
Domain 1 Exam.
A minimum of 70% is required to pass.
#1. What kind of person does the word sabotage, by its root, refer to?
Sabotage refers to an attack by an insider.
#2. What is it called when a company takes reasonable action to prevent a security breach?
〇:Due Care
Due care means that the company does everything it could reasonably have been expected to do to prevent a security breach under the circumstances, and that it takes appropriate control and action in the event of a breach. In short, it means that the company is acting responsibly by practicing common sense and prudent management. If a company has a facility that burns to the ground, the arsonist is only a small part of this tragedy. The company is responsible for providing fire-resistant building materials, alarms, exits, fire extinguishers, and backup fire detection and suppression systems for all critical areas that could be affected by a fire. If a fire were to burn down the company’s building and all records (customer data, inventory records, and the information needed to rebuild the business) were to disappear, it would mean the company had not taken precautions to protect itself against that loss; for example, it could have backed up its records to an off-site location. In this case, employees, shareholders, customers, and anyone else affected could potentially sue the company. However, if the company has done all that is expected of it on the points mentioned so far, a lawsuit is unlikely to succeed, because due care has been practiced.
×:Downstream Liability
Incorrect because downstream liability refers to one firm’s activities (or lack thereof) having a negative impact on other firms. If a company fails to provide the required level of protection and its negligence affects the partners it works with, the affected company can sue the upstream company. For example, suppose Company A and Company B have built an extranet. Company A has not implemented controls to detect and address viruses. Company A is infected with a harmful virus, which infects Company B through the extranet. The virus destroys critical data and causes a major disruption to Company B’s production. Company B can therefore sue Company A for negligence. This is an example of downstream liability.
×:Liability
Incorrect, as liability generally refers to the obligations and the expected behavior or actions of a particular party. Obligations can have a defined set of specific actions required, or they can take a more general and open approach that allows the parties to determine how to fulfill them.
×:Due diligence
Incorrect, although it is the closest alternative to the correct answer. Liability is not considered a legal term in the same way as the other answers. Due diligence means that the firm has properly investigated all of its possible weaknesses and vulnerabilities. Before you can understand how to properly protect yourself, you need to know what you are protecting yourself against. To understand the real level of risk, the real level of vulnerability must be investigated and assessed. Only after these steps and assessments have been made can effective controls and protective measures be identified and implemented. Due diligence means identifying all potential risks; due care is the appropriate response that actually mitigates the risk.
#3. What vulnerability makes it possible for an attacker to logically guess a URL that he or she does not know?
Users can logically guess the URL or path of resources they should not be able to access. If a report on an organization’s network is reachable at a name ending in “financials_2017.pdf”, it is possible to guess other file names that should not be accessible, such as “financials_2018.pdf” or “financials.pdf”.
#4. A perpetrator with little or no computer experience has gained unauthorized access. Which of the following methods is the perpetrator most likely using?
〇:Shoulder Surfing Attacks
Shoulder surfing is a type of browsing attack in which an attacker looks over another person’s shoulder to see what is displayed on that person’s monitor or typed on the keyboard. Of the attacks listed, this is the easiest to perform, because it requires no knowledge of the computer system. Therefore, the correct answer is a shoulder surfing attack.
×:Dictionary attack
A dictionary attack is an unauthorized login attempt that targets users who use dictionary words as passwords.
×:Side-channel attack
A side-channel attack is an attack that recovers system data by observing physical information, such as power consumption or electromagnetic emissions.
×:Timing Attacks
A timing attack is an attack in which various inputs are given to a device that performs cryptographic processing, and the cipher key or other secret information is deduced from differences in processing time. Because the time a computation takes varies with the data it processes, the measured time gives the attacker a rough indication of how the processing is proceeding.
#5. In SOC-2, what is the typical audit period for the non-accounting security and other controls of a contracted service organization?
Service Organization Control (SOC) is a set of rules established by the American Institute of Certified Public Accountants (AICPA) to provide assurance over the internal controls of a party contracted to perform services. Work is sometimes contracted out to other firms. In order to guarantee the quality of its own work, the company that is contracted to perform the work must also have appropriate controls in place. For this reason, the internal controls of the company to which the work is outsourced are checked.
- SOC-1 (Internal Control over Financial Reporting (ICFR)): Audits the accounting of the service organization.
- SOC-2 (Trust Services Criteria): Checks the security and other non-accounting controls of the service organization. Usually takes six months to complete.
- SOC-3 (Trust Services Criteria for General Use Report): Confirms the security and other non-accounting controls for unspecified persons (users).
