) are legal contracts that protect confidential information shared between parties. While NDAs are important for safeguarding sensitive information within the organization, they do not directly address the issue of verifying the identity and reputation of job applicants.

Overall explanation

5.1 Summarize elements of effective security governance.

Background checks are verification procedures that organizations use to verify or confirm the previous places that the applicant or employee worked or studied, their criminal history, and other information related to them.

Domain

5.0 Security Program Management and Oversight

Question 57Skipped

Robert wanted to send his credit card number to Roberto via his organization email. He tried several times, but his email kept getting blocked. What is preventing Robert from sending this email to Roberto?

Correct answer

DLP

Explanation

Data Loss Prevention (DLP) policies are designed to prevent sensitive information, such as credit card numbers, from being sent via email. In this case, the DLP policy is likely detecting the credit card number in the email content and blocking the email from being sent to protect sensitive information.

Spam filter

Explanation

Spam filters are used to identify and block unsolicited or unwanted emails. While spam filters can sometimes block legitimate emails, they are not typically configured to specifically block emails containing credit card numbers unless they are part of a broader data protection policy.

Proxy

Explanation

Proxies act as intermediaries between users and the internet, providing additional security and privacy. While proxies can sometimes block certain types of traffic, they are not typically configured to specifically block emails containing credit card numbers unless they are part of a broader security policy.

Firewall

Explanation

Firewalls are network security devices that monitor and control incoming and outgoing network traffic based on predetermined security rules. While firewalls can block certain types of traffic, they are not specifically designed to block emails containing credit card numbers.

Overall explanation

4.5 Given a scenario, modify enterprise capabilities to enhance security.

Data Loss Prevention (DLP) is a security solution that protects an organization from data leakage, theft and unauthorized destruction. Integrated into the email system, it inspects outgoing messages and attachments against defined policies and blocks those carrying sensitive data. Although Robert had no malicious intent, the DLP tool matched the credit card number (typically by pattern plus a check-digit test, so that other 16-digit numbers do not trigger it) and treated the message as a possible exfiltration of confidential data, which is why it was blocked every time he tried.
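The detection logic such an email DLP policy runs, as an added example that is not part of the course material or any vendor's product. It finds candidate card numbers by pattern, confirms them with the Luhn check digit so that order numbers and other digit runs are not flagged, identifies the brand by prefix, and returns a block/allow decision with the findings masked for logging. The sample message is constructed; the card numbers in it are publicly documented test numbers, not real accounts.

```python
import re

# Candidate primary account numbers: 13 to 19 digits, optionally separated
# by single spaces or hyphens, and not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check: every issued card number passes it, most random digit
    strings do not, which removes the bulk of DLP false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def card_brand(digits: str):
    """Issuer identification by prefix and length for the three brands
    named in the question."""
    n = len(digits)
    if digits[0] == "4" and n in (13, 16, 19):
        return "Visa"
    if digits[:2] in ("34", "37") and n == 15:
        return "AmEx"
    two, four = int(digits[:2]), int(digits[:4])
    if (51 <= two <= 55 or 2221 <= four <= 2720) and n == 16:
        return "Mastercard"
    return None


def find_pans(text: str):
    """Return [(brand, digits), ...] for every Luhn-valid card number found."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        brand = card_brand(digits)
        if brand and luhn_ok(digits):
            hits.append((brand, digits))
    return hits


def dlp_decision(subject: str, body: str):
    """Policy: any card number in an outbound mail blocks it.
    Findings are masked to the last four digits so the DLP log itself
    does not become a second copy of the sensitive data."""
    hits = find_pans(subject + "\n" + body)
    if not hits:
        return "allow", []
    return "block", [f"{brand} ending {digits[-4:]}" for brand, digits in hits]


# Constructed sample message (test numbers, not real accounts).
SAMPLE_BODY = """Hi Roberto,
use my card 4111 1111 1111 1111 for the booking, or the AmEx 3782-822463-10005.
Quote order 1234-5678-9012-3456 when you call them.
"""

if __name__ == "__main__":
    print(dlp_decision("booking", SAMPLE_BODY))
```

The order number in the sample is 16 digits and formatted like a card, but it fails the Luhn check and has no recognised prefix, so it is not reported; that is the difference between a usable DLP rule and one that users learn to route around.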

Domain

4.0 Security Operations

Question 58Skipped

Which of the following sites takes the longest time to recover services?

Warm site

Explanation

A warm site is a middle ground between a hot site and a cold site. It has some pre-configured infrastructure and data backups, but it still requires additional setup and configuration before it can fully recover services. It takes longer to recover compared to a hot site but shorter than a cold site.

Hot site

Explanation

A hot site is a fully operational data center with up-to-date copies of data and infrastructure ready to take over in case of a disaster. It has the shortest recovery time compared to other sites because it can quickly resume services with minimal downtime.

Correct answer

Cold site

Explanation

A cold site takes the longest time to recover services because it does not have any pre-configured infrastructure or data in place. In the event of a disaster, all systems and data need to be set up and restored from scratch, leading to a significant downtime.

Mobile site

Explanation

A mobile site is a temporary location or setup that can be used to quickly resume essential services in case of a disaster. While it may not have all the resources of a hot site, it is designed for rapid deployment and can help maintain critical operations during emergencies.

Overall explanation

3.4 Explain the importance of resilience and recovery in security architecture.

A cold site is a recovery location with no computing equipment installed. It contains only basic facilities such as power, communication cabling, and heating, ventilation, and air conditioning (HVAC). In the event of a disaster, a cold site takes the longest time to bring normal operations back up, because equipment must be procured, installed and configured and data restored before any service can run.

Domain

3.0 Security Architecture

Question 59Skipped

A user at an organization uses the corporate network to hide their identity and perform illegal gambling on the dark web. What policy is the user breaking?

Correct answer

Acceptable use policy

Explanation

The user is breaking the Acceptable Use Policy by using the corporate network for illegal activities such as gambling on the dark web. The Acceptable Use Policy typically outlines the acceptable behaviors and activities that users are allowed to engage in while using the organization’s resources.

Dark Web policy

Explanation

While the organization may have specific policies related to accessing the dark web, the user’s actions primarily violate the Acceptable Use Policy by engaging in illegal activities. The Dark Web policy, if it exists, would likely prohibit accessing the dark web for any purpose.

Gambling policy

Explanation

The user is not specifically breaking a "Gambling Policy" as this may not be a standalone policy within the organization. The illegal gambling activity falls under the broader umbrella of violating the Acceptable Use Policy.

Corporate policy

Explanation

The user’s actions are in violation of the organization’s Corporate Policy, but the specific policy that is being broken in this scenario is the Acceptable Use Policy, which governs the appropriate use of corporate resources.

Overall explanation

5.1 Summarize elements of effective security governance.

An acceptable use policy (AUP) is a document signed by a user of corporate resources agreeing to use them in an ethical manner and adhere to the guidelines for the proper usage of the corporate assets. The policy outlines the do’s and don’ts for the justifiable usage of enterprise resources.

Domain

5.0 Security Program Management and Oversight

Question 60Skipped

Robert recently wanted to charge his phone while he was at his university. Unfortunately, he had forgotten his charging cable. A mysterious stranger offered him a cable to charge his phone. To his surprise when he went home, his phone started misbehaving and became extremely slow when connected to the internet, even after he paused all updates. What could have caused this?

Skimming

Explanation

Skimming is a type of attack where a malicious actor steals credit card information by using a device that captures data from the magnetic stripe of a card. Skimming would not be the cause of Robert’s phone behaving slowly when connected to the internet, as it is unrelated to phone performance issues.

Brute force

Explanation

Brute force is a method used to crack passwords by systematically trying all possible combinations until the correct one is found. In this scenario, brute force would not be the cause of Robert’s phone behaving slowly when connected to the internet, as it is typically used for password attacks and not for causing general device slowdown.

Ransomware

Explanation

Ransomware is a type of malware that encrypts a user’s files and demands payment in exchange for the decryption key. While ransomware can cause a device to slow down, it typically does not manifest in the form of general device slowdown when connected to the internet. Therefore, ransomware is unlikely to be the cause of Robert’s phone performance issues in this scenario.

Correct answer

Malicious USB cable

Explanation

A malicious USB cable could have infected Robert's phone with malware or given an attacker a remote channel into it. That would explain the erratic behaviour and the slowdown whenever the phone is online, even with updates paused: a command-and-control connection or data being uploaded from the device. This is the cable variant of a "juice jacking" attack, a term more often used for a tampered public charging port or kiosk; in both cases the charging connection doubles as a data connection.

Overall explanation

5.6 Given a scenario, implement security awareness practices.

A malicious Universal Serial Bus (USB) cable looks like an ordinary charging cable but contains hidden electronics that do something other than normal USB charging or data transfer. Typical capabilities are enumerating as a keyboard (HID) to inject keystrokes into the connected device, and a small radio (Wi-Fi or Bluetooth) that lets the attacker control the cable remotely and push malware or commands onto the device. The defence is to charge only with your own cable or a power-only adapter, and never to accept a cable or charger from a stranger.

Domain

5.0 Security Program Management and Oversight

Question 61Skipped

Below is an HTTP GET request for an attack on the host robertkaramagi.com. What kind of an attack is this?

GET http://robertkaramagi.com/show.asp?view=../../../../../Windows/system.ini HTTP/1.1

Host: robertkaramagi.com

Correct answer

Directory traversal

Explanation

This is a directory traversal attack (also known as path traversal), where the attacker manipulates the URL by using "../" sequences to navigate outside the intended directory. The goal is to access sensitive files or directories that should not be accessible, such as configuration files (e.g., "system.ini"). This kind of attack exploits inadequate input validation, allowing attackers to read files from a different directory than the web application is designed to serve. In this case, the attacker is trying to access the "Windows/system.ini" file by exploiting directory navigation.

SQL Injection

Explanation

SQL Injection is an attack that targets databases by injecting malicious SQL code into a query to manipulate or retrieve sensitive data. SQL injection typically involves appending SQL queries in input fields to exploit vulnerabilities in a database system. In this case, the HTTP request is attempting to access files directly via URL manipulation, not interacting with a database, so SQL injection is not relevant here.

Replay attack

Explanation

A replay attack involves capturing and reusing legitimate communication packets between a client and server in an attempt to impersonate a user or gain unauthorized access. It often targets authentication mechanisms or network protocols. However, this scenario does not involve capturing or replaying traffic; it involves manipulating a URL to access restricted files, which is why it does not match the characteristics of a replay attack.

Buffer overflow

Explanation

A buffer overflow attack occurs when an attacker sends more data to a buffer (memory area) than it can handle, causing the application to overwrite adjacent memory locations. This attack is typically aimed at injecting malicious code or causing a system crash, but it is unrelated to directory traversal. In this scenario, there is no indication of memory manipulation or buffer overflows.

Overall explanation

2.4 Given a scenario, analyze indicators of malicious activity.

A directory traversal attack is one where the attacker tries to read files on the web server hosting the application by placing path sequences, rather than commands, in the URL (Uniform Resource Locator) or another parameter. Each ../ steps up one directory, so repeating it walks out of the folder the application intends to serve and into the rest of the filesystem; where the application also writes files, the same flaw may let the attacker modify files or drop code on the server. Attackers commonly URL-encode the sequence (%2e%2e%2f), double-encode it, or use backslashes on Windows to get past naive filters. The fix is to canonicalize the requested path and verify that it still lies under the document root before opening it.
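The flaw and its fix side by side, as an added example rather than code from the course or from the site in the question. `vulnerable_resolve` mirrors what `show.asp?view=` effectively does (concatenate the parameter onto the document root); `safe_resolve` decodes, normalizes and then proves the result is still inside the root. The document root `/var/www/site` and the access-log lines are assumptions constructed for the demo. Path handling is done lexically with `posixpath` so the block runs without touching a real filesystem.

```python
import posixpath
import re
from urllib.parse import unquote

WEB_ROOT = "/var/www/site"   # hypothetical document root for this example


def vulnerable_resolve(view: str) -> str:
    """The bug: the parameter is glued onto the docroot and handed to the
    filesystem. normpath shows where the request really lands."""
    return posixpath.normpath(WEB_ROOT + "/" + view)


def safe_resolve(view: str) -> str:
    """Hardened version: decode, neutralize separators, normalize, then
    check containment before any file access."""
    decoded = unquote(unquote(view))                  # %2e%2e%2f and double encoding
    if "\x00" in decoded:
        raise PermissionError("NUL byte in path")
    decoded = decoded.replace("\\", "/").lstrip("/")  # Windows separators, absolute paths
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, decoded))
    if candidate != WEB_ROOT and not candidate.startswith(WEB_ROOT + "/"):
        raise PermissionError(f"path escapes document root: {candidate}")
    return candidate


def is_allowed(view: str) -> bool:
    try:
        safe_resolve(view)
        return True
    except PermissionError:
        return False


# Detection side: the same sequences, in the encodings attackers use, are
# easy to spot in web server access logs.
TRAVERSAL_RE = re.compile(r"\.\./|\.\.\\|%2e%2e|\.%2e|%2e\.|\.\.%2f|\.\.%5c", re.IGNORECASE)


def flag_traversal(log_lines):
    return [line for line in log_lines if TRAVERSAL_RE.search(line)]


SAMPLE_LOG = [  # constructed, not real traffic
    '203.0.113.9 - - [10/Oct/2024:12:00:01 +0000] "GET /show.asp?view=../../../../../Windows/system.ini HTTP/1.1" 200 219',
    '203.0.113.9 - - [10/Oct/2024:12:00:02 +0000] "GET /show.asp?view=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 404 162',
    '198.51.100.4 - - [10/Oct/2024:12:00:03 +0000] "GET /show.asp?view=images/logo.png HTTP/1.1" 200 8812',
]

if __name__ == "__main__":
    attack = "../../../../../Windows/system.ini"
    print("vulnerable:", vulnerable_resolve(attack))
    print("hardened allows attack:", is_allowed(attack))
    print("hardened allows logo:", is_allowed("images/logo.png"))
    for line in flag_traversal(SAMPLE_LOG):
        print("ALERT", line.split('"')[1])
```

The containment check is lexical; on a real server follow it with `os.path.realpath` on the candidate and repeat the prefix test, because a symlink inside the document root can otherwise point back out of it.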

Domain

2.0 Threats, Vulnerabilities, and Mitigations

Question 62Skipped

Which of the following attack techniques leverage mistakes made by users as they type in the letters of a website they want to browse?

Pretexting

Explanation

Pretexting is a social engineering technique where attackers create a false scenario to manipulate individuals into providing sensitive information. It does not involve leveraging mistakes made by users while typing in website URLs.

Pharming

Explanation

Pharming is a type of cyber attack where attackers redirect a website’s traffic to a fake website by compromising the DNS server or by poisoning the DNS cache. It does not involve leveraging mistakes made by users while typing in website URLs.

Hoax

Explanation

A hoax is a deceptive act or scheme intended to trick individuals into believing something false. It does not involve leveraging mistakes made by users while typing in website URLs.

Correct answer

Typosquatting

Explanation

Typosquatting is a type of attack where attackers register domain names that are similar to popular websites with the intention of capturing traffic from users who mistype the website URL. This technique leverages mistakes made by users as they type in website URLs.

Overall explanation

2.2 Explain common threat vectors and attack surfaces.

Typosquatting is also known as Uniform Resource Locator (URL) hijacking. It is a social engineering technique where the attacker registers domain names that are very similar to those of popular websites but differ by a character or two, in the hope that a user navigating to the real site will make a spelling error, or "typo", and land on the malicious site, which is built to look like the genuine one. An example would be typosquatting www.microsoft.com with domains such as www.microsft.com or www.micrsoft.com: the attacker hopes that a user will drop an "o" and be sent to a lookalike of Microsoft's website that harvests credentials or serves malware. Many organizations now defensively register the common misspellings of their own domains and redirect them to the genuine site, and brand-monitoring services watch new registrations for lookalikes.
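How a brand-monitoring check generates the misspellings it watches for, as an added example that is not part of the course material or any monitoring product. It produces the four classic typo classes (omitted letter, doubled letter, adjacent-key substitution, transposed neighbours) for a brand domain and intersects them with a list of observed registrations; the observed list is constructed for the demo. Homoglyph tricks such as "rn" for "m" are a different class and are deliberately not generated here.

```python
# Neighbouring keys on a QWERTY layout, used for adjacent-key substitutions.
ADJACENT = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr",
    "f": "drtgvc", "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn",
    "k": "jiolm", "l": "kop", "m": "njk", "n": "bhjm", "o": "iklp",
    "p": "ol", "q": "wa", "r": "edft", "s": "awedxz", "t": "rfgy",
    "u": "yhji", "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu", "z": "asx",
}


def typo_variants(domain: str):
    """All single-keystroke misspellings of the registrable label.

    Classes: omission (microsft), repetition (microsooft), adjacent key
    (microsodt) and transposition (mircosoft). The TLD is left alone.
    """
    name, tld = domain.lower().rsplit(".", 1)
    out = set()
    for i, ch in enumerate(name):
        out.add(name[:i] + name[i + 1:])                         # omission
        out.add(name[:i] + ch + name[i:])                        # repetition
        for key in ADJACENT.get(ch, ""):
            out.add(name[:i] + key + name[i + 1:])               # adjacent key
        if i + 1 < len(name):
            out.add(name[:i] + name[i + 1] + ch + name[i + 2:])  # transposition
    out.discard(name)
    return {f"{v}.{tld}" for v in out}


def find_lookalikes(brand: str, observed_domains):
    """Observed registrations that are one typo away from the brand."""
    observed = {d.lower() for d in observed_domains}
    return sorted(observed & typo_variants(brand))


# Constructed list standing in for a feed of newly registered domains.
OBSERVED = ["microsft.com", "mircosoft.com", "google.com", "MICRSOFT.com",
            "rnicrosoft.com", "microsoft.com"]

if __name__ == "__main__":
    variants = typo_variants("microsoft.com")
    print(f"{len(variants)} candidate typo domains")
    print("lookalikes seen:", find_lookalikes("microsoft.com", OBSERVED))
```

The same generator is what a defender uses to decide which misspellings to register pre-emptively, and what a phishing-detection rule can use to flag sender domains in inbound mail.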

Domain

2.0 Threats, Vulnerabilities, and Mitigations

Question 63Skipped

What are MFA factors? Select all that apply.

Something you trust

Explanation

"Something you trust" is not a valid MFA factor. MFA factors are based on tangible and verifiable elements that can be used to authenticate the user’s identity.

Correct selection

Something you are

Explanation

"Something you are" refers to biometric characteristics unique to the user, such as fingerprints, facial recognition, or iris scans. This factor is used in MFA to provide a high level of security by verifying the user’s physical traits.

Correct selection

Something you have

Explanation

"Something you have" refers to physical items that the user possesses, such as a smart card, a security token, or a mobile device. This factor is commonly used in MFA to enhance security.

Correct selection

Something you know

Explanation

"Something you know" refers to information that only the user should know, such as a password or a PIN. This factor is commonly used in MFA to verify the user’s identity.

Something you think

Explanation

"Something you think" is not a valid MFA factor. MFA factors are based on tangible and verifiable elements, not subjective thoughts.

Something you believe

Explanation

"Something you believe" is not a valid MFA factor. MFA factors are based on concrete and objective elements that can be used to verify the user’s identity.

Overall explanation

4.6 Given a scenario, implement and maintain identity and access management.

The factors of multifactor authentication are:

Something you know – a password or a PIN

Something you have – a token fob generating a one-time password (OTP), a smart card, or an authenticator app on a phone

Something you are – biometrics such as a fingerprint, a facial scan or a retina scan

SY0-701 objective 4.6 also lists somewhere you are (location) as a factor, although it is not among the options in this question. Note that "multifactor" means factors of different kinds: a password plus a security question is still single-factor, since both are something you know.

Domain

4.0 Security Operations

Question 64Skipped

How can Robert verify the source that wrote the software that he is downloading?

Cookies

Explanation

Cookies are small pieces of data stored on a user’s computer by a website. They are used for tracking user behavior and preferences but do not verify the source that wrote the software that Robert is downloading.

Correct answer

Code signing

Explanation

Code signing is a method used to digitally sign software and scripts to confirm the software author and guarantee that the code has not been altered or corrupted since it was signed. It allows Robert to verify the source that wrote the software he is downloading.

HTTP header

Explanation

HTTP headers are part of the HTTP protocol used for communication between a web server and a client. They contain information about the request and response but do not directly verify the source that wrote the software that Robert is downloading.

Software escrow

Explanation

Software escrow is a legal arrangement where a third party holds the source code of software in case the software developer goes out of business or fails to maintain the software. It does not directly verify the source that wrote the software that Robert is downloading.

Overall explanation

4.1 Given a scenario, apply common security techniques to computing resources.

Code signing is a technique used to validate the authenticity of software using a digital signature that verifies both the integrity of the code (it has not been altered since signing) and the identity of the manufacturer or developer. The signature is only meaningful if the signing certificate chains to a certificate authority Robert's system trusts, or to a key he already trusts: a valid signature from an unknown publisher proves the code was not tampered with after signing, not that the publisher is trustworthy.

Domain

4.0 Security Operations

Question 65Skipped

Which of the following uses hardware to store cryptographic keys?

PKI

Explanation

PKI (Public Key Infrastructure) is a system of digital certificates, certificate authorities and registration authorities that binds public keys to identities and lets parties validate each other's certificates. It is a framework for issuing and validating keys and certificates, not a key storage mechanism; a certificate authority will usually keep its own private key in a hardware security module, but that is a separate component, not PKI itself.

AES

Explanation

AES (Advanced Encryption Standard) is a symmetric encryption algorithm used to secure data by encrypting and decrypting information. While AES is a widely used encryption standard, it does not specifically use hardware to store cryptographic keys.

Steganography

Explanation

Steganography is the practice of concealing messages or information within other non-secret data. It does not involve the use of hardware to store cryptographic keys, making it an incorrect choice for the question.

Correct answer

TPM

Explanation

TPM (Trusted Platform Module) is a hardware component that securely stores cryptographic keys, passwords, and digital certificates. It provides a secure environment for key generation and storage, making it a reliable choice for protecting sensitive information.

Overall explanation

1.4 Explain the importance of using appropriate cryptographic solutions.

A Trusted Platform Module (TPM) is a hardware security component in the form of an embedded microcontroller, either a discrete chip on the device's motherboard or a firmware TPM running inside the central processing unit (CPU). The TPM generates and stores cryptographic keys, and stores related secrets such as certificates and the values that protect passwords and biometric templates. Keys created inside the TPM can be marked non-exportable, so they can be used for signing or decryption but never read out, and the TPM can seal secrets to a measured boot state, which is how BitLocker releases a disk key only when the boot chain is unmodified.

Domain

1.0 General Security Concepts

Question 66Skipped

Robert is a security analyst. He wants to get logs from the applications, databases, operating systems, and network devices at his organization. What process does Robert need to perform?

Retention

Explanation

Retention refers to the storage and preservation of data for a specific period of time. While retention is important for compliance and investigative purposes, it is not the primary process Robert needs to perform to collect logs from multiple sources.

Archiving

Explanation

Archiving involves storing data in a secure and organized manner for long-term preservation. While archiving is important for maintaining historical logs and records, it is not the immediate process Robert needs to perform to gather logs from applications, databases, operating systems, and network devices.

Correlation

Explanation

Correlation involves analyzing and identifying relationships between different sets of data to detect patterns or anomalies. While correlation is important in security analysis, it is not the process Robert needs to perform to get logs from various sources.

Correct answer

Aggregation

Explanation

Aggregation is the process of collecting and combining data from different sources into a single, centralized location. In Robert’s case, he needs to aggregate logs from applications, databases, operating systems, and network devices to effectively monitor and analyze security events.

Overall explanation

4.4 Explain security alerting and monitoring concepts and tools.

Log aggregation is the process of collecting logs from different sources across the network and consolidating them at a single centralized point for analysis and interpretation.

Domain

4.0 Security Operations

Question 67Skipped

An online retail store has set up a web application for its customers performing online transactions. They have noticed large peaks of incoming traffic from their clients directed to their web server, which has caused the web application to become slow and unresponsive during those times. What should they deploy to maintain performance?

Backup

Explanation

Backup refers to the process of creating copies of data for recovery purposes in case of data loss. While backups are crucial for data protection, they do not directly address the performance challenges caused by high levels of incoming traffic on a web server.

Virtual Machine

Explanation

A Virtual Machine is an emulation of a computer system that runs within another computer system. While Virtual Machines offer flexibility and resource isolation, they are not specifically designed to handle performance issues related to spikes in incoming traffic on a web server.

RAID

Explanation

RAID (Redundant Array of Independent Disks) is a data storage technology that combines multiple disk drives for data redundancy or performance improvement. While RAID can enhance data storage reliability, it is not directly related to addressing performance issues caused by high incoming traffic on a web server.

Correct answer

Load Balancer

Explanation

A Load Balancer is a device or software solution that evenly distributes incoming network traffic across multiple servers to prevent any single server from being overwhelmed. By balancing the load, a Load Balancer can help maintain optimal performance and responsiveness of the web application during peak traffic periods.

Overall explanation

3.2 Given a scenario, apply security principles to secure enterprise infrastructure.

A load balancer is used to optimize network traffic. It distributes the incoming web traffic across several web servers according to a policy, algorithm, or other criteria, improving the performance of the web application.

Domain

3.0 Security Architecture

Question 68Skipped

Robert has noticed credit card details, tagged as Mastercard, Visa, and AmEx, stored in a format very different from the standard, known sequence. The card details look like %I#HgVr%#3TR3@&S. What security technique has been applied to them?

Minimization

Explanation

Minimization is a security technique that involves reducing the amount of sensitive data stored or transmitted to only what is necessary for a specific purpose. While minimization aims to limit the exposure of sensitive information, it does not involve transforming the data into a different format as seen in the given scenario.

Correct answer

Tokenization

Explanation

Tokenization is a security technique that involves replacing sensitive data with unique tokens that have no intrinsic meaning or value. In this scenario, the credit card details have been transformed into a format that does not resemble the original card numbers, indicating that tokenization has been applied to protect the sensitive information.

Masking

Explanation

Masking is a security technique that involves hiding or obscuring sensitive data by replacing it with random characters or symbols. In this case, the credit card details are not simply hidden or obscured, but rather transformed into a completely different format, indicating that masking is not the technique applied here.

Anonymization

Explanation

Anonymization is a security technique that involves removing or altering personally identifiable information to prevent the identification of individuals. In this case, the credit card details have not been anonymized but rather transformed into a different format, indicating that anonymization is not the technique applied here.

Overall explanation

3.3 Compare and contrast concepts and strategies to protect data.

Tokenization is the process of securing sensitive data by replacing it with non-sensitive substitutes called tokens. Normally, the length and the type of the data remain unchanged; the only difference lies in the substitution of the values.
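The block below is an added example (written for this page, not taken from the quiz or any payment product) of the vault-based tokenization the explanation describes, placed next to masking so the two techniques the question contrasts can be compared directly. The card number is kept only inside the vault; the caller receives a token of the same length and character class that has no mathematical relationship to the original and can only be reversed by the vault. As a design choice made here, tokens are generated so that they fail the Luhn check, which means a leaked token can never be mistaken for a real card number. The test PAN 4111111111111111 is a well-known constructed test value, not a real account.

```python
import secrets
import string


def luhn_valid(number: str) -> bool:
    """Standard Luhn checksum; genuine card numbers pass it."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Vault-based tokenization (constructed example).

    The real PAN lives only in the vault. Everything outside the vault stores
    and passes around the token, which preserves length and type (all digits)
    so existing database columns and validation rules keep working."""

    def __init__(self):
        self._pan_to_token = {}
        self._token_to_pan = {}

    def tokenize(self, pan: str) -> str:
        if not pan.isdigit() or not 12 <= len(pan) <= 19:
            raise ValueError("PAN must be 12-19 digits")
        if pan in self._pan_to_token:        # same PAN always yields the same token
            return self._pan_to_token[pan]
        while True:
            token = "".join(secrets.choice(string.digits) for _ in range(len(pan)))
            # Reject a token that collides with an existing one, equals the PAN,
            # or passes Luhn (design choice: tokens must never look like real cards).
            if token not in self._token_to_pan and token != pan and not luhn_valid(token):
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can reverse a token; unknown tokens raise KeyError."""
        return self._token_to_pan[token]


def mask_pan(pan: str, visible_last: int = 4, mask_char: str = "*") -> str:
    """Masking, for contrast: obscures the value for display and is not reversible."""
    return mask_char * (len(pan) - visible_last) + pan[-visible_last:]


if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111111111111111"                 # constructed test PAN, not a real account
    token = vault.tokenize(pan)
    print("token :", token)
    print("masked:", mask_pan(pan))
    print("back  :", vault.detokenize(token))
```

Note the difference from the scenario's own sample: the value %I#HgVr%#3TR3@&S changes the character set as well as the digits, which is allowed, but the explanation's point that tokens "normally" keep the length and type of the original is what makes tokenization drop-in compatible with systems that expect a card-number-shaped field.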

Domain

3.0 Security Architecture

Question 69Skipped

Who is responsible for the implementation and maintenance of security controls necessary for protecting the organization’s data?

Data controller

Explanation

The data controller is responsible for determining the purposes and means of processing personal data. While they have a significant role in data processing activities, they are not specifically responsible for the implementation and maintenance of security controls necessary for protecting the organization’s data.

Data protection officer

Explanation

The data protection officer is responsible for ensuring that an organization complies with data protection laws and regulations. While they play a crucial role in data privacy and compliance, they are not directly responsible for the implementation and maintenance of security controls for protecting the organization’s data.

Correct answer

Data custodian

Explanation

The data custodian is responsible for the implementation and maintenance of security controls necessary for protecting the organization’s data. They are tasked with safeguarding the data assets, ensuring data integrity, and managing access controls to prevent unauthorized access or data breaches.

Data owner

Explanation

The data owner is responsible for making decisions about how data is used and who has access to it. While they have a say in data security policies and procedures, they are not directly responsible for the implementation and maintenance of security controls necessary for protecting the organization’s data.

Overall explanation

5.1 Summarize elements of effective security governance.

The data custodian implements and maintains the security controls necessary to protect the data that belongs to the organization.

Domain

5.0 Security Program Management and Oversight

Question 70Skipped

A company is expected to lose $50,000 if its application server cluster suffers unrecoverable damage in a disaster. What is the term given to this amount?

ARO

Explanation

ARO (Annual Rate of Occurrence) represents the frequency at which a specific threat is expected to occur within a year. It is used in conjunction with the Single Loss Expectancy (SLE) to calculate the Annual Loss Expectancy (ALE).

ALE

Explanation

ALE (Annual Loss Expectancy) refers to the expected annual loss resulting from a specific risk. It is calculated by multiplying the Annual Rate of Occurrence (ARO) with the Single Loss Expectancy (SLE).

KRI

Explanation

KRI (Key Risk Indicator) is a metric used to measure and monitor the level of risk in an organization. It helps in identifying potential risks and taking proactive measures to mitigate them. However, it is not directly related to the monetary value associated with a specific loss like the Single Loss Expectancy (SLE).

Correct answer

SLE

Explanation

SLE (Single Loss Expectancy) is the term given to the amount of loss that would result from a single security incident or event. In this case, the $50,000 loss expected from the application server cluster facing unrecoverable damage is the Single Loss Expectancy.

Overall explanation

5.2 Explain elements of the risk management process.

The Single Loss Expectancy (SLE) is a monetary value that describes the cost of damage that an organization will suffer if an asset at risk is damaged, lost, or destroyed due to an incident. For the case in question, the company has an SLE of $50,000 because they stand to lose that amount if their application server cluster is destroyed. The SLE is not necessarily the exact cost of the asset. Other factors may either lower or increase the value. For example, if heavy labor charges are involved in setting up the asset, then the SLE will exceed the asset cost.

Domain

5.0 Security Program Management and Oversight

Question 71Skipped

Robert recently received $100,000 from Microsoft for disclosing a vulnerability in Microsoft.NET. What caused Robert to get such a reward?

Black Hat

Explanation

Black Hat refers to individuals who engage in malicious activities, such as hacking, without authorization. Robert, in this scenario, disclosed a vulnerability to Microsoft, which is not an act associated with Black Hat behavior.

OSINT

Explanation

OSINT (Open Source Intelligence) is the practice of collecting and analyzing publicly available information. It is not related to receiving a reward for disclosing a vulnerability in a software system like Microsoft.NET.

Correct answer

Bug bounty

Explanation

Bug bounty programs are initiatives launched by organizations to reward individuals who responsibly disclose security vulnerabilities in their software or systems. Robert received a reward from Microsoft for disclosing a vulnerability in Microsoft.NET, which aligns with the concept of bug bounty programs.

Red-team

Explanation

Red-team refers to a group of individuals within an organization who simulate attacks to test the security posture of the organization. Robert’s act of disclosing a vulnerability to Microsoft does not fall under the scope of red-team activities.

Overall explanation

4.3 Explain various activities associated with vulnerability management.

A bug bounty program is a reward offering made by software vendors to ethical hackers and individuals for discovering and disclosing software bugs, security holes, vulnerabilities, and exploits in their programs.

Domain

4.0 Security Operations

Question 72Skipped

Which of the following disaster recovery options is the most expensive to maintain?

Mobile site

Explanation

A mobile site is a less common disaster recovery option that involves using a mobile facility to restore operations in case of a disaster. While it may offer flexibility and mobility, it is not necessarily the most expensive option compared to a hot site.

Correct answer

Hot site

Explanation

A hot site is the most expensive disaster recovery option to maintain as it provides fully operational infrastructure, real-time data replication, and immediate failover capabilities. This ensures minimal downtime and high availability in case of a disaster.

Cold site

Explanation

A cold site is the least expensive disaster recovery option to maintain as it only provides basic infrastructure such as power and physical space. It requires time to set up and activate in case of a disaster, which may result in longer downtime.

Warm site

Explanation

A warm site is more expensive than a cold site but less expensive than a hot site. It has some pre-configured infrastructure and data backups, allowing for a faster recovery time compared to a cold site.

Overall explanation

3.4 Explain the importance of resilience and recovery in security architecture.

A hot site is a disaster recovery site that is continuously available and always up and running alongside the main site. All production data is replicated and synchronized in real time. In the event of a disaster, the hot site can be up and running in a very short time.

Domain

3.0 Security Architecture

Question 73Skipped

Robert, on his trip to London, opened a bank account at Barclays Bank. As he travels back to Tanzania, he must keep in mind that his bank account must comply with the regulations from the United Kingdom. What is the reason behind this?

Data protection

Explanation

Data protection refers to safeguarding sensitive information from unauthorized access or disclosure. While it is important for Robert to protect his personal data, the reason behind complying with UK regulations is not solely related to data protection.

Data governance

Explanation

Data governance involves managing the availability, usability, integrity, and security of data used in an organization. While data governance is important for ensuring data quality and compliance, the reason behind Robert needing to comply with UK regulations is more specifically related to data sovereignty in this scenario.

Data loss prevention

Explanation

Data loss prevention focuses on preventing data breaches, leaks, or unauthorized access to sensitive information. While it is crucial for Robert to prevent data loss, the reason behind complying with UK regulations is not specifically related to data loss prevention.

Correct answer

Data sovereignty

Explanation

Data sovereignty refers to the concept that data is subject to the laws of the country in which it is located. In this case, Robert opened a bank account in the UK, so he must comply with UK regulations regarding his bank account even when he is in Tanzania. This ensures that his data is governed by the laws of the UK.

Overall explanation

3.3 Compare and contrast concepts and strategies to protect data.

Data sovereignty is the legal jurisdiction that places the country where the data originates from as the regulator of how the data shall be collected, stored, processed, or distributed, for operations occurring either within or outside the country’s territory.

Domain

3.0 Security Architecture

Question 74Skipped

Robert’s home computer was recently attacked by a dangerous threat. Which of the options below would best have prevented the compromise of Robert’s computer?

Correct answer

HIPS

Explanation

Host-based Intrusion Prevention System (HIPS) is designed to monitor and analyze the internals of a computing system, including the operating system, applications, and network connections. It can prevent malware attacks by detecting and blocking suspicious activities at the host level, which would have helped prevent the compromise on Robert’s computer.

HIDS

Explanation

Host-based Intrusion Detection System (HIDS) is focused on monitoring and analyzing the internals of a computing system to detect suspicious activities but does not have the capability to actively prevent or block intrusions like HIPS does. Therefore, it may not have been as effective in preventing the compromise on Robert’s computer.

NIDS

Explanation

Network-based Intrusion Detection System (NIDS) is designed to monitor network traffic for suspicious activities and potential threats. While NIDS can help detect network-based attacks, it may not have been sufficient to prevent the compromise on Robert’s computer, as the malware attack originated from within the system.

NIPS

Explanation

Network-based Intrusion Prevention System (NIPS) is focused on monitoring and analyzing network traffic to actively prevent and block malicious activities. However, in Robert’s case, the compromise occurred at the host level, making a host-based solution like HIPS more effective in preventing the malware attack on his computer.

Overall explanation

2.5 Explain the purpose of mitigation techniques used to secure the enterprise.

A host-based intrusion prevention system (HIPS) is installed on a host to monitor and defend it against observed malicious activity and cyberattacks. With HIPS installed on Robert’s computer, detected malware is sandboxed in a quarantine zone, preventing it from infecting the device.

Domain

2.0 Threats, Vulnerabilities, and Mitigations

Question 75Skipped

What AAA protocol can be used to authenticate remote users and provide network access?

RDP

Explanation

RDP (Remote Desktop Protocol) is not an AAA protocol. RDP is a proprietary protocol developed by Microsoft that allows users to connect to a remote desktop over a network connection. While RDP can be used for remote access, it is not specifically designed for user authentication and network access control.

OAuth

Explanation

OAuth is not an AAA protocol. OAuth is an authorization framework that allows a third-party application to obtain limited access to an HTTP service on behalf of a resource owner. It is commonly used for delegated access scenarios, such as allowing a user to grant access to their data without sharing their credentials.

Correct answer

RADIUS

Explanation

RADIUS (Remote Authentication Dial-In User Service) is a widely used AAA protocol that can authenticate remote users and provide network access. It is commonly used in scenarios where users need to connect to a network remotely, such as dial-up or VPN connections.

SSH

Explanation

SSH (Secure Shell) is not an AAA protocol. SSH is a cryptographic network protocol that provides secure communication over an unsecured network. It is commonly used for secure remote access to systems and for secure file transfers, but it is not designed for user authentication and network access control like AAA protocols such as RADIUS.

Overall explanation

4.1 Given a scenario, apply common security techniques to computing resources.

RADIUS stands for the Remote Authentication Dial-In User Service. It provides Authentication, Authorization, and Accounting (AAA) services for remote users in a network. The protocol can be used to centralize the authentication point and control the network access based on the authorization policies defined. The users’ activities are logged in an audit trail for accountability.

Domain

4.0 Security Operations

Question 76Skipped

Robert has several applications that need certificates for the domain robertkaramagi.com. He decides to purchase a certificate with an asterisk symbol before his domain name, *.robertkaramagi.com. What type of certificate has Robert purchased?

Java KeyStore

Explanation

Java KeyStore is a repository of security certificates used for encryption and decryption in Java applications. It is not related to the type of certificate that Robert has purchased for his domain.

Root

Explanation

Root certificates are used to establish trust in a certificate chain by verifying the authenticity of intermediate and end-entity certificates. They are not related to wildcard certificates like the one Robert has purchased.

Correct answer

Wildcard

Explanation

Robert has purchased a wildcard certificate, indicated by the asterisk symbol before his domain name. Wildcard certificates secure the main domain and all its subdomains with a single certificate, making them a cost-effective and efficient choice for securing multiple applications under the same domain.

Self-signed

Explanation

Self-signed certificates are certificates that are signed by the entity creating them, rather than a trusted third party. They are not related to the wildcard certificate that Robert has purchased for his domain.

Overall explanation

1.4 Explain the importance of using appropriate cryptographic solutions.

Robert has purchased a wildcard certificate. Wildcard certificates can be used for a primary domain and all its subdomains. The wildcard certificate starts with an asterisk symbol before the primary domain. The certificate Robert purchased can be used for his primary domain www.robertkaramagi.com, and other subdomains such as training.robertkaramagi.com, ftps.robertkaramagi.com, mail.robertkaramagi.com, payments.robertkaramagi.com, etc.
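What a wildcard name does and does not cover is worth seeing in code, because it is a common deployment surprise. The block below is an added example (written for this page, not part of the quiz or of any TLS library) implementing the name-matching rule that browsers apply and that RFC 6125 describes: the asterisk must be the entire left-most label and stands in for exactly one label. So *.robertkaramagi.com covers www, mail, ftps, training and payments under robertkaramagi.com, but it covers neither the bare apex robertkaramagi.com nor a deeper name such as dev.api.robertkaramagi.com; in practice the apex is added to the certificate as a separate Subject Alternative Name. The host names other than those on the page are assumptions for the example.

```python
def wildcard_matches(cert_name: str, hostname: str) -> bool:
    """Return True if the certificate name `cert_name` covers `hostname`.

    Rules applied (RFC 6125 section 6.4.3, strict browser behaviour):
      - comparison is case-insensitive and ignores a trailing dot;
      - a wildcard may only be the whole left-most label ("*.example.com");
        partial forms such as "w*.example.com" are refused;
      - the wildcard matches exactly one label, so "*.example.com" covers
        "www.example.com" but not "example.com" or "a.b.example.com";
      - a wildcard needs at least two fixed labels, so "*.com" is refused.
    """
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not hostname or "" in hostname.split("."):
        return False                              # empty or malformed host name
    if "*" not in cert_name:
        return cert_name == hostname              # plain name: exact match only
    c_labels = cert_name.split(".")
    h_labels = hostname.split(".")
    if c_labels[0] != "*" or any("*" in lbl for lbl in c_labels[1:]):
        return False
    if len(c_labels) < 3:
        return False
    # "*" stands in for one label: same label count and an identical suffix.
    return len(h_labels) == len(c_labels) and h_labels[1:] == c_labels[1:]


def covered_by(cert_names, hostname: str) -> bool:
    """True if any name in the certificate (CN or SAN entries) covers the host."""
    return any(wildcard_matches(name, hostname) for name in cert_names)


if __name__ == "__main__":
    cert = ["*.robertkaramagi.com"]
    for host in ["www.robertkaramagi.com", "mail.robertkaramagi.com",
                 "robertkaramagi.com", "dev.api.robertkaramagi.com"]:
        print(f"{host:30} covered: {covered_by(cert, host)}")
```

Python's standard library used to expose a similar check as ssl.match_hostname; it was removed in Python 3.12, which is one more reason to understand the rule rather than rely on a helper being present.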

Domain

1.0 General Security Concepts

Question 77Skipped

Robert is looking into the wireless security of his organization. Which of the following is a type of interference introduced intentionally into the wireless network of Robert’s organization?

Correct answer

Jamming

Explanation

Jamming is a type of interference intentionally brought up to disrupt the wireless network by transmitting a strong signal on the same frequency as the network, causing interference and preventing legitimate devices from connecting.

Rogue access point

Explanation

A rogue access point is an unauthorized wireless access point that is connected to the network without the network administrator’s knowledge. While it can cause interference, it is not intentionally brought up to disrupt the network like jamming.

MAC Spoofing

Explanation

MAC Spoofing is a technique where an attacker changes the Media Access Control (MAC) address of a device to impersonate another device. While it can be used to gain unauthorized access to the network, it is not a type of interference intentionally brought up to disrupt the wireless network.

Radio frequency identification

Explanation

Radio frequency identification (RFID) is a technology that uses electromagnetic fields to automatically identify and track tags attached to objects. While RFID can operate on similar frequencies as wireless networks, it is not a type of interference intentionally brought up to disrupt the network like jamming.

Overall explanation

2.2 Explain common threat vectors and attack surfaces.

Jamming is performed by an attacker on a wireless network to intentionally slow down communication or stop the device from connecting to the network. It is a type of denial-of-service attack.

Domain

2.0 Threats, Vulnerabilities, and Mitigations

Question 78Skipped

The physical security team of an organization wants to make sure that any unauthorized vehicles are prevented from entering the premises. What control do they need to have in place?

Alarm

Explanation

Alarms are designed to alert individuals of a potential security breach or unauthorized access. While alarms can be effective in notifying security personnel of a breach, they do not physically prevent unauthorized vehicles from entering the premises.

Signage

Explanation

Signage can be used to communicate security policies and guidelines to individuals entering the premises. While signage can help deter unauthorized vehicles, it does not physically prevent them from entering the premises.

Correct answer

Bollards

Explanation

Bollards are physical barriers that are used to block or restrict access to certain areas. In the context of preventing unauthorized vehicles from entering the premises, bollards are an effective control measure as they physically block vehicles from accessing restricted areas.

CCTV

Explanation

Closed-circuit television (CCTV) systems are used for surveillance and monitoring purposes. While CCTV can help identify unauthorized vehicles after they have entered the premises, it does not physically prevent them from entering in the first place.

Overall explanation

1.2 Summarize fundamental security concepts.

A bollard is a vertical post, commonly made of metal or concrete, that is used to prevent a vehicle from entering an area.

Domain

1.0 General Security Concepts

Question 79Skipped

Robert ensures that a daily backup of the servers at his company is taken. The company does not have the backup window or the storage to perform full backups every day, so it backs up only the files that have changed instead. Where can Robert get this information?

Differential backup

Explanation

Differential backups capture all changes made since the last full backup. While they can be useful for backup strategies, they do not specifically identify the files that have changed.

Incremental backup

Explanation

Incremental backups only capture the changes made since the last backup, whether it was a full backup, or an incremental backup. While this method is helpful for creating backups, it does not specifically pinpoint which files have been modified.

Snapshot

Explanation

Snapshots are point-in-time copies of data that capture the state of a system at a specific moment. While snapshots can be used for backup purposes, they do not specifically track changes to files for backups.

Correct answer

Journal

Explanation

Journals are logs that record changes made to files or data over time. By referencing the journal, Robert can identify the specific files that have changed since the last backup and only back up those changes.

Overall explanation

3.4 Explain the importance of resilience and recovery in security architecture.

The journal log is a file containing details of all the changes that have been made to the files in a file system before the file index is changed. The journal is important in the incremental and differential backup schemes as the information that has changed and needs to be backed up can be found here.
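The difference between the two schemes the explanation mentions comes down to which point in time the journal is read from. The block below is an added example (written for this page, not from the quiz or any backup product) that simulates a file-system change journal as a list of (time, path, change) records and a backup history, then derives the set of files an incremental backup must copy (changes since the most recent backup of any kind) versus a differential backup (changes since the most recent full backup). Deletions are reported separately so the restore side can remove files as well as copy them. The paths, dates and the journal entries are constructed for the example.

```python
from datetime import datetime, timezone

UTC = timezone.utc

# Constructed change journal (not from the page): the file system records every
# change as (time, path, change) in the order it happened.
JOURNAL = [
    (datetime(2024, 1, 8, 10, 0, tzinfo=UTC), "/srv/app/a.yml", "modify"),
    (datetime(2024, 1, 8, 11, 0, tzinfo=UTC), "/srv/app/b.log", "modify"),
    (datetime(2024, 1, 9, 10, 0, tzinfo=UTC), "/srv/app/a.yml", "modify"),
    (datetime(2024, 1, 9, 12, 0, tzinfo=UTC), "/srv/app/data/c.db", "create"),
    (datetime(2024, 1, 10, 9, 0, tzinfo=UTC), "/srv/app/b.log", "delete"),
    (datetime(2024, 1, 10, 15, 0, tzinfo=UTC), "/srv/app/data/c.db", "modify"),
]

# Constructed backup history: a full backup on Monday night, then nightly incrementals.
BACKUPS = [
    ("full", datetime(2024, 1, 8, 1, 0, tzinfo=UTC)),
    ("incremental", datetime(2024, 1, 9, 1, 0, tzinfo=UTC)),
    ("incremental", datetime(2024, 1, 10, 1, 0, tzinfo=UTC)),
]


def changed_since(journal, since):
    """Paths with journal entries after `since`, collapsed to their final state.

    A file modified and later deleted shows up only as deleted; a file deleted
    and later recreated shows up only as modified."""
    modified, deleted = set(), set()
    for ts, path, change in journal:
        if ts <= since:
            continue
        if change == "delete":
            deleted.add(path)
            modified.discard(path)
        else:
            modified.add(path)
            deleted.discard(path)
    return sorted(modified), sorted(deleted)


def incremental_set(journal, backups):
    """Incremental: everything changed since the most recent backup of any kind."""
    last = max(when for _kind, when in backups)
    return changed_since(journal, last)


def differential_set(journal, backups):
    """Differential: everything changed since the most recent full backup."""
    last_full = max(when for kind, when in backups if kind == "full")
    return changed_since(journal, last_full)


if __name__ == "__main__":
    print("next incremental :", incremental_set(JOURNAL, BACKUPS))
    print("next differential:", differential_set(JOURNAL, BACKUPS))
```

The trade-off the question alludes to is visible in the output: the incremental set is the smaller one (only Wednesday's changes), but restoring then needs the full backup plus every incremental since; the differential set grows each day because it always reaches back to Monday's full backup, yet a restore needs only the full backup plus the latest differential.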

Domain

3.0 Security Architecture

Question 80Skipped

Robert has a laptop that he usually uses at home. He now wants to use it at the office on occasion. What policy will permit Robert to do this?

Acceptable use

Explanation

Acceptable Use Policy defines the acceptable ways in which employees can use company resources, including devices. While it is important for setting guidelines, it does not specifically address the scenario where an employee wants to use their personal device at work.

COPE

Explanation

COPE (Corporate-Owned, Personally Enabled) is a policy where the organization owns the device and allows employees to use it for personal purposes. It is not applicable in Robert’s case as he wants to use his personal laptop at the office.

Correct answer

BYOD

Explanation

BYOD (Bring Your Own Device) is a policy that allows employees to use their personal devices, such as laptops, at work. This policy would permit Robert to use his laptop at the office on some occasions.

CYOD

Explanation

CYOD (Choose Your Own Device) is a policy where employees can choose from a list of approved devices provided by the organization. Since Robert wants to use his own personal laptop, CYOD is not the correct policy for his situation.

Overall explanation

4.1 Given a scenario, apply common security techniques to computing resources.

Bring your own device (BYOD) is a policy under which the organization’s staff are permitted to use their own personal devices, e.g., laptops and mobile phones, to access the organization’s network and corporate resources.

Domain

4.0 Security Operations

Question 81Skipped

What is most important in a digital forensic investigation to ensure that the evidence is admissible in a court of law?

Order of volatility

Explanation

Order of volatility is the principle of collecting digital evidence in a specific sequence based on its volatility, starting with the most volatile data first. While important for preserving evidence, it is not the most critical factor in ensuring admissibility in court. Chain of custody is more directly related to demonstrating the integrity of the evidence.

Time stamps

Explanation

Time stamps are essential in digital forensic investigations to establish the timeline of events and actions related to the evidence. While important for establishing the chronology of events, time stamps alone do not guarantee the admissibility of evidence in court. Chain of custody is more crucial in demonstrating the integrity and authenticity of the evidence.

Provenance

Explanation

Provenance refers to the origin or source of the evidence in a digital forensic investigation. While important, it is not the most critical factor in ensuring the admissibility of evidence in court. Provenance helps establish the history of the evidence, but chain of custody is more directly related to maintaining its integrity.

Correct answer

Chain of custody

Explanation

Chain of custody is crucial in a digital forensic investigation to ensure that the evidence collected is handled and stored properly, maintaining its integrity and authenticity. It documents who had possession of the evidence at all times, from collection to presentation in court, to prove that it has not been tampered with.

Overall explanation

4.8 Explain appropriate incident response activities.

The chain of custody tracks the entire evidence life cycle. It records the order in which the evidence was obtained and handled. Each handler must be documented along with the date and time they received or transferred the evidence. In a court of law, it must be proven that the evidence followed a proper chain of custody; otherwise it will not be admitted.
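The block below is an added example (written for this page, not part of the quiz or of any forensic toolkit) of how a chain-of-custody record can be kept tamper-evident in software. Each entry records the handler, the action, the time and the SHA-256 of the evidence, and also commits to the hash of the previous entry, so altering any entry after the fact invalidates every entry that follows it. A transfer is only accepted from whoever currently holds the evidence, mirroring the paper form where the releasing and receiving parties both sign. The handler names, times and the "disk image" bytes are constructed for the example; in a real case the evidence hash would be that of the acquired image.

```python
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only chain-of-custody record (constructed example)."""

    def __init__(self, evidence: bytes, collected_by: str, when: datetime):
        self.evidence_hash = sha256_hex(evidence)
        self.entries = []
        self._append("collected", collected_by, None, when)

    def _append(self, action, handler, to_handler, when):
        entry = {
            "seq": len(self.entries),
            "action": action,                       # "collected" or "transferred"
            "handler": handler,                     # who performed the action
            "to": to_handler,                       # receiving party on a transfer
            "time": when.isoformat(),
            "evidence_sha256": self.evidence_hash,
            "prev": self.entries[-1]["entry_hash"] if self.entries else "0" * 64,
        }
        # The entry hash covers every field above, including the link to the predecessor.
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)

    def current_holder(self) -> str:
        last = self.entries[-1]
        return last["to"] if last["action"] == "transferred" else last["handler"]

    def transfer(self, from_handler: str, to_handler: str, when: datetime):
        holder = self.current_holder()
        if from_handler != holder:
            raise ValueError(f"{from_handler} does not hold the evidence; {holder} does")
        self._append("transferred", from_handler, to_handler, when)


def verify_custody(entries, evidence: bytes):
    """Re-derive every hash and link; return (True, 'ok') or (False, reason)."""
    ev_hash = sha256_hex(evidence)
    prev, holder = "0" * 64, None
    for e in entries:
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        if sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
            return False, f"entry {e['seq']} has been altered"
        if e["prev"] != prev:
            return False, f"entry {e['seq']} does not link to its predecessor"
        if e["evidence_sha256"] != ev_hash:
            return False, f"evidence hash mismatch at entry {e['seq']}"
        if e["action"] == "transferred" and e["handler"] != holder:
            return False, f"entry {e['seq']}: {e['handler']} was not the holder"
        holder = e["to"] if e["action"] == "transferred" else e["handler"]
        prev = e["entry_hash"]
    return True, "ok"


if __name__ == "__main__":
    image = b"constructed disk image bytes"          # stands in for an acquired image
    t0 = datetime(2024, 1, 14, 9, 0, tzinfo=timezone.utc)
    log = CustodyLog(image, "R. Analyst", t0)
    log.transfer("R. Analyst", "Evidence Locker", t0.replace(hour=10))
    log.transfer("Evidence Locker", "Forensic Lab", t0.replace(hour=12))
    print(log.current_holder(), verify_custody(log.entries, image))
```

The hash chain does not replace signatures or a write-once store, which is what stops the keeper of the log from rewriting the whole chain; it does make any inconsistency between the log and the evidence, or any edited entry, detectable by a third party with nothing but the log and the image.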

Domain

4.0 Security Operations

Question 82Skipped

Which of the following describes the CER?

Correct answer

The point where the FAR is equal to the FRR

Explanation

The Crossover Error Rate (CER) is a crucial metric in biometric systems that signifies the point at which the False Acceptance Rate (FAR) matches the False Rejection Rate (FRR). This balance is essential for determining the optimal threshold in biometric authentication systems to minimize both false acceptances and false rejections.

The point where the FAR is greater than the FRR

Explanation

In biometric systems, the FAR (False Acceptance Rate) represents the probability of incorrectly accepting an unauthorized user, while the FRR (False Rejection Rate) represents the probability of incorrectly rejecting an authorized user. The Crossover Error Rate (CER) occurs when these two rates are equal, indicating a balance between the risks of false acceptance and false rejection.

The point where the FRR is greater than the FAR

Explanation

The Crossover Error Rate (CER) is a critical point in biometric systems where the False Acceptance Rate (FAR) and False Rejection Rate (FRR) intersect. At this point, the system’s performance is such that the likelihood of incorrectly accepting an unauthorized user is equal to the likelihood of incorrectly rejecting an authorized user.

The point where the FAR and FRR are equal to zero

Explanation

When the False Acceptance Rate (FAR) and False Rejection Rate (FRR) are both zero, it indicates a perfect system with no errors in accepting or rejecting users. However, the Crossover Error Rate (CER) specifically refers to the point where the FAR is equal to the FRR, highlighting the trade-off between security and convenience in biometric authentication.

Overall explanation

4.6 Given a scenario, implement and maintain identity and access management.

The Crossover Error Rate (CER) is also referred to as the Equal Error Rate (EER). It gives an overall measure of how accurate the biometric system is. When plotted on a graph of the Percentage Error versus the Sensitivity of the biometric system, the CER is the point at which the curve of the False Acceptance Rate (FAR) and curve of the False Rejection Rate (FRR) meet or coincide. In other words, it is the point where the FAR is equal to the FRR.
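The graph the explanation describes can be reproduced numerically. The block below is an added example (written for this page, not part of the quiz or any biometric product): given a set of matching scores from genuine users and a set from impostors, it sweeps the acceptance threshold across its range, computes FAR (impostors wrongly accepted) and FRR (genuine users wrongly rejected) at each step, and reports the threshold where the two curves cross and the error rate there, which is the CER/EER. The score samples are constructed; a real evaluation would use thousands of scores from the deployed sensor.

```python
# Constructed matching scores on a 0..1 scale (higher means a better match).
# Genuine attempts should score high, impostor attempts low, but the ranges overlap.
GENUINE_SCORES = [0.92, 0.88, 0.85, 0.81, 0.79, 0.74, 0.70, 0.66, 0.61, 0.55]
IMPOSTOR_SCORES = [0.15, 0.22, 0.28, 0.33, 0.39, 0.45, 0.52, 0.58, 0.64, 0.71]


def far(impostor_scores, threshold):
    """False Acceptance Rate: fraction of impostors whose score reaches the threshold."""
    return sum(s >= threshold for s in impostor_scores) / len(impostor_scores)


def frr(genuine_scores, threshold):
    """False Rejection Rate: fraction of genuine users whose score falls short of it."""
    return sum(s < threshold for s in genuine_scores) / len(genuine_scores)


def error_curve(genuine, impostor, steps=100):
    """(threshold, FAR, FRR) for each threshold from 0 to 1; raising the threshold
    makes the system stricter, so FAR falls and FRR rises along the sweep."""
    return [(i / steps, far(impostor, i / steps), frr(genuine, i / steps))
            for i in range(steps + 1)]


def crossover_error_rate(genuine, impostor, steps=100):
    """Threshold at which FAR and FRR are closest, and the error rate there (the CER).

    With discrete samples the curves may never be exactly equal, so the point of
    minimum |FAR - FRR| is taken and the CER reported as their mean at that point."""
    best = None
    for t, fa, fr in error_curve(genuine, impostor, steps):
        gap = abs(fa - fr)
        if best is None or gap < best[0]:
            best = (gap, t, (fa + fr) / 2)
    _gap, threshold, cer = best
    return round(threshold, 2), cer


if __name__ == "__main__":
    for t, fa, fr in error_curve(GENUINE_SCORES, IMPOSTOR_SCORES, steps=20):
        print(f"threshold {t:.2f}  FAR {fa:.2f}  FRR {fr:.2f}")
    print("CER at threshold", crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES))
```

A lower CER means a more accurate system overall, but the operating threshold is still a policy decision: a data-centre door would be set well above the crossover (accepting more false rejections to drive FAR down), while a convenience feature such as phone unlock might sit below it.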

Domain

4.0 Security Operations

Question 83Skipped

Robert is a security analyst scanning a group of servers for vulnerabilities. From the reports, he finds that many of the checks failed to run. What could help Robert ensure that the vulnerability tests run successfully?

Deep Scan

Explanation

Deep scan refers to a comprehensive and thorough scanning process that examines all aspects of a system for vulnerabilities. While deep scans are important for identifying potential security issues, they do not specifically address the issue of failed vulnerability tests running successfully.

False Negative

Explanation

False negative refers to a situation where a security tool incorrectly indicates that a vulnerability does not exist when it actually does. While addressing false negatives is important for the accuracy of vulnerability assessments, it does not directly help Robert ensure that the vulnerability tests run successfully.

Correct answer

Credentialed Scan

Explanation

A credentialed scan involves providing the necessary credentials to the scanning tool to access the target servers as an authenticated user. This type of scan allows for a more thorough assessment of the servers, including checking for vulnerabilities that may not be visible without proper credentials. Running vulnerability tests with credentialed scans can help ensure their success.

Common Vulnerabilities and Exposures (CVE)

Explanation

Common Vulnerabilities and Exposures (CVE) is a list of publicly known information security vulnerabilities and exposures. While it is important for identifying specific vulnerabilities, it does not directly address the issue of failed vulnerability tests running successfully.

Overall explanation

4.3 Explain various activities associated with vulnerability management.

A credentialed scan is a scan that uses administrative or privileged credentials to allow the scanner to run authenticated checks on the targets. Such scans have the access needed to perform the tests, so the failed checks Robert has been seeing will most likely run successfully.

Domain

4.0 Security Operations

Question 84Skipped

Robert recently misplaced his company phone which has highly classified information on it. He reported the incident immediately to the cybersecurity team. Which technique would ensure that the data on Robert’s phone is not stolen?

Screen lock

Explanation

Screen lock is a basic security measure that requires a password, PIN, or pattern to unlock the device. While screen lock can prevent unauthorized access to the phone, it may not be sufficient to protect highly classified information in the event of a misplaced device.

Pattern lock

Explanation

Pattern lock is another form of screen lock that requires a specific pattern to unlock the device. While pattern lock adds a level of security, it may not be as effective as remote wipe in ensuring that the data on Robert’s phone is not stolen if the device is lost or misplaced.

Biometrics

Explanation

Biometrics, such as fingerprint or facial recognition, can provide an additional layer of security to unlock a device. However, in the case of a misplaced phone, biometrics alone may not prevent unauthorized access to the classified information stored on the device.

Correct answer

Remote wipe

Explanation

Remote wipe allows the cybersecurity team to remotely erase all data on Robert’s misplaced phone. This ensures that even if the device falls into the wrong hands, the classified information will not be accessible, thus protecting sensitive data from being stolen.

Overall explanation

4.1 Given a scenario, apply common security techniques to computing resources.

Remote wipe is a security control that allows all the data on a device to be completely deleted by a command triggered from a remote location. This would ensure that the highly classified information on Robert’s phone is completely erased before it could fall into the wrong hands.

Domain

4.0 Security Operations

Question 85Skipped

The software development team has been trying to install a Python tool that is not in the approved software inventory of their organization. To their surprise, whenever the installation setup is completed, the tool immediately disappears along with all the installed files. What could be causing this to happen?

Antivirus

Explanation

Antivirus software is primarily focused on detecting and removing viruses and other malware from systems. While it may prevent the installation of known malicious software, it is unlikely to automatically remove installed files without user intervention.

Correct answer

Endpoint detection and response (EDR)

Explanation

Endpoint detection and response (EDR) solutions are designed to monitor and respond to security incidents on endpoints. In this case, the EDR solution may be configured to automatically remove any unauthorized software installations to prevent potential security risks or policy violations.

Anti-malware

Explanation

Anti-malware software is designed to detect and remove malicious software, such as viruses, worms, and trojans. While it may prevent the installation of unauthorized software, it typically does not automatically remove installed files without user intervention.

DLP

Explanation

Data Loss Prevention (DLP) solutions are focused on preventing the unauthorized disclosure of sensitive information. While DLP solutions may restrict the installation of unauthorized software, they are not typically designed to automatically remove installed files.

Overall explanation

4.5 Given a scenario, modify enterprise capabilities to enhance security.

Endpoint detection and response (EDR) software is a security solution that protects end-user devices by detecting cyber threats and proactively responding to them with protection mechanisms. EDR is capable of whitelisting trusted and approved software. It can detect the presence of unapproved software not in the whitelist and respond by uninstalling or removing it from the end user’s device.

Domain

4.0 Security Operations

Question 86Skipped

Which of the following options are examples of detective controls? Select all that apply.

Backup

Explanation

Backup systems are primarily used as a preventive control to ensure data availability and recovery in case of data loss or system failures. They are not examples of detective controls.

Alarm

Explanation

Alarm systems are typically preventive controls that are triggered by specific events or conditions to alert individuals of potential security threats. They are not examples of detective controls.

Correct selection

CCTV

Explanation

CCTV (Closed-Circuit Television) is a detective control that uses video surveillance to monitor and record activities in a specific area. It is commonly used for detecting security incidents or unauthorized access.

Correct selection

IDS

Explanation

IDS (Intrusion Detection System) is a detective control that monitors network or system activities for malicious activities or policy violations. It detects and alerts on potential security incidents.

IPS

Explanation

IPS (Intrusion Prevention System) is a preventive control that actively blocks or prevents potential security threats. It is not an example of a detective control.

DLP

Explanation

DLP (Data Loss Prevention) is a preventive control that focuses on stopping data breaches before they occur, rather than detecting them after the fact. It is not an example of a detective control.

Overall explanation

1.1 Compare and contrast various types of security controls.

An intrusion detection system (IDS) is a detective technical control, as it monitors real-time network traffic (network-based IDS – NIDS) or events on a host (host-based IDS – HIDS) and sends an alert in the event of an intrusion. A passive IDS only monitors but does not alert. An active IDS sends alerts for suspicious events.

Closed Circuit Television (CCTV) is a detective physical control, as it monitors the surroundings of a secured area. By default, it is passive, as it only observes and records. However, artificial intelligence (AI) may be applied to CCTV to make it active and send alerts when an intruder is seen and recognized as one.

Domain

1.0 General Security Concepts

Question 87Skipped

Which of the following would ensure that the mission’s essential business functions remain operational in the wake of a disaster?

Tabletop exercise

Explanation

Tabletop exercises are useful for testing and evaluating an organization’s disaster recovery and business continuity plans. They involve discussing hypothetical scenarios and responses with key stakeholders to identify gaps and improve preparedness. While they are valuable for training and awareness, they do not directly ensure the operational continuity of essential business functions in the event of a disaster.

Walkthroughs

Explanation

Walkthroughs involve physically walking through a disaster recovery or business continuity plan to identify potential issues and improve preparedness. While they can help familiarize stakeholders with the plan and identify areas for improvement, they do not directly ensure the operational continuity of essential business functions in the event of a disaster.

Simulations

Explanation

Simulations involve creating realistic scenarios to test the organization’s response to a disaster and evaluate the effectiveness of its business continuity plans. While simulations can help identify weaknesses and improve preparedness, they do not directly ensure the operational continuity of essential business functions in the event of a disaster.

Correct answer

COOP

Explanation

COOP (Continuity of Operations) planning focuses on ensuring that essential business functions can continue operating during and after a disaster. COOP plans outline procedures, resources, and strategies to maintain critical operations, minimize downtime, and recover quickly from disruptions. Implementing a COOP plan is essential for ensuring the operational continuity of essential business functions in the wake of a disaster.

Overall explanation

3.4 Explain the importance of resilience and recovery in security architecture.

Continuity of Operations Planning (COOP) is a set of activities and steps designed to ensure critical business activities continue to operate during a disaster or may resume operations after one.

Domain

3.0 Security Architecture

Question 88Skipped

An organization has received a threat from an unidentified source that claims to have stolen the organization’s customer details and will leak them on social media if it does not receive 100 bitcoins to the wallet it provided. The source has also shown some sample records to prove it is not bluffing. What should be the organization’s biggest concern?

Penetration Tests

Explanation

Penetration tests are simulated cyber attacks against a computer system to evaluate its security. While penetration tests are important for assessing and improving the organization’s security posture, they are not the immediate concern when facing a threat of customer data leak and potential reputational damage.

Correct answer

Reputational damage

Explanation

Reputational damage is the correct concern for the organization in this situation. If customer details are leaked on social media, it can severely damage the organization’s reputation and trustworthiness. Rebuilding trust with customers and stakeholders after a data breach can be a challenging and lengthy process.

Ransomware

Explanation

Ransomware is a type of malware that encrypts a victim’s files and demands payment for their release. While ransomware attacks are a serious threat to organizations, in this scenario, the threat is more focused on leaking sensitive customer details rather than encrypting files for ransom.

Loss of money

Explanation

Loss of money is a valid concern for the organization, especially if they decide to pay the ransom to prevent the leak of customer details. However, the biggest concern in this scenario is not the immediate financial loss but the potential long-term damage to the organization’s reputation.

Overall explanation

5.4 Summarize elements of effective security compliance.

Reputational damage is a negative recognition that results from a change in the way the public, customers, or stakeholders perceive or feel about the products or services offered by a company. The downside effects can lead to a loss of income, investors, and possible bankruptcy.

Domain

5.0 Security Program Management and Oversight

Question 89Skipped

An employee of a technology firm has recently submitted his resignation letter to the human resources department. He was involved in many projects that involved proprietary information that could not be made known to competitors or the outside world. The human resources department has asked him to sign a document agreeing not to transfer the knowledge he has gained elsewhere. What document is this?

Correct answer

NDA

Explanation

NDA stands for Non-Disclosure Agreement, which is a legal document that restricts an individual from disclosing confidential and proprietary information to third parties. In this scenario, the employee is being asked to sign an NDA to prevent the transfer of knowledge to competitors or the outside world.

SLA

Explanation

SLA stands for Service Level Agreement, which is a contract outlining the level of service expected by a customer from a service provider. It is not related to agreements regarding the transfer of proprietary knowledge by an employee leaving a company.

MSA

Explanation

MSA stands for Master Service Agreement, which is a contract outlining the terms and conditions of services provided by one party to another. It is not related to agreements regarding the transfer of proprietary knowledge by an employee leaving a company.

BPA

Explanation

BPA stands for Business Partnership Agreement, which is a legal document outlining the terms and conditions of a partnership between two or more businesses. It is not related to agreements regarding the transfer of proprietary knowledge by an employee leaving a company.

Overall explanation

5.3 Explain the processes associated with third-party risk assessment and management.

A non-disclosure agreement (NDA) is a contract between two entities with the intention of protecting proprietary or confidential information such as patents or trade secrets. The entities legally agree not to share the information with any other uninvolved parties.

Domain

5.0 Security Program Management and Oversight

Question 90Skipped

Two cybersecurity companies have drawn up a formal agreement document that summarizes a plan for them to work together to provide cybersecurity consulting services across the region. What document is this?

NDA

Explanation

An NDA (Non-Disclosure Agreement) is a legal document that protects confidential information shared between parties. While it is important in the cybersecurity industry, it is not the document used to summarize a plan for collaboration like an MOU.

Correct answer

MOU

Explanation

An MOU (Memorandum of Understanding) is a formal agreement document that outlines the plan for two or more parties to work together on a specific project or goal. In this case, the cybersecurity companies have created an MOU to collaborate on providing cybersecurity consulting services across the region.

BPA

Explanation

A BPA (Business Partnership Agreement) is a legal document that outlines the terms and conditions of a partnership between two or more businesses. While it may cover various aspects of the partnership, it is not specifically tailored to summarize a plan for collaboration in providing cybersecurity consulting services.

MSA

Explanation

An MSA (Master Services Agreement) is a contract that defines the terms and conditions for future services between two parties. While it is related to formal agreements, it is not specifically designed to outline a plan for collaboration like an MOU.

Overall explanation

5.3 Explain the processes associated with third-party risk assessment and management.

A Memorandum of Understanding (MOU) is an agreement between two or more parties or companies that are planning to work together formally to achieve a common goal.

Domain

5.0 Security Program Management and Oversight