![](https://piedpin.com/wp-content/uploads/2020/06/goal-3144351_1280-1024x700.jpg)
All Domains Exam.
A minimum of 70% is required to pass.
#1. Elliptic curve cryptography is an asymmetric algorithm. What are its advantages over other asymmetric algorithms?
〇:Encryption and decryption are more efficient.
Elliptic curves are rich mathematical structures that have proven useful in many different types of applications. Elliptic curve cryptography (ECC) differs from other asymmetric algorithms in its efficiency: ECC is efficient because it is computationally less expensive than other asymmetric algorithms. In most cases, the longer the key, the more computation is needed to use it, but ECC can provide the same level of protection with a shorter key size than RSA requires.
×:Provides digital signatures, secure key distribution, and encryption.
This is wrong because ECC is not the only asymmetric algorithm that provides digital signatures, secure key distribution, and encryption; other asymmetric algorithms such as RSA provide them as well.
×:Calculated in finite discrete logarithms.
Wrong because Diffie-Hellman and El-Gamal compute with finite discrete logarithms.
×:Uses a large percentage of resources to perform the encryption.
Incorrect because ECC, compared with other asymmetric algorithms, uses far fewer resources. Some devices, such as wireless devices and cell phones, have limited processing power, storage, battery power, and bandwidth. Efficient resource utilization is very important for the encryption methods used on such devices.
#2. Which of the following is closest in meaning to the basic security concept of multi-layer defense?
#3. Which formulas are used in a Business Impact Analysis (BIA) assessment?
#4. David is preparing the server room for the new branch office. He wants to know what locking mechanism should be used for the primary and secondary server room entry doors?
〇:Primary entry doors should have controlled access via swipe card or cryptographic locks. Secondary doors should not be secured from the inside and allowed entry.
Data centers, server rooms, and wiring closets should be located in the core areas of the facility, near wiring distribution centers. Strict access control mechanisms and procedures should be implemented for these areas. The access control mechanism can be a lock with a smart card reader, a biometric reader, or a combination of these. Ideally these restricted areas would have only one access door, but fire code requirements typically dictate that most data centers and server rooms must have at least two doors. Only one door should be used for daily entry and exit; the other should be kept locked and used only in an emergency, such as a fire breaking out in the data center or server room. This second door should not be an access door, meaning people should not be able to enter through it. It should be locked, but it should have a panic bar that releases the lock when the door is pushed from the inside to exit.
×:The primary and secondary entry doors must have control access via swipe cards or cryptographic locks.
This is incorrect because both doors should not serve as entry points, even with an identification, authentication, and authorization process in place. There should be only one entry point into the server room. No other door should provide entry, although it can be used as an emergency exit. Therefore, the secondary door should be secured from the inside to prevent intrusion.
×:The primary entry door should have controlled access via a guard. Two doors should not be secured from the inside and allowed entry.
This is incorrect because the main entry door to the server room requires an identification, authentication, and authorization process to be performed, and swipe cards and cryptographic locks perform these functions. Server rooms should ideally not be directly accessible from public areas such as stairways, hallways, loading docks, elevators, and restrooms. This helps prevent foot traffic from casual passersby. Anyone near the door of the area to be secured should have a legitimate reason for being there, as opposed to, for example, being on the way to a meeting room.
×:The main entry door must have controlled access via swipe card or crypto lock. Two doors must have security guards.
This is incorrect because the second door should not have a security guard. It should simply be secured from the inside so that it cannot be used as an entry; the second door must function only as an emergency exit.
#5. What type of database property ensures that a tuple is uniquely identified by its primary key value?
〇:Entity integrity
Entity integrity ensures that a tuple is uniquely identified by its primary key value. A tuple is a row in a two-dimensional database table. The primary key is the column value that makes each row unique. For entity integrity, every tuple must contain a primary key. If a tuple does not have a primary key, the database cannot reference that tuple.
×:Concurrent Maintainability
Concurrent integrity is not a formal term in database software and is therefore incorrect. There are three main types of integrity services: semantic, referential, and entity. Concurrency refers to software being accessed by multiple users or applications simultaneously. Without controls in place, two users can access and modify the same data at the same time.
×:Referential Integrity
Referential integrity is incorrect because it concerns foreign keys: every foreign key must refer to an existing primary key. There must be a mechanism to ensure that foreign keys do not contain references to non-existent records or null-valued primary keys. This type of integrity control allows relationships between different tables to work properly and the tables to communicate correctly with each other.
×:Semantic Integrity
Semantic integrity is incorrect because it ensures that the structural and semantic rules of the database are enforced. These rules concern data types, boolean values, uniqueness constraints, and operations that might adversely affect the structure of the database.
#6. Which is the difference between public key cryptography and public key infrastructure?
〇:Public key infrastructure is a mechanism configuration for public key cryptographic distribution, and public key cryptography is another name for asymmetric encryption.
Public key cryptography is asymmetric cryptography; the terms are used interchangeably. Public key cryptography is one concept within the Public Key Infrastructure (PKI), which consists of various parts such as Certificate Authorities, Registration Authorities, certificates, keys, programs, and users. A Public Key Infrastructure is used to identify users, to create, distribute, maintain, and revoke certificates, to maintain encryption keys, and to support encrypted communication and authentication.
×:Public key infrastructure uses symmetric algorithms and public key cryptography uses asymmetric algorithms.
This is incorrect because a public key infrastructure uses a hybrid of symmetric and asymmetric key algorithms and methods. Public key cryptography is the use of asymmetric algorithms. Therefore, "asymmetric cryptography" and "public key cryptography" are interchangeable, meaning they are the same thing. Examples of asymmetric algorithms are RSA, elliptic curve cryptography (ECC), Diffie-Hellman, and El Gamal.
×:Public key infrastructure is used to perform key exchange, while public key cryptography is used to create public/private key pairs.
This is incorrect because public key cryptography is the use of asymmetric algorithms to create public/private key pairs, perform key exchange, and generate and verify digital signatures.
×:Public key infrastructure provides confidentiality and integrity, while public key cryptography provides authentication and non-repudiation.
Incorrect because the public key infrastructure itself does not provide authentication, non-repudiation, confidentiality, or integrity.
#7. Which DNS extension provides authentication of the origin of DNS data to DNS clients (resolvers) that can reduce DNS poisoning, spoofing, and other attacks?
〇:DNSSEC
DNSSEC is a set of extensions to the DNS that provide DNS clients (resolvers) with authentication of the origin of DNS data to reduce the threat of DNS poisoning, spoofing, and similar attack types. It is an Internet Engineering Task Force (IETF) specification for securing services.
×:Resource Record
This answer is incorrect. DNS servers contain records that map hostnames to IP addresses, called resource records. When a user's computer needs to resolve a hostname to an IP address, it looks in its network configuration to find its DNS server. The computer then sends a request containing the hostname to the DNS server for resolution; the DNS server looks in its resource records, finds the record for that hostname, retrieves the address, and responds to the computer with the corresponding IP address.
×:Zone Transfer
This answer is incorrect. Primary and secondary DNS servers synchronize their information via zone transfers. After changes are made on the primary DNS server, those changes must be replicated to the secondary DNS server. It is important to configure the DNS servers so that zone transfers can take place only between specific servers.
×:Resource Transfer
There is no DNS extension by this name; the phrase merely describes the transfer of DNS resource records, so the answer is incorrect.
#8. Which of the following is not an official risk methodology created for the purpose of analyzing security risks?
〇:AS / NZS 4360
AS / NZS 4360 can be used for security risk analysis, but it was not created for that purpose. It takes a much broader approach to risk management than other risk assessment methods, such as NIST or OCTAVE, which focus on IT threats and information security risks. AS / NZS 4360 can be used to understand a firm’s financial, capital, personnel safety, and business decision-making risks.
×:FAP
Incorrect as there is no formal FAP risk analysis methodology.
×:OCTAVE
This is incorrect because OCTAVE focuses on IT threats and information security risks. OCTAVE is intended for situations in which an organization manages and directs its own information security risk assessments. Employees of the organization are empowered to determine the best way to assess security.
×:NIST SP 800-30
Wrong because NIST SP 800-30 is specific to IT threats and how they relate to information security risks. Its focus is primarily on systems. Data is collected from network and security practice assessments and from people within the organization, and is used as input to the risk analysis steps outlined in the 800-30 document.
#9. Which is the first step in a business impact analysis?
〇:Creating Data Collection Techniques
Of the steps listed, the first step in a Business Impact Analysis (BIA) is to create data collection techniques. The BCP committee uses questionnaires, surveys, and interviews to collect information from key personnel on how different tasks are accomplished within the organization, along with any relevant dependencies among processes, transactions, or services. Process flow diagrams should be created from this data and used throughout the BIA and the planning and development phases.
×:Risk calculations for each different business function
This is incorrect because the risk for each business function is calculated after the business function has been identified. And before that happens, the BCP team needs to collect data from key personnel. To calculate the risk for each business function, qualitative and quantitative impact information must be collected, properly analyzed, and interpreted. Once the data analysis is complete, it should be reviewed with the most knowledgeable people in the company to ensure that the results are relevant and to explain the actual risks and impacts facing the organization. This will flush out any additional data points that were not captured initially and allow for a full understanding of all possible business impacts.
×:Identifying Critical Business Functions
This is incorrect because the identification of critical business functions is done after the BCP committee has learned which business functions exist by interviewing and surveying key individuals. Once the data collection phase is complete, the BCP committee conducts an analysis to determine which processes, devices, or business activities are critical. If a system stands on its own, does not affect other systems, and is less critical, it can be classified as a Tier 2 or Tier 3 recovery item. In other words, these resources are not handled in the recovery phase until the most critical (Tier 1) resources are up and running.
×:Vulnerability and Threat Identification to Business Functions
This is not the first step and is incorrect because vulnerabilities and threats to business functions are identified toward the end of the business impact analysis. It is the last of the steps listed in the answers. Threats can be man-made, natural, or technical. It is important to identify all possible threats and estimate their likelihood of occurring. When developing these plans, some issues may not be immediately apparent; such issues are best addressed by groups conducting scenario-based exercises. This ensures that when a threat becomes reality, the plan accounts for all business tasks, departments, and critical operations. The more issues that are planned for, the better prepared you will be should these events occur.
#10. SAML (Security Assertion Markup Language) is an XML-based standard for exchanging authentication and authorization data between systems on different security domains. SAML allows for the sharing of authentication information, such as how the authentication was performed, the attributes of an entity, and the permissions to which the entity has access. Which of the following definitions is associated with the correct SAML component?
〇:SAML assertions are used to enable identity federation and distributed systems.
SAML provides a model that allows two parties to share authentication information about one entity. The two parties are the Service Provider (SP) and the Identity Provider (IdP). The Identity Provider asserts information about the principal, such as whether the subject is authenticated or has certain attributes. The Service Provider uses the information provided by the Identity Provider to make access decisions about the services it provides, including whether to trust the Identity Provider's assertions. By trusting the Identity Provider's information, the Service Provider can provide services without requiring the principal to authenticate again. This framework enables federated identity and distributed authentication across domains.
A SAML assertion is information about a principal contained in a SAML response that is returned to the service provider after authentication has been processed by the identity provider.
×:Two SAML assertions (authentication and authorization) are used to indicate that an authority by SAML has validated a particular subject.
This is incorrect. The Identity Provider does not return two SAML assertions; one assertion is returned per request.
×:The SAML binding specification describes how to embed SAML messages within the TCP and UDP protocols.
This is incorrect. SAML bindings are not defined at the level of the TCP and UDP transport protocols.
×:The SAML profile has a definition for issuing a refresh token.
This is incorrect. Refresh tokens are a concept from the OAuth/OIDC family, not SAML profiles.
#11. Angela wants a computer environment that can be used together in departmental groups while easily sharing network resources. Which computers should logically be used as group computers?
〇:VLAN
Virtual LANs (VLANs) allow logical isolation and grouping of computers based on resource requirements, security, or business needs, regardless of the physical location of each system. Computers in the same department configured on the same VLAN all receive the same broadcast messages, allowing all users to access the same types of resources regardless of their physical location.
×:Open Network Architecture
Open network architecture is wrong because it describes a way of structuring network technology rather than a way of grouping computers; the OSI model provides a framework for developing products that operate within an open network architecture.
×:Intranet
Incorrect because an intranet is a private network used by a company when it wants to use Internet and Web-based technologies in its internal network.
×:VAN
Incorrect because a Value Added Network (VAN) is an electronic data interchange (EDI) infrastructure developed and maintained by a service bureau.
#12. Carol is charged with building a system to handle health information. What should she advocate first?
〇:Considering an architecture that can handle health information.
Carol is a systems engineer and is expected to work out what is feasible as a system. Explaining in advance why something cannot be done as a system, handling approvals outside the system configuration, or initiating legal work would take her outside her role. The correct answer, therefore, is "Consider an architecture that can handle health information."
×:To address the dangers of handling health information in the system.
The basic stance of a systems engineer is to establish feasibility as a system. Although the dangers of a proposed idea must be pointed out, warning about danger should not be the main purpose.
×:Obtaining permission to entrust health information from a medical institution.
A contract should be signed and the legal scope of responsibility should be clarified, but this is outside the systems engineer's scope.
×:To prepare a written consent to use for handling health information.
It is necessary to obtain end users' consent before they use the service, and the scope of legal responsibility needs to be clarified, but this is outside the systems engineer's scope.
#13. What are the problems with RADIUS that have been eliminated by Diameter?
#14. Marge uses her private key to create a digital signature for messages sent to George, but she does not show or share her private key with George. Which of the following illustrates this situation?
〇:Zero Knowledge Proof
A zero knowledge proof means that someone can demonstrate something to you without telling you more than you need to know. In cryptography, it means proving that you possess a certain key without sharing that key or showing it to anyone. A zero knowledge proof (usually mathematical) is an interactive way for one party to prove to another that something is true without revealing anything sensitive.
×:Key Clustering
Key clustering is the phenomenon in which encrypting the same plaintext with different keys produces the same ciphertext.
×:Avoiding Birthday Attacks
An attacker can attempt to force a hash collision; this is called a birthday attack. The attack is based on the birthday paradox from standard statistics: it is a cryptographic attack that uses probability theory to exploit the mathematics behind the birthday problem.
×:Provides data confidentiality
This is incorrect. Data confidentiality is provided by encryption, when data is encrypted with a key.
#15. DNS is a popular target for attackers on the Internet; which ones use recursive queries to pollute the caches of DNS servers?
〇:DNS Hijacking
The DNS plays a major role in directing traffic on the Internet: it sends traffic to the IP address that corresponds to a given domain name. DNS queries can be classified as either recursive or iterative. In a recursive query, the DNS server forwards the query to another server and returns the final answer to the requester. In an iterative query, the DNS server responds with the address of another DNS server that may be able to answer the question, and the requester then asks that server. Attackers use recursive queries to pollute the caches of DNS servers.
The attacker sends a recursive query to the victim's DNS server asking for the IP address of a domain; the DNS server forwards the query to another DNS server. Before that server responds, the attacker injects a response containing the attacker's IP address. The victim server accepts the IP address and stores it in its cache for a specific period of time. The next time a system queries the server for that name, the server directs the user to the attacker's IP address.
×:Manipulating the hosts file
Manipulating the hosts file is wrong because it does not use recursive queries to pollute the DNS server cache. The client consults the hosts file before issuing a request to its DNS server. Some viruses add invalid IP addresses for antivirus vendors to the hosts file to prevent virus definition files from being downloaded and to evade detection.
×:Social engineering
Social engineering is wrong because it does not require querying DNS servers. Social engineering refers to manipulation by an individual for the purpose of gaining unauthorized access or information.
×:Domain Litigation
Domain litigation is wrong because it does not involve poisoning the DNS server cache. Domain names are at trademark risk, including temporary unavailability or permanent loss of established domain names.
#16. There are several calculation methods used to evaluate the value of an asset. Which of the following is NOT used to determine the value of an asset?
〇:Level of insurance required to cover assets.
This question asks for the option that is not used. There are several ways to calculate asset value (AV): the market approach, which refers to similar assets on the market; the income approach, which measures value by the profit the asset will earn in the future; and the cost approach, which measures value by the cost spent on the asset. The level of insurance needed to cover an asset is a decision made after identifying the asset value and conducting an appropriate risk analysis, which allows the organization to more easily determine the level of insurance coverage to purchase for that asset. Therefore, the correct answer is "level of insurance required to cover the asset".
×:Value of the asset in the external market.
The technique of referring to similar assets in the market is known as the market approach.
×:Initial costs and outlay for purchasing, licensing, and supporting the asset.
The method of measuring by the cost spent on an asset is known as the cost approach.
×:The value of the asset to the organization’s production operations.
The method of measuring by the profit that will be earned in the future is known as the income approach.
#17. Which of the following is not essential in information lifecycle management?
〇:Database Migration
Moving data from one repository to another may be required over its lifetime, but it is generally not as important as the other phases listed in this question.
×:Data specification and classification
This is incorrect because the determination of what the data is and its classification is the first essential phase that can provide the appropriate level of protection.
×:Continuous monitoring and auditing of data access
Incorrect because without continuous monitoring and auditing of access to sensitive data, breaches cannot be identified and security cannot be guaranteed.
×:Data Archiving
Incorrect as even the most sensitive data is subject to retention requirements. This means that it must be archived for an appropriate period of time and with the same level of security as during actual use.
#18. Which of the following are ways to defend against cross-site tracing?
Cross-site tracing is an attack that obtains authentication information by embedding an HTTP TRACE request in a web page. Suppose a TRACE request is injected into the login screen via XSS. When the login password is sent, the TRACE method echoes the request back, so the password that has just been submitted is returned to the browser and can be captured, leading to a compromise.
#19. Which of the following is an attack that accesses an internal IP address as the source from the outside and aims for internal access by means of a response request?
〇:LAND attack
A LAND attack is an attack that gets past firewalls that block malformed requests; it is similar to the Fraggle attack, but it sends the firewall a request whose source address is the target of the attack. This is a blind spot because the firewall, which is supposed to protect the inside of the system, is used to carry out the attack.
×:Teardrop
Teardrop is an attack that halts the system by forging the fragment offsets of fragmented IP packets.
×:Christmas Tree Attack
A Christmas tree attack is an attack in which a packet is sent with a number of flags (URG, ACK, PSH, RST, SYN, FIN) and the response is observed.
×:CHARGEN attack
CHARGEN (port 19) is a protocol that returns an arbitrary string of characters; it does not involve spoofing an internal source address.
#20. When submitting a security report to management, which of the following elements is most important?
〇:A Comprehensive Executive Summary
No matter how technically comprehensive a report to management may be, being too detailed is not always desirable. IT security professionals must understand that the risk to the enterprise from a data breach is only one of many concerns that senior management must understand and prioritize. C-level executives must attend to many risks and may have difficulty properly categorizing unfamiliar, highly technical threats. In short, the IT security professional's primary job is to summarize the risks as concisely as possible in a form suited to management.
×:List of Threats, Vulnerabilities, and Likelihood of Occurrence
This is incorrect because it is not the most important element to report to management. Such a list is essential to a comprehensive security report, but providing it to senior management is unlikely to result in effective action without a skillful executive summary.
×:A comprehensive list of the probability and impact of expected adverse events
This is incorrect because it is not the most important element of the report to management. Such lists are important in technical reports, but summaries are critical to achieving risk mitigation goals.
×:A comprehensive list of threats, vulnerabilities, and likelihood of occurrence, a comprehensive list of the probability and impact of expected adverse events, and a written summary thereof to meet technical comprehensiveness
Incorrect because this describes the most common and significant obstacles to effective reporting to management.
#21. Lee is the new security manager responsible for ensuring that his company complies with the European Union Principles on Privacy when interacting with its European partners. Which of the following laws or regulations contain a set of principles dealing with the transmission of data that is considered private?
〇:Data Protection Directive
In many cases, the European Union (EU) takes personal privacy more seriously than most other countries in the world and therefore adheres to strict laws regarding data considered personal information based on the European Union Principles for the Protection of Personal Data. This set of principles addresses the use and communication of information that is considered private in nature. These principles and how to comply with them are contained in the EU Data Protection Directive. All European states must comply with these principles, and all companies doing business with EU companies must follow this directive if their business involves the exchange of privacy-type data.
×:Organization for Economic Cooperation and Development (OECD)
This is incorrect because the Organization for Economic Cooperation and Development (OECD) is an international organization that brings together different governments to help address the economic, social, and governance challenges of a globalized economy. To that end, the OECD has developed guidelines for nations to ensure that data is properly protected and that everyone adheres to the same kinds of rules.
×:Federal Private Sector Bill
The Federal Private Bill is incorrect. There is no official bill by this name.
×:Privacy Protection Act
The Privacy Protection Act is the wrong answer. There is no official legislation by this name.
#22. Lacy's manager assigned her to research intrusion detection systems for the new dispatching center. Lacy identifies the top five products and compares their ratings. Which of the following is the most widely used evaluation criteria framework today for this purpose?
〇:Common Criteria
Common Criteria was created in the early 1990s as a way to combine the strengths of both the Trusted Computer System Evaluation Criteria (TCSEC) and the Information Technology Security Evaluation Criteria (ITSEC) and eliminate their weaknesses. Common Criteria is more flexible than TCSEC and simpler than ITSEC. Common Criteria is recognized worldwide and assists consumers by reducing the complexity of evaluations and eliminating the need to understand the definitions and meanings of different ratings in different evaluation schemes. It also helps manufacturers, because they can now build to a specific set of requirements when they want to market their products internationally, rather than having to meet several different evaluation criteria under different rules and requirements.
×:ITSEC
This is incorrect because it is not the most widely used information technology security evaluation standard. ITSEC was the first attempt to establish a single standard for evaluating the security attributes of computer systems and products in many European countries. In addition, ITSEC separates functionality and assurance in its evaluations, giving each a separate rating. It was developed to provide greater flexibility than TCSEC and addresses integrity, availability, and confidentiality in networked systems. The goal of ITSEC was to become the global standard for product evaluation, but it failed to achieve that goal and was replaced by Common Criteria.
×:Red Book
Wrong, as the Red Book is a U.S. government publication that addresses the security evaluation of networks and network components. Formally titled the Trusted Network Interpretation, it provides a framework for protecting different types of networks. Subjects accessing objects on the network must be controlled, monitored, and audited.
×:Orange Book
Incorrect, as the Orange Book is a U.S. government publication that addresses government and military requirements and expectations for operating systems. The Orange Book is used to evaluate whether a product meets the security characteristics required for specific applications or functions. It reviews the functionality, effectiveness, and assurance of the product under evaluation, using classes designed to address typical patterns of security requirements. It provides a broad framework for building and evaluating trusted systems, with an emphasis on controlling which users have access to the system. It is commonly called the Orange Book, but its formal name is the Trusted Computer System Evaluation Criteria (TCSEC).
#23. Which project management methodology is based on each phase leading to the next phase and not returning to the previous phase?
〇:Waterfall
Waterfall is very unidirectional and each phase leads directly to the next phase. In a pure waterfall model, there is no way to return to the previous phase.
×:Agile
Agile is the idea that system development should be done flexibly. It is a trial-and-error development method that emphasizes adaptive planning, evolutionary development, early delivery, and continuous improvement. Unlike the traditional approach of modeling the whole process up front, in Agile the principles and goals are shared by the entire team, which adapts to each situation as it arises.
×:SASHIMI
The SASHIMI model is a system development process model that allows the end of one phase and the beginning of the next to overlap. In a waterfall model, the move to the next phase takes place upon submission and review of deliverables. That works well, but in practice there are times when a deliverable is handed over and then modified because of changing requirements.
×:Spiral
The spiral model is a method of development that iterates from design to testing for each function. It is a method in which a series of processes consisting of planning, analysis, design, implementation, testing, and evaluation are repeated many times within a single project to gradually increase the degree of completion. In a software project, these phases are repeated.
#24. You are selecting a site for a new data center and offices. Which of the following is not a valid security concern?
Greenfield is undeveloped land that has not yet been built upon. The perspectives for selecting a site as a data center site include topography, utilities, and public safety.
- Topography refers to the physical shape of the landscape: hills, valleys, trees, streams.
- Utility refers to the degree to which power and internet service in the area are reliable.
- Public safety concerns how high the crime rate in the area is and how close the nearest police force is.
#25. A backup file stored on a physical disk is being transported by truck to a data center at a different location. What is the status of the data in this backup file?
Stored data is data that resides on a disk or other media. Transmitted data is data flowing over a network. Data in use is data held in memory, cache, and the like while it is being processed. Being transported by truck does not make the backup data "in transmission"; the disk is simply storage media that is being moved. Therefore, "stored data" is the correct answer.
#26. What is the IPSec SA value?
#27. What are the advantages of depositing cryptographic keys with another organization?
A key escrow system is one in which a third-party organization holds a copy of the public/private key pair. If the private key is stolen, all ciphertext can be decrypted by the thief; conversely, if it is lost, none of the ciphertext can be decrypted. A copy is therefore needed, but keeping that copy yourself means it can be stolen in a break-in, so it is deposited with a third-party organization.
#28. The change management process includes a variety of steps. Which of the following incorrectly describes a change management policy procedure?
〇:A change unanimously approved by the change control committee would be a step that does not require testing of the actual equipment.
This is a false choice question.
For different types of environmental changes, a structured change management process needs to be in place. Depending on the severity of the change requirement, the change and its implementation may need to be presented to a change control committee. Change requests approved by the change control committee must be tested to discover any unintended consequences. Testing demonstrates the purpose, consequences, and possible effects of the change in its various aspects. This means that approval by the change control board does not remove the need for testing: the board has mandated the change, and its appropriateness must be ensured by testing. Therefore, the correct answer is: "A change that is unanimously approved by the change control committee is a step that does not require testing on the actual equipment."
×:Changes approved by the change control committee should be kept as a log of changes.
This is correct change management.
×:A rough schedule should be created during the planning phase of the change.
This is correct change management.
×:Proposed changes should be prioritized and reviewed.
This is correct change management.
#29. Which of the following is a critical first step in disaster recovery and emergency response planning?
〇:Completing the Business Impact Analysis
Of the steps listed in this question, completing the Business Impact Analysis is the highest priority. The BIA is essential in determining the most critical business functions and identifying the threats associated with them. Qualitative and quantitative data must be collected, analyzed, interpreted, and presented to management.
×:Test and Drill Plan
Test and drill is wrong because it is part of the last step in disaster recovery and contingency planning. Because the environment is constantly changing, it is important to test your business continuity plan on a regular basis. Testing and disaster recovery drills and exercises should be performed at least once a year. The exercises should be done in sections or at specific times that require logistical planning, as most firms cannot afford these exercises to disrupt production or productivity.
×:Determining alternatives for off-site backup facilities
This is incorrect because it is part of the contingency strategy that is done in the middle of the disaster recovery and contingency planning process. In the event of a major disaster, an alternate off-site backup capability is required. Typically, contracts are established with third-party vendors to provide such services. The client pays a monthly fee to retain the right to use the facility when needed and then pays an activation fee when they need to use that facility.
×:Organize and prepare related documentation
This is incorrect because the relevant documentation is organized and created around the time the disaster recovery and contingency planning process is completed. Procedures should be documented, because improvising time-consuming steps at the moment they are actually needed leads to confusion. Documentation should include information on how to install images, configure the operating system and servers, and install utilities and proprietary software. Other documentation should include call trees and contact information for specific vendors, emergency agencies, off-site facilities, etc.
#30. Jim is a sales representative and the data owner of the sales department. Which of the following is not the responsibility of Jim, the data owner?
〇:Verifying Data Availability
The responsibility for verifying data availability is the sole responsibility that does not belong to the data (information) owner. Rather, it is the responsibility of the data (information) controller. The data controller is also responsible for maintaining and protecting the data in accordance with the data owner’s instructions. This includes performing regular backups of data, restoring data from backup media, maintaining records of activities, and enforcing information security and data protection requirements in company policies, guidelines, and standards. Data owners work at a higher level than data managers. The data owner basically says, “This is the level of integrity, availability, and confidentiality you need to provide. Please do it now”. The data administrator is executing these permissions and following up on the installed controls to ensure they are working properly.
×:Assigning Information Classification
Incorrect, because the question asks what Jim is not responsible for, and as the data owner Jim is responsible for assigning information classifications.
×:Determining how to protect data
Incorrect because the data owner, such as Jim, is responsible for determining how the information is protected. The data owner has organizational responsibility for data protection and is liable for any negligence with respect to protecting the organization’s information assets. This means that Jim needs to decide how to protect the information and ensure that the data controller (a role usually occupied by IT or security) is implementing these decisions.
×:Determining how long to retain data
This is incorrect because the decision of how long to retain data is the responsibility of the data owner. The data owner is also responsible for determining who can access the information and ensuring that the appropriate access rights are used. He may approve access requests himself or delegate that function to the business unit manager. The business unit manager approves the request based on the user access criteria defined by the data owner.
#31. Which of the following cannot be said to be privacy information under the concept of information security?
#32. If the media contains sensitive information, purging must be performed at the end of the media lifecycle. Which of the following adequately describes purging?
〇:To make information physically unrecoverable by any special effort.
Purging is the removal of sensitive data from disk. Software deletion of a file does not actually erase the data; it only removes the file system's reference to the location of the data on disk. This means that if the data on a disk containing sensitive information cannot be completely erased, physical destruction is also necessary.
×:To change the polarization of atoms on a medium.
This is not a description of purging.
×:Do not authorize the reuse of media in the same physical environment for the same purpose.
While such an approval process may exist in practice, it is not a description of purging as data deletion.
×:To make data on media unrecoverable by overwriting it.
Simply overwriting media with new information does not eliminate the possibility of recovering previously written information.
Therefore, it does not fit the description of purging.
#33. Which of the following is the most effective method of identifying backup strategies?
〇:Test the restore procedure.
The ability to successfully restore from a backup must be tested periodically. Therefore, the correct answer is: "Test the restore procedure."
×:Ensure that all user data is backed up.
Making copies of user data is important, but copies are useless unless it is ensured that the copies can be restored.
×:Back up the database management system (DBMS) to your own specifications.
While it is a good idea to use measures to meet the proprietary specifications of the DBMS to ensure that transactional copies are usable, those copies will not be trusted unless the restores are tested.
×:Ensure that the backup log files are complete.
Monitoring backup logs for completion is good operational practice, but it is wrong because it is no substitute for regular testing of the backups themselves and their ability to truly recover from data loss.
#34. Which password management method would decrease help desk call volume and facilitate access to multiple resources in the event of a password compromise?
〇:Password synchronization between different systems
Password synchronization is designed to reduce the complexity of maintaining different passwords for different systems. Password synchronization technology allows a single password to be maintained across multiple systems by transparently synchronizing passwords to other systems in real time. This reduces help desk call volume. However, one of the disadvantages of this approach is that only one password is used to access different resources. This means that a hacker only needs to figure out one set of credentials to gain unauthorized access to all resources. Therefore, the correct answer is “password synchronization between different systems”.
×:Password reset by administrator query
This does not reduce the amount of help desk support because the end user must contact the administrator.
×:End-user manual password reset by self-service
This is the so-called “self-service” password reset, in which end users change their passwords themselves from their profile pages.
This is the most practical way to reduce the amount of helpdesk support, but it does not meet the requirement of easy access to multiple resources in case of a password compromise.
×:Password reset by inquiry
This does not reduce the amount of helpdesk support because it requires the end user to contact the administrator. An inquiry still counts as a help desk contact whether or not an administrator handles it.
#35. The team should be involved in the implementation of the business continuity plan. Which team is responsible for initiating recovery of the original site?
〇:Salvage Teams
The BCP coordinator should understand the needs of the company and the types of teams that need to be developed and trained. Employees should be assigned to specific teams based on their knowledge and skill sets. Each team must have a named leader with the authority to direct the team's activities. These team leaders are responsible not only for ensuring that team goals are met, but also for interacting with each other to ensure that each team is operating properly. The salvage team is responsible for initiating recovery of the original site. It is also responsible for backing up data from the alternate site and restoring it within the new facility, carefully terminating any outstanding operations, and ensuring that equipment and personnel are transported to the new facility.
×:Damage Assessment Team
The Damage Assessment Team is incorrect because it is responsible for determining the extent and severity of damage.
×:BCP Team
Wrong because the BCP team is responsible for creating and maintaining a business continuity plan.
×:Recovery Team
Wrong because the Recovery Team is responsible for getting an alternate site to work and to keep the environment functioning.
#36. Which technology can generate time-based one-time passwords?
〇:Time-Based Synchronous Dynamic Token
A synchronous token device synchronizes with the authentication service using time or a counter as a core part of the authentication process. When synchronization is time-based, the token device and the authentication service must keep their internal clocks in agreement. The token device combines the current time value with its secret key to generate a one-time password that is displayed to the user. The user enters this value along with a user ID into the computer, which passes them to the server running the authentication service. The authentication service decrypts this value and compares it to the expected value. If the two match, the user is authenticated and allowed to use the computer and its resources.
×:Counter-Based Synchronous Dynamic Token
Incorrect, because counter-based synchronization between the token device and the authentication service is not based on time. With a counter-synchronized token device, the user initiates the creation of a one-time password by pressing a button on the device. This advances both the token device and the authentication service to the next authentication value. This value, combined with the base secret, is hashed and displayed to the user. The user enters the resulting value along with the user ID to be authenticated. For either time-based or counter-based synchronization, the token device and the authentication service must share the same secret base key used for encryption and decryption.
×:Asynchronous Tokens
Asynchronous token generation methods are incorrect because they use a challenge/response method for the token device to authenticate the user. Rather than relying on synchronization, this technique uses a distinct challenge-and-response step in the authentication process.
×:Mandatory Tokens
Wrong because there is no such thing as a mandatory token. This is an incorrect answer.
#37. Server cluster configurations are taken for critical applications, but what functions are achieved by this configuration?
Clustering is designed for fault tolerance. It is often combined with load balancing, but the two are essentially separate. Clustering can run in an active/active configuration, in which every node serves requests and a load balancer distributes traffic across the servers. Active/passive, on the other hand, has a designated primary active server and a secondary passive server, with the passive node exchanging keep-alives or heartbeats with the active node every few seconds.
#38. Which of the following is a straightforward inference as to why email spoofing was so easily carried out?
〇:SMTP lacks proper authentication mechanisms.
Email spoofing is easy to perform when SMTP lacks proper authentication mechanisms. An attacker can spoof the sender address of an e-mail by sending a Telnet command to port 25 of the mail server. Spammers use e-mail spoofing to avoid being identified.
×:The administrator forgot to configure a setting that prevents inbound SMTP connections for non-functioning domains.
When an email is spoofed, its sender address is forged. This can happen even if inbound SMTP connections for a domain are blocked.
×:Technically abolished by keyword filtering.
Keyword filtering is not very effective against spoofing. Therefore, even if it has become technically obsolete, that is unlikely to be the cause.
×:The blacklist function is not technically reliable.
When an email is spoofed, its sender address is forged. This can happen even if the blacklist function is unreliable.
#39. What is the difference between interface testing and misuse case testing?
〇:Interface test is intended to verify correct operation in the correct state. Misuse case testing is intended to verify that problems occur in error conditions.
All applications must undergo interface testing to ensure proper function and use. They should undergo misuse case testing to determine if their intentional misuse could cause errors that would harm the confidentiality, integrity, and availability of the data to which the application provides access.
×:Interface test is intended to determine if a problem occurs in an error condition. Misuse case testing is intended to verify correct operation in the correct state.
While incorrect behavior can sometimes be discovered on the assumption that the correct behavior occurs, this choice has the purposes of the two tests reversed.
×:Interface testing is intended to check for proper usability. Misuse case testing monitors when errors occur.
Interfaces are not limited to usability. It is also a test for the API for server-to-server communication.
×:Interface testing and misuse case testing are essentially the same.
Essentially, the purpose of the test and the creation of an environment to achieve that purpose are different.
#40. Sally has performed software analysis against her company’s proprietary applications. She has found that it is possible to force an authentication step to take place before the attacker has successfully completed the authentication procedure. What could be the cause?
〇:Conflict condition
A race condition is present when a process performs a task on a shared resource and the sequence of operations can occur in the wrong order. Two or more processes can have a race condition if they use a shared resource, such as data in a variable. It is important that processes perform their functions in the correct sequence.
×:Backdoors
Backdoors are incorrect because they are “listening” services on certain ports. Backdoors are implemented by attackers to allow easy access to the system without authenticating as a normal system user.
×:Maintenance Hooks
Maintenance hooks are specific pieces of software code that allow easy and unauthorized access to sensitive parts of a software product. Software programmers use maintenance hooks to get quick access to the code so that they can make fixes immediately, but this is dangerous.
×:Data validation errors
Data validation errors are wrong because an attacker cannot operate on the process execution sequence.
#41. SELinux is set up. Which access control will be followed?
〇:Mandatory Access Control (MAC)
Mandatory Access Control (MAC) is an access control model that enforces access privileges by pre-classifying resources into levels. There are several roles with respect to data files: the user of the data file, the owner who creates the data file, and the administrator who decides which owners may create data. SELinux, TOMOYO Linux, TrustedBSD, and Trusted Solaris are implementations of MAC.
×:Discretionary Access Control (DAC)
Discretionary Access Control (DAC) is an access control method that allows the owner of an access target to change access privileges.
×:Role Access Control (RAC)
There is no such term. A close equivalent is role-based access control, which divides accounts by role and applies access control to those roles.
×:Voluntary Access Control (VAC)
There is no such term.
#42. In the United States, federal agencies must comply with the Federal Information Processing Standard 201-2 to ensure which of the following?
〇:That the identity of the public official has been properly verified.
FIPS 201-2 establishes U.S. government standards for personal identity verification (PIV) and gives various requirements for assurance. Access to restricted information by government employees and contracting agents depends on their level of clearance and need to know, but first the government must assure itself that the individual is who they say they are.
×:That government employees are properly cleared for the work to which they are assigned.
Government employees must be properly cleared for the information to which they have been granted access, and therefore true identification must be available for review and verification prior to such access.
×:Government employees are only allowed access to data at their clearance level.
This is wrong because government employees should only be given access to the information they need to access. But again, this must be based on a clear level of assurance that the clearance they possess is valid.
×:That the data to which public officials have access is properly classified.
This is incorrect because the classification of data is not directly related to the validation of personal information.
#43. Similar to logical access control, audit logs should also be generated and monitored for physical access control. Which of the following statements is true regarding auditing physical access?
〇:All failed access attempts should be logged and reviewed.
The physical access control system may use software and auditing capabilities to generate an audit trail or access log associated with access attempts. The date and time of the entry point when access was attempted, the user ID used when access was attempted, and any failed access attempts, among others, should be recorded.
×:Failed access attempts are recorded and only security personnel are entitled to review them.
Unless someone actually reviews them, the access logs are as useless as the audit logs generated by the computer. Security guards should review these logs, but security professionals and facility managers should review these logs on a regular basis. The administrator must know the existence and location of entry points into the facility.
×:Only successful access attempts should be logged and reviewed.
Wrong, as unsuccessful access attempts should be logged and reviewed. Auditing should alert you to suspicious activity even when an entity is being denied access to a network, computer, or location.
×:Failed access attempts outside of business hours should be logged and reviewed.
Incorrect, as all unauthorized access attempts should be logged and reviewed regardless. Unauthorized access can occur at any time.
#44. What is the last step in the process after a penetration test has been properly conducted?
Penetration testing is an attempt to penetrate a system connected to a network. Penetration allows for any kind of manipulation and can bring the service itself to a halt. Therefore, the focus of testing is on penetration. The sequence is: planning, preliminary investigation, search for vulnerabilities, evaluation, attack, and reporting. Therefore, the correct answer is "report generation."
#45. Jared plays a role in the company’s data classification system. In this role, he must use extreme caution when accessing data, ensure that data is used only in accordance with authorized policies, and follow the rules set for data classification. He does not determine, maintain, or evaluate controls. What is Jared’s role?
〇:Data User
An individual who uses data for work-related tasks is a data user. Users must have the necessary level of access to data to perform their job duties. They are also responsible for adhering to operational security procedures to ensure the confidentiality, integrity, and availability of the data to others. This means that users must take appropriate precautions and follow both security policies and data classification rules.
×:Data Owners
This is incorrect because the data owner has a higher level of responsibility in protecting the data. The data owner is responsible for classifying the data, regularly reviewing the classification level, and delegating responsibility for the data protection position to the data controller. The data owner is usually a manager or executive within the organization and is responsible for the protection of the company’s information assets.
×:Data Controller
Incorrect, as the data controller is responsible for implementing and maintaining security controls as directed by the data owner. In other words, the data administrator is the technician of the controls that protect the data. Her duties include creating backups, restoring data, implementing and maintaining countermeasures, and managing controls.
×:Information Systems Auditor
Incorrect, as they are responsible for evaluating controls. After evaluating the controls, the auditor submits a report to management, mapping the results to the organization’s acceptable level of risk. This has nothing to do with using data or being meticulous in the use of data.
#46. It appears that this organization is abusing its authority. Which approach would clarify the what, how, where, who, when, and why of each area of job authority?
〇:Zachman Framework
The Zachman Framework is an enterprise architecture that determines the what, how, where, who, when, and why for each mandate. Enterprise architecture creates a management structure to achieve business goals. We create an organization to achieve business goals, and basically, the larger the business goals, the larger the organization. If the structure of the organization is not in place, the organization will not run efficiently: work may be left undone, or there may be friction between jobs because of overlapping authority. Therefore, it is necessary to clarify the scope of each job authority in order to put the organization in order. The job authority here is different from the perspectives of human resources or sales; it is easier to think of the roles as hierarchically separated to achieve business goals. The scope is clarified at the Executive, Business Management, Architecture, Engineer, Subcontractor, and Stakeholder levels, respectively. Therefore, the correct answer is the Zachman Framework.
×:SABSA
SABSA (Sherwood Applied Business Security Architecture) is a framework to ensure that security measures are working properly in achieving business goals. Unlike the Zachman Framework, the items it organizes are hierarchical layers: Business Requirements > Conceptual Architecture > Logical Service Architecture > Physical Infrastructure Architecture > Technology and Products, with each layer examined through the 5W1H questions.
×:Five-W method
There is no such term. If there is, it is a term coined to make it easier to interpret.
×:Biba Model
The Biba model is a security model that indicates that data cannot be changed without permission.
#47. There are several important stages of account management. Which of the following describes each of these stages?
〇:Provisioning accounts, modifying accounts, auditing account usage, and deactivating accounts.
All phases of the authenticated access lifecycle should be considered. Access should not be granted without proper instructions, nor should access be granted or denied without expected authorization. Suspension of access must also be auditable.
×:Provisioning or adding accounts, changing accounts, and suspending accounts.
Incorrect because it does not include auditing of account usage.
×:Adding an account, deleting an account, or deleting a user’s data.
Incorrect because deletion of user data may conflict with data retention requirements.
×:Verifying account passwords, checking account usage, and deleting accounts.
Incorrect because it is merely an authentication step and not related to account management.
#48. Management support is critical to the success of a business continuity plan. Which of the following is most important to provide to management in order to obtain support?
〇:Business Case
The most important part of establishing and maintaining a current continuity plan is management support. Management may need to be convinced of the need for such a plan. Therefore, a business case is needed to obtain this support. The business case should include current vulnerabilities, legal obligations, current status of the recovery plan, and recommendations. Management is generally most interested in cost-benefit issues, so preliminary figures can be gathered and potential losses estimated. Decisions about how a company should recover are business decisions and should always be treated as such.
×:Business Impact Analysis
Incorrect because the Business Impact Analysis (BIA) was conducted after the BCP team gained management’s support for its efforts. A BIA is conducted to identify areas of greatest financial or operational loss in the event of a disaster or disruption. It identifies the company’s critical systems required for survival and estimates the amount of downtime the company can tolerate as a result of a disaster or disruption.
×:Risk Analysis
Incorrect, as this is a method of identifying risks and assessing the potential damage that could be caused to justify security protection measures. In the context of BCP, risk analysis methods should be used in a BIA to identify which processes, devices, or operations are critical and should be recovered first.
×:Threat reports
This is not the intended answer. However, it is important for management to understand what the actual threats to the enterprise are, the consequences of those threats, and the potential loss value for each threat. Without this understanding, management pays lip service to continuity planning, and in some cases the result may be worse than not planning at all because of the false sense of security it creates.
#49. There are three core rules in the U.S. HIPAA. Which of the following is NOT a core rule?
#50. When penetration testers are doing white box testing, how much do they know about the target?
#51. Which of the following is NOT an effective countermeasure against spam mail?
〇:Make the mail relay server available to everyone.
This is a question of choosing the "ineffective" one. An open mail relay server is not an effective countermeasure against spam. In fact, spammers often use open relays to distribute spam, because they allow the attackers to hide their identities. An open mail relay server is an SMTP server configured to accept inbound SMTP connections from anyone on the Internet; many relays are instead properly configured to prevent attackers from distributing spam and pornography through them. Thus, the correct answer is "Make the mail relay server available to everyone."
×:Build a properly configured mail relay server.
A properly configured mail relay server can also suppress spam mail.
×:Perform filtering at the e-mail gateway.
Filtering emails that are considered spam mail at the gateway will help to prevent spam mail.
×:Filtering at the client.
Filtering spam mail at the client, i.e., in a mailing application such as Outlook, is considered to be a countermeasure against spam mail.
#52. What is the difference between awareness and training?
Awareness reminds the organization's members of information they already have in order to make them vigilant again. Training is the input of information that is unknown to the members of the organization. Therefore, the difference between awareness-raising and training is whether the target audience is already aware of the information.
#53. We have tested our software and found over 10,000 defects. What should the next step be?
〇:Calculate the potential impact for fatal errors.
Software testing is a must, but when that testing reveals numerous defects, it must be handled with care. Systems do not have the same concept as human forgetfulness, but it is not realistic to ask someone who scored 30 on this week’s test to score 100 on next week’s test.
Before any corrections are made, the data taken from the completed test, including log reviews, must be analyzed. Priority must be given to determining what to implement first and what is acceptable and unacceptable. Think of qualitative risk analysis: if something is unlikely and has little impact, it can be left alone so that the focus stays on high-priority items. Thus, the correct answer is “Calculate the potential impact for fatal errors.”
×:Fix them all.
If many defects are found, it is likely that a lot of time will be taken to deal with their correction.
×:Leave them alone because of the huge number.
In principle, it is unacceptable to leave defects unattended.
×:Calculate the potential impact for all errors.
Performing an analysis for all errors can also be very work intensive.
#54. Matthew, the company’s business continuity coordinator, helps recruit members to the Business Continuity Plan (BCP) Committee. Which of the following is an incorrect explanation?
〇:Meetings should be conducted with a fixed number of members and should be as small as possible.
The BCP committee should be large enough to represent each department within the organization. It should consist of people who are familiar with the different departments within the company, as each department has unique functions and unique risks and threats. All issues and threats will be formulated when they are brought in and discussed. This cannot be done effectively with a few divisions or a few people. The committee must consist of at least business unit, senior management, IT, security, communications, and legal personnel.
Conducting meetings with a fixed number of members kept as small as possible is certainly not a misreading if taken as “a select few”. However, one must know which answer is the “best” one and choose it.
×:Committee members should be involved in the planning, testing, and implementation phases.
This option is incorrect because it is true that committee members need to be involved in the planning, testing, and implementation phases. If Matthew, the coordinator of the BCP, is a good business leader, he will consider it best to make team members feel ownership over their duties and roles. The people who develop the BCP must also be the ones who implement it. If some critical tasks are expected to be performed during a time of crisis, additional attention should be given to them during the planning and testing phases.
×:The business continuity coordinator should work with management to appoint committee members.
This is incorrect because the BCP coordinator should work with management to appoint committee members. However, management’s involvement does not end there. The BCP team should work with management to finalize the goals of the plan, identify the critical parts of the business that must be handled first in the event of a disaster, and identify department and task priorities. Management also needs to help direct the team on the scope and specific goals of the project.
×:The team should consist of people from different departments within the company.
This is incorrect because the team should consist of people from different departments within the company. This will be the only way for the team to consider the risks and threats that each department faces according to the organization.
#55. What is code review?
〇:A review by another coder after the coder has completed coding.
A static code review is a review performed by another engineer to catch points that were not apparent to the author. Thus, the correct answer is “A review by another coder after the coder has completed coding.”
×:To allow coders to see each other’s coding and work in parallel.
Extreme programming (XP) is a flexible development method in which a program is written while discussing it in pairs. It is not code review.
×:Ensuring that proper transaction processing is applied before check-in.
This is a statement about database transaction commits.
×:Ensuring that the appropriate questions and answers exist.
The presence of appropriate question and answer may be part of what is performed during the code review, but it is not a description of the code review itself.
#56. Which of the following would not be considered an attack motivated by gaining money?
Distributed Denial of Service (DDoS) attacks usually do not provide financial gain to the attacker. Often, the motivation is revenge, disagreement with the organization’s policy decisions, or the attacker demonstrating the extent of his or her animosity toward the organization. Certainly, a DDoS can be used to inflate the cost of a pay-as-you-go cloud service by causing it to consume more resources than expected through high-volume access, but even then financial gain is not the objective of the parties involved.
#57. We are implementing several new standards and frameworks in our organization. We have decided to do scoping on one of the standards we are implementing. What will that entail?
#58. Which of the following are possible standards used for credit card payments?
〇:PCI DSS
PCI DSS (Payment Card Industry Data Security Standard) is a framework for preventing leakage of personal information when making electronic payments. Therefore, the correct answer is “PCI DSS”.
By the way, when a question asks “Which of the following are possible?”, I am tempted to argue that other frameworks may be used as well. However, the CISSP exam sometimes requires choosing “the most plausible” option, which is why this phrasing has been used.
×:HITECH
The Health Information Technology for Economic and Clinical Health Act (HITECH) is an enhanced version of HIPAA that applies not only to data management but also to health care business associates.
×:OCTAVE
OCTAVE is one of the risk assessment frameworks introduced by CERT.
×:COBIT
COBIT is a framework for measuring the maturity of a company’s IT governance. It was proposed by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI).
#59. Which of the following is the best way to reduce brute force attacks that allow intruders to reveal user passwords?
〇:Lock out the account for a certain period of time after reaching the clipping level.
A brute force attack continuously tries different inputs to achieve a predefined goal, which can then be used to gain unauthorized access. A brute force attack to discover a password means the intruder tries all possible sequences of characters to reveal the correct password. Disabling (locking out) the account after such an attempt is detected therefore proves to be a good countermeasure.
×:Increase the clipping level.
This is incorrect because clipping levels need to be implemented to establish a baseline of user activity and acceptable errors. An entity attempting to log into an account after the clipping level is met should be locked out. A higher clipping level gives the attacker more attempts before a warning or lockout occurs; lowering the clipping level is the good countermeasure.
×:After the threshold for failed login attempts is met, the administrator should physically lock out the account.
This is incorrect because it is impractical to have an administrator physically lock out an account. This type of activity can easily be taken care of through automated software mechanisms. Accounts should be automatically locked out for a certain amount of time after a threshold of failed login attempts is met.
×:Encrypt password files and choose a weaker algorithm.
This is incorrect because encrypting passwords and/or password files with a weaker algorithm increases the likelihood of a successful brute force attack.
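The lockout described in this question, as an added example that is not part of the exam text: a Python login guard that counts failed attempts per account, locks the account automatically (no administrator action) once the clipping level is reached, and shows that a lower clipping level leaves a password guesser fewer evaluated attempts. Account names, the 15-minute window and the clipping levels are assumed values for the example.

```python
import time
from dataclasses import dataclass

@dataclass
class LockoutPolicy:
    clipping_level: int = 5          # failed attempts tolerated before the account locks
    lockout_seconds: float = 900.0   # how long the account stays locked (assumed: 15 minutes)

@dataclass
class AccountState:
    failures: int = 0          # consecutive failures since the last success or lockout
    locked_until: float = 0.0  # clock value at which the lockout expires

class LoginGuard:
    """Counts failed logins per account and locks the account automatically once
    the clipping level is reached. The clock is injectable so that the expiry of
    the lockout window can be simulated deterministically."""

    def __init__(self, policy: LockoutPolicy, clock=time.monotonic):
        self.policy = policy
        self.clock = clock
        self.accounts: dict[str, AccountState] = {}

    def is_locked(self, user: str) -> bool:
        state = self.accounts.get(user)
        return state is not None and state.locked_until > self.clock()

    def attempt(self, user: str, password_ok: bool) -> str:
        """Returns 'locked', 'ok' or 'denied'. A locked account is refused even
        when the supplied credential is correct, so guessing cannot continue."""
        state = self.accounts.setdefault(user, AccountState())
        if self.is_locked(user):
            return "locked"
        if password_ok:
            state.failures = 0
            return "ok"
        state.failures += 1
        if state.failures >= self.policy.clipping_level:
            state.locked_until = self.clock() + self.policy.lockout_seconds
            state.failures = 0
        return "denied"

def guesses_before_lockout(clipping_level: int, max_guesses: int = 1000) -> int:
    """Simulate a password guesser against one account (assumed name 'alice') and
    return how many guesses are actually evaluated before the lockout stops them."""
    guard = LoginGuard(LockoutPolicy(clipping_level=clipping_level), clock=lambda: 0.0)
    evaluated = 0
    for _ in range(max_guesses):
        if guard.attempt("alice", password_ok=False) == "locked":
            break
        evaluated += 1
    return evaluated

def lockout_expires(clipping_level: int = 3, lockout_seconds: float = 900.0) -> tuple:
    """Show that a correct password is refused inside the lockout window and
    accepted again once the window has elapsed (simulated clock)."""
    now = [0.0]
    guard = LoginGuard(LockoutPolicy(clipping_level, lockout_seconds), clock=lambda: now[0])
    for _ in range(clipping_level):
        guard.attempt("bob", password_ok=False)       # reach the clipping level
    during = guard.attempt("bob", password_ok=True)   # still inside the window
    now[0] += lockout_seconds + 1                     # advance past the window
    after = guard.attempt("bob", password_ok=True)
    return during, after
```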
#60. Which of the following are effective measures against rainbow tables?
〇:Salt
A rainbow table is a precomputed table of password hashes paired with the plaintexts that produce them; it can contain millions of pairs. A salt is random data used as additional input to the one-way function that “hashes” a password or passphrase. The primary function of a salt is to protect against dictionary attacks and precompiled rainbow table attacks.
×:Login Attempt Restrictions
Effective against all unauthorized login methods, but not a direct or effective countermeasure against rainbow tables.
×:Key stretching
Replacing passwords with longer, random strings for encryption purposes.
×:Hashing
Password hashing produces a fixed-length digest (hash) for secure password storage.
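Why a salt defeats a precomputed table, as an added example that is not part of the exam text: the attacker's table is simplified to a flat digest-to-plaintext lookup built from a constructed wordlist (a real rainbow table uses hash chains, but the lookup fails for the same reason). The unsalted hash is found immediately; the salted one is not, and two users with the same password get different stored values. The wordlist, the 16-byte salt and the PBKDF2 iteration count are assumed values.

```python
import hashlib
import hmac
import os

# Constructed sample wordlist standing in for the plaintexts an attacker precomputed.
WORDLIST = ["password", "letmein", "123456", "qwerty", "hunter2"]
ITERATIONS = 50_000  # PBKDF2 work factor; assumed value for this example

def build_lookup_table(words):
    """Precompute unsalted SHA-256 digests, keyed by digest so that a stolen hash
    can be looked up directly (a flat stand-in for a rainbow table)."""
    return {hashlib.sha256(w.encode()).hexdigest(): w for w in words}

def store_unsalted(password):
    """Weak scheme: the stored value depends only on the password, so the same
    password always produces the same hash and a precomputed table applies."""
    return hashlib.sha256(password.encode()).hexdigest()

def store_salted(password, salt=None):
    """Salted scheme: a random 16-byte salt is mixed into the hash and stored next
    to it as 'salt$digest'. The salt is not secret, only unique per password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()

def verify_salted(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)

def recover_with_table(stored_value, table):
    """The attacker's lookup: returns the plaintext if the stored hash is in the
    table, or None. For a salted value the digest part is looked up."""
    digest_hex = stored_value.split("$")[-1]
    return table.get(digest_hex)
```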
#61. Which of the following is NOT included in the risk assessment?
〇:Cessation of activities that pose a risk.
This question is about choosing what is not included. Discontinuing an activity that introduces risk is a way to address risk through avoidance. For example, there are many risks surrounding the use of instant messaging (IM) within a company. If a company decides not to allow the use of IM because there is no business need to do so, banning this service is an example of risk avoidance. The risk assessment does not include the implementation of such measures. Therefore, the correct answer is “discontinue the activity that poses a risk”.
×:Asset Identification
This is incorrect because identifying assets is part of the risk assessment, and the question asks for what is not included. To determine the value of an asset, the asset must first be identified. Identifying and valuing assets is another important task of risk management.
×:Threat Identification
This is incorrect because identifying threats is part of the risk assessment, and the question asks for what is not included. A risk exists because a threat could exploit a vulnerability; if there are no threats, there are no risks. Risk links vulnerabilities, threats, and the resulting potential for exploitation to the business.
×:Risk analysis in order of cost
Analyzing risks in order of cost or criticality is part of the risk assessment process, so this option is incorrect because the question asks for what is not included. A risk assessment examines and quantifies the risks a company faces. Risks must be addressed in a cost-effective manner, and knowing the severity of a risk allows the organization to determine how to address it effectively.
#62. Which attacks occur regardless of system architecture and installed software?
〇:Social Engineering
Social engineering is an attack that exploits human error rather than system weaknesses. It occurs regardless of system architecture and installed software.
×:DDoS Attacks
A DDoS attack is a mass DoS attack against a target website or server from multiple computers.
×:Ransomware
Ransomware is malware that freezes data by encrypting it and demands a ransom from the owner.
×:Zero-day attacks
A zero-day attack is an attack on a vulnerability that was disclosed before it was fixed.
#63. Different levels of RAID determine the type of activity that occurs within a RAID system. Which level of RAID is associated with byte-level parity?
〇:RAID Level 3
RAID redundant arrays provide fault tolerance capability for hard drives and can improve system performance. Redundancy and speed are provided by splitting data and writing it to multiple disks, allowing different disk heads to operate simultaneously to retrieve requested information. At this time, recovery data is also created. This is called parity; if one disk fails, the parity data can be used to reconstruct the corrupted or lost information. Different levels of RAID systems experience different activities that provide fault tolerance or improved performance. RAID level 3 is a method that uses byte-level striping and dedicated parity disks.
×:RAID Level 0
Wrong because only striping occurs at level 0.
×:RAID Level 5
RAID 5 is incorrect because it uses block-level striping and interleaved parity on all disks.
×:RAID Level 10
Level 10 is incorrect because it is associated with striping and mirroring.
#64. Which security architecture model defines how to securely develop access rights between subjects and objects?
〇:Graham-Denning Model
The Graham-Denning model addresses how access rights between subjects and objects are defined, developed, and integrated. It defines a basic set of rights in terms of the commands that a particular subject can execute on an object. The model has eight basic protection rights, or rules, for how to perform these types of functions securely.
×:Brewer-Nash Model
The Brewer-Nash model is incorrect because its purpose is to provide access control that changes dynamically according to the user’s previous actions. Its main purpose is to protect against conflicts of interest arising from user access attempts. For example, if a large marketing firm provides marketing promotions and materials for two banks, the employee responsible for the Bank A project should not be able to see information about Bank B, the marketing firm’s other bank customer. A conflict of interest could arise because the banks are competitors. If the project manager of the marketing firm’s Project A could see information about Bank B’s new marketing campaign, he might be tempted to use it for his own project to please his more direct customer rather than promote it. A marketing firm would get a bad reputation if its internal employees could act that irresponsibly.
×:Clark-Wilson Model
The Clark-Wilson model is incorrect because it is implemented to protect data integrity and ensure that transactions are properly formatted within the application. Subjects can only access objects through authorized programs. Segregation of duties is enforced. Auditing is required. The Clark-Wilson model addresses three integrity goals: preventing changes by unauthorized users, preventing inappropriate changes by authorized users, and maintaining internal and external consistency.
×:Bell-LaPadula Model
The Bell-LaPadula model is incorrect because it was developed to address concerns about the security of U.S. military systems and the leakage of classified information. The primary goal of the model is to prevent unauthorized access to classified information. It is a state machine model that enforces the confidentiality aspect of access control. Matrices and security levels are used to determine whether a subject may access different objects. Specific rules are applied to control how subjects interact with objects based on the subject’s clearance and the object’s classification.
#65. In a redundant array in a RAID system, data and parity information is striped across several different disks. What is parity information?
〇:Information used to reconstruct data
RAID can improve system performance by providing fault tolerance to the hard drive and the data it holds. Redundancy and speed are provided by splitting the data and writing it to multiple disks, allowing different disk heads to operate simultaneously to retrieve the requested information. Control data is also distributed across each disk. This is called parity, and if one disk fails, the other disks can work together to recover the data.
×:Information used to create new data
This is incorrect because parity information is not used to create new data, but rather as instructions on how to recreate lost or corrupted data.
×:Information used to erase data
Parity information is not used to erase data. This is incorrect because it is used as instructions on how to recreate lost or corrupted data.
×:Information used to construct data
Parity information is not used to create data. Incorrect because it is used as instructions on how to recreate lost or corrupted data.
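Byte-level striping with a dedicated parity disk (RAID 3, question #63) and parity as reconstruction information (question #65), as one added example that is not part of the exam text: the data is striped byte by byte across three assumed data disks, the parity disk holds their XOR, one data disk is then discarded and rebuilt from the parity plus the surviving disks. The disk count and sample data are constructed for the example.

```python
def stripe_bytes(data: bytes, n_data_disks: int) -> list:
    """RAID 3 style byte-level striping: byte i of the data goes to disk i % n.
    Disks are zero-padded so that every disk holds the same number of bytes."""
    disks = [bytearray() for _ in range(n_data_disks)]
    for i, b in enumerate(data):
        disks[i % n_data_disks].append(b)
    length = max(len(d) for d in disks)
    for d in disks:
        d.extend(b"\x00" * (length - len(d)))
    return disks

def compute_parity(disks: list) -> bytearray:
    """The dedicated parity disk holds the XOR of the data disks, byte by byte.
    It contains no new data, only the recovery information."""
    parity = bytearray(len(disks[0]))
    for d in disks:
        for i, b in enumerate(d):
            parity[i] ^= b
    return parity

def reconstruct_disk(disks: list, parity: bytearray) -> bytearray:
    """Rebuild the single disk marked None: XOR the parity with every surviving
    data disk. A single parity disk cannot recover two simultaneous failures,
    so that case is rejected instead of returning garbage."""
    missing = [i for i, d in enumerate(disks) if d is None]
    if len(missing) != 1:
        raise ValueError("single parity can rebuild exactly one failed disk")
    rebuilt = bytearray(parity)
    for d in disks:
        if d is not None:
            for i, b in enumerate(d):
                rebuilt[i] ^= b
    return rebuilt

def unstripe(disks: list, original_length: int) -> bytes:
    """Inverse of stripe_bytes: reassemble the original byte sequence."""
    n = len(disks)
    return bytes(disks[i % n][i // n] for i in range(original_length))

def rebuild_and_read(data: bytes, n_data_disks: int, failed_disk: int) -> bytes:
    """Write data across the array, lose one data disk, rebuild it from parity
    and return what the array reads back afterwards."""
    disks = stripe_bytes(data, n_data_disks)
    parity = compute_parity(disks)
    disks[failed_disk] = None                     # simulate the disk failure
    disks[failed_disk] = reconstruct_disk(disks, parity)
    return unstripe(disks, len(data))
```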
#66. If you use one-time passwords, which authentication type are you referring to?
#67. My organization has been ordered by the court to comply with the EU Data Protection Directive. What is one of the things you must do?
The EU Data Protection Directive is a very aggressive privacy law. Organizations must inform individuals how their data is collected and used. Organizations must allow people to opt out of data sharing with third parties. Opt-in is required to share the most sensitive data. No data may be transferred out of the EU unless the recipient country is found to have adequate (equivalent) privacy protections, and the U.S. does not meet this standard.
#68. Which of the following is an axiom of access control to ensure that rewriting a supervisor’s document does not release incorrect information to the supervisor?
〇:* (star) Integrity Property
The Biba model defines integrity through two axioms. The Simple Integrity Axiom states that there is no Read Down, that is, a subordinate’s document is not to be read. The * (star) Integrity Property states that there is no Write Up, that is, a supervisor’s document is not to be rewritten. If the Simple Integrity Axiom is not followed, a subordinate’s document will be read and unclassified, incorrect information from a lower level may be absorbed. If the * (star) Integrity Property is not followed, a supervisor’s document will be rewritten, which releases incorrect information to the supervisor who reads it. Therefore, both are integrity conditions.
×:Simple Integrity Property
The Simple Integrity Property is a constraint on Read Down.
×:Strong Tranquillity Axiom
The Strong Tranquillity Axiom is the constraint not to change permissions while the system is running.
×:Weak Tranquillity Axiom
The Weak Tranquillity Axiom means that privileges are not changed in a way that would make the attributes inconsistent.
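The two Biba axioms from question #68 as a small policy checker, an added example that is not part of the exam text: integrity levels are an assumed three-step scale, and the scenario function evaluates the subordinate/supervisor document cases the explanation walks through, reporting which axiom blocks a denied access.

```python
from enum import IntEnum

class Integrity(IntEnum):
    """Integrity levels; a higher value means more trustworthy (assumed scale)."""
    LOW = 1      # subordinate's documents
    MEDIUM = 2
    HIGH = 3     # supervisor's documents

def simple_integrity_allows_read(subject: Integrity, obj: Integrity) -> bool:
    """Simple Integrity Axiom, 'no read down': a subject may read only objects
    at its own integrity level or higher."""
    return subject <= obj

def star_integrity_allows_write(subject: Integrity, obj: Integrity) -> bool:
    """* (star) Integrity Property, 'no write up': a subject may write only to
    objects at its own integrity level or lower."""
    return subject >= obj

def check_access(subject: Integrity, obj: Integrity, mode: str) -> tuple:
    """Return ('allow', None) or ('deny', <name of the axiom that blocked it>)."""
    if mode == "read":
        if simple_integrity_allows_read(subject, obj):
            return ("allow", None)
        return ("deny", "Simple Integrity Axiom (no read down)")
    if mode == "write":
        if star_integrity_allows_write(subject, obj):
            return ("allow", None)
        return ("deny", "* Integrity Property (no write up)")
    raise ValueError(f"unknown access mode: {mode}")

# Constructed scenario from the question: a subordinate, a supervisor and their documents.
SUBORDINATE = Integrity.LOW
SUPERVISOR = Integrity.HIGH
SUBORDINATE_DOC = Integrity.LOW
SUPERVISOR_DOC = Integrity.HIGH

def scenario() -> dict:
    """Evaluate the four combinations discussed in the explanation above."""
    return {
        "subordinate writes supervisor doc": check_access(SUBORDINATE, SUPERVISOR_DOC, "write"),
        "supervisor reads subordinate doc": check_access(SUPERVISOR, SUBORDINATE_DOC, "read"),
        "subordinate reads supervisor doc": check_access(SUBORDINATE, SUPERVISOR_DOC, "read"),
        "supervisor writes subordinate doc": check_access(SUPERVISOR, SUBORDINATE_DOC, "write"),
    }
```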
#69. The Recovery Time Objective (RTO) and the Maximum Tolerable Downtime (MTD) metric have similar roles, but their values are defined differently. Which of the following best describes the difference between RTO and MTD metrics?
#70. Would it make sense to measure marketing metrics from a security perspective?
〇:Yes. The same goal should be held because there is security in achieving corporate goals.
There are KPIs and other marketing indicators for achieving organizational goals. The security function in the organization also exists to achieve these goals.
×:Yes. Marketing in the security industry is allowed to be risk-off.
By “marketing in the security industry,” I do not mean aligning the security function within the organization.
×:No. The division of labor should be strictly enforced and left to specialists.
While the division of labor in an organization is certainly important, all members of the organization need to be security conscious.
×:No. Security has nothing to do with confidential information that would be an executive decision.
Security should be addressed by the entire organization. It is not irrelevant.
#71. According to the Kerckhoffs’s principle, which of the following should not leak?
Kerckhoffs’s principle is the idea that a cryptosystem should remain secure even if everything about it except the private key is known. When encrypting data, one decides on a private key and on how to encrypt using that key. Kerckhoffs says that even if it is known how the data is encrypted, it should not be decipherable as long as the secret key is not discovered. Cryptography has accompanied the history of human warfare; its main purpose is to communicate a strategy to one’s allies without it being discovered by the enemy. In battle, designs and encryption devices may be stolen by spies. Therefore, the encryption must be such that it cannot be broken without the key, no matter how much is known about how it works.
#72. We are looking to move to a cloud-based solution to eliminate the increasing cost of maintaining our own server network environment. Which of the following is the correct definition and mapping of a typical cloud-based solution to choose?
〇:The cloud provider provides Platform as a Service: a computing platform that may include an operating system, database, and web servers.
Cloud computing is a term used to describe the aggregation of network and server technologies, each virtualized, to provide customers with a specific computing environment that matches their needs. This centralized control provides end users with self-service, broad access across multiple devices, resource pooling, rapid elasticity, and service monitoring capabilities.
There are different types of cloud computing products: IaaS provides virtualized servers in the cloud; PaaS provides a platform on which customers develop their own applications; and SaaS lets the service provider deploy a finished service that requires no development, with a choice of functionality. The description in the question, a computing platform that may include an operating system, database, and web server, fits the definition of PaaS, because the customer’s original application remains as it is. Thus, the correct answer is “The cloud provider provides Platform as a Service: a computing platform that may include an operating system, database, and web servers.”
×:The cloud provider provides Infrastructure as a Service: a computing platform that may include an operating system, database, and web servers.
IaaS Description.
×:The cloud provider provides software services that offer an infrastructure environment similar to that of a traditional data center.
This is a description of the operational benefits of cloud computing. It is not a definition.
×:The cloud provider provides Software as a Service in a computing platform environment where the application functionality is built in.
SaaS Description.
#73. Which option best describes the role of the Java Virtual Machine in the execution of Java applets?
〇:Converts bytecode to machine-level code.
Java is an object-oriented, platform-independent programming language. It is used as a full-fledged programming language to write programs called applets that run in the user’s browser. Java is platform independent because it compiles to bytecode, an intermediate code that is not processor-specific. The Java Virtual Machine (JVM) converts bytecode into machine-level code that can be understood by the processor of a particular system.
×:Converts source code to bytecode and blocks the sandbox.
This is incorrect because the Java Virtual Machine converts bytecode to machine-level code; converting source code to bytecode is the job of the Java compiler, not the JVM. The JVM also creates a virtual machine in an environment called the sandbox. This virtual machine is the enclosed environment in which the applet executes its activities. The applet is typically sent via HTTP within the requested web page and is executed as soon as it arrives. If the applet is poorly written, it may intentionally or accidentally perform a malicious act. Therefore, the sandbox strictly limits the applet’s access to system resources. The JVM mediates access to system resources to ensure that applet code runs and works within its own sandbox.
×:It runs only on specific processors within a specific operating system.
This is incorrect because Java is an object-oriented, platform-independent programming language. Other languages are compiled into object code for specific operating systems and processors; thus, a particular application may run on Windows but not on Mac OS, and Intel processors do not necessarily understand machine code compiled for Alpha processors. Java is platform independent because it compiles to bytecode, an intermediate code that is not processor-specific.
×:Develop an applet that runs in the user’s browser.
This is incorrect because the Java Virtual Machine does not create applets. Java is adopted as a full-fledged programming language and is used to write complete and short programs called applets that run in the user’s browser. Programmers create Java applets and run them through a compiler. The Java compiler converts the source code into byte code. The user then downloads the Java applet. The bytecode is converted to machine-level code by the JVM. Finally, the applet is executed when invoked.
#74. Which of the following must be done before a penetration test is performed?
〇:Approval of the attack to the target organization
Permission for the attack must be obtained from the target organization during the planning phase. Even though it is a test, it takes actions similar to an attack. The target system cannot be updated while the test is running, so approval must be obtained. The testers also need to understand the system to be penetrated in great detail, so care is needed that this information itself is not leaked to the outside world. Also, a successful intrusion indicates that the system has been compromised, so an arrangement is needed such as informing the company of the situation without waiting for the report to be produced. Therefore, the correct answer is “Approval of the attack to the target organization”.
×:Share the target organization’s design documents.
This is done as necessary. Although there are various design documents, detailed documents such as detailed design and program design documents are generally not provided; only the usage of the service and the basic server configuration are generally shared.
×:Confirmation of OS version
As a rule, this is not done. Penetration testing generally starts from the reconnaissance an attacker would perform, and in particular there are few cases where the OS version is disclosed to the penetration tester.
×:Deployment of the attack tools to be used
It is not uncommon for the attack tools to be specified by the organization that owns the target system. However, this in itself limits the attack methods and so does not constitute a realistic test.
#75. Smith, who lives in the United States, writes books. Copyright in the book is automatically granted and all rights are owned. How long is copyright protected after the creator’s death?
#76. When attackers set up war dialing, what do they try to do?
War dialing is the indiscriminate and repeated act of dialing numbers in search of dial-up lines, such as those of non-public internal networks. It automatically scans a list of telephone numbers, usually dialing every number in a local area code, searching for modems, computers, bulletin board systems, and fax machines.
#77. Which of the following is not an acronym for CIA Triad?
#78. TLS is a protocol used to protect transactions that occur over an untrusted network. Which of the following is an appropriate description of what takes place during the setup process of a TLS connection?
〇:The client generates a session key and encrypts it with a public key.
Transport Layer Security (TLS) uses public key cryptography to provide data encryption, server authentication, message integrity, and optionally client authentication. When a client accesses a cryptographically protected page, the web server initiates TLS and begins the process of securing subsequent communications. The server performs a three-way handshake to establish a secure session. After that, client authentication with a digital certificate may take place, depending on the case. The client then generates a session key, encrypts it with the server’s public key, and shares it. This session key is used as the symmetric key for encrypting the data transmitted thereafter. Thus, the correct answer is “The client generates a session key and encrypts it with a public key.”
×:The server generates the session key and encrypts it with the public key.
The server does not encrypt with the public key.
×:The server generates a session key and encrypts it with the private key.
Even if the server encrypted the session key with its private key, anyone holding the public key could decrypt it, so this is not structurally possible.
×:The client generates a session key and encrypts it with its private key.
The client side does not have the private key.
#79. Fred is told that he needs to test components of a new content management application under development to validate data structures, logic, and boundary conditions. What tests should he perform?
〇:Unit Testing
Unit testing involves testing individual components in a controlled environment to verify data structures, logic, and boundary conditions. After the programmer develops a component, it is tested with several different input values and in a variety of situations. Unit testing can begin early in the development process and usually continues throughout the development phase. One of the benefits of unit testing is that it identifies problems early in the development cycle. It is easier and less expensive to make changes to individual units.
×:Acceptance Testing
This is incorrect because acceptance testing is done to verify that the code meets the customer’s requirements. This test is applied to some or all of the application, but usually not individual components.
×:Regression Testing
Regression testing is incorrect because it means retesting a system after changes have been made to ensure its functionality, performance, and protection. Essentially, regression testing is done to identify bugs where functionality no longer works as intended as a result of a program change. It is not uncommon for developers to fix one problem and accidentally create a new one, or to fix a new problem and reintroduce an old one. Regression testing involves checking for previously fixed bugs to ensure that they have not reappeared, and re-running previous tests.
×:Integration Testing
Integration testing is incorrect because it verifies that components work together as outlined in the design specification. After unit testing, individual components or units are tested in combination to verify that they meet functional, performance, and reliability requirements.
#80. When penetration testers are doing black box testing, how much do they know about the target?
〇:The attacker knows nothing about the organization other than the information that is publicly available.
In black box testing (zero-knowledge), the attacker has no knowledge about the organization other than publicly available information. The focus is on what an external attacker can do. Therefore, the correct answer is “The attacker knows nothing about the organization other than the information that is publicly available”.
×:They know everything.
White box testing is testing to verify the operation of a program, which is done with knowledge of what is in the program.
×:They have the product manual and privileged access.
A gray box test is one in which the pen tester has only limited knowledge of the program. This option describes a white box test or a gray box test.
×:The vendor retains an accessible level of information.
In a black box test, the attacker has no information in principle.
#81. In computer programming, coupling and cohesion are used as measures of module design. Which of the following is the preferred combination of coupling and cohesion?
It is good for a module to have low coupling and high cohesion. The higher the cohesion, the easier the module is to update and modify without affecting the other modules it interacts with. This also means that modules are easier to reuse and maintain. Coupling is a measure of how much interaction a single module requires to perform its task. If a module’s coupling is low, the module does not need to communicate with many other modules to do its job; it is easier to understand and reuse than a module that depends on many other modules, and it can be modified without affecting the many modules around it. Therefore, the correct answer is “low-coupling, high-cohesion”.
#82. The importance of protecting audit logs generated by computers and network devices is being stressed more than ever before, as required by and as per many regulations today. Which of the following does not explain why audit logs should be protected?
〇:The format of the audit log is unknown and is not available to the intruder in the first place.
Audit tools are technical controls that track activity within a network, on a network device, or on a specific computer. Auditing is not an activity that denies an entity access to a network or computer; it tracks activity so that the security administrator can understand the type of access made, identify security violations, or be alerted to suspicious activity. This information points out weaknesses in other technical controls and helps the administrator understand where changes need to be made to maintain the required level of security within the environment. Intruders can also use this information to exploit these weaknesses. Therefore, audit logs should be protected by controls on privileges, permissions, and integrity, such as hashing algorithms. However, the format of system logs is generally standardized across all similar systems. Hiding the log format is not a normal measure and is not a reason to protect audit log files.
×:If not properly protected, audit logs may not be admissible during prosecution.
This is incorrect because great care must be taken to protect audit logs in order for them to be admissible in court. Audit trails can be used to provide alerts about suspicious activity that can be investigated later. In addition, it is useful in determining exactly how far away the attack took place and the extent of any damage that may have occurred. It is important to ensure that a proper chain of custody is maintained so that all data collected can be properly and accurately represented in case it needs to be used in later events such as criminal proceedings or investigations.
×:Because audit logs contain sensitive data, only a specific subset of users should have access to them.
This is incorrect because only administrators and security personnel need to be able to view, modify, and delete audit trail information. Others cannot see this data and can rarely change or delete it. The use of digital signatures, message digest tools, and strong access controls can help ensure the integrity of the data. Its confidentiality can be protected with encryption and access control as needed, and it can be stored on write-once media to prevent data loss or tampering. Unauthorized access attempts to audit logs should be captured and reported.
×:Intruders may attempt to scrub logs to hide their activities.
If an intruder breaks into your home, do your best to leave no fingerprints or clues that can be used to link them to criminal activity. The same is true for computer fraud and illegal activity. Attackers often delete audit logs that hold this identifying information. In the text, deleting is described as scrubbing. Deleting this information may alert administrators to an alert or perceived security breach and prevent valuable data from being destroyed. Therefore, audit logs should be protected by strict access controls.
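The integrity controls mentioned above (hashing, message digests, write-once or off-host copies) can be demonstrated with a keyed hash chain over the log. The following is an added example written for this page, not code from the original text; the events, the verification key and the record layout are constructed for illustration. Each record's tag covers its own message and the previous tag, so scrubbing a line, editing a line or reordering lines breaks the chain, and an attacker without the key cannot recompute valid tags.

```python
import hashlib
import hmac

# Constructed sample audit events, not real system output.
SAMPLE_EVENTS = [
    "2024-01-01T10:00:00Z sshd: Accepted password for alice from 10.0.0.5",
    "2024-01-01T10:05:12Z sudo: alice : COMMAND=/bin/cat /etc/shadow",
    "2024-01-01T10:06:40Z sshd: Failed password for root from 10.0.0.9",
]

GENESIS = "0" * 64  # tag that the first record chains to


def _tag(key, prev, message):
    # Keyed MAC over the previous tag and this message: an intruder who
    # edits a line cannot recompute valid tags without the key.
    return hmac.new(key, (prev + "\n" + message).encode(), hashlib.sha256).hexdigest()


def append_record(chain, message, key):
    """Append one record; its tag covers the message and the previous tag."""
    prev = chain[-1]["tag"] if chain else GENESIS
    chain.append({"seq": len(chain), "msg": message, "prev": prev, "tag": _tag(key, prev, message)})
    return chain


def build_log(events, key):
    chain = []
    for event in events:
        append_record(chain, event, key)
    return chain


def verify_chain(chain, key):
    """Return (True, None) if intact, else (False, index of the first bad record)."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["seq"] != i or rec["prev"] != prev:
            return False, i  # record removed, inserted or reordered
        if not hmac.compare_digest(_tag(key, prev, rec["msg"]), rec["tag"]):
            return False, i  # record contents altered
        prev = rec["tag"]
    return True, None


def matches_anchor(chain, anchor_tag):
    """Check the newest tag against a copy kept off-host (write-once media or a
    remote log server); this is what catches silent truncation of the tail."""
    last = chain[-1]["tag"] if chain else GENESIS
    return hmac.compare_digest(last, anchor_tag)


def scrub_record(chain, index):
    """Simulate an intruder deleting one record and renumbering the rest."""
    scrubbed = [dict(r) for r in chain if r["seq"] != index]
    for i, rec in enumerate(scrubbed):
        rec["seq"] = i
    return scrubbed


if __name__ == "__main__":
    key = b"audit-verification-key"  # assumed to be held by the security team only
    log = build_log(SAMPLE_EVENTS, key)
    print(verify_chain(log, key))                   # (True, None)
    print(verify_chain(scrub_record(log, 1), key))  # (False, 1)
```

Note the caveat the chain alone does not cover: cutting off the newest records leaves a chain that still verifies, which is why the latest tag must also be anchored somewhere the intruder cannot reach, such as write-once media or a separate log server.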
#83. Which of the following is NOT a characteristic of a company with a security governance program?
〇:All security activities shall be conducted within the security department.
When all security activities are performed within the security department, security functions in a silo and is not integrated throughout the organization. In companies with a security governance program, security responsibilities are pervasive throughout the organization, from senior management down the chain of command. A common scenario is executive management holding the executive director of operations responsible for risk management activities in a particular business unit. Likewise, employees are held accountable for malicious or accidental security breaches.
×:Officers will be updated quarterly on the company’s security status.
Incorrect. Security governance provides strategic guidance and ensures that goals are met, risks are properly managed, and resources are used responsibly. In an organization with a security governance program, the board of directors understands the importance of security and is kept aware of the organization’s security performance and breaches.
×:Deploy security products, services, and consultants in an informed manner.
Incorrect because security governance is a cohesive system of integrated security components that includes products, people, training, and processes. An organization with a security governance program therefore deploys security products, managed services, and consultants in an informed manner, and continually reviews them to ensure they are cost effective.
×:The organization establishes metrics and goals for improving security.
Incorrect because security governance requires performance measurement and oversight mechanisms. Organizations with a security governance program continually review their processes, including security, with the goal of continuous improvement. An organization lacking a security governance program, on the other hand, may proceed without analyzing its performance and thus repeat the same mistakes.
#84. What kind of person does the root of the word sabotage refer to?
#85. Measuring damage and recovery requirements with different metrics helps quantify risk. Which of the following is correct about RPO (Recovery Point Objective) and RTO (Recovery Time Objective)?
RPO (Recovery Point Objective) is the target for how far in the past the point to which data is restored may lie when a failure occurs; in other words, the maximum acceptable amount of data loss, measured in time. When a failure occurs, the data currently being handled is lost and must be restored from backups, so it matters how far behind the current point in time the most recent backup is.
RTO (Recovery Time Objective) is the target time by which service must be restored after a failure. A service must not remain unavailable indefinitely, so failure response procedures and disaster drills are established to meet a target for the time from the occurrence of a failure to the restart of service.
#86. Virtual memory (virtual storage) combines RAM and secondary storage to form system memory. Which of the following is a security concern regarding virtual memory?
〇:Multiple processes are using the same resources.
The system uses reserved hard drive space (called swap space) to extend RAM. When volatile memory fills up, data is written from memory to the hard drive, and when a program requests that data again it is brought back from the drive into memory in units called pages. Accessing data stored in pages on the hard drive takes longer than accessing data in memory because it requires reads and writes to the physical disk. The security issue with swap space is that two or more processes can use the same resources and corrupt or damage each other’s data.
×:Allowing cookies to remain persistent in memory
Incorrect because virtual memory has nothing to do with cookies. Virtual memory uses hard drive space to extend RAM. Cookies are small text files used primarily by web browsers; they can contain credentials for web sites, site preferences, and shopping history, and are commonly used to maintain server-side web sessions.
×:Side-channel attacks are possible.
Incorrect because side-channel attacks are physical attacks. This type of attack gathers information about how a mechanism (e.g., a smart card or cryptographic processor) works from emitted radiation, the time spent processing, the power consumed to perform a task, and so on, and uses that information to reverse engineer the mechanism and reveal how it performs its security task. This is not related to virtual memory.
×:Two processes can perform a denial of service attack.
Incorrect. The biggest threat within a system where resources are shared between processes is that one process can adversely affect the resources of another, since the operating system must share memory among all processes. This is especially true of memory. It is possible for two processes to cooperate in a denial-of-service attack, but that is only one of the attacks that can be performed with or without virtual memory.
#87. A company is moving back to its original site or to a new site. Which phase of business continuity planning is it in?
〇:Reconstitution Phase
When a firm returns to its original site or moves to a new site, it is ready to enter the reconstitution phase. The firm is not out of the emergency state until it is operating at the original primary site or at the new site built to replace it. If a firm needs to return from the alternate site to the original site, a number of logistical issues must be considered, including ensuring employee safety, making sure communication and connectivity methods are working, and properly testing the new environment.
The question does not define the reconstitution (rebuilding) phase; you have to infer it from the question text. This tests whether you can read the question for its meaning rather than matching terms word for word.
×:Recovery Phase
Incorrect because the recovery phase involves preparing an off-site facility (if needed), rebuilding networks and systems, and organizing staff to move to the new facility. To get the company up and running as quickly as possible, the recovery process needs to be as structured as possible. Templates should be developed during the planning phase so that each team can use them during the recovery phase to take the necessary steps and document the results. The templates keep the teams on task and quickly communicate progress, obstacles, and expected recovery time to the team leader.
×:Project Initiation Phase
Incorrect because this is how the business continuity plan itself is initiated; it does not occur during execution of the plan. The project initiation phase includes obtaining management support, defining the scope of the plan, and securing funding and resources.
×:Damage Assessment Phase
Incorrect because damage assessment occurs at the start of the actual execution of the business continuity procedures. The damage assessment helps determine whether the business continuity plan should be activated, based on the activation criteria predefined by the BCP coordinator and team. After the damage assessment, the team moves into recovery mode if one or more of the situations listed in the criteria has occurred.
#88. Why are gates and fences installed as physical access controls?
Gates and fences serve as physical deterrents and preventive measures. A fence as low as 3 feet can be a deterrent; a fence as tall as 8 feet is both a deterrent and a preventive mechanism. The purpose of a fence is to limit the routes into and out of the facility so that entry and exit occur only through doors, gates, and turnstiles.
#89. Which of the following adequately describes parallel testing in disaster recovery testing?
〇:Ensure that some systems are executed at the alternate site.
A parallel test runs some systems at the alternate site and compares the results with those processed at the primary site. This confirms that the systems can run at the alternate site without affecting production service.
×:All departments will be sent a copy of the disaster recovery plan for completeness.
Incorrect because this describes a checklist test.
×:Representatives from each department meet to validate the plan.
Incorrect because this describes a structured walk-through test.
×:The normal operation system is taken down.
Incorrect because this describes a full-interruption test.
#90. A perpetrator with little or no computer experience has gained unauthorized access. Which of the following methods is the one most likely used?
〇:Shoulder Surfing Attacks
Shoulder surfing is a type of browsing attack in which an attacker looks over another person’s shoulder to see what appears on that person’s monitor or what is typed on the keyboard. Of the attacks listed, it is the easiest to perform because it requires no knowledge of the computer system. Therefore, the correct answer is a shoulder surfing attack.
×:Dictionary attack
A dictionary attack attempts unauthorized login by trying lists of common words as passwords; it targets users who use dictionary words as passwords.
×:Side-channel attack
A side-channel attack extracts system data by observing physical information such as power consumption, timing, or emissions.
×:Timing Attacks
A timing attack feeds various inputs to a device that performs cryptographic processing and deduces the key or other secret information from differences in processing time. For example, a longer processing time can indicate that the input passed further through the normal processing path, which is a rough clue about the secret.
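The timing attack described above can be shown end to end with an early-exit comparison next to its constant-time replacement. This is an added example for this page, not code from the original; the secret value and the "work counter" (a deterministic stand-in for measured elapsed time) are constructed so the result is reproducible offline. The attacker never sees the secret; they only submit guesses and observe how much work the check did.

```python
import hmac


class WorkCounter:
    """Counts bytes examined; a deterministic stand-in for measured elapsed time."""

    def __init__(self):
        self.steps = 0


def naive_compare(expected, provided, counter):
    """Early-exit comparison: stops at the first mismatch, so the work done
    (and the real-world time) grows with the length of the matching prefix."""
    if len(expected) != len(provided):
        return False
    for x, y in zip(expected, provided):
        counter.steps += 1
        if x != y:
            return False
    return True


def constant_time_compare(expected, provided, counter):
    """Examine every byte regardless of mismatches, as hmac.compare_digest does,
    so the work done is independent of how many bytes matched."""
    if len(expected) != len(provided):
        return False
    diff = 0
    for x, y in zip(expected, provided):
        counter.steps += 1
        diff |= x ^ y
    return diff == 0


def make_oracle(compare, secret):
    """What the attacker can observe: whether a guess was accepted, and how
    long the check took (here: how many steps it performed)."""
    def oracle(guess):
        counter = WorkCounter()
        accepted = compare(secret, guess, counter)
        return counter.steps, accepted
    return oracle


def recover_secret(oracle, length):
    """Recover the secret one byte at a time: for each position try every byte
    value and keep the one that makes the comparison do the most work."""
    guess = bytearray(length)
    for pos in range(length):
        best_byte, best_steps = 0, -1
        for candidate in range(256):
            guess[pos] = candidate
            steps, accepted = oracle(bytes(guess))
            if accepted:
                return bytes(guess)
            if steps > best_steps:
                best_byte, best_steps = candidate, steps
        guess[pos] = best_byte
    return bytes(guess)


# Constructed secret for the demonstration; an attacker would not know it.
SECRET = b"s3cr3t!!"


if __name__ == "__main__":
    print(recover_secret(make_oracle(naive_compare, SECRET), len(SECRET)))          # b's3cr3t!!'
    print(recover_secret(make_oracle(constant_time_compare, SECRET), len(SECRET)))  # all zero bytes
    print(hmac.compare_digest(SECRET, b"s3cr3t!!"))                                 # True
```

Against the early-exit check the attacker needs at most 256 guesses per byte instead of 256 to the power of the length; against the constant-time check every guess costs the same and the search learns nothing. In real code use the standard library's hmac.compare_digest for secrets rather than writing your own loop.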
#91. After a disaster has occurred, a damage assessment must be performed. Which of the following steps is the last one performed in the damage assessment?
〇:Declare the impact and consequences of the disaster.
The final step in the damage assessment is to declare the disaster. After the information from the damage assessment has been collected and evaluated, the team determines whether the BCP actually needs to be activated. The BCP coordinator and team should define the activation criteria before a disaster occurs.
×:Determine the cause of the disaster.
Incorrect because determining the cause of the disaster is the first step in the damage assessment process.
×:Identify resources that need to be replaced immediately.
Incorrect because identifying resources that need to be replaced immediately is not the last step in the damage assessment.
×:Determine how long it will take to bring critical functions back online.
Incorrect because determining how long it will take to bring critical functions back online is the second-to-last step in the damage assessment.
#92. ITIL (Information Technology Infrastructure Library) consists of five core publications. Which of the following IT service lifecycle stages is considered the core and focus of ITIL?
〇:Service Strategy
The basic approach of ITIL is to create a service strategy that focuses on the overall planning of the intended IT services. Once that initial planning is complete, Service Design provides guidelines for designing the agreed IT services and the overall implementation policies. Service Transition then provides guidelines for evaluating, testing, and validating the IT services, enabling the transition from business requirements into technical services. Service Operation ensures that all defined services achieve their objectives. Finally, Continual Service Improvement identifies areas for improvement throughout the service lifecycle. Service Strategy is considered the core of ITIL: it is a set of guidelines covering best practices for planning, design, and alignment of IT with the business, market analysis, service assets, setting goals for providing quality service to customers, and the strategy and value of implementing that service strategy.
×:Service Operations
Incorrect. Service Operation is a critical stage of the lifecycle, the one in which services are actually delivered, but it is not the core of ITIL. It defines a set of guidelines that ensure the agreed level of service is delivered to the customer. The areas it covers include event management, problem management, access management, incident management, application management, technology management, and operations management. Service Operation balances conflicting goals such as technology versus business requirements, stability versus responsiveness, cost versus quality of service, and reactive versus proactive activities.
×:Service Design
Incorrect because Service Design is a set of best practices for designing IT services, including the processes, architecture, policies, and documentation needed to meet current and future business requirements. Its goal is to design services that meet the agreed business objectives, design processes that support the service lifecycle, identify and manage risks, and improve the overall quality of IT services.
×:Service Transition
Incorrect because Service Transition focuses on delivering the services proposed by the service strategy into operational use. It includes guidelines that enable a smooth transition of the business model into technical services. If service requirements change after design, Service Transition ensures that those requirements are delivered in accordance with the changed design. Its areas of focus include transition planning and support, change management, knowledge management, release and deployment management, service validation and testing, and evaluation.
#93. What is a synthetic transaction?
#94. During which period is it appropriate to use maintenance hooks?
〇:Only during code development.
Maintenance hooks are functions and tools used temporarily by developers for testing purposes. In system development, such tools are provided to help confirm that individual functions work properly. However, if maintenance hooks are left in the production environment they may be used by attackers, so they must be removed.
×:Maintenance hooks should not be used.
Incorrect because maintenance hooks can legitimately make development and testing work more efficient.
×:When you want to make the software available to administrators in a simplified manner.
Incorrect because attackers can exploit tools that were supposed to be available only to administrators.
×:When you want users to be able to use the software in a simplified manner.
Incorrect because after the software is actually released, maintenance hooks are not made available to users.
#95. Which of the following is a drawback of the symmetric key system?
〇:Keys will need to be distributed via a secure transmission channel.
For two users to exchange messages encrypted with a symmetric algorithm, they first need a way to distribute the key. If the key is compromised, all messages encrypted with it can be decrypted and read by an intruder. Simply sending the key in an e-mail message is not secure, because the key is unprotected and can easily be intercepted and used by an attacker.
×:Computation is more intensive than in asymmetric systems.
Incorrect because the opposite is true, and it is an advantage of symmetric algorithms: they tend to be very fast because they are less computationally intensive than asymmetric algorithms. They can encrypt and decrypt relatively quickly large amounts of data that would take an unacceptable amount of time with asymmetric algorithms.
×:Much faster operation than asymmetric systems
Symmetric algorithms are faster than asymmetric systems, but this is an advantage, not a drawback. Therefore, it is incorrect.
×:Mathematically intensive tasks must be performed
Incorrect because it is asymmetric algorithms that perform mathematically intensive tasks. Symmetric algorithms, on the other hand, perform relatively simple mathematical operations on bits during encryption and decryption.
#96. Which of the following are threats to layers 5-7 of the OSI reference model?
#97. Lisa learned that most databases implement concurrency control. What is concurrency, and why does it need to be controlled?
〇:Processes running at the same time. If not properly controlled, the integrity of the database can be adversely affected.
Databases are used simultaneously by many different applications and many users interacting with them at once. Concurrency means that different processes (applications and users) access the database at the same time. If this is not properly controlled, processes can overwrite each other’s data or cause deadlocks. The worst consequence of concurrency problems is loss of integrity of the data held in the database. Database integrity is provided by concurrency control mechanisms; one such control is locking, which prevents users from accessing or modifying data that is being used by other users.
×:Processes running at different levels. If not properly controlled, they can adversely affect the integrity of the database.
Incorrect because concurrency refers to processes running at the same time, not at different levels. Concurrency problems occur when the database can be accessed simultaneously by different users or applications. If controls are not in place, two users can access and modify the same data at the same time, which is harmful in a dynamic environment.
×:The process of inferring new information from a review of accessible data. Inference attacks may occur.
Incorrect. Inferring new information from accessible data occurs when subjects at lower security levels indirectly deduce data at higher levels. This can lead to an inference attack, but it is not related to concurrency.
×:Storing data in multiple locations in the database. If not properly controlled, it can negatively impact database integrity.
Incorrect because storing data in multiple locations is not a concurrency issue. Concurrency becomes an issue when two subjects or applications try to modify the same data at the same time.
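The lost-update problem and the locking control described in the correct answer can be reproduced deterministically. This is an added example written for this page, not code from the original; the toy in-memory database, the two transactions and the step schedule are constructed, and a small scheduler stands in for real threads so the interleaving is fixed rather than left to chance. Two transactions both add to the same balance; without a lock, each reads the row before the other writes it, so the second write silently discards the first.

```python
from collections import deque


class ToyDatabase:
    """A single-table, in-memory database with no built-in concurrency control."""

    def __init__(self, rows):
        self.rows = dict(rows)

    def read(self, key):
        return self.rows[key]

    def write(self, key, value):
        self.rows[key] = value


def transaction(db, key, delta):
    """One read-modify-write transaction, expressed as a generator so a scheduler
    can interleave its steps with those of another transaction."""
    value = db.read(key)
    yield "read"
    db.write(key, value + delta)
    yield "write"


def run_schedule(db, key, deltas, schedule, use_locks):
    """Drive the transactions step by step in the order given by `schedule`.
    With use_locks=True a transaction takes an exclusive lock on the row at its
    first step and releases it at commit; others that want the row must wait."""
    txns = {name: transaction(db, key, delta) for name, delta in deltas.items()}
    done, holder, trace = set(), None, []
    queue = deque(schedule)
    while queue:
        name = queue.popleft()
        if name in done:
            continue
        if use_locks and holder not in (None, name):
            trace.append(f"{name}:wait")
            queue.append(name)  # blocked on the lock: try again later
            continue
        if use_locks:
            holder = name
        try:
            trace.append(f"{name}:{next(txns[name])}")
        except StopIteration:
            done.add(name)
            holder = None  # commit releases the lock
            trace.append(f"{name}:commit")
    return db.read(key), trace


# Constructed scenario: two transactions both add to the same balance of 100.
DELTAS = {"A": 5, "B": 10}
INTERLEAVED = ["A", "B", "A", "B", "A", "B"]  # both read before either writes


def lost_update_demo(use_locks):
    db = ToyDatabase({"balance": 100})
    return run_schedule(db, "balance", DELTAS, INTERLEAVED, use_locks)


if __name__ == "__main__":
    print(lost_update_demo(False))  # final balance 110: A's update was overwritten
    print(lost_update_demo(True))   # final balance 115: B waited for A's lock
```

The trace makes the integrity failure visible: without locks the sequence is read, read, write, write and the balance ends at 110 instead of 115. With the lock, B's steps are deferred until A commits and both updates survive. Real databases achieve the same with row locks or optimistic version checks, but the integrity argument is identical.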
#98. Which of the following describes a structured walk-through test in disaster recovery testing?
〇:Representatives from each department meet to walk through and validate the plan.
In a structured walk-through test, functional representatives walk through the plan step by step to ensure its accuracy and validity.
×:Ensures that some systems will run at alternate sites.
Incorrect because this describes a parallel test.
×:Send a copy of the disaster recovery plan to all departments to verify its completeness.
Incorrect because this describes a checklist test.
×:Take down the normal operation system.
Incorrect because this describes a full-interruption test.
#99. Which of the following is not accomplished simply by assigning data classification levels?
〇:Extraction of data from the database
Data classification is used to specify which users may read and write the data stored in the database, but it does not involve extracting data from the database. Therefore, the correct answer is “extraction of data from the database”.
This is a question that may make you think “What is this?”, but you need to calmly separate the classification of data from the manipulation of data. The more time you spend, the more tempted you are to pick a complicated answer, but staying calm is important in solving abstract problems.
×:Grouping hierarchically classified information
This is the primary activity of data classification.
×:Ensuring that non-confidential data is not unnecessarily protected
It is worded in a complicated way, but it simply says that data which does not need protection should not be given protection it does not need.
×:Understanding the impact of data leakage
Although not a direct outcome, the impact of a data breach is assessed in order to understand how important the data is when classifying it.
#100. RAID systems are available in a variety of configurations that provide redundancy and performance. Which of them writes data divided across multiple drives?
〇:Striping
RAID (redundant array of independent disks) is a technology used for redundancy and performance. It combines multiple physical disks into a logical array that appears as a single drive to applications and other devices. With striping, data is split into pieces and written across all the drives. Because multiple heads read and write data at the same time, read and write performance is greatly improved.
×:Parity
Incorrect because parity is redundant information used to reconstruct data lost from a failed drive; it does not by itself divide data across drives.
×:Mirroring
Incorrect because writing the same data to two drives at once is mirroring.
×:Hot Swap
Incorrect because hot swap refers to a capability of most RAID systems: drives can be replaced while the system is running. When a drive is swapped out or added, parity data is used to rebuild the data on the newly installed disk.
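Striping, parity and the rebuild that follows a hot swap can all be shown with a few lines of XOR arithmetic. This is an added example written for this page, not code from the original; the payload, the chunk size and the use of a dedicated parity disk (rather than the rotating parity of RAID 5) are assumptions chosen to keep the layout easy to read. Data chunks are written round-robin across the data disks, each stripe's parity is the XOR of its chunks, and any one lost disk is recovered as the XOR of the survivors.

```python
def stripe_with_parity(data, n_data_disks, chunk_size):
    """Split `data` into chunks, write them round-robin across n_data_disks
    (striping) and store the XOR of each stripe on one parity disk. A dedicated
    parity disk is used for clarity; RAID 5 rotates parity across all disks."""
    stripe_bytes = n_data_disks * chunk_size
    padded = data + b"\x00" * (-len(data) % stripe_bytes)  # pad to whole stripes
    disks = [bytearray() for _ in range(n_data_disks + 1)]
    for start in range(0, len(padded), stripe_bytes):
        parity = bytes(chunk_size)
        for d in range(n_data_disks):
            chunk = padded[start + d * chunk_size:start + (d + 1) * chunk_size]
            disks[d] += chunk
            parity = bytes(p ^ c for p, c in zip(parity, chunk))
        disks[n_data_disks] += parity
    return [bytes(d) for d in disks]


def read_back(disks, n_data_disks, chunk_size, length):
    """Reassemble the original data by reading each stripe across the data disks."""
    out = bytearray()
    for s in range(len(disks[0]) // chunk_size):
        for d in range(n_data_disks):
            out += disks[d][s * chunk_size:(s + 1) * chunk_size]
    return bytes(out[:length])


def rebuild_disk(disks, failed):
    """Reconstruct one failed disk (data or parity) as the XOR of all survivors.
    Only a single failure can be recovered from one parity disk."""
    survivors = [d for i, d in enumerate(disks) if i != failed]
    rebuilt = bytearray(len(survivors[0]))
    for d in survivors:
        for i, b in enumerate(d):
            rebuilt[i] ^= b
    return bytes(rebuilt)


# Constructed sample payload for the demonstration.
SAMPLE = b"The quick brown fox jumps over the lazy dog"


def demo():
    """Stripe the sample over three data disks plus parity, lose disk 1, rebuild it."""
    disks = stripe_with_parity(SAMPLE, 3, 4)
    lost = disks[1]
    damaged = list(disks)
    damaged[1] = None  # simulate drive 1 failing and being hot-swapped
    return disks, rebuild_disk(damaged, 1) == lost


if __name__ == "__main__":
    disks, recovered = demo()
    print([len(d) for d in disks], recovered)  # [16, 16, 16, 16] True
```

The rebuild only works while exactly one disk is missing: with two failures the XOR no longer has enough information, which is why a second failure during a long rebuild is the usual way a single-parity array loses data, and why RAID 6 keeps two independent parity blocks.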