#6. Marks is a security auditor who wants to submit a system log as court evidence of unauthorized access. What requirement must the system log meet?
〇:System logs that operate and are acquired on a daily basis
To determine whether access was unauthorized, it must be possible to show how the logged activity differs from normal usage. Logs that are not routinely collected are also less reliable as legal evidence.
×:System logs from sophisticated products that comply with international standards
Market sophistication is not a requirement for legal evidence. Conversely, there is no reason that logs from software developed in-house cannot be used as legal evidence.
×:System logs printed and stored as physical media
Whether or not logs are printed is not a legal requirement. Since the records were produced by software before being printed, they are not purely physical evidence.
×:System logs close to the infrastructure recorded at the OS layer
Logs close to the OS layer offer greater system-level traceability, but they are less directly related to user operations and are therefore not well suited as evidence of unauthorized access.
#7. What historical events led to the enactment of the USA PATRIOT Act?
The 2001 terrorist attacks triggered the development of various anti-terrorism laws. Therefore, the correct answer is “the September 11, 2001 attacks”.
#8. Which of the following is the correct formula for calculating the annualized loss expectancy (ALE)?
The annualized loss expectancy is the value of losses that could occur in the future, expressed on an annual basis according to the frequency of occurrence. Therefore, it is the Single Loss Expectancy (SLE) multiplied by the Annualized Rate of Occurrence (ARO).
#9. Management support is critical to the success of a business continuity plan. Which of the following is most important to provide to management in order to obtain support?
〇:Business Case
The most important factor in establishing and maintaining a current continuity plan is management support. Management may need to be convinced of the need for such a plan, so a business case is needed to obtain this support. The business case should include current vulnerabilities, legal obligations, the current status of the recovery plan, and recommendations. Management is generally most interested in cost-benefit issues, so preliminary figures can be gathered and potential losses estimated. Decisions about how a company should recover are business decisions and should always be treated as such.
×:Business Impact Analysis
Incorrect because the Business Impact Analysis (BIA) is conducted after the BCP team has gained management’s support for its efforts. A BIA is conducted to identify the areas of greatest financial or operational loss in the event of a disaster or disruption. It identifies the company’s critical systems required for survival and estimates the amount of downtime the company can tolerate as a result of a disaster or disruption.
×:Risk Analysis
Incorrect, as this is a method of identifying risks and assessing the potential damage that could be caused to justify security protection measures. In the context of BCP, risk analysis methods should be used in a BIA to identify which processes, devices, or operations are critical and should be recovered first.
×:Threat reports
Incorrect because this is not what the question is asking for. However, it is important for management to understand what the actual threats to the enterprise are, the consequences of those threats, and the potential loss value for each threat. Without this understanding, management pays only lip service to continuity planning, which in some cases can be worse than not planning at all because of the false sense of security it creates.
#10. Which of the following is the first international treaty to address computer crime by adjusting national laws and improving investigative techniques and international cooperation?
〇:Council of Europe Convention on Cybercrime
The Council of Europe (CoE) Convention on Cybercrime is an example of an attempt to create a standard international response to cybercrime. It is the first international treaty to address computer crime by coordinating national laws and improving investigative techniques and international cooperation. The treaty’s objectives include creating a framework to bind the jurisdiction of the accused and the perpetrators of the crimes. For example, extradition is possible only if the case is a crime in both countries.
×:World Congress Council on Cybercrime
The World Congress Council on Cybercrime is a misleading name and is therefore wrong. The official name of the Convention is the Council of Europe Convention on Cybercrime. It establishes comprehensive legislation against cybercrime and serves as a framework for international cooperation among the signatories to the Convention, to guide all countries.
×:Organization for Economic Cooperation and Development (OECD)
Incorrect because the Organization for Economic Cooperation and Development (OECD) is an international organization that brings together different governments to help address the economic, social, and governance challenges of a globalized economy. To this end, the OECD has developed guidelines for countries to ensure that data is properly protected and that everyone adheres to the same kinds of rules.
×:Organization for Cooperation and Development in Cybercrime
The Organization for Cooperation and Development in Cybercrime is the wrong answer. There is no formal entity of this name.
#11. Which is the first step in a business impact analysis?
〇:Creating Data Collection Techniques
Of the steps listed, the first step in a Business Impact Analysis (BIA) is to create data collection techniques. The BCP committee uses questionnaires, surveys, and interviews to collect information from key personnel on how different tasks are accomplished within the organization, along with any relevant dependencies between processes, transactions, or services. Process flow diagrams should be created from this data and used throughout the BIA and the planning and development phases.
