CompTIA Security+ (SYO-701) Practice Test 4

https://www.udemy.com/course/comptia-security-sy0-701-practice-tests/learn/quiz/6108486#content

CompTIA Security+ (SYO-701) – Results


Question 1 (Skipped)

A financial institution is looking for a cryptographic mechanism that shall improve the security and transparency of its transactions. What technology is most suited for them if they want to use an open public ledger?

PKI

Explanation

PKI (Public Key Infrastructure) is a framework that manages digital certificates and keys to secure communication and verify the identities of parties involved in transactions. While PKI is crucial for establishing trust in digital interactions, it is not specifically designed for creating an open public ledger like a blockchain.

NFT

Explanation

NFTs (Non-Fungible Tokens) are unique digital assets that represent ownership of a specific item or piece of content. While they have gained popularity in the art and collectibles space, they are not primarily used for creating open public ledgers for financial transactions.

SSL/TLS

Explanation

SSL/TLS, while essential for securing communication over the internet, is not specifically designed for creating an open public ledger like a blockchain. It focuses on encrypting data in transit between a client and a server, rather than maintaining a transparent ledger of transactions.

Correct answer

Blockchain

Explanation

Blockchain technology is well-suited for creating an open public ledger that provides security and transparency for transactions. It uses cryptographic techniques to create a decentralized and immutable record of transactions, making it an ideal choice for a financial institution looking to enhance the security and transparency of its transactions.

Overall explanation

1.4 Explain the importance of using appropriate cryptographic solutions.

Blockchain technology provides a secure way to record transactions with transparency in a distributed and open public ledger. It ensures data integrity and immutability and is often associated with cryptocurrencies such as Bitcoin and Ethereum.

Domain

1.0 General Security Concepts

Question 2 (Skipped)

A financial institution stores its sensitive customer information like credit card numbers in a database. They have recently implemented data masking for specific database fields to improve security. Which of the following illustrates the activity they have performed?

Disabling read access to the sensitive data

Explanation

Disabling read access to the sensitive data is a form of access control, not data masking. While restricting access to sensitive data is an important security measure, it does not involve masking the data itself to protect its confidentiality.

Replacing characters of the sensitive data with randomly selected characters

Explanation

Replacing characters of the sensitive data with randomly selected characters is a form of data obfuscation, not data masking. Data obfuscation involves intentionally making data difficult to understand or interpret, but it does not necessarily maintain the original format or structure of the data.

Full database encryption using a masking key

Explanation

Full database encryption using a masking key involves encrypting the entire database with a specific key to protect the data at rest. It does not specifically involve masking sensitive data fields with placeholders or random characters.

Correct answer

Making the sensitive data hard to depict by replacing characters with placeholders

Explanation

Making the sensitive data hard to depict by replacing characters with placeholders is a form of data masking where the actual sensitive information is obscured by substituting it with placeholder characters. This helps protect the confidentiality of the data without altering the underlying structure of the database.

Overall explanation

3.3 Compare and contrast concepts and strategies to protect data.

Data masking is about making sensitive data hard to read by replacing characters with placeholders. It reduces the visibility of sensitive data and helps protect its confidentiality while still allowing authorized users to work with the database.
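The point of the explanation above is that masking substitutes placeholder characters while keeping the field's original format, so the database and the applications reading it keep working. The following is an added example, not part of the practice test: a small field-level masker that hides all but the last four digits of a card number and leaves the separators and length intact. The placeholder character, the sample rows and the column names are assumptions made for this example, and the card numbers are constructed test values.

```python
"""Added example (not from the practice test): field-level data masking.

Masks a credit card number so that only the last four digits stay visible,
preserving the length and the separators of the original value so that code
expecting the column's format keeps working. Only the listed fields of a row
are touched; the other columns remain readable for authorized users.
"""
from typing import Iterable

PLACEHOLDER = "X"  # placeholder character (assumption for this example)


def mask_card_number(value: str, visible_last: int = 4,
                     placeholder: str = PLACEHOLDER) -> str:
    """Replace every digit except the last `visible_last` with the placeholder.

    Non-digit characters (spaces, dashes) are kept where they are, so the
    masked value has exactly the structure of the original.
    """
    digits = [c for c in value if c.isdigit()]
    if len(digits) < visible_last:
        raise ValueError("value has fewer digits than the number to keep visible")
    keep_from = len(digits) - visible_last  # index of the first digit to keep
    out = []
    seen = 0
    for c in value:
        if c.isdigit():
            out.append(c if seen >= keep_from else placeholder)
            seen += 1
        else:
            out.append(c)
    return "".join(out)


def mask_record(record: dict, masked_fields: Iterable[str]) -> dict:
    """Return a copy of a database row with the named fields masked.

    The original row is not modified; the masked copy is what a user without
    a need to see the full value would be shown.
    """
    masked = dict(record)
    for field in masked_fields:
        if field in masked and masked[field] is not None:
            masked[field] = mask_card_number(masked[field])
    return masked


# Constructed sample rows for this example (test card numbers, not real ones).
SAMPLE_ROWS = [
    {"customer_id": 1001, "name": "A. Example", "card_number": "4111-1111-1111-1111"},
    {"customer_id": 1002, "name": "B. Example", "card_number": "5500 0000 0000 0004"},
]


def masked_view(rows=SAMPLE_ROWS):
    """The rows as an authorized-but-not-privileged user would see them."""
    return [mask_record(r, ("card_number",)) for r in rows]


if __name__ == "__main__":
    for row in masked_view():
        print(row)
```

Compare this with the "randomly selected characters" option the explanation rejects: a random substitution would also hide the value, but it would not reliably keep the digit positions and separators that downstream code and reports depend on.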

Domain

3.0 Security Architecture

Question 3 (Skipped)

What is the most appropriate security measure that may be implemented by an organization to secure sensitive customer data while it is at rest on a server within its data center?

Correct answer

Encrypting the data on the server

Explanation

Encrypting the data on the server is the most appropriate security measure to secure sensitive customer data at rest. Encryption ensures that even if the data is accessed by unauthorized individuals, it will be unreadable without the decryption key, providing an additional layer of protection.

End-to-end encryption

Explanation

End-to-end encryption is not the most appropriate security measure for securing sensitive customer data at rest on a server within a data center. End-to-end encryption is typically used for securing data during transmission between two parties, not for data at rest on a server.

Labeling the server that has the sensitive data

Explanation

Labeling the server that has the sensitive data is not a security measure that directly secures sensitive customer data at rest on a server within a data center. While labeling servers can help with organization and access control, it does not provide the necessary protection for securing data at rest.

Storing hashes of the data at an offsite location

Explanation

Storing hashes of the data at an offsite location is not the most appropriate security measure for securing sensitive customer data at rest on a server within a data center. Hashing is used for data integrity verification, not for securing data at rest.

Overall explanation

3.3 Compare and contrast concepts and strategies to protect data.

The most appropriate security measure for the organization to secure its data at rest is encrypting the data on the server. Encryption ensures that even if unauthorized physical access to the storage device is achieved, the data cannot be read without the encryption key.

Domain

3.0 Security Architecture

Question 4 (Skipped)

A risk management program is being implemented by an organization to assess cybersecurity threats. The team responsible has managed to identify key risk indicators (KRIs) to track the risks. What best represents a KRI?

The employees that have access to the car parking lot

Explanation

The employees that have access to the car parking lot are not a key risk indicator (KRI) for assessing cybersecurity threats. Access to physical areas like a parking lot is not directly related to the cybersecurity risks and threats that the organization may face.

Correct answer

An increase in the total number of incidents for a period

Explanation

An increase in the total number of incidents for a period is a key risk indicator (KRI) as it reflects a potential rise in cybersecurity threats and incidents that could pose a risk to the organization’s security posture. Tracking this KRI allows the organization to proactively address and mitigate potential risks.

An increase in sales during a promotional event

Explanation

An increase in sales during a promotional event is not a key risk indicator (KRI) for assessing cybersecurity threats. While changes in sales may impact the organization’s financial performance, it does not provide insights into cybersecurity risks that could potentially harm the organization’s security posture.

The employees registered to cybersecurity training

Explanation

The number of employees registered for cybersecurity training is not a key risk indicator (KRI) for assessing cybersecurity threats. While cybersecurity training is important for enhancing security awareness, it does not directly represent a specific risk that needs to be monitored and managed.

Overall explanation

5.2 Explain elements of the risk management process.

An increase in the total number of incidents for a period, such as failed login attempts on a critical system, is a KRI because it indicates a potential threat to security such as a password attack. Key risk indicators are metrics that signify the risks and vulnerabilities that affect an organization’s security posture.

Domain

5.0 Security Program Management and Oversight

Question 5 (Skipped)

Employees at a large organization are using unauthorized cloud storage services to store sensitive company information. The IT department has raised concerns about the risks associated with such a practice. What type of situation is this?

Compliance with the use of cloud services

Explanation

Compliance with the use of cloud services focuses on adhering to established rules and regulations when utilizing cloud-based solutions. In this scenario, the employees’ actions of using unauthorized cloud storage services do not align with the organization’s compliance requirements.

BYOD policy

Explanation

BYOD policy governs the use of personal devices for work-related tasks within an organization. While BYOD policies may touch on security considerations, the issue of employees utilizing unauthorized cloud storage services falls more specifically under the umbrella of Shadow IT.

Correct answer

Usage of Shadow IT

Explanation

The usage of Shadow IT refers to employees independently adopting and utilizing IT solutions without the explicit approval or oversight of the IT department. In this case, the unauthorized use of cloud storage services by employees falls within the realm of Shadow IT practices, posing potential security and compliance risks for the organization.

Research in the cloud

Explanation

Research in the cloud typically involves leveraging cloud platforms for data analysis, experimentation, or collaboration. However, the situation described, where employees are using unauthorized cloud storage services, does not directly relate to conducting research activities in the cloud.

Overall explanation

2.1 Compare and contrast common threat actors and motivations.

Shadow IT refers to using digital services, devices, or software without formal approval by the organization’s governing policies. In the given scenario the employees are using unauthorized cloud storage services to store the company information.

Domain

2.0 Threats, Vulnerabilities, and Mitigations

Question 6 (Skipped)

An external cybersecurity firm has been requested for a document that outlines the scope, objectives, and expectations of a penetration testing engagement that they have been hired for. Which of the following is the document requested?

Correct answer

Statement of work

Explanation

The Statement of Work (SOW) is a document that outlines the scope, objectives, deliverables, timeline, and responsibilities of a specific project or engagement. In the context of a penetration testing engagement, the SOW would detail the specific goals, targets, and expectations of the cybersecurity firm hired for the testing.

Memorandum of understanding

Explanation

A Memorandum of Understanding (MOU) is a document that outlines the broad terms and objectives of a relationship or partnership between two or more parties. While it may establish general expectations, it is not typically used to detail the specific scope and objectives of a penetration testing engagement.

Memorandum of agreement

Explanation

A Memorandum of Agreement (MOA) is a document that outlines the terms and conditions of an agreement between two or more parties. While it may include some details of the engagement, it is not typically used to outline the specific scope, objectives, and expectations of a penetration testing engagement.

Master service agreement

Explanation

A Master Service Agreement (MSA) is a contract that outlines the general terms and conditions under which services will be provided between two parties. While it may establish the overall relationship and legal framework, it does not typically include the specific details of a penetration testing engagement such as scope, objectives, and expectations.

Overall explanation

5.3 Explain the processes associated with third-party risk assessment and management.

A statement of work (SOW) is a document outlining the scope, objectives, and expectations of a penetration test. It is also known as a work order (WO). The SOW gives details on the goals and objectives of the test and on the specific tasks to be performed, together with their timelines and deliverables.

Domain

5.0 Security Program Management and Oversight

Question 7 (Skipped)

A company has integrated a sandboxing system into its email server to provide protection from malicious attachments. What action will occur if a user receives an email with an attachment flagged as suspicious and possibly containing malware?

Correct answer

The email server will analyze the behavior of the attachment

Explanation

Analyzing the behavior of the attachment is a crucial step in determining whether it contains malware or poses a security risk. By examining the attachment’s actions and characteristics, the email server can identify potential threats and take appropriate action to protect the system and users.

The email server will send an alert to the security administrators

Explanation

Sending an alert to the security administrators is a proactive measure to notify them of a potential security incident. This action allows the administrators to investigate the issue further, take necessary steps to contain the threat, and implement additional security measures to prevent similar incidents in the future.

The email service will restart to prevent being compromised

Explanation

Restarting the email service is not a typical response to receiving an email with a suspicious attachment. This action does not directly address the security threat posed by the potentially malicious attachment and may not effectively protect the system from malware.

The email and its attachment shall be blocked and deleted

Explanation

Blocking and deleting the email and its attachment is a common security measure to prevent users from accessing potentially harmful content. This action helps to mitigate the risk of malware infection and protects the network from potential threats.

Overall explanation

4.1 Given a scenario, apply common security techniques to computing resources.

When a user receives an email with a suspicious attachment in an email server integrated with a sandboxing system, the email server will analyze the behavior of the attachment. The suspicious attachment will be opened and executed in the sandboxed environment to allow the mail system to detect and prevent potential malware threats without immediately blocking the entire email.

Domain

4.0 Security Operations

Question 8 (Skipped)

A firewall that is incorporated into a critical network security setup has been set to fail open. After an unexpected power failure, the firewall reboots due to the loss of power. What is expected of the firewall in such a situation?

Correct answer

The firewall shall allow traffic to continue flowing

Explanation

In a fail-open configuration, the firewall is designed to allow traffic to continue flowing in the event of a failure. This is done to ensure that network connectivity is maintained even if the firewall experiences issues.

The firewall will block all traffic going in and out

Explanation

If the firewall were to block all traffic going in and out after a power failure, it would indicate a fail-closed configuration. In this case, the firewall would restrict all traffic until the issue is resolved, which is not the expected behavior in a fail-open setup.

The firewall will send alerts across the open ports

Explanation

Sending alerts across open ports is not a typical behavior expected from a firewall in a fail-open configuration. The primary purpose of a fail-open setup is to maintain network connectivity and allow traffic to flow, rather than sending alerts.

The firewall shall reconfigure itself on another firewall nearby

Explanation

The firewall reconfiguring itself on another nearby firewall is not a standard response in a fail-open scenario. Fail-open configurations are specifically designed to allow traffic to continue flowing through the existing firewall, rather than switching to another device.

Overall explanation

3.2 Given a scenario, apply security principles to secure enterprise infrastructure.

In a fail-open state, the firewall shall allow traffic to continue flowing even if it experiences a failure or reboot. This ensures continuity of network connectivity whenever the firewall is disrupted.

Domain

3.0 Security Architecture

Question 9 (Skipped)

A technology company wants to protect its groundbreaking product from unauthorized disclosure. The product gives them a significant competitive advantage in the market. What type of protection for intellectual property should they consider for their product?

Copyright

Explanation

Copyright protection is more suitable for original works of authorship, such as literary, artistic, or musical works. While it can protect the expression of ideas in the product, it may not be the most effective form of protection for the underlying technology or functionality that gives the company a competitive advantage.

Trademark

Explanation

Trademark protection is used to protect brand names, logos, and slogans that identify and distinguish products or services in the market. While important for branding and marketing purposes, it may not provide the necessary protection for the technological aspects of the product that give the company a competitive edge.

Patent

Explanation

Patent protection is often used to protect inventions or discoveries that are new, useful, and non-obvious. While patents can provide strong protection for technological innovations, they require public disclosure of the invention in exchange for exclusive rights. This may not be ideal for protecting a groundbreaking product that the company wants to keep confidential.

Correct answer

Trade Secret

Explanation

Trade secret protection is the most suitable option for protecting a groundbreaking product from unauthorized disclosure. Trade secrets can include formulas, processes, designs, or other confidential information that provide a competitive advantage. Unlike patents, trade secrets do not require public disclosure and can be kept confidential indefinitely, making them an effective form of protection for valuable intellectual property.

Overall explanation

3.3 Compare and contrast concepts and strategies to protect data.

The technology company should consider a trade secret to protect their groundbreaking product from unauthorized disclosure. A trade secret is a form of protection for intellectual property that is used to protect both proprietary and confidential information such as processes, frameworks, or algorithms. They provide organizations with a competitive advantage in the market.

Domain

3.0 Security Architecture

Question 10 (Skipped)

A large company with multiple regional and remote offices wants to enforce access controls for their sensitive data. They want employees to have access to data based on the time and their current location. What model do they need?

MAC

Explanation

Mandatory Access Control (MAC) is not the ideal model for the scenario described in the question. MAC enforces access controls based on security labels assigned to resources and users, rather than attributes like time and location. While MAC is valuable for high-security environments, it does not align with the company’s need to control access based on time and location.

Correct answer

ABAC

Explanation

Attribute-Based Access Control (ABAC) is the correct model for the scenario described in the question. ABAC allows access control decisions to be based on attributes such as time, location, and user roles. This model aligns with the company’s requirement to enforce access controls based on both time and location, making it the most suitable choice.

RBAC

Explanation

Role-Based Access Control (RBAC) is not the most appropriate model for the scenario described in the question. RBAC focuses on assigning access rights based on user roles, rather than attributes like time and location. While RBAC is a common access control model, it does not meet the specific requirements of the company in this case.

DAC

Explanation

Discretionary Access Control (DAC) is not the appropriate model for the scenario described in the question. DAC allows users to determine access controls for their own resources, which may not be suitable for a large company with sensitive data that needs to enforce access controls based on time and location. DAC does not provide the granular control required in this situation.

Overall explanation

4.6 Given a scenario, implement and maintain identity and access management.

An attribute-based access control (ABAC) model shall provide the company with access controls based on attributes such as the employee’s time of login or the physical location of the employee when attempting to log in.
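The explanation above says the decision depends on attributes of the request (time of login, physical location) rather than only on the user's role. The block below is an added example, not part of the practice test and not any product's policy language: a deny-overrides ABAC evaluator whose rules look at the requester's department, the location they connect from and the time of the request. The attribute names, the approved-office list, the business-hours window and the sample requests are all assumptions constructed for this example.

```python
"""Added example (not from the practice test): an attribute-based access
control (ABAC) decision for the scenario in the question.

Rules are plain predicates over the request's attributes. Evaluation is
deny-overrides: any matching deny rule wins, otherwise the first matching
allow rule applies, otherwise access is denied by default.
Attribute names, locations and hours are assumptions for this example.
"""
from dataclasses import dataclass
from datetime import datetime, time, timezone


@dataclass(frozen=True)
class Request:
    user: str
    department: str        # subject attribute
    clearance: str         # subject attribute
    location: str          # environment attribute: where the user connects from
    resource_class: str    # resource attribute
    when: datetime         # environment attribute: request time (UTC)


APPROVED_LOCATIONS = {"hq", "regional-east", "regional-west"}  # assumption
BUSINESS_HOURS = (time(8, 0), time(18, 0))                      # assumption


def within_business_hours(when: datetime) -> bool:
    start, end = BUSINESS_HOURS
    return start <= when.time() < end


def rule_finance_office_hours(req: Request) -> bool:
    """Sensitive data: finance staff, from an approved office, during business hours."""
    return (req.resource_class == "sensitive"
            and req.department == "finance"
            and req.location in APPROVED_LOCATIONS
            and within_business_hours(req.when))


def rule_public_data(req: Request) -> bool:
    return req.resource_class == "public"


# (effect, rule name, predicate). Order matters only among allow rules.
POLICY = [
    ("deny", "revoked_clearance", lambda r: r.clearance == "revoked"),
    ("allow", "finance_office_hours", rule_finance_office_hours),
    ("allow", "public_data", rule_public_data),
]


def evaluate(req: Request):
    """Return (decision, rule name) for the request."""
    matched_allow = None
    for effect, name, predicate in POLICY:
        if predicate(req):
            if effect == "deny":
                return "deny", name          # deny overrides everything
            if matched_allow is None:
                matched_allow = name
    if matched_allow is not None:
        return "allow", matched_allow
    return "deny", "default"                 # nothing matched: default deny


def sample_decisions():
    """Constructed requests showing how time and location change the decision."""
    base = dict(user="alice", department="finance", clearance="standard",
                resource_class="sensitive")
    day = datetime(2024, 3, 4, 10, 0, tzinfo=timezone.utc)
    night = datetime(2024, 3, 4, 22, 0, tzinfo=timezone.utc)
    cases = {
        "finance_hq_daytime": Request(location="hq", when=day, **base),
        "finance_hq_night": Request(location="hq", when=night, **base),
        "finance_cafe_daytime": Request(location="cafe-wifi", when=day, **base),
        "hr_hq_daytime": Request(**{**base, "department": "hr"}, location="hq", when=day),
        "revoked_hq_daytime": Request(**{**base, "clearance": "revoked"}, location="hq", when=day),
    }
    return {name: evaluate(req) for name, req in cases.items()}


if __name__ == "__main__":
    for name, decision in sample_decisions().items():
        print(f"{name:24s} -> {decision}")
```

The same finance user is allowed from headquarters at 10:00 and denied from the same place at 22:00 or from an unapproved network at 10:00; a pure RBAC check, which only asks "is this user in the finance role?", could not distinguish those cases.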

Domain

4.0 Security Operations

Question 11 (Skipped)

Network traffic is continuously logged by an organization’s firewall for security and monitoring purposes. When a review of the firewall logs was performed, the security team noticed a significantly large number of connection attempts from an unknown external source. What action should the team take based on this information?

Delete the logs as they would reflect badly on the security team

Explanation

Deleting the logs without investigating them would be a hasty decision that could potentially overlook a serious security threat. It is important to analyze the logs to determine the severity of the situation and take necessary actions to address any security vulnerabilities.

Send the logs to the national cybersecurity incident response team

Explanation

Sending the logs to the national cybersecurity incident response team may be necessary in certain cases, but it should not be the first step. The security team should first investigate the logs internally to understand the situation before escalating it to external entities.

Correct answer

Investigate the logs to find out the nature and intention of the connection attempts

Explanation

Investigating the logs to find out the nature and intention of the connection attempts is the correct course of action. This will help the security team understand the potential threat posed by the unknown external source and take appropriate measures to mitigate the risk.

Block the IP address of the unknown source to prevent any further connection attempts

Explanation

Blocking the IP address of the unknown source may prevent further connection attempts, but it does not address the root cause of the issue. It is important to investigate the nature and intention of the connection attempts before taking any action.

Overall explanation

4.9 Given a scenario, use data sources to support an investigation.

The security team should investigate the logs to find out the nature and intention of the connection attempts after noticing a significantly large number of connection attempts from an unknown external source. They shall be able to take the appropriate and necessary action once they have confirmed the details of the incident.
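Both this question and Question 4 (failed or denied attempts counted per period as a KRI) come down to the same defender task: turn raw firewall log lines into a per-source summary that supports an investigation, and a per-period count that can be tracked as an indicator. The block below is an added example, not part of the practice test. The log line format, the threshold and the sample lines are constructed for this example (the addresses are from the RFC 5737 documentation ranges); a real firewall's format will differ and the regular expression would need to change accordingly.

```python
"""Added example (not from the practice test): summarizing firewall log lines
for an investigation and deriving a simple key risk indicator.

The log format is constructed for this example:
  <ISO-8601 UTC timestamp> action=<allow|deny> src=<ip> dst=<ip> dport=<port>
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)

# Constructed sample log (documentation addresses, not real hosts).
SAMPLE_LOG = """\
2024-03-01T10:00:01Z action=deny src=203.0.113.45 dst=192.0.2.10 dport=22
2024-03-01T10:00:02Z action=deny src=203.0.113.45 dst=192.0.2.10 dport=23
2024-03-01T10:00:03Z action=deny src=203.0.113.45 dst=192.0.2.10 dport=445
2024-03-01T11:15:00Z action=allow src=198.51.100.7 dst=192.0.2.10 dport=443
2024-03-01T11:16:00Z action=deny src=198.51.100.7 dst=192.0.2.10 dport=22
2024-03-02T09:00:00Z firewall restarted
2024-03-02T09:30:01Z action=deny src=203.0.113.45 dst=192.0.2.11 dport=22
2024-03-02T09:30:02Z action=deny src=203.0.113.45 dst=192.0.2.11 dport=3389
2024-03-02T09:30:03Z action=deny src=203.0.113.45 dst=192.0.2.11 dport=5900
2024-03-02T09:30:04Z action=deny src=203.0.113.45 dst=192.0.2.11 dport=8080
2024-03-02T09:30:05Z action=deny src=203.0.113.45 dst=192.0.2.11 dport=21
2024-03-02T10:00:00Z action=allow src=192.0.2.5 dst=192.0.2.10 dport=443
"""


def parse_log(text: str) -> list:
    """Parse log lines into event dicts; lines that do not match are skipped."""
    events = []
    for raw in text.splitlines():
        match = LINE_RE.match(raw.strip())
        if not match:
            continue  # e.g. a status line; skip rather than abort the review
        event = match.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        event["dport"] = int(event["dport"])
        events.append(event)
    return events


def denied_by_source(events) -> Counter:
    """Number of denied connection attempts per source address."""
    return Counter(e["src"] for e in events if e["action"] == "deny")


def sources_to_investigate(events, threshold: int) -> list:
    """Sources with at least `threshold` denied attempts, with how many distinct ports they touched.

    Many distinct destination ports from one source is the kind of detail the
    investigation needs before deciding what to do about the source.
    """
    ports = defaultdict(set)
    for e in events:
        if e["action"] == "deny":
            ports[e["src"]].add(e["dport"])
    return [
        {"src": src, "denied": n, "distinct_ports": len(ports[src])}
        for src, n in denied_by_source(events).most_common()
        if n >= threshold
    ]


def denied_per_day(events) -> Counter:
    """Denied attempts per UTC day: the metric tracked as a KRI."""
    return Counter(e["ts"].date().isoformat() for e in events if e["action"] == "deny")


def kri_trend(per_period: Counter):
    """Compare the two most recent periods; an increase is what the KRI flags."""
    periods = sorted(per_period)
    if len(periods) < 2:
        return None
    previous, current = per_period[periods[-2]], per_period[periods[-1]]
    return {"previous": previous, "current": current, "increase": current > previous}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print(sources_to_investigate(evts, threshold=5))
    print(kri_trend(denied_per_day(evts)))
```

Note that the code only summarizes; whether a noisy source is a scan, a misconfigured partner system or something else is exactly the question the explanation says the team must answer before acting, and the summary gives them the facts (volume, ports, days) to answer it.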

Domain

4.0 Security Operations

Question 12 (Skipped)

An employee has reported a suspicious email to the IT department which contains a link to a possibly dangerous website. What action should the IT department take?

Correct answer

Perform an investigation of the email and isolate the employee’s device

Explanation

Performing an investigation of the email and isolating the employee’s device is the correct action to take in response to a suspicious email containing a link to a potentially dangerous website. This approach helps prevent any potential spread of malware or security breaches while allowing the IT department to analyze the email for further security measures.

Shut down the mail server

Explanation

Shutting down the mail server is an extreme and disruptive response to a single suspicious email. It can impact the entire organization’s communication and productivity without effectively addressing the specific security threat posed by the email containing a link to a potentially dangerous website.

Notify all employees that their fellow staff has received a suspicious email so they should all be on the lookout

Explanation

Notifying all employees about the suspicious email received by a fellow staff member may create unnecessary panic and confusion among the workforce. It is more effective to handle such incidents discreetly and take appropriate security measures without causing alarm.

Disable the employee on the domain controller

Explanation

Disabling the employee on the domain controller is an extreme and unnecessary action in response to a suspicious email. It can disrupt the employee’s work and cause unnecessary inconvenience without addressing the root cause of the issue.

Overall explanation

5.6 Given a scenario, implement security awareness practices.

The best course of action for the IT department is to perform an investigation of the email and isolate the employee’s device to prevent potential harm to their network and assess the situation to find out the risk level of the reported threat.

Domain

5.0 Security Program Management and Oversight

Question 13 (Skipped)

A manufacturing company works with various suppliers to procure the required components for producing its products. A long-term partner and supplier of theirs has lately been facing financial troubles and may lack funds for investing in security objectives. What is the most pressing concern regarding this situation?

The supplier may exit the market

Explanation

If the supplier exits the market, it may disrupt the manufacturing company’s supply chain and sourcing strategy. While this is a significant concern, it is not directly related to the security risks that the supplier’s financial troubles may introduce.

Correct answer

The supplier may bring in security vulnerabilities in the supply chain

Explanation

The most pressing concern in this situation is that the supplier may bring in security vulnerabilities in the supply chain. If the supplier lacks funds to invest in security objectives, it could lead to potential breaches, data leaks, or other security incidents that could impact the manufacturing company’s operations and reputation.

The supplier may continuously breach the SLA

Explanation

If the supplier continuously breaches the Service Level Agreement (SLA), it may impact the manufacturing company’s operations and delivery timelines. However, this is not the most pressing concern in terms of security risks and vulnerabilities in the supply chain.

The supplier may increase the charges for servicing

Explanation

If the supplier increases charges for servicing, it may impact the manufacturing company’s costs and profitability. While this is a concern, it is not as critical as the potential security vulnerabilities that the supplier may introduce into the supply chain.

Overall explanation

2.2 Explain common threat vectors and attack surfaces.

The most pressing concern for the manufacturing company is that the supplier may bring security vulnerabilities into the supply chain, thus affecting the security of the products they produce. Since their long-term supplier is facing financial troubles, there is a real possibility of them failing to maintain adequate security controls.

Domain

2.0 Threats, Vulnerabilities, and Mitigations

Question 14 (Skipped)

A corporate network has a file server that stores sensitive financial data. The IT department wants to set access permissions on the file server such that only an authorized group from the finance department can access it while providing read-only access to the HR department. What mechanism can help the IT department achieve this?

Firewall

Explanation

A firewall is a network security device that monitors and controls incoming and outgoing network traffic based on predetermined security rules. While firewalls can help protect the network from unauthorized access, they are not specifically designed to set access permissions on a file server for specific user groups.

IPS

Explanation

An Intrusion Prevention System (IPS) is a security tool that monitors network and/or system activities for malicious activities or policy violations. While an IPS can help protect the network from security threats, it is not the mechanism used to set access permissions on a file server for specific user groups.

VPN

Explanation

A VPN (Virtual Private Network) is used to create a secure connection to another network over the internet. While VPNs can provide secure access to network resources, they are not the mechanism used to set access permissions on a file server for specific user groups.

Correct answer

ACL

Explanation

Access Control Lists (ACLs) are a mechanism used to set permissions on network resources, such as file servers, to control who can access them and what actions they can perform. By configuring ACLs on the file server, the IT department can specify which users or groups have access and what level of access they have, such as read-only or full access.

Overall explanation

2.5 Explain the purpose of mitigation techniques used to secure the enterprise.

The IT department can set access permissions to the file server using an access control list (ACL). ACLs are used to manage and control access to the enterprise resources. The IT department can set specific rules to read, write, and modify permissions to approved users or groups. This mechanism allows fine-grained access control.

Domain

2.0 Threats, Vulnerabilities, and Mitigations

Question 15 (Skipped)

What is the first step that should be taken by a company as they discover that the actions of an employee may have violated a compliance policy?

Correct answer

Inform the employee about the possible violation and initiate an investigation

Explanation

Informing the employee about the possible violation and initiating an investigation is the correct first step to take. This approach allows the employee to provide their perspective, ensures transparency in the process, and helps gather necessary information for a thorough investigation.

Report the incident to law enforcement authorities

Explanation

Reporting the incident to law enforcement authorities should only be considered after a thorough internal investigation has been conducted, and there is concrete evidence of a violation that warrants legal action. In most cases, companies should handle compliance policy violations internally before involving external authorities.

Disregard the incident because there is no confirmation of such a violation

Explanation

Disregarding the incident without confirmation of a violation can lead to potential risks and legal consequences for the company. It is essential to take all potential violations seriously and investigate them thoroughly.

Disable all access rights of the employee

Explanation

Disabling all access rights of the employee without proper investigation and confirmation of the violation can be seen as premature and may lead to legal issues. It is important to follow a structured process and gather evidence before taking such drastic actions.

Overall explanation

5.4 Summarize elements of effective security compliance.

Once a company has discovered that the actions of an employee may have violated a compliance policy, they should inform the employee about the possible violation and initiate an investigation. The investigation should be thorough to gather facts and evidence to determine the severity of the violation and take the appropriate action.

Domain

5.0 Security Program Management and Oversight

Question 16Skipped

An attacker managed to compromise the database of a company and transferred sensitive and personal customer data including credit card numbers to a remote and unknown server outside of the company’s network. What motivated such an attacker?

Correct answer

Data exfiltration for financial gain

Explanation

Data exfiltration for financial gain is a common motivation for attackers who compromise databases and steal sensitive information such as credit card numbers. This choice accurately reflects the actions of an attacker who transfers customer data to a remote server outside of the company’s network for monetary profit.

Ethical hacking

Explanation

Ethical hacking involves testing systems and networks for vulnerabilities with the permission of the system owner to improve security. It does not involve unauthorized access to sensitive data for financial gain, so this choice is not applicable to the attacker’s actions in the scenario.

Cybersecurity awareness

Explanation

Cybersecurity awareness would not motivate an attacker to compromise a company’s database and transfer sensitive customer data for financial gain. This choice is not relevant to the scenario described in the question.

Research and development

Explanation

Research and development typically involve legitimate activities aimed at improving products or services. Unauthorized access to a company’s database and transferring sensitive customer data for financial gain does not align with the goals of research and development, making this choice incorrect in the context of the question.

Overall explanation

2.1 Compare and contrast common threat actors and motivations.

The most likely motivation of an attacker compromising a database to leave with credit card numbers is data exfiltration for financial gain, such as selling the card numbers on the dark web or using them to perform fraudulent transactions.

Domain

2.0 Threats, Vulnerabilities, and Mitigations

Question 17Skipped

A large corporation has implemented a network security architecture that may isolate and protect critical internal resources from direct external access. They have configured the firewall to allow traffic to flow from the internal network to the DMZ but have restricted all traffic that comes from the DMZ to the internal network. What type of firewall configuration is this?

Correct answer

Screened subnet

Explanation

A screened subnet, also known as a DMZ (demilitarized zone), is a network segment that separates the internal network from an external network, such as the internet. In this configuration, the firewall allows traffic from the internal network to the DMZ but restricts traffic from the DMZ to the internal network, providing isolation and protection for critical internal resources.

Circuit level gateway

Explanation

A circuit level gateway operates at the session layer of the OSI model and can monitor and filter traffic based on sessions. It does not provide the specific isolation and protection of critical internal resources from direct external access as described in the scenario.

Application proxy

Explanation

An application proxy acts as an intermediary between external users and internal resources, inspecting and filtering traffic at the application layer. While it can provide additional security for specific applications, it does not describe the firewall configuration in the scenario.

Bastion host

Explanation

A bastion host is a highly secured server located on a network that is exposed to an untrusted network, such as the internet. It acts as a gateway for users to access the internal network securely. However, in this scenario, the firewall configuration does not involve a specific host for external access.

Overall explanation

4.5 Given a scenario, modify enterprise capabilities to enhance security.

The corporation has implemented a screened subnet firewall configuration. The demilitarized zone (DMZ) acts as an additional layer of protection between internal and external networks such as the Internet. The firewall is set up to allow traffic to flow from the internal network to the DMZ while limiting the traffic from the DMZ to the internal network.

Domain

4.0 Security Operations

Question 18Skipped

A customer has initialized a transaction to transfer funds to another account in an online banking system. The customer was presented with a confirmation message and proceeded with the transaction. At a later point in time, the customer denies having performed the transaction. Which concept of security ensures that the customer cannot deny that they conducted the fund transfer?

Integrity

Explanation

Integrity in the context of security ensures that data remains accurate, consistent, and unaltered. While integrity is important in maintaining the trustworthiness of data, it does not directly address the issue of denying a transaction in an online banking system.

Confidentiality

Explanation

Confidentiality in the context of security ensures that sensitive information is protected from unauthorized access. While confidentiality is important in banking systems, it does not address the issue of denying a transaction that has been conducted.

Correct answer

Non-repudiation

Explanation

Non-repudiation is the concept in security that ensures that a party cannot deny the authenticity or integrity of a communication or transaction that they have conducted. In the case of the online banking system, non-repudiation would prevent the customer from denying that they initiated the fund transfer.

Availability

Explanation

Availability in the context of security ensures that resources and services are available and accessible to authorized users when needed. It does not directly address the issue of denying a transaction in an online banking system.

Overall explanation

1.2 Summarize fundamental security concepts.

Non-repudiation is a security fundamental that ensures a party cannot claim that they did not perform a transaction when they did. In this scenario, the evidence that the customer initiated a transaction to transfer the funds to another account in the online banking system is provided by non-repudiation, preventing them from denying their involvement in the transaction.

Domain

1.0 General Security Concepts

Question 19Skipped

A cybersecurity analyst at a large financial organization is monitoring the traffic patterns and notices that none of the security systems have triggered alerts for any of the observed events. The analyst proactively initiates a search for explanations of the possible anomaly. What activity is the analyst engaged in?

Root cause analysis

Explanation

Root cause analysis is the process of identifying the underlying cause of a problem or issue to prevent its recurrence in the future. While root cause analysis is important for understanding the reasons behind security incidents, the analyst in this scenario is not investigating a specific incident but rather looking for potential anomalies in the network traffic patterns.

Digital forensics

Explanation

Digital forensics involves the collection, preservation, analysis, and presentation of digital evidence for investigative purposes. It is typically used after a security incident has occurred to gather evidence for legal or disciplinary actions. The analyst in this scenario is not conducting a digital forensics investigation but rather proactively searching for anomalies.

Correct answer

Threat hunting

Explanation

Threat hunting is the correct choice because it involves actively searching for signs of malicious activity or potential threats within an organization’s network. By initiating a search for explanations on the anomaly without any alerts triggered, the analyst is engaging in threat hunting to identify and address potential security issues before they escalate.

Incident response

Explanation

Incident response typically involves reacting to and mitigating security incidents that have already occurred. It focuses on containing the incident, eradicating the threat, and recovering from the impact. In this scenario, the analyst is not responding to a specific incident but rather proactively searching for potential threats.

Overall explanation

4.8 Explain appropriate incident response activities.

The cybersecurity analyst is engaged in threat hunting by proactively searching for information that may explain the anomalies noticed and reveal potential threats within their network.

Domain

4.0 Security Operations

Question 20Skipped

The IT team is concerned about the security risks that result from a critical legacy application that no longer has support from its vendor being used as it is essential for day-to-day operations. What should they do about this?

Use online communities and repositories to find patches with time

Explanation

While using online communities and repositories to find patches may seem like a viable option, it is not a reliable or secure solution for addressing the security risks associated with an unsupported legacy application. Relying on unofficial patches can introduce additional vulnerabilities and may not provide adequate protection.

Run the legacy application in an air-gapped network

Explanation

Running the legacy application in an air-gapped network can help isolate it from external threats, but it does not address the underlying issue of using an unsupported and potentially vulnerable application. It may provide temporary security, but finding a long-term solution is necessary.

Decommission the legacy application right away

Explanation

Decommissioning the legacy application right away may seem like a drastic measure, but it is necessary to eliminate the security risks posed by using an unsupported application. Continuing to use the legacy application without vendor support puts the organization at risk of security breaches and data loss.

Correct answer

Find a supported and modern alternative to replace the legacy application

Explanation

Finding a supported and modern alternative to replace the legacy application is the best course of action to mitigate security risks. Using an unsupported application can expose the organization to various vulnerabilities and threats, so transitioning to a supported alternative is crucial for maintaining security.

Overall explanation

2.2 Explain common threat vectors and attack surfaces.

The IT team should find a supported and modern alternative to replace the legacy application that no longer has support from its vendor. Unsupported applications may not receive security patches, leaving them vulnerable to security risks.

Domain

2.0 Threats, Vulnerabilities, and Mitigations

Question 21Skipped

What is the primary characteristic of an air-gapped network that has been implemented by an organization dealing with highly classified government files?

It allows users to access the network remotely

Explanation

An air-gapped network by definition does not allow any external connections, including remote access. This level of isolation is crucial for highly classified government files to prevent any unauthorized access or data breaches.

It provides a direct link to the internet

Explanation

Providing a direct link to the internet goes against the fundamental principle of an air-gapped network, which is to completely isolate the network from external connections. This direct link would compromise the security and integrity of the highly classified government files.

Correct answer

It provides isolation from the internet and external networks

Explanation

The primary characteristic of an air-gapped network, especially for organizations dealing with highly classified government files, is the complete isolation from the internet and external networks. This level of isolation ensures that the sensitive information remains secure and protected from any external threats.

It centralizes all network components to one location

Explanation

Centralizing all network components to one location is not a primary characteristic of an air-gapped network. While it may be a design choice for some networks, it is not directly related to the isolation from external networks that defines an air-gapped network.

Overall explanation

3.1 Compare and contrast security implications of different architecture models.

An air-gapped network provides isolation from the internet and external networks to prevent illegitimate access to the network and protect the systems from data exfiltration and intrusions that could lead to a compromise.

Domain

3.0 Security Architecture

Question 22Skipped

A company uses IoT devices to monitor the environmental conditions throughout its facility. The security management has raised concerns about the vulnerabilities associated with the devices and has initiated a hardening process. What is a key step that should be taken?

Disabling all the users with access to the IoT devices

Explanation

Disabling all users with access to the IoT devices may prevent unauthorized access, but it is not a key step in the hardening process. It is essential to focus on securing the devices themselves rather than just restricting user access.

Place the devices in a separate network

Explanation

Placing the devices in a separate network, also known as network segmentation, is a good security practice to isolate IoT devices from the main network. While this can enhance security, it is not as critical as regularly updating the firmware of the IoT devices.

Implementing firewall rules to deny access to the devices

Explanation

Implementing firewall rules to deny access to the devices can help control network traffic and prevent unauthorized access. While firewall rules are important for network security, they are not as crucial as regularly updating the firmware of the IoT devices to address vulnerabilities specific to the devices themselves.

Correct answer

Updating the IoT firmware regularly

Explanation

Updating the IoT firmware regularly is a key step in the hardening process. Firmware updates often include security patches that address known vulnerabilities and help protect the devices from potential attacks. Regular updates ensure that the devices are equipped with the latest security measures.

Overall explanation

4.1 Given a scenario, apply common security techniques to computing resources.

The key step to be taken by the company during the hardening process is updating the IoT firmware regularly to ensure security and reduce the risk of exploitation by patching all known vulnerabilities.

Domain

4.0 Security Operations

Question 23Skipped

An e-commerce website has a poorly implemented input validation mechanism that takes in the credit card information of customers during a checkout process. What security risk is associated with a hacker who notices this and attempts to exploit the weakness?

SSL certificate exposure

Explanation

SSL certificate exposure is not the security risk associated with a hacker exploiting a poorly implemented input validation mechanism for credit card information. SSL certificates are used to secure the communication between a user’s browser and the website, ensuring data confidentiality and integrity.

Inaccessibility of the login page

Explanation

Inaccessibility of the login page is not the security risk associated with a hacker exploiting a poorly implemented input validation mechanism for credit card information. Inaccessibility of the login page may be caused by various factors, but it is not directly related to the theft of sensitive customer data.

DDoS attacks

Explanation

DDoS attacks are not directly related to the security risk associated with a poorly implemented input validation mechanism for credit card information. DDoS attacks aim to overwhelm a website or service with a high volume of traffic, causing it to become unavailable to legitimate users.

Correct answer

Theft of sensitive customer data

Explanation

Theft of sensitive customer data is the security risk associated with a hacker exploiting a poorly implemented input validation mechanism for credit card information. If a hacker can bypass the input validation mechanism, they can potentially steal sensitive customer data, such as credit card information, leading to financial loss and privacy breaches.

Overall explanation

4.1 Given a scenario, apply common security techniques to computing resources.

The e-commerce website of the company is at risk of theft of sensitive customer data as their poorly implemented input validation mechanism may allow the injection of malicious input by an attacker and lead to the credit card information it handles being stolen.

Domain

4.0 Security Operations

Question 24Skipped

As a company designs its network infrastructure, where should it consider placing the security devices within the architecture to ensure that sensitive data is adequately protected?

In a honeypot

Explanation

Placing security devices in a honeypot is not ideal for protecting sensitive data within the network infrastructure. A honeypot is a decoy system designed to lure in attackers and divert their attention away from critical assets. While honeypots can be useful for detecting and analyzing cyber threats, they are not the primary location for protecting sensitive data.

DMZ

Explanation

Placing security devices in the DMZ (Demilitarized Zone) is important for segregating and securing public-facing services, such as web servers, from the internal network. While the DMZ plays a crucial role in enhancing network security, it is not the primary location for protecting sensitive data within the network infrastructure. Additional security measures at other key locations, such as the network perimeter, are also necessary to ensure comprehensive protection.

Correct answer

At the network perimeter

Explanation

Placing security devices at the network perimeter is essential for protecting sensitive data within the network infrastructure. The network perimeter is the boundary between the internal network and external networks, such as the internet. By implementing security devices at this location, the company can monitor and control incoming and outgoing traffic to prevent unauthorized access and data breaches.

At the user endpoints

Explanation

Placing security devices at user endpoints is important for securing individual devices and preventing unauthorized access. However, this alone may not be sufficient to ensure the protection of sensitive data across the entire network infrastructure. Endpoint security is crucial, but additional measures at other strategic locations are also necessary.

Overall explanation

3.2 Given a scenario, apply security principles to secure enterprise infrastructure.

The company should consider placing its security devices at the network perimeter to protect sensitive data by traffic filtering and inspection as it enters and leaves the network. Potential security threats are blocked from reaching critical internal resources.

Domain

3.0 Security Architecture

Question 25Skipped

A company is performing an internal review of its password policy as part of its security governance operations. Which of the following practices complements effective security governance for the passwords?

Promote password sharing

Explanation

Promoting password sharing is a significant security risk and contradicts effective security governance practices. Sharing passwords compromises the confidentiality and integrity of sensitive information, making it easier for unauthorized individuals to gain access to systems and data.

Insist users write down their passwords to not forget them

Explanation

Insisting users write down their passwords goes against effective security governance practices. Writing down passwords increases the risk of unauthorized access, as physical copies of passwords can be lost, stolen, or accessed by unauthorized individuals.

Allow users to change their passwords only when they feel like doing so

Explanation

Allowing users to change their passwords only when they feel like doing so does not align with effective security governance. Regular password changes are essential to mitigate the risk of unauthorized access and enhance overall security posture.

Correct answer

Implementing multi-factor authentication

Explanation

Implementing multi-factor authentication complements effective security governance for passwords by adding an additional layer of security beyond just a password. Multi-factor authentication requires users to provide multiple forms of verification, such as a password and a unique code sent to their mobile device, significantly enhancing security.

Overall explanation

5.1 Summarize elements of effective security governance.

Implementing multi-factor authentication complements effective security governance of passwords because, if a password is compromised, it alone will not be enough to break the authentication. Another factor will be needed, such as a code from a token device or a biometric such as a fingerprint.

Domain

5.0 Security Program Management and Oversight

Question 26Skipped

The network team at a company uses SNMP to monitor their network devices. They receive a trap on the SNMP manager that points out a router with excessive CPU utilization beyond the threshold capacity. What does the trap portray?

Successful SNMP communication with the router

Explanation

The trap does not signify successful SNMP communication with the router. It specifically highlights the issue of excessive CPU utilization on the router, which requires attention and remediation to ensure optimal network performance and security.

Correct answer

An anomaly or security incident

Explanation

The trap indicating excessive CPU utilization beyond the threshold capacity on a router is typically an indication of an anomaly or security incident. This could be due to a potential attack, misconfiguration, or a performance issue that needs to be addressed promptly.

A request to allocate CPU to the router

Explanation

The trap does not represent a request to allocate CPU to the router. Instead, it alerts the network team about the router’s CPU utilization exceeding the threshold capacity, prompting them to investigate and take necessary actions to address the issue.

Unsuccessful SNMP communication with the router

Explanation

The trap received on the SNMP manager does not indicate unsuccessful SNMP communication with the router. Instead, it provides valuable information about the router’s CPU utilization exceeding the threshold capacity, which is crucial for network monitoring and management.

Overall explanation

4.4 Explain security alerting and monitoring concepts and tools.

The Simple Network Management Protocol (SNMP) trap portrays an anomaly or security incident. Traps are asynchronous notifications sent to an SNMP manager by network devices to alert it about specific network events or conditions. In the given scenario, the trap indicating excessive CPU utilization on the router denotes an anomaly or security incident.

Domain

4.0 Security Operations

Question 27Skipped

A multinational corporation with multiple branch offices and employees working remotely aims to upgrade its network security and access mechanisms for users to its cloud applications. They intend to adopt a solution that is comprised of both network security and wide-area networking features. What architecture shall best address the organization’s needs?

VPN

Explanation

VPN (Virtual Private Network) is a secure tunnel that allows remote users to access the organization’s network resources securely. While VPNs provide network security and remote access features, they do not inherently include wide-area networking capabilities, which may not fully address the organization’s needs for both network security and wide-area networking features.

Correct answer

SASE

Explanation

SASE (Secure Access Service Edge) is a cloud-native architecture that combines network security and wide-area networking features into a single integrated solution. SASE provides secure access to cloud applications for remote users while also offering network security capabilities such as secure web gateways, firewall as a service, and zero trust network access. This architecture aligns with the organization’s goal of upgrading network security and access mechanisms for cloud applications.

MPLS

Explanation

MPLS (Multiprotocol Label Switching) is a technology used for creating private networks over a service provider’s infrastructure. While MPLS offers wide-area networking capabilities, it does not inherently include network security features. Therefore, MPLS alone may not be the best solution for addressing the organization’s needs for both network security and wide-area networking features.

WAN

Explanation

WAN (Wide Area Network) is a network that connects multiple locations over a wide geographic area. While WANs provide wide-area networking capabilities, they do not inherently include network security features. Therefore, relying solely on a traditional WAN may not fully address the organization’s needs for both network security and wide-area networking features.

Overall explanation

3.2 Given a scenario, apply security principles to secure enterprise infrastructure.

Secure Access Service Edge (SASE) is an enterprise security architecture that combines network security and wide-area networking capabilities. It is well suited for the multinational corporation in the question that has multiple branches and employees working remotely to access cloud applications.

Domain

3.0 Security Architecture

Question 28Skipped

A small business startup wants a firewall solution to safeguard its internal network from external attacks. They are looking for one that runs at Layer 4 of the OSI model. What firewall do they need?

Application

Explanation

An Application firewall operates at Layer 7 (Application Layer) of the OSI model, focusing on filtering and monitoring traffic based on specific applications or protocols. While it provides granular control, it is not specifically designed to operate at Layer 4 for network protection.

Packet Filter

Explanation

A Packet Filter firewall operates at Layer 3 (Network Layer) of the OSI model, inspecting and filtering traffic based on IP addresses, ports, and protocols. While it can provide basic network security, it does not offer the same level of protection as a Stateful firewall operating at Layer 4.

Correct answer

Stateful

Explanation

A Stateful firewall operates at Layer 4 (Transport Layer) of the OSI model, providing stateful packet inspection to track the state of active connections and make decisions based on the context of the traffic. It is an effective choice for safeguarding internal networks from external attacks.

Proxy

Explanation

A Proxy firewall operates at Layer 7 (Application Layer) of the OSI model, not Layer 4. It acts as an intermediary between internal and external networks, inspecting and filtering traffic based on application-layer data.

Overall explanation

3.2 Given a scenario, apply security principles to secure enterprise infrastructure.

A stateful firewall runs at layer 4 and can safeguard the startup's internal network from external attacks. It examines data at the transport layer (layer 4) and keeps track of active connections, therefore permitting or rejecting traffic based on its connection state.

Domain

3.0 Security Architecture

Question 29Skipped

A government agency wants to implement a key escrow as part of its encryption system that it uses for handling private communications. What do they need to achieve this?

Generating session keys using token generators

Explanation

Generating session keys using token generators may provide additional security for individual communication sessions, but it is not directly related to implementing a key escrow system. Key escrow involves long-term storage and management of encryption keys.

Correct answer

A trusted third party and strong cryptographic keys

Explanation

A key escrow system requires a trusted third party to securely store and manage cryptographic keys. Strong cryptographic keys are essential for ensuring the security of the encryption system and protecting private communications.

Ephemeral keys for encrypting communications

Explanation

Ephemeral keys are temporary keys used for a single communication session and are not suitable for implementing a key escrow system. Key escrow requires long-term storage and management of keys by a trusted third party.

Use the same key throughout the communication

Explanation

Using the same key throughout the communication, also known as static key encryption, is not recommended for secure communications. It does not provide the level of security and protection needed for handling private communications in a government agency. Key escrow systems require the secure storage and management of unique cryptographic keys.

Overall explanation

1.4 Explain the importance of using appropriate cryptographic solutions.

A government agency that wants to implement a key escrow shall need a trusted third party and strong cryptographic keys. The escrow ensures that the encryption keys can be accessed in case of emergencies or legal requirements, and recovered when the original key is lost.

Domain

1.0 General Security Concepts

Question 30Skipped

A healthcare facility is determined to strengthen its access control mechanisms to protect its patients' data. The Chief Information Officer (CIO) is taking up the task of overseeing the initiative. Which managerial control is the CIO responsible for as part of this task?

Encrypting sensitive data

Explanation

Encrypting sensitive data is a technical control rather than a managerial control. It involves implementing encryption algorithms and mechanisms to protect data at rest and in transit, which falls under the realm of technical security measures rather than managerial responsibilities.

Correct answer

Developing the security policy

Explanation

Developing the security policy is a managerial control that the CIO is responsible for as part of overseeing the initiative to strengthen access control mechanisms. Security policies outline the organization’s security objectives, rules, and responsibilities, providing guidance on how to protect sensitive data and manage access effectively.

Planning the incident response

Explanation

Planning the incident response is another important aspect of cybersecurity, but it is a separate control from managerial responsibilities related to access control mechanisms. Incident response planning involves preparing for and responding to security incidents, such as data breaches or cyber attacks, and is typically overseen by a dedicated incident response team or security operations center.

Configuring the network devices

Explanation

Configuring network devices is also a technical control that involves setting up firewalls, routers, switches, and other network equipment to secure the network infrastructure. This responsibility typically falls under the domain of network administrators or security engineers, not managerial roles like the CIO.

Overall explanation

1.1 Compare and contrast various types of security controls.

Developing the security policy is primarily the responsibility of the CIO. The CIO oversees the development of the policy for the governance of access to patient data. Managerial controls define the framework and security strategy of an organization.

Domain

1.0 General Security Concepts

Question 31Skipped

A security consultant is hired to perform physical penetration testing to assess the physical security posture of a corporate office. Which of the following actions is the consultant most likely going to be doing?

Scanning the network for vulnerabilities

Explanation

Scanning the network for vulnerabilities is related to network penetration testing, not physical penetration testing. In physical penetration testing, the focus is on assessing the physical security measures in place.

Tricking employees into surrendering their credentials

Explanation

Tricking employees into surrendering their credentials is a social engineering tactic and is not directly related to physical penetration testing, which involves assessing the physical security of the premises.

Correct answer

Picking locks on office doors

Explanation

Picking locks on office doors is a common activity in physical penetration testing, as it assesses the effectiveness of physical access controls and security measures in place at the corporate office.

Attempting to break into a website by brute force

Explanation

Attempting to break into a website by brute force is a form of cyber attack and is not part of physical penetration testing, which focuses on assessing the physical security of the premises.

Overall explanation

5.5 Explain types and purposes of audits and assessments.

Physical penetration testing involves attempts to break the physical access controls of the corporate office. Picking locks on office doors is a common method used to assess the effectiveness of physical security controls.

Domain

5.0 Security Program Management and Oversight

Question 32Skipped

A security administrator manages and mitigates vulnerabilities across the organization. After patching a critical vulnerability that was present in a server, the administrator needs to know whether the vulnerability was successfully remediated. What action should be taken?

Reboot the server

Explanation

Rebooting the server is not necessary to verify the successful remediation of a vulnerability. While a reboot may be required for some patches to take effect, it is not a reliable method to confirm that the vulnerability has been mitigated.

Reset the server settings to default

Explanation

Resetting the server settings to default is not a recommended action to verify the successful remediation of a vulnerability. This step may introduce unnecessary risks and potentially undo the patch that was applied to address the vulnerability. It is not a standard practice in vulnerability management.

Document the closure status

Explanation

Documenting the closure status is an important step in the vulnerability management process, but it does not directly verify the successful remediation of a specific vulnerability. It is essential for tracking and reporting purposes but does not provide confirmation of the fix.

Correct answer

Rescan the server to verify the fix

Explanation

Rescanning the server after applying the patch is essential to verify that the vulnerability has been successfully remediated. This step ensures that the patch was applied correctly and that the vulnerability is no longer present, providing confirmation of the fix.

Overall explanation

4.3 Explain various activities associated with vulnerability management.

To validate that the vulnerabilities have been successfully remediated, it is necessary to rescan the server to verify the fix. It is a best practice to validate that the patching or mitigation process was effective, to ensure that any vulnerabilities that previously existed are no longer exploitable.

Domain

4.0 Security Operations

Question 33Skipped

A company is enhancing its security architecture and wants to implement platform diversity as part of its initiative. What do they aim to achieve with this?

Increased complexity of security controls

Explanation

Increasing the complexity of security controls is not the primary goal of implementing platform diversity. While diversity may introduce some complexity, the main objective is to enhance security by leveraging the strengths of different platforms and technologies.

Correct answer

Improved resilience and fewer single points of failure

Explanation

Implementing platform diversity helps improve resilience and reduces the risk of single points of failure. By using a variety of platforms, the company can ensure that a security breach or failure in one platform does not compromise the entire security architecture.

Consistency by reliance on a single platform

Explanation

Relying on a single platform does not promote consistency in security architecture. In fact, it can create a single point of failure and increase the risk of a widespread security breach if that platform is compromised. Platform diversity aims to distribute risk and improve overall security posture.

Reduction in security layers

Explanation

Reducing security layers would actually weaken the security architecture, as multiple layers provide defense in depth against different types of threats. Platform diversity aims to strengthen security by introducing different technologies and platforms to mitigate risks.

Overall explanation

3.4 Explain the importance of resilience and recovery in security architecture.

The company can achieve improved resilience and fewer single points of failure with platform diversity. The risk of a single vulnerability or compromise impacting the entire security posture is reduced by the application of various security platforms, tools, and technologies.

Domain

3.0 Security Architecture

Question 34Skipped

Employees at a healthcare organization have different access levels to the records of the patients in the electronic health record (EHR) system. The doctors have the right to view and edit the patient information while the nurses can only view the information. Administrators are allowed to access all the records for maintenance purposes. What authorization model is exhibited in this scenario?

ABAC

Explanation

Attribute-Based Access Control (ABAC) is a model where access rights are determined by evaluating attributes associated with the user, resource, and environment. In this scenario, access levels are based on predefined roles rather than dynamic attributes, so ABAC is not the correct model.

MAC

Explanation

Mandatory Access Control (MAC) is a model where access rights are determined by the system rather than the owner. In this scenario, access levels are based on the roles of the users rather than system-enforced rules, so MAC is not applicable.

Correct answer

RBAC

Explanation

Role-Based Access Control (RBAC) is a model where access rights are assigned based on the roles of users within an organization. In this scenario, different roles (doctors, nurses, administrators) have different access levels to patient records, making RBAC the appropriate authorization model.

DAC

Explanation

Discretionary Access Control (DAC) is a model where access rights are determined by the owner of the resource. In this scenario, access levels are based on the roles of the users rather than the resource owner’s discretion, so DAC is not the correct model.

Overall explanation

1.2 Summarize fundamental security concepts.

The Role-Based Access Control (RBAC) model allows employees to have different levels of access based on the role that they play in the organization. Access rights and permissions are assigned to a user based on their respective roles, job functions, or responsibilities. In the scenario given, the doctor’s role requires viewing and editing the patient data, while the nurse’s job function only requires viewing the information the doctor updates.

Domain

1.0 General Security Concepts

Question 35Skipped

Robert works in the marketing department of a corporate organization. His key responsibilities are to manage the company’s social media profiles and generate engaging marketing content for the followers. Which access control principle should be enforced to ensure the strictest security without impacting Robert’s ability to do his job?

RBAC

Explanation

Role-Based Access Control (RBAC) is a method of restricting system access based on the roles of individual users within an organization. While RBAC can be effective in assigning permissions based on predefined roles, it may not be as granular as the least privilege principle in ensuring that Robert has the minimum necessary access for his specific job responsibilities.

Separation of duties

Explanation

Separation of duties is a principle that aims to prevent conflicts of interest and fraud by dividing tasks and responsibilities among multiple individuals. While it is important for maintaining internal controls, it may not be the most suitable principle for ensuring security without impacting Robert’s ability to perform his job in the marketing department.

Correct answer

Least privilege

Explanation

Least privilege is the principle of providing individuals with only the minimum level of access and permissions necessary to perform their job functions. By enforcing least privilege, Robert will have access only to the resources and systems required for managing social media profiles and creating marketing content, reducing the risk of unauthorized access and potential security breaches.

Need to know

Explanation

Need to know is a principle that restricts access to information to only those individuals who require it to perform their job functions. While it is important for protecting sensitive information, enforcing the need to know principle may be too restrictive for Robert’s role in the marketing department, potentially hindering his ability to generate engaging marketing content for the company’s followers.

Overall explanation

2.5 Explain the purpose of mitigation techniques used to secure the enterprise.

The principle of least privilege requires that individuals are granted the minimum level of access or only the necessary permissions required for them to perform their job functions. It reduces the risk of unauthorized access to sensitive data. In this scenario, the least privilege principle will ensure that Robert only has permissions and access to allow him to manage the company’s social media profiles and generate engaging marketing content for the followers.

Domain

2.0 Threats, Vulnerabilities, and Mitigations

Question 36Skipped

A company wants to execute a security strategy that is based on the workforce multiplier approach. Which of the following describes the concept of the approach they are trying to achieve?

Correct answer

Improving the capabilities of personnel using technology

Explanation

Improving the capabilities of personnel using technology is the core concept of the workforce multiplier approach. By leveraging technology to enhance the skills and productivity of existing employees, the company can achieve better security outcomes without necessarily hiring more staff.

Enhancing the security by increasing the work to be done

Explanation

Enhancing security by increasing the work to be done would not align with the concept of the workforce multiplier approach. The approach focuses on improving the efficiency and effectiveness of existing personnel through technology, rather than adding more work.

Increasing the security measures to have no leniency

Explanation

Increasing security measures to have no leniency does not directly relate to the concept of the workforce multiplier approach. The approach is more about optimizing the workforce’s capabilities through technology rather than solely relying on stricter security measures.

Hiring new employees to support the processes

Explanation

Hiring new employees to support the processes would not be in line with the workforce multiplier approach, as the focus is on maximizing the potential of existing personnel through technology rather than increasing headcount.

Overall explanation

4.7 Explain the importance of automation and orchestration related to secure operations.

The workforce multiplier approach involves improving the capabilities of personnel using technology and solutions such as automation, machine learning, and artificial intelligence to promote and extend the capabilities of security personnel. The approach increases the effectiveness of the security team and sets them up with the ability to handle a broad scope of security-related tasks and respond to threats.

Domain

4.0 Security Operations

Question 37Skipped

A government agency wants to streamline its process of maintaining security compliance across the operating systems, software, and various IT infrastructures within its environment. They have opted to implement a standard framework to help them automate the process of measuring, assessing, and reporting vulnerabilities. Which of the following options will help them accomplish this?

CVE

Explanation

CVE (Common Vulnerabilities and Exposures) is a dictionary of publicly known information security vulnerabilities and exposures. While CVE provides a unique identifier for each vulnerability, it does not offer automation capabilities for measuring, assessing, and reporting vulnerabilities across diverse IT environments.

SIEM

Explanation

SIEM (Security Information and Event Management) is a tool used for collecting, analyzing, and correlating security events and logs from various sources. While SIEM is essential for monitoring and detecting security incidents, it is not specifically designed to automate the process of measuring, assessing, and reporting vulnerabilities across operating systems and IT infrastructures.

CVSS

Explanation

CVSS (Common Vulnerability Scoring System) is a framework used to assess and prioritize vulnerabilities based on their severity. While CVSS is crucial for understanding the impact of vulnerabilities, it does not provide automation capabilities for measuring, assessing, and reporting vulnerabilities across different IT environments.

Correct answer

SCAP

Explanation

SCAP (Security Content Automation Protocol) is a standard framework designed to automate the process of measuring, assessing, and reporting vulnerabilities across operating systems, software, and IT infrastructures. SCAP enables organizations to streamline security compliance efforts by providing a standardized approach to vulnerability management.

Overall explanation

4.4 Explain security alerting and monitoring concepts and tools.

The Security Content Automation Protocol (SCAP) will help the government agency automate its vulnerability assessment, measuring, and reporting in a standardized framework. The framework allows organizations to assess and monitor their software and hardware security configurations consistently with automation that suits diverse IT environments.

Domain

4.0 Security Operations

Question 38Skipped

An employee working remotely receives an email from the company’s CFO requesting to be granted access to sensitive financial data. The email includes a link to a login page. What action should the employee take?

Immediately click the link and attend to the CFO’s request

Explanation

Immediately clicking the link and attending to the CFO’s request can be risky as it may lead to a phishing attack or unauthorized access to sensitive financial data. It is crucial to verify the authenticity of such requests before taking any action.

Ignore the email

Explanation

Ignoring the email is not the best course of action as it leaves the situation unresolved and potentially puts the company’s sensitive financial data at risk. It is important to address the request appropriately to ensure security.

Correct answer

Contact the IT department for guidance

Explanation

Contacting the IT department for guidance is the correct action to take in this scenario. The IT department can verify the legitimacy of the email and the request, ensuring that sensitive data is not compromised through phishing attempts.

Reply to the CFO asking for further information

Explanation

Replying to the CFO asking for further information may not be the most secure option as it could potentially engage with a phishing attempt. It is safer to involve the IT department to verify the legitimacy of the request before responding.

Overall explanation

5.6 Given a scenario, implement security awareness practices.

The employee should contact the IT department for guidance and verification of the legitimacy of the email. Caution should be exhibited by the employee to not immediately click on the link to the login page or give access to the sensitive financial data being requested. Employees should be trained to recognize suspicious requests and take the appropriate action.

Domain

5.0 Security Program Management and Oversight

Question 39Skipped

A company is in the process of introducing a high-availability solution for the critical servers within its infrastructure. What should they expect by installing multiple servers in a cluster?

Correct answer

Redundancy and fault tolerance

Explanation

By installing multiple servers in a cluster, the company can expect redundancy and fault tolerance. This means that if one server fails, the workload can be automatically shifted to another server in the cluster, ensuring continuous availability of critical services.

Enhanced data security

Explanation

Enhanced data security is not a direct result of installing multiple servers in a cluster. While clustering can improve data security by providing redundancy and fault tolerance, the primary focus of clustering in this context is to ensure high availability of critical servers rather than specifically enhancing data security.

Efficient load balancing

Explanation

Efficient load balancing can be achieved by installing multiple servers in a cluster, but it is not the only outcome. Load balancing is a technique used to distribute incoming network traffic across multiple servers to optimize resource utilization, but the main purpose of clustering in this scenario is to provide redundancy and fault tolerance.

High speed processing

Explanation

High speed processing is not necessarily a direct result of installing multiple servers in a cluster. While distributing the workload across multiple servers can improve performance, the primary benefit of clustering is redundancy and fault tolerance rather than high speed processing.

Overall explanation

3.4 Explain the importance of resilience and recovery in security architecture.

The company should expect redundancy and fault tolerance by installing multiple servers in a cluster. Clustering allows a group of servers to work together as a unified system to minimize downtime due to failures and ensure high availability. It may offer improved performance; however, its primary purpose is to provide resilience and uptime.

Domain

3.0 Security Architecture

Question 40Skipped

A system administrator is looking to implement mandatory access control settings on a Red Hat Enterprise Linux Server. Which setting should be enabled to establish such a configuration?

OpenSSL

Explanation

OpenSSL is an open-source toolkit for Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, used for encryption and secure communication. While it is essential for securing communications, it is not directly related to implementing mandatory access control settings on a Linux server.

Group policy

Explanation

Group policy is a feature in Windows operating systems, not in Red Hat Enterprise Linux Server. It is used to manage user and computer configurations in an Active Directory environment, not for establishing mandatory access control settings in Linux.

sshd

Explanation

SSHD (Secure Shell Daemon) is a service that allows secure remote access to a Linux server using the SSH protocol. While SSHD is crucial for secure remote access, it is not specifically related to implementing mandatory access control settings on the server.

Correct answer

SELinux

Explanation

SELinux (Security-Enhanced Linux) is a mandatory access control security mechanism implemented in Red Hat Enterprise Linux Server. It provides fine-grained access control policies that restrict the actions of users and processes based on security policies defined by the system administrator.

Overall explanation

4.5 Given a scenario, modify enterprise capabilities to enhance security.

Security-Enhanced Linux (SELinux) is a mandatory access control (MAC) system for Linux that allows administrators to define fine-grained security policies for system processes, applications, and users, providing an additional security layer and enhancing the overall system security.

Domain

4.0 Security Operations

Question 41Skipped

What solution should an organization that runs its operations across various regions in the country consider implementing to allow seamless access for their employees across the regions to the various company resources without managing multiple sets of credentials?

OAuth

Explanation

OAuth is an open standard for access delegation commonly used for authorization purposes. While OAuth can be used to grant access to resources without sharing credentials, it is not specifically designed to provide seamless access for employees across regions without managing multiple sets of credentials.

LDAP

Explanation

LDAP (Lightweight Directory Access Protocol) is a protocol used for accessing and maintaining distributed directory information services over an IP network. While LDAP can centralize user authentication and authorization, it does not provide seamless access for employees across regions without managing multiple sets of credentials.

Correct answer

SSO with Federation

Explanation

SSO (Single Sign-On) with Federation allows users to access multiple applications with a single set of credentials. By implementing SSO with Federation, employees across different regions can seamlessly access company resources without the need to manage multiple sets of credentials, improving user experience and security.

SAML

Explanation

SAML (Security Assertion Markup Language) is an XML-based open standard for exchanging authentication and authorization data between parties. While SAML can facilitate single sign-on and identity federation, it is typically used in conjunction with SSO solutions like SSO with Federation to enable seamless access for users across regions.

Overall explanation

4.6 Given a scenario, implement and maintain identity and access management.

The organization should consider single sign-on (SSO) with Federation to achieve seamless access to the company resources for its employees across the various regions in the country without managing multiple sets of credentials. The solution allows users to log in only once to access resources across the different domains and regions.

Domain

4.0 Security Operations

Question 42Skipped

The IT department has identified a software application that has not been receiving security updates for an extended period of time. What is their primary concern?

The software vendors may have more updates coming

Explanation

While it is possible that software vendors may release more updates in the future, the primary concern is the existing vulnerabilities in the software due to missing patches. These vulnerabilities can be exploited by attackers to compromise the security of the application.

The security administrators may not find the patches later

Explanation

The concern is not about security administrators not finding the patches later. The main issue is the immediate risk posed by the software application not receiving security updates, leaving it vulnerable to potential cyber threats.

Correct answer

Vulnerabilities in the software due to missing patches

Explanation

This choice is correct because the primary concern of the IT department is the vulnerabilities in the software due to missing patches. Without security updates, the software is at risk of being exploited by cyber attackers, potentially leading to data breaches or system compromises.

The vulnerability management program may become congested

Explanation

The primary concern is not related to the vulnerability management program becoming congested. The main issue is the potential security risks associated with the software application not receiving security updates.

Overall explanation

2.2 Explain common threat vectors and attack surfaces.

The primary concern for the IT department for the identified unpatched software is vulnerabilities in the software due to missing patches. Such vulnerabilities may lead to potential exploitation by malicious threat actors causing unaccounted and unrecoverable losses.

Domain

2.0 Threats, Vulnerabilities, and Mitigations

Question 43Skipped

A malicious attacker has uncovered a vulnerability in a web application that allows unauthorized code to be executed. Which technique will the attacker most likely use to compromise the web application?

SQL Injection

Explanation

SQL Injection is a type of attack where malicious SQL statements are inserted into an entry field for execution. While SQL Injection can be used to manipulate databases and access sensitive information, it is not typically used to execute unauthorized code within the web application itself.

Correct answer

Memory Injection

Explanation

Memory Injection is a technique where an attacker injects malicious code into the memory space of a running process. This technique can be used to execute unauthorized code within the web application, making it a likely choice for compromising the application in the scenario described.

XSS

Explanation

XSS (Cross-Site Scripting) is a type of attack where malicious scripts are injected into web pages viewed by other users. While XSS can be used to steal information or perform other malicious actions, it is not typically used to execute unauthorized code within the web application itself.

XSRF

Explanation

XSRF (Cross-Site Request Forgery) is a type of attack where a user is tricked into executing unwanted actions on a web application in which they are authenticated. While XSRF can lead to unauthorized actions being performed by the user, it is not typically used to execute unauthorized code within the web application itself.

Overall explanation

2.3 Explain various types of vulnerabilities.

The attacker will most likely use memory injection to execute unauthorized code to compromise the web server. The technique involves injecting malicious instructions into the application’s memory space and, as a result, compromising the application’s security and integrity.

Domain

2.0 Threats, Vulnerabilities, and Mitigations

Question 44Skipped

A company wants to enhance its network security by implementing a Zero Trust model. What is the primary use of the control plane that they are currently setting up?

The control plane deals with traffic flow and control

Explanation

The control plane is responsible for managing and controlling the flow of network traffic, including routing decisions and network protocols. While it plays a crucial role in network operations, it is not primarily focused on enforcing access control and security policies in the context of a Zero Trust model.

The control plane performs intrusion detection and prevention

Explanation

Intrusion detection and prevention systems are typically part of the data plane, which is responsible for inspecting and filtering network traffic for security threats. The control plane, on the other hand, is primarily focused on enforcing access control and security policies to ensure a Zero Trust environment.

The control plane scans the network for malware and viruses

Explanation

While network security controls such as malware and virus scanning are important components of overall network security, they are typically associated with the data plane rather than the control plane. The control plane focuses more on access control and policy enforcement in the context of a Zero Trust model.

Correct answer

The control plane enforces access control and security policies

Explanation

In the context of implementing a Zero Trust model, the primary use of the control plane is to enforce access control and security policies. It is responsible for determining who can access what resources within the network based on strict authentication and authorization mechanisms.

Overall explanation

1.2 Summarize fundamental security concepts.

In the Zero Trust model, the control plane enforces access control and security policies. The controls are based on contextual factors and the identity of users and devices. It does not solely rely on traditional perimeter defenses such as intrusion detection but focuses more on continuously verifying the identities and ensuring the least privileged access.

Domain

1.0 General Security Concepts

Question 45Skipped

As a security analyst reviews the logs of a critical server in the organization’s data center, he notices that the logs for a specific period are completely missing from the log repository of the server. What indication is given by the missing log data?

Correct answer

The logs have been erased to hide the tracks of an intrusion

Explanation

The missing log data could indicate that the logs have been deliberately erased to cover up the tracks of an intrusion. This action is often taken by attackers to hide their activities and make it difficult for security analysts to detect unauthorized access or malicious actions.

There was an ongoing backup of the logs

Explanation

Ongoing backup of logs would not lead to the logs for a specific period being completely missing. The logs should still be available in the backup repository.

The logging feature was disabled to patch the server

Explanation

Disabling the logging feature to patch the server would not result in the logs for a specific period being completely missing. The logs would still be available before and after the patching process.

The logs sometimes may not write themselves, so it is normal behavior

Explanation

Logs not writing themselves is not normal behavior and indicates a potential issue with the logging mechanism or configuration. However, it would not result in logs for a specific period being completely missing.

Overall explanation

2.4 Given a scenario, analyze indicators of malicious activity.

The missing log data noticed by the security analyst most likely indicates that the logs have been erased to hide the tracks of an intrusion. The absence of log data on a critical server in most cases points to malicious activity. Deletion of logs is a common technique used by attackers to avoid detection.

Domain

2.0 Threats, Vulnerabilities, and Mitigations

Question 46Skipped

A smartphone manufacturer has equipped the devices it produces with a secure enclave. What is the purpose of such a feature?

To create a fascinating user experience

Explanation

Creating a fascinating user experience is not the primary purpose of a secure enclave in a smartphone. While security features can enhance the overall user experience, the main goal of a secure enclave is to provide a secure environment for sensitive data and operations.

Correct answer

To provide an isolated and secure environment

Explanation

The correct choice. A secure enclave in a smartphone is designed to provide an isolated and secure environment within the device. It helps protect sensitive data, cryptographic keys, and secure operations from unauthorized access or tampering.

To switch off the device if it is stolen

Explanation

While the ability to switch off a device remotely if it is stolen can be a security feature, it is not directly related to the purpose of a secure enclave. The primary function of a secure enclave is to provide a protected space within the device for sensitive operations and data.

To protect the device from internet hackers

Explanation

Protecting the device from internet hackers is a valid concern for smartphone security, but the secure enclave specifically focuses on providing an isolated and secure environment within the device itself. It is not solely aimed at protecting the device from external threats like internet hackers.

Overall explanation

1.4 Explain the importance of using appropriate cryptographic solutions.

A secure enclave is used to provide an isolated and secure environment within the hardware or software of a device that is designed to store and process sensitive information securely. It protects critical operations on confidential data such as authentication, storage, and encryption.

Domain

1.0 General Security Concepts

Question 47Skipped

The cybersecurity policies and practices of a large corporation are being reviewed internally. Setting the cybersecurity initiatives and strategic direction of the organization is mainly the responsibility of the senior executives, the CIO, and the CEO. What is the role of the board of directors in relation to cybersecurity?

Prepare the cybersecurity policy

Explanation

The preparation of cybersecurity policies is often the responsibility of the organization’s cybersecurity team, IT department, or legal department. While the board of directors may approve and oversee the policies, they are not typically responsible for drafting them.

Perform cybersecurity awareness training

Explanation

Performing cybersecurity awareness training is usually the responsibility of the organization’s training or HR department. While the board of directors may support and promote cybersecurity awareness initiatives, they are not typically responsible for directly conducting the training.

Implementation of cybersecurity controls

Explanation

The implementation of cybersecurity controls is typically the responsibility of the IT department, security team, or designated cybersecurity professionals within the organization. The board of directors is not directly involved in the day-to-day implementation of controls.

Correct answer

Provide oversight and set the cybersecurity strategy

Explanation

Providing oversight and setting the cybersecurity strategy is a key role of the board of directors in relation to cybersecurity. The board is responsible for ensuring that the organization’s cybersecurity initiatives align with its overall strategic goals and objectives. They provide guidance, direction, and governance to ensure the organization’s cybersecurity posture is effective and aligned with best practices.

Overall explanation

5.1 Summarize elements of effective security governance.

The role of the board of directors in relation to cybersecurity is to provide oversight and set the cybersecurity strategy. They ensure that the organization’s efforts made for cybersecurity align with its overall goals and play a crucial role in cybersecurity governance and high-level decision-making.

Domain

5.0 Security Program Management and Oversight

Question 48Skipped

An organization is currently facing an individual who has requested all her personal data to be deleted from their database. The organization collected and stored this data legitimately, but the user claims she has the right for her data to be forgotten. What should the organization do?

Reject the request due to data retention policies

Explanation

Rejecting the request solely based on data retention policies without considering the individual’s right to erasure can result in non-compliance with data protection laws. It is crucial to evaluate the request and legal requirements before making a decision.

Delete all the individual’s data immediately from all stored locations

Explanation

Deleting all the individual’s data immediately from all stored locations without assessing the request and legal obligations can lead to potential legal consequences for the organization. It is essential to verify the legitimacy of the request and any legal exemptions before taking action.

Request the user to pay a significant fee for such a service request

Explanation

Requesting the user to pay a significant fee for a data deletion service request is not in line with data protection regulations. Individuals have the right to request the deletion of their personal data without being charged for such a service. It is important for the organization to handle data deletion requests in accordance with legal requirements.

Correct answer

Perform an assessment of the request and check for any legal exemptions

Explanation

Performing an assessment of the request and checking for any legal exemptions is the correct course of action for the organization. It is important to ensure compliance with data protection regulations such as GDPR, which may have specific exemptions or requirements for data deletion requests.

Overall explanation

5.4 Summarize elements of effective security compliance.

The organization should perform an assessment of the request and check for any legal exemptions. In some cases, there may be legitimate reasons for retaining the data, such as legal obligations or legitimate business purposes, so not all requests for the right to be forgotten may be fulfilled.

Domain

5.0 Security Program Management and Oversight

Question 49Skipped

The security team has implemented a wireless device heat map topology to visualize the strength of wireless signals across the organization’s premises. What is the main purpose of such an implementation?

To maintain the guest wireless network

Explanation

Maintaining the guest wireless network is not the main purpose of implementing a wireless device heat map topology. This implementation is more focused on optimizing the placement of wireless access points for signal strength and coverage.

Correct answer

To optimally place the wireless access points

Explanation

The main purpose of implementing a wireless device heat map topology is to optimally place the wireless access points. By visualizing the strength of wireless signals across the organization’s premises, the security team can strategically place access points to ensure better coverage and performance of the wireless network.

To block unencrypted wireless connections

Explanation

Blocking unencrypted wireless connections is a security measure to protect data in transit, but it is not the main purpose of a wireless device heat map topology. This implementation is more about optimizing the placement of wireless access points for optimal signal strength and coverage.

To determine the rogue wireless devices

Explanation

Determining rogue wireless devices is an important security measure, but it is not the main purpose of implementing a wireless device heat map topology. This implementation is primarily used to optimize the placement of wireless access points for better signal coverage.

Overall explanation

4.1 Given a scenario, apply common security techniques to computing resources.

A wireless device heat map topology is mainly used to optimally place the wireless access points, ensuring reliable wireless coverage throughout the organization’s premises based on an assessment of signal strength and performance.

Domain

4.0 Security Operations

Question 50Skipped

A financial institution has established stern security policies, carries out periodic security assessments, and continuously updates the measures it uses for security. What type of risk appetite would you say they have?

Neutral

Explanation

A neutral risk appetite suggests that an organization is comfortable with moderate levels of risk and is open to opportunities for growth while still maintaining a balanced approach to risk management. The financial institution in the question, with its strong focus on security measures and updates, does not exhibit a neutral risk appetite as they prioritize security over potential growth opportunities.

Expansionary

Explanation

Expansionary risk appetite refers to an organization that is willing to take on higher levels of risk in pursuit of potential growth opportunities. A financial institution with stern security policies, periodic security assessments, and continuous security updates is more likely to have a conservative risk appetite, as they prioritize security and stability over potential growth through risk-taking.

Correct answer

Conservative

Explanation

A conservative risk appetite indicates that an organization prefers to take minimal risks and prioritize security, stability, and reliability. The financial institution described in the question, with strict security policies, regular security assessments, and continuous security updates, aligns more closely with a conservative risk appetite due to their emphasis on maintaining a secure environment.

Undefined

Explanation

An undefined risk appetite indicates that an organization has not clearly defined its approach to risk management and may not have established clear guidelines or strategies for addressing risks. The financial institution described in the question, with its strict security policies and continuous security updates, is more likely to have a defined risk appetite, particularly one that leans towards being conservative in order to prioritize security.

Overall explanation

5.2 Explain elements of the risk management process.

The financial institution has a conservative risk appetite, as it observes a cautious approach to risk management through its strict security policies and regular assessments. It prioritizes security measures over other activities in order to minimize risks.

Domain

5.0 Security Program Management and Oversight

Question 51Skipped

An organization has defined a segment in its network that allows all devices to be considered trusted without the need for extensive authentication validations. Which term best describes this network segment that is used for internal resources and in which all systems are taken as safe?

Correct answer

Implicit Trust Zone

Explanation

An Implicit Trust Zone is a network segment where all devices are automatically considered trusted without the need for extensive authentication validations. This type of network segment is used for internal resources where all systems are assumed to be safe, reducing the need for individual device authentication.

Intranet

Explanation

An intranet is a private network that is only accessible to an organization’s internal users and devices. While an intranet is used for internal resources, it does not necessarily mean that all systems are automatically trusted without authentication.

DMZ

Explanation

The DMZ (Demilitarized Zone) is a network segment that sits between the internal network and an external network, such as the internet. It is used to host services that need to be accessible from both the internal network and the external network, but it is not a segment where all devices are considered trusted without authentication.

Explicit Trust Zone

Explanation

An Explicit Trust Zone is a network segment where devices and systems are explicitly granted trust through authentication and validation processes. It is the opposite of an Implicit Trust Zone, where all devices are considered trusted without extensive authentication validations.

Overall explanation

1.2 Summarize fundamental security concepts.

An implicit trust zone refers to a network segment where all the devices are trusted without the need for extensive authentication. A higher level of trust is assumed within its boundaries.

Domain

1.0 General Security Concepts

Question 52Skipped

A medium-sized company that deals with confidential customer data within a thoroughly regulated industry is developing its information security policy. What is the reason they should ensure that the policy is comprehensive?

To reduce the security operational costs

Explanation

While a comprehensive information security policy may help in optimizing security operational costs in the long run, the primary objective should be to ensure compliance with regulations and protect the confidentiality of customer data.

To gain an advantage in the market by being known for good security

Explanation

While having a comprehensive information security policy may indirectly contribute to gaining a competitive advantage, the primary reason for ensuring the policy is comprehensive should be focused on regulatory compliance and protecting customer data rather than market positioning.

To boost the security confidence of the staff

Explanation

Boosting the security confidence of the staff is important for creating a security-aware culture within the organization, but the main reason for ensuring the policy is comprehensive should be to meet regulatory requirements and safeguard customer data.

Correct answer

To ensure compliance with regulations and protect the customer’s data

Explanation

Ensuring compliance with regulations and protecting customer data should be the main focus of developing a comprehensive information security policy for a company dealing with confidential customer data in a regulated industry. This is crucial for maintaining trust, avoiding legal penalties, and safeguarding sensitive information.

Overall explanation

5.1 Summarize elements of effective security governance.

The company should have a comprehensive information security policy to ensure compliance with regulations and protect the customer’s data. The practice demonstrates regulatory compliance by handling data in accordance with legal requirements.

Domain

5.0 Security Program Management and Oversight

Question 53Skipped

An overseas institution is looking into various architectural models that may provide for easy recovery in the event of a disaster or a security incident. They aim for quick recovery with the least loss of data. Which model is most suited for such demands?

Virtual private cloud

Explanation

Virtual private cloud is a secure and isolated environment for hosting resources, but it does not directly address the need for easy recovery in the event of a disaster or security incident. While it can enhance security, it may not provide the agility and flexibility needed for quick recovery.

Peer-to-peer architecture

Explanation

Peer-to-peer architecture does not inherently provide easy recovery in the event of a disaster or security incident. It relies on individual nodes communicating directly with each other, which may not be the most efficient for quick recovery and data loss prevention.

Monolithic and centralized

Explanation

Monolithic and centralized architecture may not be the best choice for easy recovery in the event of a disaster or security incident. It relies on a single, large codebase and centralized control, which can make recovery more challenging and increase the risk of data loss.

Correct answer

Microservices architecture

Explanation

Microservices architecture is well-suited for easy recovery in the event of a disaster or security incident. It breaks down applications into smaller, independent services that can be easily replaced or scaled. This allows for quick recovery with minimal data loss.

Overall explanation

3.1 Compare and contrast security implications of different architecture models.

Where there is a demand for quick recovery and minimal data loss, a microservices architecture is most suitable. Microservices are based upon independent and modular components which makes the recovery granular. Data redundancy and resilience are offered by its distributed replication capabilities.

Domain

3.0 Security Architecture

Question 54Skipped

A technology firm is undergoing disaster recovery planning. They are simulating a real-world hypothetical disaster scenario whereby the organization’s primary data center is rendered inaccessible due to a natural disaster to test the organization’s response. What type of test are they performing?

Correct answer

Tabletop exercise

Explanation

Tabletop exercises are simulations of hypothetical disaster scenarios where key stakeholders gather to discuss and walk through the organization’s response and recovery procedures. This type of test allows the organization to evaluate their disaster recovery plans without actually disrupting operations.

Failover

Explanation

Failover tests involve switching operations from the primary data center to a secondary data center or backup systems to ensure continuity in case of a disaster. While failover testing is an essential part of disaster recovery planning, it is not the type of test being performed in this scenario.

Capacity planning

Explanation

Capacity planning involves determining the resources and infrastructure needed to support the organization’s operations, but it is not directly related to testing disaster recovery plans or response to a hypothetical disaster scenario.

Full interruption

Explanation

Full interruption tests involve completely shutting down the primary data center to simulate a disaster scenario. This type of test is more extreme and disruptive compared to what the organization is conducting in this scenario.

Overall explanation

3.4 Explain the importance of resilience and recovery in security architecture.

The technology firm is performing a tabletop exercise to simulate a potential real-life disaster scenario and evaluate how well the organization is prepared for it. The response procedures and plans are tested to help identify areas that require improvement in the case an actual disaster occurs.

Domain

3.0 Security Architecture

Question 55Skipped

A security audit is being performed on a company to assess its compliance with the regulations of the industry. As part of the audit, evidence of internal audits has been requested. What is the main goal for this evidence being given?

Correct answer

To prove that the security controls are effective

Explanation

Providing evidence of internal audits is essential to demonstrate that the security controls implemented by the company are effective in protecting sensitive data and systems. It helps to ensure that the company is compliant with industry regulations and standards, and that the security measures in place are adequate to mitigate potential risks.

To show that external audit requirements are met

Explanation

While external audit requirements are important for overall compliance, the main goal of providing evidence of internal audits is not specifically to show that external audit requirements are met. Internal audits focus on evaluating the effectiveness of internal controls and security measures within the organization.

To find out security holes in the company

Explanation

The main goal of providing evidence of internal audits is not to find security holes in the company, but rather to demonstrate that the existing security controls are effective in addressing potential vulnerabilities and risks. Internal audits help to identify areas for improvement and ensure that security measures are in place to protect against threats.

To establish good relations with the auditors

Explanation

While establishing good relations with auditors is important for a smooth audit process, the main goal of providing evidence of internal audits is not solely to build rapport with auditors. The primary purpose is to demonstrate the effectiveness of security controls and ensure compliance with industry regulations and standards.

Overall explanation

5.3 Explain the processes associated with third-party risk assessment and management.

The main goal of providing the evidence of internal audits is to prove that the security controls are effective. The internal audits help to identify weaknesses in controls, vulnerabilities in the systems, and areas for improvement to ensure that the allocated security measures are functioning as intended.

Domain

5.0 Security Program Management and Oversight

Question 56Skipped

A bus transportation service maintains an official Facebook page to provide updates on its schedules and ways to easily book tickets. Recently, they have noticed an unauthorized Facebook profile pretending to be their service with posts of misleading information. What is this an example of?

Cyberbullying

Explanation

Cyberbullying refers to the use of electronic communication to bully a person, typically by sending messages of an intimidating or threatening nature. This choice does not accurately describe the situation of an unauthorized Facebook profile pretending to be a legitimate service.

Lack of awareness of social media

Explanation

Lack of awareness of social media does not accurately describe the situation of an unauthorized Facebook profile pretending to be the bus transportation service. This choice focuses more on the organization’s knowledge and understanding of social media platforms rather than the deceptive actions of impersonation.

Correct answer

Brand Impersonation

Explanation

Brand impersonation is the act of creating a fake online presence that mimics a legitimate brand or organization to deceive users. In this case, the unauthorized Facebook profile pretending to be the bus transportation service is an example of brand impersonation.

Facebook Hijack

Explanation

Facebook hijack typically refers to the unauthorized access or takeover of a Facebook account or page. While similar in nature to the situation described, it does not fully capture the deceptive act of impersonating a legitimate service.

Overall explanation

2.2 Explain common threat vectors and attack surfaces.

This is brand impersonation: the fake Facebook profile is created with the intention of pretending to be the bus transportation service and posts misleading information under its name. The practice involves a threat actor impersonating a brand or an organization on social media or elsewhere online.

Domain

2.0 Threats, Vulnerabilities, and Mitigations

Question 57Skipped

As part of a hardening initiative, a company has decided to install endpoint protection software on all the employee’s devices. How will such software help?

Eliminate phishing in the mail servers

Explanation

Endpoint protection software is primarily designed to protect devices from malware and viruses, not to eliminate phishing attacks on mail servers. Phishing attacks typically involve social engineering tactics to trick users into revealing sensitive information, which is different from the malware-focused protection provided by endpoint security software.

Protect the company from social engineering attacks

Explanation

Endpoint protection software focuses on protecting devices from malware, ransomware, and other malicious software. While it may help in preventing certain types of attacks, such as malware-based social engineering attacks, its primary function is not specifically geared towards protecting the company from social engineering attacks.

Provide secure encryption on the devices

Explanation

While some endpoint protection software may offer encryption features, the primary function of such software is to protect against malware and viruses. Encryption is more related to data protection and confidentiality rather than malware protection, which is the main focus of endpoint security solutions.

Correct answer

Protection against malware and viruses

Explanation

Endpoint protection software is specifically designed to provide protection against malware, viruses, and other malicious software that could compromise the security of the devices. It helps in detecting, blocking, and removing such threats to ensure the security of the endpoints and the company’s network as a whole.

Overall explanation

2.5 Explain the purpose of mitigation techniques used to secure the enterprise.

Endpoint protection software provides protection against malware and viruses that may compromise the security of the employee devices. The software is installed on the specific device to ensure the risk of the host being infected or attacked by various security threats is reduced.

Domain

2.0 Threats, Vulnerabilities, and Mitigations

Question 58Skipped

A company has installed a physical security system that incorporates closed-circuit television for performing video surveillance. The security team on one occasion noticed what seemed to be a suspicious person roaming around a restricted area. As they review the footage, they confirm that the individual was attempting to breach security. How does video surveillance help the security team in this situation?

Alerting in real-time as breaches occur

Explanation

Video surveillance systems are not typically designed to alert in real-time as breaches occur. They are more focused on recording and capturing footage for later review and analysis.

Recording unauthorized physical breaches

Explanation

Video surveillance systems are primarily used for recording unauthorized physical breaches rather than actively preventing them in real-time. The recorded footage serves as a historical record of events for review and analysis.

Correct answer

Forensic evidence to aid investigations

Explanation

Video surveillance provides valuable forensic evidence that can aid investigations after a security breach has occurred. The recorded footage can be used to identify suspects, understand the sequence of events, and gather evidence for legal proceedings.

Prevent intruders from crossing restricted areas

Explanation

While video surveillance can act as a deterrent for potential intruders, it does not physically prevent them from crossing restricted areas. It serves more as a tool for monitoring and recording activities.

Overall explanation

1.2 Summarize fundamental security concepts.

The video surveillance helps the security team by providing forensic evidence to aid investigations. It provides documented video footage that may be used in the post-incident analysis of the events that took place, such as the suspicious person roaming around the restricted area.

Domain

1.0 General Security Concepts

Question 59Skipped

A network specialist has recently installed a new router at a mobile site of an organization. What is the security risk, if any, that exists due to the router’s login credentials not being configured yet?

Security is stronger when configurations are not changed

Explanation

Security is not stronger when configurations are not changed, especially when it comes to login credentials. Default or unchanged credentials are often well-known and can be exploited by attackers to gain unauthorized access to the network.

There is no risk

Explanation

While it may seem that there is no immediate risk if the router’s login credentials are not configured yet, leaving default credentials or no credentials at all can pose a significant security risk.

Correct answer

Unauthorized access using the default credentials

Explanation

The correct choice is unauthorized access using default credentials. If the router’s login credentials are not configured, it may still be using default credentials that are widely known and can be easily exploited by attackers to gain unauthorized access to the network. This can lead to potential security breaches and compromise the organization’s sensitive information.

There will be a performance degradation

Explanation

Performance degradation is not directly related to the absence of configured login credentials on a router. The lack of proper credentials can lead to unauthorized access and potential security breaches, but it does not impact performance.

Overall explanation

2.2 Explain common threat vectors and attack surfaces.

The security risk that exists is unauthorized access using the default credentials because the router is most likely still configured with the default username and password allowing potential break-ins.

Domain

2.0 Threats, Vulnerabilities, and Mitigations

Question 60Skipped

The security operations center has noticed that many user accounts are facing lock-out issues because of failed login attempts. An unusual login attempt pattern has been observed without an explainable reason. What could be the most likely reason for such a login pattern?

Configuration error in the domain controller

Explanation

A configuration error in the domain controller could potentially cause issues with user authentication, but it is less likely to result in a specific unusual login attempt pattern without a clear reason. This choice does not directly explain the observed login behavior.

Users playing a password guessing game

Explanation

While users playing a password guessing game could result in multiple failed login attempts, it is less likely to create a consistent and unusual login pattern across multiple user accounts without a clear reason. This choice does not fully explain the observed behavior described in the question.

Server maintenance going wrong

Explanation

Server maintenance going wrong may cause temporary disruptions or issues with user authentication, but it is unlikely to result in a consistent and unusual login attempt pattern without a clear reason. This choice does not directly address the specific login behavior observed by the security operations center.

Correct answer

A credential replay attack

Explanation

A credential replay attack involves an attacker intercepting valid credentials and replaying them to gain unauthorized access to user accounts. This type of attack can lead to multiple failed login attempts and lock-out issues for legitimate users, which aligns with the observed login pattern described in the question.

Overall explanation

2.4 Given a scenario, analyze indicators of malicious activity.

The most likely reason for an unusual login attempt pattern that causes lock-out issues and has no apparent explanation is a credential replay attack, which attackers often use to gain unauthorized access to accounts by running an automated script that replays credentials they have managed to steal.

Domain

2.0 Threats, Vulnerabilities, and Mitigations

Question 61Skipped

Which of the following technologies should a company that wants to protect its domain from phishing attacks targeted at its customers and enhance email security consider implementing?

IMAP

Explanation

IMAP (Internet Message Access Protocol) is another protocol used for retrieving email messages from a mail server to a client device, with more advanced features compared to POP. However, like POP, IMAP is not specifically designed to protect against phishing attacks or enhance email security for a domain.

Correct answer

DMARC

Explanation

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a technology that helps protect a domain from email phishing attacks by allowing domain owners to specify how their emails should be authenticated. It enhances email security by providing a way to verify the authenticity of the sender’s domain and prevent email spoofing.

SMTP

Explanation

SMTP (Simple Mail Transfer Protocol) is a communication protocol used for sending email messages between servers. While SMTP is essential for email communication, it is not specifically designed to protect against phishing attacks or enhance email security for a domain.

POP

Explanation

POP (Post Office Protocol) is a protocol used for retrieving email messages from a mail server to a client device. POP is not directly related to protecting a domain from phishing attacks or enhancing email security, as it focuses on email retrieval rather than security measures.

Overall explanation

4.5 Given a scenario, modify enterprise capabilities to enhance security.

The company should consider Domain-based Message Authentication, Reporting, and Conformance (DMARC) to protect its domain from phishing attacks targeted at its customers. DMARC improves email security by providing authentication for emails and a reporting mechanism. It allows organizations to specify how emails from their domain should be handled and prevents unauthorized use of their domains.

Domain

4.0 Security Operations

Question 62Skipped

A medium-sized enterprise aims to provide strong wired and wireless network access authentication schemes. Which technology is best suited for such an activity?

RADIUS

Explanation

RADIUS (Remote Authentication Dial-In User Service) is a networking protocol that provides centralized authentication, authorization, and accounting management for users who connect and use a network service. While RADIUS is commonly used for network access control, it is primarily focused on remote access authentication and may not be the best choice for providing strong authentication schemes for both wired and wireless networks within the enterprise.

LDAP

Explanation

LDAP (Lightweight Directory Access Protocol) is a protocol used for accessing and managing directory information services. While LDAP can be used for user authentication and authorization, it is not specifically designed for network access control like 802.1X. Therefore, it may not be the best technology for providing strong wired and wireless network access authentication schemes in the enterprise.

Correct answer

802.1X

Explanation

802.1X is a standard for port-based network access control that provides an authentication framework for both wired and wireless networks. It allows devices to authenticate themselves before they are granted access to the network, making it an ideal technology for implementing strong network access authentication schemes in a medium-sized enterprise that aims to secure both wired and wireless connections.

WPA3

Explanation

WPA3 is a security protocol for securing Wi-Fi networks, focusing on encryption and authentication. While it is important for wireless network security, it does not directly address wired network access authentication, making it less suitable for the enterprise’s goal of providing strong authentication schemes for both wired and wireless networks.

Overall explanation

3.2 Given a scenario, apply security principles to secure enterprise infrastructure.

802.1X is an authentication mechanism that can provide authentication for both wired and wireless networks. It requires that the users authenticate themselves before gaining network access. It is a robust authentication method that is commonly used with a RADIUS server for centralized authentication, authorization, and accounting (AAA) purposes with Extensible Authentication Protocol (EAP) methods.

Domain

3.0 Security Architecture

Question 63Skipped

Robert is the finance controller of a financial institution. He has received an email from the CEO of his company requesting him to urgently transfer funds to the account of a new supplier. The email includes a very compelling explanation for the request with the bank details of the supplier. What should Robert do in this situation?

Correct answer

Contact the CEO via a separate channel to validate the email

Explanation

Contacting the CEO via a separate channel to validate the email is the correct course of action in this situation. Verifying the authenticity of the request through a separate communication channel can help confirm if the email is legitimate and prevent falling victim to a potential phishing scam.

Ask his friends what to do

Explanation

Asking friends for advice in this situation may not provide the necessary security measures to verify the legitimacy of the email. It is essential to follow established protocols and contact the appropriate channels to validate the request.

Immediately transfer the money to the bank account in the email

Explanation

Immediately transferring the money to the bank account in the email without verifying the authenticity of the request can lead to potential financial fraud. It is crucial to validate the legitimacy of such requests before taking any action to prevent unauthorized fund transfers.

Ignore the email

Explanation

Ignoring the email without taking any action may not be the best approach, as it is essential to address the request promptly. However, it is crucial to verify the legitimacy of the email through proper channels before proceeding with any fund transfers to ensure the security of the financial institution.

Overall explanation

2.2 Explain common threat vectors and attack surfaces.

Robert should contact the CEO via a separate channel to validate the email. Business email compromise (BEC) usually involves attackers impersonating high-ranking officials with the aim of tricking employees into giving up confidential data or performing unintended actions. In this case, it is crucial that Robert verifies that the fund transfer request is legitimate, ideally through a known and different communication channel.

Domain

2.0 Threats, Vulnerabilities, and Mitigations

Question 64Skipped

Robert uses the same password for his corporate email and personal social media account. He finds it way easier to just have a single password. What is the security issue with Robert’s practice?

Robert’s practice is good because he only has one password to remember

Explanation

Having only one password to remember may seem convenient, but it poses a significant security risk. If that single password is compromised, all accounts associated with it are at risk of being accessed by unauthorized individuals.

The security is stronger because Robert has a higher chance of not forgetting his password

Explanation

While having a single password may reduce the chances of forgetting it, the security implications of using the same password for multiple accounts outweigh the convenience of not forgetting it. It is always recommended to use unique, strong passwords for each account to enhance security.

There is no security issue as the accounts are different

Explanation

While the accounts may serve different purposes, using the same password for both still presents a security issue. If one account is breached, the shared password could potentially be used to access the other account.

Correct answer

There is a security risk if one password is compromised

Explanation

This choice is correct because using the same password for multiple accounts increases the security risk. If one account is compromised, all other accounts using the same password are also vulnerable to unauthorized access.

Overall explanation

4.6 Given a scenario, implement and maintain identity and access management.

There is a security risk if one password is compromised, as Robert uses the same password for both his corporate email and social media accounts. An attacker who successfully breaches one of the accounts could potentially gain access to any of the others. Password re-use is a discouraged practice because it increases the risk of compromise once any one account is breached.

Domain

4.0 Security Operations

Question 65Skipped

A large organization has invested in a system that maintains an inventory of all of the devices owned by the company. The system stores information such as the device model, serial numbers, owners, etc. What is the main goal of having this asset-tracking system?

Correct answer

To track and manage the assets of the company

Explanation

The main goal of having an asset-tracking system is to track and manage the assets of the company. This includes keeping a record of device models, serial numbers, owners, and other relevant information to ensure proper inventory management and security.

To manage the software licenses of the organization

Explanation

Managing software licenses is not the main goal of an asset-tracking system. While it may be a part of the system, the primary purpose is to track and manage physical assets owned by the company.

To prepare a bill of materials for the procured assets

Explanation

Generating a bill of materials for procured assets is not the main goal of an asset-tracking system. While the system may provide information for procurement purposes, its primary function is to track and manage the physical assets of the organization.

To monitor the performance of the devices

Explanation

Monitoring device performance is not the main goal of an asset-tracking system. While performance data may be collected as part of asset management, the primary focus is on tracking and managing the physical assets themselves.

Overall explanation

4.2 Explain the security implications of proper hardware, software, and data asset management.

The main goal of having the asset tracking system is to track and manage the assets of the company. An inventory of devices owned by the company is maintained to ensure that the security policies can be enforced on all the devices. Unauthorized or missing devices can be identified.

Domain

4.0 Security Operations

Question 66Skipped

Employees in a corporate environment communicate with their colleagues and clients using instant messaging applications. An employee has received a message with an offer of a free premium license for a well-known app that they use. The offer is time-limited, and the message has a link to the offering site. What action should be taken by the employee?

Find out from fellow colleagues if they received the same message

Explanation

Finding out from fellow colleagues if they received the same message may not provide accurate information about the legitimacy of the offer. It is always best to consult the IT department or the organization’s security team to validate the sender’s identity and the authenticity of the message.

Correct answer

Consult the IT department to verify the sender’s identity

Explanation

Consulting the IT department to verify the sender’s identity is the correct action to take in this scenario. It is essential to confirm the legitimacy of the offer and the sender before clicking on any links or providing any personal information to avoid falling victim to phishing or scam attempts.

Immediately navigate to the site to get the free premium deal as it is time limited

Explanation

Immediately navigating to the site without verifying the sender’s identity can pose a significant security risk. Clicking on unknown links in unsolicited messages can lead to malware infections, data breaches, or phishing attacks. It is crucial to exercise caution and verify the legitimacy of such offers.

Reply to the message to get more details of the offer

Explanation

Replying to the message to get more details of the offer can potentially expose the employee to further phishing attempts or social engineering tactics. It is not advisable to engage with unsolicited messages offering free deals or promotions without verifying the sender’s identity through proper channels.

Overall explanation

2.2 Explain common threat vectors and attack surfaces.

The employee should consult the IT department to verify the sender’s identity. Caution should be exercised to not click on any links provided by an unknown contact. Clicking on suspicious links from instant messaging applications may lead to security vulnerabilities or malware infections that may compromise the device or cause data breaches.

Domain

2.0 Threats, Vulnerabilities, and Mitigations

Question 67Skipped

The employees at an organization use mobile devices for their daily work activities which include accessing corporate data and applications. The security team has initiated a process of ensuring that all the mobile devices are hardened. Which of the below options is a principal step in hardening these devices?

Disabling encryption to speed up the device

Explanation

Disabling encryption on mobile devices is not a recommended step in hardening them. Encryption plays a crucial role in protecting sensitive data in case the device is lost or stolen. Disabling encryption can expose the data to unauthorized access and compromise the confidentiality of corporate information.

Giving employees the liberty to install any apps they like

Explanation

Allowing employees to install any apps they like can introduce security vulnerabilities to the mobile devices, as these apps may not be vetted for security risks. This can compromise the integrity and confidentiality of corporate data and applications.

Correct answer

Enforcing automatic updates for all apps and firmware

Explanation

Enforcing automatic updates for all apps and firmware is a principal step in hardening mobile devices. Regular updates ensure that known security vulnerabilities are patched, reducing the risk of exploitation by malicious actors and enhancing the overall security posture of the devices.

Disabling screen locks to allow users to concentrate

Explanation

Disabling screen locks on mobile devices is not a best practice for security hardening. Screen locks help prevent unauthorized access to the device and the data it contains. Enforcing screen locks enhances the security of the devices by requiring authentication before accessing corporate data and applications.

Overall explanation

4.1 Given a scenario, apply common security techniques to computing resources.

A principal step in hardening the mobile devices at the organization is enforcing automatic updates for all apps and firmware. This reduces the risk of vulnerabilities by ensuring that the devices are regularly patched with security updates.

Domain

4.0 Security Operations

Question 68Skipped

A healthcare organization is currently facing legal consequences due to a data breach that occurred in which sensitive patient information that they collect and store for medical records was exposed because of their improper security measures. Which legal regulation shall apply in this scenario?

ISO

Explanation

ISO (International Organization for Standardization) sets international standards for various industries, including cybersecurity. While compliance with ISO standards can demonstrate a commitment to security, it is not a legal regulation that imposes consequences for data breaches.

PCI

Explanation

PCI (Payment Card Industry) Data Security Standard is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. While important for protecting payment card data, it is not directly related to the protection of sensitive patient information in the healthcare industry as mandated by HIPAA.

NIST

Explanation

NIST (National Institute of Standards and Technology) provides cybersecurity guidelines and best practices, but it is not a legal regulation. It offers a framework that organizations can use to improve their security posture, but it does not enforce legal consequences for data breaches.

Correct answer

HIPAA

Explanation

HIPAA (Health Insurance Portability and Accountability Act) is a legal regulation in the United States that specifically addresses the protection of sensitive patient information in the healthcare industry. It mandates security measures to safeguard patient data and imposes penalties for non-compliance, making it applicable in the scenario of a healthcare organization facing legal consequences for a data breach.

Overall explanation

5.4 Summarize elements of effective security compliance.

The Health Insurance Portability and Accountability Act (HIPAA) is most likely to be applied to healthcare organizations facing legal consequences due to breaches of sensitive patient data. The HIPAA regulation specifically protects the privacy and security of healthcare information.

Domain

5.0 Security Program Management and Oversight

Question 69Skipped

A critical operating system security vulnerability has been discovered in one of the servers of an organization. What course of action should the security team take?

Correct answer

Mitigate the risk by applying the patch

Explanation

Mitigating the risk by applying the patch is the most appropriate course of action to address the critical operating system security vulnerability. Applying the patch will help in fixing the security flaw and preventing any potential exploitation by malicious actors.

Deny all access and connectivity to the system

Explanation

Denying all access and connectivity to the system may disrupt the normal operations of the organization and impact productivity. While isolating the vulnerable system is a good practice, completely denying access may not be the most effective solution to address the security vulnerability.

Contact the operating system manufacturer and ask them to address the issue

Explanation

Contacting the operating system manufacturer to address the issue may result in delays in resolving the security vulnerability. It is more efficient for the organization’s security team to proactively apply the available patch to mitigate the risk and secure the system.

Pause the patching activity till a comprehensive assessment is performed

Explanation

Pausing the patching activity until a comprehensive assessment is performed can leave the system vulnerable to potential attacks exploiting the known security vulnerability. It is crucial to prioritize patching to mitigate the risk and prevent any potential security breaches.

Overall explanation

4.3 Explain various activities associated with vulnerability management.

The security team should mitigate the risk by applying the patch. Delaying the patching of a critical vulnerability leaves the system vulnerable to potential exploitation that could cause critical damage or losses.

Domain

4.0 Security Operations

Question 70Skipped

A popular social media website has been subjected to a large spike in traffic that has overloaded its servers and caused substantial performance degradation. The security team has reason to believe that the attack is a DDoS attack. What is the objective of such an attack?

Exfiltration of sensitive data

Explanation

Exfiltration of sensitive data is typically the objective of a data breach or data theft attack, where the attacker aims to steal confidential information from the website’s servers. In a DDoS attack, the primary goal is not to steal data but to disrupt the website’s availability and functionality.

Redirecting the network traffic of the website

Explanation

Redirecting the network traffic of the website is not the primary objective of a DDoS attack. While network traffic redirection can be a tactic used in more sophisticated cyber attacks, such as DNS hijacking or man-in-the-middle attacks, the main goal of a DDoS attack is to overwhelm the website’s servers and make it unavailable to legitimate users.

Manipulating the data on the website

Explanation

Manipulating the data on the website is not the main objective of a DDoS attack. While some attackers may use DDoS attacks as a distraction to carry out data manipulation or other malicious activities, the primary goal of a DDoS attack is to disrupt the website’s availability rather than tampering with its data.

Correct answer

Making the website unavailable

Explanation

Making the website unavailable is the primary objective of a DDoS (Distributed Denial of Service) attack. By overwhelming the servers with a large volume of traffic, the attackers aim to render the website inaccessible to legitimate users, causing performance degradation and downtime.

Overall explanation

2.4 Given a scenario, analyze indicators of malicious activity.

Making the website unavailable is the objective of a DDoS attack on the social media website. It disrupts the availability of the site by overloading its servers with malicious traffic to cause service degradation and downtime. DDoS attacks are typically aimed at preventing users from accessing an online service.

Domain

2.0 Threats, Vulnerabilities, and Mitigations

Question 71Skipped

An organization has subscribed to an open-source intelligence (OSINT) threat feed service. The cybersecurity analyst is responsible for monitoring threats to the organization’s network and notices one day that the threat feed has reported an increase in phishing attacks targeting their organization’s industry. What benefit does the organization have by using this threat feed?

Alerts for all cyberattacks occurring across the globe

Explanation

The threat feed service does not provide alerts for all cyberattacks occurring across the globe. It specifically focuses on threats relevant to the organization’s industry and network, such as phishing attacks targeting their industry, rather than all cyberattacks globally.

Vulnerability reports of various targets on the internet

Explanation

The threat feed service does not primarily focus on vulnerability reports of various targets on the internet. Its main purpose is to provide information about emerging threats and attacks relevant to the organization’s industry, such as the increase in phishing attacks targeting their industry.

Correct answer

Information about emerging cybersecurity threats

Explanation

The organization benefits from the threat feed service by receiving information about emerging cybersecurity threats, such as the increase in phishing attacks targeting their industry. This allows the cybersecurity analyst to proactively monitor and defend against potential threats to the organization’s network.

Latest details of how to exploit systems

Explanation

The threat feed service does not provide the latest details of how to exploit systems. Instead, it focuses on providing information about emerging cybersecurity threats and potential vulnerabilities that could impact the organization’s network security.

Overall explanation

4.3 Explain various activities associated with vulnerability management.

The open-source intelligence (OSINT) threat feed can provide the organization with information about emerging cybersecurity threats. Such feeds are valuable sources of data on attack patterns and associated vulnerabilities, allowing security analysts to assess and respond to potential threats proactively.

Domain

4.0 Security Operations

Question 72Skipped

A multinational corporation has subsidiaries in several countries across the globe that all follow different sets of regulations. What is the major challenge faced by such an organization in this case?

Hardware and networking infrastructure

Explanation

Hardware and networking infrastructure are essential components of a secure IT environment, but they are not the major challenge faced by a multinational corporation with subsidiaries in different countries. The main challenge lies in navigating the complex regulatory landscape and ensuring compliance with the diverse set of regulations across all locations.

Correct answer

Complying with a diverse set of regulations

Explanation

Complying with a diverse set of regulations is the major challenge faced by a multinational corporation with subsidiaries in different countries. Each country may have its own data protection laws, privacy regulations, and cybersecurity requirements, making it difficult for the organization to ensure compliance across all locations.

Encrypting the data across borders

Explanation

Encrypting data across borders is an important security measure, but it is not the major challenge faced by a multinational corporation with subsidiaries in different countries. The main challenge lies in complying with the various regulations that govern how data can be stored, processed, and transferred in each country.

Cybersecurity training facilities

Explanation

Cybersecurity training facilities are important for educating employees on security best practices, but they are not the major challenge faced by a multinational corporation with subsidiaries in different countries. The main challenge lies in complying with the diverse set of regulations that each country may have.

Overall explanation

5.1 Summarize elements of effective security governance.

A major challenge faced by such a multinational corporation is complying with a diverse set of regulations. The organization must understand and adhere to regulatory requirements, such as data protection regulations, that differ in each country in which it operates.

Domain

5.0 Security Program Management and Oversight

Question 73Skipped

A large financial institution is assessing the security of practices used to handle customer data. They have decided to consult an external organization to perform the assessment. What security process is being implemented by the institution?

Compliance check

Explanation

Compliance check typically refers to verifying whether the organization’s security practices align with specific regulatory requirements or industry standards. While compliance checks are important, they do not involve the comprehensive assessment provided by a third-party audit in this scenario.

Internal audit

Explanation

Internal audit involves the organization’s own internal team assessing and evaluating the security practices and controls. Since the financial institution is seeking an external organization for the assessment, internal audit is not being implemented.

Correct answer

Third-party audit

Explanation

Third-party audit refers to the process of hiring an external organization to assess and evaluate the security practices and controls of an organization. In this case, the financial institution is consulting an external organization for the assessment, making third-party audit the correct choice.

Self-assessment

Explanation

Self-assessment involves the organization evaluating its own security practices and controls without the involvement of an external party. In this scenario, the financial institution has decided to consult an external organization, so self-assessment is not being implemented.

Overall explanation

5.5 Explain types and purposes of audits and assessments.

A large financial institution consulting an external organization to perform an assessment of its security practices is an implementation of a third-party audit. Such an audit helps organizations objectively evaluate their security measures while ensuring impartiality and transparency.

Domain

5.0 Security Program Management and Oversight

Question 74Skipped

An organization has faced a cyberattack from a group of individuals claiming to have strong religious beliefs against the types of operations the organization is engaged in. What threat actor are they facing?

Insider threat

Explanation

Insider threat actors are individuals within the organization who misuse their access to cause harm, whether intentionally or unintentionally. Their actions are not typically driven by religious beliefs against the organization’s operations.

Nation-state

Explanation

Nation-state threat actors are typically sponsored by a government or state entity to conduct cyberattacks for political, economic, or military purposes. They are not motivated by religious beliefs against specific operations.

Organized crime

Explanation

Organized crime threat actors are typically motivated by financial gain and engage in illegal activities such as fraud, theft, or extortion. Their actions are not driven by religious beliefs against specific operations.

Correct answer

Hacktivist

Explanation

Hacktivist threat actors are individuals or groups who use hacking and cyberattacks to promote political or social causes, often driven by strong beliefs or ideologies. In this case, the group claiming religious beliefs against the organization’s operations fits the profile of a hacktivist threat actor.

Overall explanation

2.1 Compare and contrast common threat actors and motivations.

The organization is facing hacktivists, as the threat actors are strongly motivated by their philosophical and religious beliefs against the operations that the organization performs and aim to send their message across using a cyberattack.

Domain

2.0 Threats, Vulnerabilities, and Mitigations

Question 75Skipped

An organization performs various IT tasks such as software development and configuring systems. They have decided to implement automated scripting to aid them when it gets tedious. They have set up guardrails to conform to the security and compliance requirements. What is the use of these guardrails?

To start and stop the scripting activities

Explanation

Guardrails are not typically used to start and stop scripting activities. Their main purpose is to provide guidelines and restrictions to ensure security and compliance.

To allow unsupervised automation

Explanation

Guardrails are not meant to allow unsupervised automation. Their purpose is to provide guidelines and restrictions to ensure that automation activities are conducted in a safe and secure manner, in line with security and compliance requirements.

To manage the privileges for the automated scripts

Explanation

While managing privileges for automated scripts is important for security, guardrails go beyond just privilege management. They are put in place to provide safe and secure automation guidelines that align with security and compliance requirements.

Correct answer

To give safe and secure automation guidelines

Explanation

Guardrails are specifically implemented to give safe and secure automation guidelines. They ensure that automated scripting activities adhere to security and compliance requirements, reducing the risk of security breaches or non-compliance issues.

Overall explanation

4.7 Explain the importance of automation and orchestration related to secure operations.

Guardrails are used in automation to give safe and secure automation guidelines, in compliance with policies. They provide a balance between efficiency and security and help prevent unintended consequences and security breaches during the automated task through constraints.

Domain

4.0 Security Operations

Question 76Skipped

An e-commerce website has a login page that allows its customers to log in with their username and password. A malicious user has attempted to break the security of the web page’s login function by entering the below input into the password field. What type of attack is being attempted?

' OR 1=1 --

XSS

Explanation

XSS is a vulnerability where an attacker injects malicious scripts into web pages viewed by other users. It typically aims to execute scripts in the context of the victim’s browser, allowing attackers to steal session cookies or execute unauthorized actions. The attack in this scenario is aimed at manipulating the database query, not injecting scripts into the webpage, making XSS the wrong answer.

Correct answer

SQLi

Explanation

SQL Injection occurs when an attacker inserts or manipulates SQL queries into an entry field (like a login form) in an attempt to exploit vulnerabilities in the application’s database. In this case, the input ' OR 1=1 -- is designed to manipulate the SQL query responsible for validating the login credentials. The OR 1=1 condition always evaluates as true, which allows the attacker to bypass authentication without a valid password. The double dash (--) comments out the rest of the query, preventing further validation logic from executing. This is a classic SQL injection attack, exploiting a failure to properly sanitize input fields.

Buffer overflow

Explanation

A buffer overflow occurs when data exceeds the buffer’s storage capacity, allowing the attacker to overwrite adjacent memory and potentially execute malicious code. This type of attack generally targets memory management vulnerabilities rather than exploiting flaws in SQL queries. The attack described in the scenario involves manipulating database queries, not memory structures, making buffer overflow irrelevant here.

Memory injection

Explanation

Memory injection typically refers to inserting malicious code into the memory space of a running process, potentially leading to execution of that code. While this is a severe security issue, it is unrelated to the scenario described, where the attacker is manipulating SQL statements, not injecting code into memory spaces. Therefore, this is not the correct attack type.

Overall explanation

2.3 Explain various types of vulnerabilities.

Inputting ' OR 1=1 -- into the password field of the e-commerce website's login function is a classic example of Structured Query Language injection (SQLi). A vulnerable website will allow the attacker to gain access without knowing the username or the password of a valid and authorized user, because the expression OR 1=1 always evaluates to true and the vulnerable website will treat the user as authenticated.
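To make the mechanics of this answer concrete, the following is an added example (not part of the practice test): a login check that splices user input into SQL text, which the quoted input bypasses, beside a parameterized version that defeats it. It uses Python's built-in sqlite3 module with a constructed in-memory users table; the account names and passwords are assumptions made for the example.

```python
import sqlite3

# Constructed sample accounts for this example (not from the page).
# Passwords are stored in the clear only so the injection stays visible;
# a real system stores salted password hashes and compares them in code.
SAMPLE_USERS = [("alice", "correct horse"), ("bob", "hunter2")]

# The input quoted in the question, typed into the password field.
PAYLOAD = "' OR 1=1 --"


def make_db():
    """In-memory SQLite database seeded with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)", SAMPLE_USERS
    )
    return conn


def build_vulnerable_query(username, password):
    """The flawed pattern: user input is concatenated straight into the SQL text.

    With PAYLOAD as the password the statement becomes
      ... AND password = '' OR 1=1 --'
    The OR 1=1 makes the WHERE clause true for every row and the -- turns the
    trailing quote into a comment, so the query is still syntactically valid.
    """
    return (
        "SELECT id FROM users WHERE username = '" + username + "' "
        "AND password = '" + password + "'"
    )


def login_vulnerable(conn, username, password):
    """Returns the id of the first matching user, or None. Vulnerable to SQLi."""
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def login_hardened(conn, username, password):
    """Same check with a parameterized query.

    The driver sends the input as bound values, so quotes and comment markers
    inside it are compared as data and never parsed as SQL.
    """
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Run both checks with a valid login and with the injected input."""
    conn = make_db()
    results = {
        "vulnerable_valid": login_vulnerable(conn, "alice", "correct horse"),
        "vulnerable_payload": login_vulnerable(conn, "nobody", PAYLOAD),
        "hardened_valid": login_hardened(conn, "alice", "correct horse"),
        "hardened_payload": login_hardened(conn, "nobody", PAYLOAD),
    }
    conn.close()
    return results


if __name__ == "__main__":
    print(build_vulnerable_query("nobody", PAYLOAD))
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The vulnerable check returns alice's id for an unknown username and the injected password, while the parameterized check returns None for the same input.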

Domain

2.0 Threats, Vulnerabilities, and Mitigations

Question 77Skipped

A security analyst is conducting an assessment of the management of vulnerabilities at an organization. As the analyst reviews the various security incidents, he notices that a majority of the vulnerabilities are known and have a CVE number. What is this number used for?

To rank the vulnerabilities based on how severe they are

Explanation

The CVE number is not used to rank vulnerabilities based on severity. While severity ratings may be assigned to vulnerabilities, the CVE number itself is primarily for identification purposes.

Correct answer

To uniquely identify the security vulnerability

Explanation

The CVE number is used to uniquely identify a specific security vulnerability. It provides a standardized way to reference and track vulnerabilities across different systems and organizations.

To demonstrate the impact of the vulnerability on the organization

Explanation

The CVE number is not used to demonstrate the impact of a vulnerability on an organization. It is primarily a reference number to identify and track vulnerabilities, rather than quantify their impact.

To find out the attacker that exploited the vulnerabilities

Explanation

The CVE number is not used to find out the attacker that exploited vulnerabilities. It is focused on identifying and tracking vulnerabilities, not attributing attacks to specific individuals or groups.

Overall explanation

4.3 Explain various activities associated with vulnerability management.

Common Vulnerabilities and Exposures (CVE) identifiers, of the form CVE-YYYY-NNNNN, uniquely identify a publicly known security vulnerability. Because every scanner, vendor advisory and tracking system refers to the same identifier, vulnerability information can be easily tracked and shared across organizations and security professionals.

Domain

4.0 Security Operations

Question 78Skipped

A misconfiguration has been detected in the Infrastructure as Code (IaC) scripts of an organization that uses the practice for managing its cloud infrastructure. What is the likely consequence of such a misconfiguration?

The misconfiguration will cause them to pay more to their cloud service provider

Explanation

A misconfiguration in Infrastructure as Code (IaC) scripts may lead to inefficiencies or errors in the cloud infrastructure, but it does not directly cause the organization to pay more to their cloud service provider. The cost implications would depend on the specific impact of the misconfiguration.

Correct answer

The misconfiguration may lead to unauthorized access to sensitive data in the cloud

Explanation

A misconfiguration in Infrastructure as Code (IaC) scripts can potentially expose sensitive data to unauthorized access in the cloud. This is a significant risk as it can lead to data breaches, compliance violations, and other security incidents. It is crucial to address and rectify such misconfigurations promptly to prevent unauthorized access.

The misconfiguration has no impact on the organization

Explanation

A misconfiguration in Infrastructure as Code (IaC) scripts can have a significant impact on the organization, especially in terms of security, efficiency, and compliance. It is unlikely that a misconfiguration would have no impact on the organization, as it can lead to various issues related to cloud infrastructure management and security.

The misconfiguration will revert the configurations to a previous stable state

Explanation

A misconfiguration in Infrastructure as Code (IaC) scripts does not automatically revert configurations to a previous stable state. IaC scripts are used to define and manage cloud infrastructure, so a misconfiguration can lead to unexpected changes or issues, but it does not inherently revert to a previous state.

Overall explanation

3.1 Compare and contrast security implications of different architecture models.

A likely consequence of the detected misconfiguration in the IaC scripts managing the organization's cloud infrastructure is that it may lead to unauthorized access to sensitive data in the cloud, because the security controls will not function as intended: a storage bucket declared with a public ACL or a security group rule open to the whole internet is deployed exactly as written, and to every environment the script targets.
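As an added example (not part of the original practice test), the check below scans a Terraform plan for the two misconfigurations just mentioned before anything is applied. The sample plan is constructed and only shaped like the "planned_values" section of `terraform show -json`; the resource names, the set of ACLs treated as public and the list of admin ports are assumptions for the illustration.

```python
import json
import sys

# Constructed sample shaped like the "planned_values" section of
# `terraform show -json`; it is not output from a real plan.
SAMPLE_PLAN = {
    "planned_values": {"root_module": {"resources": [
        {"address": "aws_s3_bucket_acl.reports", "type": "aws_s3_bucket_acl",
         "values": {"bucket": "reports", "acl": "public-read"}},
        {"address": "aws_s3_bucket_acl.logs", "type": "aws_s3_bucket_acl",
         "values": {"bucket": "logs", "acl": "private"}},
        {"address": "aws_security_group.db", "type": "aws_security_group",
         "values": {"ingress": [
             {"from_port": 22, "to_port": 22, "protocol": "tcp",
              "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []},
             {"from_port": 5432, "to_port": 5432, "protocol": "tcp",
              "cidr_blocks": ["10.0.0.0/8"], "ipv6_cidr_blocks": []},
         ]}},
    ]}}
}

# ACLs that grant read to anyone (authenticated-read means any AWS account).
PUBLIC_ACLS = {"public-read", "public-read-write", "authenticated-read"}
ANY_SOURCE = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = (22, 3389, 5985, 5986)   # SSH, RDP, WinRM (assumed list)


def iter_resources(plan):
    """Yield every resource in the root module and any nested child modules."""
    stack = [plan.get("planned_values", {}).get("root_module", {})]
    while stack:
        module = stack.pop()
        yield from module.get("resources", [])
        stack.extend(module.get("child_modules", []))


def find_misconfigurations(plan):
    """Return one human-readable finding per dangerous setting."""
    findings = []
    for res in iter_resources(plan):
        values = res.get("values") or {}
        if (res["type"] in ("aws_s3_bucket", "aws_s3_bucket_acl")
                and values.get("acl") in PUBLIC_ACLS):
            findings.append(f"{res['address']}: ACL '{values['acl']}' lets "
                            "unauthenticated or foreign-account principals read the bucket")
        if res["type"] == "aws_security_group":
            for rule in values.get("ingress") or []:
                sources = set(rule.get("cidr_blocks") or []) | set(rule.get("ipv6_cidr_blocks") or [])
                if not sources & ANY_SOURCE:
                    continue                      # only internal sources, fine
                lo, hi = rule.get("from_port", 0), rule.get("to_port", 65535)
                if rule.get("protocol") == "-1":  # Terraform's "all traffic"
                    lo, hi = 0, 65535
                hit = [p for p in ADMIN_PORTS if lo <= p <= hi]
                if hit:
                    findings.append(f"{res['address']}: ingress {lo}-{hi} open to the "
                                    f"internet exposes admin port(s) {hit}")
    return findings


if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    problems = find_misconfigurations(plan)
    print("\n".join(problems) or "no findings")
    sys.exit(1 if problems else 0)   # fail the pipeline before `terraform apply`
```

Run with a plan file as the argument (or with none to use the constructed sample); a non-zero exit code is what lets a CI job refuse to apply the change. The check covers two patterns only and is a gate, not a substitute for a full policy engine.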

Domain

3.0 Security Architecture

Question 79Skipped

A company with the aim of streamlining its process of deploying applications has implemented containerization. A finding from a security audit revealed that some containers lack proper security measures. What is the most important concern as a result of this?

Container sprawl

Explanation

Container sprawl, while a concern in terms of resource management and scalability, is not the most critical concern resulting from containers lacking proper security measures. It refers to the uncontrolled growth of containers within an environment, leading to potential inefficiencies and security risks.

Correct answer

Container escape

Explanation

Container escape is the most important concern when containers lack proper security measures. It refers to a scenario where an attacker gains access to the host operating system from within a container, potentially compromising the entire system. Proper security measures must be in place to prevent container escape and protect the host system.

Incompatibility problems

Explanation

Incompatibility problems may arise from improper containerization practices, but they do not pose as significant a risk as container escape. Incompatibility issues can result in operational challenges and performance issues, but they are not as critical as the potential security implications of container escape.

Prolonged application deployment

Explanation

Prolonged application deployment may be a consequence of security issues in containers, but it is not the most important concern resulting from containers lacking proper security measures. While delays in deployment can impact business operations, the security risk posed by container escape is a more immediate and critical concern that must be addressed.

Overall explanation

3.1 Compare and contrast security implications of different architecture models.

The most important concern for the company is container escape, where an attacker who exploits a weakness in an unsecured container (for example one running privileged, sharing the host's PID namespace, or with the host's Docker socket mounted) gains unauthorized access to the underlying host system and, through it, to every other container running there.
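Added example, not part of the original practice test: a check over the HostConfig and Config sections that `docker inspect` reports, flagging the settings that make escape easy. Both container records are constructed; the severities and the list of sensitive host directories are this example's assumptions.

```python
import posixpath

# Constructed records shaped like the HostConfig / Config sections of
# `docker inspect <container>`; not taken from a real host.
INSECURE = {
    "Name": "/build-agent",
    "Config": {"User": ""},
    "HostConfig": {
        "Privileged": False,
        "PidMode": "host",
        "CapAdd": ["SYS_PTRACE"],
        "CapDrop": [],
        "Binds": ["/var/run/docker.sock:/var/run/docker.sock", "/etc:/host-etc:ro"],
        "SecurityOpt": ["seccomp=unconfined"],
    },
}
HARDENED = {
    "Name": "/api",
    "Config": {"User": "10001:10001"},
    "HostConfig": {
        "Privileged": False,
        "PidMode": "",
        "CapAdd": [],
        "CapDrop": ["ALL"],
        "Binds": ["/srv/api/data:/data:ro"],
        "SecurityOpt": ["no-new-privileges"],
    },
}

DOCKER_SOCKET = "/var/run/docker.sock"
HOST_DIRS = ("/proc", "/sys", "/dev", "/etc", "/root", "/boot")  # assumed list


def _exposes_host_dir(src):
    if src == "/":
        return True
    return any(src == d or src.startswith(d + "/") for d in HOST_DIRS)


def check_container(inspect):
    """Return (severity, message) pairs for settings that make escape easy."""
    hc = inspect.get("HostConfig") or {}
    cfg = inspect.get("Config") or {}
    findings = []
    if hc.get("Privileged"):
        findings.append(("critical", "Privileged=true: every capability and host device, escape is trivial"))
    caps = {c.upper().removeprefix("CAP_") for c in hc.get("CapAdd") or []}
    if hc.get("PidMode") == "host" and ("SYS_PTRACE" in caps or hc.get("Privileged")):
        findings.append(("critical", "host PID namespace plus SYS_PTRACE: can attach to host processes"))
    elif hc.get("PidMode") == "host":
        findings.append(("medium", "host PID namespace: host process list and /proc are visible"))
    if "SYS_ADMIN" in caps:
        findings.append(("high", "CAP_SYS_ADMIN added: mount and namespace operations open escape paths"))
    for bind in hc.get("Binds") or []:
        parts = bind.split(":")            # src:dst or src:dst:mode
        src = posixpath.normpath(parts[0])
        mode = parts[2] if len(parts) > 2 else "rw"
        if src == DOCKER_SOCKET:
            findings.append(("critical", f"{bind}: Docker socket mounted, the container can "
                                         "ask the daemon to start a privileged container"))
        elif _exposes_host_dir(src):
            sev = "medium" if "ro" in mode.split(",") else "high"
            findings.append((sev, f"{bind}: host path {src} mounted {mode}"))
    for opt in hc.get("SecurityOpt") or []:
        if opt in ("apparmor=unconfined", "seccomp=unconfined"):
            findings.append(("medium", f"{opt}: kernel attack surface not filtered"))
    if cfg.get("User", "") in ("", "0", "root"):
        findings.append(("medium", "runs as uid 0; without user namespaces that is "
                                   "root on the host after any escape"))
    return findings


if __name__ == "__main__":
    for c in (INSECURE, HARDENED):
        print(c["Name"])
        for sev, msg in check_container(c) or [("ok", "no findings")]:
            print(f"  [{sev}] {msg}")
```

The insecure record is a common CI build-agent shape: the Docker socket alone is enough to become root on the host, and host PID plus SYS_PTRACE gives a second route. The hardened record drops all capabilities, mounts only its own data read-only and runs as an unprivileged user, and produces no findings.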

Domain

3.0 Security Architecture

Question 80Skipped

An industrial control system uses a real-time operating system (RTOS) to manage and control the machinery in the manufacturing facility. To ensure safety and efficiency, the system must be capable of responding to events and triggers within very limited time constraints. What is a prime concern to security when operating such systems?

RTOSs cannot be attacked so the worry is out

Explanation

This statement is incorrect. RTOSs, like any other operating system, can be vulnerable to attacks and security breaches. Ignoring security concerns for RTOSs can lead to potential risks and threats to the industrial control system.

Correct answer

RTOSs need timely updating and patching

Explanation

This statement is correct. RTOSs used in industrial control systems must be regularly updated and patched to address any security vulnerabilities that may be discovered. Failing to update and patch the RTOS can leave the system exposed to potential cyber threats and attacks, compromising safety and efficiency.

RTOSs have a high CPU latency

Explanation

This statement is incorrect. RTOSs are designed to have low CPU latency, meaning they can respond quickly to events and triggers. High CPU latency would hinder the real-time capabilities of the system, which is a critical aspect of industrial control systems.

RTOSs consume a large amount of bandwidth

Explanation

This statement is incorrect. RTOSs do not consume a large amount of bandwidth as they are optimized for real-time performance and efficiency. Bandwidth consumption is not a primary concern for security when operating such systems.

Overall explanation

3.1 Compare and contrast security implications of different architecture models.

The prime concern to security when operating real-time operating systems (RTOSs) is that the RTOSs need timely updating and patching. RTOS systems are designed for high real-time performance but are not immune to vulnerabilities, making it crucial that they are continuously maintained with security patches.

Domain

3.0 Security Architecture

Question 81Skipped

A signature-based network intrusion detection system (NIDS) continuously monitors malicious activity occurring in the traffic flowing through the network of an organization based on known attack patterns. It was not able to detect a zero-day attack. What type of situation is this?

True negative

Explanation

A true negative occurs when the NIDS correctly identifies normal traffic as not malicious. Since the NIDS failed to detect a zero-day attack, it did not correctly identify the attack as malicious, making it a different situation from a true negative.

True positive

Explanation

A true positive occurs when the NIDS correctly identifies actual malicious activity as malicious. Since the NIDS did not detect the zero-day attack, it did not correctly identify the attack as malicious, making it different from a true positive.

False positive

Explanation

A false positive occurs when the NIDS incorrectly identifies normal traffic as malicious activity. In this situation, the NIDS did not mistakenly detect normal traffic as malicious, so it is not a false positive.

Correct answer

False negative

Explanation

A false negative occurs when the NIDS fails to detect actual malicious activity. In this case, the NIDS was not able to detect the zero-day attack, which is an example of a false negative.

Overall explanation

4.3 Explain various activities associated with vulnerability management.

The signature-based network intrusion detection system (NIDS) failing to detect a zero-day attack is a false negative. The attack pattern is not in its signature database because the attack is new and no signature has yet been written for it. False negatives occur when a system fails to identify an actual intrusion or threat; they are the more dangerous error, because nothing is logged and nobody is alerted.
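Added example, not part of the original practice test: a toy signature matcher run over constructed traffic with known ground truth, sorting each sample into true/false positive/negative. The signatures and the five samples (including the opaque "zero-day" bytes) are made up for the illustration.

```python
# Signature database of a toy signature-based NIDS (constructed).
SIGNATURES = {
    "sqli-tautology": b"' OR 1=1",
    "path-traversal": b"../../etc/passwd",
    "xss-script-tag": b"<script>",
}

# Constructed traffic samples: (name, payload, ground truth: is it an attack?)
SAMPLES = [
    ("catalogue page", b"GET /products?id=42 HTTP/1.1\r\nHost: shop.example\r\n", False),
    ("login bypass", b"POST /login HTTP/1.1\r\n\r\nuser=x&pass=' OR 1=1 --", True),
    ("file read", b"GET /download?file=../../etc/passwd HTTP/1.1\r\n", True),
    ("blog page (response)",
     b"HTTP/1.1 200 OK\r\n\r\n<p>Always escape user input, e.g. a <script> tag</p>", False),
    ("zero-day", b"POST /api/import HTTP/1.1\r\n\r\n\x00\x13NEWFMT\x7f\xff\xfe", True),
]


def classify(samples, signatures):
    """Bucket each sample by (did the NIDS alert?, was it really malicious?)."""
    outcome = {"TP": [], "FP": [], "TN": [], "FN": []}
    for name, payload, malicious in samples:
        alerted = any(sig in payload for sig in signatures.values())
        key = {(True, True): "TP", (True, False): "FP",
               (False, True): "FN", (False, False): "TN"}[(alerted, malicious)]
        outcome[key].append(name)
    return outcome


def metrics(outcome):
    tp, fp, fn = (len(outcome[k]) for k in ("TP", "FP", "FN"))
    return {
        "detection_rate": tp / (tp + fn) if tp + fn else 0.0,   # share of attacks caught
        "precision": tp / (tp + fp) if tp + fp else 0.0,         # share of alerts that were real
        "missed_attacks": outcome["FN"],
    }


if __name__ == "__main__":
    out = classify(SAMPLES, SIGNATURES)
    for k, names in out.items():
        print(k, names)
    print(metrics(out))
    # Once a signature exists for the new attack it moves from FN to TP.
    print(classify(SAMPLES, {**SIGNATURES, "newfmt-import": b"NEWFMT"})["FN"])
```

The blog page shows the mirror-image error: a benign response that happens to contain a signature string is a false positive. The final call shows the only cure a signature-based sensor has for a zero-day, which is a signature written after the fact; until then the sample stays in the FN bucket.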

Domain

4.0 Security Operations

Question 82Skipped

A software development team at an organization is developing a new release of a mobile application. They have gathered all the necessary requirements and want to start designing the mobile app. What security considerations should the team incorporate as they design the app?

Their major concern should be user experience and performance above security

Explanation

While user experience and performance are important considerations in mobile app design, security should not be sacrificed for the sake of these factors. Prioritizing security ensures that the app protects user data, maintains confidentiality, and prevents unauthorized access, ultimately contributing to a trustworthy and reliable user experience.

Correct answer

They should integrate security in the design from the start

Explanation

Integrating security in the design from the start is crucial to building a secure mobile application. By considering security requirements and best practices early in the design process, the development team can proactively address potential security vulnerabilities and ensure the app’s security posture is strong.

Once they develop the app, they should send it over to the security team for assessment

Explanation

Waiting until the app is fully developed to send it to the security team for assessment can lead to security vulnerabilities being discovered late in the development cycle, resulting in costly and time-consuming rework. It is more effective to integrate security considerations from the start of the design phase.

They should incorporate security during the testing phase only

Explanation

Incorporating security only during the testing phase is not sufficient to ensure the security of the mobile application. Security should be a fundamental aspect of the design and development process from the beginning to identify and mitigate potential security risks early on.

Overall explanation

5.1 Summarize elements of effective security governance.

An important security consideration that the software development team should incorporate as they design the app is to integrate security in the design from the start. It is crucial and essential that security is dealt with throughout all stages of the software development lifecycle (SDLC), including the early stages and the design phase.

Domain

5.0 Security Program Management and Oversight

Question 83Skipped

An organization is applying critical security patches to the servers in the production network. Unfortunately, during the deployment of the patches, an unexpected instability of the servers is observed. What is the next step that should be taken that aligns with the best practices?

Correct answer

Execute the backout plan

Explanation

Executing the backout plan is the best practice in this situation. A backout plan is a predefined set of steps to revert the changes made during a deployment process. By executing the backout plan, the organization can restore the servers to their previous stable state and mitigate the impact of the instability caused by the patch deployment.

Escalate the issue to all stakeholders

Explanation

Escalating the issue to all stakeholders is important, but it should not be the immediate next step. Before involving all stakeholders, it is crucial to address the current instability and mitigate any potential risks. The backout plan should be executed first to ensure the servers are restored to a stable state.

Immediately shut down all the servers that have been experiencing instability

Explanation

Immediately shutting down all servers that are experiencing instability may disrupt the production network and cause downtime for critical services. This drastic action should be avoided until a proper assessment and plan are in place.

Continue deploying the patches till successful completion

Explanation

Continuing to deploy the patches despite the observed instability can lead to further issues and potentially cause more damage to the servers. It is not recommended to proceed with the deployment without addressing the current instability.

Overall explanation

1.3 Explain the importance of change management processes and the impact to security.

After an unexpected instability of the servers during the deployment of the patches, the next step that should be taken that aligns with the best practices is to execute the backout plan to restore servers to their previous state.

Domain

1.0 General Security Concepts

Question 84Skipped

A small online business has purchased a cybersecurity insurance policy due to the worry of possible financial losses that may occur due to data breaches. Which of the following risk management strategies have they invested in?

Risk Mitigation

Explanation

Risk Mitigation involves taking actions to reduce the impact or likelihood of risks. While purchasing a cybersecurity insurance policy can be considered a form of risk mitigation, it is more accurately categorized as a form of risk transfer, as the financial burden of a data breach is being transferred to the insurance provider.

Risk Acceptance

Explanation

Risk Acceptance means acknowledging the risks and deciding not to take any action to mitigate or transfer them. By purchasing a cybersecurity insurance policy, the small online business is actively taking steps to address potential financial losses from data breaches, indicating that they are not simply accepting the risks.

Correct answer

Risk Transfer

Explanation

Risk Transfer involves shifting the financial consequences of a risk to another party, such as an insurance provider. By purchasing a cybersecurity insurance policy, the small online business is transferring the financial risk of data breaches to the insurance company, making this the correct choice for the risk management strategy they have invested in.

Risk Avoidance

Explanation

Risk Avoidance involves completely avoiding activities or situations that could lead to potential risks. In this case, purchasing a cybersecurity insurance policy does not align with the concept of avoiding risks altogether.

Overall explanation

5.2 Explain elements of the risk management process.

The online business has invested in a risk transfer strategy. They are transferring the potential financial consequences of a data breach to the insurance company they have purchased the cybersecurity insurance policy from.

Domain

5.0 Security Program Management and Oversight

Question 85Skipped

A user at an organization clicked on a link in an email that redirects to a suspicious website but was blocked from reaching the site by the URL scanning system implemented to improve security. What is the primary use of such a system?

To prevent phishing attacks and spam

Explanation

While a URL scanning system may help prevent phishing attacks by blocking access to malicious websites, its primary use is not specifically focused on preventing phishing attacks or spam. The main goal is to protect users from dangerous websites that may contain malware or other threats.

To encrypt the communication links

Explanation

Encrypting communication links is an important security measure, but it is not the primary use of a URL scanning system. The main purpose of a URL scanning system is to identify and block access to malicious websites to protect users from potential security risks.

Correct answer

To provide protection from dangerous websites

Explanation

The primary purpose of a URL scanning system is to provide protection from dangerous websites by scanning URLs for malicious content or known threats. In this case, the system successfully blocked the user from accessing a suspicious website, demonstrating its effectiveness in improving security.

To initiate proxy connections across the internet

Explanation

A URL scanning system is not designed to initiate proxy connections across the internet. Its main function is to scan URLs for potential threats and block access to dangerous websites to enhance security within an organization.

Overall explanation

4.5 Given a scenario, modify enterprise capabilities to enhance security.

The primary use of the URL scanning system is to provide protection from dangerous websites. It checks each link a user follows against reputation data and content analysis before the connection is allowed, so users are not exposed to phishing pages or malicious downloads when they click links in suspicious emails or elsewhere on the web.
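Added example, not part of the original practice test: the local checks a URL scanner applies to a clicked link before (or instead of) querying a reputation service. The blocklist, the dangerous-extension list and the `.example` hostnames are constructed; a production system adds live reputation lookups and sandbox detonation, which this example does not include.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed blocklist standing in for a threat-intelligence feed.
BLOCKLIST = {"login-verify-paypa1.example", "cdn-update.example"}
ALLOWED_SCHEMES = {"http", "https"}
DANGEROUS_EXT = (".exe", ".scr", ".msi", ".js", ".hta", ".vbs")   # assumed list


def scan_url(url):
    """Return {'blocked': bool, 'reasons': [...]} for one clicked link."""
    reasons = []
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower().rstrip(".")
    if scheme not in ALLOWED_SCHEMES:
        reasons.append(f"scheme '{scheme}' is not a web link")
    if host in BLOCKLIST or any(host.endswith("." + d) for d in BLOCKLIST):
        reasons.append("host matches blocklist")
    if parts.username is not None:
        # http://paypal.com@evil.example/ shows 'paypal.com' first to the eye;
        # the real destination is what follows the '@'.
        reasons.append("credentials before '@' disguise the real host")
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address instead of a hostname")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label, possible homograph domain")
    if parts.path.lower().endswith(DANGEROUS_EXT):
        reasons.append("link downloads an executable")
    return {"url": url, "blocked": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for u in ("https://shop.example/cart",
              "http://paypal.com@login-verify-paypa1.example/verify",
              "http://192.0.2.10/invoice.exe",
              "https://xn--pypal-4ve.example/login",
              "javascript:alert(1)"):
        r = scan_url(u)
        print("BLOCK" if r["blocked"] else "allow", u, r["reasons"])
```

Each reason is recorded rather than stopping at the first match, so the analyst reviewing the block sees everything that was wrong with the link, and a legitimate URL passes with an empty list.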

Domain

4.0 Security Operations

Question 86Skipped

A manufacturing company that relies on RFID technology to track its facility inventory and equipment has faced an attack where the malicious actor managed to bypass security and successfully clone an RFID tag. What is the security concern given the system uses unique identifiers for each asset?

There is an insider threat

Explanation

While insider threats are always a concern in any organization, the scenario described in the question does not indicate any involvement of an insider in the attack. The focus is on the vulnerability of the RFID communication system.

The access control policies are not robust

Explanation

The security concern is not directly related to access control policies in this scenario. The issue lies in the lack of encryption in RFID communication, which allowed the malicious actor to clone RFID tags successfully.

Correct answer

The RFID communication is not encrypted

Explanation

The correct security concern is that the RFID communication is not encrypted, allowing malicious actors to intercept and clone RFID tags without any encryption measures in place to protect the data transmission.

The physical security was breached

Explanation

The security concern in this scenario is not related to physical security being breached, as the attack involved cloning an RFID tag electronically rather than physically breaching the facility.

Overall explanation

2.4 Given a scenario, analyze indicators of malicious activity.

The security concern is that the RFID communication is not encrypted. If the exchange between the reader and the tag is sent in clear, anyone with a reader in range can eavesdrop on it, capture the identifier the tag transmits and write it to a blank tag. The cloned tag is then indistinguishable from the original to the inventory system, so the "unique" identifier no longer proves which physical asset is present.
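Added example, not part of the original practice test, simulating both sides of the air interface: a tag that simply broadcasts a static identifier is cloned from one sniffed read, while a tag that answers a fresh reader challenge with an HMAC over a per-tag secret cannot be cloned from what was overheard. The question's answer is that the link is unencrypted; the practitioner's caveat this example adds is that even an encrypted link must bind the tag's reply to a fresh challenge, otherwise a captured reply can still be replayed. The UID length, the key and the HMAC construction are assumptions; real tags use vendor-specific protocols.

```python
import hashlib
import hmac
import os

UID_LEN = 4   # bytes; assumed tag identifier size


class StaticTag:
    """Tag that just broadcasts its identifier (typical plain inventory tag)."""
    def __init__(self, uid):
        self.uid = uid

    def respond(self, challenge):
        return self.uid                      # the challenge is ignored


class AuthTag:
    """Tag holding a per-tag secret; answers a fresh challenge with an HMAC."""
    def __init__(self, uid, key):
        self.uid, self._key = uid, key

    def respond(self, challenge):
        mac = hmac.new(self._key, challenge + self.uid, hashlib.sha256).digest()
        return self.uid + mac


class ClonedTag:
    """Attacker hardware that replays bytes sniffed from a genuine exchange."""
    def __init__(self, sniffed_response):
        self.sniffed = sniffed_response

    def respond(self, challenge):
        return self.sniffed


def reader_static(tag, known_uids):
    return tag.respond(b"") in known_uids


def reader_auth(tag, keys_by_uid, rng=os.urandom):
    challenge = rng(16)                      # must be fresh for every read
    resp = tag.respond(challenge)
    uid, mac = resp[:UID_LEN], resp[UID_LEN:]
    key = keys_by_uid.get(uid)
    if key is None:
        return False
    expected = hmac.new(key, challenge + uid, hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected)


def demo():
    uid = bytes.fromhex("04a1b2c3")
    key = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed secret
    results = {}
    # 1. Static UID: one sniffed read is enough to clone the asset tag.
    genuine = StaticTag(uid)
    sniffed = genuine.respond(b"")
    results["static_genuine"] = reader_static(genuine, {uid})
    results["static_clone"] = reader_static(ClonedTag(sniffed), {uid})
    # 2. Challenge-response: the sniffed answer is bound to an old challenge.
    genuine = AuthTag(uid, key)
    old_challenge = os.urandom(16)
    sniffed = genuine.respond(old_challenge)
    results["auth_genuine"] = reader_auth(genuine, {uid: key})
    results["auth_clone"] = reader_auth(ClonedTag(sniffed), {uid: key})
    # 3. Failure mode: a reader that reuses its challenge is replayable again.
    results["auth_clone_reused_nonce"] = reader_auth(
        ClonedTag(sniffed), {uid: key}, rng=lambda n: old_challenge)
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:24s} accepted={accepted}")
```

The clone of the static tag is accepted because the reader has nothing to check beyond the identifier itself. The clone of the authenticating tag is rejected on a fresh challenge, and case 3 shows why the freshness matters: with the same nonce reused, the replayed HMAC verifies again.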

Domain

2.0 Threats, Vulnerabilities, and Mitigations

Question 87Skipped

A senior employee has recently retired. The employee was responsible for managing a critical database. The IT department wants to make sure that the responsibilities and ownership of the database are transferred smoothly. What security concept addresses this?

Offboarding

Explanation

Offboarding is the process of managing an employee’s departure from an organization. While offboarding may involve transitioning responsibilities and access to systems, it does not specifically address the smooth transfer of ownership and responsibilities of a critical database to a new employee.

Onboarding

Explanation

Onboarding is the process of integrating a new employee into an organization. While onboarding may be necessary for the new employee taking over the database management responsibilities, it does not specifically address the transfer of ownership and responsibilities from the retiring employee.

Data transfer

Explanation

Data transfer refers to the process of moving data from one location to another. While data transfer may be involved in the transition of database ownership, it does not specifically address the concept of smoothly transferring responsibilities and ownership.

Correct answer

Succession planning

Explanation

Succession planning is the correct choice as it involves the process of identifying and developing employees to fill key roles within an organization when current employees leave. In this scenario, succession planning would ensure a smooth transfer of responsibilities and ownership of the critical database after the senior employee’s retirement.

Overall explanation

4.2 Explain the security implications of proper hardware, software, and data asset management.

Succession planning addresses this: the organization identifies who will take over the critical database and transfers the knowledge, responsibilities and ownership before or as the senior employee retires, so the database is never left without an accountable owner.

Domain

4.0 Security Operations

Question 88Skipped

What is the most significant concern regarding the use of a legacy operating system that is critical to business operations but has reached its end-of-life (EOL)?

The company may face legal penalties

Explanation

Using a legacy operating system that has reached its end-of-life may not necessarily result in legal penalties, as it depends on the specific regulations and compliance requirements of the industry. While it is generally not recommended for security reasons, legal penalties may not be the most significant concern in this scenario.

The durability of the system shall be impaired

Explanation

The durability of the system being impaired is not the most significant concern when using a legacy operating system that has reached its end-of-life. While there may be performance issues or hardware failures due to aging components, the primary worry is the lack of security updates and the increased vulnerability to cyber attacks.

Correct answer

The system is at risk of vulnerabilities due to no vendor fixes

Explanation

The most significant concern with using a legacy operating system that has reached its end-of-life is the increased risk of vulnerabilities. Without vendor support and fixes, the system will no longer receive security patches or updates to protect against new threats, making it a prime target for attackers.

There will be frequent compatibility issues

Explanation

Compatibility issues can indeed be a concern when using a legacy operating system, but they may not be the most significant concern. The primary worry with an end-of-life system is the lack of vendor support and security updates, which can leave the system vulnerable to cyber threats.

Overall explanation

2.3 Explain various types of vulnerabilities.

The most significant concern regarding the use of an operating system that has reached its end-of-life (EOL) is that the system is at risk of vulnerabilities due to no vendor fixes. The system will not be receiving patches for newly discovered vulnerabilities and is therefore subjected to critical security risks.

Domain

2.0 Threats, Vulnerabilities, and Mitigations

Question 89Skipped

An organization is not capable of implementing multifactor authentication on one of their internal legacy applications. They have decided to make the application only accessible from a specific server that is isolated from the internal network. What type of control have they implemented?

Technical

Explanation

Technical controls are security measures that use technology to protect systems and data. While restricting access to a specific server involves a technical aspect, the primary focus is on compensating for the lack of multifactor authentication rather than solely relying on technical measures for security.

Corrective

Explanation

Corrective controls are implemented after an incident has occurred to correct or remedy the situation. In this scenario, the organization is proactively implementing a control to prevent unauthorized access, rather than correcting a past incident.

Preventive

Explanation

Preventive controls are put in place to prevent security incidents from happening. While limiting access to a specific server can be seen as a preventive measure, the organization is not directly preventing unauthorized access to the legacy application itself.

Correct answer

Compensating

Explanation

Compensating controls are implemented when the primary control is not feasible or cannot be implemented. In this case, since multifactor authentication cannot be implemented on the legacy application, restricting access to a specific server is a compensating control to mitigate the risk of unauthorized access.

Overall explanation

1.1 Compare and contrast various types of security controls.

A compensating control is a control measure put in place as a substitute for a recommended control when the recommended control cannot be implemented, whether for technical, financial, or political reasons. Although the control implemented here is technical, and may also prevent attacks, it is a compensating control in the context of the question because it compensates for the missing multifactor authentication.

Domain

1.0 General Security Concepts

Question 90Skipped

An organization has implemented a new cloud-based collaboration tool. During a security audit, the IT team found that a critical vulnerability had been reported in the tool. Because the finding raises the level of risk, the team decided to conduct an ad-hoc risk assessment. What is the main purpose of such an assessment?

To determine all possible threat actors associated with the collaboration tool

Explanation

While determining threat actors is an important aspect of a risk assessment, the main purpose of an ad-hoc risk assessment in this scenario is not to identify all possible threat actors associated with the collaboration tool. The focus is on evaluating the impact of the critical vulnerability on the organization’s network.

Correct answer

To find out what impact the vulnerability has on the organization’s network

Explanation

The main purpose of conducting an ad-hoc risk assessment in response to a critical vulnerability in the collaboration tool is to determine the impact that the vulnerability has on the organization’s network. This assessment helps in understanding the potential consequences of the vulnerability and allows the IT team to prioritize and address the risk accordingly.

To determine the possibilities of security incidents while using the tool

Explanation

While determining the possibilities of security incidents is important in overall risk management, the main purpose of the ad-hoc risk assessment in this specific scenario is to focus on the impact of the critical vulnerability on the organization’s network. Understanding the potential impact helps in making informed decisions on mitigating the risk and addressing the vulnerability effectively.

To evaluate the security posture of the organization

Explanation

Evaluating the security posture of the organization is a broader and ongoing process that involves assessing various aspects of security controls, policies, and practices. In this case, the main purpose of the ad-hoc risk assessment is to specifically address the critical vulnerability found in the new collaboration tool.

Overall explanation

5.2 Explain elements of the risk management process.

In an ad-hoc risk assessment, the primary purpose would be to find out what impact the vulnerability has on the organization’s network. In this case, the impact and potential consequences of the critical vulnerability found in the cloud-based collaboration tool need to be quickly determined.

Domain

5.0 Security Program Management and Oversight