Chapter 6 Information Asset Protection – CISA Certified Information Systems Auditor Practice Exams

CHAPTER 6

Information Asset Protection

This chapter covers CISA Domain 5, “Protection of Information Assets,” and includes questions from the following topics:

•   Information security management

•   Logical access controls

•   Network security

•   Environmental security

•   Physical security

•   Privacy

The topics in this chapter represent 27 percent of the CISA examination.

Information assets consist of information and information systems. Information includes software, tools, and data. Information system is an inclusive term that encompasses servers, workstations, mobile devices, network devices, gateways, appliances, IoT devices, and applications. An information system can be a single device or a collection of systems that work together for some business purpose.

QUESTIONS

1.   A new information security manager has examined the systems in the production environment and has found that their security-related configurations are inadequate and inconsistent. To improve this situation, the security manager should create a:

A.   Jump server

B.   Firewall rule

C.   Hardening standard

D.   CMDB

2.   Which U.S. government agency enforces retail organizations’ information privacy policy?

A.   National Institute of Standards and Technology

B.   Federal Trade Commission

C.   Office of Civil Rights

D.   United States Secret Service

3.   While useful for detecting fires, what is one known problem associated with the use of smoke detectors under a raised computer room floor?

A.   False alarms due to the accumulation of dust

B.   Higher cost of maintenance

C.   Lack of visual reference

D.   Lower sensitivity due to stagnant air

4.   An organization is seeking to establish a protocol standard for federated authentication. Which of the following protocols is least likely to be selected?

A.   OAuth

B.   SAML

C.   SOAP

D.   HMAC

5.   What is one distinct disadvantage of the use of on-premises web content filtering?

A.   End users can no longer inspect URLs in e-mail messages.

B.   End users can easily circumvent it with a local IPS.

C.   Mobile devices are unprotected when off-network.

D.   It is labor intensive to manage exceptions.

6.   What is the purpose of data classification?

A.   To establish rules for data protection and use

B.   To discover sensitive data on unstructured shares

C.   To enforce file access rules

D.   To gather statistics on data usage

7.   Blockchain is best described as:

A.   A cryptographic algorithm

B.   A data confidentiality technique using cryptography

C.   A popular cryptocurrency

D.   A list of records that are linked using cryptography

8.   The private keys for a well-known web site have been compromised. What is the best approach for resolving this matter?

A.   Change the IP address of the web server.

B.   Add an entry to a CRL for the web site’s SSL keys.

C.   Recompile the web site’s application.

D.   Reboot the web server.

9.   A web application stores unique codes on each user’s system in order to track the activities of each visitor. What is a common term for these codes?

A.   Http-only cookie

B.   Super cookie

C.   Session cookie

D.   Persistent cookie

10.   The term “virtual memory” refers to what mechanism?

A.   The main storage allocated to a guest of a hypervisor

B.   Memory management that isolates running processes

C.   Memory that is shared between guests of a hypervisor

D.   Main storage space that exceeds physical memory and is extended to secondary storage

11.   What is the effect of suppressing the broadcast of SSID?

A.   Network is not listed, but no difference in security.

B.   Only registered users are able to connect.

C.   Stronger (AES vs. TKIP) cryptography.

D.   Administrators can track users more easily.

12.   What is the purpose of recordkeeping in a security awareness training program?

A.   It prevents users from repeating the training.

B.   Compliance with training provider licensing requirements.

C.   Recordkeeping is required by ISO 27001.

D.   Users cannot later claim no knowledge of content if they violate policy.

13.   An attack technique in which an attacker attempts to place arbitrary code into the instruction space of a running process is known as:

A.   Cross-site scripting

B.   A time-of-check to time-of-use attack

C.   A buffer overflow attack

D.   A race condition

14.   A security analyst who is troubleshooting a security issue has asked another engineer to obtain a PCAP file associated with a given user’s workstation. What is the security analyst asking for?

A.   A copy of the workstation’s registry file

B.   A copy of the network traffic to and from the workstation

C.   An image of the workstation’s main memory (RAM)

D.   An image of the workstation’s secondary memory (hard drive)

15.   A development lab employs a syslog server for security and troubleshooting issues. The information security office has recently implemented a SIEM and has directed that all log data be sent to the SIEM. How can the development lab continue to employ its local syslog server while complying with this request?

A.   Build a proxy server that will clone the log data.

B.   The development lab will have to shut down its syslog server.

C.   Export syslog data every hour and send it to the SIEM.

D.   Direct servers to send their syslog data to the local server and to the SIEM.

16.   The best time to assign roles and responsibilities for computer security incident response is:

A.   During training

B.   During tabletop testing

C.   While responding to an incident

D.   While writing the incident response plan

17.   Chain of custody is employed in which business process?

A.   Internal investigation

B.   Asset management

C.   Access management

D.   Penetration testing

18.   Canada’s ITSG-33 is similar to which standard?

A.   SSAE18

B.   HIPAA

C.   NIST SP800-53

D.   ISO/IEC 27001

19.   The process of ensuring proper protection and use of PII is known as:

A.   Security

B.   Privacy

C.   Data loss prevention

D.   Data discovery

20.   A CIO is investigating the prospect of a hosting center for its IT infrastructure. A specific hosting center claims to have “N+1 HVAC Systems.” What is meant by this term?

A.   The hosting center has one more HVAC system than is necessary for adequate cooling.

B.   The hosting center has the “N+1” brand of HVAC systems designed for hosting centers.

C.   The hosting center has recently installed a new HVAC system.

D.   The hosting center HVAC systems meet the N+1 reliability standard.

21.   An organization has updated its identity and access management infrastructure so that users use their AD credentials to log in to the network as well as internal business applications. What has the organization implemented?

A.   Credential vaulting

B.   Single sign-on

C.   Federated identity

D.   Reduced sign-on

22.   The primary advantage of a firewall on a laptop computer is:

A.   Laptop computers are protected when outside the enterprise network.

B.   End users have more control over their network security.

C.   Improved performance of enterprise network firewalls.

D.   Redundancy in the event the enterprise firewall is overloaded.

23.   An organization’s data classification policy includes guidelines for placing footers with specific language in documents and presentations. What activity does this refer to?

A.   Digital signatures

B.   Digital envelopes

C.   Document marking

D.   Document tagging

24.   What technique does PGP use to permit multiple users to read an encrypted document?

A.   Key fingerprints

B.   Symmetric cryptography

C.   Digital envelope

D.   Digital signature

25.   What feature permits enterprise users of Microsoft Outlook to digitally sign e-mail messages?

A.   PGP

B.   AD PKI

C.   Local administrative privileges

D.   Password vaulting

26.   A URL starting with shttp:// signifies what technology?

A.   Self-signed content

B.   Encryption with 3DES

C.   Encryption with SSL or TLS

D.   SET, or Secure Electronic Transaction

27.   A recent audit of an IT operation included a finding stating that the organization experiences virtualization sprawl. What is the meaning of this term?

A.   The process related to the creation of new virtual machines is not effective.

B.   Virtual machines are contending for scarce resources.

C.   The organization has too many virtual machines.

D.   Resource requirements for virtual machines are growing.

28.   Reasons for placing all IoT-type devices on isolated VLANs include all of the following except:

A.   Use of a different network access method

B.   Compatibility with IPv4

C.   Risks associated with unpatched and unpatchable devices

D.   Protection from malware present in end-user environments

29.   What is the best reason for including competency quizzes in security awareness training courses?

A.   Quizzes are needed in order to improve users’ knowledge.

B.   Quizzes are required by regulations such as PCI and HIPAA.

C.   It gives users an opportunity to test their skills.

D.   It provides evidence of retention of course content.

30.   In the context of information technology and information security, what is the purpose of fuzzing?

A.   To assess a physical server’s resilience through a range of humidity settings

B.   To assess a physical server’s ability to repel static electricity

C.   To assess a program’s resistance to attack via the UI

D.   To assess a program’s performance

31.   An attacker who is attempting to infiltrate an organization has decided to employ a DNS poison cache attack. What method will the attacker use to attempt this attack?

A.   Send forged query replies to a DNS server.

B.   Send forged query replies to end-user workstations.

C.   Send forged PTR replies to end-user workstations.

D.   Send forged PTR replies to DNS servers.

32.   What is the Unix command to dynamically view the end of a text logfile?

A.   tail -f

B.   tail -e

C.   less -f

D.   more -f

33.   In the United States, what are organizations required to do when discovering child pornography on a user’s workstation?

A.   Contact law enforcement after the user has admitted to viewing child porn.

B.   Contact law enforcement when the user’s workstation has been retired.

C.   Contact law enforcement after terminating the user.

D.   Immediately contact law enforcement.

34.   An organization suspects one of its employees of a security violation regarding the use of their workstation. The workstation, a laptop computer that is powered down, has been delivered to a forensic expert. What is the first thing the expert should do?

A.   Remove the hard drive.

B.   Photograph the laptop.

C.   Power up the laptop.

D.   Remove the RAM from the laptop.

35.   Which of the following statements is true regarding the Payment Card Industry Data Security Standard (PCI-DSS)?

A.   All organizations processing more than US$6,000,000 in credit card transactions annually must undergo an annual audit.

B.   Organizations using chip-and-PIN terminals are exempt from PCI requirements.

C.   Organizations processing fewer than six million merchant transactions annually are usually permitted to provide annual self-assessments.

D.   Organizations are permitted to opt out of low-risk controls via Compensating Control Worksheets.

36.   According to the European General Data Protection Regulation (GDPR), what is the requirement for organizations’ use of a Data Protection Officer (DPO)?

A.   All organizations storing EU citizen data are required to have an employee designated as the DPO.

B.   All organizations storing large volumes of EU citizen data are required to use a DPO.

C.   All organizations storing EU citizen data are required to retain the services of a DPO consultant.

D.   Only organizations based in Europe are required to have a DPO.

37.   What is the biggest risk associated with access badges that show the name of the organization?

A.   Someone who finds the badge may know where it can be used.

B.   An attacker can look up the organization’s public key and create forged badges.

C.   An attacker would know what brand of access badge technology is being used.

D.   Someone who finds a lost badge would be able to return it to the company.

38.   A user at work logs on to a web site that includes links to various business applications. Once the user logs on to the web site, the user does not need to log on to individual business applications. What mechanism provides this capability?

A.   Public key infrastructure

B.   Reduced sign-on

C.   Single sign-on

D.   Key vaulting

39.   What is the primary advantage of cloud-based web content filtering versus on-premises web content filtering?

A.   Cloud-based web content filtering systems are less expensive.

B.   Exceptions can be processed more quickly.

C.   Off-network users are protected just as in-office users are.

D.   Users are unable to circumvent this protection.

40.   An organization is investigating the use of an automated DLP solution that controls whether data files can be sent via e-mail or stored on USB drives based on their tags. What is the advantage of the use of tags for such a solution?

A.   Users are easily able to tag files so that they can be properly handled in e-mail.

B.   Data files are automatically processed based on tags instead of their data content.

C.   Tags are a better solution than the use of digital envelopes.

D.   Tags are human readable and can be altered as needed.

41.   All of the following are appropriate uses of digital signatures except:

A.   Verification of message authenticity

B.   Verification of message integrity

C.   Verification of message confidentiality

D.   Verification of message origin

42.   The entity that accepts requests for new public keys in a PKI is known as the:

A.   Reservation authority (RA)

B.   Validation authority (VA)

C.   Registration authority (RA)

D.   Certificate authority (CA)

43.   What method is used by a transparent proxy filter to prevent a user from visiting a site that has been blacklisted?

A.   Proxy sends an HTTP 400 Bad Request to the user’s browser.

B.   User is directed to a “web site blocked” splash page.

C.   Proxy filter simply drops the packets and the user’s browser times out.

D.   User’s workstation is quarantined to prevent malware from spreading.

44.   In a virtualized environment, which method is the fastest way to ensure rapid recovery of servers at an alternative processing center?

A.   Copy snapshots of virtual machine images to the alternative processing center’s storage system.

B.   Provide build instructions for all servers and make master server images available.

C.   Perform full and incremental backups of all servers on a daily basis.

D.   Perform grandfather-father-son backups of all servers on a daily basis.

45.   In an environment where users are not local administrators of their workstations, which of the following methods ensures that end users are not able to use their mobile devices as mobile Wi-Fi hotspots for circumventing network security controls such as web content filters and IPS?

A.   Require employees to turn off their mobile devices at work.

B.   Jam the signals of unauthorized Wi-Fi networks.

C.   Create a whitelist of permitted Wi-Fi networks.

D.   Create a blacklist of forbidden Wi-Fi networks.

46.   What is the most effective method for training users to more accurately detect and delete phishing messages?

A.   Block access to personal webmail and permit corporate e-mail only.

B.   Include phishing information in regular security awareness training.

C.   Conduct phishing tests and publicly inform offenders of their mistakes.

D.   Conduct phishing tests and privately inform offenders of their mistakes.

47.   An attacker has targeted an organization in order to steal specific information. The attacker has found that the organization’s defenses are strong and that very few phishing messages arrive at end-user inboxes. The attacker has decided to try a watering hole attack. What first steps should the hacker use to ensure a successful watering hole attack?

A.   Determine which web sites are frequently visited by the organization’s end users.

B.   Determine which restaurants the organization’s end users visit after working hours.

C.   Determine which protocols are blocked by the organization’s Internet firewalls.

D.   Determine the IP addresses of public-facing web servers that can be attacked.

48.   Which of the following techniques most accurately describes a penetration test?

A.   Manual exploitation tools and techniques

B.   Security scan, with results tabulated into a formal report that includes an executive summary

C.   Security scan, with results validated to remove any false positives

D.   Security scan, followed by manual exploitation tools and techniques

49.   A security analyst spends most of her time on a system that collects log data and correlates events from various systems to deduce potential attacks in progress. What kind of a system is the security analyst using?

A.   SIEM

B.   IPS

C.   IDS

D.   AV console

50.   The general counsel is becoming annoyed with notifications of minor security events occurring in the organization. This is most likely due to:

A.   Careless users clicking on too many phishing e-mails

B.   Ineffective defenses allowing frequent attacks

C.   Improper classification of security incidents

D.   Lack of a security incident severity scheme

51.   A forensic investigator is seen to be creating a detailed record of artifacts that are collected, analyzed, controlled, transferred to others, and stored for safekeeping. What kind of a written record is this?

A.   Storage inventory

B.   Investigation report

C.   Evidence collection log

D.   Chain of custody record

52.   Which controls framework is suggested by the ISO/IEC 27001 standard?

A.   ISO/IEC 27001

B.   ISO/IEC 27002

C.   NIST SP800-53

D.   Any framework that is applicable to the organization

53.   The default principle in the European General Data Protection Regulation for marketing communications from organizations to citizens is:

A.   Citizens are included and cannot opt out.

B.   Citizens are included until they explicitly opt out.

C.   Citizens are excluded until they explicitly opt in.

D.   Citizens are excluded and cannot opt in.

54.   The primary purpose of a mantrap is:

A.   To catch an individual attempting to enter a room without authorization

B.   To hold an offender in custody until charged or released

C.   To permit entry of one authorized person at a time

D.   To permit entry or exit of one authorized person at a time

55.   What is the purpose of locking a user account that has not been used for long periods of time?

A.   Reduction of the risk of compromised credentials

B.   Free up space for others to use the system

C.   Avoidance of audit exceptions

D.   Recycle license keys and cost reduction

56.   What is the best approach for implementing a new blocking rule in an IPS?

A.   First implement a firewall rule and then activate the IPS rule.

B.   Use the change control process so that stakeholders are aware of the new rule.

C.   Implement a new rule during a change window.

D.   Put the rule in learn mode and analyze the results.

57.   A security leader needs to develop a data classification program. After developing the data classification and handling policy, what is the best next step to perform?

A.   Configure DLP systems to monitor and enforce compliance.

B.   Configure DLP systems to monitor compliance.

C.   Announce the new policy to the organization.

D.   Work with business departments to socialize the policy.

58.   An organization wants to implement an IPS that utilizes SSL inspection. What must first be implemented so that the IPS will function?

A.   A span port on the Internet switch must be configured.

B.   A new root certificate must be pushed to all user workstations.

C.   Users must sign a consent for their personal traffic to be monitored.

D.   All end-user private keys must be refreshed.

59.   In what manner does a PKI support whole disk encryption on end-user workstations?

A.   PKI stores the bootup passwords used on each end-user workstation.

B.   PKI detects unauthorized use of data on end-user workstations.

C.   PKI stores decryption keys in the event an end-user forgets their bootup password.

D.   PKI records encryption and decryption operations.

60.   A browser contacts a web server and requests a web page. The web server responds with a status code 200. What is the meaning of this status code?

A.   The user has been redirected to another URL on the same domain.

B.   The user has been redirected to another URL on a different domain.

C.   The requested page requires prior authentication.

D.   The request is valid and has been accepted.

61.   For what reason would an engineer choose to use a hosted hypervisor versus a bare-metal hypervisor?

A.   There are insufficient resources available for a bare-metal hypervisor.

B.   Features available only in a host operating system are required.

C.   Guest OS monitoring is required.

D.   The hypervisor is supporting a VDI environment.

62.   The laboratory environment of a pharmaceutical research organization contains many scientific instruments that contain older versions of Windows and Linux operating systems that cannot be patched. What is the best remedy for this?

A.   Isolate the scientific instruments on a separate, protected network.

B.   Upgrade the OSs on the scientific instruments to current OS versions.

C.   Disconnect the OSs from the network.

D.   Audit user accounts on the OSs periodically.

63.   Which of the following is the best policy for a security awareness training course?

A.   Users are not required to take competency quizzes.

B.   Users are required to repeat modules when they fail competency quizzes.

C.   Users are required to take competency quizzes only one time, regardless of score.

D.   Users can skip training if they pass competency quizzes.

64.   Guessing that an intended victim has a particular online banking session open, an attacker attempts to trick the victim into clicking on a link that will attempt to execute a transaction on the online banking site. This type of attack is known as:

A.   Cross-site scripting

B.   Cross-site request forgery

C.   Man in the middle

D.   Man in the browser

65.   Which of the following tools is considered a search engine that can be used to list vulnerabilities in devices?

A.   OpenVAS

B.   Burp Suite

C.   Shodan

D.   John the Ripper

66.   All of the following tools are used to detect changes in static files except:

A.   Blacklight

B.   OSSEC

C.   Tripwire

D.   Firesheep

67.   Which of the following describes the correct sequence for computer security incident response?

A.   Protect, detect, respond, recover

B.   Identify, protect, detect, respond, recover

C.   Evaluate, detect, eradicate, contain, recover, closure

D.   Detect, initiate, evaluate, contain, eradicate, recover, remediate

68.   Which of the following devices is needed for the creation of a forensically identical hard disk drive?

A.   Diode

B.   Bit locker

C.   Read blocker

D.   Write blocker

69.   Which of the following statements about NIST CSF is true?

A.   NIST CSF is a security controls framework.

B.   NIST CSF is a policy framework for cybersecurity.

C.   NIST CSF is a computer security incident response framework.

D.   NIST CSF is a software development framework.

70.   The “right to be forgotten” was first implemented by:

A.   GDPR

B.   Google

C.   NYDFS

D.   Facebook

71.   The term “tailgating” most often refers to:

A.   Personnel who prop or shim doors so that others can enter a protected facility without authentication

B.   Personnel who permit others to follow them into a protected facility without authentication

C.   Personnel who follow others into a protected facility without authentication

D.   Personnel who loan their keycards to others to enter a protected facility

72.   A security manager in a large organization has found that the IT department has no central management of privileged user accounts. What kind of a tool should the security manager introduce to remedy this practice?

A.   FAM tools

B.   FIM tools

C.   PAM tools

D.   SIEM tools

73.   A security analyst has determined that some of the OS configuration file alterations have taken place without proper authorization. Which tool did the security analyst use to determine this?

A.   FAM

B.   FIM

C.   PAM

D.   SIEM

74.   An employee notes that a company document is marked “Confidential.” Is it acceptable for the employee to e-mail the document to a party outside the company?

A.   Yes, but the document must be encrypted first.

B.   Yes, the document can be e-mailed to an outside party in plaintext.

C.   This cannot be determined without first consulting the data classification and handling policy.

D.   No, the document cannot be e-mailed to any inside or outside party.

75.   An auditor has completed an audit of an organization’s use of a tool that generates SSL certificates for its external web sites. The auditor has determined that key management procedures are insufficient and that split custody of the key generation procedure is required. How might this be implemented?

A.   Of two engineers, one creates the certificate and the other verifies its creation.

B.   Of two engineers, each performs half of the procedure used to create a new certificate.

C.   Of two engineers, each has one half of the password required to create a new certificate.

D.   Of two engineers, one approves the creation of the certificate and the other creates the certificate.

76.   An organization that issues digital certificates recently discovered that a digital certificate was issued to an unauthorized party. What is the appropriate response?

A.   Create a CRLF entry.

B.   Create a CRL entry.

C.   Notify all certificate holders.

D.   Call a press conference.

77.   Why is it important for a web session cookie to be encrypted?

A.   Parties that can observe the communication will not be able to hijack the session.

B.   Parties that observe the communication will not be able to view the user’s password.

C.   Third parties will not be able to push unsolicited advertising to the user.

D.   The web site operator will not be able to record the user’s session.

78.   Why would a hypervisor conceal its existence from a guest OS?

A.   To prevent the guest OS from breaking out of the container.

B.   To improve the performance of the guest OS.

C.   To avoid letting an intruder know that the OS is part of a virtualized environment.

D.   To let an intruder know that the OS is part of a virtualized environment.

79.   How can an organization prevent employees from connecting to the corporate Exchange e-mail environment with personally owned mobile devices?

A.   Implement multifactor authentication.

B.   Permit only Outlook clients to connect to the Exchange server.

C.   Encrypt OWA traffic.

D.   Put the OWA server behind the firewall and VPN switch.

80.   What is the purpose of the Firesheep tool?

A.   It demonstrates the dangers of non-encrypted web sessions.

B.   It is used as an alternative browser to Firefox to illustrate security concepts.

C.   It is used to analyze firewall rules.

D.   It is used to back up firewall rules.

81.   An organization is implementing a new SIEM. How must engineers get log data from systems and devices to the SIEM?

A.   Install agents on all systems and devices.

B.   Send them via Windows events.

C.   Send them via syslog.

D.   Send them via syslog and Windows events.

82.   What is the appropriate consequence of SOC operators declaring incidents that turn out to be false positives?

A.   Additional training to improve their incident-handling skills.

B.   Termination of employment.

C.   Removal of incident declaration privileges.

D.   No consequence, as false positives are a part of business as usual.

QUICK ANSWER KEY

1. C

2. B

3. A

4. C

5. C

6. A

7. D

8. B

9. C

10. D

11. A

12. D

13. C

14. B

15. D

16. D

17. A

18. C

19. B

20. A

21. D

22. A

23. C

24. C

25. B

26. D

27. A

28. B

29. D

30. C

31. A

32. A

33. D

34. B

35. C

36. B

37. A

38. C

39. C

40. B

41. C

42. C

43. B

44. A

45. C

46. D

47. A

48. D

49. A

50. D

51. D

52. B

53. C

54. D

55. A

56. D

57. D

58. B

59. C

60. D

61. B

62. A

63. B

64. B

65. C

66. D

67. D

68. D

69. B

70. A

71. C

72. C

73. B

74. C

75. C

76. B

77. A

78. C

79. D

80. A

81. D

82. A

ANSWERS

1.   A new information security manager has examined the systems in the production environment and has found that their security-related configurations are inadequate and inconsistent. To improve this situation, the security manager should create a:

A.   Jump server

B.   Firewall rule

C.   Hardening standard

D.   CMDB

  C. A hardening standard will define the security-related configurations applicable to information systems and devices. Note that automation may also need to be implemented if there are large numbers of servers.

  A is incorrect because a jump server will not address this situation.

  B is incorrect because firewall rules will not adequately address this situation.

  D is incorrect because a CMDB may already exist in this situation; regardless, it is the strong and consistent configuration of servers that is necessary. A CMDB will assist in the management of server configuration.

2.   Which U.S. government agency enforces retail organizations’ information privacy policy?

A.   National Institute of Standards and Technology

B.   Federal Trade Commission

C.   Office of Civil Rights

D.   United States Secret Service

  B. The Federal Trade Commission (FTC) has historically enforced retail organizations’ information privacy policies and has brought legal suits against organizations that knowingly violated them.

  A is incorrect because the National Institute of Standards and Technology (NIST) develops standards and guidelines but does not perform enforcement.

  C is incorrect because the Office of Civil Rights (OCR) enforces HIPAA and related laws in the health-care industry.

  D is incorrect because the U.S. Secret Service (USSS) protects U.S. currency as well as the president.

3.   While useful for detecting fires, what is one known problem associated with the use of smoke detectors under a raised computer room floor?

A.   False alarms due to the accumulation of dust

B.   Higher cost of maintenance

C.   Lack of visual reference

D.   Lower sensitivity due to stagnant air

  A. Dust can accumulate under the raised floor in a computer room environment. Changes in airflow can cause the dust to circulate in the air, causing false-positive smoke detection.

  B is incorrect because there is no difference in maintenance costs for smoke detectors above or below a raised floor.

  C is incorrect because it is not necessary for personnel to be able to see smoke detectors below a raised floor.

  D is incorrect because the air under a raised floor is not stagnant, but instead serves as a plenum for cooling and air circulation.

4.   An organization is seeking to establish a protocol standard for federated authentication. Which of the following protocols is least likely to be selected?

A.   OAuth

B.   SAML

C.   SOAP

D.   HMAC

  C. SOAP is a protocol used for distributed object instantiation and communication.

  A is incorrect because OAuth is a protocol found in federated authentication.

  B is incorrect because SAML is a protocol found in federated authentication.

  D is incorrect because HMAC is a protocol found in federated authentication. HMAC has fallen out of common use.

5.   What is one distinct disadvantage of the use of on-premises web content filtering?

A.   End users can no longer inspect URLs in e-mail messages.

B.   End users can easily circumvent it with a local IPS.

C.   Mobile devices are unprotected when off-network.

D.   It is labor intensive to manage exceptions.

  C. On-premises web content filtering protects devices on the internal network, as well as remote devices when they have established VPNs without split tunneling. Mobile devices connected to the Internet without VPN receive no protection from on-premises web content filtering systems.

  A is incorrect because web content filtering systems do not interact with the content of e-mail messages.

  B is incorrect because users would not be able to circumvent web content filtering with a local IPS; on the contrary, a local IPS would further improve endpoint security, particularly when off-network.

  D is incorrect because the management of rule exceptions is not necessarily a problem.

6.   What is the purpose of data classification?

A.   To establish rules for data protection and use

B.   To discover sensitive data on unstructured shares

C.   To enforce file access rules

D.   To gather statistics on data usage

  A. The purpose of a data classification program is to define the classes, or categories, of data and define usage guidelines for data at each classification level. This helps personnel to understand and follow handling guidelines, which results in improved data protection.

  B is incorrect because data classification is not used in data discovery.

  C is incorrect because data classification does not directly contribute to the enforcement of file access rules. Data classification, however, may state what file access rules should be.

  D is incorrect because data classification does not contribute to data usage statistics.

7.   Blockchain is best described as:

A.   A cryptographic algorithm

B.   A data confidentiality technique using cryptography

C.   A popular cryptocurrency

D.   A list of records that are linked using cryptography

  D. A blockchain is a series of records that are linked using cryptography. Specifically, each successive record in a blockchain contains a hash of the previous record; this makes data in a blockchain resistant to alteration.

  A is incorrect because blockchain is not a cryptographic algorithm; blockchain uses crypto algorithms, however.

  B is incorrect because blockchain does not protect the confidentiality of data; its design goal is integrity, and in a public blockchain every participant can read every record.

  C is incorrect because blockchain is not a cryptocurrency.
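As an added example (not part of the book), the following Python builds a small hash chain of the kind described in this answer and verifies it. Each record stores the SHA-256 hash of its own contents together with the hash of the preceding record, so changing any record invalidates the hash of every record after it. The payloads are constructed sample data. Note what the check does and does not give: it makes tampering evident to anyone holding an honest copy of the chain head, but it does not by itself stop an attacker who controls the entire store from rewriting the whole chain, which is why blockchains add distribution and consensus on top of the hash linkage.

```python
"""Hash-chained records: build a chain and detect tampering.

Added example; record payloads are constructed sample data.
"""
import copy
import hashlib
import json

GENESIS_PREV = "0" * 64  # the first record has no predecessor


def record_hash(index: int, prev_hash: str, payload: dict) -> str:
    """SHA-256 over a canonical serialization of the record's contents.

    Canonical (sorted keys, no whitespace) so the same data always hashes
    the same way regardless of how the dict was built.
    """
    material = json.dumps(
        {"index": index, "prev": prev_hash, "payload": payload},
        sort_keys=True, separators=(",", ":"),
    ).encode("utf-8")
    return hashlib.sha256(material).hexdigest()


def build_chain(payloads: list) -> list:
    """Link the payloads into records, each carrying its predecessor's hash."""
    chain, prev = [], GENESIS_PREV
    for index, payload in enumerate(payloads):
        digest = record_hash(index, prev, payload)
        chain.append({"index": index, "prev": prev, "payload": payload, "hash": digest})
        prev = digest
    return chain


def first_invalid_record(chain: list) -> int:
    """Return the index of the first record that fails verification, or -1.

    A record fails if its 'prev' field does not equal the hash of the record
    before it, or if its stored hash does not match its own contents.
    """
    prev = GENESIS_PREV
    for index, record in enumerate(chain):
        if record["index"] != index or record["prev"] != prev:
            return index
        if record_hash(index, prev, record["payload"]) != record["hash"]:
            return index
        prev = record["hash"]
    return -1


def tamper(chain: list, index: int, new_payload: dict, rehash: bool = False) -> list:
    """Return a copy of the chain with one payload replaced.

    With rehash=True the attacker also recomputes that record's own hash,
    which is the realistic case; the break then shows up at the next record.
    """
    altered = copy.deepcopy(chain)
    altered[index]["payload"] = new_payload
    if rehash:
        altered[index]["hash"] = record_hash(index, altered[index]["prev"], new_payload)
    return altered


SAMPLE_PAYLOADS = [  # constructed sample data
    {"from": "treasury", "to": "alice", "amount": 50},
    {"from": "alice", "to": "bob", "amount": 20},
    {"from": "bob", "to": "carol", "amount": 5},
]

if __name__ == "__main__":
    chain = build_chain(SAMPLE_PAYLOADS)
    evil = {"from": "alice", "to": "mallory", "amount": 20}
    print("intact chain:", first_invalid_record(chain))
    print("record 1 altered:", first_invalid_record(tamper(chain, 1, evil)))
    print("record 1 altered and rehashed:", first_invalid_record(tamper(chain, 1, evil, rehash=True)))
```

Rewriting the last record and recomputing its hash leaves the chain internally consistent, so the verifier alone cannot see it; only a copy of the chain head held elsewhere (the role played by other nodes in a distributed ledger) reveals that change.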

8.   The private keys for a well-known web site have been compromised. What is the best approach for resolving this matter?

A.   Change the IP address of the web server.

B.   Add an entry to a CRL for the web site’s SSL keys.

C.   Recompile the web site’s application.

D.   Reboot the web server.

  B. Revoking the certificate is the most effective remedy. The certificate authority (CA) that issued the web site’s certificate adds its serial number to its certificate revocation list (CRL) and, where supported, publishes the revoked status through OCSP. Clients that check revocation status will then refuse to trust the compromised certificate, at least those that actually perform the check, since many clients check revocation inconsistently or not at all. The site operator must also generate a new key pair and obtain a new certificate; revocation alone does not restore service.

  A is incorrect because changing the web server’s IP address does not address the problem of the compromised private key.

  C is incorrect because recompiling the web site’s application does not address the problem of the compromised private key.

  D is incorrect because rebooting the web server does not change anything about the encryption keys in use.

9.   A web application stores unique codes on each user’s system in order to track the activities of each visitor. What is a common term for these codes?

A.   Http-only cookie

B.   Super cookie

C.   Session cookie

D.   Persistent cookie

  C. A session cookie holds the identifier that the web application uses to recognize each visitor’s session and to track that visitor’s activity while the session lasts. It carries no Expires or Max-Age attribute, so the browser discards it when the browsing session ends.

  A is incorrect because an http-only cookie is one flagged HttpOnly, which instructs the browser not to expose it to client-side scripts such as JavaScript (a defense against cookie theft through cross-site scripting); the flag describes how the cookie is protected, not what it is used for.

  B is incorrect because a super cookie is one scoped to a top-level domain or public suffix such as .com, which would be presented to every site under that suffix; modern browsers reject such cookies.

  D is incorrect because a persistent cookie carries an Expires or Max-Age attribute and survives across browser sessions; it is typically used to store user preferences such as language and time zone, or to remember a returning visitor.
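The distinctions in this answer can be checked mechanically against a server’s Set-Cookie headers. The following added example (Python, not from the book) parses a Set-Cookie header, classifies the cookie as a session or persistent cookie by the presence of Expires or Max-Age, and reports the protective attributes that a session identifier should carry: HttpOnly (not readable by scripts), Secure (only sent over HTTPS) and SameSite. The header values are constructed for the example.

```python
"""Classify and audit Set-Cookie headers.

Added example; the sample headers below are constructed for illustration.
"""


def parse_set_cookie(header: str) -> dict:
    """Split 'name=value; Attr; Attr=val' into name, value and lower-cased attributes.

    Flag attributes with no value (HttpOnly, Secure) are stored as True.
    """
    parts = [part.strip() for part in header.split(";") if part.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def classify_cookie(header: str) -> dict:
    """Return the cookie's kind (session or persistent) and its security attributes."""
    cookie = parse_set_cookie(header)
    attrs = cookie["attrs"]
    persistent = "expires" in attrs or "max-age" in attrs  # survives a browser restart
    samesite = attrs.get("samesite")
    return {
        "name": cookie["name"],
        "kind": "persistent" if persistent else "session",
        "httponly": attrs.get("httponly") is True,
        "secure": attrs.get("secure") is True,
        # SameSite value if given; None means the header did not set it
        "samesite": samesite if isinstance(samesite, str) else None,
    }


def audit_session_cookie(header: str) -> list:
    """Findings for a cookie that carries a session identifier; empty list means clean."""
    info = classify_cookie(header)
    findings = []
    if not info["httponly"]:
        findings.append("missing HttpOnly: cookie is readable by page scripts (XSS can steal it)")
    if not info["secure"]:
        findings.append("missing Secure: cookie may be sent over plaintext HTTP")
    if info["samesite"] is None:
        findings.append("missing SameSite: relies on the browser default for cross-site requests")
    if info["kind"] == "persistent":
        findings.append("session identifier persisted to disk via Expires/Max-Age")
    return findings


# Constructed sample headers
GOOD_SESSION = "SESSIONID=3f9a1c7e2b; Path=/; HttpOnly; Secure; SameSite=Strict"
WEAK_SESSION = "SESSIONID=3f9a1c7e2b; Path=/"
TRACKER = "visitor=u-000123; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/"
PREFS = "lang=en; Max-Age=31536000; Path=/; SameSite=Lax"

if __name__ == "__main__":
    for header in (GOOD_SESSION, WEAK_SESSION, TRACKER, PREFS):
        print(classify_cookie(header))
    print(audit_session_cookie(WEAK_SESSION))
```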

10.   The term “virtual memory” refers to what mechanism?

A.   The main storage allocated to a guest of a hypervisor

B.   Memory management that isolates running processes

C.   Memory that is shared between guests of a hypervisor

D.   Main storage space that exceeds physical memory and is extended to secondary storage

  D. Virtual memory is the technique of creating memory space that exceeds the physical main memory of a system; memory is extended onto secondary storage.

  A, B, and C are incorrect because virtual memory is not correctly described in these terms.

11.   What is the effect of suppressing the broadcast of SSID?

A.   Network is not listed, but no difference in security.

B.   Only registered users are able to connect.

C.   Stronger (AES vs. TKIP) cryptography.

D.   Administrators can track users more easily.

  A. Suppressing the broadcast of the SSID in a Wi-Fi network makes no meaningful difference to its security. The SSID is still sent in clear text in probe and association frames whenever a client connects, so any wireless sniffer shows “hidden” networks alongside broadcast ones. Worse, clients configured for a hidden network must probe for it by name wherever they go, which discloses the network’s existence to anyone listening.

  B is incorrect because suppressing SSID broadcast has no effect on the users who are able to connect.

  C is incorrect because suppressing SSID broadcast is not related to the selection of cryptography.

  D is incorrect because suppressing SSID broadcast does not affect administration or monitoring of the Wi-Fi network.

12.   What is the purpose of recordkeeping in a security awareness training program?

A.   It prevents users from repeating the training.

B.   Compliance with training provider licensing requirements.

C.   Recordkeeping is required by ISO 27001.

D.   Users cannot later claim no knowledge of content if they violate policy.

  D. When a user completes security awareness training and business records hold evidence of that completion, the user cannot easily deny knowledge of the training content if they are later found to have violated policy. Competency quizzes as part of security awareness training help even more in this regard, because they show that the user understood the material, not merely that they sat through it.

  A is incorrect because an organization would not normally deny a user from repeating security awareness training.

  B is incorrect because license requirements are enforced through access controls.

  C is incorrect because recordkeeping is not necessarily required by ISO 27001.

13.   An attack technique in which an attacker attempts to place arbitrary code into the instruction space of a running process is known as:

A.   Cross-site scripting

B.   A time-of-check to time-of-use attack

C.   A buffer overflow attack

D.   A race condition

  C. A buffer overflow attack supplies more input than a program’s buffer was sized to hold. The excess overwrites adjacent memory, such as a saved return address or a function pointer, so that execution can be redirected into attacker-supplied code placed in the process’s address space. Successful exploitation can give the attacker complete control of the target program, with whatever privileges it runs under.

  A is incorrect because a cross-site scripting attack does not overwrite code in the instruction space of a running program; it is a technique where the attacker places client-side scripts into web pages so that a user’s browser will execute the attacker’s code.

  B and D are incorrect because a time-of-check to time-of-use (TOCTOU) attack, a form of race condition, exploits the window between a program’s check of a resource (for example, a file’s permissions) and its use of that resource. An attacker who changes the resource in that window, such as by replacing the file with a symbolic link, causes the program to act on something other than what it checked. No code is injected into the process’s instruction space.

14.   A security analyst who is troubleshooting a security issue has asked another engineer to obtain a PCAP file associated with a given user’s workstation. What is the security analyst asking for?

A.   A copy of the workstation’s registry file

B.   A copy of the network traffic to and from the workstation

C.   An image of the workstation’s main memory (RAM)

D.   An image of the workstation’s secondary memory (hard drive)

  B. A PCAP (packet capture) file is a file containing a copy of network traffic associated with one or more devices on a network.

  A is incorrect because a PCAP is not a copy of the workstation’s registry file.

  C and D are incorrect because a PCAP is not an image of a workstation’s main or secondary memory.

15.   A development lab employs a syslog server for security and troubleshooting issues. The information security office has recently implemented a SIEM and has directed that all log data be sent to the SIEM. How can the development lab continue to employ its local syslog server while complying with this request?

A.   Build a proxy server that will clone the log data.

B.   The development lab will have to shut down its syslog server.

C.   Export syslog data every hour and send it to the SIEM.

D.   Direct servers to send their syslog data to the local server and to the SIEM.

  D. Servers and devices can send syslog data to multiple destinations. Syslog daemons such as rsyslog and syslog-ng accept any number of forwarding actions, so each host can keep its local logs and forward the same messages both to the lab’s syslog server and to the SIEM.

  A is incorrect because a proxy server is unnecessary, as systems and devices can send syslog data to multiple destinations.

  B is incorrect because the development lab can continue using its syslog server and comply with the request by configuring its systems and devices to send syslog data to both the local syslog server and the SIEM.

  C is incorrect because exporting syslog data and forwarding it to the SIEM is unnecessary, since systems and devices can send syslog data to multiple destinations.
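As an added example (not from the book), the rsyslog fragment below shows how a host does exactly that. The hostnames and ports are assumptions for illustration. Each action() statement is independent, which is what lets one message reach several destinations; the SIEM action gets a disk-assisted queue so that a slow or unreachable SIEM never blocks local logging or the forwarding to the lab server.

```conf
# /etc/rsyslog.d/30-forward.conf  (added example; hosts and ports are assumed)
# Local file rules in /etc/rsyslog.conf keep working; these actions are in addition.

# Forward everything to the lab's existing syslog server over TCP.
*.* action(type="omfwd"
           target="syslog.lab.example.internal"
           port="514"
           protocol="tcp")

# Forward everything to the SIEM as well. The disk-assisted queue buffers
# messages while the SIEM is unreachable (queue.filename needs a writable
# work directory, the distribution default or global(workDirectory=...)),
# and an infinite retry count means nothing is silently dropped during an outage.
*.* action(type="omfwd"
           target="siem.example.internal"
           port="514"
           protocol="tcp"
           queue.type="LinkedList"
           queue.filename="siem_fwd"
           queue.maxDiskSpace="1g"
           queue.saveOnShutdown="on"
           action.resumeRetryCount="-1")
```

Check the configuration with rsyslogd -N1 before restarting the daemon. Transport encryption to the SIEM (TLS through omfwd’s stream driver settings) is left out here for brevity; in production, log data leaving the lab segment should be protected in transit.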

16.   The best time to assign roles and responsibilities for computer security incident response is:

A.   During training

B.   During tabletop testing

C.   While responding to an incident

D.   While writing the incident response plan

  D. The best time to establish and assign roles and responsibilities for computer security incident response is at the time of incident response plan development.

  A is incorrect because responsible parties for computer security incident response should be established well before training, in the plan development stage.

  B is incorrect because responsible parties for computer security incident response should be established well before tabletop testing, in the plan development stage.

  C is incorrect because roles and responsibilities should be established well before an incident actually occurs, ideally in the plan development stage.

17.   Chain of custody is employed in which business process?

A.   Internal investigation

B.   Asset management

C.   Access management

D.   Penetration testing

  A. Chain of custody is employed whenever there is an investigation, including forensics and security incidents, where evidence needs to be collected and retained for later legal proceedings.

  B and C are incorrect because chain of custody is not used in asset or access management processes.

  D is incorrect because chain of custody is not used in penetration tests.

18.   Canada’s ITSG-33 is a similar to which standard?

A.   SSAE18

B.   HIPAA

C.   NIST SP800-53

D.   ISO/IEC 27001

  C. Canada’s ITSG-33 (IT Security Risk Management: A Lifecycle Approach), published by the Communications Security Establishment, is closely modeled on the U.S. standard NIST SP 800-53; its Annex 3A security control catalog is derived from the SP 800-53 control catalog.

  A, B, and D are incorrect because ITSG-33 is not similar to SSAE18, HIPAA, or ISO/IEC 27001.

19.   The process of ensuring proper protection and use of PII is known as:

A.   Security

B.   Privacy

C.   Data loss prevention

D.   Data discovery

  B. Privacy is primarily concerned with the protection of PII (personally identifiable information), as well as its uses in and by an organization.

  A is incorrect because security is primarily concerned only with the protection of PII, but not with its use.

  C is incorrect because data loss prevention (DLP) is concerned with detecting and blocking the movement of PII and other sensitive information, such as intellectual property, outside authorized channels. It is a control that supports privacy, not the overall process of ensuring proper protection and use.

  D is incorrect because data discovery is the process of examining storage systems to determine the nature of the data that resides there.

20.   A CIO is investigating the prospect of a hosting center for its IT infrastructure. A specific hosting center claims to have “N+1 HVAC Systems.” What is meant by this term?

A.   The hosting center has one more HVAC system than is necessary for adequate cooling.

B.   The hosting center has the “N+1” brand of HVAC systems designed for hosting centers.

C.   The hosting center has recently installed a new HVAC system.

D.   The hosting center HVAC systems meet the N+1 reliability standard.

  A. N+1 refers to any of several critical systems, including incoming power, HVAC, and Internet connectivity, where at least one additional component is available so that the failure of one component will not interrupt hosting center services.

  B is incorrect because N+1 is not an HVAC brand, but an expression of resilience.

  C is incorrect because N+1 is an expression of resilience through redundancy.

  D is incorrect because N+1 is an expression of resilience through the number of components in use, generally one more than is necessary to sustain operations.

21.   An organization has updated its identity and access management infrastructure so that users use their AD credentials to log in to the network as well as internal business applications. What has the organization implemented?

A.   Credential vaulting

B.   Single sign-on

C.   Federated identity

D.   Reduced sign-on

  D. Reduced sign-on is the result of integrating a central identity store such as Active Directory (AD) with applications and networks. The term “reduced sign-on” refers to the reduction in the numbers of login credentials users need to access networks and systems.

  A is incorrect because credential vaulting is a technique of storing login credentials in an encrypted repository.

  B is incorrect because single sign-on (SSO) is a mechanism that permits a user to log in once to an environment containing multiple applications and systems. The logged-in state of each user is known to systems and applications that are a part of the SSO environment.

  C is incorrect because federated identity is the process of permitting users to authenticate to systems in participating organizations.

22.   The primary advantage of a firewall on a laptop computer is:

A.   Laptop computers are protected when outside the enterprise network.

B.   End users have more control over their network security.

C.   Improved performance of enterprise network firewalls.

D.   Redundancy in the event the enterprise firewall is overloaded.

  A. The firewall on a laptop computer will provide some network protection in cases where the laptop is connected to the Internet at a location outside of the enterprise and its firewalls.

  B is incorrect because end users should not be able to configure the firewalls on their workstations.

  C and D are incorrect because the use of laptop firewalls will not affect the performance of enterprise firewalls.

23.   An organization’s data classification policy includes guidelines for placing footers with specific language in documents and presentations. What activity does this refer to?

A.   Digital signatures

B.   Digital envelopes

C.   Document marking

D.   Document tagging

  C. Document marking is the process of placing human-readable text in a document that advises a reader of its sensitivity.

  A is incorrect because the use of digital signatures is a process of cryptographically signing a document to ensure its authenticity and integrity.

  B is incorrect because the use of digital envelopes is a technique of encapsulating encryption keys.

  D is incorrect because document tagging, while similar to document marking, is used to place machine-readable tags on documents for use by automated systems.

24.   What technique does PGP use to permit multiple users to read an encrypted document?

A.   Key fingerprints

B.   Symmetric cryptography

C.   Digital envelope

D.   Digital signature

  C. PGP uses a digital envelope: the document is encrypted once with a randomly generated symmetric session key, and that session key is then encrypted separately to each intended recipient’s public key. The message carries one encrypted copy of the session key per recipient, so each recipient uses their own private key to recover the session key and then decrypts the document.

  A is incorrect because key fingerprints are used to verify a user’s public key.

  B is incorrect because symmetric cryptography, while used at the core of PGP to encrypt and decrypt files, does not itself facilitate access by multiple users.

  D is incorrect because a digital signature is used to verify the authenticity and integrity of a document.

25.   What feature permits enterprise users of Microsoft Outlook to digitally sign e-mail messages?

A.   PGP

B.   AD PKI

C.   Local administrative privileges

D.   Password vaulting

  B. Active Directory Certificate Services, the PKI built on Active Directory, can automatically enroll users for S/MIME certificates; Outlook uses those certificates to digitally sign, and encrypt, e-mail messages, and recipients in the same PKI can verify the signatures because they trust the issuing CA.

  A is incorrect because Outlook has no native PGP support; PGP signing requires third-party add-ins and is not commonly used for enterprise e-mail, where S/MIME is the standard.

  C is incorrect because local administrative privileges do not directly facilitate the use of digital signatures in e-mail. While a local administrator may be able to generate a keypair locally, a recipient of a digitally signed or encrypted message would probably not be able to verify or decrypt it.

  D is incorrect because password vaulting is used to protect passwords.

26.   A URL starting with shttp:// signifies what technology?

A.   Self-signed content

B.   Encryption with 3DES

C.   Encryption with SSL or TLS

D.   SET, or Secure Electronic Transaction

  D. The shttp:// scheme belongs to S-HTTP (Secure HTTP, RFC 2660), an experimental message-level security protocol from the late 1990s and a contemporary of SET (Secure Electronic Transaction), the card-payment protocol developed by Visa and Mastercard. Both are long deprecated and no longer in use; HTTPS (HTTP over TLS) superseded them.

  A is incorrect because shttp:// does not signify the use of self-signed content.

  B and C are incorrect because shttp:// does not determine the encryption protocol to be used.

27.   A recent audit of an IT operation included a finding stating that the organization experiences virtualization sprawl. What is the meaning of this term?

A.   The process related to the creation of new virtual machines is not effective.

B.   Virtual machines are contending for scarce resources.

C.   The organization has too many virtual machines.

D.   Resource requirements for virtual machines are growing.

  A. Virtualization sprawl is the phenomenon whereby new virtual machines are created without adequate management control. Because new servers can be created in a virtual environment without requiring the purchase of server hardware, organizations without effective controls will find that they have far more virtual machines than management intends.

  B is incorrect because virtualization sprawl does not refer to VMs contending for scarce resources. However, VMs contending for resources is a likely result of virtualization sprawl.

  C is incorrect because an organization with too many virtual machines is a result of ineffective virtual machine management controls.

  D is incorrect because virtualization sprawl does not refer to the growing need for resources, but to the loss of control over the creation of virtual machines.

28.   Reasons for placing all IoT-type devices on isolated VLANs include all of the following except:

A.   Use of a different network access method

B.   Compatibility with IPv4

C.   Risks associated with unpatched and unpatchable devices

D.   Protection from malware present in end-user environments

  B. Compatibility with IPv4 is rarely, if ever, a reason for isolating IoT devices onto a separate VLAN.

  A, C, and D are incorrect because these are all potential considerations for placing IoT devices in isolated VLANs.

29.   What is the best reason for including competency quizzes in security awareness training courses?

A.   Quizzes are needed in order to improve users’ knowledge.

B.   Quizzes are required by regulations such as PCI and HIPAA.

C.   It gives users an opportunity to test their skills.

D.   It provides evidence of retention of course content.

  D. Quizzes help to reinforce learning and provide evidence that users learned the content. Some online courses are able to require users to pass quizzes with an arbitrary minimum score in order to complete the course. Finally, a user accused of policy violation cannot rightfully claim their lack of understanding of policies if quiz scores demonstrate they did understand them at the time of their training.

  A is incorrect because quizzes don’t necessarily improve users’ knowledge, but are used to test their knowledge.

  B is incorrect because PCI and HIPAA do not necessarily require quizzes in security awareness training courses.

  C is incorrect because the primary purposes of quizzes is to measure competency, not provide opportunities to practice.

30.   In the context of information technology and information security, what is the purpose of fuzzing?

A.   To assess a physical server’s resilience through a range of humidity settings

B.   To assess a physical server’s ability to repel static electricity

C.   To assess a program’s resistance to attack via the UI

D.   To assess a program’s performance

  C. Fuzzing is the technique of feeding a program large numbers of malformed, random or systematically mutated inputs through its interfaces (UI input fields, file formats, network protocols, APIs) and watching for crashes, hangs and other unexpected behavior that indicate security vulnerabilities such as memory corruption or unhandled input errors.

  A and B are incorrect because fuzzing is not related to humidity or static electricity in a server environment.

  D is incorrect because fuzzing is not used to assess a program’s performance.
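As an added example (Python, not from the book) of what fuzzing does, the code below fuzzes a small constructed record parser that has a deliberate bug: it trusts the length byte at the front of the record. A mutational fuzzer takes a valid record, applies random byte flips, replacements, insertions and deletions, and feeds each variant to the parser. Inputs the parser rejects on purpose (its own Rejected error) are fine; any other exception is a crash worth investigating, and the fuzzer keeps one reproducing input per crash type. The format, parser and seed input are all constructed for the example; a corrected parser is included to show the fuzzer going quiet once the bug is fixed.

```python
"""Mutational fuzzing of a constructed length-prefixed record parser.

Added example. Record format (constructed): one length byte N, N payload
bytes, then one checksum byte equal to the payload's byte sum mod 256.
"""
import random


class Rejected(ValueError):
    """Raised by the parser when it deliberately refuses malformed input."""


def make_record(payload: bytes) -> bytes:
    """Build a well-formed record for the constructed format."""
    return bytes([len(payload)]) + payload + bytes([sum(payload) % 256])


def parse_record(data: bytes) -> bytes:
    """Parse a record and return its payload.

    Deliberate bug for the fuzzer to find: the declared length is trusted,
    so when it exceeds the bytes actually present the checksum read below
    runs off the end of the buffer (an IndexError rather than a Rejected).
    """
    if len(data) < 2:
        raise Rejected("too short")
    declared = data[0]
    payload = data[1:1 + declared]
    checksum = data[1 + declared]      # bug: no check that this byte exists
    if sum(payload) % 256 != checksum:
        raise Rejected("checksum mismatch")
    return payload


def parse_record_fixed(data: bytes) -> bytes:
    """The same parser with the length check the fuzzer shows to be missing."""
    if len(data) < 2:
        raise Rejected("too short")
    declared = data[0]
    if len(data) != 2 + declared:
        raise Rejected("length field does not match record size")
    payload = data[1:1 + declared]
    if sum(payload) % 256 != data[1 + declared]:
        raise Rejected("checksum mismatch")
    return payload


def mutate(seed_input: bytes, rng: random.Random) -> bytes:
    """Apply one to three random byte-level mutations to the seed input."""
    buf = bytearray(seed_input)
    for _ in range(rng.randint(1, 3)):
        op = rng.choice(("flip", "set", "insert", "delete"))
        if op == "insert" or not buf:
            buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
        elif op == "flip":
            buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
        elif op == "set":
            buf[rng.randrange(len(buf))] = rng.randrange(256)
        else:
            del buf[rng.randrange(len(buf))]
    return bytes(buf)


def fuzz(target, seed_input: bytes, iterations: int = 2000, seed: int = 1) -> dict:
    """Run the target on mutated inputs; return {exception name: first crashing input}.

    Rejected is the parser's graceful refusal and is not a finding.
    """
    rng = random.Random(seed)           # fixed seed: runs are reproducible
    crashes = {}
    for _ in range(iterations):
        case = mutate(seed_input, rng)
        try:
            target(case)
        except Rejected:
            continue
        except Exception as exc:        # anything else is an unhandled condition
            crashes.setdefault(type(exc).__name__, case)
    return crashes


def reproduces(target, case: bytes, exception_name: str) -> bool:
    """True if running target on the saved input raises the named exception again."""
    try:
        target(case)
    except Exception as exc:
        return type(exc).__name__ == exception_name
    return False


if __name__ == "__main__":
    seed_record = make_record(b"hello")
    for name, case in fuzz(parse_record, seed_record).items():
        print(f"{name}: {case.hex()} reproduces={reproduces(parse_record, case, name)}")
    print("fixed parser:", fuzz(parse_record_fixed, seed_record))
```

Real fuzzers (AFL++, libFuzzer, and web-form fuzzers in tools such as Burp Suite) add coverage feedback, crash deduplication and corpus management, but the loop is the same: mutate, execute, record anything the program did not handle.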

31.   An attacker who is attempting to infiltrate an organization has decided to employ a DNS poison cache attack. What method will the attacker use to attempt this attack?

A.   Send forged query replies to a DNS server.

B.   Send forged query replies to end-user workstations.

C.   Send forged PTR replies to end-user workstations.

D.   Send forced PTR replies to DNS servers.

  A. A DNS cache poisoning attack works by sending forged DNS replies to a recursive DNS server in an attempt to plant false records in the server’s cache. To be accepted, a forged reply must arrive before the legitimate one and match the outstanding query’s transaction ID, destination port, and question; this is why resolvers randomize their source ports (RFC 5452) and why DNSSEC, which lets a resolver verify record signatures, defeats the attack. Once the cache is poisoned, every client that asks the server for the target name is handed the attacker’s address and sent to an imposter server until the forged record’s TTL expires.

  B is incorrect because DNS poison cache attacks involve sending forged replies to DNS servers, not to workstations.

  C and D are incorrect because DNS poison cache attacks do not utilize the sending of PTR replies.
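The acceptance check described in this answer, as an added example in Python (not from the book). A recursive resolver records each query it sends out and only accepts a reply that comes back to the right local port from the right upstream address with the same 16-bit transaction ID and the same question. The code builds DNS messages by hand (RFC 1035 wire format, A records only), models the resolver’s pending-query table as a dictionary, and shows that a forged reply with the wrong ID or port is dropped while a reply that guesses both correctly is accepted, which is the whole point of the attack. All addresses, names and IDs are constructed for the example.

```python
"""DNS reply acceptance check: what a cache-poisoning forgery must match.

Added example. Wire format per RFC 1035; A records only; all names, IDs and
addresses below are constructed for illustration.
"""
import struct

QTYPE_A = 1
FLAGS_QUERY = 0x0100      # standard query, recursion desired
FLAGS_RESPONSE = 0x8180   # QR=1, RD=1, RA=1, RCODE=0
DNS_PORT = 53


def encode_name(name: str) -> bytes:
    """'www.example.com' -> length-prefixed labels ending in a zero byte."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(msg: bytes, off: int):
    """Decode a name at msg[off:], following a compression pointer if present."""
    labels = []
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                    # pointer (RFC 1035 4.1.4)
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr)
            labels.append(tail)
            return ".".join(labels), off + 2
        off += 1
        if length == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def build_query(txid: int, qname: str) -> bytes:
    header = struct.pack("!HHHHHH", txid, FLAGS_QUERY, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", QTYPE_A, 1)


def build_response(txid: int, qname: str, ipv4: str, ttl: int = 300) -> bytes:
    """A response with one A record; the answer name points back at the question."""
    header = struct.pack("!HHHHHH", txid, FLAGS_RESPONSE, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", QTYPE_A, 1)
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    answer = b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def parse_message(msg: bytes) -> dict:
    """Header, first question, and any A records in the answer section."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append((name, ".".join(str(b) for b in rdata), ttl))
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "qname": qname, "qtype": qtype, "answers": answers}


def accept_response(pending: dict, reply: bytes, from_ip: str, from_port: int, to_port: int):
    """Resolver-side check. Returns the answers to cache, or None to drop the reply.

    pending maps (local_port, txid) -> (upstream_ip, qname) for queries in
    flight. A forger who knows the upstream server must still guess both the
    16-bit transaction ID and the randomized local port (RFC 5452) and must
    name the same question; DNSSEC validation would add a signature check here.
    """
    parsed = parse_message(reply)
    key = (to_port, parsed["id"])
    if key not in pending or not parsed["is_response"]:
        return None
    upstream_ip, qname = pending[key]
    if from_ip != upstream_ip or from_port != DNS_PORT:
        return None
    if parsed["qname"].lower() != qname.lower() or parsed["qtype"] != QTYPE_A:
        return None
    del pending[key]                 # a matching reply closes the query
    return parsed["answers"]


if __name__ == "__main__":
    pending = {(40000, 0x1234): ("192.0.2.53", "www.example.com")}  # our query in flight
    genuine = build_response(0x1234, "www.example.com", "198.51.100.10")
    forged = build_response(0x4321, "www.example.com", "203.0.113.66")  # wrong txid
    print("forged:", accept_response(dict(pending), forged, "192.0.2.53", 53, 40000))
    print("genuine:", accept_response(dict(pending), genuine, "192.0.2.53", 53, 40000))
```

With a fixed source port the attacker has only 65,536 transaction IDs to guess and can flood forged replies while stalling the genuine server; randomizing the port multiplies the search space by another 65,536, and DNSSEC removes the guessing game entirely because a forged record carries no valid signature.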

32.   What is the Unix command to dynamically view the end of a text logfile?

A.   tail -f

B.   tail -e

C.   less -f

D.   more -f

  A. The tail -f command displays the end of a text file and then keeps the file open, printing new lines as they are appended, with no user intervention required. Its relative tail -F (on GNU systems, tail --follow=name --retry) additionally reopens the file by name, which matters for log files that are rotated.

  B is incorrect because “tail -e” is not a valid option for displaying the end of a logfile dynamically.

  C is incorrect because “less -f” is not a follow option; it forces less to open non-regular files. less does offer a follow mode, but it is invoked as less +F or by pressing F inside less, not with -f.

  D is incorrect because more has no follow mode; “more -f” does not display the end of a logfile dynamically.

33.   In the United States, what are organizations required to do when discovering child pornography on a user’s workstation?

A.   Contact law enforcement after the user has admitted to viewing child porn.

B.   Contact law enforcement when the user’s workstation has been retired.

C.   Contact law enforcement after terminating the user.

D.   Immediately contact law enforcement.

  D. Organizations in the United States are required to contact law enforcement immediately upon discovery of child porn on any computer or workstation.

  A is incorrect because there is no requirement for users to admit anything.

  B is incorrect because law enforcement must be notified immediately.

  C is incorrect because law enforcement must be notified immediately.

34.   An organization suspects one of its employees of a security violation regarding the use of their workstation. The workstation, a laptop computer that is powered down, has been delivered to a forensic expert. What is the first thing the expert should do?

A.   Remove the hard drive.

B.   Photograph the laptop.

C.   Power up the laptop.

D.   Remove the RAM from the laptop.

  B. Prior to removing the hard drive to make a forensically identical (bit-for-bit, hash-verified) copy for analysis, the forensic expert should first photograph the laptop to document its state before any disassembly.

  A is incorrect because the laptop should be photographed prior to removing the hard drive in order to document its pre-investigation state.

  C is incorrect because powering up the laptop would alter its state (file timestamps, logs, swap and hibernation files) and contaminate the evidence; the drive should instead be removed and imaged through a write blocker, with analysis performed on the forensic copy.

  D is incorrect because the laptop should be photographed prior to any disassembly to document its pre-investigation state.

35.   Which of the following statements is true regarding the Payment Card Industry Data Security Standard (PCI-DSS)?

A.   All organizations processing more than US$6,000,000 in credit card transactions annually must undergo an annual audit.

B.   Organizations using chip-and-PIN terminals are exempt from PCI requirements.

C.   Organizations processing fewer than six million merchant transactions annually are usually permitted to provide annual self-assessments.

D.   Organizations are permitted to opt out of low-risk controls via Compensating Control Worksheets.

  C. Merchant organizations with fewer than six million credit card transactions annually are usually permitted to complete annual self-assessment questionnaires.

  A is incorrect because compliance levels are determined by the number of transactions, not the value of transactions.

  B is incorrect because organizations using chip-and-PIN terminals are still subject to PCI-DSS; chip-and-PIN reduces card-present fraud, not PCI scope. A validated point-to-point encryption (P2PE) solution, by contrast, can reduce the scope of an organization’s assessment.

  D is incorrect because organizations are not permitted to opt out of controls.

36.   According to the European General Data Protection Regulation (GDPR), what is the requirement for organizations’ use of a Data Protection Officer (DPO)?

A.   All organizations storing EU citizen data are required to have an employee designated as the DPO.

B.   All organizations storing large volumes of EU citizen data are required to use a DPO.

C.   All organizations storing EU citizen data are required to retain the services of a DPO consultant.

D.   Only organizations based in Europe are required to have a DPO.

  B. Under Article 37 of the GDPR, organizations whose core activities involve regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories of data, must designate a DPO, as must public authorities; the DPO may be an employee or an external service provider.

  A is incorrect because only organizations meeting the Article 37(1) criteria (public authorities, large-scale monitoring, or large-scale processing of special categories of data) are required to have a DPO.

  C is incorrect because organizations are not required to use a consultant; they may appoint an employee as the DPO, or have no DPO at all if none of the Article 37(1) criteria apply.

  D is incorrect because the requirement follows the processing, not the organization’s location: an organization based outside Europe that processes the data of persons in the EU must have a DPO if it meets the Article 37(1) criteria.

37.   What is the biggest risk associated with access badges that show the name of the organization?

A.   Someone who finds the badge may know where it can be used.

B.   An attacker can look up the organization’s public key and create forged badges.

C.   An attacker would know what brand of access badge technology is being used.

D.   Someone who finds a lost badge would be able to return it to the company.

  A. An access badge bearing the name of the organization would give someone finding the badge valuable information about where the badge may be used. If the organization does not use multifactor access controls, anyone finding a badge may be able to enter buildings, parking garages, and even data centers.

  B is incorrect because encryption keys for access badge systems are not publicly available.

  C is incorrect because the organization’s name does not reveal the brand of access card in use. However, often the brand of access card is visible on the front or rear of a card.

  D is incorrect because this is not a risk associated with an organization’s name on the badge, but a benefit.

38.   A user at work logs on to a web site that includes links to various business applications. Once the user logs on to the web site, the user does not need to log on to individual business applications. What mechanism provides this capability?

A.   Public key infrastructure

B.   Reduced sign-on

C.   Single sign-on

D.   Key vaulting

  C. The user has logged on to a single sign-on (SSO) portal, which provides easy access to many business applications without the user having to log on to each one.

  A is incorrect because a PKI is not the primary agent providing this capability. PKI is not required for an SSO portal.

  B is incorrect because reduced sign-on lets users remember fewer login credentials, but those credentials must be used when logging on to each application.

  D is incorrect because key vaulting is a mechanism for storing encryption keys, not for facilitating single sign-on.

39.   What is the primary advantage of cloud-based web content filtering versus on-premises web content filtering:

A.   Cloud-based web content filtering systems are less expensive.

B.   Exceptions can be processed more quickly.

C.   Off-network users are protected just as in-office users are.

D.   Users are unable to circumvent this protection.

  C. The primary advantage of cloud-based web content filtering is that all users are protected, whether they are on the organization’s internal network or off-network, either at home or traveling.

  A is incorrect because cloud-based solutions are not necessarily less expensive.

  B is incorrect because the process of handling exceptions does not vary based on whether the solution is on-premises or cloud-based.

  D is incorrect because neither deployment model guarantees that users cannot circumvent it; resistance to circumvention depends on endpoint controls such as a tamper-protected agent and egress restrictions, not on whether the filter runs on-premises or in the cloud.

40.   An organization is investigating the use of an automated DLP solution that controls whether data files can be sent via e-mail or stored on USB drives based on their tags. What is the advantage of the use of tags for such a solution?

A.   Users are easily able to tag files so that they can be properly handled in e-mail.

B.   Data files are automatically processed based on tags instead of their data content.

C.   Tags are a better solution than the use of digital envelopes.

D.   Tags are human readable and can be altered as needed.

  B. Automated systems can take action based on the tags in a file. However, this is only as good as the mechanism used to apply tags in the first place, which could be highly accurate or inaccurate.

  A is incorrect because users do not necessarily have the ability to tag files (and if they did, one should expect that many errors will be made that will result in mishandling of data).

  C is incorrect because digital envelopes have not been used in DLP solutions.

  D is incorrect because tags are not easily human readable, and they are not intended to be easily changed, except by approved means.

41.   All of the following are appropriate uses of digital signatures except:

A.   Verification of message authenticity

B.   Verification of message integrity

C.   Verification of message confidentiality

D.   Verification of message origin

  C. Verification of message confidentiality is not a use of digital signatures.

  A, B, and D are incorrect because these are legitimate and intended uses of digital signatures.

42.   The entity that accepts requests for new public keys in a PKI is known as the:

A.   Reservation authority (RA)

B.   Validation authority (VA)

C.   Registration authority (RA)

D.   Certificate authority (CA)

  C. A registration authority (RA) is the entity that receives and accepts requests for new public keys or digital certificates in a PKI such as an SSL certificate issuer for securing web site communication.

  A is incorrect because reservation authority is not the term used; further, the PKI model does not have an entity called a reservation authority.

  B is incorrect because a validation authority (VA) provides certificate status information to relying parties (for example, via CRLs or OCSP responses); it does not accept requests for new certificates.

  D is incorrect because a certificate authority (CA) is the entity that signs and issues digital certificates, binding a subject's public key to its identity; it does not normally accept the initial request, which is the RA's role.

43.   What method is used by a transparent proxy filter to prevent a user from visiting a site that has been blacklisted?

A.   Proxy sends an HTTP 400 Bad Request to the user’s browser.

B.   User is directed to a “web site blocked” splash page.

C.   Proxy filter simply drops the packets and the user’s browser times out.

D.   User’s workstation is quarantined to prevent malware from spreading.

  B. A transparent proxy server will usually direct a user to a “splash page,” informing the user that their request to access a forbidden web site has been blocked. Some organizations include information on the splash page that can direct the user to make a request to unblock access to the desired site.

  A is incorrect. A transparent proxy generally does not return error codes to the user’s browser, but instead displays a splash page that informs the user that access has been blocked.

  C is incorrect because this inelegant method will cause the user to believe that there is a technical problem that potentially requires tech support.

  D is incorrect because this situation does not cite a suspected or confirmed malware infection that warrants quarantining the workstation.

44.   In a virtualized environment, which method is the fastest way to ensure rapid recovery of servers at an alternative processing center?

A.   Copy snapshots of virtual machine images to alternative processing center storage system.

B.   Provide build instructions for all servers and make master server images available.

C.   Perform full and incremental backups of all servers on a daily basis.

D.   Perform grandfather-father-son backups of all servers on a daily basis.

  A. Copying snapshots of actual server images ensures that recent server images are available at the alternative processing center for rapid restoration.

  B is incorrect, as using procedures to recover servers may be accurate but will take more time than restoring snapshots of virtual server images.

  C and D are incorrect because restoring server images from multiple generations of backup media may be accurate, but will be far more time consuming than employing snapshots of server images.

45.   In an environment where users are not local administrators of their workstations, which of the following methods ensures that end users are not able to use their mobile devices as mobile Wi-Fi hotspots for circumventing network security controls such as web content filters and IPS?

A.   Require employees to turn off their mobile devices at work.

B.   Jam the signals of unauthorized Wi-Fi networks.

C.   Create a whitelist of permitted Wi-Fi networks.

D.   Create a blacklist of forbidden Wi-Fi networks.

  C. The best workable solution is to create a whitelist of Wi-Fi networks that workstations are permitted to connect to, enforced by workstation configuration that ordinary users cannot change (which is why the scenario specifies that users are not local administrators). These networks would include all corporate Wi-Fi networks, as well as any trusted non-corporate networks.

  A is incorrect because a policy requiring employees to turn off their mobile devices is not likely to be successful.

  B is incorrect because jamming signals of unauthorized Wi-Fi networks is not likely to be successful, and may possibly even be illegal in some jurisdictions. Also, many mobile devices permit Bluetooth and USB connections for tethering Internet connectivity to workstations, which jamming Wi-Fi would not stop.

  D is incorrect because managing blacklists is a never-ending game of whack-a-mole.

46.   What is the most effective method for training users to more accurately detect and delete phishing messages?

A.   Block access to personal webmail and permit corporate e-mail only.

B.   Include phishing information in regular security awareness training.

C.   Conduct phishing tests and publicly inform offenders of their mistakes.

D.   Conduct phishing tests and privately inform offenders of their mistakes.

  D. Well-managed phishing testing campaigns can help employees learn how to spot phishing messages. Providing an "I think this is a phish" reporting capability gives end users the ability to affirm that test messages are phishing tests, and it's also a good method for reporting actual phishing messages.

  A is incorrect because blocking personal web mail does not address the matter of phishing messages that are sent to users’ corporate e-mail addresses.

  B is incorrect. While including phishing information in security awareness training is a good practice, this is not as effective as conducting phishing tests.

  C is incorrect because publicly shaming users who make mistakes is not good for morale.

47.   An attacker has targeted an organization in order to steal specific information. The attacker has found that the organization’s defenses are strong and that very few phishing messages arrive at end-user inboxes. The attacker has decided to try a watering hole attack. What first steps should the hacker use to ensure a successful watering hole attack?

A.   Determine which web sites are frequently visited by the organization’s end users.

B.   Determine which restaurants the organization’s end users visit after working hours.

C.   Determine which protocols are blocked by the organization’s Internet firewalls.

D.   Determine the IP addresses of public-facing web servers that can be attacked.

  A. In order to conduct a successful watering hole attack, the attacker must first determine which web sites are frequently visited by employees in the organization. This will include cloud-based applications used for primary business processes such as accounting, sales, human resources, and file storage.

  B is incorrect because a watering hole attack involves attacks on web sites frequently visited by the target organization’s personnel.

  C and D are incorrect because the attacker has already dismissed frontal attack techniques such as compromising exploitable server vulnerabilities.

48.   Which of the following techniques most accurately describes a penetration test?

A.   Manual exploitation tools and techniques

B.   Security scan, with results tabulated into a formal report that includes an executive summary

C.   Security scan, with results validated to remove any false positives

D.   Security scan, followed by manual exploitation tools and techniques

  D. A penetration test most commonly begins with a security scan that enumerates assets and provides a big-picture attack profile. This is followed by an array of manual attack techniques that attempt to exploit vulnerabilities in the systems and services identified by the security scan.

  A is incorrect because a penetration test usually begins with a security scan to enumerate the environment, which identifies targets to attack.

  B is incorrect because this method lacks the manual tools and techniques that are central to a penetration test. What is described here is simply a security scan and nothing more.

  C is incorrect because a penetration test also includes numerous manual exploitation techniques. What is described here is simply a validated security scan and nothing more.

49.   A security analyst spends most of her time on a system that collects log data and correlates events from various systems to deduce potential attacks in progress. What kind of a system is the security analyst using?

A.   SIEM

B.   IPS

C.   IDS

D.   AV console

  A. The security analyst is using a SIEM, or security information and event management system. A SIEM collects log data from devices throughout the environment and then correlates seemingly disparate events to deduce potential attacks. When such attacks are discerned, the SIEM will produce an alert that directs the security analyst to further investigate the matter and take possible action.

  B is incorrect because an IPS is an inline device that is used to detect and block unwanted network traffic. An IPS does not collect log data from devices in the network.

  C is incorrect because an IDS is a device that is used to monitor network traffic and detect unwanted traffic. An IDS does not collect log data from devices in the network.

  D is incorrect because an AV console is used to monitor antivirus software that is running on servers and endpoints.
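The correlation a SIEM performs, as an added example (not from the original text or any SIEM product): the log lines are constructed, the key=value event format is an assumption standing in for a normalised event schema, and the rule (a burst of failed logins from one source followed by a success and then file access by the account that succeeded) is a typical brute-force-to-compromise detection.

```python
"""Minimal SIEM-style correlation over constructed sample log lines.

Assumption: a simple "key=value" event format is used here for readability;
a real SIEM normalises vendor-specific formats into fields like these.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): a VPN gateway and a file server.
SAMPLE_LOGS = """\
2024-03-01T09:00:01 host=vpn01 event=auth_fail user=alice src=203.0.113.7
2024-03-01T09:00:03 host=vpn01 event=auth_fail user=bob src=203.0.113.7
2024-03-01T09:00:05 host=vpn01 event=auth_fail user=carol src=203.0.113.7
2024-03-01T09:00:07 host=vpn01 event=auth_fail user=dave src=203.0.113.7
2024-03-01T09:00:09 host=vpn01 event=auth_fail user=erin src=203.0.113.7
2024-03-01T09:00:30 host=vpn01 event=auth_ok user=erin src=203.0.113.7
2024-03-01T09:01:10 host=fs01 event=file_read user=erin path=/finance/payroll.xlsx src=203.0.113.7
2024-03-01T09:02:00 host=vpn01 event=auth_fail user=frank src=198.51.100.9
2024-03-01T09:05:00 host=vpn01 event=auth_ok user=frank src=198.51.100.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_events(text):
    """Parse lines into dicts with a datetime 'ts' plus the key=value fields."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real SIEM would count and surface these
        ev = dict(kv.split("=", 1) for kv in m.group("kv").split())
        ev["ts"] = datetime.fromisoformat(m.group("ts"))
        events.append(ev)
    return events


def correlate(events, fail_threshold=5, window=timedelta(seconds=60),
              followup=timedelta(minutes=5)):
    """Rule: at least `fail_threshold` auth_fail events from one source within
    `window`, then an auth_ok from the same source within `followup`.
    Any file_read by the account that succeeded raises the severity.
    Individually each event is unremarkable; together they are an alert."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_src[ev.get("src")].append(ev)
    alerts = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e["event"] == "auth_fail"]
        for i in range(len(fails)):
            burst = [f for f in fails[i:] if f["ts"] - fails[i]["ts"] <= window]
            if len(burst) < fail_threshold:
                continue
            burst_end = burst[-1]["ts"]
            success = next((e for e in evs if e["event"] == "auth_ok"
                            and burst_end <= e["ts"] <= burst_end + followup), None)
            if success is None:
                continue
            user = success["user"]
            accessed = [e["path"] for e in evs if e["event"] == "file_read"
                        and e["user"] == user and e["ts"] >= success["ts"]]
            alerts.append({
                "src": src,
                "severity": "high" if accessed else "medium",
                "users_tried": sorted({f["user"] for f in burst}),
                "compromised_user": user,
                "files": accessed,
            })
            break  # one alert per source burst
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_events(SAMPLE_LOGS)):
        print(alert)
```

The single failed login from 198.51.100.9 followed by a success is the everyday typo case and produces nothing; only the cross-source chain from 203.0.113.7 becomes an alert, which is the point of correlating rather than alerting on each event.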

50.   The general counsel is becoming annoyed with notifications of minor security events occurring in the organization. This is most likely due to:

A.   Careless users clicking on too many phishing e-mails

B.   Ineffective defenses allowing frequent attacks

C.   Improper classification of security incidents

D.   Lack of a security incident severity scheme

  D. The most likely reason the general counsel is being notified of minor incidents is the lack of an incident classification scheme in the organization’s security incident response plan. Without a severity classification scheme, all incidents are treated as equal, regardless of their actual severity. In this case, the result is executives being notified of minor incidents that should be of little or no concern to them.

  A is incorrect because this is too narrow a scenario.

  B is incorrect because the scenario here involves minor incidents, not successful attacks on outer defenses.

  C is incorrect because improper classification presupposes that a severity scheme exists; individual misclassified incidents would be corrected quickly, whereas the pattern described (every minor event escalated to counsel) points to the absence of any scheme.

51.   A forensic investigator is seen to be creating a detailed record of artifacts that are collected, analyzed, controlled, transferred to others, and stored for safekeeping. What kind of a written record is this?

A.   Storage inventory

B.   Investigation report

C.   Evidence collection log

D.   Chain of custody record

  D. The recordkeeping described is a chain of custody record, which provides a detailed account for each artifact collected and analyzed.

  A is incorrect because a storage inventory record would not include information about transfer of custody or analysis of items.

  B is incorrect because an investigative report would describe conclusions of an investigation.

  C is incorrect because an evidence collection log would not include analysis, control, and transfers.

52.   Which controls framework is suggested by the ISO/IEC 27001 standard?

A.   ISO/IEC 27001

B.   ISO/IEC 27002

C.   NIST SP800-53

D.   Any framework that is applicable to the organization

  B. ISO/IEC 27001 suggests the use of the ISO/IEC 27002 standard for controls. Annex A of ISO/IEC 27001 contains a summary list of the controls found in the ISO/IEC 27002 standard.

  A is incorrect because the controls listed in Annex A of ISO/IEC 27001 are from the ISO/IEC 27002 standard.

  C is incorrect because ISO/IEC 27001 does not suggest the use of NIST SP800-53.

  D is incorrect because ISO/IEC 27001 contains a summary of the controls in ISO/IEC 27002.

53.   The default principle in the European General Data Protection Regulation for marketing communications from organizations to citizens is:

A.   Citizens are included and cannot opt out.

B.   Citizens are included until they explicitly opt out.

C.   Citizens are excluded until they explicitly opt in.

D.   Citizens are excluded and cannot opt in.

  C. Under the GDPR, organizations are not permitted to market to individual citizens unless the citizens first opt in.

  A is incorrect because citizens are not included, but excluded, and they are permitted to opt out.

  B is incorrect because citizens are not included, but excluded, and they can opt out.

  D is incorrect because although citizens are excluded, they can opt in.

54.   The primary purpose of a mantrap is:

A.   To catch an individual attempting to enter a room without authorization

B.   To hold an offender in custody until charged or released

C.   To permit entry of one authorized person at a time

D.   To permit entry or exit of one authorized person at a time

  D. A mantrap is a special controlled entrance or exit that permits only one person at a time to enter or exit an area.

  A is incorrect because a mantrap does not intend to entrap persons attempting to enter or exit an area.

  B is incorrect because a mantrap is not a holding cell, but an access control.

  C is incorrect because a mantrap can be used for both entrance and exit.

55.   What is the purpose of locking a user account that has not been used for long periods of time?

A.   Reduction of the risk of compromised credentials

B.   Free up space for others to use the system

C.   Avoidance of audit exceptions

D.   Recycle license keys and cost reduction

  A. If a user has not logged in to an application for long periods of time, then perhaps the user account for that application can be locked. This would reduce the impact of compromised credentials by preventing an unauthorized party from logging in to a system.

  B is incorrect because freeing up space is generally not the primary reason for removing user accounts.

  C is incorrect because avoidance of audit exceptions would be a secondary result. Many organizations have a control that requires dormant (unused) user accounts to be locked or removed, and that control is sometimes audited.

  D is incorrect because the harvesting of unused licenses is not generally a primary reason for locking a user account. If an organization needed to harvest licenses, the user account would probably need to be removed and not just locked.

56.   What is the best approach for implementing a new blocking rule in an IPS?

A.   First implement a firewall rule and then activate the IPS rule.

B.   Use the change control process so that stakeholders are aware of the new rule.

C.   Implement a new rule during a change window.

D.   Put the rule in learn mode and analyze the results.

  D. The best approach is to first create the rule in learn mode, where the rule will detect and log rule activations, but not actually block traffic. Analysis of the log will help analysts understand whether the new rule would inadvertently block legitimate traffic and disrupt system operation. If no such interference is observed, the rule can be safely put into block mode.

  A is incorrect because a traditional packet-filtering firewall lacks the sophistication of an IPS: it blocks packets based on source and destination IP addresses, protocols, and port numbers, not on the content-level signatures an IPS rule inspects, so a firewall rule can neither stand in for the IPS rule nor test it.

  B is incorrect because even the change control process is not always going to detect potential negative consequences of a new IPS blocking rule.

  C is incorrect because this approach provides no opportunity to first learn whether the new blocking rule will disrupt legitimate activities.
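How the learn-mode staging above plays out, as an added example that is not part of the original text or any IPS vendor's engine: the flow records and the internal reporting host 10.0.5.12 are constructed, and SQLI_RULE is a deliberately crude hypothetical signature. The point is the report: the rule would have blocked a legitimate internal tool, so it is tuned (here by exempting that source) and re-checked before promotion to block mode.

```python
"""Staged roll-out of an IPS blocking rule: evaluate it in learn (alert-only)
mode first, report what it would have blocked, tune, then promote to drop.
Assumptions: a simplified HTTP flow record and a hypothetical signature; these
stand in for a real inspection engine and its rule language."""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample flow records (not real traffic).
FLOWS = [
    {"src": "203.0.113.50", "uri": "/login?user=admin'%20OR%201=1--"},
    {"src": "203.0.113.50", "uri": "/search?q=1%20UNION%20SELECT%20password"},
    {"src": "10.0.5.12",    "uri": "/report?sql=SELECT%20*%20FROM%20sales"},   # internal BI tool
    {"src": "198.51.100.9", "uri": "/index.html"},
    {"src": "10.0.5.12",    "uri": "/report?sql=SELECT%20count(*)%20FROM%20orders"},
]

# Hypothetical candidate signature: crude SQL keyword check on the decoded URI.
SQLI_RULE = re.compile(
    r"(%27|')\s*(OR|AND)\s+\d+=\d+|UNION\s+SELECT|SELECT\s+.*\s+FROM", re.I)


def evaluate(flows, rule, mode, exempt=frozenset()):
    """mode='learn' records hits without blocking; mode='block' drops them.
    `exempt` holds sources the tuned rule no longer applies to.
    Returns (passed_flows, hits) so the caller can see the effect of each mode."""
    passed, hits = [], []
    for flow in flows:
        if flow["src"] not in exempt and rule.search(unquote(flow["uri"])):
            hits.append(flow)
            if mode == "block":
                continue  # dropped; never reaches the server
        passed.append(flow)
    return passed, hits


def learn_mode_report(flows, rule, known_good, exempt=frozenset()):
    """Summarise what the rule would block and whether known-legitimate
    sources are among the hits: that is the signal to tune before blocking."""
    _, hits = evaluate(flows, rule, "learn", exempt)
    per_src = Counter(h["src"] for h in hits)
    legit_hit = sorted(s for s in per_src if s in known_good)
    return {
        "would_block": len(hits),
        "hits_by_src": dict(per_src),
        "legit_sources_hit": legit_hit,
        "safe_to_promote": not legit_hit,
    }


if __name__ == "__main__":
    KNOWN_GOOD = frozenset({"10.0.5.12"})  # constructed: the internal reporting server
    first_pass = learn_mode_report(FLOWS, SQLI_RULE, KNOWN_GOOD)
    print("learn mode, untuned:", first_pass)
    tuned = learn_mode_report(FLOWS, SQLI_RULE, KNOWN_GOOD, exempt=KNOWN_GOOD)
    print("learn mode, tuned:  ", tuned)
    if tuned["safe_to_promote"]:
        passed, dropped = evaluate(FLOWS, SQLI_RULE, "block", exempt=KNOWN_GOOD)
        print("block mode: dropped", len(dropped), "passed", len(passed))
```

Exempting a whole source is the bluntest tuning available; in a real engine one would narrow the signature or scope the exception to the specific path, since a blanket exemption also lets genuine attacks from that host through.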

57.   A security leader needs to develop a data classification program. After developing the data classification and handling policy, what is the best next step to perform?

A.   Configure DLP systems to monitor and enforce compliance.

B.   Configure DLP systems to monitor compliance.

C.   Announce the new policy to the organization.

D.   Work with business departments to socialize the policy.

  D. The best next step is to work with various business departments to discuss the new policy and handling guidelines to understand the potential impact of the policy. A badly implemented data classification program can cause business disruption and erode goodwill.

  A is incorrect because enforcing data classification policy as a first step is highly likely to disrupt business processes.

  B is incorrect because monitoring data classification policy is highly likely to produce numerous false-positive alerts.

  C is incorrect because announcing policy to the organization is likely to cause confusion unless the security leader first works with all individual departments to understand the potential impact of the new data classification policy.

58.   An organization wants to implement an IPS that utilizes SSL inspection. What must first be implemented so that the IPS will function?

A.   A span port on the Internet switch must be configured.

B.   A new root certificate must be pushed to all user workstations.

C.   Users must sign a consent for their personal traffic to be monitored.

D.   All end-user private keys must be refreshed.

  B. The IPS decrypts and re-encrypts TLS sessions by presenting browsers with server certificates that it signs itself. Unless the organization creates a root certificate for this inspection CA and pushes it to the trusted root store of all end-user workstations, users' browsers will throw certificate errors for every inspected site. Applications that pin certificates will still fail and must be exempted from inspection.

  A is incorrect because an IPS that performs SSL inspection must sit inline so that it can terminate, decrypt, inspect, and re-encrypt each session; a SPAN (mirror) port delivers only a copy of the traffic, which cannot be decrypted without the servers' private keys and cannot be blocked.

  C is incorrect because users are not usually required to sign a separate consent form. Generally, as a result of employment and through using company-provided information systems, employees are told that company information systems are provided for company business only and are subject to monitoring.

  D is incorrect because an IPS does not rely on any private keys used by end users.

59.   In what manner does a PKI support whole disk encryption on end-user workstations?

A.   PKI stores the bootup passwords used on each end-user workstation.

B.   PKI detects unauthorized use of data on end-user workstations.

C.   PKI stores decryption keys in the event an end-user forgets their bootup password.

D.   PKI records encryption and decryption operations.

  C. While a PKI is not required to implement whole disk encryption on end-user workstations, a PKI can be used to store administrative keys that can be used to unlock a workstation in the event that the user has forgotten their bootup password.

  A is incorrect because a PKI does not store the bootup password used on end-user workstations.

  B is incorrect, as a PKI does not monitor file access on systems.

  D is incorrect because a PKI does not record encryption and decryption operations, but instead can store administrative keys that can be used to unlock a workstation.

60.   A browser contacts a web server and requests a web page. The web server responds with a status code 200. What is the meaning of this status code?

A.   The user has been redirected to another URL on the same domain.

B.   The user has been redirected to another URL on a different domain.

C.   The requested page requires prior authentication.

D.   The request is valid and has been accepted.

  D. A response code 200 means the request is valid and has been responded to.

  A and B are incorrect because a code 200 is a successful transaction and not related to redirection.

  C is incorrect because a code 200 is a successful transaction and not related to authentication.

61.   For what reason would an engineer choose to use a hosted hypervisor versus a bare-metal hypervisor?

A.   There are insufficient resources available for a bare-metal hypervisor.

B.   Features available only in a host operating system are required.

C.   Guest OS monitoring is required.

D.   The hypervisor is supporting a VDI environment.

  B. An engineer would select a hosted hypervisor (that is, a hypervisor that runs on an operating system like Windows, Linux, or macOS) because one or more features or functions found only on the operating system are required.

  A is incorrect because a bare-metal hypervisor actually consumes fewer resources than a full OS.

  C is incorrect because bare-metal hypervisors provide guest OS monitoring.

  D is incorrect as a bare-metal hypervisor is capable of supporting a VDI (virtual desktop infrastructure) environment.

62.   The laboratory environment of a pharmaceutical research organization contains many scientific instruments that contain older versions of Windows and Linux operating systems that cannot be patched. What is the best remedy for this?

A.   Isolate the scientific instruments on a separate, protected network.

B.   Upgrade the OSs on the scientific instruments to current OS versions.

C.   Disconnect the OSs from the network.

D.   Audit user accounts on the OSs periodically.

  A. The presence of older and/or unpatchable OSs on scientific equipment is a common problem that is not easily solved. Most often, the best approach is to isolate those systems through network segmentation and security controls to ensure that all attempts to attack those systems will be automatically detected and blocked.

  B is incorrect because often the OSs on such equipment cannot be upgraded for various reasons (e.g., laboratory software will not run on newer OS versions, or there are insufficient resources such as memory to run newer OSs).

  C is incorrect because disconnecting those older OSs may impair their operation.

  D is incorrect because auditing user accounts does little to protect these older OSs from attack.

63.   Which of the following is the best policy for a security awareness training course?

A.   Users are not required to take competency quizzes.

B.   Users are required to repeat modules when they fail competency quizzes.

C.   Users are required to take competency quizzes only one time, regardless of score.

D.   Users can skip training if they pass competency quizzes.

  B. When a user fails to achieve the minimum passing grade on a competency quiz, the user should be required to repeat the learning module and then take the quiz again.

  A is incorrect because users should be required to take competency quizzes to see how well they retained the learning content.

  C is incorrect because users should be required to repeat the learning module if they fail the competency quiz.

  D is incorrect because a quiz measures retention of the training content; passing it is not a substitute for completing the training, and some learning content has no accompanying quiz.

64.   Guessing that an intended victim has a particular online banking session open, an attacker attempts to trick the victim into clicking on a link that will attempt to execute a transaction on the online banking site. This type of an attack is known as:

A.   Cross-site scripting

B.   Cross-site request forgery

C.   Man in the middle

D.   Man in the browser

  B. A cross-site request forgery (CSRF) attack is one in which an attacker causes the victim's browser to submit a request to a web site on which the victim is already authenticated (for example, a banking transaction that transfers money to the attacker). The browser attaches the victim's session cookie automatically, so the site cannot distinguish the forged request from a genuine one unless it requires something the attacker cannot supply, such as an anti-CSRF token.

  A is incorrect because a cross-site scripting attack is one in which an attacker attempts to inject code into a web site, where the code is then executed later by others who visit the site (for example, placing code on a discussion forum).

  C is incorrect because a man-in-the-middle (MITM) attack is one in which an attacker attempts to subvert communications between two parties by intercepting and injecting forged content into the communications.

  D is incorrect because a man-in-the-browser (MITB) attack is one in which malware (typically a malicious browser extension or trojan the user was tricked into installing) alters the browser's operation, for example by modifying a transaction after the user has entered it.
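The banking transaction above in code, as an added example (not from the original text): a simulated server-side handler that trusts the session cookie alone, next to a hardened version that also checks the Origin header and an anti-CSRF token. Hostnames, users, balances and the request dictionaries are constructed; no web framework is used, so it runs stand-alone.

```python
"""CSRF: a transfer endpoint that trusts the session cookie alone, beside a
hardened version that also requires a per-session anti-CSRF token and checks
the Origin header. Stand-alone simulation of the server side; the site origin,
users and balances are constructed for the demonstration."""
import hmac
import secrets

SITE_ORIGIN = "https://bank.example"   # assumption: the bank's own origin
SESSIONS = {}                           # session id -> {"user": ..., "csrf": ...}
BALANCES = {"alice": 1000, "mallory": 0}


def reset_state():
    """Reset the in-memory 'database' in place so repeated runs start clean."""
    SESSIONS.clear()
    BALANCES.clear()
    BALANCES.update({"alice": 1000, "mallory": 0})


def login(user):
    """Create a session; the hardened handler also relies on its CSRF token,
    which the bank's own pages embed in their forms."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(16)}
    return sid


def _do_transfer(user, form):
    amount = int(form["amount"])
    to = form["to"]
    if BALANCES.get(user, 0) < amount:
        return 400, "insufficient funds"
    BALANCES[user] -= amount
    BALANCES[to] = BALANCES.get(to, 0) + amount
    return 200, f"moved {amount} from {user} to {to}"


def transfer_vulnerable(request):
    """Vulnerable: the cookie is the only check. The browser attaches it to any
    request, including one a malicious page triggers with a hidden form."""
    session = SESSIONS.get(request["cookies"].get("sid"))
    if session is None:
        return 401, "not logged in"
    return _do_transfer(session["user"], request["form"])


def transfer_hardened(request):
    """Hardened: same-origin check plus a token only the bank's pages can embed.
    Token comparison is constant-time to avoid leaking it byte by byte."""
    session = SESSIONS.get(request["cookies"].get("sid"))
    if session is None:
        return 401, "not logged in"
    headers = request["headers"]
    origin = headers.get("Origin") or headers.get("Referer", "")
    if not origin.startswith(SITE_ORIGIN):
        return 403, "cross-origin request rejected"
    token = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(token, session["csrf"]):
        return 403, "missing or invalid CSRF token"
    return _do_transfer(session["user"], request["form"])


def forged_request(sid):
    """What the victim's browser sends when a page on attacker.example
    auto-submits a form to the bank: the cookie rides along, the attacker
    cannot read the CSRF token, and the browser (not the attacker) sets Origin."""
    return {
        "cookies": {"sid": sid},
        "headers": {"Origin": "https://attacker.example"},
        "form": {"to": "mallory", "amount": "500"},
    }


def legitimate_request(sid):
    """A request from the bank's own page, which carries the session's token."""
    return {
        "cookies": {"sid": sid},
        "headers": {"Origin": SITE_ORIGIN},
        "form": {"to": "bob", "amount": "100", "csrf_token": SESSIONS[sid]["csrf"]},
    }


if __name__ == "__main__":
    reset_state()
    sid = login("alice")
    print("vulnerable, forged:", transfer_vulnerable(forged_request(sid)), BALANCES)
    reset_state()
    sid = login("alice")
    print("hardened, forged:  ", transfer_hardened(forged_request(sid)), BALANCES)
    print("hardened, genuine: ", transfer_hardened(legitimate_request(sid)), BALANCES)
```

Marking the session cookie SameSite=Lax or Strict adds a browser-side layer on top of the token, but older clients ignore it, so the server-side token check remains the primary control.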

65.   Which of the following tools is considered a search engine that can be used to list vulnerabilities in devices?

A.   OpenVAS

B.   Burp Suite

C.   Shodan

D.   John the Ripper

  C. Shodan is a search engine that scans the Internet using common protocols and catalogs the responses returned from devices. This is a useful tool for seeing what devices are visible from the Internet.

  A is incorrect because OpenVAS is a network vulnerability testing tool.

  B is incorrect because Burp Suite is a web application security testing tool (an intercepting proxy with scanning and manual testing features).

  D is incorrect because John the Ripper is a password cracking tool.

66.   All of the following tools are used to detect changes in static files except:

A.   Blacklight

B.   OSSEC

C.   Tripwire

D.   Firesheep

  D. Firesheep is not a file integrity monitoring (FIM) tool, but instead is a tool used to steal cookies from other user sessions in unprotected Wi-Fi networks.

  A, B, and C are incorrect because these are all examples of file integrity monitoring (FIM) tools.

67.   Which of the following correctly describes the correct sequence for computer security incident response?

A.   Protect, detect, respond, recover

B.   Identify, protect, detect, respond, recover

C.   Evaluate, detect, eradicate, contain, recover, closure

D.   Detect, initiate, evaluate, contain, eradicate, recover, remediate

  D. The correct sequence for organizing computer security incident response is detect, initiate, evaluate, contain, eradicate, recover, and remediate. This is often followed by a post-incident review.

  A is incorrect because protect, detect, respond, recover are not the correct steps in computer security incident response.

  B is incorrect, as identify, protect, detect, respond, and recover are the pillars of the NIST CSF framework.

  C is incorrect because these are not the correct steps. Namely, evaluate and detect are out of sequence: an incident is first detected and then it is evaluated.

68.   Which of the following devices is needed for the creation of a forensically identical hard disk drive?

A.   Diode

B.   Bit locker

C.   Read blocker

D.   Write blocker

  D. A write blocker is a device (or software layer) placed between the examiner's workstation and the evidence drive. It passes read commands through but blocks all write commands, so the drive's contents cannot be altered while an image is taken; the image's hash is then compared with the source's to prove they are identical.

  A is incorrect because a diode is an electronic component.

  B is incorrect because bit locker (properly, BitLocker) is the name of a hard drive encryption program from Microsoft.

  C is incorrect because there is no such device as a read blocker.

69.   Which of the following statements about NIST CSF is true?

A.   NIST CSF is a security controls framework.

B.   NIST CSF is a policy framework for cybersecurity.

C.   NIST CSF is a computer security incident response framework.

D.   NIST CSF is a software development framework.

  B. NIST CSF is a policy framework for cybersecurity that provides guidance for organizations that want to improve their cybersecurity capabilities.

  A is incorrect because NIST CSF is not a controls framework.

  C is incorrect because NIST CSF is not an incident response framework.

  D is incorrect because NIST CSF is not a software development framework.

70.   The “right to be forgotten” was first implemented by:

A.   GDPR

B.   Google

C.   NYDFS

D.   Facebook

  A. The “right to be forgotten” is codified in Article 17 of the European General Data Protection Regulation (GDPR) as the right to erasure. A data subject can ask an organization that holds records about them to have those records erased or anonymized.

  B, C, and D are incorrect because Google, NYDFS, and Facebook did not first implement the “right to be forgotten.”

71.   The term “tailgating” most often refers to:

A.   Personnel who prop or shim doors so that others can enter a protected facility without authentication

B.   Personnel who permit others to follow them into a protected facility without authentication

C.   Personnel who follow others into a protected facility without authentication

D.   Personnel who loan their keycards to others to enter a protected facility

  C. Tailgating refers to people who follow others into a protected facility without themselves authenticating with their keycard or other device.

  A is incorrect because tailgating does not refer to propping doors open (which is also a potentially serious security violation).

  B is incorrect because tailgating is the act of following others into a protected facility; knowingly permitting someone to follow is a separate violation on the part of the authorized person.

  D is incorrect because tailgating is not the act of loaning a keycard to another person (which is potentially a serious security violation).

72.   A security manager in a large organization has found that the IT department has no central management of privileged user accounts. What kind of a tool should the security manager introduce to remedy this practice?

A.   FAM tools

B.   FIM tools

C.   PAM tools

D.   SIEM tools

  C. Privileged Access Management (PAM) tools are used to centrally control the use of privileged accounts, both for administrative personnel and for service accounts.

  A is incorrect because file activity monitoring (FAM) tools are not a proper remedy.

  B is incorrect because file integrity monitoring (FIM) tools are not a proper remedy.

  D is incorrect, as security information and event management (SIEM) tools are not a proper remedy.

73.   A security analyst has determined that some of the OS configuration file alterations have taken place without proper authorization. Which tool did the security analyst use to determine this?

A.   FAM

B.   FIM

C.   PAM

D.   SIEM

  B. The security analyst’s use of file integrity monitoring (FIM) tools revealed that files were being changed without authorization. FIM tools do not reveal the subject(s) who altered the files; other means are needed, such as examining login logs.

  A is incorrect because file activity monitoring (FAM) tools record accesses to files, but not alterations to files.

  C is incorrect because Privileged Access Management (PAM) tools control and may record privileged sessions, but they do not monitor file integrity, so they would not by themselves reveal that configuration files had changed.

  D is incorrect, as a security information and event management (SIEM) tool cannot by itself detect file changes, but only in conjunction with file integrity monitoring (FIM) tools.
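What the FIM tools in questions 66 and 73 do, as an added example that is not any product's code: hash a directory tree into a baseline, then diff a later scan into added, removed and modified files. The demo() function builds a throwaway fake /etc in a temporary directory, so the files and the tampering are constructed.

```python
"""File integrity monitoring in miniature: baseline a directory's file hashes
and modes, then detect added, removed and modified files on a later scan.
Demonstration code; it creates its own temporary tree so it runs offline."""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path, algo="sha256"):
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file (path relative to root) to digest, size and mode.
    Mode is recorded because a permission change (a new setuid bit, a
    world-writable sudoers) matters as much as a content change."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            baseline[str(p.relative_to(root))] = {
                "sha256": hash_file(p),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),
            }
    return baseline


def compare(baseline, current):
    """Diff two baselines. Any difference in digest, size or mode is 'modified'."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo():
    """Create a fake /etc, take a baseline, tamper with it, and re-compare."""
    with tempfile.TemporaryDirectory() as tmp:
        etc = Path(tmp) / "etc"
        (etc / "ssh").mkdir(parents=True)
        (etc / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (etc / "ssh" / "sshd_config").write_text("PermitRootLogin no\n")
        (etc / "hosts").write_text("127.0.0.1 localhost\n")

        baseline = build_baseline(etc)
        # In practice the baseline is stored off-host (or signed) so an intruder
        # who alters a file cannot also alter the record of its original hash.
        stored = json.dumps(baseline)

        # Unauthorised changes: config weakened, backdoor account appended,
        # a file removed, and a preload hook dropped in.
        (etc / "ssh" / "sshd_config").write_text("PermitRootLogin yes\n")
        with (etc / "passwd").open("a") as f:
            f.write("backdoor:x:0:0::/:/bin/sh\n")
        (etc / "hosts").unlink()
        (etc / "ld.so.preload").write_text("/tmp/evil.so\n")

        return compare(json.loads(stored), build_baseline(etc))


if __name__ == "__main__":
    print(demo())
```

The report says what changed, not who changed it; that is the gap noted in the answer to question 73, and it is closed by pairing the FIM alert with authentication and audit logs (for example auditd or PAM session records) from the same time window.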

74.   An employee notes that a company document is marked “Confidential.” Is it acceptable for the employee to e-mail the document to a party outside the company?

A.   Yes, but the document must be encrypted first.

B.   Yes, the document can be e-mailed to an outside party in plaintext.

C.   This cannot be determined without first consulting the data classification and handling policy.

D.   No, the document cannot be e-mailed to any inside or outside party.

  C. A simple marking on a document such as “Confidential” does not by itself reveal what handling is permitted. An employee would need to consult a data classification and handling policy to see what actions are permitted.

  A, B, and D are incorrect because the “Confidential” document marking does not itself reveal what handling is appropriate. An employee would need to read the data classification and handling policy to know what actions are permitted.

75.   An auditor has completed an audit of an organization’s use of a tool that generates SSL certificates for its external web sites. The auditor has determined that key management procedures are insufficient and that split custody of the key generation procedure is required. How might this be implemented?

A.   Of two engineers, one creates the certificate and the other verifies its creation.

B.   Of two engineers, each performs half of the procedure used to create a new certificate.

C.   Of two engineers, each has one half of the password required to create a new certificate.

D.   Of two engineers, one approves the creation of the certificate and the other creates the certificate.

  C. Split custody (also called split knowledge) refers to the concept of splitting knowledge of a key task, such as two halves of a safe combination or two halves of a password, between two people. This requires that both parties cooperate to complete a sensitive task, so neither can generate a certificate alone.

  A is incorrect because this activity is not a description of split custody, but instead the separation of duties.

  B is incorrect because this method is not a description of split custody, but instead the separation of duties.

  D is incorrect because this method is not a description of split custody, but instead the separation of duties.
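Split knowledge in code, as an added example that is not part of the original text: two custodians each receive a share of the certificate tool's passphrase and only the two together reconstruct it. It goes beyond the literal "two halves of the password" in the answer: XOR shares (one random mask, one masked secret) give either custodian alone no information about the passphrase, whereas halving the password hands each custodian half of it outright. Function names are hypothetical.

```python
"""Two-party split knowledge for a passphrase or key using XOR shares.
Added example; the custodian workflow and function names are assumptions."""
import secrets


def split_secret(secret: bytes):
    """Return two shares of equal length: a uniformly random mask and the
    secret XORed with it. Each share on its own is indistinguishable from
    random bytes, so a single custodian learns nothing."""
    share_a = secrets.token_bytes(len(secret))
    share_b = bytes(s ^ a for s, a in zip(secret, share_a))
    return share_a, share_b


def combine_shares(share_a: bytes, share_b: bytes) -> bytes:
    """Reconstruct the secret; both custodians must be present."""
    if len(share_a) != len(share_b):
        raise ValueError("shares must be the same length")
    return bytes(a ^ b for a, b in zip(share_a, share_b))


def envelope(share: bytes) -> str:
    """Hex form suitable for printing onto the sealed card each custodian keeps."""
    return share.hex()


def from_envelope(text: str) -> bytes:
    return bytes.fromhex(text.strip())


def halves_leak(secret: bytes):
    """Contrast: literally halving the secret gives each custodian half of it,
    which shrinks the search space for a dishonest holder to the other half."""
    mid = len(secret) // 2
    return secret[:mid], secret[mid:]


if __name__ == "__main__":
    passphrase = b"correct horse battery staple"   # constructed example secret
    a, b = split_secret(passphrase)
    print("custodian A card:", envelope(a))
    print("custodian B card:", envelope(b))
    print("reconstructed:   ", combine_shares(from_envelope(envelope(a)),
                                              from_envelope(envelope(b))))
    print("naive halves:    ", halves_leak(passphrase))
```

The same idea extends to more custodians with Shamir secret sharing (any k of n shares suffice); the two-share XOR form above is the minimal case and is what the question's "two halves" should mean in practice.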

76.   An organization that issues digital certificates recently discovered that a digital certificate was issued to an unauthorized party. What is the appropriate response?

A.   Create a CRLF entry.

B.   Create a CRL entry.

C.   Notify all certificate holders.

D.   Call a press conference.

  B. Creating an entry in the certificate revocation list (CRL) is the appropriate response. Thereafter, any relying party that validates the certificate against the CRL (or against an OCSP responder fed from it) will see that it has been revoked and treat it as invalid.

  A is incorrect because CRLF is shorthand for “carriage return, line feed,” a character sequence found in text files.

  C is incorrect because notifying other certificate holders does not remedy the situation.

  D is incorrect because calling a press conference does not effectively remedy the situation.

77.   Why is it important for a web session cookie to be encrypted?

A.   Parties that can observe the communication will not be able to hijack the session.

B.   Parties that observe the communication will not be able to view the user’s password.

C.   Third parties will not be able to push unsolicited advertising to the user.

D.   The web site operator will not be able to record the user’s session.

  A. When a user’s session cookie is encrypted, another party that can observe the communication will not be able to hijack the user’s session. Firesheep is a proof-of-concept tool that was developed to demonstrate this technique.

  B is incorrect because encrypting a session cookie does not imply that the remainder of the communications is also encrypted.

  C is incorrect because encrypting a session cookie does not prevent advertising.

  D is incorrect because encrypting a session cookie does not prevent the web site operator from recording the user’s session.

78.   Why would a hypervisor conceal its existence from a guest OS?

A.   To prevent the guest OS from breaking out of the container.

B.   To improve the performance of the guest OS.

C.   To avoid letting an intruder know that the OS is part of a virtualized environment.

D.   To let an intruder know that the OS is part of a virtualized environment.

  C. Concealing the existence of the virtualized environment may lead an intruder to believe that the OS is running on bare metal. This is a security-by-obscurity tactic that does not prevent an intruder from attempting to break into the hypervisor.

  A is incorrect because this does not prevent an intruder from breaking out of the guest environment.

  B is incorrect because this has no effect on guest OS performance.

  D is incorrect because concealing this does not reveal it to an intruder.

79.   How can an organization prevent employees from connecting to the corporate Exchange e-mail environment with personally owned mobile devices?

A.   Implement multifactor authentication.

B.   Permit only Outlook clients to connect to the Exchange server.

C.   Encrypt OWA traffic.

D.   Put the OWA server behind the firewall and VPN switch.

  D. By putting the OWA server behind the firewall and the VPN switch, the organization prevents personally owned mobile devices from reaching the OWA server—provided the VPN switch is configured to permit only company-managed devices to connect.

  A is incorrect because implementing MFA does nothing to prevent personally owned mobile devices from connecting to the Exchange server.

  B is incorrect because there is no reliable way of preventing non-Outlook clients from connecting to the Exchange server.

  C is incorrect because encrypting OWA traffic does nothing to prevent personally owned mobile devices from connecting to the Exchange server.

80.   What is the purpose of the Firesheep tool?

A.   It demonstrates the dangers of non-encrypted web sessions.

B.   It is used as an alternative browser to Firefox to illustrate security concepts.

C.   It is used to analyze firewall rules.

D.   It is used to back up firewall rules.

  A. Firesheep is a proof-of-concept tool used to demonstrate how easy it is to hijack unencrypted user sessions on a Wi-Fi network.

  B is incorrect because Firesheep is not a browser.

  C and D are incorrect because Firesheep is not a tool used to manage firewalls.
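As an added example (not from the book), here is a small Python check that audits a response's Set-Cookie headers for session cookies that an observer of unencrypted traffic could replay, the exposure described in questions 77 and 80; the session-cookie name hints and the sample headers are assumptions constructed for this demonstration.

```python
"""Audit Set-Cookie headers for session cookies exposed to on-path observers."""

# Assumption: substrings that commonly identify session cookies. Extend this
# for the applications you actually audit; it is a heuristic, not a standard.
SESSION_NAME_HINTS = ("sess", "sid", "token", "auth")

# Attributes a session cookie should carry, with the exposure each one closes.
REQUIRED_ATTRS = {
    "secure": "missing Secure",       # cookie would also be sent over plain HTTP
    "httponly": "missing HttpOnly",   # cookie readable by injected script
    "samesite": "missing SameSite",   # cookie sent on cross-site requests
}


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header value into its name, value and attributes.

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly)
    are stored with an empty value so presence can be tested with `in`.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def is_session_cookie(name: str) -> bool:
    """Heuristic: treat cookies whose name hints at a session/auth token as sensitive."""
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def audit_cookies(set_cookie_headers: list) -> dict:
    """Return {cookie_name: [findings]} for session cookies lacking protective attributes."""
    findings = {}
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if not is_session_cookie(cookie["name"]):
            continue
        problems = [msg for attr, msg in REQUIRED_ATTRS.items() if attr not in cookie["attrs"]]
        if problems:
            findings[cookie["name"]] = problems
    return findings


# Constructed sample headers (not captured from any real site).
SAMPLE_HEADERS = [
    "JSESSIONID=7a1f3c9e; Path=/",                              # the Firesheep-era pattern
    "sessid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",    # properly protected
    "theme=dark; Path=/",                                       # not a session cookie
]

if __name__ == "__main__":
    for name, problems in audit_cookies(SAMPLE_HEADERS).items():
        print(f"{name}: {', '.join(problems)}")
```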

81.   An organization is implementing a new SIEM. How must engineers get log data from systems and devices to the SIEM?

A.   Install agents on all systems and devices.

B.   Send them via Windows events.

C.   Send them via syslog.

D.   Send them via syslog and Windows events.

  D. Any SIEM can accept log entries sent via syslog and Windows events.

  A is incorrect because agents, while they may provide additional functionality, are not required to get basic log data from systems and devices.

  B is incorrect because syslog can also be used to send log data to a SIEM.

  C is incorrect because Windows events can also be used to send log data to a SIEM.

82.   What is the appropriate consequence of SOC operators declaring incidents that turn out to be false positives?

A.   Additional training to improve their incident-handling skills.

B.   Termination of employment.

C.   Removal of incident declaration privileges.

D.   No consequence, as false positives are a part of business as usual.

  A. If SOC operators chronically declare incidents where none exist, this suggests that they need additional training to better recognize and distinguish real incidents from false positives. A false positive now and then should not be a big deal.

  B is incorrect because termination of employment is an unreasonably harsh consequence.

  C is incorrect because removal of incident declaration privileges is too harsh.

  D is incorrect because the number of false positives is high.