×:Risk calculations for each different business function
This is incorrect because the risk for each business function is calculated after the business functions have been identified, and before that happens the BCP team needs to collect data from key personnel. To calculate the risk for each business function, qualitative and quantitative impact information must be collected, properly analyzed, and interpreted. Once the data analysis is complete, it should be reviewed with the most knowledgeable people in the company to ensure that the results are relevant and that they reflect the actual risks and impacts facing the organization. This will flush out any data points that were not captured initially and allow for a full understanding of all possible business impacts.
×:Identifying Critical Business Functions
Incorrect because the identification of critical business functions is done after the BCP committee has learned which business functions exist by interviewing and surveying key individuals. Once the data collection phase is complete, the BCP committee conducts an analysis to determine which processes, devices, or business activities are critical. If a system stands on its own, does not affect other systems, and is less critical, it can be classified as a Tier 2 or Tier 3 recovery step. In other words, these resources are not dealt with in the recovery phase until the most critical (Tier 1) resources are up and running.
×:Vulnerability and Threat Identification to Business Functions
This is incorrect because identifying vulnerabilities and threats to business functions is done toward the end of the business impact analysis, not first. It is the last of the steps listed in the answers. Threats can be man-made, natural, or technical. It is important to identify all possible threats and estimate their likelihood of occurring. When developing these plans, some issues may not be immediately apparent; these are best addressed by groups conducting scenario-based exercises. This ensures that when a threat becomes reality, the plan accounts for its impact on all business tasks, departments, and critical operations. The more issues that are planned for, the better prepared you will be should these events occur.
#12. Which of the following is not an ethical item in the IAB (Internet Activities Board) Ethics for the Proper Use of Internet Resources?
This is a “which item is NOT an ethics item” question.
The Internet Activities Board (IAB) issued a statement to Internet users on the proper use of Internet resources. It characterizes the following activities as unethical:
- Attempting to obtain unauthorized access to Internet resources.
- Disrupting the intended use of the Internet.
- Wasting resources (people, capabilities, and computers) through such activities.
- Destroying the integrity of computer-based information.
- Violating the privacy of users.
#13. Who is not necessarily covered under the HITECH Act?
HIPAA covered entities, and the organizations and individuals who assist them in their business, are treated in the same manner as HIPAA covered entities. Health care providers, health information clearinghouses, and health insurance plans are covered entities. Developers of health apps are responsible as programmers rather than as holders of health information or plan holders. They may not be covered by HITECH, which focuses on how health information is managed. Therefore, the correct answer is “health app developer”.
It is not necessary to know the detailed HITECH requirements. You can classify the options by whether or not they handle health information and answer the question by process of elimination.
#14. Does it make sense to measure marketing metrics from a security perspective?
〇:Yes. Security exists to achieve corporate goals, so it should share the same goals.
KPIs and other marketing indicators exist to achieve organizational goals. The security function within the organization also exists to achieve those same goals.
×:Yes. Marketing in the security industry is allowed to be risk-off.
“Marketing in the security industry” is not the same thing as aligning the security function with the organization’s goals.
×:No. The division of labor should be strictly enforced and left to specialists.
While the division of labor in an organization is certainly important, all members of the organization need to be security conscious.
×:No. Security has nothing to do with confidential information that would be an executive decision.
Security should be addressed by the entire organization. It is not irrelevant.
#15. Planned business continuity procedures provide many benefits to an organization. Which of the following is NOT a benefit of business continuity planning?
〇:Telling your business partners that your company is not ready
Planned business continuity procedures can provide an organization with many benefits. In addition to the benefits listed in the other options, organizations can respond quickly and appropriately to an emergency, mitigate the impact on their business, and work with outside vendors during the recovery period. Efforts in these areas should communicate to business partners that the company is prepared in the event of a disaster.
×:Resuming Critical Business Functions
This is incorrect because a business continuity plan allows an organization to resume critical business functions. As part of the BCP development, the BCP team conducts a business impact analysis that includes identifying the maximum allowable downtime for critical resources. This effort helps the team prioritize recovery efforts so that the most critical resources can be recovered first.
×:Protecting Lives and Ensuring Safety
Incorrect because business continuity planning allows organizations to protect lives and ensure safety. People are a company’s most valuable asset. Therefore, human resources are an integral part of the recovery and continuity process and must be fully considered and integrated into the plan. Once this is done, a business continuity plan helps a company protect its employees.
×:Ensure business viability
Incorrect because a well-planned business continuity plan can help a company ensure the viability of its business. A business continuity plan provides methods and procedures for dealing with long-term outages and disasters. It involves moving critical systems to another environment while the original facility is being restored, and conducting business operations in a different mode until normal operations return. In essence, business continuity planning addresses how business is conducted after an emergency.
#16. As the company’s CISO, George needs to demonstrate to the board the need for a strong risk management program. Which of the following should George use to calculate the firm’s residual risk?
Countermeasures are implemented to reduce the overall risk to an acceptable level. However, no system or environment is 100% safe, and some risk remains no matter which countermeasures are in place. The risk that remains after countermeasures have been taken is called residual risk. Residual risk is different from total risk, which is the risk present when no countermeasures are implemented. Total risk is determined by calculating (threat x vulnerability x asset value = total risk), whereas residual risk is determined by calculating (threat x vulnerability x asset value) x control gap = residual risk. The control gap is the amount of protection that the controls cannot provide.
#17. Which international organization exists to help address the economic, social, and governance challenges of a globalized economy?
〇:Organization for Economic Cooperation and Development
Almost every country has its own set of rules regarding what constitutes private data and how it should be protected. With the advent of the digital and information age, these different laws have begun to adversely affect business and international trade. Thus, the Organization for Economic Cooperation and Development (OECD) created guidelines for different countries to ensure that data is properly protected and that everyone follows the same rules.
×:COSO
Incorrect because the Committee of Sponsoring Organizations of the Treadway Commission (COSO) was established in 1985 as an organization that studies fraudulent financial reporting and the elements that lead to it. The acronym COSO also refers to a model of corporate governance that addresses IT at the strategic level, corporate culture, and financial accounting principles.
×:COBIT (Control Objectives for Information and Related Technology)
Incorrect, as COBIT is a framework that defines control objectives to ensure that IT is properly managed and responsive to business needs. It is an international open standard that provides control and security requirements for sensitive data and serves as a reference framework.
×:International Organization for Standardization (ISO)
Incorrect because ISO is an international standards organization composed of representatives of national standards bodies. Its purpose is to establish global standardization, but its standardization goes well beyond the privacy of data moving across international borders. For example, some standards address quality control, while others address assurance and security.
#18. Which of the following attacks are related to availability?
〇:DDoS attacks
Availability is the property of the CIA triad that represents service continuity. An attack that threatens the continuity of service is a DDoS attack, which sends a large number of requests and causes a service outage. Therefore, the correct answer is “DDoS attack”.
×:Whaling
Whaling is a spear-phishing attack that targets a socially prominent person or organization.
×:TOC/TOU
TOC/TOU (time-of-check to time-of-use) is a software bug that occurs when the system state is modified between the time a condition is checked and the time the result of that check is used. In many cases, the attacker replaces one file with another between the time the file is looked up and the time it is read.
×:DRAM
RAM (Random Access Memory) is memory used by the CPU, for screen display, and so on. DRAM is RAM that holds data only for short periods of time and requires periodic refreshing.
#19. Which of the following is an effective method that you, as a software system administrator, can implement to prevent significant damage?
〇:Regular software updates
You are the system administrator. As an administrator, what you should be doing is updating software on a regular basis. Therefore, the correct answer is “regular software updates”.
Some of the other options may also be things you should do, but the actual exam will also test your ability to choose the better of two plausible answers.
×:Sophisticated product selection
In most cases, products that meet the requirements are selected in accordance with the Request for Proposal (RFP) presented by the customer. Existing system administrators may be involved in some of these discussions, but this is not the appropriate answer.
×:Early reporting to your supervisor
In any job, reporting to your supervisor is an essential part of the work. Here, however, it is more appropriate to focus on your position as a software system administrator.
×:Human resources to monitor the system
On-site monitoring staff may allow you to deal with problems in a timely manner. Here, however, it is more appropriate to focus on your position as a software system administrator.
#20. Which of the following is a correct action-directed defense?
〇:Regular training to change employee attitudes
Action-directed (behavior-directed) controls are intended to direct the behavior required of employees as part of organizational management. Regular training that changes employee awareness falls under the action-directed type. Therefore, the correct answer is “Regular training to change employee attitudes”.
×:Remotely directed defenses using drone audits
This falls under reinforcing (compensating) defensive measures.
×:Defensive measures that act as psychological barriers to behavior by means of physical barriers
This is a physical defensive measure.
×:Developing recurrence prevention measures to review certain actions
This is a corrective measure.